From pinar at pardus.org.tr Tue Jul 7 14:27:41 2009
From: pinar at pardus.org.tr (Pinar Yanardag)
Date: Tue, 7 Jul 2009 14:27:41 +0300
Subject: [Pardus-security] [PLSA 2009-99] Thunderbird: Multiple Vulnerabilities
Message-ID:

------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-99            security at pardus.org.tr
------------------------------------------------------------------------
Date: 2009-07-07
Severity: 4
Type: Remote
------------------------------------------------------------------------

Summary
=======

Some vulnerabilities have been reported in Mozilla Thunderbird, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and cross-site request forgery attacks, and potentially to compromise a user's system.

Description
===========

1) Multiple errors in the browser engine can be exploited to corrupt memory and potentially execute arbitrary code.
2) Multiple errors in the JavaScript engine can be exploited to corrupt memory and potentially execute arbitrary code.
3) An error exists when the "jar:" scheme is used to wrap a URI, which serves content with "Content-Disposition: attachment". This can be exploited to e.g. conduct cross-site scripting attacks on sites that allow users to upload arbitrary content, which is served as "application/java-archive" or "application/x-jar", and that rely on the HTTP header "Content-Disposition: attachment" to prevent potentially untrusted content.
4) An error when loading an Adobe Flash file via the "view-source:" scheme can be exploited to conduct cross-site request forgery attacks or read and write Local Shared Objects on a user's system e.g. for tracking purposes.
5) An error in the processing of XBL bindings can be exploited to conduct script insertion attacks on sites that allow users to embed third-party stylesheets.
6) Errors in "XMLHttpRequest" and "XPCNativeWrapper.toString" can be exploited to bypass the same-origin policy and potentially execute code with chrome privileges.
7) A race condition exists when accessing the private data of an NPObject JS wrapper class object if navigating away from a web page while loading a Java applet. This can be exploited via a specially crafted web page to use already freed memory.
8) Multiple errors in the browser engine can be exploited to corrupt memory and potentially execute arbitrary code.
9) An unspecified error can be exploited to trigger double frame constructions, which could corrupt memory. This can potentially be exploited to execute arbitrary code.
10) Multiple errors in the JavaScript engine can be exploited to corrupt memory and potentially execute arbitrary code.
11) An error in the handling of certain invalid Unicode characters, when used as part of an IDN (internationalized domain name), can be exploited to spoof the location bar.
12) An error in the handling of "file:" URIs can be exploited to access any domain's cookies saved on the local machine.
13) An error in the handling of non-200 responses after a CONNECT request to a proxy can be exploited to execute arbitrary HTML and script code in the requested SSL-protected domain.
14) Successful exploitation requires a MitM (Man-in-the-Middle) attack and that the victim uses a proxy.
15) The owner document of an element can become null after garbage collection. This can be exploited via event handlers to execute arbitrary JavaScript code with chrome privileges.
16) An error when loading a "file:" resource via the location bar can potentially be exploited to access the content of other local files, which would normally be protected.
17) Successful exploitation requires that a victim downloads a specially crafted document, and opens a local file before opening the malicious document in the same browser window.
18) A security issue exists due to improper checks of content-loading policies before loading external script files into XUL documents.
19) A vulnerability exists due to an error when a chrome privileged object (e.g. the browser sidebar or the FeedWriter) interacts with web content. This can be exploited to execute arbitrary code with an object's chrome privileges.

Affected packages:

  Pardus 2008:
    thunderbird, all before 2.0.0.22-45-9

Resolution
==========

There are update(s) for thunderbird. You can update them via Package Manager or with a single command from console:

    pisi up thunderbird

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=9627
  * http://www.mozilla.org/security/announce/2009/mfsa2009-14.html
  * http://www.mozilla.org/security/announce/2009/mfsa2009-16.html
  * http://www.mozilla.org/security/announce/2009/mfsa2009-17.html
  * http://www.mozilla.org/security/announce/2009/mfsa2009-18.html
  * http://www.mozilla.org/security/announce/2009/mfsa2009-19.html
  * http://www.mozilla.org/security/announce/2009/mfsa2009-24.html
  * http://www.mozilla.org/security/announce/2009/mfsa2009-27.html
  * http://www.mozilla.org/security/announce/2009/mfsa2009-29.html
  * http://www.mozilla.org/security/announce/2009/mfsa2009-31.html
  * http://www.mozilla.org/security/announce/2009/mfsa2009-32.html
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1302
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1303
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1304
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1305
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1306
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1307
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1308
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1309
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1392
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1832
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1833
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1836
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1838
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1840
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1841
  * http://secunia.com/advisories/34780
  * http://secunia.com/advisories/35440

------------------------------------------------------------------------

--
Pardus Security Team
http://security.pardus.org.tr

From pinar at pardus.org.tr Tue Jul 7 14:28:16 2009
From: pinar at pardus.org.tr (Pinar Yanardag)
Date: Tue, 7 Jul 2009 14:28:16 +0300
Subject: [Pardus-security] [PLSA 2009-100] Pidgin: Denial of Service
Message-ID:

------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-100           security at pardus.org.tr
------------------------------------------------------------------------
Date: 2009-07-07
Severity: 2
Type: Remote
------------------------------------------------------------------------

Summary
=======

A weakness has been reported in Pidgin, which can be exploited by malicious people to cause a DoS (Denial of Service).

Description
===========

The weakness is caused due to the application misinterpreting an ICQ web message as an ICQ SMS message. This can be exploited to trigger an out-of-memory condition and terminate the application via a specially crafted ICQ web message.

Affected packages:

  Pardus 2008:
    pidgin, all before 2.5.8-31-12

Resolution
==========

There are update(s) for pidgin.
You can update them via Package Manager or with a single command from console:

    pisi up pidgin

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=10205
  * http://developer.pidgin.im/ticket/9483
  * http://developer.pidgin.im/viewmtn/revision/info/9bac0a540156fb1848eedd61c8630737dee752c7

------------------------------------------------------------------------

--
Pardus Security Team
http://security.pardus.org.tr

From pinar at pardus.org.tr Sun Jul 12 12:25:13 2009
From: pinar at pardus.org.tr (Pinar Yanardag)
Date: Sun, 12 Jul 2009 12:25:13 +0300
Subject: [Pardus-security] [PLSA 2009-101] Apache: Multiple Vulnerabilities
Message-ID:

------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-101           security at pardus.org.tr
------------------------------------------------------------------------
Date: 2009-07-11
Severity: 3
Type: Remote
------------------------------------------------------------------------

Summary
=======

Some vulnerabilities have been reported in Apache, which can be exploited by malicious people to cause a DoS (Denial of Service).

Description
===========

1) A vulnerability has been reported in the Apache mod_proxy module, which can be exploited by malicious people to potentially cause a DoS (Denial of Service). An error exists in the mod_proxy module when functioning in reverse proxy mode. This can be exploited to consume large amounts of CPU in an affected proxy process via specially crafted proxy requests.
2) A potential Denial-of-Service attack against mod_deflate or other modules, in which the server is forced to consume CPU time compressing a large file after a client disconnects, has been fixed.

Affected packages:

  Pardus 2008:
    apache, all before 2.2.11-31-9

Resolution
==========

There are update(s) for apache.
You can update them via Package Manager or with a single command from console:

    pisi up apache

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=10300
  * http://svn.apache.org/viewvc?view=rev&revision=790587
  * http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891

------------------------------------------------------------------------

--
Pardus Security Team
http://security.pardus.org.tr

From pinar at pardus.org.tr Sun Jul 12 12:25:58 2009
From: pinar at pardus.org.tr (Pinar Yanardag)
Date: Sun, 12 Jul 2009 12:25:58 +0300
Subject: [Pardus-security] [PLSA 2009-102] Qt4: Denial of Service
Message-ID:

------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-102           security at pardus.org.tr
------------------------------------------------------------------------
Date: 2009-07-12
Severity: 4
Type: Remote
------------------------------------------------------------------------

Summary
=======

A vulnerability has been reported in Qt4, which can be exploited by malicious people to potentially compromise a user's system.

Description
===========

The vulnerability is caused due to a boundary error in WebKit when processing SVGList objects. This can be exploited to trigger a memory corruption when visiting a malicious web page.

Affected packages:

  Pardus 2008:
    qt4, all before 4.4.3-55-18
    qt4-designer, all before 4.4.3-55-18
    qt4-doc, all before 4.4.3-55-16
    qt4-linguist, all before 4.4.3-55-18
    qt4-sql-ibase, all before 4.4.3-55-4
    qt4-sql-mysql, all before 4.4.3-55-18
    qt4-sql-odbc, all before 4.4.3-55-18
    qt4-sql-postgresql, all before 4.4.3-55-18
    qt4-sql-sqlite, all before 4.4.3-55-18

Resolution
==========

There are update(s) for qt4, qt4-designer, qt4-doc, qt4-linguist, qt4-sql-ibase, qt4-sql-mysql, qt4-sql-odbc, qt4-sql-postgresql, qt4-sql-sqlite. You can update them via Package Manager or with a single command from console:

    pisi up qt4 qt4-designer qt4-doc qt4-linguist qt4-sql-ibase qt4-sql-mysql qt4-sql-odbc qt4-sql-postgresql qt4-sql-sqlite

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=9915
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0945

------------------------------------------------------------------------

--
Pardus Security Team
http://security.pardus.org.tr

From pinar at pardus.org.tr Sun Jul 19 14:16:04 2009
From: pinar at pardus.org.tr (Pinar Yanardag)
Date: Sun, 19 Jul 2009 14:16:04 +0300
Subject: [Pardus-security] [PLSA 2009-103] WxGtk: Integer Overflow
Message-ID:

------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-103           security at pardus.org.tr
------------------------------------------------------------------------
Date: 2009-07-19
Severity: 3
Type: Remote
------------------------------------------------------------------------

Summary
=======

Tielei Wang has discovered a vulnerability in wxWidgets, which can be exploited by malicious people to potentially compromise a user's system.

Description
===========

The vulnerability is caused due to an integer overflow error within the "wxImage::Create()" function in src/common/image.cpp.
This can be exploited to cause a heap-based buffer overflow by tricking a user into opening e.g. a specially crafted JPEG file. Successful exploitation may allow execution of arbitrary code.

Affected packages:

  Pardus 2008:
    wxGTK, all before 2.8.9-11-7

Resolution
==========

There are update(s) for wxGTK. You can update them via Package Manager or with a single command from console:

    pisi up wxGTK

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=10477
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2369
  * http://secunia.com/advisories/35351

------------------------------------------------------------------------

--
Pardus Security Team
http://security.pardus.org.tr

From pinar at pardus.org.tr Wed Jul 22 16:33:14 2009
From: pinar at pardus.org.tr (Pinar Yanardag)
Date: Wed, 22 Jul 2009 16:33:14 +0300
Subject: [Pardus-security] [PLSA 2009-104] Perl IO::Socket::SSL: Security Bypass
Message-ID:

------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-104           security at pardus.org.tr
------------------------------------------------------------------------
Date: 2009-07-22
Severity: 3
Type: Remote
------------------------------------------------------------------------

Summary
=======

A vulnerability has been reported in IO::Socket::SSL, which can be exploited by malicious people to bypass certain security restrictions.

Description
===========

The vulnerability is caused due to an error within the certificate hostname matching when no wildcard was given, which can be exploited to bypass the hostname verification.

Affected packages:

  Pardus 2008:
    perl-IO-Socket-SSL, all before 1.26-13-4

  Pardus 2009:
    perl-IO-Socket-SSL, all before 1.26-14-3

Resolution
==========

There are update(s) for perl-IO-Socket-SSL.
You can update them via Package Manager or with a single command from console:

  Pardus 2008:
    pisi up perl-IO-Socket-SSL

  Pardus 2009:
    pisi up perl-IO-Socket-SSL

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=10309
  * http://search.cpan.org/diff?from=IO-Socket-SSL-1.25&to=IO-Socket-SSL-1.26&w=1
  * http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.26/Changes
  * http://secunia.com/advisories/35703

------------------------------------------------------------------------

--
Pardus Security Team
http://security.pardus.org.tr

From pinar at pardus.org.tr Fri Jul 24 10:52:16 2009
From: pinar at pardus.org.tr (Pinar Yanardag)
Date: Fri, 24 Jul 2009 10:52:16 +0300
Subject: [Pardus-security] [PLSA 2009-105] Pulseaudio: Privilege escalation
Message-ID:

------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-105           security at pardus.org.tr
------------------------------------------------------------------------
Date: 2009-07-24
Severity: 2
Type: Local
------------------------------------------------------------------------

Summary
=======

Pardus has issued an update for pulseaudio. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Description
===========

The vulnerability is caused due to the application setting the "LD_BIND_NOW" environment variable to "1" before dropping its privileges and executing itself via "/proc/self/exe", which can be exploited to execute arbitrary code with root privileges by creating a hardlink to the pulseaudio executable.

Affected packages:

  Pardus 2008:
    pulseaudio, all before 0.9.10-8-7
    pulseaudio-bluetooth, all before 0.9.10-8-5
    pulseaudio-gconf, all before 0.9.10-8-5
    pulseaudio-jack, all before 0.9.10-8-5

  Pardus 2009:
    pulseaudio, all before 0.9.15-15-9

  Pardus 2009i:
    pulseaudio-gconf, all before 0.9.15-15-9

  Pardus 2009:
    pulseaudio-jack, all before 0.9.15-15-9

Resolution
==========

There are update(s) for pulseaudio, pulseaudio-bluetooth, pulseaudio-gconf, pulseaudio-jack. You can update them via Package Manager or with a single command from console:

  Pardus 2009i:
    pisi up pulseaudio-gconf

  Pardus 2008:
    pisi up pulseaudio pulseaudio-bluetooth pulseaudio-gconf pulseaudio-jack

  Pardus 2009:
    pisi up pulseaudio pulseaudio-jack

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=10490
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1894

------------------------------------------------------------------------

--
Pardus Security Team
http://security.pardus.org.tr

From pinar at pardus.org.tr Fri Jul 24 11:25:35 2009
From: pinar at pardus.org.tr (Pinar Yanardag)
Date: Fri, 24 Jul 2009 11:25:35 +0300
Subject: [Pardus-security] [PLSA 2009-106] Clamav: Multiple Vulnerabilities
Message-ID:

------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-106           security at pardus.org.tr
------------------------------------------------------------------------
Date: 2009-07-24
Severity: 2
Type: Remote
------------------------------------------------------------------------

Summary
=======

New ClamAV update corrects several scanner bypass vulnerabilities and other issues as well.

Description
===========

1. libclamav: detect and handle archives hidden inside other files (e.g. images), which can be unpacked by WinZip, WinRAR and other tools (bb#1554) Reported by ROGER Mickael and Thierry Zoller
2. libclamav/mspack.c, cab.c: don't rely on file sizes stored in CAB headers (bb#1562) Reported by Thierry Zoller
3. libclamunrar/unrarvm.c: fix handling of some broken rar files
4. libclamav/mbox.c: handle malformed emails with embedded \0s (bb#1573)
5. libclamav/readdb.c: add offset checks (bb#1615)

Affected packages:

  Pardus 2008:
    clamav, all before 0.95.2-30-4
    klamav, all before 0.46-14-2

  Pardus 2009:
    clamav, all before 0.95.2-34-4

Resolution
==========

There are update(s) for clamav, klamav. You can update them via Package Manager or with a single command from console:

  Pardus 2008:
    pisi up clamav klamav

  Pardus 2009:
    pisi up clamav

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=10315
  * http://blog.zoller.lu/2009/05/advisory-clamav-generic-bypass.html

------------------------------------------------------------------------

--
Pardus Security Team
http://security.pardus.org.tr

From pinar at pardus.org.tr Fri Jul 24 11:40:09 2009
From: pinar at pardus.org.tr (Pinar Yanardag)
Date: Fri, 24 Jul 2009 11:40:09 +0300
Subject: [Pardus-security] [PLSA 2009-107] Dhcp: Buffer Overflow
Message-ID:

------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-107           security at pardus.org.tr
------------------------------------------------------------------------
Date: 2009-07-24
Severity: 3
Type: Local
------------------------------------------------------------------------

Summary
=======

A vulnerability has been reported in ISC DHCP, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Description
===========

The vulnerability is caused due to a boundary error within the "script_write_params()" function in client/dhclient.c and can be exploited to cause a stack-based buffer overflow by sending an overly long subnet-mask option.
Successful exploitation may allow execution of arbitrary code with "root" privileges, but requires that dhclient processes a specially crafted response from a malicious DHCP server.

Affected packages:

  Pardus 2008:
    dhcp, all before 3.1.2_p1-16-3

Resolution
==========

There are update(s) for dhcp. You can update them via Package Manager or with a single command from console:

    pisi up dhcp

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=10476
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
  * http://secunia.com/advisories/35785

------------------------------------------------------------------------

--
Pardus Security Team
http://security.pardus.org.tr
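
PLSA 2009-107 above attributes the dhclient overflow to an overly long subnet-mask option. The following C code is an added example, not code from ISC DHCP or from the advisory: it shows the length check a client needs before copying that option into a fixed-size buffer. The function name `extract_subnet_mask` and the sample buffers are hypothetical and constructed for illustration; the option codes (0, 1, 255) and the 4-octet mask length come from RFC 2132.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Option codes and the fixed 4-octet mask length are from RFC 2132. */
enum { OPT_PAD = 0, OPT_SUBNET_MASK = 1, OPT_END = 255, MASK_LEN = 4 };

/* Constructed sample option fields (not captured traffic). */
static const uint8_t sample_ok[] = {
    53, 1, 5,                       /* message type option */
    1, 4, 255, 255, 255, 0,         /* subnet mask with the correct length */
    255 };
static const uint8_t sample_overlong[38] = {
    53, 1, 5,
    1, 32, 0x41, 0x41, 0x41, 0x41,  /* subnet mask claiming 32 octets */
    [37] = 255 };                   /* remaining value octets are zero */
static const uint8_t sample_truncated[] = { 1, 4, 255, 255 };
static const uint8_t sample_absent[] = { 53, 1, 5, 255 };

/* Hypothetical helper: walk the code/length/value list and copy out the
 * subnet mask. Returns 0 on success, -1 if the option is absent, -2 if the
 * field is malformed or the mask length is not exactly 4 octets. */
int extract_subnet_mask(const uint8_t *opts, size_t len, uint8_t mask[MASK_LEN])
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD) continue;        /* pad carries no length octet */
        if (code == OPT_END) break;
        if (i >= len) return -2;              /* length octet is missing */
        uint8_t olen = opts[i++];
        if (olen > len - i) return -2;        /* value runs past the field */
        if (code == OPT_SUBNET_MASK) {
            if (olen != MASK_LEN) return -2;  /* reject before any copy */
            memcpy(mask, opts + i, MASK_LEN); /* copy size is a constant */
            return 0;
        }
        i += olen;                            /* skip options we do not need */
    }
    return -1;
}

int main(void)
{
    uint8_t mask[MASK_LEN];
    printf("ok=%d overlong=%d truncated=%d absent=%d\n",
           extract_subnet_mask(sample_ok, sizeof sample_ok, mask),
           extract_subnet_mask(sample_overlong, sizeof sample_overlong, mask),
           extract_subnet_mask(sample_truncated, sizeof sample_truncated, mask),
           extract_subnet_mask(sample_absent, sizeof sample_absent, mask));
    return 0;
}
```

The copy length is the constant `MASK_LEN`, never the length octet supplied by the server, so a wrong length can only produce an error return.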