mirror of
https://git.FreeBSD.org/ports.git
synced 2024-12-15 03:14:23 +00:00
541ec22424
o Use the FDP style to fill in the entry. o Remove the secunia references and use the libxine information. o Properly sort the references section o Add the modified tag (since I changed it).
31707 lines
1.1 MiB
31707 lines
1.1 MiB
<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
|
|
<!--
|
|
Copyright 2003-2006 Jacques Vidrine and contributors
|
|
|
|
Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
|
|
HTML, PDF, PostScript, RTF and so forth) with or without modification,
|
|
are permitted provided that the following conditions are met:
|
|
1. Redistributions of source code (VuXML) must retain the above
|
|
copyright notice, this list of conditions and the following
|
|
disclaimer as the first lines of this file unmodified.
|
|
2. Redistributions in compiled form (transformed to other DTDs,
|
|
published online in any format, converted to PDF, PostScript,
|
|
RTF and other formats) must reproduce the above copyright
|
|
notice, this list of conditions and the following disclaimer
|
|
in the documentation and/or other materials provided with the
|
|
distribution.
|
|
|
|
THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
|
|
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
|
|
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
|
|
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
|
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
|
|
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
|
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
|
|
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
|
|
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
$FreeBSD$
|
|
|
|
Note: Please add new entries to the beginning of this file.
|
|
|
|
-->
|
|
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
|
|
<vuln vid="1b043693-8617-11db-93b2-000e35248ad7">
|
|
<topic>libxine -- multiple buffer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libxine</name>
|
|
<range><lt>1.1.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The libxine development team reports that several
|
|
vulnerabilities had been found in the libxine library. The
|
|
first vulnerability is caused by improper checking of the
|
|
src/input/libreal/real.c "real_parse_sdp()" function.
|
|
A remote attacker could exploit this by tricking an user to
|
|
connect to a preparated server potentially causing a buffer
|
|
overflow. Another buffer overflow had been found in the
|
|
libmms library, potentially allowing a remote attacker to
|
|
cause a denial of service vulnerability, and possible remote
|
|
code execution through the following functions: send_command,
|
|
string_utf16, get_data and get_media_packets. Other functions
|
|
might be affected as well.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>18608</bid>
|
|
<bid>21435</bid>
|
|
<cvename>CVE-2006-2200</cvename>
|
|
<cvename>CVE-2006-6172</cvename>
|
|
<url>http://sourceforge.net/project/shownotes.php?release_id=468432</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-04</discovery>
|
|
<entry>2006-12-07</entry>
|
|
<modified>2006-12-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4db1669c-8589-11db-ac4f-02e081235dab">
|
|
<topic>gnupg -- remotely controllable function pointer</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnupg</name>
|
|
<range><lt>1.4.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Werner Koch reports:</p>
|
|
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000491.html">
|
|
<p>
|
|
GnuPG uses data structures called filters to process
|
|
OpenPGP messages. These filters are used in a similar
|
|
way as a pipelines in the shell. For communication
|
|
between these filters context structures are used. These
|
|
are usually allocated on the stack and passed to the
|
|
filter functions. At most places the OpenPGP data stream
|
|
fed into these filters is closed before the context
|
|
structure gets deallocated. While decrypting encrypted
|
|
packets, this may not happen in all cases and the filter
|
|
may use a void contest structure filled with garbage. An
|
|
attacker may control this garbage. The filter context
|
|
includes another context used by the low-level decryption
|
|
to access the decryption algorithm. This is done using a
|
|
function pointer. By carefully crafting an OpenPGP
|
|
message, an attacker may control this function pointer and
|
|
call an arbitrary function of the process. Obviously an
|
|
exploit needs to prepared for a specific version,
|
|
compiler, libc, etc to be successful - but it is
|
|
definitely doable.
|
|
</p>
|
|
<p>
|
|
Fixing this is obvious: We need to allocate the context on
|
|
the heap and use a reference count to keep it valid as
|
|
long as either the controlling code or the filter code
|
|
needs it.
|
|
</p>
|
|
<p>
|
|
We have checked all other usages of such a stack based
|
|
filter contexts but fortunately found no other vulnerable
|
|
places. This allows to release a relatively small patch.
|
|
However, for reasons of code cleanness and easier audits
|
|
we will soon start to change all these stack based filter
|
|
contexts to heap based ones.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-6235</cvename>
|
|
<url>http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000246.html</url>
|
|
<url>http://secunia.com/advisories/23245/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-12-04</discovery>
|
|
<entry>2006-12-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a8674c14-83d7-11db-88d5-0012f06707f0">
|
|
<topic>ruby -- cgi.rb library Denial of Service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby</name>
|
|
<range><ge>1.8.*,1</ge><lt>1.8.5_5,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ruby+pthreads</name>
|
|
<range><ge>1.8.*,1</ge><lt>1.8.5_5,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ruby+pthreads+oniguruma</name>
|
|
<range><ge>1.8.*,1</ge><lt>1.8.5_5,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ruby+oniguruma</name>
|
|
<range><ge>1.8.*,1</ge><lt>1.8.5_5,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ruby_static</name>
|
|
<range><ge>1.8.*,1</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Official ruby site reports:</p>
|
|
<blockquote cite="http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/">
|
|
<p>Another vulnerability has been discovered in the CGI library
|
|
(cgi.rb) that ships with Ruby which could be used by a malicious
|
|
user to create a denial of service attack (DoS).</p>
|
|
|
|
<p>A specific HTTP request for any web application using cgi.rb
|
|
causes CPU consumption on the machine on which the web application
|
|
is running. Many such requests result in a denial of service.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-12-04</discovery>
|
|
<entry>2006-12-04</entry>
|
|
</dates>
|
|
</vuln>
|
|
<vuln vid="ed124f8c-82a2-11db-b46b-0012f06707f0">
|
|
<topic>libmusicbrainz -- multiple buffer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libmusicbrainz</name>
|
|
<range><lt>2.1.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>SecurityFocus reports about libmusicbrainz:</p>
|
|
<blockquote cite="http://www.securityfocus.com/bid/19508/discuss">
|
|
<p>The libmusicbrainz library is prone to multiple buffer-overflow
|
|
vulnerabilities because the application fails to check the size of
|
|
the data before copying it into a finite-sized internal memory
|
|
buffer.</p>
|
|
|
|
<p>An attacker can exploit these issues to execute arbitrary code
|
|
within the context of the application or to cause a
|
|
denial-of-service condition.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>19508</bid>
|
|
<cvename>CVE-2006-4197</cvename>
|
|
<url>http://www.securityfocus.com/bid/21185/discuss</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-17</discovery>
|
|
<entry>2006-12-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="666b8c9e-8212-11db-851e-0016179b2dd5">
|
|
<topic>tdiary -- cross site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tdiary</name>
|
|
<range><lt>2.0.2</lt></range>
|
|
<range><gt>2.1</gt><lt>2.1.4.20061115</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>tDiary was vulnerable to an unspecified Cross-Site
|
|
Scripting vulnerability</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://sourceforge.net/forum/forum.php?forum_id=638868</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-11-26</discovery>
|
|
<entry>2006-12-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="18e3a5be-81f9-11db-95a2-0012f06707f0">
|
|
<topic>ImageMagick -- SGI Image File heap overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ImageMagick</name>
|
|
<range><ge>6.0.0</ge><lt>6.2.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>SecurityFocus reports about ImageMagick:</p>
|
|
<blockquote cite="http://www.securityfocus.com/bid/21185/info">
|
|
<p>ImageMagick is prone to a remote heap-based buffer-overflow
|
|
vulnerability because the application fails to properly
|
|
bounds-check user-supplied input before copying it to an
|
|
insufficiently sized memory buffer.</p>
|
|
|
|
<p>Exploiting this issue allows attackers to execute arbitrary
|
|
machine code in the context of applications that use the
|
|
ImageMagick library.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>21185</bid>
|
|
<cvename>CVE-2006-5868</cvename>
|
|
<url>http://www.securityfocus.com/bid/21185/discuss</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-11-14</discovery>
|
|
<entry>2006-12-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3dd7eb58-80ae-11db-b4ec-000854d03344">
|
|
<topic>gtar -- GNUTYPE_NAMES directory traversal vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gtar</name>
|
|
<range><lt>1.16_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Teemu Salmela reports:</p>
|
|
<blockquote cite="http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0344.html">
|
|
<p>There is a tar record type, called GNUTYPE_NAMES (an
|
|
obsolete GNU extension), that allows the creation of
|
|
symbolic links pointing to arbitrary locations in the
|
|
filesystem, which makes it possible to create/overwrite
|
|
arbitrary files.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>21235</bid>
|
|
<cvename>CVE-2006-6097</cvename>
|
|
<url>http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0344.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-11-21</discovery>
|
|
<entry>2006-11-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a8af7d70-8007-11db-b280-0008743bf21a">
|
|
<topic>kronolith -- arbitrary local file inclusion vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kronolith</name>
|
|
<range><lt>2.1.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>iDefense Labs reports:</p>
|
|
<blockquote cite="http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=445">
|
|
<p>Remote exploitation of a design error in Horde's Kronolith
|
|
could allow an authenticated web mail user to execute
|
|
arbitrary PHP code under the security context of the running
|
|
web server.</p>
|
|
<p>The vulnerability specifically exists due to a design error
|
|
in the way it includes certain files. Specifically, the
|
|
'lib/FBView.php' file contains a function 'Kronolith_FreeBusy_View::factory'
|
|
which will include local files that are supplied via the
|
|
'view' HTTP GET request parameter.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://lists.horde.org/archives/announce/2006/000307.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-11-29</discovery>
|
|
<entry>2006-11-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="34c93ae8-7e6f-11db-bf00-02e081235dab">
|
|
<topic>gnupg -- buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnupg</name>
|
|
<range><lt>1.4.5_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Werner Koch reports:</p>
|
|
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html">
|
|
<p>When running GnuPG interactively, special crafted
|
|
messages may be used to crash gpg or gpg2. Running gpg in
|
|
batch mode, as done by all software using gpg as a backend
|
|
(e.g. mailers), is not affected by this bug.</p>
|
|
<p>Exploiting this overflow seems to be possible.</p>
|
|
<p>gpg-agent, gpgsm, gpgv or other tools from the GnuPG
|
|
suite are not affected.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-11-27</discovery>
|
|
<entry>2006-11-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cca97f5f-7435-11db-91de-0008743bf21a">
|
|
<topic>proftpd -- Remote Code Execution Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>proftpd</name>
|
|
<name>proftpd-mysql</name>
|
|
<range><le>1.3.0_2</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>FrSIRT reports:</p>
|
|
<blockquote cite="http://www.frsirt.com/english/advisories/2006/4451">
|
|
<p>A vulnerability has been identified in ProFTPD, which could be
|
|
exploited by attackers to cause a denial of service or execute
|
|
arbitrary commands. This flaw is due to a buffer overflow error
|
|
in the "main.c" file where the "cmd_buf_size" size of the buffer
|
|
used to handle FTP commands sent by clients is not properly set
|
|
to the size configured via the "CommandBufferSize" directive,
|
|
which could be exploited by attackers to compromise a vulnerable
|
|
server via a specially crafted FTP command.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.frsirt.com/english/advisories/2006/4451</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-11-10</discovery>
|
|
<entry>2006-11-14</entry>
|
|
<modified>2006-11-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5a945904-73b1-11db-91d2-0002a5c2f4ef">
|
|
<topic>unzoo -- Directory Traversal Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>unzoo</name>
|
|
<range><lt>4.4_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/12857/">
|
|
<p>Doubles has discovered a vulnerability in Unzoo, which
|
|
potentially can be exploited by malicious people to
|
|
compromise a user's system.</p>
|
|
<p>The vulnerability is caused due to an input validation error
|
|
when unpacking archives. This can be exploited via a
|
|
directory traversal attack to overwrite files outside the
|
|
directory, where the files are extracted to, if a user is
|
|
tricked into extracting a malicious archive using Unzoo.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/12857/</url>
|
|
<url>http://securitytracker.com/alerts/2004/Oct/1011673.html</url>
|
|
<bid>11417</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-18</discovery>
|
|
<entry>2006-11-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6d68618a-7199-11db-a2ad-000c6ec775d9">
|
|
<topic>bugzilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bugzilla</name>
|
|
<name>ja-bugzilla</name>
|
|
<range><gt>2.*</gt><lt>2.22.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Bugzilla Security Advisory reports:</p>
|
|
<blockquote cite="http://www.bugzilla.org/security/2.18.5/">
|
|
<ul>
|
|
<li>Sometimes the information put into the <h1> and
|
|
<h2> tags in Bugzilla was not properly escaped,
|
|
leading to a possible XSS vulnerability.</li>
|
|
<li>Bugzilla administrators were allowed to put raw,
|
|
unfiltered HTML into many fields in Bugzilla, leading to
|
|
a possible XSS vulnerability. Now, the HTML allowed in
|
|
those fields is limited.</li>
|
|
<li>attachment.cgi could leak the names of private
|
|
attachments</li>
|
|
<li>The "deadline" field was visible in the XML format of
|
|
a bug, even to users who were not a member of the
|
|
"timetrackinggroup."</li>
|
|
<li>A malicious user could pass a URL to an admin, and
|
|
make the admin delete or change something that he had
|
|
not intended to delete or change.</li>
|
|
<li>It is possible to inject arbitrary HTML into the
|
|
showdependencygraph.cgi page, allowing for a cross-site
|
|
scripting attack.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-5453</cvename>
|
|
<cvename>CVE-2006-5454</cvename>
|
|
<cvename>CVE-2006-5455</cvename>
|
|
<url>http://www.bugzilla.org/security/2.18.5/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-15</discovery>
|
|
<entry>2006-11-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="92442c4b-6f4a-11db-bd28-0012f06707f0">
|
|
<topic>Imlib2 -- multiple image file processing vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>imlib2</name>
|
|
<range><lt>20060926_1,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/22732/">
|
|
|
|
<p>Some vulnerabilities have been reported in imlib2, which can be
|
|
exploited by malicious people to cause a DoS (Denial of Service) or
|
|
potentially compromise an application using the library.</p>
|
|
|
|
<p>The vulnerabilities are caused due to unspecified errors within
|
|
the processing of JPG, ARGB, PNG, LBM, PNM, TIFF, and TGA images.
|
|
This may be exploited to execute arbitrary code by e.g. tricking a
|
|
user into opening a specially crafted image file with an
|
|
application using imlib2.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-4806</cvename>
|
|
<cvename>CVE-2006-4807</cvename>
|
|
<cvename>CVE-2006-4808</cvename>
|
|
<cvename>CVE-2006-4809</cvename>
|
|
<bid>20903</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-11-03</discovery>
|
|
<entry>2006-11-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ab8dbe98-6be4-11db-ae91-0012f06707f0">
|
|
<topic>ruby -- cgi.rb library Denial of Service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby</name>
|
|
<range><ge>1.8.*,1</ge><lt>1.8.5_4,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ruby+pthreads</name>
|
|
<range><ge>1.8.*,1</ge><lt>1.8.5_4,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ruby+pthreads+oniguruma</name>
|
|
<range><ge>1.8.*,1</ge><lt>1.8.5_4,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ruby+oniguruma</name>
|
|
<range><ge>1.8.*,1</ge><lt>1.8.5_4,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ruby_static</name>
|
|
<range><ge>1.8.*,1</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Official ruby site reports:</p>
|
|
<blockquote cite="http://www.ruby-lang.org/en/news/2006/11/03/CVE-2006-5467/">
|
|
<p>A vulnerability has been discovered in the CGI library (cgi.rb)
|
|
that ships with Ruby which could be used by a malicious user to
|
|
create a denial of service attack (DoS). The problem is triggered
|
|
by sending the library an HTTP request that uses multipart MIME
|
|
encoding and as an invalid boundary specifier that begins with
|
|
"-" instead of "--". Once triggered it will
|
|
exhaust all available memory resources effectively creating a DoS
|
|
condition.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-5467</cvename>
|
|
<bid>20777</bid>
|
|
<url>http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-25</discovery>
|
|
<entry>2006-11-04</entry>
|
|
<modified>2006-12-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b318dc8c-6756-11db-83c3-000c6ec775d9">
|
|
<topic>screen -- combined UTF-8 characters vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>screen</name>
|
|
<range><lt>4.0.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A vulnerability in the handling handling of combined UTF-8
|
|
characters in screen may allow an user-assisted attacker to
|
|
crash screen or potentially allow code execution as the user
|
|
running screen. To exploit this issue the user running
|
|
scren must in some way interact with the attacker.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>20727</bid>
|
|
<cvename>CVE-2006-4573</cvename>
|
|
<mlist>http://lists.gnu.org/archive/html/screen-users/2006-10/msg00028.html</mlist>
|
|
<url>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212056</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-23</discovery>
|
|
<entry>2006-10-29</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a9c51caf-6603-11db-ab90-000e35fd8194">
|
|
<topic>mysql -- database suid privilege escalation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><ge>5.1</ge><lt>5.1.12</lt></range>
|
|
<range><ge>5.0</ge><lt>5.0.25</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Dmitri Lenev reports a privilege escalation in
|
|
MySQL. MySQL evaluates arguments of suid routines in the
|
|
security context of the routine's definer instead of the
|
|
routine's caller, which allows remote and local
|
|
authenticated users to gain privileges through a routine
|
|
that has been made available using GRANT EXECUTE.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-4227</cvename>
|
|
<url>http://bugs.mysql.com/bug.php?id=18630</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-29</discovery>
|
|
<entry>2006-10-29</entry>
|
|
<modified>2006-10-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a0e92718-6603-11db-ab90-000e35fd8194">
|
|
<topic>mysql -- database "case-sensitive" privilege escalation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><ge>5.1</ge><lt>5.1.12</lt></range>
|
|
<range><ge>5.0</ge><lt>5.0.25</lt></range>
|
|
<range><lt>4.1.21</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Michal Prokopiuk reports a privilege escalation in MySQL.
|
|
The vulnerability causes MySQL, when run on case-sensitive
|
|
filesystems, to allow remote and local authenticated users
|
|
to create or access a database when the database name
|
|
differs only in case from a database for which they have
|
|
permissions.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>19559</bid>
|
|
<cvename>CVE-2006-4226</cvename>
|
|
<url>http://bugs.mysql.com/bug.php?id=17647</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-09</discovery>
|
|
<entry>2006-10-29</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="96ed277b-60e0-11db-ad2d-0016179b2dd5">
|
|
<topic>Serendipity -- XSS Vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>serendipity</name>
|
|
<range><lt>1.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Serendipity Team reports:</p>
|
|
<blockquote cite="http://blog.s9y.org/archives/147-Serendipity-1.0.2-and-1.1-beta5-released.html">
|
|
<p>Serendipity failed to correctly sanitize user input on the
|
|
media manager administration page. The content of GET variables
|
|
were written into JavaScript strings. By using standard string
|
|
evasion techniques it was possible to execute arbitrary
|
|
JavaScript.</p>
|
|
<p>Additionally Serendipity dynamically created a HTML form on
|
|
the media manager administration page that contained all
|
|
variables found in the URL as hidden fields. While the variable
|
|
values were correctly escaped it was possible to break out
|
|
by specifying strange variable names.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.hardened-php.net/advisory_112006.136.htmlSerendipity</url>
|
|
<url>http://secunia.com/advisories/22501/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-19</discovery>
|
|
<entry>2006-10-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d8fbf13a-6215-11db-a59e-0211d85f11fb">
|
|
<topic>kdelibs -- integer overflow in khtml</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kdelibs</name>
|
|
<name>kdelibs-nocups</name>
|
|
<range><lt>3.5.4_4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>qt</name>
|
|
<name>qt-copy</name>
|
|
<range><lt>3.3.6_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Red Hat reports:</p>
|
|
<blockquote cite="http://rhn.redhat.com/errata/RHSA-2006-0720.html">
|
|
<p>An integer overflow flaw was found in the way Qt handled pixmap
|
|
images. The KDE khtml library uses Qt in such a way that untrusted
|
|
parameters could be passed to Qt, triggering the overflow.
|
|
An attacker could for example create a malicious web page that when
|
|
viewed by a victim in the Konqueror browser would cause Konqueror
|
|
to crash or possibly execute arbitrary code with the privileges of
|
|
the victim.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-4811</cvename>
|
|
<url>http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210742</url>
|
|
<url>http://rhn.redhat.com/errata/RHSA-2006-0720.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-14</discovery>
|
|
<entry>2006-10-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4867ae85-608d-11db-8faf-000c6ec775d9">
|
|
<topic>opera -- URL parsing heap overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>opera</name>
|
|
<name>opera-devel</name>
|
|
<name>linux-opera</name>
|
|
<range><gt>9.*</gt><lt>9.02</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>iDefense Labs reports:</p>
|
|
<blockquote cite="http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=424">
|
|
<p>Remote exploitation of a heap overflow vulnerability
|
|
within version 9 of Opera Software's Opera Web browser
|
|
could allow an attacker to execute arbitrary code on the
|
|
affected host.</p>
|
|
<p>A flaw exists within Opera when parsing a tag that
|
|
contains a URL. A heap buffer with a constant size of 256
|
|
bytes is allocated to store the URL, and the tag's URL is
|
|
copied into this buffer without sufficient bounds checking
|
|
of its length.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-4819</cvename>
|
|
<url>http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=424</url>
|
|
<url>http://secunia.com/advisories/22218/</url>
|
|
<url>http://www.opera.com/support/search/supsearch.dml?index=848</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-17</discovery>
|
|
<entry>2006-10-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1c0def84-5fb1-11db-b2e9-0008c79fa3d2">
|
|
<topic>asterisk -- remote heap overwrite vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>asterisk</name>
|
|
<name>asterisk-bristuff</name>
|
|
<range><lt>1.2.13</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adam Boileau of Security-Assessment.com reports:</p>
|
|
<blockquote cite="http://www.security-assessment.com/files/advisories/Asterisk_remote_heap_overflow.pdf">
|
|
<p>The Asterisk Skinny channel driver for Cisco SCCP phones
|
|
(chan_skinny.so) incorrectly validates a length value in
|
|
the packet header. An integer wrap-around leads to heap
|
|
overwrite, and arbitrary remote code execution as root.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.security-assessment.com/files/advisories/Asterisk_remote_heap_overflow.pdf</url>
|
|
<mlist msgid="4536A2F2.2020902@security-assessment.com">http://marc.theaimsgroup.com/?l=bugtraq&m=116121567530170</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-17</discovery>
|
|
<entry>2006-10-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b6c18956-5fa3-11db-ad2d-0016179b2dd5">
|
|
<topic>plone -- unprotected MembershipTool methods</topic>
|
|
<affects>
|
|
<package>
|
|
<name>plone</name>
|
|
<range><lt>2.1.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Plone Team reports:</p>
|
|
<blockquote cite="http://dev.plone.org/plone/ticket/5432">
|
|
<p>Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict
|
|
access to the:</p>
|
|
<ul>
|
|
<li>changeMemberPortrait</li>
|
|
<li>deletePersonalPortrait</li>
|
|
<li>testCurrentPassword</li>
|
|
</ul>
|
|
<p>methods, which allows remote attackers to modify portraits.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1711</cvename>
|
|
<url>http://plone.org/products/plone/releases/2.1.4</url>
|
|
<url>https://svn.plone.org/svn/plone/PloneHotfix20060410/trunk/README.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-19</discovery>
|
|
<entry>2006-10-19</entry>
|
|
<modified>2006-10-20</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="19207592-5f17-11db-ae08-0008743bf21a">
|
|
<topic>drupal -- HTML attribute injection</topic>
|
|
<affects>
|
|
<package>
|
|
<name>drupal</name>
|
|
<range><lt>4.6.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Drupal Team reports:</p>
|
|
<blockquote cite="http://drupal.org/files/sa-2006-026/advisory.txt">
|
|
<p>A malicious user may entice users to visit a specially
|
|
crafted URL that may result in the redirection of Drupal
|
|
form submission to a third-party site. A user visiting the
|
|
user registration page via such a url, for example, will
|
|
submit all data, such as his/her e-mail address, but also
|
|
possible private profile data, to a third-party site.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://drupal.org/files/sa-2006-026/advisory.txt</url>
|
|
<url>http://drupal.org/drupal-4.7.4</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-18</discovery>
|
|
<entry>2006-10-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="937d5911-5f16-11db-ae08-0008743bf21a">
|
|
<topic>drupal -- cross site request forgeries</topic>
|
|
<affects>
|
|
<package>
|
|
<name>drupal</name>
|
|
<range><lt>4.6.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Drupal Team reports:</p>
|
|
<blockquote cite="http://drupal.org/files/sa-2006-025/advisory.txt">
|
|
<p>Visiting a specially crafted page, anywhere on the web, may
|
|
allow that page to post forms to a Drupal site in the
|
|
context of the visitor's session. To illustrate; suppose
|
|
one has an active user 1 session, the most powerful
|
|
administrator account for a site, to a Drupal site while
|
|
visiting a website created by an attacker. This website
|
|
will now be able to submit any form to the Drupal site with
|
|
the privileges of user 1, either by enticing the user to
|
|
submit a form or by automated means.</p>
|
|
<p>An attacker can exploit this vulnerability by changing
|
|
passwords, posting PHP code or creating new users, for
|
|
example. The attack is only limited by the privileges of
|
|
the session it executes in.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://drupal.org/files/sa-2006-025/advisory.txt</url>
|
|
<url>http://drupal.org/drupal-4.7.4</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-18</discovery>
|
|
<entry>2006-10-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b2383758-5f15-11db-ae08-0008743bf21a">
|
|
<topic>drupal -- multiple XSS vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>drupal</name>
|
|
<range><lt>4.6.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Drupal Team reports:</p>
|
|
<blockquote cite="http://drupal.org/files/sa-2006-024/advisory.txt">
|
|
<p>A bug in input validation and lack of output validation
|
|
allows HTML and script insertion on several pages.</p>
|
|
<p>Drupal's XML parser passes unescaped data to watchdog
|
|
under certain circumstances. A malicious user may execute
|
|
an XSS attack via a specially crafted RSS feed. This
|
|
vulnerability exists on systems that do not use PHP's
|
|
mb_string extension (to check if mb_string is being used,
|
|
navigate to admin/settings and look under "String
|
|
handling"). Disabling the aggregator module provides an
|
|
immediate workaround.</p>
|
|
<p>The aggregator module, profile module, and forum module do
|
|
not properly escape output of certain fields.</p>
|
|
<p>Note: XSS attacks may lead to administrator access if
|
|
certain conditions are met.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://drupal.org/files/sa-2006-024/advisory.txt</url>
|
|
<url>http://drupal.org/drupal-4.7.4</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-18</discovery>
|
|
<entry>2006-10-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="18a14baa-5ee5-11db-ae08-0008743bf21a">
|
|
<topic>ingo -- local arbitrary shell command execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ingo</name>
|
|
<range><lt>1.1.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Horde team reports a vulnerability within Ingo, the
|
|
filter management suite. The vulnerability is caused due to
|
|
inadequete escaping, possibly allowing a local user to execute
|
|
arbitrary shell commands via procmail.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://bugs.horde.org/ticket/?id=4513</url>
|
|
<url>http://cvs.horde.org/diff.php/ingo/docs/CHANGES?r1=1.55.2.49&r2=1.55.2.59&ty=h</url>
|
|
<url>http://lists.horde.org/archives/announce/2006/000296.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-18</discovery>
|
|
<entry>2006-10-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a6d9da4a-5d5e-11db-8faf-000c6ec775d9">
|
|
<topic>nvidia-driver -- arbitrary root code execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>nvidia-driver</name>
|
|
<range><ge>1.0.8762</ge><lt>1.0.8776</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Rapid7 reports:</p>
|
|
<blockquote cite="http://www.rapid7.com/advisories/R7-0025.jsp">
|
|
<p>The NVIDIA Binary Graphics Driver for Linux is vulnerable
|
|
to a buffer overflow that allows an attacker to run
|
|
arbitrary code as root. This bug can be exploited both
|
|
locally or remotely (via a remote X client or an X client
|
|
which visits a malicious web page). A working
|
|
proof-of-concept root exploit is included with this
|
|
advisory.</p>
|
|
<p>The NVIDIA drivers for Solaris and FreeBSD are also
|
|
likely to be vulnerable.</p>
|
|
</blockquote>
|
|
<p>Disabling Render acceleration in the "nvidia" driver, via
|
|
the "RenderAccel" X configuration option, can be used as a
|
|
workaround for this issue.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>147252</certvu>
|
|
<cvename>CVE-2006-5379</cvename>
|
|
<url>http://nvidia.custhelp.com/cgi-bin/nvidia.cfg/php/enduser/std_adp.php?p_faqid=1971</url>
|
|
<url>http://secunia.com/advisories/22419/</url>
|
|
<url>http://www.rapid7.com/advisories/R7-0025.jsp</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-16</discovery>
|
|
<entry>2006-10-16</entry>
|
|
<modified>2006-10-21</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8012a79d-5d21-11db-bb8d-00123ffe8333">
|
|
<topic>clamav -- CHM unpacker and PE rebuilding vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>clamav</name>
|
|
<range><lt>0.88.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>clamav-devel</name>
|
|
<range><le>20060922</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/22370/">
|
|
<p>Two vulnerabilities have been reported in Clam AntiVirus, which
|
|
potentially can be exploited by malicious people to cause a DoS
|
|
(Denial of Service) or compromise a vulnerable system.</p>
|
|
<p>1) An unspecified error in the CHM unpacker in chmunpack.c can be
|
|
exploited to cause a DoS.</p>
|
|
<p>2) An unspecified error in rebuildpe.c when rebuilding PE files
|
|
after unpacking can be exploited to cause a heap-based buffer
|
|
overflow.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/22370/</url>
|
|
<url>http://lurker.clamav.net/message/20061016.015114.dc6a8930.en.html</url>
|
|
<url>http://sourceforge.net/project/shownotes.php?release_id=455799</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-15</discovery>
|
|
<entry>2006-10-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="93ba13f8-5c41-11db-a5ae-00508d6a62df">
|
|
<topic>tkdiff -- temporary file symlink privilege escalation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tkdiff</name>
|
|
<range><lt>4.1.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Javier Fernández-Sanguino Peña reports a vulnerability in
|
|
tkdiff which allows local users to gain priveleges of the
|
|
user running tkdiff due to insecure temporary file creation.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.debian.org/security/2005/dsa-927</url>
|
|
<cvename>CVE-2005-3343</cvename>
|
|
<bid>16064</bid>
|
|
<url>http://secunia.com/advisories/18083</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-20</discovery>
|
|
<entry>2006-10-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2c8a84d9-5bee-11db-a5ae-00508d6a62df">
|
|
<topic>vtiger -- multiple remote file inclusion vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>vtiger</name>
|
|
<range><lt>5.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Dedi Dwianto a.k.a the_day reports:</p>
|
|
<blockquote cite="http://www.milw0rm.com/exploits/2508">
|
|
<p>Input passed to the "$calpath" parameter in update.php is
|
|
not properly verified before being used. This can be
|
|
exploited to execute arbitrary PHP code by including files
|
|
from local or external resources.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-5289</cvename>
|
|
<bid>20435</bid>
|
|
<mlist msgid="20061009094328.15530.qmail@securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=116049557032343</mlist>
|
|
<url>http://advisories.echo.or.id/adv/adv54-theday-2006.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-09</discovery>
|
|
<entry>2006-10-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5c9a2769-5ade-11db-a5ae-00508d6a62df">
|
|
<topic>google-earth -- heap overflow in the KML engine</topic>
|
|
<affects>
|
|
<package>
|
|
<name>google-earth</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>JAAScois reports:</p>
|
|
<p>While processing KML/KMZ data Google Earth fails to verify
|
|
its size prior to copying it into a fixed-sized buffer.
|
|
This can be exploited as a buffer-overflow vulnerability to
|
|
cause the application to crash and/or to execute arbitrary
|
|
code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>20464</bid>
|
|
<url>http://www.jaascois.com/exploits/18602024/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-10</discovery>
|
|
<entry>2006-10-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="72f21372-55e4-11db-a5ae-00508d6a62df">
|
|
<topic>torrentflux -- User-Agent XSS Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>torrentflux</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<blockquote cite="http://www.stevenroddis.com.au/2006/10/06/torrentflux-user-agent-xss-vulnerability/">
|
|
<p>Steven Roddis reports that User-Agent string is not
|
|
properly escaped when handled by torrentflux. This allows
|
|
for arbitrary code insertion.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>20371</bid>
|
|
<cvename>CVE-2006-5227</cvename>
|
|
<url>http://www.stevenroddis.com.au/2006/10/06/torrentflux-user-agent-xss-vulnerability/</url>
|
|
<url>http://secunia.com/advisories/22293/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-30</discovery>
|
|
<entry>2006-10-07</entry>
|
|
<modified>2006-10-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fe83eb5b-55e1-11db-a5ae-00508d6a62df">
|
|
<topic>python -- buffer overrun in repr() for unicode strings</topic>
|
|
<affects>
|
|
<package>
|
|
<name>python+ipv6</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>python</name>
|
|
<range><lt>2.4.3_1</lt></range>
|
|
<range><gt>2.5.*</gt><lt>2.5.c2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Benjamin C. Wiley Sittler reports:</p>
|
|
<blockquote cite="https://launchpad.net/distros/ubuntu/+source/python2.4/+bug/56633">
|
|
<p>I discovered a [buffer overrun in repr() for unicode
|
|
strings]. This causes an unpatched non-debug wide
|
|
(UTF-32/UCS-4) build of python to abort.</p>
|
|
</blockquote>
|
|
<p>Ubuntu security team reports:</p>
|
|
<blockquote cite="http://www.ubuntu.com/usn/usn-359-1">
|
|
<p>If an application uses repr() on arbitrary untrusted data,
|
|
this [bug] could be exploited to execute arbitrary code
|
|
with the privileges of the python application.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-4980</cvename>
|
|
<url>https://launchpad.net/distros/ubuntu/+source/python2.4/+bug/56633</url>
|
|
<url>http://www.ubuntu.com/usn/usn-359-1</url>
|
|
<url>http://secunia.com/advisories/22276/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-15</discovery>
|
|
<entry>2006-10-07</entry>
|
|
<modified>2006-10-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e329550b-54f7-11db-a5ae-00508d6a62df">
|
|
<topic>php -- _ecalloc Integer Overflow Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>php5</name>
|
|
<range><lt>5.1.6_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>php5-cli</name>
|
|
<name>php5-cgi</name>
|
|
<name>php5-dtc</name>
|
|
<name>php5-horde</name>
|
|
<name>php5-nms</name>
|
|
<name>mod_php5</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefan Esser reports:</p>
|
|
<blockquote cite="http://www.hardened-php.net/advisory_092006.133.html">
|
|
<p>The PHP 5 branch of the PHP source code lacks the
|
|
protection against possible integer overflows inside
|
|
ecalloc() that is present in the PHP 4 branch and also for
|
|
several years part of our Hardening-Patch and our new
|
|
Suhosin-Patch.</p>
|
|
<p>It was discovered that such an integer overflow can be
|
|
triggered when user input is passed to the unserialize()
|
|
function. Earlier vulnerabilities in PHP's unserialize()
|
|
that were also discovered by one of our audits in December
|
|
2004 are unrelated to the newly discovered flaw, but they
|
|
have shown, that the unserialize() function is exposed to
|
|
user-input in many popular PHP applications. Examples for
|
|
applications that use the content of COOKIE variables with
|
|
unserialize() are phpBB and Serendipity.</p>
|
|
<p>The successful exploitation of this integer overflow will
|
|
result in arbitrary code execution.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-4812</cvename>
|
|
<url>http://www.hardened-php.net/advisory_092006.133.html</url>
|
|
<url>http://secunia.com/advisories/22280/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-30</discovery>
|
|
<entry>2006-10-06</entry>
|
|
<modified>2006-10-17</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8a5770b4-54b5-11db-a5ae-00508d6a62df">
|
|
<topic>mambo -- multiple SQL injection vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mambo</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>James Bercegay reports:</p>
|
|
<blockquote cite="http://www.gulftech.org/?node=research&article_id=00116-10042006">
|
|
<p>Mambo is vulnerable to an Authentication Bypass issue that
|
|
is due to an SQL Injection in the login function. The SQL
|
|
Injection is possible because the $passwd variable is only
|
|
sanitized when it is not passed as an argument to the
|
|
function.</p>
|
|
</blockquote>
|
|
<p>Omid reports:</p>
|
|
<blockquote cite="http://seclists.org/bugtraq/2006/Aug/0491.html">
|
|
<p>There are several sql injections in Mambo 4.6 RC2 &
|
|
Joomla 1.0.10 (and maybe other versions):</p>
|
|
<ul>
|
|
<li>When a user edits a content, the "id" parameter is not
|
|
checked properly in /components/com_content/content.php,
|
|
which can cause 2 sql injections.</li>
|
|
<li>The "limit" parameter in the administration section is
|
|
not checked. This affects many pages of administration
|
|
section</li>
|
|
<li>In the administration section, while editing/creating a
|
|
user, the "gid" parameter is not checked properly.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>19719</bid>
|
|
<bid>19734</bid>
|
|
<url>http://www.gulftech.org/?node=research&article_id=00116-10042006</url>
|
|
<url>http://seclists.org/bugtraq/2006/Aug/0491.html</url>
|
|
<url>http://www.frsirt.com/english/advisories/2006/3918</url>
|
|
<url>http://mamboxchange.com/forum/forum.php?forum_id=7704</url>
|
|
<url>http://secunia.com/advisories/21644/</url>
|
|
<url>http://secunia.com/advisories/22221/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-26</discovery>
|
|
<entry>2006-10-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="19a92df1-548d-11db-8f1a-000a48049292">
|
|
<topic>tin -- buffer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tin</name>
|
|
<name>zh-tin</name>
|
|
<range><lt>1.8.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<blockquote cite="ftp://ftp.tin.org/pub/news/clients/tin/stable/CHANGES">
|
|
<p>Urs Janssen and Aleksey Salow report possible buffer
|
|
overflows in tin versions 1.8.0 and 1.8.1.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.005-tin.html">
|
|
<p>OpenPKG project elaborates there is an allocation
|
|
off-by-one bug in version 1.8.0 which can lead to a buffer
|
|
overflow.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>ftp://ftp.tin.org/pub/news/clients/tin/stable/CHANGES</url>
|
|
<url>http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.005-tin.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-15</discovery>
|
|
<entry>2006-10-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ae7124ff-547c-11db-8f1a-000a48049292">
|
|
<topic>openldap -- slapd acl selfwrite Security Issue</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openldap-server</name>
|
|
<name>openldap-sasl-server</name>
|
|
<range><lt>2.3.25</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Howard Chu reports:</p>
|
|
<blockquote cite="http://www.openldap.org/its/index.cgi/Software%20Bugs?id=4587">
|
|
<p>An ACL of the form 'access to dn.subtree="ou=groups,
|
|
dc=example,dc=com" attr=member by * selfwrite' is intended
|
|
to only allow users to add/delete their own DN to the
|
|
target attribute. Currently it allows any DNs to be
|
|
modified.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>19832</bid>
|
|
<cvename>CVE-2006-4600</cvename>
|
|
<url>http://www.openldap.org/its/index.cgi/Software%20Bugs?id=4587</url>
|
|
<url>http://www.openldap.org/lists/openldap-announce/200608/msg00000.html</url>
|
|
<url>http://secunia.com/advisories/21721</url>
|
|
<url>http://securitytracker.com/alerts/2006/Sep/1016783.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-14</discovery>
|
|
<entry>2006-10-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5a39a22e-5478-11db-8f1a-000a48049292">
|
|
<topic>mono -- "System.CodeDom.Compiler" Insecure Temporary Creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mono</name>
|
|
<range><lt>1.1.13.8.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Sebastian Krahmer reports:</p>
|
|
<blockquote cite="http://www.ubuntu.com/usn/usn-357-1">
|
|
<p>Sebastian Krahmer of the SuSE security team discovered
|
|
that the System.CodeDom.Compiler classes used temporary
|
|
files in an insecure way. This could allow a symbolic link
|
|
attack to create or overwrite arbitrary files with the
|
|
privileges of the user invoking the program. Under some
|
|
circumstances, a local attacker could also exploit this to
|
|
inject arbitrary code into running Mono processes.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-5072</cvename>
|
|
<url>http://www.ubuntu.com/usn/usn-357-1</url>
|
|
<url>http://secunia.com/advisories/22237/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-04</discovery>
|
|
<entry>2006-10-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="edabe438-542f-11db-a5ae-00508d6a62df">
|
|
<topic>php -- open_basedir Race Condition Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>php4</name>
|
|
<name>php5</name>
|
|
<range><lt>4.4.4_1</lt></range>
|
|
<range><ge>5.*</ge><lt>5.1.6_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>php-suhosin</name>
|
|
<range><lt>0.9.6</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>php4-cli</name>
|
|
<name>php5-cli</name>
|
|
<name>php4-cgi</name>
|
|
<name>php5-cgi</name>
|
|
<name>php4-dtc</name>
|
|
<name>php5-dtc</name>
|
|
<name>php4-horde</name>
|
|
<name>php5-horde</name>
|
|
<name>php4-nms</name>
|
|
<name>php5-nms</name>
|
|
<name>mod_php4</name>
|
|
<name>mod_php5</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefan Esser reports:</p>
|
|
<blockquote cite="http://www.hardened-php.net/advisory_082006.132.html">
|
|
<p>PHP's open_basedir feature is meant to disallow scripts to
|
|
access files outside a set of configured base directories.
|
|
The checks for this are placed within PHP functions dealing
|
|
with files before the actual open call is performed.</p>
|
|
<p>Obviously there is a little span of time between the check
|
|
and the actual open call. During this time span the checked
|
|
path could have been altered and point to a file that is
|
|
forbidden to be accessed due to open_basedir restrictions.</p>
|
|
<p>Because the open_basedir restrictions often not call PHP
|
|
functions but 3rd party library functions to actually open
|
|
the file it is impossible to close this time span in a
|
|
general way. It would only be possible to close it when PHP
|
|
handles the actual opening on it's own.</p>
|
|
<p>While it seems hard to change the path during this little
|
|
time span it is very simple with the use of the symlink()
|
|
function combined with a little trick. PHP's symlink()
|
|
function ensures that source and target of the symlink
|
|
operation are allowed by open_basedir restrictions (and
|
|
safe_mode). However it is possible to point a symlink to
|
|
any file by the use of mkdir(), unlink() and at least two
|
|
symlinks.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>20326</bid>
|
|
<cvename>CVE-2006-5178</cvename>
|
|
<url>http://www.hardened-php.net/advisory_082006.132.html</url>
|
|
<url>http://secunia.com/advisories/22235/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-10-02</discovery>
|
|
<entry>2006-10-05</entry>
|
|
<modified>2006-10-16</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="86526ba4-53c8-11db-8f1a-000a48049292">
|
|
<topic>phpbb -- NULL byte injection vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpbb</name>
|
|
<name>zh-phpbb-tw</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/22188/">
|
|
<p>ShAnKaR has discovered a vulnerability in phpBB, which can
|
|
be exploited by malicious users to compromise a vulnerable
|
|
system.</p>
|
|
<p>Input passed to the "avatar_path" parameter in
|
|
admin/admin_board.php is not properly sanitised before
|
|
being used as a configuration variable to store avatar
|
|
images. This can be exploited to upload and execute
|
|
arbitrary PHP code by changing "avatar_path" to a file with
|
|
a trailing NULL byte.</p>
|
|
<p>Successful exploitation requires privileges to the
|
|
administration section.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>20347</bid>
|
|
<cvename>CVE-2006-4758</cvename>
|
|
<url>http://secunia.com/advisories/22188/</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/28884</url>
|
|
<url>http://www.security.nnov.ru/Odocument221.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-12</discovery>
|
|
<entry>2006-10-04</entry>
|
|
<modified>2006-10-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="35f2679f-52d7-11db-8f1a-000a48049292">
|
|
<topic>postnuke -- admin section SQL injection</topic>
|
|
<affects>
|
|
<package>
|
|
<name>postnuke</name>
|
|
<range><lt>0.800</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>ISS X-Force reports:</p>
|
|
<blockquote cite="http://xforce.iss.net/xforce/xfdb/29271">
|
|
<p>PostNuke is vulnerable to SQL injection. A remote attacker
|
|
could send specially-crafted SQL statements to the admin
|
|
section using the hits parameter, which could allow the
|
|
attacker to view, add, modify or delete information in the
|
|
back-end database.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>20317</bid>
|
|
<cvename>CVE-2006-5121</cvename>
|
|
<url>http://xforce.iss.net/xforce/xfdb/29271</url>
|
|
<url>http://www.securityfocus.com/archive/1/archive/1/447361/100/0/threaded</url>
|
|
<url>http://secunia.com/advisories/22197/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-29</discovery>
|
|
<entry>2006-10-03</entry>
|
|
<modified>2006-10-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b975763f-5210-11db-8f1a-000a48049292">
|
|
<topic>freetype -- LWFN Files Buffer Overflow Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>freetype2</name>
|
|
<range><lt>2.1.10_5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>SecurityTracker reports:</p>
|
|
<blockquote cite="http://securitytracker.com/alerts/2006/Jul/1016522.html">
|
|
<p>A vulnerability was reported in FreeType. A remote user
|
|
can cause arbitrary code to be executed on the target
|
|
user's system.</p>
|
|
<p>A remote user can create a specially crafted font file
|
|
that, when loaded by the target user's system, will trigger
|
|
an integer underflow or integer overflow and crash the
|
|
application or execute arbitrary code on the target system.</p>
|
|
<p>Chris Evans reported these vulnerabilities.</p>
|
|
<p>Impact: A remote user can create a file that, when loaded
|
|
by the target user, will execute arbitrary code on the
|
|
target user's system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>18034</bid>
|
|
<cvename>CVE-2006-0747</cvename>
|
|
<cvename>CVE-2006-1861</cvename>
|
|
<cvename>CVE-2006-3467</cvename>
|
|
<url>http://securitytracker.com/alerts/2006/Jul/1016522.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-07-10</discovery>
|
|
<entry>2006-10-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="74ff10f6-520f-11db-8f1a-000a48049292">
|
|
<topic>cscope -- Buffer Overflow Vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cscope</name>
|
|
<range><lt>15.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/21601">
|
|
<p>Will Drewry has reported some vulnerabilities in Cscope,
|
|
which potentially can be exploited by malicious people to
|
|
compromise a vulnerable system.</p>
|
|
<p>Various boundary errors within the parsing of file lists
|
|
or the expansion of environment variables can be exploited
|
|
to cause stack-based buffer overflows when parsing
|
|
specially crafted "cscope.lists" files or directories.</p>
|
|
<p>A boundary error within the parsing of command line
|
|
arguments can be exploited to cause a stack-based buffer
|
|
overflow when supplying an overly long "reffile" argument.</p>
|
|
<p>Successful exploitation may allow execution of arbitrary
|
|
code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>19686</bid>
|
|
<bid>19687</bid>
|
|
<cvename>CVE-2006-4262</cvename>
|
|
<url>http://secunia.com/advisories/21601</url>
|
|
<url>http://sourceforge.net/mailarchive/forum.php?thread_id=30266760&forum_id=33500</url>
|
|
<url>http://sourceforge.net/mailarchive/forum.php?thread_id=30266761&forum_id=33500</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-20</discovery>
|
|
<entry>2006-10-02</entry>
|
|
<modified>2006-10-11</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="64bf6234-520d-11db-8f1a-000a48049292">
|
|
<topic>gnutls -- RSA Signature Forgery Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnutls</name>
|
|
<name>gnutls-devel</name>
|
|
<range><lt>1.4.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/21937">
|
|
<p>A vulnerability has been reported in GnuTLS, which can be
|
|
exploited by malicious people to bypass certain security
|
|
restrictions.</p>
|
|
<p>The vulnerability is caused due to an error in the
|
|
verification of certain signatures. If a RSA key with
|
|
exponent 3 is used, it may be possible to forge PKCS #1
|
|
v1.5 signatures signed with that key.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>20027</bid>
|
|
<cvename>CVE-2006-4790</cvename>
|
|
<url>http://secunia.com/advisories/21937</url>
|
|
<url>http://lists.gnupg.org/pipermail/gnutls-dev/2006-September/001205.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-08</discovery>
|
|
<entry>2006-10-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="350a5bd9-520b-11db-8f1a-000a48049292">
|
|
<topic>MT -- Search Unspecified XSS</topic>
|
|
<affects>
|
|
<package>
|
|
<name>MT</name>
|
|
<range><ge>3.3</ge><lt>3.33</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/22109">
|
|
<p>Arai has reported a vulnerability in Movable Type and
|
|
Movable Type Enterprise, which can be exploited by
|
|
malicious people to conduct cross-site scripting attacks.</p>
|
|
<p>Some unspecified input passed via the search functionality
|
|
isn't properly sanitised before being returned to the user.
|
|
This can be exploited to execute arbitrary HTML and script
|
|
code in a user's browser session in context of an affected
|
|
site.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>20228</bid>
|
|
<cvename>CVE-2006-5080</cvename>
|
|
<url>http://secunia.com/advisories/22109</url>
|
|
<url>http://www.sixapart.com/movabletype/news/2006/09/mt_333-mte_103_updates.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-26</discovery>
|
|
<entry>2006-10-02</entry>
|
|
<modified>2006-10-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="19b17ab4-51e0-11db-a5ae-00508d6a62df">
|
|
<topic>phpmyadmin -- XSRF vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>2.9.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>phpMyAdmin team reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-5">
|
|
<p>We received a security advisory from Stefan Esser
|
|
(sesser@hardened-php.net) and we wish to thank him for his
|
|
work.</p>
|
|
<p>It was possible to inject arbitrary SQL commands by
|
|
forcing an authenticated user to follow a crafted link.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-5116</cvename>
|
|
<cvename>CVE-2006-5117</cvename>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-5</url>
|
|
<url>http://secunia.com/advisories/22126/</url>
|
|
<bid>20253</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-28</discovery>
|
|
<entry>2006-10-02</entry>
|
|
<modified>2006-10-03</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="32db37a5-50c3-11db-acf3-000c6ec775d9">
|
|
<topic>openssh -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>6.1</ge><lt>6.1_10</lt></range>
|
|
<range><ge>6.0</ge><lt>6.0_15</lt></range>
|
|
<range><ge>5.5</ge><lt>5.5_8</lt></range>
|
|
<range><ge>5.4</ge><lt>5.4_22</lt></range>
|
|
<range><ge>5.0</ge><lt>5.3_37</lt></range>
|
|
<range><lt>4.11_25</lt></range>
|
|
</system>
|
|
<package>
|
|
<name>openssh</name>
|
|
<range><lt>4.4,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>openssh-portable</name>
|
|
<range><lt>4.4.p1,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>The CRC compensation attack detector in the sshd(8) daemon,
|
|
upon receipt of duplicate blocks, uses CPU time cubic in the
|
|
number of duplicate blocks received. [CVE-2006-4924]</p>
|
|
<p>A race condition exists in a signal handler used by the
|
|
sshd(8) daemon to handle the LoginGraceTime option, which
|
|
can potentially cause some cleanup routines to be executed
|
|
multiple times. [CVE-2006-5051]</p>
|
|
<h1>Impact</h1>
|
|
<p>An attacker sending specially crafted packets to sshd(8)
|
|
can cause a Denial of Service by using 100% of CPU time
|
|
until a connection timeout occurs. Since this attack can be
|
|
performed over multiple connections simultaneously, it is
|
|
possible to cause up to MaxStartups (10 by default) sshd
|
|
processes to use all the CPU time they can obtain.
|
|
[CVE-2006-4924]</p>
|
|
<p>The OpenSSH project believe that the race condition can
|
|
lead to a Denial of Service or potentially remote code
|
|
execution, but the FreeBSD Security Team has been unable to
|
|
verify the exact impact. [CVE-2006-5051]</p>
|
|
<h1>Workaround</h1>
|
|
<p>The attack against the CRC compensation attack detector can
|
|
be avoided by disabling SSH Protocol version 1 support in
|
|
sshd_config(5).</p>
|
|
<p>There is no workaround for the second issue.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>20216</bid>
|
|
<cvename>CVE-2006-4924</cvename>
|
|
<cvename>CVE-2006-5051</cvename>
|
|
<freebsdsa>SA-06:22.openssh</freebsdsa>
|
|
<url>http://www.openssh.com/txt/release-4.4</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-25</discovery>
|
|
<entry>2006-09-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fcba5764-506a-11db-a5ae-00508d6a62df">
|
|
<topic>dokuwiki -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>dokuwiki</name>
|
|
<range><lt>20060309c</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>dokuwiki-devel</name>
|
|
<range><lt>20060909</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/21819/">
|
|
<p>rgod has discovered a vulnerability in DokuWiki, which can
|
|
be exploited by malicious people to compromise a vulnerable
|
|
system.</p>
|
|
<p>Input passed to the "TARGET_FN" parameter in
|
|
bin/dwpage.php is not properly sanitised before being used
|
|
to copy files. This can be exploited via directory
|
|
traversal attacks in combination with DokuWiki's file
|
|
upload feature to execute arbitrary PHP code.</p>
|
|
</blockquote>
|
|
<p>CVE Mitre reports:</p>
|
|
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4674">
|
|
<p>Direct static code injection vulnerability in doku.php in
|
|
DokuWiki before 2006-03-09c allows remote attackers to
|
|
execute arbitrary PHP code via the X-FORWARDED-FOR HTTP
|
|
header, which is stored in config.php.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4675">
|
|
<p>Unrestricted file upload vulnerability in
|
|
lib/exe/media.php in DokuWiki before 2006-03-09c allows
|
|
remote attackers to upload executable files into the
|
|
data/media folder via unspecified vectors.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4679">
|
|
<p>DokuWiki before 2006-03-09c enables the debug feature by
|
|
default, which allows remote attackers to obtain sensitive
|
|
information by calling doku.php with the X-DOKUWIKI-DO HTTP
|
|
header set to "debug".</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>19911</bid>
|
|
<cvename>CVE-2006-4674</cvename>
|
|
<cvename>CVE-2006-4675</cvename>
|
|
<cvename>CVE-2006-4679</cvename>
|
|
<url>http://secunia.com/advisories/21819/</url>
|
|
<url>http://bugs.splitbrain.org/index.php?do=details&id=906</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-08</discovery>
|
|
<entry>2006-09-30</entry>
|
|
<modified>2006-10-02</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="450b76ee-5068-11db-a5ae-00508d6a62df">
|
|
<topic>dokuwiki -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>dokuwiki</name>
|
|
<range><lt>20060309_5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>dokuwiki-devel</name>
|
|
<range><lt>20060609_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/22192/">
|
|
<p>Some vulnerabilities have been reported in DokuWiki, which
|
|
can be exploited by malicious people to cause a DoS (Denial
|
|
of Service) or potentially compromise a vulnerable system.</p>
|
|
<p>Input passed to the "w" and "h" parameters in
|
|
lib/exec/fetch.php is not properly sanitised before being
|
|
passed as resize parameters to the "convert" application.
|
|
This can be exploited to cause a DoS due to excessive CPU
|
|
and memory consumption by passing very large numbers, or to
|
|
inject arbitrary shell commands by passing specially
|
|
crafted strings to the "w" and "h" parameter.</p>
|
|
<p>Successful exploitation requires that the
|
|
"$conf[imconvert]" option is set.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-5098</cvename>
|
|
<cvename>CVE-2006-5099</cvename>
|
|
<url>http://secunia.com/advisories/22192/</url>
|
|
<url>http://secunia.com/advisories/22199/</url>
|
|
<url>http://bugs.splitbrain.org/?do=details&id=924</url>
|
|
<url>http://bugs.splitbrain.org/?do=details&id=926</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-26</discovery>
|
|
<entry>2006-09-30</entry>
|
|
<modified>2006-10-02</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e4c62abd-5065-11db-a5ae-00508d6a62df">
|
|
<topic>tikiwiki -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tikiwiki</name>
|
|
<range><lt>1.9.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/21536/">
|
|
<p>Thomas Pollet has discovered a vulnerability in TikiWiki,
|
|
which can be exploited by malicious people to conduct
|
|
cross-site scripting attacks.</p>
|
|
<p>Input passed to the "highlight" parameter in
|
|
tiki-searchindex.php is not properly sanitised before being
|
|
returned to the user. This can be exploited to execute
|
|
arbitrary HTML and script code in a user's browser session
|
|
in context of an affected site.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://secunia.com/advisories/21733/">
|
|
<p>rgod has discovered a vulnerability in TikiWiki, which can
|
|
be exploited by malicious people to compromise a vulnerable
|
|
system.</p>
|
|
<p>The vulnerability is caused due to the "jhot.php" script
|
|
not correctly verifying uploaded files. This can e.g. be
|
|
exploited to execute arbitrary PHP code by uploading a
|
|
malicious PHP script to the "img/wiki" directory.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>19654</bid>
|
|
<bid>19819</bid>
|
|
<cvename>CVE-2006-4299</cvename>
|
|
<cvename>CVE-2006-4602</cvename>
|
|
<url>http://secunia.com/advisories/21536/</url>
|
|
<url>http://secunia.com/advisories/21733/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-21</discovery>
|
|
<entry>2006-09-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e79876e4-5061-11db-a5ae-00508d6a62df">
|
|
<topic>punbb -- NULL byte injection vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>punbb</name>
|
|
<range><lt>1.2.13</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>CVE Mitre reports:</p>
|
|
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4759">
|
|
<p>PunBB 1.2.12 does not properly handle an avatar directory
|
|
pathname ending in %00, which allows remote authenticated
|
|
administrative users to upload arbitrary files and execute
|
|
code, as demonstrated by a query to admin_options.php with
|
|
an avatars_dir parameter ending in %00. NOTE: this issue
|
|
was originally disputed by the vendor, but the dispute was
|
|
withdrawn on 20060926.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-4759</cvename>
|
|
<url>http://forums.punbb.org/viewtopic.php?id=13255</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-13</discovery>
|
|
<entry>2006-09-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2d9ad236-4d26-11db-b48d-00508d6a62df">
|
|
<topic>freeciv -- Denial of Service Vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>freeciv</name>
|
|
<name>freeciv-gtk</name>
|
|
<name>freeciv-gtk2</name>
|
|
<name>freeciv-nox11</name>
|
|
<range><lt>2.0.8_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/21171/">
|
|
<p>Luigi Auriemma has reported a vulnerability in Freeciv,
|
|
which can be exploited by malicious people to cause a DoS
|
|
(Denial of Service).</p>
|
|
<p>An error in the "generic_handle_player_attribute_chunk()"
|
|
function in common/packets.c can be exploited to crash the
|
|
service via a specially crafted
|
|
PACKET_PLAYER_ATTRIBUTE_CHUNK packet sent to the server.</p>
|
|
<p>An error in the "handle_unit_orders()" function in
|
|
server/unithand.c can be exploited to crash the service
|
|
via a specially crafted packet.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-3913</cvename>
|
|
<bid>19117</bid>
|
|
<url>http://secunia.com/advisories/21171/</url>
|
|
<url>http://aluigi.altervista.org/adv/freecivx-adv.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-07-23</discovery>
|
|
<entry>2006-09-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="339fbbc1-4d23-11db-b48d-00508d6a62df">
|
|
<topic>freeciv -- Packet Parsing Denial of Service Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>freeciv</name>
|
|
<name>freeciv-gtk</name>
|
|
<name>freeciv-gtk2</name>
|
|
<name>freeciv-nox11</name>
|
|
<range><lt>2.0.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19120/">
|
|
<p>Luigi Auriemma has reported a vulnerability in Freeciv, which
|
|
can be exploited by malicious people to cause a DoS (Denial of
|
|
Service).</p>
|
|
<p>The vulnerability is caused due to an error within the
|
|
handling of the packet length in "common/packets.c". This can
|
|
be exploited to crash the Freeciv server via a specially-
|
|
crafted packet with the size set to "0xffff".</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0047</cvename>
|
|
<bid>16975</bid>
|
|
<url>http://secunia.com/advisories/19120/</url>
|
|
<url>http://aluigi.altervista.org/adv/freecivdos-adv.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-06</discovery>
|
|
<entry>2006-09-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1709084d-4d21-11db-b48d-00508d6a62df">
|
|
<topic>plans -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>plans</name>
|
|
<range><lt>6.7.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/15854/">
|
|
<p>A vulnerability has been reported in Plans, which can be
|
|
exploited by malicious people to conduct SQL injection
|
|
attacks.</p>
|
|
<p>Input passed to the "evt_id" parameter in "plans.cgi"
|
|
isn't properly sanitised before being used in a SQL query.
|
|
This can be exploited to manipulate SQL queries by
|
|
injecting arbitrary SQL code.</p>
|
|
<p>Successful exploitation requires that SQL database
|
|
support has been enabled in "plans_config.pl" (the default
|
|
setting is flat files).</p>
|
|
</blockquote>
|
|
<blockquote cite="http://secunia.com/advisories/15167/">
|
|
<p>Some vulnerabilities have been reported in Plans, which
|
|
can be exploited by malicious people to conduct cross-site
|
|
scripting attacks or gain knowledge of sensitive
|
|
information.</p>
|
|
<p>Input passed to various unspecified parameters is not
|
|
properly sanitised before being returned to users. This
|
|
can be exploited to execute arbitrary HTML and script code
|
|
in a user's browser session in context of a vulnerable
|
|
site.</p>
|
|
<p>An unspecified error can be exploited to gain knowledge
|
|
of the MySQL password.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14069</bid>
|
|
<url>http://secunia.com/advisories/15167/</url>
|
|
<url>http://secunia.com/advisories/15854/</url>
|
|
<url>http://planscalendar.com/forum/viewtopic.php?t=660</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-28</discovery>
|
|
<entry>2006-09-26</entry>
|
|
<modified>2006-10-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d3527663-4ccb-11db-b48d-00508d6a62df">
|
|
<topic>eyeOS -- multiple XSS security bugs</topic>
|
|
<affects>
|
|
<package>
|
|
<name>eyeOS</name>
|
|
<range><lt>0.9.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>eyeOS team reports:</p>
|
|
<blockquote cite="http://eyeos.blogspot.com/2006/09/eyeos-091-released.html">
|
|
<p>[EyeOS 0.9.1] release fixes two XSS security bugs, so we
|
|
recommend all users to upgrade to this new version in order
|
|
to have the best security. These two bugs were discovered by
|
|
Jose Carlos Norte, who is a new eyeOS developer.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>20213</bid>
|
|
<cvename>CVE-2006-5071</cvename>
|
|
<url>http://eyeos.blogspot.com/2006/09/eyeos-091-released.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-25</discovery>
|
|
<entry>2006-09-25</entry>
|
|
<modified>2006-10-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="65a8f773-4a37-11db-a4cc-000a48049292">
|
|
<topic>zope -- restructuredText "csv_table" Information Disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zope</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/21947/">
|
|
<p>A vulnerability has been reported in Zope, which can be
|
|
exploited by malicious people to disclose potentially
|
|
sensitive information.</p>
|
|
<p>The vulnerability is caused due to an error in the use of
|
|
the docutils module to parse and render "restructured"
|
|
text. This can be exploited to disclose certain information
|
|
via the "csv_table" reStructuredText directive.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>20022</bid>
|
|
<cvename>CVE-2006-4684</cvename>
|
|
<url>http://secunia.com/advisories/21947/</url>
|
|
<url>http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821/README.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-21</discovery>
|
|
<entry>2006-09-22</entry>
|
|
<modified>2006-10-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f6bff909-4a26-11db-a4cc-000a48049292">
|
|
<topic>libmms -- stack-based buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libmms</name>
|
|
<range><lt>0.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libxine</name>
|
|
<range><lt>1.1.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Mitre CVE reports:</p>
|
|
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2200">
|
|
<p>Stack-based buffer overflow in libmms, as used by (a)
|
|
MiMMS 0.0.9 and (b) xine-lib 1.1.0 and earlier, allows
|
|
remote attackers to cause a denial of service (application
|
|
crash) and possibly execute arbitrary code via the (1)
|
|
send_command, (2) string_utf16, (3) get_data, and (4)
|
|
get_media_packet functions, and possibly other functions.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-2200</cvename>
|
|
<bid>18608</bid>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=374577</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-04</discovery>
|
|
<entry>2006-09-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1fe734bf-4a06-11db-b48d-00508d6a62df">
|
|
<topic>opera -- RSA Signature Forgery</topic>
|
|
<affects>
|
|
<package>
|
|
<name>opera</name>
|
|
<name>opera-devel</name>
|
|
<name>linux-opera</name>
|
|
<range><lt>9.02</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Opera reports:</p>
|
|
<blockquote cite="http://www.opera.com/support/search/supsearch.dml?index=845">
|
|
<p>A specially crafted digital certificate can bypass Opera's
|
|
certificate signature verification. Forged certificates can
|
|
contain any false information the forger chooses, and Opera
|
|
will still present it as valid. Opera will not present any
|
|
warning dialogs in this case, and the security status will
|
|
be the highest possible (3). This defeats the protection
|
|
against "man in the middle", the attacks that SSL was
|
|
designed to prevent.</p>
|
|
<p>There is a flaw in OpenSSL's RSA signature verification
|
|
that affects digital certificates using 3 as the public
|
|
exponent. Some of the certificate issuers that are on
|
|
Opera's list of trusted signers have root certificates with
|
|
3 as the public exponent. The forged certificate can appear
|
|
to be signed by one of these.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-4339</cvename>
|
|
<url>http://secunia.com/advisories/21982/</url>
|
|
<url>http://secunia.com/advisories/21709/</url>
|
|
<url>http://www.cdc.informatik.tu-darmstadt.de/securebrowser/</url>
|
|
<url>http://www.openssl.org/news/secadv_20060905.txt</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-60.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-18</discovery>
|
|
<entry>2006-09-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e6296105-449b-11db-ba89-000c6ec775d9">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.5.0.7,1</lt></range>
|
|
<range><gt>2.*,1</gt><lt>2.0_1,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.5.0.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>1.0.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<name>linux-thunderbird</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<range><lt>1.5.0.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox-devel</name>
|
|
<range><lt>3.0.a2006.09.21</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-seamonkey-devel</name>
|
|
<range><lt>1.5.a2006.09.21</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla-devel</name>
|
|
<name>linux-mozilla</name>
|
|
<name>mozilla</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Foundation reports of multiple security issues
|
|
in Firefox, Seamonkey, and Thunderbird. Several of these
|
|
issues can probably be used to run arbitrary code with the
|
|
privilege of the user running the program.</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/">
|
|
<ul>
|
|
<li>MFSA 2006-64 Crashes with evidence of memory
|
|
corruption (rv:1.8.0.7)</li>
|
|
<li>MFSA 2006-63 JavaScript execution in mail via XBL</li>
|
|
<li>MFSA 2006-62 Popup-blocker cross-site scripting (XSS)</li>
|
|
<li>MFSA 2006-61 Frame spoofing using document.open()</li>
|
|
<li>MFSA 2006-60 RSA Signature Forgery</li>
|
|
<li>MFSA 2006-59 Concurrency-related vulnerability</li>
|
|
<li>MFSA 2006-58 Auto-Update compromise through DNS and
|
|
SSL spoofing</li>
|
|
<li>MFSA 2006-57 JavaScript Regular Expression Heap
|
|
Corruption</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>20042</bid>
|
|
<cvename>CVE-2006-4253</cvename>
|
|
<cvename>CVE-2006-4340</cvename>
|
|
<cvename>CVE-2006-4565</cvename>
|
|
<cvename>CVE-2006-4566</cvename>
|
|
<cvename>CVE-2006-4567</cvename>
|
|
<cvename>CVE-2006-4568</cvename>
|
|
<cvename>CVE-2006-4569</cvename>
|
|
<cvename>CVE-2006-4570</cvename>
|
|
<cvename>CVE-2006-4571</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-57.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-58.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-59.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-60.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-61.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-62.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-63.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-64.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-14</discovery>
|
|
<entry>2006-09-15</entry>
|
|
<modified>2006-11-02</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="24f6b1eb-43d5-11db-81e1-000e0c2e438a">
|
|
<topic>win32-codecs -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>win32-codecs</name>
|
|
<range><lt>3.1.0.p8_1,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Apple Security Team reports that there are multiple
|
|
vulnerabilities within QuickTime (one of the plugins for
|
|
win32-codecs). A remote attacker capable of creating a
|
|
malicious SGI image, FlashPix, FLC movie, or a QuickTime
|
|
movie can possibly lead to execution of arbitrary code or
|
|
cause a Denial of Service (application crash).</p>
|
|
<p>Users who have QuickTime (/win32-codecs) as a browser plugin
|
|
may be vulnerable to remote code execution by visiting a
|
|
website containing a malicious SGI image, FlashPix, FLC movie
|
|
or a QuickTime movie.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>20138</bid>
|
|
<cvename>CVE-2006-4381</cvename>
|
|
<cvename>CVE-2006-4382</cvename>
|
|
<cvename>CVE-2006-4384</cvename>
|
|
<cvename>CVE-2006-4385</cvename>
|
|
<cvename>CVE-2006-4386</cvename>
|
|
<cvename>CVE-2006-4388</cvename>
|
|
<cvename>CVE-2006-4389</cvename>
|
|
<url>http://docs.info.apple.com/article.html?artnum=304357</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-08</discovery>
|
|
<entry>2006-09-14</entry>
|
|
<modified>2006-10-17</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ea09c5df-4362-11db-81e1-000e0c2e438a">
|
|
<topic>php -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>php4</name>
|
|
<name>php5</name>
|
|
<range><lt>4.4.4</lt></range>
|
|
<range><ge>5</ge><lt>5.1.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>php4-cli</name>
|
|
<name>php5-cli</name>
|
|
<name>php4-cgi</name>
|
|
<name>php5-cgi</name>
|
|
<name>php4-dtc</name>
|
|
<name>php5-dtc</name>
|
|
<name>php4-horde</name>
|
|
<name>php5-horde</name>
|
|
<name>php4-nms</name>
|
|
<name>php5-nms</name>
|
|
<name>mod_php4</name>
|
|
<name>mod_php5</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The PHP development team reports:</p>
|
|
<blockquote cite="http://www.php.net/release_5_1_5.php">
|
|
<ul>
|
|
<li>Added missing safe_mode/open_basedir checks inside the
|
|
error_log(), file_exists(), imap_open() and imap_reopen()
|
|
functions.</li>
|
|
<li>Fixed overflows inside str_repeat() and wordwrap()
|
|
functions on 64bit systems.</li>
|
|
<li>Fixed possible open_basedir/safe_mode bypass in cURL
|
|
extension and with realpath cache.</li>
|
|
<li>Fixed overflow in GD extension on invalid GIF
|
|
images.</li>
|
|
<li>Fixed a buffer overflow inside sscanf() function.</li>
|
|
<li>Fixed an out of bounds read inside stripos()
|
|
function.</li>
|
|
<li>Fixed memory_limit restriction on 64 bit system.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-4481</cvename>
|
|
<cvename>CVE-2006-4482</cvename>
|
|
<cvename>CVE-2006-4483</cvename>
|
|
<cvename>CVE-2006-4484</cvename>
|
|
<cvename>CVE-2006-4485</cvename>
|
|
<cvename>CVE-2006-4486</cvename>
|
|
<url>http://www.php.net/release_4_4_4.php</url>
|
|
<url>http://www.php.net/release_5_1_5.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-18</discovery>
|
|
<entry>2006-09-13</entry>
|
|
<modified>2006-09-14</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c0fd7890-4346-11db-89cc-000ae42e9b93">
|
|
<topic>drupal-pubcookie -- authentication may be bypassed</topic>
|
|
<affects>
|
|
<package>
|
|
<name>drupal-pubcookie</name>
|
|
<range><le>4.6.0_20060210</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Drupal Project reports:</p>
|
|
<blockquote cite="http://drupal.org/node/83064">
|
|
<p>It is possible for a malicious user to spoof a user's
|
|
identity by bypassing the login redirection mechanism in the
|
|
pubcookie module. The malicious user may gain the privileges
|
|
of the user they are spoofing, including the administrative
|
|
user.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://drupal.org/node/83064</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-08</discovery>
|
|
<entry>2006-09-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7c75d48c-429b-11db-afae-000c6ec775d9">
|
|
<topic>linux-flashplugin7 -- arbitrary code execution vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-flashplugin</name>
|
|
<range><lt>7.0r68</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb06-11.html">
|
|
<p>Multiple input validation errors have been identified in
|
|
Flash Player 8.0.24.0 and earlier versions that could lead
|
|
to the potential execution of arbitrary code. These
|
|
vulnerabilities could be accessed through content
|
|
delivered from a remote location via the user?s web
|
|
browser, email client, or other applications that include
|
|
or reference the Flash Player. (CVE-2006-3311,
|
|
CVE-2006-3587, CVE-2006-3588)</p>
|
|
<p>These updates include changes to prevent circumvention of
|
|
the "allowScriptAccess" option. (CVE-2006-4640)</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-3311</cvename>
|
|
<cvename>CVE-2006-3587</cvename>
|
|
<cvename>CVE-2006-3588</cvename>
|
|
<cvename>CVE-2006-4640</cvename>
|
|
<url>http://www.adobe.com/support/security/bulletins/apsb06-11.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-09-12</discovery>
|
|
<entry>2006-09-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="28ce7102-4039-11db-a838-00148584c7dd">
|
|
<cancelled/>
|
|
</vuln>
|
|
|
|
<vuln vid="fffa9257-3c17-11db-86ab-00123ffe8333">
|
|
<topic>mailman -- Multiple Vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mailman</name>
|
|
<name>ja-mailman</name>
|
|
<name>mailman-with-htdig</name>
|
|
<range><lt>2.1.9.r1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/21732/">
|
|
<p>Mailman can be exploited by malicious people to conduct cross-site
|
|
scripting and phishing attacks, and cause a DoS (Denial of
|
|
Service).</p>
|
|
<p>1) An error in the logging functionality can be exploited to
|
|
inject a spoofed log message into the error log via a specially
|
|
crafted URL.</p>
|
|
<p>Successful exploitation may trick an administrator into visiting
|
|
a malicious web site.</p>
|
|
<p>2) An error in the processing of malformed headers which does not
|
|
follow the RFC 2231 standard can be exploited to cause a DoS
|
|
(Denial of Service).</p>
|
|
<p>3) Some unspecified input isn't properly sanitised before being
|
|
returned to the user. This can be exploited to execute arbitrary
|
|
HTML and script code in a user's browser session in context of an
|
|
affected site.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>19831</bid>
|
|
<cvename>CVE-2006-2191</cvename>
|
|
<cvename>CVE-2006-2941</cvename>
|
|
<cvename>CVE-2006-3636</cvename>
|
|
<cvename>CVE-2006-4624</cvename>
|
|
<url>http://secunia.com/advisories/21732/</url>
|
|
<url>http://sourceforge.net/project/shownotes.php?group_id=103&release_id=444295</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-09</discovery>
|
|
<entry>2006-09-04</entry>
|
|
<modified>2006-10-04</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="09639ccc-3abb-11db-81e1-000e0c2e438a">
|
|
<topic>hlstats -- multiple cross site scripting vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>hlstats</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Kefka reports multiple cross site scripting vulnerabilities
|
|
within hlstats. The vulnerabilities are caused due to
|
|
improper checking of variables, allowing an attacker to
|
|
perform cross site scripting.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>19745</bid>
|
|
<cvename>CVE-2006-4454</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-29</discovery>
|
|
<entry>2006-09-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0b79743b-3ab7-11db-81e1-000e0c2e438a">
|
|
<topic>gtetrinet -- remote code execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gtetrinet</name>
|
|
<range><lt>0.7.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Debian Security Team reports:</p>
|
|
<blockquote cite="http://www.debian.org/security/2006/dsa-1163">
|
|
<p>Michael Gehring discovered several potential out-of-bounds
|
|
index accesses in gtetrinet, a multiplayer Tetris-like game,
|
|
which may allow a remote server to execute arbitrary
|
|
code</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>19766</bid>
|
|
<cvename>CVE-2006-3125</cvename>
|
|
<url>http://www.debian.org/security/2006/dsa-1163</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-30</discovery>
|
|
<entry>2006-09-02</entry>
|
|
<modified>2006-10-01</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0ab423e7-3822-11db-81e1-000e0c2e438a">
|
|
<topic>joomla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>joomla</name>
|
|
<range><lt>1.0.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Joomla development team reports multiple vulnerabilities
|
|
within the joomla application. Joomla is vulnerable to the
|
|
following vulnerabilities:</p>
|
|
<ul>
|
|
<li>Improper validation of the mosMail function</li>
|
|
<li>Improper validation of the JosIsValidEmail function.</li>
|
|
<li>Remote code execution in PEAR.php</li>
|
|
<li>Zend Hash del key or index vulnerability</li>
|
|
</ul>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.joomla.org/content/view/1841/78/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-28</discovery>
|
|
<entry>2006-08-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c9d2e361-32fb-11db-a6e2-000e0c2e438a">
|
|
<topic>sppp -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><lt>4.11_20</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_32</lt></range>
|
|
<range><ge>5.4</ge><lt>5.4_17</lt></range>
|
|
<range><ge>5.5</ge><lt>5.5_3</lt></range>
|
|
<range><ge>6.0</ge><lt>6.0_10</lt></range>
|
|
<range><ge>6.1</ge><lt>6.1_4</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>While processing Link Control Protocol (LCP) configuration
|
|
options received from the remote host, sppp(4) fails to
|
|
correctly validate option lengths. This may result in data
|
|
being read or written beyond the allocated kernel memory
|
|
buffer.</p>
|
|
<h1>Impact</h1>
|
|
<p>An attacker able to send LCP packets, including the remote
|
|
end of a sppp(4) connection, can cause the FreeBSD kernel to
|
|
panic. Such an attacker may also be able to obtain
|
|
sensitive information or gain elevated privileges.</p>
|
|
<h1>Workaround</h1>
|
|
<p>No workaround is available, but systems which do not use sppp(4) are not
|
|
vulnerable.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-4304</cvename>
|
|
<freebsdsa>SA-06:18.ppp</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-23</discovery>
|
|
<entry>2006-08-23</entry>
|
|
<modified>2006-08-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e2e8d374-2e40-11db-b683-0008743bf21a">
|
|
<topic>horde -- Phishing and Cross-Site Scripting Vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde</name>
|
|
<range><le>3.1.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>imp</name>
|
|
<range><le>4.1.2</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/21500/">
|
|
<p>Some vulnerabilities have been reported in Horde, which
|
|
can be exploited by malicious people to conduct phishing
|
|
and cross-site scripting attacks.
|
|
</p>
|
|
<ol>
|
|
<li>Input passed to the "url" parameter in index.php isn't
|
|
properly verified before it is being used to include an
|
|
arbitrary web site in a frameset. This can e.g. be
|
|
exploited to trick a user into believing certain
|
|
malicious content is served from a trusted web site.</li>
|
|
<li>Some unspecified input passed in index.php isn't
|
|
properly sanitised before being returned to the user.
|
|
This can be exploited to execute arbitrary HTML and
|
|
script code in a user's browser session in context of an
|
|
affected site.</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>19557</bid>
|
|
<bid>19544</bid>
|
|
<url>http://secunia.com/advisories/21500/</url>
|
|
<url>http://lists.horde.org/archives/announce/2006/000292.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-17</discovery>
|
|
<entry>2006-08-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5039ae61-2c9f-11db-8401-000ae42e9b93">
|
|
<topic>globus -- Multiple tmpfile races</topic>
|
|
<affects>
|
|
<package>
|
|
<name>globus</name>
|
|
<range><lt>4.0.2_20060706</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Globus Alliance reports:</p>
|
|
<blockquote cite="http://www.globus.org/mail_archive/security-announce/2006/08/msg00000.html">
|
|
<p>The proxy generation tool (grid-proxy-init) creates the
|
|
file, secures the file to provide access only to owner and
|
|
writes proxy to the file. A race condition exists between
|
|
the opening of the proxy credentials file, and making sure
|
|
it is safe file to write to. The checks to ensure this
|
|
file is accessible only to the owner take place using the
|
|
filename after the file is opened for writing, but before
|
|
any data is written.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.globus.org/mail_archive/security-announce/2006/08/msg00001.html">
|
|
<p>Various components of the toolkit use files in shared
|
|
directories to store information, some being sensitive
|
|
information. For example, the tool to create proxy
|
|
certificates, stores the generated proxy certificate by
|
|
default in /tmp. Specific vulnerabilities in handling such
|
|
files were reported in myproxy-admin-adduser, grid-ca-sign
|
|
and grid-security-config.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.globus.org/mail_archive/security-announce/2006/08/msg00000.html</url>
|
|
<url>http://www.globus.org/mail_archive/security-announce/2006/08/msg00001.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-08</discovery>
|
|
<entry>2006-08-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9dda3ff1-2b02-11db-a6e2-000e0c2e438a">
|
|
<topic>x11vnc -- authentication bypass vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>x11vnc</name>
|
|
<range><lt>0.8.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ludwig Nussel reports that x11vnc is vulnerable to an
|
|
authentication bypass vulnerability. The vulnerability is
|
|
caused by an error in auth.c. This could allow a remote
|
|
attacker to gain unauthorized and unauthenticated access
|
|
to the system.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>18977</bid>
|
|
<cvename>CVE-2006-2450</cvename>
|
|
<url>http://bugs.debian.org/376824</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-08</discovery>
|
|
<entry>2006-08-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9855ac8e-2aec-11db-a6e2-000e0c2e438a">
|
|
<topic>alsaplayer -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>alsaplayer</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Luigi Auriemma reports three vulnerabilities within
|
|
alsaplayer:</p>
|
|
<blockquote cite="http://aluigi.altervista.org/adv/alsapbof-adv.txt">
|
|
<ul>
|
|
<li>The function which handles the HTTP connections is
|
|
vulnerable to a buffer-overflow that happens when it uses
|
|
sscanf for copying the URL in the Location's field
|
|
received from the server into the redirect buffer of only
|
|
1024 bytes declared in http_open.</li>
|
|
<li>A buffer-overflow exists in the functions which add items
|
|
to the playlist when the GTK interface is used (so the other
|
|
interfaces are not affected by this problem): new_list_item
|
|
and CbUpdated in interface/gtk/PlaylistWindow.cpp.</li>
|
|
<li>AlsaPlayer automatically queries the CDDB server
|
|
specified in its configuration (by default
|
|
freedb.freedb.org) when the user choices the CDDA function
|
|
for playing audio CDs. The function which queries the
|
|
server uses a buffer of 20 bytes and one of 9 for storing
|
|
the category and ID strings received from the server while
|
|
the buffer which contains this server's response is 32768
|
|
bytes long. Naturally for exploiting this bug the attacker
|
|
must have control of the freedb server specified in the
|
|
AlsaPlayer's configuration.</li>
|
|
</ul>
|
|
</blockquote>
|
|
<p>These vulnerabilities could allow a remote attacker to
|
|
execute arbitrary code, possibly gaining access to the
|
|
system.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>19450</bid>
|
|
<url>http://aluigi.altervista.org/adv/alsapbof-adv.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-09</discovery>
|
|
<entry>2006-08-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="17f53c1d-2ae9-11db-a6e2-000e0c2e438a">
|
|
<topic>postgresql -- encoding based SQL injection</topic>
|
|
<affects>
|
|
<package>
|
|
<name>postgresql</name>
|
|
<name>postgresql-server</name>
|
|
<name>ja-postgresql</name>
|
|
<range><ge>7.3</ge><lt>7.3.15</lt></range>
|
|
<range><ge>7.4</ge><lt>7.4.13</lt></range>
|
|
<range><ge>8.0.0</ge><lt>8.0.8</lt></range>
|
|
<range><ge>8.1.0</ge><lt>8.1.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The PostgreSQL development team reports:</p>
|
|
<blockquote cite="http://www.postgresql.org/docs/techdocs.50">
|
|
<p>An attacker able to submit crafted strings to an
|
|
application that will embed those strings in SQL commands
|
|
can use invalidly-encoded multibyte characters to bypass
|
|
standard string-escaping methods, resulting in possible
|
|
injection of hostile SQL commands into the database. The
|
|
attacks covered here work in any multibyte encoding.</p>
|
|
<p>The widely-used practice of escaping ASCII single quote
|
|
"'" by turning it into "\'" is unsafe when operating in
|
|
multibyte encodings that allow 0x5c (ASCII code for
|
|
backslash) as the trailing byte of a multibyte character;
|
|
this includes at least SJIS, BIG5, GBK, GB18030, and UHC.
|
|
An application that uses this conversion while embedding
|
|
untrusted strings in SQL commands is vulnerable to
|
|
SQL-injection attacks if it communicates with the server in
|
|
one of these encodings. While the standard client libraries
|
|
used with PostgreSQL have escaped "'" in the safe,
|
|
SQL-standard way of "''" for some time, the older practice
|
|
remains common.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>18092</bid>
|
|
<cvename>CVE-2006-2313</cvename>
|
|
<cvename>CVE-2006-2314</cvename>
|
|
<url>http://www.postgresql.org/docs/techdocs.50</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-11</discovery>
|
|
<entry>2006-08-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="65c8ecf9-2adb-11db-a6e2-000e0c2e438a">
|
|
<topic>postgresql -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>postgresql</name>
|
|
<name>postgresql-server</name>
|
|
<name>ja-postgresql</name>
|
|
<range><ge>7.2</ge><lt>7.2.7</lt></range>
|
|
<range><ge>7.3</ge><lt>7.3.9</lt></range>
|
|
<range><ge>7.4</ge><lt>7.4.7</lt></range>
|
|
<range><ge>8.0.0</ge><lt>8.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Multiple vulnerabilities had been reported in various
|
|
versions of PostgreSQL:</p>
|
|
<ul>
|
|
<li>The EXECUTE restrictions can be bypassed by using the
|
|
AGGREGATE function, which is missing a permissions check.</li>
|
|
<li>A buffer overflow exists in gram.y which could allow an
|
|
attacker to execute arbitrary code by sending a large
|
|
number of arguments to a refcursor function, found in
|
|
gram.y</li>
|
|
<li>The intagg contributed module allows an attacker to crash
|
|
the server (Denial of Service) by constructing a malicious
|
|
crafted array.</li>
|
|
</ul>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0244</cvename>
|
|
<cvename>CVE-2005-0245</cvename>
|
|
<cvename>CVE-2005-0246</cvename>
|
|
<url>http://secunia.com/advisories/12948</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-01</discovery>
|
|
<entry>2006-08-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fcb90eb0-2ace-11db-a6e2-000e0c2e438a">
|
|
<topic>mysql -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><ge>5.1</ge><lt>5.1.6</lt></range>
|
|
<range><ge>5.0</ge><lt>5.0.19</lt></range>
|
|
<range><ge>4.1</ge><lt>4.1.18</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jean-David Maillefer reports a Denial of Service vulnerability
|
|
within MySQL. The vulnerability is caused by improper checking
|
|
of the data_format routine, which cause the MySQL server to
|
|
crash. The crash is triggered by the following code:<br />
|
|
<code>"SELECT date_format('%d%s', 1);</code></p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>19032</bid>
|
|
<cvename>CVE-2006-3469</cvename>
|
|
<url>http://bugs.mysql.com/bug.php?id=20729</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-27</discovery>
|
|
<entry>2006-08-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="21b7c550-2a22-11db-a6e2-000e0c2e438a">
|
|
<topic>squirrelmail -- random variable overwrite vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ja-squirrelmail</name>
|
|
<range><ge>1.4.0</ge><lt>1.4.8,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>squirrelmail</name>
|
|
<range><ge>1.4.0</ge><lt>1.4.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The SquirrelMail developers report:</p>
|
|
<blockquote cite="http://www.squirrelmail.org/security/issue/2006-08-11">
|
|
<p>A logged in user could overwrite random variables in
|
|
compose.php, which might make it possible to read/write
|
|
other users' preferences or attachments.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-4019</cvename>
|
|
<url>http://www.squirrelmail.org/security/issue/2006-08-11</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-11</discovery>
|
|
<entry>2006-08-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="90064567-28b1-11db-844d-000c6ec775d9">
|
|
<topic>rubygem-rails -- evaluation of ruby code</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rubygem-rails</name>
|
|
<range><ge>1.1.0</ge><lt>1.1.3</lt></range>
|
|
<range><ge>1.1.4</ge><lt>1.1.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Ruby on Rails blog reports:</p>
|
|
<blockquote cite="http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure">
|
|
<p>With Rails 1.1.0 through 1.1.5 (minus the short-lived 1.1.3),
|
|
you can trigger the evaluation of Ruby code through the URL
|
|
because of a bug in the routing code of Rails. This means that
|
|
you can essentially take down a Rails process by starting
|
|
something like /script/profiler, as the code will run for a
|
|
long time and that process will be hung while it happens.
|
|
Other URLs can even cause data loss.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-09</discovery>
|
|
<entry>2006-08-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="342d2e48-26db-11db-9275-000475abc56f">
|
|
<topic>clamav -- heap overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>clamav</name>
|
|
<range><ge>0.88.1</ge><lt>0.88.4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>clamav-devel</name>
|
|
<range><lt>20060808</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Clamav team reports:</p>
|
|
<blockquote cite="http://www.clamav.net/security/0.88.4.html">
|
|
<p>A heap overflow vulnerability was discovered in libclamav
|
|
which could cause a denial of service or allow the
|
|
execution of arbitrary code.</p>
|
|
<p>The problem is specifically located in the PE file rebuild
|
|
function used by the UPX unpacker.</p>
|
|
<p>Relevant code from libclamav/upx.c:</p>
|
|
<p>
|
|
memcpy(dst, newbuf, foffset);
|
|
*dsize = foffset;
|
|
free(newbuf);
|
|
|
|
cli_dbgmsg("UPX: PE structure rebuilt from compressed file\n");
|
|
return 1;</p>
|
|
<p>Due to improper validation it is possible to overflow the above
|
|
memcpy() beyond the allocated memory block.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-4018</cvename>
|
|
<url>http://www.clamav.net/security/0.88.4.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-07</discovery>
|
|
<entry>2006-08-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c905298c-2274-11db-896e-000ae42e9b93">
|
|
<topic>drupal -- XSS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>drupal</name>
|
|
<range><lt>4.6.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Drupal project reports:</p>
|
|
<blockquote cite="http://drupal.org/files/sa-2006-011/advisory.txt">
|
|
<p>A malicious user can execute a cross site scripting attack
|
|
by enticing someone to visit a Drupal site via a specially
|
|
crafted link.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://drupal.org/files/sa-2006-011/advisory.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-02</discovery>
|
|
<entry>2006-08-02</entry>
|
|
<modified>2006-08-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ed529baa-21c6-11db-b625-02e081235dab">
|
|
<topic>gnupg -- 2 more possible memory allocation attacks</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnupg</name>
|
|
<range><lt>1.4.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Author reports:</p>
|
|
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2006q3/000229.html">
|
|
<p>Fixed 2 more possible memory allocation attacks. They are
|
|
similar to the problem we fixed with 1.4.4. This bug can easily
|
|
be be exploted for a DoS; remote code execution is not entirely
|
|
impossible.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://lists.gnupg.org/pipermail/gnupg-announce/2006q3/000229.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-08-01</discovery>
|
|
<entry>2006-08-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="76562594-1f19-11db-b7d4-0008743bf21a">
|
|
<topic>ruby - multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby</name>
|
|
<name>ruby_static</name>
|
|
<range><gt>1.6.*</gt><lt>1.8.*</lt></range>
|
|
<range><gt>1.8.*</gt><lt>1.8.4_9,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/21009/">
|
|
<p>Two vulnerabilities have been reported in Ruby, which can
|
|
be exploited by malicious people to bypass certain security
|
|
restrictions.</p>
|
|
<ol>
|
|
<li>An error in the handling of the "alias" functionality
|
|
can be exploited to bypass the safe level protection and
|
|
replace methods called in the trusted level.</li>
|
|
<li>An error caused due to directory operations not being
|
|
properly checked can be exploited to bypass the safe
|
|
level protection and close untainted directory streams.</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>18944</bid>
|
|
<cvename>CVE-2006-3694</cvename>
|
|
<url>http://secunia.com/advisories/21009/</url>
|
|
<url>http://jvn.jp/jp/JVN%2383768862/index.html</url>
|
|
<url>http://jvn.jp/jp/JVN%2313947696/index.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-07-12</discovery>
|
|
<entry>2006-07-29</entry>
|
|
<modified>2006-07-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="dc8c08c7-1e7c-11db-88cf-000c6ec775d9">
|
|
<topic>apache -- mod_rewrite buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><ge>1.3.28</ge><lt>1.3.36_1</lt></range>
|
|
<range><ge>2.0.46</ge><lt>2.0.58_2</lt></range>
|
|
<range><ge>2.2.0</ge><lt>2.2.2_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+mod_perl</name>
|
|
<range><ge>1.3.28</ge><lt>1.3.36_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+ipv6</name>
|
|
<range><ge>1.3.28</ge><lt>1.3.37</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache_fp</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-apache</name>
|
|
<range><ge>1.3.28</ge><lt>1.3.37+30.23</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-apache+mod_ssl</name>
|
|
<range><ge>1.3.28</ge><lt>1.3.34.1.57_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+ssl</name>
|
|
<range><ge>1.3.28</ge><lt>1.3.34.1.57_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+mod_ssl</name>
|
|
<name>apache+mod_ssl+ipv6</name>
|
|
<name>apache+mod_ssl+mod_accel</name>
|
|
<name>apache+mod_ssl+mod_accel+ipv6</name>
|
|
<name>apache+mod_ssl+mod_accel+mod_deflate</name>
|
|
<name>apache+mod_ssl+mod_accel+mod_deflate+ipv6</name>
|
|
<name>apache+mod_ssl+mod_deflate</name>
|
|
<name>apache+mod_ssl+mod_deflate+ipv6</name>
|
|
<name>apache+mod_ssl+mod_snmp</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_accel</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_accel+ipv6</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_deflate</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_deflate+ipv6</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6</name>
|
|
<range><ge>1.3.28</ge><lt>1.3.36+2.8.27_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Apache Software Foundation and The Apache HTTP Server
|
|
Project reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=115409818602955">
|
|
<p>An off-by-one flaw exists in the Rewrite module,
|
|
mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0
|
|
since 2.0.46, and 2.2 since 2.2.0.</p>
|
|
<p>Depending on the manner in which Apache HTTP Server was
|
|
compiled, this software defect may result in a
|
|
vulnerability which, in combination with certain types of
|
|
Rewrite rules in the web server configuration files, could
|
|
be triggered remotely. For vulnerable builds, the nature
|
|
of the vulnerability can be denial of service (crashing of
|
|
web server processes) or potentially allow arbitrary code
|
|
execution. This issue has been rated as having important
|
|
security impact by the Apache HTTP Server Security Team.</p>
|
|
<p>This flaw does not affect a default installation of
|
|
Apache HTTP Server. Users who do not use, or have not
|
|
enabled, the Rewrite module mod_rewrite are not affected
|
|
by this issue. This issue only affects installations using
|
|
a Rewrite rule with the following characteristics:</p>
|
|
<ul>
|
|
<li>The RewriteRule allows the attacker to control the
|
|
initial part of the rewritten URL (for example if the
|
|
substitution URL starts with $1)</li>
|
|
<li>The RewriteRule flags do NOT include any of the
|
|
following flags: Forbidden (F), Gone (G), or NoEscape
|
|
(NE).</li>
|
|
</ul>
|
|
<p>Please note that ability to exploit this issue is
|
|
dependent on the stack layout for a particular compiled
|
|
version of mod_rewrite. If the compiler used to compile
|
|
Apache HTTP Server has added padding to the stack
|
|
immediately after the buffer being overwritten, it will
|
|
not be possible to exploit this issue, and Apache HTTP
|
|
Server will continue operating normally.</p>
|
|
<p>The Apache HTTP Server project thanks Mark Dowd of McAfee
|
|
Avert Labs for the responsible reporting of this
|
|
vulnerability.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>395412</certvu>
|
|
<cvename>CVE-2006-3747</cvename>
|
|
<mlist msgid="44CA22D9.6020200@apache.org">http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=115409818602955</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-07-27</discovery>
|
|
<entry>2006-07-28</entry>
|
|
<modified>2006-11-01</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e2a92664-1d60-11db-88cf-000c6ec775d9">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.5.0.5,1</lt></range>
|
|
<range><gt>2.*,1</gt><lt>2.0_1,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.5.0.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox-devel</name>
|
|
<range><lt>3.0.a2006.07.26</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>1.0.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<name>linux-thunderbird</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<range><lt>1.5.0.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports of multiple
|
|
issues. Several of which can be used to run arbitrary code
|
|
with the privilege of the user running the program.</p>
|
|
<blockquote cite="http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey1.0.3">
|
|
<ul>
|
|
<li>MFSA 2006-56 chrome: scheme loading remote content</li>
|
|
<li>MFSA 2006-55 Crashes with evidence of memory corruption
|
|
(rv:1.8.0.5)</li>
|
|
<li>MFSA 2006-54 XSS with
|
|
XPCNativeWrapper(window).Function(...)</li>
|
|
<li>MFSA 2006-53 UniversalBrowserRead privilege escalation</li>
|
|
<li>MFSA 2006-52 PAC privilege escalation using
|
|
Function.prototype.call</li>
|
|
<li>MFSA 2006-51 Privilege escalation using named-functions
|
|
and redefined "new Object()"</li>
|
|
<li>MFSA 2006-50 JavaScript engine vulnerabilities</li>
|
|
<li>MFSA 2006-49 Heap buffer overwrite on malformed VCard</li>
|
|
<li>MFSA 2006-48 JavaScript new Function race condition</li>
|
|
<li>MFSA 2006-47 Native DOM methods can be hijacked across
|
|
domains</li>
|
|
<li>MFSA 2006-46 Memory corruption with simultaneous events</li>
|
|
<li>MFSA 2006-45 Javascript navigator Object Vulnerability</li>
|
|
<li>MFSA 2006-44 Code execution through deleted frame
|
|
reference</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-3113</cvename>
|
|
<cvename>CVE-2006-3677</cvename>
|
|
<cvename>CVE-2006-3801</cvename>
|
|
<cvename>CVE-2006-3802</cvename>
|
|
<cvename>CVE-2006-3803</cvename>
|
|
<cvename>CVE-2006-3804</cvename>
|
|
<cvename>CVE-2006-3805</cvename>
|
|
<cvename>CVE-2006-3806</cvename>
|
|
<cvename>CVE-2006-3807</cvename>
|
|
<cvename>CVE-2006-3808</cvename>
|
|
<cvename>CVE-2006-3809</cvename>
|
|
<cvename>CVE-2006-3810</cvename>
|
|
<cvename>CVE-2006-3811</cvename>
|
|
<cvename>CVE-2006-3812</cvename>
|
|
<url>http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey1.0.3</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-44.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-45.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-46.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-47.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-48.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-49.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-50.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-51.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-52.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-53.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-54.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-55.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-56.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-07-25</discovery>
|
|
<entry>2006-07-27</entry>
|
|
<modified>2006-11-02</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5f2a0c40-1322-11db-bd23-000475abc56f">
|
|
<topic>zope -- information disclosure vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zope</name>
|
|
<range><ge>2.7.0</ge><lt>2.7.9</lt></range>
|
|
<range><ge>2.8.0</ge><lt>2.8.7</lt></range>
|
|
<range><ge>2.9.0</ge><lt>2.9.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Zope team reports:</p>
|
|
<blockquote cite="http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-2006-07-05/view">
|
|
<p>Unspecified vulnerability in (Zope2) allows local users
|
|
to obtain sensitive information via unknown attack vectors
|
|
related to the docutils module and "restructured text".</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-3458</cvename>
|
|
<url>http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-2006-07-05/view</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-07-05</discovery>
|
|
<entry>2006-07-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6da7344b-128a-11db-b25f-00e00c69a70d">
|
|
<topic>drupal -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>drupal</name>
|
|
<range><lt>4.6.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Drupal team reports:</p>
|
|
<blockquote cite="http://drupal.org/node/66767">
|
|
<p>Vulnerability: XSS Vulnerability in taxonomy module</p>
|
|
<p>It is possible for a malicious user to insert and execute
|
|
XSS into terms, due to lack of validation on output of the
|
|
page title. The fix wraps the display of terms in
|
|
check_plain().</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-2833</cvename>
|
|
<url>http://drupal.org/node/66767</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-18</discovery>
|
|
<entry>2006-07-13</entry>
|
|
<modified>2006-07-14</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="67dbe99f-0f09-11db-94f8-00e029485e38">
|
|
<topic>shoutcast -- cross-site scripting, information exposure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>shoutcast</name>
|
|
<name>linux-shoutcast</name>
|
|
<range><lt>1.9.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Goober's advisory reports reports that shoutcast is vulnerable to an
|
|
arbitrary file reading vulnerability:</p>
|
|
<blockquote cite="http://people.ksp.sk/~goober/advisory/001-shoutcast.html">
|
|
<p>Impact of the vulnerability depends on the way the product was installed.
