Section: .. / 1001-advisories /
| /// File Name: |
glsa-201001-09.txt |
Description:
|
Gentoo Linux Security Advisory 201001-9 - An input sanitation flaw in the WEBrick HTTP server included in Ruby might allow remote attackers to inject arbitrary control characters into terminal sessions. Giovanni Pellerano, Alessandro Tanasi and Francesco Ongaro reported that WEBrick does not filter terminal control characters, for instance when handling HTTP logs. Versions less than 1.8.7_p249 are affected.
| | Author: | Gentoo | | Homepage: | http://security.gentoo.org | | File Size: | 3029 | | Related CVE(s): | CVE-2009-4492 | | Last Modified: | Jan 14 11:19:15 2010 |
| MD5 Checksum: | 40e7e73f6ac553fab02aa8a843f35873 |
|
| /// File Name: |
HPSBMA02485-SSRT090252.txt |
Description:
|
HP Security Bulletin - Potential security vulnerabilities have been identified with HP Power Manager. The vulnerabilities could be exploited remotely to execute arbitrary code.
| | Homepage: | http://www.hp.com/ | | File Size: | 5774 | | Related CVE(s): | CVE-2009-3999, CVE-2009-4000 | | Last Modified: | Jan 19 22:20:07 2010 |
| MD5 Checksum: | 5e53e5a790d7e6cf8aab781d346210ce |
|
| /// File Name: |
HPSBMA02502-SSRT090171.txt |
Description:
|
HP Security Bulletin - A potential security vulnerability has been identified with HP OpenView Storage Data Protector. The vulnerability could be exploited to gain unauthorized access.
| | Homepage: | http://www.hp.com/ | | File Size: | 8312 | | Related CVE(s): | CVE-2009-4183 | | Last Modified: | Jan 27 13:07:38 2010 |
| MD5 Checksum: | 4c455a83d8b462fe921015938e3d450c |
|
| /// File Name: |
HPSBPI02500-SSRT090263.txt |
Description:
|
HP Security Bulletin - Potential security vulnerabilities have been identified with HP Web Jetadmin. The vulnerabilities could be exploited remotely to gain unauthorized access to data or to create a Denial of Service (DoS).
| | Homepage: | http://www.hp.com/ | | File Size: | 6301 | | Related CVE(s): | CVE-2009-4182 | | Last Modified: | Jan 13 22:11:29 2010 |
| MD5 Checksum: | bb3d984177192513151c14e215a9184d |
|
| /// File Name: |
ibmdatapower-dos.txt |
Description:
|
The IBM DataPower XS40 Security Gateway suffers from a malformed packet denial of service vulnerability.
| | Author: | Erik | | Related Exploit: | ibmxs40-dos.txt | | File Size: | 1092 | | Last Modified: | Jan 27 09:03:55 2010 |
| MD5 Checksum: | 7d4dcdd955223c2a5fb24a52dda795b1 |
|
| /// File Name: |
ie678-exec.txt |
Description:
|
Internet Explorer versions 6, 7, and 7 suffers from a code execution URL validation vulnerability.
| | Author: | Lostmon | | Homepage: | http://lostmon.blogspot.com/ | | File Size: | 1695 | | Last Modified: | Jan 22 03:04:34 2010 |
| MD5 Checksum: | 7deb161324375f9c32b2d6ccdeec2991 |
|
| /// File Name: |
intel-dll.txt |
Description:
|
Intel just released updated drivers for ethernet network adapters and included vulnerable DLLs.
| | Author: | Stefan Kanthak | | File Size: | 709 | | Last Modified: | Jan 4 18:52:44 2010 |
| MD5 Checksum: | db944cb321fd843b417ec87cc8ed6e5c |
|
| /// File Name: |
kayako-xss.txt |
Description:
|
Kayako SupportSuite versions 3.60.04 and below suffer from cross site scripting vulnerabilities.
| | Homepage: | http://www.comodo.com/ | | File Size: | 1074 | | Last Modified: | Jan 22 17:32:25 2010 |
| MD5 Checksum: | 6b9d8f1e9ff43b1f195f7ad88d0e9ea4 |
|
| /// File Name: |
MDVSA-2009-220-1.txt |
Description:
|
Mandriva Linux Security Advisory 2009-220 - A vulnerability was found in xmltok_impl.c (expat) that with specially crafted XML could be exploited and lead to a denial of service attack. Related to CVE-2009-2625. This update fixes this vulnerability. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 2645 | | Related CVE(s): | CVE-2009-3720 | | Last Modified: | Jan 5 16:45:45 2010 |
| MD5 Checksum: | 519ad0aaf9f7de9d7a5a06b5ae943b5e |
|
| /// File Name: |
MDVSA-2009-227-1.txt |
Description:
|
Mandriva Linux Security Advisory 2009-227 - The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes. NOTE: this is a regression error related to CVE-2003-0967. This update provides a solution to this vulnerability. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 3940 | | Related CVE(s): | CVE-2009-3111 | | Last Modified: | Jan 11 17:18:18 2010 |
| MD5 Checksum: | 031906b09da3301302b1320b7fd45d99 |
|
| /// File Name: |
MDVSA-2009-241-1.txt |
Description:
|
Mandriva Linux Security Advisory 2009-241 - The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function. This update provides a solution to this vulnerability. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 2967 | | Related CVE(s): | CVE-2009-2855 | | Last Modified: | Jan 11 18:10:53 2010 |
| MD5 Checksum: | f4986b8ff810c1562933be0272c2e575 |
|
| /// File Name: |
MDVSA-2009-293-1.txt |
Description:
|
Mandriva Linux Security Advisory 2009-293 - Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4 allows remote attackers to cause a denial of service (application hang or loss of blocking functionality) via a long URL with many / (slash) characters, related to emergency mode. Multiple buffer overflows in squidGuard 1.4 allow remote attackers to bypass intended URL blocking via a long URL, related to (1) the relationship between a certain buffer size in squidGuard and a certain buffer size in Squid and (2) a redirect URL that contains information about the originally requested URL. squidGuard was upgraded to 1.2.1 for MNF2/CS3/CS4 with additional upstream security and bug fixes patches applied. This update fixes these vulnerabilities. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 3077 | | Related CVE(s): | CVE-2009-3700, CVE-2009-3826 | | Last Modified: | Jan 11 18:02:09 2010 |
| MD5 Checksum: | 293f7739421dfcd4f1fc2955c6437e73 |
|
| /// File Name: |
MDVSA-2009-300-1.txt |
Description:
|
Mandriva Linux Security Advisory 2009-300 - The Apache HTTP Server enables the HTTP TRACE method per default which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified web client software. This update provides a solution to this vulnerability. The wrong package was uploaded for 2009.1. This update addresses that problem.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 2561 | | Related CVE(s): | CVE-2009-2823 | | Last Modified: | Jan 7 14:00:49 2010 |
| MD5 Checksum: | 5646335a510afbcb073b2246e3310de4 |
|
| /// File Name: |
MDVSA-2009-300-2.txt |
Description:
|
Mandriva Linux Security Advisory 2009-300 - The Apache HTTP Server enables the HTTP TRACE method per default which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified web client software. This update provides a solution to this vulnerability. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 2551 | | Related CVE(s): | CVE-2009-2823 | | Last Modified: | Jan 7 14:30:34 2010 |
| MD5 Checksum: | 42b94f0a2ded687363fad43c92363120 |
|
| /// File Name: |
MDVSA-2009-316-1.txt |
Description:
|
Mandriva Linux Security Advisory 2009-316 - The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than and CVE-2009-3720. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers This update provides a solution to these vulnerabilities. This vulnerability was discovered in the bundled expat code in various softwares besides expat itself. As a precaution the affected softwares has preemptively been patched to prevent presumptive future exploitations of this issue.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 27252 | | Related CVE(s): | CVE-2009-3560 | | Last Modified: | Jan 8 20:42:08 2010 |
| MD5 Checksum: | d04931a023893e2574977321f731d560 |
|
| /// File Name: |
MDVSA-2009-316-2.txt |
Description:
|
Mandriva Linux Security Advisory 2009-316 - The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than and CVE-2009-3720. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers This update provides a solution to these vulnerabilities. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. SUSE discovered a regression with the previous patch fixing CVE-2009-3560. This regression is now being addressed with this update.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 28449 | | Related CVE(s): | CVE-2009-3560 | | Last Modified: | Jan 11 13:01:43 2010 |
| MD5 Checksum: | 8a1c6a9407a15672c9cb16af188b52cb |
|
| /// File Name: |
MDVSA-2009-316-3.txt |
Description:
|
Mandriva Linux Security Advisory 2009-316 - The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than and CVE-2009-3720. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers This update provides a solution to these vulnerabilities. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The previous (MDVSA-2009:316-2) updates provided packages for 2008.0/2009.0/2009.1/2010.0/mes5 that did not have an increased release number which prevented the packages from hitting the mirrors.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 6433 | | Related CVE(s): | CVE-2009-3560 | | Last Modified: | Jan 11 17:36:33 2010 |
| MD5 Checksum: | 74ea6fb6b4ef05a533850c5b278004b5 |
|
| /// File Name: |
MDVSA-2010-000.txt |
Description:
|
Mandriva Linux Security Advisory 2010-000 - The nsObserverList::FillObserverArray function in xpcom/ds/nsObserverList.cpp in Mozilla Firefox before 3.5.7 allows remote attackers to cause a denial of service (application crash) via a crafted web site that triggers memory consumption and an accompanying Low Memory alert dialog, and also triggers attempted removal of an observer from an empty observers array. Additionally, some packages which require so, have been rebuilt and are being provided as updates.
| | Homepage: | http://www.mandriva.com/security/ | | File Size: | 24598 | | Last Modified: | Jan 11 15:33:32 2010 |
| MD5 Checksum: | b123fa0e1eedf97f96d0694447fc8bb4 |
|
| /// File Name: |
MDVSA-2010-001.txt |
Description:
|
Mandriva Linux Security Advisory 2010-001 - The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client. Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides pidgin 2.6.5, which is not vulnerable to these issues.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 11488 | | Related CVE(s): | CVE-2009-3615, CVE-2010-0013 | | Last Modified: | Jan 12 17:30:01 2010 |
| MD5 Checksum: | e5b03601138caff85338a39af21a4bfc |
|
| /// File Name: |
MDVSA-2010-002.txt |
Description:
|
Mandriva Linux Security Advisory 2010-002 - Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. This update provides pidgin 2.6.5, which is not vulnerable to this issue.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 5319 | | Related CVE(s): | CVE-2010-0013 | | Last Modified: | Jan 12 17:30:29 2010 |
| MD5 Checksum: | 7226873ff6153f816a25acddb14064ab |
|
| /// File Name: |
MDVSA-2010-003.txt |
Description:
|
Mandriva Linux Security Advisory 2010-003 - sendmail before 8.14.4 does not properly handle a '\\0' (NUL) character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides a fix for this vulnerability.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 8965 | | Related CVE(s): | CVE-2009-4565 | | Last Modified: | Jan 12 17:30:56 2010 |
| MD5 Checksum: | c18ea676b8eb51367d52261fb2788cf0 |
|
| /// File Name: |
MDVSA-2010-004.txt |
Description:
|
Mandriva Linux Security Advisory 2010-004 - A vulnerability have been discovered in Mandriva bash package, which could allow a malicious user to hide files from the ls command, or garble its output by crafting files or directories which contain special characters or escape sequences. This update fixes the issue by disabling the display of control characters by default. Additionally, this update fixes the unsafe file creation in bash-doc sample scripts. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 6006 | | Related CVE(s): | CVE-2008-5374, CVE-2010-0002 | | Last Modified: | Jan 13 21:26:35 2010 |
| MD5 Checksum: | 0f04308e7d685c8034baa28de77dda21 |
|
| /// File Name: |
MDVSA-2010-005.txt |
Description:
|
Mandriva Linux Security Advisory 2010-005 - The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer. The asn1buf_imbed function in the ASN.1 decoder in MIT Kerberos 5 (aka krb5) 1.6.3, when PK-INIT is used, allows remote attackers to cause a denial of service (application crash) via a crafted length value that triggers an erroneous malloc call, related to incorrect calculations with pointer arithmetic. The updated packages have been patched to correct these issues.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 3619 | | Related CVE(s): | CVE-2009-0846, CVE-2009-0847 | | Last Modified: | Jan 13 22:07:30 2010 |
| MD5 Checksum: | 504795128323a810563a4ab2d8212cb4 |
|
| /// File Name: |
MDVSA-2010-006.txt |
Description:
|
Mandriva Linux Security Advisory 2010-006 - Multiple integer underflows in the (1) AES and (2) RC4 decryption functionality in the crypto library in MIT Kerberos 5 (aka krb5) 1.3 through 1.6.3, and 1.7 before 1.7.1, allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by providing ciphertext with a length that is too short to be valid. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue.
| | Author: | Mandriva | | Homepage: | http://www.mandriva.com/security/ | | File Size: | 14563 | | Related CVE(s): | CVE-2009-4212 | | Last Modified: | Jan 13 22:14:39 2010 |
| MD5 Checksum: | 30a52e5f3a7875296841d488abaa6a7c |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
