Информационная безопасность
[RU] switch to English


Проверка существования учетной записи пользователя в Asterisk
Опубликовано:8 апреля 2009 г.
Источник:
SecurityVulns ID:9800
Тип:удаленная
Уровень опасности:
3/10
Описание:Различные ответы при несуществующей учетной записи SIP и неправильном пароле.
Затронутые продукты:DIGIUM : Asterisk 1.4
 ASTERISK : Asterisk 1.6
CVE:CVE-2008-3903 (Asterisk Open Source 1.2.x before 1.2.32, 1.4.x before 1.4.24.1, and 1.6.0.x before 1.6.0.8; Asterisk Business Edition A.x.x, B.x.x before B.2.5.8, C.1.x.x before C.1.10.5, and C.2.x.x before C.2.3.3; s800i 1.3.x before 1.3.0.2; and Trixbox PBX 2.6.1, when Digest authentication and authalwaysreject are enabled, generates different responses depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames.)
Оригинальный текстdocumentVMWARE, TPTI-09-02: VMWare VMnc Codec Open-DML Standard Index dwSize Heap Overflow (08.04.2009)
 documentVMWARE, TPTI-09-01: VMWare VMnc Codec Invalid RFB Message Type Heap Overflow (08.04.2009)
 documentASTERISK, AST-2009-003: SIP responses expose valid usernames (08.04.2009)

Утечка инфомрации в Apache mod_jk
Опубликовано:8 апреля 2009 г.
Источник:
SecurityVulns ID:9802
Тип:удаленная
Уровень опасности:
5/10
Описание:При определенных условиях ответ, предназначенный одному клиенту может быть получен другим клиентом.
Затронутые продукты:APACHE : mod_jk 1.2
CVE:CVE-2008-5519
Оригинальный текстdocumentAPACHE, [SECURITY] CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability (08.04.2009)

Многочисленные уязвимости безопасности в MIT Kerberos 5
Опубликовано:8 апреля 2009 г.
Источник:
SecurityVulns ID:9803
Тип:удаленная
Уровень опасности:
7/10
Описание:Многочисленные DoS условия, free() неинициализированного указателя.
Затронутые продукты:MIT : krb5 1.5
 MIT : krb5 1.6
CVE:CVE-2009-0847 (The asn1buf_imbed function in the ASN.1 decoder in MIT Kerberos 5 (aka krb5) 1.6.3, when PK-INIT is used, allows remote attackers to cause a denial of service (application crash) via a crafted length value that triggers an erroneous malloc call, related to incorrect calculations with pointer arithmetic.)
 CVE-2009-0846 (The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.)
 CVE-2009-0845 (The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token.)
 CVE-2009-0844 (The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read.)
Оригинальный текстdocumentMIT, MITKRB5-SA-2009-002: ASN.1 decoder frees uninitialized pointer [CVE-2009-0846] (08.04.2009)
 documentMIT, MITKRB5-SA-2009-001: multiple vulnerabilities in SPNEGO, ASN.1 decoder [CVE-2009-0844 CVE-2009-0845 CVE-2009-0847] (08.04.2009)

Выполнение кода в клиенте Novell Netware
Опубликовано:8 апреля 2009 г.
Источник:
SecurityVulns ID:9805
Тип:удаленная
Уровень опасности:
6/10
Описание:Обращение по некорректному указателю при разборе сообщений полученных через именованные каналы.
Оригинальный текстdocumentZDI, ZDI-09-016: Novell Client/NetIdentity Agent Remote Arbitrary Pointer Dereference Code Execution Vulnerability (08.04.2009)

целочисленное переполнение в библиотеке xinelib
Опубликовано:8 апреля 2009 г.
Источник:
SecurityVulns ID:9806
Тип:библиотека
Уровень опасности:
6/10
Описание:Целочисленное переполнение при разборе Quicktime STTS.
Затронутые продукты:XINE : xine-lib 1.1
 XINE : xine 1.1
Оригинальный текстdocumenttk_(at)_trapkit.de, [TKADV2009-005] xine-lib Quicktime STTS Atom Integer Overflow (08.04.2009)

Выполнение кода в xpdf
Опубликовано:8 апреля 2009 г.
Источник:
SecurityVulns ID:9804
Тип:локальная
Уровень опасности:
4/10
Описание:Обрабатывается файл xpdfrc в текущем каталоге.
Затронутые продукты:XPDF : xpdf 3.02
CVE:CVE-2009-1144 (Untrusted search path vulnerability in the Gentoo package of Xpdf before 3.02-r2 allows local users to gain privileges via a Trojan horse xpdfrc file in the current working directory, related to an unset SYSTEM_XPDFRC macro in a Gentoo build process that uses the poppler library.)
Оригинальный текстdocumentGENTOO, [ GLSA 200904-07 ] Xpdf: Untrusted search path (08.04.2009)

