cups -- potential buffer overflow in PNG reading code
CUPS reports: The PNG image reading code did not validate the image size properly, leading to a potential buffer overflow STR 2974...
habari -- Cross-Site Scripting Vulnerability
Secunia reports: Input passed via the "habari_username" parameter when logging in is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site...
opera -- multiple vulnerabilities
Opera reports: Certain constructs are not escaped correctly by Opera's History Search results. These can be used to inject scripts into the page, which can then be used to look through the user's browsing history, including the contents of the pages they have visited. These may contain sensitive...
varnish -- Varnish HTTP Request Parsing Denial of Service
SecurityFocus reports: Varnish is prone to a remote denial-of-service vulnerability because the application fails to handle certain HTTP requests. Successfully exploiting this issue allows remote attackers to crash the affected application denying further service to legitimate users...
vim -- multiple vulnerabilities in the netrw module
Jan Minar reports: Applying the "D" to a file with a crafted file name, or inside a directory with a crafted directory name, can lead to arbitrary code execution. Lack of sanitization throughout Netrw can lead to arbitrary code execution upon opening a directory with a crafted name. The Vim Netrw...
linux-flashplugin -- multiple vulnerabilities
Adobe Product Security Incident Response Team reports: Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users...
mantis -- session hijacking vulnerability
The mantis Team reports: When configuring a web application to use only ssl e.g. by forwarding all http-requests to https, a user would expect that sniffing and hijacking the session is impossible. Though, for this to be secure, one needs to set the session cookie to have the secure flag. Else t...
net-snmp -- DoS for SNMP agent via crafted GETBULK request
Wes Hardaker reports through sourceforge.net forum: SECURITY ISSUE: A bug in the getbulk handling code could let anyone with even minimal access crash the agent. If you have open access to your snmp agents bad bad bad; stop doing that! or if you don't trust everyone that does have access to your...
cups -- multiple vulnerabilities
The release note of cups 1.3.9 reports: It contains the following fixes: SECURITY: The HP-GL/2 filter did not range check pen numbers STR 2911 SECURITY: The SGI image file reader did not range check 16-bit run lengths STR 2918 SECURITY: The text filter did not range check cpi, lpi, or column valu...
drupal -- multiple vulnerabilities
The Drupal Project reports: A logic error in the core upload module validation allowed unprivileged users to attach files to content. Users can view files attached to content which they do not otherwise have access to. If the core upload module is not enabled, your site will not be affected. A...
dovecot -- ACL plugin bypass vulnerabilities
Timo Sirainen reports in dovecot 1.1.4 release notes: ACL plugin fixes: Negative rights were actually treated as positive rights. 'k' right didn't prevent creating parent/child/child mailbox. ACL groups weren't working...
opera -- multiple vulnerabilities
Opera reports: If a malicious page redirects Opera to a specially crafted address (URL), it can cause Opera to crash. Given sufficient address content, the crash could cause execution of code controlled by the attacking page. Once a Java applet has been cached, if a page can predict the cache path...
openx -- sql injection vulnerability
Secunia reports: OpenX can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "bannerid" parameter in www/delivery/ac.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code...
linux-flashplugin -- multiple vulnerabilities
Adobe Product Security Incident Response Team reports: Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system...
FreeBSD -- IPv6 Neighbor Discovery Protocol routing vulnerability
Problem Description: IPv6 routers may allow "on-link" IPv6 nodes to create and update the router's neighbor cache and forwarding information. A malicious IPv6 node sharing a common router but on a different physical segment from another node may be able to spoof Neighbor Discovery messages, allowi...
mplayer -- multiple integer overflows
The oCERT team reports: The MPlayer multimedia player suffers from a vulnerability which could result in arbitrary code execution and at the least, in unexpected process termination. Three integer underflows located in the Real demuxer code can be used to exploit a heap overflow, a specific video...
lighttpd -- multiple vulnerabilities
Lighttpd security announcement: lighttpd 1.4.19, and possibly other versions before 1.5.0, does not decode the url before matching against rewrite and redirect patterns, which allows attackers to bypass rewrite rules. This can be a security problem in certain configurations if these rules are used...
mozilla -- multiple vulnerabilities
The Mozilla Foundation reports: MFSA 2008-37: UTF-8 URL stack buffer overflow; MFSA 2008-38: nsXMLDocument::OnChannelRedirect same-origin violation; MFSA 2008-39: Privilege escalation using feed preview page and XSS flaw; MFSA 2008-40: Forced mouse drag; MFSA 2008-41: Privilege escalation via XPCnativeWrapper...
phpmyadmin -- Cross-Site Scripting Vulnerability
Secunia reports: An error exists in the "PMA_escapeJsString" function in libraries/js_escape.lib.php, which can be exploited to bypass certain filters and execute arbitrary HTML and script code in a user's browser session in context of an affected site when e.g. Microsoft Internet Explorer is used...
proftpd -- Long Command Processing Vulnerability
Secunia reports: The vulnerability is caused due to the application truncating an overly long FTP command, and improperly interpreting the remainder string as a new FTP command. This can be exploited to execute arbitrary FTP commands with the privileges of another user by e.g. tricking the user...
gallery -- multiple vulnerabilities
Secunia reports: An error in the handling of ZIP archives with symbolic links can be exploited to disclose the contents of arbitrary files. Input from uploaded Flash animations is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is...
faad2 -- heap overflow vulnerability
CVE reports: Heap-based buffer overflow in the decodeMP4file function (frontend/main.c) in FAAD2 2.6.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MPEG-4 (MP4) file...
phpmyadmin -- Code execution vulnerability
A phpMyAdmin security announcement: The server_databases.php script was vulnerable to an attack coming from a user who is already logged-on to phpMyAdmin, where he can execute shell code if the PHP configuration permits commands like exec...
mysql -- empty bit-string literal denial of service
MySQL reports: The vulnerability is caused due to an error when processing an empty bit-string literal and can be exploited to crash the server via a specially crafted SQL statement...
horde -- multiple vulnerabilities
Secunia reports: Some vulnerabilities have been reported in various Horde products, which can be exploited by malicious people to conduct script insertion attacks. Input via MIME attachment linking is not properly sanitised in the MIME library before being used. This can be exploited to execute...
rubygem-rails -- SQL injection vulnerability
Jonathan Weiss reports that it is possible to perform an SQL injection in Rails applications via not correctly sanitized :limit and :offset parameters. It is possible to change arbitrary values in affected tables or gain access to the sensitive data...
wordpress -- remote privilege escalation
The Wordpress development team reports: With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user's password to a randomly generated password. The randomly generated password is not disclosed to the...
emacs -- run-python vulnerability
Emacs developers report: The Emacs command "run-python" launches an interactive Python interpreter. After the Python process starts up, Emacs automatically sends it the line "import emacs", which normally imports a script named emacs.py which is distributed with Emacs. This script, which is typicall...
FreeBSD -- Remote kernel panics on IPv6 connections
Problem Description: In case of an incoming ICMPv6 'Packet Too Big Message', there is an insufficient check on the proposed new MTU for a path to the destination. Impact: When the kernel is configured to process IPv6 packets and has active IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet T...
FreeBSD -- nmount(2) local arbitrary code execution
Problem Description: Various user defined input such as mount points, devices, and mount options are prepared and passed as arguments to nmount(2) into the kernel. Under certain error conditions, user defined data will be copied into a stack allocated buffer stored in the kernel without sufficient...
FreeBSD -- amd64 swapgs local privilege escalation
Problem Description: If a General Protection Fault happens on a FreeBSD/amd64 system while it is returning from an interrupt, trap or system call, the swapgs CPU instruction may be called one extra time when it should not, resulting in userland and kernel state being mixed. Impact: A local attacke...
bitlbee -- account recreation security issues
Secunia reports: Some security issues have been reported in BitlBee, which can be exploited by malicious people to bypass certain security restrictions and hijack accounts. The security issues are caused due to unspecified errors, which can be exploited to overwrite existing accounts...
mgetty+sendfax -- symlink attack via insecure temporary files
Debian reports: Faxspool in mgetty 1.1.36 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/faxsp. temporary file...
p5-UI-Dialog -- shell command execution vulnerability
Matthijs Kooijman reports: It seems that the whiptail, cdialog and kdialog backends apply some improper escaping in their shell commands, causing special characters present in menu item titles to be interpreted by the shell. This includes the backtick evaluation operator, so this constitutes a...
libxml2 -- two vulnerabilities
Secunia reports: Two vulnerabilities have been reported in Libxml2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. 1) A recursion error exists when processing certain XML content. This can be exploited to e.g...
opera -- multiple vulnerabilities
The Opera Team reports: Scripts are able to change the addresses of framed pages that come from the same site. Due to a flaw in the way that Opera checks what frames can be changed, a site can change the address of frames on other sites inside any window that it has opened. This allows sites to...
neon -- NULL pointer dereference in Digest domain support
Joe Orton reports: A NULL pointer dereference in the Digest authentication support in neon versions 0.28.0 through 0.28.2 inclusive allows a malicious server to crash a client application, resulting in possible denial of service...
gnutls -- "gnutls_handshake()" Denial of Service
Secunia reports: A vulnerability has been reported in GnuTLS, which can potentially be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a use-after-free error when an application calls "gnutls_handshake" for an already valid session and can...
hplip -- hpssd Denial of Service
Secunia reports: A security issue has been reported in hplip, which can be exploited by malicious, local users to cause a DoS. The security issue is caused due to an error within hpssd.py when parsing certain requests. This can be exploited to crash the service by sending specially crafted reques...
joomla -- flaw in the reset token validation
Joomla project reports: A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note that changing the...
drupal -- multiple vulnerabilities
The Drupal Project reports: A bug in the output filter employed by Drupal makes it possible for malicious users to insert script code into pages (cross site scripting or XSS). A bug in the private filesystem trusts the MIME type sent by the browser, enabling malicious users with the ability to uplo...
squirrelmail -- Session hijacking vulnerability
Hanno Boeck reports: When configuring a web application to use only ssl e.g. by forwarding all http-requests to https, a user would expect that sniffing and hijacking the session is impossible. Though, for this to be secure, one needs to set the session cookie to have the secure flag. Otherwise t...
ruby -- DoS vulnerability in WEBrick
The official ruby site reports: WEBrick::HTTP::DefaultFileHandler is faulty of exponential time taking requests due to a backtracking regular expression in WEBrick::HTTPUtils.split_header_value...
ruby -- DNS spoofing vulnerability
The official ruby site reports: resolv.rb allows remote attackers to spoof DNS answers. This risk can be reduced by randomness of DNS transaction IDs and source ports...
ruby -- multiple vulnerabilities in safe level
The official ruby site reports: Several vulnerabilities in safe level have been discovered: untrace_var is permitted at safe level 4; $PROGRAM_NAME may be modified at safe level 4; insecure methods may be called at safe level 1-3; syslog operations are permitted at safe level 4; dl doesn't check...
twiki -- Arbitrary code execution in session files
Th1nk3r reports: The version of TWiki installed on the remote host allows access to the 'configure' script and fails to sanitize the 'image' parameter of that script of directory traversal sequences before returning the file contents when the 'action' parameter is set to 'image'. An unauthenticat...
python -- multiple vulnerabilities
Secunia reports: Some vulnerabilities have been reported in Python, where some have unknown impact and others can potentially be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. Various integer overflow errors exist in core modules e.g...
openvpn-devel -- arbitrary code execution
James Yonan reports: Security Fix - affects non-Windows OpenVPN clients running OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT vulnerable nor are any versions of the OpenVPN server vulnerable). An OpenVPN client connecting to a malicious or compromised server could potentially...
vim6 -- heap-based overflow while parsing shell metacharacters
Description for CVE-2008-3432 says: Heap-based buffer overflow in the mch_expand_wildcards function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames, as demonstrated by the netrw.v3 test case...
ipsec-tools -- Denial of Service Vulnerabilities
SecurityFocus reports: IPsec-Tools is affected by multiple remote denial-of-service vulnerabilities because the software fails to properly handle certain network packets. A successful attack allows a remote attacker to crash the software, denying further service to legitimate users...