Chosen month 01 / 2007
|
|
System: Red Hat Enterprise Linux 4
Topic: Several vulnerabilities in kernel fixed
Links: RHSA-2007-0014, CVE-2006-4538, CVE-2006-4813, CVE-2006-4814, CVE-2006-5174, CVE-2006-5619, CVE-2006-5751, CVE-2006-5753, CVE-2006-5754, CVE-2006-5757, CVE-2006-5823, CVE-2006-6053, CVE-2006-6054, CVE-2006-6056, CVE-2006-6106, CVE-2006-6535, ESB-2007.0063, R-117
ID: ae-200701-081
Updated kernel packages that fix several security issues in the
Red Hat Enterprise Linux 4 kernel are now available.
|
|
|
A vulnerability was found in the Wiki-style text output formatter of
'cvstrac' and is triggered by special text constructs in commit messages,
tickets and Wiki pages.
Fixed software is available now.
|
|
|
The weekly SUSE Security Summary reports vulnerabilities in the packages
neon, gtk2, smb4k, amarok, and JBoss4.
Updated packages are available now and should be installed on vulnerable systems.
|
|
|
An authentication vulnerability has been discovered in pop3d, pop3ds, imapd
and imapds. The vulnerability allows a user to authenticate under
circumstances when authentication should fail.
A patch is available now.
|
|
|
An out-of-bounds memory read may occur while handling wireless frames. An
attacker in local proximity may be able to trigger a system crash by sending a
maliciously-crafted frame to an affected system.
A patch is available now.
|
|
|
Several security vulnerabilities in the FreeType 2 type engine may allow
a local unprivileged user to execute arbitrary commands with
the privileges of an application using FreeType 2 as a font service.
A patch is available now.
|
|
|
Buffer overflow in ulogd has unknown impact and attack vectors related
to "improper string length calculations."
The soup_headers_parse function in soup-headers.c for libsoup HTTP
library before 2.2.99 allows remote attackers to cause a denial of
service (crash) via malformed HTTP headers, probably involving missing
fields or values.
Fixed packages are available now.
|
|
System: Debian GNU/Linux
Topic: Vulnerabilities in mozilla-firefox and vlc
Links: DSA-1252, CVE-2007-0017, ESB-2007.0057, DSA-1253, CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502, CVE-2006-6503, ESB-2007.0056, R-116
ID: ae-200701-074
Several format string problems were discovered in vlc, a multimedia player
and streamer, that could lead to the execution of arbitrary code.
Several security related problems have been discovered in Mozilla and
derived products such as Mozilla Firefox.
Fixed packages are available now.
|
|
|
CHMlib is an open source library used to read Microsoft CHM (compressed HTML) files.
CHM files were originally designed for use by Microsoft as help files,
but are now commonly used to store e-books.
CHM files contain various tables and objects stored in "pages."
When parsing a page of objects, CHMlib passes an unsanitized value from the file to the
alloca() function.
This allows an attacker to shift the stack pointer to point to arbitrary locations in memory.
Consequently it is possible to write arbitrary data from the file to arbitrary memory locations.
This issue is addressed in version 0.39.
|
|
|
A Critical Patch Update is a collection of patches for multiple security vulnerabilities.
It also includes non-security fixes that are required (because of interdependencies)
by those security patches. This Critical Patch Update contains 51 new security fixes
across all products.
Affected are Oracle Database, Oracle Collaboration Suite, Oracle E-Business Suite and Applications,
Oracle Enterprise Manager, and Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne.
|
|
|
Format string vulnerability in the errors_create_window function in
errors.c in xine-ui allows attackers to execute arbitrary code via
unknown vectors.
XINE allows user-assisted remote attackers to cause a denial of service
(application crash) and possibly execute arbitrary code via a certain M3U
file that contains a long #EXTINF line.
Updated packages are patched to address this issue.
|
|
|
CA BrightStor ARCserve Backup for Laptops and Desktops contains multiple
overflow conditions that can allow a remote attacker to cause a denial of
service, or execute arbitrary code with local SYSTEM privileges on Windows.
A patch is available now.
|
|
|
A stack-based buffer overflow exists in a print provider installed by the
Citrix Metaframe Presentation Server.
This vulnerability allows remote attackers to execute arbitrary code on
systems with vulnerable installations of Citrix Presentation Server,
Metaframe Presentation Server or MetaFrame XP. Authentication is not
required to exploit this vulnerability.
A patch is available now.
|
|
|
Two integer overflows have been found in the Xorg X server which may allow
a local unprivileged user to execute arbitrary code with the
privileges of the Xorg server.
A patch is available now.
|
|
|
It is possible for named to dereference (read) a freed fetch context.
This can cause named to exit unintentionally.
If DNSSEC validation is enabled, responses to type * (ANY) queries that
return multiple RRsets in the answer section may trigger assertion checks.
Fixed software is available now.
|
|
|
Security vulnerabilities in the tip(1) command may allow a local unprivileged user
to execute arbitrary code with the privileges of user uucp (uid 5).
A patch is available now.
|
|
|
The gtk2 package contains the GIMP ToolKit (GTK+),
a library for creating graphical user interfaces for the X Window System.
A bug was found in the way the gtk2 GdkPixbufLoader() function processed invalid input.
Applications linked against gtk2 could crash if they loaded a malformed image file.
A patch solves this problem.
|
|
|
Due to a security vulnerability in the Sun Ray Server Software,
an unprivileged local user may be able to intercept the Sun Ray administrator's (utadmin)
password when the administrator logs in to the Sun Ray Administration Tool.
A patch is available now.
|
|
|
The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS
software is vulnerable to a remotely-exploitable memory leak that may lead to a
Denial-of-Service condition.
This vulnerability only applies to traffic destined to the Cisco IOS device.
Cisco has made free software available to address this vulnerability.
|
|
|
Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a
remotely exploitable crafted IP option Denial-of-Service (DoS) attack.
Exploitation of the vulnerability may potentially allow for arbitrary code execution.
The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP)
packet, Protocol Independent Multicast version 2 (PIMv2) packet,
Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet
containing a specific crafted IP option in the packet's IP header.
Cisco has made free software available to address this vulnerability.
|
|
|
Devices running Cisco IOS with IPv6 enabled are affected by a vulnerability.
Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS
software. This vulnerability does not affect the IPv6 Type 2 Routing header, which is used in Mobile
IPv6. IPv6 is not enabled by default in Cisco IOS.
Cisco has made free software available to address this vulnerability.
|
|
|
SGI has released Security Update #69 for SGI Advanced Linux Environment 3.
These updates fix already known security related problems in
libsgf and openoffice.org.
It is recommended to install this update.
|
|
System: Microsoft Windows
Topic: Vulnerability in Online Media Technologies NCTsoft NCTAudioFile2 ActiveX Control
Links: VU#292713
ID: ae-200701-059
The Online Media Technologies NCTsoft NCTAudioFile2 ActiveX control contains a buffer overflow
vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code
on a vulnerable system.
It's recommended to disable the NCTAudioFile2 ActiveX control in Internet Explorer, or
ActiveX completely.
|
|
|
An update fixes several format string bugs in xine-ui, xine-lib, xine-extra, and xine-devel
that can be exploited remotely with user-assistance to execute arbitrary code.
|
|
|
A security vulnerability in the kcms_calibrate(1) command may allow local unprivileged users
to execute arbitrary commands with root privileges.
A patch addresses this issue.
|
|
|
Ruby is a dynamic, open source programming language with a focus on simplicity and productivity.
The read_multipart function of the CGI library shipped with Ruby (cgi.rb) does not properly check boundaries in
MIME multipart content. This might lead to a Denial-of-Service (DoS).
A second DoS is possible because the CGI library allows an attacker to send a specially
crafted HTTP request with a multipart MIME body, leading to an infinite loop and CPU consumption.
It's recommended to upgrade to the latest version of Ruby.
|
|
|
A vulnerability in squid was discovered that could be remotely
exploited by using a special ftp:// URL.
Another Denial of Service vulnerability was discovered in squid 2.6
that allows remote attackers to crash the server by causing an
external_acl_queue overload.
Fixed software is available now.
|
|
|
The weekly SUSE Security Summary reports vulnerabilities in the packages
xsupplicant, ulogd, and dazuko.
Updated packages are available now and should be installed on vulnerable systems.
|
|
System: Various
Topic: Vulnerabilities in IBM Java
Links: CVE-2006-4339, CVE-2006-4790, CVE-2006-6731, CVE-2006-6736, CVE-2006-6737, CVE-2006-6745, SUSE-SA:2007:010, RHSA-2007-0062, RHSA-2007-0072, ESB-2007.0081, ESB-2007.0088
ID: ae-200701-053
Various security problems have been found in the IBM Java JRE and SDK.
Fixed software is available now.
|
|
|
It has been discovered that netrik, a text mode WWW browser with vi like
keybindings, doesn't properly sanitize temporary filenames when editing
textareas which could allow attackers to execute arbitrary commands via shell
metacharacters.
Fixed packages are available now.
|
|
|
The Internet Graphics Service (IGS) provides a server architecture, so data from a SAP system
or other sources can be used to generate graphical or non-graphical output.
IGS is installed and activated by default with the Web Application Server from version 6.30 on.
A specially crafted HTTP request can trigger a remote buffer overflow in SAP IGS.
As a consequence, code can be executed with administrative rights, which might compromise
the system. It's strongly recommended to install the patches which are available now.
|
|
|
A security vulnerability has been identified with HP-UX running IPFilter in
combination with PHNE_34474. The vulnerability could be exploited by a remote
unauthorized user to create a Denial of Service (DoS).
HP has made an updated package available.
|
|
|
A vulnerability has been identified with HP Jetdirect running ftp. The
vulnerability could be exploited remotely to create a Denial of Service (DoS).
Fixed Jetdirect firmware is available now.
|
|
System: Microsoft Windows
Topic: Vulnerability in HP Storage Management Appliance (SMA)
Links: HPSBST02184, SSRT071296, ESB-2007.0035
ID: ae-200701-048
The latest Microsoft patches need to be installed when using the SMA.
It's strongly recommended to install these hotfixes from Microsoft.
|
|
|
A buffer overflow vulnerability in processing GIF Images in the Sun Java
Runtime Environment may allow an untrusted applet to elevate its privileges.
Fixed software is available now.
|
|
System: Cisco
Topic: Vulnerabilities in Cisco Security Monitoring, Analysis and Response System and Cisco Adaptive Security Device Manager
Links: Cisco, ESB-2007.0032
ID: ae-200701-046
The Cisco Security Monitoring, Analysis and Response System (CS-MARS)
and the Cisco Adaptive Security Device Manager (ASDM) do not validate
the Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
certificates or Secure Shell (SSH) public keys presented by devices
they are configured to connect to.
Cisco has made free software available to address this vulnerability
for affected customers.
|
|
System: Mandriva Linux
Topic: Vulnerabilities in koffice, pdftohtml, poppler, xpdf, tetex, kdegraphics, and libgtop2
Links: MDKSA-2007:018, MDKSA-2007:019, MDKSA-2007:020, MDKSA-2007:021, MDKSA-2007:022, MDKSA-2007:024, CVE-2007-0104, MDKSA-2007:023, CVE-2007-0235
ID: ae-200701-045
A vulnerability in xpdf allows remote attackers to have an unknown impact,
possibly including denial of service (infinite loop), arbitrary code execution,
or memory corruption, via a crafted PDF file.
'koffice', 'pdftohtml', 'poppler', 'kdegraphics', and 'tetex' are affected, too.
Stack-based buffer overflow in the glibtop_get_proc_map_s function in
libgtop allows local users to cause a denial of service (crash) and possibly
execute arbitrary code via a process with a long filename that is mapped in
its address space, which triggers the overflow in gnome-system-monitor.
Fixed packages are available now.
|
|
|
Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 2.1 kernel are now available.
|
|
|
An array index error in the URI parser in neon 0.26.0 to 0.26.2 could possibly allow remote malicious servers
to cause a crash via a URI with non-ASCII characters.
This vulnerability may only exist on 64bit systems.
Updated packages are patched to address this issue.
|
|
|
It was discovered that the libsoup HTTP library performs insufficient
sanitising when parsing HTTP headers, which might lead to denial of service.
Fixed packages are available now.
|
|
|
An array index error in the URI parser in neon 0.26.0 to 0.26.2 could possibly allow remote malicious servers
to cause a crash via a URI with non-ASCII characters.
This vulnerability may only exist on 64bit systems.
Updated packages are patched to address this issue.
|
|
System: Microsoft Windows
Topic: Vulnerability in Acer LunchApp ActiveX Control
Links: VU#221700
ID: ae-200701-040
The Acer LunchApp ActiveX control is provided by LunchApp.ocx.
It contains a method called Run(), which takes three parameters: Drive, FileName, and CmdLine.
Although the control is not inherently marked as safe for scripting via the IObjectSafety interface,
it may be distributed with the appropriate Implemented Categories registry key to make it safe for scripting.
This means that a web page in Internet Explorer can call the Run() method of the control.
By convincing a victim to view an HTML document (web page, HTML email, or email attachment), an attacker
could run arbitrary commands with the privileges of the user running IE.
Acer has provided an update to solve this problem.
|
|
|
The Apple QuickTime plugin running in Microsoft Internet Explorer or Apple Safari fails to restrict web sites from
accessing content on the local filesystem. Current proof-of-concept exploit code uses the HREFTrack attribute
to exploit a Cross-Site scripting vulnerability in a file on Windows systems.
Please note that since QuickTime is a component of Apple iTunes, iTunes installations are also affected by this
vulnerability. The vulnerable QuickTime ActiveX controls can be disabled in Internet Explorer.
No update is available yet, but some workarounds are described in the CERT Vulnerability Note.
|
|
|
Some vulnerabilities have been found in CA BrightStor ARCserve Backup.
They involve multiple overflow conditions that can allow arbitrary code to be executed remotely with local SYSTEM
privileges on Windows. BrightStor ARCserve Backup Tape Engine service, Mediasvr service, and ASCORE.dll file are affected.
Updated versions can be downloaded and should be installed now.
|
|
System: Various
Topic: Vulnerabilities in HP OpenView Network Node Manager
Links: HPSBMA02176, SSRT051035, HPSBMA02175, SSRT061174, AL-2007.0010, R-107
ID: ae-200701-037
There are two vulnerabilities associated with the HP OpenView Network Node
Manager.
A remote, unauthorized user can run arbitrary code with the permissions
of the NNM Server.
A remote, unauthorized user can read files on the NNM Server.
Fixed software is available now.
|
|
|
Due to the lack of handling of potential symbolic links the host's jail
rc.d(8) script is vulnerable to "symlink attacks". By replacing
/var/log/console.log inside the jail with a symbolic link it is
possible for the superuser (root) inside the jail to overwrite files
on the host system outside the jail with arbitrary content.
A patch is available now.
|
|
|
A heap based buffer overflow flaw was found in the way the GNOME Structured
File Library (libgsf) processes certain OLE documents.
If a person opened a specially crafted OLE file, it could cause the
client application to crash or execute arbitrary code.
Fixed packages are available now.
|
|
System: VMware ESX Server
Topic: Vulnerabilities in VMware ESX Server
Links: VMSA-2007-0001, CVE-2003-0386, CVE-2004-2069, CVE-2006-0225, CVE-2006-2937, CVE-2006-2940, CVE-2006-3589, CVE-2006-3738, CVE-2006-4339, CVE-2006-4343, CVE-2006-4924, CVE-2006-4980, CVE-2006-5051, CVE-2006-5794, ESB-2007.0023
ID: ae-200701-034
Several vulnerabilities were found in VMware ESX Server.
Patches are available now.
|
|
|
A vulnerability exists in the Data-link Switching (DLSw) feature in
Cisco IOS where an invalid value in a DLSw message could result in a
reload of the DLSw device. Successful exploitation of this
vulnerability requires that an attacker be able to establish a DLSw
connection to the device.
Cisco has made free software available to address this vulnerability
for affected customers.
|
|
|
Cisco Unified Contact Center Enterprise, Cisco Unified Contact Center
Hosted, Cisco IP Contact Center Enterprise, and Cisco IP Contact
Center Hosted editions are affected by a vulnerability that may
result in the restart of the JTapi Gateway process. Until this process
restarts, no new connections can be processed. Existing connections
will continue to work.
Cisco has made free software available to address this vulnerability
for affected customers.
|
|
System: Sun Solaris
Topic: Vulnerabilities in gzip, Mozilla and libnsl
Links: Sun Alert ID 102766, CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338, ESB-2007.0014, Sun Alert ID 102713, CVE-2007-0165, ESB-2007.0019
ID: ae-200701-031
Security vulnerabilities in the gzip(1) command may allow a local or
remote unprivileged user to execute arbitrary code with the privileges
of another user who runs the gzip(1) command, or cause a Denial of
Service (DoS) condition using a specially crafted gzip archive.
A security vulnerability in Solaris 8 or 9 handling of some malformed
RPC requests may allow a local or remote unprivileged user to kill the
rpcbind(1M) server, causing a Denial of Service (DoS) condition.
Patches are available now.
|
|
|
A vulnerability in the NVIDIA Xorg driver was discovered by Derek
Abdine who found that it did not correctly verify the size of buffers
used to render text glyphs, resulting in a crash of the server when
displaying very long strings of text. If a user was tricked into
viewing a specially crafted series of glyphs, this flaw could be
exploited to run arbitrary code with root privileges.
KsIRC allows remote attackers to cause a denial of service
(crash) via a long PRIVMSG string when connecting to an Internet Relay
Chat (IRC) server, which causes an assertion failure and results in a
NULL pointer dereference.
Fixed packages are available now.
|
|
|
A potential vulnerability in ColdFusion and JRun URL parsing could allow an
attacker to access directory listings in the ColdFusion and JRun installation
directory. A specially crafted command sent to the ColdFusion and JRun server
could result in the attacker getting access to the directory listings.
An update is available now.
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
System: Various
Topic: Vulnerabilities in MIT Kerberos
Links: MITKRB5-SA-2006-002, MITKRB5-SA-2006-003, VU#481564, VU#831452, CVE-2006-6143, CVE-2006-6144, AL-2007.0008, OpenPKG-SA-2007.006, MDKSA-2007:008, SUSE-SA:2007:004, Sun Alert ID 102772, ESB-2007.0027
ID: ae-200701-024
Two security issues exist in the Kerberos network authentication system
implementation MIT Kerberos.
First, the RPC library could call an uninitialized function pointer,
which created a security vulnerability for kadmind(8).
Second, the GSS-API "mechglue" layer could fail to initialize some output
pointers, causing callers to attempt to free uninitialized pointers.
This caused another security vulnerability in kadmind(8).
Fixed software is available now.
|
|
System: Unix / Linux
Topic: Vulnerabilities in xorg-x11 and XFree
Links: iDefense #463, iDefense #464, iDefense #465, CVE-2006-6101, CVE-2006-6102, CVE-2006-6103, ESB-2007.0015, RHSA-2007-0003, ESB-2007.0017, ESB-2007.0018, R-105, MDKSA-2007:005, SUSE_2007_08, DSA-1249, ESB-2007.0029
ID: ae-200701-023
Several vulnerabilities were discovered in X.Org and XFree86,
that could allow a local attacker to execute arbitrary code with
privileges of the X server, typically root.
Fixed packages are available now.
|
|
|
Several vulnerabilities were found in the Sun Java packages.
Fixed packages are available now.
|
|
|
Two vulnerabilities were discovered in ftpd.
First, a password disclosure vulnerability exists in ftpd.
Second, a denial of service vulnerability has been found in ftpd which
allows a remote user to cause a denial of service by exhausting available
ephemeral ports.
A patch is available now.
|
|
|
The consume_labels function in avahi-core/dns.c in Avahi allows remote
attackers to cause a denial of service (infinite loop) via a crafted
compressed DNS response with a label that points to itself.
It was discovered that the geoipupdate utility fails to do sanity checking
on the filename returned by "GET /app/update_getfilename?product_id=%s".
Fixed packages are available now.
|
|
|
It was discovered that the proftpd FTP daemon is vulnerable to
denial of service if the addon module for Radius authentication is enabled.
An off-by-one error leading to a heap-based buffer overflow has been
identified in libapache-mod-auth-kerb, an Apache module for Kerberos
authentication. The error could allow an attacker to trigger an
application crash or potentially execute arbitrary code by sending a
specially crafted Kerberos message.
Fixed packages are available now.
|
|
|
The weblog publishing system WordPress, in versions up to and including 2.0.5, is affected by a vulnerability.
WordPress supports decoding Trackbacks with different charsets when PHP's "mbstring" extension is activated.
Because the decoding happens after the database escaping is performed, choosing a suitable charset for the input data
allows bypassing the protection against SQL injection.
|
|
|
Two security issues have been found in the POP3/IMAP batch client Fetchmail, versions up to and including 6.3.5.
First, several password disclosure vulnerabilities exist because Fetchmail uses unsafe logins or omits the
necessary protection through SSL/TLS.
Second, a Denial-of-Service (DoS) vulnerability exists because Fetchmail crashes on a NULL pointer dereference
when rejecting a message sent to an MDA.
|
|
|
Kaspersky Antivirus is a popular client and gateway virus scanner.
