Debian Security Advisories
Several vulnerabilities were discovered in the Network Time Protocol
daemon and utility programs:
DSA-3628 perl – security update
Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:
DSA-3627 phpmyadmin – security update
Several vulnerabilities have been fixed in phpMyAdmin, the web-based
MySQL administration interface.
DSA-3626 openssh – security update
Eddie Harari reported that the OpenSSH SSH daemon allows user
enumeration through timing differences when trying to authenticate
users. When sshd tries to authenticate a non-existing user, it picks
up a fixed fake password structure whose hash is based on the Blowfish
algorithm. If real users' passwords are hashed using SHA256/SHA512, a
remote attacker can take advantage of this flaw by sending large
passwords and observing shorter response times from the server for
non-existing users.
DSA-3625 squid3 – security update
Several security issues have been discovered in the Squid caching proxy.
DSA-3624 mysql-5.5 – security update
Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.50. Please see the MySQL 5.5 Release Notes and Oracle’s
Critical Patch Update advisory for further details:
DSA-3623 apache2 – security update
Scott Geary of VendHQ discovered that the Apache HTTPD server used the
value of the Proxy header from HTTP requests to initialize the
HTTP_PROXY environment variable for CGI scripts, which in turn was
incorrectly used by certain HTTP client implementations to configure the
proxy for outgoing HTTP requests. A remote attacker could possibly use
this flaw to redirect HTTP requests performed by a CGI script to an
attacker-controlled proxy via a malicious HTTP request.
DSA-3622 python-django – security update
It was discovered that Django, a high-level Python web development
framework, is prone to a cross-site scripting vulnerability in the
admin’s add/change related popup.
DSA-3621 mysql-connector-java – security update
A vulnerability was discovered in mysql-connector-java, a Java database
(JDBC) driver for MySQL, which may result in unauthorized update, insert
or delete access to some MySQL Connectors accessible data as well as
read access to a subset of MySQL Connectors accessible data. The
vulnerability was addressed by upgrading mysql-connector-java to the new
upstream version 5.1.39, which includes additional changes, such as bug
fixes, new features, and possibly incompatible changes. Please see the
MySQL Connector/J Release Notes and Oracle’s Critical Patch Update
advisory for further details:
DSA-3620 pidgin – security update
Yves Younan of Cisco Talos discovered several vulnerabilities in the
MXit protocol support in pidgin, a multi-protocol instant messaging
client. A remote attacker can take advantage of these flaws to cause a
denial of service (application crash), overwrite files, information
disclosure, or potentially to execute arbitrary code.