Iankko

**Name of the Vulnerable Software and Affected Versions** Tor versions prior to 0.2.2.38 **Description** The issue is related to the `networkstatus parse vote from string` function in `routerparse.c`, which does not properly handle an invalid flavor name. This allows remote attackers to cause a denial of service, resulting in an out-of-bounds read and daemon crash, via a crafted vote document or consensus document. **Recommendations** For versions prior to 0.2.2.38, update to version 0.2.2.38 or later to resolve the issue. As a temporary workaround, consider restricting access to the `networkstatus parse vote from string` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Kadu versions 0.9.0 through 0.11.0 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the History Window implementation. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via crafted messages, including SMS messages, presence messages, or status descriptions. **Recommendations** For Kadu versions 0.9.0 through 0.11.0, update to a version that contains a fix for this issue to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** libxml2 versions 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32 libxml version 1.8.17 libxml2 versions prior to 2.7.3 **Description** The issue is related to a stack consumption vulnerability in libxml2, allowing context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD. This is related to a function recursion. The vulnerability can be exploited remotely, leading to a disruption of protected information. **Recommendations** For libxml2 versions 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, update to version 2.7.3 or later. For libxml version 1.8.17, update to a version later than 1.8.17. For libxml2 versions prior to 2.7.3, update to version 2.7.3 or later. As a temporary workaround, consider restricting the use of the `libxml2` library until a patch is available.

**Name of the Vulnerable Software and Affected Versions** CUPS versions 1.1.17 through 1.3.9 **Description** The issue concerns multiple vulnerabilities in the CUPS package that can be exploited remotely, potentially leading to breaches in confidentiality, integrity, and availability of protected information. Specifically, an integer overflow in the ` cupsImageReadPNG` function allows remote attackers to execute arbitrary code via a PNG image with a large height value, bypassing validation checks and triggering a buffer overflow. **Recommendations** For CUPS versions 1.1.17 through 1.3.9, update to a version newer than 1.3.9 to resolve the issue. As a temporary workaround, consider restricting the use of PNG images or disabling the ` cupsImageReadPNG` function until a patch is available. Avoid using the `height` variable in the affected `CUPS` function to minimize the risk of exploitation.