N8

**Name of the Vulnerable Software and Affected Versions** Ruby on Rails versions prior to 2.3.3 **Description** The issue concerns the digest authentication functionality in Ruby on Rails, where the example code defines an authenticate or request with http digest block that returns nil instead of false when the user does not exist. This allows attackers to bypass authentication for applications derived from this example by sending an invalid username without a password. **Recommendations** For versions prior to 2.3.3, update to version 2.3.3 or later to resolve the issue. As a temporary workaround, consider modifying the authenticate or request with http digest block to return false when the user does not exist, instead of returning nil.

Name of the Vulnerable Software and Affected Versions: Cerulean Studios Trillian Pro versions prior to 3.1.10.0 Description: The issue is related to a heap-based buffer overflow in the XML parsing functionality, specifically in the talk.dll component. This allows remote attackers to execute arbitrary code via a malformed attribute in an IMG tag. Recommendations: For versions prior to 3.1.10.0, update to version 3.1.10.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the XML parsing functionality in talk.dll until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Cerulean Studios Trillian versions prior to 3.1.10.0 Description: The issue is a stack-based buffer overflow that allows remote attackers to execute arbitrary code. This is achieved via unspecified attributes in the `X-MMS-IM-FORMAT` header in an MSN message. Recommendations: For versions prior to 3.1.10.0, update to version 3.1.10.0 or later to resolve the issue. As a temporary workaround, consider restricting the handling of MSN messages with the `X-MMS-IM-FORMAT` header until a patch is applied.