Software Updates

TrustKeeper Scan Engine Update – October 15, 2014

Written by | Oct 15, 2014 7:06:00 AM

Summary

The latest update to the TrustKeeper scan engine that powers our Trustwave Vulnerability Management product (including both internal and external vulnerability scanning) is now available. A highlight of the update is an additional check for the recently disclosed POODLE vulnerability in version 3 of the SSL protocol (CVE-2014-3566). This week's release also includes new tests for an additional 27 vulnerabilities.

New Vulnerability Test Highlights

Some of the more interesting vulnerability tests we added recently are as follows:

XAMPP

  • XAMPP ADONewConnection Buffer Overflow (CVE-2007-2079)
  • XAMPP Cross Site Request Forgery in xamppsecurity.php (CVE-2008-6498)
  • XAMPP Cross Site Scripting Vulnerabilities in iart.php and ming.php (CVE-2008-3569)
  • XAMPP Cross Site Scripting Vulnerability in phonebook.php and other pages (CVE-2005-1077)
  • XAMPP Directory Traversal and Code Injection Vulnerability (CVE-2005-2043)
  • XAMPP lang.tmp Arbitrary File Write Vulnerability (CVE-2013-2586)
  • XAMPP Multiple SQL Injection Vulnerabilities (CVE-2007-2080)
  • XAMPP Multiple Unquoted Windows Search Path Vulnerabilities (CVE-2006-4994)
  • XAMPP SERVER Superglobal Variable Spoofing (CVE-2008-6499)

Microsoft .NET Framework

PostgreSQL

  • PostgreSQL using LOAD with plugins can shut down backend server (CVE-2009-3229)
  • PostgreSQL RESET SESSION AUTHORIZATION combined with ANALYZE allows privilege escalation (CVE-2009-3230)
  • PostgreSQL authentication bypass with LDAP backend (CVE-2009-3231)
  • PostgreSQL denial-of-service using client-specified localized error messages (CVE-2009-0922)
  • PostgreSQL ANALYZE user defined function privilege escalation (CVE-2007-6600)
  • PostgreSQL TCL regular expression back reference denial-of-service (CVE-2007-4769)
  • PostgreSQL DBLink function privilege escalation (CVE-2007-6601)
  • PostgreSQL search_path SECURITY DEFINER privilege escalation (CVE-2007-2138)
  • PostgreSQL ALTER COLUMN TYPE denial-of-service and unauthorized memory access (CVE-2007-0556)
  • PostgreSQL disable data type check denial-of-service and unauthorized memory access (CVE-2007-0555)
  • PostgreSQL logging of protocol messages denial-of-service (CVE-2006-5542)
  • PostgreSQL aggregates in UPDATE denial-of-service (CVE-2006-5540)
  • PostgreSQL SQL injection quote escape bypass (CVE-2006-2314)
  • PostgreSQL invalid multibyte encoding SQL injection bypass (CVE-2006-2313)
  • PostgreSQL ANYARRAY coercion denial-of-service (CVE-2006-5541)

FreeBSD

  • FreeBSD mmap Local User Privilege Escalation (FreeBSD-SA-13:06.mmap) (CVE-2013-2171)

SSL Protocol

How to Update?

All Trustwave customers using the TrustKeeper scan engine receive the updates automatically as soon as an update is available. No action is required.