[ISN] Secunia Weekly Summary - Issue: 2008-49

From: InfoSec News <alerts_at_private>
Date: Fri, 5 Dec 2008 00:32:14 -0600 (CST)
========================================================================

                  The Secunia Weekly Advisory Summary                  
                        2008-11-27 - 2008-12-04                        

                       This week: 71 advisories                        

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

1.91% of all PCs are fully patched! 

Almost one year ago, we posted statistics from the Secunia PSI about
the state of programs installed on PCs.

We think the timing is just right for a follow up on the previous
numbers - as you might have noticed, Tuesday last week (25th Nov)
version 1.0 of the Secunia PSI was released. The Secunia PSI 1.0 is out
after being in beta for the past 17 months - a huge thanks goes out to
all 793,478 users that helped us test and improve the Secunia PSI
during this period.

Read more:
http://secunia.com/blog/37/

 --

Monthly Binary Analysis Update (November)

Last month, we were extremely busy and cranked out 28 analyses, but
this month it was fairly quiet on the Binary Analysis front. We issued
only 15 analyses in total, which is probably (without checking) the
most quiet month we've had ever since the service launch about two
years ago.

However, that does not mean that I caught a lucky break and can stop
writing after only three paragraphs and go back to finding a new
vulnerability; there were still plenty of interesting vulnerabilities
to analyse this month and thus blog about.

Read more:
http://secunia.com/blog/36/

========================================================================
2) This Week in Brief:

Some vulnerabilities have been reported in Sun Java, which can be
exploited by malicious people to bypass certain security restrictions,
disclose sensitive information, cause a DoS (Denial of Service), or
compromise a vulnerable system.

For more information, refer to:
http://secunia.com/advisories/32991/

 --

A vulnerability has been discovered in VLC Media Player, which
potentially can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused by an integer overflow within the
"ReadRealIndex()" function in modules/demux/real.c. This can be
exploited to e.g. cause a heap-based buffer overflow by tricking a user
into opening a malicious file.

Successful exploitation may allow execution of arbitrary code.

For more information, refer to:
http://secunia.com/advisories/32942/


========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA31010] Sun Java JDK / JRE Multiple Vulnerabilities
2.  [SA32270] Adobe Flash Player Multiple Security Issues and
              Vulnerabilities
3.  [SA32942] VLC Media Player Real Demuxer Integer Overflow
              Vulnerability
4.  [SA29773] Adobe Acrobat/Reader Multiple Vulnerabilities
5.  [SA32842] BlackBerry Desktop Software FlexNET Connect ActiveX
              Control Vulnerability
6.  [SA32713] Mozilla Firefox 3 Multiple Vulnerabilities
7.  [SA31821] Apple QuickTime Multiple Vulnerabilities
8.  [SA32772] Adobe AIR Multiple Vulnerabilities
9.  [SA23655] Microsoft XML Core Services Multiple Vulnerabilities
10. [SA32913] Linux Kernel "sendmsg()" Garbage Collector Denial of
              Service

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA32987] RadAsm ".rap" Processing Buffer Overflow Vulnerability
[SA33000] MailingListPro Database Disclosure Security Issue
[SA32988] Rae Media Contact Management Software "Password" SQL
Injection
[SA32941] Active Trade "username" and "password" SQL Injection
Vulnerabilities
[SA32930] Ocean12 FAQ Manager Pro "ID" SQL Injection Vulnerability
[SA32929] Ocean12 Mailing List Manager Gold Multiple Vulnerabilities
[SA32928] ASPReferral "AccountID" SQL Injection Vulnerability
[SA32927] Active eWebquiz "useremail" and "password" SQL Injection
Vulnerabilities
[SA32922] Active Votes "AccountID" SQL Injection Vulnerability
[SA32921] Active Products "password" SQL Injection Vulnerability
[SA32920] Active Bids "ItemID" SQL Injection Vulnerability
[SA32976] Gallery MX "ID" SQL Injection Vulnerability
[SA32973] Calendar Mx Professional "ID" SQL Injection Vulnerability
[SA32940] Microsoft Office Communications Server SIP INVITE Denial of
Service

UNIX/Linux:
[SA32963] Ubuntu update for imlib2
[SA32962] Gentoo update for optipng
[SA32949] Debian update for imlib2
[SA32979] PowerDNS CH HINFO Denial of Service Vulnerability
[SA32975] Gentoo update for mantisbt
[SA32974] Gentoo update for libxml2 
[SA32972] Gentoo update for lighttpd
[SA32971] Gentoo update for ipsec-tools
[SA32970] Gentoo update for enscript
[SA32948] Slackware update for ruby
[SA32946] Ubuntu update for libvorbis
[SA32945] Ubuntu update for imagemagick
[SA32944] Debian update for wireshark
[SA32936] Ubuntu update for clamav
[SA32934] WebGUI Executable Attachments Vulnerability
[SA32926] ClamAV "cli_check_jpeg_exploit()" Denial of Service
Vulnerability
[SA32918] Ubuntu update for kernel
[SA32917] Kolab Server ClamAV Multiple Vulnerabilities
[SA33002] Ubuntu update for awstats
[SA32966] Fedora update for wordpress
[SA32954] Debian update for phpmyadmin
[SA32952] VMware ESX Server update for bzip2
[SA32939] Debian update for awstats
[SA33003] Ubuntu update for net-snmp
[SA32968] Fedora update for samba
[SA32951] Slackware update for samba
[SA32919] Ubuntu update for samba
[SA32980] Debian update for perl
[SA32977] IBM HMC HTTP TRACE Response Cross-Site Scripting Weakness
[SA32967] Fedora update for lynx
[SA32969] HP-UX Unspecified Local Denial of Service Vulnerability
[SA32961] Debian update for flamethrower
[SA32960] DAHDI "ZT_SPANCONFIG" IOCTL Privilege Escalation
Vulnerability
[SA32959] Debian update for jailer
[SA32953] SUSE update for kernel
[SA32947] Zaptel "ZT_SPANCONFIG" IOCTL Privilege Escalation
Vulnerabilities
[SA32943] jailer "updatejail" Insecure Temporary Files
[SA32933] Linux Kernel PARISC "parisc_show_stack()" Denial of Service

Other:


Cross Platform:
[SA32991] Sun Java JDK / JRE Multiple Vulnerabilities
[SA32986] Multi SEO phpBB "pfad" File Inclusion Vulnerability
[SA32942] VLC Media Player Real Demuxer Integer Overflow Vulnerability
[SA32964] PHP ZipArchive::extractTo() Directory Traversal
Vulnerability
[SA32958] Check Up System for Thai Healthcare "search" SQL Injection
[SA32950] RakhiSoftware Shopping Cart Multiple Vulnerabilities
[SA32938] Basic PHP CMS "id" SQL Injection Vulnerability
[SA32932] Bluo CMS "id" SQL Injection Vulnerability
[SA32931] mvnForum Unspecified Cross-Site Scripting and Request
Forgery
[SA32925] PHP TV Portal "mid" SQL Injection Vulnerability
[SA32923] Sunbyte e-Flower "id" SQL Injection Vulnerability
[SA32924] CMS Made Simple "cms_language" Cookie Local File Inclusion
[SA32996] W3matter RevSense "section" Cross-Site Scripting
Vulnerability
[SA32985] ImpressCMS Session Fixation Vulnerability
[SA32978] Drupal Storm Module SQL Injection Vulnerabilities
[SA32957] IBM Rational ClearCase Cross-Site Scripting Vulnerability
[SA32937] iNet Orkut Clone "id" SQL Injection and Cross-Site Scripting
[SA32935] Movable Type Unspecified Cross-Site Scripting Vulnerability
[SA32965] VMware ESX / ESXi Virtual Hardware Memory Corruption
Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA32987] RadAsm ".rap" Processing Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-12-04

Data_Sniper has discovered a vulnerability in RadAsm, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32987/

 --

[SA33000] MailingListPro Database Disclosure Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2008-12-04

AlpHaNiX has reported a security issue in MailingListPro, which can be
exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/33000/

 --

[SA32988] Rae Media Contact Management Software "Password" SQL
Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2008-12-04

b3hz4d has reported a vulnerability in Rae Media Contact Management
Software, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/32988/

 --

[SA32941] Active Trade "username" and "password" SQL Injection
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2008-12-01

R3d D3v!L has reported some vulnerabilities in Active Trade, which can
be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32941/

 --

[SA32930] Ocean12 FAQ Manager Pro "ID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-12-01

Stack has reported a vulnerability in Ocean12 FAQ Manager Pro, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32930/

 --

[SA32929] Ocean12 Mailing List Manager Gold Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of
sensitive information
Released:    2008-12-03

Pouya_Server has reported some vulnerabilities in Ocean12 Mailing List
Manager Gold, which can be exploited by malicious users and people to
conduct SQL injection attacks and by malicious people to conduct
cross-site scripting attacks and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/32929/

 --

[SA32928] ASPReferral "AccountID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-12-01

((r3d D3v!L)) has reported a vulnerability in ASPReferral, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32928/

 --

[SA32927] Active eWebquiz "useremail" and "password" SQL Injection
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Security Bypass
Released:    2008-12-01

R3d D3v!L has reported some vulnerabilities in Active eWebquiz, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32927/

 --

[SA32922] Active Votes "AccountID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-12-01

R3d D3v!L has reported a vulnerability in Active Votes, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32922/

 --

[SA32921] Active Products "password" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2008-12-01

R3d-D3v!L has reported some vulnerabilities in multiple Active
products, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/32921/

 --

[SA32920] Active Bids "ItemID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-12-01

Stack has reported a vulnerability in Active Bids, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32920/

 --

[SA32976] Gallery MX "ID" SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-12-04

R3d D3v!L has reported a vulnerability in Gallery MX, which can be
exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32976/

 --

[SA32973] Calendar Mx Professional "ID" SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-12-04

R3d D3v!L has reported a vulnerability in Calendar Mx Professional,
which can be exploited by malicious users to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/32973/

 --

[SA32940] Microsoft Office Communications Server SIP INVITE Denial of
Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2008-12-01

A vulnerability has been reported in Microsoft Office Communications
Server, which potentially can be exploited by malicious people to cause
a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/32940/


UNIX/Linux:--

[SA32963] Ubuntu update for imlib2

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-12-03

Ubuntu has issued an update for imlib2. This fixes a vulnerability,
which can be exploited by malicious people to potentially compromise an
application using the library.

Full Advisory:
http://secunia.com/advisories/32963/

 --

[SA32962] Gentoo update for optipng

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-12-03

Gentoo has issued an update for optipng. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/32962/

 --

[SA32949] Debian update for imlib2

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-12-01

Debian has issued an update for imlib2. This fixes a vulnerability,
which can be exploited by malicious people to potentially compromise an
application using the library.

Full Advisory:
http://secunia.com/advisories/32949/

 --

[SA32979] PowerDNS CH HINFO Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-12-04

A vulnerability has been reported in PowerDNS, which can be exploited
by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/32979/

 --

[SA32975] Gentoo update for mantisbt

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2008-12-03

Gentoo has issued an update for mantisbt. This fixes a security issue
and a vulnerability, which can be exploited by malicious users to
disclose potentially sensitive information and compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/32975/

 --

[SA32974] Gentoo update for libxml2 

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-12-03

Gentoo has issued an update to libxml2. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise an application using
the library.

Full Advisory:
http://secunia.com/advisories/32974/

 --

[SA32972] Gentoo update for lighttpd

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, DoS
Released:    2008-12-03

Gentoo has issued an update for lighttpd. This fixes a weakness and two
vulnerabilities, which can be exploited by malicious people to disclose
potentially sensitive information, bypass certain security
restrictions, and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/32972/

 --

[SA32971] Gentoo update for ipsec-tools

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-12-03

Gentoo has issued an update for ipsec-tools. This fixes some
vulnerabilities, which can be exploited by malicious users and
malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/32971/

 --

[SA32970] Gentoo update for enscript

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-12-03

Gentoo has issued an update for enscript. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32970/

 --

[SA32948] Slackware update for ruby

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2008-12-01

Slackware has issued an update for ruby. This fixes a vulnerability,
which can be exploited by malicious people to conduct spoofing
attacks.

Full Advisory:
http://secunia.com/advisories/32948/

 --

[SA32946] Ubuntu update for libvorbis

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-12-02

Ubuntu has issued an update for libvorbis. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise an application
using the library.

