[ISN] Secunia Weekly Summary - Issue: 2007-24

From: InfoSec News (alerts@private)
Date: Thu Jun 14 2007 - 23:25:31 PDT


========================================================================

                  The Secunia Weekly Advisory Summary                  
                        2007-06-08 - 2007-06-15                        

                       This week: 81 advisories                        

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.

The Full Featured Secunia Network Software Inspector (NSI) is now
available:
http://secunia.com/network_software_inspector/

The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.

========================================================================
2) This Week in Brief:

It has been Patch Tuesday again for all Windows users, with Microsoft
releasing six security bulletins, including one for Windows Vista.

The vulnerabilities range from the “less critical” information
disclosure vulnerability in Vista, to “highly critical” ones found
in Internet Explorer (IE), Visio, Outlook Express, and in the Windows
code itself.

MS07-030 discusses two vulnerabilities in Microsoft Visio, which could
be exploited to execute arbitrary code.
http://secunia.com/advisories/25619/

MS07-031 discusses a vulnerability in the Microsoft Windows Secure
Channel Digital Signature security package, which on Windows XP could
be exploited to execute arbitrary code, and on Windows 2000 and Server
2003 could be exploited to cause a Denial of Service (DoS) condition.
http://secunia.com/advisories/25620/

MS07-032 discusses a vulnerability in Windows Vista, which could be
used by malicious, local users to disclose possibly sensitive
information.
http://secunia.com/advisories/25623/

MS07-033 discusses six vulnerabilities in Internet Explorer, which can
be exploited to spoof the contents of an arbitrary site, or to gain
access to a vulnerable system.
http://secunia.com/advisories/25627/

MS07-034 discusses three vulnerabilities in Microsoft Outlook Express
and Windows Mail, which could be exploited to read data on the system
or execute arbitrary code.
http://secunia.com/advisories/25639/

MS07-035 discusses a vulnerability in the Microsoft Windows Win32 API,
which could be exploited to execute arbitrary code using a local
application, for example when a user is tricked into viewing a web
site hosting malicious code.
http://secunia.com/advisories/25640/

--

Some vulnerabilities have been reported in OpenOffice this week, one
resulting from an error when parsing data within RTF files, and the
other as a vulnerability carried over from OpenOffice's use of the
Freetype library, which contains an error when parsing malformed TTF
fonts.

A patch has been released for these vulnerabilities, and all users
are urged to update as soon as possible. Several Linux distributions
have also released patches, such as Debian and Red Hat:
http://secunia.com/advisories/25650/
http://secunia.com/advisories/25673/

For more information, read the OpenOffice advisory here:
http://secunia.com/advisories/25648/

 --

VIRUS ALERTS:

During the past week Secunia collected 231 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA14921] Microsoft Windows Message Queuing Buffer Overflow
              Vulnerability
2.  [SA25547] Yahoo! Messenger Two ActiveX Controls Buffer Overflows
3.  [SA25594] Linux Kernel Multiple Vulnerabilities
4.  [SA25640] Microsoft Windows Win32 API Code Execution Vulnerability
5.  [SA25620] Windows Secure Channel Digital Signature Parsing
              Vulnerability
6.  [SA18787] Internet Explorer Drag-and-Drop Vulnerability
7.  [SA25619] Microsoft Visio Two Code Execution Vulnerabilities
8.  [SA25627] Internet Explorer Multiple Vulnerabilities
9.  [SA25639] Microsoft Outlook Express and Windows Mail Multiple
              Vulnerabilities
10. [SA25648] OpenOffice RTF File and FreeType Font Parsing
              Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA25672] Corel ActiveCGM Browser ActiveX Control Multiple Buffer
Overflows
[SA25640] Microsoft Windows Win32 API Code Execution Vulnerability
[SA25639] Microsoft Outlook Express and Windows Mail Multiple
Vulnerabilities
[SA25627] Internet Explorer Multiple Vulnerabilities
[SA25625] Zoomify Viewer ActiveX Control Multiple Buffer Overflows
[SA25624] HP Help and Support Center Unspecified Vulnerability
[SA25620] Windows Secure Channel Digital Signature Parsing
Vulnerability
[SA25619] Microsoft Visio Two Code Execution Vulnerabilities
[SA25604] Vitalize! Cellosoft Tokens Object Extension "RemoveChr()"
Buffer Overflow
[SA25593] Blue Coat K9 Web Protection Management Service Buffer
Overflow
[SA25602] D-Link DWL-G650+ Wireless Driver Beacon TIM Buffer Overflow
[SA25606] BrightStor ARCserve Backup for Laptops & Desktops Unspecified
Vulnerabilities
[SA25643] TEC-IT TBarCode TBarCode7 ActiveX Control "SaveImage()"
Insecure Method
[SA25623] Microsoft Windows Vista User Information Disclosure
[SA25663] Microsoft Internet Explorer 7 HTTP Basic Authentication IDN
Spoofing
[SA25603] Kaspersky AntiVirus klif.sys Hooked Functions Denial of
Service

UNIX/Linux:
[SA25673] Red Hat update for openoffice.org
[SA25667] Xoops XT-Conteudo Module "spaw_root" File Inclusion
[SA25665] Xoops Cjay Content WYSIWYG IE Module "spaw_root" File
Inclusion
[SA25660] Avaya Products PHP Multiple Vulnerabilities
[SA25652] Xoops Tiny Content Module "spaw_root" File Inclusion
[SA25651] Xoops Horoscope Module "xoopsConfig[root_path]" File
Inclusion
[SA25650] Debian update for openoffice
[SA25647] Mandriva update for mozilla-firefox
[SA25635] Debian update for xulrunner
[SA25591] SGI Advanced Linux Environment Multiple Updates
[SA25669] Red Hat update for kdebase
[SA25666] Sun Java System Directory Server Two Vulnerabilities
[SA25664] Debian update for icedove
[SA25662] Konqueror Flash Player Plug-in Vulnerability
[SA25655] Red Hat update for mod_perl
[SA25654] Mandriva update for freetype2
[SA25653] fuzzylime (forum) "topic" SQL Injection and Cross-Site
Scripting
[SA25644] Mandriva update for mozilla-thunderbird
[SA25622] Gentoo update for madwifi
[SA25621] Ubuntu update for libexif
[SA25613] Debian update for lighttpd
[SA25612] Debian update for freetype
[SA25609] Red Hat update for freetype
[SA25608] Sun Solaris sshd Identical Blocks Denial of Service
Vulnerability
[SA25599] Mandriva update for libexif
[SA25594] Linux Kernel Multiple Vulnerabilities
[SA25676] Avaya Products OpenLDAP slapd "selfwrite" Security Issue
[SA25661] Avaya CMS Sun Solaris "in.iked" Denial of Service
Vulnerability
[SA25658] Mandriva update for libwmf
[SA25657] Mandriva update for gd
[SA25649] HP-UX update for Bind
[SA25646] Mandriva update for tetex
[SA25633] Red Hat update for gcc
[SA25632] Red Hat update for gdb
[SA25628] Red Hat update for openldap
[SA25616] Maran PHP Blog "id" Cross-Site Scripting
[SA25600] Mail Notification "WITH_SSL" Plaintext Password Security
Issue
[SA25590] rPath update for gd, php, php-mysql, and php-pgsql
[SA25668] Sun Solaris 10 NFS XDR Handling Vulnerability
[SA25631] Red Hat update for pam
[SA25630] Red Hat update for kernel
[SA25629] Red Hat update for shadow-utils
[SA25598] Cisco Trust Agent "User Notification" Authentication Bypass
[SA25596] Ubuntu update for kernel
[SA25679] Red Hat update for iscsi-initiator-utils
[SA25610] Ubuntu update for xscreensaver
[SA25607] Sun Solaris scp Command Line Shell Command Injection

Other:
[SA25611] ARRIS Cadant C3 CMTS IP Options Handling Denial of Service
[SA25592] Novell Modular Authentication Service NMASINST Information
Disclosure

Cross Platform:
[SA25656] YaBB CRLF Injection Privilege Escalation Vulnerability
[SA25648] OpenOffice RTF File and FreeType Font Parsing
Vulnerabilities
[SA25641] Mbedthis AppWeb URL Protocol Format String Vulnerability
[SA25626] PHPMailer "Sender" Arbitrary Command Execution
[SA25615] PHP Real Estate Classifieds "loc" File Inclusion
[SA25614] Link Request Contact Form PHP File Upload
[SA25597] Sun Java System Products NSS SSLv2 Processing Buffer
Overflows
[SA25642] libexif EXIF Information Integer Overflow Vulnerability
[SA25605] e-Vision CMS Multiple Vulnerabilities
[SA25595] PhpWiki Empty LDAP Passwords Authentication Bypass
[SA25601] Firebird "connect" Request Handling Buffer Overflow
Vulnerability
[SA25638] dotProject Cross-Site Scripting Vulnerability
[SA25637] Invision Power Board Profile Updating Security Issue
[SA25634] Beehive Forum "links.php" Cross-Site Scripting
[SA25617] Sporum Forum "view" and "mode" Cross-Site Scripting
Vulnerabilities
[SA25636] Mbedthis AppWeb HTTP TRACE Response Cross-Site Scripting

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA25672] Corel ActiveCGM Browser ActiveX Control Multiple Buffer
Overflows

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-14

Will Dormann has reported some vulnerabilities in ActiveCGM, which can
be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25672/

 --

[SA25640] Microsoft Windows Win32 API Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2007-06-12

A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious, local users to gain escalated privileges or by
malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25640/

 --

[SA25639] Microsoft Outlook Express and Windows Mail Multiple
Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, System
access
Released:    2007-06-12

Some vulnerabilities have been reported in Microsoft Outlook Express
and Windows Mail, which can be exploited by malicious people to
disclose sensitive information and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25639/

 --

[SA25627] Internet Explorer Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Spoofing, System access
Released:    2007-06-12

Multiple vulnerabilities have been reported in Internet Explorer, which
can be exploited by malicious people to conduct phishing attacks or
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25627/

 --

[SA25625] Zoomify Viewer ActiveX Control Multiple Buffer Overflows

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-12

Will Dormann has reported some vulnerabilities in Zoomify Viewer
ActiveX control, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25625/

 --

[SA25624] HP Help and Support Center Unspecified Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-13

HP has acknowledged a vulnerability in Help and Support Center, which
can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25624/

 --

[SA25620] Windows Secure Channel Digital Signature Parsing
Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-12

A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25620/

 --

[SA25619] Microsoft Visio Two Code Execution Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-12

Two vulnerabilities have been reported in Microsoft Visio, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25619/

 --

[SA25604] Vitalize! Cellosoft Tokens Object Extension "RemoveChr()"
Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-13

Haikz has reported a vulnerability in Cellosoft Tokens Object extension
for Vitalize!, which can be exploited by malicious people to compromise
a user's system.

Full Advisory:
http://secunia.com/advisories/25604/

 --

[SA25593] Blue Coat K9 Web Protection Management Service Buffer
Overflow

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2007-06-08

CSIS Security Group has reported a vulnerability in BlueCoat K9 Web
Protection, which can be exploited by malicious, local users to gain
escalated privileges or by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/25593/

 --

[SA25602] D-Link DWL-G650+ Wireless Driver Beacon TIM Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-12

Laurent Butti has reported a vulnerability in the D-Link DWL-G650+
wireless driver, which can be exploited by malicious people to cause a
DoS (Denial of Service) or to potentially compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/25602/

 --

[SA25606] BrightStor ARCserve Backup for Laptops & Desktops Unspecified
Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2007-06-11

Some vulnerabilities have been reported in BrightStor ARCserve Backup
for Laptops & Desktops, which can be exploited by malicious people to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25606/

 --

[SA25643] TEC-IT TBarCode TBarCode7 ActiveX Control "SaveImage()"
Insecure Method

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2007-06-13

shinnai has reported a vulnerability in TEC-IT's TBarCode TBarCode7
ActiveX control, which can be exploited by malicious people to
overwrite arbitrary files.

Full Advisory:
http://secunia.com/advisories/25643/

 --

[SA25623] Microsoft Windows Vista User Information Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2007-06-12

A security issue has been reported in Microsoft Windows Vista, which
can be exploited by malicious, local users to gain knowledge of
sensitive information.

Full Advisory:
http://secunia.com/advisories/25623/

 --

[SA25663] Microsoft Internet Explorer 7 HTTP Basic Authentication IDN
Spoofing

Critical:    Not critical
Where:       From remote
Impact:      Spoofing
Released:    2007-06-14

A weakness has been discovered in Internet Explorer 7, which can be
exploited by malicious people to conduct spoofing attacks.

Full Advisory:
http://secunia.com/advisories/25663/

 --

[SA25603] Kaspersky AntiVirus klif.sys Hooked Functions Denial of
Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2007-06-12

EP_X0FF has reported some vulnerabilities in Kaspersky AntiVirus, which
can be exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/25603/


UNIX/Linux:--

[SA25673] Red Hat update for openoffice.org

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-14

Red Hat has issued an update for openoffice.org. This fixes a
vulnerability, which potentially can be exploited by malicious people
to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25673/

 --

[SA25667] Xoops XT-Conteudo Module "spaw_root" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information, System access
Released:    2007-06-14

FiSh has discovered a vulnerability in the XT-Conteudo module for
Xoops, which can be exploited by malicious people to disclose sensitive
information or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25667/

 --

[SA25665] Xoops Cjay Content WYSIWYG IE Module "spaw_root" File
Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information, System access
Released:    2007-06-14

FiSh has discovered a vulnerability in the Cjay Content WYSIWYG IE
module for Xoops, which can be exploited by malicious people to
disclose sensitive information or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25665/

 --

[SA25660] Avaya Products PHP Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Unknown, Security Bypass, System access
Released:    2007-06-14

Avaya has acknowledged some vulnerabilities in various Avaya products,
where some have unknown impacts and others can be exploited by
malicious users to bypass certain security restrictions and potentially
by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25660/

 --

[SA25652] Xoops Tiny Content Module "spaw_root" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information, System access
Released:    2007-06-13

Sp[L]o1T has discovered a vulnerability in the Tiny Content module for
Xoops, which can be exploited by malicious people to disclose sensitive
information or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25652/

 --

[SA25651] Xoops Horoscope Module "xoopsConfig[root_path]" File
Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information, System access
Released:    2007-06-13

BeyazKurt has discovered a vulnerability in the Horoscope module for
Xoops, which can be exploited by malicious people to disclose sensitive
information or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25651/

 --

[SA25650] Debian update for openoffice

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-13

Debian has issued an update for openoffice. This fixes a vulnerability,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/25650/

 --

[SA25647] Mandriva update for mozilla-firefox

Critical:    Highly critical
Where:       From remote
Impact:      Spoofing, Exposure of sensitive information, DoS, System
access
Released:    2007-06-13

Mandriva has issued an update for mozilla-firefox. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
spoofing attacks, bypass certain security restrictions, and potentially
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25647/

 --

[SA25635] Debian update for xulrunner

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, DoS,
System access
Released:    2007-06-13

Debian has issued an update for xulrunner. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service), conduct spoofing attacks, bypass certain
security restrictions, and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25635/

 --

[SA25591] SGI Advanced Linux Environment Multiple Updates

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Exposure of sensitive
information, Privilege escalation, DoS, System access
Released:    2007-06-08

SGI has issued multiple updates for SGI Advanced Linux Environment.
These fix some vulnerabilities, which can be exploited by malicious,
local users to perform certain actions with escalated privileges or
gain escalated privileges, by malicious users to cause a DoS (Denial of
Service), and by malicious people to conduct spoofing attacks, bypass
certain security restrictions, and potentially compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/25591/

 --

[SA25669] Red Hat update for kdebase

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2007-06-14

Red Hat has issued an update for kdebase. This fixes a vulnerability,
which can be exploited by malicious people to disclose potentially
sensitive information.

Full Advisory:
http://secunia.com/advisories/25669/

 --

[SA25666] Sun Java System Directory Server Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of
sensitive information
Released:    2007-06-14

Two vulnerabilities have been reported in the Sun Java System Directory
Server, which can be exploited by malicious people to disclose
potentially sensitive information or bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/25666/

 --

[SA25664] Debian update for icedove

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-14

Debian has issued an update for icedove. This fixes some
vulnerabilities, which can potentially be exploited by malicious people
to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25664/

 --

[SA25662] Konqueror Flash Player Plug-in Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2007-06-14

A vulnerability has been reported in Konqueror, which can be exploited
by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/25662/

 --

[SA25655] Red Hat update for mod_perl

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2007-06-14

Red Hat has issued an update for mod_perl. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/25655/

 --

[SA25654] Mandriva update for freetype2

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-14

Mandriva has issued an update for freetype2. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service) or potentially compromise an application using
the library.

Full Advisory:
http://secunia.com/advisories/25654/

 --

[SA25653] fuzzylime (forum) "topic" SQL Injection and Cross-Site
Scripting

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of
sensitive information
Released:    2007-06-13

Silentz has discovered some vulnerabilities in fuzzylime (forum), which
can be exploited by malicious people to conduct SQL injection attacks
and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/25653/

 --

[SA25644] Mandriva update for mozilla-thunderbird

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-13

Mandriva has issued an update for mozilla-thunderbird. This fixes some
vulnerabilities, which can potentially be exploited by malicious people
to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/25644/

 --

[SA25622] Gentoo update for madwifi

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2007-06-12

Gentoo has issued an update for madwifi. This fixes some
vulnerabilities, which can be exploited by malicious, local users and
by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25622/

 --

[SA25621] Ubuntu update for libexif

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-12

Ubuntu has issued an update for libexif. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/25621/

 --

[SA25613] Debian update for lighttpd

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2007-06-11

Debian has issued an update for lighttpd. This fixes some
vulnerabilities, which can be exploited by malicious users and
malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25613/

 --

[SA25612] Debian update for freetype

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-11

Debian has issued an update for freetype. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or potentially compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/25612/

 --

[SA25609] Red Hat update for freetype

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-11

Red Hat has issued an update for freetype. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or potentially compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/25609/

 --

[SA25608] Sun Solaris sshd Identical Blocks Denial of Service
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2007-06-11

Sun has acknowledged a vulnerability in Sun Solaris, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25608/

 --

[SA25599] Mandriva update for libexif

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-11

Mandriva has issued an update for libexif. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/25599/

 --

[SA25594] Linux Kernel Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Brute force, Exposure of sensitive information, DoS
Released:    2007-06-08

Two vulnerabilities and a weakness have been reported in the Linux
Kernel, which can be exploited by malicious, local users to disclose
potentially sensitive information and malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/25594/

 --

[SA25676] Avaya Products OpenLDAP slapd "selfwrite" Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2007-06-14

Avaya has acknowledged a security issue in various Avaya products,
which can be exploited by malicious users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/25676/

 --

[SA25661] Avaya CMS Sun Solaris "in.iked" Denial of Service
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2007-06-14

Avaya has acknowledged a vulnerability in Avaya CMS (Call Management
System), which can be exploited by malicious users to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/25661/

 --

[SA25658] Mandriva update for libwmf

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2007-06-14

Mandriva has issued an update for libwmf. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/25658/

 --

[SA25657] Mandriva update for gd

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2007-06-14

Mandriva has issued an update for gd. This fixes a vulnerability, which
can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/25657/

 --

[SA25649] HP-UX update for Bind

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2007-06-13

HP has issued an update for HP-UX. This fixes some vulnerabilities,
which can be exploited by malicious people to bypass certain security
restrictions or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25649/

 --

[SA25646] Mandriva update for tetex

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2007-06-14

Mandriva has issued an update for tetex. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/25646/

 --

[SA25633] Red Hat update for gcc

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2007-06-12

Red Hat has issued an update for gcc. This fixes a vulnerability, which
potentially can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/25633/

 --

[SA25632] Red Hat update for gdb

Critical:    Less critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-12

Red Hat has issued an update for gdb. This fixes some vulnerabilities,
which potentially can be exploited by malicious, local users to gain
escalated privileges or malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/25632/

 --

[SA25628] Red Hat update for openldap

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2007-06-12

Red Hat has issued an update for openldap. This fixes a security issue,
which can be exploited by malicious users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/25628/

 --

[SA25616] Maran PHP Blog "id" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-06-12

ls has discovered a vulnerability in Maran PHP Blog, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/25616/

 --

[SA25600] Mail Notification "WITH_SSL" Plaintext Password Security
Issue

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2007-06-11

Ted Percival has reported a security issue in Mail Notification, which
can be exploited by malicious people to disclose potentially sensitive
information.

Full Advisory:
http://secunia.com/advisories/25600/

 --

[SA25590] rPath update for gd, php, php-mysql, and php-pgsql

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2007-06-08

rPath has issued an update for gd, php, php-mysql, and php-pgsql. This
fixes a vulnerability, which can be exploited by malicious people to
cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25590/

 --

[SA25668] Sun Solaris 10 NFS XDR Handling Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2007-06-14

A vulnerability has been reported in Solaris 10, which can be exploited
by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25668/

 --

[SA25631] Red Hat update for pam

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2007-06-12

Red Hat has issued an update for pam. This fixes a vulnerability, which
can be exploited by malicious, local users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/25631/

 --

[SA25630] Red Hat update for kernel

Critical:    Less critical
Where:       Local system
Impact:      DoS
Released:    2007-06-12

Red Hat has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25630/

 --

[SA25629] Red Hat update for shadow-utils

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2007-06-12

Red Hat has issued an update for shadow-utils. This fixes a security
issue, which potentially can be exploited by malicious, local users to
perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/25629/

 --

[SA25598] Cisco Trust Agent "User Notification" Authentication Bypass

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2007-06-12

Adam Blake has reported a security issue in Cisco Trust Agent, which
can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/25598/

 --

[SA25596] Ubuntu update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Brute force, Exposure of sensitive information
Released:    2007-06-11

Ubuntu has issued an update for the kernel. This fixes a security issue
and two weaknesses, which can be exploited by malicious, local users and
malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/25596/

 --

[SA25679] Red Hat update for iscsi-initiator-utils

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2007-06-14

Red Hat has issued an update for iscsi-initiator-utils. This fixes some
security issues, which can be exploited by malicious, local users to
cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25679/

 --

[SA25610] Ubuntu update for xscreensaver

Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2007-06-13

Ubuntu has issued an update for xscreensaver. This fixes a weakness,
which potentially can be exploited by malicious people to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/25610/

 --

[SA25607] Sun Solaris scp Command Line Shell Command Injection

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2007-06-11

Sun has acknowledged a weakness in Sun Solaris, which can be exploited
by malicious, local users to perform certain actions with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/25607/


Other:--

[SA25611] ARRIS Cadant C3 CMTS IP Options Handling Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2007-06-12

A vulnerability has been reported in ARRIS's Cadant C3 CMTS, which can
be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/25611/

 --

[SA25592] Novell Modular Authentication Service NMASINST Information
Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2007-06-11

A security issue has been reported in Novell Modular Authentication
Service, which can be exploited by malicious, local users to disclose
sensitive information.

Full Advisory:
http://secunia.com/advisories/25592/


Cross Platform:--

[SA25656] YaBB CRLF Injection Privilege Escalation Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation
Released:    2007-06-13

A vulnerability has been reported in YaBB, which can be exploited by
malicious users and malicious people to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/25656/

 --

[SA25648] OpenOffice RTF File and FreeType Font Parsing
Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-13

Some vulnerabilities have been reported in OpenOffice, which can
potentially be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/25648/

 --

[SA25641] Mbedthis AppWeb URL Protocol Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-12

Nir Rachmel has discovered a vulnerability in Mbedthis AppWeb, which
can be exploited by malicious people to cause a DoS (Denial of Service)
or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25641/

 --

[SA25626] PHPMailer "Sender" Arbitrary Command Execution

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-12

Thor Larholm has discovered a vulnerability in PHPMailer, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25626/
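The entry above names the bug class, an attacker-controlled envelope sender reaching a sendmail command line, but does not show it. The added example below is not PHPMailer's code and assumes nothing about its internals; it illustrates the general pattern: a sender string concatenated into a shell command versus the same invocation built as an argument vector after validating the address. The sendmail path is an assumption and the command is never executed; the shell's view of the string is reconstructed with Python's shlex tokenizer so the example runs offline.

```python
"""Added example (not PHPMailer code): user-controlled sender -> sendmail.

Shows why a sender address must never be spliced into a shell command
string, and how the argv form plus input validation closes the hole.
"""
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail"   # assumed path; nothing here runs it

# Conservative address shape: no whitespace, no shell metacharacters, and
# no leading '-' so the value cannot be mistaken for a sendmail option.
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_safe_address(addr: str) -> bool:
    """True when the address matches the conservative pattern above."""
    return bool(_ADDR.fullmatch(addr)) and not addr.startswith("-")


def build_command_vulnerable(sender: str) -> str:
    """String concatenation destined for popen()/system(): the shell parses
    the result, so metacharacters in `sender` become shell syntax."""
    return f"{SENDMAIL} -oi -f{sender} -t"


def build_command_fixed(sender: str) -> list:
    """Argument vector for subprocess.run(argv) or execve(): no shell is
    involved, so ';', '|', backticks etc. are inert. The address is also
    validated first, which stops option injection as well."""
    if not is_safe_address(sender):
        raise ValueError("refusing to pass an unvalidated sender to sendmail")
    return [SENDMAIL, "-oi", "-f" + sender, "-t"]


def shell_tokens(cmd: str) -> list:
    """Tokenise `cmd` the way a POSIX shell would (quotes, escapes, and
    ';', '|', '&' as separate tokens). Pure parsing, no execution."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def commands_the_shell_runs(cmd: str) -> list:
    """Split the token stream at command separators; each element is the
    argv of one command the shell would run."""
    separators = {";", "|", "||", "&", "&&"}
    cmds, cur = [], []
    for tok in shell_tokens(cmd):
        if tok in separators:
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds


if __name__ == "__main__":
    # Constructed malicious sender: a second command after ';'.
    evil = "a@b.com; id"
    print(commands_the_shell_runs(build_command_vulnerable(evil)))
    # -> [['/usr/sbin/sendmail', '-oi', '-fa@b.com'], ['id', '-t']]
    print(build_command_fixed("a@b.com"))
    # -> ['/usr/sbin/sendmail', '-oi', '-fa@b.com', '-t']
```

The validation step matters even with the argv form: without it, a sender such as `-C/tmp/evil.cf` is passed intact to sendmail, which reads it as an option rather than an address.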

 --

[SA25615] PHP Real Estate Classifieds "loc" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information, System access
Released:    2007-06-13

not sec group has reported a vulnerability in PHP Real Estate
Classifieds, which can be exploited by malicious people to disclose
sensitive information or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25615/

 --

[SA25614] Link Request Contact Form PHP File Upload

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-11

CorryL has discovered a vulnerability in Link Request Contact Form,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/25614/

 --

[SA25597] Sun Java System Products NSS SSLv2 Processing Buffer
Overflows

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-06-12

Sun has acknowledged some vulnerabilities in various Sun Java System
products, which potentially can be exploited by malicious people to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25597/

 --

[SA25642] libexif EXIF Information Integer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-06-13

A vulnerability has been reported in libexif, which can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially
compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/25642/

 --

[SA25605] e-Vision CMS Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information,
Exposure of sensitive information
Released:    2007-06-11

Silentz has discovered some vulnerabilities in e-Vision CMS, which can
be exploited by malicious people to disclose sensitive information or
to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/25605/

 --

[SA25595] PhpWiki Empty LDAP Passwords Authentication Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2007-06-11

A vulnerability has been reported in PhpWiki, which can be exploited by
malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/25595/
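The entry above names the class of bug, an empty LDAP password accepted as a valid login, without explaining why it occurs. The reason is the "unauthenticated" simple bind of RFC 4513 section 5.1.2: a bind request with a non-empty DN and an empty password is not an error, and a server that accepts it grants an anonymous session. RFC 4513 recommends rejecting such requests by default, but some deployments accept them, so an application that treats "bind succeeded" as "user proven" is bypassed. The added example below is not PhpWiki's code; the directory is a constructed in-memory stand-in that mimics the RFC's bind semantics, and the two login functions show the mistake next to the fix.

```python
"""Added example (not PhpWiki code): LDAP login and the empty-password trap.

`simulated_simple_bind` is a stand-in for a real directory that accepts
RFC 4513 unauthenticated binds; nothing here talks to a network.
"""
from dataclasses import dataclass

BASE = "ou=people,dc=example,dc=org"   # assumed naming context

# Constructed directory contents: DN -> password. Not real data.
DIRECTORY = {
    f"uid=alice,{BASE}": "correct horse",
    f"uid=bob,{BASE}": "battery staple",
}


@dataclass
class BindResult:
    success: bool
    authzid: str   # bound identity; "" means the session is anonymous


def simulated_simple_bind(dn: str, password: str) -> BindResult:
    """Simple bind with RFC 4513 semantics (simulation, not a real client).

    empty DN, empty password      -> anonymous bind, success
    DN set, empty password        -> "unauthenticated" bind; a server that
                                     allows it returns success, anonymous
    DN set, password set          -> credentials actually checked
    """
    if not dn and not password:
        return BindResult(True, "")
    if not password:
        return BindResult(True, "")          # the trap: success, but anonymous
    if DIRECTORY.get(dn) == password:
        return BindResult(True, dn)
    return BindResult(False, "")


def user_dn(username: str) -> str:
    """Build the user's DN; a real app should also escape RFC 4514 specials."""
    return f"uid={username},{BASE}"


def login_vulnerable(username: str, password: str) -> bool:
    """Treats any successful bind as proof of identity."""
    return simulated_simple_bind(user_dn(username), password).success


def login_fixed(username: str, password: str) -> bool:
    """Refuses empty passwords before binding, and additionally requires the
    bound authorization identity to be the user we asked about, so an
    anonymous session can never pass as a login."""
    if not password:
        return False
    dn = user_dn(username)
    result = simulated_simple_bind(dn, password)
    return result.success and result.authzid == dn


if __name__ == "__main__":
    print(login_vulnerable("alice", ""))               # True  (bypass)
    print(login_fixed("alice", ""))                    # False
    print(login_fixed("alice", "correct horse"))       # True
```

The second check in `login_fixed` (comparing the bound identity with the requested DN) is the defence that survives a server misconfiguration: even if the directory accepts unauthenticated binds, an anonymous session carries no authorization identity and is rejected.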

 --

[SA25601] Firebird "connect" Request Handling Buffer Overflow
Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2007-06-12

Cody Pierce has reported a vulnerability in Firebird, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/25601/

 --

[SA25638] dotProject Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-06-14

A vulnerability has been reported in dotProject, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/25638/

 --

[SA25637] Invision Power Board Profile Updating Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2007-06-12

A security issue has been reported in Invision Power Board, which can
be exploited by malicious users to manipulate certain data.

Full Advisory:
http://secunia.com/advisories/25637/

 --

[SA25634] Beehive Forum "links.php" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-06-12

Ory Segal has discovered some vulnerabilities in Beehive Forum, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/25634/

 --

[SA25617] Sporum Forum "view" and "mode" Cross-Site Scripting
Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-06-12

r0t has discovered two vulnerabilities in Sporum, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/25617/

 --

[SA25636] Mbedthis AppWeb HTTP TRACE Response Cross-Site Scripting

Critical:    Not critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-06-13

A weakness has been reported in Mbedthis AppWeb, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/25636/



========================================================================

Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web	: http://secunia.com/
E-mail	: support@private
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45



_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Thu Jun 14 2007 - 23:40:44 PDT