VARIoT IoT vulnerabilities database

Directory traversal vulnerability in src/http/modules/ngx_http_dav_module.c in nginx (aka Engine X) before 0.7.63, and 0.8.x before 0.8.17, allows remote authenticated users to create or overwrite arbitrary files via a .. (dot dot) in the Destination HTTP header for the WebDAV (1) COPY or (2) MOVE method. nginx of src/http/modules/ngx_http_dav_module.c Contains a directory traversal vulnerability.By a remotely authenticated user WebDAV (1) COPY Or (2) MOVE To the method .. The 'nginx' program is prone to multiple directory-traversal vulnerabilities because the software fails to sufficiently sanitize user-supplied input. An attacker can exploit these issues using directory-traversal strings ('../') to overwrite arbitrary files outside the root directory. These issues affect nginx 0.7.61 and 0.7.62; other versions may also be affected. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: nginx WebDAV Directory Traversal Security Issue SECUNIA ADVISORY ID: SA36818 VERIFY ADVISORY: http://secunia.com/advisories/36818/ DESCRIPTION: A security issue has been discovered in nginx, which can be exploited by malicious people to bypass certain security restrictions. Successful exploitation requires that the server has been compiled with the http_dav_module and that the attacker is allowed to use the "MOVE" or "COPY" methods. The security issue is reported in version 0.7.61 and confirmed in version 0.7.62. SOLUTION: Restrict access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Kingcope ORIGINAL ADVISORY: http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0379.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201203-22 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: nginx: Multiple vulnerabilities Date: March 28, 2012 Bugs: #293785, #293786, #293788, #389319, #408367 ID: 201203-22 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in nginx, the worst of which may allow execution of arbitrary code. Background ========== nginx is a robust, small, and high performance HTTP and reverse proxy server. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-servers/nginx < 1.0.14 >= 1.0.14 Description =========== Multiple vulnerabilities have been found in nginx: * The TLS protocol does not properly handle session renegotiation requests (CVE-2009-3555). * The "ngx_http_process_request_headers()" function in ngx_http_parse.c could cause a NULL pointer dereference (CVE-2009-3896). * The "ngx_resolver_copy()" function in ngx_resolver.c contains a boundary error which could cause a heap-based buffer overflow (CVE-2011-4315). * nginx does not properly parse HTTP header responses which could expose sensitive information (CVE-2012-1180). Impact ====== A remote attacker could possibly execute arbitrary code with the privileges of the nginx process, cause a Denial of Service condition, create or overwrite arbitrary files, or obtain sensitive information. Workaround ========== There is no known workaround at this time. Resolution ========== All nginx users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/nginx-1.0.14" References ========== [ 1 ] CVE-2009-3555 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3555 [ 2 ] CVE-2009-3896 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3896 [ 3 ] CVE-2009-3898 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3898 [ 4 ] CVE-2011-4315 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4315 [ 5 ] CVE-2012-1180 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1180 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201203-22.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Gentoo update for nginx SECUNIA ADVISORY ID: SA48577 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48577/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48577 RELEASE DATE: 2012-03-28 DISCUSS ADVISORY: http://secunia.com/advisories/48577/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48577/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48577 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Gentoo has issued an update for nginx. For more information: SA36751 SA36818 SA37291 SA46798 SA48366 SOLUTION: Update to "www-servers/nginx-1.0.14" or later

Buffer overflow in Apple iTunes before 9.0.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted .pls file. Apple iTunes is prone to a buffer-overflow vulnerability because the software fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. Versions prior to Apple iTunes 9.0.1 are vulnerable

Cross-site scripting (XSS) vulnerability in the J-Web interface in Juniper JUNOS 8.5R1.14 and 9.0R1.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. This issue affects the following: J-Web 8.5R1.14 J-Web 9.0R1.1. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Juniper JUNOS JWeb Multiple Vulnerabilities SECUNIA ADVISORY ID: SA36829 VERIFY ADVISORY: http://secunia.com/advisories/36829/ DESCRIPTION: Some vulnerabilities have been reported in Juniper JUNOS, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to conduct script insertion attacks. 1) Input passed via the URL to the JWeb administrative web interface is not properly sanitised before being returned to the user. 2) Input passed via multiple parameters to the JWeb administrative web interface is not properly sanitised before being returned to the user. The following parameters passed to the following scripts are reportedly affected: * "host" to /diagnose?m[]=pinghost and /diagnose?m[]=traceroute * "probe-limit" to /configuration?m[]=wizards&m[]=rpm * "wizard_ids" and "pager-new-identifier" to /configuration?m[]=wizards&m[]=firewall-acl&m[]=firewall-filters * "os-physical-interface-name" to /configuration?m[]=wizards&m[]=cos&m[]=cos-interfaces * "wizard-args" and "wizard-ids" to /configuration?m[]=wizards&m[]=snmp * "username" and "fullname" to /configuration?m[]=wizards&m[]=users * "certname" and "certbody" to /configuration?m[]=wizards&m[]=https 3) Input passed via multiple parameters to the JWeb administrative web interface is not properly sanitised before being returned to the user. The following parameters passed to the following scripts are reportedly affected: * "JEXEC_OUTID" to /jexec?JEXEC_MODE=JEXEC_MODE_RELAY_OUTPUT&JEXEC_RPC=request-background-task-start-junoscript * "act" to /scripter.php?debug=1&ifid=1&refresh-time=1 * "refresh-time" to /scripter.php * "ifid" to /scripter?act=header * "revision" to /configuration?m[]=history&action=rollback * "m[]" to /monitor, /manage, /events, /configuration, /alarms, and / " "wizard-next" to /configuration?m[]=wizards&m[]=https 4) Input passed via the "Contact Information", "System Description", "Local Engine ID", "System Location", and "System Name Override" fields to /configuration?m[]=wizards&m[]=snmp&start=true is not properly sanitised before being stored. Vulnerability #1 is reported in JWeb version 8.5R1.14 and 9.0R1.1. Vulnerabilities #2 through #4 are reported in version 8.5R1.14. SOLUTION: Filter malicious characters and character sequences in a web proxy. PROVIDED AND/OR DISCOVERED BY: 1, 2) Amir Azam of ProCheckUp Ltd 3, 4) Richard Brain of ProCheckUp Ltd ORIGINAL ADVISORY: http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-08 http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09 http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-10 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via (1) the JEXEC_OUTID parameter in a JEXEC_MODE_RELAY_OUTPUT action to the jexec program; the (2) act, (3) refresh-time, or (4) ifid parameter to scripter.php; (5) the revision parameter in a rollback action to the configuration program; the m[] parameter to the (6) monitor, (7) manage, (8) events, (9) configuration, or (10) alarms program; (11) the m[] parameter to the default URI; (12) the m[] parameter in a browse action to the default URI; (13) the wizard-next parameter in an https action to the configuration program; or the (14) Contact Information, (15) System Description, (16) Local Engine ID, (17) System Location, or (18) System Name Override SNMP parameter, related to the configuration program. Juniper JUNOS of J-Web There is a cross-site scripting vulnerability in the interface due to flaws in the processing related to the configuration program.By a remotely authenticated user, any Web Script or HTML May be inserted. Juniper Networks JUNOS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data to J-Web (Juniper Web Management). Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. This issue affects the following: J-Web 8.5R1.14 J-Web 9.0R1.1. JUNOS is prone to a cross-site scripting vulnerability. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Juniper JUNOS JWeb Multiple Vulnerabilities SECUNIA ADVISORY ID: SA36829 VERIFY ADVISORY: http://secunia.com/advisories/36829/ DESCRIPTION: Some vulnerabilities have been reported in Juniper JUNOS, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to conduct script insertion attacks. 1) Input passed via the URL to the JWeb administrative web interface is not properly sanitised before being returned to the user. 2) Input passed via multiple parameters to the JWeb administrative web interface is not properly sanitised before being returned to the user. The following parameters passed to the following scripts are reportedly affected: * "host" to /diagnose?m[]=pinghost and /diagnose?m[]=traceroute * "probe-limit" to /configuration?m[]=wizards&m[]=rpm * "wizard_ids" and "pager-new-identifier" to /configuration?m[]=wizards&m[]=firewall-acl&m[]=firewall-filters * "os-physical-interface-name" to /configuration?m[]=wizards&m[]=cos&m[]=cos-interfaces * "wizard-args" and "wizard-ids" to /configuration?m[]=wizards&m[]=snmp * "username" and "fullname" to /configuration?m[]=wizards&m[]=users * "certname" and "certbody" to /configuration?m[]=wizards&m[]=https 3) Input passed via multiple parameters to the JWeb administrative web interface is not properly sanitised before being returned to the user. Vulnerability #1 is reported in JWeb version 8.5R1.14 and 9.0R1.1. Vulnerabilities #2 through #4 are reported in version 8.5R1.14. SOLUTION: Filter malicious characters and character sequences in a web proxy. PROVIDED AND/OR DISCOVERED BY: 1, 2) Amir Azam of ProCheckUp Ltd 3, 4) Richard Brain of ProCheckUp Ltd ORIGINAL ADVISORY: http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-08 http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09 http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-10 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via the host parameter to (1) the pinghost program, reachable through the diagnose program; or (2) the traceroute program, reachable through the diagnose program; or (3) the probe-limit parameter to the configuration program; the (4) wizard-ids or (5) pager-new-identifier parameter in a firewall-filters action to the configuration program; (6) the cos-physical-interface-name parameter in a cos-physical-interfaces-edit action to the configuration program; the (7) wizard-args or (8) wizard-ids parameter in an snmp action to the configuration program; the (9) username or (10) fullname parameter in a users action to the configuration program; or the (11) certname or (12) certbody parameter in a local-cert (aka https) action to the configuration program. Juniper JUNOS of J-Web The interface contains a cross-site scripting vulnerability.Depending on the remote authenticated user, host Any via parameter Web Script or HTML May be inserted. Juniper Networks JUNOS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data to J-Web (Juniper Web Management). Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. This issue affects the following: J-Web 8.5R1.14 J-Web 9.0R1.1. JUNOS is prone to a cross-site scripting vulnerability. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Juniper JUNOS JWeb Multiple Vulnerabilities SECUNIA ADVISORY ID: SA36829 VERIFY ADVISORY: http://secunia.com/advisories/36829/ DESCRIPTION: Some vulnerabilities have been reported in Juniper JUNOS, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to conduct script insertion attacks. 1) Input passed via the URL to the JWeb administrative web interface is not properly sanitised before being returned to the user. 2) Input passed via multiple parameters to the JWeb administrative web interface is not properly sanitised before being returned to the user. The following parameters passed to the following scripts are reportedly affected: * "host" to /diagnose?m[]=pinghost and /diagnose?m[]=traceroute * "probe-limit" to /configuration?m[]=wizards&m[]=rpm * "wizard_ids" and "pager-new-identifier" to /configuration?m[]=wizards&m[]=firewall-acl&m[]=firewall-filters * "os-physical-interface-name" to /configuration?m[]=wizards&m[]=cos&m[]=cos-interfaces * "wizard-args" and "wizard-ids" to /configuration?m[]=wizards&m[]=snmp * "username" and "fullname" to /configuration?m[]=wizards&m[]=users * "certname" and "certbody" to /configuration?m[]=wizards&m[]=https 3) Input passed via multiple parameters to the JWeb administrative web interface is not properly sanitised before being returned to the user. The following parameters passed to the following scripts are reportedly affected: * "JEXEC_OUTID" to /jexec?JEXEC_MODE=JEXEC_MODE_RELAY_OUTPUT&JEXEC_RPC=request-background-task-start-junoscript * "act" to /scripter.php?debug=1&ifid=1&refresh-time=1 * "refresh-time" to /scripter.php * "ifid" to /scripter?act=header * "revision" to /configuration?m[]=history&action=rollback * "m[]" to /monitor, /manage, /events, /configuration, /alarms, and / " "wizard-next" to /configuration?m[]=wizards&m[]=https 4) Input passed via the "Contact Information", "System Description", "Local Engine ID", "System Location", and "System Name Override" fields to /configuration?m[]=wizards&m[]=snmp&start=true is not properly sanitised before being stored. Vulnerability #1 is reported in JWeb version 8.5R1.14 and 9.0R1.1. Vulnerabilities #2 through #4 are reported in version 8.5R1.14. SOLUTION: Filter malicious characters and character sequences in a web proxy. PROVIDED AND/OR DISCOVERED BY: 1, 2) Amir Azam of ProCheckUp Ltd 3, 4) Richard Brain of ProCheckUp Ltd ORIGINAL ADVISORY: http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-08 http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09 http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-10 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Firewall Builder 3.0.4, 3.0.5, and 3.0.6, when running on Linux, allows local users to gain privileges via a symlink attack on an unspecified temporary file that is created by the iptables script. Firewall Builder creates temporary files in an insecure manner. An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files or to execute arbitrary code with elevated privileges. Firewall Builder 3.0.4, 3.0.5, and 3.0.6 are vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Firewall Builder Insecure Temporary Files SECUNIA ADVISORY ID: SA36809 VERIFY ADVISORY: http://secunia.com/advisories/36809/ DESCRIPTION: A security issue has been reported in Firewall Builder, which can be exploited by malicious, local users to perform certain actions with escalated privileges. This can be exploited to e.g. overwrite arbitrary files via symlink attacks. Note: Only scripts setting iptable's static routing configuration are affected. The security issue is reported in versions 3.0.4, 3.0.5, and 3.0.6. SOLUTION: Update to version 3.0.7. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://blog.fwbuilder.org/2009/09/firewall-builder-v307-released.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Background ========== Firewall Builder is a GUI for easy management of multiple firewall platforms. Workaround ========== There is no known workaround at this time. Resolution ========== All Firewall Builder users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-firewall/fwbuilder-3.0.7" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since March 09, 2010. It is likely that your system is already no longer affected by this issue. References ========== [ 1 ] CVE-2008-4956 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4956 [ 2 ] CVE-2009-4664 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4664 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201201-11.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Secunia integrated with Microsoft WSUS http://secunia.com/blog/71/ ---------------------------------------------------------------------- TITLE: Fedora update for fwbuilder and libfwbuilder SECUNIA ADVISORY ID: SA38585 VERIFY ADVISORY: http://secunia.com/advisories/38585/ DESCRIPTION: Fedora has issued an update for fwbuilder and libfwbuilder. For more information: SA36809 SOLUTION: Apply updated packages using the yum utility ("yum update fwbuilder libfwbuilder")

