From security at unicamp.br Thu Dec 2 15:21:38 2004
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Thu, 2 Dec 2004 15:21:38 -0200
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20041202172137.GA28073@unicamp.br>

Dear Subscribers,

We have updated the Unicamp CSIRT (Computer Security Incident Response Team) site with the following vulnerability bulletins:

Conectiva Linux Security Announcement:
--------------------------------------

02/12/2004 - CLA-2004:905
Subject: Fix for cross-site scripting vulnerability in the squirrelmail package.
http://www.security.unicamp.br/docs/bugs/2004/12/v11.txt

01/12/2004 - CLA-2004:904
Subject: Multiple vulnerabilities in cyrus-imapd.
http://www.security.unicamp.br/docs/bugs/2004/12/v3.txt

01/12/2004 - CLA-2004:902
Subject: Fix for buffer overflow vulnerability in the abiword package.
http://www.security.unicamp.br/docs/bugs/2004/12/v2.txt

CAIS-Alerta:
------------

01/12/2004
Subject: Cumulative patch for MS Internet Explorer (MS04-040).
http://www.security.unicamp.br/docs/bugs/2004/12/v7.txt

Debian Security Advisory:
-------------------------

01/12/2004 - DSA 603-1
Subject: Security vulnerability in the openssl package.
http://www.security.unicamp.br/docs/bugs/2004/12/v4.txt

Fedora Update Notification:
---------------------------

01/12/2004 - FEDORA-2004-487
Subject: Fedora Core 3: cyrus-imapd.
http://www.security.unicamp.br/docs/bugs/2004/12/v6.txt

01/12/2004 - FEDORA-2004-489
Subject: Fedora Core 2: cyrus-imapd.
http://www.security.unicamp.br/docs/bugs/2004/12/v5.txt

FreeBSD Security Advisory:
--------------------------

01/12/2004 - FreeBSD-SA-04:17
Subject: Kernel memory disclosure in procfs and linprocfs.
http://www.security.unicamp.br/docs/bugs/2004/12/v10.txt

Gentoo Linux Security Advisory:
-------------------------------

28/11/2004 - GLSA 200411-37
Subject: Open DC Hub: Remote code execution.
http://www.security.unicamp.br/docs/bugs/2004/11/v145.txt

Microsoft Security Bulletins:
-----------------------------

01/12/2004
Subject: Microsoft Security Bulletin Summary for December 2004.
http://www.security.unicamp.br/docs/bugs/2004/12/v8.txt

SUSE Security Announcement:
---------------------------

01/12/2004 - SUSE-SA:2004:042
Subject: Security vulnerability in the kernel.
http://www.security.unicamp.br/docs/bugs/2004/12/v1.txt

US-CERT Technical Cyber Security Alert:
---------------------------------------

01/12/2004 - TA04-336A
Subject: Update for Microsoft Internet Explorer HTML Elements Vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/12/v9.txt

-- 
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - UNICAMP
mailto:security at unicamp.br
http://www.security.unicamp.br
GnuPG Public Key: http://www.security.unicamp.br/security.asc


From security at unicamp.br Tue Dec 7 13:47:50 2004
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Tue, 7 Dec 2004 13:47:50 -0200
Subject: [SECURITY-L] Paid internship opportunity at the Unicamp Computing Center
Message-ID: <20041207154746.GA36337@unicamp.br>

--------------------------------------------------------------------------------

Paid internship opportunity at the Unicamp Computing Center

The CCUEC (Centro de Computação da Unicamp) is selecting one (1) intern to work as a systems developer with an emphasis on web services and directories.
General requirements

- Enrolled in a higher-education course in Systems Analysis or Computer Engineering
- Available to work 20, 30 or 40 hours per week, between 8:30 and 17:30

Desirable knowledge:

- Software Engineering (Architectures), Java (J2EE)
- Operating Systems (Linux)
- Web (HTML, XML), Apache, Tomcat
- Computer Networks (TCP/IP)
- Databases (MySQL, PostgreSQL)
- Networks (TCP/IP) and Security

Internship activities

Participate as a team member in a Java software development project.

Information

Interested candidates should send a curriculum vitae to estagios at ccuec.unicamp.br, indicating ESTÁGIO SUPORTE DE SOFTWARE JAVA in the subject.

--------------------------------------------------------------------------------


From security at unicamp.br Mon Dec 13 16:19:45 2004
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 13 Dec 2004 16:19:45 -0200
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20041213181944.GA340@unicamp.br>

Dear Subscribers,

We have updated the Unicamp CSIRT (Computer Security Incident Response Team) site with the following vulnerability bulletins:

CAIS-Alerta:
------------

06/12/2004
Subject: Vulnerability in the WINS service.
http://www.security.unicamp.br/docs/bugs/2004/12/v21.txt

Cisco Security Advisory:
------------------------

02/12/2004
Subject: Cisco CNS Network Registrar Denial of Service Vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/12/v12.txt

Debian Security Advisory:
-------------------------

10/12/2004 - DSA 607-1
Subject: Security vulnerability in the xfree86 package.
http://www.security.unicamp.br/docs/bugs/2004/12/v16.txt

08/12/2004 - DSA 606-1
Subject: Security vulnerability in the nfs-utils package.
http://www.security.unicamp.br/docs/bugs/2004/12/v15.txt

06/12/2004 - DSA 605-1
Subject: Security vulnerability in the viewcvs package.
http://www.security.unicamp.br/docs/bugs/2004/12/v14.txt

03/12/2004 - DSA 604-1
Subject: Security vulnerability in the hpsockd package.
http://www.security.unicamp.br/docs/bugs/2004/12/v13.txt

Fedora Update Notification:
---------------------------

08/12/2004 - FEDORA-2004-530
Subject: Fedora Core 2: mysql.
http://www.security.unicamp.br/docs/bugs/2004/12/v28.txt

Gentoo Linux Security Advisory:
-------------------------------

07/12/2004 - GLSA 200412-04
Subject: Perl: Insecure temporary file creation.
http://www.security.unicamp.br/docs/bugs/2004/12/v20.txt

06/12/2004 - GLSA 200412-03
Subject: imlib: Buffer overflows in image decoding.
http://www.security.unicamp.br/docs/bugs/2004/12/v19.txt

05/12/2004 - GLSA 200412-02
Subject: PDFlib: Multiple overflows in the included TIFF library.
http://www.security.unicamp.br/docs/bugs/2004/12/v18.txt

03/12/2004 - GLSA 200412-01
Subject: rssh, scponly: Unrestricted command execution.
http://www.security.unicamp.br/docs/bugs/2004/12/v17.txt

KDE Security Advisories:
------------------------

09/12/2004
Subject: plain text password exposure.
http://www.security.unicamp.br/docs/bugs/2004/12/v30.txt

09/12/2004
Subject: kfax libtiff vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2004/12/v29.txt

Mandrakelinux Security Update Advisory:
---------------------------------------

06/12/2004 - MDKSA-2004:147
Subject: Security vulnerability in the openssl package.
http://www.security.unicamp.br/docs/bugs/2004/12/v27.txt

06/12/2004 - MDKSA-2004:146
Subject: Security vulnerability in the nfs-utils package.
http://www.security.unicamp.br/docs/bugs/2004/12/v26.txt

06/12/2004 - MDKSA-2004:145
Subject: Security vulnerability in the rp-pppoe package.
http://www.security.unicamp.br/docs/bugs/2004/12/v25.txt

06/12/2004 - MDKSA-2004:144
Subject: Security vulnerability in the lvm package.
http://www.security.unicamp.br/docs/bugs/2004/12/v24.txt

06/12/2004 - MDKSA-2004:143
Subject: Security vulnerability in the ImageMagick package.
http://www.security.unicamp.br/docs/bugs/2004/12/v23.txt

06/12/2004 - MDKSA-2004:142
Subject: Security vulnerability in the gzip package.
http://www.security.unicamp.br/docs/bugs/2004/12/v22.txt

-- 
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - UNICAMP
mailto:security at unicamp.br
http://www.security.unicamp.br
GnuPG Public Key: http://www.security.unicamp.br/security.asc


From security at unicamp.br Thu Dec 16 09:39:28 2004
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Thu, 16 Dec 2004 09:39:28 -0200
Subject: [SECURITY-L] *** IMPORTANT *** Advisory 01/2004: Multiple vulnerabilities in PHP 4/5
Message-ID: <20041216113927.GA5804@unicamp.br>

From: Stefan Esser
Subject: Advisory 01/2004: Multiple vulnerabilities in PHP 4/5
To: bugtraq at securityfocus.com, full-disclosure at lists.netsys.com
Date: Wed, 15 Dec 2004 19:46:20 +0100

                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security Advisory =-

     Advisory: Multiple vulnerabilities within PHP 4/5
 Release Date: 2004/12/15
Last Modified: 2004/12/15
       Author: Stefan Esser [sesser at php.net]

  Application: PHP4 <= 4.3.9
               PHP5 <= 5.0.2
     Severity: Several vulnerabilities within PHP allow local and remote
               execution of arbitrary code
         Risk: Critical
Vendor Status: Vendor has released bugfixed versions.
   References: http://www.hardened-php.net/advisories/012004.txt

Overview:

   PHP is a widely-used general-purpose scripting language that is
   especially suited for Web development and can be embedded into HTML.

   During the development of Hardened-PHP, which adds security hardening
   features to the PHP codebase, several vulnerabilities within PHP were
   discovered that reach from buffer overflows, over information leak
   vulnerabilities and path truncation vulnerabilities, to safe_mode
   restriction bypass vulnerabilities.

Details:

   [01 - pack() - integer overflow leading to heap buffer overflow ]

   Insufficient validation of the parameters passed to pack() can lead
   to a heap overflow which can be used to execute arbitrary code from
   within a PHP script. This enables an attacker to bypass safe_mode
   restrictions and execute arbitrary code with the permissions of the
   webserver. Due to the nature of this function it is unlikely that a
   script accidentally exposes it to remote attackers.

   [02 - unpack() - integer overflow leading to heap info leak ]

   Insufficient validation of the parameters passed to unpack() can lead
   to a heap information leak which can be used to retrieve secret data
   from the apache process. Additionally a skilled local attacker could
   use this vulnerability in combination with 01 to bypass heap canary
   protection systems. Similar to 01 this function is usually not used
   on user supplied data within web applications.

   [03 - safe_mode_exec_dir bypass in multithreaded PHP ]

   When safe_mode is activated within PHP, it is only allowed to execute
   commands within the configured safe_mode_exec_dir. Unfortunately PHP
   does prepend a "cd [currentdir] ;" to any executed command when PHP
   is running on a multithreaded unix webserver (f.e. some installations
   of Apache2). Because the name of the current directory is prepended
   directly, a local attacker may bypass safe_mode_exec_dir restrictions
   by injecting shell commands into the current directory name.

   [04 - safe_mode bypass through path truncation ]

   The safe_mode checks silently truncated the file path at MAXPATHLEN
   bytes before passing it to realpath(). In combination with certain
   malfunctional implementations of realpath(), f.e. within glibc, this
   allows crafting a filepath that passes the safe_mode check although
   it points to a file that should fail the safe_mode check.

   [05 - path truncation in realpath() ]

   PHP uses realpath() within several places to get the real path of
   files. Unfortunately some implementations of realpath() silently
   truncate overlong filenames (f.e. OpenBSD, and older NetBSD/FreeBSD).
   This can lead to arbitrary file include vulnerabilities if something
   like

       include "modules/$userinput/config.inc.php";

   is used on such systems.

   [06 - unserialize() - wrong handling of negative references ]

   The variable unserializer could be fooled with negative references to
   add false zvalues to hashtables. When those hashtables get destroyed
   this can lead to efree()s of arbitrary memory addresses which can
   result in arbitrary code execution. (Unless Hardened-PHP's memory
   manager canaries are activated)

   [07 - unserialize() - wrong handling of references to freed data ]

   In addition to bug 07 the previous version of the variable
   unserializer allowed setting references to already freed entries in
   the variable hash. A skilled attacker can exploit this to create a
   universal string that will pass execution to an arbitrary memory
   address when it is passed to unserialize(). For AMD64 systems a
   string was developed that directly passes execution to code contained
   in the string itself.

   It is necessary to understand that these strings can exploit a bunch
   of popular PHP applications remotely because they pass f.e. cookie
   content to unserialize().

   Examples of vulnerable scripts:

   - phpBB2
   - Invision Board
   - vBulletin
   - Woltlab Burning Board 2.x
   - Serendipity Weblog
   - phpAds(New)
   - ...

Proof of Concept:

   The Hardened-PHP project is not going to release exploits for any of
   these vulnerabilities to the public.
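Editor's added example, not part of the Hardened-PHP advisory: a hardened form of the include pattern from issue 05 and a cookie handler that avoids the unserialize() exposure from issue 07. The module names, cookie keys and base directory are constructed for illustration, and the code targets current PHP (json_decode, __DIR__) on a Unix-like host rather than the 2004 releases.

```php
<?php
// Added example (not from the advisory). Two defensive patterns:
//  1. never build an include path directly from request data;
//  2. never hand cookie content to unserialize(); use a data-only format.

// Constructed allowlist: the module names this application actually ships.
$ALLOWED_MODULES = array('blog', 'gallery', 'contact');

/**
 * Resolve a user-supplied module name to its config file, or return null.
 * The name must match the allowlist exactly, so neither "../" sequences nor
 * overlong strings (the realpath() truncation case) ever reach the filesystem.
 */
function resolve_module_config($userinput, array $allowed, $base_dir)
{
    if (!is_string($userinput) || !in_array($userinput, $allowed, true)) {
        return null;   // unknown name: refuse rather than guess
    }
    $candidate = $base_dir . '/modules/' . $userinput . '/config.inc.php';

    // Defence in depth: the resolved file must still sit below $base_dir.
    // Assumes $base_dir is a real directory other than "/".
    $real_base = realpath($base_dir);
    $real_file = realpath($candidate);
    if ($real_base === false || $real_file === false) {
        return null;   // missing file or unresolvable path
    }
    if (strncmp($real_file, $real_base . '/', strlen($real_base) + 1) !== 0) {
        return null;   // escaped the application directory
    }
    return $real_file;
}

/**
 * Read per-user preferences from a cookie without unserialize().
 * JSON decoded into plain arrays cannot create objects, references or
 * destructor calls, which is what made unserialize() on cookies dangerous.
 */
function decode_prefs_cookie($raw)
{
    if (!is_string($raw) || strlen($raw) > 1024) {
        return array();   // absent or oversized: fall back to defaults
    }
    $data = json_decode($raw, true);   // true => associative arrays only
    if (!is_array($data)) {
        return array();
    }
    // Keep only known keys, each coerced to a safe type and range.
    $prefs = array();
    if (isset($data['theme']) && is_string($data['theme'])
        && preg_match('/^[a-z0-9_-]{1,32}$/', $data['theme'])) {
        $prefs['theme'] = $data['theme'];
    }
    if (isset($data['page_size']) && is_int($data['page_size'])) {
        $prefs['page_size'] = max(1, min(100, $data['page_size']));
    }
    return $prefs;
}

// Usage with constructed input; in a real request these would come from
// $_GET['module'] and $_COOKIE['prefs'].
$path = resolve_module_config('gallery', $ALLOWED_MODULES, __DIR__);
if ($path !== null) {
    include $path;   // only reached for an allowlisted, existing module
}
$prefs = decode_prefs_cookie('{"theme":"dark","page_size":500}');
```

The allowlist is what makes the realpath() containment check redundant in the normal case; it stays because it also catches a misconfigured base directory or a module directory replaced by a symlink.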
CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2004-1018 to issues 01, 02, the name
   CAN-2004-1019 to issues 06, 07, the name CAN-2004-1063 to issue 03
   and the name CAN-2004-1064 to issues 04, 05.

Recommendation:

   It is strongly recommended to upgrade to the new PHP-Releases as soon
   as possible, because a lot of PHP applications expose the easy to
   exploit unserialize() vulnerability to remote attackers.

   Additionally we always recommend to run PHP with the Hardened-PHP
   patch applied.

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2004 Stefan Esser. All rights reserved.


From security at unicamp.br Thu Dec 16 16:54:56 2004
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Thu, 16 Dec 2004 16:54:56 -0200
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20041216185451.GA6588@unicamp.br>

Dear Subscribers,

We have updated the Unicamp CSIRT (Computer Security Incident Response Team) site with the following vulnerability bulletins:

CAIS-Alerta:
------------

14/12/2004
Subject: Vulnerabilities in the WINS service (MS04-045).
http://www.security.unicamp.br/docs/bugs/2004/12/v46.txt

14/12/2004
Subject: Vulnerabilities in the Windows kernel and the LSASS protocol (MS04-044).
http://www.security.unicamp.br/docs/bugs/2004/12/v45.txt

14/12/2004
Subject: Vulnerability in Microsoft Hyperterminal (MS04-043).
http://www.security.unicamp.br/docs/bugs/2004/12/v44.txt

14/12/2004
Subject: Vulnerability in the Windows DHCP service (MS04-042).
http://www.security.unicamp.br/docs/bugs/2004/12/v43.txt

14/12/2004
Subject: Remote vulnerability in WordPad (MS04-041).
http://www.security.unicamp.br/docs/bugs/2004/12/v42.txt

Cisco Security Advisory:
------------------------

15/12/2004
Subject: Default Administrative Password in Cisco Guard and Traffic Anomaly Detector.
http://www.security.unicamp.br/docs/bugs/2004/12/v50.txt

15/12/2004
Subject: Cisco Unity Integrated with Exchange Has Default Passwords.
http://www.security.unicamp.br/docs/bugs/2004/12/v49.txt

Debian Security Advisory:
-------------------------

14/12/2004 - DSA 609-1
Subject: Security vulnerability in the atari800 package.
http://www.security.unicamp.br/docs/bugs/2004/12/v41.txt

14/12/2004 - DSA 608-1
Subject: Security vulnerability in the zgv package.
http://www.security.unicamp.br/docs/bugs/2004/12/v40.txt

Gentoo Linux Security Advisory:
-------------------------------

15/12/2004 - GLSA 200412-10
Subject: Vim, gVim: Vulnerable options in modelines.
http://www.security.unicamp.br/docs/bugs/2004/12/v35.txt

15/12/2004 - GLSA 200412-09
Subject: ncpfs: Buffer overflow in ncplogin and ncpmap.
http://www.security.unicamp.br/docs/bugs/2004/12/v34.txt

14/12/2004 - GLSA 200412-08
Subject: nfs-utils: Multiple remote vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2004/12/v33.txt

13/12/2004 - GLSA 200412-07
Subject: file: Arbitrary code execution.
http://www.security.unicamp.br/docs/bugs/2004/12/v32.txt

10/12/2004 - GLSA 200412-06
Subject: PHProjekt: setup.php vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/12/v31.txt

KDE Security Advisories:
------------------------

13/12/2004
Subject: Konqueror Window Injection Vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/12/v36.txt

Mandrakelinux Security Update Advisory:
---------------------------------------

15/12/2004 - MDKSA-2004:150
Subject: Security vulnerability in the kdelibs package.
http://www.security.unicamp.br/docs/bugs/2004/12/v39.txt

13/12/2004 - MDKSA-2004:149
Subject: Security vulnerability in the postgresql package.
http://www.security.unicamp.br/docs/bugs/2004/12/v38.txt

13/12/2004 - MDKSA-2004:148
Subject: Security vulnerability in the iproute2 package.
http://www.security.unicamp.br/docs/bugs/2004/12/v37.txt

Microsoft Security Bulletins:
-----------------------------

14/12/2004
Subject: Microsoft Security Bulletin Summary for December 2004.
http://www.security.unicamp.br/docs/bugs/2004/12/v48.txt

14/12/2004
Subject: Microsoft Security Bulletin Re-Release, December 2004.
http://www.security.unicamp.br/docs/bugs/2004/12/v47.txt

-- 
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - UNICAMP
mailto:security at unicamp.br
http://www.security.unicamp.br
GnuPG Public Key: http://www.security.unicamp.br/security.asc


From security at unicamp.br Thu Dec 23 11:27:29 2004
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Thu, 23 Dec 2004 11:27:29 -0200
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20041223132728.GA6736@unicamp.br>

Dear Subscribers,

We have updated the Unicamp CSIRT (Computer Security Incident Response Team) site with the following vulnerability bulletins:

CAIS-Alerta:
------------

22/12/2004
Subject: Propagation of the Santy worm.
http://www.security.unicamp.br/docs/bugs/2004/12/v98.txt

21/12/2004
Subject: Multiple vulnerabilities in PHP 4.3.9 and 5.0.2.
http://www.security.unicamp.br/docs/bugs/2004/12/v92.txt

Debian Security Advisory:
-------------------------

22/12/2004 - DSA 615-1
Subject: Security vulnerability in the debmake package.
http://www.security.unicamp.br/docs/bugs/2004/12/v99.txt

21/12/2004 - DSA 614-1
Subject: Security vulnerability in the xzgv package.
http://www.security.unicamp.br/docs/bugs/2004/12/v76.txt

21/12/2004 - DSA 613-1
Subject: Security vulnerability in the ethereal package.
http://www.security.unicamp.br/docs/bugs/2004/12/v91.txt

20/12/2004 - DSA 612-1
Subject: Security vulnerability in the a2ps package.
http://www.security.unicamp.br/docs/bugs/2004/12/v75.txt

20/12/2004 - DSA 611-1
Subject: Security vulnerability in the htget package.
http://www.security.unicamp.br/docs/bugs/2004/12/v74.txt

17/12/2004 - DSA 610-1
Subject: Security vulnerability in the cscope package.
http://www.security.unicamp.br/docs/bugs/2004/12/v73.txt

Fedora Update Notification:
---------------------------

22/12/2004 - FEDORA-2004-577
Subject: Fedora Core 3: libtiff.
http://www.security.unicamp.br/docs/bugs/2004/12/v105.txt

22/12/2004 - FEDORA-2004-576
Subject: Fedora Core 2: libtiff.
http://www.security.unicamp.br/docs/bugs/2004/12/v104.txt

21/12/2004 - FEDORA-2004-568
Subject: Fedora Core 3: php.
http://www.security.unicamp.br/docs/bugs/2004/12/v89.txt

21/12/2004 - FEDORA-2004-567
Subject: Fedora Core 2: php.
http://www.security.unicamp.br/docs/bugs/2004/12/v90.txt

21/12/2004 - FEDORA-2004-564
Subject: Fedora Core 3: krb5.
http://www.security.unicamp.br/docs/bugs/2004/12/v88.txt

21/12/2004 - FEDORA-2004-563
Subject: Fedora Core 2: krb5.
http://www.security.unicamp.br/docs/bugs/2004/12/v87.txt

20/12/2004 - FEDORA-2004-562
Subject: Fedora Core 3: samba.
http://www.security.unicamp.br/docs/bugs/2004/12/v86.txt

20/12/2004 - FEDORA-2004-561
Subject: Fedora Core 2: samba.
http://www.security.unicamp.br/docs/bugs/2004/12/v85.txt

15/12/2004 - FEDORA-2004-551
Subject: Fedora Core 3: kdebase.
http://www.security.unicamp.br/docs/bugs/2004/12/v59.txt

15/12/2004 - FEDORA-2004-550
Subject: Fedora Core 3: kdelibs.
http://www.security.unicamp.br/docs/bugs/2004/12/v58.txt

15/12/2004 - FEDORA-2004-549
Subject: Fedora Core 2: kdebase.
http://www.security.unicamp.br/docs/bugs/2004/12/v57.txt

15/12/2004 - FEDORA-2004-548
Subject: Fedora Core 2: kdelibs.
http://www.security.unicamp.br/docs/bugs/2004/12/v56.txt

15/12/2004 - FEDORA-2004-546
Subject: Fedora Core 2: flim.
http://www.security.unicamp.br/docs/bugs/2004/12/v55.txt

Gentoo Linux Security Advisory:
-------------------------------

21/12/2004 - GLSA 200412-23
Subject: Zwiki: XSS vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/12/v96.txt

20/12/2004 - GLSA 200412-21
Subject: MPlayer: Multiple overflows.
http://www.security.unicamp.br/docs/bugs/2004/12/v72.txt

19/12/2004 - GLSA 200412-20
Subject: NASM: Buffer overflow vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/12/v71.txt

19/12/2004 - GLSA 200410-12:02
Subject: WordPress: HTTP response splitting and XSS vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2004/12/v70.txt

19/12/2004 - GLSA 200412-19
Subject: phpMyAdmin: Multiple vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2004/12/v69.txt

19/12/2004 - GLSA 200412-18:02
Subject: abcm2ps: Buffer overflow vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/12/v68.txt

19/12/2004 - GLSA 200412-17
Subject: kfax: Multiple overflows in the included TIFF library.
http://www.security.unicamp.br/docs/bugs/2004/12/v67.txt

19/12/2004 - GLSA 200412-16
Subject: kdelibs, kdebase: Multiple vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2004/12/v66.txt

19/12/2004 - GLSA 200412-15
Subject: Ethereal: Multiple vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2004/12/v65.txt

19/12/2004 - GLSA 200412-14
Subject: PHP: Multiple vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2004/12/v64.txt

17/12/2004 - GLSA 200412-13
Subject: Samba: Integer overflow.
http://www.security.unicamp.br/docs/bugs/2004/12/v63.txt

16/12/2004 - GLSA 200412-12
Subject: Adobe Acrobat Reader: Buffer overflow vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/12/v62.txt

16/12/2004 - GLSA 200412-11
Subject: Cscope: Insecure creation of temporary files.
http://www.security.unicamp.br/docs/bugs/2004/12/v61.txt

HP Security Bulletin:
---------------------

20/12/2004 - HPSBUX01102
Subject: SSRT4687 rev.0 HP-UX newgrp(1) local privilege elevation.
http://www.security.unicamp.br/docs/bugs/2004/12/v80.txt

KDE Security Advisories:
------------------------

20/12/2004
Subject: Konqueror Java Vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/12/v83.txt

Mandrakelinux Security Update Advisory:
---------------------------------------

22/12/2004 - MDKSA-2004:157
Subject: Security vulnerability in the mplayer package.
http://www.security.unicamp.br/docs/bugs/2004/12/v103.txt

22/12/2004 - MDKSA-2004:156
Subject: Security vulnerability in the krb5 package.
http://www.security.unicamp.br/docs/bugs/2004/12/v102.txt

22/12/2004 - MDKSA-2004:155
Subject: Security vulnerability in the logcheck package.
http://www.security.unicamp.br/docs/bugs/2004/12/v101.txt

22/12/2004 - MDKSA-2004:154
Subject: Security vulnerability in the kdelibs package.
http://www.security.unicamp.br/docs/bugs/2004/12/v100.txt

20/12/2004 - MDKSA-2004:153
Subject: Security vulnerability in the aspell package.
http://www.security.unicamp.br/docs/bugs/2004/12/v79.txt

20/12/2004 - MDKSA-2004:152
Subject: Security vulnerability in the ethereal package.
http://www.security.unicamp.br/docs/bugs/2004/12/v78.txt

17/12/2004 - MDKSA-2004:151
Subject: Security vulnerability in the php package.
http://www.security.unicamp.br/docs/bugs/2004/12/v77.txt

OpenPKG Security Advisory:
--------------------------

17/12/2004 - OpenPKG-SA-2004.056
Subject: Security vulnerability in the cvstrac package.
http://www.security.unicamp.br/docs/bugs/2004/12/v54.txt

16/12/2004 - OpenPKG-SA-2004.054
Subject: Security vulnerability in the samba package.
http://www.security.unicamp.br/docs/bugs/2004/12/v53.txt

16/12/2004 - OpenPKG-SA-2004.053
Subject: Security vulnerability in the php package.
http://www.security.unicamp.br/docs/bugs/2004/12/v52.txt

15/12/2004 - OpenPKG-SA-2004.052
Subject: Security vulnerability in the vim package.
http://www.security.unicamp.br/docs/bugs/2004/12/v51.txt

Samba Security Release:
-----------------------

16/11/2004
Subject: Possible remote code execution.
http://www.security.unicamp.br/docs/bugs/2004/12/v60.txt

SUSE Security Announcement:
---------------------------

22/12/2004 - SUSE-SA:2004:046
Subject: Security vulnerability in the kernel.
http://www.security.unicamp.br/docs/bugs/2004/12/v95.txt

22/12/2004 - SUSE-SA:2004:045
Subject: Security vulnerability in the samba package.
http://www.security.unicamp.br/docs/bugs/2004/12/v94.txt

21/12/2004 - SUSE-SA:2004:044
Subject: Security vulnerability in the kernel.
http://www.security.unicamp.br/docs/bugs/2004/12/v93.txt

Trustix Secure Linux Security Advisory:
---------------------------------------

21/12/2004 - #2004-0069
Subject: Security vulnerability in kerberos5.
http://www.security.unicamp.br/docs/bugs/2004/12/v84.txt

19/12/2004 - #2004-0068
Subject: Security vulnerability in the kernel.
http://www.security.unicamp.br/docs/bugs/2004/12/v82.txt

17/12/2004 - #2004-0066
Subject: Security vulnerability in the samba and php packages.
http://www.security.unicamp.br/docs/bugs/2004/12/v81.txt

US-CERT Technical Cyber Security Alert:
---------------------------------------

21/12/2004 - TA04-356A
Subject: Exploitation of phpBB highlight parameter vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/12/v97.txt

-- 
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - UNICAMP
mailto:security at unicamp.br
http://www.security.unicamp.br
GnuPG Public Key: http://www.security.unicamp.br/security.asc