Double free vulnerability in the iscsi_rx_handler function (usr/iscsi/iscsid.c) in the tgt daemon (tgtd) in Linux SCSI target framework (tgt) before 1.0.14, aka scsi-target-utils, allows remote attackers to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via unknown vectors related to a buffer overflow during iscsi login. NOTE: some of these details are obtained from third party information. SUSE-SR:2011:009 [stgt] 20110309 [PATCH] iscsi: fix buffer overflow before login DSA-2209 RHSA-2011:0332 46817 1025184 ADV-2011-0636 https://bugzilla.redhat.com/attachment.cgi?id=473779&action=diff https://bugzilla.redhat.com/show_bug.cgi?id=667261 lstf-iscsirxhandler-dos(66010) libuser before 0.57 uses a cleartext password value of (1) !! or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values. http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 FEDORA-2011-0316 FEDORA-2011-0320 1024960 MDVSA-2011:019 RHSA-2011:0170 45791 ADV-2011-0184 ADV-2011-0201 ADV-2011-0226 https://bugzilla.redhat.com/show_bug.cgi?id=643227 libuser-password-security-bypass(64677) https://fedorahosted.org/libuser/browser/NEWS?rev=libuser-0.57 MediaWiki before 1.16.1, when user or site JavaScript or CSS is enabled, allows remote attackers to conduct clickjacking attacks via unspecified vectors. FEDORA-2011-5848 FEDORA-2011-5812 FEDORA-2011-5807 [MediaWiki-announce] 20110104 MediaWiki security release 1.16.1 [oss-security] 20110104 Re: (possible) CVE request: Clickjacking in Mediawiki [oss-security] 20110104 (possible) CVE request: Clickjacking in Mediawiki ADV-2011-0017 https://bugzilla.wikimedia.org/show_bug.cgi?id=26561 mediawiki-frames-clickjacking(64476) Multiple cross-site scripting (XSS) vulnerabilities in Piwik before 1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. [oss-security] 20110105 CVE Request: Multiple XSS Vulnerabiliies < Piwik 1.1 [oss-security] 20110106 Re: CVE Request: Multiple XSS Vulnerabiliies < Piwik 1.1 http://piwik.org/blog/2011/01/piwik-1-1-2/ http://piwik.org/blog/2011/01/piwik-1-1-security-advisory/ http://piwik.org/blog/2011/01/professional-security-audit-in-piwik/ 45659 ADV-2011-0013 Cross-site scripting (XSS) vulnerability in the com_search module for Joomla! 1.0.x through 1.0.15 allows remote attackers to inject arbitrary web script or HTML via the ordering parameter to index.php. http://packetstormsecurity.org/files/view/97273/joomla1015-xss.txt 20110105 Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability 20110107 Re: Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability 45679 joomla-ordering-xss(64539) The ima_lsm_rule_init function in security/integrity/ima/ima_policy.c in the Linux kernel before 2.6.37, when the Linux Security Modules (LSM) framework is disabled, allows local users to bypass Integrity Measurement Architecture (IMA) rules in opportunistic circumstances by leveraging an administrator's addition of an IMA rule for LSM. http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.37 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=867c20265459d30a01b021a9c1e81fb4c5832aa9 [oss-security] 20110106 Re: CVE Request: kernel [Re: Security review of 2.6.32.28] https://bugzilla.redhat.com/show_bug.cgi?id=667912 https://github.com/torvalds/linux/commit/867c20265459d30a01b021a9c1e81fb4c5832aa9 pimd 2.1.5 and possibly earlier versions allows user-assisted local users to overwrite arbitrary files via a symlink attack on (1) pimd.dump when a USR1 signal is sent, or (2) pimd.cache when USR2 is sent. DSA-2147 [oss-security] 20110107 CVE Request - pimd - Insecure file creation in /var/tmp [oss-security] 20110107 Re: CVE Request - pimd - Insecure file creation in /var/tmp 45715 ADV-2011-0113 pimd-pimd-symlink(64528) A certain Fedora patch for parse.c in sudo before 1.7.4p5-1.fc14 on Fedora 14 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command. NOTE: this vulnerability exists because of a CVE-2009-0034 regression. FEDORA-2011-0470 FEDORA-2011-0455 MDVSA-2011:018 ADV-2011-0195 ADV-2011-0199 https://bugzilla.redhat.com/show_bug.cgi?id=668843 sudo-parse-privilege-escalation(64965) Best Practical Solutions RT 3.x before 3.8.9rc2 and 4.x before 4.0.0rc4 uses the MD5 algorithm for password hashes, which makes it easier for context-dependent attackers to determine cleartext passwords via a brute-force attack on the database. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610850 [rt-announce] 20110119 Security vulnerability in RT 3.0 and up FEDORA-2011-1677 DSA-2150 45959 ADV-2011-0190 ADV-2011-0475 ADV-2011-0576 https://bugzilla.redhat.com/show_bug.cgi?id=672250 check.c in sudo 1.7.x before 1.7.4p5, when a Runas group is configured, does not require a password for command execution that involves a gid change but no uid change, which allows local users to bypass an intended authentication requirement via the -g option to a sudo command. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641 FEDORA-2011-0470 FEDORA-2011-0455 SUSE-SR:2011:002 [oss-security] 20110111 CVE request: sudo does not ask for password on GID changes [oss-security] 20110112 Re: CVE request: sudo does not ask for password on GID changes [oss-security] 20110112 Re: CVE request: sudo does not ask for password on GID changes GLSA-201203-06 SSA:2011-041-05 MDVSA-2011:018 RHSA-2011:0599 45774 http://www.sudo.ws/repos/sudo/rev/07d1b0ce530e http://www.sudo.ws/repos/sudo/rev/fe8a94f96542 http://www.sudo.ws/sudo/alerts/runas_group_pw.html USN-1046-1 ADV-2011-0089 ADV-2011-0182 ADV-2011-0195 ADV-2011-0199 ADV-2011-0212 ADV-2011-0362 https://bugzilla.redhat.com/show_bug.cgi?id=668879 sudo-groupid-privilege-escalation(64636) qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions. RHSA-2011:0345 USN-1063-1 [oss-security] 20110110 CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication [oss-security] 20110110 Re: CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication [oss-security] 20110112 Re: CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197 qemu-vnc-security-bypass(65215) The SPICE Firefox plug-in (spice-xpi) 2.4, 2.3, 2.2, and possibly other versions allows local users to overwrite arbitrary files via a symlink attack on the usbrdrctl log file, which has a predictable name. RHSA-2011:0426 47269 1025304 ADV-2011-0899 https://bugzilla.redhat.com/show_bug.cgi?id=639869 Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag. APPLE-SA-2011-10-12-3 SUSE-SR:2011:005 HPSBUX02645 SSRT100627 HPSBUX02860 HPSBST02955 8093 http://support.apple.com/kb/HT5002 http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32 http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30 http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6_(released_14_Jan_2011) DSA-2160 MDVSA-2011:030 RHSA-2011:0791 RHSA-2011:0896 RHSA-2011:0897 RHSA-2011:1845 20110205 [SECURITY] CVE-2011-0013 Apache Tomcat Manager XSS vulnerability 46174 1025026 ADV-2011-0376 https://bugzilla.redhat.com/show_bug.cgi?id=675786 [tomcat-dev] 20190319 svn commit: r1855831 [22/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ [tomcat-dev] 20190325 svn commit: r1856174 [20/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ oval:org.mitre.oval:def:12878 oval:org.mitre.oval:def:14945 oval:org.mitre.oval:def:19269 ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability." NetBSD-SA2011-002 HPSBMA02658 APPLE-SA-2011-06-23-1 FEDORA-2011-1273 SUSE-SR:2011:005 SSRT100475 HPSBUX02689 SSA:2011-041-04 http://support.apple.com/kb/HT4723 DSA-2162 MDVSA-2011:028 http://www.openssl.org/news/secadv_20110208.txt RHSA-2011:0677 46264 1025050 USN-1064-1 ADV-2011-0361 ADV-2011-0387 ADV-2011-0389 ADV-2011-0395 ADV-2011-0399 ADV-2011-0603 http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564 oval:org.mitre.oval:def:18985 https://support.f5.com/csp/article/K10534046 Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not properly check the amount of compression in zlib-compressed data, which allows remote attackers to cause a denial of service via a large compression factor. [or-announce] 20110117 Tor 0.2.1.29 is released (security patches) http://blog.torproject.org/blog/tor-02129-released-security-patches DSA-2148 [oss-security] 20110118 Re: CVE request: tor 45832 1024980 ADV-2011-0131 ADV-2011-0132 https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog https://trac.torproject.org/projects/tor/ticket/2324 Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not properly manage key data in memory, which might allow local users to obtain sensitive information by leveraging the ability to read memory that was previously used by a different process. [or-announce] 20110117 Tor 0.2.1.29 is released (security patches) http://blog.torproject.org/blog/tor-02129-released-security-patches DSA-2148 [oss-security] 20110118 Re: CVE request: tor 45832 1024980 ADV-2011-0131 ADV-2011-0132 https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog https://trac.torproject.org/projects/tor/ticket/2384 https://trac.torproject.org/projects/tor/ticket/2385 The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack. ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74 [exim-announce] 20110125 Exim 4.74 Release SUSE-SR:2011:004 DSA-2154 46065 USN-1060-1 ADV-2011-0224 ADV-2011-0245 ADV-2011-0364 ADV-2011-0464 exim-openlog-privilege-escalation(65028) The email function in manage_sql.c in OpenVAS Manager 1.0.x through 1.0.3 and 2.0.x through 2.0rc2 allows remote authenticated users to execute arbitrary commands via the (1) To or (2) From e-mail address in an OMP request to the Greenbone Security Assistant (GSA). 16086 http://www.openvas.org/OVSA20110118.html 20110125 [OVSA20110118] OpenVAS Manager Vulnerable To Command Injection 45987 ADV-2011-0208 openvas-email-command-execution(65011) slapd (aka ns-slapd) in 389 Directory Server 1.2.7.5 (aka Red Hat Directory Server 8.2.x or dirsrv) does not properly handle simple paged result searches, which allows remote attackers to cause a denial of service (daemon crash) or possibly have unspecified other impact via multiple search requests. RHSA-2011:0293 46489 1025102 https://bugzilla.redhat.com/show_bug.cgi?id=666076 https://bugzilla.redhat.com/show_bug.cgi?id=670914 Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object. SUSE-SR:2011:005 [oss-security] 20110118 CVE request: heap corruption in libpango [oss-security] 20110120 Re: CVE request: heap corruption in libpango RHSA-2011:0180 45842 1024994 ADV-2011-0186 ADV-2011-0238 https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616 https://bugzilla.gnome.org/show_bug.cgi?id=639882 https://bugzilla.redhat.com/show_bug.cgi?id=671122 pango-pango-bo(64832) Multiple heap-based buffer overflows in cdg.c in the CDG decoder in VideoLAN VLC Media Player before 1.1.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted CDG video. http://download.videolan.org/pub/videolan/vlc/1.1.6/vlc-1.1.6.tar.bz2 http://git.videolan.org/?p=vlc.git;a=commit;h=f9b664eac0e1a7bceed9d7b5854fd9fc351b4aab [oss-security] 20110119 CVE request: heap corruption in VLC media player [oss-security] 20110120 Re: CVE request: heap corruption in VLC media player 45927 ADV-2011-0185 vlcmediaplayer-cdg-code-execution(64879) oval:org.mitre.oval:def:12460 The setup scripts in 389 Directory Server 1.2.x (aka Red Hat Directory Server 8.2.x), when multiple unprivileged instances are configured, use 0777 permissions for the /var/run/dirsrv directory, which allows local users to cause a denial of service (daemon outage or arbitrary process termination) by replacing PID files contained in this directory. RHSA-2011:0293 46489 1025102 https://bugzilla.redhat.com/show_bug.cgi?id=671199 Heap-based buffer overflow in wiretap/pcapng.c in Wireshark before 1.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted capture file. RHSA-2011:0370 ADV-2011-0719 https://bugzilla.redhat.com/show_bug.cgi?id=671331 IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does not properly verify signatures for JAR files that (1) are "partially signed" or (2) signed by multiple entities, which allows remote attackers to trick users into executing code that appears to come from a trusted source. http://blog.fuseyism.com/index.php/2011/02/01/security-icedtea6-178-185-195-released/ http://icedtea.classpath.org/hg/release/icedtea-web-1.0?cmd=changeset;node=3bd328e4b515 GLSA-201406-32 DSA-2224 MDVSA-2011:054 46110 USN-1055-1 icedtea-jar-security-bypass(65151) Integer signedness error in the SQLConnectW function in an ODBC API (odbc32.dll) in Microsoft Data Access Components (MDAC) 2.8 SP1 and SP2, and Windows Data Access Components (WDAC) 6.0, allows remote attackers to execute arbitrary code via a long string in the Data Source Name (DSN) and a crafted szDSN argument, which bypasses a signed comparison and leads to a buffer overflow, aka "DSN Overflow Vulnerability." http://support.avaya.com/css/P8/documents/100124846 45695 1024947 TA11-011A ADV-2011-0075 http://www.zerodayinitiative.com/advisories/ZDI-11-001/ MS11-002 oval:org.mitre.oval:def:12333 Microsoft Data Access Components (MDAC) 2.8 SP1 and SP2, and Windows Data Access Components (WDAC) 6.0, does not properly validate memory allocation for internal data structures, which allows remote attackers to execute arbitrary code, possibly via a large CacheSize property that triggers an integer wrap and a buffer overflow, aka "ADO Record Memory Vulnerability." NOTE: this might be a duplicate of CVE-2010-1117 or CVE-2010-1118. http://support.avaya.com/css/P8/documents/100124846 http://vreugdenhilresearch.nl/ms11-002-pwn2own-heap-overflow/ 45698 1024947 TA11-011A ADV-2011-0075 http://www.zerodayinitiative.com/advisories/ZDI-11-002/ MS11-002 oval:org.mitre.oval:def:12411 WordPad in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly parse fields in Word documents, which allows remote attackers to execute arbitrary code via a crafted .doc file, aka "WordPad Converter Parsing Vulnerability." TA11-102A MS11-033 oval:org.mitre.oval:def:12301 Untrusted search path vulnerability in the client in Microsoft Remote Desktop Connection 5.2, 6.0, 6.1, and 7.0 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .rdp file, aka "Remote Desktop Insecure Library Loading Vulnerability." Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' Per: http://www.microsoft.com/technet/security/Bulletin/MS11-017.mspx 'For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open an .rdp file.' FAQ: 'This is a remote code execution vulnerability.' 1025172 TA11-067A ADV-2011-0616 MS11-017 oval:org.mitre.oval:def:12480 The Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly kill processes after a logout, which allows local users to obtain sensitive information or gain privileges via a crafted application that continues to execute throughout the logout of one user and the login session of the next user, aka "CSRSS Elevation of Privilege Vulnerability," a different vulnerability than CVE-2010-0023. 1025045 ADV-2011-0323 MS11-010 ms-csrss-privilege-escalation(64917) oval:org.mitre.oval:def:12476 The (1) JScript 5.8 and (2) VBScript 5.8 scripting engines in Microsoft Windows Server 2008 R2 and Windows 7 do not properly load decoded scripts obtained from web pages, which allows remote attackers to trigger memory corruption and consequently obtain sensitive information via a crafted web site, aka "Scripting Engines Information Disclosure Vulnerability." 46139 1025044 ADV-2011-0322 MS11-009 ms-win-jscript-info-disclosure(64919) oval:org.mitre.oval:def:12313 Untrusted search path vulnerability in DirectShow in Microsoft Windows Vista SP1 and SP2, Windows 7 Gold and SP1, Windows Server 2008 R2 and R2 SP1, and Windows Media Center TV Pack for Windows Vista allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a Digital Video Recording (.dvr-ms), Windows Recorded TV Show (.wtv), or .mpg file, aka "DirectShow Insecure Library Loading Vulnerability." Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' Per: http://www.microsoft.com/technet/security/Bulletin/MS11-015.mspx 'For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a media file (such as .wtv, .drv-ms, or .mpg files).' FAQ: 'This is a remote code execution vulnerability. ' 46682 1025170 TA11-067A ADV-2011-0615 MS11-015 oval:org.mitre.oval:def:12506 The OpenType Compact Font Format (CFF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate parameter values in OpenType fonts, which allows remote attackers to execute arbitrary code via a crafted font, aka "OpenType Font Encoded Character Vulnerability." http://support.avaya.com/css/P8/documents/100127239 46106 1025034 ADV-2011-0320 MS11-007 ms-opentype-cff-code-execution(64906) oval:org.mitre.oval:def:11593 Stack-based buffer overflow in the OpenType Compact Font Format (aka OTF or CFF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted parameter values in an OpenType font, aka "OpenType Font Stack Overflow Vulnerability." TA11-102A MS11-032 oval:org.mitre.oval:def:11860 Microsoft Internet Explorer 6, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2010-2556 and CVE-2011-0036. http://support.avaya.com/css/P8/documents/100127294 46157 1025038 ADV-2011-0318 MS11-003 ms-explorer-code-execution(64911) oval:org.mitre.oval:def:12371 Microsoft Internet Explorer 6, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, related to a "dangling pointer," aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2010-2556 and CVE-2011-0035. http://support.avaya.com/css/P8/documents/100127294 46158 1025038 ADV-2011-0318 MS11-003 ms-explorer-code-exec(64912) oval:org.mitre.oval:def:12261 Microsoft Malware Protection Engine before 1.1.6603.0, as used in Microsoft Malicious Software Removal Tool (MSRT), Windows Defender, Security Essentials, Forefront Client Security, Forefront Endpoint Protection 2010, and Windows Live OneCare, allows local users to gain privileges via a crafted value of an unspecified user registry key. 1025117 http://www.microsoft.com/technet/security/advisory/2491888.mspx 46540 ADV-2011-0486 ms-malware-engine-priv-esc(65626) Untrusted search path vulnerability in Microsoft Internet Explorer 8 might allow local users to gain privileges via a Trojan horse IEShims.dll in the current working directory, as demonstrated by a Desktop directory that contains an HTML file, aka "Internet Explorer Insecure Library Loading Vulnerability." Per: CWE-426: Untrusted Search Path 'http://cwe.mitre.org/data/definitions/426.html' Per: http://www.microsoft.com/technet/security/Bulletin/MS11-003.mspx 'This is a remote code execution vulnerability.' http://support.avaya.com/css/P8/documents/100127294 http://www.fortiguard.com/advisory/FGA-2011-04.html 46159 1025038 ADV-2011-0318 MS11-003 ms-ie-dll-code-execution(64913) oval:org.mitre.oval:def:12270 The Local Security Authority Subsystem Service (LSASS) in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly process authentication requests, which allows local users to gain privileges via a request with a crafted length, aka "LSASS Length Validation Vulnerability." 46152 1025049 ADV-2011-0327 MS11-014 oval:org.mitre.oval:def:12537 The server in Microsoft Active Directory on Windows Server 2003 SP2 does not properly handle an update request for a service principal name (SPN), which allows remote attackers to cause a denial of service (authentication downgrade or outage) via a crafted request that triggers name collisions, aka "Active Directory SPN Validation Vulnerability." 46145 1025042 ADV-2011-0319 MS11-005 ms-win-active-directory-dos(64915) oval:org.mitre.oval:def:12485 Integer overflow in gdiplus.dll in GDI+ in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold and SP2, and Office XP SP3 allows remote attackers to execute arbitrary code via a crafted EMF image, aka "GDI+ Integer Overflow Vulnerability." TA11-102A MS11-029 oval:org.mitre.oval:def:11854 SBE.dll in the Stream Buffer Engine in Windows Media Player and Windows Media Center in Microsoft Windows XP SP2 and SP3, Windows XP Media Center Edition 2005 SP3, Windows Vista SP1 and SP2, Windows 7 Gold and SP1, and Windows Media Center TV Pack for Windows Vista does not properly parse Digital Video Recording (.dvr-ms) files, which allows remote attackers to execute arbitrary code via a crafted file, aka "DVR-MS Vulnerability." 46680 1025169 TA11-067A ADV-2011-0615 MS11-015 oval:org.mitre.oval:def:12281 Kerberos in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 supports weak hashing algorithms, which allows local users to gain privileges by operating a service that sends crafted service tickets, as demonstrated by the CRC32 algorithm, aka "Kerberos Unkeyed Checksum Vulnerability." http://support.avaya.com/css/P8/documents/100127250 46130 1025048 ADV-2011-0326 MS11-013 ms-kerberos-checksum-privilege-escalation(64900) oval:org.mitre.oval:def:12432 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. The Trace Events functionality in the kernel in Microsoft Windows XP SP3 does not properly perform type conversion, which causes integer truncation and insufficient memory allocation and triggers a buffer overflow, which allows local users to gain privileges via a crafted application, related to WmiTraceMessageVa, aka "Windows Kernel Integer Truncation Vulnerability." 8110 http://support.avaya.com/css/P8/documents/100127248 20110208 ZDI-11-064: Microsoft Windows WmiTraceMessageVa Local Kernel Vulnerability 46136 1025046 ADV-2011-0324 http://www.zerodayinitiative.com/advisories/ZDI-11-064 MS11-011 ms-win-kernel-privilege-escalation(64926) oval:org.mitre.oval:def:11996 Multiple cross-site request forgery (CSRF) vulnerabilities in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allow remote attackers to hijack the authentication of arbitrary users for requests related to (1) adding a saved search in buglist.cgi, (2) voting in votes.cgi, (3) sanity checking in sanitycheck.cgi, (4) creating or editing a chart in chart.cgi, (5) column changing in colchange.cgi, and (6) adding, deleting, or approving a quip in quips.cgi. FEDORA-2011-0741 FEDORA-2011-0755 http://www.bugzilla.org/security/3.2.9/ DSA-2322 45982 ADV-2011-0207 ADV-2011-0271 https://bugzilla.mozilla.org/show_bug.cgi?id=621090 https://bugzilla.mozilla.org/show_bug.cgi?id=621105 https://bugzilla.mozilla.org/show_bug.cgi?id=621107 https://bugzilla.mozilla.org/show_bug.cgi?id=621108 https://bugzilla.mozilla.org/show_bug.cgi?id=621109 https://bugzilla.mozilla.org/show_bug.cgi?id=621110 bugzilla-unspec-csrf(65003) Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.2 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) comments, aka "CSS injection vulnerability." FEDORA-2011-5848 FEDORA-2011-5812 FEDORA-2011-5807 [MediaWiki-announce] 20110201 MediaWiki security release 1.16.2 46108 ADV-2011-0273 https://bugzilla.wikimedia.org/show_bug.cgi?id=27093 mediawiki-css-comments-xss(65126) Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 creates a clickable link for a (1) javascript: or (2) data: URI in the URL (aka bug_file_loc) field, which allows remote attackers to conduct cross-site scripting (XSS) attacks against logged-out users via a crafted URI. FEDORA-2011-0741 FEDORA-2011-0755 http://www.bugzilla.org/security/3.2.9/ DSA-2322 45982 ADV-2011-0207 ADV-2011-0271 https://bugzilla.mozilla.org/show_bug.cgi?id=628034 bugzilla-url-xss(65005) Directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface. 8061 16103 VU#363726 20110203 Majordomo2 - Directory Traversal (SMTP/HTTP) 46127 1025024 ADV-2011-0288 https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481 https://bugzilla.mozilla.org/show_bug.cgi?id=628064 majordomo-listfile-directory-traversal(65113) https://sitewat.ch/en/Advisory/View/1 Cross-site scripting (XSS) vulnerability in the nonjs interface (interfaces/nonjs.pm) in CGI:IRC before 0.5.10 allows remote attackers to inject arbitrary web script or HTML via the R parameter. 8097 [cgiirc-general] 20110207 CGI:IRC 0.5.10 released to fix XSS issue (CVE-2011-0050) DSA-2158 20110209 CGI:IRC XSS issue (CVE-2011-0050) ADV-2011-0346 Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, does not properly handle certain recursive eval calls, which makes it easier for remote attackers to force a user to respond positively to a dialog question, as demonstrated by a question about granting privileges. http://downloads.avaya.com/css/P8/documents/100133195 http://support.avaya.com/css/P8/documents/100128655 MDVSA-2011:041 http://www.mozilla.org/security/announce/2011/mfsa2011-02.html RHSA-2011:0312 RHSA-2011:0313 https://bugzilla.mozilla.org/show_bug.cgi?id=616659 oval:org.mitre.oval:def:14211 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. http://downloads.avaya.com/css/P8/documents/100133195 http://support.avaya.com/css/P8/documents/100128655 MDVSA-2011:042 http://www.mozilla.org/security/announce/2011/mfsa2011-01.html RHSA-2011:0312 RHSA-2011:0313 46645 https://bugzilla.mozilla.org/show_bug.cgi?id=558531 https://bugzilla.mozilla.org/show_bug.cgi?id=558541 https://bugzilla.mozilla.org/show_bug.cgi?id=558633 https://bugzilla.mozilla.org/show_bug.cgi?id=563243 https://bugzilla.mozilla.org/show_bug.cgi?id=563618 https://bugzilla.mozilla.org/show_bug.cgi?id=576649 https://bugzilla.mozilla.org/show_bug.cgi?id=596232 https://bugzilla.mozilla.org/show_bug.cgi?id=600853 https://bugzilla.mozilla.org/show_bug.cgi?id=600974 https://bugzilla.mozilla.org/show_bug.cgi?id=602115 https://bugzilla.mozilla.org/show_bug.cgi?id=605672 https://bugzilla.mozilla.org/show_bug.cgi?id=613376 https://bugzilla.mozilla.org/show_bug.cgi?id=614499 oval:org.mitre.oval:def:14379 Buffer overflow in the JavaScript engine in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, might allow remote attackers to execute arbitrary code via vectors involving non-local JavaScript variables, aka an "upvarMap" issue. http://downloads.avaya.com/css/P8/documents/100133195 MDVSA-2011:041 http://www.mozilla.org/security/announce/2011/mfsa2011-04.html 46648 https://bugzilla.mozilla.org/show_bug.cgi?id=615657 oval:org.mitre.oval:def:14018 Use-after-free vulnerability in the JSON.stringify method in js3250.dll in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, might allow remote attackers to execute arbitrary code via unspecified vectors related to the js_HasOwnProperty function and garbage collection. http://downloads.avaya.com/css/P8/documents/100133195 MDVSA-2011:041 http://www.mozilla.org/security/announce/2011/mfsa2011-03.html 20110302 ZDI-11-103: Mozilla Firefox JSON.stringify Dangling Pointer Remote Code Execution Vulnerability 46661 http://www.zerodayinitiative.com/advisories/ZDI-11-103/ https://bugzilla.mozilla.org/show_bug.cgi?id=616009 https://bugzilla.mozilla.org/show_bug.cgi?id=619255 oval:org.mitre.oval:def:14476 Buffer overflow in the JavaScript engine in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, might allow remote attackers to execute arbitrary code via vectors involving exception timing and a large number of string values, aka an "atom map" issue. http://downloads.avaya.com/css/P8/documents/100133195 MDVSA-2011:041 http://www.mozilla.org/security/announce/2011/mfsa2011-05.html 46650 https://bugzilla.mozilla.org/show_bug.cgi?id=622015 oval:org.mitre.oval:def:14013 Use-after-free vulnerability in the Web Workers implementation in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, allows remote attackers to execute arbitrary code via vectors related to a JavaScript Worker and garbage collection. http://downloads.avaya.com/css/P8/documents/100133195 MDVSA-2011:041 http://www.mozilla.org/security/announce/2011/mfsa2011-06.html 46663 https://bugzilla.mozilla.org/show_bug.cgi?id=626631 oval:org.mitre.oval:def:14200 Buffer overflow in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a long string that triggers construction of a long text run. http://downloads.avaya.com/css/P8/documents/100133195 MDVSA-2011:041 http://www.mozilla.org/security/announce/2011/mfsa2011-07.html 46660 https://bugzilla.mozilla.org/show_bug.cgi?id=607160 oval:org.mitre.oval:def:14254 Cross-site request forgery (CSRF) vulnerability in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, allows remote attackers to hijack the authentication of arbitrary users for requests that were initiated by a plugin and received a 307 redirect to a page on a different web site. http://downloads.avaya.com/css/P8/documents/100133195 http://support.avaya.com/css/P8/documents/100128655 MDVSA-2011:041 http://www.mozilla.org/security/announce/2011/mfsa2011-10.html RHSA-2011:0313 46652 https://bugzilla.mozilla.org/show_bug.cgi?id=573873 oval:org.mitre.oval:def:14473 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. Buffer overflow in Mozilla Firefox 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG image. http://downloads.avaya.com/css/P8/documents/100133195 MDVSA-2011:041 MDVSA-2011:042 http://www.mozilla.org/security/announce/2011/mfsa2011-09.html 46651 https://bugzilla.mozilla.org/show_bug.cgi?id=610601 oval:org.mitre.oval:def:14486 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.6.x before 3.6.14 and Thunderbird 3.1.x before 3.1.8 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. http://downloads.avaya.com/css/P8/documents/100133195 MDVSA-2011:041 MDVSA-2011:042 http://www.mozilla.org/security/announce/2011/mfsa2011-01.html 46647 https://bugzilla.mozilla.org/show_bug.cgi?id=569384 https://bugzilla.mozilla.org/show_bug.cgi?id=599610 oval:org.mitre.oval:def:14409 The _list_file_get function in lib/Majordomo.pm in Majordomo 2 20110203 and earlier allows remote attackers to conduct directory traversal attacks and read arbitrary files via a ./.../ sequence in the "extra" parameter to the help command, which causes the regular expression to produce .. (dot dot) sequences. NOTE: this vulnerability is due to an incomplete fix for CVE-2011-0049. 8133 http://sotiriu.de/adv/NSOADV-2011-003.txt 20110308 NSOADV-2011-003: Majordomo2 'help' Command Directory Traversal (Patch Bypass) https://bugzilla.mozilla.org/show_bug.cgi?id=631307 majordomo-listfileget-dir-traversal(66011) The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2ed2cd307e7a991346faee164e70d9 FEDORA-2011-3194 SUSE-SR:2011:005 1025145 DSA-2178 MDVSA-2011:040 RHSA-2011:0309 46632 USN-1082-1 ADV-2011-0543 ADV-2011-0555 ADV-2011-0558 ADV-2011-0584 ADV-2011-0683 https://bugzilla.mozilla.org/show_bug.cgi?id=606997 https://bugzilla.novell.com/show_bug.cgi?id=672502 https://bugzilla.redhat.com/show_bug.cgi?id=678563 https://build.opensuse.org/request/show/63070 pango-hbbufferensure-bo(65770) Use-after-free vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, allows remote attackers to execute arbitrary code via vectors related to OBJECT's mChannel. http://downloads.avaya.com/css/P8/documents/100144158 8326 8331 8340 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 http://www.mozilla.org/security/announce/2011/mfsa2011-13.html https://bugzilla.mozilla.org/show_bug.cgi?id=634986 oval:org.mitre.oval:def:14142 Use-after-free vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, allows remote attackers to execute arbitrary code via vectors related to OBJECT's mObserverList. http://downloads.avaya.com/css/P8/documents/100144158 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 http://www.mozilla.org/security/announce/2011/mfsa2011-13.html https://bugzilla.mozilla.org/show_bug.cgi?id=634983 oval:org.mitre.oval:def:13970 Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, does not properly implement autocompletion for forms, which allows remote attackers to read form history entries via a Java applet that spoofs interaction with the autocomplete controls. http://downloads.avaya.com/css/P8/documents/100144158 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 http://www.mozilla.org/security/announce/2011/mfsa2011-14.html https://bugzilla.mozilla.org/show_bug.cgi?id=527935 oval:org.mitre.oval:def:14523 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19, 3.6.x before 3.6.17, and 4.x before 4.0.1; Thunderbird before 3.1.10; and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0070. http://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_thunderbird http://downloads.avaya.com/css/P8/documents/100144158 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 MDVSA-2011:080 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html 47656 https://bugzilla.mozilla.org/show_bug.cgi?id=644069 oval:org.mitre.oval:def:14065 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19, 3.6.x before 3.6.17, and 4.x before 4.0.1; Thunderbird before 3.1.10; and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0069. http://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_thunderbird http://downloads.avaya.com/css/P8/documents/100144158 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 MDVSA-2011:080 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html 47654 https://bugzilla.mozilla.org/show_bug.cgi?id=645565 oval:org.mitre.oval:def:14286 Directory traversal vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 on Windows allows remote attackers to determine the existence of arbitrary files, and possibly load resources, via vectors involving a resource: URL. http://downloads.avaya.com/css/P8/documents/100144158 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 MDVSA-2011:080 http://www.mozilla.org/security/announce/2011/mfsa2011-16.html https://bugzilla.mozilla.org/show_bug.cgi?id=624764 oval:org.mitre.oval:def:14058 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0074, CVE-2011-0075, CVE-2011-0077, and CVE-2011-0078. http://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_thunderbird http://downloads.avaya.com/css/P8/documents/100134543 http://downloads.avaya.com/css/P8/documents/100144158 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 MDVSA-2011:080 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html 47655 https://bugzilla.mozilla.org/show_bug.cgi?id=624187 oval:org.mitre.oval:def:14038 Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, does not properly use nsTreeRange data structures, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer." http://downloads.avaya.com/css/P8/documents/100134543 http://downloads.avaya.com/css/P8/documents/100144158 8310 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 http://www.mozilla.org/security/announce/2011/mfsa2011-13.html https://bugzilla.mozilla.org/show_bug.cgi?id=630919 oval:org.mitre.oval:def:14020 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0072, CVE-2011-0075, CVE-2011-0077, and CVE-2011-0078. http://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_thunderbird http://downloads.avaya.com/css/P8/documents/100134543 http://downloads.avaya.com/css/P8/documents/100144158 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 MDVSA-2011:080 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html 47646 https://bugzilla.mozilla.org/show_bug.cgi?id=619021 oval:org.mitre.oval:def:14317 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0072, CVE-2011-0074, CVE-2011-0077, and CVE-2011-0078. http://downloads.avaya.com/css/P8/documents/100134543 http://downloads.avaya.com/css/P8/documents/100144158 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 MDVSA-2011:080 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html 47647 https://bugzilla.mozilla.org/show_bug.cgi?id=635977 oval:org.mitre.oval:def:14086 Unspecified vulnerability in the Java Embedding Plugin (JEP) in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, on Mac OS X allows remote attackers to bypass intended access restrictions via unknown vectors. MDVSA-2011:079 http://www.mozilla.org/security/announce/2011/mfsa2011-15.html https://bugzilla.mozilla.org/show_bug.cgi?id=634724 https://bugzilla.mozilla.org/show_bug.cgi?id=644682 oval:org.mitre.oval:def:14498 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0072, CVE-2011-0074, CVE-2011-0075, and CVE-2011-0078. http://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_thunderbird http://downloads.avaya.com/css/P8/documents/100134543 http://downloads.avaya.com/css/P8/documents/100144158 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 MDVSA-2011:080 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html 47648 https://bugzilla.mozilla.org/show_bug.cgi?id=623998 oval:org.mitre.oval:def:14193 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0072, CVE-2011-0074, CVE-2011-0075, and CVE-2011-0077. http://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_thunderbird http://downloads.avaya.com/css/P8/documents/100134543 http://downloads.avaya.com/css/P8/documents/100144158 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 MDVSA-2011:080 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html 47651 https://bugzilla.mozilla.org/show_bug.cgi?id=635705 oval:org.mitre.oval:def:14246 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x before 4.0.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to gfx/layers/d3d10/ReadbackManagerD3D10.cpp and unknown other vectors. http://www.mozilla.org/security/announce/2011/mfsa2011-12.html https://bugzilla.mozilla.org/show_bug.cgi?id=601102 https://bugzilla.mozilla.org/show_bug.cgi?id=639343 https://bugzilla.mozilla.org/show_bug.cgi?id=639728 https://bugzilla.mozilla.org/show_bug.cgi?id=639885 https://bugzilla.mozilla.org/show_bug.cgi?id=641388 https://bugzilla.mozilla.org/show_bug.cgi?id=642717 https://bugzilla.mozilla.org/show_bug.cgi?id=643649 oval:org.mitre.oval:def:14232 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. http://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_thunderbird http://downloads.avaya.com/css/P8/documents/100134543 http://downloads.avaya.com/css/P8/documents/100144158 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 MDVSA-2011:080 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html 47641 https://bugzilla.mozilla.org/show_bug.cgi?id=615147 https://bugzilla.mozilla.org/show_bug.cgi?id=634257 https://bugzilla.mozilla.org/show_bug.cgi?id=637621 https://bugzilla.mozilla.org/show_bug.cgi?id=637957 https://bugzilla.mozilla.org/show_bug.cgi?id=638236 oval:org.mitre.oval:def:13866 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6.x before 3.6.17 and 4.x before 4.0.1, and Thunderbird 3.1.x before 3.1.10, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. http://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_thunderbird http://downloads.avaya.com/css/P8/documents/100144158 DSA-2227 DSA-2228 DSA-2235 MDVSA-2011:079 MDVSA-2011:080 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html 47653 https://bugzilla.mozilla.org/show_bug.cgi?id=645289 oval:org.mitre.oval:def:13993 The X.509 certificate validation functionality in Mozilla Firefox 4.0.x through 4.0.1 does not properly implement single-session security exceptions, which might make it easier for user-assisted remote attackers to spoof an SSL server via an untrusted certificate that triggers potentially unwanted local caching of documents from that server. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627552 [oss-security] 20110531 Re: CVE request: firefox doesn't (re)validate certificates when loading HTTPS page [oss-security] 20110531 Re: CVE request: firefox doesn't (re)validate certificates when loading HTTPS page [oss-security] 20110531 CVE request: firefox doesn't (re)validate certificates when loading HTTPS page [oss-security] 20110531 Re: CVE request: firefox doesn't (re)validate certificates when loading HTTPS page 48064 https://bugzilla.mozilla.org/show_bug.cgi?id=660749 https://bugzilla.redhat.com/show_bug.cgi?id=709165 oval:org.mitre.oval:def:14145 Use-after-free vulnerability in the nsSVGPathSegList::ReplaceItem function in the implementation of SVG element lists in Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving a user-supplied callback. SUSE-SA:2011:028 http://support.avaya.com/css/P8/documents/100144854 http://support.avaya.com/css/P8/documents/100145333 DSA-2268 DSA-2269 DSA-2273 MDVSA-2011:111 http://www.mozilla.org/security/announce/2011/mfsa2011-23.html RHSA-2011:0885 RHSA-2011:0886 RHSA-2011:0887 RHSA-2011:0888 USN-1149-1 https://bugzilla.mozilla.org/show_bug.cgi?id=648090 oval:org.mitre.oval:def:13543 The SVGTextElement.getCharNumAtPosition function in Mozilla Firefox before 3.6.20, and 4.x through 5; Thunderbird 3.x before 3.1.12 and other versions before 6; SeaMonkey 2.x before 2.3; and possibly other products does not properly handle SVG text, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer." SUSE-SA:2011:037 SUSE-SU-2011:0967 DSA-2295 DSA-2296 DSA-2297 MDVSA-2011:127 http://www.mozilla.org/security/announce/2011/mfsa2011-29.html http://www.mozilla.org/security/announce/2011/mfsa2011-30.html http://www.mozilla.org/security/announce/2011/mfsa2011-31.html http://www.mozilla.org/security/announce/2011/mfsa2011-33.html RHSA-2011:1164 RHSA-2011:1166 https://bugzilla.mozilla.org/show_bug.cgi?id=648094 oval:org.mitre.oval:def:14502 Use-after-free vulnerability in the nsXULCommandDispatcher function in Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via a crafted XUL document that dequeues the current command updater. SUSE-SA:2011:028 http://support.avaya.com/css/P8/documents/100144854 http://support.avaya.com/css/P8/documents/100145333 DSA-2268 DSA-2269 DSA-2273 MDVSA-2011:111 http://www.mozilla.org/security/announce/2011/mfsa2011-23.html RHSA-2011:0885 RHSA-2011:0886 RHSA-2011:0887 RHSA-2011:0888 USN-1149-1 https://bugzilla.mozilla.org/show_bug.cgi?id=648100 oval:org.mitre.oval:def:14432 win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Win32k Improper User Input Validation Vulnerability." 46141 ADV-2011-0325 MS11-012 oval:org.mitre.oval:def:12070 win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 Gold and SP2 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Win32k Insufficient User Input Validation Vulnerability." 46148 ADV-2011-0325 MS11-012 oval:org.mitre.oval:def:12312 win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Win32k Window Class Pointer Confusion Vulnerability." 46147 ADV-2011-0325 MS11-012 oval:org.mitre.oval:def:12553 win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Win32k Window Class Improper Pointer Validation Vulnerability." 46149 ADV-2011-0325 MS11-012 oval:org.mitre.oval:def:11638 win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Vulnerability." 46150 ADV-2011-0325 MS11-012 oval:org.mitre.oval:def:12455 Kerberos in Microsoft Windows Server 2008 R2 and Windows 7 does not prevent a session from changing from strong encryption to DES encryption, which allows man-in-the-middle attackers to spoof network traffic and obtain sensitive information via a DES downgrade, aka "Kerberos Spoofing Vulnerability." http://support.avaya.com/css/P8/documents/100127250 46140 1025048 ADV-2011-0326 MS11-013 ms-kerberos-spoofing(64901) oval:org.mitre.oval:def:12498 The LZW stream decompression functionality in ORMELEMS.DLL in Microsoft Visio 2002 SP2, 2003 SP3, and 2007 SP2 allows remote attackers to execute arbitrary code via a Visio file with a malformed VisioDocument stream that triggers an exception handler that accesses an object that has not been fully initialized, which triggers memory corruption, aka "Visio Object Memory Corruption Vulnerability." 20110208 ZDI-11-063: Microsoft Visio 2007 LZW Stream Decompression Exception Vulnerability 46137 1025043 ADV-2011-0321 http://www.zerodayinitiative.com/advisories/ZDI-11-063/ MS11-008 ms-visio-object-code-execution(64923) oval:org.mitre.oval:def:12403 ELEMENTS.DLL in Microsoft Visio 2002 SP2, 2003 SP3, and 2007 SP2 does not properly parse structures during the opening of a Visio file, which allows remote attackers to execute arbitrary code via a file containing a malformed structure, aka "Visio Data Type Memory Corruption Vulnerability." 46138 1025043 ADV-2011-0321 MS11-008 ms-visio-data-code-execution(64924) oval:org.mitre.oval:def:12469 Use-after-free vulnerability in Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, aka "Layouts Handling Memory Corruption Vulnerability." 20110412 Microsoft Internet Explorer Use-After-Free Memory Corruption Vulnerability 1025327 TA11-102A MS11-018 oval:org.mitre.oval:def:12463 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. The MHTML protocol handler in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly handle a MIME format in a request for content blocks in a document, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site that is visited in Internet Explorer, aka "MHTML Mime-Formatted Request Vulnerability." http://blogs.technet.com/b/msrc/archive/2011/01/28/microsoft-releases-security-advisory-2501696.aspx http://blogs.technet.com/b/srd/archive/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability.aspx http://www.80vul.com/webzine_0x05/0x05%20IE%E4%B8%8BMHTML%E5%8D%8F%E8%AE%AE%E5%B8%A6%E6%9D%A5%E7%9A%84%E8%B7%A8%E5%9F%9F%E5%8D%B1%E5%AE%B3.html 16071 VU#326549 http://www.microsoft.com/technet/security/advisory/2501696.mspx 46055 1025003 TA11-102A ADV-2011-0242 MS11-026 ms-win-mhtml-info-disclosure(65000) oval:org.mitre.oval:def:6956 Integer underflow in Microsoft Excel 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Excel Viewer SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 allows remote attackers to execute arbitrary code via a crafted 400h substream in an Excel file, which triggers a stack-based buffer overflow, aka "Excel Integer Overrun Vulnerability." 47201 1025337 TA11-102A ADV-2011-0940 MS11-021 oval:org.mitre.oval:def:12612 Integer signedness error in Microsoft Excel 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Excel Viewer SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 allows remote attackers to execute arbitrary code via an XLS file with a large record size, aka "Excel Heap Overflow Vulnerability." 47235 1025337 TA11-102A ADV-2011-0940 MS11-021 oval:org.mitre.oval:def:12034 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. Microsoft Excel 2002 SP3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted RealTimeData record, related to a stTopic field, double-byte characters, and an incorrect pointer calculation, aka "Excel Record Parsing WriteAV Vulnerability." 20110412 ZDI-11-120: Microsoft Office Excel RealTimeData Record Parsing Remote Code Execution Vulnerability 47243 1025337 TA11-102A ADV-2011-0940 http://www.zerodayinitiative.com/advisories/ZDI-11-120 MS11-021 oval:org.mitre.oval:def:11676 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted record information in an Excel file, aka "Excel Memory Corruption Vulnerability." 20110412 Microsoft Excel Memory Corruption Vulnerability 47244 1025337 TA11-102A ADV-2011-0940 MS11-021 oval:org.mitre.oval:def:12616 Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HLink record in an Excel file, aka "Excel Buffer Overwrite Vulnerability." http://www.checkpoint.com/defense/advisories/public/2011/cpai-31-Mard.html 47245 1025337 TA11-102A ADV-2011-0940 MS11-021 oval:org.mitre.oval:def:11767 Microsoft Excel 2002 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac obtain a certain length value from an uninitialized memory location, which allows remote attackers to trigger a buffer overflow and execute arbitrary code via a crafted Excel file, aka "Excel Data Initialization Vulnerability." 1025337 TA11-102A ADV-2011-0940 MS11-021 oval:org.mitre.oval:def:12618 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. Untrusted search path vulnerability in Microsoft Office XP SP3, Office 2003 SP3, and Office 2007 SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Office Component Insecure Library Loading Vulnerability." Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' Per: http://www.microsoft.com/technet/security/Bulletin/MS11-023.mspx Access Vector: Network per "This is a remote code execution vulnerability" http://www.fortiguard.com/advisory/FGA-2011-13.html 47246 1025343 TA11-102A ADV-2011-0942 MS11-023 oval:org.mitre.oval:def:12655 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17172 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:16959 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17070 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:16903 The DOM level 2 implementation in WebKit, as used in Apple iTunes before 10.2 on Windows and Apple Safari, does not properly handle DOM manipulations associated with event listeners during processing of range objects, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 http://www.zerodayinitiative.com/advisories/ZDI-11-096 Use-after-free vulnerability in the setOuterText method in the htmlelement library in WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to DOM manipulations during iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 http://www.zerodayinitiative.com/advisories/ZDI-11-097 oval:org.mitre.oval:def:17220 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17250 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17327 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17254 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17373 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17374 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17372 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17018 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17280 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17092 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:16788 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17247 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17394 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17161 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:16568 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17094 Use-after-free vulnerability in the Runin box functionality in the Cascading Style Sheets (CSS) 2.1 Visual Formatting Model implementation in WebKit, as used in Apple iTunes before 10.2 on Windows and Apple Safari, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 http://www.zerodayinitiative.com/advisories/ZDI-11-098 WebKit, as used in Apple iTunes before 10.2 on Windows, does not properly access glyph data during layout actions for floating blocks associated with pseudo-elements, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 http://www.zerodayinitiative.com/advisories/ZDI-11-099 oval:org.mitre.oval:def:17072 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17059 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17167 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17222 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:16457 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17452 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17446 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17378 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:16730 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17104 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17413 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17312 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17127 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:16843 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:16488 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:16916 WebKit, as used in Apple iTunes before 10.2 on Windows, does not properly parse HTML elements associated with document namespaces, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to a "dangling pointer" and iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 http://www.zerodayinitiative.com/advisories/ZDI-11-100 oval:org.mitre.oval:def:17241 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17339 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17397 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:12519 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17218 WebKit, as used in Apple iTunes before 10.2 on Windows and Apple iOS, does not properly implement the .sort function for JavaScript arrays, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 http://www.zerodayinitiative.com/advisories/ZDI-11-101 oval:org.mitre.oval:def:17308 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17299 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:17191 WebKit, as used in Apple iOS before 4.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-09-1. APPLE-SA-2011-03-09-1 http://support.apple.com/kb/HT4564 46807 appleios-webkit-unspec-code-exec(66007) MobileSafari in Apple iOS before 4.3 does not properly implement application launching through URL handlers, which allows remote attackers to cause a denial of service (persistent application crash) via crafted JavaScript code. APPLE-SA-2011-03-09-1 http://support.apple.com/kb/HT4564 46806 1025182 appleios-mobilesafari-dos(66002) The Safari Settings feature in Safari in Apple iOS 4.x before 4.3 does not properly implement the clearing of cookies during execution of the Safari application, which might make it easier for remote web servers to track users by setting a cookie. APPLE-SA-2011-03-09-1 http://support.apple.com/kb/HT4564 46810 1025182 WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle redirects in conjunction with HTTP Basic Authentication, which might allow remote web servers to capture credentials by logging the Authorization HTTP header. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 1025182 WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle the Attr.style accessor, which allows remote attackers to bypass the Same Origin Policy and inject Cascading Style Sheets (CSS) token sequences via a crafted web site. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 46814 1025182 appleios-attr-code-execution(66000) Wi-Fi in Apple iOS before 4.3 and Apple TV before 4.2 does not properly perform bounds checking for Wi-Fi frames, which allows remote attackers to cause a denial of service (device reset) via unspecified traffic on the local wireless network. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-3 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4565 46813 1025182 appleios-wifi-dos(65998) WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle unspecified "cached resources," which allows remote attackers to cause a denial of service (resource unavailability) via a crafted web site that conducts a cache-poisoning attack. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 1025182 appleios-cache-dos(66001) WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 oval:org.mitre.oval:def:17482 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:16871 The HTML5 drag and drop functionality in WebKit in Apple Safari before 5.0.4 allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via vectors related to the dragging of content. NOTE: this might overlap CVE-2011-0778. APPLE-SA-2011-03-09-2 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4999 46811 1025183 apple-safari-html5-info-disclosure(66004) The windows functionality in WebKit in Apple Safari before 5.0.4 allows remote attackers to bypass the Same Origin Policy, and force the upload of arbitrary local files from a client computer, via a crafted web site. APPLE-SA-2011-03-09-2 http://support.apple.com/kb/HT4566 46816 1025183 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4566 oval:org.mitre.oval:def:16938 WebKit in Apple Safari before 5.0.4, when the Web Inspector is used, does not properly handle the window.console._inspectorCommandLineAPI property, which allows user-assisted remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site. APPLE-SA-2011-03-09-2 http://support.apple.com/kb/HT4566 46809 1025183 safari-commandlineapi-xss(66006) Heap-based buffer overflow in ImageIO in CoreGraphics in Apple iTunes before 10.2 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted International Color Consortium (ICC) profile in a JPEG image. 20110302 Apple CoreGraphics Library Heap Memory Corruption Vulnerability APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-02-1 APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4581 oval:org.mitre.oval:def:17367 AirPort in Apple Mac OS X 10.6 before 10.6.7 allows remote attackers to cause a denial of service (divide-by-zero error and reboot) via Wi-Fi frames on the local wireless network, a different vulnerability than CVE-2011-0162. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 Multiple format string vulnerabilities in AppleScript in Apple Mac OS X before 10.6.7 allow context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in a (1) display dialog or (2) display alert command in a dialog in an AppleScript Studio application. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X before 10.6.7 allows remote attackers to execute arbitrary code via a document that contains a crafted embedded OpenType font. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS X before 10.6.7 allow remote attackers to execute arbitrary code via a document that contains a crafted embedded TrueType font. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS X before 10.6.7 allow remote attackers to execute arbitrary code via a document that contains a crafted embedded Type 1 font. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS X before 10.6.7 allow remote attackers to execute arbitrary code via a document that contains a crafted SFNT table in an embedded font. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 The FSFindFolder API in CarbonCore in Apple Mac OS X before 10.6.7 provides a world-readable directory in response to a call with the kTemporaryFolderType flag, which allows local users to obtain potentially sensitive information by accessing this directory. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 CoreText in Apple Mac OS X before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a document that contains a crafted embedded font. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 Integer overflow in HFS in Apple Mac OS X before 10.6.7 allows local users to read arbitrary (1) HFS, (2) HFS+, or (3) HFS+J files via a crafted F_READBOOTSTRAP ioctl call. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 Integer overflow in ImageIO in Apple Mac OS X before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted XBM image. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 The i386_set_ldt system call in the kernel in Apple Mac OS X before 10.6.7 does not properly handle call gates, which allows local users to gain privileges via vectors involving the creation of a call gate entry. APPLE-SA-2011-03-21-1 8402 http://support.apple.com/kb/HT4581 Libinfo in Apple Mac OS X before 10.6.7 does not properly handle an unspecified integer field in an NFS RPC packet, which allows remote attackers to cause a denial of service (lockd, statd, mountd, or portmap outage) via a crafted packet, related to an "integer truncation issue." APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 QuickLook in Apple Mac OS X 10.6 before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via an Excel spreadsheet with a crafted formula that uses unspecified opcodes. 20110321 Apple OfficeImport Framework Excel Memory Corruption Vulnerability APPLE-SA-2011-10-12-1 APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 http://support.apple.com/kb/HT4999 Format string vulnerability in the debug-logging feature in Application Firewall in Apple Mac OS X before 10.7.2 allows local users to gain privileges via a crafted name of an executable file. APPLE-SA-2011-10-12-3 http://support.apple.com/kb/HT5002 50085 50092 QuickTime in Apple Mac OS X before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted JPEG2000 image. APPLE-SA-2011-08-03-1 APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 The plug-in in QuickTime in Apple Mac OS X before 10.6.7 allows remote attackers to bypass the Same Origin Policy and obtain potentially sensitive video data via vectors involving a cross-site redirect. APPLE-SA-2011-08-03-1 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-12-3 APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT5002 The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue." Per: http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html 'This issue only affects 64-bit Ruby processes'. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ext/bigdecimal/bigdecimal.c?r1=29364&r2=30993 MDVSA-2011:097 MDVSA-2011:098 RHSA-2011:0908 RHSA-2011:0909 RHSA-2011:0910 1025236 https://bugzilla.redhat.com/show_bug.cgi?id=682332 The default configuration of Terminal in Apple Mac OS X 10.6 before 10.6.7 uses SSH protocol version 1 within the New Remote Connection dialog, which might make it easier for man-in-the-middle attackers to spoof SSH servers by leveraging protocol vulnerabilities. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 Install Helper in Installer in Apple Mac OS X before 10.6.7 does not properly process an unspecified URL, which might allow remote attackers to track user logins by logging network traffic from an agent that was intended to send network traffic to an Apple server. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 Buffer overflow in LibTIFF 3.9.4 and possibly other versions, as used in ImageIO in Apple iTunes before 10.2 on Windows and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image with JPEG encoding. APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-3 APPLE-SA-2011-03-02-1 APPLE-SA-2011-03-21-1 SUSE-SR:2011:005 SUSE-SR:2011:009 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4565 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4581 DSA-2210 MDVSA-2011:064 46657 ADV-2011-0845 ADV-2011-0859 Buffer overflow in Fax4Decode in LibTIFF 3.9.4 and possibly other versions, as used in ImageIO in Apple iTunes before 10.2 on Windows and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF Internet Fax image file that has been compressed using CCITT Group 4 encoding, related to the EXPAND2D macro in libtiff/tif_fax3.h. NOTE: some of these details are obtained from third party information. http://blackberry.com/btsc/KB27244 APPLE-SA-2011-03-09-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-3 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-12-2 APPLE-SA-2011-03-02-1 APPLE-SA-2011-03-21-1 FEDORA-2011-3836 FEDORA-2011-3827 FEDORA-2011-2540 FEDORA-2011-2498 SUSE-SR:2011:005 SUSE-SR:2011:009 GLSA-201209-02 SSA:2011-098-01 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4565 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4581 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT5001 DSA-2210 MDVSA-2011:043 RHSA-2011:0318 46658 1025153 ADV-2011-0551 ADV-2011-0599 ADV-2011-0621 ADV-2011-0845 ADV-2011-0905 ADV-2011-0930 ADV-2011-0960 https://bugzilla.redhat.com/show_bug.cgi?id=678635 Multiple buffer overflows in Image RAW in Apple Mac OS X before 10.6.7 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Canon RAW image. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 Integer overflow in ImageIO in Apple Mac OS X 10.6 before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image with JPEG encoding. APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4581 The generate-id XPath function in libxslt in Apple iOS 4.3.x before 4.3.2 allows remote attackers to obtain potentially sensitive information about heap memory addresses via a crafted web site. NOTE: this may overlap CVE-2011-1202. APPLE-SA-2011-04-14-1 APPLE-SA-2011-07-20-1 APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 http://support.apple.com/kb/HT4808 1025365 AirPort in Apple Mac OS X 10.5.8 allows remote attackers to cause a denial of service (out-of-bounds read and reboot) via Wi-Fi frames on the local wireless network. APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 App Store in Apple Mac OS X before 10.6.8 creates a log entry containing a user's AppleID password, which might allow local users to obtain sensitive information by reading a log file, as demonstrated by a log file that has non-default permissions. APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 48443 Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code via a crafted embedded TrueType font. APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 48436 The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle attackers to spoof an SSL server via a revoked certificate. APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 48447 Integer overflow in ColorSync in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image containing a crafted embedded ColorSync profile that triggers a heap-based buffer overflow. APPLE-SA-2011-07-20-1 APPLE-SA-2011-06-23-1 APPLE-SA-2011-10-11-1 APPLE-SA-2012-02-01-1 http://support.apple.com/kb/HT4723 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT5130 Off-by-one error in the CoreFoundation framework in Apple Mac OS X before 10.6.8 allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a CFString object that triggers a buffer overflow. APPLE-SA-2011-07-20-1 APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 http://support.apple.com/kb/HT4808 Integer overflow in CoreGraphics in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted embedded Type 1 font in a PDF document. APPLE-SA-2011-07-20-1 APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 http://support.apple.com/kb/HT4808 Absolute path traversal vulnerability in xftpd in the FTP Server component in Apple Mac OS X before 10.6.8 allows remote attackers to list arbitrary directories by using the root directory as the starting point of a recursive listing. APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 48418 Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image. 20110628 NGS00062 Patch Notification: Apple Mac OS X ImageIO TIFF Heap Overflow APPLE-SA-2011-07-20-1 APPLE-SA-2011-06-23-1 APPLE-SA-2011-10-11-1 http://support.apple.com/kb/HT4723 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG2000 image. APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 48439 Buffer overflow in International Components for Unicode (ICU) in Apple Mac OS X before 10.6.8 allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving uppercase strings. APPLE-SA-2011-07-20-1 APPLE-SA-2011-06-23-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4723 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4999 macos-icu-bo(68217) The MobileMe component in Apple Mac OS X before 10.6.8 uses a cleartext HTTP session for the Mail application to read e-mail aliases, which allows remote attackers to obtain potentially sensitive alias information by sniffing the network. APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 48444 QuickLook in Apple Mac OS X 10.6 before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Microsoft Office document. APPLE-SA-2011-06-23-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4723 http://support.apple.com/kb/HT4999 Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted RIFF WAV file. APPLE-SA-2011-08-03-1 APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted sample tables in a movie file. APPLE-SA-2011-08-03-1 APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 48442 Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file. APPLE-SA-2011-08-03-1 APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 servermgrd in Apple Mac OS X before 10.6.8 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service (CPU and memory consumption), via an XML-RPC request containing an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue. APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 48445 Buffer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG file. APPLE-SA-2011-08-03-1 APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4723 CFNetwork in Apple Safari before 5.0.6 on Windows does not properly handle an untrusted attribute of a system root certificate, which allows remote web servers to bypass intended SSL restrictions via a certificate signed by a blacklisted certification authority. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4808 ImageIO in Apple Safari before 5.0.6 on Windows does not properly address re-entrancy issues, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF file. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 Off-by-one error in libxml in Apple Safari before 5.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via a crafted web site. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-12-2 RHSA-2013:0217 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT5001 DSA-2394 MDVSA-2011:188 RHSA-2011:1749 Apple Safari before 5.0.6 provides AutoFill information to scripts that execute before HTML form submission, which allows remote attackers to obtain Address Book information via a crafted form, as demonstrated by a form that includes non-visible fields. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4808 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 Apple Safari before 5.0.6 allows remote attackers to bypass the Same Origin Policy, and modify the rendering of text from arbitrary web sites, via a Java applet that loads fonts. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4808 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 8313 8315 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 CoreMedia in Apple Mac OS X through 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted QuickTime movie file. APPLE-SA-2011-10-12-3 http://support.apple.com/kb/HT5002 50085 50095 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011. APPLE-SA-2011-07-15-1 APPLE-SA-2011-07-15-2 APPLE-SA-2011-10-12-3 [freetype-devel] 20110708 details on iPhone exploit caused by FreeType? [freetype-devel] 20110708 Re: details on iPhone exploit caused by FreeType? [freetype-devel] 20110709 Re: details on iPhone exploit caused by FreeType? [freetype-devel] 20110711 Re: details on iPhone exploit caused by FreeType? [freetype-devel] 20110711 Re: details on iPhone exploit caused by FreeType? openSUSE-SU-2011:0852 SUSE-SU-2011:0853 http://support.apple.com/kb/HT4802 http://support.apple.com/kb/HT4803 http://support.apple.com/kb/HT5002 http://www.appleinsider.com/articles/11/07/06/hackers_release_new_browser_based_ios_jailbreak_based_on_pdf_exploit.html DSA-2294 MDVSA-2011:120 RHSA-2011:1085 48619 The queueing primitives in IOMobileFrameBuffer in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 do not properly perform type conversion, which allows local users to gain privileges via a crafted application. APPLE-SA-2011-07-15-1 APPLE-SA-2011-07-15-2 http://support.apple.com/kb/HT4802 http://support.apple.com/kb/HT4803 The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middle attackers to spoof an SSL server by using a non-CA certificate to sign a certificate for an arbitrary domain. APPLE-SA-2011-07-25-2 APPLE-SA-2011-07-25-1 8361 1025837 http://support.apple.com/kb/HT4824 http://support.apple.com/kb/HT4825 20110725 TWSL2011-007: iOS SSL Implementation Does Not Validate Certificate Chain 48877 https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt Apple Type Services (ATS) in Apple Mac OS X through 10.6.8 does not properly handle embedded Type 1 fonts, which allows remote attackers to execute arbitrary code via a crafted document that triggers an out-of-bounds memory access. APPLE-SA-2011-10-12-3 http://support.apple.com/kb/HT5002 50085 50091 Buffer overflow in the ATSFontDeactivate API in Apple Type Services (ATS) in Apple Mac OS X before 10.7.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors. APPLE-SA-2011-10-12-3 http://support.apple.com/kb/HT5002 50085 CFNetwork in Apple Mac OS X before 10.7.2 does not properly follow an intended cookie-storage policy, which makes it easier for remote web servers to track users via a cookie, related to a "synchronization issue." APPLE-SA-2011-10-12-3 http://support.apple.com/kb/HT5002 50085 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 Heap-based buffer overflow in ImageIO in Apple Safari before 5.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image with CCITT Group 4 encoding. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-12-2 APPLE-SA-2012-02-01-1 APPLE-SA-2012-05-09-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT5001 http://support.apple.com/kb/HT5130 http://support.apple.com/kb/HT5281 Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving a URL that contains a username. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4999 WebKit in Apple Safari before 5.0.6 allows user-assisted remote attackers to read arbitrary files via vectors related to improper canonicalization of URLs within RSS feeds. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4808 Buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted pict file. APPLE-SA-2011-08-03-1 oval:org.mitre.oval:def:15755 Heap-based buffer overflow in Apple QuickTime before 7.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file. APPLE-SA-2011-08-03-1 oval:org.mitre.oval:def:15681 Multiple stack-based buffer overflows in Apple QuickTime before 7.7 on Windows allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted H.264 movie. APPLE-SA-2011-08-03-1 oval:org.mitre.oval:def:16186 Stack-based buffer overflow in the QuickTime ActiveX control in Apple QuickTime before 7.7 on Windows, when Internet Explorer is used, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted QTL file. APPLE-SA-2011-08-03-1 Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STSC atoms in a QuickTime movie file. APPLE-SA-2011-08-03-1 APPLE-SA-2011-10-12-3 http://support.apple.com/kb/HT5002 oval:org.mitre.oval:def:16089 Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STSS atoms in a QuickTime movie file. APPLE-SA-2011-08-03-1 APPLE-SA-2011-10-12-3 http://support.apple.com/kb/HT5002 oval:org.mitre.oval:def:15885 Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STSZ atoms in a QuickTime movie file. APPLE-SA-2011-08-03-1 APPLE-SA-2011-10-12-3 http://support.apple.com/kb/HT5002 oval:org.mitre.oval:def:16143 Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STTS atoms in a QuickTime movie file. APPLE-SA-2011-08-03-1 APPLE-SA-2011-10-12-3 http://support.apple.com/kb/HT5002 oval:org.mitre.oval:def:15884 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 Integer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted track run atoms in a QuickTime movie file. http://support.apple.com/kb/HT4826 oval:org.mitre.oval:def:16097 Integer signedness error in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PnSize opcode in a PICT file that triggers a stack-based buffer overflow. 8365 http://support.apple.com/kb/HT4826 17777 http://zerodayinitiative.com/advisories/ZDI-11-252/ oval:org.mitre.oval:def:16059 Apple QuickTime before 7.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted image description associated with an mp4v tag in a movie file. 8368 http://support.apple.com/kb/HT4826 20110831 ZDI-11-277: Apple QuickTime 3g2 'mp4v' atom size Remote Code Execution Vulnerability http://zerodayinitiative.com/advisories/ZDI-11-277/ quicktime-mp4v-bo(69518) oval:org.mitre.oval:def:15671 CoreFoundation, as used in Apple iTunes before 10.5, does not properly perform string tokenization, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors. APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-12-3 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT5002 50067 oval:org.mitre.oval:def:16919 The CoreProcesses component in Apple Mac OS X 10.7 before 10.7.2 does not prevent a system window from receiving keystrokes in the locked-screen state, which might allow physically proximate attackers to bypass intended access restrictions by typing into this window. APPLE-SA-2011-10-12-3 http://support.apple.com/kb/HT5002 50085 Unspecified vulnerability in jovgraph.exe in jovgraph in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a malformed displayWidth option in the arg parameter. HPSBMA02621 45762 1024951 ADV-2011-0085 http://www.zerodayinitiative.com/advisories/ZDI-11-003/ hp-opennnm-jovgraph-bo(64655) Buffer overflow in the stringToSeconds function in ovutil.dll in ovwebsnmpsrv.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via large values of variables to jovgraph.exe. SSRT100352 45762 1024951 ADV-2011-0085 http://www.zerodayinitiative.com/advisories/ZDI-11-004/ hp-opennnm-ovutildll-bo(64654) Multiple stack-based buffer overflows in ovas.exe in the OVAS service in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allow remote attackers to execute arbitrary code via a long (1) Source Node or (2) Destination Node variable. HPSBMA02621 45762 1024951 ADV-2011-0085 http://www.zerodayinitiative.com/advisories/ZDI-11-005/ hp-opennnm-ovas-bo(64653) Stack-based buffer overflow in ovutil.dll in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long COOKIE variable. HPSBMA02621 45762 1024951 ADV-2011-0085 http://www.zerodayinitiative.com/advisories/ZDI-11-006/ hp-opennnm-ovutil-bo(64652) Buffer overflow in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long data_select1 parameter. SSRT100352 45762 1024951 ADV-2011-0085 http://www.zerodayinitiative.com/advisories/ZDI-11-007/ hp-opennnm-dataselect1-bo(64651) Buffer overflow in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long nameParams parameter, a different vulnerability than CVE-2011-0267.2. 8151 SSRT100352 45762 1024951 ADV-2011-0085 http://www.zerodayinitiative.com/advisories/ZDI-11-008/ hp-opennnm-nameparams-bo(64650) Multiple buffer overflows in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allow remote attackers to execute arbitrary code via a long (1) schdParams or (2) nameParams parameter, a different vulnerability than CVE-2011-0266. 8156 17038 SSRT100352 45762 1024951 ADV-2011-0085 http://www.zerodayinitiative.com/advisories/ZDI-11-009/ hp-opennnm-schdparams-bo(64649) Buffer overflow in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long text1 parameter. HPSBMA02621 45762 1024951 ADV-2011-0085 http://www.zerodayinitiative.com/advisories/ZDI-11-010/ hp-opennnm-text1-bo(64648) Buffer overflow in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long schd_select1 parameter. HPSBMA02621 45762 1024951 ADV-2011-0085 http://www.zerodayinitiative.com/advisories/ZDI-11-011/ hp-opennnm-schdselect1-bo(64647) Format string vulnerability in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via format string specifiers in input data that involves an invalid template name. HPSBMA02621 45762 1024951 ADV-2011-0085 http://www.zerodayinitiative.com/advisories/ZDI-11-012/ hp-opennnm-nnmrptconfig-format-string(64646) The CGI scripts in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 do not properly validate an unspecified parameter, which allows remote attackers to execute arbitrary commands by using a command string for this parameter's value, related to a "command injection vulnerability." 20110110 HP Network Node Manager Command Injection Vulnerability SSRT100352 45762 1024951 ADV-2011-0085 hp-opennnm-cgi-command-exec(64657) Unspecified vulnerability in HP LoadRunner 9.52 allows remote attackers to execute arbitrary code via network traffic to TCP port 5001 or 5002, related to the HttpTunnel feature. 1024956 SSRT100195 45792 ADV-2011-0095 loadrunner-unspec-code-execution(64659) Buffer overflow in crs.exe in HP OpenView Storage Data Protector Cell Manager 6.11 allows remote attackers to execute arbitrary code via unspecified message types. 1024983 HPSBMA02625 ADV-2011-0177 http://www.zerodayinitiative.com/advisories/ZDI-11-024/ hp-openview-storage-code-execution(64818) Cross-site scripting (XSS) vulnerability in HP Business Availability Center (BAC) 7.x through 7.55 and 8.x through 8.05, and Business Service Management (BSM) through 9.01, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. SSRT100342 1024986 45944 ADV-2011-0188 hp-bac-bsm-xss(64846) Unspecified vulnerability in HP OpenView Storage Data Protector 6.0, 6.10, and 6.11 allows remote attackers to cause a denial of service via unknown vectors. SSRT100301 1024991 46018 ADV-2011-0218 hp-openview-storage-dos(64932) HP OpenView Performance Insight Server 5.2, 5.3, 5.31, 5.4, and 5.41 contains a "hidden account" in the com.trinagy.security.XMLUserManager Java class, which allows remote attackers to execute arbitrary code via the doPost method in the com.trinagy.servlet.HelpManagerServlet class. SSRT090246 8136 16984 20110131 ZDI-11-034: HP OpenView Performance Insight Server Backdoor Account Code Execution Vulnerability 46079 1025014 ADV-2011-0258 http://www.zerodayinitiative.com/advisories/ZDI-11-034 openview-dopost-code-execution(65038) Cross-site request forgery (CSRF) vulnerability in HP Power Manager (HPPM) 4.3.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts. SSRT100381 46258 1025032 Unspecified vulnerability in HP Web Jetadmin 10.2 Service Release 3 and 4 allows local users to bypass intended access restrictions via unknown vectors. SSRT100391 1025130 46595 ADV-2011-0516 HP Multifunction Peripheral (MFP) Digital Sending Software (DSS) 4.91.00 does not properly configure authentication settings of managed devices within device templates, which allows attackers to access these devices via actions that were intended to require authentication. HPSBPI02640 46679 1025155 ADV-2011-0561 hp-mfpdigitalsending-sec-bypass(65866) Multiple cross-site scripting (XSS) vulnerabilities in HP Power Manager (HPPM) 4.3.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the logType parameter to Contents/exportlogs.asp, (2) the Id parameter to Contents/pagehelp.asp, or the (3) SORTORD or (4) SORTCOL parameter to Contents/applicationlogs.asp. NOTE: some of these details are obtained from third party information. SSRT100381 46830 powermanager-unspecified-xss(66035) The unparse implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (file descriptor exhaustion and daemon hang) via a principal name that triggers use of a backslash escape sequence, as demonstrated by a \n sequence. SUSE-SR:2011:004 [kerberos] 20101222 LDAP handle unavailable: Can't contact LDAP server 8073 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt MDVSA-2011:024 MDVSA-2011:025 RHSA-2011:0199 RHSA-2011:0200 20110208 MITKRB5-SA-2011-002 KDC denial of service attacks [CVE-2011-0281 CVE-2011-0282 CVE-2011-0283] 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console 46265 1025037 http://www.vmware.com/security/advisories/VMSA-2011-0012.html ADV-2011-0330 ADV-2011-0333 ADV-2011-0347 ADV-2011-0464 kerberos-ldap-descriptor-dos(65324) The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (NULL pointer dereference or buffer over-read, and daemon crash) via a crafted principal name. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' SUSE-SR:2011:004 8073 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt MDVSA-2011:024 MDVSA-2011:025 RHSA-2011:0199 RHSA-2011:0200 20110208 MITKRB5-SA-2011-002 KDC denial of service attacks [CVE-2011-0281 CVE-2011-0282 CVE-2011-0283] 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console 46271 1025037 http://www.vmware.com/security/advisories/VMSA-2011-0012.html ADV-2011-0330 ADV-2011-0333 ADV-2011-0347 ADV-2011-0464 kerberos-ldap-dos(65323) The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed request packet that does not trigger a response packet. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' 8073 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt 20110208 MITKRB5-SA-2011-002 KDC denial of service attacks [CVE-2011-0281 CVE-2011-0282 CVE-2011-0283] 46272 1025037 ADV-2011-0330 Double free vulnerability in the prepare_error_as function in do_as_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 through 1.9, when the PKINIT feature is enabled, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via an e_data field containing typed data. FEDORA-2011-3547 FEDORA-2011-3464 FEDORA-2011-3462 SUSE-SR:2011:005 1025216 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt VU#943220 MDVSA-2011:048 RHSA-2011:0356 20110315 MITKRB5-SA-2011-003 [CVE-2011-0284] KDC double-free when PKINIT enabled 46881 USN-1088-1 ADV-2011-0672 ADV-2011-0673 ADV-2011-0680 ADV-2011-0722 ADV-2011-0763 kerberos-perpareerroras-code-execution(66101) The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621726 http://krbdev.mit.edu/rt/Ticket/Display.html?id=6899 FEDORA-2011-5333 8200 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-004.txt MDVSA-2011:077 RHSA-2011:0447 20110413 MITKRB5-SA-2011-004 kadmind invalid pointer free() [CVE-2011-0285] 47310 1025320 ADV-2011-0936 ADV-2011-0986 ADV-2011-0997 openSUSE-SU-2011:0348 Cross-site scripting (XSS) vulnerability in webdesktop/app in the BlackBerry Web Desktop Manager component in Research In Motion (RIM) BlackBerry Enterprise Server (BES) software before 5.0.2 MR5 and 5.0.3 before MR1, and BlackBerry Enterprise Server Express software 5.0.1 and 5.0.2, allows remote attackers to inject arbitrary web script or HTML via the displayErrorMessage parameter in a ManageDevices action. 1025356 http://www.blackberry.com/btsc/KB26296 http://www.cybsec.com/vuln/CYBSEC_Advisory_2011_0401_Cross_Site_Scripting_XSS_in_Blackberry_WebDesktop.pdf 47324 ADV-2011-0971 Unspecified vulnerability in the BlackBerry Administration API in Research In Motion (RIM) BlackBerry Enterprise Server (BES) software 5.0.1 through 5.0.3, and BlackBerry Enterprise Server Express software 5.0.1 through 5.0.3, allows remote attackers to read text files or cause a denial of service via unknown vectors. http://www.blackberry.com/btsc/KB27258 48655 The BlackBerry Collaboration Service in Research In Motion (RIM) BlackBerry Enterprise Server (BES) 5.0.3 through MR4 for Microsoft Exchange and Lotus Domino allows remote authenticated users to log into arbitrary user accounts associated with the same organization, and send messages, read messages, read contact lists, or cause a denial of service (login unavailability), via unspecified vectors. 1026179 http://www.blackberry.com/btsc/KB28524 50064 bes-collaboration-service-spoofing(70519) The BlackBerry PlayBook service on the Research In Motion (RIM) BlackBerry PlayBook tablet with software before 1.0.8.6067 allows local users to gain privileges via a crafted configuration file in a backup archive. http://blackberry.com/btsc/KB29191 1026386 50931 blackberry-playbook-priv-esc(71659) Buffer overflow in IBM WebSphere MQ 7.0 before 7.0.1.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted header field in a message. 45923 ADV-2011-0128 http://www-01.ibm.com/support/docview.wss?uid=swg27014224 wmq-messageheader-bo(64628) IZ77607 The class file parser in IBM Java before 1.4.2 SR13 FP9, as used in IBM Runtimes for Java Technology 5.0.0 before SR13 and 6.0.0 before SR10, allows remote authenticated users to cause a denial of service (JVM segmentation fault, and possibly memory consumption or an infinite loop) via a crafted attribute length field in a class file, which triggers a buffer over-read. SUSE-SA:2011:024 SUSE-SU-2011:0823 RHSA-2011:1159 RHSA-2011:1265 IZ89602 IZ89620 ibm-rjt-classfile-dos(65189) PM42551 Heap-based buffer overflow in IBM WebSphere MQ 6.0 before 6.0.2.11 and 7.0 before 7.0.1.5 allows remote authenticated users to execute arbitrary code or cause a denial of service (queue manager crash) by inserting an invalid message into the queue. 45801 IZ81294 wmq-message-bo(64550) Cross-site scripting (XSS) vulnerability in the Servlet Engine / Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to the lack of an error page for an application. 46736 ADV-2011-0564 PM18512 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 was-webcontainer-xss(64554) The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 does not properly restrict access to console servlets, which allows remote attackers to obtain potentially sensitive status information via a direct request. 46736 ADV-2011-0564 PM24372 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 was-consoleservlet-info-disclosure(64558) Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0318, CVE-2011-0319, CVE-2011-0320, CVE-2011-0335, CVE-2011-2119, and CVE-2011-2122. http://www.adobe.com/support/security/bulletins/apsb11-17.html TA11-166A Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0317, CVE-2011-0319, CVE-2011-0320, CVE-2011-0335, CVE-2011-2119, and CVE-2011-2122. http://www.adobe.com/support/security/bulletins/apsb11-17.html TA11-166A Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0317, CVE-2011-0318, CVE-2011-0320, CVE-2011-0335, CVE-2011-2119, and CVE-2011-2122. http://www.adobe.com/support/security/bulletins/apsb11-17.html TA11-166A Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0317, CVE-2011-0318, CVE-2011-0319, CVE-2011-0335, CVE-2011-2119, and CVE-2011-2122. http://www.adobe.com/support/security/bulletins/apsb11-17.html TA11-166A librpc.dll in nsrexecd in EMC NetWorker before 7.5 SP4, 7.5.3.x before 7.5.3.5, and 7.6.x before 7.6.1.2 does not properly mitigate the possibility of a spoofed localhost source IP address, which allows remote attackers to (1) register or (2) unregister RPC services, and consequently cause a denial of service or obtain sensitive information from interprocess communication, via crafted UDP packets containing service commands. 20110126 ESA-2011-003: EMC NetWorker librpc.dll spoofing vulnerability. http://archives.neohapsis.com/archives/bugtraq/2011-01/att-0162/ESA-2011-003.txt 1025010 46044 ADV-2011-0241 networker-librpc-security-bypass(64997) Unspecified vulnerability in EMC RSA Access Manager Server 5.5.x, 6.0.x, and 6.1.x allows remote attackers to access resources via unknown vectors. 8142 20110315 ESA-2011-009: RSA, The Security Division of EMC, announces a fix for potential security vulnerability in RSA Access Manager Server 46875 1025214 ADV-2011-0676 rsa-unspecified-security-bypass(66104) Topaz Systems SigPlus Pro ActiveX Control 3.95, and possibly other versions before 4.29, allows remote attackers to execute arbitrary code by calling the exposed unsafe (1) SetLogFilePath and (2) SigMessage methods to create arbitrary files with arbitrary content. 46128 sigplus-sigmessage-file-overwrite(65117) Multiple heap-based buffer overflows in Topaz Systems SigPlus Pro ActiveX Control 3.95, and possibly other versions before 4.29, allow remote attackers to execute arbitrary code via a long (1) KeyString property, (2) NewPath parameter to the SetLocalIniFilePath method, or (3) NewPortPath parameter to the SetTabletPortPath method. 46128 sigplus-keystring-bo(65114) sigplus-newpath-bo(65115) sigplus-newportpath-bo(65116) Directory traversal vulnerability in the GetData method in the Dell DellSystemLite.Scanner ActiveX control in DellSystemLite.ocx 1.0.0.0 allows remote attackers to read arbitrary files via directory traversal sequences in the fileID parameter. 46443 1025094 The Dell DellSystemLite.Scanner ActiveX control in DellSystemLite.ocx 1.0.0.0 does not properly restrict the values of the WMIAttributesOfInterest property, which allows remote attackers to execute arbitrary WMI Query Language (WQL) statements via a crafted value, as demonstrated by a value that triggers disclosure of information about installed software. 46443 1025094 Use-after-free vulnerability in the addOSPLext method in the Honeywell ScanServer ActiveX control 780.0.20.5 allows remote attackers to execute arbitrary code via a crafted HTML document. 46930 ADV-2011-0725 Integer overflow in Foxit Reader before 4.3.1.0218 and Foxit Phantom before 2.3.3.1112 allows remote attackers to execute arbitrary code via crafted ICC chunks in a PDF file, which triggers a heap-based buffer overflow. http://www.foxitsoftware.com/pdf/reader/security_bulletins.php#memory 1025129 ADV-2011-0508 Heap-based buffer overflow in the NgwiCalVTimeZoneBody::ParseSelf function in gwwww1.dll in GroupWise Internet Agent (GWIA) in Novell GroupWise 8.0 before HP3 allows remote attackers to execute arbitrary code via a crafted TZNAME variable in a VCALENDAR attachment in an e-mail message, related to an "integer truncation error." http://www.novell.com/support/viewContent.do?externalId=7009208 https://bugzilla.novell.com/show_bug.cgi?id=678715 20110926 Novell GroupWise iCal TZNAME Heap Overflow Vulnerability Stack-based buffer overflow in gwia.exe in GroupWise Internet Agent (GWIA) in Novell GroupWise 8.0 before HP3 allows remote attackers to execute arbitrary code via a long HTTP request for a .css file. http://www.novell.com/support/viewContent.do?externalId=7009210 https://bugzilla.novell.com/show_bug.cgi?id=678939 Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0317, CVE-2011-0318, CVE-2011-0319, CVE-2011-0320, CVE-2011-2119, and CVE-2011-2122. http://www.adobe.com/support/security/bulletins/apsb11-17.html TA11-166A Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol.ocx 61.6.0.0 and 301.1009.2904.0 in the ISSymbol virtual machine, as distributed in Advantech Studio 6.1 SP6 61.6.01.05, InduSoft Web Studio before 7.0+SP1, and InduSoft Thin Client 7.0, allow remote attackers to execute arbitrary code via a long (1) InternationalOrder, (2) InternationalSeparator, or (3) LogFileName property value; or (4) a long bstrFileName argument to the OpenScreen method. http://ics-cert.us-cert.gov/advisories/ICSA-12-249-03 http://www.advantechdirect.com/eMarketingPrograms/AStudio_Patch/AStudio7.0_Patch_Final.htm http://www.indusoft.com/hotfixes/hotfixes.php 47596 http://www.us-cert.gov/control_systems/pdf/ICSA-12-137-02.pdf ADV-2011-1115 ADV-2011-1116 Stack-based buffer overflow in the pdfmoz_onmouse function in apps/mozilla/moz_main.c in the MuPDF plug-in 2008.09.02 for Firefox allows remote attackers to execute arbitrary code via a crafted web site. 47739 ADV-2011-1191 mupdf-pdfmozonmouse-bo(67298) Multiple buffer overflows in the InduSoft ISSymbol ActiveX control in ISSymbol.ocx 301.1104.601.0 in InduSoft Web Studio 7.0B2 hotfix 7.0.01.04 allow remote attackers to execute arbitrary code via a long parameter to the (1) Open, (2) Close, or (3) SetCurrentLanguage method. http://ics-cert.us-cert.gov/advisories/ICSA-11-273-02 http://www.indusoft.com/hotfixes/hotfixes.php 49403 Balabit syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE, when running on FreeBSD or HP-UX, does not properly perform cast operations, which causes syslog-ng to use a default value of -1 to create log files with insecure permissions (07777), which allows local users to read and write to these log files. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608491 20110125 syslog-ng wrong file permission vulnerability 45988 [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.0.6a has been released [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.2.1a has been released Multiple stack-based buffer overflows in unspecified CGI programs in the Unified Maintenance Tool web interface in the embedded web server in the Communication Server (CS) in Alcatel-Lucent OmniPCX Enterprise before R9.0 H1.301.50 allow remote attackers to execute arbitrary code via crafted HTTP headers. 20110301 Alcatel-Lucent OmniPCX Enterprise CS CGI Cookie Buffer Overflow Vulnerability http://www.alcatel-lucent.com/wps/DocumentStreamerServlet?LMSG_CABINET=Corporate&LMSG_CONTENT_FILE=Support/Security/2011001.pdf 46640 ADV-2011-0549 omnipcx-unified-maintenance-bo(65849) Directory traversal vulnerability in the NMS server in Alcatel-Lucent OmniVista 4760 R5.1.06.03 and earlier allows remote attackers to read arbitrary files via directory traversal sequences in HTTP GET requests, related to the lang variable. 20110301 DDIVRT-2010-30 Alcatel-Lucent OmniVista 4760 NMS 'lang' Directory Traversal Vulnerability [ CVE-2011-0345 ] 8122 http://www.alcatel-lucent.com/wps/DocumentStreamerServlet?LMSG_CABINET=Corporate&LMSG_CONTENT_FILE=Support/Security/2011002.pdf 20110301 DDIVRT-2010-30 Alcatel-Lucent OmniVista 4760 NMS 'lang' Directory Traversal Vulnerability [ CVE-2011-0345 ] 46624 ADV-2011-0548 omnivista-lang-file-include(65848) Use-after-free vulnerability in the ReleaseInterface function in MSHTML.DLL in Microsoft Internet Explorer 6, 7, and 8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to the DOM implementation and the BreakAASpecial and BreakCircularMemoryReferences functions, as demonstrated by cross_fuzz, aka "MSHTML Memory Corruption Vulnerability." 20110101 Announcing cross_fuzz, a potential 0-day in circulation, and more http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html http://lcamtuf.coredump.cx/cross_fuzz/fuzzer_timeline.txt http://lcamtuf.coredump.cx/cross_fuzz/known_vuln.txt http://lcamtuf.coredump.cx/cross_fuzz/msie_crash.txt VU#427980 20110101 Announcing cross_fuzz, a potential 0-day in circulation, and more 45639 1024940 TA11-102A ADV-2011-0026 MS11-018 ms-ie-releaseinterface-code-execution(64482) oval:org.mitre.oval:def:11882 Microsoft Internet Explorer on Windows XP allows remote attackers to trigger an incorrect GUI display and have unspecified other impact via vectors related to the DOM implementation, as demonstrated by cross_fuzz. 20110101 Announcing cross_fuzz, a potential 0-day in circulation, and more http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html http://lcamtuf.coredump.cx/cross_fuzz/fuzzer_timeline.txt http://lcamtuf.coredump.cx/cross_fuzz/msie_display.jpg http://www.microsoft.com/technet/security/advisory/2490606.mspx 20110101 Announcing cross_fuzz, a potential 0-day in circulation, and more ms-ie-gui-weak-security(64571) oval:org.mitre.oval:def:12514 Cisco IOS 12.4(11)MD, 12.4(15)MD, 12.4(22)MD, 12.4(24)MD before 12.4(24)MD3, 12.4(22)MDA before 12.4(22)MDA5, and 12.4(24)MDA before 12.4(24)MDA3 on the Cisco Content Services Gateway Second Generation (aka CSG2) allows remote attackers to bypass intended access restrictions and intended billing restrictions by sending HTTP traffic to a restricted destination after sending HTTP traffic to an unrestricted destination, aka Bug ID CSCtk35917. 1024992 20110126 Cisco Content Services Gateway Vulnerabilities 46022 ADV-2011-0229 cisco-csg2-policy-security-bypass(64936) Unspecified vulnerability in Cisco IOS 12.4(24)MD before 12.4(24)MD2 on the Cisco Content Services Gateway Second Generation (aka CSG2) allows remote attackers to cause a denial of service (device hang or reload) via crafted TCP packets, aka Bug ID CSCth17178, a different vulnerability than CVE-2011-0350. 1024992 20110126 Cisco Content Services Gateway Vulnerabilities 46026 ADV-2011-0229 cisco-csg2-tcp-dos(64937) Unspecified vulnerability in Cisco IOS 12.4(24)MD before 12.4(24)MD2 on the Cisco Content Services Gateway Second Generation (aka CSG2) allows remote attackers to cause a denial of service (device hang or reload) via crafted TCP packets, aka Bug ID CSCth41891, a different vulnerability than CVE-2011-0349. 1024992 20110126 Cisco Content Services Gateway Vulnerabilities 46028 ADV-2011-0229 cisco-csg2-tcp-packets-dos(64938) Buffer overflow in the web-based management interface on the Cisco Linksys WRT54GC router with firmware before 1.06.1 allows remote attackers to cause a denial of service (device crash) via a long string in a POST request. JVN#26605630 JVNDB-2011-000007 http://tools.cisco.com/security/center/viewAlert.x?alertId=22228 ADV-2011-0205 wrt54gc-interface-bo(64850) The default configuration of Cisco Tandberg C Series Endpoints, and Tandberg E and EX Personal Video units, with software before TC4.0.0 has a blank password for the root account, which makes it easier for remote attackers to obtain access via an unspecified login method. 8060 1025017 http://tools.cisco.com/security/center/viewAlert.x?alertId=22314 20110202 Default Credentials for Root Account on Tandberg E, EX and C Series Endpoints 16100 VU#436854 46107 Cisco Nexus 1000V Virtual Ethernet Module (VEM) 4.0(4) SV1(1) through SV1(3b), as used in VMware ESX 4.0 and 4.1 and ESXi 4.0 and 4.1, does not properly handle dropped packets, which allows guest OS users to cause a denial of service (ESX or ESXi host OS crash) by sending an 802.1Q tagged packet over an access vEthernet port, aka Cisco Bug ID CSCtj17451. [security-announce] 20110207 VMSA-2011-0002 Cisco Nexus 1000V VEM updates address denial of service in VMware ESX/ESXi 8090 1025030 http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3_c/release/notes/n1000v_rn.html 20110208 VMSA-2011-0002 Cisco Nexus 1000V VEM updates address denial of service in VMware ESX/ESXi 46247 http://www.vmware.com/security/advisories/VMSA-2011-0002.html ADV-2011-0314 ADV-2011-0315 cisco-nexus-packets-dos(65217) The Management Console (webagent.exe) in Cisco Security Agent 5.1, 5.2, and 6.0 before 6.0.2.145 allows remote attackers to create arbitrary files and execute arbitrary code via unspecified parameters in a crafted st_upload request. 8095 8197 8205 20110216 Management Center for Cisco Security Agent Remote Code Execution Vulnerability 20110217 ZDI-11-088: Cisco Security Agent Management st_upload Remote Code Execution Vulnerability 46420 1025088 ADV-2011-0424 http://www.zerodayinitiative.com/advisories/ZDI-11-088 cisco-security-webagent-file-upload(65436) The CGI implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.5.x allows remote attackers to execute arbitrary commands via a malformed request, related to "command injection vulnerabilities," aka Bug ID CSCtb31640. 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices 1025112 The CGI implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.5.x allows remote authenticated users to execute arbitrary commands via a malformed request, related to "command injection vulnerabilities," aka Bug ID CSCtb31685. 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices 1025112 The CGI implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.5.x allows remote authenticated users to execute arbitrary commands via a malformed request, related to "command injection vulnerabilities," aka Bug ID CSCtb31659. 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices 1025112 The CGI implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.6.x allows remote authenticated users to execute arbitrary commands via a malformed request, related to "command injection vulnerabilities," aka Bug ID CSCth24671. 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices 1025112 The TFTP implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.5.x, 1.6.0, and 1.6.1 allows remote attackers to obtain sensitive information via a GET request, aka Bug ID CSCte43876. 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices 1025112 Cisco TelePresence endpoint devices with software 1.2.x through 1.6.x allow remote attackers to cause a denial of service (service crash) via a malformed SOAP request in conjunction with a spoofed TelePresence Manager that supplies an invalid IP address, aka Bug ID CSCth03605. 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices 1025112 cisco-endpoint-ipaddress-dos(65616) The XML-RPC implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.5.x allows remote attackers to execute arbitrary commands via a TCP request, related to a "command injection vulnerability," aka Bug ID CSCtb52587. 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices 1025112 Buffer overflow on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 1.6.x; Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x; Cisco TelePresence endpoint devices with software 1.2.x through 1.6.x; and Cisco TelePresence Manager 1.2.x, 1.3.x, 1.4.x, 1.5.x, and 1.6.2 allows remote attackers to execute arbitrary code via a crafted Cisco Discovery Protocol packet, aka Bug IDs CSCtd75769, CSCtd75766, CSCtd75754, and CSCtd75761. 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch 20110223 Multiple Vulnerabilities in Cisco TelePresence Manager 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices 1025111 1025112 1025113 1025114 Cisco TelePresence Manager 1.2.x through 1.6.x allows remote attackers to bypass authentication and invoke arbitrary methods via a malformed SOAP request, aka Bug ID CSCtc59562. 20110223 Multiple Vulnerabilities in Cisco TelePresence Manager 46526 1025111 telepresence-soap-security-bypass(65618) Cisco TelePresence Manager 1.2.x through 1.6.x allows remote attackers to perform unspecified actions and consequently execute arbitrary code via a crafted request to the Java RMI interface, related to a "command injection vulnerability," aka Bug ID CSCtf97085. 20110223 Multiple Vulnerabilities in Cisco TelePresence Manager 46526 1025111 telepresence-manager-rmi-command-exec(65619) The CGI subsystem on Cisco TelePresence Recording Server devices with software 1.6.x before 1.6.2 allows remote attackers to execute arbitrary commands via a request to TCP port 443, related to a "command injection vulnerability," aka Bug ID CSCtf97221. 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server 46522 1025114 The Java Servlet framework on Cisco TelePresence Recording Server devices with software 1.6.x before 1.6.2 and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x does not require administrative authentication for unspecified actions, which allows remote attackers to execute arbitrary code via a crafted request, aka Bug IDs CSCtf42005 and CSCtf42008. 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch 46519 1025113 1025114 telepresence-java-unauth-access(65602) The Java Servlet framework on Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x does not require administrative authentication for unspecified actions, which allows remote attackers to execute arbitrary code via a crafted request, aka Bug ID CSCtf01253. 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch 46520 1025113 cisco-switch-java-unauth-access(65620) The administrative web interface on Cisco TelePresence Recording Server devices with software 1.6.x and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allows remote attackers to create or overwrite arbitrary files, and possibly execute arbitrary code, via a crafted request, aka Bug IDs CSCth85786 and CSCth61065. 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch 1025113 1025114 telepresence-interface-file-upload(65604) The XML-RPC implementation on Cisco TelePresence Recording Server devices with software 1.6.x and 1.7.x before 1.7.1 allows remote attackers to overwrite files and consequently execute arbitrary code via a malformed request, aka Bug ID CSCti50739. 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server 46522 1025114 telepresence-xmlrpc-file-overwrite(65605) The administrative web interface on Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allows remote authenticated users to cause a denial of service or have unspecified other impact via vectors involving access to a servlet, aka Bug ID CSCtf97164. 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch 46520 1025113 cisco-multipoint-interface-dos(65621) Cisco TelePresence Recording Server devices with software 1.6.x and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x do not properly restrict remote access to the Java servlet RMI interface, which allows remote attackers to cause a denial of service (memory consumption and web outage) via multiple crafted requests, aka Bug IDs CSCtg35830 and CSCtg35825. 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch 46523 1025113 1025114 Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allow remote attackers to cause a denial of service (process crash) via a crafted Real-Time Transport Control Protocol (RTCP) UDP packet, aka Bug ID CSCth60993. 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch 46520 1025113 cisco-multipoint-rtpc-dos(65622) The XML-RPC implementation on Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, 1.6.x, and 1.7.0 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka Bug ID CSCtj44534. 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch 46520 1025113 telepresence-multipoint-xmlrpc-dos(65623) Cisco TelePresence Recording Server devices with software 1.6.x allow remote attackers to cause a denial of service (thread consumption and device outage) via a malformed request, related to an "ad hoc recording" issue, aka Bug ID CSCtf97205. 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server 46522 1025114 telepresence-adhoc-dos(65607) Cisco TelePresence Recording Server devices with software 1.6.x do not require authentication for an XML-RPC interface, which allows remote attackers to perform unspecified actions via a session on TCP port 8080, aka Bug ID CSCtg35833. 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server 46522 1025114 telepresence-xmlrpc-security-bypass(65609) Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.0 before 7.0(8.12), 7.1 and 7.2 before 7.2(5.2), 8.0 before 8.0(5.21), 8.1 before 8.1(2.49), 8.2 before 8.2(3.6), and 8.3 before 8.3(2.7) and Cisco PIX Security Appliances 500 series devices, when transparent firewall mode is configured but IPv6 is not configured, allow remote attackers to cause a denial of service (packet buffer exhaustion and device outage) via IPv6 traffic, aka Bug ID CSCtj04707. 20110223 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 1025108 ADV-2011-0493 asa-packet-buffer-dos(65589) Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.0 before 7.0(8.11), 7.1 and 7.2 before 7.2(5.1), 8.0 before 8.0(5.19), 8.1 before 8.1(2.47), 8.2 before 8.2(2.19), and 8.3 before 8.3(1.8); Cisco PIX Security Appliances 500 series devices; and Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(20), 3.2 before 3.2(20), 4.0 before 4.0(15), and 4.1 before 4.1(5) allow remote attackers to cause a denial of service (device reload) via a malformed Skinny Client Control Protocol (SCCP) message, aka Bug IDs CSCtg69457 and CSCtl84952. 20110223 Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability 20110223 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 46518 1025108 1025109 ADV-2011-0493 ADV-2011-0494 cisco-fwsm-sccp-dos(65593) Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.0 before 8.0(5.20), 8.1 before 8.1(2.48), 8.2 before 8.2(3), and 8.3 before 8.3(2.1), when the RIP protocol and the Cisco Phone Proxy functionality are configured, allow remote attackers to cause a denial of service (device reload) via a RIP update, aka Bug ID CSCtg66583. 20110223 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 1025108 ADV-2011-0493 asa-rip-dos(65590) Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.0 before 8.0(5.23), 8.1 before 8.1(2.49), 8.2 before 8.2(4.1), and 8.3 before 8.3(2.13), when a Certificate Authority (CA) is configured, allow remote attackers to read arbitrary files via unspecified vectors, aka Bug ID CSCtk12352. 20110223 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 1025108 ADV-2011-0493 asa-ca-unauth-access(65591) The Piwik_Common::getIP function in Piwik before 1.1 does not properly determine the client IP address, which allows remote attackers to bypass intended geolocation and logging functionality via (1) use of a private (aka RFC 1918) address behind a proxy server or (2) spoofing of the X-Forwarded-For HTTP header. http://dev.piwik.org/trac/ticket/567 http://piwik.org/blog/2011/01/piwik-1-1-2/ 45787 piwik-piwikcommongetip-security-bypass(64641) Piwik before 1.1 does not prevent the rendering of the login form inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. http://dev.piwik.org/trac/ticket/1679 http://piwik.org/blog/2011/01/piwik-1-1-2/ 45787 piwik-loginform-clickjacking(64640) Cookie.php in Piwik before 1.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. http://dev.piwik.org/trac/ticket/1795 http://piwik.org/blog/2011/01/piwik-1-1-2/ 45787 piwik-cookie-weak-security(64639) Piwik before 1.1 does not properly limit the number of files stored under tmp/sessions/, which might allow remote attackers to cause a denial of service (inode consumption) by establishing many sessions. http://dev.piwik.org/trac/ticket/1279#comment:13 http://dev.piwik.org/trac/ticket/1910 http://piwik.org/blog/2011/01/piwik-1-1-2/ 45787 piwik-sessions-dos(64638) dpkg-source in dpkg before 1.14.31 and 1.15.x allows user-assisted remote attackers to modify arbitrary files via a symlink attack on unspecified files in the .pc directory. FEDORA-2011-0362 FEDORA-2011-0345 DSA-2142 45703 USN-1038-1 ADV-2011-0040 ADV-2011-0044 ADV-2011-0196 dpkg-dpkgsource-symlink(64614) Untrusted search path vulnerability in ImgBurn.exe in ImgBurn 2.4.0.0, 2.5.4.0, and other versions allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a CUE file. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' http://packetstormsecurity.org/files/view/97207/imgburn-dllhijack.txt 45657 imgburn-dll-code-execution(64478) Stack-based buffer overflow in NetSupport Manager Agent for Linux 11.00, for Solaris 9.50, and for Mac OS X 11.00 allows remote attackers to execute arbitrary code via a long control hostname to TCP port 5405, probably a different vulnerability than CVE-2007-5252. 20110108 NetSupport Manager Agent Remote Buffer Overflow (Linux, Solaris, Mac, ...) 15937 16838 http://www.ikkisoft.com/stuff/netsupport_linux.txt 45728 1024943 ADV-2011-0062 netsupport-manager-client-bo(64546) Directory traversal vulnerability in module.php in PhpGedView 4.2.3 and possibly other versions, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the pgvaction parameter. http://sourceforge.net/projects/phpgedview/forums/forum/185166/topic/4040059 http://sourceforge.net/tracker/?func=detail&aid=3152857&group_id=55456&atid=477081 15913 45674 ADV-2011-0036 phpgedview-module-file-include(64733) Heap-based buffer overflow in HistorySvr.exe in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a long request to TCP port 777. 8134 http://thesauceofutterpwnage.blogspot.com/2011/01/waking-up-sleeping-dragon.html http://www.cnnvd.org.cn/showCnnvd.html?id=2011010108 15957 VU#180119 http://www.kingview.com/news/detail.aspx?contentid=528 45727 ADV-2011-0063 kingview-historysvr-bo(64559) SQL injection vulnerability in the store function in _phenotype/system/class/PhenoTypeDataObject.class.php in Phenotype CMS 3.0 allows remote attackers to execute arbitrary SQL commands via a crafted URI, as demonstrated by Gallery/gal_id/1/image1,1.html. NOTE: some of these details are obtained from third party information. http://www.htbridge.ch/advisory/sql_injection_in_phenotype_cms.html 20110106 SQL Injection in Phenotype CMS 45700 phenotypecms-uri-sql-injection(64538) pngrtran.c in libpng 1.5.x before 1.5.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted palette-based PNG image that triggers a buffer overflow, related to the png_do_expand_palette function, the png_do_rgb_to_gray function, and an integer underflow. NOTE: some of these details are obtained from third party information. 1024955 http://sourceforge.net/mailarchive/forum.php?thread_name=002b01cbb0e2%24ae636c80%240b2a4580%24%40acm.org&forum_name=png-mng-implement VU#643140 ADV-2011-0080 libpng-pngsetrgbtogray-bo(64637) CollabNet ScrumWorks Basic 1.8.4 uses cleartext credentials for network communication and the internal database, which makes it easier for context-dependent attackers to obtain sensitive information by (1) sniffing the network for transmissions of Java objects or (2) reading the database. VU#547167 scrumworks-base64-info-disclosure(64883) The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack. http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 APPLE-SA-2011-10-12-3 FEDORA-2011-3394 FEDORA-2011-3355 SUSE-SR:2011:009 GLSA-201206-33 1025179 http://support.apple.com/kb/HT5002 DSA-2233 VU#555316 http://www.kb.cert.org/vuls/id/MORO-8ELH6Z http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html http://www.postfix.org/CVE-2011-0411.html RHSA-2011:0422 RHSA-2011:0423 46767 ADV-2011-0611 ADV-2011-0752 ADV-2011-0891 multiple-starttls-command-execution(65932) Oracle Solaris 8, 9, and 10 stores back-out patch files (undo.Z) unencrypted with world-readable permissions under /var/sadm/pkg/, which allows local users to obtain password hashes and conduct brute force password guessing attacks. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Per: http://www.kb.cert.org/vuls/id/648244 'III. Solution Apply an Update Install patch 119254-80. Patch 119254-80 is also part of the April 1st recommended patch set for Solaris 10.' VU#648244 http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html 47171 ADV-2011-0882 solaris-password-info-disclosure(66579) The DHCPv6 server in ISC DHCP 4.0.x and 4.1.x before 4.1.2-P1, 4.0-ESV and 4.1-ESV before 4.1-ESV-R1, and 4.2.x before 4.2.1b1 allows remote attackers to cause a denial of service (assertion failure and daemon crash) by sending a message over IPv6 for a declined and abandoned address. FEDORA-2011-0862 1024999 DSA-2184 http://www.isc.org/software/dhcp/advisories/cve-2011-0413 VU#686084 MDVSA-2011:022 RHSA-2011:0256 46035 ADV-2011-0235 ADV-2011-0266 ADV-2011-0300 ADV-2011-0400 ADV-2011-0583 dhcp-dhcpv6-dos(64959) https://kb.isc.org/article/AA-00456 ISC BIND 9.7.1 through 9.7.2-P3, when configured as an authoritative server, allows remote attackers to cause a denial of service (deadlock and daemon hang) by sending a query at the time of (1) an IXFR transfer or (2) a DDNS update. SUSE-SR:2011:005 DSA-2208 http://www.isc.org/software/bind/advisories/cve-2011-0414 VU#449980 VU#559980 1025110 USN-1070-1 ADV-2011-0466 ADV-2011-0489 https://bugzilla.redhat.com/show_bug.cgi?id=679496 The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command. http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c#rev1.28 http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.27&r2=1.28&f=h 20110502 Multiple Vendors libc/glob(3) GLOB_BRACE|GLOB_LIMIT memory exhaustion 8228 MDVSA-2011:094 http://www.pureftpd.org/project/pure-ftpd/news 47671 ADV-2011-1273 https://bugzilla.redhat.com/show_bug.cgi?id=704283 Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd. http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/fnmatch.c#rev1.22 http://cxib.net/stuff/apache.fnmatch.phps http://cxib.net/stuff/apr_fnmatch.txts http://httpd.apache.org/security/vulnerabilities_22.html APPLE-SA-2011-10-12-3 SUSE-SU-2011:1229 HPSBUX02702 HPSBUX02707 SSRT100619 SSRT100966 48308 20110512 Multiple Vendors libc/fnmatch(3) DoS (incl apache) 8246 1025527 http://support.apple.com/kb/HT5002 http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902 http://svn.apache.org/viewvc?view=revision&revision=1098188 http://svn.apache.org/viewvc?view=revision&revision=1098799 http://www.apache.org/dist/apr/Announcement1.x.html http://www.apache.org/dist/apr/CHANGES-APR-1.4 http://www.apache.org/dist/httpd/Announcement2.2.html DSA-2237 [dev] 20110510 Re: fnmatch rewrite in apr, apr 1.4.3 [dev] 20110510 Re: Apache Portable Runtime 1.4.4 [...] Released [dev] 20110511 Re: Apache Portable Runtime 1.4.4 [...] Released MDVSA-2011:084 MDVSA-2013:150 http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fnmatch.c#rev1.15 http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html RHSA-2011:0507 RHSA-2011:0896 RHSA-2011:0897 https://bugzilla.redhat.com/show_bug.cgi?id=703390 [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:14638 oval:org.mitre.oval:def:14804 The grapheme_extract function in the Internationalization extension (Intl) for ICU for PHP 5.3.5 allows context-dependent attackers to cause a denial of service (crash) via an invalid size argument, which triggers a NULL pointer dereference. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' APPLE-SA-2011-10-12-3 20110217 PHP 5.3.5 grapheme_extract() NULL Pointer Dereference 8087 http://support.apple.com/kb/HT5002 http://svn.php.net/viewvc/php/php-src/trunk/ext/intl/grapheme/grapheme_string.c?r1=306449&r2=306448&pathrev=306449 DSA-2266 16182 VU#210829 20110216 PHP 5.3.5 grapheme_extract() NULL Pointer Dereference 20110217 Re: PHP 5.3.5 grapheme_extract() NULL Pointer Dereference 46429 php-graphemeextract-dos(65437) The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a (1) locateName or (2) statName operation. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' http://bugs.php.net/bug.php?id=53885 APPLE-SA-2011-10-12-3 FEDORA-2011-3636 FEDORA-2011-3666 FEDORA-2011-3614 SUSE-SR:2011:009 HPSBOV02763 20110318 libzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5) 8146 http://support.apple.com/kb/HT5002 http://svn.php.net/viewvc/?view=revision&revision=307867 DSA-2266 17004 MDVSA-2011:052 MDVSA-2011:053 MDVSA-2011:099 http://www.php.net/archive/2011.php http://www.php.net/ChangeLog-5.php http://www.php.net/releases/5_3_6.php 20110318 libzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5) 46354 ADV-2011-0744 ADV-2011-0764 ADV-2011-0890 https://bugzilla.redhat.com/show_bug.cgi?id=688735 libzip-zipnamelocate-dos(66173) The PolyVision RoomWizard with firmware 3.2.3 has a default password of roomwizard for the administrator account, which makes it easier for remote attackers to obtain console access via an HTTP session, a different vulnerability than CVE-2010-0214. http://packetstormsecurity.org/files/view/97291/roomwizard-disclose.txt 20110106 RoomWizard Default Password and Sync Connector Credential Leak [CVE-2010-0214] VU#870601 45699 ADV-2011-0059 roomwizard-password-security-bypass(64543) roomwizard-default-password(64642) Directory traversal vulnerability in vCenter Server in VMware vCenter 4.0 before Update 3 and 4.1 before Update 1, and VMware VirtualCenter 2.5 before Update 6a, allows remote attackers to read arbitrary files via unspecified vectors. [security-announce] 20110505 VMSA-2011-0008 VMware vCenter Server and vSphere Client security vulnerabilities 1025502 http://www.vmware.com/security/advisories/VMSA-2011-0008.html Heap-based buffer overflow in Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. [or-announce] 20110117 Tor 0.2.1.29 is released (security patches) http://blog.torproject.org/blog/tor-02129-released-security-patches DSA-2148 45832 1024980 ADV-2011-0131 ADV-2011-0132 tor-unspec-bo(64748) https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog Double free vulnerability in the Rx server process in OpenAFS 1.4.14, 1.4.12, 1.4.7, and possibly other versions allows remote attackers to cause a denial of service and execute arbitrary code via unknown vectors. DSA-2168 46428 1025095 ADV-2011-0410 ADV-2011-0411 The afs_linux_lock function in afs/LINUX/osi_vnodeops.c in the kernel module in OpenAFS 1.4.14, 1.4.12, 1.4.7, and possibly other versions does not properly handle errors, which allows attackers to cause a denial of service via unknown vectors. NOTE: some of these details are obtained from third party information. DSA-2168 46428 1025095 ADV-2011-0410 ADV-2011-0411 Multiple SQL injection vulnerabilities in the get_userinfo method in the MySQLAuthHandler class in DAVServer/mysqlauth.py in PyWebDAV before 0.9.4.1 allow remote attackers to execute arbitrary SQL commands via the (1) user or (2) pw argument. NOTE: some of these details are obtained from third party information. http://code.google.com/p/pywebdav/updates/list FEDORA-2011-2460 FEDORA-2011-2470 FEDORA-2011-2427 http://pywebdav.googlecode.com/files/PyWebDAV-0.9.4.1.tar.gz DSA-2177 46655 ADV-2011-0553 ADV-2011-0554 ADV-2011-0634 https://bugzilla.redhat.com/show_bug.cgi?id=677718 Heap-based buffer overflow in the linetoken function in afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, a different vulnerability than CVE-2010-2642. RHSA-2012:1201 MDVSA-2012:144 http://xorl.wordpress.com/2011/02/20/cve-2011-0433-evince-linetoken-buffer-overflow/ https://bugzilla.gnome.org/show_bug.cgi?id=640923 https://bugzilla.redhat.com/show_bug.cgi?id=679732 GLSA-201701-57 Multiple SQL injection vulnerabilities in Domain Technologie Control (DTC) before 0.32.9 allow remote attackers to execute arbitrary SQL commands via the cid parameter to (1) admin/bw_per_month.php or (2) client/bw_per_month.php. http://git.gplhost.com/gitweb/?p=dtc.git;a=commit;h=89da9c519b04cda1b23e6290d2b0a6cea1bae31e http://git.gplhost.com/gitweb/?p=dtc.git;a=commit;h=e94e8b9cc354bfcaeb284d5331b815256bb46162 http://packages.debian.org/changelogs/pool/main/d/dtc/dtc_0.29.17-1+lenny1/changelog http://packages.debian.org/changelogs/pool/main/d/dtc/dtc_0.32.10-1/changelog DSA-2179 [dtcannounce] 20110303 Fwd: [SECURITY] [DSA 2179-1] dtc security update ADV-2011-0556 dtc-cid-sql-injection(65895) Domain Technologie Control (DTC) before 0.32.9 does not require authentication for (1) admin/bw_per_month.php and (2) client/bw_per_month.php, which allows remote attackers to obtain potentially sensitive bandwidth information via a direct request. http://git.gplhost.com/gitweb/?p=dtc.git;a=commit;h=89da9c519b04cda1b23e6290d2b0a6cea1bae31e http://git.gplhost.com/gitweb/?p=dtc.git;a=commit;h=e94e8b9cc354bfcaeb284d5331b815256bb46162 http://packages.debian.org/changelogs/pool/main/d/dtc/dtc_0.29.17-1+lenny1/changelog http://packages.debian.org/changelogs/pool/main/d/dtc/dtc_0.32.10-1/changelog DSA-2179 [dtcannounce] 20110303 Fwd: [SECURITY] [DSA 2179-1] dtc security update ADV-2011-0556 dtc-bwpermonth-info-disc(65896) The register_user function in client/new_account_form.php in Domain Technologie Control (DTC) before 0.32.9 includes a cleartext password in an e-mail message, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614302 http://git.gplhost.com/gitweb/?p=dtc.git;a=commit;h=adffff7efb3687ff465ee0552a944dd3109f3cb0 http://git.gplhost.com/gitweb/?p=dtc.git;a=commit;h=f8e3b2d7cc2da313addc05394568ab9599499285 [oss-security] 20110222 CVE-2011-0436: dtc sends password of new users to site admin by unencrypted email http://packages.debian.org/changelogs/pool/main/d/dtc/dtc_0.29.17-1+lenny1/changelog http://packages.debian.org/changelogs/pool/main/d/dtc/dtc_0.32.10-1/changelog DSA-2179 [dtcannounce] 20110303 Fwd: [SECURITY] [DSA 2179-1] dtc security update ADV-2011-0556 dtc-passwords-info-disc(65898) shared/inc/sql/ssh.php in the SSH accounts management implementation in Domain Technologie Control (DTC) before 0.32.9 allows remote authenticated users to delete arbitrary accounts via the edssh_account parameter in a deletesshaccount Delete action. http://git.gplhost.com/gitweb/?p=dtc.git;a=commit;h=9b75112fc12fead5740b1aaf0df562b5a9045ec0 http://git.gplhost.com/gitweb/?p=dtc.git;a=commit;h=c97ab4ae43945de36534c40004d713b3b10113db http://packages.debian.org/changelogs/pool/main/d/dtc/dtc_0.29.17-1+lenny1/changelog http://packages.debian.org/changelogs/pool/main/d/dtc/dtc_0.32.10-1/changelog DSA-2179 [dtcannounce] 20110303 Fwd: [SECURITY] [DSA 2179-1] dtc security update ADV-2011-0556 dtc-ssh-sec-bypass(65897) nslcd/pam.c in the nss-pam-ldapd 0.8.0 PAM module returns a success code when a user is not found in LDAP, which allows remote attackers to bypass authentication. http://arthurdejong.org/nss-pam-ldapd/news.html#20110309 http://lists.arthurdejong.org/nss-pam-ldapd-announce/2011/attachments/txtVf3rHgt8qQ.txt [nss-pam-ldapd-announce] 20110309 nss-pam-ldapd security advisory (CVE-2011-0438) 8132 46819 nsspamldapd-pam-sec-bypass(66028) Cross-site scripting (XSS) vulnerability in Mahara 1.2.x before 1.2.7 and 1.3.x before 1.3.4 allows remote attackers to inject arbitrary web script or HTML via the Pieforms select box. http://mahara.org/interaction/forum/topic.php?id=3205 http://mahara.org/interaction/forum/topic.php?id=3208 DSA-2206 47033 mahara-pieform-xss(66327) Cross-site request forgery (CSRF) vulnerability in Mahara 1.2.x before 1.2.7 and 1.3.x before 1.3.4 allows remote attackers to hijack the authentication of arbitrary users for requests that delete blogs. http://mahara.org/interaction/forum/topic.php?id=3206 http://mahara.org/interaction/forum/topic.php?id=3208 DSA-2206 47033 mahara-blogposts-csrf(66326) The Debian GNU/Linux /etc/cron.d/php5 cron job for PHP 5.3.5 allows local users to delete arbitrary files via a symlink attack on a directory under /var/lib/php5/. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618489 http://git.debian.org/?p=pkg-php/php.git;a=commit;h=d09fd04ed7bfcf7f008360c6a42025108925df09 MDVSA-2011:069 46928 ADV-2011-0910 php-php5common-file-deletion(66180) The service utility in EMC Avamar 5.x before 5.0.4 uses cleartext to transmit event details in (1) service requests and (2) e-mail messages, which might allow remote attackers to obtain sensitive information by sniffing the network. 8139 20110315 ESA-2011-007: EMC Avamar sensitive information disclosure vulnerability 46879 1025213 ADV-2011-0677 ADV-2011-0678 avamar-service-utility-info-disclosure(66109) SQL injection vulnerability in inc/tinybb-settings.php in tinyBB 1.2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter in a profile action to index.php. NOTE: some of these details are obtained from third party information. http://tinybb.net/forum/?page=thread&post=989525101 15961 45737 1024949 tinybb-index-sql-injection(64570) Buffer overflow in the MAC-LTE dissector (epan/dissectors/packet-mac-lte.c) in Wireshark 1.2.0 through 1.2.13 and 1.4.0 through 1.4.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of RARs. FEDORA-2011-0450 FEDORA-2011-0460 MDVSA-2011:007 RHSA-2011:0369 45775 ADV-2011-0079 ADV-2011-0104 ADV-2011-0270 ADV-2011-0719 http://www.wireshark.org/security/wnpa-sec-2011-01.html http://www.wireshark.org/security/wnpa-sec-2011-02.html https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5676 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5530 wireshark-maclte-bo(64624) oval:org.mitre.oval:def:14283 The ASN.1 BER dissector in Wireshark 1.4.0 through 1.4.2 allows remote attackers to cause a denial of service (assertion failure) via crafted packets, as demonstrated by fuzz-2010-12-30-28473.pcap. FEDORA-2011-0450 FEDORA-2011-0460 45775 ADV-2011-0079 ADV-2011-0270 http://www.wireshark.org/security/wnpa-sec-2011-02.html https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5537 wireshark-asn1ber-dissector-dos(64625) oval:org.mitre.oval:def:14505 Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. [rubyonrails-security] 20110209 Potential XSS Problem with mail_to :encode => :javascript FEDORA-2011-4358 FEDORA-2011-2133 FEDORA-2011-2138 DSA-2247 46291 1025064 ADV-2011-0587 ADV-2011-0877 Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696. [rubyonrails-security] 20110209 CSRF Protection Bypass in Ruby on Rails FEDORA-2011-4358 FEDORA-2011-2133 FEDORA-2011-2138 http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails DSA-2247 46291 1025060 ADV-2011-0587 ADV-2011-0877 Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument. [rubyonrails-security] 20110209 Potential SQL Injection in Rails 3.0.x FEDORA-2011-4358 1025063 http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4 ADV-2011-0877 actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters. [rubyonrails-security] 20110209 Filter Problems on Case-Insensitive Filesystems FEDORA-2011-4358 1025061 http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4 ADV-2011-0877 The downloads manager in Opera before 11.01 on Windows does not properly determine the pathname of the filesystem-viewing application, which allows user-assisted remote attackers to execute arbitrary code via a crafted web site that hosts an executable file. JVN#33880169 JVNDB-2011-000010 http://www.opera.com/docs/changelogs/windows/1101/ http://www.opera.com/support/kb/view/985/ ADV-2011-0231 oval:org.mitre.oval:def:12369 Multiple cross-site scripting (XSS) vulnerabilities in (1) data/Smarty/templates/default/list.tpl and (2) data/Smarty/templates/default/campaign/bloc/cart_tag.tpl in EC-CUBE before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. JVN#84393059 JVNDB-2011-000011 http://svn.ec-cube.net/open_trac/changeset/18742 http://www.ec-cube.net/info/weakness/weakness.php?id=36 46100 ec-cube-list-xss(65079) Untrusted search path vulnerability in the script function in Lunascape before 6.4.3 allows local users to gain privileges via a Trojan horse executable file in the current working directory. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' JVN#38362957 JVNDB-2011-000012 http://lunapedia.lunascape.jp/index.php?title=Lunascape6#2011.2F02.2F18_ver_6.4.3 lunascape-dll-code-execution(65592) F-Secure Internet Gatekeeper for Linux 3.x before 3.03 does not require authentication for reading access logs, which allows remote attackers to obtain potentially sensitive information via a TCP session on the admin UI port. JVN#71542734 JVNDB-2011-000013 http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2011-1.html ADV-2011-0393 Buffer overflow in the PPP Access Concentrator (PPPAC) on the SEIL/x86 with firmware 1.00 through 1.61, SEIL/B1 with firmware 1.00 through 3.11, SEIL/X1 with firmware 1.00 through 3.11, SEIL/X2 with firmware 1.00 through 3.11, SEIL/Turbo with firmware 1.80 through 2.10, and SEIL/neu 2FE Plus with firmware 1.80 through 2.10 might allow remote attackers to execute arbitrary code via a PPPoE packet. JVN#88991166 JVNDB-2011-000014 46598 http://www.seil.jp/support/security/a01001.html seil-pppac-bo(65672) Cross-site scripting (XSS) vulnerability in Things BBS before 2.0.3 and BBS Thread before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. JVN#20982938 JVNDB-2011-000015 46638 http://www.thingslabo.com/cgi/bbs/download.html http://www.thingslabo.com/cgi/bbs_thread/download.html bbs-bbsthread-unspecified-xss(65852) webscript.pl in Open Ticket Request System (OTRS) 2.3.4 and earlier allows remote attackers to execute arbitrary commands via unspecified vectors, related to a "command injection vulnerability." JVN#73162541 JVNDB-2011-000019 openSUSE-SU-2011:0278 Cross-site scripting (XSS) vulnerability in e107 0.7.22 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://e107.org/comment.php?comment.news.872 http://e107.org/svn_changelog.php?version=0.7.23 JVN#01635457 Untrusted search path vulnerability in the Locate on Disk feature in Google Picasa before 3.8 allows local users to gain privileges via a Trojan horse executable file in the current working directory. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' JVN#99977321 JVNDB-2011-000022 47031 ADV-2011-0766 google-picasa-dll-code-execution(66295) Cross-site scripting (XSS) vulnerability in Cyber-Ark Password Vault Web Access (PVWA) 5.0 and earlier, 5.5 through 5.5 patch 4, and 6.0 through 6.0 patch 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. JVN#11424086 JVNDB-2011-000023 47271 The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map. openSUSE-SU-2011:0357 https://bugzilla.novell.com/show_bug.cgi?id=663898 /etc/init.d/boot.localfs in the aaa_base package before 11.2-43.48.1 in SUSE openSUSE 11.2, and before 11.3-8.7.1 in openSUSE 11.3, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/mtab. SUSE-SR:2011:005 SUSE-SR:2011:009 [opensuse-updates] 20110314 openSUSE-SU-2011:0171-1 (moderate): aaa_base security update http://support.novell.com/security/cve/CVE-2011-0461.html https://bugzilla.novell.com/665479 Multiple cross-site scripting (XSS) vulnerabilities in the login page in the webui component in SUSE openSUSE Build Service (OBS) before 2.1.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fixing-security-problems/ https://bugzilla.novell.com/show_bug.cgi?id=669909 The ocfs2_prepare_page_for_write function in fs/ocfs2/aops.c in the Oracle Cluster File System 2 (OCFS2) subsystem in the Linux kernel before 2.6.39-rc1 does not properly handle holes that cross page boundaries, which allows local users to obtain potentially sensitive information from uninitialized disk locations by reading a file. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=272b62c1f0f6f742046e45b50b6fec98860208a0 [ocfs2-devel] 20110217 [PATCH] Treat writes as new when holes span across page boundaries http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.39-rc1 USN-1146-1 https://bugzilla.novell.com/show_bug.cgi?id=673037 Unspecified vulnerability in Novell Vibe OnPrem 3.0 before Hot Patch 1 allows remote attackers to execute arbitrary code via unknown vectors. 1025163 http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5088845.html 46672 ADV-2011-0592 novell-vibeonprem-unspec-code-exec(65865) xrdb.c in xrdb before 1.0.9 in X.Org X11R7.6 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a (1) DHCP or (2) XDMCP message. http://cgit.freedesktop.org/xorg/app/xrdb/commit/?id=1027d5df07398c1507fb1fe3a9981aa6b4bc3a56 FEDORA-2011-4871 [xorg-announce] 20110405 xrdb 1.0.9 [xorg-announce] 20110405 X.Org security advisory: root hole via rogue hostname SUSE-SA:2011:016 SSA:2011-096-01 DSA-2213 MDVSA-2011:076 RHSA-2011:0432 RHSA-2011:0433 47189 1025317 USN-1107-1 ADV-2011-0880 ADV-2011-0889 ADV-2011-0906 ADV-2011-0929 ADV-2011-0966 ADV-2011-0975 https://bugzilla.redhat.com/show_bug.cgi?id=680196 xorg11-xrdb-command-execution(66585) openSUSE-SU-2011:0298 The API in SUSE openSUSE Build Service (OBS) 2.0.x before 2.0.8 and 2.1.x before 2.1.6 allows attackers to bypass intended write-access restrictions and modify a (1) package or (2) project via unspecified vectors. http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fixing-security-problems/ A vulnerability in the listing of available software of SUSE SUSE Studio Onsite, SUSE Studio Onsite 1.1 Appliance allows authenticated users to execute arbitrary SQL statements via SQL injection. Affected releases are SUSE SUSE Studio Onsite: versions prior to 1.0.3-0.18.1, SUSE Studio Onsite 1.1 Appliance: versions prior to 1.1.2-0.25.1. https://bugzilla.suse.com/show_bug.cgi?id=675039 https://www.suse.com/security/cve/CVE-2011-0467/ The aaa_base package before 11.3-8.9.1 in SUSE openSUSE 11.3, and before 11.4-54.62.1 in openSUSE 11.4, allows local users to gain privileges via shell metacharacters in a filename, related to tab expansion. SUSE-SR:2011:005 [opensuse-updates] 20110322 openSUSE-SU-2011:0207-1 (moderate): aaa_base security update http://support.novell.com/security/cve/CVE-2011-0468.html 46983 https://bugzilla.novell.com/678827 aaabase-filename-privilege-escalation(66245) Code injection in openSUSE when running some source services used in the open build service 2.1 before March 11 2011. https://bugzilla.suse.com/show_bug.cgi?id=679325 https://github.com/openSUSE/open-build-service/commit/23c8d21c75242999e29379e6ca8418a14c8725c6 https://github.com/openSUSE/open-build-service/commit/76b0ab003f34435ca90d943e02dd22279cdeec2a Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do not properly handle extensions notification, which allows remote attackers to cause a denial of service (application crash) via unspecified vectors. http://code.google.com/p/chromium/issues/detail?id=58053 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 unspecified(64661) oval:org.mitre.oval:def:14366 The node-iteration implementation in Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 does not properly handle pointers, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. http://code.google.com/p/chromium/issues/detail?id=65764 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-iteration-unspecified(64662) oval:org.mitre.oval:def:13710 Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do not properly handle the printing of PDF documents, which allows user-assisted remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a multi-page document. http://code.google.com/p/chromium/issues/detail?id=66334 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-pdf-files-unspecified(64663) oval:org.mitre.oval:def:14622 Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do not properly handle Cascading Style Sheets (CSS) token sequences in conjunction with CANVAS elements, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." http://code.google.com/p/chromium/issues/detail?id=66560 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-css-canvas-unspecified(64664) oval:org.mitre.oval:def:14460 Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do not properly handle Cascading Style Sheets (CSS) token sequences in conjunction with cursors, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." http://code.google.com/p/chromium/issues/detail?id=66748 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html DSA-2188 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-css-cursors-unspecified(64665) oval:org.mitre.oval:def:14443 Use-after-free vulnerability in Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a PDF document. http://code.google.com/p/chromium/issues/detail?id=67100 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-pdf-pages-code-execution(64666) oval:org.mitre.oval:def:14606 Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 allow remote attackers to cause a denial of service (stack memory corruption) or possibly have unspecified other impact via a PDF document that triggers an out-of-memory error. http://code.google.com/p/chromium/issues/detail?id=67208 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-pdf-files-ce(64667) oval:org.mitre.oval:def:14102 Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do not properly handle a mismatch in video frame sizes, which allows remote attackers to cause a denial of service (incorrect memory access) or possibly have unspecified other impact via unknown vectors. http://code.google.com/p/chromium/issues/detail?id=67303 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-video-frame-code-execution(64668) oval:org.mitre.oval:def:14390 Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do not properly handle SVG use elements, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." http://code.google.com/p/chromium/issues/detail?id=67363 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-use-code-execution(64669) oval:org.mitre.oval:def:14191 Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do not properly interact with extensions, which allows remote attackers to cause a denial of service via a crafted extension that triggers an uninitialized pointer. http://code.google.com/p/chromium/issues/detail?id=67393 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-rouge-code-execution(64670) oval:org.mitre.oval:def:14746 Multiple buffer overflows in vorbis_dec.c in the Vorbis decoder in FFmpeg, as used in Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted WebM file, related to buffers for (1) the channel floor and (2) the channel residue. [ffmpeg-devel] 20101229 [PATCH] Fix a couple of errors with bad Vorbis headers http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610550 http://code.google.com/p/chromium/issues/detail?id=68115 http://codereview.chromium.org/5964011 http://codereview.chromium.org/6069005 http://ffmpeg.mplayerhq.hu/ http://git.ffmpeg.org/?p=ffmpeg.git;a=commit;h=13184036a6b1b1d4b61c91118c0896e9ad4634c3 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html http://roundup.ffmpeg.org/issue2548 http://roundup.ffmpeg.org/issue2550 http://src.chromium.org/viewvc/chrome?view=rev&revision=70200 DSA-2306 MDVSA-2011:061 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 USN-1104-1 chrome-vorbis-bo(64671) oval:org.mitre.oval:def:14380 Buffer overflow in Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to PDF shading. http://code.google.com/p/chromium/issues/detail?id=68170 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-pdf-shading-bo(64672) oval:org.mitre.oval:def:14418 Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do not properly perform a cast of an unspecified variable during handling of anchors, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted HTML document. http://code.google.com/p/chromium/issues/detail?id=68178 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html SUSE-SR:2011:009 DSA-2188 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-anchors-dos(64673) oval:org.mitre.oval:def:14662 Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do not properly perform a cast of an unspecified variable during handling of video, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. http://code.google.com/p/chromium/issues/detail?id=68181 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-type-cast-dos(64674) oval:org.mitre.oval:def:14706 Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do not properly perform DOM node removal, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale rendering node." http://code.google.com/p/chromium/issues/detail?id=68439 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-dom-node-dos(64675) oval:org.mitre.oval:def:14131 Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do not properly handle speech data, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "stale pointer." http://code.google.com/p/chromium/issues/detail?id=68666 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html 45788 http://www.srware.net/forum/viewtopic.php?f=18&t=2054 chrome-speech-code-exec(64676) oval:org.mitre.oval:def:14381 Cross-site scripting (XSS) vulnerability in cognos.cgi in IBM Cognos 8 Business Intelligence (BI) 8.4.1 before FP1 allows remote attackers to inject arbitrary web script or HTML via the pathinfo parameter. 1024954 20110112 SECURITY ADVISORY IBM Cognos 8 Business Intelligence 8.4.1 45781 ADV-2011-0090 http://www-01.ibm.com/support/docview.wss?uid=swg24026110 ibm-cognos-pathinfo-xss(64660) ICQ 7 does not verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a crafted file that is fetched through an automatic-update mechanism. VU#680540 20110114 Remote Code Execution in ICQ 7 45805 icq-updates-code-execution(64711) Stack-based buffer overflow in NTWebServer.exe in the test web service in InduSoft NTWebServer, as distributed in Advantech Studio 6.1 and InduSoft Web Studio 7.0, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long request to TCP port 80. http://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-I1D7QD http://www.advantechdirect.com/emarketingprograms/AStudio_Patch/AStudio_Patch.htm http://www.indusoft.com/blog/?p=337 VU#506864 45783 http://www.us-cert.gov/control_systems/pdf/ICSA-10-337-01.pdf ADV-2011-0092 ADV-2011-0093 indusoft-ntwebserver-bo(64678) The server components in Objectivity/DB 10.0 do not require authentication for administrative commands, which allows remote attackers to modify data, obtain sensitive information, or cause a denial of service by sending requests over TCP to (1) the Lock Server or (2) the Advanced Multithreaded Server, as demonstrated by commands that are ordinarily sent by the (a) ookillls and (b) oostopams applications. NOTE: some of these details are obtained from third party information. 15988 VU#782567 45803 ADV-2011-0127 objectivity-operations-sec-bypass(64699) Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha makes calls to Libevent within Libevent log handlers, which might allow remote attackers to cause a denial of service (daemon crash) via vectors that trigger certain log messages. [or-announce] 20110117 Tor 0.2.1.29 is released (security patches) http://blog.torproject.org/blog/tor-02129-released-security-patches 45953 tor-libevent-dos(64889) https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog https://trac.torproject.org/projects/tor/ticket/2190 The tor_realloc function in Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not validate a certain size value during memory allocation, which might allow remote attackers to cause a denial of service (daemon crash) via unspecified vectors, related to "underflow errors." [or-announce] 20110117 Tor 0.2.1.29 is released (security patches) http://blog.torproject.org/blog/tor-02129-released-security-patches 45953 tor-torrealloc-dos(64888) https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog https://trac.torproject.org/projects/tor/ticket/2324 Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha allows remote attackers to cause a denial of service (assertion failure and daemon exit) via blobs that trigger a certain file size, as demonstrated by the cached-descriptors.new file. [or-announce] 20110117 Tor 0.2.1.29 is released (security patches) http://blog.torproject.org/blog/tor-02129-released-security-patches 45953 tor-blobs-dos(64867) https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog https://trac.torproject.org/projects/tor/ticket/2326 Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha might allow remote attackers to cause a denial of service (assertion failure and daemon exit) via vectors related to malformed router caches and improper handling of integer values. [or-announce] 20110117 Tor 0.2.1.29 is released (security patches) http://blog.torproject.org/blog/tor-02129-released-security-patches 45953 tor-routercache-dos(64864) https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog https://trac.torproject.org/projects/tor/ticket/2352 Directory traversal vulnerability in WebSEAL in IBM Tivoli Access Manager for e-business 5.1 before 5.1.0.39-TIV-AWS-IF0040, 6.0 before 6.0.0.25-TIV-AWS-IF0026, 6.1.0 before 6.1.0.5-TIV-AWS-IF0006, and 6.1.1 before 6.1.1-TIV-AWS-FP0001 has unspecified impact and attack vectors. NOTE: this might overlap CVE-2010-4622. 45836 ADV-2011-0138 IZ87328 IZ87470 IZ91619 IZ91620 http://www-01.ibm.com/support/docview.wss?uid=swg21459999 http://www-01.ibm.com/support/docview.wss?uid=swg24025790 http://www-01.ibm.com/support/docview.wss?uid=swg24028829 http://www-01.ibm.com/support/docview.wss?uid=swg24028860 http://www-01.ibm.com/support/docview.wss?uid=swg24028861 tivoli-ebusiness-webseal-directory-traversal(64737) Stack-based buffer overflow in the ast_uri_encode function in main/utils.c in Asterisk Open Source before 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.1, 1.8.1.2, 1.8.2.; and Business Edition before C.3.6.2; when running in pedantic mode allows remote authenticated users to execute arbitrary code via crafted caller ID data in vectors involving the (1) SIP channel driver, (2) URIENCODE dialplan function, or (3) AGI dialplan function. http://downloads.asterisk.org/pub/security/AST-2011-001.html http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff FEDORA-2011-0774 FEDORA-2011-0794 DSA-2171 20110118 AST-2011-001: Stack buffer overflow in SIP channel driver 45839 ADV-2011-0159 ADV-2011-0281 ADV-2011-0449 asterisk-asturiencode-bo(64831) Unspecified vulnerability in Sybase EAServer 5.x and 6.x before 6.3 ESD#2, as used in Appeon, Replication Server Messaging Edition (RSME), and WorkSpace, allows remote attackers to install arbitrary web services and execute arbitrary code, related to a "design vulnerability." Per: http://www.sybase.com/detail?id=1091057 ' Remote exploitation of a design vulnerability in Sybase EAServer could allow an attacker to install arbitrary web services, this condition can result in arbitrary code execution allowing attacker to gain control over the affected machine. This also affects those products that include EAServer: Appeon, Replication Server Messaging Edition, and WorkSpace.' 45809 http://www.sybase.com/detail?id=1091057 ADV-2011-0125 easerver-web-services-code-exec(64697) Directory traversal vulnerability in Sybase EAServer 6.x before 6.3 ESD#2, as used in Appeon, Replication Server Messaging Edition (RSME), and WorkSpace, allows remote attackers to read arbitrary files via "../\" (dot dot forward-slash backslash) sequences in a crafted request. 20110110 Sybase EAServer Remote Directory Traversal Vulnerability 45809 http://www.sybase.com/detail?id=1091057 ADV-2011-0125 easerver-unspec-file-include(64695) Stack-based buffer overflow in Nokia Multimedia Player 1.00.55.5010, and possibly other versions, allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long entry in a playlist (.npl) file. 15975 ADV-2011-0083 Buffer overflow in VideoSpirit Pro 1.6.8.1 and possibly earlier versions, and VideoSpirit Lite 1.4.0.1 and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via a VideoSpirit project (.visprj) file containing a valitem element with a long "name" attribute. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. videospirit-name-bo(64863) Buffer overflow in VideoSpirit Pro 1.6.8.1, 1.68, and earlier; and VideoSpirit Lite 1.4.0.1 and possibly other versions; allows user-assisted remote attackers to execute arbitrary code via a VideoSpirit project (.visprj) file containing a valitem element with a long "value" attribute, as demonstrated using a valitem with the mp3 name. 15936 Stack-based buffer overflow in Music Animation Machine MIDI Player 2006aug19 Release 035 and possibly other versions allows user-assisted remote attackers to execute arbitrary code via a long line in a .mamx file. 15901 Music Animation Machine MIDI Player 2006aug19 Release 035 and possibly other versions allows user-assisted remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a long line in a MIDI (.mid) file. Per: https://secunia.com/advisories/42790 'Successful exploitation allows execution of arbitrary code.' 15897 Cross-site request forgery (CSRF) vulnerability in VaM Shop 1.6, 1.6.1, and probably earlier versions allows remote attackers to hijack the authentication of administrators for requests that (1) change user status via admin/customers.php or (2) change user permissions via admin/accounting.php. NOTE: some of these details are obtained from third party information. 15968 http://www.htbridge.ch/advisory/xsrf_csrf_in_vam_shop.html 20110111 XSRF (CSRF) in VaM Shop Multiple cross-site scripting (XSS) vulnerabilities in VaM Shop 1.6, 1.6.1, and probably earlier versions llow remote attackers to inject arbitrary web script or HTML via the (1) status parameter to admin/orders.php, (2) search parameter to admin/customers.php, or (3) STORE_NAME parameter to admin/configuration.php. 15968 http://www.htbridge.ch/advisory/xss_vulnerability_in_vam_shop.html http://www.htbridge.ch/advisory/xss_vulnerability_in_vam_shop_1.html http://www.htbridge.ch/advisory/xss_vulnerability_in_vam_shop_2.html 20110111 XSS vulnerability in VaM Shop 20110111 XSS vulnerability in VaM Shop 20110111 XSS vulnerability in VaM Shop Directory traversal vulnerability in system/system.php in Zwii 2.1.1, when magic_quotes_gpc is disabled and register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the set[template][value] parameter. 15945 45736 ADV-2011-0072 zwii-system-file-include(64557) Directory traversal vulnerability in modules/profile/user.php in Ax Developer CMS (AxDCMS) 0.1.1 allows remote attackers to execute arbitrary code via a .. (dot dot) in the aXconf[default_language] parameter. 15938 45735 ADV-2011-0071 axdcms-user-file-include(64547) FTPService.exe in Blackmoon FTP 3.1 Build 1735 and Build 1736 (3.1.7.1736), and possibly other versions before 3.1.8.1737, allows remote attackers to cause a denial of service (crash) via a large number of PORT commands with long arguments, which triggers a NULL pointer dereference. NOTE: some of these details are obtained from third party information. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' 15986 45814 blackmoon-port-bo(64696) Cross-site scripting (XSS) vulnerability in system/modules/comments/Comments.php in Contao CMS 2.9.2, and possibly other versions before 2.9.3, allows remote attackers to inject arbitrary web script or HTML via the HTTP X_FORWARDED_FOR header, which is stored by system/libraries/Environment.php but not properly handled by a comments action to main.php. http://dev.contao.org/issues/2751 http://www.contao.org/changelog.html http://www.contao.org/news/items/contao-2_9_3.html 20110112 [MajorSecurity SA-081]Contao CMS 2.9.2 - Persistent Cross Site Scripting Issue contao-xforwardedfor-xss(64679) Cross-site scripting (XSS) vulnerability in Vaadin before 6.4.9 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the index page. http://dev.vaadin.com/ticket/6257 http://vaadin.com/download/release/6.4/6.4.9/release-notes.html 45779 vaadin-unspec-xss(64626) SQL injection vulnerability in cart.php in Advanced Webhost Billing System (AWBS) 2.9.2 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the oid parameter in an add_other action. 16003 awbs-cart-sql-injection(64726) SQL injection vulnerability in the allCineVid component (com_allcinevid) 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. http://adv.salvatorefresta.net/allCineVid_Joomla_Component_1.0.0_Blind_SQL_Injection_Vulnerability-18012011.txt 16010 45840 allcinevid-index-sql-injection(64823) SQL injection vulnerability in team.php in the Teams Structure module 3.0 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the team_id parameter. 16004 45826 phpfusion-team-structure-sql-injection(64727) DCR.sys driver in SecurStar DriveCrypt 5.4, 5.3, and earlier allows local users to execute arbitrary code via a crafted argument to the 0x00073800 IOCTL. 15972 45750 ADV-2011-0084 The RDS service (rds.exe) in HP Data Protector Manager 6.11 allows remote attackers to cause a denial of service (crash) via a packet with a large data size to TCP port 1530. 15940 ADV-2011-0064 KisKrnl.sys 2011.1.13.89 and earlier in Kingsoft AntiVirus 2011 SP5.2 allows local users to cause a denial of service (crash) via a crafted request that is not properly handled by the KiFastCallEntry hook. 15998 20110116 Kingsoft AntiVirus 2011 SP5.2 KisKrnl.sys <= 2011.1.13.89 Local Kernel Mode D.O.S Exploit(3 lines of code) 45821 kingsoft-kiskrnl-dos(64723) SQL injection vulnerability in mainx_a.php in E-PROMPT C BetMore Site Suite 4.0 through 4.2.0 allows remote attackers to execute arbitrary SQL commands via the bid parameter. http://epromptc.com/media/nwsatcl/betmore-4-2-1-software-update.html 15999 45820 betmore-bid-sql-injection(64724) Stack-based buffer overflow in Sielco Sistemi Winlog Pro 2.07.00 and earlier, when Run TCP/IP server is enabled, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted 0x02 opcode to TCP port 46823. http://aluigi.org/adv/winlog_1-adv.txt 8280 15992 VU#496040 45813 http://www.us-cert.gov/control_systems/pdf/ICSA-11-017-02.pdf ADV-2011-0126 winlog-tcpip-bo(64716) Directory traversal vulnerability in core/lib/router.php in LotusCMS Fraise 3.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via the system parameter to index.php. 15964 ADV-2011-0073 lotuscms-index-file-incldue(64736) SQL injection vulnerability in gallery.php in Gallarific PHP Photo Gallery script 2.1 and possibly other versions allows remote attackers to execute arbitrary SQL commands via the id parameter. 15891 The compress_add_dlabel_points function in dns/Compress.c in MaraDNS 1.4.03, 1.4.05, and probably other versions allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long DNS hostname with a large number of labels, which triggers a heap-based buffer overflow. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610834 DSA-2196 [oss-security] 20110123 CVE request: MaraDNS DoS via long queries [oss-security] 20110124 Re: CVE request: MaraDNS DoS via long queries 45966 ADV-2011-0699 maradns-compressadddlabelpoints-bo(64885) The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel before 2.6.38-rc2 does not check the sign of a certain integer field, which allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cb26a24ee9706473f31d34cc259f4dcf45cd0644 [oss-security] 20110125 Linux kernel av7110 negative array offset [oss-security] 20110125 Re: Linux kernel av7110 negative array offset http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.38-rc2 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console 45986 1025195 http://www.vmware.com/security/advisories/VMSA-2011-0012.html kernel-av7110ca-privilege-escalation(64988) The StripTags function in (1) the USF decoder (modules/codec/subtitles/subsdec.c) and (2) the Text decoder (modules/codec/subtitles/subsusf.c) in VideoLAN VLC Media Player 1.1 before 1.1.6-rc allows remote attackers to execute arbitrary code via a subtitle with an opening "<" without a closing ">" in an MKV file, which triggers heap memory corruption, as demonstrated using refined-australia-blu720p-sample.mkv. http://git.videolan.org/gitweb.cgi?p=vlc/vlc-1.1.git;a=tag;h=bb16813ddb61a53113c71bccc525559405785452 [vlc-devel] 20110116 Security: Subtitle StripTags heap corruption, potentially exploitable. Patch included [vlc-devel] 20110117 Security: Subtitle StripTags heap corruption, potentially exploitable. Patch included 8064 16108 [oss-security] 20110125 CVE Request: VLC Subtitle StripTags heap corruption [oss-security] 20110125 Re: CVE Request: VLC Subtitle StripTags heap corruption 46008 ADV-2011-0225 vlcmediaplayer-usf-bo(65029) oval:org.mitre.oval:def:12414 gypsy 0.8 does not properly restrict the files that can be read while running with root privileges, which allows local users to read otherwise restricted files via unspecified vectors. http://cgit.freedesktop.org/gypsy/commit/?id=40101707cddb319481133b2a137294b6b669bd16 FEDORA-2013-8687 FEDORA-2013-8705 FEDORA-2013-8659 openSUSE-SU-2012:0884 [oss-security] 20110124 CVE request: multiple gypsy vulnerabilities [oss-security] 20110125 Re: CVE request: multiple gypsy vulnerabilities https://bugs.freedesktop.org/show_bug.cgi?id=33431 https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323 Multiple buffer overflows in the NMEA parser (nmea-gen.c) in gypsy 0.8 allow local users to cause a denial of service (crash) via unspecified vectors related to the sprintf function. FEDORA-2013-8687 FEDORA-2013-8705 FEDORA-2013-8659 openSUSE-SU-2012:0884 [oss-security] 20110124 CVE request: multiple gypsy vulnerabilities [oss-security] 20110125 Re: CVE request: multiple gypsy vulnerabilities https://bugs.freedesktop.org/show_bug.cgi?id=33431 https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323 Cross-site scripting (XSS) vulnerability in index.php in Vanilla Forums before 2.0.17 allows remote attackers to inject arbitrary web script or HTML via the Target parameter in a /entry/signin action. [oss-security] 20110127 CVE Request:Vanilla Forums 2.0.16 <= Cross Site Scripting Vulnerability [oss-security] 20110127 Re: CVE Request:Vanilla Forums 2.0.16 <= Cross Site Scripting Vulnerability http://www.vanillaforums.org/discussion/14397/vanilla-2.0.17-released http://yehg.net/lab/pr0js/advisories/%5Bvanilla_forums-2.0.16%5D_cross_site_scripting VMware vFabric tc Server (aka SpringSource tc Server) 2.0.x before 2.0.6.RELEASE and 2.1.x before 2.1.2.RELEASE accepts obfuscated passwords during JMX authentication, which makes it easier for context-dependent attackers to obtain access by leveraging an ability to read stored passwords. 20110811 CVE-2011-0527: VMware vFabric tc Server password obfuscation bypass 1025923 49122 http://www.springsource.com/security/cve-2011-0527 tcserver-jmx-sec-bypass(69156) Puppet 2.6.0 through 2.6.3 does not properly restrict access to node resources, which allows remote authenticated Puppet nodes to read or modify the resources of other nodes via unspecified vectors. [puppet-users] 20101201 SECURITY: Authorization vulnerability in Puppet 2.6.x [oss-security] 20110127 CVE request: puppet [oss-security] 20110127 Re: CVE request: puppet USN-1365-1 Buffer overflow in the mainloop function in nbd-server.c in the server in Network Block Device (nbd) before 2.9.20 might allow remote attackers to execute arbitrary code via a long request. NOTE: this issue exists because of a CVE-2005-3534 regression. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611187 FEDORA-2011-1097 FEDORA-2011-1108 SUSE-SR:2011:005 [oss-security] 20110128 CVE Request -- NDB: CVE-2005-3534 reintroduced in upstream nbd-v2.9.0 version [oss-security] 20110131 Re: CVE Request -- NDB: CVE-2005-3534 reintroduced in upstream nbd-v2.9.0 version GLSA-201206-35 DSA-2183 46572 ADV-2011-0403 ADV-2011-0582 https://bugzilla.redhat.com/show_bug.cgi?id=673562 networkblock-nbdserver-bo(65720) https://github.com/yoe/nbd/commit/3ef52043861ab16352d49af89e048ba6339d6df8 openSUSE-SU-2011:0193 demux/mkv/mkv.hpp in the MKV demuxer plugin in VideoLAN VLC media player 1.1.6.1 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary commands via a crafted MKV (WebM or Matroska) file that triggers memory corruption, related to "class mismatching" and the MKV_IS_ID macro. http://git.videolan.org/?p=vlc.git;a=commit;h=59491dcedffbf97612d2c572943b56ee4289dd07 DSA-2159 [oss-security] 20110131 CVE request: code execution in VLC media player [oss-security] 20110131 Re: CVE request: code execution in VLC media player 46060 1025018 http://www.videolan.org/security/sa1102.html ADV-2011-0363 vlc-mkv-code-execution(65045) oval:org.mitre.oval:def:12415 The (1) backup and restore scripts, (2) main initialization script, and (3) ldap-agent script in 389 Directory Server 1.2.x (aka Red Hat Directory Server 8.2.x) place a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. RHSA-2011:0293 46489 1025102 https://bugzilla.redhat.com/show_bug.cgi?id=672468 rhds-ldlibrarypath-priv-esc(65637) Cross-site scripting (XSS) vulnerability in Apache Continuum 1.1 through 1.2.3.1, 1.3.6, and 1.4.0 Beta; and Archiva 1.3.0 through 1.3.3 and 1.0 through 1.22 allows remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to the autoIncludeParameters setting for the extremecomponents table. http://continuum.apache.org/security.html http://jira.codehaus.org/browse/CONTINUUM-2604 [continuum-users] 20110210 [SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability 20110211 [SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability 8091 1025065 http://svn.apache.org/viewvc?view=revision&revision=1066053 http://svn.apache.org/viewvc?view=revision&revision=1066056 20110210 [SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability 20110216 [SECURITY] CVE-2011-0533: Apache Archiva cross-site scripting vulnerability 46311 ADV-2011-0373 ADV-2011-0426 continuum-unspec-xss(65343) oval:org.mitre.oval:def:12581 Apache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not enforce the maxHttpHeaderSize limit for requests involving the NIO HTTP connector, which allows remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request. APPLE-SA-2011-10-12-3 SUSE-SR:2011:005 HPSBST02955 8074 http://support.apple.com/kb/HT5002 http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.32 http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.8_(released_5_Feb_2011) DSA-2160 20110205 [SECURITY] CVE-2011-0534 Apache Tomcat DoS vulnerability 46164 1025027 ADV-2011-0293 tomcat-nio-connector-dos(65162) Cross-site request forgery (CSRF) vulnerability in the Users module in Zikula before 1.2.5 allows remote attackers to hijack the authentication of administrators for requests that change account privileges via an edit access_permissions action to index.php. http://bl0g.yehg.net/2011/02/zikula-cms-124-cross-site-request.html http://code.zikula.org/core12/browser/tags/Zikula-1.2.5/src/docs/CHANGELOG http://community.zikula.org/index.php?module=News&func=display&sid=3041&title=zikula-1.2.5-released [oss-security] 20110201 CVE Request: Zikula CMS 1.2.4 <= Cross Site Request Forgery (CSRF) Vulnerability [oss-security] 20110203 Re: CVE Request: Zikula CMS 1.2.4 <= Cross Site Request Forgery (CSRF) Vulnerability 20110201 Zikula CMS 1.2.4 <= Cross Site Request Forgery (CSRF) Vulnerability 8067 Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has $ORIGIN in (a) RPATH or (b) RUNPATH within the program itself or a referenced library. NOTE: this issue exists because of an incorrect fix for CVE-2010-3847. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' DSA-2122-2 [oss-security] 20110203 CVE request: glibc CVE-2010-3847 fix regression [oss-security] 20110203 Re: CVE request: glibc CVE-2010-3847 fix regression 1025289 http://sourceware.org/git/?p=glibc.git;a=commit;h=96611391ad8823ba58405325d78cefeae5cdf699 MDVSA-2011:178 RHSA-2011:0412 RHSA-2011:0413 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console USN-1009-2 http://www.vmware.com/security/advisories/VMSA-2011-0012.html ADV-2011-0863 https://bugzilla.redhat.com/show_bug.cgi?id=667974 https://launchpad.net/bugs/701783 oval:org.mitre.oval:def:13086 Multiple directory traversal vulnerabilities in (1) languages/Language.php and (2) includes/StubObject.php in MediaWiki 1.8.0 and other versions before 1.16.2, when running on Windows and possibly Novell Netware, allow remote attackers to include and execute arbitrary local PHP files via vectors related to a crafted language file and the Language::factory function. http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.2.patch.gz [MediaWiki-announce] 20110201 MediaWiki security release 1.16.2 [oss-security] 20110201 CVE request: Server-side arbitrary script inclusion vulnerability in MediaWiki <=1.16.1 [oss-security] 20110203 Re: CVE request: Server-side arbitrary script inclusion vulnerability in MediaWiki <=1.16.1 ADV-2011-0273 https://bugzilla.wikimedia.org/show_bug.cgi?id=27094 Wireshark 1.2.0 through 1.2.14, 1.4.0 through 1.4.3, and 1.5.0 frees an uninitialized pointer during processing of a .pcap file in the pcap-ng format, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed file. FEDORA-2011-2648 FEDORA-2011-2632 FEDORA-2011-2620 [oss-security] 20110204 Wireshark: Freeing uninitialized pointer DSA-2201 VU#215900 MDVSA-2011:044 RHSA-2011:0369 RHSA-2011:0370 46167 1025148 ADV-2011-0622 ADV-2011-0626 ADV-2011-0719 ADV-2011-0747 http://www.wireshark.org/docs/relnotes/wireshark-1.2.15.html http://www.wireshark.org/docs/relnotes/wireshark-1.4.4.html http://www.wireshark.org/security/wnpa-sec-2011-03.html http://www.wireshark.org/security/wnpa-sec-2011-04.html https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5652 https://bugzilla.redhat.com/show_bug.cgi?id=676232 wireshark-pcap-code-execution(65182) oval:org.mitre.oval:def:14605 The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks. SSRT100413 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673 http://www.openssh.com/txt/legacy-cert.adv [oss-security] 20110204 Re: [vendor-sec] OpenSSH security advisory: legacy certificate signing in 5.6/5.7 46155 1025028 ADV-2011-0284 openssh-certificate-info-disclosure(65163) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. fuse 2.8.5 and earlier does not properly handle when /etc/mtab cannot be updated, which allows local users to unmount arbitrary directories via a symlink attack. http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f SUSE-SR:2011:005 [oss-security] 20110201 CVE request: fuse [oss-security] 20110203 Re: CVE request: fuse [oss-security] 20110208 Re: CVE request: fuse fusermount in fuse 2.8.5 and earlier does not perform a chdir to / before performing a mount or umount, which allows local users to unmount arbitrary directories via unspecified vectors. http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873 [oss-security] 20110201 CVE request: fuse [oss-security] 20110203 Re: CVE request: fuse [oss-security] 20110208 Re: CVE request: fuse Certain legacy functionality in fusermount in fuse 2.8.5 and earlier, when util-linux does not support the --no-canonicalize option, allows local users to bypass intended access restrictions and unmount arbitrary directories via a symlink attack. http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47 SUSE-SR:2011:005 [oss-security] 20110201 CVE request: fuse [oss-security] 20110203 Re: CVE request: fuse [oss-security] 20110208 Re: CVE request: fuse Cross-site request forgery (CSRF) vulnerability in adduser.do in Symantec LiveUpdate Administrator (LUA) before 2.3 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts, and possibly have unspecified other impact, via the userRole parameter. 8160 1025242 http://sotiriu.de/adv/NSOADV-2011-001.txt 17026 20110322 NSOADV-2011-001: Symantec LiveUpdate Administrator CSRF vulnerability http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110321_00 ADV-2011-0727 symantec-lua-gui-csrf(66213) Symantec Backup Exec 11.0, 12.0, 12.5, 13.0, and 13.0 R2 does not validate identity information sent between the media server and the remote agent, which allows man-in-the-middle attackers to execute NDMP commands via unspecified vectors. SSRT100506 8300 47824 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110526_00 Multiple integer overflows in vxsvc.exe in the Veritas Enterprise Administrator service in Symantec Veritas Storage Foundation 5.1 and earlier, Veritas Storage Foundation Cluster File System (SFCFS) 5.1 and earlier, Veritas Storage Foundation Cluster File System Enterprise for Oracle RAC (SFCFSORAC) 5.1 and earlier, Veritas Dynamic Multi-Pathing (DMP) 5.1, and NetBackup PureDisk 6.5.x through 6.6.1.x allow remote attackers to execute arbitrary code via (1) a crafted Unicode string, related to the vxveautil.value_binary_unpack function; (2) a crafted ASCII string, related to the vxveautil.value_binary_unpack function; or (3) a crafted value, related to the vxveautil.kv_binary_unpack function, leading to a buffer overflow. SSRT100506 49014 http://www.symantec.com/business/support/index?page=content&id=TECH165536 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110815_00 http://zerodayinitiative.com/advisories/ZDI-11-262/ http://zerodayinitiative.com/advisories/ZDI-11-263/ http://zerodayinitiative.com/advisories/ZDI-11-264/ oval:org.mitre.oval:def:14792 Buffer overflow in the Lotus Freelance Graphics PRZ file viewer in Autonomy KeyView, as used in Symantec Mail Security (SMS) 6.x through 8.x, Symantec Brightmail and Messaging Gateway before 9.5.1, and Symantec Data Loss Prevention (DLP) before 10.5.3 and 11.x before 11.1, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted .prz file. NOTE: this may overlap CVE-2011-1217. 1025594 1025595 1025596 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110531_00 SQL injection vulnerability in forget.php in the management GUI in Symantec Web Gateway 4.5.x allows remote attackers to execute arbitrary SQL commands via the username parameter. 1025753 48318 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110707_00 http://www.zerodayinitiative.com/advisories/ZDI-11-233/ symantec-web-gui-sql-injection(68428) Multiple cross-site scripting (XSS) vulnerabilities in the Web Interface in the Endpoint Protection Manager in Symantec Endpoint Protection (SEP) 11.0.600x through 11.0.6300 allow remote attackers to inject arbitrary web script or HTML via (1) the token parameter to portal/Help.jsp or (2) the URI in a console/apps/sepm request. 1025919 48231 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110810_00 symantec-endpoint-sepm-xss(69136) Cross-site request forgery (CSRF) vulnerability in the Web Interface in the Endpoint Protection Manager in Symantec Endpoint Protection (SEP) 11.0.600x through 11.0.6300 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts. 1025919 49101 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110810_00 Multiple cross-site scripting (XSS) vulnerabilities in the management console in Symantec IM Manager before 8.4.18 allow remote attackers to inject arbitrary web script or HTML via the (1) refreshRateSetting parameter to IMManager/Admin/IMAdminSystemDashboard.asp, the (2) nav or (3) menuitem parameter to IMManager/Admin/IMAdminTOC_simple.asp, or the (4) action parameter to IMManager/Admin/IMAdminEdituser.asp. 1026130 49739 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00 SQL injection vulnerability in the management console in Symantec IM Manager before 8.4.18 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 1026130 49738 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00 The management console in Symantec IM Manager before 8.4.18 allows remote attackers to execute arbitrary code via unspecified vectors, related to a "code injection issue." 1026130 49742 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00 The TextXtra.x32 module in Adobe Shockwave Player before 11.5.9.620 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a Director file with a crafted DEMX RIFF chunk that triggers incorrect buffer allocation, a different vulnerability than CVE-2010-4093, CVE-2010-4187, CVE-2010-4190, CVE-2010-4191, CVE-2010-4192, and CVE-2010-4306. http://dvlabs.tippingpoint.com/advisory/TPTI-11-02 http://www.adobe.com/support/security/bulletins/apsb11-01.html 20110209 TPTI-11-02: Adobe Shockwave TextXtra Invalid Seek Remote Code Execution Vulnerability 46327 1025056 ADV-2011-0335 shockwave-memory-code-execution(65257) The Font Xtra.x32 module in Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PFR1 chunk that leads to an unexpected sign extension and an invalid pointer dereference, a different vulnerability than CVE-2011-0569. http://dvlabs.tippingpoint.com/advisory/TPTI-11-03 http://www.adobe.com/support/security/bulletins/apsb11-01.html 20110209 TPTI-11-03: Adobe Shockwave Font Xtra String Decoding Remote Code Execution Vulnerability 46328 1025056 ADV-2011-0335 shocwave-player-fontxtra-code-exec(65258) Integer overflow in Adobe Shockwave Player before 11.5.9.620 allows remote attackers to execute arbitrary code via a Director movie with a large count value in 3D assets type 0xFFFFFF45 record, which triggers a "faulty allocation" and memory corruption. http://www.adobe.com/support/security/bulletins/apsb11-01.html 20110208 ZDI-11-079: Adobe Shockwave Player 0xFFFFFF45 Record Count Element Remote Code Execution Vulnerability 46330 1025056 ADV-2011-0335 shockwave-overflow-code-exec(65259) Integer overflow in Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code via a large array length value in the ActionScript method of the Function class. http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash2 20110208 Adobe Flash Player ActionScript Integer Overflow Vulnerability SUSE-SA:2011:009 http://www.adobe.com/support/security/bulletins/apsb11-02.html RHSA-2011:0206 RHSA-2011:0259 RHSA-2011:0368 46194 1025055 ADV-2011-0348 ADV-2011-0383 ADV-2011-0402 ADV-2011-0646 flashplayer-actionscript-code-exec(65230) oval:org.mitre.oval:def:14056 oval:org.mitre.oval:def:16129 Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted parameters to an unspecified ActionScript method that cause a parameter to be used as an object pointer, a different vulnerability than CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash2 20110208 Adobe Flash Player ActionScript Memory Corruption Vulnerability SUSE-SA:2011:009 http://www.adobe.com/support/security/bulletins/apsb11-02.html RHSA-2011:0206 RHSA-2011:0259 RHSA-2011:0368 46186 1025055 ADV-2011-0348 ADV-2011-0383 ADV-2011-0402 ADV-2011-0646 oval:org.mitre.oval:def:14009 oval:org.mitre.oval:def:16231 Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash2 SUSE-SA:2011:009 http://www.adobe.com/support/security/bulletins/apsb11-02.html VU#812969 RHSA-2011:0206 RHSA-2011:0259 RHSA-2011:0368 46188 1025055 ADV-2011-0348 ADV-2011-0383 ADV-2011-0402 ADV-2011-0646 oval:org.mitre.oval:def:13429 oval:org.mitre.oval:def:16174 Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash2 SUSE-SA:2011:009 http://www.adobe.com/support/security/bulletins/apsb11-02.html VU#812969 RHSA-2011:0206 RHSA-2011:0259 RHSA-2011:0368 46189 1025055 ADV-2011-0348 ADV-2011-0383 ADV-2011-0402 ADV-2011-0646 oval:org.mitre.oval:def:14169 oval:org.mitre.oval:def:15930 Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, a different vulnerability than CVE-2011-0570 and CVE-2011-0588. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' http://www.acrossecurity.com/aspr/ASPR-2011-02-11-1-PUB.txt http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 20110211 ASPR #2011-02-11-1: Remote Binary Planting in Adobe Reader 46252 1025033 ADV-2011-0337 ADV-2011-0492 oval:org.mitre.oval:def:12555 Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0589 and CVE-2011-0606. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 1025033 ADV-2011-0337 ADV-2011-0492 oval:org.mitre.oval:def:12452 Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows use weak permissions for unspecified files, which allows attackers to gain privileges via unknown vectors. http://www.adobe.com/support/security/bulletins/apsb11-03.html 1025033 ADV-2011-0337 oval:org.mitre.oval:def:12548 Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0585. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46204 1025033 ADV-2011-0337 ADV-2011-0492 oval:org.mitre.oval:def:12606 Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image, a different vulnerability than CVE-2011-0567 and CVE-2011-0603. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46198 1025033 ADV-2011-0337 ADV-2011-0492 oval:org.mitre.oval:def:12630 AcroRd32.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image that triggers an incorrect pointer calculation, leading to heap memory corruption, a different vulnerability than CVE-2011-0566 and CVE-2011-0603. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46199 1025033 ADV-2011-0337 ADV-2011-0492 http://www.zerodayinitiative.com/advisories/ZDI-11-065/ oval:org.mitre.oval:def:12248 Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors. http://www.adobe.com/support/security/bulletins/apsb11-03.html 1025033 ADV-2011-0337 oval:org.mitre.oval:def:14024 The Font Xtra.x32 module in Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a PFR1 chunk containing an invalid size value that leads to an unexpected sign extension and a buffer overflow, a different vulnerability than CVE-2011-0556. http://dvlabs.tippingpoint.com/advisory/TPTI-11-05 http://www.adobe.com/support/security/bulletins/apsb11-01.html 20110209 TPTI-11-05: Adobe Shockwave PFR1 Font Chunk Parsing Remote Code Execution Vulnerability 1025056 ADV-2011-0335 adobe-fontxtra-code-execution(65260) Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, a different vulnerability than CVE-2011-0562 and CVE-2011-0588. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' http://www.adobe.com/support/security/bulletins/apsb11-03.html 46255 1025033 ADV-2011-0337 adobe-acrobat-dll-code-execution(65289) oval:org.mitre.oval:def:12262 Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash2 SUSE-SA:2011:009 http://www.adobe.com/support/security/bulletins/apsb11-02.html RHSA-2011:0206 RHSA-2011:0259 RHSA-2011:0368 46190 1025055 ADV-2011-0348 ADV-2011-0383 ADV-2011-0402 ADV-2011-0646 adobe-flash-code-execution(65234) oval:org.mitre.oval:def:14115 oval:org.mitre.oval:def:16028 Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash2 SUSE-SA:2011:009 http://www.adobe.com/support/security/bulletins/apsb11-02.html RHSA-2011:0206 RHSA-2011:0259 RHSA-2011:0368 46191 1025055 ADV-2011-0348 ADV-2011-0383 ADV-2011-0402 ADV-2011-0646 adobe-player-code-exec(65235) oval:org.mitre.oval:def:14021 oval:org.mitre.oval:def:15931 Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0574, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash2 SUSE-SA:2011:009 http://www.adobe.com/support/security/bulletins/apsb11-02.html RHSA-2011:0206 RHSA-2011:0259 RHSA-2011:0368 46192 1025055 ADV-2011-0348 ADV-2011-0383 ADV-2011-0402 ADV-2011-0646 player-unspec-code-execution(65236) oval:org.mitre.oval:def:14172 oval:org.mitre.oval:def:16262 Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash2 SUSE-SA:2011:009 http://www.adobe.com/support/security/bulletins/apsb11-02.html RHSA-2011:0206 RHSA-2011:0259 RHSA-2011:0368 46193 1025055 ADV-2011-0348 ADV-2011-0383 ADV-2011-0402 ADV-2011-0646 flash-player-code-exec(65237) oval:org.mitre.oval:def:13988 oval:org.mitre.oval:def:15637 Untrusted search path vulnerability in Adobe Flash Player before 10.2.152.26 allows local users to gain privileges via a Trojan horse DLL in the current working directory. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash2 SUSE-SA:2011:009 http://www.adobe.com/support/security/bulletins/apsb11-02.html RHSA-2011:0206 RHSA-2011:0259 RHSA-2011:0368 20110211 ASPR #2011-02-11-2: Remote Binary Planting in Adobe Flash Player 46197 1025055 ADV-2011-0348 ADV-2011-0383 ADV-2011-0402 ADV-2011-0646 adobe-flash-dll-code-exec(65238) oval:org.mitre.oval:def:14095 oval:org.mitre.oval:def:16127 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. Unspecified vulnerability in Adobe Flash Player before 10.2.152.26 allows remote attackers to execute arbitrary code via a crafted font. http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash2 SUSE-SA:2011:009 http://www.adobe.com/support/security/bulletins/apsb11-02.html RHSA-2011:0206 RHSA-2011:0259 RHSA-2011:0368 46196 1025055 ADV-2011-0348 ADV-2011-0383 ADV-2011-0402 ADV-2011-0646 adobe-fontprasing-code-execution(65239) oval:org.mitre.oval:def:14164 oval:org.mitre.oval:def:15754 Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors related to a constructor for an unspecified ActionScript3 object and improper type checking, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0607, and CVE-2011-0608. http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash2 SUSE-SA:2011:009 http://www.adobe.com/support/security/bulletins/apsb11-02.html RHSA-2011:0206 RHSA-2011:0259 RHSA-2011:0368 46195 1025055 ADV-2011-0348 ADV-2011-0383 ADV-2011-0402 ADV-2011-0646 http://www.zerodayinitiative.com/advisories/ZDI-11-081/ adobe-flashplayer-unspec-ce(65240) oval:org.mitre.oval:def:13205 oval:org.mitre.oval:def:16018 Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows attackers to obtain sensitive information via unspecified vectors. http://www.adobe.com/support/security/bulletins/apsb11-12.html oval:org.mitre.oval:def:13379 oval:org.mitre.oval:def:15903 Multiple cross-site scripting (XSS) vulnerabilities in the administrator console in Adobe ColdFusion 8.0 through 9.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www.adobe.com/support/security/bulletins/apsb11-04.html 46273 1025036 ADV-2011-0334 adobe-coldfusion-multiple-xss(65277) Multiple CRLF injection vulnerabilities in Adobe ColdFusion 8.0 through 9.0.1 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified tags. http://www.adobe.com/support/security/bulletins/apsb11-04.html 46281 1025036 ADV-2011-0334 adobe-coldfusion-crlf-injection(65276) Unspecified vulnerability in the administrator console in Adobe ColdFusion 8.0 through 9.0.1 allows attackers to obtain sensitive information via unknown vectors. http://www.adobe.com/support/security/bulletins/apsb11-04.html 46274 1025036 ADV-2011-0334 adobe-coldfusion-console-info-disclosure(65278) Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 8.0 through 9.0.1 allows remote attackers to inject arbitrary web script or HTML via the cfform tag. http://www.adobe.com/support/security/bulletins/apsb11-04.html 46277 1025036 ADV-2011-0334 adobe-coldfusion-cfform-xss(65279) Session fixation vulnerability in Adobe ColdFusion 8.0 through 9.0.1 allows remote attackers to hijack web sessions via unspecified vectors. Per: http://cwe.mitre.org/data/definitions/384.html 'CWE-384: Session Fixation' http://www.adobe.com/support/security/bulletins/apsb11-04.html 46278 1025036 ADV-2011-0334 adobe-coldfusion-session-hijacking(65280) Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0565. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46207 1025033 ADV-2011-0337 ADV-2011-0492 acrobat-unspec-dos(65290) oval:org.mitre.oval:def:12193 Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X do not properly validate unspecified input data, which allows attackers to execute arbitrary code via unknown vectors. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46214 1025033 ADV-2011-0337 ADV-2011-0492 adobe-acrobat-input-code-exec(65291) oval:org.mitre.oval:def:12535 Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-0604. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46251 1025033 ADV-2011-0337 ADV-2011-0492 adobe-acrobat-unspec-xss(65292) oval:org.mitre.oval:def:12217 Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, a different vulnerability than CVE-2011-0562 and CVE-2011-0570. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' http://www.adobe.com/support/security/bulletins/apsb11-03.html 46254 1025033 ADV-2011-0337 adobe-reader-dll-code-exec(65293) oval:org.mitre.oval:def:12378 Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0563 and CVE-2011-0606. SUSE-SA:2011:025 http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46202 1025033 ADV-2011-0337 ADV-2011-0492 adobe-reader-acrobat-unspec-ce(65294) oval:org.mitre.oval:def:12497 Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a 3D file, a different vulnerability than CVE-2011-0591, CVE-2011-0592, CVE-2011-0593, CVE-2011-0595, and CVE-2011-0600. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 1025033 ADV-2011-0337 ADV-2011-0492 oval:org.mitre.oval:def:12621 Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a crafted Universal 3D (U3D) file that triggers a buffer overflow during decompression, related to Texture and rgba, a different vulnerability than CVE-2011-0590, CVE-2011-0592, CVE-2011-0593, CVE-2011-0595, and CVE-2011-0600. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46209 1025033 ADV-2011-0337 ADV-2011-0492 http://www.zerodayinitiative.com/advisories/ZDI-11-067/ oval:org.mitre.oval:def:12558 Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a crafted Universal 3D (U3D) file that triggers a buffer overflow during decompression, related to "Texture bmp," a different vulnerability than CVE-2011-0590, CVE-2011-0591, CVE-2011-0593, CVE-2011-0595, and CVE-2011-0600. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46210 1025033 ADV-2011-0337 ADV-2011-0492 http://www.zerodayinitiative.com/advisories/ZDI-11-068/ oval:org.mitre.oval:def:11819 Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a crafted Universal 3D (U3D) file that triggers a buffer overflow during decompression, a different vulnerability than CVE-2011-0590, CVE-2011-0591, CVE-2011-0592, CVE-2011-0595, and CVE-2011-0600. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46211 1025033 ADV-2011-0337 ADV-2011-0492 http://www.zerodayinitiative.com/advisories/ZDI-11-069/ oval:org.mitre.oval:def:12258 Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a font. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46216 1025033 ADV-2011-0337 ADV-2011-0492 adobe-reader-fonts-code-exec(65299) oval:org.mitre.oval:def:12444 Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a crafted Universal 3D (U3D) file that triggers a buffer overflow during decompression, a different vulnerability than CVE-2011-0590, CVE-2011-0591, CVE-2011-0592, CVE-2011-0593, and CVE-2011-0600. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 20110208 ZDI-11-070: Adobe Acrobat Reader U3D Texture .fli RLE Decompression Remote Code Execution Vulnerability 46212 1025033 ADV-2011-0337 ADV-2011-0492 http://www.zerodayinitiative.com/advisories/ZDI-11-070/ oval:org.mitre.oval:def:12500 The Bitmap parsing component in 2d.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via an image with crafted (1) height and (2) width values for an RLE_8 compressed bitmap, which triggers a heap-based buffer overflow, a different vulnerability than CVE-2011-0598, CVE-2011-0599, and CVE-2011-0602. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 1025033 ADV-2011-0337 ADV-2011-0492 oval:org.mitre.oval:def:11921 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. Integer overflow in ACE.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to execute arbitrary code via crafted ICC data, a different vulnerability than CVE-2011-0596, CVE-2011-0599, and CVE-2011-0602. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 20110208 ZDI-11-073: Adobe Reader ICC Parsing Remote Code Execution Vulnerability 46219 1025033 ADV-2011-0337 ADV-2011-0492 http://www.zerodayinitiative.com/advisories/ZDI-11-073/ adobe-reader-ace-bo(65302) oval:org.mitre.oval:def:12081 The Bitmap parsing component in rt3d.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a crafted image that causes an invalid pointer calculation related to 4/8-bit RLE compression, a different vulnerability than CVE-2011-0596, CVE-2011-0598, and CVE-2011-0602. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 20110208 ZDI-11-072: Adobe Reader BMP ColorData Remote Code Execution Vulnerability 46220 1025033 ADV-2011-0337 ADV-2011-0492 http://www.zerodayinitiative.com/advisories/ZDI-11-072/ oval:org.mitre.oval:def:12424 The U3D component in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a 3D file with an invalid Parent Node count that triggers an incorrect size calculation and memory corruption, a different vulnerability than CVE-2011-0590, CVE-2011-0591, CVE-2011-0592, CVE-2011-0593, and CVE-2011-0595. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 20110208 ZDI-11-074: Adobe Reader u3d Parent Node Count Remote Code Execution Vulnerability 46213 1025033 ADV-2011-0337 ADV-2011-0492 http://www.zerodayinitiative.com/advisories/ZDI-11-074/ oval:org.mitre.oval:def:12428 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via crafted JP2K record types in a JPEG2000 image in a PDF file, which causes heap corruption, a different vulnerability than CVE-2011-0596, CVE-2011-0598, and CVE-2011-0599. 20110208 Adobe Reader and Acrobat JP2K Invalid Indexing Vulnerability http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46221 1025033 ADV-2011-0337 ADV-2011-0492 oval:org.mitre.oval:def:12562 Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image, a different vulnerability than CVE-2011-0566 and CVE-2011-0567. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46222 1025033 ADV-2011-0337 ADV-2011-0492 adobe-reader-acrobat-images-ce(65306) oval:org.mitre.oval:def:12492 Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-0587. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 46217 1025033 ADV-2011-0337 ADV-2011-0492 adobe-acrobat-unspecified-xss(65307) oval:org.mitre.oval:def:12592 Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. http://www.adobe.com/support/security/bulletins/apsb11-03.html 46200 1025033 ADV-2011-0337 reader-acrobat-unspec-ce(65308) oval:org.mitre.oval:def:13890 Stack-based buffer overflow in rt3d.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors related to a crafted length value, a different vulnerability than CVE-2011-0563 and CVE-2011-0589. http://www.adobe.com/support/security/bulletins/apsb11-03.html RHSA-2011:0301 20110208 ZDI-11-075: Adobe Acrobat Reader rt3d.dll Multimedia Playing Arbitrary Memory Overwite Remote Code Execution Vulnerability 46201 1025033 ADV-2011-0337 ADV-2011-0492 adobe-reader-acrobat-rt3d-bo(65309) oval:org.mitre.oval:def:12550 Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, and CVE-2011-0608. http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash2 SUSE-SA:2011:009 http://www.adobe.com/support/security/bulletins/apsb11-02.html RHSA-2011:0206 RHSA-2011:0259 RHSA-2011:0368 46282 1025055 ADV-2011-0348 ADV-2011-0383 ADV-2011-0402 ADV-2011-0646 adobe-player-ce(65241) oval:org.mitre.oval:def:14137 oval:org.mitre.oval:def:16194 Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, and CVE-2011-0607. http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash2 SUSE-SA:2011:009 http://www.adobe.com/support/security/bulletins/apsb11-02.html RHSA-2011:0206 RHSA-2011:0259 RHSA-2011:0368 46283 1025055 ADV-2011-0348 ADV-2011-0383 ADV-2011-0402 ADV-2011-0646 adobe-code-exec(65242) oval:org.mitre.oval:def:14066 oval:org.mitre.oval:def:16026 Unspecified vulnerability in Adobe Flash Player 10.2.154.13 and earlier on Windows, Mac OS X, Linux, and Solaris; 10.1.106.16 and earlier on Android; Adobe AIR 2.5.1 and earlier; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader and Acrobat 9.x through 9.4.2 and 10.x through 10.0.1 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, as demonstrated by a .swf file embedded in an Excel spreadsheet, and as exploited in the wild in March 2011. http://blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates_15.html SUSE-SR:2011:005 8152 http://www.adobe.com/support/security/advisories/apsa11-01.html http://www.adobe.com/support/security/bulletins/apsb11-06.html VU#192052 RHSA-2011:0372 46860 1025210 1025211 1025238 ADV-2011-0655 ADV-2011-0656 ADV-2011-0688 ADV-2011-0732 adobe-flash-authplay-ce(66078) oval:org.mitre.oval:def:14147 The CoolType library in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. Per: http://www.adobe.com/support/security/bulletins/apsb11-08.html 'Today's security updates are out-of-cycle updates.' Per: http://www.adobe.com/support/security/bulletins/apsb11-08.html 'Severity rating Adobe categorizes these as critical updates and recommends affected users update their installations to the newest versions.' http://www.adobe.com/support/security/bulletins/apsb11-08.html oval:org.mitre.oval:def:13967 Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a "group of included constants," object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011. http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html SUSE-SA:2011:018 8204 8292 http://www.adobe.com/support/security/advisories/apsa11-02.html http://www.adobe.com/support/security/bulletins/apsb11-07.html http://www.adobe.com/support/security/bulletins/apsb11-08.html 17175 VU#230057 RHSA-2011:0451 47314 1025324 1025325 ADV-2011-0922 ADV-2011-0923 ADV-2011-0924 adobe-flash-swf-doc-ce(66681) oval:org.mitre.oval:def:14175 Adobe Flash Media Server (FMS) before 3.5.6, and 4.x before 4.0.2, allows remote attackers to cause a denial of service (XML data corruption) via unspecified vectors. http://www.adobe.com/support/security/bulletins/apsb11-11.html Multiple cross-site scripting (XSS) vulnerabilities in RoboHelp 7 and 8, and RoboHelp Server 7 and 8, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to (1) wf_status.htm and (2) wf_topicfs.htm in RoboHTML/WildFireExt/TemplateStock/. http://www.adobe.com/support/security/bulletins/apsb11-09.html Buffer overflow in Adobe Audition 3.0.1 and earlier allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Audition Session (aka .ses) file. 8253 http://www.adobe.com/support/security/bulletins/apsb11-10.html 17278 47841 http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5012.php Multiple buffer overflows in Adobe Audition 3.0.1 and earlier allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted data in unspecified fields in the TRKM chunk in an Audition Session (aka .ses) file, related to inconsistent use of character data types. http://www.adobe.com/support/security/bulletins/apsb11-10.html http://www.coresecurity.com/content/Adobe-Audition-malformed-SES-file 47838 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. Integer overflow in Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows attackers to execute arbitrary code via unspecified vectors. SUSE-SA:2011:025 http://www.adobe.com/support/security/bulletins/apsb11-12.html oval:org.mitre.oval:def:14106 oval:org.mitre.oval:def:16041 Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0620, CVE-2011-0621, and CVE-2011-0622. SUSE-SA:2011:025 http://www.adobe.com/support/security/bulletins/apsb11-12.html oval:org.mitre.oval:def:14088 oval:org.mitre.oval:def:16141 Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0619, CVE-2011-0621, and CVE-2011-0622. SUSE-SA:2011:025 http://www.adobe.com/support/security/bulletins/apsb11-12.html oval:org.mitre.oval:def:13832 oval:org.mitre.oval:def:16248 Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0619, CVE-2011-0620, and CVE-2011-0622. SUSE-SA:2011:025 http://www.adobe.com/support/security/bulletins/apsb11-12.html oval:org.mitre.oval:def:14160 oval:org.mitre.oval:def:15739 Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0619, CVE-2011-0620, and CVE-2011-0621. SUSE-SA:2011:025 http://www.adobe.com/support/security/bulletins/apsb11-12.html oval:org.mitre.oval:def:14113 oval:org.mitre.oval:def:16241 Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows attackers to execute arbitrary code via unspecified vectors, related to a "bounds checking" issue, a different vulnerability than CVE-2011-0624, CVE-2011-0625, and CVE-2011-0626. SUSE-SA:2011:025 http://www.adobe.com/support/security/bulletins/apsb11-12.html oval:org.mitre.oval:def:13901 oval:org.mitre.oval:def:16134 Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows attackers to execute arbitrary code via unspecified vectors, related to a "bounds checking" issue, a different vulnerability than CVE-2011-0623, CVE-2011-0625, and CVE-2011-0626. SUSE-SA:2011:025 http://www.adobe.com/support/security/bulletins/apsb11-12.html oval:org.mitre.oval:def:13924 oval:org.mitre.oval:def:16010 Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows attackers to execute arbitrary code via unspecified vectors, related to a "bounds checking" issue, a different vulnerability than CVE-2011-0623, CVE-2011-0624, and CVE-2011-0626. SUSE-SA:2011:025 http://www.adobe.com/support/security/bulletins/apsb11-12.html oval:org.mitre.oval:def:14077 oval:org.mitre.oval:def:16076 Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows attackers to execute arbitrary code via unspecified vectors, related to a "bounds checking" issue, a different vulnerability than CVE-2011-0623, CVE-2011-0624, and CVE-2011-0625. SUSE-SA:2011:025 http://www.adobe.com/support/security/bulletins/apsb11-12.html oval:org.mitre.oval:def:14036 oval:org.mitre.oval:def:16156 Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content, as possibly exploited in the wild in May 2011 by a Microsoft Office document with an embedded .swf file. SUSE-SA:2011:025 http://www.adobe.com/support/security/bulletins/apsb11-12.html oval:org.mitre.oval:def:13914 oval:org.mitre.oval:def:16053 Integer overflow in Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows remote attackers to execute arbitrary code via ActionScript that improperly handles a long array object. 20110524 Adobe Flash Player ActionScript Integer Overflow Vulnerability http://www.adobe.com/support/security/bulletins/apsb11-12.html 47961 flash-player-overflow(67638) oval:org.mitre.oval:def:13994 oval:org.mitre.oval:def:15639 Cross-site request forgery (CSRF) vulnerability in Adobe ColdFusion 8.0, 8.0.1, 9.0, and 9.0.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. http://www.adobe.com/support/security/bulletins/apsb11-14.html coldfusion-unspec-csrf(68027) The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned. http://cpansearch.perl.org/src/GAAS/libwww-perl-6.02/Changes http://vttynotes.blogspot.com/2010/12/man-in-middle-fun-with-perl-lwp.html http://vttynotes.blogspot.com/2011/03/quick-note-on-lwp-and-perl-security-cve.html ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-1002. Reason: This candidate is a reservation duplicate of CVE-2011-1002. Notes: All CVE users should reference CVE-2011-1002 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Static code injection vulnerability in Simploo CMS 1.7.1 and earlier allows remote authenticated users to inject arbitrary PHP code into config/custom/base.ini.php via the ftpserver parameter (FTP-Server field) to the sicore/updates/optionssav operation for index.php. 16016 20110118 Simploo CMS Community Edition - Remote PHP Code Execution Issue 45906 simploocms-ftpserver-code-execution(64826) The (1) cudaHostAlloc and (2) cuMemHostAlloc functions in the NVIDIA CUDA Toolkit 3.2 developer drivers for Linux 260.19.26, and possibly other versions, do not initialize pinned memory, which allows local users to read potentially sensitive memory, such as file fragments during read or write operations. http://classic.chem.msu.su/cgi-bin/ceilidh.exe/gran/gamess/forum/?C35e9ea936bHW-7675-1380-00.htm http://classic.chem.msu.su/cgi-bin/ceilidh.exe/gran/gamess/forum/?C35e9ea936bHW-7676-1022+00.htm http://classic.chem.msu.su/cgi-bin/ceilidh.exe/gran/gamess/forum/?C35e9ea936bHW-7677-1391+00.htm http://classic.chem.msu.su/cgi-bin/ceilidh.exe/gran/gamess/forum/?C35e9ea936bHW-7681-487+00.htm http://forums.nvidia.com/index.php?showtopic=190303 20110107 CUDA drivers/Linux security hole 20110201 fix for Nvidia CUDA drivers security breach 45717 1024962 cuda-toolkit-cudahostalloc-info-disc(64710) The FC SCSI protocol driver in IBM AIX 6.1 does not verify that a timer is unused before deallocating this timer, which might allow attackers to cause a denial of service (system crash) via unspecified vectors. 45931 ADV-2011-0176 IZ92478 ibm-aix-fcscsi-dos(64817) Microsoft Windows does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer. http://news.cnet.com/8301-27080_3-20028919-245.html http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou http://www.cs.gmu.edu/~astavrou/publications.html oval:org.mitre.oval:def:12566 Apple Mac OS X does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer. http://news.cnet.com/8301-27080_3-20028919-245.html http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou http://www.cs.gmu.edu/~astavrou/publications.html The default configuration of udev on Linux does not warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer. http://news.cnet.com/8301-27080_3-20028919-245.html http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou http://www.cs.gmu.edu/~astavrou/publications.html Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/admin.php in the StatPressCN plugin 1.9.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) what1, (2) what2, (3) what3, (4) what4, and (5) what5 parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 45950 statpresscn-admin-xss(64882) Cross-site request forgery (CSRF) vulnerability in news/admin.php in N-13 News 3.4, 3.7, and 4.0 allows remote attackers to hijack the authentication of administrators for requests that create new users via the options action. NOTE: some of these details are obtained from third party information. 16013 n13news-admin-csrf(64824) Cross-site request forgery (CSRF) vulnerability in admin/conf_users_edit.php in PHP Link Directory (phpLD) 4.1.0 allows remote attackers to hijack the authentication of administrators for requests that add an administrator via the N action. 16037 phplinkdirectory-confusersedit-csrf(64860) SQL injection vulnerability in include/admin/model_field.class.php in PHPCMS 2008 V2 allows remote attackers to execute arbitrary SQL commands via the modelid parameter to flash_upload.php. 16019 45933 phpcms-flashupload-sql-injection(64828) SQL injection vulnerability in data.php in PHPCMS 2008 V2 allows remote attackers to execute arbitrary SQL commands via the where_time parameter in a get action. http://securityreason.com/wlb_show/WLB-2011010077 45913 phpcms-flashupload-sql-injection(64828) SQL injection vulnerability in viewfaqs.php in PHP LOW BIDS allows remote attackers to execute arbitrary SQL commands via the cat parameter. 16020 45941 phplowbids-viewfaqs-sql-injection(64829) The irccd.exe service in EMC Replication Manager Client before 5.3 and NetWorker Module for Microsoft Applications 2.1.x and 2.2.x allows remote attackers to execute arbitrary commands via the RunProgram function to TCP port 6542. 20110208 ESA-2011-004: EMC Replication Manager remote code execution vulnerability 20110207 ZDI-11-061: EMC Replication Manager Client irccd.exe Remote Code Execution Vulnerability 46235 ADV-2011-0304 http://www.zerodayinitiative.com/advisories/ZDI-11-061/ replicationmanager-irccd-code-execution(65205) Unspecified vulnerability in EMC Avamar before 5.0.4-30 allows remote authenticated users to gain privileges via unknown vectors. 8138 20110315 ESA-2011-006: EMC Avamar privilege escalation vulnerability 46874 avamar-unspecified-priv-escalation(66108) Multiple unspecified vulnerabilities in TIBCO Rendezvous 8.2.1 through 8.3.0, Enterprise Message Service (EMS) 5.1.0 through 6.0.0, Runtime Agent (TRA) 5.6.2 through 5.7.0, Silver BPM Service before 1.0.4, Silver CAP Service vebefore 1.0.2, and Silver BusinessWorks Service 1.0.0, when running on Unix systems, allow local users to gain root privileges via unknown vectors related to SUID and (1) Rendezvous Routing Daemon (rvrd), (2) Rendezvous Secure Daemon (rvsd), (3) Rendezvous Secure Routing Daemon (rvsrd), and (4) EMS Server (tibemsd). Per: http://www.tibco.com/multimedia/rv_ems_security_advisory_20110201_tcm8-13185.txt 'TIBCO Rendezvous and EMS components listed above contain a SUID vulnerability which could potentially grant unauthorized root access to an attacker on Unix-based systems.' Per: http://www.tibco.com/multimedia/rv_ems_security_advisory_20110201_tcm8-13185.txt 'On Unix-based systems a successful attack will result in a privilege escalation to root, granting the attacker full administrative control of the host.' 46104 http://www.tibco.com/multimedia/rv_ems_security_advisory_20110201_tcm8-13185.txt ADV-2011-0269 tibco-suid-privilege-escalation(65105) Cross-site request forgery (CSRF) vulnerability in Greenbone Security Assistant (GSA) before 2.0+rc3 allows remote attackers to hijack the authentication of users for requests that send email via an OMP request to OpenVAS Manager. NOTE: this issue can be leveraged to bypass authentication requirements for exploiting CVE-2011-0018. http://www.openvas.org/OVSA20110118.html 20110125 [OVSA20110118] OpenVAS Manager Vulnerable To Command Injection greenbone-unspecifed-csrf(65012) [openvas-commits] 20110203 r10151 - in trunk/gsa: . src src/html [openvas-commits] 20110203 r10187 - trunk/gsa Buffer overflow in the key exchange functionality in Icon Labs Iconfidant SSL Server before 1.3.0 allows remote attackers to execute arbitrary code via a client master key packet in which the sum of unspecified length fields is greater than a certain value. 45938 http://www.zerodayinitiative.com/advisories/ZDI-11-021/ iconfidant-key-bo(64868) lnsfw1.sys 6.0.2900.5512 in Look 'n' Stop Firewall 2.06p4 and 2.07 allows local users to cause a denial of service (crash) via a crafted 0x80000064 IOCTL request that triggers an assertion failure. NOTE: some of these details are obtained from third party information. 16021 45949 looknstop-ioctl-dos(64851) Cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint Server 2010 Gold and SP1, and SharePoint Foundation 2010, allows remote attackers to inject arbitrary web script or HTML via the URI, aka "XSS in SharePoint Calendar Vulnerability." TA11-256A MS11-074 oval:org.mitre.oval:def:12835 Integer underflow in the BowserWriteErrorLogEntry function in the Common Internet File System (CIFS) browser service in Mrxsmb.sys or bowser.sys in Active Directory in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via a malformed BROWSER ELECTION message, leading to a heap-based buffer overflow, aka "Browser Pool Corruption Vulnerability." NOTE: some of these details are obtained from third party information. 20110214 MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow http://blogs.technet.com/b/mmpc/archive/2011/02/16/my-sweet-valentine-the-cifs-browser-protocol-heap-corruption-vulnerability.aspx http://blogs.technet.com/b/srd/archive/2011/02/16/notes-on-exploitability-of-the-recent-windows-browser-protocol-issue.aspx 16166 VU#323172 46360 1025328 TA11-102A ADV-2011-0394 ADV-2011-0938 MS11-019 ms-win-server-browser-bo(65376) oval:org.mitre.oval:def:12637 Microsoft PowerPoint 2007 SP2 and 2010; Office 2004, 2008, and 2011 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; PowerPoint Viewer; PowerPoint Viewer 2007 SP2; and PowerPoint Web App do not properly validate TimeColorBehaviorContainer Floating Point records in PowerPoint documents, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document containing an invalid record, aka "Floating Point Techno-color Time Bandit RCE Vulnerability." 1025340 TA11-102A ADV-2011-0941 MS11-022 oval:org.mitre.oval:def:12624 Microsoft PowerPoint 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004, 2008, and 2011 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; PowerPoint Viewer; PowerPoint Viewer 2007 SP2; and PowerPoint Web App do not properly validate PersistDirectoryEntry records in PowerPoint documents, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a Slide with a malformed record, which triggers an exception and later use of an unspecified method, aka "Persist Directory RCE Vulnerability." 20110412 ZDI-11-125: Microsoft Office PowerPoint PersistDirectoryEntry Remote Code Execution Vulnerability 47251 1025340 TA11-102A ADV-2011-0941 http://www.zerodayinitiative.com/advisories/ZDI-11-125 MS11-022 oval:org.mitre.oval:def:11761 DNSAPI.dll in the DNS client in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly process DNS queries, which allows remote attackers to execute arbitrary code via (1) a crafted LLMNR broadcast query or (2) a crafted application, aka "DNS Query Vulnerability." 