Kaspersky is vulnerable to a DoS condition when processing a specially crafted PE (portable executable) file.
One of the headers in a PE file is the Optional Windows Header section.
This section of the PE header contains information needed by the Windows linker and loader.
An invalid value for the 'NumberOfRvaAndSizes' field will cause Kaspersky to repeatedly seek and read from
the same section of the file in an endless loop.
Kaspersky Lab reports that it has fixed this vulnerability as of January 2nd, 2007.
|
|
|
Two vulnerabilities have been detected in the Opera Software Opera Web Browser.
A vulnerability exists due to Opera improperly processing a JPEG DHT marker.
The DHT marker is used to define a Huffman Table which is used for decoding the image data.
An invalid number of index bytes in the DHT marker will trigger a heap overflow with partially user controlled data.
This might lead to the execution of arbitrary code.
A second vulnerability exists within Opera's Javascript SVG implementation.
When processing a createSVGTransformFromMatrix request Opera does not properly validate the type of object passed
to the function. Passing an incorrect object to this function can result in it using a pointer that is
user controlled when it attempts to make the virtual function call. This also might lead to the execution of
arbitrary code on the vulnerable system.
Opera Software has addressed these vulnerabilities in version 9.10.
|
|
|
There are three categories of vulnerabilities (five vulnerabilities in total) associated with
an Applied Intelligence Response (AIR) document and the corresponding Cisco PSIRT Advisory.
Specially crafted HTTP GET request: processing a specially crafted HTTP GET request may
crash the CSAdmin service.
Specially crafted RADIUS Accounting-Request: processing a specially crafted RADIUS Accounting-Request
packet may crash the CSRadius service.
Both vulnerabilities are also susceptible to a stack overflow condition.
Specially crafted RADIUS Access-Request: processing a specially crafted RADIUS Access-Request packet
may crash the CSRadius service.
In the advisory Cisco describes how these vulnerabilities can be mitigated.
|
|
|
Two vulnerabilities exist in the content management system Drupal, version up to and including 4.7.4.
The first vulnerability exists because a few arguments passed via URLs are not properly sanitized before display.
When an attacker is able to entice an administrator to follow a specially crafted link, arbitrary HTML and script code
can be injected and executed in the victim's session.
Such an attack may lead to administrator access if certain conditions are met.
The second vulnerability is related to the way page caching has been implemented.
It allows a Denial-of-Service (DoS) attack. An attacker has to have the ability to post content on the site.
He or she would then be able to poison the page cache, so that it returns cached HTTP response code 404
("page not found") errors for existing pages. If the page cache is not enabled, the site is not vulnerable.
The vulnerability only affects sites running on top of MySQL.
An updated version fixes these problems.
|
|
|
Together with two portability and stability issues, two older security issues were fixed in the compression tool
BZip2, versions up to and including 1.0.3.
|
|
|
Several vulnerabilities have been found and fixed now in the kernel.
They might have led to a Denial-of-Service (local or remote) and a local privilege escalation.
It's recommended to install the update which is available now.
|
|
|
Multiple buffer overflows in MODPlug Tracker (OpenMPT) 1.17.02.43 and earlier and libmodplug 0.8 and earlier
allow user-assisted remote attackers to execute arbitrary code via long strings in ITP files used by the
CSoundFile::ReadITProject function in soundlib/Load_it.cpp and crafted modules used by the CSoundFile::ReadSample
function in soundlib/Sndfile.cpp, as demonstrated by crafted AMF files.
Updated packages are patched to address this issue.
|
|
|
The Citrix Presentation Server Client software provides an ActiveX control that can be used to
integrate the client into Web pages. The Citrix ICA Client ActiveX control, which is provided
by Wfica.ocx, contains a buffer overflow vulnerability in the SendChannelData() method.
Citrix notes that this vulnerability is present in all versions of the Citrix Presentation Server
Client for Windows earlier than 9.230.
An update is available now.
|
|
|
Insufficient validation in vga(4) may allow an attacker to gain root privileges if the kernel is compiled with option
PCIAGP and the actual device is not an AGP device.
The PCIAGP option is present by default on i386 kernels only.
A patch is available now.
|
|
System: Various
Topic: Vulnerability in OpenOffice and StarOffice
Links: OpenOffice, CVE-2006-5870, VU#220288, RHSA-2007-0001, ESB-2007.0002, R-098, SUSE_2007_01, DSA-1246, ESB-2007.0010, MDKSA-2007:006, ESB-2007.0020
ID: ae-200701-007
OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet,
presentation manager, formula editor, and drawing program.
Several integer overflow bugs were found in the OpenOffice.org WMF file processor.
An attacker could create a carefully crafted WMF file that could cause OpenOffice.org to execute arbitrary code
when the file was opened by a victim.
OpenOffice 2.1 is available now, fixing this problem.
|
|
|
Cisco Clean Access (CCA) is a software solution that can automatically detect, isolate, and clean infected or vulnerable
devices that attempt to access your network. It consists of Cisco Clean Access Manager (CAM) and Cisco Clean Access Server
(CAS) devices that work in tandem.
In order for Cisco CAM to authenticate to a Cisco CAS, both CAM and CAS must have the same shared
secret. The shared secret is configured during the initial CAM and CAS setup. Due to this vulnerability the shared secret
cannot be properly set or changed, and it will be the same across all affected devices.
Successful exploitation of the vulnerability may enable a malicious user to effectively take administrative control of a
CAS. After that, every aspect of CAS can be changed including its configuration and setup.
In order to exploit this vulnerability an attacker must be able to establish a TCP connection to CAS.
The software releases 3.6.4.3, 4.0.4, and 4.1.0 contain the fix for this vulnerability.
Manual backups of the database ("snapshots") taken on CAM are susceptible to brute force download attacks.
A malicious user can guess the file name and download it without authentication.
The file itself is not encrypted or otherwise protected.
The software releases 3.5.10 and 3.6.2 contain the fix for this vulnerability.
|
|
System: Various
Topic: Vulnerability in Adobe Acrobat Reader
Links: WISEC, Adobe, apsa07-01, CCC, CVE-2007-0045, VU#815960, VU#698924, R-096, ESB-2007.0001, apsa07-02, apsb07-01, AL-2007.0009, AU-2007.0001, ISS Alert, RHSA-2007-0017, ESB-2007.0024, SuSE:2007_11
ID: ae-200701-005
Adobe Acrobat Reader is software designed to view Portable Document Format (PDF) files.
Adobe also distributes the Adobe Acrobat Plug-In to allow users to view PDF files inside of a web browser.
The Adobe Acrobat Plug-In PDF Open Parameters feature allows users to specify actions to take on a PDF document
via URI parameters. However, the Adobe Acrobat Plug-In fails to properly validate these URI parameters for scripting code.
This allows user-supplied scripts to execute within the context of the web site hosting the PDF file causing a cross-site
scripting vulnerability.
This vulnerability is addressed in Adobe Acrobat Reader 8.0.
|
|
|
OLE for Process Control (OPC) is a specification for a standard set of OLE COM objects for use in the process control
and manufacturing fields. ICONICS provides OPC-based visualization software.
The ICONICS Dialog Wrapper Module ActiveX control is included with ICONICS OPC-enabled visualization tools,
such as the Gauge, Switch, and Vessel ActiveX controls.
The Dialog Wrapper Module ActiveX control fails to properly handle malformed input allowing a stack-based buffer
overflow to occur. This might result in the execution of code with the privileges of the user.
The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.
A Hotfix solves this problem.
|
|
|
A vulnerability exists in the way Apple QuickTime handles specially crafted Real Time Streaming Protocol (RTSP) URL strings.
An attacker may be able to craft a QTL file to take advantage of this vulnerability.
This could result in the execution of arbitrary code or a Denial-of-Service.
Please note that since QuickTime is a component of Apple iTunes, iTunes installations are also affected by this
vulnerability.
No update is available yet, but some workarounds are described in the CERT Vulnerability Note.
|
|
|
Wireshark, formerly Ethereal, contains a vulnerability in the HTTP dissector that may allow an attacker to cause a
Denial-of-Service condition. This vulnerability may be triggered when a remote attacker sends a specially crafted,
malformed packet to a vulnerable Wireshark installation or by convincing the user to read a malformed packet
trace file with Wireshark.
Version 0.99.4 solves this problem.
|
|
|
Three vulnerabilities have been identified and exploited in the network monitoring and graphing frontend Cacti,
versions up to and including 0.8.6i. They can be exploited by malicious people to bypass certain security restrictions,
manipulate data and compromise vulnerable systems.
An updated package remedies this problem.
|
|