Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted RTSP URL. TA09-022A APPLE-SA-2009-01-21 quicktime-rtspurl-bo(48154) ADV-2009-0212 33385 http://support.apple.com/kb/HT3403 33632 oval:org.mitre.oval:def:6135 Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a QTVR movie file with crafted THKD atoms. TA09-022A APPLE-SA-2009-01-21 http://www.zerodayinitiative.com/advisories/ZDI-09-005/ ADV-2009-0212 33384 http://support.apple.com/kb/HT3403 33632 oval:org.mitre.oval:def:5646 51525 20090121 ZDI-09-005: Apple QuickTime VR Track Header Atom Heap Corruption Vulnerability Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and execute arbitrary code via an AVI movie file with an invalid nBlockAlign value in the _WAVEFORMATEX structure. TA09-022A APPLE-SA-2009-01-21 http://www.zerodayinitiative.com/advisories/ZDI-09-006/ ADV-2009-0212 33387 http://support.apple.com/kb/HT3403 33632 oval:org.mitre.oval:def:6218 51526 Buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted MP3 audio file. TA09-022A http://support.apple.com/kb/HT3403 APPLE-SA-2009-01-21 quicktime-mpeg2-bo(48157) ADV-2009-0212 33632 oval:org.mitre.oval:def:6211 Unspecified vulnerability in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted H.263 encoded movie file that triggers memory corruption. TA09-022A APPLE-SA-2009-01-21 quicktime-h263-movie-code-execution(48158) ADV-2009-0212 33386 http://support.apple.com/kb/HT3403 33632 oval:org.mitre.oval:def:6187 Integer signedness error in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a Cinepak encoded movie file with a crafted MDAT atom that triggers a heap-based buffer overflow. TA09-022A APPLE-SA-2009-01-21 http://www.zerodayinitiative.com/advisories/ZDI-09-007/ ADV-2009-0212 33388 20090124 Re: ZDI-09-007: Apple QuickTime Cinepak Codec MDAT Heap Corruption Vulnerability http://support.apple.com/kb/HT3403 33632 oval:org.mitre.oval:def:6153 51529 20090121 ZDI-09-007: Apple QuickTime Cinepak Codec MDAT Heap Corruption Vulnerability Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a QuickTime movie file containing invalid image width data in JPEG atoms within STSD atoms. TA09-022A APPLE-SA-2009-01-21 http://www.zerodayinitiative.com/advisories/ZDI-09-008/ ADV-2009-0212 33390 http://support.apple.com/kb/HT3403 33632 oval:org.mitre.oval:def:6132 51530 Unspecified vulnerability in Apple QuickTime MPEG-2 Playback Component before 7.60.92.0 on Windows allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted MPEG-2 movie. per http://lists.apple.com/archives/security-announce//2009/Jan/msg00001.html "This issue does not affect systems running Mac OS X." quicktime-mpeg2playback-code-execution(48162) ADV-2009-0211 1021621 33393 http://support.apple.com/kb/HT3404 33642 oval:org.mitre.oval:def:5974 APPLE-SA-2009-01-21 Unspecified vulnerability in the Pixlet codec in Apple Mac OS X 10.4.11 and 10.5.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted movie file that triggers memory corruption. macosx-pixlet-codec-code-execution(48713) ADV-2009-0422 33759 http://support.apple.com/kb/HT3438 1021718 33937 51980 APPLE-SA-2009-02-12 Integer underflow in QuickDraw Manager in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7, and Apple QuickTime before 7.6.2, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PICT image with a crafted 0x77 Poly tag and a crafted length field, which triggers a heap-based buffer overflow. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 http://www.zerodayinitiative.com/advisories/ZDI-09-021/ http://www.zerodayinitiative.com/advisories/ZDI-09-021 http://www.vupen.com/exploits/Apple_QuickTime_PICT_Poly_Tag_Parsing_Heap_Overflow_PoC_Exploit_1407144.php ADV-2009-1407 ADV-2009-1297 1022209 34938 34926 20090527 ZDI-09-021: Apple QuickTime PICT Unspecified Tag Heap Overflow Vulnerability http://support.apple.com/kb/HT3591 35091 35074 APPLE-SA-2009-06-01-1 Certificate Assistant in Apple Mac OS X 10.5.6 allows local users to overwrite arbitrary files via unknown vectors related to an "insecure file operation" on a temporary file. 33759 APPLE-SA-2009-02-12 macosx-certificate-asst-file-overwrite(48715) ADV-2009-0422 http://support.apple.com/kb/HT3438 1021720 33937 51979 Heap-based buffer overflow in CoreText in Apple Mac OS X 10.5.6 allows remote attackers to execute arbitrary code via a crafted Unicode string. APPLE-SA-2009-02-12 ADV-2009-0422 33809 33759 http://support.apple.com/kb/HT3438 33937 51977 dscl in DS Tools in Apple Mac OS X 10.4.11 and 10.5.6 requires that passwords must be provided as command line arguments, which allows local users to gain privileges by listing process information. APPLE-SA-2009-02-12 macosx-dstools-information-disclosure(48717) ADV-2009-0422 33815 33759 http://support.apple.com/kb/HT3438 1021722 33937 Folder Manager in Apple Mac OS X 10.5.6 uses insecure default permissions when recreating a Downloads folder after it has been deleted, which allows local users to bypass intended access restrictions and read the Downloads folder. APPLE-SA-2009-02-12 ADV-2009-0422 33820 33759 http://support.apple.com/kb/HT3438 33937 Unspecified vulnerability in fseventsd in the FSEvents framework in Apple Mac OS X 10.5.6 allows local users to obtain sensitive information (filesystem activities and directory names) via unknown vectors related to "credential management." APPLE-SA-2009-02-12 ADV-2009-0422 33821 33759 http://support.apple.com/kb/HT3438 33937 Apple iTunes before 8.1 on Windows allows remote attackers to cause a denial of service (infinite loop) via a Digital Audio Access Protocol (DAAP) message with a crafted Content-Length header. http://support.apple.com/kb/HT3487 APPLE-SA-2009-03-11 itunes-daap-dos(49200) ADV-2009-0702 34094 20090313 Apple iTunes DAAP Messages Handling Denial of Service Vulnerability http://www.fortiguardcenter.com/advisory/FGA-2009-11.html 1021842 34254 oval:org.mitre.oval:def:6001 52578 20090312 Apple iTunes DAAP Messages Handling Denial of Service Vulnerability csregprinter in the Printing component in Apple Mac OS X 10.4.11 and 10.5.6 does not properly handle error conditions, which allows local users to execute arbitrary code via unknown vectors that trigger a heap-based buffer overflow. APPLE-SA-2009-02-12 ADV-2009-0422 33811 33759 http://support.apple.com/kb/HT3438 33937 The Remote Apple Events server in Apple Mac OS X 10.4.11 and 10.5.6 does not properly initialize a buffer, which allows remote attackers to read portions of memory. ADV-2009-0422 33816 33759 http://support.apple.com/kb/HT3438 33937 APPLE-SA-2009-02-12 Remote Apple Events in Apple Mac OS X 10.4.11 and 10.5.6 allows remote attackers to cause a denial of service (application termination) or obtain sensitive information via unspecified vectors that trigger an out-of-bounds memory access. ADV-2009-0422 33814 33759 http://support.apple.com/kb/HT3438 APPLE-SA-2009-02-12 Unspecified vulnerability in CarbonCore in Apple Mac OS X 10.4.11 and 10.5.6 allows remote attackers to cause a denial of service (application termination) and execute arbitrary code via a crafted resource fork that triggers memory corruption. APPLE-SA-2009-02-12 ADV-2009-0422 33759 http://support.apple.com/kb/HT3438 33937 NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. Note that versions 4.2.5 before 4.2.5p150 are development versions and not production versions. Development versions are not included in the CPE configuration for CVEs. TA09-133A [announce] 20090108 NTP 4.2.4p6 Released ADV-2009-1297 ADV-2009-0042 1021533 20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses RHSA-2009:0046 http://www.ocert.org/advisories/ocert-2008-016.html http://support.apple.com/kb/HT3549 SSA:2009-014-03 35074 34642 33648 33558 33406 oval:org.mitre.oval:def:10035 SUSE-SR:2009:008 SUSE-SR:2009:005 APPLE-SA-2009-05-12 Samba 3.2.0 through 3.2.6, when registry shares are enabled, allows remote authenticated users to access the root filesystem via a crafted connection request that specifies a blank share name. Patch Information - http://www.samba.org/samba/history/security.html FEDORA-2009-0268 samba-file-system-security-bypass(47733) ADV-2009-0017 USN-702-1 1021513 33118 http://www.samba.org/samba/security/CVE-2009-0022.html MDVSA-2009:042 33431 33392 33379 51152 http://master.samba.org/samba/ftp/patches/security/samba-3.2.6-CVE-2009-0022.patch The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, which triggers a heap-based buffer underflow. https://bugzilla.redhat.com/show_bug.cgi?id=503928 DSA-1812 FEDORA-2009-5969 FEDORA-2009-6261 FEDORA-2009-6014 apache-aprstrmatchprecompile-dos(50964) ADV-2009-3184 ADV-2009-1907 USN-787-1 USN-786-1 35221 20091112 rPSA-2009-0144-1 apr-util RHSA-2009:1108 RHSA-2009:1107 http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html MDVSA-2009:131 http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 PK99478 PK91241 PK88341 http://wiki.rpath.com/Advisories:rPSA-2009-0144 http://svn.apache.org/viewvc?view=rev&revision=779880 http://support.apple.com/kb/HT3937 SSA:2009-167-02 GLSA-200907-03 37221 35843 35797 35710 35565 35487 35444 35395 35360 35284 34724 oval:org.mitre.oval:def:12321 oval:org.mitre.oval:def:10968 HPSBUX02612 HPSBUX02612 APPLE-SA-2009-11-09-1 The sys_remap_file_pages function in mm/fremap.c in the Linux kernel before 2.6.24.1 allows local users to cause a denial of service or gain privileges via unspecified vectors, related to the vm_file structure member, and the mmap_region and do_munmap functions. 33211 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.1 [oss-security] 20090112 CVE-2009-0024 kernel: local privilege escalation in sys_remap_file_pages http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.24.y.git;a=commit;h=8a459e44ad837018ea5c34a9efe8eb4ad27ded26 BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. TA09-133A FEDORA-2009-0350 https://www.isc.org/software/bind/advisories/cve-2009-0025 https://issues.rpath.com/browse/RPL-2938 ADV-2009-1297 ADV-2009-0904 ADV-2009-0366 ADV-2009-0043 http://www.vmware.com/security/advisories/VMSA-2009-0004.html 33151 20090401 VMSA-2009-0004 ESX Service Console updates for openssl, bind, and vim 20090120 rPSA-2009-0009-1 bind bind-utils 20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses http://www.openbsd.org/errata44.html#008_bind http://www.ocert.org/advisories/ocert-2008-016.html http://wiki.rpath.com/Advisories:rPSA-2009-0009 http://support.avaya.com/elmodocs2/security/ASA-2009-045.htm http://support.apple.com/kb/HT3549 250846 SSA:2009-014-02 FreeBSD-SA-09:04 35074 33882 33683 33559 33551 33546 33494 oval:org.mitre.oval:def:5569 oval:org.mitre.oval:def:10879 APPLE-SA-2009-05-12 http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/49ef622c8329fd33 Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp. https://issues.apache.org/jira/browse/JCR-1925 jackrabbit-search-swr-xss(48110) ADV-2009-0177 33360 20090120 [ANNOUNCE] Apache Jackrabbit 1.5.2 released http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt 4942 33576 The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04 does not properly validate the resource path during a request for a WSDL file with a custom web-service endpoint, which allows remote attackers to read arbitrary XML files via a crafted request. RHSA-2009:0349 RHSA-2009:0347 RHSA-2009:0346 https://jira.jboss.org/jira/browse/JBPAPP-1548 https://bugzilla.redhat.com/show_bug.cgi?id=479668 1021817 34023 34112 RHSA-2009:0348 The clone system call in the Linux kernel 2.6.28 and earlier allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit. https://bugzilla.redhat.com/show_bug.cgi?id=479932 ADV-2009-3316 http://www.vmware.com/security/advisories/VMSA-2009-0016.html USN-751-1 33906 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components 20090516 rPSA-2009-0084-1 kernel RHSA-2009:0451 RHSA-2009:0326 MDVSA-2009:118 DSA-1800 DSA-1794 DSA-1787 http://wiki.rpath.com/Advisories:rPSA-2009-0084 37471 35394 35390 35121 35120 35011 34981 34962 34917 34680 34033 33758 http://scarybeastsecurity.blogspot.com/2009/02/linux-kernel-minor-signal-vulnerability.html http://scary.beasts.org/security/CESA-2009-002.html RHSA-2009:0459 oval:org.mitre.oval:def:7947 oval:org.mitre.oval:def:11187 52204 SUSE-SA:2009:031 SUSE-SA:2009:030 SUSE-SA:2009:010 The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, sparc64, and mips 64-bit platforms requires that a 32-bit argument in a 64-bit register was properly sign extended when sent from a user-mode application, but cannot verify this, which allows local users to cause a denial of service (crash) or possibly gain privileges via a crafted system call. FEDORA-2009-0816 https://bugzilla.redhat.com/show_bug.cgi?id=479969 33275 MDVSA-2009:135 DSA-1794 DSA-1787 DSA-1749 35011 34981 34394 33674 33477 [linux-kernel] 20090110 Re: [PATCH -v7][RFC]: mutex: implement adaptive spinning SUSE-SA:2009:010 A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663. RHSA-2009:0057 https://bugzilla.redhat.com/show_bug.cgi?id=480488 https://bugzilla.redhat.com/show_bug.cgi?id=480224 squirrelmail-sessionid-session-hijacking(48115) 33354 1021611 33611 oval:org.mitre.oval:def:10366 SUSE-SR:2009:004 Memory leak in the keyctl_join_session_keyring function (security/keys/keyctl.c) in Linux kernel 2.6.29-rc2 and earlier allows local users to cause a denial of service (kernel memory consumption) via unknown vectors related to a "missing kfree." USN-751-1 RHSA-2009:0360 RHSA-2009:0331 [oss-security] 20090119 CVE-2009-0031 kernel: local denial of service in keyctl_join_session_keyring DSA-1794 DSA-1787 DSA-1749 http://support.avaya.com/elmodocs2/security/ASA-2009-114.htm 35011 34981 34762 34502 34394 34252 33858 RHSA-2009:0264 oval:org.mitre.oval:def:11386 51501 SUSE-SA:2009:010 http://git2.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0d54ee1c7850a954026deec4cd4885f331da35cc CUPS on Mandriva Linux 2008.0, 2008.1, 2009.0, Corporate Server (CS) 3.0 and 4.0, and Multi Network Firewall (MNF) 2.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file. cups-pdflog-symlink(48210) 33418 MDVSA-2009:029 MDVSA-2009:028 MDVSA-2009:027 1021637 Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header. ADV-2009-1496 35193 http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-4.html http://svn.apache.org/viewvc?rev=781362&view=rev http://svn.apache.org/viewvc?rev=742915&view=rev FEDORA-2009-11356 FEDORA-2009-11352 FEDORA-2009-11374 tomcat-ajp-dos(50928) ADV-2010-3056 ADV-2009-3316 ADV-2009-1856 http://www.vmware.com/security/advisories/VMSA-2009-0016.html 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components 20090603 [SECURITY] CVE-2009-0033 Apache Tomcat DoS when using Java AJP connector MDVSA-2010:176 MDVSA-2009:138 MDVSA-2009:136 DSA-2207 http://support.apple.com/kb/HT4077 263529 1022331 42368 37460 35788 35685 35344 35326 oval:org.mitre.oval:def:5739 oval:org.mitre.oval:def:10231 SSRT101146 HPSBUX02860 SSRT100203 SSRT100203 SUSE-SR:2009:012 APPLE-SA-2010-03-29-1 JVN#87272440 parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command. https://issues.rpath.com/browse/RPL-2954 https://bugzilla.novell.com/show_bug.cgi?id=468923 ADV-2009-1865 http://www.vmware.com/security/advisories/VMSA-2009-0009.html http://www.sudo.ws/cgi-bin/cvsweb/sudo/parse.c.diff?r1=1.160.2.21&r2=1.160.2.22&f=h 1021688 33517 20090711 VMSA-2009-0009 ESX Service Console updates for udev, sudo, and curl 20090129 rPSA-2009-0021-1 sudo RHSA-2009:0267 MDVSA-2009:033 http://www.gratisoft.us/bugzilla/show_bug.cgi?id=327 http://wiki.rpath.com/Advisories:rPSA-2009-0021 35766 33885 33840 33753 oval:org.mitre.oval:def:6462 oval:org.mitre.oval:def:10856 51736 [Security-announce] 20090710 VMSA-2009-0009 ESX Service Console updates for udev, sudo, and curl Buffer overflow in the proxyReadClientSocket function in proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to gain privileges by sending a portion of the header of a virProxyPacket packet, and then sending the remainder of the packet with crafted values in the header, related to use of uninitialized memory in a validation check. [libvir-list] 20090128 Re: [libvirt] [PATCH] proxy: Fix use of uninitalized memory [libvir-list] 20090128 Re: [libvirt] [PATCH] proxy: Fix use of uninitalized memory [libvir-list] 20090127 [libvirt] [PATCH] proxy: Fix use of uninitalized memory https://bugzilla.redhat.com/show_bug.cgi?id=484947 33724 RHSA-2009:0382 34397 oval:org.mitre.oval:def:10127 [oss-security] 20090210 libvirt_proxy heads up http://git.et.redhat.com/?p=libvirt.git;a=commitdiff;h=2bb0657e28 The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL. ADV-2009-0581 33962 http://curl.haxx.se/lxr/source/CHANGES http://curl.haxx.se/docs/adv_20090303.html curl-location-security-bypass(49030) http://www.withdk.com/archives/Libcurl_arbitrary_file_access.pdf http://www.withdk.com/2009/03/03/curllibcurl-redirect-arbitrary-file-access/ ADV-2009-1865 http://www.vmware.com/security/advisories/VMSA-2009-0009.html USN-726-1 1021783 20090711 VMSA-2009-0009 ESX Service Console updates for udev, sudo, and curl 20090312 rPSA-2009-0042-1 curl RHSA-2009:0341 DSA-1738 http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0042 http://support.apple.com/kb/HT4077 SSA:2009-069-01 GLSA-200903-21 35766 34399 34259 34255 34251 34237 34202 34138 oval:org.mitre.oval:def:6074 oval:org.mitre.oval:def:11054 [Security-announce] 20090710 VMSA-2009-0009 ESX Service Console updates for udev, sudo, and curl SUSE-SR:2009:006 APPLE-SA-2010-03-29-1 Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring; or (5) the PATH_INFO to the default URI under console/portal/. http://issues.apache.org/jira/browse/GERONIMO-4597 http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214 ADV-2009-1089 34562 20090416 [DSECRG-09-019] Apache Geronimo - XSS vulnerabilities.txt 34715 http://dsecrg.com/pages/vul/show.php?id=119 Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to hijack the authentication of administrators for requests that (1) change the web administration password, (2) upload applications, and perform unspecified other administrative actions, as demonstrated by (3) a Shutdown request to console/portal//Server/Shutdown. ADV-2009-1089 34562 20090416 [DSECRG-09-020] Apache Geronimo - XSRF vulnerabilities 34715 http://issues.apache.org/jira/browse/GERONIMO-4597 http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214 http://dsecrg.com/pages/vul/show.php?id=120 The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables. TA09-218A TA09-133A VU#649212 FEDORA-2009-2884 FEDORA-2009-2882 FEDORA-2009-1976 FEDORA-2009-2045 libpng-pointer-arrays-code-execution(48819) ADV-2009-2172 ADV-2009-1621 ADV-2009-1560 ADV-2009-1522 ADV-2009-1462 ADV-2009-1451 ADV-2009-1297 ADV-2009-0632 ADV-2009-0473 ADV-2009-0469 http://www.vmware.com/security/advisories/VMSA-2009-0007.html 33990 33827 20090821 VMSA-2009-0010 VMware Hosted products update libpng and Apache HTTP Server 20090529 VMSA-2009-0007 VMware Hosted products and ESX and ESXi patches resolve security issues 20090312 rPSA-2009-0046-1 libpng RHSA-2009:0340 RHSA-2009:0333 RHSA-2009:0325 RHSA-2009:0315 MDVSA-2009:083 MDVSA-2009:075 MDVSA-2009:051 DSA-1830 DSA-1750 http://wiki.rpath.com/Advisories:rPSA-2009-0046 http://support.avaya.com/japple/css/japple?temp.documentID=366362&temp.productID=154235&temp.releaseID=361845&temp.bucketID=126655&PAGE=Document http://support.avaya.com/elmodocs2/security/ASA-2009-208.htm http://support.avaya.com/elmodocs2/security/ASA-2009-069.htm http://support.apple.com/kb/HT3757 http://support.apple.com/kb/HT3639 http://support.apple.com/kb/HT3613 http://support.apple.com/kb/HT3549 1020521 259989 http://sourceforge.net/project/shownotes.php?group_id=1689&release_id=662441 [png-mng-implement] 20090219 libpng-1.2.35 and libpng-1.0.43 fix security vulnerability SSA:2009-083-03 SSA:2009-083-02 GLSA-201209-25 GLSA-200903-28 36096 35386 35379 35302 35258 35074 34464 34462 34388 34324 34320 34272 34265 34210 34152 34145 34143 34140 34137 33976 33970 oval:org.mitre.oval:def:6458 oval:org.mitre.oval:def:10316 [security-announce] 20090820 VMSA-2009-0010 VMware Hosted products update libpng and Apache HTTP Server SUSE-SA:2009:023 SUSE-SA:2009:012 SUSE-SR:2009:005 APPLE-SA-2009-05-12 APPLE-SA-2009-06-17-1 APPLE-SA-2009-06-08-1 APPLE-SA-2009-08-05-1 http://downloads.sourceforge.net/libpng/libpng-1.2.34-ADVISORY.txt ftp://ftp.simplesystems.org/pub/png/src/libpng-1.2.34-ADVISORY.txt IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before 1.4.23-rc4, and 1.6.x before 1.6.0.3-rc2; Business Edition A.x.x, B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before C.2.1.2.1; and s800i 1.2.x before 1.3.0 responds differently to a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. Vendor Advisory: http://downloads.digium.com/pub/security/AST-2009-001.html 33174 ADV-2009-0063 1021549 20090108 AST-2009-001: Information leak in IAX2 authentication DSA-1952 4910 GLSA-200905-01 37677 34982 33453 http://downloads.digium.com/pub/security/AST-2009-001.html Multiple unspecified vulnerabilities in the Arclib library (arclib.dll) before 7.3.0.15 in the CA Anti-Virus engine for CA Anti-Virus for the Enterprise 7.1, r8, and r8.1; Anti-Virus 2007 v8 and 2008; Internet Security Suite 2007 v3 and 2008; and other CA products allow remote attackers to bypass virus detection via a malformed archive file. ca-antivirus-engine-security-bypass(48261) ADV-2009-0270 1021639 33464 20090127 CA20090126-01: CA Anti-Virus Engine Detection Evasion Multiple Vulnerabilities http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197601 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/26/ca20090126-01-ca-anti-virus-engine-detection-evasion-multiple-vulnerabilities.aspx The smmsnmpd service in CA Service Metric Analysis r11.0 through r11.1 SP1 and Service Level Management 3.5 does not properly restrict access, which allows remote attackers to execute arbitrary commands via unspecified vectors. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=196148 33161 ADV-2009-0053 20090107 CA20090107-01: CA Service Metric Analysis and CA Service Level Management smmsnmpd Arbitrary Command Execution Vulnerability 4887 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/07.aspx Sun GridEngine 5.3 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. ADV-2009-0045 20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses http://www.ocert.org/advisories/ocert-2008-016.html Gale 0.99 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. ADV-2009-0046 20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses http://www.ocert.org/advisories/ocert-2008-016.html OpenEvidence 1.0.6 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. ADV-2009-0047 20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses http://www.ocert.org/advisories/ocert-2008-016.html Belgian eID middleware (eidlib) 2.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. 20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses http://www.ocert.org/advisories/ocert-2008-016.html 34029 SUSE-SR:2009:005 Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. openssl-dsa-verify-security-bypass(47837) 20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses http://www.ocert.org/advisories/ocert-2008-016.html ZXID 0.29 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. openssl-dsa-verify-security-bypass(47837) 20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses http://www.ocert.org/advisories/ocert-2008-016.html The Atheros wireless driver, as used in Netgear WNDAP330 Wi-Fi access point with firmware 2.1.11 and other versions before 3.0.3 on the Atheros AR9160-BC1A chipset, and other products, allows remote authenticated users to cause a denial of service (device reboot or hang) and possibly execute arbitrary code via a truncated reserved management frame. netgear-wndap330-frame-dos(54216) ADV-2009-3212 36991 20091110 Atheros Driver Reserved Frame Vulnerability 59880 37344 PXE Encryption in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to obtain the decryption key via unspecified vectors, related to a "logic error." ADV-2009-0140 33268 20090114 IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities 1021593 33479 51395 PXE Encryption in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to capture credentials by tricking a user into reading a modified or crafted e-mail message. ADV-2009-0140 33268 20090114 IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities 1021593 33479 51396 Cross-site request forgery (CSRF) vulnerability in the administration interface in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to modify appliance preferences as arbitrary users via unspecified vectors. ADV-2009-0140 33268 20090114 IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities 1021594 33479 51397 Cross-site request forgery (CSRF) vulnerability in the administration interface in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to execute commands and modify appliance preferences as arbitrary users via a logout action. ADV-2009-0140 33268 20090114 IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities 1021594 33479 51398 The Certificate Authority Proxy Function (CAPF) service in Cisco Unified Communications Manager 5.x before 5.1(3e) and 6.x before 6.1(3) allows remote attackers to cause a denial of service (voice service outage) by sending malformed input over a TCP session in which the "client terminates prematurely." cucm-capf-dos-var1(48139) ADV-2009-0213 1021620 33379 20090121 Cisco Unified Communications Manager CAPF Denial of Service Vulnerability 33588 The Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.x before 4.2.176.0 and 5.x before 5.2 allow remote attackers to cause a denial of service (web authentication outage or device reload) via unspecified network traffic, as demonstrated by a vulnerability scanner. 1021679 33608 20090204 Multiple Vulnerabilities in Cisco Wireless LAN Controllers 33749 The Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.x before 4.2.176.0 and 5.2.x before 5.2.157.0 allow remote attackers to cause a denial of service (device reload) via a web authentication (aka WebAuth) session that includes a malformed POST request to login.html. 1021679 33608 20090204 Multiple Vulnerabilities in Cisco Wireless LAN Controllers 33749 Unspecified vulnerability in the Wireless LAN Controller (WLC) TSEC driver in the Cisco 4400 WLC, Cisco Catalyst 6500 and 7600 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.x before 4.2.176.0 and 5.x before 5.1 allows remote attackers to cause a denial of service (device crash or hang) via unknown IP packets. 1021679 33608 20090204 Multiple Vulnerabilities in Cisco Wireless LAN Controllers 33749 Unspecified vulnerability in the Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.2.173.0 allows remote authenticated users to gain privileges via unknown vectors, as demonstrated by escalation from the (1) Lobby Admin and (2) Local Management User privilege levels. 1021678 33608 20090204 Multiple Vulnerabilities in Cisco Wireless LAN Controllers 33749 Cross-site scripting (XSS) vulnerability in the Control Center in Symantec Brightmail Gateway Appliance before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. ADV-2009-1155 1022116 brightmail-controlcenter-xss(50074) http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01 34641 34885 53944 Multiple unspecified vulnerabilities in the Control Center in Symantec Brightmail Gateway Appliance before 8.0.1 allow remote authenticated users to gain privileges, and possibly obtain sensitive information or hijack sessions of arbitrary users, via vectors involving (1) administrative scripts or (2) console functions. ADV-2009-1155 1022117 brightmail-consolescripts-priv-escalation(50075) http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01 34639 34885 53945 Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID. FEDORA-2009-0816 https://bugzilla.redhat.com/show_bug.cgi?id=478800 ADV-2009-2193 ADV-2009-0029 USN-751-1 1022698 33113 RHSA-2009:1055 RHSA-2009:0331 RHSA-2009:0053 [oss-security] 20090105 CVE request: kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID DSA-1794 DSA-1787 DSA-1749 http://support.avaya.com/elmodocs2/security/ASA-2009-114.htm 36191 35394 35390 35174 35011 34981 34762 34680 34394 34252 33858 33854 33674 RHSA-2009:0264 http://patchwork.ozlabs.org/patch/15024/ oval:org.mitre.oval:def:10872 SUSE-SA:2009:031 SUSE-SA:2009:030 SUSE-SA:2009:010 SSSRT090149 SSSRT090149 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9fcb95a105758b81ef0131cd18e2db5149f13e95 Multiple unspecified vulnerabilities in Intel system software for Trusted Execution Technology (TXT) allow attackers to bypass intended loader integrity protections, as demonstrated by exploitation of tboot. NOTE: as of 20090107, the only disclosure is a vague pre-advisory with no actionable information. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. 33119 http://theinvisiblethings.blogspot.com/2009/01/attacking-intel-trusted-execution.html http://invisiblethingslab.com/press/itl-press-2009-01.pdf http://blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Wojtczuk Interaction error in xdg-open allows remote attackers to execute arbitrary code by sending a file with a dangerous MIME type but using a safe type that Firefox sends to xdg-open, which causes xdg-open to process the dangerous file type through automatic type detection, as demonstrated by overwriting the .desktop file. https://bugs.freedesktop.org/show_bug.cgi?id=19377 33137 [oss-security] 20090106 Fwd: Using xdg-open in /etc/mailcap causes hole in Firefox (Demonstration/Exploit included) Unspecified vulnerability in the nfs4rename_persistent_fh function in the NFS 4 (aka NFSv4) client in the kernel in Sun Solaris 10 and OpenSolaris before snv_102 allows local users to cause a denial of service (recursive mutex_enter and panic) via unspecified vectors. http://sunsolve.sun.com/search/document.do?assetkey=1-21-139466-02-1 solaris-nfs4client-dos(47750) ADV-2009-0030 1021519 33128 248566 33361 [onnv-notify] 20081021 6300710 recursive mutex_enter in nfs4rename_persistent_fh() Integer signedness error in Apple Safari allows remote attackers to read the contents of arbitrary memory locations, cause a denial of service (application crash), and probably have unspecified other impact via the array index of the arguments array in a JavaScript function, possibly a related issue to CVE-2008-2307. safari-array-memory-disclosure(48214) 7673 Mozilla Firefox 3.0.5 and earlier 3.0.x versions, when designMode is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a certain (a) replaceChild or (b) removeChild call, followed by a (1) queryCommandValue, (2) queryCommandState, or (3) queryCommandIndeterm call. NOTE: it was later reported that 3.0.6 and 3.0.7 are also affected. https://bugzilla.mozilla.org/show_bug.cgi?id=472507 https://bugzilla.mozilla.org/show_bug.cgi?id=456727 https://bugzilla.mozilla.org/show_bug.cgi?id=448329 33154 8219 8091 20090107 Re: Firefox 3.0.5 remote vulnerability via queryCommandState 20090107 Re: Firefox 3.0.5 remote vulnerability via queryCommandState 20090107 Firefox 3.0.5 remote vulnerability via queryCommandState Microsoft Internet Explorer 6.0 through 8.0 beta2 allows remote attackers to cause a denial of service (application crash) via an onload=screen[""] attribute value in a BODY element. ie-javascript-screen-dos(47788) 33149 http://skypher.com/index.php/2009/01/07/msie-screen-null-ptr-dos-details/ Microsoft Internet Explorer 7 does not properly handle errors during attempted access to deleted objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to CFunctionPointer and the appending of document objects, aka "Uninitialized Memory Corruption Vulnerability." TA09-041A MS09-002 http://www.zerodayinitiative.com/advisories/ZDI-09-011/ ADV-2009-0389 33627 8082 8080 8079 8077 oval:org.mitre.oval:def:6000 51839 Microsoft Internet Explorer 7, when XHTML strict mode is used, allows remote attackers to execute arbitrary code via the zoom style directive in conjunction with unspecified other directives in a malformed Cascading Style Sheets (CSS) stylesheet in a crafted HTML document, aka "CSS Memory Corruption Vulnerability." TA09-041A MS09-002 http://www.zerodayinitiative.com/advisories/ZDI-09-012/ ADV-2009-0389 oval:org.mitre.oval:def:6081 The firewall engine in Microsoft Forefront Threat Management Gateway, Medium Business Edition (TMG MBE); and Internet Security and Acceleration (ISA) Server 2004 SP3, 2006, 2006 Supportability Update, and 2006 SP1; does not properly manage the session state of web listeners, which allows remote attackers to cause a denial of service (many stale sessions) via crafted packets, aka "Web Proxy TCP State Limited Denial of Service Vulnerability." TA09-104A MS09-016 ADV-2009-1030 1022045 34687 oval:org.mitre.oval:def:6068 53636 The Windows Management Instrumentation (WMI) provider in Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by accessing the resources of one of the processes, aka "Windows WMI Service Isolation Vulnerability." TA09-104A MS09-012 ADV-2009-1026 1022044 oval:org.mitre.oval:def:6193 53666 The RPCSS service in Microsoft Windows XP SP2 and SP3 and Server 2003 SP1 and SP2 does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by accessing the resources of one of the processes, aka "Windows RPCSS Service Isolation Vulnerability." TA09-104A MS09-012 ADV-2009-1026 1022044 oval:org.mitre.oval:def:6147 53667 The ThreadPool class in Windows Vista Gold and SP1, and Server 2008, does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by leveraging incorrect thread ACLs to access the resources of one of the processes, aka "Windows Thread Pool ACL Weakness Vulnerability." TA09-104A MS09-012 ADV-2009-1026 1022044 oval:org.mitre.oval:def:6177 53668 The graphics device interface (GDI) implementation in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly validate input received from user mode, which allows remote attackers to execute arbitrary code via a crafted (1) Windows Metafile (aka WMF) or (2) Enhanced Metafile (aka EMF) image file, aka "Windows Kernel Input Validation Vulnerability." TA09-069A MS09-006 ADV-2009-0659 1021826 34012 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=842987&poid= http://support.avaya.com/elmodocs2/security/ASA-2009-079.htm 34117 oval:org.mitre.oval:def:6202 52522 The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly validate handles, which allows local users to gain privileges via a crafted application that triggers unspecified "actions," aka "Windows Kernel Handle Validation Vulnerability." TA09-069A ADV-2009-0659 1021827 34027 MS09-006 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=842987&poid= http://support.avaya.com/elmodocs2/security/ASA-2009-079.htm 34117 oval:org.mitre.oval:def:6036 52523 The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 does not properly handle invalid pointers, which allows local users to gain privileges via an application that triggers use of a crafted pointer, aka "Windows Kernel Invalid Pointer Vulnerability." TA09-069A MS09-006 ADV-2009-0659 1021827 34025 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=842987&poid= http://support.avaya.com/elmodocs2/security/ASA-2009-079.htm 34117 oval:org.mitre.oval:def:5440 52524 Use-after-free vulnerability in DirectShow in Microsoft DirectX 8.1 and 9.0 allows remote attackers to execute arbitrary code via an MJPEG file or video stream with a malformed Huffman table, which triggers an exception that frees heap memory that is later accessed, aka "MJPEG Decompression Vulnerability." TA09-104A MS09-011 ADV-2009-1025 1022040 34460 http://www.piotrbania.com/all/adv/ms-directx-mjpeg-adv.txt http://support.avaya.com/elmodocs2/security/ASA-2009-132.htm 34665 oval:org.mitre.oval:def:5618 53632 The Secure Channel (aka SChannel) authentication component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008, when certificate authentication is used, does not properly validate the client's key exchange data in Transport Layer Security (TLS) handshake messages, which allows remote attackers to spoof authentication by crafting a TLS packet based on knowledge of the certificate but not the private key, aka "SChannel Spoofing Vulnerability." TA09-069A MS09-007 ADV-2009-0660 1021828 34215 oval:org.mitre.oval:def:6011 52521 Integer underflow in Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote HTTP servers to execute arbitrary code via crafted parameter values in a response, related to error handling, aka "Windows HTTP Services Integer Underflow Vulnerability." TA09-104A MS09-013 ADV-2009-1027 1022041 34435 34677 oval:org.mitre.oval:def:6149 53620 Unspecified vulnerability in the Word 6 text converter in WordPad in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and the Word 6 text converter in Microsoft Office Word 2000 SP3 and 2002 SP3; allows remote attackers to execute arbitrary code via a crafted Word 6 file that contains malformed data, aka "WordPad and Office Text Converter Memory Corruption Vulnerability." TA09-104A MS09-010 ADV-2009-1024 1022043 oval:org.mitre.oval:def:5799 53662 The WordPerfect 6.x Converter (WPFT632.CNV, 1998.1.27.0) in Microsoft Office Word 2000 SP3 and Microsoft Office Converter Pack does not properly validate the length of an unspecified string, which allows remote attackers to execute arbitrary code via a crafted WordPerfect 6.x file, related to an unspecified counter and control structures on the stack, aka "Word 2000 WordPerfect 6.x Converter Stack Corruption Vulnerability." TA09-104A MS09-010 ADV-2009-1024 1022043 oval:org.mitre.oval:def:5736 53663 20090414 Microsoft Word 2000 WordPerfect 6.x Converter Stack Corruption Vulnerability Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, and Vista Gold allows remote web servers to impersonate arbitrary https web sites by using DNS spoofing to "forward a connection" to a different https web site that has a valid certificate matching its own domain name, but not a certificate matching the domain name of the host requested by the user, aka "Windows HTTP Services Certificate Name Mismatch Vulnerability." TA09-104A MS09-013 ADV-2009-1027 1022041 34437 34677 oval:org.mitre.oval:def:6027 Microsoft .NET Framework 1.0 SP3, 1.1 SP1, and 2.0 SP1 does not properly validate .NET verifiable code, which allows remote attackers to obtain unintended access to stack memory, and execute arbitrary code, via (1) a crafted XAML browser application (XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka "Microsoft .NET Framework Pointer Verification Vulnerability." TA09-286A MS09-061 oval:org.mitre.oval:def:5716 Microsoft .NET Framework 2.0, 2.0 SP1, and 3.5 does not properly enforce a certain type-equality constraint in .NET verifiable code, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka "Microsoft .NET Framework Type Verification Vulnerability." TA09-286A MS09-061 oval:org.mitre.oval:def:6451 Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and SP2, and Server 2008, when dynamic updates are enabled, does not restrict registration of the "wpad" hostname, which allows remote authenticated users to hijack the Web Proxy Auto-Discovery (WPAD) feature, and conduct man-in-the-middle attacks by spoofing a proxy server, via a Dynamic Update request for this hostname, aka "DNS Server Vulnerability in WPAD Registration Vulnerability," a related issue to CVE-2007-1692. TA09-069A MS09-008 ADV-2009-0661 1021830 33989 http://support.avaya.com/elmodocs2/security/ASA-2009-083.htm 34217 oval:org.mitre.oval:def:6138 52519 http://blogs.technet.com/srd/archive/2009/03/13/ms09-008-dns-and-wins-server-security-update-in-more-detail.aspx http://blog.ncircle.com/blogs/vert/archives/2009/03/successful_exploit_renders_mic.html The WINS server in Microsoft Windows 2000 SP4 and Server 2003 SP1 and SP2 does not restrict registration of the (1) "wpad" and (2) "isatap" NetBIOS names, which allows remote authenticated users to hijack the Web Proxy Auto-Discovery (WPAD) and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) features, and conduct man-in-the-middle attacks by spoofing a proxy server or ISATAP route, by registering one of these names in the WINS database, aka "WPAD WINS Server Registration Vulnerability," a related issue to CVE-2007-1692. Per: http://www.microsoft.com/technet/security/Bulletin/MS09-008.mspx Mitigating Factors for WPAD WINS Server Registration Vulnerability - CVE-2009-0094 Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation. If WINS server already has WPAD and ISATAP registered than an attacker will not be able to register these as