Yutaka Oiwa

Name of the Vulnerable Software and Affected Versions: Mozilla version 1.7.8 Description: The issue concerns the XMLHttpRequest object, which supports the HTTP TRACE method. This allows remote attackers to obtain proxy authentication passwords via a request with a "Max-Forwards: 0" header or arbitrary local passwords on the web server hosting this object. Recommendations: For Mozilla version 1.7.8, consider disabling the HTTP TRACE method to prevent exploitation until a patch is available. Restrict access to the XMLHttpRequest object to minimize the risk of obtaining sensitive information.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 0.9.7 through 0.9.7h OpenSSL versions 0.9.8 through 0.9.8a **Description** The issue concerns a problem in the SSL/TLS server implementation when using the SSL OP MSIE SSLV2 RSA PADDING option, which disables a necessary verification step. This allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack. The vulnerability could also enable an unauthenticated, remote attacker to bypass security restrictions or cause a denial of service, potentially allowing access to encrypted data without knowledge of the encryption key. **Recommendations** For OpenSSL versions 0.9.7 through 0.9.7h, update to version 0.9.7h or later to resolve the issue. For OpenSSL versions 0.9.8 through 0.9.8a, update to version 0.9.8a or later to resolve the issue. As a temporary workaround, consider disabling the SSL OP MSIE SSLV2 RSA PADDING option until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Ruby versions 1.6.x up to 1.6.8 Ruby versions 1.8.x up to 1.8.2 Ruby version 1.9.0 development up to 2005-09-01 **Description** The issue allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input. Multiple vulnerabilities in the Ruby package may lead to a breach of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. **Recommendations** For Ruby versions 1.6.x up to 1.6.8, update to a version later than 1.6.8 to resolve the issue. For Ruby versions 1.8.x up to 1.8.2, update to a version later than 1.8.2 to resolve the issue. For Ruby version 1.9.0 development up to 2005-09-01, update to a version later than 2005-09-01 to resolve the issue.