The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Sarge

computer vulnerability announce CVE-2011-2821 CVE-2011-2834

libxml2: double free via XPath

Synthesis of the vulnerability

An attacker can use a special XPath expression, in order to create a double memory free in libxml2, leading to a denial of service or to code execution.
Impacted products: Debian, Fedora, NSM Central Manager, NSMXpress, libxml, MES, Mandriva Linux, openSUSE, Solaris, RHEL, ESX, ESXi.
Severity: 2/4.
Creation date: 10/10/2011.
Identifiers: CERTA-2011-AVI-528, CERTA-2012-AVI-673, CVE-2011-2821, CVE-2011-2834, DSA-2394-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESXi400-201209001, ESXi400-201209401-SG, FEDORA-2012-13820, FEDORA-2012-13824, MDVSA-2011:145, openSUSE-SU-2012:0073-1, PSN-2012-11-767, RHSA-2011:1749-03, RHSA-2012:0016-01, RHSA-2012:0017-01, RHSA-2013:0217-01, VIGILANCE-VUL-11047, VMSA-2012-0003.1, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0012.2, VMSA-2012-0013.1.

Description of the vulnerability

The XPath language is used to indicate a location in XML data. For example, "/a/b" selects the "b" element nested in the root "a" element ("<a><b>").

An attacker can use a special XPath expression, in order to create a double memory free in libxml2, leading to a denial of service or to code execution.

Technical details are unknown.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability announce CVE-2011-2713

LibreOffice: three vulnerabilities

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious Word document with LibreOffice, in order to execute code on his computer.
Impacted products: OpenOffice, Debian, Fedora, LibreOffice, Mandriva Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Creation date: 06/10/2011.
Identifiers: BID-49969, CERTA-2003-AVI-005, CERTA-2011-AVI-589, CVE-2011-2713, DSA-2315-1, FEDORA-2011-14036, FEDORA-2011-14049, MDVSA-2011:172, openSUSE-SU-2011:1143-1, openSUSE-SU-2011:1143-2, SUSE-SU-2011:1147-1, SUSE-SU-2011:1148-1, VIGILANCE-VUL-11042.

Description of the vulnerability

The LibreOffice suite imports documents in the Microsoft Word format. However, three vulnerabilities can occur during the import.

A malicious Word document corrupts the memory of the import filter. [severity:3/4; BID-49969, CERTA-2011-AVI-589, CVE-2011-2713]

A document containing a malicious Windows Metafile (.WMF) image corrupts the memory. [severity:3/4]

A document containing a malicious Windows Enhanced Metafile (.EMF) image corrupts the memory. [severity:3/4]

An attacker can therefore invite the victim to open a malicious Word document with LibreOffice, in order to execute code on his computer.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability alert CVE-2011-3368

Apache httpd: access to another server via mod_proxy

Synthesis of the vulnerability

An attacker can use a malicious HTTP query, when mod_proxy uses RewriteRule or ProxyPassMatch, in order to access web resources of another server.
Impacted products: Apache httpd, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, Junos Space, Junos Space Network Management Platform, MES, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 05/10/2011.
Identifiers: BID-49957, c03231301, CERTA-2011-AVI-562, CERTA-2011-AVI-607, CERTA-2012-AVI-050, CERTA-2012-AVI-156, CVE-2011-3368, DSA-2405-1, FEDORA-2012-1598, FEDORA-2012-1642, HPSBMU02748, JSA10585, MDVSA-2011:144, openSUSE-SU-2012:0212-1, openSUSE-SU-2012:0248-1, openSUSE-SU-2013:0243-1, openSUSE-SU-2014:1647-1, RHSA-2011:1391-01, RHSA-2011:1392-01, RHSA-2012:0542-01, RHSA-2012:0543-01, SOL15889, SSA:2012-041-01, SSRT100772, SUSE-SU-2011:1229-1, SUSE-SU-2011:1309-1, SUSE-SU-2011:1322-1, VIGILANCE-VUL-11041.

Description of the vulnerability

The mod_proxy module is used to configure Apache httpd as a proxy, in order to access an internal web server. The resources of that server are intentionally public.

The RewriteRule and ProxyPassMatch directives are used to rewrite requested HTTP paths (URLs). For example:
  RewriteRule (.*) http://voluntaryPublic.example.com$1 [P]
  ProxyPassMatch (.*) http://voluntaryPublic.example.com$1

However, if the domain name in the target does not end with a '/', an attacker can for example send the following HTTP query:
  GET @privateServer.example.com/page.html HTTP/1.1
This query will be rewritten as:
  GET http://voluntaryPublic.example.com@privateServer.example.com/page.html HTTP/1.1
The attacker then has access to the web page located on the private server.

An attacker can therefore use a malicious HTTP query, when mod_proxy uses RewriteRule or ProxyPassMatch, in order to access web resources of another server.
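The following Python script is an added example (not Apache or Vigil@nce code) that turns the bulletin's observation into a configuration check: it flags RewriteRule/ProxyPassMatch targets where the substitution variable follows the host name directly, and it shows which host a proxied request would reach for the weak target versus the corrected one (host followed by '/'). The substitution of $1 is a simplification of mod_rewrite assumed for the demonstration, and the configuration lines are constructed from the bulletin's example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample configuration (not from any real deployment).
# Lines 1-2 are the bulletin's weak form: the request path is substituted
# directly after the host name. Lines 3-4 are the corrected form, with a '/'
# between the host name and the substitution.
SAMPLE_CONFIG = """\
RewriteRule (.*) http://voluntaryPublic.example.com$1 [P]
ProxyPassMatch (.*) http://voluntaryPublic.example.com$1
RewriteRule ^/(.*) http://voluntaryPublic.example.com/$1 [P]
ProxyPassMatch ^/(.*) http://voluntaryPublic.example.com/$1
"""

DIRECTIVE_RE = re.compile(r'^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)')


def lint_config(text):
    """Return (line_no, directive, target) for every target whose authority
    (the part between '://' and the first '/') still contains a substitution
    variable such as $1: the request path then becomes part of the authority."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, _pattern, target = m.groups()
        parts = target.split('://', 1)
        if len(parts) != 2:
            continue                      # relative target, not a proxy URL
        authority = parts[1].split('/', 1)[0]
        if '$' in authority:
            findings.append((n, directive, target))
    return findings


def rewritten_host(target, request_path):
    """Substitute $1 with the request path (simplified mod_rewrite behaviour,
    assumed here) and return (host, full URL) as a URL parser reads it:
    anything before an '@' in the authority is user info, not the host."""
    url = target.replace('$1', request_path)
    return urlsplit(url).hostname, url


if __name__ == '__main__':
    for line_no, directive, target in lint_config(SAMPLE_CONFIG):
        print('line %d: %s target %r has no "/" after the host' % (line_no, directive, target))
    weak = 'http://voluntaryPublic.example.com$1'
    fixed = 'http://voluntaryPublic.example.com/$1'
    for path in ('/page.html', '@privateServer.example.com/page.html'):
        print('weak  %-40s -> %s' % (path, rewritten_host(weak, path)[0]))
        print('fixed %-40s -> %s' % (path, rewritten_host(fixed, path)[0]))
```

The lint only implements the trailing-slash point the bulletin makes; it does not replace applying the vendor updates listed in the identifiers above. Run it against an exported httpd configuration to find targets worth reviewing.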
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability announce CVE-2011-3372

Cyrus IMAPd: access to NNTP without authentication

Synthesis of the vulnerability

An attacker can access the NNTP service of Cyrus IMAPd without entering a password.
Impacted products: Debian, MES, Mandriva Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Creation date: 05/10/2011.
Identifiers: BID-49949, CERTA-2003-AVI-005, CERTA-2011-AVI-551, CVE-2011-3372, DSA-2318-1, MDVSA-2011:149, openSUSE-SU-2011:1170-1, RHSA-2011:1508-01, SUSE-SU-2011:1173-1, VIGILANCE-VUL-11037.

Description of the vulnerability

The Cyrus IMAPd product implements an IMAP server and an NNTP server (the command formats of the two protocols are similar).

Access to the NNTP service can be configured as anonymous, or as requiring authentication with a login and a password.

The code of Cyrus IMAPd uses two variables:
 - nntp_userid : contains the entered login name
 - nntp_authstate : indicates if the authentication (login and password) was done

However, in several places the nntp_userid variable is checked instead of the nntp_authstate variable. An attacker who has only entered a login name can thus use NNTP features as if the authentication had been completed.

An attacker can therefore access the NNTP service of Cyrus IMAPd without entering a password.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability CVE-2011-2766

Perl FCGI: variable disclosure

Synthesis of the vulnerability

When a CGI script uses the Perl FCGI or CGI::Fast module, an attacker can obtain variables defined during the first query.
Impacted products: Debian, Fedora, MES, Mandriva Linux, openSUSE, Perl Module ~ not comprehensive.
Severity: 2/4.
Creation date: 04/10/2011.
Identifiers: 607479, 68380, 736604, CERTA-2002-AVI-275, CVE-2011-2766, DSA-2327-1, FEDORA-2011-13230, FEDORA-2011-13236, MDVSA-2012:001, openSUSE-SU-2012:0004-1, openSUSE-SU-2012:0036-1, VIGILANCE-VUL-11030.

Description of the vulnerability

The Perl FCGI (Fast CGI) module is used to create a persistent process to manage several successive queries. The initialization code is thus only executed during the first query.

The Perl CGI::Fast module uses FCGI.

During the first call, the FCGI module stores environment variables in the %FCGI::ENV hash, and restores them on subsequent calls. However, other variables (cookies, etc.) defined during the first call are also stored in the environment, and are thus still set for the next calls. For example, an authentication cookie set during the first call is memorized, so later queries are processed as authenticated.

When a CGI script uses the Perl FCGI or CGI::Fast module, an attacker can therefore obtain variables defined during the first query.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2011-2372 CVE-2011-2995 CVE-2011-2996

SeaMonkey: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of SeaMonkey can be used by an attacker to execute code on the victim's computer.
Impacted products: Debian, SeaMonkey, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Creation date: 28/09/2011.
Identifiers: BID-49800, BID-49808, BID-49810, BID-49811, BID-49812, BID-49813, BID-49837, BID-49845, BID-49847, BID-49848, BID-49849, BID-49850, BID-49852, BID-51786, CERTA-2003-AVI-005, CERTA-2011-AVI-537, CVE-2011-2372, CVE-2011-2995, CVE-2011-2996, CVE-2011-2997, CVE-2011-2999, CVE-2011-3000, CVE-2011-3001, CVE-2011-3002, CVE-2011-3003, CVE-2011-3004, CVE-2011-3005, CVE-2011-3232, CVE-2011-3670, CVE-2011-3866, DSA-2312-1, DSA-2402-1, MFSA 2011-36, MFSA 2011-38, MFSA 2011-39, MFSA 2011-40, MFSA 2011-41, MFSA 2011-42, MFSA 2011-43, MFSA 2011-44, MFSA 2011-45, MFSA 2012-02, openSUSE-SU-2011:1076-1, openSUSE-SU-2011:1076-2, openSUSE-SU-2011:1076-3, openSUSE-SU-2011:1077-1, openSUSE-SU-2011:1079-1, openSUSE-SU-2011:1290-1, openSUSE-SU-2012:0567-1, RHSA-2011:1344-01, SUSE-SU-2011:1096-1, VIGILANCE-VUL-11024.

Description of the vulnerability

Several vulnerabilities were announced in SeaMonkey.

An attacker can use several memory corruptions, in order to execute code. [severity:4/4; BID-49810, BID-49812, BID-49845, CVE-2011-2995, CVE-2011-2996, CVE-2011-2997, MFSA 2011-36]

An attacker can create a Cross Site Scripting via window.location. [severity:3/4; BID-49848, CVE-2011-2999, MFSA 2011-38]

An attacker can inject line feeds in the Location header. [severity:2/4; BID-49849, CVE-2011-3000, MFSA 2011-39]

An attacker can invite the victim to continuously press the Enter key, in order to force a download. [severity:4/4; BID-49811, BID-49837, CERTA-2011-AVI-537, CVE-2011-2372, CVE-2011-3001, MFSA 2011-40]

An attacker can corrupt the memory via WebGL. [severity:4/4; BID-49813, BID-49847, CVE-2011-3002, CVE-2011-3003, MFSA 2011-41]

An attacker can corrupt the memory via a YARR regular expression. [severity:4/4; BID-49850, CVE-2011-3232, MFSA 2011-42]

In some cases, the XPCNativeWrappers protection is removed, so privileged code can be executed. [severity:4/4; BID-49852, CVE-2011-3004, MFSA 2011-43]

A malicious OGG file forces the usage of a freed memory area. [severity:4/4; BID-49808, CVE-2011-3005, MFSA 2011-44]

An attacker can analyze the movements of mobile devices, in order to guess pressed keys (VIGILANCE-ACTU-3062). [severity:1/4; CVE-2011-3866, MFSA 2011-45]

An attacker can use a malformed IPv6 URL, in order to obtain information on a proxy. [severity:1/4; BID-51786, CVE-2011-3670, MFSA 2012-02]

The most severe vulnerabilities lead to code execution.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability bulletin CVE-2011-2372 CVE-2011-2995 CVE-2011-2996

Thunderbird 5, 6: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Thunderbird can be used by an attacker to execute code on the victim's computer.
Impacted products: Debian, Fedora, Mandriva Linux, Thunderbird, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Creation date: 28/09/2011.
Identifiers: BID-49800, BID-49808, BID-49810, BID-49811, BID-49812, BID-49837, BID-49845, BID-49848, BID-49849, BID-49850, BID-51786, CERTA-2003-AVI-005, CERTA-2011-AVI-537, CVE-2011-2372, CVE-2011-2995, CVE-2011-2996, CVE-2011-2997, CVE-2011-2999, CVE-2011-3000, CVE-2011-3001, CVE-2011-3005, CVE-2011-3232, CVE-2011-3670, DSA-2317-1, FEDORA-2011-13442, FEDORA-2011-13450, MDVSA-2011:140, MDVSA-2011:142, MFSA 2011-36, MFSA 2011-38, MFSA 2011-39, MFSA 2011-40, MFSA 2011-42, MFSA 2011-44, MFSA 2012-02, openSUSE-SU-2011:1076-1, openSUSE-SU-2011:1076-2, openSUSE-SU-2011:1077-1, openSUSE-SU-2011:1079-1, openSUSE-SU-2012:0567-1, RHSA-2011:1342-01, RHSA-2011:1343-01, SUSE-SU-2011:1096-1, VIGILANCE-VUL-11023.

Description of the vulnerability

Several vulnerabilities were announced in Thunderbird.

An attacker can use several memory corruptions, in order to execute code. [severity:4/4; BID-49810, BID-49812, BID-49845, CVE-2011-2995, CVE-2011-2996, CVE-2011-2997, MFSA 2011-36]

An attacker can create a Cross Site Scripting via window.location. [severity:3/4; BID-49848, CVE-2011-2999, MFSA 2011-38]

An attacker can inject line feeds in the Location header. [severity:2/4; BID-49849, CVE-2011-3000, MFSA 2011-39]

An attacker can invite the victim to continuously press the Enter key, in order to force a download. [severity:4/4; BID-49811, BID-49837, CERTA-2011-AVI-537, CVE-2011-2372, CVE-2011-3001, MFSA 2011-40]

An attacker can corrupt the memory via a YARR regular expression. [severity:4/4; BID-49850, CVE-2011-3232, MFSA 2011-42]

A malicious OGG file forces the usage of a freed memory area. [severity:4/4; BID-49808, CVE-2011-3005, MFSA 2011-44]

An attacker can use a malformed IPv6 URL, in order to obtain information on a proxy. [severity:1/4; BID-51786, CVE-2011-3670, MFSA 2012-02]

The most severe vulnerabilities lead to code execution.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability bulletin CVE-2011-2372 CVE-2011-2995 CVE-2011-2996

Firefox 3: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Firefox can be used by an attacker to execute code on the victim's computer.
Impacted products: Debian, Fedora, MES, Mandriva Linux, Firefox, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Creation date: 28/09/2011.
Revision date: 28/09/2011.
Identifiers: BID-49800, BID-49809, BID-49810, BID-49811, BID-49812, BID-49837, BID-49845, BID-49848, BID-49849, CERTA-2003-AVI-005, CERTA-2011-AVI-537, CVE-2011-2372, CVE-2011-2995, CVE-2011-2996, CVE-2011-2997, CVE-2011-2998, CVE-2011-2999, CVE-2011-3000, CVE-2011-3001, CVE-2011-3867-REJECT, DSA-2313-1, MDVSA-2011:139, MFSA 2011-36, MFSA 2011-37, MFSA 2011-38, MFSA 2011-39, MFSA 2011-40, openSUSE-SU-2011:1076-1, openSUSE-SU-2011:1076-2, openSUSE-SU-2011:1077-1, openSUSE-SU-2011:1079-1, openSUSE-SU-2014:1100-1, RHSA-2011:1341-01, SUSE-SU-2011:1096-1, VIGILANCE-VUL-11018.

Description of the vulnerability

Several vulnerabilities were announced in Firefox.

An attacker can use several memory corruptions, in order to execute code. [severity:4/4; BID-49810, BID-49812, BID-49845, CVE-2011-2995, CVE-2011-2996, CVE-2011-2997, MFSA 2011-36]

An attacker can generate an integer overflow via a JavaScript regular expression. [severity:4/4; BID-49809, CVE-2011-2998, CVE-2011-3867-REJECT, MFSA 2011-37]

An attacker can create a Cross Site Scripting via window.location. [severity:3/4; BID-49848, CVE-2011-2999, MFSA 2011-38]

An attacker can inject line feeds in the Location header. [severity:2/4; BID-49849, CVE-2011-3000, MFSA 2011-39]

An attacker can invite the victim to continuously press the Enter key, in order to force a download. [severity:4/4; BID-49811, BID-49837, CERTA-2011-AVI-537, CVE-2011-2372, CVE-2011-3001, MFSA 2011-40]

The most severe vulnerabilities lead to code execution.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability CVE-2011-4062

FreeBSD: buffer overflow via Unix Socket

Synthesis of the vulnerability

A local attacker can use a Unix socket, in order to create an overflow in the FreeBSD kernel.
Impacted products: Debian, FreeBSD.
Severity: 2/4.
Creation date: 28/09/2011.
Identifiers: BID-49862, CERTA-2002-AVI-275, CVE-2011-3633-REJECT, CVE-2011-4062, DSA-2325-1, FreeBSD-SA-11-05.unix, FreeBSD-SA-11:05.unix, VIGILANCE-VUL-11020.

Description of the vulnerability

Unix sockets are used to exchange data between two applications, using a file of type socket.

The sockaddr_un structure (which is compatible with sockaddr) contains the following fields:
 - sun_len : size of data in the structure (sun_family + size of file name + 1)
 - sun_family : type of socket (AF_UNIX)
 - sun_path : path of the file, stored in a 104-byte array

The bind() and connect() system calls respectively set up and connect a socket. However, their implementations in the uipc_bind() and unp_connect() functions in the file sys/kern/uipc_usrreq.c do not check whether the size indicated in sun_len is larger than the size of the sockaddr_un structure.

A local attacker can therefore use a Unix socket, in order to create an overflow in the FreeBSD kernel.
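As an added example (Python, not FreeBSD kernel code), the following script models a sockaddr_un byte image with the layout the bulletin gives (1-byte sun_len, 1-byte sun_family, 104-byte sun_path) and implements the bounds check that the bulletin says uipc_bind() and unp_connect() lacked: sun_len must cover the two header bytes and must not exceed the 106-byte structure. The AF_UNIX value, the helper names and the sample path are assumptions made for the demonstration.

```python
import struct

AF_UNIX = 1                                  # assumed value, as on FreeBSD
SUN_PATH_LEN = 104                           # size of sun_path, from the bulletin
SUN_PATH_OFFSET = 2                          # sun_len (1 byte) + sun_family (1 byte)
SOCKADDR_UN_SIZE = SUN_PATH_OFFSET + SUN_PATH_LEN   # 106 bytes


def make_sockaddr_un(path, claimed_len=None):
    """Build a constructed sockaddr_un byte image (hypothetical helper).
    sun_len is computed from the path (header + path + NUL) unless claimed_len
    forges an inconsistent value, which is the situation the bulletin describes."""
    if len(path) >= SUN_PATH_LEN:
        raise ValueError('path does not fit in sun_path')
    sun_len = SUN_PATH_OFFSET + len(path) + 1 if claimed_len is None else claimed_len
    body = path + b'\0' * (SUN_PATH_LEN - len(path))
    return struct.pack('BB', sun_len, AF_UNIX) + body


def sun_len_is_valid(buf):
    """The check uipc_bind()/unp_connect() lacked: sun_len must cover the
    header and must not exceed the structure size (or the supplied buffer)."""
    if len(buf) < SUN_PATH_OFFSET:
        return False
    sun_len = buf[0]
    return SUN_PATH_OFFSET <= sun_len <= SOCKADDR_UN_SIZE and sun_len <= len(buf)


def parse_sockaddr_un(buf):
    """Return the socket path from a validated sockaddr_un image; raise on
    anything a hardened bind()/connect() should refuse with EINVAL."""
    if not sun_len_is_valid(buf):
        raise ValueError('sun_len outside the sockaddr_un structure')
    sun_len, sun_family = struct.unpack('BB', buf[:SUN_PATH_OFFSET])
    if sun_family != AF_UNIX:
        raise ValueError('not an AF_UNIX address')
    # only sun_len - 2 bytes of sun_path are meaningful; stop at the first NUL
    return buf[SUN_PATH_OFFSET:sun_len].split(b'\0', 1)[0]


if __name__ == '__main__':
    good = make_sockaddr_un(b'/tmp/demo.sock')          # constructed sample path
    forged = make_sockaddr_un(b'/tmp/demo.sock', claimed_len=200)
    print('well-formed:', parse_sockaddr_un(good))
    print('forged sun_len accepted?', sun_len_is_valid(forged))
```

The forged image carries a sun_len of 200, well past the 106-byte structure; without the comparison in sun_len_is_valid, a copy driven by sun_len would run past the sun_path array, which is the overflow the bulletin describes.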
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2011-3323 CVE-2011-3324 CVE-2011-3325

Quagga Routing Suite: five vulnerabilities

Synthesis of the vulnerability

Five vulnerabilities in Quagga Routing Suite can be used by an attacker to create a denial of service or possibly to execute code.
Impacted products: Debian, Fedora, openSUSE, Solaris, Quagga, RHEL, SLES.
Severity: 3/4.
Creation date: 27/09/2011.
Identifiers: BID-49784, CERTA-2003-AVI-005, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, CVE-2011-3326, CVE-2011-3327, DSA-2316-1, FEDORA-2011-13499, FEDORA-2011-13504, openSUSE-SU-2011:1155-1, RHSA-2012:1258-01, RHSA-2012:1259-01, SUSE-SU-2011:1075-1, SUSE-SU-2011:1316-1, VIGILANCE-VUL-11015, VU#668534.

Description of the vulnerability

Five vulnerabilities were announced in Quagga Routing Suite.

An attacker can send a BGP Update message containing special Extended Communities, in order to create a buffer overflow, leading to a denial of service of IPv4 or to code execution. [severity:3/4; CVE-2011-3327]

An attacker can send an OSPF LSA (Link State Advertisement) message with a malicious Link State Update, in order to create a denial of service of IPv4. [severity:2/4; CVE-2011-3326]

An attacker can send a malicious OSPF Hello message, in order to create a denial of service of IPv4. [severity:2/4; CVE-2011-3325]

An attacker can send a malicious OSPFv3 Database Description message, in order to create a denial of service of IPv6. [severity:2/4; CVE-2011-3324]

An attacker can send a malicious OSPFv3 Link State Update message, in order to create a denial of service of IPv6. [severity:2/4; CVE-2011-3323]
Complete Vigil@nce bulletin.... (Free trial)
