Vulnerabilities > CVE-2012-4540 - Numeric Errors vulnerability in multiple products

CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
opensuse
redhat
CWE-189
nessus

Summary

Off-by-one error in the invoke function in IcedTeaScriptablePluginObject.cc in IcedTea-Web 1.1.x before 1.1.7, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.x before 1.4.1 allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly execute arbitrary code via a crafted webpage that triggers a heap-based buffer overflow, related to an error message and a "triggering event attached to applet." NOTE: the 1.4.x versions were originally associated with CVE-2013-4349, but that entry has been MERGED with this one.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20121107_ICEDTEA_WEB_ON_SL6_X.NASL
    descriptionThis erratum also upgrades IcedTea-Web to version 1.2.2. Web browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect.
    last seen2020-03-18
    modified2012-11-08
    plugin id62859
    published2012-11-08
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/62859
    titleScientific Linux Security Update : icedtea-web on SL6.x i386/x86_64 (20121107)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set, the script only declares
    # plugin metadata and leaves through exit(0) at the end of the branch,
    # so none of the host checks further down run in this mode.
    if (description)
    {
      script_id(62859);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/27");
    
      # The CVE reference is the only place where this plugin names the flaw
      # it checks for.
      script_cve_id("CVE-2012-4540");
    
      script_name(english:"Scientific Linux Security Update : icedtea-web on SL6.x i386/x86_64 (20121107)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      # NOTE(review): the description text below carries only the erratum's
      # upgrade and browser-restart notice. It does not describe the
      # vulnerability, so a report reader has to follow the CVE reference
      # to learn what is being fixed.
      script_set_attribute(
        attribute:"description", 
        value:
    "This erratum also upgrades IcedTea-Web to version 1.2.2.
    
    Web browsers using the IcedTea-Web browser plug-in must be restarted
    for this update to take effect."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1211&L=scientific-linux-errata&T=0&P=431
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5d3c7b86"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected icedtea-web and / or icedtea-web-javadoc packages."
      );
      # CVSS v2 base vector: network access, medium complexity, no
      # authentication, partial confidentiality/integrity/availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      # Declared as a local check; presumably the data it needs is gathered
      # by the ssh_get_info.nasl dependency listed below. TODO confirm.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:icedtea-web");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:icedtea-web-javadoc");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      # NOTE(review): the recorded vulnerability publication date is later
      # than the patch publication date.
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/11/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      # Knowledge-base entries required up front; the check body reads each
      # of these four keys.
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      # Metadata only: stop here without examining the host.
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # Preconditions. Each guard hands control to audit() when the host is out
    # of scope: local checks disabled, not Scientific Linux, not release 6.x,
    # no RPM list collected, or an unsupported CPU. Presumably audit() (from
    # audit.inc) ends the script; the guards rely on that.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    # `>!<` tests "is not a substring of": the release string must mention
    # Scientific Linux.
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    # Capture the numeric release (major, optionally .minor) from the string.
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    # Accept "6" or "6.x" only; the ([^0-9]|$) part keeps a value such as
    # "60" from matching.
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver);
    # Without the collected package list there is nothing to compare against.
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    # Supported architectures: cpu must be a substring of "x86_64" or match
    # i386 through i686.
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    # Count how many of the fixed package builds rpm_check() flags for this
    # host. This is a package-version comparison only: the advisory text
    # says browsers must be restarted for the update to take effect, and an
    # RPM check cannot confirm that.
    flag = 0;
    fixed_builds = make_list(
      "icedtea-web-1.2.2-1.el6_3",
      "icedtea-web-javadoc-1.2.2-1.el6_3"
    );
    foreach fixed_build (fixed_builds)
    {
      if (rpm_check(release:"SL6", reference:fixed_build)) flag++;
    }
    
    
    # Outcome: with no flagged package, audit the result as either
    # "not affected" (packages were tested) or "not installed"; otherwise
    # raise a warning-level finding that carries the rpm report as detail.
    if (!flag)
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icedtea-web / icedtea-web-javadoc");
    }
    else
    {
      security_report_v4(port:0, severity:SECURITY_WARNING, extra:rpm_report_get());
      exit(0);
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-17026.NASL
    descriptionUpdated to icedtea-web 1.4.1 New in release 1.4.1 (2013-XX-YY) : - Improved and cleaned Temporary internet files panel - PR1465 - java.io.FileNotFoundException while trying to download a JAR file - PR1473 - javaws should not depend on name of local file - PR854: Resizing an applet several times causes 100% CPU load - CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet - reproducers tests are enabled in dist-tarball - application context support for OpenJDK build 25 and higher - small patches into rhino support and - PR1533: Inherit jnlp.packEnabled and jnlp.versionEnabled like other properties - add icedtea-web man page - make check enabled again - should be build for non-standart archs - removed unused multilib arches Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-09-21
    plugin id70037
    published2013-09-21
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/70037
    titleFedora 19 : icedtea-web-1.4.1-0.fc19 (2013-17026)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_ICEDTEA-WEB-130924.NASL
    descriptionThis icedtea-web update adds a missing fix for an off-by-one heap-based buffer overflow. - icedtea-web 1.4.1 fixes the missing patch for CVE-2012-4540. (bnc#840572: CVE-2013-4349)
    last seen2020-06-05
    modified2013-10-03
    plugin id70289
    published2013-10-03
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/70289
    titleSuSE 11.2 / 11.3 Security Update : icedtea-web (SAT Patch Numbers 8357 / 8358)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2013-733.NASL
    descriptionThis icedtea-web update fixes several security issues. Changes in icedtea-web : - update to 1.4.1 (bnc#840572) - Improved and cleaned Temporary internet files panel - NetX - PR1465 - java.io.FileNotFoundException while trying to download a JAR file - PR1473 - javaws should not depend on name of local file - Plugin - PR854: Resizing an applet several times causes 100% CPU load - Security Updates - CVE-2013-4349, RH869040: Heap-based buffer overflow after triggering event attached to applet (CVE-2012-4540 not fixed in icedtea-web 1.4) - Misc - reproducers tests are enabled in dist-tarball - application context support for OpenJDK build 25 and higher - small patches into rhino support and - PR1533: Inherit jnlp.packEnabled and jnlp.versionEnabled like other properties - need jpackage-utils on older distros - run more tests in %check - drop icedtea-web-AppContext.patch, already upstream - add javapackages-tools to build requires
    last seen2020-06-05
    modified2014-06-13
    plugin id75156
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75156
    titleopenSUSE Security Update : icedtea-web (openSUSE-SU-2013:1509-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2012-1434.NASL
    descriptionUpdated icedtea-web packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. A buffer overflow flaw was found in the IcedTea-Web plug-in. Visiting a malicious web page could cause a web browser using the IcedTea-Web plug-in to crash or, possibly, execute arbitrary code. (CVE-2012-4540) Red Hat would like to thank Arthur Gerkis for reporting this issue. This erratum also upgrades IcedTea-Web to version 1.2.2. Refer to the NEWS file, linked to in the References, for further information. All IcedTea-Web users should upgrade to these updated packages, which resolve this issue. Web browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id62871
    published2012-11-12
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/62871
    titleCentOS 6 : icedtea-web (CESA-2012:1434)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2012-1434.NASL
    descriptionFrom Red Hat Security Advisory 2012:1434 : Updated icedtea-web packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. A buffer overflow flaw was found in the IcedTea-Web plug-in. Visiting a malicious web page could cause a web browser using the IcedTea-Web plug-in to crash or, possibly, execute arbitrary code. (CVE-2012-4540) Red Hat would like to thank Arthur Gerkis for reporting this issue. This erratum also upgrades IcedTea-Web to version 1.2.2. Refer to the NEWS file, linked to in the References, for further information. All IcedTea-Web users should upgrade to these updated packages, which resolve this issue. Web browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id68652
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68652
    titleOracle Linux 6 : icedtea-web (ELSA-2012-1434)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-16971.NASL
