Peter De Wachter discovered that CUPS, the Common UNIX Printing
System, did not correctly parse compressed raster files. By submitting
a specially crafted raster file, a remote attacker could use this
vulnerability to trigger a buffer overflow.
Monthly Archives: February 2015
DSA-3173 libgtk2-perl – security update
It was discovered that libgtk2-perl, a Perl interface to the 2.x series
of the Gimp Toolkit library, incorrectly frees memory which GTK+ still
holds onto and might access later, leading to denial of service
(application crash) or, potentially, to arbitrary code execution.
DSA-3174 iceweasel – security update
Multiple security issues have been found in Iceweasel, Debian’s version
of the Mozilla Firefox web browser: Multiple memory safety errors and
implementation errors may lead to the execution of arbitrary code or
information disclosure.
Vuln: Croogo CMS Cross Site Scripting Vulnerability
Vuln: PHPKIT WCMS 'include.php' Cross Site Scripting Vulnerability
Vuln: Samba 'TALLOC_FREE()' Function Remote Code Execution Vulnerability
Vuln: Wireshark '.pcap' File Memory Corruption Vulnerability
CVE-2015-2077
The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers’ installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.
CVE-2015-2078
The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers, a different vulnerability than CVE-2015-2077.
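The two Komodia entries above describe one trust failure from two sides: CVE-2015-2077 means anyone who extracts the root CA private key from one install can mint a certificate for any hostname that every other install will trust, and CVE-2015-2078 means the interceptor itself does not validate the upstream server before re-signing its identity under that root. The Go program below is an added example written for this page, not code from Komodia or from any of the products named; it builds the whole situation in memory with the standard library's crypto/x509. The CA names, the host www.example.com, the serial numbers and the simplified "re-sign" interceptor are all constructed for the example; the page does not describe exactly how the real SDK handled an invalid upstream certificate, so resign() is a model of the failure mode, not the SDK's logic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check panics on key-generation or signing errors; nothing in this example recovers from them.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// tmpl builds a minimal template: a CA when isCA is set, else a server leaf for host cn.
func tmpl(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh P-256 key and signs t with parent/parentKey (self-signed when parent is nil).
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// accepts reports whether a client trusting roots would accept cert for host.
func accepts(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// resign models the interceptor re-issuing an upstream server's identity under the vendor
// root. With verifyUpstream set it first validates the upstream certificate against
// publicRoots and returns false if that fails; without it (CVE-2015-2078) it re-signs anything.
func resign(up, vendor *x509.Certificate, vendorKey *ecdsa.PrivateKey, publicRoots *x509.CertPool, verifyUpstream bool) (*x509.Certificate, bool) {
	host := up.Subject.CommonName
	if verifyUpstream && !accepts(up, publicRoots, host) {
		return nil, false
	}
	cert, _ := issue(tmpl(host, 99, false), vendor, vendorKey)
	return cert, true
}

// Run builds the whole scenario in memory (every name is constructed for this example)
// and reports which certificates each party ended up accepting.
func Run() map[string]bool {
	const host = "www.example.com"
	publicCA, _ := issue(tmpl("Example Public CA", 1, true), nil, nil)
	// In the affected products the vendor root's private key shipped with every install,
	// so the "attacker" below simply reuses the same key pair.
	vendor, vendorKey := issue(tmpl("Shared Vendor Root CA", 2, true), nil, nil)
	publicRoots, victimRoots := x509.NewCertPool(), x509.NewCertPool()
	publicRoots.AddCert(publicCA)
	victimRoots.AddCert(publicCA)
	victimRoots.AddCert(vendor) // the interceptor added its root to the victim's store
	// CVE-2015-2077: anyone holding the shared key mints a leaf for any host.
	forged, _ := issue(tmpl(host, 3, false), vendor, vendorKey)
	// CVE-2015-2078: a MITM upstream presents a self-signed cert no public CA vouches for.
	bogus, _ := issue(tmpl(host, 4, false), nil, nil)
	_, withCheck := resign(bogus, vendor, vendorKey, publicRoots, true)
	resigned, _ := resign(bogus, vendor, vendorKey, publicRoots, false)
	return map[string]bool{
		"forged_leaf_accepted_by_victim":  accepts(forged, victimRoots, host),
		"forged_leaf_accepted_by_clean":   accepts(forged, publicRoots, host),
		"bogus_resigned_with_check":       withCheck,
		"bogus_resigned_no_check_trusted": accepts(resigned, victimRoots, host),
	}
}

func main() { fmt.Println(Run()) }
```

Running it shows the two halves of the problem: the forged leaf validates on the victim (vendor root installed) and fails on a clean machine, and the non-validating interceptor turns a certificate no public CA vouches for into one the victim's browser accepts without complaint. The practical check on an affected machine is therefore not the leaf certificate a site presents but the root store: any root whose private key is known to be shared across installations has to be removed, since nothing signed under it can be trusted.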
Ubuntu Security Notice USN-2510-1
Ubuntu Security Notice 2510-1 – Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges.