ARCHIVE :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 23



> *************************
> Widely Deployed Software
> *************************
> 
> ************************************************************************
> 
> (2) MODERATE: Apache SpamAssassin Remote Code Execution
> 
> Affected:
> SpamAssassin versions 2.5x, 2.6x, 3.0.x, 3.1.x 
> 
> Description: SpamAssassin, a popular open source spam detection engine
> contains a remote code execution vulnerability. The flaw can be
> triggered by sending a specially-crafted e-mail message, and can be
> exploited to execute arbitrary commands with the privileges of the
> SpamAssassin daemon (spamd). However, the vulnerability exists only when
> the spamd daemon has been executed with the "vpopmail (-v)" and
> "paranoid (-p)" options. The "vpopmail" option is typically used in
> virtual mail hosting environment to operate the SpamAssassin daemon with
> individual user preferences. The "paranoid" option is used to validate
> commands from the SpamAssassin clients; invalid commands cause
> operational faults in the daemon. Although in common installations
> neither option is enabled by default, "vpopmail" is generally enabled
> on large mail hosting sites with many virtual users. Note that when
> SpamAssassin is configured to run with both these options, no user
> interaction is required to exploit the flaw.
> 
> Status: SpamAssassin has released fixed versions 3.1.3 and 3.0.6.
> 
> Council Site Actions: Only one of the reporting council sites is using
> the affected software. They rely heavily on SpamAssassin for their
> central and departmental mail systems; however, they believe it would be
> very unlikely for any of their installations to have the daemon options
> needed for exploitation.
> 
> References:
> SpamAssassin Advisory
> http://spamassassin.apache.org/advisories/cve-2006-2447.txt
> http://www.nabble.com/forum/ViewPost.jtp?post=4717543 
> SpamAssassin Daemon (spamd) Documentation
> http://spamassassin.apache.org/full/3.1.x/dist/doc/spamd.html 
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/18290 
> 
> ************************************************************************
>  
> (3) LOW: MySQL Mysql_real_escape SQL Injection
> Affected: MySQL packages prior to version 4.1.20
> 
> Description: The MySQL "Mysql_real_escape" function contains a SQL
> injection vulnerability. This function is used to ensure that strings
> are properly escaped in SQL requests. However, in certain multibyte
> encoding schemes (such as SJIS, BIG5, and GBK), it is still possible to
> inject SQL commands into requests to a MySQL server via this function.
> Note that encodings like BIG5 are commonly used in Asian languages.
> 
> Status: MySQL has released a fixed version 4.1.20. A possible workaround
> for vulnerable versions is to set the "NO_BACKSLASH_ESCAPES" server
> parameter. This will enable strict SQL compatibility mode, which will
> cause the server to treat backslashes as normal characters. Note that
> this workaround is acceptable only if backslashes are acceptable in the
> stored data.
> 
> Council Site Actions: Several of the reporting council sites are using
> the affected software. Two of them plan to distribute the patches during
> their next regularly scheduled system update cycle. The third site is
> still assessing whether their deployment is vulnerable to exploitation.
> 
> References:
> MySQL Release Announcement (includes technical and workaround details)
> http://lists.mysql.com/announce/364 
> MySQL Home Page
> http://www.mysql.com/ 
> Previous @RISK Entry (details a similar vulnerability in PostgreSQL)
> http://www.sans.org/newsletters/risk/display.php?v=5&i=21#widely6 
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/18219                 
> 
> **********************************************************************
>  
> (4) LOW: Multiple Browsers Arbitrary File Upload Vulnerability
> Affected: All Mozilla-based web browsers and Microsoft Internet Explorer
> 
> Description: Multiple web browsers contain an implementation flaw in the
> handling of certain JavaScript constructs. By tricking a user into
> typing a file name in a form, a specially-crafted webpage can read any
> file that is accessible to the user. Hence, the vulnerability can be
> used to steal sensitive information from the user's system. The problem
> arises due to input-focus management in the file upload dialog windows.
> Exploit code has been publicly posted.
> 
> Status: Vendors are aware of the flaw; no updates are available.
> 
> Council Site Actions: All of the reporting council sites are waiting for
> IE patches from Microsoft. The council sites that are also using
> Firefox/Mozilla will be updated via the automatic update facility. One
> site commented that they rated this as a low risk because of the
> requirement for the end user to enter text.
> 
> References:
> Posting by Charles
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046610.html
> Posting by Bart
> http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0085.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/18308 
> 
> ************************************************************************
> 
> ******************
> Other Software
> ******************
> 
> (5) CRITICAL: Qbik WinGate WWW Proxy Server Request Buffer Overflow
> Affected: WinGate 6.1.2.1094 and prior
> 
> Description: Qbik WinGate, a popular HTTP proxy server, contains a
> buffer overflow vulnerability. The overflow can be triggered by
> specifying an overly-long URL in an HTTP request and exploited to
> execute arbitrary code. Exploit code for this vulnerability is publicly
> available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
> 
> References:
> Exploit Code
> http://www.milw0rm.com/exploits/1885
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/18312 
> 
> ************************************************************************
> 06.23.1 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Explorer Frameset Denial of Service
> Description: Microsoft Internet Explorer is vulnerable to a denial of
> service issue due to insufficient handling of pages containing
> "frameset" tags, along with "self.resizeTo" method calls with
> excessively large arguments. Microsoft Internet Explorer versions 6
> and earlier are vulnerable.
> Ref: http://www.securityfocus.com/archive/1/434742
> ______________________________________________________________________
> 
> 06.23.2 CVE: Not Available
> Platform: Other Microsoft Products
> Title: NetMeeting Memory Corruption Denial of Service
> Description: Microsoft NetMeeting is a network collaboration
> application. It is vulnerable to a memory corruption denial of service
> issue due to insufficient handling of malformed network traffic.
> Microsoft NetMeeting version 3.01 is vulnerable.
> Ref: http://www.hexview.com/docs/20060606-1.txt
> ______________________________________________________________________
> 
> 
> 06.23.4 CVE: CVE-2006-2869
> Platform: Third Party Windows Apps
> Title: Avast! Antivirus CHM Unpacker Unspecified Vulnerability
> Description: The Avast! Antivirus product is an antivirus application
> for the Microsoft Windows platform. It is prone to an unspecified
> vulnerability. This issue affects the CHM unpacker in versions 4.7.827
> and earlier.
> Ref: http://www.securityfocus.com/bid/18238
> ______________________________________________________________________
> 
> 06.23.5 CVE: CVE-2006-2926
> Platform: Third Party Windows Apps
> Title: Qbik WinGate Remote HTTP Request Buffer Overflow
> Description: Qbik WinGate is a sharing proxy server. It is exposed to
> a remote buffer overflow issue due to insufficient boundary checking
> when receiving maliciously long packets. Qbik version 6.1.1.1077 is
> affected.
> Ref:
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046646.html
> ______________________________________________________________________
> 
> 06.23.6 CVE: CVE-2006-1091
> Platform: Third Party Windows Apps
> Title: Kaspersky Internet Security Suite Multiple Local
> Vulnerabilities
> Description: Kaspersky Internet Security Suite is a personal security
> suite. It is vulnerable to multiple local issues including a denial of
> service issue. Kaspersky Internet Security Suite version 5.0 is
> vulnerable. See reference for further details.
> Ref: http://www.securityfocus.com/archive/1/436440
> ______________________________________________________________________
> 
> 06.23.7 CVE: CVE-2006-2193
> Platform: Linux
> Title: LibTIFF tiff2pdf Remote Buffer Overflow
> Description: tiff2pdf is a conversion utility to convert TIFF files to
> PDF format. It is exposed to a buffer overflow issue. This is because
> it fails to check the input file size. LibTIFF version 3.8.2 is
> affected.
> Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=370355
> ______________________________________________________________________
> 
> 06.23.9 CVE: CVE-2006-2447
> Platform: Unix
> Title: SpamAssassin Vpopmail and Paranoid Switches Remote Command
> Execution
> Description: SpamAssassin is a mail filter designed to identify and
> process spam. It is vulnerable to an arbitrary command execution issue
> due to an error when processing a specially formatted input message
> when the "-v" and "-P" options are enabled. SpamAssassin versions
> 3.1.2 and earlier are vulnerable.
> Ref: http://rhn.redhat.com/errata/RHSA-2006-0543.html
> ______________________________________________________________________
> 
> 06.23.12 CVE: CVE-2006-2659
> Platform: Unix
> Title: Courier Mail Server Username Encoding Remote Denial of Service
> Description: Courier Mail Server is an email server application.
> Courier Mail Server is prone to a remote denial of service
> vulnerability because it fails to properly handle certain usernames in
> email messages. This issue occurs when usernames contain the "="
> character prior to an "@" character in email addresses. This triggers
> an infinite loop, and ultimately the consumption of CPU resources.
> Versions of the Courier MTA prior to 0.53.2 are vulnerable to this
> issue.
> Ref: http://www.courier-mta.org/beta/patches/verp-fix/README.txt
> ______________________________________________________________________
> 
> 06.23.13 CVE: Not Available
> Platform: Cross Platform
> Title: GD Graphics Library Remote Denial of Service
> Description: The GD Graphics Library (gdlib) is an open-source
> graphics library. It is affected by a denial of service issue due to
> the "gdImageCreateFromGifPtr()" function entering an infinite loop
> condition while trying to process specially crafted GIF images. GD
> version 2.0.33 is affected.
> Ref: http://www.securityfocus.com/bid/18294
> ______________________________________________________________________
> 
> 06.23.15 CVE: CVE-2006-2894
> Platform: Cross Platform
> Title: Multiple Vendor Web Browser JavaScript Key Filtering
> Description: Multiple web browser products are vulnerable to a
> JavaScript key filtering issue because an attacker can trick a user
> into typing the characters of the target filename in a text box and
> using the OnKeyDown, OnKeyPress, and OnKeyUp Javascript keystroke
> events to change the focus and cause those characters to be inserted
> into a file upload input control. Please see the reference below for
> further details.
> Ref: http://www.mozilla.org/security/#Security_Alerts
> ______________________________________________________________________
> 
> 06.23.17 CVE: Not Available
> Platform: Cross Platform
> Title: FreeType TTF File Remote Buffer Overflow
> Description: FreeType is an open-source font-handling library. It is
> affected by an integer underflow issue in the
> "psh_blues_set_zones_0()" function of the "src/pshinter/pshglob.c"
> source file. FreeType versions 2.2.1 and earlier are affected.
> Ref: http://www.securityfocus.com/bid/18326
> ______________________________________________________________________
> 
> 06.23.18 CVE: CVE-2006-2661
> Platform: Cross Platform
> Title: FreeType TTF File Remote Denial of Service
> Description: FreeType is a font handling library. It is prone to a
> denial of service issue due to a flaw in the "base/ftutil.c" source
> file. FreeType versions 2.2.0 and earlier are vulnerable.
> Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183676
> ______________________________________________________________________
> 
> 06.23.19 CVE: Not Available
> Platform: Cross Platform
> Title: GD Graphics Library Truncated GIF File Remote Denial of Service
> Description: The GD Graphics Library is prone to a denial of service
> vulnerability. Attackers can trigger an infinite loop condition when
> the library tries to handle truncated GIF image files. This issue
> allows attackers to consume excessive CPU resources on computers that
> use the affected software. This may deny service to legitimate users.
> GD version 2.0.33 is vulnerable.
> Ref: http://www.securityfocus.com/bid/18347
> ______________________________________________________________________
> 
> 06.23.85 CVE: CVE-2006-2901
> Platform: Network Device
> Title: D-Link DWL-2100AP Information Disclosure
> Description: D-Link DWL-2100AP devices are 802.11b/g wireless access
> points. They are exposed to a remote information disclosure issue.
> This is due to insufficient sanitization of HTTP GET requests to the
> "cgi-bin" directory. D-Link model DWL-2100AP is affected.
> Ref: http://www.intruders.com.br/adv0206en.html
> ______________________________________________________________________
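As an added defensive check, not part of the forwarded digest: both SpamAssassin entries above say exploitation requires spamd to have been started with the vpopmail and paranoid options together, so one quick audit is to scan process listings for that combination. The option spellings -v/--vpopmail and -P/--paranoid follow the spamd(1) documentation linked in the digest; the ps output embedded below is constructed, and treating a bundled short flag such as -vP as both options is an assumption made so the check leans toward reporting.

```python
import os
import shlex

# Constructed sample of `ps -eo pid,args` output, not captured from a real host.
SAMPLE_PS = """\
  PID COMMAND
  812 /usr/sbin/spamd --vpopmail --paranoid -d --pidfile=/var/run/spamd.pid
  903 /usr/sbin/spamd -v -d -m 5
 1044 /usr/sbin/spamd -d -P --max-children 10
 1177 /usr/sbin/spamd -vP -d
 1290 /usr/bin/perl /usr/sbin/spamd -d -p 783 -v
"""

VPOPMAIL = {"-v", "--vpopmail"}   # spellings from spamd(1)
PARANOID = {"-P", "--paranoid"}


def spamd_flags(cmdline):
    """Return (vpopmail, paranoid) for one spamd command line.

    Lowercase -p is spamd's listen-port option and is not treated as
    paranoid. Bundled short flags such as -vP are also counted; that
    spamd accepts bundling is an assumption, made so the check leans
    toward reporting an instance rather than missing one.
    """
    vpop = para = False
    for tok in shlex.split(cmdline)[1:]:
        if tok in VPOPMAIL:
            vpop = True
        elif tok in PARANOID:
            para = True
        elif tok[:1] == "-" and tok[:2] != "--" and len(tok) > 2:
            vpop = vpop or "v" in tok[1:]
            para = para or "P" in tok[1:]
    return vpop, para


def vulnerable_pids(ps_output):
    """PIDs of spamd processes (direct or via perl) started with both options."""
    hits = []
    for line in ps_output.splitlines()[1:]:          # skip the ps header row
        pid, _, args = line.strip().partition(" ")
        argv = shlex.split(args)
        # spamd may run directly or as `perl /path/spamd`, so check both slots
        if not pid.isdigit() or "spamd" not in map(os.path.basename, argv[:2]):
            continue
        if all(spamd_flags(args)):
            hits.append(int(pid))
    return hits
```

On the constructed sample, `vulnerable_pids(SAMPLE_PS)` reports PIDs 812 and 1177 only; a hit means upgrading to the fixed 3.1.3/3.0.6 releases named above or dropping one of the two options.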




 




Copyright © Lexa Software, 1996-2009.