Ad: Manage updates with the Download App
ie8 fix
Click Here

Spyware, viruses, & security forum: VULNERABILITIES / FIXES - December 07, 2012

by: Carol~ December 7, 2012 6:16 AM PST

Like this

0 people like this thread

Staff pick

VULNERABILITIES / FIXES - December 07, 2012

by Carol~ Moderator - 12/7/12 6:16 AM

Avaya Experience Portal Apache HTTP Server ByteRange Filter Denial of Service Vulnerability

Release Date : 2012-12-07

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Software: Avaya Experience Portal 6.x

Description:
Avaya has acknowledged a vulnerability in Avaya Experience Portal, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is reported in version 6.0.

Solution:
Update to version 6.0 SP1.

Original Advisory:
ASA-2011-281:
https://downloads.avaya.com/css/P8/documents/100148618

http://secunia.com/advisories/51480/


Reply
Report offensive post
Email to friend

Perl Locale::Maketext Module Two Code Injection

by Carol~ Moderator - 12/7/12 6:22 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Perl Locale::Maketext Module Two Code Injection Vulnerabilities

Release Date : 2012-12-07

Criticality level : Moderately critical
Impact : System access
Where : From remote
Solution Status : Vendor Workaround

Software: Locale::Maketext 1.x (module for Perl)

Description:
Two vulnerabilities have been reported in Locale::Maketext module for Perl, which can be exploited by malicious users to compromise an application using the module.

The vulnerabilities are caused due to the "_compile()" function not properly sanitising input, which can be exploited to inject and execute arbitrary Perl code.

The vulnerabilities are reported in version 1.23. Prior versions may also be affected.

Solution:
Fixed in the GIT repository:

Provided and/or discovered by:
Brian Carlson of cPanel

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224

http://secunia.com/advisories/51498/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

IBM Tivoli Monitoring HTTP Service Console Cross-Site

by Carol~ Moderator - 12/7/12 6:22 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

IBM Tivoli Monitoring HTTP Service Console Cross-Site Scripting Vulnerability

Release Date : 2012-12-07

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: IBM Tivoli Monitoring 6.x

Description:
A vulnerability has been reported in IBM Tivoli Monitoring, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the HTTP service console is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in versions 6.2.2 and 6.2.3.

Solution:
Apply Fix Pack 6.2.3-TIV-ITM-FP0001 or 6.2.2-TIV-ITM-FP0009.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
IBM:
https://www.ibm.com/support/docview.wss?uid=swg21618972

http://secunia.com/advisories/51509/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

IBM Flex System CMM and IMM2 Modules Credentials Disclosure

by Carol~ Moderator - 12/7/12 6:22 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

IBM Flex System CMM and IMM2 Modules Credentials Disclosure Security Issue

Release Date : 2012-12-07

Criticality level : Not critical
Impact : Exposure of sensitive information
Where : Local system
Solution Status : Vendor Patch

Software: IBM Flex System Chassis Management Module (CMM) 1.x
IBM Flex System Integrated Management Module 2 (IMM2) 1.x

Description:
A security issue has been reported in IBM Flex System CMM and IMM2 Modules, which can be exploited by malicious, local users to disclose sensitive information.

The security issue is caused due to certain service and maintenance activity exposing SNMP and LDAP credentials. No further information is currently available.

The security issue is reported in the following products:
* IBM Flex System CMM version 1.00.0
* IBM Flex System CMM version 1.20.2
* IBM Flex System IMM2 version 1.34
* IBM Flex System IMM2 version 1.45
* IBM Flex System IMM2 version 1.60

Solution:
Apply patch.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
IBM PSIRT:
https://www.ibm.com/connections/blogs/PSIRT/entry/flex_system_chassis_management_module_cmm_and_integrated_management_module_2_imm2_potential_security_vulnerability_with_authentication_data_cve_2012_4838_ibm_flex_system8

http://secunia.com/advisories/51508/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

bogofilter Base64 Character Set Conversion Denial of Service

by Carol~ Moderator - 12/7/12 6:22 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

bogofilter Base64 Character Set Conversion Denial of Service Vulnerability

Release Date : 2012-12-07

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Software: bogofilter 1.x

Description:
A vulnerability has been reported in bogofilter, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the "convert()" function (src/iconvert.c) when converting the character set and can be exploited to cause a heap-based buffer overflow via specially crafted base64 string.

The vulnerability is reported in versions 1.2.2 and prior.

Solution:
Update to version 1.2.3 (r6973).

Provided and/or discovered by:
Julius Plenz

Original Advisory:
bogofilter-SA-2012-01:
http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01

http://secunia.com/advisories/51334/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

IBM Informix Dynamic Server Buffer Overflow Vulnerability

by Carol~ Moderator - 12/7/12 6:22 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Release Date : 2012-12-07

Criticality level : Less critical
Impact : System access
Where : From local network
Solution Status : Vendor Patch

Software: IBM Informix Dynamic Server 11.x

Description:
A vulnerability has been reported in IBM Informix Dynamic Server, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to an error when processing certain unspecified SQL statements and can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 11.50.xC9W2 and prior and version 11.70.xC7 and prior.

Solution:
Update to a version with a fix greater than 11.50.xC9W2 or 11.70.xC7.

Provided and/or discovered by:
The vendor credits IOActive Inc.

Original Advisory:
IBM:
https://www.ibm.com/support/docview.wss?uid=swg21618994

http://secunia.com/advisories/51506/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

m0n0wall Cross-Site Request Forgery Vulnerability

by Carol~ Moderator - 12/7/12 7:03 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Release Date : 2012-12-07

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Operating System : m0n0wall 3.x

Description:
A vulnerability has been reported in m0n0wall, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. execute arbitrary commands if a logged-in administrator visits a malicious web site.

The vulnerability is reported in version 1.33. Prior versions may also be affected.

Solution:
Update to version 1.34.

Provided and/or discovered by:
Yann CAM, Synetis

Original Advisory:
m0n0wall:
http://m0n0.ch/wall/downloads.php

Yann CAM:
http://packetstormsecurity.org/files/118652/m0n0wall-1.33-Cross-Site-Request-Forgery.html

http://secunia.com/advisories/51238/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

SUSE update for gimp

by Carol~ Moderator - 12/7/12 7:04 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Release Date : 2012-12-07

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Operating System : openSUSE 12.1
openSUSE 12.2

Description:
SUSE has issued an update for gimp. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2012:1623-1:
http://lists.opensuse.org/opensuse-updates/2012-12/msg00017.html

http://secunia.com/advisories/51479/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

SUSE update for libssh

by Carol~ Moderator - 12/7/12 7:59 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Release Date : 2012-12-07

Criticality level : Moderately critical
Impact : DoS
System access
Where : From remote
Solution Status : Vendor Patch

Operating System : openSUSE 12.1
openSUSE 12.2

Description:
SUSE has issued an update for libssh. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise an application using the library.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2012:1620-1:
http://lists.opensuse.org/opensuse-updates/2012-12/msg00014.html

openSUSE-SU-2012:1622-1:
http://lists.opensuse.org/opensuse-updates/2012-12/msg00016.html

http://secunia.com/advisories/51492/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

SUSE update for xen

by Carol~ Moderator - 12/7/12 8:00 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Release Date : 2012-12-07

Criticality level: Less critical
Impact : Privilege escalation
DoS
Where : Local system
Solution Status : Vendor Patch

Operating System : SUSE Linux Enterprise Server (SLES) 11

Description:
SUSE has issued an update for xen. This fixes multiple vulnerabilities, which can be exploited by malicious, local users in a guest virtual machine to cause a DoS (Denial of Service) and potentially gain escalated privileges.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
SUSE-SU-2012:1615-1:
http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00001.html

http://secunia.com/advisories/51487/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for pki

by Carol~ Moderator - 12/7/12 8:09 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Release Date : 2012-12-07

Criticality level : Less critical
Impact : DoS
Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Red Hat Certificate System 8.x

Description:
Red Hat has issued an update for pki. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to cause a DoS (Denial of Service).

1) Certain input is not properly sanitised within the web interface before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Some errors within the token processing functionality can be exploited to crash the Apache web server child process, which may prevent the processing of other users' requests.

Solution:
Updated packages are available via Red Hat Network.

Provided and/or discovered by:
1) Reported by the vendor.
2) The vendor credits Patrick Raspante and Ryan Millay, GDC4S.

Original Advisory:
RHSA-2012:1550-1:
https://rhn.redhat.com/errata/RHSA-2012-1550.html

http://secunia.com/advisories/51482/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for bind

by Carol~ Moderator - 12/7/12 9:47 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Release Date : 2012-12-07

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Operating System : Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for bind. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2012:1549-1:
https://rhn.redhat.com/errata/RHSA-2012-1549.html

http://secunia.com/advisories/51481/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

SUSE update for tor

by Carol~ Moderator - 12/7/12 9:48 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Release Date : 2012-12-07

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Operating System : openSUSE 12.2

Description:
SUSE has issued an update for tor. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2012:1624-1:
http://lists.opensuse.org/opensuse-updates/2012-12/msg00018.html

http://secunia.com/advisories/51471/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

SUSE update for horde4-kronolith

by Carol~ Moderator - 12/7/12 9:49 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Release Date : 2012-12-07

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Operating System : openSUSE 12.1
openSUSE 12.2

Description:
SUSE has issued an update for horde4-kronolith. This fixes multiple vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2012:1625-1:
http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html

http://secunia.com/advisories/51469/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

SUSE update for gegl

by Carol~ Moderator - 12/7/12 9:58 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Release Date : 2012-12-07