well. TA09-069A MS09-008 ADV-2009-0661 1021829 34013 http://support.avaya.com/elmodocs2/security/ASA-2009-083.htm 34217 oval:org.mitre.oval:def:6117 52520 http://blogs.technet.com/srd/archive/2009/03/13/ms09-008-dns-and-wins-server-security-update-in-more-detail.aspx Microsoft Office Visio 2002 SP2, 2003 SP3, and 2007 SP1 does not properly validate object data in Visio files, which allows remote attackers to execute arbitrary code via a crafted file, aka "Memory Validation Vulnerability." TA09-041A MS09-005 ADV-2009-0391 oval:org.mitre.oval:def:6179 Microsoft Office Visio 2002 SP2, 2003 SP3, and 2007 SP1 does not properly perform memory copy operations for object data, which allows remote attackers to execute arbitrary code via a crafted Visio document, aka "Memory Corruption Vulnerability." TA09-041A ADV-2009-0391 MS09-005 oval:org.mitre.oval:def:6172 Microsoft Office Visio 2002 SP2 and 2003 SP3 does not properly validate memory allocation for Visio files, which allows remote attackers to execute arbitrary code via a crafted file, aka "Memory Corruption Vulnerability." TA09-041A MS09-005 ADV-2009-0391 oval:org.mitre.oval:def:6188 Microsoft Exchange 2000 Server SP3, Exchange Server 2003 SP2, and Exchange Server 2007 SP1 do not properly interpret Transport Neutral Encapsulation (TNEF) properties, which allows remote attackers to execute arbitrary code via a crafted TNEF message, aka "Memory Corruption Vulnerability." TA09-041A MS09-003 33838 oval:org.mitre.oval:def:6114 51837 The Electronic Messaging System Microsoft Data Base (EMSMDB32) provider in Microsoft Exchange 2000 Server SP3 and Exchange Server 2003 SP2, as used in Exchange System Attendant, allows remote attackers to cause a denial of service (application outage) via a malformed MAPI command, aka "Literal Processing Vulnerability." TA09-041A MS09-003 33838 oval:org.mitre.oval:def:6159 51838 Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel in Microsoft Office 2004 and 2008 for Mac; Microsoft Office Excel Viewer and Excel Viewer 2003 SP3; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 do not properly parse the Excel spreadsheet file format, which allows remote attackers to execute arbitrary code via a crafted spreadsheet that contains a malformed object with "an offset and a two-byte value" that trigger a memory calculation error, aka "Memory Corruption Vulnerability." TA09-104A MS09-009 ADV-2009-1023 1022039 20090415 Microsoft Office Excel Remote Memory Corruption Vulnerability http://www.fortiguardcenter.com/advisory/FGA-2009-16.html oval:org.mitre.oval:def:6043 53665 Microsoft Project 2000 SR1 and 2002 SP1, and Office Project 2003 SP3, does not properly handle memory allocation for Project files, which allows remote attackers to execute arbitrary code via a malformed file, aka "Project Memory Validation Vulnerability." TA09-342A MS09-074 oval:org.mitre.oval:def:6298 Multiple PHP remote file inclusion vulnerabilities in playSMS 0.9.3 allow remote attackers to execute arbitrary PHP code via a URL in the (1) apps_path[plug] parameter to plugin/gateway/gnokii/init.php, the (2) apps_path[themes] parameter to plugin/themes/default/init.php, and the (3) apps_path[libs] parameter to lib/function.php. 33138 7687 4888 33386 SQL injection vulnerability in index.php in EZpack 4.2b2 allows remote attackers to execute arbitrary SQL commands via the qType parameter in a webboard prog action. 33131 7680 4890 Cross-site scripting (XSS) vulnerability in index.php in EZpack 4.2b2 allows remote attackers to inject arbitrary web script or HTML via the mdfd parameter in a prog action. 33131 7680 4890 SQL injection vulnerability in profile.php in PHPAuctions (aka PHPAuctionSystem) allows remote attackers to execute arbitrary SQL commands via the user_id parameter. phpauctions-profile-sql-injection(43264) 33115 33331 51144 7672 Cross-site scripting (XSS) vulnerability in profile.php in PHPAuctions (aka PHPAuctionSystem) allows remote attackers to inject arbitrary web script or HTML via the user_id parameter. 33115 33331 51145 7672 PHPAuctions (aka PHPAuctionSystem) allows remote attackers to bypass authentication and gain administrative access via modified (1) PHPAUCTION_RM_ID, (2) PHPAUCTION_RM_NAME, (3) PHPAUCTION_RM_USERNAME, and (4) PHPAUCTION_RM_EMAIL cookies. 33120 7674 4891 33331 51146 SQL injection vulnerability in index.php in RiotPix 0.61 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information. 33132 7682 4892 33395 SQL injection vulnerability in read.php in RiotPix 0.61 and earlier allows remote attackers to execute arbitrary SQL commands via the forumid parameter. 33129 7679 4893 33395 SQL injection vulnerability in frontpage.php in Goople CMS 1.8.2 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter. 33135 7683 4894 33393 Cross-site request forgery (CSRF) vulnerability in admin/agent_edit.asp in PollPro 3.0 allows remote attackers to create or modify accounts as administrators via the username, password, and name parameters. pollpro-unspecified-csrf(47754) 4895 33319 20090103 PollPro 3.0 XSRF VuLn Directory traversal vulnerability in attachmentlibrary.php in the XStandard component for Joomla! 1.5.8 and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in the X_CMS_LIBRARY_PATH HTTP header. 33143 7691 4896 33377 Unspecified vulnerability in the Settings Manager in Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87, and possibly other versions, allows remote attackers to trick a user into visiting an arbitrary URL via unknown vectors, related to "a potential Clickjacking issue variant." TA09-133A ADV-2009-0513 http://www.adobe.com/support/security/bulletins/apsb09-01.html flash-settings-manager-click-hijacking(48902) ADV-2009-1297 ADV-2009-0743 http://support.apple.com/kb/HT3549 254909 1021751 GLSA-200903-23 35074 34293 34226 oval:org.mitre.oval:def:6662 APPLE-SA-2009-05-12 http://isc.sans.org/diary.html?storyid=5929 The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0.4.8, as used in SUSE openSUSE, SUSE Linux Enterprise Server (SLES), Fedora, and possibly other operating systems, uses world-writable permissions for the socket file (aka /var/run/multipathd.sock), which allows local users to send arbitrary commands to the multipath daemon. FEDORA-2009-3453 FEDORA-2009-3449 ADV-2010-0528 DSA-1767 http://support.avaya.com/elmodocs2/security/ASA-2009-128.htm 38794 34759 34710 34694 34642 34418 oval:org.mitre.oval:def:9214 [security-announce] 20100303 VMSA-2010-0004 ESX Service Console and vMA third party updates SUSE-SR:2009:008 SUSE-SR:2009:007 http://launchpad.net/bugs/cve/2009-0115 http://download.opensuse.org/update/10.3-test/repodata/patch-kpartx-6082.xml Buffer overflow in Microsoft Windows XP SP3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .chm file. 33204 7720 4912 The IBM WebSphere DataPower XML Security Gateway XS40 with firmware 3.6.1.5 allows remote attackers to cause a denial of service (device reboot) by sending data over an established SSL connection, as demonstrated by the abc\r\n\r\n string data. ADV-2009-0111 1021547 33169 20090108 [IBM Datapower XS40] Denial of Service 4911 SQL injection vulnerability in frontpage.php in Goople CMS 1.8.2 allows remote attackers to execute arbitrary SQL commands via the password parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 33393 hplip.postinst in HP Linux Imaging and Printing (HPLIP) 2.7.7 and 2.8.2 on Ubuntu allows local users to change the ownership of arbitrary files via unspecified manipulations in advance of an HPLIP installation or upgrade by an administrator, related to the product's attempt to correct the ownership of its configuration files within home directories. 33249 https://launchpad.net/bugs/191299 USN-708-1 33539 Unspecified vulnerability in Apple Safari on Mac OS X 10.5 and Windows allows remote attackers to read arbitrary files on a client machine via vectors related to the association of Safari with the (1) feed, (2) feeds, and (3) feedsearch URL types for RSS feeds. NOTE: as of 20090114, the only disclosure is a vague pre-advisory. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. safari-rss-feed-info-disclosure(47917) 1021581 33234 33458 http://isc.sans.org/diary.html?storyid=5689 http://brian.mastenbrook.net/display/27 The tqsl_verifyDataBlock function in openssl_cert.cpp in American Radio Relay League (ARRL) tqsllib 2.0 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. FEDORA-2009-0543 https://bugzilla.redhat.com/show_bug.cgi?id=479650 33543 [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511509 ** DISPUTED ** NOTE: this issue has been disputed by the upstream vendor. nasl/nasl_crypto2.c in the Nessus Attack Scripting Language library (aka libnasl) 2.2.11 does not properly check the return value from the OpenSSL DSA_do_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: the upstream vendor has disputed this issue, stating "while we do misuse this function (this is a bug), it has absolutely no security ramification." https://bugzilla.redhat.com/show_bug.cgi?id=479655 20090120 CVE-2009-0125 (fwd) [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto SUSE-SR:2009:003 http://cvs.fedoraproject.org/viewvc/rpms/libnasl/F-10/libnasl.spec?r1=1.16&r2=1.17 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511517 The decrypt_public function in lib/crypt.cpp in the client in Berkeley Open Infrastructure for Network Computing (BOINC) 6.2.14 and 6.4.5 does not check the return value from the OpenSSL RSA_public_decrypt function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. FEDORA-2009-0578 https://bugzilla.redhat.com/show_bug.cgi?id=479664 33828 33806 [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto SUSE-SR:2009:003 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511521 http://boinc.berkeley.edu/trac/ticket/823 http://boinc.berkeley.edu/trac/changeset/16883 ** DISPUTED ** M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto." https://bugzilla.redhat.com/show_bug.cgi?id=479676 [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515 plugins/crypto/openssl/crypto_openssl.c in Simple Linux Utility for Resource Management (aka SLURM or slurm-llnl) does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511511 libcrypt-openssl-dsa-perl does not properly check the return value from the OpenSSL DSA_verify and DSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511519 ** DISPUTED ** lib/crypto/c_src/crypto_drv.c in erlang does not properly check the return value from the OpenSSL DSA_do_verify function, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a package maintainer disputes this issue, reporting that there is a proper check within the only code that uses the applicable part of crypto_drv.c, and thus "this report is invalid." [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511520 The UFS implementation in the kernel in Sun OpenSolaris snv_29 through snv_90 allows local users to cause a denial of service (panic) via the single posix_fallocate test in the SUSv3 POSIX test suite, related to an F_ALLOCSP fcntl call. 1021600 33267 239188 http://bugs.opensolaris.org/view_bug.do?bug_id=6711995 Integer overflow in the aio_suspend function in Sun Solaris 8 through 10 and OpenSolaris, when 32-bit mode is enabled, allows local users to cause a denial of service (panic) via a large integer value in the second argument (aka nent argument). 33188 http://sunsolve.sun.com/search/document.do?assetkey=1-21-117350-59-1 ADV-2009-0099 http://www.trapkit.de/advisories/TKADV2009-001.txt 1021553 247986 33516 Buffer overflow in Microsoft HTML Help Workshop 4.74 and earlier allows context-dependent attackers to execute arbitrary code via a .hhp file with a long "Index file" field, possibly a related issue to CVE-2006-0564. 7727 4914 Insecure method vulnerability in the EasyGrid.SGCtrl.32 ActiveX control in EasyGrid.ocx 1.0.0.1 in AAA EasyGrid ActiveX 3.51 allows remote attackers to create and overwrite arbitrary files via the (1) DoSaveFile or (2) DoSaveHtmlFile method. NOTE: vector 1 could be leveraged for code execution by creating executable files in Startup folders or by accessing files using hcp:// URLs. NOTE: some of these details are obtained from third party information. easygrid-activex-dosavefile-file-overwrite(47946) 33272 7779 4913 33537 Multiple integer overflows in the Audible::Tag::readTag function in metadata/audible/audibletag.cpp in Amarok 1.4.10 through 2.0.1 allow remote attackers to execute arbitrary code via an Audible Audio (.aa) file with a large (1) nlen or (2) vlen Tag value, each of which triggers a heap-based buffer overflow. FEDORA-2009-0715 https://bugzilla.redhat.com/show_bug.cgi?id=479946 https://bugzilla.redhat.com/show_bug.cgi?id=479560 ADV-2009-0100 USN-739-1 1021558 33210 20090111 [TKADV2009-002] Amarok Integer Overflow and Unchecked Allocation Vulnerabilities MDVSA-2009:030 DSA-1706 http://websvn.kde.org/?view=rev&revision=908415 http://websvn.kde.org/?view=rev&revision=908401 http://websvn.kde.org/?view=rev&revision=908391 http://trapkit.de/advisories/TKADV2009-002.txt 4915 GLSA-200903-34 34407 34315 33819 33640 33522 33505 [oss-security] 20090114 CVE Request -- amarok SUSE-SR:2009:003 http://bugs.gentoo.org/show_bug.cgi?id=254896 http://amarok.kde.org/en/releases/2.0.1.1 Multiple array index errors in the Audible::Tag::readTag function in metadata/audible/audibletag.cpp in Amarok 1.4.10 through 2.0.1 allow remote attackers to cause a denial of service (application crash) or execute arbitrary code via an Audible Audio (.aa) file with a crafted (1) nlen or (2) vlen Tag value, each of which can lead to an invalid pointer dereference, or the writing of a 0x00 byte to an arbitrary memory location, after an allocation failure. FEDORA-2009-0715 https://bugzilla.redhat.com/show_bug.cgi?id=479946 https://bugzilla.redhat.com/show_bug.cgi?id=479560 ADV-2009-0100 USN-739-1 1021558 33210 20090111 [TKADV2009-002] Amarok Integer Overflow and Unchecked Allocation Vulnerabilities MDVSA-2009:030 DSA-1706 http://websvn.kde.org/?view=rev&revision=908415 http://websvn.kde.org/?view=rev&revision=908401 http://websvn.kde.org/?view=rev&revision=908391 http://trapkit.de/advisories/TKADV2009-002.txt 4915 GLSA-200903-34 34407 34315 33819 33640 33522 33505 [oss-security] 20090114 CVE Request -- amarok SUSE-SR:2009:003 http://bugs.gentoo.org/show_bug.cgi?id=254896 http://amarok.kde.org/en/releases/2.0.1.1 Multiple unspecified vulnerabilities in Safari RSS in Apple Mac OS X 10.4.11 and 10.5.6, and Windows XP and Vista, allow remote attackers to execute arbitrary JavaScript in the local security zone via a crafted feed: URL, related to "input validation issues." APPLE-SA-2009-02-12 APPLE-SA-2009-02-12 http://support.apple.com/kb/HT3438 servermgrd (Server Manager) in Apple Mac OS X 10.5.6 does not properly validate authentication credentials, which allows remote attackers to modify the system configuration. APPLE-SA-2009-02-12 ADV-2009-0422 33813 33759 http://support.apple.com/kb/HT3438 33937 Integer overflow in the SMB component in Apple Mac OS X 10.5.6 allows remote SMB servers to cause a denial of service (system shutdown) or execute arbitrary code via a crafted SMB file system that triggers a heap-based buffer overflow. APPLE-SA-2009-02-12 ADV-2009-0422 http://support.apple.com/kb/HT3438 33937 Unspecified vulnerability in the SMB component in Apple Mac OS X 10.4.11 and 10.5.6 allows remote SMB servers to cause a denial of service (memory exhaustion and system shutdown) via a crafted file system name. APPLE-SA-2009-02-12 ADV-2009-0422 http://support.apple.com/kb/HT3438 33937 XTerm in Apple Mac OS X 10.4.11 and 10.5.6, when used with luit, creates tty devices with insecure world-writable permissions, which allows local users to write to the Xterm of another user. macosx-xterm-information-disclosure(48727) ADV-2009-0422 33798 http://support.apple.com/kb/HT3438 1021729 33937 APPLE-SA-2009-02-12 Race condition in AFP Server in Apple Mac OS X 10.5.6 allows local users to cause a denial of service (infinite loop) via unspecified vectors related to "file enumeration logic." ADV-2009-0422 33812 33759 http://support.apple.com/kb/HT3438 33937 APPLE-SA-2009-02-12 Apple iTunes before 8.1 does not properly inform the user about the origin of an authentication request, which makes it easier for remote podcast servers to trick a user into providing a username and password when subscribing to a crafted podcast. http://support.apple.com/kb/HT3487 APPLE-SA-2009-03-11 itunes-podcast-information-disclosure(49201) ADV-2009-0702 34094 1021843 34254 oval:org.mitre.oval:def:5336 52579 CFNetwork in Apple Mac OS X 10.5 before 10.5.7 does not properly parse noncompliant Set-Cookie headers, which allows remote attackers to obtain sensitive information by sniffing the network for "secure cookies" that are sent over unencrypted HTTP connections. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 macos-cfnetwork-info-disclosure(50479) ADV-2009-1297 1022214 34926 35074 CoreGraphics in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF file that triggers memory corruption. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 macos-coregraphics-pdf-code-execution(50481) ADV-2009-1621 ADV-2009-1522 ADV-2009-1297 1022209 34926 http://support.apple.com/kb/HT3639 http://support.apple.com/kb/HT3613 35379 35074 APPLE-SA-2009-06-17-1 APPLE-SA-2009-06-08-1 Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg. TA09-133A RHSA-2009:0430 FEDORA-2009-6982 FEDORA-2009-6973 FEDORA-2009-6972 https://bugzilla.redhat.com/show_bug.cgi?id=490612 ADV-2010-1040 ADV-2009-1621 ADV-2009-1297 ADV-2009-1077 ADV-2009-1066 ADV-2009-1065 1022073 34568 20090417 rPSA-2009-0059-1 poppler 20090417 rPSA-2009-0061-1 cups RHSA-2009:0480 RHSA-2009:0431 RHSA-2009:0429 MDVSA-2010:087 MDVSA-2009:101 DSA-1793 DSA-1790 http://wiki.rpath.com/Advisories:rPSA-2009-0061 http://wiki.rpath.com/Advisories:rPSA-2009-0059 http://support.apple.com/kb/HT3639 http://support.apple.com/kb/HT3549 SSA:2009-129-01 GLSA-200904-20 35685 35618 35074 35065 35064 35037 34991 34963 34959 34852 34756 34755 34481 34291 RHSA-2009:0458 oval:org.mitre.oval:def:9632 SUSE-SR:2009:012 SUSE-SR:2009:010 SUSE-SA:2009:024 APPLE-SA-2009-05-12 APPLE-SA-2009-06-17-1 http://bugs.gentoo.org/show_bug.cgi?id=263028 Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap. TA09-133A RHSA-2009:0430 FEDORA-2009-6982 FEDORA-2009-6973 FEDORA-2009-6972 https://bugzilla.redhat.com/show_bug.cgi?id=490614 ADV-2010-1040 ADV-2009-1621 ADV-2009-1297 ADV-2009-1077 ADV-2009-1066 ADV-2009-1065 1022073 34568 20090417 rPSA-2009-0059-1 poppler 20090417 rPSA-2009-0061-1 cups RHSA-2009:0480 RHSA-2009:0431 RHSA-2009:0429 MDVSA-2010:087 MDVSA-2009:101 DSA-1793 DSA-1790 http://wiki.rpath.com/Advisories:rPSA-2009-0061 http://wiki.rpath.com/Advisories:rPSA-2009-0059 http://support.apple.com/kb/HT3639 http://support.apple.com/kb/HT3549 SSA:2009-129-01 GLSA-200904-20 35685 35618 35074 35065 35064 35037 34991 34963 34959 34852 34756 34755 34481 34291 RHSA-2009:0458 oval:org.mitre.oval:def:9941 SUSE-SR:2009:012 SUSE-SR:2009:010 SUSE-SA:2009:024 APPLE-SA-2009-05-12 APPLE-SA-2009-06-17-1 http://bugs.gentoo.org/show_bug.cgi?id=263028 Multiple buffer overflows in Cscope before 15.7a allow remote attackers to execute arbitrary code via long strings in input such as (1) source-code tokens and (2) pathnames, related to integer overflows in some cases. NOTE: this issue exists because of an incomplete fix for CVE-2004-2541. TA09-133A http://sourceforge.net/project/shownotes.php?group_id=4664&release_id=679527 http://sourceforge.net/forum/forum.php?forum_id=947983 https://bugzilla.redhat.com/show_bug.cgi?id=490667 ADV-2009-1297 ADV-2009-1238 1022218 34805 RHSA-2009:1102 RHSA-2009:1101 [oss-security] 20090506 Re: Old cscope buffer overflow DSA-1806 http://support.apple.com/kb/HT3549 [cscope-cvs] 20090410 CVS: cscope/src snprintf.c, NONE, 1.1 build.c, 1.14, 1.15 command.c, 1.32, 1.33 dir.c, 1.30, 1.31 display.c, 1.29, 1.30 edit.c, 1.6, 1.7 exec.c, 1.11, 1.12 find.c, 1.20, 1.21 global.h, 1.36, 1.37 main.c, 1.45, 1.46 Makefile.am, 1.12, 1.13 Makefile.in, 1.15, 1.16 vpaccess.c, 1.2, 1.3 vpfopen.c, 1.3, 1.4 vpopen.c, 1.4, 1.5 GLSA-200905-02 35462 35214 35213 35074 34978 oval:org.mitre.oval:def:9633 APPLE-SA-2009-05-12 Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows local users to gain privileges or cause a denial of service (application crash) by attempting to mount a crafted sparse disk image that triggers memory corruption. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 macos-diskimages-code-execution-var1(50484) ADV-2009-1297 1022217 34942 34926 35074 Stack-based buffer overflow in Apple Mac OS X 10.5 before 10.5.7 allows local users to gain privileges or cause a denial of service (application crash) by attempting to mount a crafted sparse disk image. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 macos-diskimages-bo(50483) ADV-2009-1297 1022217 34926 35074 The screen saver in Dock in Apple Mac OS X 10.5 before 10.5.8 does not prevent four-finger Multi-Touch gestures, which allows physically proximate attackers to bypass locking and "manage applications or use Expose" via unspecified vectors. TA09-218A ADV-2009-2172 35954 http://support.apple.com/kb/HT3757 APPLE-SA-2009-08-05-1 macosx-dock-security-bypass(52421) 36096 56847 iChat in Apple Mac OS X 10.5 before 10.5.7 disables SSL for AOL Instant Messenger (AIM) communication in certain circumstances that are inconsistent with the Require SSL setting, which allows remote attackers to obtain sensitive information by sniffing the network. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 macos-ichat-ssl-weak-security(50487) ADV-2009-1297 1022212 34926 35074 International Components for Unicode (ICU) 4.0, 3.6, and other 3.x versions, as used in Apple Mac OS X 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Fedora 9 and 10, and possibly other operating systems, does not properly handle invalid byte sequences during Unicode conversion, which might allow remote attackers to conduct cross-site scripting (XSS) attacks. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 FEDORA-2009-6273 FEDORA-2009-6121 https://bugzilla.redhat.com/show_bug.cgi?id=503071 macos-icu-security-bypass(50488) ADV-2009-1621 ADV-2009-1522 ADV-2009-1297 34974 34926 RHSA-2009:1122 http://support.apple.com/kb/HT3639 http://support.apple.com/kb/HT3613 35584 35498 35436 35379 35074 oval:org.mitre.oval:def:11366 APPLE-SA-2009-06-17-1 APPLE-SA-2009-06-08-1 http://bugs.icu-project.org/trac/ticket/5691 Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows remote attackers to execute arbitrary code via a crafted Compact Font Format (CFF) font. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 macos-ats-cff-bo(50478) http://www.zerodayinitiative.com/advisories/ZDI-09-023 ADV-2009-1297 1022218 34926 20090519 ZDI-09-023: Apple OS X ATSServer Compact Font Format Parsing Memory Corruption Vulnerability 35074 Integer underflow in CoreGraphics in Apple Mac OS X 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF file that triggers a heap-based buffer overflow. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 macos-coregraphics-pdf-bo(50482) ADV-2009-1621 ADV-2009-1297 1022209 34926 http://support.apple.com/kb/HT3639 35074 APPLE-SA-2009-06-17-1 Launch Services in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows remote attackers to cause a denial of service (persistent Finder crash) via a crafted Mach-O executable that triggers an out-of-bounds memory read. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 macos-launchservices-dos(50490) ADV-2009-1297 1022215 34932 34926 35074 Heap-based buffer overflow in CFNetwork in Apple Mac OS X 10.5 before 10.5.7 allows remote web servers to execute arbitrary code or cause a denial of service (application crash) via long HTTP headers. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 macos-cfnetwork-bo(50480) ADV-2009-1297 1022211 34926 35074 Stack-based buffer overflow in telnet in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long hostname for a telnet server. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 ADV-2009-1297 34926 35074 Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. TA09-133A https://support.ntp.org/bugs/show_bug.cgi?id=1144 34481 FEDORA-2009-5275 FEDORA-2009-5273 RHSA-2009:1651 https://bugzilla.redhat.com/show_bug.cgi?id=490617 ntp-cookedprint-bo(49838) ADV-2009-3316 ADV-2009-1297 ADV-2009-0999 http://www.vmware.com/security/advisories/VMSA-2009-0016.html USN-777-1 1022033 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components MDVSA-2009:092 GLSA-200905-08 DSA-1801 http://support.apple.com/kb/HT3549 SSA:2009-154-01 37471 35630 35416 35336 35308 35253 35169 35166 35138 35137 35074 34608 RHSA-2009:1040 RHSA-2009:1039 oval:org.mitre.oval:def:9634 oval:org.mitre.oval:def:8665 oval:org.mitre.oval:def:8386 oval:org.mitre.oval:def:5411 53593 http://ntp.bkbits.net:8080/ntp-stable/?PAGE=gnupatch&REV=1.1565 SSRT101144 HPSBUX02859 SUSE-SR:2009:011 APPLE-SA-2009-05-12 http://bugs.pardus.org.tr/show_bug.cgi?id=9532 NetBSD-SA2009-006 QuickDraw Manager in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT image that triggers memory corruption. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 ADV-2009-1297 1022209 34937 34926 35074 The OpenSSL::OCSP module for Ruby in Apple Mac OS X 10.5 before 10.5.7 misinterprets an unspecified invalid response as a successful OCSP certificate validation, which might allow remote attackers to spoof certificate authentication via a revoked certificate. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 macos-opensslocsp-weak-security(50592) ADV-2009-1297 34926 35074 Cross-site scripting (XSS) vulnerability in Safari before 3.2.3, and 4 Public Beta, on Apple Mac OS X 10.5 before 10.5.7 and Windows allows remote attackers to inject arbitrary web script or HTML via a crafted feed: URL. TA09-133A http://support.apple.com/kb/HT3549 APPLE-SA-2009-05-12 APPLE-SA-2009-05-12 APPLE-SA-2009-05-12 safari-feedurl-code-execution(50476) ADV-2009-1298 ADV-2009-1297 1022206 34925 http://support.apple.com/kb/HT3550 35074 35056 Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and earlier allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via a crafted TIFF image, which is not properly handled by the (1) _cupsImageReadTIFF function in the imagetops filter and (2) imagetoraster filter, leading to a heap-based buffer overflow. https://bugzilla.redhat.com/show_bug.cgi?id=490596 USN-760-1 1022070 34571 20090417 rPSA-2009-0061-1 cups RHSA-2009:0429 RHSA-2009:0428 DSA-1773 http://www.cups.org/str.php?L3031 http://www.cups.org/articles.php?L582 http://wiki.rpath.com/Advisories:rPSA-2009-0061 GLSA-200904-20 34852 34756 34747 34722 34481 oval:org.mitre.oval:def:11546 SUSE-SA:2009:024 The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which makes it easier for remote attackers to conduct DNS rebinding attacks. TA09-133A https://bugzilla.redhat.com/show_bug.cgi?id=490597 http://www.cups.org/str.php?L3118 http://www.cups.org/articles.php?L582 ADV-2009-1297 34665 20090417 rPSA-2009-0061-1 cups http://wiki.rpath.com/Advisories:rPSA-2009-0061 http://support.apple.com/kb/HT3549 GLSA-200904-20 35074 APPLE-SA-2009-05-12 http://bugs.gentoo.org/show_bug.cgi?id=263070 Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, as used in Poppler and other products, when running on Mac OS X, has unspecified impact, related to "g*allocn." TA09-133A http://bugs.gentoo.org/show_bug.cgi?id=263028 multiple-jbig2-unspecified(50377) ADV-2009-1621 ADV-2009-1297 34568 MDVSA-2009:101 DSA-1793 DSA-1790 http://support.apple.com/kb/HT3639 http://support.apple.com/kb/HT3549 SSA:2009-129-01 35685 35074 35065 35037 34991 34959 34852 SUSE-SR:2009:012 SUSE-SR:2009:010 SUSE-SA:2009:024 APPLE-SA-2009-05-12 APPLE-SA-2009-06-17-1 The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialized memory. ADV-2009-1066 34568 RHSA-2009:0480 RHSA-2009:0431 RHSA-2009:0430 RHSA-2009:0429 DSA-1793 DSA-1790 RHSA-2009:0458 FEDORA-2009-6982 FEDORA-2009-6973 FEDORA-2009-6972 https://bugzilla.redhat.com/show_bug.cgi?id=490625 ADV-2010-1040 ADV-2009-1077 ADV-2009-1065 1022073 20090417 rPSA-2009-0061-1 cups MDVSA-2010:087 MDVSA-2009:101 http://wiki.rpath.com/Advisories:rPSA-2009-0061 SSA:2009-129-01 GLSA-200904-20 35685 35618 35065 35064 35037 34991 34963 34959 34852 34756 34755 34481 34291 oval:org.mitre.oval:def:9778 SUSE-SR:2009:012 SUSE-SR:2009:010 SUSE-SA:2009:024 Unspecified vulnerability in lpadmin in Sun Solaris 10 and OpenSolaris snv_61 through snv_106 allows local users to cause a denial of service via unspecified vectors, related to enumeration of "wrong printers," aka a "Temporary file vulnerability." http://sunsolve.sun.com/search/document.do?assetkey=1-21-139390-01-1 ADV-2009-0155 1021601 33269 http://support.avaya.com/elmodocs2/security/ASA-2009-026.htm 249306 33705 33488 oval:org.mitre.oval:def:6175 http://opensolaris.org/os/bug_reports/request_sponsor/ Unspecified vulnerability in ppdmgr in Sun Solaris 10 and OpenSolaris snv_61 through snv_106 allows local users to cause a denial of service via unspecified vectors, related to a failure to "include all cache files," and improper handling of temporary files. 249306 http://sunsolve.sun.com/search/document.do?assetkey=1-21-139390-01-1 solaris-ppdmgr-dos(48143) ADV-2009-0155 1021601 33269 http://support.avaya.com/elmodocs2/security/ASA-2009-026.htm 33705 33488 oval:org.mitre.oval:def:5503 http://opensolaris.org/os/bug_reports/request_sponsor/ Sun Java System Access Manager 7.1 allows remote authenticated sub-realm administrators to gain privileges, as demonstrated by creating the amadmin account in the sub-realm, and then logging in as amadmin in the root realm. 33266 http://sunsolve.sun.com/search/document.do?assetkey=1-21-126356-02-1 sun-jsam-subrealm-privilege-escalation(47944) ADV-2009-0157 1021604 249106 Sun Java System Access Manager 6.3 2005Q1, 7 2005Q4, and 7.1 allows remote authenticated users with console privileges to discover passwords, and obtain unspecified other "access to resources," by visiting the Configuration Items component in the console. 33265 242166 http://sunsolve.sun.com/search/document.do?assetkey=1-21-126356-02-1 sun-jsam-password-info-disclosure(47942) ADV-2009-0156 1021605 The Sun SPARC Enterprise M4000 and M5000 Server, within a certain range of serial numbers, allows remote attackers to use the manufacturing root password, perform a root login to the eXtended System Control Facility Unit (aka XSCFU or Service Processor), and have unspecified other impact. ADV-2009-0207 1021602 33280 249126 Unspecified vulnerability in IBM DB2 8 before FP17a, 9.1 before FP6a, and 9.5 before FP3a allows remote attackers to cause a denial of service (infinite loop) via a crafted CONNECT data stream. 33258 http://www-01.ibm.com/support/docview.wss?uid=swg21363936 ibm-db2-connect-stream-dos(47931) ADV-2009-0137 IZ37696 1021591 33529 ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v95/APARLIST.TXT ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v91/APARLIST.TXT ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT Unspecified vulnerability in the server in IBM DB2 8 before FP17a, 9.1 before FP6a, and 9.5 before FP3a allows remote authenticated users to cause a denial of service (trap) via a crafted data stream. http://www-01.ibm.com/support/docview.wss?uid=swg21363936 ibm-db2-datastream-dos(47934) ADV-2009-0137 33258 IZ39652 1021591 33529 ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v95/APARLIST.TXT ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v91/APARLIST.TXT ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT Stack-based buffer overflow in VUPlayer 2.49 allows remote attackers to execute arbitrary code via a long .asf URI in the HREF attribute of a REF element in a .asx file. vuplayer-asx-bo(47851) 33185 7715 7714 7713 7709 4918 Heap-based buffer overflow in Heathco Software MP3 TrackMaker 1.5 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string in an invalid .mp3 file. mp3trackmaker-mp3-bo(47852) 33183 7708 4920 Multiple heap-based buffer overflows in the PDF distiller in the Attachment Service in Research in Motion (RIM) BlackBerry Enterprise Server (BES) 4.1.3 through 4.1.6, BlackBerry Professional Software 4.1.4, and BlackBerry Unite! before 1.0.3 bundle 28 allow user-assisted remote attackers to execute arbitrary code via (1) a crafted stream in a .pdf file, related to "symWidths"; or (2) a crafted data stream in a .pdf file, related to "bitmaps." 33224 http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119 http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118 33534 20090113 RIM BlackBerry Enterprise Server Attachment Service PDF Distiller 'bitmaps' Heap Overflow Vulnerability 20090113 RIM BlackBerry Enterprise Server Attachment Service PDF Distiller 'symWidths' Heap Overflow Vulnerability vmwarebase.dll, as used in the vmware-authd service (aka vmware-authd.exe), in VMware Workstation 6.5.1 build 126130, 6.5.1 and earlier; VMware Player 2.5.1 build 126130, 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 2.0.x before 2.0.1 build 156745; and VMware Fusion before 2.0.2 build 147997 allows remote attackers to cause a denial of service (daemon crash) via a long (1) USER or (2) PASS command. http://www.vmware.com/security/advisories/VMSA-2009-0005.html 20090403 VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues [security-announce] 20090403 VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues ADV-2009-0944 ADV-2009-0024 1021512 34373 34601 33372 oval:org.mitre.oval:def:6433 51180 7647 Unspecified vulnerability in IBM Hardware Management Console (HMC) 7 release 3.2.0 SP1 has unknown impact and attack vectors. ibm-hmc-unspecified(48010) http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4521 ADV-2009-0158 33293 33518 51432 libmikmod 3.1.11 through 3.2.0, as used by MikMod and possibly other products, allows user-assisted attackers to cause a denial of service (application crash) by loading an XM file. FEDORA-2009-9112 FEDORA-2009-9095 https://bugzilla.redhat.com/show_bug.cgi?id=479833 33240 34259 [oss-security] 20090113 CVE Request -- libmikmod SUSE-SR:2009:006 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476339 Certain Fedora build scripts for nfs-utils before 1.1.2-9.fc9 on Fedora 9, and before 1.1.4-6.fc10 on Fedora 10, omit TCP Wrapper support, which might allow remote attackers to bypass intended access restrictions, possibly a related issue to CVE-2008-1376. FEDORA-2009-0297 FEDORA-2009-0266 https://bugzilla.redhat.com/show_bug.cgi?id=477864 nfsutils-tcpwrapper-security-bypass(48058) 33294 33545 Buffer overflow in VUPlayer allows user-assisted attackers to have an unknown impact via a long file, as demonstrated by a file composed entirely of 'A' characters. vuplayer-file-bo(48169) 20090106 VUPLAYER BufferOver flow POC 4921 Buffer overflow in VUPlayer 2.49 and earlier allows user-assisted attackers to execute arbitrary code via a long URL in a File line in a .pls file, as demonstrated by an http URL on a File1 line. vuplayer-fileline-bo(48170) 7695 4923 Stack-based buffer overflow in Remote Control Server in Free Download Manager (FDM) 2.5 Build 758 and 3.0 Build 844 allows remote attackers to execute arbitrary code via a long Authorization header in an HTTP request. ADV-2009-0302 33554 20090202 Secunia Research: Free Download Manager Remote Control Server Buffer Overflow 7986 http://secunia.com/secunia_research/2009-3/ 33524 51745 Multiple buffer overflows in the torrent parsing implementation in Free Download Manager (FDM) 2.5 Build 758 and 3.0 Build 844 allow remote attackers to execute arbitrary code via (1) a long file name within a torrent file, (2) a long tracker URL in a torrent file, or (3) a long comment in a torrent file. ADV-2009-0302 33555 20090202 Secunia Research: Free Download Manager Torrent Parsing Buffer Overflows http://secunia.com/secunia_research/2009-5/ 33524 Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted MS ADPCM encoded audio data in an AVI movie file. ADV-2009-1469 http://support.apple.com/kb/HT3591 APPLE-SA-2009-06-01-1 quicktime-msadpcm-bo(50894) 1022314 35163 20090602 Secunia Research: Apple QuickTime MS ADPCM Encoding Buffer Overflow http://secunia.com/secunia_research/2009-6/ 35091 54879 Integer overflow in libsndfile 1.0.18, as used in Winamp and other products, allows context-dependent attackers to execute arbitrary code via crafted description chunks in a CAF audio file, leading to a heap-based buffer overflow. libsndfile-caf-bo(49038) ADV-2009-0585 ADV-2009-0584 USN-749-1 1021784 33963 20090303 Secunia Research: libsndfile CAF Processing Integer Overflow Vulnerability 20090303 Secunia Research: Winamp CAF Processing Integer Overflow Vulnerability http://www.mega-nerd.com/libsndfile/NEWS DSA-1742 GLSA-200904-16 http://secunia.com/secunia_research/2009-8/ http://secunia.com/secunia_research/2009-7/ 34791 34642 34526 34316 33981 33980 SUSE-SR:2009:008 Stack-based buffer overflow in Orbit Downloader 2.8.2 and 2.8.3, and possibly other versions before 2.8.5, allows remote attackers to execute arbitrary code via a crafted HTTP URL with a long host name, which is not properly handled when constructing a "Connecting" log message. ADV-2009-0521 33894 orbitdownloader-connecting-bo(48932) 20090225 Secunia Research: Orbit Downloader Long URL Parsing Buffer Overflow http://secunia.com/secunia_research/2009-9/ 33843 52294 Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie composed of a Sorenson 3 video file. ADV-2009-1469 http://support.apple.com/kb/HT3591 APPLE-SA-2009-06-01-1 quicktime-sorensonvideo-code-execution(50886) 1022314 35159 20090602 Secunia Research: QuickTime Sorenson Video 3 Content Parsing Vulnerability http://secunia.com/secunia_research/2009-10/ 35091 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-1012. Reason: This candidate is a reservation duplicate of CVE-2009-1012. Notes: All CVE users should reference CVE-2009-1012 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-1016. Reason: This candidate is a reservation duplicate of CVE-2009-1016. Notes: All CVE users should reference CVE-2009-1016 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Foxit Reader 2.3 before Build 3902 and 3.0 before Build 1506, including 3.0.2009.1301, does not properly handle a JBIG2 symbol dictionary segment with zero new symbols, which allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a dereference of an uninitialized memory location. ADV-2009-0634 http://www.foxitsoftware.com/pdf/reader/security.htm#Processing foxitreader-jbig2-code-execution(49135) 1021822 34035 20090309 Secunia Research: Foxit Reader JBIG2 Symbol Dictionary Processing Vulnerability http://secunia.com/secunia_research/2009-11/ 34036 Off-by-one error in the iMonitor component in Novell eDirectory 8.8 SP3, 8.8 SP3 FTF3, and possibly other versions allows remote attackers to execute arbitrary code via an HTTP request with a crafted Accept-Language header, which triggers a stack-based buffer overflow. edirectory-imonitor-acceptlanguage-bo(51703) ADV-2009-1883 35666 20090714 Secunia Research: Novell eDirectory iMonitor "Accept-Language" Buffer Overflow http://www.novell.com/support/viewContent.do?externalId=3426981 http://secunia.com/secunia_research/2009-13/ 34160 55847 Heap-based buffer overflow in Adobe Acrobat Reader 9 before 9.1, 8 before 8.1.4, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a PDF file with a malformed JBIG2 symbol dictionary segment, a different vulnerability than CVE-2009-1061 and CVE-2009-1062. 34229 http://www.adobe.com/support/security/bulletins/apsb09-04.html ADV-2009-1019 1021892 20090325 Secunia Research: Adobe Reader JBIG2 Symbol Dictionary Buffer Overflow RHSA-2009:0376 256788 GLSA-200904-17 http://secunia.com/secunia_research/2009-14/ 34790 34706 34490 34392 SUSE-SR:2009:009 SUSE-SA:2009:014 The domain-locking implementation in the GARMINAXCONTROL.GarminAxControl_t.1 ActiveX control in npGarmin.dll in the Garmin Communicator Plug-In 2.6.4.0 does not properly enforce the restrictions that (1) download and (2) upload requests come from a web site specified by the user, which allows remote attackers to obtain sensitive information or reconfigure Garmin GPS devices via unspecified vectors related to a "synchronisation error." communicator-domain-security-bypass(50360) 34858 20090507 Secunia Research: Garmin Communicator Plug-In Domain Locking Security Bypass 1022173 http://secunia.com/secunia_research/2009-16/ 34326 54258 Heap-based buffer overflow in Xpdf 3.02pl2 and earlier, CUPS 1.3.9, and probably other products, allows remote attackers to execute arbitrary code via a PDF file with crafted JBIG2 symbol dictionary segments. ADV-2010-1040 34791 20090417 Secunia Research: Xpdf JBIG2 Symbol Dictionary Buffer Overflow Vulnerability 20090417 Secunia Research: CUPS pdftops JBIG2 Symbol Dictionary Buffer Overflow RHSA-2009:0480 MDVSA-2010:087 http://secunia.com/secunia_research/2009-18/ http://secunia.com/secunia_research/2009-17/ 35064 34963 34756 34481 34291 RHSA-2009:0458 oval:org.mitre.oval:def:10076 Heap-based buffer overflow in the big2_decode_symbol_dict function (jbig2_symbol_dict.c) in the JBIG2 decoding library (jbig2dec) in Ghostscript 8.64, and probably earlier versions, allows remote attackers to execute arbitrary code via a PDF file with a JBIG2 symbol dictionary segment with a large run length value. 