[VIM] [CVENEW] New CVE CANs: 2013/03/21 13:00 ; count=4

coley at mitre.org coley at mitre.org
Thu Mar 21 12:04:25 CDT 2013


======================================================
Name: CVE-2013-1051
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1051
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130111
Category: 
Reference: UBUNTU:USN-1762-1
Reference: URL:http://www.ubuntu.com/usn/USN-1762-1
Reference: OSVDB:91428
Reference: URL:http://osvdb.org/91428
Reference: SECUNIA:52633
Reference: URL:http://secunia.com/advisories/52633

apt 0.8.16, 0.9.7, and possibly other versions do not properly
handle InRelease files, which allows man-in-the-middle attackers to
modify packages before installation via unknown vectors, possibly
related to integrity checking and the use of third-party repositories.



======================================================
Name: CVE-2013-1052
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1052
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130111
Category: 
Reference: UBUNTU:USN-1766-1
Reference: URL:http://www.ubuntu.com/usn/USN-1766-1
Reference: BID:58550
Reference: URL:http://www.securityfocus.com/bid/58550
Reference: XF:ubuntu-cve20131052-priv-esc(82918)
Reference: URL:http://xforce.iss.net/xforce/xfdb/82918

pam-xdg-support, as used in Ubuntu 12.10, does not properly handle the
PATH environment variable, which allows local users to gain privileges
via unspecified vectors related to sudo.



======================================================
Name: CVE-2013-1427
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1427
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130126
Category: 
Reference: DEBIAN:DSA-2649
Reference: URL:http://www.debian.org/security/2013/dsa-2649
Reference: BID:58528
Reference: URL:http://www.securityfocus.com/bid/58528
Reference: OSVDB:91462
Reference: URL:http://osvdb.org/91462
Reference: XF:lighttpd-cve20131427-symlink(82897)
Reference: URL:http://xforce.iss.net/xforce/xfdb/82897

The configuration file for the FastCGI PHP support for lighttpd
before 1.4.28 on Debian GNU/Linux creates a socket file with a
predictable name in /tmp, which allows local users to hijack the PHP
control socket and perform unauthorized actions such as forcing the
use of a different version of PHP via a symlink attack or a race
condition.
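The check below is an added example, not part of the VIM post or of the Debian advisory it references. It audits a lighttpd fastcgi.server configuration for PHP control sockets placed under a shared, world-writable directory (/tmp or /var/tmp), which is the condition the CVE-2013-1427 description names: a predictable socket path there can be pre-created or symlinked by any local user. The configuration text is constructed for illustration; the "socket" => "..." key syntax is lighttpd's own, but the specific values are assumptions.

```shell
# Added example: audit a lighttpd FastCGI configuration for PHP control
# sockets that live under /tmp or /var/tmp. Not code from the VIM post or
# from the Debian advisory. The sample configuration is constructed.

SAMPLE_CONF='fastcgi.server = ( ".php" =>
  ((
    "bin-path" => "/usr/bin/php-cgi",
    "socket" => "/tmp/php.socket",
    "max-procs" => 1
  ))
)'

# Print each "socket" value found in the configuration text read from stdin.
extract_sockets() {
    sed -n 's/.*"socket"[[:space:]]*=>[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 if the path is under a shared, world-writable directory
# (/tmp or /var/tmp), 1 otherwise.
is_shared_tmp_path() {
    case "$1" in
        /tmp/*|/var/tmp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read configuration text from stdin, print one line per socket, and
# return 1 if any socket sits in a shared temporary directory, else 0.
audit_fastcgi_sockets() {
    rc=0
    for s in $(extract_sockets); do
        if is_shared_tmp_path "$s"; then
            echo "UNSAFE: PHP control socket $s is in a world-writable directory"
            rc=1
        else
            echo "ok: $s"
        fi
    done
    return $rc
}

# Stand-alone run against the constructed configuration; the "|| echo"
# keeps the script's own exit status at 0 when a finding is reported.
printf '%s\n' "$SAMPLE_CONF" | audit_fastcgi_sockets \
    || echo "audit failed: move the socket to a directory only root and the web server can write"
```

A socket path under a directory that only root and the lighttpd user can write removes the pre-creation and symlink opportunity; the check only flags the location and does not inspect the running system.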



======================================================
Name: CVE-2013-2279
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2279
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130226
Category: 
Reference: BUGTRAQ:20130319 CA20130319-01: Security Notice for SiteMinder products using SAML
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2013-03/0118.html
Reference: CONFIRM:https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={53E50CBD-6F6A-4B3A-85FF-36E44ABED8D5}
Reference: BID:58609
Reference: URL:http://www.securityfocus.com/bid/58609
Reference: SECUNIA:52610
Reference: URL:http://secunia.com/advisories/52610

CA SiteMinder Federation (FSS) 12.5, 12.0, and r6; Federation
(Standalone) 12.1 and 12.0; Agent for SharePoint 2010; and SiteMinder
for Secure Proxy Server 6.0, 12.0, and 12.5 do not properly verify
XML signatures for SAML statements, which allows remote attackers to
spoof other users and gain privileges.




