Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 6 No. 49



> ****************************************************************
>
> (2) HIGH: Mozilla-based Browsers Multiple Memory Corruption
> Vulnerabilities
> Affected:
> Mozilla Firefox versions prior to 2.0.0.10
> Mozilla SeaMonkey versions prior to 1.1.7
> Netscape Navigator versions prior to 9.0.4
>
> Description: Web browsers based on the Mozilla suite, including Firefox,
> contain multiple vulnerabilities in their handling of web content. A
> specially crafted web page or script could trigger one of these
> vulnerabilities. Successfully exploiting one of these vulnerabilities
> would allow an attacker to execute arbitrary code with the privileges
> of the current user. Note that other browsers or applications based on
> the Mozilla framework could be vulnerable. Details for these
> vulnerabilities are available via source code analysis.
>
> Status: Mozilla confirmed, updates available.
>
> References:
> Mozilla Security Advisory
> http://www.mozilla.org/security/announce/2007/mfsa2007-38.html
> Netscape Release Notes
> http://browser.netscape.com/releasenotes/#whatsnew
> SecurityFocus BID
> http://www.securityfocus.com/bid/26593
>
> ****************************************************************
>
> (3) HIGH: IBM Lotus Notes Attachment Parsing Multiple Buffer Overflows
> Affected:
> Lotus Notes versions 8.0 and prior
>
> Description: Autonomy KeyView is a media viewing component distributed
> with IBM's Lotus Notes groupware suite. This component contains several
> buffer overflows in the processing of various file formats. A specially
> crafted file attached to a message could trigger one of these overflows,
> allowing an attacker to execute arbitrary code with the privileges of
> the current user. Note that Lotus Notes determines what icon to display
> for an attachment and what application to open it using different data;
> it is therefore possible to spoof malicious attachments as more
> innocuous formats. A proof-of-concept and full technical details for
> these vulnerabilities are publicly available. Note that other products
> using Autonomy KeyView may be vulnerable.
>
> Status: IBM confirmed, updates available.
>
> References:
> IBM Security Advisory
> http://www-1.ibm.com/support/docview.wss?uid=swg21285600
> CORE Security Advisory
> http://www.coresecurity.com/index.php5?action=item&id=2008
> Proof-of-Concept
> http://downloads.securityfocus.com/vulnerabilities/exploits/26604.py
> SecurityFocus BID
> http://www.securityfocus.com/bid/26604
>
>



 




Copyright © Lexa Software, 1996-2009.