September 2007

MDKSA-2007:178 
Package : x11-server
Date    : September 11, 2007
Affected: 2007.0, 2007.1

Abstract:
A buffer overflow in the Composite extension  of the X.org X server, which if exploited could lead to local privilege  escalation.

MDKSA-2007:179
Package : fetchmail
Date    : September 11, 2007
Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0

Abstract:
 A vulnerability in fetchmail was found where it could crash when  attempting to deliver an internal warning or error message through an  untrusted or compromised SMTP server, leading to a denial of service.

MDKSA-2007:180
Package : id3lib
Date    : September 12, 2007
Affected: 2007.0, 2007.1, Corporate 3.0

Abstract:
A programming error was found in id3lib that could  lead to a denial of service through symlink attacks

MDKSA-2007:181
Package : librpcsecgss
Date    : September 12, 2007
Affected: 2007.0, 2007.1, Corporate 4.0

Abstract:
A stack buffer overflow vulnerability was discovered in the RPCSEC_GSS  RPC library that could potentially allow  for the execution of arbitrary code

MDKSA-2007:182
Package : quagga
Date    : September 13, 2007
Affected: Corporate 4.0

Abstract:
The bgpd daemon in Quagga prior to 0.99.9 allowed remote BGP peers  to cause a denial of service crash via a malformed OPEN message or  COMMUNITY attribute.


MDKSA-2007:183
Package : qt
Date    : September 13, 2007
Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0

Abstract:
A buffer overflow was found in how Qt expanded malformed Unicode  strings.  If an application linked against Qt parsed a malicious  Unicode string, it could lead to a denial of service or potentially  allow for the execution of arbitrary code.

MDKSA-2007:184
Package : cacti
Date    : September 17, 2007
Affected: Corporate 4.0

Abstract:
A vulnerability in Cacti 0.8.6i and earlier versions allows remote  authenticated users to cause a denial of service (CPU consumption)  via large values of the graph_start, graph_end, graph_height, or  graph_width parameters.

MDKSA-2007:185
Package : avahi
Date    : September 17, 2007
Affected: 2007.0, 2007.1

Abstract:
The Avahi daemon in 0.6.20 and previous allows attackers to cause a  denial of service via empty TXT data over D-Bus, which triggers an  assert error.

MDKSA-2007:186
Package : openoffice.org
Date    : September 17, 2007
Affected: 2007.0, 2007.1, Corporate 3.0

Abstract:
 An integer overflow in the TIFF parser in OpenOffice.org prior to  version 2.3 allows remote attackers to execute arbitrary code via  a TIFF file with crafted values which triggers the allocation of  an incorrect amount of memory which results in a heap-based buffer overflow.

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.