SUSE Linux Enterprise 10 SP3 (SLE10-SP3) configures postfix to listen on all network interfaces, which might allow remote attackers to bypass intended access restrictions. SUSE-SR:2010:001 The URL validation functionality in Microsoft Internet Explorer 7 and 8 does not properly process input parameters, which allows remote attackers to execute arbitrary local programs via a crafted URL, aka "URL Validation Vulnerability." ie-url-code-execution(55773) MS10-002 ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain. VU#360341 https://www.isc.org/advisories/CVE-2010-0097 RHSA-2010:0062 https://bugzilla.redhat.com/show_bug.cgi?id=554851 bind-dnssecnsec-cache-poisoning(55753) ADV-2010-0176 USN-888-1 37865 61853 MDVSA-2010:021 1023474 38240 38219 38169 SUSE-SA:2010:008 FEDORA-2010-0868 FEDORA-2010-0861 Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-2530 and CVE-2009-2531. ie-deleted-obj-code-exec(55774) MS10-002 Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-3671, CVE-2009-3674, and CVE-2010-0246. MS10-002 ie-uninitialized-memory-code-exec(55775) Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-3671, CVE-2009-3674, and CVE-2010-0245. ie-deleted-object-code-exec(55776) MS10-002 Microsoft Internet Explorer 5.01 SP4, 6, and 6 SP1 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability." ie-uninitialized-obj-code-exec(55777) MS10-002 Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability." MS10-002 ie-object-memory-code-exec(55778) Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains (1) CNAME or (2) DNAME records, which do not have the intended validation before caching, aka Bug 20737. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4022. https://www.isc.org/advisories/CVE-2009-4022v6 RHSA-2010:0062 https://bugzilla.redhat.com/show_bug.cgi?id=557121 https://bugzilla.redhat.com/show_bug.cgi?id=554851 ADV-2010-0176 USN-888-1 MDVSA-2010:021 38240 38219 [oss-security] 20100120 Re: BIND CVE-2009-4022 fix incomplete [oss-security] 20100119 BIND CVE-2009-4022 fix incomplete SUSE-SA:2010:008 install.php in JCE-Tech PHP Calendars, downloaded 20100121, allows remote attackers to bypass intended access restrictions and modify application settings via a direct request. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. http://www.exploit-db.com/exploits/11082 http://packetstormsecurity.org/1001-exploits/phpcalendars-xss.txt SQL injection vulnerability in modules/arcade/index.php in PHP MySpace Gold Edition 8.0 and 8.10 allows remote attackers to execute arbitrary SQL commands via the gid parameter in a show_stats action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38245 ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick data accompanying a secure response without re-fetching from the original source, which allows remote attackers to have an unspecified impact via a crafted response, aka Bug 20819. NOTE: this vulnerability exists because of a regression during the fix for CVE-2009-4022. https://www.isc.org/advisories/CVE-2009-4022v6 The default configuration of the web server in IBM Lotus Domino Server, possibly 6.0 through 8.0, enables the HTTP TRACE method, which makes it easier for remote attackers to steal cookies and authentication credentials via a cross-site tracing (XST) attack, a related issue to CVE-2004-2763 and CVE-2005-3398. VU#867593 http://www.kb.cert.org/vuls/id/AAMN-5K42VT http://www.kb.cert.org/vuls/id/AAMN-5K42VN http://www-01.ibm.com/support/docview.wss?&uid=swg21201202 Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to execute arbitrary code via a file with invalid ASMRuleBook structures that trigger heap memory corruption. Specific affected release information can be found from RealNetworks at: http://service.real.com/realplayer/security/01192010_player/en/ http://www.zerodayinitiative.com/advisories/ZDI-10-005/ ADV-2010-0178 http://service.real.com/realplayer/security/01192010_player/en/ realplayer-asmrulebook-bo(55794) 37880 20100121 ZDI-10-005: RealNetworks RealPlayer ASMRulebook Remote Code Execution Vulnerability 1023489 38218 Heap-based buffer overflow in RealNetworks RealPlayer 10; RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741; RealPlayer 11 11.0.0 through 11.0.4; RealPlayer Enterprise; Mac RealPlayer 10, 10.1, and 11.0; Linux RealPlayer 10; and Helix Player 10.x allows remote attackers to execute arbitrary code via a GIF file with crafted chunk sizes that trigger improper memory allocation. Specific affected release information can be found from RealNetworks at: http://service.real.com/realplayer/security/01192010_player/en/ http://www.zerodayinitiative.com/advisories/ZDI-10-006/ ADV-2010-0178 http://service.real.com/realplayer/security/01192010_player/en/ 1023489 realplayer-gif-bo(55795) 37880 20100121 ZDI-10-006: RealNetworks RealPlayer GIF Handling Remote Code Execution Vulnerability 38218 61966 RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allow remote attackers to have an unspecified impact via a crafted media file that uses HTTP chunked transfer coding, related to an "overflow." Specific affected release information can be found from RealNetworks at: http://service.real.com/realplayer/security/01192010_player/en/ ADV-2010-0178 http://service.real.com/realplayer/security/01192010_player/en/ 1023489 realplayer-httpchunk-bo(55796) 37880 38218 61967 Heap-based buffer overflow in RealNetworks RealPlayer 10; RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741; RealPlayer 11 11.0.0 through 11.0.4; RealPlayer Enterprise; Mac RealPlayer 10, 10.1, and 11.0; Linux RealPlayer 10; and Helix Player 10.x allows remote attackers to execute arbitrary code via an SIPR codec field with a small length value that triggers incorrect memory allocation. Specific affected release information can be found from RealNetworks at: http://service.real.com/realplayer/security/01192010_player/en/ http://www.zerodayinitiative.com/advisories/ZDI-10-008/ ADV-2010-0178 http://service.real.com/realplayer/security/01192010_player/en/ 1023489 realplayer-sipr-bo(55797) 37880 20100121 ZDI-10-008: RealNetworks RealPlayer SIPR Codec Remote Code Execution Vulnerability 38218 Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to have an unspecified impact via a compressed GIF file. Specific affected release information can be found from RealNetworks at: http://service.real.com/realplayer/security/01192010_player/en/ ADV-2010-0178 http://service.real.com/realplayer/security/01192010_player/en/ 1023489 realplayer-gifimage-bo(55800) 37880 38218 61969 Stack-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows user-assisted remote attackers to execute arbitrary code via a malformed .RJS skin file that contains a web.xmb file with crafted length values. Specific affected release information can be found from RealNetworks at: http://service.real.com/realplayer/security/01192010_player/en/ http://www.zerodayinitiative.com/advisories/ZDI-10-010/ ADV-2010-0178 http://service.real.com/realplayer/security/01192010_player/en/ 1023489 realplayer-skin-bo(55799) 37880 20100121 ZDI-10-010: RealNetworks RealPlayer Skin Parsing Remote Code Execution Vulnerability 38218 RealNetworks RealPlayer 10; RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741; RealPlayer 11 11.0.x; RealPlayer SP 1.0.0 and 1.0.1; RealPlayer Enterprise; Mac RealPlayer 10, 10.1, 11.0, and 11.0.1; Linux RealPlayer 10, 11.0.0, and 11.0.1; and Helix Player 10.x, 11.0.0, and 11.0.1 allow remote attackers to have an unspecified impact via a crafted ASM RuleBook, related to an "array overflow." Specific affected release information can be found from RealNetworks at: http://service.real.com/realplayer/security/01192010_player/en/ ADV-2010-0178 http://service.real.com/realplayer/security/01192010_player/en/ 1023489 realplayer-rulebook-overflow(55802) 37880 38218 Buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to have an unspecified impact via a crafted RTSP SET_PARAMETER request. Specific affected release information can be found from RealNetworks at: http://service.real.com/realplayer/security/01192010_player/en/ ADV-2010-0178 http://service.real.com/realplayer/security/01192010_player/en/ 1023489 realplayer-rtsp-setparameter-bo(55801) 37880 38218 Heap-based buffer overflow in smlrender.dll in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10 and 11.0.0, and Helix Player 10.x and 11.0.0 allows remote attackers to execute arbitrary code via an SMIL file with crafted string lengths. Specific affected release information can be found from RealNetworks at: http://service.real.com/realplayer/security/01192010_player/en/ http://www.zerodayinitiative.com/advisories/ZDI-10-007/ ADV-2010-0178 http://service.real.com/realplayer/security/01192010_player/en/ 1023489 realnetworks-realplayer-smil-bo(55798) 37880 20100121 ZDI-10-007: RealNetworks RealPlayer SMIL getAtom Remote Code Execution Vulnerability 38218 Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, uses deprecated identity keys for certain directory authorities, which makes it easier for man-in-the-middle attackers to compromise the anonymity of traffic sources and destinations. 37901 38198 61977 [or-talk] 20100120 Re: Tor Project infrastructure updates in response to security breach [or-talk] 20100120 Tor 0.2.2.7-alpha is out [or-talk] 20100120 Tor Project infrastructure updates in response to security breach [or-announce] 20100121 Tor 0.2.1.22 is released (security fix) Tor 0.2.2.x before 0.2.2.7-alpha, when functioning as a directory mirror, does not prevent logging of the client IP address upon detection of erroneous client behavior, which might make it easier for local users to discover the identities of clients in opportunistic circumstances by reading log files. [or-talk] 20100120 Tor 0.2.2.7-alpha is out Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, when functioning as a bridge directory authority, allows remote attackers to obtain sensitive information about bridge identities and bridge descriptors via a dbg-stability.txt directory query. 37901 61865 38198 [or-talk] 20100120 Tor 0.2.2.7-alpha is out [or-announce] 20100121 Tor 0.2.1.22 is released (security fix) The default configuration of Sun Java System Application Server 7 and 7 2004Q2 enables the HTTP TRACE method, which makes it easier for remote attackers to steal cookies and authentication credentials via a cross-site tracing (XST) attack, a related issue to CVE-2004-2763 and CVE-2005-3398. Per: http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1 Contributing Factors This issue can occur in the following releases: * Sun Java System Application Server Standard Edition 7 and later updates * Sun Java System Application Server Standard Edition 7 2004Q2 and later updates * Sun Java System Application Server Platform Edition 7 and later updates 200942 Multiple heap-based buffer overflows in (1) webservd and (2) the admin server in Sun Java System Web Server 7.0 Update 7 allow remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via a long string in an "Authorization: Digest" HTTP header. jsws-digest-header-bo(55792) 37896 1023488 [dailydave] 20100120 Sun Web Server digest auth overflow http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-digest.html Format string vulnerability in the WebDAV implementation in webservd in Sun Java System Web Server 7.0 Update 6 allows remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in the encoding attribute of the XML declaration in a PROPFIND request. jsws-webdav-format-string(55812) 37910 http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70-webdav.html The admin server in Sun Java System Web Server 7.0 Update 6 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an HTTP request that lacks a method token. Per: http://cwe.mitre.org/data/slices/2000.html CWE-476 NULL Pointer Dereference http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70-admin.html Unspecified vulnerability in the Oracle OLAP component in Oracle Database Server 10.1.0.4 (10g) allows remote authenticated attackers to affect availability via unknown vectors, aka DB02. http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html stap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request. http://sourceware.org/systemtap/ftp/releases/systemtap-1.1.tar.gz FEDORA-2010-0688 https://bugzilla.redhat.com/show_bug.cgi?id=550172 ADV-2010-0169 [systemtap] 20100115 SystemTap release 1.1 http://sourceware.org/bugzilla/show_bug.cgi?id=11105 38216 38154 FEDORA-2010-0671 The print_fatal_signal function in kernel/signal.c in the Linux kernel before 2.6.32.4 on the i386 platform, when print-fatal-signals is enabled, allows local users to discover the contents of arbitrary memory locations by jumping to an address and then reading a log file, and might allow local users to cause a denial of service (system slowdown or crash) by jumping to an address. https://bugzilla.redhat.com/show_bug.cgi?id=554578 [oss-security] 20100113 Re: CVE request - kernel: infoleak if print-fatal-signals=1 [oss-security] 20100112 CVE request - kernel: infoleak if print-fatal-signals=1 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.4 38333 http://patchwork.kernel.org/patch/69752/ FEDORA-2010-0919 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.32.4, when network namespaces are enabled, allows remote attackers to cause a denial of service (NULL pointer dereference) via an invalid IPv6 jumbogram, a related issue to CVE-2007-4567. https://bugzilla.redhat.com/show_bug.cgi?id=555217 37810 61876 [oss-security] 20100114 CVE-2010-0006 - kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo() http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.4 http://security-tracker.debian.org/tracker/CVE-2010-0006 38333 38168 [linux-netdev] 20100114 [PATCH]: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo(). FEDORA-2010-0919 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2570a4f5428bcdb1077622342181755741e7fa60 http://cert.fi/en/reports/2010/vulnerability341748.html http://bugs.gentoo.org/show_bug.cgi?id=300951 Unrestricted file upload vulnerability in maxImageUpload/index.php in PHP F1 Max's Image Uploader 1.0, when Apache is not configured to handle the mime-type for files with pjpeg or jpeg extensions, allows remote attackers to execute arbitrary code by uploading a file with a pjpeg or jpeg extension, then accessing it via a direct request to the file in original/. NOTE: some of these details are obtained from third party information. http://www.exploit-db.com/exploits/11169 38018 61808 Multiple stack-based buffer overflows in Embarcadero Technologies InterBase SMP 2009 9.0.3.437 allow remote attackers to execute arbitrary code via unknown vectors involving crafted packets. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 37916 38285 61892 Stack-based buffer overflow in vpnconf.exe in TheGreenBow IPSec VPN Client 4.51.001, 4.65.003, and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via a long OpenScriptAfterUp parameter in a policy (.tgb) file, related to "phase 2." http://www.thegreenbow.com/download.php?id=1000150 http://www.senseofsecurity.com.au/advisories/SOS-10-001 ipsecvpnclient-tgb-bo(55793) 20100121 TheGreenBow VPN Client Local Stack Overflow Vulnerability - Security Advisory - SOS-10-001 38262 61866 A certain Red Hat configuration step for the qla2xxx driver in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when N_Port ID Virtualization (NPIV) hardware is used, sets world-writable permissions for the (1) vport_create and (2) vport_delete files under /sys/class/scsi_host/, which allows local users to make arbitrary changes to SCSI host attributes by modifying these files. RHSA-2010:0046 https://bugzilla.redhat.com/show_bug.cgi?id=537177 kernel-qla2xxx-security-bypass(55809) [oss-security] 20100120 CVE-2009-3556 kernel: qla2xxx NPIV vport management pseudofiles are world writable A certain Red Hat patch for net/ipv4/route.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (deadlock) via crafted packets that force collisions in the IPv4 routing hash table, and trigger a routing "emergency" in which a hash chain is too long. NOTE: this is related to an issue in the Linux kernel before 2.6.31, when the kernel routing cache is disabled, involving an uninitialized pointer and a panic. RHSA-2010:0046 https://bugzilla.redhat.com/show_bug.cgi?id=545411 linux-kernel-routing-dos(55808) [oss-security] 20100120 Re: CVE-2009-4272 kernel: emergency route cache flushing leads to node deadlock [oss-security] 20100120 CVE-2009-4272 kernel: emergency route cache flushing leads to node deadlock http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.31 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b6280b47a7a42970d098a3059f4ebe7e55e90d8d http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=73e42897e8e5619eacb787d2ce69be12f47cfc21 VERITAS File System (VxFS) 3.3.3, 3.4, and 3.5 before MP1 Rolling Patch 02 for Sun Solaris 2.5.1 through 9 does not properly implement inheritance of default ACLs in certain circumstances related to the characteristics of a directory inode, which allows local users to bypass intended file permissions by accessing a file on a VxFS filesystem. 200161 http://sunsolve.sun.com/search/document.do?assetkey=1-21-113207-05-1 Buffer overflow in pamverifier in Change Manager (CM) 1.0 for Sun Management Center (SunMC) 3.0 on Solaris 8 and 9 on the sparc platform allows remote attackers to execute arbitrary code via unspecified vectors. Per: http://sunsolve.sun.com/search/document.do?assetkey=1-66-201231-1 * "SunMC Change Manager" 1.0 is an unbundled Sun Management Center (SunMC) 3.0 add-on. It is not a part of the SunMC "base" product. * Solaris 2.6 and 7 are not affected. Solaris on the x86 platform is not affected. 201231 http://sunsolve.sun.com/search/document.do?assetkey=1-21-113105-01-1 Cross-site scripting (XSS) vulnerability in Webmail in Sun ONE Messaging Server 6.1 and iPlanet Messaging Server 5.2 before 5.2hf2.02, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via a crafted e-mail message, a different vulnerability than CVE-2005-2022 and CVE-2006-5486. 201601 http://sunsolve.sun.com/search/document.do?assetkey=1-21-116568-56-1 Webmail in Sun ONE Messaging Server 6.1 and iPlanet Messaging Server 5.2 before 5.2hf2.02 allows remote attackers to obtain unspecified "access" to e-mail via a crafted e-mail message, related to a "session hijacking" issue, a different vulnerability than CVE-2005-2022 and CVE-2006-5486. 201180 http://sunsolve.sun.com/search/document.do?assetkey=1-21-116568-55-1 Unspecified vulnerability on certain Sun StorEdge 6130 (SE6130) Controller Arrays allows remote attackers to delete data via unknown vectors. Per: http://sunsolve.sun.com/search/document.do?assetkey=1-66-200971-1 This issue can occur on the following platform: * Sun StorEdge 6130 arrays with a serial number in the range of 0451AWF00G - 0513AWF00J Per: http://sunsolve.sun.com/search/document.do?assetkey=1-66-200971-1 "Resolution Customers with an array that falls within the serial number range defined above should contact their Sun authorized service provider and reference this Sun Alert to obtain a utility which will resolve this issue." 200971 Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry. ADV-2010-0213 http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html http://svn.apache.org/viewvc?rev=892815&view=rev tomcat-war-directory-traversal(55855) 37944 20100124 [SECURITY] CVE-2009-2693 Apache Tomcat unexpected file deletion and/or alteration http://svn.apache.org/viewvc?rev=902650&view=rev 1023505 38346 38316 The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests. ADV-2010-0213 http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html http://svn.apache.org/viewvc?rev=902650&view=rev http://svn.apache.org/viewvc?rev=892815&view=rev tomcat-autodeploy-security-bypass(55856) 37942 20100124 [SECURITY] CVE-2009-2901 Apache Tomcat insecure partial deploy after failed undeploy 1023503 38346 38316 Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename. apache-tomcat-war-directory-traversal(55857) ADV-2010-0213 37945 20100124 [SECURITY] CVE-2009-2902 Apache Tomcat unexpected file deletion in work directory http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html http://svn.apache.org/viewvc?rev=902650&view=rev http://svn.apache.org/viewvc?rev=892815&view=rev 1023504 38346 38316 Unspecified vulnerability in HP OpenView Storage Data Protector 6.00 and 6.10 allows local users to obtain unspecified "access" via unknown vectors. 37964 61955 38306 SSRT090171 SSRT090171 Cisco Unified MeetingPlace 7 before 7.0(2.3) hotfix 5F, 6 before 6.0.639.2, and possibly 5 does not properly validate SQL commands, which allows remote attackers to create, modify, or delete data in a database via unspecified vectors, aka Bug ID CSCtc39691. 20100127 Multiple Vulnerabilities in Cisco Unified MeetingPlace 37965 Multiple unspecified vulnerabilities in the web server in Cisco Unified MeetingPlace 7 before 7.0(2.3) hotfix 5F, 6 before 6.0.639.3, and possibly 5 allow remote attackers to create (1) user or (2) administrator accounts via a crafted URL in a request to the internal interface, aka Bug IDs CSCtc59231 and CSCtd40661. Per: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1490b.shtml Affected Products Vulnerable Products Cisco Unified MeetingPlace versions 5, 6, and 7 are each affected by at least one of the vulnerabilities described in this document. 20100127 Multiple Vulnerabilities in Cisco Unified MeetingPlace 37965 MeetingTime in Cisco Unified MeetingPlace 6 before MR5, and possibly 5, allows remote attackers to discover usernames, passwords, and unspecified other data from the user database via a modified authentication sequence to the Audio Server, aka Bug ID CSCsv76935. 20100127 Multiple Vulnerabilities in Cisco Unified MeetingPlace 37965 MeetingTime in Cisco Unified MeetingPlace 6 before MR5, and possibly 5, allows remote authenticated users to gain privileges via a modified authentication sequence, aka Bug ID CSCsv66530. Per: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1490b.shtml Affected Products Vulnerable Products Cisco Unified MeetingPlace versions 5, 6, and 7 are each affected by at least one of the vulnerabilities described in this document. 20100127 Multiple Vulnerabilities in Cisco Unified MeetingPlace 37965 SQL injection vulnerability in cgi/cgilua.exe/sys/start.htm in Publique! 2.3 allows remote attackers to execute arbitrary SQL commands via the sid parameter. 20100125 Publique! CMS SQL Injection Vulnerabilities 38302 http://packetstormsecurity.org/1001-exploits/publique-sql.txt 61941 Cross-site scripting (XSS) vulnerability in forum/viewtopic.php in PunBB 1.3 allows remote attackers to inject arbitrary web script or HTML via the pid parameter. punbb-viewtopic-xss(55853) 37930 http://www.packetstormsecurity.com/1001-exploits/punbb13-xss.txt SQL injection vulnerability in the indianpulse Game Server (com_gameserver) component 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the grp parameter in a gameserver action to index.php. gameserver-grp-sql-injection(55829) 37934 37920 http://www.exploit-db.com/exploits/11222 SQL injection vulnerability in home.php in magic-portal 2.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. magicportal-home-sql-injection(55849) http://www.exploit-db.com/exploits/11235 http://packetstormsecurity.org/1001-exploits/magicportal-sql.txt Multiple SQL injection vulnerabilities in NetArt Media Blog System 1.5 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to index.php log.php and the (2) note parameter to b. blogsystem-index-sql-injection(55818) 37911 http://www.exploit-db.com/exploits/11216 http://packetstormsecurity.org/0512-exploits/blog12SQL.txt SQL injection vulnerability in the Mochigames (com_mochigames) component 0.51 and possibly other versions for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. mochigames-index-sql-injection(55841) 37931 http://www.exploit-db.com/exploits/11243 http://packetstormsecurity.org/1001-exploits/joomlamochigames-sql.txt Multiple cross-site scripting (XSS) vulnerabilities in staff/index.php in Kayako SupportSuite 3.60.04 and earlier allow remote authenticated users to inject arbitrary web script or HTML via the (1) subject parameter and (2) contents parameter (aka body) in an insertquestion action. NOTE: some of these details are obtained from third party information. supportsuite-contents-xss(55859) 37947 20100121 Kayako SupportSuite Multiple Persistent Cross Site Scripting (Current Versions) 38322 http://packetstormsecurity.org/1001-advisories/kayako-xss.txt 61928 SQL injection vulnerability in the casino (com_casino) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a (1) category or (2) player action to index.php. Exploit PoC reference links indicate a prerequisite of privileged authenticated user. casino-indexphp-sql-injection(55846) 37938 http://www.exploit-db.com/exploits/11237 http://packetstormsecurity.org/1001-exploits/joomlacasino1-sql.txt Heap-based buffer overflow in IBM DB2 9.7 and 9.7.1 on Linux allows remote authenticated users to have an unspecified impact via a SELECT statement that has a long column name generated with the REPEAT function. db2-sysibm-bo(55899) 37976 1023509 http://intevydis.blogspot.com/2010/01/ibm-db2-97-heap-overflow.html The huft_build function in inflate.c in gzip before 1.3.13 creates a hufts (aka huffman) table that is too small, which allows remote attackers to cause a denial of service (application crash or infinite loop) or possibly execute arbitrary code via a crafted archive. NOTE: this issue is caused by a CVE-2006-4334 regression. https://bugzilla.redhat.com/show_bug.cgi?id=514711 ADV-2010-0185 USN-889-1 MDVSA-2010:020 DSA-1974 38232 38223 38132 SUSE-SA:2010:008 http://git.savannah.gnu.org/cgit/gzip.git/commit/?id=39a362ae9d9b007473381dba5032f4dfc1744cf2 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507263 [bug-gzip] 20091002 gzip-1.3.13 released [major] Mozilla Necko, as used in Thunderbird 3.0.1, SeaMonkey, and other applications, performs DNS prefetching even when the app type is APP_TYPE_MAIL or APP_TYPE_EDITOR, which makes it easier for remote attackers to determine the network location of the application's user by logging DNS requests, as demonstrated by DNS requests triggered by reading text/plain e-mail messages in Thunderbird. https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail https://bugzilla.mozilla.org/show_bug.cgi?id=492196 Mozilla Necko, as used in Firefox, SeaMonkey, and other applications, performs DNS prefetching of domain names contained in links within local HTML documents, which makes it easier for remote attackers to determine the network location of the application's user by logging DNS requests. NOTE: the vendor disputes the significance of this issue, stating "I don't think we necessarily need to worry about that case." https://bugzilla.mozilla.org/show_bug.cgi?id=492196 https://bugzilla.mozilla.org/show_bug.cgi?id=453403 Integer underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error. https://bugzilla.redhat.com/show_bug.cgi?id=554418 ADV-2010-0185 USN-889-1 RHSA-2010:0061 61869 MDVSA-2010:020 MDVSA-2010:019 DSA-1974 1023490 38232 38225 38223 38220 http://savannah.gnu.org/forum/forum.php?forum_id=6153 SUSE-SA:2010:008 http://git.savannah.gnu.org/cgit/gzip.git/commit/?id=a3db5806d012082b9e25cc36d09f19cd736a468f ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view. FEDORA-2009-13634 FEDORA-2009-13610 [oss-security] 20100114 Re: CVE Request: viewvc [oss-security] 20100113 Re: CVE Request: viewvc [oss-security] 20100111 CVE Request: viewvc http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2300 http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242&r2=2313&pathrev=HEAD http://viewvc.tigris.org/source/browse/*checkout*/viewvc/trunk/docs/release-notes/1.1.0.html?revision=2222 SUSE-SA:2010:008 query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query. http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242&r2=2313&pathrev=HEAD FEDORA-2009-13634 FEDORA-2009-13610 [oss-security] 20100113 Re: CVE Request: viewvc [oss-security] 20100111 CVE Request: viewvc http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2300 SUSE-SA:2010:008 Horde IMP 4.3.6 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests. http://bugs.horde.org/ticket/8836 https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests. http://trac.roundcube.net/ticket/1486449 https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail The web console in Symantec Altiris Notification Server 6.0.x before 6.0 SP3 R12 uses a hardcoded key that can decrypt SQL Server credentials and certain discovery credentials, and stores this key on the Notification Server machine, which allows local users to obtain sensitive information and possibly execute arbitrary code by decrypting and using these credentials. http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100128_00 symantec-ans-key-unauth-access(55952) ADV-2010-0256 37953 38356 62010 Multiple directory traversal vulnerabilities in Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x before 2.3.2 allow remote attackers to overwrite arbitrary files or obtain sensitive information via vectors involving (1) control field names, (2) control field values, and (3) control files of patch systems. 37975 USN-891-1 DSA-1979 38379 38375 [debian-changes] 20100128 Accepted lintian 1.24.2.1+lenny1 (source all) http://packages.debian.org/changelogs/pool/main/l/lintian/lintian_2.3.2/changelog http://git.debian.org/?p=lintian/lintian.git;a=commit;h=fbe0c92b2ef7e360d13414bf40d6af5507d0c86d http://git.debian.org/?p=lintian/lintian.git;a=commit;h=c8d01f062b3e5137cf65196760b079a855c75e00 Multiple format string vulnerabilities in Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x before 2.3.2 allow remote attackers to have an unspecified impact via vectors involving (1) check scripts and (2) the Lintian::Schedule module. 37975 USN-891-1 DSA-1979 38379 38375 [debian-changes] 20100128 Accepted lintian 1.24.2.1+lenny1 (source all) http://packages.debian.org/changelogs/pool/main/l/lintian/lintian_2.3.2/changelog http://git.debian.org/?p=lintian/lintian.git;a=commit;h=fbe0c92b2ef7e360d13414bf40d6af5507d0c86d http://git.debian.org/?p=lintian/lintian.git;a=commit;h=c8d01f062b3e5137cf65196760b079a855c75e00 Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x before 2.3.2 allows remote attackers to execute arbitrary commands via shell metacharacters in filename arguments. 37975 USN-891-1 DSA-1979 38379 38375 [debian-changes] 20100128 Accepted lintian 1.24.2.1+lenny1 (source all) http://packages.debian.org/changelogs/pool/main/l/lintian/lintian_2.3.2/changelog http://git.debian.org/?p=lintian/lintian.git;a=commit;h=fbe0c92b2ef7e360d13414bf40d6af5507d0c86d http://git.debian.org/?p=lintian/lintian.git;a=commit;h=c8d01f062b3e5137cf65196760b079a855c75e00 Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow. modproxy-approxysendfb-bo(55941) ADV-2010-0240 37966 20100127 Mod_proxy from apache 1.3 - Integer overflow which causes heap overflow. http://site.pi3.com.pl/adv/mod_proxy.txt 38319 http://packetstormsecurity.org/1001-exploits/modproxy-overflow.txt http://httpd.apache.org/dev/dist/CHANGES_1.3.42 http://blog.pi3.com.pl/?p=69 20100127 Mod_proxy from apache 1.3 - Integer overflow which causes heap overflow. Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php. ccnewsletter-index-dir-traversal(55953) 37987 http://www.exploit-db.com/exploits/11282 http://www.exploit-db.com/exploits/11277 http://www.chillcreations.com/en/blog/ccnewsletter-joomla-newsletter/ccnewsletter-106-security-release.html 38378 Cross-site scripting (XSS) vulnerability in utilities/longproc.cfm in PaperThin CommonSpot Content Server allows remote attackers to inject arbitrary web script or HTML via the url parameter. commonspot-longproc-xss(55955) 37986 20100128 PR09-19: Cross-Site Scripting (XSS) on CommonSpot server 20100128 PR09-19: Cross-Site Scripting (XSS) on CommonSpot server SQL injection vulnerability in Files2Links F2L 3000 appliance 4.0.0, and possibly other versions and models, allows remote attackers to execute arbitrary SQL commands via unspecified parameters to the login page. f2l3000-login-sql-injection(55950) 38310 http://packetstormsecurity.org/1001-advisories/DDIVRT-2009-27.txt 61976 20100125 DDIVRT-2009-27 F2L-3000 files2links SQL Injection Vulnerability Cross-site scripting (XSS) vulnerability in scvrtsrv.cmd in Comtrend CT-507IT ADSL Router allows remote attackers to inject arbitrary web script or HTML via the srvName parameter. 38004 38309 http://packetstormsecurity.org/1001-exploits/comtrend-xss.txt SQL injection vulnerability in the comment submission interface (includes/comment.php) in Enano CMS before 1.0.6pl1 allows remote attackers to execute arbitrary SQL commands via unspecified parameters. http://enanocms.org/Release_notes/1.0.6pl1 61974 38253 The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow." https://bugzilla.redhat.com/show_bug.cgi?id=559259 https://bugzilla.redhat.com/show_bug.cgi?id=559194 postgresql-substring-bo(55902) 37973 [oss-security] 20100127 Re: CVE id request: postgresql bitsubstr overflow 1023510 http://intevydis.blogspot.com/2010/01/postgresql-8023-bitsubstr-overflow.html http://git.postgresql.org/gitweb?p=postgresql.git;a=commit;h=b15087cb39ca9e4bde3c8920fcee3741045d2b83 http://git.postgresql.org/gitweb?p=postgresql.git;a=commit;h=75dea10196c31d98d98c0bafeeb576ae99c09b12 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567058 [pgsql-hackers] 20100107 Re: Patch: Allow substring/replace() to get/set bit values [pgsql-committers] 20100107 pgsql: Make bit/varbit substring() treat any negative length as meaning kuddb2 in Tivoli Monitoring for DB2, as distributed in IBM DB2 9.7 FP1 on Linux, allows remote attackers to cause a denial of service (daemon crash) via a certain byte sequence. 38018 http://intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html Unspecified vulnerability in HP Enterprise Cluster Master Toolkit (ECMT) B.05.00 on HP-UX B.11.23 (11i v2) and HP-UX B.11.31 (11i v3) allows local users to gain access to an Oracle or Sybase database via unknown vectors. ADV-2010-0272 1023523 38035 38423 HPSBUX02464 HPSBUX02464 The default configuration of Adobe ColdFusion 9.0 does not restrict access to collections that have been created by the Solr Service, which allows remote attackers to obtain collection metadata, search information, and index data via a request to an unspecified URL. coldfusion-solr-information-disclosure(55997) ADV-2010-0259 1023519 38007 http://www.adobe.com/support/security/bulletins/apsb10-04.html 38387 62037 http://kb2.adobe.com/cps/807/cpsid_80719.html Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function. ADV-2010-0239 wireshark-lwres-bo(55951) http://www.wireshark.org/security/wnpa-sec-2010-02.html http://www.wireshark.org/security/wnpa-sec-2010-01.html 1023516 37985 [oss-security] 20100129 Re: CVE id request: Wireshark http://www.metasploit.com/modules/exploit/multi/misc/wireshark_lwres_getaddrbyname DSA-1983 38348 38257 61987 http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15 allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header. http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9163.patch squid-dns-dos(56001) ADV-2010-0260 http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-9853.patch http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch http://www.squid-cache.org/Advisories/SQUID-2010_1.txt 1023520 37522 38455 38451 62044 http://events.ccc.de/congress/2009/Fahrplan/attachments/1483_26c3_ipv4_fuckups.pdf Cross-site scripting (XSS) vulnerability in +CSCOT+/translation in Cisco Secure Desktop 3.4.2048, and other versions before 3.5; as used in Cisco ASA appliance before 8.2(1), 8.1(2.7), and 8.0(5); allows remote attackers to inject arbitrary web script or HTML via a crafted POST parameter, which is not properly handled by an eval statement in binary/mainv.js that writes to start.html. Per: http://tools.cisco.com/security/center/viewAlert.x?alertId=19843 "Cisco Secure Desktop versions prior to 3.5 are vulnerable. Cisco Secure Desktop is a component of Cisco ASA 5500 Series Adaptive Security Appliances. Cisco ASA appliances are vulnerable only if the Cisco Secure Desktop feature has been enabled. Cisco ASA appliance versions prior to 8.2(1), 8.1(2.7), and 8.0(5) are vulnerable." http://tools.cisco.com/security/center/viewAlert.x?alertId=19843 ADV-2010-0273 37960 20100201 [CORE-2010-0106] Cisco Secure Desktop XSS/JavaScript Injection http://www.coresecurity.com/content/cisco-secure-desktop-xss 38397 The ucode_ioctl function in intel/io/ucode_drv.c in Sun Solaris 10 and OpenSolaris snv_69 through snv_133, when running on x86 architectures, allows local users to cause a denial of service (panic) via a request with a 0 size value to the UCODE_GET_VERSION IOCTL, which triggers a NULL pointer dereference in the ucode_get_rev function, related to retrieval of the microcode revision. ADV-2010-0270 http://sunsolve.sun.com/search/document.do?assetkey=1-21-143913-01-1 solaris-microcode-dos(55991) http://www.trapkit.de/advisories/TKADV2010-001.txt 38016 20100131 [TKADV2010-001] Oracle Solaris UCODE_GET_VERSION IOCTL Kernel NULL Pointer Dereference 38452 62046 Bugzilla 3.3.1 through 3.4.4, 3.5.1, and 3.5.2 does not allow group restrictions to be preserved throughout the process of moving a bug to a different product category, which allows remote attackers to obtain sensitive information via a request for a bug in opportunistic circumstances. ADV-2010-0261 https://bugzilla.mozilla.org/show_bug.cgi?id=532493 bugzilla-group-restriction-info-disclosure(56004) 38026 20100201 Security Advisory for Bugzilla 3.0.10, 3.2.5, 3.4.4, and 3.5.2 38443 Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3.5.x before 3.5.3 does not block access to files and directories that are used by custom installations, which allows remote attackers to obtain sensitive information via requests for (1) CVS/, (2) contrib/, (3) docs/en/xml/, (4) t/, or (5) old-params.txt. https://bugzilla.mozilla.org/show_bug.cgi?id=434801 https://bugzilla.mozilla.org/show_bug.cgi?id=314871 ADV-2010-0261 bugzilla-files-info-disclosure(56003) 38025 20100201 Security Advisory for Bugzilla 3.0.10, 3.2.5, 3.4.4, and 3.5.2 38443 Recovery Mode in Apple iPhone OS 1.0 through 3.1.2, and iPhone OS for iPod touch 1.1 through 3.1.2, allows physically proximate attackers to bypass device locking, and read or modify arbitrary data, via a USB control message that triggers memory corruption. 38040 http://support.apple.com/kb/HT4013 APPLE-SA-2010-02-02-1 lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate. 38036 http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt http://download.lighttpd.net/lighttpd/security/lighttpd-1.5_fix_slow_request_dos.patch http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.x_fix_slow_request_dos.patch lighttpd-slow-request-dos(56038) [oss-security] 20100202 lighttpd: slow request dos/oom attack [CVE-2010-0295] DSA-1987 38403 http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2711 http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2710 http://redmine.lighttpd.net/issues/2147 ejabberd_c2s.erl in ejabberd before 2.1.3 allows remote attackers to cause a denial of service (daemon crash) via a large number of c2s (aka client2server) messages that trigger a queue overload. [oss-security] 20100129 Re: CVE Request -- ejabberd [oss-security] 20100129 CVE Request -- ejabberd https://support.process-one.net/browse/EJAB-1173 ejabberd-client2server-dos(56025) 38003 62066 38337 FreeBit ServersMan 3.1.5 on Apple iPhone OS 3.1.2, and iPhone OS for iPod touch, allows remote attackers to cause a denial of service (daemon crash) via a HEAD request for the / URI. serversman-iphone-ipod-dos(55949) 38315 20100127 Apple Iphone/Ipod - Serversman 3.1.5 HTTP Remote DoS exploit IBM WebSphere Service Registry and Repository (WSRR) 6.3.0 before FP2 does not have the intended configuration properties, which allows remote authenticated users to obtain unspecified data access via a property query. http://www-01.ibm.com/support/docview.wss?uid=swg24025456 websphere-wsrr-property-security-bypass(55744) Integer underflow in the clean_string function in irc_string.c in (1) IRCD-hybrid 7.2.2 and 7.2.3, (2) ircd-ratbox before 2.2.9, and (3) oftc-hybrid before 1.6.8, when flatten_links is disabled, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a LINKS command. DSA-1980 http://security.debian.org/pool/updates/main/i/ircd-hybrid/ircd-hybrid_7.2.2.dfsg.2-4+lenny1.diff.gz 37978 http://trac.oftc.net/projects/oftc-hybrid/browser/tags/oftc-hybrid-1.6.8/RELNOTES http://svn.ircd-hybrid.org:8000/viewcvs.cgi?rev=1044&view=rev 38383 38382 38381 38210 [ircd-ratbox] 20100125 ircd-ratbox-2.2.9 released cache.c in ircd-ratbox before 2.2.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a HELP command. DSA-1980 http://security.debian.org/pool/updates/main/i/ircd-ratbox/ircd-ratbox_2.2.8.dfsg-2+lenny1.diff.gz 38383 38210 [ircd-ratbox] 20100125 ircd-ratbox-2.2.9 released main.C in maildrop 2.3.0 and earlier, when run by root with the -d option, uses the gid of root for execution of the .mailfilter file in a user's home directory, which allows local users to gain privileges via a crafted file. https://bugzilla.redhat.com/show_bug.cgi?id=559681 maildrop-group-priv-escalation(55980) DSA-1981 http://www.courier-mta.org/maildrop/changelog.html 1023515 38374 38367 [oss-security] 20100128 Re: CVE id request: maildrop [oss-security] 20100128 Re: CVE id request: maildrop [oss-security] 20100128 Re: CVE id request: maildrop [oss-security] 20100127 CVE id request: maildrop http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564601 mystring.c in hybserv in IRCD-Hybrid (aka Hybrid2 IRC Services) 1.9.2 through 1.9.4 allows remote attackers to cause a denial of service (daemon crash) via a ":help \t" private message to the MemoServ service. http://security.debian.org/pool/updates/main/h/hybserv/hybserv_1.9.2-4+lenny2.diff.gz hybserv2-privatemessage-dos(55992) 38006 DSA-1982 38352 38350 [oss-security] 20100129 Re: CVE id: hybserv http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550389 Asterisk Open Source 1.6.0.x before 1.6.0.22, 1.6.1.x before 1.6.1.14, and 1.6.2.x before 1.6.2.2, and Business Edition C.3 before C.3.3.2, allows remote attackers to cause a denial of service (daemon crash) via an SIP T.38 negotiation with an SDP FaxMaxDatagram field that is (1) missing, (2) modified to contain a negative number, or (3) modified to contain a large number. http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.1.diff http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.0.diff https://issues.asterisk.org/view.php?id=16724 https://issues.asterisk.org/view.php?id=16634 https://issues.asterisk.org/view.php?id=16517 ADV-2010-0289 38047 20100202 AST-2010-001: T.38 Remote Crash Vulnerability 1023532 38395 http://downloads.asterisk.org/pub/security/AST-2010-001.html http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.2.diff Unspecified vulnerability in Record Management Services (RMS) before VMS83A_RMS-V1100 for HP OpenVMS on the Alpha platform allows local users to gain privileges via unknown vectors. ADV-2010-0286 SSRT100023 SSRT100023 openvms-rms-privilege-escalation(56062) 38048 38366 client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054 Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prevent rendering of non-HTML local files as HTML documents, which allows remote attackers to bypass intended access restrictions and read arbitrary files via vectors involving the product's use of text/html as the default content type for files that are encountered after a redirection, aka the URLMON sniffing vulnerability, a variant of CVE-2009-1140 and related to CVE-2008-1448. 38056 38055 20100203 CORE-2009-0625: Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities http://www.microsoft.com/technet/security/advisory/980088.mspx http://www.coresecurity.com/content/internet-explorer-dynamic-object-tag http://isc.sans.org/diary.html?n&storyid=8152 http://blogs.technet.com/msrc/archive/2010/02/03/security-advisory-980088-released.aspx Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prevent rendering of non-HTML local files as HTML documents, which allows remote attackers to bypass intended access restrictions and read arbitrary files via vectors involving JavaScript exploit code that constructs a reference to a file://127.0.0.1 URL, aka the dynamic OBJECT tag vulnerability, as demonstrated by obtaining the data from an index.dat file, a variant of CVE-2009-1140 and related to CVE-2008-1448. 38056 38055 20100203 CORE-2009-0625: Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities http://www.microsoft.com/technet/security/advisory/980088.mspx http://www.coresecurity.com/content/internet-explorer-dynamic-object-tag http://isc.sans.org/diary.html?n&storyid=8152 http://blogs.technet.com/msrc/archive/2010/02/03/security-advisory-980088-released.aspx Multiple unspecified vulnerabilities in the Network Controller and Web Server in Xerox WorkCentre 5632, 5638, 5645, 5655, 5665, 5675, and 5687 allow remote attackers to (1) access mailboxes via unknown vectors that bypass Scan to Mailbox authorization or (2) read device configuration information via via unknown vectors that bypass web server authorization. http://www.xerox.com/downloads/usa/en/c/cert_XRX10-002_v1.0.pdf ADV-2010-0209 38139 Unspecified vulnerability in the Network Controller in Xerox WorkCentre 6400 System Software 060.070.109.11407 through 060.070.109.29510, and Net Controller 060.079.11410 through 060.079.29310, allows remote attackers to access "directory structure" via a crafted PostScript file, aka "Unauthorized Directory Structure Access Vulnerability." http://www.xerox.com/downloads/usa/en/c/cert_XRX10-001_v1.0.pdf ADV-2010-0208 1023500 38339 admin.htm in Geo++ GNCASTER 1.4.0.7 and earlier does not properly enforce HTTP Digest Authentication, which allows remote authenticated users to use HTTP Basic Authentication, bypassing intended server policy. gncaster-httpbasic-weak-security(55976) 20100127 [RT-SA-2010-003] Geo++(R) GNCASTER: Faulty implementation of HTTPDigest Authentication http://www.redteam-pentesting.de/en/advisories/rt-sa-2010-003/-geo-r-gncaster-faulty-implementation-of-http-digest-authentication 38323 62013 HTTP authentication implementation in Geo++ GNCASTER 1.4.0.7 and earlier allows remote attackers to read authentication headers of other users