Criticality level : Moderately critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Operating System : openSUSE 12.1
openSUSE 12.2

Description:
SUSE has issued an update for gegl. This fixes a vulnerability, which can be exploited by malicious people to compromise an application using the library.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2012:1627-1:
http://lists.opensuse.org/opensuse-updates/2012-12/msg00021.html

http://secunia.com/advisories/51461/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for mysql

by Carol~ Moderator - 12/7/12 11:10 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Release Date : 2012-12-07

Criticality level : Less critical
Impact : System access
Where : From local network
Solution Status : Vendor Patch

Operating System : Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for mysql. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2012:1551-1:
https://rhn.redhat.com/errata/RHSA-2012-1551.html

http://secunia.com/advisories/51466/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

TVMOBiLi HTTP Request Processing Two Buffer Overflow

by Carol~ Moderator - 12/7/12 11:10 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

TVMOBiLi HTTP Request Processing Two Buffer Overflow Vulnerabilities

Release Date : 2012-12-07

Criticality level : Moderately critical
Impact : System access
DoS
Where : From local network
Solution Status : Vendor Patch

Software: TVMOBiLi 2.x

Description:
Two vulnerabilities have been discovered in TVMOBiLi, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

1) A boundary error in the "CHTTPServerTransaction::LoadResource()" method (HttpUtils.dll) when processing a web request can be exploited to cause a limited stack-based buffer overflow resulting in a crash only via a specially crafted URL.

2) A boundary error in the "CHTTPServerTransaction::LoadFile()" method (HttpUtils.dll) when processing a web request can be exploited to cause a heap-based buffer overflow via a specially crafted URL.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

The vulnerabilities are confirmed in version 2.1.3557. Prior versions may also be affected.

Solution:
Update to version 2.1.3974.

Provided and/or discovered by:
1) High-Tech Bridge
2) Additional information provided by Secunia Research.

Original Advisory:
TVMOBiLi:
http://dev.tvmobili.com/changelog.php
http://forum.tvmobili.com/viewtopic.php?f=7&t=55117

HTB23120:
https://www.htbridge.com/advisory/HTB23120

http://secunia.com/advisories/51465/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Ubuntu update for libxml2

by Carol~ Moderator - 12/7/12 11:15 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Release Date : 2012-12-06

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Operating System : Ubuntu Linux 10.04
Ubuntu Linux 11.10
Ubuntu Linux 12.04
Ubuntu Linux 8.04

Description:
Ubuntu has issued an update for libxml2. This fixes a vulnerability, which can be exploited by malicious people to potentially compromise an application using the library.

Solution:
Apply updated packages.

Original Advisory:
USN-1656-1:
http://www.ubuntu.com/usn/usn-1656-1/

http://secunia.com/advisories/51478/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Forum Icon Legend

  • UnreadUnread
  • ReadRead
  • Locked threadLocked thread
  •   
  •   
  •   
  •   
  •   
  •   
  •   
  • ModeratorModerator
  • CNET StaffCNET Staff
  • Samsung StaffSamsung Staff
  • Norton Authorized Support TeamNorton Authorized Support Team
  • AVG StaffAVG Staff
  • avast! Staffavast! Staff
  • Webroot Support TeamWebroot Support Team
  • Acer Customer Experience TeamAcer Customer Experience Team
  • Windows Outreach TeamWindows Outreach Team
  • DISH staffDISH staff
  • Dell StaffDell Staff
  • Intel StaffIntel Staff
  • QuestionQuestion
  • Resolved questionResolved question
  • General discussionGeneral discussion
  • TipTip
  • Alert or warningAlert or warning
  • PraisePraise
  • RantRant

You are e-mailing the following post: Post Subject

Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipient's address will be used for any other purpose.

Sorry, there was a problem emailing this post. Please try again.

Submit Email Cancel

Thank you. Sent email to

Close

Thank you. Sent email to

Close

You are reporting the following post: Post Subject

If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.

Offensive: Sexually explicit or offensive language

Spam: Advertisements or commercial links

Disruptive posting: Flaming or offending other users

Illegal activities: Promote cracked software, or other illegal content

Sorry, there was a problem submitting your post. Please try again.

Submit Report Cancel

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

You are posting a reply to: Post Subject

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to the CNET Forums policies for details. All submitted content is subject to CBS Interactive Site Terms of Use.

You are currently tracking this discussion. Click here to manage your tracked discussions.

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

Sorry, there was a problem submitting your post. Please try again.

Sorry, there was a problem generating the preview. Please try again.

Duplicate posts are not allowed in the forums. Please edit your post and submit again.

Submit Reply Preview Cancel

Thank you, , your post has been submitted.

> Click here to view your post. > Manage your tracked discussions. > Track this discussion. Close

Thank you, , your post has been submitted and will appear on our site shortly.

Close