|
|
In general, the vulnerability allows the attacker to read any file which
|
|
can be read by the Shoutcast server process.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-3007</cvename>
|
|
<url>http://secunia.com/advisories/20524/</url>
|
|
<url>http://people.ksp.sk/~goober/advisory/001-shoutcast.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-09</discovery>
|
|
<entry>2006-07-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b168ddea-105a-11db-ac96-000c6ec775d9">
|
|
<topic>samba -- memory exhaustion DoS in smbd</topic>
|
|
<affects>
|
|
<package>
|
|
<name>samba</name>
|
|
<name>ja-samba</name>
|
|
<range><ge>3.0.1,1</ge><lt>3.0.23,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Samba Team reports:</p>
|
|
<blockquote cite="http://www.samba.org/samba/security/CAN-2006-3403.html">
|
|
<p>The smbd daemon maintains internal data structures used
|
|
track active connections to file and printer shares. In
|
|
certain circumstances an attacker may be able to
|
|
continually increase the memory usage of an smbd process
|
|
by issuing a large number of share connection requests.
|
|
This defect affects all Samba configurations.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-3403</cvename>
|
|
<url>http://www.samba.org/samba/security/CAN-2006-3403.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-07-10</discovery>
|
|
<entry>2006-07-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a876df84-0fef-11db-ac96-000c6ec775d9">
|
|
<topic>twiki -- multiple file extensions file upload vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>twiki</name>
|
|
<range><lt>4.0.4,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A TWiki Security Alert reports:</p>
|
|
<blockquote cite="http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads">
|
|
<p>The TWiki upload filter already prevents executable
|
|
scripts such as .php, .php1, .phps, .pl from potentially
|
|
getting executed by appending a .txt suffix to the
|
|
uploaded filename. However, PHP and some other types
|
|
allows additional file suffixes, such as .php.en, .php.1,
|
|
and .php.2. TWiki does not check for these suffixes,
|
|
e.g. it is possible to upload php scripts with such
|
|
suffixes without the .txt filename padding.</p>
|
|
</blockquote>
|
|
<p>This issue can also be worked around with a restrictive web
|
|
server configuration. See the
|
|
<a href="http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads">TWiki
|
|
Security Alert</a> for more information about how to do
|
|
this.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>18854</bid>
|
|
<cvename>CVE-2006-3336</cvename>
|
|
<url>http://secunia.com/advisories/20992/</url>
|
|
<url>http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-07-05</discovery>
|
|
<entry>2006-07-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b0d61f73-0e11-11db-a47b-000c2957fdf1">
|
|
<topic>trac -- reStructuredText breach of privacy and denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>trac</name>
|
|
<name>ja-trac</name>
|
|
<range><lt>0.9.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Trac 0.9.6 Release Notes reports:</p>
|
|
<blockquote cite="http://lists.edgewall.com/archive/trac-announce/2006-July/000013.html">
|
|
<p>Fixed reStructuredText breach of privacy and denial of
|
|
service vulnerability found by Felix Wiemann.</p>
|
|
<p>The discovered vulnerability requires docutils to be
|
|
installed and enabled. Systems that do not have docutils
|
|
installed or enabled are not vulnerable. As of this
|
|
version version 0.3.9 or greater of docutils is required
|
|
for using reStructuredText markup in Trac.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://projects.edgewall.com/trac/wiki/ChangeLog</url>
|
|
<mlist>http://lists.edgewall.com/archive/trac-announce/2006-July/000013.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-07-06</discovery>
|
|
<entry>2006-07-07</entry>
|
|
<modified>2006-06-10</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e94cb43d-0c4a-11db-9016-0050bf27ba24">
|
|
<topic>horde -- various problems in dereferrer</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde</name>
|
|
<name>horde-php5</name>
|
|
<range><lt>3.1.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Horde 3.1.2 release announcement:</p>
|
|
<blockquote cite="http://lists.horde.org/archives/announce/2006/000288.html">
|
|
<p>Security Fixes:</p>
|
|
<ul>
|
|
<li>Closed XSS problems in dereferrer (IE only), help viewer
|
|
and problem reporting screen.</li>
|
|
<li>Removed unused image proxy code from dereferrer.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://lists.horde.org/archives/announce/2006/000288.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-28</discovery>
|
|
<entry>2006-07-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f70d09cb-0c46-11db-aac7-000c6ec775d9">
|
|
<topic>mambo -- SQL injection vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mambo</name>
|
|
<range><lt>4.5.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Team Mambo reports that two SQL injection
|
|
vulnerabilities have been found in Mambo. The
|
|
vulnerabilities exists due to missing sanitation of the
|
|
<code>title</code> and <code>catid</code> parameters in the
|
|
<code>weblinks.php</code> page and can lead to execution of
|
|
arbitrary SQL code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>16775</bid>
|
|
<cvename>CVE-2006-0871</cvename>
|
|
<cvename>CVE-2006-1794</cvename>
|
|
<cvename>CVE-2006-3262</cvename>
|
|
<cvename>CVE-2006-3263</cvename>
|
|
<mlist msgid="20060617123242.1684.qmail@securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=115056811230529</mlist>
|
|
<url>http://secunia.com/advisories/18935/</url>
|
|
<url>http://secunia.com/advisories/20745/</url>
|
|
<url>http://www.mamboserver.com/?option=com_content&task=view&id=207</url>
|
|
<url>http://www.gulftech.org/?node=research&article_id=00104-02242006</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-19</discovery>
|
|
<entry>2006-07-05</entry>
|
|
<modified>2006-10-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="229577a8-0936-11db-bf72-00046151137e">
|
|
<topic>phpmyadmin -- cross site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpmyadmin</name>
|
|
<range><lt>2.8.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>phpmyadmin Site reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-4">
|
|
<p>It was possible to craft a request that contains XSS by attacking the
|
|
"table" parameter.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-4</url>
|
|
<url>http://securitynews.ir/advisories/phpmyadmin281.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-30</discovery>
|
|
<entry>2006-07-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="227475c2-09cb-11db-9156-000e0c2e438a">
|
|
<topic>webmin, usermin -- arbitrary file disclosure vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>webmin</name>
|
|
<range><lt>1.290</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>usermin</name>
|
|
<range><lt>1.220</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The webmin development team reports:</p>
|
|
<blockquote cite="http://www.webmin.com/security.html">
|
|
<p>An attacker without a login to Webmin can read the
|
|
contents of any file on the server using a specially
|
|
crafted URL. All users should upgrade to version
|
|
1.290 as soon as possible, or setup IP access control
|
|
in Webmin.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>18744</bid>
|
|
<url>http://www.webmin.com/security.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-30</discovery>
|
|
<entry>2006-07-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d2a43243-087b-11db-bc36-0008743bf21a">
|
|
<topic>mutt -- Remote Buffer Overflow Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mutt</name>
|
|
<name>mutt-lite</name>
|
|
<range><le>1.4.2.1_2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mutt-devel</name>
|
|
<name>mutt-devel-lite</name>
|
|
<range><le>1.5.11_2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>ja-mutt</name>
|
|
<range><le>1.4.2.1.j1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>zh-mutt-devel</name>
|
|
<range><le>1.5.11_20040617</le></range>
|
|
</package>
|
|
<package>
|
|
<name>ja-mutt-devel</name>
|
|
<range><le>1.5.6.j1_2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mutt-ng</name>
|
|
<range><le>20060501</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>SecurityFocus reports:</p>
|
|
<blockquote cite="http://www.securityfocus.com/bid/18642">
|
|
<p>
|
|
Mutt is prone to a remote buffer-overflow vulnerability.
|
|
This issue is due to the application's failure to properly
|
|
bounds-check user-supplied input before copying it to an
|
|
insufficiently sized memory buffer.
|
|
|
|
This issue may allow remote attackers to execute arbitrary
|
|
machine code in the context of the affected application.
|
|
Failed exploit attempts will likely crash the application,
|
|
denying further service to legitimate users.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>18642</bid>
|
|
<url>http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commit;h=dc0272b749f0e2b102973b7ac43dbd3908507540</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-26</discovery>
|
|
<entry>2006-06-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1f935f61-075d-11db-822b-728b50d539a3">
|
|
<topic>Joomla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>joomla</name>
|
|
<range><lt>1.0.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Joomla Site reports:</p>
|
|
<blockquote cite="http://www.joomla.org/content/view/1510/74/">
|
|
<ul>
|
|
<li>Secured "Remember Me" functionality against SQL injection
|
|
attacks</li>
|
|
<li>Secured "Related Items" module against SQL injection
|
|
attacks</li>
|
|
<li>Secured "Weblinks" submission against SQL injection
|
|
attacks</li>
|
|
<li>Secured SEF from XSS vulnerability</li>
|
|
<li>Hardened frontend submission forms against spoofing</li>
|
|
<li>Secured mosmsg from misuse</li>
|
|
<li>Hardened mosgetparam by setting variable type to integer if
|
|
default value is detected as numeric</li>
|
|
<li>Secured com_messages from XSS vulnerability</li>
|
|
<li>Secured getUserStateFromRequest() from XSS vulnerability</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/20746/</url>
|
|
<url>http://www.joomla.org/content/view/1510/74/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-26</discovery>
|
|
<entry>2006-06-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2be7c122-0614-11db-9156-000e0c2e438a">
|
|
<topic>hashcash -- heap overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>hashcash</name>
|
|
<range><lt>1.22</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Andreas Seltenreich reports that hashcash is prone to a heap
|
|
overflow vulnerability. This vulnerability is caused by
|
|
improper checking of memory allocations within the
|
|
"array_push()" function. An attacker could trigger this
|
|
vulnerability by passing a lot of "-r" or "-j" flags from
|
|
the command line, this only applies when the application is
|
|
configured to allow command line options, or by passing a lot
|
|
of resource names when the application was started with the
|
|
"-m" flag set. This could lead to a Denial or Service or
|
|
could allow remote access to the targeted system.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/20800/</url>
|
|
<url>http://www.hashcash.org/source/CHANGELOG</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-27</discovery>
|
|
<entry>2006-06-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f900bda8-0472-11db-bbf7-000c6ec775d9">
|
|
<topic>gnupg -- user id integer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnupg</name>
|
|
<range><lt>1.4.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>If GnuPG processes a userid with a very long packet length,
|
|
GnuPG can crash due to insufficient bounds check. This can
|
|
result in a denial-of-service condition or potentially
|
|
execution of arbitrary code with the privileges of the user
|
|
running GnuPG.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>18554</bid>
|
|
<cvename>CVE-2006-3082</cvename>
|
|
<mlist msgid="87psgxic5e.fsf@wheatstone.g10code.de">http://marc.theaimsgroup.com/?l=gnupg-users&m=115124706210430</mlist>
|
|
<mlist msgid="20060531115548.A2E4923E4B6@dzeta.agava.net">http://marc.theaimsgroup.com/?l=full-disclosure&m=114907659313360</mlist>
|
|
<url>http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/g10/parse-packet.c?rev=4157&r1=4141&r2=4157</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-31</discovery>
|
|
<entry>2006-06-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0a4cd819-0291-11db-bbf7-000c6ec775d9">
|
|
<cancelled/>
|
|
</vuln>
|
|
|
|
<vuln vid="09429f7c-fd6e-11da-b1cd-0050bf27ba24">
|
|
<topic>horde -- multiple parameter cross site scripting vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde</name>
|
|
<name>horde-php5</name>
|
|
<range><le>3.1.1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>FrSIRT advisory ADV-2006-2356 reports:</p>
|
|
<blockquote cite="http://www.frsirt.com/english/advisories/2006/2356">
|
|
<p>Multiple vulnerabilities have been identified in Horde
|
|
Application Framework, which may be exploited by attackers
|
|
to execute arbitrary scripting code. These flaws are due
|
|
to input validation errors in the "test.php" and
|
|
"templates/problem/problem.inc" scripts that do not
|
|
validate the "url", "name", "email", "subject" and
|
|
"message" parameters, which could be exploited by
|
|
attackers to cause arbitrary scripting code to be executed
|
|
by the user's browser in the security context of an
|
|
affected Web site.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-2195</cvename>
|
|
<url>http://www.frsirt.com/english/advisories/2006/2356</url>
|
|
<url>http://cvs.horde.org/diff.php?f=horde%2Ftest.php&r1=1.145&r2=1.146</url>
|
|
<url>http://cvs.horde.org/diff.php?f=horde%2Ftemplates%2Fproblem%2Fproblem.inc&r1=2.25&r2=2.26</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-10</discovery>
|
|
<entry>2006-06-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="09c92f3a-fd49-11da-995c-605724cdf281">
|
|
<topic>webcalendar -- information disclosure vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>WebCalendar</name>
|
|
<range><lt>1.0.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/20367/">
|
|
<p>socsam has discovered a vulnerability in WebCalendar,
|
|
which can be exploited by malicious people to bypass
|
|
certain security restrictions and disclose sensitive
|
|
information.</p>
|
|
<p>Input passed to the "includedir" parameter isn't properly
|
|
verified, before it is used in an "fopen()" call. This can
|
|
be exploited to load an arbitrary setting file from an
|
|
external web site.</p>
|
|
<p>This can further be exploited to disclose the content of
|
|
arbitrary files by defining the "user_inc" variable in a
|
|
malicious setting file.</p>
|
|
<p>Successful exploitation requires that "register_globals"
|
|
is enabled.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>18175</bid>
|
|
<cvename>CVE-2006-2762</cvename>
|
|
<url>http://www.securityfocus.com/archive/1/435379</url>
|
|
<url>http://www.securityfocus.com/archive/1/436263</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-30</discovery>
|
|
<entry>2006-06-16</entry>
|
|
<modified>2006-06-17</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c611be81-fbc2-11da-9156-000e0c2e438a">
|
|
<topic>sendmail -- Incorrect multipart message handling</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>4.11</ge><lt>4.11_19</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_31</lt></range>
|
|
<range><ge>5.4</ge><lt>5.4_16</lt></range>
|
|
<range><ge>5.5</ge><lt>5.5_2</lt></range>
|
|
<range><ge>6.0</ge><lt>6.0_9</lt></range>
|
|
<range><ge>6.1</ge><lt>6.1_2</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>A suitably malformed multipart MIME message can cause
|
|
sendmail to exceed predefined limits on its stack usage.</p>
|
|
<h1>Impact</h1>
|
|
<p>An attacker able to send mail to, or via, a server can cause
|
|
queued messages on the system to not be delivered, by causing
|
|
the sendmail process which handles queued messages to crash.
|
|
Note that this will not stop new messages from entering the
|
|
queue (either from local processes, or incoming via SMTP).</p>
|
|
<h1>Workaround</h1>
|
|
<p>No workaround is available, but systems which do not receive
|
|
email from untrusted sources are not vulnerable.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1173</cvename>
|
|
<freebsdsa>SA-06:17.sendmail</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-14</discovery>
|
|
<entry>2006-06-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="23573650-f99a-11da-994e-00142a5f241c">
|
|
<topic>dokuwiki -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>dokuwiki</name>
|
|
<range><lt>20060309_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Multiple vulnerabilities have been reported within dokuwiki.
|
|
dokuwiki is proven vulnerable to:</p>
|
|
<ul>
|
|
<li>arbitrary PHP code insertion via spellcheck module,</li>
|
|
<li>XSS attack via "Update your account profile,"</li>
|
|
<li>bypassing of ACL controls when enabled.</li>
|
|
</ul>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://bugs.splitbrain.org/index.php?do=details&id=820</url>
|
|
<url>http://bugs.splitbrain.org/index.php?do=details&id=823</url>
|
|
<url>http://bugs.splitbrain.org/index.php?do=details&id=825</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-31</discovery>
|
|
<entry>2006-06-11</entry>
|
|
<modified>2006-06-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="107e2ee5-f941-11da-b1fa-020039488e34">
|
|
<topic>libxine -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libxine</name>
|
|
<range><lt>1.1.1_6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/20369">
|
|
<p>Federico L. Bossi Bonin has discovered a weakness in xine-lib,
|
|
which can be exploited by malicious people to crash certain
|
|
applications on a user's system.</p>
|
|
<p>The weakness is cause due to a heap corruption within the
|
|
"xineplug_inp_http.so" plugin when handling an overly large
|
|
reply from the HTTP server. This can be exploited to crash
|
|
an application that uses the plugin (e.g. gxine).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/20369</url>
|
|
<cvename>CVE-2006-2802</cvename>
|
|
<bid>18187</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-31</discovery>
|
|
<entry>2006-06-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cf3b9a96-f7bb-11da-9156-000e0c2e438a">
|
|
<topic>smbfs -- chroot escape</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>4.10</ge><lt>4.10_24</lt></range>
|
|
<range><ge>4.11</ge><lt>4.11_18</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_30</lt></range>
|
|
<range><ge>5.4</ge><lt>5.4_15</lt></range>
|
|
<range><ge>5.5</ge><lt>5.5_1</lt></range>
|
|
<range><ge>6.0</ge><lt>6.0_8</lt></range>
|
|
<range><ge>6.1</ge><lt>6.1_1</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>smbfs does not properly sanitize paths containing a backslash
|
|
character; in particular the directory name '..\' is
|
|
interpreted as the parent directory by the SMB/CIFS server,
|
|
but smbfs handles it in the same manner as any other
|
|
directory.</p>
|
|
<h1>Impact</h1>
|
|
<p>When inside a chroot environment which resides on a smbfs
|
|
mounted file-system it is possible for an attacker to escape
|
|
out of this chroot to any other directory on the smbfs
|
|
mounted file-system.</p>
|
|
<h1>Workaround</h1>
|
|
<p>Mount the smbfs file-systems which need to be used with
|
|
chroot on top, in a way so the chroot directory is exactly on
|
|
the mount point and not a sub directory</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-2654</cvename>
|
|
<freebsdsa>SA-06:16.smbfs</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-31</discovery>
|
|
<entry>2006-06-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0ac1aace-f7b9-11da-9156-000e0c2e438a">
|
|
<topic>ypserv -- Inoperative access controls in ypserv</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.3</ge><lt>5.3_30</lt></range>
|
|
<range><ge>5.4</ge><lt>5.4_15</lt></range>
|
|
<range><ge>5.5</ge><lt>5.5_1</lt></range>
|
|
<range><ge>6.0</ge><lt>6.0_8</lt></range>
|
|
<range><ge>6.1</ge><lt>6.1_1</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>There are two documented methods of restricting access to
|
|
NIS maps through ypserv(8): through the use of the
|
|
/var/yp/securenets file, and through the /etc/hosts.allow file.
|
|
While both mechanisms are implemented in the server, a change
|
|
in the build process caused the "securenets" access restrictions
|
|
to be inadvertantly disabled.</p>
|
|
<h1>Impact</h1>
|
|
<p>ypserv(8) will not load or process any of the networks or
|
|
hosts specified in the /var/yp/securenets file, rendering
|
|
those access controls ineffective.</p>
|
|
<h1>Workaround</h1>
|
|
<p>One possible workaround is to use /etc/hosts.allow for access
|
|
control, as shown by examples in that file.</p>
|
|
<p>Another workaround is to use a firewall (e.g., ipfw(4),
|
|
ipf(4), or pf(4)) to limit access to RPC functions from
|
|
untrusted systems or networks, but due to the complexities of
|
|
RPC, it might be difficult to create a set of firewall rules
|
|
which accomplish this without blocking all access to the
|
|
machine in question.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-2655</cvename>
|
|
<freebsdsa>SA-06:15.ypserv</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-31</discovery>
|
|
<entry>2006-06-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ec2f2ff5-f710-11da-9156-000e0c2e438a">
|
|
<topic>freeradius -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>freeradius</name>
|
|
<range><ge>1.0.0</ge><le>1.0.4</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The freeradious development team reports:</p>
|
|
<blockquote cite="http://www.freeradius.org/security.html">
|
|
<p>Multiple issues exist with version 1.0.4, and all prior
|
|
versions of the server. Externally exploitable
|
|
vulnerabilities exist only for sites that use the
|
|
rlm_sqlcounter module. Those sites may be vulnerable to
|
|
SQL injection attacks, similar to the issues noted below.
|
|
All sites that have not deployed the rlm_sqlcounter module
|
|
are not vulnerable to external exploits.</p>
|
|
<p>The issues are:<br/>
|
|
SQL Injection attack in the rlm_sqlcounter module.<br/>
|
|
Buffer overflow in the rlm_sqlcounter module, that may cause
|
|
a server crash. <br/>
|
|
Buffer overflow while expanding %t, that may cause a server
|
|
crash.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>17171</bid>
|
|
<cvename>CVE-2005-4744</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-09-09</discovery>
|
|
<entry>2006-06-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1a216dfd-f710-11da-9156-000e0c2e438a">
|
|
<topic>freeradius -- authentication bypass vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>freeradius</name>
|
|
<range><gt>1.0.0</gt><le>1.1.0</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The freeradius development team reports:</p>
|
|
<blockquote cite="http://www.freeradius.org/security.html">
|
|
<p>A validation issue exists with the EAP-MSCHAPv2 module
|
|
in all versions from 1.0.0 (where the module first
|
|
appeared) to 1.1.0. Insufficient input validation was being
|
|
done in the EAP-MSCHAPv2 state machine. A malicious
|
|
attacker could manipulate their EAP-MSCHAPv2 client state
|
|
machine to potentially convince the server to bypass
|
|
authentication checks. This bypassing could also result
|
|
in the server crashing</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>17293</bid>
|
|
<cvename>CVE-2006-1354</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-03</discovery>
|
|
<entry>2006-06-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="00784d6e-f4ce-11da-87a1-000c6ec775d9">
|
|
<topic>squirrelmail -- plugin.php local file inclusion vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squirrelmail</name>
|
|
<range><lt>1.4.6_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The SquirrelMail Project Team reports:</p>
|
|
<blockquote cite="http://www.squirrelmail.org/security/issue/2006-06-01">
|
|
<p>A security issue has been uncovered in
|
|
functions/plugin.php that could allow a remote user to
|
|
access local files on the server without requiring
|
|
login. This issue manifests itself if register_globals is
|
|
enabled, and magic_quotes_gpc is disabled.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.squirrelmail.org/security/issue/2006-06-01</url>
|
|
<url>http://secunia.com/advisories/20406/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-01</discovery>
|
|
<entry>2006-06-05</entry>
|
|
<modified>2006-06-06</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="af8dba15-f4cc-11da-87a1-000c6ec775d9">
|
|
<topic>dokuwiki -- spellchecker remote PHP code execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>dokuwiki</name>
|
|
<range><lt>20060309_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefan Esser reports:</p>
|
|
<blockquote cite="http://www.hardened-php.net/advisory_042006.119.html">
|
|
<p>During the evaluation of DokuWiki for a german/korean
|
|
wiki of mine a flaw in DokuWiki's spellchecker was
|
|
discovered, that allows injecting arbitrary PHP commands,
|
|
by requesting a spellcheck on PHP commands in 'complex
|
|
curly syntax'.</p>
|
|
<p>Because the spellchecker is written as part of the AJAX
|
|
functionality of DokuWiki, it can be directly called by
|
|
any website visitor, without the need for a wiki
|
|
account.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.hardened-php.net/advisory_042006.119.html</url>
|
|
<url>http://bugs.splitbrain.org/index.php?do=details&id=823</url>
|
|
<url>http://secunia.com/advisories/20429/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-06-05</discovery>
|
|
<entry>2006-06-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="40a0185f-ec32-11da-be02-000c6ec775d9">
|
|
<topic>drupal -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>drupal</name>
|
|
<range><lt>4.6.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Drupal team reports:</p>
|
|
<blockquote cite="http://drupal.org/node/65357">
|
|
<p>Vulnerability: SQL injection</p>
|
|
<p>A security vulnerability in the database layer allowed
|
|
certain queries to be submitted to the database without
|
|
going through Drupal's query sanitizer.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://drupal.org/node/65409">
|
|
<p>Vulnerability: Execution of arbitrary files</p>
|
|
<p>Certain -- alas, typical -- configurations of Apache
|
|
allows execution of carefully named arbitrary scripts in
|
|
the files directory. Drupal now will attempt to
|
|
automatically create a .htaccess file in your "files"
|
|
directory to protect you.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-2742</cvename>
|
|
<cvename>CVE-2006-2743</cvename>
|
|
<url>http://drupal.org/node/65357</url>
|
|
<url>http://drupal.org/node/65409</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-18</discovery>
|
|
<entry>2006-06-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7f8cecea-f199-11da-8422-00123ffe8333">
|
|
<topic>MySQL -- SQL-injection security vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><ge>5.1</ge><le>5.1.9</le></range>
|
|
<range><ge>5.0</ge><lt>5.0.22</lt></range>
|
|
<range><ge>4.1</ge><lt>4.1.20</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>MySQL reports:</p>
|
|
<blockquote cite="http://lists.mysql.com/announce/364">
|
|
<p>An SQL-injection security hole has been found in multibyte
|
|
encoding processing. An SQL-injection security hole can include a
|
|
situation whereby when inserting user supplied data into a
|
|
database, the user might inject his own SQL statements that the
|
|
server will execute. With regards to this vulnerability discovered,
|
|
when character set unaware escaping is used (e.g., addslashes() in
|
|
PHP), it is possible to bypass it in some multibyte character sets
|
|
(e.g., SJIS, BIG5 and GBK). As a result, a function like
|
|
addslashes() is not able to prevent SQL injection attacks. It is
|
|
impossible to fix this on the server side. The best solution is for
|
|
applications to use character set aware escaping offered in a
|
|
function like mysql_real_escape().</p>
|
|
<p>Workarounds:</p>
|
|
<p>One can use NO_BACKSLASH_ESCAPES mode as a workaround for a bug
|
|
in mysql_real_escape_string(), if you cannot upgrade your server
|
|
for some reason. It will enable SQL standard compatibility mode,
|
|
where backslash is not considered a special character.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://lists.mysql.com/announce/364</url>
|
|
<url>http://lists.mysql.com/announce/365</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-31</discovery>
|
|
<entry>2006-06-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4913886c-e875-11da-b9f4-00123ffe8333">
|
|
<topic>MySQL -- Information Disclosure and Buffer Overflow Vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><gt>4.0</gt><lt>4.0.27</lt></range>
|
|
<range><gt>4.1</gt><lt>4.1.19</lt></range>
|
|
<range><gt>5.1</gt><le>5.1.9</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19929/">
|
|
<p>MySQL have some vulnerabilities, which can be exploited by
|
|
malicious users to disclose potentially sensitive information
|
|
and compromise a vulnerable system.</p>
|
|
<p>1) An error within the code that generates an error response
|
|
to an invalid COM_TABLE_DUMP packet can be exploited by an
|
|
authenticated client to disclosure certain memory content of the
|
|
server process.</p>
|
|
<p>2) A boundary error within the handling of specially crafted
|
|
invalid COM_TABLE_DUMP packets can be exploited by an authenticated
|
|
client to cause a buffer overflow and allows arbitrary code
|
|
execution.</p>
|
|
<p>3) An error within the handling of malformed login packets can be
|
|
exploited to disclosure certain memory content of the server
|
|
process in the error messages.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1516</cvename>
|
|
<cvename>CVE-2006-1517</cvename>
|
|
<cvename>CVE-2006-1518</cvename>
|
|
<certvu>602457</certvu>
|
|
<url>http://www.wisec.it/vulns.php?page=7</url>
|
|
<url>http://www.wisec.it/vulns.php?page=8</url>
|
|
<url>http://dev.mysql.com/doc/refman/4.1/en/news-4-0-27.html</url>
|
|
<url>http://dev.mysql.com/doc/refman/4.1/en/news-4-1-19.html</url>
|
|
<url>http://dev.mysql.com/doc/refman/5.1/en/news-5-1-10.html</url>
|
|
<url>http://secunia.com/advisories/19929/</url>
|
|
<url>http://www.vuxml.org/freebsd/a8d8713e-dc83-11da-a22b-000c6ec775d9.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-02</discovery>
|
|
<entry>2006-06-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c0171f59-ea8a-11da-be02-000c6ec775d9">
|
|
<topic>frontpage -- cross site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>frontpage</name>
|
|
<name>mod_frontpage13</name>
|
|
<name>mod_frontpage20</name>
|
|
<name>mod_frontpage21</name>
|
|
<name>mod_frontpage22</name>
|
|
<range><lt>5.0.2.4803</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Esteban Martinez Fayo reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=114487846329000">
|
|
<p>The FrontPage Server Extensions 2002 (included in Windows
|
|
Sever 2003 IIS 6.0 and available as a separate download
|
|
for Windows 2000 and XP) has a web page
|
|
/_vti_bin/_vti_adm/fpadmdll.dll that is used for
|
|
administrative purposes. This web page is vulnerable to
|
|
cross site scripting attacks allowing an attacker to run
|
|
client-side script on behalf of an FPSE user. If the
|
|
victim is an administrator, the attacker could take
|
|
complete control of a Front Page Server Extensions 2002
|
|
server.</p>
|
|
<p>To exploit the vulnerability an attacker can send a
|
|
specially crafted e-mail message to a FPSE user and then
|
|
persuade the user to click a link in the e-mail
|
|
message.</p>
|
|
<p>In addition, this vulnerability can be exploited if an
|
|
attacker hosts a malicious website and persuade the user
|
|
to visit it.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0015</cvename>
|
|
<mlist msgid="0e3f01c65e78$93c00800$de00a8c0@rigel">http://marc.theaimsgroup.com/?l=bugtraq&m=114487846329000</mlist>
|
|
<url>http://www.microsoft.com/technet/security/bulletin/MS06-017.mspx</url>
|
|
<url>http://www.rtr.com/fpsupport/fpse_release_may_2_2006.htm</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-12</discovery>
|
|
<entry>2006-05-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="72d8df84-ea6d-11da-8a53-00123ffe8333">
|
|
<topic>cscope -- buffer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cscope</name>
|
|
<range><lt>15.5_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jason Duell reports:</p>
|
|
<blockquote cite="http://sourceforge.net/tracker/index.php?func=detail&aid=1064875&group_id=4664&atid=104664">
|
|
<p>Cscope contains an alarming number of buffer overflow
|
|
vulnerabilities. By a rough count, there are at least 48 places
|
|
where we blindly sprintf() a file name into a fixed-length buffer
|
|
of size PATHLEN without checking to see if the file's name
|
|
is <= PATHLEN. We do similar things with environment variable
|
|
values.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-2541</cvename>
|
|
<url>http://sourceforge.net/tracker/index.php?func=detail&aid=1064875&group_id=4664&atid=104664</url>
|
|
<url>http://secunia.com/advisories/13237</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-11</discovery>
|
|
<entry>2006-05-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0b628470-e9a6-11da-b9f4-00123ffe8333">
|
|
<topic>coppermine -- Multiple File Extensions Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>coppermine</name>
|
|
<range><lt>1.4.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/20211/">
|
|
<p>Coppermine Photo Gallery have a vulnerability, which can be
|
|
exploited by malicious users to compromise a vulnerable system.</p>
|
|
<p>The vulnerability is caused due to an error in the handling of
|
|
file uploads where a filename has multiple file extensions. This
|
|
can be exploited to upload malicious script files inside the web
|
|
root (e.g. a PHP script).</p>
|
|
<p>Successful exploitation may allow execution of script code
|
|
depending on the HTTP server configuration (it requires e.g. an
|
|
Apache server with the "mod_mime" module installed).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://sourceforge.net/project/shownotes.php?group_id=89658&release_id=418266</url>
|
|
<url>http://secunia.com/advisories/20211/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-22</discovery>
|
|
<entry>2006-05-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6738977b-e9a5-11da-b9f4-00123ffe8333">
|
|
<topic>coppermine -- "file" Local File Inclusion Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>coppermine</name>
|
|
<range><lt>1.4.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19665/">
|
|
<p>Coppermine Photo Gallery have a vulnerability, which can be
|
|
exploited by malicious people to disclose sensitive
|
|
information.</p>
|
|
<p>Input passed to the "file" parameter in "index.php" isn't properly
|
|
verified, before it is used to include files. This can be exploited
|
|
to include arbitrary files from local resources.</p>
|
|
<p>Example:
|
|
http://[host]/index.php?file=.//././/././/././/./[file]%00</p>
|
|
<p>Successful exploitation requires that "magic_quotes_gpc" is
|
|
disabled.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1909</cvename>
|
|
<url>http://coppermine-gallery.net/forum/index.php?topic=30655.0</url>
|
|
<url>http://myimei.com/security/2006-04-14/copperminephotogallery144-plugininclusionsystemindexphp-remotefileinclusion-attack.html</url>
|
|
<url>http://secunia.com/advisories/19665/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-19</discovery>
|
|
<entry>2006-05-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="77cceaef-e9a4-11da-b9f4-00123ffe8333">
|
|
<topic>coppermine -- File Inclusion Vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>coppermine</name>
|
|
<range><lt>1.4.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/18941/">
|
|
<p>Coppermine Photo Gallery have a vulnerability, which can be
|
|
exploited by malicious people and by malicious users to compromise
|
|
a vulnerable system.</p>
|
|
<p>1) Input passed to the "lang" parameter in include/init.inc.php
|
|
isn't properly verified, before it is used to include files. This
|
|
can be exploited to include arbitrary files from local resources.
|
|
The vulnerability can be further exploited by users who are allowed
|
|
to upload image files to execute arbitrary PHP code.</p>
|
|
<p>2) Input passed to the "f" parameter in docs/showdoc.php isn't
|
|
properly verified, before it is used to include files. This can be
|
|
exploited to include arbitrary files from local resources on the
|
|
Windows platform, and remote files from Windows shared folders.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0872</cvename>
|
|
<cvename>CVE-2006-0873</cvename>
|
|
<url>http://retrogod.altervista.org/cpg_143_adv.html</url>
|
|
<url>http://secunia.com/advisories/18941/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-20</discovery>
|
|
<entry>2006-05-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2ecd02e2-e864-11da-b9f4-00123ffe8333">
|
|
<topic>phpmyadmin -- XSRF vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>2.8.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>phpMyAdmin security team reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-3">
|
|
<p>It was possible to inject arbitrary SQL commands by forcing an
|
|
authenticated user to follow a crafted link.</p>
|
|
<p>Such issue is quite common in many PHP applications and users
|
|
should take care what links they follow. We consider these
|
|
vulnerabilities to be quite dangerous.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1804</cvename>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-3</url>
|
|
<url>http://secunia.com/advisories/19659</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-20</discovery>
|
|
<entry>2006-05-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4645b98c-e46e-11da-9ae7-00123fcc6e5c">
|
|
<topic>vnc - authentication bypass vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>vnc</name>
|
|
<range><eq>4.1.1</eq></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>RealVNC is susceptible to an authentication-bypass vulnerability.
|
|
A malicious VNC client can cause a VNC server to allow it to connect
|
|
without any authentication regardless of the authentication settings
|
|
configured in the server. Exploiting this issue allows attackers to
|
|
gain unauthenticated, remote access to the VNC servers.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>17978</bid>
|
|
<mlist>http://www.securityfocus.com/archive/1/433994/30/0/threaded</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-15</discovery>
|
|
<entry>2006-05-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6d78202e-e2f9-11da-8674-00123ffe8333">
|
|
<topic>phpldapadmin -- Cross-Site Scripting and Script Insertion vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpldapadmin098</name>
|
|
<range><lt>0.9.8.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19747/">
|
|
<p>phpLDAPadmin have some vulnerabilities, which can be exploited by
|
|
malicious users to conduct script insertion attacks and by
|
|
malicious people to conduct cross-site scripting attacks.</p>
|
|
<p>1) Some input isn't properly sanitised before being returned to
|
|
the user. This can be exploited to execute arbitrary HTML and
|
|
script code in a user's browser session in context of an affected
|
|
site.</p>
|
|
<p>2) Input passed to the "Container DN", "Machine Name", and "UID
|
|
Number" parameters in "template_engine.php" isn't properly
|
|
sanitised before being used. This can be exploited to inject
|
|
arbitrary HTML and script code, which will be executed in a user's
|
|
browser session in context of an affected site when the malicious
|
|
user data is viewed.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-2016</cvename>
|
|
<url>http://pridels.blogspot.com/2006/04/phpldapadmin-multiple-vuln.html</url>
|
|
<url>http://www.frsirt.com/english/advisories/2006/1450</url>
|
|
<url>http://secunia.com/advisories/19747/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-21</discovery>
|
|
<entry>2006-05-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a86f30e7-dce7-11da-bf3f-02e081235dab">
|
|
<topic>fswiki -- XSS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fswiki</name>
|
|
<range><lt>3.5.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>JVN reports:</p>
|
|
<blockquote cite="http://jvn.jp/jp/JVN%2335274905/">
|
|
<p>FreeStyleWiki has XSS vulnerability.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://jvn.jp/jp/JVN%2335274905/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-18</discovery>
|
|
<entry>2006-05-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a8d8713e-dc83-11da-a22b-000c6ec775d9">
|
|
<topic>mysql50-server -- COM_TABLE_DUMP arbitrary code execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><gt>5.0</gt><lt>5.0.21</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefano Di Paola reports:</p>
|
|
<blockquote cite="http://www.wisec.it/vulns.php?page=8">
|
|
<p>An authenticated user could remotely execute arbitrary
|
|
commands by taking advantage of a stack overflow.</p>
|
|
<p>To take advantage of these flaws an attacker should have
|
|
direct access to MySQL server communication layer (port
|
|
3306 or unix socket). But if used in conjuction with some
|
|
web application flaws (i.e. php code injection) an
|
|
attacker could use socket programming (i.e. php sockets)
|
|
to gain access to that layer.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1518</cvename>
|
|
<url>http://www.wisec.it/vulns.php?page=8</url>
|
|
<mlist msgid="1146577257.5679.217.camel@first">http://marc.theaimsgroup.com/?l=bugtraq&m=114659633220473</mlist>
|
|
<url>http://dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-02</discovery>
|
|
<entry>2006-05-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2df297a2-dc74-11da-a22b-000c6ec775d9">
|
|
<topic>awstats -- arbitrary command execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>awstats</name>
|
|
<range><lt>6.5_2,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>OS Reviews reports:</p>
|
|
<blockquote cite="http://www.osreviews.net/reviews/comm/awstats">
|
|
<p>If the update of the stats via web front-end is allowed,
|
|
a remote attacker can execute arbitrary code on the server
|
|
using a specially crafted request involving the migrate
|
|
parameter. Input starting with a pipe character ("|")
|
|
leads to an insecure call to Perl's open function and the
|
|
rest of the input being executed in a shell. The code is
|
|
run in the context of the process running the AWStats
|
|
CGI.</p>
|
|
<p>Arbitrary code can be executed by uploading a specially
|
|
crafted configuration file if an attacker can put a file
|
|
on the server with chosen file name and content (e.g. by
|
|
using an FTP account on a shared hosting server). In this
|
|
configuration file, the LogFile directive can be used to
|
|
execute shell code following a pipe character. As above,
|
|
an open call on unsanitized input is the source of this
|
|
vulnerability.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://awstats.sourceforge.net/awstats_security_news.php</url>
|
|
<url>http://secunia.com/advisories/19969/</url>
|
|
<url>http://www.osreviews.net/reviews/comm/awstats</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-03</discovery>
|
|
<entry>2006-05-05</entry>
|
|
<modified>2006-11-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d9dc2697-dadf-11da-912f-00123ffe8333">
|
|
<topic>phpwebftp -- "language" Local File Inclusion</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpwebftp</name>
|
|
<range><lt>3.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19706/">
|
|
<p>phpWebFTP have a vulnerability, which can be exploited by
|
|
malicious people to disclose sensitive information.</p>
|
|
<p>Input passed to to the "language" parameter in index.php isn't
|
|
properly verified, before it is used to include files. This can be
|
|
exploited to include arbitrary files from local resources.</p>
|
|
<p>Successful exploitation requires that "magic_quotes_gpc" is
|
|
disabled.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1812</cvename>
|
|
<cvename>CVE-2006-1813</cvename>
|
|
<url>https://sourceforge.net/forum/forum.php?forum_id=566199</url>
|
|
<url>http://secunia.com/advisories/19706/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-18</discovery>
|
|
<entry>2006-05-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e2476979-da74-11da-a67b-0013d4a4a40e">
|
|
<topic>firefox -- denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>1.5.*,1</gt><lt>1.5.0.3,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.5.0.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports for
|
|
deleted object reference when designMode="on"</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/2006/mfsa2006-30.html">
|
|
<p>Martijn Wargers and Nick Mott each described crashes that
|
|
were discovered to ultimately stem from the same root cause:
|
|
attempting to use a deleted controller context when designMode
|
|
was turned on. This generally results in crashing the browser,
|
|
but in theory references to deleted objects can be abused to
|
|
run malicious code.</p>
|
|
<p>"splices" reported the same crash at the fan site MozillaZine and
|
|
on Bugtraq, incorrectly describing it as a buffer overflow.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1993</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-30.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-02</discovery>
|
|
<entry>2006-05-03</entry>
|
|
<modified>2006-05-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="400d9d22-d6c5-11da-a14b-00123ffe8333">
|
|
<topic>trac -- Wiki Macro Script Insertion Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>trac</name>
|
|
<name>ja-trac</name>
|
|
<range><lt>0.9.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19870/">
|
|
<p>A vulnerability has been reported, which can be exploited by
|
|
malicious people to conduct script insertion attacks.</p>
|
|
<p>Input passed using the wiki macro isn't properly sanitised before
|
|
being used. This can be exploited to inject arbitrary HTML and
|
|
script code, which will be executed in a user's browser session in
|
|
context of an affected site when the malicious user data is
|
|
viewed.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://projects.edgewall.com/trac/wiki/ChangeLog</url>
|
|
<url>http://jvn.jp/jp/JVN%2384091359/index.html</url>
|
|
<url>http://secunia.com/advisories/19870/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-28</discovery>
|
|
<entry>2006-05-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="af2a60ed-da3e-11da-93e0-00123ffe8333">
|
|
<cancelled/>
|
|
</vuln>
|
|
|
|
<vuln vid="b088bf48-da3b-11da-93e0-00123ffe8333">
|
|
<topic>clamav -- Freshclam HTTP Header Buffer Overflow Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>clamav</name>
|
|
<range><ge>0.80</ge><lt>0.88.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>clamav-devel</name>
|
|
<range><ge>20040826</ge><lt>20060502</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19880/">
|
|
<p>A vulnerability has been reported in ClamAV, which can be
|
|
exploited by malicious people to cause a DoS (Denial of Service)
|
|
and potentially to compromise a vulnerable system.</p>
|
|
<p>The vulnerability is caused due to a boundary error within the
|
|
HTTP client in the Freshclam command line utility. This can be
|
|
exploited to cause a stack-based buffer overflow when the HTTP
|
|
headers received from a web server exceeds 8KB.</p>
|
|
<p>Successful exploitation requires that Freshclam is used to
|
|
download virus signature updates from a malicious mirror web
|
|
server e.g. via DNS poisoning.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1989</cvename>
|
|
<url>http://www.clamav.net/security/0.88.2.html</url>
|
|
<url>http://secunia.com/advisories/19880/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-05-01</discovery>
|
|
<entry>2006-05-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f4af098d-d921-11da-ad4a-00123ffe8333">
|
|
<topic>jabberd -- SASL Negotiation Denial of Service Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>jabberd</name>
|
|
<range><lt>2.0.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19281/">
|
|
<p>A vulnerability has been reported in jabberd, which can be
|
|
exploited by malicious people to cause a DoS (Denial of
|
|
Service).</p>
|
|
<p>The vulnerability is caused due to an error within the handling
|
|
of SASL negotiation. This can be exploited to cause a crash by
|
|
sending a "response" stanza before an "auth" stanza.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1329</cvename>
|
|
<url>http://article.gmane.org/gmane.network.jabber.admin/27372</url>
|
|
<url>http://jabberstudio.org/projects/jabberd2/releases/view.php?id=826</url>
|
|
<url>http://secunia.com/advisories/19281/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-20</discovery>
|
|
<entry>2006-05-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="79c1154d-d5a5-11da-8098-00123ffe8333">
|
|
<topic>cacti -- ADOdb "server.php" Insecure Test Script Security Issue</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cacti</name>
|
|
<range><lt>0.8.6h</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/18276/">
|
|
<p>Cacti have a security issue, which can be exploited by malicious
|
|
people to execute arbitrary SQL code and potentially compromise a
|
|
vulnerable system.</p>
|
|
<p>The problem is caused due to the presence of the insecure
|
|
"server.php" test script.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/18276/</url>
|
|
<url>http://secunia.com/advisories/17418/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-01-09</discovery>
|
|
<entry>2006-04-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="dc930435-d59f-11da-8098-00123ffe8333">
|
|
<topic>amaya -- Attribute Value Buffer Overflow Vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>amaya</name>
|
|
<range><lt>9.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19670/">
|
|
<p>Amaya have two vulnerabilities, which can be exploited by
|
|
malicious people to compromise a user's system.</p>
|
|
<p>The vulnerabilities are caused due to boundary errors within the
|
|
parsing of various attribute values. This can be exploited to cause
|
|
stack-based buffer overflows when a user opens a specially crafted
|
|
HTML document containing certain tags with overly long attribute
|
|
values.</p>
|
|
<p>Successful exploitation allows execution of arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1900</cvename>
|
|
<url>http://morph3us.org/advisories/20060412-amaya-94.txt</url>
|
|
<url>http://morph3us.org/advisories/20060412-amaya-94-2.txt</url>
|
|
<url>http://secunia.com/advisories/19670/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-14</discovery>
|
|
<entry>2006-04-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="116b0820-d59c-11da-8098-00123ffe8333">
|
|
<topic>lifetype -- ADOdb "server.php" Insecure Test Script Security Issue</topic>
|
|
<affects>
|
|
<package>
|
|
<name>lifetype</name>
|
|
<range><lt>1.0.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19699/">
|
|
<p>A security issue has been discovered in LifeType, which can be
|
|
exploited by malicious people to execute arbitrary SQL code and
|
|
potentially compromise a vulnerable system.</p>
|
|
<p>The problem is caused due to the presence of the insecure
|
|
"server.php" test script.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0146</cvename>
|
|
<url>http://secunia.com/advisories/19699/</url>
|
|
<url>http://secunia.com/advisories/17418/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-19</discovery>
|
|
<entry>2006-04-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="21c223f2-d596-11da-8098-00123ffe8333">
|
|
<topic>ethereal -- Multiple Protocol Dissector Vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ethereal</name>
|
|
<name>ethereal-lite</name>
|
|
<name>tethereal</name>
|
|
<name>tethereal-lite</name>
|
|
<range><ge>0.8.5</ge><lt>0.99.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19769/">
|
|
<p>Multiple vulnerabilities have been reported in Ethereal, which
|
|
can be exploited by malicious people to cause a DoS (Denial of
|
|
Service) or compromise a vulnerable system.</p>
|
|
<p>The vulnerabilities are caused due to various types of errors
|
|
including boundary errors, an off-by-one error, an infinite loop
|
|
error, and several unspecified errors in a multitude of protocol
|
|
dissectors.</p>
|
|
<p>Successful exploitation causes Ethereal to stop responding,
|
|
consume a large amount of system resources, crash, or execute
|
|
arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1932</cvename>
|
|
<cvename>CVE-2006-1933</cvename>
|
|
<cvename>CVE-2006-1934</cvename>
|
|
<cvename>CVE-2006-1935</cvename>
|
|
<cvename>CVE-2006-1936</cvename>
|
|
<cvename>CVE-2006-1937</cvename>
|
|
<cvename>CVE-2006-1938</cvename>
|
|
<cvename>CVE-2006-1939</cvename>
|
|
<cvename>CVE-2006-1940</cvename>
|
|
<url>http://www.ethereal.com/appnotes/enpa-sa-00023.html</url>
|
|
<url>http://secunia.com/advisories/19769/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-25</discovery>
|
|
<entry>2006-04-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8b683bea-d49c-11da-a672-000e0c2e438a">
|
|
<topic>asterisk -- denial of service vulnerability, local system access</topic>
|
|
<affects>
|
|
<package>
|
|
<name>asterisk</name>
|
|
<range><lt>1.2.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Emmanouel Kellenis reports a denial of service vulnerability
|
|
within asterisk. The vulnerability is caused by a buffer
|
|
overflow in "format_jpeg.c". A large JPEG image could
|
|
trigger this bug, potentially allowing a local attacker to
|
|
execute arbitrary code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>17561</bid>
|
|
<cvename>CVE-2006-1827</cvename>
|
|
<url>http://www.cipher.org.uk/index.php?p=advisories/Asterisk_Codec_Integer_Overflow_07-04-2006.advisory</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-07</discovery>
|
|
<entry>2006-04-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a813a219-d2d4-11da-a672-000e0c2e438a">
|
|
<topic>zgv, xzgv -- heap overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zgv</name>
|
|
<range><lt>5.9_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>xzgv</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Gentoo reports:</p>
|
|
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200604-10.xml">
|
|
<p>Andrea Barisani of Gentoo Linux discovered xzgv and zgv
|
|
allocate insufficient memory when rendering images with
|
|
more than 3 output components, such as images using the
|
|
YCCK or CMYK colour space. When xzgv or zgv attempt to
|
|
render the image, data from the image overruns a heap
|
|
allocated buffer.</p>
|
|
<p>An attacker may be able to construct a malicious image that
|
|
executes arbitrary code with the permissions of the xzgv or
|
|
zgv user when attempting to render the image.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>17409</bid>
|
|
<cvename>CVE-2006-1060</cvename>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200604-10.xml</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-21</discovery>
|
|
<entry>2006-04-23</entry>
|
|
<modified>2006-10-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="86cc5c6f-d2b4-11da-a672-000e0c2e438a">
|
|
<topic>crossfire-server -- denial of service and remote code execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>crossfire-server</name>
|
|
<range><lt>1.9.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>FRSIRT reports:</p>
|
|
<blockquote cite="http://www.frsirt.com/english/advisories/2006/0760">
|
|
<p>A vulnerability has been identified in CrossFire, which
|
|
could be exploited by remote attackers to execute arbitrary
|
|
commands or cause a denial of service. This flaw is due to
|
|
a buffer overflow error in the "oldsocketmode" module that
|
|
fails to properly handle overly large requests, which could
|
|
be exploited by a malicious client to crash or compromise a
|
|
vulnerable system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>16883</bid>
|
|
<cvename>CVE-2006-1010</cvename>
|
|
<url>http://www.frsirt.com/english/advisories/2006/0760</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-28</discovery>
|
|
<entry>2006-04-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8cfb6f42-d2b0-11da-a672-000e0c2e438a">
|
|
<topic>p5-DBI -- insecure temporary file creation vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>p5-DBI-137</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>p5-DBI</name>
|
|
<range><lt>1.37_1</lt></range>
|
|
<range><ge>1.38</ge><lt>1.48</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Javier Fernández-Sanguino Peña reports:</p>
|
|
<blockquote cite="http://www.debian.org/security/2005/dsa-658">
|
|
<p>The DBI library, the Perl5 database interface, creates a
|
|
temporary PID file in an insecure manner. This can be
|
|
exploited by a malicious user to overwrite arbitrary files
|
|
owned by the person executing the parts of the library.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12360</bid>
|
|
<cvename>CAN-2005-0077</cvename>
|
|
<url>http://www.debian.org/security/2005/dsa-658</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-25</discovery>
|
|
<entry>2006-04-23</entry>
|
|
<modified>2006-05-11</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e0b342a1-d2ae-11da-a672-000e0c2e438a">
|
|
<topic>wordpress -- full path disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wordpress</name>
|
|
<range><lt>1.5.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Dedi Dwianto reports:</p>
|
|
<blockquote cite="http://echo.or.id/adv/adv24-theday-2005.txt">
|
|
<p>A remote user can access the file directly to cause the
|
|
system to display an error message that indicates the
|
|
installation path. The resulting error message will
|
|
disclose potentially sensitive installation path
|
|
information to the remote attacker.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-4463</cvename>
|
|
<url>http://echo.or.id/adv/adv24-theday-2005.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-20</discovery>
|
|
<entry>2006-04-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8d4ae57d-d2ab-11da-a672-000e0c2e438a">
|
|
<topic>xine -- multiple remote string vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xine</name>
|
|
<range><lt>0.99.4_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>c0ntexb reports:</p>
|
|
<blockquote cite="http://www.open-security.org/advisories/16">
|
|
<p>There are 2 format string bugs in the latest version of
|
|
Xine that could be exploited by a malicious person to
|
|
execute code on the system of a remote user running the
|
|
media player against a malicious playlist file. By passing
|
|
a format specifier in the path of a file that is embedded
|
|
in a remote playlist, it is possible to trigger this bug.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>17579</bid>
|
|
<cvename>CVE-2006-1905</cvename>
|
|
<url>http://www.open-security.org/advisories/16</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-18</discovery>
|
|
<entry>2006-04-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="408f6ebf-d152-11da-962f-000b972eb521">
|
|
<topic>cyrus-sasl -- DIGEST-MD5 Pre-Authentication Denial of Service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cyrus-sasl</name>
|
|
<range><ge>2.*</ge><lt>2.1.21</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Unspecified vulnerability in the CMU Cyrus Simple
|
|
Authentication and Security Layer (SASL) library, has unknown
|
|
impact and remote unauthenticated attack vectors, related to
|
|
DIGEST-MD5 negotiation.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1721</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-11</discovery>
|
|
<entry>2006-04-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1fa4c9f1-cfca-11da-a672-000e0c2e438a">
|
|
<topic>FreeBSD -- FPU information disclosure</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><gt>6.0</gt><lt>6.0_7</lt></range>
|
|
<range><gt>5.4</gt><lt>5.4_14</lt></range>
|
|
<range><gt>5.3</gt><lt>5.3_29</lt></range>
|
|
<range><gt>5</gt><lt>5.3</lt></range>
|
|
<range><gt>4.11</gt><lt>4.11_17</lt></range>
|
|
<range><gt>4.10</gt><lt>4.10_23</lt></range>
|
|
<range><lt>4.10</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>On "7th generation" and "8th generation" processors
|
|
manufactured by AMD, including the AMD Athlon, Duron, Athlon
|
|
MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, and
|
|
Sempron, the fxsave and fxrstor instructions do not save and
|
|
restore the FOP, FIP, and FDP registers unless the exception
|
|
summary bit (ES) in the x87 status word is set to 1,
|
|
indicating that an unmasked x87 exception has occurred.</p>
|
|
<p>This behaviour is consistent with documentation provided by
|
|
AMD, but is different from processors from other vendors,
|
|
which save and restore the FOP, FIP, and FDP registers
|
|
regardless of the value of the ES bit. As a result of this
|
|
discrepancy remaining unnoticed until now, the FreeBSD kernel
|
|
does not restore the contents of the FOP, FIP, and FDP
|
|
registers between context switches.</p>
|
|
<h1>Impact</h1>
|
|
<p>On affected processors, a local attacker can monitor the
|
|
execution path of a process which uses floating-point
|
|
operations. This may allow an attacker to steal
|
|
cryptographic keys or other sensitive information.</p>
|
|
<h1>Workaround</h1>
|
|
<p>No workaround is available, but systems which do not use AMD
|
|
Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX,
|
|
Opteron, Turion, or Sempron processors are not vulnerable.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1056</cvename>
|
|
<freebsdsa>SA-06:14.fpu</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-19</discovery>
|
|
<entry>2006-04-19</entry>
|
|
<modified>2006-06-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="22c6b826-cee0-11da-8578-00123ffe8333">
|
|
<topic>plone -- "member_id" Parameter Portrait Manipulation Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>plone</name>
|
|
<range><lt>2.1.2_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19633/">
|
|
<p>The vulnerability is caused due to missing security declarations
|
|
in "changeMemberPortrait" and "deletePersonalPortrait". This can
|
|
be exploited to manipulate or delete another user's portrait via
|
|
the "member_id" parameter.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1711</cvename>
|
|
<url>http://dev.plone.org/plone/ticket/5432</url>
|
|
<url>http://www.debian.org/security/2006/dsa-1032</url>
|
|
<url>http://secunia.com/advisories/19633/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-13</discovery>
|
|
<entry>2006-04-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="84630f4a-cd8c-11da-b7b9-000c6ec775d9">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.8,1</lt></range>
|
|
<range><gt>1.5.*,1</gt><lt>1.5.0.2,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.5.0.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.13,2</lt></range>
|
|
<range><ge>1.8.*,2</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<range><lt>1.7.13</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>1.0.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<range><lt>1.5.0.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports of multiple
|
|
issues. Several of which can be used to run arbitrary code
|
|
with the privilege of the user running the program.</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/">
|
|
<ul>
|
|
<li>MFSA 2006-29 Spoofing with translucent windows</li>
|
|
<li>MFSA 2006-28 Security check of js_ValueToFunctionObject() can be circumvented</li>
|
|
<li>MFSA 2006-26 Mail Multiple Information Disclosure</li>
|
|
<li>MFSA 2006-25 Privilege escalation through Print Preview</li>
|
|
<li>MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest</li>
|
|
<li>MFSA 2006-23 File stealing by changing input type</li>
|
|
<li>MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability</li>
|
|
<li>MFSA 2006-20 Crashes with evidence of memory corruption (rv:1.8.0.2)</li>
|
|
<li>MFSA 2006-19 Cross-site scripting using .valueOf.call()</li>
|
|
<li>MFSA 2006-18 Mozilla Firefox Tag Order Vulnerability</li>
|
|
<li>MFSA 2006-17 cross-site scripting through window.controllers</li>
|
|
<li>MFSA 2006-16 Accessing XBL compilation scope via valueOf.call()</li>
|
|
<li>MFSA 2006-15 Privilege escalation using a JavaScript function's cloned parent</li>
|
|
<li>MFSA 2006-14 Privilege escalation via XBL.method.eval</li>
|
|
<li>MFSA 2006-13 Downloading executables with "Save Image As..."</li>
|
|
<li>MFSA 2006-12 Secure-site spoof (requires security warning dialog)</li>
|
|
<li>MFSA 2006-11 Crashes with evidence of memory corruption (rv:1.8)</li>
|
|
<li>MFSA 2006-10 JavaScript garbage-collection hazard audit</li>
|
|
<li>MFSA 2006-09 Cross-site JavaScript injection using event handlers</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>179014</certvu>
|
|
<certvu>252324</certvu>
|
|
<certvu>329500</certvu>
|
|
<certvu>350262</certvu>
|
|
<certvu>488774</certvu>
|
|
<certvu>736934</certvu>
|
|
<certvu>813230</certvu>
|
|
<certvu>842094</certvu>
|
|
<certvu>932734</certvu>
|
|
<certvu>935556</certvu>
|
|
<certvu>968814</certvu>
|
|
<cvename>CVE-2006-0749</cvename>
|
|
<cvename>CVE-2006-1045</cvename>
|
|
<cvename>CVE-2006-1529</cvename>
|
|
<cvename>CVE-2006-1530</cvename>
|
|
<cvename>CVE-2006-1531</cvename>
|
|
<cvename>CVE-2006-1723</cvename>
|
|
<cvename>CVE-2006-1724</cvename>
|
|
<cvename>CVE-2006-1725</cvename>
|
|
<cvename>CVE-2006-1726</cvename>
|
|
<cvename>CVE-2006-1727</cvename>
|
|
<cvename>CVE-2006-1728</cvename>
|
|
<cvename>CVE-2006-1729</cvename>
|
|
<cvename>CVE-2006-1730</cvename>
|
|
<cvename>CVE-2006-1731</cvename>
|
|
<cvename>CVE-2006-1732</cvename>
|
|
<cvename>CVE-2006-1733</cvename>
|
|
<cvename>CVE-2006-1734</cvename>
|
|
<cvename>CVE-2006-1735</cvename>
|
|
<cvename>CVE-2006-1736</cvename>
|
|
<cvename>CVE-2006-1737</cvename>
|
|
<cvename>CVE-2006-1738</cvename>
|
|
<cvename>CVE-2006-1739</cvename>
|
|
<cvename>CVE-2006-1740</cvename>
|
|
<cvename>CVE-2006-1741</cvename>
|
|
<cvename>CVE-2006-1742</cvename>
|
|
<cvename>CVE-2006-1790</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-09.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-10.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-11.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-12.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-13.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-14.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-15.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-16.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-17.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-18.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-19.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-20.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-22.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-23.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-25.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-26.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-28.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2006/mfsa2006-29.html</url>
|
|
<url>http://www.zerodayinitiative.com/advisories/ZDI-06-010.html</url>
|
|
<uscertta>TA06-107A</uscertta>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-13</discovery>
|
|
<entry>2006-04-16</entry>
|
|
<modified>2006-04-27</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8be2e304-cce6-11da-a3b1-00123ffe8333">
|
|
<topic>mailman -- Private Archive Script Cross-Site Scripting</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mailman</name>
|
|
<name>ja-mailman</name>
|
|
<name>mailman-with-htdig</name>
|
|
<range><lt>2.1.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19558/">
|
|
<p>A vulnerability has been reported in Mailman, which can be
|
|
exploited by malicious people to conduct cross-site scripting
|
|
attacks.</p>
|
|
<p>Unspecified input passed to the private archive script is not
|
|
properly sanitised before being returned to users. This can be
|
|
exploited to execute arbitrary HTML and script code in a user's
|
|
browser session in context of a vulnerable site.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1712</cvename>
|
|
<mlist>http://mail.python.org/pipermail/mailman-announce/2006-April/000084.html</mlist>
|
|
<url>http://secunia.com/advisories/19558/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-07</discovery>
|
|
<entry>2006-04-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="43cb40b3-c8c2-11da-a672-000e0c2e438a">
|
|
<topic>f2c -- insecure temporary files</topic>
|
|
<affects>
|
|
<package>
|
|
<name>f2c</name>
|
|
<range><lt>20060506</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Javier Fernández-Sanguino Peña reports two temporary file
|
|
vulnerability within f2c. The vulnerabilities are caused
|
|
due to weak temporary file handling. An attacker could
|
|
create an symbolic link, causing a local user running f2c
|
|
to overwrite the symlinked file. This could give the
|
|
attacker elevated privileges.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>1280</bid>
|
|
<cvename>CAN-2005-0017</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-27</discovery>
|
|
<entry>2006-04-10</entry>
|
|
<modified>2006-08-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c7526a14-c4dc-11da-9699-00123ffe8333">
|
|
<topic>mplayer -- Multiple integer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mplayer</name>
|
|
<name>mplayer-esound</name>
|
|
<name>mplayer-gtk</name>
|
|
<name>mplayer-gtk2</name>
|
|
<name>mplayer-gtk-esound</name>
|
|
<name>mplayer-gtk2-esound</name>
|
|
<range><lt>0.99.7_12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19418/">
|
|
<p>The vulnerabilities are caused due to integer overflow errors
|
|
in "libmpdemux/asfheader.c" within the handling of an ASF file,
|
|
and in "libmpdemux/aviheader.c" when parsing the "indx" chunk in
|
|
an AVI file. This can be exploited to cause heap-based buffer
|
|
overflows via a malicious ASF file, or via a AVI file with
|
|
specially-crafted "wLongsPerEntry" and "nEntriesInUse" values in
|
|
the "indx" chunk.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1502</cvename>
|
|
<url>http://www.xfocus.org/advisories/200603/11.html</url>
|
|
<url>http://secunia.com/advisories/19418/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-29</discovery>
|
|
<entry>2006-04-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4bfcd857-c628-11da-b2fb-000e0c2e438a">
|
|
<topic>kaffeine -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kaffeine</name>
|
|
<range><ge>0.4.2</ge><lt>0.8.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The KDE team reports:</p>
|
|
<blockquote cite="http://www.kde.org/info/security/advisory-20060404-1.txt">
|
|
<p>Kaffeine can produce a buffer overflow in http_peek() while
|
|
creating HTTP request headers for fetching remote playlists,
|
|
which under certain circumstances could be used to crash the
|
|
application and/or execute arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>17372</bid>
|
|
<cvename>CVE-2006-0051</cvename>
|
|
<url>http://www.kde.org/info/security/advisory-20060404-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-04</discovery>
|
|
<entry>2006-04-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="61349f77-c620-11da-b2fb-000e0c2e438a">
|
|
<topic>thunderbird -- javascript execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<range><le>1.0.7</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Renaud Lifchitz reports a vulnerability within thunderbird.
