Ratul Gupta

**Name of the Vulnerable Software and Affected Versions** Nokogiri gem versions 1.5.x **Description** The issue is related to a Denial of Service via an infinite loop when parsing XML documents. **Recommendations** For Nokogiri gem versions 1.5.x, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libgadu versions prior to 1.12.0 **Description** The issue allows man-in-the-middle attackers to spoof servers by not verifying X.509 certificates from SSL servers. **Recommendations** For versions prior to 1.12.0, update to version 1.12.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Pam (affected versions not specified) **Description** The issue concerns the pam userdb module for Pam, which uses a case-insensitive method to compare hashed passwords. This comparison method makes it easier for attackers to guess the password via a brute force attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GNOME Shell (aka gnome-shell) versions prior to 3.8 **Description** The issue allows physically proximate attackers to execute arbitrary commands by leveraging an unattended workstation with the keyboard focus on the Activities search field in the `js/ui/screenShield.js` file. **Recommendations** For versions prior to 3.8, consider disabling the screen shield functionality until a patch is available. As a temporary workaround, restrict access to unattended workstations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PlRPC module for Perl versions 0.2020 and earlier **Description** The issue allows remote attackers to execute arbitrary code via a crafted request. This is possible because the Storable module is used, and the request is not properly handled when it is deserialized. **Recommendations** For PlRPC module for Perl versions 0.2020 and earlier, consider disabling the use of the Storable module as a temporary workaround until a patch is available. Restrict access to the PlRPC module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MongoDB versions prior to 2.3.2 **Description** The issue concerns the default configuration of MongoDB, where objects are not validated. This allows remote authenticated users to cause a denial of service or read system memory by sending a crafted BSON object in the column name of an insert command. This action triggers a buffer over-read. **Recommendations** For versions prior to 2.3.2, update to version 2.3.2 or later to resolve the issue. As a temporary workaround, consider validating objects before processing them to prevent potential exploitation. Restrict access to the insert command to minimize the risk of denial of service or system memory exposure.

**Name of the Vulnerable Software and Affected Versions** denyhosts versions prior to 2.6-r9 denyhosts version 2.6 **Description** The issue allows remote attackers to cause a denial of service, specifically an incorrect block of IP addresses, via crafted login names. This is due to an incorrect regular expression used when analyzing authentication logs. The vulnerability can be exploited remotely, potentially leading to disruption of protected information. **Recommendations** For denyhosts versions prior to 2.6-r9, update to version 2.6-r9 or later to resolve the issue. For denyhosts version 2.6, consider applying configuration changes to mitigate the risk of denial of service attacks until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Net-SNMP versions 5.7.1 and earlier net-snmp-libs version 5.3.2.2 net-snmp-utils version 5.3.2.2 net-snmp-debuginfo version 5.3.2.2 net-snmp-devel version 5.3.2.2 net-snmp version 5.3.2.2 **Description** The issue is related to multiple vulnerabilities in the Net-SNMP package, which can lead to a denial of service (crash or infinite loop, CPU consumption, and hang) when AgentX is registering to handle a MIB and processing GETNEXT requests. The vulnerabilities can be exploited remotely, potentially disrupting the availability of protected information. **Recommendations** For Net-SNMP versions 5.7.1 and earlier: update to a version later than 5.7.1. For net-snmp-libs version 5.3.2.2: consider disabling the AgentX subagent until a patch is available. For net-snmp-utils version 5.3.2.2: restrict access to the MIB handling functionality to minimize the risk of exploitation. For net-snmp-debuginfo version 5.3.2.2: avoid using the debug information until the issue is resolved. For net-snmp-devel version 5.3.2.2: consider disabling the development functionality until a patch is available. For net-snmp version 5.3.2.2: restrict access to the Net-SNMP service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GnuPG versions 1.4.x through 2.1.x **Description** The issue allows remote attackers to bypass intended cryptographic protection mechanisms by leveraging a subkey with all bits cleared in a key flags subpacket, which is treated as if all bits are set. This might lead to a violation of the integrity and availability of protected information. The exploitation of this issue can be done remotely. **Recommendations** For GnuPG versions 1.4.x through 2.1.x, update to a version that fixes this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.