Date:      Tue, 26 Mar 2013 18:09:07 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r315318 - head/security/vuxml
Message-ID:  <201303261809.r2QI97EF055181@svn.freebsd.org>

Author: delphij
Date: Tue Mar 26 18:09:06 2013
New Revision: 315318
URL: http://svnweb.freebsd.org/changeset/ports/315318

Log:
  unexpand vuln.xml.

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Mar 26 17:28:33 2013	(r315317)
+++ head/security/vuxml/vuln.xml	Tue Mar 26 18:09:06 2013	(r315318)
@@ -55,12 +55,12 @@ Note:  Please add new entries to the beg
     <topic>firebird -- Remote Stack Buffer Overflow</topic>
     <affects>
       <package>
-        <name>firebird25-server</name>
-        <range><ge>2.5.0</ge><le>2.5.2</le></range>
+	<name>firebird25-server</name>
+	<range><ge>2.5.0</ge><le>2.5.2</le></range>
       </package>
       <package>
-        <name>firebird21-server</name>
-        <range><ge>2.1.0</ge><le>2.1.5</le></range>
+	<name>firebird21-server</name>
+	<range><ge>2.1.0</ge><le>2.1.5</le></range>
       </package>
     </affects>
     <description>
@@ -88,22 +88,22 @@ Note:  Please add new entries to the beg
     <topic>optipng -- use-after-free vulnerability</topic>
     <affects>
       <package>
-        <name>optipng</name>
-        <range><ge>0.7</ge><lt>0.7.4</lt></range>
+	<name>optipng</name>
+	<range><ge>0.7</ge><lt>0.7.4</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>Secunia reports:</p>
-        <blockquote cite="https://secunia.com/advisories/50654">;
-          <p>A vulnerability has been reported in OptiPNG, which can be
-             exploited by malicious people to potentially compromise a user's
-             system.</p>
-          <p>The vulnerability is caused due to a use-after-free error related
-             to the palette reduction functionality. No further information is
-             currently available.</p>
-          <p>Success exploitation may allow execution of arbitrary code.</p>
-        </blockquote>
+	<p>Secunia reports:</p>
+	<blockquote cite="https://secunia.com/advisories/50654">;
+	  <p>A vulnerability has been reported in OptiPNG, which can be
+	     exploited by malicious people to potentially compromise a user's
+	     system.</p>
+	  <p>The vulnerability is caused due to a use-after-free error related
+	     to the palette reduction functionality. No further information is
+	     currently available.</p>
+	  <p>Success exploitation may allow execution of arbitrary code.</p>
+	</blockquote>
       </body>
     </description>
     <references>
@@ -200,8 +200,8 @@ Note:  Please add new entries to the beg
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>libexif project security advisory:</p>
-        <blockquote cite="http://sourceforge.net/mailarchive/message.php?msg_id=29534027">;
+	<p>libexif project security advisory:</p>
+	<blockquote cite="http://sourceforge.net/mailarchive/message.php?msg_id=29534027">;
 	  <p>A number of remotely exploitable issues were discovered in libexif
 	    and exif, with effects ranging from information leakage to potential
 	    remote code execution.</p>
@@ -274,8 +274,8 @@ Note:  Please add new entries to the beg
 	     to cause the master to execute arbitrary code while responding to a
 	     catalog request. Specifically, in order to exploit the
 	     vulnerability, the puppet master must be made to invoke the
-             'template' or 'inline_template' functions during catalog compilation.
-          </p>
+	     'template' or 'inline_template' functions during catalog compilation.
+	  </p>
 	  <p>A vulnerability found in Puppet could allow an authenticated client
 	     to connect to a puppet master and perform unauthorized actions.
 	     Specifically, given a valid certificate and private key, an agent
@@ -285,8 +285,8 @@ Note:  Please add new entries to the beg
 	     nodes, facts, and resources. The extent and severity of this
 	     vulnerability varies depending on the specific configuration of the
 	     master: for example, whether it is using storeconfigs or not, which
-             version, whether it has access to the cache or not, etc.
-          </p>
+	     version, whether it has access to the cache or not, etc.
+	  </p>
 	  <p>A vulnerability has been found in Puppet which could allow
 	     authenticated clients to execute arbitrary code on agents that have
 	     been configured to accept kick connections. This vulnerability is
@@ -296,27 +296,27 @@ Note:  Please add new entries to the beg
 	     allow access to the `run` REST endpoint, then a client could
 	     construct an HTTP request which could execute arbitrary code. The
 	     severity of this issue is exacerbated by the fact that puppet
-             agents typically run as root.
-          </p>
+	     agents typically run as root.
+	  </p>
 	  <p>A vulnerability has been found in Puppet that could allow a client
 	     negotiating a connection to a master to downgrade the master's
 	     SSL protocol to SSLv2. This protocol has been found to contain
 	     design weaknesses. This issue only affects systems running older
 	     versions (pre 1.0.0) of openSSL. Newer versions explicitly disable
-             SSLv2.
-          </p>
+	     SSLv2.
+	  </p>
 	  <p>A vulnerability found in Puppet could allow unauthenticated clients
 	     to send requests to the puppet master which would cause it to load
 	     code unsafely. While there are no reported exploits, this
 	     vulnerability could cause issues like those described in Rails
 	     CVE-2013-0156. This vulnerability only affects puppet masters
-             running Ruby 1.9.3 and higher.
-          </p>
+	     running Ruby 1.9.3 and higher.
+	  </p>
 	  <p>This vulnerability affects puppet masters 0.25.0 and above. By
 	     default, auth.conf allows any authenticated node to submit a report
 	     for any other node. This can cause issues with compliance. The
-             defaults in auth.conf have been changed.
-          </p>
+	     defaults in auth.conf have been changed.
+	  </p>
 	</blockquote>
       </body>
     </description>
@@ -358,8 +358,8 @@ Note:  Please add new entries to the beg
 	     to cause the master to execute arbitrary code while responding to a
 	     catalog request. Specifically, in order to exploit the
 	     vulnerability, the puppet master must be made to invoke the
-             'template' or 'inline_template' functions during catalog compilation.
-          </p>
+	     'template' or 'inline_template' functions during catalog compilation.
+	  </p>
 	  <p>A vulnerability found in Puppet could allow an authenticated client
 	     to connect to a puppet master and perform unauthorized actions.
 	     Specifically, given a valid certificate and private key, an agent
@@ -369,28 +369,28 @@ Note:  Please add new entries to the beg
 	     nodes, facts, and resources. The extent and severity of this
 	     vulnerability varies depending on the specific configuration of the
 	     master: for example, whether it is using storeconfigs or not, which
-             version, whether it has access to the cache or not, etc.
-          </p>
+	     version, whether it has access to the cache or not, etc.
+	  </p>
 	  <p>A vulnerability has been found in Puppet that could allow a client
 	     negotiating a connection to a master to downgrade the master's
 	     SSL protocol to SSLv2. This protocol has been found to contain
 	     design weaknesses. This issue only affects systems running older
 	     versions (pre 1.0.0) of openSSL. Newer versions explicitly disable
-             SSLv2.
-          </p>
+	     SSLv2.
+	  </p>
 	  <p>A vulnerability found in Puppet could allow an authenticated client
 	     to execute arbitrary code on a puppet master that is running in the
 	     default configuration, or an agent with `puppet kick` enabled.
 	     Specifically, a properly authenticated and connected puppet agent
 	     could be made to construct an HTTP PUT request for an authorized
 	     report that actually causes the execution of arbitrary code on the
-             master.
-          </p>
+	     master.
+	  </p>
 	  <p>This vulnerability affects puppet masters 0.25.0 and above. By
 	     default, auth.conf allows any authenticated node to submit a report
 	     for any other node. This can cause issues with compliance. The
-             defaults in auth.conf have been changed.
-          </p>
+	     defaults in auth.conf have been changed.
+	  </p>
 	</blockquote>
       </body>
     </description>
@@ -416,36 +416,36 @@ Note:  Please add new entries to the beg
     <topic>perl -- denial of service via algorithmic complexity attack on hashing routines</topic>
     <affects>
       <package>
-        <name>perl</name>
-        <range><lt>5.12.4_5</lt></range>
-        <range><ge>5.14.0</ge><lt>5.14.2_3</lt></range>
-        <range><ge>5.16.0</ge><lt>5.16.2_1</lt></range>
-      </package>
-      <package>
-        <name>perl-threaded</name>
-        <range><lt>5.12.4_5</lt></range>
-        <range><ge>5.14.0</ge><lt>5.14.2_3</lt></range>
-        <range><ge>5.16.0</ge><lt>5.16.2_1</lt></range>
+	<name>perl</name>
+	<range><lt>5.12.4_5</lt></range>
+	<range><ge>5.14.0</ge><lt>5.14.2_3</lt></range>
+	<range><ge>5.16.0</ge><lt>5.16.2_1</lt></range>
+      </package>
+      <package>
+	<name>perl-threaded</name>
+	<range><lt>5.12.4_5</lt></range>
+	<range><ge>5.14.0</ge><lt>5.14.2_3</lt></range>
+	<range><ge>5.16.0</ge><lt>5.16.2_1</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>Perl developers report:</p>
-        <blockquote cite="http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html">;
-          <p>In order to prevent an algorithmic complexity attack
-            against its hashing mechanism, perl will sometimes
-            recalculate keys and redistribute the contents of a hash.
-            This mechanism has made perl robust against attacks that
-            have been demonstrated against other systems.</p>
-          <p>Research by Yves Orton has recently uncovered a flaw in
-            the rehashing code which can result in pathological
-            behavior.  This flaw could be exploited to carry out a
-            denial of service attack against code that uses arbitrary
-            user input as hash keys.</p>
-          <p>Because using user-provided strings as hash keys is a
-            very common operation, we urge users of perl to update their
-            perl executable as soon as possible.</p>
-        </blockquote>
+	<p>Perl developers report:</p>
+	<blockquote cite="http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html">;
+	  <p>In order to prevent an algorithmic complexity attack
+	    against its hashing mechanism, perl will sometimes
+	    recalculate keys and redistribute the contents of a hash.
+	    This mechanism has made perl robust against attacks that
+	    have been demonstrated against other systems.</p>
+	  <p>Research by Yves Orton has recently uncovered a flaw in
+	    the rehashing code which can result in pathological
+	    behavior.  This flaw could be exploited to carry out a
+	    denial of service attack against code that uses arbitrary
+	    user input as hash keys.</p>
+	  <p>Because using user-provided strings as hash keys is a
+	    very common operation, we urge users of perl to update their
+	    perl executable as soon as possible.</p>
+	</blockquote>
       </body>
     </description>
     <references>
@@ -737,9 +737,9 @@ Note:  Please add new entries to the beg
 	<blockquote cite="http://httpd.apache.org/security/vulnerabilities_22.html">;
 	  <h1>low: XSS due to unescaped hostnames CVE-2012-3499</h1>
 	  <p>Various XSS flaws due to unescaped hostnames and URIs HTML output in
-            mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.</p>
+	    mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.</p>
 	  <h1>moderate: XSS in mod_proxy_balancer CVE-2012-4558</h1>
-          <p>A XSS flaw affected the mod_proxy_balancer manager interface.</p>
+	  <p>A XSS flaw affected the mod_proxy_balancer manager interface.</p>
 	</blockquote>
       </body>
     </description>
@@ -831,8 +831,8 @@ Note:  Please add new entries to the beg
 	  <p>Unfortnately there is a security vulnerability in Dragonfly when
 	      used with Rails which would potentially allow an attacker to run
 	     arbitrary code on a host machine using carefully crafted
-             requests.
-          </p>
+	     requests.
+	  </p>
 	</blockquote>
       </body>
     </description>
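Review bot: the continuation lines of the Dragonfly paragraph at the top of this hunk are not aligned with each other: the `used with Rails` line is indented one column deeper than the `arbitrary code on a host machine` line below it. Since this commit is a whitespace cleanup, bring that line back to a tab plus five spaces so it matches the rest of the paragraph, including the converted `requests.` line.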
@@ -883,7 +883,7 @@ Note:  Please add new entries to the beg
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>The OTRS Project reports:</p>
+	<p>The OTRS Project reports:</p>
 	<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03">;
 	  <p>This advisory covers vulnerabilities discovered in the OTRS core
 	  system. This is a variance of the XSS vulnerability, where an attacker
@@ -917,7 +917,7 @@ Note:  Please add new entries to the beg
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>The OTRS Project reports:</p>
+	<p>The OTRS Project reports:</p>
 	<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02/">;
 	  <p>This advisory covers vulnerabilities discovered in the OTRS core
 	  system. This is a variance of the XSS vulnerability, where an attacker
@@ -952,7 +952,7 @@ Note:  Please add new entries to the beg
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>The OTRS Project reports:</p>
+	<p>The OTRS Project reports:</p>
 	<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01">;
 	  <p>This advisory covers vulnerabilities discovered in the OTRS core
 	  system. Due to the XSS vulnerability in Internet Explorer an attacker
@@ -989,13 +989,13 @@ Note:  Please add new entries to the beg
 	<blockquote cite="http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/">;
 	  <p>Unrestricted entity expansion can lead to a DoS vulnerability in
 	     REXML. (The CVE identifier will be assigned later.) We strongly
-             recommend to upgrade ruby.
-          </p>
+	     recommend to upgrade ruby.
+	  </p>
 	  <p>When reading text nodes from an XML document, the REXML parser can
 	     be coerced in to allocating extremely large string objects which
 	     can consume all of the memory on a machine, causing a denial of
-             service.
-          </p>
+	     service.
+	  </p>
 	</blockquote>
       </body>
     </description>
@@ -1047,14 +1047,14 @@ Note:  Please add new entries to the beg
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>The Django Project reports:</p>
+	<p>The Django Project reports:</p>
 	<blockquote cite="https://www.djangoproject.com/weblog/2013/feb/19/security/">;
 	  <p>These security releases fix four issues: one potential phishing
 	    vector, one denial-of-service vector, an information leakage issue,
 	    and a range of XML vulnerabilities.</p>
-          <ol>
+	  <ol>
 	  <li>
-            <p>Host header poisoning</p>
+	    <p>Host header poisoning</p>
 	    <p>an attacker could cause Django to generate and display URLs that
 	      link to arbitrary domains. This could be used as part of a phishing
 	      attack. These releases fix this problem by introducing a new
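Review bot: after this change `<ol>` and its first `<li>` sit at the same depth (a tab plus two spaces), so the list item does not read as a child of the list. Indent `<li>` and the `<p>` elements inside it one level deeper than `<ol>` while the whitespace in this entry is being touched anyway.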
@@ -1287,13 +1287,13 @@ Note:  Please add new entries to the beg
     <topic>drupal7 -- Denial of service</topic>
     <affects>
       <package>
-        <name>drupal7</name>
-        <range><lt>7.19</lt></range>
+	<name>drupal7</name>
+	<range><lt>7.19</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>Drupal Security Team reports:</p>
+	<p>Drupal Security Team reports:</p>
 	<blockquote cite="https://drupal.org/SA-CORE-2013-002">;
 	  <p>Drupal core's Image module allows for the on-demand generation
 	    of image derivatives. This capability can be abused by requesting
@@ -1482,7 +1482,7 @@ Note:  Please add new entries to the beg
 	<blockquote cite="http://www.ruby-forum.com/topic/4410659">;
 	  <p>Today we are proud to announce the release of Rack 1.4.5.</p>
 	  <p>Fix CVE-2013-0263, timing attack against Rack::Session::Cookie</p>
-          <p>Fix CVE-2013-0262, symlink path traversal in Rack::File</p>
+	  <p>Fix CVE-2013-0262, symlink path traversal in Rack::File</p>
 	</blockquote>
       </body>
     </description>
@@ -1515,11 +1515,11 @@ Note:  Please add new entries to the beg
 	  <p>The attr_protected method allows developers to specify a blacklist
 	     of model attributes which users should not be allowed to assign to.
 	     By using a specially crafted request, attackers could circumvent
-             this protection and alter values that were meant to be protected.</p>
+	     this protection and alter values that were meant to be protected.</p>
 	  <p>All users running an affected release should either upgrade or use
 	     one of the work arounds immediately. Users should also consider
 	     switching from attr_protected to the whitelist method
-             attr_accessible which is not vulnerable to this attack.</p>
+	     attr_accessible which is not vulnerable to this attack.</p>
 	</blockquote>
       </body>
     </description>
@@ -1584,9 +1584,9 @@ Note:  Please add new entries to the beg
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
        <p>Multiple cross-site scripting (XSS) vulnerabilities</p>
-        <blockquote cite="https://www.poweradmin.org/trac/ticket/468">;
-          <p>Multiple scripts are vulnerable to XSS attacks.</p>
-        </blockquote>
+	<blockquote cite="https://www.poweradmin.org/trac/ticket/468">;
+	  <p>Multiple scripts are vulnerable to XSS attacks.</p>
+	</blockquote>
       </body>
     </description>
     <references>
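Review bot: the `<p>Multiple cross-site scripting (XSS) vulnerabilities</p>` context line above the converted `<blockquote>` is still indented with seven spaces, one column short of its sibling, so it was not picked up by the conversion. Put it on a single tab like the `<blockquote>` so the two children of `<body>` line up.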
@@ -1630,7 +1630,7 @@ Note:  Please add new entries to the beg
 	  <p>When parsing certain JSON documents, the JSON gem can be coerced in
 	     to creating Ruby symbols in a target system. Since Ruby symbols
 	     are not garbage collected, this can result in a denial of service
-             attack.</p>
+	     attack.</p>
 	  <p>The same technique can be used to create objects in a target system
 	     that act like internal objects. These "act alike" objects can be
 	     used to bypass certain security mechanisms and can be used as a
@@ -1718,20 +1718,20 @@ Note:  Please add new entries to the beg
   <topic>OpenSSL -- TLS 1.1, 1.2 denial of service</topic>
     <affects>
       <package>
-        <name>openssl</name>
-        <range><lt>1.0.1_6</lt></range>
+	<name>openssl</name>
+	<range><lt>1.0.1_6</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>OpenSSL security team reports:</p>
-        <blockquote cite="http://www.openssl.org/news/secadv_20130205.txt">;
-          <p>A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1
-            and TLS 1.2 on AES-NI supporting platforms can be exploited in a
+	<p>OpenSSL security team reports:</p>
+	<blockquote cite="http://www.openssl.org/news/secadv_20130205.txt">;
+	  <p>A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1
+	    and TLS 1.2 on AES-NI supporting platforms can be exploited in a
 	    DoS attack.</p>
-          <p>A flaw in the OpenSSL handling of OCSP response verification can
-            be exploited in a denial of service attack.</p>
-        </blockquote>
+	  <p>A flaw in the OpenSSL handling of OCSP response verification can
+	    be exploited in a denial of service attack.</p>
+	</blockquote>
       </body>
     </description>
     <references>
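Review bot: the `<topic>OpenSSL -- TLS 1.1, 1.2 denial of service</topic>` line at the top of this hunk is indented two spaces, while `<affects>` and `<description>` in the same entry use four. A whitespace-only commit is the right place to fix that, so move `<topic>` to four spaces as well.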
@@ -1795,22 +1795,22 @@ Note:  Please add new entries to the beg
     <topic>opera -- execution of arbitrary code</topic>
     <affects>
       <package>
-        <name>opera</name>
-        <name>opera-devel</name>
-        <name>linux-opera</name>
-        <name>linux-opera-devel</name>
-        <range><lt>12.13</lt></range>
+	<name>opera</name>
+	<name>opera-devel</name>
+	<name>linux-opera</name>
+	<name>linux-opera-devel</name>
+	<range><lt>12.13</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>Opera reports:</p>
-        <blockquote cite="http://www.opera.com/support/kb/view/1042/">;
-          <p>Particular DOM event manipulations can cause Opera to crash. In
-            some cases, this crash might occur in a way that allows execution
-            of arbitrary code. To inject code, additional techniques would
-            have to be employed.</p>
-        </blockquote>
+	<p>Opera reports:</p>
+	<blockquote cite="http://www.opera.com/support/kb/view/1042/">;
+	  <p>Particular DOM event manipulations can cause Opera to crash. In
+	    some cases, this crash might occur in a way that allows execution
+	    of arbitrary code. To inject code, additional techniques would
+	    have to be employed.</p>
+	</blockquote>
       </body>
     </description>
     <references>
@@ -1993,26 +1993,26 @@ Note:  Please add new entries to the beg
     <topic>drupal -- multiple vulnerabilities</topic>
     <affects>
       <package>
-        <name>drupal6</name>
-        <range><lt>6.28</lt></range>
+	<name>drupal6</name>
+	<range><lt>6.28</lt></range>
       </package>
       <package>
-        <name>drupal7</name>
-        <range><lt>7.19</lt></range>
+	<name>drupal7</name>
+	<range><lt>7.19</lt></range>
       </package>
     </affects>
     <description>
      <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>Drupal Security Team reports:</p>
-        <blockquote cite="https://drupal.org/SA-CORE-2013-001">;
-          <p>Cross-site scripting (Various core and contributed modules)</p>
-          <p>Access bypass (Book module printer friendly version)</p>
-          <p>Access bypass (Image module)</p>
-        </blockquote>
+	<p>Drupal Security Team reports:</p>
+	<blockquote cite="https://drupal.org/SA-CORE-2013-001">;
+	  <p>Cross-site scripting (Various core and contributed modules)</p>
+	  <p>Access bypass (Book module printer friendly version)</p>
+	  <p>Access bypass (Image module)</p>
+	</blockquote>
       </body>
     </description>
     <references>
-        <url>https://drupal.org/SA-CORE-2013-001</url>;
+	<url>https://drupal.org/SA-CORE-2013-001</url>;
     </references>
     <dates>
       <discovery>2013-01-16</discovery>
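Review bot: the opening `<body xmlns="http://www.w3.org/1999/xhtml">` in this entry is indented five spaces but its closing `</body>` is at six, and the commit leaves that mismatch in place. Indent the opening tag to six spaces so the pair lines up with the other entries.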
@@ -2024,21 +2024,21 @@ Note:  Please add new entries to the beg
     <topic>ettercap -- buffer overflow in target list parsing</topic>
     <affects>
       <package>
-        <name>ettercap</name>
-        <range><lt>0.7.4.1</lt></range>
-        <range><ge>0.7.5</ge><lt>0.7.5.2</lt></range>
+	<name>ettercap</name>
+	<range><lt>0.7.4.1</lt></range>
+	<range><ge>0.7.5</ge><lt>0.7.5.2</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>Host target list parsing routine in ettercap
-          0.7.4-series prior to 0.7.4.1 and 0.7.5-series
-          is prone to the stack-based buffer overflow that
-          may lead to the code execution with the privileges
-          of the ettercap process.</p>
-        <p>In order to trigger this vulnerability, user or service
-          that use ettercap should be tricked to pass the crafted list
-          of targets via the "-j" option.</p>
+	<p>Host target list parsing routine in ettercap
+	  0.7.4-series prior to 0.7.4.1 and 0.7.5-series
+	  is prone to the stack-based buffer overflow that
+	  may lead to the code execution with the privileges
+	  of the ettercap process.</p>
+	<p>In order to trigger this vulnerability, user or service
+	  that use ettercap should be tricked to pass the crafted list
+	  of targets via the "-j" option.</p>
       </body>
     </description>
     <references>
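Review bot: the description says "0.7.4-series prior to 0.7.4.1 and 0.7.5-series", but the `<range>` elements stop the 0.7.5 series at `<lt>0.7.5.2</lt>`, so the prose omits the upper bound that the ranges declare. Since these `<p>` lines are being rewritten anyway, state the 0.7.5 bound in the text so readers do not have to infer the fixed version from the ranges.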
@@ -2056,79 +2056,79 @@ Note:  Please add new entries to the beg
     <topic>java 7.x -- security manager bypass</topic>
     <affects>
       <package>
-        <name>openjdk7</name>
-        <range><gt>0</gt></range>
+	<name>openjdk7</name>
+	<range><gt>0</gt></range>
       </package>
       <package>
-        <name>linux-sun-jdk</name>
-        <range><ge>7.0</ge><lt>7.11</lt></range>
+	<name>linux-sun-jdk</name>
+	<range><ge>7.0</ge><lt>7.11</lt></range>
       </package>
       <package>
-        <name>linux-sun-jre</name>
-        <range><ge>7.0</ge><lt>7.11</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>US CERT reports:</p>
-        <blockquote cite="http://www.kb.cert.org/vuls/id/625617">;
-          <p>Java 7 Update 10 and earlier versions of Java 7 contain a
-            vulnerability that can allow a remote, unauthenticated
-            attacker to execute arbitrary code on a vulnerable
-            system.</p>
-          <p>The Java JRE plug-in provides its own Security Manager.
-            Typically, a web applet runs with a security manager
-            provided by the browser or Java Web Start plugin. Oracle's
-            document states, "If there is a security manager already
-            installed, this method first calls the security manager's
-            checkPermission method with a
-            RuntimePermission("setSecurityManager") permission to ensure
-            it's safe to replace the existing security manager.  This may
-            result in throwing a SecurityException".</p>
-          <p>By leveraging the vulnerability in the Java Management
-            Extensions (JMX) MBean components, unprivileged Java code
-            can access restricted classes.  By using that vulnerability
-            in conjunction with a second vulnerability involving the
-            Reflection API and the invokeWithArguments method of the
-            MethodHandle class, an untrusted Java applet can escalate
-            its privileges by calling the the setSecurityManager()
-            function to allow full privileges, without requiring code
-            signing.  Oracle Java 7 update 10 and earlier Java 7 versions
-            are affected. The invokeWithArguments method was introduced
-            with Java 7, so therefore Java 6 is not affected.</p>
-          <p>This vulnerability is being attacked in the wild, and is
-            reported to be incorporated into exploit kits. Exploit code
-            for this vulnerability is also publicly available.</p>
-        </blockquote>
-        <p>Esteban Guillardoy from Immunity Inc. additionally clarifies
-          on the recursive reflection exploitation technique:</p>
-        <blockquote cite="https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf">;
-          <p>The real issue is in the native
-            sun.reflect.Reflection.getCallerClass method.</p>
-          <p>We can see the following information in the Reflection
-            source code:</p>
-          <p>Returns the class of the method realFramesToSkip frames
-            up the stack (zero-based), ignoring frames associated with
-            java.lang.reflect.Method.invoke() and its
-            implementation.</p>
-          <p>So what is happening here is that they forgot to skip the
-          frames related to the new Reflection API and only the old
-          reflection API is taken into account.</p>
-        </blockquote>
-        <p>This exploit does not only affect Java applets, but every
-          piece of software that relies on the Java Security Manager for
-          sandboxing executable code is affected: malicious code can
-          totally disable Security Manager.</p>
-        <p>For users who are running native Web browsers with enabled
-          Java plugin, the workaround is to remove the java/icedtea-web
-          port and restart all browser instances.</p>
-        <p>For users who are running Linux Web browser flavors, the
-          workaround is either to disable the Java plugin in browser
-          or to upgrade linux-sun-* packages to the non-vulnerable
-          version.</p>
-        <p>It is not recommended to run untrusted applets using
-          appletviewer, since this may lead to the execution of the
-          malicious code on vulnerable versions on JDK/JRE.</p>
+	<name>linux-sun-jre</name>
+	<range><ge>7.0</ge><lt>7.11</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>US CERT reports:</p>
+	<blockquote cite="http://www.kb.cert.org/vuls/id/625617">;
+	  <p>Java 7 Update 10 and earlier versions of Java 7 contain a
+	    vulnerability that can allow a remote, unauthenticated
+	    attacker to execute arbitrary code on a vulnerable
+	    system.</p>
+	  <p>The Java JRE plug-in provides its own Security Manager.
+	    Typically, a web applet runs with a security manager
+	    provided by the browser or Java Web Start plugin. Oracle's
+	    document states, "If there is a security manager already
+	    installed, this method first calls the security manager's
+	    checkPermission method with a
+	    RuntimePermission("setSecurityManager") permission to ensure
+	    it's safe to replace the existing security manager.  This may
+	    result in throwing a SecurityException".</p>
+	  <p>By leveraging the vulnerability in the Java Management
+	    Extensions (JMX) MBean components, unprivileged Java code
+	    can access restricted classes.  By using that vulnerability
+	    in conjunction with a second vulnerability involving the
+	    Reflection API and the invokeWithArguments method of the
+	    MethodHandle class, an untrusted Java applet can escalate
+	    its privileges by calling the the setSecurityManager()
+	    function to allow full privileges, without requiring code
+	    signing.  Oracle Java 7 update 10 and earlier Java 7 versions
+	    are affected. The invokeWithArguments method was introduced
+	    with Java 7, so therefore Java 6 is not affected.</p>
+	  <p>This vulnerability is being attacked in the wild, and is
+	    reported to be incorporated into exploit kits. Exploit code
+	    for this vulnerability is also publicly available.</p>
+	</blockquote>
+	<p>Esteban Guillardoy from Immunity Inc. additionally clarifies
+	  on the recursive reflection exploitation technique:</p>
+	<blockquote cite="https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf">;
+	  <p>The real issue is in the native
+	    sun.reflect.Reflection.getCallerClass method.</p>
+	  <p>We can see the following information in the Reflection
+	    source code:</p>
+	  <p>Returns the class of the method realFramesToSkip frames
+	    up the stack (zero-based), ignoring frames associated with
+	    java.lang.reflect.Method.invoke() and its
+	    implementation.</p>
+	  <p>So what is happening here is that they forgot to skip the
+	  frames related to the new Reflection API and only the old
+	  reflection API is taken into account.</p>
+	</blockquote>
+	<p>This exploit does not only affect Java applets, but every
+	  piece of software that relies on the Java Security Manager for
+	  sandboxing executable code is affected: malicious code can
+	  totally disable Security Manager.</p>
+	<p>For users who are running native Web browsers with enabled
+	  Java plugin, the workaround is to remove the java/icedtea-web
+	  port and restart all browser instances.</p>
+	<p>For users who are running Linux Web browser flavors, the
+	  workaround is either to disable the Java plugin in browser
+	  or to upgrade linux-sun-* packages to the non-vulnerable
+	  version.</p>
+	<p>It is not recommended to run untrusted applets using
+	  appletviewer, since this may lead to the execution of the
+	  malicious code on vulnerable versions on JDK/JRE.</p>
       </body>
     </description>
     <references>
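Review bot: the added line "its privileges by calling the the setSecurityManager()" still carries a doubled "the" inside the quoted advisory text, and the last quoted paragraph ("So what is happening here ...") indents its continuation lines at the same depth as its <p> tag while every other paragraph in this entry indents them further. Neither belongs in a whitespace-only commit, but since these lines are being rewritten anyway, check the doubled word against the cited source and fix both in a follow-up so the next blame on this entry points at a content change, not at the unexpand.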
@@ -2405,56 +2405,56 @@ Note:  Please add new entries to the beg
     <topic>rubygem-rails -- multiple vulnerabilities</topic>
     <affects>
       <package>
-        <name>rubygem-rails</name>
-        <range><lt>3.2.11</lt></range>
+	<name>rubygem-rails</name>
+	<range><lt>3.2.11</lt></range>
       </package>
       <package>
-        <name>rubygem-actionpack</name>
-        <range><lt>3.2.11</lt></range>
+	<name>rubygem-actionpack</name>
+	<range><lt>3.2.11</lt></range>
       </package>
       <package>
-        <name>rubygem-activerecord</name>
-        <range><lt>3.2.11</lt></range>
+	<name>rubygem-activerecord</name>
+	<range><lt>3.2.11</lt></range>
       </package>
       <package>
-        <name>rubygem-activesupport</name>
-        <range><lt>3.2.11</lt></range>
+	<name>rubygem-activesupport</name>
+	<range><lt>3.2.11</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>Ruby on Rails team reports:</p>
-        <blockquote cite="http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/">;
-          <p>Two high-risk vulnerabilities have been discovered:</p>
-          <p>(CVE-2013-0155) There is a vulnerability when Active Record is
-             used in conjunction with JSON parameter parsing.</p>
-          <p>Due to the way Active Record interprets parameters in combination
-             with the way that JSON parameters are parsed, it is possible for an
-             attacker to issue unexpected database queries with "IS NULL" or
-             empty "WHERE" clauses. This issue does not let an attacker insert
-             arbitrary values into an SQL query, however they can cause the
-             query to check for NULL or eliminate a WHERE clause when most users
-             would not expect it.</p>
-          <p>(CVE-2013-0156) There are multiple weaknesses in the parameter
-             parsing code for Ruby on Rails which allows attackers to bypass
-             authentication systems, inject arbitrary SQL, inject and execute
-             arbitrary code, or perform a DoS attack on a Rails application.</p>
-          <p>The parameter parsing code of Ruby on Rails allows applications to
-             automatically cast values from strings to certain data types.
-             Unfortunately the type casting code supported certain conversions
-             which were not suitable for performing on user-provided data
-             including creating Symbols and parsing YAML. These unsuitable
-             conversions can be used by an attacker to compromise a Rails
-             application.</p>
-        </blockquote>
+	<p>Ruby on Rails team reports:</p>
+	<blockquote cite="http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/">;
+	  <p>Two high-risk vulnerabilities have been discovered:</p>
+	  <p>(CVE-2013-0155) There is a vulnerability when Active Record is
+	     used in conjunction with JSON parameter parsing.</p>
+	  <p>Due to the way Active Record interprets parameters in combination
+	     with the way that JSON parameters are parsed, it is possible for an
+	     attacker to issue unexpected database queries with "IS NULL" or
+	     empty "WHERE" clauses. This issue does not let an attacker insert
+	     arbitrary values into an SQL query, however they can cause the
+	     query to check for NULL or eliminate a WHERE clause when most users
+	     would not expect it.</p>
+	  <p>(CVE-2013-0156) There are multiple weaknesses in the parameter
+	     parsing code for Ruby on Rails which allows attackers to bypass
+	     authentication systems, inject arbitrary SQL, inject and execute
+	     arbitrary code, or perform a DoS attack on a Rails application.</p>
+	  <p>The parameter parsing code of Ruby on Rails allows applications to
+	     automatically cast values from strings to certain data types.
+	     Unfortunately the type casting code supported certain conversions
+	     which were not suitable for performing on user-provided data
+	     including creating Symbols and parsing YAML. These unsuitable
+	     conversions can be used by an attacker to compromise a Rails
+	     application.</p>
+	</blockquote>
       </body>
     </description>
     <references>
-        <cvename>CVE-2013-0155</cvename>
-        <cvename>CVE-2013-0156</cvename>
-        <url>http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/</url>;
-        <url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/t1WFuuQyavI</url>;
-        <url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/61bkgvnSGTQ</url>;
+	<cvename>CVE-2013-0155</cvename>
+	<cvename>CVE-2013-0156</cvename>
+	<url>http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/</url>;
+	<url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/t1WFuuQyavI</url>;
+	<url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/61bkgvnSGTQ</url>;
     </references>
     <dates>
       <discovery>2013-01-08</discovery>
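Review bot: all four packages in this entry keep a single <range><lt>3.2.11</lt></range>, while the cited announcement URL names 3.1.10, 3.0.19 and 2.3.15 as fixed releases alongside 3.2.11. With only one upper bound, an installed 3.1.10 or 3.0.19 would still match as vulnerable. That is unchanged by this whitespace conversion, so it is not a blocker here, but it is worth confirming whether per-branch ranges are needed and handling that in a separate content commit.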
@@ -2466,20 +2466,20 @@ Note:  Please add new entries to the beg
     <topic>rubygem-rails -- SQL injection vulnerability</topic>
     <affects>
       <package>
-        <name>rubygem-rails</name>
-        <range><lt>3.2.10</lt></range>
+	<name>rubygem-rails</name>
+	<range><lt>3.2.10</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>Ruby on Rails team reports:</p>
-        <blockquote cite="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM">;
-          <p>There is a SQL injection vulnerability in Active Record in ALL
-             versions. Due to the way dynamic finders in Active Record extract
-             options from method parameters, a method parameter can mistakenly
-             be used as a scope. Carefully crafted requests can use the scope
-             to inject arbitrary SQL.</p>
-        </blockquote>
+	<p>Ruby on Rails team reports:</p>
+	<blockquote cite="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM">;
+	  <p>There is a SQL injection vulnerability in Active Record in ALL
+	     versions. Due to the way dynamic finders in Active Record extract
+	     options from method parameters, a method parameter can mistakenly
+	     be used as a scope. Carefully crafted requests can use the scope
+	     to inject arbitrary SQL.</p>
+	</blockquote>
       </body>
     </description>
     <references>
@@ -2513,11 +2513,11 @@ Note:  Please add new entries to the beg
 	     that may apply to specific installations.</p>
 	    <ul>
 	      <li>The particular attack vector is only applicable on Jenkins
-	          instances that have slaves attached to them, and allow
-	          anonymous read access.</li>
+		  instances that have slaves attached to them, and allow
+		  anonymous read access.</li>
 	      <li>Jenkins allows users to re-generate the API tokens. Those
-	          re-generated API tokens cannot be impersonated by the
-	          attacker.</li>
+		  re-generated API tokens cannot be impersonated by the
+		  attacker.</li>
 	    </ul>
 	</blockquote>
       </body>
@@ -2535,21 +2535,21 @@ Note:  Please add new entries to the beg
     <topic>django -- multiple vulnerabilities</topic>
     <affects>
       <package>
-        <name>django</name>
-        <range><lt>1.4.3</lt></range>
+	<name>django</name>
+	<range><lt>1.4.3</lt></range>
       </package>
       <package>
-        <name>django13</name>
-        <range><lt>1.3.5</lt></range>
+	<name>django13</name>
+	<range><lt>1.3.5</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>The Django Project reports:</p>
+	<p>The Django Project reports:</p>
 	<blockquote cite="https://www.djangoproject.com/weblog/2012/dec/10/security/">;
-        <ol>
-          <li>
-          <p>Host header poisoning</p>
+	<ol>
+	  <li>
+	  <p>Host header poisoning</p>
 	  <p>Several earlier Django security releases focused on the issue of
 	      poisoning the HTTP Host header, causing Django to generate URLs
 	      pointing to arbitrary, potentially-malicious domains.</p>
@@ -2566,9 +2566,9 @@ Note:  Please add new entries to the beg
 	    </ul>
 	  <p>Any deviation from this will now be rejected, raising the exception
 	      django.core.exceptions.SuspiciousOperation.</p>
-          </li>
-          <li>
-          <p>Redirect poisoning</p>
+	  </li>
+	  <li>
+	  <p>Redirect poisoning</p>
 	  <p>Also following up on a previous issue: in July of this year, we made
 	      changes to Django's HTTP redirect classes, performing additional
 	      validation of the scheme of the URL to redirect to (since, both
@@ -2591,8 +2591,8 @@ Note:  Please add new entries to the beg
 		    authentication system -- which allow user-supplied redirect
 		    targets now use is_safe_url to validate the supplied URL.</li>
 	    </ol>
-          </li>
-          </ol>
+	  </li>
+	  </ol>
 	</blockquote>
       </body>
     </description>
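Review bot: the closing "</ol>" added in this hunk sits at a tab plus two spaces, while the opening "<ol>" converted in the earlier django hunk sits at a bare tab, so the outer list's open and close tags do not line up, and the "<li>" and its child "<p>" share one depth. The unexpand faithfully preserves the old layout, which is the right call for a mechanical change, but a follow-up that re-indents this entry would make the nested <ol> inside the second <li> much easier to audit for correct closing.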
@@ -2773,20 +2773,20 @@ Note:  Please add new entries to the beg
       <body xmlns="http://www.w3.org/1999/xhtml">;
 	<p>puppet -- multiple vulnerabilities</p>
 	<blockquote cite="http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.17">;
-          <p>Arbitrary file read on the puppet master from authenticated clients (high). It is possible to construct an HTTP get request from an authenticated client with a valid certificate that will return the contents of an arbitrary file on the Puppet master that the master has read-access to.</p>
-          <p>Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high). Given a Puppet master with the "Delete" directive allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default.</p>
-          <p>Insufficient input validation for agent hostnames (low). An attacker could trick the administrator into signing an attacker's certificate rather than the intended one by constructing specially crafted certificate requests containing specific ANSI control sequences. It is possible to use the sequences to rewrite the order of text displayed to an administrator such that display of an invalid certificate and valid certificate are transposed. If the administrator signs the attacker's certificate, the attacker can then man-in-the-middle the agent.</p>
+	  <p>Arbitrary file read on the puppet master from authenticated clients (high). It is possible to construct an HTTP get request from an authenticated client with a valid certificate that will return the contents of an arbitrary file on the Puppet master that the master has read-access to.</p>
+	  <p>Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high). Given a Puppet master with the "Delete" directive allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default.</p>
+	  <p>Insufficient input validation for agent hostnames (low). An attacker could trick the administrator into signing an attacker's certificate rather than the intended one by constructing specially crafted certificate requests containing specific ANSI control sequences. It is possible to use the sequences to rewrite the order of text displayed to an administrator such that display of an invalid certificate and valid certificate are transposed. If the administrator signs the attacker's certificate, the attacker can then man-in-the-middle the agent.</p>
 	</blockquote>
       </body>
     </description>
     <references>
-        <cvename>CVE-2012-3864</cvename>
-        <cvename>CVE-2012-3865</cvename>
-        <cvename>CVE-2012-3867</cvename>
-        <url>http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.17</url>;
-        <url>http://puppetlabs.com/security/cve/cve-2012-3864/</url>;
-        <url>http://puppetlabs.com/security/cve/cve-2012-3865/</url>;
-        <url>http://puppetlabs.com/security/cve/cve-2012-3867/</url>;
+	<cvename>CVE-2012-3864</cvename>
+	<cvename>CVE-2012-3865</cvename>
+	<cvename>CVE-2012-3867</cvename>
+	<url>http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.17</url>;
+	<url>http://puppetlabs.com/security/cve/cve-2012-3864/</url>;
+	<url>http://puppetlabs.com/security/cve/cve-2012-3865/</url>;
+	<url>http://puppetlabs.com/security/cve/cve-2012-3867/</url>;
     </references>
     <dates>
       <discovery>2012-07-10</discovery>
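Review bot: the three <p> lines converted in this blockquote are each several hundred characters long on a single line, unlike the other entries in this diff, which wrap quoted text at roughly 80 columns. Unwrapped lines make any later one-word fix show up as a whole-paragraph diff. Suggest wrapping them in a follow-up, and at the same time replacing the lead-in "<p>puppet -- multiple vulnerabilities</p>", which repeats a topic line instead of naming the source the way the other entries do ("Squid developers report:", "Opera reports:"). The entry also lists three issues and three <cvename> values without saying which CVE belongs to which issue.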
@@ -2889,25 +2889,25 @@ executed in your Internet Explorer while
     <topic>squid -- denial of service</topic>
     <affects>
       <package>
-        <name>squid</name>
-        <range><lt>3.1.23</lt></range>
-        <range><ge>3.2</ge><lt>3.2.6</lt></range>
-        <range><ge>3.3</ge><lt>3.3.0.3</lt></range>
+	<name>squid</name>
+	<range><lt>3.1.23</lt></range>
+	<range><ge>3.2</ge><lt>3.2.6</lt></range>
+	<range><ge>3.3</ge><lt>3.3.0.3</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>Squid developers report:</p>
-        <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2012_1.txt">;
-          <p>Due to missing input validation Squid cachemgr.cgi tool
-          is vulnerable to a denial of service attack when processing
-          specially crafted requests.</p>
-          <p>This problem allows any client able to reach the
-          cachemgr.cgi to perform a denial of service attack on the
-          service host.</p>
-          <p>The nature of the attack may cause secondary effects
-          through resource consumption on the host server.</p>
-        </blockquote>
+	<p>Squid developers report:</p>
+	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2012_1.txt">;
+	  <p>Due to missing input validation Squid cachemgr.cgi tool
+	  is vulnerable to a denial of service attack when processing
+	  specially crafted requests.</p>
+	  <p>This problem allows any client able to reach the
+	  cachemgr.cgi to perform a denial of service attack on the
+	  service host.</p>
+	  <p>The nature of the attack may cause secondary effects
+	  through resource consumption on the host server.</p>
+	</blockquote>
       </body>
     </description>
     <references>
@@ -2926,24 +2926,24 @@ executed in your Internet Explorer while
     <topic>opera -- execution of arbitrary code</topic>
     <affects>
       <package>
-        <name>opera</name>
-        <name>opera-devel</name>
-        <name>linux-opera</name>
-        <name>linux-opera-devel</name>
-        <range><lt>12.12</lt></range>
+	<name>opera</name>
+	<name>opera-devel</name>
+	<name>linux-opera</name>
+	<name>linux-opera-devel</name>
+	<range><lt>12.12</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>Opera reports:</p>
-        <blockquote cite="http://www.opera.com/support/kb/view/1038/">;
-          <p>When loading GIF images into memory, Opera should allocate the
-            correct amount of memory to store that image. Specially crafted
-            image files can cause Opera to allocate the wrong amount of memory.
-            Subsequent data may then overwrite unrelated memory with
-            attacker-controlled data. This can lead to a crash, which may also
-            execute that data as code.</p>
-        </blockquote>
+	<p>Opera reports:</p>
+	<blockquote cite="http://www.opera.com/support/kb/view/1038/">;
+	  <p>When loading GIF images into memory, Opera should allocate the
+	    correct amount of memory to store that image. Specially crafted
+	    image files can cause Opera to allocate the wrong amount of memory.
+	    Subsequent data may then overwrite unrelated memory with
+	    attacker-controlled data. This can lead to a crash, which may also
+	    execute that data as code.</p>
+	</blockquote>
       </body>
     </description>
     <references>
@@ -3042,11 +3042,11 @@ executed in your Internet Explorer while
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>The Apache Software Foundation reports:</p>
-        <blockquote cite="http://tomcat.apache.org/security-7.html">;
+	<p>The Apache Software Foundation reports:</p>
+	<blockquote cite="http://tomcat.apache.org/security-7.html">;
 	  <p>The CSRF prevention filter could be bypassed if a request was made to a
 	     protected resource without a session identifier present in the request.</p>
-        </blockquote>
+	</blockquote>
       </body>
     </description>
     <references>
@@ -3074,12 +3074,12 @@ executed in your Internet Explorer while
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-        <p>The Apache Software Foundation reports:</p>
-        <blockquote cite="http://tomcat.apache.org/security-7.html">;
+	<p>The Apache Software Foundation reports:</p>
+	<blockquote cite="http://tomcat.apache.org/security-7.html">;
 	  <p>When using the NIO connector with sendfile and HTTPS enabled, if a
 	     client breaks the connection while reading the response an infinite loop
 	     is entered leading to a denial of service.</p>
-        </blockquote>

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