|
|
The vulnerability is caused by improper checking of javascript
|
|
scripts. This could lead to javascript code execution which
|
|
can lead to information disclosure or a denial of service
|
|
(application crash). This vulnerability is present even if
|
|
javascript had been disabled in the preferences.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>16770</bid>
|
|
<cvename>CAN-2006-0884</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-22</discovery>
|
|
<entry>2006-04-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fba75b43-c588-11da-9110-00123ffe8333">
|
|
<topic>phpmyadmin -- XSS vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>2.8.0.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>phpMyAdmin security announcement:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-1">
|
|
<p>It was possible to conduct an XSS attack with a direct call
|
|
to some scripts under the themes directory.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-1</url>
|
|
<url>http://secunia.com/advisories/19556/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-06</discovery>
|
|
<entry>2006-04-06</entry>
|
|
<modified>2006-04-07</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7b55f5c2-c58b-11da-9110-00123ffe8333">
|
|
<topic>phpmyadmin -- 'set_theme' Cross-Site Scripting</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>2.8.0.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19277">
|
|
<p>A vulnerability has been reported in phpMyAdmin, which can be
|
|
exploited by malicious people to conduct cross-site scripting
|
|
attacks.</p>
|
|
<p>Input passed to the "set_theme" parameter isn't properly
|
|
sanitised before being returned to the user. This can be exploited
|
|
to execute arbitrary HTML and script code in a user's browser
|
|
session in context of an affected site.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1258</cvename>
|
|
<url>http://secunia.com/advisories/19277</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-17</discovery>
|
|
<entry>2006-04-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6a5174bd-c580-11da-9110-00123ffe8333">
|
|
<topic>clamav -- Multiple Vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>clamav</name>
|
|
<range><lt>0.88.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>clamav-devel</name>
|
|
<range><le>20051104_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19534/">
|
|
<p>Some vulnerabilities have been reported in ClamAV, which
|
|
potentially can be exploited by malicious people to cause a
|
|
DoS (Denial of Service) and compromise a vulnerable system.</p>
|
|
<p>An unspecified integer overflow error exists in the PE header
|
|
parser in "libclamav/pe.c". Successful exploitation requires that
|
|
the ArchiveMaxFileSize option is disabled.</p>
|
|
<p>Some format string errors in the logging handling in
|
|
"shared/output.c" may be exploited to execute arbitrary code.</p>
|
|
<p>An out-of-bounds memory access error in the "cli_bitset_test()"
|
|
function in "ibclamav/others.c" may be exploited to cause a
|
|
crash.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1614</cvename>
|
|
<cvename>CVE-2006-1615</cvename>
|
|
<cvename>CVE-2006-1630</cvename>
|
|
<url>http://secunia.com/advisories/19534/</url>
|
|
<url>http://www.us.debian.org/security/2006/dsa-1024</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-06</discovery>
|
|
<entry>2006-04-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="99015cf5-c4dd-11da-b2fb-000e0c2e438a">
|
|
<topic>mediawiki -- hardcoded placeholder string security bypass vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mediawiki</name>
|
|
<range><lt>1.5.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The mediawiki development team reports a vulnerability
|
|
within the mediawiki application. The vulnerability is
|
|
caused by improper checking of inline style attributes. This
|
|
could result in the execution of arbitrary javascript code in
|
|
Microsoft Internet Explorer. It appears that other browsers
|
|
are not affected by this vulnerability.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>16032</bid>
|
|
<cvename>CAN-2005-4501</cvename>
|
|
<url>http://sourceforge.net/project/shownotes.php?release_id=379951</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-22</discovery>
|
|
<entry>2006-04-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ae9fb0d7-c4dc-11da-b2fb-000e0c2e438a">
|
|
<topic>netpbm -- buffer overflow in pnmtopng</topic>
|
|
<affects>
|
|
<package>
|
|
<name>netpbm</name>
|
|
<range><lt>10.26</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ubuntu reports:</p>
|
|
<blockquote cite="http://www.ubuntulinux.org/support/documentation/usn/usn-210-1">
|
|
<p>A buffer overflow was found in the "pnmtopng" conversion
|
|
program. By tricking an user (or automated system) to
|
|
process a specially crafted PNM image with pnmtopng, this
|
|
could be exploited to execute arbitrary code with the
|
|
privileges of the user running pnmtopng.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15128</bid>
|
|
<cvename>CAN-2005-2978</cvename>
|
|
<url>http://www.ubuntulinux.org/support/documentation/usn/usn-210-1</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-18</discovery>
|
|
<entry>2006-04-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d9307a41-c4d7-11da-b2fb-000e0c2e438a">
|
|
<topic>zoo -- stack based buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zoo</name>
|
|
<range><lt>2.10.1_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jean-Sébastien Guay-Leroux report a vulnerability
|
|
within the zoo archiver. The vulnerability which is present
|
|
in the fullpath() function (from the misc.c file) is caused by
|
|
improper checking of user supplied data. The data returned
|
|
to the buffer can be up to 512 bytes, while the buffer is
|
|
created to hold 256 bytes. This could result in a buffer
|
|
overflow which could allow remote code execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>16790</bid>
|
|
<cvename>CVE-2006-0855</cvename>
|
|
<url>http://www.guay-leroux.com/projects/zoo-advisory.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-22</discovery>
|
|
<entry>2006-04-05</entry>
|
|
<modified>2006-04-06</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="74b7403c-c4d5-11da-b2fb-000e0c2e438a">
|
|
<topic>mediawiki -- cross site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mediawiki</name>
|
|
<range><ge>1.4</ge><lt>1.4.14</lt></range>
|
|
<range><ge>1.5</ge><lt>1.5.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The mediawiki development team reports that there is an
|
|
site scripting vulnerability within mediawiki. The
|
|
vulnerability is caused by improper checking of encoded
|
|
links which could allow the injection of html in the output
|
|
generated by mediawiki. This could lead to cross site
|
|
scripting attacks against mediawiki installations.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>17269</bid>
|
|
<cvename>CVE-2006-1498</cvename>
|
|
<url>http://mail.wikipedia.org/pipermail/mediawiki-announce/2006-March/000040.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-27</discovery>
|
|
<entry>2006-04-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b5fc63ad-c4c3-11da-9699-00123ffe8333">
|
|
<topic>dia -- XFig Import Plugin Buffer Overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>dia</name>
|
|
<name>dia-gnome</name>
|
|
<range><gt>0.86_1</gt><lt>0.94_6,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19469/">
|
|
<p>Some vulnerabilities have been reported in Dia, which
|
|
potentially can be exploited by malicious people to
|
|
compromise a user's system.</p>
|
|
<p>The vulnerabilities are caused due to boundary errors
|
|
within the XFig import plugin. This can be exploited to
|
|
cause buffer overflows and may allow arbitrary code
|
|
execution when a specially-crafted FIG file is imported.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1550</cvename>
|
|
<url>http://secunia.com/advisories/19469/</url>
|
|
<mlist msgid="1143662924.6460.60.camel@linux.site">http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-31</discovery>
|
|
<entry>2006-04-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="be4ccb7b-c48b-11da-ae12-0002b3b60e4c">
|
|
<topic>openvpn -- LD_PRELOAD code execution on client through malicious or compromised server</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openvpn</name>
|
|
<range><ge>2.0</ge><lt>2.0.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Hendrik Weimer reports:</p>
|
|
<blockquote cite="http://www.osreviews.net/reviews/security/openvpn-print">
|
|
<p>OpenVPN clients are a bit too generous when accepting
|
|
configuration options from a server. It is possible to transmit
|
|
environment variables to client-side shell scripts. There are some
|
|
filters in place to prevent obvious nonsense, however they don't
|
|
catch the good old LD_PRELOAD trick. All we need is to put a file
|
|
onto the client under a known location (e.g. by returning a
|
|
specially crafted document upon web access) and we have a remote
|
|
root exploit. But since the attack may only come from authenticated
|
|
servers, this threat is greatly reduced.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1629</cvename>
|
|
<url>http://www.osreviews.net/reviews/security/openvpn-print</url>
|
|
<url>http://openvpn.net/changelog.html</url>
|
|
<mlist msgid="4431F7C4.4030804@yonan.net">http://sourceforge.net/mailarchive/message.php?msg_id=15298074</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-04-03</discovery>
|
|
<entry>2006-04-05</entry>
|
|
<modified>2006-04-06</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="92fd40eb-c458-11da-9c79-00123ffe8333">
|
|
<topic>samba -- Exposure of machine account credentials in winbind log files</topic>
|
|
<affects>
|
|
<package>
|
|
<name>samba</name>
|
|
<range><ge>3.0.21a,1</ge><lt>3.0.22,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ja-samba</name>
|
|
<range><ge>3.0.21a,1</ge><lt>3.0.22,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Samba Security Advisory:</p>
|
|
<blockquote cite="http://us1.samba.org/samba/security/CAN-2006-1059.html">
|
|
<p>The machine trust account password is the secret
|
|
shared between a domain controller and a specific
|
|
member server. Access to the member server machine
|
|
credentials allows an attacker to impersonate the
|
|
server in the domain and gain access to additional
|
|
information regarding domain users and groups.</p>
|
|
<p>The winbindd daemon writes the clear text of server's
|
|
machine credentials to its log file at level 5.
|
|
The winbindd log files are world readable by default
|
|
and often log files are requested on open mailing
|
|
lists as tools used to debug server misconfigurations.</p>
|
|
<p>This affects servers configured to use domain or
|
|
ads security and possibly Samba domain controllers
|
|
as well (if configured to use winbindd).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1059</cvename>
|
|
<url>http://us1.samba.org/samba/security/CAN-2006-1059.html</url>
|
|
<url>http://secunia.com/advisories/19455/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-30</discovery>
|
|
<entry>2006-04-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="91afa94c-c452-11da-8bff-000ae42e9b93">
|
|
<topic>mod_pubcookie -- cross site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_pubcookie</name>
|
|
<range><lt>3.3.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Nathan Dors of the Pubcookie Project reports:</p>
|
|
<blockquote cite="http://www.pubcookie.org/news/20060306-apps-secadv.html">
|
|
<p>Non-persistent XSS vulnerabilities were found in the
|
|
Pubcookie Apache module (mod_pubcookie) and ISAPI
|
|
filter. These components mishandle untrusted data when
|
|
printing responses to the browser. This makes them
|
|
vulnerable to carefully crafted requests containing script
|
|
or HTML. If an attacker can lure an unsuspecting user to
|
|
visit carefully staged content, the attacker can use it to
|
|
redirect the user to a vulnerable Pubcookie application
|
|
server and attempt to exploit the XSS vulnerabilities.</p>
|
|
<p>These vulnerabilities are classified as *high* due to the
|
|
nature and purpose of Pubcookie application servers for user
|
|
authentication and Web Single Sign-on (SSO). An attacker
|
|
who injects malicious script through the vulnerabilities
|
|
might steal private Pubcookie data including a user's
|
|
authentication assertion ("granting") cookies and
|
|
application session cookies.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>314540</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-06</discovery>
|
|
<entry>2006-04-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="855cd9fa-c452-11da-8bff-000ae42e9b93">
|
|
<topic>pubcookie-login-server -- cross site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pubcookie-login-server</name>
|
|
<range><lt>3.3.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Nathan Dors of the Pubcookie Project reports:</p>
|
|
<blockquote cite="">
|
|
<p> Multiple non-persistent XSS vulnerabilities were found
|
|
in the Pubcookie login server's compiled binary "index.cgi"
|
|
CGI program. The CGI program mishandles untrusted data when
|
|
printing responses to the browser. This makes the program
|
|
vulnerable to carefully crafted requests containing script
|
|
or HTML. If an attacker can lure an unsuspecting user to
|
|
visit carefully staged content, the attacker can use it to
|
|
redirect the user to his or her local Pubcookie login page
|
|
and attempt to exploit the XSS vulnerabilities.</p>
|
|
<p> These vulnerabilities are classified as *critical* due
|
|
to the nature and purpose of the Pubcookie login server for
|
|
user authentication and Web Single Sign-on (SSO). Specific
|
|
threats include:</p>
|
|
<ul>
|
|
<li>An attacker who injects malicious script through the
|
|
vulnerabilities might steal senstive user data including
|
|
a user's authentication credentials (usernames and
|
|
passwords);</li>
|
|
<li>An attacker who injects malicious script through the
|
|
vulnerabilities might steal private Pubcookie data
|
|
including a user's authentication assertion ("granting")
|
|
cookies and SSO ("login") session cookies;</li>
|
|
<li>An attacker who injects HTML tags through the
|
|
vulnerabilities might deface a site's Pubcookie login page
|
|
for a single visit by a single user (i.e. a non-persistent
|
|
defacement).</li>
|
|
</ul>
|
|
<p>At the heart of these threats lies a violation of the
|
|
user's trust in the Pubcookie login server.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>337585</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-06</discovery>
|
|
<entry>2006-04-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="37a5c10f-bf56-11da-b0e9-00123ffe8333">
|
|
<topic>freeradius -- EAP-MSCHAPv2 Authentication Bypass</topic>
|
|
<affects>
|
|
<package>
|
|
<name>freeradius</name>
|
|
<range><ge>1.0.0</ge><lt>1.1.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Freeradius Security Contact reports:</p>
|
|
<blockquote cite="http://www.freeradius.org/security.html#1.1.0">
|
|
<p>Insufficient input validation was being done in the
|
|
EAP-MSCHAPv2 state machine. A malicious attacker could
|
|
manipulate their EAP-MSCHAPv2 client state machine to
|
|
potentially convince the server to bypass authentication
|
|
checks. This bypassing could also result in the server
|
|
crashing.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1354</cvename>
|
|
<url>http://www.freeradius.org/security.html#1.1.0</url>
|
|
<url>http://secunia.com/advisories/19300/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-21</discovery>
|
|
<entry>2006-03-29</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2db97aa6-be81-11da-9b82-0050bf27ba24">
|
|
<topic>horde -- remote code execution vulnerability in the help viewer</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde</name>
|
|
<name>horde-php5</name>
|
|
<range><lt>3.1.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Horde 3.1.1 release announcement:</p>
|
|
<blockquote cite="http://lists.horde.org/archives/announce/2006/000271.html">
|
|
<p>Major changes compared to Horde 3.1 are:</p>
|
|
<ul>
|
|
<li>Fix for remote code execution vulnerability in the
|
|
help viewer, discovered by Jan Schneider from the Horde
|
|
team.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>17292</bid>
|
|
<cvename>CVE-2006-1491</cvename>
|
|
<url>http://lists.horde.org/archives/announce/2006/000271.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-28</discovery>
|
|
<entry>2006-03-28</entry>
|
|
<modified>2006-03-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="25858c37-bdab-11da-b7d4-00123ffe8333">
|
|
<topic>linux-realplayer -- buffer overrun</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-realplayer</name>
|
|
<range><ge>10.0.1</ge><lt>10.0.7.785.20060201</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia Advisories Reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19358/">
|
|
<p>A boundary error when processing SWF files can be exploited to
|
|
cause a buffer overflow. This may allow execution of arbitrary
|
|
code on the user's system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0323</cvename>
|
|
<url>http://service.real.com/realplayer/security/03162006_player/en/</url>
|
|
<url>http://secunia.com/advisories/19358/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-23</discovery>
|
|
<entry>2006-03-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fe4c84fc-bdb5-11da-b7d4-00123ffe8333">
|
|
<topic>linux-realplayer -- heap overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-realplayer</name>
|
|
<range><ge>10.0.1</ge><lt>10.0.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>iDefense Reports:</p>
|
|
<blockquote cite="http://www.idefense.com/intelligence/vulnerabilities/display.php?id=404">
|
|
<p>Remote exploitation of a heap-based buffer overflow in
|
|
RealNetwork Inc's RealPlayer could allow the execution of
|
|
arbitrary code in the context of the currently logged in
|
|
user.</p>
|
|
<p>In order to exploit this vulnerability, an attacker would
|
|
need to entice a user to follow a link to a malicious server.
|
|
Once the user visits a website under the control of an
|
|
attacker, it is possible in a default install of RealPlayer
|
|
to force a web-browser to use RealPlayer to connect to an
|
|
arbitrary server, even when it is not the default application
|
|
for handling those types, by the use of embedded object tags
|
|
in a webpage. This may allow automated exploitation when the
|
|
page is viewed.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2922</cvename>
|
|
<url>http://service.real.com/realplayer/security/03162006_player/en/</url>
|
|
<url>http://www.idefense.com/intelligence/vulnerabilities/display.php?id=404</url>
|
|
<url>http://secunia.com/advisories/19358/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-23</discovery>
|
|
<entry>2006-03-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="08ac7b8b-bb30-11da-b2fb-000e0c2e438a">
|
|
<topic>sendmail -- race condition vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sendmail</name>
|
|
<range><gt>8.13</gt><lt>8.13.6</lt></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>6.0</ge><lt>6.0_6</lt></range>
|
|
<range><ge>5.4</ge><lt>5.4_13</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_28</lt></range>
|
|
<range><ge>4.11</ge><lt>4.11_16</lt></range>
|
|
<range><ge>4.10</ge><lt>4.10_22</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>A race condition has been reported to exist in the handling
|
|
by sendmail of asynchronous signals.</p>
|
|
<h1>Impact</h1>
|
|
<p>A remote attacker may be able to execute arbitrary code with
|
|
the privileges of the user running sendmail, typically
|
|
root.</p>
|
|
<h1>Workaround</h1>
|
|
<p>There is no known workaround other than disabling
|
|
sendmail.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0058</cvename>
|
|
<freebsdsa>SA-06:13.sendmail</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-22</discovery>
|
|
<entry>2006-03-24</entry>
|
|
<modified>2006-06-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e93bc5b0-bb2e-11da-b2fb-000e0c2e438a">
|
|
<topic>OPIE -- arbitrary password change</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>6.0</ge><lt>6.0_6</lt></range>
|
|
<range><ge>5.4</ge><lt>5.4_13</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_28</lt></range>
|
|
<range><ge>4.11</ge><lt>4.11_16</lt></range>
|
|
<range><ge>4.10</ge><lt>4.10_22</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>The opiepasswd(1) program uses getlogin(2) to identify the
|
|
user calling opiepasswd(1). In some circumstances
|
|
getlogin(2) will return "root" even when running as an
|
|
unprivileged user. This causes opiepasswd(1) to allow an
|
|
unpriviled user to configure OPIE authentication for the root
|
|
user.</p>
|
|
<h1>Impact</h1>
|
|
<p>In certain cases an attacker able to run commands as a non
|
|
privileged users which have not explicitly logged in, for
|
|
example CGI scripts run by a web server, is able to configure
|
|
OPIE access for the root user. If the attacker is able to
|
|
authenticate as root using OPIE authentication, for example if
|
|
"PermitRootLogin" is set to "yes" in sshd_config or the
|
|
attacker has access to a local user in the "wheel" group, the
|
|
attacker can gain root privileges.</p>
|
|
<h1>Workaround</h1>
|
|
<p>Disable OPIE authentication in PAM:</p>
|
|
<pre># sed -i "" -e /opie/s/^/#/ /etc/pam.d/*</pre>
|
|
<p>or</p>
|
|
<p>Remove the setuid bit from opiepasswd:</p>
|
|
<pre># chflags noschg /usr/bin/opiepasswd</pre>
|
|
<pre># chmod 555 /usr/bin/opiepasswd</pre>
|
|
<pre># chflags schg /usr/bin/opiepasswd</pre>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1283</cvename>
|
|
<freebsdsa>SA-06:12.opie</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-22</discovery>
|
|
<entry>2006-03-24</entry>
|
|
<modified>2006-06-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e50a7476-bb2d-11da-b2fb-000e0c2e438a">
|
|
<topic>ipsec -- reply attack vulnerability</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>6.0</ge><lt>6.0_6</lt></range>
|
|
<range><ge>5.4</ge><lt>5.4_13</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_28</lt></range>
|
|
<range><ge>4.11</ge><lt>4.11_16</lt></range>
|
|
<range><ge>4.10</ge><lt>4.10_22</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>IPsec provides an anti-replay service which when enabled
|
|
prevents an attacker from successfully executing a replay
|
|
attack. This is done through the verification of sequence
|
|
numbers. A programming error in the fast_ipsec(4)
|
|
implementation results in the sequence number associated with
|
|
a Security Association not being updated, allowing packets to
|
|
unconditionally pass sequence number verification checks.</p>
|
|
<h1>Impact</h1>
|
|
<p>An attacker able to to intercept IPSec packets can replay
|
|
them. If higher level protocols which do not provide any
|
|
protection against packet replays (e.g., UDP) are used, this
|
|
may have a variety of effects.</p>
|
|
<h1>Workaround</h1>
|
|
<p>No workaround is available.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0905</cvename>
|
|
<freebsdsa>SA-06:11.ipsec</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-22</discovery>
|
|
<entry>2006-03-24</entry>
|
|
<modified>2006-06-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="61534682-b8f4-11da-8e62-000e0c33c2dc">
|
|
<topic>xorg-server -- privilege escalation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xorg-server</name>
|
|
<range><eq>6.9.0</eq></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Daniel Stone of X.Org reports:</p>
|
|
<blockquote cite="http://lists.freedesktop.org/archives/xorg/2006-March/013992.html">
|
|
<p>During the analysis of results from the Coverity code review
|
|
of X.Org, we discovered a flaw in the server that allows local
|
|
users to execute arbitrary code with root privileges, or cause
|
|
a denial of service by overwriting files on the system, again
|
|
with root privileges.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0745</cvename>
|
|
<url>https://bugs.freedesktop.org/show_bug.cgi?id=6213</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-20</discovery>
|
|
<entry>2006-03-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b62c80c2-b81a-11da-bec5-00123ffe8333">
|
|
<topic>heimdal -- Multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>heimdal</name>
|
|
<range><lt>0.6.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Project heimdal Security Advisory reports:</p>
|
|
<blockquote cite="http://www.pdc.kth.se/heimdal/advisory/2005-04-20/">
|
|
<p>The telnet client program in Heimdal has buffer overflows
|
|
in the functions slc_add_reply() and env_opt_add(), which
|
|
may lead to remote code execution.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.pdc.kth.se/heimdal/advisory/2005-06-20/">
|
|
<p>The telnetd server program in Heimdal has buffer overflows
|
|
in the function getterminaltype, which may lead to remote code
|
|
execution.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.pdc.kth.se/heimdal/advisory/2006-02-06/">
|
|
<p>The rshd server in Heimdal has a privilege escalation bug
|
|
when storing forwarded credentials. The code allowes a user
|
|
to overwrite a file with its credential cache, and get ownership
|
|
of the file.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0469</cvename>
|
|
<cvename>CVE-2005-2040</cvename>
|
|
<cvename>CVE-2006-0582</cvename>
|
|
<cvename>CVE-2006-0677</cvename>
|
|
<url>http://www.pdc.kth.se/heimdal/advisory/2005-04-20</url>
|
|
<url>http://www.pdc.kth.se/heimdal/advisory/2005-06-20</url>
|
|
<url>http://www.pdc.kth.se/heimdal/advisory/2006-02-06</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-06</discovery>
|
|
<entry>2006-03-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b8e361b8-b7ff-11da-8414-0013d4a4a40e">
|
|
<topic>curl -- TFTP packet buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>curl</name>
|
|
<name>linux-curl</name>
|
|
<range><gt>7.14.1</gt><lt>7.15.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Project cURL Security Advisory reports:</p>
|
|
<blockquote cite="http://curl.haxx.se/docs/adv_20060320.html">
|
|
<p>libcurl uses the given file part of a TFTP URL in a manner that allows a
|
|
malicious user to overflow a heap-based memory buffer due to the lack of
|
|
boundary check.</p>
|
|
<p>This overflow happens if you pass in a URL with a TFTP
|
|
protocol prefix ("tftp://"), using a valid host and a path
|
|
part that is longer than 512 bytes.</p>
|
|
<p>The affected flaw can be triggered by a redirect, if
|
|
curl/libcurl is told to follow redirects and an HTTP
|
|
server points the client to a tftp URL with the
|
|
characteristics described above.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-1061</cvename>
|
|
<url>http://curl.haxx.se/docs/adv_20060320.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-20</discovery>
|
|
<entry>2006-03-20</entry>
|
|
<modified>2006-10-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6779e82f-b60b-11da-913d-000ae42e9b93">
|
|
<topic>drupal -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>drupal</name>
|
|
<range><lt>3.6.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Drupal reports:</p>
|
|
<blockquote cite="http://drupal.org/node/53806">
|
|
<p>Mail header injection vulnerability.</p>
|
|
<p>Linefeeds and carriage returns were not being stripped from
|
|
email headers, raising the possibility of bogus headers
|
|
being inserted into outgoing email.</p>
|
|
<p>This could lead to Drupal sites being used to send unwanted
|
|
email.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://drupal.org/node/53805">
|
|
<p>Session fixation vulnerability.</p>
|
|
<p>If someone creates a clever enough URL and convinces you to
|
|
click on it, and you later log in but you do not log off
|
|
then the attacker may be able to impersonate you.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://drupal.org/node/53803">
|
|
<p>XSS vulnerabilities.</p>
|
|
<p>Some user input sanity checking was missing. This could
|
|
lead to possible cross-site scripting (XSS) attacks.</p>
|
|
<p>XSS can lead to user tracking and theft of accounts and
|
|
services.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://drupal.org/node/53796">
|
|
<p>Security bypass in menu.module.</p>
|
|
<p>If you use menu.module to create a menu item, the page you
|
|
point to will be accessible to all, even if it is an admin
|
|
page.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://drupal.org/node/53806</url>
|
|
<url>http://drupal.org/node/53805</url>
|
|
<url>http://drupal.org/node/53803</url>
|
|
<url>http://drupal.org/node/53796</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-13</discovery>
|
|
<entry>2006-03-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c7c09579-b466-11da-82d0-0050bf27ba24">
|
|
<topic>horde -- "url" disclosure of sensitive information vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde</name>
|
|
<name>horde-php5</name>
|
|
<range><lt>3.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p> Secunia advisory SA19246:</p>
|
|
<blockquote cite="http://secunia.com/advisories/19246/">
|
|
<p>Paul Craig has discovered a vulnerability in Horde, which
|
|
can be exploited by malicious people to disclose sensitive
|
|
information.
|
|
Input passed to the "url" parameter in "services/go.php"
|
|
isn't properly verified, before it is used in a
|
|
"readfile()" call. This can be exploited to disclose the
|
|
content of arbitrary files via e.g. the "php://" protocol
|
|
wrapper.</p>
|
|
<p>The vulnerability has been confirmed in version 3.0.9 and
|
|
has also been reported in prior versions.</p>
|
|
<p>Provided and/or discovered by:
|
|
Paul Craig, Security-Assessment.com.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/19246/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-15</discovery>
|
|
<entry>2006-03-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="83421018-b3ef-11da-a32d-000c6ec775d9">
|
|
<topic>linux-flashplugin -- arbitrary code execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-flashplugin</name>
|
|
<range><lt>7.0r63</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe reports:</p>
|
|
<blockquote cite="http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html">
|
|
<p>Critical vulnerabilities have been identified in Flash
|
|
Player that could allow an attacker who successfully
|
|
exploits these vulnerabilities to take control of the
|
|
affected system. A malicious SWF must be loaded in Flash
|
|
Player by the user for an attacker to exploit these
|
|
vulnerabilities.</p>
|
|
<p>Flash Player 8 update (8.0.24.0), and Flash Player 7
|
|
update (7.0.63.0) address security vulnerabilities in
|
|
previous versions of Flash Player, which could lead to the
|
|
potential execution of arbitrary code. These
|
|
vulnerabilities could be accessed through content
|
|
delivered from a remote location via the users web
|
|
browser, email client, or other applications that include
|
|
or reference the Flash Player.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0024</cvename>
|
|
<url>http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-14</discovery>
|
|
<entry>2006-03-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6111ecb8-b20d-11da-b2fb-000e0c2e438a">
|
|
<topic>nfs -- remote denial of service</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><gt>6.0</gt><lt>6.0_5</lt></range>
|
|
<range><gt>5.4</gt><lt>5.4_12</lt></range>
|
|
<range><gt>5.3</gt><lt>5.3_27</lt></range>
|
|
<range><gt>4.11</gt><lt>4.11_15</lt></range>
|
|
<range><gt>4.10</gt><lt>4.10_21</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem description:</h1>
|
|
<p>A part of the NFS server code charged with handling incoming
|
|
RPC messages via TCP had an error which, when the server
|
|
received a message with a zero-length payload, would cause a
|
|
NULL pointer dereference which results in a kernel panic. The
|
|
kernel will only process the RPC messages if a userland nfsd
|
|
daemon is running.</p>
|
|
<h1>Impact:</h1>
|
|
<p>The NULL pointer deference allows a remote attacker capable
|
|
of sending RPC messages to an affected FreeBSD system to crash
|
|
the FreeBSD system.</p>
|
|
<h1>Workaround:</h1>
|
|
<ol>
|
|
<li>
|
|
<p>Disable the NFS server: set the nfs_server_enable
|
|
variable to "NO" in /etc/rc.conf, and reboot.</p>
|
|
<p>Alternatively, if there are no active NFS clients (as
|
|
listed by the showmount(8) utility), simply killing the
|
|
mountd and nfsd processes should suffice.</p>
|
|
</li>
|
|
<li>
|
|
<p>Add firewall rules to block RPC traffic to the NFS server
|
|
from untrusted hosts.</p>
|
|
</li>
|
|
</ol>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0900</cvename>
|
|
<freebsdsa>SA-06:10.nfs</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-01</discovery>
|
|
<entry>2006-03-12</entry>
|
|
<modified>2006-06-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6a308e8e-b1b4-11da-b2fb-000e0c2e438a">
|
|
<topic>openssh -- remote denial of service</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><gt>5.4</gt><lt>5.4_12</lt></range>
|
|
<range><gt>5.3</gt><lt>5.3_27</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem description:</h1>
|
|
<p>Because OpenSSH and OpenPAM have conflicting designs (one is event-
|
|
driven while the other is callback-driven), it is necessary for
|
|
OpenSSH to fork a child process to handle calls to the PAM framework.
|
|
However, if the unprivileged child terminates while PAM authentication
|
|
is under way, the parent process incorrectly believes that the PAM
|
|
child also terminated. The parent process then terminates, and the
|
|
PAM child is left behind.</p>
|
|
<p>Due to the way OpenSSH performs internal accounting, these orphaned
|
|
PAM children are counted as pending connections by the master OpenSSH
|
|
server process. Once a certain number of orphans has accumulated, the
|
|
master decides that it is overloaded and stops accepting client
|
|
connections.</p>
|
|
<h1>Impact:</h1>
|
|
<p>By repeatedly connecting to a vulnerable server, waiting for
|
|
a password prompt, and closing the connection, an attacker can
|
|
cause OpenSSH to stop accepting client connections until the
|
|
system restarts or an administrator manually kills the orphaned
|
|
PAM processes.</p>
|
|
<h1>Workaround:</h1>
|
|
<p>The following command will show a list of orphaned PAM
|
|
processes:</p>
|
|
<pre># pgrep -lf 'sshd.*\[pam\]'</pre>
|
|
<p>The following command will kill orphaned PAM processes:</p>
|
|
<pre># pkill -f 'sshd.*\[pam\]'</pre>
|
|
<p>To prevent OpenSSH from leaving orphaned PAM processes behind,
|
|
perform one of the following:</p>
|
|
<ol>
|
|
<li>
|
|
<p>Disable PAM authentication in OpenSSH. Users will still
|
|
be able to log in using their Unix password, OPIE or SSH
|
|
keys.</p>
|
|
<p>To do this, execute the following commands as root:</p>
|
|
<pre># echo 'UsePAM no' >>/etc/ssh/sshd_config</pre>
|
|
<pre># echo 'PasswordAuthentication yes' >>/etc/ssh/sshd_config</pre>
|
|
<pre># /etc/rc.d/sshd restart</pre>
|
|
</li>
|
|
<li>
|
|
<p>If disabling PAM is not an option - if, for instance, you use
|
|
RADIUS authentication, or store user passwords in an SQL database -
|
|
you may instead disable privilege separation. However, this may
|
|
leave OpenSSH vulnerable to hitherto unknown bugs, and should be
|
|
considered a last resort.</p>
|
|
<p>To do this, execute the following commands as root:</p>
|
|
<pre># echo 'UsePrivilegeSeparation no' >>/etc/ssh/sshd_config</pre>
|
|
<pre># /etc/rc.d/sshd restart</pre>
|
|
</li>
|
|
</ol>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0883</cvename>
|
|
<freebsdsa>SA-06:09.openssh</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-01</discovery>
|
|
<entry>2006-03-12</entry>
|
|
<modified>2006-06-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="948921ad-afbc-11da-bad9-02e081235dab">
|
|
<topic>GnuPG does not detect injection of unsigned data</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnupg</name>
|
|
<range><lt>1.4.2.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Werner Koch reports:</p>
|
|
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html">
|
|
<p>In the aftermath of the false positive signature
|
|
verfication bug (announced 2006-02-15) more thorough testing
|
|
of the fix has been done and another vulnerability has been
|
|
detected. This new problem affects the use of *gpg* for
|
|
verification of signatures which are _not_ detached
|
|
signatures. The problem also affects verification of
|
|
signatures embedded in encrypted messages; i.e. standard use
|
|
of gpg for mails.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0049</cvename>
|
|
<mlist msgid="87d5gvh2kr.fsf@wheatstone.g10code.de">http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-03-09</discovery>
|
|
<entry>2006-03-10</entry>
|
|
<modified>2006-03-11</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="104beb63-af4d-11da-8414-0013d4a4a40e">
|
|
<topic>mplayer -- heap overflow in the ASF demuxer</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mplayer</name>
|
|
<name>mplayer-gtk</name>
|
|
<name>mplayer-esound</name>
|
|
<name>mplayer-gtk-esound</name>
|
|
<range><lt>0.99.7_11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mplayer team reports:</p>
|
|
<blockquote cite="http://www.mplayerhq.hu/design7/news.html#vuln13">
|
|
<p>A potential buffer overflow was found in the ASF demuxer.