34445 FEDORA-2009-3710 FEDORA-2009-3709 https://bugzilla.redhat.com/attachment.cgi?id=337747 ADV-2009-1708 ADV-2009-0983 USN-757-1 1022029 20090417 rPSA-2009-0060-1 ghostscript 20090409 Secunia Research: Ghostscript jbig2dec JBIG2 Processing Buffer Overflow RHSA-2009:0421 MDVSA-2009:095 http://wiki.rpath.com/Advisories:rPSA-2009-0060 262288 http://secunia.com/secunia_research/2009-21/ 35569 35559 35416 34732 34729 34667 34292 oval:org.mitre.oval:def:10533 53492 SUSE-SR:2009:011 SUSE-SR:2009:009 Integer overflow in the FORMATS Plugin before 4.23 for IrfanView allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a large XPM file that triggers a heap-based buffer overflow. irfanview-formatsplugin-xpm-bo(49717) ADV-2009-0953 http://www.irfanview.com/plugins.htm 34402 20090407 Secunia Research: IrfanView Formats Plug-in XPM Parsing Integer Overflow 53323 http://secunia.com/secunia_research/2009-20/ 34525 Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat 8 before 8.1.6, and Adobe Reader 9 and Acrobat 9 before 9.1.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PDF file that contains JBIG2 text region segments with Huffman encoding. TA09-161A ADV-2009-1547 http://www.adobe.com/support/security/bulletins/apsb09-07.html reader-acrobat-jbig2-code-exec(51015) 35302 35274 20090610 Secunia Research: Adobe Reader JBIG2 Text Region Segment Buffer Overflow RHSA-2009:1109 1022361 GLSA-200907-06 http://secunia.com/secunia_research/2009-24/ 35734 35685 35655 35496 34580 SUSE-SR:2009:012 SUSE-SA:2009:035 Heap-based buffer overflow in the VMnc media codec in vmnc.dll in VMware Movie Decoder before 6.5.3 build 185404, VMware Workstation 6.5.x before 6.5.3 build 185404, VMware Player 2.5.x before 2.5.3 build 185404, and VMware ACE 2.5.x before 2.5.3 build 185404 on Windows might allow remote attackers to execute arbitrary code via a video file with crafted dimensions (aka framebuffer parameters). ADV-2009-2553 http://www.vmware.com/security/advisories/VMSA-2009-0012.html [security-announce] 20090904 VMSA-2009-0012 VMware Movie Decoder, VMware Workstation, VMware Player, and VMware ACE resolve security issues. 36290 20090905 VMSA-2009-0012 VMware Movie Decoder, VMware Workstation, VMware Player, and VMware ACE resolve security issues. http://secunia.com/secunia_research/2009-25/ 34938 Integer underflow in OpenOffice.org (OOo) before 3.1.1 and StarOffice/StarSuite 7, 8, and 9 might allow remote attackers to execute arbitrary code via crafted records in the document table of a Word document, leading to a heap-based buffer overflow. ADV-2009-2490 36200 20090901 Secunia Research: OpenOffice.org Word Document Table Parsing Integer Underflow MDVSA-2010:105 MDVSA-2010:091 MDVSA-2010:035 DSA-1880 1020715 263508 http://secunia.com/secunia_research/2009-26/ 36750 35036 oval:org.mitre.oval:def:10881 SUSE-SR:2009:015 http://development.openoffice.org/releases/3.1.1.html Heap-based buffer overflow in OpenOffice.org (OOo) before 3.1.1 and StarOffice/StarSuite 7, 8, and 9 might allow remote attackers to execute arbitrary code via unspecified records in a crafted Word document, related to "table parsing." ADV-2009-2490 1022798 36200 20090901 Secunia Research: OpenOffice.org Word Document Table Parsing Buffer Overflow MDVSA-2010:105 MDVSA-2010:091 MDVSA-2010:035 DSA-1880 1020715 263508 http://secunia.com/secunia_research/2009-27/ 36750 35036 oval:org.mitre.oval:def:10726 SUSE-SR:2009:015 http://development.openoffice.org/releases/3.1.1.html Array index error in FL21WIN.DLL in the PowerPoint Freelance Windows 2.1 Translator in Microsoft PowerPoint 2000 and 2002 allows remote attackers to execute arbitrary code via a Freelance file with unspecified "layout information" that triggers a heap-based buffer overflow. ms-powerpoint-freelance-bo(51034) 35275 20090610 Secunia Research: Microsoft PowerPoint Freelance Layout Parsing Vulnerability 54961 1022369 http://secunia.com/secunia_research/2009-29/ 35184 Cross-site scripting (XSS) vulnerability in HP Select Access 6.1 and 6.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. HPSBMA02403 selectaccess-unspecified-xss(48334) ADV-2009-0296 33505 1021641 33713 HPSBMA02403 Unspecified vulnerability in NFS in HP ONCplus B.11.31.05 and earlier for HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors. SSRT080182 hpux-nfs-dos(48556) ADV-2009-0350 33653 33860 Unspecified vulnerability in HP-UX B.11.11 running VERITAS Oracle Disk Manager (VRTSodm) 3.5, B.11.23 running VRTSodm 4.1 or VERITAS File System (VRTSvxfs) 4.1, B.11.23 running VRTSodm 5.0 or VRTSvxfs 5.0, and B.11.31 running VRTSodm 5.0 allows local users to gain root privileges via unknown vectors. 34226 SSRT080171 SSRT080171 hpux-veritas-unspecified-priv-escalation(49403) ADV-2009-0823 1021891 34419 oval:org.mitre.oval:def:6352 Unspecified vulnerability in HP Virtual Rooms Client before 7.0.1, when running on Windows, allows remote attackers to execute arbitrary code via unknown vectors. HPSBGN02410 HPSBGN02410 PI Server in OSIsoft PI System before 3.4.380.x does not properly use encryption in the default authentication process, which allows remote attackers to read or modify information in databases via unspecified vectors. 20090930 C4 SCADA Security Advisory - OSISoft PI Server Authentication Weakness Buffer overflow in the MLF application in AREVA e-terrahabitat 5.7 and earlier allows remote attackers to execute arbitrary commands or cause a denial of service (system crash) via unspecified vectors, aka PD28578. Per http://www.kb.cert.org/vuls/id/337569 "III. Solution Apply Patch Users of e-terrahabitat version 5.5, 5.6, and 5.7 should apply the e-terrahabitat_560_P20081030_SEC patch immediately." VU#337569 33637 20090205 C4 SCADA Security Advisory - AREVA e-terrahabitat / e-terraplatform Multiple Vulnerabilities http://www.scada-security.com/vulnerabilities/areva1.html 33837 Unspecified vulnerability in the WebFGServer application in AREVA e-terrahabitat 5.7 and earlier allows remote attackers to cause a denial of service (system crash) via unknown vectors, aka PD32018. VU#337569 33637 20090205 C4 SCADA Security Advisory - AREVA e-terrahabitat / e-terraplatform Multiple Vulnerabilities http://www.scada-security.com/vulnerabilities/areva1.html 33837 Unspecified vulnerability in the WebFGServer application in AREVA e-terrahabitat 5.7 and earlier allows remote attackers to cause a denial of service (system crash) via unknown vectors, aka PD32020. Per http://www.kb.cert.org/vuls/id/337569 "III. Solution Apply Patch Users of e-terrahabitat version 5.5, 5.6, and 5.7 should apply the e-terrahabitat_560_P20081030_SEC patch immediately." VU#337569 33637 20090205 C4 SCADA Security Advisory - AREVA e-terrahabitat / e-terraplatform Multiple Vulnerabilities http://www.scada-security.com/vulnerabilities/areva1.html 33837 Unspecified vulnerability in the NETIO application in AREVA e-terrahabitat 5.7 and earlier allows remote attackers to cause a denial of service (system crash) via unknown vectors, aka PD32021. Per http://www.kb.cert.org/vuls/id/337569 "III. Solution Apply Patch Users of e-terrahabitat version 5.5, 5.6, and 5.7 should apply the e-terrahabitat_560_P20081030_SEC patch immediately." VU#337569 33637 20090205 C4 SCADA Security Advisory - AREVA e-terrahabitat / e-terraplatform Multiple Vulnerabilities http://www.scada-security.com/vulnerabilities/areva1.html 33837 Unspecified vulnerability in the WebFGServer application in AREVA e-terrahabitat 5.7 and earlier allows remote authenticated users to gain privileges via unknown vectors, aka PD32022. Per http://www.kb.cert.org/vuls/id/337569 "III. Solution Apply Patch Users of e-terrahabitat version 5.5, 5.6, and 5.7 should apply the e-terrahabitat_560_P20081030_SEC patch immediately." VU#337569 33637 20090205 C4 SCADA Security Advisory - AREVA e-terrahabitat / e-terraplatform Multiple Vulnerabilities http://www.scada-security.com/vulnerabilities/areva1.html 33837 Stack-based buffer overflow in the GetXMLValue method in the IBM Access Support ActiveX control in IbmEgath.dll, as distributed on IBM and Lenovo computers, allows remote attackers to execute arbitrary code via unspecified vectors. VU#340420 ibm-access-activex-bo(49409) ADV-2009-0824 34228 34470 52958 GE Fanuc iFIX 5.0 and earlier relies on client-side authentication involving a weakly encrypted local password file, which allows remote attackers to bypass intended access restrictions and start privileged server login sessions by recovering a password or by using a modified program module. VU#310355 gefanucifix-multiple-unauth-access(48691) 33739 http://www.mcgrewsecurity.com/2009/02/10/ge-fanuc-releases-info-on-ifix-vulnerabilities-vu-310355/ http://support.gefanuc.com/support/index?page=kbchannel&id=S:KB13253&actp=search The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. TA10-159B TA09-294A VU#466161 ADV-2009-1911 ADV-2009-1909 ADV-2009-1908 ADV-2009-1900 35671 http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925 PK80627 PK80596 FEDORA-2009-8473 FEDORA-2009-8456 FEDORA-2009-8337 FEDORA-2009-8329 RHSA-2009:1650 RHSA-2009:1649 RHSA-2009:1637 RHSA-2009:1636 RHSA-2009:1428 RHSA-2009:1201 RHSA-2009:1200 https://issues.apache.org/bugzilla/show_bug.cgi?id=47527 https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 https://bugzilla.redhat.com/show_bug.cgi?id=511915 http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html http://www.w3.org/2008/06/xmldsigcore-errata.html#e03 ADV-2010-0635 ADV-2010-0366 ADV-2009-3122 ADV-2009-2543 USN-826-1 USN-903-1 1022661 1022567 1022561 RHSA-2009:1694 http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html http://www.openoffice.org/security/cves/CVE-2009-0217.html http://www.mono-project.com/Vulnerabilities MS10-041 MDVSA-2009:209 http://www.kb.cert.org/vuls/id/WDON-7TY529 http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ DSA-1995 http://www.aleksey.com/xmlsec/ http://svn.apache.org/viewvc?revision=794013&view=revision 1020710 269208 263429 http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1 38921 38695 38568 38567 37841 37671 37300 36494 36180 36176 36162 35858 35855 35854 35853 35852 35776 oval:org.mitre.oval:def:8717 oval:org.mitre.oval:def:7158 oval:org.mitre.oval:def:10186 55907 55895 HPSBUX02476 HPSBUX02476 SUSE-SA:2010:017 SUSE-SA:2009:053 APPLE-SA-2009-09-03-1 http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7 http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7 http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161 Insecure method vulnerability in Particle Software IntraLaunch Application Launcher ActiveX control in IntraLaunch.ocx, as used in LDRA TBbrowse and possibly other products, allows remote attackers to execute arbitrary code via unknown vectors. http://www.kb.cert.org/vuls/id/WDON-7Q4RZN http://www.kb.cert.org/vuls/id/MAPG-7PYRP4 VU#908801 intralaunch-activex-code-execution(49684) 34395 The PDF distiller in the Attachment Service in Research in Motion (RIM) BlackBerry Enterprise Server (BES) 4.1.3 through 4.1.6, BlackBerry Professional Software 4.1.4, and BlackBerry Unite! before 1.0.3 bundle 28 performs delete operations on uninitialized pointers, which allows user-assisted remote attackers to execute arbitrary code via a crafted data stream in a .pdf file. 1021559 33250 http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119 http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118 33534 20090113 RIM BlackBerry Enterprise Server Attachment Service PDF Distiller Uninitialized Memory Vulnerability Multiple stack-based buffer overflows in the PowerPoint 4.0 importer (PP4X32.DLL) in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allow remote attackers to execute arbitrary code via crafted formatting data for paragraphs in a file that uses a PowerPoint 4.0 native file format, related to (1) an incorrect calculation from a record header, or (2) an interget that is used to specify the number of bytes to copy, aka "Legacy File Format Vulnerability." TA09-132A MS09-017 ADV-2009-1290 1022205 34833 32428 oval:org.mitre.oval:def:5610 54386 20090512 Microsoft PowerPoint PPT 4.0 Importer Multiple Stack Buffer Overflow Vulnerabilities Integer overflow in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a PowerPoint file containing a crafted record type for "collaboration information for different slides" that contains a field that specifies a large number of records, which triggers an under-allocated buffer and a heap-based buffer overflow, aka "Integer Overflow Vulnerability." TA09-132A MS09-017 ADV-2009-1290 1022205 34835 32428 oval:org.mitre.oval:def:6127 54394 20090512 Microsoft PowerPoint Integer Overflow Vulnerability Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 4.0 native file format, leading to a "pointer overwrite" and memory corruption, aka "Legacy File Format Vulnerability," a different vulnerability than CVE-2009-0223, CVE-2009-0226, CVE-2009-0227, and CVE-2009-1137. TA09-132A MS09-017 http://www.vupen.com/exploits/Microsoft_PowerPoint_Pointer_Overwrite_Code_Execution_Exploit_MS09_017_1290123.php http://www.vupen.com/exploits/Microsoft_PowerPoint_Memory_Corruption_Code_Execution_Exploit_MS09_017_1290124.php ADV-2009-1290 1022205 34831 32428 oval:org.mitre.oval:def:6143 54382 Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 4.0 native file format, leading to memory corruption, aka "Legacy File Format Vulnerability," a different vulnerability than CVE-2009-0222, CVE-2009-0226, CVE-2009-0227, and CVE-2009-1137. TA09-132A MS09-017 ADV-2009-1290 1022205 34834 32428 oval:org.mitre.oval:def:6269 Microsoft Office PowerPoint 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; PowerPoint Viewer 2003 and 2007 SP1 and SP2; PowerPoint in Microsoft Office 2004 for Mac and 2008 for Mac; Open XML File Format Converter for Mac; Microsoft Works 8.5 and 9.0; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 do not properly validate PowerPoint files, which allows remote attackers to execute arbitrary code via multiple crafted BuildList records that include ChartBuild containers, which triggers memory corruption, aka "Memory Corruption Vulnerability." TA09-132A MS09-017 ADV-2009-1290 1022205 34879 32428 oval:org.mitre.oval:def:6023 20090512 Microsoft PowerPoint Build List Memory Corruption Vulnerability Microsoft Office PowerPoint 2002 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 95 native file format, leading to improper "array indexing" and memory corruption, aka "PP7 Memory Corruption Vulnerability." TA09-132A MS09-017 http://www.vupen.com/exploits/Microsoft_PowerPoint_Array_Indexing_Code_Execution_Exploit_MS09_017_1290125.php ADV-2009-1290 1022205 34880 32428 oval:org.mitre.oval:def:5526 54388 Stack-based buffer overflow in the PowerPoint 4.2 conversion filter in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via a long string in sound data in a file that uses a PowerPoint 4.0 native file format, leading to memory corruption, aka "Legacy File Format Vulnerability," a different vulnerability than CVE-2009-0222, CVE-2009-0223, CVE-2009-0227, and CVE-2009-1137. TA09-132A MS09-017 ADV-2009-1290 1022205 34881 32428 oval:org.mitre.oval:def:6106 20090512 Microsoft PowerPoint 4.2 Conversion Filter Stack Overflow Stack-based buffer overflow in the PowerPoint 4.2 conversion filter (PP4X32.DLL) in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via a large number of structures in sound data in a file that uses a PowerPoint 4.0 native file format, leading to memory corruption, aka "Legacy File Format Vulnerability," a different vulnerability than CVE-2009-0222, CVE-2009-0223, CVE-2009-0226, and CVE-2009-1137. TA09-132A MS09-017 ADV-2009-1290 1022205 34882 32428 oval:org.mitre.oval:def:6239 54384 20090512 Microsoft PowerPoint 4.2 Conversion Filter Stack Buffer Overflow Vulnerability Stack-based buffer overflow in the EnumeratePrintShares function in Windows Print Spooler Service (win32spl.dll) in Microsoft Windows 2000 SP4 allows remote printer servers to execute arbitrary code via a a crafted ShareName in a response to an RPC request, related to "printing data structures," aka "Buffer Overflow in Print Spooler Vulnerability." TA09-160A MS09-022 ADV-2009-1541 1022352 35206 http://support.avaya.com/elmodocs2/security/ASA-2009-217.htm 35365 oval:org.mitre.oval:def:6317 54932 20090609 Microsoft Windows 2000 Print Spooler Remote Stack Buffer Overflow Vulnerability The Windows Printing Service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 SP2 allows local users to read arbitrary files via a crafted separator page, aka "Print Spooler Read File Vulnerability." TA09-160A MS09-022 ADV-2009-1541 1022352 35208 http://support.avaya.com/elmodocs2/security/ASA-2009-217.htm 35365 oval:org.mitre.oval:def:5815 54933 The Windows Print Spooler in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 SP2 allows remote authenticated users to gain privileges via a crafted RPC message that triggers loading of a DLL file from an arbitrary directory, aka "Print Spooler Load Library Vulnerability." TA09-160A MS09-022 ADV-2009-1541 1022352 35209 http://support.avaya.com/elmodocs2/security/ASA-2009-217.htm 35365 oval:org.mitre.oval:def:6287 54934 The Embedded OpenType (EOT) Font Engine (T2EMBED.DLL) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted name table in a data record that triggers an integer truncation and a heap-based buffer overflow, aka "Embedded OpenType Font Heap Overflow Vulnerability." TA09-195A MS09-029 ADV-2009-1887 1022543 oval:org.mitre.oval:def:5457 55842 20090714 Microsoft Embedded OpenType Font Engine (T2EMBED.DLL) Heap Buffer Overflow Vulnerability Integer overflow in the Embedded OpenType (EOT) Font Engine in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted name table, aka "Embedded OpenType Font Integer Overflow Vulnerability." TA09-195A MS09-029 ADV-2009-1887 1022543 oval:org.mitre.oval:def:5678 The DNS Resolver Cache Service (aka DNSCache) in Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and SP2, and Server 2008, when dynamic updates are enabled, does not reuse cached DNS responses in all applicable situations, which makes it easier for remote attackers to predict transaction IDs and poison caches by simultaneously sending crafted DNS queries and responses, aka "DNS Server Query Validation Vulnerability." TA09-069A MS09-008 ADV-2009-0661 1021831 33982 http://support.avaya.com/elmodocs2/security/ASA-2009-083.htm 34217 oval:org.mitre.oval:def:6228 52517 http://blogs.technet.com/srd/archive/2009/03/13/ms09-008-dns-and-wins-server-security-update-in-more-detail.aspx The DNS Resolver Cache Service (aka DNSCache) in Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and SP2, and Server 2008 does not properly cache crafted DNS responses, which makes it easier for remote attackers to predict transaction IDs and poison caches by sending many crafted DNS queries that trigger "unnecessary lookups," aka "DNS Server Response Validation Vulnerability." TA09-069A VU#319331 MS09-008 ADV-2009-0661 1021831 33988 http://support.avaya.com/elmodocs2/security/ASA-2009-083.htm 34217 oval:org.mitre.oval:def:5715 52518 http://blogs.technet.com/srd/archive/2009/03/13/ms09-008-dns-and-wins-server-security-update-in-more-detail.aspx Stack-based buffer overflow in the Word 97 text converter in WordPad in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted Word 97 file that triggers memory corruption, related to use of inconsistent integer data sizes for an unspecified length field, aka "WordPad Word 97 Text Converter Stack Overflow Vulnerability." TA09-104A MS09-010 ADV-2009-1024 1022043 34470 oval:org.mitre.oval:def:5893 53664 20090414 Microsoft WordPad Word97 Converter Stack Buffer Overflow Vulnerability Cross-site scripting (XSS) vulnerability in cookieauth.dll in the HTML forms authentication component in Microsoft Forefront Threat Management Gateway, Medium Business Edition (TMG MBE); and Internet Security and Acceleration (ISA) Server 2006, 2006 Supportability Update, and 2006 SP1; allows remote attackers to inject arbitrary web script or HTML via "authentication input" to this component, aka "Cross-Site Scripting Vulnerability." TA09-104A MS09-016 ADV-2009-1030 1022046 34687 oval:org.mitre.oval:def:5771 53637 Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC. TA09-104A ms-excel-unspecified-code-execution(48875) ADV-2009-1023 http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-022310-4202-99 33870 MS09-009 http://www.microsoft.com/technet/security/advisory/968272.mspx 1021744 oval:org.mitre.oval:def:5968 http://isc.sans.org/diary.html?storyid=5923 http://blogs.zdnet.com/security/?p=2658 Cross-site scripting (XSS) vulnerability in Windows Search 4.0 for Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted file that appears in a preview in a search result, aka "Script Execution in Windows Search Vulnerability." TA09-160A MS09-023 ADV-2009-1542 1022353 35366 oval:org.mitre.oval:def:5428 54935 listing.php in WebSVN 2.0 and possibly 1.7 beta, when using an SVN authz file, allows remote authenticated users to read changelogs or diffs for restricted projects via a modified repname parameter. websvn-listing-information-disclosure(48171) [oss-security] 20090118 CVE request: WebSVN GLSA-200903-20 DSA-1725 34191 33945 32338 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512191 Stack-based buffer overflow in the process_path function in gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a denial of service (crash) via a request to the gmetad service with a long pathname. 33299 [Ganglia-developers] 20090113 patches for: [Sec] Gmetad server BoF and network overload + [Feature] multiple requests per conn on interactive port GLSA-200903-22 35416 34228 33506 SUSE-SR:2009:011 http://bugzilla.ganglia.info/cgi-bin/bugzilla/show_bug.cgi?id=223 ** REJECT ** gmetad in Ganglia 3.1.1, when supporting multiple requests per connection on an interactive port, allows remote attackers to cause a denial of service via a request to the gmetad service with a path does not exist, which causes Ganglia to (1) perform excessive CPU computation and (2) send the entire tree, which consumes network bandwidth. NOTE: the vendor and original researcher have disputed this issue, since legitimate requests can generate the same amount of resource consumption. CVE concurs with the dispute, so this identifier should not be used. Microsoft Windows does not properly enforce the Autorun and NoDriveTypeAutoRun registry values, which allows physically proximate attackers to execute arbitrary code by (1) inserting CD-ROM media, (2) inserting DVD media, (3) connecting a USB device, and (4) connecting a Firewire device; (5) allows user-assisted remote attackers to execute arbitrary code by mapping a network drive; and allows user-assisted attackers to execute arbitrary code by clicking on (6) an icon under My Computer\Devices with Removable Storage and (7) an option in an AutoPlay dialog, related to the Autorun.inf file. NOTE: vectors 1 and 3 on Vista are already covered by CVE-2008-0951. TA09-020A 1021629 http://isc.sans.org/diary.html?storyid=5695 Directory traversal vulnerability in the OBEX FTP Service in the Microsoft Bluetooth stack in Windows Mobile 6 Professional, and probably Windows Mobile 5.0 for Pocket PC and 5.0 for Pocket PC Phone Edition, allows remote authenticated users to list arbitrary directories, and create or read arbitrary files, via a .. (dot dot) in a pathname. NOTE: this can be leveraged for code execution by writing to a Startup folder. per: http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html "Non vulnerable products: Windows Mobile devices 5.0 and 6 not using Microsoft Bluetooth Stack (for example: ASUS P525, ASUS P535, ... using Widcomm/Broadcom Bluetooth Stack)" winmobile-obexftp-directory-traversal(48124) http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html 33359 20090119 Microsoft Bluetooth Stack OBEX Directory Traversal 4938 33598 Cross-site scripting (XSS) vulnerability in Usagi Project MyNETS 1.2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2008-4629. http://usagi-project.org/PRESS/archives/57 33145 33409 JVNDB-2009-000001 JVN#36802959 Stack-based buffer overflow in easyHDR PRO 1.60.2 allows user-assisted attackers to execute arbitrary code via an invalid Radiance RGBE (aka .hdr) file. easyhdrpro-hdr-bo(48119) ADV-2009-0190 33363 20090120 Secunia Research: EasyHDR Pro Radiance RGBE Buffer Overflow 4941 http://secunia.com/secunia_research/2008-61/ 33468 51609 http://easyhdr.com/version.php The server for 53KF Web IM 2009 Home, Professional, and Enterprise editions relies on client-side protection mechanisms against cross-site scripting (XSS), which allows remote attackers to conduct XSS attacks by using a modified client to send a crafted IM message, related to the msg variable. 53kfwebim-msg-xss(48096) 33341 20090119 53KF Web IM 2009 Cross-Site Scripting Vulnerabilities Cross-site scripting (XSS) vulnerability in rankup.asp in Katy Whitton RankEm allows remote attackers to inject arbitrary web script or HTML via the siteID parameter. rankem-siteid-xss(48072) rankem-rankup-xss(48071) 33324 7805 Katy Whitton RankEm stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing credentials via a direct request for database/topsites.mdb. rankem-topsites-information-disclosure(48070) 7805 Ryneezy phoSheezy 0.2 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the file containing the administrator's password hash via a direct request for config/password. phosheezy-configpassword-info-disclosure(48056) 7780 4935 33531 51411 Static code injection vulnerability in admin.php in Ryneezy phoSheezy 0.2 allows remote authenticated administrators to inject arbitrary PHP code into config/footer via the footer parameter. NOTE: this can be exploited by unauthenticated attackers by leveraging CVE-2009-0250. NOTE: some of these details are obtained from third party information. 7780 4935 33531 51412 Multiple SQL injection vulnerabilities in default.asp in Enthrallweb eReservations allow remote attackers to execute arbitrary SQL commands via the (1) Login parameter (aka username field) or the (2) Password parameter (aka password field). NOTE: some of these details are obtained from third party information. ereservations-login-sql-injection(48062) 33321 7801 33578 51456 Mozilla Firefox 3.0.5 allows remote attackers to trick a user into visiting an arbitrary URL via an onclick action that moves a crafted element to the current mouse position, related to a "Status Bar Obfuscation" and "Clickjacking" attack. firefox-onclickaction-click-hijacking(48212) 7842 4936 Stack-based buffer overflow in easyHDR PRO 1.60.2 allows user-assisted attackers to execute arbitrary code via an invalid Flexible Image Transport System (FITS) file. NOTE: some of these details are obtained from third party information. ADV-2009-0190 33363 33468 51608 http://easyhdr.com/version.php The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an insufficiently random seed, which makes it easier for attackers to crack the key. typo3-installtool-weak-security(48132) 33376 DSA-1711 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/ 33679 33617 Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication. typo3-library-session-hijacking(48133) 33376 DSA-1711 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/ 33679 33617 Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) content of indexed files to the (a) Indexed Search Engine (indexed_search) system extension; (b) unspecified test scripts in the ADOdb system extension; and (c) unspecified vectors in the Workspace module. typo3-adodb-xss(48137) typo3-workspace-xss(48136) typo3-indexedsearchengine-xss(48135) typo3-library-session-hijacking(48133) 33376 DSA-1711 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/ 33679 33617 The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer. typo3-indexedsearch-command-execution(48138) 33376 [oss-security] 20090123 Re: CVE id request: typo3 SA-2009-001 DSA-1711 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/ 33679 33617 The Word processor in OpenOffice.org 1.1.2 through 1.1.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf Word 97 file that triggers memory corruption, as exploited in the wild in December 2008, as demonstrated by 2008-crash.doc.rar, and a similar issue to CVE-2008-4841. openoffice-wordprocessor-code-execution(48213) 33383 [oss-security] 20090121 CVE Request -- openoffice.org (CVE-2008-4841) 6560 http://milw0rm.com/sploits/2008-crash.doc.rar Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py in MoinMoin before 1.8.1 allow remote attackers to inject arbitrary web script or HTML via an AttachFile action to the WikiSandBox component with (1) the rename parameter or (2) the drawing parameter (aka the basename variable). 33365 moinmoin-attachfilepy-xss(48126) ADV-2009-0195 USN-716-1 20090120 MoinMoin Wiki Engine XSS Vulnerability 33755 33716 33593 51485 http://moinmo.in/SecurityFixes#moin1.8.1 DSA-1715 http://hg.moinmo.in/moin/1.8/rev/8cb4d34ccbc1 Stack-based buffer overflow in EffectMatrix Total Video Player 1.31 allows user-assisted attackers to execute arbitrary code via a Skins\DefaultSkin\DefaultSkin.ini file with a large ColumnHeaderSpan value. totalvideoplayer-defaultskin-bo(48140) 33373 7839 Stack-based buffer overflow in Triologic Media Player 7 and 8.0.0.0 allows user-assisted remote attackers to execute arbitrary code via a long string in a .m3u playlist file. NOTE: some of these details are obtained from third party information. ADV-2009-0097 33221 33496 7737 Multiple buffer overflows in Winamp 5.541 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a large Common Chunk (COMM) header value in an AIFF file and (2) a large invalid value in an MP3 file. ADV-2009-0113 33226 33478 oval:org.mitre.oval:def:14756 7742 Buffer overflow in the Registry Setting Tool in Fujitsu SystemcastWizard Lite 2.0A, 2.0, 1.9, and earlier has unknown impact and attack vectors. http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html systemcast-registrytool-bo(48315) 33644 Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077 and CVE-2009-0025. https://www.isc.org/node/373 ADV-2009-0043 MDVSA-2009:037 SSA:2009-014-02 33559 http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/49ef622c8329fd33 Stack-based buffer overflow in Triologic Media Player 8.0.0.0 allows user-assisted remote attackers to execute arbitrary code via a long string in a .m3l playlist file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 33496 libike in Sun Solaris 9 and 10, and OpenSolaris before snv_100, does not properly check packets, which allows remote attackers to cause a denial of service (in.iked daemon crash) via an unspecified IKE packet, a different vulnerability than CVE-2007-2989. 33407 247406 http://sunsolve.sun.com/search/document.do?assetkey=1-21-113451-15-1 sun-solaris-libike-dos(48178) http://support.avaya.com/elmodocs2/security/ASA-2009-032.htm 33702 oval:org.mitre.oval:def:6116 Race condition in the pseudo-terminal (aka pty) driver module in Sun Solaris 8 through 10, and OpenSolaris before snv_103, allows local users to cause a denial of service (panic) via unspecified vectors related to lack of "properly sequenced code" in ptc and ptsl. 33406 249586 http://sunsolve.sun.com/search/document.do?assetkey=1-21-113685-07-1 solaris-pseudo-terminal-dos(48179) 1021640 http://support.avaya.com/elmodocs2/security/ASA-2009-034.htm 33708 oval:org.mitre.oval:def:6061 fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel before 2.6.28.1 allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index. 33412 [ecryptfs-devel] 20081222 Re: [PATCH, v5] eCryptfs: check readlink result was not an error before using it [ecryptfs-devel] 20081222 Re: [PATCH, v5] eCryptfs: check readlink result was not an error before using it linux-kernel-readlink-bo(48188) ADV-2009-3316 http://www.vmware.com/security/advisories/VMSA-2009-0016.html USN-751-1 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components RHSA-2009:0360 RHSA-2009:0326 MDVSA-2009:118 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.1 DSA-1787 DSA-1749 37471 35394 35390 34981 34502 34394 33758 oval:org.mitre.oval:def:8944 oval:org.mitre.oval:def:8169 SUSE-SA:2009:031 SUSE-SA:2009:030 SUSE-SA:2009:010 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.27.y.git;a=commit;h=a17d5232de7b53d34229de79ec22f4bb04adb7e4 Stack-based buffer overflow in PXEService.exe in Fujitsu SystemcastWizard Lite 2.0A, 2.0, 1.9, and earlier allows remote attackers to execute arbitrary code via a large PXE protocol request in a UDP packet. http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html http://www.wintercore.com/advisories/advisory_W010109.html ADV-2009-0176 33342 20090119 [Wintercore Research ] Fujitsu SystemcastWizard Lite PXEService Remote Buffer Overflow. 33594 51486 Directory traversal vulnerability in the TFTP service in Fujitsu SystemcastWizard Lite 2.0A, 2.0, 1.9, and earlier allows remote attackers to read arbitrary files via directory traversal sequences in unspecified vectors. 33344 http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html ADV-2009-0176 33594 51487 Cross-site request forgery (CSRF) vulnerability in Novell GroupWise WebAccess 6.5x, 7.0, 7.01, 7.02x, 7.03, 7.03HP1a, and 8.0 allows remote attackers to insert e-mail forwarding rules, and modify unspecified other configuration settings, as arbitrary users via unknown vectors. 20090130 PR08-21: Cross-site Request Forgery (CSRF) on Novell GroupWise WebAccess allows email theft and other attacks http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-21 http://www.novell.com/support/search.do?usemicrosite=true&searchString=7002319 33744 Multiple cross-site scripting (XSS) vulnerabilities in Novell GroupWise WebAccess 6.5x, 7.0, 7.01, 7.02x, 7.03, 7.03HP1a, and 8.0 allow remote attackers to inject arbitrary web script or HTML via the (1) User.id and (2) Library.queryText parameters to gw/webacc, and other vectors involving (3) HTML e-mail and (4) HTML attachments. 33541 33537 20090130 PR08-23: XSS on Novell GroupWise WebAccess 20090130 PR08-22: Persistent XSS on Novell GroupWise WebAccess http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-23 http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-22 http://www.novell.com/support/search.do?usemicrosite=true&searchString=7002321 http://www.novell.com/support/search.do?usemicrosite=true&searchString=7002320 33744 Unspecified vulnerability in WebAccess in Novell GroupWise 6.5, 7.0, 7.01, 7.02x, 7.03, 7.03HP1a, and 8.0 might allow remote attackers to obtain sensitive information via a crafted URL, related to conversion of POST requests to GET requests. 33559 http://www.novell.com/support/viewContent.do?externalId=7002322 33744 Static code injection vulnerability in admin.php in Ryneezy phoSheezy 0.2 allows remote authenticated administrators to inject arbitrary PHP code into config/header via the header parameter. NOTE: this can be exploited by unauthenticated attackers by leveraging CVE-2009-0250. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 51412 33531 Cross-domain vulnerability in the V8 JavaScript engine in Google Chrome before 1.0.154.46 allows remote attackers to bypass the Same Origin Policy via a crafted script that accesses another frame and reads its full URL and possibly other sensitive information, or modifies the URL of this frame. http://src.chromium.org/viewvc/chrome?view=rev&revision=8524 http://sites.google.com/a/chromium.org/dev/getting-involved/dev-channel/release-notes 33754 http://googlechromereleases.blogspot.com/2009/01/stable-beta-update-yahoo-mail-and.html http://codereview.chromium.org/18531 Unspecified vulnerability in the kernel in OpenSolaris snv_100 through snv_102 on the Sun UltraSPARC T2 and T2+ sun4v platforms allows local users to cause a denial of service (panic) via unknown vectors. 250066 solaris-ultrasparct2-dos(48164) ADV-2009-0209 33398 Sun Java System Application Server (AS) 8.1 and 8.2 allows remote attackers to read the Web Application configuration files in the (1) WEB-INF or (2) META-INF directory via a malformed request. 245446 http://sunsolve.sun.com/search/document.do?assetkey=1-21-119166-35-1 javasystem-webinf-metainf-info-disclosure(48161) ADV-2009-0208 33397 33725 51604 SQL injection vulnerability in comentar.php in Pardal CMS 0.2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. pardalcms-comentar-sql-injection(48175) 33404 7851 Asp Project Management 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the crypt cookie to 1. aspproject-cookie-security-bypass(48172) 33401 20090122 Asp-project Cookie Handling 7850 SQL injection vulnerability in login.aspx in WarHound Walking Club allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. walkingclub-login-sql-injection(48061) 33317 7802 Integer overflow in Ralink Technology USB wireless adapter (RT73) 3.08 for Windows, and other wireless card drivers including rt2400, rt2500, rt2570, and rt61, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Probe Request packet with a long SSID, possibly related to an integer signedness error. 33340 20090118 Ralinktech wireless cards drivers vulnerability DSA-1714 DSA-1713 DSA-1712 GLSA-200907-08 35743 33699 33592 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512995 Cross-site scripting (XSS) vulnerability in err.asp in Oblog allows remote attackers to inject arbitrary web script or HTML via the message parameter. 33416 20090124 Re: Oblog XSS valnerability 20090123 Oblog XSS valnerability SQL injection vulnerability in category.php in Flax Article Manager 1.1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. 33422 7862 http://www.flaxweb.com/products/articles 33625 Cross-site scripting (XSS) vulnerability in error.asp in BBSXP 5.13 and earlier allows remote attackers to inject arbitrary web script or HTML via the message parameter. bbsxp-error-xss(48187) 33411 20090123 BBSxp Xss vulnerability Directory traversal vulnerability in upgrade/index.php in OpenGoo 1.1, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the form_data[script_class] parameter. 33421 7863 51635 SQL injection vulnerability in lib/patUser.php in KEEP Toolkit before 2.5.1 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password. 33425 http://sourceforge.net/project/shownotes.php?release_id=655845&group_id=227492 33652 51623 http://keeptoolkit.svn.sourceforge.net/viewvc/keeptoolkit?view=rev&revision=56 Directory traversal vulnerability in k23productions TFTPUtil GUI 1.2.0 and 1.3.0 allows remote attackers to read arbitrary files outside the TFTP root directory via directory traversal sequences in a GET request. 33287 http://sourceforge.net/forum/forum.php?forum_id=894598 tftputil-tftpget-directory-traversal(48019) 20090115 TFTPUtil GUI TFTP Directory Traversal http://www.princeofnigeria.org/blogs/index.php/2009/01/14/tftputil-gui-tftp-directory-traversal 33561 k23productions TFTPUtil GUI 1.2.0 and 1.3.0 allows remote attackers to cause a denial of service (service crash) via a long filename in a crafted request. 33289 http://sourceforge.net/forum/forum.php?forum_id=894598 20090115 TFTPUtil GUI TFTP Server Denial of Service Vulnerability http://www.princeofnigeria.org/blogs/index.php/2009/01/14/tftputil-gui-tftp-server-denial-of-servi?blog=1 Directory traversal vulnerability in common.php in SIR GNUBoard 4.31.03 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the g4_path parameter. NOTE: in some environments, this can be leveraged for remote code execution via a data: URI or a UNC share pathname. gnuboard-common-file-include(48015) 33304 7792 33564 Directory traversal vulnerability in fc.php in OpenX 2.6.3 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the MAX_type parameter. 