krb5 -- MITKRB5-SA-2011-002, KDC vulnerable to hang when using LDAP back end
An advisory published by the MIT Kerberos team says: The MIT krb5 Key Distribution Center KDC daemon is vulnerable to denial of service attacks from unauthenticated remote attackers. CVE-2011-0281 and CVE-2011-0282 occur only in KDCs using LDAP back ends, but CVE-2011-0283 occurs in all krb5-1.9...
django -- multiple vulnerabilities
Django project reports: Today the Django team is issuing multiple releases -- Django 1.2.5 and Django 1.1.4 -- to remedy three security issues reported to us. All users of affected versions of Django are urged to upgrade immediately...
webkit-gtk2 -- Multiple vulnerabilities
Gustavo Noronha Silva reports: This release has essentially security fixes. Refer to the WebKit/gtk/NEWS file inside the tarball for details. We would like to thank the Red Hat security team Huzaifa Sidhpurwala in particular and Michael Gilbert from Debian for their help in checking and pushing!...
linux-flashplugin -- multiple vulnerabilities
Adobe Product Security Incident Response Team reports: Critical vulnerabilities have been identified in Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris. These vulnerabilities could cause the application to crash and could potentially allow an attacke...
plone -- Remote Security Bypass
Plone developer reports: This is an escalation of privileges attack that can be used by anonymous users to gain access to a Plone site's administration controls, view unpublished content, create new content and modify a site's skin. The sandbox protecting access to the underlying system is still ...
mediawiki -- multiple vulnerabilities
MediaWiki reports: An arbitrary script inclusion vulnerability was discovered. The vulnerability only allows execution of files with names ending in ".php" which are already present in the local filesystem. Only servers running Microsoft Windows and possibly Novell Netware are affected. Despite...
exim -- local privilege escalation
exim.org reports: CVE-2011-0017 - check return value of setuid/setgid. This is a privilege escalation vulnerability whereby the Exim run-time user can cause root to append content of the attacker's choosing to arbitrary files...
mupdf -- Remote System Access
Secunia reports: The vulnerability is caused due to an error within the "closedctd" function in fitz/filtdctd.c when processing PDF files containing certain malformed JPEG images. This can be exploited to cause a stack corruption by e.g. tricking a user into opening a specially crafted PDF file...
vlc -- Insufficient input validation in MKV demuxer
VLC team reports: When parsing an invalid MKV Matroska or WebM file, input validation is insufficient...
isc-dhcp-server -- DHCPv6 crash
ISC reports: When the DHCPv6 server code processes a message for an address that was previously declined and internally tagged as abandoned it can trigger an assert failure resulting in the server crashing. This could be used to crash DHCPv6 servers remotely. This issue only affects DHCPv6 server...
opera -- multiple vulnerabilities
Opera reports: Opera 11.01 is a recommended upgrade offering security and stability enhancements. The following security vulnerabilities have been fixed: Removed support for "javascript:" URLs in CSS -o-link values, to make it easier for sites to filter untrusted CSS. Fixed an issue where large...
rubygem-mail -- Remote Arbitrary Shell Command Injection Vulnerability
Secunia reports: Input passed via an email from address is not properly sanitised in the "deliver" function lib/mail/network/delivery_methods/sendmail.rb before being used as a command line argument. This can be exploited to inject arbitrary shell commands...
bugzilla -- multiple serious vulnerabilities
A Bugzilla Security Advisory reports: This advisory covers three security issues that have recently been fixed in the Bugzilla code: A weakness in Bugzilla could allow a user to gain unauthorized access to another Bugzilla account. A weakness in the Perl CGI.pm module allows injecting HTTP header...
maradns -- denial of service when resolving a long DNS hostname
MaraDNS developer Sam Trenholme reports: ... a mistake in allocating an array of integers, allocating it in bytes instead of sizeof(int) units. This resulted in a buffer being too small, allowing it to be overwritten. The impact of this programming error is that MaraDNS can be crashed by sending...
linux-flashplugin -- remote code execution vulnerability
Adobe Product Security Incident Response Team reports: A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions Adobe Flash Player 10.2.154.18 and earlier for Chrome users for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.1.106.16 and...
linux-flashplugin -- multiple vulnerabilities
Adobe Product Security Incident Response Team reports: Critical vulnerabilities have been identified in Adobe Flash Player 10.2.159.1 and earlier versions Adobe Flash Player 10.2.154.28 and earlier for Chrome users for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.2.157.51 and...
linux-flashplugin -- remote code execution vulnerability
Adobe Product Security Incident Response Team reports: A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions Adobe Flash Player 10.2.154.25 and earlier for Chrome users for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for...
asterisk -- Exploitable Stack Buffer Overflow
The Asterisk Development Team reports: The releases of Asterisk 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.2, 1.8.1.2, and 1.8.2.1 resolve an issue when forming an outgoing SIP request while in pedantic mode, which can cause a stack buffer to be made to overflow if supplied with carefully...
tarsnap -- cryptographic nonce reuse
Colin Percival reports: In versions 1.0.22 through 1.0.27 of Tarsnap, the CTR nonce value is not incremented after each chunk is encrypted. The CTR counter is correctly incremented after each 16 bytes of data was processed, but this counter is reset to zero for each new chunk. Note that since the...
dokuwiki -- multiple privilege escalation vulnerabilities
Dokuwiki reports: This security update fixes problems in the XMLRPC interface where ACLs were not checked correctly sometimes, making it possible to access and write information that should not have been accessible/writable. This only affects users who have enabled the XMLRPC interface default i...
tor -- remote code execution and crash
The Tor Project reports: A remote heap overflow vulnerability that can allow remote code execution. Other fixes address a variety of assert and crash bugs, most of which we think are hard to exploit remotely. All Tor users should upgrade...
sudo -- local privilege escalation
Todd Miller reports: Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo's -g option run as group, if allowed by the sudoers file. A flaw exists in sudo's password checking logic that allows a user to run a command with only...
php -- multiple vulnerabilities
PHP developers report: Security Enhancements and Fixes in PHP 5.3.5: Fixed bug 53632 PHP hangs on numeric value 2.2250738585072011e-308. CVE-2010-4645 Security Enhancements and Fixes in PHP 5.2.17: Fixed bug 53632 PHP hangs on numeric value 2.2250738585072011e-308. CVE-2010-4645...
mediawiki -- Clickjacking vulnerabilities
Clickjacking vulnerabilities: Clickjacking is a type of vulnerability discovered in 2008, which is similar to CSRF. The attack involves displaying the target webpage in an iframe embedded in a malicious website. Using CSS, the submit button of the form on the target webpage is made invisible, and...
subversion -- multiple DoS
Entry for CVE-2010-4539 says: The walk function in repos.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.15, allows remote authenticated users to cause a denial of service NULL pointer dereference and daemon crash via vectors that trigger the...
webkit-gtk2 -- Multiple vulnerabilities
Gustavo Noronha Silva reports: The patches to fix the following CVEs are included with help from Huzaifa Sidhpurwala from the Red Hat security team...
redmine -- multiple vulnerabilities
Jean-Philippe Lang reports: This release also fixes 3 security issues reported by joernchen of Phenoelit: logged in users may be able to access private data affected versions: 1.0.x persistent XSS vulnerability in textile formatter affected versions: all previous releases remote command execution...
django -- multiple vulnerabilities
Django project reports: Today the Django team is issuing multiple releases -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- to remedy two security issues reported to us. All users of affected versions of Django are urged to upgrade immediately. Information leakage in Django administrative...
tor -- remote crash and potential remote code execution
The Tor Project reports: Remotely exploitable bug that could be used to crash instances of Tor remotely by overflowing on the heap. Remote-code execution hasn't been confirmed, but can't be ruled out. Everyone should upgrade...
Drupal Views plugin -- cross-site scripting
Drupal security team reports: The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. Under certain circumstances, Views could display parts of the page path without escaping, resulting in a reflected Cross Site Scripting XSS...
php-filter -- Denial of Service
The following DoS condition in filter extension was fixed in PHP 5.3.4 and PHP 5.2.15: Stack consumption vulnerability in the filter_var function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows remote attackers to cause a denial of service memory...
php-zip -- multiple Denial of Service vulnerabilities
The following DoS conditions in Zip extension were fixed in PHP 5.3.4 and PHP 5.2.15: Fixed crash in zip extract method possible CWE-170. The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers to cause a denial of service...
php-imap -- Denial of Service
The following DoS condition in IMAP extension was fixed in PHP 5.3.4 and PHP 5.2.15: A remote user can send specially crafted IMAP user name or password data to trigger a double free memory error in 'ext/imap/php_imap.c' and cause the target service to crash. It may be possible to execute arbitrar...
pecl-phar -- format string vulnerability
Entry for CVE-2010-2094 says: Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information memory contents and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the 1...
exim -- local privilege escalation
David Woodhouse reports: Secondly a privilege escalation where the trusted 'exim' user is able to tell Exim to use arbitrary config files, in which further $run ... commands will be invoked as root...
php -- NULL byte poisoning
PHP-specific version of NULL-byte poisoning was briefly described by ShAnKaR: Poison NULL byte vulnerability for perl CGI applications was described in 1. ShAnKaR noted, that same vulnerability also affects different PHP applications. PHP developers report that branch 5.3 received a fix: Paths wi...
php -- corruption of $GLOBALS and $this variables via extract() method
Off-by-one error in the sanity validator for the extract method allowed attackers to replace the values of $GLOBALS and $this when mode EXTR_OVERWRITE was used...
php -- open_basedir bypass
MITRE reports: fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2010-74 Miscellaneous memory safety hazards rv:1.9.2.13/ 1.9.1.16 MFSA 2010-75 Buffer overflow while line breaking after document.write with long string MFSA 2010-76 Chrome privilege escalation with window.open and isindex element MFSA 2010-77 Crash and remote co...
php5 -- Denial of Service in php_date_parse_tzfile()
MITRE CVE team reports: Memory leak in the timezone functionality in PHP before 5.3.9 allows remote attackers to cause a denial of service memory consumption by triggering many strtotime function calls, which are not properly handled by the php_date_parse_tzfile cache...
krb5 -- multiple checksum handling vulnerabilities
The MIT Kerberos team reports: MIT krb incorrectly accepts an unkeyed checksum with DES session keys for version 2 RFC 4121 of the GSS-API krb5 mechanism. An unauthenticated remote attacker can forge GSS tokens that are intended to be integrity-protected but unencrypted, if the targeted...
krb5 -- unkeyed PAC checksum handling vulnerability
The MIT Kerberos team reports: MIT krb5 incorrectly accepts an unkeyed checksum for PAC signatures. An authenticated remote attacker can forge PACs if using a KDC that does not filter client-provided PAC data. This can result in privilege escalation against a service that relies on PAC contents t...
krb5 -- client impersonation vulnerability
The MIT Kerberos team reports: MIT krb5 KDC may issue tickets not requested by a client, based on an attacker-chosen KrbFastArmoredReq. An authenticated remote attacker that controls a legitimate service principal could obtain a valid service ticket to itself containing valid KDC-generated...
krb5 -- RFC 3961 key-derivation checksum handling vulnerability
The MIT Kerberos team reports: MIT krb5 releases incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying AD-SIGNEDPATH and AD-KDC-ISSUED authorization data. An authenticated remote attacker that controls a legitimate service principal has a 1/256 chance of forging the...
krb5 -- multiple checksum handling vulnerabilities
The MIT Kerberos team reports: MIT krb5 clients incorrectly accept unkeyed checksums in the SAM-2 preauthentication challenge. An unauthenticated remote attacker could alter a SAM-2 challenge, affecting the prompt text seen by the user or the kind of response sent to the KDC. Under some...
phpMyAdmin -- XSS attack in database search
phpMyAdmin team reports: It was possible to conduct an XSS attack using a spoofed request on the db search script...
proftpd -- Compromised source packages backdoor
The ProFTPD Project team reports: The security issue is caused due to the distribution of compromised ProFTPD 1.3.3c source code packages via the project's main FTP server and all of the mirror servers, which contain a backdoor allowing remote root access...
OpenTTD -- Denial of service (server/client) via invalid read
The OpenTTD Team reports: When a client disconnects, without sending the "quit" or "client error" message, the server has a chance of reading and writing a just freed piece of memory. The writing can only happen while the server is sending the map. Depending on what happens directly after freeing...
wordpress -- SQL injection vulnerability
Vendor reports: SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field...
tomcat -- Cross-site scripting vulnerability
The Tomcat security team reports: The HTML Manager interface displayed web application provided data, such as display names, without filtering. A malicious web application could trigger script execution by an administrative user when viewing the manager pages...