Information Security News mailing list archives
Secunia Weekly Summary - Issue: 2008-2
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 11 Jan 2008 02:39:52 -0600 (CST)
========================================================================
The Secunia Weekly Advisory Summary
2008-01-03 - 2008-01-10
This week: 79 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia:
95 out of every 100 computers that are connected to the Internet have
insecure software installed
Read the full blog:
http://secunia.com/blog/18/
Join the many Secunia PSI users:
https://psi.secunia.com/
========================================================================
2) This Week in Brief:
Microsoft has released their monthly security bulletins for January
2008.
1) A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious, local users to gain escalated privileges.
2) Some vulnerabilities have been reported in Microsoft Windows, which
can be exploited by malicious people to cause a DoS (Denial of Service)
or compromise a vulnerable system.
References:
http://secunia.com/SA28341
http://secunia.com/SA28297
--
Will Dormann has reported a vulnerability in AOL Radio, which can be
exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error in
AOLMediaPlaybackControl.exe and can be exploited to cause a stack-based
buffer overflow by e.g. using the "AppendFileToPlayList()" method of the
AmpX ActiveX control.
Successful exploitation allows execution of arbitrary code.
Reference:
http://secunia.com/SA28399
--
VIRUS ALERTS:
During the past week Secunia collected 247 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.
========================================================================
3) This Weeks Top Ten Most Read Advisories:
1. [SA28276] RealPlayer Unspecified Buffer Overflow Vulnerability
2. [SA28297] Microsoft Windows TCP/IP Implementation Vulnerabilities
3. [SA28295] Joomla PU Arcade Component "fid" SQL Injection
Vulnerability
4. [SA28306] milliscripts Redirection "cat" Cross-Site Scripting
Vulnerability
5. [SA28161] Adobe Flash Player Multiple Vulnerabilities
6. [SA28264] XOOPS "b_system_comments_show()" Security Bypass
7. [SA28285] CMS Made Simple "templateid" SQL Injection Vulnerability
8. [SA28317] Debian update for tomcat5.5
9. [SA28261] Hot or Not Clone Multiple Vulnerabilities
10. [SA28299] Fedora update for asterisk
========================================================================
4) Vulnerabilities Summary Listing
Windows:
[SA28399] AOL Radio AOLMediaPlaybackControl.exe Buffer Overflow
Vulnerability
[SA28379] Gateway CWebLaunchCtl ActiveX Control "DoWebLaunch()"
Vulnerabilities
[SA28411] IBM Lotus Domino Unspecified Denial of Service
[SA28337] PortalApp Multiple Vulnerabilities
[SA28408] McAfee E-Business Server Authentication Packet Handling
Vulnerability
[SA28396] Novell Client nicm.sys Privilege Escalation Vulnerability
[SA28366] Motorola netOctopus Agent nantsys.sys Privilege Escalation
[SA28351] Novell ZENworks Endpoint Security Management Privilege
Escalation
[SA28341] Microsoft Windows LSASS Privilege Escalation Vulnerability
UNIX/Linux:
[SA28412] SUSE Update for Multiple Packages
[SA28398] HP-UX update for Firefox
[SA28406] Gentoo update for R
[SA28403] Gentoo update for squid
[SA28400] Mandriva update for libexif
[SA28387] Avaya Products Perl Regular Expressions Unicode Data Buffer
Overflow
[SA28384] xine-lib SDP Attributes Buffer Overflow Vulnerability
[SA28381] Ubuntu update for squid
[SA28380] Ubuntu update for opal
[SA28377] Debian update for libarchive
[SA28374] Debian update for fail2ban
[SA28373] FlexBB "flexbb_temp_id" SQL Injection Vulnerability
[SA28353] Fedora update for python-cherrypy
[SA28350] Mandriva update for squid
[SA28347] Debian update for eggdrop
[SA28346] rPath update for libexif
[SA28345] rPath update for tetex
[SA28342] Debian update for wzdftpd
[SA28334] Debian update for maradns
[SA28333] Debian update for freetype
[SA28329] MaraDNS CNAME Record Resource Rotation Denial of Service
[SA28386] Ubuntu update for cups
[SA28338] Red Hat update for tog-pegasus
[SA28404] Debian update for dovecot
[SA28388] Gentoo update for unp
[SA28385] Ubuntu update for pwlib
[SA28375] IBM WebSphere Application Server for z/OS HTTP Server
Vulnerability
[SA28361] Debian update for tomcat5
[SA28360] Red Hat update for e2fsprogs
[SA28352] Fedora update for mantis
[SA28413] Ubuntu update for Net-SNMP
[SA28401] Gentoo update for openafs
[SA28376] Mandriva update for postgresql
[SA28344] rPath update for cups
[SA28343] Debian update for mysql-dfsg-5.0
[SA28327] OpenAFS File Server Denial of Service Vulnerability
[SA28402] Gentoo update for claws-mail
[SA28405] Xen DR7 and CR4 Register Handling Denial of Service
Vulnerabilities
[SA28349] Debian update for loop-aes-utils
[SA28348] Debian update for util-linux
[SA28339] Ubuntu update for tomboy
Other:
[SA28394] Ingate Firewall and SIParator Port Exhaustion Denial of
Service
[SA28357] Aruba Mobility Controller LDAP User Authentication Security
Bypass
[SA28364] Linksys WRT54GL Cross-Site Request Forgery
Cross Platform:
[SA28421] Kolab Server ClamAV Multiple Vulnerabilities
[SA28420] osDate "php121dir" File Inclusion Vulnerability
[SA28383] VLC Media Player SDP Processing Buffer Overflow
Vulnerability
[SA28368] VMware ESX Server Multiple Security Updates
[SA28365] VMware ESX Server and VirtualCenter Multiple Security
Updates
[SA28363] HP-UX update for Thunderbird
[SA28355] SAM Broadcaster samPHPweb "commonpath" File Inclusion
Vulnerability
[SA28336] Loudblog "template" Code Execution Vulnerability
[SA28330] Strawberry "text" PHP Code Execution
[SA28328] NetRisk Multiple Vulnerabilities
[SA28414] R PCRE Multiple Vulnerabilities
[SA28393] DomPHP "mail" SQL Injection Vulnerability
[SA28382] Multiple Horde Products Security Bypass
[SA28378] Docebo "Accept-Language" SQL Injection Vulnerability
[SA28371] Eggblog "eggblogpassword" SQL Injection Vulnerability
[SA28370] vtiger CRM File Disclosure Vulnerability
[SA28362] Tribisur "id" and "cat" SQL Injection Vulnerabilities
[SA28354] CherryPy Session Id Directory Traversal Vulnerability
[SA28340] RunCms newbb_plus "Client-IP" SQL Injection
[SA28331] eTicket Multiple Vulnerabilities
[SA28409] MaxDB DBM Command Processing Command Execution Vulnerability
[SA28358] OpenPegasus PAM Module Buffer Overflow Vulnerabilities
[SA28369] NetRisk "page" Cross-Site Scripting Vulnerability
[SA28356] Sun Java System Identity Manager Unspecified Cross-Site
Scripting
[SA28335] PRO-Search Multiple Cross-Site Scripting Vulnerabilities
[SA28359] PostgreSQL Multiple Vulnerabilities
========================================================================
5) Vulnerabilities Content Listing
Windows:--
[SA28399] AOL Radio AOLMediaPlaybackControl.exe Buffer Overflow
Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2008-01-10
Will Dormann has reported a vulnerability in AOL Radio, which can be
exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/28399/
--
[SA28379] Gateway CWebLaunchCtl ActiveX Control "DoWebLaunch()"
Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2008-01-09
Some vulnerabilities have been discovered in Gateway CWebLaunchCtl
ActiveX control, which can be exploited by malicious people to
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28379/
--
[SA28411] IBM Lotus Domino Unspecified Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2008-01-10
A vulnerability has been reported in IBM Lotus Domino, which can be
exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/28411/
--
[SA28337] PortalApp Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of
data
Released: 2008-01-09
r3dm0v3 has reported some vulnerabilities in PortalApp, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks or bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/28337/
--
[SA28408] McAfee E-Business Server Authentication Packet Handling
Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access, DoS
Released: 2008-01-10
Leon Juranic has reported a vulnerability in McAfee E-Business Server,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28408/
--
[SA28396] Novell Client nicm.sys Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2008-01-10
A vulnerability has been reported in Novell Client, which can be
exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/28396/
--
[SA28366] Motorola netOctopus Agent nantsys.sys Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2008-01-08
A vulnerability has been reported in Motorola netOctopus, which can be
exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/28366/
--
[SA28351] Novell ZENworks Endpoint Security Management Privilege
Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2008-01-07
A vulnerability has been reported in Novell ZENworks Endpoint Security
Management, which can be exploited by malicious, local users to gain
escalated privileges.
Full Advisory:
http://secunia.com/advisories/28351/
--
[SA28341] Microsoft Windows LSASS Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2008-01-08
A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/28341/
UNIX/Linux:--
[SA28412] SUSE Update for Multiple Packages
Critical: Highly critical
Where: From remote
Impact: Unknown, Security Bypass, Manipulation of data, Exposure
of sensitive information, DoS, System access
Released: 2008-01-10
SUSE has issued an update for multiple packages. This fixes some
vulnerabilities, where one vulnerability has unknown impacts and others
can be exploited by malicious, local users to disclose and manipulate
sensitive information and cause a DoS (Denial of Service), by malicious
users to bypass certain security restrictions, and by malicious people
to cause a DoS and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28412/
--
[SA28398] HP-UX update for Firefox
Critical: Highly critical
Where: From remote
Impact: Spoofing, Manipulation of data, Exposure of sensitive
information, System access
Released: 2008-01-09
HP has issued an update for Firefox. This fixes some vulnerabilities,
which can be exploited by malicious people to disclose sensitive
information, conduct phishing and cross-site scripting attacks,
manipulate certain data, and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/28398/
--
[SA28406] Gentoo update for R
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, DoS, System access
Released: 2008-01-10
Gentoo has issued an update for R. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service), disclose sensitive information, or potentially compromise an
application using the library.
Full Advisory:
http://secunia.com/advisories/28406/
--
[SA28403] Gentoo update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2008-01-10
Gentoo has issued an update for squid. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/28403/
--
[SA28400] Mandriva update for libexif
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2008-01-10
Mandriva has issued an update for libexif. This fixes two
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) or to compromise an application using the
library.
Full Advisory:
http://secunia.com/advisories/28400/
--
[SA28387] Avaya Products Perl Regular Expressions Unicode Data Buffer
Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2008-01-09
Avaya has acknowledged a vulnerability in various Avaya products, which
potentially can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/28387/
--
[SA28384] xine-lib SDP Attributes Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2008-01-09
Luigi Auriemma has discovered a vulnerability in xine-lib, which
potentially can be exploited by malicious people to compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/28384/
--
[SA28381] Ubuntu update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2008-01-10
Ubuntu has issued an update for squid. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/28381/
--
[SA28380] Ubuntu update for opal
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2008-01-09
Ubuntu has issued an update for opal. This fixes a vulnerability, which
can potentially be exploited by malicious people to compromise an
application using the library.
Full Advisory:
http://secunia.com/advisories/28380/
--
[SA28377] Debian update for libarchive
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2008-01-09
Debian has issued an update for libarchive. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) or potentially compromise an application using
the library.
Full Advisory:
http://secunia.com/advisories/28377/
--
[SA28374] Debian update for fail2ban
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2008-01-10
Debian has issued an update for fail2ban. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/28374/
--
[SA28373] FlexBB "flexbb_temp_id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2008-01-08
Eugene Minaev has discovered a vulnerability in FlexBB, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/28373/
--
[SA28353] Fedora update for python-cherrypy
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2008-01-07
Fedora has issued an update for python-cherrypy. This fixes a
vulnerability, which can be exploited by malicious people to bypass
certain security restrictions.
Full Advisory:
http://secunia.com/advisories/28353/
--
[SA28350] Mandriva update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2008-01-07
Mandriva has issued an update for squid. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/28350/
--
[SA28347] Debian update for eggdrop
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2008-01-07
Debian has issued an update for eggdrop. This fixes a vulnerability,
which can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/28347/
--
[SA28346] rPath update for libexif
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2008-01-07
rPath has issued an update for libexif. This fixes two vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or to compromise an application using the library.
Full Advisory:
http://secunia.com/advisories/28346/
--
[SA28345] rPath update for tetex
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2008-01-07
rPath has issued an update for tetex, tetex-afm, tetex-dvips,
tetex-fonts, tetex-latex, and tetex-xdvi. This fixes a vulnerability,
which can be exploited by malicious people to compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/28345/
--
[SA28342] Debian update for wzdftpd
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2008-01-07
Debian has issued an update for wzdftpd. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or potentially to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28342/
--
[SA28334] Debian update for maradns
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2008-01-04
Debian has issued an update for maradns. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/28334/
--
[SA28333] Debian update for freetype
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2008-01-08
Debian has issued an update for freetype. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise an application using the library.
Full Advisory:
http://secunia.com/advisories/28333/
--
[SA28329] MaraDNS CNAME Record Resource Rotation Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2008-01-04
A vulnerability has been reported in MaraDNS, which can be exploited by
malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/28329/
--
[SA28386] Ubuntu update for cups
Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, DoS
Released: 2008-01-09
Ubuntu has issued an update for cups. This fixes a vulnerability which
can be exploited by malicious people to cause a DoS (Denial of Service)
or potentially compromise a vulnerable system, and a security issue
which can be exploited by malicious, local users to perform certain
actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/28386/
--
[SA28338] Red Hat update for tog-pegasus
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2008-01-08
Red Hat has issued an update for tog-pegasus. This fixes a
vulnerability, which can potentially be exploited by malicious people
to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28338/
--
[SA28404] Debian update for dovecot
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2008-01-10
Debian has issued an update for dovecot. This fixes a security issue,
which can be exploited by malicious users to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/28404/
--
[SA28388] Gentoo update for unp
Critical: Less critical
Where: From remote
Impact: System access
Released: 2008-01-09
Gentoo has issued an update for unp. This fixes a vulnerability, which
potentially can be exploited by malicious people to compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/28388/
--
[SA28385] Ubuntu update for pwlib
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2008-01-09
Ubuntu has issued an update for pwlib. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/28385/
--
[SA28375] IBM WebSphere Application Server for z/OS HTTP Server
Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2008-01-09
IBM has acknowledged a vulnerability in IBM Websphere Application
Server for z/OS, which can be exploited by malicious people to conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/28375/
--
[SA28361] Debian update for tomcat5
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2008-01-08
Debian has issued an update for tomcat5. This fixes some
vulnerabilities, which can be exploited by malicious people and
malicious users to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/28361/
--
[SA28360] Red Hat update for e2fsprogs
Critical: Less critical
Where: From remote
Impact: DoS, System access
Released: 2008-01-08
Red Hat has issued an update for e2fsprogs. This fixes some
vulnerabilities, which potentially can be exploited by malicious people
to compromise an application using the library.
Full Advisory:
http://secunia.com/advisories/28360/
--
[SA28352] Fedora update for mantis
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2008-01-07
Fedora has issued an update for mantis. This fixes a vulnerability,
which can be exploited by malicious users to conduct script insertion
attacks.
Full Advisory:
http://secunia.com/advisories/28352/
--
[SA28413] Ubuntu update for Net-SNMP
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2008-01-10
Ubuntu has issued an update for Net-SNMP. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/28413/
--
[SA28401] Gentoo update for openafs
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2008-01-10
Gentoo has issued an update for openafs. This fixes a vulnerability,
which can be exploited by malicious users to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/28401/
--
[SA28376] Mandriva update for postgresql
Critical: Less critical
Where: From local network
Impact: Privilege escalation, DoS
Released: 2008-01-10
Mandriva has issued an update for postgresql. This fixes some
vulnerabilities, which can be exploited by malicious users to gain
escalated privileges or to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/28376/
--
[SA28344] rPath update for cups
Critical: Less critical
Where: From local network
Impact: DoS, System access
Released: 2008-01-07
rPath has issued an update for cups. This fixes a vulnerability, which
can be exploited by malicious users to cause a DoS (Denial of Service)
or to potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28344/
--
[SA28343] Debian update for mysql-dfsg-5.0
Critical: Less critical
Where: From local network
Impact: Security Bypass, Manipulation of data, DoS
Released: 2008-01-07
Debian has issued an update for mysql-dfsg-5.0. This fixes some
security issues and a vulnerability, which can be exploited by
malicious users to bypass certain security restrictions, manipulate
data, and cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/28343/
--
[SA28327] OpenAFS File Server Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2008-01-04
A vulnerability has been reported in OpenAFS, which can be exploited by
malicious users to cause a DoS (Denial od Service).
Full Advisory:
http://secunia.com/advisories/28327/
--
[SA28402] Gentoo update for claws-mail
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2008-01-10
Gentoo has issued an update for claws-mail. This fixes a security
issue, which can be exploited by malicious, local users to perform
certain actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/28402/
--
[SA28405] Xen DR7 and CR4 Register Handling Denial of Service
Vulnerabilities
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2008-01-10
Some vulnerabilities have been reported in Xen, which can be exploited
by malicious, local users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/28405/
--
[SA28349] Debian update for loop-aes-utils
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2008-01-07
Debian has issued an update for loop-aes-utils. This fixes a
vulnerability, which can be exploited by malicious, local users to
perform certain actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/28349/
--
[SA28348] Debian update for util-linux
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2008-01-07
Debian has issued an update for util-linux. This fixes a vulnerability,
which can be exploited by malicious, local users to perform certain
actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/28348/
--
[SA28339] Ubuntu update for tomboy
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2008-01-08
Ubuntu has issued an update for tomboy. This fixes a security issue,
which can be exploited by malicious, local users to gain escalated
privileges.
Full Advisory:
http://secunia.com/advisories/28339/
Other:--
[SA28394] Ingate Firewall and SIParator Port Exhaustion Denial of
Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2008-01-10
Ingate has acknowledged a vulnerability in Ingate Firewall and
SIParator, which can be exploited by malicious people to cause a DoS
(Denial of Service).
Full Advisory:
http://secunia.com/advisories/28394/
--
[SA28357] Aruba Mobility Controller LDAP User Authentication Security
Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2008-01-07
A security issue has been reported in Aruba Mobility Controller, which
can be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/28357/
--
[SA28364] Linksys WRT54GL Cross-Site Request Forgery
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2008-01-09
Tomaz Bratusa has reported a vulnerability in Linksys WRT54GL, which
can be exploited by malicious people to conduct cross-site request
forgery attacks.
Full Advisory:
http://secunia.com/advisories/28364/
Cross Platform:--
[SA28421] Kolab Server ClamAV Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Unknown, DoS, System access
Released: 2008-01-10
Some vulnerabilities have been reported in Kolab Server, where one
vulnerability has an unknown impact and others can be exploited by
malicious people to cause a DoS (Denial of Service) or compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/28421/
--
[SA28420] osDate "php121dir" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive
information, System access
Released: 2008-01-10
Cold z3ro has discovered a vulnerability in osDate, which can be
exploited by malicious people to disclose sensitive information or to
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28420/
--
[SA28383] VLC Media Player SDP Processing Buffer Overflow
Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2008-01-10
Luigi Auriemma has reported a vulnerability in VLC Media Player, which
can potentially be exploited by malicious people to compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/28383/
--
[SA28368] VMware ESX Server Multiple Security Updates
Critical: Highly critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2008-01-08
VMware has issued an update for VMware ESX Server. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
perform actions with escalated privileges and by malicious people to
cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28368/
--
[SA28365] VMware ESX Server and VirtualCenter Multiple Security
Updates
Critical: Highly critical
Where: From remote
Impact: Security Bypass, DoS, System access
Released: 2008-01-08
VMware has issued updates for VMware ESX Server and VirtualCenter.
