mpack -- Information disclosure
The oss-security list reports: Incorrect permissions on temporary files can lead to information disclosure...
php -- multiple vulnerabilities
php development team reports: Security Enhancements and Fixes in PHP 5.3.9: Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885) Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)...
Multiple implementations -- DoS via hash algorithm collision
oCERT reports: A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures; the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms. The issue finds particula...
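The mechanism behind the oCERT advisory, as an added example that is not part of the advisory or of any affected runtime: a toy DJBX33A hash (the multiplicative string hash PHP used at the time), a generator for keys that all land in one bucket, a chained table that counts the comparisons those keys force, and a form parser that bounds the damage the way PHP's max_input_vars does. Names, the bucket count, and the constructed request body are assumptions made for the illustration.

```python
"""Predictable DJBX33A collisions and the cost they impose on a chained hash table.

Added example, not code from the oCERT advisory or any affected project; the
table and the form parser are toy implementations written for illustration.
"""
import os
import random

MASK32 = 0xFFFFFFFF


def djbx33a(key: bytes, seed: int = 5381) -> int:
    """DJBX33A (h = h*33 + c), truncated to 32 bits."""
    h = seed
    for c in key:
        h = (h * 33 + c) & MASK32
    return h


# Two-byte blocks with equal contribution 33*a + b:
#   ord('E')*33 + ord('z') == ord('F')*33 + ord('Y') == 2399.
# A block appended to any prefix adds 1089*prefix + 2399, so every
# concatenation of these blocks hashes identically, for EVERY seed.
COLLIDING_BLOCKS = (b"Ez", b"FY")


def colliding_keys(n_bits: int) -> list:
    """Return 2**n_bits distinct keys that all share the same DJBX33A hash."""
    keys = []
    for i in range(1 << n_bits):
        keys.append(b"".join(COLLIDING_BLOCKS[(i >> b) & 1] for b in range(n_bits)))
    return keys


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons."""

    def __init__(self, nbuckets: int = 1024, seed: int = 5381):
        self.buckets = [[] for _ in range(nbuckets)]
        self.seed = seed
        self.comparisons = 0

    def insert(self, key: bytes, value) -> None:
        chain = self.buckets[djbx33a(key, self.seed) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1       # one comparison per entry already in the chain
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def insert_cost(keys: list, seed: int = 5381) -> int:
    """Total key comparisons needed to insert every key once (quadratic on one chain)."""
    table = ChainedTable(seed=seed)
    for k in keys:
        table.insert(k, True)
    return table.comparisons


def parse_form(body: bytes, max_input_vars: int = 1000) -> ChainedTable:
    """Parse an application/x-www-form-urlencoded body into a ChainedTable.

    Models the shape of PHP's mitigation (max_input_vars): the work is bounded by
    refusing bodies with too many parameters, because a different seed alone does
    not break DJBX33A collisions of this kind (see the test with another seed).
    """
    pairs = body.split(b"&") if body else []
    if len(pairs) > max_input_vars:
        raise ValueError("too many input variables: %d > %d" % (len(pairs), max_input_vars))
    table = ChainedTable()
    for pair in pairs:
        name, _, value = pair.partition(b"=")
        table.insert(name, value)
    return table


if __name__ == "__main__":
    evil = colliding_keys(10)                        # 1024 keys, one bucket
    benign = [os.urandom(10) for _ in range(1024)]   # constructed random keys
    print("distinct hashes among colliding keys:", len({djbx33a(k) for k in evil}))
    print("comparisons, colliding keys        :", insert_cost(evil))
    print("comparisons, random keys           :", insert_cost(benign))
    print("comparisons, colliding, other seed :", insert_cost(evil, seed=random.getrandbits(32)))
    body = b"&".join(k + b"=1" for k in evil)        # constructed 1024-parameter request body
    try:
        parse_form(body)
    except ValueError as e:
        print("rejected:", e)
```

The seed-independence is the point worth taking away: per-process hash randomisation, the fix adopted by several runtimes, only helps for hash functions where the attacker cannot derive collisions without knowing the seed; for a multiplicative hash like this one, capping the number of inputs (or switching the hash) is what actually bounds the work.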
FreeBSD -- pam_start() does not validate service names
Problem Description: Some third-party applications, including KDE's kcheckpass command, allow the user to specify the name of the policy on the command line. Since OpenPAM treats the policy name as a path relative to /etc/pam.d or /usr/local/etc/pam.d, users who are permitted to run such an...
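How a policy name that is really a path escapes the policy directory, and one way to validate it, as an added example in Python rather than OpenPAM's own C code. The policy directories match those named above; the service names, the regular expression and the function names are assumptions made for the illustration, and the validator is the example's own, not the FreeBSD fix.

```python
"""Service-name validation for a PAM-style policy lookup.

Added example, not OpenPAM's code. It models the bug class described above: the
service name supplied on the command line is joined onto the policy directory,
so a name containing path separators resolves outside that directory. Names and
paths here are constructed for illustration.
"""
import posixpath
import re

POLICY_DIRS = ("/etc/pam.d", "/usr/local/etc/pam.d")   # directories named in the advisory

# A service name should be a bare file name, never a path.
SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def policy_path_unsafe(service: str, policy_dir: str) -> str:
    """Treat the service name as a path relative to the policy directory (the bug)."""
    return posixpath.normpath(posixpath.join(policy_dir, service))


def escapes_dir(path: str, policy_dir: str) -> bool:
    """True if the resolved path lies outside policy_dir."""
    policy_dir = posixpath.normpath(policy_dir)
    return posixpath.commonpath([path, policy_dir]) != policy_dir


def validate_service_name(service: str) -> str:
    """Accept only a bare file name; reject empty names, '.', '..' and any separator."""
    if not service or service in (".", "..") or not SERVICE_NAME_RE.match(service):
        raise ValueError("invalid PAM service name: %r" % service)
    return service


def policy_path_safe(service: str, policy_dir: str) -> str:
    """Resolve the policy only after the name has passed validation."""
    return posixpath.join(policy_dir, validate_service_name(service))


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and several that try to leave the directory.
    for name in ("kcheckpass", "../../tmp/evil", "/tmp/evil", "..", "a/b"):
        p = policy_path_unsafe(name, POLICY_DIRS[0])
        print("%-16s -> %-28s escapes=%s" % (name, p, escapes_dir(p, POLICY_DIRS[0])))
        try:
            print("   validated ->", policy_path_safe(name, POLICY_DIRS[0]))
        except ValueError as e:
            print("   rejected:", e)
```

Note that "a/b" never leaves the policy directory, yet the validator still rejects it: the check is on the shape of the name, not on where the path happens to resolve, which is the only robust choice when the caller does not control every directory on the search path.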
krb5-appl -- telnetd code execution vulnerability
The MIT Kerberos Team reports: When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer. Also see MITKRB5-SA-2011-008...
FreeBSD -- pam_ssh improperly grants access when user account has unencrypted SSH private keys
Problem Description: The OpenSSL library call used to decrypt private keys ignores the passphrase argument if the key is not encrypted. Because the pam_ssh module only checks whether the passphrase provided by the user is null, users with unencrypted SSH private keys may successfully authenticate...
plib -- remote code execution via buffer overflow
Secunia reports: A vulnerability has been discovered in PLIB, which can be exploited by malicious people to compromise an application using the library. The vulnerability is caused due to a boundary error within the "ulSetError" function src/util/ulError.cxx when creating the error message, which...
plib -- buffer overflow
Secunia reports: A vulnerability has been discovered in PLIB, which can be exploited by malicious people to compromise an application using the library. The vulnerability is caused due to a boundary error within the "ulSetError" function src/util/ulError.cxx when creating the error message, which...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2011-53 Miscellaneous memory safety hazards rv:9.0 MFSA 2011-54 Potentially exploitable crash in the YARR regular expression library MFSA 2011-55 nsSVGValue out-of-bounds access MFSA 2011-56 Key detection without JavaScript via SVG animation MFSA 2011-58 Crash...
unbound -- denial of service vulnerabilities from nonstandard redirection and denial of existence
Unbound developer reports: Unbound crashes when confronted with a non-standard response from a server for a domain. This domain produces duplicate RRs from a certain type and is DNSSEC signed. Unbound also crashes when confronted with a query that eventually, and under specific circumstances,...
phpMyAdmin -- Multiple XSS
The phpMyAdmin development team reports: Using crafted url parameters, it was possible to produce XSS on the export panels in the server, database and table sections. Crafted values entered in the setup interface can produce XSS; also, if the config directory exists and is writeable, the XSS...
typo3 -- Remote Code Execution
The typo3 security team reports: A crafted request to a vulnerable TYPO3 installation will allow an attacker to load PHP code from an external source and to execute it on the TYPO3 installation. This is caused by a PHP file, which is part of the workspaces system extension, that does not validate...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 81753 Medium CVE-2011-3903: Out-of-bounds read in regex matching. Credit to David Holloway of the Chromium development community. 95465 Low CVE-2011-3905: Out-of-bounds reads in libxml. Credit to Google Chrome Security Team Inferno. 98809 Medium CVE-2011-3906:...
krb5 -- KDC null pointer dereference in TGS handling
The MIT Kerberos Team reports: In releases krb5-1.9 and later, the KDC can crash due to a NULL pointer dereference in code that handles TGS (Ticket Granting Service) requests. The trigger condition is trivial to produce using unmodified client software, but requires the ability to authenticate as a...
PuTTY -- Password vulnerability
Simon Tatham reports: PuTTY 0.62 fixes a security issue present in 0.59, 0.60 and 0.61. If you log in using SSH-2 keyboard-interactive authentication which is the usual method used by modern servers to request a password, the password you type was accidentally kept in PuTTY's memory for the rest ...
redmine -- CSRF protection bypass
Redmine reports: Vulnerability that would allow an attacker to bypass the CSRF protection...
jasper -- buffer overflow
Fedora reports: JasPer fails to properly decode marker segments and other sections in malformed JPEG2000 files. Malformed inputs can cause heap buffer overflows which in turn may result in execution of attacker-controlled code...
asterisk -- Multiple Vulnerabilities
Asterisk project reports: It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. When the "automon" feature is enabled in features.conf, it is possibl...
isc-dhcp-server -- Remote DoS
ISC reports: A bug exists which allows an attacker who is able to send DHCP Request packets, either directly or through a relay, to remotely crash an ISC DHCP server if that server is configured to evaluate expressions using a regular expression (i.e. uses the "~=" or "~~" comparison operators)...
acroread9 -- Multiple Vulnerabilities
The Adobe Security Team reports: An unspecified vulnerability in the U3D component allows remote attackers to execute arbitrary code or cause a denial of service attack via unknown vectors. A heap-based buffer overflow allows attackers to execute arbitrary code via unspecified vectors...
opera -- multiple vulnerabilities
Opera software reports: Fixed a moderately severe issue; details will be disclosed at a later date Fixed an issue that could allow pages to set cookies or communicate cross-site for some top level domains; see our advisory Improved handling of certificate revocation corner cases Added a fix for a...
openx -- undisclosed security issue
OpenX does not provide information about vulnerabilities beyond their existence...
proftpd -- arbitrary code execution vulnerability with chroot
The FreeBSD security advisory FreeBSD-SA-11:07.chroot reports: If ftpd is configured to place a user in a chroot environment, then an attacker who can log in as that user may be able to run arbitrary code.... Proftpd shares the same problem of a similar nature...
lighttpd -- remote DoS in HTTP authentication
US-CERT/NIST reports: Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that...
bugzilla -- multiple vulnerabilities
A Bugzilla Security Advisory reports: The following security issues have been discovered in Bugzilla: Tabular and graphical reports, as well as new charts have a debug mode which displays raw data as plain text. This text is not correctly escaped and a crafted URL could use this vulnerability to...
phpMyAdmin -- Multiple XSS
The phpMyAdmin development team reports: Using crafted database names, it was possible to produce XSS in the Database Synchronize and Database rename panels. Using an invalid and crafted SQL query, it was possible to produce XSS when editing a query on a table overview panel or when using the vie...
hiawatha -- memory leak in PreventSQLi routine
Hugo Leisink reports via private mail to maintainer: The memory leak was introduced in version 7.6. It is in the routine that checks for SQL injections. So, if you have set PreventSQLi to 'no', there is no problem...
BIND -- Remote DOS
The Internet Systems Consortium reports: Organizations across the Internet reported crashes interrupting service on BIND 9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))"...
linux-flashplugin -- multiple vulnerabilities
Adobe Product Security Incident Response Team reports: Critical vulnerabilities have been identified in Adobe Flash Player 11.0.1.152 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.0.1.153 and earlier versions for Android. In addition a patch was release...
phpmyadmin -- Local file inclusion
Jan Lieskovsky reports: Importing a specially-crafted XML file which contains an XML entity injection permits to retrieve a local file limited by the privileges of the user running the web server...
ChaSen -- buffer overflow
JVN iPedia reports: ChaSen provided by Nara Institute of Science and Technology is a software for morphologically analyzing Japanese. ChaSen contains an issue when reading in strings, which may lead to a buffer overflow. An arbitrary script may be executed by an attacker with access to a system...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2011-46 loadSubScript unwraps XPCNativeWrapper scope parameter 1.9.2 branch MFSA 2011-47 Potential XSS against sites using Shift-JIS MFSA 2011-48 Miscellaneous memory safety hazards rv:8.0 MFSA 2011-49 Memory corruption while profiling using Firebug MFSA 2011-50...
gnutls -- client session resumption vulnerability
The GnuTLS team reports: GNUTLS-SA-2011-2 Possible buffer overflow/Denial of service...
php5 -- header splitting attack via carriage-return character
Rui Hirokawa reports: As of PHP 5.1.2, header() can no longer be used to send multiple response headers in a single call, to prevent the HTTP Response Splitting Attack. header() only checks the linefeed (LF, 0x0A) as line-end marker; it doesn't check the carriage-return (CR, 0x0D). However, some browsers...
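The gap between an LF-only check and a CR-tolerant client, as an added example that is not PHP's own header() implementation: `header_lf_only` models the check described above, `header_strict` additionally refuses CR (and NUL), and `split_lenient_client` models a client that accepts a bare CR as a line terminator. The function names and the redirect target are constructed for the illustration.

```python
"""Why checking only LF in a header value is not enough.

Added example, not PHP's code. Sample header values are constructed.
"""
import re


def header_lf_only(line: str) -> str:
    """Approximate the check described above: refuse a header only if it contains LF."""
    if "\n" in line:
        raise ValueError("header may not contain newline")
    return line


def header_strict(line: str) -> str:
    """Refuse CR, LF and NUL; this closes the bare-CR variant."""
    if re.search(r"[\r\n\x00]", line):
        raise ValueError("header may not contain CR, LF or NUL")
    return line


def split_lenient_client(raw_headers: str) -> list:
    """How a tolerant HTTP client splits headers: CRLF, LF or a bare CR all end a line."""
    return [h for h in re.split(r"\r\n|\r|\n", raw_headers) if h]


def redirect_header(target: str, check=header_strict) -> str:
    """Build a Location header from a user-controlled target, passing it through `check`."""
    return check("Location: " + target)


if __name__ == "__main__":
    # Constructed attacker-controlled redirect target with an embedded bare CR.
    target = "http://example.test/\rSet-Cookie: session=attacker"
    hdr = redirect_header(target, check=header_lf_only)   # passes the LF-only check
    print(split_lenient_client(hdr))                      # the client now sees two headers
    try:
        redirect_header(target)                           # the strict check rejects it
    except ValueError as e:
        print("rejected:", e)
```

The strict check is the right default for any header-emitting API: the server cannot know which clients (or intermediaries) will be lenient about line terminators, so it has to refuse every byte that any of them might treat as one.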
caml-light -- insecure use of temporary files
caml-light uses mktemp insecurely, and also does unsafe things in /tmp during make install...
phpmyfaq -- Remote PHP Code Injection Vulnerability
The phpMyFAQ project reports: The phpMyFAQ Team has learned of a serious security issue that has been discovered in our bundled ImageManager library we use in phpMyFAQ 2.6 and 2.7. The bundled ImageManager library allows injection of arbitrary PHP code via POST requests...
phpLDAPadmin -- Remote PHP code injection vulnerability
EgiX n0b0d13s at gmail dot com reports: The $sortby parameter passed to 'masort' function in file lib/functions.php isn't properly sanitized before being used in a call to create_function at line 1080. This can be exploited to inject and execute arbitrary PHP code. The only possible attack vector ...
tomcat -- Denial of Service
The Tomcat security team reports: Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values. These inefficiencies could allow an attacker, via a specially crafted request, to cause larg...
kdeutils4 -- Directory traversal vulnerability
Tim Brown from Nth Dimention reports: I recently discovered that the Ark archiving tool is vulnerable to directory traversal via malformed. When attempts are made to view files within the malformed Zip file in Ark's default view, the wrong file may be displayed due to incorrect construction of th...
piwik -- unknown critical vulnerabilities
Secunia reports: Multiple vulnerabilities with an unknown impact have been reported in Piwik. The vulnerabilities are caused due to unspecified errors. No further information is currently available...
Xorg server -- two vulnerabilities in X server lock handling code
Matthieu Herrb reports: It is possible to deduce if a file exists or not by exploiting the way that Xorg creates its lock files. This is caused by the fact that the X server is behaving differently if the lock file already exists as a symbolic link pointing to an existing or non-existing file. It...
asterisk -- remote crash vulnerability in SIP channel driver
Asterisk project reports: A remote authenticated user can cause a crash with a malformed request due to an uninitialized variable...
freetype -- Some type 1 fonts handling vulnerabilities
The FreeType project reports: A couple of vulnerabilities in handling Type 1 fonts...
Apache 1.3 -- mod_proxy reverse proxy exposure
Apache HTTP server project reports: An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from...
apache -- multiple vulnerabilities
CVE MITRE reports: An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from...
kdelibs4, rekonq -- input validation failure
KDE Security Advisory reports: The default rendering type for a QLabel is QLabel::AutoText, which uses heuristics to determine whether to render the given content as plain text or rich text. KSSL and Rekonq did not properly force its QLabels to use QLabel::PlainText. As a result, if given a...
FreeBSD -- Buffer overflow in handling of UNIX socket addresses
Problem Description: When a UNIX-domain socket is attached to a location using the bind(2) system call, the length of the provided path is not validated. Later, when this address was returned via other system calls, it is copied into a fixed-length buffer. Linux uses a larger socket address structu...
FreeBSD -- errors handling corrupt compress file in compress(1) and gzip(1)
Problem Description: The code used to decompress a file created by compress(1) does not do sufficient boundary checks on compressed code words, allowing reference beyond the decompression table, which may result in a stack overflow or an infinite loop when the decompressor encounters a corrupted fi...
Mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2011-36 Miscellaneous memory safety hazards rv:7.0 / rv:1.9.2.23 MFSA 2011-37 Integer underflow when using JavaScript RegExp MFSA 2011-38 XSS via plugins and shadowed window.location object MFSA 2011-39 Defense against multiple Location headers due to CRLF...
quagga -- multiple vulnerabilities
CERT-FI reports: Five vulnerabilities have been found in the BGP, OSPF, and OSPFv3 components of Quagga. The vulnerabilities allow an attacker to cause a denial of service or potentially to execute his own code by sending specially modified packets to an affected server. Routing messages are...