33458 20090127 OpenX 2.6.3 - Local File Inclusion 7883 SQL injection vulnerability in show_cat2.php in SHOP-INET 4 allows remote attackers to execute arbitrary SQL commands via the grid parameter. 7874 33660 51615 SQL injection vulnerability in profile_view.php in Wazzum Dating Software, possibly 2.0, allows remote attackers to execute arbitrary SQL commands via the userid parameter. 33461 7877 33654 51625 Multiple PHP remote file inclusion vulnerabilities in WB News 2.0.1, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the config[installdir] parameter to (1) search.php, (2) archive.php, (3) comments.php, and (4) news.php; (5) News.php, (6) SendFriend.php, (7) Archive.php, and (8) Comments.php in base/; and possibly other components, different vectors than CVE-2007-1288. 33434 20090125 WB News v2.0.X Remote File include .. 33691 SQL injection vulnerability in index.php in Information Technology Light Poll Information (ITLPoll) 2.7 Stable 2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter. 33452 7867 33666 51616 SQL injection vulnerability in shop_display_products.php in Script Toko Online 5.01 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. 7873 33661 51630 SQL injection vulnerability in login_check.asp in ClickAuction allows remote attackers to execute arbitrary SQL commands via the (1) txtEmail and (2) txtPassword parameters. NOTE: some of these details are obtained from third party information. 7880 33647 51626 Heap-based buffer overflow in MW6 Technologies Barcode ActiveX control (Barcode.MW6Barcode.1, Barcode.dll) 3.0.0.1 allows remote attackers to execute arbitrary code via a long Supplement property. 33451 7869 33663 SQL injection vulnerability in index.php in Groone GLinks 2.1 allows remote attackers to execute arbitrary SQL commands via the cat parameter. 33460 9236 7878 33649 51628 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-2636. Reason: This candidate is a duplicate of CVE-2006-2636. Notes: All CVE users should reference CVE-2006-2636 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple insecure method vulnerabilities in the FlexCell.Grid ActiveX control (FlexCell.ocx) in FlexCell Grid Control 5.6.9 allow remote attackers to create and overwrite arbitrary files via the (1) SaveFile and (2) ExportToXML methods. 33453 7868 33664 SQL injection vulnerability in the Downloads module for PHP-Nuke 8.0 8.1.0.3.5b and earlier allows remote authenticated users to execute arbitrary SQL commands via the url parameter in the Add operation to modules.php. phpnuke-uri-sql-injection(71475) downloads-module-sql-injection(48186) 50770 33410 20090123 PHP-Nuke 8.0 Downloads Blind Sql Injection 18148 77349 51633 http://1337day.com/exploits/15481 Cross-site scripting (XSS) vulnerability in Web Help Desk before 9.1.18 allows remote attackers to inject arbitrary web script or HTML via vectors related to "encoded JavaScript" and Helpdesk.woa. 33429 http://updates.webhelpdesk.com/weblog/updates/StableReleases/2009/01/23/911812309.html 33651 The kernel in Sun Solaris 10 and 11 snv_101b, and OpenSolaris before snv_108, allows remote attackers to cause a denial of service (system crash) via a crafted IPv6 packet, related to an "insufficient validation security vulnerability," as demonstrated by SunOSipv6.c. sun-solaris-ipv6packets-dos(48208) ADV-2009-0232 33435 7865 251006 1021635 33605 20090126 Solaris Devs Are Smoking Pot Multiple stack-based buffer overflows in the Research in Motion RIM AxLoader ActiveX control in AxLoader.ocx and AxLoader.dll in BlackBerry Application Web Loader 1.0 allow remote attackers to execute arbitrary code via unspecified use of the (1) load or (2) loadJad method. VU#131100 http://blackberry.com/btsc/KB16248 33663 http://www.microsoft.com/technet/security/advisory/960715.mspx 33847 51833 Buffer overflow in the IBM Lotus Notes Intellisync ActiveX control in lnresobject.dll in BlackBerry Desktop Manager in Research In Motion (RIM) BlackBerry Desktop Software before 5.0.1 allows remote attackers to execute arbitrary code via a crafted web page. NOTE: some of these details are obtained from third party information. ADV-2009-3133 http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB19701 36903 Cross-site scripting (XSS) vulnerability in the "Customize Statistics Page" (admin/statistics/ConfigureStatistics) in the MDS Connection Service in Research in Motion (RIM) BlackBerry Enterprise Server (BES) before 4.1.6 MR5 allows remote attackers to inject arbitrary web script or HTML via the (1) customDate, (2) interval, (3) lastCustomInterval, (4) lastIntervalLength, (5) nextCustomInterval, (6) nextIntervalLength, (7) action, (8) delIntervalIndex, (9) addStatIndex, (10) delStatIndex, and (11) referenceTime parameters. ADV-2009-1090 1022081 34573 http://www.blackberry.com/btsc/dynamickc.do?externalId=KB17969&sliceID=1&command=show&forward=nonthreadedKC&kcId=KB17969 34740 53772 20090417 ERNW Security Advisory 01-2009: XSS in Blackberries Mobile Data Service Connection Service Buffer overflow in SUSE blinux (aka sbl) in SUSE openSUSE 10.3 through 11.0 has unknown impact and attack vectors related to "incoming data and authentication-strings." Following information confirms LOCAL Access Vector reported in Hyperlink Record 1058524: http://xforce.iss.net/xforce/xfdb/48797 The SUSE blinux (sbl) package is vulnerable to a buffer overflow. By sending a specially-crafted request, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. suse-blinux-bo(48797) 33794 SUSE-SR:2009:004 The Backbone service (ftbackbone.exe) in EMC AutoStart before 5.3 SP2 allows remote attackers to execute arbitrary code via a packet with a crafted value that is dereferenced as a function pointer. http://zerodayinitiative.com/advisories/ZDI-09-009/ autostart-backbone-code-execution(48197) 1021636 33415 20090123 ZDI-09-009: EMC AutoStart Backbone Engine Trusted Pointer Code Execution Vulnerability 33667 51566 Cross-site scripting (XSS) vulnerability in the antispam feature (security/antispam.py) in MoinMoin 1.7 and 1.8.1 allows remote attackers to inject arbitrary web script or HTML via crafted, disallowed content. moinmoin-antispam-xss(48306) USN-716-1 [oss-security] 20090127 CVE Request: MoinMoin 33755 33716 51632 http://moinmo.in/SecurityFixes#moin1.8.1 DSA-1715 http://hg.moinmo.in/moin/1.8/rev/89b91bf87dad http://hg.moinmo.in/moin/1.7/rev/89b91bf87dad winetricks before 20081223 allows local users to overwrite arbitrary files via a symlink attack on the x_showmenu.txt temporary file. winetricks-xshowmenu-symlink(48320) 33474 51619 SUSE-SR:2009:004 http://code.google.com/p/winezeug/source/detail?r=253 Untrusted search path vulnerability in the Python module in gedit allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983). FEDORA-2009-1189 https://bugzilla.redhat.com/show_bug.cgi?id=481556 gedit-pysyssetargv-privilege-escalation(48271) 33445 [oss-security] 20090126 CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) MDVSA-2009:039 GLSA-200903-41 34522 33769 33759 http://bugzilla.gnome.org/show_bug.cgi?id=569214 Untrusted search path vulnerability in the Python module in xchat allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983). https://bugzilla.redhat.com/show_bug.cgi?id=481560 33444 [oss-security] 20090126 CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) MDVSA-2009:059 Untrusted search path vulnerability in src/if_python.c in the Python interface in Vim before 7.2.045 allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983), as demonstrated by an erroneous search path for plugin/bike.vim in bicyclerepair. https://svn.pardus.org.tr/pardus/2008/applications/editors/vim/files/official/7.2.045 https://bugzilla.redhat.com/show_bug.cgi?id=481565 vim-pysyssetargv-privilege-escalation(48275) 33447 [oss-security] 20090126 CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) [debian-bugs-rc] 20080805 Bug#484305: bicyclerepair: bike.vim imports untrusted python files from cwd MDVSA-2009:047 http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493937 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484305 Untrusted search path vulnerability in the Python language bindings for Nautilus (nautilus-python) allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983). https://bugzilla.redhat.com/show_bug.cgi?id=481570 33442 [oss-security] 20090126 CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) Untrusted search path vulnerability in the GObject Python interpreter wrapper in Gnumeric allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983). FEDORA-2009-1295 https://bugzilla.redhat.com/show_bug.cgi?id=481572 33438 [oss-security] 20090126 CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) MDVSA-2009:043 GLSA-200904-03 33823 33707 http://bugzilla.gnome.org/show_bug.cgi?id=569648 Unspecified vulnerability in the autofs module in the kernel in Sun Solaris 8 through 10, and OpenSolaris before snv_108, allows local users to cause a denial of service (autofs mount outage) or possibly gain privileges via vectors related to "xdr processing problems." 249966 http://sunsolve.sun.com/search/document.do?assetkey=1-21-128624-09-1 solaris-autofs-code-execution(48234) ADV-2009-0363 ADV-2009-0256 1021644 33459 http://support.avaya.com/elmodocs2/security/ASA-2009-041.htm 33665 oval:org.mitre.oval:def:5977 Microsoft Windows XP, Server 2003 and 2008, and Vista exposes I/O activity measurements of all processes, which allows local users to obtain sensitive information, as demonstrated by reading the I/O Other Bytes column in Task Manager (aka taskmgr.exe) to estimate the number of characters that a different user entered at a runas.exe password prompt, related to a "benchmarking attack." 33440 20090124 Benchmarking attacks and major security weakness on all recent Windows versions up to Windows 200 Apple Safari 3.2.1 (aka AppVer 3.525.27.1) on Windows allows remote attackers to cause a denial of service (infinite loop or access violation) via a link to an http URI in which the authority (aka hostname) portion is either a (1) . (dot) or (2) .. (dot dot) sequence. safari-httpuri-dos(48284) 33481 oval:org.mitre.oval:def:6091 http://lostmon.blogspot.com/2009/01/safari-for-windows-321-remote-http-uri.html drivers/firmware/dell_rbu.c in the Linux kernel before 2.6.27.13, and 2.6.28.x before 2.6.28.2, allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/. 33428 ADV-2009-3316 http://www.vmware.com/security/advisories/VMSA-2009-0016.html USN-751-1 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components RHSA-2009:0360 RHSA-2009:0331 RHSA-2009:0326 DSA-1794 DSA-1787 DSA-1749 http://support.avaya.com/elmodocs2/security/ASA-2009-114.htm 37471 35394 35390 35011 34981 34762 34680 34502 34394 34252 33758 33656 oval:org.mitre.oval:def:7734 oval:org.mitre.oval:def:10163 SUSE-SA:2009:031 SUSE-SA:2009:030 SUSE-SA:2009:010 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.2 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.13 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.27.y.git;a=commit;h=81156928f8fe31621e467490b9d441c0285998c3 Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0 and 11.0 allow remote attackers to execute arbitrary code via (1) a long type parameter in an input tag, which is not properly handled by the EndOfXmlAttributeValue function; (2) an "HTML GI" in a start tag, which is not properly handled by the ProcessStartGI function; and unspecified vectors in (3) html2thot.c and (4) xml2thot.c, related to the msgBuffer variable. NOTE: these are different vectors than CVE-2008-6005. amaya-html-tags-bo(48325) 20090128 CORE-2008-1211: Amaya web editor XML and HTML parser vulnerabilities 7902 http://www.coresecurity.com/content/amaya-buffer-overflows Multiple SQL injection vulnerabilities in BibCiter 1.4 allow remote attackers to execute arbitrary SQL commands via the (1) idp parameter to reports/projects.php, the (2) idc parameter to reports/contacts.php, and the (3) idu parameter to reports/users.php. bibciter-projects-sql-injection(48080) 33329 7814 33555 http://bibciter.sourceforge.net/?p=35 Directory traversal vulnerability in entries/index.php in Ninja Blog 4.8, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the cat parameter. https://www.push55.co.uk/poclibrary/ninjadesignscouk-1.txt 33351 http://www.push55.co.uk/index.php?s=ad&id=6 7831 33573 SQL injection vulnerability in login.php in Dark Age CMS 0.2c beta allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. darkagecms-login-sql-injection(48095) 33271 SQL injection vulnerability in readbible.php in Free Bible Search PHP Script 1.0 allows remote attackers to execute arbitrary SQL commands via the version parameter. http://www.seraphimtech.net/repository/Changes.txt 33301 7798 33595 http://freshmeat.net/projects/freebiblesearch/?branch_id=77256&release_id=292446 ROBS-PROJECTS Digital Sales IPN (aka DS-IPN.NET or DS-IPN Paypal Shop) stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing user credentials via a direct request for Database/Sales.mdb. digitalsales-sales-information-disclosure(48082) 7816 33602 SQL injection vulnerability in the PcCookBook (com_pccookbook) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the recipe_id parameter in a viewrecipe action to index.php, a different vector than CVE-2008-0844. pccookbook-recipeid-sql-injection(48088) 33346 7824 Directory traversal vulnerability in index.php in Simple Content Management System (SCMS) 1 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the p parameter. scms-index-file-include(48081) 33330 7818 33608 Directory traversal vulnerability in gallery/comment.php in Enhanced Simple PHP Gallery (ESPG) 1.72 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. NOTE: the vulnerability may be in my little homepage Comment script. If so, then this should not be treated as a vulnerability in ESPG. espg-comment-directory-traversal(48087) 33335 7819 Multiple SQL injection vulnerabilities in AV Book Library before 1.1 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) admin/edit.php, (2) admin/add.php, (3) lib/book_search.php, and possibly other components. avbook-edit-sql-injection(48084) http://sourceforge.net/tracker/index.php?func=detail&aid=2219743&group_id=209711&atid=1010816 http://sourceforge.net/project/shownotes.php?release_id=654214 33583 SQL injection vulnerability in the WebAmoeba (WA) Ticket System (com_waticketsystem) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a category action to index.php. 33353 33577 7833 SQL injection vulnerability in index.asp in Katy Whitton BlogIt! allows remote attackers to execute arbitrary SQL commands via the day parameter in an archive action. blogit-index-sql-injection(48074) 33325 7806 33572 Cross-site scripting (XSS) vulnerability in index.asp in Katy Whitton BlogIt! allows remote attackers to inject arbitrary web script or HTML via the view parameter. blogit-index-xss(48073) 33325 7806 33572 Katy Whitton BlogIt! stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing user credentials via a direct request for database/Blog.mdb. NOTE: some of these details are obtained from third party information. blogit-blog-information-disclosure(48075) 7806 SQL injection vulnerability in index.asp in Katy Whitton BlogIt! allows remote attackers to execute arbitrary SQL commands via the (1) month and (2) year parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 7806 33572 Cross-site scripting (XSS) vulnerability in inc_webblogmanager.asp in DMXReady Blog Manager allows remote attackers to inject arbitrary web script or HTML via the CategoryID parameter in a refer action. blogmanager-incwebblogmanager-xss(48053) 33314 20090116 DMXReady Blog Manager (SQL/XSS) 33601 http://dmxready.helpserve.com/index.php?_m=news&_a=viewnews&newsid=12 SQL injection vulnerability in inc_webblogmanager.asp in DMXReady Blog Manager allows remote attackers to execute arbitrary SQL commands via the itemID parameter in a view action. blogmanager-incwebblogmanager-sql-injection(48054) 33314 20090116 DMXReady Blog Manager (SQL/XSS) 33601 http://dmxready.helpserve.com/index.php?_m=news&_a=viewnews&newsid=12 Multiple directory traversal vulnerabilities in Simple PHP Newsletter 1.5 allow remote attackers to read arbitrary files via a .. (dot dot) in the olang parameter to (1) mail.php and (2) mailbar.php. simplephpnewsletter-mail-file-include(48089) 33327 7813 The shell32 module in Microsoft Internet Explorer 7.0 on Windows XP SP3 might allow remote attackers to execute arbitrary code via a long VALUE attribute in an INPUT element, possibly related to a stack consumption vulnerability. 33494 20090128 Internet explorer 7.0 stack overflow Niels Provos Systrace before 1.6f on the x86_64 Linux platform allows local users to bypass intended access restrictions by making a 64-bit syscall with a syscall number that corresponds to a policy-compliant 32-bit syscall. 33417 20090123 Problems with syscall filtering technologies on Linux http://www.citi.umich.edu/u/provos/systrace/ http://scarybeastsecurity.blogspot.com/2009/01/bypassing-syscall-filtering.html http://scary.beasts.org/security/CESA-2009-001.html Niels Provos Systrace 1.6f and earlier on the x86_64 Linux platform allows local users to bypass intended access restrictions by making a 32-bit syscall with a syscall number that corresponds to a policy-compliant 64-bit syscall, related to race conditions that occur in monitoring 64-bit processes. 33417 20090123 Problems with syscall filtering technologies on Linux http://www.citi.umich.edu/u/provos/systrace/ http://scarybeastsecurity.blogspot.com/2009/01/bypassing-syscall-filtering.html http://scary.beasts.org/security/CESA-2009-001.html Unspecified vulnerability in the Embedded Lights Out Manager (ELOM) on the Sun Fire X2100 M2 and X2200 M2 x86 platforms before SP/BMC firmware 3.20 allows remote attackers to obtain privileged ELOM login access or execute arbitrary Service Processor (SP) commands via unknown vectors, aka Bug ID 6633175, a different vulnerability than CVE-2007-5717. 239886 sunfire-elom-unauth-access(48329) ADV-2009-0281 1021646 33506 33726 Unspecified vulnerability in the Embedded Lights Out Manager (ELOM) on the Sun Fire X2100 M2 and X2200 M2 x86 platforms before SP/BMC firmware 3.20 allows remote attackers to obtain privileged ELOM login access or execute arbitrary Service Processor (SP) commands via unknown vectors, aka Bug ID 6648082, a different vulnerability than CVE-2007-5717. 239886 sunfire-elom-unauth-access(48329) ADV-2009-0281 1021646 33506 33726 The IP-in-IP packet processing implementation in the IPsec and IP stacks in the kernel in Sun Solaris 9 and 10, and OpenSolaris snv_01 though snv_85, allows local users to cause a denial of service (panic) via a self-encapsulated packet that lacks IPsec protection. 240086 http://sunsolve.sun.com/search/document.do?assetkey=1-21-114344-38-1 solaris-ipinip-dos(48328) ADV-2009-0365 33504 http://support.avaya.com/elmodocs2/security/ASA-2009-043.htm 33727 oval:org.mitre.oval:def:6088 Open redirect vulnerability in cs.html in the Autonomy (formerly Verity) Ultraseek search engine allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter. VU#202753 ultraseek-cs-phishing(48336) http://www.ultraseek.com/forums/thread.jspa?messageID=9818 33500 http://sunbeltblog.blogspot.com/2009/01/constant-stream-of-ultraseek-redirects.html The login module in Sun Java System Access Manager 6 2005Q1 (aka 6.3), 7 2005Q4 (aka 7.0), and 7.1 responds differently to a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. 242026 http://sunsolve.sun.com/search/document.do?assetkey=1-21-119465-15-1 sun-jsam-username-info-disclosure(48283) ADV-2009-0269 33489 33688 Stack-based buffer overflow in FTPShell Server 4.3 allows user-assisted remote attackers to cause a denial of service (persistent daemon crash) and possibly execute arbitrary code via a long string in a licensing key (aka .key) file. 7852 33597 51510 Stack-based buffer overflow in Merak Media Player 3.2 allows remote attackers to execute arbitrary code via a long string in a .m3u playlist file, related to the status bar icon's tooltip. NOTE: some of these details are obtained from third party information. 