Marc Bevand

**Name of the Vulnerable Software and Affected Versions** Adobe Flash Player plugin versions 9.0.16 and earlier for Windows Adobe Flash Player plugin versions 7.0.63 and earlier for Linux Adobe Flash Player plugin versions 7.x before 7.0 r67 for Solaris Adobe Flash Player plugin versions before 9.0.28.0 for Mac OS X **Description** The issue allows remote attackers to modify HTTP headers of client requests and conduct HTTP Request Splitting attacks via CRLF sequences in arguments to the ActionScript functions `XML.addRequestHeader` and `XML.contentType`. The flexibility of the attack varies depending on the type of web browser being used. **Recommendations** For Adobe Flash Player plugin version 9.0.16 and earlier for Windows, update to a version later than 9.0.16. For Adobe Flash Player plugin version 7.0.63 and earlier for Linux, update to a version later than 7.0.63. For Adobe Flash Player plugin version 7.x before 7.0 r67 for Solaris, update to version 7.0 r67 or later. For Adobe Flash Player plugin version before 9.0.28.0 for Mac OS X, update to version 9.0.28.0 or later.

**Name of the Vulnerable Software and Affected Versions** OpenBSD versions 2.0 through 3.2 **Description** The issue allows local users to read portions of arbitrary files via a hard link attack on a temporary file used to store user database information. This is related to the `chpass` utility. **Recommendations** For OpenBSD versions 2.0 through 3.2, consider restricting access to the `chpass` utility until a fix is available. As a temporary workaround, avoid using `chpass` for sensitive operations.