|
|
Arbitrary remote code execution is possible (under the user ID
|
|
running the player) when streaming an ASF file from a malicious
|
|
server or local code execution (under the user ID running the
|
|
player) if a malicious ASF file is played locally.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0579</cvename>
|
|
<url>http://www.mplayerhq.hu/design7/news.html#vuln13</url>
|
|
<url>http://secunia.com/advisories/18718</url>
|
|
<url>http://bugs.gentoo.org/show_bug.cgi?id=122029</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-15</discovery>
|
|
<entry>2006-03-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="594ad3c5-a39b-11da-926c-0800209adf0e">
|
|
<topic>SSH.COM SFTP server -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ssh2</name>
|
|
<name>ssh2-nox11</name>
|
|
<range><lt>3.2.9.1_5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>SSH Communications Security Corp reports a format string
|
|
vulnerability in their SFTP server. This vulnerability could
|
|
cause a user with SCP/SFTP access only to get permission to
|
|
execute also other commands. It could also allow user A to
|
|
create a special file that when accessed by user B allows
|
|
user A to execute commands as user B.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0705</cvename>
|
|
<bid>16640</bid>
|
|
<url>http://www.ssh.com/company/newsroom/article/715/</url>
|
|
<url>http://www.frsirt.com/english/advisories/2006/0554</url>
|
|
<url>http://securitytracker.com/id?1015619</url>
|
|
<url>http://secunia.com/advisories/18828</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/24651</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-13</discovery>
|
|
<entry>2006-03-04</entry>
|
|
<modified>2006-03-06</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6107efb9-aae3-11da-aea1-000854d03344">
|
|
<topic>gtar -- invalid headers buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gtar</name>
|
|
<range><lt>1.15.1_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>GNU tar is vulnerable to a buffer overflow, caused by
|
|
improper bounds checking of the PAX extended headers. By
|
|
tricking an user into processing a specially crafted tar
|
|
archive, this could be exploited to execute arbitrary
|
|
code with the privileges of the user.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>16764</bid>
|
|
<cvename>CVE-2006-0300</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-22</discovery>
|
|
<entry>2006-03-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="46f7b598-a781-11da-906a-fde5cdde365e">
|
|
<topic>bugzilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bugzilla</name>
|
|
<name>ja-bugzilla</name>
|
|
<range><ge>2.17.1</ge><lt>2.20.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Some vulnerabilities have been reported in Bugzilla,
|
|
which can be exploited by malicious users to conduct SQL injection
|
|
attacks, and by malicious people to disclose sensitive information
|
|
and conduct script insertion attacks.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-2420</cvename>
|
|
<cvename>CVE-2006-0916</cvename>
|
|
<cvename>CVE-2006-0915</cvename>
|
|
<cvename>CVE-2006-0914</cvename>
|
|
<cvename>CVE-2006-0913</cvename>
|
|
<url>http://www.bugzilla.org/security/2.18.4/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-20</discovery>
|
|
<entry>2006-02-27</entry>
|
|
<modified>2006-11-11</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="af9018b6-a4f5-11da-bb41-0011433a9404">
|
|
<topic>squirrelmail -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squirrelmail</name>
|
|
<range><lt>1.4.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Multiple vulnerabilities has been discovered since 1.4.5,
|
|
including IMAP injection as well as some XSS issues.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0377</cvename>
|
|
<cvename>CVE-2006-0195</cvename>
|
|
<cvename>CVE-2006-0188</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-23</discovery>
|
|
<entry>2006-02-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e319da0b-a228-11da-b410-000e0c2e438a">
|
|
<topic>gedit -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gedit</name>
|
|
<range><lt>2.10.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Yan Feng reports a format string vulnerability in gedit.
|
|
This vulnerability could cause a denial of service with a
|
|
binary file that contains format string characters within
|
|
the filename. It had been reported that web browsers
|
|
and email clients can be configured to provide a filename as
|
|
an argument to gedit.:</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CAN-2005-1686</cvename>
|
|
<mlist msgid="20050520202628.12260.qmail@www.securityfocus.com">:http://marc.theaimsgroup.com/?l=bugtraq&m=111661117701398</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-20</discovery>
|
|
<entry>2006-02-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="07ead557-a220-11da-b410-000e0c2e438a">
|
|
<topic>WebCalendar -- unauthorized access vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>WebCalendar</name>
|
|
<range><lt>1.0.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>SecurityFocus reports that WebCalendar is affected by
|
|
an unauthorized access vulnerability. The vulnerability
|
|
is caused by improper checking of the authentication
|
|
mechanism before access is being permitted to the
|
|
"assistant_edit.php" file.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14072</bid>
|
|
<cvename>CAN-2005-2320</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-27</discovery>
|
|
<entry>2006-02-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9cd52bc6-a213-11da-b410-000e0c2e438a">
|
|
<topic>abiword, koffice -- stack based buffer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>koffice</name>
|
|
<range><gt>1.2.0</gt><lt>1.4.1_1,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>abiword</name>
|
|
<range><lt>2.2.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Chris Evans reports that AbiWord is vulnerable to multiple
|
|
stack-based buffer overflow vulnerabilities. This
|
|
is caused by improper checking of the user-supplied data
|
|
before it is being copied to an too small buffer. The
|
|
vulnerability is triggered when someone is importing RTF
|
|
files.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15096</bid>
|
|
<cvename>CAN-2005-2972</cvename>
|
|
<url>http://scary.beasts.org/security/CESA-2005-006.txt</url>
|
|
<url>http://www.abisource.com/changelogs/2.2.11.phtml</url>
|
|
<url>http://www.kde.org/info/security/advisory-20051011-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-14</discovery>
|
|
<entry>2006-02-20</entry>
|
|
<modified>2006-02-20</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0b2b4b4d-a07c-11da-be0a-000c6ec775d9">
|
|
<topic>postgresql81-server -- SET ROLE privilege escalation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>postgresql-server</name>
|
|
<range><ge>8.1.0</ge><lt>8.1.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The PostgreSQL team reports:</p>
|
|
<blockquote cite="http://www.postgresql.org/docs/8.1/static/release.html#RELEASE-8-1-3">
|
|
<p>Due to inadequate validity checking, a user could exploit
|
|
the special case that SET ROLE normally uses to restore
|
|
the previous role setting after an error. This allowed
|
|
ordinary users to acquire superuser status, for
|
|
example.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0553</cvename>
|
|
<url>http://www.postgresql.org/docs/8.1/static/release.html#RELEASE-8-1-3</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-14</discovery>
|
|
<entry>2006-02-18</entry>
|
|
<modified>2006-08-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="63fe4189-9f97-11da-ac32-0001020eed82">
|
|
<topic>gnupg -- false positive signature verification</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnupg</name>
|
|
<range><lt>1.4.2.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Werner Koch reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=gnupg-devel&m=113999098729114">
|
|
<p>The Gentoo project identified a security related bug in
|
|
GnuPG. When using any current version of GnuPG for
|
|
unattended signature verification (e.g. by scripts and
|
|
mail programs), false positive signature verification of
|
|
detached signatures may occur.</p>
|
|
<p>This problem affects the tool *gpgv*, as well as using
|
|
"gpg --verify" to imitate gpgv, if only the exit code of
|
|
the process is used to decide whether a detached signature
|
|
is valid. This is a plausible mode of operation for
|
|
gpgv.</p>
|
|
<p>If, as suggested, the --status-fd generated output is
|
|
used to decide whether a signature is valid, no problem
|
|
exists. In particular applications making use of the
|
|
GPGME library[2] are not affected.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0455</cvename>
|
|
<mlist msgid="87u0b1xdru.fsf@wheatstone.g10code.de">http://marc.theaimsgroup.com/?l=gnupg-devel&m=113999098729114</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-15</discovery>
|
|
<entry>2006-02-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e34d0c2e-9efb-11da-b410-000e0c2e438a">
|
|
<topic>rssh -- privilege escalation vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rssh</name>
|
|
<range><lt>2.3.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Pizzashack reports:</p>
|
|
<blockquote cite="http://www.pizzashack.org/rssh/security.shtml">
|
|
<p>Max Vozeler has reported a problem whereby rssh can
|
|
allow users who have shell access to systems where rssh
|
|
is installed (and rssh_chroot_helper is installed SUID)
|
|
to gain root access to the system, due to the ability to
|
|
chroot to arbitrary locations. There are a lot of
|
|
potentially mitigating factors, but to be safe you should
|
|
upgrade immediately.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>16050</bid>
|
|
<cvename>CVE-2005-3345</cvename>
|
|
<url>http://www.pizzashack.org/rssh/security.shtml</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-18</discovery>
|
|
<entry>2006-02-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d38e1810-9ef7-11da-b410-000e0c2e438a">
|
|
<topic>tor -- malicious tor server can locate a hidden service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tor</name>
|
|
<range><lt>0.1.0.12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Roger Dingledine reports:</p>
|
|
<blockquote cite="http://archives.seul.org/or/announce/Jan-2006/msg00001.html">
|
|
<p>If you offer a Tor hidden service, an adversary who can
|
|
run a fast Tor server and who knows some basic statistics
|
|
can find the location of your hidden service in a matter of
|
|
minutes to hours.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0414</cvename>
|
|
<url>http://archives.seul.org/or/announce/Jan-2006/msg00001.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-01-12</discovery>
|
|
<entry>2006-02-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1b725079-9ef6-11da-b410-000e0c2e438a">
|
|
<topic>sudo -- arbitrary command execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sudo</name>
|
|
<range><lt>1.6.8.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Tavis Ormandy reports:</p>
|
|
<blockquote cite="http://www.courtesan.com/sudo/alerts/bash_env.html">
|
|
<p>The bash shell uses the value of the PS4 environment
|
|
variable (after expansion) as a prefix for commands run
|
|
in execution trace mode. Execution trace mode (xtrace) is
|
|
normally set via bash's -x command line option or
|
|
interactively by running "set -o xtrace". However, it may
|
|
also be enabled by placing the string "xtrace" in the
|
|
SHELLOPTS environment variable before bash is started.</p>
|
|
<p>A malicious user with sudo access to a shell script that
|
|
uses bash can use this feature to run arbitrary commands
|
|
for each line of the script.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15191</bid>
|
|
<cvename>CVE-2005-2959</cvename>
|
|
<url>http://www.courtesan.com/sudo/alerts/bash_env.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-25</discovery>
|
|
<entry>2006-02-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a78299e7-9ef3-11da-b410-000e0c2e438a">
|
|
<topic>libtomcrypt -- weak signature scheme with ECC keys</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libtomcrypt</name>
|
|
<range><le>1.02</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Secure Science Corporation reports that libtomcrypt is
|
|
vulnerable to a weak signature scheme. This allows an
|
|
attacker to create a valid random signature and use that to
|
|
sign arbitrary messages without requiring the private key.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="4276CC31.9000307@securescience.net">http://marc.theaimsgroup.com/?l=bugtraq&m=111540819703204</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-01</discovery>
|
|
<entry>2006-02-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="592815da-9eed-11da-b410-000e0c2e438a">
|
|
<topic>mantis -- "view_filters_page.php" cross site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mantis</name>
|
|
<range><lt>1.0.0a4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>r0t reports:</p>
|
|
<blockquote cite="http://pridels.blogspot.com/2005/12/mantis-bugtracking-system-xss-vuln.html">
|
|
<p>Mantis contains a flaw that allows a remote cross site
|
|
scripting attack. This flaw exists because input passed to
|
|
"target_field" parameter in "view_filters_page.php" is not
|
|
properly sanitised before being returned to the user. This
|
|
could allow a user to create a specially crafted URL that
|
|
would execute arbitrary code in a user's browser within the
|
|
trust relationship between the browser and the server,
|
|
leading to a loss of integrity.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CAN-2005-4238</cvename>
|
|
<url>http://pridels.blogspot.com/2005/12/mantis-bugtracking-system-xss-vuln.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-13</discovery>
|
|
<entry>2006-02-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="28c9243a-72ed-11da-8c1d-000e0c2e438a">
|
|
<topic>phpbb -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpbb</name>
|
|
<name>zh-phpbb-tw</name>
|
|
<range><lt>2.0.18</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Multiple vulnerabilities have been reported within phpbb.
|
|
phpbb is proven vulnerable to:</p>
|
|
<ul>
|
|
<li>script insertion,</li>
|
|
<li>bypassing of protetion mechanisms,</li>
|
|
<li>multiple cross site scripting vulnerabilities,</li>
|
|
<li>SQL injection,</li>
|
|
<li>arbitrary code execution</li>
|
|
</ul>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15170</bid>
|
|
<bid>15243</bid>
|
|
<cvename>CVE-2005-3310</cvename>
|
|
<cvename>CVE-2005-3415</cvename>
|
|
<cvename>CVE-2005-3416</cvename>
|
|
<cvename>CVE-2005-3417</cvename>
|
|
<cvename>CVE-2005-3418</cvename>
|
|
<cvename>CVE-2005-3419</cvename>
|
|
<cvename>CVE-2005-3420</cvename>
|
|
<cvename>CVE-2005-3536</cvename>
|
|
<cvename>CVE-2005-3537</cvename>
|
|
<mlist msgid="20051022132217.10390.qmail@securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=113017003617987</mlist>
|
|
<url>http://www.hardened-php.net/advisory_172005.75.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-24</discovery>
|
|
<entry>2006-02-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="486aff57-9ecd-11da-b410-000e0c2e438a">
|
|
<topic>postgresql -- character conversion and tsearch2 vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>postgresql</name>
|
|
<range><ge>7.2.0</ge><lt>7.2.8</lt></range>
|
|
<range><ge>7.3.0</ge><lt>7.3.10</lt></range>
|
|
<range><ge>7.4.0</ge><lt>7.4.8</lt></range>
|
|
<range><ge>8.0.0</ge><lt>8.0.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The postgresql development team reports:</p>
|
|
<blockquote cite="http://www.postgresql.org/about/news.315">
|
|
<p>The more severe of the two errors is that the functions
|
|
that support client-to-server character set conversion
|
|
can be called from SQL commands by unprivileged users,
|
|
but these functions are not designed to be safe against
|
|
malicious choices of argument values. This problem exists
|
|
in PostgreSQL 7.3.* through 8.0.*. The recommended fix is
|
|
to disable public EXECUTE access for these functions. This
|
|
does not affect normal usage of the functions for character
|
|
set conversion, but it will prevent misuse.</p>
|
|
<p>The other error is that the contrib/tsearch2 module
|
|
misdeclares several functions as returning type "internal"
|
|
when they do not have any "internal" argument. This breaks
|
|
the type safety of "internal" by allowing users to
|
|
construct SQL commands that invoke other functions accepting
|
|
"internal" arguments. The consequences of this have not been
|
|
investigated in detail, but it is certainly at least possible
|
|
to crash the backend.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CAN-2005-1409</cvename>
|
|
<cvename>CAN-2005-1410</cvename>
|
|
<url>http://www.postgresql.org/about/news.315</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-02</discovery>
|
|
<entry>2006-02-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f6447303-9ec9-11da-b410-000e0c2e438a">
|
|
<topic>heartbeat -- insecure temporary file creation vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>heartbeat</name>
|
|
<range><lt>1.2.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Eric Romang reports a temporary file creation vulnerability
|
|
within heartbeat. The vulnerability is caused by hardcoded
|
|
temporary file usage. This can cause an attacker to create
|
|
an arbitrary symlink causing the application to overwrite the
|
|
symlinked file with the permissions of the user executing the
|
|
application.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CAN-2005-2231</cvename>
|
|
<url>http://www.zataz.net/adviso/heartbeat-06272005.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-12</discovery>
|
|
<entry>2006-02-16</entry>
|
|
<modified>2006-04-16</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="432bf98d-9e25-11da-b410-000e0c2e438a">
|
|
<topic>kpdf -- heap based buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kdegraphics</name>
|
|
<range><lt>3.5.1_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The KDE team reports:</p>
|
|
<blockquote cite="http://www.kde.org/info/security/advisory-20060202-1.txt">
|
|
<p>kpdf, the KDE pdf viewer, shares code with xpdf. xpdf
|
|
contains a heap based buffer overflow in the splash
|
|
rasterizer engine that can crash kpdf or even execute
|
|
arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0301</cvename>
|
|
<url>http://www.kde.org/info/security/advisory-20060202-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-02</discovery>
|
|
<entry>2006-02-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="bb33981a-7ac6-11da-bf72-00123f589060">
|
|
<topic>perl, webmin, usermin -- perl format string integer wrap vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>perl</name>
|
|
<range><ge>5.6.0</ge><lt>5.6.2</lt></range>
|
|
<range><ge>5.8.0</ge><lt>5.8.7_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>webmin</name>
|
|
<range><lt>1.250</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>usermin</name>
|
|
<range><lt>1.180</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Perl Development page reports:</p>
|
|
<blockquote cite="http://dev.perl.org/perl5/news/2005/perl_patches_fix_sprintf_buffer.html">
|
|
<p>Dyad Security recently released a security advisory
|
|
explaining how in certain cases, a carefully crafted format string
|
|
passed to sprintf can cause a buffer overflow. This buffer overflow
|
|
can then be used by an attacker to execute code on the machine.
|
|
This was discovered in the context of a design problem with the Webmin
|
|
administration package that allowed a malicious user to pass
|
|
unchecked data into sprintf.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15629</bid>
|
|
<cvename>CVE-2005-3912</cvename>
|
|
<cvename>CVE-2005-3962</cvename>
|
|
<url>http://dev.perl.org/perl5/news/2005/perl_patches_fix_sprintf_buffer.html</url>
|
|
<url>http://www.dyadsecurity.com/perl-0002.html</url>
|
|
<url>http://www.dyadsecurity.com/webmin-0001.html</url>
|
|
<url>http://www.webmin.com/security.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-09-23</discovery>
|
|
<entry>2006-02-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="12f9d9e9-9e1e-11da-b410-000e0c2e438a">
|
|
<topic>phpicalendar -- cross site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpicalendar</name>
|
|
<range><lt>2.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Francesco Ongaro reports that phpicalendar is vulnerable for
|
|
a cross site scripting attack. The vulnerability is caused by
|
|
improper validation of the index.php file allowing attackers
|
|
to include an arbitrary file with the .php extension</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15193</bid>
|
|
<cvename>CVE-2005-3366</cvename>
|
|
<url>http://www.ush.it/2005/10/25/php-icalendar-css/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-25</discovery>
|
|
<entry>2006-02-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f1f163ce-9e09-11da-b410-000e0c2e438a">
|
|
<topic>phpicalendar -- file disclosure vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpicalendar</name>
|
|
<range><lt>2.21</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The phpicalendar team reports that there is an
|
|
unspecified vulnerability within phpicalendar. This
|
|
seems to be a file disclosure vulnerability caused by
|
|
improper checking of the template parsing function.
|
|
This would allow an attacker to disclose any file
|
|
readable by the user under which the webserver runs.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://phpicalendar.net/forums/viewtopic.php?t=396</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-08</discovery>
|
|
<entry>2006-02-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="dfb71c00-9d44-11da-8c1d-000e0c2e438a">
|
|
<topic>FreeBSD -- Infinite loop in SACK handling</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><gt>5.4</gt><lt>5.4_11</lt></range>
|
|
<range><gt>5.3</gt><lt>5.3_26</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem description:</p>
|
|
<p>When insufficient memory is available to handle an
|
|
incoming selective acknowledgement, the TCP/IP stack may
|
|
enter an infinite loop.</p>
|
|
<p>Impact:</p>
|
|
<p>By opening a TCP connection and sending a carefully crafted
|
|
series of packets, an attacker may be able to cause a denial
|
|
of service.</p>
|
|
<p>Workaround:</p>
|
|
<p>On FreeBSD 5.4, the net.inet.tcp.sack.enable sysctl can be used to
|
|
disable the use of SACK:</p>
|
|
<p># sysctl net.inet.tcp.sack.enable=0</p>
|
|
<p>No workaround is available for FreeBSD 5.3.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0433</cvename>
|
|
<freebsdsa>SA-06:08.sack</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-02-01</discovery>
|
|
<entry>2006-02-14</entry>
|
|
<modified>2006-06-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="52ba7713-9d42-11da-8c1d-000e0c2e438a">
|
|
<topic>pf -- IP fragment handling panic</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><gt>6.0</gt><lt>6.0_4</lt></range>
|
|
<range><gt>5.4</gt><lt>5.4_10</lt></range>
|
|
<range><gt>5.3</gt><lt>5.3_25</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem description:</p>
|
|
<p>A logic bug in pf's IP fragment cache may result in a packet
|
|
fragment being inserted twice, violating a kernel
|
|
invariant.</p>
|
|
<p>Impact:</p>
|
|
<p>By sending carefully crafted sequence of IP packet fragments,
|
|
a remote attacker can cause a system running pf with a ruleset
|
|
containing a 'scrub fragment crop' or 'scrub fragment
|
|
drop-ovl' rule to crash.</p>
|
|
<p>Workaround:</p>
|
|
<p>Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl'
|
|
rules on systems running pf. In most cases, such rules can be
|
|
replaced by 'scrub fragment reassemble' rules; see the
|
|
pf.conf(5) manual page for more details.</p>
|
|
|
|
<p>Systems which do not use pf, or use pf but do not use the aforementioned
|
|
rules, are not affected by this issue.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0381</cvename>
|
|
<freebsdsa>SA-06:07.pf</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-01-25</discovery>
|
|
<entry>2006-02-14</entry>
|
|
<modified>2006-06-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7a4f2aca-9d40-11da-8c1d-000e0c2e438a">
|
|
<topic>FreeBSD -- Local kernel memory disclosure</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><gt>6.0</gt><lt>6.0_4</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem description:</p>
|
|
<p>A buffer allocated from the kernel stack may not be completely
|
|
initialized before being copied to userland. [CVE-2006-0379]</p>
|
|
<p>A logic error in computing a buffer length may allow too much
|
|
data to be copied into userland. [CVE-2006-0380]</p>
|
|
<p>Impact:</p>
|
|
<p>Portions of kernel memory may be disclosed to local users.
|
|
Such memory might contain sensitive information, such as
|
|
portions of the file cache or terminal buffers. This
|
|
information might be directly useful, or it might be
|
|
leveraged to obtain elevated privileges in some way. For
|
|
example, a terminal buffer might include a user-entered
|
|
password.</p>
|
|
<p>Workaround:</p>
|
|
<p>No workaround is available.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0379</cvename>
|
|
<cvename>CVE-2006-0380</cvename>
|
|
<freebsdsa>SA-06:06.kmem</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-01-25</discovery>
|
|
<entry>2006-02-14</entry>
|
|
<modified>2006-06-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="dade3316-9d31-11da-8c1d-000e0c2e438a">
|
|
<topic>IEEE 802.11 -- buffer overflow</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><gt>6.0</gt><lt>6.0_3</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem description:</p>
|
|
<p>An integer overflow in the handling of corrupt IEEE 802.11
|
|
beacon or probe response frames when scanning for existing
|
|
wireless networks can result in the frame overflowing a
|
|
buffer.</p>
|
|
<p>Impact:</p>
|
|
<p>An attacker able broadcast a carefully crafted beacon or
|
|
probe response frame may be able to execute arbitrary code
|
|
within the context of the FreeBSD kernel on any system
|
|
scanning for wireless networks.</p>
|
|
<p>Workaround:</p>
|
|
<p>No workaround is available, but systems without IEEE 802.11
|
|
hardware or drivers loaded are not vulnerable.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0226</cvename>
|
|
<freebsdsa>SA-06:05.80211</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-01-18</discovery>
|
|
<entry>2006-02-14</entry>
|
|
<modified>2006-06-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d7c1d00d-9d2e-11da-8c1d-000e0c2e438a">
|
|
<topic>ipfw -- IP fragment denial of service</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><gt>6.0</gt><lt>6.0_2</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem description:</p>
|
|
<p>The firewall maintains a pointer to layer 4 header
|
|
information in the event that it needs to send a TCP reset
|
|
or ICMP error message to discard packets. Due to incorrect
|
|
handling of IP fragments, this pointer fails to get
|
|
initialized.</p>
|
|
<p>Impact:</p>
|
|
<p>An attacker can cause the firewall to crash by sending ICMP
|
|
IP fragments to or through firewalls which match any reset,
|
|
reject or unreach actions.</p>
|
|
<p>Workaround:</p>
|
|
<p>Change any reset, reject or unreach actions to deny. It
|
|
should be noted that this will result in packets being
|
|
silently discarded.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0054</cvename>
|
|
<freebsdsa>SA-06:04.ipfw</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-01-11</discovery>
|
|
<entry>2006-02-14</entry>
|
|
<modified>2006-06-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1613db79-8e52-11da-8426-000fea0a9611">
|
|
<topic>kpopup -- local root exploit and local denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kpopup</name>
|
|
<range><ge>0.9.1</ge><le>0.9.5</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Mitre CVE reports:</p>
|
|
<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1170">
|
|
<p>Format string vulnerability in main.cpp in kpopup
|
|
0.9.1-0.9.5pre2 allows local users to cause a denial of
|
|
service (segmentation fault) and possibly execute
|
|
arbitrary code via format string specifiers in command
|
|
line arguments.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1167">
|
|
<p>misc.cpp in KPopup 0.9.1 trusts the PATH variable when
|
|
executing killall, which allows local users to elevate
|
|
their privileges by modifying the PATH variable to
|
|
reference a malicious killall program.</p>
|
|
</blockquote>
|
|
<p>SecurityFocus credits "b0f" b0fnet@yahoo.com</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-1170</cvename>
|
|
<bid>8918</bid>
|
|
<cvename>CVE-2003-1167</cvename>
|
|
<bid>8915</bid>
|
|
<url>http://www.securityfocus.com/archive/1/342736</url>
|
|
<url>http://www.henschelsoft.de/kpopup_en.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-10-28</discovery>
|
|
<entry>2006-02-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6b0215ae-8f26-11da-8c1d-000e0c2e438a">
|
|
<topic>cpio -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>6.0</ge><lt>6.0_2</lt></range>
|
|
<range><ge>5.4</ge><lt>5.4_9</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_24</lt></range>
|
|
<range><ge>4.11</ge><lt>4.11_14</lt></range>
|
|
<range><ge>4.10</ge><lt>4.10_20</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem description:</p>
|
|
<p>A number of issues has been discovered in cpio:</p>
|
|
<p>When creating a new file, cpio closes the file before setting
|
|
its permissions. (CVE-2005-1111)</p>
|
|
<p>When extracting files cpio does not properly sanitize file
|
|
names to filter out ".." components, even if the
|
|
--no-absolute-filenames option is used. (CVE-2005-1229)</p>
|
|
<p>When adding large files (larger than 4 GB) to a cpio archive
|
|
on 64-bit platforms an internal buffer might overflow.
|
|
(CVE-2005-4268)</p>
|
|
<p>Impact</p>
|
|
<p>The first problem can allow a local attacker to change the
|
|
permissions of files owned by the user executing cpio providing
|
|
that they have write access to the directory in which the file
|
|
is being extracted. (CVE-2005-1111)</p>
|
|
<p>The lack of proper file name sanitation can allow an attacker
|
|
to overwrite arbitrary local files when extracting files from
|
|
a cpio archive. (CVE-2005-1229)</p>
|
|
<p>The buffer-overflow on 64-bit platforms could lead cpio to a
|
|
Denial-of-Service situation (crash) or possibly execute
|
|
arbitrary code with the permissions of the user running
|
|
cpio. (CVE-2005-4268)</p>
|
|
<p>Workaround</p>
|
|
<p>Use a different utility to create and extract cpio archives,
|
|
for example pax(1) or (on FreeBSD 5.3 or later) tar(1). If
|
|
this is not possible, do not extract untrusted archives and
|
|
when running on 64-bit platforms do not add untrusted files
|
|
to cpio archives.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1111</cvename>
|
|
<cvename>CVE-2005-1229</cvename>
|
|
<cvename>CVE-2005-4268</cvename>
|
|
<freebsdsa>SA-06:03.cpio</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-01-11</discovery>
|
|
<entry>2006-01-27</entry>
|
|
<modified>2006-01-11</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="726dd9bd-8f25-11da-8c1d-000e0c2e438a">
|
|
<topic>ee -- temporary file privilege escalation</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>6.0</ge><lt>6.0_2</lt></range>
|
|
<range><ge>5.4</ge><lt>5.4_9</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_24</lt></range>
|
|
<range><ge>4.11</ge><lt>4.11_14</lt></range>
|
|
<range><ge>4.10</ge><lt>4.10_20</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem description</p>
|
|
<p>The ispell_op function used by ee(1) while executing spell
|
|
check operations employs an insecure method of temporary file
|
|
generation. This method produces predictable file names based
|
|
on the process ID and fails to confirm which path will be over
|
|
written with the user.<br/>
|
|
It should be noted that ispell does not have to be installed
|
|
in order for this to be exploited. The option simply needs to
|
|
be selected.</p>
|
|
<p>Impact</p>
|
|
<p>These predictable temporary file names are problematic
|
|
because they allow an attacker to take advantage of a race
|
|
condition in order to execute a symlink attack, which could
|
|
allow them to overwrite files on the system in the context of
|
|
the user running the ee(1) editor.</p>
|
|
<p>Workaround</p>
|
|
<p>Instead of invoking ispell through ee(1), invoke it directly.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>16207</bid>
|
|
<cvename>CVE-2006-0055</cvename>
|
|
<freebsdsa>SA-06:02.ee</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-01-11</discovery>
|
|
<entry>2006-01-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c01a25f5-8f20-11da-8c1d-000e0c2e438a">
|
|
<topic>texindex -- temporary file privilege escalation</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>6.0</ge><lt>6.0_2</lt></range>
|
|
<range><ge>5.4</ge><lt>5.4_9</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_24</lt></range>
|
|
<range><ge>4.11</ge><lt>4.11_14</lt></range>
|
|
<range><ge>4.10</ge><lt>4.10_20</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem description</p>
|
|
<p>The "sort_offline" function used by texindex(1) employs the
|
|
"maketempname" function, which produces predictable file names
|
|
and fails to validate that the paths do not exist.</p>
|
|
<p>Impact</p>
|
|
<p>These predictable temporary file names are problematic because
|
|
they allow an attacker to take advantage of a race condition in
|
|
order to execute a symlink attack, which could enable them to
|
|
overwrite files on the system in the context of the user running
|
|
the texindex(1) utility.</p>
|
|
<p>Workaround</p>
|
|
<p>No workaround is available, but the problematic code is only
|
|
executed if the input file being processed is 500kB or more in
|
|
length; as a result, users working with documents of less than
|
|
several hundred pages are very unlikely to be affected.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14854</bid>
|
|
<cvename>CAN-2005-3011</cvename>
|
|
<freebsdsa>SA-06:01.texindex</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-01-11</discovery>
|
|
<entry>2006-01-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c5c17ead-8f23-11da-8c1d-000e0c2e438a">
|
|
<topic>cvsbug -- race condition</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.4</ge><lt>5.4_7</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_22</lt></range>
|
|
<range><ge>4.11</ge><lt>4.11_12</lt></range>
|
|
<range><ge>4.10</ge><lt>4.10_18</lt></range>
|
|
</system>
|
|
<package>
|
|
<name>cvs+ipv6</name>
|
|
<range><lt>1.11.17_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem description</p>
|
|
<p>A temporary file is created, used, deleted, and then
|
|
re-created with the same name. This creates a window during
|
|
which an attacker could replace the file with a link to
|
|
another file. While cvsbug(1) is based on the send-pr(1)
|
|
utility, this problem does not exist in the version of
|
|
send-pr(1) distributed with FreeBSD.<br/>
|
|
In FreeBSD 4.10 and 5.3, some additional problems exist
|
|
concerning temporary file usage in both cvsbug(1) and
|
|
send-pr(1).</p>
|
|
<p>Impact</p>
|
|
<p>A local attacker could cause data to be written to any file
|
|
to which the user running cvsbug(1) (or send-pr(1) in FreeBSD
|
|
4.10 and 5.3) has write access. This may cause damage in
|
|
itself (e.g., by destroying important system files or
|
|
documents) or may be used to obtain elevated privileges.</p>
|
|
<p>Workaround</p>
|
|
<p>Do not use the cvsbug(1) utility on any system with untrusted
|
|
users.<br/>
|
|
Do not use the send-pr(1) utility on a FreeBSD 4.10 or 5.3
|
|
system with untrusted users.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CAN-2005-2693</cvename>
|
|
<freebsdsa>SA-05:20.cvsbug</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-09-07</discovery>
|
|
<entry>2006-01-27</entry>
|
|
<modified>2006-11-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="57a0242d-8c4e-11da-8ddf-000ae42e9b93">
|
|
<topic>sge -- local root exploit in bundled rsh executable</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sge</name>
|
|
<name>sgeee</name>
|
|
<range><lt>5.3.6.20040330_1</lt></range>
|
|
<range><gt>6.*</gt><lt>6.0.7.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Sun Microsystems reports:</p>
|
|
<blockquote cite="http://gridengine.sunsource.net/project/gridengine/news/SGE60u7_1-announce.html">
|
|
<p>The SGE 6.0u7_1 release fixes a security bug which can
|
|
allow malicious users to gain root access.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://gridengine.sunsource.net/project/gridengine/news/SGE60u7_1-announce.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-23</discovery>
|
|
<entry>2006-01-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f11d3b22-88c6-11da-a7b2-0060084a00e5">
|
|
<topic>fetchmail -- crash when bouncing a message</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fetchmail</name>
|
|
<range><ge>6.3.0</ge><lt>6.3.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Matthias Andree reports:</p>
|
|
<blockquote cite="http://fetchmail.berlios.de/fetchmail-SA-2006-01.txt">
|
|
<p>Fetchmail contains a bug that causes itself to crash when
|
|
bouncing a message to the originator or to the local
|
|
postmaster. The crash happens after the bounce message has
|
|
been sent, when fetchmail tries to free the dynamic array
|
|
of failed addresses, and calls the free() function with an
|
|
invalid pointer.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2006-0321</cvename>
|
|
<url>http://fetchmail.berlios.de/fetchmail-SA-2006-01.txt</url>
|
|
<url>http://bugs.debian.org/348747</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-01-22</discovery>
|
|
<entry>2006-01-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="612a34ec-81dc-11da-a043-0002a5c3d308">
|
|
<topic>clamav -- possible heap overflow in the UPX code</topic>
|
|
<affects>
|
|
<package>
|
|
<name>clamav</name>
|
|
<range><lt>0.88</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>clamav-devel</name>
|
|
<range><lt>20060110</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Zero Day Initiative reports:</p>
|
|
<blockquote cite="http://www.zerodayinitiative.com/advisories/ZDI-06-001.html">
|
|
<p>This vulnerability allows remote attackers to execute
|
|
arbitrary code on vulnerable Clam AntiVirus
|
|
installations. Authentication is not required to exploit
|
|
this vulnerability.</p>
|
|
<p>This specific flaw exists within libclamav/upx.c during
|
|
the unpacking of executable files compressed with UPX. Due
|
|
to an invalid size calculation during a data copy from the
|
|
user-controlled file to heap allocated memory, an
|
|
exploitable memory corruption condition is created.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>16191</bid>
|
|
<cvename>CVE-2006-0162</cvename>
|
|
<mlist>http://lurker.clamav.net/message/20060109.213247.a16ae8db.en.html</mlist>
|
|
<url>http://www.zerodayinitiative.com/advisories/ZDI-06-001.html</url>
|
|
<url>http://secunia.com/advisories/18379/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-01-09</discovery>
|
|
<entry>2006-01-10</entry>
|
|
<modified>2006-01-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6d9a28f8-8152-11da-817c-0001020eed82">
|
|
<topic>milter-bogom -- headerless message crash</topic>
|
|
<affects>
|
|
<package>
|
|
<name>milter-bogom</name>
|
|
<range><lt>1.8.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Juan J. Marítnez reports:</p>
|
|
<blockquote cite="http://www.usebox.net/jjm/bogom/errata/bogom-errata-2006-1.txt">
|
|
<p>The milter crashes while processing a headerless
|
|
message</p>
|
|
<p>Impact: bogom crashes and sendmail moves it to error
|
|
state</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.usebox.net/jjm/bogom/errata/bogom-errata-2006-1.txt</url>
|
|
<mlist>http://alf.dyndns.ws/pipermail/milter/2006-January/000076.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2006-01-05</discovery>
|
|
<entry>2006-01-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b747b2a9-7be0-11da-8ec4-0002b3b60e4c">
|
|
<topic>bogofilter -- heap corruption through excessively long words</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bogofilter</name>
|
|
<range><ge>0.96.2</ge><lt>0.96.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Matthias Andree reports:</p>
|
|
<blockquote cite="http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-02">
|
|
<p>Bogofilter's/bogolexer's input handling in version 0.96.2 was not
|
|
keeping track of its output buffers properly and could overrun a
|
|
heap buffer if the input contained words whose length exceeded
|
|
16,384 bytes, the size of flex's input buffer. A "word" here refers
|
|
to a contiguous run of input octets that was not '_' and did not
|
|
match at least one of ispunct(), iscntrl() or isspace().</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-4592</cvename>
|
|
<url>http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-02</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-23</discovery>
|
|
<entry>2006-01-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="92140bc9-7bde-11da-8ec4-0002b3b60e4c">
|
|
<topic>bogofilter -- heap corruption through malformed input</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bogofilter</name>
|
|
<range><ge>0.93.5</ge><lt>0.96.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Matthias Andree reports:</p>
|
|
<blockquote cite="http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-01">
|
|
<p>When using Unicode databases (default in more recent bogofilter
|
|
installations), upon encountering invalid input sequences,
|
|
bogofilter or bogolexer could overrun a malloc()'d buffer,
|
|
corrupting the heap, while converting character sets. Bogofilter
|
|
would usually be processing untrusted data received from the
|
|
network at that time.</p>
|
|
|
|
<p>This problem was aggravated by an unrelated bug that made
|
|
bogofilter process binary attachments as though they were text, and
|
|
attempt charset conversion on them. Given the MIME default
|
|
character set, US-ASCII, all input octets in the range 0x80...0xff
|
|
were considered invalid input sequences and could trigger the heap
|
|
corruption.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-4591</cvename>
|
|
<url>http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-01</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-22</discovery>
|
|
<entry>2006-01-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c2fdb3bc-7d72-11da-b96e-000fb586ba73">
|
|
<topic>rxvt-unicode -- restore permissions on tty devices</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rxvt-unicode</name>
|
|
<range><lt>6.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A rxvt-unicode changelog reports:</p>
|
|
<blockquote cite="http://dist.schmorp.de/rxvt-unicode/Changes">
|
|
<p>SECURITY FIX: on systems using openpty, permissions were
|
|
not correctly updated on the tty device and were left as
|
|
world-readable and world-writable (likely in original rxvt,
|
|
too), and were not restored properly. Affected are only
|
|
systems where non-unix ptys were used (such as most BSDs).
|
|
Found, patched and debugged by Ryan Beasley.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://dist.schmorp.de/rxvt-unicode/Changes</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-31</discovery>
|
|
<entry>2006-01-04</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9fff8dc8-7aa7-11da-bf72-00123f589060">
|
|
<topic>apache -- mod_imap cross-site scripting flaw</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><ge>1.3</ge><lt>1.3.34_3</lt></range>
|
|
<range><ge>2.0.35</ge><lt>2.0.55_2</lt></range>
|
|
<range><ge>2.1</ge><lt>2.1.9_3</lt></range>
|
|
<range><ge>2.2</ge><lt>2.2.0_3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+mod_perl</name>
|
|
<range><lt>1.3.34_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache_fp</name>
|
|
<name>apache+ipv6</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-apache</name>
|
|
<range><lt>1.3.34+30.22_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-apache+mod_ssl</name>
|
|
<range><lt>1.3.34+30.22+2.8.25_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+ssl</name>
|
|
<range><ge>1.3.0</ge><lt>1.3.33.1.55_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+mod_ssl</name>
|
|
<name>apache+mod_ssl+ipv6</name>
|
|
<name>apache+mod_ssl+mod_accel</name>
|
|
<name>apache+mod_ssl+mod_accel+ipv6</name>
|
|
<name>apache+mod_ssl+mod_accel+mod_deflate</name>
|
|
<name>apache+mod_ssl+mod_accel+mod_deflate+ipv6</name>
|
|
<name>apache+mod_ssl+mod_deflate</name>
|
|
<name>apache+mod_ssl+mod_deflate+ipv6</name>
|
|
<name>apache+mod_ssl+mod_snmp</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_accel</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_accel+ipv6</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_deflate</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_deflate+ipv6</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6</name>
|
|
<range><lt>1.3.34+2.8.25_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Apache HTTP Server Project reports:</p>
|
|
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_13.html">
|
|
<p>A flaw in mod_imap when using the Referer directive with
|
|
image maps. In certain site configurations a remote
|
|
attacker could perform a cross-site scripting attack if a
|
|
victim can be forced to visit a malicious URL using
|
|
certain web browsers.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-3352</cvename>
|
|
<bid>15834</bid>
|
|
<url>http://www.apacheweek.com/features/security-13</url>
|
|
<url>http://www.apacheweek.com/features/security-20</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-11-01</discovery>
|
|
<entry>2006-01-01</entry>
|
|
<modified>2006-01-03</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="43770b1c-72f6-11da-8c1d-000e0c2e438a">
|
|
<topic>nbd-server -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>nbd-server</name>
|
|
<range><lt>2.8.2_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Kurt Fitzner reports a buffer overflow vulnerability
|
|
within nbd. This could potentially allow the execution
|
|
of arbitrary code on the nbd server.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-3534</cvename>
|
|
<url>http://www.debian.org/security/2005/dsa-924</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-21</discovery>
|
|
<entry>2005-12-22</entry>
|
|
<modified>2005-12-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b5a49db7-72fc-11da-9827-021106004fd6">
|
|
<topic>scponly -- local privilege escalation exploits</topic>
|
|
<affects>
|
|
<package>
|
|
<name>scponly</name>
|
|
<range><lt>4.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Max Vozeler reports:</p>
|
|
<blockquote cite="https://lists.ccs.neu.edu/pipermail/scponly/2005-December/001027.html">
|
|
<p>If ALL the following conditions are true, administrators using
|
|
scponly-4.1 or older may be at risk of a local privilege
|
|
escalation exploit:</p>
|
|
<ul>
|
|
<li>the chrooted setuid scponlyc binary is installed</li>
|
|
<li>regular non-scponly users have interactive shell access
|
|
to the box</li>
|
|
<li>a user executable dynamically linked setuid binary
|
|
(such as ping) exists on the same file system mount
|
|
as the user's home directory</li>
|
|
<li>the operating system supports an LD_PRELOAD style
|
|
mechanism to overload dynamic library loading</li>
|
|
</ul>
|
|
</blockquote>
|
|
<p>Pekka Pessi also reports:</p>
|
|
<blockquote cite="https://lists.ccs.neu.edu/pipermail/scponly/2005-December/001027.html">
|
|
<p>If ANY the following conditions are true, administrators
|
|
using scponly-4.1 or older may be at risk of a local privilege
|
|
escalation exploit:</p>
|
|
<ul>
|
|
<li>scp compatibility is enabled</li>
|
|
<li>rsync compatibility is enabled</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://lists.ccs.neu.edu/pipermail/scponly/2005-December/001027.html</url>
|
|
<url>http://sublimation.org/scponly/#relnotes</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-21</discovery>
|
|
<entry>2005-12-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f7eb0b23-7099-11da-a15c-0060084a00e5">
|
|
<topic>fetchmail -- null pointer dereference in multidrop mode with headerless email</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fetchmail</name>
|
|
<range><lt>6.3.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The fetchmail team reports:</p>
|
|
<blockquote cite="http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt">
|
|
<p>Fetchmail contains a bug that causes an application crash
|
|
when fetchmail is configured for multidrop mode and the
|
|
upstream mail server sends a message without headers. As
|
|
fetchmail does not record this message as "previously fetched",
|
|
it will crash with the same message if it is re-executed, so it
|
|
cannot make progress. A malicious or broken-into upstream server
|
|
could thus cause a denial of service in fetchmail clients.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-4348</cvename>
|
|
<url>http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt</url>
|
|
<url>http://article.gmane.org/gmane.mail.fetchmail.user/7573</url>
|
|
<url>http://bugs.debian.org/343836</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-19</discovery>
|
|
<entry>2005-12-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="82a41084-6ce7-11da-b90c-000e0c2e438a">
|
|
<topic>mantis -- "t_core_path" file inclusion vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mantis</name>
|
|
<range><lt>1.0.0rc3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia Research reports:</p>
|
|
<blockquote cite="http://secunia.com/secunia_research/2005-46/advisory/">
|
|
<p>Input passed to the "t_core_path" parameter in
|
|
"bug_sponsorship_list_view_inc.php" isn't properly verified,
|
|
before it used to include files. This can be exploited to
|
|
include arbitrary files from external and local
|
|
resources.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-3335</cvename>
|
|
<url>http://secunia.com/secunia_research/2005-46/advisory/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-26</discovery>
|
|
<entry>2005-12-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6e3b12e2-6ce3-11da-b90c-000e0c2e438a">
|
|
<topic>mantis -- "view_filters_page.php" cross-site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mantis</name>
|
|
<range><lt>1.0.0rc4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>r0t reports:</p>
|
|
<blockquote cite="http://pridels.blogspot.com/2005/12/mantis-bugtracking-system-xss-vuln.html">
|
|
<p>Mantis contains a flaw that allows a remote cross site
|
|
scripting attack. This flaw exists because input passed to
|
|
"target_field" parameter in "view_filters_page.php" isn't
|
|
properly sanitised before being returned to the user. This
|
|
could allow a user to create a specially crafted URL that
|
|
would execute arbitrary code in a user's browser within the
|
|
trust relationship between the browser and the server,
|
|
leading to a loss of integrity.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15842</bid>
|
|
<url>http://pridels.blogspot.com/2005/12/mantis-bugtracking-system-xss-vuln.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-13</discovery>
|
|
<entry>2005-12-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2506f558-6a8a-11da-b96e-000fb586ba73">
|
|
<topic>mnemo -- Cross site scripting vulnerabilities in several of the notepad name and note data fields</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mnemo</name>
|
|
<range><lt>2.0.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Announce of Mnemo H3 (2.0.3) (final):</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=horde-announce&m=113433279228172&w=2">
|
|
<p>This [2.0.3] is a security release that fixes cross site
|
|
scripting vulnerabilities in several of the notepad name
|
|
and note data fields. None of the vulnerabilities can be
|
|
exploited by unauthenticated users; however, we strongly
|
|
recommend that all users of Mnemo 2.0.2 upgrade to 2.0.3
|
|
as soon as possible.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://marc.theaimsgroup.com/?l=horde-announce&m=113433279228172&w=2</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-11</discovery>
|
|
<entry>2005-12-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ee6b5956-6a89-11da-b96e-000fb586ba73">
|
|
<topic>nag -- Cross site scripting vulnerabilities in several of the tasklist name and task data fields</topic>
|
|
<affects>
|
|
<package>
|
|
<name>nag</name>
|
|
<range><lt>2.0.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Announce of Nag H3 (2.0.4) (final):</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=horde-announce&m=113433205826731&w=2">
|
|
<p>This [2.0.4] is a security release that fixes cross site
|
|
scripting vulnerabilities in several of the tasklist name
|
|
and task data fields. None of the vulnerabilities can be
|
|
exploited by unauthenticated users; however, we strongly
|
|
recommend that all users of Nag 2.0.3 upgrade to 2.0.4 as
|
|
soon as possible.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://marc.theaimsgroup.com/?l=horde-announce&m=113433205826731&w=2</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-11</discovery>
|
|
<entry>2005-12-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="eeebd55d-6a88-11da-b96e-000fb586ba73">
|
|
<topic>turba -- Cross site scripting vulnerabilities in several of the address book name and contact data fields</topic>
|
|
<affects>
|
|
<package>
|
|
<name>turba</name>
|
|
<range><lt>2.0.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Announce of Turba H3 (2.0.5) (final):</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=horde-announce&m=113433120829232&w=2">
|
|
<p>This [2.0.5] is a security release that fixes cross site
|
|
scripting vulnerabilities in several of the address book
|
|
name and contact data fields. None of the vulnerabilities
|
|
can be exploited by unauthenticated users; however, we
|
|
strongly recommend that all users of Turba 2.0.4 upgrade
|
|
to 2.0.5 as soon as possible.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://marc.theaimsgroup.com/?l=horde-announce&m=113433120829232&w=2</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-11</discovery>
|
|
<entry>2005-12-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="36494478-6a88-11da-b96e-000fb586ba73">
|
|
<topic>kronolith -- Cross site scripting vulnerabilities in several of the calendar name and event data fields</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kronolith</name>
|
|
<range><lt>2.0.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Announce of Kronolith H3 (2.0.6) (final):</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=kronolith&m=113433029822279&w=2">
|
|
<p>This [2.0.6] is a security release that fixes cross site
|
|
scripting vulnerabilities in several of the calendar name
|
|
and event data fields. None of the vulnerabilities can be
|
|
exploited by unauthenticated users; however, we strongly
|
|
recommend that all users of Kronolith 2.0.5 upgrade to
|
|
2.0.6 as soon as possible.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://marc.theaimsgroup.com/?l=kronolith&m=113433029822279&w=2</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-11</discovery>
|
|
<entry>2005-12-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="01356ccc-6a87-11da-b96e-000fb586ba73">
|
|
<topic>horde -- Cross site scripting vulnerabilities in several of Horde's templates</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde</name>
|
|
<name>horde-php5</name>
|
|
<range><lt>3.0.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Announce of Horde H3 3.0.8 (final):</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=horde-announce&m=113433346726097&w=2">
|
|
<p>This [3.0.8] is a security release that fixes cross site
|
|
scripting vulnerabilities in several of Horde's templates.
|
|
None of the vulnerabilities can be exploited by
|
|
unauthenticated users; however, we strongly recommend that
|
|
all users of Horde 3.0.7 upgrade to 3.0.8 as soon as
|
|
possible.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://marc.theaimsgroup.com/?l=horde-announce&m=113433346726097&w=2</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-11</discovery>
|
|
<entry>2005-12-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9b4facec-6761-11da-99f6-00123ffe8333">
|
|
<topic>curl -- URL buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>curl</name>
|
|
<range><ge>7.11.2</ge><lt>7.15.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Project cURL Security Advisory reports:</p>
|
|
<blockquote cite="http://curl.haxx.se/docs/adv_20051207.html">
|
|
<p>libcurl's URL parser function can overflow a malloced
|
|
buffer in two ways, if given a too long URL.</p>
|
|
<p>1 - pass in a URL with no protocol (like "http://")
|
|
prefix, using no slash and the string is 256 bytes or
|
|
longer. This leads to a single zero byte overflow of the
|
|
malloced buffer.</p>
|
|
<p>2 - pass in a URL with only a question mark as separator
|
|
(no slash) between the host and the query part of the URL.
|
|
This leads to a single zero byte overflow of the malloced
|
|
buffer.</p>
|
|
<p>Both overflows can be made with the same input string,
|
|
leading to two single zero byte overwrites.</p>
|
|
<p>The affected flaw cannot be triggered by a redirect, but
|
|
the long URL must be passed in "directly" to libcurl. It
|
|
makes this a "local" problem. Of course, lots of programs
|
|
may still pass in user-provided URLs to libcurl without doing
|
|
much syntax checking of their own, allowing a user to exploit
|
|
this vulnerability.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15756</bid>
|
|
<cvename>CVE-2005-4077</cvename>
|
|
<url>http://curl.haxx.se/docs/adv_20051207.html</url>
|
|
<url>http://www.hardened-php.net/advisory_242005.109.html</url>
|
|
<url>http://secunia.com/advisories/17907/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-07</discovery>
|
|
<entry>2005-12-09</entry>
|
|
<modified>2006-01-01</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="23afd91f-676b-11da-99f6-00123ffe8333">
|
|
<topic>phpmyadmin -- register_globals emulation "import_blacklist" manipulation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>2.7.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/17925/">
|
|
<p>Stefan Esser has reported a vulnerability in phpMyAdmin,
|
|
which can be exploited by malicious people to conduct
|
|
cross-site scripting attacks, disclose sensitive
|
|
information, and compromise a vulnerable system.</p>
|
|
<p>The vulnerability is caused due to an error in the
|
|
register_globals emulation layer in "grab_globals.php"
|
|
where the "import_blacklist" variable is not properly
|
|
protected from being overwritten. This can be exploited
|
|
to execute arbitrary HTML and script code in a user's
|
|
browser session in context of an affected site, and
|
|
include arbitrary files from external and local resources.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-9</url>
|
|
<url>http://www.hardened-php.net/advisory_252005.110.html</url>
|
|
<url>http://secunia.com/advisories/17925/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-07</discovery>
|
|
<entry>2005-12-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="59ada6e5-676a-11da-99f6-00123ffe8333">
|
|
<topic>phpmyadmin -- XSS vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>2.7.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A phpMyAdmin security advisory reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-8">
|
|
<p>It was possible to conduct an XSS attack via the
|
|
HTTP_HOST variable; also, some scripts in the libraries
|
|
directory that handle header generation were vulnerable
|
|
to XSS.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-3665</cvename>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-8</url>
|
|
<url>http://secunia.com/advisories/17895/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-05</discovery>
|
|
<entry>2005-12-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="964161cd-6715-11da-99f6-00123ffe8333">
|
|
<topic>ffmpeg -- libavcodec buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ffmpeg</name>
|
|
<range><lt>0.4.9.p1_4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ffmpeg-devel</name>
|
|
<range><lt>0.4.9.c.2005120600</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/17892/">
|
|
<p>Simon Kilvington has reported a vulnerability in
|
|
FFmpeg libavcodec, which can be exploited by malicious
|
|
people to cause a DoS (Denial of Service) and
|
|
potentially to compromise a user's system.</p>
|
|
<p>The vulnerability is caused due to a boundary error
|
|
in the "avcodec_default_get_buffer()" function of
|
|
"utils.c" in libavcodec. This can be exploited to
|
|
cause a heap-based buffer overflow when a
|
|
specially-crafted 1x1 ".png" file containing a palette
|
|
is read.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://article.gmane.org/gmane.comp.video.ffmpeg.devel/26558</url>
|
|
<url>http://secunia.com/advisories/17892/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-11-30</discovery>
|
|
<entry>2005-12-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7289187b-66a5-11da-99f6-00123ffe8333">
|
|
<topic>trac -- search module SQL injection vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>trac</name>
|
|
<range><lt>0.9.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/17894/">
|
|
<p>A vulnerability has been reported in Trac, which
|
|
can be exploited by malicious people to conduct SQL
|
|
injection attacks.</p>
|
|
<p>Some unspecified input passed in the search module
|
|
isn't properly sanitised before being used in a SQL
|
|
query. This can be exploited to manipulate SQL
|
|
queries by injecting arbitrary SQL code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://projects.edgewall.com/trac/wiki/ChangeLog#a0.9.2</url>
|
|
<url>http://secunia.com/advisories/17894/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-05</discovery>
|
|
<entry>2005-12-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="faca0843-6281-11da-8630-00123ffe8333">
|
|
<topic>drupal -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>drupal</name>
|
|
<range><lt>4.6.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/17824/">
|
|
<p>Some vulnerabilities have been reported in Drupal,
|
|
which can be exploited by malicious people to bypass
|
|
certain security restrictions, and conduct script
|
|
insertion and HTTP response splitting attacks.</p>
|
|
<p>1) An input validation error in the filtering of
|
|
HTML code can be exploited to inject arbitrary
|
|
JavaScript code in submitted content, which will be
|
|
executed in a user's browser session in context of
|
|
an affected site when the malicious user data is
|
|
viewed.
|
|
Successful exploitation requires that the user has
|
|
access to the full HTML input format.
|
|
Ref: sa-2005-007</p>
|
|
<p>2) An input validation error in the attachment
|
|
handling can be exploited to upload a malicious
|
|
image with embedded HTML and script content, which
|
|
will be executed in a user's browser session in
|
|
context of an affected site when viewed directly with
|
|
the Microsoft Internet Explorer browser.
|
|
This can also be exploited to inject arbitrary HTTP
|
|
headers, which will be included in the response sent
|
|
to the user.
|
|
Ref: sa-2005-008</p>
|
|
<p>3) The problem is that it is possible to bypass the
|
|
"access user profile" permission. However, this cannot
|
|
be exploited to modify data.
|
|
Successful exploitation requires that the server runs
|
|
PHP 5.
|
|
Ref: sa-2005-009</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://drupal.org/files/sa-2005-007/advisory.txt</url>
|
|
<url>http://drupal.org/files/sa-2005-008/advisory.txt</url>
|
|
<url>http://drupal.org/files/sa-2005-009/advisory.txt</url>
|
|
<url>http://secunia.com/advisories/17824/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-12-01</discovery>
|
|
<entry>2005-12-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d6b092bd-61e1-11da-b64c-0001020eed82">
|
|
<topic>opera -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-opera</name>
|
|
<name>opera-devel</name>
|
|
<name>opera</name>
|
|
<range><lt>8.51</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Opera reports:</p>
|
|
<blockquote cite="http://www.opera.com/support/search/supsearch.dml?index=819">
|
|
<p>It is possible to make a form input that looks like an
|
|
image link. If the form input has a "title" attribute, the
|
|
status bar will show the "title". A "title" which looks
|
|
like a URL can mislead the user, since the title can say
|
|
http://nice.familiar.com/, while the form action can be
|
|
something else.</p>
|
|
<p>Opera's tooltip says "Title:" before the title text,
|
|
making a spoof URL less convincing. A user who has enabled
|
|
the status bar and disabled tooltips can be affected by
|
|
this. Neither of these settings are Opera's defaults.</p>
|
|
<p>This exploit is mostly of interest to users who disable
|
|
JavaScript. If JavaScript is enabled, any link target or
|
|
form action can be overridden by the script. The tooltip
|
|
and the statusbar can only be trusted to show the true
|
|
location if JavaScript is disabled.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.opera.com/support/search/supsearch.dml?index=817">
|
|
<p>Java code using LiveConnect methods to remove a property
|
|
of a JavaScript object may in some cases use null pointers
|
|
that can make Opera crash. This crash is not exploitable
|
|
and such code is rare on the web.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-3699</cvename>
|
|
<url>http://secunia.com/advisories/17571/</url>
|
|
<url>http://www.opera.com/support/search/supsearch.dml?index=817</url>
|
|
<url>http://www.opera.com/support/search/supsearch.dml?index=819</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-11-16</discovery>
|
|
<entry>2005-11-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="dfc1daa8-61de-11da-b64c-0001020eed82">
|
|
<topic>opera -- command line URL shell command injection</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-opera</name>
|
|
<name>opera-devel</name>
|
|
<name>opera</name>
|
|
<range><lt>8.51</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An Opera Advisory reports:</p>
|
|
<blockquote cite="http://www.opera.com/support/search/supsearch.dml?index=818">
|
|
<p>Opera for UNIX uses a wrapper shell script to start up
|
|
Opera. This shell script reads the input arguments, like
|
|
the file names or URLs that Opera is to open. It also
|
|
performs some environment checks, for example whether Java
|
|
is available and if so, where it is located.</p>
|
|
<p>This wrapper script can also run commands embedded in the
|
|
URL, so that a specially crafted URL can make arbitrary
|
|
commands run on the recipient's machine. Users who have
|
|
other programs set up to use Opera to open Web links are
|
|
vulnerable to this flaw. For these users, clicking a Web
|
|
link in for example OpenOffice.org or Evolution can run a
|
|
command that was put into the link.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15521</bid>
|
|
<cvename>CVE-2005-3750</cvename>
|
|
<url>http://secunia.com/secunia_research/2005-57/advisory/</url>
|
|
<url>http://www.opera.com/support/search/supsearch.dml?index=818</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-11-17</discovery>
|
|
<entry>2005-11-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ffb82d3a-610f-11da-8823-00123ffe8333">
|
|
<topic>mambo -- "register_globals" emulation layer overwrite vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mambo</name>
|
|
<range><lt>4.5.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/17622/">
|
|
<p>peter MC tachatte has discovered a vulnerability in Mambo,
|
|
which can be exploited by malicious people to manipulate
|
|
certain information and compromise a vulnerable system.</p>
|
|
<p>The vulnerability is caused due to an error in the
|
|
"register_globals" emulation layer in "globals.php" where
|
|
certain arrays used by the system can be overwritten. This
|
|
can be exploited to include arbitrary files from external
|
|
and local resources via the "mosConfig_absolute_path" parameter.</p>
|
|
<p>Successful exploitation requires that "register_globals"
|
|
is disabled.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.mamboserver.com/index.php?option=com_content&task=view&id=172&Itemid=1</url>
|
|
<url>http://secunia.com/advisories/17622/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-11-17</discovery>
|
|
<entry>2005-11-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="27a70a01-5f6c-11da-8d54-000cf18bbe54">
|
|
<topic>ghostscript -- insecure temporary file creation vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ghostscript-gnu</name>
|
|
<name>ghostscript-gnu-nox11</name>
|
|
<range><lt>7.07_14</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ghostscript-afpl</name>
|
|
<name>ghostscript-afpl-nox11</name>
|
|
<range><lt>8.53_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<blockquote cite="http://www.securityfocus.com/bid/11285/discuss">
|
|
<p>Ghostscript is affected by an insecure temporary file
|
|
creation vulnerability. This issue is likely due
|
|
to a design error that causes the application to fail
|
|
to verify the existence of a file before writing to it.</p>
|
|
|
|
<p>An attacker may leverage this issue to overwrite
|
|
arbitrary files with the privileges of an unsuspecting
|
|
user that activates the vulnerable application.
|
|
Reportedly this issue is unlikely to facilitate
|
|
privilege escalation.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>11285</bid>
|
|
<cvename>CVE-2004-0967</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-19</discovery>
|
|
<entry>2005-11-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="873a6542-5b8d-11da-b96e-000fb586ba73">
|
|
<topic>horde -- Cross site scripting vulnerabilities in MIME viewers</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde</name>
|
|
<name>horde-php5</name>
|
|
<range><lt>3.0.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Announce of Horde 3.0.7 (final):</p>
|
|
<blockquote cite="http://lists.horde.org/archives/announce/2005/000232.html">
|
|
<p>This [3.0.7] is a security release that fixes cross site
|
|
scripting vulnerabilities in two of Horde's MIME viewers. These
|
|
holes could for example be exploited by an attacker sending
|
|
specially crafted emails to Horde's webmail client IMP. The
|
|
attack could be used to steal users' identity information, taking
|
|
over users' sessions, or changing users' settings.</p>
|
|
<p>As a hotfix the css and tgz MIME drivers can be disabled by
|
|
removing their entries from the
|
|
$mime_drivers_map['horde']['registered'] list in
|
|
horde/config/mime_drivers.php.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15535</bid>
|
|
<cvename>CVE-2005-3759</cvename>
|
|
<url>http://lists.horde.org/archives/announce/2005/000232.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-11-22</discovery>
|
|
<entry>2005-11-22</entry>
|
|
<modified>2005-11-26</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c55f9ed0-56a7-11da-a3f0-00123ffe8333">
|
|
<topic>phpmyadmin -- HTTP Response Splitting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>2.6.4.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A phpMyAdmin security advisory reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6">
|
|
<p>Some scripts in phpMyAdmin are vulnerable to an
|
|
HTTP Response Splitting attack.</p>
|
|
<p>Severity:</p>
|
|
<p>We consider these vulnerabilities to be serious.
|
|
However, they can only be triggered on systems running
|
|
with register_globals = on.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6</url>
|
|
<url>http://secunia.com/advisories/17578/</url>
|
|
<url>http://www.fitsec.com/advisories/FS-05-02.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-11-15</discovery>
|
|
<entry>2005-11-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9c1cea79-548a-11da-b53f-0004614cc33d">
|
|
<topic>phpSysInfo -- "register_globals" emulation layer overwrite vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpSysInfo</name>
|
|
<range><lt>2.5.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/17441/">
|
|
<p>Christopher Kunz has reported a vulnerability in
|
|
phpSysInfo, which can be exploited by malicious people
|
|
to manipulate certain information.</p>
|
|
<p>The vulnerability is caused due to an error in
|
|
the "register_globals" emulation layer where certain
|
|
arrays used by the system can be overwritten. This can be
|
|
exploited to execute arbitrary HTML and script code in
|
|
a user's browser session and include arbitrary files from
|
|
local resources.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.hardened-php.net/advisory_222005.81.html</url>
|
|
<url>http://secunia.com/advisories/17441/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-11-10</discovery>
|
|
<entry>2005-11-13</entry>
|
|
<modified>2005-12-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="aed343b4-5480-11da-b579-001125afbed7">
|
|
<topic>Macromedia flash player -- swf file handling arbitrary code</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-flashplugin6</name>
|
|
<range><le>6.0r79_3</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-flashplugin7</name>
|
|
<range><lt>7.0r61</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/17430/">
|
|
<p>A vulnerability has been reported in Macromedia
|
|
Flash Player, which can be exploited by malicious
|
|
people to compromise a user's system.</p>
|
|
<p>The vulnerability is caused due to missing validation
|
|
of the frame type identifier that is read from
|
|
a SWF file. This value is used as an index in Flash.ocx
|
|
to reference an array of function pointers. This can be
|
|
exploited via a specially crafted SWF file to cause
|
|
the index to reference memory that is under the attacker's
|
|
control, which causes Flash Player to use attacker
|
|
supplied values as function pointers.</p>
|
|
<p>Successful exploitation allows execution of arbitrary
|
|
code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html</url>
|
|
<url>http://secunia.com/advisories/17430/</url>
|
|
<url>http://www.eeye.com/html/research/advisories/AD20051104.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-27</discovery>
|
|
<entry>2005-11-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f4b95430-51d8-11da-8e93-0010dc4afb40">
|
|
<topic>flyspray -- cross-site scripting vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>flyspray</name>
|
|
<range><lt>0.9.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/17316/">
|
|
<p>Lostmon has reported some vulnerabilities in Flyspray,
|
|
which can be exploited by malicious people to conduct
|
|
cross-site scripting attacks.</p>
|
|
<p>Some input isn't properly sanitised before being
|
|
returned to the user. This can be exploited to execute
|
|
arbitrary HTML and script code in a user's browser
|
|
session in context of an affected site.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15209</bid>
|
|
<url>http://secunia.com/advisories/17316/</url>
|
|
<url>http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-26</discovery>
|
|
<entry>2005-11-10</entry>
|
|
<modified>2005-11-29</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7f3fdef7-51d2-11da-8e93-0010dc4afb40">
|
|
<topic>p5-Mail-SpamAssassin -- long message header denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>p5-Mail-SpamAssassin</name>
|
|
<range><lt>3.1.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/17386/">
|
|
<p>A vulnerability has been reported in SpamAssassin,
|
|
which can be exploited by malicious people to cause
|
|
a DoS (Denial of Service).</p>
|
|
<p>The vulnerability is caused due to the use of
|
|
an inefficient regular expression in
|
|
"/SpamAssassin/Message.pm" to parse email headers.
|
|
This can cause perl to crash when it runs out of stack
|
|
space and can be exploited via a malicious email that
|
|
contains a large number of recipients.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/17386/</url>
|
|
<url>http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4570</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-11-10</discovery>
|
|
<entry>2005-11-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="eb29a575-3381-11da-8340-000e0c2e438a">
|
|
<topic>qpopper -- multiple privilege escalation vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>qpopper</name>
|
|
<range><ge>4.0</ge><le>4.0.5</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jens Steube reports that qpopper is vulnerable to a privilege
|
|
escalation vulnerability. qpopper does not properly drop root
|
|
privileges so that user supplied configuration and trace files
|
|
can be processed with root privileges. This could allow a
|
|
local attacker to create or modify arbitrary files.</p>
|
|
<p>qpopper is also affected by improper umask settings
|
|
which could allow users to create group or world-writeable
|
|
files, possibly allowing an attacker to overwrite arbitrary
|
|
files.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1151</cvename>
|
|
<cvename>CVE-2005-1152</cvename>
|
|
<url>http://secunia.com/advisories/15475/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-26</discovery>
|
|
<entry>2005-11-07</entry>
|
|
<modified>2005-11-26</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="44e5f5bd-4d76-11da-bf37-000fb586ba73">
|
|
<topic>pear-PEAR -- PEAR installer arbitrary code execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pear-PEAR</name>
|
|
<range><lt>1.4.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Gregory Beaver reports:</p>
|
|
<blockquote cite="http://pear.php.net/advisory-20051104.txt">
|
|
<p>A standard feature of the PEAR installer implemented in
|
|
all versions of PEAR can lead to the execution of
|
|
arbitrary PHP code upon running the "pear" command
|
|
or loading the Web/Gtk frontend.</p>
|
|
<p>To be vulnerable, a user must explicitly install a
|
|
publicly released malicious package using the PEAR
|
|
installer, or explicitly install a package that depends on
|
|
a malicious package.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://pear.php.net/advisory-20051104.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-11-01</discovery>
|
|
<entry>2005-11-04</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3de49331-0dec-422c-93e5-e4719e9869c5">
|
|
<topic>openvpn -- potential denial-of-service on servers in TCP mode</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openvpn</name>
|
|
<range><ge>2.0</ge><lt>2.0.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>James Yonan reports:</p>
|
|
<blockquote cite="http://openvpn.net/changelog.html">
|
|
<p>If the TCP server accept() call returns an error status, the
|
|
resulting exception handler may attempt to indirect through a NULL
|
|
pointer, causing a segfault. Affects all OpenVPN 2.0 versions.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-3409</cvename>
|
|
<url>http://openvpn.net/changelog.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-11-01</discovery>
|
|
<entry>2005-11-01</entry>
|
|
<modified>2005-11-04</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6129fdc7-6462-456d-a3ef-8fc3fbf44d16">
|
|
<topic>openvpn -- arbitrary code execution on client through malicious or compromised server</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openvpn</name>
|
|
<range><ge>2.0</ge><lt>2.0.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>James Yonan reports:</p>
|
|
<blockquote cite="http://openvpn.net/changelog.html">
|
|
<p>A format string vulnerability
|
|
in the foreign_option function in options.c could
|
|
potentially allow a malicious or compromised server
|
|
to execute arbitrary code on the client. Only
|
|
non-Windows clients are affected. The vulnerability
|
|
only exists if (a) the client's TLS negotiation with
|
|
the server succeeds, (b) the server is malicious or
|
|
has been compromised such that it is configured to
|
|
push a maliciously crafted options string to the client,
|
|
and (c) the client indicates its willingness to accept
|
|
pushed options from the server by having "pull" or
|
|
"client" in its configuration file (Credit: Vade79).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-3393</cvename>
|
|
<mlist>http://www.securityfocus.com/archive/1/415293/30/0/threaded</mlist>
|
|
<url>http://openvpn.net/changelog.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-31</discovery>
|
|
<entry>2005-11-01</entry>
|
|
<modified>2005-11-04</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6821a2db-4ab7-11da-932d-00055d790c25">
|
|
<topic>PHP -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_php4-twig</name>
|
|
<name>php4-cgi</name>
|
|
<name>php4-cli</name>
|
|
<name>php4-dtc</name>
|
|
<name>php4-horde</name>
|
|
<name>php4-nms</name>
|
|
<name>php4</name>
|
|
<range><lt>4.4.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mod_php</name>
|
|
<name>mod_php4</name>
|
|
<range><ge>4</ge><lt>4.4.1,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/17371/">
|
|
<p>Some vulnerabilities have been reported in PHP,
|
|
which can be exploited by malicious people to conduct
|
|
cross-site scripting attacks, bypass certain security
|
|
restrictions, and potentially compromise a vulnerable
|
|
system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/17371/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-31</discovery>
|
|
<entry>2005-11-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="70fc13d9-4ab4-11da-932d-00055d790c25">
|
|
<topic>skype -- multiple buffer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>skype</name>
|
|
<range><lt>1.2.0.18</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/17305/">
|
|
<p>Some vulnerabilities have been reported in Skype,
|
|
which can be exploited by malicious people to cause
|
|
a DoS or to compromise a user's system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-3265</cvename>
|
|
<cvename>CVE-2005-3267</cvename>
|
|
<certvu>930345</certvu>
|
|
<certvu>668193</certvu>
|
|
<url>http://secunia.com/advisories/17305/</url>
|
|
<url>http://skype.com/security/skype-sb-2005-02.html</url>
|
|
<url>http://skype.com/security/skype-sb-2005-03.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-25</discovery>
|
|
<entry>2005-11-01</entry>
|
|
<modified>2005-11-02</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1c3142a3-4ab2-11da-932d-00055d790c25">
|
|
<topic>squid -- FTP server response handling denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.11_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/17271/">
|
|
<p>M.A.Young has reported a vulnerability in Squid,
|
|
which can be exploited by malicious people to cause
|
|
a DoS (Denial of Service).</p>
|
|
<p>The vulnerability is caused due to an error in
|
|
handling certain FTP server responses. This can be
|
|
exploited to crash Squid by visiting a malicious FTP
|
|
server via the proxy.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-3258</cvename>
|
|
<url>http://secunia.com/advisories/17271/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-19</discovery>
|
|
<entry>2005-11-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f38c87a5-4a3e-11da-8ba2-0004614cc33d">
|
|
<topic>base -- PHP SQL injection vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>base</name>
|
|
<range><lt>1.2.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/17314/">
|
|
<p>Remco Verhoef has discovered a vulnerability in
|
|
Basic Analysis and Security Engine (BASE), which
|
|
can be exploited by malicious users to conduct SQL
|
|
injection attacks.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15199</bid>
|
|
<url>http://secunia.com/advisories/17314/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-25</discovery>
|
|
<entry>2005-10-31</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="baf74e0b-497a-11da-a4f4-0060084a00e5">
|
|
<topic>fetchmail -- fetchmailconf local password exposure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fetchmail</name>
|
|
<range><lt>6.2.5.2_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The fetchmail team reports:</p>
|
|
<blockquote cite="http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt">
|
|
<p>The fetchmailconf program before and excluding version
|
|
1.49 opened the run control file, wrote the configuration
|
|
to it, and only then changed the mode to 0600 (rw-------).
|
|
Writing the file, which usually contains passwords, before
|
|
making it unreadable to other users, can expose sensitive
|
|
password information.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-3088</cvename>
|
|
<url>http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-21</discovery>
|
|
<entry>2005-10-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c01170bf-4990-11da-a1b8-000854d03344">
|
|
<topic>lynx -- remote buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>lynx</name>
|
|
<name>ja-lynx</name>
|
|
<range><lt>2.8.5_1</lt></range>
|
|
<range><gt>2.8.6*</gt><lt>2.8.6d14</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>lynx-ssl</name>
|
|
<range><lt>2.8.5_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ulf Härnhammar reports:</p>
|
|
<blockquote cite="http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html">
|
|
<p>When Lynx connects to an NNTP server to fetch information
|
|
about the available articles in a newsgroup, it will
|
|
call a function called HTrjis() with the information
|
|
from certain article headers. The function adds missing
|
|
ESC characters to certain data, to support Asian character
|
|
sets. However, it does not check if it writes outside
|
|
of the char array buf, and that causes a remote stack-based
|
|
buffer overflow.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description> <references>
|
|
<cvename>CVE-2005-3120</cvename>
|
|
<url>http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html</url>
|
|
</references> <dates>
|
|
<discovery>2005-10-17</discovery>
|
|
<entry>2005-10-30</entry>
|
|
<modified>2006-10-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1daea60a-4719-11da-b5c6-0004614cc33d">
|
|
<topic>ruby -- vulnerability in the safe level settings</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby</name>
|
|
<name>ruby_static</name>
|
|
<range><gt>1.6.*</gt><lt>1.6.8.2004.07.28_2</lt></range>
|
|
<range><gt>1.8.*</gt><lt>1.8.2_5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ruby home page reports:</p>
|
|
<blockquote cite="http://www.ruby-lang.org/en/20051003.html">
|
|
<p>The Object Oriented Scripting Language Ruby supports
|
|
safely executing an untrusted code with two mechanisms:
|
|
safe level and taint flag on objects.</p>
|
|
<p>A vulnerability has been found that allows bypassing
|
|
these mechanisms.</p>
|
|
<p>By using the vulnerability, arbitrary code can be executed
|
|
beyond the restrictions specified in each safe level.
|
|
Therefore, Ruby has to be updated on all systems that use
|
|
safe level to execute untrusted code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2337</cvename>
|
|
<url>http://www.ruby-lang.org/en/20051003.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-02</discovery>
|
|
<entry>2005-10-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2f0cb4bb-416d-11da-99fe-000854d03344">
|
|
<topic>xloadimage -- buffer overflows in NIFF image title handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xloadimage</name>
|
|
<range><lt>4.1.15</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>xli</name>
|
|
<range><lt>1.17.0_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ariel Berkman reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=112862493918840&w=2">
|
|
<p>Unlike most of the supported image formats in xloadimage,
|
|
the NIFF image format can store a title name of arbitrary
|
|
length as part of the image file.</p>
|
|
<p>When xloadimage is processing a loaded image, it is
|
|
creating a new Image object and then writing the processed
|
|
image to it. At that point, it will also copy the title
|
|
from the old image to the newly created image.</p>
|
|
<p>The 'zoom', 'reduce', and 'rotate' functions are using
|
|
a fixed length buffer to construct the new title name
|
|
when an image processing is done. Since the title name
|
|
in a NIFF format is of varying length, and there are
|
|
insufficient buffer size validations, the buffer can
|
|
be overflowed.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15051</bid>
|
|
<cvename>CVE-2005-3178</cvename>
|
|
<mlist msgid="BOEKKJLADFNHIEFBHCECMEONCFAA.aberkm1@uic.edu">http://marc.theaimsgroup.com/?l=bugtraq&m=112862493918840&w=2</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-05</discovery>
|
|
<entry>2005-10-20</entry>
|
|
<modified>2005-10-23</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="97d45e95-3ffc-11da-a263-0001020eed82">
|
|
<topic>snort -- Back Orifice preprocessor buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>snort</name>
|
|
<range><ge>2.4.0</ge><lt>2.4.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jennifer Steffens reports:</p>
|
|
<blockquote cite="http://www.snort.org/pub-bin/snortnews.cgi#99">
|
|
<p>The Back Orifice preprocessor contains a stack-based
|
|
buffer overflow. This vulnerability could be leveraged by
|
|
an attacker to execute code remotely on a Snort sensor
|
|
where the Back Orifice preprocessor is enabled. However,
|
|
there are a number of factors that make remote code
|
|
execution difficult to achieve across different builds of
|
|
Snort on different platforms, even on the same platform
|
|
with different compiler versions, and it is more likely
|
|
that an attacker could use the vulnerability as a denial
|
|
of service attack.</p>
|
|
<p>The Back Orifice preprocessor can be disabled by
|
|
commenting out the line "preprocessor bo" in
|
|
snort.conf. This can be done in any text editor using the
|
|
following procedure:</p>
|
|
<ol>
|
|
<li>Locate the line "preprocessor bo"</li>
|
|
<li>Comment out this line by preceding it with a hash
|
|
(#). The new line will look like "#preprocessor bo"</li>
|
|
<li>Save the file</li>
|
|
<li>Restart snort</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>175500</certvu>
|
|
<url>http://www.snort.org/pub-bin/snortnews.cgi#99</url>
|
|
<url>http://xforce.iss.net/xforce/alerts/id/207</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-18</discovery>
|
|
<entry>2005-10-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="60f8fe7b-3cfb-11da-baa2-0004614cc33d">
|
|
<topic>webcalendar -- remote file inclusion vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>WebCalendar</name>
|
|
<range><lt>1.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>WebCalendar is proven vulnerable to a remote file inclusion
|
|
vulnerability. The send_reminders.php does not properly
|
|
verify the "includedir" parameter, giving remote attackers
|
|
the possibility to include local and remote files. These
|
|
files can be used by the attacker to gain access to the
|
|
system.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14651</bid>
|
|
<cvename>CVE-2005-2717</cvename>
|
|
<url>http://sourceforge.net/forum/forum.php?thread_id=1342085&forum_id=11587</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-26</discovery>
|
|
<entry>2005-10-15</entry>
|
|
<modified>2005-11-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="47bdabcf-3cf9-11da-baa2-0004614cc33d">
|
|
<topic>gallery2 -- file disclosure vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gallery2</name>
|
|
<range><lt>2.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Michael Dipper wrote:</p>
|
|
<blockquote cite="http://dipper.info/security/20051012/">
|
|
<p>A vulnerability has been discovered in gallery,
|
|
which allows remote users unauthorized access to files
|
|
on the webserver.</p>
|
|
<p>A remote user accessing gallery over the web may use
|
|
specially crafted HTTP parameters to access arbitrary
|
|
files located on the webserver. All files readable by
|
|
the webserver process are subject to disclosure.
|
|
The vulnerability is *not* restricted to the webserver's
|
|
document root but extends to the whole server file space.</p>
|
|
<p>The vulnerabilty may be used by any anonymous user,
|
|
there is no login to the application required.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15108</bid>
|
|
<cvename>CVE-2005-3251</cvename>
|
|
<url>http://dipper.info/security/20051012/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-12</discovery>
|
|
<entry>2005-10-15</entry>
|
|
<modified>2005-11-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="60e26a40-3b25-11da-9484-00123ffe8333">
|
|
<topic>openssl -- potential SSL 2.0 rollback</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openssl</name>
|
|
<name>openssl-overwrite-base</name>
|
|
<range><le>0.9.7g</le></range>
|
|
<range><ge>0.9.8</ge><le>0.9.8_1</le></range>
|
|
<range><ge>0.9.*_20050325</ge><le>0.9.*_20051011</le></range>
|
|
</package>
|
|
<package>
|
|
<name>openssl-beta</name>
|
|
<name>openssl-beta-overwrite-base</name>
|
|
<range><le>0.9.8_1</le></range>
|
|
<range><ge>0.9.*_20050325</ge><le>0.9.*_20051011</le></range>
|
|
</package>
|
|
<package>
|
|
<name>compat5x-alpha</name>
|
|
<name>compat5x-amd64</name>
|
|
<name>compat5x-i386</name>
|
|
<name>compat5x-sparc64</name>
|
|
<range><lt>5.4.0.8</lt></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><lt>4.10_19</lt></range>
|
|
<range><ge>4.11</ge><lt>4.11_13</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_23</lt></range>
|
|
<range><ge>5.4</ge><lt>5.4_8</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Vulnerability:</p>
|
|
<blockquote cite="http://www.openssl.org/news/secadv_20051011.txt">
|
|
<p>Such applications are affected if they use the option
|
|
SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of
|
|
SSL_OP_ALL, which is intended to work around various bugs in
|
|
third-party software that might prevent interoperability. The
|
|
SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification step in
|
|
the SSL 2.0 server supposed to prevent active protocol-version
|
|
rollback attacks. With this verification step disabled, an attacker
|
|
acting as a "man in the middle" can force a client and a server to
|
|
negotiate the SSL 2.0 protocol even if these parties both support SSL
|
|
3.0 or TLS 1.0. The SSL 2.0 protocol is known to have severe
|
|
cryptographic weaknesses and is supported as a fallback only.</p>
|
|
<p>Applications using neither SSL_OP_MSIE_SSLV2_RSA_PADDING nor
|
|
SSL_OP_ALL are not affected. Also, applications that disable
|
|
use of SSL 2.0 are not affected.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-05:21.openssl</freebsdsa>
|
|
<cvename>CVE-2005-2969</cvename>
|
|
<url>http://www.openssl.org/news/secadv_20051011.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-11</discovery>
|
|
<entry>2005-10-12</entry>
|
|
<modified>2005-10-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9b7053fd-3ab5-11da-9484-00123ffe8333">
|
|
<topic>phpmyadmin -- local file inclusion vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><ge>2.6.4.r1</ge><le>2.6.4.1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A phpMyAdmin security announcement reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-4">
|
|
<p>In libraries/grab_globals.lib.php, the $__redirect
|
|
parameter was not correctly validated, opening the door to
|
|
a local file inclusion attack.</p>
|
|
<p>We consider this vulnerability to be serious.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>15053</bid>
|
|
<mlist msgid="20051010161119.1689.qmail@securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=112907764728209</mlist>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-4</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-11</discovery>
|
|
<entry>2005-10-11</entry>
|
|
<modified>2005-10-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d2b80c7c-3aae-11da-9484-00123ffe8333">
|
|
<topic>zope -- expose RestructuredText functionality to untrusted users</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zope</name>
|
|
<range><ge>2.6.0</ge><lt>2.7.8</lt></range>
|
|
<range><ge>2.8.0</ge><le>2.8.1_2</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Zope Hotfix Alert reports:</p>
|
|
<blockquote cite="http://www.zope.org/Products/Zope/Hotfix_2005-10-09/security_alert">
|
|
<p>This hotfix resolves a security issue with docutils.</p>
|
|
<p>Affected are possibly all Zope instances that expose
|
|
RestructuredText functionalies to untrusted users through
|
|
the web.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-3323</cvename>
|
|
<bid>15082</bid>
|
|
<url>http://www.zope.org/Products/Zope/Hotfix_2005-10-09/security_alert</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-09</discovery>
|
|
<entry>2005-10-11</entry>
|
|
<modified>2005-11-28</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3bc5691e-38dd-11da-92f5-020039488e34">
|
|
<topic>libxine -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libxine</name>
|
|
<range><lt>1.1.0_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Gentoo Linux Security Advisory reports:</p>
|
|
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200510-08.xml">
|
|
<p>Ulf Harnhammar discovered a format string bug in the routines
|
|
handling CDDB server response contents.</p>
|
|
<p>An attacker could submit malicious information about an audio
|
|
CD to a public CDDB server (or impersonate a public CDDB server).
|
|
When the victim plays this CD on a multimedia frontend relying
|
|
on xine-lib, it could end up executing arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2967</cvename>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200510-08.xml</url>
|
|
<url>http://xinehq.de/index.php/security/XSA-2005-1</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-08</discovery>
|
|
<entry>2005-10-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1f6e2ade-35c2-11da-811d-0050bf27ba24">
|
|
<topic>imap-uw -- mailbox name handling remote buffer vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>imap-uw</name>
|
|
<range><lt>2004g</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>FrSIRT reports:</p>
|
|
<blockquote cite="http://www.frsirt.com/english/advisories/2005/1953">
|
|
<p>A vulnerability has been identified in UW-IMAP, which could
|
|
be exploited by remote attackers to execute arbitrary commands.
|
|
This flaw is due to a stack overflow error in the
|
|
"mail_valid_net_parse_work()" [src/c-client/mail.c] function that
|
|
does not properly handle specially crafted mailbox names containing
|
|
a quote (") character, which could be exploited by authenticated
|
|
remote attackers to execute arbitrary commands with the privileges
|
|
of the IMAP server.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2933</cvename>
|
|
<url>http://www.frsirt.com/english/advisories/2005/1953</url>
|
|
<url>http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities</url>
|
|
<url>http://www.washington.edu/imap/documentation/RELNOTES.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-05</discovery>
|
|
<entry>2005-10-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d4c70df5-335d-11da-9c70-0040f42d58c6">
|
|
<topic>weex -- remote format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>weex</name>
|
|
<range><lt>2.6.1.5_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Emanuel Haupt reports:</p>
|
|
<blockquote cite="http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/86833">
|
|
<p>Someone who controls an FTP server that weex will log in to
|
|
can set up malicious data in the account that weex will use,
|
|
and that will cause a format string bug that will allow remote
|
|
code execution. It will only happen when weex is first run or
|
|
when its cache files are rebuilt with the -r option,
|
|
though. The vulnerability was found by Ulf Harnhammar.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>ports/86833</freebsdpr>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-02</discovery>
|
|
<entry>2005-10-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8a3ece40-3315-11da-a263-0001020eed82">
|
|
<topic>picasm -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>picasm</name>
|
|
<range><lt>1.12c</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Shaun Colley reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=111661253517089">
|
|
<p>When generating error and warning messages, picasm copies
|
|
strings into fixed length buffers without bounds
|
|
checking.</p>
|
|
<p>If an attacker could trick a user into assembling a
|
|
source file with a malformed 'error' directive, arbitrary
|
|
code could be executed with the privileges of the user.
|
|
This could result in full system compromise.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13698</bid>
|
|
<cvename>CVE-2005-1679</cvename>
|
|
<mlist msgid="c522a35a0505200807744163c4@mail.gmail.com">http://marc.theaimsgroup.com/?l=bugtraq&m=111661253517089</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-20</discovery>
|
|
<entry>2005-10-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1e606080-3293-11da-ac91-020039488e34">
|
|
<topic>uim -- privilege escalation vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ja-uim</name>
|
|
<range><lt>0.4.9.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The uim developers reports:</p>
|
|
<blockquote cite="http://lists.freedesktop.org/archives/uim/2005-September/001346.html">
|
|
<p>Masanari Yamamoto discovered that incorrect use
|
|
of environment variables in uim. This bug causes
|
|
privilege escalation if setuid/setgid applications
|
|
was linked to libuim.</p>
|
|
<p>This bug appears in 'immodule for Qt' enabled Qt.
|
|
(Normal Qt is also safe.) In some distribution,
|
|
mlterm is also an setuid/setgid application.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://lists.freedesktop.org/archives/uim/2005-September/001346.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-09-28</discovery>
|
|
<entry>2005-10-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8688d5cd-328c-11da-a263-0001020eed82">
|
|
<topic>cfengine -- arbitrary file overwriting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cfengine</name>
|
|
<range><lt>2.1.6_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>cfengine2</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Debian Security Advisory reports:</p>
|
|
<blockquote cite="http://www.debian.org/security/2005/dsa-835">
|
|
<p>Javier Fernández-Sanguino Peña discovered several
|
|
insecure temporary file uses in cfengine, a tool for
|
|
configuring and maintaining networked machines, that can
|
|
be exploited by a symlink attack to overwrite arbitrary
|
|
files owned by the user executing cfengine, which is
|
|
probably root.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2960</cvename>
|
|
<bid>14994</bid>
|
|
<url>http://www.debian.org/security/2005/dsa-835</url>
|
|
<url>http://www.debian.org/security/2005/dsa-836</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-10-01</discovery>
|
|
<entry>2005-10-01</entry>
|
|
<modified>2005-10-07</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="271498a9-2cd4-11da-a263-0001020eed82">
|
|
<topic>clamav -- arbitrary code execution and DoS vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>clamav</name>
|
|
<range><lt>0.87</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>clamav-devel</name>
|
|
<range><lt>20050917</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Gentoo Linux Security Advisory reports:</p>
|
|
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200509-13.xml">
|
|
<p>Clam AntiVirus is vulnerable to a buffer overflow in
|
|
"libclamav/upx.c" when processing malformed UPX-packed
|
|
executables. It can also be sent into an infinite loop in
|
|
"libclamav/fsg.c" when processing specially-crafted
|
|
FSG-packed executables.</p>
|
|
<p>By sending a specially-crafted file an attacker could
|
|
execute arbitrary code with the permissions of the user
|
|
running Clam AntiVirus, or cause a Denial of Service.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>363713</certvu>
|
|
<cvename>CVE-2005-2919</cvename>
|
|
<cvename>CVE-2005-2920</cvename>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200509-13.xml</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-09-16</discovery>
|
|
<entry>2005-09-24</entry>
|
|
<modified>2005-10-22</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8f5dd74b-2c61-11da-a263-0001020eed82">
|
|
<topic>firefox & mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.7,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.12,2</lt></range>
|
|
<range><ge>1.8.*,2</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<range><lt>1.7.12</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These ports are obsolete. -->
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>ja-netscape7</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk1</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports of multiple
|
|
issues:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-58.html">
|
|
<h1>Heap overrun in XBM image processing</h1>
|
|
<p>jackerror reports that an improperly terminated XBM image
|
|
ending with space characters instead of the expected end
|
|
tag can lead to a heap buffer overrun. This appears to be
|
|
exploitable to install or run malicious code on the user's
|
|
machine.</p>
|
|
<p>Thunderbird does not support the XBM format and is not
|
|
affected by this flaw.</p>
|
|
<h1>Crash on "zero-width non-joiner" sequence</h1>
|
|
<p>Mats Palmgren discovered that a reported crash on Unicode
|
|
sequences with "zero-width non-joiner" characters was due
|
|
to stack corruption that may be exploitable.</p>
|
|
<h1>XMLHttpRequest header spoofing</h1>
|
|
<p>It was possible to add illegal and malformed headers to
|
|
an XMLHttpRequest. This could have been used to exploit
|
|
server or proxy flaws from the user's machine, or to fool
|
|
a server or proxy into thinking a single request was a
|
|
stream of separate requests. The severity of this
|
|
vulnerability depends on the value of servers which might
|
|
be vulnerable to HTTP request smuggling and similar
|
|
attacks, or which share an IP address (virtual hosting)
|
|
with the attacker's page.</p>
|
|
<p>For users connecting to the web through a proxy this flaw
|
|
could be used to bypass the same-origin restriction on
|
|
XMLHttpRequests by fooling the proxy into handling a
|
|
single request as multiple pipe-lined requests directed at
|
|
arbitrary hosts. This could be used, for example, to read
|
|
files on intranet servers behind a firewall.</p>
|
|
<h1>Object spoofing using XBL <implements></h1>
|
|
<p>moz_bug_r_a4 demonstrated a DOM object spoofing bug
|
|
similar to <a href="http://www.mozilla.org/security/announce/mfsa2005-55.html">MFSA
|
|
2005-55</a> using an XBL control that <implements>
|
|
an internal interface. The severity depends on the version
|
|
of Firefox: investigation so far indicates Firefox 1.0.x
|
|
releases don't expose any vulnerable functionality to
|
|
interfaces spoofed in this way, but that early Deer Park
|
|
Alpha 1 versions did.</p>
|
|
<p>XBL was changed to no longer allow unprivileged controls
|
|
from web content to implement XPCOM interfaces.</p>
|
|
<h1>JavaScript integer overflow</h1>
|
|
<p>Georgi Guninski reported an integer overflow in the
|
|
JavaScript engine. We presume this could be exploited to
|
|
run arbitrary code under favorable conditions.</p>
|
|
<h1>Privilege escalation using about: scheme</h1>
|
|
<p>heatsync and shutdown report two different ways to bypass
|
|
the restriction on loading high privileged "chrome" pages
|
|
from an unprivileged "about:" page. By itself this is
|
|
harmless--once the "about" page's privilege is raised the
|
|
original page no longer has access--but should this be
|
|
combined with a same-origin violation this could lead to
|
|
arbitrary code execution.</p>
|
|
<h1>Chrome window spoofing</h1>
|
|
<p>moz_bug_r_a4 demonstrates a way to get a blank "chrome"
|
|
canvas by opening a window from a reference to a closed
|
|
window. The resulting window is not privileged, but the
|
|
normal browser UI is missing and can be used to construct
|
|
a spoof page without any of the safety features of the
|
|
browser chrome designed to alert users to phishing sites,
|
|
such as the address bar and the status bar.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2701</cvename>
|
|
<cvename>CVE-2005-2702</cvename>
|
|
<cvename>CVE-2005-2703</cvename>
|
|
<cvename>CVE-2005-2704</cvename>
|
|
<cvename>CVE-2005-2705</cvename>
|
|
<cvename>CVE-2005-2706</cvename>
|
|
<cvename>CVE-2005-2707</cvename>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-58.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-09-22</discovery>
|
|
<entry>2005-09-23</entry>
|
|
<modified>2005-10-26</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2e28cefb-2aee-11da-a263-0001020eed82">
|
|
<topic>firefox & mozilla -- command line URL shell command injection</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.7,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.12,2</lt></range>
|
|
<range><ge>1.8.*,2</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<range><lt>1.7.12</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These ports are obsolete. -->
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>ja-netscape7</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk1</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/16869/">
|
|
<p>Peter Zelezny has discovered a vulnerability in Firefox,
|
|
which can be exploited by malicious people to compromise a
|
|
user's system.</p>
|
|
<p>The vulnerability is caused due to the shell script used
|
|
to launch Firefox parsing shell commands that are enclosed
|
|
within backticks in the URL provided via the command
|
|
line. This can e.g. be exploited to execute arbitrary
|
|
shell commands by tricking a user into following a
|
|
malicious link in an external application which uses
|
|
Firefox as the default browser.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2968</cvename>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=307185</url>
|
|
<url>http://secunia.com/advisories/16869/</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-59.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-09-06</discovery>
|
|
<entry>2005-09-22</entry>
|
|
<modified>2005-10-26</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e936d612-253f-11da-bc01-000e0c2e438a">
|
|
<topic>apache -- Certificate Revocation List (CRL) off-by-one vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><gt>2.*</gt><lt>2.0.54_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Marc Stern reports an off-by-one vulnerability in within
|
|
mod_ssl. The vulnerability lies in mod_ssl's Certificate
|
|
Revocation List (CRL). If Apache is configured to use a
|
|
CRL this could allow an attacker to crash a child process
|
|
causing a Denial of Service.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14366</bid>
|
|
<cvename>CVE-2005-1268</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-12</discovery>
|
|
<entry>2005-09-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7d52081f-2795-11da-bc01-000e0c2e438a">
|
|
<topic>squirrelmail -- _$POST variable handling allows for various attacks</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squirrelmail</name>
|
|
<name>ja-squirrelmail</name>
|
|
<range><ge>1.4.0</ge><lt>1.4.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Squirrelmail Advisory reports:</p>
|
|
<blockquote cite="http://www.squirrelmail.org/security/issue/2005-07-13">
|
|
<p>An extract($_POST) was done in options_identities.php which
|
|
allowed for an attacker to set random variables in that
|
|
file. This could lead to the reading (and possible
|
|
writing) of other people's preferences, cross site scripting
|
|
or writing files in webserver-writable locations.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14254</bid>
|
|
<cvename>CVE-2005-2095</cvename>
|
|
<url>http://www.squirrelmail.org/security/issue/2005-07-13</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-13</discovery>
|
|
<entry>2005-09-17</entry>
|
|
<modified>2005-09-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a863aa74-24be-11da-8882-000e0c33c2dc">
|
|
<topic>X11 server -- pixmap allocation vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>XFree86-Server</name>
|
|
<range><lt>4.5.0_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>xorg-server</name>
|
|
<range><lt>6.8.2_5</lt></range>
|
|
<range><gt>6.8.99</gt><lt>6.8.99.12_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Allocating large pixmaps by a client can trigger an integer
|
|
overflow in the X server, potentially leading to execution of
|
|
arbitrary code with elevated (root) privileges.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14807</bid>
|
|
<certvu>102441</certvu>
|
|
<cvename>CVE-2005-2495</cvename>
|
|
<url>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166856</url>
|
|
<url>https://bugs.freedesktop.org/show_bug.cgi?id=594</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-09-12</discovery>
|
|
<entry>2005-09-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9750cf22-216d-11da-bc01-000e0c2e438a">
|
|
<topic>unzip -- permission race vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>unzip</name>
|
|
<name>zh-unzip</name>
|
|
<name>ko-unzip</name>
|
|
<range><lt>5.52_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Imran Ghory reports a vulnerability within unzip. The
|
|
vulnerability is caused by a race condition between
|
|
extracting an archive and changing the permissions of the
|
|
extracted files. This would give an attacker enough time to
|
|
remove a file and hardlink it to another file owned by the
|
|
user running unzip. When unzip changes the permissions of
|
|
the file it could give the attacker access to files that
|
|
normally would not have been accessible for others.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14450</bid>
|
|
<cvename>CVE-2005-2475</cvename>
|
|
<mlist msgid="7389fc4b05080116031536adf7@mail.gmail.com">http://marc.theaimsgroup.com/?l=bugtraq&m=112300046224117</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-02</discovery>
|
|
<entry>2005-09-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8665ebb9-2237-11da-978e-0001020eed82">
|
|
<topic>firefox & mozilla -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.6_5,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.11_1,2</lt></range>
|
|
<range><ge>1.8.*,2</ge><lt>1.8.b1_5,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<range><lt>1.7.12</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These ports are obsolete. -->
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>ja-netscape7</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk1</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Tom Ferris reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=full-disclosure&m=112624614008387">
|
|
<p>A buffer overflow vulnerability exists within Firefox
|
|
version 1.0.6 and all other prior versions which allows
|
|
for an attacker to remotely execute arbitrary code on an
|
|
affected host.</p>
|
|
<p>The problem seems to be when a hostname which has all
|
|
dashes causes the NormalizeIDN call in
|
|
nsStandardURL::BuildNormalizedSpec to return true, but is
|
|
sets encHost to an empty string. Meaning, Firefox appends
|
|
0 to approxLen and then appends the long string of dashes
|
|
to the buffer instead.</p>
|
|
</blockquote>
|
|
<p><strong>Note:</strong> It is possible to disable IDN
|
|
support as a workaround to protect against this buffer
|
|
overflow. How to do this is described on the <em><a href="http://www.mozilla.org/security/idn.html">What Firefox
|
|
and Mozilla users should know about the IDN buffer overflow
|
|
security issue</a></em> web page.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14784</bid>
|
|
<certvu>573857</certvu>
|
|
<cvename>CVE-2005-2871</cvename>
|
|
<url>http://marc.theaimsgroup.com/?l=full-disclosure&m=112624614008387</url>
|
|
<url>http://www.mozilla.org/security/idn.html</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=307259</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-57.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-09-08</discovery>
|
|
<entry>2005-09-10</entry>
|
|
<modified>2005-10-26</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="673aec6f-1cae-11da-bc01-000e0c2e438a">
|
|
<topic>htdig -- cross site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>htdig</name>
|
|
<range><lt>3.2.0.b6_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Michael Krax reports a vulnerability within htdig. The
|
|
vulnerability lies within an unsanitized config parameter,
|
|
allowing a malicious attacker to execute arbitrary scripting
|
|
code on the target's browser. This might allow the attacker
|
|
to obtain the user's cookies which are associated with the
|
|
site, including cookies used for authentication.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12442</bid>
|
|
<cvename>CVE-2005-0085</cvename>
|
|
<url>http://www.securitytracker.com/alerts/2005/Feb/1013078.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-03</discovery>
|
|
<entry>2005-09-04</entry>
|
|
<modified>2005-09-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4e210d72-1c5c-11da-92ce-0048543d60ce">
|
|
<topic>squid -- Denial Of Service Vulnerability in sslConnectTimeout</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.10_5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The squid patches page notes:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-sslConnectTimeout">
|
|
<p>After certain slightly odd requests Squid crashes with a segmentation fault in sslConnectTimeout.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14731</bid>
|
|
<cvename>CVE-2005-2796</cvename>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-sslConnectTimeout</url>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1355</url>
|
|
<url>http://secunia.com/advisories/16674/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-21</discovery>
|
|
<entry>2005-09-04</entry>
|
|
<modified>2005-10-02</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0c0dc409-1c5e-11da-92ce-0048543d60ce">
|
|
<topic>squid -- Possible Denial Of Service Vulnerability in store.c</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.10_5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The squid patches page notes:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-STORE_PENDING">
|
|
<p>Squid crashes with the above assertion failure [assertion failed:
|
|
store.c:523: "e->store_status == STORE_PENDING"] in certain
|
|
conditions involving aborted requests.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14761</bid>
|
|
<cvename>CVE-2005-2794</cvename>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-STORE_PENDING</url>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1368</url>
|
|
<url>http://secunia.com/advisories/16708/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-02</discovery>
|
|
<entry>2005-09-04</entry>
|
|
<modified>2005-10-02</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="30e4ed7b-1ca6-11da-bc01-000e0c2e438a">
|
|
<topic>bind9 -- denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bind9</name>
|
|
<range><eq>9.3.0</eq></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.3</ge><lt>5.3_16</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem description</p>
|
|
<p>A DNSSEC-related validator function in BIND 9.3.0 contains an
|
|
inappropriate internal consistency test. When this test is
|
|
triggered, named(8) will exit.</p>
|
|
<p>Impact</p>
|
|
<p>On systems with DNSSEC enabled, a remote attacker may be able
|
|
to inject a specially crafted packet that will cause the
|
|
internal consistency test to trigger, and named(8) to
|
|
terminate. As a result, the name server will no longer be
|
|
available to service requests.</p>
|
|
<p>Workaround</p>
|
|
<p>DNSSEC is not enabled by default, and the "dnssec-enable"
|
|
directive is not normally present. If DNSSEC has been
|
|
enabled, disable it by changing the "dnssec-enable" directive
|
|
to "dnssec-enable no;" in the named.conf(5) configuration
|
|
file.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>938617</certvu>
|
|
<cvename>CVE-2005-0034</cvename>
|
|
<url>http://www.uniras.gov.uk/niscc/docs/al-20050125-00060.html?lang=en</url>
|
|
<url>http://www.isc.org/sw/bind/bind9.3.php#security</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-25</discovery>
|
|
<entry>2005-09-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="947f4b14-1c89-11da-bc01-000e0c2e438a">
|
|
<topic>bind -- buffer overrun vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bind84</name>
|
|
<range><ge>8.4.4</ge><lt>8.4.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An ISC advisory reports a buffer overrun vulnerability within
|
|
bind. The vulnerability could result in a Denial of Service.
|
|
A workaround is available by disabling recursion and glue
|
|
fetching.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>327633</certvu>
|
|
<cvename>CVE-2005-0033</cvename>
|
|
<url>http://www.uniras.gov.uk/niscc/docs/al-20050125-00059.html?lang=en</url>
|
|
<url>http://www.isc.org/sw/bind/bind-security.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-25</discovery>
|
|
<entry>2005-09-03</entry>
|
|
<modified>2005-09-21</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="08df5d46-1baf-11da-8038-0040f42d58c6">
|
|
<topic>urban -- stack overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>urban</name>
|
|
<range><lt>1.5.3_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Several filename-related stack overflow bugs allow a local
|
|
attacker to elevate its privileges to the games group, since
|
|
urban is installed setgid games.</p>
|
|
<p>Issue discovered and fixed by <shaun@rsc.cx>.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2864</cvename>
|
|
<mlist msgid="55104.213.107.125.108.1125844783.squirrel@webmail.rsc.cx">http://marc.theaimsgroup.com/?l=bugtraq&m=112604855119036</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-09-02</discovery>
|
|
<entry>2005-09-02</entry>
|
|
<modified>2005-09-22</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6e27f3b6-189b-11da-b6be-0090274e8dbb">
|
|
<topic>fswiki - command injection vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fswiki</name>
|
|
<range><lt>3.5.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>There is a command injection vulnerability in admin page
|
|
of fswiki.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://jvn.jp/jp/JVN%2342435855/index.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-29</discovery>
|
|
<entry>2005-08-29</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e5afdf63-1746-11da-978e-0001020eed82">
|
|
<topic>evolution -- remote format string vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>evolution</name>
|
|
<range><gt>1.5</gt><lt>2.2.3_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A SITIC Vulnerability Advisory reports:</p>
|
|
<blockquote cite="http://www.sitic.se/eng/advisories_and_recommendations/sa05-001.html">
|
|
<p>Evolution suffers from several format string bugs when
|
|
handling data from remote sources. These bugs lead to
|
|
crashes or the execution of arbitrary assembly language
|
|
code.</p>
|
|
<ol>
|
|
<li>The first format string bug occurs when viewing the
|
|
full vCard data attached to an e-mail message.</li>
|
|
<li>The second format string bug occurs when displaying
|
|
contact data from remote LDAP servers.</li>
|
|
<li>The third format string bug occurs when displaying
|
|
task list data from remote servers.</li>
|
|
<li>The fourth, and least serious, format string bug
|
|
occurs when the user goes to the Calendars tab to save
|
|
task list data that is vulnerable to problem 3
|
|
above. Other calendar entries that do not come from task
|
|
lists are also affected.</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14532</bid>
|
|
<cvename>CVE-2005-2549</cvename>
|
|
<cvename>CVE-2005-2550</cvename>
|
|
<url>http://www.sitic.se/eng/advisories_and_recommendations/sa05-001.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-10</discovery>
|
|
<entry>2005-08-27</entry>
|
|
<modified>2006-03-24</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="38c76fcf-1744-11da-978e-0001020eed82">
|
|
<topic>pam_ldap -- authentication bypass vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pam_ldap</name>
|
|
<range><lt>1.8.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Luke Howard reports:</p>
|
|
<blockquote cite="https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166163">
|
|
<p>If a pam_ldap client authenticates against an LDAP server
|
|
that returns a passwordPolicyResponse control, but omits
|
|
the optional "error" field of the
|
|
PasswordPolicyResponseValue, then the LDAP authentication
|
|
result will be ignored and the authentication step will
|
|
always succeed.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2641</cvename>
|
|
<certvu>778916</certvu>
|
|
<url>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166163</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-22</discovery>
|
|
<entry>2005-08-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b971d2a6-1670-11da-978e-0001020eed82">
|
|
<topic>pcre -- regular expression buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pcre</name>
|
|
<name>pcre-utf8</name>
|
|
<range><lt>6.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The pcre library is vulnerable to a buffer overflow
|
|
vulnerability due to insufficient validation of quantifier
|
|
values. This could lead execution of arbitrary code with
|
|
the permissions of the program using pcre by way of a
|
|
specially crated regular expression.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14620</bid>
|
|
<cvename>CVE-2005-2491</cvename>
|
|
<url>http://www.pcre.org/changelog.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-01</discovery>
|
|
<entry>2005-08-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f66e011d-13ff-11da-af41-0004614cc33d">
|
|
<topic>elm -- remote buffer overflow in Expires header</topic>
|
|
<affects>
|
|
<package>
|
|
<name>elm</name>
|
|
<range><lt>2.5.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ulf Harnhammar has discovered a remotely exploitable buffer
|
|
overflow in Elm e-mail client when parsing the Expires header
|
|
of an e-mail message:</p>
|
|
<blockquote cite="http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0688.html">
|
|
<p>The attacker only needs to send the victim an e-mail
|
|
message. When the victim with that message in his or her
|
|
inbox starts Elm or simply views the inbox in an already
|
|
started copy of Elm, the buffer overflow will happen
|
|
immediately. The overflow is stack-based, and it gives full
|
|
control over EIP, EBP and EBX. It is caused by a bad
|
|
sscanf(3) call, using a format string containing "%s"
|
|
to copy from a long char array to a shorter array.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0688.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-20</discovery>
|
|
<entry>2005-08-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5ad3e437-e527-4514-b9ed-280b2ca1a8c9">
|
|
<topic>openvpn -- multiple TCP clients connecting with the same certificate at the same time can crash the server</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openvpn</name>
|
|
<range><lt>2.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>James Yonan reports:</p>
|
|
<blockquote cite="http://openvpn.net/changelog.html">
|
|
<p>If two or more client machines try to connect to the server
|
|
at the same time via TCP, using the same client certificate,
|
|
and when --duplicate-cn is not enabled on the server, a race
|
|
condition can crash the server with "Assertion failed at
|
|
mtcp.c:411"</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2534</cvename>
|
|
<url>http://openvpn.net/changelog.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-03</discovery>
|
|
<entry>2005-08-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1986449a-8b74-40fa-b7cc-0d8def8aad65">
|
|
<topic>openvpn -- denial of service: malicious authenticated "tap" client can deplete server virtual memory</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openvpn</name>
|
|
<range><lt>2.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>James Yonan reports:</p>
|
|
<blockquote cite="http://openvpn.net/changelog.html">
|
|
<p>A malicious [authenticated] client in "dev tap"
|
|
ethernet bridging mode could theoretically flood the server
|
|
with packets appearing to come from hundreds of thousands
|
|
of different MAC addresses, causing the OpenVPN process to
|
|
deplete system virtual memory as it expands its internal
|
|
routing table.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2533</cvename>
|
|
<url>http://openvpn.net/changelog.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-27</discovery>
|
|
<entry>2005-08-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d1c39c8e-05ab-4739-870f-765490fa2052">
|
|
<topic>openvpn -- denial of service: undecryptable packet from authorized client can disconnect unrelated clients</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openvpn</name>
|
|
<range><lt>2.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>James Yonan reports:</p>
|
|
<blockquote cite="http://openvpn.net/changelog.html">
|
|
<p>If the client sends a packet which fails to decrypt on the
|
|
server, the OpenSSL error queue is not properly flushed,
|
|
which can result in another unrelated client instance on the
|
|
server seeing the error and responding to it, resulting in
|
|
disconnection of the unrelated client.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2532</cvename>
|
|
<url>http://openvpn.net/changelog.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-27</discovery>
|
|
<entry>2005-08-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a51ad838-2077-48b2-a136-e888a7db5f8d">
|
|
<topic>openvpn -- denial of service: client certificate validation can disconnect unrelated clients</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openvpn</name>
|
|
<range><lt>2.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>James Yonan reports:</p>
|
|
<blockquote cite="http://openvpn.net/changelog.html">
|
|
<p>DoS attack against server when run with "verb 0" and
|
|
without "tls-auth". If a client connection to the server
|
|
fails certificate verification, the OpenSSL error queue is
|
|
not properly flushed, which can result in another unrelated
|
|
client instance on the server seeing the error and
|
|
responding to it, resulting in disconnection of the
|
|
unrelated client.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2531</cvename>
|
|
<url>http://openvpn.net/changelog.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-03</discovery>
|
|
<entry>2005-08-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5fde5c30-0f4e-11da-bc01-000e0c2e438a">
|
|
<topic>tor -- diffie-hellman handshake flaw</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tor</name>
|
|
<range><lt>0.1.0.14</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A tor advisory reports</p>
|
|
<blockquote cite="http://archives.seul.org/or/announce/Aug-2005/msg00002.html">
|
|
<p>Tor clients can completely loose anonymity, confidentiality,
|
|
and data integrity if the first Tor server in their path is
|
|
malicious. Specifically, if the Tor client chooses a
|
|
malicious Tor server for her first hop in the circuit, that
|
|
server can learn all the keys she negotiates for the rest of
|
|
the circuit (or just spoof the whole circuit), and then read
|
|
and/or modify all her traffic over that circuit.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2643</cvename>
|
|
<url>http://archives.seul.org/or/announce/Aug-2005/msg00002.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-11</discovery>
|
|
<entry>2005-08-17</entry>
|
|
<modified>2005-09-21</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f74dc01b-0e83-11da-bc08-0001020eed82">
|
|
<topic>acroread -- plug-in buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>acroread</name>
|
|
<range><lt>7.0.1</lt></range>
|
|
<range><gt>5.*,1</gt><lt>7.0.1,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>acroread4</name>
|
|
<name>acroread5</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>acroread7</name>
|
|
<range><lt>7.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Adobe Security Advisory reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/techdocs/321644.html">
|
|
<p>The identified vulnerability is a buffer overflow within
|
|
a core application plug-in, which is part of Adobe Acrobat
|
|
and Adobe Reader. If a malicious file were opened it could
|
|
trigger a buffer overflow as the file is being loaded into
|
|
Adobe Acrobat and Adobe Reader. A buffer overflow can
|
|
cause the application to crash and increase the risk of
|
|
malicious code execution.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2470</cvename>
|
|
<url>http://www.adobe.com/support/techdocs/321644.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-16</discovery>
|
|
<entry>2005-08-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e65ad1bf-0d8b-11da-90d0-00304823c0d3">
|
|
<topic>pear-XML_RPC -- remote PHP code injection vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pear-XML_RPC</name>
|
|
<range><lt>1.4.0</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>phpmyfaq</name>
|
|
<range><lt>1.4.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>drupal</name>
|
|
<range><lt>4.6.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>eGroupWare</name>
|
|
<range><lt>1.0.0.009</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>phpAdsNew</name>
|
|
<range><lt>2.0.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>phpgroupware</name>
|
|
<range><lt>0.9.16.007</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>b2evolution</name>
|
|
<range><lt>0.9.0.12_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Hardened-PHP Project Security Advisory reports:</p>
|
|
<blockquote cite="http://www.hardened-php.net/advisory_142005.66.html">
|
|
<p>When the library parses XMLRPC requests/responses, it constructs
|
|
a string of PHP code, that is later evaluated. This means any
|
|
failure to properly handle the construction of this string can
|
|
result in arbitrary execution of PHP code.</p>
|
|
<p>This new injection vulnerability is cause by not properly
|
|
handling the situation, when certain XML tags are nested
|
|
in the parsed document, that were never meant to be nested
|
|
at all. This can be easily exploited in a way, that
|
|
user-input is placed outside of string delimiters within
|
|
the evaluation string, which obviously results in
|
|
arbitrary code execution.</p>
|
|
</blockquote>
|
|
<p>Note that several applications contains an embedded version
|
|
on XML_RPC, therefor making them the vulnerable to the same
|
|
code injection vulnerability.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2498</cvename>
|
|
<url>http://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1</url>
|
|
<url>http://downloads.phpgroupware.org/changelog</url>
|
|
<url>http://drupal.org/files/sa-2005-004/advisory.txt</url>
|
|
<url>http://phpadsnew.com/two/nucleus/index.php?itemid=45</url>
|
|
<url>http://sourceforge.net/project/shownotes.php?release_id=349626</url>
|
|
<url>http://www.hardened-php.net/advisory_142005.66.html</url>
|
|
<url>http://www.hardened-php.net/advisory_152005.67.html</url>
|
|
<url>http://www.phpmyfaq.de/advisory_2005-08-15.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-15</discovery>
|
|
<entry>2005-08-15</entry>
|
|
<modified>2005-09-04</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e86fbb5f-0d04-11da-bc08-0001020eed82">
|
|
<topic>awstats -- arbitrary code execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>awstats</name>
|
|
<range><lt>6.4_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE Security Advisory reports:</p>
|
|
<blockquote cite="http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities">
|
|
<p>Remote exploitation of an input validation vulnerability
|
|
in AWStats allows remote attackers to execute arbitrary
|
|
commands.</p>
|
|
|
|
<p>The problem specifically exists because of insufficient
|
|
input filtering before passing user-supplied data to an
|
|
<code>eval()</code> function. As part of the statistics
|
|
reporting function, AWStats displays information about the
|
|
most common referrer values that caused users to visit the
|
|
website. The referrer data is used without proper
|
|
sanitation in an <code>eval()</code> statement, resulting
|
|
in the execution of arbitrary perl code.</p>
|
|
|
|
<p>Successful exploitation results in the execution of
|
|
arbitrary commands with permissions of the web
|
|
service. Exploitation will not occur until the stats page
|
|
has been regenerated with the tainted referrer values from
|
|
the http access log. Note that AWStats is only vulnerable
|
|
in situations where at least one URLPlugin is enabled.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1527</cvename>
|
|
<mlist msgid="20050811155502.61E3C7A00B4@mail.idefense.com">http://marc.theaimsgroup.com/?l=full-disclosure&m=112377934108902</mlist>
|
|
<url>http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-09</discovery>
|
|
<entry>2005-08-14</entry>
|
|
<modified>2005-08-23</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3b4a6982-0b24-11da-bc08-0001020eed82">
|
|
<topic>libgadu -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>1.4.0_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>kdenetwork</name>
|
|
<range><gt>3.2.2</gt><lt>3.4.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>pl-ekg</name>
|
|
<range><lt>1.6r3,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>centericq</name>
|
|
<range><lt>4.21.0_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Wojtek Kaniewski reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=112198499417250">
|
|
<p>Multiple vulnerabilities have been found in libgadu, a
|
|
library for handling Gadu-Gadu instant messaging
|
|
protocol. It is a part of ekg, a Gadu-Gadu client, but is
|
|
widely used in other clients. Also some of the user
|
|
contributed scripts were found to behave in an insecure
|
|
manner.</p>
|
|
<ul>
|
|
<li>integer overflow in libgadu (CVE-2005-1852) that could
|
|
be triggered by an incomming message and lead to
|
|
application crash and/or remote code execution</li>
|
|
<li>insecure file creation (CVE-2005-1850) and shell
|
|
command injection (CVE-2005-1851) in other user
|
|
contributed scripts (discovered by Marcin Owsiany and
|
|
Wojtek Kaniewski)</li>
|
|
<li>several signedness errors in libgadu that could be
|
|
triggered by an incomming network data or an application
|
|
passing invalid user input to the library</li>
|
|
<li>memory alignment errors in libgadu that could be
|
|
triggered by an incomming message and lead to bus errors
|
|
on architectures like SPARC</li>
|
|
<li>endianness errors in libgadu that could cause invalid
|
|
behaviour of applications on big-endian
|
|
architectures</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14345</bid>
|
|
<cvename>CVE-2005-1850</cvename>
|
|
<cvename>CVE-2005-1851</cvename>
|
|
<cvename>CVE-2005-1852</cvename>
|
|
<cvename>CVE-2005-2369</cvename>
|
|
<cvename>CVE-2005-2370</cvename>
|
|
<cvename>CVE-2005-2448</cvename>
|
|
<mlist msgid="42DFF06F.7060005@toxygen.net">http://marc.theaimsgroup.com/?l=bugtraq&m=112198499417250</mlist>
|
|
<url>http://gaim.sourceforge.net/security/?id=20</url>
|
|
<url>http://www.kde.org/info/security/advisory-20050721-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-21</discovery>
|
|
<entry>2005-08-12</entry>
|
|
<modified>2005-10-23</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="09db2844-0b21-11da-bc08-0001020eed82">
|
|
<topic>gaim -- AIM/ICQ non-UTF-8 filename crash</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>1.4.0_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The GAIM team reports:</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/?id=21">
|
|
<p>A remote user could cause Gaim to crash on some systems
|
|
by sending the Gaim user a file whose filename contains
|
|
certain invalid characters. It is unknown what combination
|
|
of systems are affected, but it is suspected that Windows
|
|
users and systems with older versions of GTK+ are
|
|
especially susceptible.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2102</cvename>
|
|
<url>http://gaim.sourceforge.net/security/?id=21</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-09</discovery>
|
|
<entry>2005-08-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6d1761d2-0b23-11da-bc08-0001020eed82">
|
|
<topic>gaim -- AIM/ICQ away message buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>1.4.0_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The GAIM team reports:</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/?id=22">
|
|
<p>A remote AIM or ICQ user can cause a buffer overflow in
|
|
Gaim by setting an away message containing many AIM
|
|
substitution strings (such as %t or %n).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2103</cvename>
|
|
<url>http://gaim.sourceforge.net/security/?id=22</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-09</discovery>
|
|
<entry>2005-08-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="24eee285-09c7-11da-bc08-0001020eed82">
|
|
<topic>xpdf -- disk fill DoS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xpdf</name>
|
|
<range><lt>3.00_7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>kdegraphics</name>
|
|
<range><lt>3.4.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gpdf</name>
|
|
<range><lt>2.10.0_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>cups-base</name>
|
|
<range><lt>1.1.23.0_5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>xpdf is vulnerable to a denial of service vulnerability
|
|
which can cause xpdf to create an infinitely large file,
|
|
thereby filling up the /tmp partition, when opening a
|
|
specially crafted PDF file.</p>
|
|
<p>Note that several applications contains an embedded version
|
|
of xpdf, therefor making them the vulnerable to the same
|
|
DoS. In CUPS this vulnerability would cause the pdftops
|
|
filter to crash.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14529</bid>
|
|
<cvename>CVE-2005-2097</cvename>
|
|
<url>http://rhn.redhat.com/errata/RHSA-2005-670.html</url>
|
|
<url>http://www.kde.org/info/security/advisory-20050809-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-09</discovery>
|
|
<entry>2005-08-12</entry>
|
|
<modified>2005-09-07</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d7cd5015-08c9-11da-bc08-0001020eed82">
|
|
<topic>gforge -- XSS and email flood vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gforge</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jose Antonio Coret reports that GForge contains multiple
|
|
Cross Site Scripting vulnerabilities and an e-mail flood
|
|
vulnerability:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=112259845904350">
|
|
<p>The login form is also vulnerable to XSS (Cross Site
|
|
Scripting) attacks. This may be used to launch phising
|
|
attacks by sending HTML e-mails (i.e.: saying that you
|
|
need to upgrade to the latest GForge version due to a
|
|
security problem) and putting in the e-mail an HTML link
|
|
that points to an specially crafted url that inserts an
|
|
html form in the GForge login page and when the user press
|
|
the login button, he/she send the credentials to the
|
|
attackers website.</p>
|
|
|
|
<p>The 'forgot your password?' feature allows a remote user
|
|
to load a certain URL to cause the service to send a
|
|
validation e-mail to the specified user's e-mail address.
|
|
There is no limit to the number of messages sent over a
|
|
period of time, so a remote user can flood the target
|
|
user's secondary e-mail address. E-Mail Flood, E-Mail
|
|
bomber.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14405</bid>
|
|
<cvename>CVE-2005-2430</cvename>
|
|
<cvename>CVE-2005-2431</cvename>
|
|
<mlist msgid="1122496636.26878.2.camel@localhost.localdomain">http://marc.theaimsgroup.com/?l=bugtraq&m=112259845904350</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-27</discovery>
|
|
<entry>2005-08-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0274a9f1-0759-11da-bc08-0001020eed82">
|
|
<topic>postnuke -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>postnuke</name>
|
|
<range><lt>0.760</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Postnuke Security Announcementss reports of the following
|
|
vulnerabilities:</p>
|
|
<blockquote cite="http://news.postnuke.com/Article2691.html">
|
|
<ul>
|
|
<li>missing input validation within /modules/Messages/readpmsg.php</li>
|
|
<li>possible path disclosure within /user.php</li>
|
|
<li>possible path disclosure within /modules/News/article.php</li>
|
|
<li>possible remote code injection within /includes/pnMod.php</li>
|
|
<li>possible cross-site-scripting in /index.php</li>
|
|
</ul>
|
|
</blockquote>
|
|
<blockquote cite="http://news.postnuke.com/Article2699.html">
|
|
<ul>
|
|
<li>remote code injection via xml rpc library</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1621</cvename>
|
|
<cvename>CVE-2005-1695</cvename>
|
|
<cvename>CVE-2005-1696</cvename>
|
|
<cvename>CVE-2005-1698</cvename>
|
|
<cvename>CVE-2005-1777</cvename>
|
|
<cvename>CVE-2005-1778</cvename>
|
|
<cvename>CVE-2005-1921</cvename>
|
|
<mlist msgid="20050527223753.21735.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=111721364707520</mlist>
|
|
<url>http://secunia.com/advisories/15450/</url>
|
|
<url>http://news.postnuke.com/Article2691.html</url>
|
|
<url>http://news.postnuke.com/Article2699.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-27</discovery>
|
|
<entry>2005-08-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0bf9d7fb-05b3-11da-bc08-0001020eed82">
|
|
<topic>mambo -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mambo</name>
|
|
<range><lt>4.5.2.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/15710/">
|
|
<p>Some vulnerabilities have been reported in Mambo, where
|
|
some have unknown impacts and others can be exploited by
|
|
malicious people to conduct spoofing and SQL injection
|
|
attacks.</p>
|
|
<ol>
|
|
<li>Input passed to the "user_rating" parameter when
|
|
voting isn't properly sanitised before being used in a
|
|
SQL query. This can be exploited to manipulate SQL
|
|
queries by injecting arbitrary SQL code.</li>
|
|
<li>Some unspecified vulnerabilities in the "mosDBTable"
|
|
class and the "DOMIT" library have an unknown
|
|
impact.</li>
|
|
<li>An unspecified error in the "administrator/index3.php"
|
|
script can be exploited to spoof session IDs.</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13966</bid>
|
|
<cvename>CVE-2005-2002</cvename>
|
|
<url>http://secunia.com/advisories/15710/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-15</discovery>
|
|
<entry>2005-08-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2b6e47b1-0598-11da-86bc-000e0c2e438a">
|
|
<topic>ipsec -- Incorrect key usage in AES-XCBC-MAC</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.4</ge><lt>5.4_6</lt></range>
|
|
<range><ge>5.*</ge><lt>5.3_20</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem description</h1>
|
|
<p>A programming error in the implementation of the
|
|
AES-XCBC-MAC algorithm for authentication resulted in a
|
|
constant key being used instead of the key specified by the
|
|
system administrator.</p>
|
|
<h1>Impact</h1>
|
|
<p>If the AES-XCBC-MAC algorithm is used for authentication in
|
|
the absence of any encryption, then an attacker may be able to
|
|
forge packets which appear to originate from a different
|
|
system and thereby succeed in establishing an IPsec session.
|
|
If access to sensitive information or systems is controlled
|
|
based on the identity of the source system, this may result
|
|
in information disclosure or privilege escalation.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2359</cvename>
|
|
<freebsdsa>SA-05:19.ipsec</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-27</discovery>
|
|
<entry>2005-08-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="837b9fb2-0595-11da-86bc-000e0c2e438a">
|
|
<topic>zlib -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux_base-suse</name>
|
|
<range><lt>9.3_1</lt></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.4</ge><lt>5.4_6</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_20</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem description</h1>
|
|
<p>A fixed-size buffer is used in the decompression of data
|
|
streams. Due to erronous analysis performed when zlib was
|
|
written, this buffer, which was belived to be sufficiently
|
|
large to handle any possible input stream, is in fact too
|
|
small.</p>
|
|
<h1>Impact</h1>
|
|
<p>A carefully constructed compressed data stream can result in
|
|
zlib overwriting some data structures. This may cause
|
|
applications to halt, resulting in a denial of service; or
|
|
it may result in an attacker gaining elevated privileges.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1849</cvename>
|
|
<freebsdsa>SA-05:18.zlib</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-27</discovery>
|
|
<entry>2005-08-05</entry>
|
|
<modified>2005-09-24</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7257b26f-0597-11da-86bc-000e0c2e438a">
|
|
<topic>devfs -- ruleset bypass</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.4</ge><lt>5.4_5</lt></range>
|
|
<range><ge>5.*</ge><lt>5.3_19</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem description</h1>
|
|
<p>Due to insufficient parameter checking of the node type
|
|
during device creation, any user can expose hidden device
|
|
nodes on devfs mounted file systems within their jail.
|
|
Device nodes will be created in the jail with their normal
|
|
default access permissions.</p>
|
|
<h1>Impact</h1>
|
|
<p>Jailed processes can get access to restricted resources on
|
|
the host system. For jailed processes running with superuser
|
|
privileges this implies access to all devices on the system.
|
|
This level of access can lead to information leakage and
|
|
privilege escalation.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2218</cvename>
|
|
<freebsdsa>SA-05:17.devfs</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-20</discovery>
|
|
<entry>2005-08-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c28f4705-043f-11da-bc08-0001020eed82">
|
|
<topic>proftpd -- format string vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>proftpd</name>
|
|
<name>proftpd-mysql</name>
|
|
<range><lt>1.3.0.rc2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The ProFTPD release notes states:</p>
|
|
<blockquote cite="http://www.proftpd.org/docs/RELEASE_NOTES-1.3.0rc2">
|
|
<p>sean <infamous42md at hotpop.com> found two format
|
|
string vulnerabilities, one in mod_sql's SQLShowInfo
|
|
directive, and one involving the 'ftpshut' utility. Both
|
|
can be considered low risk, as they require active
|
|
involvement on the part of the site administrator in order
|
|
to be exploited.</p>
|
|
</blockquote>
|
|
<p>These vulnerabilities could potentially lead to information
|
|
disclosure, a denial-of-server situation, or execution of
|
|
arbitrary code with the permissions of the user running
|
|
ProFTPD.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2390</cvename>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200508-02.xml</url>
|
|
<url>http://www.proftpd.org/docs/RELEASE_NOTES-1.3.0rc2</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-26</discovery>
|
|
<entry>2005-08-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="debbb39c-fdb3-11d9-a30d-00b0d09acbfc">
|
|
<topic>nbsmtp -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>nbsmtp</name>
|
|
<range><lt>0.99_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When nbsmtp is executed in debug mode, server messages
|
|
will be printed to stdout and logged via syslog. Syslog is
|
|
used insecurely and user-supplied format characters are
|
|
directly fed to the syslog function, which results in a
|
|
format string vulnerability.</p>
|
|
<p>Under some circumstances, an SMTP server may be able to
|
|
abuse this vulnerability in order to alter the nbsmtp
|
|
process and execute malicious code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://people.freebsd.org/~niels/issues/nbsmtp-20050726.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-25</discovery>
|
|
<entry>2005-08-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b1e8c810-01d0-11da-bc08-0001020eed82">
|
|
<topic>sylpheed -- MIME-encoded file name buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sylpheed</name>
|
|
<name>sylpheed-gtk2</name>
|
|
<name>sylpheed-claws</name>
|
|
<range><lt>1.0.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Sylpheed is vulnerable to a buffer overflow when displaying
|
|
emails with attachments that have MIME-encoded file names.
|
|
This could be used by a remote attacker to crash sylpheed
|
|
potentially allowing execution of arbitrary code with the
|
|
permissions of the user running sylpheed.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12934</bid>
|
|
<cvename>CVE-2005-0926</cvename>
|
|
<url>http://sylpheed.good-day.net/changelog.html.en</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-29</discovery>
|
|
<entry>2005-07-31</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="58247a96-01c8-11da-bc08-0001020eed82">
|
|
<topic>phpmyadmin -- cross site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpmyadmin</name>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>2.6.2.r1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A phpMyAdmin security announcement reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3">
|
|
<p>The convcharset parameter was not correctly validated,
|
|
opening the door to a XSS attack. </p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12982</bid>
|
|
<cvename>CVE-2005-0992</cvename>
|
|
<mlist msgid="4f9e4516050404101223fbdeed@mail.gmail.com">http://marc.theaimsgroup.com/?l=bugtraq&m=111264361622660</mlist>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-03</discovery>
|
|
<entry>2005-07-31</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8375a73f-01bf-11da-bc08-0001020eed82">
|
|
<topic>gnupg -- OpenPGP symmetric encryption vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnupg</name>
|
|
<range><lt>1.4.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>p5-Crypt-OpenPGP</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>pgp</name>
|
|
<range><ge>3.0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Serge Mister and Robert Zuccherato reports that the OpenPGP
|
|
protocol is vulnerable to a cryptographic attack when using
|
|
symmetric encryption in an automated way.</p>
|
|
<p>David Shaw reports about the impact:</p>
|
|
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2005q1/000191.html">
|
|
<p>This attack, while very significant from a cryptographic
|
|
point of view, is not generally effective in the real
|
|
world. To be specific, unless you have your OpenPGP
|
|
program set up as part of an automated system to accept
|
|
encrypted messages, decrypt them, and then provide a
|
|
response to the submitter, then this does not affect you
|
|
at all.</p>
|
|
</blockquote>
|
|
<p>Note that the <q>fix</q> in GnuPG does note completely
|
|
eliminate the potential problem:</p>
|
|
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2005q1/000191.html">
|
|
<p>These patches disable a portion of the OpenPGP protocol
|
|
that the attack is exploiting. This change should not be
|
|
user visible. With the patch in place, this attack will
|
|
not work using a public-key encrypted message. It will
|
|
still work using a passphrase-encrypted message.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>303094</certvu>
|
|
<cvename>CVE-2005-0366</cvename>
|
|
<url>http://eprint.iacr.org/2005/033</url>
|
|
<url>http://lists.gnupg.org/pipermail/gnupg-announce/2005q1/000191.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-08</discovery>
|
|
<entry>2005-07-31</entry>
|
|
<modified>2005-08-03</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="81f127a8-0038-11da-86bc-000e0c2e438a">
|
|
<topic>vim -- vulnerabilities in modeline handling: glob, expand</topic>
|
|
<affects>
|
|
<package>
|
|
<name>vim</name>
|
|
<name>vim-lite</name>
|
|
<name>vim+ruby</name>
|
|
<range><ge>6.3</ge><lt>6.3.82</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Georgi Guninski discovered a way to construct Vim modelines
|
|
that execute arbitrary shell commands. The vulnerability
|
|
can be exploited by including shell commands in modelines
|
|
that call the glob() or expand() functions. An attacker
|
|
could trick an user to read or edit a trojaned file with
|
|
modelines enabled, after which the attacker is able to
|
|
execute arbitrary commands with the privileges of the user.</p>
|
|
<p><strong>Note:</strong> It is generally recommended that VIM
|
|
users use <code>set nomodeline</code> in
|
|
<code>~/.vimrc</code> to avoid the possibility of trojaned
|
|
text files.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14374</bid>
|
|
<cvename>CVE-2005-2368</cvename>
|
|
<url>http://www.guninski.com/where_do_you_want_billg_to_go_today_5.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-25</discovery>
|
|
<entry>2005-07-31</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="68222076-010b-11da-bc08-0001020eed82">
|
|
<topic>tiff -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tiff</name>
|
|
<range><lt>3.7.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-tiff</name>
|
|
<range><lt>3.6.1_3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>pdflib</name>
|
|
<name>pdflib-perl</name>
|
|
<range><lt>6.0.1_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gdal</name>
|
|
<range><lt>1.2.1_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ivtools</name>
|
|
<range><lt>1.2.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>paraview</name>
|
|
<range><lt>2.4.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>fractorama</name>
|
|
<range><lt>1.6.7_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>iv</name>
|
|
<name>ja-iv</name>
|
|
<name>ja-libimg</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Gentoo Linux Security Advisory reports:</p>
|
|
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200505-07.xml">
|
|
<p>Tavis Ormandy of the Gentoo Linux Security Audit Team
|
|
discovered a stack based buffer overflow in the libTIFF
|
|
library when reading a TIFF image with a malformed
|
|
BitsPerSample tag.</p>
|
|
<p>Successful exploitation would require the victim to open
|
|
a specially crafted TIFF image, resulting in the execution
|
|
of arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1544</cvename>
|
|
<url>http://bugzilla.remotesensing.org/show_bug.cgi?id=843</url>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200505-07.xml</url>
|
|
<url>http://www.remotesensing.org/libtiff/v3.7.3.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-10</discovery>
|
|
<entry>2005-07-30</entry>
|
|
<modified>2006-06-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="934b1de4-00d7-11da-bc08-0001020eed82">
|
|
<topic>opera -- image dragging vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-opera</name>
|
|
<name>opera-devel</name>
|
|
<name>opera</name>
|
|
<range><lt>8.02</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/15756/">
|
|
<p>Secunia Research has discovered a vulnerability in Opera,
|
|
which can be exploited by malicious people to conduct
|
|
cross-site scripting attacks and retrieve a user's
|
|
files.</p>
|
|
<p>The vulnerability is caused due to Opera allowing a user
|
|
to drag e.g. an image, which is actually a "javascript:"
|
|
URI, resulting in cross-site scripting if dropped over
|
|
another site. This may also be used to populate a file
|
|
upload form, resulting in uploading of arbitrary files to
|
|
a malicious web site.</p>
|
|
<p>Successful exploitation requires that the user is tricked
|
|
into dragging and dropping e.g. an image or a link.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/15756/</url>
|
|
<url>http://www.opera.com/freebsd/changelogs/802/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-28</discovery>
|
|
<entry>2005-07-30</entry>
|
|
<modified>2006-06-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a2aa24fd-00d4-11da-bc08-0001020eed82">
|
|
<topic>opera -- download dialog spoofing vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-opera</name>
|
|
<name>opera-devel</name>
|
|
<name>opera</name>
|
|
<range><lt>8.02</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/15870/">
|
|
<p>Secunia Research has discovered a vulnerability in Opera,
|
|
which can be exploited by malicious people to trick users
|
|
into executing malicious files.</p>
|
|
<p>The vulnerability is caused due to an error in the
|
|
handling of extended ASCII codes in the download
|
|
dialog. This can be exploited to spoof the file extension
|
|
in the file download dialog via a specially crafted
|
|
"Content-Disposition" HTTP header.</p>
|
|
<p>Successful exploitation may result in users being tricked
|
|
into executing a malicious file via the download dialog,
|
|
but requires that the "Arial Unicode MS" font
|
|
(ARIALUNI.TTF) has been installed on the system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/15870/</url>
|
|
<url>http://www.opera.com/freebsd/changelogs/802/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-28</discovery>
|
|
<entry>2005-07-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5d51d245-00ca-11da-bc08-0001020eed82">
|
|
<topic>ethereal -- multiple protocol dissectors vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ethereal</name>
|
|
<name>ethereal-lite</name>
|
|
<name>tethereal</name>
|
|
<name>tethereal-lite</name>
|
|
<range><ge>0.8.5</ge><lt>0.10.12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An Ethreal Security Advisories reports:</p>
|
|
<blockquote cite="http://www.ethereal.com/appnotes/enpa-sa-00020.html">
|
|
<p>Our testing program has turned up several more security
|
|
issues:</p>
|
|
<ul>
|
|
<li>The LDAP dissector could free static memory and crash.</li>
|
|
<li>The AgentX dissector could crash.</li>
|
|
<li>The 802.3 dissector could go into an infinite loop.</li>
|
|
<li>The PER dissector could abort.</li>
|
|
<li>The DHCP dissector could go into an infinite loop.</li>
|
|
<li>The BER dissector could abort or loop infinitely.</li>
|
|
<li>The MEGACO dissector could go into an infinite loop.</li>
|
|
<li>The GIOP dissector could dereference a null pointer.</li>
|
|
<li>The SMB dissector was susceptible to a buffer overflow.</li>
|
|
<li>The WBXML could dereference a null pointer.</li>
|
|
<li>The H1 dissector could go into an infinite loop.</li>
|
|
<li>The DOCSIS dissector could cause a crash.</li>
|
|
<li>The SMPP dissector could go into an infinite loop.</li>
|
|
<li>SCTP graphs could crash.</li>
|
|
<li>The HTTP dissector could crash.</li>
|
|
<li>The SMB dissector could go into a large loop.</li>
|
|
<li>The DCERPC dissector could crash.</li>
|
|
<li>Several dissectors could crash while reassembling packets.</li>
|
|
</ul>
|
|
<p>Steve Grubb at Red Hat found the following issues:</p>
|
|
<ul>
|
|
<li>The CAMEL dissector could dereference a null pointer.</li>
|
|
<li>The DHCP dissector could crash.</li>
|
|
<li>The CAMEL dissector could crash.</li>
|
|
<li>The PER dissector could crash.</li>
|
|
<li>The RADIUS dissector could crash.</li>
|
|
<li>The Telnet dissector could crash.</li>
|
|
<li>The IS-IS LSP dissector could crash.</li>
|
|
<li>The NCP dissector could crash.</li>
|
|
</ul>
|
|
<p>iDEFENSE found the following issues:</p>
|
|
<ul>
|
|
<li>Several dissectors were susceptible to a format string
|
|
overflow.</li>
|
|
</ul>
|
|
<h1>Impact:</h1>
|
|
<p>It may be possible to make Ethereal crash, use up
|
|
available memory, or run arbitrary code by injecting a
|
|
purposefully malformed packet onto the wire or by
|
|
convincing someone to read a malformed packet trace
|
|
file.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.ethereal.com/appnotes/enpa-sa-00020.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-26</discovery>
|
|
<entry>2005-07-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="651996e0-fe07-11d9-8329-000e0c2e438a">
|
|
<topic>apache -- http request smuggling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><lt>1.3.33_2</lt></range>
|
|
<range><gt>2.*</gt><lt>2.0.54_1</lt></range>
|
|
<range><gt>2.1.0</gt><lt>2.1.6_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+ssl</name>
|
|
<range><lt>1.3.33.1.55_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+mod_perl</name>
|
|
<range><lt>1.3.33_3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+mod_ssl</name>
|
|
<name>apache+mod_ssl+ipv6</name>
|
|
<name>apache+mod_ssl+mod_accel</name>
|
|
<name>apache+mod_ssl+mod_accel+ipv6</name>
|
|
<name>apache+mod_ssl+mod_accel+mod_deflate</name>
|
|
<name>apache+mod_ssl+mod_accel+mod_deflate+ipv6</name>
|
|
<name>apache+mod_ssl+mod_deflate</name>
|
|
<name>apache+mod_ssl+mod_deflate+ipv6</name>
|
|
<name>apache+mod_ssl+mod_snmp</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_accel</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_accel+ipv6</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_deflate</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_deflate+ipv6</name>
|
|
<name>apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6</name>
|
|
<range><lt>1.3.33+2.8.22_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache_fp</name>
|
|
<name>apache+ipv6</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-apache</name>
|
|
<range><lt>1.3.34+30.22</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-apache+mod_ssl</name>
|
|
<range><lt>1.3.34+30.22+2.8.25</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Watchfire whitepaper reports an vulnerability in the
|
|
Apache webserver. The vulnerability can be exploited by
|
|
malicious people causing cross site scripting, web cache
|
|
poisoining, session hijacking and most importantly the
|
|
ability to bypass web application firewall protection.
|
|
Exploiting this vulnerability requires multiple carefully
|
|
crafted HTTP requests, taking advantage of an caching server,
|
|
proxy server, web application firewall etc. This only affects
|
|
installations where Apache is used as HTTP proxy in
|
|
combination with the following web servers:</p>
|
|
<ul>
|
|
<li>IIS/6.0 and 5.0</li>
|
|
<li>Apache 2.0.45 (as web server)</li>
|
|
<li>apache 1.3.29</li>
|
|
<li>WebSphere 5.1 and 5.0</li>
|
|
<li>WebLogic 8.1 SP1</li>
|
|
<li>Oracle9iAS web server 9.0.2</li>
|
|
<li>SunONE web server 6.1 SP4</li>
|
|
</ul>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14106</bid>
|
|
<cvename>CVE-2005-2088</cvename>
|
|
<url>http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-25</discovery>
|
|
<entry>2005-07-26</entry>
|
|
<modified>2005-12-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1db7ecf5-fd24-11d9-b4d6-0007e900f87b">
|
|
<topic>clamav -- multiple remote buffer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>clamav</name>
|
|
<range><lt>0.86.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>clamav-devel</name>
|
|
<range><le>20050704</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/16180/">
|
|
<p>Neel Mehta and Alex Wheeler have reported some
|
|
vulnerabilities in Clam AntiVirus, which can be exploited
|
|
by malicious people to cause a DoS (Denial of Service)
|
|
or compromise a vulnerable system.</p>
|
|
<ol>
|
|
<li>Two integer overflow errors in "libclamav/tnef.c"
|
|
when processing TNEF files can be exploited to cause
|
|
a heap-based buffer overflow via a specially crafted
|
|
TNEF file with a length value of -1 in the header.</li>
|
|
<li>An integer overflow error in "libclamav/chmunpack.c"
|
|
can be exploited to cause a heap-based buffer overflow
|
|
via a specially crafted CHM file with a chunk entry that
|
|
has a filename length of -1.</li>
|
|
<li>A boundary error in "libclamav/fsg.c" when
|
|
processing a FSG compressed file can cause a heap-based
|
|
buffer overflow.</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.rem0te.com/public/images/clamav.pdf</url>
|
|
<url>http://secunia.com/advisories/16180/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-24</discovery>
|
|
<entry>2005-07-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ccd325d2-fa08-11d9-bc08-0001020eed82">
|
|
<topic>isc-dhcpd -- format string vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>isc-dhcp3-client</name>
|
|
<name>isc-dhcp3-devel</name>
|
|
<name>isc-dhcp3-relay</name>
|
|
<name>isc-dhcp3-server</name>
|
|
<name>isc-dhcp3</name>
|
|
<name>isc-dhcp</name>
|
|
<name>isc-dhcpd</name>
|
|
<range><lt>3.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The ISC DHCP programs are vulnerable to several format
|
|
string vulnerabilities which may allow a remote attacker to
|
|
execute arbitrary code with the permissions of the DHCP
|
|
programs, typically root for the DHCP server.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>11591</bid>
|
|
<certvu>448384</certvu>
|
|
<cvename>CVE-2004-1006</cvename>
|
|
<mlist msgid="20041109003345.GG763@isc.org">http://marc.theaimsgroup.com/?l=dhcp-announce&m=109996073218290</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-08</discovery>
|
|
<entry>2005-07-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b4892b5b-fb1c-11d9-96ba-00909925db3e">
|
|
<topic>egroupware -- multiple cross-site scripting (XSS) and SQL injection vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>egroupware</name>
|
|
<range><lt>1.0.0.007</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Multiple cross-site scripting (XSS) vulnerabilities in eGroupware
|
|
before 1.0.0.007 allow remote attackers to inject arbitrary web
|
|
script or HTML via the (1) ab_id, (2) page, (3) type,
|
|
or (4) lang parameter to index.php or (5) category_id parameter.
|
|
</p>
|
|
<p>Multiple SQL injection vulnerabilities in index.php in eGroupware
|
|
before 1.0.0.007 allow remote attackers to execute arbitrary SQL
|
|
commands via the (1) filter or (2) cats_app parameter.
|
|
</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1202</cvename>
|
|
<cvename>CVE-2005-1203</cvename>
|
|
<url>http://sourceforge.net/project/shownotes.php?release_id=320768</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-20</discovery>
|
|
<entry>2005-07-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3f4ac724-fa8b-11d9-afcf-0060084a00e5">
|
|
<topic>fetchmail -- denial of service/crash from malicious POP3 server</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fetchmail</name>
|
|
<range><eq>6.2.5.1</eq></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>In fetchmail 6.2.5.1, the the remote code injection via
|
|
POP3 UIDL was fixed, but a denial of service attack was
|
|
introduced:</p>
|
|
<p>Two possible NULL-pointer dereferences allow a malicous
|
|
POP3 server to crash fetchmail by respondig with UID lines
|
|
containing only the article number but no UID (in violation
|
|
of RFC-1939), or a message without Message-ID when no UIDL
|
|
support is available.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="20050721172317.GB3071@amilo.ms.mff.cuni.cz">http://lists.berlios.de/pipermail/fetchmail-devel/2005-July/000397.html</mlist>
|
|
<url>http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-21</discovery>
|
|
<entry>2005-07-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e72fd82b-fa01-11d9-bc08-0001020eed82">
|
|
<topic>dnrd -- remote buffer and stack overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>dnrd</name>
|
|
<range><lt>2.19.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Natanael Copa reports that dnrd is vulnerable to a remote
|
|
buffer overflow and a remote stack overflow. These
|
|
vulnerabilities can be triggered by sending invalid DNS
|
|
packets to dnrd.</p>
|
|
<p>The buffer overflow could potentially be used to execute
|
|
arbitrary code with the permissions of the dnrd daemon.
|
|
Note that dnrd runs in an chroot environment and runs as
|
|
non-root.</p>
|
|
<p>The stack overflow vulnerability can cause dnrd to
|
|
crash.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2315</cvename>
|
|
<cvename>CVE-2005-2316</cvename>
|
|
<freebsdpr>ports/83851</freebsdpr>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-21</discovery>
|
|
<entry>2005-07-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="43a7b0a7-f9bc-11d9-b473-00061bc2ad93">
|
|
<topic>PowerDNS -- LDAP backend fails to escape all queries</topic>
|
|
<affects>
|
|
<package>
|
|
<name>powerdns</name>
|
|
<range><lt>2.9.18</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The LDAP backend in PowerDNS has issues with escaping
|
|
queries which could cause connection errors. This would
|
|
make it possible for a malicious user to temporarily blank
|
|
domains.</p>
|
|
<blockquote cite="http://doc.powerdns.com/security-policy.html">
|
|
<p>This is known to affect all releases prior to 2.9.18.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2302</cvename>
|
|
<url>http://doc.powerdns.com/security-policy.html</url>
|
|
<url>http://marc.theaimsgroup.com/?l=bugtraq&m=112155941310297&w=2</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-16</discovery>
|
|
<entry>2005-07-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3497d7be-2fef-45f4-8162-9063751b573a">
|
|
<topic>fetchmail -- remote root/code injection from malicious POP3 server</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fetchmail</name>
|
|
<range><lt>6.2.5.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>fetchmail's POP3/UIDL code does not truncate received UIDs properly.
