Unbound -- an empty error packet handling assertion failure
Unbound developer reports: NLnet Labs was notified of an error in Unbound's code-path for error replies which is triggered under special conditions. The error causes the program to abort...
drupal6 -- multiple vulnerabilities
Drupal Team reports: A reflected cross site scripting vulnerability was discovered in Drupal's error handler. Drupal displays PHP errors in the messages area, and a specially crafted URL can cause malicious scripts to be injected into the message. The issue can be mitigated by disabling on-screen...
Apache APR -- DoS vulnerabilities
The Apache Portable Runtime Project reports: A flaw was discovered in the apr_fnmatch function in the Apache Portable Runtime (APR) library 1.4.4 (or any backported versions that contained the upstream fix for CVE-2011-0419). This could cause httpd workers to enter a hung state (100% CPU utilization)...
Apache APR -- DoS vulnerabilities
The Apache Portable Runtime Project reports: Reimplement apr_fnmatch from scratch using a non-recursive algorithm; now has improved compliance with the fnmatch spec...
libvncserver -- memory corruption
Petr Pisar reports: libvncserver/tight.c:rfbTightCleanup frees a buffer without zeroing freed pointer...
Opera -- code injection vulnerability through broken frameset handling
Opera Software ASA reports: Fixed an issue with framesets that could allow execution of arbitrary code, as reported by an anonymous contributor working with the SecuriTeam Secure Disclosure program...
ViewVC -- user-reachable override of cvsdb row limit
ViewVC.org reports: Security fix: remove user-reachable override of cvsdb row limit...
linux-flashplugin -- cross-site scripting vulnerability
Adobe Product Security Incident Response Team reports: An important vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. This universal cross-site...
linux-flashplugin -- multiple vulnerabilities
Adobe Product Security Incident Response Team reports: Critical vulnerabilities have been identified in Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.25 and earlier versions for Android. These vulnerabilities could...
linux-flashplugin -- remote code execution vulnerability
Adobe Product Security Incident Response Team reports: A critical vulnerability has been identified in Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.23 and earlier versions for Android. This memory corruption...
Exim -- remote code execution and information disclosure
Release notes for Exim 4.76 say: Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to a format-string attack -- SECURITY: remote arbitrary code execution. DKIM signature header parsing was double-expanded, second time unintentionally subject to list matching rules, letting the header caus...
Apache APR -- DoS vulnerabilities
The Apache Portable Runtime Project reports: Note especially a security fix to APR 1.4.4, excessive CPU consumption was possible due to an unconstrained, recursive invocation of apr_fnmatch, as apr_fnmatch processed '*' wildcards. Reimplement apr_fnmatch from scratch using a non-recursive algorithm n...
Postfix -- memory corruption vulnerability
The Postfix SMTP server has a memory corruption error, when the Cyrus SASL library is used with authentication mechanisms other than PLAIN and LOGIN (ANONYMOUS is not affected, but should not be used for other reasons). This memory corruption is known to result in a program crash (SIGSEV)...
Zend Framework -- potential SQL injection when using PDO_MySql
The Zend Framework team reports: Developers using non-ASCII-compatible encodings in conjunction with the MySQL PDO driver of PHP may be vulnerable to SQL injection attacks. Developers using ASCII-compatible encodings like UTF8 or latin1 are not affected by this PHP issue...
mailman -- CSRF hardening in parts of the web interface
The late Tokio Kikuchi reported: We may have to set lifetime for input forms because of recent activities on cross-site request forgery (CSRF). The form lifetime is successfully deployed in frameworks like web.py or plone etc. Proposed branch lp:tkikuchi/mailman/form-lifetime implements lifetime in...
fetchmail -- STARTTLS denial of service
Matthias Andree reports: Fetchmail version 5.9.9 introduced STLS support for POP3, version 6.0.0 added STARTTLS for IMAP. However, the actual STARTTLS-initiated in-band SSL/TLS negotiation was not guarded by a timeout. Depending on the operating system defaults as to TCP stream keepalive mode,...
Mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2011-12 Miscellaneous memory safety hazards; MFSA 2011-13 Multiple dangling pointer vulnerabilities; MFSA 2011-14 Information stealing via form history; MFSA 2011-15 Escalation of privilege through Java Embedding Plugin; MFSA 2011-16 Directory traversal in resource:...
ejabberd -- remote denial of service vulnerability
It's reported in CVE advisory that: expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML documen...
Asterisk -- multiple vulnerabilities
The Asterisk Development Team reports: It is possible for a user of the Asterisk Manager Interface to bypass a security check and execute shell commands when they should not have that ability. Sending the "Async" header with the "Application" header during an Originate action, allows authenticate...
FreeBSD -- Network ACL mishandling in mountd(8)
Problem Description: While parsing the exports(5) table, a network mask in the form of "-network=netname/prefixlength" results in an incorrect network mask being computed if the prefix length is not a multiple of 8. For example, specifying the ACL for an export as "-network 192.0.2.0/23" would resu...
rt -- multiple vulnerabilities
Best Practical reports: In the process of preparing the release of RT 4.0.0, we performed an extensive security audit of RT's source code. During this audit, several vulnerabilities were found which affect earlier releases of RT...
mediawiki -- multiple vulnerabilities
Mediawiki reports: Bug 28534 XSS vulnerability for IE 6 clients. This is the third attempt at fixing bug 28235. Bug 28639 Potential privilege escalation when $wgBlockDisablesLogin is enabled...
krb5 -- MITKRB5-SA-2011-004, kadmind invalid pointer free() [CVE-2011-0285]
An advisory published by the MIT Kerberos team says: The password-changing capability of the MIT krb5 administration daemon kadmind has a bug that can cause it to attempt to free an invalid pointer under certain error conditions. This can cause the daemon to crash or induce the execution of...
rsync -- incremental recursion memory corruption vulnerability
rsync development team reports: Fixed a data-corruption issue when preserving hard-links without preserving file ownership, and doing deletions either before or during the transfer (CVE-2011-1097). This fixes some assert errors in the hard-linking code, and some potential failed checksums (via -c) th...
VLC -- Heap corruption in MP4 demultiplexer
VideoLAN project reports: When parsing some MP4 (MPEG-4 Part 14) files, insufficient buffer size might lead to corruption of the heap...
xrdb -- root hole via rogue hostname
Matthias Hopf reports: By crafting hostnames with shell escape characters, arbitrary commands can be executed in a root environment when a display manager reads in the resource database via xrdb. These specially crafted hostnames can occur in two environments: Systems that are affected are: systems se...
isc-dhcp-client -- dhclient does not strip or escape shell meta-characters
ISC reports: ISC dhclient did not strip or escape certain shell meta-characters in responses from the dhcp server (like hostname) before passing the responses on to dhclient-script. Depending on the script and OS, this can result in execution of exploit code on the client...
pureftpd -- multiple vulnerabilities
Pure-FTPd development team reports: Support for braces expansion in directory listings has been disabled -- Cf. CVE-2011-0418. Fix a STARTTLS flaw similar to Postfix's CVE-2011-0411. If you're using TLS, upgrading is recommended...
gdm -- privilege escalation vulnerability
Sebastian Krahmer reports: It was discovered that the GNOME Display Manager (gdm) cleared the cache directory, which is owned by an unprivileged user, with the privileges of the root user. A race condition exists in gdm where a local user could take advantage of this by writing to the cache directo...
mozilla -- update to HTTPS certificate blacklist
The Mozilla Project reports: MFSA 2011-11 Update to HTTPS certificate blacklist...
php -- crash on crafted tag in exif
US-CERT/NIST reports: exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read...
php -- ZipArchive segfault with FL_UNCHANGED on empty archive
US-CERT/NIST reports: The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (application crash) via an empty ZIP archive that is...
krb5 -- MITKRB5-SA-2011-003, KDC vulnerable to double-free when PKINIT enabled
An advisory published by the MIT Kerberos team says: The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution which i...
OTRS -- Several XSS attacks possible
OTRS Security Advisory reports: Several XSS attacks possible: An attacker could trick a logged in user into following a prepared URL inside of the OTRS system which causes a page to be shown that possibly includes malicious JavaScript code because of incorrect escaping during the generation of the...
redmine -- XSS vulnerability
Jean-Philippe Lang reports: This maintenance release for 1.1.x users includes 13 bug fixes since 1.1.1 and a security fix (XSS vulnerability affecting all Redmine versions from 1.0.1 to 1.1.1)...
postfix -- plaintext command injection with SMTP over TLS
Wietse Venema has discovered a software flaw that allows an attacker to inject client commands into an SMTP session during the unprotected plaintext SMTP protocol phase, such that the server will execute those commands during the SMTP-over-TLS protocol phase when all communication is supposed to...
dtc -- multiple vulnerabilities
Ansgar Burchardt reports: Ansgar Burchardt discovered several vulnerabilities in DTC, a web control panel for admin and accounting hosting services: The bw_per_month.php graph contains an SQL injection vulnerability; insufficient checks in bw_per_month.php can lead to bandwidth usage information...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/1.9.1.17); MFSA 2011-02 Recursive eval call causes confirm dialogs to evaluate to true; MFSA 2011-03 Use-after-free error in JSON.stringify; MFSA 2011-04 Buffer overflow in JavaScript upvarMap; MFSA 2011-05 Buff...
asterisk -- Multiple Vulnerabilities
The Asterisk Development Team reports: The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1 resolve two issues: Resource exhaustion in Asterisk Manager Interface (AST-2011-003); Remote crash vulnerability in TCP/TLS server (AST-2011-004). The issues and resolutions are described in the AST-2011-0...
Samba -- Denial of service - memory corruption
The Samba team reports: Samba is vulnerable to a denial of service, caused by a memory corruption error related to missing range checks on file descriptors being used in the "FD_SET" macro. By performing a select on a bad file descriptor set, a remote attacker could exploit this vulnerability to...
subversion -- remote HTTP DoS vulnerability
Subversion project reports: Subversion HTTP servers up to 1.5.9 inclusive or 1.6.15 inclusive are vulnerable to a remotely triggerable NULL-pointer dereference...
hiawatha -- integer overflow in Content-Length header parsing
Hugo Leisink reports: A bug has been found in version 7.4 of the Hiawatha webserver, which could lead to a server crash. This is caused by an integer overflow in the routine that reads the HTTP request. A too large value of the Content-Length HTTP header results in an overflow...
asterisk -- Exploitable Stack and Heap Array Overflows
The Asterisk Development Team reports: The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an issue that when decoding UDPTL packets, multiple heap based arrays can be made to overflow by specially crafted packets. Systems configured for T.38 pass through or termination a...
moinmoin -- cross-site scripting via RST parser
MITRE CVE team reports: Cross-site scripting (XSS) vulnerability in the reStructuredText (rst) parser in parser/text_rst.py in MoinMoin before 1.9.4, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the refu...
avahi -- denial of service
Avahi developers report: A vulnerability has been reported in Avahi, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when processing certain UDP packets, which can be exploited to trigger an infinite loop by e.g. sending an...
PivotX -- administrator password reset vulnerability
US CERT reports: PivotX contains a vulnerability that allows an attacker to change the password of any account just by guessing the username. Version 2.2.4 has been reported to not be affected. This vulnerability is being exploited in the wild and users should immediately upgrade to 2.2.5 or late...
openldap -- two security bypass vulnerabilities
Secunia reports: Two vulnerabilities have been reported in OpenLDAP, which can be exploited by malicious people to bypass certain security restrictions. The vulnerabilities are reported in versions prior to 2.4.24...
mailman -- XSS vulnerability
CVE reports: Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message...
krb5 -- MITKRB5-SA-2011-001, kpropd denial of service
An advisory published by the MIT Kerberos team says: The MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial-of-service attack triggered by invalid network input. If a kpropd worker process receives invalid input that causes it to exit with an abnormal status, it can cause t...
phpMyAdmin -- multiple vulnerabilities
phpMyAdmin team reports: It was possible to create a bookmark which would be executed unintentionally by other users. When the files README, ChangeLog or LICENSE have been removed from their original place (possibly by the distributor), the scripts used to display these files can show their full...