Chosen month 11 / 2005
Several security issues in Apache2, apache_mod_ssl, CoreFoundation, curl, iodbcadmintool, OpenSSL, passwordserver, Safari, sudo, and syslog were fixed and bundled in the now available Security Update 2005-009.

System: Debian GNU/Linux
Topic: Vulnerabilities in gtk+2.0, gdk-pixbuf, and centericq
Links: DSA-911, DSA-913, CVE-2005-2975, CVE-2005-2976, CVE-2005-3186, ESB-2005.0948, ESB-2005.0955, DSA-912, CVE-2005-3694, ESB-2005.0953
ID: ae-200511-059
Several vulnerabilities were found in the way 'gtk2' and 'gdk-pixbuf' process
XPM images. An attacker could create a carefully crafted XPM file in such a
way that it could execute arbitrary code when the file was opened by a victim.
It was discovered that centericq, a text-mode multi-protocol instant messenger
client, can crash when it receives certain zero length packets and is directly
connected to the Internet.
Fixed packages are available now.

Racoon is an IKEv1 keying daemon, a common IPsec utility.
Due to a bug in the way Racoon parses incoming ISAKMP packets,
an attacker could possibly crash the racoon daemon by sending a
specially crafted ISAKMP packet.
Patches are available now.

System: SGI Advanced Linux Environment
Topic: Vulnerabilities in gdk-pixbuf, gtk2, lynx, php, libungif, curl, wget, openssl096b, and ethereal
Links: SGI-20051101-01
ID: ae-200511-057
SGI has released the Security Update #51 for SGI Advanced Linux Environment 3.
These updates fix security related problems in
gdk-pixbuf, gtk2, lynx, php, libungif, curl, wget, openssl096b, and ethereal.
So it's recommended to install these updates.
A vulnerability with the Java Management Extensions (JMX) implementation
included with the Java Runtime Environment (JRE) may allow an untrusted applet
to elevate its privileges. For example an applet may grant itself permissions
to read and write local files or execute local applications that are
accessible to the user running the untrusted applet.
Patches are available now.
A remote user can cause the CUPS service to hang and consume all
available CPU resources.
Patches are available now.
A security vulnerability in the libexif JPEG image processing library
may allow a remote unprivileged user who provides a carefully crafted
JPEG image the ability to execute arbitrary code with the privileges
of a local user who opens that image.
Multiple security vulnerabilities in the traceroute(1M) utility may
allow an unauthorized local user the ability to execute arbitrary code
with elevated privileges.
Patches are available now.
Several vulnerabilities in OTRS allow SQL injection and cross-site
scripting attacks.
Patches are available now.
Integer overflows in various applications in the binutils package may allow
attackers to execute arbitrary code via a carefully crafted object file.
fusermount failed to securely handle special characters specified in mount
points, which could allow a local attacker to corrupt the contents of
/etc/mtab by mounting over a maliciously-named directory using fusermount.
This could potentially allow the attacker to set unauthorized mount options.
Fixed packages are available now.
A security vulnerability in the Sun ONE and Sun Java System Directory Server's HTTP administrative interface
may allow a local or remote unprivileged user the ability to kill the admin server or execute arbitrary commands
on the system with the privileges of the admin server process.
The admin server process normally runs as the privileged "root" user.
The ability to kill the admin server is a type of Denial-of-Service.
Patches are available now.
Mambo is a Content Management System based on PHP.
Mambo versions 4.5.2.3 and prior contain a serious vulnerability allowing remote execution of arbitrary PHP code.
The vulnerability is in globals.php which allows arbitrary remote PHP files to be included and executed by
overwriting the global mosConfig_absolute_path parameter.
An exploit for this vulnerability is publicly available and widespread exploitation of vulnerable web servers
has been reported.
So it's recommended to install the patch immediately.
Cisco PIX firewall systems are used to enforce site-specific network security policy.
