typo3 -- Multiple vulnerabilities in TYPO3 Core
TYPO3 Security Team reports: It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting and Remote Code Execution. TYPO3 bundles flash files for video and audio playback. Old versions of FlowPlayer and flashmedia are susceptible to Cross-Site Scripting. No authentication is...
phpMyAdmin -- multiple vulnerabilities
The phpMyAdmin development team reports: XSS due to unescaped HTML Output when executing a SQL query. 5 XSS vulnerabilities in setup, chart display, process list, and logo link. If a crafted version.json would be presented, an XSS could be introduced. Full path disclosure vulnerabilities. XSS...
bind -- denial of service vulnerability
ISC reports: A specially crafted query that includes malformed rdata can cause named to terminate with an assertion failure while rejecting the malformed query...
openafs -- single-DES cell-wide key brute force vulnerability
OpenAFS Project reports: The small size of the DES key space permits an attacker to brute force a cell's service key and then forge traffic from any user within the cell. The key space search can be performed in under 1 day at a cost of around $100 using publicly available services...
lcms2 -- Null Pointer Dereference Denial of Service Vulnerability
Mageia security team reports: It was discovered that Little CMS did not properly verify certain memory allocations. If a user or automated system using Little CMS were tricked into opening a specially crafted file, an attacker could cause Little CMS to crash CVE-2013-4160...
subversion -- remotely triggerable "Assertion failed" DoS vulnerability or read overflow.
Subversion Project reports: Subversion's mod_dav_svn Apache HTTPD server module will trigger an assertion on some requests made against a revision root. This can lead to a DoS. If assertions are disabled it will trigger a read overflow which may cause a SEGFAULT (or equivalent) or undefined behavior...
GnuPG and Libgcrypt -- side-channel attack vulnerability
Werner Koch of the GNU project reports: Noteworthy changes in version 1.5.3: Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA secret keys... Note that Libgcrypt is used by GnuPG 2.x and thus this release fixes the above problem. The fix for GnuPG less than 2.0 can be found in th...
gnupg -- side channel attack on RSA secret keys
A Yarom and Falkner paper reports: Flush+Reload is a cache side-channel attack that monitors access to data in shared pages. In this paper we demonstrate how to use the attack to extract private encryption keys from GnuPG. The high resolution and low noise of the Flush+Reload attack enables a spy...
squid -- denial of service
Squid project reports: Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted HTTP requests. This problem allows any client who can generate HTTP requests to perform a denial of service attack on the Squid service...
apache24 -- several vulnerabilities
Apache HTTP SERVER PROJECT reports: mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault. mod_session_dbd: Make sure that dirty flag is respected when...
PHP5 -- Heap corruption in XML parser
The PHP development team reports: ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: A special reward for Andrey Labunets for his combination of CVE-2013-2879 and CVE-2013-2868 along with some since fixed server-side bugs. 252216 Low CVE-2013-2867: Block pop-unders in various scenarios. 252062 High CVE-2013-2879: Confusion setting up sign-in and...
linux-flashplugin -- multiple vulnerabilities
Adobe reports: These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system...
otrs -- Sql Injection + Xss Issue
The OTRS Project reports: An attacker with a valid agent login could manipulate URLs leading to SQL injection. An attacker with a valid agent login could manipulate URLs in the ITSM ConfigItem search, leading to a JavaScript code injection XSS problem...
PuTTY -- Four security holes in versions before 0.63
Simon Tatham reports: This 0.63 release fixes multiple security holes in previous versions of PuTTY, which can allow an SSH-2 server to make PuTTY overrun or underrun buffers and crash. ... These vulnerabilities can be triggered before host key verification, which means that you are not even safe...
FreeBSD -- Incorrect privilege validation in the NFS server
Problem Description: The kernel incorrectly uses client supplied credentials instead of the one configured in exports(5) when filling out the anonymous credential for a NFS export, when -network or -host restrictions are used at the same time. Impact: The remote client may supply privileged...
puppet -- multiple vulnerabilities
Puppet Labs reports: By using the resource_type service, an attacker could cause puppet to load arbitrary Ruby files from the puppet master node's file system. While this behavior is not enabled by default, auth.conf settings could be modified to allow it. The exploit requires local file system...
phpMyAdmin -- Global variable scope injection
The phpMyAdmin development team reports: The import.php script was vulnerable to GLOBALS variable injection. Therefore, an attacker could manipulate any configuration parameter. This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents...
gallery -- multiple vulnerabilities
Red Hat Security Response Team reports: Gallery upstream has released 3.0.9 version, correcting two security flaws: Issue 1 - Improper stripping of URL fragments in flowplayer SWF file might lead to replay attacks (a different flaw than CVE-2013-2138). Issue 2 - gallery3: Multiple information exposu...
ruby -- Hostname check bypassing vulnerability in SSL client
Ruby Developers report: Ruby's SSL client implements hostname identity check but it does not properly handle hostnames in the certificate that contain null bytes...
libzrtpcpp -- multiple security vulnerabilities
Mark Dowd reports: Vulnerability 1. Remote Heap Overflow: If an attacker sends a packet larger than 1024 bytes that gets stored temporarily which occurs many times - such as when sending a ZRTP Hello packet, a heap overflow will occur, leading to potential arbitrary code execution on the vulnerab...
apache-xml-security-c -- heap overflow during XPointer evaluation
The Apache Software Foundation reports: The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7). Memory corruption found using Address Sanitizer. Privileged content access and execution via XBL. Arbitrary code execution within Profiler. Execution of unmapped memory through onreadystatechange. Data in the...
cURL library -- heap corruption in curl_easy_unescape
cURL developers report: libcurl is vulnerable to a case of bad checking of the input data which may lead to heap corruption. The function curl_easy_unescape decodes URL-encoded strings to raw binary data. URL-encoded octets are represented with %HH combinations where HH is a two-digit hexadecimal...
polarssl -- denial of service vulnerability
Paul Bakker reports: A bug in the logic of the parsing of PEM encoded certificates in x509parse_crt can result in an infinite loop, thus hogging processing power. While parsing a Certificate message during the SSL/TLS handshake, PolarSSL extracts the presented certificates and sends them on to be...
apache22 -- several vulnerabilities
Apache HTTP SERVER PROJECT reports: The mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a...
wordpress -- multiple vulnerabilities
The wordpress development team reports: Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site. Disallow contributors from improperly publishing posts. An update to the SWFUpload external library to fix cross-site scripting vulnerabilities...
otrs -- information disclosure
The OTRS Project reports: An attacker with a valid agent login could manipulate URLs in the ticket watch mechanism to see contents of tickets they are not permitted to see...
apache-xml-security-c -- heap overflow
The Apache Software Foundation reports: A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution. If verification of the signature occurs prior to actual evaluation of a signin...
FreeBSD -- Privilege escalation via mmap
Due to insufficient permission checks in the virtual memory system, a tracing process such as a debugger may be able to modify portions of the traced process's address space to which the traced process itself does not have write access...
tor -- guard discovery
The Tor Project reports: Disable middle relay queue overfill detection code due to possible guard discovery attack...
dbus -- local dos
Simon McVittie reports: Alexandru Cornea discovered a vulnerability in libdbus caused by an implementation bug in _dbus_printf_string_upper_bound. This vulnerability can be exploited by a local user to crash system services that use libdbus, causing denial of service. It is platform-specific: x86-64...
puppet -- Unauthenticated Remote Code Execution Vulnerability
Puppet Developers report: When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby...
samba -- Private key in key.pem world readable
The Samba project reports: Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is provided over SSL, uses world-readable permissions for a private key, which allows local users to obtain sensitive information by reading the key file, as demonstrated by access to the local filesyst...
samba -- ACLs are not checked on opening an alternate data stream on a file or directory
The Samba project reports: Samba versions 3.2.0 and above all versions of 3.2.x, 3.3.x, 3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x do not check the underlying file or directory ACL when opening an alternate data stream. According to the SMB1 and SMB2+ protocols the ACL on an underlying file or director...
linux-flashplugin -- multiple vulnerabilities
Adobe reports: These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system...
xdm -- remote denial of service
nvd.nist.gov reports: X.Org xdm 1.1.10, 1.1.11, and possibly other versions, when performing authentication using certain implementations of the crypt API function that can return NULL, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by attempting to log int...
php5 -- Heap based buffer overflow in quoted_printable_encode
The PHP development team reports: A heap-based buffer overflow flaw was found in the php quoted_printable_encode function. A remote attacker could use this flaw to cause php to crash or execute arbitrary code with the permission of the user running php...
phpMyAdmin -- XSS due to unescaped HTML output in Create View page
The phpMyAdmin development team reports: When creating a view with a crafted name and an incorrect CREATE statement, it is possible to trigger an XSS. This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from...
dns/bind9* -- A recursive resolver can be crashed by a query for a malformed zone
ISC reports: A bug has been discovered in the most recent releases of BIND 9 which has the potential for deliberate exploitation as a denial-of-service attack. By sending a recursive resolver a query for a record in a specially malformed zone, an attacker can cause BIND 9 to exit with a fatal...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 242322 Medium CVE-2013-2855: Memory corruption in dev tools API. Credit to "daniel.zulla". 242224 High CVE-2013-2856: Use-after-free in input handling. Credit to miaubiz. 240124 High CVE-2013-2857: Use-after-free in image handling. Credit to miaubiz. 239897 High...
devel/subversion -- contrib hook-scripts can allow arbitrary code execution
Subversion team reports: The script contrib/hook-scripts/check-mime-type.pl does not escape argv arguments to 'svnlook' that start with a hyphen. This could be used to cause 'svnlook', and hence check-mime-type.pl, to error out. The script contrib/hook-scripts/svn-keyword-check.pl parses filename...
devel/subversion -- svnserve remotely triggerable DoS
Subversion team reports: Subversion's svnserve server process may exit when an incoming TCP connection is closed early in the connection process...
devel/subversion -- fsfs repositories can be corrupted by newline characters in filenames
Subversion team reports: If a filename which contains a newline character (ASCII 0x0a) is committed to a repository using the FSFS format, the resulting revision is corrupt...
passenger -- security vulnerability
Phusion reports: A denial of service and arbitrary code execution by hijacking temp files. CVE-2013-2119...
znc -- null pointer dereference in webadmin module
No advisory has been released yet. Fix NULL pointer dereference in webadmin...
www/mod_security -- NULL pointer dereference DoS
SecurityFocus reports: When ModSecurity receives a request body with a size bigger than the value set by the "SecRequestBodyInMemoryLimit" and with a "Content-Type" that has no request body processor mapped to it, ModSecurity will systematically crash on every call to "forceRequestBodyVariable"...
telepathy-gabble -- TLS verification bypass
Simon McVittie reports: This release fixes a man-in-the-middle attack. If you use an unencrypted connection to a "legacy Jabber" pre-XMPP server, this version of Gabble will not connect until you make one of these configuration changes: upgrade the server software to something that supports XMP...
socat -- FD leak
Gerhard Rieger reports: Under certain circumstances an FD leak occurs and can be misused for denial of service attacks against socat running in server mode...
xorg -- protocol handling issues in X Window System client libraries
freedesktop.org reports: Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Org's security team to analyze, confirm, and fix these issues. Most ...