p5-RT-Authen-ExternalAuth -- privilege escalation
The RT development team reports: RT::Authen::ExternalAuth 0.10 and below for all versions of RT are vulnerable to an escalation of privilege attack where the URL of an RSS feed of the user can be used to acquire a fully logged-in session as that user. CVE-2012-2770 has been assigned to this...
OpenTTD -- Denial of Service
The OpenTTD Team reports: Denial of service server using ships on half tiles and landscaping...
squidclamav -- Denial of Service
SquidClamav developers report: Add a workaround for a squidGuard bug that unescapes the URL and sends it back unescaped. This results in garbage staying in the pipe of the system command call and could crash squidclamav on the next read or return false information. This is especially true with URLs containi...
dns/bind9* -- Heavy DNSSEC Validation Load Can Cause a 'Bad Cache' Assertion Failure
ISC reports: High numbers of queries with DNSSEC validation enabled can cause an assertion failure in named, caused by using a 'bad cache' data structure before it has been initialized. BIND 9 stores a cache of query names that are known to be failing due to misconfigured name servers or a broken...
FreeBSD -- named(8) DNSSEC validation Denial of Service
Problem description: BIND 9 stores a cache of query names that are known to be failing due to misconfigured name servers or a broken chain of trust. Under high query loads, when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries...
squidclamav -- cross-site scripting in default virus warning pages
SquidClamav developers report: This release fixes several security issues by escaping CGI parameters. Prior to versions 6.7 and 5.8, the CGI script clwarn.cgi was not properly sanitizing input variables, so they could be used to inject arbitrary strings into the generated page, leading to the cross-site...
isc-dhcp -- multiple vulnerabilities
ISC reports: An unexpected client identifier parameter can cause the ISC DHCP daemon to segmentation fault when running in DHCPv6 mode, resulting in a denial of service to further client requests. In order to exploit this condition, an attacker must be able to send requests to the DHCP server. An...
Wireshark -- Multiple vulnerabilities
Wireshark reports: It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. It may be possible to make Wireshark consume excessive CPU resources by injecting a malformed packet onto the wire or by...
bitcoin -- denial of service
An unspecified denial-of-service attack that could cause the bitcoin process to become unresponsive was found...
php -- potential overflow in _php_stream_scandir
The PHP Development Team reports: The release of PHP 5.4.15 and 5.4.5 fix a potential overflow in _php_stream_scandir...
dns/nsd -- DoS vulnerability from non-standard DNS packet
Marek Vavrusa and Lubos Slovak report: It is possible to crash (SIGSEGV) an NSD child server process by sending it a non-standard DNS packet from any host on the internet. A crashed child process will automatically be restarted by the parent process, but an attacker may keep the NSD server occupied...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2012-42 Miscellaneous memory safety hazards rv:14.0/ rv:10.0.6 MFSA 2012-43 Incorrect URL displayed in addressbar through drag and drop MFSA 2012-44 Gecko memory corruption MFSA 2012-45 Spoofing issue with location MFSA 2012-46 XSS through data: URLs MFSA 2012-47...
Dokuwiki -- cross site scripting vulnerability
Secunia Research reports: Secunia Research has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "ns" POST parameter in lib/exe/ajax.php when "call" is set to "medialist" and "do" is set to "media" is no...
libexif -- multiple remote vulnerabilities
libexif project security advisory: A number of remotely exploitable issues were discovered in libexif and exif, with effects ranging from information leakage to potential remote code execution...
www/chromium -- multiple vulnerabilities
Google Chrome Releases reports: 129898 High CVE-2012-2842: Use-after-free in counter handling. Credit to miaubiz. 130595 High CVE-2012-2843: Use-after-free in layout height tracking. Credit to miaubiz. 133450 High CVE-2012-2844: Bad object access with JavaScript in PDF. Credit to Alexey Samsonov ...
puppet -- multiple vulnerabilities
Arbitrary file read on the puppet master from authenticated clients (high). It is possible to construct an HTTP GET request from an authenticated client with a valid certificate that will return the contents of an arbitrary file on the Puppet master that the maste...
automake -- Insecure 'distcheck' recipe granted world-writable distdir
GNU reports: The recipe of the 'distcheck' target granted temporary world-write permissions on the extracted distdir. This introduced a locally exploitable race condition for those who run "make distcheck" with a non-restrictive umask (e.g., 022) in a directory that was accessible by others. A...
asterisk -- multiple vulnerabilities
Asterisk project reports: Possible resource leak on uncompleted re-invite transactions. Remote crash vulnerability in voice mail application...
typo3 -- Cross-Site Scripting Vulnerability in TYPO3 Core
Typo3 Security Report TYPO3-CORE-SA-2012-003: TYPO3 bundles and uses an external JavaScript and Flash Upload Library called swfupload. TYPO3 can be configured to use this Flash uploader. Input passed via the "movieName" parameter to swfupload.swf is not properly sanitised before being used in a...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 118633 Low CVE-2012-2815: Leak of iframe fragment id. Credit to Elie Bursztein of Google. 120222 High CVE-2012-2817: Use-after-free in table section handling. Credit to miaubiz. 120944 High CVE-2012-2818: Use-after-free in counter layout. Credit to miaubiz. 120977...
Zend Framework -- Multiple vulnerabilities via XXE injection
The Zend Framework team reports: The XmlRpc package of Zend Framework is vulnerable to XML eXternal Entity Injection attacks, both server and client. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a...
asterisk -- remote crash vulnerability
Asterisk project reports: Skinny Channel Driver Remote Crash Vulnerability...
php5-sqlite -- open_basedir bypass
MITRE CVE team reports: The SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors...
samba -- multiple vulnerabilities
The Samba project reports: These are security releases in order to address CVE-2013-4408 (DCE-RPC fragment length field is incorrectly checked) and CVE-2012-6150 (pam_winbind login without require_membership_of restrictions)...
FreeBSD -- Incorrect handling of zero-length RDATA fields in named(8)
Problem description: The named(8) server does not properly handle DNS resource records where the RDATA field is zero length, which may cause various issues for the servers handling them. Resolving servers may crash or disclose some portion of memory to the client. Authoritative servers may crash on...
FreeBSD -- Privilege escalation when returning from kernel
Problem description: FreeBSD/amd64 runs on CPUs from different vendors. Due to varying behaviour of CPUs in 64 bit mode a sanity check of the kernel may be insufficient when returning from a system call. Successful exploitation of the problem can lead to local kernel privilege escalation, kernel...
mantis -- multiple vulnerabilities
Mantis reports: Roland Becker and Damien Regad (MantisBT developers) found that any user able to report issues via the SOAP interface could also modify any bugnotes (comments) created by other users. In a default/typical MantisBT installation, the SOAP API is enabled and any user can sign up to report ne...
linux-flashplugin -- multiple vulnerabilities
Adobe reports: These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2012-34 Miscellaneous memory safety hazards rv:13.0/ rv:10.0.5 MFSA 2012-36 Content Security Policy inline-script bypass MFSA 2012-37 Information disclosure through Windows file shares and shortcut files MFSA 2012-38 Use-after-free while replacing/inserting a node...
quagga -- BGP OPEN denial of service vulnerability
CERT reports: If a pre-configured BGP peer sends a specially-crafted OPEN message with a malformed ORF capability TLV, Quagga bgpd process will erroneously try to consume extra bytes from the input packet buffer. The process will detect a buffer overrun attempt before it happens and immediately...
dns/bind9* -- zero-length RDATA can cause named to terminate, reveal memory
ISC reports: Processing of DNS resource records where the rdata field is zero length may cause various issues for the servers handling them. Processing of these records may lead to unexpected outcomes. Recursive servers may crash or disclose some portion of memory to the client. Secondary servers...
libjpeg-turbo -- heap-based buffer overflow
The Changelog for version 1.2.1 says: Fixed a regression caused by 1.2.06 in which decompressing corrupt JPEG images (specifically, images in which the component count was erroneously set to a large value) would cause libjpeg-turbo to segfault. A heap-based buffer overflow was found in the way...
rubygem-activerecord -- multiple vulnerabilities
Due to the way Active Record interprets parameters in combination with the way that Rack parses query parameters, it is possible for an attacker to issue unexpected database queries with "IS NULL" where clauses. This issue does not let an attacker...
databases/postgresql*-server -- crypt vulnerabilities
The PostgreSQL Global Development Group reports: Today the PHP, OpenBSD and FreeBSD communities announced updates to patch a security hole involving their crypt hashing algorithms. This issue is described in CVE-2012-2143. This vulnerability also affects a minority of PostgreSQL users, and will b...
FreeBSD -- Incorrect crypt() hashing
Problem description: There is a programming error in the DES implementation used in crypt() when handling input which contains characters that cannot be represented with 7-bit ASCII. When the input contains characters with only the most significant bit set (0x80), that character and all characters...
nut -- upsd can be remotely crashed
Networkupstools project reports: The NUT server upsd, from versions 2.4.0 to 2.6.3, is exposed to crashes when receiving random data from the network. This issue is related to the way NUT parses characters, especially from the network. Non-printable characters were missed from string operations such...
asterisk -- multiple vulnerabilities
Asterisk project reports: Remote crash vulnerability in IAX2 channel driver. Skinny Channel Driver Remote Crash Vulnerability...
pycrypto -- vulnerable ElGamal key generation
Dwayne C. Litzenberger of PyCrypto reports: In the ElGamal schemes for both encryption and signatures, g is supposed to be the generator of the entire Z^p group. However, in PyCrypto 2.5 and earlier, g is more simply the generator of a random sub-group of Z^p. The result is that the signature spa...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 117409 High CVE-2011-3103: Crashes in v8 garbage collection. Credit to the Chromium development community (Brett Wilson). 118018 Medium CVE-2011-3104: Out-of-bounds read in Skia. Credit to Google Chrome Security Team (Inferno). 120912 High CVE-2011-3105: Use-after-free...
RT -- Multiple Vulnerabilities
BestPractical report: Internal audits of the RT codebase have uncovered a number of security vulnerabilities in RT. We are releasing versions 3.8.12 and 4.0.6 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0. The vulnerabilities addressed ...
haproxy -- buffer overflow
HAProxy reports: A flaw was reported in HAProxy where, due to a boundary error when copying data into the trash buffer, an external attacker could cause a buffer overflow. Exploiting this flaw could lead to the execution of arbitrary code, however it requires non-default settings for the...
sudo -- netmask vulnerability
Todd Miller reports: Sudo supports granting access to commands on a per-host basis. The host specification may be in the form of a host name, a netgroup, an IP address, or an IP network (an IP address with an associated netmask). When IPv6 support was added to sudo, a bug was introduced that caused...
pidgin-otr -- format string vulnerability
The authors report: Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format string security flaw. This flaw could potentially be exploited by a remote attacker to cause arbitrary code to be executed on the user's machine. The flaw is in pidgin-otr, not in libotr. Other applications...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 112983 Low CVE-2011-3083: Browser crash with video + FTP. Credit to Aki Helin of OUSPG. 113496 Low CVE-2011-3084: Load links from internal pages in their own process. Credit to Brett Wilson of the Chromium development community. 118374 Medium CVE-2011-3085: UI...
libxml2 -- An off-by-one out-of-bounds write by XPointer
Google Chrome team reports: An off-by-one out-of-bounds write flaw was found in the way libxml, a library for providing XML and HTML support, evaluated certain XPointer parts. XPointer is used by libxml to include only the part from the returned XML document that can be accessed using the XPath...
mail/sympa* -- Multiple vulnerabilities in Sympa archive management
David Verdin reports: Multiple vulnerabilities have been discovered in Sympa archive management that allow skipping the scenario-based authorization mechanisms. This vulnerability allows the attacker to: display the archives management page ('arcmanage'); download the list's archives; delete the list'...
sympa -- Multiple Security Bypass Vulnerabilities
Secunia team reports: Multiple vulnerabilities have been reported in Sympa, which can be exploited by malicious people to bypass certain security restrictions. The vulnerabilities are caused due to the application allowing access to archive functions without checking credentials. This can be...
socat -- Heap-based buffer overflow
The socat development team reports: This vulnerability can be exploited when socat is invoked with the READLINE address (this is usually only used interactively) without option "prompt" and without option "noprompt", and an attacker succeeds to provide malicious data to the other (arbitrary) address...
openjpeg -- Multiple vulnerabilities
Openjpeg release notes report: That CVE-2012-3535 and CVE-2012-3358 are fixed in the 1.5.1 release. That CVE-2013-4289, CVE-2013-4290, CVE-2013-1447, CVE-2013-6045, CVE-2013-6052, CVE-2013-6054, CVE-2013-6053, CVE-2013-6887 were fixed in the 1.5.2 release...