Heap-based buffer overflow in the AppleTalk networking stack in XNU 1228.3.13 and earlier on Apple Mac OS X 10.5.6 and earlier allows remote attackers to cause a denial of service (system crash) via a ZIP NOTIFY (aka ZIPOP_NOTIFY) packet that overwrites a certain ifPort structure member. (CVSS:10.0) (Last Update:2009-04-18)
Category Archives: Security
CVE-2009-1237
Multiple memory leaks in XNU 1228.3.13 and earlier on Apple Mac OS X 10.5.6 and earlier allow local users to cause a denial of service (kernel memory consumption) via a crafted (1) SYS_add_profil or (2) SYS___mac_getfsstat system call. (CVSS:4.9) (Last Update:2009-04-18)
CVE-2009-1233
Apple Safari 3.2.2 and 4 Beta on Windows allows remote attackers to cause a denial of service (application crash) via an XML document containing many nested A elements. (CVSS:4.3) (Last Update:2010-08-21)
CVE-2009-1238
Race condition in the HFS vfs sysctl interface in XNU 1228.8.20 and earlier on Apple Mac OS X 10.5.6 and earlier allows local users to cause a denial of service (kernel memory corruption) by simultaneously executing the same HFS_SET_PKG_EXTENSIONS code path in multiple threads, which is problematic because of lack of mutex locking for an unspecified global variable. (CVSS:7.2) (Last Update:2009-04-18)
CVE-2009-1235
XNU 1228.9.59 and earlier on Apple Mac OS X 10.5.6 and earlier does not properly restrict interaction between user space and the HFS IOCTL handler, which allows local users to overwrite kernel memory and gain privileges by attaching an HFS+ disk image and performing certain steps involving HFS_GET_BOOT_INFO fcntl calls. (CVSS:7.2) (Last Update:2009-08-13)
New pages and RSS feeds for security announcements
Separate Security Announcements by Type
To make the impact of different security advisories and announcements easier to see, they are now separated by type.
Drupal core security advisories: http://drupal.org/security
RSS feed for Drupal core: http://drupal.org/security/rss.xml
Contributed project security advisories: http://drupal.org/security/contrib
RSS feed for contributed projects: http://drupal.org/security/contrib/rss.xml
Public service announcements: http://drupal.org/security/psa
RSS feed for announcements: http://drupal.org/security/psa/rss.xml
We encourage those using RSS readers to track security-related developments to subscribe to all three of these feeds.
All posts to each of these three forums will still be sent to the one security announcements e-mail list. To subscribe to that e-mail list, once logged in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.
All future public service announcements will only be posted to the Public service announcements page and feed.
Background on the Changes
At Drupalcon in Washington, D.C. earlier this month, members of the Security team held a “Birds of a Feather” session to discuss various topics, including improvements to our process of communicating with the public.
One outcome of this meeting was that we decided to more clearly differentiate among security advisories for Drupal core (which affect all users) as opposed to security advisories for contributed projects (which are often used by only tens of sites). In addition, the security team has on occasion issued announcements (such as this one), which were previously mixed in with actual security advisories.
Since the Drupal 6.x upgrade of http://drupal.org, newsletter postings have been managed using forums. The security team has thus split security-related postings among three forums under http://drupal.org/forum/1188.
All past and new advisories and announcements and their feeds can be viewed (via tabs) on http://drupal.org/security.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[ANNOUNCE] libapreq2-2.12 Released
libapreq2-2.12 Released
The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.12 release of libapreq2. This
announcement notes significant changes introduced by this release.
libapreq2-2.12 is released under the Apache License
version 2.0. It is now available through the ASF mirrors
http://httpd.apache.org/apreq/download.cgi
and has entered the CPAN as
file: $CPAN/authors/id/J/JO/JOESUF/libapreq2-2.12.tar.gz
size: 859412 bytes
md5: 76e2acde0d82246dea6f2565f3746eec
libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data. This package provides
1) version 2.7.1 of the libapreq2 library,
2) mod_apreq2, a filter module necessary for using libapreq2
within the Apache HTTP Server,
3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload
perl modules for using libapreq2 with mod_perl2.
========================================================================
Changes with libapreq2-2.12 (released March 13, 2009)
- C API [joes]
Make the cookie parser a little more flexible.
- Interactive CGI module [issac]
Allow cgi module to interactively prompt for parameters and cookies when
running a script from the command line and not from a CGI interface
- Perl Glue [joes]
Fix the linking of the perl modules to libapreq2 and libapr
on Solaris.
- Perl Glue [joes]
Fix install-time linking issue of the .so modules.
Previously they would remain linked against the src
library path, not the install path.
- C API [joes]
Add optional interface for apreq_handle_apache2().
- C API [joes]
Clean up buggy apreq_hook_find_param().
- Perl Glue Build [Philip M. Gollucci]
config.status format changed yet again in autoconf 2.62+.
- License [Mladen Turk]
Add libapreq.rc and generate libapreq.res
- Build [Mladen Turk]
Add APREQ_DECLARE_EXPORT/APREQ_DECLARE_STATIC
in the same way as APR declares so that dllexport/dllimport
get correctly handled.
- Build [Randy Kobes]
Add appropriate manifest command to embed manifest files on Win32
when using VC8
- C API [Andy Grundman, joes]
Add missing bytes_read initializer to apreq_handle_custom().
- C API [suggested by Vinay Y S, tested by Steve Hay and Peter Walsham]
For Win32, remove the
flag |= APR_FILE_NOCLEANUP | APR_SHARELOCK;
in apreq_file_cleanup, to avoid problems with file uploads.
- C API [joes]
Fix leak associated to calling apreq_brigade_fwrite() on an upload
brigade.
- Build [Philip M. Gollucci]
SunOS (Solaris)
Users must use gmake not make for building.
- Build [Philip M. Gollucci]
SunOS (Solaris)
Code around bug in libtool (at least in 1.5.18, 1.5.20, 1.5.22)
causing mod_apreq2 to be built instead of mod_apreq2.so
- C API [Philip M. Gollucci]
Fix signed vs. unsigned comparison
in apreq_fwritev() on SunOS/gcc where iovec.iov_len is a long.
- Build [Philip M. Gollucci]
SunOS (Solaris)
fix duplicate link error to libexpat.so -- by using the one from httpd
exclusively now.
- Build [Philip M. Gollucci]
code around |#_!!_#| autoconf 2.60 bug.
CVE-2008-6373
Unspecified vulnerability in Nagios before 3.0.6 has unspecified impact and remote attack vectors related to CGI programs, “adaptive external commands,” and “writing newlines and submitting service comments.” (CVSS:5.0) (Last Update:2009-07-22)
SA-CORE-2009-004 – Local file inclusion on Windows
- Advisory ID: DRUPAL-SA-CORE-2009-004
- Project: Drupal core
- Versions: 5.x
- Date: 2009-February-25
- Security risk: Highly Critical
- Exploitable from: Remote
- Vulnerability: Local file inclusion on Windows
- Reference: SA-CORE-2009-003 (6.x)
Description
This vulnerability exists on Windows, regardless of the type of webserver (Apache, IIS) used.
The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it doesn’t take into account how Windows arrives at a canonicalized path. This enables malicious users to include files, readable by the webserver and located on the same volume as Drupal, and to execute PHP contained within those files. For example, if a site has uploads enabled, an attacker may upload a file containing PHP code and cause it to be included on a subsequent request by manipulating the URL used to access the site.
Important note: An attacker may also be able to inject PHP code into webserver logs and subsequently include the log file, leading to code execution even if no upload functionality is enabled on the site.
Versions Affected
- Drupal 5.x before version 5.16
Solution
Install the latest version:
- If you are running Drupal 5.x then upgrade to Drupal 5.16.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes the security vulnerability, but does not contain other fixes which were released in Drupal 5.16.
- To patch Drupal 5.15 use SA-CORE-2009-004-5.15.patch.
Reported by
Bogdan Calin (www.acunetix.com)
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
SA-CORE-2009-003 – Local file inclusion on Windows
- Advisory ID: DRUPAL-SA-CORE-2009-003
- Project: Drupal core
- Versions: 6.x
- Date: 2009-February-25
- Security risk: Highly Critical
- Exploitable from: Remote
- Vulnerability: Local file inclusion on Windows
Description
This vulnerability exists on Windows, regardless of the type of webserver (Apache, IIS) used.
The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it doesn’t take into account how Windows arrives at a canonicalized path. This enables malicious users to include files, readable by the webserver and located on the same volume as Drupal, and to execute PHP contained within those files. For example, if a site has uploads enabled, an attacker may upload a file containing PHP code and cause it to be included on a subsequent request by manipulating the URL used to access the site.
Important note: An attacker may also be able to inject PHP code into webserver logs and subsequently include the log file, leading to code execution even if no upload functionality is enabled on the site.
Versions Affected
- Drupal 6.x before version 6.10
Solution
Install the latest version:
- If you are running Drupal 6.x then upgrade to Drupal 6.10.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes the security vulnerability, but does not contain other fixes which were released in Drupal 6.10.
- To patch Drupal 6.9 use SA-CORE-2009-003-6.9.patch.
Reported by
Bogdan Calin (www.acunetix.com)
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
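The root cause named in both advisories above (SA-CORE-2009-003 and SA-CORE-2009-004) is that URL arguments flow into a template filename and Windows canonicalizes that filename in ways the code did not anticipate. The defensive pattern is to allowlist the argument characters before they ever become part of a path, and to verify the resolved path afterwards. The following PHP is an added example written for this page, not Drupal core or the released patch; the function name `safe_template_suggestion`, the `page-<args>.tpl.php` naming scheme and the `themes/garland` directory are assumptions.

```php
<?php
// Added example (not Drupal's code): hardened template-suggestion lookup.
// Theme suggestions are built from URL arguments (e.g. "node/123" ->
// page-node-123.tpl.php), so each argument must be validated before it is
// used in a filename. Allowlisting characters sidesteps every platform
// canonicalization quirk (backslashes, trailing dots or spaces, drive
// letters, short names) instead of trying to enumerate them.

function safe_template_suggestion(array $url_args, string $theme_dir): ?string {
  $parts = array();
  foreach ($url_args as $arg) {
    // Only plain identifier characters may reach the filename; anything
    // else (".", "/", "\\", ":", whitespace, NUL) is rejected outright.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $arg)) {
      return NULL;
    }
    $parts[] = strtolower($arg);
  }
  if (!$parts) {
    return NULL;
  }
  $candidate = $theme_dir . DIRECTORY_SEPARATOR . 'page-' . implode('-', $parts) . '.tpl.php';

  // Second line of defence: after the OS has canonicalized the path, it
  // must still sit inside the theme directory. realpath() returns FALSE
  // for a missing file, which is also treated as "no template".
  $base = realpath($theme_dir);
  $resolved = realpath($candidate);
  if ($base === FALSE || $resolved === FALSE) {
    return NULL;
  }
  if (strncmp($resolved, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    return NULL;  // resolved outside the theme directory
  }
  return $resolved;
}

// Constructed usage; the theme directory layout is assumed.
$theme_dir = __DIR__ . '/themes/garland';
var_dump(safe_template_suggestion(array('node', '123'), $theme_dir));           // path, or NULL if the template is absent
var_dump(safe_template_suggestion(array('..', 'files', 'evil.php.'), $theme_dir)); // NULL: rejected by the allowlist
```

Note that the allowlist check fires before any filesystem access, so a request with a rejected argument never causes the webserver to stat or open a file outside the theme directory.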