Weekly Vulnerabilities Reports > July 18 to 24, 2011

Overview

3 new vulnerabilities were reported during this period, including 0 critical and 2 high severity vulnerabilities. This weekly summary reports vulnerabilities in 5 products from 5 vendors: Linux, Canonical, Fedoraproject, Redhat, and Vmware. The vulnerabilities are categorized as "Out-of-bounds Write", "Improper Initialization", and "Deserialization of Untrusted Data".

  • 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
  • Linux has the most reported vulnerabilities, with 2 reported vulnerabilities.


Vulnerability Details

The following tables list the vulnerabilities reported for the period covered by this report:

0 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2011-07-21 | CVE-2011-2520 | Redhat, Fedoraproject | Deserialization of Untrusted Data vulnerability in multiple products | 7.8

fw_dbus.py in system-config-firewall 1.2.29 and earlier uses the pickle Python module unsafely during D-Bus communication between the GUI and the backend, which might allow local users to gain privileges via a crafted serialized object.
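The pattern behind CVE-2011-2520 is that the privileged backend unpickles bytes that an unprivileged GUI process controls. The following is an added example, not code from system-config-firewall or from fw_dbus.py: the D-Bus transport is replaced by a plain function call, and the backend functions, the `port`/`protocol` message shape and the `CraftedObject` class are all assumptions made for illustration. It shows why pickle is unsafe across a privilege boundary (the receiver, not the sender, executes the callable named by `__reduce__`), and two mitigations: an unpickler that refuses to resolve any global, and the preferred fix of a data-only format with explicit validation.

```python
import io
import json
import os
import pickle


# Constructed attacker object. pickle.dumps() records the callable and
# arguments returned by __reduce__; pickle.loads() later *calls* that
# callable, so whoever unpickles runs attacker-chosen code. eval() is used
# here as a harmless stand-in for something like os.system().
class CraftedObject:
    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_payload() -> bytes:
    """What the unprivileged GUI side could put on the wire (assumed message)."""
    return pickle.dumps(CraftedObject())


def vulnerable_backend(blob: bytes):
    """Models the unsafe pattern: the privileged side trusts serialized bytes."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global, so a reduce-based payload cannot name a callable."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_backend(blob: bytes):
    """Still pickle, but only plain data (dict, list, str, int, ...) survives."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


ALLOWED_PROTOCOLS = ("tcp", "udp")


def json_backend(text: str) -> dict:
    """Preferred fix: a data-only format plus explicit validation of every field."""
    msg = json.loads(text)
    if not isinstance(msg, dict) or set(msg) != {"port", "protocol"}:
        raise ValueError("unexpected message shape")
    if not isinstance(msg["port"], int) or not 1 <= msg["port"] <= 65535:
        raise ValueError("bad port")
    if msg["protocol"] not in ALLOWED_PROTOCOLS:
        raise ValueError("bad protocol")
    return msg


def demo() -> dict:
    results = {}
    payload = build_payload()
    # The sender never called eval(); the receiver did, with its own privileges.
    results["vulnerable_ran_attacker_code"] = vulnerable_backend(payload) == os.getpid()
    try:
        restricted_backend(payload)
        results["restricted_blocked"] = False
    except pickle.UnpicklingError:
        results["restricted_blocked"] = True
    # Legitimate plain data still passes through the restricted unpickler...
    results["restricted_allows_data"] = restricted_backend(pickle.dumps({"port": 22})) == {"port": 22}
    # ...and through the JSON path, where a type-confused port is rejected.
    results["json_ok"] = json_backend('{"port": 22, "protocol": "tcp"}') == {"port": 22, "protocol": "tcp"}
    try:
        json_backend('{"port": "22; rm -rf /", "protocol": "tcp"}')
        results["json_rejects_bad"] = False
    except ValueError:
        results["json_rejects_bad"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The restricted unpickler is a stopgap for code that cannot change its wire format quickly; it blocks every class and function reference, so only literal data types load. Switching the D-Bus message body to a data-only format with a field-by-field check, as `json_backend` does, removes the problem class entirely rather than filtering it.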
2011-07-18 | CVE-2010-4656 | Linux, Canonical | Out-of-bounds Write vulnerability in multiple products | 7.8

The iowarrior_write function in drivers/usb/misc/iowarrior.c in the Linux kernel before 2.6.37 does not properly allocate memory, which might allow local users to trigger a heap-based buffer overflow, and consequently cause a denial of service or gain privileges, via a long report.

1 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2011-07-18 | CVE-2010-4655 | Linux, Vmware, Canonical | Improper Initialization vulnerability in multiple products | 5.5

net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability for an ethtool ioctl call.

0 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS