CVE-2012-2011
Published: 2012-06-13
Priority: P417 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 1.61% (72.9th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in HP Web Jetadmin 8.x allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | drupal | — | — |
| hp | web_jetadmin | — | — |
| hp | web_jetadmin | — | — |
| openstack | nova | >= 0 < 12.0.0a0 | 12.0.0a0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 9.3 | CRITICAL | — |
GHSA
GHSA-6cvf-279w-2mvw: Multiple cross-site scripting (XSS) vulnerabilities in HP Web Jetadmin 8
ghsa_unreviewed · 2022-05-17 · CVE-2012-2011 [MEDIUM] · CWE-79
Multiple cross-site scripting (XSS) vulnerabilities in HP Web Jetadmin 8.x allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
GHSA
OpenStack Compute (Nova) Improper Input Validation
ghsa · 2022-05-17 · CVE-2012-2654 [MEDIUM] · CWE-20
The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.
Red Hat
xml: xerces-c hash table collisions CPU usage DoS (oCERT-2011-003)
vendor_redhat · 2014-07-08 · CVSS 7.5 · CVE-2012-0880 [HIGH] · CWE-407
Apache Xerces-C++ allows remote attackers to cause a denial of service (CPU consumption) via a crafted message sent to an XML service that causes hash table collisions.
Statement: This issue affects the versions of xerces as shipped with Red Hat Enterprise Linux 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Package: xerces-c (Red Hat Enterprise Linux 6) - Out of support scope
Package: xerces-c (Red Hat Enterprise MRG 1) - Fix deferred
Package: xerces-c (Red Hat Enterprise MRG 2) - Fix deferred
Red Hat
Webkitgtk: google chrome update [30-April-2012]
vendor_redhat · 2012-05-01 · CVSS 6.8 · CVE-2011-3078 [MEDIUM]
Use-after-free vulnerability in Google Chrome before 18.0.1025.168 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the floating of elements, a different vulnerability than CVE-2011-3081.
Statement: Not Vulnerable. This issue does not affect the version of webkitgtk as shipped with Red Hat Enterprise Linux 6.
Package: webkitgtk (Red Hat Enterprise Linux 6) - Not affected
Red Hat
Webkitgtk: google chrome update [28-March-2012]
vendor_redhat · 2012-03-28 · CVSS 6.8 · CVE-2011-3060 [MEDIUM]
Google Chrome before 18.0.1025.142 does not properly handle text fragments, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
Statement: Not Vulnerable. This issue does not affect the version of webkitgtk as shipped with Red Hat Enterprise Linux 6.
Package: webkitgtk (Red Hat Enterprise Linux 6) - Not affected
Red Hat
Mozilla: child nodes from nsDOMAttribute still accessible after removal of nodes (MFSA 2012-04)
vendor_redhat · 2012-01-31 · CVSS 9.3 · CVE-2011-3659 [CRITICAL]
Use-after-free vulnerability in Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 might allow remote attackers to execute arbitrary code via vectors related to incorrect AttributeChildRemoved notifications that affect access to removed nsDOMAttribute child nodes.
Drupal
Hash DOS attack prevention with Suhosin needs a .htaccess edit - PSA-2012-001
vendor_drupal · 2012-01-11 · CVSS 5.0 · CVE-2011-4885 [MEDIUM]
Vulnerability Type: Hash DOS attack prevention with Suhosin needs a .htaccess edit
Advisory ID: DRUPAL-PSA-2012-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2012-01-11
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Denial of Service
Description: Update, June 12th 2012: this advisory is related to flaws in PHP with CVE identifiers CVE-2011-4885 and CVE-2012-0830. Users are encouraged to update the PHP used for their site to a version that is known to fix those vulnerabilities. See below for mitigation techniques if your site runs a version of PHP that doesn't contain those fixes and you cannot change it. PHP is vulnerable to a hash collision denial of service (DOS) at
Red Hat
kernel: incomplete fix for CVE-2011-2482
vendor_redhat · 2012-01-10 · CVSS 7.5 · CVE-2011-4348 [HIGH] · CWE-662
Race condition in the sctp_rcv function in net/sctp/input.c in the Linux kernel before 2.6.29 allows remote attackers to cause a denial of service (system hang) via SCTP packets. NOTE: in some environments, this issue exists because of an incomplete fix for CVE-2011-2482.
Statement: This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 6 and Red Hat Enterprise MRG as they were not vulnerable to CVE-2011-2482. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2012-0007.html.
Package: kernel (Red Hat Enterprise Linux 4) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: realtime-kernel (Red Hat Enterprise MRG 2) - Not affect
Red Hat
gnutls: DTLS plaintext recovery attack
vendor_redhat · 2012-01-05 · CVSS 4.3 · CVE-2012-0390 [MEDIUM]
The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which makes it easier for remote attackers to recover partial plaintext via a timing side-channel attack, a related issue to CVE-2011-4108.
Statement: Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 4, 5 and 6 as they did not include support for DTLS.
Package: gnutls (Red Hat Enterprise Linux 4) - Not affected
Package: gnutls (Red Hat Enterprise Linux 5) - Not affected
Package: gnutls (Red Hat Enterprise Linux 6) - Not affected
Red Hat
OpenSSO: unspecified vulnerability in the authentication component
vendor_redhat · 2011-10-18 · CVSS 4.3 · CVE-2011-3517 [MEDIUM]
Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 8.0 allows remote attackers to affect availability via unknown vectors related to Authentication.
Statement: Oracle OpenSSO is provided as part of the opensso quickstart example application shipped with JBoss Enterprise SOA Platform 5. The CVE-2011-3506, CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso quickstart example application is deployed, or you have created and deployed a custom application that is packaged with a copy of Oracle OpenSSO as provided by the opensso quickstart.
The opensso quickstart has been removed in JBoss Enterprise SOA Platform 5.3.0 to address these flaws. Users interested in continui
Red Hat
kernel: cifs: signedness issue in CIFSFindNext()
vendor_redhat · 2011-08-23 · CVSS 8.8 · CVE-2011-3191 [HIGH]
Integer signedness error in the CIFSFindNext function in fs/cifs/cifssmb.c in the Linux kernel before 3.1 allows remote CIFS servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large length value in a response to a read request for a directory.
Statement: This issue affects the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, 6, and Red Hat Enterprise MRG. It has been addressed in Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1386.html, https://rhn.redhat.com/errata/RHSA-2011-1465.html, and https://rhn.redhat.com/errata/RHSA-2012-0010.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, ht
Red Hat
kernel: net: improve sequence number generation
vendor_redhat · 2011-08-07 · CVSS 9.1 · CVE-2011-3188 [CRITICAL]
The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a modified MD4 algorithm to generate sequence numbers and Fragment Identification values, which makes it easier for remote attackers to cause a denial of service (disrupted networking) or hijack network sessions by predicting these values and sending crafted packets.
Statement: This issue affects the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, 6, and Red Hat Enterprise MRG. It has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1386.html, https://rhn.redhat.com/errata/RHSA-2011-1465.html, and https://rhn.redhat.com/errata/RHSA-2012-0010.html. Red Hat Enterprise Linux 4 is now in
Red Hat
kernel: excessive in-kernel CPU consumption when creating large nested epoll structures
vendor_redhat · 2011-02-25 · CVSS 4.9 · CVE-2011-1083 [MEDIUM]
The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.
Statement: This issue affected the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, 6, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 and 6 via RHSA-2012:0150 and RHSA-2012:0862 respectively. There is no plan to address this flaw in Red Hat Enterprise Linux 4. Future updates may address this issue in Red Hat Enterprise MRG.
Package: kernel (Red Hat Enterprise Linux 4) - Will not
Red Hat
openssl: remote DTLS server DoS introduced in the CVE-2011-4108 fix
vendor_redhat · 2011-01-18 · CVSS 4.3 · CVE-2012-0050 [MEDIUM]
OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an out-of-bounds read. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108.
Statement: Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5, and 6.
Package: openssl (Red Hat Enterprise Linux 4) - Not affected
Package: openssl096b (Red Hat Enterprise Linux 4) - Not affected
Package: openssl (Red Hat Enterprise Linux 5) - Not affected
Package: openssl097a (Red Hat Enterprise Linux 5) - Not affected
Package: openssl (Red Hat Enterprise Linux 6) - Not affected
Pa
No detection rules found.
Exploit-DB
HP Data Protector Client - EXEC_CMD Remote Code Execution
exploitdb · 2012-06-19 · CVSS 10.0 · CVE-2011-0922 [CRITICAL]
---
```python
#!/usr/bin/env python
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability
# Date: 2012-12-06
# Exploit Author: Ben Turner
# Vendor Homepage: www.hp.com
# Version: 6.11 & 6.20
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143

import socket
import sys
import binascii

if len(sys.argv) != 4:
    print ""
    print "\033[0;31mUsage: ./hp_protector.py \033[0m"
    print ""
    print "\033[0;32mMake sure you create a meterpreter payload and a share with the following \\\\\\Omniback\\i386\\installservice.exe\033[0m"
    print
```
Exploit-DB
Sony VAIO Wireless Manager 4.0.0.0 - Buffer Overflow
exploitdb · 2012-05-31 · CVSS 9.3 · CVE-2012-0985 [CRITICAL]
---
Advisory ID: HTB23063
Product: Wireless Manager Sony VAIO
Vendor: Sony Computers
Vulnerable Version(s): 4.0.0.0 and probably prior
Tested Version: 4.0.0.0
Vendor Notification: 7 December 2011
Vendor Patch: 20 January 2012
Public Disclosure: 30 May 2012
Vulnerability Type: Buffer Overflow
CVE Reference: CVE-2012-0985
Solution Status: Fixed by Vendor
Risk Level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.com/advisory/ )
Advisory Details:
High-Tech Bridge SA Security Research Lab has discovered 2 buffer overflow vulnerabilities in Wireless Manager Sony VAIO which can be exploited to execute arbitrary code on vulnerable system.
1) Buffer Overflow in Wireless Manager Sony VAIO: CVE-2012-0985
1.1
Exploit-DB
XOOPS 2.5.4 - Multiple Cross-Site Scripting Vulnerabilities
exploitdb · 2012-04-19 · CVSS 4.3 · CVE-2012-0984 [MEDIUM]
---
Advisory ID: HTB23062
Product: XOOPS
Vendor: xoops.org
Vulnerable Version(s): 2.5.4 and probably prior
Tested Version: 2.5.4
Vendor Notification: 7 December 2011
Vendor Patch: 22 February 2012
Public Disclosure: 18 April 2012
Vulnerability Type: XSS (Cross Site Scripting)
CVE Reference(s): CVE-2012-0984
Solution Status: Fixed by Vendor
Risk Level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.com/advisory/ )
Advisory Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in XOOPS, which can be exploited to perform Cross-Site Scripting (XSS) attacks.
1) Multiple Cross-Site Scripting (XSS) in XOOPS: CVE-2012-0984
1.1 Input passed via the "to_userid" PO
Exploit-DB
Microsoft Terminal Services - Use-After-Free (MS12-020)
exploitdb · 2012-03-16 · CVE-2012-0002
---
#######################################################################
Luigi Auriemma
Application: Microsoft Terminal Services / Remote Desktop Services
http://www.microsoft.com
http://msdn.microsoft.com/en-us/library/aa383015(v=vs.85).aspx
Versions: any Windows version before 13 Mar 2012
Platforms: Windows
Bug: use after free
Exploitation: remote, versus server
Date: 16 Mar 2012 (found 16 May 2011)
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
Additional references:
http://www.zerodayinitiative.com/advisories/ZDI-12-044/
http://technet.microsoft.com/en-us/security/bulletin/ms12-020
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
##
Exploit-DB
appRain CMF 0.1.5 - 'Uploadify.php' Unrestricted Arbitrary File Upload
exploitdb · 2012-01-19 · CVE-2012-1153
---
```php
check_admin_login();
add these lines of code at the beginning of the script

[-] Disclosure timeline:
[19/12/2011] - Vulnerability discovered
[19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135
[20/12/2011] - Vendor response and fix suggested
[16/01/2012] - After four weeks still no fix released
[19/01/2012] - Public disclosure
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die("\n[-] No response from {$host}:80\n");
    fputs($sock, $packet);
    return stream_get_contents($sock);
}

print "\n+---------------------------------------------------------------+";
print "\n| appRain CMF \n";
print "\
```
Exploit-DB
WordPress Plugin Relocate Upload 0.14 - Remote File Inclusion
exploitdb · 2011-09-19 · CVE-2012-1205
---
# Exploit Title: Relocate Upload Wordpress plugin RFI
# Google Dork: inurl:wp-content/plugins/relocate-upload
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/relocate-upload/download/
# Version: 0.14 (tested)
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/relocate-upload/relocate-upload.php?ru_folder=asdf&abspath=RFI
---
Vulnerable Code
---
```php
// Move folder request handled when called by GET AJAX
if (isset($_GET['ru_folder']))
{ // WP setup and function access
    define('WP_USE_THEMES', false);
    require_once(urldecode($_GET['abspath']).'/wp-load.php'); // save us looking for it, it's passed as a GET parameter
```
Exploit-DB
BroadWin Webaccess Client - Multiple Vulnerabilities
exploitdb · 2011-09-02 · CVE-2012-0242
---
Application: BroadWin WebAccess Client
http://broadwin.com/Client.htm
Versions: bwocxrun.ocx <= 1.0.0.10 (aka version 7.0)
Platforms: Windows
Bugs: A] format string
B] arbitrary memory corruption
Exploitation: remote
Date: 02 Sep 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
1) Introduction
From vendor's website:
"WebAccess is the first fully web browser-based software package for
human-machine interfaces (HMI), and supervisory control and data
acquisition (SCADA)."
The various operations are handled by the bwoc
Bugzilla
ruby: safe level bypass via name_err_mesg_to_str()
bugzilla · 2012-10-03 · CVSS 5.0 · CVE-2011-1005 [MEDIUM]
As noted in bug #862598:
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1005 to the following vulnerability:
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
Later it was reported:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689075
[2] http://www.openwall.com/lists/oss-security/2012/10/02/4
that upstream ruby 1.9.1 and ruby 1.9.3 versions are also vulnerable to this flaw.
Relevant upstream patch:
[3] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
There are two issues here:
1) CVE-2011-100
Bugzilla
CVE-2011-4953 cobbler: Privilege escalation by processing of crafted management parameters
bugzilla · 2012-04-12 · CVSS 6.8 · CVE-2011-4953 [MEDIUM]
A privilege escalation flaw was found in the way Cobbler, a network install server, processed certain YAML strings passed through the Puppet management parameters interface. A remote attacker could provide a specially-crafted management parameter YAML string, which once loaded by Cobbler could lead to arbitrary code execution with the privileges of the privileged system user (root).
References:
[1] https://bugs.launchpad.net/ubuntu/oneiric/+source/cobbler/+bug/858883
CVE Request:
[2] http://www.openwall.com/lists/oss-security/2012/04/12/6
Ubuntu patch from Robie Basak:
* Backport safe YAML load from upstream. (LP: #858883)
[3] http://bazaar.launchpad.net/~racb/ubuntu/oneiric/cobbler/858878_858883
Bugzilla
CVE-2011-4370 CVE-2011-4371 CVE-2011-4372 CVE-2011-4373 CVE-2012-0774 CVE-2012-0775 CVE-2012-0777 acroread: multiple unspecified flaws (APSB12-08, APSB12-01)
bugzilla · 2012-04-05 · CVSS 7.5 · CVE-2011-4370 [HIGH]
Adobe has released a prenotification of APSB12-08 indicating that it will release updates for Adobe Reader 9.x for Linux. No details have been noted other than that they fix critical vulnerabilities in the software.
External References:
http://www.adobe.com/support/security/bulletins/apsb12-08.html
Discussion:
Further details from the bulletin, updated today:
These updates resolve an integer overflow in the True Type Font (TTF) handling that could lead to code execution (CVE-2012-0774).
These updates resolve a memory corruption in the JavaScript handling that could lead to code execution (CVE-2012-0775).
These updates resolve a
Bugzilla
CVE-2011-3960 libvorbis: Stack-buffer overflow in render_line
bugzilla · 2012-02-09 · CVSS 4.3 · CVE-2011-3960 [MEDIUM]
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3960 to the following vulnerability:
Name: CVE-2011-3960
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3960
Assigned: 20111001
Reference: CONFIRM:http://code.google.com/p/chromium/issues/detail?id=108416
Reference: CONFIRM:http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html
Google Chrome before 17.0.963.46 does not properly decode audio data,
which allows remote attackers to cause a denial of service
(out-of-bounds read) via unspecified vectors.
Discussion:
Patch:
https://trac.xiph.org/changeset/18183
https://trac.xiph.org/changeset/18184
---
(In reply to comment #1)
> Patch:
> https://trac.xiph.org/changeset/18183
>
Bugzilla
CVE-2012-0830 php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix [fedora-all]
bugzilla · 2012-02-02 · CVSS 5.0 · CVE-2012-0830 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the bug IDs of this bug's parent bugs filed against the "Security Response" product (the top-level CVE bugs). Please mention the CVE IDs being fixed in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updat
Bugzilla
CVE-2011-3659 Mozilla: child nodes from nsDOMAttribute still accessible after removal of nodes (MFSA 2012-04)
bugzilla · 2012-01-31 · CVSS 9.3 · CVE-2011-3659 [CRITICAL]
It was found that removed child nodes of nsDOMAttribute could be accessed under certain circumstances, due to premature notification of AttributeChildRemoved. This use-after-free of the child nodes could possibly allow for the remote execution of arbitrary code.
Reference:
https://bugzilla.mozilla.org/show_bug.cgi?id=708198
External References:
http://www.mozilla.org/security/announce/2012/mfsa2012-04.html
Discussion:
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:0080 https://rhn.redhat.com/errata/RHSA-2012-0080.html
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise L
Bugzilla
CVE-2012-0039 glib2: hash table collisions CPU usage DoS
bugzilla · 2012-01-09 · CVSS 7.5 · CVE-2012-0039 [HIGH]
It was reported [1] (and the original report [2]) that glib2 also suffers from algorithmic complexity attacks as described in oCERT-2011-003. While this was originally reported to upstream in 2003, it does not look as though anything was done to correct the problem. According to the Debian report, current glib2 is still vulnerable.
Doing a lookup on other g_str_hash() functions, the following packages may also be vulnerable if they copied code from glib2:
arts-1.5.10/flow/gsl/gslglib.c:172: guint g_str_hash (gconstpointer key)
gettext-0.17/gettext-tools/gnulib-lib/glib/gstring.c:97: g_str_hash (gconstpointer v)
pkg-config-0.23/glib-1.2.10/gstring.c:72: g_str_hash (gconstpointer key)
In addition to the above, the following are als
Bugzilla
CVE-2011-4573 JON: Incorrect delete permissions check
bugzilla · 2011-12-05 · CVSS 3.5 · CVE-2011-4573 [LOW]
JON did not verify that a user had the proper modify resource permissions when they attempted to delete a plug-in configuration update from the group connection properties history.
Discussion:
Patch commit:
http://git.fedorahosted.org/git/?p=rhq/rhq.git;a=commitdiff;h=24ba99780531d2f187528d7b555d79fab807467b
---
JON (RHQ) BZs:
https://bugzilla.redhat.com/show_bug.cgi?id=617649
https://bugzilla.redhat.com/show_bug.cgi?id=617653
---
This issue has been resolved in JON 3.0. A fix for this issue may be included in a future update for JON 2.4.1.
---
This issue has been addressed in following products:
JBoss Operations Network 2.4.2
Via RHSA-2012:0089 https://rhn.redhat.com/errata/RHSA-2012-0089.html
Bugzilla
CVE-2011-4330 kernel: hfs: add sanity check for file name length
bugzilla · 2011-11-21 · CVSS 7.2 · CVE-2011-4330 [HIGH]
On a corrupted file system the ->len field could be wrong leading to a buffer overflow.
https://lkml.org/lkml/2011/11/9/303
Upstream commit:
http://git.kernel.org/linus/bc5b8a9003132ae44559edd63a1623
Acknowledgements:
Red Hat would like to thank Clement Lecigne for reporting this issue.
Discussion:
Statement:
This issue did not affect the Linux kernels as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as they did not include support for the Hierarchical File System (HFS) file system. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2012-0007.html.
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2012:0007 ht
Bugzilla
CVE-2011-2918 kernel: perf: Fix software event overflow
bugzilla · 2011-08-15 · CVSS 5.5 · CVE-2011-2918 [MEDIUM]
Under certain circumstances software event overflows go wrong and deadlock. Avoid trying to delete a timer from the timer callback.
Upstream fix:
a8b0ca17b80e92faab46ee7179ba9e99ccb61233
References:
https://lkml.org/lkml/2011/7/27/337
https://lkml.org/lkml/2011/7/28/284
Discussion:
Statement:
This issue did not affect Red Hat Enterprise Linux 4 and 5 as they did not include support for perf. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1350.html and https://rhn.redhat.com/errata/RHSA-2012-0333.html.
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:1350 https://rhn.redhat.com/errata/RHSA-2011-1350.h