Integer underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms, as used in ncompress and probably others, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error. RHSA-2010:0095 https://bugzilla.redhat.com/show_bug.cgi?id=554418 ADV-2010-1872 ADV-2010-1796 ADV-2010-0185 USN-889-1 RHSA-2010:0061 61869 MDVSA-2011:152 MDVSA-2010:020 MDVSA-2010:019 DSA-2074 DSA-1974 http://support.apple.com/kb/HT4435 1023490 40689 40655 40551 38232 38225 38223 38220 http://savannah.gnu.org/forum/forum.php?forum_id=6153 oval:org.mitre.oval:def:7511 oval:org.mitre.oval:def:10546 http://ncompress.sourceforge.net/#status SUSE-SA:2010:008 APPLE-SA-2010-11-10-1 HPSBMA02554 HPSBMA02554 http://git.savannah.gnu.org/cgit/gzip.git/commit/?id=a3db5806d012082b9e25cc36d09f19cd736a468f The /etc/profile.d/60alias.sh script in the Mandriva bash package for Bash 2.05b, 3.0, 3.2, 3.2.48, and 4.0 enables the --show-control-chars option in LS_OPTIONS, which allows local users to send escape sequences to terminal emulators, or hide the existence of a file, via a crafted filename. MDVSA-2010:004 https://qa.mandriva.com/show_bug.cgi?id=56882 The print_fatal_signal function in kernel/signal.c in the Linux kernel before 2.6.32.4 on the i386 platform, when print-fatal-signals is enabled, allows local users to discover the contents of arbitrary memory locations by jumping to an address and then reading a log file, and might allow local users to cause a denial of service (system slowdown or crash) by jumping to an address. RHSA-2010:0146 https://bugzilla.redhat.com/show_bug.cgi?id=554578 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 37724 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0161 RHSA-2010:0147 [oss-security] 20100113 Re: CVE request - kernel: infoleak if print-fatal-signals=1 [oss-security] 20100112 CVE request - kernel: infoleak if print-fatal-signals=1 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.4 DSA-2005 DSA-1996 43315 39033 38779 38492 38333 http://patchwork.kernel.org/patch/69752/ oval:org.mitre.oval:def:10550 SUSE-SA:2010:014 SUSE-SA:2010:012 SUSE-SA:2010:010 FEDORA-2010-0919 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view. FEDORA-2009-13634 FEDORA-2009-13610 [oss-security] 20100114 Re: CVE Request: viewvc [oss-security] 20100113 Re: CVE Request: viewvc [oss-security] 20100111 CVE Request: viewvc http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2300 http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242&r2=2313&pathrev=HEAD http://viewvc.tigris.org/source/browse/*checkout*/viewvc/trunk/docs/release-notes/1.1.0.html?revision=2222 SUSE-SA:2010:008 query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query. http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242&r2=2313&pathrev=HEAD FEDORA-2009-13634 FEDORA-2009-13610 [oss-security] 20100113 Re: CVE Request: viewvc [oss-security] 20100111 CVE Request: viewvc http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2300 SUSE-SA:2010:008 The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.32.4, when network namespaces are enabled, allows remote attackers to cause a denial of service (NULL pointer dereference) via an invalid IPv6 jumbogram, a related issue to CVE-2007-4567. https://bugzilla.redhat.com/show_bug.cgi?id=555217 37810 61876 [oss-security] 20100114 CVE-2010-0006 - kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo() http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.4 http://security-tracker.debian.org/tracker/CVE-2010-0006 38333 38168 [linux-netdev] 20100114 [PATCH]: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo(). SUSE-SA:2010:010 FEDORA-2010-0919 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2570a4f5428bcdb1077622342181755741e7fa60 http://cert.fi/en/reports/2010/vulnerability341748.html http://bugs.gentoo.org/show_bug.cgi?id=300951 net/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel before 2.6.33-rc4 does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traffic filtering via a modified ebtables application. ADV-2010-0109 RHSA-2010:0146 https://bugzilla.redhat.com/show_bug.cgi?id=555238 kernel-ebtables-security-bypass(55602) http://www.vmware.com/security/advisories/VMSA-2011-0003.html 37762 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0161 RHSA-2010:0147 [oss-security] 20100114 Re: CVE Request: kernel ebtables perm check [oss-security] 20100113 CVE Request: kernel ebtables perm check MDVSA-2011:051 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.33-rc4 DSA-2005 DSA-1996 43315 39033 38779 38492 38333 38296 38133 oval:org.mitre.oval:def:9630 SUSE-SA:2010:014 SUSE-SA:2010:013 SUSE-SA:2010:012 SUSE-SA:2010:010 SUSE-SA:2010:007 FEDORA-2010-0919 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dce766af541f6605fa9889892c0280bab31c66ab The sctp_rcv_ootb function in the SCTP implementation in the Linux kernel before 2.6.23 allows remote attackers to cause a denial of service (infinite loop) via (1) an Out Of The Blue (OOTB) chunk or (2) a chunk of zero length. [oss-security] 20100317 CVE-2010-0008 kernel: sctp remote denial of service http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ece25dfa0991f65c4e1d26beb1c3c45bda4239b8 RHSA-2010:0146 https://bugzilla.redhat.com/show_bug.cgi?id=555658 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0342 RHSA-2010:0147 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23 43315 39295 oval:org.mitre.oval:def:11160 Apache CouchDB 0.8.0 through 0.10.1 allows remote attackers to obtain sensitive information by measuring the completion time of operations that verify (1) hashes or (2) passwords. http://couchdb.apache.org/security.html https://bugzilla.redhat.com/show_bug.cgi?id=578572 39116 20100331 [SECURITY] CVE-2008-2370: Apache CouchDB Timing Attack Vulnerability 63350 39146 20100331 [SECURITY] CVE-2008-2370: Apache CouchDB Timing Attack Vulnerability Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow. modproxy-approxysendfb-bo(55941) ADV-2010-1001 ADV-2010-0240 1023533 37966 20100127 Mod_proxy from apache 1.3 - Integer overflow which causes heap overflow. http://site.pi3.com.pl/adv/mod_proxy.txt 39656 38319 http://packetstormsecurity.org/1001-exploits/modproxy-overflow.txt oval:org.mitre.oval:def:7923 SSRT090208 HPSBOV02683 SUSE-SR:2010:010 http://httpd.apache.org/dev/dist/CHANGES_1.3.42 http://blog.pi3.com.pl/?p=69 20100127 Mod_proxy from apache 1.3 - Integer overflow which causes heap overflow. The eval_js function in uzbl-core.c in Uzbl before 2010.01.05 exposes the run method of the Uzbl object, which allows remote attackers to execute arbitrary commands via JavaScript code. http://github.com/Dieterbe/uzbl/downloads uzbl-evaljs-command-execution(56612) http://www.uzbl.org/news.php?id=22 [oss-security] 20100106 Re: CVE request - uzbl remote code execution [oss-security] 20100106 CVE request - uzbl remote code execution [uzbl-dev] 20100102 Fw: Uzbl: security issue http://github.com/Dieterbe/uzbl/commit/1958b52d41cba96956dc1995660de49525ed1047 Directory traversal vulnerability in libtransmission/metainfo.c in Transmission 1.22, 1.34, 1.75, and 1.76 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a pathname within a .torrent file. https://launchpad.net/bugs/500625 transmission-name-directory-traversal(55454) ADV-2010-0071 [oss-security] 20100106 Re: CVE Request: Transmission [oss-security] 20100106 CVE Request: Transmission [debian-devel-changes] 20100105 Accepted transmission 1.77-1 (source all amd64) DSA-1967 http://trac.transmissionbt.com/wiki/Changes#version-1.77 http://trac.transmissionbt.com/changeset/9829/ http://security.debian.org/pool/updates/main/t/transmission/transmission_1.22-1+lenny2.diff.gz 38005 37993 SUSE-SA:2010:008 Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. https://bugzilla.redhat.com/show_bug.cgi?id=552483 ADV-2010-1020 ADV-2009-3663 ADV-2009-3662 [oss-security] 20100107 Re: CVE request - pidgin MSN arbitrary file upload [oss-security] 20100107 Re: CVE request - pidgin MSN arbitrary file upload [oss-security] 20100102 CVE request - pidgin MSN arbitrary file upload MDVSA-2010:085 1022203 277450 38915 37961 37954 37953 oval:org.mitre.oval:def:10333 SUSE-SR:2010:006 FEDORA-2010-0429 FEDORA-2010-0368 http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html http://developer.pidgin.im/viewmtn/revision/diff/3d02401cf232459fc80c0837d31e05fae7ae5467/with/c64a1adc8bda2b4aeaae1f273541afbc4f71b810/libpurple/protocols/msn/slp.c http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810 http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467 System Security Services Daemon (SSSD) before 1.0.1, when the krb5 auth_provider is configured but the KDC is unreachable, allows physically proximate attackers to authenticate, via an arbitrary password, to the screen-locking program on a workstation that has any user's Kerberos ticket-granting ticket (TGT); and might allow remote attackers to bypass intended access restrictions via vectors involving an arbitrary password in conjunction with a valid TGT. https://fedorahosted.org/sssd/wiki/Releases/Notes-1.0.1 https://bugzilla.redhat.com/show_bug.cgi?id=553233 37747 38160 nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function. [oss-security] 20100111 Re: CVE id request: GNU libc: NIS shadow password leakage [oss-security] 20100109 Re: CVE id request: GNU libc: NIS shadow password leakage [oss-security] 20100108 Re: CVE id request: GNU libc: NIS shadow password leakage [oss-security] 20100107 CVE id request: GNU libc: NIS shadow password leakage MDVSA-2010:112 MDVSA-2010:111 http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062&view=markup http://sourceware.org/bugzilla/show_bug.cgi?id=11134 [oss-security] 20100111 Re: CVE id request: GNU libc: NIS shadow password leakage [oss-security] 20100111 Re: CVE id request: GNU libc: NIS shadow password leakage http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560333 The SMB client implementation in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not properly validate response fields, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted response, aka "SMB Client Pool Corruption Vulnerability." TA10-040A MS10-006 oval:org.mitre.oval:def:8278 Race condition in the SMB client implementation in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code, and in the SMB client implementation in Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges, via a crafted SMB Negotiate response, aka "SMB Client Race Condition Vulnerability." TA10-040A MS10-006 oval:org.mitre.oval:def:8298 Integer overflow in the Embedded OpenType (EOT) Font Engine (t2embed.dll) in Microsoft Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code via compressed data that represents a crafted EOT font, aka "Microtype Express Compressed Fonts Integer Flaw in the LZCOMP Decompressor Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-001.mspx This security update is rated Critical for Microsoft Windows 2000, and is rated Low for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. For more information, see the subsection, Affected and Non-Affected Software, in this section. TA10-012B MS10-001 ADV-2010-0095 1023432 37671 35457 oval:org.mitre.oval:def:8324 61651 http://blogs.technet.com/srd/archive/2010/01/12/ms10-001-font-file-decompression-vulnerability.aspx Microsoft Silverlight 3 before 3.0.50611.0 on Windows, and before 3.0.41130.0 on Mac OS X, does not properly handle pointers, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and framework outage) via a crafted web site, aka "Microsoft Silverlight Memory Corruption Vulnerability." TA10-222A MS10-060 The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate request fields, which allows remote authenticated users to execute arbitrary code via a malformed request, aka "SMB Pathname Overflow Vulnerability." TA10-040A MS10-012 oval:org.mitre.oval:def:8438 Multiple race conditions in the SMB implementation in the Server service in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allow remote attackers to cause a denial of service (system hang) via a crafted (1) SMBv1 or (2) SMBv2 Negotiate packet, aka "SMB Memory Corruption Vulnerability." TA10-040A MS10-012 oval:org.mitre.oval:def:8524 The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate the share and servername fields in SMB packets, which allows remote attackers to cause a denial of service (system hang) via a crafted packet, aka "SMB Null Pointer Vulnerability." TA10-040A MS10-012 oval:org.mitre.oval:def:8314 The Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not properly kill processes after a logout, which allows local users to obtain sensitive information or gain privileges via a crafted application that continues to execute throughout the logout of one user and the login session of the next user, aka "CSRSS Local Privilege Elevation Vulnerability." TA10-040A MS10-011 38509 oval:org.mitre.oval:def:8304 The SMTP component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Server 2008 Gold, SP2, and R2, and Exchange Server 2003 SP2, does not properly parse MX records, which allows remote DNS servers to cause a denial of service (service outage) via a crafted response to a DNS MX record query, aka "SMTP Server MX Record Vulnerability." TA10-103A MS10-024 oval:org.mitre.oval:def:7067 The SMTP component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Server 2008 Gold, SP2, and R2, and Exchange Server 2000 SP3, does not properly allocate memory for SMTP command replies, which allows remote attackers to read fragments of e-mail messages by sending a series of invalid commands and then sending a STARTTLS command, aka "SMTP Memory Allocation Vulnerability." TA10-103A MS10-024 39253 oval:org.mitre.oval:def:12175 The Hyper-V server implementation in Microsoft Windows Server 2008 Gold, SP2, and R2 on the x64 platform allows guest OS users to cause a denial of service (host OS hang) via a crafted application that executes a malformed series of machine instructions, aka "Hyper-V Instruction Set Validation Vulnerability." TA10-040A MS10-010 oval:org.mitre.oval:def:8006 The URL validation functionality in Microsoft Internet Explorer 5.01, 6, 6 SP1, 7 and 8, and the ShellExecute API function in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, does not properly process input parameters, which allows remote attackers to execute arbitrary local programs via a crafted URL, aka "URL Validation Vulnerability." TA10-040A MS10-007 MS10-002 ie-url-code-execution(55773) http://www.zerodayinitiative.com/advisories/ZDI-10-016/ 20100209 ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability oval:org.mitre.oval:def:8464 Integer overflow in Microsoft Paint in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted JPEG (.JPG) file, aka "MS Paint Integer Overflow Vulnerability." TA10-040A MS10-005 36634 oval:org.mitre.oval:def:8429 Buffer overflow in Microsoft Office PowerPoint 2002 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint File Path Handling Buffer Overflow Vulnerability." TA10-040A MS10-004 1023563 oval:org.mitre.oval:def:8410 Heap-based buffer overflow in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint LinkedSlideAtom Heap Overflow Vulnerability." TA10-040A MS10-004 1023563 oval:org.mitre.oval:def:8050 Array index error in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3, and PowerPoint in Office 2004 for Mac, allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint OEPlaceholderAtom 'placementId' Invalid Array Indexing Vulnerability." TA10-040A MS10-004 1023563 oval:org.mitre.oval:def:8081 Use-after-free vulnerability in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "OEPlaceholderAtom Use After Free Vulnerability." TA10-040A MS10-004 1023563 oval:org.mitre.oval:def:8303 Stack-based buffer overflow in Microsoft Office PowerPoint 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint Viewer TextBytesAtom Record Stack Overflow Vulnerability." TA10-040A MS10-004 1023563 oval:org.mitre.oval:def:7711 Stack-based buffer overflow in Microsoft Office PowerPoint 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "Office PowerPoint Viewer TextCharsAtom Record Stack Overflow Vulnerability." TA10-040A MS10-004 1023563 oval:org.mitre.oval:def:8268 The Key Distribution Center (KDC) in Kerberos in Microsoft Windows 2000 SP4, Server 2003 SP2, and Server 2008 Gold and SP2, when a trust relationship with a non-Windows Kerberos realm exists, allows remote authenticated users to cause a denial of service (NULL pointer dereference and domain controller outage) via a crafted Ticket Granting Ticket (TGT) renewal request, aka "Kerberos Null Pointer Dereference Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-014.mspx "This vulnerability only affects domain controllers. Servers that do not perform the role of domain controllers are not affected." TA10-040A MS10-014 oval:org.mitre.oval:def:8428 Buffer overflow in CoreAudio in Apple Mac OS X 10.5.8 and 10.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MP4 audio file. 37868 macos-coreaudio-mp4-bo(55746) ADV-2010-0173 1023472 http://support.apple.com/kb/HT4013 http://support.apple.com/kb/HT4004 38241 APPLE-SA-2010-01-19-1 APPLE-SA-2010-02-02-1 Buffer overflow in Image RAW in Apple Mac OS X 10.5.8 and 10.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted DNG image. macos-imageraw-dng-bo(55747) ADV-2010-0173 1023473 37869 http://support.apple.com/kb/HT4004 38241 APPLE-SA-2010-01-19-1 Recovery Mode in Apple iPhone OS 1.0 through 3.1.2, and iPhone OS for iPod touch 1.1 through 3.1.2, allows physically proximate attackers to bypass device locking, and read or modify arbitrary data, via a USB control message that triggers memory corruption. 38040 http://support.apple.com/kb/HT4013 62128 APPLE-SA-2010-02-02-1 The Application-Level Gateway (ALG) on the Apple Time Capsule, AirPort Extreme Base Station, and AirPort Express Base Station with firmware before 7.5.2 modifies PORT commands in incoming FTP traffic, which allows remote attackers to use the device's IP address for arbitrary intranet TCP traffic by leveraging write access to an intranet FTP server. http://support.apple.com/kb/HT4298 APPLE-SA-2010-12-16-1 1024907 Integer overflow in ColorSync in Apple Safari before 4.0.5 on Windows, and iTunes before 9.1, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image with a crafted color profile that triggers a heap-based buffer overflow. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html ColorSync CVE-ID: CVE-2010-0040 Available for: Windows 7, Vista, XP Impact: Viewing a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow, that could result in a heap buffer overflow, exists in the handling of images with an embedded color profile. Opening a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution. The issue is addressed by performing additional validation of color profiles. This issue does not affect Mac OS X systems. Credit to Sebastien Renaud of VUPEN Vulnerability Research Team for reporting this issue. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38674 38671 safari-colorsync-bo(56826) 1023706 http://support.apple.com/kb/HT4105 http://support.apple.com/kb/HT4070 39135 oval:org.mitre.oval:def:6741 APPLE-SA-2010-03-11-1 APPLE-SA-2010-03-30-2 ImageIO in Apple Safari before 4.0.5 and iTunes before 9.1 on Windows does not ensure that memory access is associated with initialized memory, which allows remote attackers to obtain potentially sensitive information from process memory via a crafted BMP image. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html ImageIO CVE-ID: CVE-2010-0041 Available for: Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may result in sending data from Safari's memory to the website Description: An uninitialized memory access issue exists in ImageIO's handling of BMP images. Visiting a maliciously crafted website may result in sending data from Safari's memory to the website. This issue is addressed through improved memory handling and additional validation of BMP images. Credit to Matthew 'j00ru' Jurczyk of Hispasec for reporting this issue. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38676 38671 1023706 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4105 http://support.apple.com/kb/HT4077 http://support.apple.com/kb/HT4070 39135 oval:org.mitre.oval:def:6885 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 APPLE-SA-2010-03-30-2 APPLE-SA-2010-03-29-1 ImageIO in Apple Safari before 4.0.5 and iTunes before 9.1 on Windows does not ensure that memory access is associated with initialized memory, which allows remote attackers to obtain potentially sensitive information from process memory via a crafted TIFF image. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'ImageIO CVE-ID: CVE-2010-0042 Available for: Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may result in sending data from Safari's memory to the website Description: An uninitialized memory access issue exists in ImageIO's handling of TIFF images. Visiting a maliciously crafted website may result in sending data from Safari's memory to the website. This issue is addressed through improved memory handling and additional validation of TIFF images. Credit to Matthew 'j00ru' Jurczyk of Hispasec for reporting this issue.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38677 38671 1023706 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4105 http://support.apple.com/kb/HT4077 http://support.apple.com/kb/HT4070 42314 39135 oval:org.mitre.oval:def:7561 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-03-30-2 APPLE-SA-2010-03-29-1 ImageIO in Apple Safari before 4.0.5 and iTunes before 9.1 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted TIFF image. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'ImageIO CVE-ID: CVE-2010-0043 Available for: Windows 7, Vista, XP Impact: Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue exists in the handling of TIFF images. Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling. Credit to Gus Mueller of Flying Meat for reporting this issue.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38673 38671 1023706 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4105 http://support.apple.com/kb/HT4077 http://support.apple.com/kb/HT4070 39135 oval:org.mitre.oval:def:6901 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 APPLE-SA-2010-03-30-2 APPLE-SA-2010-03-29-1 PubSub in Apple Safari before 4.0.5 does not properly implement use of the Accept Cookies preference to block cookies, which makes it easier for remote web servers to track users by setting a cookie in a (1) RSS or (2) Atom feed. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'PubSub CVE-ID: CVE-2010-0044 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting or updating a feed may result in a cookie being set, even if Safari is configured to block cookies Description: An implementation issue exists in the handling of cookies set by RSS and Atom feeds. Visiting or updating a feed may result in a cookie being set, even if Safari is configured to block cookies via the "Accept Cookies" preference. This update addresses the issue by respecting the preference while updating or viewing feeds.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38675 38671 safari-pubsub-security-bypass(56830) http://support.apple.com/kb/HT4070 oval:org.mitre.oval:def:7051 62937 APPLE-SA-2010-03-11-1 Apple Safari before 4.0.5 on Windows does not properly validate external URL schemes, which allows remote attackers to open local files and execute arbitrary code via a crafted HTML document. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html CVE-ID: CVE-2010-0045 Available for: Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: An issue in Safari's handling of external URL schemes may cause a local file to be opened in response to a URL encountered on a web page. Visiting a maliciously crafted website may lead to arbitrary code execution. This update addresses the issue through improved validation of external URLs. This issue does not affect Mac OS X systems. Credit to Billy Rios and Microsoft Vulnerability Research (MSVR) for reporting this issue. 38671 1023706 http://support.apple.com/kb/HT4070 oval:org.mitre.oval:def:6817 APPLE-SA-2010-03-11-1 The Cascading Style Sheets (CSS) implementation in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted format arguments. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'WebKit CVE-ID: CVE-2010-0046 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue exists in WebKit's handling of CSS format() arguments. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of CSS format() arguments. Credit to Robert Swiecki of Google Inc. for reporting this issue.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38671 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:7053 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to "HTML object element fallback content." Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'WebKit CVE-ID: CVE-2010-0047 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in the handling of HTML object element fallback content. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38671 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:6882 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted XML document. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html CVE-ID: CVE-2010-0048 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in WebKit's parsing of XML documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 38671 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:7135 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via HTML elements with right-to-left (RTL) text directionality. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000. CVE-ID: CVE-2010-0049 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in the handling of HTML elements containing right-to-left displayed text. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi&Z of team509 for reporting this issue. 38671 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:6810 62942 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 20100311 Multiple Vendor WebKit HTML Element Use After Free Vulnerability Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an HTML document with improperly nested tags. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'WebKit CVE-ID: CVE-2010-0050 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in WebKit's handling of incorrectly nested HTML tags. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi&Z of team509 working with TippingPoint's Zero Day Initiative for reporting this issue.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38671 safari-nested-html-code-exec(56836) ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:7587 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 WebKit in Apple Safari before 4.0.5 does not properly validate the cross-origin loading of stylesheets, which allows remote attackers to obtain sensitive information via a crafted HTML document. NOTE: this might overlap CVE-2010-0651. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'WebKit CVE-ID: CVE-2010-0051 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information Description: An implementation issue exists in WebKit's handling of cross-origin stylesheet requests. Visiting a maliciously crafted website may disclose the content of protected resources on another website. This update addresses the issue by performing additional validation on stylesheets that are loaded during a cross-origin request.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38671 safari-stylesheet-info-disclosure(56837) ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://websec.sv.cmu.edu/css/css.pdf http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 42314 41856 http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html oval:org.mitre.oval:def:7554 62944 SUSE-SR:2011:002 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 http://code.google.com/p/chromium/issues/detail?id=9877 Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to "callbacks for HTML elements." Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html CVE-ID: CVE-2010-0052 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in WebKit's handling of callbacks for HTML elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit: Apple. 38671 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:7403 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to the run-in Cascading Style Sheets (CSS) display property. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html CVE-ID: CVE-2010-0053 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in the rendering of content with a CSS display property set to 'run-in'. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue. ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 38671 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:7323 62948 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving HTML IMG elements. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'WebKit CVE-ID: CVE-2010-0054 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in WebKit's handling of HTML image elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit: Apple.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38671 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:6915 62949 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 xar in Apple Mac OS X 10.5.8 does not properly validate package signatures, which allows attackers to have an unspecified impact via a modified package. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Buffer overflow in Cocoa spell checking in AppKit in Apple Mac OS X 10.5.8 allows user-assisted remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted document. APPLE-SA-2010-03-29-1 AFP Server in Apple Mac OS X before 10.6.3 does not prevent guest use of AFP shares when guest access is disabled, which allows remote attackers to bypass intended access restrictions via a mount request. APPLE-SA-2010-03-29-1 freshclam in ClamAV in Apple Mac OS X 10.5.8 with Security Update 2009-005 has an incorrect launchd.plist ProgramArguments key and consequently does not run, which might allow remote attackers to introduce viruses into the system. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 CoreAudio in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted audio content with QDM2 encoding, which triggers a buffer overflow due to inconsistent length fields, related to QDCA. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 http://www.zerodayinitiative.com/advisories/ZDI-10-041 20100402 ZDI-10-041: Apple QuickTime QDM2/QDCA Atom Remote Code Execution Vulnerability oval:org.mitre.oval:def:6922 APPLE-SA-2010-03-30-1 CoreAudio in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted audio content with QDMC encoding. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 oval:org.mitre.oval:def:7513 APPLE-SA-2010-03-30-1 Heap-based buffer overflow in quicktime.qts in CoreMedia and QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a malformed .3g2 movie file with H.263 encoding that triggers an incorrect buffer length calculation. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 http://www.zerodayinitiative.com/advisories/ZDI-10-036 20100402 ZDI-10-036: Apple QuickTime H.263 PictureHeader Remote Code Execution Vulnerability oval:org.mitre.oval:def:6626 APPLE-SA-2010-03-30-1 Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X before 10.6.3 makes it easier for user-assisted remote attackers to execute arbitrary JavaScript via a web page that offers a download with a Content-Type value that is not on the list of possibly unsafe content types for Safari, as demonstrated by the values for the (1) .ibplugin and (2) .url extensions. Per: http://cwe.mitre.org/data/slices/2000.html 'Incomplete Blacklist - CWE-184' http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 DesktopServices in Apple Mac OS X 10.6 before 10.6.3 preserves file ownership during an authenticated Finder copy, which might allow local users to bypass intended disk-quota restrictions and have unspecified other impact by copying files owned by other users. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Disk Images in Apple Mac OS X before 10.6.3 allows user-assisted remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted disk image with bzip2 compression. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Unspecified vulnerability in the Access Manager Identity Server component in Oracle Application Server 7.0.4.3 and 10.1.4.2 allows remote attackers to affect integrity via unknown vectors. TA10-012A 1023438 http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Application Server 10.1.2.3 and 10.1.3.4 allows remote attackers to affect confidentiality via unknown vectors. TA10-012A 1023438 http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 9.0, 9.1, 9.2MP2, and 10.0 allows remote attackers to affect confidentiality via unknown vectors. TA10-012A http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 7.0, SP7, 8.1SP6, 9.0, 9.1, 9.2MP3, 10.0MP1, and 10.3.0 allows remote attackers to affect integrity via unknown vectors. TA10-012A http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Application Server 10.1.2.3 and 10.1.3.4 allows remote attackers to affect integrity via unknown vectors. TA10-012A 1023438 http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Unspecified vulnerability in the Listener component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. TA10-012A http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a buffer overflow in observiced.exe that allows remote attackers to execute arbitrary code via vectors related to a "reverse lookup of connections" to TCP port 10000. TA10-012A http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Unspecified vulnerability in the WebLogic Server in Oracle WebLogic Server 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, and 10.3.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. TA10-103B ADV-2010-0216 http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0073.html 39439 Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 7.0SP7, 8.1SP6, 9.0, 9.1, 9.2MP3, 10.0MP2, and 10.3.1 allows remote attackers to affect availability via unknown vectors. TA10-012A http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Unspecified vulnerability in the Oracle HRMS (Self Service) component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors. TA10-012A http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Unspecified vulnerability in the Application Express Application Builder component in Oracle Database 3.2.1.00.10 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. TA10-012A http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Unspecified vulnerability in the CRM Technical Foundation (mobile) component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect confidentiality and integrity via unknown vectors. TA10-012A http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 9.0, 9.1, 9.2MP3, 10.0MP2, and 10.3.1 allows remote attackers to affect availability via unknown vectors. TA10-012A http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Multiple vulnerabilities in the JRockit component in BEA Product Suite R27.6.5 using JRE/JDK 1.4.2, 5, and 6 allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: this CVE identifier overlaps CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, and CVE-2009-3877. TA10-012A http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Unspecified vulnerability in the PeopleSoft Enterprise HCM - eProfile component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.9 Bundle, #21 and 9.0 Bundle #11 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. TA10-012A http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Unspecified vulnerability in the Application Server Control component in Oracle Fusion Middleware 10.1.2.3 and 10.1.4.0.1 allows remote authenticated users to affect integrity via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html Unspecified vulnerability in the HotSpot Server component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' ADV-2010-1793 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39317 39292 oval:org.mitre.oval:def:13934 oval:org.mitre.oval:def:11576 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 Unspecified vulnerability in Oracle OpenSolaris 8, 9, and 10 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:14061 oval:org.mitre.oval:def:11120 63482 SUSE-SR:2010:017 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:13803 oval:org.mitre.oval:def:10474 SUSE-SR:2010:017 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 Unspecified vulnerability in the Portal component in Oracle Fusion Middleware 10.1.2.3 allows remote attackers to affect integrity via unknown vectors. TA10-103B 1023869 http://www.oracle.com/technetwork/topics/security/cpuapr2010-099504.html 39439 Unspecified vulnerability in the Java Web Start, Java Plug-in component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 oval:org.mitre.oval:def:13959 SUSE-SR:2010:017 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:14321 oval:org.mitre.oval:def:11173 SUSE-SR:2010:017 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 Unspecified vulnerability in the Java Web Start, Java Plug-in component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 oval:org.mitre.oval:def:14208 SUSE-SR:2010:017 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java Web Start, Java Plug-in component in Oracle Java SE and Java for Business 6 Update 18 allows remote attackers to affect integrity and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0337 http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 oval:org.mitre.oval:def:14237 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:9855 oval:org.mitre.oval:def:13492 63481 SUSE-SR:2010:017 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:14210 oval:org.mitre.oval:def:10057 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' ADV-2010-1793 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39317 39292 oval:org.mitre.oval:def:9877 oval:org.mitre.oval:def:14288 63485 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18 and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is due to missing privilege checks during deserialization of RMIConnectionImpl objects, which allows remote attackers to call system-level Java functions via the ClassLoader of a constructor that is being deserialized. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.zerodayinitiative.com/advisories/ZDI-10-051 ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 20100405 ZDI-10-051: Sun Java Runtime RMIConnectionImpl Privileged Context Remote Code Execution Vulnerability RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:14351 oval:org.mitre.oval:def:10851 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:14105 oval:org.mitre.oval:def:11621 SUSE-SR:2010:017 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain. VU#360341 https://www.isc.org/advisories/CVE-2010-0097 RHSA-2010:0095 RHSA-2010:0062 https://bugzilla.redhat.com/show_bug.cgi?id=554851 bind-dnssecnsec-cache-poisoning(55753) ADV-2010-1352 ADV-2010-0981 ADV-2010-0622 ADV-2010-0176 USN-888-1 37865 61853 MDVSA-2010:021 DSA-2054 http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0018 http://support.apple.com/kb/HT5002 1021798 1023474 40086 39582 39334 38240 38219 38169 oval:org.mitre.oval:def:9357 oval:org.mitre.oval:def:7430 oval:org.mitre.oval:def:7212 oval:org.mitre.oval:def:12205 SSRT100004 SSRT100004 SUSE-SA:2010:008 FEDORA-2010-0868 FEDORA-2010-0861 APPLE-SA-2011-10-12-3 ftp://ftp.sco.com/pub/unixware7/714/security/p535243_uw7/p535243b.txt ClamAV before 0.96 does not properly handle the (1) CAB and (2) 7z file formats, which allows remote attackers to bypass virus detection via a crafted archive that is compatible with standard archive utilities. 39262 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1826 ADV-2010-1206 ADV-2010-1001 ADV-2010-0909 ADV-2010-0832 ADV-2010-0827 USN-926-1 [oss-security] 20100407 Re: ClamAV small issues [oss-security] 20100406 ClamAV small issues MDVSA-2010:082 http://support.apple.com/kb/HT4312 39656 39329 39293 SUSE-SR:2010:010 APPLE-SA-2010-08-24-1 http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=clamav-0.96 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-0092. Reason: This candidate is a duplicate of CVE-2010-0092. Notes: All CVE users should reference CVE-2010-0092 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The embedded HTTP server in multiple Lexmark laser and inkjet printers and MarkNet devices, including X94x, W840, T656, N4000, E462, C935dn, 25xxN, and other models, allows remote attackers to cause a denial of service (operating system halt) via a malformed HTTP Authorization header. http://support.lexmark.com/index?page=content&id=TE87&locale=EN&userlocale=EN_US UsbCharger.dll in the Energizer DUO USB battery charger software contains a backdoor that is implemented through the Arucer.dll file in the %WINDIR%\system32 directory, which allows remote attackers to download arbitrary programs onto a Windows PC, and execute these programs, via a request to TCP port 7777. Per: http://www.energizer.com/usbcharger/download/March_8_2010_USB_Release__3_.pdf "Energizer has discontinued sale of this product and has removed the site to download the software. In addition, the company is directing consumers that downloaded the Windows version of the software to uninstall or otherwise remove the software from your computer." VU#154421 http://www.symantec.com/connect/blogs/trojan-found-usb-battery-charger-software 38571 http://www.marketwatch.com/story/energizer-announces-duo-charger-and-usb-charger-software-problem-2010-03-05 Unspecified vulnerability in the Broadcom Integrated NIC Management Firmware 1.x before 1.40.0.0 and 8.x before 8.08 on the HP Small Form Factor and Microtower platforms allows remote attackers to execute arbitrary code via unknown vectors. VU#512705 HPSBGN02511 ADV-2010-0631 38759 1023710 39003 HPSBGN02511 The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions, related to the fsck_hfs program in the diskdev_cmds component. 1024723 39658 http://support.apple.com/kb/HT4435 20100423 MacOS X 10.6.3 filesystem hfs Denial of Service Vulnerability APPLE-SA-2010-11-10-1 The on-demand scanning in Symantec AntiVirus 10.0.x and 10.1.x before MR9, AntiVirus 10.2.x, and Client Security 3.0.x and 3.1.x before MR9, when Tamper protection is disabled, allows remote attackers to cause a denial of service (prevention of on-demand scanning) via "specific events" that prevent the user from having read access to unspecified resources. symantec-ondemand-dos(56354) ADV-2010-0410 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_00 1023621 38219 38653 62414 Buffer overflow in an ActiveX control (SYMLTCOM.dll) in Symantec N360 1.0 and 2.0; Norton Internet Security, AntiVirus, SystemWorks, and Confidential 2006 through 2008; and Symantec Client Security 3.0.x before 3.1 MR9, and 3.1.x before MR9; allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. NOTE: this is only a vulnerability if the attacker can "masquerade as an authorized site." symantec-symltcom-activex-bo(56357) ADV-2010-0411 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_01 1023631 1023630 1023629 1023628 38217 20100224 VUPEN Security Research - Symantec Products "SYMLTCOM.dll" Buffer Overflow Vulnerability 38654 62412 Buffer overflow in the cliproxy.objects.1 ActiveX control in the Symantec Client Proxy (CLIproxy.dll) in Symantec AntiVirus 10.0.x, 10.1.x before MR9, and 10.2.x before MR4; and Symantec Client Security 3.0.x and 3.1.x before MR9 allows remote attackers to execute arbitrary code via a long argument to the SetRemoteComputerName function. scp-cliproxy-activex-bo(56355) ADV-2010-0412 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02 38222 20100219 [DSECRG-09-039] Symantec Antivirus 10.0 ActiveX - buffer Overflow. 38651 http://dsecrg.com/pages/vul/show.php?id=139 Multiple stack-based buffer overflows in Intel Alert Management System (aka AMS or AMS2), as used in Symantec AntiVirus Corporate Edition (SAVCE) 10.x before 10.1 MR10, Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5 and 3.6, allow remote attackers to execute arbitrary code via (1) a long string to msgsys.exe, related to the AMSSendAlertAct function in AMSLIB.dll in the Intel Alert Handler service (aka Symantec Intel Handler service); a long (2) modem string or (3) PIN number to msgsys.exe, related to pagehndl.dll in the Intel Alert Handler service; or (4) a message to msgsys.exe, related to iao.exe in the Intel Alert Originator service. symantec-intel-ams2-bo(64940) http://www.zerodayinitiative.com/advisories/ZDI-11-032 http://www.zerodayinitiative.com/advisories/ZDI-11-031 http://www.zerodayinitiative.com/advisories/ZDI-11-030 http://www.zerodayinitiative.com/advisories/ZDI-11-028 ADV-2011-0234 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00 45936 1024996 43106 43099 HDNLRSVC.EXE in the Intel Alert Handler service (aka Symantec Intel Handler service) in Intel Alert Management System (aka AMS or AMS2), as used in Symantec AntiVirus Corporate Edition (SAVCE) 10.x before 10.1 MR10, Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5 and 3.6, allows remote attackers to execute arbitrary programs by sending msgsys.exe a UNC share pathname, which is used directly in a CreateProcessA (aka CreateProcess) call. symantec-intelams2-dos(64943) symantec-intelams2-code-execution(64942) http://www.zerodayinitiative.com/advisories/ZDI-11-029 ADV-2011-0234 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_01 45935 1024997 43106 43099 Multiple SQL injection vulnerabilities in the Administrative Interface in the IIS extension in Symantec IM Manager before 8.4.16 allow remote attackers to execute arbitrary SQL commands via (1) the rdReport parameter to rdpageimlogic.aspx, related to the sGetDefinition function in rdServer.dll, and SQL statements contained within a certain report file; (2) unspecified parameters in a DetailReportGroup (aka DetailReportGroup.lgx) action to rdpageimlogic.aspx; the (3) selclause, (4) whereTrendTimeClause, (5) TrendTypeForReport, (6) whereProtocolClause, or (7) groupClause parameter in a SummaryReportGroup (aka SummaryReportGroup.lgx) action to rdpageimlogic.aspx; the (8) loginTimeStamp, (9) dbo, (10) dateDiffParam, or (11) whereClause parameter in a LoggedInUsers (aka LoggedInUSers.lgx) action to (a) rdpageimlogic.aspx or (b) rdPage.aspx; the (12) selclause, (13) whereTrendTimeClause, (14) TrendTypeForReport, (15) whereProtocolClause, or (16) groupClause parameter to rdpageimlogic.aspx; (17) the groupList parameter to IMAdminReportTrendFormRun.asp; or (18) the email parameter to IMAdminScheduleReport.asp. immanager-unspecified-sql-injection(62806) http://www.zerodayinitiative.com/advisories/ZDI-10-226/ http://www.zerodayinitiative.com/advisories/ZDI-10-225/ http://www.zerodayinitiative.com/advisories/ZDI-10-224/ http://www.zerodayinitiative.com/advisories/ZDI-10-223/ http://www.zerodayinitiative.com/advisories/ZDI-10-222/ http://www.zerodayinitiative.com/advisories/ZDI-10-221/ http://www.zerodayinitiative.com/advisories/ZDI-10-220/ ADV-2010-2789 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101027_01 1024648 44299 41959 68903 68902 68901 The Symantec Norton Mobile Security application 1.0 Beta for Android records setup details, possibly including wipe/lock credentials, in the device logs, which allows user-assisted remote attackers to obtain potentially sensitive information by leveraging the ability of a separate crafted application to read these logs. norton-mobile-setup-information-disclosure(63294) ADV-2010-2982 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101111_00 44767 69253 fw_charts.php in the reporting module in the Manager (aka SEPM) component in Symantec Endpoint Protection (SEP) 11.x before 11 RU6 MP2 allows remote attackers to bypass intended restrictions on report generation, overwrite arbitrary PHP scripts, and execute arbitrary code via a crafted request. symantec-endpoint-fwcharts-code-execution(64118) http://www.zerodayinitiative.com/advisories/ZDI-10-291/ ADV-2010-3252 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101215_00 45372 1024900 42643 SQL injection vulnerability in login.php in the GUI management console in Symantec Web Gateway 4.5 before 4.5.0.376 allows remote attackers to execute arbitrary SQL commands via the USERNAME parameter. symantec-web-username-sql-injection(64658) http://www.zerodayinitiative.com/advisories/ZDI-11-013/ ADV-2011-0088 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110112_00 1024958 45742 42878 70415 Integer overflow in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows might allow remote attackers to execute arbitrary code via a crafted QCP file that triggers a heap-based buffer overflow. realplayer-qcp-bo(61420) ADV-2010-2216 1024370 http://service.real.com/realplayer/security/08262010_player/en/ http://secunia.com/secunia_research/2010-3/ 41154 41096 oval:org.mitre.oval:def:7326 RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows do not properly handle dimensions during YUV420 transformations, which might allow remote attackers to execute arbitrary code via crafted MP4 content. realplayer-yuv420-code-execution(61421) ADV-2010-2216 1024370 http://service.real.com/realplayer/security/08262010_player/en/ http://secunia.com/secunia_research/2010-5/ 41154 41096 oval:org.mitre.oval:def:7169 Bournal before 1.4.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified temporary files associated with a --hack_the_gibson update check. 38353 20100222 Secunia Research: Bournal Insecure Temporary Files Security Issue http://secunia.com/secunia_research/2010-6/ 38814 38554 FEDORA-2010-3168 FEDORA-2010-3221 FEDORA-2010-3301 Bournal before 1.4.1 on FreeBSD 8.0, when the -K option is used, places a ccrypt key on the command line, which allows local users to obtain sensitive information by listing the process and its arguments, related to "echoing." 38352 20100222 Secunia Research: Bournal ccrypt Information Disclosure Security Issue http://secunia.com/secunia_research/2010-7/ 38814 38723 FEDORA-2010-3168 FEDORA-2010-3221 FEDORA-2010-3301 Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows allows remote attackers to execute arbitrary code via large size values in QCP audio content. realplayer-qcp-audio-bo(61422) ADV-2010-2216 1024370 http://service.real.com/realplayer/security/08262010_player/en/ http://secunia.com/secunia_research/2010-8/ 41154 41096 oval:org.mitre.oval:def:6807 The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 does not properly perform initialization, which has unspecified impact and attack vectors. Per: http://cwe.mitre.org/data/definitions/665.html 'CWE-665: Improper Initialization' 1024861 http://service.real.com/realplayer/security/12102010_player/en/ Multiple SQL injection vulnerabilities in Employee Timeclock Software 0.99 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter to (a) auth.php or (b) login_action.php. timeclock-auth-sql-injection(56799) 38639 20100310 Secunia Research: Employee Timeclock Software SQL Injection Vulnerabilities 62832 62831 http://secunia.com/secunia_research/2010-11/ 38739 The database backup implementation in Employee Timeclock Software 0.99 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for a "semi-predictable file name." timeclock-database-info-disclosure(56798) 20100310 Secunia Research: Employee Timeclock Software Backup Information Disclosure 62833 http://secunia.com/secunia_research/2010-10/ 38739 Employee Timeclock Software 0.99 places the database password on the mysqldump command line, which allows local users to obtain sensitive information by listing the process. timeclock-mysqldump-info-disclosure(56800) 38642 20100310 Secunia Research: Employee Timeclock Software "mysqldump" Password Disclosure 62830 http://secunia.com/secunia_research/2010-12/ 38739 RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Mac RealPlayer 11.0 through 12.0.0.1444 do not properly parse spectral data in AAC files, which has unspecified impact and remote attack vectors. 1024861 http://service.real.com/realplayer/security/12102010_player/en/ Heap-based buffer overflow in an unspecified library in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to execute arbitrary code via a crafted compound file, as demonstrated using a Quattro Pro file, which is not properly handled by the Quattro speed reader (qpssr.dll). http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100727_01 41928 http://www-01.ibm.com/support/docview.wss?uid=swg21440812 http://secunia.com/secunia_research/2010-16/ Adobe Shockwave Player before 11.5.7.609 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted FFFFFF45h Shockwave 3D blocks in a Shockwave file. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 20100512 Secunia Research: Adobe Shockwave Player 3D Parsing Memory Corruption http://secunia.com/secunia_research/2010-17/ 38751 oval:org.mitre.oval:def:7477 Integer signedness error in dirapi.dll in Adobe Shockwave Player before 11.5.7.609 and Adobe Director before 11.5.7.609 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted .dir file that triggers an invalid read operation. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 20100512 Secunia Research: Adobe Shockwave Player Signedness Error Vulnerability 20100511 [CORE-2010-0405] Adobe Director Invalid Read http://www.coresecurity.com/content/adobe-director-invalid-read http://secunia.com/secunia_research/2010-19/ 38751 oval:org.mitre.oval:def:7273 Multiple integer overflows in Adobe Shockwave Player before 11.5.7.609 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted .dir (aka Director) file that triggers an array index error. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 20100511 Abobe Shockwave Player Heap Memory Indexing Vulnerability 40082 20100512 Secunia Research: Adobe Shockwave Player Array Indexing Vulnerability 20100512 [CAL-20100204-2]Adobe Shockwave Player Director File Parsing integer overflow vulnerability http://secunia.com/secunia_research/2010-20/ 38751 oval:org.mitre.oval:def:7134 http://hi.baidu.com/fs_fx/blog/item/fa74a61705b5e24621a4e951.html 20100511 [CAL-20100204-2]Adobe Shockwave Player Director File Parsing integer overflow vulnerability Integer overflow in Adobe Shockwave Player before 11.5.7.609 might allow remote attackers to execute arbitrary code via a crafted .dir (aka Director) file. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 40084 20100512 Secunia Research: Adobe Shockwave Player Integer Overflow Vulnerability http://secunia.com/secunia_research/2010-22/ 38751 oval:org.mitre.oval:def:7108 Stack-based buffer overflow in the SpreadSheet Lotus 123 reader (wkssr.dll), as used in Autonomy KeyView 10.4 and 10.9, Symantec Mail Security, and possibly other products, allows remote attackers to execute arbitrary code via unspecified vectors related to floating point conversion in unknown record types. http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100727_01 41928 http://www-01.ibm.com/support/docview.wss?uid=swg21440812 http://secunia.com/secunia_research/2010-25/ http://secunia.com/secunia_research/2010-23/ Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 and 1.0 before 1.0.11, when the regular expression search functionality is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to "search_re input," a different vulnerability than CVE-2010-0736. ADV-2010-0743 ADV-2010-0844 20100330 Secunia Research: ViewVC Regular Expression Search Cross-Site Scripting http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342&r2=2359&pathrev=HEAD http://secunia.com/secunia_research/2010-26/ 38918 SUSE-SR:2010:009 FEDORA-2010-5805 FEDORA-2010-5524 FEDORA-2010-5507 Multiple stack-based buffer overflows in the SpreadSheet Lotus 123 reader (wkssr.dll) in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allow remote attackers to execute arbitrary code via unspecified vectors related to "certain records." http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100727_01 41928 http://www-01.ibm.com/support/docview.wss?uid=swg21440812 http://secunia.com/secunia_research/2010-28/ Integer signedness error in rtfsr.dll in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to execute arbitrary code via a crafted \ls keyword in a list override table entry in an RTF file, which triggers a buffer overflow. http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100727_01 41928 http://www-01.ibm.com/support/docview.wss?uid=swg21440812 http://secunia.com/secunia_research/2010-27/ Heap-based buffer overflow in the WordPerfect 5.x reader (wosr.dll), as used in Autonomy KeyView 10.4 and 10.9 and possibly other products, allows remote attackers to execute arbitrary code via unspecified vectors related to "data blocks." http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100727_01 41928 http://www-01.ibm.com/support/docview.wss?uid=swg21440812 http://secunia.com/secunia_research/2010-31/ OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly enforce Visual Basic for Applications (VBA) macro security settings, which allows remote attackers to run arbitrary macros via a crafted document. ADV-2010-2905 ADV-2010-0635 USN-903-1 38245 MDVSA-2010:221 [debian-openoffice] 20100212 ./packages/openofficeorg/3.1.1/unstable r1866: merge 1:3.1.1-15+squeeze1 DSA-1995 1023588 38921 38695 SUSE-SA:2010:017 Unspecified vulnerability in the sshd_child_handler process in the SSH server in Cisco IOS XR 3.4.1 through 3.7.0 allows remote attackers to cause a denial of service (process crash and memory consumption) via a crafted SSH2 packet, aka Bug ID CSCsu10574. 20100120 Cisco IOS XR Software SSH Denial of Service Vulnerability ciscoios-ssh-dos(55767) ADV-2010-0183 37878 1023480 38227 Buffer overflow in Cisco CiscoWorks Internetwork Performance Monitor (IPM) 2.6 and earlier on Windows, as distributed in CiscoWorks LAN Management Solution (LMS), allows remote attackers to execute arbitrary code via a malformed getProcessName CORBA General Inter-ORB Protocol (GIOP) request, related to a "third-party component," aka Bug ID CSCsv62350. cisco-ipm-corba-bo(55768) http://www.zerodayinitiative.com/advisories/ZDI-10-004/ ADV-2010-0184 37879 20100120 CiscoWorks Internetwork Performance Monitor CORBA GIOP Overflow Vulnerability 1023484 38230 Cisco Unified MeetingPlace 7 before 7.0(2.3) hotfix 5F, 6 before 6.0.639.2, and possibly 5 does not properly validate SQL commands, which allows remote attackers to create, modify, or delete data in a database via unspecified vectors, aka Bug ID CSCtc39691. 20100127 Multiple Vulnerabilities in Cisco Unified MeetingPlace 37965 Multiple unspecified vulnerabilities in the web server in Cisco Unified MeetingPlace 7 before 7.0(2.3) hotfix 5F, 6 before 6.0.639.3, and possibly 5 allow remote attackers to create (1) user or (2) administrator accounts via a crafted URL in a request to the internal interface, aka Bug IDs CSCtc59231 and CSCtd40661. Per: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1490b.shtml Affected Products Vulnerable Products Cisco Unified MeetingPlace versions 5, 6, and 7 are each affected by at least one of the vulnerabilities described in this document. 20100127 Multiple Vulnerabilities in Cisco Unified MeetingPlace 37965 MeetingTime in Cisco Unified MeetingPlace 6 before MR5, and possibly 5, allows remote attackers to discover usernames, passwords, and unspecified other data from the user database via a modified authentication sequence to the Audio Server, aka Bug ID CSCsv76935. 20100127 Multiple Vulnerabilities in Cisco Unified MeetingPlace 37965 MeetingTime in Cisco Unified MeetingPlace 6 before MR5, and possibly 5, allows remote authenticated users to gain privileges via a modified authentication sequence, aka Bug ID CSCsv66530. Per: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1490b.shtml Affected Products Vulnerable Products Cisco Unified MeetingPlace versions 5, 6, and 7 are each affected by at least one of the vulnerabilities described in this document. 20100127 Multiple Vulnerabilities in Cisco Unified MeetingPlace 37965 Unspecified vulnerability in the administrative interface in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65921. 20100210 Multiple Vulnerabilities in Cisco IronPort Encryption Appliance http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080b17904.html 38525 Unspecified vulnerability in the WebSafe DistributorServlet in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65922. 20100210 Multiple Vulnerabilities in Cisco IronPort Encryption Appliance http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080b17904.html 38525 Unspecified vulnerability in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to execute arbitrary code via unknown vectors, aka IronPort Bug 65923. 20100210 Multiple Vulnerabilities in Cisco IronPort Encryption Appliance http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080b17904.html 38525 Directory traversal vulnerability in the Management Center for Cisco Security Agents 6.0 allows remote authenticated users to read arbitrary files via unspecified vectors. 20100217 Multiple Vulnerabilities in Cisco Security Agent cisco-sa-mgmtcenter-dir-traversal(56345) ADV-2010-0416 1023606 38271 38619 62443 SQL injection vulnerability in the Management Center for Cisco Security Agents 5.1 before 5.1.0.117, 5.2 before 5.2.0.296, and 6.0 before 6.0.1.132 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. 20100217 Multiple Vulnerabilities in Cisco Security Agent 38619 cisco-sa-mgmtcenter-sql-injection(56346) ADV-2010-0416 1023606 38272 62444 Unspecified vulnerability in Cisco Security Agent 5.2 before 5.2.0.285, when running on Linux, allows remote attackers to cause a denial of service (kernel panic) via "a series of TCP packets." Per: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1910d.shtml Only Cisco Security Agent release 5.2 for Linux, either managed or standalone, are affected by the DoS vulnerability (the Windows version is not affected). The Linux version of standalone agents are installed in the following products: * Cisco Unified Communications Manager (CallManager) * IPCC Express * IP Interactive Voice Response (IP IVR) * Cisco Unified Meeting Place * Cisco Personal Assistant (PA) * Cisco Unity Connection Note: The Sun Solaris version of the Cisco Security Agent is not affected by these vulnerabilities. Only Cisco Security Agent release 5.2 for Linux, either managed or standalone, are affected by the DoS vulnerability. " 20100217 Multiple Vulnerabilities in Cisco Security Agent 38619 cisco-securityagent-tcp-dos(56347) ADV-2010-0416 1023607 38273 62445 Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.2 before 7.2(4.46), 8.0 before 8.0(4.38), 8.1 before 8.1(2.29), and 8.2 before 8.2(1.5); and Cisco PIX 500 Series Security Appliance; allows remote attackers to cause a denial of service (prevention of new connections) via crafted TCP segments during termination of the TCP connection that cause the connection to remain in CLOSEWAIT status, aka "TCP Connection Exhaustion Denial of Service Vulnerability." cisco-asa-tcp-dos(56336) ADV-2010-0415 1023612 38275 20100217 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 38636 38618 62433 Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.0 before 7.0(8.10), 7.2 before 7.2(4.45), 8.0 before 8.0(5.2), 8.1 before 8.1(2.37), and 8.2 before 8.2(1.16); and Cisco PIX 500 Series Security Appliance; allows remote attackers to cause a denial of service (device reload) via malformed SIP messages, aka Bug ID CSCsy91157. cisco-asa5500-sip-dos(56338) ADV-2010-0415 1023612 38277 20100217 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 38636 38618 62434 The Cisco Firewall Services Module (FWSM) 4.0 before 4.0(8), as used in for the Cisco Catalyst 6500 switches, Cisco 7600 routers, and ASA 5500 Adaptive Security Appliances, allows remote attackers to cause a denial of service (crash) via a malformed Skinny Client Control Protocol (SCCP) message. Per: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1910e.shtml "All non-fixed 4.x versions of Cisco FWSM Software are affected by this vulnerability if SCCP inspection is enabled. SCCP inspection is enabled by default." 20100217 Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability 20100217 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances cisco-fwsm-asa-sccp-dos(56333) ADV-2010-0418 1023609 38274 38621 62432 Multiple cross-site scripting (XSS) vulnerabilities in the Local Management Interface (LMI) on the IBM Proventia Network Mail Security System (PNMSS) appliance with firmware before 2.5.0.2 allow remote attackers to inject arbitrary web script or HTML via (1) the date1 parameter to pvm_messagestore.php, (2) the userfilter parameter to pvm_user_management.php, (3) the ping parameter to sys_tools.php in a sys_ping.php action, (4) the action parameter to pvm_cert_commaction.php, (5) the action parameter to pvm_cert_serveraction.php, (6) the action parameter to pvm_smtpstore.php, (7) the l parameter to sla/index.php, or (8) unspecified stored data; and allow remote authenticated users to inject arbitrary web script or HTML via (9) saved search filters. Per: http://www.ventuneac.net/security-advisories/MVSA-10-007 Affected Versions IBM Proventia Network Mail Security System - virtual appliance (firmware 1.6) IBM Proventia Network Mail Security System - virtual appliance (firmware 2.5) http://www.ventuneac.net/security-advisories/MVSA-10-007 20100912 MVSA-10-007 / CVE-2010-0152 - IBM Proventia Mail Security System - Multiple persistent and reflected XSS vulnerabilities Multiple cross-site request forgery (CSRF) vulnerabilities in the Local Management Interface (LMI) on the IBM Proventia Network Mail Security System (PNMSS) appliance with firmware before 2.5.0.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change settings or (2) conduct denial of service attacks. Per: Affected Versions IBM Proventia Network Mail Security System - virtual appliance (firmware 1.6) IBM Proventia Network Mail Security System - virtual appliance (firmware 2.5) http://www.ventuneac.net/security-advisories/MVSA-10-006 20100912 MVSA-10-006 / CVE-2010-0153 - IBM Proventia Network Mail Security System - Cross-Site Request Forgery vulnerabilities Directory traversal vulnerability in sla/index.php in the Local Management Interface (LMI) on the IBM Proventia Network Mail Security System (PNMSS) appliance with firmware before 2.5 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the l parameter, related to an "Insecure Direct Object Reference vulnerability." Per: http://www.ventuneac.net/security-advisories/MVSA-10-008 Affected Versions IBM Proventia Network Mail Security System - virtual appliance (firmware 1.6) http://www.ventuneac.net/security-advisories/MVSA-10-008 20100912 MVSA-10-008 / CVE-2010-0154 - IBM Proventia Mail Security System - Insecure Direct Object Reference vulnerability CRLF injection vulnerability in load.php in the Local Management Interface (LMI) on the IBM Proventia Network Mail Security System (PNMSS) appliance with firmware before 2.5 allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the javaVersion parameter. Per: http://www.ventuneac.net/security-advisories/MVSA-10-009 Affected Versions IBM Proventia Network Mail Security System - virtual appliance (firmware 1.6) http://www.ventuneac.net/security-advisories/MVSA-10-009 20100912 MVSA-10-009 / CVE-2010-0155 - IBM Proventia Network Mail Security System - CRLF Injection vulnerability Puppet 0.24.x before 0.24.9 and 0.25.x before 0.25.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/daemonout, (2) /tmp/puppetdoc.txt, (3) /tmp/puppetdoc.tex, or (4) /tmp/puppetdoc.aux temporary file. https://bugzilla.redhat.com/show_bug.cgi?id=502881 38766 [puppet-announce] 20100105 ANNOUNCE: Puppet 0.25.2 "Zoe" now available! SUSE-SR:2010:013 FEDORA-2010-1372 FEDORA-2010-1079 [puppet-announce] 20100108 ANNOUNCE: Puppet 0.24.9 is available Directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter in a studieslist action to index.php. 37583 37896 http://packetstormsecurity.org/1001-exploits/joomlabiblestudy-lfi.txt ** DISPUTED ** SQL injection vulnerability in the JoomlaBamboo (JB) Simpla Admin template for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an article action to the com_content component, reachable through index.php. NOTE: the vendor disputes this report, saying: "JoomlaBamboo has investigated this report, and it is incorrect. There is no SQL injection vulnerability involving the id parameter in an article view, and there never was. JoomlaBamboo customers have no reason to be concerned about this report." ADV-2010-0014 37579 10971 [VIM] 20100203 Re: disputed: CVE-2010-0158 JoomlaBamboo (JB) Simpla Admin SQL injection [VIM] 20100203 disputed: CVE-2010-0158 JoomlaBamboo (JB) Simpla Admin SQL injection http://packetstormsecurity.org/1001-exploits/joomlabamboo-sql.txt The browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the nsBlockFrame::StealFrame function in layout/generic/nsBlockFrame.cpp, and unspecified other vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=534082 https://bugzilla.mozilla.org/show_bug.cgi?id=530880 https://bugzilla.mozilla.org/show_bug.cgi?id=528300 https://bugzilla.mozilla.org/show_bug.cgi?id=528134 https://bugzilla.mozilla.org/show_bug.cgi?id=527567 https://bugzilla.mozilla.org/show_bug.cgi?id=501934 https://bugzilla.mozilla.org/show_bug.cgi?id=467005 mozilla-browsereng-code-execution(56359) ADV-2010-0650 ADV-2010-0405 USN-896-1 USN-895-1 RHSA-2010:0154 RHSA-2010:0153 RHSA-2010:0113 RHSA-2010:0112 http://www.mozilla.org/security/announce/2010/mfsa2010-01.html MDVSA-2010:042 DSA-1999 38847 38772 38770 37242 oval:org.mitre.oval:def:9590 oval:org.mitre.oval:def:8485 SUSE-SA:2010:015 FEDORA-2010-3267 FEDORA-2010-3230 FEDORA-2010-1727 FEDORA-2010-1936 FEDORA-2010-1932 The Web Worker functionality in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly handle array data types for posted messages, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. ADV-2010-0405 https://bugzilla.mozilla.org/show_bug.cgi?id=534051 https://bugzilla.mozilla.org/show_bug.cgi?id=533000 https://bugzilla.mozilla.org/show_bug.cgi?id=531222 mozilla-webworkers-code-execution(56360) http://www.zerodayinitiative.com/advisories/ZDI-10-046 USN-896-1 USN-895-1 20100402 ZDI-10-046: Mozilla Firefox Web Worker Array Remote Code Execution Vulnerability RHSA-2010:0112 http://www.mozilla.org/security/announce/2010/mfsa2010-02.html MDVSA-2010:042 DSA-1999 38847 37242 oval:org.mitre.oval:def:8465 oval:org.mitre.oval:def:11166 SUSE-SA:2010:015 FEDORA-2010-1727 FEDORA-2010-1936 FEDORA-2010-1932 The nsAuthSSPI::Unwrap function in extensions/auth/nsAuthSSPI.cpp in Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 on Windows Vista, Windows Server 2008 R2, and Windows 7 allows remote SMTP, IMAP, and POP servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via crafted data in a session that uses SSPI. https://bugzilla.mozilla.org/show_bug.cgi?id=511806 ADV-2010-0648 http://www.mozilla.org/security/announce/2010/mfsa2010-07.html thunderbird-activedirectory-dos(56992) 38831 39001 oval:org.mitre.oval:def:14159 SUSE-SR:2010:013 Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly support the application/octet-stream content type as a protection mechanism against execution of web script in certain circumstances involving SVG and the EMBED element, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via an embedded SVG document. https://bugzilla.mozilla.org/show_bug.cgi?id=455472 mozilla-svg-xss(56363) ADV-2010-0405 USN-896-1 USN-895-1 RHSA-2010:0112 http://www.mozilla.org/security/announce/2010/mfsa2010-05.html MDVSA-2010:042 DSA-1999 38847 37242 oval:org.mitre.oval:def:8631 oval:org.mitre.oval:def:10697 SUSE-SA:2010:015 FEDORA-2010-1727 FEDORA-2010-1936 FEDORA-2010-1932 Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing. https://bugzilla.mozilla.org/show_bug.cgi?id=505221 http://www.mozilla.org/security/announce/2010/mfsa2010-07.html thunderbird-messages-dos(56993) ADV-2010-1556 ADV-2010-0648 USN-915-1 38831 RHSA-2010:0499 39001 38977 oval:org.mitre.oval:def:14259 oval:org.mitre.oval:def:10805 SUSE-SR:2010:013 Use-after-free vulnerability in the imgContainer::InternalAddFrameHelper function in src/imgContainer.cpp in libpr0n in Mozilla Firefox 3.6 before 3.6.2 allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a multipart/x-mixed-replace animation in which the frames have different bits-per-pixel (bpp) values. https://bugzilla.mozilla.org/show_bug.cgi?id=547143 http://www.zerodayinitiative.com/advisories/ZDI-10-047 ADV-2010-0692 38921 38918 20100402 ZDI-10-047: Mozilla Firefox libpr0n imgContainer Bits-Per-Pixel Change Remote Code Execution Vulnerability http://www.mozilla.org/security/announce/2010/mfsa2010-09.html MDVSA-2010:070 oval:org.mitre.oval:def:8703 The TraceRecorder::traverseScopeChain function in js/src/jstracer.cpp in the browser engine in Mozilla Firefox 3.6 before 3.6.2 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors involving certain indirect calls to the JavaScript eval function. https://bugzilla.mozilla.org/show_bug.cgi?id=542849 ADV-2010-0692 38918 http://www.mozilla.org/security/announce/2010/mfsa2010-11.html MDVSA-2010:070 oval:org.mitre.oval:def:8472 The gfxTextRun::SanitizeGlyphRuns function in gfx/thebes/src/gfxFont.cpp in the browser engine in Mozilla Firefox 3.6 before 3.6.2 on Mac OS X, when the Core Text API is used, does not properly perform certain deletions, which allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via an HTML document containing invisible Unicode characters, as demonstrated by the U+FEFF, U+FFF9, U+FFFA, and U+FFFB characters. https://bugzilla.mozilla.org/show_bug.cgi?id=538065 ADV-2010-0692 38943 38918 http://www.mozilla.org/security/announce/2010/mfsa2010-11.html oval:org.mitre.oval:def:14182 The browser engine in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors related to (1) layout/generic/nsBlockFrame.cpp and (2) the _evaluate function in modules/plugin/base/src/nsNPAPIPlugin.cpp. http://www.mozilla.org/security/announce/2010/mfsa2010-11.html https://bugzilla.mozilla.org/show_bug.cgi?id=535641 https://bugzilla.mozilla.org/show_bug.cgi?id=534082 ADV-2010-0692 38944 38918 MDVSA-2010:070 oval:org.mitre.oval:def:9835 oval:org.mitre.oval:def:8610 The nsDocument::MaybePreLoadImage function in content/base/src/nsDocument.cpp in the image-preloading implementation in Mozilla Firefox 3.6 before 3.6.2 does not apply scheme restrictions and policy restrictions to the image's URL, which might allow remote attackers to cause a denial of service (application crash or hang) or hijack the functionality of the browser's add-ons via a crafted SRC attribute of an IMG element, as demonstrated by remote command execution through an ssh: URL in a configuration that supports gnome-vfs with a nonstandard network.gnomevfs.supported-protocols setting. 38918 https://bugzilla.mozilla.org/show_bug.cgi?id=540642 ADV-2010-0692 http://www.mozilla.org/security/announce/2010/mfsa2010-13.html MDVSA-2010:070 oval:org.mitre.oval:def:8711 The CSSLoaderImpl::DoSheetComplete function in layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 changes the case of certain strings in a stylesheet before adding this stylesheet to the XUL cache, which might allow remote attackers to modify the browser's font and other CSS attributes, and potentially disrupt rendering of a web page, by forcing the browser to perform this erroneous stylesheet caching. https://bugzilla.mozilla.org/show_bug.cgi?id=535806 ADV-2010-0692 38918 http://www.mozilla.org/security/announce/2010/mfsa2010-14.html oval:org.mitre.oval:def:8431 oval:org.mitre.oval:def:11391 Mozilla Firefox 3.6 before 3.6.2 does not offer plugins the expected window.location protection mechanism, which might allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors that are specific to each affected plugin. https://bugzilla.mozilla.org/show_bug.cgi?id=541530 ADV-2010-0692 38919 38918 http://www.mozilla.org/security/announce/2010/mfsa2010-10.html MDVSA-2010:070 oval:org.mitre.oval:def:8602 Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allow remote attackers to perform cross-origin keystroke capture, and possibly conduct cross-site scripting (XSS) attacks, by using the addEventListener and setTimeout functions in conjunction with a wrapped object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-3736. 38918 http://www.mozilla.org/security/announce/2010/mfsa2010-12.html https://bugzilla.mozilla.org/show_bug.cgi?id=531364 ADV-2010-0692 oval:org.mitre.oval:def:7743 oval:org.mitre.oval:def:10773 toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances. http://www.mozilla.org/security/announce/2010/mfsa2010-15.html https://bugzilla.mozilla.org/show_bug.cgi?id=537862 ADV-2010-0692 38918 MDVSA-2010:070 oval:org.mitre.oval:def:8281 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=542136 https://bugzilla.mozilla.org/show_bug.cgi?id=499862 https://bugzilla.mozilla.org/show_bug.cgi?id=496011 https://bugzilla.mozilla.org/show_bug.cgi?id=491722 https://bugzilla.mozilla.org/show_bug.cgi?id=488850 firefox-browser-eng-code-execution(57388) ADV-2010-0849 ADV-2010-0748 http://www.mozilla.org/security/announce/2010/mfsa2010-16.html MDVSA-2010:070 USN-921-1 1023781 1023775 39397 39243 39242 39204 39136 oval:org.mitre.oval:def:7467 SUSE-SR:2010:013 FEDORA-2010-5539 FEDORA-2010-5526 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2; Thunderbird before 3.0.4; and SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=546530 https://bugzilla.mozilla.org/show_bug.cgi?id=499844 mozilla-browser-eng-code-exec(57389) ADV-2010-0849 ADV-2010-0790 ADV-2010-0781 ADV-2010-0765 ADV-2010-0764 ADV-2010-0748 RHSA-2010:0333 RHSA-2010:0332 http://www.mozilla.org/security/announce/2010/mfsa2010-16.html MDVSA-2010:070 DSA-2027 USN-921-1 1023781 1023775 39397 39308 39243 39242 39240 39204 39136 39117 38566 oval:org.mitre.oval:def:9502 oval:org.mitre.oval:def:7615 SUSE-SR:2010:013 FEDORA-2010-5561 FEDORA-2010-5539 FEDORA-2010-5526 Use-after-free vulnerability in the nsTreeSelection implementation in Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.9, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors that trigger a call to the handler for the select event for XUL tree items. https://bugzilla.mozilla.org/show_bug.cgi?id=540100 https://bugzilla.mozilla.org/show_bug.cgi?id=375928 firefox-nstreeselection-code-execution(57390) http://www.zerodayinitiative.com/advisories/ZDI-10-050 ADV-2010-0849 ADV-2010-0790 ADV-2010-0781 ADV-2010-0765 ADV-2010-0764 ADV-2010-0748 20100402 ZDI-10-050: Mozilla Firefox nsTreeSelection EventListener Remote Code Execution Vulnerability RHSA-2010:0333 RHSA-2010:0332 http://www.mozilla.org/security/announce/2010/mfsa2010-17.html MDVSA-2010:070 DSA-2027 USN-921-1 1023782 1023780 39397 39308 39243 39242 39240 39204 39136 39117 38566 oval:org.mitre.oval:def:9834 oval:org.mitre.oval:def:7546 SUSE-SR:2010:013 FEDORA-2010-5561 FEDORA-2010-5539 FEDORA-2010-5526 Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2; Thunderbird before 3.0.4; and SeaMonkey before 2.0.4 do not properly manage reference counts for option elements in a XUL tree optgroup, which might allow remote attackers to execute arbitrary code via unspecified vectors that trigger access to deleted elements, related to a "dangling pointer vulnerability." https://bugzilla.mozilla.org/show_bug.cgi?id=538308 firefox-nstreecontentview-code-exec(57392) ADV-2010-0849 ADV-2010-0790 ADV-2010-0781 ADV-2010-0765 ADV-2010-0764 ADV-2010-0748 RHSA-2010:0333 RHSA-2010:0332 http://www.mozilla.org/security/announce/2010/mfsa2010-18.html MDVSA-2010:070 DSA-2027 USN-921-1 1023782 1023776 39397 39308 39243 39242 39240 39204 39136 39117 38566 oval:org.mitre.oval:def:7222 oval:org.mitre.oval:def:11052 SUSE-SR:2010:013 FEDORA-2010-5561 FEDORA-2010-5539 FEDORA-2010-5526 Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, frees the contents of the window.navigator.plugins array while a reference to an array element is still active, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors, related to a "dangling pointer vulnerability." https://bugzilla.mozilla.org/show_bug.cgi?id=538310 firefox-nspluginarray-code-execution(57393) http://www.zerodayinitiative.com/advisories/ZDI-10-049 ADV-2010-0849 ADV-2010-0781 ADV-2010-0765 ADV-2010-0764 ADV-2010-0748 20100402 ZDI-10-049: Mozilla Firefox PluginArray nsMimeType Dangling Pointer Remote Code Execution Vulnerability RHSA-2010:0333 RHSA-2010:0332 http://www.mozilla.org/security/announce/2010/mfsa2010-19.html MDVSA-2010:070 DSA-2027 USN-921-1 1023776 39397 39308 39243 39240 39136 39117 38566 oval:org.mitre.oval:def:7622 oval:org.mitre.oval:def:10833 SUSE-SR:2010:013 Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, does not prevent applets from interpreting mouse clicks as drag-and-drop actions, which allows remote attackers to execute arbitrary JavaScript with Chrome privileges by loading a chrome: URL and then loading a javascript: URL. https://bugzilla.mozilla.org/show_bug.cgi?id=546909 firefox-draganddrop-code-execution(57391) ADV-2010-0849 ADV-2010-0781 ADV-2010-0764 ADV-2010-0748 RHSA-2010:0332 http://www.mozilla.org/security/announce/2010/mfsa2010-20.html MDVSA-2010:070 DSA-2027 USN-921-1 1023776 39397 39308 39243 39240 39136 oval:org.mitre.oval:def:6975 oval:org.mitre.oval:def:10460 SUSE-SR:2010:013 Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, when the XMLHttpRequestSpy module in the Firebug add-on is used, does not properly handle interaction between the XMLHttpRequestSpy object and chrome privileged objects, which allows remote attackers to execute arbitrary JavaScript via a crafted HTTP response. https://bugzilla.mozilla.org/show_bug.cgi?id=504021 firefox-firebug-code-execution(57394) ADV-2011-0030 ADV-2010-0849 ADV-2010-0781 ADV-2010-0764 ADV-2010-0748 39124 RHSA-2010:0332 http://www.mozilla.org/security/announce/2010/mfsa2010-21.html MDVSA-2010:251 MDVSA-2010:070 DSA-2027 USN-921-1 http://support.avaya.com/css/P8/documents/100124650 1023783 42818 39397 39308 39243 oval:org.mitre.oval:def:9446 oval:org.mitre.oval:def:6971 SUSE-SA:2011:003 SUSE-SR:2010:013 Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6 and 3.7, when use_suexec is enabled, uses world-readable permissions for the localconfig files, which allows local users to read sensitive configuration fields, as demonstrated by the database password field and the site_wide_secret field. https://bugzilla.mozilla.org/show_bug.cgi?id=561797 ADV-2010-1595 41144 http://www.bugzilla.org/security/3.2.6/ 40300 Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, executes a mail application in situations where an IMG element has a SRC attribute that is a redirect to a mailto: URL, which allows remote attackers to cause a denial of service (excessive application launches) via an HTML document with many images. https://bugzilla.mozilla.org/show_bug.cgi?id=452093 firefox-mailto-weak-security(57395) ADV-2010-0849 ADV-2010-0748 20100518 DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers http://www.mozilla.org/security/announce/2010/mfsa2010-23.html MDVSA-2010:070 http://websecurity.com.ua/4206/ USN-921-1 39397 39136 oval:org.mitre.oval:def:6776 SUSE-SR:2010:013 The XMLDocument::load function in Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 does not perform the expected nsIContentPolicy checks during loading of content by XML documents, which allows attackers to bypass intended access restrictions via crafted content. https://bugzilla.mozilla.org/show_bug.cgi?id=490790 firefox-xmldocumentload-weak-security(57396) ADV-2010-1557 ADV-2010-0849 ADV-2010-0748 39479 RHSA-2010:0501 RHSA-2010:0500 http://www.mozilla.org/security/announce/2010/mfsa2010-24.html MDVSA-2010:070 USN-921-1 http://support.avaya.com/css/P8/documents/100091069 39397 oval:org.mitre.oval:def:9375 oval:org.mitre.oval:def:7618 SUSE-SR:2010:013 Use-after-free vulnerability in the nsCycleCollector::MarkRoots function in Mozilla Firefox 3.5.x before 3.5.10 and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a crafted HTML document, related to an improper frame construction process for menus. https://bugzilla.mozilla.org/show_bug.cgi?id=557174 ADV-2010-1773 ADV-2010-1592 ADV-2010-1551 1024138 41050 http://www.mozilla.org/security/announce/2010/mfsa2010-27.html 40481 40326 oval:org.mitre.oval:def:12586 SUSE-SA:2010:030 FEDORA-2010-10361 FEDORA-2010-10344 The (1) domainutility and (2) domainutilitycmd components in TIBCO Domain Utility in TIBCO Runtime Agent (TRA) before 5.6.2, as used in TIBCO ActiveMatrix BusinessWorks and other products, set weak permissions on domain properties files, which allows local users to obtain domain administrator credentials, and gain privileges on all domain systems, via unspecified vectors. ADV-2010-0128 http://www.tibco.com/multimedia/security_advisory_runtime_agent_20100113_tcm8-10392.txt http://www.tibco.com/mk/advisory.jsp 37805 38191 The default configuration of Adobe ColdFusion 9.0 does not restrict access to collections that have been created by the Solr Service, which allows remote attackers to obtain collection metadata, search information, and index data via a request to an unspecified URL. coldfusion-solr-information-disclosure(55997) ADV-2010-0259 1023519 38007 http://www.adobe.com/support/security/bulletins/apsb10-04.html 38387 62037 http://kb2.adobe.com/cps/807/cpsid_80719.html Cross-domain vulnerability in Adobe Flash Player before 10.0.45.2, Adobe AIR before 1.5.3.9130, and Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows remote attackers to bypass intended sandbox restrictions and make cross-domain requests via unspecified vectors. Per: http://www.adobe.com/support/security/bulletins/apsb10-07.html A critical vulnerability has been identified in Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh. As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. Affected software versions Adobe Reader 9.3 and earlier versions for Windows, Macintosh, and UNIX Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh http://www.adobe.com/support/security/bulletins/apsb10-07.html http://www.adobe.com/support/security/bulletins/apsb10-06.html RHSA-2010:0103 RHSA-2010:0102 https://bugzilla.redhat.com/show_bug.cgi?id=563819 ADV-2011-0192 ADV-2010-1481 38198 RHSA-2010:0114 62300 http://support.apple.com/kb/HT4188 1023585 GLSA-201101-09 43026 40220 38915 38639 38547 oval:org.mitre.oval:def:8518 SUSE-SR:2010:006 APPLE-SA-2010-06-15-1 Adobe Flash Player before 10.0.45.2 and Adobe AIR before 1.5.3.9130 allow remote attackers to cause a denial of service (application crash) via a modified SWF file. RHSA-2010:0102 https://bugzilla.redhat.com/show_bug.cgi?id=564287 ADV-2011-0192 ADV-2010-1481 38200 11182 http://www.adobe.com/support/security/bulletins/apsb10-06.html http://support.apple.com/kb/HT4188 1023585 GLSA-201101-09 43026 40220 38915 38547 http://sebug.net/exploit/18967/ oval:org.mitre.oval:def:8393 SUSE-SR:2010:006 APPLE-SA-2010-06-15-1 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. adobe-unspec-priv-escalation(56297) ADV-2010-0399 38195 RHSA-2010:0114 http://www.adobe.com/support/security/bulletins/apsb10-07.html 1023601 38915 38639 oval:org.mitre.oval:def:8697 SUSE-SR:2010:006 A certain ActiveX control in NOS Microsystems getPlus Download Manager (aka DLM or Downloader) 1.5.2.35, as used in Adobe Download Manager, improperly validates requests involving web sites that are not in subdomains, which allows remote attackers to force the download and installation of arbitrary programs via a crafted name for a download site. Per: http://blogs.adobe.com/psirt/2010/02/adobe_download_manager_issue.html "Adobe is aware of the recently posted report of a remote code execution vulnerability in the Adobe Download Manager." http://www.adobe.com/support/security/bulletins/apsb10-08.html adobe-dlmanager-unspecified-file-download(56370) ADV-2010-0459 38313 62547 http://www.akitasecurity.nl/advisory.php?id=AK20090401 1023651 38729 oval:org.mitre.oval:def:7182 20100223 Multiple Vendor NOS Microsystems getPlus Downloader Input Validation Vulnerability http://blogs.zdnet.com/security/?p=5505 http://blogs.adobe.com/psirt/2010/02/adobe_download_manager_issue.html http://aviv.raffon.net/2010/02/18/SkeletonsInAdobesSecurityCloset.aspx Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:6986 Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allow attackers to execute arbitrary code via unspecified vectors, related to a "prefix protocol handler vulnerability." TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:6729 Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2010-0193 and CVE-2010-0196. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:7046 Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2010-0192 and CVE-2010-0196. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html adobe-acrobat-unspec-code-exec(57701) 39329 oval:org.mitre.oval:def:7352 Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allow attackers to cause a denial of service (memory corruption) or execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0197, CVE-2010-0201, and CVE-2010-0204. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:6823 Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, do not properly handle fonts, which allows attackers to execute arbitrary code via unspecified vectors. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:7420 Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2010-0192 and CVE-2010-0193. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:7064 Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allow attackers to cause a denial of service (memory corruption) or execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0194, CVE-2010-0201, and CVE-2010-0204. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:7298 Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0199, CVE-2010-0202, and CVE-2010-0203. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:7106 Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0198, CVE-2010-0202, and CVE-2010-0203. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:6900 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-0200. Reason: This candidate is a duplicate of CVE-2010-0200. Notes: All CVE users should reference CVE-2010-0200 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allow attackers to cause a denial of service (memory corruption) or execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0194, CVE-2010-0197, and CVE-2010-0204. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:7056 Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0198, CVE-2010-0199, and CVE-2010-0203. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:6733 Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0198, CVE-2010-0199, and CVE-2010-0202. TA10-103C http://www.adobe.com/support/security/bulletins/apsb10-09.html ADV-2010-0873 39329 oval:org.mitre.oval:def:7494 Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allow attackers to cause a denial of service (memory corruption) or execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0194, CVE-2010-0197, and CVE-2010-0201. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html acrobat-unspec-code-execution(57711) 39522 39329 oval:org.mitre.oval:def:7387 The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack. VU#576029 38478 libpng-pngdecompresschunk-dos(56661) ADV-2010-2491 ADV-2010-1107 ADV-2010-0847 ADV-2010-0686 ADV-2010-0682 ADV-2010-0667 ADV-2010-0637 ADV-2010-0626 ADV-2010-0605 ADV-2010-0517 http://www.vmware.com/security/advisories/VMSA-2010-0014.html 1023674 MDVSA-2010:064 MDVSA-2010:063 DSA-2032 USN-913-1 http://support.apple.com/kb/HT4435 41574 39251 38774 62670 [security-announce] 20100923 VMSA-2010-0014 VMware Workstation, Player, and ACE address several security issues SUSE-SR:2010:013 SUSE-SR:2010:012 SUSE-SR:2010:011 FEDORA-2010-4683 FEDORA-2010-3414 FEDORA-2010-3375 FEDORA-2010-2988 APPLE-SA-2010-11-10-1 http://libpng.sourceforge.net/decompression_bombs.html http://libpng.sourceforge.net/ADVISORY-1.4.1.html Adobe Flash Player before 9.0.280 and 10.x before 10.1.82.76, and Adobe AIR before 2.0.3, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-2213, CVE-2010-2214, and CVE-2010-2216. ADV-2011-0192 1024621 http://www.adobe.com/support/security/bulletins/apsb10-16.html http://support.apple.com/kb/HT4435 GLSA-201101-09 43026 oval:org.mitre.oval:def:11461 HPSBMA02592 HPSBMA02592 APPLE-SA-2010-11-10-1 The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does not check the return value of a call to the smr_normalize function, which allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a modrdn call with an RDN string containing invalid UTF-8 sequences, which triggers a free of an invalid, uninitialized pointer in the slap_mods_free function, as demonstrated using the Codenomicon LDAPv3 test suite. 41770 ADV-2011-0025 ADV-2010-1858 ADV-2010-1849 http://www.vmware.com/security/advisories/VMSA-2011-0001.html 1024221 20110105 VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap RHSA-2010:0543 RHSA-2010:0542 http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6570 http://support.apple.com/kb/HT4435 42787 40687 40677 40639 SUSE-SR:2010:014 APPLE-SA-2010-11-10-1 OpenLDAP 2.4.22 allows remote attackers to cause a denial of service (crash) via a modrdn call with a zero-length RDN destination string, which is not properly handled by the smr_normalize function and triggers a NULL pointer dereference in the IA5StringNormalize function in schema_init.c, as demonstrated using the Codenomicon LDAPv3 test suite. ADV-2010-1849 41770 ADV-2011-0025 ADV-2010-1858 http://www.vmware.com/security/advisories/VMSA-2011-0001.html 1024221 20110105 VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap RHSA-2010:0542 http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6570 http://support.apple.com/kb/HT4435 42787 40687 40639 SUSE-SR:2010:014 APPLE-SA-2010-11-10-1 BIND 9.7.1 and 9.7.1-P1, when a recursive validating server has a trust anchor that is configured statically or via DNSSEC Lookaside Validation (DLV), allows remote attackers to cause a denial of service (infinite loop) via a query for an RRSIG record whose answer is not in the cache, which causes BIND to repeatedly send RRSIG queries to the authoritative servers. VU#211905 ADV-2010-1884 1024217 41730 http://www.isc.org/software/bind/advisories/cve-2010-0213 40709 40652 SUSE-SR:2010:020 FEDORA-2010-11344 The administrative interface on the PolyVision RoomWizard with firmware 3.2.3 places the Sync Connector Active Directory (AD) credentials in a web form that is accessed over HTTP on port 80, which allows remote attackers to obtain sensitive information by reading the HTML source code corresponding to the /admin/sign/DeviceSynch URI. VU#870601 roomwizard-password-security-bypass(64543) ADV-2011-0059 45699 20110106 RoomWizard Default Password and Sync Connector Credential Leak [CVE-2010-0214] http://packetstormsecurity.org/files/view/97291/roomwizard-disclose.txt ActiveCollab before 2.3.2 allows remote authenticated users to bypass intended access restrictions, and (1) delete an attachment or (2) subscribe to an object, via a crafted URL. VU#236703 http://www.activecollab.com/docs/manuals/admin/release-notes/activecollab-2-3-2 authenticate_ad_setup_finished.cfm in MediaCAST 8 and earlier allows remote attackers to discover usernames and cleartext passwords by reading the error messages returned for requests that use the UserID parameter. mediacast-authenticateadsetup-info-disc(67082) 47572 http://www.packetninjas.net/storage/advisories/MediaCast-PWDump-FINAL.txt 72079 8245 44182 Zeacom Chat Server before 5.1 uses too short a random string for the JSESSIONID value, which makes it easier for remote attackers to hijack sessions or cause a denial of service (Chat Server crash or Tomcat daemon crash) via a brute-force attack. chat-server-jsessionid-session-hijacking(67540) 47910 20110517 CVE-2010-0217 - Zeacom Chat Server JSESSIONID weak SessionID Vulnerability http://www.packetninjas.net/storage/advisories/Zeacom-CVE-2010-0217.txt 8255 ISC BIND 9.7.2 through 9.7.2-P1 uses an incorrect ACL to restrict the ability of Recursion Desired (RD) queries to access the cache, which allows remote attackers to obtain potentially sensitive information via a DNS query. VU#784855 http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html [bind-announce] 20100928 Security Advisory Regarding Unexpected ACL Behavior in BIND 9.7.2 Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service. VU#989719 https://service.sap.com/sap/support/notes/1432881 https://kb.juniper.net/KB27373 businessobjects-dswsbobje-security-bypass(62523) ADV-2010-2673 1024929 20101014 R7-0037: SAP BusinessObjects Axis2 Default Admin Password http://www.rapid7.com/security-center/advisories/R7-0037.jsp 70233 15869 http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf 42763 41799 http://retrogod.altervista.org/9sg_ca_d2d.html The nsObserverList::FillObserverArray function in xpcom/ds/nsObserverList.cpp in Mozilla Firefox before 3.5.7 allows remote attackers to cause a denial of service (application crash) via a crafted web site that triggers memory consumption and an accompanying Low Memory alert dialog, and also triggers attempted removal of an observer from an empty observers array. http://www.mozilla.com/en-US/firefox/3.5.7/releasenotes/ http://isc.sans.org/diary.html?storyid=7897 https://bugzilla.mozilla.org/show_bug.cgi?id=507114 firefox-nsobserverlist-dos(55550) MDVSA-2010:000 oval:org.mitre.oval:def:8292 http://hg.mozilla.org/mozilla-central/rev/51396f6c9f20 Kingston DataTraveler BlackBox (DTBB), DataTraveler Secure Privacy Edition (DTSP), and DataTraveler Elite Privacy Edition (DTEP) USB flash drives validate passwords with a program running on the host computer rather than the device hardware, which allows physically proximate attackers to access the cleartext drive contents via a modified program. https://www.ironkey.com/usb-flash-drive-flaw-exposed kingston-access-control-sec-bypass(55477) ADV-2010-0080 http://www.syss.de/index.php?id=108&tx_ttnews[tt_news]=528&cHash=8d16fa63d9 http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_Kingston_USB-Stick.pdf http://www.kingston.com/driveupdate/ http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html 1023410 http://news.zdnet.co.uk/security/0,1000000189,39963327,00.htm http://it.slashdot.org/story/10/01/05/1734242/ http://blogs.zdnet.com/hardware/?p=6655 Kingston DataTraveler BlackBox (DTBB), DataTraveler Secure Privacy Edition (DTSP), and DataTraveler Elite Privacy Edition (DTEP) USB flash drives use a fixed 256-bit key for obtaining access to the cleartext drive contents, which makes it easier for physically proximate attackers to read or modify data by determining and providing this key. https://www.ironkey.com/usb-flash-drive-flaw-exposed ADV-2010-0080 http://www.syss.de/index.php?id=108&tx_ttnews[tt_news]=528&cHash=8d16fa63d9 http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_Kingston_USB-Stick.pdf http://www.kingston.com/driveupdate/ http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html http://news.zdnet.co.uk/security/0,1000000189,39963327,00.htm http://it.slashdot.org/story/10/01/05/1734242/ http://blogs.zdnet.com/hardware/?p=6655 Kingston DataTraveler BlackBox (DTBB), DataTraveler Secure Privacy Edition (DTSP), and DataTraveler Elite Privacy Edition (DTEP) USB flash drives do not prevent password replay attacks, which allows physically proximate attackers to access the cleartext drive contents by providing a key that was captured in a USB data stream at an earlier time. https://www.ironkey.com/usb-flash-drive-flaw-exposed ADV-2010-0080 http://www.syss.de/index.php?id=108&tx_ttnews[tt_news]=528&cHash=8d16fa63d9 http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_Kingston_USB-Stick.pdf http://www.kingston.com/driveupdate/ SanDisk Cruzer Enterprise USB flash drives validate passwords with a program running on the host computer rather than the device hardware, which allows physically proximate attackers to access the cleartext drive contents via a modified program. https://www.ironkey.com/usb-flash-drive-flaw-exposed sandisk-access-control-sec-bypass(55475) ADV-2010-0078 http://www.syss.de/index.php?id=108&tx_ttnews[tt_news]=528&cHash=8d16fa63d9 http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_SanDisk_USB-Stick.pdf 37677 http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009 http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html 1023408 http://it.slashdot.org/story/10/01/05/1734242/ http://blogs.zdnet.com/hardware/?p=6655 SanDisk Cruzer Enterprise USB flash drives use a fixed 256-bit key for obtaining access to the cleartext drive contents, which makes it easier for physically proximate attackers to read or modify data by determining and providing this key. https://www.ironkey.com/usb-flash-drive-flaw-exposed ADV-2010-0078 http://www.syss.de/index.php?id=108&tx_ttnews[tt_news]=528&cHash=8d16fa63d9 http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_SanDisk_USB-Stick.pdf 37677 http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009 http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html http://it.slashdot.org/story/10/01/05/1734242/ http://blogs.zdnet.com/hardware/?p=6655 SanDisk Cruzer Enterprise USB flash drives do not prevent password replay attacks, which allows physically proximate attackers to access the cleartext drive contents by providing a key that was captured in a USB data stream at an earlier time. https://www.ironkey.com/usb-flash-drive-flaw-exposed ADV-2010-0078 http://www.syss.de/index.php?id=108&tx_ttnews[tt_news]=528&cHash=8d16fa63d9 http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_SanDisk_USB-Stick.pdf 37677 http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009 Verbatim Corporate Secure and Corporate Secure FIPS Edition USB flash drives validate passwords with a program running on the host computer rather than the device hardware, which allows physically proximate attackers to access the cleartext drive contents via a modified program. https://www.ironkey.com/usb-flash-drive-flaw-exposed http://www.verbatim.com/security/security-update.cfm http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html 1023409 http://it.slashdot.org/story/10/01/05/1734242/ http://blogs.zdnet.com/hardware/?p=6655 Verbatim Corporate Secure and Corporate Secure FIPS Edition USB flash drives use a fixed 256-bit key for obtaining access to the cleartext drive contents, which makes it easier for physically proximate attackers to read or modify data by determining and providing this key. https://www.ironkey.com/usb-flash-drive-flaw-exposed http://www.verbatim.com/security/security-update.cfm http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html http://it.slashdot.org/story/10/01/05/1734242/ http://blogs.zdnet.com/hardware/?p=6655 Verbatim Corporate Secure and Corporate Secure FIPS Edition USB flash drives do not prevent password replay attacks, which allows physically proximate attackers to access the cleartext drive contents by providing a key that was captured in a USB data stream at an earlier time. https://www.ironkey.com/usb-flash-drive-flaw-exposed http://www.verbatim.com/security/security-update.cfm SUSE Linux Enterprise 10 SP3 (SLE10-SP3) and openSUSE 11.2 configures postfix to listen on all network interfaces, which might allow remote attackers to bypass intended access restrictions. SUSE-SA:2010:011 SUSE-SR:2010:001 The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not use a sufficient source of entropy, which allows remote attackers to obtain access to files and other SMB resources via a large number of authentication requests, related to server-generated challenges, certain "duplicate values," and spoofing of an authentication token, aka "SMB NTLM Authentication Lack of Entropy Vulnerability." TA10-040A MS10-012 oval:org.mitre.oval:def:7751 The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (nt!KiTrap0D), aka "Windows Kernel Exception Handler Vulnerability." TA10-040A MS10-015 http://www.microsoft.com/technet/security/advisory/979682.mspx ms-win-gptrap-privilege-escalation(55742) ADV-2010-0179 37864 20100119 Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack 1023471 38265 20100119 Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack oval:org.mitre.oval:def:8344 http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip [dailydave] 20100119 We hold these axioms to be self evident http://blogs.technet.com/msrc/archive/2010/01/20/security-advisory-979682-released.aspx Double free vulnerability in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows local users to gain privileges via a crafted application, aka "Windows Kernel Double Free Vulnerability." Per: http://cwe.mitre.org/data/slices/2000.html#d "CWE-415 Double Free" vulnerability TA10-040A MS10-015 oval:org.mitre.oval:def:8392 The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 does not properly validate a registry-key argument to an unspecified system call, which allows local users to cause a denial of service (reboot) via a crafted application, aka "Windows Kernel Null Pointer Vulnerability." TA10-103A MS10-021 1023850 39374 39373 oval:org.mitre.oval:def:6814 The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Vista Gold does not perform the expected validation before creating a symbolic link, which allows local users to cause a denial of service (reboot) via a crafted application, aka "Windows Kernel Symbolic Link Value Vulnerability." TA10-103A MS10-021 1023850 39373 oval:org.mitre.oval:def:7509 The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Vista Gold does not properly allocate memory for the destination key associated with a symbolic-link registry key, which allows local users to gain privileges via a crafted application, aka "Windows Kernel Memory Allocation Vulnerability." TA10-103A MS10-021 1023850 39373 oval:org.mitre.oval:def:7113 The kernel in Microsoft Windows 2000 SP4 and XP SP2 and SP3 allows local users to gain privileges by creating a symbolic link from an untrusted registry hive to a trusted registry hive, aka "Windows Kernel Symbolic Link Creation Vulnerability." TA10-103A MS10-021 1023850 39373 oval:org.mitre.oval:def:7130 Unspecified vulnerability in registry-key validation in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Vista Gold allows local users to cause a denial of service (reboot) via a crafted application, aka "Windows Kernel Registry Key Vulnerability." TA10-103A MS10-021 1023850 39373 oval:org.mitre.oval:def:6793 The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2, when IPv6 is enabled, does not properly perform bounds checking on ICMPv6 Router Advertisement packets, which allows remote attackers to execute arbitrary code via crafted packets, aka "ICMPv6 Router Advertisement Vulnerability." TA10-040A MS10-009 oval:org.mitre.oval:def:8478 The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2, when a custom network driver is used, does not properly handle local fragmentation of Encapsulating Security Payload (ESP) over UDP packets, which allows remote attackers to execute arbitrary code via crafted packets, aka "Header MDL Fragmentation Vulnerability." TA10-040A MS10-009 oval:org.mitre.oval:def:8400 The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2, when IPv6 is enabled, does not properly perform bounds checking on ICMPv6 Route Information packets, which allows remote attackers to execute arbitrary code via crafted packets, aka "ICMPv6 Route Information Vulnerability." TA10-040A MS10-009 oval:org.mitre.oval:def:8516 The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 allows remote attackers to cause a denial of service (system hang) via crafted packets with malformed TCP selective acknowledgement (SACK) values, aka "TCP/IP Selective Acknowledgement Vulnerability." TA10-040A MS10-009 oval:org.mitre.oval:def:8449 Buffer overflow in MSO.DLL in Microsoft Office XP SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted Office document, aka "MSO.DLL Buffer Overflow." TA10-040A MS10-003 oval:org.mitre.oval:def:8399 Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-2530 and CVE-2009-2531. ie-deleted-obj-code-exec(55774) MS10-002 oval:org.mitre.oval:def:8186 Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-3671, CVE-2009-3674, and CVE-2010-0246. MS10-002 ie-uninitialized-memory-code-exec(55775) oval:org.mitre.oval:def:8491 Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-3671, CVE-2009-3674, and CVE-2010-0245. ie-deleted-object-code-exec(55776) MS10-002 oval:org.mitre.oval:def:8378 Microsoft Internet Explorer 5.01 SP4, 6, and 6 SP1 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability." ie-uninitialized-obj-code-exec(55777) MS10-002 oval:org.mitre.oval:def:8506 Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability." MS10-002 ie-object-memory-code-exec(55778) oval:org.mitre.oval:def:8267 Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Operation Aurora, aka "HTML Object Memory Corruption Vulnerability." Per: http://cwe.mitre.org/data/definitions/416.htmlhttp://cwe.mitre.org/data/definitions/416.html CWE-416: Use After Free TA10-055A VU#492515 ie-freed-object-code-execution(55642) ADV-2010-0135 37815 MS10-002 http://www.microsoft.com/technet/security/advisory/979352.mspx 11167 979352 1023462 oval:org.mitre.oval:def:6835 61697 http://news.cnet.com/8301-27080_3-10435232-245.html http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx Heap-based buffer overflow in DirectShow in Microsoft DirectX, as used in the AVI Filter on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2, and in Quartz on Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, allows remote attackers to execute arbitrary code via an AVI file with a crafted length field in an unspecified video stream, which is not properly handled by the RLE video decompressor, aka "DirectShow Heap Overflow Vulnerability." TA10-040A http://www.zerodayinitiative.com/advisories/ZDI-10-015/ 38112 20100209 ZDI-10-015: Microsoft Windows RLE Video Decompressor Remote Code Execution Vulnerability MS10-013 http://support.avaya.com/css/P8/documents/100074167 38511 oval:org.mitre.oval:def:8064 The Microsoft Data Analyzer ActiveX control (aka the Office Excel ActiveX control for Data Analysis) in max3activex.dll in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote attackers to execute arbitrary code via a crafted web page that corrupts the "system state," aka "Microsoft Data Analyzer ActiveX Control Vulnerability." TA10-159B TA10-040A MS10-008 MS10-034 40059 38503 oval:org.mitre.oval:def:8424 Microsoft Office Visio 2002 SP2, 2003 SP3, and 2007 SP1 and SP2 does not properly validate attributes in Visio files, which allows remote attackers to execute arbitrary code via a crafted file, aka "Visio Attribute Validation Memory Corruption Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-028.mspx 'Users of Microsoft Office Visio 2002 and later versions of Visio will be prompted with Open, Save, or Cancel before opening a document. This is a mitigating factor because the vulnerability requires more than a single user action to complete the exploit.' TA10-103A MS10-028 oval:org.mitre.oval:def:6819 Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prevent rendering of non-HTML local files as HTML documents, which allows remote attackers to bypass intended access restrictions and read arbitrary files via vectors involving JavaScript exploit code that constructs a reference to a file://127.0.0.1 URL, aka the dynamic OBJECT tag vulnerability, as demonstrated by obtaining the data from an index.dat file, a variant of CVE-2009-1140 and related to CVE-2008-1448. TA10-159B 38056 38055 20100203 CORE-2009-0625: Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities MS10-035 http://www.microsoft.com/technet/security/advisory/980088.mspx http://www.coresecurity.com/content/internet-explorer-dynamic-object-tag http://support.avaya.com/css/P8/documents/100089747 oval:org.mitre.oval:def:7145 62156 http://isc.sans.org/diary.html?n&storyid=8152 http://blogs.technet.com/msrc/archive/2010/02/03/security-advisory-980088-released.aspx Microsoft Office Visio 2002 SP2, 2003 SP3, and 2007 SP1 and SP2 does not properly calculate unspecified indexes associated with Visio files, which allows remote attackers to execute arbitrary code via a crafted file, aka "Visio Index Calculation Memory Corruption Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-028.mspx 'Users of Microsoft Office Visio 2002 and later versions of Visio will be prompted with Open, Save, or Cancel before opening a document. This is a mitigating factor because the vulnerability requires more than a single user action to complete the exploit.' TA10-103A MS10-028 oval:org.mitre.oval:def:6732 Microsoft Office Excel 2002 SP3 does not properly parse the Excel file format, which allows remote attackers to execute arbitrary code via a crafted spreadsheet, aka "Microsoft Office Excel Record Memory Corruption Vulnerability." TA10-068A MS10-017 1023698 oval:org.mitre.oval:def:8617 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 do not properly parse the Excel file format, which allows remote attackers to execute arbitrary code via a crafted spreadsheet that causes memory to be interpreted as a different object type than intended, aka "Microsoft Office Excel Sheet Object Type Confusion Vulnerability." TA10-068A MS10-017 1023698 oval:org.mitre.oval:def:8545 20100309 Microsoft Excel Sheet Object Type Confusion Vulnerability Heap-based buffer overflow in Microsoft Office Excel 2007 SP1 and SP2; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted spreadsheet in which "a MDXTUPLE record is broken up into several records," aka "Microsoft Office Excel MDXTUPLE Record Heap Overflow Vulnerability." TA10-068A MS10-017 1023698 oval:org.mitre.oval:def:7862 20100309 Microsoft Excel MDXTUPLE Record Heap Overflow Vulnerability Heap-based buffer overflow in Microsoft Office Excel 2007 SP1 and SP2 and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted spreadsheet in which "a MDXSET record is broken up into several records," aka "Microsoft Office Excel MDXSET Record Heap Overflow Vulnerability." TA10-068A MS10-017 1023698 oval:org.mitre.oval:def:8479 20100309 Microsoft Excel MDXSET Record Heap Overflow Vulnerability Microsoft Office Excel 2007 SP1 and SP2 and Office 2004 for Mac do not properly parse the Excel file format, which allows remote attackers to execute arbitrary code via a crafted spreadsheet that triggers access of an uninitialized stack variable, aka "Microsoft Office Excel FNGROUPNAME Record Uninitialized Memory Vulnerability." TA10-068A MS10-017 1023698 oval:org.mitre.oval:def:8562 20100309 Microsoft Excel FNGROUPNAME Record Uninitialized Memory Vulnerability Microsoft Office Excel 2007 SP1 and SP2; Office 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer SP1 and SP2; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2; and Office SharePoint Server 2007 SP1 and SP2 do not validate ZIP headers during decompression of Open XML (.XLSX) documents, which allows remote attackers to execute arbitrary code via a crafted document that triggers access to uninitialized memory locations, aka "Microsoft Office Excel XLSX File Parsing Code Execution Vulnerability." TA10-068A MS10-017 http://www.zerodayinitiative.com/advisories/ZDI-10-025/ 1023698 20100309 ZDI-10-025: Microsoft Office Excel XLSX File Parsing Remote Code Execution Vulnerability oval:org.mitre.oval:def:8407 Microsoft Office Excel 2002 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac do not properly parse the Excel file format, which allows remote attackers to execute arbitrary code via a crafted spreadsheet, aka "Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability." TA10-068A MS10-017 1023698 oval:org.mitre.oval:def:7888 Buffer overflow in Microsoft Windows Movie Maker 2.1, 2.6, and 6.0, and Microsoft Producer 2003, allows remote attackers to execute arbitrary code via a crafted project (.MSWMM) file, aka "Movie Maker and Producer Buffer Overflow Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-016.mspx '[1]These versions of Windows Movie Maker are delivered with the indicated operating systems. [2]Windows Movie Maker 2.6 is an optional download that can be installed on the indicated operating systems. Windows 7 systems without Movie Maker 2.6 installed are not affected. TA10-068A MS10-016 oval:org.mitre.oval:def:8595 Microsoft Office Outlook 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 does not properly verify e-mail attachments with a PR_ATTACH_METHOD property value of ATTACH_BY_REFERENCE, which allows user-assisted remote attackers to execute arbitrary code via a crafted message, aka "Microsoft Outlook SMB Attachment Vulnerability." TA10-194A MS10-045 oval:org.mitre.oval:def:11623 Microsoft Internet Explorer 6, 6 SP1, and 7 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx 'Internet Explorer 5.01 Service Pack 4 and Internet Explorer 8 are not affected by this vulnerability.' TA10-089A TA10-068A ADV-2010-0744 39023 MS10-018 1023773 oval:org.mitre.oval:def:8554 Unspecified vulnerability in the Windows Media Player ActiveX control in Windows Media Player (WMP) 9 on Microsoft Windows 2000 SP4 and XP SP2 and SP3 allows remote attackers to execute arbitrary code via crafted media content, aka "Media Player Remote Code Execution Vulnerability." TA10-103A MS10-027 oval:org.mitre.oval:def:7281 The SMB client in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly allocate memory for SMB responses, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted (1) SMBv1 or (2) SMBv2 response, aka "SMB Client Memory Allocation Vulnerability." TA10-103A MS10-020 39372 oval:org.mitre.oval:def:7129 The SMB client in Microsoft Windows Server 2008 R2 and Windows 7 does not properly validate fields in SMB transaction responses, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and reboot) via a crafted (1) SMBv1 or (2) SMBv2 response, aka "SMB Client Transaction Vulnerability." TA10-103A MS10-020 39372 oval:org.mitre.oval:def:7164 hald in Sun OpenSolaris snv_51 through snv_130 does not have the proc_audit privilege during unspecified attempts to write to the auditing log, which makes it easier for physically proximate attackers to avoid detection of changes to the set of connected hardware devices supporting the Hardware Abstraction Layer (HAL) specification. opensolaris-hald-weak-security(55461) ADV-2010-0076 1023416 37656 274830 Heap-based buffer overflow in Sun Java System Web Server 7.0 Update 6 on Linux allows remote attackers to discover process memory locations via crafted data to TCP port 80, as demonstrated by the vd_sjws2 module in VulnDisco. NOTE: as of 20100106, this disclosure has no actionable information. However, because the VulnDisco author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. jsws-data-information-disclosure(55527) http://www.intevydis.com/blog/?p=102 http://intevydis.com/sjws_demo.html Unspecified vulnerability in Sun Java System Web Server 7.0 Update 6 on Linux allows remote attackers to execute arbitrary code by sending a process memory address and crafted data to TCP port 80, as demonstrated by the vd_sjws2 module in VulnDisco. NOTE: as of 20100106, this disclosure has no actionable information. However, because the VulnDisco author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. http://www.intevydis.com/blog/?p=102 http://intevydis.com/sjws_demo.html Unspecified vulnerability in the Edit Contact scene in Ultra-light Mode in IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.241 for Domino 8.0.2 FP3 has unknown impact and attack vectors, aka SPR LSHR7TBLY5. http://www-933.ibm.com/support/fixcentral/ domino-ultralight-unspecified(55470) ADV-2010-0077 37675 http://www-01.ibm.com/support/docview.wss?uid=swg27017776 38026 Ultra-light Mode in IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.241 for Domino 8.0.2 FP3 does not properly handle script commands in the status-alerts URL, which has unspecified impact and attack vectors, aka SPR LSHR7TBM58. domino-script-command-unspecified(55471) ADV-2010-0077 37675 http://www-01.ibm.com/support/docview.wss?uid=swg27017776 38026 IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.241 for Domino 8.0.2 FP3 does not properly handle navigation of the "Try Lotus iNotes anyway" link from the page that reports use of an unsupported browser, which has unspecified impact and attack vectors, aka SPR LSHR7TBMQU. domino-trylotus-unspecified(55473) ADV-2010-0077 37675 http://www-01.ibm.com/support/docview.wss?uid=swg27017776 38026 slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013. RHSA-2010:0115 https://bugzilla.redhat.com/show_bug.cgi?id=554335 ADV-2010-2693 ADV-2010-1020 ADV-2010-0413 USN-902-1 38294 [oss-security] 20100107 Re: CVE request - pidgin MSN arbitrary file upload MDVSA-2010:085 MDVSA-2010:041 41868 38915 38712 38658 38640 38563 http://pidgin.im/news/security/?id=43 oval:org.mitre.oval:def:9421 SUSE-SR:2010:006 FEDORA-2010-1383 FEDORA-2010-1934 FEDORA-2010-1279 http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html http://developer.pidgin.im/wiki/ChangeLog http://blogs.sun.com/security/entry/cve_2010_0277_malformed_msn A certain ActiveX control in msgsc.14.0.8089.726.dll in Microsoft Windows Live Messenger 2009 build 14.0.8089.726 on Windows Vista and Windows 7 allows remote attackers to cause a denial of service (msnmsgr.exe crash) by calling the ViewProfile method with a crafted argument during an MSN Messenger session. 37680 20100108 [HACKATTACK Advisory 080110] Windows Live Messenger 2009 ActiveX DoS Vulnerability Unrestricted file upload vulnerability in upload.php in BTS-GI Read excel 1.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. NOTE: some of these details are obtained from third party information. CWE-434 - http://cwe.mitre.org/data/definitions/434.html readexcel-upload-file-upload(55462) 11057 38083 61579 Array index error in Jan Eric Kyprianidis lib3ds 1.x, as used in Google SketchUp 7.x before 7.1 M2, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted structures in a 3DS file, probably related to mesh.c. ADV-2010-0133 37708 20100113 [CORE-2009-1209] Google SketchUp 'lib3ds' 3DS Importer Memory Corruption http://www.coresecurity.com/content/google-sketchup-vulnerability http://sketchup.google.com/support/bin/answer.py?hl=en&answer=141303 38187 38185 The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 before 1.7.2, and 1.8 alpha, allows remote attackers to cause a denial of service (assertion failure and daemon crash) via an invalid (1) AS-REQ or (2) TGS-REQ request. ADV-2010-1481 USN-916-1 38260 20100216 MITKRB5-SA-2010-001 [CVE-2010-0283] krb5-1.7 KDC denial of service http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt http://support.apple.com/kb/HT4188 1023593 40220 39023 38598 FEDORA-2010-1722 APPLE-SA-2010-06-15-1 Directory traversal vulnerability in the getEntry method in the PortalModuleInstallManager component in a servlet in nps.jar in the Administration Console (aka Access Management Console) in Novell Access Manager 3.1 before 3.1.2-281 on Windows allows remote attackers to create arbitrary files with any contents, and consequently execute arbitrary code, via a .. (dot dot) in a parameter, aka ZDI-CAN-678. accessmgr-admincosole-getentry-file-upload(59528) ADV-2010-1516 1024132 40931 http://www.novell.com/support/viewContent.do?externalId=7006255&sliceId=1 40198 gnome-screensaver 2.14.3, 2.22.2, 2.27.x, 2.28.0, and 2.28.3, when the X configuration enables the extend screen option, allows physically proximate attackers to bypass screen locking, access an unattended workstation, and view half of the GNOME desktop by attaching an external monitor. https://bugzilla.redhat.com/show_bug.cgi?id=557525 https://bugzilla.gnome.org/show_bug.cgi?id=593616 screensaver-monitor-setup-sec-bypass(56366) 38254 MDVSA-2011:093 http://security-tracker.debian.org/tracker/CVE-2010-0285 http://git.gnome.org/browse/gnome-screensaver/commit/?id=2f597ea9f1f363277fd4dfc109fa41bbc6225aca Unspecified vulnerability in the OpenID Identity Authentication extension in TYPO3 4.3.0 allows remote attackers to bypass authentication and gain access to a backend user account via unknown attack vectors in which both the attacker and victim have an OpenID provider that discards identities during authentication. ADV-2010-0127 typo3-openid-security-bypass(55609) http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-001/ 38206 61680 Directory traversal vulnerability in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to list the contents of arbitrary directories via a .. (dot dot) in the ns parameter. dokuwiki-ajax-dir-traversal(55660) ADV-2010-0150 http://www.splitbrain.org/blog/2010-01/17-dokuwiki-security 37821 11141 DSA-1976 38183 FEDORA-2010-0800 FEDORA-2010-0770 http://bugs.splitbrain.org/index.php?do=details&task_id=1847 A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010. dokuwiki-ajax-security-bypass(55661) ADV-2010-0150 http://www.splitbrain.org/blog/2010-01/17-dokuwiki-security 37820 11141 DSA-1976 38183 61710 FEDORA-2010-0800 FEDORA-2010-0770 http://bugs.splitbrain.org/index.php?do=details&task_id=1847 Multiple cross-site request forgery (CSRF) vulnerabilities in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25c allow remote attackers to hijack the authentication of administrators for requests that modify access control rules, and other unspecified requests, via unknown vectors. http://www.splitbrain.org/blog/2010-01/17-dokuwiki-security DSA-1976 38205 61708 FEDORA-2010-0800 FEDORA-2010-0770 http://freshmeat.net/projects/dokuwiki/tags/security-fix http://bugs.splitbrain.org/index.php?do=details&task_id=1853 Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains (1) CNAME or (2) DNAME records, which do not have the intended validation before caching, aka Bug 20737. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4022. https://www.isc.org/advisories/CVE-2009-4022v6 RHSA-2010:0062 https://bugzilla.redhat.com/show_bug.cgi?id=557121 https://bugzilla.redhat.com/show_bug.cgi?id=554851 ADV-2010-1352 ADV-2010-0622 ADV-2010-0176 USN-888-1 MDVSA-2010:021 DSA-2054 http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0018 40086 38240 38219 oval:org.mitre.oval:def:8884 oval:org.mitre.oval:def:7512 oval:org.mitre.oval:def:6815 [oss-security] 20100120 Re: BIND CVE-2009-4022 fix incomplete [oss-security] 20100119 BIND CVE-2009-4022 fix incomplete SUSE-SA:2010:008 The Linux kernel before 2.6.32.4 allows local users to gain privileges or cause a denial of service (panic) by calling the (1) mmap or (2) mremap function, aka the "do_mremap() mess" or "mremap/mmap mess." http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.4 https://bugzilla.redhat.com/show_bug.cgi?id=556703 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 37906 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0161 DSA-2005 DSA-1996 43315 39033 38492 oval:org.mitre.oval:def:11824 [oss-security] 20100121 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100120 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100120 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100120 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100120 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100120 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100119 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100119 CVE request - kernel: untangle the do_mremap() mess [linux-kernel] 20091205 [RFC][PATCHSET] mremap/mmap mess [linux-kernel] 20100114 [PATCH 01/52] untangle the do_mremap() mess http://groups.google.co.jp/group/fa.linux.kernel/browse_thread/thread/8bf22336b1082090 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f8b7256096a20436f6d0926747e3ac3d64c81d24 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f106af4e90eadd76cfc0b5325f659619e08fb762 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ecc1a8993751de4e82eb18640d631dae1f626bd6 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e77414e0aad6a1b063ba5e5750c582c75327ea6a http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c4caa778157dbbf04116f0ac2111e389b5cd7a29 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=bb52d6694002b9d632bb355f64daa045c6293a4e http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=aa65607373a4daf2010e8c3867b6317619f3c1a3 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=935874141df839c706cd6cdc438e85eb69d1525e http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9206de95b1ea68357996ec02be5db0638a0de2c1 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8c7b49b3ecd48923eb64ff57e07a1cdb74782970 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=570dcf2c15463842e384eb597a87c1e39bead99b http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=564b3bffc619dcbdd160de597b0547a7017ea010 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=54f5de709984bae0d31d823ff03de755f9dcac54 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2ea1d13f64efdf49319e86c87d9ba38c30902782 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2c6a10161d0b5fc047b5bd81b03693b9af99fab5 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1a0ef85f84feb13f07b604fcf5b90ef7c2b5c82f http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0ec62d290912bb4b989be7563851bc364ec73b56 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=097eed103862f9c6a97f2e415e21d1134017b135 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=05d72faa6d13c9d857478a5d35c85db9adada685 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0067bd8a55862ac9dd212bd1c4f6f5bff1ca1301 The read_from_cmd_socket function in cmdmon.c in chronyd in Chrony before 1.23.1, and 1.24-pre1, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a spoofed cmdmon packet that triggers a continuous exchange of NOHOSTACCESS messages between two daemons, a related issue to CVE-2009-3563. 38106 https://bugzilla.redhat.com/show_bug.cgi?id=555367 DSA-1992 38480 38428 http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git;a=commit;h=7864c7a70ce00369194e734eb2842ecc5f8db531 http://chrony.tuxfamily.org/News.html The client logging functionality in chronyd in Chrony before 1.23.1 does not restrict the amount of memory used for storage of client information, which allows remote attackers to cause a denial of service (memory consumption) via spoofed (1) NTP or (2) cmdmon packets. https://bugzilla.redhat.com/show_bug.cgi?id=555367 38106 DSA-1992 38480 38428 http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git;a=commit;h=2f63cf448560fdb96b80d8488aae6a15b802a753 http://chrony.tuxfamily.org/News.html chronyd in Chrony before 1.23.1, and possibly 1.24-pre1, generates a syslog message for each unauthorized cmdmon packet, which allows remote attackers to cause a denial of service (disk consumption) via a large number of invalid packets. 38106 http://chrony.tuxfamily.org/News.html https://bugzilla.redhat.com/show_bug.cgi?id=555367 DSA-1992 38480 38428 http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git;a=commit;h=0b710499f994823bd938fc6895f097eefb9cc59f lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate. 38036 http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt http://download.lighttpd.net/lighttpd/security/lighttpd-1.5_fix_slow_request_dos.patch http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.x_fix_slow_request_dos.patch lighttpd-slow-request-dos(56038) ADV-2011-0172 [oss-security] 20100202 lighttpd: slow request dos/oom attack [CVE-2010-0295] DSA-1987 GLSA-201006-17 39765 38403 http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2711 http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2710 http://redmine.lighttpd.net/issues/2147 SUSE-SR:2010:003 FEDORA-2010-7643 FEDORA-2010-7611 FEDORA-2010-7636 http://blogs.sun.com/security/entry/cve_2010_0295_vulnerability_in The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request. https://bugzilla.redhat.com/show_bug.cgi?id=559579 gnuclibrary-encodenamemacro-dos(59240) ADV-2011-0863 ADV-2010-1246 http://www.vmware.com/security/advisories/VMSA-2011-0012.html USN-944-1 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console RHSA-2011:0412 MDVSA-2010:112 MDVSA-2010:111 DSA-2058 http://sourceware.org/git/?p=glibc.git;a=commit;h=ab00f4eac8f4932211259ff87be83144f5211540 1024043 GLSA-201011-01 46397 43830 39900 http://frugalware.org/security/662 Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet. RHSA-2010:0088 https://bugzilla.redhat.com/show_bug.cgi?id=557025 kernel-usb-bo(56194) 38158 [kvm] 20090721 Re: KVM crashes when using certain USB device [kvm] 20090721 Re: KVM crashes when using certain USB device [kvm] 20090702 KVM crashes when using certain USB device http://wiki.qemu.org/ChangeLog oval:org.mitre.oval:def:11786 [oss-security] 20100204 Re: KVM possible security issues fixed [oss-security] 20100202 KVM possible security issues fixed http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=babd03fde68093482528010a5435c14ce9128e3f The x86 emulator in KVM 83 does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) in determining the memory access available to CPL3 code, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, a related issue to CVE-2010-0306. RHSA-2010:0095 RHSA-2010:0088 https://bugzilla.redhat.com/show_bug.cgi?id=559091 38158 DSA-1996 38492 oval:org.mitre.oval:def:11335 openSUSE 11.2 installs the devtmpfs root directory with insecure permissions (1777), which allows local users to gain privileges via unspecified vectors. SUSE-SA:2010:010 cache.c in ircd-ratbox before 2.2.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a HELP command. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' DSA-1980 http://security.debian.org/pool/updates/main/i/ircd-ratbox/ircd-ratbox_2.2.8.dfsg-2+lenny1.diff.gz 38383 38210 [ircd-ratbox] 20100125 ircd-ratbox-2.2.9 released main.C in maildrop 2.3.0 and earlier, when run by root with the -d option, uses the gid of root for execution of the .mailfilter file in a user's home directory, which allows local users to gain privileges via a crafted file. https://bugzilla.redhat.com/show_bug.cgi?id=559681 maildrop-group-priv-escalation(55980) DSA-1981 http://www.courier-mta.org/maildrop/changelog.html 1023515 38374 38367 [oss-security] 20100128 Re: CVE id request: maildrop [oss-security] 20100128 Re: CVE id request: maildrop [oss-security] 20100128 Re: CVE id request: maildrop [oss-security] 20100127 CVE id request: maildrop http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564601 Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS before 1.4.4, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553. RHSA-2010:0129 https://bugzilla.redhat.com/show_bug.cgi?id=557775 ADV-2010-1481 USN-906-1 1024124 38510 MDVSA-2010:073 http://support.apple.com/kb/HT4188 GLSA-201207-10 40220 38979 38927 38785 oval:org.mitre.oval:def:11216 FEDORA-2010-2743 APPLE-SA-2010-06-15-1 http://cups.org/str.php?L3490 http://cups.org/articles.php?L596 mystring.c in hybserv in IRCD-Hybrid (aka Hybrid2 IRC Services) 1.9.2 through 1.9.4 allows remote attackers to cause a denial of service (daemon crash) via a ":help \t" private message to the MemoServ service. http://security.debian.org/pool/updates/main/h/hybserv/hybserv_1.9.2-4+lenny2.diff.gz hybserv2-privatemessage-dos(55992) 38006 DSA-1982 38352 38350 [oss-security] 20100129 Re: CVE id: hybserv http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550389 Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function. ADV-2010-0239 wireshark-lwres-bo(55951) http://www.wireshark.org/security/wnpa-sec-2010-02.html http://www.wireshark.org/security/wnpa-sec-2010-01.html 1023516 37985 [oss-security] 20100129 Re: CVE id request: Wireshark http://www.metasploit.com/modules/exploit/multi/misc/wireshark_lwres_getaddrbyname MDVSA-2010:031 DSA-1983 38829 38348 38257 oval:org.mitre.oval:def:9933 oval:org.mitre.oval:def:8490 61987 FEDORA-2010-3556 http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h ejabberd_c2s.erl in ejabberd before 2.1.3 allows remote attackers to cause a denial of service (daemon crash) via a large number of c2s (aka client2server) messages that trigger a queue overload. [oss-security] 20100129 Re: CVE Request -- ejabberd [oss-security] 20100129 CVE Request -- ejabberd https://support.process-one.net/browse/EJAB-1173 ejabberd-client2server-dos(56025) ADV-2010-0894 38003 62066 DSA-2033 39423 38337 The x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) to restrict instruction execution, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch, a related issue to CVE-2010-0298. RHSA-2010:0095 RHSA-2010:0088 https://bugzilla.redhat.com/show_bug.cgi?id=560654 38158 DSA-1996 38499 38492 oval:org.mitre.oval:def:10953 The load_elf_binary function in fs/binfmt_elf.c in the Linux kernel before 2.6.32.8 on the x86_64 platform does not ensure that the ELF interpreter is available before a call to the SET_PERSONALITY macro, which allows local users to cause a denial of service (system crash) via a 32-bit application that attempts to execute a 64-bit application and then triggers a segmentation fault, as demonstrated by amd64_killer, related to the flush_old_exec function. RHSA-2010:0146 https://bugzilla.redhat.com/show_bug.cgi?id=560547 ADV-2010-0638 http://www.vmware.com/security/advisories/VMSA-2011-0003.html USN-914-1 38027 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0771 RHSA-2010:0398 [oss-security] 20100204 Re: CVE request - kernel: DoS on x86_64 [oss-security] 20100203 Re: CVE request - kernel: DoS on x86_64 [oss-security] 20100201 Re: CVE request - kernel: DoS on x86_64 [oss-security] 20100201 CVE request - kernel: DoS on x86_64 MDVSA-2010:066 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.8 http://www.globalsecuritymag.com/Vigil-nce-Linux-kernel-denial-of,20100202,15754.html DSA-1996 http://support.avaya.com/css/P8/documents/100088287 43315 39649 38922 38779 38492 oval:org.mitre.oval:def:10870 http://marc.info/?t=126466700200002&r=1&w=2 [linux-mm] 20100128 DoS on x86_64 SUSE-SA:2010:014 FEDORA-2010-1787 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=221af7f87b97431e3ee21ce4b0e77d5411cf1549 lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15 allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header. http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9163.patch squid-dns-dos(56001) ADV-2010-0260 http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-9853.patch http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch http://www.squid-cache.org/Advisories/SQUID-2010_1.txt 1023520 37522 38455 38451 oval:org.mitre.oval:def:11270 62044 http://events.ccc.de/congress/2009/Fahrplan/attachments/1483_26c3_ipv4_fuckups.pdf The pit_ioport_read function in the Programmable Interval Timer (PIT) emulation in i8254.c in KVM 83 does not properly use the pit_state data structure, which allows guest OS users to cause a denial of service (host OS crash or hang) by attempting to read the /dev/port file. RHSA-2010:0095 RHSA-2010:0088 https://bugzilla.redhat.com/show_bug.cgi?id=560887 ADV-2010-0638 USN-914-1 38158 [oss-security] 20100202 Re: CVE request - kvm: cat /dev/port in the guest can cause host DoS [oss-security] 20100202 CVE request - kvm: cat /dev/port in the guest can cause host DoS [kvm] 20100129 KVM: PIT: control word is write-only DSA-1996 38922 38492 oval:org.mitre.oval:def:11095 Trusted Extensions in Sun Solaris 10 allows local users to gain privileges via vectors related to omission of unspecified libraries from software updates. http://sunsolve.sun.com/search/document.do?assetkey=1-21-143502-01-1 37754 275410 1023448 38129 oval:org.mitre.oval:def:8444 Unspecified vulnerability in Sun Java System Identity Manager (aka IdM) 8.1.0.5 and 8.1.0.6, when Sun Java System Access Manager, OpenSSO Enterprise 8.0, or IBM Tivoli Access Manager is used, allows remote attackers to obtain administrative access via unknown vectors. jsim-unspecified-security-bypass(55572) ADV-2010-0108 275010 1023447 38130 61658 The do_extendedOp function in ibmslapd in IBM Tivoli Directory Server (TDS) 6.2 on Linux allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted SecureWay 3.2 Event Registration Request (aka a 1.3.18.0.2.12.1 request). 1023433 http://intevydis.blogspot.com/2010/01/tivoli-directory-server-62-doextendedop.html The core_get_proxyauth_dn function in ns-slapd in Sun Java System Directory Server Enterprise Edition 7.0 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted LDAP Search Request message. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' jsds-coregetproxyauthdn-dos(55511) ADV-2010-0085 37699 1023431 37978 http://intevydis.blogspot.com/2010/01/sun-directory-server-70.html Apple Safari allows remote attackers to discover a redirect's target URL, for the session of a specific user of a web site, by placing the site's URL in the HREF attribute of a stylesheet LINK element, and then reading the document.styleSheets[0].href property value. ADV-2011-0552 ADV-2010-2722 USN-1006-1 MDVSA-2011:039 41856 http://nomoreroot.blogspot.com/2010/01/little-bug-in-safari-and-google-chrome.html WebKit before r53607, as used in Google Chrome before 4.0.249.89, allows remote attackers to discover a redirect's target URL, for the session of a specific user of a web site, by placing the site's URL in the HREF attribute of a stylesheet LINK element, and then reading the document.styleSheets[0].href property value, related to an IFRAME element. https://bugs.webkit.org/show_bug.cgi?id=33683 googlechrome-iframe-info-disc(56215) google-chrome-href-info-disclosure(55683) ADV-2011-0212 ADV-2010-0361 38177 http://trac.webkit.org/changeset/53607 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023583 43068 38545 oval:org.mitre.oval:def:14452 http://nomoreroot.blogspot.com/2010/01/little-bug-in-safari-and-google-chrome.html SUSE-SR:2011:002 http://googlechromereleases.blogspot.com/2010/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=32309 Integer overflow in Google SketchUp before 7.1 M2 allows remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via a crafted SKP file. ADV-2010-0133 http://sketchup.google.com/support/bin/answer.py?hl=en&answer=141303 38187 Novell Netware 6.5 SP8 allows remote attackers to cause a denial of service (NULL pointer dereference, memory consumption, ABEND, and crash) via a large number of malformed or AFP requests that are not properly handled by (1) the CIFS functionality in CIFS.nlm Semantic Agent (Build 163 MP) 3.27 or (2) the AFP functionality in AFPTCP.nlm Build 163 SP 3.27. NOTE: some of these details are obtained from third party information. netware-afptcp-dos(55389) ADV-2010-0041 1023400 37616 20100105 {PRL} Novell Netware CIFS And AFP Remote Memory Consumption DoS 11009 38114 http://protekresearch.blogspot.com/2010/01/prl-cifsnlm-memory-consumption-denial.html The replay functionality for ZFS Intent Log (ZIL) in FreeBSD 7.1, 7.2, and 8.0, when creating files during replay of a setattr transaction, uses 7777 permissions instead of the original permissions, which might allow local users to read or modify unauthorized files in opportunistic circumstances after a system crash or power failure. FreeBSD-SA-10:03 1023407 37657 38124 Cross-site scripting (XSS) vulnerability in index.php in Docmint 1.0 and 2.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: some of these details are obtained from third party information. docmint-index-xss(55549) 37721 11119 38149 http://packetstormsecurity.org/1001-exploits/docmintcms-xss.txt Cross-site scripting (XSS) vulnerability in submitlink.php in Glitter Central Script allows remote attackers to inject arbitrary web script or HTML via the catid parameter. glittercentral-submitlink-xss(55537) 61632 11108 38146 http://packetstormsecurity.org/1001-exploits/glittercentral-xss.txt Cross-site scripting (XSS) vulnerability in jobs/index.php in Jamit Job Board 3.0 allows remote attackers to inject arbitrary web script or HTML via the post_id parameter. jamit-jobboard-index-xss(55500) 37701 11073 32797 http://packetstormsecurity.org/1001-exploits/jamitjobboard-xss.txt SQL injection vulnerability in the init function in MK-AnydropdownMenu (mk_anydropdownmenu) extension 0.3.28 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/mk_anydropdownmenu/0.4.0/info/ChangeLog/ http://typo3.org/extensions/repository/view/mk_anydropdownmenu/0.4.0/ Unspecified vulnerability in the Photo Book (goof_fotoboek) extension 1.7.14 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown attack vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/goof_fotoboek/1.7.15/ SQL injection vulnerability in the Customer Reference List (ref_list) extension 1.0.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/ref_list/1.0.2/ Unspecified vulnerability in the SB Folderdownload (sb_folderdownload) extension 0.2.2 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown attack vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/sb_folderdownload/0.2.3/ Cross-site scripting (XSS) vulnerability in the Developer log (devlog) extension 2.9.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/devlog/2.9.2/ 38164 Cross-site scripting (XSS) vulnerability in the KJ: Imagelightbox (kj_imagelightbox2) extension 2.0.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2008-2490. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/kj_imagelightbox2/2.0.2/ 38165 Cross-site scripting (XSS) vulnerability in the Unit Converter (cs2_unitconv) extension 1.0.4 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/cs2_unitconv/1.0.5/ 38166 SQL injection vulnerability in the powermail extension 1.5.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to the "SQL selection field" and "typoscript." http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/powermail/1.5.2/info/changelog.txt/ http://typo3.org/extensions/repository/view/powermail/1.5.2/ 38167 SQL injection vulnerability in the Googlemaps for tt_news (jf_easymaps) extension 1.0.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/jf_easymaps/1.0.3/ Cross-site scripting (XSS) vulnerability in the TV21 Talkshow (tv21_talkshow) extension 1.0.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the TV21 Talkshow (tv21_talkshow) extension 1.0.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the Helpdesk (mg_help) extension 1.1.6 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the Vote rank for news (vote_for_tt_news) extension 1.0.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ Cross-site scripting (XSS) vulnerability in the Vote rank for news (vote_for_tt_news) extension 1.0.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ Unspecified vulnerability in the kiddog_mysqldumper (kiddog_mysqldumper) extension 0.0.3 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown attack vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the tt_news Mail alert (dl3_tt_news_alerts) extension 0.2.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the TT_Products editor (ttpedit) extension 0.0.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the User Links (vm19_userlinks) extension 0.1.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the MJS Event Pro (mjseventpro) extension 0.2.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the BB Simple Jobs (bb_simplejobs) extension 0.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the Reports for Job (job_reports) extension 0.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the Clan Users List (pb_clanlist) extension 0.0.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the zak_store_management extension 1.0.0 and earlier TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ Cross-site scripting (XSS) vulnerability in the Majordomo extension 1.1.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ Cross-site scripting (XSS) vulnerability in the Tip many friends (mimi_tipfriends) extension 0.0.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ Cross-site scripting (XSS) vulnerability in the VD / Geomap (vd_geomap) extension 0.3.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ Directory traversal vulnerability in C3 Corp. WebCalenderC3 0.32 and earlier allows remote attackers to read arbitrary files via unknown vectors. http://webcal.c-3.jp/zeijakusei.html 38135 61630 JVNDB-2010-000003 JVN#22247093 Cross-site scripting (XSS) vulnerability in C3 Corp. WebCalenderC3 0.32 and earlier allows remote attackers to inject arbitrary web script or HTML via unknown vectors. NOTE: this issue could not be reproduced by the vendor, but a patch was provided anyway. The original researcher is reliable. 61629 http://webcal.c-3.jp/zeijakusei.html 38135 JVNDB-2010-000002 JVN#33977065 Directory traversal vulnerability in the Photo Book (goof_fotoboek) extension 1.7.14 and earlier for TYPO3 has unknown impact and remote attack vectors.