Chosen month 02 / 2009
|
|
|
Dkim-milter is an implementation of the DomainKeys Identified Mail protocol. It may crash during DKIM verification if it encounters a specially-crafted or revoked public key record in DNS, resulting in a Denial-of-Service (DoS).
Fixed software is available now.
|
|
|
A heap-based buffer overflow has been discovered in the way the editor ed processes long file names. An attacker could create a file with a specially-crafted name that could possibly execute arbitrary code when opened in the ed editor.
This problem is solved with ESX 2.5.5 patch 12 Build 142708.
|
|
|
A vulnerability in Apache Tomcat 4.x and 5.x might show POSTed content from a previous request. Updated versions solve this problem.
|
|
|
There are three security vulnerabilities in the Tomcat JSP/Servlet container that affect Tomcat 5.5 bundled in Solaris 9 and Solaris 10.
The first two security vulnerabilities are Cross Site Scripting (XSS) issues while the third is a Directory Traversal vulnerability.
Patches have been published to solve this potential problem.
|
|
|
A potential security vulnerability has been identified with HP Virtual Rooms client running on Windows. The vulnerability is located in an ActiveX control and it could be exploited to allow remote execution of arbitrary code.
An updated client solves this problem.
|
|
|
PHP is an HTML-embedded scripting language. Multiple vulnerabilities in PHP have been found and patched in Turbolinux.
|
|
| System: | Mandriva Linux |
| Topic: | Vulnerabilities in squirrelmail, Nagios, audacity, net-snmp, valgrind, wireshark, xchat, nfs-utils, and proftpd |
| Links: | MDVSA-2009:053, CVE-2008-3663, MDVSA-2009:054, CVE-2007-5803, MDVSA-2009:055, CVE-2009-0490, MDVSA-2009:056, CVE-2008-6123, ESB-2009.0183, MDVSA-2009:057, CVE-2008-4865, esb-2009.0184, MDVSA-2009:058, wnpa-sec-2009-01, CVE-2009-0599, CVE-2009-0600, CVE-2009-0601, MDVSA-2009:059, CVE-2009-0315, MDVSA-2009:060, CVE-2008-4552, MDVSA-2009:061, CVE-2008-4242, CVE-2009-0542, CVE-2009-0543 |
| ID: | ae-200902-054 |
The programs above show vulnerabilities which should be fixed now using the latest patches.
|
|
|
No further comment due to legal reasons
|
|
|
The Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine contain multiple vulnerabilities that, if exploited, could result in different impacts such as administrative-level access via default user names and passwords, privilege escalation, and a Denial-of-Service (DoS) condition.
Cisco has released free software updates available for affected customers. Workarounds that mitigate some of the vulnerabilities are available.
|
|
|
Cisco Unified MeetingPlace Web Conferencing servers may contain an authentication bypass vulnerability that could allow an unauthenticated user to gain administrative access to the MeetingPlace application. Cisco has released free software updates that address this vulnerability.
|
|
|
All current versions of the Shibboleth 2 IdP are vulnerable to a cross-site attack during certain error conditions. Such attacks could
allow attackers to phish credentials, steal active sessions, or otherwise intercept user/IdP communications.
A workaround has been published.
|
|
|
Multiple vulnerabilities have been discovered in Drupal Core.
Fixed software is available and should be installed now.
|
|
|
It was discovered that a buffer overflow in the ARC2 implementation of Python
Crypto, a collection of cryptographic algorithms and protocols for Python,
allows denial of service and potentially the execution of arbitrary code.
Two SQL injection vulnerabilities have been found in proftpd, a
virtual-hosting FTP daemon.
Fixed packages are available now.
|
|
|
A specially crafted URL could be used to create a cross-site scripting attack
on RoboHelp installations.
Fixed software is available now.
|
|
|
Security vulnerabilities have been identified with HP OpenView
Network Node Manager (OV NNM). The vulnerabilities could be exploited
remotely to gain unauthorized access or to create a Denial of Service
(DoS).
A patch is available now.
|
|
|
A vulnerability was found in php-smarty that allows remote attackers
to execute arbitrary PHP code.
Fixed packages are available now.
|
|
| System: | Various |
| Topic: | Vulnerabilities in Adobe Flash Player |
| Links: | APSB09-01, CVE-2009-0114, CVE-2009-0519, CVE-2009-0520, CVE-2009-0521, CVE-2009-0522, iDefense, ESB-2009.0170, ESB-2009.0174, SUSE-SA:2009:011, ESB-2009.0275 |
| ID: | ae-200902-044 |
Several vulnerabilities were found in the Adobe Flash Player.
