[ISN] Secunia Weekly Summary - Issue: 2006-2

InfoSec News isn at c4i.org
Fri Jan 13 05:18:35 EST 2006


========================================================================

                  The Secunia Weekly Advisory Summary                  
                        2006-01-05 - 2006-01-12                        

                       This week : 94 advisories                       

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best
and most reliable source for vulnerability information. Every single 
vulnerability report is being validated and verified before a Secunia
advisory is written.

Secunia validates and verifies vulnerability reports in many different
ways e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Some vulnerabilities have been reported in Apple QuickTime, which can
be exploited by malicious people to cause a DoS (Denial of Service) and
potentially to compromise a user's system.

Please refer to the referenced Secunia advisory below for complete
details.

Reference:
http://secunia.com/SA18370

--

Microsoft has released one security bulletin ahead of their monthly
patch release cycle. Additionally, two bulletins were also released
as part of Microsofts normal monthly patch release cycle.

All users are advised to visit Windows Update and apply available
patches. For additional details about the issues corrected, please
refer to the referenced Secunia advisories below.

References:
http://secunia.com/SA18365
http://secunia.com/SA18368
http://secunia.com/SA18255


VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1.  [SA18255] Microsoft Windows WMF "SETABORTPROC" Arbitrary Code
              Execution
2.  [SA18131] Symantec AntiVirus RAR Archive Decompression Buffer
              Overflow
3.  [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code
              Execution Vulnerability
4.  [SA18368] Microsoft Outlook / Exchange TNEF Decoding Arbitrary Code
              Execution Vulnerability
5.  [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing
              Vulnerability
6.  [SA18364] Avaya Products Microsoft Windows WMF "SETABORTPROC"
              Vulnerability
7.  [SA18328] IBM Lotus Domino/Notes Denial of Service and
              Unspecified Vulnerabilities
8.  [SA18275] PHP "mysql_connect" Buffer Overflow Vulnerability
9.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
10. [SA18365] Microsoft Windows Embedded Web Fonts Arbitrary Code
              Execution Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA18364] Avaya Products Microsoft Windows WMF "SETABORTPROC"
Vulnerability
[SA18393] BlackBerry Enterprise Server PNG File Handling Vulnerability
[SA18391] Avaya Products Microsoft Windows Embedded Web Fonts Code
Execution
[SA18390] Apache2Triad Insecure PEAR Installer Security Issue
[SA18368] Microsoft Outlook / Exchange TNEF Decoding Arbitrary Code
Execution Vulnerability
[SA18365] Microsoft Windows Embedded Web Fonts Arbitrary Code Execution
Vulnerability
[SA18408] AspTopSites SQL Injection Vulnerabilities
[SA18369] MusicBox SQL Injection Vulnerabilities
[SA18342] MegaBBS "replyid" Disclosure of Private Messages
[SA18325] OnePlug CMS SQL Injection Vulnerabilities
[SA18324] Timecan CMS "viewID" SQL Injection Vulnerability
[SA18411] Hummingbird Collaboration Script Insertion and Information
Disclosure
[SA18409] Microsoft Visual Studio User Control Load Event Code
Execution Vulnerability
[SA18326] Aquifer CMS "Keyword" Cross-Site Scripting Vulnerability
[SA18402] Symantec Norton SystemWorks Protected Recycle Bin Weakness

UNIX/Linux:
[SA18405] Red Hat update for auth_ldap
[SA18403] Gentoo update for mod_auth_pgsql
[SA18399] MyPHPim Multiple Vulnerabilities
[SA18397] Debian update for libapache2-mod-auth-pgsql
[SA18381] Debian update for pound
[SA18376] SCO OpenServer update for lynx
[SA18350] Fedora update for mod_auth_pgsql
[SA18348] Ubuntu update for libapache2-mod-auth-pgsql
[SA18347] Mandriva update for apache2-mod_auth_pgsql
[SA18321] Red Hat update for mod_auth_pgsql
[SA18426] Red Hat update for ethereal
[SA18425] Red Hat update for cups
[SA18423] Red Hat update for gpdf
[SA18416] SUSE updates for xpdf / kpdf / gpdf / kword
[SA18414] Fedora update for gpdf
[SA18407] Debian update for libextractor
[SA18406] HP-UX Secure Shell Denial of Service Vulnerability
[SA18400] Gentoo update for xine-lib / ffmpeg
[SA18398] libextractor Multiple Xpdf Vulnerabilities
[SA18389] Debian update for kpdf
[SA18387] Mandriva update for cups
[SA18385] Debian update for xpdf
[SA18380] Mandriva update for tetex
[SA18379] ClamAV Unspecified UPX File Handling Vulnerability
[SA18378] FreeBSD ipfw IP Fragment Denial of Service Vulnerability
[SA18377] SCO OpenServer update for zlib
[SA18375] GNOME gpdf Xpdf Multiple Integer Overflow Vulnerabilities
[SA18373] Fedora update for poppler
[SA18366] Debian update for hylafax
[SA18356] Eudora Internet Mail Server NTLM Authentication Denial of
Service
[SA18355] SysCP WebFTP Module "webftp_language" Local File Inclusion
Vulnerability
[SA18352] Bogofilter Two Denial of Service Vulnerabilities
[SA18349] Mandriva update for xpdf
[SA18338] Ubuntu update for kpdf / kword
[SA18337] Gentoo update for hylafax
[SA18336] Trustix update for cups / curl
[SA18335] Fedora update for cups
[SA18334] Ubuntu updates for cupsys / libpoppler0c2 / tetex-bin /
xpdf-reader / xpdf-utils
[SA18333] Red Hat update for httpd
[SA18332] CUPS xpdf Multiple Integer Overflow Vulnerabilities
[SA18331] Fedora update for ethereal
[SA18330] Fedora update for netpbm
[SA18329] teTeX Xpdf Multiple Integer Overflow Vulnerabilities
[SA18323] Wine Potential WMF "SETABORTPROC" Vulnerability
[SA18344] Gentoo update for vmware
[SA18395] FreeBSD update for cpio
[SA18367] Pound HTTP Request Smuggling Vulnerability
[SA18340] Trustix update for apache
[SA18339] Mandriva update for apache2
[SA18404] FreeBSD ee Insecure Temporary File Creation Vulnerability
[SA18401] FreeBSD update for texindex
[SA18388] NetBSD Kernfs Kernel Memory Disclosure Vulnerability
[SA18363] Ubuntu update for sudo
[SA18358] Sudo Python Environment Cleaning Privilege Escalation
Vulnerability
[SA18357] Debian update for smstools
[SA18351] Fedora update for kernel
[SA18343] SMS Server Tools Logging Format String Vulnerability
[SA18384] Debian update for petris
[SA18371] Sun Solaris uucp / uustat Arbitrary Command Execution
Vulnerability
[SA18362] Petris Buffer Overflow Vulnerability

Other:


Cross Platform:
[SA18382] Apache auth_ldap Module "auth_ldap_log_reason()" Format
String Vulnerability
[SA18370] QuickTime Multiple Image/Media File Handling Vulnerabilities
[SA18346] Phgstats "phgdir" File Inclusion Vulnerability
[SA18417] CaLogic "title" New Event Script Insertion Vulnerability
[SA18394] PHPNuke EV "query" SQL Injection Vulnerability
[SA18392] TheWebForum Script Insertion and SQL Injection
Vulnerabilities
[SA18386] foxrum "url" bbcode Script Insertion Vulnerability
[SA18383] VenomBoard SQL Injection Vulnerabilities
[SA18374] PHP-Nuke News "Story Text" Script Insertion Vulnerability
[SA18361] Joomla! vCard Email Address Disclosure and TinyMCE Compressor
Vulnerabilities
[SA18354] 427BB Multiple Vulnerabilities
[SA18328] IBM Lotus Domino/Notes Denial of Service and Unspecified
Vulnerabilities
[SA18327] Foro Domus "email" SQL Injection and Script Insertion
Vulnerability
[SA18372] WebGUI Form Module Script Insertion Vulnerability
[SA18360] phpChamber "needle" Cross-Site Scripting Vulnerability
[SA18359] Andromeda "s" Cross-Site Scripting Vulnerability
[SA18345] NavBoard Potential BBcode Script Insertion Vulnerability
[SA18320] Modular Merchant Shopping Cart "cat" Cross-Site Scripting
Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA18364] Avaya Products Microsoft Windows WMF "SETABORTPROC"
Vulnerability

Critical:    Extremely critical
Where:       From remote
Impact:      System access
Released:    2006-01-09

Avaya has acknowledged a vulnerability in various products, which can
be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18364/

