common/snapshots.py in Back In Time (aka backintime) 0.9.26 changes certain permissions to 0777 before deleting the files in an old backup snapshot, which allows local users to obtain sensitive information by reading these files, or interfere with backup integrity by modifying files that are shared across snapshots. http://ftp.debian.org/debian/pool/main/b/backintime/backintime_0.9.26-3.diff.gz http://bugs.gentoo.org/show_bug.cgi?id=289047 FEDORA-2009-9298 FEDORA-2009-9282 https://bugzilla.redhat.com/show_bug.cgi?id=520210 https://bugs.launchpad.net/ubuntu/+source/backintime/+bug/434256 [oss-security] 20091014 Re: CVE Request - backintime [oss-security] 20091014 CVE Request - backintime http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543785 Directory traversal vulnerability in www/index.php in Sahana 0.6.2.2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the mod parameter. https://bugzilla.redhat.com/show_bug.cgi?id=530255 [oss-security] 20091022 Re: CVE Request -- Sahana [oss-security] 20091022 CVE Request -- Sahana http://sahana.cvs.sourceforge.net/viewvc/sahana/sahana-phase2/www/index.php?r1=1.83&r2=1.84 https://fedorahosted.org/rel-eng/ticket/2635 36826 [sahana-maindev] 20091019 SEVERE Security Vulnerability in Sahana Identified and Patched SQL injection vulnerability in Moodle Course List 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. ADV-2009-3001 36787 http://drupal.org/node/610986 moodle-course-unspecified-sql-injection(53895) 37126 59100 Cross-site scripting (XSS) vulnerability in vCard 5.x before 5.x-1.4 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the addition of the theme_vcard function to a theme and the use of default content. ADV-2009-3002 http://drupal.org/node/610996 http://drupal.org/node/610420 http://drupal.org/node/610416 vcard-themevcard-xss(53903) 36789 37127 Cross-site scripting (XSS) vulnerability in Abuse 5.x before 5.x-2.1 and 6.x before 6.x-1.1-alpha1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 36791 http://drupal.org/node/611078 http://drupal.org/node/610900 http://drupal.org/node/610784 abuse-unspecified-xss(53898) 37129 The filefield_file_download function in FileField 6.x-3.1, a module for Drupal, does not properly check node-access permissions for Drupal core private files, which allows remote attackers to access unauthorized files via unspecified vectors. 36792 http://drupal.org/node/611128 http://drupal.org/node/609874 http://drupal.org/node/516104 http://drupal.org/files/issues/filefield-node-access-fix-516104-3.patch filefield-nodeaccess-security-bypass(53897) 37130 Unspecified vulnerability in Userpoints 6.x before 6.x-1.1, a module for Drupal, allows remote authenticated users with "View own userpoints" permissions to read the userpoint data of arbitrary users via unknown attack vectors. ADV-2009-2998 36786 http://drupal.org/node/610828 http://drupal.org/node/610818 userpoints-userpoint-information-disclosure(53896) 37123 59124 Cross-site scripting (XSS) vulnerability in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vector. 36790 http://drupal.org/node/611002 http://drupal.org/node/590098 simplenews-unspecified-xss(53905) 37128 Open redirect vulnerability in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. 36790 http://drupal.org/node/611002 http://drupal.org/node/590098 37128 Multiple cross-site request forgery (CSRF) vulnerabilities in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allow remote attackers to hijack the authentication of arbitrary users via unknown vectors. 36790 http://drupal.org/node/611002 http://drupal.org/node/590098 simplenews-unspecified-csrf(53906) 37128 Cross-site scripting (XSS) vulnerability in Organic Groups (OG) Vocabulary 5.x before 5.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the group title. ADV-2009-3000 36784 http://drupal.org/node/610948 http://drupal.org/node/605094 ogvocabulary-title-xss(53902) 37125 59129 files.php in Vivvo CMS 4.1.5.1 allows remote attackers to conduct directory traversal attacks and read arbitrary files via the file parameter with "logs/" in between two . (dot) characters, which is filtered into a "../" sequence. http://www.waraxe.us/advisory-75.html 36783 20091021 [waraxe-2009-SA#075] - Remote File Disclosure in Vivvo CMS 4.1.5.1 37117 SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows remote attackers to execute arbitrary SQL commands via the frmuser (aka Username) parameter. 36777 opendocman-user-sql-injection(53886) http://www.packetstormsecurity.org/0910-exploits/opendocman-sqlxss.txt 30750 59301 Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the last_message parameter to (1) add.php, (2) toBePublished.php, (3) index.php, and (4) admin.php; the PATH_INFO to the default URI to (5) category.php, (6) department.php, (7) profile.php, (8) rejects.php, (9) search.php, (10) toBePublished.php, (11) user.php, and (12) view_file.php; and (13) the caller parameter in a Modify User action to user.php. 36777 opendocman-multiple-xss(53887) http://www.packetstormsecurity.org/0910-exploits/opendocman-sqlxss.txt 30750 59312 59311 59310 59309 59308 59307 59306 59305 59304 59303 59302 Heap-based buffer overflow in FormMax (formerly AcroForm) evaluation 3.5 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted FormMax import (.aim) file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. formmax-aim-bo(53890) 36943 59079 SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows remote attackers to execute arbitrary SQL commands via the frmpass (aka Password) parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 30750 Amiro.CMS 5.4.0.0 and earlier allows remote attackers to obtain sensitive information via an invalid loginname ("%%%") to _admin/index.php, which reveals the installation path and other information in an error message. amiro-index-path-disclosure(53894) ADV-2009-2967 http://www.onsec.ru/vuln?id=12 37065 http://packetstormsecurity.org/0910-exploits/ONSEC-09-005.txt Multiple cross-site scripting (XSS) vulnerabilities in Amiro.CMS 5.4.0.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the status_message parameter to (1) /news, (2) /comment, (3) /forum, (4) /blog, and (5) /tags; the status_message parameter to (6) forum.php, (7) discussion.php, (8) guestbook.php, (9) blog.php, (10) news.php, (11) srv_updates.php, (12) srv_backups.php, (13) srv_twist_prevention.php, (14) srv_tags.php, (15) srv_tags_reindex.php, (16) google_sitemap.php, (17) sitemap_history.php, (18) srv_options.php, (19) locales.php and (20) plugins_wizard.php in _admin/; a crafted IMG BBcode tag in the message body of a (21) forum, (22) guestbook, or (23) comment; (24) the content of an avatar file, which is not properly handled by Internet Explorer; and (25) the loginname parameter (aka username) in _admin/index.php. amiro-loginname-xss(53893) amiro-statusmessage-xss(53892) ADV-2009-2967 http://www.onsec.ru/vuln?id=11 37065 http://packetstormsecurity.org/0910-exploits/ONSEC-09-004.txt Multiple SQL injection vulnerabilities in modules/forum/post.php in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via (1) the pid parameter, which is not properly handled by the store function in modules/forum/class/class.forumposts.php, or (2) the topic_id parameter. 37137 http://retrogod.altervista.org/9sg_runcms_store_sql.html gpg2.exe in Gpg4win 2.0.1, as used in KDE Kleopatra 2.0.11, allows remote attackers to cause a denial of service (application crash) via a long certificate signature. gpg4win-gpg2-dos(53908) 36781 http://www.packetstormsecurity.com/0910-exploits/gpg2kleo-dos.txt SQL injection vulnerability in feedback_js.php in DedeCMS 5.1 allows remote attackers to execute arbitrary SQL commands via the arcurl parameter. 20091012 DEDECMS v5.1 Sql Injection Vulnerability Stack-based buffer overflow in MixVibes 7.043 Pro allows remote attackers to cause a denial of service (crash) via a long string in a .vib file. mixvibes-vib-bo(51715) 9147 MixSense DJ Studio 1.0.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string in an .mp3 playlist file. djstudio-mp3-dos(51814) 9178 Acoustica MP3 Audio Mixer 1.0 and possibly 2.471 allows remote attackers to cause a denial of service (crash) via a long string in a .sgp playlist file. acoustica-m3u-bo(51868) ADV-2009-1958 9212 Heap-based buffer overflow in Acoustica MP3 Audio Mixer 2.471 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long string in a .M3U playlist file. acoustica-m3u-bo(51868) ADV-2009-1958 9213 35902 56033 Stack-based buffer overflow in Music Tag Editor 1.61 build 212 allows remote attackers to execute arbitrary code via an MP3 file with a long ID3 tag. NOTE: some of these details are obtained from third party information. musictageditor-mp3-bo(51724) 9167 35828 55861 http://liquidworm.blogspot.com/2009/07/music-tag-editor-161-build-212-remote.html Heap-based buffer overflow in OtsAV DJ trial version 1.85.64.0, Radio trial version 1.85.64.0, TV trial version 1.85.64.0, and Free version 1.77.001 allows remote attackers to execute arbitrary code via a long playlist in an Ots File List (.ofl) file. otsav-multiple-olf-bo(51628) ADV-2009-1861 9113 35738 http://packetstormsecurity.org/0907-exploits/otsav-overflow.txt 55747 Multiple SQL injection vulnerabilities in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via the (1) forum parameter to modules/forum/post.php and possibly (2) forum_id variable to modules/forum/class/class.permissions.php. 37137 http://retrogod.altervista.org/9sg_runcms_forum_sql.html Static code injection vulnerability in RunCMS 2M1 allows remote authenticated administrators to execute arbitrary PHP code via the "Filter/Banning" feature, as demonstrated by modifying modules/system/cache/bademails.php using the "Prohibited: Emails" action, and other unspecified filters. http://retrogod.altervista.org/9sg_runcms_forum_sql.html RunCMS 2M1, when running with certain error_reporting levels, allows remote attackers to obtain sensitive information via (1) the op[] parameter to modules/contact/index.php or (2) uid[] parameter to userinfo.php, which leaks the installation path in an error message when these parameters are used in a call to the preg_match function. http://retrogod.altervista.org/9sg_runcms_forum_sql.html Multiple cross-site scripting (XSS) vulnerabilities in Activities pages in the Mobile subsystem in IBM Lotus Connections 2.5.0.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www-01.ibm.com/support/docview.wss?uid=swg24024303 37106 PHP remote file inclusion vulnerability in doc/releasenote.php in the BookLibrary (com_booklibrary) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter, a different vector than CVE-2009-2637. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2009-2969 http://www.securityfocus.com/bid/36732/exploit 36732 Unspecified vulnerability in the session handling feature in freeCap CAPTCHA (sr_freecap) extension 1.2.0 and earlier for TYPO3 has unknown impact and attack vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-014/ 37094 Unspecified vulnerability in the Random Images (maag_randomimage) extension 1.6.4 and earlier for TYPO3 allows remote attackers to execute arbitrary shell commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-014/ 37095 SQL injection vulnerability in the Flagbit Filebase (fb_filebase) extension 0.1.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-014/ Cross-site scripting (XSS) vulnerability in the Apache Solr Search (solr) extension 1.0.