AOH :: ISN-1495.HTM

Secunia Weekly Summary - Issue: 2005-40




Secunia Weekly Summary - Issue: 2005-40
Secunia Weekly Summary - Issue: 2005-40



=======================================================================
                  The Secunia Weekly Advisory Summary                  
                        2005-09-29 - 2005-10-06                        

                       This week : 67 advisories                       

=======================================================================Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

=======================================================================1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best
and most reliable source for vulnerability information. Every single 
vulnerability report is being validated and verified before a Secunia
advisory is written.

Secunia validates and verifies vulnerability reports in many different
ways e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/ 

=======================================================================2) This Week in Brief:

During the last week 3 antivirus vendors Symantec, Kaspersky, and
Bitdefender suffered vulnerabilities, which potentially can be
exploited by malicious people to gain system access on a vulnerable
system.

Additional details can be found in the referenced Secunia advisories
below.

References:
http://secunia.com/SA17049 
http://secunia.com/SA17024 
http://secunia.com/SA16991 


VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

=======================================================================3) This Weeks Top Ten Most Read Advisories:

1.  [SA16942] Microsoft Internet Explorer "XMLHTTP" HTTP Request
              Injection
2.  [SA16901] Thunderbird Command Line URL Shell Command Injection
3.  [SA16869] Firefox Command Line URL Shell Command Injection
4.  [SA14789] Gentoo update for limewire
5.  [SA16911] Firefox Multiple Vulnerabilities
6.  [SA16766] Netscape IDN URL Domain Name Buffer Overflow
7.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
8.  [SA14896] Microsoft Jet Database Engine Database File Parsing
              Vulnerability
9.  [SA12758] Microsoft Word Document Parsing Buffer Overflow
              Vulnerabilities
10. [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing
              Vulnerability

=======================================================================4) Vulnerabilities Summary Listing

Windows:
[SA17024] Kaspersky Anti-Virus CAB Archive Handling Buffer Overflow
[SA17010] MailEnable W3C Logging Buffer Overflow Vulnerability
[SA17046] IceWarp Web Mail Multiple Vulnerabilities
[SA17032] Citrix Metaframe Presentation Server Policy Filtering Bypass
[SA17049] Symantec AntiVirus Scan Engine Administrative Interface
Buffer Overflow

UNIX/Linux:
[SA17042] Fedora update for thunderbird
[SA17066] Debian update for egroupware
[SA17057] HP-UX Mozilla Multiple Vulnerabilities
[SA17053] Debian update for drupal
[SA17027] SUSE Updates for Multiple Packages
[SA17026] Debian update for mozilla-firefox
[SA17014] SUSE update for mozilla/MozillaFirefox
[SA17065] IBM Tivoli Monitoring Web Health Console HTTP Server Vulnerabilities
[SA17062] UW-imapd Mailbox Name Parsing Buffer Overflow Vulnerability
[SA17059] Ubuntu update for dia-common
[SA17054] CVS zlib Vulnerabilities
[SA17052] Fedora update for abiword
[SA17050] Ubuntu update for squid
[SA17047] Dia SVG File Import Arbitrary Code Execution Vulnerability
[SA17035] Debian update for prozilla
[SA17034] Virtools Web Player Buffer Overflow and Directory Traversal Vulnerabilities
[SA17021] ProZilla "ftpsearch" Buffer Overflow Vulnerability
[SA17020] Debian update for mailutils
[SA17016] Debian update for gopher
[SA17015] Debian update for squid
[SA17012] Gentoo update for abiword
[SA17039] OpenView Event Correlation Services Unspecified Privileged Access Vulnerability
[SA17077] Red Hat update for openssh
[SA17073] Red Hat update for kernel
[SA17069] Avaya Products "ls" Denial of Service Vulnerabilities
[SA17067] Debian update for mod-auth-shadow
[SA17060] Apache mod_auth_shadow Module "require group" Incorrect Authentication
[SA17030] Bugzilla Two Information Disclosure Security Issues
[SA17029] AIX tcpdump BGP Denial of Service Vulnerability
[SA17003] 4D WebSTAR IMAP Access Potential Denial of Service
[SA17028] Weex "log_flush()" Format String Vulnerability
[SA17007] Ubuntu update for net-snmp
[SA17080] Red Hat update for mysql
[SA17079] Red Hat update for perl
[SA17072] Red Hat update for gdb
[SA17070] Gentoo update for texinfo
[SA17068] Debian update for arc
[SA17063] Avaya Products cpio Insecure File Creation Vulnerability
[SA17058] Gentoo update for uim
[SA17056] Gentoo update for gtkdiskfree
[SA17051] Gentoo update for mpeg-tools
[SA17044] Sun Java Desktop System XFree86 Pixmap Creation Integer Overflow
[SA17043] uim Environment Variable Privilege Escalation Vulnerability
[SA17040] Debian update for cfengine2
[SA17038] Debian update for cfengine
[SA17037] Cfengine Insecure Temporary File Creation Vulnerabilities
[SA17025] storeBackup Insecure Temporary File Creation and Insecure Backup Root Permissions
[SA17022] Gentoo update for hylafax
[SA17018] Debian update for backupninja
[SA17017] Debian update for ntlmaps
[SA17009] Macromedia Breeze Password Reset Security Issue
[SA17008] Berkeley MPEG Tools Multiple Insecure Temporary File Creation
[SA17005] Debian update for gtkdiskfree
[SA17045] Trustix update for unzip
[SA17023] GNOME libzvt "gnome-pty-helper" Hostname Spoofing
[SA17006] Ubuntu update for unzip
[SA17004] Debian update for util-linux

