Spyware, viruses, & security forum: VULNERABILITIES / FIXES - April 26, 2012

Release Date : 2012-04-26

Criticality level : Moderately critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Operating System: Red Hat Enterprise Linux Desktop 5
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 5
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6
RHEL Desktop Workstation 5

Description:
Red Hat has issued an update for libpng. This fixes a vulnerability, which can be exploited by malicious people to compromise an application using the library.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2012:0523-01:
https://rhn.redhat.com/errata/RHSA-2012-0523.html

http://secunia.com/advisories/48983/

Release Date : 2012-04-26

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: openSUSE 11.4
openSUSE 12.1

Description:
SUSE has issued an update for wireshark. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2012:0558-1:
http://lists.opensuse.org/opensuse-updates/2012-04/msg00060.html

http://secunia.com/advisories/48986/

Release Date : 2012-04-26

Criticality level : Moderately critical
Impact : Unknown
Where : From remote
Solution Status : Vendor Patch

Software: NinjaXplorer 1.x (component for Joomla!)

Description:
A vulnerability with an unknown impact has been reported in the NinjaXplorer component for Joomla!.

The vulnerability is caused due to an unspecified error. No further information is currently available.

The vulnerability is reported in versions prior to 1.0.7.

Solution:
Update to version 1.0.7.

Provided and/or discovered by:
The vendor credits CloudAccess.

Original Advisory:
http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately

http://secunia.com/advisories/48958/

Release Date : 2012-04-26

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: Debian GNU/Linux 6.0

Description:
Debian has issued an update for quagga. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Apply updated packages via the apt-get package manager.

Original Advisory:
DSA-2459-1:
http://lists.debian.org/debian-security-announce/2012/msg00092.html

http://secunia.com/advisories/48949/

Drupal Creative Commons Module License Description Script Insertion Vulnerability

Release Date : 2012-04-26

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Drupal Creative Commons Module 6.x

Description:
A vulnerability has been reported in the Creative Commons module for Drupal, which can be exploited by malicious users to conduct script insertion attacks.

Certain input related to the text describing licenses is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires the "administer creative commons" permission.

The vulnerability is reported in versions 6.x-1.x prior to 6.x-1.1.

Solution:
Update to version 6.x-1.1.

Provided and/or discovered by:
The vendor credits Justin Klein-Keane.

Original Advisory:
SA-CONTRIB-2012-062:
http://drupal.org/node/1547520

http://secunia.com/advisories/48937/

Drupal Spaces Module Spaces Access Permissions Security Bypass Security Issue

Release Date : 2012-04-26

Criticality level : Less critical
Impact : Security Bypass
Where : From remote
Solution Status : Vendor Patch

Software: Drupal Spaces Module 6.x

Description:
A security issue has been reported in the Spaces module for Drupal, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to an error within the spaces and spaces_og modules when verifying spaces access permissions for non-objects (e.g. /node) and can be exploited to e.g. disclose block data information.

NOTE: Drupal's node_access and user profile systems implement additional permission checks and may prevent certain information from being disclosed.

The security issue is reported in versions prior to 6.x-3.4.

Solution:
Update to version 6.x-3.4.

Provided and/or discovered by:
The vendor credits hefox.

Original Advisory:
SA-CONTRIB-2012-066:
http://drupal.org/node/1547736

http://secunia.com/advisories/48930/

Net-SNMP Agent MIB Subtree Handling Denial of Service Vulnerability

Release Date : 2012-04-26

Criticality level : Less critical
Impact : DoS
Where : From local network
Solution Status : Unpatched

Software: Net-SNMP 5.x

Description:
A vulnerability has been reported in Net-SNMP, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an array-indexing error in the "handle_nsExtendOutput2Table()" function (agent/mibgroup/agent/extend.c) when processing certain MIB subtrees. This can be exploited to cause the "snmpd" process to crash via a specially crafted SNMP GET request.

Successful exploitation requires read privileges to a subtree.

The vulnerability is reported in version 5.7.1. Other versions may also be affected.

Solution:
Restrict access to trusted hosts only.

Provided and/or discovered by:
Reported by Sergio Freire in a Red Hat bug report.

Original Advisory:
https://bugzilla.redhat.com/show_bug.cgi?id=815813

http://secunia.com/advisories/48938/