Full Advisory:
http://secunia.com/advisories/32946/

 --

[SA32945] Ubuntu update for imagemagick

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-12-02

Ubuntu has issued an update for imagemagick. This fixes a
vulnerability, which potentially can be exploited by malicious people
to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32945/

 --

[SA32944] Debian update for wireshark

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS
Released:    2008-12-01

Debian has issued an update for wireshark. This fixes some
vulnerabilities, which can be exploited by malicious people to disclose
potentially sensitive information or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/32944/

 --

[SA32936] Ubuntu update for clamav

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-12-03

Ubuntu has issued an update for clamav. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/32936/

 --

[SA32934] WebGUI Executable Attachments Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-12-03

A vulnerability has been reported in WebGUI, which can be exploited by
malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32934/

 --

[SA32926] ClamAV "cli_check_jpeg_exploit()" Denial of Service
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-12-02

A vulnerability has been reported in ClamAV, which can be exploited by
malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/32926/

 --

[SA32918] Ubuntu update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, DoS, System access
Released:    2008-11-28

Ubuntu has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
bypass certain security restrictions and gain escalated privileges, and
by malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32918/

 --

[SA32917] Kolab Server ClamAV Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-12-03

Some vulnerabilities have been reported in Kolab Server, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32917/

 --

[SA33002] Ubuntu update for awstats

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-12-04

Ubuntu has issued an update for awstats. This fixes a vulnerability,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/33002/

 --

[SA32966] Fedora update for wordpress

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-12-03

Fedora has issued an update for wordpress. This fixes a vulnerability,
which can be exploited by malicious people to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/32966/

 --

[SA32954] Debian update for phpmyadmin

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-12-02

Debian has issued an update for phpmyadmin. This fixes a vulnerability,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/32954/

 --

[SA32952] VMware ESX Server update for bzip2

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2008-12-03

VMware has issued an update for VMware ESX Server. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/32952/

 --

[SA32939] Debian update for awstats

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-12-03

Debian has issued an update for awstats. This fixes a vulnerability,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/32939/

 --

[SA33003] Ubuntu update for net-snmp

Critical:    Less critical
Where:       From local network
Impact:      DoS, System access
Released:    2008-12-04

Ubuntu has issued an update for net-snmp. This fixes some
vulnerabilities, which can be exploited by malicious people to spoof
authenticated SNMPv3 packets, cause a DoS (Denial of Service), and
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/33003/

 --

[SA32968] Fedora update for samba

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2008-12-03

Fedora has issued an update for samba. This fixes a vulnerability,
which potentially can be exploited by malicious people to disclose
sensitive information.

Full Advisory:
http://secunia.com/advisories/32968/

 --

[SA32951] Slackware update for samba

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2008-12-01

Slackware has issued an update for samba. This fixes a vulnerability,
which potentially can be exploited by malicious people to disclose
sensitive information.

Full Advisory:
http://secunia.com/advisories/32951/

 --

[SA32919] Ubuntu update for samba

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2008-11-28

Ubuntu has issued an update for samba. This fixes a vulnerability,
which potentially can be exploited by malicious people to disclose
sensitive information.

Full Advisory:
http://secunia.com/advisories/32919/

 --

[SA32980] Debian update for perl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-12-04

Debian has issued an update for perl. This fixes some vulnerabilities,
which can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/32980/

 --

[SA32977] IBM HMC HTTP TRACE Response Cross-Site Scripting Weakness

Critical:    Not critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-12-04

IBM has acknowledged a weakness in IBM HMC, which potentially can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/32977/

 --

[SA32967] Fedora update for lynx

Critical:    Not critical
Where:       From remote
Impact:      System access
Released:    2008-12-03

Fedora has issued an update for lynx. This fixes a vulnerability, which
can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32967/

 --

[SA32969] HP-UX Unspecified Local Denial of Service Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2008-12-03

A vulnerability has been reported in HP-UX, which can be exploited by
malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/32969/

 --

[SA32961] Debian update for flamethrower

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-12-02

Debian has issued an update for flamethrower. This fixes a security
issue, which can be exploited by malicious, local users to perform
certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/32961/

 --

[SA32960] DAHDI "ZT_SPANCONFIG" IOCTL Privilege Escalation
Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-12-02

A vulnerability has been reported in DAHDI, which potentially can be
exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/32960/

 --

[SA32959] Debian update for jailer

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-12-01

Debian has issued an update for jailer. This fixes a security issue,
which can be exploited by malicious, local users to perform certain
actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/32959/

 --

[SA32953] SUSE update for kernel

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-12-03

SUSE has issued an update for the kernel. This fixes a security issue,
which can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/32953/

 --

[SA32947] Zaptel "ZT_SPANCONFIG" IOCTL Privilege Escalation
Vulnerabilities

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-12-02

Some vulnerabilities have been reported in Zaptel, which can be
exploited by malicious, local users to cause a DoS (Denial of Service)
and potentially gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/32947/

 --

[SA32943] jailer "updatejail" Insecure Temporary Files

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-12-01

A security issue has been reported in jailer, which can be exploited by
malicious, local users to perform certain actions with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/32943/

 --

[SA32933] Linux Kernel PARISC "parisc_show_stack()" Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2008-12-04

A vulnerability has been reported in the Linux Kernel, which can be
exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/32933/


Other:


Cross Platform:--

[SA32991] Sun Java JDK / JRE Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure
of sensitive information, DoS, System access
Released:    2008-12-04

Some vulnerabilities have been reported in Sun Java, which can be
exploited by malicious people to bypass certain security restrictions,
disclose sensitive information, cause a DoS (Denial of Service), or
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32991/

 --

[SA32986] Multi SEO phpBB "pfad" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-12-04

NoGe has discovered a vulnerability in Multi SEO phpBB, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32986/

 --

[SA32942] VLC Media Player Real Demuxer Integer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-12-01

A vulnerability has been discovered in VLC Media Player, which
potentially can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/32942/

 --

[SA32964] PHP ZipArchive::extractTo() Directory Traversal
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-12-04

Stefan Esser has reported a vulnerability in PHP, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32964/

 --

[SA32958] Check Up System for Thai Healthcare "search" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-12-04

CWH Underground has reported a vulnerability in Check Up System for
Thai Healthcare, which can be exploited by malicious people to conduct
SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32958/

 --

[SA32950] RakhiSoftware Shopping Cart Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of
system information
Released:    2008-12-01

Charalambous Glafkos has reported some vulnerabilities in RakhiSoftware
Shopping Cart, which can be exploited by malicious people to disclose
system information, or to conduct SQL injection and cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/32950/

 --

[SA32938] Basic PHP CMS "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-12-01

CWH Underground has discovered a vulnerability in Basic PHP CMS, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32938/

 --

[SA32932] Bluo CMS "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-12-01

The_5p3ctrum has reported a vulnerability in Bluo CMS, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32932/

 --

[SA32931] mvnForum Unspecified Cross-Site Scripting and Request
Forgery

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-12-03

Some vulnerabilities have been reported in mvnForum, which can be
exploited by malicious people to conduct cross-site scripting and
cross-site request forgery attacks.

Full Advisory:
http://secunia.com/advisories/32931/

 --

[SA32925] PHP TV Portal "mid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-12-01

A vulnerability has been reported in PHP TV Portal, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32925/

 --

[SA32923] Sunbyte e-Flower "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-12-03

W4RL0CK has reported a vulnerability in Sunbyte e-Flower, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32923/

 --

[SA32924] CMS Made Simple "cms_language" Cookie Local File Inclusion

Critical:    Moderately critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2008-12-01

A vulnerability has been discovered in CMS Made Simple, which can be
exploited by malicious people to disclose potentially sensitive
information.

Full Advisory:
http://secunia.com/advisories/32924/

 --

[SA32996] W3matter RevSense "section" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-12-04

Pouya_Server has reported a vulnerability in W3matter RevSense, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/32996/

 --

[SA32985] ImpressCMS Session Fixation Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Hijacking
Released:    2008-12-04

A vulnerability has been reported in ImpressCMS, which can be exploited
by malicious people to conduct session fixation attacks.

Full Advisory:
http://secunia.com/advisories/32985/

 --

[SA32978] Drupal Storm Module SQL Injection Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-12-04

Jakub Suchy has reported some vulnerabilities in the Storm module for
Drupal, which can be exploited by malicious users to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/32978/

 --

[SA32957] IBM Rational ClearCase Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-12-02

A vulnerability has been reported in IBM Rational ClearCase, which can
be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/32957/

 --

[SA32937] iNet Orkut Clone "id" SQL Injection and Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2008-12-03

d3b4g has reported some vulnerabilities in iNet Orkut Clone, which can
be exploited by malicious users to conduct SQL injection attacks and
malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/32937/

 --

[SA32935] Movable Type Unspecified Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-12-03

A vulnerability has been reported in Movable Type, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/32935/

 --

[SA32965] VMware ESX / ESXi Virtual Hardware Memory Corruption
Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2008-12-03

A vulnerability has been reported in VMware ESX / ESXi, which can be
exploited by malicious, local users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/32965/



========================================================================

Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Subscribe:
http://secunia.com/advisories/weekly_summary/

Contact details:
Web	: http://secunia.com/
E-mail	: support_at_private
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45


Received on Thu Dec 04 2008 - 22:32:14 PST