Stack consumption vulnerability in WebKit.dll in WebKit in Apple Safari 3.2.3, and possibly other versions before 4.1.2, allows remote attackers to cause a denial of service (application crash) via JavaScript code that calls eval on a long string composed of A/ sequences. Apple Safari of WebKit of WebKit.dll In this case, a stack consumption state occurs, which disrupts service operation. Safari is prone to a denial-of-service vulnerability. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: SUSE update for Multiple Packages SECUNIA ADVISORY ID: SA43068 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43068/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43068 RELEASE DATE: 2011-01-25 DISCUSS ADVISORY: http://secunia.com/advisories/43068/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43068/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43068 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: SUSE has issued an update for multiple packages, which fixes multiple vulnerabilities. For more information: SA32349 SA33495 SA35095 SA35379 SA35411 SA35449 SA35758 SA36269 SA36677 SA37273 SA37346 SA37769 SA38061 SA38545 SA38932 SA39029 SA39091 SA39384 SA39661 SA39937 SA40002 SA40072 SA40105 SA40112 SA40148 SA40196 SA40257 SA40664 SA40783 SA41014 SA41085 SA41242 SA41328 SA41390 SA41443 SA41535 SA41841 SA41888 SA41968 SA42151 SA42264 SA42290 SA42312 SA42443 SA42461 SA42658 SA42769 SA42886 SA42956 SA43053 SOLUTION: Apply updated packages via YaST Online Update or the SUSE FTP server. ORIGINAL ADVISORY: SUSE-SR:2011:002: http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php

The saveForwardAttachments procedure in the Compose Mail functionality in vtiger CRM 5.0.4 allows remote authenticated users to execute arbitrary code by composing an e-mail message with an attachment filename ending in (1) .php in installations based on certain Apache HTTP Server configurations, (2) .php. on Windows, or (3) .php/ on Linux, and then making a direct request to a certain pathname under storage/. (1) specific Apache HTTP Server Setting environment .php (2) Windows upper .php (3) Linux upper .php/. vtiger CRM is prone to a remote security vulnerability. An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed attempts will likely cause a denial-of-service condition

vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile. vtiger CRM is prone to a remote security vulnerability

Intuity Audix LX is a powerful multimedia messaging server. Multiple CGI perl scripts in the /html/cswebadm/basic/cgibin/ directory of Intuity Audix LX do not properly validate user-submitted parameter requests, and remote attackers can execute arbitrary code by submitting HTTP POST requests; The url parameter of /cgi-bin/smallmenu.pl may cause cross-site scripting attacks; the use of tokenization protection management changes when logging into the web interface may result in cross-site request forgery attacks. Avaya Intuity Audix LX is prone to multiple remote vulnerabilities, including: 1. Multiple remote command-execution vulnerabilities 2. A cross-site request-forgery vulnerability 3. A cross-site scripting vulnerability Attackers can exploit these issues to execute arbitrary commands with the privileges of 'vexvm' on the underlying system, steal cookie-based authentication credentials, execute arbitrary script code, and perform administrative tasks. Other attacks are also possible

include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view. vtiger CRM is prone to a security bypass vulnerability

vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views, and (14) tickets via unspecified vectors. vtiger CRM is prone to a remote security vulnerability

Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the module parameter to graph.php; or the (2) module or (3) file parameter to include/Ajax/CommonAjax.php, reachable through modules/Campaigns/CampaignsAjax.php, modules/SalesOrder/SalesOrderAjax.php, modules/System/SystemAjax.php, modules/Products/ProductsAjax.php, modules/uploads/uploadsAjax.php, modules/Dashboard/DashboardAjax.php, modules/Potentials/PotentialsAjax.php, modules/Notes/NotesAjax.php, modules/Faq/FaqAjax.php, modules/Quotes/QuotesAjax.php, modules/Utilities/UtilitiesAjax.php, modules/Calendar/ActivityAjax.php, modules/Calendar/CalendarAjax.php, modules/PurchaseOrder/PurchaseOrderAjax.php, modules/HelpDesk/HelpDeskAjax.php, modules/Invoice/InvoiceAjax.php, modules/Accounts/AccountsAjax.php, modules/Reports/ReportsAjax.php, modules/Contacts/ContactsAjax.php, and modules/Portal/PortalAjax.php; and allow remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the step parameter in an Import action to the (4) Accounts, (5) Contacts, (6) HelpDesk, (7) Leads, (8) Potentials, (9) Products, or (10) Vendors module, reachable through index.php and related to modules/Import/index.php and multiple Import.php files. A remote attacker can use (1) module parameters to graph.php; or (2) modules or (3) include/Ajax/CommonAjax.php from modules/Campaigns/CampaignsAjax.php, modules/SalesOrder/SalesOrderAjax

Nginx is a multi-platform HTTP server and mail proxy server. Nginx maintains an internal DNS cache for the parsed domain name, but in the search cache, nginx only checks if the name's crc32 matches and the short name is a long name prefix, but does not check if the names are equal in length. If nginx is configured as a proxy cache, the remote attacker can spoof the domain name through DNS poisoning attacks, tricking the user into believing that the domain name being accessed is legitimate. This issue can be exploited when nginx is configured to act as a forward proxy, but this is a nonstandard and unsupported configuration. Attacks against other configurations may also be possible. Successful exploits may allow remote attackers to intercept traffic intended for legitimate websites, which may aid in further attacks

Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect and the Embedded Web Server (EWS) on certain HP LaserJet and Color LaserJet printers, and HP Digital Senders, allow remote attackers to inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter in an Apply action to the support_param.html/config script. (1) support_param.html/config To script Apply In action Product_URL Parameters (2) support_param.html/config To script Apply In action Tech_URL Parameters. Multiple HP printers are prone to multiple cross-site scripting vulnerabilities because they fail to sufficiently sanitize user-supplied input. Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01841397 Version: 1 HPSBPI02463 SSRT090061 rev.1 - HP LaserJet Printers, HP Color LaserJet Printers, Remote Cross Site Scripting (XSS) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. The vulnerabilities could be exploited remotely by Cross Site Scripting (XSS). References: CVE-2009-2684 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2009-2684 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 The Hewlett-Packard Company thanks Digital Security Research Group (dsecrg.com) for reporting these vulnerabilities to security-alert@hp.com. Affected Products - Jetdirect Product Jetdirect Part Number Jetdirect Version or later HP Color LaserJet 3000n J7949E V.28.XX HP Color LaserJet CP3505 J7987E V.34.60 HP Color LaserJet 3600n J7973E V.30.31 HP Color LaserJet 3800n J7949E V.28.XX HP Color LaserJet 4700n J7949E V.28.XX HP Color LaserJet CP4005n J7990E V.33.41 HP LaserJet 2410/2420/2430n J7949E V.28.XX HP LaserJet P3005n J7979E V.33.55 HP LaserJet 4240/4250n J7949E V.28.XX HP LaserJet 4350n J7949E V.28.XX HP LaserJet 5200n J7949E V.28.XX HP LaserJet 9040n/9050n J7949E V.28.XX HP Color LaserJet 4730 MFP J7949E V.28.XX HP Color LaserJet CM4730 MFP J7991E V.34.60 HP LaserJet 9040/9050MFP J7949E V.28.XX HP LaserJet M3027/3035 MFP J7982E V.34.08 HP LaserJet 4345 MFP J7949E V.28.XX HP LaserJet M4345x MFP J7982E V.34.08 HP LaserJet M5025/5035 MFP J7982E V.34.08 HP CM8050/8060 MFP J7974E V.34.40 HP DS9200c Digital Sender J7949E V.28.XX HP DS9250c Digital Sender J7992E V.34.12 HP LaserJet P4515 J8003E V.36.35 HP LaserJet P4015 J8003E V.36.35 HP LaserJet P4014 J8006E V.36.35 HP Color LaserJet CP6015 J7993E V.36.35 HP Color LaserJet 6040 MFP J7993E V.36.35 HP LaserJet M9040/50 MFP J8004E V.36.35 Affected Products - Embedded Web Server (EWS) Product HP Color LaserJet 3000n HP Color LaserJet CP3505 HP Color LaserJet 3600n HP Color LaserJet 3800n HP Color LaserJet 4700n HP Color LaserJet CP4005n HP LaserJet 2410/2420/2430n HP LaserJet P3005n HP LaserJet 4240/4250n HP LaserJet 4350n HP LaserJet 5200n HP LaserJet 9040n/9050n HP Color LaserJet 4730 MFP HP Color LaserJet CM4730 MFP HP LaserJet 9040/9050MFP HP LaserJet M3027/3035 MFP HP LaserJet 4345 MFP HP LaserJet M4345x MFP HP LaserJet M5025/5035 MFP HP CM8050/8060 MFP HP DS9200c Digital Sender HP DS9250c Digital Sender HP LaserJet P4515 HP LaserJet P4015 HP LaserJet P4014 HP Color LaserJet CP6015 HP Color LaserJet 6040 MFP HP LaserJet M9040/50 MFP Note: For further information on Secure Printing and Imaging please refer to http://www.hp.com/go/secureprinting RESOLUTION The following steps can be taken to limit the exposure to the XSS vulnerabilities. set the administrator password use a new browser instance for administrator tasks do not access other web sites while performing administrator tasks exit the browser when administrator tasks are complete PRODUCT SPECIFIC INFORMATION None HISTORY Version:1 (rev.1) - 7 October 2009 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches -check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems -verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (HP-UX) iEYEARECAAYFAkrMkcsACgkQ4B86/C0qfVkloACeJjXFqi/GNPBY7Z/Zn5bkBchG RhUAoInJdnRoqTTCkgJqrss2Etcz9ool =xes/ -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: KSP Sound Player "m3u" Playlist Buffer Overflow SECUNIA ADVISORY ID: SA36621 VERIFY ADVISORY: http://secunia.com/advisories/36621/ DESCRIPTION: hack4love has discovered a vulnerability in KSP Sound Player, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error in the processing of "m3u" files. This can be exploited to cause a stack-based buffer overflow when a user is tricked into opening a specially crafted "m3u" playlist file containing an overly long entry. Successful exploitation allows execution of arbitrary code. SOLUTION: Do not open files from untrusted sources. PROVIDED AND/OR DISCOVERED BY: hack4love ORIGINAL ADVISORY: http://milw0rm.com/exploits/9624 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Input passed via the "Product_URL" and "Tech_URL" parameters to support_param.html/config is not properly sanitised before being used. SOLUTION: Filter malicious characters and character sequences in a web proxy. See the vendor's advisory for recommended workarounds. Details ******* Multiple Linked Stored XSS vulnerabilities found in script support_param.html/config Attacker can inject XSS in parameters "Product_URL" and "Tech_URL". http://dsecrg.ru/pages/vul/show.php?id=148 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01841397 About ***** Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. Contact: research [at] dsecrg [dot] com http://www.dsecrg.com Polyakov Alexandr Information Security Analyst ______________________ DIGITAL SECURITY phone: +7 812 703 1547 +7 812 430 9130 e-mail: a.polyakov@dsec.ru www.dsec.ru ----------------------------------- This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure is strictly prohibited. If you have received this message in error, please notify the sender immediately either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence via e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding statements by e-mail unless otherwise agreed. -----------------------------------

GreenSQL Firewall (greensql-fw) before 0.9.2 allows remote attackers to bypass SQL injection protection via a crafted string, possibly involving an encoded space character (%20). Greensql Firewall is prone to a sql-injection vulnerability

Hitachi JP1/File Transmission Server/FTP contains multiple vulnerabilities that could allow an attacker to execute arbitrary commands.A remote attacker could execute arbitrary commands.

Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests. Nginx A web server contains a buffer underrun vulnerability. Nginx Is offered for various platforms HTTP Server and mail proxy server. Nginx Is ngx_http_parse_complex_uri() There was a problem with the function and it was crafted URI A buffer underrun may occur when processing.nginx Consists of a privileged master process and an unprivileged worker process. Arbitrary code execution or denial of service by a remote third party with the authority of a worker process (DoS) There is a possibility of being attacked. The 'nginx' program is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-servers/nginx < 0.7.62 *>= 0.5.38 *>= 0.6.39 >= 0.7.62 Description =========== Chris Ries reported a heap-based buffer underflow in the ngx_http_parse_complex_uri() function in http/ngx_http_parse.c when parsing the request URI. NOTE: By default, nginx runs as the "nginx" user. Workaround ========== There is no known workaround at this time. Resolution ========== All nginx 0.5.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose =www-servers/nginx-0.5.38 All nginx 0.6.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose =www-servers/nginx-0.6.39 All nginx 0.7.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose =www-servers/nginx-0.7.62 References ========== [ 1 ] CVE-2009-2629 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2629 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200909-18.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA-1884-1 security@debian.org http://www.debian.org/security/ Nico Golde September 14th, 2009 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : nginx Vulnerability : buffer underflow Problem type : remote Debian-specific: no CVE ID : CVE-2009-2629 Chris Ries discovered that nginx, a high-performance HTTP server, reverse proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when processing certain HTTP requests. For the oldstable distribution (etch), this problem has been fixed in version 0.4.13-2+etch2. For the stable distribution (lenny), this problem has been fixed in version 0.6.32-3+lenny2. For the testing distribution (squeeze), this problem will be fixed soon. For the unstable distribution (sid), this problem has been fixed in version 0.7.61-3. We recommend that you upgrade your nginx packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Debian (oldstable) - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13.orig.tar.gz Size/MD5 checksum: 436610 d385a1e7a23020d421531818d5606b5b http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2.diff.gz Size/MD5 checksum: 6578 db07ea3610574b7561cbedef09a51bf2 http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2.dsc Size/MD5 checksum: 618 12706d3c92e0c225dd47367aae43115e alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2_alpha.deb Size/MD5 checksum: 211310 5e7efe11eca1aea2f6611cd913bf519d amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2_amd64.deb Size/MD5 checksum: 195352 3fc58e180fca1465a360f37bad3da7db arm architecture (ARM) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2_arm.deb Size/MD5 checksum: 187144 6e49d62ee4efa11f9b75292bcb3be1d7 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2_hppa.deb Size/MD5 checksum: 205204 7f8f76147eccbf489c900831782806c0 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2_i386.deb Size/MD5 checksum: 184912 7dc5e3672666d1b5666f6ce79f4c755b ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2_ia64.deb Size/MD5 checksum: 278490 669e8d9e43a123367c429ca34927e22a mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2_mips.deb Size/MD5 checksum: 208238 2e6f25c4bc053d1bb1ac82bec398624d mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2_mipsel.deb Size/MD5 checksum: 207640 e6b0e0e8148d1786274cf9a4b7f9d060 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2_powerpc.deb Size/MD5 checksum: 186542 5b1460ab8707b1ccb3cf0b75c8ea2548 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2_s390.deb Size/MD5 checksum: 199720 8ecde48c393df02819c45bc966f73eae sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2_sparc.deb Size/MD5 checksum: 185032 15212749985501b223af7888447fc433 Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2.dsc Size/MD5 checksum: 1238 41197ff9eca3cb3707ca5eff5e431183 http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2.diff.gz Size/MD5 checksum: 10720 b2c8f555b7de4ac17b2c98247fd2ae6b http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32.orig.tar.gz Size/MD5 checksum: 522183 c09a2ace3c91f45dabbb608b11e48ed1 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2_alpha.deb Size/MD5 checksum: 297782 dc05cbf94712134298acdedad2a4e85d amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2_amd64.deb Size/MD5 checksum: 268518 58dc10022dd7b20ff58a4b839be62a43 arm architecture (ARM) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2_arm.deb Size/MD5 checksum: 251688 7f5a9499de8ba40ae2caea7de183b966 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2_hppa.deb Size/MD5 checksum: 282324 f0264b98d0564f51692292c0ec269a19 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2_i386.deb Size/MD5 checksum: 253060 a64340fa3a9a5b58e23267f13abfeeed ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2_ia64.deb Size/MD5 checksum: 420004 a2e6de141194e41a60893b0b2c457f28 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2_mips.deb Size/MD5 checksum: 283220 04407318230621467ea3a42bfb11d724 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2_mipsel.deb Size/MD5 checksum: 283444 0bd0eb1e415d7d6877a95e21ddb91fa7 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2_powerpc.deb Size/MD5 checksum: 276056 fae6451ab5ac767f93d3229a9e01f3bf sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2_sparc.deb Size/MD5 checksum: 256778 df6a47fe174736468910a4166fe0a064 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkquZwIACgkQHYflSXNkfP+2zACghwt2Hx3UoREEb7p697sYiPSl pZQAn1WWgFTERwdFo5uw5KuZ7hN09KuH =Xrul -----END PGP SIGNATURE-----

The screensharing feature in the Admin application in Apple Xsan before 2.2 places a cleartext username and password in a URL within an error dialog, which allows physically proximate attackers to obtain credentials by reading this dialog. Apple Xsan is prone to an information-disclosure vulnerability affecting the Xsan Admin component. Successful exploits may allow attackers with physical access to an affected computer to obtain password data. Information harvested may aid in launching further attacks. Versions prior to Xsan 2.2 are vulnerable. Xsan is an enterprise-class storage network solution, and Xsan Admin is an application for simplifying SAN management. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Apple Xsan Admin Connection URL Username/Password Disclosure SECUNIA ADVISORY ID: SA36673 VERIFY ADVISORY: http://secunia.com/advisories/36673/ DESCRIPTION: A security issue has been reported in Xsan, which may disclose sensitive information to malicious people with physical access to a system. Any person able to see the user's display could gain knowledge of this information. SOLUTION: Update to version 2.2. PROVIDED AND/OR DISCOVERED BY: The vendor credits Ben Greisler, Kadimac Corp Macintosh Integrators. ORIGINAL ADVISORY: http://support.apple.com/kb/HT3797 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------