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-014/ PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat (com_ajaxchat) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path] parameter to tests/ajcuser.php. ADV-2009-2968 36731 http://www.packetstormsecurity.org/0910-exploits/joomlaajaxchat-rfi.txt 37087 Directory traversal vulnerability in myhtml.php in Mobilelib GOLD 3.0, when magic_quotes_gpc is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the GLOBALS[page] parameter. mobilelib-myhtml-file-include(51713) 9144 Directory traversal vulnerability in include/processor.php in Greenwood PHP Content Manager 0.3.2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the content_path parameter. greenwood-processor-file-include(51737) 9156 Multiple directory traversal vulnerabilities in GenCMS 2006 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) p parameter to show.php and the (2) Template parameter to admin/pages/SiteNew.php. gencms-show-file-include(51653) 9103 The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, which allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. https://bugzilla.redhat.com/show_bug.cgi?id=530719 36804 proftpd-modtls-security-bypass(53936) MDVSA-2009:288 37131 [oss-security] 20091023 Re: proftpd - mod_tls - Improper SSL/TLS certificate subjectAltName verification [oss-security] 20091023 proftpd - mod_tls - Improper SSL/TLS certificate subjectAltName verification http://bugs.proftpd.org/show_bug.cgi?id=3275 Snort before 2.8.5.1, when the -v option is enabled, allows remote attackers to cause a denial of service (application crash) via a crafted IPv6 packet that uses the (1) TCP or (2) ICMP protocol. 36795 http://vrt-sourcefire.blogspot.com/2009/10/snort-2851-release.html 20091022 Snort <= 2.8.5 IPV6 Remote DoS https://bugzilla.redhat.com/show_bug.cgi?id=530863 snort-ipv6-dos(53912) ADV-2009-3014 59159 [oss-security] 20091025 SANS: Security Thought LeadersRe: CVE Request -- Snort - 2.8.5.1 1023076 37135 [oss-security] 20091025 CVE Request -- Snort - 2.8.5.1 http://dl.snort.org/snort-current/release_notes_2851.txt Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4 allows remote attackers to cause a denial of service (application hang or loss of blocking functionality) via a long URL with many / (slash) characters, related to "emergency mode." ADV-2009-3013 http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20091015 36800 squidguard-sglog-security-bypass(53921) 20091026 squidGuard 1.3 & 1.4 : buffer overflow 59163 1023079 37107 Multiple buffer overflows in squidGuard 1.4 allow remote attackers to bypass intended URL blocking via a long URL, related to (1) the relationship between a certain buffer size in squidGuard and a certain buffer size in Squid and (2) a redirect URL that contains information about the originally requested URL. ADV-2009-3013 36800 squidguard-url-security-bypass(53922) http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20091019 20091026 squidGuard 1.3 & 1.4 : buffer overflow 59164 1023079 37107 Array index error in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 allows remote attackers to execute arbitrary code via a long string that triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number. http://www.mozilla.org/security/announce/2009/mfsa2009-59.html https://bugzilla.mozilla.org/show_bug.cgi?id=516862 https://bugzilla.mozilla.org/show_bug.cgi?id=516396 http://secunia.com/secunia_research/2009-35/ Mozilla Firefox before 3.0.15, and 3.5.x before 3.5.4, allows remote attackers to read form history by forging mouse and keyboard events that leverage the auto-fill feature to populate form fields, in an attacker-readable form, with history entries. http://www.mozilla.org/security/announce/2009/mfsa2009-52.html https://bugzilla.mozilla.org/show_bug.cgi?id=511615 Use-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by creating JavaScript web-workers recursively. http://www.mozilla.org/security/announce/2009/mfsa2009-54.html https://bugzilla.mozilla.org/show_bug.cgi?id=514554 Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via a crafted regular expression in a Proxy Auto-configuration (PAC) file. http://www.mozilla.org/security/announce/2009/mfsa2009-55.html https://bugzilla.mozilla.org/show_bug.cgi?id=500644 Heap-based buffer overflow in the GIF image parser in Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via unspecified vectors. http://www.mozilla.org/security/announce/2009/mfsa2009-56.html https://bugzilla.mozilla.org/show_bug.cgi?id=511689 The XPCVariant::VariantDataToJS function in the XPCOM implementation in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 does not enforce intended restrictions on interaction between chrome privileged code and objects obtained from remote web sites, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via unspecified method calls, related to "doubly-wrapped objects." http://www.mozilla.org/security/announce/2009/mfsa2009-57.html https://bugzilla.mozilla.org/show_bug.cgi?id=505988 content/html/document/src/nsHTMLDocument.cpp in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 allows user-assisted remote attackers to bypass the Same Origin Policy and read an arbitrary content selection via the document.getSelection function. http://www.mozilla.org/security/announce/2009/mfsa2009-61.html https://bugzilla.mozilla.org/show_bug.cgi?id=503226 Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file. https://bugzilla.mozilla.org/show_bug.cgi?id=511521 http://www.mozilla.org/security/announce/2009/mfsa2009-62.html Multiple unspecified vulnerabilities in liboggz before cf5feeaab69b05e24, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=512327 http://www.mozilla.org/security/announce/2009/mfsa2009-63.html https://bugzilla.mozilla.org/show_bug.cgi?id=515376 The oggplay_data_handle_theora_frame function in media/liboggplay/src/liboggplay/oggplay_data.c in liboggplay, as used in Mozilla Firefox 3.5.x before 3.5.4, attempts to reuse an earlier frame data structure upon encountering a decoding error for the first frame, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a crafted .ogg video file. http://www.mozilla.org/security/announce/2009/mfsa2009-63.html https://bugzilla.mozilla.org/show_bug.cgi?id=500311 Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663. https://bugzilla.mozilla.org/show_bug.cgi?id=500254 http://www.mozilla.org/security/announce/2009/mfsa2009-63.html https://bugzilla.mozilla.org/show_bug.cgi?id=515889 https://bugzilla.mozilla.org/show_bug.cgi?id=507167 https://bugzilla.mozilla.org/show_bug.cgi?id=501279 https://bugzilla.mozilla.org/show_bug.cgi?id=499512 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. http://www.mozilla.org/security/announce/2009/mfsa2009-64.html https://bugzilla.mozilla.org/show_bug.cgi?id=522030 https://bugzilla.mozilla.org/show_bug.cgi?id=514776 https://bugzilla.mozilla.org/show_bug.cgi?id=509602 https://bugzilla.mozilla.org/show_bug.cgi?id=509244 https://bugzilla.mozilla.org/show_bug.cgi?id=508927 https://bugzilla.mozilla.org/show_bug.cgi?id=497013 https://bugzilla.mozilla.org/show_bug.cgi?id=489925 https://bugzilla.mozilla.org/show_bug.cgi?id=454872 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. http://www.mozilla.org/security/announce/2009/mfsa2009-64.html https://bugzilla.mozilla.org/show_bug.cgi?id=516709 https://bugzilla.mozilla.org/show_bug.cgi?id=513394 https://bugzilla.mozilla.org/show_bug.cgi?id=508057 https://bugzilla.mozilla.org/show_bug.cgi?id=503196 https://bugzilla.mozilla.org/show_bug.cgi?id=502168 layout/base/nsCSSFrameConstructor.cpp in the browser engine in Mozilla Firefox 3.0.x before 3.0.15 does not properly handle first-letter frames, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. http://www.mozilla.org/security/announce/2009/mfsa2009-64.html https://bugzilla.mozilla.org/show_bug.cgi?id=514960 Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=518675 https://bugzilla.mozilla.org/show_bug.cgi?id=510987 http://www.mozilla.org/security/announce/2009/mfsa2009-64.html Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match. ADV-2009-3023 http://perl5.git.perl.org/perl.git/commit/0abd0d78a73da1c4d13b1c700526b7e5d03b32d4 https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225 perl-utf8-expressions-dos(53939) 36812 59283 [oss-security] 20091023 CVE-2009-3626 assigment notification - Perl - perl-5.10.1 1023077 37144 http://rt.perl.org/rt3/Ticket/Attachment/617489/295383/ http://rt.perl.org/rt3/Public/Bug/Display.html?id=69973 The decode_entities function in util.c in HTML-Parser before 3.63 allows context-dependent attackers to cause a denial of service (infinite loop) via an incomplete SGML numeric character reference, which triggers generation of an invalid UTF-8 character. https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225 ADV-2009-3022 36807 [oss-security] 20091023 CVE-2009-3627 assignment notification - HTML-Parser-3.63 https://bugzilla.redhat.com/show_bug.cgi?id=530604 htmlparser-decodeentities-dos(53941) 37155 http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c Integer overflow in the kvm_dev_ioctl_get_supported_cpuid function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.31.4 allows local users to have an unspecified impact via a KVM_GET_SUPPORTED_CPUID request to the kvm_arch_dev_ioctl function. https://bugzilla.redhat.com/show_bug.cgi?id=530515 linux-kernel-supportedcpuid-code-execution(53934) 36803 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.32-rc4 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.31.4 [oss-security] 20091023 Re: CVE request: kvm: integer overflow in kvm_dev_ioctl_get_supported_cpuid() [oss-security] 20091023 CVE request: kvm: integer overflow in kvm_dev_ioctl_get_supported_cpuid() http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6a54435560efdab1a08f429a954df4d6c740bddf The update_cr8_intercept function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.32-rc1 does not properly handle the absence of an Advanced Programmable Interrupt Controller (APIC), which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via a call to the kvm_vcpu_ioctl function. kernel-updatecr8intercept-dos(53947) 36805 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.32-rc1 [oss-security] 20091024 Re: CVE request: kvm: update_cr8_intercept() NULL pointer dereference [oss-security] 20091023 CVE request: kvm: update_cr8_intercept() NULL pointer dereference http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=88c808fd42b53a7e01a2ac3253ef31fef74cb5af The web interface for Everfocus EDR1600 DVR allows remote attackers to bypass authentication and access live cams via certain vectors. everfocus-authentication-sec-bypass(53909) 20091022 Everfocus EDR1600 remote authentication bypass 59139 37108 20091022 Everfocus EDR1600 remote authentication bypass packet-paltalk.c in the Paltalk dissector in Wireshark 1.2.0 through 1.2.2, on SPARC and certain other platforms, allows remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace. http://www.wireshark.org/docs/relnotes/wireshark-1.2.3.html ADV-2009-3061 36846 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3689 wireshark-dissectpaltalk-dos(54016) http://www.wireshark.org/security/wnpa-sec-2009-07.html 37175 The DCERPC/NT dissector in Wireshark 0.10.10 through 1.0.9 and 1.2.0 through 1.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a file that records a malformed packet trace. NOTE: some of these details are obtained from third party information. http://www.wireshark.org/docs/relnotes/wireshark-1.2.3.html http://www.wireshark.org/docs/relnotes/wireshark-1.0.10.html wireshark-dcerpcnt-dos(54017) http://www.wireshark.org/security/wnpa-sec-2009-08.html http://www.wireshark.org/security/wnpa-sec-2009-07.html ADV-2009-3061 36846 37175 Off-by-one error in the dissect_negprot_response function in packet-smb.c in the SMB dissector in Wireshark 1.2.0 through 1.2.2 allows remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace. NOTE: some of these details are obtained from third party information. http://www.wireshark.org/docs/relnotes/wireshark-1.2.3.html ADV-2009-3061 36846 wireshark-negprotresponse-dos(54018) http://www.wireshark.org/security/wnpa-sec-2009-07.html 37175 The lookup_cb_cred function in fs/nfsd/nfs4callback.c in the nfsd4 subsystem in the Linux kernel before 2.6.31.2 attempts to access a credentials cache even when a client specifies the AUTH_NULL authentication flavor, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an NFSv4 mount request. https://bugzilla.redhat.com/show_bug.cgi?id=530269 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.32-rc1 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.31.2 [oss-security] 20091022 Re: CVE request: kernel: nfsd4: fix null dereference creating nfsv4 callback client [oss-security] 20091022 CVE request: kernel: nfsd4: fix null dereference creating nfsv4 callback client http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=886e3b7fe6054230c89ae078a09565ed183ecc73 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=80fc015bdfe1f5b870c1e1ee02d78e709523fee7 The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application. https://bugzilla.redhat.com/show_bug.cgi?id=531660 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.32-rc1 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.31.1 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.9 [oss-security] 20090929 Re: CVE request: kvm: check cpl before emulating debug register access [oss-security] 20090929 CVE request: kvm: check cpl before emulating debug register access http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0a79b009525b160081d75cef5dbf45817956acf2 Integer overflow in wiretap/erf.c in Wireshark before 1.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted erf file, related to an "unsigned integer wrap vulnerability." VU#676492 http://www.wireshark.org/docs/relnotes/wireshark-1.2.2.html http://anonsvn.wireshark.org/viewvc/trunk/wiretap/erf.c?view=markup&pathrev=29364 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3849 The download functionality in Team Services in Microsoft Office SharePoint Server 2007 12.0.0.4518 and 12.0.0.6219 allows remote attackers to read ASP.NET source code via pathnames in the SourceUrl and Source parameters to _layouts/download.aspx. sharepoint-download-info-disclosure(53955) 36817 20091026 SharePoint 2007 ASP.NET Source Code Disclosure 976829 Opera before 10.01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted domain name. opera-domain-names-code-execution(54020) ADV-2009-3073 36850 59357 http://www.opera.com/support/kb/view/938/ http://www.opera.com/docs/changelogs/windows/1001/ http://www.opera.com/docs/changelogs/unix/1001/ http://www.opera.com/docs/changelogs/mac/1001/ 37182 Opera before 10.01 on Windows does not prevent use of Web fonts in rendering the product's own user interface, which allows remote attackers to spoof the address field via a crafted web site. ADV-2009-3073 36850 opera-web-fonts-spoofing(54022) 59359 http://www.opera.com/support/kb/view/940/ http://www.opera.com/docs/changelogs/windows/1001/ 37182 VMware Workstation 6.5.x before 6.5.3 build 185404, VMware Player 2.5.x before 2.5.3 build 185404, VMware ACE 2.5.x before 2.5.3 build 185404, VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138, VMware Fusion 2.x before 2.0.6 build 196839, VMware ESXi 3.5 and 4.0, and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0, when Virtual-8086 mode is used, do not properly set the exception code upon a page fault (aka #PF) exception, which allows guest OS users to gain privileges on the guest OS by specifying a crafted value for the cs register. http://www.vmware.com/security/advisories/VMSA-2009-0015.html ADV-2009-3062 36841 20091027 Invalid #PF Exception Code in VMware can result in Guest Privilege Escalation 20091027 VMSA-2009-0015 VMware hosted products and ESX patches resolve two security issues 1023083 1023082 37172 [security-announce] 20091027 VMSA-2009-0015 VMware hosted products and ESX patches resolve two security issues Multiple integer overflows in Poppler 0.10.5 and earlier allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF file, related to (1) glib/poppler-page.cc; (2) ArthurOutputDev.cc, (3) CairoOutputDev.cc, (4) GfxState.cc, (5) JBIG2Stream.cc, (6) PSOutputDev.cc, and (7) SplashOutputDev.cc in poppler/; and (8) SplashBitmap.cc, (9) Splash.cc, and (10) SplashFTFont.cc in splash/. NOTE: this may overlap CVE-2009-0791. https://launchpad.net/ubuntu/+archive/primary/+files/poppler_0.8.7-1ubuntu0.4.diff.gz https://launchpad.net/ubuntu/+archive/primary/+files/poppler_0.10.5-1ubuntu2.4.diff.gz https://bugzilla.redhat.com/show_bug.cgi?id=491840 https://bugs.launchpad.net/bugs/cve/2009-3605 USN-850-1 37114 http://cgit.freedesktop.org/poppler/poppler/commit/?id=9cf2325fb22f812b31858e519411f57747d39bd8 http://cgit.freedesktop.org/poppler/poppler/commit/?id=7b2d314a61fd0e12f47c62996cb49ec0d1ba747a http://cgit.freedesktop.org/poppler/poppler/commit/?id=284a92899602daa4a7f429e61849e794569310b5 The get_instantiation_keyring function in security/keys/keyctl.c in the KEYS subsystem in the Linux kernel before 2.6.32-rc5 does not properly maintain the reference count of a keyring, which allows local users to gain privileges or cause a denial of service (OOPS) via vectors involving calls to this function without specifying a keyring by ID, as demonstrated by a series of keyctl request2 and keyctl list commands. http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.32-rc5 http://twitter.com/spendergrsec/statuses/4916661870 37086 [oss-security] 20091022 Re: CVE request: kernel: get_instantiation_keyring() should inc the keyring refcount in all cases [oss-security] 20091022 CVE request: kernel: get_instantiation_keyring() should inc the keyring refcount in all cases http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=21279cfa107af07ef985539ac0de2152b9cba5f5 The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to determine an encryption key via crafted input to a tt_content form element. 36801 typo3-ttcontent-info-disclosure(53917) ADV-2009-3009 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016 37122 [oss-security] 20091023 Re: CVE id request: typo3 Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. typo3-backend-xss(53918) ADV-2009-3009 36801 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/ 37122 [oss-security] 20091023 Re: CVE id request: typo3 [oss-security] 20091023 Re: CVE id request: typo3 The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters, related to a "frame hijacking" issue. ADV-2009-3009 36801 typo3-url-hijacking(53920) http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/ 37122 [oss-security] 20091023 Re: CVE id request: typo3 The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename. ADV-2009-3009 36801 typo3-uploads-command-execution(53923) http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/ 37122 [oss-security] 20091023 Re: CVE id request: typo3 SQL injection vulnerability in the traditional frontend editing feature in the Frontend Editing subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to execute arbitrary SQL commands via unspecified parameters. typo3-editing-sql-injection(53924) ADV-2009-3009 36801 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/ 37122 [oss-security] 20091023 Re: CVE id request: typo3 Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the sanitizing algorithm. ADV-2009-3009 36801 typo3-t3libdivquotejsvalue-xss(53925) http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/ 37122 [oss-security] 20091023 Re: CVE id request: typo3 [oss-security] 20091023 Re: CVE id request: typo3 Cross-site scripting (XSS) vulnerability in the Frontend Login Box (aka felogin) subcomponent in TYPO3 4.2.0 through 4.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. typo3-login-xss(53926) ADV-2009-3009 36801 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/ 37122 [oss-security] 20091023 Re: CVE id request: typo3 [oss-security] 20091023 Re: CVE id request: typo3 The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential. 36801 typo3-installtool-auth-bypass(53928) ADV-2009-3009 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/ 37122 [oss-security] 20091023 Re: CVE id request: typo3 Cross-site scripting (XSS) vulnerability in the Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. ADV-2009-3009 36801 typo3-installtool-xss(53929) http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/ 37122 [oss-security] 20091023 Re: CVE id request: typo3 [oss-security] 20091023 Re: CVE id request: typo3 Directory traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5 allows remote attackers to read arbitrary files via unspecified vectors. ADV-2009-3062 http://www.vmware.com/security/advisories/VMSA-2009-0015.html 36842 20091027 VMSA-2009-0015 VMware hosted products and ESX patches resolve two security issues 1023089 1023088 37186 [security-announce] 20091027 VMSA-2009-0015 VMware hosted products and ESX patches resolve two security issues Cross-site scripting (XSS) vulnerability in index.php in TFTgallery 0.13 allows remote attackers to inject arbitrary web script or HTML via the album parameter. 37156 http://packetstormsecurity.org/0910-exploits/tftgallery-xss.txt SQL injection vulnerability in the Photoblog (com_photoblog) component alpha 3 and alpha 3a for Joomla! allows remote attackers to execute arbitrary SQL commands via the category parameter in a blogs action to index.php. photoblog-index-sql-injection(53943) 36809 http://packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt SQL injection vulnerability in the JShop (com_jshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a product action to index.php. jshop-pid-sql-injection(53944) 36808 http://www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt ArubaOS 3.3.1.x, 3.3.2.x, RN 3.1.x, 3.4.x, and 3.3.2.x-FIPS on the Aruba Mobility Controller allows remote attackers to cause a denial of service (Access Point crash) via a malformed 802.11 Association Request management frame. ADV-2009-3051 36832 http://www.arubanetworks.com/support/alerts/aid-102609.asc 37085 Stack-based buffer overflow in Eureka Email 2.2q allows remote POP3 servers to execute arbitrary code via a long error message. eurekaemail-pop3-bo(53940) ADV-2009-3025 20091022 {PRL} Eureka Mail client BoF http://www.packetstormsecurity.org/0910-exploits/eurekamc-dos.txt 37132 59262 Stack-based buffer overflow in Pegasus Mail (PMail) 4.41 and possibly 4.51 allows remote POP3 servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long error message. pegasus-pop3-bo(53933) http://www.vupen.com/exploits/Pegasus_Mail_POP3_Message_Handling_Remote_Buffer_Overflow_Exploit_3026233.php ADV-2009-3026 1023075 36797 20091022 {PRL} Pegasus Mail client BoF http://www.packetstormsecurity.org/0910-exploits/pegasusmc-dos.txt 37134 59261 Unspecified vulnerability in the Solaris Trusted Extensions Policy configuration in Sun Solaris 10, and OpenSolaris snv_37 through snv_125, might allow remote attackers to execute arbitrary code by leveraging access to the X server. 270969 ADV-2009-3070 36840 37184 Stack-based buffer overflow in the BrowseAndSaveFile method in the Altiris eXpress NS ConsoleUtilities ActiveX control 6.0.0.1846 in AeXNSConsoleUtilities.dll in Symantec Altiris Notification Server (NS) 6.0 before R12, Deployment Server 6.8 and 6.9 in Symantec Altiris Deployment Solution 6.9 SP3, and Symantec Management Platform (SMP) 7.0 before SP3 allows remote attackers to execute arbitrary code via a long string in the second argument. http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00 https://kb.altiris.com/article.asp?article=49568&p=1 https://kb.altiris.com/article.asp?article=49389&p=1 ADV-2009-3117 36698 20091102 NSOADV-2009-001: Symantec ConsoleUtilities ActiveX Control Buffer Overflow http://sotiriu.de/adv/NSOADV-2009-001.txt Mahara before 1.0.13, and 1.1.x before 1.1.7, allows remote authenticated institution administrators to reset a site administrator password via unspecified vectors. ADV-2009-3101 36893 http://eduforge.org/frs/shownotes.php?release_id=546 59584 DSA-1924 37218 37217 http://mahara.org/interaction/forum/topic.php?id=1169 http://eduforge.org/frs/shownotes.php?release_id=547 Cross-site scripting (XSS) vulnerability in the resume blocktype in Mahara before 1.0.13, and 1.1.x before 1.1.7, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. ADV-2009-3101 36892 http://eduforge.org/frs/shownotes.php?release_id=546 59583 DSA-1924 37218 37217 http://mahara.org/interaction/forum/topic.php?id=1170 http://eduforge.org/frs/shownotes.php?release_id=547 The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625. https://bugs.gentoo.org/show_bug.cgi?id=280615 [oss-security] 20091028 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430] [oss-security] 20091026 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430] [oss-security] 20091023 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430] [oss-security] 20091022 Re: Re: Regarding expat bug 1990430 [oss-security] 20091022 Re: Regarding expat bug 1990430 [oss-security] 20091022 Regarding expat bug 1990430 [oss-security] 20090906 Re: Re: expat bug 1990430 [oss-security] 20090827 Re: Re: expat bug 1990430 [oss-security] 20090826 Re: Re: expat bug 1990430 [oss-security] 20090826 Re: expat bug 1990430 [oss-security] 20090821 expat bug 1990430 MDVSA-2009:211 http://svn.python.org/view?view=rev&revision=74429 http://sourceforge.net/tracker/index.php?func=detail&aid=1990430&group_id=10127&atid=110127 [expat-bugs] 20090117 [ expat-Bugs-1990430 ] Parser crash with specially formatted UTF-8 sequences http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch Trusted Extensions in Sun Solaris 10 interferes with the operation of the xscreensaver-demo command for the XScreenSaver application, which makes it easier for physically proximate attackers to access an unattended workstation for which the intended screen locking did not occur, related to the "restart daemon." http://sunsolve.sun.com/search/document.do?assetkey=1-21-120094-28-1 270809 Unspecified vulnerability in the XML component in IBM Runtimes for Java Technology 5.0.0 before SR10 has unknown impact and attack vectors, related to the "updated version of XML4J 4.4.17." runtime-xml4j-unspecified(54069) ADV-2009-3106 36894 IZ63920 37210 Buffer overflow in the IBM Lotus Notes Intellisync ActiveX control in lnresobject.dll in BlackBerry Desktop Manager in Research In Motion (RIM) BlackBerry Desktop Software before 5.0.1 allows remote attackers to execute arbitrary code via a crafted web page. NOTE: some of these details are obtained from third party information. http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB19701 ADV-2009-3133 36903 Array index error in Adobe Shockwave Player before 11.5.2.602 allows remote attackers to execute arbitrary code via crafted Shockwave content on a web site. NOTE: some of these details are obtained from third party information. http://www.adobe.com/support/security/bulletins/apsb09-16.html shockwave-index-code-execution(54118) ADV-2009-3134 36905 1023123 Adobe Shockwave Player before 11.5.2.602 allows remote attackers to execute arbitrary code via crafted Shockwave content on a web site, related to an "invalid pointer vulnerability," a different issue than CVE-2009-3465. NOTE: some of these details are obtained from third party information. 36905 http://www.adobe.com/support/security/bulletins/apsb09-16.html shockwave-pointer-code-execution(54119) ADV-2009-3134 1023123 Adobe Shockwave Player before 11.5.2.602 allows remote attackers to execute arbitrary code via crafted Shockwave content on a web site, related to an "invalid pointer vulnerability," a different issue than CVE-2009-3464. NOTE: some of these details are obtained from third party information. shockwave-invalid-pointer-code-execution(54120) ADV-2009-3134 36905 http://www.adobe.com/support/security/bulletins/apsb09-16.html 1023123 Adobe Shockwave Player before 11.5.2.602 allows remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption, related to an "invalid string length vulnerability." NOTE: some of these details are obtained from third party information. http://www.adobe.com/support/security/bulletins/apsb09-16.html shockwave-string-code-execution(54121) ADV-2009-3134 36905 1023123 Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname. RHSA-2009:1550 RHSA-2009:1548 RHSA-2009:1541 RHSA-2009:1540 https://bugzilla.redhat.com/show_bug.cgi?id=530490 36901 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.32-rc6 [oss-security] 20091103 CVE-2009-3547 kernel: fs: pipe.c null pointer dereference [linux-kernel] 20091021 Re: [PATCH v4 1/1]: fs: pipe.c null pointer dereference + really sign off + unmangled diffs [linux-kernel] 20091014 fs/pipe.c null pointer dereference http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ad3960243e55320d74195fb85c975e0a8cc4466c Buffer overflow in the client acceptor daemon (CAD) scheduler in the client in IBM Tivoli Storage Manager (TSM) 5.3 before 5.3.6.7, 5.4 before 5.4.3, 5.5 before 5.5.2.2, and 6.1 before 6.1.0.2, and TSM Express 5.3.3.0 through 5.3.6.6, allows remote attackers to execute arbitrary code via unspecified vectors. http://www-01.ibm.com/support/docview.wss?uid=swg21405562 ADV-2009-3132 IC61036 Buffer overflow in the traditional client scheduler in the client in IBM Tivoli Storage Manager (TSM) 5.3 before 5.3.6.7 and 5.4 before 5.4.2 allows remote attackers to execute arbitrary code via unspecified vectors. http://www-01.ibm.com/support/docview.wss?uid=swg21405562 ADV-2009-3132 IC61058 Multiple unspecified vulnerabilities in the (1) UNIX and (2) Linux backup-archive clients, and the (3) OS/400 API client, in IBM Tivoli Storage Manager (TSM) 5.3 before 5.3.6.6, 5.4 before 5.4.2, and 5.5 before 5.5.1, when the MAILPROG option is enabled, allow attackers to read, modify, or delete arbitrary files via unknown vectors. http://www-01.ibm.com/support/docview.wss?uid=swg21405562 ADV-2009-3132 IC54489 Cross-site scripting (XSS) vulnerability in the default URI in news/ in Twilight CMS before 4.1 allows remote attackers to inject arbitrary web script or HTML via the calendar parameter. NOTE: some of these details are obtained from third party information. 37204 http://onsec.ru/vuln?id=10 Buffer overflow in Softonic International SciTE 1.72 allows user-assisted remote attackers to cause a denial of service (application crash) via a Ruby (.rb) file containing a long string, which triggers the crash when a scroll bar is used. scite-editor-file-dos(51674) 9133 Cross-site scripting (XSS) vulnerability in GejoSoft allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI in photos/tags. gejosoft-photostags-xss(51879) ADV-2009-1968 35921 http://packetstormsecurity.org/0907-exploits/gejosoft-xss.txt 56061 Buffer overflow in eEye Retina WiFi Scanner 1.0.8.68, as used in Retina Network Security Scanner 5.10.14, allows user-assisted remote attackers to cause a denial of service (application crash) or execute arbitrary code via a .rws file with a long RWS010 entry. AD20090710 retinawifiscanner-rws-bo(51625) ADV-2009-1862 1022534 35624 9114 35786 55744 Multiple insecure method vulnerabilities in Idefense Labs COMRaider allow remote attackers to create or overwrite arbitrary files via the (1) CreateFolder and (2) Copy methods. NOTE: this might only be a vulnerability in certain insecure configurations of Internet Explorer. 35725 20090717 COMRaider Idefense Labs CreateFolder() and Copy() Insecure Method (Hard Disk Filler Exploit) http://www.juniper.net/security/auto/vulnerabilities/vuln35725.html Stack-based buffer overflow in SafeNet SoftRemote 10.8.5 (Build 2) and 10.3.5 (Build 6), and possibly other versions before 10.8.9, allows local users to execute arbitrary code via a long string in a (1) TREENAME or (2) GROUPNAME Policy file (spd). ADV-2009-3108 http://www.senseofsecurity.com.au/advisories/SOS-09-008 1023117 20091030 SafeNet SoftRemote Local Buffer Overflow - Security Advisory - SOS-09-008 The NDSD process in Novell eDirectory 8.7.3 before 8.7.3.10 ftf2 and eDirectory 8.8 before 8.8.5 ftf1 does not properly handle certain LDAP search requests, which allows remote attackers to cause a denial of service (application hang) via a search request with a NULL BaseDN value. http://www.novell.com/support/viewContent.do?externalId=7004721 http://www.zerodayinitiative.com/advisories/ZDI-09-075/ ADV-2009-3120 36902 Buffer overflow in the gxmim1.dll ActiveX control in Novell Groupwise Client 7.0.3.1294 allows remote attackers to cause a denial of service (application crash) via a long argument to the SetFontFace method. 9683 The Java Update functionality in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22 and JDK and JRE 6 before Update 17, when a non-English version of Windows is used, does not retrieve available new JRE versions, which allows remote attackers to leverage vulnerabilities in older releases of this software, aka Bug Id 6869694. ADV-2009-3131 269868 36881 37231 http://java.sun.com/javase/6/webnotes/6u17.html The launch method in the Deployment Toolkit plugin in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 6 before Update 17 allows remote attackers to execute arbitrary commands via a crafted web page, aka Bug Id 6869752. ADV-2009-3131 36881 269869 37231 http://java.sun.com/javase/6/webnotes/6u17.html The Java Web Start Installer in Sun Java SE in JDK and JRE 6 before Update 17 does not properly use security model permissions when removing installer extensions, which allows remote attackers to execute arbitrary code by modifying a certain JNLP file to have a URL field that points to an unintended trusted application, aka Bug Id 6872824. http://zerodayinitiative.com/advisories/ZDI-09-077/ 269870 ADV-2009-3131 36881 37231 http://java.sun.com/javase/6/webnotes/6u17.html Stack-based buffer overflow in the HsbParser.getSoundBank function in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via a long file: URL in an argument, aka Bug Id 6854303. http://zerodayinitiative.com/advisories/ZDI-09-076/ 270474 ADV-2009-3131 36881 1023132 37231 http://java.sun.com/javase/6/webnotes/6u17.html Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 does not properly parse color profiles, which allows remote attackers to gain privileges via a crafted image file, aka Bug Id 6862970. 270474 ADV-2009-3131 36881 1023132 37231 http://java.sun.com/javase/6/webnotes/6u17.html Stack-based buffer overflow in the setDiffICM function in the Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via a crafted argument, aka Bug Id 6872357. http://zerodayinitiative.com/advisories/ZDI-09-078/ 270474 ADV-2009-3131 36881 1023132 37231 http://java.sun.com/javase/6/webnotes/6u17.html Heap-based buffer overflow in the setBytePixels function in the Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via crafted arguments, aka Bug Id 6872358. http://zerodayinitiative.com/advisories/ZDI-09-079/ 270474 ADV-2009-3131 36881 1023132 37231 http://java.sun.com/javase/6/webnotes/6u17.html Unspecified vulnerability in the JPEG JFIF Decoder in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to gain privileges via a crafted image file, aka Bug Id 6862969. 270474 ADV-2009-3131 36881 1023132 37231 http://java.sun.com/javase/6/webnotes/6u17.html The JPEG Image Writer in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to gain privileges via a crafted image file, related to a "quantization problem," aka Bug Id 6862968. 270474 ADV-2009-3131 36881 1023132 37231 http://java.sun.com/javase/6/webnotes/6u17.html Integer overflow in the JPEGImageReader implementation in the ImageI/O component in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via large subsample dimensions in a JPEG file that triggers a heap-based buffer overflow, aka Bug Id 6874643. http://zerodayinitiative.com/advisories/ZDI-09-080/ 270474 ADV-2009-3131 36881 1023132 37231 http://java.sun.com/javase/6/webnotes/6u17.html The MessageDigest.isEqual function in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based digital signatures, and possibly bypass authentication, via unspecified vectors related to "timing attack vulnerabilities," aka Bug Id 6863503. 270475 ADV-2009-3131 36881 37231 http://java.sun.com/javase/6/webnotes/6u17.html Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to cause a denial of service (memory consumption) via crafted DER encoded data, which is not properly decoded by the ASN.1 DER input stream parser, aka Bug Id 6864911. 270476 ADV-2009-3131 36881 37231 http://java.sun.com/javase/6/webnotes/6u17.html Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to cause a denial of service (memory consumption) via crafted HTTP headers, which are not properly parsed by the ASN.1 DER input stream parser, aka Bug Id 6864911. 270476 ADV-2009-3131 36881 37231 http://java.sun.com/javase/6/webnotes/6u17.html