Weekly Vulnerabilities Reports > November 10 to 16, 2008

Overview

2 new vulnerabilities were reported during this period, including 1 critical vulnerability and 0 high severity vulnerabilities. This weekly summary reports vulnerabilities in 8 products from 7 vendors, including Debian, Fedoraproject, Opensuse, Suse, and Canonical. The vulnerabilities are categorized as "Use After Free" and "Improper Certificate Validation".

  • 2 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
  • 2 reported vulnerabilities are exploitable by an anonymous user.
  • Debian has the most reported vulnerabilities, with 1 reported vulnerability.
  • Novell has the most reported critical vulnerabilities, with 1 reported vulnerability.

TOTAL VULNERABILITIES: 2
CRITICAL RISK VULNERABILITIES: 1
HIGH RISK VULNERABILITIES: 0
MEDIUM RISK VULNERABILITIES: 1
LOW RISK VULNERABILITIES: 0
REMOTELY EXPLOITABLE: 2
LOCALLY EXPLOITABLE: (not given)
EXPLOIT AVAILABLE: (not given)
EXPLOITABLE ANONYMOUSLY: 2
AFFECTING WEB APPLICATION: (not given)

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


1 Critical Vulnerability

DATE        CVE            VENDOR  VULNERABILITY                                      CVSS
2008-11-12  CVE-2008-5038  Novell  Use After Free vulnerability in Novell eDirectory  9.8

Use-after-free vulnerability in the NetWare Core Protocol (NCP) feature in Novell eDirectory 8.7.3 SP10 before 8.7.3 SP10 FTF1 and 8.8 SP2 for Windows allows remote attackers to cause a denial of service and possibly execute arbitrary code via a sequence of "Get NCP Extension Information By Name" requests that cause one thread to operate on memory after it has been freed in another thread, which triggers memory corruption, aka Novell Bug 373852.

0 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

1 Medium Vulnerability

DATE        CVE            VENDOR                                                  VULNERABILITY                                                   CVSS
2008-11-13  CVE-2008-4989  GNU, Fedoraproject, Canonical, Debian, Suse, Opensuse  Improper Certificate Validation vulnerability in multiple products  5.9

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).
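The practical consequence of the GnuTLS flaw above is easiest to see in a chain verifier that checks every issuer link except the one into the trusted root. The following is an added illustration, not GnuTLS code: certificates are plain records, and the "signature" is an HMAC keyed with the issuer's key material, a symmetric stand-in for a real RSA/DSA signature so that only the chain-linking logic is exercised. `verify_chain_flawed` models the pre-2.6.1 behaviour as the advisory describes it (accept once the last certificate is a trusted self-signed one, without checking that the preceding certificate was actually issued by it); `verify_chain_fixed` checks every link. The DNs and key bytes are constructed sample data.

```python
"""Model of the CVE-2008-4989 chain-verification flaw (added example, not GnuTLS code)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str      # Distinguished Name of the certificate holder
    issuer: str       # DN of the signer
    key: bytes        # stand-in for the holder's key pair (toy: one shared secret)
    signature: bytes  # HMAC over (subject, issuer) under the issuer's key


def tbs(subject: str, issuer: str) -> bytes:
    """'To-be-signed' bytes: the fields the issuer commits to."""
    return f"{subject}|{issuer}".encode()


def issue(subject: str, issuer_cert: Cert, key: bytes) -> Cert:
    """Issuer signs a certificate for `subject`."""
    sig = hmac.new(issuer_cert.key, tbs(subject, issuer_cert.subject), hashlib.sha256).digest()
    return Cert(subject, issuer_cert.subject, key, sig)


def self_sign(subject: str, key: bytes) -> Cert:
    """A root (or attacker) CA signs its own certificate."""
    return Cert(subject, subject, key, hmac.new(key, tbs(subject, subject), hashlib.sha256).digest())


def signed_by(cert: Cert, issuer: Cert) -> bool:
    """True only if the issuer name matches AND the signature verifies under the issuer's key."""
    if cert.issuer != issuer.subject:
        return False
    expected = hmac.new(issuer.key, tbs(cert.subject, cert.issuer), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def is_trusted_root(cert: Cert, trust_store: list) -> bool:
    return cert.issuer == cert.subject and signed_by(cert, cert) and cert in trust_store


def verify_chain_flawed(chain: list, trust_store: list) -> bool:
    """Pre-2.6.1 model: links are checked leaf -> ... -> chain[-2], then the chain is
    accepted as soon as chain[-1] is a trusted self-signed certificate. The link from
    chain[-2] into that root is never verified, so any chain can be 'completed' by
    appending a certificate from the victim's trust store."""
    if not chain or not is_trusted_root(chain[-1], trust_store):
        return False
    for child, parent in zip(chain[:-2], chain[1:-1]):
        if not signed_by(child, parent):
            return False
    return True


def verify_chain_fixed(chain: list, trust_store: list) -> bool:
    """Every certificate must be signed by the next one, including the final link
    into the trusted root."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if not signed_by(child, parent):
            return False
    return is_trusted_root(chain[-1], trust_store)


def demo() -> dict:
    """Constructed scenario: a legitimate chain and a MITM chain with a trusted root appended."""
    root = self_sign("CN=Trusted Root CA", b"root-key")
    trust_store = [root]
    legit = [issue("CN=www.example.com", root, b"site-key"), root]
    evil_ca = self_sign("CN=Evil CA", b"evil-key")
    # Attacker issues a cert for the victim's DN from their own CA, then appends the real root.
    mitm = [issue("CN=www.example.com", evil_ca, b"mitm-key"), evil_ca, root]
    untrusted = [issue("CN=www.example.com", evil_ca, b"mitm-key"), evil_ca]
    return {
        "legit_flawed": verify_chain_flawed(legit, trust_store),
        "legit_fixed": verify_chain_fixed(legit, trust_store),
        "mitm_flawed": verify_chain_flawed(mitm, trust_store),      # accepted: the bug
        "mitm_fixed": verify_chain_fixed(mitm, trust_store),        # rejected: Evil CA not signed by root
        "untrusted_flawed": verify_chain_flawed(untrusted, trust_store),
        "untrusted_fixed": verify_chain_fixed(untrusted, trust_store),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>17}: {'ACCEPT' if ok else 'reject'}")
```

The MITM chain is rejected by the fixed verifier only because `signed_by` compares both the issuer DN and the signature: a check on names alone would still pass an intermediate whose issuer field merely claims the root's DN.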

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS