Release Date : 2011-03-22
Criticality level : Highly critical
Impact : DoS, System access
Where : From remote
Solution Status : Unpatched
Software: RealPlayer 14.x
Description:
Luigi Auriemma has discovered a vulnerability in RealPlayer, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by an error in rvrender.dll when processing Internet Video Recording (IVR) files and can be exploited to cause a heap-based buffer overflow via a specially crafted file.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 14.0.2.633. Other versions may also be affected.
Solution:
Do not open IVR files from untrusted sources. Disable the browser plugin.
Provided and/or discovered by:
Luigi Auriemma
Original Advisory:
http://aluigi.altervista.org/adv/real_5-adv.txt
http://secunia.com/advisories/43847/
Reply 1 : VULNERABILITIES / FIXES - March 22, 2100
Release Date : 2011-03-22
Criticality level : Highly critical
Impact : Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Where : From remote
Solution Status : Vendor Patch
Operating System: Apple Macintosh OS X
Description:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
1) A divide-by-zero error in AirPort when handling Wi-Fi frames can be exploited to cause a system reset.
2) Multiple vulnerabilities in Apache can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service).
3) A format string error within AppleScript Studio when handling certain commands via dialogs can be exploited to potentially execute arbitrary code.
4) An unspecified error in the handling of embedded OpenType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded.
5) Multiple unspecified errors in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded.
6) Multiple unspecified errors in the handling of embedded Type 1 fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded.
7) Multiple unspecified errors in the handling of SFNT tables in embedded fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded.
8) An integer overflow error in bzip2 can be exploited to terminate an application using the library or execute arbitrary code via a specially crafted archive.
9) An error within the "FSFindFolder()" API in CarbonCore when used with the "kTemporaryFolderType" flag can be exploited to disclose the contents of arbitrary directories.
10) Multiple errors in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
11) An unspecified error in the handling of embedded fonts in CoreText can be exploited to corrupt memory when a specially crafted document is viewed or downloaded.
12) An integer overflow error within the handling of the F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be exploited to read arbitrary files.
13) An error in ImageIO within the handling of JPEG files can be exploited to cause a heap-based buffer overflow.
14) An integer overflow error in ImageIO within the handling of XBM files can be exploited to potentially execute arbitrary code.
15) An error in libTIFF within the handling of JPEG encoded TIFF files can be exploited to cause a buffer overflow.
16) An error in libTIFF within the handling of CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow.
17) An integer overflow error in ImageIO within the handling of JPEG encoded TIFF files can be exploited to potentially execute arbitrary code.
18) Multiple errors in Image RAW when handling Canon RAW image files can be exploited to cause buffer overflows.
19) An error in the Install Helper when handling URLs can be exploited to install an arbitrary agent by tricking the user into visiting a malicious website.
20) Multiple errors in Kerberos can be exploited by malicious users and malicious people to conduct spoofing attacks and bypass certain security features.
21) An error within the "i386_set_ldt()" system call can be exploited by malicious, local users to execute arbitrary code with system privileges.
22) An integer truncation error within Libinfo when handling NFS RPC packets can be exploited to cause NFS RPC services to become unresponsive.
23) An error exists in the libxml library when traversing XPath expressions.
24) A double free error exists in the libxml library when handling XPath expressions.
25) Two errors in Mailman can be exploited by malicious users to conduct script insertion attacks.
26) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
27) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions.
28) An error in the OfficeImport framework when processing records containing formulas shared between multiple cells can be exploited to corrupt memory and potentially execute arbitrary code.
29) An error in QuickLook when handling certain Microsoft Office files can be exploited to corrupt memory when a specially crafted document is downloaded.
30) Multiple unspecified errors in QuickTime when handling JPEG2000, FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to corrupt memory via specially crafted files.
31) An integer overflow error in QuickTime when handling certain movie files can be exploited to potentially execute arbitrary code when a specially crafted file is viewed.
32) An error within QuickTime plug-in when handling cross-site redirects can be exploited to disclose video data.
33) An integer truncation error within the Ruby BigDecimal class can be exploited to potentially execute arbitrary code.
This vulnerability only affects 64-bit Ruby processes.
34) A boundary error in Samba can be exploited by malicious people to potentially compromise a vulnerable system.
35) A security issue in Subversion can be exploited by malicious people to bypass certain security restrictions.
36) A weakness in Terminal: SSH protocol version 1 is used as the default when connecting via ssh from the "New Remote Connection" dialog.
37) Some vulnerabilities in FreeType can be exploited to cause a DoS (Denial of Service) or potentially compromise an application using the library.
Solution:
Update to version 10.6.7 or apply Security Update 2011-001.
Provided and/or discovered by:
15, 16, 33) Reported by the vendor.
The vendor credits:
3) Alexander Strange.
5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis Ormandy and Will Drewry of Google Security Team.
6) Felix Grobert, Google Security Team and geekable via ZDI.
7) Marc Schoenefeld, Red Hat Security Response Team.
11) Christoph Diehl, Mozilla.
12) Dan Rosenberg, Virtual Security Research.
13) Andrzej Dyjak via iDefense.
14) Harry Sintonen.
17) Dominic Chell, NGS Secure.
18) Paul Harrington, NGS Secure.
19) Aaron Sigel, vtty.com.
21) Jeff Mears.
22) Peter Schwenk, University of Delaware.
28) Tobias Klein via iDefense.
29) Charlie Miller and Dion Blazakis via ZDI.
30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability Discovery Team.
31) Honggang Ren, Fortinet's FortiGuard Labs.
32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
36) Matt Warren, HNW Inc.
Original Advisory:
Apple:
http://support.apple.com/kb/HT4581
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
http://secunia.com/advisories/43814/
Reply 2 : VULNERABILITIES / FIXES - March 22, 2100
Symantec LiveUpdate Administrator Cross-Site Request Forgery Vulnerability
Release Date : 2011-03-22
Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch
Software: Symantec LiveUpdate Administrator 2.x
Description:
A vulnerability has been reported in Symantec LiveUpdate Administrator, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The management interface of the application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. execute arbitrary commands by tricking an administrator into visiting a malicious web site while logged in to the application.
The vulnerability is reported in versions 2.2.2.9 and prior.
Solution:
Update to version 2.3.
Provided and/or discovered by:
The vendor credits Nikolas Sotiriu, nikolas sotiriu - it services.
Original Advisory:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110321_00
http://secunia.com/advisories/43820/
Reply 3 : VULNERABILITIES / FIXES - March 22, 2100
Release Date : 2011-03-22
Criticality level : Moderately critical
Impact : DoS
Where : From local network
Solution Status : Vendor Workaround
Software: OpenSLP 1.x
Description:
A vulnerability has been reported in OpenSLP, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused by an error within the parsing of SLP extensions, which can be exploited to trigger an infinite loop by sending specially crafted SLP packets.
The vulnerability is reported in version 1.2.1. Other versions may also be affected.
Solution:
Fixed in the SVN repository for version 2.x.
Provided and/or discovered by:
US-CERT credits Nicolas Gregoire, Agarri.
Original Advisory:
OpenSLP:
http://openslp.svn.sourceforge.net/viewvc/openslp?view=revision&revision=1647
US-CERT VU#393783:
http://www.kb.cert.org/vuls/id/393783
http://secunia.com/advisories/43742/
Reply 4 : VULNERABILITIES / FIXES - March 22, 2100
Release Date : 2011-03-22
Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch
Software: Quagga 0.x
Description:
Two vulnerabilities have been reported in Quagga, which can be exploited by malicious people to cause a DoS (Denial of Service).
1) A NULL-pointer dereference error when parsing certain extended community attributes can be exploited to crash the "bgpd" daemon via specially crafted extended community attributes.
Note: Successful exploitation may require that the attacker be a directly configured peer.
2) An error within the AS path limit/TTL functionality when parsing certain AS_PATHLIMIT attributes can be exploited to reset BGP sessions by sending specially crafted AS_PATHLIMIT attributes.
The vulnerabilities are reported in versions prior to 0.99.18.
Solution:
Update to version 0.99.18.
Provided and/or discovered by:
Reported by the vendor.
Original Advisory:
Quagga:
http://www.quagga.net/news2.php?y=2011&m=3&d=21#id1300723200
DSA-2197-1:
http://lists.debian.org/debian-security-announce/2011/msg00065.html
http://secunia.com/advisories/43770/
Reply 5 : VULNERABILITIES / FIXES - March 22, 2100
Release Date : 2011-03-22
Criticality level : Highly critical
Impact : DoS, System access
Where : From remote
Solution Status : Vendor Patch
Software: Xpdf 3.x
Description:
A vulnerability has been reported in Xpdf, which can be exploited by malicious people to cause a DoS and potentially compromise a user's system.
The vulnerability is caused by the Xpdf binaries for Linux being linked against a vulnerable version of t1lib.
The vulnerability is reported in the Xpdf binaries for Linux prior to version 3.02pl6.
Solution:
Update to version 3.02pl6 of the Linux binaries.
Provided and/or discovered by:
US-CERT credits Jonathan Brossard.
Original Advisory:
Xpdf:
http://www.foolabs.com/xpdf/download.html
US-CERT VU#376500:
http://www.kb.cert.org/vuls/id/376500
http://secunia.com/advisories/43823/
Reply 6 : VULNERABILITIES / FIXES - March 22, 2100
Release Date : 2011-03-22
Criticality level : Highly critical
Impact : Manipulation of data, Exposure of sensitive information, DoS, System access
Where : From remote
Solution Status : Vendor Patch
Operating System: SUSE Linux Enterprise Server (SLES) 10, SUSE Linux Enterprise Server (SLES) 11
Description:
SUSE has issued an update for java-1_6_0-ibm. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to disclose potentially sensitive information and by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.
Solution:
Apply updated packages via the zypper package manager.
Original Advisory:
SUSE-SU-2011:0206-1:
https://hermes.opensuse.org/messages/7707692
http://secunia.com/advisories/43813/
Reply 7 : VULNERABILITIES / FIXES - March 22, 2100
Release Date : 2011-03-22
Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch
Operating System: Fedora 13, Fedora 14
Description:
Fedora has issued an update for mailman. This fixes some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks.
Solution:
Apply updated packages via the yum utility ("yum update mailman").
Original Advisory:
FEDORA-2011-2102:
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056387.html
FEDORA-2011-2125:
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056363.html
http://secunia.com/advisories/43829/
Reply 8 : VULNERABILITIES / FIXES - March 22, 2100
Release Date : 2011-03-22
Criticality level : Highly critical
Impact : DoS, System access
Where : From remote
Solution Status : Vendor Patch
Operating System: Red Hat Desktop 4.x, Red Hat Enterprise Linux 5 (Server), Red Hat Enterprise Linux AS 4, Red Hat Enterprise Linux Desktop 5, Red Hat Enterprise Linux ES 4, Red Hat Enterprise Linux WS 4, RHEL Desktop Workstation 5
Description:
Red Hat has issued an update for wireshark. This fixes several vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
1) A boundary error within wiretap/pcapng.c when processing certain pcap-ng files can be exploited to cause a heap-based buffer overflow.
Solution:
Updated packages are available via Red Hat Network.
Original Advisory:
RHSA-2011:0370-1:
http://rhn.redhat.com/errata/RHSA-2011-0370.html
http://secunia.com/advisories/43821/
Reply 9 : VULNERABILITIES / FIXES - March 22, 2100
Release Date : 2011-03-22
Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch
Operating System: Debian GNU/Linux 5.0, Debian GNU/Linux 6.0
Description:
Debian has issued an update for quagga. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).
Solution:
Apply updated packages via the apt-get package manager.
Original Advisory:
DSA-2197-1:
http://www.debian.org/security/2011/dsa-2197
http://secunia.com/advisories/43499/
Reply 10 : VULNERABILITIES / FIXES - March 22, 2100
Release Date : 2011-03-22
Criticality level : Not critical
Impact : DoS
Where : Local system
Solution Status : Vendor Patch
Software: PaX
Description:
A vulnerability has been reported in PaX, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
The vulnerability is caused by an error within the heap/stack gap functionality, which can be exploited to trigger an infinite loop via certain mmap operations.
Solution:
Update to version 2.2.1-2.6.32.33.
Provided and/or discovered by:
Francisco Blas Izquierdo Riera
Original Advisory:
grsecurity:
http://grsecurity.net/changelog-stable.txt
Francisco Blas Izquierdo Riera:
http://www.openwall.com/lists/oss-security/2011/03/21/15
http://secunia.com/advisories/43791/
Reply 11 : VULNERABILITIES / FIXES - March 22, 2100
RealWin FlexWin Connection Packet Processing Buffer Overflow Vulnerabilities
Release Date : 2011-03-22
Criticality level : Moderately critical
Impact : System access
Where : From local network
Solution Status : Unpatched
Software: RealWin 2.x
Description:
Luigi Auriemma has discovered multiple vulnerabilities in RealWin, which can be exploited by malicious people to compromise a vulnerable system.
1) A boundary error when processing "On_FC_CONNECT_FCS_LOGIN" packets can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 910.
2) A boundary error when processing "On_FC_CTAGLIST_FCS_CADDTAG", "On_FC_CTAGLIST_FCS_ADDTAGMS", and "On_FC_BINFILE_FCS_OPENREADFILE" packets can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 910.
3) A boundary error when processing "On_FC_CTAGLIST_FCS_CDELTAG" packets can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 910.
4) A boundary error when processing "On_FC_RFUSER_FCS_LOGIN" packets can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 910.
5) A boundary error when processing "On_FC_BINFILE_FCS_DIRLIST" packets can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 910.
6) An input validation error when processing "On_FC_MISC_FCS_MSGBROADCAST" packets can be exploited to cause a heap-based buffer overflow via a specially crafted packet sent to TCP port 910.
7) An input validation error when processing "On_FC_MISC_FCS_MSGSEND" packets can be exploited to cause a heap-based buffer overflow via a specially crafted packet sent to TCP port 910.
8) A boundary error when processing "On_FC_CGETTAG_FCS_GETTELEMETRY" packets can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 910.
9) A boundary error when processing "On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY" packets can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 910.
10) A boundary error when processing "On_FC_CPUTTAG_FCS_SETTELEMETRY" packets can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 910.
11) A boundary error when processing "On_FC_CPUTTAG_FCS_SETCHANNELTELEMETRY" packets can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 910.
12) A boundary error when processing "On_FC_SCRIPT_FCS_STARTPROG" packets can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 910.
Successful exploitation of the vulnerabilities allows execution of arbitrary code.
The vulnerabilities are confirmed in version 2.1 Build 6.1.10.10. Other versions may also be affected.
Solution:
Restrict access to trusted hosts only (e.g. via network access control lists).
Provided and/or discovered by:
Luigi Auriemma
Original Advisory:
http://aluigi.altervista.org/adv/realwin_2-adv.txt
http://aluigi.altervista.org/adv/realwin_3-adv.txt
http://aluigi.altervista.org/adv/realwin_4-adv.txt
http://aluigi.altervista.org/adv/realwin_5-adv.txt
http://aluigi.altervista.org/adv/realwin_6-adv.txt
http://aluigi.altervista.org/adv/realwin_7-adv.txt
http://aluigi.altervista.org/adv/realwin_8-adv.txt
http://secunia.com/advisories/43848/
Reply 12 : VULNERABILITIES / FIXES - March 22, 2011
SUSE aaa_base Tab Expansion Filename Handling Privilege Escalation
Release Date : 2011-03-22
Criticality level : Less critical
Impact : Privilege escalation
Where : Local system
Solution Status : Vendor Patch
Operating System: openSUSE 11.3
Description:
SUSE has acknowledged a vulnerability in aaa_base, which can be exploited by malicious, local users to gain escalated privileges.
The vulnerability is caused due to an error within the handling of filenames containing meta characters when performing tab expansions, which can be exploited to e.g. trick another user into executing arbitrary commands via specially named files.
Solution:
Apply updated packages via the zypper package manager.
Provided and/or discovered by:
Reported by the vendor.
Original Advisory:
openSUSE-SU-2011:0207-1:
https://hermes.opensuse.org/messages/7712778
http://secunia.com/advisories/43825/
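The advisory does not say which part of the completion code is affected, so what follows is an added illustration in C of the defect class it describes, not code from aaa_base or openSUSE. It assumes a completion helper that builds an `ls` command line around a filename and hands it to `/bin/sh`; the helper names, the metacharacter list, and the sample filenames are all constructed for the example. The vulnerable builder is shown for contrast only and is never passed to `system()` here.

```c
/* Added example: a filename reaching the shell during tab expansion.
 * Hypothetical helper names; not code from aaa_base. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters a POSIX shell interprets when they appear unquoted in a word
 * (constructed list for this example). */
static const char SHELL_META[] = "|&;<>()$`\\\"' \t\n*?[#~";

/* 1 if name contains any character the shell would act on, else 0. */
int has_shell_meta(const char *name)
{
    return strpbrk(name, SHELL_META) != NULL;
}

/* Vulnerable pattern: the filename is spliced verbatim into a command line.
 * A file literally named  $(id)  or  ;rm -rf ~  then runs as a command the
 * moment the string reaches /bin/sh. Returns length or -1 if cmd is too small. */
int build_cmd_vulnerable(const char *name, char *cmd, size_t cap)
{
    int n = snprintf(cmd, cap, "ls -ld %s", name);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Single-quote a word for the shell: wrap it in '...' and turn each embedded
 * ' into '\'' (close, escaped quote, reopen). Inside single quotes the shell
 * performs no expansion at all. Returns bytes written or -1 if out is too small. */
int shell_quote(const char *name, char *out, size_t cap)
{
    size_t need = 2;                          /* opening and closing quote */
    for (const char *p = name; *p; p++)
        need += (*p == '\'') ? 4 : 1;         /* ' expands to 4 bytes */
    if (need + 1 > cap)                       /* +1 for the NUL */
        return -1;
    size_t o = 0;
    out[o++] = '\'';
    for (const char *p = name; *p; p++) {
        if (*p == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else            { out[o++] = *p; }
    }
    out[o++] = '\'';
    out[o] = '\0';
    return (int)o;
}

/* Same command line, but with the filename quoted so it is one literal word. */
int build_cmd_safe(const char *name, char *cmd, size_t cap)
{
    char q[512];
    if (shell_quote(name, q, sizeof q) < 0) return -1;
    int n = snprintf(cmd, cap, "ls -ld %s", q);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* The robust fix: no shell at all. The name travels as a single argv element,
 * and "--" stops ls from reading a name such as "-l" as an option. */
int ls_via_argv(const char *name)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("ls", "ls", "-ld", "--", name, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Convenience wrappers returning static buffers (NULL on error). */
const char *quoted(const char *name)
{
    static char buf[512];
    return shell_quote(name, buf, sizeof buf) < 0 ? NULL : buf;
}
const char *cmd_vuln(const char *name)
{
    static char buf[600];
    return build_cmd_vulnerable(name, buf, sizeof buf) < 0 ? NULL : buf;
}
const char *cmd_safe(const char *name)
{
    static char buf[600];
    return build_cmd_safe(name, buf, sizeof buf) < 0 ? NULL : buf;
}

int main(void)
{
    const char *names[] = { "report.txt", "$(id)", ";rm -rf ~", "it's" };  /* constructed */
    for (size_t i = 0; i < 4; i++)
        printf("%-12s meta=%d  vulnerable: %s   safe: %s\n", names[i],
               has_shell_meta(names[i]), cmd_vuln(names[i]), cmd_safe(names[i]));
    return 0;
}
```

`shell_quote()` is the minimum that makes string-building safe; `ls_via_argv()` is what a completion helper should do instead, since a filename passed as its own argv element is never parsed by a shell no matter what it contains.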
Reply 13 : VULNERABILITIES / FIXES - March 22, 2011
Release Date : 2011-03-22
Criticality level : Moderately critical
Impact : Privilege escalation
DoS
System access
Where : From remote
Solution Status : Unpatched
Operating System: Linux Kernel 2.6.x
Description:
Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges and by malicious people to cause a DoS and potentially compromise a vulnerable system.
The vulnerabilities are caused due to various errors within the implementation of the ROSE protocol and can be exploited to e.g. cause memory corruptions via specially crafted FAC_CCITT_DEST_NSAP or FAC_CCITT_SRC_NSAP fields.
Solution:
Restrict access to trusted users only. Do not use the ROSE protocol.
Provided and/or discovered by:
Dan Rosenberg and Ben Hutchings.
Original Advisory:
http://www.spinics.net/lists/netdev/msg158874.html
http://www.spinics.net/lists/netdev/msg158900.html
http://secunia.com/advisories/43846/
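The RealWin advisory in Reply 11 (twelve handlers behind TCP port 910 that copy packet fields into fixed-size stack or heap buffers) and the ROSE entry above (memory corruption via crafted FAC_CCITT_DEST_NSAP / FAC_CCITT_SRC_NSAP fields) describe the same defect class: a length taken from the packet drives a copy into a buffer whose size the packet does not control. The C program below is an added example, not code from RealWin, the Linux kernel, or either advisory; the wire format, the struct, the function names and the sample packets are hypothetical and constructed for the example. It shows the unchecked copy next to the two checks that close it off.

```c
/* Added example (not RealWin or Linux ROSE code): a length-prefixed field is
 * copied into a fixed-size buffer. Hypothetical wire format:
 *   byte 0    opcode
 *   byte 1    len            <- attacker-controlled, 0..255
 *   byte 2..  len bytes of field data
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_CAP 16                        /* fixed buffer, smaller than max len */

struct login_req {
    uint8_t opcode;
    char    user[FIELD_CAP];                /* NUL-terminated after parsing */
};

enum parse_rc { PARSE_OK = 0, PARSE_SHORT = -1, PARSE_TOO_LONG = -2, PARSE_TRUNC = -3 };

/* The defect class in both advisories: the copy length comes straight from the
 * packet. len may be 255 while user[] holds 16 bytes, so bytes 16..255 land
 * past the buffer (on the stack when out is a local, on the heap when it was
 * malloc'd); nothing checks that the packet even contains len bytes, so a
 * short packet also over-reads. Shown for contrast only; never feed it
 * untrusted input. */
void parse_login_vulnerable(const uint8_t *pkt, struct login_req *out)
{
    size_t len = pkt[1];
    out->opcode = pkt[0];
    memcpy(out->user, pkt + 2, len);        /* unchecked against sizeof out->user */
    out->user[len] = '\0';                  /* unchecked against the packet end   */
}

/* Hardened: the declared length is checked against the destination capacity
 * (leaving room for the NUL) and against the bytes actually received. */
int parse_login_safe(const uint8_t *pkt, size_t pkt_len, struct login_req *out)
{
    if (pkt_len < 2)
        return PARSE_SHORT;                 /* header incomplete */
    size_t len = pkt[1];
    if (len >= sizeof out->user)
        return PARSE_TOO_LONG;              /* would overflow user[] */
    if (len > pkt_len - 2)
        return PARSE_TRUNC;                 /* declared length runs past the packet */
    out->opcode = pkt[0];
    memcpy(out->user, pkt + 2, len);
    out->user[len] = '\0';
    return PARSE_OK;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t pkt_ok[]          = { 0x01, 5, 'a', 'd', 'm', 'i', 'n' };
const uint8_t pkt_trunc[]       = { 0x01, 10, 'a', 'b' };   /* claims 10, carries 2 */
const uint8_t pkt_short[]       = { 0x01 };                 /* no length byte */
uint8_t       pkt_too_long[202] = { 0x01, 200 };            /* 200 > FIELD_CAP; rest zero */

/* Parses pkt_ok with the hardened parser; 1 if the result is as expected. */
int self_check(void)
{
    struct login_req r;
    if (parse_login_safe(pkt_ok, sizeof pkt_ok, &r) != PARSE_OK) return 0;
    return r.opcode == 0x01 && strcmp(r.user, "admin") == 0;
}

int main(void)
{
    struct login_req r;
    parse_login_vulnerable(pkt_ok, &r);     /* benign input: works only by luck */
    printf("vulnerable parser, benign packet: opcode=%u user=%s\n",
           (unsigned)r.opcode, r.user);
    printf("safe parser: ok=%d too_long=%d trunc=%d short=%d\n",
           parse_login_safe(pkt_ok, sizeof pkt_ok, &r),
           parse_login_safe(pkt_too_long, sizeof pkt_too_long, &r),
           parse_login_safe(pkt_trunc, sizeof pkt_trunc, &r),
           parse_login_safe(pkt_short, sizeof pkt_short, &r));
    return 0;
}
```

The second check matters as much as the first: a parser that only bounds `len` by the buffer size still reads past the end of a short packet, and in a kernel protocol handler that over-read is itself exploitable. Until a vendor fix exists, the network ACL both advisories recommend is the only mitigation, since every one of the listed handlers is reachable before any authentication.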
Reply 14 : VULNERABILITIES / FIXES - March 22, 2011
Release Date : 2011-03-22
Criticality level : Less critical
Impact : Exposure of system information
Exposure of sensitive information
Where : From local network
Solution Status : Unpatched
Software: TIOD 1.x (iPhone/iPod touch)
Description:
A vulnerability has been discovered in TIOD, which can be exploited by malicious people to disclose potentially sensitive information.
Input passed to the "Ready 4 Others" FTP functionality of the application is not properly sanitised before being used to access files. This can be exploited to access files outside of the application root and e.g. download an iPhone address book via directory traversal attacks.
Note: The "Ready 4 Others" FTP functionality is not enabled by default and only accessible through WLAN.
The vulnerability is confirmed in version 1.3.3. Other versions may also be affected.
Solution:
Only use the "Ready 4 Others" FTP functionality within a trusted WLAN.
Provided and/or discovered by:
R3d@l3rt and H@ckk3y.
Original Advisory:
http://www.exploit-db.com/exploits/16271/
http://secunia.com/advisories/43789/
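An added example of the check the "Ready 4 Others" FTP handler is missing, written in C; it is not TIOD's code, and `APP_ROOT`, the function names and the sample client paths are assumptions made for the example. The resolver treats every client path as relative to the application root, collapses `.` and `..` lexically, and rejects any `..` that would step above the root instead of letting it reach the filesystem.

```c
/* Added example: root-relative path resolution for an FTP-style file server.
 * Not TIOD's code; APP_ROOT and the helper names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_PARTS 64
#define APP_ROOT "/var/app/root"            /* assumed application root */

/* Lexically joins client_path onto root. "." is dropped, ".." pops the
 * previous component, and a ".." with nothing left to pop means the client
 * tried to leave the root, which is rejected. A leading "/" and repeated
 * separators are ignored, so "/docs//x" and "docs/x" resolve alike.
 * Returns 0 on success, -1 if the path escapes the root, -2 if the result
 * does not fit in out. Nothing is written to out on failure. */
int resolve_under_root(const char *root, const char *client_path, char *out, size_t cap)
{
    const char *parts[MAX_PARTS];
    size_t lens[MAX_PARTS];
    size_t n = 0;
    const char *p = client_path;

    while (*p) {
        while (*p == '/') p++;              /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;                       /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0)
                return -1;                  /* ".." above the root: traversal */
            n--;
            continue;
        }
        if (n == MAX_PARTS)
            return -2;
        parts[n] = start;
        lens[n]  = len;
        n++;
    }

    size_t o = strlen(root);
    if (o + 1 > cap) return -2;
    memcpy(out, root, o);
    for (size_t i = 0; i < n; i++) {
        if (o + 1 + lens[i] + 1 > cap) return -2;
        out[o++] = '/';
        memcpy(out + o, parts[i], lens[i]);
        o += lens[i];
    }
    out[o] = '\0';
    return 0;
}

/* Convenience wrapper: resolved path in a static buffer, or NULL if rejected. */
const char *resolved(const char *client_path)
{
    static char buf[256];
    return resolve_under_root(APP_ROOT, client_path, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    /* Constructed client requests, including two traversal attempts. */
    const char *reqs[] = { "docs/readme.txt", "a/../b/./c", "/docs//x",
                           "../../etc/passwd", "a/b/../../.." };
    for (size_t i = 0; i < 5; i++) {
        const char *r = resolved(reqs[i]);
        printf("%-20s -> %s\n", reqs[i], r ? r : "REJECTED (escapes root)");
    }
    return 0;
}
```

This is a lexical check only: it cannot see a symlink inside the root that points outside it. After the path passes, open it and confirm the opened file is still under the root (for example with `realpath()` on the result, or on Linux `openat2()` with `RESOLVE_BENEATH`), and keep the feature off on untrusted WLANs as the advisory suggests.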