A problem has been publicly reported that may be used by remote, unauthenticated attackers to create a
sustained Denial-of-Service against PIX-protected systems under certain conditions (PIX 6.3, 7.0).
This condition may occur when TCP SYN packets with malformed TCP checksums and spoofed source addresses
and port values are sent to systems behind affected PIX firewalls.
Since the PIX reportedly doesn't validate the TCP checksum, it allows such packets through,
creating a connection entry to track the connection attempt to the destination from the spoofed
source address and port.
The target of the attack would silently drop malformed TCP SYN packets without sending TCP RST packets back
to the PIX to remove the connection entry.
Legitimate attempts to connect to PIX-protected systems may then be blocked for up to two minutes per attack
(assuming default connection timer settings).
Note this attack doesn't affect established TCP connections.
Exploit code has been made publicly available that may automate the sustained Denial-of-Service attack described above.
Cisco is working on a patch and has published a workaround.
ISAKMP is a standard protocol that provides the framework for establishing, negotiating, modifying, and deleting security associations.
The ISAKMP service listens on UDP port 500 on all the affected security gateways.
Under certain conditions a malformed ISAKMP packet can potentially cause the ISAKMP service to crash,
thereby affecting the availability and stability of dynamic VPN tunnels.
This Denial-of-Service can be fixed now with a patch.
No further comment due to legal reasons.

System: Debian GNU/Linux
Topic: Vulnerabilities in sylpheed, sylpheed-claws, ipmenu, horde3, and zope
Links: DSA-906, DSA-908, CVE-2005-3354, ESB-2005.0936, ESB-2005.0939, DSA-907, CVE-2005-2569, ESB-2005.0938, DSA-909, CVE-2005-3759, ESB-2005.0941, ESB-2005.0942, DSA-910, CVE-2005-3323, ESB-2005.0944
ID: ae-200511-046
Several buffer overflows were discovered in a number of importer routines in
sylpheed, a light-weight e-mail client with GTK+, and sylpheed-claws that
could lead to the execution of arbitrary code.
It was noticed that ipmenu, a cursel iptables/iproute2 GUI, creates a
temporary file in an insecure fashion, allowing a local attacker to overwrite
arbitrary files utilising a symlink attack.
The MIME viewer in horde3, a web application suite, does not always sanitise
its input, leaving a possibility to force the return of malicious code that
could be executed on the victim's machine.
A vulnerability has been discovered in zope 2.7, an Open Source web
application server, that allows remote attackers to insert arbitrary files via
include directives in reStructuredText functionality.
Fixed packages are available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in unzip, netpbm-free, and mantis
Links: DSA-903, CVE-2005-2475, ESB-2005.0932, Q-057, DSA-904, CVE-2005-3632, CVE-2005-3662, ESB-2005.0933, Q-058, DSA-905, CVE-2005-3091, CVE-2005-3335, CVE-2005-3336, CVE-2005-3338, ESB-2005.0934
ID: ae-200511-045
A race condition was discovered in the permissions setting code in unzip.
When decompressing a file in a directory an attacker has access to, unzip
could be tricked into setting the file permissions on a different file that the user
has permissions to.
Several buffer overflows were discovered in pnmtopng which is also
included in netpbm, a collection of graphic conversion utilities, that can
lead to the execution of arbitrary code via a specially crafted PNM file.
Several security related problems have been discovered in Mantis, a web-based
bug tracking system.
Fixed packages are available now.
A buffer overflow has been discovered in the sendmail program of xmail, an
advanced, fast and reliable ESMTP/POP3 mail server that could lead to the
execution of arbitrary code with group mail privileges.
Fixed packages are available now.
Certain BSD-based telnet clients allow remote malicious telnet servers to read sensitive environment
variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
A new package remedies this problem.
Gnump3d is a streaming server for MP3 and OGG files.
Several temporary files are created with predictable filenames in an insecure fashion and allow
local attackers to craft symlink attacks.
Additionally, the theme parameter of HTTP requests may be used for path traversal.
A new version solves these problems.
The Mozilla 1.7.12 browser in this update represents a significant advancement in features and fixes over
the Mozilla 1.6 released with SCO OpenServer 5.0.7 Maintenance Pack 3.
Altogether, about 38 vulnerabilities are fixed in this version.
Several cross-site scripting vulnerabilities have been discovered in
phpmyadmin, a set of PHP-scripts to administrate MySQL over the WWW.
Fixed packages are available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in phpgroupware, egroupware, and fetchmail
Links: DSA-898, DSA-899, CVE-2005-0870, CVE-2005-2600, CVE-2005-3347, CVE-2005-3348, ESB-2005.0926, ESB-2005.0927, DSA-900, CVE-2005-3088, ESB-2005.0929, Q-056
ID: ae-200511-039
Several vulnerabilities have been discovered in the phpsysinfo and egroupware
web-based groupware suites.
It was discovered that the fetchmailconfig program, which is provided as part
of fetchmail, a POP3, APOP, IMAP mail gatherer/forwarder, creates
the new configuration in an insecure fashion that can lead to leaking
passwords for mail accounts to local users.
Fixed packages are available now.
The Cisco 7920 Wireless IP Phone provides Voice Over IP service via IEEE
802.11b Wi-Fi networks and has a form-factor similar to a cordless phone. This
product contains two vulnerabilities:
The first vulnerability is an SNMP service with fixed community strings that
allow remote users to read, write, and erase the configuration of an affected
device.
The second vulnerability is an open VxWorks Remote Debugger on UDP port 17185
that may allow an unauthenticated remote user to access debugging information
or cause a denial of service.
Cisco has made free software available to address these vulnerabilities.
A security vulnerability has been identified with HP-UX running xterm.
The vulnerability could be exploited by a local user to gain
unauthorized access.
Patches are available now.
Several vulnerabilities have been discovered in phpsysinfo, a PHP
based host information application.
Fixed packages are available now.

System: Various
Topic: Vulnerabilities in gtk2 and gdk-pixbuf
Links: CVE-2005-2975, CVE-2005-2976, CVE-2005-3186, iDEFENSE, RHSA-2005-810, RHSA-2005-811, ESB-2005.0922, ESB-2005.0923, Q-054, SUSE-SA:2005:065, MDKSA-2005:214
ID: ae-200511-035
Several vulnerabilities were found in the way 'gtk2' and 'gdk-pixbuf'
process XPM images.
An attacker could create a carefully crafted XPM file in such a way that
it could execute arbitrary code when the file was opened by a victim.
Patches are available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in abiword, uim, and linux-ftpd-ssl
Links: DSA-894, CVE-2005-2964, CVE-2005-2972, ESB-2005.0917, DSA-895, CVE-2005-3149, ESB-2005.0918, DSA-896, CVE-2005-3524, ESB-2005.0920
ID: ae-200511-034
Several buffer overflows were discovered in the RTF import mechanism of
AbiWord, a WYSIWYG word processor based on GTK 2. Opening a specially
crafted RTF file could lead to the execution of arbitrary code.
It was discovered that incorrect use of environment variables in uim,
a flexible input method collection and library, could lead to
escalated privileges in setuid/setgid applications linked to libuim.
A buffer overflow has been discovered in ftpd-ssl, a simple BSD FTP server
with SSL encryption support, that could lead to the execution of arbitrary
code.
Fixed packages are available now.
Multiple Cisco products contain vulnerabilities in the processing of IPSec IKE
(Internet Key Exchange) messages.
Affected products include Cisco IOS, Cisco PIX Firewall, and Cisco VPN 3000
Series Concentrators.
Cisco has made free software available to address this vulnerability.
A vulnerability was discovered in acidlab, Analysis Console for Intrusion
Databases, which can be exploited by malicious users to conduct
SQL injection attacks.
Fixed packages are available now.
OpenBSD has published several patches, fixing vulnerabilities in
libungif, mailman, SNMP, PHP4, and TWiki.
It's recommended to install these updated packages.
Lynx is a web browser for the command line interface.
Remote exploitation of a command injection vulnerability in various vendors' implementations of Lynx could
allow attackers to execute arbitrary commands with the privileges of the underlying user.
The problem specifically exists within the feature to execute local cgi-bin programs via the "lynxcgi:" URI handler.
Lynx 2.8.6dev.15 solves this problem.
A buffer overflow bug was discovered in the Macromedia Flash Player. It may
be possible to execute arbitrary code on a victim's machine if the victim
opens a malicious Macromedia Flash file.
Fixed packages are available now.
A security vulnerability has been identified by IBM for the IBM
Tivoli Directory Server (ITDS) that would allow unauthorized access to change,
modify and/or delete directory data stored in IBM Tivoli Directory Server.
Patches are available now.
Several vulnerabilities were found in PHP:
A flaw was found in the way PHP registers global variables during a file
upload request. A remote attacker could submit a carefully crafted
multipart/form-data POST request that would overwrite the $GLOBALS array,
altering expected script behavior, and possibly leading to the execution of
arbitrary PHP commands.
A flaw was found in the PHP parse_str() function. If a PHP script passes
only one argument to the parse_str() function, and the script can be forced
to abort execution during operation (for example due to the memory_limit
setting), register_globals may be enabled even if it is disabled in the
PHP configuration file.
A Cross-Site Scripting flaw was found in the phpinfo() function.
A denial of service flaw was found in the way PHP processes EXIF image
data. It is possible for an attacker to cause PHP to crash by supplying
carefully crafted EXIF image data.
A bug was found in the way the pwmconfig tool creates temporary files. It
is possible that a local attacker could leverage this flaw to overwrite
arbitrary files located on the system.
Fixed packages are available now.
A stack overflow bug was discovered in Lynx when handling connections to
NNTP (news) servers.
Patches are available now.

System: HP-UX
Topic: Vulnerabilities in ftpd, remshd, and envd
Links: HPSBUX02071, SSRT051064, CVE-2005-3296, ESB-2005.0907, HPSBUX02072, SSRT051014, ESB-2005.0908, HPSBUX02073, SSRT051012, ESB-2005.0909, Q-049
ID: ae-200511-025
A vulnerability has been identified with HP-UX running
ftpd. The vulnerability could be exploited by a remote
unauthenticated user to list directories with the privileges of
the root user.
A vulnerability has been identified with HP-UX systems
running in Trusted Mode. The vulnerability could be exploited
remotely to gain unauthorized access.
A vulnerability has been identified with HP-UX running envd(1M). The
vulnerability could be exploited by a local authorized user to execute
arbitrary code and/or gain unauthorized privileges.
Patches are available now.
It was discovered that awstats, a featureful web server log analyser, passes
user-supplied data to an eval() function, allowing remote attackers to execute
arbitrary Perl commands.
Fixed packages are available now.
No further comment due to legal reasons.
The libungif package contains a shared library of functions for loading and
saving GIF format image files. Several bugs in the way libungif decodes GIF
images were discovered. An attacker could create a carefully crafted GIF image
file in such a way that it could cause an application linked with libungif to
crash or execute arbitrary code when the file is opened by a victim.
A format string vulnerability was discovered in gpsdrive, a car navigation
system, that can lead to the execution of arbitrary code.
Fixed packages are available now.
A buffer overflow vulnerability exists in a shared library used by the VERITAS
NetBackup volume manager daemon (vmd) running on VERITAS NetBackup 5.x servers
and clients. Successful exploitation of this overflow condition could possibly
allow a malicious attacker to create a denial of service disrupting backup
systems or potentially allow execution of arbitrary code with elevated
privileges on a targeted system.
Patches are available now.
Versions of VERITAS Cluster Server for UNIX are susceptible to
a buffer overflow vulnerability that could allow a local user
to create a disruption of backup/storage capabilities or
potentially gain elevated privileges on a targeted server.
Patches are available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in chmlib, clamav, openssl, and enigmail
Links: DSA-886, CVE-2005-2659, CVE-2005-2930, CVE-2005-3318, ESB-2005.0897, Q-043, DSA-887, CVE-2005-3239, CVE-2005-3303, CVE-2005-3500, CVE-2005-3501, ESB-2005.0898, Q-045, DSA-888, CVE-2005-2969, ESB-2005.0899, Q-044, DSA-889, CVE-2005-3256, VU#805121, ESB-2005.0900
ID: ae-200511-019
Chmlib is a library for dealing with CHM format files.
A buffer overflow in the LZX decompression method has been discovered.
Two further buffer overflows might lead to the execution of arbitrary code.
Clam AntiVirus is an antivirus scanner for Unix, designed for integration with mail servers to perform
attachment scanning.
The OLE2 unpacker allows remote attackers to cause a segmentation fault via a DOC file with an invalid
property tree, which triggers an infinite recursion.
A specially crafted executable compressed with FSG 1.33 could cause the extractor to write beyond buffer
boundaries, allowing an attacker to execute arbitrary code.
A specially crafted CAB file might cause ClamAV to be locked in an infinite loop and use all available
processor resources, resulting in a Denial-of-Service.
A vulnerability in the Open Secure Socket Layer (OpenSSL) library that can allow an attacker to perform
active protocol-version rollback attacks that could lead to the use of the weaker SSL 2.0 protocol
even though both ends support SSL 3.0 or TLS 1.0.
A vulnerability in enigmail, GPG support for Mozilla MailNews and Mozilla Thunderbird, can lead to the
encryption of mail with the wrong public key, hence, potential disclosure of confidential data to others.
Updated packages are available now.
The default installation of Horde3 on Debian includes an administrator account without a password.
OpenVPN is a free virtual private network daemon.
A format string vulnerability has been discovered that could allow arbitrary code to be executed on the client.
Additionally, a NULL pointer dereference has been discovered that could be exploited to crash the service.
Updated packages are available now.
Asterisk is a complete PBX in software. It runs on Linux, BSD and MacOSX and provides many features.
A vulnerability in the voicemail retrieval system allows an authenticated user to download any .wav/.WAV file
from the system, including other users' voicemail messages.
Asterisk has released patches for the vulnerabilities.
ClamAV is freely available anti-virus software.
Two vulnerabilities have been found in version 0.86.1.
The function tnef_attachment doesn't check a user-controlled value which is used to
fseek into the file being processed. So a user is able to specify the same block
for scanning repeatedly, thus leading to an infinite loop.
The libmspack library has problems with CAB files, so here a Denial-of-Service is possible, too.
Version 0.87.1 has been published now, fixing these vulnerabilities.
Apple QuickTime 7.0.3 has been published. It fixes some problems in earlier versions.
An integer overflow may be exploitable via remotely originated content, caused by
a sign extension of an embedded "Pascal" style string, resulting in a very large memory copy.
Improper movie attributes could result in a very large memory copy, too.
A missing movie attribute was interpreted as an extension, but the absence of the extension is not flagged
as an error, resulting in a dereference of a NULL pointer and leading to a Denial-of-Service.
Expansion of compressed PICT data could exceed the size of the destination buffer, so application
memory might be overwritten by remotely originating content.
PHP is an HTML-embedded scripting language.
A vulnerability exists in the handling of $GLOBALS during file uploads.
This may allow remote attackers to execute arbitrary PHP script.
An updated package is available now.
A problem with bounds validation for indexes of certain arrays in Flash Player 7.0.19.0 and earlier
might give the possibility that a third party could inject unauthorized code that would have been executed
by Flash Player. This is fixed in version 7.0.61.0 or 7.0.60.0 and 8.0.22.0, respectively.
In F-Secure Anti-Virus for Microsoft Exchange 6.40 and F-Secure Internet Gatekeeper 6.4x a limited directory
traversal vulnerability can be exploited by bypassing the Web Console authentication.
It's possible to gain read access to a file on the local disk from allowed hosts.
By default the connections are only allowed from the local host.
A hotfix remedies this problem.
A vulnerability in the Open Secure Socket Layer (OpenSSL 1095/1096) library can allow an attacker to perform active
protocol-version rollback attacks that could lead to the use of the weaker SSL 2.0 protocol even though
both ends support SSL 3.0 or TLS 1.0.
The syslogtocern script from thttpd, a tiny webserver, uses a temporary file insecurely,
allowing a local attacker to craft a symlink attack to overwrite arbitrary files.
Updated packages are available now.
A cross-site scripting vulnerability in docview (htdig) allows
remote attackers to execute arbitrary web script or HTML via the
config parameter, which is not properly sanitized before it is
displayed in an error message.
Patches are available now.
The libungif package contains a shared library of functions for loading and
saving GIF format image files.
Several bugs in the way libungif decodes GIF images were discovered. An
attacker could create a carefully crafted GIF image file in such a way that
it could cause an application linked with libungif to crash or execute
arbitrary code when the file is opened by a victim.
Fixed packages are available now.
Cisco Access Points operating in Lightweight Access Point Protocol (LWAPP)
mode may allow unauthenticated end hosts to send unencrypted traffic to a
secure network by sending frames from the Media Access Control (MAC) address
of an already authenticated end host.
Cisco has made free software available to address this vulnerability.
The Cisco Internetwork Operating System (IOS) may permit arbitrary code
execution after exploitation of a heap-based buffer overflow vulnerability.
Cisco has made free software available to address this vulnerability.
A vulnerability was found in the openssl 0.9.6b packages.
A remote attacker could perform a carefully crafted SSL/TLS
handshake against a server that uses the OpenSSL library in such a way as
to cause OpenSSL to crash. Depending on the server this could lead to a
denial of service.
Fixed packages are available now.
Several cross-site scripting vulnerabilities have been discovered in
phpmyadmin, a set of PHP-scripts to administrate MySQL over the WWW.
Fixed packages are available now.
An issue exists in one of the components of the Cisco Management Center for
IPS Sensors (IPS MC) v2.1 during the generation of the Cisco IOS IPS
(Intrusion Prevention System) configuration file that may result in some
signatures belonging to certain classes being disabled during the
configuration deployment process.
Cisco has made free software available to address this vulnerability.
Several security issues in Finder, Software Update, memberd, Keychain, and Kernel are fixed in Mac OS X v10.4.3.

System: NetBSD
Topic: Several vulnerabilities in NetBSD
Links: ESB-2005.0866, NetBSD-SA2005-004, NetBSD-SA2005-005, NetBSD-SA2005-006, NetBSD-SA2005-007, NetBSD-SA2005-008, NetBSD-SA2005-009, NetBSD-SA2005-010, NetBSD-SA2005-011, NetBSD-SA2005-012, NetBSD-SA2005-013, ESB-2005.0883, ESB-2005.0884, ESB-2005.0885, ESB-2005.0886, ESB-2005.0887, ESB-2005.0888, ESB-2005.0889, ESB-2005.0890, ESB-2005.0891, ESB-2005.0892, ESB-2005.0893
ID: ae-200511-002
NetBSD 2.0.3 is the third security/critical update of the NetBSD 2.0 release
branch. This represents a selected subset of fixes deemed critical in nature
for stability or security reasons.
A bug in gallery has been discovered that grants all registered postnuke users
full access to the gallery.
Fixed packages are available now.