    descriptionUpdated to icedtea-web 1.4.1 New in release 1.4.1 (2013-XX-YY) : - Improved and cleaned Temporary internet files panel - PR1465 - java.io.FileNotFoundException while trying to download a JAR file - PR1473 - javaws should not depend on name of local file - PR854: Resizing an applet several times causes 100% CPU load - CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet - reproducers tests are enabled in dist-tarball - application context support for OpenJDK build 25 and higher - small patches into rhino support and - PR1533: Inherit jnlp.packEnabled and jnlp.versionEnabled like other properties - add icedtea-web man page - make check enabled again - should be build for non-standart archs - removed unused multilib arches Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-09-23
    plugin id70060
    published2013-09-23
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/70060
    titleFedora 20 : icedtea-web-1.4.1-0.fc20 (2013-16971)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2012-797.NASL
    descriptionThe IcedTea Web Java plugin was updated to 1.3.1 (bnc#787846) - Security Updates - CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet - Common Bugfixes - PR1161: X509VariableTrustManager does not work correctly with OpenJDK7 fixes the self-signed issue (mentioned in bnc#784859, bnc#785333, bnc#786775)
    last seen2020-06-05
    modified2014-06-13
    plugin id74816
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74816
    titleopenSUSE Security Update : icedtea-web (openSUSE-SU-2012:1524-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_ICEDTEA-WEB-121113.NASL
    descriptionThe IcedTea-Web Java plugin has been updated to version 1.3.1 to fix various bugs and security issues. 1.3.1 changes : - Security Updates - RH869040: Heap-based buffer overflow after triggering event attached to applet. (CVE-2012-4540) - Common - PR1161: X509VariableTrustManager does not work correctly with OpenJDK7 fixes the self-signed issue (mentioned in bnc#784859, bnc#785333, bnc#786775)
    last seen2020-06-05
    modified2013-01-25
    plugin id64156
    published2013-01-25
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/64156
    titleSuSE 11.2 Security Update : icedtea-web (SAT Patch Number 7041)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-17745.NASL
    descriptionThis updates a recently found heap buffer overflow issue in IcedTea web. It fixes : CVE-2012-4540 icedtea-web: IcedTeaScriptableJavaObject::invoke off-by-one heap-based buffer overflow Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-11-12
    plugin id62881
    published2012-11-12
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/62881
    titleFedora 16 : icedtea-web-1.3.1-1.fc16 (2012-17745)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1625-1.NASL
    descriptionArthur Gerkis discovered a buffer overflow in the Icedtea-Web plugin. If a user were tricked into opening a malicious website, an attacker could cause the plugin to crash or possibly execute arbitrary code as the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id62860
    published2012-11-08
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/62860
    titleUbuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : icedtea-web vulnerability (USN-1625-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-17827.NASL
    descriptionThis updates a recently found heap buffer overflow issue in IcedTea web. It fixes : CVE-2012-4540 icedtea-web: IcedTeaScriptableJavaObject::invoke off-by-one heap-based buffer overflow Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-11-12
    plugin id62883
    published2012-11-12
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/62883
    titleFedora 18 : icedtea-web-1.3.1-1.fc18 (2012-17827)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-17016.NASL
    descriptionUpdated to icedtea-web 1.4.1 New in release 1.4.1 (2013-XX-YY) : - Improved and cleaned Temporary internet files panel - PR1465 - java.io.FileNotFoundException while trying to download a JAR file - PR1473 - javaws should not depend on name of local file - PR854: Resizing an applet several times causes 100% CPU load - CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet - reproducers tests are enabled in dist-tarball - application context support for OpenJDK build 25 and higher - small patches into rhino support and - PR1533: Inherit jnlp.packEnabled and jnlp.versionEnabled like other properties - add icedtea-web man page - make check enabled again - should be build for non-standart archs - removed unused multilib arches Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-10-04
    plugin id70296
    published2013-10-04
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/70296
    titleFedora 18 : icedtea-web-1.4.1-0.fc18 (2013-17016)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-602.NASL
    descriptionThe icedtea-web java plugin was updated to 1.6.1. Changes included : - Enabled Entry-Point attribute check - permissions sandbox and signed app and unsigned app with permissions all-permissions now run in sandbox instead of not at all. - fixed DownloadService - comments in deployment.properties now should persists load/save - fixed bug in caching of files with query - fixed issues with recreating of existing shortcut - trustAll/trustNone now processed correctly - headless no longer shows dialogues - RH1231441 Unable to read the text of the buttons of the security dialogue - Fixed RH1233697 icedtea-web: applet origin spoofing (CVE-2015-5235, bsc#944208) - Fixed RH1233667 icedtea-web: unexpected permanent authorization of unsigned applets (CVE-2015-5234, bsc#944209) - MissingALACAdialog made available also for unsigned applications (but ignoring actual manifest value) and fixed - NetX - fixed issues with -html shortcuts - fixed issue with -html receiving garbage in width and height - PolicyEditor - file flag made to work when used standalone - file flag and main argument cannot be used in combination - Fix generation of man-pages with some versions of
    last seen2020-06-05
    modified2015-09-23
    plugin id86094
    published2015-09-23
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/86094
    titleopenSUSE Security Update : icedtea-web (openSUSE-2015-602)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201406-32.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201406-32 (IcedTea JDK: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in the IcedTea JDK. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, bypass intended security policies, or have other unspecified impact. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id76303
    published2014-06-30
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/76303
    titleGLSA-201406-32 : IcedTea JDK: Multiple vulnerabilities (BEAST) (ROBOT)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2012-1434.NASL
    descriptionUpdated icedtea-web packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. A buffer overflow flaw was found in the IcedTea-Web plug-in. Visiting a malicious web page could cause a web browser using the IcedTea-Web plug-in to crash or, possibly, execute arbitrary code. (CVE-2012-4540) Red Hat would like to thank Arthur Gerkis for reporting this issue. This erratum also upgrades IcedTea-Web to version 1.2.2. Refer to the NEWS file, linked to in the References, for further information. All IcedTea-Web users should upgrade to these updated packages, which resolve this issue. Web browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id62857
    published2012-11-08
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/62857
    titleRHEL 6 : icedtea-web (RHSA-2012:1434)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2768.NASL
    descriptionA heap-based buffer overflow vulnerability was found in icedtea-web, a web browser plugin for running applets written in the Java programming language. If a user were tricked into opening a malicious website, an attacker could cause the plugin to crash or possibly execute arbitrary code as the user invoking the program. This problem was initially discovered by Arthur Gerkis and got assigned CVE-2012-4540. Fixes were applied in the 1.1, 1.2 and 1.3 branches but not to the 1.4 branch.
    last seen2020-03-17
    modified2013-10-06
    plugin id70303
    published2013-10-06
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/70303
    titleDebian DSA-2768-1 : icedtea-web - heap-based buffer overflow
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-17762.NASL
    descriptionThis updates a recently found heap buffer overflow issue in IcedTea web. It fixes : CVE-2012-4540 icedtea-web: IcedTeaScriptableJavaObject::invoke off-by-one heap-based buffer overflow Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-11-12
    plugin id62882
    published2012-11-12
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/62882
    titleFedora 17 : icedtea-web-1.3.1-1.fc17 (2012-17762)

Redhat

advisories
bugzilla
id869040
titleCVE-2012-4540 icedtea-web: IcedTeaScriptableJavaObject::invoke off-by-one heap-based buffer overflow
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 6 is installed
      ovaloval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • commenticedtea-web-javadoc is earlier than 0:1.2.2-1.el6_3
          ovaloval:com.redhat.rhsa:tst:20121434001
        • commenticedtea-web-javadoc is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20141417004
      • AND
        • commenticedtea-web is earlier than 0:1.2.2-1.el6_3
          ovaloval:com.redhat.rhsa:tst:20121434003
        • commenticedtea-web is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20141417002
rhsa
idRHSA-2012:1434
released2012-11-07
severityCritical
titleRHSA-2012:1434: icedtea-web security update (Critical)
rpms
  • icedtea-web-0:1.2.2-1.el6_3
  • icedtea-web-debuginfo-0:1.2.2-1.el6_3
  • icedtea-web-javadoc-0:1.2.2-1.el6_3