Red Hat Fedora

ソフト名：Red Hat Fedora 14 (David Heinemeier Hansson Ruby on Rails 2.3.x/3.0x)

回避策：FEDORA-2011-11567, FEDORA-2011-11600にて対応

脆弱性：セキュリティ制限の回避, XSS, データ操作, HTTPレスポンス分割攻撃, SQLインジェクション, HTTPヘッダインジェクション, 不正HTMLの実行, スクリプトコード実行

ソース：

http://fedoraproject.org/

http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html

http://dvw-j.blogspot.com/2011/08/ruby-on-rails.html

http://secunia.com/advisories/45648/

http://secunia.com/advisories/45917/

http://secunia.com/advisories/45921/

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2931

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2932

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3186

CVE：CVE-2011-2931, CVE-2011-2932, CVE-2011-3186

危険性：Medium Risk

Debian GNU/Linux

ソフト名：Debian GNU/Linux 5.0/6.0 (Ruby on Rails 2.3.x/3.0x)

回避策：DSA-2301-1にて対応

脆弱性：XSS, データ操作, セキュリティ制限の回避, HTTPレスポンス分割攻撃, SQLインジェクション, HTTPヘッダインジェクション, 不正HTMLの実行, スクリプトコード実行

ソース：

http://www.debian.org/

http://www.debian.org/security/2011/dsa-2301

http://secunia.com/advisories/37446/

http://secunia.com/advisories/45648/

http://secunia.com/advisories/45839/

http://dvw-j.blogspot.com/2011/08/ruby-on-rails.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2930

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2931

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3186

CVE：CVE-2009-4214, CVE-2011-2930, CVE-2011-2931, CVE-2011-3186

危険性：Medium Risk

Ruby on Rails

ソフト名：Ruby on Rails 2.3.x/3.0x

回避策：2.3.14/3.0.10へのアップデートにて対応

脆弱性：セキュリティ制限の回避, XSS, データ操作, HTTPレスポンス分割攻撃, SQLインジェクション, HTTPヘッダインジェクション, 不正HTMLの実行, スクリプトコード実行

ソース：

http://rubyonrails.org/

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195

http://secunia.com/advisories/45648/

危険性：Medium Risk

Red Hat Enterprise Linux

ソフト名：Red Hat Enterprise Linux Desktop 6/HPC Node 6/Server 6/Workstation 6 (CGI.pm 3.50未満, Perl.org Perl 5.12.3)

回避策：RHSA-2011:0558-1にて対応

脆弱性：セキュリティ制限の回避, XSS, HTTPレスポンス分割攻撃, HTTPヘッダインジェクション

ソース：http://www.redhat.com/rhel/

http://www.redhat.com/rhel/server/

http://www.redhat.com/rhel/desktop/

https://rhn.redhat.com/errata/RHSA-2011-0558.html

http://secunia.com/advisories/42443/

http://secunia.com/advisories/42461/

http://secunia.com/advisories/43921/

http://secunia.com/advisories/44649/

http://dvw-j.blogspot.com/2010/12/cgipm-cgisimple.html

http://dvw-j.blogspot.com/2011/04/perlorg-perl.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4410

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1487

CVE：CVE-2010-2761, CVE-2010-4410, CVE-2011-1487

危険性：Medium Risk

Canonical Ltd. Ubuntu Linux, Sun Solaris 10

ソフト名：Canonical Ltd. Ubuntu Linux 6.06/8.04/10.04/10.10, Sun Solaris 10 (perl, CGI.pm)

回避策：USN-1129-1にて対応, あり

脆弱性：セキュリティ制限の回避, XSS, perlコード実行, HTTPレスポンス分割攻撃, HTTPヘッダインジェクション

ソース：http://www.ubuntu.com/

http://www.oracle.com/us/products/servers-storage/solaris/index.html?origref=http://secunia.com/advisories/product/4813/

http://www.ubuntu.com/usn/usn-1129-1/

http://blogs.sun.com/security/entry/cve_2010_2761_cve_2010

http://secunia.com/advisories/40049/

http://secunia.com/advisories/42443/

http://secunia.com/advisories/42461/

http://secunia.com/advisories/43921/

http://secunia.com/advisories/44400/

http://secunia.com/advisories/44447/

http://dvw-j.blogspot.com/2010/12/cgipm-cgisimple.html

http://dvw-j.blogspot.com/2011/04/perlorg-perl.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1168

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1447

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4410

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4411

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1487

CVE：CVE-2010-1168, CVE-2010-1447, CVE-2010-2761, CVE-2010-4410, CVE-2010-4411, CVE-2011-1487

危険性：Medium Risk

Novell openSUSE, Novell SUSE Linux Enterprise Server

ソフト名：Novell openSUSE 11.1～11.3, Novell SUSE Linux Enterprise Server 10/11
回避策：SUSE-SR:2011:003にて対応
脆弱性：セキュリティ制限の回避, XSS, データ操作, 機密情報の奪取, DoS攻撃, システムアクセス, HTTPレスポンス分割攻撃
ソース：http://www.opensuse.org/en/
http://www.novell.com/promo/home/sle11.html
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00001.html
http://secunia.com/advisories/37291/
http://secunia.com/advisories/42337/
http://secunia.com/advisories/42443/
http://secunia.com/advisories/42461/
http://secunia.com/advisories/42659/
http://secunia.com/advisories/43006/
http://secunia.com/advisories/43023/
http://secunia.com/advisories/43135/
http://secunia.com/advisories/43236/
http://dvw-j.blogspot.com/2010/12/cgipm-cgisimple.html
http://dvw-j.blogspot.com/2010/12/pcsc-lite.html
http://dvw-j.blogspot.com/2011/01/isc-dhcp.html
http://dvw-j.blogspot.com/2011/01/opera-software-opera.html
http://dvw-j.blogspot.com/2011/02/canonical-ltd-ubuntu-linux_8844.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0413
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0682
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0683
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0684
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0685
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0687
CVE：CVE-2009-3555, CVE-2010-3782, CVE-2010-4172, 2010-4410, CVE-2010-4411, CVE-2010-4530, CVE-2010-4531, CVE-2011-0025, CVE-2011-0413, CVE-2011-0681, CVE-2011-0682, CVE-2011-0683, CVE-2011-0684, CVE-2011-0685, CVE-2011-0686, CVE-2011-0687
危険性：High Risk

Red Hat Fedora

ソフト名：Red Hat Fedora 13/14
回避策：FEDORA-2011-0741, FEDORA-2011-0755にて対応
脆弱性：セキュリティ制限の回避, XSS, ブルートフォース攻撃, HTTPレスポンス分割攻撃, CSRF, スクリプトの挿入, 不正アクセス, HTTPヘッダインジェクション, 不正HTMLの挿入, 不正HTMLのリクエスト
ソース：https://fedoraproject.org/wiki/F13_one_page_release_notes
http://fedoraproject.org/
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html
http://secunia.com/advisories/43033/
http://secunia.com/advisories/43165/
http://dvw-j.blogspot.com/2011/01/mozilla-foundation-bugzilla.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0048
CVE：CVE-2010-2761, CVE-2010-4411, CVE-2010-4567, CVE-2010-4568, CVE-2010-4572, CVE-2011-0046, CVE-2011-0048
危険性：Medium Risk

Red Hat Fedora

ソフト名：Red Hat Fedora 13/14
回避策：FEDORA-2011-0654, FEDORA-2011-0640にて対応
脆弱性：XSS, HTTPレスポンス分割攻撃, HTTPヘッダインジェクション
ソース：https://fedoraproject.org/wiki/F13_one_page_release_notes
http://fedoraproject.org/
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053601.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053628.html
http://secunia.com/advisories/42461/
http://secunia.com/advisories/43149/
http://dvw-j.blogspot.com/2010/12/cgipm-cgisimple.html
http://dvw-j.blogspot.com/2011/02/red-hat-fedora_01.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761
CVE：CVE-2010-2761
危険性：Medium Risk

Red Hat Fedora

ソフト名：Red Hat Fedora 13/14
回避策：FEDORA-2011-0631, FEDORA-2011-0653にて対応
脆弱性：XSS, HTTPレスポンス分割攻撃, HTTPヘッダインジェクション
ソース：https://fedoraproject.org/wiki/F13_one_page_release_notes
http://fedoraproject.org/
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053576.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053591.html
http://secunia.com/advisories/42443/
http://secunia.com/advisories/42460/
http://secunia.com/advisories/42461/
http://secunia.com/advisories/43147/
http://dvw-j.blogspot.com/2010/12/cgipm-cgisimple.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4410
CVE：CVE-2010-2761, CVE-2010-4410
危険性：Medium Risk

Mozilla Foundation Bugzilla

ソフト名：Mozilla Foundation Bugzilla 3.2.10/3.4.10/3.6.4未満
回避策：アップデートにて対応
脆弱性：セキュリティ制限の回避, XSS, ブルートフォース攻撃, HTTPレスポンス分割攻撃, CSRF, スクリプトの挿入, 不正アクセス, HTTPヘッダインジェクション, 不正HTMLの挿入, 不正HTMLのリクエスト
ソース：http://www.bugzilla.org/releases/3.0/
http://www.bugzilla.org/security/3.2.9/
http://secunia.com/advisories/43033/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0048
CVE：CVE-2010-2761, CVE-2010-4411, CVE-2010-4567, CVE-2010-4568, CVE-2010-4572, CVE-2011-0046, CVE-2011-0048
危険性：Medium Risk

Novell openSUSE, Novell SUSE Linux Enterprise Server

ソフト名：Novell openSUSE 11.1～11.3, Novell SUSE Linux Enterprise Server (SLES) 10/11
回避策：SUSE-SR:2011:001にて対応
脆弱性：セキュリティ制限の回避, XSS, 機密情報の奪取, 権限の昇格, DoS攻撃, 不正アクセス, スタックオーバーフロー, デリファレンスエラー, システムのクラッシュ, 無限ループ, バウンダリエラー, コード実行, HTTPレスポンス分割攻撃, HTTPヘッダインジェクション
ソース：http://www.opensuse.org/en/
http://www.novell.com/promo/home/sle11.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html
http://secunia.com/advisories/39661/
http://secunia.com/advisories/40112/
http://secunia.com/advisories/40783/
http://secunia.com/advisories/41535/
http://secunia.com/advisories/41841/
http://secunia.com/advisories/42290/
http://secunia.com/advisories/42373/
http://secunia.com/advisories/42461/
http://secunia.com/advisories/42473/
http://secunia.com/advisories/42732/
http://secunia.com/advisories/42877/
http://dvw-j.blogspot.com/2010/12/pidgin.html
http://dvw-j.blogspot.com/2010/12/openssl.html
http://dvw-j.blogspot.com/2010/12/cgipm-cgisimple.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2284
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3912
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4528
CVE：CVE-2010-1455, CVE-2010-2283, CVE-2010-2284, CVE-2010-2285, CVE-2010-2286, CVE-2010-2287, CVE-2010-2761, CVE-2010-2891, CVE-2010-2992, CVE-2010-2993, CVE-2010-2994, CVE-2010-2995, CVE-2010-3445, CVE-2010-3912, CVE-2010-4180, CVE-2010-4254, CVE-2010-4300, CVE-2010-4301, CVE-2010-4528
回避策：High Risk

CGI.pm, CGI::Simple

ソフト名：CGI.pm, CGI::Simple 1.x
回避策：アップデートにて対応
脆弱性：XSS, HTTPレスポンス分割攻撃, HTTPヘッダインジェクション
ソース：http://search.cpan.org/dist/CGI.pm/
http://search.cpan.org/dist/CGI-Simple/lib/CGI/Simple.pm
http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes
https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380
http://www.openwall.com/lists/oss-security/2010/12/01/2
http://www.openwall.com/lists/oss-security/2010/12/01/3
http://secunia.com/advisories/42443/
http://secunia.com/advisories/42460/
http://secunia.com/advisories/42461/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761
CVE：CVE-2010-2761
危険性：Low Risk

Mozilla Bugzilla

ソフト名：Mozilla Bugzilla 3.2 rc1～3.6.1
回避策：アップデートにて対応
脆弱性：HTTPレスポンス分割攻撃, 機密情報の奪取, 特定されていない脆弱性, HTTPヘッダインジェクション, XSS, Webキャッシュ汚染
ソース：http://www.bugzilla.org/security/3.2.8/
http://www.securityfocus.com/bid/44618
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3764
http://secunia.com/advisories/42071
http://www.vupen.com/english/advisories/2010/2878
CVE：CVE-2010-3172, CVE-2010-3764
危険性：Medium Risk

HP System Management Homepage

ソフト名：HP System Management Homepage 6.0/6.1
回避策：HPSBMA02568 SSRT100219にて対応
脆弱性：HTTPレスポンス分割攻撃, XSS, Webキャッシュ汚染
ソース：http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02512995
http://www.securityfocus.com/bid/43236
http://www.securityfocus.com/bid/43269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3011
http://secunia.com/advisories/41480
http://secunia.com/advisories/41490
http://www.vupen.com/english/advisories/2010/2418
CVE：CVE-2010-3011
危険性：Medium Risk

Cisco ACE 4750 A3(2.5), Cisco Content Services Switch 11500

ソフト名：Cisco ACE 4750 A3(2.5), Cisco Content Services Switch 11500
回避策：未対応
脆弱性：スプーフィング攻撃, マンインミドル攻撃, HTTPレスポンス分割攻撃, XSS, Webキャッシュ汚染
ソース：http://www.cisco.com/
http://www.vsecurity.com/resources/advisory/20100702-1/
http://www.securityfocus.com/bid/41315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1575
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1576
http://securitytracker.com/alerts/2010/Jul/1024167.html
CVE：CVE-2010-1575, CVE-2010-1576
危険性：Medium Risk

Cisco ASA 5580 8.1(1)

ソフト名：Cisco ASA 5580 8.1(1)
回避策：Cisco ASA 5580 Series Release Notes April 6, 2009にて対応
脆弱性：HTTPレスポンス分割攻撃, XSS, Webキャッシュ汚染
ソース：http://www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn812.html
http://www.secureworks.com/ctu/advisories/SWRX-2010-001/
http://www.securityfocus.com/bid/41159
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7257
http://securitytracker.com/alerts/2010/Jun/1024155.html
CVE：CVE-2008-7257
危険性：Medium Risk

Marco Cimmino Cimy Counter for WordPress

ソフト名：Marco Cimmino Cimy Counter for WordPress 0.9.4
回避策：アップデートにて対応
脆弱性：機密情報の奪取, セキュリティの強度不足, HTTPレスポンス分割攻撃, XSS, Webキャッシュ汚染, 認証資格情報の奪取
ソース：http://www.exploit-db.com/exploits/14057/
http://wordpress.org/extend/plugins/cimy-counter/
危険性：Medium Risk

Interchange

ソフト名：Interchange 5.4.1～5.4.4, 5.6.0～5.6.2
回避策：アップデートで対応
脆弱性：HTTPレスポンス分割攻撃, XSS, Webキャッシュ汚染, 機密情報の奪取
ソース：http://ftp.icdevgroup.org/interchange/WHATSNEW
http://www.securityfocus.com/bid/38960
http://secunia.com/advisories/39103
危険性：Medium Risk

cPanel

cPanel 11.25 build 42174
未対応
HTTPレスポンス分割攻撃
XSS
Webキャッシュ汚染
機密情報の奪取
http://www.exploit-db.com/exploits/11211