Monthly Archives: December 2013

Joomla

CVE-2013-5583

Cross-site scripting (XSS) vulnerability in libraries/idna_convert/example.php in Joomla! 3.1.5 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. (CVSS:4.3) (Last Update:2013-12-30)

NVD

CVE-2013-3140 (internet_explorer)

Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted CMarkup object, aka “Internet Explorer Use After Free Vulnerability.”

NVD

CVE-2013-5045 (internet_explorer)

Microsoft Internet Explorer 10 and 11 allows local users to bypass the Protected Mode protection mechanism, and consequently gain privileges, by leveraging the ability to execute sandboxed code, aka “Internet Explorer Elevation of Privilege Vulnerability.”

NVD

CVE-2013-7020 (debian_linux, ffmpeg)

The read_header function in libavcodec/ffv1dec.c in FFmpeg before 2.1 does not properly enforce certain bit-count and colorspace constraints, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted FFV1 data.

VMWare

UPDATED VMSA-2013-0007.1 VMware ESX third partyupdate for Service Console package sudo

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
             VMware Security Advisory

Advisory ID: VMSA-2013-0007.1
Synopsis:    VMware ESX third party update for Service Console package sudo
Issue date:  2013-05-30
Updated on:  2013-12-05
CVE number:  CVE-2012-2337, CVE-2012-3440
- - -----------------------------------------------------------------------

1. Summary

    VMware ESX third party update for Service Console package sudo

2. Relevant releases

    VMware ESX 4.1 without patch ESX410-201312001
    VMware ESX 4.0 without patch ESX400-201305001

3. Problem Description

  a. Service Console update for sudo
      
      The service console package sudo is updated to version 
      1.7.2p1-14.el5_8.3

      The Common Vulnerabilities and Exposures project (cve.mitre.org) 
      has assigned the name CVE-2012-2337 and CVE-2012-3440 to the issues 
      addressed in this update. 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available. 

        VMwareProductRunningReplace with/
        ProductVersiononApply Patch
        ============================================
ESXianyESXinot affected

ESX4.1ESXESX410-201312401-SG
ESX4.0ESXESX400-201305402-SG

 4. Solution

      Please review the patch/release notes for your product and version 
      and verify the checksum of your downloaded file. 

      ESXi and ESX 
      --------------------------
      http://www.vmware.com/patchmgr/download.portal


      ESX 4.1
      -------
      File: ESX410-201312001.zip
      Build: 1368001
      md5sum: c35763a84db169dd0285442d4129cc18
      sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
      http://kb.vmware.com/kb/2061209
      ESX410-201312001 contains ESX410-201312401-SG

      ESX 4.0 
      -------
      File: ESX400-201305001.zip 
      Build: 1070634
      md5sum: c9ac91d3d803c7b7cb9df401c20b91c0 
      sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411
      https://kb.vmware.com/kb/2044240
      ESX400-201305001 contains ESX400-201305402-SG
      
   
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3440


- - -----------------------------------------------------------------------

6. Change log

   2013-05-30 VMSA-2013-0007
   Initial security advisory in conjunction with the release of ESX 4.0
   patches on 2013-05-30.

   2013-12-05 VMSA-2013-0007.1
   Security advisory update in conjunction with the release of ESX 4.1
   patches on 2013-12-05.

- - -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
   
   This Security Advisory is posted to the following lists:
   
     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk
   
   E-mail:  security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055
   
   VMware Security Advisories
   http://www.vmware.com/security/advisories
   
   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html
   
   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html
   
   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html
   
   Copyright 2013 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlKhUgMACgkQDEcm8Vbi9kOk1QCfSIni5b2S0/kH5GOrBijlsGIq
HgoAoJqxCyke7a/OO3aGzBXZaZLZeLa4
=8fBO
-----END PGP SIGNATURE-----
VMWare

UPDATED VMSA-2013-0007.1 VMware ESX third partyupdate for Service Console package sudo

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
             VMware Security Advisory

Advisory ID: VMSA-2013-0007.1
Synopsis:    VMware ESX third party update for Service Console package sudo
Issue date:  2013-05-30
Updated on:  2013-12-05
CVE number:  CVE-2012-2337, CVE-2012-3440
- - -----------------------------------------------------------------------

1. Summary

    VMware ESX third party update for Service Console package sudo

2. Relevant releases

    VMware ESX 4.1 without patch ESX410-201312001
    VMware ESX 4.0 without patch ESX400-201305001

3. Problem Description

  a. Service Console update for sudo
      
      The service console package sudo is updated to version 
      1.7.2p1-14.el5_8.3

      The Common Vulnerabilities and Exposures project (cve.mitre.org) 
      has assigned the name CVE-2012-2337 and CVE-2012-3440 to the issues 
      addressed in this update. 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available. 

        VMwareProductRunningReplace with/
        ProductVersiononApply Patch
        ============================================
ESXianyESXinot affected

ESX4.1ESXESX410-201312401-SG
ESX4.0ESXESX400-201305402-SG

 4. Solution

      Please review the patch/release notes for your product and version 
      and verify the checksum of your downloaded file. 

      ESXi and ESX 
      --------------------------
      http://www.vmware.com/patchmgr/download.portal


      ESX 4.1
      -------
      File: ESX410-201312001.zip
      Build: 1368001
      md5sum: c35763a84db169dd0285442d4129cc18
      sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
      http://kb.vmware.com/kb/2061209
      ESX410-201312001 contains ESX410-201312401-SG

      ESX 4.0 
      -------
      File: ESX400-201305001.zip 
      Build: 1070634
      md5sum: c9ac91d3d803c7b7cb9df401c20b91c0 
      sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411
      https://kb.vmware.com/kb/2044240
      ESX400-201305001 contains ESX400-201305402-SG
      
   
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3440


- - -----------------------------------------------------------------------

6. Change log

   2013-05-30 VMSA-2013-0007
   Initial security advisory in conjunction with the release of ESX 4.0
   patches on 2013-05-30.

   2013-12-05 VMSA-2013-0007.1
   Security advisory update in conjunction with the release of ESX 4.1
   patches on 2013-12-05.

- - -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
   
   This Security Advisory is posted to the following lists:
   
     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk
   
   E-mail:  security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055
   
   VMware Security Advisories
   http://www.vmware.com/security/advisories
   
   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html
   
   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html
   
   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html
   
   Copyright 2013 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlKhUgMACgkQDEcm8Vbi9kOk1QCfSIni5b2S0/kH5GOrBijlsGIq
HgoAoJqxCyke7a/OO3aGzBXZaZLZeLa4
=8fBO
-----END PGP SIGNATURE-----