Chosen month 07 / 2012
|
|
|
An uninitialized data structure use flaw was found in BIND when DNSSEC
validation was enabled. A remote attacker able to send a large number of
queries to a DNSSEC validating BIND resolver could use this flaw to cause
it to exit unexpectedly with an assertion failure.
It is recommended to upgrade the BIND packages.
|
|
|
It was discovered that under certain conditions bind9, a DNS server,
may use cached data before initialization. As a result, an attacker can
trigger an assertion failure on servers under high query load that do
DNSSEC validation.
It is recommended to upgrade the bind9 packages.
|
|
|
An error in the Remote Procedure Call (RPC) code in Samba results in a security
vulnerability that could be leveraged by a remote attacker to take ownership of
files or directories he does not own. SONAS included a vulnerable version of
Samba and may be susceptible to an attack that takes advantage of this
vulnerability.
A new update is available.
|
|
|
An appliance restart or other unpredictable behavior can be
triggered by malicious ASN.1 content coming into the DataPower
appliance from a variety of entry points.
A new update is available.
|
|
|
Two vulnerabilities have been identified in bugzilla, a web based bug tracking system.
These vulnerabilities may allow remote attackers to gain access to confidential data.
A new update is available to address this issue.
|
|
|
A kernel extension call is exported to user space without proper sanity checks causing a system crash. This Denial-of-Service (DoS) can be avoided by installing a fix.
|
|
|
There is the potential for client applications to bypass security configuration setup on an MQ 7.1 SVRCONN channel, allowing access to the queue manager to unauthorised user IDs.
Updated packages are available now.
|
|
|
There is a vulnerability in the IBM Eclipse Help System (IEHS), used in locally installed IBM product information centers, that can permit a local user to gain escalated privileges. To improve security, updated IEHS and IEHS WAR files are provided.
|
|
|
Safari is a web browser by Apple. Safari 6.0 is now available and addresses 121 (!) vulnerabilities. So this update is strongly recommended.
Xcode is an integrated framework for software development.
Vulnerabilities may allow attackers to decrypt data protected by SSL. Helper tools built with Xcode allow any App Store application to read their keychain entries. This update is therefore also recommended.
|
|
|
Perl DBI is a database access Application Programming Interface (API) for the Perl language. perl-DBD-Pg allows Perl applications to access
PostgreSQL database servers. Two format string flaws were found in perl-DBD-Pg.
A specially-crafted database warning or error message from a server could cause an application using perl-DBD-Pg to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Updated packages are available now.
|
|
|
No further comment due to legal reasons
|
|
|
The Berkeley Internet Name Daemon, BIND, is a very widely used DNS server.
High numbers of queries with DNSSEC validation enabled can cause an assertion failure in named, caused by using a "bad cache" data structure before it has been initialized.
Updated packages are available now.
|
|
|
An error in the handling of malformed client identifiers can cause a DHCP server running affected versions to enter a state where further client requests are not processed and the server process loops endlessly, consuming all available CPU cycles.
An unexpected client identifier parameter can cause the ISC DHCP daemon to segmentation fault when running in DHCPv6 mode, resulting also in a Denial-of-Service (DoS).
Two memory leaks have been found in ISC DHCP. Both are reproducible when running in DHCPv6 mode (with the -6 command-line argument).
Updated packages are available now.
|
|
|
The kernel packages contain the Linux kernel, the core of any Linux operating system.
A NULL pointer dereference flaw was found in the Linux kernel's netfilter IPv6 connection tracking implementation. A remote attacker could use this flaw to send specially-crafted packets to a target system that is using IPv6 and also has the nf_conntrack_ipv6 kernel module loaded, causing it to crash.
Updated packages are available now.
|
|
|
Ipswitch WhatsUp Gold is vulnerable to SQL injection.
A remote attacker could send specially-crafted SQL statements to the WrVMwareHostList.asp script using the sGroupList parameter,
which could allow the attacker to view, add, modify or delete information in the back-end database.
So far, no patch is available.
|
|
|
Dell SonicWALL Scrutinizer is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the statusFilter.php script using the q parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. A new patch is available for download.
|
|
|
TeamViewer has been released in version 7.0.13989. As stated, this version is a security update fixing a vulnerability that isn't described further.
|
|
|
Symantec's Web Gateway management console is susceptible to multiple security issues that include remote command execution, local file inclusion, arbitrary password change and SQL injection security issues.
Successful exploitation could result in unauthorized command execution on or access to the management console and backend database.
Symantec engineers verified these issues and have released an update to address them.
|
|
|
A potential security vulnerability has been identified with Red Hat Enterprise Linux running the famous DNS server BIND.
This vulnerability could be exploited remotely to create a Denial-of-Service (DoS).
An update is available for download.
|
|
|
JBoss Application Server is the base package for JBoss Enterprise Portal Platform, providing the core server components.
The Java Naming and Directory Interface (JNDI) Java API allows Java software clients to locate objects or services in an application server.
It has been detected that the JBoss JNDI service allows unauthenticated, remote write access by default.
The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected.
A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts.
Updated packages are available now.
|
|
|
The XSL implementation in libxslt allows remote attackers to cause a Denial-of-Service (DoS) due to an incorrect read operation via unspecified vectors. Updated packages are available now.
|
|
|
Multiple vulnerabilities have been discovered in PHP. An unspecified vulnerability in the _php_stream_scandir function in the
stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an overflow.
Besides this, the SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors.
Please check if updates are available for your system.
|
|
|
It has been discovered that FreeBSD doesn't correctly handle non-canonical return addresses on Intel amd64 CPUs, allowing local users to escalate privileges
to the kernel. Updated packages are available now.
|
|
|
Symantec System Recovery (formerly Backup Exec System Recovery) doesn't directly specify the fully qualified path to a dynamic-linked library when running on Microsoft Windows. By persuading a victim to open a specially-crafted file from a WebDAV or SMB share using a vulnerable application, a remote attacker could exploit this vulnerability via a specially-crafted library to execute arbitrary code on the system.
An official fix is available now.
|
|
|
Security vulnerabilities have been found in IBM WebSphere Operational Decision Management and IBM WebSphere ILOG JRules Flash. Exploiting them might lead to Cross-Site Scripting (XSS) and provisioning of misleading information. Fixes are available now.
|
|
|
Two vulnerabilities have been detected in the management interface of Lotus Protector for Mail Security.
Both possible attacks are post-authentication and require the attacker to have valid login credentials for the admin UI.
The end user interface is not affected by these vulnerabilities.
An update has been created by IBM Security Systems that addresses the vulnerabilities.
|
|
|
The HsmCfgSvc.exe service of HP StorageWorks File Migration Agent listens by default on TCP port 9111.
When processing CIFS archives or FTP archives the process doesn't properly validate the size of the root path specified and proceeds to copy the string into a fixed-length buffer on the stack. This can be exploited to execute arbitrary remote code under the context of the running service.
Using a firewall can protect vulnerable servers.
|
|
|
Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.
A flaw was found in the way the Pidgin MSN protocol plug-in processes text that was not encoded in UTF-8 and MSN notification messages. A malicious server or a remote attacker could use these flaws to crash Pidgin by sending specially-crafted MSN notification messages.
Besides this, a buffer overflow flaw was found in the Pidgin MXit protocol plug-in. This vulnerability can also lead to a Denial-of-Service (DoS).
Red Hat Certificate System is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments.
Multiple Cross-Site scripting (XSS) flaws were discovered in the Red Hat Certificate System Agent and End Entity pages. It was also discovered that Red Hat Certificate System's Certificate Manager doesn't properly check certificate revocation requests performed via its web interface.
So the CA's certificate can be revoked by a bad entity.
Updated packages are available now.
|
|
|
It has been discovered that NSD, an authoritative domain name server, doesn't properly handle non-standard DNS packets.
This can result in a NULL pointer dereference and crash the handling process.
A remote attacker can abuse this flaw to perform Denial-of-Service (DoS) attacks.
Updated packages are available now.
|
|
| System: |
Red Hat Enterprise Linux |
| Topic: |
Vulnerabilities in Kernel, nss/nspr and glibc |
| Links: |
RHSA-2012-1087,
CVE-2012-2136,
ESB-2012.0683,
RHSA-2012-1090,
RHSA-2012-1091,
CVE-2012-0441,
ESB-2012.0685,
RHSA-2012-1097,
RHSA-2012-1098,
CVE-2012-3404,
CVE-2012-3405,
CVE-2012-3406,
ESB-2012.0687
|
| ID: |
ae-201207-053
|
The kernel packages contain the Linux kernel, the core of any Linux operating system.
It was found that an error in the Linux kernel's networking implementation might allow local users to crash the system or, potentially, escalate their privileges.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server
applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.
A flaw has been found in the way the ASN.1 (Abstract Syntax Notation One) decoder in NSS handles zero length items. A subordinate CA certificate that a Certificate Authority (CA) issued to its customer can be used to issue certificates for any name. Exploiting these vulnerabilities might allow an attacker to spread misleading information.
The glibc packages provide the standard C and standard math libraries used by multiple programs on the system.
It was discovered that the formatted printing functionality in glibc doesn't properly restrict the use of alloca(). This could allow a local attacker to bypass protections and execute arbitrary code using a format string flaw in an application.
Updated packages are available now.
|
|
|
Updates address many vulnerabilities in the Mozilla Software. Since some of the vulnerabilities are rated as critical, these updates are recommended.
|
|
|
Many potential security vulnerabilities have been identified with HP Network Node Manager i (NNMi) running JDK for HP-UX, Linux, Solaris, and Windows. The vulnerabilities could be remotely exploited resulting in unauthorized information disclosure, modification, and Denial-of-Service (DoS). HP has made hotfixes available to resolve these vulnerabilities for NNMi.
|
|
|
Oracle has published its critical patch update for July. This update affects many products, e.g. Oracle Fusion Middleware and Oracle Database, but also Oracle Identity Management, Oracle Application Server and others. Since 87 vulnerabilities are addressed with this update, it's strongly recommended.
|
|
|
A potential security vulnerability has been identified with IBM AIX running the famous DNS server BIND.
This vulnerability could be exploited remotely to create a Denial-of-Service (DoS).
An update is available for download.
|
|
| System: |
Red Hat Enterprise Linux |
| Topic: |
Vulnerabilities in java-1.4.2-ibm-sap and sudo |
| Links: |
RHSA-2012-1080,
CVE-2011-3563,
CVE-2012-0499,
CVE-2009-0502,
CVE-2012-0503,
CVE-2009-0505,
CVE-2012-0506,
ESB-2012.0679,
RHSA-2012-1081,
CVE-2012-2337,
ESB-2012.0680
|
| ID: |
ae-201207-048
|
An update fixes several vulnerabilities in the IBM Java 1.4.2 Runtime Environment and the IBM Java 1.4.2 Software Development Kit. Exploiting the vulnerabilities might lead to e.g. Denial-of-Service (DoS), unauthorized access or modification of arbitrary files. User interaction is necessary to exploit them.
The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.
A flaw was found in the way the network matching code in sudo handles multiple IP networks listed in user specification configuration directives. A user who is authorized to run commands with sudo on specific hosts could use this flaw to bypass intended restrictions and run those commands on hosts not matched by any of the network specifications. An updated package addresses this issue.
|
|
|
Fix Pack 12 for DB2 V9.1 is now available which includes fixes for some security vulnerabilities. These fixes, where applicable, are also available in a Fix Pack for DB2 Version 9.5, a Fix Pack for DB2 Version 9.7, a Fix Pack for DB2 Version 9.8 and a Fix Pack for DB2 Version 10.1.
IBM recommends reviewing the APAR descriptions and deploying one of the fix packs to correct them on affected DB2 installations.
|
|
|
A number of remotely exploitable issues were discovered in libexif and exif, with effects ranging from information leakage to potential
remote code execution. Please check if version 0.6.21 is available for your system.
|
|
|
A vulnerability has been discovered and corrected in exif. An integer overflow in the function jpeg_data_load_data in the exif program could cause a data read beyond the end of a buffer, causing an application crash or leakage of potentially sensitive information when parsing a crafted JPEG file. Updated packages are available now.
|
|
| System: |
VMware ESX |
| Topic: |
Multiple Vulnerabilities in VMware ESXi |
| Links: |
VMSA-2012-0012,
CVE-2010-4008,
CVE-2010-4494,
CVE-2011-0216,
CVE-2011-1944,
CVE-2011-2821,
CVE-2011-2834,
CVE-2011-3905,
CVE-2011-3919,
CVE-2012-0841,
ESB-2012.0677
|
| ID: |
ae-201207-044
|
A VMware ESXi update addresses several security issues. The libxml2 third party library has been updated which addresses multiple security issues. Exploiting them might lead to e.g. remote Denial-of-Service (DoS) or command execution.
So this update is recommended.
|
|
|
Pidgin is a multi protocol instant messaging client.
A vulnerability might lead to a buffer overflow. This can be exploited by an incoming message in the MXit protocol plugin. A remote attacker may cause a crash, and in some circumstances this can lead to remote code execution.
Updated packages are available now.
|
|
|
A potential security vulnerability has been identified with HP AssetManager. The vulnerabilities could be exploited remotely resulting in Cross-Site Scripting (XSS) or unauthorized data modification.
HP has provided patch kits to solve this problem.
|
|
|
Several security vulnerabilities have been found in Puppet, a centralized configuration management system.
Authenticated clients could read or delete arbitrary files on the puppet master.
Reports can be read and agent hostnames are insufficiently validated.
The web server included in Mono performs insufficient sanitising of requests, resulting in Cross-Site Scripting (XSS).
Updated packages are available now.
|
|
|
Patch 14 (P14) for RSA Authentication Manager 7.1 Service Pack 4 (SP4) and Appliance 3.0 SP4 contains fixes for multiple security vulnerabilities. Exploiting them might allow Cross-Site Scripting (XSS) attacks and could provide misleading information. So this patch is recommended.
|
|
|
A vulnerability in eXtplorer, a very feature rich web server file manager, can be exploited by malicious people to conduct cross-site request forgery (XSRF) attacks. Updated packages are available now.
|
|
|
JBoss Cache is the clustering backbone for data distribution in JBoss Enterprise Web Platform.
It has been detected that NonManagedConnectionFactory would log the username and password in plain text when an exception was thrown. This could lead to the exposure of authentication credentials if local users had permissions to read the log file.
Updated packages are available now.
|
|
|
The SMC8024L2 switch does not require authentication for the web interface configuration pages if they are visited with a direct URL. An unauthenticated attacker can retrieve all configuration pages from the web management GUI. So remote management of the switch is possible. The vendor has stated this product is end-of-life and not supported. So please protect these switches by appropriate rules in surrounding firewalls.
|
|
|
A race condition in automake could allow a local attacker to run arbitrary code with the privileges of the user running
make distcheck. Updated packages are available now.
|
|
|
Several vulnerabilities have been found in Cisco TelePresence Manager, Cisco TelePresence Multipoint Switch, Cisco TelePresence Endpoint devices, and Cisco TelePresence Recording Server. Exploiting them might lead to remote Denial-of-Service (DoS) and remote code execution.
Updates are available now.
|
|
|
OpenJPEG is an open source library for reading and writing image files in JPEG 2000 format.
An input validation flaw, leading to a heap-based buffer overflow, was found in the way OpenJPEG handles the tile number and size in an image tile header.
OpenJPEG also allocates insufficient memory when encoding JPEG 2000 files from input images that have certain color depths.
Both vulnerabilities might allow a remote attacker to execute arbitrary code on a vulnerable system if a user opens a crafted file.
Updated packages are available now.
|
|
|
A vulnerability exists in EMC Celerra/VNX/VNXe systems.
Under certain circumstances, NFS v2/3/4 clients with network access to exported file systems may be able to gain unauthorized access to files or directories in that file system due to access control issues.
Updates address this issue.
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
No further comment due to legal reasons
|
|
|
The kernel packages contain the Linux kernel, the core of any Linux operating system.
A NULL pointer dereference flaw has been found in working with netfilter IPv6 connection tracking. Besides this, flaws in the kernel's key management and in the Event Poll Subsystem have been detected. All vulnerabilities can be exploited by local users to trigger a Denial-of-Service (DoS). Updated kernel packages are available now.
|
|
|
Vulnerabilities have been found in PostgreSQL which is used in Avaya products.
They affect DES and extended DES based cryptography and plugins.
Updates are currently not available from Avaya. Please refer to the advisory to get further information about workarounds.
|
|
|
WebSphere Portal could allow a remote attacker to traverse directories on the system, caused by improper validation of user supplied input. By sending a specially-crafted URL request to the Dojo module an attacker could exploit this vulnerability to view arbitrary files on the system. A patch is available now.
|
|
|
Potential security vulnerabilities have been identified with HP Operations Agent for AIX, HP-UX, Linux, Solaris, and Windows. The vulnerabilities could be remotely exploited resulting in the execution of arbitrary code. HP has made patches available to resolve these vulnerabilities.
|
|
|
Cobbler is a network install server.
A command injection flaw was found in Cobbler's power management XML-RPC method. A remote, authenticated user who is permitted to perform Cobbler configuration changes via the Cobbler XML-RPC API, could use this flaw to execute arbitrary code with root privileges on the Red Hat Network Satellite server.
Updated packages are available now.
|
|
|
Pidgin is a multi protocol instant messaging client.
A vulnerability might lead to a buffer overflow. This can be exploited by an incoming message in the MXit protocol plugin. A remote attacker may cause a crash, and in some circumstances this can lead to remote code execution.
Updated packages are available now.
|
|
|
Asterisk is a free PBX Software.
If Asterisk sends a re-invite and an endpoint responds to the re-invite with a provisional response but never sends a final response, then the SIP dialog structure is never freed and the RTP ports for the call are never released. If an attacker has the ability to place a call, they could create a Denial-of-Service (DoS) by using all available RTP ports.
Besides this, if a single voicemail account is manipulated by two parties simultaneously, a condition can occur where memory is freed twice causing a crash.