7857 33645 51565 Stack-based buffer overflow in WFTPSRV.exe in WinFTP 2.3.0 allows remote authenticated users to execute arbitrary code via a long LIST argument beginning with an * (asterisk) character. winftp-list-bo(48263) ADV-2009-0254 33454 7875 Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the layout engine and destruction of arbitrary layout objects by the nsViewManager::Composite function. FEDORA-2009-3101 FEDORA-2009-2884 FEDORA-2009-2882 FEDORA-2009-1399 https://bugzilla.mozilla.org/show_bug.cgi?id=461027 https://bugzilla.mozilla.org/show_bug.cgi?id=449006 https://bugzilla.mozilla.org/show_bug.cgi?id=437142 https://bugzilla.mozilla.org/show_bug.cgi?id=431705 https://bugzilla.mozilla.org/show_bug.cgi?id=422301 https://bugzilla.mozilla.org/show_bug.cgi?id=422283 https://bugzilla.mozilla.org/show_bug.cgi?id=421839 https://bugzilla.mozilla.org/show_bug.cgi?id=420697 https://bugzilla.mozilla.org/show_bug.cgi?id=416461 https://bugzilla.mozilla.org/show_bug.cgi?id=401042 https://bugzilla.mozilla.org/show_bug.cgi?id=331088 ADV-2009-0313 USN-741-1 USN-717-1 1021663 33598 RHSA-2009:0258 RHSA-2009:0257 http://www.mozilla.org/security/announce/2009/mfsa2009-01.html MDVSA-2009:083 MDVSA-2009:044 DSA-1830 http://support.avaya.com/elmodocs2/security/ASA-2009-040.htm SSA:2009-083-03 SSA:2009-083-02 34527 34464 34462 34417 34387 34324 33869 33846 33841 33831 33816 33809 33808 33802 33799 RHSA-2009:0256 oval:org.mitre.oval:def:10699 SUSE-SA:2009:023 SUSE-SA:2009:009 Unspecified vulnerability in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the JavaScript engine. FEDORA-2009-3101 FEDORA-2009-2884 FEDORA-2009-2882 FEDORA-2009-1399 https://bugzilla.mozilla.org/show_bug.cgi?id=452913 ADV-2009-0313 USN-717-1 1021663 33598 RHSA-2009:0258 RHSA-2009:0257 http://www.mozilla.org/security/announce/2009/mfsa2009-01.html MDVSA-2009:083 MDVSA-2009:044 DSA-1830 http://support.avaya.com/elmodocs2/security/ASA-2009-040.htm SSA:2009-083-03 SSA:2009-083-02 34527 34464 34462 34417 34324 33869 33846 33841 33831 33816 33809 33808 33802 33799 RHSA-2009:0256 oval:org.mitre.oval:def:11193 SUSE-SA:2009:023 SUSE-SA:2009:009 Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval function. FEDORA-2009-1399 https://bugzilla.mozilla.org/show_bug.cgi?id=468581 ADV-2009-0313 USN-717-1 1021664 33598 http://www.mozilla.org/security/announce/2009/mfsa2009-02.html MDVSA-2009:044 http://support.avaya.com/elmodocs2/security/ASA-2009-040.htm 33869 33846 33841 33831 33809 33799 RHSA-2009:0256 oval:org.mitre.oval:def:9796 SUSE-SA:2009:009 components/sessionstore/src/nsSessionStore.js in Mozilla Firefox before 3.0.6 does not block changes of INPUT elements to type="file" during tab restoration, which allows user-assisted remote attackers to read arbitrary files on a client machine via a crafted INPUT element. 33598 FEDORA-2009-2884 FEDORA-2009-2882 FEDORA-2009-1399 https://bugzilla.mozilla.org/show_bug.cgi?id=466937 ADV-2009-0313 USN-717-2 USN-717-1 1021665 RHSA-2009:0258 RHSA-2009:0257 http://www.mozilla.org/security/announce/2009/mfsa2009-03.html MDVSA-2009:044 http://support.avaya.com/elmodocs2/security/ASA-2009-040.htm 34417 34324 33869 33846 33841 33831 33816 33809 33808 33799 RHSA-2009:0256 oval:org.mitre.oval:def:9161 SUSE-SA:2009:009 Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582. FEDORA-2009-1399 https://bugzilla.mozilla.org/show_bug.cgi?id=460425 ADV-2009-0313 1021666 33598 http://www.mozilla.org/security/announce/2009/mfsa2009-04.html MDVSA-2009:044 http://support.avaya.com/elmodocs2/security/ASA-2009-040.htm 33846 33841 33831 33809 33799 RHSA-2009:0256 oval:org.mitre.oval:def:9922 SUSE-SA:2009:009 Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. FEDORA-2009-3101 FEDORA-2009-1399 https://bugzilla.mozilla.org/show_bug.cgi?id=380418 ADV-2009-0313 USN-717-2 USN-717-1 1021668 33598 RHSA-2009:0257 http://www.mozilla.org/security/announce/2009/mfsa2009-05.html MDVSA-2009:044 http://support.avaya.com/elmodocs2/security/ASA-2009-040.htm SSA:2009-083-02 34527 34462 33869 33846 33841 33831 33816 33809 33808 33799 RHSA-2009:0256 oval:org.mitre.oval:def:9459 SUSE-SA:2009:009 http://ha.ckers.org/blog/20070511/bluehat-errata/ Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim's browser, as demonstrated by reading the response page of an https POST request. FEDORA-2009-1399 https://bugzilla.mozilla.org/show_bug.cgi?id=441751 ADV-2009-0313 USN-717-1 1021667 33598 http://www.mozilla.org/security/announce/2009/mfsa2009-06.html MDVSA-2009:044 http://support.avaya.com/elmodocs2/security/ASA-2009-040.htm 33869 33846 33841 33831 33809 33799 RHSA-2009:0256 oval:org.mitre.oval:def:10610 SUSE-SA:2009:009 http://blogs.imeta.co.uk/JDeabill/archive/2008/07/14/303.aspx Multiple cross-site scripting (XSS) vulnerabilities in Samizdat before 0.6.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) message title or (2) user full name. 33768 http://www.nongnu.org/samizdat/release-notes/samizdat-0.6.2.html 20090213 Cross-site scripting in Samizdat 0.6.1 [debian-testing-security-announce] 20090211 Security update for Debian Testing - 2009-02-12 http://samizdat.nongnu.org/release-notes/samizdat-0.6.1-xss-escape-title.patch 52022 Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application. Per vendor advisory: http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html "This advisory is only for my pam-krb5 module, as distributed from my web site and packaged by Debian, Ubuntu, and Gentoo." ADV-2009-0979 ADV-2009-0426 ADV-2009-0410 USN-719-1 33740 20090211 pam-krb5 security advisory (3.12 and earlier) http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html DSA-1721 http://support.avaya.com/elmodocs2/security/ASA-2009-070.htm 252767 1021711 GLSA-200903-39 34449 34260 33917 33914 oval:org.mitre.oval:def:5732 oval:org.mitre.oval:def:5669 Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in Solaris 10, and other software, does not properly handle calls to pam_setcred when running setuid, which allows local users to overwrite and change the ownership of arbitrary files by setting the KRB5CCNAME environment variable, and then launching a setuid application that performs certain pam_setcred operations. ADV-2009-0979 ADV-2009-0426 ADV-2009-0410 USN-719-1 33741 20090211 pam-krb5 security advisory (3.12 and earlier) http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html DSA-1722 DSA-1721 http://support.avaya.com/elmodocs2/security/ASA-2009-070.htm 252767 1021711 GLSA-200903-39 34449 34260 33918 33917 33914 oval:org.mitre.oval:def:5521 oval:org.mitre.oval:def:5403 filter.d/wuftpd.conf in Fail2ban 0.8.3 uses an incorrect regular expression that allows remote attackers to cause a denial of service (forced authentication failures) via a crafted reverse-resolved DNS name (rhost) entry that contains a substring that is interpreted as an IP address, a different vulnerability than CVE-2007-4321. 33734 33890 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514163 Multiple buffer overflows in (a) BarnOwl before 1.0.5 and (b) owl 2.1.11 allow remote attackers to execute arbitrary code via vectors involving (1) a crafted zcrypt message, related to zcrypt.c; (2) a reply command on a message with a Zephyr Cc: list, related to zwrite.c; and unspecified other use of the products. https://bugs.launchpad.net/ubuntu/+source/owl/+bug/329165 barnowl-owl-zcrypt-bo(48824) [debian-testing-security-announce] 20090213 Security update for Debian Testing - 2009-02-14 http://bugs.debian.org/515118 http://barnowl.mit.edu/wiki/barnowl-1.0.5-announce http://barnowl.mit.edu/browser/ChangeLog Format string vulnerability in the mini_calendar component in Citadel.org WebCit 7.22, and other versions before 7.39, allows remote attackers to execute arbitrary code via unspecified vectors. 34206 DSA-1752 http://www.citadel.org/doku.php/news:webcit.security.advisory.-.2009-march-23 34457 52915 nm-applet.conf in GNOME NetworkManager before 0.7.0.99 contains an incorrect deny setting, which allows local users to discover (1) network connection passwords and (2) pre-shared keys via calls to the GetSecrets method in the dbus request handler. 33966 https://bugzilla.redhat.com/show_bug.cgi?id=487752 https://bugzilla.redhat.com/show_bug.cgi?id=487722 networkmanager-dbus-info-disclosure(49062) USN-727-2 USN-727-1 1021908 RHSA-2009:0362 RHSA-2009:0361 DSA-1955 http://svn.gnome.org/viewvc/network-manager-applet?view=revision&revision=1207 http://svn.gnome.org/viewvc/network-manager-applet/trunk/nm-applet.conf?r1=1133&r2=1207&pathrev=1207 1021911 1021910 34473 34177 34067 oval:org.mitre.oval:def:10828 SUSE-SR:2009:009 SUSE-SA:2009:013 The uncompress_buffer function in src/server/simple_wml.cpp in Wesnoth before r33069 allows remote attackers to cause a denial of service via a large compressed WML document. https://gna.org/bugs/index.php?13037 34085 DSA-1737 http://svn.gna.org/viewcvs/wesnoth/trunk/src/server/simple_wml.cpp?rev=33069&view=log http://svn.gna.org/viewcvs/wesnoth/trunk/src/server/simple_wml.cpp?rev=33069&r1=32990&r2=33069 34253 34236 http://packages.debian.org/changelogs/pool/main/w/wesnoth/wesnoth_1.5.12-1/changelog http://packages.debian.org/changelogs/pool/main/w/wesnoth/wesnoth_1.4.7-4/changelog 52672 http://launchpad.net/bugs/cve/2009-0366 http://launchpad.net/bugs/336396 http://launchpad.net/bugs/335089 The Python AI module in Wesnoth 1.4.x and 1.5 before 1.5.11 allows remote attackers to escape the sandbox and execute arbitrary code by using a whitelisted module that imports an unsafe module, then using a hierarchical module name to access the unsafe module through the whitelisted module. http://www.wesnoth.org/forum/viewtopic.php?t=24340 http://www.wesnoth.org/forum/viewtopic.php?t=24247 ADV-2009-0595 https://gna.org/bugs/index.php?13048 wesnoth-pythonai-code-execution(49058) DSA-1737 34236 34058 http://packages.debian.org/changelogs/pool/main/w/wesnoth/wesnoth_1.5.12-1/changelog http://packages.debian.org/changelogs/pool/main/w/wesnoth/wesnoth_1.4.7-4/changelog http://launchpad.net/bugs/cve/2009-0367 http://launchpad.net/bugs/336396 http://launchpad.net/bugs/335089 OpenSC before 0.11.7 allows physically proximate attackers to bypass intended PIN requirements and read private data objects via a (1) low level APDU command or (2) debugging tool, as demonstrated by reading the 4601 or 4701 file with the opensc-explorer or opensc-tool program. 33922 [oss-security] 20090226 OpenSC Security Advisory FEDORA-2009-2267 FEDORA-2009-2266 opensc-pkcs-unauth-access(48958) [opensc-announce] 20090226 OpenSC Security Advisory DSA-1734 GLSA-200908-01 36074 35065 34377 34362 34120 34052 SUSE-SR:2009:010 Microsoft Internet Explorer 7 allows remote attackers to trick a user into visiting an arbitrary URL via an onclick action that moves a crafted element to the current mouse position, related to a "Clickjacking" vulnerability. ie-onclickaction-click-hijacking(48542) 7912 Multiple unspecified vulnerabilities in IBM AIX 5.2.0 through 6.1.2 allow local users to append data to arbitrary files, related to (1) rmsock and (2) rmsock64 not creating "secure log files." 33522 IZ42788 IZ42787 IZ42786 IZ42785 IZ41599 IZ41510 IZ40386 IZ41593 oval:org.mitre.oval:def:6028 http://aix.software.ibm.com/aix/efixes/security/rmsock_advisory.asc Directory traversal vulnerability in post.php in SiteXS CMS 0.1.1 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the type parameter. sitexs-type-file-include(48236) ADV-2009-0247 33457 7879 Unrestricted file upload vulnerability in index.php in Miltenovik Manojlo MemHT Portal 4.0.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension and an image content type via a users editProfile action, then accessing this file via a direct request to the file in images/avatar/uploaded/. 33424 memht-avatar-file-upload(48199) 7859 33626 SQL injection vulnerability in the ElearningForce Flash Magazine Deluxe (com_flashmagazinedeluxe) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the mag_id parameter in a magazine action to index.php. flashmagazine-index-sql-injection(48226) ADV-2009-0249 33455 7881 33646 ** DISPUTED ** Google Chrome 1.0.154.43 allows remote attackers to trick a user into visiting an arbitrary URL via an onclick action that moves a crafted element to the current mouse position, related to a "Clickjacking" vulnerability. NOTE: a third party disputes the relevance of this issue, stating that "every sufficiently featured browser is and likely will remain susceptible to the behavior known as clickjacking," and adding that the exploit code "is not a valid demonstration of the issue." 20090128 Re: Advisory: Google Chrome 1.0.154.43 ClickJacking Vulnerability. 20090128 Advisory: Google Chrome 1.0.154.43 ClickJacking Vulnerability. http://www.secniche.org/gcr_clkj/ 7903 Buffer overflow in a DLL file in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to execute arbitrary code via a crafted Internet Video Recording (IVR) file with a filename length field containing a large integer, which triggers overwrite of an arbitrary memory location with a 0x00 byte value, related to use of RealPlayer through a Windows Explorer plugin. Per http://www.fortiguardcenter.com/advisory/FGA-2009-04.html: "It should be noted that the victim does not necessarily have to open the malicious file for exploitation to occur: the vulnerabilities lie in a DLL that is also used as a plugin for the Windows Explorer shell. A successful attack could take place by merely previewing the IVR file through Windows Explorer. " realplayer-ivr-bo(48567) ADV-2010-0178 33652 20090206 RealNetworks RealPlayer IVR File Processing Multiple Code Execute Vulnerabilities http://www.fortiguardcenter.com/advisory/FGA-2009-04.html http://service.real.com/realplayer/security/01192010_player/en/ 38218 33810 Heap-based buffer overflow in a DLL file in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to execute arbitrary code via a crafted Internet Video Recording (IVR) file with a modified field that controls an unspecified structure length and triggers heap corruption, related to use of RealPlayer through a Windows Explorer plugin. realplayer-ivr-code-execution(48568) http://www.zerodayinitiative.com/advisories/ZDI-10-009/ ADV-2010-0178 33652 20100121 ZDI-10-009: RealNetworks RealPlayer IVR Format Remote Code Execution Vulnerability 20090206 RealNetworks RealPlayer IVR File Processing Multiple Code Execute Vulnerabilities http://www.fortiguardcenter.com/advisory/FGA-2009-04.html http://service.real.com/realplayer/security/01192010_player/en/ 38218 33810 SQL injection vulnerability in the beamospetition (com_beamospetition) 1.0.12 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the mpid parameter in a sign action to index.php, a different vector than CVE-2008-3132. 33391 20090121 Joomla component beamospetition 1.0.12 Sql Injection 7847 Cross-site scripting (XSS) vulnerability in index.php in the beamospetition (com_beamospetition) 1.0.12 component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the pet parameter in a sign action. 33391 20090121 Joomla component beamospetition 1.0.12 Sql Injection 7847 SQL injection vulnerability in the Prince Clan Chess Club (com_pcchess) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the game_id parameter in a showgame action to index.php, a different vector than CVE-2008-0761. joomla-pcchess-gameid-sql-injection(48144) 33394 7846 ** DISPUTED ** SQL injection vulnerability in the Sigsiu Online Business Index 2 (SOBI2, com_sobi2) RC 2.8.2 component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the bid parameter in a showbiz action to index.php, a different vector than CVE-2008-0607. NOTE: CVE disputes this issue, since neither "showbiz" nor "bid" appears in the source code for SOBI2. sobi2-bid-sql-injection(48131) 33378 7841 20090130 SOBI2 showbiz SQL injection - false, or site-specific SQL injection vulnerability in the BazaarBuilder Ecommerce Shopping Cart (com_prod) 5.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter in a products action to index.php. bazaarbuilder-index-sql-injection(48141) 33380 7840 33612 Unspecified vulnerability in Internationalization (i18n) Translation 5.x before 5.x-2.5, a module for Drupal, allows remote attackers with "translate node" permissions to bypass intended access restrictions and read unpublished nodes via unspecified vectors. http://drupal.org/node/358958 33283 33549 delete.php in Max.Blog 1.0.6 does not properly restrict access, which allows remote attackers to delete arbitrary blog posts via a direct request. http://www.mzbservices.com/show_post.php?id=72 33590 maxblog-delete-security-bypass(48125) 33368 7835 51482 SQL injection vulnerability in autor.php in OwnRS CMS 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. 7849 Integer signedness error in the fourxm_read_header function in libavformat/4xm.c in FFmpeg before revision 16846 allows remote attackers to execute arbitrary code via a malformed 4X movie file with a large current_track value, which triggers a NULL pointer dereference. FEDORA-2009-3433 FEDORA-2009-3428 ffmpeg-fourxmreadheader-code-execution(48330) ADV-2009-0277 USN-734-1 http://www.trapkit.de/advisories/TKADV2009-004.txt 33502 20090128 [TKADV2009-004] FFmpeg Type Conversion Vulnerability MDVSA-2009:297 DSA-1782 DSA-1781 http://svn.mplayerhq.hu/ffmpeg?view=rev&revision=16846 http://svn.mplayerhq.hu/ffmpeg/trunk/libavformat/4xm.c?r1=16838&r2=16846&pathrev=16846 GLSA-200903-33 34905 34845 34712 34385 34296 33711 51643 http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff;h=72e715fb798f2cb79fd24a6d2eaeafb7c6eeda17 Heap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 might allow remote attackers to execute arbitrary code via crafted Composition Time To Sample (ctts) atom data in a malformed QuickTime media .mov file. 33405 http://gstreamer.freedesktop.org/releases/gst-plugins-good/0.10.12.html https://bugzilla.redhat.com/show_bug.cgi?id=481267 ADV-2009-0225 USN-736-1 20090122 [TKADV2009-003] GStreamer Heap Overflow and Array Index out of Bounds Vulnerabilities RHSA-2009:0271 [oss-security] 20090129 CVE Request -- (sort of urgent) gstreamer-plugins-good (repost) (more details about affected versions -- final version) MDVSA-2009:035 http://trapkit.de/advisories/TKADV2009-003.txt GLSA-200907-11 35777 34336 33815 33650 oval:org.mitre.oval:def:10306 SUSE-SR:2009:005 http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bdc20b9baf13564d9a061343416395f8f9a92b53 Array index error in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted Sync Sample (aka stss) atom data in a malformed QuickTime media .mov file, related to "mark keyframes." http://gstreamer.freedesktop.org/releases/gst-plugins-good/0.10.12.html https://bugzilla.redhat.com/show_bug.cgi?id=481267 ADV-2009-0225 USN-736-1 33405 20090122 [TKADV2009-003] GStreamer Heap Overflow and Array Index out of Bounds Vulnerabilities RHSA-2009:0271 [oss-security] 20090129 CVE Request -- (sort of urgent) gstreamer-plugins-good (repost) (more details about affected versions -- final version) MDVSA-2009:035 http://trapkit.de/advisories/TKADV2009-003.txt GLSA-200907-11 35777 34336 33815 33650 oval:org.mitre.oval:def:10611 SUSE-SR:2009:005 http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bdc20b9baf13564d9a061343416395f8f9a92b53 Multiple integer signedness errors in (1) UltraVNC 1.0.2 and 1.0.5 and (2) TightVnc 1.3.9 allow remote VNC servers to cause a denial of service (heap corruption and application crash) or possibly execute arbitrary code via a large length value in a message, related to the (a) ClientConnection::CheckBufferSize and (b) ClientConnection::CheckFileZipBufferSize functions in ClientConnection.cpp. 33568 ADV-2009-0322 ADV-2009-0321 20090203 CORE-2008-1009 - VNC Multiple Integer Overflows 8024 7990 http://www.coresecurity.com/content/vnc-integer-overflows http://vnc-tight.svn.sourceforge.net/viewvc/vnc-tight?view=rev&revision=3564 33807 http://forum.ultravnc.info/viewtopic.php?t=14654 Multiple insecure method vulnerabilities in the Web On Windows (WOW) ActiveX control in WOW ActiveX 2 allow remote attackers to (1) create and overwrite arbitrary files via the WriteIniFileString method, (2) execute arbitrary programs via the ShellExecute method, (3) read from the registry via unspecified vectors, and (4) write to the registry via unspecified vectors. NOTE: vectors 1 and 2 can be used together to execute arbitrary code.