schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103. https://github.com/krb5/krb5/commit/cf1a0c411b2668c57c41e9c4efd15ba17b6b322c https://bugzilla.redhat.com/show_bug.cgi?id=962531 DSA-2701 http://krbdev.mit.edu/rt/Ticket/Display.html?id=7637 Double free vulnerability in Google Chrome before 22.0.1229.79 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to application exit. http://googlechromereleases.blogspot.com/2012/09/stable-channel-update_25.html https://code.google.com/p/chromium/issues/detail?id=142310 google-chrome-cve20122885(78840) 85755 openSUSE-SU-2012:1376 The getFirstInTableInstance function in the IcedTea-Web plugin before 1.2.1 returns an uninitialized pointer when the instance_to_id_map hash is empty, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted web page, which causes an uninitialized memory location to be read. https://bugzilla.redhat.com/show_bug.cgi?id=840592 USN-1521-1 50089 RHSA-2012:1132 openSUSE-SU-2013:0826 SUSE-SU-2013:0851 openSUSE-SU-2012:0982 openSUSE-SU-2012:0981 SUSE-SU-2012:0979 http://icedtea.classpath.org/hg/release/icedtea-web-1.2/file/icedtea-web-1.2.1/NEWS The IcedTea-Web plugin before 1.2.1 does not properly handle NPVariant NPStrings without NUL terminators, which allows remote attackers to cause a denial of service (crash), obtain sensitive information from memory, or execute arbitrary code via a crafted Java applet. http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/d7375e2a9076 http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/d65bd94e0ba9 https://bugzilla.redhat.com/show_bug.cgi?id=841345 USN-1521-1 50089 RHSA-2012:1132 openSUSE-SU-2013:0826 SUSE-SU-2013:0851 openSUSE-SU-2012:0982 openSUSE-SU-2012:0981 SUSE-SU-2012:0979 http://icedtea.classpath.org/hg/release/icedtea-web-1.2/file/icedtea-web-1.2.1/NEWS http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=863 http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=518 The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue. https://bugzilla.redhat.com/show_bug.cgi?id=849172 https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2 USN-1542-1 55072 http://www.postgresql.org/support/security/ http://www.postgresql.org/docs/9.1/static/release-9-1-5.html http://www.postgresql.org/docs/9.0/static/release-9-0-9.html http://www.postgresql.org/docs/8.4/static/release-8-4-13.html http://www.postgresql.org/docs/8.3/static/release-8-3-20.html http://www.postgresql.org/about/news/1407/ MDVSA-2012:139 DSA-2534 50946 50859 50718 50636 50635 RHSA-2012:1264 RHSA-2012:1263 openSUSE-SU-2012:1299 openSUSE-SU-2012:1288 openSUSE-SU-2012:1251 APPLE-SA-2013-03-14-1 The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue. https://bugzilla.redhat.com/show_bug.cgi?id=849173 https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2 USN-1542-1 55074 http://www.postgresql.org/support/security/ http://www.postgresql.org/docs/9.1/static/release-9-1-5.html http://www.postgresql.org/docs/9.0/static/release-9-0-9.html http://www.postgresql.org/docs/8.4/static/release-8-4-13.html http://www.postgresql.org/docs/8.3/static/release-8-3-20.html http://www.postgresql.org/about/news/1407/ MDVSA-2012:139 DSA-2534 50946 50859 50718 50635 RHSA-2012:1263 openSUSE-SU-2012:1299 openSUSE-SU-2012:1288 openSUSE-SU-2012:1251 APPLE-SA-2013-03-14-1 s2s/out.c in jabberd2 2.2.16 and earlier does not verify that a request was made for an XMPP Server Dialback response, which allows remote XMPP servers to spoof domains via a (1) Verify Response or (2) Authorization Response. https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d https://bugzilla.redhat.com/show_bug.cgi?id=850872 http://xmpp.org/resources/security-notices/server-dialback/ 55167 [oss-security] 20120822 Re: CVE Request -- jabberd2: Prone to unsolicited XMPP Dialback attacks [oss-security] 20120822 CVE Request -- jabberd2: Prone to unsolicited XMPP Dialback attacks [jabberd2] 20120821 Fwd: [Security] Vulnerability in XMPP Server Dialback Implementations 50859 50124 RHSA-2012:1539 RHSA-2012:1538 APPLE-SA-2013-03-14-1 Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data. http://svn.apache.org/viewvc?view=revision&revision=1476592 http://svn.apache.org/viewvc?view=revision&revision=1378921 http://svn.apache.org/viewvc?view=revision&revision=1378702 http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java?r1=1476592&r2=1476591&pathrev=1476592 USN-1841-1 http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html The Cybozu Live application 1.0.4 and earlier for Android allows remote attackers to execute arbitrary Java methods, and obtain sensitive information or execute arbitrary commands, via a crafted web site. http://magazine.cybozulive.com/2012/08/291200.html JVNDB-2012-000081 JVN#23009798 The WebView class in the Cybozu Live application 1.0.4 and earlier for Android allows remote attackers to execute arbitrary JavaScript code, and obtain sensitive information, via a crafted application that places this code into a local file associated with a file: URL. http://magazine.cybozulive.com/2012/08/291200.html JVNDB-2012-000082 JVN#77393797 The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments. https://github.com/torvalds/linux/commit/70789d7052239992824628db8133de08dc78e593 https://bugzilla.redhat.com/show_bug.cgi?id=874835 https://media.blackhat.com/bh-eu-12/Atlasis/bh-eu-12-Atlasis-Attacking_IPv6-WP.pdf USN-1661-1 USN-1660-1 [oss-security] 20121109 Re: CVE request --- acceptation of overlapping ipv6 fragments RHSA-2012:1580 SUSE-SU-2013:0856 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=70789d7052239992824628db8133de08dc78e593 http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.36 The KVM subsystem in the Linux kernel before 3.6.9, when running on hosts that use qemu userspace without XSAVE, allows local users to cause a denial of service (kernel OOPS) by using the KVM_SET_SREGS ioctl to set the X86_CR4_OSXSAVE bit in the guest cr4 register, then calling the KVM_RUN ioctl. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=6d1068b3a98519247d8ba4ec85cd40ac136dbdf9 SUSE-SU-2012:1679 https://bugzilla.redhat.com/show_bug.cgi?id=862900 56414 [oss-security] 20121106 CVE-2012-4461 -- kernel: kvm: invalid opcode oops on SET_SREGS with OSXSAVE bit set http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.6.9 51160 RHSA-2013:0882 RHSA-2013:0223 http://article.gmane.org/gmane.comp.emulators.kvm.devel/100742 block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes. https://oss.oracle.com/git/?p=redpatch.git;a=commit;h=76a274e17114abf1a77de6b651424648ce9e10c8 https://bugzilla.redhat.com/show_bug.cgi?id=875360 RHSA-2013:0882 RHSA-2013:0579 RHSA-2013:0496 [linux-kernel] 20130124 [PATCH 04/13] sg_io: resolve conflicts between commands assigned to multiple classes (CVE-2012-4542) [linux-kernel] 20130124 [PATCH 00/13] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542) Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels. http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf REDCap before 4.14.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the logic of a custom rule. http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf The Data Camouflage (aka Faircom Standard Encryption) algorithm in Faircom c-treeACE does not ensure that a decryption key is needed for accessing database contents, which allows context-dependent attackers to read cleartext database records by copying a database to another system that has a certain default configuration. VU#900031 The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges. Per https://access.redhat.com/security/cve/CVE-2013-0311 "This issue did affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 6." http://www.kernel.org/pub/linux/kernel/v3.x/patch-3.7.bz2 https://github.com/torvalds/linux/commit/bd97120fc3d1a11f3124c7c9ba1d91f51829eb85 https://bugzilla.redhat.com/show_bug.cgi?id=912905 [oss-security] 20130219 Re: CVE request -- Linux kernel: vhost: fix length for cross region descriptor RHSA-2013:0882 RHSA-2013:0579 RHSA-2013:0496 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=bd97120fc3d1a11f3124c7c9ba1d91f51829eb85 IBM Eclipse Help System (IEHS), as used in IBM Data Studio 3.1 and 3.1.1 and other products, allows remote authenticated users to read source code via a crafted URL. iehs-source-disclosure(81102) http://www-01.ibm.com/support/docview.wss?uid=swg21625573 The server process in IBM Cognos TM1 10.1.x before 10.1.1 FP1 allows remote attackers to cause a denial of service (daemon crash) via an undocumented API call that triggers the transmission of unexpected data. tm1-undocumented-api(81612) http://www-01.ibm.com/support/docview.wss?uid=swg21637655 The Chrome Object Wrapper (COW) and System Only Wrapper (SOW) implementations in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent modifications to a prototype, which allows remote attackers to obtain sensitive information from chrome objects or possibly execute arbitrary JavaScript code with chrome privileges via a crafted web site. https://bugzilla.mozilla.org/show_bug.cgi?id=809652 USN-1748-1 USN-1729-2 USN-1729-1 http://www.mozilla.org/security/announce/2013/mfsa2013-24.html DSA-2699 openSUSE-SU-2013:0324 openSUSE-SU-2013:0323 Use-after-free vulnerability in the nsImageLoadingContent::OnStopContainer function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code via crafted web script. https://bugzilla.mozilla.org/show_bug.cgi?id=831095 USN-1748-1 USN-1729-2 USN-1729-1 http://www.mozilla.org/security/announce/2013/mfsa2013-26.html DSA-2699 RHSA-2013:0272 RHSA-2013:0271 openSUSE-SU-2013:0324 openSUSE-SU-2013:0323 Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allow man-in-the-middle attackers to spoof the address bar by operating a proxy server that provides a 407 HTTP status code accompanied by web script, as demonstrated by a phishing attack on an HTTPS site. https://bugzilla.mozilla.org/show_bug.cgi?id=796475 USN-1748-1 USN-1729-2 USN-1729-1 http://www.mozilla.org/security/announce/2013/mfsa2013-27.html DSA-2699 RHSA-2013:0272 RHSA-2013:0271 openSUSE-SU-2013:0324 openSUSE-SU-2013:0323 Use-after-free vulnerability in the nsOverflowContinuationTracker::Finish function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted document that uses Cascading Style Sheets (CSS) -moz-column-* properties. https://bugzilla.mozilla.org/show_bug.cgi?id=812893 USN-1748-1 USN-1729-2 USN-1729-1 http://www.mozilla.org/security/announce/2013/mfsa2013-28.html DSA-2699 RHSA-2013:0272 RHSA-2013:0271 openSUSE-SU-2013:0324 openSUSE-SU-2013:0323 Heap-based buffer overflow in the nsSaveAsCharset::DoCharsetConversion function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code via unspecified vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=827070 USN-1748-1 USN-1729-2 USN-1729-1 http://www.mozilla.org/security/announce/2013/mfsa2013-28.html DSA-2699 RHSA-2013:0272 RHSA-2013:0271 openSUSE-SU-2013:0324 openSUSE-SU-2013:0323 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=832162 https://bugzilla.mozilla.org/show_bug.cgi?id=830975 https://bugzilla.mozilla.org/show_bug.cgi?id=830399 https://bugzilla.mozilla.org/show_bug.cgi?id=826471 https://bugzilla.mozilla.org/show_bug.cgi?id=822858 https://bugzilla.mozilla.org/show_bug.cgi?id=818241 https://bugzilla.mozilla.org/show_bug.cgi?id=812380 https://bugzilla.mozilla.org/show_bug.cgi?id=780549 https://bugzilla.mozilla.org/show_bug.cgi?id=761448 https://bugzilla.mozilla.org/show_bug.cgi?id=690970 USN-1748-1 USN-1729-2 USN-1729-1 http://www.mozilla.org/security/announce/2013/mfsa2013-21.html DSA-2699 RHSA-2013:0272 RHSA-2013:0271 openSUSE-SU-2013:0324 openSUSE-SU-2013:0323 Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call. https://bugzilla.mozilla.org/show_bug.cgi?id=848644 USN-1758-1 http://www.mozilla.org/security/announce/2013/mfsa2013-29.html DSA-2699 http://twitter.com/VUPEN/statuses/309505403631325184 http://twitter.com/thezdi/statuses/309484730506698752 RHSA-2013:0627 RHSA-2013:0614 SUSE-SU-2013:0470 openSUSE-SU-2013:0468 openSUSE-SU-2013:0467 openSUSE-SU-2013:0465 openSUSE-SU-2013:0431 http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, and SeaMonkey before 2.17 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=852923 https://bugzilla.mozilla.org/show_bug.cgi?id=840353 https://bugzilla.mozilla.org/show_bug.cgi?id=840263 https://bugzilla.mozilla.org/show_bug.cgi?id=839621 https://bugzilla.mozilla.org/show_bug.cgi?id=834240 https://bugzilla.mozilla.org/show_bug.cgi?id=827870 https://bugzilla.mozilla.org/show_bug.cgi?id=813442 https://bugzilla.mozilla.org/show_bug.cgi?id=784730 https://bugzilla.mozilla.org/show_bug.cgi?id=771942 https://bugzilla.mozilla.org/show_bug.cgi?id=635852 USN-1791-1 http://www.mozilla.org/security/announce/2013/mfsa2013-30.html DSA-2699 RHSA-2013:0697 RHSA-2013:0696 SUSE-SU-2013:0850 SUSE-SU-2013:0645 openSUSE-SU-2013:0631 openSUSE-SU-2013:0630 The CERT_DecodeCertPackage function in Mozilla Network Security Services (NSS), as used in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, SeaMonkey before 2.17, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) via a crafted certificate. https://bugzilla.mozilla.org/show_bug.cgi?id=629816 USN-1791-1 http://www.mozilla.org/security/announce/2013/mfsa2013-40.html SUSE-SU-2013:0850 SUSE-SU-2013:0645 openSUSE-SU-2013:0631 openSUSE-SU-2013:0630 Mozilla Firefox before 20.0 and SeaMonkey before 2.17, when gfx.color_management.enablev4 is used, do not properly handle color profiles during PNG rendering, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (memory corruption) via a grayscale PNG image. https://bugzilla.mozilla.org/show_bug.cgi?id=722831 http://www.mozilla.org/security/announce/2013/mfsa2013-39.html SUSE-SU-2013:0850 SUSE-SU-2013:0645 openSUSE-SU-2013:0631 openSUSE-SU-2013:0630 Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, and SeaMonkey before 2.17 do not ensure the correctness of the address bar during history navigation, which allows remote attackers to conduct cross-site scripting (XSS) attacks or phishing attacks by leveraging control over navigation timing. https://bugzilla.mozilla.org/show_bug.cgi?id=803870 USN-1791-1 http://www.mozilla.org/security/announce/2013/mfsa2013-38.html DSA-2699 RHSA-2013:0697 RHSA-2013:0696 SUSE-SU-2013:0850 SUSE-SU-2013:0645 openSUSE-SU-2013:0631 openSUSE-SU-2013:0630 Mozilla Firefox before 20.0 and SeaMonkey before 2.17 do not prevent origin spoofing of tab-modal dialogs, which allows remote attackers to conduct phishing attacks via a crafted web site. https://bugzilla.mozilla.org/show_bug.cgi?id=626775 http://www.mozilla.org/security/announce/2013/mfsa2013-37.html SUSE-SU-2013:0850 SUSE-SU-2013:0645 openSUSE-SU-2013:0631 openSUSE-SU-2013:0630 The System Only Wrapper (SOW) implementation in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, and SeaMonkey before 2.17 does not prevent use of the cloneNode method for cloning a protected node, which allows remote attackers to bypass the Same Origin Policy or possibly execute arbitrary JavaScript code with chrome privileges via a crafted web site. https://bugzilla.mozilla.org/show_bug.cgi?id=825697 USN-1791-1 http://www.mozilla.org/security/announce/2013/mfsa2013-36.html DSA-2699 RHSA-2013:0697 RHSA-2013:0696 SUSE-SU-2013:0850 SUSE-SU-2013:0645 openSUSE-SU-2013:0631 openSUSE-SU-2013:0630 The WebGL subsystem in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, and SeaMonkey before 2.17 on Linux does not properly interact with Mesa drivers, which allows remote attackers to execute arbitrary code or cause a denial of service (free of unallocated memory) via unspecified vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=838413 https://bugzilla.mozilla.org/show_bug.cgi?id=827106 USN-1791-1 http://www.mozilla.org/security/announce/2013/mfsa2013-35.html DSA-2699 RHSA-2013:0697 RHSA-2013:0696 SUSE-SU-2013:0850 SUSE-SU-2013:0645 openSUSE-SU-2013:0631 openSUSE-SU-2013:0630 Untrusted search path vulnerability in the Mozilla Updater in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, and SeaMonkey before 2.17 allows local users to gain privileges via a Trojan horse DLL file in an unspecified directory. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' https://bugzilla.mozilla.org/show_bug.cgi?id=830134 http://www.mozilla.org/security/announce/2013/mfsa2013-34.html SUSE-SU-2013:0850 SUSE-SU-2013:0645 Buffer overflow in the Mozilla Maintenance Service in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, and Thunderbird ESR 17.x before 17.0.5 on Windows allows local users to gain privileges via crafted arguments. https://bugzilla.mozilla.org/show_bug.cgi?id=848417 http://www.mozilla.org/security/announce/2013/mfsa2013-32.html SUSE-SU-2013:0850 SUSE-SU-2013:0645 Integer signedness error in the pixman_fill_sse2 function in pixman-sse2.c in Pixman, as distributed with Cairo and used in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, SeaMonkey before 2.17, and other products, allows remote attackers to execute arbitrary code via crafted values that trigger attempted use of a (1) negative box boundary or (2) negative box size, leading to an out-of-bounds write operation. https://bugzilla.mozilla.org/show_bug.cgi?id=825721 USN-1791-1 http://www.mozilla.org/security/announce/2013/mfsa2013-31.html DSA-2699 RHSA-2013:0697 RHSA-2013:0696 SUSE-SU-2013:0850 SUSE-SU-2013:0645 openSUSE-SU-2013:0631 openSUSE-SU-2013:0630 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=866544 https://bugzilla.mozilla.org/show_bug.cgi?id=864558 https://bugzilla.mozilla.org/show_bug.cgi?id=852315 https://bugzilla.mozilla.org/show_bug.cgi?id=849597 https://bugzilla.mozilla.org/show_bug.cgi?id=808402 https://bugzilla.mozilla.org/show_bug.cgi?id=787283 USN-1823-1 USN-1822-1 http://www.mozilla.org/security/announce/2013/mfsa2013-41.html DSA-2699 RHSA-2013:0821 RHSA-2013:0820 openSUSE-SU-2013:0834 openSUSE-SU-2013:0831 openSUSE-SU-2013:0825 Integer overflow in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel through 3.8.3, as used in Google Chrome OS before 25.0.1364.173 and other products, allows local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted application that triggers many relocation copies, and potentially leads to a race condition. [linux-kernel] 20130311 [PATCH] drm/i915: bounds check execbuffer relocations https://gerrit.chromium.org/gerrit/45118 https://code.google.com/p/chromium-os/issues/detail?id=39733 https://bugzilla.redhat.com/show_bug.cgi?id=920471 USN-1814-1 USN-1813-1 USN-1812-1 USN-1811-1 USN-1809-1 RHSA-2013:0744 [oss-security] 20130314 Re: CVE-2013-0913 Linux kernel i915 integer overflow [oss-security] 20130313 Re: CVE-2013-0913 Linux kernel i915 integer overflow [oss-security] 20130311 CVE-2013-0913 Linux kernel i915 integer overflow openSUSE-SU-2013:0847 http://googlechromereleases.blogspot.com/2013/03/stable-channel-update-for-chrome-os_15.html http://git.chromium.org/gitweb/?p=chromiumos/third_party/kernel.git;a=commit;h=c79efdf2b7f68f985922a8272d64269ecd490477 Open redirect vulnerability in the fwdToURL function in the ZCC login page in zcc-framework.jar in Novell ZENworks Configuration Management (ZCM) 11.2 before 11.2.3a Monthly Update 1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the directToPage parameter. http://www.novell.com/support/kb/doc.php?id=7012499 http://www.novell.com/support/kb/doc.php?id=7012025 Cross-site scripting (XSS) vulnerability in a ZCC page in zenworks-core in Novell ZENworks Configuration Management (ZCM) 11.2 before 11.2.3a Monthly Update 1 allows remote attackers to inject arbitrary web script or HTML via an invalid locale. http://www.novell.com/support/kb/doc.php?id=7012501 http://www.novell.com/support/kb/doc.php?id=7012025 Cross-site scripting (XSS) vulnerability in a ZCC page in njwc.jar in Novell ZENworks Configuration Management (ZCM) 11.2 before 11.2.3a Monthly Update 1 allows remote attackers to inject arbitrary web script or HTML via vectors involving an onError event. http://www.novell.com/support/kb/doc.php?id=7012500 http://www.novell.com/support/kb/doc.php?id=7012025 Cross-site scripting (XSS) vulnerability in a ZCC page in njwc.jar in Novell ZENworks Configuration Management (ZCM) 11.2 before 11.2.3a Monthly Update 1 allows remote attackers to inject arbitrary web script or HTML via vectors involving an onload event. http://www.novell.com/support/kb/doc.php?id=7012502 http://www.novell.com/support/kb/doc.php?id=7012025 Cisco ASA CX Context-Aware Security Software allows remote attackers to cause a denial of service (device reload) via crafted TCP packets that appear to have been forwarded by a Cisco Adaptive Security Appliances (ASA) device, aka Bug ID CSCue88386. 20130617 Cisco ASA CX TCP Traffic Denial of Service Vulnerability Buffer overflow in Microsoft Office 2003 SP3 and Office 2011 for Mac allows remote attackers to execute arbitrary code via crafted PNG data in an Office document, leading to improper memory allocation, aka "Office Buffer Overflow Vulnerability." MS13-051 The Print Spooler in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not properly manage memory during deletion of printer connections, which allows remote authenticated users to execute arbitrary code via a crafted request, aka "Print Spooler Vulnerability." MS13-050 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate subsequently withdrew it. Notes: none. Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows local users to affect confidentiality and integrity via unknown vectors related to 2D. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This issue cannot be exploited through sandboxed Java Web Start applications and sandboxed Java applets. Local access is required to leverage this issue.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Javadoc component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier, and JavaFX 2.2.21 and earlier allows remote attackers to affect integrity via unknown vectors related to Javadoc. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to the Javadoc tool and documentation generated by the tool. This vulnerability can be exploited only through Javadoc output hosted on a web server. This addresses CERT/CC VU#225657.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 does not prevent acquisition of chrome privileges during calls to content level constructors, which allows remote attackers to bypass certain read-only restrictions and conduct cross-site scripting (XSS) attacks via a crafted web site. https://bugzilla.mozilla.org/show_bug.cgi?id=853709 USN-1823-1 USN-1822-1 http://www.mozilla.org/security/announce/2013/mfsa2013-42.html DSA-2699 RHSA-2013:0821 RHSA-2013:0820 openSUSE-SU-2013:0834 openSUSE-SU-2013:0831 openSUSE-SU-2013:0825 Use-after-free vulnerability in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code via vectors involving an onresize event during the playing of a video. https://bugzilla.mozilla.org/show_bug.cgi?id=860971 USN-1823-1 USN-1822-1 http://www.mozilla.org/security/announce/2013/mfsa2013-46.html DSA-2699 RHSA-2013:0821 RHSA-2013:0820 openSUSE-SU-2013:0834 openSUSE-SU-2013:0831 openSUSE-SU-2013:0825 Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 do not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site. https://bugzilla.mozilla.org/show_bug.cgi?id=866825 USN-1823-1 USN-1822-1 http://www.mozilla.org/security/announce/2013/mfsa2013-47.html DSA-2699 RHSA-2013:0821 RHSA-2013:0820 openSUSE-SU-2013:0834 openSUSE-SU-2013:0831 openSUSE-SU-2013:0825 The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=818454 USN-1823-1 USN-1822-1 http://www.mozilla.org/security/announce/2013/mfsa2013-48.html DSA-2699 RHSA-2013:0821 RHSA-2013:0820 openSUSE-SU-2013:0834 openSUSE-SU-2013:0831 openSUSE-SU-2013:0825 The gfxSkipCharsIterator::SetOffsets function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=826163 USN-1823-1 USN-1822-1 http://www.mozilla.org/security/announce/2013/mfsa2013-48.html DSA-2699 RHSA-2013:0821 RHSA-2013:0820 openSUSE-SU-2013:0834 openSUSE-SU-2013:0831 openSUSE-SU-2013:0825 The _cairo_xlib_surface_add_glyph function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (invalid write operation) via unspecified vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=839745 USN-1823-1 USN-1822-1 http://www.mozilla.org/security/announce/2013/mfsa2013-48.html DSA-2699 RHSA-2013:0821 RHSA-2013:0820 openSUSE-SU-2013:0834 openSUSE-SU-2013:0831 openSUSE-SU-2013:0825 Use-after-free vulnerability in the mozilla::plugins::child::_geturlnotify function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=848237 USN-1823-1 USN-1822-1 http://www.mozilla.org/security/announce/2013/mfsa2013-48.html DSA-2699 RHSA-2013:0821 RHSA-2013:0820 openSUSE-SU-2013:0834 openSUSE-SU-2013:0831 openSUSE-SU-2013:0825 Use-after-free vulnerability in the nsFrameList::FirstChild function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=850931 USN-1823-1 USN-1822-1 http://www.mozilla.org/security/announce/2013/mfsa2013-48.html DSA-2699 RHSA-2013:0821 RHSA-2013:0820 openSUSE-SU-2013:0834 openSUSE-SU-2013:0831 openSUSE-SU-2013:0825 Use-after-free vulnerability in the nsContentUtils::RemoveScriptBlocker function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=851781 USN-1823-1 USN-1822-1 http://www.mozilla.org/security/announce/2013/mfsa2013-48.html DSA-2699 RHSA-2013:0821 RHSA-2013:0820 openSUSE-SU-2013:0834 openSUSE-SU-2013:0831 openSUSE-SU-2013:0825 Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. https://github.com/torvalds/linux/commit/5f00110f7273f9ff04ac69a5f85bb535a4fd0987 https://bugzilla.redhat.com/show_bug.cgi?id=915592 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5f00110f7273f9ff04ac69a5f85bb535a4fd0987 USN-1798-1 USN-1797-1 USN-1796-1 USN-1795-1 USN-1794-1 USN-1793-1 USN-1792-1 USN-1788-1 USN-1787-1 [oss-security] 20130225 Re: kernel: tmpfs use-after-free http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.7.10 RHSA-2013:0882 RHSA-2013:0744 openSUSE-SU-2013:0847 The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. Per https://access.redhat.com/security/cve/CVE-2013-1774 "This issue affects the version of Linux kernel as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2 may address this issue." https://github.com/torvalds/linux/commit/1ee0a224bc9aad1de496c795f96bc6ba2c394811 https://bugzilla.redhat.com/show_bug.cgi?id=916191 USN-1808-1 USN-1805-1 [oss-security] 20130227 Re: CVE request: Linux kernel: USB: io_ti: NULL pointer dereference http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.7.4 RHSA-2013:0744 openSUSE-SU-2013:0847 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1ee0a224bc9aad1de496c795f96bc6ba2c394811 The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application. https://github.com/torvalds/linux/commit/c300aa64ddf57d9c5d9c898a64b36877345dd4a9 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c300aa64ddf57d9c5d9c898a64b36877345dd4a9 https://bugzilla.redhat.com/show_bug.cgi?id=917012 USN-1813-1 USN-1812-1 USN-1809-1 USN-1808-1 USN-1805-1 [oss-security] 20130320 linux kernel: kvm: CVE-2013-179[6..8] RHSA-2013:0746 RHSA-2013:0744 RHSA-2013:0727 openSUSE-SU-2013:0847 Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. https://github.com/torvalds/linux/commit/0b79459b482e85cb7426aa7da683a9f2c97aeae1 https://bugzilla.redhat.com/show_bug.cgi?id=917013 USN-1813-1 USN-1812-1 USN-1809-1 [oss-security] 20130320 linux kernel: kvm: CVE-2013-179[6..8] RHSA-2013:0746 RHSA-2013:0744 RHSA-2013:0727 openSUSE-SU-2013:0847 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0b79459b482e85cb7426aa7da683a9f2c97aeae1 The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application. https://github.com/torvalds/linux/commit/a2c118bfab8bc6b8bb213abfc35201e441693d55 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a2c118bfab8bc6b8bb213abfc35201e441693d55 https://bugzilla.redhat.com/show_bug.cgi?id=917017 USN-1813-1 USN-1812-1 USN-1809-1 [oss-security] 20130320 linux kernel: kvm: CVE-2013-179[6..8] RHSA-2013:0746 RHSA-2013:0744 RHSA-2013:0727 openSUSE-SU-2013:0847 The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 uses the same class loader for applets with the same codebase path but from different domains, which allows remote attackers to obtain sensitive information or possibly alter other applets via a crafted applet. Per http://www.ubuntu.com/usn/USN-1804-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10 Ubuntu 10.04 LTS" Per http://lists.opensuse.org/opensuse-updates/2013-04/msg00106.html "Affected Products: openSUSE 12.2" https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0123 https://bugzilla.redhat.com/show_bug.cgi?id=916774 icedtea-cve20131940-security-bypass(83642) USN-1804-1 59281 MDVSA-2013:146 53117 53109 RHSA-2013:0753 92543 [distro-pkg-dev] 20130417 IcedTea-Web 1.3.2 and 1.2.3 released! openSUSE-SU-2013:0826 openSUSE-SU-2013:0735 openSUSE-SU-2013:0715 SUSE-SU-2013:0851 http://icedtea.classpath.org/hg/release/icedtea-web-1.3/rev/25dd7c7ac39c http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/34b6f60ae586 http://icedtea.classpath.org/hg/release/icedtea-web-1.2/file/icedtea-web-1.2.3/NEWS The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 allows remote attackers to execute arbitrary code via a crafted file that validates as both a GIF and a Java JAR file, aka "GIFAR." Per http://www.ubuntu.com/usn/USN-1804-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10 Ubuntu 10.04 LTS" Per http://lists.opensuse.org/opensuse-updates/2013-04/msg00106.html "Affected Products: openSUSE 12.2" https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0123 https://bugzilla.redhat.com/show_bug.cgi?id=884705 icedtea-cve20131927-sec-bypass(83640) USN-1804-1 59286 MDVSA-2013:146 53117 53109 RHSA-2013:0753 92544 [distro-pkg-dev] 20130417 IcedTea-Web 1.3.2 and 1.2.3 released! openSUSE-SU-2013:0826 openSUSE-SU-2013:0735 openSUSE-SU-2013:0715 SUSE-SU-2013:0851 http://icedtea.classpath.org/hg/release/icedtea-web-1.3/rev/19f5282f53e8 http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/cb58b31c450e http://icedtea.classpath.org/hg/release/icedtea-web-1.2/file/icedtea-web-1.2.3/NEWS The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel before 3.6.5 on unspecified architectures lacks a certain error check, which might allow local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device. Per https://access.redhat.com/security/cve/CVE-2013-1928 "This issue affects the version of Linux kernel as shipped with Red Hat Enterprise Linux 6. Future kernel updates for Red Hat Enterprise Linux 6 may address this issue." https://github.com/torvalds/linux/commit/12176503366885edd542389eed3aaf94be163fdb https://bugzilla.redhat.com/show_bug.cgi?id=949567 USN-1829-1 [oss-security] 20130409 Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE [oss-security] 20130405 Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.6.5 SUSE-SU-2013:0856 openSUSE-SU-2013:0847 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=12176503366885edd542389eed3aaf94be163fdb Multiple integer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XQueryFont, (2) _XF86BigfontQueryFont, (3) XListFontsWithInfo, (4) XGetMotionEvents, (5) XListHosts, (6) XGetModifierMapping, (7) XGetPointerMapping, (8) XGetKeyboardMapping, (9) XGetWindowProperty, (10) XGetImage, (11) LoadColornameDB, (12) XrmGetFileDatabase, (13) _XimParseStringFile, or (14) TransFileName functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XcupGetReservedColormapEntries, (2) XcupStoreColors, (3) XdbeGetVisualInfo, (4) XeviGetVisualInfo, (5) XShapeGetRectangles, and (6) XSyncListSystemCounters functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Integer overflow in X.org libXfixes 5.0 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XFixesGetCursorImage function. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple integer overflows in X.org libXi 1.7.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XGetDeviceControl, (2) XGetFeedbackControl, (3) XGetDeviceDontPropagateList, (4) XGetDeviceMotionEvents, (5) XIGetProperty, (6) XIGetSelectedEvents, (7) XGetDeviceProperties, and (8) XListInputDevices functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Integer overflow in X.org libXinerama 1.1.2 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XineramaQueryScreens function. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple integer overflows in X.org libXrandr 1.4.0 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XRRQueryOutputProperty and (2) XRRQueryProviderProperty functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple integer overflows in X.org libXrender 0.9.7 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XRender QueryFilters, (2) XRenderQueryFormats, and (3) XRenderQueryPictIndexValues functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple integer overflows in X.org libXRes 1.0.6 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XResQueryClients and (2) XResQueryClientResources functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple integer overflows in X.org libXv 1.0.7 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XvQueryPortAttributes, (2) XvListImageFormats, and (3) XvCreateImage function. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple integer overflows in X.org libXvMC 1.0.7 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XvMCListSurfaceTypes and (2) XvMCListSubpictureTypes functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple integer overflows in X.org libXxf86dga 1.1.3 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XDGAQueryModes and (2) XDGASetMode functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple integer overflows in X.org libdmx 1.1.2 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) DMXGetScreenAttributes, (2) DMXGetWindowAttributes, and (3) DMXGetInputAttributes functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple integer overflows in X.org libGLX in Mesa 9.1.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XF86DRIOpenConnection and (2) XF86DRIGetClientDriverName functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple integer overflows in X.org libchromeXvMC and libchromeXvMCPro in openChrome 0.3.2 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) uniDRIOpenConnection and (2) uniDRIGetClientDriverName functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries X.org libXi 1.7.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to an unexpected sign extension in the XListInputDevices function. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries X.org libFS 1.0.4 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to an unexpected sign extension in the FSOpenServer function. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple buffer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XAllocColorCells, (2) _XkbReadGetDeviceInfoReply, (3) _XkbReadGeomShapes, (4) _XkbReadGetGeometryReply, (5) _XkbReadKeySyms, (6) _XkbReadKeyActions, (7) _XkbReadKeyBehaviors, (8) _XkbReadModifierMap, (9) _XkbReadExplicitComponents, (10) _XkbReadVirtualModMap, (11) _XkbReadGetNamesReply, (12) _XkbReadGetMapReply, (13) _XimXGetReadData, (14) XListFonts, (15) XListExtensions, and (16) XGetFontPath functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple buffer overflows in X.org libXi 1.7.1 and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XGetDeviceButtonMapping, (2) XIPassiveGrabDevice, and (3) XQueryDeviceState functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Buffer overflow in X.org libXvMC 1.0.7 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the XvMCGetDRInfo function. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Multiple buffer overflows in X.org libXxf86dga 1.1.3 and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XDGAQueryModes and (2) XDGASetMode functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Buffer overflow in X.org libXxf86vm 1.1.2 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the XF86VidModeGetGammaRamp function. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Buffer overflow in X.org libXt 1.1.3 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the _XtResourceConfigurationEH function. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Integer overflow in X.org libXcursor 1.1.13 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the _XcursorFileHeaderCreate function. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries The (1) GetDatabase and (2) _XimParseStringFile functions in X.org libX11 1.5.99.901 (1.6 RC1) and earlier do not restrict the recursion depth when processing directives to include files, which allows X servers to cause a denial of service (stack consumption) via a crafted file. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries X.org libXt 1.1.3 and earlier does not check the return value of the XGetWindowProperty function, which allows X servers to trigger use of an uninitialized pointer and memory corruption via vectors related to the (1) ReqCleanup, (2) HandleSelectionEvents, (3) ReqTimedOut, (4) HandleNormal, and (5) HandleSelectionReplies functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files. https://bugzilla.redhat.com/show_bug.cgi?id=956082 qemu-cve20132007-priv-esc(84047) 1028521 59675 [oss-security] 20130506 Xen Security Advisory 51 (CVE-2013-2007) - qemu guest agent (qga) insecure file permissions 53325 RHSA-2013:0896 RHSA-2013:0791 93032 http://git.qemu.org/?p=qemu.git;a=commit;h=c689b4f1bac352dcfd6ecb9a1d45337de0f1de67 Multiple integer overflows in X.org libXp 1.0.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XpGetAttributes, (2) XpGetOneAttribute, (3) XpGetPrinterList, and (4) XpQueryScreens functions. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Integer overflow in X.org libXtst 1.2.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XRecordGetContext function. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Integer overflow in X.org libxcb 1.9 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the read_packet function. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries Buffer overflow in X.org libXv 1.0.7 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the XvQueryPortAttributes function. http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 [oss-security] 20130523 Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack. http://svn.apache.org/viewvc?view=revision&revision=1417891 http://svn.apache.org/viewvc?view=revision&revision=1408044 http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?r1=1408044&r2=1408043&pathrev=1408044 http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?r1=1417891&r2=1417890&pathrev=1417891 USN-1841-1 http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes. http://svn.apache.org/viewvc?view=revision&revision=1471372 http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AsyncContextImpl.java?r1=1471372&r2=1471371&pathrev=1471372 https://issues.apache.org/bugzilla/show_bug.cgi?id=54178 USN-1841-1 http://tomcat.apache.org/security-7.html The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call. http://twitter.com/djrbliss/statuses/334301992648331267 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8176cced706b5e5d15887584150764894e94e02f https://github.com/torvalds/linux/commit/8176cced706b5e5d15887584150764894e94e02f https://bugzilla.redhat.com/show_bug.cgi?id=962792 USN-1828-1 USN-1827-1 USN-1826-1 USN-1825-1 http://www.reddit.com/r/netsec/comments/1eb9iw [oss-security] 20130514 Re: CVE Request: linux kernel perf out-of-bounds access http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.9 RHSA-2013:0830 http://packetstormsecurity.com/files/121616/semtex.c http://news.ycombinator.com/item?id=5703758 [linux-kernel] 20130413 Re: sw_perf_event_destroy() oops while fuzzing [linux-kernel] 20130412 Re: sw_perf_event_destroy() oops while fuzzing [linux-kernel] 20130412 sw_perf_event_destroy() oops while fuzzing openSUSE-SU-2013:0847 SUSE-SU-2013:0819 [CentOS-announce] 20130517 CESA-2013:0830 Important CentOS 6 kernel Update [CentOS-announce] 20130515 CentOS-6 CVE-2013-2094 Kernel Issue Cross-site scripting (XSS) vulnerability in the management screen in OpenPNE 3.4.x before 3.4.21.1, 3.6.x before 3.6.9.1, and 3.8.x before 3.8.5.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving the "mobile version color scheme." http://www.openpne.jp/archives/11096/ JVNDB-2013-000038 JVN#18501376 SoftBank Wi-Fi Spot Configuration Software, as used on SoftBank SHARP 3G handsets, SoftBank Panasonic 3G handsets, SoftBank NEC 3G handsets, SoftBank Samsung 3G handsets, SoftBank mobile Wi-Fi routers, SoftBank Android smartphones with the Wi-Fi application before 1.7.1, SoftBank Windows Mobile smartphones with the WISPrClient application before 1.3.1, SoftBank Disney Mobile Android smartphones with the Wi-Fi application before 1.7.1, and WILLCOM Android smartphones with the Wi-Fi application before 1.7.1, does not properly connect to access points, which allows remote attackers to obtain sensitive information by leveraging access to an 802.11 network. JVNDB-2013-000039 JVN#85371480 http://jvn.jp/en/jp/JVN85371480/995417/index.html http://jvn.jp/en/jp/JVN85371480/995319/index.html http://jvn.jp/en/jp/JVN85371480/397327/index.html HP Service Manager 7.11, 9.21, 9.30, and 9.31, and ServiceCenter 6.2.8, allows remote attackers to obtain sensitive information via unspecified vectors. HPSBMU02884 SSRT101207 Cross-site scripting (XSS) vulnerability in HP Service Manager 7.11, 9.21, 9.30, and 9.31, and ServiceCenter 6.2.8, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. HPSBMU02884 SSRT101208 Unspecified vulnerability on HP Integrated Lights-Out 3 (aka iLO3) cards with firmware before 1.57 and 4 (aka iLO4) cards with firmware before 1.22, when Single-Sign-On (SSO) is used, allows remote attackers to execute arbitrary code via unknown vectors. HPSBHF02885 SSRT101180 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-3744. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality and availability via unknown vectors related to Libraries. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Serviceability. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Deployment. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2466 and CVE-2013-2468. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2452 and CVE-2013-2455. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier, and JavaFX 2.2.21 and earlier allows remote attackers to affect availability via vectors related to AWT. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect availability via unknown vectors related to Hotspot. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality via vectors related to CORBA. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Networking. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Libraries. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect availability via unknown vectors related to Serialization. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Networking. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2443 and CVE-2013-2455. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect integrity via vectors related to JMX. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality and integrity via vectors related to JDBC. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2443 and CVE-2013-2452. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Serialization. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect integrity via vectors related to JMX. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, and CVE-2013-2473. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2463, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, and CVE-2013-2473. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2463, CVE-2013-2464, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, and CVE-2013-2473. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2442 and CVE-2013-2468. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 5.0 Update 45 and earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the Java installer. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to the Java installer only. This issue cannot be exploited through sandboxed Java Web Start applications and sandboxed Java applets. Local access is required to leverage this issue.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2442 and CVE-2013-2466. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, and CVE-2013-2473. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2471, CVE-2013-2472, and CVE-2013-2473. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2472, and CVE-2013-2473. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, and CVE-2013-2473. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, and CVE-2013-2472. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html The DNP3 driver in IOServer drivers 1.0.19.0 allows remote attackers to cause a denial of service (infinite loop) or obtain unspecified control via crafted data to TCP port 20000. http://ics-cert.us-cert.gov/advisories/ICSA-13-161-01 The PDF functionality in Google Chrome before 27.0.1453.110 allows remote attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via unknown vectors. https://code.google.com/p/chromium/issues/detail?id=239134 http://googlechromereleases.blogspot.com/2013/06/stable-channel-update.html The Flash plug-in in Google Chrome before 27.0.1453.116 does not properly determine whether a user wishes to permit camera or microphone access by a Flash application, which allows remote attackers to obtain sensitive information from a machine's physical environment via a clickjacking attack, as demonstrated by an attack using a crafted Cascading Style Sheets (CSS) opacity property. https://src.chromium.org/viewvc/chrome?revision=206188&view=revision https://code.google.com/p/chromium/issues/detail?id=249335 http://habrahabr.ru/post/182706/ http://googlechromereleases.blogspot.com/2013/06/stable-channel-update_18.html An unspecified buffer-read method in IBM Sterling Control Center (SCC) 5.2 before 5.2.0.9, 5.3 before 5.3.0.4, and 5.4 through 5.4.0.1 allows remote authenticated users to cause a denial of service via a large file that lacks end-of-line characters. sterling-cve20132968-dos(83859) http://www-01.ibm.com/support/docview.wss?uid=swg21640348 Cross-site scripting (XSS) vulnerability in IBM Sterling Control Center (SCC) 5.2 before 5.2.0.9, 5.3 before 5.3.0.4, and 5.4 through 5.4.0.1 allows remote authenticated users to inject arbitrary web script or HTML via vectors involving invalid characters. sterling-cve20132969-xss(83860) http://www-01.ibm.com/support/docview.wss?uid=swg21640348 Unspecified vulnerability in IBM QRadar Security Information and Event Manager (SIEM) 7.x before 7.1 MR2 Patch 1 allows remote authenticated users to execute operating-system commands via unknown vectors. VU#722868 qradar-siem-command-exec(83872) http://www-01.ibm.com/support/docview.wss?uid=swg21639309 Cross-site request forgery (CSRF) vulnerability in the Web Console in IBM Data Studio 3.1.0 and 3.1.1 allows remote attackers to hijack the authentication of arbitrary users for requests that access monitored database information. datastudio-cve20132980-csrf(84113) http://www-01.ibm.com/support/docview.wss?uid=swg21638733 Directory traversal vulnerability in the Web Console in IBM Data Studio 3.1.0 and 3.1.1 allows remote attackers to read arbitrary files via unspecified vectors. datastudio-cve20132981-dir-traversal(83973) http://www-01.ibm.com/support/docview.wss?uid=swg21638734 Buffer overflow in the Lotus Quickr for Domino ActiveX control in qp2.cab in IBM Lotus Quickr 8.1 before FP 8.1.0.32-001a, 8.2 before FP 8.2.0.28-001a, and 8.5.1 before FP 8.5.1.39-002a for Domino allows remote attackers to execute arbitrary code via a crafted web site. quickr-qp2-activex-bo(84381) http://www-01.ibm.com/support/docview.wss?uid=swg21639643 Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3141. MS13-047 Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3123. MS13-047 Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3113, CVE-2013-3121, CVE-2013-3139, and CVE-2013-3142. MS13-047 Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3112, CVE-2013-3121, CVE-2013-3139, and CVE-2013-3142. MS13-047 Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3119. MS13-047 Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." MS13-047 Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3122 and CVE-2013-3124. MS13-047 Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3120 and CVE-2013-3125. MS13-047 Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3114. MS13-047 Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3118 and CVE-2013-3125. MS13-047 Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3112, CVE-2013-3113, CVE-2013-3139, and CVE-2013-3142. MS13-047 Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3117 and CVE-2013-3124. MS13-047 Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3111. MS13-047 Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3117 and CVE-2013-3122. MS13-047 Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3118 and CVE-2013-3120. MS13-047 Microsoft Internet Explorer 9 and 10, when script debugging is enabled, does not properly handle objects in memory during the processing of script, which allows remote attackers to execute arbitrary code via a crafted web site, aka "Internet Explorer Script Debug Vulnerability." MS13-047 The kernel in Microsoft Windows XP SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 on 32-bit platforms does not properly handle unspecified page-fault system calls, which allows local users to obtain sensitive information from kernel memory via a crafted application, aka "Kernel Information Disclosure Vulnerability." MS13-048 Integer overflow in the TCP/IP kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT allows remote attackers to cause a denial of service (system hang) via crafted TCP packets, aka "TCP/IP Integer Overflow Vulnerability." MS13-049 Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3112, CVE-2013-3113, CVE-2013-3121, and CVE-2013-3142. MS13-047 Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3110. MS13-047 Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3112, CVE-2013-3113, CVE-2013-3121, and CVE-2013-3139. MS13-047 Adobe Flash Player before 10.3.183.90 and 11.x before 11.7.700.224 on Windows, before 10.3.183.90 and 11.x before 11.7.700.225 on Mac OS X, before 10.3.183.90 and 11.x before 11.2.202.291 on Linux, before 11.1.111.59 on Android 2.x and 3.x, and before 11.1.115.63 on Android 4.x; Adobe AIR before 3.7.0.2090 on Windows and Android and before 3.7.0.2100 on Mac OS X; and Adobe AIR SDK & Compiler before 3.7.0.2090 on Windows and before 3.7.0.2100 on Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. http://www.adobe.com/support/security/bulletins/apsb13-16.html Cross-site scripting (XSS) vulnerability in the portal page in Cisco Prime Central for Hosted Collaboration Solution allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCue23798. 20130613 Cisco Prime Central for Hosted Collaboration Solution Cross-Site Scripting Vulnerability Open redirect vulnerability in the help page in Cisco Video Surveillance Operations Manager allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL, aka Bug ID CSCty74490. 20130612 Cisco Video Surveillance Operations Manager Help Page Allows Loading Remote Sites The administrative web interface in the Access Control Server in Cisco Secure Access Control System (ACS) does not properly restrict the report view page, which allows remote authenticated users to obtain sensitive information via a direct request, aka Bug ID CSCue79279. 20130610 Cisco Access Control Server Privilege Escalation Vulnerability Cisco Hosted Collaboration Mediation allows remote attackers to cause a denial of service (CPU consumption) via a flood of malformed UDP packets on port 162, aka Bug ID CSCug85756. 20130610 Cisco Hosted Collaboration Mediation Excessive CPU Utilization Vulnerability VMware vCenter Chargeback Manager (aka CBM) before 2.5.1 does not proper handle uploads, which allows remote attackers to execute arbitrary code via unspecified vectors. http://www.vmware.com/security/advisories/VMSA-2013-0008.html epan/dissectors/packet-gtpv2.c in the GTPv2 dissector in Wireshark 1.8.x before 1.8.7 calls incorrect functions in certain contexts related to ciphers, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. http://anonsvn.wireshark.org/viewvc?view=revision&revision=48393 http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-gtpv2.c?r1=48393&r2=48392&pathrev=48393 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8493 http://www.wireshark.org/security/wnpa-sec-2013-24.html DSA-2700 The dissect_ber_choice function in epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.6.x before 1.6.15 and 1.8.x before 1.8.7 does not properly initialize a certain variable, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. http://anonsvn.wireshark.org/viewvc?view=revision&revision=48944 http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ber.c?r1=48944&r2=48943&pathrev=48944 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8599 http://www.wireshark.org/security/wnpa-sec-2013-25.html DSA-2700 The dissect_ccp_bsdcomp_opt function in epan/dissectors/packet-ppp.c in the PPP CCP dissector in Wireshark 1.8.x before 1.8.7 does not terminate a bit-field list, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8638 http://www.wireshark.org/security/wnpa-sec-2013-26.html DSA-2700 http://anonsvn.wireshark.org/viewvc?view=revision&revision=49214 http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ppp.c?r1=49214&r2=49213&pathrev=49214 epan/dissectors/packet-dcp-etsi.c in the DCP ETSI dissector in Wireshark 1.8.x before 1.8.7 uses incorrect integer data types, which allows remote attackers to cause a denial of service (integer overflow, and heap memory corruption or NULL pointer dereference, and application crash) via a malformed packet. http://anonsvn.wireshark.org/viewvc?view=revision&revision=48644 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8541 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8540 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8231 http://www.wireshark.org/security/wnpa-sec-2013-27.html DSA-2700 http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-dcp-etsi.c?r1=48644&r2=48643&pathrev=48644 The dissect_dsmcc_un_download function in epan/dissectors/packet-mpeg-dsmcc.c in the MPEG DSM-CC dissector in Wireshark 1.8.x before 1.8.7 uses an incorrect format string, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. http://anonsvn.wireshark.org/viewvc?view=revision&revision=48332 http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-mpeg-dsmcc.c?r1=48332&r2=48331&pathrev=48332 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8481 http://www.wireshark.org/security/wnpa-sec-2013-28.html DSA-2700 Multiple integer signedness errors in the tvb_unmasked function in epan/dissectors/packet-websocket.c in the Websocket dissector in Wireshark 1.8.x before 1.8.7 allow remote attackers to cause a denial of service (application crash) via a malformed packet. http://anonsvn.wireshark.org/viewvc?view=revision&revision=48419 http://anonsvn.wireshark.org/viewvc/trunk-1.8/epan/dissectors/packet-websocket.c?r1=48419&r2=48418&pathrev=48419 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8499 http://www.wireshark.org/security/wnpa-sec-2013-29.html DSA-2700 HP Insight Diagnostics 9.4.0.4710 allows remote attackers to conduct unspecified injection attacks via unknown vectors. VU#324668 Absolute path traversal vulnerability in hpdiags/frontend2/commands/saveCompareConfig.php in HP Insight Diagnostics 9.4.0.4710 allows remote attackers to write data to arbitrary files via a full pathname in the argument to the devicePath (aka mount) parameter. VU#324668 hpdiags/frontend2/help/pageview.php in HP Insight Diagnostics 9.4.0.4710 does not properly restrict PHP include or require statements, which allows remote attackers to include arbitrary hpdiags/frontend2/help/ .html files via the path parameter. VU#324668 ginkgosnmp.inc in HP System Management Homepage (SMH) allows remote authenticated users to execute arbitrary commands via shell metacharacters in the PATH_INFO to smhutil/snmpchp.php.en. VU#735364 The Angel Browser application 1.47b and earlier for Android 1.6 through 2.1, 1.62b and earlier for Android 2.2 through 2.3.4, 1.68b and earlier for Android 3.0 through 4.0.3, and 1.76b and earlier for Android 4.1 through 4.2 does not properly implement the WebView class, which allows attackers to obtain sensitive information via a crafted application. JVNDB-2013-000055 JVN#79301570 The Galapagos Browser application for Android does not properly implement the WebView class, which allows attackers to obtain sensitive information via a crafted application. JVNDB-2013-000056 JVN#99813183 Unspecified vulnerability in JustSystems Ichitaro 2006 through 2013; Ichitaro Pro through 2; Ichitaro Government 6, 7, and 2006 through 2010; Ichitaro Portable with oreplug; Ichitaro Viewer; and Ichitaro JUST School through 2010 allows remote attackers to execute arbitrary code via a crafted document. http://www.justsystems.com/jp/info/js13002.html JVNDB-2013-000058 JVN#98712361 Cross-site scripting (XSS) vulnerability in the Orchard.Comments module in Orchard before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://docs.orchardproject.net/Documentation/Patch-4-30-2013 JVNDB-2013-000057 JVN#53622030 The Cybozu Live application before 2.0.1 for Android allows remote attackers to execute arbitrary Java methods, and obtain sensitive information or execute arbitrary commands, via a crafted web site. NOTE: this vulnerability exists because of a CVE-2012-4008 regression. https://live.cybozu.co.jp/trouble.html?q=2530 JVNDB-2013-000059 JVN#63428218 The WebView class in the Cybozu Live application before 2.0.1 for Android allows attackers to execute arbitrary JavaScript code, and obtain sensitive information, via a crafted application that places this code into a local file associated with a file: URL. NOTE: this vulnerability exists because of a CVE-2012-4009 regression. https://live.cybozu.co.jp/trouble.html?q=2530 JVNDB-2013-000060 JVN#19740283 The process_frame_obj function in sanm.c in libavcodec in FFmpeg before 1.2.1 does not validate width and height values, which allows remote attackers to cause a denial of service (integer overflow, out-of-bounds array access, and application crash) via crafted LucasArts Smush video data. http://git.videolan.org/?p=ffmpeg.git;a=commit;h=9dd04f6d8cdd1c10c28b2cb4252c1a41df581915 http://git.videolan.org/?p=ffmpeg.git;a=commit;h=524d0d2cfc7bab1b348f85e7c0369859e63781cf http://ffmpeg.org/security.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 45 and earlier and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2400. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.' http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html Unspecified vulnerability in the client library in Siemens COMOS 9.2 before 9.2.0.6.10 and 10.0 before 10.0.3.0.4 allows local users to obtain unintended write access to the database by leveraging read access. http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-194865.pdf SQL injection vulnerability in the login screen in the Web Navigator in Siemens WinCC before 7.2 Update 1, as used in SIMATIC PCS7 8.0 SP1 and earlier and other products, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345843.pdf The login implementation in the Web Navigator in Siemens WinCC before 7.2 Update 1, as used in SIMATIC PCS7 8.0 SP1 and earlier and other products, has a hardcoded account, which makes it easier for remote attackers to obtain access via an unspecified request. http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345843.pdf The Web Navigator in Siemens WinCC before 7.2 Update 1, as used in SIMATIC PCS7 8.0 SP1 and earlier and other products, exhibits different behavior for NetBIOS user names depending on whether the user account exists, which allows remote authenticated users to enumerate account names via crafted URL parameters. http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345843.pdf Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS 7.0r2 through 7.0r8 and 7.1r1 through 7.1r5 and Junos Pulse Access Control Service (aka UAC) with UAC OS 4.1r1 through 4.1r5 include a test Certification Authority (CA) certificate in the Trusted Server CAs list, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging control over that test CA. http://kb.juniper.net/JSA10571 The vwr_read function in wiretap/vwr.c in the Ixia IxVeriWave file parser in Wireshark 1.8.x before 1.8.8 does not validate the relationship between a record length and a trailer length, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) via a crafted packet. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8760 http://www.wireshark.org/security/wnpa-sec-2013-40.html http://www.wireshark.org/docs/relnotes/wireshark-1.8.8.html http://anonsvn.wireshark.org/viewvc?view=revision&revision=49739 http://anonsvn.wireshark.org/viewvc/trunk/wiretap/vwr.c?r1=49739&r2=49738&pathrev=49739 Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View & Descriptive Stats page. http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call. http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact and remote attack vectors. http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving (1) the Online Designer page or (2) the Manage Survey Participants page. http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules. http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf The WifiPasswordController generateDefaultPassword method in Preferences in Apple iOS 6 and earlier relies on the UITextChecker suggestWordInLanguage method for selection of Wi-Fi hotspot WPA2 PSK passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack that leverages the insufficient number of possible passphrases. http://www1.cs.fau.de/hotspot http://www1.cs.fau.de/filepool/projects/hotspot/hotspot.pdf [owasp-mobile-security-project] 20130617 Cracking iOS personal hotspots using a Scrabble crossword game word list The 3G Mobile Hotspot feature on the HTC Droid Incredible has a default WPA2 PSK passphrase of 1234567890, which makes it easier for remote attackers to obtain access by leveraging a position within the WLAN coverage area. http://www1.cs.fau.de/filepool/projects/hotspot/hotspot.pdf http://support.verizonwireless.com/clc/devices/knowledge_base.html?id=35523