Fixed software is available now.
|
|
|
Some vulnerabilities have been found in the Tomcat packages in VMware VirtualCenter, VMware Server and VMware ESX. They might lead to cross-site scripting attacks or inappropriate access. An update to Apache Tomcat version 5.5.27 solves these problems.
|
|
| System: | SuSE Linux |
| Topic: | Vulnerabilities in apache-jakarta-tomcat-connectors, apache2-mod_php5, audacity, dovecot, libtiff-devel, libvirt, mediawiki, netatalk, novell-ipsec-tools, opensc, perl, phpPgAdmin, sbl, sblim-sfcb, swfdec, tomcat5, virtualbox, websphere-as_ce, wine, and xine-devel |
| Links: | SUSE-SR:2009:004 |
| ID: | ae-200902-042 |
A SUSE Security Summary reports vulnerabilities in the packages
apache-jakarta-tomcat-connectors, apache2-mod_php5, audacity, dovecot, libtiff-devel, libvirt, mediawiki, netatalk, novell-ipsec-tools, opensc, perl, phpPgAdmin, sbl, sblim-sfcb, swfdec, tomcat5, virtualbox, websphere-as_ce, wine, and xine-devel.
Updated packages are available now and should be installed on vulnerable systems.
|
|
|
Some vulnerabilities have been found in libpng, e.g. a 1-byte buffer overflow in pngpread.c. The function png_check_keyword() allows setting arbitrary bytes in the process memory to zero. Additionally a potential Denial-of-Service (DoS) against applications using this library has been found. All vulnerabilities can be fixed by installing the appropriate patch.
|
|
|
Proxy servers running in interception mode ("transparent" proxies) that make connection decisions based on HTTP header values may be used by an attacker to relay connections. Due to this, access to the user's web browser is possible as well as connecting to any address the proxy server is able to connect to. Please refer to the advisory for more information about vulnerable servers and patches.
|
|
|
OpenSSH version 5.2 is available now, offering more features and enhancements regarding security.
|
|
| System: | Mandriva Linux |
| Topic: | Vulnerabilities in php, dia, vim, epiphany, and pycrypto |
| Links: | MDVSA-2009:045, CVE-2008-5557, CVE-2008-5658, CVE-2008-5624, CVE-2008-5625, MDVSA-2009:046, CVE-2008-5984, MDVSA-2009:047, CVE-2009-0316, MDVSA-2009:048, MDVSA-2009:048-2, CVE-2008-5985, ESB-2009.0182, MDVSA-2009:049, MDVSA-2009:049-1, MDVSA-2009:050, CVE-2009-0544, ESB-2009.0166 |
| ID: | ae-200902-038 |
The programs above show vulnerabilities which should be fixed now using the latest patches.
|
|
|
Python has a variable called sys.path that contains all paths from which Python loads modules on import. Incorrect handling of that variable enables local attackers to execute arbitrary code via Python scripts in the current Gnumeric working directory.
An update provides a fix for this vulnerability.
|
|
|
A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9
and earlier versions. This vulnerability would cause the application to crash
and could potentially allow an attacker to take control of the affected
system. There are reports that this issue is being exploited.
A patch is not available yet.
|
|
|
A buffer overflow flaw was discovered in the dmail and tmail mail delivery
utilities shipped with imap. If either of these utilities were used as a
mail delivery agent, a remote attacker could potentially use this flaw to
run arbitrary code as the targeted user by sending a specially-crafted mail
message to the victim.
The CUPS security advisory, RHSA-2008:0937, stated that it fixed
CVE-2008-3640 for Red Hat Enterprise Linux 3, 4, and 5. It was discovered
this flaw was not properly fixed on Red Hat Enterprise Linux 3, however.
Fixed packages are available now.
|
|
|
A vulnerability was found in the FreeBSD telnet daemon, telnetd(8).
An attacker who can place a specially-constructed file onto a target system
(either by legitimately logging into the system or by exploiting some other
service on the system) can execute arbitrary code with the privileges of
the user running the telnet daemon (usually root).
A patch is available now.
|
|
| System: | HP-UX |
| Topic: | Vulnerabilities in Apache Web Server Suite |
| Links: | HPSBUX02401, SSRT090005, CVE-2007-6420, CVE-2008-1232, CVE-2008-1947, CVE-2008-2364, CVE-2008-2370, CVE-2008-2938, CVE-2008-2939, CVE-2008-3658, ESB-2009.0155 |
| ID: | ae-200902-033 |
Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server or Tomcat-based Servlet Engine. The vulnerabilities could be exploited remotely to cause a Denial-of-Service (DoS), cross-site scripting (XSS), execution of arbitrary code, or cross-site request forgery (CSRF). Updates should be installed immediately.
|
|
|
Sun Java System Directory Server Enterprise Edition 6.x shows a security vulnerability in the Directory Proxy Server, leading to a Denial-of-Service (DoS). A patch remedies this problem.
|
|
|
A security vulnerability in the Solaris Kerberos PAM module may allow a user-supplied Kerberos configuration file to be used to specify realm and KDC server information, thereby allowing certain remote unprivileged users or applications to gain elevated privileges of root.
A workaround is described in the advisory; a patch is still pending.
|
|
|
Several vulnerabilities have been discovered in Moodle, an online course management system.
They might lead to injection of arbitrary web code or web scripts as well as to a Denial-of-Service (DoS).
WebSVN is a tool to view Subversion repositories over the web. It does not properly restrict access to private repositories, allowing a remote attacker to read significant parts of their content.
Fixed packages are available now.
|
|
|
Multiple vulnerabilities exist in Java Web Start and
the Java Plug-in, the most serious of which may allow untrusted Java
Web Start applications and untrusted Java applets to obtain elevated
privileges.
Fixed software is available now.
|
|
|
Multiple input validation issues exist in Safari's handling of feed: URLs.
Fixed software is available now.
|
|
|
Apple has published the security update 2009-001 for Mac OS X.
It fixes multiple vulnerabilities in
AFP Server, Apple Pixlet Video, CarbonCore, CFNetwork, Certificate Assistant,
ClamAV, CoreText, CUPS, DS Tools, fetchmail, Folder Manager, FSEvents, Network
Time, perl, Printing, python, Remote Apple Events, Safari RSS, servermgrd,
SMB, SquirrelMail, X11, and XTerm.
It's recommended to install this update.
|
|
| System: | Red Hat Enterprise Linux |
| Topic: | Vulnerabilities in netpbm, mod_auth_mysql, and vnc |
| Links: | RHSA-2009-0012, CVE-2007-2721, CVE-2008-3520, ESB-2009.0136, RHSA-2009-0259, CVE-2008-2384, CVE-2009-0397, CVE-2009-0398, ESB-2009.0137, RHSA-2009-0261, CVE-2008-4770, ESB-2009.0138 |
| ID: | ae-200902-026 |
An input validation flaw and multiple integer overflows were discovered in
the JasPer library providing support for JPEG-2000 image format and used in
the jpeg2ktopam and pamtojpeg2k converters. An attacker could create a
carefully-crafted JPEG file which could cause jpeg2ktopam to crash or,
possibly, execute arbitrary code as the user running jpeg2ktopam.
A flaw was found in the way mod_auth_mysql escaped certain
multibyte-encoded strings. If mod_auth_mysql was configured to use a
multibyte character set that allowed a backslash '\' as part of the
character encodings, a remote attacker could inject arbitrary SQL commands
into a login request.
An insufficient input validation flaw was discovered in the VNC client
application, vncviewer. If an attacker could convince a victim to connect
to a malicious VNC server, or when an attacker was able to connect to
vncviewer running in the "listen" mode, the attacker could cause the
victim's vncviewer to crash or, possibly, execute arbitrary code.
Fixed packages are available now.
|
|
|
Several local vulnerabilities have been discovered in the PAM module for MIT
Kerberos and Heimdal Kerberos.
It was discovered that phpMyAdmin, a tool to administer MySQL over the web,
performs insufficient input sanitising, allowing a user-assisted remote
attacker to execute code on the webserver.
Fixed packages are available now.
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
The RIM BlackBerry Application Web Loader is an ActiveX control that is used
to load applications onto a BlackBerry device using a PC and Internet
Explorer.
The BlackBerry Application Web Loader ActiveX control, which is
provided by AxLoader.ocx or AxLoader.dll, contains stack buffer overflows in
the load() and loadJad() methods.