 --

[SA18393] BlackBerry Enterprise Server PNG File Handling Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-10

FX has been reported a vulnerability in BlackBerry Enterprise Server,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18393/

 --

[SA18391] Avaya Products Microsoft Windows Embedded Web Fonts Code
Execution

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

Avaya has acknowledged a vulnerability in various products, which can
be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18391/

 --

[SA18390] Apache2Triad Insecure PEAR Installer Security Issue

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

Gammarays has reported a security issue in Apache2Triad, which
potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/18390/

 --

[SA18368] Microsoft Outlook / Exchange TNEF Decoding Arbitrary Code
Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-10

A vulnerability has been reported in Microsoft Outlook / Exchange,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/18368/

 --

[SA18365] Microsoft Windows Embedded Web Fonts Arbitrary Code Execution
Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-10

A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18365/

 --

[SA18408] AspTopSites SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-01-11

Donnie Werner has reported some vulnerabilities in AspTopSites, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18408/

 --

[SA18369] MusicBox SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-10

Medo HaCKer has reported some vulnerabilities in MusicBox, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18369/

 --

[SA18342] MegaBBS "replyid" Disclosure of Private Messages

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-01-09

Hamid Ebadi has reported a vulnerability in MegaBBS, which potentially
can be exploited by malicious people to disclose sensitive
information.

Full Advisory:
http://secunia.com/advisories/18342/

 --

[SA18325] OnePlug CMS SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-06

Preddy has reported some vulnerabilities in OnePlug CMS, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18325/

 --

[SA18324] Timecan CMS "viewID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-06

Preddy  has reported a vulnerability in Timecan CMS, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18324/

 --

[SA18411] Hummingbird Collaboration Script Insertion and Information
Disclosure

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Spoofing, Exposure of system
information
Released:    2006-01-11

Secure Network has reported a vulnerability and a weakness in
Hummingbird Collaboration, which can be exploited by malicious users to
disclose system information and conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18411/

 --

[SA18409] Microsoft Visual Studio User Control Load Event Code
Execution Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

priestmaster has discovered a vulnerability in Microsoft Visual Studio,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/18409/

 --

[SA18326] Aquifer CMS "Keyword" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-06

Preddy has reported a vulnerability in Aquifer CMS, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18326/

 --

[SA18402] Symantec Norton SystemWorks Protected Recycle Bin Weakness

Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-01-11

A weakness has been reported in Norton SystemWorks, which can be
exploited by malicious, local users, or by malware, to bypass certain
security restrictions.

Full Advisory:
http://secunia.com/advisories/18402/


UNIX/Linux:--

[SA18405] Red Hat update for auth_ldap

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

Red Hat has issued an update for auth_ldap. This fixes a vulnerability,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/18405/

 --

[SA18403] Gentoo update for mod_auth_pgsql

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

Gentoo has issued an update for mod_auth_pgsql. This fixes a
vulnerability, which can be exploited by malicious people to compromise
a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18403/

 --

[SA18399] MyPHPim Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
data, System access
Released:    2006-01-11

Aliaksandr Hartsuyeu has reported some vulnerabilities in MyPHPim,
which can be exploited by malicious people to conduct cross-site
scripting and SQL injection attacks, and potentially to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/18399/

 --

[SA18397] Debian update for libapache2-mod-auth-pgsql

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

Debian has issued an update for libapache2-mod-auth-pgsql. This fixes a
vulnerability, which can be exploited by malicious people to compromise
a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18397/

 --

[SA18381] Debian update for pound

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
data, DoS, System access
Released:    2006-01-10

Debian has issued an update for pound. This fixes two vulnerabilities,
which potentially can be exploited by malicious people to conduct HTTP
request smuggling attacks and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18381/

 --

[SA18376] SCO OpenServer update for lynx

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

SCO has issued an update for lynx. This fixes two vulnerabilities,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/18376/

 --

[SA18350] Fedora update for mod_auth_pgsql

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-09

Fedora has issued an update for mod_auth_pgsql. This fixes a
vulnerability, which can be exploited by malicious people to compromise
a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18350/

 --

[SA18348] Ubuntu update for libapache2-mod-auth-pgsql

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-09

Ubuntu has issued an update for libapache2-mod-auth-pgsql. This fixes a
vulnerability, which can be exploited by malicious people to compromise
a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18348/

 --

[SA18347] Mandriva update for apache2-mod_auth_pgsql

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-09

Mandriva has issued an update for apache2-mod_auth_pgsql. This fixes a
vulnerability, which can be exploited by malicious people to compromise
a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18347/

 --

[SA18321] Red Hat update for mod_auth_pgsql

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-06

Red Hat has issued an update for mod_auth_pgsql. This fixes a
vulnerability, which can be exploited by malicious people to compromise
a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18321/

 --

[SA18426] Red Hat update for ethereal

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-12

Red Hat has issued an update for ethereal. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18426/

 --

[SA18425] Red Hat update for cups

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-12

Red Hat has issued an update for cups. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18425/

 --

[SA18423] Red Hat update for gpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-12

Red Hat has issued an update for gpdf. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18423/

 --

[SA18416] SUSE updates for xpdf / kpdf / gpdf / kword

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

SUSE has issued updates for xpdf / kpdf / gpdf / kword. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18416/

 --

[SA18414] Fedora update for gpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Fedora has issued an update for gpdf. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18414/

 --

[SA18407] Debian update for libextractor

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-12

Debian has issued an update for libextractor. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18407/

 --

[SA18406] HP-UX Secure Shell Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, DoS
Released:    2006-01-11

HP has acknowledged a security issue and a vulnerability in HP-UX,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or by malicious users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18406/

 --

[SA18400] Gentoo update for xine-lib / ffmpeg

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Gentoo has issued an update for xine-lib / ffmpeg. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18400/

 --

[SA18398] libextractor Multiple Xpdf Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Some vulnerabilities have been reported in libextractor, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18398/

 --

[SA18389] Debian update for kpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-10

Debian has issued an update for kpdf. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18389/

 --

[SA18387] Mandriva update for cups

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Mandriva has issued an update for cups. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18387/

 --

[SA18385] Debian update for xpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-10

Debian has issued an update for xpdf. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18385/

 --

[SA18380] Mandriva update for tetex

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Mandriva has issued an update for tetex. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18380/

 --

[SA18379] ClamAV Unspecified UPX File Handling Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-01-10

A vulnerability has been reported in ClamAV, which potentially can be
exploited by malicious people with an unknown impact.

Full Advisory:
http://secunia.com/advisories/18379/

 --

[SA18378] FreeBSD ipfw IP Fragment Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-11

A vulnerability has been reported in FreeBSD, which can be exploited by
malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18378/

 --

[SA18377] SCO OpenServer update for zlib

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

SCO has issued an update for zlib. This fixes some vulnerabilities,
which can be exploited by malicious people to conduct a DoS (Denial of
Service) against a vulnerable application or potentially execute
arbitrary code.

Full Advisory:
http://secunia.com/advisories/18377/

 --

[SA18375] GNOME gpdf Xpdf Multiple Integer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Some vulnerabilities have been reported in GNOME gpdf, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18375/

 --

[SA18373] Fedora update for poppler

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Fedora has issued an update for poppler. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18373/

 --

[SA18366] Debian update for hylafax

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-10

Debian has issued an update for hylafax. This fixes a vulnerability,
which can be exploited by malicious users to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/18366/

 --

[SA18356] Eudora Internet Mail Server NTLM Authentication Denial of
Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-09

A vulnerability has been reported in Eudora Internet Mail Server
(EIMS), which potentially can be exploited by malicious people to cause
a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18356/

 --

[SA18355] SysCP WebFTP Module "webftp_language" Local File Inclusion
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-01-09

Thomas Henlich has reported a vulnerability in the WebFTP module for
SysCP, which can be exploited by malicious people to disclose sensitive
information.

Full Advisory:
http://secunia.com/advisories/18355/

 --

[SA18352] Bogofilter Two Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-09

Some vulnerabilities have been reported in Bogofilter, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18352/

 --

[SA18349] Mandriva update for xpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-09

Mandriva has issued an update for xpdf. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18349/

 --

[SA18338] Ubuntu update for kpdf / kword

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-09

Ubuntu has issued updates for kpdf / kword. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18338/

 --

[SA18337] Gentoo update for hylafax

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2006-01-06

Gentoo has issued an update for hylafax. This fixes some
vulnerabilities, which can be exploited by malicious people to bypass
certain security restrictions and by malicious users to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/18337/

 --

[SA18336] Trustix update for cups / curl

Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS, Unknown
Released:    2006-01-06

Trustix has issued updates for cups / curl. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service), potentially to compromise a user's system, and
with an unknown impact.

Full Advisory:
http://secunia.com/advisories/18336/

 --

[SA18335] Fedora update for cups

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-06

Fedora has issued an update for cups. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18335/

 --

[SA18334] Ubuntu updates for cupsys / libpoppler0c2 / tetex-bin /
xpdf-reader / xpdf-utils

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-06

Ubuntu has issued updates for cupsys / libpoppler0c2 / tetex-bin /
xpdf-reader / xpdf-utils. This fixes some vulnerabilities, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18334/

 --

[SA18333] Red Hat update for httpd

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, DoS
Released:    2006-01-06

Red Hat has issued an update for httpd. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18333/

 --

[SA18332] CUPS xpdf Multiple Integer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-06

Some vulnerabilities have been reported in CUPS, which can be exploited
by malicious people to cause a DoS (Denial of Service) and potentially
to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18332/

 --

[SA18331] Fedora update for ethereal

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-06

Fedora has issued an update for Ethereal. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18331/

 --

[SA18330] Fedora update for netpbm

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-06

Fedora has issued an update for netpbm. This fixes a vulnerability,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/18330/

 --

[SA18329] teTeX Xpdf Multiple Integer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-06

Some vulnerabilities have been reported in teTeX, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18329/

 --

[SA18323] Wine Potential WMF "SETABORTPROC" Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-09

H D Moore has reported a vulnerability in wine, which potentially can
be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18323/

 --

[SA18344] Gentoo update for vmware

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-01-09

Gentoo has issued an update for vmware. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/18344/

 --

[SA18395] FreeBSD update for cpio

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, DoS
Released:    2006-01-11

FreeBSD has issued an update for cpio. This fixes a vulnerability,
which potentially can be exploited by malicious, local users to cause a
DoS (Denial of Service) and by malicious people to cause files to be
unpacked to arbitrary locations on a user's system.

Full Advisory:
http://secunia.com/advisories/18395/

 --

[SA18367] Pound HTTP Request Smuggling Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
data
Released:    2006-01-10

A vulnerability has been reported in Pound, which potentially can be
exploited by malicious people to conduct HTTP request smuggling
attacks.

Full Advisory:
http://secunia.com/advisories/18367/

 --

[SA18340] Trustix update for apache

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, DoS
Released:    2006-01-06

Trustix has issued an update for apache. This fixes two
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18340/

 --

[SA18339] Mandriva update for apache2

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, DoS
Released:    2006-01-06

Mandriva has issued an update for apache2. This fixes two
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18339/

 --

[SA18404] FreeBSD ee Insecure Temporary File Creation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-11

A vulnerability has been reported in FreeBSD, which can be exploited by
malicious, local users to perform certain actions on a vulnerable system
with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18404/

 --

[SA18401] FreeBSD update for texindex

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-11

FreeBSD has issued an update for texindex. This fixes a vulnerability,
which can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18401/

 --

[SA18388] NetBSD Kernfs Kernel Memory Disclosure Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-01-10

A vulnerability has been reported in NetBSD, which can be exploited by
malicious, local users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/18388/

 --

[SA18363] Ubuntu update for sudo

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-09

Ubuntu has issued an update for sudo. This fixes a vulnerability, which
can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/18363/

 --

[SA18358] Sudo Python Environment Cleaning Privilege Escalation
Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-09

Tavis Ormandy has reported a vulnerability in Sudo, which can be
exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18358/

 --

[SA18357] Debian update for smstools

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2006-01-09

Debian has issued an update for smstools. This fixes a vulnerability,
which can be exploited by malicious, local users to cause a DoS (Denial
of Service) and potentially to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18357/

 --

[SA18351] Fedora update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Unknown, Exposure of sensitive information
Released:    2006-01-09

Fedora has issued an update for the kernel. This fixes some
vulnerabilities, which potentially can be exploited by malicious, local
users to gain knowledge of potentially sensitive information and with
unknown impact.

Full Advisory:
http://secunia.com/advisories/18351/

 --

[SA18343] SMS Server Tools Logging Format String Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2006-01-09

Ulf Harnhammar has reported a vulnerability in SMS Server Tools, which
can be exploited by malicious, local users to cause a DoS (Denial of
Service) and potentially to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18343/

 --

[SA18384] Debian update for petris

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-10

Debian has issued an update for petris. This fixes a vulnerability,
which potentially can be exploited by malicious, local users to gain
escalated privileges.

Full Advisory:
http://secunia.com/advisories/18384/

 --

[SA18371] Sun Solaris uucp / uustat Arbitrary Command Execution
Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-10

Angelo Rosiello has reported a vulnerability in Solaris, which can be
exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18371/

 --

[SA18362] Petris Buffer Overflow Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-10

Steve Kemp has reported a vulnerability in Petris, which potentially
can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/18362/


Other:


Cross Platform:--

[SA18382] Apache auth_ldap Module "auth_ldap_log_reason()" Format
String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-10

Seregorn has reported a vulnerability in the auth_ldap module for
Apache, which can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/18382/

 --

[SA18370] QuickTime Multiple Image/Media File Handling Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Some vulnerabilities have been reported in Apple QuickTime, which can
be exploited by malicious people to cause a DoS (Denial of Service) and
potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18370/

 --

[SA18346] Phgstats "phgdir" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-10

A vulnerability has been reported in Phgstats, which can be exploited
by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18346/

 --

[SA18417] CaLogic "title" New Event Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-11

Aliaksandr Hartsuyeu has reported a vulnerability in CaLogic, which can
be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18417/

 --

[SA18394] PHPNuke EV "query" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-10

A vulnerability has been discovered in PHPNuke EV, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18394/

 --

[SA18392] TheWebForum Script Insertion and SQL Injection
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
data
Released:    2006-01-10

Aliaksandr Hartsuyeu has discovered two vulnerabilities in TheWebForum,
which can be exploited by malicious people to conduct script insertion
and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18392/

 --

[SA18386] foxrum "url" bbcode Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-10

Aliaksandr Hartsuyeu has discovered a vulnerability in foxrum, which
can be exploited by malicious people to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/18386/

 --

[SA18383] VenomBoard SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-10

Aliaksandr Hartsuyeu has reported some vulnerabilities in VenomBoard,
which can be exploited by malicious people to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/18383/

 --

[SA18374] PHP-Nuke News "Story Text" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-10

night_warrior771 has discovered a vulnerability in PHP-Nuke, which can
be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18374/

 --

[SA18361] Joomla! vCard Email Address Disclosure and TinyMCE Compressor
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2006-01-09

Two vulnerabilities have been reported in Joomla!, which can be
exploited by malicious people to conduct cross-site scripting attacks
and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/18361/

 --

[SA18354] 427BB Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
data
Released:    2006-01-09

Aliaksandr Hartsuyeu has discovered some vulnerabilities in 427BB,
which can be exploited by malicious people to conduct script insertion
and SQL injection attacks, and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18354/

 --

[SA18328] IBM Lotus Domino/Notes Denial of Service and Unspecified
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, DoS
Released:    2006-01-06

Some vulnerabilities have been reported in Lotus Domino / Notes, which
potentially can be exploited by malicious users to cause a DoS (Denial
of Service), or with unknown impact.

Full Advisory:
http://secunia.com/advisories/18328/

 --

[SA18327] Foro Domus "email" SQL Injection and Script Insertion
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-01-06

Aliaksandr Hartsuyeu has reported a vulnerability in Foro Domus, which
can be exploited by malicious people to conduct script insertion and
SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18327/

 --

[SA18372] WebGUI Form Module Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-10

Hans Wolters has reported a vulnerability in WebGUI, which potentially
can be exploited by malicious users to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/18372/

 --

[SA18360] phpChamber "needle" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-09

Preddy has reported a vulnerability in phpChamber, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18360/

 --

[SA18359] Andromeda "s" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-09

Preddy has discovered a vulnerability in Andromeda, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18359/

 --

[SA18345] NavBoard Potential BBcode Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-09

Aliaksandr Hartsuyeu has discovered a vulnerability in NavBoard, which
potentially can be exploited by malicious people to conduct script
insertion attacks.

Full Advisory:
http://secunia.com/advisories/18345/

 --

[SA18320] Modular Merchant Shopping Cart "cat" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-06

Preddy has reported a vulnerability in Modular Merchant Shopping Cart,
which can be exploited can be exploited by malicious people to conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18320/



========================================================================

Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web	: http://secunia.com/
E-mail	: support at secunia.com
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45





More information about the ISN mailing list