Other:
[SA17033] NetFORCE NAS Information Disclosure Security Issue

Cross Platform:
[SA17048] PHP-Fusion "album" and "photo" SQL Injection Vulnerabilities
[SA17019] Hitachi Cosminexus Request Body Disclosure of Personal Information
[SA17013] Blender Command Line Buffer Overflow Vulnerability
[SA17011] Serendipity Cross-Site Request Forgery Vulnerability

=======================================================================5) Vulnerabilities Content Listing

Windows:--

[SA17024] Kaspersky Anti-Virus CAB Archive Handling Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-10-04

Alex Wheeler has reported a vulnerability in Kaspersky Anti-Virus,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/17024/ 

 --

[SA17010] MailEnable W3C Logging Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-10-04

A vulnerability has been reported in MailEnable, which potentially can
be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17010/ 

 --

[SA17046] IceWarp Web Mail Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of
system information, Exposure of sensitive information
Released:    2005-10-03

ShineShadow has discovered some vulnerabilities in IceWarp Web Mail,
which can be exploited by malicious people to conduct cross-site
scripting attacks, delete arbitrary files, and disclose system and
sensitive information.

Full Advisory:
http://secunia.com/advisories/17046/ 

 --

[SA17032] Citrix Metaframe Presentation Server Policy Filtering Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-10-03

Gustavo Gurmandi has reported a vulnerability in Citrix MetaFrame
Presentation Server, which can be exploited by malicious users to
bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17032/ 

 --

[SA17049] Symantec AntiVirus Scan Engine Administrative Interface
Buffer Overflow

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2005-10-05

A vulnerability has been reported in Symantec AntiVirus Scan Engine,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17049/ 


UNIX/Linux:--

[SA17042] Fedora update for thunderbird

Critical:    Extremely critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System
access
Released:    2005-10-03

Fedora has issued an update for thunderbird. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
spoofing attacks, manipulate certain data, bypass certain security
restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17042/ 

 --

[SA17066] Debian update for egroupware

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-10-05

Debian has issued an update for egroupware. This fixes a vulnerability,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/17066/ 

 --

[SA17057] HP-UX Mozilla Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, DoS,
System access
Released:    2005-10-05

HP has acknowledged multiple vulnerabilities in Mozilla for HP-UX,
which can be exploited by malicious people to bypass certain security
restrictions, conduct spoofing and cross-site scripting attacks, and
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17057/ 

 --

[SA17053] Debian update for drupal

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-10-04

Debian has issued an update for drupal. This fixes a vulnerability,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/17053/ 

 --

[SA17027] SUSE Updates for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information,
Privilege escalation, DoS, System access
Released:    2005-09-30

SUSE has issued updates for multiple packages. These fix various
vulnerabilities, which potentially can be exploited by malicious, local
users to gain access to sensitive information or perform certain actions
on a vulnerable system with escalated privileges, or by malicious people
to conduct cross-site scripting attacks, cause a DoS (Denial of Service)
or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17027/ 