A patch is available now.
|
|
|
It was discovered that GNUTLS, an implementation of the TLS/SSL protocol,
handles verification of X.509 certificate chains incorrectly if a self-signed
certificate is configured as a trusted certificate. This could cause clients
to accept forged server certificates as genuine.
Several remote vulnerabilities have been discovered in the TYPO3 web content
management framework.
Fixed packages are available now.
|
|
|
Several vulnerabilities have been found in the kernel of Red Hat Enterprise Linux 5.
Fixed kernel packages are available now.
|
|
|
A security vulnerability has been identified with certain HP LaserJet
printers, HP Color LaserJet printers and HP Digital Senders. The
vulnerability could be exploited remotely to gain unauthorized access to files.
Patches are available now.
|
|
|
A security vulnerability has been identified with HP-UX running
NFS. This vulnerability could be exploited locally resulting in a Denial of
Service (DoS).
Patches are available now.
|
|
|
A security vulnerability in the process file system (proc(4)) when
interacting with the contract(4) file system may allow a local
unprivileged user the ability to panic the system or execute arbitrary
commands with all (super-user) privileges.
A patch is available now.
|
|
|
Several vulnerabilities have been discovered in the Linux kernel of
SUSE Linux Enterprise 10.
An updated Linux Kernel fixes this problem.
|
|
|
It was discovered that the core client for the BOINC distributed
computing infrastructure performs incorrect validation of the return
values of OpenSSL's RSA functions.
Fixed packages are available now.
|
|
|
Remote exploitation of multiple command injection vulnerabilities or a BSS-based buffer overflow vulnerability in Hewlett-Packard Network Node Manager (NNM) might allow an attacker to execute arbitrary code with the privileges of the affected service.
Remote exploitation of multiple information disclosure vulnerabilities might allow an attacker to gain access to sensitive information.
HP has published updates to solve these problems.
|
|
|
DevIL is a cross-platform image loading and manipulation toolkit.
A buffer overflow can be triggered via a specially crafted Radiance RGBE file, leading to the execution of arbitrary code.
Updated packages are available now.
|
|
|
Several vulnerabilities were found in the gstreamer-plugins packages.
Fixed packages are available now.
|
|
|
Due to an internal error Squid is vulnerable to a denial
of service attack when processing specially crafted requests.
This problem allows any client to perform a denial of service
attack on the Squid service.
A patch to fix this problem is available now.
|
|
|
A flaw was discovered in the way sudo handled group specifications in "run
as" lists in the sudoers configuration file. If sudo configuration allowed
a user to run commands as any user of some group and the user was also a
member of that group, sudo incorrectly allowed them to run defined commands
with the privileges of any system user.
A patch to fix this problem is available now.
|
|
|
A cross-site scripting vulnerability was found in the 'Views bulk operations'
module.
Updates solve these potential problems. Please be aware that Drupal core is not affected.
|
|
|
Multiple vulnerabilities exist in the Cisco Wireless LAN Controllers (WLCs),
Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750
Integrated Wireless LAN Controllers.
Cisco has released free software updates that address these vulnerabilities.
|
|
|
Multiple vulnerabilities were found in the Mozilla Firefox browser.
Also affected are Thunderbird and SeaMonkey.
Fixed software is available now.
|
|
|
Updated ESX patches address an issue loading corrupt
virtual disks and update Service Console packages
for net-snmp and libxml2.
|
|
| System: | SuSE Linux |
| Topic: | Vulnerabilities in boinc-client, xrdp, phpMyAdmin, libnasl, moodle, xrdp, net-snmp, audiofile, XFree86/xterm, amarok, libpng, sudo, and avahi |
| Links: | SUSE-SR:2009:003 |
| ID: | ae-200902-003 |
A SUSE Security Summary reports vulnerabilities in the packages
boinc-client, xrdp, phpMyAdmin, libnasl, moodle, xrdp, net-snmp, audiofile,
XFree86/xterm, amarok, libpng, sudo, and avahi.
Updated packages are available now and should be installed on vulnerable systems.
|
|
|
Multiple vulnerabilities were disclosed in Novell GroupWise 7 and 8 which
may allow an attacker to execute arbitrary code, compromise a GroupWise
account, conduct cross-site scripting attacks, or obtain sensitive
information.
Fixed software is available now.
|
|
|
It was discovered that xvnc4viewer, a virtual network computing client
software for X, is prone to an integer overflow via a malicious encoding value
that could lead to arbitrary code execution.
Fixed packages are available now.
|
|