puppet -- multiple vulnerabilities
Arbitrary file read on the puppet master from authenticated clients (high). It is possible to construct an HTTP get request from an authenticated client with a valid certificate that will return the contents of an arbitrary file on the Puppet master that the master has read-access to.
Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high). Given a Puppet master with the "Delete" directive allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default.
Insufficient input validation for agent hostnames (low). An attacker could trick the administrator into signing an attacker's certificate rather than the intended one by constructing specially crafted certificate requests containing specific ANSI control sequences. It is possible to use the sequences to rewrite the order of text displayed to an administrator such that display of an invalid certificate and valid certificate are transposed. If the administrator signs the attacker's certificate, the attacker can then man-in-the-middle the agent.
OTRS Security Advisory reports:
This advisory covers vulnerabilities discovered in the OTRS core system. This is a variance of the XSS vulnerability, where an attacker could send a specially prepared HTML email to OTRS which would cause JavaScript code to be executed in your browser while displaying the email. In this case this is achieved by using javascript source attributes with whitespaces.
OTRS Security Advisory reports:
This advisory covers vulnerabilities discovered in the OTRS core system. This is a variance of the XSS vulnerability, where an attacker could send a specially prepared HTML email to OTRS which would cause JavaScript code to be executed in your browser while displaying the email in Firefox and Opera. In this case this is achieved with an invalid HTML structure with nested tags.
OTRS Security Advisory reports:
This advisory covers vulnerabilities discovered in the OTRS core system. Due to the XSS vulnerability in Internet Explorer an attacker could send a specially prepared HTML email to OTRS which would cause JavaScript code to be executed in your Internet Explorer while displaying the email.
Squid developers report:
Due to missing input validation Squid cachemgr.cgi tool is vulnerable to a denial of service attack when processing specially crafted requests.
This problem allows any client able to reach the cachemgr.cgi to perform a denial of service attack on the service host.
The nature of the attack may cause secondary effects through resource consumption on the host server.
Opera reports:
When loading GIF images into memory, Opera should allocate the correct amount of memory to store that image. Specially crafted image files can cause Opera to allocate the wrong amount of memory. Subsequent data may then overwrite unrelated memory with attacker-controlled data. This can lead to a crash, which may also execute that data as code.
Adobe reports:
These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
The Apache Software Foundation reports:
The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request.
The Apache Software Foundation reports:
When using the NIO connector with sendfile and HTTPS enabled, if a client breaks the connection while reading the response an infinite loop is entered leading to a denial of service.
The Apache Software Foundation reports:
When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate().
ISC reports:
BIND 9 nameservers using the DNS64 IPv6 transition mechanism are vulnerable to a software defect that allows a crafted query to crash the server with a REQUIRE assertion failure. Remote exploitation of this defect can be achieved without extensive effort, resulting in a denial-of-service (DoS) vector against affected servers.
David Relson reports:
Fix a heap corruption in base64 decoder on invalid input. Analysis and patch by Julius Plenz, [FU Berlin, Germany].
The YUI team reports:
Vulnerability in YUI 2.4.0 through YUI 2.9.0
A XSS vulnerability has been discovered in some YUI 2 .swf files from versions 2.4.0 through 2.9.0. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files.
If your site loads YUI 2 from a CDN (yui.yahooapis.com, ajax.googleapis.com, etc.) and not from your own domain, you are not affected. YUI 3 is not affected by this issue.
Problem description:
A programming error in the handling of some Linux system calls may result in memory locations being accessed without proper validation.
Problem description:
The internal authentication server of hostapd does not sufficiently validate the message length field of EAP-TLS messages.
Problem description:
The BIND daemon would crash when a query is made on a resource record with RDATA that exceeds 65535 bytes.
The BIND daemon would lock up when a query is made on specific combinations of RDATA.
Opera reports:
When requesting pages using HTTP, Opera temporarily stores the response in a buffer. In some cases, Opera may incorrectly allocate too little space for a buffer, and may then store too much of the response in that buffer. This causes a buffer overflow, which in turn can lead to a memory corruption and crash. It is possible to use this crash to execute the overflowing data as code, which may be controlled by an attacking site.
Lighttpd security advisory reports:
Certain Connection header values will trigger an endless loop, for example: "Connection: TE,,Keep-Alive"
On receiving such value, lighttpd will enter an endless loop, detecting an empty token but not incrementing the current string position, and keep reading the ',' again and again.
This bug was introduced in 1.4.31, when we fixed an "invalid read" bug (it would try to read the byte before the string if it started with ',', although the value wasn't actually used).
The Mozilla Project reports:
MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)
MFSA 2012-92 Buffer overflow while rendering GIF images
MFSA 2012-93 evalInSanbox location context incorrectly applied
MFSA 2012-94 Crash when combining SVG text on path with CSS
MFSA 2012-95 Javascript: URLs run in privileged context on New Tab page
MFSA 2012-96 Memory corruption in str_unescape
MFSA 2012-97 XMLHttpRequest inherits incorrect principal within sandbox
MFSA 2012-98 Firefox installer DLL hijacking
MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment
MFSA 2012-100 Improper security filtering for cross-origin wrappers
MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset
MFSA 2012-102 Script entered into Developer Toolbar runs with chrome privileges
MFSA 2012-103 Frames can shadow top.location
MFSA 2012-104 CSS and HTML injection through Style Inspector
MFSA 2012-105 Use-after-free and buffer overflow issues found
MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer
Sebastien Helleu reports:
Untrusted command for function hook_process could lead to execution of commands, because of shell expansions.
Workaround with a non-patched version: remove/unload all scripts calling function hook_process (for maximum safety).
The following security issues have been discovered in Bugzilla:
Information Leak
If the visibility of a custom field is controlled by a product or a component of a product you cannot see, their names are disclosed in the JavaScript code generated for this custom field despite they should remain confidential.
Calling the User.get method with a 'groups' argument leaks the existence of the groups depending on whether an error is thrown or not. This method now also throws an error if the user calling this method does not belong to these groups (independently of whether the groups exist or not).
Trying to mark an attachment in a bug you cannot see as obsolete discloses its description in the error message. The description of the attachment is now removed from the error message.
Cross-Site Scripting
Due to incorrectly filtered field values in tabular reports, it is possible to inject code leading to XSS.
A vulnerability in swfstore.swf from YUI2 allows JavaScript injection exploits to be created against domains that host this affected YUI .swf file.
Typo Security Team reports:
TYPO3 Backend History Module - Due to missing encoding of user input, the history module is susceptible to SQL Injection and Cross-Site Scripting. A valid backend login is required to exploit this vulnerability. Credits go to Thomas Worm who discovered and reported the issue.
TYPO3 Backend API - Failing to properly HTML-encode user input the tree render API (TCA-Tree) is susceptible to Cross-Site Scripting. TYPO3 Versions below 6.0 does not make us of this API, thus is not exploitable, if no third party extension is installed which uses this API. A valid backend login is required to exploit this vulnerability. Credits go to Richard Brain who discovered and reported the issue.
US-CERT reports:
DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust when messages are signed using test or small bit signing keys.
Sebastien Helleu reports:
A buffer overflow is causing a crash or freeze of WeeChat when decoding IRC colors in strings.
Workaround for a non-patched version: /set irc.network.colors_receive off
The official ruby site reports:
Carefully crafted sequence of strings can cause a denial of service attack on the service that parses the sequence to create a Hash object by using the strings as keys. For instance, this vulnerability affects web application that parses the JSON data sent from untrusted entity.
This vulnerability is similar to CVS-2011-4815 for ruby 1.8.7. ruby 1.9 versions were using modified MurmurHash function but it's reported that there is a way to create sequence of strings that collide their hash values each other. This fix changes the Hash function of String object from the MurmurHash to SipHash 2-4.
The Apache Software Foundation reports:
Three weaknesses in Tomcat's implementation of DIGEST authentication were identified and resolved:
- Tomcat tracked client rather than server nonces and nonce count.
- When a session ID was present, authentication was bypassed.
- The user name and password were not checked before when indicating that a nonce was stale.
These issues reduced the security of DIGEST authentication making replay attacks possible in some circumstances.
The first issue was identified by Tilmann Kuhn. The second and third issues were identified by the Tomcat security team during the code review resulting from the first issue.
The Apache Software Foundation reports:
The checks that limited the permitted size of request headers were implemented too late in the request parsing process for the HTTP NIO connector. This enabled a malicious user to trigger an OutOfMemoryError by sending a single request with very large headers. This issue was identified by Josh Spiewak.
Adobe reports:
These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
Opera reports:
CORS (Cross-Origin Resource Sharing) allows web pages to retrieve the contents of pages from other sites, with their permission, as they would appear for the current user. When requests are made in this way, the browser should only allow the page content to be retrieved if the target site sends the correct headers that give permission for their contents to be used in this way. Specially crafted requests may trick Opera into thinking that the target site has given permission when it had not done so. This can result in the contents of any target page being revealed to untrusted sites, including any sensitive information or session IDs contained within the source of those pages.
Also reported are vulnerabilities involving SVG graphics and XSS.
Adobe reports:
These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
low: XSS in mod_negotiation when untrusted uploads are supported CVE-2012-2687
Possible XSS for sites which use mod_negotiation and allow untrusted uploads to locations which have MultiViews enabled.
low: insecure LD_LIBRARY_PATH handling CVE-2012-0883
This issue was already fixed in port version 2.2.22_5
The webmin updates site reports
Module: Change Passwords; Version: 1.600; Problem: Fix for potential XSS attack via real name field; Solution: New module.
The official ruby site reports:
A vulnerability was found that file creation routines can create unintended files by strategically inserting NUL(s) in file paths. This vulnerability has been reported as CVE-2012-4522.
Ruby can handle arbitrary binary patterns as Strings, including NUL chars. On the other hand OSes and other libraries tend not. They usually treat a NUL as an End of String mark. So to interface them with Ruby, NUL chars should properly be avoided.
However methods like IO#open did not check the filename passed to them, and just passed those strings to lower layer routines. This led to create unintentional files.
The official ruby site reports:
Vulnerabilities found for Exception#to_s, NameError#to_s, and name_err_mesg_to_s() which is Ruby interpreter-internal API. A malicious user code can bypass $SAFE check by utilizing one of those security holes.
Ruby's $SAFE mechanism enables untrusted user codes to run in $SAFE >= 4 mode. This is a kind of sandboxing so some operations are restricted in that mode to protect other data outside the sandbox.
