Chosen month 03 / 2009
|
|
|
A vulnerability in MIT Kerberos 5 (aka krb5) allows remote attackers to
cause a denial of service.
Fixed packages are available now.
|
|
|
It was discovered that auth2db, an IDS logger, log viewer and alert generator,
is prone to an SQL injection vulnerability, when used with multibyte character
encodings.
It was discovered that nss-ldapd, an NSS module for using
LDAP as a naming service, by default creates the configuration file
/etc/nss-ldapd.conf world-readable which could leak the configured
LDAP password if one is used for connecting to the LDAP server.
Fixed packages are available now.
|
|
|
A flaw was discovered in the Dead Peer Detection (DPD) in the pluto IKE
daemon of Openswan and strongswan.
A remote attacker could use a malicious DPD packet to crash the pluto daemon.
It was discovered that Openswan's livetest script created temporary files
in an insecure manner. A local attacker could use this flaw to overwrite
arbitrary files owned by the user running the script.
Fixed software is available now.
|
|
|
Local privileged users inside a non-global zone may be able to execute
arbitrary code within a global zone if an mdb process within the
global zone attaches to a non-global zone process. The code would be
executed with the privileges of the user running mdb, which could
potentially be root.
Patches are available now.
|
|
|
Several vulnerabilities have been found in the kernel of Red Hat Enterprise MRG
for RHEL 5.
Fixed kernel packages are available now.
|
|
| System: |
Various
|
| Topic: |
Vulnerabilities in Mozilla Firefox and Seamonkey
|
| Links: |
Mozilla,
CVE-2009-1044,
CVE-2009-1169,
RHSA-2009-0397,
RHSA-2009-0398,
ESB-2009.0295,
DSA-1756,
ESB-2009.0291,
TLSA-2009-11,
SUSE-SA:2009:022,
SUSE-SA:2009:023,
ESB-2009.0381
|
| ID: |
ae-200903-053
|
Two vulnerabilities were found in the Mozilla Firefox browser and Seamonkey. Fixed software is available now.
|
|
|
The Token authentication module allows access to RSS feeds via a token without having to provide your username and password to the site. Token authentication did not properly use the Drupal Form API which would allow a malicious user to learn the site administrator's token giving them the ability to read any nodes on the site via an RSS feed.
The Wikitools module provides several options to get a more wiki-like behavior for Drupal. On several pages, the Wikitools module prints out a parameter without escaping it. Malicious users are thus able to execute a cross site scripting (XSS) attack when they entice users to visit a specifically crafted URL. This may lead to a malicious user gaining full administrative access.
The Vote Up/Down module provides a voting widget for content that records votes using Ajax.
The URL for voting is vulnerable to cross-site request forgeries (CSRF) making it possible for users to unknowingly vote for content.
Updated software is available now. Please be aware that Drupal core is not affected.
|
|
|
It has been discovered that the snmpd daemon doesn't use TCP wrappers correctly, causing network host access restrictions defined in "/etc/hosts.allow" and
"/etc/hosts.deny" to not be honored. A remote attacker could use this flaw to bypass intended access restrictions.
An updated package addresses this issue.
|
|
|
NetworkManager is a network link manager that attempts to keep a wired or wireless network connection active at all times.
An information disclosure flaw was found in NetworkManager's D-Bus interface. A local attacker could leverage this flaw to discover sensitive information, such as network connection passwords and pre-shared keys. Furthermore, a potential Denial-of-Service flaw was found in NetworkManager's D-Bus interface. A local user could leverage this flaw to modify local connection settings, preventing the system's network connection from functioning properly.
Updated packages are available now.
|
|
|
Several vulnerabilities have been detected in Cisco IOS.
Using different protocols and methods, some of them might lead to a Denial-of-Service or privilege escalation. It's strongly recommended to update the IOS of production systems.
|
|
|
An update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. It's available for Red Hat Enterprise Linux now.
|
|
|
No further comment due to legal reasons
|
|
|
Debian points out that the browser iceweasel has reached its End of Life. Because of this, it is no longer supported. It's recommended to switch to another browser.
|
|
|
SystemTap is an instrumentation infrastructure for systems running version 2.6 of the Linux kernel. SystemTap scripts can collect system operations data, greatly simplifying information gathering. Collected data can then assist in performance measuring, functional testing, and performance and function problem diagnosis.
A race condition has been discovered in SystemTap that could allow users in the stapusr group to elevate privileges to that of members of the stapdev group
(and hence root), bypassing directory confinement restrictions and allowing them to insert arbitrary SystemTap kernel modules.
Updated software is available now.
|
|
| System: |
Various
|
| Topic: |
Vulnerabilities in Sun Java Runtime Environment
|
| Links: |
Sun Alert 254569,
Sun Alert 254570,
Sun Alert 254571,
Sun Alert 254608,
Sun Alert 254609,
Sun Alert 254610,
Sun Alert 254611,
CVE-2009-1093,
CVE-2009-1094,
CVE-2009-1095,
CVE-2009-1096,
CVE-2009-1097,
CVE-2009-1098,
CVE-2009-1099,
CVE-2009-1100,
CVE-2009-1101,
CVE-2009-1102,
CVE-2009-1103,
CVE-2009-1104,
CVE-2009-1105,
CVE-2009-1106,
CVE-2009-1107,
ESB-2009.0276,
ESB-2009.0277,
ESB-2009.0278,
ESB-2009.0279,
ESB-2009.0280,
ESB-2009.0281,
VU#845747,
iDEFENSE #777,
iDEFENSE #778,
iDEFENSE #779,
iDEFENSE #780,
iDEFENSE #781,
RHSA-2009-0392,
RHSA-2009-0394,
ESB-2009.0290,
SUSE-SA:2009:016,
ESB-2009.0320,
DSA-1769,
ESB-2009.0348
|
| ID: |
ae-200903-044
|
Several vulnerabilities were found in the Sun Java Runtime Environment (JRE).
Fixed software is available now.
|
|
|
Multiple integer overflows causing heap-based buffer overflows were
discovered in GLib's Base64 encoding and decoding functions.
An attacker could use these flaws to crash an application using
GLib's Base64 functions to encode or decode large, untrusted inputs,
or, possibly, execute arbitrary code as the user running the application.
Fixed packages are available now.
|
|
|
It was discovered that WebCit, the web-based user interface for the Citadel
groupware system, contains a format string vulnerability in the mini_calendar
component, possibly allowing arbitrary code execution.
Fixed packages are available now.
|
|
|
A vulnerability was discovered in the DNSSEC lookaside validation (DLV)
of ISC BIND: unrecognized signature algorithms, which should have been
treated as the equivalent of an unsigned zone, were instead treated as a
validation failure.
Fixed software is available now.
|
|
|
An unprivileged process can overwrite an arbitrary location in kernel
memory.
A patch is available now.
|
|
| System: |
Debian GNU/Linux
|
| Topic: |
Vulnerabilities in Linux Kernel 2.6.x
|
| Links: |
DSA-1749,
CVE-2009-0029,
CVE-2009-0031,
CVE-2009-0065,
CVE-2009-0269,
CVE-2009-0322,
CVE-2009-0675,
CVE-2009-0676,
CVE-2009-0745,
CVE-2009-0746,
CVE-2009-0747,
CVE-2009-0748,
ESB-2009.0263
|
| ID: |
ae-200903-039
|
Several vulnerabilities have been discovered in the Linux kernel that may lead to a Denial-of-Service or privilege escalation.
The Linux Kernel 2.6.24 fixes these problems.
|
|
|
A security vulnerability has been identified in pam.
Fixed packages are available now.
|
|
| System: |
Debian GNU/Linux
|
| Topic: |
Vulnerabilities in lcms, ghostscript, glib2.0, and libsoup
|
| Links: |
DSA-1745,
CVE-2009-0581,
CVE-2009-0723,
CVE-2009-0733,
ESB-2009.0284,
DSA-1746,
CVE-2009-0583,
CVE-2009-0584,
DSA-1747,
CVE-2008-4316,
ESB-2009.0264,
DSA-1748,
CVE-2009-0585
|
| ID: |
ae-200903-037
|
Several security issues have been discovered in lcms, a color management library. They are due to insufficient checks of files, leading to buffer overflows and the execution of arbitrary code. Additionally, a memory leak might lead to a Denial-of-Service condition.
Ghostscript is the GPL Ghostscript PostScript/PDF interpreter. Two different vulnerabilities might lead to the execution of arbitrary code via crafted ICC profiles in PostScript files with embedded images.
Libsoup is an HTTP library implementation written in C, and glib2.0 is the GLib library of C routines. Both handle strings insecurely in their Base64 encoding functions. This could possibly lead to the execution of arbitrary code.
Fixed software is available now.
|
|
|
Tasklist does not properly use the Drupal database API and inserts values from
the URL directly into queries. This can be exploited to perform SQL Injection
attacks.
Please be aware that Drupal core is not affected.
|
|
|
Several vulnerabilities in the UFS file system involving the ufs_getpage()
and ufs_putapage() routines may lead to a system hang or a system panic.
A security vulnerability in Solaris Kerberos (see kerberos(5)) may
allow an unauthenticated remote user on a system which can access a
master Key Distribution Center (KDC) server to prevent propagation of
incremental propagation requests to slave KDC servers.
Patches are available now.
|
|
| System: |
Red Hat Enterprise Linux |
| Topic: |
Vulnerabilities in lcms, curl, and ghostscript
|
| Links: |
RHSA-2009-0339,
CVE-2009-0581,
CVE-2009-0723,
CVE-2009-0733,
ESB-2009.0257,
RHSA-2009-0341,
CVE-2009-0037,
ESB-2009.0258,
RHSA-2009-0345,
CVE-2009-0583,
CVE-2009-0584,
ESB-2009.0259
|
| ID: |
ae-200903-034
|
Multiple integer overflow flaws which could lead to heap-based buffer
overflows, as well as multiple insufficient input validation flaws, were
found in LittleCMS. An attacker could use these flaws to create a
specially-crafted image file which could cause an application using
LittleCMS to crash, or, possibly, execute arbitrary code when opened by a
victim.
A security vulnerability has been identified in curl.
Multiple integer overflow flaws which could lead to heap-based buffer
overflows, as well as multiple insufficient input validation flaws, were
found in Ghostscript's International Color Consortium Format library
(icclib).
Fixed packages are available now.
|
|
|
It was discovered that an error in the handling of color codes
in the weechat IRC client could cause an out-of-bounds read of an internal
color array. This can be used by an attacker to crash user clients
via a crafted PRIVMSG command.
Fixed packages are available now.
|
|
| System: |
Red Hat Enterprise Linux |
| Topic: |
Vulnerabilities in libsoup, evolution-data-server, and evolution
|
| Links: |
RHSA-2009-0344,
CVE-2009-0585,
ESB-2009.0248,
RHSA-2009-0354,
RHSA-2009-0355,
CVE-2009-0547,
CVE-2009-0582,
CVE-2009-0587,
ESB-2009.0247
|
| ID: |
ae-200903-032
|
Libsoup is an HTTP client/library implementation for GNOME written in C. It was originally part of a SOAP (Simple Object Access Protocol).
An integer overflow flaw might cause a heap-based buffer overflow in libsoup's Base64 encoding routine. An attacker could use this flaw to crash, or, possibly, execute arbitrary code. This arbitrary code would execute with the privileges of the application using libsoup's Base64 routine to encode large, untrusted inputs.
Evolution Data Server provides a unified back-end for applications which interact with contact, task, and calendar information.
It doesn't properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user.
Furthermore, it has been discovered that Evolution Data Server doesn't properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication.
Multiple integer overflow flaws which might cause heap-based buffer overflows were found in the Base64 encoding routines used by Evolution Data Server. This could cause an application using Evolution Data Server to crash, or, possibly, execute arbitrary code when large untrusted data blocks were Base64-encoded.
Fixed packages are available now.
|
|
|
A security vulnerability in the Solaris 10 keysock kernel module may allow local users with sufficient privileges to create PF_KEY sockets to be able to cause a system panic thereby resulting in a Denial-of-Service (DoS) to the system as a whole.
Patches are available now.
|
|
|
It has been discovered that an integer overflow in the PSI Jabber client may lead to remote Denial-of-Service (DoS).
An updated package solves this problem.
|
|
| System: |
Debian GNU/Linux
|
| Topic: |
Vulnerabilities in mldonkey, yaws, and libsnd
|
| Links: |
DSA-1739,
CVE-2009-0753,
ESB-2009.0241,
DSA-1740,
CVE-2009-0751,
ESB-2009.0245,
DSA-1742,
CVE-2009-0186,
ESB-2009.0244
|
| ID: |
ae-200903-029
|
It has been discovered that mldonkey, a client for several P2P networks, allows attackers to download arbitrary files using crafted requests to the HTTP console.
Yaws, a high performance HTTP 1.1 webserver, is prone to a Denial-of-Service (DoS) attack via a request with a large HTTP header.
Additionally, libsndfile, a library to read and write sampled audio data, is prone to an integer overflow. This causes a heap-based buffer overflow when processing crafted CAF description chunks, possibly leading to arbitrary code execution.
Updated software addresses these issues.
|
|
|
A security vulnerability has been identified and fixed in avahi which could allow remote attackers to cause a Denial-of-Service (DoS, network bandwidth and CPU consumption) via a crafted legacy unicast mDNS
query packet. Updated software remedies this problem.
|
|
|
PTK is an interface to the sleuthkit forensic tools that uses Apache, PHP and MySQL. PTK versions 1.0.0 to 1.0.4 contain multiple vulnerabilities. These vulnerabilities may be triggered remotely or during the inspection of local HTML files that are rendered in web browsers.
Due to these vulnerabilities, a remote unauthenticated attacker may be able to execute arbitrary JavaScript or run commands in the context of the Apache webserver.
The most recent version doesn't show these vulnerabilities.
|
|
|
Vulnerabilities were found in the Solaris NFS Daemon (nfsd(1M)) and
the Solaris NFS server security modes (nfssec(5)).
Patches are available now.
|
|
|
Several vulnerabilities have been found in the kernel of Red Hat Enterprise Linux 4.
Fixed kernel packages are available now.
|
|
|
A flaw was found in the way ICU, the International Components for Unicode
library, processes certain, invalid, encoded data.
If an application used ICU to decode malformed, multibyte, character data,
it may have been possible to bypass certain content protection mechanisms,
or display information in a manner misleading to the user.
Fixed packages are available now.
|
|
| System: |
SuSE Linux
|
| Topic: |
Vulnerabilities in curl, libmikmod, apache2, optipng, psi, java-1_6_0-openjdk, and gtk2
|
| Links: |
SUSE-SR:2009:006
|
| ID: |
ae-200903-023
|
A SUSE Security Summary reports about vulnerabilities in the packages
curl, libmikmod, apache2, optipng, psi, java-1_6_0-openjdk, and gtk2.
Updated packages are available now and should be installed on vulnerable systems.
|
|
|
Several security issues have been discovered in wesnoth, a fantasy turn-based
strategy game.
A security vulnerability has been identified in curl.
Fixed packages are available now.
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
A vulnerability was found in the pedantic option in the SIP channel driver,
that may lead to denial of service attacks.
Fixed software is available now.
|
|
| System: |
Various
|
| Topic: |
Vulnerability in Adobe Reader
|
| Links: |
APSA09-04,
APSA09-03,
APSA09-01,
CVE-2009-0193,
CVE-2009-0658,
CVE-2009-0927,
CVE-2009-0928,
CVE-2009-1061,
CVE-2009-1062,
VU #905281,
CVE-2009-0658,
ESB-2009.0162,
SUSE-SA:2009:014,
TLSA-2009-10,
Sun Alert #256788,
ESB-2009.0368
|
| ID: |
ae-200903-017
|
A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9
and earlier versions. This vulnerability would cause the application to crash
and could potentially allow an attacker to take control of the affected
system. There are reports that this issue is being exploited.
A patch is available now.
|
|
|
It was discovered that znc, an IRC proxy/bouncer, does not properly sanitize
input contained in configuration change requests to the webadmin interface.
This allows authenticated users to elevate their privileges and indirectly
execute arbitrary commands.
It was discovered that mahara, an electronic portfolio, weblog, and resume
builder, is prone to cross-site scripting attacks, which allows the injection
of arbitrary Java or HTML code.
Fixed packages are available now.
|
|
|
The calendar application in the examples contains invalid HTML which
renders the XSS protection for the time parameter ineffective. An
attacker can therefore perform an XSS attack using the time attribute.
A workaround is described in the advisory.
|
|
|
The request handler in JBossWS does not correctly verify the resource path
when serving WSDL files for custom web service endpoints. This allows
remote attackers to read arbitrary XML files with the permissions of the
EAP process.
Fixed software is available now.
|
|
|
A crafted PDF file that triggers a parsing error allows remote
attackers to cause a denial of service.
A security vulnerability has been identified in curl.
Fixed packages are available now.
|
|
|
Multiple vulnerabilities were discovered in the Apple Time Capsule and
AirPort Extreme Base Station with 802.11n.
Fixed firmware is available now.
|
|
|
Several vulnerabilities were found in PHP.
Crafted data (the channels per frame value) in CAF files enables remote
attackers to execute arbitrary code or cause a denial of service via a possible
integer overflow in libsndfile, leading to a possible heap overflow.
Patches are available now.
|
|
|
A denial of service (DoS) vulnerability exists in the Cisco Session
Border Controller (SBC) for the Cisco 7600 series routers.
Cisco has released free software updates that address this vulnerability.
|
|
|
It was discovered that OpenSC, a set of smart card utilities,
could store private data on a smart card without proper access
restrictions.
Fixed packages are available now.
|
|
| System: |
Red Hat Enterprise Linux
|
| Topic: |
Vulnerabilities in wireshark
|
| Links: |
RHSA-2009-0313,
CVE-2008-4680,
CVE-2008-4681,
CVE-2008-4682,
CVE-2008-4683,
CVE-2008-4684,
CVE-2008-4685,
CVE-2008-5285,
CVE-2009-0599,
CVE-2009-0600,
ESB-2009.0201
|
| ID: |
ae-200903-008
|
Several vulnerabilities were found in Wireshark.
Fixed packages are available now.
|
|
| System: |
Various
|
| Topic: |
Vulnerabilities in Mozilla Firefox, Thunderbird, and Seamonkey
|
| Links: |
Mozilla,
RHSA-2009-0315,
RHSA-2009-0325,
RHSA-2009-0258,
ESB-2009.0204,
ESB-2009.0274,
ASA-2009-069,
ESB-2009.0220,
MDVSA-2009:075,
SUSE-SA:2009:012,
ESB-2009.0262,
TLSA-2009-9
|
| ID: |
ae-200903-007
|
Multiple vulnerabilities were found in the Mozilla Firefox browser.
Also affected are Thunderbird and Seamonkey.
Fixed software is available now.
|
|
|
A SUSE Security Summary reports about vulnerabilities in the packages
dhcp, ntp/xntp, squid, wireshark, libpng, pam_mount, enscript, eID-belgium,
and gstreamer-0_10-plugins-good.
Updated packages are available now and should be installed on vulnerable systems.
|
|
|
A vulnerability in the way libpng handles element pointers could allow an
unauthenticated, remote attacker to execute arbitrary code or cause a
denial of service.
Fixed software is available now.
|
|
|
An assertion error was discovered in squid3, a full featured Web Proxy cache,
which could lead to a denial of service attack.
Several vulnerabilities have been found in vim, an enhanced vi editor.
Fixed packages are available now.
|
|
|
Several vulnerabilities have been discovered in the Linux kernel of
openSUSE 11.1.
An updated Linux Kernel fixes these problems.
|
|
|
Several vulnerabilities have been found in gst-plugins-bad0.10, a
collection of various GStreamer plugins, which could potentially lead to the
execution of arbitrary code via crafted .mov files.
It was discovered that ndiswrapper suffers from buffer overflows
via specially crafted wireless network traffic, due to incorrectly
handling long ESSIDs. This could lead to the execution of arbitrary
code.
Fixed packages are available now.
|
|
|
A cross site scripting vulnerability was found in the 'Taxonomy Theme' module.
A fixed version is available now.
Please be aware that Drupal core is not affected.
|
|