Summary of Security Items from April 20 through April 26, 2006
The US-CERT Cyber Security Bulletin provides a summary of new and updated vulnerabilities, exploits, trends, and malicious code that have recently been openly reported. Information in the Cyber Security Bulletin is a compilation of open source and US-CERT vulnerability information. As such, the Cyber Security Bulletin includes information published by sources outside of US-CERT and should not be considered the result of US-CERT analysis or as an official report of US-CERT. Although this information does reflect open source reports, it is not an official description and should be used for informational purposes only. The intention of the Cyber Security Bulletin is to serve as a comprehensive directory of pertinent vulnerability reports, providing brief summaries and additional sources for further investigation.
The tables below summarize vulnerabilities that have been reported by various open source organizations or presented in newsgroups and on web sites. Items in bold designate updates that have been made to past entries. Entries are grouped by the operating system on which the reported software operates, and vulnerabilities that affect both Windows and Unix/Linux operating systems are included in the Multiple Operating Systems table. Note that entries in each table are not necessarily vulnerabilities in that operating system, but vulnerabilities in software that operates on some version of that operating system.
Entries may contain additional US-CERT sponsored information, including Common Vulnerabilities and Exposures (CVE) numbers, National Vulnerability Database (NVD) links, Common Vulnerability Scoring System (CVSS) values, Open Vulnerability and Assessment Language (OVAL) definitions, or links to US-CERT Vulnerability Notes. Metrics, values, and information included in the Cyber Security Bulletin that have been provided by other US-CERT sponsored programs are prepared, managed, and contributed by those respective programs. CVSS values are managed and provided by the US-CERT/NIST National Vulnerability Database. Links are also provided to patches and workarounds that have been provided by the product’s vendor.
The Risk levels are defined below:
High - Vulnerabilities will be labeled “High” severity if they have a CVSS base score of 7.0-10.0.
Medium - Vulnerabilities will be labeled “Medium” severity if they have a base CVSS score of 4.0-6.9.
Low - Vulnerabilities will be labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
Note that scores provided prior to 11/9/2005 are approximated from only partially available CVSS metric data. Such scores are marked as "Approximated" within NVD. In particular, the following CVSS metrics are only partially available for these vulnerabilities and NVD assumes certain values based on an approximation algorithm: AccessComplexity, Authentication, ConfImpact of 'partial', IntegImpact of 'partial', AvailImpact of 'partial', and the impact biases.
Windows Operating Systems Only
Vendor & Software Name
Description
Common Name
CVSS
Resources
ampleShop 2.1
Multiple vulnerabilities have been reported in ampleShop that could let remote malicious users perform SQL injection.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
HP StorageWorks Secure Path for Windows Denial Of Service
Not Available
Security Tracker, Alert ID: 1015969, April 20, 2006
iOpus Secure Email Attachments
A vulnerability has been reported in iOpus Secure Email Attachments, insecure encryption, that could let remote malicious users disclose encrypted information.
No workaround or patch available at time of publishing.
There is no exploit code required.
iOpus Secure Email Attachments Information Disclosure
A buffer overflow vulnerability has been reported in SpeedProject products, ACE archive handling, that could let remote malicious users execute arbitrary code.
Several vulnerabilities have been reported: a buffer overflow vulnerability was reported when parsing an RTSP URL received from a client due to a boundary error, which could let a remote malicious user execute arbitrary code; and a remote Denial of Service vulnerability was reported due to an input validation error when handling the Content-Length HTTP header received from a client.
No workaround or patch available at time of publishing.
Proof of Concept exploits and an exploit script, fenice.c, have been published.
