Информационная безопасность
[RU] switch to English


Многочисленные уязвимости безопасности в ClamAV
дополнено с 24 марта 2013 г.
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:12961
Тип:библиотека
Уровень опасности:
6/10
Описание:Переполнение буфера при разборе файлов сжатых UPX, переполнение массива при разборе PDF.
Затронутые продукты:CLAMAV : ClamAV 0.97
CVE:CVE-2013-2021 (pdf.c in ClamAV 0.97.1 through 0.97.7 allows remote attackers to cause a denial of service (out-of-bounds-read) via a crafted length value in an encrypted PDF file.)
 CVE-2013-2020 (Integer underflow in the cli_scanpe function in pe.c in ClamAV before 0.97.8 allows remote attackers to cause a denial of service (crash) via a skewed offset larger than the size of the PE section in a UPX packed executable, which triggers an out-of-bounds read.)
Оригинальный текстdocumentUBUNTU, [USN-1816-1] ClamAV vulnerabilities (04.05.2013)
 documentUBUNTU, [USN-1773-1] ClamAV vulnerabilities (24.03.2013)

Многочисленные уязвимости безопасности в Microsoft Internet Explorer
дополнено с 12 апреля 2013 г.
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13002
Тип:клиент
Уровень опасности:
7/10
Описание:Уязвимости использования памяти после освобождения.
Затронутые продукты:MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
 MICROSOFT : Windows 7
 MICROSOFT : Windows 8
 MICROSOFT : Windows 2012 Server
CVE:CVE-2013-1304 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1303 and CVE-2013-1338.)
 CVE-2013-1303 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1304 and CVE-2013-1338.)
Оригинальный текстdocumentVUPEN Security Research, VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 "Scroll" Use-after-free (MS13-028) (04.05.2013)
 documentVUPEN Security Research, VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 "CDisplayPointer" Use-after-free (MS13-028) (04.05.2013)
Файлы:Microsoft Security Bulletin MS13-028 - Critical Cumulative Security Update for Internet Explorer (2817183)

Многочисленные уязвимости безопасности в продуктах Oracle / Sun / MySQL / PeopleSoft
дополнено с 22 апреля 2013 г.
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13017
Тип:библиотека
Уровень опасности:
9/10
Описание:128 уязвимостей в различных приложениях.
Затронутые продукты:ORACLE : Oracle 10g
 ORACLE : Oracle E-Business Suite 11i
 ORACLE : MySQL 5.1
 ORACLE : Oracle 11g
 ORACLE : Oracle Clinical Remote Data Capture Option 4.6
 ORACLE : Oracle Transportation Management 6.2
 ORACLE : MySQL 5.5
 ORACLE : JRockit 28.2
 ORACLE : Siebel CRM 8.2
 ORACLE : Oracle Application Express 4.2
 ORACLE : Oracle Containers for J2EE 10.1
 ORACLE : COREid Access 10.1
 ORACLE : GoldenGate Veridata 3.0
 ORACLE : Oracle HTTP Server 11.1
 ORACLE : Outside In Technology 8.4
 ORACLE : WebCenter Capture 10.1
 ORACLE : WebCenter Content 11.1
 ORACLE : WebCenter Sites 11.1
 ORACLE : WebLogic Server 12.1
 ORACLE : Oracle Web Services Manager 12.1
 ORACLE : Oracle E-Business Suite 12i
 ORACLE : Agile EDM 6.1
 ORACLE : PeopleSoft HRMS 9.1
 ORACLE : PeopleSoft PeopleTools 8.53
 ORACLE : Oracle Retail Central Office 13.4
 ORACLE : Oracle Retail Integration Bus 13.2
 ORACLE : FLEXCUBE Direct Banking 12.0
 ORACLE : Primavera P6 Enterprise Project Portfolio Management 8.2
 ORACLE : MySQL 5.6
 ORACLE : Oracle Automatic Service Request 4.3
CVE:CVE-2013-2441 (Unspecified vulnerability in the Agile EDM component in Oracle Supply Chain Products Suite 6.1.1.0, 6.1.2.0, and 6.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to Java Client.)
 CVE-2013-2413 (Unspecified vulnerability in the Siebel Enterprise Application Integration component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Web Services.)
 CVE-2013-2411 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 7.0, 8.1, and 8.2 allows remote attackers to affect integrity via unknown vectors related to Web Access.)
 CVE-2013-2410 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Absence Management.)
 CVE-2013-2409 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect confidentiality via vectors related to PIA Core Technology.)
 CVE-2013-2408 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect integrity via vectors related to PIA Core Technology and use of Internet Explorer 6.)
 CVE-2013-2406 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology.)
 CVE-2013-2405 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 7.0, 8.1, and 8.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Web Access.)
 CVE-2013-2404 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect integrity via unknown vectors related to Portal.)
 CVE-2013-2403 (Unspecified vulnerability in the Siebel Enterprise Application Integration component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Web Services, a different vulnerability than CVE-2013-0416.)
 CVE-2013-2402 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect integrity via unknown vectors related to WorkCenter.)
 CVE-2013-2401 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote authenticated users to affect integrity via unknown vectors related to Portal.)
 CVE-2013-2399 (Unspecified vulnerability in the Siebel Call Center component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via vectors related to Email - COMM Server Components.)
 CVE-2013-2398 (Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Open UI Client.)
 CVE-2013-2397 (Unspecified vulnerability in the Oracle Retail Central Office component in Oracle Industry Applications 13.1, 13.2, 13.3, and 13.4 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Customer Operations (Add, Search).)
 CVE-2013-2396 (Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 12.0.6 and 12.1.3 allows remote attackers to affect integrity via vectors related to HTML OAM client.)
 CVE-2013-2395 (Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language, a different vulnerability than CVE-2013-1567.)
 CVE-2013-2393 (Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4.0 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.)
 CVE-2013-2392 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.)
 CVE-2013-2391 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows local users to affect confidentiality and integrity via unknown vectors related to Server Install.)
 CVE-2013-2390 (Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2, 10.3.5, 10.3.6, and 12.1.1 allows remote attackers to affect integrity via unknown vectors related to WebLogic Console, a different vulnerability than CVE-2013-1504.)
 CVE-2013-2389 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.)
 CVE-2013-2388 (Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote attackers to affect availability via unknown vectors related to Mid Tier File Management.)
 CVE-2013-2387 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 4.1.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to BASE.)
 CVE-2013-2386 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 4.1.0 allows remote authenticated users to affect integrity and availability via vectors related to BASE.)
 CVE-2013-2385 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 4.1.0 allows remote authenticated users to affect confidentiality via vectors related to BASE, a different vulnerability than CVE-2013-1560.)
 CVE-2013-2382 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 12.0.1 allows local users to affect confidentiality via vectors related to BASE.)
 CVE-2013-2381 (Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server Privileges.)
 CVE-2013-2380 (Unspecified vulnerability in the Oracle JRockit component in Oracle Fusion Middleware R27.7.4 and earlier and R28.2.6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: this might be a duplicate of CVE-2013-1537 and CVE-2013-2415. If so, then CVE-2013-2380 might be REJECTed in the future.)
 CVE-2013-2379 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 12.0.1 allows remote authenticated users to affect integrity via unknown vectors related to RT.)
 CVE-2013-2378 (Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Information Schema.)
 CVE-2013-2377 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 4.1.0 allows remote authenticated users to affect confidentiality via unknown vectors related to My Services.)
 CVE-2013-2376 (Unspecified vulnerability in Oracle MySQL 5.5.30 and earlier and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Stored Procedure.)
 CVE-2013-2375 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2013-2374 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote authenticated users to affect integrity via unknown vectors related to Rich Text Editor.)
 CVE-2013-1570 (Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote attackers to affect availability via unknown vectors related to MemCached.)
 CVE-2013-1568 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 5.3.3, 6.0.1, and 6.2.0 allows remote authenticated users to affect availability via unknown vectors related to CB.)
 CVE-2013-1567 (Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language, a different vulnerability than CVE-2013-2395.)
 CVE-2013-1566 (Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.)
 CVE-2013-1565 (Unspecified vulnerability in the Oracle GoldenGate Veridata component in Oracle Fusion Middleware 3.0.0.11 allows remote attackers to affect availability via unknown vectors.)
 CVE-2013-1562 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 4.1.0 allows remote authenticated users to affect integrity via vectors related to HELP.)
 CVE-2013-1560 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 4.1.0 allows remote authenticated users to affect confidentiality via vectors related to BASE, a different vulnerability than CVE-2013-2385.)
 CVE-2013-1559 (Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 10.1.3.5.1 and 11.1.1.6.0 allows remote authenticated users to affect availability via unknown vectors related to Content Server.)
 CVE-2013-1556 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 12.0.1 allows remote authenticated users to affect integrity via vectors related to OTH.)
 CVE-2013-1555 (Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, and 5.5.29 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Partition.)
 CVE-2013-1554 (Unspecified vulnerability in the Network Layer component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to affect availability via unknown vectors.)
 CVE-2013-1553 (Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.)
 CVE-2013-1552 (Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2013-1551 (Unspecified vulnerability in the Siebel Enterprise Application Integration component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Integration Business Services.)
 CVE-2013-1550 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect integrity via unknown vectors related to WorkCenter.)
 CVE-2013-1549 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 5.3.3, 6.0.1, and 12.0.0 allows remote authenticated users to affect integrity via vectors related to BASE.)
 CVE-2013-1548 (Unspecified vulnerability in Oracle MySQL 5.1.63 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Types.)
 CVE-2013-1547 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 12.0.1 allows remote authenticated users to affect integrity via vectors related to BASE.)
 CVE-2013-1546 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 3.1.0 and 5.0.2 through 12.0.1 allows local users to affect confidentiality via vectors related to BASE.)
 CVE-2013-1545 (Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 10.1.3.5, 11.1.1.5.0, and 11.1.1.6.0 allows remote attackers to affect availability via unknown vectors related to Web Listener.)
 CVE-2013-1544 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language.)
 CVE-2013-1543 (Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Open UI Client.)
 CVE-2013-1542 (Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect integrity via unknown vectors related to Servlet Runtime.)
 CVE-2013-1541 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 3.1.0, 5.0.2 through 5.0.5, and 5.3.0 through 5.3.4 allows remote authenticated users to affect confidentiality via vectors related to BASE.)
 CVE-2013-1539 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 3.1.0, 5.0.2 through 5.0.5, and 5.3.0 through 5.3.4 allows remote authenticated users to affect confidentiality via vectors related to CTF.)
 CVE-2013-1538 (Unspecified vulnerability in the Network Layer component in Oracle Database Server 11.2.0.2 and 11.2.0.3 allows remote attackers to affect availability via unknown vectors.)
 CVE-2013-1536 (Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 5.5.05 and 6.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.)
 CVE-2013-1535 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 4.1.0, 5.1.0, 5.2.0, 5.3.4, and 6.0.1 allows remote attackers to affect confidentiality via vectors related to BASE.)
 CVE-2013-1534 (Unspecified vulnerability in the Workload Manager component in Oracle Database Server 11.2.0.2 and 11.2.0.3, when used in RAC configurations, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2013-1533 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 3.1.0, 5.1.0, 5.2.0, 5.3.1 through 5.3.3, and 6.0.1 through 12.0.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to BASE.)
 CVE-2013-1532 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Information Schema.)
 CVE-2013-1531 (Unspecified vulnerability in Oracle MySQL 5.1.66 and earlier and 5.5.28 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server Privileges.)
 CVE-2013-1530 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect availability via unknown vectors related to Kernel.)
 CVE-2013-1529 (Unspecified vulnerability in the Oracle WebCenter Interaction component in Oracle Fusion Middleware 6.5.1 and 10.3.3.0 allows remote attackers to affect integrity via unknown vectors related to Image Service.)
 CVE-2013-1528 (Unspecified vulnerability in the Oracle HRMS component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Payroll.)
 CVE-2013-1527 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote authenticated users to affect confidentiality via unknown vectors related to Report Distribution.)
 CVE-2013-1526 (Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Replication.)
 CVE-2013-1525 (Unspecified vulnerability in the Oracle Retail Integration Bus component in Oracle Industry Applications 13.0, 13.1, and 13.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Retail Integration Bus Manager.)
 CVE-2013-1524 (Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6 and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Attachments.)
 CVE-2013-1523 (Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier and 5.6.10 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server Optimizer.)
 CVE-2013-1522 (Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 10.1.3.5.1 and 11.1.1.6.0 allows remote attackers to affect integrity via unknown vectors related to Content Server.)
 CVE-2013-1521 (Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server Locking.)
 CVE-2013-1520 (Unspecified vulnerability in the Oracle Clinical Remote Data Capture Option component in Oracle Industry Applications 4.6.0 and 4.6.6 allows remote authenticated users to affect confidentiality and integrity via vectors related to HTML Surround.)
 CVE-2013-1519 (Unspecified vulnerability in the Application Express component in Oracle Database Server before 4.2.1 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2013-1517 (Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote attackers to affect confidentiality via unknown vectors related to Diagnostics.)
 CVE-2013-1516 (Unspecified vulnerability in the Oracle WebCenter Capture component in Oracle Fusion Middleware 10.1.3.5.1 allows remote authenticated users to affect availability via unknown vectors related to Import Server.)
 CVE-2013-1515 (Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Sun Middleware Products 3.0.1 and 3.1.2 allows remote attackers to affect integrity via vectors related to ADMIN Interface.)
 CVE-2013-1514 (Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote authenticated users to affect integrity via vectors related to RMI Support.)
 CVE-2013-1513 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect integrity via vectors related to PIA Core Technology.)
 CVE-2013-1512 (Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language.)
 CVE-2013-1511 (Unspecified vulnerability in Oracle MySQL 5.5.30 and earlier and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.)
 CVE-2013-1510 (Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Portal Framework.)
 CVE-2013-1509 (Unspecified vulnerability in the Oracle WebCenter Sites component in Oracle Fusion Middleware 7.6.2, 11.1.1.6.0, and 11.1.1.6.1 allows remote authenticated users to affect integrity via unknown vectors related to WebCenter Sites.)
 CVE-2013-1508 (Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Sun Middleware Products 3.0.1 and 3.1.2 allows remote attackers to affect integrity via vectors related to REST Interface.)
 CVE-2013-1507 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect availability via unknown vectors related to Filesystem.)
 CVE-2013-1506 (Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Locking.)
 CVE-2013-1505 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 3.1.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to BASE.)
 CVE-2013-1504 (Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2, 10.3.5, 10.3.6, and 12.1.1 allows remote attackers to affect integrity via unknown vectors related to WebLogic Console, a different vulnerability than CVE-2013-2390.)
 CVE-2013-1503 (Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 10.1.3.5.1 and 11.1.1.6.0 allows remote authenticated users to affect integrity via unknown vectors related to Content Server.)
 CVE-2013-1502 (Unspecified vulnerability in Oracle MySQL 5.5.30 and earlier and 5.6.9 and earlier allows local users to affect availability via unknown vectors related to Server Partition.)
 CVE-2013-1501 (Unspecified vulnerability in the Oracle iStore component in Oracle E-Business Suite 11.5.10.2 allows remote attackers to affect integrity via unknown vectors related to Login.)
 CVE-2013-1499 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to Network Configuration.)
 CVE-2013-1498 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect availability via unknown vectors related to Kernel/IO, a different vulnerability than CVE-2013-1496.)
 CVE-2013-1497 (Unspecified vulnerability in the Oracle COREid Access component in Oracle Fusion Middleware 10.1.4.3.0 allows remote attackers to affect integrity via unknown vectors related to WebGate - WebServer plugin.)
 CVE-2013-1496 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect availability via unknown vectors related to Kernel/IO, a different vulnerability than CVE-2013-1498.)
 CVE-2013-1495 (asr in Oracle Auto Service Request in Oracle Support Tools before 4.3.2 allows local users to modify arbitrary files via a symlink attack on a predictable filename in /tmp.)
 CVE-2013-1494 (Unspecified vulnerability in Oracle Sun Solaris 10, when running on SPARC T4 servers, allows local users to affect availability via unknown vectors related to Kernel.)
 CVE-2013-0416 (Unspecified vulnerability in the Siebel Enterprise Application Integration component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Web Services, a different vulnerability than CVE-2013-2403.)
 CVE-2013-0413 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Remote Execution Service.)
 CVE-2013-0412 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect integrity and availability via unknown vectors related to Utility/pax.)
 CVE-2013-0411 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, and 10 allows local users to affect confidentiality, integrity, and availability via vectors related to RBAC Configuration.)
 CVE-2013-0410 (Unspecified vulnerability in the Agile EDM component in Oracle Supply Chain Products Suite 6.1.1.0, 6.1.2.0, and 6.1.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Base Component - Common Objects.)
 CVE-2013-0408 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect availability via vectors related to CPU performance counters drivers.)
 CVE-2013-0406 (Unspecified vulnerability in Oracle Sun Solaris 10 allows remote attackers to affect integrity via unknown vectors via vectors related to Kernel/IPsec.)
 CVE-2013-0405 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows remote attackers to affect confidentiality and integrity via vectors related to NFS client mounts and IPv6.)
 CVE-2013-0404 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel/Boot.)
 CVE-2013-0403 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect availability via unknown vectors related to Utility.)
 CVE-2012-5614 (Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier, and MariaDB 5.5.28a and possibly other versions, allows remote authenticated users to cause a denial of service (mysqld crash) via a SELECT command with an UpdateXML command containing XML with a large number of unique, nested elements.)
 CVE-2012-4303 (Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 11.1.1.6.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Content Server.)
 CVE-2012-2751 (ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031.)
 CVE-2012-0841 (libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.)
 CVE-2012-0570 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect availability via unknown vectors related to Libraries/Libc.)
 CVE-2012-0568 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, and 10 allows local users to affect confidentiality via unknown vectors related to Utility/fdformat.)
 CVE-2010-2791 (mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions.)
 CVE-2010-2068 (mod_proxy_http.c in mod_proxy_http in the Apache HTTP Server 2.2.9 through 2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, and OS/2, in certain configurations involving proxy worker pools, does not properly detect timeouts, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request.)
 CVE-2010-0408 (The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.)
 CVE-2009-2699 (The Solaris pollset feature in the Event Port backend in poll/unix/port.c in the Apache Portable Runtime (APR) library before 1.3.9, as used in the Apache HTTP Server before 2.2.14 and other products, does not properly handle errors, which allows remote attackers to cause a denial of service (daemon hang) via unspecified HTTP requests, related to the prefork and event MPMs.)
 CVE-2009-1956 (Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.)
 CVE-2009-1955 (The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.)
 CVE-2009-1890 (The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.)
 CVE-2009-1191 (mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request.)
 CVE-2009-0023 (The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, which triggers a heap-based buffer underflow.)
 CVE-2007-1862 (The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously used data, which could be used by remote attackers to obtain potentially sensitive information.)
Оригинальный текстdocumentNCC Group Research, NGS00423 Patch Notification: Oracle Retail Invoice Manager SQL Injection (04.05.2013)
 documentNCC Group Research, NGS00422 Patch Notification: Oracle Retail Integration Bus Manager Directory Traversal (04.05.2013)
 documentNCC Group Research, NGS00416 Patch Notification: Oracle 11g TNS listener remote Invalid Pointer Read (pre-auth) (04.05.2013)
 documentNCC Group Research, NGS00415 Patch Notification: Oracle 11g TNS listener remote Null Pointer Dereference (pre-auth) (04.05.2013)
Файлы:Oracle Critical Patch Update Advisory - April 2013

Целочисленное переполнение в nginx
дополнено с 28 апреля 2013 г.
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13034
Тип:удаленная
Уровень опасности:
9/10
Описание:Целочисленное переполнение приводит к возможности выполнения кода.
Затронутые продукты:NGINX : nginx 1.4
Оригинальный текстdocumentmaxim.konovalov_(at)_gmail.com, Re: Nginx ngx_http_close_connection function integer overflow (04.05.2013)
 documentsafe3q_(at)_gmail.com, Nginx ngx_http_close_connection function integer overflow (28.04.2013)

Уязвимости безопасности в EMC Avamar server / client
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13039
Тип:удаленная
Уровень опасности:
6/10
Описание:Несанкционированный доступ к файлам, недостаточная проверка сертификата.
Затронутые продукты:EMC : Avamar 6.0
CVE:CVE-2013-0945 (EMC Avamar Client before 6.1.101-89 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.)
 CVE-2013-0944 (The web-based file-restore interface in EMC Avamar Server before 6.1.0 allows remote authenticated users to read arbitrary files via a crafted URL.)
Оригинальный текстdocumentEMC, ESA-2013-035: EMC Avamar Client Improper Certificate Validation Vulnerability (04.05.2013)
 documentEMC, ESA-2013-034: EMC Avamar Improper Authorization vulnerability (04.05.2013)

Повышение привилегий в EMC Networker
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13040
Тип:локальная
Уровень опасности:
5/10
Описание:Слабые файловые разрешения.
Затронутые продукты:EMC : NetWorker 7.6
 EMC : NetWorker 8.0
CVE:CVE-2013-0940 (The nsrpush process in the client in EMC NetWorker before 7.6.5.3 and 8.x before 8.0.1.4 sets weak permissions for unspecified files, which allows local users to gain privileges via unknown vectors.)
Оригинальный текстdocumentEMC, ESA-2013-028: EMC NetWorker Elevation of Privilege Vulnerability (04.05.2013)

Целочисленное переполнение в stunnel
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13041
Тип:удаленная
Уровень опасности:
7/10
Описание:Целочисленное переполнение приводит к переполнению буфера.
Затронутые продукты:STUNNEL : stunnel 4.54
CVE:CVE-2013-1762 (stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary code via a crafted request that triggers a buffer overflow.)
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 2664-1] stunnel4 security update (04.05.2013)

Переполнение буфера в реализации IPv6 для контролеров Microchip
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13042
Тип:удаленная
Уровень опасности:
6/10
Описание:Переполнение буфера при разборе фрагментированных пакетов.
Затронутые продукты:MICROCHIP : Microchip TCP/IP Stack 6.02
Оригинальный текстdocumentaz.bugreport.subscriber_(at)_gmail.com, Unchecked Buffer in Microchip TCP/IP Stack Could Allow Remote Code Execution (04.05.2013)

Повышение привилегий в strongSwan
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13043
Тип:удаленная
Уровень опасности:
5/10
Описание:При определенных условиях возможно авторизоваться другим пользователем.
Затронутые продукты:STRONGSWAN : strongSwan 5.0
CVE:CVE-2013-2944 (strongSwan 4.3.5 through 5.0.3, when using the OpenSSL plugin for ECDSA signature verification, allows remote attackers to authenticate as other users via an invalid signature.)
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 2665-1] strongswan security update (04.05.2013)