via a large request with an incorrect authentication attempt, which includes sensitive memory in the response. NOTE: this is referred to as a "memory leak" by some sources, but is better characterized as "memory disclosure." gncaster-server-info-disclosure(55978) 20100127 [RT-SA-2010-003] Geo++(R) GNCASTER: Faulty implementation of HTTPDigest Authentication http://www.redteam-pentesting.de/en/advisories/rt-sa-2010-003/-geo-r-gncaster-faulty-implementation-of-http-digest-authentication 38323 62015 Geo++ GNCASTER 1.4.0.7 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via multiple requests for a non-existent file using a long URI. gncaster-httpget-code-execution(55974) 20100127 [RT-SA-2010-001] Geo++(R) GNCASTER: Insecure handling of long URLs http://www.redteam-pentesting.de/en/advisories/rt-sa-2010-001/-geo-r-gncaster-insecure-handling-of-long-urls 38323 62011 Geo++ GNCASTER 1.4.0.7 and earlier allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a long NMEA data sentence. gncaster-nmea-code-execution(55975) 20100127 [RT-SA-2010-002] Geo++(R) GNCASTER: Insecure handling of NMEA-data http://www.redteam-pentesting.de/en/advisories/rt-sa-2010-002/-geo-r-gncaster-insecure-handling-of-nmea-data 38323 62012 The HTTP Authentication implementation in Geo++ GNCASTER 1.4.0.7 and earlier uses the same nonce for all authentication, which allows remote attackers to hijack web sessions or bypass authentication via a replay attack. gncaster-nonce-replay(55977) 20100127 [RT-SA-2010-003] Geo++(R) GNCASTER: Faulty implementation of HTTPDigest Authentication http://www.redteam-pentesting.de/en/advisories/rt-sa-2010-003/-geo-r-gncaster-faulty-implementation-of-http-digest-authentication 38323 62014 Sun ONE (aka iPlanet) Web Server 4.1 through SP12 and 6.0 through SP5, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files, and conduct cross-site scripting (XSS) attacks involving the iPlanet Log Analyzer, via an HTTP request in conjunction with a crafted DNS response, related to an "Inverse Lookup Log Corruption (ILLC)" issue, a different vulnerability than CVE-2002-1315 and CVE-2002-1316. 201453 20030304 Log corruption on multiple webservers, log analyzers,... Sun ONE (aka iPlanet) Web Server 4.1 through SP12 and 6.0 through SP5, when DNS resolution is enabled for client IP addresses, allows remote attackers to hide HTTP requests from the log-preview functionality by accompanying the requests with crafted DNS responses specifying a domain name beginning with a "format=" substring, related to an "Inverse Lookup Log Corruption (ILLC)" issue. 7012 201453 20030304 Log corruption on multiple webservers, log analyzers,... Sun ONE (aka iPlanet) Web Server 6 on Windows, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. 20030304 Log corruption on multiple webservers, log analyzers,... The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. 20030304 Log corruption on multiple webservers, log analyzers,... The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue. 20030304 Log corruption on multiple webservers, log analyzers,... Microsoft Internet Information Services (IIS) 6.0, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue. 20030304 Log corruption on multiple webservers, log analyzers,... Cross-site scripting (XSS) vulnerability in WebTrends allows remote attackers to inject arbitrary web script or HTML via a crafted client domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. 20030304 Log corruption on multiple webservers, log analyzers,... Cross-site scripting (XSS) vulnerability in SurfStats allows remote attackers to inject arbitrary web script or HTML via a crafted client domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. 20030304 Log corruption on multiple webservers, log analyzers,... Cross-site scripting (XSS) vulnerability in WebLogExpert allows remote attackers to inject arbitrary web script or HTML via a crafted client domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. 20030304 Log corruption on multiple webservers, log analyzers,... Cross-site scripting (XSS) vulnerability in WebExpert allows remote attackers to inject arbitrary web script or HTML via a crafted User-Agent HTTP header. 20030304 Log corruption on multiple webservers, log analyzers,... Cross-site scripting (XSS) vulnerability in LoganPro allows remote attackers to inject arbitrary web script or HTML via a crafted User-Agent HTTP header. 20030304 Log corruption on multiple webservers, log analyzers,... IBM WebSphere Commerce 7.0 uses the same cryptographic key for session attributes and merchant data encryption, which has unspecified impact and remote attack vectors. websphere-commerce-key-weak-security(56089) JR35136 http://www-01.ibm.com/support/docview.wss?uid=swg21418443 IBM WebSphere Commerce 7.0 does not properly encrypt data in a database, which makes it easier for local users to obtain sensitive information by defeating cryptographic protection mechanisms. websphere-commerce-scheme-weak-security(56090) JR35199 JR35136 http://www-01.ibm.com/support/docview.wss?uid=swg21418445 Cross-site scripting (XSS) vulnerability in proxy/smhui/getuiinfo in HP System Management Homepage (SMH) before 6.0 allows remote attackers to inject arbitrary web script or HTML via the servercert parameter. ADV-2010-0294 38081 20100127 PR09-15: XSS injection vulnerability within HP System Management Homepage (Insight Manager) http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-15 38341 SSRT090220 SSRT090220 IBM Cognos Express 9.0 allows attackers to obtain unspecified access to the Tomcat Manager component, and cause a denial of service, by leveraging hardcoded credentials. ADV-2010-0297 38084 62118 http://www-01.ibm.com/support/docview.wss?uid=swg21419179 38457 The default configuration of Oracle OpenSolaris snv_77 through snv_131 allows attackers to have an unspecified impact via vectors related to using smbadm to join a Windows Active Directory domain. 275790 The default configuration of Oracle OpenSolaris snv_91 through snv_131 allows attackers to have an unspecified impact via vectors related to using kclient to join a Windows Active Directory domain. 275790 Sun Cluster 2.2, when HA-Oracle or HA-Sybase DBMS services are used, stores database credentials in cleartext in a cluster configuration file, which allows local users to obtain sensitive information by reading this file. 201460 The read_from_cmd_socket function in cmdmon.c in chronyd in Chrony before 1.23.1, and 1.24-pre1, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a spoofed cmdmon packet that triggers a continuous exchange of NOHOSTACCESS messages between two daemons, a related issue to CVE-2009-3563. 38106 https://bugzilla.redhat.com/show_bug.cgi?id=555367 DSA-1992 38480 38428 http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git;a=commit;h=7864c7a70ce00369194e734eb2842ecc5f8db531 http://chrony.tuxfamily.org/News.html The client logging functionality in chronyd in Chrony before 1.23.1 does not restrict the amount of memory used for storage of client information, which allows remote attackers to cause a denial of service (memory consumption) via spoofed (1) NTP or (2) cmdmon packets. https://bugzilla.redhat.com/show_bug.cgi?id=555367 38106 DSA-1992 38480 38428 http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git;a=commit;h=2f63cf448560fdb96b80d8488aae6a15b802a753 http://chrony.tuxfamily.org/News.html chronyd in Chrony before 1.23.1, and possibly 1.24-pre1, generates a syslog message for each unauthorized cmdmon packet, which allows remote attackers to cause a denial of service (disk consumption) via a large number of invalid packets. 38106 http://chrony.tuxfamily.org/News.html https://bugzilla.redhat.com/show_bug.cgi?id=555367 DSA-1992 38480 38428 http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git;a=commit;h=0b710499f994823bd938fc6895f097eefb9cc59f Multiple integer signedness errors in the (1) __get_argv and (2) __get_compat_argv functions in tapset/aux_syscalls.stp in SystemTap 1.1 allow local users to cause a denial of service (script crash, or system crash or hang) via a process with a large number of arguments, leading to a buffer overflow. https://bugzilla.redhat.com/show_bug.cgi?id=559719 38120 http://sourceware.org/git/gitweb.cgi?p=systemtap.git;a=commit;h=a2d399c87a642190f08ede63dc6fc434a5a8363a http://sourceware.org/bugzilla/show_bug.cgi?id=11234 38426 [oss-security] 20100204 systemtap DoS issue (CVE-2010-0411) Buffer overflow in the GMIME_UUENCODE_LEN macro in gmime/gmime-encodings.h in GMime before 2.4.15 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via input data for a uuencode operation. http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.14-2.4.15.diff.gz https://bugzilla.redhat.com/show_bug.cgi?id=561457 [oss-security] 20100203 Re: CVE Request -- GMime-2.4.15 [oss-security] 20100203 CVE Request -- GMime-2.4.15 38459 http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.15.changes Unspecified vulnerability in the BIOS in Intel Desktop Board DB, DG, DH, DP, and DQ Series allows local administrators to execute arbitrary code in System Management Mode (SSM) via unknown attack vectors. ADV-2010-0271 http://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00022&languageid=en-fr 38413 62071 Integer signedness error in NetBSD 4.0, 5.0, and NetBSD-current before 2010-01-21 allows local users to cause a denial of service (kernel panic) via a negative mixer index number being passed to (1) the azalia_query_devinfo function in the azalia audio driver (src/sys/dev/pci/azalia.c) or (2) the hdaudio_afg_query_devinfo function in the hdaudio audio driver (src/sys/dev/pci/hdaudio/hdaudio_afg.c). 1023539 38057 38284 62082 62081 NetBSD-SA2010-003 The sdump function in sdump.c in fetchmail 6.3.11, 6.3.12, and 6.3.13, when running in verbose mode on platforms for which char is signed, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an SSL X.509 certificate containing non-printable characters with the high bit set, which triggers a heap-based buffer overflow during escaping. ADV-2010-0296 1023543 38088 http://www.fetchmail.info/fetchmail-SA-2010-01.txt 38391 62114 http://mknod.org/svn/fetchmail/branches/BRANCH_6-3/fetchmail-SA-2010-01.txt The Single Sign-on (SSO) functionality in IBM WebSphere Application Server (WAS) 7.0.0.0 through 7.0.0.8 does not recognize the Requires SSL configuration option, which might allow remote attackers to obtain sensitive information by sniffing network sessions that were expected to be encrypted. http://www-01.ibm.com/support/docview.wss?uid=swg21417839 38122 62140 PM00610 1023551 38425 Multiple SQL injection vulnerabilities in Kernel/System/Ticket.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.1.x before 2.1.9, 2.2.x before 2.2.9, 2.3.x before 2.3.5, and 2.4.x before 2.4.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors. 38146 http://www.otrs.org/news/2010/otrs_2-4-7/ 62181 http://source.otrs.org/viewvc.cgi/otrs/Kernel/System/Ticket.pm?view=log 38507 http://otrs.org/releases/2.4.7/ http://otrs.org/advisory/OSA-2010-01-en/ HP Operations Agent 8.51, 8.52, 8.53, and 8.60 on Solaris 10 uses a blank password for the opc_op account, which allows remote attackers to execute arbitrary code via unspecified vectors. 38150 1023555 HPSBMA02487 SSRT100024 Off-by-one error in the VP3 decoder (vp3.c) in FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted VP3 file that triggers an out-of-bounds read and possibly memory corruption. https://roundup.ffmpeg.org/roundup/ffmpeg/issue1483 https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240 http://scarybeastsecurity.blogspot.com/2009/09/patching-ffmpeg-into-shape.html oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain pointer arithmetic, which might allow remote attackers to obtain sensitive memory contents and cause a denial of service via a crafted file that triggers an out-of-bounds read. https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240 http://scarybeastsecurity.blogspot.com/2009/09/patching-ffmpeg-into-shape.html vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a comparison operator was intended, which might allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted file that modifies a loop counter and triggers a heap-based buffer overflow. https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240 http://scarybeastsecurity.blogspot.com/2009/09/patching-ffmpeg-into-shape.html Multiple integer underflows in FFmpeg 0.5 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted file that (1) bypasses a validation check in vorbis_dec.c and triggers a wraparound of the stack pointer, or (2) access a pointer from out-of-bounds memory in mov.c, related to an elst tag that appears before a tag that creates a stream. https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240 http://scarybeastsecurity.blogspot.com/2009/09/patching-ffmpeg-into-shape.html FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted MOV container with improperly ordered tags that cause (1) mov.c and (2) utils.c to use inconsistent codec types and identifiers, which causes the mp3 decoder to process a pointer for a video structure, leading to a stack-based buffer overflow. https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240 http://scarybeastsecurity.blogspot.com/2009/09/patching-ffmpeg-into-shape.html FFmpeg 0.5 allows remote attackers to cause a denial of service (hang) via a crafted file that triggers an infinite loop. https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240 http://scarybeastsecurity.blogspot.com/2009/09/patching-ffmpeg-into-shape.html FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a stack-based buffer overflow. https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240 http://scarybeastsecurity.blogspot.com/2009/09/patching-ffmpeg-into-shape.html Integer overflow in FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240 http://scarybeastsecurity.blogspot.com/2009/09/patching-ffmpeg-into-shape.html The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) via a crafted AVI file that triggers a divide-by-zero error. https://roundup.ffmpeg.org/roundup/ffmpeg/issue1245 https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240 http://scarybeastsecurity.blogspot.com/2009/09/patching-ffmpeg-into-shape.html Array index error in vorbis_dec.c in FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Vorbis file that triggers an out-of-bounds read. https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240 http://scarybeastsecurity.blogspot.com/2009/09/patching-ffmpeg-into-shape.html PyGIT.py in the Trac Git plugin (trac-git) before 0.0.20080710-3+lenny1 and before 0.0.20090320-1 on Debian GNU/Linux, when enabled in Trac, allows remote attackers to execute arbitrary commands via shell metacharacters in a crafted HTTP query that is used to generate a certain git command. tracgit-command-execution(56105) 38076 DSA-1990 38325 62147 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567039 Buffer overflow in Trend Micro URL Filtering Engine (TMUFE) in OfficeScan 8.0 before SP1 Patch 5 - Build 3510, possibly tmufeng.dll before 3.0.0.1029, allows attackers to cause a denial of service (crash or OfficeScan hang) via unspecified vectors. NOTE: it is likely that this issue also affects tmufeng.dll before 2.0.0.1049 for OfficeScan 10.0. officescan-tmufe-bo(56097) ADV-2010-0295 http://www.trendmicro.com/ftp/documentation/readme/readme_1224.txt http://www.trendmicro.com/ftp/documentation/readme/OSCE_80_Win_SP1_Patch_5_en_readme.txt 1023553 38083 38396