Double free vulnerability in the iscsi_rx_handler function (usr/iscsi/iscsid.c) in the tgt daemon (tgtd) in Linux SCSI target framework (tgt) before 1.0.14, aka scsi-target-utils, allows remote attackers to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via unknown vectors related to a buffer overflow during iscsi login. NOTE: some of these details are obtained from third party information. https://bugzilla.redhat.com/show_bug.cgi?id=667261 https://bugzilla.redhat.com/attachment.cgi?id=473779&action=diff [stgt] 20110309 [PATCH] iscsi: fix buffer overflow before login lstf-iscsirxhandler-dos(66010) ADV-2011-0636 1025184 46817 RHSA-2011:0332 DSA-2209 43713 43706 libuser before 0.57 uses a cleartext password value of (1) !! or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values. https://fedorahosted.org/libuser/browser/NEWS?rev=libuser-0.57 https://bugzilla.redhat.com/show_bug.cgi?id=643227 libuser-password-security-bypass(64677) ADV-2011-0226 ADV-2011-0201 ADV-2011-0184 45791 RHSA-2011:0170 70421 MDVSA-2011:019 1024960 43047 42966 42891 FEDORA-2011-0320 FEDORA-2011-0316 MediaWiki before 1.16.1, when user or site JavaScript or CSS is enabled, allows remote attackers to conduct clickjacking attacks via unspecified vectors. [MediaWiki-announce] 20110104 MediaWiki security release 1.16.1 https://bugzilla.wikimedia.org/show_bug.cgi?id=26561 mediawiki-frames-clickjacking(64476) ADV-2011-0017 70272 [oss-security] 20110104 (possible) CVE request: Clickjacking in Mediawiki [oss-security] 20110104 Re: (possible) CVE request: Clickjacking in Mediawiki 42810 FEDORA-2011-5807 FEDORA-2011-5812 FEDORA-2011-5848 Multiple cross-site scripting (XSS) vulnerabilities in Piwik before 1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://piwik.org/blog/2011/01/professional-security-audit-in-piwik/ http://piwik.org/blog/2011/01/piwik-1-1-security-advisory/ http://piwik.org/blog/2011/01/piwik-1-1-2/ [oss-security] 20110106 Re: CVE Request: Multiple XSS Vulnerabiliies < Piwik 1.1 [oss-security] 20110105 CVE Request: Multiple XSS Vulnerabiliies < Piwik 1.1 ADV-2011-0013 45659 42809 70310 Cross-site scripting (XSS) vulnerability in the com_search module for Joomla! 1.0.x through 1.0.15 allows remote attackers to inject arbitrary web script or HTML via the ordering parameter to index.php. http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.0.x~15]_cross_site_scripting joomla-ordering-xss(64539) 45679 20110107 Re: Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability 20110105 Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability http://packetstormsecurity.org/files/view/97273/joomla1015-xss.txt 70369 The ima_lsm_rule_init function in security/integrity/ima/ima_policy.c in the Linux kernel before 2.6.37, when the Linux Security Modules (LSM) framework is disabled, allows local users to bypass Integrity Measurement Architecture (IMA) rules in opportunistic circumstances by leveraging an administrator's addition of an IMA rule for LSM. https://github.com/torvalds/linux/commit/867c20265459d30a01b021a9c1e81fb4c5832aa9 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=867c20265459d30a01b021a9c1e81fb4c5832aa9 https://bugzilla.redhat.com/show_bug.cgi?id=667912 [oss-security] 20110106 Re: CVE Request: kernel [Re: Security review of 2.6.32.28] http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.37 pimd 2.1.5 and possibly earlier versions allows user-assisted local users to overwrite arbitrary files via a symlink attack on (1) pimd.dump when a USR1 signal is sent, or (2) pimd.cache when USR2 is sent. [oss-security] 20110107 CVE Request - pimd - Insecure file creation in /var/tmp pimd-pimd-symlink(64528) ADV-2011-0113 45715 70305 [oss-security] 20110107 Re: CVE Request - pimd - Insecure file creation in /var/tmp DSA-2147 42793 42759 A certain Fedora patch for parse.c in sudo before 1.7.4p5-1.fc14 on Fedora 14 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command. NOTE: this vulnerability exists because of a CVE-2009-0034 regression. https://bugzilla.redhat.com/show_bug.cgi?id=668843 sudo-parse-privilege-escalation(64965) ADV-2011-0199 ADV-2011-0195 MDVSA-2011:018 42968 FEDORA-2011-0455 FEDORA-2011-0470 Best Practical Solutions RT 3.x before 3.8.9rc2 and 4.x before 4.0.0rc4 uses the MD5 algorithm for password hashes, which makes it easier for context-dependent attackers to determine cleartext passwords via a brute-force attack on the database. https://bugzilla.redhat.com/show_bug.cgi?id=672250 [rt-announce] 20110119 Security vulnerability in RT 3.0 and up http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610850 ADV-2011-0576 ADV-2011-0475 ADV-2011-0190 45959 DSA-2150 43438 70661 FEDORA-2011-1677 check.c in sudo 1.7.x before 1.7.4p5, when a Runas group is configured, does not require a password for command execution that involves a gid change but no uid change, which allows local users to bypass an intended authentication requirement via the -g option to a sudo command. https://bugzilla.redhat.com/show_bug.cgi?id=668879 http://www.sudo.ws/repos/sudo/rev/fe8a94f96542 http://www.sudo.ws/repos/sudo/rev/07d1b0ce530e [oss-security] 20110112 Re: CVE request: sudo does not ask for password on GID changes [oss-security] 20110111 CVE request: sudo does not ask for password on GID changes sudo-groupid-privilege-escalation(64636) ADV-2011-0362 ADV-2011-0212 ADV-2011-0199 ADV-2011-0195 ADV-2011-0182 ADV-2011-0089 USN-1046-1 http://www.sudo.ws/sudo/alerts/runas_group_pw.html 45774 RHSA-2011:0599 70400 MDVSA-2011:018 SSA:2011-041-05 43282 43068 42968 42949 42886 [oss-security] 20110112 Re: CVE request: sudo does not ask for password on GID changes SUSE-SR:2011:002 FEDORA-2011-0455 FEDORA-2011-0470 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641 qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions. https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197 qemu-vnc-security-bypass(65215) 70992 [oss-security] 20110112 Re: CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication [oss-security] 20110110 Re: CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication [oss-security] 20110110 CVE request: qemu-kvm: Setting VNC password to empty string silently disables all authentication USN-1063-1 44393 43733 43272 42830 RHSA-2011:0345 The SPICE Firefox plug-in (spice-xpi) 2.4, 2.3, 2.2, and possibly other versions allows local users to overwrite arbitrary files via a symlink attack on the usbrdrctl log file, which has a predictable name. https://bugzilla.redhat.com/show_bug.cgi?id=639869 ADV-2011-0899 1025304 47269 RHSA-2011:0426 Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag. https://bugzilla.redhat.com/show_bug.cgi?id=675786 http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30 http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32 ADV-2011-0376 1025026 46174 20110205 [SECURITY] CVE-2011-0013 Apache Tomcat Manager XSS vulnerability RHSA-2011:1845 RHSA-2011:0897 RHSA-2011:0896 RHSA-2011:0791 MDVSA-2011:030 DSA-2160 http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6_(released_14_Jan_2011) http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html http://support.apple.com/kb/HT5002 8093 45022 43192 oval:org.mitre.oval:def:14945 oval:org.mitre.oval:def:12878 SSRT100627 HPSBUX02725 APPLE-SA-2011-10-12-3 ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability." http://www.openssl.org/news/secadv_20110208.txt ADV-2011-0603 ADV-2011-0399 ADV-2011-0395 ADV-2011-0389 ADV-2011-0387 ADV-2011-0361 USN-1064-1 1025050 46264 RHSA-2011:0677 MDVSA-2011:028 DSA-2162 http://support.apple.com/kb/HT4723 SSA:2011-041-04 44269 43339 43301 43286 43227 70847 HPSBUX02689 SSRT100494 FEDORA-2011-1273 APPLE-SA-2011-06-23-1 HPSBMA02658 SSRT100413 NetBSD-SA2011-002 Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not properly check the amount of compression in zlib-compressed data, which allows remote attackers to cause a denial of service via a large compression factor. https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog http://blog.torproject.org/blog/tor-02129-released-security-patches [or-announce] 20110117 Tor 0.2.1.29 is released (security patches) https://trac.torproject.org/projects/tor/ticket/2324 ADV-2011-0132 ADV-2011-0131 1024980 45832 [oss-security] 20110118 Re: CVE request: tor DSA-2148 42907 42905 Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not properly manage key data in memory, which might allow local users to obtain sensitive information by leveraging the ability to read memory that was previously used by a different process. http://blog.torproject.org/blog/tor-02129-released-security-patches https://trac.torproject.org/projects/tor/ticket/2385 https://trac.torproject.org/projects/tor/ticket/2384 https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog ADV-2011-0132 ADV-2011-0131 1024980 45832 [oss-security] 20110118 Re: CVE request: tor DSA-2148 42907 42905 [or-announce] 20110117 Tor 0.2.1.29 is released (security patches) The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack. [exim-announce] 20110125 Exim 4.74 Release exim-openlog-privilege-escalation(65028) ADV-2011-0464 ADV-2011-0364 ADV-2011-0245 ADV-2011-0224 USN-1060-1 46065 DSA-2154 43243 43128 43101 70696 SUSE-SR:2011:004 ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74 The email function in manage_sql.c in OpenVAS Manager 1.0.x through 1.0.3 and 2.0.x through 2.0rc2 allows remote authenticated users to execute arbitrary commands via the (1) To or (2) From e-mail address in an OMP request to the Greenbone Security Assistant (GSA). http://www.openvas.org/OVSA20110118.html openvas-email-command-execution(65011) ADV-2011-0208 45987 20110125 [OVSA20110118] OpenVAS Manager Vulnerable To Command Injection 16086 43037 70639 slapd (aka ns-slapd) in 389 Directory Server 1.2.7.5 (aka Red Hat Directory Server 8.2.x or dirsrv) does not properly handle simple paged result searches, which allows remote attackers to cause a denial of service (daemon crash) or possibly have unspecified other impact via multiple search requests. https://bugzilla.redhat.com/show_bug.cgi?id=670914 https://bugzilla.redhat.com/show_bug.cgi?id=666076 1025102 46489 RHSA-2011:0293 Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object. https://bugzilla.redhat.com/show_bug.cgi?id=671122 https://bugzilla.gnome.org/show_bug.cgi?id=639882 https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616 pango-pango-bo(64832) ADV-2011-0238 ADV-2011-0186 1024994 45842 RHSA-2011:0180 43100 42934 70596 [oss-security] 20110120 Re: CVE request: heap corruption in libpango [oss-security] 20110118 CVE request: heap corruption in libpango Multiple heap-based buffer overflows in cdg.c in the CDG decoder in VideoLAN VLC Media Player before 1.1.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted CDG video. [oss-security] 20110120 Re: CVE request: heap corruption in VLC media player http://git.videolan.org/?p=vlc.git;a=commit;h=f9b664eac0e1a7bceed9d7b5854fd9fc351b4aab http://download.videolan.org/pub/videolan/vlc/1.1.6/vlc-1.1.6.tar.bz2 vlcmediaplayer-cdg-code-execution(64879) ADV-2011-0185 45927 oval:org.mitre.oval:def:12460 [oss-security] 20110119 CVE request: heap corruption in VLC media player The setup scripts in 389 Directory Server 1.2.x (aka Red Hat Directory Server 8.2.x), when multiple unprivileged instances are configured, use 0777 permissions for the /var/run/dirsrv directory, which allows local users to cause a denial of service (daemon outage or arbitrary process termination) by replacing PID files contained in this directory. https://bugzilla.redhat.com/show_bug.cgi?id=671199 1025102 46489 RHSA-2011:0293 Heap-based buffer overflow in wiretap/pcapng.c in Wireshark before 1.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted capture file. https://bugzilla.redhat.com/show_bug.cgi?id=671331 ADV-2011-0719 RHSA-2011:0370 43821 IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does not properly verify signatures for JAR files that (1) are "partially signed" or (2) signed by multiple entities, which allows remote attackers to trick users into executing code that appears to come from a trusted source. http://icedtea.classpath.org/hg/release/icedtea-web-1.0?cmd=changeset;node=3bd328e4b515 http://blog.fuseyism.com/index.php/2011/02/01/security-icedtea6-178-185-195-released/ icedtea-jar-security-bypass(65151) USN-1055-1 46110 MDVSA-2011:054 DSA-2224 43135 Integer signedness error in the SQLConnectW function in an ODBC API (odbc32.dll) in Microsoft Data Access Components (MDAC) 2.8 SP1 and SP2, and Windows Data Access Components (WDAC) 6.0, allows remote attackers to execute arbitrary code via a long string in the Data Source Name (DSN) and a crafted szDSN argument, which bypasses a signed comparison and leads to a buffer overflow, aka "DSN Overflow Vulnerability." TA11-011A MS11-002 http://www.zerodayinitiative.com/advisories/ZDI-11-001/ ADV-2011-0075 1024947 45695 http://support.avaya.com/css/P8/documents/100124846 42804 oval:org.mitre.oval:def:12333 70443 Microsoft Data Access Components (MDAC) 2.8 SP1 and SP2, and Windows Data Access Components (WDAC) 6.0, does not properly validate memory allocation for internal data structures, which allows remote attackers to execute arbitrary code, possibly via a large CacheSize property that triggers an integer wrap and a buffer overflow, aka "ADO Record Memory Vulnerability." NOTE: this might be a duplicate of CVE-2010-1117 or CVE-2010-1118. TA11-011A MS11-002 http://www.zerodayinitiative.com/advisories/ZDI-11-002/ ADV-2011-0075 1024947 45698 http://vreugdenhilresearch.nl/ms11-002-pwn2own-heap-overflow/ http://support.avaya.com/css/P8/documents/100124846 42804 oval:org.mitre.oval:def:12411 70444 WordPad in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly parse fields in Word documents, which allows remote attackers to execute arbitrary code via a crafted .doc file, aka "WordPad Converter Parsing Vulnerability." TA11-102A MS11-033 oval:org.mitre.oval:def:12301 Untrusted search path vulnerability in the client in Microsoft Remote Desktop Connection 5.2, 6.0, 6.1, and 7.0 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .rdp file, aka "Remote Desktop Insecure Library Loading Vulnerability." Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' Per: http://www.microsoft.com/technet/security/Bulletin/MS11-017.mspx 'For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open an .rdp file.' FAQ: 'This is a remote code execution vulnerability.' TA11-067A MS11-017 ADV-2011-0616 1025172 43628 oval:org.mitre.oval:def:12480 71014 The Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly kill processes after a logout, which allows local users to obtain sensitive information or gain privileges via a crafted application that continues to execute throughout the logout of one user and the login session of the next user, aka "CSRSS Elevation of Privilege Vulnerability," a different vulnerability than CVE-2010-0023. MS11-010 ms-csrss-privilege-escalation(64917) ADV-2011-0323 1025045 43250 oval:org.mitre.oval:def:12476 70826 The (1) JScript 5.8 and (2) VBScript 5.8 scripting engines in Microsoft Windows Server 2008 R2 and Windows 7 do not properly load decoded scripts obtained from web pages, which allows remote attackers to trigger memory corruption and consequently obtain sensitive information via a crafted web site, aka "Scripting Engines Information Disclosure Vulnerability." MS11-009 ms-win-jscript-info-disclosure(64919) ADV-2011-0322 1025044 46139 43249 oval:org.mitre.oval:def:12313 70827 Untrusted search path vulnerability in DirectShow in Microsoft Windows Vista SP1 and SP2, Windows 7 Gold and SP1, Windows Server 2008 R2 and R2 SP1, and Windows Media Center TV Pack for Windows Vista allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a Digital Video Recording (.dvr-ms), Windows Recorded TV Show (.wtv), or .mpg file, aka "DirectShow Insecure Library Loading Vulnerability." Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' Per: http://www.microsoft.com/technet/security/Bulletin/MS11-015.mspx 'For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a media file (such as .wtv, .drv-ms, or .mpg files).' FAQ: 'This is a remote code execution vulnerability. ' TA11-067A MS11-015 ADV-2011-0615 1025170 46682 43626 oval:org.mitre.oval:def:12506 71015 The OpenType Compact Font Format (CFF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate parameter values in OpenType fonts, which allows remote attackers to execute arbitrary code via a crafted font, aka "OpenType Font Encoded Character Vulnerability." MS11-007 ms-opentype-cff-code-execution(64906) ADV-2011-0320 1025034 46106 http://support.avaya.com/css/P8/documents/100127239 43252 oval:org.mitre.oval:def:11593 70821 Stack-based buffer overflow in the OpenType Compact Font Format (aka OTF or CFF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted parameter values in an OpenType font, aka "OpenType Font Stack Overflow Vulnerability." TA11-102A MS11-032 oval:org.mitre.oval:def:11860 Microsoft Internet Explorer 6, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2010-2556 and CVE-2011-0036. MS11-003 ms-explorer-code-execution(64911) ADV-2011-0318 1025038 46157 http://support.avaya.com/css/P8/documents/100127294 oval:org.mitre.oval:def:12371 70831 Microsoft Internet Explorer 6, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, relagted to a "dangling pointer," aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2010-2556 and CVE-2011-0035. MS11-003 ms-explorer-code-exec(64912) ADV-2011-0318 1025038 46158 http://support.avaya.com/css/P8/documents/100127294 oval:org.mitre.oval:def:12261 70832 Microsoft Malware Protection Engine before 1.1.6603.0, as used in Microsoft Malicious Software Removal Tool (MSRT), Windows Defender, Security Essentials, Forefront Client Security, Forefront Endpoint Protection 2010, and Windows Live OneCare, allows local users to gain privileges via a crafted value of an unspecified user registry key. ms-malware-engine-priv-esc(65626) ADV-2011-0486 46540 http://www.microsoft.com/technet/security/advisory/2491888.mspx 1025117 43468 Untrusted search path vulnerability in Microsoft Internet Explorer 8 might allow local users to gain privileges via a Trojan horse IEShims.dll in the current working directory, as demonstrated by a Desktop directory that contains an HTML file, aka "Internet Explorer Insecure Library Loading Vulnerability." Per: CWE-426: Untrusted Search Path 'http://cwe.mitre.org/data/definitions/426.html' Per: http://www.microsoft.com/technet/security/Bulletin/MS11-003.mspx 'This is a remote code execution vulnerability.' MS11-003 ms-ie-dll-code-execution(64913) ADV-2011-0318 1025038 46159 http://www.fortiguard.com/advisory/FGA-2011-04.html http://support.avaya.com/css/P8/documents/100127294 oval:org.mitre.oval:def:12270 70833 The Local Security Authority Subsystem Service (LSASS) in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly process authentication requests, which allows local users to gain privileges via a request with a crafted length, aka "LSASS Length Validation Vulnerability." MS11-014 ADV-2011-0327 1025049 46152 43253 oval:org.mitre.oval:def:12537 The server in Microsoft Active Directory on Windows Server 2003 SP2 does not properly handle an update request for a service principal name (SPN), which allows remote attackers to cause a denial of service (authentication downgrade or outage) via a crafted request that triggers name collisions, aka "Active Directory SPN Validation Vulnerability." MS11-005 ms-win-active-directory-dos(64915) ADV-2011-0319 1025042 46145 43215 oval:org.mitre.oval:def:12485 70825 Integer overflow in gdiplus.dll in GDI+ in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold and SP2, and Office XP SP3 allows remote attackers to execute arbitrary code via a crafted EMF image, aka "GDI+ Integer Overflow Vulnerability." TA11-102A MS11-029 oval:org.mitre.oval:def:11854 SBE.dll in the Stream Buffer Engine in Windows Media Player and Windows Media Center in Microsoft Windows XP SP2 and SP3, Windows XP Media Center Edition 2005 SP3, Windows Vista SP1 and SP2, Windows 7 Gold and SP1, and Windows Media Center TV Pack for Windows Vista does not properly parse Digital Video Recording (.dvr-ms) files, which allows remote attackers to execute arbitrary code via a crafted file, aka "DVR-MS Vulnerability." TA11-067A MS11-015 ADV-2011-0615 1025169 46680 43626 oval:org.mitre.oval:def:12281 71016 Kerberos in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 supports weak hashing algorithms, which allows local users to gain privileges by operating a service that sends crafted service tickets, as demonstrated by the CRC32 algorithm, aka "Kerberos Unkeyed Checksum Vulnerability." MS11-013 ms-kerberos-checksum-privilege-escalation(64900) ADV-2011-0326 1025048 46130 http://support.avaya.com/css/P8/documents/100127250 43251 oval:org.mitre.oval:def:12432 70834 The Trace Events functionality in the kernel in Microsoft Windows XP SP3 does not properly perform type conversion, which causes integer truncation and insufficient memory allocation and triggers a buffer overflow, which allows local users to gain privileges via a crafted application, related to WmiTraceMessageVa, aka "Windows Kernel Integer Truncation Vulnerability." MS11-011 ms-win-kernel-privilege-escalation(64926) http://www.zerodayinitiative.com/advisories/ZDI-11-064 ADV-2011-0324 1025046 46136 20110208 ZDI-11-064: Microsoft Windows WmiTraceMessageVa Local Kernel Vulnerability http://support.avaya.com/css/P8/documents/100127248 8110 oval:org.mitre.oval:def:11996 70823 Multiple cross-site request forgery (CSRF) vulnerabilities in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allow remote attackers to hijack the authentication of arbitrary users for requests related to (1) adding a saved search in buglist.cgi, (2) voting in votes.cgi, (3) sanity checking in sanitycheck.cgi, (4) creating or editing a chart in chart.cgi, (5) column changing in colchange.cgi, and (6) adding, deleting, or approving a quip in quips.cgi. https://bugzilla.mozilla.org/show_bug.cgi?id=621110 https://bugzilla.mozilla.org/show_bug.cgi?id=621109 https://bugzilla.mozilla.org/show_bug.cgi?id=621108 https://bugzilla.mozilla.org/show_bug.cgi?id=621107 https://bugzilla.mozilla.org/show_bug.cgi?id=621105 https://bugzilla.mozilla.org/show_bug.cgi?id=621090 bugzilla-unspec-csrf(65003) ADV-2011-0271 ADV-2011-0207 45982 DSA-2322 http://www.bugzilla.org/security/3.2.9/ 43165 43033 70710 70709 70708 70707 70706 70705 FEDORA-2011-0755 FEDORA-2011-0741 Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.2 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) comments, aka "CSS injection vulnerability." [MediaWiki-announce] 20110201 MediaWiki security release 1.16.2 https://bugzilla.wikimedia.org/show_bug.cgi?id=27093 mediawiki-css-comments-xss(65126) ADV-2011-0273 46108 43142 70770 FEDORA-2011-5807 FEDORA-2011-5812 FEDORA-2011-5848 Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 creates a clickable link for a (1) javascript: or (2) data: URI in the URL (aka bug_file_loc) field, which allows remote attackers to conduct cross-site scripting (XSS) attacks against logged-out users via a crafted URI. https://bugzilla.mozilla.org/show_bug.cgi?id=628034 bugzilla-url-xss(65005) ADV-2011-0271 ADV-2011-0207 45982 DSA-2322 http://www.bugzilla.org/security/3.2.9/ 43165 43033 70704 FEDORA-2011-0755 FEDORA-2011-0741 Directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface. VU#363726 https://bugzilla.mozilla.org/show_bug.cgi?id=628064 https://bugzilla.mozilla.org/show_bug.cgi?id=628064 https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481 https://sitewat.ch/en/Advisory/View/1 majordomo-listfile-directory-traversal(65113) ADV-2011-0288 1025024 46127 20110203 Majordomo2 - Directory Traversal (SMTP/HTTP) 16103 8061 43125 70762 Cross-site scripting (XSS) vulnerability in the nonjs interface (interfaces/nonjs.pm) in CGI:IRC before 0.5.10 allows remote attackers to inject arbitrary web script or HTML via the R parameter. ADV-2011-0346 20110209 CGI:IRC XSS issue (CVE-2011-0050) DSA-2158 [cgiirc-general] 20110207 CGI:IRC 0.5.10 released to fix XSS issue (CVE-2011-0050) 8097 43217 70844 Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, does not properly handle certain recursive eval calls, which makes it easier for remote attackers to force a user to respond positively to a dialog question, as demonstrated by a question about granting privileges. https://bugzilla.mozilla.org/show_bug.cgi?id=616659 RHSA-2011:0313 RHSA-2011:0312 http://www.mozilla.org/security/announce/2011/mfsa2011-02.html MDVSA-2011:041 http://support.avaya.com/css/P8/documents/100128655 oval:org.mitre.oval:def:14211 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=614499 https://bugzilla.mozilla.org/show_bug.cgi?id=613376 https://bugzilla.mozilla.org/show_bug.cgi?id=605672 https://bugzilla.mozilla.org/show_bug.cgi?id=602115 https://bugzilla.mozilla.org/show_bug.cgi?id=600974 https://bugzilla.mozilla.org/show_bug.cgi?id=600853 https://bugzilla.mozilla.org/show_bug.cgi?id=596232 https://bugzilla.mozilla.org/show_bug.cgi?id=576649 https://bugzilla.mozilla.org/show_bug.cgi?id=563618 https://bugzilla.mozilla.org/show_bug.cgi?id=563243 https://bugzilla.mozilla.org/show_bug.cgi?id=558633 https://bugzilla.mozilla.org/show_bug.cgi?id=558541 https://bugzilla.mozilla.org/show_bug.cgi?id=558531 46645 RHSA-2011:0313 RHSA-2011:0312 http://www.mozilla.org/security/announce/2011/mfsa2011-01.html MDVSA-2011:042 http://support.avaya.com/css/P8/documents/100128655 oval:org.mitre.oval:def:14379 Buffer overflow in the JavaScript engine in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, might allow remote attackers to execute arbitrary code via vectors involving non-local JavaScript variables, aka an "upvarMap" issue. https://bugzilla.mozilla.org/show_bug.cgi?id=615657 46648 http://www.mozilla.org/security/announce/2011/mfsa2011-04.html MDVSA-2011:041 oval:org.mitre.oval:def:14018 Use-after-free vulnerability in the JSON.stringify method in js3250.dll in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, might allow remote attackers to execute arbitrary code via unspecified vectors related to the js_HasOwnProperty function and garbage collection. https://bugzilla.mozilla.org/show_bug.cgi?id=619255 https://bugzilla.mozilla.org/show_bug.cgi?id=616009 http://www.zerodayinitiative.com/advisories/ZDI-11-103/ 46661 20110302 ZDI-11-103: Mozilla Firefox JSON.stringify Dangling Pointer Remote Code Execution Vulnerability http://www.mozilla.org/security/announce/2011/mfsa2011-03.html MDVSA-2011:041 oval:org.mitre.oval:def:14476 Buffer overflow in the JavaScript engine in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, might allow remote attackers to execute arbitrary code via vectors involving exception timing and a large number of string values, aka an "atom map" issue. https://bugzilla.mozilla.org/show_bug.cgi?id=622015 46650 http://www.mozilla.org/security/announce/2011/mfsa2011-05.html MDVSA-2011:041 oval:org.mitre.oval:def:14013 Use-after-free vulnerability in the Web Workers implementation in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, allows remote attackers to execute arbitrary code via vectors related to a JavaScript Worker and garbage collection. https://bugzilla.mozilla.org/show_bug.cgi?id=626631 46663 http://www.mozilla.org/security/announce/2011/mfsa2011-06.html MDVSA-2011:041 oval:org.mitre.oval:def:14200 Buffer overflow in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a long string that triggers construction of a long text run. https://bugzilla.mozilla.org/show_bug.cgi?id=607160 46660 http://www.mozilla.org/security/announce/2011/mfsa2011-07.html MDVSA-2011:041 oval:org.mitre.oval:def:14254 Cross-site request forgery (CSRF) vulnerability in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, allows remote attackers to hijack the authentication of arbitrary users for requests that were initiated by a plugin and received a 307 redirect to a page on a different web site. https://bugzilla.mozilla.org/show_bug.cgi?id=573873 46652 RHSA-2011:0313 http://www.mozilla.org/security/announce/2011/mfsa2011-10.html MDVSA-2011:041 http://support.avaya.com/css/P8/documents/100128655 oval:org.mitre.oval:def:14473 Buffer overflow in Mozilla Firefox 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG image. https://bugzilla.mozilla.org/show_bug.cgi?id=610601 46651 http://www.mozilla.org/security/announce/2011/mfsa2011-09.html MDVSA-2011:042 MDVSA-2011:041 oval:org.mitre.oval:def:14486 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.6.x before 3.6.14 and Thunderbird 3.1.x before 3.1.8 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=599610 https://bugzilla.mozilla.org/show_bug.cgi?id=569384 http://www.mozilla.org/security/announce/2011/mfsa2011-01.html MDVSA-2011:042 MDVSA-2011:041 oval:org.mitre.oval:def:14409 The _list_file_get function in lib/Majordomo.pm in Majordomo 2 20110203 and earlier allows remote attackers to conduct directory traversal attacks and read arbitrary files via a ./.../ sequence in the "extra" parameter to the help command, which causes the regular expression to produce .. (dot dot) sequences. NOTE: this vulnerability is due to an incomplete fix for CVE-2011-0049. https://bugzilla.mozilla.org/show_bug.cgi?id=631307 majordomo-listfileget-dir-traversal(66011) 20110308 NSOADV-2011-003: Majordomo2 'help' Command Directory Traversal (Patch Bypass) http://sotiriu.de/adv/NSOADV-2011-003.txt 8133 43631 The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' https://build.opensuse.org/request/show/63070 https://bugzilla.redhat.com/show_bug.cgi?id=678563 http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2ed2cd307e7a991346faee164e70d9 https://bugzilla.novell.com/show_bug.cgi?id=672502 https://bugzilla.mozilla.org/show_bug.cgi?id=606997 pango-hbbufferensure-bo(65770) ADV-2011-0683 ADV-2011-0584 ADV-2011-0558 ADV-2011-0555 ADV-2011-0543 USN-1082-1 46632 RHSA-2011:0309 MDVSA-2011:040 DSA-2178 1025145 43800 43578 43572 43559 FEDORA-2011-3194 Use-after-free vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, allows remote attackers to execute arbitrary code via vectors related to OBJECT's mChannel. https://bugzilla.mozilla.org/show_bug.cgi?id=634986 http://www.mozilla.org/security/announce/2011/mfsa2011-13.html MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 8340 8331 8326 oval:org.mitre.oval:def:14142 Use-after-free vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, allows remote attackers to execute arbitrary code via vectors related to OBJECT's mObserverList. https://bugzilla.mozilla.org/show_bug.cgi?id=634983 http://www.mozilla.org/security/announce/2011/mfsa2011-13.html MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 oval:org.mitre.oval:def:13970 Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, does not properly implement autocompletion for forms, which allows remote attackers to read form history entries via a Java applet that spoofs interaction with the autocomplete controls. https://bugzilla.mozilla.org/show_bug.cgi?id=527935 http://www.mozilla.org/security/announce/2011/mfsa2011-14.html MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 oval:org.mitre.oval:def:14523 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19, 3.6.x before 3.6.17, and 4.x before 4.0.1; Thunderbird before 3.1.10; and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0070. https://bugzilla.mozilla.org/show_bug.cgi?id=644069 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html MDVSA-2011:080 MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 oval:org.mitre.oval:def:14065 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19, 3.6.x before 3.6.17, and 4.x before 4.0.1; Thunderbird before 3.1.10; and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0069. https://bugzilla.mozilla.org/show_bug.cgi?id=645565 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html MDVSA-2011:080 MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 oval:org.mitre.oval:def:14286 Directory traversal vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 on Windows allows remote attackers to determine the existence of arbitrary files, and possibly load resources, via vectors involving a resource: URL. https://bugzilla.mozilla.org/show_bug.cgi?id=624764 http://www.mozilla.org/security/announce/2011/mfsa2011-16.html MDVSA-2011:080 MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 oval:org.mitre.oval:def:14058 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0074, CVE-2011-0075, CVE-2011-0077, and CVE-2011-0078. https://bugzilla.mozilla.org/show_bug.cgi?id=624187 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html MDVSA-2011:080 MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 oval:org.mitre.oval:def:14038 Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, does not properly use nsTreeRange data structures, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer." https://bugzilla.mozilla.org/show_bug.cgi?id=630919 http://www.mozilla.org/security/announce/2011/mfsa2011-13.html MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 8310 oval:org.mitre.oval:def:14020 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0072, CVE-2011-0075, CVE-2011-0077, and CVE-2011-0078. https://bugzilla.mozilla.org/show_bug.cgi?id=619021 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html MDVSA-2011:080 MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 oval:org.mitre.oval:def:14317 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0072, CVE-2011-0074, CVE-2011-0077, and CVE-2011-0078. https://bugzilla.mozilla.org/show_bug.cgi?id=635977 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html MDVSA-2011:080 MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 oval:org.mitre.oval:def:14086 Unspecified vulnerability in the Java Embedding Plugin (JEP) in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, on Mac OS X allows remote attackers to bypass intended access restrictions via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=644682 https://bugzilla.mozilla.org/show_bug.cgi?id=634724 http://www.mozilla.org/security/announce/2011/mfsa2011-15.html MDVSA-2011:079 oval:org.mitre.oval:def:14498 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0072, CVE-2011-0074, CVE-2011-0075, and CVE-2011-0078. https://bugzilla.mozilla.org/show_bug.cgi?id=623998 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html MDVSA-2011:080 MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 oval:org.mitre.oval:def:14193 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0072, CVE-2011-0074, CVE-2011-0075, and CVE-2011-0077. https://bugzilla.mozilla.org/show_bug.cgi?id=635705 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html MDVSA-2011:080 MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 oval:org.mitre.oval:def:14246 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x before 4.0.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to gfx/layers/d3d10/ReadbackManagerD3D10.cpp and unknown other vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=639885 https://bugzilla.mozilla.org/show_bug.cgi?id=643649 https://bugzilla.mozilla.org/show_bug.cgi?id=642717 https://bugzilla.mozilla.org/show_bug.cgi?id=641388 https://bugzilla.mozilla.org/show_bug.cgi?id=639728 https://bugzilla.mozilla.org/show_bug.cgi?id=639343 https://bugzilla.mozilla.org/show_bug.cgi?id=601102 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html oval:org.mitre.oval:def:14232 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=638236 https://bugzilla.mozilla.org/show_bug.cgi?id=637957 https://bugzilla.mozilla.org/show_bug.cgi?id=637621 https://bugzilla.mozilla.org/show_bug.cgi?id=634257 https://bugzilla.mozilla.org/show_bug.cgi?id=615147 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html MDVSA-2011:080 MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 oval:org.mitre.oval:def:13866 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6.x before 3.6.17 and 4.x before 4.0.1, and Thunderbird 3.1.x before 3.1.10, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=645289 http://www.mozilla.org/security/announce/2011/mfsa2011-12.html MDVSA-2011:080 MDVSA-2011:079 DSA-2235 DSA-2228 DSA-2227 oval:org.mitre.oval:def:13993 The X.509 certificate validation functionality in Mozilla Firefox 4.0.x through 4.0.1 does not properly implement single-session security exceptions, which might make it easier for user-assisted remote attackers to spoof an SSL server via an untrusted certificate that triggers potentially unwanted local caching of documents from that server. https://bugzilla.redhat.com/show_bug.cgi?id=709165 https://bugzilla.mozilla.org/show_bug.cgi?id=660749 48064 oval:org.mitre.oval:def:14145 [oss-security] 20110531 Re: CVE request: firefox doesn't (re)validate certificates when loading HTTPS page [oss-security] 20110531 CVE request: firefox doesn't (re)validate certificates when loading HTTPS page [oss-security] 20110531 Re: CVE request: firefox doesn't (re)validate certificates when loading HTTPS page [oss-security] 20110531 Re: CVE request: firefox doesn't (re)validate certificates when loading HTTPS page http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627552 Use-after-free vulnerability in the nsSVGPathSegList::ReplaceItem function in the implementation of SVG element lists in Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving a user-supplied callback. https://bugzilla.mozilla.org/show_bug.cgi?id=648090 USN-1149-1 RHSA-2011:0888 RHSA-2011:0887 RHSA-2011:0886 RHSA-2011:0885 http://www.mozilla.org/security/announce/2011/mfsa2011-23.html MDVSA-2011:111 DSA-2273 DSA-2269 DSA-2268 http://support.avaya.com/css/P8/documents/100145333 http://support.avaya.com/css/P8/documents/100144854 45002 oval:org.mitre.oval:def:13543 SUSE-SA:2011:028 The SVGTextElement.getCharNumAtPosition function in Mozilla Firefox before 3.6.20, and 4.x through 5; Thunderbird 3.x before 3.1.12 and other versions before 6; SeaMonkey 2.x before 2.3; and possibly other products does not properly handle SVG text, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer." https://bugzilla.mozilla.org/show_bug.cgi?id=648094 RHSA-2011:1166 RHSA-2011:1164 http://www.mozilla.org/security/announce/2011/mfsa2011-33.html http://www.mozilla.org/security/announce/2011/mfsa2011-31.html http://www.mozilla.org/security/announce/2011/mfsa2011-30.html http://www.mozilla.org/security/announce/2011/mfsa2011-29.html MDVSA-2011:127 DSA-2297 DSA-2296 DSA-2295 oval:org.mitre.oval:def:14502 SUSE-SU-2011:0967 SUSE-SA:2011:037 Use-after-free vulnerability in the nsXULCommandDispatcher function in Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via a crafted XUL document that dequeues the current command updater. https://bugzilla.mozilla.org/show_bug.cgi?id=648100 USN-1149-1 RHSA-2011:0888 RHSA-2011:0887 RHSA-2011:0886 RHSA-2011:0885 http://www.mozilla.org/security/announce/2011/mfsa2011-23.html MDVSA-2011:111 DSA-2273 DSA-2269 DSA-2268 http://support.avaya.com/css/P8/documents/100145333 http://support.avaya.com/css/P8/documents/100144854 45002 oval:org.mitre.oval:def:14432 SUSE-SA:2011:028 win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Win32k Improper User Input Validation Vulnerability." MS11-012 ADV-2011-0325 46141 43255 oval:org.mitre.oval:def:12070 70818 win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 Gold and SP2 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Win32k Insufficient User Input Validation Vulnerability." MS11-012 ADV-2011-0325 46148 43255 oval:org.mitre.oval:def:12312 70819 win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Win32k Window Class Pointer Confusion Vulnerability." MS11-012 ADV-2011-0325 46147 43255 oval:org.mitre.oval:def:12553 70816 win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Win32k Window Class Improper Pointer Validation Vulnerability." MS11-012 ADV-2011-0325 46149 43255 oval:org.mitre.oval:def:11638 70817 win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Vulnerability." MS11-012 ADV-2011-0325 46150 43255 oval:org.mitre.oval:def:12455 70814 Kerberos in Microsoft Windows Server 2008 R2 and Windows 7 does not prevent a session from changing from strong encryption to DES encryption, which allows man-in-the-middle attackers to spoof network traffic and obtain sensitive information via a DES downgrade, aka "Kerberos Spoofing Vulnerability." MS11-013 ms-kerberos-spoofing(64901) ADV-2011-0326 1025048 46140 http://support.avaya.com/css/P8/documents/100127250 43257 oval:org.mitre.oval:def:12498 70835 The LZW stream decompression functionality in ORMELEMS.DLL in Microsoft Visio 2002 SP2, 2003 SP3, and 2007 SP2 allows remote attackers to execute arbitrary code via a Visio file with a malformed VisioDocument stream that triggers an exception handler that accesses an object that has not been fully initialized, which triggers memory corruption, aka "Visio Object Memory Corruption Vulnerability." MS11-008 ms-visio-object-code-execution(64923) http://www.zerodayinitiative.com/advisories/ZDI-11-063/ ADV-2011-0321 1025043 46137 20110208 ZDI-11-063: Microsoft Visio 2007 LZW Stream Decompression Exception Vulnerability 43254 oval:org.mitre.oval:def:12403 70828 ELEMENTS.DLL in Microsoft Visio 2002 SP2, 2003 SP3, and 2007 SP2 does not properly parse structures during the opening of a Visio file, which allows remote attackers to execute arbitrary code via a file containing a malformed structure, aka "Visio Data Type Memory Corruption Vulnerability." MS11-008 ms-visio-data-code-execution(64924) ADV-2011-0321 1025043 46138 43254 oval:org.mitre.oval:def:12469 70829 Use-after-free vulnerability in Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, aka "Layouts Handling Memory Corruption Vulnerability." TA11-102A MS11-018 1025327 oval:org.mitre.oval:def:12463 20110412 Microsoft Internet Explorer Use-After-Free Memory Corruption Vulnerability The MHTML protocol handler in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly handle a MIME format in a request for content blocks in a document, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site that is visited in Internet Explorer, aka "MHTML Mime-Formatted Request Vulnerability." TA11-102A VU#326549 ms-win-mhtml-info-disclosure(65000) ADV-2011-0242 1025003 46055 MS11-026 http://www.microsoft.com/technet/security/advisory/2501696.mspx 16071 http://www.80vul.com/webzine_0x05/0x05%20IE%E4%B8%8BMHTML%E5%8D%8F%E8%AE%AE%E5%B8%A6%E6%9D%A5%E7%9A%84%E8%B7%A8%E5%9F%9F%E5%8D%B1%E5%AE%B3.html 43093 oval:org.mitre.oval:def:6956 70693 http://blogs.technet.com/b/srd/archive/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability.aspx http://blogs.technet.com/b/msrc/archive/2011/01/28/microsoft-releases-security-advisory-2501696.aspx Integer underflow in Microsoft Excel 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Excel Viewer SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 allows remote attackers to execute arbitrary code via a crafted 400h substream in an Excel file, which triggers a stack-based buffer overflow, aka "Excel Integer Overrun Vulnerability." TA11-102A MS11-021 ADV-2011-0940 1025337 47201 http://secunia.com/secunia_research/2011-31 39122 oval:org.mitre.oval:def:12612 71758 Integer signedness error in Microsoft Excel 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Excel Viewer SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 allows remote attackers to execute arbitrary code via an XLS file with a large record size, aka "Excel Heap Overflow Vulnerability." TA11-102A MS11-021 ADV-2011-0940 1025337 47235 http://secunia.com/secunia_research/2011-32/ 39122 oval:org.mitre.oval:def:12034 71759 Microsoft Excel 2002 SP3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted RealTimeData record, related to a stTopic field, doubly-byte characters, and an incorrect pointer calculation, aka "Excel Record Parsing WriteAV Vulnerability." TA11-102A MS11-021 http://www.zerodayinitiative.com/advisories/ZDI-11-120 ADV-2011-0940 1025337 47243 20110412 ZDI-11-120: Microsoft Office Excel RealTimeData Record Parsing Remote Code Execution Vulnerability 39122 oval:org.mitre.oval:def:11676 71766 Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted record information in an Excel file, aka "Excel Memory Corruption Vulnerability." TA11-102A MS11-021 ADV-2011-0940 1025337 47244 39122 oval:org.mitre.oval:def:12616 71760 20110412 Microsoft Excel Memory Corruption Vulnerability Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HLink record in an Excel file, aka "Excel Buffer Overwrite Vulnerability." TA11-102A MS11-021 ADV-2011-0940 1025337 47245 http://www.checkpoint.com/defense/advisories/public/2011/cpai-31-Mard.html 39122 oval:org.mitre.oval:def:11767 71761 Microsoft Excel 2002 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac obtain a certain length value from an uninitialized memory location, which allows remote attackers to trigger a buffer overflow and execute arbitrary code via a crafted Excel file, aka "Excel Data Initialization Vulnerability." TA11-102A MS11-021 ADV-2011-0940 1025337 39122 oval:org.mitre.oval:def:12618 Untrusted search path vulnerability in Microsoft Office XP SP3, Office 2003 SP3, and Office 2007 SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Office Component Insecure Library Loading Vulnerability." Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' Per: http://www.microsoft.com/technet/security/Bulletin/MS11-023.mspx Access Vector: Network per "This is a remote code execution vulnerability" TA11-102A MS11-023 ADV-2011-0942 1025343 47246 http://www.fortiguard.com/advisory/FGA-2011-13.html 44015 oval:org.mitre.oval:def:12655 71767 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-02-1 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 The DOM level 2 implementation in WebKit, as used in Apple iTunes before 10.2 on Windows and Apple Safari, does not properly handle DOM manipulations associated with event listeners during processing of range objects, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://www.zerodayinitiative.com/advisories/ZDI-11-096 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 Use-after-free vulnerability in the setOuterText method in the htmlelement library in WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to DOM manipulations during iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://www.zerodayinitiative.com/advisories/ZDI-11-097 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 Use-after-free vulnerability in the Runin box functionality in the Cascading Style Sheets (CSS) 2.1 Visual Formatting Model implementation in WebKit, as used in Apple iTunes before 10.2 on Windows and Apple Safari, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://www.zerodayinitiative.com/advisories/ZDI-11-098 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, does not properly access glyph data during layout actions for floating blocks associated with pseudo-elements, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://www.zerodayinitiative.com/advisories/ZDI-11-099 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, does not properly parse HTML elements associated with document namespaces, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to a "dangling pointer" and iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://www.zerodayinitiative.com/advisories/ZDI-11-100 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 oval:org.mitre.oval:def:12519 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows and Apple iOS, does not properly implement the .sort function for JavaScript arrays, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://www.zerodayinitiative.com/advisories/ZDI-11-101 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iOS before 4.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-09-1. appleios-webkit-unspec-code-exec(66007) 46807 http://support.apple.com/kb/HT4564 APPLE-SA-2011-03-09-1 MobileSafari in Apple iOS before 4.3 does not properly implement application launching through URL handlers, which allows remote attackers to cause a denial of service (persistent application crash) via crafted JavaScript code. appleios-mobilesafari-dos(66002) 1025182 46806 http://support.apple.com/kb/HT4564 APPLE-SA-2011-03-09-1 The Safari Settings feature in Safari in Apple iOS 4.x before 4.3 does not properly implement the clearing of cookies during execution of the Safari application, which might make it easier for remote web servers to track users by setting a cookie. 1025182 46810 http://support.apple.com/kb/HT4564 APPLE-SA-2011-03-09-1 WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle redirects in conjunction with HTTP Basic Authentication, which might allow remote web servers to capture credentials by logging the Authorization HTTP header. 1025182 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle the Attr.style accessor, which allows remote attackers to bypass the Same Origin Policy and inject Cascading Style Sheets (CSS) token sequences via a crafted web site. appleios-attr-code-execution(66000) 1025182 46814 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 Wi-Fi in Apple iOS before 4.3 and Apple TV before 4.2 does not properly perform bounds checking for Wi-Fi frames, which allows remote attackers to cause a denial of service (device reset) via unspecified traffic on the local wireless network. appleios-wifi-dos(65998) 1025182 46813 http://support.apple.com/kb/HT4565 http://support.apple.com/kb/HT4564 APPLE-SA-2011-03-09-3 APPLE-SA-2011-03-09-1 WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle unspecified "cached resources," which allows remote attackers to cause a denial of service (resource unavailability) via a crafted web site that conducts a cache-poisoning attack. appleios-cache-dos(66001) 1025182 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4554 APPLE-SA-2011-10-11-1 APPLE-SA-2011-07-20-1 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 The HTML5 drag and drop functionality in WebKit in Apple Safari before 5.0.4 allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via vectors related to the dragging of content. NOTE: this might overlap CVE-2011-0778. apple-safari-html5-info-disclosure(66004) 1025183 46811 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4566 APPLE-SA-2011-10-12-1 APPLE-SA-2011-03-09-2 The windows functionality in WebKit in Apple Safari before 5.0.4 allows remote attackers to bypass the Same Origin Policy, and force the upload of arbitrary local files from a client computer, via a crafted web site. 1025183 46816 http://support.apple.com/kb/HT4566 APPLE-SA-2011-03-09-2 WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 WebKit in Apple Safari before 5.0.4, when the Web Inspector is used, does not properly handle the window.console._inspectorCommandLineAPI property, which allows user-assisted remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site. safari-commandlineapi-xss(66006) 1025183 46809 http://support.apple.com/kb/HT4566 APPLE-SA-2011-03-09-2 Heap-based buffer overflow in ImageIO in CoreGraphics in Apple iTunes before 10.2 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted International Color Consortium (ICC) profile in a JPEG image. APPLE-SA-2011-03-02-1 http://support.apple.com/kb/HT4581 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4554 APPLE-SA-2011-03-21-1 APPLE-SA-2011-03-09-2 20110302 Apple CoreGraphics Library Heap Memory Corruption Vulnerability AirPort in Apple Mac OS X 10.6 before 10.6.7 allows remote attackers to cause a denial of service (divide-by-zero error and reboot) via Wi-Fi frames on the local wireless network, a different vulnerability than CVE-2011-0162. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 Multiple format string vulnerabilities in AppleScript in Apple Mac OS X before 10.6.7 allow context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in a (1) display dialog or (2) display alert command in a dialog in an AppleScript Studio application. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X before 10.6.7 allows remote attackers to execute arbitrary code via a document that contains a crafted embedded OpenType font. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS X before 10.6.7 allow remote attackers to execute arbitrary code via a document that contains a crafted embedded TrueType font. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS X before 10.6.7 allow remote attackers to execute arbitrary code via a document that contains a crafted embedded Type 1 font. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS X before 10.6.7 allow remote attackers to execute arbitrary code via a document that contains a crafted SFNT table in an embedded font. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 The FSFindFolder API in CarbonCore in Apple Mac OS X before 10.6.7 provides a world-readable directory in response to a call with the kTemporaryFolderType flag, which allows local users to obtain potentially sensitive information by accessing this directory. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 CoreText in Apple Mac OS X before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a document that contains a crafted embedded font. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 Integer overflow in HFS in Apple Mac OS X before 10.6.7 allows local users to read arbitrary (1) HFS, (2) HFS+, or (3) HFS+J files via a crafted F_READBOOTSTRAP ioctl call. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 Integer overflow in ImageIO in Apple Mac OS X before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted XBM image. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 The i386_set_ldt system call in the kernel in Apple Mac OS X before 10.6.7 does not properly handle call gates, which allows local users to gain privileges via vectors involving the creation of a call gate entry. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 8402 Libinfo in Apple Mac OS X before 10.6.7 does not properly handle an unspecified integer field in an NFS RPC packet, which allows remote attackers to cause a denial of service (lockd, statd, mountd, or portmap outage) via a crafted packet, related to an "integer truncation issue." http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 QuickLook in Apple Mac OS X 10.6 before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via an Excel spreadsheet with a crafted formula that uses unspecified opcodes. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT4999 APPLE-SA-2011-10-12-1 20110321 Apple OfficeImport Framework Excel Memory Corruption Vulnerability Format string vulnerability in the debug-logging feature in Application Firewall in Apple Mac OS X before 10.7.2 allows local users to gain privileges via a crafted name of an executable file. 50092 50085 http://support.apple.com/kb/HT5002 APPLE-SA-2011-10-12-3 QuickTime in Apple Mac OS X before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted JPEG2000 image. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 APPLE-SA-2011-08-03-1 The plug-in in QuickTime in Apple Mac OS X before 10.6.7 allows remote attackers to bypass the Same Origin Policy and obtain potentially sensitive video data via vectors involving a cross-site redirect. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 http://support.apple.com/kb/HT5002 http://support.apple.com/kb/HT4999 APPLE-SA-2011-10-12-3 APPLE-SA-2011-10-12-1 APPLE-SA-2011-08-03-1 The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue." Per: http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html 'This issue only affects 64-bit Ruby processes'. https://bugzilla.redhat.com/show_bug.cgi?id=682332 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ext/bigdecimal/bigdecimal.c?r1=29364&r2=30993 http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 1025236 RHSA-2011:0910 RHSA-2011:0909 RHSA-2011:0908 MDVSA-2011:098 MDVSA-2011:097 The default configuration of Terminal in Apple Mac OS X 10.6 before 10.6.7 uses SSH protocol version 1 within the New Remote Connection dialog, which might make it easier for man-in-the-middle attackers to spoof SSH servers by leveraging protocol vulnerabilities. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 Install Helper in Installer in Apple Mac OS X before 10.6.7 does not properly process an unspecified URL, which might allow remote attackers to track user logins by logging network traffic from an agent that was intended to send network traffic to an Apple server. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 Buffer overflow in LibTIFF 3.9.4 and possibly other versions, as used in ImageIO in Apple iTunes before 10.2 on Windows and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image with JPEG encoding. APPLE-SA-2011-03-02-1 ADV-2011-0859 ADV-2011-0845 46657 MDVSA-2011:064 DSA-2210 http://support.apple.com/kb/HT4581 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4565 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 43934 APPLE-SA-2011-03-21-1 APPLE-SA-2011-03-09-3 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 Buffer overflow in Fax4Decode in LibTIFF 3.9.4 and possibly other versions, as used in ImageIO in Apple iTunes before 10.2 on Windows and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF Internet Fax image file that has been compressed using CCITT Group 4 encoding, related to the EXPAND2D macro in libtiff/tif_fax3.h. NOTE: some of these details are obtained from third party information. APPLE-SA-2011-03-02-1 https://bugzilla.redhat.com/show_bug.cgi?id=678635 ADV-2011-0960 ADV-2011-0930 ADV-2011-0905 ADV-2011-0845 ADV-2011-0621 ADV-2011-0599 ADV-2011-0551 1025153 46658 RHSA-2011:0318 MDVSA-2011:043 DSA-2210 http://support.apple.com/kb/HT5001 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4581 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4565 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4554 SSA:2011-098-01 GLSA-201209-02 50726 44135 44117 43934 43664 43593 43585 FEDORA-2011-2498 FEDORA-2011-2540 FEDORA-2011-3827 FEDORA-2011-3836 APPLE-SA-2011-03-21-1 APPLE-SA-2011-10-12-2 APPLE-SA-2011-10-12-1 APPLE-SA-2011-03-09-3 APPLE-SA-2011-03-09-2 APPLE-SA-2011-03-09-1 http://blackberry.com/btsc/KB27244 Multiple buffer overflows in Image RAW in Apple Mac OS X before 10.6.7 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Canon RAW image. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 Integer overflow in ImageIO in Apple Mac OS X 10.6 before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image with JPEG encoding. http://support.apple.com/kb/HT4581 APPLE-SA-2011-03-21-1 The generate-id XPath function in libxslt in Apple iOS 4.3.x before 4.3.2 allows remote attackers to obtain potentially sensitive information about heap memory addresses via a crafted web site. NOTE: this may overlap CVE-2011-1202. 1025365 http://support.apple.com/kb/HT4808 http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 APPLE-SA-2011-07-20-1 APPLE-SA-2011-04-14-1 AirPort in Apple Mac OS X 10.5.8 allows remote attackers to cause a denial of service (out-of-bounds read and reboot) via Wi-Fi frames on the local wireless network. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 App Store in Apple Mac OS X before 10.6.8 creates a log entry containing a user's AppleID password, which might allow local users to obtain sensitive information by reading a log file, as demonstrated by a log file that has non-default permissions. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 48443 Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code via a crafted embedded TrueType font. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 48436 The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle attackers to spoof an SSL server via a revoked certificate. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 48447 Integer overflow in ColorSync in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image containing a crafted embedded ColorSync profile that triggers a heap-based buffer overflow. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT5130 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2012-02-01-1 APPLE-SA-2011-10-11-1 APPLE-SA-2011-07-20-1 Off-by-one error in the CoreFoundation framework in Apple Mac OS X before 10.6.8 allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a CFString object that triggers a buffer overflow. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4808 APPLE-SA-2011-07-20-1 Integer overflow in CoreGraphics in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted embedded Type 1 font in a PDF document. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4808 APPLE-SA-2011-07-20-1 Absolute path traversal vulnerability in xftpd in the FTP Server component in Apple Mac OS X before 10.6.8 allows remote attackers to list arbitrary directories by using the root directory as the starting point of a recursive listing. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 48418 Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 73368 APPLE-SA-2011-10-11-1 APPLE-SA-2011-07-20-1 20110628 NGS00062 Patch Notification: Apple Mac OS X ImageIO TIFF Heap Overflow Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG2000 image. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 48439 Buffer overflow in International Components for Unicode (ICU) in Apple Mac OS X before 10.6.8 allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving uppercase strings. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 macos-icu-bo(68217) http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-12-1 APPLE-SA-2011-07-20-1 The MobileMe component in Apple Mac OS X before 10.6.8 uses a cleartext HTTP session for the Mail application to read e-mail aliases, which allows remote attackers to obtain potentially sensitive alias information by sniffing the network. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 48444 QuickLook in Apple Mac OS X 10.6 before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Microsoft Office document. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 http://support.apple.com/kb/HT4999 APPLE-SA-2011-10-12-1 Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted RIFF WAV file. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 APPLE-SA-2011-08-03-1 QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted sample tables in a movie file. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 48442 APPLE-SA-2011-08-03-1 Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 APPLE-SA-2011-08-03-1 servermgrd in Apple Mac OS X before 10.6.8 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service (CPU and memory consumption), via an XML-RPC request containing an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 48445 Buffer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG file. http://support.apple.com/kb/HT4723 APPLE-SA-2011-06-23-1 APPLE-SA-2011-08-03-1 CFNetwork in Apple Safari before 5.0.6 on Windows does not properly handle an untrusted attribute of a system root certificate, which allows remote web servers to bypass intended SSL restrictions via a certificate signed by a blacklisted certification authority. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4808 ImageIO in Apple Safari before 5.0.6 on Windows does not properly address re-entrancy issues, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF file. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-11-1 Off-by-one error in libxml in Apple Safari before 5.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via a crafted web site. APPLE-SA-2011-07-20-1 RHSA-2011:1749 MDVSA-2011:188 DSA-2394 http://support.apple.com/kb/HT5001 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4808 RHSA-2013:0217 APPLE-SA-2011-10-12-2 APPLE-SA-2011-10-12-1 Apple Safari before 5.0.6 provides AutoFill information to scripts that execute before HTML form submission, which allows remote attackers to obtain Address Book information via a crafted form, as demonstrated by a form that includes non-visible fields. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4808 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-11-1 Apple Safari before 5.0.6 allows remote attackers to bypass the Same Origin Policy, and modify the rendering of text from arbitrary web sites, via a Java applet that loads fonts. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4808 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-11-1 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 8315 8313 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-11-1 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-11-1 CoreMedia in Apple Mac OS X through 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted QuickTime movie file. 50095 50085 http://support.apple.com/kb/HT5002 APPLE-SA-2011-10-12-3 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-11-1 Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011. 48619 RHSA-2011:1085 MDVSA-2011:120 DSA-2294 http://www.appleinsider.com/articles/11/07/06/hackers_release_new_browser_based_ios_jailbreak_based_on_pdf_exploit.html http://support.apple.com/kb/HT5002 http://support.apple.com/kb/HT4803 http://support.apple.com/kb/HT4802 45224 45167 SUSE-SU-2011:0853 openSUSE-SU-2011:0852 [freetype-devel] 20110711 Re: details on iPhone exploit caused by FreeType? [freetype-devel] 20110711 Re: details on iPhone exploit caused by FreeType? [freetype-devel] 20110709 Re: details on iPhone exploit caused by FreeType? [freetype-devel] 20110708 Re: details on iPhone exploit caused by FreeType? [freetype-devel] 20110708 details on iPhone exploit caused by FreeType? APPLE-SA-2011-10-12-3 APPLE-SA-2011-07-15-2 APPLE-SA-2011-07-15-1 The queueing primitives in IOMobileFrameBuffer in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 do not properly perform type conversion, which allows local users to gain privileges via a crafted application. http://support.apple.com/kb/HT4803 http://support.apple.com/kb/HT4802 APPLE-SA-2011-07-15-2 APPLE-SA-2011-07-15-1 The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middle attackers to spoof an SSL server by using a non-CA certificate to sign a certificate for an arbitrary domain. https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt 48877 20110725 TWSL2011-007: iOS SSL Implementation Does Not Validate Certificate Chain http://support.apple.com/kb/HT4825 http://support.apple.com/kb/HT4824 1025837 8361 45369 APPLE-SA-2011-07-25-1 APPLE-SA-2011-07-25-2 Apple Type Services (ATS) in Apple Mac OS X through 10.6.8 does not properly handle embedded Type 1 fonts, which allows remote attackers to execute arbitrary code via a crafted document that triggers an out-of-bounds memory access. 50091 50085 http://support.apple.com/kb/HT5002 APPLE-SA-2011-10-12-3 Buffer overflow in the ATSFontDeactivate API in Apple Type Services (ATS) in Apple Mac OS X before 10.7.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors. 50085 http://support.apple.com/kb/HT5002 APPLE-SA-2011-10-12-3 CFNetwork in Apple Mac OS X before 10.7.2 does not properly follow an intended cookie-storage policy, which makes it easier for remote web servers to track users via a cookie, related to a "synchronization issue." 50085 http://support.apple.com/kb/HT5002 APPLE-SA-2011-10-12-3 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-11-1 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-11-1 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-11-1 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-11-1 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-11-1 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-11-1 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-11-1 Heap-based buffer overflow in ImageIO in Apple Safari before 5.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image with CCITT Group 4 encoding. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT5281 http://support.apple.com/kb/HT5130 http://support.apple.com/kb/HT5001 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4808 APPLE-SA-2012-05-09-1 APPLE-SA-2012-02-01-1 APPLE-SA-2011-10-12-2 APPLE-SA-2011-10-12-1 Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving a URL that contains a username. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-12-1 WebKit in Apple Safari before 5.0.6 allows user-assisted remote attackers to read arbitrary files via vectors related to improper canonicalization of URLs within RSS feeds. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4808 Buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted pict file. APPLE-SA-2011-08-03-1 Heap-based buffer overflow in Apple QuickTime before 7.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file. APPLE-SA-2011-08-03-1 Multiple stack-based buffer overflows in Apple QuickTime before 7.7 on Windows allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted H.264 movie. APPLE-SA-2011-08-03-1 Stack-based buffer overflow in the QuickTime ActiveX control in Apple QuickTime before 7.7 on Windows, when Internet Explorer is used, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted QTL file. APPLE-SA-2011-08-03-1 Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STSC atoms in a QuickTime movie file. APPLE-SA-2011-08-03-1 http://support.apple.com/kb/HT5002 APPLE-SA-2011-10-12-3 Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STSS atoms in a QuickTime movie file. APPLE-SA-2011-08-03-1 http://support.apple.com/kb/HT5002 APPLE-SA-2011-10-12-3 Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STSZ atoms in a QuickTime movie file. APPLE-SA-2011-08-03-1 http://support.apple.com/kb/HT5002 APPLE-SA-2011-10-12-3 Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STTS atoms in a QuickTime movie file. APPLE-SA-2011-08-03-1 http://support.apple.com/kb/HT5002 APPLE-SA-2011-10-12-3 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-11-1 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-11-1 WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 APPLE-SA-2011-10-12-1 APPLE-SA-2011-10-11-1 Integer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted track run atoms in a QuickTime movie file. http://support.apple.com/kb/HT4826 Integer signedness error in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PnSize opcode in a PICT file that triggers a stack-based buffer overflow. http://zerodayinitiative.com/advisories/ZDI-11-252/ 17777 http://support.apple.com/kb/HT4826 8365 Apple QuickTime before 7.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted image description associated with an mp4v tag in a movie file. http://zerodayinitiative.com/advisories/ZDI-11-277/ quicktime-mp4v-bo(69518) 20110831 ZDI-11-277: Apple QuickTime 3g2 'mp4v' atom size Remote Code Execution Vulnerability http://support.apple.com/kb/HT4826 8368 CoreFoundation, as used in Apple iTunes before 10.5, does not properly perform string tokenization, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors. APPLE-SA-2011-10-11-1 50067 http://support.apple.com/kb/HT5002 http://support.apple.com/kb/HT4999 http://support.apple.com/kb/HT4981 APPLE-SA-2011-10-12-3 APPLE-SA-2011-10-12-1 The CoreProcesses component in Apple Mac OS X 10.7 before 10.7.2 does not prevent a system window from receiving keystrokes in the locked-screen state, which might allow physically proximate attackers to bypass intended access restrictions by typing into this window. 50085 http://support.apple.com/kb/HT5002 APPLE-SA-2011-10-12-3 Unspecified vulnerability in jovgraph.exe in jovgraph in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a malformed displayWidth option in the arg parameter. hp-opennnm-jovgraph-bo(64655) http://www.zerodayinitiative.com/advisories/ZDI-11-003/ ADV-2011-0085 1024951 45762 SSRT100352 SSRT100352 Buffer overflow in the stringToSeconds function in ovutil.dll in ovwebsnmpsrv.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via large values of variables to jovgraph.exe. hp-opennnm-ovutildll-bo(64654) http://www.zerodayinitiative.com/advisories/ZDI-11-004/ ADV-2011-0085 1024951 45762 HPSBMA02621 HPSBMA02621 Multiple stack-based buffer overflows in ovas.exe in the OVAS service in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allow remote attackers to execute arbitrary code via a long (1) Source Node or (2) Destination Node variable. hp-opennnm-ovas-bo(64653) http://www.zerodayinitiative.com/advisories/ZDI-11-005/ ADV-2011-0085 1024951 45762 SSRT100352 SSRT100352 Stack-based buffer overflow in ovutil.dll in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long COOKIE variable. hp-opennnm-ovutil-bo(64652) http://www.zerodayinitiative.com/advisories/ZDI-11-006/ ADV-2011-0085 1024951 45762 SSRT100352 SSRT100352 Buffer overflow in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long data_select1 parameter. hp-opennnm-dataselect1-bo(64651) http://www.zerodayinitiative.com/advisories/ZDI-11-007/ ADV-2011-0085 1024951 45762 HPSBMA02621 HPSBMA02621 Buffer overflow in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long nameParams parameter, a different vulnerability than CVE-2011-0267.2. hp-opennnm-nameparams-bo(64650) http://www.zerodayinitiative.com/advisories/ZDI-11-008/ ADV-2011-0085 1024951 45762 HPSBMA02621 HPSBMA02621 8151 Multiple buffer overflows in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allow remote attackers to execute arbitrary code via a long (1) schdParams or (2) nameParams parameter, a different vulnerability than CVE-2011-0266. hp-opennnm-schdparams-bo(64649) http://www.zerodayinitiative.com/advisories/ZDI-11-009/ ADV-2011-0085 1024951 45762 SSRT100352 SSRT100352 17038 8156 Buffer overflow in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long text1 parameter. hp-opennnm-text1-bo(64648) http://www.zerodayinitiative.com/advisories/ZDI-11-010/ ADV-2011-0085 1024951 45762 SSRT100352 SSRT100352 Buffer overflow in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long schd_select1 parameter. hp-opennnm-schdselect1-bo(64647) http://www.zerodayinitiative.com/advisories/ZDI-11-011/ ADV-2011-0085 1024951 45762 SSRT100352 SSRT100352 Format string vulnerability in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via format string specifiers in input data that involves an invalid template name. hp-opennnm-nnmrptconfig-format-string(64646) http://www.zerodayinitiative.com/advisories/ZDI-11-012/ ADV-2011-0085 1024951 45762 HPSBMA02621 HPSBMA02621 70474 The CGI scripts in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 do not properly validate an unspecified parameter, which allows remote attackers to execute arbitrary commands by using a command string for this parameter's value, related to a "command injection vulnerability." hp-opennnm-cgi-command-exec(64657) ADV-2011-0085 1024951 45762 HPSBMA02621 HPSBMA02621 20110110 HP Network Node Manager Command Injection Vulnerability Unspecified vulnerability in HP LoadRunner 9.52 allows remote attackers to execute arbitrary code via network traffic to TCP port 5001 or 5002, related to the HttpTunnel feature. loadrunner-unspec-code-execution(64659) ADV-2011-0095 45792 HPSBMA02624 HPSBMA02624 1024956 42898 70432 Buffer overflow in crs.exe in HP OpenView Storage Data Protector Cell Manager 6.11 allows remote attackers to execute arbitrary code via unspecified message types. hp-openview-storage-code-execution(64818) http://www.zerodayinitiative.com/advisories/ZDI-11-024/ ADV-2011-0177 SSRT100138 SSRT100138 1024983 42997 70621 Cross-site scripting (XSS) vulnerability in HP Business Availability Center (BAC) 7.x through 7.55 and 8.x through 8.05, and Business Service Management (BSM) through 9.01, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. hp-bac-bsm-xss(64846) ADV-2011-0188 45944 1024986 43018 43014 SSRT100342 SSRT100342 Unspecified vulnerability in HP OpenView Storage Data Protector 6.0, 6.10, and 6.11 allows remote attackers to cause a denial of service via unknown vectors. hp-openview-storage-dos(64932) ADV-2011-0218 46018 1024991 43088 70657 HPSBMA02626 HPSBMA02626 HP OpenView Performance Insight Server 5.2, 5.3, 5.31, 5.4, and 5.41 contains a "hidden account" in the com.trinagy.security.XMLUserManager Java class, which allows remote attackers to execute arbitrary code via the doPost method in the com.trinagy.servlet.HelpManagerServlet class. openview-dopost-code-execution(65038) http://www.zerodayinitiative.com/advisories/ZDI-11-034 ADV-2011-0258 1025014 46079 20110131 ZDI-11-034: HP OpenView Performance Insight Server Backdoor Account Code Execution Vulnerability 16984 8136 43145 70754 HPSBMA02627 HPSBMA02627 Cross-site request forgery (CSRF) vulnerability in HP Power Manager (HPPM) 4.3.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts. 1025032 46258 43058 70836 HPSBMA02629 HPSBMA02629 Unspecified vulnerability in HP Web Jetadmin 10.2 Service Release 3 and 4 allows local users to bypass intended access restrictions via unknown vectors. ADV-2011-0516 46595 1025130 43526 HPSBPI02635 HPSBPI02635 HP Multifunction Peripheral (MFP) Digital Sending Software (DSS) 4.91.00 does not properly configure authentication settings of managed devices within device templates, which allows attackers to access these devices via actions that were intended to require authentication. hp-mfpdigitalsending-sec-bypass(65866) ADV-2011-0561 1025155 46679 43618 SSRT100410 HPSBPI02640 Multiple cross-site scripting (XSS) vulnerabilities in HP Power Manager (HPPM) 4.3.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the logType parameter to Contents/exportlogs.asp, (2) the Id parameter to Contents/pagehelp.asp, or the (3) SORTORD or (4) SORTCOL parameter to Contents/applicationlogs.asp. NOTE: some of these details are obtained from third party information. powermanager-unspecified-xss(66035) 46830 43058 SSRT100381 HPSBMA02629 The unparse implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (file descriptor exhaustion and daemon hang) via a principal name that triggers use of a backslash escape sequence, as demonstrated by a \n sequence. kerberos-ldap-descriptor-dos(65324) ADV-2011-0464 ADV-2011-0347 ADV-2011-0333 ADV-2011-0330 http://www.vmware.com/security/advisories/VMSA-2011-0012.html 1025037 46265 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console 20110208 MITKRB5-SA-2011-002 KDC denial of service attacks [CVE-2011-0281 CVE-2011-0282 CVE-2011-0283] RHSA-2011:0200 RHSA-2011:0199 MDVSA-2011:025 MDVSA-2011:024 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt 8073 46397 43275 43273 43260 [kerberos] 20101222 LDAP handle unavailable: Can't contact LDAP server SUSE-SR:2011:004 The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (NULL pointer dereference or buffer over-read, and daemon crash) via a crafted principal name. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' kerberos-ldap-dos(65323) ADV-2011-0464 ADV-2011-0347 ADV-2011-0333 ADV-2011-0330 http://www.vmware.com/security/advisories/VMSA-2011-0012.html 1025037 46271 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console 20110208 MITKRB5-SA-2011-002 KDC denial of service attacks [CVE-2011-0281 CVE-2011-0282 CVE-2011-0283] RHSA-2011:0200 RHSA-2011:0199 MDVSA-2011:025 MDVSA-2011:024 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt 8073 46397 43275 43273 43260 SUSE-SR:2011:004 The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed request packet that does not trigger a response packet. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' ADV-2011-0330 1025037 46272 20110208 MITKRB5-SA-2011-002 KDC denial of service attacks [CVE-2011-0281 CVE-2011-0282 CVE-2011-0283] http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt 8073 43260 Double free vulnerability in the prepare_error_as function in do_as_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 through 1.9, when the PKINIT feature is enabled, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via an e_data field containing typed data. VU#943220 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt kerberos-perpareerroras-code-execution(66101) ADV-2011-0763 ADV-2011-0722 ADV-2011-0680 ADV-2011-0673 ADV-2011-0672 USN-1088-1 46881 20110315 MITKRB5-SA-2011-003 [CVE-2011-0284] KDC double-free when PKINIT enabled RHSA-2011:0356 MDVSA-2011:048 1025216 43881 43783 43760 43700 71183 FEDORA-2011-3462 FEDORA-2011-3464 FEDORA-2011-3547 The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition. 20110413 MITKRB5-SA-2011-004 kadmind invalid pointer free() [CVE-2011-0285] http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-004.txt openSUSE-SU-2011:0348 ADV-2011-0997 ADV-2011-0986 ADV-2011-0936 1025320 47310 RHSA-2011:0447 MDVSA-2011:077 8200 44196 44181 44125 71789 FEDORA-2011-5333 http://krbdev.mit.edu/rt/Ticket/Display.html?id=6899 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621726 Cross-site scripting (XSS) vulnerability in webdesktop/app in the BlackBerry Web Desktop Manager component in Research In Motion (RIM) BlackBerry Enterprise Server (BES) software before 5.0.2 MR5 and 5.0.3 before MR1, and BlackBerry Enterprise Server Express software 5.0.1 and 5.0.2, allows remote attackers to inject arbitrary web script or HTML via the displayErrorMessage parameter in a ManageDevices action. ADV-2011-0971 47324 http://www.cybsec.com/vuln/CYBSEC_Advisory_2011_0401_Cross_Site_Scripting_XSS_in_Blackberry_WebDesktop.pdf http://www.blackberry.com/btsc/KB26296 1025356 44183 Unspecified vulnerability in the BlackBerry Administration API in Research In Motion (RIM) BlackBerry Enterprise Server (BES) software 5.0.1 through 5.0.3, and BlackBerry Enterprise Server Express software 5.0.1 through 5.0.3, allows remote attackers to read text files or cause a denial of service via unknown vectors. 48655 http://www.blackberry.com/btsc/KB27258 45242 The BlackBerry Collaboration Service in Research In Motion (RIM) BlackBerry Enterprise Server (BES) 5.0.3 through MR4 for Microsoft Exchange and Lotus Domino allows remote authenticated users to log into arbitrary user accounts associated with the same organization, and send messages, read messages, read contact lists, or cause a denial of service (login unavailability), via unspecified vectors. bes-collaboration-service-spoofing(70519) 50064 76286 http://www.blackberry.com/btsc/KB28524 1026179 46370 The BlackBerry PlayBook service on the Research In Motion (RIM) BlackBerry PlayBook tablet with software before 1.0.8.6067 allows local users to gain privileges via a crafted configuration file in a backup archive. blackberry-playbook-priv-esc(71659) 50931 1026386 47132 http://blackberry.com/btsc/KB29191 Buffer overflow in IBM WebSphere MQ 7.0 before 7.0.1.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted header field in a message. IZ77607 wmq-messageheader-bo(64628) ADV-2011-0128 45923 http://www-01.ibm.com/support/docview.wss?uid=swg27014224 42958 70476 The class file parser in IBM Java before 1.4.2 SR13 FP9, as used in IBM Runtimes for Java Technology 5.0.0 before SR13 and 6.0.0 before SR10, allows remote authenticated users to cause a denial of service (JVM segmentation fault, and possibly memory consumption or an infinite loop) via a crafted attribute length field in a class file, which triggers a buffer over-read. PM42551 ibm-rjt-classfile-dos(65189) RHSA-2011:1265 RHSA-2011:1159 IZ89620 IZ89602 SUSE-SU-2011:0823 SUSE-SA:2011:024 Heap-based buffer overflow in IBM WebSphere MQ 6.0 before 6.0.2.11 and 7.0 before 7.0.1.5 allows remote authenticated users to execute arbitrary code or cause a denial of service (queue manager crash) by inserting an invalid message into the queue. wmq-message-bo(64550) 45801 IZ81294 42941 Cross-site scripting (XSS) vulnerability in the Servlet Engine / Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to the lack of an error page for an application. was-webcontainer-xss(64554) ADV-2011-0564 46736 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 PM18512 42938 The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 does not properly restrict access to console servlets, which allows remote attackers to obtain potentially sensitive status information via a direct request. was-consoleservlet-info-disclosure(64558) ADV-2011-0564 46736 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 PM24372 42938 Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0318, CVE-2011-0319, CVE-2011-0320, CVE-2011-0335, CVE-2011-2119, and CVE-2011-2122. TA11-166A http://www.adobe.com/support/security/bulletins/apsb11-17.html Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0317, CVE-2011-0319, CVE-2011-0320, CVE-2011-0335, CVE-2011-2119, and CVE-2011-2122. TA11-166A http://www.adobe.com/support/security/bulletins/apsb11-17.html Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0317, CVE-2011-0318, CVE-2011-0320, CVE-2011-0335, CVE-2011-2119, and CVE-2011-2122. TA11-166A http://www.adobe.com/support/security/bulletins/apsb11-17.html Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0317, CVE-2011-0318, CVE-2011-0319, CVE-2011-0335, CVE-2011-2119, and CVE-2011-2122. TA11-166A http://www.adobe.com/support/security/bulletins/apsb11-17.html librpc.dll in nsrexecd in EMC NetWorker before 7.5 SP4, 7.5.3.x before 7.5.3.5, and 7.6.x before 7.6.1.2 does not properly mitigate the possibility of a spoofed localhost source IP address, which allows remote attackers to (1) register or (2) unregister RPC services, and consequently cause a denial of service or obtain sensitive information from interprocess communication, via crafted UDP packets containing service commands. networker-librpc-security-bypass(64997) ADV-2011-0241 46044 70686 1025010 43113 http://archives.neohapsis.com/archives/bugtraq/2011-01/att-0162/ESA-2011-003.txt 20110126 ESA-2011-003: EMC NetWorker librpc.dll spoofing vulnerability. Unspecified vulnerability in EMC RSA Access Manager Server 5.5.x, 6.0.x, and 6.1.x allows remote attackers to access resources via unknown vectors. rsa-unspecified-security-bypass(66104) ADV-2011-0676 1025214 46875 20110315 ESA-2011-009: RSA, The Security Division of EMC, announces a fix for potential security vulnerability in RSA Access Manager Server 8142 43796 Topaz Systems SigPlus Pro ActiveX Control 3.95, and possibly other versions before 4.29, allows remote attackers to execute arbitrary code by calling the exposed unsafe (1) SetLogFilePath and (2) SigMessage methods to create arbitrary files with arbitrary content. sigplus-sigmessage-file-overwrite(65117) 46128 http://secunia.com/secunia_research/2011-1/ 42800 Multiple heap-based buffer overflows in Topaz Systems SigPlus Pro ActiveX Control 3.95, and possibly other versions before 4.29, allow remote attackers to execute arbitrary code via a long (1) KeyString property, (2) NewPath parameter to the SetLocalIniFilePath method, or (3) NewPortPath parameter to the SetTabletPortPath method. sigplus-newportpath-bo(65116) sigplus-newpath-bo(65115) sigplus-keystring-bo(65114) 46128 http://secunia.com/secunia_research/2011-2/ 42800 Directory traversal vulnerability in the GetData method in the Dell DellSystemLite.Scanner ActiveX control in DellSystemLite.ocx 1.0.0.0 allows remote attackers to read arbitrary files via directory traversal sequences in the fileID parameter. 1025094 46443 http://secunia.com/secunia_research/2011-10/ 42880 The Dell DellSystemLite.Scanner ActiveX control in DellSystemLite.ocx 1.0.0.0 does not properly restrict the values of the WMIAttributesOfInterest property, which allows remote attackers to execute arbitrary WMI Query Language (WQL) statements via a crafted value, as demonstrated by a value that triggers disclosure of information about installed software. 1025094 46443 http://secunia.com/secunia_research/2011-11/ 42880 Use-after-free vulnerability in the addOSPLext method in the Honeywell ScanServer ActiveX control 780.0.20.5 allows remote attackers to execute arbitrary code via a crafted HTML document. ADV-2011-0725 46930 http://secunia.com/secunia_research/2011-22/ 43360 71249 Integer overflow in Foxit Reader before 4.3.1.0218 and Foxit Phantom before 2.3.3.1112 allows remote attackers to execute arbitrary code via crafted ICC chunks in a PDF file, which triggers a heap-based buffer overflow. http://www.foxitsoftware.com/pdf/reader/security_bulletins.php#memory ADV-2011-0508 1025129 http://secunia.com/secunia_research/2011-14/ 43440 43329 Heap-based buffer overflow in the NgwiCalVTimeZoneBody::ParseSelf function in gwwww1.dll in GroupWise Internet Agent (GWIA) in Novell GroupWise 8.0 before HP3 allows remote attackers to execute arbitrary code via a crafted TZNAME variable in a VCALENDAR attachment in an e-mail message, related to an "integer truncation error." 20110926 Novell GroupWise iCal TZNAME Heap Overflow Vulnerability https://bugzilla.novell.com/show_bug.cgi?id=678715 http://www.novell.com/support/viewContent.do?externalId=7009208 http://secunia.com/secunia_research/2011-66/ Stack-based buffer overflow in gwia.exe in GroupWise Internet Agent (GWIA) in Novell GroupWise 8.0 before HP3 allows remote attackers to execute arbitrary code via a long HTTP request for a .css file. https://bugzilla.novell.com/show_bug.cgi?id=678939 http://www.novell.com/support/viewContent.do?externalId=7009210 http://secunia.com/secunia_research/2011-67/ Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0317, CVE-2011-0318, CVE-2011-0319, CVE-2011-0320, CVE-2011-2119, and CVE-2011-2122. TA11-166A http://www.adobe.com/support/security/bulletins/apsb11-17.html Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol.ocx 61.6.0.0 and 301.1009.2904.0 in the ISSymbol virtual machine, as distributed in Advantech Studio 6.1 SP6 61.6.01.05, InduSoft Web Studio before 7.0+SP1, and InduSoft Thin Client 7.0, allow remote attackers to execute arbitrary code via a long (1) InternationalOrder, (2) InternationalSeparator, or (3) LogFileName property value; or (4) a long bstrFileName argument to the OpenScreen method. ADV-2011-1116 ADV-2011-1115 http://www.us-cert.gov/control_systems/pdf/ICSA-12-137-02.pdf 47596 http://www.indusoft.com/hotfixes/hotfixes.php http://www.advantechdirect.com/eMarketingPrograms/AStudio_Patch/AStudio7.0_Patch_Final.htm http://secunia.com/secunia_research/2011-37/ http://secunia.com/secunia_research/2011-36/ 43116 42928 http://ics-cert.us-cert.gov/advisories/ICSA-12-249-03 Stack-based buffer overflow in the pdfmoz_onmouse function in apps/mozilla/moz_main.c in the MuPDF plug-in 2008.09.02 for Firefox allows remote attackers to execute arbitrary code via a crafted web site. mupdf-pdfmozonmouse-bo(67298) ADV-2011-1191 47739 72177 http://secunia.com/secunia_research/2011-38/ 43739 Multiple buffer overflows in the InduSoft ISSymbol ActiveX control in ISSymbol.ocx 301.1104.601.0 in InduSoft Web Studio 7.0B2 hotfix 7.0.01.04 allow remote attackers to execute arbitrary code via a long parameter to the (1) Open, (2) Close, or (3) SetCurrentLanguage method. 49403 http://www.indusoft.com/hotfixes/hotfixes.php http://secunia.com/secunia_research/2011-61/ 44875 http://ics-cert.us-cert.gov/advisories/ICSA-11-273-02 Balabit syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE, when running on FreeBSD or HP-UX, does not properly perform cast operations, which causes syslog-ng to use a default value of -1 to create log files with insecure permissions (07777), which allows local users to read and write to these log files. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608491 [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.2.1a has been released [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.0.6a has been released 45988 20110125 syslog-ng wrong file permission vulnerability Multiple stack-based buffer overflows in unspecified CGI programs in the Unified Maintenance Tool web interface in the embedded web server in the Communication Server (CS) in Alcatel-Lucent OmniPCX Enterprise before R9.0 H1.301.50 allow remote attackers to execute arbitrary code via crafted HTTP headers. omnipcx-unified-maintenance-bo(65849) ADV-2011-0549 46640 http://www.alcatel-lucent.com/wps/DocumentStreamerServlet?LMSG_CABINET=Corporate&LMSG_CONTENT_FILE=Support/Security/2011001.pdf 43588 20110301 Alcatel-Lucent OmniPCX Enterprise CS CGI Cookie Buffer Overflow Vulnerability Directory traversal vulnerability in the NMS server in Alcatel-Lucent OmniVista 4760 R5.1.06.03 and earlier allows remote attackers to read arbitrary files via directory traversal sequences in HTTP GET requests, related to the lang variable. omnivista-lang-file-include(65848) ADV-2011-0548 46624 20110301 DDIVRT-2010-30 Alcatel-Lucent OmniVista 4760 NMS 'lang' Directory Traversal Vulnerability [ CVE-2011-0345 ] http://www.alcatel-lucent.com/wps/DocumentStreamerServlet?LMSG_CABINET=Corporate&LMSG_CONTENT_FILE=Support/Security/2011002.pdf 8122 43507 20110301 DDIVRT-2010-30 Alcatel-Lucent OmniVista 4760 NMS 'lang' Directory Traversal Vulnerability [ CVE-2011-0345 ] Use-after-free vulnerability in the ReleaseInterface function in MSHTML.DLL in Microsoft Internet Explorer 6, 7, and 8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to the DOM implementation and the BreakAASpecial and BreakCircularMemoryReferences functions, as demonstrated by cross_fuzz, aka "MSHTML Memory Corruption Vulnerability." TA11-102A VU#427980 MS11-018 ms-ie-releaseinterface-code-execution(64482) ADV-2011-0026 1024940 45639 20110101 Announcing cross_fuzz, a potential 0-day in circulation, and more oval:org.mitre.oval:def:11882 http://lcamtuf.coredump.cx/cross_fuzz/msie_crash.txt http://lcamtuf.coredump.cx/cross_fuzz/known_vuln.txt http://lcamtuf.coredump.cx/cross_fuzz/fuzzer_timeline.txt http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx 20110101 Announcing cross_fuzz, a potential 0-day in circulation, and more Microsoft Internet Explorer on Windows XP allows remote attackers to trigger an incorrect GUI display and have unspecified other impact via vectors related to the DOM implementation, as demonstrated by cross_fuzz. ms-ie-gui-weak-security(64571) 20110101 Announcing cross_fuzz, a potential 0-day in circulation, and more http://www.microsoft.com/technet/security/advisory/2490606.mspx oval:org.mitre.oval:def:12514 http://lcamtuf.coredump.cx/cross_fuzz/msie_display.jpg http://lcamtuf.coredump.cx/cross_fuzz/fuzzer_timeline.txt http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx 20110101 Announcing cross_fuzz, a potential 0-day in circulation, and more Cisco IOS 12.4(11)MD, 12.4(15)MD, 12.4(22)MD, 12.4(24)MD before 12.4(24)MD3, 12.4(22)MDA before 12.4(22)MDA5, and 12.4(24)MDA before 12.4(24)MDA3 on the Cisco Content Services Gateway Second Generation (aka CSG2) allows remote attackers to bypass intended access restrictions and intended billing restrictions by sending HTTP traffic to a restricted destination after sending HTTP traffic to an unrestricted destination, aka Bug ID CSCtk35917. cisco-csg2-policy-security-bypass(64936) ADV-2011-0229 46022 20110126 Cisco Content Services Gateway Vulnerabilities 1024992 43052 70720 Unspecified vulnerability in Cisco IOS 12.4(24)MD before 12.4(24)MD2 on the Cisco Content Services Gateway Second Generation (aka CSG2) allows remote attackers to cause a denial of service (device hang or reload) via crafted TCP packets, aka Bug ID CSCth17178, a different vulnerability than CVE-2011-0350. cisco-csg2-tcp-dos(64937) ADV-2011-0229 46026 20110126 Cisco Content Services Gateway Vulnerabilities 1024992 43052 70721 Unspecified vulnerability in Cisco IOS 12.4(24)MD before 12.4(24)MD2 on the Cisco Content Services Gateway Second Generation (aka CSG2) allows remote attackers to cause a denial of service (device hang or reload) via crafted TCP packets, aka Bug ID CSCth41891, a different vulnerability than CVE-2011-0349. cisco-csg2-tcp-packets-dos(64938) ADV-2011-0229 46028 20110126 Cisco Content Services Gateway Vulnerabilities 1024992 43052 70722 Buffer overflow in the web-based management interface on the Cisco Linksys WRT54GC router with firmware before 1.06.1 allows remote attackers to cause a denial of service (device crash) via a long string in a POST request. http://tools.cisco.com/security/center/viewAlert.x?alertId=22228 wrt54gc-interface-bo(64850) ADV-2011-0205 43017 JVNDB-2011-000007 JVN#26605630 The default configuration of Cisco Tandberg C Series Endpoints, and Tandberg E and EX Personal Video units, with software before TC4.0.0 has a blank password for the root account, which makes it easier for remote attackers to obtain access via an unspecified login method. VU#436854 46107 16100 20110202 Default Credentials for Root Account on Tandberg E, EX and C Series Endpoints http://tools.cisco.com/security/center/viewAlert.x?alertId=22314 1025017 8060 43158 Cisco Nexus 1000V Virtual Ethernet Module (VEM) 4.0(4) SV1(1) through SV1(3b), as used in VMware ESX 4.0 and 4.1 and ESXi 4.0 and 4.1, does not properly handle dropped packets, which allows guest OS users to cause a denial of service (ESX or ESXi host OS crash) by sending an 802.1Q tagged packet over an access vEthernet port, aka Cisco Bug ID CSCtj17451. cisco-nexus-packets-dos(65217) ADV-2011-0315 ADV-2011-0314 http://www.vmware.com/security/advisories/VMSA-2011-0002.html 46247 20110208 VMSA-2011-0002 Cisco Nexus 1000V VEM updates address denial of service in VMware ESX/ESXi 70837 http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3_c/release/notes/n1000v_rn.html 1025030 8090 43084 [security-announce] 20110207 VMSA-2011-0002 Cisco Nexus 1000V VEM updates address denial of service in VMware ESX/ESXi The Management Console (webagent.exe) in Cisco Security Agent 5.1, 5.2, and 6.0 before 6.0.2.145 allows remote attackers to create arbitrary files and execute arbitrary code via unspecified parameters in a crafted st_upload request. cisco-security-webagent-file-upload(65436) http://www.zerodayinitiative.com/advisories/ZDI-11-088 ADV-2011-0424 1025088 46420 20110217 ZDI-11-088: Cisco Security Agent Management st_upload Remote Code Execution Vulnerability 20110216 Management Center for Cisco Security Agent Remote Code Execution Vulnerability 8205 8197 8095 43393 43383 The CGI implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.5.x allows remote attackers to execute arbitrary commands via a malformed request, related to "command injection vulnerabilities," aka Bug ID CSCtb31640. 1025112 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices The CGI implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.5.x allows remote authenticated users to execute arbitrary commands via a malformed request, related to "command injection vulnerabilities," aka Bug ID CSCtb31685. 1025112 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices The CGI implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.5.x allows remote authenticated users to execute arbitrary commands via a malformed request, related to "command injection vulnerabilities," aka Bug ID CSCtb31659. 1025112 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices The CGI implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.6.x allows remote authenticated users to execute arbitrary commands via a malformed request, related to "command injection vulnerabilities," aka Bug ID CSCth24671. 1025112 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices The TFTP implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.5.x, 1.6.0, and 1.6.1 allows remote attackers to obtain sensitive information via a GET request, aka Bug ID CSCte43876. 1025112 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices Cisco TelePresence endpoint devices with software 1.2.x through 1.6.x allow remote attackers to cause a denial of service (service crash) via a malformed SOAP request in conjunction with a spoofed TelePresence Manager that supplies an invalid IP address, aka Bug ID CSCth03605. cisco-endpoint-ipaddress-dos(65616) 1025112 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices The XML-RPC implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.5.x allows remote attackers to execute arbitrary commands via a TCP request, related to a "command injection vulnerability," aka Bug ID CSCtb52587. 1025112 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices Buffer overflow on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 1.6.x; Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x; Cisco TelePresence endpoint devices with software 1.2.x through 1.6.x; and Cisco TelePresence Manager 1.2.x, 1.3.x, 1.4.x, 1.5.x, and 1.6.2 allows remote attackers to execute arbitrary code via a crafted Cisco Discovery Protocol packet, aka Bug IDs CSCtd75769, CSCtd75766, CSCtd75754, and CSCtd75761. 1025114 1025113 1025112 1025111 20110223 Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices 20110223 Multiple Vulnerabilities in Cisco TelePresence Manager 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server Cisco TelePresence Manager 1.2.x through 1.6.x allows remote attackers to bypass authentication and invoke arbitrary methods via a malformed SOAP request, aka Bug ID CSCtc59562. telepresence-soap-security-bypass(65618) 1025111 46526 20110223 Multiple Vulnerabilities in Cisco TelePresence Manager Cisco TelePresence Manager 1.2.x through 1.6.x allows remote attackers to perform unspecified actions and consequently execute arbitrary code via a crafted request to the Java RMI interface, related to a "command injection vulnerability," aka Bug ID CSCtf97085. telepresence-manager-rmi-command-exec(65619) 1025111 46526 20110223 Multiple Vulnerabilities in Cisco TelePresence Manager The CGI subsystem on Cisco TelePresence Recording Server devices with software 1.6.x before 1.6.2 allows remote attackers to execute arbitrary commands via a request to TCP port 443, related to a "command injection vulnerability," aka Bug ID CSCtf97221. 1025114 46522 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server The Java Servlet framework on Cisco TelePresence Recording Server devices with software 1.6.x before 1.6.2 and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x does not require administrative authentication for unspecified actions, which allows remote attackers to execute arbitrary code via a crafted request, aka Bug IDs CSCtf42005 and CSCtf42008. telepresence-java-unauth-access(65602) 1025114 1025113 46519 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server The Java Servlet framework on Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x does not require administrative authentication for unspecified actions, which allows remote attackers to execute arbitrary code via a crafted request, aka Bug ID CSCtf01253. cisco-switch-java-unauth-access(65620) 1025113 46520 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch The administrative web interface on Cisco TelePresence Recording Server devices with software 1.6.x and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allows remote attackers to create or overwrite arbitrary files, and possibly execute arbitrary code, via a crafted request, aka Bug IDs CSCth85786 and CSCth61065. telepresence-interface-file-upload(65604) 1025114 1025113 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server The XML-RPC implementation on Cisco TelePresence Recording Server devices with software 1.6.x and 1.7.x before 1.7.1 allows remote attackers to overwrite files and consequently execute arbitrary code via a malformed request, aka Bug ID CSCti50739. telepresence-xmlrpc-file-overwrite(65605) 1025114 46522 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server The administrative web interface on Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allows remote authenticated users to cause a denial of service or have unspecified other impact via vectors involving access to a servlet, aka Bug ID CSCtf97164. cisco-multipoint-interface-dos(65621) 1025113 46520 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch Cisco TelePresence Recording Server devices with software 1.6.x and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x do not properly restrict remote access to the Java servlet RMI interface, which allows remote attackers to cause a denial of service (memory consumption and web outage) via multiple crafted requests, aka Bug IDs CSCtg35830 and CSCtg35825. 1025114 1025113 46523 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allow remote attackers to cause a denial of service (process crash) via a crafted Real-Time Transport Control Protocol (RTCP) UDP packet, aka Bug ID CSCth60993. cisco-multipoint-rtpc-dos(65622) 1025113 46520 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch The XML-RPC implementation on Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, 1.6.x, and 1.7.0 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka Bug ID CSCtj44534. telepresence-multipoint-xmlrpc-dos(65623) 1025113 46520 20110223 Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch Cisco TelePresence Recording Server devices with software 1.6.x allow remote attackers to cause a denial of service (thread consumption and device outage) via a malformed request, related to an "ad hoc recording" issue, aka Bug ID CSCtf97205. telepresence-adhoc-dos(65607) 1025114 46522 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server Cisco TelePresence Recording Server devices with software 1.6.x do not require authentication for an XML-RPC interface, which allows remote attackers to perform unspecified actions via a session on TCP port 8080, aka Bug ID CSCtg35833. telepresence-xmlrpc-security-bypass(65609) 1025114 46522 20110223 Multiple Vulnerabilities in Cisco TelePresence Recording Server Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.0 before 7.0(8.12), 7.1 and 7.2 before 7.2(5.2), 8.0 before 8.0(5.21), 8.1 before 8.1(2.49), 8.2 before 8.2(3.6), and 8.3 before 8.3(2.7) and Cisco PIX Security Appliances 500 series devices, when transparent firewall mode is configured but IPv6 is not configured, allow remote attackers to cause a denial of service (packet buffer exhaustion and device outage) via IPv6 traffic, aka Bug ID CSCtj04707. asa-packet-buffer-dos(65589) ADV-2011-0493 1025108 20110223 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 43488 Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.0 before 7.0(8.11), 7.1 and 7.2 before 7.2(5.1), 8.0 before 8.0(5.19), 8.1 before 8.1(2.47), 8.2 before 8.2(2.19), and 8.3 before 8.3(1.8); Cisco PIX Security Appliances 500 series devices; and Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(20), 3.2 before 3.2(20), 4.0 before 4.0(15), and 4.1 before 4.1(5) allow remote attackers to cause a denial of service (device reload) via a malformed Skinny Client Control Protocol (SCCP) message, aka Bug IDs CSCtg69457 and CSCtl84952. cisco-fwsm-sccp-dos(65593) ADV-2011-0494 ADV-2011-0493 1025109 1025108 46518 20110223 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 20110223 Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability 43488 43453 Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.0 before 8.0(5.20), 8.1 before 8.1(2.48), 8.2 before 8.2(3), and 8.3 before 8.3(2.1), when the RIP protocol and the Cisco Phone Proxy functionality are configured, allow remote attackers to cause a denial of service (device reload) via a RIP update, aka Bug ID CSCtg66583. asa-rip-dos(65590) ADV-2011-0493 1025108 20110223 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 43488 Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.0 before 8.0(5.23), 8.1 before 8.1(2.49), 8.2 before 8.2(4.1), and 8.3 before 8.3(2.13), when a Certificate Authority (CA) is configured, allow remote attackers to read arbitrary files via unspecified vectors, aka Bug ID CSCtk12352. asa-ca-unauth-access(65591) ADV-2011-0493 1025108 20110223 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 43488 The Piwik_Common::getIP function in Piwik before 1.1 does not properly determine the client IP address, which allows remote attackers to bypass intended geolocation and logging functionality via (1) use of a private (aka RFC 1918) address behind a proxy server or (2) spoofing of the X-Forward