The problem found was around this mechanism. Exception#to_s, NameError#to_s, and name_err_mesg_to_s() interpreter-internal API was not correctly handling the $SAFE bits so a String object which is not tainted can destructively be marked as tainted using them. By using this an untrusted code in a sandbox can modify a formerly-untainted string destructively.
Ruby 1.8 once had a similar security issue. It fixed Exception#to_s and NameError#to_s, but name_err_mesg_to_str() issue survived previous security fix
BestPractical report:
All versions of RT are vulnerable to an email header injection attack. Users with ModifySelf or AdminUser can cause RT to add arbitrary headers or content to outgoing mail. Depending on the scrips that are configured, this may be be leveraged for information leakage or phishing.
RT 4.0.0 and above and RTFM 2.0.0 and above contain a vulnerability due to lack of proper rights checking, allowing any privileged user to create Articles in any class.
All versions of RT with cross-site-request forgery (CSRF) protection (RT 3.8.12 and above, RT 4.0.6 and above, and any instances running the security patches released 2012-05-22) contain a vulnerability which incorrectly allows though CSRF requests which toggle ticket bookmarks.
All versions of RT are vulnerable to a confused deputy attack on the user. While not strictly a CSRF attack, users who are not logged in who are tricked into following a malicious link may, after supplying their credentials, be subject to an attack which leverages their credentials to modify arbitrary state. While users who were logged in would have observed the CSRF protection page, users who were not logged in receive no such warning due to the intervening login process. RT has been extended to notify users of pending actions during the login process.
RT 3.8.0 and above are susceptible to a number of vulnerabilities concerning improper signing or encryption of messages using GnuPG; if GnuPG is not enabled, none of the following affect you.
Drupal Security Team reports:
Arbitrary PHP code execution
A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server.
Information disclosure - OpenID module
For sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server.
The Mozilla Project reports:
MFSA 2012-90 Fixes for Location object issues
This vulnerability affects Exim instances built with DKIM enabled (this is the default for FreeBSD Exim port) and running verification of DKIM signatures on the incoming mail messages.
Phil Penncock reports:
This is a SECURITY release, addressing a CRITICAL remote code execution flaw in versions of Exim between 4.70 and 4.80 inclusive, when built with DKIM support (the default).
This security vulnerability can be exploited by anyone who can send email from a domain for which they control the DNS.
You are not vulnerable if you built Exim with DISABLE_DKIM or if you put this at the start of an ACL plumbed into acl_smtp_connect or acl_smtp_rcpt:
warn control = dkim_disable_verify
The Django Project reports:
Host header poisoning
Some parts of Django -- independent of end-user-written applications -- make use of full URLs, including domain name, which are generated from the HTTP Host header. Some attacks against this are beyond Django's ability to control, and require the web server to be properly configured; Django's documentation has for some time contained notes advising users on such configuration.
Django's own built-in parsing of the Host header is, however, still vulnerable, as was reported to us recently. The Host header parsing in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host() -- was incorrectly handling username/password information in the header. Thus, for example, the following Host header would be accepted by Django when running on "validsite.com":
Host: validsite.com:random@evilsite.com
Using this, an attacker can cause parts of Django -- particularly the password-reset mechanism -- to generate and display arbitrary URLs to users.
To remedy this, the parsing in HttpRequest.get_host() is being modified; Host headers which contain potentially dangerous content (such as username/password pairs) now raise the exception django.core.exceptions.SuspiciousOperation.
Documentation of HttpOnly cookie option
As of Django 1.4, session cookies are always sent with the HttpOnly flag, which provides some additional protection from cross-site scripting attacks by denying client-side scripts access to the session cookie.
Though not directly a security issue in Django, it has been reported that the Django 1.4 documentation incorrectly described this change, by claiming that this was now the default for all cookies set by the HttpResponse.set_cookie() method.
The Django documentation has been updated to reflect that this only applies to the session cookie. Users of Django are encouraged to review their use of set_cookie() to ensure that the HttpOnly flag is being set or unset appropriately.
Wireshark reports:
The HSRP dissector could go into an infinite loop.
The PPP dissector could abort.
Martin Wilck discovered an infinite loop in the DRDA dissector.
Laurent Butti discovered a buffer overflow in the LDP dissector.
Ignatios Souvatzis of NetBSD reports:
Due to an error in the dclock screensaver in xlockmore, users who explicitly use this screensaver or a random mix of screensavers using something like "xlockmore -mode random" may have their screen unlocked unexpectedly at a random time.
Thomas Swan reports:
xinetd allows for services to be configured with the TCPMUX or TCPMUXPLUS service types, which makes those services available on port 1, as per RFC 1078 [1], if the tcpmux-server service is enabled. When the tcpmux-server service is enabled, xinetd would expose _all_ enabled services via the tcpmux port, instead of just the configured service(s). This could allow a remote attacker to bypass firewall restrictions and access services via the tcpmux port.
The Zend Framework team reports:
The XmlRpc package of Zend Framework is vulnerable to XML eXternal Entity Injection attacks (both server and client). The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
Additionally, the Zend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc components are vulnerable to XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.
Sitaram Chamarty reports:
I'm sorry to say there is a potential path traversal vulnerability in v3. Thanks to Stephane Chazelas for finding it and alerting me.
Can it affect you? This can only affect you if you are using wild card repos, *and* at least one of your patterns allows the string "../" to match multiple times.
How badly can it affect you? A malicious user who *also* has the ability to create arbitrary files in, say, /tmp (e.g., he has his own userid on the same box), can compromise the entire "git" user. Otherwise the worst he can do is create arbitrary repos in /tmp.
The phpMyAdmin development team reports:
When creating/modifying a trigger, event or procedure with a crafted name, it is possible to trigger an XSS.
To display information about the current phpMyAdmin version on the main page, a piece of JavaScript is fetched from the phpmyadmin.net website in non-SSL mode. A man-in-the-middle could modify this script on the wire to cause mischief.
The Mozilla Project reports:
MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)
MFSA 2012-75 select element persistance allows for attacks
MFSA 2012-76 Continued access to initial origin after setting document.domain
MFSA 2012-77 Some DOMWindowUtils methods bypass security checks
MFSA 2012-78 Reader Mode pages have chrome privileges
MFSA 2012-79 DOS and crash with full screen and history navigation
MFSA 2012-80 Crash with invalid cast when using instanceof operator
MFSA 2012-81 GetProperty function can bypass security checks
MFSA 2012-82 top object and location property accessible by plugins
MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties
MFSA 2012-84 Spoofing and script injection through location.hash
MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer
MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer
MFSA 2012-87 Use-after-free in the IME State Manager
MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)
MFSA 2012-89 defaultValue security checks not applied
ISC reports:
A deliberately constructed combination of records could cause named to hang while populating the additional section of a response.
Secunia reports:
A vulnerability has been discovered in OpenX, which can be exploited by malicious people to conduct SQL injection attacks.
Input passed via the "xajaxargs" parameter to www/admin/updates-history.php (when "xajax" is set to "expandOSURow") is not properly sanitised in e.g. the "queryAuditBackupTablesByUpgradeId()" function (lib/OA/Upgrade/DB_UpgradeAuditor.php) before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerability is confirmed in version 2.8.9. Prior versions may also be affected.
David Madison reports:
ePerl is a multipurpose Perl filter and interpreter program for Unix systems. The ePerl preprocessor contains an input validation error. The preprocessor allows foreign data to be "safely" included using the 'sinclude' directive.
The problem occurs when a file referenced by a 'sinclude' directive contains a 'include' directive; the contents of the file referred to by the second directive will be loaded and executed.
Kurt Seifried reports:
There is an issue in ImageMagick that is also present in GraphicsMagick. CVE-2011-3026 deals with libpng memory allocation, and limitations have been added so that a bad PNG can't cause the system to allocate a lot of memory and a denial of service. However on further investigation of ImageMagick, Tom Lane found that PNG malloc function (Magick_png_malloc) in turn calls AcquireMagickMemory with an improper size argument.
MITRE CVE team reports:
The SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors.
MITRE CVE team reports:
Memory leak in the timezone functionality in PHP before 5.3.9 allows remote attackers to cause a denial of service (memory consumption) by triggering many strtotime function calls, which are not properly handled by the php_date_parse_tzfile cache.
ISC reports:
Prevents a crash when queried for a record whose RDATA exceeds 65535 bytes.
Prevents a crash when validating caused by using "Bad cache" data before it has been initialized.
ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries.
A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process.
Jenkins Security Advisory reports:
This advisory announces security vulnerabilities that were found in Jenkins core and several plugins.
- The first vulnerability in Jenkins core allows unprivileged users to insert data into Jenkins master, which can lead to remote code execution. For this vulnerability to be exploited, the attacker must have an HTTP access to a Jenkins master, and he must have a read access to Jenkins.
- The second vulnerability in Jenkins core is a cross-site scripting vulnerability. This allows an attacker to craft an URL that points to Jenkins, and if a legitimate user clicks this link, and the attacker will be able to hijack the user session.
- The third vulnerability is a cross-site scripting vulnerability in the Violations plugin
- The fourth vulnerability is a cross-site scripting vulnerability in The Continuous Integration Game plugin
Jean-Baptiste Kempf, on behalf of the VideoLAN project reports:
If successful, a malicious third party could crash the VLC media player process. Arbitrary code execution could be possible on some systems.
A security issue has been reported in Bacula, which can be exploited by malicious users to bypass certain security restrictions.
The security issue is caused due to an error within the implementation of console ACLs, which can be exploited to gain access to certain restricted functionality and e.g. dump resources.
Google Reports:
mod_pagespeed 0.10.22.6 is a security update that fixes two critical issues that affect earlier versions:
- CVE-2012-4001, a problem with validation of own host name.
- CVE-2012-4360, a cross-site scripting attack, which affects versions starting from 0.10.19.1.
The effect of the first problem is that it is possible to confuse mod_pagespeed about its own host name, and to trick it into fetching resources from other machines. This could be an issue if the HTTP server has access to machines that are not otherwise publicly visible.
The second problem would permit a hostile third party to execute JavaScript in users' browsers in context of the domain running mod_pagespeed, which could permit interception of users' cookies or data on the site.
Because of the severity of the two problems, users are strongly encouraged to update immediately.
Behavior Changes in the Update:
As part of the fix to the first issue, mod_pagespeed will not fetch resources from machines other than localhost if they are not explicitly mentioned in the configuration. This means that if you need resources on the server's domain to be handled by some other system, you'll need to explicitly use ModPagespeedMapOriginDomain or ModPagespeedDomain to authorize that.
freeRADIUS security team reports:
Overflow in EAP-TLS for 2.1.10, 2.1.11 and 2.1.12.
The issue was found by Timo Warns, and communicated to security@freeradius.org. A sample exploit for the issue was included in the notification.
The vulnerability was created in commit a368a6f4f4aaf on August 18, 2010. Vulnerable versions include 2.1.10, 2.1.11, and 2.1.12. Also anyone running the git "master" branch after August 18, 2010 is vulnerable.
All sites using TLS-based EAP methods and the above versions are vulnerable. The only configuration change which can avoid the issue is to disable EAP-TLS, EAP-TTLS, and PEAP.
An external attacker can use this vulnerability to over-write the stack frame of the RADIUS server, and cause it to crash. In addition, more sophisticated attacks may gain additional privileges on the system running the RADIUS server.
This attack does not require local network access to the RADIUS server. It can be done by an attacker through a WiFi Access Point, so long as the Access Point is configured to use 802.1X authentication with the RADIUS server.
Chong Yidong reports:
Paul Ling has found a security flaw in the file-local variables code in GNU Emacs.
When the Emacs user option `enable-local-variables' is set to `:safe' (the default value is t), Emacs should automatically refuse to evaluate `eval' forms in file-local variable sections. Due to the bug, Emacs instead automatically evaluates such `eval' forms. Thus, if the user changes the value of `enable-local-variables' to `:safe', visiting a malicious file can cause automatic execution of arbitrary Emacs Lisp code with the permissions of the user.
The bug is present in Emacs 23.2, 23.3, 23.4, and 24.1.
Wordpress reports:
Version 3.4.2 also fixes a few security issues and contains some security hardening. The vulnerabilities included potential privilege escalation and a bug that affects multisite installs with untrusted users. These issues were discovered and fixed by the WordPress security team.
MITRE CVE team reports:
Cross-site scripting (XSS) vulnerability in the reStructuredText (rst) parser in parser/text_rst.py in MoinMoin before 1.9.4, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the refuri attribute.
MoinMoin developers report:
If you have group NAMES containing "All" or "Known" or "Trusted", they behaved wrong until now (they erroneously included All/Known/Trusted users even if you did not list them as members), but will start working correctly with this changeset.
E.g. AllFriendsGroup:
- JoeDoe
AllFriendsGroup will now (correctly) include only JoeDoe. It (erroneously) contained all users (including JoeDoe) before.
E.g. MyTrustedFriendsGroup:
- JoeDoe
MyTrustedFriendsGroup will now (correctly) include only JoeDoe. It (erroneously) contained all trusted users and JoeDoe before.
Rui Hirokawa reports:
As of PHP 5.1.2, header() can no longer be used to send multiple response headers in a single call to prevent the HTTP Response Splitting Attack. header() only checks the linefeed (LF, 0x0A) as line-end marker, it doesn't check the carriage-return (CR, 0x0D).
However, some browsers including Google Chrome, IE also recognize CR as the line-end.
The current specification of header() still has the vulnerability against the HTTP header splitting attack.
A unspecified denial-of-service attack that could cause the bitcoin process to become unresponsive was found.
The following security issues have been discovered in Bugzilla:
LDAP Injection
When the user logs in using LDAP, the username is not escaped when building the uid=$username filter which is used to query the LDAP directory. This could potentially lead to LDAP injection.
Directory Browsing
Extensions are not protected against directory browsing and users can access the source code of the templates which may contain sensitive data. Directory browsing is blocked in Bugzilla 4.3.3 only, because it requires a configuration change in the Apache httpd.conf file to allow local .htaccess files to use Options -Indexes. To not break existing installations, this fix has not been backported to stable branches. The access to templates is blocked for all supported branches except the old 3.6 branch, because this branch doesn't have .htaccess in the bzr repository and cannot be fixed easily for existing installations without potentially conflicting with custom changes.
Jan Willamowius reports:
GNU Gatekeeper before 3.1 does not limit the number of connections to the status port, which allows remote attackers to cause a denial of service (connection and thread consumption) via a large number of connections.
Mediawiki reports:
(Bug 39700) Wikipedia administrator Writ Keeper discovered a stored XSS (HTML injection) vulnerability. This was possible due to the handling of link text on File: links for nonexistent files. MediaWiki 1.16 and later is affected.
(Bug 39180) User Fomafix reported several DOM-based XSS vulnerabilities, made possible by a combination of loose filtering of the uselang parameter, and JavaScript gadgets on various language Wikipedias.
(Bug 39180) During internal review, it was discovered that CSRF tokens, available via the api, were not protected with X-Frame-Options headers. This could lead to a CSRF vulnerability if the API response is embedded in an external website using using an iframe.
(Bug 39824) During internal review, it was discovered extensions were not always allowed to prevent the account creation action. This allowed users blocked by the GlobalBlocking extension to create accounts.
(Bug 39184) During internal review, it was discovered that password data was always saved to the local MediaWiki database even if authentication was handled by an extension, such as LDAP. This could allow a compromised MediaWiki installation to leak information about user's LDAP passwords. Additionally, in situations when an authentication plugin returned false in its strict function, this would allow old passwords to be used for accounts that did not exist in the external system, indefinitely.
(Bug 39823) During internal review, it was discovered that metadata about blocks, hidden by a user with suppression rights, was visible to administrators.
RedHat security team reports:
A denial of service flaw was found in the way Distributed Relational Database Architecture (DRDA) dissector of Wireshark, a network traffic analyzer, performed processing of certain DRDA packet capture files. A remote attacker could create a specially-crafted capture file that, when opened could lead to wireshark executable to consume excessive amount of CPU time and hang with an infinite loop.
Asterisk project reports:
Asterisk Manager User Unauthorized Shell Access
ACL rules ignored when placing outbound calls by certain IAX2 users
The Mozilla Project reports:
MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)
MFSA 2012-58 Use-after-free issues found using Address Sanitizer
MFSA 2012-59 Location object can be shadowed using Object.defineProperty
MFSA 2012-60 Escalation of privilege through about:newtab
MFSA 2012-61 Memory corruption with bitmap format images with negative height
MFSA 2012-62 WebGL use-after-free and memory corruption
MFSA 2012-63 SVG buffer overflow and use-after-free issues
MFSA 2012-64 Graphite 2 memory corruption
MFSA 2012-65 Out-of-bounds read in format-number in XSLT
MFSA 2012-66 HTTPMonitor extension allows for remote debugging without explicit activation
MFSA 2012-67 Installer will launch incorrect executable following new installation
MFSA 2012-68 DOMParser loads linked resources in extensions when parsing text/html
MFSA 2012-69 Incorrect site SSL certificate data display
MFSA 2012-70 Location object security checks bypassed by chrome code
MFSA 2012-71 Insecure use of __android_log_print
MFSA 2012-72 Web console eval capable of executing chrome-privileged code
The Coppermine Team reports:
The release covers several path disclosure vulnerabilities. If unpatched, it's possible to generate an error that will reveal the full path of the script. A remote user can determine the full path to the web root directory and other potentially sensitive information. Furthermore, the release covers a recently discovered XSS vulnerability that allows (if unpatched) a malevolent visitor to include own script routines under certain conditions.
US-CERT reports:
Oracle Java Runtime Environment (JRE) 1.7 contains a vulnerability that may allow an applet to call setSecurityManager in a way that allows setting of arbitrary permissions.
By leveraging the public, privileged getField() function, an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to allow full privileges, without requiring code signing.
This vulnerability is being actively exploited in the wild, and exploit code is publicly available.
This exploit does not only affect Java applets, but every piece of software that relies on the Java Security Manager for sandboxing executable code is affected: malicious code can totally disable Security Manager.
Matthias Andree reports:
Fetchmail version 6.3.9 enabled "all SSL workarounds" (SSL_OP_ALL) which contains a switch to disable a countermeasure against certain attacks against block ciphers that permit guessing the initialization vectors, providing that an attacker can make the application (fetchmail) encrypt some data for him -- which is not easily the case.
Stream ciphers (such as RC4) are unaffected.
Credits to Apple Product Security for reporting this.
RoundCube branch 0.8.x prior to the version 0.8.1 is prone to the cross-scripting attack (XSS) originating from incoming HTML e-mails: due to the lack of proper sanitization of JavaScript code inside the "href" attribute, sender could launch XSS attack when recipient opens the message in RoundCube interface.
KDE Security Advisory reports:
A flaw has been found which can allow malicious code to take advantage of an input validation failure in the Microsoft import filter in Calligra and KOffice. Exploitation can allow the attacker to gain control of the running process and execute code on its behalf.
SquidClamav developers report:
This release fix several security issues by escaping CGI parameters.
Prior to versions 6.7 and 5.8, CGI script clwarn.cgi was not properly sanitizing input variables, so they could be used to inject arbitrary strings to the generated page, leading to the cross-site scripting attacks.
SquidClamav developers report:
Add a workaround for a squidGuard bug that unescape the URL and send it back unescaped. This result in garbage staying into pipe of the system command call and could crash squidclamav on next read or return false information. This is specially true with URL containing the %0D or %0A character.
This vulnerability can be triggered only in configurations where external chained URL checker is configured via "squidguard" directive.
INN developers report:
Fixed a possible plaintext command injection during the negotiation of a TLS layer. The vulnerability detailed in CVE-2011-0411 affects the STARTTLS and AUTHINFO SASL commands. nnrpd now resets its read buffer upon a successful negotiation of a TLS layer. It prevents malicious commands, sent unencrypted, from being executed in the new encrypted state of the session.
XMPP Standards Foundation reports:
Some implementations of the XMPP Server Dialback protocol (RFC 3920/XEP-0220) have not been checking dialback responses to ensure that validated results are correlated with requests.
An attacking server could spoof one or more domains in communicating with a vulnerable server implementation, thereby avoiding the protections built into the Server Dialback protocol.
Derek Martin (rssh maintainer) reports:
John Barber reported a problem where, if the system administrator misconfigures rssh by providing too few access bits in the configuration file, the user will be given default permissions (scp) to the entire system, potentially circumventing any configured chroot. Fixing this required a behavior change: in the past, using rssh without a config file would give all users default access to use scp on an unchrooted system. In order to correct the reported bug, this feature has been eliminated, and you must now have a valid configuration file. If no config file exists, all users will be locked out.
Derek Martin (rssh maintainer) reports:
Henrik Erkkonen has discovered that, through clever manipulation of environment variables on the ssh command line, it is possible to circumvent rssh. As far as I can tell, there is no way to effect a root compromise, except of course if the root account is the one you're attempting to protect with rssh...
OTR developers report:
The otrl_base64_otr_decode() function and similar functions within OTR suffer from buffer overflows in the case of malformed input; specifically if a message of the format of "?OTR:===." is received then a zero-byte allocation is performed without a similar correlation between the subsequent base64 decoding write, as such it becomes possible to write between zero and three bytes incorrectly to the heap, albeit only with a value of '='.
Because this code path is highly utilized, specifically in the reception of instant messages over pidgin or similar, this vulnerability is considered severe even though in many platforms and circumstances the bug would yield an unexploitable state and result simply in denial of service.
The developers of OTR promptly fixed the errors and users of OTR are advised to upgrade the software at the next release cycle.
The OpenTTD Team reports:
Denial of service (server) using ships on half tiles and landscaping.
Wireshark reports:
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
It may be possible to make Wireshark consume excessive CPU resources by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
The PPP dissector could crash.
The NFS dissector could use excessive amounts of CPU.
The DCP ETSI dissector could trigger a zero division.
The MongoDB dissector could go into a large loop.
The XTP dissector could go into an infinite loop.
The ERF dissector could overflow a buffer.
The AFP dissector could go into a large loop.
The RTPS2 dissector could overflow a buffer.
The GSM RLC MAC dissector could overflow a buffer.
The CIP dissector could exhaust system memory.
The STUN dissector could crash.
The EtherCAT Mailbox dissector could abort.
The CTDB dissector could go into a large loop.
The pcap-ng file parser could trigger a zero division.
The Ixia IxVeriWave file parser could overflow a buffer.
The PostgreSQL Global Development Group reports:
The PostgreSQL Global Development Group today released security updates for all active branches of the PostgreSQL database system, including versions 9.1.5, 9.0.9, 8.4.13 and 8.3.20. This update patches security holes associated with libxml2 and libxslt, similar to those affecting other open source projects. All users are urged to update their installations at the first available opportunity
Users who are relying on the built-in XML functionality to validate external DTDs will need to implement a workaround, as this security patch disables that functionality. Users who are using xslt_process() to fetch documents or stylesheets from external URLs will no longer be able to do so. The PostgreSQL project regrets the need to disable both of these features in order to maintain our security standards. These security issues with XML are substantially similar to issues patched recently by the Webkit (CVE-2011-1774), XMLsec (CVE-2011-1425) and PHP5 (CVE-2012-0057) projects.
The phpMyAdmin development team reports:
Using a crafted table name, it was possible to produce a XSS : 1) On the Database Structure page, creating a new table with a crafted name 2) On the Database Structure page, using the Empty and Drop links of the crafted table name 3) On the Table Operations page of a crafted table, using the 'Empty the table (TRUNCATE)' and 'Delete the table (DROP)' links 4) On the Triggers page of a database containing tables with a crafted name, when opening the 'Add Trigger' popup 5) When creating a trigger for a table with a crafted name, with an invalid definition. Having crafted data in a database table, it was possible to produce a XSS : 6) When visualizing GIS data, having a crafted label name.
Typo Security Team reports:
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting, Information Disclosure, Insecure Unserialize leading to Arbitrary Code Execution.
TYPO3 Backend Help System - Due to a missing signature (HMAC) for a parameter in the view_help.php file, an attacker could unserialize arbitrary objects within TYPO3. We are aware of a working exploit, which can lead to arbitrary code execution. A valid backend user login or multiple successful cross site request forgery attacks are required to exploit this vulnerability.
TYPO3 Backend - Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities.
TYPO3 Backend - Accessing the configuration module discloses the Encryption Key. A valid backend user with access to the configuration module is required to exploit this vulnerability.
TYPO3 HTML Sanitizing API - By not removing several HTML5 JavaScript events, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections, thus is susceptible to Cross-Site Scripting. Failing to properly encode for JavaScript the API method t3lib_div::quoteJSvalue(), it is susceptible to Cross-Site Scripting.
TYPO3 Install Tool - Failing to properly sanitize user input, the Install Tool is susceptible to Cross-Site Scripting.
Matthias Andree reports:
With NTLM support enabled, fetchmail might mistake a server-side error message during NTLM protocol exchange for protocol data, leading to a SIGSEGV.
Also, with a carefully crafted NTLM challenge, a malicious server might cause fetchmail to read from a bad memory location, betraying confidential data. It is deemed hard, although not impossible, to steal other accounts' data.
The IcedTea project team reports:
CVE-2012-3422: Use of uninitialized instance pointers
An uninitialized pointer use flaw was found in IcedTea-Web web browser plugin. A malicious web page could use this flaw make IcedTea-Web browser plugin pass invalid pointer to a web browser. Depending on the browser used, it may cause the browser to crash or possibly execute arbitrary code.
The get_cookie_info() and get_proxy_info() call getFirstInTableInstance() with the instance_to_id_map hash as a parameter. If instance_to_id_map is empty (which can happen when plugin was recently removed), getFirstInTableInstance() returns an uninitialized pointer.
CVE-2012-3423: Incorrect handling of non 0-terminated strings
It was discovered that the IcedTea-Web web browser plugin incorrectly assumed that all strings provided by browser are NUL terminated, which is not guaranteed by the NPAPI (Netscape Plugin Application Programming Interface). When used in a browser that does not NUL terminate NPVariant NPStrings, this could lead to buffer over-read or over-write, resulting in possible information leak, crash, or code execution.
Mozilla browsers currently NUL terminate strings, however recent Chrome versions are known not to provide NUL terminated data.
The libcloud development team reports:
When establishing a secure (SSL / TLS) connection to a target server an invalid regular expression has been used for performing the hostname verification. Subset instead of the full target server hostname has been marked an an acceptable match for the given hostname. For example, certificate with a hostname field of "aexample.com" was considered a valid certificate for domain "example.com".
The phpMyAdmin development team reports:
The show_config_errors.php script does not include a library, so an error message shows the full path of this file, leading to possible further attacks.
Rails core team reports:
This version contains three important security fixes, please upgrade immediately.
One of security fixes impacts all users and is related to HTML escaping code. The other two fixes impacts people using select_tag's prompt option and strip_tags helper from ActionPack.
CVE-2012-3463 Potential XSS Vulnerability in select_tag prompt.
CVE-2012-3464 Potential XSS Vulnerability in the HTML escaping code.
CVE-2012-3465 XSS Vulnerability in strip_tags.
ISS reports:
sudosh2 and sudosh3 are vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the replay() function. By persuading a victim to replay a specially-crafted recorded sudo session, a local attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the application to crash.
Problem description:
BIND 9 stores a cache of query names that are known to be failing due to misconfigured name servers or a broken chain of trust. Under high query loads, when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries could be used before it was fully initialized, triggering an assertion failure.
GNU reports:
The recipe of the 'distcheck' target granted temporary world-write permissions on the extracted distdir. This introduced a locally exploitable race condition for those who run "make distcheck" with a non-restrictive umask (e.g., 022) in a directory that was accessible by others. A successful exploit would result in arbitrary code execution with the privileges of the user running "make distcheck".
It is important to stress that this vulnerability impacts not only the Automake package itself, but all packages with Automake-generated makefiles. For an effective fix it is necessary to regenerate the Makefile.in files with a fixed Automake version.
The Mozilla Project reports:
MFSA 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)
MFSA 2012-43 Incorrect URL displayed in addressbar through drag and drop
MFSA 2012-44 Gecko memory corruption
MFSA 2012-45 Spoofing issue with location
MFSA 2012-46 XSS through data: URLs
MFSA 2012-47 Improper filtering of javascript in HTML feed-view
MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden
MFSA 2012-49 Same-compartment Security Wrappers can be bypassed
MFSA 2012-50 Out of bounds read in QCMS
MFSA 2012-51 X-Frame-Options header ignored when duplicated
MFSA 2012-52 JSDependentString::undepend string conversion results in memory corruption
MFSA 2012-53 Content Security Policy 1.0 implementation errors cause data leakage
MFSA 2012-54 Clickjacking of certificate warning page
MFSA 2012-55 feed: URLs with an innerURI inherit security context of page
MFSA 2012-56 Code execution through javascript: URLs
Apache reports:
Insecure handling of LD_LIBRARY_PATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory.
The Django project reports:
Today the Django team is issuing multiple releases -- Django 1.3.2 and Django 1.4.1 -- to remedy security issues reported to us:
- Cross-site scripting in authentication views
- Denial-of-service in image validation
- Denial-of-service via get_image_dimensions()
All users are encouraged to upgrade Django immediately.
The following security issues have been discovered in Bugzilla:
Information Leak
Versions: 4.1.1 to 4.2.1, 4.3.1
In HTML bugmails, all bug IDs and attachment IDs are linkified, and hovering these links displays a tooltip with the bug summary or the attachment description if the user is allowed to see the bug or attachment. But when validating user permissions when generating the email, the permissions of the user who edited the bug were taken into account instead of the permissions of the addressee. This means that confidential information could be disclosed to the addressee if the other user has more privileges than the addressee. Plain text bugmails are not affected as bug and attachment IDs are not linkified.
Information Leak
Versions: 2.17.5 to 3.6.9, 3.7.1 to 4.0.6, 4.1.1 to 4.2.1, 4.3.1
The description of a private attachment could be visible to a user who hasn't permissions to access this attachment if the attachment ID is mentioned in a public comment in a bug that the user can see.
Tom Hendrikx reports:
It is possible to crash (SIGSEGV) a NSD child server process by sending it a DNS packet from any host on the internet and the per zone stats build option is enabled. A crashed child process will automatically be restarted by the parent process, but an attacker may keep the NSD server occupied restarting child processes by sending it a stream of such packets effectively preventing the NSD server to serve.
There is a DoS vulnerability in Action Pack digest authentication handling in authenticate_or_request_with_http_digest.
The RT development team reports:
RT::Authen::ExternalAuth 0.10 and below (for all versions of RT) are vulnerable to an escalation of privilege attack where the URL of a RSS feed of the user can be used to acquire a fully logged-in session as that user. CVE-2012-2770 has been assigned to this vulnerability.
Users of RT 3.8.2 and above should upgrade to RT::Authen::ExternalAuth 0.11, which resolves this vulnerability.
ISC reports:
An unexpected client identifier parameter can cause the ISC DHCP daemon to segmentation fault when running in DHCPv6 mode, resulting in a denial of service to further client requests. In order to exploit this condition, an attacker must be able to send requests to the DHCP server.