47242 1025332 TA11-102A ADV-2011-0948 MS11-030 oval:org.mitre.oval:def:11902 Integer underflow in the OLE Automation protocol implementation in VBScript.dll in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted WMF file, aka "OLE Automation Underflow Vulnerability." MS11-038 oval:org.mitre.oval:def:12335 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. The SMB client in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote SMB servers to execute arbitrary code via a crafted (1) SMBv1 or (2) SMBv2 response, aka "SMB Client Response Parsing Vulnerability." 47239 1025328 TA11-102A ADV-2011-0938 MS11-019 oval:org.mitre.oval:def:11995 The SMB Server service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate fields in SMB requests, which allows remote attackers to execute arbitrary code via a malformed request in a (1) SMBv1 or (2) SMBv2 packet, aka "SMB Transaction Parsing Vulnerability." 47198 1025329 TA11-102A ADV-2011-0939 MS11-020 oval:org.mitre.oval:def:12076 Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that leverages incorrect driver object management, a different vulnerability than other "Vulnerability Type 1" CVEs listed in MS11-034, aka "Win32k Use After Free Vulnerability." http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx http://support.avaya.com/css/P8/documents/100133352 47194 1025345 TA11-102A ADV-2011-0952 MS11-034 mswin-win32k-var1-priv-escalation(66395) oval:org.mitre.oval:def:12543 Multiple integer overflows in the Microsoft (1) JScript 5.6 through 5.8 and (2) VBScript 5.6 through 5.8 scripting engines allow remote attackers to execute arbitrary code via a crafted web page, aka "Scripting Memory Reallocation Vulnerability." 47249 1025333 TA11-102A ADV-2011-0949 MS11-031 oval:org.mitre.oval:def:12673 Microsoft .NET Framework 2.0 SP1 and SP2, 3.5 Gold and SP1, 3.5.1, and 4.0, and Silverlight 4 before 4.0.60531.0, does not properly validate arguments to unspecified networking API functions, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (aka XBAP), (2) a crafted ASP.NET application, (3) a crafted .NET Framework application, or (4) a crafted Silverlight application, aka ".NET Framework Array Offset Vulnerability." MS11-039 oval:org.mitre.oval:def:12105 Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that leverages incorrect driver object management, a different vulnerability than other "Vulnerability Type 1" CVEs listed in MS11-034, aka "Win32k Use After Free Vulnerability." http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx http://support.avaya.com/css/P8/documents/100133352 47202 1025345 TA11-102A ADV-2011-0952 MS11-034 mswin-win32k-var2-priv-escalation(66396) oval:org.mitre.oval:def:12526 Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that leverages incorrect driver object management, a different vulnerability than other "Vulnerability Type 1" CVEs listed in MS11-034, aka "Win32k Use After Free Vulnerability." http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx http://support.avaya.com/css/P8/documents/100133352 47203 1025345 TA11-102A ADV-2011-0952 MS11-034 mswin-win32k-var3-priv-escalation(66397) oval:org.mitre.oval:def:12347 Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that leverages incorrect driver object management, a different vulnerability than other "Vulnerability Type 1" CVEs listed in MS11-034, aka "Win32k Use After Free Vulnerability." http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx http://support.avaya.com/css/P8/documents/100133352 47204 1025345 TA11-102A ADV-2011-0952 MS11-034 mswin-win32k-var4-priv-escalation(66398) oval:org.mitre.oval:def:12340 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that leverages incorrect driver object management, a different vulnerability than other "Vulnerability Type 1" CVEs listed in MS11-034, aka "Win32k Use After Free Vulnerability." http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx http://support.avaya.com/css/P8/documents/100133352 47205 1025345 TA11-102A ADV-2011-0952 MS11-034 mswin-win32k-var5-priv-escalation(66399) oval:org.mitre.oval:def:12337 Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that leverages incorrect driver object management, a different vulnerability than other "Vulnerability Type 1" CVEs listed in MS11-034, aka "Win32k Use After Free Vulnerability." http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx http://support.avaya.com/css/P8/documents/100133352 47206 1025345 TA11-102A ADV-2011-0952 MS11-034 mswin-win32k-var6-priv-escalation(66400) oval:org.mitre.oval:def:11942 Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that leverages incorrect driver object management, a different vulnerability than other "Vulnerability Type 1" CVEs listed in MS11-034, aka "Win32k Use After Free Vulnerability." http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx http://support.avaya.com/css/P8/documents/100133352 47207 1025345 TA11-102A ADV-2011-0952 MS11-034 mswin-win32k-var7-priv-escalation(66401) oval:org.mitre.oval:def:12167 win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP3 allows local users to gain privileges via a crafted application that triggers a NULL pointer dereference, aka "Win32k Null Pointer De-reference Vulnerability." Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx http://support.avaya.com/css/P8/documents/100133352 47234 1025345 TA11-102A ADV-2011-0952 MS11-034 mswin-win32k-var8-priv-escalation(66402) oval:org.mitre.oval:def:12546 Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that leverages incorrect driver object management, a different vulnerability than other "Vulnerability Type 1" CVEs listed in MS11-034, aka "Win32k Use After Free Vulnerability." http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx http://support.avaya.com/css/P8/documents/100133352 47209 1025345 TA11-102A ADV-2011-0952 MS11-034 mswin-win32k-var9-priv-escalation(66403) oval:org.mitre.oval:def:11708 Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that leverages incorrect driver object management, a different vulnerability than other "Vulnerability Type 1" CVEs listed in MS11-034, aka "Win32k Use After Free Vulnerability." http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx http://support.avaya.com/css/P8/documents/100133352 47210 1025345 TA11-102A ADV-2011-0952 MS11-034 mswin-win32k-var10-priv-escalation(66404) oval:org.mitre.oval:def:12183 win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that triggers a NULL pointer dereference, a different vulnerability than other "Vulnerability Type 2" CVEs listed in MS11-034, aka "Win32k Null Pointer De-reference Vulnerability." Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx http://support.avaya.com/css/P8/documents/100133352 47220 1025345 TA11-102A ADV-2011-0952 MS11-034 mswin-win32k-var11-priv-escalation(66405) oval:org.mitre.oval:def:12416 oval:org.mitre.oval:def:12474 win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that triggers a NULL pointer dereference, a different vulnerability than other "Vulnerability Type 2" CVEs listed in MS11-034, aka "Win32k Null Pointer De-reference Vulnerability." Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx http://support.avaya.com/css/P8/documents/100133352 47224 1025345 TA11-102A ADV-2011-0952 MS11-034 mswin-win32k-var12-priv-escalation(66406) oval:org.mitre.oval:def:12653 Unrestricted file upload vulnerability in the EasyEdit module in Lomtec ActiveWeb Professional 3.0 allows remote attackers to execute arbitrary code by uploading an executable file via the UploadDirectory and Accepted Extensions fields in the getImagefile component of EasyEdit.cfm. Per: http://cwe.mitre.org/data/definitions/434.html 'CWE-434: Unrestricted Upload of File with Dangerous Type' http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-002.html VU#528212 45985 ADV-2011-0217 activeweb-easyedit-file-upload(65013) IBM WebSphere Portal 6.0.1.1 through 7.0.0.0, as used in IBM Lotus Web Content Management (WCM) and IBM Lotus Quickr for WebSphere Portal, allows remote attackers to obtain sensitive information via a "modified message." http://www.ibm.com/support/docview.wss?uid=swg21460422 VU#375127 45989 ADV-2011-0223 PM22159 PM22167 PM24319 PM24320 PM25191 PM25698 PM26397 websphere-portal-unspecified-info-disclosure(64890) data/WorkingMessage.java in the Mms application in Android before 2.2.2 and 2.3.x before 2.3.2 does not properly manage the draft cache, which allows remote attackers to read SMS messages intended for other recipients in opportunistic circumstances via a standard text messaging service. http://android.git.kernel.org/?p=platform/packages/apps/Mms.git;a=commit;h=18d6b7e9d2e538fb3c0264332b96c02abf367267 http://android.git.kernel.org/?p=platform/packages/apps/Mms.git;a=commit;h=4d26623ce82230e8e7009adb921c5edea370a9e0 http://code.google.com/p/android/issues/detail?id=9392#c1460 http://code.google.com/p/android/issues/detail?id=9392#c1620 http://phandroid.com/2011/01/21/android-2-3-2-update-pushing-to-nexus-s-phone-fixes-sms-bug/ http://twitter.com/GalaxySsupport/statuses/28078194607263744 http://www.engadget.com/2011/01/22/nexus-one-gets-tiny-update-to-android-2-2-2-probably-fixes-sms/ http://www.htcphones.net/nexus-one-update-to-android-2-2-2/ http://www.samsunghub.com/2011/01/22/nexus-s-gets-android-2-3-2-fixes-sms-bug/ 46105 http://www.theinquirer.net/inquirer/news/1939386/google-updates-nexus-android-222 android-workingmessage-info-disclosure(65125) The Cascading Style Sheets (CSS) Extensions for XML implementation in Opera before 11.01 recognizes links to javascript: URLs in the -o-link property, which makes it easier for remote attackers to bypass CSS filtering via a crafted URL. http://www.opera.com/docs/changelogs/mac/1101/ http://www.opera.com/docs/changelogs/unix/1101/ http://www.opera.com/docs/changelogs/windows/1101/ 46036 ADV-2011-0231 oval:org.mitre.oval:def:12045 Integer truncation error in opera.dll in Opera before 11.01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTML form with a select element that contains a large number of children. http://www.opera.com/docs/changelogs/mac/1101/ http://www.opera.com/docs/changelogs/unix/1101/ http://www.opera.com/docs/changelogs/windows/1101/ http://www.opera.com/support/kb/view/982/ 46036 ADV-2011-0231 oval:org.mitre.oval:def:12636 https://www.alternativ-testing.fr/blog/index.php?post/2011/[CVE-XXXX-XXXX]-Opera-11-Integer-Truncation-Vulnerability Opera before 11.01 does not properly restrict the use of opera: URLs, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. http://www.opera.com/docs/changelogs/mac/1101/ http://www.opera.com/docs/changelogs/unix/1101/ http://www.opera.com/docs/changelogs/windows/1101/ http://www.opera.com/support/kb/view/983/ 46036 ADV-2011-0231 oval:org.mitre.oval:def:11641 Opera before 11.01 does not properly handle redirections and unspecified other HTTP responses, which allows remote web servers to obtain sufficient access to local files to use these files as page resources, and consequently obtain potentially sensitive information from the contents of the files, via an unknown response manipulation. http://www.opera.com/docs/changelogs/mac/1101/ http://www.opera.com/docs/changelogs/unix/1101/ http://www.opera.com/docs/changelogs/windows/1101/ http://www.opera.com/support/kb/view/984/ 46036 ADV-2011-0231 oval:org.mitre.oval:def:12296 The Delete Private Data feature in Opera before 11.01 does not properly implement the "Clear all email account passwords" option, which might allow physically proximate attackers to access an e-mail account via an unattended workstation. http://www.opera.com/docs/changelogs/mac/1101/ http://www.opera.com/docs/changelogs/unix/1101/ http://www.opera.com/docs/changelogs/windows/1101/ http://www.opera.com/support/kb/view/986/ 46036 ADV-2011-0231 opera-passwords-sec-bypass(65018) oval:org.mitre.oval:def:12507 Unspecified vulnerability in Opera before 11.01 allows remote attackers to cause a denial of service (application crash) via unknown content on a web page, as demonstrated by vkontakte.ru. http://www.opera.com/docs/changelogs/mac/1101/ http://www.opera.com/docs/changelogs/unix/1101/ http://www.opera.com/docs/changelogs/windows/1101/ 46036 ADV-2011-0231 oval:org.mitre.oval:def:11878 Opera before 11.01 does not properly implement Wireless Application Protocol (WAP) dropdown lists, which allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted WAP document. http://www.opera.com/docs/changelogs/mac/1101/ http://www.opera.com/docs/changelogs/unix/1101/ http://www.opera.com/docs/changelogs/windows/1101/ 46036 ADV-2011-0231 oval:org.mitre.oval:def:12563 Intel Alert Management System (aka AMS or AMS2), as used in Symantec Antivirus Corporate Edition (SAVCE) 10.x before 10.1 MR10, Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5 and 3.6, allows remote attackers to execute arbitrary commands via crafted messages over TCP, as discovered by Junaid Bohio, a different vulnerability than CVE-2010-0110 and CVE-2010-0111. NOTE: some of these details are obtained from third party information. 1024996 45936 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00 ADV-2011-0234 symantec-tcp-command-execution(65071) RealNetworks RealPlayer 11.0 through 11.1, SP 1.0 through 1.1.5, and 14.0.0 through 14.0.1, and Enterprise 2.0 through 2.1.4, uses predictable names for temporary files, which allows remote attackers to conduct cross-domain scripting attacks and execute arbitrary code via the OpenURLinPlayerBrowser function. http://docs.real.com/docs/security/SecurityUpdate020811RPE.pdf 8098 http://service.real.com/realplayer/security/02082011_player/en/ 20110208 ZDI-11-076: RealNetworks Real Player Predictable Temporary File Remote Code Execution Vulnerability 1025058 http://www.zerodayinitiative.com/advisories/ZDI-11-076 Race condition in the cm_work_handler function in the InfiniBand driver (drivers/infiniband/core/cma.c) in Linux kernel 2.6.x allows remote attackers to cause a denial of service (panic) by sending an InfiniBand request while other request handlers are still running, which triggers an invalid pointer dereference. Score based on information provided per: https://www.redhat.com/security/data/cve/CVE-2011-0695.html RHSA-2011:0927 [oss-security] 20110311 CVE-2011-0695 kernel: panic in ib_cm:cm_work_handler 46839 [linux-rdma] 20110223 [PATCH 1/2] rdma/cm: Fix crash in request handlers [linux-rdma] 20110223 [PATCH 2/2] ib/cm: Bump reference count on cm_id before invoking callback USN-1146-1 kernel-infiniband-dos(66056) Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447. FEDORA-2011-1261 FEDORA-2011-1235 [oss-security] 20110209 Django multiple flaws (CVEs inside) DSA-2163 http://www.djangoproject.com/weblog/2011/feb/08/security/ MDVSA-2011:031 46296 USN-1066-1 ADV-2011-0372 ADV-2011-0388 ADV-2011-0429 ADV-2011-0439 ADV-2011-0441 https://bugzilla.redhat.com/show_bug.cgi?id=676357 Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload. FEDORA-2011-1261 FEDORA-2011-1235 [oss-security] 20110209 Django multiple flaws (CVEs inside) DSA-2163 http://www.djangoproject.com/weblog/2011/feb/08/security/ MDVSA-2011:031 46296 USN-1066-1 ADV-2011-0372 ADV-2011-0388 ADV-2011-0429 ADV-2011-0439 ADV-2011-0441 https://bugzilla.redhat.com/show_bug.cgi?id=676359 Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays. [oss-security] 20110209 Django multiple flaws (CVEs inside) http://www.djangoproject.com/weblog/2011/feb/08/security/ MDVSA-2011:031 46296 ADV-2011-0372 ADV-2011-0439 Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, and (5) escaping of tags within the tags meta box. http://codex.wordpress.org/Version_3.0.5 http://core.trac.wordpress.org/changeset/17397 http://core.trac.wordpress.org/changeset/17401 http://core.trac.wordpress.org/changeset/17406 http://core.trac.wordpress.org/changeset/17412 FEDORA-2011-3408 FEDORA-2011-3738 FEDORA-2011-3746 [oss-security] 20110209 CVE request: wordpress before 3.0.5 [oss-security] 20110209 Re: CVE request: wordpress before 3.0.5 DSA-2190 46249 ADV-2011-0658 ADV-2011-0721 http://www.wordpress.org/news/2011/02/wordpress-3-0-5/ wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter. http://codex.wordpress.org/Version_3.0.5 http://core.trac.wordpress.org/changeset/17393 FEDORA-2011-3408 FEDORA-2011-3738 FEDORA-2011-3746 [oss-security] 20110209 CVE request: wordpress before 3.0.5 [oss-security] 20110209 Re: CVE request: wordpress before 3.0.5 DSA-2190 46249 ADV-2011-0658 ADV-2011-0721 http://www.wordpress.org/news/2011/02/wordpress-3-0-5/ The feh_unique_filename function in utils.c in feh before 1.11.2 might allow local users to overwrite arbitrary files via a symlink attack on a /tmp/feh_ temporary file. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612035 [oss-security] 20110209 CVE request for feh [oss-security] 20110209 Re: CVE request for feh https://bugs.launchpad.net/ubuntu/+source/feh/+bug/607328 https://bugzilla.redhat.com/show_bug.cgi?id=676389 https://derf.homelinux.org/git/feh/commit/?id=23421a86cc826dd30f3dc4f62057fafb04b3ac40 https://derf.homelinux.org/git/feh/commit/?id=29ab0855f044ef2fe9c295b72abefcb37f0861a5 https://github.com/derf/feh/issues/#issue/32 389 Directory Server 1.2.7.5, when built with mozldap, allows remote attackers to cause a denial of service (replica crash) by sending an empty modify request. https://bugzilla.redhat.com/show_bug.cgi?id=675320 https://bugzilla.redhat.com/show_bug.cgi?id=676876 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in OpenJDK Runtime Environment 1.6.0, allows remote attackers to gain privileges via unknown vectors related to multiple signers and the assignment of "an inappropriate security descriptor." http://dbhole.wordpress.com/2011/02/15/icedtea-web-1-0-1-released/ FEDORA-2011-1631 FEDORA-2011-1645 GLSA-201406-32 DSA-2224 MDVSA-2011:054 46439 https://bugzilla.redhat.com/show_bug.cgi?id=677332 icedtea-jnlpclassloader-priv-esc(65534) oval:org.mitre.oval:def:14117 Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message. APPLE-SA-2011-10-12-3 FEDORA-2011-2125 FEDORA-2011-2102 FEDORA-2011-2030 SUSE-SR:2011:009 openSUSE-SU-2011:0424 [mailman-announce] 20110213 Mailman Security Patch Announcement [mailman-announce] 20110218 Mailman Security Patch Announcement http://support.apple.com/kb/HT5002 DSA-2170 MDVSA-2011:036 RHSA-2011:0307 RHSA-2011:0308 46464 1025106 USN-1069-1 ADV-2011-0435 ADV-2011-0436 ADV-2011-0460 ADV-2011-0487 ADV-2011-0542 ADV-2011-0720 mailman-fullname-xss(65538) exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read. http://bugs.php.net/bug.php?id=54002 APPLE-SA-2011-10-12-3 FEDORA-2011-3636 FEDORA-2011-3666 FEDORA-2011-3614 SSRT100826 [oss-security] 20110214 PHP Exif 64bit Casting Vulnerability, CVE request [oss-security] 20110216 Re: Re: PHP Exif 64bit Casting Vulnerability, CVE request RHSA-2012:0071 8114 http://support.apple.com/kb/HT5002 http://svn.php.net/viewvc?view=revision&revision=308316 DSA-2266 16261 MDVSA-2011:052 MDVSA-2011:053 http://www.php.net/archive/2011.php http://www.php.net/ChangeLog-5.php http://www.php.net/releases/5_3_6.php RHSA-2011:1423 46365 ADV-2011-0744 ADV-2011-0764 ADV-2011-0890 https://bugzilla.redhat.com/show_bug.cgi?id=680972 The br_mdb_ip_get function in net/bridge/br_multicast.c in the Linux kernel before 2.6.35-rc5 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an IGMP packet, related to lack of a multicast table. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7f285fa78d4b81b8458f05e77fb6b46245121b4e [oss-security] 20110216 CVE request - kernel: bridge br_multicast NULL pointer dereference [oss-security] 20110216 Re: CVE request - kernel: bridge br_multicast NULL pointer dereference [oss-security] 20110216 Re: CVE request - kernel: bridge br_multicast NULL pointer dereference http://www.kernel.org/pub/linux/kernel/v2.6/testing/v2.6.35/ChangeLog-2.6.35-rc5 41432 [netdev] 20100705 bridge br_multicast: BUG: unable to handle kernel NULL pointer dereference [netdev] 20100706 Re: bridge br_multicast: BUG: unable to handle kernel NULL pointer dereference The task_show_regs function in arch/s390/kernel/traps.c in the Linux kernel before 2.6.38-rc4-next-20110216 on the s390 platform allows local users to obtain the values of the registers of an arbitrary process by reading a status file under /proc/. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=261cd298a8c363d7985e3482946edb4bfedacf98 [oss-security] 20110216 CVE request - kernel: s390 task_show_regs infoleak [oss-security] 20110216 Re: CVE request - kernel: s390 task_show_regs infoleak http://www.kernel.org/pub/linux/kernel/v2.6/next/patch-v2.6.38-rc4-next-20110216.bz2 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console 46421 http://www.vmware.com/security/advisories/VMSA-2011-0012.html https://bugzilla.redhat.com/show_bug.cgi?id=677850 kernel-taskshowregs-info-disclosure(65464) The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel before 2.6.38-rc6-git3 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FSGEOMETRY_V1 ioctl call. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba [oss-security] 20110216 Re: CVE request - kernel: xfs infoleak [oss-security] 20110216 CVE request - kernel: xfs infoleak RHSA-2011:0927 http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.38-rc6-git3.log 46417 https://bugzilla.redhat.com/show_bug.cgi?id=677260 https://patchwork.kernel.org/patch/555461/ Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel before 2.6.38-rc4-next-20110215 might allow attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c. http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commit;h=eaae55dac6b64c0616046436b294e69fc5311581 http://www.kernel.org/pub/linux/kernel/v2.6/next/patch-v2.6.38-rc4-next-20110215.bz2 [oss-security] 20110216 Re: kernel: ALSA: caiaq - Fix possible string-buffer overflow [oss-security] 20110216 Re: kernel: ALSA: caiaq - Fix possible string-buffer overflow [oss-security] 20110216 kernel: ALSA: caiaq - Fix possible string-buffer overflow 46419 USN-1146-1 https://bugzilla.redhat.com/show_bug.cgi?id=677881 kernel-usbdevice-bo(65461) Heap-based buffer overflow in wiretap/dct3trace.c in Wireshark 1.2.0 through 1.2.14 and 1.4.0 through 1.4.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long record in a Nokia DCT3 trace file. http://anonsvn.wireshark.org/viewvc?view=rev&revision=35953 FEDORA-2011-2648 FEDORA-2011-2632 FEDORA-2011-2620 [oss-security] 20110216 wireshark dct3trace buffer overflow DSA-2201 VU#215900 MDVSA-2011:044 RHSA-2011:0369 46416 1025148 ADV-2011-0622 ADV-2011-0626 ADV-2011-0719 ADV-2011-0747 http://www.wireshark.org/docs/relnotes/wireshark-1.2.15.html http://www.wireshark.org/docs/relnotes/wireshark-1.4.4.html http://www.wireshark.org/security/wnpa-sec-2011-03.html http://www.wireshark.org/security/wnpa-sec-2011-04.html https://bugzilla.redhat.com/show_bug.cgi?id=678198 wireshark-visualc-bo(65460) wireshark-nokiadct3-bo(65780) oval:org.mitre.oval:def:14766 Use-after-free vulnerability in a certain Red Hat patch for the RPC server sockets functionality in the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 might allow remote attackers to cause a denial of service (crash) via malformed data in a packet, related to lockd and the svc_xprt_received function. [oss-security] 20110308 CVE-2011-0714 kernel: deficiency in handling of invalid data packets in lockd [oss-security] 20110309 Re: CVE-2011-0714 kernel: deficiency in handling of invalid data packets in lockd https://bugzilla.redhat.com/show_bug.cgi?id=678144 RHSA-2011:0329 The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.16, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request that contains a lock token. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' APPLE-SA-2011-06-23-1 FEDORA-2011-2657 FEDORA-2011-2698 FEDORA-2011-3775 SUSE-SR:2011:005 1025161 SSA:2011-070-01 http://subversion.apache.org/security/CVE-2011-0715-advisory.txt http://support.apple.com/kb/HT4723 http://svn.apache.org/repos/asf/subversion/tags/1.6.16/CHANGES http://svn.apache.org/viewvc?view=revision&revision=1071239 http://svn.apache.org/viewvc?view=revision&revision=1071307 [dev] 20110303 Subversion 1.6.16 Released DSA-2181 MDVSA-2011:067 46734 USN-1096-1 ADV-2011-0567 ADV-2011-0568 ADV-2011-0624 ADV-2011-0660 ADV-2011-0684 ADV-2011-0776 ADV-2011-0885 https://bugzilla.redhat.com/show_bug.cgi?id=680755 subversion-moddavsvn-dos(65876) oval:org.mitre.oval:def:18967 RHSA-2011:0327 RHSA-2011:0328 The br_multicast_add_group function in net/bridge/br_multicast.c in the Linux kernel before 2.6.38, when a certain Ethernet bridge configuration is used, allows local users to cause a denial of service (memory corruption and system crash) by sending IGMP packets to a local interface. http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6b0d6a9b4296fa16a28d10d416db7a770fc03287 [oss-security] 20110217 Re: CVE request -- kernel: deficiency in processing igmp host membership reports in br_multicast https://bugzilla.redhat.com/show_bug.cgi?id=678169 https://github.com/torvalds/linux/commit/6b0d6a9b4296fa16a28d10d416db7a770fc03287 Session fixation vulnerability in Red Hat Network (RHN) Satellite Server 5.4 allows remote attackers to hijack web sessions via unspecified vectors related to Spacewalk. Per: http://cwe.mitre.org/data/definitions/384.html 'CWE-384: Session Fixation' RHSA-2011:0300 46528 1025116 ADV-2011-0491 https://bugzilla.redhat.com/show_bug.cgi?id=672159 rhnss-session-hijacking(65658) Red Hat Network (RHN) Satellite Server 5.4 does not use a time delay after a failed login attempt, which makes it easier for remote attackers to conduct brute force password guessing attacks. RHSA-2011:0300 46528 1025116 ADV-2011-0491 https://bugzilla.redhat.com/show_bug.cgi?id=672159 rhnss-weak-security(65657) Samba 3.x before 3.3.15, 3.4.x before 3.4.12, and 3.5.x before 3.5.7 does not perform range checks for file descriptors before use of the FD_SET macro, which allows remote attackers to cause a denial of service (stack memory corruption, and infinite loop or daemon crash) by opening a large number of files, related to (1) Winbind or (2) smbd. APPLE-SA-2011-06-23-1 FEDORA-2011-3120 FEDORA-2011-3118 HPSBUX02657 http://samba.org/samba/security/CVE-2011-0719.html SSA:2011-059-01 http://support.apple.com/kb/HT4723 DSA-2175 MDVSA-2011:038 RHSA-2011:0305 RHSA-2011:0306 http://www.samba.org/samba/history/samba-3.3.15.html http://www.samba.org/samba/history/samba-3.4.12.html http://www.samba.org/samba/history/samba-3.5.7.html 46597 1025132 USN-1075-1 ADV-2011-0517 ADV-2011-0518 ADV-2011-0519 ADV-2011-0520 ADV-2011-0522 ADV-2011-0541 ADV-2011-0702 https://bugzilla.redhat.com/show_bug.cgi?id=678328 samba-fdset-dos(65724) Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, luci, and possibly other products, allows remote attackers to obtain administrative access, read or create arbitrary content, and change the site skin via unknown vectors. http://plone.org/products/plone/security/advisories/cve-2011-0720 RHSA-2011:0393 RHSA-2011:0394 46102 1025258 ADV-2011-0796 plone-unspec-priv-escalation(65099) Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in shadow 1:4.1.4 allow local users to add new users or groups to /etc/passwd via the GECOS field. SSA:2011-086-03 DSA-2164 46426 USN-1065-1 ADV-2011-0396 ADV-2011-0398 ADV-2011-0773 shadow-chfnchsh-crlf-injection(65564) FFmpeg before 0.5.4, as used in MPlayer and other products, allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a malformed RealMedia file. http://ffmpeg.mplayerhq.hu/ DSA-2306 MDVSA-2011:061 MDVSA-2011:062 MDVSA-2011:089 MDVSA-2011:114 47149 USN-1104-1 ADV-2011-1241 FFmpeg 0.5.x, as used in MPlayer and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed VC-1 file. http://ffmpeg.mplayerhq.hu/ DSA-2306 MDVSA-2011:061 MDVSA-2011:062 MDVSA-2011:089 MDVSA-2011:112 MDVSA-2011:114 47151 USN-1104-1 ADV-2011-1241 The Live DVD for Edubuntu 9.10, 10.04 LTS, and 10.10 does not correctly regenerate iTALC private keys after installation, which causes each installation to have the same fixed key, which allows remote attackers to gain privileges. 46346 USN-1061-1 ADV-2011-0378 italc-keys-security-bypass(65389) Absolute path traversal vulnerability in the org.debian.apt.UpdateCachePartially method in worker.py in Aptdaemon 0.40 in Ubuntu 10.10 and 11.04 allows local users to read arbitrary files via a full pathname in the sources_list argument, related to the D-Bus interface. 46490 1025107 USN-1068-1 ADV-2011-0459 https://bugs.launchpad.net/bugs/722228 aptdaemon-updatecache-info-disc(65652) The do_task_stat function in fs/proc/array.c in the Linux kernel before 2.6.39-rc1 does not perform an expected uid check, which makes it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE binary. http://downloads.avaya.com/css/P8/documents/100145416 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5883f57ca0008ffc93e09cbb9847a1928e50c6f3 RHSA-2011:0833 http://www.kernel.org/pub/linux/kernel/v2.6/testing/v2.6.39/ChangeLog-2.6.39-rc1 47791 [mm-commits] 20110314 + proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch added to -mm tree https://bugzilla.redhat.com/show_bug.cgi?id=684569 [linux-kernel] 20110311 [PATCH] proc: protect mm start_code/end_code in /proc/pid/stat GNOME Display Manager (gdm) 2.x before 2.32.1 allows local users to change the ownership of arbitrary files via a symlink attack on a (1) dmrc or (2) face icon file under /var/cache/gdm/. http://ftp.gnome.org/pub/GNOME/sources/gdm/2.32/gdm-2.32.1.news FEDORA-2011-4335 FEDORA-2011-4351 [gdm-list] 20110328 GDM 2.32.1 released 1025264 DSA-2205 MDVSA-2011:070 RHSA-2011:0395 47063 USN-1099-1 ADV-2011-0786 ADV-2011-0787 ADV-2011-0797 ADV-2011-0847 ADV-2011-0911 https://bugzilla.redhat.com/show_bug.cgi?id=688323 display-manager-priv-escalation(66377) Cross-site scripting (XSS) vulnerability in templatefunctions.py in Loggerhead before 1.18.1 allows remote authenticated users to inject arbitrary web script or HTML via a filename, which is not properly handled in a revision view. FEDORA-2011-4050 FEDORA-2011-4085 FEDORA-2011-4107 47032 ADV-2011-0848 ADV-2011-0849 https://bugs.launchpad.net/loggerhead/+bug/740142 loggerhead-filename-xss(66305) https://launchpad.net/loggerhead/1.18/1.18.1 dbus_backend/ls-dbus-backend in the D-Bus backend in language-selector before 0.6.7 does not restrict access on the basis of a PolicyKit check result, which allows local users to modify the /etc/default/locale and /etc/environment files via a (1) SetSystemDefaultLangEnv or (2) SetSystemDefaultLanguageEnv call. 47502 USN-1115-1 http://www.ubuntuupdates.org/packages/show/307975 ADV-2011-1032 https://launchpad.net/bugs/764397 https://launchpad.net/ubuntu/+source/language-selector/0.6.7 Eucalyptus before 2.0.3 and Eucalyptus EE before 2.0.2, as used in Ubuntu Enterprise Cloud (UEC) and other products, do not properly interpret signed elements in SOAP requests, which allows man-in-the-middle attackers to execute arbitrary commands by modifying a request, related to an "XML Signature Element Wrapping" or a "SOAP signature replay" issue. http://launchpadlibrarian.net/72472626/eucalyptus_2.0.1%2Bbzr1256-0ubuntu5_2.0.1%2Bbzr1256-0ubuntu6.diff.gz http://open.eucalyptus.com/wiki/esa-02 48000 USN-1137-1 https://bugs.launchpad.net/bugs/746101 eucalyptus-soap-command-execution(67670) https://launchpad.net/ubuntu/+source/eucalyptus/+changelog Buffer overflow in the DB2 Administration Server (DAS) component in IBM DB2 9.1 before FP10, 9.5 before FP7, and 9.7 before FP3 on Linux, UNIX, and Windows allows remote attackers to execute arbitrary code via unspecified vectors. 46052 IC71203 IC72028 IC72029 oval:org.mitre.oval:def:14699 Multiple unspecified vulnerabilities in IBM Tivoli Integrated Portal (TIP) 1.1.1.1, as used in IBM Tivoli Common Reporting (TCR) 1.2.0 before Interim Fix 9, have unknown impact and attack vectors, related to "security vulnerabilities of Websphere Application Server bundled within" and "many internal defects and APARs." IY99978 Cross-site scripting (XSS) vulnerability in Adobe ColdFusion before 9.0.1 CHF1 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header in an id=- query to a .cfm file. 20110128 Vulnerabilities in Adobe ColdFusion http://kb2.adobe.com/cps/890/cpsid_89094.html 1025012 http://websecurity.com.ua/4879/ http://www.adobe.com/support/security/bulletins/apsb11-04.html Cross-site scripting (XSS) vulnerability in Adobe ColdFusion before 9.0.1 CHF1 allows remote attackers to inject arbitrary web script or HTML via an id parameter containing a JavaScript onLoad event handler for a BODY element, related to a "tag body" attack. NOTE: this was originally reported as affecting 9.0.1 CHF1 and earlier. 20110128 Vulnerabilities in Adobe ColdFusion http://kb2.adobe.com/cps/890/cpsid_89094.html 1025012 http://websecurity.com.ua/4879/ http://www.adobe.com/support/security/bulletins/apsb11-04.html Cross-site scripting (XSS) vulnerability in Adobe ColdFusion before 9.0.1 CHF1 allows remote attackers to inject arbitrary web script or HTML via vectors involving a "tag script." 20110128 Vulnerabilities in Adobe ColdFusion http://kb2.adobe.com/cps/890/cpsid_89094.html http://websecurity.com.ua/4879/ http://www.adobe.com/support/security/bulletins/apsb11-04.html ** DISPUTED ** Adobe ColdFusion 9.0.1 CHF1 and earlier, when a web application is configured to use a DBMS, allows remote attackers to obtain potentially sensitive information about the database structure via an id=- query to a .cfm file. NOTE: the vendor disputes the significance of this issue because the Site-wide Error Handler and Debug Output Settings sections of the ColdFusion Lockdown guide explain the requirement for settings that prevent this information disclosure. 20110128 Vulnerabilities in Adobe ColdFusion http://websecurity.com.ua/4879/ ** DISPUTED ** Adobe ColdFusion 9.0.1 CHF1 and earlier allows remote attackers to obtain sensitive information via an id=- query to a .cfm file, which reveals the installation path in an error message. NOTE: the vendor disputes the significance of this issue because the Site-wide Error Handler and Debug Output Settings sections of the ColdFusion Lockdown guide explain the requirement for settings that prevent this information disclosure. 20110128 Vulnerabilities in Adobe ColdFusion http://websecurity.com.ua/4879/ MyProxy 5.0 through 5.2, as used in Globus Toolkit 5.0.0 through 5.0.2, does not properly verify the (1) hostname or (2) identity in the X.509 certificate for the myproxy-server, which allows remote attackers to spoof the server and conduct man-in-the-middle (MITM) attacks via a crafted certificate when executing (a) myproxy-logon or (b) myproxy-get-delegation. http://grid.ncsa.illinois.edu/myproxy/security/myproxy-adv-2011-01.txt FEDORA-2011-0514 FEDORA-2011-0512 [security-announce] 20110118 Globus Security Advisory 2011-01: myproxy-logon identity checking of server 45916 ADV-2011-0227 myproxy-ssl-spoofing(64830) The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem 2.2.14 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail address. http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1 46021 ADV-2011-0233 ruby-mail-deliver-command-execution(65010) https://github.com/mikel/mail/raw/master/patches/20110126_sendmail.patch Cross-site scripting (XSS) vulnerability in magpie/scripts/magpie_slashbox.php in RSS Feed Reader 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the rss_url parameter. http://www.autosectools.com/Advisories/WordPress.RSS.Feed.Reader.for.WordPress.0.1_Reflected.Cross-site.Scripting_82.html 45997 rssfeedreader-slashbox-xss(64949) Multiple cross-site scripting (XSS) vulnerabilities in ModX Evolution before 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) installer or (2) image editor. http://modxcms.com/forums/index.php/topic,60045.0.html 46154 evolution-multiple-xss(65164) Buffer overflow in ZfHIPCND.exe in Novell ZENworks Handheld Management 7.0 allows remote attackers to execute arbitrary code via a crafted IP Conduit packet to TCP port 2400. http://telussecuritylabs.com/threats/show/FSC20110125-06 http://www.novell.com/support/viewContent.do?externalId=7007663 20110128 TELUS Security Labs VR - Novell ZENworks Handheld Management ZfHIPCND.exe Buffer Overflow 46024 1024993 ADV-2011-0221 http://www.zerodayinitiative.com/advisories/ZDI-11-026/ zhm-zfhipcnd-bo(64930) SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the names of contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php. 8141 http://www.redteam-pentesting.de/advisories/rt-sa-2011-002 20110315 [RT-SA-2011-002] SugarCRM list privilege restriction bypass 46885 1025222 ADV-2011-0675 sugarcrm-list-info-disclosure(66110) Cross-site request forgery (CSRF) vulnerability in Forms/PortForwarding_Edit_1 on the ZyXEL O2 DSL Router Classic allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the PortRule_Name parameter. http://int21.de/cve/CVE-2011-0746-o2-router.html 8198 20110407 O2 classic router: persistent cross site scripting (XSS) and cross site request forgery (CSRF) Multiple cross-site request forgery (CSRF) vulnerabilities in phpList before 2.10.13 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) edit administrator accounts. http://int21.de/cve/CVE-2011-0748-phplist.html 8199 18419 http://www.phplist.com/?lid=516 20110407 phplist: cross site request forgery (CSRF), CVE-2011-0748 51681 phplist-admin-csrf(72746) Directory traversal vulnerability in nhttpd (aka Nostromo webserver) before 1.9.4 allows remote attackers to execute arbitrary programs or read arbitrary files via a ..%2f (encoded dot dot slash) in a URI. 8140 http://www.nazgul.ch/dev_nostromo.html http://www.redteam-pentesting.de/advisories/rt-sa-2011-001 20110315 [RT-SA-2011-001] nostromo nhttpd directory traversal leading to arbitrary command execution 46880 ADV-2011-0674 nostromo-http-command-execution(66103) The extract function in PHP before 5.2.15 does not prevent use of the EXTR_OVERWRITE parameter to overwrite (1) the GLOBALS superglobal array and (2) the this variable, which allows context-dependent attackers to bypass intended access restrictions by modifying data structures that were not intended to depend on external input, a related issue to CVE-2005-2691 and CVE-2006-3758. SSRT100826 [oss-security] 20101213 Re: Issues without CVE names in PHP 5.3.4/5.2.15 release http://www.php.net/archive/2010.php#id2010-12-10-1 http://www.php.net/ChangeLog-5.php http://www.php.net/releases/5_2_15.php php-extract-security-bypass(65432) oval:org.mitre.oval:def:12016 Race condition in the PCNTL extension in PHP before 5.3.4, when a user-defined signal handler exists, might allow context-dependent attackers to cause a denial of service (memory corruption) via a large number of concurrent signals. http://bugs.php.net/52784 http://www.php.net/ChangeLog-5.php php-pcntl-dos(65431) oval:org.mitre.oval:def:12271 The SplFileInfo::getType function in the Standard PHP Library (SPL) extension in PHP before 5.3.4 on Windows does not properly detect symbolic links, which might make it easier for local users to conduct symlink attacks by leveraging cross-platform differences in the stat structure, related to lack of a FILE_ATTRIBUTE_REPARSE_POINT check. http://bugs.php.net/51763 http://www.php.net/ChangeLog-5.php php-splfileinfogettype-symlink(65429) oval:org.mitre.oval:def:12334 Integer overflow in the mt_rand function in PHP before 5.3.4 might make it easier for context-dependent attackers to predict the return values by leveraging a script's use of a large max parameter, as demonstrated by a value that exceeds mt_getrandmax. http://bugs.php.net/46587 http://www.php.net/ChangeLog-5.php php-mtrand-weak-security(65426) oval:org.mitre.oval:def:12589 The application server in Trustwave WebDefend Enterprise before 5.0 uses hardcoded console credentials, which makes it easier for remote attackers to read security-event data by using the remote console GUI to connect to the management port. 1025447 https://www.trustwave.com/spiderlabs/advisories/TWSL2011-001.txt IBM DB2 9.1 before FP10, 9.5 before FP6a, and 9.7 before FP2 on Linux, UNIX, and Windows does not properly revoke the DBADM authority, which allows remote authenticated users to execute non-DDL statements by leveraging previous possession of this authority. IC66811 IC66814 IC66815 http://www.ibm.com/support/docview.wss?uid=swg21426108 46064 http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1IC66811 http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1IC66814 http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1IC66815 ibm-db2-dbadm-priv-esc(65008) oval:org.mitre.oval:def:14295 The eCS component (ECSQdmn.exe) in CA ETrust Secure Content Manager 8.0 and CA Gateway Security 8.1 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted request to port 1882, involving an incorrect integer calculation and a heap-based buffer overflow. http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-ca 8075 20110207 ZDI-11-059: CA ETrust Secure Content Manager Common Services Transport Remote Code Execution Vulnerability 46253 1025052 ADV-2011-0306 http://www.zerodayinitiative.com/advisories/ZDI-11-059 Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration page in the Recaptcha (aka WP-reCAPTCHA) plugin 2.9.8.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that disable the CAPTCHA requirement or insert cross-site scripting (XSS) sequences via the (1) recaptcha_opt_pubkey, (2) recaptcha_opt_privkey, (3) re_tabindex, (4) error_blank, (5) error_incorrect, (6) mailhide_pub, (7) mailhide_priv, (8) mh_replace_link, or (9) mh_replace_title parameter. 20110317 Recaptcha Word Press Plugin Cross Site Scripting Vulnerability - CVE-2011-0759 46909 recaptcha-wordpress-csrf(66167) recaptcha-wordpress-multiple-xss(66169) Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration screen in wp-relatedposts.php in the WP Related Posts plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the (1) wp_relatedposts_title, (2) wp_relatedposts_num, or (3) wp_relatedposts_type parameter. 20110317 Related Posts Word Press Plugin Cross Site Scripting Vulnerability - CVE-2011-0760 46908 relatedposts-configuration-xss(66166) relatedposts-configuration-csrf(66168) Perl 5.10.x allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an ability to inject arguments into a (1) getpeername, (2) readdir, (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir function call. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' 8248 1025507 20110509 TSSA-2011-03 - Perl : multiple functions null pointer dereference uppon parameters injection 47766 http://www.toucan-system.com/advisories/tssa-2011-03.txt perl-functions-dos(67355) The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632. ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.3.4/Changelog http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622741 http://cxib.net/stuff/vspoc232.c FEDORA-2011-2615 FEDORA-2011-2590 FEDORA-2011-2567 SUSE-SR:2011:009 HPSBMU02752 20110301 vsftpd 2.3.2 remote denial-of-service 8109 DSA-2305 16270 VU#590604 MDVSA-2011:049 RHSA-2011:0337 20110301 vsftpd 2.3.2 remote denial-of-service 46617 1025186 USN-1098-1 ADV-2011-0547 ADV-2011-0639 ADV-2011-0668 ADV-2011-0713 vsftpd-vsffilenamepassesfilter-dos(65873) t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and other products, uses an invalid pointer in conjunction with a dereference operation, which allows remote attackers to execute arbitrary code via a crafted Type 1 font in a PDF document, as demonstrated by testz.2184122398.pdf. RHSA-2012:1201 8171 1025266 http://www.foolabs.com/xpdf/download.html VU#376500 http://www.kb.cert.org/vuls/id/MAPG-8ECL8X MDVSA-2012:002 MDVSA-2012:144 20110327 TSSA-2011-01 xpdf : multiple vulnerabilities allow remote code execution 46941 http://www.toucan-system.com/advisories/tssa-2011-01.txt USN-1316-1 ADV-2011-0728 xpdf-t1lib-code-execution(66208) GLSA-201701-57 Unspecified vulnerability in lft in pWhois Layer Four Traceroute (LFT) 3.x before 3.3 allows local users to gain privileges via a crafted command line. http://pwhois.org/lft/ VU#946652 46477 The random number generator in the Crypto application before 2.0.2.2, and SSH before 2.0.5, as used in the Erlang/OTP ssh library before R14B03, uses predictable seeds based on the current time, which makes it easier for remote attackers to guess DSA host and SSH session keys. VU#178990 47980 https://github.com/erlang/otp/commit/f228601de45c5b53241b103af6616453c50885a5 Cross-site scripting (XSS) vulnerability in the management GUI in the MX Management Server in Imperva SecureSphere Web Application Firewall 6.2, 7.x, and 8.x allows remote attackers to inject arbitrary web script or HTML via an HTTP request to a firewalled server, aka Bug ID 31759. http://www.imperva.com/resources/adc/adc_advisories_response_secureworks.html VU#567774 http://www.secureworks.com/research/advisories/SWRX-2011-001/ securesphere-web-server-xss(67779) Cross-site scripting (XSS) vulnerability in Windows Event Log SmartConnector in HP ArcSight Connector Appliance before 6.1 allows remote attackers to inject arbitrary web script or HTML via the Windows XP variable in a file. 1025791 VU#122054 48694 arcsight-connector-xss(68569) The Janrain Engage (formerly RPX) module 6.x-1.3 for Drupal does not validate the file for a profile image, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks and possibly execute arbitrary PHP code by causing a crafted avatar to be downloaded from an external login provider site. http://drupal.org/node/1033154 45926 janrain-unspecified-xss(64847) janrain-file-upload(64848) Multiple cross-site scripting (XSS) vulnerabilities in PivotX 2.2.0, and possibly other versions before 2.2.2, allow remote attackers to inject arbitrary web script or HTML via the (1) color parameter to includes/blogroll.php or (2) src parameter to includes/timwrapper.php. http://blog.pivotx.net/archive/2011/01/11/pivotx-222-released http://pivot-weblog.svn.sf.net/viewvc/pivot-weblog?view=revision&revision=3409 http://pivot-weblog.svn.sf.net/viewvc/pivot-weblog?view=revision&revision=3410 8062 http://www.htbridge.ch/advisory/xss_in_pivotx.html http://www.htbridge.ch/advisory/xss_in_pivotx_1.html 20110125 HTB22788: XSS in Pivotx 20110125 HTB22790: XSS in Pivotx 45996 pivotx-blogroll-xss(64975) Cross-site scripting (XSS) vulnerability in pivotx/modules/module_image.php in PivotX before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the image parameter. http://blog.pivotx.net/2011-01-31/pivotx-223-released http://packetstormsecurity.org/files/view/97831/Pivotx222-xss.txt http://pivot-weblog.svn.sf.net/viewvc/pivot-weblog?view=revision&revision=3459 8063 http://twitter.com/pivotx/statuses/29889056263376898 http://www.autosectools.com/Advisories/PivotX.2.2.2_Reflected.Cross-site.Scripting_76.html 45983 pivotx-image-xss(64976) PivotX before 2.2.2 allows remote attackers to obtain sensitive information via a direct request to (1) includes/ping.php and (2) includes/spamping.php, which reveals the installation path in an error message. http://blog.pivotx.net/archive/2011/01/11/pivotx-222-released http://pivot-weblog.svn.sf.net/viewvc/pivot-weblog?view=revision&revision=3410 http://www.htbridge.ch/advisory/path_disclousure_in_pivotx.html pivotx/modules/module_image.php in PivotX 2.2.2 allows remote attackers to obtain sensitive information via a non-existent file in the image parameter, which reveals the installation path in an error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. http://pivot-weblog.svn.sf.net/viewvc/pivot-weblog?view=revision&revision=3463 pivotx-image-info-disc(64977) The sandbox implementation in Google Chrome before 9.0.597.84 on Mac OS X might allow remote attackers to obtain potentially sensitive information about local files via vectors related to the stat system call. http://code.google.com/p/chromium/issues/detail?id=42989 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html oval:org.mitre.oval:def:13895 Use-after-free vulnerability in Google Chrome before 9.0.597.84 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to image loading. http://code.google.com/p/chromium/issues/detail?id=55831 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html DSA-2166 ADV-2011-0408 oval:org.mitre.oval:def:14514 Google Chrome before 9.0.597.84 does not properly restrict drag and drop operations, which might allow remote attackers to bypass the Same Origin Policy via unspecified vectors. http://code.google.com/p/chromium/issues/detail?id=59081 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html SUSE-SR:2011:009 DSA-2166 DSA-2188 ADV-2011-0408 oval:org.mitre.oval:def:14228 Google Chrome before 9.0.597.84 does not properly handle a missing key in an extension, which allows remote attackers to cause a denial of service (application crash) via a crafted extension. http://code.google.com/p/chromium/issues/detail?id=62791 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html DSA-2192 ADV-2011-0671 oval:org.mitre.oval:def:14540 The PDF event handler in Google Chrome before 9.0.597.84 does not properly interact with print operations, which allows user-assisted remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via unknown vectors. http://code.google.com/p/chromium/issues/detail?id=64051 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html oval:org.mitre.oval:def:14530 Google Chrome before 9.0.597.84 does not properly handle autofill profile merging, which has unspecified impact and remote attack vectors. http://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html oval:org.mitre.oval:def:14413 Google Chrome before 9.0.597.84 on Mac OS X does not properly mitigate an unspecified flaw in the Mac OS X 10.5 SSL libraries, which allows remote attackers to cause a denial of service (application crash) via unknown vectors. http://code.google.com/p/chromium/issues/detail?id=66931 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html oval:org.mitre.oval:def:14243 Unspecified vulnerability in Google Chrome before 9.0.597.84 allows user-assisted remote attackers to cause a denial of service (application crash) via vectors involving a "bad volume setting." http://code.google.com/p/chromium/issues/detail?id=68244 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html DSA-2166 ADV-2011-0408 oval:org.mitre.oval:def:14730 Race condition in Google Chrome before 9.0.597.84 allows remote attackers to execute arbitrary code via vectors related to audio. http://code.google.com/p/chromium/issues/detail?id=69195 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html oval:org.mitre.oval:def:14108 Unspecified vulnerability in the Oracle Help component in Oracle Database Server 11.1.0.7, 11.2.0.1, 11.2.0.2, 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, and 10.1.0.5; and Oracle Fusion Middleware 11.1.1.2.0, 11.1.1.3.0, and 11.1.1.4.0 allows remote attackers to affect integrity via unknown vectors. Per: http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html 'Fixed in all supported Releases and Patchsets.' http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, when running on Windows, allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2011-0788. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SUSE-SU-2011:0863 SUSE-SA:2011:032 SUSE-SA:2011:036 SUSE-SU-2011:0966 SSRT100591 HPSBMU02799 SSRT100867 http://www.ibm.com/developerworks/java/jdk/alerts/ http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html 48133 oval:org.mitre.oval:def:14382 oval:org.mitre.oval:def:14604 Unspecified vulnerability in the Application Service Level Management component in Oracle Database Server 11.1.0.7 and Enterprise Manager Grid Control allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Service Level Agreements. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, when running on Windows, allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2011-0786. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SSRT100591 HPSBMU02799 SSRT100867 http://www.ibm.com/developerworks/java/jdk/alerts/ http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html oval:org.mitre.oval:def:14140 oval:org.mitre.oval:def:14568 Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 10.1.2.3 allows remote attackers to affect integrity via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle Solaris 9 and 10 allows local users to affect confidentiality via unknown vectors related to wbem. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality via unknown vectors related to Data Export. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Oracle Warehouse Builder component in Oracle Database Server 10.2.0.5 (OWB) and 11.1.0.7 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Dimensional Data Modeling. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Database Vault component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect integrity and availability, related to SYSDBA. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5.0 allows local users to affect confidentiality, integrity, and availability, related to File ID SDK. NOTE: the previous information was obtained from the April 2011 CPU. Oracle has not commented on claims from a reliable third party that this issue is in (a) sccut.dll or (b) libsc_ut.so in Outside In 8.3.5.x through 8.3.5.5684, as used when using the CAB file identification functionality to parse OneNote (.onepkg) files and other formats. 20111026 Cisco Security Agent Remote Code Execution Vulnerabilities VU#520721 http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=7009213&sliceId=1&docTypeID=DT_TID_1_1&dialogID=268451045&stateId=0%200%20268449309 http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html 47437 http://www-01.ibm.com/support/docview.wss?uid=swg21660640 Unspecified vulnerability in the Single Sign On component in Oracle Fusion Middleware 10.1.2.3 allows remote authenticated users to affect integrity via unknown vectors related to Administration and Monitoring. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Applications Install component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows local users to affect confidentiality via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Applications Install component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote authenticated users to affect confidentiality via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Portal component in Oracle Fusion Middleware 10.1.2.3 and 11.1.1.2.0 allows remote attackers to affect integrity via unknown vectors related to Midtier Infrastructure. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Oracle Warehouse Builder component in Oracle Database Server 10.2.0.5 (OWB), 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Oracle Warehouse Builder User Account. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Solaris component in Oracle Solaris 8, 9, 10, and 11 Express allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Administration Utilities. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows local users to affect confidentiality and integrity via unknown vectors related to cp. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound, a different vulnerability than CVE-2011-0814. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SUSE-SU-2011:0863 SUSE-SA:2011:032 SUSE-SA:2011:036 SUSE-SU-2011:0966 SSRT100591 HPSBUX02777 HPSBMU02799 SSRT100867 RHSA-2013:1455 http://support.avaya.com/css/P8/documents/100144512 http://support.avaya.com/css/P8/documents/100147041 http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-015/index.html http://www.ibm.com/developerworks/java/jdk/alerts/ http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html RHSA-2011:0860 RHSA-2011:0938 RHSA-2011:1087 RHSA-2011:1159 RHSA-2011:1265 TA11-201A oval:org.mitre.oval:def:14477 oval:org.mitre.oval:def:14480 Unspecified vulnerability in the JD Edwards EnterpriseOne Tools component in Oracle JD Edwards Products 8.9 GA through 8.98.4.1, and OneWorld Tools through 24.1.3, allows remote attackers to affect integrity and availability, related to Enterprise Infrastructure SEC. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Database Vault component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, and 11.2.0.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the UIX component in Oracle Database Server 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote attackers to affect integrity via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Network Foundation component in Oracle Database Server 10.1.0.5, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, and 11.2.0.2, when running on Windows, allows remote attackers to affect availability via unknown vectors. Per: http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html 'Applicable to Windows servers only.' http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle Sun GlassFish Enterprise Server 2.1, 2.1.1, and 3.0.1, and Sun Java System Application Server 9.1, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration. 8327 http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.2.0 and 8.3.5.0 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Outside In Filters. NOTE: the previous information was obtained from the April 2011 CPU. Oracle has not commented on claims from a reliable third party that this issue is in (a) vswk6.dll or (b) libvs_wk6.so in Outside In 8.1.0.4037 through 8.3.5.5684, involving the Lotus 123 parser. 20111026 Cisco Security Agent Remote Code Execution Vulnerabilities VU#520721 http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=7009213&sliceId=1&docTypeID=DT_TID_1_1&dialogID=268451045&stateId=0%200%20268449309 http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html 47435 http://www-01.ibm.com/support/docview.wss?uid=swg21660640 Unspecified vulnerability in the Web ADI component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote attackers to affect availability, related to Enterprise Infrastructure SEC. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Enterprise Config Management component in Oracle Database Server 10.1.0.5, 10.2.0.3, and 10.2.0.4, and Oracle Enterprise Manager Grid Control 10.1.0.6 and 10.2.0.5, allows local users to affect confidentiality via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in the Solaris component in Oracle Solaris 8, 9, 10, and 11 Express allows local users to affect availability via unknown vectors related to Kernel. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express allows local users to affect availability via unknown vectors related to Kernel, a different vulnerability than CVE-2012-0098. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound, a different vulnerability than CVE-2011-0802. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SUSE-SU-2011:0863 SUSE-SA:2011:032 SUSE-SA:2011:036 SUSE-SU-2011:0966 SSRT100591 HPSBUX02777 HPSBMU02799 SSRT100867 RHSA-2013:1455 http://support.avaya.com/css/P8/documents/100144512 http://support.avaya.com/css/P8/documents/100147041 http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-015/index.html http://www.ibm.com/developerworks/java/jdk/alerts/ http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html RHSA-2011:0860 RHSA-2011:0938 RHSA-2011:1087 RHSA-2011:1159 RHSA-2011:1265 48145 TA11-201A oval:org.mitre.oval:def:14174 oval:org.mitre.oval:def:14930 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to AWT. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SUSE-SU-2011:0863 SUSE-SA:2011:032 SUSE-SA:2011:036 SUSE-SU-2011:0966 SSRT100591 HPSBUX02777 HPSBMU02799 SSRT100867 GLSA-201406-32 http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-015/index.html http://www.ibm.com/developerworks/java/jdk/alerts/ http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html TA11-201A oval:org.mitre.oval:def:14335 oval:org.mitre.oval:def:14896 Unspecified vulnerability in the CMDB Metadata & Instance APIs component in Oracle Database Server 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, and 11.2.0.2; and Oracle Enterprise Manager Grid Control 10.1.0.6 and 10.2.0.5; allows remote authenticated users to affect confidentiality and integrity via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, when running on Windows, allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SSRT100591 HPSBMU02799 SSRT100867 http://www.ibm.com/developerworks/java/jdk/alerts/ http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html oval:org.mitre.oval:def:14359 oval:org.mitre.oval:def:14462 Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote attackers to affect availability, related to Enterprise Infrastructure SEC. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote attackers to affect integrity, related to Enterprise Infrastructure SEC, a different vulnerability than CVE-2011-0823. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle Solaris 10, and 11 Express allows remote attackers to affect availability via unknown vectors related to Kernel. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local users to affect confidentiality and integrity via unknown vectors related to uucp. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Streams, AQ & Replication Mgmt component in Oracle Database Server 10.1.0.5 and 10.2.0.3, and Oracle Enterprise Manager Grid Control 10.1.0.6, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. GLSA-201406-32 http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote attackers to affect integrity, related to Enterprise Infrastructure SEC, a different vulnerability than CVE-2011-0819. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote attackers to affect confidentiality and integrity, related to Enterprise Infrastructure SEC. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote attackers to affect confidentiality, integrity, and availability, related to Enterprise Infrastructure SEC. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle PeopleSoft Enterprise 8.8 Bundle #13, 8.9 Bundle #7, 9.0 Bundle #7, and 9.1 Bundle #4 allows remote authenticated users to affect integrity via unknown vectors related to Application Portal. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the PeopleSoft Enterprise component in Oracle PeopleSoft Products 8.50 GA through 8.50.17 and 8.51 GA through 8.51.07 allows remote authenticated users to affect integrity via unknown vectors related to PeopleTools. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle PeopleSoft Enterprise 8.8 Bundle #13 allows remote attackers to affect integrity via unknown vectors related to Application Portal. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows local users to affect availability, related to Kernel/SPARC. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Event Management component in Oracle Database Server 10.1.0.5, 10.2.0.3, and 10.2.0.4, and Oracle Enterprise Manager Grid Control 10.1.0.6, allows remote attackers to affect integrity via unknown vectors related to Rules Management UI. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in the Enterprise Config Management component in Oracle Database Server 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, and 11.2.0.2; and Oracle Enterprise Manager Grid Control 10.1.0.6 and 10.2.0.5; allows remote authenticated users to affect confidentiality and integrity via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.1, and 11.2.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2011-0835 and CVE-2011-0880. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in the Siebel CRM Core component in Oracle Siebel CRM 7.8.2, 8.0.0, and 8.1.1 allows remote attackers to affect integrity, related to UIF Client. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Siebel CRM Core component in Oracle Siebel CRM 8.0.0 and 8.1.1 allows remote attackers to affect integrity via unknown vectors related to Globalization - Automotive. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.1, and 11.2.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2011-0832 and CVE-2011-0880. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote authenticated users to affect integrity, related to Web Runtime SEC. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Agile Technology Platform component in Oracle Supply Chain Products Suite 9.3.0.2 and 9.3.1 allows remote attackers to affect confidentiality via unknown vectors related to Security. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.1, and 11.2.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to create procedure privileges. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in Oracle Solaris 9, 10, and 11 Express allows local users to affect availability, related to LOFS. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle PeopleSoft Enterprise PeopleTools 8.49 GA through 8.49.30 allows remote authenticated users to affect confidentiality via unknown vectors related to File Processing. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle Solaris 11 Express allows remote attackers to affect availability, related to TCP/IP. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. Unspecified vulnerability in the Siebel CRM Core component in Oracle Siebel CRM 7.8.2, 8.0.0, and 8.1.1 allows remote attackers to affect integrity via unknown vectors related to Globalization - Automotive. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the OpenSSO Enterprise and Sun Java System Access Manager components in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Database Control component in Oracle Enterprise Manager Grid Control 10.1.0.6 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html 48794 TA11-201A Unspecified vulnerability in the Oracle Sun Java System Access Manager Policy Agent 2.2 allows remote attackers to affect availability via unknown vectors related to Web Proxy Agent. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the OpenSSO Enterprise and Sun Java System Access Manager components in Oracle Sun Products Suite 7.1 and 8.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Authentication. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Security Framework component in Oracle Database Server 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, and 11.2.0.2; and Oracle Enterprise Manager Grid Control 10.1.0.6 and 10.2.0.5; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to User Model. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in Oracle Java Dynamic Management Kit 5.1 allows remote attackers to affect integrity, related to HTML Adaptor. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle PeopleSoft Enterprise CRM 8.9 Bundle #41 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Order Capture. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle PeopleSoft Enterprise ELS 9.0 Bundle #19 and 9.1 Bundle #5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Enterprise Learning Mgmt. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the Security Management component in Oracle Database Server 10.1.0.5, 10.2.0.3, and 10.2.0.4; and Oracle Enterprise Manager Grid Control 10.1.0.6; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Audit Administration. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Bundle #15 and 9.1 Bundle #5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to ePerformance. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.1 Bundle #5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to ePerformance. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in the InForm component in Oracle Industry Applications 4.5, 4.6, and 5.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Core. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle PeopleSoft Enterprise 8.49 GA through 8.49.30, 8.50 GA through 8.50.17, and 8.51 GA through 8.51.07 allows remote authenticated users to affect confidentiality via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Bundle #15 and 9.1 Bundle #5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Pension Administration. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Bundle #15 and 9.1 Bundle #5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Talent Acquisition Manager. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Tax Update 11-B and 9.1 Tax Update 11-B allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Global Payroll - North America. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Update 2011-B and 9.1 Update 2011-B allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Global Payroll - Spain. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Update 2011-B and 9.1 Update 2011-B allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Global Payroll Core. http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html Multiple unspecified vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SUSE-SU-2011:0863 SUSE-SA:2011:032 SUSE-SA:2011:036 SUSE-SU-2011:0966 SSRT100591 HPSBUX02777 HPSBMU02799 SSRT100867 RHSA-2013:1455 GLSA-201406-32 http://support.avaya.com/css/P8/documents/100144512 http://support.avaya.com/css/P8/documents/100147041 DSA-2311 http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-015/index.html http://www.ibm.com/developerworks/java/jdk/alerts/ MDVSA-2011:126 http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html RHSA-2011:0856 RHSA-2011:0857 RHSA-2011:0860 RHSA-2011:0938 RHSA-2011:1087 RHSA-2011:1159 RHSA-2011:1265 TA11-201A oval:org.mitre.oval:def:13317 oval:org.mitre.oval:def:14541 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SSRT100591 HPSBMU02799 SSRT100867 RHSA-2013:1455 http://support.avaya.com/css/P8/documents/100144512 http://www.ibm.com/developerworks/java/jdk/alerts/ http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html RHSA-2011:0860 RHSA-2011:0938 oval:org.mitre.oval:def:14167 oval:org.mitre.oval:def:14214 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot. openSUSE-SU-2011:0633 SSRT100591 HPSBUX02777 HPSBMU02799 SSRT100867 GLSA-201406-32 http://support.avaya.com/css/P8/documents/100144512 DSA-2311 http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-015/index.html http://www.ibm.com/developerworks/java/jdk/alerts/ MDVSA-2011:126 http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html RHSA-2011:0856 RHSA-2011:0857 RHSA-2011:0860 oval:org.mitre.oval:def:14225 oval:org.mitre.oval:def:14632 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to Deserialization. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SUSE-SU-2011:0863 SUSE-SA:2011:032 SUSE-SA:2011:036 SUSE-SU-2011:0966 SSRT100591 HPSBUX02777 HPSBMU02799 SSRT100867 RHSA-2013:1455 GLSA-201406-32 http://support.avaya.com/css/P8/documents/100144512 DSA-2311 http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-015/index.html http://www.ibm.com/developerworks/java/jdk/alerts/ MDVSA-2011:126 http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html RHSA-2011:0856 RHSA-2011:0857 RHSA-2011:0860 RHSA-2011:0938 RHSA-2011:1087 RHSA-2011:1159 RHSA-2011:1265 TA11-201A oval:org.mitre.oval:def:14081 oval:org.mitre.oval:def:14463 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier, when running on Windows, allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Java Runtime Environment. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SUSE-SU-2011:0863 SUSE-SA:2011:032 SUSE-SA:2011:036 SUSE-SU-2011:0966 SSRT100591 HPSBMU02799 SSRT100867 http://www.ibm.com/developerworks/java/jdk/alerts/ http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html TA11-201A oval:org.mitre.oval:def:14011 oval:org.mitre.oval:def:14545 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SUSE-SU-2011:0863 SUSE-SA:2011:032 SUSE-SA:2011:036 SUSE-SU-2011:0966 SSRT100591 HPSBUX02777 HPSBMU02799 SSRT100867 RHSA-2013:1455 http://support.avaya.com/css/P8/documents/100144512 DSA-2311 http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-015/index.html http://www.ibm.com/developerworks/java/jdk/alerts/ MDVSA-2011:126 http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html RHSA-2011:0856 RHSA-2011:0857 RHSA-2011:0860 RHSA-2011:0938 RHSA-2011:1087 RHSA-2011:1159 RHSA-2011:1265 TA11-201A oval:org.mitre.oval:def:14240 oval:org.mitre.oval:def:14693 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect confidentiality via unknown vectors related to 2D. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SSRT100591 HPSBMU02799 SSRT100867 RHSA-2013:1455 GLSA-201406-32 http://support.avaya.com/css/P8/documents/100144512 http://support.avaya.com/css/P8/documents/100147041 DSA-2311 http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-015/index.html http://www.ibm.com/developerworks/java/jdk/alerts/ MDVSA-2011:126 http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html RHSA-2011:0856 RHSA-2011:0857 RHSA-2011:0860 RHSA-2011:0938 TA11-201A oval:org.mitre.oval:def:14264 oval:org.mitre.oval:def:14827 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 26 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to SAAJ. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SSRT100591 HPSBMU02799 SSRT100867 RHSA-2013:1455 GLSA-201406-32 http://support.avaya.com/css/P8/documents/100144512 DSA-2311 http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-015/index.html http://www.ibm.com/developerworks/java/jdk/alerts/ MDVSA-2011:126 http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html RHSA-2011:0856 RHSA-2011:0857 RHSA-2011:0860 RHSA-2011:0938 TA11-201A oval:org.mitre.oval:def:14338 oval:org.mitre.oval:def:14644 Unspecified vulnerability in the Schema Management component in Oracle Database Server 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, and 11.2.0.2; and Oracle Enterprise Manager Grid Control 10.1.0.6 and 10.2.0.5; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. GLSA-201406-32 http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Swing. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SUSE-SU-2011:0863 SUSE-SA:2011:032 SUSE-SA:2011:036 SUSE-SU-2011:0966 SSRT100591 HPSBUX02777 HPSBMU02799 SSRT100867 RHSA-2013:1455 GLSA-201406-32 http://support.avaya.com/css/P8/documents/100144512 DSA-2311 http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-015/index.html http://www.ibm.com/developerworks/java/jdk/alerts/ MDVSA-2011:126 http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html RHSA-2011:0856 RHSA-2011:0857 RHSA-2011:0860 RHSA-2011:0938 RHSA-2011:1087 RHSA-2011:1159 RHSA-2011:1265 TA11-201A oval:org.mitre.oval:def:14112 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect availability via unknown vectors related to NIO. openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SUSE-SU-2011:0863 SUSE-SA:2011:032 SUSE-SA:2011:036 SUSE-SU-2011:0966 SSRT100591 HPSBMU02799 SSRT100867 GLSA-201406-32 http://support.avaya.com/css/P8/documents/100147041 http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-015/index.html http://www.ibm.com/developerworks/java/jdk/alerts/ http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html TA11-201A oval:org.mitre.oval:def:14241 oval:org.mitre.oval:def:14915 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, and 5.0 Update 29 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Per: http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html 'Applies to client and server deployments of Java. This vulnerability can be exploited through Untrusted Java Web Start applications and Untrusted Java applets. It can also be exploited by supplying data to APIs in the specified Component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service.' openSUSE-SU-2011:0633 SUSE-SA:2011:030 SUSE-SU-2011:0807 SUSE-SU-2011:0863 SUSE-SA:2011:032 SSRT100591 HPSBMU02799 SSRT100867 RHSA-2013:1455 http://support.avaya.com/css/P8/documents/100144512 http://support.avaya.com/css/P8/documents/100147041 http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-015/index.html http://www.ibm.com/developerworks/java/jdk/alerts/ http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html RHSA-2011:0860 RHSA-2011:0938 RHSA-2011:1087 48148 TA11-201A oval:org.mitre.oval:def:13888 oval:org.mitre.oval:def:14153 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. Unspecified vulnerability in the EMCTL component in Oracle Database Server 11.1.0.7 and Oracle Enterprise Manager Grid Control 10.1.0.6, 10.2.0.5, and 11.1.0.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html 48760 TA11-201A Unspecified vulnerability in the Enterprise Manager Console component in Oracle Database Server 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, and 11.2.0.2; and Oracle Enterprise Manager Grid Control 10.1.0.6 and 10.2.0.5; allows remote attackers to affect integrity via unknown vectors related to Security. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in the Instance Management component in Oracle Database Server 10.1.0.5, 10.2.0.3, and 10.2.0.4, and Oracle Enterprise Manager Grid Control 10.1.0.6, allows remote attackers to affect integrity via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. Unspecified vulnerability in the Instance Management component in Oracle Database Server 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, and 11.2.0.2; and Oracle Enterprise Manager Grid Control 10.1.0.6 and 10.2.0.5; allows remote attackers to affect integrity via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.1, and 11.2.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2011-0832 and CVE-2011-0835. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in the EMCTL component in Oracle Database Server 10.2.0.3, 10.2.0.4, and 11.1.0.7, and Oracle Enterprise Manager Grid Control 10.1.0.6, allows remote attackers to affect integrity via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in the Content Management component in Oracle Database Server 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.7; and Oracle Enterprise Manager Grid Control 10.1.0.6, 10.2.0.5, and 11.1.0.1; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Scheduler. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.2.3, 10.1.3.5, 10.1.4.0.1, and 10.1.4.3 allows remote authenticated users to affect integrity, related to Servlet Runtime in OC4J. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A Unspecified vulnerability in the Oracle BPEL Process Manager component in Oracle Fusion Middleware 11.1.1.3.0, 11.1.1.4.0, and 11.1.1.5.0 allows remote authenticated users to affect availability, related to BPEL Console. http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html TA11-201A A certain Comcast Business Gateway configuration of the SMC SMCD3G-CCR with firmware before 1.4.0.49.2 has a default password of D0nt4g3tme for the mso account, which makes it easier for remote attackers to obtain administrative access via the (1) web interface or (2) TELNET interface. 20110204 TWSL2011-002:Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR) 8066 16123 20110205 TWSL2011-002:Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR) 46215 smcd3gccr-default-password(65184) https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the SMC SMCD3G-CCR (aka Comcast Business Gateway) with firmware before 1.4.0.49.2 allow remote attackers to (1) hijack the intranet connectivity of arbitrary users for requests that perform a login via goform/login, or hijack the authentication of administrators for requests that (2) enable external logins via an mso_remote_enable action to goform/RemoteRange or (3) change DNS settings via a manual_dns_enable action to goform/Basic. 20110204 TWSL2011-002:Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR) 8068 16123 20110205 TWSL2011-002:Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR) 46215 smcd3gccr-interface-csrf(65185) https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt The web management portal on the SMC SMCD3G-CCR (aka Comcast Business Gateway) with firmware before 1.4.0.49.2 uses predictable session IDs based on time values, which makes it easier for remote attackers to hijack sessions via a brute-force attack on the userid cookie. 20110204 TWSL2011-002:Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR) 8068 16123 20110205 TWSL2011-002:Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR) 46215 smcd3gccr-weak-security(65186) https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt Unspecified vulnerability in HP Client Automation Enterprise (aka HPCA or Radia Notify) 5.11, 7.2, 7.5, 7.8, and 7.9 allows remote attackers to execute arbitrary code via unknown vectors. HPSBMA02644 1025205 46862 ADV-2011-0651 hpca-unspec-code-exec(66082) HP Discovery & Dependency Mapping Inventory (DDMI) 7.50, 7.51, 7.60, 7.61, 7.70, and 9.30 launches the Windows SNMP service with its default configuration, which allows remote attackers to obtain potentially sensitive information or have unspecified other impact by leveraging the public read community. SSRT100383 8163 1025239 46981 ADV-2011-0755 hp-discovery-snmp-info-disclosure(66242) Unspecified vulnerability in the OS-Core.CORE2-KRN fileset in HP HP-UX B.11.23 and B.11.31 allows local users to cause a denial of service via unknown vectors. SSRT100396 1025279 Cross-site scripting (XSS) vulnerability in HP Diagnostics 7.5x and 8.0x before 8.05.54.225 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. SSRT100430 8167 1025255 ADV-2011-0798 Cross-site scripting (XSS) vulnerability in HP Operations 9.10 on UNIX platforms allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. SSRT100429 8174 1025281 ADV-2011-0837 Unspecified vulnerability in HP Operations 9.10 on UNIX platforms allows remote authenticated users to bypass intended access restrictions via unknown vectors. SSRT100429 8174 1025281 ADV-2011-0837 Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x and 8.1x allows remote authenticated users to obtain sensitive information via unknown vectors. SSRT100432 8186 47162 1025288 ADV-2011-0871 Unspecified vulnerability in HP NFS/ONCplus B.11.31.10 and earlier on HP-UX B.11.31 allows remote authenticated users to cause a denial of service via unknown vectors. SSRT100310 8201 47325 1025326 ADV-2011-0935 hpux-nfsoncplus-unspec-dos(66689) Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.00 allows local users to read arbitrary files via unknown vectors. HPSBMA02643 8202 47341 1025354 ADV-2011-0974 hp-nnmi-unspec-unauth-access(66707) Cross-site scripting (XSS) vulnerability in HP Network Node Manager i (NNMi) 9.00 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. SSRT100416 8202 47341 1025354 ADV-2011-0974 hp-nnmi-unspec-xss(66706) The AES encryption module 7.x-1.4 for Drupal leaves certain debugging code enabled in release, which records the plaintext password of the last logged-in user and allows remote attackers to gain privileges as that user. http://drupal.org/node/1040728 http://drupal.org/node/1048998 46116 aes-module-information-disclosure(65112) Stack-based buffer overflow in the tsc_launch_remote function (src/support.c) in Terminal Server Client (tsclient) 0.150, and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via a .RDP file with a long hostname argument. 16095 46099 terminal-server-hostname-bo(65100) Multiple stack-based buffer overflows in the tsc_launch_remote function (src/support.c) in Terminal Server Client (tsclient) 0.150, and possibly other versions, allow user-assisted remote attackers to execute arbitrary code via a .RDP file with a long (1) username, (2) password, or (3) domain argument. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. terminal-server-username-bo(65101) terminal-server-password-bo(65102) terminal-server-domain-bo(65103) Multiple untrusted search path vulnerabilities in the Java Service in Sun Microsystems SunScreen Firewall on SunOS 5.9 allow local users to execute arbitrary code via a modified (1) PATH or (2) LD_LIBRARY_PATH environment variable. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' 16041 45963 sunscreen-ldlibrarypath-privilege-escalation(64887) Multiple directory traversal vulnerabilities in AR Web Content Manager (AWCM) 2.2 allow remote attackers to read arbitrary files and possibly have other unspecified impact via a .. (dot dot) in the (1) awcm_theme or (2) awcm_lang cookie to (a) index.php or (b) header.php. 16049 46017 awcm-theme-file-include(64980) The rfbSendFramebufferUpdate function in server/libvncserver/rfbserver.c in vino-server in Vino 2.x before 2.28.3, 2.32.x before 2.32.2, 3.0.x before 3.0.2, and 3.1.x before 3.1.1, when raw encoding is used, allows remote authenticated users to cause a denial of service (daemon crash) via a large (1) X position or (2) Y position value in a framebuffer update request that triggers an out-of-bounds memory access, related to the rfbTranslateNone and rfbSendRectEncodingRaw functions. http://ftp.gnome.org/pub/GNOME/sources/vino/2.28/vino-2.28.3.news http://ftp.gnome.org/pub/GNOME/sources/vino/2.32/vino-2.32.2.news http://ftp.gnome.org/pub/GNOME/sources/vino/3.0/vino-3.0.2.news http://git.gnome.org/browse/vino/commit/?id=0c2c9175963fc56bf2af10e42867181332f96ce0 http://git.gnome.org/browse/vino/commit/?id=456dadbb5c5971d3448763a44c05b9ad033e522f http://git.gnome.org/browse/vino/commit/?id=8beefcf7792d343c10c919ee0c928c81f73b1279 http://git.gnome.org/browse/vino/commit/?id=d050a22b1c284b633c407ef92fde95c47e8fdb8a http://git.gnome.org/browse/vino/commit/?id=dff52694a384fe95195f2211254026b752d63ec4 http://git.gnome.org/browse/vino/commit/?id=e17bd4e369f90748654e31a4867211dc7610975d http://git.gnome.org/browse/vino/log/?h=gnome-2-30 http://git.gnome.org/browse/vino/tree/NEWS SUSE-SR:2011:009 RHSA-2013:0169 DSA-2238 MDVSA-2011:087 47681 USN-1128-1 ADV-2011-1144 https://bugzilla.gnome.org/show_bug.cgi?id=641802 https://bugzilla.redhat.com/show_bug.cgi?id=694455 vino-input-dos(67243) The rfbSendFramebufferUpdate function in server/libvncserver/rfbserver.c in vino-server in Vino 2.x before 2.28.3, 2.32.x before 2.32.2, 3.0.x before 3.0.2, and 3.1.x before 3.1.1, when tight encoding is used, allows remote authenticated users to cause a denial of service (daemon crash) via crafted dimensions in a framebuffer update request that triggers an out-of-bounds read operation. http://ftp.gnome.org/pub/GNOME/sources/vino/2.28/vino-2.28.3.news http://ftp.gnome.org/pub/GNOME/sources/vino/2.32/vino-2.32.2.news http://ftp.gnome.org/pub/GNOME/sources/vino/3.0/vino-3.0.2.news http://git.gnome.org/browse/vino/commit/?id=0c2c9175963fc56bf2af10e42867181332f96ce0 http://git.gnome.org/browse/vino/commit/?id=456dadbb5c5971d3448763a44c05b9ad033e522f http://git.gnome.org/browse/vino/commit/?id=8beefcf7792d343c10c919ee0c928c81f73b1279 http://git.gnome.org/browse/vino/commit/?id=d050a22b1c284b633c407ef92fde95c47e8fdb8a http://git.gnome.org/browse/vino/commit/?id=dff52694a384fe95195f2211254026b752d63ec4 http://git.gnome.org/browse/vino/commit/?id=e17bd4e369f90748654e31a4867211dc7610975d http://git.gnome.org/browse/vino/log/?h=gnome-2-30 http://git.gnome.org/browse/vino/tree/NEWS SUSE-SR:2011:009 RHSA-2013:0169 DSA-2238 MDVSA-2011:087 47681 USN-1128-1 ADV-2011-1144 https://bugzilla.gnome.org/show_bug.cgi?id=641803 https://bugzilla.redhat.com/show_bug.cgi?id=694456 vino-framebuffer-dos(67244) Open redirect vulnerability in Vanilla Forums before 2.0.17.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the Target parameter to an unspecified component, a different vulnerability than CVE-2011-0526. http://www.vanillaforums.org/discussion/comment/134729/#Comment_134729 Cross-site scripting (XSS) vulnerability in Vanilla Forums before 2.0.17.6 allows remote attackers to inject arbitrary web script or HTML via the p parameter to an unspecified component, a different vulnerability than CVE-2011-0526. http://www.vanillaforums.org/discussion/comment/134729/#Comment_134729 The cookie implementation in Vanilla Forums before 2.0.17.6 makes it easier for remote attackers to spoof signed requests, and consequently obtain access to arbitrary user accounts, via HMAC timing attacks. http://www.vanillaforums.org/discussion/comment/134729/#Comment_134729 Cross-site scripting (XSS) vulnerability in the Users module in Zikula before 1.2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: it is possible that this overlaps CVE-2011-0535. http://community.zikula.org/index.php?module=News&func=display&sid=3041&title=zikula-1.2.5-released Argument injection vulnerability in IBM Lotus Notes 8.0.x before 8.0.2 FP6 and 8.5.x before 8.5.1 FP5 allows remote attackers to execute arbitrary code via a cai:// URL containing a --launcher.library option that specifies a UNC share pathname for a DLL file, aka SPR PRAD82YJW2. ADV-2011-0295 http://www-01.ibm.com/support/docview.wss?uid=swg21461514 http://zerodayinitiative.com/advisories/ZDI-11-051/ oval:org.mitre.oval:def:14348 Stack-based buffer overflow in ndiiop.exe in the DIIOP implementation in the server in IBM Lotus Domino before 8.5.3 allows remote attackers to execute arbitrary code via a GIOP getEnvironmentString request, related to the local variable cache. http://www-01.ibm.com/support/docview.wss?uid=swg21461514 http://zerodayinitiative.com/advisories/ZDI-11-053/ Integer signedness error in ndiiop.exe in the DIIOP implementation in the server in IBM Lotus Domino before 8.5.3 allows remote attackers to execute arbitrary code via a GIOP client request, leading to a heap-based buffer overflow. http://www-01.ibm.com/support/docview.wss?uid=swg21461514 http://zerodayinitiative.com/advisories/ZDI-11-052/ Stack-based buffer overflow in nrouter.exe in IBM Lotus Domino before 8.5.3 allows remote attackers to execute arbitrary code via a long name parameter in a Content-Type header in a malformed Notes calendar (aka iCalendar or iCal) meeting request, aka SPR KLYH87LL23. 20110207 ZDI-11-048: IBM Lotus Domino iCalendar Meeting Request Parsing Remote Code Execution Vulnerability http://www-01.ibm.com/support/docview.wss?uid=swg21461514 http://zerodayinitiative.com/advisories/ZDI-11-048/ Stack-based buffer overflow in the SMTP service in IBM Lotus Domino allows remote attackers to execute arbitrary code via long arguments in a filename parameter in a malformed MIME e-mail message, aka SPR KLYH889M8H. http://www-01.ibm.com/support/docview.wss?uid=swg21461514 http://zerodayinitiative.com/advisories/ZDI-11-049/ Buffer overflow in nLDAP.exe in IBM Lotus Domino allows remote attackers to execute arbitrary code via a long string in an LDAP Bind operation, aka SPR KLYH87LMVX. 16190 http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=23&Itemid=23 http://www-01.ibm.com/support/docview.wss?uid=swg21461514 http://zerodayinitiative.com/advisories/ZDI-11-047/ Stack-based buffer overflow in the NRouter (aka Router) service in IBM Lotus Domino allows remote attackers to execute arbitrary code via long filenames associated with Content-ID and ATTACH:CID headers in attachments in malformed calendar-request e-mail messages, aka SPR KLYH87LKRE. http://www-01.ibm.com/support/docview.wss?uid=swg21461514 http://zerodayinitiative.com/advisories/ZDI-11-046/ Multiple stack-based buffer overflows in the (1) POP3 and (2) IMAP services in IBM Lotus Domino allow remote attackers to execute arbitrary code via non-printable characters in an envelope sender address, aka SPR KLYH87LLVJ. 20110207 ZDI-11-045: IBM Lotus Domino IMAP/POP3 Non-Printable Character Expansion Remote Code Execution Vulnerability http://www-01.ibm.com/support/docview.wss?uid=swg21461514 http://zerodayinitiative.com/advisories/ZDI-11-045/ The Remote Console in IBM Lotus Domino, when a certain unsupported configuration involving UNC share pathnames is used, allows remote attackers to bypass authentication and execute arbitrary code via unspecified vectors, aka SPR PRAD89WGRS. http://www-01.ibm.com/support/docview.wss?uid=swg21461514 crs.exe in the Cell Manager Service in the client in HP Data Protector does not properly validate credentials associated with the hostname, domain, and username, which allows remote attackers to execute arbitrary code by sending unspecified data over TCP, related to the webreporting client, the applet domain, and the java username. http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-hp SSRT100441 46234 ADV-2011-0308 http://zerodayinitiative.com/advisories/ZDI-11-057/ The client in HP Data Protector allows remote attackers to execute arbitrary programs via an EXEC_SETUP command that references a UNC share pathname. http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-hp SSRT100441 20110207 ZDI-11-056: Hewlett-Packard Data Protector Client EXEC_SETUP Remote Code Execution Vulnerability 46234 ADV-2011-0308 http://zerodayinitiative.com/advisories/ZDI-11-056/ The client in HP Data Protector does not properly validate EXEC_CMD arguments, which allows remote attackers to execute arbitrary Perl code via a crafted command, related to the "local bin directory." http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-hp SSRT100441 8261 8323 8329 46234 ADV-2011-0308 http://zerodayinitiative.com/advisories/ZDI-11-055/ The client in HP Data Protector does not verify the contents of files associated with the EXEC_CMD command, which allows remote attackers to execute arbitrary script code by providing this code with a trusted filename, as demonstrated by omni_chk_ds.sh. http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-hp SSRT100441 20110207 ZDI-11-054: Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Remote Code Execution Vulnerability 46234 ADV-2011-0308 http://zerodayinitiative.com/advisories/ZDI-11-054/ The CSDWebInstallerCtrl ActiveX control in CSDWebInstaller.ocx in Cisco Secure Desktop (CSD) allows remote attackers to download an unintended Cisco program onto a client machine, and execute this program, by identifying a Cisco program with a Cisco digital signature and then renaming this program to inst.exe, a different vulnerability than CVE-2010-0589 and CVE-2011-0926. 8108 20110223 ZDI-11-092: (0day) Cisco Secure Desktop CSDWebInstaller ActiveX Control Cleaner.cab Remote Code Execution Vulnerability 46538 1025118 ADV-2011-0513 http://zerodayinitiative.com/advisories/ZDI-11-092/ cisco-secure-activex-code-execution(65754) A certain ActiveX control in CSDWebInstaller.ocx in Cisco Secure Desktop (CSD) does not properly verify the signature of an unspecified downloaded program, which allows remote attackers to execute arbitrary code by spoofing the CSD installation process, a different vulnerability than CVE-2010-0589. 8105 20110223 ZDI-11-091: (0day) Cisco Secure Desktop CSDWebInstaller Remote Code Execution Vulnerability 46536 1025118 ADV-2011-0513 http://www.zerodayinitiative.com/advisories/ZDI-11-091/ cisco-securedesktop-activex-code-execution(65755) The PKI functionality in Cisco IOS 15.0 and 15.1 does not prevent permanent caching of certain public keys, which allows remote attackers to bypass authentication and have unspecified other impact by leveraging an IKE peer relationship in which a key was previously valid but later revoked, aka Bug ID CSCth82164, a different vulnerability than CVE-2010-4685. CVSS score derived from: http://www.cisco.com/en/US/docs/ios/15_1s/release/notes/15_1s_caveats_15_1_2s.html http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151-2TCAVS.html http://www.cisco.com/en/US/docs/ios/15_1s/release/notes/15_1s_caveats_15_1_1s.html 47407 Unspecified vulnerability in Cisco IOS 12.4, 15.0, and 15.1, and IOS XE 2.5.x through 3.2.x, allows remote attackers to cause a denial of service (device reload) via a crafted SIP message, aka Bug ID CSCth03022. http://tools.cisco.com/security/center/viewAlert.x?alertId=24127 20110928 Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities Memory leak in Cisco Unified Communications Manager (CUCM) 6.x before 6.1(5)su2, 7.x before 7.1(5b)su3, 8.x before 8.0(3a)su1, and 8.5 before 8.5(1), and Cisco IOS 12.4 and 15.1, allows remote attackers to cause a denial of service (memory consumption and process failure or device reload) via a malformed SIP message, aka Bug IDs CSCti75128 and CSCtj09179. 20110928 Cisco Unified Communications Manager Memory Leak Vulnerability http://tools.cisco.com/security/center/viewAlert.x?alertId=24525 Cisco IOS XR 3.8.3, 3.8.4, and 3.9.1 allows remote attackers to cause a denial of service (NetIO process restart or device reload) via a crafted IPv4 packet, aka Bug ID CSCth44147. 20110525 Cisco IOS XR Software IP Packet Vulnerability Cisco IOS 12.4, 15.0, and 15.1 allows remote attackers to cause a denial of service (device reload) via malformed IPv6 packets, aka Bug ID CSCtj41194. http://tools.cisco.com/security/center/viewAlert.x?alertId=24131 20110928 Cisco IOS Software IPv6 Denial of Service Vulnerability Memory leak in the Data-link switching (aka DLSw) feature in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xS before 3.1.3S and 3.2.xS before 3.2.1S, when implemented over Fast Sequence Transport (FST), allows remote attackers to cause a denial of service (memory consumption and device reload or hang) via a crafted IP protocol 91 packet, aka Bug ID CSCth69364. http://tools.cisco.com/security/center/viewAlert.x?alertId=24116 20110928 Cisco IOS Software Data-Link Switching Vulnerability The NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload or hang) via malformed NetMeeting Directory (aka Internet Locator Service or ILS) LDAP traffic, aka Bug ID CSCtd10712. http://tools.cisco.com/security/center/viewAlert.x?alertId=24117 20110928 Cisco IOS Software Network Address Translation Vulnerabilities Cisco IOS XR 3.6.x, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 does not properly remove sshd_lock files from /tmp/, which allows remote attackers to cause a denial of service (disk consumption) by making many SSHv1 connections, aka Bug ID CSCtd64417. 20110525 Cisco IOS XR Software SSHv1 Denial of Service Vulnerability The web-based management interface in Cisco Secure Access Control System (ACS) 5.1 before 5.1.0.44.6 and 5.2 before 5.2.0.26.3 allows remote attackers to change arbitrary user passwords via unspecified vectors, aka Bug ID CSCtl77440. 1025271 20110330 Cisco Secure Access Control System Unauthorized Password Change Vulnerability 47093 ADV-2011-0821 cisco-acs-interface-security-bypass(66471) Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified Operations Manager (CUOM) before 8.6 allow remote attackers to inject arbitrary web script or HTML via (1) the extn parameter to iptm/advancedfind.do, (2) the deviceInstanceName parameter to iptm/ddv.do, the (3) cmd or (4) group parameter to iptm/eventmon, the (5) clusterName or (6) deviceName parameter to iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp, or the (7) ccmName or (8) clusterName parameter to iptm/logicalTopo.do, aka Bug ID CSCtn61716. 20110518 Cisco Unified Operations Manager Multiple Vulnerabilities - SOS-11-006 http://tools.cisco.com/security/center/viewAlert.x?alertId=23085 17304 http://www.senseofsecurity.com.au/advisories/SOS-11-006.pdf cisco-uom-multiple-xss(67521) Multiple SQL injection vulnerabilities in Cisco Unified Operations Manager (CUOM) before 8.6 allow remote attackers to execute arbitrary SQL commands via (1) the CCMs parameter to iptm/PRTestCreation.do or (2) the ccm parameter to iptm/TelePresenceReportAction.do, aka Bug ID CSCtn61716. 20110518 Cisco Unified Operations Manager Multiple Vulnerabilities - SOS-11-006 http://tools.cisco.com/security/center/viewAlert.x?alertId=23086 17304 47898 http://www.senseofsecurity.com.au/advisories/SOS-11-006.pdf cuom-prtestcreation-sql-injection(67522) Cross-site scripting (XSS) vulnerability in cwhp/device.center.do in the Help servlet in Cisco CiscoWorks Common Services 3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the device parameter, aka Bug ID CSCto12704. 20110518 Cisco Unified Operations Manager Multiple Vulnerabilities - SOS-11-006 http://tools.cisco.com/security/center/viewAlert.x?alertId=23088 17304 47902 http://www.senseofsecurity.com.au/advisories/SOS-11-006.pdf cisco-uom-framework-xss(67523) Cross-site scripting (XSS) vulnerability in CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine in the Common Services Device Center in Cisco Unified Operations Manager (CUOM) before 8.6 allows remote attackers to inject arbitrary web script or HTML via the tag parameter, aka Bug ID CSCto12712. 20110518 Cisco Unified Operations Manager Multiple Vulnerabilities - SOS-11-006 http://tools.cisco.com/security/center/viewAlert.x?alertId=23087 17304 http://www.senseofsecurity.com.au/advisories/SOS-11-006.pdf cisco-uom-common-services-xss(67524) The default configuration of the RADIUS authentication feature on the Cisco Network Admission Control (NAC) Guest Server with software before 2.0.3 allows remote attackers to bypass intended access restrictions and obtain network connectivity via unspecified vectors, aka Bug ID CSCtj66922. 20110330 Cisco Network Admission Control Guest Server System Software Authentication Bypass Vulnerability 1025272 Directory traversal vulnerability in cwhp/auditLog.do in the Homepage Auditing component in Cisco CiscoWorks Common Services 3.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter, aka Bug ID CSCto35577. 20110518 Cisco Unified Operations Manager Multiple Vulnerabilities - SOS-11-006 http://tools.cisco.com/security/center/viewAlert.x?alertId=23089 17304 http://www.senseofsecurity.com.au/advisories/SOS-11-006.pdf cisco-uom-auditlog-directory-traversal(67525) Stack-based buffer overflow in BMC PATROL Agent Service Daemon for in Performance Analysis for Servers, Performance Assurance for Servers, and Performance Assurance for Virtual Servers 7.4.00 through 7.5.10; Performance Analyzer and Performance Predictor for Servers 7.4.00 through 7.5.10; and Capacity Management Essentials 1.2.00 (7.4.15) allows remote attackers to execute arbitrary code via a crafted length value in a BGS_MULTIPLE_READS command to TCP port 6768. 8076 20110203 ZDI-11-039: BMC PATROL Agent Service Daemon BGS_MULTIPLE_READS Remote Code Execution Vulnerability 46151 ADV-2011-0286 http://www.zerodayinitiative.com/advisories/ZDI-11-039 bmc-patrolagent-bo(65135) Microsoft PowerPoint 2002 SP3, 2003 SP3, and 2007 SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; and PowerPoint Viewer 2007 SP2 do not properly handle Office Art containers that have invalid records, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a PowerPoint document with a container that triggers certain access to an uninitialized object, aka "OfficeArt Atom RCE Vulnerability." http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-microsoft 20110207 ZDI-11-044: Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability 1025340 TA11-102A ADV-2011-0941 http://zerodayinitiative.com/advisories/ZDI-11-044/ MS11-022 oval:org.mitre.oval:def:11978 Use-after-free vulnerability in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via malformed shape data in the Office drawing file format, aka "Microsoft Office Graphic Object Dereferencing Vulnerability." http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-microsoft 1025343 TA11-102A ADV-2011-0942 http://zerodayinitiative.com/advisories/ZDI-11-043/ MS11-023 oval:org.mitre.oval:def:12339 Stack-based buffer overflow in Microsoft Excel 2002 SP3, 2003 SP3, and 2007 SP2; Office 2004 for Mac; Excel Viewer SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 allows remote attackers to execute arbitrary code via vectors related to an axis properties record, and improper incrementing of an array index, aka "Excel Array Indexing Vulnerability." http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-microsoft 8231 1025337 TA11-102A ADV-2011-0940 http://zerodayinitiative.com/advisories/ZDI-11-042/ MS11-021 oval:org.mitre.oval:def:12439 Microsoft Excel 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004, 2008, and 2011 for Mac; Open XML File Format Converter for Mac; and Excel Viewer SP2 do not properly handle errors during the parsing of Office Art records in Excel spreadsheets, which allows remote attackers to execute arbitrary code via a malformed object record, related to a "stray reference," aka "Excel Linked List Corruption Vulnerability." http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-microsoft 1025337 TA11-102A ADV-2011-0940 http://zerodayinitiative.com/advisories/ZDI-11-041/ MS11-021 oval:org.mitre.oval:def:12595 Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac do not properly parse Office Art objects, which allows remote attackers to execute arbitrary code via vectors related to a function pointer, aka "Excel Dangling Pointer Vulnerability." http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-microsoft 1025337 TA11-102A ADV-2011-0940 http://zerodayinitiative.com/advisories/ZDI-11-040/ MS11-021 oval:org.mitre.oval:def:12018 Google Chrome before 9.0.597.94 does not properly perform event handling for animations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." http://code.google.com/p/chromium/issues/detail?id=67234 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_08.html APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 DSA-2166 46262 http://www.srware.net/forum/viewtopic.php?f=18&t=2190 ADV-2011-0408 oval:org.mitre.oval:def:14320 Use-after-free vulnerability in Google Chrome before 9.0.597.94 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving SVG font faces. http://code.google.com/p/chromium/issues/detail?id=68120 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_08.html 46262 http://www.srware.net/forum/viewtopic.php?f=18&t=2190 oval:org.mitre.oval:def:14582 Google Chrome before 9.0.597.94 does not properly handle anonymous blocks, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." http://code.google.com/p/chromium/issues/detail?id=69556 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_08.html APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 DSA-2166 46262 http://www.srware.net/forum/viewtopic.php?f=18&t=2190 ADV-2011-0408 oval:org.mitre.oval:def:14543 Google Chrome before 9.0.597.94 does not properly handle plug-ins, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. http://code.google.com/p/chromium/issues/detail?id=69970 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_08.html DSA-2166 46262 http://www.srware.net/forum/viewtopic.php?f=18&t=2190 ADV-2011-0408 oval:org.mitre.oval:def:14719 Google Chrome before 9.0.597.94 does not properly perform process termination upon memory exhaustion, which has unspecified impact and remote attack vectors. http://code.google.com/p/chromium/issues/detail?id=70456 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_08.html DSA-2166 46262 http://www.srware.net/forum/viewtopic.php?f=18&t=2190 ADV-2011-0408 oval:org.mitre.oval:def:14506 phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files, which allows remote attackers to obtain the installation path via a direct request for a nonexistent file. FEDORA-2011-1373 FEDORA-2011-1408 http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=035d002db1e1201e73e560d7d98591563b506a83 MDVSA-2011:026 http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php ADV-2011-0385 phpmyadmin-readme-path-disclosure(65424) The PMA_Bookmark_get function in libraries/bookmark.lib.php in phpMyAdmin 2.11.x before 2.11.11.3, and 3.3.x before 3.3.9.2, does not properly restrict bookmark queries, which makes it easier for remote authenticated users to trigger another user's execution of a SQL query by creating a bookmark. FEDORA-2011-1373 FEDORA-2011-1408 FEDORA-2011-1282 http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=a5464b4daff0059cdf8c9e5f4d54a80e2dd2a5b0 DSA-2167 MDVSA-2011:026 http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php 46359 ADV-2011-0381 ADV-2011-0385 ADV-2011-0409 ADV-2011-0512 ADV-2011-0570 phpmyadmin-bookmark-security-bypass(65390) pure-ftpd 1.0.22, as used in SUSE Linux Enterprise Server 10 SP3 and SP4, and Enterprise Desktop 10 SP3 and SP4, when running OES Netware extensions, creates a world-writeable directory, which allows local users to overwrite arbitrary files and gain privileges via unspecified vectors. sles-pureftpd-privilege-escalation(66618) SUSE-SU-2011:0306 The RuntimeHelpers.InitializeArray method in metadata/icall.c in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, does not properly restrict data types, which allows remote attackers to modify internal read-only data structures, and cause a denial of service (plugin crash) or corrupt the internal state of the security manager, via a crafted media file, as demonstrated by modifying a C# struct. [opensuse-updates] 20110408 openSUSE-SU-2011:0313-1 (critical): moonlight security update [oss-security] 20110406 Moonlight release 2.4.1 with security fixes http://www.mono-project.com/Vulnerabilities 47208 ADV-2011-0904 https://bugzilla.novell.com/show_bug.cgi?id=667077 momo-runtime-security-bypass(66624) https://github.com/mono/mono/commit/035c8587c0d8d307e45f1b7171a0d337bb451f1e Race condition in the FastCopy optimization in the Array.Copy method in metadata/icall.c in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, allows remote attackers to trigger a buffer overflow and modify internal data structures, and cause a denial of service (plugin crash) or corrupt the internal state of the security manager, via a crafted media file in which a thread makes a change after a type check but before a copy action. [opensuse-updates] 20110408 openSUSE-SU-2011:0313-1 (critical): moonlight security update [oss-security] 20110406 Moonlight release 2.4.1 with security fixes http://www.mono-project.com/Vulnerabilities 47208 ADV-2011-0904 https://bugzilla.novell.com/show_bug.cgi?id=667077 momo-arraycopy-security-bypass(66625) https://github.com/mono/mono/commit/2f00e4bbb2137130845afb1b2a1e678552fc8e5c Use-after-free vulnerability in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to finalizing and then resurrecting a DynamicMethod instance. [opensuse-updates] 20110408 openSUSE-SU-2011:0313-1 (critical): moonlight security update [oss-security] 20110406 Moonlight release 2.4.1 with security fixes http://www.mono-project.com/Vulnerabilities 47208 ADV-2011-0904 https://bugzilla.novell.com/show_bug.cgi?id=660422 https://bugzilla.novell.com/show_bug.cgi?id=667077 momo-dynamicmethod-code-execution(66626) https://github.com/mono/mono/commit/3f8ee42b8c867d9a4c18c22657840d072cca5c3a https://github.com/mono/mono/commit/89d1455a80ef13cddee5d79ec00c06055da3085c https://github.com/mono/mono/commit/8eb1189099e02372fd45ca1c67230eccf1edddc0 Use-after-free vulnerability in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, allows remote attackers to cause a denial of service (plugin crash) or obtain sensitive information via vectors related to member data in a resurrected MonoThread instance. [opensuse-updates] 20110408 openSUSE-SU-2011:0313-1 (critical): moonlight security update [oss-security] 20110406 Moonlight release 2.4.1 with security fixes http://www.mono-project.com/Vulnerabilities 47208 ADV-2011-0904 https://bugzilla.novell.com/show_bug.cgi?id=667077 https://bugzilla.novell.com/show_bug.cgi?id=678515 https://bugzilla.redhat.com/show_bug.cgi?id=694933 momo-monothread-info-disclosure(66627) https://github.com/mono/mono/commit/722f9890f09aadfc37ae479e7d946d5fc5ef7b91 SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors. SUSE-SR:2011:007 slms-cve20110993-info-disc(95697) Stack-based buffer overflow in NFRAgent.exe in Novell File Reporter (NFR) before 1.0.2 allows remote attackers to execute arbitrary code via unspecified XML data. http://download.novell.com/Download?buildid=rCAgCcbPH9s~ 8194 20110404 ZDI-11-116: Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability 47144 1025292 ADV-2011-0866 http://www.zerodayinitiative.com/advisories/ZDI-11-116/ filereporter-nfragent-bo(66548) oval:org.mitre.oval:def:12064 The sqlite3-ruby gem in the rubygem-sqlite3 package before 1.2.4-0.5.1 in SUSE Linux Enterprise (SLE) 11 SP1 uses weak permissions for unspecified files, which allows local users to gain privileges via unknown vectors. http://support.novell.com/security/cve/CVE-2011-0995.html 47694 https://bugzilla.novell.com/show_bug.cgi?id=685928 sqlite3ruby-file-overwrite(67263) dhcpcd before 5.2.12 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message. [dhcpcd-discuss] 20110406 [CVE-2011-996] dhcpcd does not strip or escape shell meta characters http://roy.marples.name/projects/dhcpcd/changeset/c317b39786ac6c3a939dc711db7c78cf099859fd http://roy.marples.name/projects/dhcpcd/timeline GLSA-201301-04 47272 https://bugzilla.novell.com/show_bug.cgi?id=675052 dhcpcd-response-command-execution(66641) dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script. http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761 FEDORA-2011-4897 FEDORA-2011-4934 HPSBMU02752 GLSA-201301-06 1025300 SSA:2011-097-01 DSA-2216 DSA-2217 VU#107886 MDVSA-2011:073 RHSA-2011:0428 RHSA-2011:0840 47176 USN-1108-1 ADV-2011-0879 ADV-2011-0886 ADV-2011-0909 ADV-2011-0915 ADV-2011-0926 ADV-2011-0965 ADV-2011-1000 https://bugzilla.redhat.com/show_bug.cgi?id=689832 iscdhcp-dhclient-command-execution(66580) oval:org.mitre.oval:def:12812 37623 https://www.isc.org/software/dhcp/advisories/cve-2011-0997 mm/huge_memory.c in the Linux kernel before 2.6.38-rc5 does not prevent creation of a transparent huge page (THP) during the existence of a temporary stack for an exec system call, which allows local users to cause a denial of service (memory consumption) or possibly have unspecified other impact via a crafted application. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a7d6e4ecdb7648478ddec76d30d87d03d6e22b31 [oss-security] 20110217 CVE request - kernel: thp: prevent hugepages during args/env copying into the user stack [oss-security] 20110217 Re: CVE request - kernel: thp: prevent hugepages during args/env copying into the user stack http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.38-rc5 46442 https://bugzilla.redhat.com/show_bug.cgi?id=678209 kernel-hugepages-dos(65535) jingle-factory.c in Telepathy Gabble 0.11 before 0.11.7, 0.10 before 0.10.5, and 0.8 before 0.8.15 allows remote attackers to sniff audio and video calls via a crafted google:jingleinfo stanza that specifies an alternate server for streamed media. FEDORA-2011-1668 FEDORA-2011-1903 FEDORA-2011-1284 DSA-2169 [oss-security] 20110217 CVE id request: telepathy-gabble [oss-security] 20110217 Re: CVE id request: telepathy-gabble 46440 USN-1067-1 ADV-2011-0412 ADV-2011-0428 ADV-2011-0537 ADV-2011-0572 ADV-2011-0901 https://bugs.freedesktop.org/show_bug.cgi?id=34048 gabble-jingle-info-security-bypass(65523) openSUSE-SU-2011:0303 dexdump in Android SDK before 2.3 does not properly perform structural verification, which allows user-assisted remote attackers to cause a denial of service (dexdump crash) and possibly execute arbitrary code via a malformed APK or dex file that calls a method using more arguments than the number of register that have been declared for that method. http://android.git.kernel.org/?p=platform/dalvik.git;a=commit;h=4b0750e8df91220690bb417f45d7ae8b7851b220 20110328 Android SDK: Segmentation fault with dexdump / dexDecodeDebugInfo avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29 allows remote attackers to cause a denial of service (infinite loop) via an empty mDNS (1) IPv4 or (2) IPv6 UDP packet to port 5353. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-2244. http://avahi.org/ticket/325 http://git.0pointer.de/?p=avahi.git;a=commit;h=46109dfec75534fe270c0ab902576f685d5ab3a6 FEDORA-2011-3033 SUSE-SR:2011:005 [oss-security] 20110218 CVE request: avahi daemon remote denial of service by sending NULL UDP [oss-security] 20110218 Re: CVE request: avahi daemon remote denial of service by sending NULL UDP USN-1084-1 DSA-2174 MDVSA-2011:037 MDVSA-2011:040 [oss-security] 20110222 Re: [oss-security] CVE request: avahi daemon remote denial of service by sending NULL UDP RHSA-2011:0436 RHSA-2011:0779 46446 ADV-2011-0448 ADV-2011-0499 ADV-2011-0511 ADV-2011-0565 ADV-2011-0601 ADV-2011-0670 ADV-2011-0969 http://xorl.wordpress.com/2011/02/20/cve-2011-1002-avahi-daemon-remote-denial-of-service/ https://bugzilla.redhat.com/show_bug.cgi?id=667187 avahi-udp-dos(65524) avahi-udp-packet-dos(65525) Double free vulnerability in the vba_read_project_strings function in vba_extract.c in libclamav in ClamAV before 0.97 might allow remote attackers to execute arbitrary code via crafted Visual Basic for Applications (VBA) data in a Microsoft Office document. NOTE: some of these details are obtained from third party information. http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob;f=ChangeLog;hb=clamav-0.97 http://git.clamav.net/gitweb?p=clamav-devel.git;a=commit;h=d21fb8d975f8c9688894a8cef4d50d977022e09f FEDORA-2011-2741 FEDORA-2011-2743 SUSE-SR:2011:005 [oss-security] 20110221 clamav 0.97 [oss-security] 20110221 Re: clamav 0.97 1025100 MDVA-2011:007 46470 USN-1076-1 ADV-2011-0453 ADV-2011-0458 ADV-2011-0523 clamav-vbareadprojectstrings-dos(65544) https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2486 The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack. APPLE-SA-2012-05-09-1 FEDORA-2011-1876 FEDORA-2011-1913 http://support.apple.com/kb/HT5281 MDVSA-2011:097 [oss-security] 20110221 CVE request: ruby: FileUtils is vulnerable to symlink race attacks + Exception methods can bypass $SAFE [oss-security] 20110221 Re: CVE request: ruby: FileUtils is vulnerable to symlink race attacks + Exception methods can bypass $SAFE RHSA-2011:0909 RHSA-2011:0910 http://www.ruby-lang.org/en/news/2011/02/18/fileutils-is-vulnerable-to-symlink-race-attacks/ 46460 ADV-2011-0539 https://bugzilla.redhat.com/show_bug.cgi?id=678913 The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname. APPLE-SA-2012-05-09-1 FEDORA-2011-1876 FEDORA-2011-1913 http://support.apple.com/kb/HT5281 MDVSA-2011:097 MDVSA-2011:098 [oss-security] 20110221 CVE request: ruby: FileUtils is vulnerable to symlink race attacks + Exception methods can bypass $SAFE [oss-security] 20110221 Re: CVE request: ruby: FileUtils is vulnerable to symlink race attacks + Exception methods can bypass $SAFE RHSA-2011:0908 RHSA-2011:0909 RHSA-2011:0910 http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/ 46458 ADV-2011-0539 https://bugzilla.redhat.com/show_bug.cgi?id=678920 Heap-based buffer overflow in the parse_cgroup_spec function in tools/tools-common.c in the Control Group Configuration Library (aka libcgroup or libcg) before 0.37.1 allows local users to gain privileges via a crafted controller list on the command line of an application. NOTE: it is not clear whether this issue crosses privilege boundaries. http://libcg.git.sourceforge.net/git/gitweb.cgi?p=libcg/libcg;a=commit;h=5ae8aea1ecd60c439121d3329d8eaabf13d292c1 FEDORA-2011-2631 FEDORA-2011-2638 openSUSE-SU-2011:0316 http://sourceforge.net/projects/libcg/files/libcgroup/v0.37.1/libcgroup-0.37.1.tar.bz2/download DSA-2193 RHSA-2011:0320 46729 1025158 ADV-2011-0679 ADV-2011-0774 https://bugzilla.redhat.com/show_bug.cgi?id=678107 Best Practical Solutions RT before 3.8.9 does not perform certain redirect actions upon a login, which allows physically proximate attackers to obtain credentials by resubmitting the login form via the back button of a web browser on an unattended workstation after an RT logout. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614575 http://issues.bestpractical.com/Ticket/Display.html?id=15804 [rt-announce] 20110216 RT 3.8.9 Released [oss-security] 20110222 Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition [oss-security] 20110222 Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition [oss-security] 20110222 CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition [oss-security] 20110223 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition [oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition [oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition [oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition ADV-2011-0475 rt-login-information-disclosure(65771) https://github.com/bestpractical/rt/commit/057552287159e801535e59b8fbd5bd98d1322069 https://github.com/bestpractical/rt/commit/917c211820590950f7eb0521f7f43b31aeed44c4 Scrips_Overlay.pm in Best Practical Solutions RT before 3.8.9 does not properly restrict access to a TicketObj in a Scrip after a CurrentUser change, which allows remote authenticated users to obtain sensitive information via unspecified vectors, as demonstrated by custom-field value information, related to SQL logging. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614576 [rt-announce] 20110216 RT 3.8.9 Released [oss-security] 20110222 Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition [oss-security] 20110222 Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition [oss-security] 20110222 CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition [oss-security] 20110223 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition [oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition [oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition [oss-security] 20110224 Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmittion upon user log out 2) SQL queries information leak by user account transition ADV-2011-0475 rt-scripsoverlay-information-disclosure(65772) https://github.com/bestpractical/rt/commit/2338cd19ed7a7f4c1e94f639ab2789d6586d01f3 Buffer overflow in the mac_partition function in fs/partitions/mac.c in the Linux kernel before 2.6.37.2 allows local users to cause a denial of service (panic) or possibly have unspecified other impact via a malformed Mac OS partition table. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fa7ea87a057958a8b7926c1a60a3ca6d696328ed [oss-security] 20110222 Re: CVE request: kernel: fs/partitions: validate map_count in mac partition tables [oss-security] 20110222 Re: CVE request: kernel: fs/partitions: validate map_count in mac partition tables [oss-security] 20110222 CVE request: kernel: fs/partitions: validate map_count in mac partition tables 8115 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.37.2 http://www.pre-cert.de/advisories/PRE-SA-2011-01.txt 20110223 [PRE-SA-2011-01] Multiple Linux kernel vulnerabilities in partition handling code of LDM and MAC partition tables 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console 46492 1025126 http://www.vmware.com/security/advisories/VMSA-2011-0012.html https://bugzilla.redhat.com/show_bug.cgi?id=679282 kernel-map-dos(65643) The seunshare_mount function in sandbox/seunshare.c in seunshare in certain Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a new directory on top of /tmp without assigning root ownership and the sticky bit to this new directory, which allows local users to replace or delete arbitrary /tmp files, and consequently cause a denial of service or possibly gain privileges, by running a setuid application that relies on /tmp, as demonstrated by the ksu application. 20110222 Developers should not rely on the stickiness of /tmp on Red Hat Linux FEDORA-2011-3043 [oss-security] 20110222 CVE Request [oss-security] 20110223 Re: CVE Request http://pkgs.fedoraproject.org/gitweb/?p=policycoreutils.git;a=blob;f=policycoreutils-rhat.patch;h=d4db5bc06027de23d12a4b3f18fa6f9b1517df27;hb=HEAD#l2197 RHSA-2011:0414 46510 1025291 ADV-2011-0701 ADV-2011-0864 https://bugzilla.redhat.com/show_bug.cgi?id=633544 policycoreutils-seunshare-symlink(65641) The ldm_parse_vmdb function in fs/partitions/ldm.c in the Linux kernel before 2.6.38-rc6-git6 does not validate the VBLK size value in the VMDB structure in an LDM partition table, which allows local users to cause a denial of service (divide-by-zero error and OOPS) via a crafted partition table. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=294f6cf48666825d23c9372ef37631232746e40d [oss-security] 20110223 Re: CVE request: kernel: Corrupted LDM partition table issues [oss-security] 20110223 CVE request: kernel: Corrupted LDM partition table issues 8115 http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.38-rc6-git6.log http://www.pre-cert.de/advisories/PRE-SA-2011-01.txt 20110223 [PRE-SA-2011-01] Multiple Linux kernel vulnerabilities in partition handling code of LDM and MAC partition tables 46512 1025127 [mm-commits] 20110222 + ldm-corrupted-partition-table-can-cause-kernel-oops.patch added to -mm tree USN-1146-1 Integer signedness error in the drm_modeset_ctl function in (1) drivers/gpu/drm/drm_irq.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.38 and (2) sys/dev/pci/drm/drm_irq.c in the kernel in OpenBSD before 4.9 allows local users to trigger out-of-bounds write operations, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via a crafted num_crtcs (aka vb_num) structure member in an ioctl argument. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1922756124ddd53846877416d92ba4a802bc658f http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38 http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/drm/drm_irq.c http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/drm/drm_irq.c.diff?r1=1.41;r2=1.42;f=h 47639 https://bugzilla.redhat.com/show_bug.cgi?id=679925 kernel-drmioctl-priv-escalation(67199) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-0465. Reason: This candidate is a reservation duplicate of CVE-2011-0465. Notes: All CVE users should reference CVE-2011-0465 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI. http://bugs.python.org/issue2254 http://hg.python.org/cpython/rev/c6c4398293bd/ [oss-security] 20110223 CVE request: Information disclosure in CGIHTTPServer from Python [oss-security] 20110224 Re: CVE request: Information disclosure in CGIHTTPServer from Python 1025489 http://svn.python.org/view?view=revision&revision=71303 MDVSA-2011:096 46541 USN-1596-1 USN-1613-1 USN-1613-2 https://bugzilla.redhat.com/show_bug.cgi?id=680094 The Radeon GPU drivers in the Linux kernel before 2.6.38-rc5 do not properly validate data related to the AA resolve registers, which allows local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fff1ce4dc6113b6fdc4e3a815ca5fd229408f8ef [oss-security] 20110224 Re: CVE request: kernel: drm/radeon/kms: check AA resolve registers on r300 [oss-security] 20110224 CVE request: kernel: drm/radeon/kms: check AA resolve registers on r300 [oss-security] 20110225 Re: CVE request: kernel: drm/radeon/kms: check AA resolve registers on r300 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.38-rc5 46557 https://bugzilla.redhat.com/show_bug.cgi?id=680000 kernel-atiradeon-sec-bypass(65691) Heap-based buffer overflow in the ldm_frag_add function in fs/partitions/ldm.c in the Linux kernel 2.6.37.2 and earlier might allow local users to gain privileges or obtain sensitive information via a crafted LDM partition table. [oss-security] 20110223 CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables [oss-security] 20110224 Re: CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables [oss-security] 20110223 Re: CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables 8115 1025128 http://www.pre-cert.de/advisories/PRE-SA-2011-01.txt 20110223 [PRE-SA-2011-01] Multiple Linux kernel vulnerabilities in partition handling code of LDM and MAC partition tables 46512 USN-1146-1 logwatch.pl in Logwatch 7.3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in a log file name, as demonstrated via a crafted username to a Samba server. FEDORA-2011-2328 FEDORA-2011-2318 FEDORA-2011-2396 SUSE-SR:2011:005 http://logwatch.svn.sourceforge.net/viewvc/logwatch/scripts/logwatch.pl?r1=3&r2=26&pathrev=26 [Logwatch-devel] 20110216 Remote command execution issue with root privileges http://sourceforge.net/tracker/?func=detail&aid=3184223&group_id=312875&atid=1316824 DSA-2182 [oss-security] 20110224 CVE Request -- logwatch: Privilege escalation due improper sanitization of special characters in log file names [oss-security] 20110224 Re: CVE Request -- logwatch: Privilege escalation due improper sanitization of special characters in log file names RHSA-2011:0324 46554 1025165 USN-1078-1 ADV-2011-0533 ADV-2011-0581 ADV-2011-0596 https://bugzilla.redhat.com/show_bug.cgi?id=680237 The dev_load function in net/core/dev.c in the Linux kernel before 2.6.38 allows local users to bypass an intended CAP_SYS_MODULE capability requirement and load arbitrary modules by leveraging the CAP_NET_ADMIN capability. http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8909c9ad8ff03611c9c96c9a92656213e4bb495b [oss-security] 20110225 Re: CVE request: kernel: CAP_SYS_MODULE bypass via CAP_NET_ADMIN https://bugzilla.redhat.com/show_bug.cgi?id=680360 https://github.com/torvalds/linux/commit/8909c9ad8ff03611c9c96c9a92656213e4bb495b The proc filesystem implementation in the Linux kernel 2.6.37 and earlier does not restrict access to the /proc directory tree of a process after this process performs an exec of a setuid program, which allows local users to obtain sensitive information or cause a denial of service via open, lseek, read, and write system calls. [oss-security] 20110224 CVE request: kernel: /proc/$pid/ leaks contents across setuid exec [oss-security] 20110225 Re: CVE request: kernel: /proc/$pid/ leaks contents across setuid exec 20110122 Proc filesystem and SUID-Binaries 8107 http://www.halfdog.net/Security/2011/SuidBinariesAndProcInterface/ 46567 kernel-procpid-security-bypass(65693) [linux-kernel] 20110209 Re: [SECURITY] /proc/$pid/ leaks contents across setuid exec [linux-kernel] 20110207 [SECURITY] /proc/$pid/ leaks contents across setuid exec [linux-kernel] 20110208 Re: [SECURITY] /proc/$pid/ leaks contents across setuid exec [linux-kernel] 20110207 Re: [SECURITY] /proc/$pid/ leaks contents across setuid exec [linux-kernel] 20110208 Re: [SECURITY] /proc/$pid/ leaks contents across setuid exec [linux-kernel] 20110207 Re: [SECURITY] /proc/$pid/ leaks contents across setuid exec [linux-kernel] 20110209 Re: [SECURITY] /proc/$pid/ leaks contents across setuid exec drivers/acpi/debugfs.c in the Linux kernel before 3.0 allows local users to modify arbitrary kernel memory locations by leveraging root privileges to write to the /sys/kernel/debug/acpi/custom_method file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4347. http://ftp.osuosl.org/pub/linux/kernel/v3.0/ChangeLog-3.0 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=526b4af47f44148c9d665e57723ed9f86634c6e3 [oss-security] 20110225 Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions https://bugzilla.redhat.com/show_bug.cgi?id=680841 https://github.com/torvalds/linux/commit/526b4af47f44148c9d665e57723ed9f86634c6e3 The cgre_receive_netlink_msg function in daemon/cgrulesengd.c in cgrulesengd in the Control Group Configuration Library (aka libcgroup or libcg) before 0.37.1 does not verify that netlink messages originated in the kernel, which allows local users to bypass intended resource restrictions via a crafted message. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=615987 FEDORA-2011-2631 FEDORA-2011-2638 openSUSE-SU-2011:0316 [oss-security] 20110225 Re: CVE request: libcgroup: Failure to verify netlink messages [oss-security] 20110225 Re: CVE request: libcgroup: Failure to verify netlink messages [oss-security] 20110225 Re: CVE request: libcgroup: Failure to verify netlink messages [oss-security] 20110224 CVE request: libcgroup: Failure to verify netlink messages [oss-security] 20110225 Re: CVE request: libcgroup: Failure to verify netlink messages [libcg-devel] 20101115 Fwd: libcgroup netlink [libcg-devel] 20110218 [PATCH 2/2] cgrulesengd: Ignore netlink messages that don't come from the kernel. http://sourceforge.net/projects/libcg/files/libcgroup/v0.37.1/libcgroup-0.37.1.tar.bz2/download DSA-2193 RHSA-2011:0320 46578 1025157 ADV-2011-0679 ADV-2011-0774 https://bugzilla.redhat.com/show_bug.cgi?id=680409 The Reliable Datagram Sockets (RDS) subsystem in the Linux kernel before 2.6.38 does not properly handle congestion map updates, which allows local users to cause a denial of service (BUG_ON and system crash) via vectors involving (1) a loopback (aka loop) transmit operation or (2) an InfiniBand (aka ib) transmit operation. http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6094628bfd94323fc1cea05ec2c6affd98c18f7f [oss-security] 20110303 CVE-2011-1023 kernel: rds: prevent BUG_ON triggering on congestion map updates https://bugzilla.redhat.com/show_bug.cgi?id=680345 https://github.com/torvalds/linux/commit/6094628bfd94323fc1cea05ec2c6affd98c18f7f chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-slave configuration with a chain overlay and ppolicy_forward_updates (aka authentication-failure forwarding) is used, allows remote authenticated users to bypass external-program authentication by sending an invalid password to a slave server. http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735 [oss-security] 20110224 CVE Request -- OpenLDAP -- two issues [oss-security] 20110225 Re: CVE Request -- OpenLDAP -- two issues GLSA-201406-36 1025188 MDVSA-2011:055 MDVSA-2011:056 http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ldap/chain.c.diff?r1=1.76&r2=1.77&hideattic=1&sortbydate=0 http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607 [openldap-announce] 20110212 OpenLDAP 2.4.24 available [openldap-technical] 20100429 ppolicy master/slave issue RHSA-2011:0346 RHSA-2011:0347 USN-1100-1 ADV-2011-0665 https://bugzilla.novell.com/show_bug.cgi?id=674985 https://bugzilla.redhat.com/show_bug.cgi?id=680466 bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require authentication for the root Distinguished Name (DN), which allows remote attackers to bypass intended access restrictions via an arbitrary password. http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 [oss-security] 20110224 CVE Request -- OpenLDAP -- two issues [oss-security] 20110225 Re: CVE Request -- OpenLDAP -- two issue GLSA-201406-36 1025190 MDVSA-2011:056 http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ndb/bind.cpp.diff?r1=1.5&r2=1.8 http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6661 [openldap-announce] 20110212 OpenLDAP 2.4.24 available RHSA-2011:0347 USN-1100-1 ADV-2011-0665 https://bugzilla.redhat.com/show_bug.cgi?id=680472 Multiple cross-site request forgery (CSRF) vulnerabilities in Apache Archiva 1.0 through 1.2.2, and 1.3.x before 1.3.5, allow remote attackers to hijack the authentication of administrators. http://archiva.apache.org/docs/1.3.5/release-notes.html http://archiva.apache.org/security.html 20110531 [CVE-2011-1026] Apache Archiva Multiple CSRF vulnerabilities 8266 20110527 [SECURITY] CVE-2011-1026: Apache Archiva Multiple CSRF vulnerability 48015 archiva-multiple-csrf(67671) Off-by-one error in the convert_query_hexchar function in html.c in cgit.cgi in cgit before 0.8.3.5 allows remote attackers to cause a denial of service (infinite loop) via a string composed of a % (percent) character followed by invalid hex characters, as demonstrated by a %gg sequence. [git] 20110305 [ANNOUNCE] CGIT 0.8.3.5 http://hjemli.net/git/cgit/commit/?h=stable&id=fc384b16fb9787380746000d3cea2d53fccc548e FEDORA-2011-2803 FEDORA-2011-2815 FEDORA-2011-2790 [oss-security] 20110307 cgit convert_query_hexchar infinite loop (CVE-2011-1027) 46756 ADV-2011-0667 https://bugzilla.redhat.com/show_bug.cgi?id=680905 cgit-convertqueryhexchar-dos(65919) Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert (RTC) 2.0.0.x allows remote authenticated users to inject arbitrary web script or HTML via the name of a shared report. PM22477 46179 ADV-2011-0297 ibm-concert-reportnames-xss(65170) Cross-site scripting (XSS) vulnerability in the Wikis component in IBM Lotus Connections 3.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "Confirm New Page scene." 1025054 LO57850 http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1LO57850 The feh_unique_filename function in utils.c in feh 1.11.2 and earlier might allow local users to create arbitrary files via a symlink attack on a /tmp/feh_ temporary file, a different vulnerability than CVE-2011-0702. https://bugzilla.redhat.com/show_bug.cgi?id=676389 https://derf.homelinux.org/git/feh/commit/?id=23421a86cc826dd30f3dc4f62057fafb04b3ac40 https://derf.homelinux.org/git/feh/commit/?id=29ab0855f044ef2fe9c295b72abefcb37f0861a5 https://github.com/derf/feh/issues/#issue/32 IBM Lotus Connections 3.0, when IBM WebSphere Application Server 7.0.0.11 is used, does not properly restrict access to the internal login module, which has unspecified impact and attack vectors. http://www.ibm.com/support/docview.wss?uid=swg21462435 ADV-2011-0382 PK54565 Stack-based buffer overflow in oninit in IBM Informix Dynamic Server (IDS) 11.50 allows remote attackers to execute arbitrary code via crafted arguments in the USELASTCOMMITTED session environment option in a SQL SET ENVIRONMENT statement. http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-ibm 8078 20110207 ZDI-11-050: IBM Informix Dynamic Server SET ENVIRONMENT Remote Code Execution Vulnerability 46230 ADV-2011-0309 http://zerodayinitiative.com/advisories/ZDI-11-050/ ibm-informix-dynamic-oninit-bo(65209) Cross-site scripting (XSS) vulnerability in the UI in IBM Rational Build Forge 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the mod parameter to the fullcontrol program. NOTE: some of these details are obtained from third party information. 1025019 PM05187 46125 ADV-2011-0276 The password reset in PivotX before 2.2.4 allows remote attackers to modify the passwords of arbitrary users via unspecified vectors. http://blog.pivotx.net/2011-02-16/pivotx-225-released http://forum.pivotx.net/viewtopic.php?f=2&t=1961 http://forum.pivotx.net/viewtopic.php?f=2&t=1967 http://forum.pivotx.net/viewtopic.php?p=10639#p10639 VU#175068 46463 ADV-2011-0445 pivotx-resetpassword-security-bypass(65539) The XML Security Database Parser class in the XMLSecDB ActiveX control in the HIPSEngine component in the Management Server before 8.1.0.88, and the client before 1.6.450, in CA Host-Based Intrusion Prevention System (HIPS) 8.1, as used in CA Internet Security Suite (ISS) 2010, allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via vectors involving the SetXml and Save methods. 8106 20110223 ZDI-11-093: CA Internet Security Suite HIPS XML Security Database Parser Class Remote Code Execution Vulnerability 20110225 CA20110223-01: Security Notice for CA Host-Based Intrusion Prevention System 46539 1025120 ADV-2011-0496 http://www.zerodayinitiative.com/advisories/ZDI-11-093 ca-products-activex-file-overwrite(65632) Multiple cross-site scripting (XSS) vulnerabilities in stconf.nsf in the server in IBM Lotus Sametime 8.0.1 allow remote attackers to inject arbitrary web script or HTML via (1) the messageString parameter in a WebMessage action or (2) the PATH_INFO. 8100 20110221 Domino Sametime Multiple Reflected Cross-Site Scripting 46471 sametime-stcenter-xss(65555) Use-after-free vulnerability in flimflamd in flimflam in Google Chrome OS before 0.9.130.14 Beta allows user-assisted remote attackers to cause a denial of service (daemon crash) by providing the name of a hidden WiFi network that does not respond to connection attempts. http://code.google.com/p/chromium-os/issues/detail?id=8871 http://codereview.chromium.org/5255012 http://googlechromereleases.blogspot.com/2011/01/chrome-os-beta-channel-update.html google-chrome-flimflamd-dos(65556) The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 does not initialize a certain response buffer, which allows local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7182afea8d1afd432a17c18162cc3fd441d0da93 RHSA-2011:0927 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.37 46488 https://bugzilla.redhat.com/show_bug.cgi?id=667916 kernel-ibuverbspollcq-info-disclosure(65563) Unspecified vulnerability in the Rendition Engine (aka P8RE) 4.0.1 through 4.5.1 in IBM FileNet P8 Content Manager (CM) allows remote attackers to gain privileges via unknown vectors. 46424 ADV-2011-0406 http://www-01.ibm.com/support/docview.wss?uid=swg21462440 ibm-fcm-renditionengine-priv-escalation(65417) IBM FileNet P8 Content Engine (aka P8CE) 4.0.1 through 5.0.0, as used in FileNet P8 Content Manager (CM) and FileNet P8 Business Process Manager (BPM), does not require the PRIVILEGED_WRITE access role for all intended Object Store modifications, which allows remote attackers to change a privileged property of an object via unspecified vectors. 46432 ADV-2011-0423 http://www-01.ibm.com/support/docview.wss?uid=swg21462438 ibm-filenet-contentengine-sec-bypass(65448) Multiple SQL injection vulnerabilities in VastHTML Forum Server (aka ForumPress) plugin 1.6.1 and 1.6.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) search_max parameter in a search action to index.php, which is not properly handled by wpf.class.php, (2) id parameter in an editpost action to index.php, which is not properly handled by wpf-post.php, or (3) topic parameter to feed.php. 8099 http://www.htbridge.ch/advisory/sql_injection_in_wp_forum_server_wordpress_plugin.html http://www.htbridge.ch/advisory/sql_injection_in_wp_forum_server_wordpress_plugin_1.html http://www.htbridge.ch/advisory/sql_injection_in_wp_forum_server_wordpress_plugin_2.html 20110210 HTB22852: SQL Injection in WP Forum Server wordpress plugin 20110210 HTB22851: SQL Injection in WP Forum Server wordpress plugin 46362 SQL injection vulnerability in product.php in MihanTools 1.33 allows remote attackers to execute arbitrary SQL commands via the id parameter. 16143 46287 Buffer overflow in the Mach-O input file loader in Hex-Rays IDA Pro 5.7 and 6.0 allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Macho-O file. ADV-2011-0357 https://www.hex-rays.com/vulnfix.shtml Unspecified vulnerability in Hex-Rays IDA Pro 5.7 and 6.0 has unknown impact and attack vectors related to "converson of string encodings" and "inconsistencies in the handling of UTF8 sequences by the user interface." 46525 ADV-2011-0357 idapro-utf8-unspecified(65562) https://www.hex-rays.com/vulnfix.shtml Integer overflow in the COFF/EPOC/EXPLOAD input file loaders in Hex-Rays IDA Pro 5.7 and 6.0 has unknown impact and attack vectors related to memory allocation. 46525 idapro-coffepocexpload-unspecified(65561) https://www.hex-rays.com/vulnfix.shtml Integer overflow in the PSX/GEOS input file loaders in Hex-Rays IDA Pro 5.7 and 6.0 has unknown impact and attack vectors related to memory allocation. 46525 idapro-psxgeos-unspecified(65560) https://www.hex-rays.com/vulnfix.shtml Unspecified vulnerability in the Mach-O input file loader in Hex-Rays IDA Pro 5.7 and 6.0 allows user-assisted remote attackers to cause a denial of service (out-of-memory exception and inability to analyze code) via a crafted Mach-O file. 46525 idapro-macho-dos(65559) https://www.hex-rays.com/vulnfix.shtml Unspecified vulnerability in the PEF input file loader in Hex-Rays IDA Pro 5.7 and 6.0 has unknown impact and attack vectors. 46525 idapro-pef-unspecified(65558) https://www.hex-rays.com/vulnfix.shtml SQL injection vulnerability in api/ice_media.cfc in Lingxia I.C.E CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the session.user_id parameter to media.cfm. 16171 46373 http://www.stratsec.net/Research/Advisories/Lingxia-273-I-C-E-CMS-Blind-SQL-Injection-(SS-2011 icecms-media-sql-injection(65462) lingxiaicecms-media-sql-injection(65477) The installer for Metasploit Framework 3.5.1, when running on Windows, uses weak inherited permissions for the Metasploit installation directory, which allows local users to gain privileges by replacing critical files with a Trojan horse. http://blog.metasploit.com/2011/02/metasploit-framework-352-released.html ADV-2011-0371 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-1056. Reason: This candidate is a duplicate of CVE-2011-1056. Notes: All CVE users should reference CVE-2011-1056 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Cross-site scripting (XSS) vulnerability in the reStructuredText (rst) parser in parser/text_rst.py in MoinMoin before 1.9.3, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the refuri attribute. NOTE: some of these details are obtained from third party information. FEDORA-2011-2219 FEDORA-2011-2156 FEDORA-2011-2157 http://moinmo.in/SecurityFixes DSA-2321 46476 USN-1604-1 ADV-2011-0455 ADV-2011-0571 ADV-2011-0588 moinmoin-refuri-xss(65545) Use-after-free vulnerability in WebCore in WebKit before r77705, as used in Google Chrome before 11.0.672.2 and other products, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via vectors that entice a user to resubmit a form, related to improper handling of provisional items by the HistoryController component, aka rdar problem 8938557. http://code.google.com/p/chromium/issues/detail?id=70315 http://googlechromereleases.blogspot.com/2011/02/dev-channel-update_17.html http://trac.webkit.org/changeset/77705 46577 https://bugs.webkit.org/show_bug.cgi?id=52819 webkit-webcore-dos(65714) oval:org.mitre.oval:def:13943 SQL injection vulnerability in the member function in classes/member.php in WSN Guest 1.24 allows remote attackers to execute arbitrary SQL commands via the wsnuser cookie to index.php. http://evuln.com/vulns/174/summary.html 8101 20110218 www.eVuln.com : "wsnuser" Cookie SQL Injection vulnerability in WSN Guest 46444 wsnguest-member-wsnuser-sql-injection(65527) SQL injection vulnerability in memberlist.php in WSN Guest 1.24 allows remote attackers to execute arbitrary SQL commands via the time parameter. http://evuln.com/vulns/175/summary.html http://packetstormsecurity.org/files/view/98573/wsnguest124-sql.txt 8102 20110221 www.eVuln.com : "time" SQL Injection vulnerability in WSN Guest 46465 wsnguest-index-sql-injection(65550) Multiple cross-site scripting (XSS) vulnerabilities in include/html/header.php in TaskFreak! 0.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) sContext, (2) sort, (3) dir, and (4) show parameters in a save action to index.php; the (5) dir and (6) show parameters to print_list.php; and the (7) HTTP referer header to rss.php. NOTE: some of these details are obtained from third party information. 16158 http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4990.php taskfreak-printlist-xss(65359) Multiple cross-site scripting (XSS) vulnerabilities in Cherry-Design Photopad 1.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) data[title] parameters in an edit action to files.php, or (3) id parameter in a view action to gallery.php. 8103 http://www.htbridge.ch/advisory/multiple_xss_vulnerabilities_in_photopad.html 20110215 HTB22828: Multiple XSS vulnerabilities in Photopad photopad-files-gallery-xss(65519) SQL injection vulnerability in member/list.php in qibosoft Qi Bo CMS 7 allows remote attackers to execute arbitrary SQL commands via the aidDB[] parameter. http://bbs.wolvez.org/viewtopic.php?id=211 46445 qibocms-list-sql-injection(65485) Multiple stack-based buffer overflows in the PIPIWebPlayer ActiveX control (PIWebPlayer.ocx) in PIPI Player 2.8.0.0 allow remote attackers to execute arbitrary code via long arguments to the (1) PlayURL or (2) PlayURLWithLocalPlayer methods. 46468 http://www.wooyun.org/bugs/wooyun-2010-01382 http://www.wooyun.org/bugs/wooyun-2010-01383 pipiplayer-activex-control-bo(65537) Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2.x before 6.x-2.4 and 6.x-4.x before 6.x-4.0-beta8 for Drupal allows remote attackers with administer messaging permissions to inject arbitrary web script or HTML via unspecified vectors. http://drupal.org/node/1064024 46438 messaging-unspec-xss(65449) slapd (aka ns-slapd) in 389 Directory Server before 1.2.8.a2 does not properly manage the c_timelimit field of the connection table element, which allows remote attackers to cause a denial of service (daemon outage) via Simple Paged Results connections, as demonstrated by using multiple processes to replay TCP sessions, a different vulnerability than CVE-2011-0019. http://directory.fedoraproject.org/wiki/Release_Notes https://bugzilla.redhat.com/show_bug.cgi?id=668619 rhds-simple-paged-dos(65769) Microsoft Windows Azure Software Development Kit (SDK) 1.3.x before 1.3.20121.1237, when Full IIS and a Web Role are used with an ASP.NET application, does not properly support the use of cookies for maintaining state, which allows remote attackers to obtain potentially sensitive information by reading an encrypted cookie and performing unspecified other steps. http://blogs.msdn.com/b/windowsazure/archive/2011/02/03/windows-azure-software-development-kit-sdk-refresh-released.aspx The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a "stack extension attack," a related issue to CVE-2010-2898, CVE-2010-1917, and CVE-2007-4782, as originally reported for use of this library by Google Chrome. http://bugs.debian.org/615120 http://code.google.com/p/chromium/issues/detail?id=48733 [oss-security] 20110228 cve request: eglibc memory corruption [oss-security] 20110228 Re: cve request: eglibc memory corruption [oss-security] 20110228 Re: cve request: eglibc memory corruption http://scarybeastsecurity.blogspot.com/2011/02/i-got-accidental-code-execution-via.html 20110224 glibc and alloca() 20110226 Re: glibc and alloca() 8175 1025290 http://sourceware.org/bugzilla/show_bug.cgi?id=11883 http://sourceware.org/git/?p=glibc.git;a=commit;h=f15ce4d8dc139523fe0c273580b604b2453acba6 MDVSA-2011:178 RHSA-2011:0412 RHSA-2011:0413 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console 46563 http://www.vmware.com/security/advisories/VMSA-2011-0012.html ADV-2011-0863 https://bugzilla.redhat.com/show_bug.cgi?id=681054 oval:org.mitre.oval:def:12853 The installer in PEAR before 1.9.2 allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories, a different vulnerability than CVE-2007-2519. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546164 http://news.php.net/php.pear.cvs/61264 [oss-security] 20110228 Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack [oss-security] 20110228 CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack [oss-security] 20110228 Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack [oss-security] 20110301 Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack [oss-security] 20110301 Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack [oss-security] 20110301 Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack [oss-security] 20110301 Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack [oss-security] 20110301 Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack http://pear.php.net/advisory-20110228.txt http://pear.php.net/bugs/bug.php?id=18056 http://security-tracker.debian.org/tracker/CVE-2011-1072 http://svn.php.net/viewvc?view=revision&revision=308687 MDVSA-2011:187 RHSA-2011:1741 46605 pear-pear-installer-symlink(65721) crontab.c in crontab in FreeBSD and Apple Mac OS X allows local users to (1) determine the existence of arbitrary files via a symlink attack on a /tmp/crontab.XXXXXXXXXX temporary file and (2) perform MD5 checksum comparisons on arbitrary pairs of files via two symlink attacks on /tmp/crontab.XXXXXXXXXX temporary files. 20110228 FreeBSD crontab information leakage [oss-security] 20110228 Re: CVE request: FreeBSD/OS X crontab information leakage [oss-security] 20110228 CVE request: FreeBSD/OS X crontab information leakage 8117 20110228 FreeBSD crontab information leakage 46604 freebsd-realpath-info-disc(65899) crontab.c in crontab in FreeBSD allows local users to determine the existence of arbitrary directories via a command-line argument composed of a directory name concatenated with a directory traversal sequence that leads to the /etc/crontab pathname. 20110228 FreeBSD crontab information leakage [oss-security] 20110228 Re: CVE request: FreeBSD/OS X crontab information leakage [oss-security] 20110228 CVE request: FreeBSD/OS X crontab information leakage 8117 20110228 FreeBSD crontab information leakage 46604 freebsd-statcalls-info-disc(65900) net/dns_resolver/dns_key.c in the Linux kernel before 2.6.38 allows remote DNS servers to cause a denial of service (NULL pointer dereference and OOPS) by not providing a valid response to a DNS query, as demonstrated by an erroneous grand.centrall.org query, which triggers improper handling of error data within a DNS resolver key. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1362fa078dae16776cd439791c6605b224ea6171 [oss-security] 20110304 CVE-2011-1076 kernel: DNS: Fix a NULL pointer deref when trying to read an error key 1025162 Multiple cross-site scripting (XSS) vulnerabilities in Apache Archiva 1.0 through 1.2.2, and 1.3.x before 1.3.5, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://archiva.apache.org/docs/1.3.5/release-notes.html http://archiva.apache.org/security.html 20110531 [CVE-2011-1077] Apache Archiva Multiple XSS vulnerabilities 8267 20110527 [SECURITY] CVE-2011-1077: Apache Archiva Multiple XSS vulnerability 48011 archiva-multiple-xss(67672) The sco_sock_getsockopt_old function in net/bluetooth/sco.c in the Linux kernel before 2.6.39 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via the SCO_CONNINFO option. http://downloads.avaya.com/css/P8/documents/100145416 http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c4c896e1471aec3b004a693c689f60be3b17ac86 RHSA-2011:0833 RHSA-2012:1156 [oss-security] 20110301 Re: CVE request: kernel: two bluetooth and one ebtables infoleaks/DoSes https://bugzilla.redhat.com/show_bug.cgi?id=681259 https://github.com/torvalds/linux/commit/c4c896e1471aec3b004a693c689f60be3b17ac86 The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not ensure that a certain device field ends with a '\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory, or cause a denial of service (BUG and system crash), via a BNEPCONNADD command. http://downloads.avaya.com/css/P8/documents/100145416 http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=43629f8f5ea32a998d06d1bb41eefa0e821ff573 http://packetstormsecurity.com/files/153799/Kernel-Live-Patch-Security-Notice-LSN-0053-1.html RHSA-2011:0833 [oss-security] 20110301 Re: CVE request: kernel: two bluetooth and one ebtables infoleaks/DoSes https://bugzilla.redhat.com/show_bug.cgi?id=681260 https://github.com/torvalds/linux/commit/43629f8f5ea32a998d06d1bb41eefa0e821ff573 The do_replace function in net/bridge/netfilter/ebtables.c in the Linux kernel before 2.6.39 does not ensure that a certain name field ends with a '\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability to replace a table, and then reading a modprobe command line. http://downloads.avaya.com/css/P8/documents/100145416 http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d846f71195d57b0bbb143382647c2c6638b04c5a RHSA-2011:0833 [oss-security] 20110301 Re: CVE request: kernel: two bluetooth and one ebtables infoleaks/DoSes https://bugzilla.redhat.com/show_bug.cgi?id=681262 https://github.com/torvalds/linux/commit/d846f71195d57b0bbb143382647c2c6638b04c5a modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to cause a denial of service (daemon crash) via a relative Distinguished Name (DN) modification request (aka MODRDN operation) that contains an empty value for the OldDN field. http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 [oss-security] 20110228 Re: CVE Request -- OpenLDAP -- two issues [oss-security] 20110228 Re: CVE Request -- OpenLDAP -- two issues [oss-security] 20110301 Re: CVE Request -- OpenLDAP -- two issues [oss-security] 20110301 Re: CVE Request -- OpenLDAP -- two issues GLSA-201406-36 1025191 MDVSA-2011:055 MDVSA-2011:056 http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/modrdn.c.diff?r1=1.170.2.8&r2=1.170.2.9 http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6768 [openldap-announce] 20110212 OpenLDAP 2.4.24 available RHSA-2011:0347 USN-1100-1 ADV-2011-0665 https://bugzilla.novell.com/show_bug.cgi?id=674985 https://bugzilla.redhat.com/show_bug.cgi?id=680975 openldap-modrdnc-dos(66239) fs/eventpoll.c in the Linux kernel before 2.6.38 places epoll file descriptors within other epoll data structures without properly checking for (1) closed loops or (2) deep chains, which allows local users to cause a denial of service (deadlock or stack memory consumption) via a crafted application that makes epoll_create and epoll_ctl system calls. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e [oss-security] 20110301 CVE request: kernel: Multiple DoS issues in epoll [oss-security] 20110302 Re: CVE request: kernel: Multiple DoS issues in epoll http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38 https://bugzilla.redhat.com/show_bug.cgi?id=681575 [linux-kernel] 20110205 [PATCH] epoll: Prevent deadlock through unsafe ->f_op->poll() calls. The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls. [linux-kernel] 20110225 [PATCH] optimize epoll loop detection [linux-kernel] 20110226 Re: [PATCH] optimize epoll loop detection [linux-kernel] 20110228 Re: [PATCH] optimize epoll loop detection SUSE-SU-2012:0554 SUSE-SU-2012:0616 [oss-security] 20110301 CVE request: kernel: Multiple DoS issues in epoll [oss-security] 20110302 Re: CVE request: kernel: Multiple DoS issues in epoll RHSA-2012:0862 48115 48410 https://bugzilla.redhat.com/show_bug.cgi?id=681578 Buffer overflow in VideoLAN VLC media player 1.0.5 allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .mp3 file that is played during bookmark creation. [oss-security] 20110302 CVE request: VLC bookmark buffer overflow [oss-security] 20110303 Re: CVE request: VLC bookmark buffer overflow [oss-security] 20110303 Re: CVE request: VLC bookmark buffer overflow [oss-security] 20110328 Re: CVE request: VLC bookmark buffer overflow 38569 http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4931.php oval:org.mitre.oval:def:14532 Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. [announce] 20110302 [SECURITY] Tomcat 7 ignores @ServletSecurity annotations [users] 20110302 Re: @DenyAll does nothing [users] 20110302 Re: @DenyAll does nothing http://svn.apache.org/viewvc?view=revision&revision=1076586 http://svn.apache.org/viewvc?view=revision&revision=1076587 http://svn.apache.org/viewvc?view=revision&revision=1077995 http://tomcat.apache.org/security-7.html 20110315 [SECURITY] CVE-2011-1088 Apache Tomcat security constraint bypass 46685 1025215 ADV-2011-0563 tomcat-servletsecurity-sec-bypass(65971) The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and earlier does not report an error status for failed attempts to write to the /etc/mtab file, which makes it easier for local users to trigger corruption of this file, as demonstrated by writes from a process with a small RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296. [oss-security] 20110304 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110303 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110304 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110303 Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110305 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110305 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110307 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110314 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110314 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110314 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110315 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110322 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110322 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110331 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110331 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE [oss-security] 20110401 Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE http://sourceware.org/bugzilla/show_bug.cgi?id=12625 MDVSA-2011:178 MDVSA-2011:179 RHSA-2011:1526 46740 https://bugzilla.redhat.com/show_bug.cgi?id=688980 The __nfs4_proc_set_acl function in fs/nfs/nfs4proc.c in the Linux kernel before 2.6.38 stores NFSv4 ACL data in memory that is allocated by kmalloc but not properly freed, which allows local users to cause a denial of service (panic) via a crafted attempt to set an ACL. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e9e3d724e2145f5039b423c290ce2b2c3d8f94bc SUSE-SU-2015:0812 [oss-security] 20110307 Re: CVE request - kernel: nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab [oss-security] 20110307 CVE request - kernel: nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab 1025336 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console http://www.vmware.com/security/advisories/VMSA-2011-0012.html https://bugzilla.redhat.com/show_bug.cgi?id=682641 libymsg.c in the Yahoo! protocol plugin in libpurple in Pidgin 2.6.0 through 2.7.10 allows (1) remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a malformed YMSG notification packet, and allows (2) remote Yahoo! servers to cause a denial of service (NULL pointer dereference and application crash) via a malformed YMSG SMS message. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' http://developer.pidgin.im/viewmtn/revision/diff/5cbe18129b6e7c660bc093f7e5e1414ceca17d04/with/a7c415abba1f5f01f79295337518837f73d99bb7/libpurple/protocols/yahoo/libymsg.c http://developer.pidgin.im/viewmtn/revision/info/a7c415abba1f5f01f79295337518837f73d99bb7 FEDORA-2011-3113 FEDORA-2011-3150 SSA:2011-070-02 http://www.pidgin.im/news/security/?id=51 RHSA-2011:0616 RHSA-2011:1371 46837 ADV-2011-0643 ADV-2011-0661 ADV-2011-0669 ADV-2011-0703 https://bugzilla.redhat.com/show_bug.cgi?id=683031 pidgin-yahoo-protocol-dos(66055) openSUSE-SU-2012:0066 oval:org.mitre.oval:def:18402 Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (crash) and possibly read sensitive memory via a large third argument to the shmop_read function. http://bugs.php.net/bug.php?id=54193 APPLE-SA-2011-10-12-3 SSRT100826 8130 http://support.apple.com/kb/HT5002 http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/shmop/shmop.c?r1=306939&r2=309018&pathrev=309018 16966 MDVSA-2011:052 MDVSA-2011:053 [oss-security] 20110308 Re: CVE request, php's shm [oss-security] 20110308 CVE request, php's shm http://www.php.net/archive/2011.php http://www.php.net/ChangeLog-5.php http://www.php.net/releases/5_3_6.php 46786 ADV-2011-0744 https://bugzilla.redhat.com/show_bug.cgi?id=683183 php-shmopread-overflow(65988) The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint, which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' http://downloads.avaya.com/css/P8/documents/100145416 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=720dc34bbbe9493c7bd48b2243058b4e447a929d [oss-security] 20110308 Re: CVE request: kernel: dccp: fix oops on Reset after close [oss-security] 20110308 CVE request: kernel: dccp: fix oops on Reset after close RHSA-2011:0833 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38 46793 https://bugzilla.redhat.com/show_bug.cgi?id=682954 kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a certificate issued by a legitimate Certification Authority for an IP address, a different vulnerability than CVE-2009-2702. [oss-security] 20110308 KDE SSL name check issue [oss-security] 20110308 Re: KDE SSL name check issue MDVSA-2011:071 46789 USN-1110-1 ADV-2011-0913 ADV-2011-0990 kdelibs-ssl-security-bypass(65986) https://projects.kde.org/projects/kde/kdelibs/repository/revisions/76f935197599a335a5fe09b78751ddb455248cf7 locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function. http://bugs.gentoo.org/show_bug.cgi?id=330923 [oss-security] 20110308 Re: glibc locale escaping issue [oss-security] 20110308 Re: glibc locale escaping issue [oss-security] 20110308 glibc locale escaping issue GLSA-201011-01 1025286 http://sources.redhat.com/bugzilla/show_bug.cgi?id=11904 http://sourceware.org/bugzilla/show_bug.cgi?id=11904 http://sourceware.org/git/?p=glibc.git;a=patch;h=026373745eab50a683536d950cb7e17dc98c4259 MDVSA-2011:178 RHSA-2011:0412 RHSA-2011:0413 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console http://www.vmware.com/security/advisories/VMSA-2011-0012.html ADV-2011-0863 https://bugzilla.redhat.com/show_bug.cgi?id=625893 oval:org.mitre.oval:def:12272 The W3C XML Encryption Standard, as used in the JBoss Web Services (JBossWS) component in JBoss Enterprise Portal Platform before 5.2.2 and other products, when using block ciphers in cipher-block chaining (CBC) mode, allows remote attackers to obtain plaintext data via a chosen-ciphertext attack on SOAP responses, aka "character encoding pattern attack." http://aktuell.ruhr-uni-bochum.de/pm2011/pm00330.html.de http://coheigea.blogspot.com/2012/04/note-on-cve-2011-1096.html http://cxf.apache.org/note-on-cve-2011-1096.html http://dl.acm.org/citation.cfm?id=2046756&dl=ACM&coll=DL RHSA-2012:1301 RHSA-2012:1330 RHSA-2012:1344 RHSA-2013:0191 RHSA-2013:0192 RHSA-2013:0193 RHSA-2013:0194 RHSA-2013:0195 RHSA-2013:0196 RHSA-2013:0197 RHSA-2013:0198 RHSA-2013:0221 RHSA-2013:0261 RHSA-2013:1437 http://www.csoonline.com/article/692366/widely-used-encryption-standard-is-insecure-say-experts 55770 https://bugzilla.redhat.com/show_bug.cgi?id=681916 jboss-web-services-cbc-info-disc(79031) [cxf-commits] 20190326 svn commit: r1042570 [4/4] - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-http-signature.html docs/jax-rs-jose.html docs/jax-rs-oauth2.html docs/jax-rs-xml-security.html docs/secure-jax-rs-services.html rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data. http://gitweb.samba.org/?p=rsync.git;a=commit;h=83b94efa6b60a3ff5eee4c5f7812c617a90a03f6 FEDORA-2011-4389 FEDORA-2011-4427 FEDORA-2011-4413 SUSE-SR:2011:009 [rsync] 20110122 rsync -rcv printing out filenames when content identical HPSBMU02752 http://rsync.samba.org/ftp/rsync/src/rsync-3.0.8-NEWS 1025256 MDVSA-2011:066 RHSA-2011:0390 ADV-2011-0792 ADV-2011-0793 ADV-2011-0873 ADV-2011-0876 https://bugzilla.redhat.com/show_bug.cgi?id=675036 https://bugzilla.samba.org/show_bug.cgi?id=7936 Race condition in the createOutputFile function in logrotate.c in logrotate 3.7.9 and earlier allows local users to read log data by opening a file before the intended permissions are in place. FEDORA-2011-3739 FEDORA-2011-3758 [oss-security] 20110304 CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110305 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110305 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110305 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110307 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110307 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110307 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110308 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110310 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110310 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110311 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110311 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110311 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110311 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110314 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110323 Re: CVE Request -- logrotate -- nine issues MDVSA-2011:065 RHSA-2011:0407 ADV-2011-0791 ADV-2011-0872 ADV-2011-0961 https://bugzilla.redhat.com/show_bug.cgi?id=680798 Multiple directory traversal vulnerabilities in FocalMedia.Net Quick Polls before 1.0.2 allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the p parameter in a preview action to index.php, or (2) delete arbitrary files via a .. (dot dot) in the p parameter in a delete action to index.php. 8121 16933 20110306 'Quick Polls' Local File Inclusion & Deletion Vulnerabilities (CVE-2011-1099) 46770 http://www.uncompiled.com/2011/03/quick-polls-local-file-inclusion-deletion-vulnerabilities-cve-2011-1099/ quickpoll-index-directory-traversal(65947) Multiple SQL injection vulnerabilities in admin/index.php in Pixelpost 1.7.3 allow remote authenticated users to execute arbitrary SQL commands via the (1) findfid, (2) id, (3) selectfcat, (4) selectfmon, or (5) selectftag parameter in an images action. 16160 http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4992.php pixelpost-index-multiple-sql-injection(65474) Multiple unspecified vulnerabilities in a third-party component of the Citrix Licensing Administration Console 11.6, formerly License Management Console, allow remote attackers to (1) access unauthorized "license administration functionality" or (2) cause a denial of service via unknown vectors. http://support.citrix.com/article/CTX128167 46529 1025123 ADV-2011-0477 citrix-licensing-console-dos(65633) Cross-site scripting (XSS) vulnerability in the WebReporting module in F-Secure Policy Manager 7.x, 8.00 before hotfix 2, 8.1x before hotfix 3 on Windows and hotfix 2 on Linux, and 9.00 before hotfix 4 on Windows and hotfix 2 on Linux, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2011-2.html 46547 1025124 ADV-2011-0509 fsecure-webreporting-xss(65665) The WebReporting module in F-Secure Policy Manager 7.x, 8.00 before hotfix 2, 8.1x before hotfix 3 on Windows and hotfix 2 on Linux, and 9.00 before hotfix 4 on Windows and hotfix 2 on Linux, allows remote attackers to obtain sensitive information via a request to an invalid report, which reveals the installation path in an error message, as demonstrated with requests to (1) report/infection-table.html or (2) report/productsummary-table.html. http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2011-2.html 1025124 ADV-2011-0509 fsecure-webreporting-path-disclosure(65664) Multiple cross-site request forgery (CSRF) vulnerabilities in Mutare EVM allow remote attackers to hijack the authentication of arbitrary users for requests that (1) change a PIN, (2) delete messages, (3) add a delivery address, or (4) change a delivery address. VU#136612 46537 ADV-2011-0476 Multiple cross-site scripting (XSS) vulnerabilities in Mutare EVM allow remote attackers to inject arbitrary web script or HTML via (1) a delivery address and possibly (2) a PIN. VU#136612 mutare-evm-pin-xss(65768) Cross-site scripting (XSS) vulnerability in stcenter.nsf in the server in IBM Lotus Sametime allows remote attackers to inject arbitrary web script or HTML via the authReasonCode parameter in an OpenDatabase action. 20110222 Re: Domino Sametime Multiple Reflected Cross-Site Scripting 46481 sametime-stcenter-xss(65555) Unspecified vulnerability in Google Chrome before 9.0.597.107 allows remote attackers to spoof the URL bar via unknown vectors. http://code.google.com/p/chromium/issues/detail?id=54262 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4999 46614 google-chrome-url-spoofing(65725) oval:org.mitre.oval:def:14322 Google Chrome before 9.0.597.107 does not properly implement JavaScript dialogs, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted HTML document. http://code.google.com/p/chromium/issues/detail?id=63732 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html 46614 google-chrome-dialogs-unspecified(65726) oval:org.mitre.oval:def:14345 Google Chrome before 9.0.597.107 does not properly process nodes in Cascading Style Sheets (CSS) stylesheets, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." http://code.google.com/p/chromium/issues/detail?id=68263 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 46614 google-chrome-stylesheet-dos(65727) oval:org.mitre.oval:def:14422 Google Chrome before 9.0.597.107 does not properly implement key frame rules, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." http://code.google.com/p/chromium/issues/detail?id=68741 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html 46614 google-chrome-key-frames-dos(65728) oval:org.mitre.oval:def:14415 Google Chrome before 9.0.597.107 does not properly implement forms controls, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via unknown vectors. http://code.google.com/p/chromium/issues/detail?id=70078 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html 46614 google-chrome-form-controls-unspecified(65729) oval:org.mitre.oval:def:14245 Google Chrome before 9.0.597.107 does not properly perform SVG rendering, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via unknown vectors. http://code.google.com/p/chromium/issues/detail?id=70244 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html 46614 google-chrome-svgcontent-code-exec(65730) oval:org.mitre.oval:def:14648 Google Chrome before 9.0.597.107 on 64-bit Linux platforms does not properly perform pickle deserialization, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. Per: http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html '# [64-bit Linux only] [70376] Medium Out-of-bounds read in pickle deserialization. Credit to Evgeniy Stepanov of the Chromium development community.' http://code.google.com/p/chromium/issues/detail?id=70376 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html 46614 google-chrome-pickle-dos(65731) oval:org.mitre.oval:def:13935 Google Chrome before 9.0.597.107 does not properly handle tables, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale node." http://code.google.com/p/chromium/issues/detail?id=71114 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 46614 google-chrome-table-dos(65732) oval:org.mitre.oval:def:14404 Google Chrome before 9.0.597.107 does not properly render tables, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." http://code.google.com/p/chromium/issues/detail?id=71115 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 46614 google-chrome-table-rendering-dos(65733) oval:org.mitre.oval:def:13641 Google Chrome before 9.0.597.107 does not properly handle SVG animations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." http://code.google.com/p/chromium/issues/detail?id=71296 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html 46614 google-chrome-svg-animations-dos(65734) oval:org.mitre.oval:def:14205 Google Chrome before 9.0.597.107 does not properly handle XHTML documents, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to "stale nodes." http://code.google.com/p/chromium/issues/detail?id=71386 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 46614 google-chrome-xhtml-dos(65735) oval:org.mitre.oval:def:14487 Google Chrome before 9.0.597.107 does not properly handle TEXTAREA elements, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted HTML document. http://code.google.com/p/chromium/issues/detail?id=71388 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html 46614 google-chrome-textarea-unspecified(65736) oval:org.mitre.oval:def:14341 Google Chrome before 9.0.597.107 does not properly determine device orientation, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." http://code.google.com/p/chromium/issues/detail?id=71595 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html 46614 google-chrome-orientation-dos(65737) oval:org.mitre.oval:def:14542 The WebGL implementation in Google Chrome before 9.0.597.107 allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, aka Issue 71717. http://code.google.com/p/chromium/issues/detail?id=71717 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html 46614 google-webgl-dos(65738) oval:org.mitre.oval:def:14459 Integer overflow in Google Chrome before 9.0.597.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a TEXTAREA element. http://code.google.com/p/chromium/issues/detail?id=71855 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 46614 google-chrome-textarea-code-execution(65739) oval:org.mitre.oval:def:14685 The WebGL implementation in Google Chrome before 9.0.597.107 allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, aka Issue 71960. http://code.google.com/p/chromium/issues/detail?id=71960 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html 46614 google-chrome-webgl-dos(65740) oval:org.mitre.oval:def:14559 Google Chrome before 9.0.597.107 does not properly restrict access to internal extension functions, which has unspecified impact and remote attack vectors. http://code.google.com/p/chromium/issues/detail?id=72214 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html 46614 google-chrome-extension-weak-security(65741) oval:org.mitre.oval:def:13978 Use-after-free vulnerability in Google Chrome before 9.0.597.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to blocked plug-ins. http://code.google.com/p/chromium/issues/detail?id=72437 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html 46614 google-chrome-plugins-code-execution(65742) oval:org.mitre.oval:def:14563 Google Chrome before 9.0.597.107 does not properly perform layout, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." http://code.google.com/p/chromium/issues/detail?id=73235 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html 46614 google-chrome-layouts-dos(65743) oval:org.mitre.oval:def:14368 VMware vmrun, as used in VIX API 1.x before 1.10.3 and VMware Workstation 6.5.x and 7.x before 7.1.4 build 385536 on Linux, might allow local users to gain privileges via a Trojan horse shared library in an unspecified directory. [security-announce] 20110330 UPDATED VMSA-2011-0006.1 VMware vmrun utility local privilege escalation 8173 1025270 20110330 VMSA-2011-0006 VMware vmrun utility local privilege escalation 47094 http://www.vmware.com/security/advisories/VMSA-2011-0006.html ADV-2011-0816 vmware-vmrun-privilege-escalation(66472) SSI.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly restrict guest access, which allows remote attackers to have an unspecified impact via unknown vectors. http://custom.simplemachines.org/mods/downloads/smf_patch_2.0-RC4_security.zip [oss-security] 20110222 CVE request: simple machines forum before 1.1.13 [oss-security] 20110302 Re: CVE request: simple machines forum before 1.1.13 http://www.simplemachines.org/community/index.php?topic=421547.0 The loadUserSettings function in Load.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly handle invalid login attempts, which might make it easier for remote attackers to obtain access or cause a denial of service via a brute-force attack. http://custom.simplemachines.org/mods/downloads/smf_patch_2.0-RC4_security.zip [oss-security] 20110222 CVE request: simple machines forum before 1.1.13 [oss-security] 20110302 Re: CVE request: simple machines forum before 1.1.13 http://www.simplemachines.org/community/index.php?topic=421547.0 Cross-site scripting (XSS) vulnerability in the EditNews function in ManageNews.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, might allow remote authenticated users to inject arbitrary web script or HTML via a save_items action. http://custom.simplemachines.org/mods/downloads/smf_patch_2.0-RC4_security.zip [oss-security] 20110222 CVE request: simple machines forum before 1.1.13 [oss-security] 20110302 Re: CVE request: simple machines forum before 1.1.13 http://www.simplemachines.org/community/index.php?topic=421547.0 Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly validate the start parameter, which might allow remote attackers to conduct SQL injection attacks, obtain sensitive information, or cause a denial of service via a crafted value, related to the cleanRequest function in QueryString.php and the constructPageIndex function in Subs.php. http://custom.simplemachines.org/mods/downloads/smf_patch_2.0-RC4_security.zip [oss-security] 20110222 CVE request: simple machines forum before 1.1.13 [oss-security] 20110302 Re: CVE request: simple machines forum before 1.1.13 http://www.simplemachines.org/community/index.php?topic=421547.0 The PlushSearch2 function in Search.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, uses certain cached data in a situation where a temporary table has been created, even though this cached data is intended only for situations where a temporary table has not been created, which might allow remote attackers to obtain sensitive information via a search. http://custom.simplemachines.org/mods/downloads/smf_patch_2.0-RC4_security.zip [oss-security] 20110222 CVE request: simple machines forum before 1.1.13 [oss-security] 20110302 Re: CVE request: simple machines forum before 1.1.13 http://www.simplemachines.org/community/index.php?topic=421547.0 The IPv6 implementation in the kernel in Apple Mac OS X before 10.6.8 allows local users to cause a denial of service (NULL pointer dereference and reboot) via vectors involving socket options. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' APPLE-SA-2011-06-23-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4723 http://support.apple.com/kb/HT4999 48422 Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD 1.3.3d and earlier allows remote attackers to cause a denial of service (memory consumption leading to OOM kill) via a malformed SSH message. http://bugs.proftpd.org/show_bug.cgi?id=3586 http://bugs.proftpd.org/show_bug.cgi?id=3587 FEDORA-2011-5040 FEDORA-2011-5033 http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/mod_sftp.c?r1=1.29.2.1&r2=1.29.2.2 http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/packet.c?r1=1.14.2.2&r2=1.14.2.3 http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/packet.h?r1=1.3&r2=1.3.2.1 SSA:2011-095-01 DSA-2185 16129 46183 ADV-2011-0617 ADV-2011-0857 https://bugzilla.redhat.com/show_bug.cgi?id=681718 Off-by-one error in the dissect_6lowpan_iphc function in packet-6lowpan.c in Wireshark 1.4.0 through 1.4.3 on 32-bit platforms allows remote attackers to cause a denial of service (application crash) via a malformed 6LoWPAN IPv6 packet. http://anonsvn.wireshark.org/viewvc?view=rev&revision=36036 FEDORA-2011-2648 FEDORA-2011-2632 FEDORA-2011-2620 VU#215900 46636 1025148 ADV-2011-0626 http://www.wireshark.org/docs/relnotes/wireshark-1.4.4.html http://www.wireshark.org/security/wnpa-sec-2011-04.html https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5722 wireshark6lowpan-bo(65783) openSUSE-SU-2011:0347 oval:org.mitre.oval:def:16299 wiretap/pcapng.c in Wireshark 1.2.0 through 1.2.14 and 1.4.0 through 1.4.3 allows remote attackers to cause a denial of service (application crash) via a pcap-ng file that contains a large packet-length field. http://anonsvn.wireshark.org/viewvc?view=rev&revision=35855 FEDORA-2011-2648 FEDORA-2011-2632 FEDORA-2011-2620 DSA-2201 VU#215900 MDVSA-2011:044 RHSA-2011:0369 RHSA-2011:0370 1025148 ADV-2011-0622 ADV-2011-0626 ADV-2011-0719 ADV-2011-0747 http://www.wireshark.org/docs/relnotes/wireshark-1.2.15.html http://www.wireshark.org/docs/relnotes/wireshark-1.4.4.html http://www.wireshark.org/security/wnpa-sec-2011-03.html http://www.wireshark.org/security/wnpa-sec-2011-04.html https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5661 wireshark-pcapng-dos(65779) openSUSE-SU-2011:0347 oval:org.mitre.oval:def:14997 Multiple stack consumption vulnerabilities in the dissect_ms_compressed_string and dissect_mscldap_string functions in Wireshark 1.0.x, 1.2.0 through 1.2.14, and 1.4.0 through 1.4.3 allow remote attackers to cause a denial of service (infinite recursion) via a crafted (1) SMB or (2) Connection-less LDAP (CLDAP) packet. http://anonsvn.wireshark.org/viewvc?view=rev&revision=36029 FEDORA-2011-2648 FEDORA-2011-2632 FEDORA-2011-2620 DSA-2201 VU#215900 MDVSA-2011:044 RHSA-2011:0369 RHSA-2011:0370 1025148 ADV-2011-0622 ADV-2011-0626 ADV-2011-0719 ADV-2011-0747 http://www.wireshark.org/docs/relnotes/wireshark-1.2.15.html http://www.wireshark.org/docs/relnotes/wireshark-1.4.4.html http://www.wireshark.org/security/wnpa-sec-2011-03.html http://www.wireshark.org/security/wnpa-sec-2011-04.html https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5717 openSUSE-SU-2011:0347 oval:org.mitre.oval:def:14715 epan/dissectors/packet-ldap.c in Wireshark 1.0.x, 1.2.0 through 1.2.14, and 1.4.0 through 1.4.3 allows remote attackers to cause a denial of service (memory consumption) via (1) a long LDAP filter string or (2) an LDAP filter string containing many elements. http://anonsvn.wireshark.org/viewvc?view=rev&revision=36101 FEDORA-2011-2632 FEDORA-2011-2620 DSA-2201 VU#215900 MDVSA-2011:044 RHSA-2011:0369 RHSA-2011:0370 1025148 ADV-2011-0622 ADV-2011-0719 ADV-2011-0747 http://www.wireshark.org/docs/relnotes/wireshark-1.2.15.html http://www.wireshark.org/docs/relnotes/wireshark-1.4.4.html http://www.wireshark.org/security/wnpa-sec-2011-03.html http://www.wireshark.org/security/wnpa-sec-2011-04.html https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5732 oval:org.mitre.oval:def:14974 Stack consumption vulnerability in the dissect_ber_choice function in the BER dissector in Wireshark 1.2.x through 1.2.15 and 1.4.x through 1.4.4 might allow remote attackers to cause a denial of service (infinite loop) via vectors involving self-referential ASN.1 CHOICE values. MDVSA-2011:044 1025148 ADV-2011-0622 http://www.wireshark.org/docs/relnotes/wireshark-1.2.15.html http://www.wireshark.org/docs/relnotes/wireshark-1.4.4.html https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1516 oval:org.mitre.oval:def:14724 epan/dissectors/packet-ntlmssp.c in the NTLMSSP dissector in Wireshark before 1.4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted .pcap file. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' http://anonsvn.wireshark.org/viewvc?view=rev&revision=34018 FEDORA-2011-2648 FEDORA-2011-2632 FEDORA-2011-2620 VU#215900 RHSA-2011:0370 46796 1025148 ADV-2011-0626 ADV-2011-0719 http://www.wireshark.org/docs/relnotes/wireshark-1.4.4.html https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5157 openSUSE-SU-2011:0347 oval:org.mitre.oval:def:16209 The installer in PEAR 1.9.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1072. [oss-security] 20110228 Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack [oss-security] 20110301 Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack [oss-security] 20110301 Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack [oss-security] 20110301 Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack [oss-security] 20110301 Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack [oss-security] 20110301 Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack http://pear.php.net/bugs/bug.php?id=18056 pear-package-symlink(65911) libvirt.c in the API in Red Hat libvirt 0.8.8 does not properly restrict operations in a read-only connection, which allows remote attackers to cause a denial of service (host OS crash) or possibly execute arbitrary code via a (1) virNodeDeviceDettach, (2) virNodeDeviceReset, (3) virDomainRevertToSnapshot, (4) virDomainSnapshotDelete, (5) virNodeDeviceReAttach, or (6) virConnectDomainXMLToNative call, a different vulnerability than CVE-2008-5086. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=617773 http://libvirt.org/git/?p=libvirt.git;a=commit;h=71753cb7f7a16ff800381c0b5ee4e99eea92fed3 FEDORA-2011-3286 openSUSE-SU-2011:0311 [oss-security] 20110309 CVE request: libvirt: several API calls do not honour read-only connection [oss-security] 20110310 Re: CVE request: libvirt: several API calls do not honour read-only connection DSA-2194 RHSA-2011:0391 46820 1025262 USN-1094-1 ADV-2011-0694 ADV-2011-0700 ADV-2011-0794 ADV-2011-0805 https://bugzilla.novell.com/show_bug.cgi?id=678406 https://bugzilla.redhat.com/show_bug.cgi?id=683650 libvirt-apicalls-dos(66012) Multiple stack-based and heap-based buffer overflows in the (1) decode_open_type and (2) udptl_rx_packet functions in main/udptl.c in Asterisk Open Source 1.4.x before 1.4.39.2, 1.6.1.x before 1.6.1.22, 1.6.2.x before 1.6.2.16.2, and 1.8 before 1.8.2.4; Business Edition C.x.x before C.3.6.3; AsteriskNOW 1.5; and s800i (Asterisk Appliance), when T.38 support is enabled, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted UDPTL packet. http://downloads.asterisk.org/pub/security/AST-2011-002.html FEDORA-2011-2360 FEDORA-2011-2438 FEDORA-2011-2558 DSA-2225 [oss-security] 20110311 CVE Request -- Asterisk AST-2011-002 / Multiple array overflow and crash vulnerabilities in UDPTL code [oss-security] 20110311 Re: CVE Request -- Asterisk AST-2011-002 / Multiple array overflow and crash vulnerabilities in UDPTL code 46474 1025101 ADV-2011-0635 Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments. http://bugs.php.net/bug.php?id=54238 APPLE-SA-2012-02-01-1 SSRT100826 [oss-security] 20110313 CVE request: PHP substr_replace() use-after-free [oss-security] 20110313 Re: CVE request: PHP substr_replace() use-after-free [oss-security] 20110313 Re: CVE request: PHP substr_replace() use-after-free http://support.apple.com/kb/HT5130 MDVSA-2011:165 http://www.php.net/archive/2011.php#id2011-08-18-1 http://www.php.net/ChangeLog-5.php#5.3.7 RHSA-2011:1423 46843 49241 php-substrreplace-code-exec(66080) Android before 2.3 does not properly restrict access to the system property space, which allows local applications to bypass the application sandbox and gain privileges, as demonstrated by psneuter and KillingInTheNameOf, related to the use of Android shared memory (ashmem) and ASHMEM_SET_PROT_MASK. http://android.git.kernel.org/?p=kernel/common.git;a=commit;h=c98a285075f26e2b17a5baa2cb3eb6356a75597e http://android.git.kernel.org/?p=platform/system/core.git;a=commit;h=25b15be9120bcdaa0aba622c67ad2c835d9e91ca http://c-skills.blogspot.com/2011/01/adb-trickery-again.html http://forum.xda-developers.com/wiki/index.php?title=HTC_Vision#Rooting_the_G2 http://groups.google.com/group/android-security-discuss/browse_thread/thread/15f97658c88d6827/e86db04652651971?show_docid=e86db04652651971 https://github.com/tmzt/g2root-kmod/tree/scotty2/scotty2 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-3712. Reason: This candidate is a duplicate of CVE-2010-3712. Notes: All CVE users should reference CVE-2010-3712 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple format string vulnerabilities in phar_object.c in the phar extension in PHP 5.3.5 and earlier allow context-dependent attackers to obtain sensitive information from process memory, cause a denial of service (memory corruption), or possibly execute arbitrary code via format string specifiers in an argument to a class method, leading to an incorrect zend_throw_exception_ex call. http://bugs.php.net/bug.php?id=54247 APPLE-SA-2011-10-12-3 FEDORA-2011-3636 FEDORA-2011-3666 FEDORA-2011-3614 [oss-security] 20110314 CVE request: format-string vulnerability in PHP Phar extension [oss-security] 20110314 Re: CVE request: format-string vulnerability in PHP Phar extension [oss-security] 20110314 Re: CVE request: format-string vulnerability in PHP Phar extension http://support.apple.com/kb/HT5002 http://svn.php.net/viewvc?view=revision&revision=309221 DSA-2266 MDVSA-2011:052 MDVSA-2011:053 http://www.php.net/archive/2011.php http://www.php.net/ChangeLog-5.php http://www.php.net/releases/5_3_6.php 46854 ADV-2011-0744 ADV-2011-0764 ADV-2011-0890 https://bugzilla.redhat.com/show_bug.cgi?id=688378 php-pharobject-format-string(66079) The shred_file function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to execute arbitrary commands via shell metacharacters in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name. FEDORA-2011-3739 FEDORA-2011-3758 [oss-security] 20110304 CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110305 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110305 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110305 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110307 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110307 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110307 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110308 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110310 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110310 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110311 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110311 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110311 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110311 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110314 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110323 Re: CVE Request -- logrotate -- nine issues MDVSA-2011:065 RHSA-2011:0407 ADV-2011-0791 ADV-2011-0872 ADV-2011-0961 https://bugzilla.redhat.com/show_bug.cgi?id=680796 The writeState function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to cause a denial of service (rotation outage) via a (1) \n (newline) or (2) \ (backslash) character in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name. FEDORA-2011-3739 FEDORA-2011-3758 [oss-security] 20110304 CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110304 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110305 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110305 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110305 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110306 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110307 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110307 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110307 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110308 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110310 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110310 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110311 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110311 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110311 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110311 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110314 Re: CVE Request -- logrotate -- nine issues [oss-security] 20110323 Re: CVE Request -- logrotate -- nine issues MDVSA-2011:065 RHSA-2011:0407 ADV-2011-0791 ADV-2011-0872 ADV-2011-0961 https://bugzilla.redhat.com/show_bug.cgi?id=680797 feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) before 5.0.1 allows remote attackers to cause a denial of service (application crash) via a malformed DOCTYPE declaration. [opensuse-updates] 20110408 openSUSE-SU-2011:0314-1 (moderate): python-feedparser security update [oss-security] 20110314 CVE request for python-feedparser [oss-security] 20110315 Re: CVE request for python-feedparser http://support.novell.com/security/cve/CVE-2011-1156.html MDVSA-2011:082 46867 https://bugzilla.novell.com/show_bug.cgi?id=680074 https://bugzilla.redhat.com/show_bug.cgi?id=684877 https://code.google.com/p/feedparser/issues/detail?id=91 Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via malformed XML comments. [opensuse-updates] 20110408 openSUSE-SU-2011:0314-1 (moderate): python-feedparser security update [oss-security] 20110314 CVE request for python-feedparser [oss-security] 20110315 Re: CVE request for python-feedparser http://support.novell.com/security/cve/CVE-2011-1157.html MDVSA-2011:082 46867 https://bugzilla.novell.com/show_bug.cgi?id=680074 https://bugzilla.redhat.com/show_bug.cgi?id=684877 https://code.google.com/p/feedparser/issues/detail?id=254 Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via an unexpected URI scheme, as demonstrated by a javascript: URI. [opensuse-updates] 20110408 openSUSE-SU-2011:0314-1 (moderate): python-feedparser security update [oss-security] 20110314 CVE request for python-feedparser [oss-security] 20110315 Re: CVE request for python-feedparser http://support.novell.com/security/cve/CVE-2011-1158.html MDVSA-2011:082 46867 https://bugzilla.novell.com/show_bug.cgi?id=680074 https://bugzilla.redhat.com/show_bug.cgi?id=684877 https://code.google.com/p/feedparser/issues/detail?id=255 acpid.c in acpid before 2.0.9 does not properly handle a situation in which a process has connected to acpid.socket but is not reading any data, which allows local users to cause a denial of service (daemon hang) via a crafted application that performs a connect system call but no read system calls. FEDORA-2011-6681 FEDORA-2011-6460 [oss-security] 20110119 2 acpid flaws [oss-security] 20110315 Re: 2 acpid flaws [oss-security] 20110315 Re: 2 acpid flaws 45915 https://bugzilla.redhat.com/show_bug.cgi?id=688698 The tpm_open function in drivers/char/tpm/tpm.c in the Linux kernel before 2.6.39 does not initialize a certain buffer, which allows local users to obtain potentially sensitive information from kernel memory via unspecified vectors. http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1309d7afbed112f0e8e90be9af975550caa0076b [oss-security] 20110315 Re: CVE requests - kernel: tpm infoleaks https://bugzilla.redhat.com/show_bug.cgi?id=684671 https://github.com/torvalds/linux/commit/1309d7afbed112f0e8e90be9af975550caa0076b ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-1160, CVE-2011-1162. Reason: This candidate was withdrawn by its CNA. Further investigation showed that only two candidates, CVE-2011-1160 and CVE-2011-1162, were needed for the set of security issues in question. Notes: none. The tpm_read function in the Linux kernel 2.6 does not properly clear memory, which might allow local users to read the results of the previous TPM command. 50764 https://bugzilla.redhat.com/show_bug.cgi?id=732629 The osf_partition function in fs/partitions/osf.c in the Linux kernel before 2.6.38 does not properly handle an invalid number of partitions, which might allow local users to obtain potentially sensitive information from kernel heap memory via vectors related to partition-table parsing. http://downloads.avaya.com/css/P8/documents/100145416 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05 SUSE-SU-2015:0812 [oss-security] 20110315 Re: CVE Request: kernel: fs/partitions: Corrupted OSF partition table can cause information disclosure [oss-security] 20110315 CVE Request: kernel: fs/partitions: Corrupted OSF partition table can cause information disclosure RHSA-2011:0833 8189 1025225 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38 http://www.pre-cert.de/advisories/PRE-SA-2011-02.txt 20110317 [PRE-SA-2011-02] Information disclosure vulnerability in the OSF partition handling code of the Linux kernel 46878 [mm-commits] 20110314 + fs-partitions-osfc-corrupted-osf-partition-table-can-cause-information-disclosure.patch added to -mm tree https://bugzilla.redhat.com/show_bug.cgi?id=688021 Vino before 2.99.4 can connect external networks contrary to the statement in the vino-preferences dialog box, which might make it easier for remote attackers to perform attacks. RHSA-2013:0169 https://bugzilla.gnome.org/show_bug.cgi?id=596190 https://bugzilla.redhat.com/show_bug.cgi?id=553477 Vino, possibly before 3.2, does not properly document that it opens ports in UPnP routers when the "Configure network to automatically accept connections" setting is enabled, which might make it easier for remote attackers to perform further attacks. http://git.gnome.org/browse/vino/commit/?id=410bbf8e284409bdef02322af4d4a3a388419566 RHSA-2013:0169 http://www.dslreports.com/forum/r25446313-Ubuntu-computer-hijacked-by-hacker~start=40 https://bugzilla.gnome.org/show_bug.cgi?id=594521 https://bugzilla.redhat.com/show_bug.cgi?id=678846 Xen, possibly before 4.0.2, allows local 64-bit PV guests to cause a denial of service (host crash) by specifying user mode execution without user-mode pagetables. http://downloads.avaya.com/css/P8/documents/100145416 RHSA-2011:0833 http://wiki.xen.org/wiki/Security_Announcements#XSA-1_Host_crash_due_to_failure_to_correctly_validate_PV_kernel_execution_state. Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file that has an unexpected BitsPerSample value. http://blackberry.com/btsc/KB27244 http://bugzilla.maptools.org/show_bug.cgi?id=2300 APPLE-SA-2012-02-01-1 APPLE-SA-2012-05-09-1 APPLE-SA-2012-09-19-1 FEDORA-2011-3836 FEDORA-2011-3827 SUSE-SR:2011:009 GLSA-201209-02 8165 SSA:2011-098-01 http://support.apple.com/kb/HT5130 http://support.apple.com/kb/HT5281 http://support.apple.com/kb/HT5503 USN-1102-1 DSA-2210 MDVSA-2011:064 RHSA-2011:0392 20110321 ZDI-11-107: Libtiff ThunderCode Decoder THUNDER_2BITDELTAS Remote Code Execution Vulnerability 46951 1025257 ADV-2011-0795 ADV-2011-0845 ADV-2011-0859 ADV-2011-0860 ADV-2011-0905 ADV-2011-0930 ADV-2011-0960 http://www.zerodayinitiative.com/advisories/ZDI-11-107 https://bugzilla.redhat.com/show_bug.cgi?id=684939 libtiff-thundercode-decoder-bo(66247) Cross-site scripting (XSS) vulnerability in the KHTMLPart::htmlError function in khtml/khtml_part.cpp in Konqueror in KDE SC 4.4.0 through 4.6.1 allows remote attackers to inject arbitrary web script or HTML via the URI in a URL corresponding to an unavailable web site. SUSE-SR:2011:009 8208 1025322 SSA:2011-101-02 http://www.kde.org/info/security/advisory-20110411-1.txt MDVSA-2011:075 http://www.nth-dimension.org.uk/pub/NDSA20110321.txt.asc 20110411 Medium severity flaw in Konqueror 20110412 Re: [Full-disclosure] Medium severity flaw in Konqueror 47304 USN-1110-1 ADV-2011-0927 ADV-2011-0928 ADV-2011-0990 https://bugzilla.redhat.com/show_bug.cgi?id=695398 konqueror-khtmlparthtmlerror-xss(66697) Array index error in the asihpi_hpi_ioctl function in sound/pci/asihpi/hpioctl.c in the AudioScience HPI driver in the Linux kernel before 2.6.38.1 might allow local users to cause a denial of service (memory corruption) or possibly gain privileges via a crafted adapter index value that triggers access to an invalid kernel pointer. http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commit;h=4a122c10fbfe9020df469f0f669da129c5757671 [oss-security] 20110318 CVE request: kernel: AudioScience HPI driver [oss-security] 20110318 Re: CVE request: kernel: AudioScience HPI driver http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38.1 https://bugzilla.redhat.com/show_bug.cgi?id=688898 net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. http://downloads.avaya.com/css/P8/documents/100145416 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=42eab94fff18cb1091d3501cd284d6bd6cc9c143 [netfilter-devel] 20110310 [PATCH] ipv4: netfilter: arp_tables: fix infoleak to userspace RHSA-2011:0833 8278 8282 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39 [oss-security] 20110318 CVE request: kernel: netfilter & econet infoleaks [oss-security] 20110321 Re: CVE request: kernel: netfilter & econet infoleaks [oss-security] 20110321 Re: CVE request: kernel: netfilter & econet infoleaks https://bugzilla.redhat.com/show_bug.cgi?id=689321 net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. http://downloads.avaya.com/css/P8/documents/100145416 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=78b79876761b86653df89c48a7010b5cbd41a84a [linux-kernel] 20110310 [PATCH] ipv4: netfilter: ip_tables: fix infoleak to userspace RHSA-2011:0833 8278 8283 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39 [oss-security] 20110318 CVE request: kernel: netfilter & econet infoleaks [oss-security] 20110321 Re: CVE request: kernel: netfilter & econet infoleaks [oss-security] 20110321 Re: CVE request: kernel: netfilter & econet infoleaks https://bugzilla.redhat.com/show_bug.cgi?id=689327 net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. http://downloads.avaya.com/css/P8/documents/100145416 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6a8ab060779779de8aea92ce3337ca348f973f54 [linux-kernel] 20110310 [PATCH] ipv6: netfilter: ip6_tables: fix infoleak to userspace RHSA-2011:0833 8278 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39 [oss-security] 20110318 CVE request: kernel: netfilter & econet infoleaks [oss-security] 20110321 Re: CVE request: kernel: netfilter & econet infoleaks [oss-security] 20110321 Re: CVE request: kernel: netfilter & econet infoleaks https://bugzilla.redhat.com/show_bug.cgi?id=689345 The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.39 on the x86_64 platform allows remote attackers to obtain potentially sensitive information from kernel stack memory by reading uninitialized data in the ah field of an Acorn Universal Networking (AUN) packet. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=67c5c6cb8129c595f21e88254a3fc6b3b841ae8e [netdev] 20110317 [PATCH] econet: 4 byte infoleak to the network 8279 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39 [oss-security] 20110318 CVE request: kernel: netfilter & econet infoleaks [oss-security] 20110321 Re: CVE request: kernel: netfilter & econet infoleaks [oss-security] 20110321 Re: CVE request: kernel: netfilter & econet infoleaks https://bugzilla.redhat.com/show_bug.cgi?id=591815#c14 manager.c in Asterisk Open Source 1.6.1.x before 1.6.1.24, 1.6.2.x before 1.6.2.17.2, and 1.8.x before 1.8.3.2 allows remote attackers to cause a denial of service (CPU and memory consumption) via a series of manager sessions involving invalid data. http://downloads.asterisk.org/pub/security/AST-2011-003.html FEDORA-2011-3958 FEDORA-2011-3945 FEDORA-2011-3942 [oss-security] 20110317 CVE request for Asterisk flaws [oss-security] 20110321 Re: CVE request for Asterisk flaws 1025223 DSA-2225 46897 ADV-2011-0686 ADV-2011-0790 https://bugzilla.redhat.com/show_bug.cgi?id=688675 asterisk-writes-dos(66139) tcptls.c in the TCP/TLS server in Asterisk Open Source 1.6.1.x before 1.6.1.23, 1.6.2.x before 1.6.2.17.1, and 1.8.x before 1.8.3.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by establishing many short TCP sessions to services that use a certain TLS API. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' http://downloads.asterisk.org/pub/security/AST-2011-004.html FEDORA-2011-3958 FEDORA-2011-3945 FEDORA-2011-3942 [oss-security] 20110317 CVE request for Asterisk flaws [oss-security] 20110321 Re: CVE request for Asterisk flaws 1025224 DSA-2225 46898 ADV-2011-0686 ADV-2011-0790 https://bugzilla.redhat.com/show_bug.cgi?id=688678 asterisk-handletcptlsconnection-dos(66140) The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers to gain privileges by leveraging the root uid and root gid of an mpm-itk process. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618857 [mpm-itk] 20110321 CVE 2011-1176: Sometimes runs as root instead of the default Apache user [mpm-itk] 20110321 mpm-itk version 2.2.17-01 released [oss-security] 20110320 CVE request: MPM-ITK module for Apache HTTPD [oss-security] 20110321 Re: CVE request: MPM-ITK module for Apache HTTPD DSA-2202 MDVSA-2011:057 46953 ADV-2011-0748 ADV-2011-0749 ADV-2011-0824 apache-mtmitk-weak-security(66248) Multiple integer overflows in the load_image function in file-pcx.c in the Personal Computer Exchange (PCX) plugin in GIMP 2.6.x and earlier allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PCX image that triggers a heap-based buffer overflow. http://git.gnome.org/browse/gimp/commit/?id=a9671395f6573e90316a9d748588c5435216f6ce GLSA-201209-23 1025586 MDVSA-2011:110 RHSA-2011:0837 RHSA-2011:0838 48057 https://bugzilla.redhat.com/show_bug.cgi?id=689831 gimp-pcximage-bo(67787) The SPICE Firefox plug-in (spice-xpi) 2.4, 2.3, 2.2, and possibly other versions allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to (1) plugin/nsScriptablePeer.cpp and (2) plugin/plugin.cpp, which trigger multiple uses of an uninitialized pointer. RHSA-2011:0426 RHSA-2011:0427 47269 1025304 ADV-2011-0899 https://bugzilla.redhat.com/attachment.cgi?id=487006&action=diff https://bugzilla.redhat.com/show_bug.cgi?id=689931 spicexpi-pointer-privilege-escalation(66777) Multiple stack-based buffer overflows in the iriap_getvaluebyclass_indication function in net/irda/iriap.c in the Linux kernel before 2.6.39 allow remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging connectivity to an IrDA infrared network and sending a large integer value for a (1) name length or (2) attribute length. http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d370af0ef7951188daeb15bae75db7ba57c67846 [oss-security] 20110322 Re: CVE requests - kernel: irda/decnet issues https://github.com/torvalds/linux/commit/d370af0ef7951188daeb15bae75db7ba57c67846 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn. Further investigation showed that it was not a security issue. Notes: none. kernel/signal.c in the Linux kernel before 2.6.39 allows local users to spoof the uid and pid of a signal sender via a sigqueueinfo system call. http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=da48524eb20662618854bb3df2db01fc65f3070c RHSA-2011:0927 [oss-security] 20110323 Re: Linux kernel signal spoofing vulnerability (CVE request) https://bugzilla.redhat.com/show_bug.cgi?id=690028 https://github.com/torvalds/linux/commit/da48524eb20662618854bb3df2db01fc65f3070c Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419. 20110406 [SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass 8187 http://svn.apache.org/viewvc?view=revision&revision=1087643 http://tomcat.apache.org/security-7.html 20110406 [SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass 47196 tomcat-webxml-security-bypass(66675) oval:org.mitre.oval:def:12701 The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values. SUSE-SU-2012:0155 openSUSE-SU-2012:0208 HPSBOV02762 HPSBUX02860 HPSBST02955 RHSA-2012:0074 RHSA-2012:0075 RHSA-2012:0076 RHSA-2012:0077 RHSA-2012:0078 RHSA-2012:0325 http://svn.apache.org/viewvc?view=rev&rev=1087655 http://svn.apache.org/viewvc?view=rev&rev=1158180 http://svn.apache.org/viewvc?view=rev&rev=1159309 http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-7.html DSA-2401 MDVSA-2011:156 RHSA-2011:1845 [tomcat-dev] 20190319 svn commit: r1855831 [22/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ [tomcat-dev] 20190325 svn commit: r1856174 [20/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ oval:org.mitre.oval:def:19169 Google Chrome before 10.0.648.127 does not prevent (1) navigation and (2) close operations on the top location of a sandboxed frame, which has unspecified impact and remote attack vectors. http://code.google.com/p/chromium/issues/detail?id=42574 http://code.google.com/p/chromium/issues/detail?id=42765 http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html 46785 ADV-2011-0628 chrome-sandboxed-sec-bypass(65948) oval:org.mitre.oval:def:14349 Google Chrome before 10.0.648.127 on Linux does not properly handle parallel execution of calls to the print method, which might allow remote attackers to cause a denial of service (application crash) via crafted JavaScript code. http://code.google.com/p/chromium/issues/detail?id=66962 http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html 46785 ADV-2011-0628 google-parallel-dos(65950) oval:org.mitre.oval:def:14255 Google Chrome before 10.0.648.127 allows remote attackers to bypass the Same Origin Policy via unspecified vectors, related to an "error message leak." http://code.google.com/p/chromium/issues/detail?id=69187 http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html http://www.mozilla.org/security/announce/2012/mfsa2012-32.html 46785 ADV-2011-0628 https://bugzilla.mozilla.org/show_bug.cgi?id=624621 google-unspecified-info-disc(65951) oval:org.mitre.oval:def:14369 Google Chrome before 10.0.648.127 does not properly handle counter nodes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. http://code.google.com/p/chromium/issues/detail?id=69628 http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html APPLE-SA-2011-07-20-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-10-12-1 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4999 46785 ADV-2011-0628 google-counter-nodes-code-exec(65952) oval:org.mitre.oval:def:14493 Google Chrome before 10.0.648.127 does not properly perform box layout, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale node." http://code.google.com/p/chromium/issues/detail?id=70027 http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html 46785 ADV-2011-0628 google-box-layouts-dos(65953) oval:org.mitre.oval:def:14370