Целочисленное переполнение в IrfanView
Опубликовано:8 апреля 2009 г.
Источник:
SecurityVulns ID:9807
Тип:локальная
Уровень опасности:
4/10
Описание:Целочисленное переполнение при разборе формата XPM.
Затронутые продукты:IRFANVIEW : IrfanView 4.22
CVE:CVE-2009-0197 (Integer overflow in the FORMATS Plugin before 4.23 for IrfanView allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a large XPM file that triggers a heap-based buffer overflow.)
Оригинальный текстdocumentSECUNIA, Secunia Research: IrfanView Formats Plug-in XPM Parsing Integer Overflow (08.04.2009)

Многочисленные уязвимости безопасности в VMWare
дополнено с 8 апреля 2009 г.
Опубликовано:12 апреля 2009 г.
Источник:
SecurityVulns ID:9801
Тип:удаленная
Уровень опасности:
6/10
Описание:Многочисленные DoS условия, повышения привилегий, переполнение буфера в кодеке VNnc.
Затронутые продукты:VMWARE : VMware Server 1.0
 VMWARE : VMware ESX 3.0
 VMWARE : VMware ESXi 3.5
 VMWARE : VMware ESXi 3.0
 VMWARE : VMware ESX 3.5
 VMWARE : VMware Workstation 6.5
 VMWARE : VMware Player 2.5
 VMWARE : VMware ACE 2.5
 VMWARE : VMware Server 2.0
 VMWARE : VMware Fusion 2.0
CVE:CVE-2009-1244 (Unspecified vulnerability in the virtual machine display function in VMware Workstation 6.5.1 and earlier; VMware Player 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745; VMware Fusion before 2.0.4 build 159196; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to execute arbitrary code on the host OS via unknown vectors, a different vulnerability than CVE-2008-4916.)
 CVE-2009-1147 (Unspecified vulnerability in vmci.sys in the Virtual Machine Communication Interface (VMCI) in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 2.0.x before 2.0.1 build 156745 allows local users to gain privileges via unknown vectors.)
 CVE-2009-1146 (Unspecified vulnerability in an ioctl in hcmon.sys in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 1.0.x before 1.0.9 build 156507 and 2.0.x before 2.0.1 build 156745 allows local users to cause a denial of service via unknown vectors, a different vulnerability than CVE-2008-3761.)
 CVE-2009-0910 (Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5.x before 6.5.2 build 156735, VMware Player 2.5.x before 2.5.2 build 156735, VMware ACE 2.5.x before 2.5.2 build 156735, and VMware Server 2.0.x before 2.0.1 build 156745 allows remote attackers to execute arbitrary code via a crafted web page or video file, aka ZDI-CVE-436.)
 CVE-2009-0909 (Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5.x before 6.5.2 build 156735, VMware Player 2.5.x before 2.5.2 build 156735, VMware ACE 2.5.x before 2.5.2 build 156735, and VMware Server 2.0.x before 2.0.1 build 156745 allows remote attackers to execute arbitrary code via a crafted web page or video file, aka ZDI-CVE-435.)
 CVE-2009-0908 (Unspecified vulnerability in the ACE shared folders implementation in the VMware Host Guest File System (HGFS) shared folders feature in VMware ACE 2.5.1 and earlier allows attackers to enable a disabled shared folder.)
 CVE-2009-0518 (VI Client in VMware VirtualCenter before 2.5 Update 4, VMware ESXi 3.5 before Update 4, and VMware ESX 3.5 before Update 4 retains the VirtualCenter Server password in process memory, which might allow local users to obtain this password.)
 CVE-2009-0177 (vmwarebase.dll, as used in the vmware-authd service (aka vmware-authd.exe), in VMware Workstation 6.5.1 build 126130 and earlier, and VMware Player 2.5.1 build 126130 and earlier, allows remote attackers to cause a denial of service (daemon crash) via a long (1) USER or (2) PASS command.)
 CVE-2008-4916 (Unspecified vulnerability in a guest virtual device driver in VMware Workstation before 5.5.9 build 126128, and 6.5.1 and earlier 6.x versions; VMware Player before 1.0.9 build 126128, and 2.5.1 and earlier 2.x versions; VMware ACE before 1.0.8 build 125922, and 2.5.1 and earlier 2.x versions; VMware Server 1.x before 1.0.8 build 126538 and 2.0.x before 2.0.1 build 156745; VMware Fusion before 2.0.1; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to cause a denial of service (host OS crash) via unknown vectors.)
 CVE-2008-3761 (hcmon.sys in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 1.0.x before 1.0.9 build 156507 and 2.0.x before 2.0.1 build 156745 uses the METHOD_NEITHER communication method for IOCTLs, which allows local users to cause a denial of service via a crafted IOCTL request.)
Оригинальный текстdocumentVMWARE, VMSA-2009-0006 VMware Hosted products and patches for ESX and ESXi resolve a critical security vulnerability (12.04.2009)
 documentVMWARE, VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues (08.04.2009)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород