Spyware, Viruses, & Security forum

General discussion

VULNERABILITIES \ FIXES - December 24, 2008

by Marianna Schmudlach / December 23, 2008 11:42 PM PST

Gentoo update for imlib2

Release Date: 2008-12-24

Critical:
Highly critical
Impact: DoS
System access

Where: From remote
Solution Status: Vendor Patch


OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for imlib2. This fixes a vulnerability, which can be exploited by malicious people to potentially compromise an application using the library.

Solution:
Update to "media-libs/imlib2-1.4.2-r1" or later.

Original Advisory:
GLSA-200812-23:
http://www.gentoo.org/security/en/glsa/glsa-200812-23.xml

Other References:
SA32796:
http://secunia.com/advisories/32796/

Ubuntu update for nagios2
by Marianna Schmudlach / December 23, 2008 11:43 PM PST

Release Date: 2008-12-24

Critical:
Less critical
Impact: Security Bypass
Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch


OS: Ubuntu Linux 8.04

Description:
Ubuntu has issued an update for nagios2. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions or by malicious people to conduct cross-site request forgery attacks.

Solution:
Apply updated packages and restart nagios.

Original Advisory:
USN-698-3:
https://lists.ubuntu.com/archives/ubu...ty-announce/2008-December/000815.html

Other References:
SA32543:
http://secunia.com/advisories/32543/

SA32610:
http://secunia.com/advisories/32610/

Gentoo update for clamav
by Marianna Schmudlach / December 23, 2008 11:44 PM PST

Release Date: 2008-12-24

Critical:
Moderately critical
Impact: DoS
System access

Where: From remote
Solution Status: Vendor Patch


OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Solution:
Update to "app-antivirus/clamav-0.94.2" or later.

Original Advisory:
GLSA-200812-21:
http://www.gentoo.org/security/en/glsa/glsa-200812-21.xml

Other References:
SA32663:
http://secunia.com/advisories/32663/

SA32926:
http://secunia.com/advisories/32926/

Gentoo update for ampache
by Marianna Schmudlach / December 23, 2008 11:46 PM PST

Release Date: 2008-12-24

Critical:
Not critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch


OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for ampache. This fixes a security issue, which can be exploited by malicious local users to perform certain actions with escalated privileges.

Solution:
Update to "www-apps/ampache-3.4.3" or later.

Original Advisory:
GLSA-200812-22:
http://www.gentoo.org/security/en/glsa/glsa-200812-22.xml

Other References:
SA31657:
http://secunia.com/advisories/31657/

Gentoo update for vlc
by Marianna Schmudlach / December 23, 2008 11:47 PM PST

Release Date: 2008-12-24

Critical:
Highly critical
Impact: DoS
System access

Where: From remote
Solution Status: Vendor Patch


OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for vlc. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Solution:
Update to "media-video/vlc-0.9.8a" or later.

Original Advisory:
GLSA-200812-24:
http://www.gentoo.org/security/en/glsa/glsa-200812-24.xml

Other References:
SA32569:
http://secunia.com/advisories/32569/

SA32942:
http://secunia.com/advisories/32942/

Ubuntu update for perl
by Marianna Schmudlach / December 23, 2008 11:48 PM PST

Release Date: 2008-12-24

Critical:
Moderately critical
Impact: Privilege escalation
DoS
System access

Where: From remote
Solution Status: Vendor Patch


OS: Ubuntu Linux 6.06
Ubuntu Linux 7.10
Ubuntu Linux 8.04
Ubuntu Linux 8.10

Description:
Ubuntu has issued an update for perl. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Two vulnerabilities are caused due to the reintroduction of CVE-2004-0452 and CVE-2005-0448.

Secunia Advisory: SA33314

CVE reference: CVE-2007-4829
CVE-2008-1927
CVE-2008-5302
CVE-2008-5303




For more information:
SA13643
SA14531
SA27539
SA27546

Solution:
Apply updated packages.


Original Advisory:
USN-700-1:
https://lists.ubuntu.com/archives/ubu...ty-announce/2008-December/000817.html

Other References:
SA13643:
http://secunia.com/advisories/13643/

SA14531:
http://secunia.com/advisories/14531/

SA27539:
http://secunia.com/advisories/27539/

SA27546:
http://secunia.com/advisories/27546/

Psi File Transfer Service Packet Parsing Vulnerabilities
by Marianna Schmudlach / December 23, 2008 11:49 PM PST

Release Date: 2008-12-24

Critical:
Less critical
Impact: DoS

Where: From remote
Solution Status: Unpatched


Software: Psi 0.x

Description:
sha0 has discovered some vulnerabilities in Psi, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerabilities are caused due to boundary errors in the file transfer functionality when receiving packets. These can be exploited to cause heap-based buffer overflows by sending a specially crafted packet to the file transfer service (by default port 8010/TCP).

The vulnerabilities are confirmed in version 0.12 for Windows. Other versions may also be affected.

Solution:
Restrict access to the file transfer service.

Provided and/or discovered by:
sha0

Original Advisory:
http://milw0rm.com/exploits/7555

PGP Desktop PGPwded.sys Driver Denial of Service
by Marianna Schmudlach / December 23, 2008 11:50 PM PST

Release Date: 2008-12-24

Critical:
Not critical
Impact: DoS

Where: Local system
Solution Status: Unpatched


Software: PGP Corporate Desktop 9.x

Description:
A vulnerability has been discovered in PGP Desktop, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the PGPwded.sys device driver when handling certain IOCTLs and can be exploited via a specially crafted program to crash the system.

The vulnerability is confirmed in version 9.9.0 build 397 and reported in version 9.0.6. Other versions may also be affected.

Solution:
Grant only trusted users access to affected systems.

Provided and/or discovered by:
Giuseppe "Evilcry" Bonfa

Original Advisory:
http://www.evilfingers.com/advisory/PGPDesktop_9_0_6_Denial_Of_Service.php

Qemu and KVM VNC Server Remote DoS
by Marianna Schmudlach / December 23, 2008 11:51 PM PST

24 Dec. 2008

Summary
The VNC server of Qemu and KVM virtualization solutions is vulnerable to a remote DoS, when specially crafted packets are received by the host VNC server causing an infinite loop.

Successful exploitation causes the host server to enter an infinite loop and cease to function. The vulnerability can be triggered remotely by external hosts or virtualized guests. No special privileges are required to perform the Denial of Service.

Credit:
The information has been provided by CORE Security Technologies Advisories.
The original article can be found at: http://www.coresecurity.com/content/vnc-remote-dos

http://www.securiteam.com/securitynews/6J00M15NFE.html

Roundcubemail PHP Arbitrary Code Injection
by Marianna Schmudlach / December 23, 2008 11:52 PM PST

24 Dec. 2008

Summary
Roundcube Webmail is a browser-based IMAP client that uses "chuggnutt.com HTML to Plain Text Conversion" library to convert HTML text to plain text; this library uses the preg_replace PHP function in an insecure manner. A vulnerability in Roundcubemail's html2text script allows unauthenticated remote attackers to execute arbitrary PHP code.

Credit:
The information has been provided by Jacobo Avariento Gimeno.

http://www.securiteam.com/unixfocus/6L00O15NFS.html

Trend Micro HouseCall ActiveX Control Arbitrary Code Executi
by Marianna Schmudlach / December 23, 2008 11:53 PM PST

Trend Micro HouseCall ActiveX Control Arbitrary Code Execution

24 Dec. 2008

Summary
"Trend Micro's HouseCall is an application for checking whether your computer has been infected by viruses, spyware, or other malware. HouseCall performs additional security checks to identify and fix vulnerabilities to prevent reinfection." Secunia Research has discovered a vulnerability in Trend Micro HouseCall, which can be exploited by malicious people to compromise a user's system.

Credit:
The information has been provided by Secunia Research.
The original article can be found at: http://secunia.com/secunia_research/2008-32/


http://www.securiteam.com/windowsntfocus/6K00N15NFY.html

WiFi Router COMTREND Multiple Vulnerabilities
by Marianna Schmudlach / December 23, 2008 11:55 PM PST

24 Dec. 2008

Summary
The COMTREND CT-536 is an 802.11g (54Mbps) wireless and wired Local Area Network (WLAN) ADSL router. Four 10/100 Base-T Ethernet and single USB ports provide wired LAN connectivity with an integrated 802.11g WiFi WLAN Access Point (AP) for wireless connectivity. The CT-536 ADSL router provides state of the art security features such as WPA data encryption; Firewall, VPN pass through. Improper validation of micro_httpd server of the Wifi Router COMTREND permits multiple attacks through this stateless server. Also, access control is inefficient and does not control access at all. Credentials are sent in clear text so "user" could get them easily.

Credit:
The information has been provided by ISecAuditors Security Advisories.

http://www.securiteam.com/securitynews/6I00L15NFQ.html

Gentoo update for imlib2
by Marianna Schmudlach / December 24, 2008 1:01 AM PST

Release Date: 2008-12-24

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for imlib2. This fixes a vulnerability, which can be exploited by malicious people to potentially compromise an application using the library.

Solution:
Update to "media-libs/imlib2-1.4.2-r1" or later.

Original Advisory:
GLSA-200812-23:
http://www.gentoo.org/security/en/glsa/glsa-200812-23.xml

Other References:
SA32796:
http://secunia.com/advisories/32796/
