Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0 through 5.4-2 allows local users to gain privileges. CA-92.16 CA-1992-18 51 vms-monitor-gain-privileges(7136) 59332 The default setting for the Winlogon key entry ShutdownWithoutLogon in Windows NT allows users with physical access to shut down a Windows NT system without logging in. nt-shutdown-without-logon(1291) http://www.microsoft.com/technet/archive/winntas/deploy/confeat/06wntpcc.mspx?mfr=true http://technet.microsoft.com/en-us/library/cc722469.aspx 59333 Cach�Ã�© Database 5.x installs the /cachesys/csp directory with insecure permissions, which allows local users to execute arbitrary code by adding server-side scripts that are executed with root privileges. Cach�Ã�© Database 5.x installs /cachesys/bin/cache with world-writable permissions, which allows local users to gain privileges by modifying cache and executing it via cuxs. Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement. MDKSA-2005:109 http://www.gulftech.org/?node=research&article_id=00087-07012005 http://pear.php.net/package/XML_RPC/download/1.3.1 20050629 Advisory 02/2005: Remote code execution in Serendipity HPSBTU02083 http://www.hardened-php.net/advisory-022005.php 14088 SSRT051069 RHSA-2005:564 SUSE-SA:2005:049 SUSE-SA:2005:041 SUSE-SR:2005:018 ADV-2005-2827 http://www.drupal.org/security/drupal-sa-2005-003/advisory.txt DSA-789 DSA-747 DSA-746 DSA-745 http://www.ampache.org/announce/3_3_1_2.php http://sourceforge.net/project/shownotes.php?release_id=338803 http://sourceforge.net/project/showfiles.php?group_id=87163 1015336 GLSA-200507-07 GLSA-200507-06 GLSA-200507-01 18003 17674 17440 16693 16339 16001 15957 15947 15944 15922 15917 15916 15904 15903 15895 15884 15883 15872 15861 15855 15852 15810 SUSE-SA:2005:051 20050629 [DRUPAL-SA-2005-003] Drupal 4.6.2 / 4.5.4 fixes critical XML-RPC issue oval:org.mitre.oval:def:350 Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions. VU#623332 GLSA-200507-11 DSA-757 kerberos-kdc-krb5recvauth-execute-code(21055) USN-224-1 TLSA-2005-78 2005-0036 14239 HPSBUX02152 HPSBUX02152 HPSBUX02152 RHSA-2005:567 RHSA-2005:562 SUSE-SR:2005:017 ADV-2006-3776 ADV-2005-1066 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt 101810 1014461 22090 17899 17135 16041 20050712 MITKRB5-SA-2005-003: double-free in krb5_recvauth APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 CLA-2005:993 20050703-01-U Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. 1014744 14620 HPSBUX02074 HPSBUX02074 15647 HPSBUX02074 FLSA:168516 RHSA-2006:0197 RHSA-2005:761 RHSA-2005:358 http://www.php.net/release_4_4_1.php SUSE-SA:2005:052 SUSE-SA:2005:049 SUSE-SA:2005:048 GLSA-200509-19 GLSA-200509-12 GLSA-200509-02 GLSA-200509-08 ADV-2006-4502 ADV-2006-4320 ADV-2006-0789 ADV-2005-2659 ADV-2005-1511 http://www.ethereal.com/appnotes/enpa-sa-00021.html DSA-821 DSA-819 DSA-817 DSA-800 http://support.avaya.com/elmodocs2/security/ASA-2006-159.htm http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm http://support.avaya.com/elmodocs2/security/ASA-2005-223.pdf http://support.avaya.com/elmodocs2/security/ASA-2005-216.pdf 102198 604 22875 22691 21522 19532 19193 19072 17813 17252 16679 16502 OpenPKG-SA-2005.018 SUSE-SA:2005:051 TSLSA-2005-0059 SSRT061238 APPLE-SA-2005-11-29 20060401-01-U SCOSA-2006.10 oval:org.mitre.oval:def:735 oval:org.mitre.oval:def:1659 oval:org.mitre.oval:def:1496 WorldClient webmail in Alt-N MDaemon 8.1.3 allows remote attackers to prevent arbitrary users from accessing their inboxes via script tags in the Subject header of an e-mail message, which prevents the user from being able to access the Inbox folder, possibly due to a cross-site scripting (XSS) vulnerability. mdaemon-worldclient-subject-dos(23551) 15815 http://www.ipomonis.com/advisories/mdaemon.zip 17990 Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps. TA08-150A 1015344 MDKSA-2006:007 USN-241-1 TSLSA-2005-0074 15834 SSRT061265 FLSA-2006:175406 RHSA-2006:0158 FEDORA-2006-052 OpenPKG-SA-2005.029 GLSA-200602-03 ADV-2005-2870 PK16139 19012 18743 18585 18526 18517 18429 18340 18339 18333 18008 17319 RHSA-2006:0159 SUSE-SR:2006:004 http://issues.apache.org/bugzilla/show_bug.cgi?id=37874 20060101-01-U SSRT061265 HPSBUX02172 SSRT061202 SUSE-SA:2006:043 ADV-2008-1697 ADV-2008-1246 ADV-2008-0924 ADV-2006-4868 ADV-2006-4300 ADV-2006-4015 ADV-2006-3995 ADV-2006-2423 DSA-1167 PK25355 102663 102662 SSA:2006-129-01 SSA:2006-130-01 30430 29849 29420 25239 23260 22669 22388 22368 22140 21744 20670 20046 RHSA-2006:0692 SUSE-SR:2007:011 APPLE-SA-2008-03-18 APPLE-SA-2008-05-28 SSRT071293 http://docs.info.apple.com/article.html?artnum=307562 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-4209. Reason: This candidate is a duplicate of CVE-2005-4209. Notes: All CVE users should reference CVE-2005-4209 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file. ADV-2006-2964 ADV-2006-2963 21174 21172 RHSA-2006:0619 ADV-2006-3264 PK27875 PK24631 http://svn.apache.org/viewvc?view=rev&revision=394965 1016569 21478 21399 RHSA-2006:0618 SSRT090192 SSRT090192 20060724 Write-up by Amit Klein: "Forging HTTP request headers with Flash" 20060508 Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117 USN-575-1 19661 SUSE-SA:2006:051 ADV-2006-5089 ADV-2006-4207 DSA-1167 http://support.avaya.com/elmodocs2/security/ASA-2006-194.htm 1294 29640 28749 22523 22317 22140 21986 21848 21744 21598 RHSA-2006:0692 [3.9] 012: SECURITY FIX: October 7, 2006 SUSE-SA:2008:021 http://kb.vmware.com/KanisaPlatform/Publishing/466/5915871_f.SAL_Public.html 20060801-01-P Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules. VU#395412 TA08-150A DSA-1132 DSA-1131 http://www.apache.org/dist/httpd/Announcement2.0.html https://issues.rpath.com/browse/RPL-538 apache-modrewrite-offbyone-bo(28063) http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117 USN-328-1 19204 HPSBUX02164 HPSBUX02145 HPSBUX02145 HPSBUX02145 HPSBUX02145 20060820 POC & exploit for Apache mod_rewrite off-by-one 20060728 rPSA-2006-0139-1 httpd mod_ssl 20060728 Apache mod_rewrite Buffer Overflow Vulnerability 20060728 [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released 27588 OpenPKG-SA-2006.015 SUSE-SA:2006:043 ADV-2006-4015 ADV-2006-3995 ADV-2006-3884 ADV-2006-3282 ADV-2006-3264 ADV-2006-3017 PK27875 PK29156 PK29154 http://svn.apache.org/viewvc?view=rev&revision=426144 102663 102662 1016601 GLSA-200608-01 22388 22368 22262 21509 21478 21315 21313 21307 21284 21273 21266 21247 21245 21241 21197 20060728 [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released 20060728 Apache 1.3.29/2.X mod_rewrite Buffer Overflow Vulnerability CVE-2006-3747 http://kbase.redhat.com/faq/FAQ_68_8653.shtm MDKSA-2006:133 HPSBUX02164 MDKSA-2006:133 ADV-2008-1697 ADV-2008-1246 ADV-2008-0924 ADV-2007-2783 ADV-2006-4868 ADV-2006-4300 ADV-2006-4207 http://www-1.ibm.com/support/docview.wss?uid=swg27007951 1312 30430 29849 29420 26329 23260 23028 22523 21346 2006-0044 APPLE-SA-2008-03-18 APPLE-SA-2008-05-28 HPSBMA02328 SSRT061275 http://docs.info.apple.com/article.html?artnum=307562 OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1. VU#845620 TA06-333A DSA-1173 USN-339-1 19849 http://www.openssl.org/news/secadv_20060905.txt ADV-2006-3453 DSA-1174 21709 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 SSRT071304 https://issues.rpath.com/browse/RPL-616 openssl-rsa-security-bypass(28755) HPSBUX02153 HPSBUX02153 HPSBUX02165 HPSBUX02165 HPSBUX02165 HPSBUX02165 HPSBUX02165 HPSBUX02165 HPSBUX02165 HPSBUX02165 HPSBUX02165 20060912 ERRATA: [ GLSA 200609-05 ] OpenSSL, AMD64 x86 emulation base libraries: RSA signature forgery 20060905 rPSA-2006-0163-1 openssl openssl-scripts RHSA-2008:0629 RHSA-2006:0661 28549 http://www.opera.com/support/search/supsearch.dml?index=845 [3.9] 20060908 011: SECURITY FIX: September 8, 2006 SUSE-SA:2006:055 http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere/ MDKSA-2006:161 [ietf-openpgp] 20060827 Bleichenbacher's RSA signature forgery based on implementation error ADV-2006-3793 ADV-2006-3730 ADV-2006-3566 http://support.avaya.com/elmodocs2/security/ASA-2006-188.htm SSA:2006-257-02 1016791 GLSA-200609-18 GLSA-200609-05 FreeBSD-SA-06:19 31492 22259 22161 22036 21982 21930 21927 21906 21873 21870 21852 21846 21823 21812 21791 21785 21778 21776 21767 HPSBMA02250 SSRT061273 MDKSA-2006:178 MDKSA-2006:177 20060901-01-P SSRT071304 https://secure-support.novell.com/KanisaPlatform/Publishing/41/3143224_f.SAL_Public.html https://issues.rpath.com/browse/RPL-1633 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117 HPSBUX02153 http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html http://www.vmware.com/security/advisories/VMSA-2008-0005.html http://www.sybase.com/detail?id=1047991 http://www.serv-u.com/releasenotes/ 28276 22083 20080318 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues 20070110 VMware ESX server security updates HPSBUX02165 RHSA-2007:0073 RHSA-2007:0072 RHSA-2007:0062 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html OpenPKG-SA-2006.029 OpenPKG-SA-2006.018 SUSE-SA:2007:010 SUSE-SA:2006:061 SUSE-SR:2006:026 MDKSA-2006:207 MDKSA-2006:178 MDKSA-2006:177 GLSA-200610-06 ADV-2008-0905 ADV-2007-4224 ADV-2007-2783 ADV-2007-2315 ADV-2007-2163 ADV-2007-1945 ADV-2007-1815 ADV-2007-1401 ADV-2007-0343 ADV-2007-0254 ADV-2006-5146 ADV-2006-4750 ADV-2006-4744 ADV-2006-4586 ADV-2006-4417 ADV-2006-4366 ADV-2006-4329 ADV-2006-4327 ADV-2006-4216 ADV-2006-4207 ADV-2006-4206 ADV-2006-4205 ADV-2006-3936 ADV-2006-3899 ADV-2006-3748 20061108 Multiple Vulnerabilities in OpenSSL library 20061108 Multiple Vulnerabilities in OpenSSL Library http://www.bluecoat.com/support/knowledge/openSSL_RSA_Signature_forgery.html http://www.arkoon.fr/upload/alertes/40AK-2006-04-FR-1.1_SSL360_OPENSSL_RSA.pdf http://support.attachmate.com/techdocs/2137.html http://support.attachmate.com/techdocs/2128.html http://support.attachmate.com/techdocs/2127.html 201534 201247 200708 102759 102744 102722 102696 102686 102657 102656 102648 SSA:2006-310-01 1017522 28115 26893 26329 25649 25399 25284 24950 24930 24099 23915 23841 23794 23680 23455 23155 22949 22948 22940 22939 22938 22937 22936 22934 22932 22799 22758 22733 22711 22689 22671 22585 22545 22523 22513 22509 22446 22325 22284 22260 22232 22226 22066 22044 http://openvpn.net/changelog.html [bind-announce] 20061103 Internet Systems Consortium Security Advisory. [revised] [security-announce] 20080317 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues APPLE-SA-2007-12-14 APPLE-SA-2006-11-28 HPSBUX02186 HPSBMA02250 SSRT061273 MDKSA-2006:207 http://docs.info.apple.com/article.html?artnum=307177 http://docs.info.apple.com/article.html?artnum=304829 BEA07-169.00 Race condition in the msxml3 module in Microsoft XML Core Services 3.0, as used in Internet Explorer 6 and other applications, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via many nested tags in an XML document in an IFRAME, when synchronous document rendering is frequently disrupted with asynchronous events, as demonstrated using a JavaScript timer, which can trigger NULL pointer dereferences or memory corruption, aka "MSXML Memory Corruption Vulnerability." TA08-316A 21872 MS08-069 ADV-2008-3111 20070104 Re: RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws) 20070104 RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws) 20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws) 1021164 23655 20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws) oval:org.mitre.oval:def:5793 32627 http://isc.sans.org/diary.php?storyid=2004 20070104 Re: Concurrency strikes MSIE (potentially exploitablemsxml3 flaws) Buffer overflow in Sun JDK and Java Runtime Environment (JRE) 5.0 Update 9 and earlier, SDK and JRE 1.4.2_12 and earlier, and SDK and JRE 1.3.1_18 and earlier allows applets to gain privileges via a GIF image with a block with a 0 width field, which triggers memory corruption. TA07-022A VU#388289 http://www.zerodayinitiative.com/advisories/ZDI-07-005.html 102760 jre-gif-bo(31537) 22085 20070121 Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability Prove Of Concept Exploit 20070117 ZDI-07-005: Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability RHSA-2007:0956 RHSA-2007:0167 RHSA-2007:0166 SUSE-SA:2007:045 GLSA-200702-07 ADV-2007-4224 ADV-2007-1814 ADV-2007-0936 ADV-2007-0211 http://support.novell.com/techcenter/psdb/d2f549cc040cd81ae4a268bb5edfe918.html http://support.novell.com/techcenter/psdb/4f850d1e2b871db609de64ec70f0089c.html 1017520 2158 GLSA-200702-08 28115 27203 26645 26119 26049 25283 24993 24468 24202 24189 23757 32834 APPLE-SA-2007-12-14 SSRT071318 SSRT071318 SSRT071318 SSRT071318 SSRT071318 SSRT071318 SSRT071318 SSRT071318 SSRT071318 SSRT071318 http://docs.info.apple.com/article.html?artnum=307177 BEA07-172.00 RHSA-2008:0261 Multiple integer overflows in the chunk_split function in PHP 5 before 5.2.3 and PHP 4 before 4.4.8 allow remote attackers to cause a denial of service (crash) or execute arbitrary code via the (1) chunks, (2) srclen, and (3) chunklen arguments. http://www.php.net/releases/5_2_3.php FEDORA-2007-2215 FEDORA-2007-709 https://launchpad.net/bugs/173043 https://issues.rpath.com/browse/RPL-1702 https://issues.rpath.com/browse/RPL-1693 php-chunksplit-security-bypass(39398) ADV-2008-0059 USN-549-1 USN-549-2 2007-0023 1018186 24261 20070601 SEC Consult SA-20070601-0 :: PHP chunk_split() integer overflow http://www.sec-consult.com/291.html RHSA-2007:0891 RHSA-2007:0890 RHSA-2007:0888 http://www.php.net/releases/4_4_8.php http://www.php.net/ChangeLog-4.php OpenPKG-SA-2007.020 MDKSA-2007:187 GLSA-200710-02 ADV-2007-3386 ADV-2007-2061 http://support.avaya.com/elmodocs2/security/ASA-2007-449.htm SSA:2007-152-01 28318 27864 27545 27377 27351 27110 27102 27037 26967 26930 26895 26871 26838 26231 26048 25535 25456 RHSA-2007:0889 SUSE-SA:2007:044 HPSBUX02308 HPSBUX02262 HPSBUX02262 SSRT080056 ADV-2008-0398 SSA:2008-045-03 30040 28936 28750 28658 SUSE-SA:2008:004 HPSBUX02308 Mozilla Firefox before 2.0.0.5, when run on Windows, allows remote attackers to bypass file type checks and possibly execute programs via a (1) file:/// or (2) resource: URI with a dangerous extension, followed by a NULL byte (%00) and a safer extension, which causes Firefox to treat the requested file differently than Windows would. https://bugzilla.mozilla.org/show_bug.cgi?id=383478 USN-490-1 1018413 24447 SUSE-SA:2007:049 http://www.mozilla.org/security/announce/2007/mfsa2007-22.html MDKSA-2007:152 http://www.0x000000.com/?i=333 http://support.novell.com/techcenter/psdb/07d098f99c9fe6956523beae37f32fda.html 26271 26258 26216 26204 26149 26072 38032 SSRT061181 ftp://ftp.slackware.com/pub/slackware/slackware-12.0/ChangeLog.txt ADV-2007-4256 201516 103177 28135 SSRT061181 Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection. TA08-150A 25653 20070912 Apache2 Undefined Charset UTF-7 XSS Vulnerability http://www.fujitsu.com/global/support/software/security/products-f/interstage-200807e.html http://www.apache.org/dist/httpd/CHANGES_2.2.6 3113 20070912 Apache2 Undefined Charset UTF-7 XSS Vulnerability 35650 33105 31651 oval:org.mitre.oval:def:6089 SSRT090192 SSRT090192 SSRT090085 SSRT090085 HPSBUX02365 HPSBUX02365 FEDORA-2007-707 apache-utf7-xss(36586) USN-575-1 RHSA-2008:0261 RHSA-2008:0008 RHSA-2008:0006 RHSA-2008:0005 RHSA-2008:0004 RHSA-2007:0911 FEDORA-2007-2214 SUSE-SA:2007:061 MDVSA-2008:014 ADV-2008-1697 http://support.avaya.com/elmodocs2/security/ASA-2008-032.htm 1019194 GLSA-200711-06 30430 28749 28607 28471 28467 27732 27563 26952 26842 APPLE-SA-2008-05-28 http://bugs.gentoo.org/show_bug.cgi?id=186219 Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918. apache-413error-xss(38800) USN-731-1 1019030 26663 20071130 PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method http://www.fujitsu.com/global/support/software/security/products-f/interstage-200807e.html ADV-2008-1875 ADV-2007-4301 ADV-2007-4060 PK57952 34219 33105 30732 28196 27906 http://procheckup.com/Vulnerability_PR07-37.php HPSBUX02465 HPSBUX02465 ADV-2008-1623 ADV-2008-0924 PK65782 3411 GLSA-200803-19 30356 29640 29420 29348 SUSE-SA:2008:021 APPLE-SA-2008-03-18 http://docs.info.apple.com/article.html?artnum=307562 mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding. FEDORA-2008-1695 FEDORA-2008-1711 apache-modproxyftp-utf7-xss(39615) USN-575-1 1019185 27234 20090821 VMSA-2009-0010 VMware Hosted products update libpng and Apache HTTP Server 20080110 SecurityReason - Apache (mod_proxy_ftp) Undefined Charset UTF-7 XSS Vulnerability RHSA-2008:0009 RHSA-2008:0008 RHSA-2008:0007 RHSA-2008:0006 RHSA-2008:0005 RHSA-2008:0004 MDVSA-2008:016 MDVSA-2008:015 MDVSA-2008:014 ADV-2008-1875 ADV-2008-0924 http://support.avaya.com/elmodocs2/security/ASA-2008-032.htm 3526 20080110 Apache (mod_proxy_ftp) Undefined Charset UTF-7 XSS Vulnerability GLSA-200803-19 35650 30732 29640 29420 29348 28977 28749 28607 28526 28471 28467 HPSBUX02465 HPSBUX02465 HPSBUX02431 HPSBUX02431 [security-announce] 20090820 VMSA-2009-0010 VMware Hosted products update libpng and Apache HTTP Server SUSE-SA:2008:021 APPLE-SA-2008-03-18 http://docs.info.apple.com/article.html?artnum=307562 The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI. VU#147027 FEDORA-2008-3606 FEDORA-2008-3864 https://issues.rpath.com/browse/RPL-2503 php-vector-unspecified(42137) USN-628-1 1019958 29009 20080523 rPSA-2008-0176-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl RHSA-2008:0505 http://www.php.net/ChangeLog-5.php [oss-security] 20080502 CVE Request (PHP) MDVSA-2008:128 MDVSA-2008:127 ADV-2008-2268 ADV-2008-1810 ADV-2008-1412 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0176 35650 31326 31200 30828 30757 30616 30345 30083 30048 oval:org.mitre.oval:def:5510 SSA:2008-128-01 SSRT090192 SSRT090192 HPSBUX02431 HPSBUX02431 APPLE-SA-2008-07-31 SSRT080063 SSRT080063 http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.50.2.12&r2=1.267.2.15.2.50.2.13&diff_format=u Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page. apache-403-xss(42303) USN-731-1 29112 20080512 Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability 20080510 Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability 20080510 Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability 20080508 Apache Server HTML Injection and UTF-7 XSS Vulnerability 3889 35650 34219 31651 oval:org.mitre.oval:def:5143 HPSBUX02465 HPSBUX02465 SSRT090085 SSRT090085 SSRT080118 SSRT080118 The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses. 29653 ADV-2008-1798 FEDORA-2008-6314 FEDORA-2008-6393 apache-modproxy-module-dos(42987) USN-731-1 1020267 31681 20081122 rPSA-2008-0328-1 httpd mod_ssl 20080729 rPSA-2008-0236-1 httpd mod_ssl RHSA-2008:0966 MDVSA-2008:237 MDVSA-2008:195 ADV-2009-0320 ADV-2008-2780 PK67579 http://www-01.ibm.com/support/docview.wss?uid=swg27008517 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0328 http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=666154&r2=666153&pathrev=666154 http://support.apple.com/kb/HT3216 247666 GLSA-200807-06 34418 34259 34219 33797 33156 32838 32685 32222 31904 31651 31416 31404 31026 30621 RHSA-2008:0967 oval:org.mitre.oval:def:6084 SSRT090192 SSRT090192 SSRT090005 SSRT090005 SUSE-SR:2009:007 SUSE-SR:2009:006 APPLE-SA-2008-10-09 HPSBUX02365 HPSBUX02365 Multiple directory traversal vulnerabilities in PHP 5.2.6 and earlier allow context-dependent attackers to bypass safe_mode restrictions by creating a subdirectory named http: and then placing ../ (dot dot slash) sequences in an http URL argument to the (1) chdir or (2) ftok function. TA09-133A php-chdir-ftoc-security-bypass(43198) ADV-2009-1297 1020328 29796 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl http://wiki.rpath.com/Advisories:rPSA-2009-0035 http://support.apple.com/kb/HT3549 3942 20080617 PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass 35650 35074 HPSBUX02465 HPSBUX02465 HPSBUX02431 HPSBUX02431 APPLE-SA-2009-05-12 Directory traversal vulnerability in the posix_access function in PHP 5.2.6 and earlier allows remote attackers to bypass safe_mode restrictions via a .. (dot dot) in an http URL, which results in the URL being canonicalized to a local filename after the safe_mode check has successfully run. TA09-133A php-posixaccess-security-bypass(43196) ADV-2009-1297 1020327 29797 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl http://wiki.rpath.com/Advisories:rPSA-2009-0035 http://support.apple.com/kb/HT3549 3941 20080617 PHP 5.2.6 posix_access() (posix ext) safe_mode bypass 35650 35074 HPSBUX02465 HPSBUX02465 SSRT090085 SSRT090085 APPLE-SA-2009-05-12 php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message, related to the rfc822_write_address function. TA09-133A ADV-2009-1297 29829 FEDORA-2009-3848 FEDORA-2009-3768 https://bugs.gentoo.org/show_bug.cgi?id=221969 php-phpimap-dos(43357) USN-628-1 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl [oss-security] 20080624 Re: CVE request: php 5.2.6 ext/imap buffer overflows [oss-security] 20080619 CVE request: php 5.2.6 ext/imap buffer overflows MDVSA-2008:128 MDVSA-2008:127 MDVSA-2008:126 http://wiki.rpath.com/Advisories:rPSA-2009-0035 http://support.apple.com/kb/HT3549 35650 35306 35074 31200 46641 HPSBUX02465 HPSBUX02465 SSRT090085 SSRT090085 SUSE-SR:2008:027 APPLE-SA-2009-05-12 http://bugs.php.net/bug.php?id=42862 Heap-based buffer overflow in pcre_compile.c in the Perl-Compatible Regular Expression (PCRE) library 7.7 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a regular expression that begins with an option and contains multiple branches. TA09-133A FEDORA-2008-6048 FEDORA-2008-6025 ADV-2009-1297 ADV-2008-2336 USN-628-1 USN-624-1 31681 30087 20081027 rPSA-2008-0305-1 pcre MDVSA-2009:023 MDVSA-2008:147 GLSA-200807-03 ADV-2008-2780 ADV-2008-2006 ADV-2008-2005 DSA-1602 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0305 http://support.apple.com/kb/HT3549 http://support.apple.com/kb/HT3216 35650 35074 32454 32222 31200 30990 30972 30967 30961 30958 30945 30944 30916 HPSBUX02465 HPSBUX02465 HPSBUX02431 HPSBUX02431 SUSE-SR:2008:014 APPLE-SA-2009-05-12 APPLE-SA-2008-10-09 http://ftp.gnome.org/pub/GNOME/sources/glib/2.16/glib-2.16.4.changes http://bugs.gentoo.org/show_bug.cgi?id=228091 Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI. TA09-133A VU#663763 apache-modproxyftp-xss(44223) ADV-2009-1297 USN-731-1 1020635 30560 20081122 rPSA-2008-0328-1 httpd mod_ssl 20081122 rPSA-2008-0327-1 httpd mod_ssl 20080806 Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting RHSA-2008:0966 http://www.rapid7.com/advisories/R7-0033 MDVSA-2009:124 MDVSA-2008:195 MDVSA-2008:194 ADV-2009-0320 ADV-2008-2461 ADV-2008-2315 PK70937 PK70197 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0328 http://wiki.rpath.com/Advisories:rPSA-2008-0327 http://svn.apache.org/viewvc?view=rev&revision=682871 http://svn.apache.org/viewvc?view=rev&revision=682870 http://svn.apache.org/viewvc?view=rev&revision=682868 http://support.apple.com/kb/HT3549 247666 35074 34219 33797 33156 32838 32685 31673 31384 RHSA-2008:0967 HPSBUX02465 HPSBUX02465 SSRT090005 SSRT090005 SUSE-SR:2008:024 APPLE-SA-2009-05-12 PHP 4.4.x before 4.4.9, and 5.x through 5.2.6, when used as a FastCGI module, allows remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension, as demonstrated using foo..php. Overview contains a typo, should read "PHP 5.2 through 5.2.6" not "5.6 through 5.2.6". TA09-133A FEDORA-2009-3848 FEDORA-2009-3768 php-curl-unspecified(44402) ADV-2009-1297 ADV-2008-2336 1020994 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl RHSA-2009:0350 [oss-security] 20080813 Re: CVE request: php-5.2.6 overflow issues [oss-security] 20080808 CVE request: php-5.2.6 overflow issues MDVSA-2009:024 MDVSA-2009:023 MDVSA-2009:022 MDVSA-2009:021 DSA-1647 http://wiki.rpath.com/Advisories:rPSA-2009-0035 http://support.apple.com/kb/HT3549 35650 35306 35074 32148 31982 SSRT090192 SSRT090192 HPSBUX02431 HPSBUX02431 SUSE-SR:2008:018 APPLE-SA-2009-05-12 http://bugs.gentoo.org/show_bug.cgi?id=234102 Buffer overflow in the memnstr function in PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via the delimiter argument to the explode function. NOTE: the scope of this issue is limited since most applications would not use an attacker-controlled delimiter, but local attacks against safe_mode are feasible. Overview contains a typo, should read "PHP 5.2 through 5.2.6" not "5.6 through 5.2.6". TA09-133A http://www.php.net/archive/2008.php#id2008-08-07-1 php-memnstr-bo(44405) ADV-2009-1297 ADV-2008-2336 1020995 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl [oss-security] 20080813 Re: CVE request: php-5.2.6 overflow issues [oss-security] 20080808 Re: CVE request: php-5.2.6 overflow issues [oss-security] 20080808 Re: CVE request: php-5.2.6 overflow issues [oss-security] 20080808 CVE request: php-5.2.6 overflow issues MDVSA-2009:024 MDVSA-2009:023 MDVSA-2009:022 MDVSA-2009:021 DSA-1647 http://wiki.rpath.com/Advisories:rPSA-2009-0035 http://support.apple.com/kb/HT3549 35650 35074 32316 32148 31982 47483 http://news.php.net/php.cvs/52002 HPSBUX02465 HPSBUX02465 SSRT090085 SSRT090085 SUSE-SR:2008:021 SUSE-SR:2008:018 APPLE-SA-2009-05-12 http://bugs.gentoo.org/show_bug.cgi?id=234102 Buffer overflow in the imageloadfont function in ext/gd/gd.c in PHP 4.4.x before 4.4.9 and PHP 5.2 before 5.2.6-r6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file. Mitre Description references "PHP 5.6 through 5.2.6" -- however research to the changelog for PHP 5 does not reflect a 5.6 release changelog: http://www.php.net/ChangeLog-5.php However, http://www.openwall.com/lists/oss-security/2008/08/08/2: "Those issues are fixed by the recent php-4.4.9 release, but they affect php-5.2.6 as well and the fixes are not part of any released version in case of 5.2." TA09-133A FEDORA-2009-3848 FEDORA-2009-3768 php-imageloadfont-dos(44401) ADV-2009-1297 ADV-2008-2336 30649 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl HPSBTU02382 HPSBTU02382 RHSA-2009:0350 http://www.php.net/archive/2008.php#id2008-08-07-1 [oss-security] 20080813 Re: CVE request: php-5.2.6 overflow issues [oss-security] 20080808 CVE request: php-5.2.6 overflow issues MDVSA-2009:024 MDVSA-2009:023 MDVSA-2009:022 MDVSA-2009:021 ADV-2009-0320 ADV-2008-3275 DSA-1647 http://wiki.rpath.com/Advisories:rPSA-2009-0035 http://support.apple.com/kb/HT3549 35306 35074 33797 32884 32316 32148 31982 47484 http://news.php.net/php.cvs/51219 SSRT090192 SSRT090192 HPSBUX02401 HPSBUX02401 SUSE-SR:2008:021 SUSE-SR:2008:018 APPLE-SA-2009-05-12 http://bugs.gentoo.org/show_bug.cgi?id=234102 The __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors. 32154 RHSA-2009:1550 https://bugzilla.redhat.com/show_bug.cgi?id=470201 USN-679-1 1021511 1021292 33079 20090101 Linux Kernel 2.6.18/2.6.24/2.6.20/2.6.22/2.6.21 denial of service exploit RHSA-2009:0225 RHSA-2009:0014 RHSA-2009:0009 [oss-security] 20081106 CVE request: kernel: Unix sockets kernel panic MDVSA-2008:234 DSA-1687 DSA-1681 4573 33704 33641 33623 33586 33556 33180 32998 32918 [linux-netdev] 20081106 UNIX sockets kernel panic SUSE-SA:2009:008 SUSE-SA:2009:004 SUSE-SA:2008:057 http://darkircop.org/unix.c Linux kernel 2.6.28 allows local users to cause a denial of service ("soft lockup" and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029. FEDORA-2008-11618 RHSA-2009:1550 https://issues.rpath.com/browse/RPL-2915 https://bugzilla.redhat.com/show_bug.cgi?id=470201 linux-kernel-sendmsg-dos(46943) USN-714-1 USN-715-1 32516 20081209 rPSA-2008-0332-1 kernel RHSA-2009:0053 RHSA-2009:0014 MDVSA-2009:032 DSA-1681 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0332 4673 33854 33756 33706 33556 33348 33083 32998 32913 50272 [linux-netdev] 20081125 [PATCH] Fix soft lockups/OOM issues w/ unix garbage collector [linux-netdev] 20081120 soft lockups/OOM after unix socket fixes http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=473259 Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows remote attackers to cause a denial of service (CPU consumption) via a crafted RSA public key. TA08-340A 246286 RHSA-2009:0466 http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2009/03/024431-01.pdf ADV-2009-1426 1021309 32608 HPSBUX02429 RHSA-2009:0016 ADV-2008-3339 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=829914&poid= http://support.avaya.com/elmodocs2/security/ASA-2009-012.htm 35255 34972 34259 33709 33015 32991 RHSA-2008:1025 RHSA-2008:1018 50504 SUSE-SR:2009:016 SUSE-SR:2009:006 HPSBMA02429 HPSBMA02429 PHP 5 before 5.2.7 does not properly initialize the page_uid and page_gid global variables for use by the SAPI php_getuid function, which allows context-dependent attackers to bypass safe_mode restrictions via variable settings that are intended to be restricted to root, as demonstrated by a setting of /etc for the error_log variable. php-getuid-safemode-bypass(47318) 32688 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl 20081206 SecurityReason: PHP 5.2.6 SAPI php_getuid() overload http://www.php.net/ChangeLog-5.php#5.2.7 MDVSA-2009:045 DSA-1789 http://wiki.rpath.com/Advisories:rPSA-2009-0035 20081205 PHP 5.2.6 SAPI php_getuid() overload 35650 35003 52207 50483 HPSBUX02465 HPSBUX02465 HPSBUX02431 HPSBUX02431 PHP 5 before 5.2.7 does not enforce the error_log safe_mode restrictions when safe_mode is enabled through a php_admin_flag setting in httpd.conf, which allows context-dependent attackers to write to arbitrary files by placing a "php_value error_log" entry in a .htaccess file. php-error-safemode-bypass(47314) 32383 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl http://www.php.net/ChangeLog-5.php#5.2.7 7171 MDVSA-2009:045 http://wiki.rpath.com/Advisories:rPSA-2009-0035 20081120 PHP 5.2.6 (error_log) safe_mode bypass 35650 52205 SSRT090192 SSRT090192 SSRT090085 SSRT090085 20081120 SecurityReason : PHP 5.2.6 (error_log) safe_mode bypass Directory traversal vulnerability in the ZipArchive::extractTo function in PHP 5.2.6 and earlier allows context-dependent attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences. FEDORA-2009-3848 FEDORA-2009-3768 php-ziparchive-directory-traversal(47079) http://www.sektioneins.de/advisories/SE-2008-06.txt 1021303 32625 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl RHSA-2009:0350 http://www.php.net/ChangeLog-5.php#5.2.7 [oss-security] 20081204 CVE for SE-2008-06 in PHP 5.2.7 (ZipArchive) MDVSA-2009:045 DSA-1789 http://wiki.rpath.com/Advisories:rPSA-2009-0035 35650 35306 35003 50480 SSRT090192 SSRT090192 SSRT090085 SSRT090085 SUSE-SR:2009:004 20081204 Advisory 06/2008: PHP ZipArchive::extractTo() Directory Traversal Vulnerability Heap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0 through 5.2.6 allows context-dependent attackers to execute arbitrary code via a crafted string containing an HTML entity, which is not properly handled during Unicode conversion, related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str functions. TA09-133A FEDORA-2009-3848 FEDORA-2009-3768 php-multibyte-bo(47525) ADV-2009-1297 32948 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl RHSA-2009:0350 http://www.php.net/ChangeLog-5.php#5.2.7 MDVSA-2009:045 DSA-1789 http://wiki.rpath.com/Advisories:rPSA-2009-0035 http://support.apple.com/kb/HT3549 1021482 35650 35306 35074 35003 34642 HPSBUX02465 HPSBUX02465 SSRT090085 SSRT090085 SUSE-SR:2009:008 SUSE-SR:2009:004 APPLE-SA-2009-05-12 http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c?r1=1.7&r2=1.8 http://bugs.php.net/bug.php?id=45722 20081221 CVE-2008-5557 - PHP mbstring buffer overflow Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image. FEDORA-2009-3848 FEDORA-2009-3768 php-imagerotate-info-disclosure(47635) 33002 RHSA-2009:0350 http://www.php.net/releases/5_2_9.php MDVSA-2009:023 MDVSA-2009:022 MDVSA-2009:021 http://support.apple.com/kb/HT3865 1021494 36701 35650 35306 34642 51031 SSRT090192 SSRT090192 SSRT090085 SSRT090085 SUSE-SR:2009:008 APPLE-SA-2009-09-10-2 http://downloads.securityfocus.com/vulnerabilities/exploits/33002.php http://downloads.securityfocus.com/vulnerabilities/exploits/33002-2.php http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1360&r2=1.2027.2.547.2.1361&diff_format=u The FormWidgetChoice::loadDefaults function in Poppler before 0.10.4 allows remote attackers to cause a denial of service (crash) via a PDF file with an invalid Form Opt entry. USN-850-1 33749 20090417 rPSA-2009-0059-1 poppler [oss-security] 20090219 Re: CVE Request: Poppler -Two Denial of Service Vulnerabilities [oss-security] 20090213 CVE Request: Poppler -Two Denial of Service Vulnerabilities http://wiki.rpath.com/Advisories:rPSA-2009-0059 37114 35685 33853 SUSE-SR:2009:012 [poppler] 20090128 poppler/Form.cc http://bugs.freedesktop.org/show_bug.cgi?id=19790 Stack-based buffer overflow in mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2, when the server has a map with a long IMAGEPATH or NAME attribute, allows remote attackers to execute arbitrary code via a crafted id parameter in a query action. FEDORA-2009-3383 FEDORA-2009-3357 1021952 34306 20090330 Positron Security Advisory #2009-000: Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3 http://www.positronsecurity.com/advisories/2009-000.html DSA-1914 http://trac.osgeo.org/mapserver/ticket/2944 34603 34520 [mapserver-users] 20090326 MapServer 5.2.2 and 4.10.4 released with security fixes Heap-based buffer underflow in the readPostBody function in cgiutil.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to have an unknown impact via a negative value in the Content-Length HTTP header. [mapserver-users] 20090326 MapServer 5.2.2 and 4.10.4 released with security fixes FEDORA-2009-3383 FEDORA-2009-3357 mapserver-contentlength-bo(49545) 1021952 34306 20090330 Positron Security Advisory #2009-000: Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3 http://www.positronsecurity.com/advisories/2009-000.html DSA-1914 http://trac.osgeo.org/mapserver/ticket/2943 34603 34520 Directory traversal vulnerability in mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2, when running on Windows with Cygwin, allows remote attackers to create arbitrary files via a .. (dot dot) in the id parameter. [mapserver-users] 20090326 MapServer 5.2.2 and 4.10.4 released with security fixes FEDORA-2009-3383 FEDORA-2009-3357 mapserver-mapserv-dir-traversal(49548) 1021952 34306 20090330 Positron Security Advisory #2009-000: Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3 http://www.positronsecurity.com/advisories/2009-000.html DSA-1914 http://trac.osgeo.org/mapserver/ticket/2942 34603 34520 mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to read arbitrary invalid .map files via a full pathname in the map parameter, which triggers the display of partial file contents within an error message, as demonstrated by a /tmp/sekrut.map symlink. [mapserver-users] 20090326 MapServer 5.2.2 and 4.10.4 released with security fixes FEDORA-2009-3383 FEDORA-2009-3357 1021952 34306 20090330 Positron Security Advisory #2009-000: Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3 http://www.positronsecurity.com/advisories/2009-000.html DSA-1914 http://trac.osgeo.org/mapserver/ticket/2941 34603 34520 The msLoadQuery function in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to determine the existence of arbitrary files via a full pathname in the queryfile parameter, which triggers different error messages depending on whether this pathname exists. [mapserver-users] 20090326 MapServer 5.2.2 and 4.10.4 released with security fixes FEDORA-2009-3383 FEDORA-2009-3357 1021952 34306 20090330 Positron Security Advisory #2009-000: Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3 http://www.positronsecurity.com/advisories/2009-000.html DSA-1914 http://trac.osgeo.org/mapserver/ticket/2939 34603 34520 Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c. TA09-133A http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/ChangeLog https://bugzilla.redhat.com/show_bug.cgi?id=491384 ADV-2009-1621 ADV-2009-1522 ADV-2009-1297 ADV-2009-1058 USN-767-1 34550 RHSA-2009:1062 RHSA-2009:1061 RHSA-2009:0329 DSA-1784 http://support.apple.com/kb/HT3639 http://support.apple.com/kb/HT3613 http://support.apple.com/kb/HT3549 270268 GLSA-200905-05 35379 35210 35204 35200 35198 35074 35065 34967 34913 34723 SUSE-SR:2009:010 APPLE-SA-2009-05-12 APPLE-SA-2009-06-17-1 APPLE-SA-2009-06-08-1 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a18788b14db60ae3673f932249cd02d33a227c4e http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=79972af4f0485a11dcb19551356c45245749fc5b http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0545ec1ca36b27cb928128870a83e5f668980bc5 The exit_notify function in kernel/exit.c in the Linux kernel before 2.6.30-rc1 does not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application. http://patchwork.kernel.org/patch/16544/ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=432870dab85a2f69dc417022646cb9a70acf7f94 FEDORA-2009-5356 RHSA-2009:1550 https://bugzilla.redhat.com/show_bug.cgi?id=493771 1022141 34405 20090516 rPSA-2009-0084-1 kernel RHSA-2009:1077 RHSA-2009:1024 RHSA-2009:0451 [oss-security] 20090417 Re: CVE request: kernel: exit_notify: kill the wrong capable(CAP_KILL) check [oss-security] 20090407 CVE request: kernel: exit_notify: kill the wrong capable(CAP_KILL) check MDVSA-2009:135 MDVSA-2009:119 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.30-rc1 DSA-1800 DSA-1794 DSA-1787 http://wiki.rpath.com/Advisories:rPSA-2009-0084 35394 35390 35387 35226 35185 35160 35121 35120 35015 35011 34981 34917 RHSA-2009:0473 [linux-kernel] 20090225 Re: [PATCH 2/2] exit_notify: kill the wrong capable(CAP_KILL) check SUSE-SA:2009:032 SUSE-SA:2009:031 SUSE-SA:2009:030 SUSE-SA:2009:028 The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug." http://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest [openssl-dev] 20090516 [openssl.org #1930] [PATCH] DTLS record buffer limitation bug http://cvs.openssl.org/chngview?cn=18187 https://launchpad.net/bugs/cve/2009-1377 ADV-2009-1377 USN-792-1 1022241 35001 [oss-security] 20090518 Two OpenSSL DTLS remote DoS MDVSA-2009:120 http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net 37003 35729 35571 35461 35416 35128 SUSE-SR:2009:011 NetBSD-SA2009-009 Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak." http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest [openssl-dev] 20090516 [openssl.org #1931] [PATCH] DTLS fragment handling memory leak http://cvs.openssl.org/chngview?cn=18188 https://launchpad.net/bugs/cve/2009-1378 ADV-2009-1377 USN-792-1 1022241 35001 [oss-security] 20090518 Two OpenSSL DTLS remote DoS 8720 MDVSA-2009:120 http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net 37003 35729 35571 35461 35416 35128 [openssl-dev] 20090518 Re: [openssl.org #1931] [PATCH] DTLS fragment handling memory leak SUSE-SR:2009:011 NetBSD-SA2009-009 Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate. https://launchpad.net/bugs/cve/2009-1379 openssl-dtls1retrievebufferedfragment-dos(50661) ADV-2009-1377 USN-792-1 1022241 35138 [oss-security] 20090518 Re: Two OpenSSL DTLS remote DoS http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net 37003 35729 35571 35461 35416 http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest SUSE-SR:2009:011 NetBSD-SA2009-009 The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file. https://bugzilla.redhat.com/show_bug.cgi?id=489436 http://svn.apache.org/viewvc?view=rev&revision=772997 FEDORA-2009-8812 apache-allowoverrides-security-bypass(50808) ADV-2009-1444 USN-787-1 1022296 35115 RHSA-2009:1156 RHSA-2009:1075 MDVSA-2009:124 DSA-1816 GLSA-200907-04 37152 35721 35453 35395 35264 35261 54733 [apache-httpd-dev] 20090423 Includes vs IncludesNoExec security issue - help needed SUSE-SA:2009:050 Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel before 2.6.30-rc8, the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size. https://bugzilla.redhat.com/show_bug.cgi?id=502981 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.30-rc8 http://sourceforge.net/project/shownotes.php?release_id=504022&group_id=42302 FEDORA-2009-6846 FEDORA-2009-6768 FEDORA-2009-6883 RHSA-2009:1550 35185 20090724 rPSA-2009-0111-1 kernel RHSA-2009:1193 RHSA-2009:1157 [oss-security] 20090603 CVE-2009-1385 kernel: e1000_clean_rx_irq() denial of service MDVSA-2009:148 MDVSA-2009:135 http://www.intel.com/support/network/sb/CS-030543.htm DSA-1865 DSA-1844 http://wiki.rpath.com/Advisories:rPSA-2009-0111 36327 36131 36051 35847 35623 35566 35265 54892 SUSE-SA:2009:038 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ea30e11970a96cfe5e32c03a29332554573b4a10 The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug." http://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest http://cvs.openssl.org/chngview?cn=17958 USN-792-1 [oss-security] 20090602 Re: Two OpenSSL DTLS remote DoS http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net 37003 35729 35685 35571 SUSE-SR:2009:012 NetBSD-SA2009-009 The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests. http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=790587&r2=790586&pathrev=790587 FEDORA-2009-8812 RHSA-2009:1148 USN-802-1 1022509 35565 RHSA-2009:1156 MDVSA-2009:149 DSA-1834 http://svn.apache.org/viewvc?view=rev&revision=790587 http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?revision=790587 http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587 GLSA-200907-04 37152 35865 35793 35721 35691 55553 SUSE-SA:2009:050 The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion even after the associated network connection is closed, which allows remote attackers to cause a denial of service (CPU consumption). RHSA-2009:1148 https://bugzilla.redhat.com/show_bug.cgi?id=509125 MDVSA-2009:149 FEDORA-2009-8812 ADV-2009-1841 USN-802-1 1022529 RHSA-2009:1156 DSA-1834 GLSA-200907-04 37152 35865 35793 35781 35721 55782 [apache-httpd-dev] 20090703 Re: mod_deflate DoS [apache-httpd-dev] 20090628 mod_deflate DoS SUSE-SA:2009:050 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712 The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. TA09-294A VU#466161 ADV-2009-1911 ADV-2009-1909 ADV-2009-1908 ADV-2009-1900 35671 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925 PK80627 PK80596 FEDORA-2009-8473 FEDORA-2009-8456 FEDORA-2009-8337 FEDORA-2009-8329 RHSA-2009:1201 RHSA-2009:1200 https://issues.apache.org/bugzilla/show_bug.cgi?id=47527 https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html http://www.w3.org/2008/06/xmldsigcore-errata.html#e03 ADV-2009-2543 USN-826-1 1022661 1022567 1022561 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html http://www.mono-project.com/Vulnerabilities MDVSA-2009:209 http://www.kb.cert.org/vuls/id/WDON-7TY529 http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ http://www.aleksey.com/xmlsec/ 263429 http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1 36494 36180 36176 36162 35858 35855 35854 35853 35852 35776 55907 55895 APPLE-SA-2009-09-03-1 http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161 The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR). ADV-2009-1866 http://patchwork.kernel.org/patch/32598/ http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html FEDORA-2009-8144 FEDORA-2009-8264 RHSA-2009:1550 RHSA-2009:1540 https://bugs.launchpad.net/bugs/cve/2009-1895 USN-807-1 35647 20090724 rPSA-2009-0111-1 kernel RHSA-2009:1438 RHSA-2009:1193 55807 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc3 DSA-1845 DSA-1844 http://wiki.rpath.com/Advisories:rPSA-2009-0111 36759 36131 36116 36054 36051 36045 35801 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 Multiple unspecified vulnerabilities in Wireshark 1.2.0 allow remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace and is processed by the (1) Bluetooth L2CAP, (2) RADIUS, or (3) MIOP dissector. NOTE: it was later reported that the RADIUS issue also affects 0.10.13 through 1.0.9. http://www.wireshark.org/security/wnpa-sec-2009-04.html 35748 wireshark-radius-dissector-dos(54019) http://www.wireshark.org/security/wnpa-sec-2009-08.html http://www.wireshark.org/docs/relnotes/wireshark-1.0.10.html ADV-2009-3061 ADV-2009-1970 36846 [oss-security] 20090722 Re: CVE request: Wireshark <1.2.1 Multiple DoS MDVSA-2009:194 37175 35884 Unspecified vulnerability in the AFS dissector in Wireshark 0.9.2 through 1.2.0 allows remote attackers to cause a denial of service (crash) via unknown vectors. http://www.wireshark.org/security/wnpa-sec-2009-04.html 35748 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3564 http://www.wireshark.org/security/wnpa-sec-2009-05.html http://www.wireshark.org/docs/relnotes/wireshark-1.0.9.html ADV-2009-1970 [oss-security] Re: Wireshark - wnpa-sec-2009-05.html && wnpa-sec-2009-06.html -- CVE confirmation and CVE Request [oss-security] Wireshark - wnpa-sec-2009-05.html && wnpa-sec-2009-06.html -- CVE confirmation and CVE Request MDVSA-2009:194 35884 Unspecified vulnerability in the Infiniband dissector in Wireshark 1.0.6 through 1.2.0, when running on unspecified platforms, allows remote attackers to cause a denial of service (crash) via unknown vectors. http://www.wireshark.org/security/wnpa-sec-2009-04.html ADV-2009-1970 http://www.wireshark.org/security/wnpa-sec-2009-05.html http://www.wireshark.org/docs/relnotes/wireshark-1.0.9.html 35748 [oss-security] 20090917 Re: Wireshark - wnpa-sec-2009-05.html && wnpa-sec-2009-06.html -- CVE confirmation and CVE Request [oss-security] 20090917 Wireshark - wnpa-sec-2009-05.html && wnpa-sec-2009-06.html -- CVE confirmation and CVE Request MDVSA-2009:194 35884 Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5. https://bugzilla.redhat.com/show_bug.cgi?id=510251 http://www.wired.com/threatlevel/2009/07/kaminsky/ ADV-2009-2085 USN-810-2 USN-810-1 1022632 RHSA-2009:1432 RHSA-2009:1207 http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_m.c.diff?r1=1.8&r2=1.11&f=h http://www.mozilla.org/security/announce/2009/mfsa2009-42.html MDVSA-2009:197 DSA-1874 36434 36157 36139 36125 36088 56723 [oss-security] 20090903 More CVE-2009-2408 like issues http://isc.sans.org/diary.html?storyid=7003 The asn1_length function in strongSwan 2.8 before 2.8.11, 4.2 before 4.2.17, and 4.3 before 4.3.3 does not properly handle X.509 certificates with crafted Relative Distinguished Names (RDNs), which allows remote attackers to cause a denial of service (pluto IKE daemon crash) via malformed ASN.1 data. NOTE: this is due to an incomplete fix for CVE-2009-2185. [Announce] 20090723 ANNOUNCE: strongswan-2.8.11 and strongswan-4.2.17 released http://download.strongswan.org/patches/07_asn1_length_patch/strongswan-4.x.x_asn1_length.patch ADV-2009-2247 [oss-security] 20090727 CVE id request: strongswan DSA-1899 http://up2date.astaro.com/2009/08/up2date_7505_released.html 36922 SUSE-SR:2009:016 http://download.strongswan.org/patches/07_asn1_length_patch/strongswan-4.3.x_asn1_length.patch The audio system in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, does not prevent access to java.lang.System properties by (1) untrusted applets and (2) Java Web Start applications, which allows context-dependent attackers to obtain sensitive information by reading these properties. TA09-294A 263408 http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1 FEDORA-2009-8337 FEDORA-2009-8329 RHSA-2009:1201 RHSA-2009:1200 RHSA-2009:1199 jre-jdk-audiosystem-priv-escalation(52306) ADV-2009-2543 1022658 35939 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html MDVSA-2009:209 36248 36199 36180 36176 36162 56788 SUSE-SR:2009:016 SUSE-SA:2009:043 APPLE-SA-2009-09-03-1 http://java.sun.com/javase/6/webnotes/6u15.html http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_20 The SOCKS proxy implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to discover the username of the account that invoked an untrusted (1) applet or (2) Java Web Start application via unspecified vectors. TA09-294A 263409 http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1 FEDORA-2009-8337 FEDORA-2009-8329 RHSA-2009:1201 RHSA-2009:1200 RHSA-2009:1199 sun-jre-socks-info-disclosure(52336) ADV-2009-2543 1022659 35943 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html MDVSA-2009:209 36248 36199 36180 36176 36162 SUSE-SR:2009:016 SUSE-SA:2009:043 APPLE-SA-2009-09-03-1 http://java.sun.com/javase/6/webnotes/6u15.html http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_20 The proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, does not prevent access to browser cookies by untrusted (1) applets and (2) Java Web Start applications, which allows remote attackers to hijack web sessions via unspecified vectors. TA09-294A 263409 http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1 RHSA-2009:1201 RHSA-2009:1200 RHSA-2009:1199 sun-jre-proxy-session-hijacking(52337) ADV-2009-2543 1022659 35943 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html 36248 36199 36180 36176 SUSE-SR:2009:016 SUSE-SA:2009:043 APPLE-SA-2009-09-03-1 http://java.sun.com/javase/6/webnotes/6u15.html http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_20 The proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to bypass intended access restrictions and connect to arbitrary sites via unspecified vectors, related to a declaration that lacks the final keyword. TA09-294A 263409 http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1 FEDORA-2009-8337 FEDORA-2009-8329 RHSA-2009:1201 RHSA-2009:1200 RHSA-2009:1199 sun-jre-proxy-security-bypass(52338) ADV-2009-2543 1022659 35943 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html MDVSA-2009:209 36248 36199 36180 36176 36162 56785 SUSE-SR:2009:016 SUSE-SA:2009:043 APPLE-SA-2009-09-03-1 http://java.sun.com/javase/6/webnotes/6u15.html http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_20 Integer overflow in javaws.exe in Sun Java Web Start in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 allows context-dependent attackers to execute arbitrary code via a crafted JPEG image that is not properly handled during display to a splash screen, which triggers a heap-based buffer overflow. TA09-294A 263428 http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1 FEDORA-2009-8337 FEDORA-2009-8329 RHSA-2009:1201 RHSA-2009:1200 sun-jre-jpeg-bo(52339) http://www.zerodayinitiative.com/advisories/ZDI-09-050/ ADV-2009-2543 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html MDVSA-2009:209 36248 36180 36176 36162 SUSE-SR:2009:016 SUSE-SA:2009:043 APPLE-SA-2009-09-03-1 Integer overflow in the unpack200 utility in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows context-dependent attackers to gain privileges via unspecified length fields in the header of a Pack200-compressed JAR file, which leads to a heap-based buffer overflow during decompression. TA09-294A 263488 http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1 FEDORA-2009-8337 FEDORA-2009-8329 RHSA-2009:1201 RHSA-2009:1200 RHSA-2009:1199 jre-pak200-bo(52307) http://www.zerodayinitiative.com/advisories/ZDI-09-049/ ADV-2009-2543 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html MDVSA-2009:209 36248 36199 36180 36176 36162 SUSE-SR:2009:016 SUSE-SA:2009:043 APPLE-SA-2009-09-03-1 20090804 Sun Java Runtime Environment (JRE) Pack200 Decompression Integer Overflow Vulnerability Unspecified vulnerability in JNLPAppletlauncher in Sun Java SE, and SE for Business, in JDK and JRE 6 Update 14 and earlier and JDK and JRE 5.0 Update 19 and earlier; and Java SE for Business in SDK and JRE 1.4.2_21 and earlier; allows remote attackers to create or modify arbitrary files via vectors involving an untrusted Java applet. TA09-294A 263490 http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1 RHSA-2009:1200 RHSA-2009:1199 1022657 35946 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html 36248 36199 36176 56789 SUSE-SA:2009:043 Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information. 35949 FEDORA-2009-8360 FEDORA-2009-8336 USN-813-2 MDVSA-2009:195 http://svn.apache.org/viewvc/apr/apr/branches/1.3.x/memory/unix/apr_pools.c?r1=678140&r2=800732 http://svn.apache.org/viewvc/apr/apr/branches/1.3.x/CHANGES?revision=800732&view=markup http://svn.apache.org/viewvc/apr/apr/branches/0.9.x/memory/unix/apr_pools.c?r1=585356&r2=800733 http://svn.apache.org/viewvc/apr/apr/branches/0.9.x/CHANGES?revision=800733&view=markup http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/misc/apr_rmm.c?r1=647687&r2=800735 http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/CHANGES?revision=800735&view=markup http://svn.apache.org/viewvc/apr/apr-util/branches/0.9.x/misc/apr_rmm.c?r1=230441&r2=800736 http://svn.apache.org/viewvc/apr/apr-util/branches/0.9.x/CHANGES?revision=800736&view=markup 37152 36233 36166 36140 36138 56766 56765 SUSE-SA:2009:050 XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework. TA09-294A 263489 http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1 FEDORA-2009-8337 FEDORA-2009-8329 RHSA-2009:1201 RHSA-2009:1200 RHSA-2009:1199 ADV-2009-2543 1022680 35958 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html [oss-security] 20091026 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430] [oss-security] 20091023 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430] [oss-security] 20091022 Re: Regarding expat bug 1990430 [oss-security] 20090906 Re: Re: expat bug 1990430 http://www.networkworld.com/columnists/2009/080509-xml-flaw.html MDVSA-2009:209 http://www.codenomicon.com/labs/xml/ http://www.cert.fi/en/reports/2009/vulnerability2009085.html http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&diff_format=h 36199 36180 36176 36162 SUSE-SR:2009:016 APPLE-SA-2009-09-03-1 Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, might allow context-dependent attackers to obtain sensitive information via vectors involving static variables that are declared without the final keyword, related to (1) LayoutQueue, (2) Cursor.predefined, (3) AccessibleResourceBundle.getContents, (4) ImageReaderSpi.STANDARD_INPUT_TYPE, (5) ImageWriterSpi.STANDARD_OUTPUT_TYPE, (6) the imageio plugins, (7) DnsContext.debug, (8) RmfFileReader/StandardMidiFileWriter.types, (9) AbstractSaslImpl.logger, (10) Synth.Region.uiToRegionMap/lowerCaseNameMap, (11) the Introspector class and a cache of BeanInfo, and (12) JAX-WS, a different vulnerability than CVE-2009-2673. http://sunsolve.sun.com/search/document.do?assetkey=1-21-125139-16-1 http://sunsolve.sun.com/search/document.do?assetkey=1-21-118667-22-1 FEDORA-2009-8337 FEDORA-2009-8329 RHSA-2009:1201 RHSA-2009:1200 RHSA-2009:1199 https://bugzilla.redhat.com/show_bug.cgi?id=513215 ADV-2009-2543 MDVSA-2009:209 36199 36180 36176 36162 SUSE-SR:2009:016 APPLE-SA-2009-09-03-1 http://java.sun.com/javase/6/webnotes/6u15.html http://java.sun.com/j2se/1.5.0/ReleaseNotes.html The Java Management Extensions (JMX) implementation in Sun Java SE 6 before Update 15, and OpenJDK, does not properly enforce OpenType checks, which allows context-dependent attackers to bypass intended access restrictions by leveraging finalizer resurrection to obtain a reference to a privileged object. http://sunsolve.sun.com/search/document.do?assetkey=1-21-125139-16-1 FEDORA-2009-8337 FEDORA-2009-8329 RHSA-2009:1201 RHSA-2009:1200 https://bugzilla.redhat.com/show_bug.cgi?id=513220 ADV-2009-2543 MDVSA-2009:209 36180 36176 36162 SUSE-SR:2009:016 APPLE-SA-2009-09-03-1 http://java.sun.com/javase/6/webnotes/6u15.html JDK13Services.getProviders in Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, grants full privileges to instances of unspecified object types, which allows context-dependent attackers to bypass intended access restrictions via an untrusted (1) applet or (2) application. http://sunsolve.sun.com/search/document.do?assetkey=1-21-125139-16-1 http://sunsolve.sun.com/search/document.do?assetkey=1-21-118667-22-1 http://java.sun.com/j2se/1.5.0/ReleaseNotes.html FEDORA-2009-8337 FEDORA-2009-8329 RHSA-2009:1201 RHSA-2009:1199 https://bugzilla.redhat.com/show_bug.cgi?id=513222 ADV-2009-2543 MDVSA-2009:209 36199 36180 36162 SUSE-SR:2009:016 APPLE-SA-2009-09-03-1 http://java.sun.com/javase/6/webnotes/6u15.html The encoder in Sun Java SE 6 before Update 15, and OpenJDK, grants read access to private variables with unspecified names, which allows context-dependent attackers to obtain sensitive information via an untrusted (1) applet or (2) application. http://sunsolve.sun.com/search/document.do?assetkey=1-21-125139-16-1 FEDORA-2009-8337 FEDORA-2009-8329 RHSA-2009:1201 RHSA-2009:1200 https://bugzilla.redhat.com/show_bug.cgi?id=513223 ADV-2009-2543 MDVSA-2009:209 36180 36176 36162 SUSE-SR:2009:016 APPLE-SA-2009-09-03-1 http://java.sun.com/javase/6/webnotes/6u15.html The mm_for_maps function in fs/proc/base.c in the Linux kernel 2.6.30.4 and earlier allows local users to read (1) maps and (2) smaps files under proc/ via vectors related to ELF loading, a setuid process, and a race condition. [linux-kernel] 20090710 [PATCH 2/2] mm_for_maps: take ->cred_guard_mutex to fix the race [linux-kernel] 20090710 [PATCH 1/2] mm_for_maps: shift down_read(mmap_sem) to the caller [linux-kernel] 20090623 [PATCH 1/1] mm_for_maps: simplify, use ptrace_may_access() FEDORA-2009-9044 RHSA-2009:1540 https://bugzilla.redhat.com/show_bug.cgi?id=516171 linux-kernel-mmformaps-info-disclosure(52401) ADV-2009-2246 36019 [oss-security] 20090811 CVE-2009-2691 kernel: /proc/$pid/maps visible during initial setuid ELF loading 36501 36265 [linux-kernel] 20090623 [PATCH 0/1] mm_for_maps: simplify, use ptrace_may_access() http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=704b836cbf19e885f8366bccb2e4b0474346c02d http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=13f0feafa6b8aead57a2a328e2fca6a5828bf286 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=00f89d218523b9bf6b522349c039d5ac80aa536d The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket. ADV-2009-2272 https://issues.rpath.com/browse/RPL-3103 https://bugzilla.redhat.com/show_bug.cgi?id=516949 http://zenthought.org/content/file/android-root-2009-08-16-source 36038 20090818 rPSA-2009-0121-1 kernel open-vm-tools 20090813 Linux NULL pointer dereference due to incorrect proto_ops initializations RHSA-2009:1233 [oss-security] 20090814 CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc 9477 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5 http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5 http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0121 36430 36327 36289 36278 RHSA-2009:1223 RHSA-2009:1222 SUSE-SR:2009:015 http://grsecurity.net/~spender/wunderbar_emporium.tgz http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commit;h=c18d0fe535a73b219f960d1af3d0c264555a12e3 http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html 20090813 Linux NULL pointer dereference due to incorrect proto_ops initializations The execve function in the Linux kernel, possibly 2.6.30-rc6 and earlier, does not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit. FEDORA-2009-9044 RHSA-2009:1550 kernel-execve-dos(52899) RHSA-2009:1438 [oss-security] 20090805 Re: CVE request - kernel: execve: must clear current->clear_child_tid [oss-security] 20090804 CVE request - kernel: execve: must clear current->clear_child_tid 36759 36501 35983 [linux-kernel] 20090801 [PATCH v2] execve: must clear current->clear_child_tid The md driver (drivers/md/md.c) in the Linux kernel before 2.6.30.2 might allow local users to cause a denial of service (NULL pointer dereference) via vectors related to "suspend_* sysfs attributes" and the (1) suspend_lo_store or (2) suspend_hi_store functions. NOTE: this is only a vulnerability when sysfs is writable by an attacker. FEDORA-2009-9044 RHSA-2009:1540 http://xorl.wordpress.com/2009/07/21/linux-kernel-md-driver-null-pointer-dereference/ kernel-mddriver-dos(52858) 1022961 [oss-security] 20090726 Re: md raid null ptr dereference (when sysfs is writable) [oss-security] 20090724 md raid null ptr dereference (when sysfs is writable) http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.2 36501 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.30.y.git;a=commit;h=3c92900d9a4afb176d3de335dc0da0198660a244