These fix some vulnerabilities, which can be exploited by malicious
people to bypass certain security restrictions, to cause a DoS (Denial
of Service) or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28365/
--
[SA28363] HP-UX update for Thunderbird
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2008-01-09
HP has issued an update for Thunderbird. This fixes some
vulnerabilities, which potentially can be exploited by malicious people
to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/28363/
--
[SA28355] SAM Broadcaster samPHPweb "commonpath" File Inclusion
Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2008-01-07
Crackers_Child has discovered a vulnerability in the samPHPweb template
included in SAM Broadcaster, which can be exploited by malicious people
to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28355/
--
[SA28336] Loudblog "template" Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2008-01-07
Eugene Minaev has discovered a vulnerability in Loudblog, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28336/
--
[SA28330] Strawberry "text" PHP Code Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2008-01-07
Eugene Minaev has discovered a vulnerability in Strawberry, which can
be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28330/
--
[SA28328] NetRisk Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2008-01-07
hadihadi and S.W.A.T. have discovered some vulnerabilities in NetRisk,
which can be exploited by malicious people to conduct SQL injection
attacks and to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28328/
--
[SA28414] R PCRE Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, DoS, System access
Released: 2008-01-10
Some vulnerabilities have been reported in R, which can be exploited by
malicious people to cause a DoS (Denial of Service), disclose sensitive
information, or potentially compromise an application using the
library.
Full Advisory:
http://secunia.com/advisories/28414/
--
[SA28393] DomPHP "mail" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2008-01-10
j0j0 has discovered a vulnerability in DomPHP, which can be exploited
by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/28393/
--
[SA28382] Multiple Horde Products Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2008-01-10
Some vulnerabilities have been reported in various Horde products,
which can be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/28382/
--
[SA28378] Docebo "Accept-Language" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2008-01-10
EgiX has discovered a vulnerability in Docebo, which can be exploited
by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/28378/
--
[SA28371] Eggblog "eggblogpassword" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2008-01-09
gemaglabin and Elekt have discovered a vulnerability in eggblog, which
can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/28371/
--
[SA28370] vtiger CRM File Disclosure Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2008-01-10
A vulnerability has been reported in vtiger CRM, which can be exploited
by malicious people to disclose potentially sensitive information.
Full Advisory:
http://secunia.com/advisories/28370/
--
[SA28362] Tribisur "id" and "cat" SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2008-01-07
x0kster has discovered some vulnerabilities in Tribisur, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/28362/
--
[SA28354] CherryPy Session Id Directory Traversal Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2008-01-07
A vulnerability has been reported in CherryPy, which can be exploited
by malicious people to bypass certain security settings.
Full Advisory:
http://secunia.com/advisories/28354/
--
[SA28340] RunCms newbb_plus "Client-IP" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2008-01-09
gemaglabin and Elekt have discovered a vulnerability in RunCms, which
can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/28340/
--
[SA28331] eTicket Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2008-01-04
Some vulnerabilities have been discovered in eTicket, which can be
exploited by malicious people to conduct script insertion, cross-site
scripting, and SQL injection attacks, and by malicious users to conduct
SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/28331/
--
[SA28409] MaxDB DBM Command Processing Command Execution Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2008-01-10
Luigi Auriemma has discovered a vulnerability in MaxDB, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/28409/
--
[SA28358] OpenPegasus PAM Module Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2008-01-08
Some vulnerabilities have been reported in OpenPegasus, which can
potentially be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/28358/
--
[SA28369] NetRisk "page" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2008-01-07
hadihadi has discovered a vulnerability in NetRisk, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/28369/
--
[SA28356] Sun Java System Identity Manager Unspecified Cross-Site
Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2008-01-10
Some vulnerabilities have been reported in Sun Java System Identity
Manager, which can be exploited by malicious people to conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/28356/
--
[SA28335] PRO-Search Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2008-01-04
MustLive has reported some vulnerabilities in PRO-Search, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/28335/
--
[SA28359] PostgreSQL Multiple Vulnerabilities
Critical: Less critical
Where: From local network
Impact: Privilege escalation, DoS
Released: 2008-01-07
Some vulnerabilities have been reported in PostgreSQL, which can be
exploited by malicious users to gain escalated privileges or to cause a
DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/28359/
========================================================================
Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Subscribe:
http://secunia.com/secunia_weekly_summary/
Contact details:
Web : http://secunia.com/
E-mail : support () secunia com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45
__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/
Current thread:
- Secunia Weekly Summary - Issue: 2008-2 InfoSec News (Jan 11)