 --

[SA17026] Debian update for mozilla-firefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System
access
Released:    2005-10-03

Debian has issued an update for mozilla-firefox. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
spoofing attacks, manipulate certain data, bypass certain security
restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17026/ 

 --

[SA17014] SUSE update for mozilla/MozillaFirefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System
access
Released:    2005-09-30

SUSE has issued updates for mozilla and MozillaFirefox. These fix some
vulnerabilities, which can be exploited by malicious people to conduct
spoofing attacks, manipulate certain data, bypass certain security
restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17014/ 

 --

[SA17065] IBM Tivoli Monitoring Web Health Console HTTP Server
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-10-05

IBM has acknowledged some vulnerabilities in IBM Tivoli Monitoring,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/17065/ 

 --

[SA17062] UW-imapd Mailbox Name Parsing Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-10-05

infamous41md has reported a vulnerability in UW-imapd, which can be
exploited by malicious users to cause a DoS (Denial of Service) or
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17062/ 

 --

[SA17059] Ubuntu update for dia-common

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-04

Ubuntu has issued an update for dia-common. This fixes a vulnerability,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/17059/ 

 --

[SA17054] CVS zlib Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-10-04

Two vulnerabilities have been reported in CVS, which potentially can be
exploited by malicious people to cause a DoS (Denial of Service) and
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17054/ 

 --

[SA17052] Fedora update for abiword

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-03

Fedora has issued an update for abiword. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/17052/ 

 --

[SA17050] Ubuntu update for squid

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-10-03

Ubuntu has issued an update for squid. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/17050/ 

 --

[SA17047] Dia SVG File Import Arbitrary Code Execution Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-03

Joxean Koret has reported a vulnerability in Dia, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17047/ 

 --

[SA17035] Debian update for prozilla

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-03

Debian has issued an update for prozilla. This fixes a vulnerability,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/17035/ 

 --

[SA17034] Virtools Web Player Buffer Overflow and Directory Traversal
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2005-10-03

Luigi Auriemma has reported two vulnerabilities in Virtools Web Player,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/17034/ 

 --

[SA17021] ProZilla "ftpsearch" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-03

Tavis Ormandy has reported a vulnerability in ProZilla, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17021/ 

 --

[SA17020] Debian update for mailutils

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-10-05

Debian has issued an update for mailutils. This fixes a vulnerability,
which can be exploited by malicious users to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/17020/ 

 --

[SA17016] Debian update for gopher

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-30

Debian has issued an update for gopher. This fixes two vulnerabilities,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/17016/ 

 --

[SA17015] Debian update for squid

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-09-30

Debian has issued an update for squid. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/17015/ 

 --

[SA17012] Gentoo update for abiword

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-30

Gentoo has issued an update for abiword. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/17012/ 

 --

[SA17039] OpenView Event Correlation Services Unspecified Privileged
Access Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-10-05

A vulnerability has been reported in OpenView Event Correlation
Services, which can be exploited by malicious people to gain access
with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17039/ 

 --

[SA17077] Red Hat update for openssh

Critical:    Less critical
Where:       From remote
Impact:      Privilege escalation
Released:    2005-10-05

Red Hat has issued an update for openssh. This fixes a security issue,
which can be exploited malicious users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17077/ 

 --

[SA17073] Red Hat update for kernel

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information, Privilege escalation,
DoS
Released:    2005-10-05

Red Hat has issued an update for the kernel. This fixes some
vulnerabilities which can be exploited by malicious, local users to
disclose certain sensitive information, cause a DoS (Denial of Service)
and gain escalated privileges, or by malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/17073/ 

 --

[SA17069] Avaya Products "ls" Denial of Service Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-10-05

Avaya has acknowledged some vulnerabilities in the "ls" program
included in some products, which can be exploited by malicious users to
cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17069/ 

 --

[SA17067] Debian update for mod-auth-shadow

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-10-05

Debian has issued an update for mod-auth-shadow. This fixes a security
issue, which potentially can be exploited by malicious people to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17067/ 

 --

[SA17060] Apache mod_auth_shadow Module "require group" Incorrect
Authentication

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-10-05

David Herselman has reported a security issue in the mod_auth_shadow
module for Apache, which potentially can be exploited by malicious
people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17060/ 

 --

[SA17030] Bugzilla Two Information Disclosure Security Issues

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2005-10-03

Two security issues have been reported in Bugzilla, which can be
exploited by malicious people to disclose system and potentially
sensitive information.

