redmine -- multiple vulnerabilities
Eric Davis reports: This security release addresses some security vulnerabilities found in the advanced subversion integration module (Redmine.pm perl script)...
bogofilter -- heap underrun on malformed base64 input
Julius Plenz reports: I found a bug in the base64decode function which may cause memory corruption when the function is executed on a malformed base64 encoded string. If a string starting with an equal-sign is passed to the base64decode function, it triggers a memory corruption that in some cases...
OpenTTD -- Denial of service (server) via infinite loop
The OpenTTD Team reports: When multiple commands are queued at the server for execution in the next game tick and a client joins, the server can get into an infinite loop. With the default settings triggering this bug is difficult if not impossible, however the larger value of the "framefreq"...
bugzilla -- information disclosure
A Bugzilla Security Advisory reports: Normally, information about time-tracking estimated hours, actual hours, hours worked, and deadlines is restricted to users in the "time-tracking group". However, any user was able, by crafting their own search URL, to search for bugs based on those fields...
mozilla -- multiple vulnerabilities
Mozilla Project reports: MFSA 2010-33 User tracking across sites using Math.random; MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present; MFSA 2010-31 focus behavior can be used to inject or steal keystrokes; MFSA 2010-30 Integer Overflow in XSLT Node Sorting...
opera -- Data URIs can be used to allow cross-site scripting
The Opera Desktop Team reports: Data URIs are allowed to run scripts that manipulate pages from the site that directly opened them. In some cases, the opening site is not correctly detected. In these cases, Data URIs may erroneously be able to run scripts so that they interact with sites that did...
ziproxy -- security vulnerability in PNG decoder
Daniel Mealha Cabrita reports: Fixed security vulnerability (heap-related) in PNG decoder (new bug from 3.1.0)...
lftp -- multiple HTTP client download filename vulnerability
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted...
wget -- multiple HTTP client download filename vulnerability
GNU Wget version 1.12 and earlier uses a server-provided filename instead of the original URL to determine the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect to a...
p5-libwww -- possibility for remote servers to create files with a '.' (dot) character
lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a '.' (dot) character, which allows remote servers to create or overwrite files via a 3xx redirect to a URL with a crafted filename or a Content-Disposition header that suggests a crafted filename, and...
moodle -- multiple vulnerabilities
The Moodle release notes report multiple vulnerabilities which could allow cross site scripting (XSS) attacks, unauthorised deletion of attempts in some instances...
horde-base -- XSS and CSRF vulnerabilities
The Horde team reports: Thanks to Naumann IT Security Consulting for reporting the XSS vulnerability. Thanks to Secunia for releasing an advisory for the new CSRF protection in the preference interface. The major changes compared to Horde version 3.3.8 are: Fixed XSS vulnerability in...
sudo -- Secure path vulnerability
Todd Miller reports: Most versions of the C library function getenv return the first instance of an environment variable to the caller. However, some programs, notably the GNU Bourne Again SHell (bash), do their own environment parsing and may choose the last instance of a variable rather than the...
mediawiki -- two security vulnerabilities
Two security vulnerabilities were discovered: Noncompliant CSS parsing behaviour in Internet Explorer allows attackers to construct CSS strings which are treated as safe by previous versions of MediaWiki, but are decoded to unsafe strings by Internet Explorer. A CSRF vulnerability was discovered ...
FreeBSD -- Insufficient environment sanitization in jail(8)
Problem Description: The jail(8) utility does not change the current working directory while imprisoning. The current working directory can be accessed by its descendants...
FreeBSD -- Unvalidated input in nfsclient
Problem Description: The NFS client subsystem fails to correctly validate the length of a parameter provided by the user when a filesystem is mounted...
FreeBSD -- OPIE off-by-one stack overflow
Problem Description: A programming error in the OPIE library could allow an off-by-one buffer overflow to write a single zero byte beyond the end of an on-stack buffer...
mDNSResponder -- corrupted stack crash when parsing bad resolv.conf
Juli Mallett reports: mdnsd will crash on some systems with a corrupt stack and once that's fixed it will still leak a file descriptor when parsing resolv.conf. The crash is because scanf is used with %10s for a buffer that is only 10 chars long. The buffer size needs to be increased to 11 chars to hol...
cacti -- multiple vulnerabilities
Multiple vulnerabilities have been reported to exist in older versions of Cacti. The release notes of Cacti 0.8.7f summarize the problems as follows: SQL injection and shell escaping issues; cross-site scripting issues; Cacti Graph Viewer SQL injection vulnerability...
ziproxy -- atypical huge picture files vulnerability
Ziproxy 3.0.1 release fixes a security vulnerability related to atypical huge picture files (4GB of size once expanded)...
tinyproxy -- ACL lists ineffective when range is configured
When including a line to allow a network of IP addresses, the access to tinyproxy 56 is actually allowed for all IP addresses...
kvirc -- multiple vulnerabilities
Two security vulnerabilities have been discovered: Multiple format string vulnerabilities in the DCC functionality in KVIrc 3.4 and 4.0 have unspecified impact and remote attack vectors. Directory traversal vulnerability in the DCC functionality in KVIrc 3.4 and 4.0 allows remote attackers to...
slim -- insecure PATH assignment
SLiM assigns logged on users a PATH in which the current working directory "./" is included. This PATH can allow unintentional code execution through planted binaries and has therefore been fixed in SLiM version 1.3.2...
wireshark -- DOCSIS dissector denial of service
A vulnerability found in the DOCSIS dissector can cause Wireshark to crash when a malformed packet trace file is opened. This means that an attacker will have to trick a victim into opening such a trace file before being able to crash the application...
awstats -- arbitrary commands execution vulnerability
Awstats change log reports: Security fix: Traverse directory of LoadPlugin. Security fix: Limit config to defined directory to avoid access to external config file via a nfs or webdav link...
redmine -- multiple vulnerabilities
The Redmine release announcement reports that several cross site scripting vulnerabilities and a potential data disclosure vulnerability have been fixed in the latest release...
quagga -- two DoS vulnerabilities
Quagga developers report: Quagga 0.99.18 has been released. This release fixes 2 denial of service issues in bgpd, which can be remotely triggered by malformed AS-Pathlimit or Extended-Community attributes. These issues have been assigned CVE-2010-1674 and CVE-2010-1675. Support for AS-Pathlimit has be...
joomla -- multiple vulnerabilities
Joomla! reported the following vulnerabilities: If a user entered a URL with a negative query limit or offset, a PHP notice would display revealing information about the system. The migration script in the Joomla! installer does not check the file type being uploaded. If the installation...
tomcat -- information disclosure vulnerability
The Apache software foundation reports: The "WWW-Authenticate" header for BASIC and DIGEST authentication includes a realm name. If a realm-name element is specified for the application in web.xml it will be used. However, if one is not specified then Tomcat will generate one. In some circumstances this can expo...
cacti -- SQL injection and command execution vulnerabilities
Bonsai information security reports: A vulnerability has been discovered in Cacti, which can be exploited by any user to conduct SQL Injection attacks. Input passed via the "exportitemid" parameter to "templatesexport.php" script is not properly sanitized before being used in a SQL query. The sam...
krb5 -- KDC double free vulnerability
The MIT Kerberos team reports: An authenticated remote attacker can crash the KDC by inducing the KDC to perform a double free. Under some circumstances on some platforms, this could also allow malicious code execution...
vlc -- unintended code execution with specially crafted data
VideoLAN project reports: VLC media player suffers from various vulnerabilities when attempting to parse malformatted or overly long byte streams...
fetchmail -- denial of service vulnerability
Fetchmail developer Matthias Andree reported a vulnerability that allows remote attackers to crash the application when it runs in verbose mode. Fetchmail before release 6.3.17 did not properly sanitize external input (mail headers and UID). When a multi-character locale such as UTF-8 was in use...
irssi -- multiple vulnerabilities
Two vulnerabilities have been found in irssi. The first issue could allow man-in-the-middle attacks due to a missing comparison of SSL server hostnames and the certificate domain names (e.g. CN). A second vulnerability, related to the nick matching code, could be triggered by remote attackers in order t...
tiff -- buffer overflow vulnerability
Kevin Finisterre reports: Multiple integer overflows in the handling of TIFF files may result in a heap buffer overflow. Opening a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution. The issues are addressed through improved bounds checking...
e107 -- code execution and XSS vulnerabilities
Secunia Research reported two vulnerabilities in e107: The first problem affects installations that have the Content Manager plugin enabled. This plugin does not sanitize the "contentheading" parameter correctly and is therefore vulnerable to a cross site scripting attack. The second vulnerabilit...
piwik -- cross site scripting vulnerability
The Piwik security advisory reports: A non-persistent, cross-site scripting vulnerability (XSS) was found in Piwik's Login form that reflected the formurl parameter without being properly escaped or filtered...
KDM -- local privilege escalation vulnerability
KDE Security Advisory reports: KDM contains a race condition that allows local attackers to make arbitrary files on the system world-writeable. This can happen while KDM tries to create its control socket during user login. A local attacker with a valid local account can under certain circumstanc...
sudo -- Privilege escalation with sudoedit
Todd Miller reports: Sudo's command matching routine expects actual commands to include one or more slash '/' characters. The flaw is that sudo's path resolution code did not add a "./" prefix to commands found in the current working directory. This creates an ambiguity between a "sudoedit" comma...
mediawiki -- authenticated CSRF vulnerability
A MediaWiki security announcement reports: MediaWiki was found to be vulnerable to login CSRF. An attacker who controls a user account on the target wiki can force the victim to log in as the attacker, via a script on an external website. If the wiki is configured to allow user scripts, say with...
krb5 -- remote denial of service vulnerability
An authenticated remote attacker can cause a denial of service by using a newer version of the kadmin protocol than the server supports. The MIT Kerberos team also reports the cause: The Kerberos administration daemon kadmind can crash due to referencing freed memory...
mahara -- sql injection vulnerability
The Debian security team reports: It was discovered that mahara, an electronic portfolio, weblog, and resume builder, is not properly escaping input when generating a unique username based on a remote user name from a single sign-on application. An attacker can use this to compromise the mahara...
MoinMoin -- cross-site scripting vulnerabilities
The MoinMoin developers report: Fix XSS in Despam action (CVE-2010-0828). Fix XSS issues by escaping template name in messages and by fixing other places that had similar issues...
Zend Framework -- security issues in bundled Dojo library
The Zend Framework team reports: Several files in the bundled Dojo library were identified as having potential exploits, and the Dojo team also advised disabling or removing any PHP scripts in the Dojo library tree when deploying to production...
firefox -- Re-use of freed object due to scope confusion
Mozilla Project reports: MFSA 2009-25 Re-use of freed object due to scope confusion...
png -- libpng decompression buffer overflow
The PNG project describes the problem in an advisory: Several versions of libpng through 1.4.2 (and through 1.2.43 in the older series) contain a bug whereby progressive applications (such as web browsers or the rpng2 demo app included in libpng) could receive an extra row of image data beyond the...
mozilla -- multiple vulnerabilities
Mozilla Project reports: MFSA 2010-24 XMLDocument::load doesn't check nsIContentPolicy; MFSA 2010-23 Image src redirect to mailto: URL opens email editor; MFSA 2010-22 Update NSS to support TLS renegotiation indication; MFSA 2010-21 Arbitrary code execution with Firebug XMLHttpRequestSpy; MFSA 2010-2...
moodle -- multiple vulnerabilities
The Moodle release notes report multiple vulnerabilities which could allow remote attackers to perform, amongst others, cross site scripting, user enumeration and SQL injection attacks...
gtar -- buffer overflow in rmt client
Jakob Lell reports: The rmt client implementation of GNU Tar/Cpio contains a heap-based buffer overflow which possibly allows arbitrary code execution. The problem can be exploited when using an untrusted/compromised rmt server...
firefox -- WOFF heap corruption due to integer overflow
Mozilla Project reports: MFSA 2010-08 WOFF heap corruption due to integer overflow...