A Cross-Site Scripting vulnerability has been reported in 'register.php' due to insufficient sanitization of the 'user_name' parameter before using, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
Safari 2.0-2.0.3, Mac OS X Server 10.4-10.4.6, 10.3-10.3.9, OS X 10.4-10.4.6, 10.3-10.3.9
Multiple vulnerabilities have been reported which could let a remote malicious user cause a Denial of Service or execute arbitrary code: a vulnerability was reported in the 'BOMStackPop()' function in the 'BOMArchiveHelper' when decompressing malformed ZIP archives; a vulnerability was reported in the 'KWQListlteratorImpl(),' 'drawText(),' and 'objc_msgSend_rtp()' functions in Safari when processing malformed HTML tags; a vulnerability was reported in the 'ReadBM()' function when processing malformed BMP images; a vulnerability was reported in the 'CFAllocatorAllocate()' function when processing malformed GIF images; and a vulnerability was reported in the '_cg_TIFFSetField()' and 'PredictorVSetField()' functions when processing malformed TIFF images.
No workaround or patch available at time of publishing.
Gentoo Linux Security Advisory, GLSA 200604-09, April 21, 2006
Ubuntu Security Notice, USN-272-1, April 24, 2006
Debian Security Advisory, DSA-1042-1, April 25, 2006
Dan Littlejohn
Asterisk Recording Interface 0.7.15
A buffer overflow vulnerability has been reported in 'audio.php' due to a signedness error in 'format_jpeg.c' when processing an overly large JPEG image, which could let a remote malicious user execute arbitrary code.
A vulnerability has been reported in the 'fbgs' script because temporary files are created insecurely when the 'TMPDIR' environment variable isn't defined, which could let a remote malicious user create/overwrite arbitrary files.
Gentoo Linux Security Advisory, GLSA 200604-13, April 23, 2006
FreeRADIUS
FreeRADIUS 1.0-1.0.5
A vulnerability has been reported in the EAP-MSCHAPv2 state machine due to an error, which could let a malicious user bypass authentication and cause a Denial of Service.
Security Focus, Bugtraq ID: 15523, November 22, 2005
Ubuntu Security Notice, USN-221-1, December 01, 2005
Gentoo Linux Security Advisory, GLSA 200512-04, December 12, 2005
SUSE Security Announcement, SUSE-SA:2005:070, December 20, 2005
Conectiva Linux Announcement, CLSA-2006:1058, January 2, 2006
Mandriva Security Advisory, MDKSA-2006:020, January 25, 2006
Debian Security Advisory, DSA-965-1, February 6, 2006
RedHat Security Advisory, RHSA-2006:0267-11, April 25, 2006
ISC
BIND 4.x.x, 8.x.x, 9.2.x, 9.3.x
A remote Denial of Service vulnerability has been reported due to a failure to properly handle malformed TSIG (Secret Key Transaction Authentication for DNS) replies.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
ISC BIND TSIG Zone Transfer Remote Denial of Service
Not Available
Security Focus, Bugtraq ID: 17692, April 25, 2006
KRANKIKOM GmbH
ContentBoxX 0
A Cross-Site Scripting vulnerability has been reported in 'login.php' due to insufficient sanitization of the 'action' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
Xpdf 3.0 pl2 & pl3, 3.0 1, 3.00, 2.0-2.03, 1.0 0, 1.0 0a, 0.90-0.93; RedHat Fedora Core4, Core3, Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4, ES 3, ES 2.1 IA64, 2.1, Enterprise Linux AS 4, AS 3, 2.1 IA64, 2.1, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1; teTeX 2.0.1, 2.0; Poppler poppler 0.4.2; KDE kpdf 0.5, KOffice 1.4.2; PDFTOHTML PDFTOHTML 0.36
Multiple vulnerabilities have been reported: a heap-based buffer overflow vulnerability was reported in the 'DCTStream::readBaselineSOF()' function in 'xpdf/Stream.cc' when copying data from a PDF file, which could let a remote malicious user potentially execute arbitrary code; a buffer overflow vulnerability was reported in the 'DCTStream::readProgressiveSOF()' function in 'xpdf/Stream.cc' when copying data from a PDF file, which could let a remote malicious user potentially execute arbitrary code; a buffer overflow vulnerability was reported in the 'StreamPredictor::StreamPredictor()' function in 'xpdf/Stream.cc' when using the 'numComps' value to calculate the memory size, which could let a remote malicious user potentially execute arbitrary code; and a vulnerability was reported in the 'JPXStream::readCodestream()' function in 'xpdf/JPXStream.cc' when using the 'nXTiles' and 'nYTiles' values from a PDF file to copy data from the file into allocated memory, which could let a remote malicious user potentially execute arbitrary code.
Multiple buffer overflow vulnerabilities have been reported when processing ABC music files due to various boundary errors, which could let a remote malicious user execute arbitrary code.
A vulnerability has been reported due to a failure to sanitize user-supplied input before using in a Python 'eval' statement, which could let a remote malicious user execute arbitrary Python code.
Fedora Update Notifications, FEDORA-2006-421, FEDORA-2006-423, April 19 & 20, 2006
Multiple Vendors
Linux Kernel 2.6.x
A vulnerability has been reported because AMD K7/K8 CPUs only save/restore certain x87 registers in FXSAVE instructions when an exception is pending, which could let a remote malicious user obtain sensitive information.
A vulnerability has been reported in GDM gdm due to the way permissions on the '.ICEauthority' file are modified, which could let a remote malicious user obtain sensitive information.
This issue has been addressed in the latest CVS repository.
Vulnerability may be exploited with standard utilities and applications.
GNOME Foundation GDM .ICEauthority Improper File Permissions
A vulnerability has been reported due to the insecure construction of command line arguments that are passed to external helper applications, which could let a remote malicious user execute arbitrary code.
XFree86 X11R6 4.3.0, 4.1.0; X.org X11R6 6.8.2; RedHat Enterprise Linux WS 2.1, IA64, ES 2.1, IA64, AS 2.1, IA64, Advanced Workstation for the Itanium Processor 2.1, IA64; Gentoo Linux
A buffer overflow vulnerability has been reported in the pixmap processing code, which could let a malicious user execute arbitrary code and possibly obtain superuser privileges.
Fedora Update Notifications, FEDORA-2005-893 & 894, September 16, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0049, September 16, 2005
Debian Security Advisory DSA 816-1, September 19, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101926, September 19, 2005
SUSE Security Announcement, SUSE-SA:2005:056, September 26, 2005
Slackware Security Advisory, SSA:2005-269-02, September 26, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101953, October 3, 2005
SUSE Security Summary Report, SUSE-SR:2005:023, October 14, 2005
Avaya Security Advisory, ASA-2005-218, October 19, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101926, Updated October 24, 2005
NetBSD Security Update, October 31, 2005
SGI Security Advisory, 20060403-01-U, April 11, 2006
SCO Security Advisory, SCOSA-2006.22, April 21, 2006
Multiple Vendors
xzgv Image Viewer 0.8 0.7, 0.6; SuSE Linux Professional 10.0 OSS, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Personal 10.0 OSS, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1
A buffer overflow vulnerability has been reported when processing JPEG files due to a boundary error, which could let a remote malicious user execute arbitrary code.
Mandriva Security Advisory, MDKSA-2006:079, April 25, 2006
Net Clubs Pro
Net Clubs Pro 4.0
Cross-Site Scripting vulnerabilities have been reported in '/vchat/scripts/sendim.cgi' due to insufficient sanitization of the 'onuser,' 'pass,' 'chatsys,' 'room,' 'username,' and 'to' parameters, in 'vchat/scripts/imessge.cgi' due to insufficient sanitization of the 'username' parameter, and in 'login.cgi' due to insufficient sanitization of the 'password' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, a Proof of Concept exploit has been published.
Currently we are not aware of any exploits for this vulnerability.
PDNSD DNS Query Remote Denial of Service
Not Available
Secunia Advisory: SA19835, April 26, 2006
Sendmail Consortium
Sendmail prior to 8.13.6: Sun Cobalt RaQ 4, RaQ 550, RaQ XTR
A vulnerability has been reported due to a race condition caused by the improper handling of asynchronous signals, which could let a remote malicious user execute arbitrary code.
RedHat Security Advisories, RHSA-2006:0264-8 & RHSA-2006:0265-9, March 22, 2006
Sun(sm) Alert Notification, Sun Alert ID: 102262, March 24, 2006
Gentoo Linux Security Advisory, GLSA 200603-21, March 22, 2006
SUSE Security Announcement, SUSE-SA:2006:017, March 22, 2006
FreeBSD Security Advisory, FreeBSD-SA-06:13, March 22, 2006
Slackware Security Advisory, SSA:2006-081-01, March 22, 2006
Avaya Security Advisory, ASA-2006-074, March 24, 2006
Debian Security Advisory, DSA-1015-1, March 24, 2006
HP Security Bulletin, HPSBUX02108, March 27, 2006
NetBSD Security Advisory, NetBSD-SA2006-010, March 28, 2006
SGI Security Advisory, 20060302-01-P, March 22, 2006
F-Secure Security Bulletin, FSC-2006-2, March 28, 2006
SGI Security Advisory, 20060401-01-U, April 4, 2006
Sun(sm) Alert Notification, Sun Alert ID: 102324, April 25, 2006
Sun Microsystems Inc.
Solaris 10_x86, 10
A vulnerability has been reported in the 'getpwnam()' family of non-reentrant functions due to a failure of the PKCS#11 library to properly utilize non-reentrant functions, which could let a malicious user obtain elevated privileges.
SUSE Security Summary Report, SUSE-SR:2005:023, October 14, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:189 & 194, October 21 & 26, 2005
Slackware Security Advisory, SSA:2005-310-06, November 7, 2005
Conectiva Linux Announcement, CLSA-2005:1046, November 21, 2005
RedHat Security Advisory, RHSA-2005:848-6 & 850-5, December 6, 2005
Fedora Update Notifications, FEDORA-2005-1112 & 1115, December 8, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0074, December 23, 2005
SGI Security Advisory, 20051201-01-U, January 20, 2006
RedHat Security Advisory, RHSA-2006:0267-11, April 25, 2006
UPDI Network Enterprise
@1 Event Publisher
Several vulnerabilities have been reported: an HTML injection vulnerability was reported in 'event-publisher_admin.htm' and 'eventpublisher_usersubmit.htm' due to insufficient sanitization of the 'Event,' 'Description,' 'Time,' 'Website,' and 'Public Remarks' fields before using, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported due to insufficient restriction of 'eventpublisher.txt' which could lead to the disclosure of sensitive information.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client.
@1 Event Publisher HTML Injection & Information Disclosure
An HTML injection vulnerability has been reported due to insufficient sanitization of the 'Title of table' field when adding a new table, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client.
An SQL injection vulnerability has been reported in 'haberler.asp' due to insufficient sanitization of the 'id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
A file include vulnerability has been reported in 'Movie_CLS.PHP3' due to insufficient sanitization of the 'full_path' parameter, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit script, built2go.rfi.txt, has been published.
Several vulnerabilities have been reported: SQL injection vulnerabilities were reported in 'Results.cfm' due to insufficient sanitization of the 'category' parameter and in 'Details.cfm' due to insufficient sanitization of the 'ProdID' parameter, which could let a remote malicious user execute arbitrary SQL code; and it is also possible to reveal installation path by passing invalid parameter values to 'Results.cfm,' 'Details.cfm,' and 'Results.cfm.'
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for these vulnerabilities.
Remote Denial of Service vulnerabilities have been reported when processing malformed SIP (Session Initiation Protocol) messages due to various errors.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for these vulnerabilities.
Multiple input validation vulnerabilities have been reported including a remote file include vulnerability and an SQL injection vulnerability due to insufficient sanitization of user-supplied input, which could lead to the execution of arbitrary SQL and PHP code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, Proof of Concept exploit scripts, 17655-exploit.pl and 17655.html, have been published.
A Cross-Site Scripting vulnerability has been reported in 'A2Z.JSP' due to insufficient sanitization of the 'kwd' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client.
Multiple input validation vulnerabilities have been reported in 'DCBoard.cgi', including Cross-Site Scripting and SQL injection, due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML, script code, and SQL code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, a Proof of Concept exploit script, dcforumlite-3.0-sql-xss.txt, has been published.
Currently we are not aware of any exploits for this vulnerability.
DeleGate DNS Query Handling Remote Denial of Service
Not Available
Secunia Advisory: SA19750, April 26, 2006
dForum
dForum 1.5 & prior
File include vulnerabilities have been reported due to insufficient verification of the 'DFORUM_PATH' parameter in various scripts, which could let a remote malicious user execute arbitrary PHP files.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, a Proof of Concept exploit has been published.
Multiple remote buffer overflow vulnerabilities have been reported due to a failure to properly bounds-check user-supplied input before copying it into insufficiently sized memory buffers, which could let a remote malicious user execute arbitrary code.
The vendor has released version 0.95-pre6, along with a patch for 0.94 to address these issues.
Mandriva Security Advisory, MDKSA-2006:062, April 3, 2006
Debian Security Advisory, DSA-1025-1, April 6, 2006
Gentoo Linux Security Advisory, GLSA 200604-14, April 23, 2006
DUware
DUportal Pro 3.4
An SQL injection vulnerability has been reported in 'cat.asp' due to insufficient sanitization of user-supplied input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit script, DUportalPro-cat.asp-sql.txt, has been published.
DUWare DUPortal Pro SQL Injection
Not Available
Security Focus, Bugtraq ID: 17702, April 26, 2006
Help Center Live
Help Center Live 2.0, 1.2-1.2.8, 1.0
Multiple SQL injection vulnerabilities have been reported in the 'osTicket' module due to insufficient sanitization of unspecified parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
A Cross-Site Scripting and SQL injection vulnerability has been reported in 'portfolio_photo_popup.php' due to insufficient sanitization of the 'id' parameter, which could let a remote malicious user execute arbitrary HTML, script code, and SQL code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, a Proof of Concept exploit script, instantphotogallery-xss.txt, has been published.
Multiple vulnerabilities have been reported: a vulnerability was reported in the 'search.php' due to insufficient sanitization of the 'lastdate' parameter before using in a 'preg_replace()' call, which could let a remote malicious user execute arbitrary PHP code; an SQL injection vulnerability was reported in 'index.php' due to insufficient sanitization of the 'ck' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a vulnerability was reported in 'admin.php' because it is possible for administrators to include arbitrary PHP scripts via the 'name' parameter, which could lead to the execution of arbitrary PHP code; and a vulnerability was reported because it is possible to upload a malicious JPEG image with a GIF header, which could let a remote malicious user execute arbitrary HTML and script code.
Vulnerabilities can be exploited through a web client; however, a Proof of Concept exploit script, invisionpowerboard-2.1.5-sql-inj.txt, has been published.
Multiple vulnerabilities have been reported: an SQL injection vulnerability was reported due to insufficient sanitization of unspecified input passed to the web interface before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a vulnerability was reported due to input validation errors in the command line interface, which could let a remote malicious user inject arbitrary shell commands; a vulnerability was reported because the shadow password file has world-readable permissions, which could let a remote malicious user obtain sensitive information; and a vulnerability was reported because the database file is stored with world-readable and world-writable permissions.
A file include vulnerability has been reported in 'common.php' due to insufficient verification of the 'include_path' parameter, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
A remote Denial of Service vulnerability has been reported due to a failure to properly handle DNS datagrams.
The vendor has released updated versions of the affected software to address this issue.
Currently we are not aware of any exploits for this vulnerability.
Juniper JUNOSe DNS Client Remote Denial of Service
Not Available
Security Focus, Bugtraq ID: 17693, April 25, 2006
kcscripts.com
Portal Pack 6.0
Cross-Site Scripting vulnerabilities have been reported in 'calendar/Visitor.cgi' and 'news/NsVisitor.cgi' due to insufficient sanitization of the 'sort_order' parameter, in 'search/search.cgi' due to insufficient sanitization of the 'q' parameter, and in 'classifieds/viewcat.cgi' due to insufficient sanitization of the 'cat_id' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, Proof of Concept exploit scripts have been published.
An HTML injection vulnerability has been reported in 'MWguest.PHP' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
SQL injection vulnerabilities have been reported due to insufficient sanitization of the 'Username' and 'Password' fields during login, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client.
An SQL injection vulnerability has been reported in 'pages.asp' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Vulnerability can be exploited through a web client; however, a Proof of Concept exploit has been published.
Several vulnerabilities have been reported: an SQL injection vulnerability was reported in the 'include/VB/vb_board_functions.php' script due to insufficient validation of several parameters, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in the 'includes/pm_popup.php' script due to insufficient filtering of HTML code from user-supplied input before displaying, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
Vulnerabilities can be exploited through a web client; however, a Proof of Concept exploit has been published.
SuSE Security Announcement, SUSE-SA:2006:021, April 20, 2006
Gentoo Linux Security Advisory, GLSA 200604-12, April 23, 2006
Mandriva Security Advisory, MDKSA-2006:075, April 24, 2006
Slackware Security Advisory, SSA:2006-114-01, April 24, 2006
SGI Security Advisory, 20060404-01-U, April 24, 2006
RedHat Security Advisory, RHSA-2006:0330-15, April 25, 2006
Mandriva Security Advisory, MDKSA-2006:078, April 25, 2006
SuSE Security Announcement, SUSE-SA:2006:022, April 25, 2006
Mozilla.org
Thunderbird prior to 1.0.8, 1.5 - 1.5.0.1; Seamonkey prior to 1.0.1; Mozilla browser prior to 1.7.13; Firefox prior to 1.0.8, 1.5 - 1.5.0.1
An integer overflow vulnerability has been reported because a remote malicious user can create an HTML based email that contains a specially crafted CSS letter-spacing property value, which could lead to the execution of arbitrary code.
SuSE Security Announcement, SUSE-SA:2006:021, April 20, 2006
Gentoo Linux Security Advisory, GLSA 200604-12, April 23, 2006
Mandriva Security Advisory, MDKSA-2006:075, April 24, 2006
Slackware Security Advisory, SSA:2006-114-01, April 24, 2006
SGI Security Advisory, 20060404-01-U, April 24, 2006
RedHat Security Advisory, RHSA-2006:0330-15, April 25, 2006
Mandriva Security Advisory, MDKSA-2006:078, April 25, 2006
SuSE Security Announcement, SUSE-SA:2006:022, April 25, 2006
Mozilla.org
Firefox 0.x, 1.x
Multiple vulnerabilities have been reported: a vulnerability was reported due to an error because untrusted events generated by web content are delivered to the browser user interface; a vulnerability was reported because scripts in XBL controls can be executed even when JavaScript has been disabled; a vulnerability was reported because remote malicious users can execute arbitrary code by tricking the user into using the 'Set As Wallpaper' context menu on an image URL that is really a javascript; a vulnerability was reported in the 'InstallTrigger.install()' function due to an error in the callback function, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to an error when handling 'data:' URL that originates from the sidebar, which could let a remote malicious user execute arbitrary code; an input validation vulnerability was reported in the 'InstallVersion.compareTo()' function when handling unexpected JavaScript objects, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because it is possible for a remote malicious user to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL; a vulnerability was reported due to an error when handling DOM node names with different namespaces, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported due to insecure cloning of base objects, which could let a remote malicious user execute arbitrary code.