Full Advisory:
http://secunia.com/advisories/17030/ 

 --

[SA17029] AIX tcpdump BGP Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-10-03

A vulnerability has been reported in AIX, which can be exploited by
malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17029/ 

 --

[SA17003] 4D WebSTAR IMAP Access Potential Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-09-30

A vulnerability has been reported in 4D WebSTAR, which potentially can
be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17003/ 

 --

[SA17028] Weex "log_flush()" Format String Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS, System access
Released:    2005-10-03

Emanuel Haupt has reported a vulnerability in Weex, which potentially
can be exploited by malicious users to cause a DoS (Denial of Service)
or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17028/ 

 --

[SA17007] Ubuntu update for net-snmp

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-09-30

Ubuntu has issued an update for net-snmp. This fixes a vulnerability,
which can be exploited by malicious users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/17007/ 

 --

[SA17080] Red Hat update for mysql

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-05

Red Hat has issued an update for mysql. This fixes a vulnerability,
which can be exploited by malicious, local users to conduct various
actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17080/ 

 --

[SA17079] Red Hat update for perl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-05

Red Hat has issued an update for perl. This fixes a vulnerability,
which potentially can be exploited by malicious, local users to gain
escalated privileges.

Full Advisory:
http://secunia.com/advisories/17079/ 

 --

[SA17072] Red Hat update for gdb

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-05

Red Hat has issued an update for gdb. This fixes two vulnerabilities,
which potentially can be exploited by malicious, local users to gain
escalated privileges.

Full Advisory:
http://secunia.com/advisories/17072/ 

 --

[SA17070] Gentoo update for texinfo

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-05

Gentoo has issued an update for texinfo. This fixes a vulnerability,
which can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17070/ 

 --

[SA17068] Debian update for arc

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, Privilege escalation
Released:    2005-10-05

Debian has issued an update for arc. This fixes a security issue and a
vulnerability, which can be exploited by malicious, local users to gain
access to sensitive information and perform certain actions on a
vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17068/ 

 --

[SA17063] Avaya Products cpio Insecure File Creation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2005-10-05

Avaya has acknowledged a vulnerability in cpio included in some
products, which can be exploited by malicious, local users to disclose
and manipulate information.

Full Advisory:
http://secunia.com/advisories/17063/ 

 --

[SA17058] Gentoo update for uim

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-05

Gentoo has issued an update for uim. This fixes a vulnerability, which
potentially can be exploited by malicious, local users to gain
escalated privileges.

Full Advisory:
http://secunia.com/advisories/17058/ 

 --

[SA17056] Gentoo update for gtkdiskfree

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-04

Gentoo has issued an update for gtkdiskfree. This fixes a
vulnerability, which can be exploited by malicious, local users to
perform certain actions on a vulnerable system with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/17056/ 

 --

[SA17051] Gentoo update for mpeg-tools

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-04

Gentoo has issued an update for mpeg-tools. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
perform certain actions on a vulnerable system with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/17051/ 

 --

[SA17044] Sun Java Desktop System XFree86 Pixmap Creation Integer
Overflow

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-04

Sun Microsystems has acknowledged a vulnerability in Sun JDS (Java
Desktop System), which potentially can be exploited by malicious, local
users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17044/ 

 --

[SA17043] uim Environment Variable Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-04

Masanari Yamamoto has reported a vulnerability in uim, which
potentially can be exploited by malicious, local users to gain
escalated privileges.

Full Advisory:
http://secunia.com/advisories/17043/ 

 --

[SA17040] Debian update for cfengine2

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-03

Debian has issued an update for cfengine2. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
perform certain actions on a vulnerable system with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/17040/ 

 --

[SA17038] Debian update for cfengine

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-03

Debian has issued an update for cfengine. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
perform certain actions on a vulnerable system with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/17038/ 

 --

[SA17037] Cfengine Insecure Temporary File Creation Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-03

Javier Fernandez-Sanguino Pena has reported some vulnerabilities in
Cfengine, which can be exploited by malicious, local users to perform
certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17037/ 

 --

[SA17025] storeBackup Insecure Temporary File Creation and Insecure
Backup Root Permissions

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, Privilege escalation
Released:    2005-09-30

A vulnerability and a security issue have been reported in storeBackup,
which potentially can be exploited by malicious, local users to gain
access to sensitive information or perform certain actions on a
vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17025/ 

 --

[SA17022] Gentoo update for hylafax

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-30

Gentoo has issued an update for hylafax. This fixes a vulnerability,
which can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17022/ 

 --

[SA17018] Debian update for backupninja

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-30

Debian has issued an update for backupninja. This fixes a
vulnerability, which can be exploited by malicious, local users to
perform certain actions on a vulnerable system with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/17018/ 

 --

[SA17017] Debian update for ntlmaps

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-09-30

Debian has issued an update for ntlmaps. This fixes a security issue,
which can be exploited by malicious, local users to disclose certain
sensitive information.

Full Advisory:
http://secunia.com/advisories/17017/ 

 --

[SA17009] Macromedia Breeze Password Reset Security Issue

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-09-30

A security issue has been reported in Macromedia Breeze, which can be
exploited by malicious, local users to disclose certain sensitive
information.

Full Advisory:
http://secunia.com/advisories/17009/ 

 --

[SA17008] Berkeley MPEG Tools Multiple Insecure Temporary File
Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-04

Mike Frysinger has reported some vulnerabilities in Berkeley MPEG
Tools, which can be exploited by malicious, local users to perform
certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17008/ 

 --

[SA17005] Debian update for gtkdiskfree

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-29

Debian has issued an update for gtkdiskfree. This fixes a
vulnerability, which can be exploited by malicious, local users to
perform certain actions on a vulnerable system with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/17005/ 

 --

[SA17045] Trustix update for unzip

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-10-03

Trustix has issued an update for unzip. This fixes a vulnerability,
which can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17045/ 

 --

[SA17023] GNOME libzvt "gnome-pty-helper" Hostname Spoofing

Critical:    Not critical
Where:       Local system
Impact:      Spoofing
Released:    2005-10-03

Paul Szabo has reported a security issue in GNOME libzvt, which can be
exploited by malicious, local users to spoof the hostname that is
recorded into "utmp".

Full Advisory:
http://secunia.com/advisories/17023/ 

 --

[SA17006] Ubuntu update for unzip

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-30

Ubuntu has issued an update for unzip. This fixes a vulnerability,
which can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17006/ 

 --

[SA17004] Debian update for util-linux

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-29

Debian has issued an update for util-linux. This fixes a security
issue, which potentially can be exploited by malicious, local users to
gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17004/ 


Other:--

[SA17033] NetFORCE NAS Information Disclosure Security Issue

Critical:    Not critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-10-03

bambenek has reported a security issue in NetFORCE NAS (Network
Attached Storage), which potentially can be exploited by malicious
people to gain knowledge of certain sensitive information.

Full Advisory:
http://secunia.com/advisories/17033/ 


Cross Platform:--

[SA17048] PHP-Fusion "album" and "photo" SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-10-04

Critical Security has discovered two vulnerabilities in PHP-Fusion,
which can be exploited by malicious people to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/17048/ 

 --

[SA17019] Hitachi Cosminexus Request Body Disclosure of Personal
Information

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-10-03

A vulnerability has been reported in Hitachi Cosminexus, which
potentially can be exploited by malicious people to disclose sensitive
information.

Full Advisory:
http://secunia.com/advisories/17019/ 

 --

[SA17013] Blender Command Line Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-30

Qnix has reported a vulnerability in Blender, which potentially can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17013/ 

 --

[SA17011] Serendipity Cross-Site Request Forgery Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Hijacking
Released:    2005-09-30

Nenad Jovanovic has reported a vulnerability in Serendipity, which can
be exploited by malicious people to conduct cross-site request forgery
attacks.

Full Advisory:
http://secunia.com/advisories/17011/ 



=======================================================================
Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/ 

Subscribe:
http://secunia.com/secunia_weekly_summary/ 

Contact details:
Web	: http://secunia.com/ 
E-mail	: support@secunia.com 
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45



_________________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 

Site design & layout copyright © 1986-2014 CodeGods