Multiple security vulnerabilities have been identified in libexpat, a library for parsing XML files. These vulnerabilities may allow a local or remote unprivileged user to create a crafted XML file that may cause an application linked with libexpat to crash, resulting in a Denial of Service (DoS) condition.

Additional information regarding these issues is available at:

Permalink | Comments [0]

Two security vulnerabilities have been found in the GNU tar gtar(1) archiving program bundled with Solaris 9, Solaris 10 and OpenSolaris.

The first issue is a directory traversal vulnerability that may allow a local or remote unprivileged user who provides a specially crafted archive to overwrite arbitrary files which the user executing gtar(1) has permission to modify.

The second issue is a buffer overflow which may allow a local or remote unprivileged user who provides a specially crafted tar archive to execute arbitrary commands with the privileges of the user executing gtar(1) or to cause gtar(1) to crash.  The ability to cause a program crash is a type of Denial of Service (DoS).

Additional information regarding these issues is available at:

• CVE-2007-4131 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131
• CVE-2007-4476 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
  

Permalink | Comments [0]

Multiple security vulnerabilities in the XML library (see libxml2(3)) bundled with Sun Management Center 3.6.1 and 4.0 may allow a local or remote unprivileged user to execute arbitrary code with the privileges of the SunMC application or crash the SunMC application causing a Denial of Service (DoS) by providing a specially crafted XML file. The SunMC application runs with root privileges.

Additional information regarding these issues is available in the following documents:

Permalink | Comments [0]

A security vulnerability in the TLS protocol (TLS 1.0 or later and SSLv3) may allow an unauthenticated, remote attacker to conduct man-in-the-middle (MITM) type of attacks where chosen plain text may be injected as a prefix in an user's TLS session. This vulnerability does not allow one to decrypt the intercepted network communication.

This issue is referenced in CVE-2009-3555 and US-CERT VU#120541

Exact nature of the impact depends on the application making use of the TLS facility. Applications which use Network Security Services (NSS), Java Secure Socket Extensions (JSSE), OpenSSL or GnuTLS libraries may be affected.

Sun is evaluating the impact of the issue on various products which make use of the TLS libraries. We are working to fix the TLS implementations according to the TLS protocol standard extensions currently being developed.

Solaris Kernel SSL proxy module KSSL does not support client renegotiation or rehandshake. It ignores the rehandshake message which is an allowed behavior by the SSL/TLS specification. Hence it is not vulnerable to this issue. KSSL (see ksslcfg(1M)) is available in Solaris 10 and OpenSolaris. It may be used to workaround the described issue in server applications.

The issue does not affect any server applications distributed with Solaris which use the GnuTLS library. At this time we do not plan to issue any interim fixes to GnuTLS libraries. Fixes to GnuTLS distributed with Solaris would be provided when the proposed TLS extensions become a standard.

Following Sun Alerts provide more information about this issue:

• 273029 Describes the issue in OpenSSL libraries provided with Solaris.
• 273350 Describes the issue in NSS libraries provided with Solaris and Sun Java Enterprise System.

tags: gnutls jsse nss openssl security tls vulnerability

Permalink | Comments [0]

A security vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) protocols in the handling of session renegotiations affects Network Security Services (NSS). This issue may allow a remote unauthenticated user with the ability to intercept and control network traffic to perform a man-in-the-middle (MITM) attack to inject arbitrary plain text at the beginning of the application protocol stream, thus compromising the integrity of the communication. This vulnerability does not allow one to decrypt the intercepted network communication.

Sun acknowledges with thanks, Marsh Ray and Steve Dispensa of PhoneFactor for bringing this issue to our attention.

This issue is also referenced in the following documents:

Permalink | Comments [2]

Security vulnerabilities in thunderbird(1) related to handling of SSL server certificates
may allow remote SSL servers with crafted server certificates to compromise an encrypted
communication or cause arbitrary code execution with the privileges of a Thunderbird user.

The following Mozilla advisories describe the vulnerabilities:
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html

http://www.mozilla.org/security/announce/2009/mfsa2009-43.html

Additional references:

CVE-2009-2404 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2404

CVE-2009-2408 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408

Permalink | Comments [0]

Multiple Cross-Site Scripting (XSS) security vulnerabilities exist in Sun Java System Portal Server's Gateway that may allow remote users to execute arbitrary JavaScript code in a user's web browser.

Permalink | Comments [0]

Multiple security vulnerabilities in Adobe Reader versions 9.x before 9.1.4, 8.x before 8.1.7 and 7.x before 7.1.4 may allow remote unprivileged users to execute arbitrary code or crash the Adobe Reader application, thereby causing a Denial of Service (DoS) condition. These vulnerabilities may be exploited via specially crafted PDF files.

The following resources document these issues in more detail:

Permalink | Comments [0]

A security vulnerability in the BIND DNS software shipped with Solaris may allow a remote user who is able to perform recursive queries to cause a server that is configured to support DNSSEC validation and recursive client queries to return incorrect addresses for Internet hosts, thereby redirecting end users to unintended hosts or services.

This issue is also mentioned in the following document:

• https://www.isc.org/node/504
  

Permalink |

A command execution vulnerability in the Java Runtime Environment Deployment Toolkit may be leveraged to execute arbitrary code. This may occur as the result of a user of the Java Runtime Environment viewing a specially crafted web page that exploits this vulnerability.

Sun acknowledges with thanks, an anonymous researcher working with iDefense for bringing this issue to our attention.

Permalink |

Multiple security vulnerabilities in the LDAP client configuration cache daemon (ldap_cachemgr(1M)) may allow a local unprivileged user to terminate the ldap_cachemgr daemon. On Solaris 9 and 10 systems this will prevent LDAP name service requests from succeeding. This is a type of Denial of Service (DoS) as LDAP name service requests will hang and users may no longer be able to login to LDAP client systems. On Solaris 8 systems, LDAP name service requests will be slower, as caching will not occur which is also a type of Denial of Service (DoS).

Permalink |

Multiple security vulnerabilities with varying impacts affect Firefox (see firefox(1)) versions prior to 3.5.3 as shipped with OpenSolaris. These vulnerabilities may allow an unprivileged remote user to steal content from the "History" or "Smart Location" bar, or to possibly execute arbitrary code on the system where Firefox is being run. Further vulnerabilities may allow a remote user to run malicious JavaScript at Chrome privileges or perform a cross-origin data theft.

The following Mozilla advisories describe the vulnerabilities:

The following are the CVE identifiers that pertain to these security issues:

Permalink |

A security vulnerability in the timeout mechanism of Solaris sshd(1M) may allow a remote unprivileged user to cause a Denial of Service (DoS) condition. If this issue is exploited, the sshd(1M) daemon will stop accepting new ssh(1) connections.

Permalink | Comments [1]

Two security vulnerabilities in SAMBA(7) may result in one or both of the following issues:

1. A remote unprivileged user with a valid SAMBA account may gain unauthorized access to the remote root file system. This issue is referenced in the following CVE document:

2. A remote unprivileged user on an authenticated SAMBA connection may cause a Denial of Service (DoS) condition via specially crafted SMB requests. This issue is referenced in the following CVE document:

Permalink |

Security vulnerabilities in the Solaris IP(7P) module and STREAMS Framework may allow an unprivileged local user to leak kernel memory, eventually causing the system to hang. This is a type of Denial of Service (DoS).

Permalink |