6526 matches found
dovecot -- Insecure directory permissions
Dovecot author reports: Dovecot v1.2.x had been creating basedir and its parents if necessary with 0777 permissions. The basedir's permissions get changed to 0755 automatically at startup, but you may need to chmod the parent directories manually...
postgresql -- multiple vulnerabilities
PostgreSQL project reports: PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which 1...
bugzilla -- information leak
A Bugzilla Security Advisory reports: When a bug is in a group, none of its information other than its status and resolution should be visible to users outside that group. It was discovered that as of 3.3.2, Bugzilla was showing the alias of the bug a very short string used as a shortcut for...
PEAR -- Net_Ping and Net_Traceroute remote arbitrary command injection
PEAR Security Advisory reports: Multiple remote arbitrary command injections have been found in Net_Ping and Net_Traceroute. When input from forms is used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections...
wordpress -- multiple vulnerabilities
Secunia reports: The security issue is caused due to the wp_check_filetype function in /wp-includes/functions.php improperly validating uploaded files. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions. Successful exploitation of this...
KDE -- multiple vulnerabilities
oCERT reports: Ark input sanitization errors: The KDE archiving tool, Ark, performs insufficient validation which leads to specially crafted archive files, using unknown MIME types, to be rendered using a KHTML instance, this can trigger uncontrolled XMLHTTPRequests to remote sites. IO Slaves inp...
opera -- multiple vulnerabilities
Opera Team Reports: Fixed an issue where certain domain names could allow execution of arbitrary code, as reported by Chris Weber of Casaba Security. Fixed an issue where scripts can run on the feed subscription page, as reported by Inferno...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: MFSA 2009-64: Crashes with evidence of memory corruption (rv:1.9.1.4/1.9.0.15); MFSA 2009-63: Upgrade media libraries to fix memory safety bugs; MFSA 2009-62: Download filename spoofing with RTL override; MFSA 2009-61: Cross-origin data theft through document.getSelection(); MFSA...
p5-HTML-Parser -- denial of service
CVE reports: The decode_entities function in util.c in HTML-Parser before 3.63 allows context-dependent attackers to cause a denial of service (infinite loop) via an incomplete SGML numeric character reference, which triggers generation of an invalid UTF-8 character...
typo3 -- multiple vulnerabilities in TYPO3 Core
TYPO3 develop team reports: Affected versions: TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below, 4.3.0beta1 and below. SQL injection, Cross-site scripting (XSS), Information disclosure, Frame hijacking, Remote shell command execution and Insecure Install Tool authentication/sessio...
gd -- '_gdGetColors' remote buffer overflow vulnerability
CVE reports: The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different...
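The bug class behind this entry is a count read from the file and then used to index fixed-size palette arrays without being compared against the array bound. The code below is an added example written for this page, not gd's or PHP's own code: the palette struct mirrors the colorsTotal/red/green/blue members and the gdMaxColors limit of 256 from gd.h, but the on-disk header layout it parses is constructed for the example and is not the real .gd format, and demo_load is a helper invented here to exercise the checked loader.

```c
#include <stddef.h>
#include <stdio.h>

#define gdMaxColors 256   /* gd's palette arrays are this size (gd.h) */

/* Mirrors the palette members of gd's image struct. */
struct palette {
    int colorsTotal;
    int red[gdMaxColors], green[gdMaxColors], blue[gdMaxColors];
};

/* Constructed layout for this example (not the real .gd format):
 * 2-byte big-endian colorsTotal, then colorsTotal triples of R, G, B bytes. */
static int read_u16be(const unsigned char *p) { return (p[0] << 8) | p[1]; }

/* Vulnerable shape: the count is checked only against the input length, then
 * used as an index into the 256-entry arrays. A header claiming 300 colours
 * writes 44 entries past the end of each array; any later loop bounded by
 * colorsTotal reads past them as well (the over-read). Never call this on
 * untrusted data; it is here to show the missing check. */
int load_palette_unchecked(struct palette *pal, const unsigned char *buf, size_t len)
{
    if (len < 2)
        return -1;
    pal->colorsTotal = read_u16be(buf);
    if (len < 2 + 3 * (size_t)pal->colorsTotal)
        return -1;
    for (int i = 0; i < pal->colorsTotal; i++) {
        pal->red[i]   = buf[2 + 3 * i];
        pal->green[i] = buf[3 + 3 * i];
        pal->blue[i]  = buf[4 + 3 * i];
    }
    return 0;
}

/* Fixed shape: reject the count before it touches any array. */
int load_palette_checked(struct palette *pal, const unsigned char *buf, size_t len)
{
    if (len < 2)
        return -1;
    int n = read_u16be(buf);
    if (n < 1 || n > gdMaxColors)
        return -1;                          /* the check that was missing */
    if (len < 2 + 3 * (size_t)n)
        return -1;
    pal->colorsTotal = n;
    for (int i = 0; i < n; i++) {
        pal->red[i]   = buf[2 + 3 * i];
        pal->green[i] = buf[3 + 3 * i];
        pal->blue[i]  = buf[4 + 3 * i];
    }
    return 0;
}

/* Demo helper: build a sample file claiming `colorsTotal` entries, entry i being
 * (i, 2i, 3i) mod 256, run the checked loader, and return the last green value,
 * or -1 if the loader rejected the file. colorsTotal must be 0..65535. */
int demo_load(int colorsTotal)
{
    static unsigned char buf[2 + 3 * 65535];
    struct palette pal;
    size_t len = 2 + 3 * (size_t)colorsTotal;

    buf[0] = (colorsTotal >> 8) & 0xff;
    buf[1] = colorsTotal & 0xff;
    for (int i = 0; i < colorsTotal; i++) {
        buf[2 + 3 * i] = i & 0xff;
        buf[3 + 3 * i] = (2 * i) & 0xff;
        buf[4 + 3 * i] = (3 * i) & 0xff;
    }
    if (load_palette_checked(&pal, buf, len) != 0)
        return -1;
    return pal.green[pal.colorsTotal - 1];
}

int main(void)
{
    printf("3 colours   -> last green %d\n", demo_load(3));    /* 4 */
    printf("256 colours -> last green %d\n", demo_load(256));  /* 254 */
    printf("300 colours -> %d (rejected)\n", demo_load(300));  /* -1 */
    return 0;
}
```

The point is the order of the checks: the count must be compared with the size of the destination arrays before it is used as a loop bound, not merely with the amount of input available.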
Enhanced cTorrent -- stack-based overflow
Securityfocus reports: cTorrent and dTorrent are prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Successful exploits allow remote attackers to execute arbitrary...
squidGuard -- multiple vulnerabilities
SquidGuard website reports: Patch 20091015 fixes one buffer overflow problem in sgLog.c when overlong URLs are requested. SquidGuard will then go into emergency mode where no blocking occurs. This is not required in this situation. Patch 20091019 fixes two bypass problems with URLs whose length is...
Xpdf -- Multiple Vulnerabilities
SecurityFocus reports: Some vulnerabilities have been reported in Xpdf, which can be exploited by malicious people to potentially compromise a user's system. 1) Multiple integer overflows in "SplashBitmap::SplashBitmap" can be exploited to cause heap-based buffer overflows. 2) An integer overflow...
phpmyadmin -- XSS and SQL injection vulnerabilities
phpMyAdmin Team reports: Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name. SQL injection vulnerability allows remote attackers to inject SQL via various interface parameters of the PDF schema generator feature...
django -- denial-of-service attack
Django project reports: Django's forms library includes field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in these regular expressions, resulting in the server process/thread becoming...
virtualbox -- privilege escalation
Sun reports: A security vulnerability in the VBoxNetAdpCtl configuration tool for certain Sun VirtualBox 3.0 packages may allow local unprivileged users who are authorized to run VirtualBox to execute arbitrary commands with root privileges...
expat2 -- buffer over-read and crash
CVE reports: The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related t...
FreeBSD -- Devfs / VFS NULL pointer race condition
Problem Description: Due to the interaction between devfs and VFS, a race condition exists where the kernel might dereference a NULL pointer. Impact: Successful exploitation of the race condition can lead to local kernel privilege escalation, kernel data corruption and/or crash. To exploit this...
FreeBSD -- kqueue pipe race conditions
Problem Description: A race condition exists in the pipe close code relating to kqueues, causing use-after-free for kernel memory, which may lead to an exploitable NULL pointer vulnerability in the kernel, kernel memory corruption, and other unpredictable results. Impact: Successful exploitation o...
mybb -- multiple vulnerabilities
mybb team reports: Input passed via avatar extensions is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by uploading specially named avatars. The script allows to sign up with usernames containing zero width space characters, which can be...
fwbuilder -- security issue in temporary file handling
Firewall Builder release notes reports: Vadim Kurland reports: Fwbuilder and libfwbuilder 3.0.4 through to 3.0.6 generate iptables scripts with a security issue when also used to generate static routing configurations...
drupal -- multiple vulnerabilities
Drupal Team reports: The core OpenID module does not correctly implement Form API for the form that allows one to link user accounts with OpenID identifiers. A malicious user is therefore able to use cross site request forgeries to add attacker controlled OpenID identities to existing accounts...
php5 -- Multiple security issues
Vendor reports: Security Enhancements and Fixes in PHP 5.2.11: Fixed certificate validation inside php_openssl_apply_verification_policy. Fixed sanity check for the color index in imagecolortransparent. Added missing sanity checks around exif processing. Fixed bug #44683 popen crashes when an invalid...
fuser -- missing user's privileges check
Denis Barov reports: sysutils/fuser allows a user to send any signal to any process when installed with the suid bit...
vlc -- stack overflow in MPA, AVI and ASF demuxer
VideoLAN reports: When parsing a MP4, ASF or AVI file with an overly deep box structure, a stack overflow might occur. It would overwrite the return address and thus redirect the execution flow. If successful, a malicious third party could trigger execution of arbitrary code within the context of...
nginx -- remote denial of service vulnerability
nginx development team reports: A segmentation fault might occur in a worker process while handling a specially crafted request...
bugzilla -- two SQL injections, sensitive data exposure
A Bugzilla Security Advisory reports: It is possible to inject raw SQL into the Bugzilla database via the "Bug.create" and "Bug.search" WebService functions. When a user would change his password, his new password would be exposed in the URL field of the browser if he logged in right after changi...
mozilla firefox -- multiple vulnerabilities
Mozilla Foundation reports: MFSA 2009-51: Chrome privilege escalation with FeedWriter; MFSA 2009-50: Location bar spoofing via tall line-height Unicode characters; MFSA 2009-49: TreeColumns dangling pointer vulnerability; MFSA 2009-48: Insufficient warning for PKCS11 module installation and removal; MFSA...
freeradius -- remote packet of death vulnerability
freeRADIUS Vulnerability Notifications reports: 2009.09.09 v1.1.7 - Anyone who can send packets to the server can crash it by sending a Tunnel-Password attribute in an Access-Request packet. This vulnerability is not otherwise exploitable. We have released 1.1.8 to correct this vulnerability. Thi...
xapian-omega -- cross-site scripting vulnerability
Olly Betts reports: There's a cross-site scripting issue in Omega - exception messages don't currently get HTML entities escaped, but can contain CGI parameter values in some cases...
cyrus-imapd -- Potential buffer overflow in Sieve
The Cyrus IMAP Server ChangeLog states: Fixed CERT VU#336053 - Potential buffer overflow in Sieve...
opera -- multiple vulnerabilities
Opera Team Reports: Issue where sites using revoked intermediate certificates might be shown as secure. Issue where the collapsed address bar didn't show the current domain. Issue where pages could trick users into uploading files. Some IDNA characters not correctly displaying in the address bar. Iss...
dnsmasq -- TFTP server remote code injection vulnerability
Simon Kelley reports: Fix security problem which allowed any host permitted to do TFTP to possibly compromise dnsmasq by remote buffer overflow when TFTP enabled. Fix a problem which allowed a malicious TFTP client to crash dnsmasq...
ikiwiki -- insufficient blacklisting in teximg plugin
The IkiWiki development team reports: IkiWiki's teximg plugin's blacklisting of insecure TeX commands is insufficient; it can be bypassed and used to read arbitrary files...
pidgin -- MSN overflow parsing SLP messages
Secunia reports: A vulnerability has been reported in Pidgin, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in the "msn_slplink_process_msg" function when processing MSN SLP messages and can be exploited to corrupt...
GnuTLS -- improper SSL certificate verification
GnuTLS reports: By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS into (1) not printing the entire CN/SAN field value when printing a certificate and (2) cause incorrect positive matches when matching a hostname against a certificate...
wordpress -- remote admin password reset vulnerability
WordPress reports: A specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new passwor...
OpenLDAP -- incorrect handling of NULL in certificate Common Name
Jan Lieskovsky reports: OpenLDAP does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authori...
silc-toolkit -- Format string vulnerabilities
SILC Changelog reports: An unspecified format string vulnerability exists in silc-toolkit...
subversion -- heap overflow vulnerability
A Subversion Security Advisory reports: Subversion clients and servers have multiple heap overflow issues in the parsing of binary deltas. This is related to an allocation vulnerability in the APR library used by Subversion. Clients with commit access to a vulnerable server can cause a remote hea...
fetchmail -- improper SSL certificate subject verification
Matthias Andree reports: Moxie Marlinspike demonstrated in July 2009 that some CAs would sign certificates that contain embedded NUL characters in the Common Name or subjectAltName fields of ITU-T X.509 certificates. Applications that would treat such X.509 strings as NUL-terminated C strings...
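The PostgreSQL, GnuTLS, OpenLDAP and fetchmail entries above are all the same bug: a DER-encoded name field carries an explicit length and may contain NUL, but the code compared it as a NUL-terminated C string, so "www.example.com\0.attacker.test" (a constructed sample; attacker.test is a hypothetical name) matches the hostname www.example.com, and a "%s" printer shows only the part before the NUL. The program below is an added example written for this page, not code from any of those projects; the x509_string type, the sample CNs and the helper names are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A name component as a DER decoder hands it over: explicit length, and the
 * bytes may contain anything, including NUL. */
struct x509_string {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample: the CN a CA might have issued after checking that the
 * requester controls attacker.test (hypothetical name). Declared length is 30;
 * the NUL at offset 15 is just another byte of the field. */
static const unsigned char EVIL_CN_BYTES[] = "www.example.com\0.attacker.test";
const struct x509_string EVIL_CN = { EVIL_CN_BYTES, sizeof EVIL_CN_BYTES - 1 };

static const unsigned char GOOD_CN_BYTES[] = "www.example.com";
const struct x509_string GOOD_CN = { GOOD_CN_BYTES, sizeof GOOD_CN_BYTES - 1 };

/* Vulnerable pattern: treat the field as a C string. Everything after the
 * first NUL vanishes, so the evil CN compares equal to the good one. */
int hostname_matches_cn_naive(const char *hostname, const struct x509_string *cn)
{
    return strcmp(hostname, (const char *)cn->data) == 0;
}

/* How many bytes a "%s"-style printer would show: the "not printing the
 * entire CN/SAN field" symptom from the GnuTLS entry. */
size_t visible_len_naive(const struct x509_string *cn)
{
    size_t i = 0;
    while (i < cn->len && cn->data[i] != '\0')
        i++;
    return i;
}

/* Fixed pattern: use the declared length, refuse embedded NUL outright,
 * compare case-insensitively (DNS names), and require the whole field to match. */
int hostname_matches_cn_safe(const char *hostname, const struct x509_string *cn)
{
    size_t hlen = strlen(hostname);
    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                       /* malformed field: never a match */
    if (cn->len != hlen)
        return 0;
    for (size_t i = 0; i < hlen; i++)
        if (tolower((unsigned char)hostname[i]) != tolower(cn->data[i]))
            return 0;
    return 1;
}

/* Print the field with NUL and other non-printable bytes escaped, so a log
 * line shows the attack instead of hiding it. */
void print_cn_escaped(const struct x509_string *cn)
{
    for (size_t i = 0; i < cn->len; i++) {
        unsigned char c = cn->data[i];
        if (c >= 0x20 && c < 0x7f && c != '\\')
            putchar(c);
        else
            printf("\\x%02x", c);
    }
    putchar('\n');
}

int main(void)
{
    const char *host = "www.example.com";
    printf("naive match: %d  safe match: %d  visible with %%s: %zu of %zu bytes\n",
           hostname_matches_cn_naive(host, &EVIL_CN),
           hostname_matches_cn_safe(host, &EVIL_CN),
           visible_len_naive(&EVIL_CN), EVIL_CN.len);
    printf("field as logged safely: ");
    print_cn_escaped(&EVIL_CN);
    return 0;
}
```

The naive comparison also relies on the decoder having left a terminating NUL after the field, which a length-prefixed DER buffer does not promise; the safe version never reads past cn->len. The same length-aware treatment applies to subjectAltName dNSName entries, and a wildcard matcher needs it as well.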
libxml -- Stack consumption vulnerability
Stack consumption vulnerability allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD...
libxml -- Multiple use-after-free vulnerabilities
Multiple use-after-free vulnerabilities in libxml 1.8.17 that allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file...
mozilla -- multiple vulnerabilities
Mozilla Project reports: MFSA 2009-38: Data corruption with SOCKS5 reply containing DNS name longer than 15 characters; MFSA 2009-42: Compromise of SSL-protected communication; MFSA 2009-43: Heap overflow in certificate regexp parsing; MFSA 2009-44: Location bar and SSL indicator spoofing via...
silc-client -- Format string vulnerability
SILC changelog reports: An unspecified format string vulnerability exists in silc-client...
SquirrelMail -- Plug-ins compromise
Problem Description: The SquirrelMail Web Server has been compromised, and three plugins are affected. The port of squirrelmail-sasql-plugin is safe (right MD5), and changepass is not in the FreeBSD ports tree, but multilogin has a wrong MD5...
bugzilla -- product name information leak
A Bugzilla Security Advisory reports: Normally, users are only supposed to see products that they can file bugs against in the "Product" drop-down on the bug-editing page. Instead, users were being shown all products, even those that they normally could not see. Any user who could edit any bug...
apache22 -- several vulnerabilities
Apache ChangeLog reports: CVE-2009-1891: Fix a potential Denial-of-Service attack against mod_deflate or other modules. CVE-2009-1195: Prevent the "Includes" Option from being enabled in an .htaccess file if the AllowOverride restrictions do not permit it. CVE-2009-1890: Fix a potential...
BIND -- Dynamic update message remote DoS
Problem Description: When named(8) receives a specially crafted dynamic update message an internal assertion check is triggered which causes named(8) to exit. To trigger the problem, the dynamic update message must contain a record of type "ANY" and at least one resource record set (RRset) for this...