An error in the handling of malformed client identifiers can cause a DHCP server running affected versions (see "Impact") to enter a state where further client requests are not processed and the server process loops endlessly, consuming all available CPU cycles. Under normal circumstances this condition should not be triggered, but a non-conforming or malicious client could deliberately trigger it in a vulnerable server. In order to exploit this condition an attacker must be able to send requests to the DHCP server.
Two memory leaks have been found and fixed in ISC DHCP. Both are reproducible when running in DHCPv6 mode (with the -6 command-line argument.) The first leak is confirmed to only affect servers operating in DHCPv6 mode, but based on initial code analysis the second may theoretically affect DHCPv4 servers (though this has not been demonstrated.)
ISC reports:
High numbers of queries with DNSSEC validation enabled can cause an assertion failure in named, caused by using a 'bad cache' data structure before it has been initialized.
BIND 9 stores a cache of query names that are known to be failing due to misconfigured name servers or a broken chain of trust. Under high query loads when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries could be used before it was fully initialized, triggering an assertion failure.
This bug cannot be encountered unless your server is doing DNSSEC validation.
rubygem-activerecord -- multiple vulernabilities
Due to the way Active Record interprets parameters in combination with the way that Rack parses query parameters, it is possible for an attacker to issue unexpected database queries with "IS NULL" where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL where most users wouldn't expect it.
Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.
The PHP Development Team reports:
The release of PHP 5.4.15 and 5.4.5 fix a potential overflow in _php_stream_scandir
Marek Vavrusa and Lubos Slovak report:
It is possible to crash (SIGSEGV) a NSD child server process by sending it a non-standard DNS packet from any host on the internet. A crashed child process will automatically be restarted by the parent process, but an attacker may keep the NSD server occupied restarting child processes by sending it a stream of such packets effectively preventing the NSD server to serve.
The Changelog for version 1.2.1 says: Fixed a regression caused by 1.2.0[6] in which decompressing corrupt JPEG images (specifically, images in which the component count was erroneously set to a large value) would cause libjpeg-turbo to segfault.
A Heap-based buffer overflow was found in the way libjpeg-turbo decompressed certain corrupt JPEG images in which the component count was erroneously set to a large value. An attacker could create a specially-crafted JPEG image that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
Secunia Research reports:
Secunia Research has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed to the "ns" POST parameter in lib/exe/ajax.php (when "call" is set to "medialist" and "do" is set to "media") is not properly sanitised within the "tpl_mediaFileList()" function in inc/template.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
puppet -- multiple vulnerabilities
Arbitrary file read on the puppet master from authenticated clients (high). It is possible to construct an HTTP get request from an authenticated client with a valid certificate that will return the contents of an arbitrary file on the Puppet master that the master has read-access to.
Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high). Given a Puppet master with the "Delete" directive allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default.
The last_run_report.yaml is world readable (medium). The most recent Puppet run report is stored on the Puppet master with world-readable permissions. The report file contains the context diffs of any changes to configuration on an agent, which may contain sensitive information that an attacker can then access. The last run report is overwritten with every Puppet run.
Arbitrary file read on the Puppet master by an agent (medium). This vulnerability is dependent upon vulnerability "last_run_report.yml is world readable" above. By creating a hard link of a Puppet-managed file to an arbitrary file that the Puppet master can read, an attacker forces the contents to be written to the puppet run summary. The context diff is stored in last_run_report.yaml, which can then be accessed by the attacker.
Insufficient input validation for agent hostnames (low). An attacker could trick the administrator into signing an attacker's certificate rather than the intended one by constructing specially crafted certificate requests containing specific ANSI control sequences. It is possible to use the sequences to rewrite the order of text displayed to an administrator such that display of an invalid certificate and valid certificate are transposed. If the administrator signs the attacker's certificate, the attacker can then man-in-the-middle the agent.
Agents with certnames of IP addresses can be impersonated (low). If an authenticated host with a certname of an IP address changes IP addresses, and a second host assumes the first host's former IP address, the second host will be treated by the puppet master as the first one, giving the second host access to the first host's catalog. Note: This will not be fixed in Puppet versions prior to the forthcoming 3.x. Instead, with this announcement IP-based authentication in Puppet < 3.x is deprecated.
Asterisk project reports:
Possible resource leak on uncompleted re-invite transactions.
Remote crash vulnerability in voice mail application.
Typo3 Security Report (TYPO3-CORE-SA-2012-003):
TYPO3 bundles and uses an external JavaScript and Flash Upload Library called swfupload. TYPO3 can be configured to use this Flash uploader. Input passed via the "movieName" parameter to swfupload.swf is not properly sanitised before being used in a call to "ExternalInterface.call()". This can be exploited to execute arbitrary script code in a user's browser session in context of an affected site. The existance of the swfupload library is sufficient to be vulnerable to the reported problem.
Zero Science Lab reports:
Input passed via the parameter 'sortby' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The param 'num' is vulnerable to a XSS issue where the attacker can execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Problem description:
FreeBSD/amd64 runs on CPUs from different vendors. Due to varying behaviour of CPUs in 64 bit mode a sanity check of the kernel may be insufficient when returning from a system call.
Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash. To exploit this vulnerability, an attacker must be able to run code with user privileges on the target system.
Problem description:
The named(8) server does not properly handle DNS resource records where the RDATA field is zero length, which may cause various issues for the servers handling them.
Resolving servers may crash or disclose some portion of memory to the client. Authoritative servers may crash on restart after transferring a zone containing records with zero-length RDATA fields. These would result in a denial of service, or leak of sensitive information.
Problem description:
There is a programming error in the DES implementation used in crypt() when handling input which contains characters that cannot be represented with 7-bit ASCII.
When the input contains characters with only the most significant bit set (0x80), that character and all characters after it will be ignored.
Problem description:
OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0 records when operating as a client or a server that accept SSL 3.0 handshakes. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory. [CVE-2011-4576]
OpenSSL support for handshake restarts for server gated cryptography (SGC) can be used in a denial-of-service attack. [CVE-2011-4619]
If an application uses OpenSSL's certificate policy checking when verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK flag, a policy check failure can lead to a double-free. [CVE-2011-4109]
A weakness in the OpenSSL PKCS #7 code can be exploited using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the million message attack (MMA). [CVE-2012-0884]
The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp functions, in OpenSSL contains multiple integer errors that can cause memory corruption when parsing encoded ASN.1 data. This error can occur on systems that parse untrusted ASN.1 data, such as X.509 certificates or RSA public keys. [CVE-2012-2110]
Dwayne C. Litzenberger of PyCrypto reports:
In the ElGamal schemes (for both encryption and signatures), g is supposed to be the generator of the entire Z^*_p group. However, in PyCrypto 2.5 and earlier, g is more simply the generator of a random sub-group of Z^*_p.
The result is that the signature space (when the key is used for signing) or the public key space (when the key is used for encryption) may be greatly reduced from its expected size of log(p) bits, possibly down to 1 bit (the worst case if the order of g is 2).
While it has not been confirmed, it has also been suggested that an attacker might be able to use this fact to determine the private key.
Anyone using ElGamal keys should generate new keys as soon as practical.
Any additional information about this bug will be tracked at https://bugs.launchpad.net/pycrypto/+bug/985164
Joomla! reported a Core Privilege Escalation::
Inadequate checking leads to possible user privilege escalation..
MITRE Advisories report:
The TAR parser allows remote attackers to bypass malware detection via a POSIX TAR file with an initial [aliases] character sequence.
The TAR parser allows remote attackers to bypass malware detection via a TAR archive entry with a length field that exceeds the total TAR file size.
The Microsoft CHM file parser allows remote attackers to bypass malware detection via a crafted reset interval in the LZXC header of a CHM file.
The TAR file parser allows remote attackers to bypass malware detection via a TAR archive entry with a length field corresponding to that entire entry, plus part of the header ofxi the next entry.
Asterisk project reports:
Skinny Channel Driver Remote Crash Vulnerability.
ImageMagick reports:
Three vulnerabilities have been identified in ImageMagick's handling of JPEG and TIFF files. With these vulnerabilities, it is possible to cause a denial of service situation in the target system.
Mantis reports:
Roland Becker and Damien Regad (MantisBT developers) found that any user able to report issues via the SOAP interface could also modify any bugnotes (comments) created by other users. In a default/typical MantisBT installation, SOAP API is enabled and any user can sign up to report new issues. This vulnerability therefore impacts upon many public facing MantisBT installations.
Roland Becker (MantisBT developer) found that the delete_attachments_threshold permission was not being checked when a user attempted to delete an attachment from an issue. The more generic update_bug_threshold permission was being checked instead. MantisBT administrators may have been under the false impression that their configuration of the delete_attachments_threshold was successfully preventing unwanted users from deleting attachments.
Adobe reports:
These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
The Mozilla Project reports:
MFSA 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)
MFSA 2012-36 Content Security Policy inline-script bypass
MFSA 2012-37 Information disclosure though Windows file shares and shortcut files
MFSA 2012-38 Use-after-free while replacing/inserting a node in a document
MFSA 2012-39 NSS parsing errors with zero length items
MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer
CERT reports:
If a pre-configured BGP peer sends a specially-crafted OPEN message with a malformed ORF capability TLV, Quagga bgpd process will erroneously try to consume extra bytes from the input packet buffer. The process will detect a buffer overrun attempt before it happens and immediately terminate with an error message. All BGP sessions established by the attacked router will be closed and its BGP routing disrupted.
David Verdin reports:
Multiple vulnerabilities have been discovered in Sympa archive management that allow to skip the scenario-based authorization mechanisms.
This vulnerability allows the attacker to:
- display the archives management page ('arc_manage')
- download the list's archives
- delete the list's archives
ISC reports:
Processing of DNS resource records where the rdata field is zero length may cause various issues for the servers handling them.
Processing of these records may lead to unexpected outcomes. Recursive servers may crash or disclose some portion of memory to the client. Secondary servers may crash on restart after transferring a zone containing these records. Master servers may corrupt zone data if the zone option "auto-dnssec" is set to "maintain". Other unexpected problems that are not listed here may also be encountered.
Impact: This issue primarily affects recursive nameservers. Authoritative nameservers will only be impacted if an administrator configures experimental record types with no data. If the server is configured this way, then secondaries can crash on restart after transferring that zone. Zone data on the master can become corrupted if the zone with those records has named configured to manage the DNSSEC key rotation.
The PostgreSQL Global Development Group reports:
Today the PHP, OpenBSD and FreeBSD communities announced updates to patch a security hole involving their crypt() hashing algorithms. This issue is described in CVE-2012-2143. This vulnerability also affects a minority of PostgreSQL users, and will be fixed in an update release on June 4, 2012.
Affected users are those who use the crypt(text, text) function with DES encryption in the optional pg_crypto module. Passwords affected are those that contain characters that cannot be represented with 7-bit ASCII. If a password contains a character that has the most significant bit set (0x80), and DES encryption is used, that character and all characters after it will be ignored.
Networkupstools project reports:
NUT server (upsd), from versions 2.4.0 to 2.6.3, are exposed to crashes when receiving random data from the network.
This issue is related to the way NUT parses characters, especially from the network. Non printable characters were missed from strings operation (such as strlen), but still copied to the buffer, causing an overflow.
Asterisk project reports:
Remote crash vulnerability in IAX2 channel driver.
Skinny Channel Driver Remote Crash Vulnerability
HAProxy reports:
A flaw was reported in HAProxy where, due to a boundary error when copying data into the trash buffer, an external attacker could cause a buffer overflow. Exploiting this flaw could lead to the execution of arbitrary code, however it requires non-default settings for the global.tune.bufsize configuration option (must be set to a value greater than the default), and also that header rewriting is enabled (via, for example, the regrep or rsprep directives). This flaw is reported against 1.4.20, prior versions may also be affected.
BestPractical report:
Internal audits of the RT codebase have uncovered a number of security vulnerabilities in RT. We are releasing versions 3.8.12 and 4.0.6 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.
The vulnerabilities addressed by 3.8.12, 4.0.6, and the below patches include the following:
The previously released tool to upgrade weak password hashes as part of CVE-2011-0009 was an incomplete fix and failed to upgrade passwords of disabled users.
RT versions 3.0 and above contain a number of cross-site scripting (XSS) vulnerabilities which allow an attacker to run JavaScript with the user's credentials. CVE-2011-2083 is assigned to this vulnerability.
RT versions 3.0 and above are vulnerable to multiple information disclosure vulnerabilities. This includes the ability for privileged users to expose users' previous password hashes -- this vulnerability is particularly dangerous given RT's weak hashing previous to the fix in CVE-2011-0009. A separate vulnerability allows privileged users to obtain correspondence history for any ticket in RT. CVE-2011-2084 is assigned to this vulnerability.
All publicly released versions of RT are vulnerable to cross-site request forgery (CSRF). CVE-2011-2085 is assigned to this vulnerability.
We have also added a separate configuration option ($RestrictLoginReferrer) to prevent login CSRF, a different class of CSRF attack.
RT versions 3.6.1 and above are vulnerable to a remote execution of code vulnerability if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited remote execution of code which can be leveraged for privilege escalation. RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode option, allowing sufficiently privileged users to still execute code even if RT was configured to not allow it. CVE-2011-4458 is assigned to this set of vulnerabilities.
RT versions 3.0 and above may, under some circumstances, still respect rights that a user only has by way of a currently-disabled group. CVE-2011-4459 is assigned to this vulnerability.
RT versions 2.0 and above are vulnerable to a SQL injection attack, which allow privileged users to obtain arbitrary information from the database. CVE-2011-4460 is assigned to this vulnerability.
Secunia team reports:
Multiple vulnerabilities have been reported in Sympa, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerabilities are caused due to the application allowing access to archive functions without checking credentials. This can be exploited to create, download, and delete an archive.
Foswiki team reports:
When a new user registers, the new user can add arbitrary HTML and script code into the user topic which is generated by the RegistrationAgent via standard registration fields such as "FirstName" or "OrganisationName".
By design, Foswiki's normal editing features allow arbitrary HTML markup, including script code, to be inserted into any topic anyway, assuming the authenticated user has CHANGE permission - which is the case on many Foswiki sites. However, the assumption that only authenticated users with CHANGE permission may create script content is false if new users exploit the vulnerability detailed in this alert to manipulate the registration agent into creating that content for them.
Google chrome team reports:
An off-by-one out-of-bounds write flaw was found in the way libxml, a library for providing XML and HTML support, evaluated certain XPointer parts (XPointer is used by libxml to include only the part from the returned XML document, that can be accessed using the XPath expression given with the XPointer). A remote attacker could provide a specially-crafted XML file, which once opened in an application, linked against libxml, would lead to that application crash, or, potentially arbitrary code execution with the privileges of the user running the application.
Note: The flaw to be exploited requires the particular application, linked against libxml, to use the XPointer evaluation functionality.
InspIRCd reports:
InspIRCd contains a heap corruption vulnerability that exists in the dns.cpp code. The res[] buffer is allocated on the heap and can be overflowed. The res[] buffer can be exploited during its deallocation. The number of overflowed bytes can be controlled with DNS compression features.
The authors report:
Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format string security flaw. This flaw could potentially be exploited by a remote attacker to cause arbitrary code to be executed on the user's machine.
The flaw is in pidgin-otr, not in libotr. Other applications that use libotr are not affected.
Todd Miller reports:
Sudo supports granting access to commands on a per-host basis. The host specification may be in the form of a host name, a netgroup, an IP address, or an IP network (an IP address with an associated netmask).
When IPv6 support was added to sudo, a bug was introduced that caused the IPv6 network matching code to be called when an IPv4 network address does not match. Depending on the value of the uninitialized portion of the IPv6 address, it is possible for the IPv4 network number to match when it should not. This bug only affects IP network matching and does not affect simple IP address matching.
The reported configuration that exhibited the bug was an LDAP-based sudo installation where the sudoRole object contained multiple sudoHost entries, each containing a different IPv4 network. File-based sudoers should be affected as well as the same matching code is used.
OpenSSL security team reports:
A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and DTLS can be exploited in a denial of service attack on both clients and servers.
The socat development team reports:
This vulnerability can be exploited when socat is invoked with the READLINE address (this is usually only used interactively) without option "prompt" and without option "noprompt" and an attacker succeeds to provide malicious data to the other (arbitrary) address that is then transferred by socat to the READLINE address for output.
Successful exploitation may allow an attacker to execute arbitrary code with the privileges of the socat process.
The PHP Development Team reports:
The release of PHP 5.4.13 and 5.4.3 complete a fix for the vulnerability in CGI-based setups as originally described in CVE-2012-1823. (CVE-2012-2311)
Note: mod_php and php-fpm are not vulnerable to this attack.
PHP 5.4.3 fixes a buffer overflow vulnerability in the apache_request_headers() (CVE-2012-2329).
Pidgin reports:
A series of specially crafted file transfer requests can cause clients to reference invalid memory. The user must have accepted one of the file transfer requests.
High-Tech Bridge reports:
Input passed via the "file" GET parameter to /pivotx/ajaxhelper.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of the affected website.
NVIDIA Unix security team reports:
Security vulnerability CVE-2012-0946 in the NVIDIA UNIX driver was disclosed to NVIDIA on March 20th, 2012. The vulnerability makes it possible for an attacker who has read and write access to the GPU device nodes to reconfigure GPUs to gain access to arbitrary system memory. NVIDIA is not aware of any reports of this vulnerability, outside of the disclosure which was made privately to NVIDIA.
NVIDIA has identified the root cause of the vulnerability and has released updated drivers which close it. [NVIDIA encourages] all users with Geforce 8 or newer, G80 Quadro or newer, and all Tesla GPUs to update their drivers to 295.40 or later.
Later, it was additionally discovered that similar exploit could be achieved through remapping of VGA window:
NVIDIA received notification of a security exploit that uses NVIDIA UNIX device files to map and program registers to redirect the VGA window. Through the VGA window, the exploit can access any region of physical system memory. This arbitrary memory access can be further exploited, for example, to escalate user privileges.
rubygem-mail -- multiple vulnerabilities
Two issues were fixed. They are a file system traversal in file_delivery method and arbitrary command execution when using exim or sendmail from the command line.
Private information disclosure
An attacker can cause private information disclosure.
Unsafe Temporary file creation
Config::IniFiles used a predictable name for its temporary file without opening it correctly.
php development team reports:
Security Enhancements and Fixes in PHP 5.3.12:
- Initial fix for cgi-bin ?-s cmdarg parse issue (CVE-2012-1823)
Hanno Boeck reports:
Fixes [are now available] for various security vulnerabilities including LFI (local file inclusion), XSS (cross site scripting) and others.
php development team reports:
Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:
- Insufficient validating of upload name leading to corrupted $_FILES indices. (CVE-2012-1172)
- Add open_basedir checks to readline_write_history and readline_read_history.
Security Enhancements for both PHP 5.3.11 only:
- Regression in magic_quotes_gpc fix for CVE-2012-0831.
The Samba project reports:
Samba versions 3.4.x to 3.6.4 inclusive are affected by a vulnerability that allows arbitrary users to modify privileges on a file server.
Security checks were incorrectly applied to the Local Security Authority (LSA) remote proceedure calls (RPC) CreateAccount, OpenAccount, AddAccountRights and RemoveAccountRights allowing any authenticated user to modify the privileges database.
This is a serious error, as it means that authenticated users can connect to the LSA and grant themselves the "take ownership" privilege. This privilege is used by the smbd file server to grant the ability to change ownership of a file or directory which means users could take ownership of files or directories they do not own.
Ports security team reports:
The portupgrade-devel port fetched directly from a git respository without checking against a known good SHA hash. This means that it is possible that packages built using this port may not match the one vetted by the maintainer. Users are advised to rebuild portupgrade-devel from known good sources.
The Red Hat Security Response Team reports:
An array index error, leading to out-of heap-based buffer read flaw was found in the way the net-snmp agent performed lookups in the extension table. When certain MIB subtrees were handled by the extend directive, a remote attacker (having read privileges to the subntree) could use this flaw to cause a denial of service condition via an SNMP GET request involving a non-existent extension table entry.
The Mozilla Project reports:
MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)
MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9
MFSA 2012-22 use-after-free in IDBKeyRange
MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface
MFSA 2012-24 Potential XSS via multibyte content processing errors
MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite
MFSA 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error
MFSA 2012-27 Page load short-circuit can lead to XSS
MFSA 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions
MFSA 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
MFSA 2012-30 Crash with WebGL content using textImage2D
MFSA 2012-31 Off-by-one error in OpenType Sanitizer
MFSA 2012-32 HTTP Redirections and remote content can be read by javascript errors
MFSA 2012-33 Potential site identity spoofing when loading RSS and Atom feeds
Andy Webber reports:
Add User appears to be vulnerable to Cross Site Request Forgery (CSRF/XSRF).
Asterisk project reports:
Remote Crash Vulnerability in SIP Channel Driver
Heap Buffer Overflow in Skinny Channel Driver
Asterisk Manager User Unauthorized Shell Access
Wordpress reports:
External code has been updated to non-vulnerable versions. In addition the following bugs have been fixed:
- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
- Cross-site scripting vulnerability when making URLs clickable.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.
OpenSSL security team reports:
A potentially exploitable vulnerability has been discovered in the OpenSSL function asn1_d2i_read_bio. Any application which uses BIO or FILE based functions to read untrusted DER format data is vulnerable. Affected functions are of the form d2i_*_bio or d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.
The following security issues have been discovered in Bugzilla:
Unauthorized Access
Due to a lack of proper validation of the X-FORWARDED-FOR header of an authentication request, an attacker could bypass the current lockout policy used for protection against brute- force password discovery. This vulnerability can only be exploited if the 'inbound_proxies' parameter is set.
Cross Site Scripting
A JavaScript template used by buglist.cgi could be used by a malicious script to permit an attacker to gain access to some information about bugs he would not normally be allowed to see, using the victim's credentials. To be exploitable, the victim must be logged in when visiting the attacker's malicious page.
All affected installations are encouraged to upgrade as soon as possible.
Typo Security Team reports:
Failing to properly encode the output, the default TYPO3 Exception Handler is susceptible to Cross-Site Scripting. We are not aware of a possibility to exploit this vulnerability without third party extensions being installed that put user input in exception messages. However, it has come to our attention that extensions using the extbase MVC framework can be used to exploit this vulnerability if these extensions accept objects in controller actions.
The nginx project reports:
Buffer overflow in the ngx_http_mp4_module
The phpMyFAQ project reports:
The bundled ImageManager library allows injection of arbitrary PHP code to execute arbitrary PHP code and upload malware and trojan horses.
Multiple vulnerabilities exist in puppet that can result in arbitrary code execution, arbitrary file read access, denial of service, and arbitrary file write access. Please review the details in each of the CVEs for additional information.
Samba development team reports:
Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection.
As this does not require an authenticated connection it is the most serious vulnerability possible in a program, and users and vendors are encouraged to patch their Samba installations immediately.
A Bugzilla Security Advisory reports:
The following security issues have been discovered in Bugzilla:
- Due to a lack of validation of the enctype form attribute when making POST requests to xmlrpc.cgi, a possible CSRF vulnerability was discovered. If a user visits an HTML page with some malicious HTML code in it, an attacker could make changes to a remote Bugzilla installation on behalf of the victim's account by using the XML-RPC API on a site running mod_perl. Sites running under mod_cgi are not affected. Also, the user would have had to be already logged in to the target site for the vulnerability to work.
All affected installations are encouraged to upgrade as soon as possible.
Adobe reports:
Multiple Priority 2 vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
The PNG project reports:
libpng fails to correctly handle malloc() failures for text chunks (in png_set_text_2()), which can lead to memory corruption and the possibility of remote code execution.
The Freetype project reports:
Multiple vulnerabilities exist in freetype that can result in application crashes and remote code execution. Please review the details in each of the CVEs for additional information.
Dave B reports on Full Disclosure:
It seems that mutt fails to check the validity of a SMTP servers certificate during a TLS connection. [...] This means that an attacker could potentially MITM a mutt user connecting to their SMTP server even when the user has forced a TLS connection.
US-CERT reports:
The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding.
The phpMyAdmin development team reports:
The show_config_errors.php scripts did not validate the presence of the configuration file, so an error message shows the full path of this file, leading to possible further attacks. For the error messages to be displayed, php.ini's error_reporting must be set to E_ALL and display_errors must be On (these settings are not recommended on a production server in the PHP manual).
Timothy D. Morgan reports:
In December 2011, VSR identified a vulnerability in multiple open source office products (including OpenOffice, LibreOffice, KOffice, and AbiWord) due to unsafe interpretation of XML files with custom entity declarations. Deeper analysis revealed that the vulnerability was caused by acceptance of external entities by the libraptor library, which is used by librdf and is in turn used by these office products.
In the context of office applications, these vulnerabilities could allow for XML External Entity (XXE) attacks resulting in file theft and a loss of user privacy when opening potentially malicious ODF documents. For other applications which depend on librdf or libraptor, potentially serious consequences could result from accepting RDF/XML content from untrusted sources, though the impact may vary widely depending on the context.
CERT reports:
The ospfd implementation of OSPF in Quagga allows a remote attacker (on a local network segment with OSPF enabled) to cause a denial of service (daemon aborts due to an assert) with a malformed OSPF LS-Update message.
The ospfd implementation of OSPF in Quagga allows a remote attacker (on a local network segment with OSPF enabled) to cause a denial of service (daemon crash) with a malformed OSPF Network- LSA message.
The bgpd implementation of BGP in Quagga allows remote attackers to cause a denial of service (daemon aborts due to an assert) via BGP Open message with an invalid AS4 capability.
CERT-FI reports:
A heap overflow vulnerability has been found in the HTTP (Hypertext Transfer Protocol) protocol handling of Apache Traffic Server. The vulnerability allows an attacker to cause a denial of service or potentially to execute his own code by sending a specially modified HTTP message to an affected server.
Mu Dynamics, Inc. reports:
Various functions using the ASN.1 length decoding logic in Libtasn1 were incorrectly assuming that the return value from asn1_get_length_der is always less than the length of the enclosing ASN.1 structure, which is only true for valid structures and not for intentionally corrupt or otherwise buggy structures.
Mu Dynamics, Inc. reports:
The block cipher decryption logic in GnuTLS assumed that a record containing any data which was a multiple of the block size was valid for further decryption processing, leading to a heap corruption vulnerability.
Asterisk project reports:
Stack Buffer Overflow in HTTP Manager
Remote Crash Vulnerability in Milliwatt Application
The OpenSSL Team reports:
A weakness in the OpenSSL CMS and PKCS #7 code can be exploited using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the million message attack (MMA).
Only users of CMS, PKCS #7, or S/MIME decryption operations are affected. A successful attack needs on average 2^20 messages. In practice only automated systems will be affected as humans will not be willing to process this many messages.
SSL/TLS applications are *NOT* affected by this problem since the SSL/TLS code does not use the PKCS#7 or CMS decryption code.
nginx development team reports:
Matthew Daley recently discovered a security problem which may lead to a disclosure of previously freed memory on specially crafted response from an upstream server, potentially resulting in sensitive information leak.
The Mozilla Project reports:
MFSA 2012-13 XSS with Drag and Drop and Javascript: URL
MFSA 2012-14 SVG issues found with Address Sanitizer
MFSA 2012-15 XSS with multiple Content Security Policy headers
MFSA 2012-16 Escalation of privilege with Javascript: URL as home page
MFSA 2012-17 Crash when accessing keyframe cssText after dynamic modification
MFSA 2012-18 window.fullScreen writeable by untrusted content
MFSA 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)
Michael Gmelin and Jörg Scheinert has reported a remote command execution vulnerability in portaudit.
An attacker who can get the user to use a specially crafted audit file will be able to run commands on the users system, with the privileges of the user running running portaudit (often root).
The attack could e.g. happen through DNS hijacking or a man in the middle attack.
Note that if the user has set up portaudit to run from periodic this attack could happen without direct user interaction.
In the FreeBSD Ports Collection (bsd.port.mk) the check for vulnerable ports at install-time directly operates on the auditfile and has the same vulnerability as portaudit. As the Ports Collection infrastructure does not have a version number just be sure to have a Ports Collection new enough to contain the fix for portaudit. Note that this is only a problem for users which has portaudit installed, as they will not have the audit database installed or downloaded otherwise.
These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
Jenkins Security Advisory reports:
An XSS vulnerability was found in Jenkins core, which allows an attacker to inject malicious HTMLs to pages served by Jenkins. This allows an attacker to escalate his privileges by hijacking sessions of other users. This vulnerability affects all versions.
The Dropbear project reports:
Dropbear SSH Server could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a use-after- free error. If a command restriction is enforced, an attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.
OpenX does not provide information about vulnerabilities beyond their existence.
The PostgreSQL Global Development Group reports:
These vulnerabilities could allow users to define triggers that execute functions on which the user does not have EXECUTE permission, allow SSL certificate spoofing and allow line breaks in object names to be exploited to execute code when loading a pg_dump file.
These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
Google chrome team reports:
Heap-based buffer overflow in libxml2, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
Secunia reports:
A vulnerability has been discovered in PLIB, which can be exploited by malicious people to compromise an application using the library.
The vulnerability is caused due to a boundary error within the "ulSetError()" function (src/util/ulError.cxx) when creating the error message, which can be exploited to overflow a static buffer.
Successful exploitation allows the execution of arbitrary code but requires that the attacker can e.g. control the content of an overly long error message passed to the "ulSetError()" function.
The vulnerability is confirmed in version 1.8.5. Other versions may also be affected.
The phpMyAdmin development team reports:
It was possible to conduct XSS using a crafted database name.
The Piwik Team reports:
We would like to thank the following security researchers for their responsible disclosure of XSS and click-jacking issues: Piotr Duszynski, Sergey Markov, Mauro Gentile.
The Mozilla Project reports:
MFSA 2012-11 libpng integer overflow
Jan Lieskovsky reports,
A denial of service flaw was found in the way Simple XML-RPC Server module of Python processed client connections, that were closed prior the complete request body has been received. A remote attacker could use this flaw to cause Python Simple XML-RPC based server process to consume excessive amount of CPU.
tom reports,
There is no sanitation on the input of the location variable allowing for persistent XSS.
The Mozilla Project reports:
MFSA 2012-10 use after free in nsXBLDocumentInfo::ReadPrototypeBindings
Julien Tinnes reports,
Bip doesn't check if fd is equal or larger than FD_SETSIZE.
surf does not protect its cookie jar against access read access from other local users
The GLPI project reports:
The autocompletion functionality in GLPI before 0.80.2 does not blacklist certain username and password fields, which allows remote attackers to obtain sensitive information via a crafted POST request.
Drupal development team reports:
Cross Site Request Forgery vulnerability in Aggregator module
CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.
This issue affects Drupal 6.x and 7.x.
OpenID not verifying signed attributes in SREG and AX
CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.
This issue affects Drupal 6.x and 7.x.
Access bypass in File module
CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.
This issue affects Drupal 7.x only.
A Bugzilla Security Advisory reports:
The following security issues have been discovered in Bugzilla:
- Account Impersonation: When a user creates a new account, Bugzilla doesn't correctly reject email addresses containing non-ASCII characters, which could be used to impersonate another user account. Such email addresses could look visually identical to other valid email addresses, and an attacker could try to confuse other users and be added to bugs he shouldn't have access to.
- Cross-Site Request Forgery: Due to a lack of validation of the Content-Type head when making POST requests to jsonrpc.cgi, a possible CSRF vulnerability was discovered. If a user visits an HTML page with some malicious JS code in it, an attacker could make changes to a remote Bugzilla installation on behalf of the victim's account by using the JSON-RPC API. The user would have had to be already logged in to the target site for the vulnerability to work.
All affected installations are encouraged to upgrade as soon as possible.
Secunia reports:
A vulnerability has been reported in PHP, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a logic error within the "php_register_variable_ex()" function (php_variables.c) when hashing form posts and updating a hash table, which can be exploited to execute arbitrary code.
Michiel Boland reports:
The software has a vulnerability that could lead to directory traversal if the '*' construct for mass virtual hosting is used.
CVE MITRE reports:
An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker.
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.
An additional exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker.
A flaw was found in mod_log_config. If the '%{cookiename}C' log format string is in use, a remote attacker could send a specific cookie causing a crash. This crash would only be a denial of service if using a threaded MPM.
A flaw was found in the handling of the scoreboard. An unprivileged child process could cause the parent process to crash at shutdown rather than terminate cleanly.
A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose "httpOnly" cookies when no custom ErrorDocument is specified.
The Mozilla Project reports:
MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26)
MFSA 2012-02 Overly permissive IPv6 literal syntax
MFSA 2012-03 iframe element exposed across domains via name attribute
MFSA 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
MFSA 2012-05 Frame scripts calling into untrusted objects bypass security checks
MFSA 2012-06 Uninitialized memory appended when encoding icon images may cause information disclosure
MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
MFSA 2012-08 Crash with malformed embedded XSLT stylesheets
MFSA 2012-09 Firefox Recovery Key.html is saved with unsafe permission
Todd Miller reports:
Sudo 1.8.0 introduced simple debugging support that was primarily intended for use when developing policy or I/O logging plugins. The sudo_debug() function contains a flaw where the program name is used as part of the format string passed to the fprintf() function. The program name can be controlled by the caller, either via a symbolic link or, on some systems, by setting argv[0] when executing sudo.
Using standard format string vulnerability exploitation techniques it is possible to leverage this bug to achieve root privileges.
Exploitation of the bug does not require that the attacker be listed in the sudoers file. As such, we strongly suggest that affected sites upgrade from affected sudo versions as soon as possible.
Problem Description:
Some third-party applications, including KDE's kcheckpass command, allow the user to specify the name of the policy on the command line. Since OpenPAM treats the policy name as a path relative to /etc/pam.d or /usr/local/etc/pam.d, users who are permitted to run such an application can craft their own policies and cause the application to load and execute their own modules.
Problem Description:
The OpenSSL library call used to decrypt private keys ignores the passphrase argument if the key is not encrypted. Because the pam_ssh module only checks whether the passphrase provided by the user is null, users with unencrypted SSH private keys may successfully authenticate themselves by providing a dummy passphrase.
Problem Description:
When a UNIX-domain socket is attached to a location using the bind(2) system call, the length of the provided path is not validated. Later, when this address was returned via other system calls, it is copied into a fixed-length buffer.
Linux uses a larger socket address structure for UNIX-domain sockets than FreeBSD, and the FreeBSD's linux emulation code did not translate UNIX-domain socket addresses into the correct size of structure.
Problem Description:
The code used to decompress a file created by compress(1) does not do sufficient boundary checks on compressed code words, allowing reference beyond the decompression table, which may result in a stack overflow or an infinite loop when the decompressor encounters a corrupted file.
Problem Description:
While parsing the exports(5) table, a network mask in the form of "-network=netname/prefixlength" results in an incorrect network mask being computed if the prefix length is not a multiple of 8.
For example, specifying the ACL for an export as "-network 192.0.2.0/23" would result in a netmask of 255.255.127.0 being used instead of the correct netmask of 255.255.254.0.
The Postfix Admin Team reports:
Multiple XSS vulnerabilities exist:
- XSS with $_GET[domain] in templates/menu.php and edit-vacation
- XSS in some create-domain input fields
- XSS in create-alias and edit-alias error message
- XSS (by values stored in the database) in fetchmail list view, list-domain and list-virtualMultiple SQL injection issues exist:
- SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt')
- SQL injection in backup.php - the dump was not mysql_escape()d, therefore users could inject SQL (for example in the vacation message) which will be executed when restoring the database dump. WARNING: database dumps created with backup.php from 2.3.4 or older might contain malicious SQL. Double-check before using them!
The oss-security list reports:
Incorrect permissions on temporary files can lead to information disclosure.
The Adobe Security Team reports:
An unspecified vulnerability in the U3D component allows remote attackers to execute arbitrary code (or cause a denial of service attack) via unknown vectors.
A heap-based buffer overflow allows attackers to execute arbitrary code via unspecified vectors.
Wireshark reports:
Laurent Butti discovered that Wireshark failed to properly check record sizes for many packet capture file formats
Wireshark could dereference a NULL pointer and crash.
The RLC dissector could overflow a buffer.
Secunia reports:
Fixed a number of very serious errors in the usage of snprintf()/vsnprintf().
The return value was being used as the length of the string printed into the buffer, but the return value really indicates the length of the string that *could* be printed if the buffer were of infinite size. Because the returned value could be larger than the buffer's size, this meant remotely exploitable buffer overflows were possible, depending on spamdyke's configuration.
The OpenSSL Team reports:
A flaw in the fix to CVE-2011-4108 can be exploited in a denial of service attack. Only DTLS applications using OpenSSL 1.0.0f and 0.9.8s are affected.
Asterisk project reports:
An attacker attempting to negotiate a secure video stream can crash Asterisk if video support has not been enabled and the res_srtp Asterisk module is loaded.
The Tomcat security team reports:
Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values. These inefficiencies could allow an attacker, via a specially crafted request, to cause large amounts of CPU to be used which in turn could create a denial of service. The issue was addressed by modifying the Tomcat parameter handling code to efficiently process large numbers of parameters and parameter values.
The OpenTTD Team reports:
Using a slow read type attack it is possible to prevent anyone from joining a server with virtually no resources. Once downloading the map no other downloads of the map can start, so downloading really slowly will prevent others from joining. This can be further aggravated by the pause-on-join setting in which case the game is paused and the players cannot continue the game during such an attack. This attack requires that the user is not banned and passes the authorization to the server, although for many servers there is no server password and thus authorization is easy.
oCERT reports:
A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.
The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision properties in the hashing functions of the underlying languages can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to a 100% of CPU usage which can last up to several hours depending on the targeted application and server performance, the amplification effect is considerable and requires little bandwidth and time on the attacker side.
The condition for predictable collisions in the hashing functions has been reported for the following language implementations: Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the Ruby language, the 1.9.x branch is not affected by the predictable collision condition since this version includes a randomization of the hashing function.
The vulnerability outlined in this advisory is practically identical to the one reported in 2003 and described in the paper Denial of Service via Algorithmic Complexity Attacks which affected the Perl language.
Ubuntu Security Notice USN-1320-1 reports:
Phillip Langlois discovered that FFmpeg incorrectly handled certain malformed QDM2 streams. If a user were tricked into opening a crafted QDM2 stream file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-4351)
Phillip Langlois discovered that FFmpeg incorrectly handled certain malformed VP3 streams. If a user were tricked into opening a crafted file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-4352)
Phillip Langlois discovered that FFmpeg incorrectly handled certain malformed VP5 and VP6 streams. If a user were tricked into opening a crafted file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-4353)
It was discovered that FFmpeg incorrectly handled certain malformed VMD files. If a user were tricked into opening a crafted VMD file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-4364)
Phillip Langlois discovered that FFmpeg incorrectly handled certain malformed SVQ1 streams. If a user were tricked into opening a crafted SVQ1 stream file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-4579)
The OpenSSL Team reports:
6 security flaws have been fixed in OpenSSL 1.0.0f:
If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy check failure can lead to a double-free.
OpenSSL prior to 1.0.0f and 0.9.8s failed to clear the bytes used as block cipher padding in SSL 3.0 records. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory.
RFC 3779 data can be included in certificates, and if it is malformed, may trigger an assertion failure. This could be used in a denial-of-service attack.
Support for handshake restarts for server gated cryptograpy (SGC) can be used in a denial-of-service attack.
A malicious TLS client can send an invalid set of GOST parameters which will cause the server to crash due to lack of error checking. This could be used in a denial-of-service attack.
ISC reports:
Due to improper handling of a DHCPv6 lease structure, ISC DHCP servers that are serving IPv6 address pools AND using Dynamic DNS can encounter a segmentation fault error while updating lease status under certain conditions.
The potential exists for this condition to be intentionally triggered, resulting in effective denial of service to clients expecting service from the affected server.
The PowerDNS Team reports:
Using well crafted UDP packets, one or more PowerDNS servers could be made to enter a tight packet loop, causing temporary denial of service.
php development team reports:
Security Enhancements and Fixes in PHP 5.3.9:
- Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)
- Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)
TORCS News reports:
An insecure change to LD_LIBRARY_PATH allows loading of libraries in directories other than the standard paths. This can be a problem when downloading and installing untrusted content from the Internet.
Secunia reports:
The vulnerability is caused due to the TLS implementation not properly clearing transport layer buffers when upgrading from plaintext to ciphertext after receiving the "STARTTLS" command. This can be exploited to insert arbitrary plaintext data (e.g. SMTP commands) during the plaintext phase, which will then be executed after upgrading to the TLS ciphertext phase.
A Bugzilla Security Advisory reports:
The following security issues have been discovered in Bugzilla:
- Tabular and graphical reports, as well as new charts have a debug mode which displays raw data as plain text. This text is not correctly escaped and a crafted URL could use this vulnerability to inject code leading to XSS.
- The User.offer_account_by_email WebService method ignores the user_can_create_account setting of the authentication method and generates an email with a token in it which the user can use to create an account. Depending on the authentication method being active, this could allow the user to log in using this account. Installations where the createemailregexp parameter is empty are not vulnerable to this issue.
- The creation of bug reports and of attachments is not protected by a token and so they can be created without the consent of a user if the relevant code is embedded in an HTML page and the user visits this page. This behavior was intentional to let third-party applications submit new bug reports and attachments easily. But as this behavior can be abused by a malicious user, it has been decided to block submissions with no valid token starting from version 4.2rc1. Older branches are not patched to not break these third-party applications after the upgrade.
All affected installations are encouraged to upgrade as soon as possible.