isc-dhcp-server -- Empty link-address denial of service
ISC reports: If the server receives a DHCPv6 packet containing one or more Relay-Forward messages, and none of them supply an address in the Relay-Forward link-address field, then the server will crash. This can be used as a single packet crash attack vector...
proftpd -- remote code execution vulnerability
Tippingpoint reports: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ProFTPD. Authentication is not required to exploit this vulnerability. The flaw exists within the proftpd server component which listens by default on TCP port 21. When readin...
horde-base -- XSS: VCARD attachments vulnerability
The Horde team reports: The major changes compared to Horde version 3.3.10 are: Fixed XSS vulnerability when viewing details of a vCard...
mozilla -- Heap buffer overflow mixing document.write and DOM insertion
The Mozilla Project reports: MFSA 2010-73 Heap buffer overflow mixing document.write and DOM insertion...
YUI JavaScript library -- JavaScript injection exploits in Flash components
The YUI team reports: A security-related defect was introduced in the YUI 2 Flash component infrastructure beginning with the YUI 2.4.0 release. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files...
monotone -- remote denial of service in default setup
The monotone developers report: Running "mtn ''" or "mtn ls ''" doesn't cause an internal error anymore. In monotone 0.48 and earlier this behavior could be used to crash a server remotely but only if it was configured to allow execution of remote commands...
torcs -- untrusted local library loading
TORCS News reports: An insecure change to LD_LIBRARY_PATH allows loading of libraries in directories other than the standard paths. This can be a problem when downloading and installing untrusted content from the Internet...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: Fixed in 15.0.874.121: 103259 High CVE-2011-3900: Out-of-bounds write in v8. Credit to Christian Holler. Fixed in 15.0.874.120: 100465 High CVE-2011-3892: Double free in Theora decoder. Credit to Aki Helin of OUSPG. 100492 100543 Medium CVE-2011-3893: Out of bounds...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2010-64 Miscellaneous memory safety hazards rv:1.9.2.11/ 1.9.1.14 MFSA 2010-65 Buffer overflow and memory corruption using document.write MFSA 2010-66 Use-after-free error in nsBarProp MFSA 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter MFSA 2010-...
Axis2 -- Cross-site scripting (XSS) vulnerability
Apache Axis2 reports: Apache Axis2 1.7.3 is a security release that contains a fix for CVE-2010-3981. That security vulnerability affects the admin console that is part of the Axis2 Web application and was originally reported for SAP BusinessObjects which includes a version of Axis2. That report...
opera -- multiple vulnerabilities
The Opera Desktop Team reports: Fixed an issue that allowed cross-domain checks to be bypassed, allowing limited data theft using CSS, as reported by Isaac Dawson. Fixed an issue where manipulating the window could be used to spoof the page address. Fixed an issue with reloads and redirects that...
openssl -- TLS extension parsing race condition
OpenSSL Team reports: Rob Hulswit has found a flaw in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack. Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that...
apr -- multiple vulnerabilities
Secunia reports: Multiple vulnerabilities have been reported in APR-util, which can be exploited by malicious people to cause a DoS (Denial of Service). Two XML parsing vulnerabilities exist in the bundled version of expat. An error within the "apr_brigade_split_line" function in buckets/apr_brigade.c...
Webkit-gtk2 -- Multiple Vulnerabilities
Gustavo Noronha Silva reports: The patches to fix the following CVEs are included with help from Vincent Danen and other members of the Red Hat security team:...
phpmyfaq -- cross site scripting vulnerabilities
The phpMyFAQ project reports: The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 2.6.x: phpMyFAQ doesn't sanitize some variables in different pages correctly. With a properly crafted URL it is e.g. possible to inject JavaScript code into the output of a page,...
horde-imp -- XSS vulnerability
The Horde team reports: Thanks to Naumann IT Security Consulting for reporting the XSS vulnerability. The major changes compared to IMP version H3 4.3.7 are: Fixed an XSS vulnerability in the Fetchmail configuration...
linux-flashplugin -- multiple vulnerabilities
Adobe Product Security Incident Response Team reports: Critical vulnerabilities have been identified in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.95.1 for Android. These vulnerabilities, including CVE-2010-3654...
bzip2 -- integer overflow vulnerability
Secunia reports: A vulnerability has been reported in bzip2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerability is caused due to an integer overflow in the "BZ2_decompress" function in decompress.c and can be...
FreeBSD -- Integer overflow in bzip2 decompression
Problem Description: When decompressing data, the run-length encoded values are not adequately sanity-checked, allowing for an integer overflow...
Wireshark -- DoS in the BER-based dissectors
Secunia reports: A vulnerability has been discovered in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an infinite recursion error in the "dissect_unknown_ber" function in epan/dissectors/packet-ber.c and can be exploited t...
OTRS -- Multiple XSS and denial of service vulnerabilities
OTRS Security Advisory reports: Multiple Cross Site Scripting issues: Missing HTML quoting allows authenticated agents or customers to inject HTML tags. This vulnerability allows an attacker to inject script code into the OTRS web-interface which will be loaded and executed in the browsers of...
Mailman -- cross-site scripting in web interface
Secunia reports: Two vulnerabilities have been reported in Mailman, which can be exploited by malicious users to conduct script insertion attacks. Certain input passed via the list descriptions is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary...
linux-flashplugin -- remote code execution
Adobe Product Security Incident Response Team reports: A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 and earlier versio...
openx -- remote code execution vulnerability
The OpenX project reported: It has been brought to our attention that there is a vulnerability in the 2.8 downloadable version of OpenX that can result in a server running the downloaded version of OpenX being compromised. This vulnerability exists in the file upload functionality and allows...
django -- cross-site scripting vulnerability
Django project reports: The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped,...
sudo -- Flaw in Runas group matching
Todd Miller reports: Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via the sudo -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This...
webkit-gtk2 -- Multiple vulnerabilities
Gustavo Noronha Silva reports: With help from Vincent Danen and other members of the Red Hat security team, the following CVEs were fixed...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2010-49 Miscellaneous memory safety hazards rv:1.9.2.9/ 1.9.1.12 MFSA 2010-50 Frameset integer overflow vulnerability MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array MFSA 2010-52 Windows XP DLL loading vulnerability MFSA 2010-53 Heap buffer...
squid -- Denial of service vulnerability in request handling
Squid security advisory 2010:3 reports: Due to an internal error in string handling Squid is vulnerable to a denial of service attack when processing specially crafted requests. This problem allows any trusted client to perform a denial of service attack on the Squid service...
quagga -- stack overflow and DoS vulnerabilities
The Red Hat security team reported two vulnerabilities: A stack buffer overflow flaw was found in the way Quagga's bgpd daemon processed Route-Refresh messages. A configured Border Gateway Protocol (BGP) peer could send a Route-Refresh message with specially-crafted Outbound Route Filtering (ORF)...
horde-gollem -- XSS vulnerability
The Horde team reports: The major changes compared to Gollem version H3 1.1.1 are: Fixed an XSS vulnerability in the file viewer...
corkscrew -- buffer overflow vulnerability
The affected corkscrew versions use sscanf calls without proper bounds checking. In the authentication file parsing routine this can cause an exploitable buffer overflow condition. A similar issue exists in the server response code but appears to be non-exploitable...
ruby -- UTF-7 encoding XSS vulnerability in WEBrick
The official ruby site reports: WEBrick has had a cross-site scripting vulnerability that allows an attacker to inject arbitrary script or HTML via a crafted URI. This does not affect user agents that strictly implement HTTP/1.1, however, some user agents do not...
opera -- multiple vulnerabilities
The Opera Desktop Team reports: Fixed an issue where heap buffer overflow in HTML5 canvas could be used to execute arbitrary code, as reported by Kuzzcc. Fixed an issue where unexpected changes in tab focus could be used to run programs from the Internet, as reported by Jakob Balle and Sven Krewi...
phpmyadmin -- Several XSS vulnerabilities
phpMyAdmin Team reports: It was possible to conduct a XSS attack using crafted URLs or POST parameters on several pages...
bugzilla -- information disclosure, denial of service
A Bugzilla Security Advisory reports: Remote Information Disclosure: An unprivileged user is normally not allowed to view other users' group membership. But boolean charts let the user use group-based pronouns, indirectly disclosing group membership. This security fix restricts the use of pronoun...
openoffice.org -- Multiple vulnerabilities
OpenOffice.org Security Team reports: Fixed in OpenOffice.org 3.3 CVE-2010-2935 / CVE-2010-2936: Security Vulnerability in OpenOffice.org related to PowerPoint document processing CVE-2010-3450: Security Vulnerability in OpenOffice.org related to Extensions and filter package files CVE-2010-3451 ...
rssh -- configuration restrictions bypass
Derek Martin (rssh maintainer) reports: John Barber reported a problem where, if the system administrator misconfigures rssh by providing too few access bits in the configuration file, the user will be given default permissions (scp to the entire system), potentially circumventing any configured...
isolate -- local root exploit
Isolate currently suffers from some bad security bugs! These are local root privilege escalation bugs. Thanks to the helpful person who reported them (email Chris if you want credit!). We're working to fix them ASAP, but until then, isolate is unsafe and you should uninstall it. Sorry!...
vlc -- invalid id3v2 tags may lead to invalid memory dereferencing
VideoLAN project reports: VLC fails to perform sufficient input validation when trying to extract some meta-information about input media through ID3v2 tags. In the failure case, VLC attempts to dereference an invalid memory address, and a crash will ensue...
Piwik -- Local File Inclusion Vulnerability
Piwik versions 0.6 through 0.6.3 are vulnerable to arbitrary, remote file inclusion using a directory traversal pattern in a crafted request for a data renderer. A vulnerability has been reported in Piwik, which can be exploited by malicious people to disclose potentially sensitive...
libmspack -- infinite loop denial of service
There is a denial of service vulnerability in libmspack. The libmspack code is built into cabextract, so it is also vulnerable. Secunia reports: The vulnerability is caused due to an error when copying data from an uncompressed block (block type 0) and can be exploited to trigger an infinite loop b...
apache -- Remote DoS bug in mod_cache and mod_dav
Apache ChangeLog reports: mod_dav, mod_cache: Fix handling of requests without a path segment...
git -- buffer overflow vulnerability
Greg Brockman reports: If an attacker were to create a crafted working copy where the user runs any git command, the attacker could force execution of arbitrary code...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2010-34 Miscellaneous memory safety hazards rv:1.9.2.7/ 1.9.1.11 MFSA 2010-35 DOM attribute cloning remote code execution vulnerability MFSA 2010-36 Use-after-free error in NodeIterator MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code executi...
firefox -- Dangling pointer crash regression from plugin parameter array fix
The Mozilla Project reports: MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix...
webkit-gtk2 -- Multiple vulnerabilities
Gustavo Noronha reports: Debian's Michael Gilbert has done a great job going through all CVEs released about WebKit, and including patches in the Debian package. 1.2.3 includes all of the commits from trunk to fix those, too...
vte -- Classic terminal title set+query attack
Kees Cook reports: Janne Snabb discovered that applications using VTE, such as gnome-terminal, did not correctly filter window and icon title request escape codes. If a user were tricked into viewing specially crafted output in their terminal, a remote attacker could execute arbitrary commands wi...
FreeBSD -- Lost mbuf flag resulting in data corruption
Problem Description: The read-only flag is not correctly copied when a mbuf buffer reference is duplicated. When the sendfile(2) system call is used to transmit data over the loopback interface, this can result in the backing pages for the transmitted file being modified, causing data corruption...
codeigniter -- file upload class vulnerability
Derek Jones reports: A fix has been implemented for a security flaw in CodeIgniter 1.7.2. All applications using the File Upload class should install the patch to ensure that their application is not subject to a vulnerability...