Upgrades solve these issues.
|
|
|
RESTEasy provides various frameworks to help you build RESTful web services and RESTful Java applications.
It was found that RESTEasy is vulnerable to XML External Entity (XXE) attacks. An update for JBoss Enterprise Application Platform 5.1.2 fixes this security issue.
|
|
|
A potential security vulnerability has been identified with HP ProtectTools Enterprise Device Access Manager (EDAM) running on Windows. The vulnerability can be remotely exploited to cause execution of arbitrary code or Denial-of-Service (DoS). HP has updated HP ProtectTools Enterprise Device Access Manager (EDAM) running on Windows to resolve the vulnerability.
|
|
|
The Invensys Wonderware SuiteLink service (slssvc.exe) shows a vulnerability that causes a stack-based buffer overflow due to a maliciously crafted Unicode string. This can be exploited remotely. The consequence is a Denial-of-Service (DoS). Please check if the version used is vulnerable; information can be found in the advisory.
|
|
|
TYPO3 bundles and uses an external JavaScript and Flash Upload Library called swfupload. It can be configured to use this Flash uploader. Input passed via the "movieName" parameter to swfupload.swf isn't properly sanitised before being used. This can be exploited to execute arbitrary script code in a user's browser session in context of an affected site.
This Cross-Site Scripting (XSS) vulnerability can be fixed by an upgrade.
|
|
| System: |
Debian GNU/Linux |
| Topic: |
Vulnerabilities in openjdk-6 |
| Links: |
DSA-2507,
CVE-2012-1711,
CVE-2012-1713,
CVE-2012-1716,
CVE-2012-1717,
CVE-2012-1718,
CVE-2012-1719,
CVE-2012-1723,
CVE-2012-1724,
CVE-2012-1725,
ESB-2012.0642
|
| ID: |
ae-201207-010
|
Multiple vulnerabilities exist in Java for Debian Linux. They allow remote attackers unauthorised access as well as remote code execution and to initiate a Denial-of-Service (DoS). Updated packages address these issues.
|
|
|
Updated mod_cluster packages that fix one security issue are now available
for JBoss Enterprise Application Platform 5.1.2 for Red Hat
Enterprise Linux 4, 5, and 6.
|
|
|
Updated libtiff packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5 and 6 and Mandriva Enterprise Server.
|
|
|
A potential security vulnerability has been identified with HP-UX running
BIND. This vulnerability could be exploited remotely to create a Denial of Service (DoS).
A new update is available for download.
|
|
|
When using DB2 Version 9.7 Fix Pack 6, memory is consumed quickly in the DB2
private memory when an application uses the db2readlog API to extract log
records (common in replication solutions). This leads to a severe memory leak.
A new update is available for download.
|
|
| System: |
Many |
| Topic: |
Vulnerabilities in HP Network Node Manager i |
| Links: |
emr_na-c03333585,
emr_na-c03343724,
CVE-2010-4015,
CVE-2010-3433,
CVE-2010-1975,
CVE-2010-1170,
CVE-2010-1169,
CVE-2009-4136,
CVE-2009-4034,
CVE-2009-3231,
CVE-2009-3230,
CVE-2009-3229,
CVE-2009-0922,
CVE-2012-2018,
ESB-2012.0636,
ESB-2012.0638
|
| ID: |
ae-201207-005
|
Potential security vulnerabilities have been identified with HP Network Node
Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows running PostgreSQL.
The vulnerabilities could be remotely exploited resulting in execution of
arbitrary code and Denial of Service (DoS) and Cross-Site-Scripting (XSS).
A new update is available for download.
|
|
|
A vulnerability in ModSecurity, a security module for the Apache webserver, was discovered.
In situations where both 'Content-Disposition: attachment' and 'Content-Type: multipart' were
present in HTTP headers, the vulnerability could allow an attacker to bypass
policy and execute cross-site scripting (XSS) attacks through properly crafted HTML documents.
New packages are available for download.
|
|
|
Multiple vulnerabilities have been discovered and corrected in python.
These vulnerabilities may lead to Denial of Service (DoS), Cross-Site-Scripting (XSS) or may allow access of privileged data.
New packages are available for download.
|
|
|
IBM has identified a total of four vulnerabilities in IBM Support Assistant.
All four vulnerabilities are resolved by the IBM Support Assistant 4.1.3 fixpack.
|
|
|
A file disclosure flaw was found in the way the SimpleXMLElement class of Zend Framework, a PHP framework, processed XML data provided within certain XML-RPC requests.
A remote attacker could use this flaw to obtain sensitive information by issuing a specially-crafted XML-RPC request to the Zend Framework based PHP application.
New packages are available for update purposes.
|
|