Уязвимости безопасности в MIT Kerberos 5
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13044
Тип:удаленная
Уровень опасности:
5/10
Описание:Несколько различных обращений по нулевому указателю.
Затронутые продукты:MIT : krb5 1.10
 MIT : krb5 1.11
CVE:CVE-2013-1416 (The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS-REQ request.)
 CVE-2013-1415 (The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/pkinit_crypto_openssl.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request.)
Оригинальный текстdocumentMANDRIVA, [ MDVSA-2013:157 ] krb5 (04.05.2013)

Проблема символьных линков в FUSE
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13046
Тип:локальная
Уровень опасности:
5/10
Описание:Возможно отмонтировать любой раздел.
Затронутые продукты:FUSE : fuse 2.8
CVE:CVE-2010-3879 (FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789.)
 CVE-2010-0789 (fusermount in FUSE before 2.7.5, and 2.8.x before 2.8.2, allows local users to unmount an arbitrary FUSE filesystem share via a symlink attack on a mountpoint.)

Утечка информации в util-linux / mount
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13047
Тип:локальная
Уровень опасности:
4/10
Описание:Можно проверить существование файла.
Затронутые продукты:LINUX : util-linux 2.21
CVE:CVE-2013-0157 ((a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists.)
 CVE-2010-3879 (FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789.)
Оригинальный текстdocumentMANDRIVA, [ MDVSA-2013:154 ] util-linux (04.05.2013)

XSS в Cisco Linksys E1200 / N300
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13048
Тип:удаленная
Уровень опасности:
4/10
Описание:XSS в веб-интерфейсе.
Затронутые продукты:CISCO : Linksys E1200
 CISCO : Linksys N300
Оригинальный текстdocumentCarl Benedict, Cisco/Linksys E1200 N300 Reflected XSS (04.05.2013)

Многочисленные уязвимости безопасности в IP-камерах D-Link
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13049
Тип:удаленная
Уровень опасности:
7/10
Описание:Выполнение кода, обход аутентификации, утечка информации, неизменяемая учетная запись.
Затронутые продукты:DLINK : D-Link DCS-3411
 DLINK : D-Link DCS-3430
 DLINK : D-Link DCS-5605
 DLINK : D-Link DCS-5635
 DLINK : D-Link DCS-1100
 DLINK : D-Link DCS-1130
 DLINK : D-Link DCS-2102
 DLINK : D-Link DCS-2121
 DLINK : D-Link DCS-3410
 DLINK : D-Link DCS-5230
 DLINK : D-Link DCS-6410
 DLINK : D-Link DCS-7410
 DLINK : D-Link DCS-7510
 DLINK : D-Link WCS-1100
CVE:CVE-2013-1603
 CVE-2013-1602
 CVE-2013-1601
 CVE-2013-1600
 CVE-2013-1599
Оригинальный текстdocumentCORE SECURITY TECHNOLOGIES ADVISORIES, CORE-2013-0303 - D-Link IP Cameras Multiple Vulnerabilities (04.05.2013)
Файлы:D-Link RTSP Authentication Bypass

Переполнение буфера в SRPLab Personal File Share
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13050
Тип:удаленная
Уровень опасности:
5/10
Описание:Переполнение буфера в HTTP-сервере на длинном запросе.
Оригинальный текстdocumentdemonalex_(at)_163.com, Personal File Share HTTP Server Remote Overflow Vulnerability (04.05.2013)
Файлы:Personal File Share HTTP Server Remote Overflow Vulnerability Exploit

Уязвимости безопасности в Wowza Media Server
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13051
Тип:удаленная
Уровень опасности:
6/10
Описание:Обратный путь в каталогах, обход аутентификации.
Оригинальный текстdocumentMichal J., WowzaMediaServer SecureToken bypass (and worse) (04.05.2013)
 documentMichal J., WowzaMediaServer StorageDir escape (regression) (04.05.2013)

Уязвимости безопасности в HP Service Manager
Опубликовано:4 мая 2013 г.
Источник:
SecurityVulns ID:13052
Тип:удаленная
Уровень опасности:
5/10
Описание:XSS, утечка информаии.
Затронутые продукты:HP : HP Service Manager 9.31
CVE:CVE-2013-2321 (Cross-site scripting (XSS) vulnerability in HP Service Manager Web Tier 9.31 before 9.31.2004 p2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2012-5222 (HP Service Manager Web Tier 9.31 allows remote attackers to obtain sensitive information via unspecified vectors.)
Оригинальный текстdocumentHP, [security bulletin] HPSBMU02872 SSRT101185 rev.1 - HP Service Manager, Remote Disclosure of Information, Cross Site (04.05.2013)

Многочисленные уязвимости безопасности в ядре Linux
дополнено с 4 мая 2013 г.
Опубликовано:27 мая 2013 г.
Источник:
SecurityVulns ID:13038
Тип:библиотека
Уровень опасности:
8/10
Описание:Повышение привилегий через перенаправление вывода suid-процесса, повышение привилегий через сокеты unix, утечка информации в файловых системах UDF и ISO, повреждение памяти в драйвере i915, многочисленные уязвимости в KVM, повышение привилегий через ext3, утечки информации в netlink.
Затронутые продукты:LINUX : kernel 3.8
CVE:CVE-2013-3301 (The ftrace implementation in the Linux kernel before 3.8.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for write access to the (1) set_ftrace_pid or (2) set_graph_function file, and then making an lseek system call.)
 CVE-2013-2635 (The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.)
 CVE-2013-2634 (net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.)
 CVE-2013-1979 (The scm_set_cred function in include/net/scm.h in the Linux kernel before 3.8.11 uses incorrect uid and gid values during credentials passing, which allows local users to gain privileges via a crafted application.)
 CVE-2013-1959 (kernel/user_namespace.c in the Linux kernel before 3.8.9 does not have appropriate capability requirements for the uid_map and gid_map files, which allows local users to gain privileges by opening a file within an unprivileged process and then modifying the file within a privileged process.)
 CVE-2013-1929 (Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure.)
 CVE-2013-1860 (Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted cdc-wdm USB device.)
 CVE-2013-1848 (fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application.)
 CVE-2013-1798 (The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application.)
 CVE-2013-1797 (Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation.)
 CVE-2013-1796 (The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application.)
 CVE-2013-0913 (Integer overflow in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel through 3.8.3, as used in Google Chrome OS before 25.0.1364.173 and other products, allows local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted application that triggers many relocation copies, and potentially leads to a race condition.)
 CVE-2012-6549 (The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application.)
 CVE-2012-6548 (The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application.)
Оригинальный текстdocumentUBUNTU, [USN-1833-1] Linux kernel vulnerabilities (27.05.2013)
 documentUBUNTU, [USN-1813-1] Linux kernel vulnerabilities (04.05.2013)
 documentUBUNTU, [USN-1815-1] Linux kernel vulnerabilities (04.05.2013)

Повреждение памяти в NFS-сервере FreeBSD
дополнено с 4 мая 2013 г.
Опубликовано:4 июня 2013 г.
Источник:
SecurityVulns ID:13045
Тип:удаленная
Уровень опасности:
6/10
Описание:Возможно выполнение readdir над обычным файлом.
Затронутые продукты:FREEBSD : FreeBSD 9.1
 FREEBSD : FreeBSD 8.4
CVE:CVE-2013-3266 (The nfsrvd_readdir function in sys/fs/nfsserver/nfs_nfsdport.c in the new NFS server in FreeBSD 8.0 through 9.1-RELEASE-p3 does not verify that a READDIR request is for a directory node, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code by specifying a plain file instead of a directory.)
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 2672-1] kfreebsd-9 security update (04.06.2013)
 documentFREEBSD, FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver [REVISED] (04.05.2013)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород