OpenX -- SQL injection vulnerability openx 3.0.2

Revive reports:

An SQL-injection vulnerability was recently discovered and reported to the Revive Adserver team by Florian Sander. The vulnerability is known to be already exploited to gain unauthorised access to the application using brute force mechanisms; however, other kinds of attacks might be possible and/or already in use. The risk is rated to be critical as the most common end goal of the attackers is to spread malware to the visitors of all the websites and ad networks that the ad server is being used on.

The vulnerability is also present and exploitable in OpenX Source 2.8.11 and earlier versions, potentially back to phpAdsNew 2.0.x.

References: http://www.revive-adserver.com/security/revive-sa-2013-001/ http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/
CVE: CVE-2013-7149
Dates: discovered 2013-12-20; entry 2013-12-22
cURL library -- cert name check ignore with GnuTLS curl 7.21.47.33.0_2

cURL project reports:

libcurl is vulnerable to a case of missing out the checking of the certificate CN or SAN name field when the digital signature verification is turned off.

libcurl offers two separate and independent options for verifying a server's TLS certificate: CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST. The first one tells libcurl to verify the trust chain using a CA cert bundle, while the second tells libcurl to make sure that the name fields in the server certificate meet the criteria. Both options are enabled by default.

This flaw had the effect that when an application disabled CURLOPT_SSL_VERIFYPEER, libcurl mistakenly also skipped the CURLOPT_SSL_VERIFYHOST check. Applications can disable CURLOPT_SSL_VERIFYPEER and still achieve security by doing the check on their own using other means.

The curl command line tool is not affected by this problem as it either enables both options or disables both at the same time.

References: http://curl.haxx.se/docs/adv_20131217.html
CVE: CVE-2013-6422
Dates: discovered 2013-12-17; entry 2013-12-18
gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack gnupg 1.4.16 gnupg1 1.4.16

Werner Koch reports:

CVE-2013-4576 has been assigned to this security bug.

The paper describes two attacks. The first attack allows an attacker to distinguish keys: an attacker is able to notice which key is currently used for decryption. This is in general not a problem but may be used to reveal the information that a message, encrypted to a key that is not commonly used, has been received by the targeted machine. We do not have a software solution to mitigate this attack.

The second attack is more serious. It is an adaptive chosen ciphertext attack to reveal the private key. A possible scenario is that the attacker places a sensor (for example a standard smartphone) in the vicinity of the targeted machine. That machine is assumed to do unattended RSA decryption of received mails, for example by using a mail client which speeds up browsing by opportunistically decrypting mails expected to be read soon. While listening to the acoustic emanations of the targeted machine, the smartphone will send new encrypted messages to that machine and re-construct the private key bit by bit. A 4096 bit RSA key used on a laptop can be revealed within an hour.

CVE: CVE-2013-4576
References: http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html
Dates: discovered 2013-12-18; entry 2013-12-18; modified 2014-04-30
asterisk -- multiple vulnerabilities asterisk10 10.12.4 asterisk11 11.6.1 asterisk18 1.8.24.1

The Asterisk project reports:

A 16 bit SMS message that contains an odd message length value will cause the message decoding loop to run forever. The message buffer is not on the stack but will be overflowed resulting in corrupted memory and an immediate crash.

External control protocols, such as the Asterisk Manager Interface, often have the ability to get and set channel variables; this allows the execution of dialplan functions. Dialplan functions within Asterisk are incredibly powerful, which is wonderful for building applications using Asterisk. But during the read or write execution, certain dialplan functions do much more. For example, reading the SHELL() function can execute arbitrary commands on the system Asterisk is running on. Writing to the FILE() function can change any file that Asterisk has write access to. When these functions are executed from an external protocol, that execution could result in a privilege escalation.

CVE: CVE-2013-7100
References: http://downloads.asterisk.org/pub/security/AST-2013-006.pdf http://downloads.asterisk.org/pub/security/AST-2013-007.pdf https://www.asterisk.org/security
Dates: discovered 2013-12-16; entry 2013-12-17
phpmyfaq -- arbitrary PHP code execution vulnerability phpmyfaq 2.8.4

The phpMyFAQ team reports:

Secunia noticed while analysing the advisory that authenticated users with "Right to add attachments" are able to exploit an already publicly known issue in the bundled Ajax File Manager of phpMyFAQ version 2.8.3, which leads to arbitrary PHP code execution for authenticated users with the permission "Right to add attachments".

References: http://en.securitylab.ru/lab/PT-2013-41 http://www.phpmyfaq.de/advisory_2013-11-26.php
Dates: discovered 2013-11-26; entry 2013-12-16; modified 2013-12-17
zabbix -- shell command injection vulnerability zabbix2-agent 2.0.10

The Recurity Labs team reports:

Zabbix agent is vulnerable to remote command execution from the Zabbix server in some cases.

CVE: CVE-2013-6824
References: https://support.zabbix.com/browse/ZBX-7479
Dates: discovered 2013-12-03; entry 2013-12-16
PHP5 -- memory corruption in openssl_x509_parse() php5 5.4.05.4.23 php53 5.3.28 php55 5.5.05.5.7

Stefan Esser reports:

The PHP function openssl_x509_parse() uses a helper function called asn1_time_to_time_t() to convert timestamps from ASN1 string format into integer timestamp values. The parser within this helper function is not binary safe and can therefore be tricked to write up to five NUL bytes outside of an allocated buffer.

This problem can be triggered by x509 certificates that contain NUL bytes in their notBefore and notAfter timestamp fields and leads to a memory corruption that might result in arbitrary code execution.

Depending on how openssl_x509_parse() is used within a PHP application the attack requires either a malicious cert signed by a compromised/malicious CA or can be carried out with a self-signed cert.

CVE: CVE-2013-6420
References: https://www.sektioneins.de/advisories/advisory-012013-php-openssl_x509_parse-memory-corruption-vulnerability.html
Dates: discovered 2013-12-13; entry 2013-12-14
mozilla -- multiple vulnerabilities firefox 25.0,126.0,1 24.2.0,1 linux-firefox 26.0,1 linux-seamonkey 2.23 linux-thunderbird 24.2.0 seamonkey 2.23 thunderbird 24.2.0

The Mozilla Project reports:

MFSA 2013-105 Application Installation doorhanger persists on navigation

MFSA 2013-106 Character encoding cross-origin XSS attack

MFSA 2013-107 Sandbox restrictions not applied to nested object elements

MFSA 2013-108 Use-after-free in event listeners

MFSA 2013-109 Use-after-free during Table Editing

MFSA 2013-110 Potential overflow in JavaScript binary search algorithms

MFSA 2013-111 Segmentation violation when replacing ordered list elements

MFSA 2013-112 Linux clipboard information disclosure through selection paste

MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation

MFSA 2013-114 Use-after-free in synthetic mouse movement

MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets

MFSA 2013-116 JPEG information leak

MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate

CVE: CVE-2013-5609 CVE-2013-5610 CVE-2013-5611 CVE-2013-5612 CVE-2013-5613 CVE-2013-5614 CVE-2013-5615 CVE-2013-5616 CVE-2013-5618 CVE-2013-5619 CVE-2013-6629 CVE-2013-6630 CVE-2013-6671 CVE-2013-6672 CVE-2013-6673
References: https://www.mozilla.org/security/announce/2013/mfsa2013-104.html https://www.mozilla.org/security/announce/2013/mfsa2013-105.html https://www.mozilla.org/security/announce/2013/mfsa2013-106.html https://www.mozilla.org/security/announce/2013/mfsa2013-107.html https://www.mozilla.org/security/announce/2013/mfsa2013-108.html https://www.mozilla.org/security/announce/2013/mfsa2013-109.html https://www.mozilla.org/security/announce/2013/mfsa2013-110.html https://www.mozilla.org/security/announce/2013/mfsa2013-111.html https://www.mozilla.org/security/announce/2013/mfsa2013-112.html https://www.mozilla.org/security/announce/2013/mfsa2013-113.html https://www.mozilla.org/security/announce/2013/mfsa2013-114.html https://www.mozilla.org/security/announce/2013/mfsa2013-115.html https://www.mozilla.org/security/announce/2013/mfsa2013-116.html https://www.mozilla.org/security/announce/2013/mfsa2013-117.html http://www.mozilla.org/security/known-vulnerabilities/
Dates: discovered 2013-12-09; entry 2013-12-14
samba -- multiple vulnerabilities samba34 0 samba35 0 samba36 3.6.*3.6.22 samba4 4.0.*4.0.13 samba41 4.1.*4.1.3

The Samba project reports:

These are security releases in order to address CVE-2013-4408 (DCE-RPC fragment length field is incorrectly checked) and CVE-2012-6150 (pam_winbind login without require_membership_of restrictions).

CVE: CVE-2012-6150 CVE-2013-4408
References: http://www.samba.org/samba/security/CVE-2012-6150 http://www.samba.org/samba/security/CVE-2013-4408
Dates: discovered 2012-06-12; entry 2013-12-11
rails -- multiple vulnerabilities rubygem-actionmailer 3.2.16 rubygem-actionpack 3.2.16 rubygem-activemodel 3.2.16 rubygem-activerecord 3.2.16 rubygem-activeresource 3.2.16 rubygem-activesupport 3.2.16 rubygem-rails 3.2.16 rubygem-railties 3.2.16 rubygem-actionpack4 4.0.2 rubygem-activesupport4 4.0.2

The Rails weblog reports:

Rails 3.2.16 and 4.0.2 have been released! These two releases contain important security fixes, so please upgrade as soon as possible! In order to make upgrading as smooth as possible, we've only included commits directly related to each security issue.

The security fixes in 3.2.16 are:

  • CVE-2013-4491
  • CVE-2013-6414
  • CVE-2013-6415
  • CVE-2013-6417

The security fixes in 4.0.2 are:

  • CVE-2013-4491
  • CVE-2013-6414
  • CVE-2013-6415
  • CVE-2013-6416
  • CVE-2013-6417

CVE: CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2013-6416 CVE-2013-6417
References: http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
Dates: discovered 2013-12-03; entry 2013-12-08; modified 2014-04-23
drupal -- multiple vulnerabilities drupal6 6.29 drupal7 7.24

Drupal Security Team reports:

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

  • Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7)
  • Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7)
  • Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7)
  • Access bypass (Security token validation - Drupal 6 and 7)
  • Cross-site scripting (Image module - Drupal 7)
  • Cross-site scripting (Color module - Drupal 7)
  • Open redirect (Overlay module - Drupal 7)

References: https://drupal.org/SA-CORE-2013-003
Dates: discovered 2013-11-20; entry 2013-12-06
Joomla! -- Core XSS Vulnerabilities joomla2 2.5.*2.5.14 joomla3 3.0.*3.1.5

The JSST and the Joomla! Security Center report:

[20131101] Core XSS Vulnerability

Inadequate filtering leads to XSS vulnerability in com_contact.

[20131102] Core XSS Vulnerability

Inadequate filtering leads to XSS vulnerability in com_contact, com_weblinks, com_newsfeeds.

[20131103] Core XSS Vulnerability

Inadequate filtering leads to XSS vulnerability in com_contact.

References: http://developer.joomla.org/security/570-core-xss-20131101.html http://developer.joomla.org/security/571-core-xss-20131102.html http://developer.joomla.org/security/572-core-xss-20131103.html
Dates: discovered 2013-11-01; entry 2013-12-04; modified 2014-04-23
OpenTTD -- Denial of service using forcefully crashed aircraft openttd 0.3.61.3.3

The OpenTTD Team reports:

The problem is caused by incorrectly handling the fact that the aircraft circling the corner airport will be outside of the bounds of the map. In the 'out of fuel' crash code the height of the tile under the aircraft is determined. In this case that means a tile outside of the allocated map array, which could occasionally trigger invalid reads.

CVE: CVE-2013-6411
References: https://security.openttd.org/en/CVE-2013-6411 http://bugs.openttd.org/task/5820 http://vcs.openttd.org/svn/changeset/26134
Dates: discovered 2013-11-28; entry 2013-11-28
monitorix -- serious bug in the built-in HTTP server monitorix 3.3.1

Monitorix Project reports:

A serious bug in the built-in HTTP server. It was discovered that the handle_request() routine did not properly perform input sanitization, which led to a number of security vulnerabilities. An unauthenticated, remote attacker could exploit this flaw to execute arbitrary commands on the remote host. All users still using older versions are advised to upgrade to this version, which resolves this issue.

References: http://www.monitorix.org/news.html#N331 https://github.com/mikaku/Monitorix/issues/30
Dates: discovered 2013-11-21; entry 2013-12-01
subversion -- multiple vulnerabilities subversion 1.4.01.7.14 1.8.01.8.5

Subversion Project reports:

mod_dontdothat does not restrict requests from serf based clients

mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured by mod_dontdothat.

mod_dav_svn assertion triggered by non-canonical URLs in autoversioning commits

When autoversioning is enabled via "SVNAutoversioning on", commits can be made by single HTTP requests such as MKCOL and PUT. If Subversion is built with assertions enabled, any such requests that have non-canonical URLs, such as URLs with a trailing /, may trigger an assert. An assert will cause the Apache process to abort.

CVE: CVE-2013-4505 CVE-2013-4558
References: http://subversion.apache.org/security/CVE-2013-4505-advisory.txt http://subversion.apache.org/security/CVE-2013-4558-advisory.txt
Dates: discovered 2013-11-15; entry 2013-11-25
ruby-gems -- Algorithmic Complexity Vulnerability ruby19-gems 1.8.27 ruby20-gems 1.8.27

Ruby Gem developers report:

The patch for CVE-2013-4363 was insufficiently verified so the combined regular expression for verifying gem version remains vulnerable following CVE-2013-4363.

RubyGems validates versions with a regular expression that is vulnerable to denial of service due to backtracking. For specially crafted RubyGems versions attackers can cause denial of service through CPU consumption.

CVE: CVE-2013-4363
Dates: discovered 2013-09-24; entry 2013-11-24
ruby-gems -- Algorithmic Complexity Vulnerability ruby19-gems 1.8.26 ruby20-gems 1.8.26

Ruby Gem developers report:

RubyGems validates versions with a regular expression that is vulnerable to denial of service due to backtracking. For specially crafted RubyGems versions attackers can cause denial of service through CPU consumption.

CVE: CVE-2013-4287
Dates: discovered 2013-09-09; entry 2013-11-24
ruby -- Heap Overflow in Floating Point Parsing ruby19 1.9.3.484,1 ruby20 2.0.0.353,1

Ruby developers report:

Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) is vulnerable.

References: https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/ https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/
CVE: CVE-2013-4164
Dates: discovered 2013-11-22; entry 2013-11-23
samba -- Private key in key.pem world readable samba4 4.0.*4.0.11 samba41 4.1.*4.1.1

The Samba project reports:

Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is provided over SSL, uses world-readable permissions for a private key, which allows local users to obtain sensitive information by reading the key file, as demonstrated by access to the local filesystem on an AD domain controller.

CVE: CVE-2013-4476
References: http://www.samba.org/samba/security/CVE-2013-4476
Dates: discovered 2013-06-12; entry 2013-11-19
samba -- ACLs are not checked on opening an alternate data stream on a file or directory samba34 0 samba35 0 samba36 3.6.*3.6.20 samba4 4.0.*4.0.11 samba41 4.1.*4.1.1

The Samba project reports:

Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x, 3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying file or directory ACL when opening an alternate data stream.

According to the SMB1 and SMB2+ protocols the ACL on an underlying file or directory should control what access is allowed to alternate data streams that are associated with the file or directory.

CVE: CVE-2013-4475
References: http://www.samba.org/samba/security/CVE-2013-4475
Dates: discovered 2013-06-12; entry 2013-11-19
nginx -- Request line parsing vulnerability nginx 0.8.411.4.4,1 nginx-devel 0.8.411.5.7

The nginx project reports:

Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might have potential other impact (CVE-2013-4547).

CVE: CVE-2013-4547
References: http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html
Dates: discovered 2013-11-19; entry 2013-11-19
linux-flashplugin -- multiple vulnerabilities linux-f10-flashplugin 11.2r202.327

Adobe reports:

These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

CVE: CVE-2013-5329 CVE-2013-5330
References: http://www.adobe.com/support/security/bulletins/apsb13-26.html
Dates: discovered 2013-11-12; entry 2013-11-12
OpenSSH -- Memory corruption in sshd openssh-portable 6.2.p2,16.4.p1,1 openssh-portable-base 6.2.p2,16.4.p1,1

The OpenSSH development team reports:

A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during kex exchange.

If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations.

Either upgrade to 6.4 or disable AES-GCM in the server configuration. The following sshd_config option will disable AES-GCM while leaving other ciphers active:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

References: http://www.openssh.com/txt/gcmrekey.adv
Dates: discovered 2013-11-07; entry 2013-11-08; modified 2013-11-13
Quassel IRC -- SQL injection vulnerability quassel 0.9.1

Quassel IRC developers report:

SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 or later and PostgreSQL 8.2 or later are used, allows remote attackers to execute arbitrary SQL commands via a \ (backslash) in a message.

CVE: CVE-2013-4422
Dates: discovered 2013-10-07; entry 2013-11-06
mozilla -- multiple vulnerabilities firefox 24.1.0,1 linux-firefox 25.0,1 linux-seamonkey 2.22 linux-thunderbird 24.1.0 seamonkey 2.22 thunderbird 24.1.0

The Mozilla Project reports:

MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

MFSA 2013-94 Spoofing addressbar through SELECT element

MFSA 2013-95 Access violation with XSLT and uninitialized data

MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions

MFSA 2013-97 Writing to cycle collected object during image decoding

MFSA 2013-98 Use-after-free when updating offline cache

MFSA 2013-99 Security bypass of PDF.js checks using iframes

MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing

MFSA 2013-101 Memory corruption in workers

MFSA 2013-102 Use-after-free in HTML document templates

CVE: CVE-2013-1739 CVE-2013-5590 CVE-2013-5591 CVE-2013-5592 CVE-2013-5593 CVE-2013-5595 CVE-2013-5596 CVE-2013-5597 CVE-2013-5598 CVE-2013-5599 CVE-2013-5600 CVE-2013-5601 CVE-2013-5602 CVE-2013-5603 CVE-2013-5604
References: https://www.mozilla.org/security/announce/2013/mfsa2013-93.html https://www.mozilla.org/security/announce/2013/mfsa2013-94.html https://www.mozilla.org/security/announce/2013/mfsa2013-95.html https://www.mozilla.org/security/announce/2013/mfsa2013-96.html https://www.mozilla.org/security/announce/2013/mfsa2013-97.html https://www.mozilla.org/security/announce/2013/mfsa2013-98.html https://www.mozilla.org/security/announce/2013/mfsa2013-99.html https://www.mozilla.org/security/announce/2013/mfsa2013-100.html https://www.mozilla.org/security/announce/2013/mfsa2013-101.html https://www.mozilla.org/security/announce/2013/mfsa2013-102.html http://www.mozilla.org/security/known-vulnerabilities/
Dates: discovered 2013-10-29; entry 2013-10-30; modified 2013-10-31
mod_pagespeed -- critical cross-site scripting (XSS) vulnerability mod_pagespeed 1.2.24.2,1

mod_pagespeed developers report:

Various versions of mod_pagespeed are subject to critical cross-site scripting (XSS) vulnerability, CVE-2013-6111. This permits a hostile third party to execute JavaScript in users' browsers in context of the domain running mod_pagespeed, which could permit theft of users' cookies or data on the site.

CVE: CVE-2013-6111
Dates: discovered 2013-10-04; entry 2013-10-28
gnutls -- denial of service gnutls3 3.1.16

Salvatore Bonaccorso reports:

This vulnerability affects the DANE library of gnutls 3.1.x and gnutls 3.2.x. A server that returns more than 4 DANE entries could corrupt the memory of a requesting client.

CVE: CVE-2013-4466
References: http://www.gnutls.org/security.html#GNUTLS-SA-2013-3
Dates: discovered 2013-10-25; entry 2013-10-25; modified 2013-11-01
xorg-server -- use-after-free xorg-server 1.7.01.7.7_11 1.12.01.12.4_4

Alan Coopersmith reports:

Pedro Ribeiro (pedrib at gmail.com) reported an issue to the X.Org security team in which an authenticated X client can cause an X server to use memory after it was freed, potentially leading to crash and/or memory corruption.

CVE: CVE-2013-4396
References: http://lists.x.org/archives/xorg-announce/2013-October/002332.html
Dates: discovered 2013-10-08; entry 2013-10-24
pycrypto -- PRNG reseed race condition py26-pycrypto 2.6.1 py27-pycrypto 2.6.1 py31-pycrypto 2.6.1 py32-pycrypto 2.6.1 py33-pycrypto 2.6.1

Dwayne Litzenberger reports:

In PyCrypto before v2.6.1, the Crypto.Random pseudo-random number generator (PRNG) exhibits a race condition that may cause it to generate the same 'random' output in multiple processes that are forked from each other. Depending on the application, this could reveal sensitive information or cryptographic keys to remote attackers.

CVE: CVE-2013-1445
References: http://lists.dlitz.net/pipermail/pycrypto/2013q4/000702.html
Dates: discovered 2013-10-17; entry 2013-10-19; modified 2014-04-30
wordpress -- multiple vulnerabilities zh-wordpress-zh_CN 3.6.1 zh-wordpress-zh_TW 3.6.1 de-wordpress 3.6.1 ja-wordpress 3.6.1 ru-wordpress 3.6.1 wordpress 3.6.1

The WordPress development team reports:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post "written by" another user.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website.

Additionally, we've adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.

CVE: CVE-2013-4338 CVE-2013-4339 CVE-2013-4340 CVE-2013-5738 CVE-2013-5739
References: http://wordpress.org/news/2013/09/wordpress-3-6-1/
Dates: discovered 2013-09-11; entry 2013-10-19; modified 2014-04-30
node.js -- DoS Vulnerability node 0.10.21 node-devel 0.11.7

node.js developers report:

This release contains a security fix for the http server implementation, please upgrade as soon as possible.

References: http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/
Dates: discovered 2013-10-19; entry 2013-10-19
bugzilla -- multiple vulnerabilities bugzilla 4.0.04.0.11 bugzilla40 4.0.04.0.11 bugzilla42 4.2.04.2.7 bugzilla44 4.44.4.1

A Bugzilla Security Advisory reports:

Cross-Site Request Forgery

When a user submits changes to a bug right after another user did, a midair collision page is displayed to inform the user about changes recently made. This page contains a token which can be used to validate the changes if the user decides to submit his changes anyway. A regression in Bugzilla 4.4 caused this token to be recreated if a crafted URL was given, even when no midair collision page was going to be displayed, allowing an attacker to bypass the token check and abuse a user to commit changes on his behalf.

Cross-Site Request Forgery

When an attachment is edited, a token is generated to validate changes made by the user. Using a crafted URL, an attacker could force the token to be recreated, allowing him to bypass the token check and abuse a user to commit changes on his behalf.

Cross-Site Scripting

Some parameters passed to editflagtypes.cgi were not correctly filtered in the HTML page, which could lead to XSS.

Cross-Site Scripting

Due to an incomplete fix for CVE-2012-4189, some incorrectly filtered field values in tabular reports could lead to XSS.

CVE: CVE-2013-1733 (https://bugzilla.mozilla.org/show_bug.cgi?id=911593), CVE-2013-1734 (https://bugzilla.mozilla.org/show_bug.cgi?id=913904), CVE-2013-1742 (https://bugzilla.mozilla.org/show_bug.cgi?id=924802), CVE-2013-1743 (https://bugzilla.mozilla.org/show_bug.cgi?id=924932)
Dates: discovered 2013-10-16; entry 2013-10-17; modified 2014-04-30
dropbear -- exposure of sensitive information, DoS dropbear 2012.552013.59

The Dropbear project reports:

A weakness and a vulnerability have been reported in Dropbear SSH Server, which can be exploited by malicious people to disclose certain sensitive information and cause a DoS.

Other IDs: 62958 62993
CVE: CVE-2013-4421 CVE-2013-4434
References: http://secunia.com/advisories/55173
Dates: discovered 2013-05-08; entry 2013-10-17
mod_fcgid -- possible heap buffer overwrite ap22-mod_fcgid 2.3.9 ap24-mod_fcgid 2.3.9

The Apache project reports:

Fix possible heap buffer overwrite.

CVE: CVE-2013-4365
Dates: discovered 2013-09-29; entry 2013-10-10
gnupg -- possible infinite recursion in the compressed packet parser gnupg 1.4.15 2.0.02.0.22

Werner Koch reports:

Specially crafted input data may be used to cause a denial of service against GPG (GnuPG's OpenPGP part) and some other OpenPGP implementations. All systems using GPG to process incoming data are affected.

CVE: CVE-2013-4402
Dates: discovered 2013-10-05; entry 2013-10-05
xinetd -- ignores user and group directives for TCPMUX services xinetd 2.3.15_1

xinetd would execute configured TCPMUX services without dropping privileges to match the service configuration, allowing the service to run with the same privileges as the xinetd process (root).

CVE: CVE-2013-4342
References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678 https://bugzilla.redhat.com/show_bug.cgi?id=1006100
Dates: discovered 2005-08-23; entry 2013-10-03
polarssl -- Timing attack against protected RSA-CRT implementation polarssl 1.2.9

The PolarSSL project reports:

The researchers Cyril Arnaud and Pierre-Alain Fouque investigated the PolarSSL RSA implementation and discovered a bias in the implementation of the Montgomery multiplication that we used. They then show that it can be used to mount an attack on the RSA key. Although their test attack is done on a local system, there seems to be enough indication that this can properly be performed from a remote system as well.

All versions prior to PolarSSL 1.2.9 and 1.3.0 are affected if a third party can send arbitrary handshake messages to your server.

If correctly executed, this attack reveals the entire private RSA key after a large number of attack messages (> 600.000 on a local machine) are sent to show the timing differences.

CVE: CVE-2013-5915
References: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05 https://polarssl.org/tech-updates/releases/polarssl-1.2.9-released
Dates: discovered 2013-10-01; entry 2013-10-02
py-graphite-web -- Multiple vulnerabilities py26-graphite-web 0.9.50.9.11 py27-graphite-web 0.9.50.9.11 py31-graphite-web 0.9.50.9.11 py32-graphite-web 0.9.50.9.11 py33-graphite-web 0.9.50.9.11

Graphite developers report:

This release contains several security fixes for cross-site scripting (XSS) as well as a fix for a remote-execution exploit in graphite-web (CVE-2013-5903).

CVE: CVE-2013-5093
References: https://github.com/rapid7/metasploit-framework/pull/2260
Dates: discovered 2013-08-21; entry 2013-09-30; modified 2014-04-30
django -- denial-of-service via large passwords py26-django 1.51.5.4 1.41.4.8 py27-django 1.51.5.4 1.41.4.8 py26-django-devel 20130922,1 py27-django-devel 20130922,1

The Django project reports:

These releases address a denial-of-service attack against Django's authentication framework. All users of Django are encouraged to upgrade immediately.

CVE: CVE-2013-1443
References: https://www.djangoproject.com/weblog/2013/sep/15/security/
Dates: discovered 2013-09-15; entry 2013-09-22; modified 2014-04-30
FreeBSD -- Cross-mount links between nullfs(5) mounts FreeBSD 9.19.1_7 8.48.4_4 8.38.3_11

Problem Description:

The nullfs(5) implementation of the VOP_LINK(9) VFS operation does not check whether the source and target of the link are both in the same nullfs instance. It is therefore possible to create a hardlink from a location in one nullfs instance to a file in another, as long as the underlying (source) filesystem is the same.

Impact:

If multiple nullfs views into the same filesystem are mounted in different locations, a user with read access to one of these views and write access to another will be able to create a hard link from the latter to a file in the former, even though they are, from the user's perspective, different filesystems. The user may thereby gain write access to files which are nominally on a read-only filesystem.

CVE: CVE-2013-5710
References: SA-13:13.nullfs
Dates: discovered 2013-09-10; entry 2013-09-19; modified 2016-08-09
FreeBSD -- Insufficient credential checks in network ioctl(2) FreeBSD 9.19.1_7 8.48.4_4 8.38.3_11

Problem Description:

As is commonly the case, the IPv6 and ATM network layer ioctl request handlers are written in such a way that an unrecognized request is passed on unmodified to the link layer, which will either handle it or return an error code.

Network interface drivers, however, assume that the SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been handled at the network layer, and therefore do not perform input validation or verify the caller's credentials. Typical link-layer actions for these requests may include marking the interface as "up" and resetting the underlying hardware.

Impact:

An unprivileged user with the ability to run arbitrary code can cause any network interface in the system to perform the link layer actions associated with a SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR or SIOCSIFNETMASK ioctl request; or trigger a kernel panic by passing a specially crafted address structure which causes a network interface driver to dereference an invalid pointer.

Although this has not been confirmed, the possibility that an attacker may be able to execute arbitrary code in kernel context cannot be ruled out.

CVE: CVE-2013-5691
References: SA-13:12.ifioctl
Dates: discovered 2013-09-10; entry 2013-09-19; modified 2016-08-09
mozilla -- multiple vulnerabilities firefox 18.0,124.0,1 17.0.9,1 linux-firefox 17.0.9,1 linux-seamonkey 2.21 linux-thunderbird 17.0.9 seamonkey 2.21 thunderbird 24.0

The Mozilla Project reports:

MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)

MFSA 2013-77 Improper state in HTML5 Tree Builder with templates

MFSA 2013-78 Integer overflow in ANGLE library

MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning

MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed

MFSA 2013-81 Use-after-free with select element

MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption

MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification

MFSA 2013-84 Same-origin bypass through symbolic links

MFSA 2013-85 Uninitialized data in IonMonkey

MFSA 2013-86 WebGL Information disclosure through OS X NVIDIA graphic drivers

MFSA 2013-87 Shared object library loading from writable location

MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes

MFSA 2013-89 Buffer overflow with multi-column, lists, and floats

MFSA 2013-90 Memory corruption involving scrolling

MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object

MFSA 2013-92 GC hazard with default compartments and frame chain restoration

References: CVE-2013-1718, CVE-2013-1719, CVE-2013-1720, CVE-2013-1721, CVE-2013-1722, CVE-2013-1723, CVE-2013-1724, CVE-2013-1725, CVE-2013-1726, CVE-2013-1727, CVE-2013-1728, CVE-2013-1729, CVE-2013-1730, CVE-2013-1731, CVE-2013-1732, CVE-2013-1735, CVE-2013-1736, CVE-2013-1737, CVE-2013-1738, https://www.mozilla.org/security/announce/2013/mfsa2013-76.html, https://www.mozilla.org/security/announce/2013/mfsa2013-77.html, https://www.mozilla.org/security/announce/2013/mfsa2013-78.html, https://www.mozilla.org/security/announce/2013/mfsa2013-79.html, https://www.mozilla.org/security/announce/2013/mfsa2013-80.html, https://www.mozilla.org/security/announce/2013/mfsa2013-81.html, https://www.mozilla.org/security/announce/2013/mfsa2013-82.html, https://www.mozilla.org/security/announce/2013/mfsa2013-83.html, https://www.mozilla.org/security/announce/2013/mfsa2013-84.html, https://www.mozilla.org/security/announce/2013/mfsa2013-85.html, https://www.mozilla.org/security/announce/2013/mfsa2013-86.html, https://www.mozilla.org/security/announce/2013/mfsa2013-87.html, https://www.mozilla.org/security/announce/2013/mfsa2013-88.html, https://www.mozilla.org/security/announce/2013/mfsa2013-89.html, https://www.mozilla.org/security/announce/2013/mfsa2013-90.html, https://www.mozilla.org/security/announce/2013/mfsa2013-91.html, https://www.mozilla.org/security/announce/2013/mfsa2013-92.html, http://www.mozilla.org/security/known-vulnerabilities/
Discovery: 2013-08-17; Entry: 2013-08-18; Modified: 2013-09-19

linux-flashplugin -- multiple vulnerabilities
Affects: linux-f10-flashplugin < 11.2r202.310

Adobe reports:

These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

References: CVE-2013-3361, CVE-2013-3362, CVE-2013-3363, CVE-2013-5324, http://www.adobe.com/support/security/bulletins/apsb13-21.html
Discovery: 2013-09-10; Entry: 2013-09-13

django -- multiple vulnerabilities
Affects: py26-django >= 1.5 < 1.5.3; py26-django >= 1.4 < 1.4.7; py27-django >= 1.5 < 1.5.3; py27-django >= 1.4 < 1.4.7; py26-django-devel < 20130912,1; py27-django-devel < 20130912,1

The Django project reports:

These releases address a directory-traversal vulnerability in one of Django's built-in template tags. While this issue requires some fairly specific factors to be exploitable, we encourage all users of Django to upgrade promptly.

References: CVE-2013-4315, https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
Discovery: 2013-09-10; Entry: 2013-09-12; Modified: 2014-04-30

subversion -- svnserve is vulnerable to local privilege escalation via symlink attack
Affects: subversion >= 1.4.0 < 1.6.23_2; subversion >= 1.7.0 < 1.7.13; subversion >= 1.8.0 < 1.8.3

Subversion Project reports:

svnserve takes a --pid-file option which creates a file containing the process id it is running as. It does not take steps to ensure that the file it has been directed at is not a symlink. If the pid file is in a directory writeable by unprivileged users, the destination could be replaced by a symlink allowing for privilege escalation. svnserve does not create a pid file by default.

All versions are only vulnerable when the --pid-file=ARG option is used.

References: CVE-2013-4277, http://subversion.apache.org/security/CVE-2013-4277-advisory.txt
Discovery: 2013-08-30; Entry: 2013-09-02

cacti -- allow remote attackers to execute arbitrary SQL commands
Affects: cacti < 0.8.8b

Cacti release reports:

Multiple security vulnerabilities have been fixed:

  • SQL injection vulnerabilities

References: CVE-2013-1434, CVE-2013-1435, http://www.cacti.net/release_notes_0_8_8b.php
Discovery: 2013-08-06; Entry: 2013-08-29

asterisk -- multiple vulnerabilities
Affects: asterisk11 >= 11.* < 11.5.1; asterisk10 >= 10.* < 10.12.3; asterisk18 >= 1.8.* < 1.8.21.1

The Asterisk project reports:

Remote Crash From Late Arriving SIP ACK With SDP

Remote Crash when Invalid SDP is sent in SIP Request

References: CVE-2013-5641, CVE-2013-5642, http://downloads.asterisk.org/pub/security/AST-2013-004.html, http://downloads.asterisk.org/pub/security/AST-2013-005.html, https://www.asterisk.org/security
Discovery: 2013-08-27; Entry: 2013-08-28; Modified: 2013-08-29

gstreamer-ffmpeg -- Multiple vulnerabilities in bundled libav
Affects: gstreamer-ffmpeg < 0.10.13_1

Bundled version of libav in gstreamer-ffmpeg contains a number of vulnerabilities.

References: CVE-2011-3892, CVE-2011-3893, CVE-2011-3895, CVE-2011-3929, CVE-2011-3936, CVE-2011-3937, CVE-2011-3940, CVE-2011-3945, CVE-2011-3947, CVE-2011-3951, CVE-2011-3952, CVE-2011-4031, CVE-2011-4351, CVE-2011-4352, CVE-2011-4353, CVE-2011-4364, CVE-2011-4579, CVE-2012-0848, CVE-2012-0850, CVE-2012-0851, CVE-2012-0852, CVE-2012-0853, CVE-2012-0858, CVE-2012-0947, CVE-2012-2772, CVE-2012-2775, CVE-2012-2777, CVE-2012-2779, CVE-2012-2783, CVE-2012-2784, CVE-2012-2786, CVE-2012-2787, CVE-2012-2788, CVE-2012-2790, CVE-2012-2791, CVE-2012-2793, CVE-2012-2794, CVE-2012-2798, CVE-2012-2800, CVE-2012-2801, CVE-2012-2803, CVE-2012-5144, http://libav.org/releases/libav-0.7.7.changelog
Discovery: 2013-08-20; Entry: 2013-08-20

GnuPG and Libgcrypt -- side-channel attack vulnerability
Affects: libgcrypt < 1.5.3; linux-f10-libgcrypt < 1.5.3

Werner Koch of the GNU project reports:

Noteworthy changes in version 1.5.3:

Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA secret keys...

Note that Libgcrypt is used by GnuPG 2.x and thus this release fixes the above problem. The fix for GnuPG less than 2.0 can be found in the just released GnuPG 1.4.14.

References: CVE-2013-4242, http://eprint.iacr.org/2013/448, http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html, http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html
Discovery: 2013-07-18; Entry: 2013-08-17

puppet -- multiple vulnerabilities
Affects: puppet >= 2.7 < 2.7.23; puppet >= 3.0 < 3.2.4

Puppet Labs reports:

By using the `resource_type` service, an attacker could cause puppet to load arbitrary Ruby files from the puppet master node's file system. While this behavior is not enabled by default, `auth.conf` settings could be modified to allow it. The exploit requires local file system access to the Puppet Master.

Puppet Module Tool (PMT) did not correctly control permissions of modules it installed, instead transferring permissions that existed when the module was built.

References: CVE-2013-4761, CVE-2013-4956, http://puppetlabs.com/security/cve/cve-2013-4761/, http://puppetlabs.com/security/cve/cve-2013-4956/
Discovery: 2013-07-05; Entry: 2013-08-16

lcms2 -- Null Pointer Dereference Denial of Service Vulnerability
Affects: lcms2 < 2.5

Mageia security team reports:

It was discovered that Little CMS did not properly verify certain memory allocations. If a user or automated system using Little CMS were tricked into opening a specially crafted file, an attacker could cause Little CMS to crash (CVE-2013-4160).

References: CVE-2013-4160, http://advisories.mageia.org/MGASA-2013-0240.html, https://bugs.mageia.org/show_bug.cgi?id=10816
Discovery: 2013-07-22; Entry: 2013-08-15; Modified: 2013-08-19

polarssl -- denial of service vulnerability
Affects: polarssl < 1.2.8

Paul Bakker reports:

A bug in the logic of the parsing of PEM encoded certificates in x509parse_crt() can result in an infinite loop, thus hogging processing power.

While parsing a Certificate message during the SSL/TLS handshake, PolarSSL extracts the presented certificates and sends them on to be parsed. As the RFC specifies that the certificates in the Certificate message are always X.509 certificates in DER format, bugs in the decoding of PEM certificates should normally not be triggerable via the SSL/TLS handshake.

Versions of PolarSSL prior to 1.1.7 in the 1.1 branch and prior to 1.2.8 in the 1.2 branch call the generic x509parse_crt() function for parsing during the handshake. x509parse_crt() is a generic function that wraps parsing of both PEM-encoded and DER-formatted certificates. As a result it is possible to craft a Certificate message that includes a PEM encoded certificate in the Certificate message that triggers the infinite loop.

References: CVE-2013-4623, https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03
Discovery: 2013-06-21; Entry: 2013-08-13; Modified: 2013-08-15

samba -- denial of service vulnerability
Affects: samba34 > 0; samba35 > 0; samba36 >= 3.6.* < 3.6.17; samba4 >= 4.0.* < 4.0.8

The Samba project reports:

All current released versions of Samba are vulnerable to a denial of service on an authenticated or guest connection. A malformed packet can cause the smbd server to loop the CPU performing memory allocations and preventing any further service.

A connection to a file share, or a local account is needed to exploit this problem, either authenticated or unauthenticated if guest connections are allowed.

References: CVE-2013-4124, http://www.samba.org/samba/security/CVE-2013-4124
Discovery: 2013-08-05; Entry: 2013-08-09; Modified: 2013-08-09

mozilla -- multiple vulnerabilities
Affects: firefox >= 18.0,1 < 23.0,1; firefox < 17.0.8,1; linux-firefox < 17.0.8,1; linux-seamonkey < 2.20; linux-thunderbird < 17.0.8; seamonkey < 2.20; thunderbird >= 11.0 < 17.0.8

The Mozilla Project reports:

MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

MFSA 2013-64 Use after free mutating DOM during SetBody

MFSA 2013-65 Buffer underflow when generating CRMF requests

MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater

MFSA 2013-67 Crash during WAV audio file decoding

MFSA 2013-68 Document URI misrepresentation and masquerading

MFSA 2013-69 CRMF requests allow for code execution and XSS attacks

MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes

MFSA 2013-71 Further Privilege escalation through Mozilla Updater

MFSA 2013-72 Wrong principal used for validating URI for some Javascript components

MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest

MFSA 2013-74 Firefox full and stub installer DLL hijacking

MFSA 2013-75 Local Java applets may read contents of local file system

References: CVE-2013-1701, CVE-2013-1702, CVE-2013-1704, CVE-2013-1705, CVE-2013-1706, CVE-2013-1707, CVE-2013-1708, CVE-2013-1709, CVE-2013-1710, CVE-2013-1711, CVE-2013-1712, CVE-2013-1713, CVE-2013-1714, CVE-2013-1715, CVE-2013-1717, https://www.mozilla.org/security/announce/2013/mfsa2013-63.html, https://www.mozilla.org/security/announce/2013/mfsa2013-64.html, https://www.mozilla.org/security/announce/2013/mfsa2013-65.html, https://www.mozilla.org/security/announce/2013/mfsa2013-66.html, https://www.mozilla.org/security/announce/2013/mfsa2013-67.html, https://www.mozilla.org/security/announce/2013/mfsa2013-68.html, https://www.mozilla.org/security/announce/2013/mfsa2013-69.html, https://www.mozilla.org/security/announce/2013/mfsa2013-70.html, https://www.mozilla.org/security/announce/2013/mfsa2013-71.html, https://www.mozilla.org/security/announce/2013/mfsa2013-72.html, http://www.mozilla.org/security/known-vulnerabilities/
Discovery: 2013-08-06; Entry: 2013-08-08

PuTTY -- Four security holes in versions before 0.63
Affects: putty < 0.63

Simon Tatham reports:

This [0.63] release fixes multiple security holes in previous versions of PuTTY, which can allow an SSH-2 server to make PuTTY overrun or underrun buffers and crash. [...]

These vulnerabilities can be triggered before host key verification, which means that you are not even safe if you trust the server you think you're connecting to, since it could be spoofed over the network and the host key check would not detect this before the attack could take place.

Additionally, when PuTTY authenticated with a user's private key, the private key or information equivalent to it was accidentally kept in PuTTY's memory for the rest of its run, where it could be retrieved by other processes reading PuTTY's memory, or written out to swap files or crash dumps. This release fixes that as well.

References: CVE-2013-4206, CVE-2013-4207, CVE-2013-4208, CVE-2013-4852, http://lists.tartarus.org/pipermail/putty-announce/2013/000018.html, http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html, http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html, http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html, http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-signature-stringlen.html
Discovery: 2013-07-08; Entry: 2013-08-07

typo3 -- Multiple vulnerabilities in TYPO3 Core
Affects: typo3 >= 4.5.0 < 4.5.29; typo3 >= 4.7.0 < 4.7.14; typo3 >= 6.1.0 < 6.1.3

TYPO3 Security Team reports:

It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting and Remote Code Execution.

TYPO3 bundles flash files for video and audio playback. Old versions of FlowPlayer and flashmedia are susceptible to Cross-Site Scripting. No authentication is required to exploit this vulnerability.

The file upload component and the File Abstraction Layer are failing to check for denied file extensions, which allows authenticated editors (even with limited permissions) to upload php files with arbitrary code, which can then be executed in the web server's context.

References: CVE-2011-3642, CVE-2013-1464
Discovery: 2013-07-30; Entry: 2013-08-05

phpMyAdmin -- clickJacking protection can be bypassed
Affects: phpMyAdmin < 4.0.5

The phpMyAdmin development team reports:

phpMyAdmin has a number of mechanisms to avoid a clickjacking attack, however these mechanisms either work only in modern browser versions, or can be bypassed.

"We have no solution for 3.5.x, due to the proposed solution requiring JavaScript. We don't want to introduce a dependency to JavaScript in the 3.5.x family."

References: http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php
Discovery: 2013-08-04; Entry: 2013-08-04

phpMyAdmin -- multiple vulnerabilities
Affects: phpMyAdmin >= 4.0 < 4.0.4.2; phpMyAdmin35 >= 3.5 < 3.5.8.2

The phpMyAdmin development team reports:

XSS due to unescaped HTML Output when executing a SQL query.

5 XSS vulnerabilities in setup, chart display, process list, and logo link.

If a crafted version.json would be presented, an XSS could be introduced.

Full path disclosure vulnerabilities.

XSS vulnerability when a text to link transformation is used.

Self-XSS due to unescaped HTML output in schema export.

SQL injection vulnerabilities, producing a privilege escalation (control user).

References: http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php, http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php, http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php, http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php, http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php, http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php, http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php, http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.5.8.2/phpMyAdmin-3.5.8.2-notes.html/view, http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.4.2/phpMyAdmin-4.0.4.2-notes.html/view
Discovery: 2013-07-28; Entry: 2013-07-28; Modified: 2013-07-29

wordpress -- multiple vulnerabilities
Affects: wordpress < 3.5.2,1; zh-wordpress-zh_CN < 3.5.2; zh-wordpress-zh_TW < 3.5.2; de-wordpress < 3.5.2; ja-wordpress < 3.5.2; ru-wordpress < 3.5.2

The wordpress development team reports:

  • Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site
  • Disallow contributors from improperly publishing posts
  • An update to the SWFUpload external library to fix cross-site scripting vulnerabilities
  • Prevention of a denial of service attack, affecting sites using password-protected posts
  • An update to an external TinyMCE library to fix a cross-site scripting vulnerability
  • Multiple fixes for cross-site scripting
  • Avoid disclosing a full file path when an upload fails

References: CVE-2013-2199, CVE-2013-2200, CVE-2013-2201, CVE-2013-2202, CVE-2013-2203, CVE-2013-2204, CVE-2013-2205, https://wordpress.org/news/2013/06/wordpress-3-5-2/
Discovery: 2013-06-21; Entry: 2013-07-27; Modified: 2014-04-30

bind -- denial of service vulnerability
Affects: bind99 >= 9.9.3 < 9.9.3.2; bind99-base >= 9.9.3 < 9.9.3.2; bind98 >= 9.8.5 < 9.8.5.2; bind98-base >= 9.8.5 < 9.8.5.2; FreeBSD >= 9.0 < 9.1_5; FreeBSD >= 8.4 < 8.4_2

ISC reports:

A specially crafted query that includes malformed rdata can cause named to terminate with an assertion failure while rejecting the malformed query.

References: CVE-2013-4854, SA-13:07.bind, https://kb.isc.org/article/AA-01015/0
Discovery: 2013-07-26; Entry: 2013-07-26; Modified: 2016-08-09

gnupg -- side channel attack on RSA secret keys
Affects: gnupg < 1.4.14

A Yarom and Falkner paper reports:

Flush+Reload is a cache side-channel attack that monitors access to data in shared pages. In this paper we demonstrate how to use the attack to extract private encryption keys from GnuPG. The high resolution and low noise of the Flush+Reload attack enables a spy program to recover over 98% of the bits of the private key in a single decryption or signing round. Unlike previous attacks, the attack targets the last level L3 cache. Consequently, the spy program and the victim do not need to share the execution core of the CPU. The attack is not limited to a traditional OS and can be used in a virtualised environment, where it can attack programs executing in a different VM.

References: http://eprint.iacr.org/2013/448, http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html
Discovery: 2013-07-18; Entry: 2013-07-25; Modified: 2013-07-26

openafs -- single-DES cell-wide key brute force vulnerability
Affects: openafs < 1.6.5

OpenAFS Project reports:

The small size of the DES key space permits an attacker to brute force a cell's service key and then forge traffic from any user within the cell. The key space search can be performed in under 1 day at a cost of around $100 using publicly available services.

References: CVE-2013-4134, http://openafs.org/pages/security/OPENAFS-SA-2013-003.txt, http://openafs.org/pages/security/how-to-rekey.txt, http://openafs.org/pages/security/install-rxkad-k5-1.6.txt
Discovery: 2013-07-24; Entry: 2013-07-25

subversion -- remotely triggerable "Assertion failed" DoS vulnerability or read overflow
Affects: subversion >= 1.8.0 < 1.8.1; subversion >= 1.7.0 < 1.7.11

Subversion Project reports:

Subversion's mod_dav_svn Apache HTTPD server module will trigger an assertion on some requests made against a revision root. This can lead to a DoS. If assertions are disabled it will trigger a read overflow which may cause a SEGFAULT (or equivalent) or undefined behavior.

Commit access is required to exploit this.

References: CVE-2013-4131, http://subversion.apache.org/security/CVE-2013-4131-advisory.txt
Discovery: 2013-07-19; Entry: 2013-07-24; Modified: 2013-07-25

suPHP -- Privilege escalation
Affects: suphp < 0.7.2

suPHP developer Sebastian Marsching reports:

When the suPHP_PHPPath was set, mod_suphp would use the specified PHP executable to pretty-print PHP source files (MIME type x-httpd-php-source or application/x-httpd-php-source).

However, it would not sanitize the environment. Thus a user that was allowed to use the SetEnv directive in a .htaccess file (AllowOverride FileInfo) could make PHP load a malicious configuration file (e.g. loading malicious extensions).

As the PHP process for highlighting the source file was run with the privileges of the user Apache HTTPd was running as, a local attacker could probably execute arbitrary code with the privileges of this user.

References: https://lists.marsching.com/pipermail/suphp/2013-May/002552.html
Discovery: 2013-05-20; Entry: 2013-07-22

apache24 -- several vulnerabilities
Affects: apache24 < 2.4.6

Apache HTTP Server Project reports:

mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.

mod_session_dbd: Make sure that dirty flag is respected when saving sessions, and ensure the session ID is changed each time the session changes. This changes the format of the updatesession SQL statement. Existing configurations must be changed.

References: CVE-2013-1896, CVE-2013-2249, http://www.apache.org/dist/httpd/Announcement2.4.html
Discovery: 2013-07-11; Entry: 2013-07-20; Modified: 2013-07-21

gallery -- multiple vulnerabilities
Affects: gallery3 < 3.0.9

Red Hat Security Response Team reports:

Gallery upstream has released 3.0.9 version, correcting two security flaws:

Issue #1 - Improper stripping of URL fragments in flowplayer SWF file might lead to reply attacks (a different flaw than CVE-2013-2138).

Issue #2 - gallery3: Multiple information exposure flaws in data rest core module.

References: CVE-2013-2240, CVE-2013-2241, http://sourceforge.net/apps/trac/gallery/ticket/2073, https://bugzilla.redhat.com/show_bug.cgi?id=981197, http://sourceforge.net/apps/trac/gallery/ticket/2074, https://bugzilla.redhat.com/show_bug.cgi?id=981198, http://galleryproject.org/gallery_3_0_9
Discovery: 2013-06-28; Entry: 2013-07-17

PHP5 -- Heap corruption in XML parser
Affects: php53 < 5.3.27

The PHP development team reports:

ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function.

References: CVE-2013-4113, https://bugs.php.net/bug.php?id=65236
Discovery: 2013-07-10; Entry: 2013-07-16

PHP5 -- Integer overflow in Calendar module
Affects: php5 >= 5.4.0 < 5.4.16; php53 < 5.3.26

The PHP development team reports:

Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function.

References: CVE-2013-4635, https://bugs.php.net/bug.php?id=64895
Discovery: 2013-05-22; Entry: 2013-07-16

linux-flashplugin -- multiple vulnerabilities
Affects: linux-f10-flashplugin < 11.2r202.297

Adobe reports:

These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

References: CVE-2013-3344, CVE-2013-3345, CVE-2013-3347, http://www.adobe.com/support/security/bulletins/apsb13-17.html
Discovery: 2013-07-09; Entry: 2013-07-15; Modified: 2013-07-18

squid -- denial of service
Affects: squid >= 3.2 < 3.2.12; squid >= 3.3 < 3.3.8

Squid project reports:

Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted HTTP requests.

This problem allows any client who can generate HTTP requests to perform a denial of service attack on the Squid service.

References: CVE-2013-4123, http://www.squid-cache.org/Advisories/SQUID-2013_3.txt
Discovery: 2013-07-13; Entry: 2013-07-15

libzrtpcpp -- multiple security vulnerabilities
Affects: libzrtpcpp < 2.3.4

Mark Dowd reports:

Vulnerability 1. Remote Heap Overflow: If an attacker sends a packet larger than 1024 bytes that gets stored temporarily (which occurs many times - such as when sending a ZRTP Hello packet), a heap overflow will occur, leading to potential arbitrary code execution on the vulnerable host.

Vulnerability 2. Multiple Stack Overflows: ZRTPCPP contains multiple stack overflows that arise when preparing a response to a client's ZRTP Hello packet.

Vulnerability 3. Information Leaking / Out of Bounds Reads: The ZRTPCPP library performs very little validation regarding the expected size of a packet versus the actual amount of data received. This can lead to both information leaking and out of bounds data reads (usually resulting in a crash). Information leaking can be performed for example by sending a malformed ZRTP Ping packet.

References: CVE-2013-2221, CVE-2013-2222, CVE-2013-2223
Discovery: 2013-06-27; Entry: 2013-07-11

ruby -- Hostname check bypassing vulnerability in SSL client
Affects: ruby19 < 1.9.3.448,1; ruby18 < 1.8.7.374,1

Ruby Developers report:

Ruby's SSL client implements hostname identity check but it does not properly handle hostnames in the certificate that contain null bytes.

References: CVE-2013-4073, http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
Discovery: 2013-06-27; Entry: 2013-07-11; Modified: 2013-09-24

otrs -- SQL Injection + XSS Issue
Affects: otrs < 3.2.9

The OTRS Project reports:

An attacker with a valid agent login could manipulate URLs leading to SQL injection. An attacker with a valid agent login could manipulate URLs in the ITSM ConfigItem search, leading to a JavaScript code injection (XSS) problem.

References: CVE-2013-4717, CVE-2013-4718, http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-05/
Discovery: 2013-07-09; Entry: 2013-07-11

apache22 -- several vulnerabilities
Affects: apache22 >= 2.2.0 < 2.2.25; apache22-event-mpm >= 2.2.0 < 2.2.25; apache22-itk-mpm >= 2.2.0 < 2.2.25; apache22-peruser-mpm >= 2.2.0 < 2.2.25; apache22-worker-mpm >= 2.2.0 < 2.2.25

Apache HTTP Server Project reports:

The mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator.

mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.

References: CVE-2013-1862, CVE-2013-1896
Discovery: 2013-06-21; Entry: 2013-07-05; Modified: 2013-07-10

phpMyAdmin -- Global variable scope injection
Affects: phpMyAdmin >= 4.0 < 4.0.4.1

The phpMyAdmin development team reports:

The import.php script was vulnerable to GLOBALS variable injection. Therefore, an attacker could manipulate any configuration parameter.

This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.

References: http://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php, CVE-2013-4729
Discovery: 2013-06-30; Entry: 2013-06-30

apache-xml-security-c -- heap overflow during XPointer evaluation
Affects: apache-xml-security-c < 1.7.2

The Apache Software Foundation reports:

The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code.

References: CVE-2013-2210, http://santuario.apache.org/secadv.data/CVE-2013-2210.txt
Discovery: 2013-06-27; Entry: 2013-06-28

mozilla -- multiple vulnerabilities
Affects: firefox >= 18.0,1 < 22.0,1; firefox < 17.0.7,1; linux-firefox < 17.0.7,1; linux-seamonkey < 2.19; linux-thunderbird < 17.0.7; seamonkey < 2.19; thunderbird >= 11.0 < 17.0.7

The Mozilla Project reports:

Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)

Memory corruption found using Address Sanitizer

Privileged content access and execution via XBL

Arbitrary code execution within Profiler

Execution of unmapped memory through onreadystatechange

Data in the body of XHR HEAD requests leads to CSRF attacks

SVG filters can lead to information disclosure

PreserveWrapper has inconsistent behavior

Sandbox restrictions not applied to nested frame elements

X-Frame-Options ignored when using server push with multi-part responses

XrayWrappers can be bypassed to run user defined methods in a privileged context

getUserMedia permission dialog incorrectly displays location

Homograph domain spoofing in .com, .net and .name

Inaccessible updater can lead to local privilege escalation

References: CVE-2013-1682, CVE-2013-1683, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1688, CVE-2013-1690, CVE-2013-1692, CVE-2013-1693, CVE-2013-1694, CVE-2013-1695, CVE-2013-1696, CVE-2013-1697, CVE-2013-1698, CVE-2013-1699, CVE-2013-1700, http://www.mozilla.org/security/announce/2013/mfsa2013-49.html, http://www.mozilla.org/security/announce/2013/mfsa2013-50.html, http://www.mozilla.org/security/announce/2013/mfsa2013-51.html, http://www.mozilla.org/security/announce/2013/mfsa2013-52.html, http://www.mozilla.org/security/announce/2013/mfsa2013-53.html, http://www.mozilla.org/security/announce/2013/mfsa2013-54.html, http://www.mozilla.org/security/announce/2013/mfsa2013-55.html, http://www.mozilla.org/security/announce/2013/mfsa2013-56.html, http://www.mozilla.org/security/announce/2013/mfsa2013-57.html, http://www.mozilla.org/security/announce/2013/mfsa2013-58.html, http://www.mozilla.org/security/announce/2013/mfsa2013-59.html, http://www.mozilla.org/security/announce/2013/mfsa2013-60.html, http://www.mozilla.org/security/announce/2013/mfsa2013-61.html, http://www.mozilla.org/security/announce/2013/mfsa2013-62.html, http://www.mozilla.org/security/known-vulnerabilities/
Discovery: 2013-06-25; Entry: 2013-06-26

cURL library -- heap corruption in curl_easy_unescape
Affects: curl >= 7.7 < 7.24.0_4

cURL developers report:

libcurl is vulnerable to a case of bad checking of the input data which may lead to heap corruption.

The function curl_easy_unescape() decodes URL-encoded strings to raw binary data. URL-encoded octets are represented with %HH combinations where HH is a two-digit hexadecimal number. The decoded string is written to an allocated memory area that the function returns to the caller.

The function takes a source string and a length parameter, and if the length provided is 0 the function will instead use strlen() to figure out how much data to parse.

The "%HH" parser wrongly only considered the case where a zero byte would terminate the input. If a length-limited buffer was passed in which ended with a '%' character which was followed by two hexadecimal digits outside of the buffer libcurl was allowed to parse alas without a terminating zero, libcurl would still parse that sequence as well. The counter for remaining data to handle would then be decreased too much and wrap to become a very large integer and the copying would go on too long and the destination buffer that is allocated on the heap would get overwritten.

We consider it unlikely that programs allow user-provided strings unfiltered into this function. Also, only the not zero-terminated input string use case is affected by this flaw. Exploiting this flaw for gain is probably possible for specific circumstances but we consider the general risk for this to be low.

The curl command line tool is not affected by this problem as it doesn't use this function.

There are no known exploits available at this time.

References: CVE-2013-2174, http://curl.haxx.se/docs/adv_20130622.html
Discovery: 2013-06-22; Entry: 2013-06-23; Modified: 2013-07-01

puppet -- Unauthenticated Remote Code Execution Vulnerability
Affects: puppet >= 2.7 < 2.7.22; puppet >= 3.0 < 3.2.2

Puppet Developers report:

When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload.

References: CVE-2013-3567
Discovery: 2013-06-13; Entry: 2013-06-22; Modified: 2013-08-01

otrs -- information disclosure
Affects: otrs < 3.2.8

The OTRS Project reports:

An attacker with a valid agent login could manipulate URLs in the ticket watch mechanism to see contents of tickets they are not permitted to see.

References: CVE-2013-4088, http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-04/
Discovery: 2013-06-18; Entry: 2013-06-19

FreeBSD -- Privilege escalation via mmap
Affects: FreeBSD >= 9.0 < 9.1_4

Due to insufficient permission checks in the virtual memory system, a tracing process (such as a debugger) may be able to modify portions of the traced process's address space to which the traced process itself does not have write access.

References: CVE-2013-2171, SA-13:06.mmap
Discovery: 2013-06-18; Entry: 2013-06-18; Modified: 2016-08-09

apache-xml-security-c -- heap overflow
Affects: apache-xml-security-c < 1.7.1

The Apache Software Foundation reports:

A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution. If verification of the signature occurs prior to actual evaluation of a signing key, this could be exploited by an unauthenticated attacker.

References: CVE-2013-2156, http://santuario.apache.org/secadv.data/CVE-2013-2156.txt
Discovery: 2013-06-18; Entry: 2013-06-18

tor -- guard discovery
Affects: tor-devel < 0.2.4.13.a_1

The Tor Project reports:

Disable middle relay queue overfill detection code due to possible guard discovery attack

References: https://trac.torproject.org/projects/tor/ticket/9072
Discovery: 2013-06-15; Entry: 2013-06-16

dbus -- local dos
Affects: dbus < 1.6.12

Simon McVittie reports:

Alexandru Cornea discovered a vulnerability in libdbus caused by an implementation bug in _dbus_printf_string_upper_bound(). This vulnerability can be exploited by a local user to crash system services that use libdbus, causing denial of service. It is platform-specific: x86-64 Linux is known to be affected.

References: CVE-2013-2168, http://lists.freedesktop.org/archives/dbus/2013-June/015696.html
Discovery: 2013-06-13; Entry: 2013-06-13

linux-flashplugin -- multiple vulnerabilities
Affects: linux-f10-flashplugin < 11.2r202.291

Adobe reports:

These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

References: CVE-2013-3343
Discovery: 2013-06-11; Entry: 2013-06-14; Modified: 2013-06-18

owncloud -- Multiple security vulnerabilities
Affects: owncloud < 5.0.7

The ownCloud development team reports:

oC-SA-2013-019 / CVE-2013-2045: Multiple SQL Injections. Credit to Mateusz Goik (aliantsoft.pl).

oC-SA-2013-020 / CVE-2013-[2039,2085]: Multiple directory traversals. Credit to Mateusz Goik (aliantsoft.pl).

oC-SQ-2013-021 / CVE-2013-[2040-2042]: Multiple XSS vulnerabilities. Credit to Mateusz Goik (aliantsoft.pl) and Kacper R. (http://devilteam.pl).

oC-SA-2013-022 / CVE-2013-2044: Open redirector. Credit to Mateusz Goik (aliantsoft.pl).

oC-SA-2013-023 / CVE-2013-2047: Password autocompletion.

oC-SA-2013-024 / CVE-2013-2043: Privilege escalation in the calendar application. Credit to Mateusz Goik (aliantsoft.pl).

oC-SA-2013-025 / CVE-2013-2048: Privilege escalation and CSRF in the API.

oC-SA-2013-026 / CVE-2013-2089: Incomplete blacklist vulnerability.

oC-SA-2013-027 / CVE-2013-2086: CSRF token leakage.

oC-SA-2013-028 / CVE-2013-[2149-2150]: Multiple XSS vulnerabilities.

http://owncloud.org/about/security/advisories/oC-SA-2013-019/ http://owncloud.org/about/security/advisories/oC-SA-2013-020/ http://owncloud.org/about/security/advisories/oC-SA-2013-021/ http://owncloud.org/about/security/advisories/oC-SA-2013-022/ http://owncloud.org/about/security/advisories/oC-SA-2013-023/ http://owncloud.org/about/security/advisories/oC-SA-2013-024/ http://owncloud.org/about/security/advisories/oC-SA-2013-025/ http://owncloud.org/about/security/advisories/oC-SA-2013-026/ http://owncloud.org/about/security/advisories/oC-SA-2013-027/ http://owncloud.org/about/security/advisories/oC-SA-2013-028/ CVE-2013-2039 CVE-2013-2040 CVE-2013-2041 CVE-2013-2042 CVE-2013-2043 CVE-2013-2044 CVE-2013-2045 CVE-2013-2047 CVE-2013-2048 CVE-2013-2085 CVE-2013-2086 CVE-2013-2089 CVE-2013-2149 CVE-2013-2150 2013-05-14 2013-06-11
php5 -- Heap based buffer overflow in quoted_printable_encode php5 5.4.16 php53 5.3.26

The PHP development team reports:

A heap-based buffer overflow flaw was found in the php quoted_printable_encode() function. A remote attacker could use this flaw to cause php to crash or execute arbitrary code with the permission of the user running php.

CVE-2013-2110 https://bugzilla.redhat.com/show_bug.cgi?id=964969 2013-06-06 2013-06-07
dns/bind9* -- A recursive resolver can be crashed by a query for a malformed zone bind99 9.9.39.9.3.1 bind99-base 9.9.39.9.3.1 bind98 9.8.59.8.5.1 bind98-base 9.8.59.8.5.1 bind96 9.6.3.1.ESV.R99.6.3.2.ESV.R9 bind96-base 9.6.3.1.ESV.R99.6.3.2.ESV.R9

ISC reports:

A bug has been discovered in the most recent releases of BIND 9 which has the potential for deliberate exploitation as a denial-of-service attack. By sending a recursive resolver a query for a record in a specially malformed zone, an attacker can cause BIND 9 to exit with a fatal "RUNTIME_CHECK" error in resolver.c.

CVE-2013-3919 2013-06-04 2013-06-06 2013-06-07
phpMyAdmin -- XSS due to unescaped HTML output in Create View page phpMyAdmin 4.04.0.3

The phpMyAdmin development team reports:

When creating a view with a crafted name and an incorrect CREATE statement, it is possible to trigger an XSS.

This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.

http://www.phpmyadmin.net/home_page/security/PMASA-2013-6.php CVE-2013-3742 2013-06-05 2013-06-05
telepathy-gabble -- TLS verification bypass telepathy-gabble 0.16.6

Simon McVittie reports:

This release fixes a man-in-the-middle attack.

If you use an unencrypted connection to a "legacy Jabber" (pre-XMPP) server, this version of Gabble will not connect until you make one of these configuration changes:

. upgrade the server software to something that supports XMPP 1.0; or

. use an encrypted "old SSL" connection, typically on port 5223 (old-ssl); or

. turn off "Encryption required (TLS/SSL)" (require-encryption).

CVE-2013-1431 http://lists.freedesktop.org/archives/telepathy/2013-May/006449.html 2013-05-27 2013-06-05
xorg -- protocol handling issues in X Window System client libraries libX11 1.6.0 libXext 1.3.2 libXfixes 5.0.1 libXi 1.7_1 libXinerama 1.1.3 libXp 1.0.2 libXrandr 1.4.1 libXrender 0.9.7_1 libXres 1.0.7 libXtst 1.2.2 libXv 1.0.8 libXvMC 1.0.7_1 libXxf86dga 1.1.4 libdmx 1.1.3 libxcb 1.9.1 libGL 7.6.1_4 7.8.08.0.5_4 xf86-video-openchrome 0.3.3 libFS 1.0.5 libXxf86vm 1.1.3 libXt 1.1.4 libXcursor 1.1.14

freedesktop.org reports:

Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Org's security team to analyze, confirm, and fix these issues.

Most of these issues stem from the client libraries trusting the server to send correct protocol data, and not verifying that the values will not overflow or cause other damage. Most of the time X clients & servers are run by the same user, with the server more privileged from the clients, so this is not a problem, but there are scenarios in which a privileged client can be connected to an unprivileged server, for instance, connecting a setuid X client (such as a screen lock program) to a virtual X server (such as Xvfb or Xephyr) which the user has modified to return invalid data, potentially allowing the user to escalate their privileges.

The vulnerabilities include:

Integer overflows calculating memory needs for replies.

Sign extension issues calculating memory needs for replies.

Buffer overflows due to not validating length or offset values in replies.

Integer overflows parsing user-specified files.

Unbounded recursion parsing user-specified files.

Memory corruption due to unchecked return values.

CVE-2013-1981 CVE-2013-1982 CVE-2013-1983 CVE-2013-1984 CVE-2013-1985 CVE-2013-1986 CVE-2013-1987 CVE-2013-1988 CVE-2013-1989 CVE-2013-1990 CVE-2013-1991 CVE-2013-1992 CVE-2013-1993 CVE-2013-1994 CVE-2013-1995 CVE-2013-1996 CVE-2013-1997 CVE-2013-1998 CVE-2013-1999 CVE-2013-2000 CVE-2013-2001 CVE-2013-2002 CVE-2013-2003 CVE-2013-2004 CVE-2013-2005 CVE-2013-2062 CVE-2013-2063 CVE-2013-2064 CVE-2013-2066 2013-05-23 2013-06-04
krb5 -- UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443] krb5 1.11.2

No advisory has been released yet.

schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103. [CVE-2002-2443].

CVE-2002-2443 http://web.mit.edu/kerberos/www/krb5-1.11/ 2013-05-10 2013-06-03
net/openafs -- buffer overflow openafs 1.6.2.*

Nickolai Zeldovich reports:

An attacker with the ability to manipulate AFS directory ACLs may crash the fileserver hosting that volume. In addition, once a corrupt ACL is placed on a fileserver, its existence may crash client utilities manipulating ACLs on that server.

http://www.openafs.org/pages/security/OPENAFS-SA-2013-001.txt CVE-2013-1794 2013-02-27 2013-06-03
www/mod_security -- NULL pointer dereference DoS mod_security 2.7.3

SecurityFocus reports:

When ModSecurity receives a request body with a size bigger than the value set by the "SecRequestBodyInMemoryLimit" and with a "Content-Type" that has no request body processor mapped to it, ModSecurity will systematically crash on every call to "forceRequestBodyVariable".

CVE-2013-2765 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765 2013-05-27 2013-06-03
passenger -- security vulnerability rubygem-passenger 4.0.5

Phusion reports:

A denial of service and arbitrary code execution by hijacking temp files. [CVE-2013-2119]

CVE-2013-2119 http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/ 2013-05-29 2013-06-01
devel/subversion -- svnserve remotely triggerable DoS subversion 1.7.01.7.10 1.0.01.6.23

Subversion team reports:

Subversion's svnserve server process may exit when an incoming TCP connection is closed early in the connection process.

CVE-2013-2112 2013-05-31 2013-05-31
devel/subversion -- contrib hook-scripts can allow arbitrary code execution subversion 1.7.01.7.10 1.2.01.6.23

Subversion team reports:

The script contrib/hook-scripts/check-mime-type.pl does not escape argv arguments to 'svnlook' that start with a hyphen. This could be used to cause 'svnlook', and hence check-mime-type.pl, to error out.

The script contrib/hook-scripts/svn-keyword-check.pl parses filenames from the output of 'svnlook changed' and passes them to a further shell command (equivalent to the 'system()' call of the C standard library) without escaping them. This could be used to run arbitrary shell commands in the context of the user whom the pre-commit script runs as (the user who owns the repository).

CVE-2013-2088 2013-05-31 2013-05-31
devel/subversion -- fsfs repositories can be corrupted by newline characters in filenames subversion 1.7.01.7.10 1.1.01.6.23

Subversion team reports:

If a filename which contains a newline character (ASCII 0x0a) is committed to a repository using the FSFS format, the resulting revision is corrupt.

CVE-2013-1968 2013-05-31 2013-05-31
irc/bitchx -- multiple vulnerabilities BitchX 1.2.*,1

bannedit reports:

Stack-based buffer overflow in BitchX 1.1 Final allows remote IRC servers to execute arbitrary code via a long string in a MODE command, related to the p_mode variable.

Nico Golde reports:

There is a security issue in ircii-pana in bitchx' hostname command. The e_hostname function (commands.c) uses tmpnam to create a temporary file which is known to be insecure.

Chris reports:

Chris has reported a vulnerability in the Cypress script for BitchX, which can be exploited by malicious people to disclose potentially sensitive information or to compromise a vulnerable system.

The vulnerability is caused due to malicious code being present in the modules/mdop.m file. This can be exploited to disclose the content of various system files or to execute arbitrary shell commands.

Successful exploitation allows execution of arbitrary code, but requires the control of the "lsyn.webhop.net" domain.

CVE-2007-4584 CVE-2007-5839 CVE-2007-5922 2007-08-28 2013-05-31
znc -- null pointer dereference in webadmin module znc 1.0_1

No advisory has been released yet.

Fix NULL pointer dereference in webadmin.

https://github.com/znc/znc/commit/2bd410ee5570cea127233f1133ea22f25174eb28 2013-05-27 2013-05-28
socat -- FD leak socat 1.7.2.2

Gerhard Rieger reports:

Under certain circumstances an FD leak occurs and can be misused for denial of service attacks against socat running in server mode.

CVE-2013-3571 http://seclists.org/oss-sec/2013/q2/411 2013-05-26 2013-05-26
ruby -- Object taint bypassing in DL and Fiddle in Ruby ruby19 1.9.3.429,1

Ruby Developers report:

There is a vulnerability in DL and Fiddle in Ruby where tainted strings can be used by system calls regardless of the $SAFE level set in Ruby.

Native functions exposed to Ruby with DL or Fiddle do not check the taint values set on the objects passed in. This can result in tainted objects being accepted as input when a SecurityError exception should be raised.

CVE-2013-2065 http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/ 2013-05-14 2013-05-26
couchdb -- DOM based Cross-Site Scripting via Futon UI couchdb 1.2.1,1

Jan Lehnardt reports:

Query parameters passed into the browser-based test suite are not sanitised, and can be used to load external resources. An attacker may execute JavaScript code in the browser, using the context of the remote user.

CVE-2012-5650 http://mail-archives.apache.org/mod_mbox/couchdb-user/201301.mbox/%3C2FFF2FD7-8EAF-4EBF-AFDA-5AEB6EAC853F@apache.org%3E 2012-01-14 2013-05-26
otrs -- information disclosure otrs 3.2.7

The OTRS Project reports:

An attacker with a valid agent login could manipulate URLs in the ticket split mechanism to see contents of tickets that they are not permitted to see.

CVE-2013-3551 http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-03/ 2013-05-22 2013-05-23
otrs -- XSS vulnerability otrs 3.1.8

The OTRS Project reports:

An attacker with permission to write changes, workorder items or FAQ articles could inject JavaScript code into the articles which would be executed by the browser of other users reading the article.

CVE-2013-2637 http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-02/ 2013-04-02 2013-05-23
RT -- multiple vulnerabilities rt38 3.83.8.17 rt40 4.04.0.13

Thomas Sibley reports:

We discovered a number of security vulnerabilities which affect both RT 3.8.x and RT 4.0.x. We are releasing RT versions 3.8.17 and 4.0.13 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.17, 4.0.13, and the below patches include the following:

RT 4.0.0 and above are vulnerable to a limited privilege escalation leading to unauthorized modification of ticket data. The DeleteTicket right and any custom lifecycle transition rights may be bypassed by any user with ModifyTicket. This vulnerability is assigned CVE-2012-4733.

RT 3.8.0 and above include a version of bin/rt that uses semi-predictable names when creating tempfiles. This could possibly be exploited by a malicious user to overwrite files with permissions of the user running bin/rt. This vulnerability is assigned CVE-2013-3368.

RT 3.8.0 and above allow calling of arbitrary Mason components (without control of arguments) for users who can see administration pages. This could be used by a malicious user to run private components which may have negative side-effects. This vulnerability is assigned CVE-2013-3369.

RT 3.8.0 and above allow direct requests to private callback components. Though no callback components ship with RT, this could be used to exploit an extension or local callback which uses the arguments passed to it insecurely. This vulnerability is assigned CVE-2013-3370.

RT 3.8.3 and above are vulnerable to cross-site scripting (XSS) via attachment filenames. The vector is difficult to exploit due to parsing requirements. Additionally, RT 4.0.0 and above are vulnerable to XSS via maliciously-crafted "URLs" in ticket content when RT's "MakeClicky" feature is configured. Although not believed to be exploitable in the stock configuration, a patch is also included for RTIR 2.6.x to add bulletproofing. These vulnerabilities are assigned CVE-2013-3371.

RT 3.8.0 and above are vulnerable to an HTTP header injection limited to the value of the Content-Disposition header. Injection of other arbitrary response headers is not possible. Some (especially older) browsers may allow multiple Content-Disposition values which could lead to XSS. Newer browsers contain security measures to prevent this. Thank you to Dominic Hargreaves for reporting this vulnerability. This vulnerability is assigned CVE-2013-3372.

RT 3.8.0 and above are vulnerable to a MIME header injection in outgoing email generated by RT. The vectors via RT's stock templates are resolved by this patchset, but any custom email templates should be updated to ensure that values interpolated into mail headers do not contain newlines. This vulnerability is assigned CVE-2013-3373.

RT 3.8.0 and above are vulnerable to limited session re-use when using the file-based session store, Apache::Session::File. RT's default session configuration only uses Apache::Session::File for Oracle. RT instances using Oracle may be locally configured to use the database-backed Apache::Session::Oracle, in which case sessions are never re-used. The extent of session re-use is limited to information leaks of certain user preferences and caches, such as queue names available for ticket creation. Thank you to Jenny Martin for reporting the problem that led to the discovery of this vulnerability. This vulnerability is assigned CVE-2013-3374.

http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000227.html http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000228.html CVE-2012-4733 CVE-2013-3368 CVE-2013-3369 CVE-2013-3370 CVE-2013-3371 CVE-2013-3372 CVE-2013-3373 CVE-2013-3374 2013-05-22 2013-05-23
plib -- stack-based buffer overflow plib 1.8.5_4

CVE reports:

Stack-based buffer overflow in the error function in ssg/ssgParser.cxx in PLIB 1.8.5 allows remote attackers to execute arbitrary code via a crafted 3d model file that triggers a long error message, as demonstrated by a .ase file.

55839 CVE-2012-4552 http://www.openwall.com/lists/oss-security/2012/10/29/8 2012-10-09 2013-05-19
plib -- buffer overflow plib 1.8.5_4

Secunia reports:

A vulnerability has been discovered in PLIB, which can be exploited by malicious people to compromise an application using the library. The vulnerability is caused due to a boundary error within the "ulSetError()" function (src/util/ulError.cxx) when creating the error message, which can be exploited to overflow a static buffer.

Successful exploitation allows the execution of arbitrary code but requires that the attacker can e.g. control the content of an overly long error message passed to the "ulSetError()" function.

The vulnerability is confirmed in version 1.8.5. Other versions may also be affected.

Originally reported in TORCS by Andres Gomez.

CVE-2011-4620 http://openwall.com/lists/oss-security/2011/12/21/2 2011-12-21 2013-05-19
linux-flashplugin -- multiple vulnerabilities linux-f10-flashplugin 11.2r202.285

Adobe reports:

These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

CVE-2013-2728 CVE-2013-3324 CVE-2013-3325 CVE-2013-3326 CVE-2013-3327 CVE-2013-3328 CVE-2013-3329 CVE-2013-3330 CVE-2013-3331 CVE-2013-3332 CVE-2013-3333 CVE-2013-3334 CVE-2013-3335 2013-05-14 2013-05-16
mozilla -- multiple vulnerabilities firefox 18.0,121.0,1 17.0.6,1 linux-firefox 17.0.6,1 linux-seamonkey 2.17.1 linux-thunderbird 17.0.6 seamonkey 2.17.1 thunderbird 11.017.0.6

The Mozilla Project reports:

MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)

MFSA 2013-42 Privileged access for content level constructor

MFSA 2013-43 File input control has access to full path

MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service

MFSA 2013-45 Mozilla Updater fails to update some Windows Registry entries

MFSA 2013-46 Use-after-free with video and onresize event

MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent

MFSA 2013-48 Memory corruption found using Address Sanitizer

CVE-2012-1942 CVE-2013-0801 CVE-2013-1669 CVE-2013-1670 CVE-2013-1671 CVE-2013-1672 CVE-2013-1674 CVE-2013-1675 CVE-2013-1676 CVE-2013-1677 CVE-2013-1678 CVE-2013-1679 CVE-2013-1680 CVE-2013-1681 http://www.mozilla.org/security/announce/2013/mfsa2013-40.html http://www.mozilla.org/security/announce/2013/mfsa2013-41.html http://www.mozilla.org/security/announce/2013/mfsa2013-42.html http://www.mozilla.org/security/announce/2013/mfsa2013-43.html http://www.mozilla.org/security/announce/2013/mfsa2013-44.html http://www.mozilla.org/security/announce/2013/mfsa2013-45.html http://www.mozilla.org/security/announce/2013/mfsa2013-46.html http://www.mozilla.org/security/announce/2013/mfsa2013-47.html http://www.mozilla.org/security/announce/2013/mfsa2013-48.html http://www.mozilla.org/security/known-vulnerabilities/ 2013-05-14 2013-05-15 2013-05-21
nginx -- multiple vulnerabilities nginx 1.2.0,11.2.8,1 1.3.0,11.4.1,1 nginx-devel 1.1.41.2.8 1.3.01.5.0

The nginx project reports:

A stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution. [CVE-2013-2028]

A security problem related to CVE-2013-2028 was identified, affecting some previous nginx versions if proxy_pass to untrusted upstream HTTP servers is used.

The problem may lead to a denial of service or a disclosure of a worker process memory on a specially crafted response from an upstream proxied server. [CVE-2013-2070]

CVE-2013-2028 CVE-2013-2070 http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html 2013-05-07 2013-05-07 2013-05-16
strongSwan -- ECDSA signature verification issue strongswan 5.0.4

strongSwan security team reports:

If the openssl plugin is used for ECDSA signature verification an empty, zeroed or otherwise invalid signature is handled as a legitimate one. Both IKEv1 and IKEv2 are affected.

Affected are only installations that have enabled and loaded the OpenSSL crypto backend (--enable-openssl). Builds using the default crypto backends are not affected.

CVE-2013-2944 2013-04-30 2013-05-03
jenkins -- multiple vulnerabilities jenkins 1.514

Jenkins Security Advisory reports:

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

  1. SECURITY-63 / CVE-2013-2034

    This creates a cross-site request forgery (CSRF) vulnerability on Jenkins master, where an anonymous attacker can trick an administrator to execute arbitrary code on Jenkins master by having him open a specifically crafted attack URL.

    There's also a related vulnerability where the permission check on this ability is done imprecisely, which may affect those who are running Jenkins instances with a custom authorization strategy plugin.

  2. SECURITY-67 / CVE-2013-2033

    This creates a cross-site scripting (XSS) vulnerability, where an attacker with a valid user account on Jenkins can execute JavaScript in the browser of other users, if those users are using certain browsers.

  3. SECURITY-69 / CVE-2013-2034

    This is another CSRF vulnerability that allows an attacker to cause a deployment of binaries to Maven repositories. This vulnerability has the same CVE ID as SECURITY-63.

  4. SECURITY-71 / CVE-2013-1808

    This creates a cross-site scripting (XSS) vulnerability.

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-05-02 CVE-2013-2034 CVE-2013-2033 CVE-2013-2034 CVE-2013-1808 2013-05-02 2013-05-03
FreeBSD -- NFS remote denial of service FreeBSD 8.38.3_8 9.19.1_3

Insufficient input validation in the NFS server allows an attacker to cause the underlying file system to treat a regular file as a directory.

CVE-2013-3266 SA-13:05.nfsserver 2013-04-21 2013-04-29 2016-08-09
Joomla! -- XSS and DDoS vulnerabilities joomla 2.0.*2.5.10

The JSST and the Joomla! Security Center report:

[20130405] - Core - XSS Vulnerability

Inadequate filtering leads to XSS vulnerability in Voting plugin.

[20130403] - Core - XSS Vulnerability

Inadequate filtering allows possibility of XSS exploit in some circumstances.

[20130402] - Core - Information Disclosure

Inadequate permission checking allows unauthorised user to see permission settings in some circumstances.

[20130404] - Core - XSS Vulnerability

Use of old version of Flash-based file uploader leads to XSS vulnerability.

[20130401] - Core - Privilege Escalation

Inadequate permission checking allows unauthorised user to delete private messages.

[20130406] - Core - DOS Vulnerability

Object unserialize method leads to possible denial of service vulnerability.

[20130407] - Core - XSS Vulnerability

Inadequate filtering leads to XSS vulnerability in highlighter plugin.

CVE-2013-3059 CVE-2013-3058 CVE-2013-3057 http://developer.joomla.org/security/83-20130404-core-xss-vulnerability.html CVE-2013-3056 CVE-2013-3242 CVE-2013-3267 2013-04-24 2013-04-27
phpMyAdmin -- Multiple security vulnerabilities phpMyAdmin 3.53.5.8.1

The phpMyAdmin development team reports:

In some PHP versions, the preg_replace() function can be tricked into executing arbitrary PHP code on the server. This is done by passing a crafted argument as the regular expression, containing a null byte. phpMyAdmin does not correctly sanitize an argument passed to preg_replace() when using the "Replace table prefix" feature, opening the way to this vulnerability.

This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.

phpMyAdmin can be configured to save an export file on the web server, via its SaveDir directive. With this in place, it's possible, either via a crafted filename template or a crafted table name, to save a double extension file like foobar.php.sql. In turn, an Apache webserver on which there is no definition for the MIME type "sql" (the default) will treat this saved file as a ".php" script, leading to remote code execution.

This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form. Moreover, the SaveDir directive is empty by default, so a default configuration is not vulnerable. The $cfg['SaveDir'] directive must be configured, and the server must be running Apache with mod_mime to be exploitable.

CVE-2013-3238 CVE-2013-3239 2013-04-24 2013-04-24
tinc -- Buffer overflow tinc 1.0.21

tinc-vpn.org reports:

Drop packets forwarded via TCP if they are too big.

CVE-2013-1428 2013-01-26 2013-04-22
phpMyAdmin -- XSS due to unescaped HTML output in GIS visualisation page phpMyAdmin 3.53.5.8

The phpMyAdmin development team reports:

When modifying a URL parameter with a crafted value it is possible to trigger an XSS.

These XSS can only be triggered when a valid database is known and when a valid cookie token is used.

CVE-2013-1937 http://www.phpmyadmin.net/home_page/security/PMASA-2013-1.php 2013-04-18 2013-04-20
roundcube -- arbitrary file disclosure vulnerability roundcube 0.8.6,1

RoundCube development team reports:

After getting reports about a possible vulnerability of Roundcube which allows an attacker to modify its users preferences in a way that he/she can then read files from the server, we now published updated packages as well as patches that fix this security issue.

CVE-2013-1904 https://secunia.com/advisories/52806/ 2013-03-27 2013-04-19
jasper -- buffer overflow jasper 1.900.1_12

Fedora reports:

JasPer fails to properly decode marker segments and other sections in malformed JPEG2000 files. Malformed inputs can cause heap buffer overflows which in turn may result in execution of attacker-controlled code.

CVE-2008-3520 CVE-2008-3522 CVE-2011-4516 CVE-2011-4517 http://www.kb.cert.org/vuls/id/887409 2011-12-09 2013-04-18
ModSecurity -- XML External Entity Processing Vulnerability mod_security 2.*2.7.3

Positive Technologies has reported a vulnerability in ModSecurity, which can be exploited by malicious people to disclose potentially sensitive information or cause a DoS (Denial of Service).

The vulnerability is caused due to an error when parsing external XML entities and can be exploited to e.g. disclose local files or cause excessive memory and CPU consumption.

CVE-2013-1915 https://secunia.com/advisories/52847/ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1915 https://bugs.gentoo.org/show_bug.cgi?id=464188 2013-04-02 2013-04-16
sieve-connect -- TLS hostname verification was not occurring sieve-connect 0.85

sieve-connect developer Phil Pennock reports:

sieve-connect was not actually verifying TLS certificate identities matched the expected hostname.

http://mail.globnix.net/pipermail/sieve-connect-announce/2013/000005.html 2013-04-14 2013-04-15
linux-flashplugin -- multiple vulnerabilities linux-f10-flashplugin 11.2r202.280

Adobe reports:

These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

CVE-2013-1383 CVE-2013-1384 CVE-2013-1385 CVE-2013-1386 2013-04-09 2013-04-10
rubygem-rails -- multiple vulnerabilities rubygem-rails 3.2.13 rubygem-actionpack 3.2.13 rubygem-activerecord 3.2.13 rubygem-activesupport 3.2.13

Ruby on Rails team reports:

Rails version 3.2.13 has been released. This release contains important security fixes. It is recommended users upgrade as soon as possible.

Four vulnerabilities have been discovered and fixed:

  1. (CVE-2013-1854) Symbol DoS vulnerability in Active Record
  2. (CVE-2013-1855) XSS vulnerability in sanitize_css in Action Pack
  3. (CVE-2013-1856) XML Parsing Vulnerability affecting JRuby users
  4. (CVE-2013-1857) XSS Vulnerability in the `sanitize` helper of Ruby on Rails

CVE-2013-1854 CVE-2013-1855 CVE-2013-1856 CVE-2013-1857 http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/ https://groups.google.com/forum/#!topic/ruby-security-ann/o0Dsdk2WrQ0 https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8 https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KZwsQbYsOiI https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI 2013-03-18 2013-04-10
NVIDIA UNIX driver -- ARGB cursor buffer overflow in "NoScanout" mode nvidia-driver 310.14310.44 195.22304.88

NVIDIA Unix security team reports:

When the NVIDIA driver for the X Window System is operated in "NoScanout" mode, and an X client installs an ARGB cursor that is larger than the expected size (64x64 or 256x256, depending on the driver version), the driver will overflow a buffer. This can cause a denial of service (e.g., an X server segmentation fault), or could be exploited to achieve arbitrary code execution. Because the X server runs as setuid root in many configurations, an attacker could potentially use this vulnerability in those configurations to gain root privileges.

CVE-2013-0131 http://nvidia.custhelp.com/app/answers/detail/a_id/3290 2013-03-27 2013-04-08
opera -- moderately severe issue opera 12.15 opera-devel 12.15 linux-opera 12.15 linux-opera-devel 12.15

Opera reports:

Fixed a moderately severe issue, as reported by Attila Suszte.

http://www.opera.com/docs/changelogs/unified/1215/ http://www.opera.com/support/kb/view/1046/ http://www.opera.com/support/kb/view/1047/ 2013-04-04 2014-04-30
Subversion -- multiple vulnerabilities subversion 1.7.01.7.9 1.0.01.6.21

Subversion team reports:

Subversion's mod_dav_svn Apache HTTPD server module will use excessive amounts of memory when a large number of properties are set or deleted on a node.

Subversion's mod_dav_svn Apache HTTPD server module will crash when a LOCK request is made against activity URLs.

Subversion's mod_dav_svn Apache HTTPD server module will crash in some circumstances when a LOCK request is made against a non-existent URL.

Subversion's mod_dav_svn Apache HTTPD server module will crash when a PROPFIND request is made against activity URLs.

Subversion's mod_dav_svn Apache HTTPD server module will crash when a log REPORT request receives a limit that is out of the allowed range.

CVE-2013-1845 CVE-2013-1846 CVE-2013-1847 CVE-2013-1849 CVE-2013-1884 2013-04-05 2013-04-05
otrs -- Information disclosure and Data manipulation otrs 3.1.14

The OTRS Project reports:

An attacker with a valid agent login could manipulate URLs in the object linking mechanism to see titles of tickets and other objects that are not obliged to be seen. Furthermore, links to objects without permission can be placed and removed.

CVE-2013-2625 http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-01/ 2013-04-02 2013-04-05
PostgreSQL -- anonymous remote access data corruption vulnerability postgresql-server 8.3.08.3.21_1 8.4.08.4.17 9.0.09.0.13 9.1.09.1.9 9.2.09.2.4

PostgreSQL project reports:

The PostgreSQL Global Development Group has released a security update to all current versions of the PostgreSQL database system, including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update fixes a high-exposure security vulnerability in versions 9.0 and later. All users of the affected versions are strongly urged to apply the update *immediately*.

A major security issue (for versions 9.x only) fixed in this release, [CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899), makes it possible for a connection request containing a database name that begins with "-" to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request. This issue was discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center.

Two lesser security fixes are also included in this release: [CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900), wherein random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess (all versions), and [CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901), which mistakenly allows an unprivileged user to run commands that could interfere with in-progress backups (for versions 9.x only).

CVE-2013-1899 CVE-2013-1900 CVE-2013-1901 2013-04-04 2013-04-04
mozilla -- multiple vulnerabilities firefox 18.0,120.0,1 17.0.5,1 linux-firefox 17.0.5,1 linux-seamonkey 2.17 linux-thunderbird 17.0.5 seamonkey 2.17 thunderbird 11.017.0.5

The Mozilla Project reports:

MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)

MFSA 2013-31 Out-of-bounds write in Cairo library

MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service

MFSA 2013-33 World read and write access to app_tmp directory on Android

MFSA 2013-34 Privilege escalation through Mozilla Updater

MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux

MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes

MFSA 2013-37 Bypass of tab-modal dialog origin disclosure

MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations

MFSA 2013-39 Memory corruption while rendering grayscale PNG images

MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage

CVE-2013-0788 CVE-2013-0789 CVE-2013-0790 CVE-2013-0791 CVE-2013-0792 CVE-2013-0793 CVE-2013-0794 CVE-2013-0795 CVE-2013-0796 CVE-2013-0797 CVE-2013-0798 CVE-2013-0799 CVE-2013-0800 http://www.mozilla.org/security/announce/2013/mfsa2013-30.html http://www.mozilla.org/security/announce/2013/mfsa2013-31.html http://www.mozilla.org/security/announce/2013/mfsa2013-32.html http://www.mozilla.org/security/announce/2013/mfsa2013-33.html http://www.mozilla.org/security/announce/2013/mfsa2013-34.html http://www.mozilla.org/security/announce/2013/mfsa2013-35.html http://www.mozilla.org/security/announce/2013/mfsa2013-36.html http://www.mozilla.org/security/announce/2013/mfsa2013-37.html http://www.mozilla.org/security/announce/2013/mfsa2013-38.html http://www.mozilla.org/security/announce/2013/mfsa2013-39.html http://www.mozilla.org/security/announce/2013/mfsa2013-40.html http://www.mozilla.org/security/known-vulnerabilities/ 2013-04-02 2013-04-03 2013-04-08
FreeBSD -- BIND remote denial of service FreeBSD 9.09.0_7 9.19.1_2

A flaw in a library used by BIND allows an attacker to deliberately cause excessive memory consumption by the named(8) process. This affects both recursive and authoritative servers.

CVE-2013-2266 SA-13:04.bind https://kb.isc.org/article/AA-00871 2013-04-02 2013-04-02 2016-08-09
FreeBSD -- OpenSSL multiple vulnerabilities FreeBSD 8.38.3_7 9.09.0_7 9.19.1_2

A flaw in the OpenSSL handling of OCSP response verification could be exploited to cause a denial of service attack.

OpenSSL has a weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS. The weakness could reveal plaintext in a timing attack.

CVE-2013-0166 CVE-2013-0169 SA-13:03.openssl http://www.openssl.org/news/secadv_20130205.txt 2013-04-02 2013-04-02 2016-08-09
OpenVPN -- potential side-channel/timing attack when comparing HMACs openvpn 2.0.9_4 2.1.02.2.2_2 2.3.02.3.1

The OpenVPN project reports:

OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext injection due to a non-constant-time HMAC comparison function.

https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc CVE-2013-2061 http://www.openwall.com/lists/oss-security/2013/05/06/6 https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee 2013-03-19 2013-03-31 2013-06-01
libxml2 -- CPU consumption DoS libxml2 2.8.0

Kurt Seifried reports:

libxml2 is affected by the expansion of internal entities (which can be used to consume resources) and external entities (which can cause a denial of service against other services, be used to port scan, etc.).

CVE-2013-0338 CVE-2013-0339 http://seclists.org/oss-sec/2013/q1/391 https://security-tracker.debian.org/tracker/CVE-2013-0338 https://security-tracker.debian.org/tracker/CVE-2013-0339 2013-02-21 2013-03-29
asterisk -- multiple vulnerabilities asterisk11 11.*11.2.2 asterisk10 10.*10.12.2 asterisk18 1.8.*1.8.20.2

Asterisk project reports:

Buffer Overflow Exploit Through SIP SDP Header

Username disclosure in SIP channel driver

Denial of Service in HTTP server

CVE-2013-2685 CVE-2013-2686 CVE-2013-2264 http://downloads.asterisk.org/pub/security/AST-2013-001.html http://downloads.asterisk.org/pub/security/AST-2013-002.html http://downloads.asterisk.org/pub/security/AST-2013-003.html https://www.asterisk.org/security 2013-03-27 2013-03-29
dns/bind9* -- Malicious Regex Can Cause Memory Exhaustion bind99 9.9.2.2 bind99-base 9.9.2.2 bind98 9.8.4.2 bind98-base 9.8.4.2

ISC reports:

A critical defect in BIND 9 allows an attacker to cause excessive memory consumption in named or other programs linked to libdns.

CVE-2013-2266 2013-03-11 2013-03-27
firebird -- Remote Stack Buffer Overflow firebird25-server 2.5.02.5.2 firebird21-server 2.1.02.1.5

Firebird Project reports:

The FirebirdSQL server is vulnerable to a stack buffer overflow that can be triggered when an unauthenticated user sends a specially crafted packet. The result can lead to remote code execution as the user which runs the FirebirdSQL server.

CVE-2013-2492 https://gist.github.com/zeroSteiner/85daef257831d904479c 2013-01-31 2013-03-06
optipng -- use-after-free vulnerability optipng 0.70.7.4

Secunia reports:

A vulnerability has been reported in OptiPNG, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused due to a use-after-free error related to the palette reduction functionality. No further information is currently available.

Successful exploitation may allow execution of arbitrary code.

CVE-2012-4432 https://secunia.com/advisories/50654 2012-09-16 2013-03-21
php5 -- Multiple vulnerabilities php5 5.4.13 php53 5.3.23

The PHP development team reports:

PHP does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.

The SOAP parser in PHP allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.

CVE-2013-1635 CVE-2013-1643 2013-03-04 2013-03-18
piwigo -- CSRF/Path Traversal piwigo 2.4.7

High-Tech Bridge Security Research Lab reports:

The CSRF vulnerability exists due to insufficient verification of the HTTP request origin in the "/admin.php" script. A remote attacker can trick a logged-in administrator into visiting a specially crafted webpage and create an arbitrary PHP file on the remote server.

The path traversal vulnerability exists due to insufficient filtration of user-supplied input in the "dl" HTTP GET parameter passed to the "/install.php" script. The script is present on the system after installation by default, and can be accessed by an attacker without any restrictions.

CVE-2013-1468 CVE-2013-1469 http://piwigo.org/bugs/view.php?id=0002843 http://piwigo.org/bugs/view.php?id=0002844 http://dl.packetstormsecurity.net/1302-exploits/piwigo246-traversalxsrf.txt 2013-02-06 2013-03-18
libexif -- multiple remote vulnerabilities libexif 0.6.21

libexif project security advisory:

A number of remotely exploitable issues were discovered in libexif and exif, with effects ranging from information leakage to potential remote code execution.

CVE-2012-2812 CVE-2012-2813 CVE-2012-2814 CVE-2012-2836 CVE-2012-2837 CVE-2012-2840 CVE-2012-2841 CVE-2012-2845 54437 2012-07-12 2013-03-13
linux-flashplugin -- multiple vulnerabilities linux-f10-flashplugin 11.2r202.275

Adobe reports:

These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

CVE-2013-0646 CVE-2013-0650 CVE-2013-1371 CVE-2013-1375 2013-03-12 2013-03-12
puppet27 and puppet -- multiple vulnerabilities puppet 3.03.1.1 puppet27 2.72.7.21

Moses Mendoza reports:

A vulnerability found in Puppet could allow an authenticated client to cause the master to execute arbitrary code while responding to a catalog request. Specifically, in order to exploit the vulnerability, the puppet master must be made to invoke the 'template' or 'inline_template' functions during catalog compilation.

A vulnerability found in Puppet could allow an authenticated client to connect to a puppet master and perform unauthorized actions. Specifically, given a valid certificate and private key, an agent could retrieve catalogs from the master that it is not authorized to access or it could poison the puppet master's caches for any puppet-generated data that supports caching such as catalogs, nodes, facts, and resources. The extent and severity of this vulnerability varies depending on the specific configuration of the master: for example, whether it is using storeconfigs or not, which version, whether it has access to the cache or not, etc.

A vulnerability has been found in Puppet which could allow authenticated clients to execute arbitrary code on agents that have been configured to accept kick connections. This vulnerability is not present in the default configuration of puppet agents, but if they have been configured to listen for incoming connections ('listen=true'), and the agent's auth.conf has been configured to allow access to the `run` REST endpoint, then a client could construct an HTTP request which could execute arbitrary code. The severity of this issue is exacerbated by the fact that puppet agents typically run as root.

A vulnerability has been found in Puppet that could allow a client negotiating a connection to a master to downgrade the master's SSL protocol to SSLv2. This protocol has been found to contain design weaknesses. This issue only affects systems running older versions (pre 1.0.0) of OpenSSL. Newer versions explicitly disable SSLv2.

A vulnerability found in Puppet could allow unauthenticated clients to send requests to the puppet master which would cause it to load code unsafely. While there are no reported exploits, this vulnerability could cause issues like those described in Rails CVE-2013-0156. This vulnerability only affects puppet masters running Ruby 1.9.3 and higher.

This vulnerability affects puppet masters 0.25.0 and above. By default, auth.conf allows any authenticated node to submit a report for any other node. This can cause issues with compliance. The defaults in auth.conf have been changed.

CVE-2013-1640 CVE-2013-1652 CVE-2013-1653 CVE-2013-1654 CVE-2013-1655 CVE-2013-2275 https://puppetlabs.com/security/cve/cve-2013-1640/ https://puppetlabs.com/security/cve/cve-2013-1652/ https://puppetlabs.com/security/cve/cve-2013-1653/ https://puppetlabs.com/security/cve/cve-2013-1654/ https://puppetlabs.com/security/cve/cve-2013-1655/ https://puppetlabs.com/security/cve/cve-2013-2275/ https://groups.google.com/forum/?fromgroups=#!topic/puppet-announce/f_gybceSV6E https://groups.google.com/forum/?fromgroups=#!topic/puppet-announce/kgDyaPhHniw 2013-03-13 2013-03-13
puppet26 -- multiple vulnerabilities puppet26 2.62.6.18

Moses Mendoza reports:

A vulnerability found in Puppet could allow an authenticated client to cause the master to execute arbitrary code while responding to a catalog request. Specifically, in order to exploit the vulnerability, the puppet master must be made to invoke the 'template' or 'inline_template' functions during catalog compilation.

A vulnerability found in Puppet could allow an authenticated client to connect to a puppet master and perform unauthorized actions. Specifically, given a valid certificate and private key, an agent could retrieve catalogs from the master that it is not authorized to access or it could poison the puppet master's caches for any puppet-generated data that supports caching such as catalogs, nodes, facts, and resources. The extent and severity of this vulnerability varies depending on the specific configuration of the master: for example, whether it is using storeconfigs or not, which version, whether it has access to the cache or not, etc.

A vulnerability has been found in Puppet that could allow a client negotiating a connection to a master to downgrade the master's SSL protocol to SSLv2. This protocol has been found to contain design weaknesses. This issue only affects systems running older versions (pre 1.0.0) of OpenSSL. Newer versions explicitly disable SSLv2.

A vulnerability found in Puppet could allow an authenticated client to execute arbitrary code on a puppet master that is running in the default configuration, or an agent with `puppet kick` enabled. Specifically, a properly authenticated and connected puppet agent could be made to construct an HTTP PUT request for an authorized report that actually causes the execution of arbitrary code on the master.

This vulnerability affects puppet masters 0.25.0 and above. By default, auth.conf allows any authenticated node to submit a report for any other node. This can cause issues with compliance. The defaults in auth.conf have been changed.

CVE-2013-1640 CVE-2013-1652 CVE-2013-1654 CVE-2013-2274 CVE-2013-2275 https://puppetlabs.com/security/cve/cve-2013-1640/ https://puppetlabs.com/security/cve/cve-2013-1652/ https://puppetlabs.com/security/cve/cve-2013-1654/ https://puppetlabs.com/security/cve/cve-2013-2274/ https://puppetlabs.com/security/cve/cve-2013-2275/ 2013-03-13 2013-03-13
perl -- denial of service via algorithmic complexity attack on hashing routines perl perl-threaded 5.12.4_5 5.14.05.14.2_3 5.16.05.16.2_1

Perl developers report:

In order to prevent an algorithmic complexity attack against its hashing mechanism, perl will sometimes recalculate keys and redistribute the contents of a hash. This mechanism has made perl robust against attacks that have been demonstrated against other systems.

Research by Yves Orton has recently uncovered a flaw in the rehashing code which can result in pathological behavior. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys.

Because using user-provided strings as hash keys is a very common operation, we urge users of perl to update their perl executable as soon as possible.

CVE-2013-1667 http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html 2013-03-04 2013-03-10 2016-08-22
libpurple -- multiple vulnerabilities libpurple 2.10.7

Pidgin reports:

libpurple

Fix a crash when receiving UPnP responses with abnormally long values.

MXit

Fix two bugs where a remote MXit user could possibly specify a local file path to be written to.

Fix a bug where the MXit server or a man-in-the-middle could potentially send specially crafted data that could overflow a buffer and lead to a crash or remote code execution.

Sametime

Fix a crash in Sametime when a malicious server sends us an abnormally long user ID.

CVE-2013-0274 CVE-2013-0271 CVE-2013-0272 CVE-2013-0273 https://developer.pidgin.im/wiki/ChangeLog 2013-02-13 2013-03-10 2013-03-16
mozilla -- use-after-free in HTML Editor firefox 18.0,119.0.2,1 17.0.3,1 linux-firefox 17.0.4,1 linux-seamonkey 2.16.1 linux-thunderbird 17.0.4 seamonkey 2.16.1 thunderbird 11.017.0.4 10.0.12

The Mozilla Project reports:

MFSA 2013-29 Use-after-free in HTML Editor

CVE-2013-0787 http://www.mozilla.org/security/announce/2013/mfsa2013-29.html http://www.mozilla.org/security/known-vulnerabilities/ 2013-03-07 2013-03-08
typo3 -- Multiple vulnerabilities in TYPO3 Core typo3 4.5.04.5.23 4.6.04.6.16 4.7.04.7.8 6.0.06.0.2

TYPO3 Security Team reports:

Extbase Framework - Failing to sanitize user input, the Extbase database abstraction layer is susceptible to SQL Injection. TYPO3 sites which have no Extbase extensions installed are not affected. Extbase extensions are affected if they use the Query Object Model and relation values are user generated input. Credits go to Helmut Hummel and Markus Opahle who discovered and reported the issue.

Access tracking mechanism - Failing to validate user provided input, the access tracking mechanism allows redirects to arbitrary URLs. To fix this vulnerability, we had to break existing behaviour of TYPO3 sites that use the access tracking mechanism (jumpurl feature) to transform links to external sites. The link generation has been changed to include a hash that is checked before redirecting to an external URL. This means that old links that have been distributed (e.g. by a newsletter) will not work any more.

http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/ 2013-03-06 2013-03-06
stunnel -- Remote Code Execution stunnel 4.214.55

Michal Trojnara reports:

64-bit versions of stunnel with the following conditions:

* NTLM authentication enabled
* CONNECT protocol negotiation enabled
* Configured in SSL client mode
* An attacker that can either control the proxy server specified in the "connect" option or execute MITM attacks on the TCP session between stunnel and the proxy

can be exploited for remote code execution. The code is executed within the configured chroot directory, with privileges of the configured user and group.

CVE-2013-1762 https://www.stunnel.org/CVE-2013-1762.html 2013-03-03 2013-03-03
apache22 -- several vulnerabilities apache22 2.2.02.2.24 apache22-event-mpm 2.2.02.2.24 apache22-itk-mpm 2.2.02.2.24 apache22-peruser-mpm 2.2.02.2.24 apache22-worker-mpm 2.2.02.2.24

Apache HTTP Server Project reports:

low: XSS due to unescaped hostnames CVE-2012-3499

Various XSS flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.

moderate: XSS in mod_proxy_balancer CVE-2012-4558

An XSS flaw affected the mod_proxy_balancer manager interface.

CVE-2012-3499 CVE-2012-4558 2012-10-07 2013-03-02
sudo -- Authentication bypass when clock is reset sudo 1.8.6.p7

Todd Miller reports:

The flaw may allow someone with physical access to a machine that is not password-protected to run sudo commands without knowing the logged in user's password. On systems where sudo is the principal way of running commands as root, such as on Ubuntu and Mac OS X, there is a greater chance that the logged in user has run sudo before and thus that an attack would succeed.

CVE-2013-1775 http://www.sudo.ws/sudo/alerts/epoch_ticket.html 2013-02-27 2013-03-01
sudo -- Potential bypass of tty_tickets constraints sudo 1.8.6.p7

Todd Miller reports:

A (potentially malicious) program run by a user with sudo access may be able to bypass the "tty_ticket" constraints. In order for this to succeed there must exist on the machine a terminal device that the user has previously authenticated themselves on via sudo within the last time stamp timeout (5 minutes by default).

CVE-2013-1776 http://www.sudo.ws/sudo/alerts/tty_tickets.html 2013-02-27 2013-03-01
rubygem-dragonfly -- arbitrary code execution rubygem18-dragonfly rubygem19-dragonfly rubygem20-dragonfly 0.9.14

Mark Evans reports:

Unfortunately there is a security vulnerability in Dragonfly when used with Rails which would potentially allow an attacker to run arbitrary code on a host machine using carefully crafted requests.

CVE-2013-1756 2013-02-19 2013-02-28
linux-flashplugin -- multiple vulnerabilities linux-f10-flashplugin 11.2r202.273

Adobe reports:

These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

CVE-2013-0504 CVE-2013-0643 CVE-2013-0648 2013-02-26 2013-02-27
otrs -- XSS vulnerability could lead to remote code execution otrs 3.1.*3.1.11

The OTRS Project reports:

This advisory covers vulnerabilities discovered in the OTRS core system. This is a variance of the XSS vulnerability, where an attacker could send a specially prepared HTML email to OTRS which would cause JavaScript code to be executed in your browser while displaying the email. In this case this is achieved by using javascript source attributes with whitespaces.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.14, 3.0.x up to and including 3.0.16 and 3.1.x up to and including 3.1.10.

CVE-2012-4751 http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03 2012-10-16 2013-02-25
otrs -- XSS vulnerability in Firefox and Opera could lead to remote code execution otrs 3.1.*3.1.10

The OTRS Project reports:

This advisory covers vulnerabilities discovered in the OTRS core system. This is a variance of the XSS vulnerability, where an attacker could send a specially prepared HTML email to OTRS which would cause JavaScript code to be executed in your browser while displaying the email in Firefox and Opera. In this case this is achieved with an invalid HTML structure with nested tags.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.13, 3.0.x up to and including 3.0.15 and 3.1.x up to and including 3.1.9 in combination with Firefox and Opera.

CVE-2012-4600 http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02 2012-08-30 2013-02-25
otrs -- XSS vulnerability in Internet Explorer could lead to remote code execution otrs 3.1.*3.1.9

The OTRS Project reports:

This advisory covers vulnerabilities discovered in the OTRS core system. Due to the XSS vulnerability in Internet Explorer an attacker could send a specially prepared HTML email to OTRS which would cause JavaScript code to be executed in your Internet Explorer while displaying the email.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.12, 3.0.x up to and including 3.0.14 and 3.1.x up to and including 3.1.8 in combination with Internet Explorer.

CVE-2012-2582 http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01 2012-08-22 2013-02-25
ruby -- DoS vulnerability in REXML ruby 1.9,11.9.3.392,1

Ruby developers report:

Unrestricted entity expansion can lead to a DoS vulnerability in REXML. (The CVE identifier will be assigned later.) We strongly recommend upgrading ruby.

When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.

http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/ 2013-02-22 2013-02-24
rubygem-ruby_parser -- insecure tmp file usage rubygem18-ruby_parser rubygem19-ruby_parser rubygem20-ruby_parser 3.1.1

Michael Scherer reports:

This is a relatively minor tmp file usage issue.

CVE-2013-0162 2013-02-24 2013-02-24
django -- multiple vulnerabilities py26-django py27-django 1.31.3.6 1.41.4.4

The Django Project reports:

These security releases fix four issues: one potential phishing vector, one denial-of-service vector, an information leakage issue, and a range of XML vulnerabilities.

  1. Host header poisoning

    An attacker could cause Django to generate and display URLs that link to arbitrary domains. This could be used as part of a phishing attack. These releases fix this problem by introducing a new setting, ALLOWED_HOSTS, which specifies a whitelist of domains your site is known to respond to.

    Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to allow all hosts. This means that to actually fix the security vulnerability you should define this setting yourself immediately after upgrading.

  2. Formset denial-of-service

    An attacker can abuse Django's tracking of the number of forms in a formset to cause a denial-of-service attack. This has been fixed by adding a default maximum number of forms of 1,000. You can still manually specify a bigger max_num, if you wish, but 1,000 should be enough for anyone.

  3. XML attacks

    Django's serialization framework was vulnerable to attacks via XML entity expansion and external references; this is now fixed. However, if you're parsing arbitrary XML in other parts of your application, we recommend you look into the defusedxml Python packages which remedy this anywhere you parse XML, not just via Django's serialization framework.

  4. Data leakage via admin history log

    Django's admin interface could expose supposedly-hidden information via its history log. This has been fixed.

CVE-2013-1664 CVE-2013-1665 CVE-2013-0305 CVE-2013-0306 58022 58061 2013-02-21 2013-02-24
krb5 -- null pointer dereference in the KDC PKINIT code [CVE-2013-1415] krb5 1.11

No advisory has been released yet.

Fix a null pointer dereference in the KDC PKINIT code [CVE-2013-1415].

CVE-2013-1415 http://web.mit.edu/kerberos/www/krb5-1.11/ 2013-02-21 2013-02-22
FreeBSD -- glob(3) related resource exhaustion FreeBSD 7.47.4_12 8.38.3_6 9.09.0_6 9.19.1_1

Problem description:

GLOB_LIMIT is supposed to limit the number of paths to prevent against memory or CPU attacks. The implementation however is insufficient.

SA-13:02.libc CVE-2010-2632 2013-02-19 2013-02-21 2016-08-09
FreeBSD -- BIND remote DoS with deliberately crafted DNS64 query FreeBSD 9.09.0_6 9.19.1_1

Problem description:

Due to a software defect a crafted query can cause named(8) to crash with an assertion failure.

SA-13:01.bind CVE-2012-5688 2013-02-19 2013-02-21
drupal7 -- Denial of service drupal7 7.19

Drupal Security Team reports:

Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.

CVE-2013-0316 https://drupal.org/SA-CORE-2013-002 2013-02-20 2013-02-21
nss-pam-ldapd -- file descriptor buffer overflow nss-pam-ldapd 0.8.12

Garth Mollett reports:

A file descriptor overflow issue in the use of FD_SET() in nss-pam-ldapd can lead to a stack-based buffer overflow. An attacker could, under some circumstances, use this flaw to cause a process that has the NSS or PAM module loaded to crash or potentially execute arbitrary code.

CVE-2013-0288 2013-02-18 2013-02-20
bugzilla -- multiple vulnerabilities bugzilla de-bugzilla ru-bugzilla ja-bugzilla 3.6.03.6.13 4.0.04.0.10 4.2.04.2.5

A Bugzilla Security Advisory reports:

Cross-Site Scripting

When viewing a single bug report, which is the default, the bug ID is validated and rejected if it is invalid. But when viewing several bug reports at once, which is specified by the format=multiple parameter, invalid bug IDs can go through and are sanitized in the HTML page itself. But when an invalid page format is passed to the CGI script, the wrong HTML page is called and data are not correctly sanitized, which can lead to XSS.

Information Leak

When running a query in debug mode, the generated SQL query used to collect the data is displayed. The way this SQL query is built permits the user to determine if some confidential field value (such as a product name) exists. This problem only affects Bugzilla 4.0.9 and older. Newer releases are not affected by this issue.

CVE-2013-0785 https://bugzilla.mozilla.org/show_bug.cgi?id=842038 CVE-2013-0786 https://bugzilla.mozilla.org/show_bug.cgi?id=824399 2013-02-19 2013-02-20 2013-03-31
mozilla -- multiple vulnerabilities firefox 18.0,119.0,1 17.0.3,1 linux-firefox 17.0.3,1 linux-seamonkey 2.16 linux-thunderbird 17.0.3 seamonkey 2.16 thunderbird 11.017.0.3 10.0.12 libxul 1.9.2.*10.0.12

The Mozilla Project reports:

MFSA 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)

MFSA 2013-22 Out-of-bounds read in image rendering

MFSA 2013-23 Wrapped WebIDL objects can be wrapped again

MFSA 2013-24 Web content bypass of COW and SOW security wrappers

MFSA 2013-25 Privacy leak in JavaScript Workers

MFSA 2013-26 Use-after-free in nsImageLoadingContent

MFSA 2013-27 Phishing on HTTPS connection through malicious proxy

MFSA 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer

CVE-2013-0765 CVE-2013-0772 CVE-2013-0773 CVE-2013-0774 CVE-2013-0775 CVE-2013-0776 CVE-2013-0783 CVE-2013-0784 http://www.mozilla.org/security/announce/2013/mfsa2013-20.html http://www.mozilla.org/security/announce/2013/mfsa2013-21.html http://www.mozilla.org/security/announce/2013/mfsa2013-22.html http://www.mozilla.org/security/announce/2013/mfsa2013-23.html http://www.mozilla.org/security/announce/2013/mfsa2013-24.html http://www.mozilla.org/security/announce/2013/mfsa2013-25.html http://www.mozilla.org/security/announce/2013/mfsa2013-26.html http://www.mozilla.org/security/announce/2013/mfsa2013-27.html http://www.mozilla.org/security/known-vulnerabilities/ 2013-02-19 2013-02-19 2013-02-20
Ruby Rack Gem -- Multiple Issues rubygem18-rack 1.4.5 rubygem19-rack 1.4.5

Rack developers report:

Today we are proud to announce the release of Rack 1.4.5.

Fix CVE-2013-0263, timing attack against Rack::Session::Cookie

Fix CVE-2013-0262, symlink path traversal in Rack::File

CVE-2013-0262 CVE-2013-0263 2013-02-08 2013-02-17
Ruby Activemodel Gem -- Circumvention of attr_protected rubygem18-activemodel 3.2.12 rubygem19-activemodel 3.2.12

Aaron Patterson reports:

The attr_protected method allows developers to specify a blacklist of model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected.

All users running an affected release should either upgrade or use one of the workarounds immediately. Users should also consider switching from attr_protected to the whitelist method attr_accessible which is not vulnerable to this attack.

CVE-2013-0276 2013-02-11 2013-02-17
jenkins -- multiple vulnerabilities jenkins 1.501

Jenkins Security Advisory reports:

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

  1. One of the vulnerabilities allows cross-site request forgery (CSRF) attacks on the Jenkins master, which causes a user to make unwanted actions on Jenkins. Another vulnerability enables cross-site scripting (XSS) attacks, which has a similar consequence. Another vulnerability allowed an attacker to bypass the CSRF protection mechanism in place, thereby mounting more CSRF attacks. These attacks allow an attacker without direct access to Jenkins to mount an attack.
  2. In the fourth vulnerability, a malicious user of Jenkins can trick Jenkins into building jobs that he does not have direct access to.
  3. And lastly, a vulnerability allows a malicious user of Jenkins to mount a denial of service attack by feeding a carefully crafted payload to Jenkins.

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16 2013-02-16 2013-02-17
poweradmin -- multiple XSS vulnerabilities poweradmin 2.1.6

Multiple cross-site scripting (XSS) vulnerabilities

Multiple scripts are vulnerable to XSS attacks.

55619 http://packetstormsecurity.com/files/116698/Poweradmin-Cross-Site-Scripting.html 2012-01-12 2013-02-16
Ruby -- Denial of Service and Unsafe Object Creation Vulnerability in JSON ruby 1.9,11.9.3.385,1 rubygem18-json 1.7.7 rubygem19-json 1.7.7 rubygem18-json_pure 1.7.7 rubygem19-json_pure 1.7.7

Aaron Patterson reports:

When parsing certain JSON documents, the JSON gem can be coerced into creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack.

The same technique can be used to create objects in a target system that act like internal objects. These "act alike" objects can be used to bypass certain security mechanisms and can be used as a springboard for SQL injection attacks in Ruby on Rails.

CVE-2013-0269 2013-02-11 2013-02-16
Ruby -- XSS exploit of RDoc documentation generated by rdoc ruby 1.9,11.9.3.385,1 rubygem18-rdoc 3.12.1 rubygem19-rdoc 3.12.1

Ruby developers report:

RDoc documentation generated by rdoc bundled with ruby is vulnerable to an XSS exploit. All ruby users are recommended to update ruby to a newer version which includes security-fixed RDoc. If you are publishing RDoc documentation generated by rdoc, you are recommended to apply a patch for the documentation or re-generate it with security-fixed RDoc.

CVE-2013-0256 2013-02-06 2013-02-16
linux-flashplugin -- multiple vulnerabilities linux-f10-flashplugin 11.2r202.262

Adobe reports:

These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

CVE-2013-0633 CVE-2013-0634 https://www.adobe.com/support/security/bulletins/apsb13-04.html 2013-02-07 2013-02-08
OpenSSL -- TLS 1.1, 1.2 denial of service openssl 1.0.1_6

OpenSSL security team reports:

A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI supporting platforms can be exploited in a DoS attack.

A flaw in the OpenSSL handling of OCSP response verification can be exploited in a denial of service attack.

CVE-2012-2686 CVE-2013-0166 CVE-2013-0169 http://www.openssl.org/news/secadv_20120510.txt 2013-02-05 2013-02-06
mysql/mariadb/percona server -- multiple vulnerabilities mysql-server 5.15.1.67 5.55.5.29 mariadb-server 5.35.3.12 5.55.5.29 percona-server 5.55.5.29.29.4

ORACLE reports:

Multiple SQL injection vulnerabilities in the replication code

Stack-based buffer overflow

Heap-based buffer overflow

CVE-2012-4414 CVE-2012-5611 CVE-2012-5612 CVE-2012-5615 CVE-2012-5627 https://mariadb.atlassian.net/browse/MDEV-4029 https://mariadb.atlassian.net/browse/MDEV-MDEV-729 http://www.mysqlperformanceblog.com/2013/01/23/announcing-percona-server-5-5-29-29-4/ 2012-12-01 2013-02-01
opera -- execution of arbitrary code opera opera-devel linux-opera linux-opera-devel 12.13

Opera reports:

Particular DOM event manipulations can cause Opera to crash. In some cases, this crash might occur in a way that allows execution of arbitrary code. To inject code, additional techniques would have to be employed.

http://www.opera.com/support/kb/view/1042/ http://www.opera.com/support/kb/view/1043/ 2013-01-30 2013-02-01
upnp -- multiple vulnerabilities upnp 1.6.18

Project changelog reports:

This patch addresses three possible buffer overflows in function unique_service_name(). The three issues have the following CVE numbers:

  • CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
  • CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
  • CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

Notice that the following issues have already been dealt with by previous work:

  • CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
  • CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
  • CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
  • CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
  • CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 2012-11-21 2013-01-30
wordpress -- multiple vulnerabilities wordpress 3.5.1,1 zh-wordpress-zh_CN 3.5.1 zh-wordpress-zh_TW 3.5.1 de-wordpress 3.5.1 ja-wordpress 3.5.1 ru-wordpress 3.5.1

Wordpress reports:

WordPress 3.5.1 also addresses the following security issues:

  • A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We'd like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
  • Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
  • A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.
CVE-2013-0235 CVE-2013-0236 CVE-2013-0237 2013-01-24 2013-01-29 2014-04-30
django-cms -- XSS Vulnerability py-django-cms 2.3.5

Cross-site scripting (XSS) vulnerability

Jonas Obrist reports: The security issue allows users with limited admin access to elevate their privileges through XSS injection using the page_attribute template tag. Only users with admin access and the permission to edit at least one django CMS page object could exploit this vulnerability. Websites that do not use the page_attribute template tag are not affected.

https://www.django-cms.org/en/blog/2012/12/04/2-3-5-security-release/ 2012-12-04 2013-01-25
drupal -- multiple vulnerabilities drupal6 6.28 drupal7 7.19

Drupal Security Team reports:

Cross-site scripting (Various core and contributed modules)

Access bypass (Book module printer friendly version)

Access bypass (Image module)

https://drupal.org/SA-CORE-2013-001 2013-01-16 2013-01-20
ettercap -- buffer overflow in target list parsing ettercap 0.7.4.1 0.7.50.7.5.2

The host target list parsing routine in the ettercap 0.7.4 series prior to 0.7.4.1 and in the 0.7.5 series is prone to a stack-based buffer overflow that may lead to code execution with the privileges of the ettercap process.

In order to trigger this vulnerability, a user or service that uses ettercap must be tricked into passing a crafted list of targets via the "-j" option.

CVE-2013-0722 http://www.exploit-db.com/exploits/23945/ https://secunia.com/advisories/51731/ 2013-01-07 2013-01-16
java 7.x -- security manager bypass openjdk7 0 linux-sun-jdk 7.07.11 linux-sun-jre 7.07.11

US CERT reports:

Java 7 Update 10 and earlier versions of Java 7 contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException".

By leveraging the vulnerability in the Java Management Extensions (JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving the Reflection API and the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to allow full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier Java 7 versions are affected. The invokeWithArguments method was introduced with Java 7, so therefore Java 6 is not affected.

This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.

Esteban Guillardoy from Immunity Inc. additionally clarifies on the recursive reflection exploitation technique:

The real issue is in the native sun.reflect.Reflection.getCallerClass method.

We can see the following information in the Reflection source code:

Returns the class of the method realFramesToSkip frames up the stack (zero-based), ignoring frames associated with java.lang.reflect.Method.invoke() and its implementation.

So what is happening here is that they forgot to skip the frames related to the new Reflection API and only the old reflection API is taken into account.

This exploit does not only affect Java applets, but every piece of software that relies on the Java Security Manager for sandboxing executable code is affected: malicious code can totally disable Security Manager.

For users who are running native Web browsers with enabled Java plugin, the workaround is to remove the java/icedtea-web port and restart all browser instances.

For users who are running Linux Web browser flavors, the workaround is either to disable the Java plugin in browser or to upgrade linux-sun-* packages to the non-vulnerable version.

It is not recommended to run untrusted applets using appletviewer, since this may lead to the execution of the malicious code on vulnerable versions on JDK/JRE.

CVE-2013-0433 625617 http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf 2013-01-10 2013-01-14
nagios -- buffer overflow in history.cgi nagios 3.4.3_1

full disclosure reports:

history.cgi is vulnerable to a buffer overflow due to the use of sprintf with user supplied data that has not been restricted in size.

CVE-2012-6096 http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547 2012-12-21 2013-01-10
mozilla -- multiple vulnerabilities firefox 11.0,117.0.2,1 10.0.12,1 linux-firefox 17.0.2,1 linux-seamonkey 2.15 linux-thunderbird 17.0.2 seamonkey 2.15 thunderbird 11.017.0.2 10.0.12 libxul 1.9.2.*10.0.12 ca_root_nss 3.14.1

The Mozilla Project reports:

MFSA 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)

MFSA 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer

MFSA 2013-03 Buffer Overflow in Canvas

MFSA 2013-04 URL spoofing in addressbar during page loads

MFSA 2013-05 Use-after-free when displaying table with many columns and column groups

MFSA 2013-06 Touch events are shared across iframes

MFSA 2013-07 Crash due to handling of SSL on threads

MFSA 2013-08 AutoWrapperChanger fails to keep objects alive during garbage collection

MFSA 2013-09 Compartment mismatch with quickstubs returned values

MFSA 2013-10 Event manipulation in plugin handler to bypass same-origin policy

MFSA 2013-11 Address space layout leaked in XBL objects

MFSA 2013-12 Buffer overflow in Javascript string concatenation

MFSA 2013-13 Memory corruption in XBL with XML bindings containing SVG

MFSA 2013-14 Chrome Object Wrapper (COW) bypass through changing prototype

MFSA 2013-15 Privilege escalation through plugin objects

MFSA 2013-16 Use-after-free in serializeToStream

MFSA 2013-17 Use-after-free in ListenerManager

MFSA 2013-18 Use-after-free in Vibrate

MFSA 2013-19 Use-after-free in Javascript Proxy objects

MFSA 2013-20 Mis-issued TURKTRUST certificates

CVE-2012-5829 CVE-2013-0743 CVE-2013-0744 CVE-2013-0745 CVE-2013-0746 CVE-2013-0747 CVE-2013-0748 CVE-2013-0749 CVE-2013-0750 CVE-2013-0751 CVE-2013-0752 CVE-2013-0753 CVE-2013-0754 CVE-2013-0755 CVE-2013-0756 CVE-2013-0757 CVE-2013-0758 CVE-2013-0759 CVE-2013-0760 CVE-2013-0761 CVE-2013-0762 CVE-2013-0763 CVE-2013-0764 CVE-2013-0766 CVE-2013-0767 CVE-2013-0768 CVE-2013-0769 CVE-2013-0770 CVE-2013-0771 http://www.mozilla.org/security/announce/2013/mfsa2013-01.html http://www.mozilla.org/security/announce/2013/mfsa2013-02.html http://www.mozilla.org/security/announce/2013/mfsa2013-03.html http://www.mozilla.org/security/announce/2013/mfsa2013-04.html http://www.mozilla.org/security/announce/2013/mfsa2013-05.html http://www.mozilla.org/security/announce/2013/mfsa2013-06.html http://www.mozilla.org/security/announce/2013/mfsa2013-07.html http://www.mozilla.org/security/announce/2013/mfsa2013-08.html http://www.mozilla.org/security/announce/2013/mfsa2013-09.html http://www.mozilla.org/security/announce/2013/mfsa2013-10.html http://www.mozilla.org/security/announce/2013/mfsa2013-11.html http://www.mozilla.org/security/announce/2013/mfsa2013-12.html http://www.mozilla.org/security/announce/2013/mfsa2013-13.html http://www.mozilla.org/security/announce/2013/mfsa2013-14.html http://www.mozilla.org/security/announce/2013/mfsa2013-15.html http://www.mozilla.org/security/announce/2013/mfsa2013-16.html http://www.mozilla.org/security/announce/2013/mfsa2013-17.html http://www.mozilla.org/security/announce/2013/mfsa2013-18.html http://www.mozilla.org/security/announce/2013/mfsa2013-19.html http://www.mozilla.org/security/announce/2013/mfsa2013-20.html http://www.mozilla.org/security/known-vulnerabilities/ 2013-01-08 2013-01-09
rubygem-rails -- multiple vulnerabilities rubygem-rails 3.2.11 rubygem-actionpack 3.2.11 rubygem-activerecord 3.2.11 rubygem-activesupport 3.2.11

Ruby on Rails team reports:

Two high-risk vulnerabilities have been discovered:

(CVE-2013-0155) There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing.

Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty "WHERE" clauses. This issue does not let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users would not expect it.

(CVE-2013-0156) There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.

The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.

CVE-2013-0155 CVE-2013-0156 http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/ https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/t1WFuuQyavI https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/61bkgvnSGTQ 2013-01-08 2013-01-08
rubygem-rails -- SQL injection vulnerability rubygem-rails 3.2.10

Ruby on Rails team reports:

There is a SQL injection vulnerability in Active Record in ALL versions. Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.

CVE-2012-5664 https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM 2013-01-02 2013-01-07
jenkins -- HTTP access to the server to retrieve the master cryptographic key jenkins 1.498

Jenkins Security Advisory reports:

This advisory announces a security vulnerability that was found in Jenkins core.

An attacker can then use this master cryptographic key to mount a remote code execution attack against the Jenkins master, or impersonate arbitrary users in making REST API calls.

There are several factors that mitigate some of these problems that may apply to specific installations.

  • The particular attack vector is only applicable on Jenkins instances that have slaves attached to them, and allow anonymous read access.
  • Jenkins allows users to re-generate the API tokens. Those re-generated API tokens cannot be impersonated by the attacker.
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04 2013-01-04 2013-01-08
django -- multiple vulnerabilities django 1.4.3 django13 1.3.5

The Django Project reports:

  1. Host header poisoning

    Several earlier Django security releases focused on the issue of poisoning the HTTP Host header, causing Django to generate URLs pointing to arbitrary, potentially-malicious domains.

    In response to further input received and reports of continuing issues following the previous release, we're taking additional steps to tighten Host header validation. Rather than attempt to accommodate all features HTTP supports here, Django's Host header validation attempts to support a smaller, but far more common, subset:

    • Hostnames must consist of characters [A-Za-z0-9] plus hyphen ('-') or dot ('.').
    • IP addresses -- both IPv4 and IPv6 -- are permitted.
    • Port, if specified, is numeric.

    Any deviation from this will now be rejected, raising the exception django.core.exceptions.SuspiciousOperation.

  2. Redirect poisoning

    Also following up on a previous issue: in July of this year, we made changes to Django's HTTP redirect classes, performing additional validation of the scheme of the URL to redirect to (since, both within Django's own supplied applications and many third-party applications, accepting a user-supplied redirect target is a common pattern).

    Since then, two independent audits of the code turned up further potential problems. So, similar to the Host-header issue, we are taking steps to provide tighter validation in response to reported problems (primarily with third-party applications, but to a certain extent also within Django itself). This comes in two parts:

    1. A new utility function, django.utils.http.is_safe_url, is added; this function takes a URL and a hostname, and checks that the URL is either relative, or if absolute matches the supplied hostname. This function is intended for use whenever user-supplied redirect targets are accepted, to ensure that such redirects cannot lead to arbitrary third-party sites.
    2. All of Django's own built-in views -- primarily in the authentication system -- which allow user-supplied redirect targets now use is_safe_url to validate the supplied URL.
https://www.djangoproject.com/weblog/2012/dec/10/security/ 2012-12-10 2013-01-06
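A checker that applies the three Host header rules listed in the Django entry above (hostname characters, IPv4/IPv6 literals, numeric port), written here as an added example and not taken from Django's own code. The bracket syntax for IPv6 literals with a port, the `SuspiciousOperation` stand-in class and the function names are assumptions.

```python
import re
import ipaddress

# Hostname rule from the advisory: only [A-Za-z0-9] plus '-' or '.'.
# fullmatch() is used below so a trailing newline cannot slip past a '$' anchor.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")
# Port rule: numeric only (ASCII digits; str.isdigit() would also accept
# Unicode digits, so a regex is used instead).
_PORT_RE = re.compile(r"[0-9]+")


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (assumption)."""


def split_host_port(host_header):
    """Split a Host header into (host, port_or_None).

    Accepted shapes (assumed): 'host', 'host:port', '[v6]', '[v6]:port'.
    Anything malformed is returned unchanged as the host so that the
    character rule rejects it later.
    """
    if host_header.startswith("["):
        end = host_header.find("]")
        if end == -1:                      # unterminated bracket
            return host_header, None
        host, rest = host_header[1:end], host_header[end + 1:]
        if rest == "":
            return host, None
        if rest.startswith(":"):
            return host, rest[1:]
        return host_header, None           # junk after ']'
    if host_header.count(":") == 1:        # 'host:port'
        host, port = host_header.split(":")
        return host, port
    # No colon, or several colons (an unbracketed IPv6 literal): no port.
    return host_header, None


def is_valid_host(host_header):
    """True if the header satisfies the advisory's three rules."""
    host, port = split_host_port(host_header)
    if port is not None and not _PORT_RE.fullmatch(port):
        return False
    if host == "":
        return False
    try:                                   # rule 2: IPv4 or IPv6 literal
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(host) is not None   # rule 1: hostname


def validate_host(host_header):
    """Raise SuspiciousOperation on any deviation, as the advisory describes."""
    if not is_valid_host(host_header):
        raise SuspiciousOperation("Invalid HTTP_HOST header: %r" % host_header)
    return host_header


if __name__ == "__main__":
    for h in ("example.com:8000", "[2001:db8::1]:443", "evil.com/x"):
        print(h, "->", is_valid_host(h))
```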
freetype -- Multiple vulnerabilities freetype2 2.4.11

The FreeType Project reports:

Some vulnerabilities in the BDF implementation have been fixed. Users of this font format should upgrade.

http://sourceforge.net/projects/freetype/files/freetype2/2.4.11/README/view 2012-12-20 2013-01-05
moinmoin -- Multiple vulnerabilities moinmoin 1.9.6

MoinMoin developers report the following vulnerabilities as fixed in version 1.9.6:

  • remote code execution vulnerability in twikidraw/anywikidraw action,
  • path traversal vulnerability in AttachFile action,
  • XSS issue, escape page name in rss link.

CVE entries at MITRE further clarify:

Multiple unrestricted file upload vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory, as exploited in the wild in July 2012.

Directory traversal vulnerability in the _do_attachment_move function in the AttachFile action (action/AttachFile.py) in MoinMoin 1.9.3 through 1.9.5 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a file name.

Cross-site scripting (XSS) vulnerability in the rsslink function in theme/__init__.py in MoinMoin 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the page name in a rss link.

CVE-2012-6081 CVE-2012-6080 CVE-2012-6082 http://hg.moinmo.in/moin/1.9/raw-file/1.9.6/docs/CHANGES http://www.debian.org/security/2012/dsa-2593 2012-12-29 2013-01-05 2013-01-06
asterisk -- multiple vulnerabilities asterisk11 11.*11.1.2 asterisk10 10.*10.11.1 asterisk18 1.8.*1.8.19.1

Asterisk project reports:

Crashes due to large stack allocations when using TCP

Denial of Service Through Exploitation of Device State Caching

CVE-2012-5976 CVE-2012-5977 http://downloads.digium.com/pub/security/AST-2012-014.html http://downloads.digium.com/pub/security/AST-2012-015.html https://www.asterisk.org/security 2013-01-02 2013-01-03
ircd-ratbox and charybdis -- remote DoS vulnerability ircd-ratbox 2.*3.0.8 charybdis 3.4.2

atheme.org reports:

All versions of Charybdis are vulnerable to a remotely-triggered crash bug caused by code originating from ircd-ratbox 2.0. (Incidentally, this means all versions since ircd-ratbox 2.0 are also vulnerable.)

http://www.ratbox.org/ASA-2012-12-31.txt 2012-12-31 2013-01-02