Two security vulnerabilities exist in the Apache 2 mod_perl2(3) module
components which affect the Apache 2.0 web server bundled with Solaris
10 and the Apache 2.2 web server bundled with OpenSolaris.

The first issue, a Denial of Service (DoS) vulnerability in the "RunPerl.pm"
component (CVE-2007-1349), may allow a remote unprivileged user to
cause a Denial of Service to the Apache 2 "httpd" process.

The second issue, a Cross Site Scripting (CSS or XSS) vulnerability in the
"Status.pm" component (CVE-2009-0796), may allow a remote unprivileged
user to inject arbitrary web script or HTML. This may allow the unprivileged
user to bypass access control and gain access to unauthorized data.

Additional information regarding these issues is available at:

CVE-2007-1349 at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1349

CVE-2009-0796 at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0796




Permalink |

A remote unprivileged user may be able to crash an application which dynamically links to the Portable Network Graphics library (libpng(3)) due to a security vulnerability in libpng(3). The ability to crash an application is a type of Denial of Service (DoS). A number of applications which comprise the GNOME desktop environment dynamically link with libpng(3).

This issue is described in the following documents:

• CERT VU# 684664 at: https://www.kb.cert.org/vuls/id/684664
• CVE-2007-2445 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2445

Permalink |

A security vulnerability in SCTP (Stream Control Transmission Protocol (see sctp(7P))) and SDP (Sockets Direct Protocol driver (see sdp(7D))) sockets may allow local unprivileged users to leak kernel memory, thereby causing a Denial of Service (DoS) condition.
Permalink |

The Java Runtime Environment (JRE) Java Update mechanism running on non-English versions of the Windows operating system does not update the JRE when a new version is available.

Sun acknowledges with thanks, Tomasz "Tometzky" Ostrowski for bringing this issue to our attention.

Permalink |

Two vulnerabilities in the Java Runtime Environment with decoding DER encoded data and parsing HTTP headers may separately allow a remote client to cause the JRE on the server to run out of memory, resulting in a DoS (Denial of Service) condition.

Sun acknowledges with thanks, BFK edv-consulting GmbH, for bringing the first issue to our attention.

Permalink |

A security vulnerability in the Java Runtime Environment with verifying HMAC digests may allow authentication to be bypassed. This could allow a user to forge a digital signature that would be accepted as valid. Applications that validate HMAC-based digital signatures may be vulnerable to this type of attack.

Note: This vulnerability cannot be exploited by an untrusted applet or Java Web Start application.

Sun acknowledges, with thanks, Coda Hale for bringing this issue to our attention.

Permalink |

Multiple buffer and integer overflow vulnerabilities in the Java Runtime Environment with processing audio and image files may allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

Sun acknowledges with thanks, the following researchers for bringing these issues to our attention:

CR 6854303: An anonymous researcher, working with the Zero Day Initiative (http://www.zerodayinitiative.com) and TippingPoint (http://www.tippingpoint.com).

CR 6862970: An anonymous researcher working with the iDefense VCP (http://labs.idefense.com/vcp/).

CR 6872357 and CR 6872358: Peter Vreugdenhil, working with the Zero Day Initiative (http://www.zerodayinitiative.com) and TippingPoint (http://www.tippingpoint.com).

CR 6872358, CR 6862969 and CR 6862968: regenrecht working with iDefense VCP (http://labs.idefense.com/vcp/).

CR 6874643: regenrecht working with Zero Day Initiative (http://www.zerodayinitiative.com) and TippingPoint (http://www.tippingpoint.com).

Permalink |

Permalink |

A security vulnerability in the Java Web Start Installer may be leveraged to allow an untrusted Java Web Start application to run as a trusted application and execute arbitrary code. This may occur when a user opens a specially crafted web page that exploits this vulnerability.

Sun acknowledges with thanks, Peter Csepely, working with the Zero Day Initiative (http://www.zerodayinitiative.com/) and TippingPoint (http://www.tippingpoint.com/) for bringing this issue to our attention.

Permalink |

Security vulnerabilities affecting the PostgreSQL software shipped with Solaris may allow an authenticated PostgreSQL user to cause a denial of service (DoS) to the PostgreSQL server by "re-LOAD-ing" libraries from a certain plugins directory. However, the PostgreSQL versions shipped with Solaris do not include any plugins. In addition, an issue with the privileges for RESET ROLE and RESET SESSION AUTHORIZATION operations may allow any authenticated users to gain extra privileges.

These issues are described in the following documents:

Official PostgreSQL announcement at: http://www.postgresql.org/about/news.1135
CVE-2009-3229 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3229
CVE-2009-3230 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230

Note: PostgreSQL is not compiled with LDAP support on Solaris. Solaris is not affected with CVE-2009-3231.

Permalink |

A heap overflow vulnerability in the w(1) utility may allow a local unprivileged user to execute arbitrary code with root privileges.

Sun acknowledges with thanks, Monarch Rich "1c239c43f521145fa8385d64a9c32243 http://unsecurityresearch.blogspot.com" for discovering and reporting this issue.
Permalink |

A security vulnerability in Solaris Sockets Direct Protocol (SDP) driver (sdp(7D)) may allow a local or remote unprivileged user to exhaust all kernel memory.  This is a type of Denial of Service (DoS).

Note: No applications bundled with Solaris are affected by this issue however third-party applications which make use of SDP may be affected.
Permalink |

On November 3, 2009, Sun will release the following security updates:

• JDK and JRE 6 Update 17
• JDK and JRE 5.0 Update 22
• SDK and JRE 1.4.2_24
• SDK and JRE 1.3.1_27

The following Sun Alerts corresponding to these updates will be released following the availability of these updates.

• 269868
• 269869
• 269870
• 270474
• 270475
• 270476

tags: java security

Permalink | Comments [1]

A security vulnerability in Solaris Trusted Extensions may result in a condition that prevents XScreenSaver (xscreensaver(1)) from running. The screen may not lock if a user chooses to lock the screen from the JDS menu or if the screen is left unattended. This condition occurs when trying to restart XScreenSaver using "xscreensaver-demo".

Permalink |

A security vulnerability with verifying HMAC-based XML digital signatures in the XML Digital Signature implementation included with webservices component of Sun GlassFish Enterprise Server may allow authentication to be bypassed. This could allow a user to forge an XML digital signature that would be accepted as valid. Applications that validate HMAC-based XML digital signatures may be vulnerable to this issue.

This issue is also described in the following documents:

CERT VU#466161 at:

• http://www.kb.cert.org/vuls/id/466161

CVE-2009-0217 at:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217

Sun acknowledges, with thanks, Thomas Roessler from the W3C for bringing this issue to our attention.

Permalink |