qiurui
/
freebsd-ports
mirror of https://git.FreeBSD.org/ports.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
freebsd-ports/security/vuxml/vuln/2010.xml

5732 lines
202 KiB
XML
Raw Permalink Blame History

<vuln vid="06a12e26-142e-11e0-bea2-0015f2db7bde">
<topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha Silva reports:</p>
<blockquote cite="http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS">
<p>The patches to fix the following CVEs are included with help
from Huzaifa Sidhpurwala from the Red Hat security team.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1791</cvename>
<cvename>CVE-2010-3812</cvename>
<cvename>CVE-2010-3813</cvename>
<cvename>CVE-2010-4197</cvename>
<cvename>CVE-2010-4198</cvename>
<cvename>CVE-2010-4204</cvename>
<cvename>CVE-2010-4206</cvename>
<cvename>CVE-2010-4577</cvename>
<url>http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS</url>
</references>
<dates>
<discovery>2010-12-28</discovery>
<entry>2010-12-30</entry>
</dates>
</vuln>
<vuln vid="14a37474-1383-11e0-8a58-00215c6a37bb">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py23-django</name>
<name>py24-django</name>
<name>py25-django</name>
<name>py26-django</name>
<name>py27-django</name>
<name>py30-django</name>
<name>py31-django</name>
<range><gt>1.2</gt><lt>1.2.4</lt></range>
<range><gt>1.1</gt><lt>1.1.3</lt></range>
</package>
<package>
<name>py23-django-devel</name>
<name>py24-django-devel</name>
<name>py25-django-devel</name>
<name>py26-django-devel</name>
<name>py27-django-devel</name>
<name>py30-django-devel</name>
<name>py31-django-devel</name>
<range><lt>15032,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Django project reports:</p>
<blockquote cite="http://www.djangoproject.com/weblog/2010/dec/22/security/">
<p>Today the Django team is issuing multiple releases
-- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 --
to remedy two security issues reported to us. All users
of affected versions of Django are urged to upgrade
immediately.</p>
<h3>Information leakage in Django administrative interface</h3>
<p>The Django administrative interface, django.contrib.admin
supports filtering of displayed lists of objects by fields
on the corresponding models, including across database-level
relationships. This is implemented by passing lookup arguments
in the querystring portion of the URL, and options on the
ModelAdmin class allow developers to specify particular
fields or relationships which will generate automatic links
for filtering.</p>
<h3>Denial-of-service attack in password-reset mechanism</h3>
<p>Django's bundled authentication framework,
django.contrib.auth, offers views which allow users to
reset a forgotten password. The reset mechanism involves
generating a one-time token composed from the user's ID,
the timestamp of the reset request converted to a base36
integer, and a hash derived from the user's current password
hash (which will change once the reset is complete, thus
invalidating the token).</p>
</blockquote>
</body>
</description>
<references>
<bid>45562</bid>
<bid>45563</bid>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=665373</url>
<url>http://secunia.com/advisories/42715/</url>
</references>
<dates>
<discovery>2010-12-22</discovery>
<entry>2010-12-29</entry>
</dates>
</vuln>
<vuln vid="ff8b419a-0ffa-11e0-becc-0022156e8794">
<topic>Drupal Views plugin -- cross-site scripting</topic>
<affects>
<package>
<name>drupal6-views</name>
<range><lt>2.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal security team reports:</p>
<blockquote cite="http://drupal.org/node/999380">
<p>The Views module provides a flexible method for Drupal site
designers to control how lists and tables of content are
presented. Under certain circumstances, Views could display
parts of the page path without escaping, resulting in a
relected Cross Site Scripting (XSS) vulnerability. An attacker
could exploit this to gain full administrative access.</p>
<p>Mitigating factors: This vulnerability only occurs with a
specific combination of configuration options for a specific
View, but this combination is used in the default Views
provided by some additional modules. A malicious user would
need to get an authenticated administrative user to visit a
specially crafted URL.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4521</cvename>
<url>http://drupal.org/node/999380</url>
</references>
<dates>
<discovery>2010-12-15</discovery>
<entry>2010-12-28</entry>
</dates>
</vuln>
<vuln vid="584c506d-0e98-11e0-b59b-0050569b2d21">
<topic>redmine -- multiple vulnerabilities</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>1.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jean-Philippe Lang reports:</p>
<blockquote cite="http://www.redmine.org/news/49">
<p>This release also fixes 3 security issues reported by
joernchen of Phenoelit:</p>
<ul>
<li>logged in users may be able to access private data
(affected versions: 1.0.x)</li>
<li>persistent XSS vulnerability in textile formatter
(affected versions: all previous releases)</li>
<li>remote command execution in bazaar repository adapter
(affected versions: 0.9.x, 1.0.x)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.redmine.org/news/49</url>
</references>
<dates>
<discovery>2010-12-23</discovery>
<entry>2010-12-23</entry>
</dates>
</vuln>
<vuln vid="4bd33bc5-0cd6-11e0-bfa4-001676740879">
<topic>tor -- remote crash and potential remote code execution</topic>
<affects>
<package>
<name>tor</name>
<range><lt>0.2.1.28</lt></range>
</package>
<package>
<name>tor-devel</name>
<range><lt>0.2.2.20-alpha</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tor Project reports:</p>
<blockquote cite="http://archives.seul.org/or/announce/Dec-2010/msg00000.html">
<p>Remotely exploitable bug that could be used to crash instances
of Tor remotely by overflowing on the heap. Remote-code execution
hasn't been confirmed, but can't be ruled out. Everyone should
upgrade.</p>
</blockquote>
</body>
</description>
<references>
<bid>45500</bid>
<cvename>CVE-2010-1676</cvename>
<freebsdpr>ports/153326</freebsdpr>
<mlist msgid="20101220135830.GU3300@moria.seul.org">http://archives.seul.org/or/announce/Dec-2010/msg00000.html</mlist>
<mlist msgid="20101220141526.GS3255@moria.seul.org">http://archives.seul.org/or/talk/Dec-2010/msg00167.html</mlist>
<url>https://gitweb.torproject.org/tor.git/blob/release-0.2.1:/ChangeLog</url>
<url>https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ChangeLog</url>
</references>
<dates>
<discovery>2010-12-17</discovery>
<entry>2010-12-22</entry>
</dates>
</vuln>
<vuln vid="d560b346-08a2-11e0-bcca-0050568452ac">
<topic>YUI JavaScript library -- JavaScript injection exploits in Flash components</topic>
<affects>
<package>
<name>yahoo-ui</name>
<range><lt>2.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The YUI team reports:</p>
<blockquote cite="http://yuilibrary.com/support/2.8.2/">
<p>A security-related defect was introduced in the YUI 2 Flash
component infrastructure beginning with the YUI 2.4.0 release.
This defect allows JavaScript injection exploits to be created
against domains that host affected YUI .swf files.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4207</cvename>
<cvename>CVE-2010-4208</cvename>
<cvename>CVE-2010-4209</cvename>
<url>http://www.yuiblog.com/blog/2010/10/25/yui-2-8-2-security-update/</url>
<url>http://secunia.com/advisories/41955</url>
<url>http://www.openwall.com/lists/oss-security/2010/11/07/1</url>
<url>http://yuilibrary.com/support/2.8.2/</url>
</references>
<dates>
<discovery>2010-10-25</discovery>
<entry>2010-12-15</entry>
</dates>
</vuln>
<vuln vid="2a41233d-10e7-11e0-becc-0022156e8794">
<topic>php-zip -- multiple Denial of Service vulnerabilities</topic>
<affects>
<package>
<name>php5-zip</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52-zip</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The following DoS conditions in Zip extension
were fixed in PHP 5.3.4 and PHP 5.2.15:</p>
<ul>
<li>
<blockquote cite="http://www.php.net/releases/5_3_4.php">
<p>Fixed crash in zip extract method (possible
CWE-170).</p>
</blockquote>
</li>
<li>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3709">
<p>The ZipArchive::getArchiveComment function
in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3
allows context-dependent attackers to cause a denial
of service (NULL pointer dereference and application
crash) via a crafted ZIP archive.</p>
</blockquote>
</li>
</ul>
</body>
</description>
<references>
<cvename>CVE-2010-3709</cvename>
<url>http://www.php.net/releases/5_3_4.php</url>
<url>http://www.php.net/releases/5_2_15.php</url>
<url>http://securityreason.com/achievement_securityalert/90</url>
</references>
<dates>
<discovery>2010-12-13</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="c623f058-10e7-11e0-becc-0022156e8794">
<topic>php-filter -- Denial of Service</topic>
<affects>
<package>
<name>php5-filter</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52-filter</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The following DoS condition in filter extension
was fixed in PHP 5.3.4 and PHP 5.2.15:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3710">
<p>Stack consumption vulnerability in the filter_var
function in PHP 5.2.x through 5.2.14 and 5.3.x through
5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows
remote attackers to cause a denial of service (memory
consumption and application crash) via a long e-mail
address string.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3710</cvename>
<url>http://www.php.net/releases/5_3_4.php</url>
<url>http://www.php.net/releases/5_2_15.php</url>
</references>
<dates>
<discovery>2010-12-13</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="1a0704e7-0edf-11e0-becc-0022156e8794">
<topic>php-imap -- Denial of Service</topic>
<affects>
<package>
<name>php5-imap</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52-imap</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The following DoS condition in IMAP extension
was fixed in PHP 5.3.4 and PHP 5.2.15:</p>
<blockquote cite="http://securitytracker.com/alerts/2010/Nov/1024761.html">
<p>A remote user can send specially crafted IMAP user name
or password data to trigger a double free memory error
in 'ext/imap/php_imap.c' and cause the target service
to crash.</p>
<p>It may be possible to execute arbitrary code.
However, code execution was not confirmed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4150</cvename>
<url>http://www.php.net/releases/5_3_4.php</url>
<url>http://www.php.net/releases/5_2_15.php</url>
</references>
<dates>
<discovery>2010-12-13</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="da3d381b-0ee6-11e0-becc-0022156e8794">
<topic>pecl-phar -- format string vulnerability</topic>
<affects>
<package>
<name>pecl-phar</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Entry for CVE-2010-2094 says:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2094">
<p>Multiple format string vulnerabilities in the phar
extension in PHP 5.3 before 5.3.2 allow context-dependent
attackers to obtain sensitive information (memory
contents) and possibly execute arbitrary code via a
crafted phar:// URI that is not properly handled by the
(1) phar_stream_flush, (2) phar_wrapper_unlink,
(3) phar_parse_url, or (4) phar_wrapper_open_url functions
in ext/phar/stream.c; and the (5) phar_wrapper_open_dir
function in ext/phar/dirstream.c, which triggers errors
in the php_stream_wrapper_log_error function.</p>
</blockquote>
<p>PECL source code for PHAR extension shares the same code,
so it is vulnerable too.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2094</cvename>
<url>http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html</url>
<url>http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.htm</url>
<url>http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.htm</url>
<url>http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.htm</url>
<url>http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.html</url>
</references>
<dates>
<discovery>2010-12-13</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="3761df02-0f9c-11e0-becc-0022156e8794">
<topic>php -- NULL byte poisoning</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP-specific version of NULL-byte poisoning was briefly
described by ShAnKaR:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded">
<p>Poison NULL byte vulnerability for perl CGI applications
was described in
<a href="http://artofhacking.com/files/phrack/phrack55/P55-07.TXT">[1]</a>.
ShAnKaR noted, that same vulnerability also affects
different PHP applications.</p>
</blockquote>
<p>PHP developers report that branch 5.3 received a fix:</p>
<blockquote cite="http://www.php.net/releases/5_3_4.php">
<p>Paths with NULL in them (foo\0bar.txt) are now considered
as invalid (CVE-2006-7243).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2006-7243</cvename>
<url>http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded</url>
<url>http://artofhacking.com/files/phrack/phrack55/P55-07.TXT</url>
</references>
<dates>
<discovery>2010-12-10</discovery>
<entry>2011-01-13</entry>
<modified>2012-11-25</modified>
</dates>
</vuln>
<vuln vid="73634294-0fa7-11e0-becc-0022156e8794">
<topic>php -- open_basedir bypass</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3436">
<p>fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow
remote attackers to bypass open_basedir restrictions via
vectors related to the length of a filename.</p>
</blockquote>
</body>
</description>
<references>
<bid>44723</bid>
<cvename>CVE-2010-3436</cvename>
</references>
<dates>
<discovery>2010-12-10</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="f3148a05-0fa7-11e0-becc-0022156e8794">
<topic>php -- corruption of $GLOBALS and $this variables via extract() method</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Off-by-one error in the sanity validator for the extract()
method allowed attackers to replace the values of $GLOBALS
and $this when mode EXTR_OVERWRITE was used.</p>
</body>
</description>
<references>
<url>http://www.mail-archive.com/php-cvs@lists.php.net/msg47722.html</url>
<url>http://www.php.net/releases/5_2_15.php</url>
</references>
<dates>
<discovery>2010-12-10</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="6887828f-0229-11e0-b84d-00262d5ed8ee">
<cancelled/>
</vuln>
<vuln vid="b2a6fc0e-070f-11e0-a6e9-00215c6a37bb">
<cancelled/>
</vuln>
<vuln vid="1d8ff4a2-0445-11e0-8e32-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.13,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.16,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.13</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.13,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.16</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.11</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><ge>3.1</ge><lt>3.1.7</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.11</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.11</lt></range>
<range><ge>3.1</ge><lt>3.1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)</p>
<p>MFSA 2010-75 Buffer overflow while line breaking after document.write with long string</p>
<p>MFSA 2010-76 Chrome privilege escalation with window.open and isindex element</p>
<p>MFSA 2010-77 Crash and remote code execution using HTML tags inside a XUL tree</p>
<p>MFSA 2010-78 Add support for OTS font sanitizer</p>
<p>MFSA 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh</p>
<p>MFSA 2010-80 Use-after-free error with nsDOMAttribute MutationObserver</p>
<p>MFSA 2010-81 Integer overflow vulnerability in NewIdArray</p>
<p>MFSA 2010-82 Incomplete fix for CVE-2010-0179</p>
<p>MFSA 2010-83 Location bar SSL spoofing using network error page</p>
<p>MFSA 2010-84 XSS hazard in multiple character encodings</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3766</cvename>
<cvename>CVE-2010-3767</cvename>
<cvename>CVE-2010-3768</cvename>
<cvename>CVE-2010-3769</cvename>
<cvename>CVE-2010-3770</cvename>
<cvename>CVE-2010-3771</cvename>
<cvename>CVE-2010-3772</cvename>
<cvename>CVE-2010-3773</cvename>
<cvename>CVE-2010-3774</cvename>
<cvename>CVE-2010-3775</cvename>
<cvename>CVE-2010-3776</cvename>
<cvename>CVE-2010-3777</cvename>
<cvename>CVE-2010-3778</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-74.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-75.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-76.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-77.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-78.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-79.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-80.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-81.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-82.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-83.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-84.html</url>
</references>
<dates>
<discovery>2010-12-09</discovery>
<entry>2010-12-10</entry>
</dates>
</vuln>
<vuln vid="4ccbd40d-03f7-11e0-bf50-001a926c7637">
<topic>krb5 -- client impersonation vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7.0</ge><lt>1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 KDC may issue tickets not requested
by a client, based on an attacker-chosen KrbFastArmoredReq.</p>
<p>An authenticated remote attacker that controls a legitimate service
principal could obtain a valid service ticket to itself containing
valid KDC-generated authorization data for a client whose TGS-REQ it
has intercepted. The attacker could then use this ticket for
S4U2Proxy to impersonate the targeted client even if the client
never authenticated to the subverted service. The vulnerable
configuration is believed to be rare.</p>
</blockquote>
</body>
</description>
<references>
<bid>45122</bid>
<cvename>CVE-2010-4021</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69607</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
<vuln vid="1d193bba-03f6-11e0-bf50-001a926c7637">
<topic>krb5 -- RFC 3961 key-derivation checksum handling vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.8.0</ge><le>1.8.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 (releases incorrectly accepts RFC 3961
key-derivation checksums using RC4 keys when verifying AD-SIGNEDPATH
and AD-KDC-ISSUED authorization data.</p>
<p>An authenticated remote attacker that controls a legitimate service
principal has a 1/256 chance of forging the AD-SIGNEDPATH signature
if the TGT key is RC4, allowing it to use self-generated "evidence"
tickets for S4U2Proxy, instead of tickets obtained from the user or
with S4U2Self. Configurations using RC4 for the TGT key are
believed to be rare.</p>
<p>An authenticated remote attacker has a 1/256 chance of forging
AD-KDC-ISSUED signatures on authdata elements in tickets having
an RC4 service key, resulting in privilege escalation against
a service that relies on these signatures. There are no known
uses of the KDC-ISSUED authdata container at this time.</p>
</blockquote>
</body>
</description>
<references>
<bid>45117</bid>
<cvename>CVE-2010-4020</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69608</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
<vuln vid="9f971cea-03f5-11e0-bf50-001a926c7637">
<topic>krb5 -- unkeyed PAC checksum handling vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7.0</ge><lt>1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 incorrectly accepts an unkeyed checksum for PAC
signatures.</p>
<p>An authenticated remote attacker can forge PACs if using a KDC that
does not filter client-provided PAC data. This can result in
privilege escalation against a service that relies on PAC contents
to make authorization decisions.</p>
</blockquote>
</body>
</description>
<references>
<bid>45116</bid>
<cvename>CVE-2010-1324</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69609</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
<vuln vid="0d57c1d9-03f4-11e0-bf50-001a926c7637">
<topic>krb5 -- multiple checksum handling vulnerabilities</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7.0</ge><lt>1.7.2</lt></range>
<range><ge>1.8.0</ge><le>1.8.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb incorrectly accepts an unkeyed
checksum with DES session keys for version 2 (RFC 4121)
of the GSS-API krb5 mechanism.</p>
<p>An unauthenticated remote attacker can forge GSS tokens that are
intended to be integrity-protected but unencrypted, if the targeted
pre-existing application session uses a DES session key.</p>
<p>MIT krb5 KDC incorrectly accepts RFC
3961 key-derivation checksums using RC4 keys when verifying the
req-checksum in a KrbFastArmoredReq.</p>
<p>An unauthenticated remote attacker has a 1/256 chance of swapping a
client-issued KrbFastReq into a different KDC-REQ, if the armor
key is RC4. The consequences are believed to be minor.</p>
</blockquote>
</body>
</description>
<references>
<bid>45116</bid>
<cvename>CVE-2010-1324</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69609</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
<vuln vid="11bbccbc-03ee-11e0-bcdb-001fc61c2a55">
<topic>krb5 -- multiple checksum handling vulnerabilities</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.3.0</ge><lt>1.7.2</lt></range>
<range><ge>1.8.0</ge><le>1.8.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 clients incorrectly accept an unkeyed checksums
in the SAM-2 preauthentication challenge.</p>
<p>An unauthenticated remote attacker could alter a SAM-2 challenge,
affecting the prompt text seen by the user or the kind of response
sent to the KDC. Under some circumstances, this can negate the
incremental security benefit of using a single-use authentication
mechanism token.</p>
<p>MIT krb5 incorrectly accepts RFC 3961 key-derivation checksums
using RC4 keys when verifying KRB-SAFE messages.</p>
<p>An unauthenticated remote attacker has a 1/256 chance of forging
KRB-SAFE messages in an application protocol if the targeted
pre-existing session uses an RC4 session key. Few application
protocols use KRB-SAFE messages.</p>
</blockquote>
</body>
</description>
<references>
<bid>45118</bid>
<cvename>CVE-2010-1323</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69610</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
<vuln vid="ed7fa1b4-ff59-11df-9759-080027284eaa">
<topic>proftpd -- Compromised source packages backdoor</topic>
<affects>
<package>
<name>proftpd</name>
<range><eq>1.3.3c_2</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The ProFTPD Project team reports:</p>
<blockquote cite="http://proftpd.org/">
<p>The security issue is caused due to the distribution of compromised
ProFTPD 1.3.3c source code packages via the project's main FTP server
and all of the mirror servers, which contain a backdoor allowing
remote root access.</p>
</blockquote>
</body>
</description>
<references>
<url>http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org</url>
<url>http://secunia.com/advisories/42449</url>
</references>
<dates>
<discovery>2010-11-28</discovery>
<entry>2010-12-04</entry>
</dates>
</vuln>
<vuln vid="753f8185-5ba9-42a4-be02-3f55ee580093">
<topic>phpMyAdmin -- XSS attack in database search</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.3.8.1</lt></range>
</package>
<package>
<name>phpMyAdmin211</name>
<range><lt>2.11.11.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpMyAdmin team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php">
<p>It was possible to conduct a XSS attack using spoofed request on the
db search script.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/152685</freebsdpr>
<freebsdpr>ports/152686</freebsdpr>
<cvename>CVE-2010-4329</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php</url>
</references>
<dates>
<discovery>2010-11-29</discovery>
<entry>2010-11-30</entry>
</dates>
</vuln>
<vuln vid="f154a3c7-f7f4-11df-b617-00e0815b8da8">
<topic>isc-dhcp-server -- Empty link-address denial of service</topic>
<affects>
<package>
<name>isc-dhcp41-server</name>
<range><ge>4.1.0</ge><lt>4.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/dhcp/advisories/cve-2010-3611">
<p>If the server receives a DHCPv6 packet containing one or more
Relay-Forward messages, and none of them supply an address in the
Relay-Forward link-address field, then the server will crash. This
can be used as a single packet crash attack vector.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3611</cvename>
<url>http://www.isc.org/software/dhcp/advisories/cve-2010-3611</url>
<url>http://www.kb.cert.org/vuls/id/102047</url>
</references>
<dates>
<discovery>2010-11-02</discovery>
<entry>2010-11-24</entry>
</dates>
</vuln>
<vuln vid="373e412e-f748-11df-96cd-0015f2db7bde">
<topic>OpenTTD -- Denial of service (server/client) via invalid read</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>1.0.0</ge><lt>1.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://security.openttd.org/en/CVE-2010-4168">
<p>When a client disconnects, without sending the "quit" or
"client error" message, the server has a chance of reading and
writing a just freed piece of memory. The writing can only
happen while the server is sending the map. Depending on what
happens directly after freeing the memory there is a chance of
segmentation fault, and thus a denial of service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4168</cvename>
<url>http://security.openttd.org/en/CVE-2010-4168</url>
</references>
<dates>
<discovery>2010-11-20</discovery>
<entry>2010-11-23</entry>
</dates>
</vuln>
<vuln vid="a3314314-f731-11df-a757-0011098ad87f">
<topic>horde-base -- XSS: VCARD attachments vulnerability</topic>
<affects>
<package>
<name>horde-base</name>
<range><lt>3.3.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde team reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/532">
<p>The major changes compared to Horde version 3.3.10 are:</p>
<p>* Fixed XSS vulnerability when viewing details of a vCard.</p>
</blockquote>
</body>
</description>
<references>
<url>http://article.gmane.org/gmane.comp.horde.announce/532</url>
<url>http://bugs.horde.org/ticket/9357</url>
</references>
<dates>
<discovery>2010-11-02</discovery>
<entry>2010-11-23</entry>
</dates>
</vuln>
<vuln vid="533d20e7-f71f-11df-9ae1-000bcdf0a03b">
<topic>proftpd -- remote code execution vulnerability</topic>
<affects>
<package>
<name>proftpd</name>
<range><lt>1.3.3c</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tippingpoint reports:</p>
<blockquote cite="http://www.zerodayinitiative.com/advisories/ZDI-10-229/">
<p>This vulnerability allows remote attackers to execute arbitrary
code on vulnerable installations of ProFTPD. Authentication is not
required to exploit this vulnerability.</p>
<p>The flaw exists within the proftpd server component which
listens by default on TCP port 21. When reading user input if a
TELNET_IAC escape sequence is encountered the process
miscalculates a buffer length counter value allowing a user
controlled copy of data to a stack buffer. A remote attacker can
exploit this vulnerability to execute arbitrary code under the
context of the proftpd process.</p>
</blockquote>
</body>
</description>
<references>
<bid>44562</bid>
<cvename>CVE-2010-4221</cvename>
<url>http://www.zerodayinitiative.com/advisories/ZDI-10-229/</url>
</references>
<dates>
<discovery>2010-11-02</discovery>
<entry>2010-11-23</entry>
</dates>
</vuln>
<vuln vid="3042c33a-f237-11df-9d02-0018fe623f2b">
<topic>openssl -- TLS extension parsing race condition</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL Team reports:</p>
<blockquote cite="http://openssl.org/news/secadv_20101116.txt">
<p>Rob Hulswit has found a flaw in the OpenSSL TLS server extension
code parsing which on affected servers can be exploited in a buffer
overrun attack.</p>
<p>Any OpenSSL based TLS server is vulnerable if it is multi-threaded
and uses OpenSSL's internal caching mechanism. Servers that are
multi-process and/or disable internal session caching are NOT
affected.</p>
<p>In particular the Apache HTTP server (which never uses OpenSSL
internal caching) and Stunnel (which includes its own workaround)
are NOT affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3864</cvename>
<url>http://openssl.org/news/secadv_20101116.txt</url>
</references>
<dates>
<discovery>2010-10-08</discovery>
<entry>2010-11-17</entry>
</dates>
</vuln>
<vuln vid="76b597e4-e9c6-11df-9e10-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r289</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.1r102</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-26.html">
<p>Critical vulnerabilities have been identified in
Adobe Flash Player 10.1.85.3 and earlier versions for
Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player
10.1.95.1 for Android. These vulnerabilities, including
CVE-2010-3654 referenced in Security Advisory APSA10-05,
could cause the application to crash and could potentially
allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3636</cvename>
<cvename>CVE-2010-3637</cvename>
<cvename>CVE-2010-3638</cvename>
<cvename>CVE-2010-3639</cvename>
<cvename>CVE-2010-3640</cvename>
<cvename>CVE-2010-3641</cvename>
<cvename>CVE-2010-3642</cvename>
<cvename>CVE-2010-3643</cvename>
<cvename>CVE-2010-3644</cvename>
<cvename>CVE-2010-3645</cvename>
<cvename>CVE-2010-3646</cvename>
<cvename>CVE-2010-3647</cvename>
<cvename>CVE-2010-3648</cvename>
<cvename>CVE-2010-3649</cvename>
<cvename>CVE-2010-3650</cvename>
<cvename>CVE-2010-3652</cvename>
<cvename>CVE-2010-3654</cvename>
<cvename>CVE-2010-3676</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb10-26.html</url>
<url>http://www.adobe.com/support/security/advisories/apsa10-05.html</url>
</references>
<dates>
<discovery>2010-09-28</discovery>
<entry>2010-11-06</entry>
</dates>
</vuln>
<vuln vid="b2eaa7c2-e64a-11df-bc65-0022156e8794">
<topic>Wireshark -- DoS in the BER-based dissectors</topic>
<affects>
<package>
<name>wireshark</name>
<range><ge>1.3</ge><lt>1.4.1</lt></range>
<range><ge>1.0</ge><lt>1.2.12</lt></range>
</package>
<package>
<name>wireshark-lite</name>
<range><ge>1.3</ge><lt>1.4.1</lt></range>
<range><ge>1.0</ge><lt>1.2.12</lt></range>
</package>
<package>
<name>tshark</name>
<range><ge>1.3</ge><lt>1.4.1</lt></range>
<range><ge>1.0</ge><lt>1.2.12</lt></range>
</package>
<package>
<name>tshark-lite</name>
<range><ge>1.3</ge><lt>1.4.1</lt></range>
<range><ge>1.0</ge><lt>1.2.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/41535">
<p>A vulnerability has been discovered in Wireshark, which can
be exploited by malicious people to cause a DoS (Denial of
Service).</p>
<p>The vulnerability is caused due to an infinite recursion
error in the "dissect_unknown_ber()" function in
epan/dissectors/packet-ber.c and can be exploited to cause a
stack overflow e.g. via a specially crafted SNMP packet.</p>
<p>The vulnerability is confirmed in version 1.4.0 and
reported in version 1.2.11 and prior and version 1.4.0 and
prior.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3445</cvename>
<url>http://www.wireshark.org/lists/wireshark-announce/201010/msg00002.html</url>
<url>http://www.wireshark.org/lists/wireshark-announce/201010/msg00001.html</url>
</references>
<dates>
<discovery>2010-09-16</discovery>
<entry>2010-11-05</entry>
</dates>
</vuln>
<vuln vid="4ab29e12-e787-11df-adfa-00e0815b8da8">
<topic>Mailman -- cross-site scripting in web interface</topic>
<affects>
<package>
<name>mailman</name>
<range><lt>2.1.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/41265">
<p>Two vulnerabilities have been reported in Mailman, which
can be exploited by malicious users to conduct script
insertion attacks.</p>
<p>Certain input passed via the list descriptions is not
properly sanitised before being displayed to the user. This
can be exploited to insert arbitrary HTML and script code,
which will be executed in a user's browser session in context
of an affected site when the malicious data is being
viewed.</p>
<p>Successful exploitation requires "list owner" permissions.</p>
</blockquote>
</body>
</description>
<references>
<bid>43187</bid>
<cvename>CVE-2010-3089</cvename>
<url>http://secunia.com/advisories/41265</url>
</references>
<dates>
<discovery>2010-09-14</discovery>
<entry>2010-11-03</entry>
</dates>
</vuln>
<vuln vid="96e776c7-e75c-11df-8f26-00151735203a">
<topic>OTRS -- Multiple XSS and denial of service vulnerabilities</topic>
<affects>
<package>
<name>otrs</name>
<range><gt>2.3.*</gt><lt>2.4.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://otrs.org/advisory/OSA-2010-02-en/">
<ul>
<li>Multiple Cross Site Scripting issues:
Missing HTML quoting allows authenticated agents or
customers to inject HTML tags. This vulnerability
allows an attacker to inject script code into the OTRS
web-interface which will be loaded and executed
in the browsers of system users.</li>
<li>Possible Denial of Service Attack:
Perl's regular expressions consume 100% CPU time
on the server if an agent or customer views an affected
article. To exploit this vulnerability the malicious user
needs to send extremely large HTML emails to your
system address.</li>
</ul>
</blockquote>
<blockquote cite="http://otrs.org/advisory/OSA-2010-03-en/">
<p>AgentTicketZoom is vulnerable to XSS attacks from HTML e-mails:</p>
<p>Whenever a customer sends an HTML e-mail and RichText is enabled
in OTRS, javascript contained in the email can do everything
in the OTRS agent interface that the agent himself could do.</p>
<p>Most relevant is that this type of exploit can be used in such
a way that the agent won't even detect he is being exploited.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2080</cvename>
<cvename>CVE-2010-4071</cvename>
<url>http://otrs.org/advisory/OSA-2010-02-en/</url>
<url>http://otrs.org/advisory/OSA-2010-03-en/</url>
</references>
<dates>
<discovery>2010-09-15</discovery>
<entry>2010-11-03</entry>
</dates>
</vuln>
<vuln vid="c223b00d-e272-11df-8e32-000f20797ede">
<topic>mozilla -- Heap buffer overflow mixing document.write and DOM insertion</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.12,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.15,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.12</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.12,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.15</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.0.10</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>3.1.6</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.10</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.10</lt></range>
<range><ge>3.1</ge><lt>3.1.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-73 Heap buffer overflow mixing document.write and DOM insertion</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3765</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-73.html</url>
</references>
<dates>
<discovery>2010-10-27</discovery>
<entry>2010-10-28</entry>
</dates>
</vuln>
<vuln vid="aab187d4-e0f3-11df-b1ea-001999392805">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<range><lt>10.63</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Opera Desktop Team reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1063/">
<ul>
<li>Fixed an issue that allowed cross-domain checks to be bypassed,
allowing limited data theft using CSS, as reported by Isaac
Dawson.</li>
<li>Fixed an issue where manipulating the window could be used to
spoof the page address.</li>
<li>Fixed an issue with reloads and redirects that could allow
spoofing and cross-site scripting.</li>
<li>Fixed an issue that allowed private video streams to be
intercepted, as reported by Nirankush Panchbhai of Microsoft
Vulnerability Research.</li>
<li>Fixed an issue that caused JavaScript to run in the wrong
security context after manual interaction.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/support/kb/view/971/</url>
<url>http://www.opera.com/support/kb/view/972/</url>
<url>http://www.opera.com/support/kb/view/973/</url>
<url>http://www.opera.com/support/kb/view/974/</url>
<url>http://www.opera.com/support/kb/view/976/</url>
</references>
<dates>
<discovery>2010-10-12</discovery>
<entry>2010-10-26</entry>
</dates>
</vuln>
<vuln vid="0ddb57a9-da20-4e99-b048-4366092f3d31">
<topic>bzip2 -- integer overflow vulnerability</topic>
<affects>
<package>
<name>bzip2</name>
<range><lt>1.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/41452">
<p>A vulnerability has been reported in bzip2, which can be exploited by
malicious people to cause a DoS (Denial of Service) or potentially
compromise a vulnerable system.</p>
<p>The vulnerability is caused due to an integer overflow in the
"BZ2_decompress()" function in decompress.c and can be exploited to
cause a crash or potentially execute arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-10:08.bzip2</freebsdsa>
<freebsdpr>ports/151364</freebsdpr>
<cvename>CVE-2010-0405</cvename>
<bid>43331</bid>
<mlist>http://www.openwall.com/lists/oss-security/2010/09/21/4</mlist>
<url>http://secunia.com/advisories/41452</url>
</references>
<dates>
<discovery>2010-09-21</discovery>
<entry>2010-10-25</entry>
</dates>
</vuln>
<vuln vid="18dc48fe-ca42-11df-aade-0050568f000c">
<topic>FreeBSD -- Integer overflow in bzip2 decompression</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>6.4</ge><lt>6.4_11</lt></range>
<range><ge>7.1</ge><lt>7.1_14</lt></range>
<range><ge>7.3</ge><lt>7.3_3</lt></range>
<range><ge>8.0</ge><lt>8.0_5</lt></range>
<range><ge>8.1</ge><lt>8.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When decompressing data, the run-length encoded values are not
adequately sanity-checked, allowing for an integer overflow.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:08.bzip2</freebsdsa>
</references>
<dates>
<discovery>2010-09-20</discovery>
<entry>2010-10-24</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="7a09a8df-ca41-11df-aade-0050568f000c">
<topic>FreeBSD -- Lost mbuf flag resulting in data corruption</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.1</ge><lt>7.1_13</lt></range>
<range><ge>7.3</ge><lt>7.3_2</lt></range>
<range><ge>8.0</ge><lt>8.0_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The read-only flag is not correctly copied when a mbuf buffer
reference is duplicated. When the sendfile(2) system call is used to
transmit data over the loopback interface, this can result in the
backing pages for the transmitted file being modified, causing data
corruption.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:07.mbuf</freebsdsa>
</references>
<dates>
<discovery>2010-07-13</discovery>
<entry>2010-10-24</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="0dc91089-ca41-11df-aade-0050568f000c">
<topic>FreeBSD -- Unvalidated input in nfsclient</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.2</ge><lt>7.2_8</lt></range>
<range><ge>7.3</ge><lt>7.3_1</lt></range>
<range><ge>8.0</ge><lt>8.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The NFS client subsystem fails to correctly validate the length of a
parameter provided by the user when a filesystem is mounted.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:06.nfsclient</freebsdsa>
</references>
<dates>
<discovery>2010-05-27</discovery>
<entry>2010-10-24</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="768cfe70-ca40-11df-aade-0050568f000c">
<topic>FreeBSD -- OPIE off-by-one stack overflow</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>6.4</ge><lt>6.4_10</lt></range>
<range><ge>7.1</ge><lt>7.1_12</lt></range>
<range><ge>7.2</ge><lt>7.2_8</lt></range>
<range><ge>7.3</ge><lt>7.3_1</lt></range>
<range><ge>8.0</ge><lt>8.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A programming error in the OPIE library could allow an off-by-one
buffer overflow to write a single zero byte beyond the end of an
on-stack buffer.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:05.opie</freebsdsa>
</references>
<dates>
<discovery>2010-05-27</discovery>
<entry>2010-10-24</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="f6eb2279-ca3f-11df-aade-0050568f000c">
<topic>FreeBSD -- Insufficient environment sanitization in jail(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>8.0</ge><lt>8.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The jail(8) utility does not change the current working directory
while imprisoning. The current working directory can be accessed by
its descendants.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:04.jail</freebsdsa>
</references>
<dates>
<discovery>2010-05-27</discovery>
<entry>2010-10-24</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="97f09f2f-ca3f-11df-aade-0050568f000c">
<topic>FreeBSD -- ZFS ZIL playback with insecure permissions</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.1</ge><lt>7.1_10</lt></range>
<range><ge>7.2</ge><lt>7.2_6</lt></range>
<range><ge>8.0</ge><lt>8.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When replaying setattr transaction, the replay code would set the
attributes with certain insecure defaults, when the logged
transaction did not touch these attributes.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:03.zfs</freebsdsa>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-10-24</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="48103b0a-ca3f-11df-aade-0050568f000c">
<topic>FreeBSD -- ntpd mode 7 denial of service</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>6.3</ge><lt>6.3_15</lt></range>
<range><ge>6.4</ge><lt>6.4_9</lt></range>
<range><ge>7.1</ge><lt>7.1_10</lt></range>
<range><ge>7.2</ge><lt>7.2_6</lt></range>
<range><ge>8.0</ge><lt>8.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>If ntpd receives a mode 7 (MODE_PRIVATE) request or error response
from a source address not listed in either a 'restrict ... noquery'
or a 'restrict ... ignore' section it will log the even and send a
mode 7 error response.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:02.ntpd</freebsdsa>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-10-24</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="e500b9bf-ca3e-11df-aade-0050568f000c">
<topic>FreeBSD -- BIND named(8) cache poisoning with DNSSEC validation</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>6.3</ge><lt>6.3_15</lt></range>
<range><ge>6.4</ge><lt>6.4_9</lt></range>
<range><ge>7.1</ge><lt>7.1_10</lt></range>
<range><ge>7.2</ge><lt>7.2_6</lt></range>
<range><ge>8.0</ge><lt>8.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>If a client requests DNSSEC records with the Checking Disabled (CD)
flag set, BIND may cache the unvalidated responses. These responses
may later be returned to another client that has not set the CD
flag.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:01.bind</freebsdsa>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-10-24</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="6e87b696-ca3e-11df-aade-0050568f000c">
<topic>FreeBSD -- Inappropriate directory permissions in freebsd-update(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>6.3</ge><lt>6.3_14</lt></range>
<range><ge>6.4</ge><lt>6.4_8</lt></range>
<range><ge>7.1</ge><lt>7.1_9</lt></range>
<range><ge>7.2</ge><lt>7.2_5</lt></range>
<range><ge>8.0</ge><lt>8.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When downloading updates to FreeBSD via 'freebsd-update fetch' or
'freebsd-update upgrade', the freebsd-update(8) utility copies
currently installed files into its working directory
(/var/db/freebsd-update by default) both for the purpose of merging
changes to configuration files and in order to be able to roll back
installed updates.</p>
<p>The default working directory used by freebsd-update(8) is normally
created during the installation of FreeBSD with permissions which
allow all local users to see its contents, and freebsd-update(8) does
not take any steps to restrict access to files stored in said
directory.</p>
</body>
</description>
<references>
<freebsdsa>SA-09:17.freebsd-update</freebsdsa>
</references>
<dates>
<discovery>2009-12-03</discovery>
<entry>2010-10-24</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="ad08d14b-ca3d-11df-aade-0050568f000c">
<topic>FreeBSD -- Improper environment sanitization in rtld(1)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.1</ge><lt>7.1_9</lt></range>
<range><ge>7.2</ge><lt>7.2_5</lt></range>
<range><ge>8.0</ge><lt>8.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When running setuid programs rtld will normally remove potentially
dangerous environment variables. Due to recent changes in FreeBSD
environment variable handling code, a corrupt environment may
result in attempts to unset environment variables failing.</p>
</body>
</description>
<references>
<freebsdsa>SA-09:16.rtld</freebsdsa>
</references>
<dates>
<discovery>2009-12-03</discovery>
<entry>2010-10-24</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="406779fd-ca3b-11df-aade-0050568f000c">
<topic>FreeBSD -- SSL protocol flaw</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>6.3</ge><lt>6.3_14</lt></range>
<range><ge>6.4</ge><lt>6.4_8</lt></range>
<range><ge>7.1</ge><lt>7.1_9</lt></range>
<range><ge>7.2</ge><lt>7.2_5</lt></range>
<range><ge>8.0</ge><lt>8.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The SSL version 3 and TLS protocols support session
renegotiation without cryptographically tying the new
session parameters to the old parameters.</p>
</body>
</description>
<references>
<freebsdsa>SA-09:15.ssl</freebsdsa>
</references>
<dates>
<discovery>2009-12-03</discovery>
<entry>2010-10-24</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="c9a6ae4a-df8b-11df-9573-00262d5ed8ee">
<topic>monotone -- remote denial of service in default setup</topic>
<affects>
<package>
<name>monotone</name>
<range><lt>0.48.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The monotone developers report:</p>
<blockquote cite="http://www.monotone.ca/NEWS">
<p>Running "mtn ''" or "mtn ls ''" doesn't cause an internal
error anymore. In monotone 0.48 and earlier this behavior
could be used to crash a server remotely (but only if it was
configured to allow execution of remote commands).</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/151665</freebsdpr>
<url>http://www.monotone.ca/NEWS</url>
<url>http://www.thomaskeller.biz/blog/2010/10/22/monotone-0-48-1-released-please-update-your-servers/</url>
</references>
<dates>
<discovery>2010-10-21</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="c4f067b9-dc4a-11df-8e32-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.11,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.14,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.11</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.11,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.14</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.9</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.9</lt></range>
<range><ge>3.1</ge><lt>3.1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)</p>
<p>MFSA 2010-65 Buffer overflow and memory corruption using document.write</p>
<p>MFSA 2010-66 Use-after-free error in nsBarProp</p>
<p>MFSA 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter</p>
<p>MFSA 2010-68 XSS in gopher parser when parsing hrefs</p>
<p>MFSA 2010-69 Cross-site information disclosure via modal calls</p>
<p>MFSA 2010-70 SSL wildcard certificate matching IP addresses</p>
<p>MFSA 2010-71 Unsafe library loading vulnerabilities</p>
<p>MFSA 2010-72 Insecure Diffie-Hellman key exchange</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3170</cvename>
<cvename>CVE-2010-3173</cvename>
<cvename>CVE-2010-3174</cvename>
<cvename>CVE-2010-3175</cvename>
<cvename>CVE-2010-3176</cvename>
<cvename>CVE-2010-3177</cvename>
<cvename>CVE-2010-3178</cvename>
<cvename>CVE-2010-3179</cvename>
<cvename>CVE-2010-3180</cvename>
<cvename>CVE-2010-3181</cvename>
<cvename>CVE-2010-3182</cvename>
<cvename>CVE-2010-3183</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-64.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-65.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-66.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-67.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-68.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-69.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-70.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-71.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-72.html</url>
</references>
<dates>
<discovery>2010-10-19</discovery>
<entry>2010-10-20</entry>
</dates>
</vuln>
<vuln vid="e5090d2a-dbbe-11df-82f8-0015f2db7bde">
<topic>Webkit-gtk2 -- Multiple Vulnabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha Silva reports:</p>
<blockquote cite="http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS">
<p>The patches to fix the following CVEs are included with help from
Vincent Danen and other members of the Red Hat security team:</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1780</cvename>
<cvename>CVE-2010-1807</cvename>
<cvename>CVE-2010-1812</cvename>
<cvename>CVE-2010-1814</cvename>
<cvename>CVE-2010-1815</cvename>
<cvename>CVE-2010-3113</cvename>
<cvename>CVE-2010-3114</cvename>
<cvename>CVE-2010-3115</cvename>
<cvename>CVE-2010-3116</cvename>
<cvename>CVE-2010-3255</cvename>
<cvename>CVE-2010-3257</cvename>
<cvename>CVE-2010-3259</cvename>
<url>http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS</url>
</references>
<dates>
<discovery>2010-10-01</discovery>
<entry>2010-10-19</entry>
</dates>
</vuln>
<vuln vid="dd943fbb-d0fe-11df-95a8-00219b0fc4d8">
<topic>apr -- multiple vunerabilities</topic>
<affects>
<package>
<name>apr1</name>
<range><lt>1.4.2.1.3.10</lt></range>
</package>
<package>
<name>apr0</name>
<range><lt>0.9.19.0.9.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/41701">
<p>Multiple vulnerabilities have been reported in APR-util, which can
be exploited by malicious people to cause a DoS (Denial of
Service).</p>
<p>Two XML parsing vulnerabilities exist in the bundled version of
expat.</p>
<p>An error within the "apr_brigade_split_line()" function in
buckets/apr_brigade.c can be exploited to cause high memory
consumption.</p>
</blockquote>
</body>
</description>
<references>
<bid>43673</bid>
<cvename>CVE-2009-3560</cvename>
<cvename>CVE-2009-3720</cvename>
<cvename>CVE-2010-1623</cvename>
<url>http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3</url>
<url>http://secunia.com/advisories/41701</url>
</references>
<dates>
<discovery>2010-10-02</discovery>
<entry>2010-10-06</entry>
<modified>2010-10-20</modified>
</dates>
</vuln>
<vuln vid="99021f88-ca3c-11df-be21-00e018aa7788">
<topic>phpmyfaq -- cross site scripting vulnerabilities</topic>
<affects>
<package>
<name>phpmyfaq</name>
<range><lt>2.6.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyFAQ project reports:</p>
<blockquote cite="http://www.phpmyfaq.de/advisory_2010-09-28.php">
<p>The phpMyFAQ Team has learned of a security issue that has been
discovered in phpMyFAQ 2.6.x: phpMyFAQ doesn't sanitize
some variables in different pages correctly. With a
properly crafted URL it is e.g. possible to inject
JavaScript code into the output of a page, which could
result in the leakage of domain cookies (f.e. session
identifiers)..</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/151055</freebsdpr>
<url>http://www.phpmyfaq.de/advisory_2010-09-28.php</url>
</references>
<dates>
<discovery>2010-09-28</discovery>
<entry>2010-10-02</entry>
</dates>
</vuln>
<vuln vid="e08c596e-cb28-11df-9c1b-0011098ad87f">
<topic>horde-gollem -- XSS vulnerability</topic>
<affects>
<package>
<name>horde-gollem</name>
<range><lt>1.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde team reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/523">
<p>The major changes compared to Gollem version H3 (1.1.1) are:</p>
<p>* Fixed an XSS vulnerability in the file viewer.</p>
</blockquote>
</body>
</description>
<references>
<url>http://article.gmane.org/gmane.comp.horde.announce/523</url>
<url>http://git.horde.org/diff.php/gollem/docs/CHANGES?rt=horde&amp;r1=1.114.2.55&amp;r2=1.114.2.59&amp;ty=h</url>
<url>http://bugs.horde.org/ticket/9191</url>
</references>
<dates>
<discovery>2010-08-21</discovery>
<entry>2010-09-28</entry>
</dates>
</vuln>
<vuln vid="6c4db192-cb23-11df-9c1b-0011098ad87f">
<topic>horde-imp -- XSS vulnerability</topic>
<affects>
<package>
<name>horde-imp</name>
<range><gt>4.2,1</gt><lt>4.3.8,1</lt></range>
<range><lt>4.3.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde team reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/516">
<p>Thanks to Naumann IT Security Consulting for reporting the XSS
vulnerability.</p>
<p>The major changes compared to IMP version H3 (4.3.7) are:</p>
<p>* Fixed an XSS vulnerability in the Fetchmail configuration.</p>
</blockquote>
</body>
</description>
<references>
<url>http://article.gmane.org/gmane.comp.horde.announce/516</url>
<url>http://git.horde.org/diff.php/imp/docs/CHANGES?rt=horde&amp;r1=1.699.2.424&amp;r2=1.699.2.430&amp;ty=h</url>
</references>
<dates>
<discovery>2010-09-28</discovery>
<entry>2010-09-28</entry>
<modified>2011-09-23</modified>
</dates>
</vuln>
<vuln vid="8fc55043-cb1e-11df-9c1b-0011098ad87f">
<topic>horde-base -- XSS and CSRF vulnerabilities</topic>
<affects>
<package>
<name>horde-base</name>
<range><lt>3.3.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde team reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/515">
<p>Thanks to Naumann IT Security Consulting for reporting the XSS
vulnerability.</p>
<p>Thanks to Secunia for releasing an advisory for the new CSRF
protection in the preference interface</p>
<p>The major changes compared to Horde version 3.3.8 are:</p>
<p>* Fixed XSS vulnerability in util/icon_browser.php.</p>
<p>* Protected preference forms against CSRF attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>http://article.gmane.org/gmane.comp.horde.announce/515</url>
<url>http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&amp;r1=1.515.2.607&amp;r2=1.515.2.620&amp;ty=h</url>
<url>http://secunia.com/advisories/39860/</url>
<url>http://holisticinfosec.org/content/view/145/45/</url>
</references>
<dates>
<discovery>2010-06-03</discovery>
<entry>2010-09-28</entry>
</dates>
</vuln>
<vuln vid="80b6d6cc-c970-11df-bb18-0015587e2cc1">
<topic>openx -- remote code execution vulnerability</topic>
<affects>
<package>
<name>openx</name>
<range><lt>2.8.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenX project reported:</p>
<blockquote cite="http://blog.openx.org/09/security-update/">
<p>It has been brought to our attention that there is a vulnerability
in the 2.8 downloadable version of OpenX that can result in a server
running the downloaded version of OpenX being compromised.</p>
</blockquote>
<p>This vulnerability exists in the file upload functionality
and allows attackers to upload and execute PHP code of
their choice.</p>
</body>
</description>
<references>
<url>http://blog.openx.org/09/security-update/</url>
<url>http://www.h-online.com/security/news/item/Web-sites-distribute-malware-via-hacked-OpenX-servers-1079099.html</url>
</references>
<dates>
<discovery>2010-09-14</discovery>
<entry>2010-09-26</entry>
</dates>
</vuln>
<vuln vid="e4dac715-c818-11df-a92c-0015587e2cc1">
<topic>squid -- Denial of service vulnerability in request handling</topic>
<affects>
<package>
<name>squid</name>
<range><ge>3.0.1</ge><lt>3.0.25_3</lt></range>
<range><ge>3.1.0.1</ge><lt>3.1.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2010:3 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_3.txt">
<p>Due to an internal error in string handling Squid is
vulnerable to a denial of service attack when processing
specially crafted requests.</p>
<p>This problem allows any trusted client to perform a
denial of service attack on the Squid service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3072</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2010_3.txt</url>
</references>
<dates>
<discovery>2010-08-30</discovery>
<entry>2010-09-24</entry>
</dates>
</vuln>
<vuln vid="8a34d9e6-c662-11df-b2e1-001b2134ef46">
<topic>linux-flashplugin -- remote code execution</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r283</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.1r85</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/advisories/apsa10-03.html">
<p>A critical vulnerability exists in Adobe Flash Player
10.1.82.76 and earlier versions for Windows, Macintosh,
Linux, Solaris, and Adobe Flash Player 10.1.92.10 for
Android. This vulnerability also affects Adobe Reader
9.3.4 and earlier versions for Windows, Macintosh and
UNIX, and Adobe Acrobat 9.3.4 and earlier versions for
Windows and Macintosh. This vulnerability (CVE-2010-2884)
could cause a crash and potentially allow an attacker
to take control of the affected system. There are
reports that this vulnerability is being actively
exploited in the wild against Adobe Flash Player on
Windows. Adobe is not aware of any attacks exploiting
this vulnerability against Adobe Reader or Acrobat to
date.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2884</cvename>
<url>http://www.adobe.com/support/security/advisories/apsa10-03.html</url>
</references>
<dates>
<discovery>2010-09-14</discovery>
<entry>2010-09-22</entry>
</dates>
</vuln>
<vuln vid="3ff95dd3-c291-11df-b0dc-00215c6a37bb">
<topic>django -- cross-site scripting vulnerability</topic>
<affects>
<package>
<name>py23-django</name>
<name>py24-django</name>
<name>py25-django</name>
<name>py26-django</name>
<name>py30-django</name>
<name>py31-django</name>
<range><gt>1.2</gt><lt>1.2.2</lt></range>
</package>
<package>
<name>py23-django-devel</name>
<name>py24-django-devel</name>
<name>py25-django-devel</name>
<name>py26-django-devel</name>
<name>py30-django-devel</name>
<name>py31-django-devel</name>
<range><lt>13698,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Django project reports:</p>
<blockquote cite="http://www.djangoproject.com/weblog/2010/sep/08/security-release/">
<p>The provided template tag for inserting the CSRF
token into forms -- {% csrf_token %} -- explicitly
trusts the cookie value, and displays it as-is.
Thus, an attacker who is able to tamper with the
value of the CSRF cookie can cause arbitrary content
to be inserted, unescaped, into the outgoing HTML of
the form, enabling cross-site scripting (XSS) attacks.</p>
</blockquote>
</body>
</description>
<references>
<bid>43116</bid>
<cvename>CVE-2010-3082</cvename>
<url>http://xforce.iss.net/xforce/xfdb/61729</url>
</references>
<dates>
<discovery>2010-09-13</discovery>
<entry>2010-09-17</entry>
</dates>
</vuln>
<vuln vid="9bcfd7b6-bcda-11df-9a6a-0015f2db7bde">
<topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha Silva reports:</p>
<blockquote cite="http://gitorious.org/webkitgtk/stable/commit/9d07fda89aab7105962d933eef32ca15dda610d8">
<p>With help from Vincent Danen and other members of the Red Hat
security team, the following CVE's where fixed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1781</cvename>
<cvename>CVE-2010-1782</cvename>
<cvename>CVE-2010-1784</cvename>
<cvename>CVE-2010-1785</cvename>
<cvename>CVE-2010-1786</cvename>
<cvename>CVE-2010-1787</cvename>
<cvename>CVE-2010-1788</cvename>
<cvename>CVE-2010-1790</cvename>
<cvename>CVE-2010-1792</cvename>
<cvename>CVE-2010-1793</cvename>
<cvename>CVE-2010-2647</cvename>
<cvename>CVE-2010-2648</cvename>
<cvename>CVE-2010-3119</cvename>
<url>http://gitorious.org/webkitgtk/stable/commit/9d07fda89aab7105962d933eef32ca15dda610d8</url>
</references>
<dates>
<discovery>2010-09-07</discovery>
<entry>2010-09-10</entry>
</dates>
</vuln>
<vuln vid="f866d2af-bbba-11df-8a8d-0008743bf21a">
<topic>vim6 -- heap-based overflow while parsing shell metacharacters</topic>
<affects>
<package>
<name>vim6</name>
<name>vim6+ruby</name>
<range><ge>6.2.429</ge><lt>6.3.62</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Description for CVE-2008-3432 says:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3432">
<p>Heap-based buffer overflow in the mch_expand_wildcards
function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted
attackers to execute arbitrary code via shell metacharacters
in filenames, as demonstrated by the netrw.v3 test case.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-3432</cvename>
<url>http://www.openwall.com/lists/oss-security/2008/07/15/4</url>
</references>
<dates>
<discovery>2008-07-31</discovery>
<entry>2010-09-09</entry>
</dates>
</vuln>
<vuln vid="4a21ce2c-bb13-11df-8e32-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.9,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.12,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.9</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.9,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.12</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.7</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.7</lt></range>
<range><ge>3.1</ge><lt>3.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)</p>
<p>MFSA 2010-50 Frameset integer overflow vulnerability</p>
<p>MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array</p>
<p>MFSA 2010-52 Windows XP DLL loading vulnerability</p>
<p>MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText</p>
<p>MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection</p>
<p>MFSA 2010-55 XUL tree removal crash and remote code execution</p>
<p>MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView</p>
<p>MFSA 2010-57 Crash and remote code execution in normalizeDocument</p>
<p>MFSA 2010-58 Crash on Mac using fuzzed font in data: URL</p>
<p>MFSA 2010-59 SJOW creates scope chains ending in outer object</p>
<p>MFSA 2010-60 XSS using SJOW scripted function</p>
<p>MFSA 2010-61 UTF-7 XSS by overriding document charset using object type attribute</p>
<p>MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS</p>
<p>MFSA 2010-63 Information leak via XMLHttpRequest statusText</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2762</cvename>
<cvename>CVE-2010-2763</cvename>
<cvename>CVE-2010-2764</cvename>
<cvename>CVE-2010-2765</cvename>
<cvename>CVE-2010-2766</cvename>
<cvename>CVE-2010-2767</cvename>
<cvename>CVE-2010-2768</cvename>
<cvename>CVE-2010-2769</cvename>
<cvename>CVE-2010-2770</cvename>
<cvename>CVE-2010-2760</cvename>
<cvename>CVE-2010-3131</cvename>
<cvename>CVE-2010-3166</cvename>
<cvename>CVE-2010-3167</cvename>
<cvename>CVE-2010-3168</cvename>
<cvename>CVE-2010-3169</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-49.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-50.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-51.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-52.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-53.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-54.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-55.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-56.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-57.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-58.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-59.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-60.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-61.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-62.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-63.html</url>
</references>
<dates>
<discovery>2010-09-07</discovery>
<entry>2010-09-08</entry>
<modified>2010-09-15</modified>
</dates>
</vuln>
<vuln vid="67b514c3-ba8f-11df-8f6e-000c29a67389">
<topic>sudo -- Flaw in Runas group matching</topic>
<affects>
<package>
<name>sudo</name>
<range><ge>1.7.0</ge><lt>1.7.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://www.sudo.ws/sudo/alerts/runas_group.html">
<p>Beginning with sudo version 1.7.0 it has been possible to grant
permission to run a command using a specified group via sudo -g
option (run as group). A flaw exists in the logic that matches
Runas groups in the sudoers file when the -u option is also
specified (run as user). This flaw results in a positive match for
the user specified via -u so long as the group specified via -g
is allowed by the sudoers file.</p>
<p>Exploitation of the flaw requires that Sudo be configured with
sudoers entries that contain a Runas group. Entries that do not
contain a Runas group, or only contain a Runas user are not
affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2956</cvename>
<url>http://www.sudo.ws/sudo/alerts/runas_group.html</url>
</references>
<dates>
<discovery>2010-09-07</discovery>
<entry>2010-09-07</entry>
</dates>
</vuln>
<vuln vid="29b7e3f4-b6a9-11df-ae63-f255a795cb21">
<topic>lftp -- multiple HTTP client download filename vulnerability</topic>
<affects>
<package>
<name>lftp</name>
<range><lt>4.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The get1 command, as used by lftpget, in LFTP before 4.0.6 does
not properly validate a server-provided filename before determining
the destination filename of a download, which allows remote servers
to create or overwrite arbitrary files via a Content-Disposition
header that suggests a crafted filename, and possibly execute
arbitrary code as a consequence of writing to a dotfile in a home
directory.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2251</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=591580</url>
</references>
<dates>
<discovery>2010-06-09</discovery>
<entry>2010-09-03</entry>
</dates>
</vuln>
<vuln vid="d754b7d2-b6a7-11df-826c-e464a695cb21">
<topic>wget -- multiple HTTP client download filename vulnerability</topic>
<affects>
<package>
<name>wget</name>
<name>wget-devel</name>
<range><le>1.12_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GNU Wget version 1.12 and earlier uses a server-provided filename
instead of the original URL to determine the destination filename of
a download, which allows remote servers to create or overwrite
arbitrary files via a 3xx redirect to a URL with a .wgetrc filename
followed by a 3xx redirect to a URL with a crafted filename, and
possibly execute arbitrary code as a consequence of writing to a
dotfile in a home directory.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2252</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=602797</url>
</references>
<dates>
<discovery>2010-06-09</discovery>
<entry>2010-09-03</entry>
</dates>
</vuln>
<vuln vid="3a7c5fc4-b50c-11df-977b-ecc31dd8ad06">
<topic>p5-libwww -- possibility to remote servers to create file with a .(dot) character</topic>
<affects>
<package>
<name>p5-libwww</name>
<range><lt>5.835</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>lwp-download in libwww-perl before 5.835 does not reject downloads
to filenames that begin with a `.' (dot) character, which allows
remote servers to create or overwrite files via a 3xx redirect to a
URL with a crafted filename or a Content-Disposition header that
suggests a crafted filename, and possibly execute arbitrary code as
a consequence of writing to a dotfile in a home directory.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2253</cvename>
<url>http://cpansearch.perl.org/src/GAAS/libwww-perl-5.836/Changes</url>
</references>
<dates>
<discovery>2010-06-09</discovery>
<entry>2010-08-31</entry>
</dates>
</vuln>
<vuln vid="167953a4-b01c-11df-9a98-0015587e2cc1">
<topic>quagga -- stack overflow and DoS vulnerabilities</topic>
<affects>
<package>
<name>quagga</name>
<range><lt>0.99.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Red Hat security team reported two vulnerabilities:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2010/08/24/3">
<p>A stack buffer overflow flaw was found in the way Quagga's bgpd
daemon processed Route-Refresh messages. A configured
Border Gateway Protocol (BGP) peer could send a
Route-Refresh message with specially-crafted Outbound
Route Filtering (ORF) record, which would cause the
master BGP daemon (bgpd) to crash or, possibly, execute
arbitrary code with the privileges of the user running
bgpd.</p>
<p>A NULL pointer dereference flaw was found in the way
Quagga's bgpd daemon parsed paths of autonomous systems
(AS). A configured BGP peer could send a BGP update AS
path request with unknown AS type, which could lead to
denial of service (bgpd daemon crash).</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2010/08/24/3</url>
<url>http://www.quagga.net/news2.php?y=2010&amp;m=8&amp;d=19#id1282241100</url>
</references>
<dates>
<discovery>2010-08-24</discovery>
<entry>2010-08-25</entry>
</dates>
</vuln>
<vuln vid="8cbf4d65-af9a-11df-89b8-00151735203a">
<topic>bugzilla -- information disclosure, denial of service</topic>
<affects>
<package>
<name>bugzilla</name>
<range><gt>2.17.1</gt><lt>3.6.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.2.7/">
<ul>
<li>Remote Information Disclosure:
An unprivileged user is normally not allowed to view
other users' group membership. But boolean charts
let the user use group-based pronouns, indirectly
disclosing group membership. This security fix
restricts the use of pronouns to groups the user
belongs to.</li>
<li>Notification Bypass:
Normally, when a user is impersonated, he receives
an email informing him that he is being impersonated,
containing the identity of the impersonator. However,
it was possible to impersonate a user without this
notification being sent.</li>
<li>Remote Information Disclosure:
An error message thrown by the "Reports" and "Duplicates"
page confirmed the non-existence of products, thus
allowing users to guess confidential product names.
(Note that the "Duplicates" page was not vulnerable
in Bugzilla 3.6rc1 and above though.)</li>
<li>Denial of Service:
If a comment contained the phrases "bug X" or
"attachment X", where X was an integer larger than the
maximum 32-bit signed integer size, PostgreSQL would
throw an error, and any page containing that comment would
not be viewable. On most Bugzillas, any user can enter
a comment on any bug, so any user could have used this to
deny access to one or all bugs. Bugzillas running on
databases other than PostgreSQL are not affected.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2756</cvename>
<cvename>CVE-2010-2757</cvename>
<cvename>CVE-2010-2758</cvename>
<cvename>CVE-2010-2759</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=417048</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=450013</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=577139</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=519835</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=583690</url>
</references>
<dates>
<discovery>2010-08-05</discovery>
<entry>2010-08-24</entry>
</dates>
</vuln>
<vuln vid="b6069837-aadc-11df-82df-0015f2db7bde">
<topic>OpenTTD -- Denial of service (server) via infinite loop</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>1.0.1</ge><lt>1.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://security.openttd.org/en/CVE-2010-2534">
<p>When multiple commands are queued (at the server) for execution
in the next game tick and an client joins the server can get into
an infinite loop. With the default settings triggering this bug
is difficult (if not impossible), however the larger value of
the "frame_freq" setting is easier it is to trigger the bug.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2534</cvename>
<url>http://security.openttd.org/en/CVE-2010-2534</url>
</references>
<dates>
<discovery>2010-06-27</discovery>
<entry>2010-08-22</entry>
</dates>
</vuln>
<vuln vid="67a1c3ae-ad69-11df-9be6-0015587e2cc1">
<topic>corkscrew -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>corkscrew</name>
<range><le>2.0</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The affected corkscrew versions use sscanf calls without proper
bounds checking. In the authentication file parsing routine
this can cause an exploitable buffer overflow condition.
A similar but issue exists in the server response code but
appears to be non-exploitable.</p>
</body>
</description>
<references>
<url>http://people.freebsd.org/~niels/issues/corkscrew-20100821.txt</url>
</references>
<dates>
<discovery>2010-08-21</discovery>
<entry>2010-08-21</entry>
</dates>
</vuln>
<vuln vid="274922b8-ad20-11df-af1f-00e0814cab4e">
<topic>phpmyadmin -- Several XSS vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.3.5.1</lt></range>
</package>
<package>
<name>phpMyAdmin211</name>
<range><lt>2.11.10.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpMyAdmin Team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php">
<p>It was possible to conduct a XSS attack using crafted URLs org
POST parameters on several pages.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3056</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php</url>
</references>
<dates>
<discovery>2010-08-09</discovery>
<entry>2010-08-21</entry>
</dates>
</vuln>
<vuln vid="68c7187a-abd2-11df-9be6-0015587e2cc1">
<topic>slim -- insecure PATH assignment</topic>
<affects>
<package>
<name>slim</name>
<range><lt>1.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SLiM assigns logged on users a PATH in which the current
working directory ("./") is included. This PATH can allow
unintentional code execution through planted binaries and
has therefore been fixed SLiM version 1.3.2.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2945</cvename>
<url>http://seclists.org/oss-sec/2010/q3/198</url>
</references>
<dates>
<discovery>2010-05-12</discovery>
<entry>2010-08-19</entry>
<modified>2010-08-20</modified>
</dates>
</vuln>
<vuln vid="34e0316a-aa91-11df-8c2e-001517289bf8">
<topic>ruby -- UTF-7 encoding XSS vulnerability in WEBrick</topic>
<affects>
<package>
<name>ruby</name>
<name>ruby+pthreads</name>
<name>ruby+pthreads+oniguruma</name>
<name>ruby+oniguruma</name>
<range><ge>1.8.*,1</ge><lt>1.8.7.248_3,1</lt></range>
<range><ge>1.9.*,1</ge><lt>1.9.1.430,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The official ruby site reports:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/">
<p>WEBrick have had a cross-site scripting vulnerability that allows
an attacker to inject arbitrary script or HTML via a crafted URI.
This does not affect user agents that strictly implement HTTP/1.1,
however, some user agents do not.</p>
</blockquote>
</body>
</description>
<references>
<bid>40895</bid>
<cvename>CVE-2010-0541</cvename>
<url>http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/</url>
</references>
<dates>
<discovery>2010-08-16</discovery>
<entry>2010-08-17</entry>
<modified>2010-08-20</modified>
</dates>
</vuln>
<vuln vid="b74a8076-9b1f-11df-9f58-021e8c343e76">
<topic>isolate -- local root exploit</topic>
<affects>
<package>
<name>isolate</name>
<range><lt>20100717</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://code.google.com/p/isolate/">
<p>Isolate currently suffers from some bad security bugs! These
are local root privilege escalation bugs. Thanks to the helpful
person who reported them (email Chris if you want credit!).
We're working to fix them ASAP, but until then, isolate is
unsafe and you should uninstall it. Sorry!</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/148911</freebsdpr>
<url>http://code.google.com/p/isolate/</url>
</references>
<dates>
<discovery>2010-07-29</discovery>
<entry>2010-08-13</entry>
</dates>
</vuln>
<vuln vid="e7d91a3c-a7c9-11df-870c-00242b513d7c">
<topic>vlc -- invalid id3v2 tags may lead to invalid memory dereferencing</topic>
<affects>
<package>
<name>vlc</name>
<range><gt>0.9.0,3</gt><lt>1.1.2_1,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>VideoLAN project reports:</p>
<blockquote cite="http://www.videolan.org/security/sa1004.html">
<p>VLC fails to perform sufficient input validation when trying to
extract some meta-informations about input media through ID3v2
tags. In the failure case, VLC attempt dereference an invalid
memory address, and a crash will ensure.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2937</cvename>
<url>http://www.videolan.org/security/sa1004.html</url>
</references>
<dates>
<discovery>2010-07-29</discovery>
<entry>2010-08-14</entry>
</dates>
</vuln>
<vuln vid="e19e74a4-a712-11df-b234-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r280</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.1r82</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-16.html">
<p>Critical vulnerabilities have been identified in Adobe
Flash Player version 10.1.53.64 and earlier. These
vulnerabilities could cause the application to crash and
could potentially allow an attacker to take control of the
affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0209</cvename>
<cvename>CVE-2010-2188</cvename>
<cvename>CVE-2010-2213</cvename>
<cvename>CVE-2010-2214</cvename>
<cvename>CVE-2010-2215</cvename>
<cvename>CVE-2010-2216</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb10-16.html</url>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-08-13</entry>
</dates>
</vuln>
<vuln vid="71273c4d-a6ec-11df-8a8d-0008743bf21a">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<range><lt>10.61</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Opera Destkop Team reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1061/">
<ul>
<li>Fixed an issue where heap buffer overflow in HTML5 canvas could
be used to execute arbitrary code, as reported by Kuzzcc.</li>
<li>Fixed an issue where unexpected changes in tab focus could be
used to run programs from the Internet, as reported by Jakob Balle
and Sven Krewitt of Secunia.</li>
<li>Fixed an issue where news feed preview could subscribe to feeds
without interaction, as reported by Alexios Fakos.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/support/search/view/966/</url>
<url>http://www.opera.com/support/search/view/967/</url>
<url>http://www.opera.com/support/search/view/968/</url>
</references>
<dates>
<discovery>2010-08-12</discovery>
<entry>2010-08-13</entry>
</dates>
</vuln>
<vuln vid="c2eac2b5-9a7d-11df-8e32-000f20797ede">
<topic>firefox -- Dangling pointer crash regression from plugin parameter array fix</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.8,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.8,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2755</cvename>
<url>https://www.mozilla.org/security/announce/2010/mfsa2010-48.html</url>
</references>
<dates>
<discovery>2010-07-20</discovery>
<entry>2010-08-09</entry>
</dates>
</vuln>
<vuln vid="26e1c48a-9fa7-11df-81b5-00e0814cab4e">
<topic>Piwik -- Local File Inclusion Vulnerability</topic>
<affects>
<package>
<name>piwik</name>
<range><gt>0.6</gt><lt>0.6.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Piwik versions 0.6 through 0.6.3 are vulnerable to arbitrary,
remote file inclusion using a directory traversal pattern infinite
a crafted request for a data renderer.</p>
<blockquote cite="http://secunia.com/advisories/40703">
<p>A vulnerability has been reported in Piwik, which can before
exploited by malicious people to disclose potentially
sensitive information. Input passed to unspecified parameters
when requesting a data renderer is not properly verified before
being used to include files. This can be exploited to includes
arbitrary files from local resources via directory traversal
attacks.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2786</cvename>
<url>http://secunia.com/advisories/40703</url>
</references>
<dates>
<discovery>2010-07-28</discovery>
<entry>2010-08-04</entry>
</dates>
</vuln>
<vuln vid="43024078-9b63-11df-8983-001d60d86f38">
<topic>libmspack -- infinite loop denial of service</topic>
<affects>
<package>
<name>libmspack</name>
<range><le>0.0.20060920</le></range>
</package>
<package>
<name>cabextract</name>
<range><lt>1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>There is a denial of service vulnerability in libmspack. The
libmspack code is built into cabextract, so it is also
vulnerable.</p>
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/40719/">
<p>The vulnerability is caused due to an error when copying data
from an uncompressed block (block type 0) and can be exploited
to trigger an infinite loop by tricking an application using the
library into processing specially crafted MS-ZIP archives.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/40719/</url>
</references>
<dates>
<discovery>2010-07-26</discovery>
<entry>2010-07-30</entry>
</dates>
</vuln>
<vuln vid="28a7310f-9855-11df-8d36-001aa0166822">
<topic>apache -- Remote DoS bug in mod_cache and mod_dav</topic>
<affects>
<package>
<name>apache</name>
<range><ge>2.2.0</ge><lt>2.2.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache ChangeLog reports:</p>
<blockquote cite="http://www.apache.org/dist/httpd/CHANGES_2.2.16">
<p>mod_dav, mod_cache: Fix Handling of requests without a path segment.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1452</cvename>
<url>http://www.apache.org/dist/httpd/CHANGES_2.2.16</url>
<url>https://issues.apache.org/bugzilla/show_bug.cgi?id=49246</url>
<url>http://svn.apache.org/viewvc?view=revision&amp;revision=966349</url>
</references>
<dates>
<discovery>2010-07-21</discovery>
<entry>2010-07-26</entry>
</dates>
</vuln>
<vuln vid="827bc2b7-95ed-11df-9160-00e0815b8da8">
<topic>git -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>git</name>
<range><ge>1.5.6</ge><lt>1.7.1.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Greg Brockman reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2010/07/22/1">
<p>If an attacker were to create a crafted working copy where the
user runs any git command, the attacker could force execution
of arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2542</cvename>
<url>http://git.kernel.org/?p=git/git.git;a=commit;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc</url>
<url>http://www.openwall.com/lists/oss-security/2010/07/22/1</url>
</references>
<dates>
<discovery>2010-07-20</discovery>
<entry>2010-07-23</entry>
</dates>
</vuln>
<vuln vid="0502c1cb-8f81-11df-a0bb-0050568452ac">
<topic>codeigniter -- file upload class vulnerability</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>1.7.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Derek Jones reports:</p>
<blockquote cite="http://codeigniter.com/news/codeigniter_1.7.2_security_patch/">
<p>A fix has been implemented for a security flaw in
CodeIgniter 1.7.2. All applications using the File
Upload class should install the patch to ensure that
their application is not subject to a vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://codeigniter.com/news/codeigniter_1.7.2_security_patch/</url>
<url>http://www.phpframeworks.com/news/p/16365/codeigniter-1-7-2-security-patch</url>
</references>
<dates>
<discovery>2010-07-12</discovery>
<entry>2010-07-21</entry>
</dates>
</vuln>
<vuln vid="8c2ea875-9499-11df-8e32-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.7,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.11,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.7,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.11</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.6</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)</p>
<p>MFSA 2010-35 DOM attribute cloning remote code execution vulnerability</p>
<p>MFSA 2010-36 Use-after-free error in NodeIterator</p>
<p>MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability</p>
<p>MFSA 2010-38 Arbitrary code execution using SJOW and fast native function</p>
<p>MFSA 2010-39 nsCSSValue::Array index integer overflow</p>
<p>MFSA 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability</p>
<p>MFSA 2010-41 Remote code execution using malformed PNG image</p>
<p>MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts</p>
<p>MFSA 2010-43 Same-origin bypass using canvas context</p>
<p>MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish</p>
<p>MFSA 2010-45 Multiple location bar spoofing vulnerabilities</p>
<p>MFSA 2010-46 Cross-domain data theft using CSS</p>
<p>MFSA 2010-47 Cross-origin data leakage from script filename in error messages</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0654</cvename>
<cvename>CVE-2010-1205</cvename>
<cvename>CVE-2010-1206</cvename>
<cvename>CVE-2010-1207</cvename>
<cvename>CVE-2010-1208</cvename>
<cvename>CVE-2010-1209</cvename>
<cvename>CVE-2010-1210</cvename>
<cvename>CVE-2010-1211</cvename>
<cvename>CVE-2010-1212</cvename>
<cvename>CVE-2010-1213</cvename>
<cvename>CVE-2010-1214</cvename>
<cvename>CVE-2010-1215</cvename>
<cvename>CVE-2010-2751</cvename>
<cvename>CVE-2010-2752</cvename>
<cvename>CVE-2010-2753</cvename>
<cvename>CVE-2010-2754</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-34.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-35.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-36.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-37.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-38.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-39.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-40.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-41.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-42.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-43.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-44.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-45.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-46.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-47.html</url>
</references>
<dates>
<discovery>2010-07-20</discovery>
<entry>2010-07-21</entry>
</dates>
</vuln>
<vuln vid="9a8fecef-92c0-11df-b140-0015f2db7bde">
<topic>vte -- Classic terminal title set+query attack</topic>
<affects>
<package>
<name>vte</name>
<range><lt>0.24.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kees Cook reports:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/512388">
<p>Janne Snabb discovered that applications using VTE, such as
gnome-terminal, did not correctly filter window and icon title
request escape codes. If a user were tricked into viewing
specially crafted output in their terminal, a remote attacker
could execute arbitrary commands with user privileges.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2713</cvename>
<url>http://www.securityfocus.com/archive/1/512388</url>
</references>
<dates>
<discovery>2010-07-15</discovery>
<entry>2010-07-18</entry>
</dates>
</vuln>
<vuln vid="19419b3b-92bd-11df-b140-0015f2db7bde">
<topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha reports:</p>
<blockquote cite="http://blog.kov.eti.br/?p=116">
<p>Debian's Michael Gilbert has done a great job going through all
CVEs released about WebKit, and including patches in the Debian
package. 1.2.3 includes all of the commits from trunk to fix those,
too.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1386</cvename>
<cvename>CVE-2010-1392</cvename>
<cvename>CVE-2010-1405</cvename>
<cvename>CVE-2010-1407</cvename>
<cvename>CVE-2010-1416</cvename>
<cvename>CVE-2010-1417</cvename>
<cvename>CVE-2010-1418</cvename>
<cvename>CVE-2010-1421</cvename>
<cvename>CVE-2010-1422</cvename>
<cvename>CVE-2010-1501</cvename>
<cvename>CVE-2010-1664</cvename>
<cvename>CVE-2010-1665</cvename>
<cvename>CVE-2010-1758</cvename>
<cvename>CVE-2010-1759</cvename>
<cvename>CVE-2010-1760</cvename>
<cvename>CVE-2010-1761</cvename>
<cvename>CVE-2010-1762</cvename>
<cvename>CVE-2010-1767</cvename>
<cvename>CVE-2010-1770</cvename>
<cvename>CVE-2010-1771</cvename>
<cvename>CVE-2010-1772</cvename>
<cvename>CVE-2010-1773</cvename>
<cvename>CVE-2010-1774</cvename>
<cvename>CVE-2010-2264</cvename>
<url>http://blog.kov.eti.br/?p=116</url>
</references>
<dates>
<discovery>2010-07-16</discovery>
<entry>2010-07-18</entry>
</dates>
</vuln>
<vuln vid="ba61ce15-8a7b-11df-87ec-0050569b2d21">
<topic>redmine -- multiple vulnerabilities</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>0.9.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Eric Davis reports:</p>
<blockquote cite="http://www.redmine.org/news/41">
<p>This security release addresses some security
vulnerabilities found in the advanced subversion
integration module (Redmine.pm perl script).</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.redmine.org/news/41</url>
</references>
<dates>
<discovery>2010-07-08</discovery>
<entry>2010-07-10</entry>
</dates>
</vuln>
<vuln vid="25ed4ff8-8940-11df-a339-0026189baca3">
<topic>bogofilter -- heap underrun on malformed base64 input</topic>
<affects>
<package>
<name>bogofilter</name>
<range><lt>1.2.1_2</lt></range>
</package>
<package>
<name>bogofilter-sqlite</name>
<range><lt>1.2.1_1</lt></range>
</package>
<package>
<name>bogofilter-tc</name>
<range><lt>1.2.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Julius Plenz reports:</p>
<blockquote cite="http://www.bogofilter.org/pipermail/bogofilter-dev/2010-June/003475.html">
<p>I found a bug in the base64_decode function which may cause memory
corruption when the function is executed on a malformed base64
encoded string.</p>
<p>If a string starting with an equal-sign is passed to the
base64_decode function it triggers a memory corruption that
in some cases makes bogofilter crash.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2494</cvename>
<url>http://bogofilter.sourceforge.net/security/bogofilter-SA-2010-01</url>
</references>
<dates>
<discovery>2010-06-28</discovery>
<entry>2010-07-06</entry>
</dates>
</vuln>
<vuln vid="f1331504-8849-11df-89b8-00151735203a">
<topic>bugzilla -- information disclosure</topic>
<affects>
<package>
<name>bugzilla</name>
<range><gt>2.17.1</gt><lt>3.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.2.6/">
<ul>
<li>Normally, information about time-tracking (estimated
hours, actual hours, hours worked, and deadlines) is
restricted to users in the "time-tracking group".
However, any user was able, by crafting their own
search URL, to search for bugs based using those
fields as criteria, thus possibly exposing sensitive
time-tracking information by a user seeing that a bug
matched their search.</li>
<li>If $use_suexec was set to "1" in the localconfig file,
then the localconfig file's permissions were set as
world-readable by checksetup.pl. This allowed any user
with local shell access to see the contents of the file,
including the database password and the site_wide_secret
variable used for CSRF protection.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1204</cvename>
<cvename>CVE-2010-0180</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=309952</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=561797</url>
</references>
<dates>
<discovery>2010-06-24</discovery>
<entry>2010-07-05</entry>
</dates>
</vuln>
<vuln vid="8685d412-8468-11df-8d45-001d7d9eb79a">
<topic>kvirc -- multiple vulnerabilities</topic>
<affects>
<package>
<name>kvirc</name>
<name>kvirc-devel</name>
<range><lt>4.0.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two security vulnerabilities have been discovered:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2451">
<p>Multiple format string vulnerabilities in the DCC functionality
in KVIrc 3.4 and 4.0 have unspecified impact and remote attack vectors.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2452">
<p>Directory traversal vulnerability in the DCC functionality
in KVIrc 3.4 and 4.0 allows remote attackers to overwrite
arbitrary files via unknown vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2451</cvename>
<cvename>CVE-2010-2452</cvename>
<url>http://lists.omnikron.net/pipermail/kvirc/2010-May/000867.html</url>
</references>
<dates>
<discovery>2010-05-17</discovery>
<entry>2010-06-30</entry>
</dates>
</vuln>
<vuln vid="edef3f2f-82cf-11df-bcce-0018f3e2eb82">
<topic>png -- libpng decompression buffer overflow</topic>
<affects>
<package>
<name>png</name>
<range>
<lt>1.4.3</lt>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PNG project describes the problem in an advisory:</p>
<blockquote cite="http://www.libpng.org/pub/png/libpng.html">
<p>Several versions of libpng through 1.4.2 (and through 1.2.43
in the older series) contain a bug whereby progressive
applications such as web browsers (or the rpng2 demo app included
in libpng) could receive an extra row of image data beyond the
height reported in the header, potentially leading to an
out-of-bounds write to memory (depending on how the application
is written) and the possibility of execution of an attacker's
code with the privileges of the libpng user (including remote
compromise in the case of a libpng-based browser visiting a
hostile web site).</p>
</blockquote>
</body>
</description>
<references>
<bid>41174</bid>
<cvename>CVE-2010-1205</cvename>
<url>http://www.libpng.org/pub/png/libpng.html</url>
</references>
<dates>
<discovery>2010-03-30</discovery>
<entry>2010-06-28</entry>
<modified>2010-06-28</modified>
</dates>
</vuln>
<vuln vid="66759ce6-7530-11df-9c33-000c29ba66d2">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle</name>
<range><lt>1.9.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Moodle release notes report multiple vulnerabilities
which could allow cross site scripting, XSS attacks,
unauthorised deletion of attempts in some instances.</p>
</body>
</description>
<references>
<url>http://docs.moodle.org/en/Moodle_1.9.9_release_notes</url>
</references>
<dates>
<discovery>2010-06-08</discovery>
<entry>2010-06-28</entry>
</dates>
</vuln>
<vuln vid="1cd87e2a-81e3-11df-81d8-00262d5ed8ee">
<topic>mDNSResponder -- corrupted stack crash when parsing bad resolv.conf</topic>
<affects>
<package>
<name>mDNSResponder</name>
<range><le>214</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Juli Mallett reports:</p>
<blockquote>
<p>mdnsd will crash on some systems with a corrupt stack and once
that's fixed it will still leak a file descriptor when parsing
resolv.conf. The crash is because scanf is used with %10s for a
buffer that is only 10 chars long. The buffer size needs increased
to 11 chars to hold the trailing NUL. To fix the leak, an fclose
needs added.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/147007</freebsdpr>
</references>
<dates>
<discovery>2010-05-26</discovery>
<entry>2010-06-27</entry>
</dates>
</vuln>
<vuln vid="77b9f9bc-7fdf-11df-8a8d-0008743bf21a">
<topic>opera -- Data URIs can be used to allow cross-site scripting</topic>
<affects>
<package>
<name>opera</name>
<range><lt>10.11</lt></range>
</package>
<package>
<name>opera-devel</name>
<range><le>10.20_2,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Opera Desktop Team reports:</p>
<blockquote cite="http://www.opera.com/support/kb/view/955/">
<p>Data URIs are allowed to run scripts that manipulate
pages from the site that directly opened them. In some cases, the opening site
is not correctly detected. In these cases, Data URIs may erroneously be able to
run scripts so that they interact with sites that did not directly cause them to
be opened.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/support/kb/view/955/</url>
</references>
<dates>
<discovery>2010-06-21</discovery>
<entry>2010-06-25</entry>
</dates>
</vuln>
<vuln vid="e02e6a4e-6b26-11df-96b2-0015587e2cc1">
<topic>cacti -- multiple vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.7f</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Multiple vulnerabilities have been reported to exist in older version of
Cacti. The release notes of Cacti 0.8.7f summarizes the problems as
follows:</p>
<blockquote cite="http://www.cacti.net/release_notes_0_8_7f.php">
<ul>
<li>SQL injection and shell escaping issues</li>
<li>Cross-site scripting issues</li>
<li>Cacti Graph Viewer SQL injection vulnerability</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/index.html</url>
<url>http://www.cacti.net/release_notes_0_8_7f.php</url>
<url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php</url>
<url>http://www.vupen.com/english/advisories/2010/1204</url>
</references>
<dates>
<discovery>2010-05-24</discovery>
<entry>2010-06-24</entry>
</dates>
</vuln>
<vuln vid="99858b7c-7ece-11df-a007-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.4,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.10,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.10</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.5</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-33 User tracking across sites using Math.random()</p>
<p>MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present</p>
<p>MFSA 2010-31 focus() behavior can be used to inject or steal keystrokes</p>
<p>MFSA 2010-30 Integer Overflow in XSLT Node Sorting</p>
<p>MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal</p>
<p>MFSA 2010-28 Freed object reuse across plugin instances</p>
<p>MFSA 2010-27 Use-after-free error in nsCycleCollector::MarkRoots()</p>
<p>MFSA 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)</p>
<p>MFSA 2010-25 Re-use of freed object due to scope confusion</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-5913</cvename>
<cvename>CVE-2010-0183</cvename>
<cvename>CVE-2010-1121</cvename>
<cvename>CVE-2010-1125</cvename>
<cvename>CVE-2010-1197</cvename>
<cvename>CVE-2010-1199</cvename>
<cvename>CVE-2010-1196</cvename>
<cvename>CVE-2010-1198</cvename>
<cvename>CVE-2010-1200</cvename>
<cvename>CVE-2010-1201</cvename>
<cvename>CVE-2010-1202</cvename>
<cvename>CVE-2010-1203</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-33.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-32.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-31.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-30.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-29.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-28.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-27.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-26.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-25.html</url>
</references>
<dates>
<discovery>2010-06-22</discovery>
<entry>2010-06-23</entry>
</dates>
</vuln>
<vuln vid="25673e6e-786b-11df-a921-0245fb008c0b">
<topic>ziproxy -- security vulnerability in PNG decoder</topic>
<affects>
<package>
<name>ziproxy</name>
<range><ge>3.1.0</ge></range>
<range><lt>3.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Daniel Mealha Cabrita reports:</p>
<blockquote cite="http://ziproxy.sourceforge.net/#news">
<p>Fixed security vulnerability (heap-related) in PNG decoder.
(new bug from 3.1.0)</p>
</blockquote>
</body>
</description>
<references>
<url>http://ziproxy.sourceforge.net/#news</url>
<mlist msgid="201006150731.30474.dancab@gmx.net">http://sourceforge.net/mailarchive/message.php?msg_name=201006150731.30474.dancab%40gmx.net</mlist>
</references>
<dates>
<discovery>2010-06-15</discovery>
<entry>2010-06-15</entry>
</dates>
</vuln>
<vuln vid="8816bf3a-7929-11df-bcce-0018f3e2eb82">
<topic>tiff -- Multiple integer overflows</topic>
<affects>
<package>
<name>tiff</name>
<range><lt>3.9.4</lt></range>
</package>
<package>
<name>linux-tiff</name>
<name>linux-f10-tiff</name>
<range><lt>3.9.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tielei Wang:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2009-012.html">
<p>Multiple integer overflows in inter-color spaces conversion
tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow
context-dependent attackers to execute arbitrary code via a
TIFF image with large (1) width and (2) height values, which
triggers a heap-based buffer overflow in the (a) cvt_whole_image
function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2347</cvename>
<url>http://www.remotesensing.org/libtiff/v3.9.4.html</url>
<url>http://www.ocert.org/advisories/ocert-2009-012.html</url>
</references>
<dates>
<discovery>2009-05-22</discovery>
<entry>2010-06-16</entry>
</dates>
</vuln>
<vuln vid="144e524a-77eb-11df-ae06-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r277</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.1r53</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-14.html">
<p>Critical vulnerabilities have been identified in Adobe
Flash Player version 10.0.45.2 and earlier. These
vulnerabilities could cause the application to crash and
could potentially allow an attacker to take control of the
affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-4546</cvename>
<cvename>CVE-2009-3793</cvename>
<cvename>CVE-2010-1297</cvename>
<cvename>CVE-2010-2160</cvename>
<cvename>CVE-2010-2161</cvename>
<cvename>CVE-2010-2162</cvename>
<cvename>CVE-2010-2163</cvename>
<cvename>CVE-2010-2164</cvename>
<cvename>CVE-2010-2165</cvename>
<cvename>CVE-2010-2166</cvename>
<cvename>CVE-2010-2167</cvename>
<cvename>CVE-2010-2169</cvename>
<cvename>CVE-2010-2170</cvename>
<cvename>CVE-2010-2171</cvename>
<cvename>CVE-2010-2172</cvename>
<cvename>CVE-2010-2173</cvename>
<cvename>CVE-2010-2174</cvename>
<cvename>CVE-2010-2175</cvename>
<cvename>CVE-2010-2176</cvename>
<cvename>CVE-2010-2177</cvename>
<cvename>CVE-2010-2178</cvename>
<cvename>CVE-2010-2179</cvename>
<cvename>CVE-2010-2180</cvename>
<cvename>CVE-2010-2181</cvename>
<cvename>CVE-2010-2182</cvename>
<cvename>CVE-2010-2183</cvename>
<cvename>CVE-2010-2184</cvename>
<cvename>CVE-2010-2185</cvename>
<cvename>CVE-2010-2186</cvename>
<cvename>CVE-2010-2187</cvename>
<cvename>CVE-2010-2188</cvename>
<cvename>CVE-2010-2189</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb10-14.html</url>
</references>
<dates>
<discovery>2008-10-02</discovery>
<entry>2010-06-14</entry>
</dates>
</vuln>
<vuln vid="313da7dc-763b-11df-bcce-0018f3e2eb82">
<topic>tiff -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>tiff</name>
<range><lt>3.9.3</lt></range>
</package>
<package>
<name>linux-tiff</name>
<range><lt>3.9.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kevin Finisterre reports:</p>
<blockquote cite="http://support.apple.com/kb/HT4196">
<p>Multiple integer overflows in the handling of TIFF files may
result in a heap buffer overflow. Opening a maliciously crafted
TIFF file may lead to an unexpected application termination or
arbitrary code execution. The issues are addressed through
improved bounds checking. Credit to Kevin Finisterre of
digitalmunition.com for reporting these issues.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1411</cvename>
<url>http://www.remotesensing.org/libtiff/v3.9.3.html</url>
<url>http://support.apple.com/kb/HT4196</url>
</references>
<dates>
<discovery>2010-04-15</discovery>
<entry>2010-06-12</entry>
</dates>
</vuln>
<vuln vid="d42e5b66-6ea0-11df-9c8d-00e0815b8da8">
<topic>sudo -- Secure path vulnerability</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.7.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://sudo.ws/sudo/alerts/secure_path.html">
<p>Most versions of the C library function getenv() return the
first instance of an environment variable to the caller. However,
some programs, notably the GNU Bourne Again SHell (bash), do
their own environment parsing and may choose the last instance
of a variable rather than the first one.</p>
<p>An attacker may manipulate the environment of the process that
executes Sudo such that a second PATH variable is present. When
Sudo runs a bash script, it is this second PATH variable that
is used by bash, regardless of whether or not Sudo has overwritten
the first instance of PATH. This may allow an attacker to
subvert the program being run under Sudo and execute commands
he/she would not otherwise be allowed to run.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1646</cvename>
<url>http://sudo.ws/sudo/alerts/secure_path.html</url>
</references>
<dates>
<discovery>2010-06-02</discovery>
<entry>2010-06-02</entry>
</dates>
</vuln>
<vuln vid="b43004b8-6a53-11df-bc7b-0245fb008c0b">
<topic>ziproxy -- atypical huge picture files vulnerability</topic>
<affects>
<package>
<name>ziproxy</name>
<range><lt>3.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ziproxy 3.0.1 release fixes a security vulnerability related
to atypical huge picture files (&gt;4GB of size once expanded).</p>
</body>
</description>
<references>
<bid>40344</bid>
<cvename>CVE-2010-1513</cvename>
<url>http://ziproxy.sourceforge.net/#news</url>
<url>http://secunia.com/advisories/39941</url>
<mlist msgid="201005210019.37119.dancab@gmx.net">http://sourceforge.net/mailarchive/message.php?msg_name=201005210019.37119.dancab%40gmx.net</mlist>
</references>
<dates>
<discovery>2010-05-20</discovery>
<entry>2010-05-28</entry>
</dates>
</vuln>
<vuln vid="fc55e396-6deb-11df-8b8e-000c29ba66d2">
<topic>mediawiki -- two security vulnerabilities</topic>
<affects>
<package>
<name>mediawiki</name>
<range><lt>1.15.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two security vulnerabilities were discovered:</p>
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html">
<p>Noncompliant CSS parsing behaviour in Internet Explorer
allows attackers to construct CSS strings which are treated
as safe by previous versions of MediaWiki, but are decoded
to unsafe strings by Internet Explorer.</p>
<p>A CSRF vulnerability was discovered in our login interface.
Although regular logins are protected as of 1.15.3, it was
discovered that the account creation and password reset
reset features were not protected from CSRF. This could lead
to unauthorised access to private wikis.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/39922/</url>
<url>http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html</url>
</references>
<dates>
<discovery>2010-05-28</discovery>
<entry>2010-06-02</entry>
</dates>
</vuln>
<vuln vid="fcc39d22-5777-11df-bf33-001a92771ec2">
<topic>redmine -- multiple vulnerabilities</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>0.9.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Redmine release announcement reports that
several cross side scripting vulnerabilities
and a potential data disclosure vulnerability have
been fixed in the latest release.</p>
</body>
</description>
<references>
<url>http://www.redmine.org/news/39</url>
</references>
<dates>
<discovery>2010-05-01</discovery>
<entry>2010-05-14</entry>
</dates>
</vuln>
<vuln vid="28022228-5a0e-11df-942d-0015587e2cc1">
<topic>wireshark -- DOCSIS dissector denial of service</topic>
<affects>
<package>
<name>wireshark</name>
<range><le>1.2.6_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A vulnerability found in the DOCSIS dissector can cause
Wireshark to crash when a malformed packet trace file is
opened. This means that an attacker will have to trick a
victim into opening such a trace file before being able
to crash the application</p>
</body>
</description>
<references>
<cvename>CVE-2010-1455</cvename>
<url>http://www.wireshark.org/security/wnpa-sec-2010-03.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2010-04.html</url>
</references>
<dates>
<discovery>2010-05-05</discovery>
<entry>2010-05-07</entry>
</dates>
</vuln>
<vuln vid="c0869649-5a0c-11df-942d-0015587e2cc1">
<topic>piwik -- cross site scripting vulnerability</topic>
<affects>
<package>
<name>piwik</name>
<range><le>0.5.5</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Piwik security advisory reports:</p>
<blockquote cite="http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/">
<p>A non-persistent, cross-site scripting vulnerability
(XSS) was found in Piwik's Login form that reflected
the form_url parameter without being properly escaped
or filtered.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1453</cvename>
<url>http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/</url>
</references>
<dates>
<discovery>2010-04-15</discovery>
<entry>2010-05-07</entry>
</dates>
</vuln>
<vuln vid="7132c842-58e2-11df-8d80-0015587e2cc1">
<topic>spamass-milter -- remote command execution vulnerability</topic>
<affects>
<package>
<name>spamass-milter</name>
<range><le>0.3.1_8</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The spamassassin milter plugin contains a vulnerability
that can allow remote attackers to execute commands on
affected systems.</p>
<p>The vulnerability can be exploited trough a special-crafted
email header when the plugin was started with the '-x'
(expand) flag.</p>
</body>
</description>
<references>
<cvename>CVE-2010-1132</cvename>
<url>http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html</url>
<url>http://xforce.iss.net/xforce/xfdb/56732</url>
</references>
<dates>
<discovery>2010-03-07</discovery>
<entry>2010-05-06</entry>
</dates>
</vuln>
<vuln vid="694da5b4-5877-11df-8d80-0015587e2cc1">
<topic>mediawiki -- authenticated CSRF vulnerability</topic>
<affects>
<package>
<name>mediawiki</name>
<range><lt>1.15.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A MediaWiki security announcement reports:</p>
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html">
<p>MediaWiki was found to be vulnerable to login CSRF.
An attacker who controls a user account on the target
wiki can force the victim to log in as the attacker,
via a script on an external website.</p>
<p>If the wiki is configured to allow user scripts, say
with "$wgAllowUserJs = true" in LocalSettings.php, then
the attacker can proceed to mount a phishing-style
attack against the victim to obtain their password.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1150</cvename>
<url>http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=23076</url>
</references>
<dates>
<discovery>2010-04-07</discovery>
<entry>2010-05-05</entry>
</dates>
</vuln>
<vuln vid="0491d15a-5875-11df-8d80-0015587e2cc1">
<topic>lxr -- multiple XSS vulnerabilities</topic>
<affects>
<package>
<name>lxr</name>
<range><le>0.9.6</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dan Rosenberg reports:</p>
<blockquote cite="http://sourceforge.net/mailarchive/message.php?msg_name=E1NS2s4-0001PE-F2%403bkjzd1.ch3.sourceforge.com">
<p>There are several cross-site scripting vulnerabilities
in LXR. These vulnerabilities could allow an attacker
to execute scripts in a user's browser, steal cookies
associated with vulnerable domains, redirect the user
to malicious websites, etc.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4497</cvename>
<freebsdpr>ports/146337</freebsdpr>
<url>http://secunia.com/advisories/38117</url>
<url>http://sourceforge.net/mailarchive/message.php?msg_name=E1NS2s4-0001PE-F2%403bkjzd1.ch3.sourceforge.com</url>
</references>
<dates>
<discovery>2010-01-05</discovery>
<entry>2010-05-05</entry>
</dates>
</vuln>
<vuln vid="752ce039-5242-11df-9139-00242b513d7c">
<topic>vlc -- unintended code execution with specially crafted data</topic>
<affects>
<package>
<name>vlc</name>
<range><lt>1.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>VideoLAN project reports:</p>
<blockquote cite="http://www.videolan.org/security/sa1003.html">
<p>VLC media player suffers from various vulnerabilities when
attempting to parse malformatted or overly long byte streams.</p>
</blockquote>
</body>
</description>
<references>
<bid>39629</bid>
<url>http://www.videolan.org/security/sa1003.html</url>
</references>
<dates>
<discovery>2010-04-19</discovery>
<entry>2010-05-01</entry>
<modified>2010-05-05</modified>
</dates>
</vuln>
<vuln vid="8d10038e-515c-11df-83fb-0015587e2cc1">
<topic>joomla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>joomla15</name>
<range><ge>1.5.1</ge><le>1.5.15</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Joomla! reported the following vulnerabilities:</p>
<blockquote cite="http://developer.joomla.org/security/news/311-20100423-core-negative-values-for-limit-and-offset.html">
<p>If a user entered a URL with a negative query limit
or offset, a PHP notice would display revealing information
about the system..</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/news/310-20100423-core-installer-migration-script.html">
<p>The migration script in the Joomla! installer does not
check the file type being uploaded. If the installation
application is present, an attacker could use it to
upload malicious files to a server.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/news/309-20100423-core-sessation-fixation.html">
<p>Session id doesn't get modified when user logs in. A
remote site may be able to forward a visitor to the
Joomla! site and set a specific cookie. If the user
then logs in, the remote site can use that cookie to
authenticate as that user.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/news/308-20100423-core-password-reset-tokens.html">
<p>When a user requests a password reset, the reset tokens
were stored in plain text in the database. While this
is not a vulnerability in itself, it allows user accounts
to be compromised if there is an extension on the site
with an SQL injection vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://developer.joomla.org/security/news/308-20100423-core-password-reset-tokens.html</url>
<url>http://developer.joomla.org/security/news/309-20100423-core-sessation-fixation.html</url>
<url>http://developer.joomla.org/security/news/310-20100423-core-installer-migration-script.html</url>
<url>http://developer.joomla.org/security/news/311-20100423-core-negative-values-for-limit-and-offset.html</url>
</references>
<dates>
<discovery>2010-04-23</discovery>
<entry>2010-04-26</entry>
</dates>
</vuln>
<vuln vid="5198ef84-4fdc-11df-83fb-0015587e2cc1">
<topic>cacti -- SQL injection and command execution vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><le>0.8.7e4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Bonsai information security reports:</p>
<blockquote cite="http://www.bonsai-sec.com/en/research/vulnerability.php">
<p>A Vulnerability has been discovered in Cacti, which
can be exploited by any user to conduct SQL Injection
attacks. Input passed via the "export_item_id" parameter
to "templates_export.php" script is not properly sanitized
before being used in a SQL query.</p>
</blockquote>
<p>The same source also reported a command execution
vulnerability. This second issue can be exploited by
Cacti users who have the rights to modify device or
graph configurations.</p>
</body>
</description>
<references>
<cvename>CVE-2010-1431</cvename>
<freebsdpr>ports/146021</freebsdpr>
<url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php</url>
<url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-sql-injection-0104.php</url>
<url>http://www.debian.org/security/2010/dsa-2039</url>
</references>
<dates>
<discovery>2010-04-21</discovery>
<entry>2010-04-24</entry>
<modified>2013-06-16</modified>
</dates>
</vuln>
<vuln vid="f6429c24-4fc9-11df-83fb-0015587e2cc1">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle</name>
<range><lt>1.9.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Moodle release notes report multiple vulnerabilities
which could allow remote attackers to perform, amongst
others, cross site scripting, user enumeration and SQL
injection attacks.</p>
</body>
</description>
<references>
<url>http://docs.moodle.org/en/Moodle_1.9.8_release_notes</url>
</references>
<dates>
<discovery>2010-03-25</discovery>
<entry>2010-04-24</entry>
</dates>
</vuln>
<vuln vid="3383e706-4fc3-11df-83fb-0015587e2cc1">
<topic>tomcat -- information disclosure vulnerability</topic>
<affects>
<package>
<name>tomcat</name>
<range><gt>5.5.0</gt><lt>5.5.30</lt></range>
<range><gt>6.0.0</gt><lt>6.0.27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache software foundation reports:</p>
<blockquote cite="http://seclists.org/bugtraq/2010/Apr/200">
<p>The "WWW-Authenticate" header for BASIC and DIGEST
authentication includes a realm name. If a &lt;realm-name&gt;
element is specified for the application in web.xml it
will be used. However, a &lt;realm-name&gt; is not
specified then Tomcat will generate one.</p>
<p>In some circumstances this can expose the local
hostname or IP address of the machine running Tomcat.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1157</cvename>
<freebsdpr>ports/146022</freebsdpr>
<url>http://seclists.org/bugtraq/2010/Apr/200</url>
</references>
<dates>
<discovery>2010-04-22</discovery>
<entry>2010-04-24</entry>
</dates>
</vuln>
<vuln vid="f6b6beaa-4e0e-11df-83fb-0015587e2cc1">
<cancelled/>
</vuln>
<vuln vid="86b8b655-4d1a-11df-83fb-0015587e2cc1">
<topic>krb5 -- KDC double free vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7</ge><lt>1.7.2</lt></range>
<range><ge>1.8</ge><lt>1.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt">
<p>An authenticated remote attacker can crash the KDC by
inducing the KDC to perform a double free. Under some
circumstances on some platforms, this could also allow
malicious code execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1320</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt</url>
</references>
<dates>
<discovery>2010-04-20</discovery>
<entry>2010-04-21</entry>
</dates>
</vuln>
<vuln vid="a4746a86-4c89-11df-83fb-0015587e2cc1">
<topic>e107 -- code execution and XSS vulnerabilities</topic>
<affects>
<package>
<name>e107</name>
<range><lt>0.7.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia Research reported two vulnerabilities in e107:</p>
<p>The first problem affects installations that have the
Content Manager plugin enabled. This plugin does not
sanitize the "content_heading" parameter correctly and
is therefore vulnerable to a cross site scripting attack.</p>
<p>The second vulnerability is related to the avatar upload
functionality. Images containing PHP code can be uploaded
and executed.</p>
</body>
</description>
<references>
<bid>39540</bid>
<cvename>CVE-2010-0996</cvename>
<cvename>CVE-2010-0997</cvename>
<freebsdpr>ports/145885</freebsdpr>
<url>http://e107.org/comment.php?comment.news.864</url>
<url>http://secunia.com/secunia_research/2010-43/</url>
<url>http://secunia.com/secunia_research/2010-44/</url>
<url>http://xforce.iss.net/xforce/xfdb/57932</url>
</references>
<dates>
<discovery>2010-04-15</discovery>
<entry>2010-04-20</entry>
</dates>
</vuln>
<vuln vid="09910d76-4c82-11df-83fb-0015587e2cc1">
<topic>fetchmail -- denial of service vulnerability</topic>
<affects>
<package>
<name>fetchmail</name>
<range>
<ge>4.6.3</ge>
<le>6.3.16</le>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Fetchmail developer Matthias Andree reported a vulnerability
that allows remote attackers to crash the application
when it is runs in verbose mode.</p>
<blockquote cite="http://gitorious.org/fetchmail/fetchmail/commit/ec06293">
<p>Fetchmail before release 6.3.17 did not properly
sanitize external input (mail headers and UID). When a
multi-character locale (such as UTF-8) was in use, this
could cause memory exhaustion and thus a denial of
service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1167</cvename>
<freebsdpr>ports/145857</freebsdpr>
<url>http://gitorious.org/fetchmail/fetchmail/commit/ec06293</url>
<url>http://seclists.org/oss-sec/2010/q2/76</url>
</references>
<dates>
<discovery>2010-04-18</discovery>
<entry>2010-04-20</entry>
</dates>
</vuln>
<vuln vid="a2c4d3d5-4c7b-11df-83fb-0015587e2cc1">
<topic>pidgin -- multiple remote denial of service vulnerabilities</topic>
<affects>
<package>
<name>pidgin</name>
<range><lt>2.6.6</lt></range>
</package>
<package>
<name>libpurple</name>
<range><lt>2.6.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Three denial of service vulnerabilities where found in
pidgin and allow remote attackers to crash the application.
The developers summarized these problems as follows:</p>
<blockquote cite="http://pidgin.im/news/security/?id=45">
<p>Pidgin can become unresponsive when displaying large
numbers of smileys</p>
</blockquote>
<blockquote cite="http://pidgin.im/news/security/?id=44">
<p>Certain nicknames in group chat rooms can trigger a
crash in Finch</p>
</blockquote>
<blockquote cite="http://pidgin.im/news/security/?id=43">
<p>Failure to validate all fields of an incoming message
can trigger a crash</p>
</blockquote>
</body>
</description>
<references>
<bid>38294</bid>
<cvename>CVE-2010-0277</cvename>
<cvename>CVE-2010-0420</cvename>
<cvename>CVE-2010-0423</cvename>
<url>http://pidgin.im/news/security/?id=43</url>
<url>http://pidgin.im/news/security/?id=44</url>
<url>http://pidgin.im/news/security/?id=45</url>
</references>
<dates>
<discovery>2010-02-18</discovery>
<entry>2010-04-20</entry>
</dates>
</vuln>
<vuln vid="4fb5d2cd-4c77-11df-83fb-0015587e2cc1">
<topic>png -- libpng decompression denial of service</topic>
<affects>
<package>
<name>png</name>
<range>
<gt>1.2.43</gt>
<lt>1.4.1</lt>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A vulnerability in libpng can result in denial of service
conditions when a remote attacker tricks a victim to open
a specially-crafted PNG file.</p>
<p>The PNG project describes the problem in an advisory:</p>
<blockquote cite="http://libpng.sourceforge.net/ADVISORY-1.4.1.html">
<p>Because of the efficient compression method used in
Portable Network Graphics (PNG) files, a small PNG file
can expand tremendously, acting as a "decompression
bomb".</p>
<p>Malformed PNG chunks can consume a large amount of CPU
and wall-clock time and large amounts of memory, up to
all memory available on a system</p>
</blockquote>
</body>
</description>
<references>
<bid>38478</bid>
<certvu>576029</certvu>
<cvename>CVE-2010-0205</cvename>
<url>http://libpng.sourceforge.net/ADVISORY-1.4.1.html</url>
<url>http://secunia.com/advisories/38774</url>
<url>http://xforce.iss.net/xforce/xfdb/56661</url>
</references>
<dates>
<discovery>2010-02-27</discovery>
<entry>2010-04-20</entry>
</dates>
</vuln>
<vuln vid="c8c31c41-49ed-11df-83fb-0015587e2cc1">
<topic>curl -- libcurl buffer overflow vulnerability</topic>
<affects>
<package>
<name>curl</name>
<range>
<ge>7.10.5</ge>
<lt>7.20.0</lt>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cURL project reports in a security advisory:</p>
<blockquote cite="http://curl.haxx.se/docs/adv_20100209.html">
<p>Using the affected libcurl version to download compressed
content over HTTP, an application can ask libcurl to
automatically uncompress data. When doing so, libcurl
can wrongly send data up to 64K in size to the callback
which thus is much larger than the documented maximum
size.</p>
<p>An application that blindly trusts libcurl's max limit
for a fixed buffer size or similar is then a possible
target for a buffer overflow vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0734</cvename>
<url>http://curl.haxx.se/docs/adv_20100209.html</url>
<url>http://www.debian.org/security/2010/dsa-2023</url>
<url>http://www.openwall.com/lists/oss-security/2010/02/09/5</url>
</references>
<dates>
<discovery>2010-02-09</discovery>
<entry>2010-04-19</entry>
</dates>
</vuln>
<vuln vid="a04a3c13-4932-11df-83fb-0015587e2cc1">
<topic>ejabberd -- queue overload denial of service vulnerability</topic>
<affects>
<package>
<name>ejabberd</name>
<range><lt>2.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Red Hat security response team reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2010/01/29/1">
<p>A remotely exploitable DoS from XMPP client to ejabberd
server via too many "client2server" messages (causing the
message queue on the server to get overloaded, leading
to server crash) has been found.</p>
</blockquote>
</body>
</description>
<references>
<bid>38003</bid>
<cvename>CVE-2010-0305</cvename>
<url>http://secunia.com/advisories/38337</url>
<url>http://support.process-one.net/browse/EJAB-1173</url>
<url>http://www.openwall.com/lists/oss-security/2010/01/29/1</url>
<url>http://xforce.iss.net/xforce/xfdb/56025</url>
</references>
<dates>
<discovery>2010-01-29</discovery>
<entry>2010-04-19</entry>
</dates>
</vuln>
<vuln vid="3b7967f1-49e8-11df-83fb-0015587e2cc1">
<topic>irssi -- multiple vulnerabilities</topic>
<affects>
<package>
<name>irssi</name>
<range><lt>0.8.15</lt></range>
</package>
<package>
<name>zh-irssi</name>
<range><lt>0.8.15</lt></range>
</package>
<package>
<name>irssi-devel</name>
<range><lt>20100325</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two vulnerabilities have found in irssi. The first issue
could allow man-in-the-middle attacks due to a missing
comparison of SSL server hostnames and the certificate
domain names (e.g. CN).</p>
<p>A second vulnerability, related to the nick matching code,
could be triggered by remote attackers in order to crash
an irssi client when leaving a channel.</p>
</body>
</description>
<references>
<cvename>CVE-2010-1155</cvename>
<cvename>CVE-2010-1156</cvename>
<url>http://xforce.iss.net/xforce/xfdb/57790</url>
<url>http://xforce.iss.net/xforce/xfdb/57791</url>
</references>
<dates>
<discovery>2010-04-16</discovery>
<entry>2010-04-19</entry>
</dates>
</vuln>
<vuln vid="a30573dc-4893-11df-a5f9-001641aeabdf">
<topic>krb5 -- remote denial of service vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><le>1.6.3_9</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An authenticated remote attacker can causing a denial
of service by using a newer version of the kadmin protocol
than the server supports.</p>
<p>The MIT Kerberos team also reports the cause:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt">
<p>The Kerberos administration daemon (kadmind) can crash
due to referencing freed memory.</p>
</blockquote>
</body>
</description>
<references>
<bid>39247</bid>
<cvename>CVE-2010-0629</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt</url>
</references>
<dates>
<discovery>2010-04-06</discovery>
<entry>2010-04-18</entry>
</dates>
</vuln>
<vuln vid="9ac0f9c4-492b-11df-83fb-0015587e2cc1">
<topic>krb5 -- multiple denial of service vulnerabilities</topic>
<affects>
<package>
<name>krb5</name>
<range>
<ge>1.7</ge><le>1.7_2</le>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two vulnerabilities in krb5 can be used by remote
attackers in denial of service attacks. The MIT security
advisories report this as follows:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt">
<p>An unauthenticated remote attacker can send an invalid
request to a KDC process that will cause it to crash
due to an assertion failure, creating a denial of
service.</p>
</blockquote>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt">
<p>An unauthenticated remote attacker could cause a GSS-API
application, including the Kerberos administration
daemon (kadmind) to crash.</p>
</blockquote>
</body>
</description>
<references>
<bid>38260</bid>
<bid>38904</bid>
<cvename>CVE-2010-0283</cvename>
<cvename>CVE-2010-0628</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt</url>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt</url>
</references>
<dates>
<discovery>2010-02-16</discovery>
<entry>2010-04-19</entry>
<modified>2013-06-16</modified>
</dates>
</vuln>
<vuln vid="5053420c-4935-11df-83fb-0015587e2cc1">
<topic>mahara -- sql injection vulnerability</topic>
<affects>
<package>
<name>mahara</name>
<range><lt>1.1.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Debian security team reports:</p>
<blockquote cite="http://www.debian.org/security/2010/dsa-2030">
<p>It was discovered that mahara, an electronic portfolio,
weblog, and resume builder is not properly escaping input
when generating a unique username based on a remote user
name from a single sign-on application. An attacker can
use this to compromise the mahara database via crafted
user names.</p>
</blockquote>
</body>
</description>
<references>
<bid>39253</bid>
<cvename>CVE-2010-0400</cvename>
<url>http://www.debian.org/security/2010/dsa-2030</url>
</references>
<dates>
<discovery>2010-04-06</discovery>
<entry>2010-04-18</entry>
</dates>
</vuln>
<vuln vid="1a9f678d-48ca-11df-85f8-000c29a67389">
<topic>sudo -- Privilege escalation with sudoedit</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.7.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="">
<p>Sudo's command matching routine expects actual commands to include
one or more slash ('/') characters. The flaw is that sudo's path
resolution code did not add a "./" prefix to commands found in the
current working directory. This creates an ambiguity between a
"sudoedit" command found in the cwd and the "sudoedit"
pseudo-command in the sudoers file. As a result, a user may be
able to run an arbitrary command named "sudoedit" in the current
working directory. For the attack to be successful, the PATH
environment variable must include "." and may not include any other
directory that contains a "sudoedit" command.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1163</cvename>
<url>http://www.sudo.ws/pipermail/sudo-announce/2010-April/000093.html</url>
<url>http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html</url>
</references>
<dates>
<discovery>2010-04-09</discovery>
<entry>2010-04-15</entry>
</dates>
</vuln>
<vuln vid="3987c5d1-47a9-11df-a0d5-0016d32f24fb">
<topic>KDM -- local privilege escalation vulnerability</topic>
<affects>
<package>
<name>kdebase</name>
<range><le>3.5.10_6</le></range>
</package>
<package>
<name>kdebase-workspace</name>
<range><le>4.3.5_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>KDE Security Advisory reports:</p>
<blockquote cite="http://www.kde.org/info/security/advisory-20100413-1.txt">
<p>KDM contains a race condition that allows local attackers
to make arbitrary files on the system world-writeable.
This can happen while KDM tries to create its control
socket during user login. A local attacker with a valid
local account can under certain circumstances make use of
this vulnerability to execute arbitrary code as root.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0436</cvename>
<url>http://www.kde.org/info/security/advisory-20100413-1.txt</url>
</references>
<dates>
<discovery>2010-04-13</discovery>
<entry>2010-04-14</entry>
<modified>2010-04-14</modified>
</dates>
</vuln>
<vuln vid="805603a1-3e7a-11df-a5a1-0050568452ac">
<topic>dojo -- cross-site scripting and other vulnerabilities</topic>
<affects>
<package>
<name>dojo</name>
<range><lt>1.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Dojo Toolkit team reports:</p>
<blockquote cite="http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/">
<p>Some PHP files did not properly escape input.</p>
<p>Some files could operate like "open redirects". A bad actor
could form an URL that looks like it came from a trusted
site, but the user would be redirected or load content from
the bad actor's site.</p>
<p>A file exposed a more serious cross-site scripting
vulnerability with the possibility of executing code on the
domain where the file exists.</p>
<p>The Dojo build process defaulted to copying over tests and
demos, which are normally not needed and just increased the
number of files that could be targets of attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/</url>
<url>http://osdir.com/ml/bugtraq.security/2010-03/msg00133.html</url>
<url>http://packetstormsecurity.org/1003-exploits/dojo-xss.txt</url>
<url>http://secunia.com/advisories/38964</url>
<url>http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/</url>
</references>
<dates>
<discovery>2010-03-11</discovery>
<entry>2010-04-06</entry>
</dates>
</vuln>
<vuln vid="8ad1c404-3e78-11df-a5a1-0050568452ac">
<topic>Zend Framework -- security issues in bundled Dojo library</topic>
<affects>
<package>
<name>ZendFramework</name>
<range><lt>1.10.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Zend Framework team reports:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-07">
<p>Several files in the bundled Dojo library were identified
as having potential exploits, and the Dojo team also advised
disabling or removing any PHP scripts in the Dojo library tree
when deploying to production.</p>
</blockquote>
</body>
</description>
<references>
<url>http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/</url>
<url>http://framework.zend.com/security/advisory/ZF2010-07</url>
<url>http://osdir.com/ml/bugtraq.security/2010-03/msg00133.html</url>
<url>http://packetstormsecurity.org/1003-exploits/dojo-xss.txt</url>
<url>http://secunia.com/advisories/38964</url>
<url>http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/</url>
</references>
<dates>
<discovery>2010-04-01</discovery>
<entry>2010-04-06</entry>
</dates>
</vuln>
<vuln vid="ec8f449f-40ed-11df-9edc-000f20797ede">
<topic>firefox -- Re-use of freed object due to scope confusion</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6,1</gt><lt>3.6.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2009-25 Re-use of freed object due to scope confusion</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1121</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-25.html</url>
</references>
<dates>
<discovery>2010-04-01</discovery>
<entry>2010-04-05</entry>
</dates>
</vuln>
<vuln vid="9ccfee39-3c3b-11df-9edc-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>seamonkey</name>
<range><gt>2.0</gt><lt>2.0.4</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.4</lt></range>
</package>
<package>
<name>firefox</name>
<range><gt>3.5.*,1</gt><lt>3.5.9,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.19,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.0.19,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.9</lt></range>
</package>
<package>
<name>nss</name>
<name>linux-f10-nss</name>
<range><lt>3.12.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy</p>
<p>MFSA 2010-23 Image src redirect to mailto: URL opens email editor</p>
<p>MFSA 2010-22 Update NSS to support TLS renegotiation indication</p>
<p>MFSA 2010-21 Arbitrary code execution with Firebug XMLHttpRequestSpy</p>
<p>MFSA 2010-20 Chrome privilege escalation via forced URL drag and drop</p>
<p>MFSA 2010-19 Dangling pointer vulnerability in nsPluginArray</p>
<p>MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView</p>
<p>MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection</p>
<p>MFSA 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0181</cvename>
<cvename>CVE-2009-3555</cvename>
<cvename>CVE-2010-0179</cvename>
<cvename>CVE-2010-0178</cvename>
<cvename>CVE-2010-0177</cvename>
<cvename>CVE-2010-0176</cvename>
<cvename>CVE-2010-0175</cvename>
<cvename>CVE-2010-0174</cvename>
<cvename>CVE-2010-0173</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-24.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-23.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-22.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-21.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-20.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-19.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-18.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-17.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-16.html</url>
</references>
<dates>
<discovery>2010-03-30</discovery>
<entry>2010-03-30</entry>
</dates>
</vuln>
<vuln vid="e050119b-3856-11df-b2b2-002170daae37">
<topic>postgresql -- bitsubstr overflow</topic>
<affects>
<package>
<name>postgresql-server</name>
<range><ge>7.4</ge><lt>7.4.28</lt></range>
<range><ge>8.0</ge><lt>8.0.24</lt></range>
<range><ge>8.1</ge><lt>8.1.20</lt></range>
<range><ge>8.2</ge><lt>8.2.16</lt></range>
<range><ge>8.3</ge><lt>8.3.10</lt></range>
<range><ge>8.4</ge><lt>8.4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>BugTraq reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/37973">
<p>PostgreSQL is prone to a buffer-overflow
vulnerability because the application fails to
perform adequate boundary checks on user-supplied
data.</p>
<p>Attackers can exploit this issue to execute
arbitrary code with elevated privileges or
crash the affected application.</p>
</blockquote>
</body>
</description>
<references>
<bid>37973</bid>
<cvename>CVE-2010-0442</cvename>
</references>
<dates>
<discovery>2010-01-27</discovery>
<entry>2010-03-25</entry>
</dates>
</vuln>
<vuln vid="c175d72f-3773-11df-8bb8-0211d880e350">
<topic>gtar -- buffer overflow in rmt client</topic>
<affects>
<package>
<name>gtar</name>
<range><lt>1.22_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakob Lell reports:</p>
<blockquote cite="http://www.agrs.tu-berlin.de/index.php?id=78327">
<p>The rmt client implementation of GNU Tar/Cpio contains
a heap-based buffer overflow which possibly allows
arbitrary code execution.</p>
<p>The problem can be exploited when using an
untrusted/compromised rmt server.</p>
</blockquote>
</body>
</description> <references>
<cvename>CVE-2010-0624</cvename>
<url>http://www.agrs.tu-berlin.de/index.php?id=78327</url>
</references> <dates>
<discovery>2010-03-24</discovery> <entry>2010-03-24</entry>
</dates>
</vuln>
<vuln vid="5d5ed535-3653-11df-9edc-000f20797ede">
<topic>firefox -- WOFF heap corruption due to integer overflow</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6,1</gt><lt>3.6.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-08 WOFF heap corruption due to integer overflow</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1028</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-08.html</url>
</references>
<dates>
<discovery>2010-03-22</discovery>
<entry>2010-03-23</entry>
</dates>
</vuln>
<vuln vid="56cfe192-329f-11df-abb2-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>1.1.19</lt></range>
</package>
<package>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>2.0.0.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-07 Fixes for potentially exploitable crashes ported to the legacy branch</p>
<p>MFSA 2010-06 Scriptable plugin execution in SeaMonkey mail</p>
<p>MFSA 2009-68 NTLM reflection vulnerability</p>
<p>MFSA 2009-62 Download filename spoofing with RTL override</p>
<p>MFSA 2009-59 Heap buffer overflow in string to number conversion</p>
<p>MFSA 2009-49 TreeColumns dangling pointer vulnerability</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0161</cvename>
<cvename>CVE-2010-0163</cvename>
<cvename>CVE-2009-3075</cvename>
<cvename>CVE-2009-3072</cvename>
<cvename>CVE-2009-2463</cvename>
<cvename>CVE-2009-3385</cvename>
<cvename>CVE-2009-3983</cvename>
<cvename>CVE-2009-3376</cvename>
<cvename>CVE-2009-0689</cvename>
<cvename>CVE-2009-3077</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-07.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-06.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-68.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-62.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-59.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-49.html</url>
</references>
<dates>
<discovery>2010-03-16</discovery>
<entry>2010-03-19</entry>
</dates>
</vuln>
<vuln vid="e39caf05-2d6f-11df-aec2-000c29ba66d2">
<topic>egroupware -- two vulnerabilities</topic>
<affects>
<package>
<name>egroupware</name>
<range><lt>1.6.003</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Egroupware Team report:</p>
<blockquote cite="http://www.egroupware.org/Home?category_id=95&amp;item=93">
<p>Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:</p>
<p>Serious remote command execution (allowing to run arbitrary command
on the web server by simply issuing a HTTP request!).</p>
<p>A reflected cross-site scripting (XSS).</p>
<p>Both require NO valid EGroupware account and work without being logged
in!</p>
</blockquote>
</body>
</description>
<references>
<bid>38609</bid>
<url>http://secunia.com/advisories/38859/</url>
<url>http://www.egroupware.org/Home?category_id=95&amp;item=93</url>
</references>
<dates>
<discovery>2010-03-09</discovery>
<entry>2010-03-11</entry>
</dates>
</vuln>
<vuln vid="b3531fe1-2b03-11df-b6db-00248c9b4be7">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal5</name>
<range><lt>5.22</lt></range>
</package>
<package>
<name>drupal6</name>
<range><lt>6.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Team reports:</p>
<blockquote cite="http://drupal.org/node/731710">
<p>A user-supplied value is directly output during installation
allowing a malicious user to craft a URL and perform a cross-site
scripting attack. The exploit can only be conducted on sites not yet
installed.</p>
<p>The API function drupal_goto() is susceptible to a phishing attack.
An attacker could formulate a redirect in a way that gets the Drupal
site to send the user to an arbitrarily provided URL. No user
submitted data will be sent to that URL.</p>
<p>Locale module and dependent contributed modules do not sanitize the
display of language codes, native and English language names properly.
While these usually come from a preselected list, arbitrary
administrator input is allowed. This vulnerability is mitigated by the
fact that the attacker must have a role with the 'administer
languages' permission.</p>
<p>Under certain circumstances, a user with an open session that is
blocked can maintain his/her session on the Drupal site, despite being
blocked.</p>
</blockquote>
</body>
</description>
<references>
<url>http://drupal.org/node/731710</url>
</references>
<dates>
<discovery>2010-03-03</discovery>
<entry>2010-03-08</entry>
</dates>
</vuln>
<vuln vid="018a84d0-2548-11df-b4a3-00e0815b8da8">
<topic>sudo -- Privilege escalation with sudoedit</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.7.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="">
<p>When sudo performs its command matching, there is a special case
for pseudo-commands in the sudoers file (currently, the only
pseudo-command is sudoedit). Unlike a regular command,
pseudo-commands do not begin with a slash ('/'). The flaw is that
sudo's the matching code would only check against the list of
pseudo-commands if the user-specified command also contained no
slashes. As a result, if the user ran "sudo ./sudoedit" the normal
matching code path was followed, which uses stat(2) to verify that
the user-specified command matches the one in sudoers. In this
case, it would compare the "./sudoedit" specified by the user with
"sudoedit" from the sudoers file, resulting in a positive
match.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.sudo.ws/pipermail/sudo-announce/2010-February/000092.html</url>
<url>http://www.sudo.ws/sudo/alerts/sudoedit_escalate.html</url>
<url>http://secunia.com/advisories/38659</url>
<cvename>CVE-2010-0426</cvename>
<bid>38362</bid>
</references>
<dates>
<discovery>2010-01-29</discovery>
<entry>2010-03-01</entry>
</dates>
</vuln>
<vuln vid="c97d7a37-2233-11df-96dd-001b2134ef46">
<topic>openoffice.org -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openoffice.org</name>
<range><lt>3.2.0</lt></range>
<range><ge>3.2.20010101</ge><lt>3.2.20100203</lt></range>
<range><ge>3.3.20010101</ge><lt>3.3.20100207</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenOffice.org Security Team reports:</p>
<blockquote cite="http://www.openoffice.org/security/bulletin.html">
<p>Fixed in OpenOffice.org 3.2</p>
<p>CVE-2006-4339: Potential vulnerability from 3rd party
libxml2 libraries</p>
<p>CVE-2009-0217: Potential vulnerability from 3rd party
libxmlsec libraries</p>
<p>CVE-2009-2493: OpenOffice.org 3 for Windows bundles a vulnerable
version of MSVC Runtime</p>
<p>CVE-2009-2949: Potential vulnerability related to XPM file
processing</p>
<p>CVE-2009-2950: Potential vulnerability related to GIF file
processing</p>
<p>CVE-2009-3301/2: Potential vulnerability related to MS-Word
document processing</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openoffice.org/security/bulletin.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2006-4339.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-0217.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-2493.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-2949.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-2950.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html</url>
<cvename>CVE-2006-4339</cvename>
<cvename>CVE-2009-0217</cvename>
<cvename>CVE-2009-2493</cvename>
<cvename>CVE-2009-2949</cvename>
<cvename>CVE-2009-2950</cvename>
<cvename>CVE-2009-3301</cvename>
<cvename>CVE-2009-3302</cvename>
</references>
<dates>
<discovery>2006-08-24</discovery>
<entry>2010-02-25</entry>
<modified>2010-02-27</modified>
</dates>
</vuln>
<vuln vid="f82c85d8-1c6e-11df-abb2-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.5.*,1</gt><lt>3.5.8,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.18,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.0.18,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.8</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.3</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-05 XSS hazard using SVG document and binary Content-Type</p>
<p>MFSA 2010-04 XSS due to window.dialogArguments being readable cross-domain</p>
<p>MFSA 2010-03 Use-after-free crash in HTML parser</p>
<p>MFSA 2010-02 Web Worker Array Handling Heap Corruption Vulnerability</p>
<p>MFSA 2010-01 Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0159</cvename>
<cvename>CVE-2010-0160</cvename>
<cvename>CVE-2009-1571</cvename>
<cvename>CVE-2009-3988</cvename>
<cvename>CVE-2010-0162</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-01.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-02.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-03.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-04.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-05.html</url>
</references>
<dates>
<discovery>2010-02-17</discovery>
<entry>2010-02-18</entry>
<modified>2010-02-28</modified>
</dates>
</vuln>
<vuln vid="1a3bd81f-1b25-11df-bd1a-002170daae37">
<topic>lighttpd -- denial of service vulnerability</topic>
<affects>
<package>
<name>lighttpd</name>
<range><lt>1.4.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Lighttpd security advisory reports:</p>
<blockquote cite="http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt">
<p>If you send the request data very slow (e.g. sleep
0.01 after each byte), lighttpd will easily use all
available memory and die (especially for parallel
requests), allowing a DoS within minutes.</p>
</blockquote>
</body>
</description>
<references>
<bid>38036</bid>
<cvename>CVE-2010-0295</cvename>
<url>http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt</url>
</references>
<dates>
<discovery>2010-02-02</discovery>
<entry>2010-02-16</entry>
</dates>
</vuln>
<vuln vid="81d9dc0c-1988-11df-8e66-0019996bc1f7">
<topic>squid -- Denial of Service vulnerability in HTCP</topic>
<affects>
<package>
<name>squid</name>
<range><ge>2.7.1</ge><lt>2.7.7_4</lt></range>
<range><ge>3.0.1</ge><lt>3.0.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2010:2 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_2.txt">
<p>Due to incorrect processing Squid is vulnerable to a
denial of service attack when receiving specially crafted
HTCP packets.</p>
<p>This problem allows any machine to perform a denial
of service attack on the Squid service when its HTCP port
is open.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0639</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2010_2.txt</url>
</references>
<dates>
<discovery>2010-02-12</discovery>
<entry>2010-02-14</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="ff6519ad-18e5-11df-9bdd-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r262</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.0r45</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-06.html">
<p>A critical vulnerability has been identified in Adobe
Flash Player version 10.0.42.34 and earlier. This
vulnerability (CVE-2010-0186) could subvert the domain sandbox
and make unauthorized cross-domain requests. This update also
resolves a potential Denial of Service issue (CVE-2010-0187).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0186</cvename>
<cvename>CVE-2010-0187</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb10-06.html</url>
</references>
<dates>
<discovery>2010-02-11</discovery>
<entry>2010-02-13</entry>
</dates>
</vuln>
<vuln vid="0a82ac0c-1886-11df-b0d1-0015f2db7bde">
<topic>gnome-screensaver -- Multiple monitor hotplug issues</topic>
<affects>
<package>
<name>gnome-screensaver</name>
<range><lt>2.28.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ray Strode reports:</p>
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=609337">
<p>Under certain circumstances it is possible to circumvent the security of screen
locking functionality of gnome-screensaver by changing the systems physical
monitor configuration.</p>
</blockquote>
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=609789">
<p>gnome-screensaver can lose its keyboard grab when locked, exposing the system
to intrusion by adding and removing monitors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0414</cvename>
<cvename>CVE-2010-0422</cvename>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=609337</url>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=609789</url>
</references>
<dates>
<discovery>2010-02-08</discovery>
<entry>2010-02-13</entry>
</dates>
</vuln>
<vuln vid="2a6a966f-1774-11df-b5c1-0026189baca3">
<topic>fetchmail -- heap overflow on verbose X.509 display</topic>
<affects>
<package>
<name>fetchmail</name>
<range><ge>6.3.11</ge><lt>6.3.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
<blockquote cite="http://www.fetchmail.info/fetchmail-SA-2010-01.txt">
<p>In verbose mode, fetchmail prints X.509 certificate subject and
issuer information to the user, and counts and allocates a malloc()
buffer for that purpose.</p>
<p>If the material to be displayed contains characters with high bit
set and the platform treats the "char" type as signed, this can cause
a heap buffer overrun because non-printing characters are escaped as
\xFF..FFnn, where nn is 80..FF in hex.</p>
</blockquote>
</body>
</description>
<references>
<bid>38088</bid>
<cvename>CVE-2010-0562</cvename>
<url>http://www.fetchmail.info/fetchmail-SA-2010-01.txt</url>
<mlist msgid="20100205014643.GA25506@merlin.emma.line.org">https://lists.berlios.de/pipermail/fetchmail-announce/2010-February/000073.html</mlist>
</references>
<dates>
<discovery>2010-02-04</discovery>
<entry>2010-02-12</entry>
</dates>
</vuln>
<vuln vid="bb0a8795-15dc-11df-bf0a-002170daae37">
<topic>wireshark -- LWRES vulnerability</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<range><lt>1.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark project reports:</p>
<blockquote cite="http://www.wireshark.org/security/wnpa-sec-2010-02.html">
<p>Babi discovered several buffer overflows in the
LWRES dissector.</p>
<p>It may be possible to make Wireshark crash remotely
or by convincing someone to read a malformed packet
trace file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0304</cvename>
<url>http://secunia.com/advisories/38257/</url>
<url>http://www.wireshark.org/security/wnpa-sec-2010-02.html</url>
</references>
<dates>
<discovery>2010-01-27</discovery>
<entry>2010-02-10</entry>
</dates>
</vuln>
<vuln vid="6b575419-14cf-11df-a628-001517351c22">
<topic>otrs -- SQL injection</topic>
<affects>
<package>
<name>otrs</name>
<range><lt>2.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://otrs.org/advisory/OSA-2010-01-en/">
<p>Missing security quoting for SQL statements allows agents and
customers to manipulate SQL queries. So it's possible for
authenticated users to inject SQL queries
via string manipulation of statements.</p>
<p>A malicious user may be able to manipulate SQL queries to read
or modify records in the database. This way it could also be
possible to get access to more permissions (e. g. administrator
permissions).</p>
<p>To use this vulnerability the malicious user needs to have
a valid Agent- or Customer-session.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0438</cvename>
<url>http://otrs.org/advisory/OSA-2010-01-en/</url>
</references>
<dates>
<discovery>2010-02-08</discovery>
<entry>2010-02-08</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="cae01d7b-110d-11df-955a-00219b0fc4d8">
<topic>apache -- Prevent chunk-size integer overflow on platforms where sizeof(int) &lt; sizeof(long)</topic>
<affects>
<package>
<name>apache</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache+mod_perl</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache+ipv6</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache_fp</name>
<range><ge>0</ge></range>
</package>
<package>
<name>ru-apache</name>
<range><lt>1.3.42+30.23</lt></range>
</package>
<package>
<name>ru-apache+mod_ssl</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache+ssl</name>
<range><lt>1.3.42.1.57_2</lt></range>
</package>
<package>
<name>apache+mod_ssl</name>
<name>apache+mod_ssl+ipv6</name>
<name>apache+mod_ssl+mod_accel</name>
<name>apache+mod_ssl+mod_accel+ipv6</name>
<name>apache+mod_ssl+mod_accel+mod_deflate</name>
<name>apache+mod_ssl+mod_accel+mod_deflate+ipv6</name>
<name>apache+mod_ssl+mod_deflate</name>
<name>apache+mod_ssl+mod_deflate+ipv6</name>
<name>apache+mod_ssl+mod_snmp</name>
<name>apache+mod_ssl+mod_snmp+mod_accel</name>
<name>apache+mod_ssl+mod_snmp+mod_accel+ipv6</name>
<name>apache+mod_ssl+mod_snmp+mod_deflate</name>
<name>apache+mod_ssl+mod_snmp+mod_deflate+ipv6</name>
<name>apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6</name>
<range><lt>1.3.41+2.8.27_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache ChangeLog reports:</p>
<blockquote cite="http://www.apache.org/dist/httpd/CHANGES_1.3.42">
<p>Integer overflow in the ap_proxy_send_fb function in
proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before
1.3.42 on 64-bit platforms allows remote origin servers to cause a
denial of service (daemon crash) or possibly execute arbitrary code
via a large chunk size that triggers a heap-based buffer overflow.</p>
</blockquote>
</body>
</description>
<references>
<url>http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0010</url>
<url>http://www.security-database.com/detail.php?alert=CVE-2010-0010</url>
<url>http://security-tracker.debian.org/tracker/CVE-2010-0010</url>
<url>http://www.vupen.com/english/Reference-CVE-2010-0010.php</url>
</references>
<dates>
<discovery>2009-06-30</discovery>
<entry>2010-02-03</entry>
<modified>2010-02-03</modified>
</dates>
</vuln>
<vuln vid="296ecb59-0f6b-11df-8bab-0019996bc1f7">
<topic>squid -- Denial of Service vulnerability in DNS handling</topic>
<affects>
<package>
<name>squid</name>
<range><ge>2.7.1</ge><lt>2.7.7_3</lt></range>
<range><ge>3.0.1</ge><lt>3.0.23</lt></range>
<range><ge>3.1.0.1</ge><lt>3.1.0.15_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2010:1 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_1.txt">
<p>Due to incorrect data validation Squid is vulnerable to a denial
of service attack when processing specially crafted DNS packets.</p>
<p>This problem allows any trusted client or external server who can
determine the squid receiving port to perform a short-term denial
of service attack on the Squid service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0308</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2010_1.txt</url>
</references>
<dates>
<discovery>2010-01-14</discovery>
<entry>2010-02-01</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="696053c6-0f50-11df-a628-001517351c22">
<topic>bugzilla -- information leak</topic>
<affects>
<package>
<name>bugzilla</name>
<range><gt>3.3.1</gt><lt>3.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.0.10/">
<p>When moving a bug from one product to another, an intermediate
page is displayed letting you select the groups the bug should
be restricted to in the new product. However, a regression in
the 3.4.x series made it ignore all groups which are not
available in both products. As a workaround, you had to move
the bug to the new product first and then restrict it to the
desired groups, in two distinct steps, which could make the bug
temporarily public.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3387</cvename>
<url>http://www.bugzilla.org/security/3.0.10/</url>
</references>
<dates>
<discovery>2010-01-31</discovery>
<entry>2010-02-01</entry>
</dates>
</vuln>
<vuln vid="192609c8-0c51-11df-82a0-00248c9b4be7">
<topic>irc-ratbox -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ircd-ratbox</name>
<range><lt>2.2.9</lt></range>
</package>
<package>
<name>ircd-ratbox-devel</name>
<range><lt>3.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/509201">
<p>The first affects the /quote HELP module and allows a user
to trigger an IRCD crash on some platforms.</p>
<p>The second affects the /links processing module when the
flatten_links configuration option is not enabled.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4016</cvename>
<cvename>CVE-2010-0300</cvename>
<url>http://www.debian.org/security/2010/dsa-1980</url>
<url>http://lists.ratbox.org/pipermail/ircd-ratbox/2010-January/000890.html</url>
<url>http://lists.ratbox.org/pipermail/ircd-ratbox/2010-January/000891.html</url>
</references>
<dates>
<discovery>2010-01-25</discovery>
<entry>2010-01-28</entry>
</dates>
</vuln>
<vuln vid="848539dc-0458-11df-8dd7-002170daae37">
<topic>dokuwiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20091225_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dokuwiki reports:</p>
<blockquote cite="http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1853">
<p>The plugin does no checks against cross-site request
forgeries (CSRF) which can be exploited to e.g. change
the access control rules by tricking a logged in
administrator into visiting a malicious web site.</p>
</blockquote>
<blockquote cite="http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1847">
<p>The bug allows listing the names of arbitrary file on
the webserver - not their contents. This could leak
private information about wiki pages and server structure.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0288</cvename>
<cvename>CVE-2010-0287</cvename>
<cvename>CVE-2010-0289</cvename>
<url>http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1847</url>
<url>http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1853</url>
</references>
<dates>
<discovery>2010-01-17</discovery>
<entry>2010-01-18</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="c9263916-006f-11df-94cb-0050568452ac">
<topic>Zend Framework -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ZendFramework</name>
<range><lt>1.9.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Zend Framework team reports:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-06">
<p>Potential XSS or HTML Injection vector in Zend_Json.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-05">
<p>Potential XSS vector in Zend_Service_ReCaptcha_MailHide.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-04">
<p>Potential MIME-type Injection in Zend_File_Transfer
Executive Summary.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-03">
<p>Potential XSS vector in Zend_Filter_StripTags when
comments allowed.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-02">
<p>Potential XSS vector in Zend_Dojo_View_Helper_Editor.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-01">
<p>Potential XSS vectors due to inconsistent encodings.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2009-02">
<p>XSS vector in Zend_Filter_StripTags.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2009-01">
<p>LFI vector in Zend_View::setScriptPath() and render().</p>
</blockquote>
</body>
</description>
<references>
<url>http://framework.zend.com/security/advisory/ZF2010-06</url>
<url>http://framework.zend.com/security/advisory/ZF2010-05</url>
<url>http://framework.zend.com/security/advisory/ZF2010-04</url>
<url>http://framework.zend.com/security/advisory/ZF2010-03</url>
<url>http://framework.zend.com/security/advisory/ZF2010-02</url>
<url>http://framework.zend.com/security/advisory/ZF2010-01</url>
<url>http://framework.zend.com/security/advisory/ZF2009-02</url>
<url>http://framework.zend.com/security/advisory/ZF2009-01</url>
</references>
<dates>
<discovery>2009-12-31</discovery>
<entry>2010-01-11</entry>
</dates>
</vuln>
<vuln vid="dd8f2394-fd08-11de-b425-00215c6a37bb">
<topic>powerdns-recursor -- multiple vulnerabilities</topic>
<affects>
<package>
<name>powerdns-recursor</name>
<range><lt>3.1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PowerDNS Security Advisory reports:</p>
<blockquote cite="http://doc.powerdns.com/powerdns-advisory-2010-01.html">
<p>PowerDNS Recursor up to and including 3.1.7.1 can be
brought down and probably exploited.</p>
</blockquote>
<blockquote cite="http://doc.powerdns.com/powerdns-advisory-2010-02.html">
<p>PowerDNS Recursor up to and including 3.1.7.1 can be
spoofed into accepting bogus data</p>
</blockquote>
</body>
</description>
<references>
<bid>37650</bid>
<bid>37653</bid>
<cvename>CVE-2009-4010</cvename>
<cvename>CVE-2009-4009</cvename>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-01-09</entry>
</dates>
</vuln>
<vuln vid="56ba8728-f987-11de-b28d-00215c6a37bb">
<topic>PEAR -- Net_Ping and Net_Traceroute remote arbitrary command injection</topic>
<affects>
<package>
<name>pear-Net_Ping</name>
<range><lt>2.4.5</lt></range>
</package>
<package>
<name>pear-Net_Traceroute</name>
<range><lt>0.21.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PEAR Security Advisory reports:</p>
<blockquote cite="http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/">
<p>Multiple remote arbitrary command injections have been
found in the Net_Ping and Net_Traceroute.</p>
<p>When input from forms are used directly, the attacker
could pass variables that would allow him to execute
remote arbitrary command injections.</p>
</blockquote>
</body>
</description>
<references>
<bid>37093</bid>
<bid>37094</bid>
<cvename>CVE-2009-4024</cvename>
<cvename>CVE-2009-4025</cvename>
<url>http://pear.php.net/advisory20091114-01.txt</url>
</references>
<dates>
<discovery>2009-11-14</discovery>
<entry>2010-01-04</entry>
</dates>
</vuln>
Reference in New Issue View Git Blame Copy Permalink