Network Security

AERAsec
Current Security Messages


Most of the links lead to the corresponding files at CERT or other organisations, so changes made there take effect immediately, especially regarding which patches should be installed or which configuration changes should be made to avoid a given vulnerability. Some of the files are transferred by FTP.

By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!


Chosen month 11 / 2005

System: Mac OS X
Topic: Security Update 2005-009
Links: APPLE-SA-2005-11-29, ESB-2005.0949, Q-064
ID: ae-200511-060

Several security issues in Apache2, apache_mod_ssl, CoreFoundation, curl, iodbcadmintool, OpenSSL, passwordserver, Safari, sudo, and syslog were fixed and bundled in the now available Security Update 2005-009.

System: Debian GNU/Linux
Topic: Vulnerabilities in gtk+2.0, gdk-pixbuf, and centericq
Links: DSA-911, DSA-913, CVE-2005-2975, CVE-2005-2976, CVE-2005-3186, ESB-2005.0948, ESB-2005.0955,
DSA-912, CVE-2005-3694, ESB-2005.0953
ID: ae-200511-059

Several vulnerabilities were found in the way 'gtk2' and 'gdk-pixbuf' process XPM images. An attacker could create a carefully crafted XPM file in such a way that it could execute arbitrary code when the file was opened by a victim.
It was discovered that centericq, a text-mode multi-protocol instant messenger client, can crash when it receives certain zero length packets and is directly connected to the Internet.
Fixed packages are available now.

System: SCO OpenServer
Topic: Vulnerability in KAME Racoon Daemon
Links: SCOSA-2005.52, CVE-2005-0398
ID: ae-200511-058

Racoon is an IKEv1 keying daemon, a common IPsec utility. Due to a bug in the way racoon parses incoming ISAKMP packets, an attacker could possibly crash the racoon daemon by sending a specially crafted ISAKMP packet. Patches are available now.

System: SGI Advanced Linux Environment
Topic: Vulnerabilities in gdk-pixbuf, gtk2, lynx, php, libungif, curl, wget, openssl096b, and ethereal
Links: SGI-20051101-01
ID: ae-200511-057

SGI has released the Security Update #51 for SGI Advanced Linux Environment 3. These updates fix security related problems in gdk-pixbuf, gtk2, lynx, php, libungif, curl, wget, openssl096b, and ethereal. So it's recommended to install these updates.

System: Various
Topic: Vulnerability in Sun Java Runtime Environment
Links: Sun Alert 102017, Q-061, ESB-2005.0951
ID: ae-200511-056

A vulnerability with the Java Management Extensions (JMX) implementation included with the Java Runtime Environment (JRE) may allow an untrusted applet to elevate its privileges. For example an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. Patches are available now.

System: SCO OpenServer 6.0.0
Topic: Vulnerabilities in CUPS
Links: SCOSA-2005.51, CVE-2005-2874
ID: ae-200511-055

A remote user can cause the CUPS service to hang and consume all available CPU resources. Patches are available now.

System: Sun Solaris
Topic: Vulnerabilities in libexif and traceroute
Links: Sun Alert 102041, ESB-2005.0945, Sun Alert 102060, ESB-2005.0946, Q-060
ID: ae-200511-054

A security vulnerability in the libexif JPEG image processing library may allow a remote unprivileged user who provides a carefully crafted JPEG image the ability to execute arbitrary code with the privileges of a local user who opens that image.
Multiple security vulnerabilities in the traceroute(1M) utility may allow an unauthorized local user the ability to execute arbitrary code with elevated privileges.
Patches are available now.

System: Various
Topic: Vulnerabilities in OTRS
Links: OSA-2005-01, ESB-2005.0943
ID: ae-200511-053

Several vulnerabilities in OTRS allow SQL injection and cross-site scripting attacks. Patches are available now.

System: Mandriva Linux
Topic: Vulnerabilities in binutils and fuse
Links: MDKSA-2005:215, CVE-2005-3531
MDKSA-2005:215, CAN-2005-1704
ID: ae-200511-052

Integer overflows in various applications in the binutils package may allow attackers to execute arbitrary code via a carefully crafted object file.
fusermount failed to securely handle special characters specified in mount points, which could allow a local attacker to corrupt the contents of /etc/mtab by mounting over a maliciously-named directory using fusermount. This could potentially allow the attacker to set unauthorized mount options.
Fixed packages are available now.

System: Various
Topic: Vulnerability in Web-Interface of Sun ONE / Sun Java System Directory Server / Sun Java System Directory Proxy Server
Links: Sun Alert 102002, NGSSoftware, AU-2005.0020
ID: ae-200511-051

A security vulnerability in the Sun ONE and Sun Java System Directory Server's HTTP administrative interface may allow a local or remote unprivileged user the ability to kill the admin server or execute arbitrary commands on the system with the privileges of the admin server process. The admin server process normally runs as the privileged "root" user. The ability to kill the admin server is a type of Denial-of-Service. Patches are available now.

System: Unix / Windows
Topic: Vulnerability in Mambo
Links: Mambo, FullDisclosure, AL-2005.0028
ID: ae-200511-050

Mambo is a Content Management System based on PHP. Mambo versions 4.5.2.3 and prior contain a serious vulnerability allowing remote execution of arbitrary PHP code. The vulnerability is in globals.php, which allows arbitrary remote PHP files to be included and executed by overwriting the global mosConfig_absolute_path parameter. An exploit for this vulnerability is publicly available and widespread exploitation of vulnerable web servers has been reported. So it's recommended to install the patch immediately.

System: Cisco PIX
Topic: Possible vulnerability due to spoofed TCP SYN packets
Links: Cisco, FullDisclosure, VU#853540, ESB-2005.0935, Q-062
ID: ae-200511-049

Cisco PIX firewall systems are used to enforce site-specific network security policy. A problem has been publicly reported that may be used by remote, unauthenticated attackers to create a sustained Denial-of-Service against PIX-protected systems under certain conditions (PIX 6.3, 7.0). This condition may occur when TCP SYN packets with malformed TCP checksums and spoofed source addresses and port values are sent to systems behind affected PIX firewalls. Since the PIX reportedly doesn't validate the TCP checksum, it allows such packets through, creating a connection entry to track the connection attempt to the destination from the spoofed source address and port. The target of the attack silently drops malformed TCP SYN packets without sending TCP RST packets back to the PIX to remove the connection entry. Legitimate attempts to connect to PIX-protected systems may then be blocked for up to two minutes per attack (assuming default connection timer settings). Note that this attack doesn't affect established TCP connections. Exploit code has been made publicly available that may automate the sustained Denial-of-Service attack described above. Cisco is working on a patch and has published a workaround.

System: Symantec Enterprise Firewall, Gateway Security, Firewall/VPN Appliance
Topic: Vulnerability in ISAKMP
Links: Symantec, ESB-2005.0937
ID: ae-200511-048

ISAKMP is a standard protocol that provides the framework for establishing, negotiating, modifying, and deleting security associations. The ISAKMP service listens on UDP port 500 on all the affected security gateways. Under certain conditions a malformed ISAKMP packet can potentially cause the ISAKMP service to crash, thereby affecting the availability and stability of dynamic VPN tunnels. This Denial-of-Service can be fixed now with a patch.

System: Microsoft Windows
Topic: Vulnerability in Microsoft Internet Explorer
Links: Microsoft, CAN-2005-1790, Q-059, ISS Alert #209a
ID: ae-200511-047

No further comment due to legal reasons.

System: Debian GNU/Linux
Topic: Vulnerabilities in sylpheed, sylpheed-claws, ipmenu, horde3, and zope
Links: DSA-906, DSA-908, CVE-2005-3354, ESB-2005.0936, ESB-2005.0939,
DSA-907, CVE-2005-2569, ESB-2005.0938,
DSA-909, CVE-2005-3759, ESB-2005.0941, ESB-2005.0942,
DSA-910, CVE-2005-3323, ESB-2005.0944
ID: ae-200511-046

Several buffer overflows were discovered in a number of importer routines in sylpheed, a light-weight e-mail client with GTK+, and sylpheed-claws that could lead to the execution of arbitrary code.
It was noticed that ipmenu, a cursel iptables/iproute2 GUI, creates a temporary file in an insecure fashion, allowing a local attacker to overwrite arbitrary files utilising a symlink attack.
The MIME viewer in horde3, a web application suite, does not always sanitise its input, leaving a possibility to force the return of malicious code that could be executed on the victim's machine.
A vulnerability has been discovered in zope 2.7, an Open Source web application server, that allows remote attackers to insert arbitrary files via include directives in the reStructuredText functionality.
Fixed packages are available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in unzip, netpbm-free, and mantis
Links: DSA-903, CVE-2005-2475, ESB-2005.0932, Q-057,
DSA-904, CVE-2005-3632, CVE-2005-3662, ESB-2005.0933, Q-058,
DSA-905, CVE-2005-3091, CVE-2005-3335, CVE-2005-3336, CVE-2005-3338, ESB-2005.0934
ID: ae-200511-045

A race condition was discovered in the permissions setting code in unzip. When decompressing a file in a directory an attacker has access to, unzip could be tricked into setting the permissions of a different file the user has permissions to.
Several buffer overflows were discovered in pnmtopng which is also included in netpbm, a collection of graphic conversion utilities, that can lead to the execution of arbitrary code via a specially crafted PNM file.
Several security related problems have been discovered in Mantis, a web-based bug tracking system.
Fixed packages are available now.

System: Debian GNU/Linux
Topic: Vulnerability in xmail
Links: DSA-902, CVE-2005-2943, ESB-2005.0931
ID: ae-200511-044

A buffer overflow has been discovered in the sendmail program of xmail, an advanced, fast and reliable ESMTP/POP3 mail server, that could lead to the execution of arbitrary code with group mail privileges. Fixed packages are available now.

System: SCO OpenServer 6.0.0
Topic: Vulnerability in Telnet Client
Links: SCOSA-2005.50, CVE-2005-0488
ID: ae-200511-043

Certain BSD-based telnet clients allow remote malicious telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. A new package remedies this problem.

System: Debian GNU/Linux
Topic: Programming error in gnump3d
Links: DSA-901, CVE-2005-3349, CVE-2005-3355, ESB-2005.0930
ID: ae-200511-042

Gnump3d is a streaming server for MP3 and OGG files. Several temporary files are created with predictable filenames in an insecure fashion and allow local attackers to craft symlink attacks. Additionally, the theme parameter of HTTP requests may be used for path traversal. A new version solves these problems.

System: SCO OpenServer 5.0.7
Topic: Several vulnerabilities in Mozilla
Links: SCOSA-2005.49
ID: ae-200511-041

The Mozilla 1.7.12 browser in this update represents a significant advancement in features and fixes over the Mozilla 1.6 released with SCO OpenServer 5.0.7 Maintenance Pack 3. All together, about 38 vulnerabilities are fixed in this version.

System: Suse Linux
Topic: Vulnerability in phpMyAdmin
Links: Suse_2005_66, CVE-2005-2869, CVE-2005-3300, CVE-2005-3301
ID: ae-200511-040

Several cross-site scripting vulnerabilities have been discovered in phpmyadmin, a set of PHP-scripts to administrate MySQL over the WWW. Fixed packages are available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in phpgroupware, egroupware, and fetchmail
Links: DSA-898, DSA-899, CVE-2005-0870, CVE-2005-2600, CVE-2005-3347, CVE-2005-3348, ESB-2005.0926, ESB-2005.0927,
DSA-900, CVE-2005-3088, ESB-2005.0929, Q-056
ID: ae-200511-039

Several vulnerabilities have been discovered in the phpgroupware and egroupware web-based groupware suites.
It was discovered that the fetchmailconfig program, which is provided as part of fetchmail, a POP3, APOP, IMAP mail gatherer/forwarder, creates the new configuration in an insecure fashion that can lead to leaking passwords for mail accounts to local users.
Fixed packages are available now.

System: Cisco 7920 Wireless IP Phone
Topic: Vulnerabilities in Cisco 7920 Wireless IP Phone
Links: Cisco, ESB-2005.0925
ID: ae-200511-038

The Cisco 7920 Wireless IP Phone provides Voice Over IP service via IEEE 802.11b Wi-Fi networks and has a form-factor similar to a cordless phone. This product contains two vulnerabilities: The first vulnerability is an SNMP service with fixed community strings that allow remote users to read, write, and erase the configuration of an affected device. The second vulnerability is an open VxWorks Remote Debugger on UDP port 17185 that may allow an unauthenticated remote user to access debugging information or cause a denial of service. Cisco has made free software available to address this vulnerability.

System: HP-UX
Topic: Vulnerability in xterm
Links: HPSBUX02075, SSRT051074, HP, Q-053, ESB-2005.0940
ID: ae-200511-037

A security vulnerability has been identified with HP-UX running xterm. The vulnerability could be exploited by a local user to gain unauthorized access. Patches are available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in phpsysinfo
Links: DSA-897, CVE-2005-0870, CVE-2005-3347, CVE-2005-3348, ESB-2005.0921, Q-055
ID: ae-200511-036

Several vulnerabilities have been discovered in phpsysinfo, a PHP based host information application. Fixed packages are available now.

System: Various
Topic: Vulnerabilities in gtk2 and gdk-pixbuf
Links: CVE-2005-2975, CVE-2005-2976, CVE-2005-3186, iDEFENSE, RHSA-2005-810, RHSA-2005-811, ESB-2005.0922, ESB-2005.0923, Q-054, SUSE-SA:2005:065, MDKSA-2005:214
ID: ae-200511-035

Several vulnerabilities were found in the way 'gtk2' and 'gdk-pixbuf' process XPM images. An attacker could create a carefully crafted XPM file in such a way that it could execute arbitrary code when the file was opened by a victim. Patches are available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in abiword, uim, and linux-ftpd-ssl
Links: DSA-894, CVE-2005-2964, CVE-2005-2972, ESB-2005.0917,
DSA-895, CVE-2005-3149, ESB-2005.0918,
DSA-896, CVE-2005-3524, ESB-2005.0920
ID: ae-200511-034

Several buffer overflows were discovered in the RTF import mechanism of AbiWord, a WYSIWYG word processor based on GTK 2. Opening a specially crafted RTF file could lead to the execution of arbitrary code.
It was discovered that incorrect use of environment variables in uim, a flexible input method collection and library, could lead to escalated privileges in setuid/setgid applications linked to libuim.
A buffer overflow has been discovered in ftpd-ssl, a simple BSD FTP server with SSL encryption support, that could lead to the execution of arbitrary code.
Fixed packages are available now.

System: Cisco
Topic: Vulnerabilities in Cisco IPSec Software
Links: Cisco, AL-2005.0040, Q-065
ID: ae-200511-033

Multiple Cisco products contain vulnerabilities in the processing of IPSec IKE (Internet Key Exchange) messages. Affected products include Cisco IOS, Cisco PIX Firewall, and Cisco VPN 3000 Series Concentrators. Cisco has made free software available to address this vulnerability.

System: Debian GNU/Linux
Topic: Vulnerabilities in acidlab
Links: DSA-892, CVE-2005-1527, ESB-2005.0916
ID: ae-200511-032

A vulnerability was discovered in acidlab, the Analysis Console for Intrusion Databases, which can be exploited by malicious users to conduct SQL injection attacks. Fixed packages are available now.

System: OpenBSD
Topic: Several vulnerabilities fixed
Links: OpenBSD
ID: ae-200511-031

OpenBSD has published several patches, fixing vulnerabilities in libungif, mailman, SNMP, PHP4, and TWiki. It's recommended to install these updated packages.

System: Unix / Linux
Topic: Vulnerability in lynx
Links: iDEFENSE #338, CVE-2005-2929, RHSA-2005-839, ESB-2005.0914
ID: ae-200511-030

Lynx is a web browser for the command line interface. Remote exploitation of a command injection vulnerability in various vendors' implementations of Lynx could allow attackers to execute arbitrary commands with the privileges of the underlying user. The problem specifically exists within the feature to execute local cgi-bin programs via the "lynxcgi:" URI handler. Lynx 2.8.6dev.15 solves this problem.

System: Red Hat Enterprise Linux
Topic: Vulnerability in flash-plugin
Links: RHSA-2005-835, CVE-2005-2628, VU#146284, Q-051, ESB-2005.0904
ID: ae-200511-029

A buffer overflow bug was discovered in the Macromedia Flash Player. It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious Macromedia Flash file. Fixed packages are available now.

System: Various
Topic: Vulnerability in IBM Tivoli Directory Server
Links: IBM, ESB-2005.0913
ID: ae-200511-028

A security vulnerability has been identified by IBM for the IBM Tivoli Directory Server (ITDS) that would allow unauthorized access to change, modify and/or delete directory data stored in IBM Tivoli Directory Server. Patches are available now.

System: Red Hat Enterprise Linux
Topic: Vulnerabilities in php and lmsensors
Links: RHSA-2005-831, CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, Q-050, ESB-2005.0912,
RHSA-2005-825, CVE-2005-2672, ESB-2005.0911
ID: ae-200511-027

Several vulnerabilities were found in PHP:
A flaw was found in the way PHP registers global variables during a file upload request. A remote attacker could submit a carefully crafted multipart/form-data POST request that would overwrite the $GLOBALS array, altering expected script behavior, and possibly leading to the execution of arbitrary PHP commands.
A flaw was found in the PHP parse_str() function. If a PHP script passes only one argument to the parse_str() function, and the script can be forced to abort execution during operation (for example due to the memory_limit setting), the register_globals may be enabled even if it is disabled in the PHP configuration file.
A Cross-Site Scripting flaw was found in the phpinfo() function.
A denial of service flaw was found in the way PHP processes EXIF image data. It is possible for an attacker to cause PHP to crash by supplying carefully crafted EXIF image data.
A bug was found in the way the pwmconfig tool creates temporary files. It is possible that a local attacker could leverage this flaw to overwrite arbitrary files located on the system.
Fixed packages are available now.

System: SCO UnixWare
Topic: Vulnerability in lynx
Links: SCOSA-2005.47, CVE-2005-3120
ID: ae-200511-026

A stack overflow bug was discovered in Lynx when handling connections to NNTP (news) servers. Patches are available now.

System: HP-UX
Topic: Vulnerabilities in ftpd, remshd, and envd
Links: HPSBUX02071, SSRT051064, CVE-2005-3296, ESB-2005.0907, HPSBUX02072, SSRT051014, ESB-2005.0908, HPSBUX02073, SSRT051012, ESB-2005.0909, Q-049
ID: ae-200511-025

A vulnerability has been identified with HP-UX running ftpd. The vulnerability could be exploited by a remote unauthenticated user to list directories with the privileges of the root user.
A vulnerability has been identified with HP-UX systems running in Trusted Mode. The vulnerability could be exploited remotely to gain unauthorized access.
A vulnerability has been identified with HP-UX running the envd(1M). The vulnerability could be exploited by a local authorized user to execute arbitrary code and/or gain unauthorized privileges.
Patches are available now.

System: Debian GNU/Linux
Topic: Vulnerability in awstats
Links: DSA-892, CVE-2005-1527, Q-052, ESB-2005.0910
ID: ae-200511-024

It was discovered that awstats, a featureful web server log analyser, passes user-supplied data to an eval() function, allowing remote attackers to execute arbitrary Perl commands. Fixed packages are available now.

System: Microsoft Windows
Topic: Vulnerabilities in Graphics Rendering Engine
Links: MS05-053, CAN-2005-0803, CAN-2005-2123, CAN-2005-2124, VU#134756, VU#300549, VU#433341, Q-046, AL-2005.0038, ESB-2005.0901
ID: ae-200511-023

No further comment due to legal reasons.

System: Debian GNU/Linux
Topic: Vulnerabilities in libungif4 and gpsdrive
Links: DSA-890, CVE-2005-2974, CVE-2005-3350, ESB-2005.0905,
DSA-891, CVE-2005-3532, ESB-2005.0906
ID: ae-200511-022

The libungif package contains a shared library of functions for loading and saving GIF format image files. Several bugs in the way libungif decodes GIF images were discovered. An attacker could create a carefully crafted GIF image file in such a way that it could cause an application linked with libungif to crash or execute arbitrary code when the file is opened by a victim.
A format string vulnerability was discovered in gpsdrive, a car navigation system, that can lead to the execution of arbitrary code.
Fixed packages are available now.

System: Various
Topic: Vulnerability in VERITAS NetBackup
Links: Q-048, ESB-2005.0903
ID: ae-200511-021

A buffer overflow vulnerability exists in a shared library used by the VERITAS NetBackup volume manager daemon (vmd) running on VERITAS NetBackup 5.x servers and clients. Successful exploitation of this overflow condition could possibly allow a malicious attacker to create a denial of service disrupting backup systems or potentially allow execution of arbitrary code with elevated privileges on a targeted system. Patches are available now.

System: UNIX
Topic: Vulnerability in VERITAS Cluster Server for UNIX
Links: Q-047, ESB-2005.0902
ID: ae-200511-020

Versions of VERITAS Cluster Server for UNIX are susceptible to a buffer overflow vulnerability that could allow a local user to create a disruption of backup/storage capabilities or potentially gain elevated privileges on a targeted server. Patches are available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in chmlib, clamav, openssl, and enigmail
Links: DSA-886, CVE-2005-2659, CVE-2005-2930, CVE-2005-3318, ESB-2005.0897, Q-043,
DSA-887, CVE-2005-3239, CVE-2005-3303, CVE-2005-3500, CVE-2005-3501, ESB-2005.0898, Q-045,
DSA-888, CVE-2005-2969, ESB-2005.0899, Q-044,
DSA-889, CVE-2005-3256, VU#805121, ESB-2005.0900
ID: ae-200511-019

Chmlib is a library for dealing with CHM format files. A buffer overflow in the LZX decompression method has been discovered. Two further buffer overflows might lead to the execution of arbitrary code.
Clam AntiVirus is an antivirus scanner for Unix, designed for integration with mail servers to perform attachment scanning. The OLE2 unpacker allows remote attackers to cause a segmentation fault via a DOC file with an invalid property tree, which triggers an infinite recursion. A specially crafted executable compressed with FSG 1.33 could cause the extractor to write beyond buffer boundaries, allowing an attacker to execute arbitrary code. A specially crafted CAB file might cause ClamAV to be locked in an infinite loop and use all available processor resources, resulting in a Denial-of-Service.
A vulnerability in the Open Secure Socket Layer (OpenSSL) library can allow an attacker to perform active protocol-version rollback attacks that could lead to the use of the weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS 1.0.
A vulnerability in enigmail, GPG support for Mozilla MailNews and Mozilla Thunderbird, can lead to the encryption of mail with the wrong public key, hence, potential disclosure of confidential data to others.
Updated packages are available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in horde3 and openvpn
Links: DSA-884, CVE-2005-3344, ESB-2005.0895,
DSA-885, CVE-2005-3393, CVE-2005-3409, ESB-2005.0896
ID: ae-200511-018

The default installation of Horde3 on Debian includes an administrator account without a password.
OpenVPN is a free virtual private network daemon. A format string vulnerability has been discovered that could allow arbitrary code to be executed on the client. Additionally, a NULL pointer dereference has been discovered that could be exploited to crash the service.
Updated packages are available now.

System: Various
Topic: Vulnerability in Asterisk
Links: Asterisk_200511, ESB-2005.0882
ID: ae-200511-017

Asterisk is a complete PBX in software. It runs on Linux, BSD and Mac OS X and provides many features. A vulnerability in the voicemail retrieval system allows an authenticated user to download any .wav/.WAV file from the system, including other users' voicemail messages. Asterisk has released patches for the vulnerabilities.

System: Various
Topic: Vulnerabilities in Clam AntiVirus
Links: iDEFENSE #333, iDEFENSE #334, ESB-2005.0878, ESB-2005.0879, Suse 10.0, Suse 9.3
ID: ae-200511-016

ClamAV is a freely available antivirus scanner. Two vulnerabilities have been found in version 0.86.1. The function tnef_attachment doesn't check a user-controlled value which is used to fseek into the file being processed, so a user is able to specify the same block for scanning repeatedly, leading to an infinite loop. The libmspack library has problems with CAB files, so a Denial-of-Service is possible here, too.
Version 0.87.1 has been published now, fixing these vulnerabilities.

System: Mac OS X and Microsoft Windows
Topic: Vulnerabilities in Apple QuickTime
Links: APPLE-SA-2005-11-04, CAN-2005-2756, CAN-2005-2755, CAN-2005-2754, CAN-2005-2753, VU#855118, ESB-2005.0876
ID: ae-200511-015

Apple QuickTime 7.0.3 has been published. It fixes some problems in earlier versions. An integer overflow may be exploitable via remotely originated content, caused by a sign extension of an embedded "Pascal" style string, resulting in a very large memory copy. Improper movie attributes could result in a very large memory copy, too. A missing movie attribute was interpreted as an extension, but the absence of the extension is not flagged as an error, resulting in a dereference of a NULL pointer and leading to a Denial-of-Service. Expansion of compressed PICT data could exceed the size of the destination buffer, so application memory might be overwritten by remotely originating content.

System: Turbolinux
Topic: Vulnerability in php
Links: TLSA-2005-97, CAN-2005-3390
ID: ae-200511-014

PHP is an HTML-embedded scripting language. A vulnerability exists in the handling of $GLOBALS during file uploads. This may allow remote attackers to execute arbitrary PHP script. An updated package is available now.

System: Microsoft Windows
Topic: Vulnerability in Macromedia Flash Player 7
Links: MPSB05-07, ESB-2005.0894
ID: ae-200511-013

A problem with bounds validation for indexes of certain arrays in Flash Player 7.0.19.0 and earlier might give a third party the possibility to inject unauthorized code that would then be executed by Flash Player. This is fixed in version 7.0.61.0 or 7.0.60.0 and 8.0.22.0, respectively.

System: Some
Topic: Vulnerability in F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper
Links: FSC-2005-2, Q-042, ESB-2005.0877
ID: ae-200511-012

In F-Secure Anti-Virus for Microsoft Exchange 6.40 and F-Secure Internet Gatekeeper 6.4x a limited directory traversal vulnerability can be exploited by bypassing the Web Console authentication. It's possible to gain read access to a file on the local disk from allowed hosts. By default the connections are only allowed from the local host. A hotfix remedies this problem.

System: Debian GNU/Linux
Topic: Vulnerabilities in openssl and thttpd
Links: DSA-881, DSA-882, CVE-2005-2969, Q-007, ESB-2005.0880,
DSA-883, CVE-2005-3124, ESB-2005.0881
ID: ae-200511-011

A vulnerability in the Open Secure Socket Layer (OpenSSL 1095/1096) library can allow an attacker to perform active protocol-version rollback attacks that could lead to the use of the weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS 1.0.
The syslogtocern script from thttpd, a tiny webserver, uses a temporary file insecurely, allowing a local attacker to craft a symlink attack to overwrite arbitrary files.
Updated packages are available now.

System: SCO OpenServer / UnixWare
Topic: Vulnerability in htdig
Links: SCOSA-2005.45, SCOSA-2005.46, CVE-2005-0085
ID: ae-200511-010

A cross-site scripting vulnerability in docview (htdig) allows remote attackers to execute arbitrary web script or HTML via the config parameter, which is not properly sanitized before it is displayed in an error message. Patches are available now.

System: Red Hat Enterprise Linux
Topic: Vulnerabilities in libungif
Links: RHSA-2005-828, CVE-2005-2974, CVE-2005-3350, Q-041, ESB-2005.0875
ID: ae-200511-009

The libungif package contains a shared library of functions for loading and saving GIF format image files. Several bugs in the way libungif decodes GIF images were discovered. An attacker could create a carefully crafted GIF image file in such a way that it could cause an application linked with libungif to crash or execute arbitrary code when the file is opened by a victim. Fixed packages are available now.

System: Cisco Access Point
Topic: Vulnerability in Cisco Airespace WLAN Controller
Links: Cisco, ESB-2005.0873
ID: ae-200511-008

Cisco Access Points operating in Lightweight Access Point Protocol (LWAPP) mode may allow unauthenticated end hosts to send unencrypted traffic to a secure network by sending frames from the Media Access Control (MAC) address of an already authenticated end host. Cisco has made free software available to address this vulnerability.

System: Cisco IOS
Topic: Vulnerability in IOS System Timers
Links: Cisco, VU#562945, Q-038, ESB-2005.0874
ID: ae-200511-007

The Cisco Internetwork Operating System (IOS) may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has made free software available to address this vulnerability.

System: Red Hat Enterprise Linux
Topic: Vulnerability in openssl
Links: RHSA-2005-829, RHSA-2005-830, CAN-2004-0079, ESB-2005.0871, ESB-2005.0872
ID: ae-200511-006

A vulnerability was found in the openssl 0.9.6b packages. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that uses the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the server this could lead to a denial of service. Fixed packages are available now.

System: Debian GNU/Linux
Topic: Vulnerability in phpmyadmin
Links: DSA-880, CVE-2005-2869, CVE-2005-3300, CVE-2005-3301, ESB-2005.0868, Q-040
ID: ae-200511-005

Several cross-site scripting vulnerabilities have been discovered in phpmyadmin, a set of PHP-scripts to administrate MySQL over the WWW. Fixed packages are available now.

System: Cisco
Topic: Vulnerability in Cisco Management Center for IPS Sensors
Links: Cisco, VU#154883, ESB-2005.0863
ID: ae-200511-004

An issue exists in one of the components of the Cisco Management Center for IPS Sensors (IPS MC) v2.1 during the generation of the Cisco IOS IPS (Intrusion Prevention System) configuration file that may result in some signatures belonging to certain classes being disabled during the configuration deployment process. Cisco has made free software available to address this vulnerability.

System: Mac OS X
Topic: Apple OS X 10.4.3 Security Update
Links: ESB-2005.0862, Q-037, CVE-2005-1126, CVE-2005-1406, CVE-2005-2739, CVE-2005-2749, CVE-2005-2750, CVE-2005-2751, CVE-2005-2752
ID: ae-200511-003

Several security issues in Finder, Software Update, memberd, Keychain, and Kernel are fixed in Mac OS X v10.4.3.

System: NetBSD
Topic: Several vulnerabilities in NetBSD
Links: ESB-2005.0866, NetBSD-SA2005-004, NetBSD-SA2005-005, NetBSD-SA2005-006, NetBSD-SA2005-007, NetBSD-SA2005-008, NetBSD-SA2005-009, NetBSD-SA2005-010, NetBSD-SA2005-011, NetBSD-SA2005-012, NetBSD-SA2005-013, ESB-2005.0883, ESB-2005.0884, ESB-2005.0885, ESB-2005.0886, ESB-2005.0887, ESB-2005.0888, ESB-2005.0889, ESB-2005.0890, ESB-2005.0891, ESB-2005.0892, ESB-2005.0893
ID: ae-200511-002

NetBSD 2.0.3 is the third security/critical update of the NetBSD 2.0 release branch. This represents a selected subset of fixes deemed critical in nature for stability or security reasons.

System: Debian GNU/Linux
Topic: Vulnerability in gallery
Links: DSA-879, CAN-2005-2596, ESB-2005.0867
ID: ae-200511-001

A bug in gallery has been discovered that grants all registered postnuke users full access to the gallery. Fixed packages are available now.



(c) 2000-2014 AERAsec Network Services and Security GmbH