Lucene search

3816 matches found

Gentoo Linux
• added 2011/10/26 12:0 a.m. • 63 views

Squid: Multiple vulnerabilities

Background Squid is a full-featured web proxy cache. Description Multiple vulnerabilities have been discovered in Squid. Please review the CVE identifiers referenced below for details. Impact Remote unauthenticated attackers may be able to execute arbitrary code with the privileges of the Squid...

CVSS 6.8 • AI score 8 • EPSS 0.64243 • Exploits 2

Gentoo Linux
• added 2011/10/26 12:0 a.m. • 44 views

Pure-FTPd: Multiple vulnerabilities

Background Pure-FTPd is a fast, production-quality and standards-compliant FTP server. Description Multiple vulnerabilities have been discovered in Pure-FTPd. Please review the CVE identifiers referenced below for details. Impact Remote unauthenticated attackers may be able to inject FTP commands...

CVSS 5.8 • AI score 2.9 • EPSS 0.33341 • Exploits 5

Gentoo Linux
• added 2011/10/25 12:0 a.m. • 48 views

Apache mod_authnz_external: SQL injection

Background mod_authnz_external is a tool for creating custom authentication backends for HTTP basic authentication. Description mysql/mysql-auth.pl in mod_authnz_external does not properly sanitize input before using it in an SQL query. Impact A remote attacker could exploit this vulnerability to...

CVSS 7.5 • AI score 2.1 • EPSS 0.05659 • Exploits 0

Gentoo Linux
• added 2011/10/25 12:0 a.m. • 58 views

PostgreSQL: Multiple vulnerabilities

Background PostgreSQL is an open source object-relational database management system. Description Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details. Impact A remote authenticated attacker could send a specially crafted SQL...

CVSS 8.5 • AI score 8.5 • EPSS 0.13255 • Exploits 14

Gentoo Linux
• added 2011/10/24 12:0 a.m. • 41 views

Clam AntiVirus: Multiple vulnerabilities

Background Clam AntiVirus (short: ClamAV) is an anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. Description Multiple vulnerabilities have been discovered in Clam AntiVirus. Please review the CVE identifiers referenced below for details. Impact An unauthenticat...

CVSS 9.3 • AI score 7.4 • EPSS 0.06533 • Exploits 0

Gentoo Linux
• added 2011/10/24 12:0 a.m. • 46 views

Asterisk: Multiple vulnerabilities

Background Asterisk is an open source telephony engine and toolkit. Description Multiple vulnerabilities have been discovered in Asterisk. Please review the CVE identifiers referenced below for details. Impact An unauthenticated remote attacker may execute code with the privileges of the Asterisk...

CVSS 9 • AI score 7.5 • EPSS 0.04612 • Exploits 0

Gentoo Linux
• added 2011/10/22 12:0 a.m. • 22 views

rgmanager: Privilege escalation

Background rgmanager is a clustered resource group manager. Description A vulnerability has been discovered in rgmanager. Please review the CVE identifier referenced below for details. Impact A local attacker could gain escalated privileges. Workaround There is no known workaround at this time...

CVSS 6.9 • AI score 9.1 • EPSS 0.00417 • Exploits 1

Gentoo Linux
• added 2011/10/22 12:0 a.m. • 33 views

Avahi: Denial of service

Background Avahi is a system which facilitates service discovery on a local network. Description Multiple vulnerabilities have been discovered in Avahi. Please review the CVE identifiers referenced below for details. Impact A remote attacker could cause a Denial of Service. Workaround There is no...

CVSS 5 • AI score 8.5 • EPSS 0.29361 • Exploits 2

Gentoo Linux
• added 2011/10/22 12:0 a.m. • 36 views

GnuPG: User-assisted execution of arbitrary code

Background The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of cryptographic software. The GPGSM utility in GnuPG is responsible for processing X.509 certificates, signatures and encryption as well as S/MIME messages. Description The GPGSM utility in GnuPG contains a...

CVSS 8.1 • AI score 7.5 • EPSS 0.05342 • Exploits 0

Gentoo Linux
• added 2011/10/22 12:0 a.m. • 33 views

X.Org X Server: Multiple vulnerabilities

Background The X Window System is a graphical windowing system based on a client/server model. Description vladz reported the following vulnerabilities in the X.Org X server: The X.Org X server follows symbolic links when trying to access the lock file for a X display, showing a predictable...

CVSS 1.9 • AI score 6.5 • EPSS 0.00605 • Exploits 5

Gentoo Linux
• added 2011/10/22 12:0 a.m. • 51 views

Cyrus IMAP Server: Multiple vulnerabilities

Background The Cyrus IMAP Server is an efficient, highly-scalable IMAP e-mail server. Description Multiple vulnerabilities have been discovered in the Cyrus IMAP Server. Please review the CVE identifiers referenced below for details. Impact An unauthenticated local or remote attacker may be able ...

CVSS 7.5 • AI score 6.8 • EPSS 0.05365 • Exploits 0

Gentoo Linux
• added 2011/10/21 12:0 a.m. • 41 views

D-Bus: Multiple vulnerabilities

Background D-Bus is a message bus system, a simple way for applications to talk to each other. Description Multiple vulnerabilities have been discovered in D-Bus. Please review the CVE identifiers referenced below for details. Impact The vulnerabilities allow for local Denial of Service daemon...

CVSS 4.6 • AI score 6.8 • EPSS 0.0058 • Exploits 1

Gentoo Linux
• added 2011/10/18 12:0 a.m. • 53 views

Tor: Multiple vulnerabilities

Background Tor is an implementation of second generation Onion Routing, a connection-oriented anonymizing communication service. Description Multiple vulnerabilities have been discovered in Tor. Please review the CVE identifiers referenced below for details. Impact A remote unauthenticated attack...

CVSS 6.8 • AI score 4.2 • EPSS 0.04444 • Exploits 0

Gentoo Linux
• added 2011/10/15 12:0 a.m. • 24 views

Unbound: Denial of service

Background Unbound is a validating, recursive, and caching DNS resolver. Description Multiple vulnerabilities have been discovered in unbound. Please review the CVE identifiers referenced below for details. Impact A remote attacker could cause a Denial of Service. Workaround There is no known...

CVSS 5 • AI score 6.7 • EPSS 0.07085 • Exploits 1

Gentoo Linux
• added 2011/10/13 12:0 a.m. • 24 views

Conky: Privilege escalation

Background Conky is an advanced, highly configurable system monitor for X. Description A privilege escalation vulnerability due to an insecure temporary file was found in Conky. Impact A local attacker could possibly overwrite arbitrary files with the privileges of the user running Conky...

CVSS 6.3 • AI score 6.7 • EPSS 0.00442 • Exploits 1

Gentoo Linux
• added 2011/10/13 12:0 a.m. • 38 views

feh: Multiple vulnerabilities

Background feh is a fast, lightweight image viewer using imlib2. Description Multiple vulnerabilities have been discovered in feh. Please review the CVE identifiers referenced below for details. Impact A malicious entity might entice a user to visit a URL using the --wget-timestamp option, thus...

CVSS 5.1 • AI score 6.9 • EPSS 0.06623 • Exploits 1

Gentoo Linux
• added 2011/10/13 12:0 a.m. • 25 views

Wget: User-assisted file creation or overwrite

Background GNU Wget is a free software package for retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols. Description It was discovered that Wget was unsafely trusting server-provided filenames. This allowed attackers to overwrite or create files on the user's system...

CVSS 6.8 • AI score 6.8 • EPSS 0.04214 • Exploits 0

Gentoo Linux
• added 2011/10/13 12:0 a.m. • 46 views

Adobe Flash Player: Multiple vulnerabilities

Background The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Description Multiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers and Adobe Security Advisories and Bulletins reference...

CVSS 10 • AI score 4.1 • EPSS 0.9941 • Exploits 59

Gentoo Linux
• added 2011/10/10 12:0 a.m. • 32 views

vsftpd: Denial of service

Background vsftpd is a very secure FTP daemon written with speed, size and security in mind. Description A Denial of Service vulnerability was discovered in vsftpd. Please review the CVE identifier referenced below for details. Impact A remote authenticated attacker could cause a Denial of Servic...

CVSS 4 • AI score 3.6 • EPSS 0.7332 • Exploits 9

Gentoo Linux
• added 2011/10/10 12:0 a.m. • 112 views

PHP: Multiple vulnerabilities

Background PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Description Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact A...

CVSS 10 • AI score 8.1 • EPSS 0.22724 • Exploits 94

Gentoo Linux
• added 2011/10/10 12:0 a.m. • 40 views

Dovecot: Multiple vulnerabilities

Background Dovecot is an IMAP and POP3 server written with security primarily in mind. Description Multiple vulnerabilities have been discovered in Dovecot. Please review the CVE identifiers referenced below for details. Impact A remote attacker could exploit these vulnerabilities to cause the...

CVSS 7.5 • AI score 7.2 • EPSS 0.0404 • Exploits 0

Gentoo Linux
• added 2011/10/10 12:0 a.m. • 47 views

Bugzilla: Multiple vulnerabilities

Background Bugzilla is the bug-tracking system from the Mozilla project. Description Multiple vulnerabilities have been discovered in Bugzilla. Please review the CVE identifiers referenced below for details. Impact A remote attacker could conduct cross-site scripting attacks, conduct script...

CVSS 7.5 • AI score 9.5 • EPSS 0.02713 • Exploits 5

Gentoo Linux
• added 2011/10/10 12:0 a.m. • 52 views

GnuTLS: Multiple vulnerabilities

Background GnuTLS is an Open Source implementation of the TLS 1.2 and SSL 3.0 protocols. Description Multiple vulnerabilities have been discovered in GnuTLS. Please review the CVE identifiers referenced below for details. Impact An attacker could perform man-in-the-middle attacks to spoof arbitra...

CVSS 7.5 • AI score 6.8 • EPSS 0.87264 • Exploits 14

Gentoo Linux
• added 2011/10/09 12:0 a.m. • 52 views

Wireshark: Multiple vulnerabilities

Background Wireshark is a versatile network protocol analyzer. Description Multiple vulnerabilities have been discovered in Wireshark. Please review the CVE identifiers referenced below for details. Impact A remote attacker could send specially crafted packets on a network being monitored by...

CVSS 10 • AI score 7.3 • EPSS 0.41744 • Exploits 46

Gentoo Linux
• added 2011/10/09 12:0 a.m. • 68 views

OpenSSL: Multiple vulnerabilities

Background OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library. Description Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced...

CVSS 10 • AI score 8.6 • EPSS 0.22145 • Exploits 10

Gentoo Linux
• added 2011/01/21 12:0 a.m. • 48 views

Adobe Flash Player: Multiple vulnerabilities

Background The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Description Multiple vulnerabilities were discovered in Adobe Flash Player. For further information please consult the CVE entries and the Adobe Security Bulletins...

CVSS 9.3 • AI score 9.6 • EPSS 0.82296 • Exploits 47

Gentoo Linux
• added 2011/01/21 12:0 a.m. • 36 views

Adobe Reader: Multiple vulnerabilities

Background Adobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF reader. Description Multiple vulnerabilities were discovered in Adobe Reader. For further information please consult the CVE entries and the Adobe Security Bulletins referenced below. Impact A remote attacker might entic...

CVSS 9.3 • AI score 9.9 • EPSS 0.82485 • Exploits 29

Gentoo Linux
• added 2011/01/16 12:0 a.m. • 39 views

IO::Socket::SSL: Certificate validation error

Background IO::Socket::SSL is a Perl class implementing an object oriented interface to SSL sockets. Description The vendor reported that IO::Socket::SSL does not properly handle Common Name (CN) fields. Impact A remote attacker might employ a specially crafted certificate to conduct...

CVSS 4.3 • AI score 6.2 • EPSS 0.00996 • Exploits 0

Gentoo Linux
• added 2011/01/16 12:0 a.m. • 38 views

Prewikka: password disclosure

Background Prewikka is a graphical front-end analysis console for the Prelude Hybrid IDS Framework. Description The permissions of the prewikka.conf file are set world readable. Impact A local attacker could obtain the SQL database password used by Prewikka. Workaround There is no known workaroun...

CVSS 2.1 • AI score 6.6 • EPSS 0.0034 • Exploits 0

Gentoo Linux
• added 2011/01/16 12:0 a.m. • 39 views

OpenAFS: Arbitrary code execution

Background OpenAFS is a distributed file system. Description Two vulnerabilities were discovered: Simon Wilkinson discovered from a bug report by Toby Blake that the cache manager of OpenAFS contains a heap-based buffer overflow which is related to the use of the ERR_PTR macro (CVE-2009-1250). A...

CVSS 10 • AI score 8 • EPSS 0.06438 • Exploits 2

Gentoo Linux
• added 2011/01/15 12:0 a.m. • 27 views

libvpx: User-assisted execution of arbitrary code

Background libvpx is the VP8 codec SDK used to encode and decode video streams, typically within a WebM format media file. Description libvpx is vulnerable to an integer overflow vulnerability when processing crafted VP8 video streams. Impact A remote attacker could entice a user to open a...

CVSS 10 • AI score 9.5 • EPSS 0.04569 • Exploits 1

Gentoo Linux
• added 2011/01/15 12:0 a.m. • 18 views

aria2: Directory traversal

Background aria2 is a download utility with resuming and segmented downloading with HTTP/HTTPS/FTP/BitTorrent support. Description A directory traversal vulnerability was discovered in aria2. Impact A remote attacker could entice a user to download from a specially crafted metalink file, resultin...

CVSS 4.3 • AI score 6.4 • EPSS 0.03159 • Exploits 0

Gentoo Linux
• added 2011/01/15 12:0 a.m. • 21 views

Tor: Remote heap-based buffer overflow

Background Tor is an implementation of second generation Onion Routing, a connection-oriented anonymizing communication service. Description Tor contains a heap-based buffer overflow in the processing of user or attacker supplied data. No additional information is available. Impact Successful...

CVSS 10 • AI score 7.7 • EPSS 0.07876 • Exploits 0

Gentoo Linux
• added 2011/01/05 12:0 a.m. • 28 views

gif2png: User-assisted execution of arbitrary code

Background gif2png is a command line program that converts image files from the Graphics Interchange Format (GIF) format to the Portable Network Graphics (PNG) format. Description gif2png contains a command line parsing vulnerability that may result in a stack overflow due to an unexpectedly long inp...

CVSS 6.8 • AI score 7.2 • EPSS 0.10901 • Exploits 1

Gentoo Linux
• added 2010/12/17 12:0 a.m. • 22 views

Chromium: Multiple vulnerabilities

Background Chromium is an open-source web browser project. Description Multiple vulnerabilities were found in Chromium. For further information please consult the release notes referenced below. Impact A remote attacker could trick a user to perform a set of UI actions that trigger a possibly...

AI score 1.3 • Exploits 0

Gentoo Linux
• added 2010/11/15 12:0 a.m. • 62 views

GNU C library: Multiple vulnerabilities

Background The GNU C library is the standard C library used by Gentoo Linux systems. Description Multiple vulnerabilities were found in glibc, amongst others the widely-known recent LD_AUDIT and $ORIGIN issues. For further information please consult the CVE entries referenced below. Impact A local...

CVSS 7.2 • AI score 8.8 • EPSS 0.11222 • Exploits 36

Gentoo Linux
• added 2010/10/05 12:0 a.m. • 43 views

Libpng: Multiple vulnerabilities

Background libpng is a standard library used to process PNG (Portable Network Graphics) images. It is used by several programs, including web browsers and potentially server processes. Description Multiple vulnerabilities were found in libpng: The png_decompress_chunk function in pngrutil.c does not...

CVSS 9.8 • AI score 10 • EPSS 0.43382 • Exploits 7

Gentoo Linux
• added 2010/09/29 12:0 a.m. • 27 views

fence: Multiple symlink vulnerabilities

Background fence is an I/O group fencing system. Description The fence_apc, fence_apc_snmp (CVE-2008-4579) and fence_manual (CVE-2008-4580) programs contain symlink vulnerabilities. Impact These vulnerabilities may allow arbitrary files to be overwritten with root privileges. Workaround There is no known...

CVSS 7.2 • AI score 6.8 • EPSS 0.00363 • Exploits 0

Gentoo Linux
• added 2010/09/21 12:0 a.m. • 17 views

python-updater: Untrusted search path

Background python-updater is a script used to remerge python packages when changing Python version. Description Robert Buchholz of the Gentoo Security Team reported that python-updater includes the current working directory and subdirectories in the Python module search path (sys.path) before calli...

AI score 2.7 • Exploits 0

Gentoo Linux
• added 2010/09/21 12:0 a.m. • 53 views

libxml2: Denial of service

Background libxml2 is a library to manipulate XML files. Description The following vulnerabilities were reported after a test with the Codenomicon XML fuzzing framework: Two use-after-free vulnerabilities are possible when parsing a XML file with Notation or Enumeration attribute types...

CVSS 6.5 • AI score 7.3 • EPSS 0.03121 • Exploits 2

Gentoo Linux
• added 2010/09/07 12:0 a.m. • 34 views

SARG: User-assisted execution of arbitrary code

Background SARG is the Squid Analysis Report Generator. Description Multiple vulnerabilities were discovered in SARG. For further information please consult the CVE entries referenced below. Impact These vulnerabilities might allow attackers to execute arbitrary code via unknown vectors. NOTE: Th...

CVSS 10 • AI score 7.3 • EPSS 0.03779 • Exploits 1

Gentoo Linux
• added 2010/09/07 12:0 a.m. • 46 views

Adobe Reader: Multiple vulnerabilities

Background Adobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF reader. Description Multiple vulnerabilities were discovered in Adobe Reader. For further information please consult the CVE entries and the Adobe Security Bulletins referenced below. Impact A remote attacker might entic...

CVSS 10 • AI score 9.7 • EPSS 0.88246 • Exploits 74

Gentoo Linux
• added 2010/09/07 12:0 a.m. • 23 views

sudo: Privilege Escalation

Background sudo allows a system administrator to give users the ability to run commands as other users. Description Multiple vulnerabilities have been reported in sudo: Evan Broder and Anders Kaseorg of Ksplice, Inc. reported that the sudo 'secure path' feature does not properly handle multiple...

CVSS 6.2 • AI score 10 • EPSS 0.00457 • Exploits 1

Gentoo Linux
• added 2010/09/07 12:0 a.m. • 37 views

Clam AntiVirus: Multiple vulnerabilities

Background Clam AntiVirus (short: ClamAV) is an anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. Description Multiple vulnerabilities were discovered in Clam AntiVirus. For further information, please consult the CVE entries referenced below. Impact A remote...

CVSS 10 • AI score 9.5 • EPSS 0.04894 • Exploits 0

Gentoo Linux
• added 2010/09/06 12:0 a.m. • 19 views

Maildrop: privilege escalation

Background maildrop is the mail filter/mail delivery agent that is used by the Courier Mail Server. Description Christoph Anton Mitterer reported that maildrop does not properly drop its privileges when run as root. Impact A local attacker could create a specially crafted .mailfilter file, possib...

CVSS 6.9 • AI score 6.6 • EPSS 0.00423 • Exploits 1

Gentoo Linux
• added 2010/09/02 12:0 a.m. • 29 views

wxGTK: User-assisted execution of arbitrary code

Background wxGTK is the GTK+ version of wxWidgets, a cross-platform C++ GUI toolkit. Description wxGTK is prone to an integer overflow error in the wxImage::Create function in src/common/image.cpp, possibly leading to a heap-based buffer overflow. Impact A remote attacker might entice a user to...

CVSS 6.8 • AI score 7.2 • EPSS 0.02816 • Exploits 0

Gentoo Linux
• added 2010/06/14 12:0 a.m. • 99 views

UnrealIRCd: Multiple vulnerabilities

Background UnrealIRCd is an Internet Relay Chat (IRC) daemon. Description Multiple vulnerabilities have been reported in UnrealIRCd: The vendor reported a buffer overflow in the user authorization code (CVE-2009-4893). The vendor reported that the distributed source code of UnrealIRCd was compromised...

CVSS 7.5 • AI score 8 • EPSS 0.83534 • Exploits 9

Gentoo Linux
• added 2010/06/04 12:0 a.m. • 43 views

Asterisk: Multiple vulnerabilities

Background Asterisk is an open source telephony engine and toolkit. Description Multiple vulnerabilities have been reported in Asterisk: Nick Baggott reported that Asterisk does not properly process overly long ASCII strings in various packets (CVE-2009-2726). Noam Rathaus and Blake Cornell reporte...

CVSS 7.8 • AI score 9.7 • EPSS 0.13355 • Exploits 3

Gentoo Linux
• added 2010/06/04 12:0 a.m. • 42 views

Bugzilla: Multiple vulnerabilities

Background Bugzilla is a bug tracking system from the Mozilla project. Description Multiple vulnerabilities have been reported in Bugzilla. Please review the CVE identifiers referenced below for details. Impact A remote attacker might be able to disclose local files, bug information, passwords, a...

CVSS 7.5 • AI score 6.9 • EPSS 0.05642 • Exploits 4

Gentoo Linux
• added 2010/06/04 12:0 a.m. • 61 views

Oracle JRE/JDK: Multiple vulnerabilities

Background The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) provide the Oracle Java platform (formerly known as Sun Java Platform). Description Multiple vulnerabilities have been reported in the Oracle Java...

CVSS 10 • AI score 7.8 • EPSS 0.96166 • Exploits 53

Total number of security vulnerabilities: 3816