|
|
A malicious or compromised POP3 server can thus corrupt fetchmail's
|
|
stack and inject code when fetchmail is using UIDL, either through
|
|
configuration, or as a result of certain server capabilities. Note
|
|
that fetchmail is run as root on some sites, so an attack might
|
|
compromise the root account and thus the whole machine.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2335</cvename>
|
|
<freebsdpr>ports/83805</freebsdpr>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762</url>
|
|
<url>http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-20</discovery>
|
|
<entry>2005-07-20</entry>
|
|
<modified>2005-07-21</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2e116ba5-f7c3-11d9-928e-000b5d7e6dd5">
|
|
<topic>kdebase -- Kate backup file permission leak</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kdebase</name>
|
|
<range><ge>3.2.0</ge><lt>3.4.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux_base-suse</name>
|
|
<range><ge>9.3</ge><lt>9.3_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A KDE Security Advisory explains:</p>
|
|
<blockquote cite="http://www.kde.org/info/security/advisory-20050718-1.txt">
|
|
<p>Kate / Kwrite create a file backup before saving a modified
|
|
file. These backup files are created with default permissions,
|
|
even if the original file had more strict permissions set.</p>
|
|
<p>Depending on the system security settings, backup files
|
|
might be readable by other users. Kate / Kwrite are
|
|
network transparent applications and therefore this
|
|
vulnerability might not be restricted to local users.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1920</cvename>
|
|
<url>https://bugs.kde.org/show_bug.cgi?id=103331</url>
|
|
<url>http://www.kde.org/info/security/advisory-20050718-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-18</discovery>
|
|
<entry>2005-07-18</entry>
|
|
<modified>2005-10-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5d72701a-f601-11d9-bcd1-02061b08fc24">
|
|
<topic>firefox & mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.5,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.9,2</lt></range>
|
|
<range><ge>1.8.*,2</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.9</lt></range>
|
|
<range><ge>1.8.*</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These ports are obsolete. -->
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>ja-netscape7</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk1</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Foundation reports of multiple security
|
|
vulnerabilities in Firefox and Mozilla:</p>
|
|
<blockquote cite="http://www.mozilla.org/projects/security/known-vulnerabilities.html">
|
|
<ul>
|
|
<li><em>MFSA 2005-56</em> Code execution through shared function
|
|
objects</li>
|
|
<li><em>MFSA 2005-55</em> XHTML node spoofing</li>
|
|
<li><em>MFSA 2005-54</em> Javascript prompt origin spoofing</li>
|
|
<li><em>MFSA 2005-53</em> Standalone applications can run arbitrary
|
|
code through the browser</li>
|
|
<li><em>MFSA 2005-52</em> Same origin violation: frame calling
|
|
top.focus()</li>
|
|
<li><em>MFSA 2005-51</em> The return of frame-injection
|
|
spoofing</li>
|
|
<li><em>MFSA 2005-50</em> Possibly exploitable crash in
|
|
InstallVersion.compareTo()</li>
|
|
<li><em>MFSA 2005-49</em> Script injection from Firefox sidebar
|
|
panel using data:</li>
|
|
<li><em>MFSA 2005-48</em> Same-origin violation with InstallTrigger
|
|
callback</li>
|
|
<li><em>MFSA 2005-47</em> Code execution via "Set as
|
|
Wallpaper"</li>
|
|
<li><em>MFSA 2005-46</em> XBL scripts ran even when Javascript
|
|
disabled</li>
|
|
<li><em>MFSA 2005-45</em> Content-generated event
|
|
vulnerabilities</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1937</cvename>
|
|
<cvename>CVE-2005-2260</cvename>
|
|
<cvename>CVE-2005-2261</cvename>
|
|
<cvename>CVE-2005-2262</cvename>
|
|
<cvename>CVE-2005-2263</cvename>
|
|
<cvename>CVE-2005-2264</cvename>
|
|
<cvename>CVE-2005-2265</cvename>
|
|
<cvename>CVE-2005-2266</cvename>
|
|
<cvename>CVE-2005-2267</cvename>
|
|
<cvename>CVE-2005-2268</cvename>
|
|
<cvename>CVE-2005-2269</cvename>
|
|
<cvename>CVE-2005-2270</cvename>
|
|
<url>http://www.mozilla.org/projects/security/known-vulnerabilities.html</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-45.html</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-46.html</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-47.html</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-48.html</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-49.html</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-50.html</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-51.html</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-52.html</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-53.html</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-54.html</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-55.html</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-56.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-12</discovery>
|
|
<entry>2005-07-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f241641e-f5ea-11d9-a6db-000d608ed240">
|
|
<topic>drupal -- PHP code execution vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>drupal</name>
|
|
<range><lt>4.6.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Kuba Zygmunt discovered a flaw in the input validation routines
|
|
of Drupal's filter mechanism. An attacker could execute
|
|
arbitrary PHP code on a target site when public comments or
|
|
postings are allowed.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1921</cvename>
|
|
<cvename>CVE-2005-2106</cvename>
|
|
<url>http://drupal.org/files/sa-2005-002/advisory.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-29</discovery>
|
|
<entry>2005-07-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="50457509-d05e-11d9-9aed-000e0c2e438a">
|
|
<topic>phpSysInfo -- cross site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpSysInfo</name>
|
|
<range><lt>2.5.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Securityreason.com advisory reports that various cross
|
|
site scripting vulnerabilities have been found in phpSysInfo.
|
|
Input is not properly sanitised before it is returned to the
|
|
user. A malicious person could exploit this to execute
|
|
arbitrary HTML and script code in a users browser session.
|
|
Also it is possible to view the full path of certain scripts
|
|
by accessing them directly.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12887</bid>
|
|
<cvename>CVE-2005-0869</cvename>
|
|
<cvename>CVE-2005-0870</cvename>
|
|
<mlist msgid="20050323180207.11987.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=111161017209422</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-22</discovery>
|
|
<entry>2005-07-09</entry>
|
|
<modified>2005-12-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="eeae6cce-d05c-11d9-9aed-000e0c2e438a">
|
|
<topic>mysql-server -- insecure temporary file creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><gt>4.1</gt><lt>4.1.12</lt></range>
|
|
<range><gt>5.0</gt><lt>5.0.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Zataz advisory reports that MySQL contains a security
|
|
flaw which could allow a malicious local user to inject
|
|
arbitrary SQL commands during the initial database creation
|
|
process.</p>
|
|
<p>The problem lies in the mysql_install_db script which
|
|
creates temporary files based on the PID used by the
|
|
script.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13660</bid>
|
|
<cvename>CVE-2005-1636</cvename>
|
|
<url>http://www.zataz.net/adviso/mysql-05172005.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-07</discovery>
|
|
<entry>2005-07-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3e0072d4-d05b-11d9-9aed-000e0c2e438a">
|
|
<topic>net-snmp -- fixproc insecure temporary file creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>net-snmp</name>
|
|
<range><lt>5.2.1.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Gentoo advisory reports:</p>
|
|
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200505-18.xml">
|
|
<p>Net-SNMP creates temporary files in an insecure manner,
|
|
possibly allowing the execution of arbitrary code.</p>
|
|
<p>A malicious local attacker could exploit a race condition
|
|
to change the content of the temporary files before they
|
|
are executed by fixproc, possibly leading to the execution
|
|
of arbitrary code. A local attacker could also create
|
|
symbolic links in the temporary files directory, pointing
|
|
to a valid file somewhere on the filesystem. When fixproc
|
|
is executed, this would result in the file being
|
|
overwritten.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13715</bid>
|
|
<cvename>CVE-2005-1740</cvename>
|
|
<url>http://security.gentoo.org/glsa/glsa-200505-18.xml</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-23</discovery>
|
|
<entry>2005-07-09</entry>
|
|
<modified>2005-07-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="326c517a-d029-11d9-9aed-000e0c2e438a">
|
|
<topic>phpbb -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpbb</name>
|
|
<range><lt>2.0.12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>phpBB is vulnerable to remote exploitation of an input
|
|
validation vulnerability allows attackers to read the
|
|
contents of arbitrary system files under the privileges
|
|
of the webserver. This also allows remote attackers to
|
|
unlink arbitrary system files under the privileges of the
|
|
webserver.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12618</bid>
|
|
<bid>12621</bid>
|
|
<bid>12623</bid>
|
|
<cvename>CVE-2005-0258</cvename>
|
|
<cvename>CVE-2005-0259</cvename>
|
|
<url>http://security.gentoo.org/glsa/glsa-200503-02.xml</url>
|
|
<url>http://www.idefense.com/application/poi/display?id=205&type=vulnerabilities</url>
|
|
<url>http://www.idefense.com/application/poi/display?id=204&type=vulnerabilities</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-22</discovery>
|
|
<entry>2005-07-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6596bb80-d026-11d9-9aed-000e0c2e438a">
|
|
<topic>shtool -- insecure temporary file creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>shtool</name>
|
|
<range><le>2.0.1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Zataz advisory reports that shtool contains a security
|
|
flaw which could allow a malicious local user to create or
|
|
overwrite the contents of arbitrary files. The attacker
|
|
could fool a user into executing the arbitrary file possibly
|
|
executing arbitrary code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13767</bid>
|
|
<url>http://www.zataz.net/adviso/shtool-05252005.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-25</discovery>
|
|
<entry>2005-07-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="88188a8c-eff6-11d9-8310-0001020eed82">
|
|
<topic>phppgadmin -- "formLanguage" local file inclusion vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phppgadmin</name>
|
|
<range><lt>3.5.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/15941/">
|
|
<p>A vulnerability has been reported in phpPgAdmin, which
|
|
can be exploited by malicious people to disclose sensitive
|
|
information.</p>
|
|
<p>Input passed to the "formLanguage" parameter in
|
|
"index.php" isn't properly verified, before it is used to
|
|
include files. This can be exploited to include arbitrary
|
|
files from local resources.</p>
|
|
<p>Successful exploitation requires that "magic_quotes_gpc"
|
|
is disabled.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14142</bid>
|
|
<cvename>CVE-2005-2256</cvename>
|
|
<url>http://secunia.com/advisories/15941/</url>
|
|
<url>http://sourceforge.net/project/shownotes.php?release_id=342261</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-05</discovery>
|
|
<entry>2005-07-08</entry>
|
|
<modified>2005-07-21</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b64481d9-eff4-11d9-8310-0001020eed82">
|
|
<topic>pear-XML_RPC -- information disclosure vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pear-XML_RPC</name>
|
|
<range><lt>1.3.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The pear-XML_RPC release notes reports that the following
|
|
issues has been fixed:</p>
|
|
<blockquote cite="http://pear.php.net/package/XML_RPC/download/1.3.2">
|
|
<p>Eliminate path disclosure vulnerabilities by suppressing
|
|
error messages when eval()'ing.</p>
|
|
<p>Eliminate path disclosure vulnerability by catching bogus
|
|
parameters submitted to
|
|
<code>XML_RPC_Value::serializeval()</code>.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://pear.php.net/package/XML_RPC/download/1.3.2</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-07</discovery>
|
|
<entry>2005-07-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9a035a56-eff0-11d9-8310-0001020eed82">
|
|
<topic>ekg -- insecure temporary file creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pl-ekg</name>
|
|
<range><lt>1.6r2,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Eric Romang reports that ekg creates temporary files in an
|
|
insecure manner. This can be exploited by an attacker using
|
|
a symlink attack to overwrite arbitrary files and possibly
|
|
execute arbitrary commands with the permissions of the user
|
|
running ekg.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14146</bid>
|
|
<cvename>CVE-2005-1916</cvename>
|
|
<mlist msgid="42CA2DDB.5030606@zataz.net">http://marc.theaimsgroup.com/?l=bugtraq&m=112060146011122</mlist>
|
|
<url>http://bugs.gentoo.org/show_bug.cgi?id=94172</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-05</discovery>
|
|
<entry>2005-07-08</entry>
|
|
<modified>2005-07-31</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6e33f4ab-efed-11d9-8310-0001020eed82">
|
|
<topic>bugzilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bugzilla</name>
|
|
<name>ja-bugzilla</name>
|
|
<range><ge>2.17.1</ge><lt>2.18.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Bugzilla Security Advisory reports:</p>
|
|
<blockquote cite="http://www.bugzilla.org/security/2.18.1/">
|
|
<p>Any user can change any flag on any bug, even if they
|
|
don't have access to that bug, or even if they can't
|
|
normally make bug changes. This also allows them to expose
|
|
the summary of a bug.</p>
|
|
<p>Bugs are inserted into the database before they are
|
|
marked as private, in Bugzilla code. Thus, MySQL
|
|
replication can lag in between the time that the bug is
|
|
inserted and when it is marked as private (usually less
|
|
than a second). If replication lags at this point, the bug
|
|
summary will be accessible to all users until replication
|
|
catches up. Also, on a very slow machine, there may be a
|
|
pause longer than a second that allows users to see the
|
|
title of the newly-filed bug.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2173</cvename>
|
|
<cvename>CVE-2005-2174</cvename>
|
|
<url>http://www.bugzilla.org/security/2.18.1/</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=292544</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=293159</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-07</discovery>
|
|
<entry>2005-07-08</entry>
|
|
<modified>2005-07-18</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d177d9f9-e317-11d9-8088-00123f0f7307">
|
|
<topic>nwclient -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>nwclient</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Insecure file permissions, network access control and DNS
|
|
usage put systems that use Legato NetWorker at risk.</p>
|
|
<p>When the software is running, several files that contain
|
|
sensitive information are created with insecure permissions.
|
|
The information exposed include passwords and can therefore
|
|
be used for privilege elevation.</p>
|
|
<p>An empty "servers" file, which should normally
|
|
contain hostnames of authorized backup servers, may allow
|
|
unauthorized backups to be made. Sensitive information can
|
|
be extracted from these backups.</p>
|
|
<p>When reverse DNS fails for the Legato client IP a weak
|
|
authorization scheme, containing a flaw that allows
|
|
unauthorized access, is used. This may allow unauthorized
|
|
access.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>3564</bid>
|
|
<bid>3840</bid>
|
|
<bid>3842</bid>
|
|
<cvename>CVE-2001-0910</cvename>
|
|
<cvename>CVE-2002-0113</cvename>
|
|
<cvename>CVE-2002-0114</cvename>
|
|
<url>http://portal1.legato.com/resources/bulletins/372.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2002-01-10</discovery>
|
|
<entry>2005-07-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="107692a1-ee6c-11d9-8310-0001020eed82">
|
|
<topic>acroread -- insecure temporary file creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>acroread4</name>
|
|
<name>acroread5</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>acroread</name>
|
|
<range><lt>7.0.0</lt></range>
|
|
<range><gt>5.*,1</gt><lt>7.0.0,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia Research reports:</p>
|
|
<blockquote cite="http://secunia.com/secunia_research/2005-6/advisory/">
|
|
<p>Secunia has discovered a security issue in Adobe Reader
|
|
for Linux, which can be exploited by malicious, local
|
|
users to gain knowledge of sensitive information.</p>
|
|
<p>The problem is caused due to temporary files being
|
|
created with permissions based on a user's umask in the
|
|
"/tmp" folder under certain circumstances when documents
|
|
are opened.</p>
|
|
<p>Successful exploitation allows an unprivileged user to
|
|
read arbitrary users' documents.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1912</cvename>
|
|
<url>http://secunia.com/secunia_research/2005-6/advisory/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-29</discovery>
|
|
<entry>2005-07-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d8e1aadd-ee68-11d9-8310-0001020eed82">
|
|
<topic>clamav -- cabinet file handling DoS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>clamav</name>
|
|
<range><lt>0.86</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>clamav-devel</name>
|
|
<range><lt>20050620</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE Security Advisory reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=112006456809016">
|
|
<p>Remote exploitation of an input validation error in Clam
|
|
AntiVirus ClamAV allows attackers to cause a denial of
|
|
service condition.</p>
|
|
<p>The vulnerability specifically exists due to insufficient
|
|
validation on cabinet file header data. The
|
|
<code>ENSURE_BITS()</code> macro fails to check for zero
|
|
length reads, allowing a carefully constructed cabinet
|
|
file to cause an infinite loop.</p>
|
|
<p>ClamAV is used in a number of mail gateway
|
|
products. Successful exploitation requires an attacker to
|
|
send a specially constructed CAB file through a mail
|
|
gateway or personal anti-virus client utilizing the ClamAV
|
|
scanning engine. The infinate loop will cause the ClamAV
|
|
software to use all available processor resources,
|
|
resulting in a denial of service or severe degradation to
|
|
system performance. Remote exploitation can be achieved by
|
|
sending a malicious file in an e-mail message or during an
|
|
HTTP session.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1923</cvename>
|
|
<mlist msgid="FB24803D1DF2A34FA59FC157B77C97050462A3AB@IDSERV04.idef.com">http://marc.theaimsgroup.com/?l=bugtraq&m=112006456809016</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-29</discovery>
|
|
<entry>2005-07-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6d18fe19-ee67-11d9-8310-0001020eed82">
|
|
<topic>clamav -- MS-Expand file handling DoS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>clamav</name>
|
|
<range><lt>0.86</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>clamav-devel</name>
|
|
<range><lt>20050620</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE Security Advisory reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=112006402411598">
|
|
<p>Remote exploitation of an input validation error in Clam
|
|
AntiVirus ClamAV allows attackers to cause a denial of
|
|
service condition.</p>
|
|
<p>The vulnerability specifically exists due to improper
|
|
behavior during exceptional conditions.</p>
|
|
<p>Successful exploitation allows attackers to exhaust file
|
|
descriptors pool and memory. Anti-virus detection
|
|
functionality will fail if there is no file descriptors
|
|
available with which to open files. Remote exploitation
|
|
can be achieved by sending a malicious file in an e-mail
|
|
message or during an HTTP session.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1922</cvename>
|
|
<mlist msgid="FB24803D1DF2A34FA59FC157B77C97050462A3AC@IDSERV04.idef.com">http://marc.theaimsgroup.com/?l=bugtraq&m=112006402411598</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-29</discovery>
|
|
<entry>2005-07-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8efe93e2-ee62-11d9-8310-0001020eed82">
|
|
<topic>zlib -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zsync</name>
|
|
<range><lt>0.4.1</lt></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.4</ge><lt>5.4_4</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_18</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>An error in the handling of corrupt compressed data streams
|
|
can result in a buffer being overflowed.</p>
|
|
<h1>Impact</h1>
|
|
<p>By carefully crafting a corrupt compressed data stream, an
|
|
attacker can overwrite data structures in a zlib-using
|
|
application. This may cause the application to halt,
|
|
causing a denial of service; or it may result in the
|
|
attacker gaining elevated privileges.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2096</cvename>
|
|
<freebsdsa>SA-05:16.zlib</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-06</discovery>
|
|
<entry>2005-07-06</entry>
|
|
<modified>2005-10-01</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="70c59485-ee5a-11d9-8310-0001020eed82">
|
|
<topic>acroread -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>acroread4</name>
|
|
<name>acroread5</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>acroread</name>
|
|
<range><lt>7.0.0</lt></range>
|
|
<range><gt>5.*,1</gt><lt>7.0.0,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An Adobe Security Advisory reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/techdocs/329083.html">
|
|
<p>A vulnerability within Adobe Reader has been
|
|
identified. Under certain circumstances, remote
|
|
exploitation of a buffer overflow in Adobe Reader could
|
|
allow an attacker to execute arbitrary code.</p>
|
|
<p>If exploited, it could allow the execution of arbitrary
|
|
code under the privileges of the local user. Remote
|
|
exploitation is possible if the malicious PDF document is
|
|
sent as an email attachment or if the PDF document is
|
|
accessed via a web link.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1625</cvename>
|
|
<url>http://www.adobe.com/support/techdocs/329083.html</url>
|
|
<mlist msgid="FB24803D1DF2A34FA59FC157B77C97050462A5E2@IDSERV04.idef.com">http://marc.theaimsgroup.com/?l=bugtraq&m=112059685332569</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-05</discovery>
|
|
<entry>2005-07-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b2a1a3b5-ed95-11d9-8310-0001020eed82">
|
|
<topic>net-snmp -- remote DoS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>net-snmp</name>
|
|
<range><lt>5.2.1.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Net-SNMP release announcement reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=net-snmp-announce&m=112059518426328">
|
|
<p>A security vulnerability has been found in Net-SNMP
|
|
releases that could allow a denial of service attack
|
|
against Net-SNMP agent's which have opened a stream based
|
|
protocol (EG, TCP but not UDP; it should be noted that
|
|
Net-SNMP does not by default open a TCP port).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14168</bid>
|
|
<cvename>CVE-2005-2177</cvename>
|
|
<mlist msgid="sdzmt5sul0.fsf@wes.hardakers.net">http://marc.theaimsgroup.com/?l=net-snmp-announce&m=112059518426328</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-02</discovery>
|
|
<entry>2005-07-05</entry>
|
|
<modified>2005-10-26</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1cf00643-ed8a-11d9-8310-0001020eed82">
|
|
<topic>cacti -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cacti</name>
|
|
<range><lt>0.8.6f</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefan Esser reports:</p>
|
|
<blockquote cite="http://www.hardened-php.net/advisory-032005.php">
|
|
<p>Wrongly implemented user input filters lead to multiple
|
|
SQL Injection vulnerabilities which can lead f.e. to
|
|
disclosure of the admin password hash.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.hardened-php.net/advisory-042005.php">
|
|
<p>Wrongly implemented user input filters allows injection
|
|
of user input into executed commandline.</p>
|
|
<p>Alberto Trivero posted his Remote Command Execution
|
|
Exploit for Cacti <= 0.8.6d to Bugtraq on the 22th
|
|
June. Having analysed his bug we come to the conclusion,
|
|
that the malfunctioning input filters, which were already
|
|
mentioned in the previous advisory are also responsible
|
|
for this bug still being exploitable.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.hardened-php.net/advisory-052005.php">
|
|
<p>A HTTP headers bypass switch can also be used to
|
|
completely bypass the authentification system of Cacti. As
|
|
admin it is possible to execute shell commands with the
|
|
permission of the webserver.</p>
|
|
<p>While looking at the source of Cacti a HTTP headers
|
|
bypass switch was discovered, that also switches off a
|
|
call to <code>session_start()</code> and the manual
|
|
application of <code>addslashes()</code> in case of
|
|
<code>magic_quotes_gpc=Off</code>.</p>
|
|
<p>When register_globals is turned on* an attacker can use
|
|
this switch to disables Cacti's use of PHP's session
|
|
support and therefore supply the session variables on his
|
|
own through f.e. the URL. Additionally using the switch
|
|
renders several SQL statements vulnerable to SQL
|
|
Injections attacks, when magic_quotes_gpc is turned off,
|
|
which is the recommended setting.</p>
|
|
<p>Logged in as an admin it is possible to issue shell
|
|
commands.</p>
|
|
<p>(*) register_globals is turned off by default since PHP
|
|
4.2 but is activated on most servers because of older
|
|
scripts requiring it.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="007301c57753$5ab17f60$0100a8c0@alberto">http://marc.theaimsgroup.com/?l=bugtraq&m=111954136315248</mlist>
|
|
<url>http://www.hardened-php.net/advisory-032005.php</url>
|
|
<url>http://www.hardened-php.net/advisory-042005.php</url>
|
|
<url>http://www.hardened-php.net/advisory-052005.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-22</discovery>
|
|
<entry>2005-07-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="dca0a345-ed81-11d9-8310-0001020eed82">
|
|
<topic>wordpress -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wordpress</name>
|
|
<range><lt>1.5.1.3,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>GulfTech Security Research reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=112006967221438">
|
|
<p>There are a number of vulnerabilities in WordPress that
|
|
may allow an attacker to ultimately run arbitrary code on
|
|
the vulnerable system. These vulnerabilities include SQL
|
|
Injection, Cross Site Scripting, and also issues that may
|
|
aid an attacker in social engineering.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2107</cvename>
|
|
<cvename>CVE-2005-2108</cvename>
|
|
<cvename>CVE-2005-2109</cvename>
|
|
<cvename>CVE-2005-2110</cvename>
|
|
<mlist msgid="42C2BE6E.2050408@gulftech.org">http://marc.theaimsgroup.com/?l=bugtraq&m=112006967221438</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-28</discovery>
|
|
<entry>2005-07-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a4955b32-ed84-11d9-8310-0001020eed82">
|
|
<topic>wordpress -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wordpress</name>
|
|
<range><lt>1.5.1.2,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Gentoo Linux Security Advisory reports:</p>
|
|
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200506-04.xml">
|
|
<p>Due to a lack of input validation, WordPress is
|
|
vulnerable to SQL injection and XSS attacks.</p>
|
|
<p>An attacker could use the SQL injection vulnerabilites to
|
|
gain information from the database. Furthermore the
|
|
cross-site scripting issues give an attacker the ability
|
|
to inject and execute malicious script code or to steal
|
|
cookie-based authentication credentials, potentially
|
|
compromising the victim's browser.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1810</cvename>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200506-04.xml</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-12</discovery>
|
|
<entry>2005-07-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4afacca1-eb9d-11d9-a8bd-000cf18bbe54">
|
|
<topic>phpbb -- remote PHP code execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpbb</name>
|
|
<range><lt>2.0.16</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>FrSIRT Advisory reports:</p>
|
|
<blockquote cite="http://www.frsirt.com/english/advisories/2005/0904">
|
|
<p>A vulnerability was identified in phpBB, which
|
|
may be exploited by attackers to compromise a vulnerable
|
|
web server. This flaw is due to an input validation error
|
|
in the "viewtopic.php" script that does not properly filter
|
|
the "highlight" parameter before calling the "preg_replace()"
|
|
function, which may be exploited by remote attackers to execute
|
|
arbitrary PHP commands with the privileges of the web server.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2086</cvename>
|
|
<url>http://www.frsirt.com/english/advisories/2005/0904</url>
|
|
<url>http://www.phpbb.com/phpBB/viewtopic.php?t=302011</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-28</discovery>
|
|
<entry>2005-07-03</entry>
|
|
<modified>2005-07-07</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="523fad14-eb9d-11d9-a8bd-000cf18bbe54">
|
|
<topic>pear-XML_RPC -- arbitrary remote code execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pear-XML_RPC</name>
|
|
<range><lt>1.3.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>GulfTech Security Research Team reports:</p>
|
|
<blockquote cite="http://www.gulftech.org/?node=research&article_id=00087-07012005">
|
|
<p>PEAR XML_RPC is vulnerable to a very high risk php code
|
|
injection vulnerability due to unsanatized data being
|
|
passed into an eval() call.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1921</cvename>
|
|
<url>http://www.gulftech.org/?node=research&article_id=00087-07012005</url>
|
|
<url>http://www.hardened-php.net/advisory-022005.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-29</discovery>
|
|
<entry>2005-07-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f70f8860-e8ee-11d9-b875-0001020eed82">
|
|
<topic>kernel -- ipfw packet matching errors with address tables</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.4</ge><lt>5.4_3</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>The ipfw tables lookup code caches the result of the last
|
|
query. The kernel may process multiple packets
|
|
concurrently, performing several concurrent table lookups.
|
|
Due to an insufficient locking, a cached result can become
|
|
corrupted that could cause some addresses to be incorrectly
|
|
matched against a lookup table.</p>
|
|
<h1>Impact</h1>
|
|
<p>When lookup tables are used with ipfw, packets may on very
|
|
rare occasions incorrectly match a lookup table. This could
|
|
result in a packet being treated contrary to the defined
|
|
packet filtering ruleset. For example, a packet may be
|
|
allowed to pass through when it should have been
|
|
discarded.</p>
|
|
<p>The problem can only occur on Symmetric Multi-Processor
|
|
(SMP) systems, or on Uni Processor (UP) systems with the
|
|
PREEMPTION kernel option enabled (not the default).</p>
|
|
<h1>Workaround</h1>
|
|
<p>a) Do not use lookup tables.</p>
|
|
<p>OR</p>
|
|
<p>b) Disable concurrent processing of packets in the network
|
|
stack by setting the "debug.mpsafenet=0" tunable:</p>
|
|
<p># echo "debug.mpsafenet=0" << /boot/loader.conf</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-2019</cvename>
|
|
<freebsdsa>SA-05:13.ipfw</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-29</discovery>
|
|
<entry>2005-06-29</entry>
|
|
<modified>2005-07-06</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="197f444f-e8ef-11d9-b875-0001020eed82">
|
|
<topic>bzip2 -- denial of service and permission race vulnerabilities</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.4</ge><lt>5.4_3</lt></range>
|
|
<range><ge>5.*</ge><lt>5.3_17</lt></range>
|
|
<range><ge>4.11</ge><lt>4.11_11</lt></range>
|
|
<range><lt>4.10_16</lt></range>
|
|
</system>
|
|
<package>
|
|
<name>bzip2</name>
|
|
<range><lt>1.0.3_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>Two problems have been discovered relating to the
|
|
extraction of bzip2-compressed files. First, a carefully
|
|
constructed invalid bzip2 archive can cause bzip2 to enter
|
|
an infinite loop. Second, when creating a new file, bzip2
|
|
closes the file before setting its permissions.</p>
|
|
<h1>Impact</h1>
|
|
<p>The first problem can cause bzip2 to extract a bzip2
|
|
archive to an infinitely large file. If bzip2 is used in
|
|
automated processing of untrusted files this could be
|
|
exploited by an attacker to create an denial-of-service
|
|
situation by exhausting disk space or by consuming all
|
|
available cpu time.</p>
|
|
<p>The second problem can allow a local attacker to change the
|
|
permissions of local files owned by the user executing bzip2
|
|
providing that they have write access to the directory in
|
|
which the file is being extracted.</p>
|
|
<h1>Workaround</h1>
|
|
<p>Do not uncompress bzip2 archives from untrusted sources and
|
|
do not uncompress files in directories where untrusted users
|
|
have write access.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0953</cvename>
|
|
<cvename>CVE-2005-1260</cvename>
|
|
<freebsdsa>SA-05:14.bzip2</freebsdsa>
|
|
<url>http://scary.beasts.org/security/CESA-2005-002.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-30</discovery>
|
|
<entry>2005-06-29</entry>
|
|
<modified>2005-07-06</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3ec8f43b-e8ef-11d9-b875-0001020eed82">
|
|
<topic>kernel -- TCP connection stall denial of service</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.4</ge><lt>5.4_3</lt></range>
|
|
<range><ge>5.*</ge><lt>5.3_17</lt></range>
|
|
<range><ge>4.11</ge><lt>4.11_11</lt></range>
|
|
<range><lt>4.10_16</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>Two problems have been discovered in the FreeBSD TCP stack.</p>
|
|
<p>First, when a TCP packets containing a timestamp is
|
|
received, inadequate checking of sequence numbers is
|
|
performed, allowing an attacker to artificially increase the
|
|
internal "recent" timestamp for a connection.</p>
|
|
<p>Second, a TCP packet with the SYN flag set is accepted for
|
|
established connections, allowing an attacker to overwrite
|
|
certain TCP options.</p>
|
|
<h1>Impact</h1>
|
|
<p>Using either of the two problems an attacker with knowledge
|
|
of the local and remote IP and port numbers associated with
|
|
a connection can cause a denial of service situation by
|
|
stalling the TCP connection. The stalled TCP connection my
|
|
be closed after some time by the other host.</p>
|
|
<h1>Workaround</h1>
|
|
<p>In some cases it may be possible to defend against these
|
|
attacks by blocking the attack packets using a firewall.
|
|
Packets used to effect either of these attacks would have
|
|
spoofed source IP addresses.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>637934</certvu>
|
|
<cvename>CVE-2005-0356</cvename>
|
|
<cvename>CVE-2005-2068</cvename>
|
|
<freebsdsa>SA-05:15.tcp</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-29</discovery>
|
|
<entry>2005-06-29</entry>
|
|
<modified>2005-07-06</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="76adaab0-e4e3-11d9-b875-0001020eed82">
|
|
<topic>ethereal -- multiple protocol dissectors vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ethereal</name>
|
|
<name>ethereal-lite</name>
|
|
<name>tethereal</name>
|
|
<name>tethereal-lite</name>
|
|
<range><ge>0.8.14</ge><lt>0.10.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An Ethreal Security Advisories reports:</p>
|
|
<blockquote cite="http://www.ethereal.com/appnotes/enpa-sa-00019.html">
|
|
<p>An aggressive testing program as well as independent
|
|
discovery has turned up a multitude of security issues:</p>
|
|
<ul>
|
|
<li>The ANSI A dissector was susceptible to format string
|
|
vulnerabilities. Discovered by Bryan Fulton.</li>
|
|
<li>The GSM MAP dissector could crash.</li>
|
|
<li>The AIM dissector could cause a crash.</li>
|
|
<li>The DISTCC dissector was susceptible to a buffer
|
|
overflow. Discovered by Ilja van Sprundel</li>
|
|
<li>The FCELS dissector was susceptible to a buffer
|
|
overflow. Discovered by Neil Kettle</li>
|
|
<li>The SIP dissector was susceptible to a buffer
|
|
overflow. Discovered by Ejovi Nuwere.</li>
|
|
<li>The KINK dissector was susceptible to a null pointer
|
|
exception, endless looping, and other problems.</li>
|
|
<li>The LMP dissector was susceptible to an endless
|
|
loop.</li>
|
|
<li>The Telnet dissector could abort.</li>
|
|
<li>The TZSP dissector could cause a segmentation
|
|
fault.</li>
|
|
<li>The WSP dissector was susceptible to a null pointer
|
|
exception and assertions.</li>
|
|
<li>The 802.3 Slow protocols dissector could throw an
|
|
assertion.</li>
|
|
<li>The BER dissector could throw assertions.</li>
|
|
<li>The SMB Mailslot dissector was susceptible to a null
|
|
pointer exception and could throw assertions.</li>
|
|
<li>The H.245 dissector was susceptible to a null pointer
|
|
exception.</li>
|
|
<li>The Bittorrent dissector could cause a segmentation
|
|
fault.</li>
|
|
<li>The SMB dissector could cause a segmentation fault and
|
|
throw assertions.</li>
|
|
<li>The Fibre Channel dissector could cause a crash.</li>
|
|
<li>The DICOM dissector could attempt to allocate large
|
|
amounts of memory.</li>
|
|
<li>The MGCP dissector was susceptible to a null pointer
|
|
exception, could loop indefinitely, and segfault.</li>
|
|
<li>The RSVP dissector could loop indefinitely.</li>
|
|
<li>The DHCP dissector was susceptible to format string
|
|
vulnerabilities, and could abort.</li>
|
|
<li>The SRVLOC dissector could crash unexpectedly or go
|
|
into an infinite loop.</li>
|
|
<li>The EIGRP dissector could loop indefinitely.</li>
|
|
<li>The ISIS dissector could overflow a buffer.</li>
|
|
<li>The CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explitit,
|
|
PKIX Qualified, and X.509 dissectors could overflow
|
|
buffers.</li>
|
|
<li>The NDPS dissector could exhaust system memory or
|
|
cause an assertion, or crash.</li>
|
|
<li>The Q.931 dissector could try to free a null pointer
|
|
and overflow a buffer.</li>
|
|
<li>The IAX2 dissector could throw an assertion.</li>
|
|
<li>The ICEP dissector could try to free the same memory
|
|
twice.</li>
|
|
<li>The MEGACO dissector was susceptible to an infinite
|
|
loop and a buffer overflow.</li>
|
|
<li>The DLSw dissector was susceptible to an infinite
|
|
loop.</li>
|
|
<li>The RPC dissector was susceptible to a null pointer
|
|
exception.</li>
|
|
<li>The NCP dissector could overflow a buffer or loop for
|
|
a large amount of time.</li>
|
|
<li>The RADIUS dissector could throw an assertion.</li>
|
|
<li>The GSM dissector could access an invalid
|
|
pointer.</li>
|
|
<li>The SMB PIPE dissector could throw an assertion.</li>
|
|
<li>The L2TP dissector was susceptible to an infinite loop.</li>
|
|
<li>The SMB NETLOGON dissector could dereference a null
|
|
pointer.</li>
|
|
<li>The MRDISC dissector could throw an assertion.</li>
|
|
<li>The ISUP dissector could overflow a buffer or cause a
|
|
segmentation fault.</li>
|
|
<li>The LDAP dissector could crash.</li>
|
|
<li>The TCAP dissector could overflow a buffer or throw an
|
|
assertion.</li>
|
|
<li>The NTLMSSP dissector could crash.</li>
|
|
<li>The Presentation dissector could overflow a
|
|
buffer.</li>
|
|
<li>Additionally, a number of dissectors could throw an
|
|
assertion when passing an invalid protocol tree item
|
|
length.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13391</bid>
|
|
<bid>13504</bid>
|
|
<bid>13567</bid>
|
|
<cvename>CVE-2005-1281</cvename>
|
|
<cvename>CVE-2005-1456</cvename>
|
|
<cvename>CVE-2005-1457</cvename>
|
|
<cvename>CVE-2005-1458</cvename>
|
|
<cvename>CVE-2005-1459</cvename>
|
|
<cvename>CVE-2005-1460</cvename>
|
|
<cvename>CVE-2005-1461</cvename>
|
|
<cvename>CVE-2005-1462</cvename>
|
|
<cvename>CVE-2005-1463</cvename>
|
|
<cvename>CVE-2005-1464</cvename>
|
|
<cvename>CVE-2005-1465</cvename>
|
|
<cvename>CVE-2005-1466</cvename>
|
|
<cvename>CVE-2005-1467</cvename>
|
|
<cvename>CVE-2005-1468</cvename>
|
|
<cvename>CVE-2005-1469</cvename>
|
|
<cvename>CVE-2005-1470</cvename>
|
|
<url>http://www.ethereal.com/appnotes/enpa-sa-00019.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-04</discovery>
|
|
<entry>2005-06-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="691ed622-e499-11d9-a8bd-000cf18bbe54">
|
|
<topic>tor -- information disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tor</name>
|
|
<range><lt>0.1.0.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Roger Dingledine reports:</p>
|
|
<blockquote cite="http://archives.seul.org/or/announce/Jun-2005/msg00001.html">
|
|
<p>The Tor 0.1.0.10 release from a few days ago
|
|
includes a fix for a bug that might allow an attacker
|
|
to read arbitrary memory (maybe even keys) from an exit
|
|
server's process space. We haven't heard any reports of
|
|
exploits yet, but hey.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://archives.seul.org/or/announce/Jun-2005/msg00001.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-16</discovery>
|
|
<entry>2005-06-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="95ee96f2-e488-11d9-bf22-080020c11455">
|
|
<topic>linux-realplayer -- RealText parsing heap overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-realplayer</name>
|
|
<range><le>10.0.4_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE Security Advisory reports:</p>
|
|
<blockquote cite="http://www.idefense.com/application/poi/display?id=250&type=vulnerabilities&flashstatus=false">
|
|
<p>Remote exploitation of a heap-based buffer
|
|
overflow vulnerability in the RealText file format
|
|
parser within various versions of RealNetworks
|
|
Inc.'s RealPlayer could allow attackers to
|
|
execute arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1277</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=250&type=vulnerabilities&flashstatus=false</url>
|
|
<url>http://service.real.com/help/faq/security/050623_player/EN/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-23</discovery>
|
|
<entry>2005-06-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="594eb447-e398-11d9-a8bd-000cf18bbe54">
|
|
<topic>ruby -- arbitrary command execution on XMLRPC server</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby</name>
|
|
<name>ruby_static</name>
|
|
<range><gt>1.8.*</gt><lt>1.8.2_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Nobuhiro IMAI reports:</p>
|
|
<blockquote cite="http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237">
|
|
<p>the default value modification on
|
|
Module#public_instance_methods (from false to true) breaks
|
|
s.add_handler(XMLRPC::iPIMethods("sample"), MyHandler.new) style
|
|
security protection.</p>
|
|
<p>This problem could allow a remote attacker to execute arbitrary
|
|
commands on XMLRPC server of libruby.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1992</cvename>
|
|
<url>http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237</url>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315064</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-22</discovery>
|
|
<entry>2005-06-23</entry>
|
|
<modified>2005-11-06</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="96948a6a-e239-11d9-83cf-0010dc5df42d">
|
|
<topic>cacti -- potential SQL injection and cross site scripting attacks</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cacti</name>
|
|
<range><le>0.8.6d</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>iDEFENSE security group disclosed potential SQL injection
|
|
attacks from unchecked user input and two security holes
|
|
regarding potential cross site scripting attacks</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.cacti.net/release_notes_0_8_6e.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-21</discovery>
|
|
<entry>2005-06-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="79217c9b-e1d9-11d9-b875-0001020eed82">
|
|
<topic>opera -- XMLHttpRequest security bypass</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-opera</name>
|
|
<name>opera-devel</name>
|
|
<name>opera</name>
|
|
<range><gt>8.*</gt><lt>8.01</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/15008/">
|
|
<p>Secunia Research has discovered a vulnerability in Opera,
|
|
which can be exploited by malicious people to steal
|
|
content or to perform actions on other web sites with the
|
|
privileges of the user.</p>
|
|
<p>Normally, it should not be possible for the
|
|
<code>XMLHttpRequest</code> object to access resources
|
|
from outside the domain of which the object was
|
|
opened. However, due to insufficient validation of server
|
|
side redirects, it is possible to circumvent this
|
|
restriction.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1475</cvename>
|
|
<url>http://secunia.com/advisories/15008/</url>
|
|
<url>http://secunia.com/secunia_research/2005-4/advisory/</url>
|
|
<url>http://www.opera.com/freebsd/changelogs/801/#security</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-16</discovery>
|
|
<entry>2005-06-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="40856a51-e1d9-11d9-b875-0001020eed82">
|
|
<topic>opera -- "javascript:" URL cross-site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-opera</name>
|
|
<name>opera-devel</name>
|
|
<name>opera</name>
|
|
<range><lt>8.01</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/15411/">
|
|
<p>Secunia Research has discovered a vulnerability in Opera,
|
|
which can be exploited by malicious people to conduct
|
|
cross-site scripting attacks and to read local files.</p>
|
|
<p>The vulnerability is caused due to Opera not properly
|
|
restricting the privileges of "javascript:" URLs when
|
|
opened in e.g. new windows or frames.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1669</cvename>
|
|
<url>http://secunia.com/advisories/15411/</url>
|
|
<url>http://www.opera.com/freebsd/changelogs/801/#security</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-16</discovery>
|
|
<entry>2005-06-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="985bfcf0-e1d7-11d9-b875-0001020eed82">
|
|
<topic>opera -- redirection cross-site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-opera</name>
|
|
<name>opera-devel</name>
|
|
<name>opera</name>
|
|
<range><gt>8.*</gt><lt>8.01</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/15423/">
|
|
<p>Secunia Research has discovered a vulnerability in Opera,
|
|
which can be exploited by malicious people to conduct
|
|
cross-site scripting attacks against users.</p>
|
|
<p>The vulnerability is caused due to input not being
|
|
sanitised, when Opera generates a temporary page for
|
|
displaying a redirection when "Automatic redirection" is
|
|
disabled (not default setting).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/15423/</url>
|
|
<url>http://secunia.com/secunia_research/2003-1/advisory/</url>
|
|
<url>http://www.opera.com/freebsd/changelogs/801/#security</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-16</discovery>
|
|
<entry>2005-06-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3bf157fa-e1c6-11d9-b875-0001020eed82">
|
|
<topic>sudo -- local race condition vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sudo</name>
|
|
<range><lt>1.6.8.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Todd C. Miller reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=111928183431376">
|
|
<p>A race condition in Sudo's command pathname handling
|
|
prior to Sudo version 1.6.8p9 that could allow a user with
|
|
Sudo privileges to run arbitrary commands.</p>
|
|
<p>Exploitation of the bug requires that the user be allowed
|
|
to run one or more commands via Sudo and be able to create
|
|
symbolic links in the filesystem. Furthermore, a sudoers
|
|
entry giving another user access to the ALL pseudo-command
|
|
must follow the user's sudoers entry for the race to
|
|
exist.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13993</bid>
|
|
<cvename>CVE-2005-1993</cvename>
|
|
<mlist msgid="200506201424.j5KEOhQI024645@xerxes.courtesan.com">http://marc.theaimsgroup.com/?l=bugtraq&m=111928183431376</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-20</discovery>
|
|
<entry>2005-06-20</entry>
|
|
<modified>2005-11-14</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b02c1d80-e1bb-11d9-b875-0001020eed82">
|
|
<topic>trac -- file upload/download vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>trac</name>
|
|
<range><lt>0.8.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefan Esser reports:</p>
|
|
<blockquote cite="http://www.hardened-php.net/advisory-012005.php">
|
|
<p>Trac's wiki and ticket systems allows to add attachments
|
|
to wiki entries and bug tracker tickets. These attachments
|
|
are stored within directories that are determined by the
|
|
id of the corresponding ticket or wiki entry.</p>
|
|
<p>Due to a missing validation of the id parameter it is
|
|
possible for an attacker to supply arbitrary paths to the
|
|
upload and attachment viewer scripts. This means that a
|
|
potential attacker can retrieve any file accessible by the
|
|
webserver user.</p>
|
|
<p>Additionally it is possible to upload arbitrary files (up
|
|
to a configured file length) to any place the webserver
|
|
has write access too.</p>
|
|
<p>For obvious reasons this can lead to the execution of
|
|
arbitrary code if it possible to upload files to the
|
|
document root or it's subdirectories. One example of a
|
|
configuration would be f.e. running Trac and
|
|
s9y/wordpress with writeable content directories on the
|
|
same webserver.</p>
|
|
<p>Another potential usage of this exploit would be to abuse
|
|
Trac powered webservers as storage for f.e. torrent
|
|
files.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13990</bid>
|
|
<url>http://www.hardened-php.net/advisory-012005.php</url>
|
|
<url>http://projects.edgewall.com/trac/wiki/ChangeLog</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-20</discovery>
|
|
<entry>2005-06-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="85069fb6-e15b-11d9-83cf-0010dc5df42d">
|
|
<topic>razor-agents -- denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>razor-agents</name>
|
|
<range><le>2.71</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia security advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/15739/">
|
|
<p>Two vulnerabilities have been reported in Razor-agents,
|
|
which can be exploited by malicious people to cause a DoS
|
|
(Denial of Service).</p>
|
|
<ol>
|
|
<li>An unspecified error in the preprocessing of certain
|
|
HTML messages can be exploited to crash the
|
|
application.</li>
|
|
<li>A bug in the discovery logic causes Razor-agents to go
|
|
into an infinite loop and consume a large amount of
|
|
memory when discovery fails.</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/15739/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-17</discovery>
|
|
<entry>2005-06-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cc4ce06b-e01c-11d9-a8bd-000cf18bbe54">
|
|
<topic>p5-Mail-SpamAssassin -- denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>p5-Mail-SpamAssassin</name>
|
|
<range><ge>3.0.1</ge><lt>3.0.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Apache SpamAssassin Security Team reports:</p>
|
|
<blockquote cite="http://mail-archives.apache.org/mod_mbox/spamassassin-announce/200506.mbox/%3c17072.35054.586017.822288@proton.pathname.com%3e">
|
|
<p>Apache SpamAssassin 3.0.4 was recently released, and
|
|
fixes a denial of service vulnerability in versions 3.0.1, 3.0.2,
|
|
and 3.0.3. The vulnerability allows certain misformatted
|
|
long message headers to cause spam checking to
|
|
take a very long time.</p>
|
|
<p>While the exploit has yet to be seen in the wild,
|
|
we are concerned that there may be attempts to abuse
|
|
the vulnerability in the future. Therefore, we strongly
|
|
recommend all users of these versions upgrade to
|
|
Apache SpamAssassin 3.0.4 as soon as possible.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1266</cvename>
|
|
<mlist msgid="c17072.35054.586017.822288@proton.pathname.com">http://mail-archives.apache.org/mod_mbox/spamassassin-announce/200506.mbox/%3c17072.35054.586017.822288@proton.pathname.com%3e</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-15</discovery>
|
|
<entry>2005-06-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e879ca68-e01b-11d9-a8bd-000cf18bbe54">
|
|
<topic>squirrelmail -- Several cross site scripting vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squirrelmail</name>
|
|
<name>ja-squirrelmail</name>
|
|
<range><ge>1.4.0</ge><le>1.4.4</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A SquirrelMail Security Advisory reports:</p>
|
|
<blockquote cite="http://www.squirrelmail.org/security/issue/2005-06-15">
|
|
<p>Several cross site scripting (XSS) vulnerabilities have been discovered
|
|
in SquirrelMail versions 1.4.0 - 1.4.4.</p>
|
|
<p>The vulnerabilities are in two categories: the majority can be
|
|
exploited through URL manipulation, and some by sending a specially
|
|
crafted email to a victim. When done very carefully,
|
|
this can cause the session of the user to be hijacked.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1769</cvename>
|
|
<url>http://www.squirrelmail.org/security/issue/2005-06-15</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-15</discovery>
|
|
<entry>2005-06-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="02bc9b7c-e019-11d9-a8bd-000cf18bbe54">
|
|
<topic>acroread -- XML External Entity vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>acroread7</name>
|
|
<name>ja-acroread</name>
|
|
<range><ge>7.0.0</ge><lt>7.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Sverre H. Huseby discovered a vulnerability in Adobe Acrobat
|
|
and Adobe Reader.
|
|
Under certain circumstances, using XML scripts it is possible
|
|
to discover the existence of local files.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1306</cvename>
|
|
<url>http://shh.thathost.com/secadv/adobexxe/</url>
|
|
<url>http://www.adobe.com/support/techdocs/331710.html</url>
|
|
<url>http://support.adobe.co.jp/faq/faq/qadoc.sv?226360+002+3</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-15</discovery>
|
|
<entry>2005-06-18</entry>
|
|
<modified>2005-08-28</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="63bd4bad-dffe-11d9-b875-0001020eed82">
|
|
<topic>gzip -- directory traversal and permission race vulnerabilities</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.4</ge><lt>5.4_2</lt></range>
|
|
<range><ge>5.0</ge><lt>5.3_16</lt></range>
|
|
<range><ge>4.11</ge><lt>4.11_10</lt></range>
|
|
<range><ge>4.10</ge><lt>4.10_15</lt></range>
|
|
<range><ge>4.9</ge><lt>4.9_18</lt></range>
|
|
<range><lt>4.8_33</lt></range>
|
|
</system>
|
|
<package>
|
|
<name>gzip</name>
|
|
<range><lt>1.3.5_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>Two problems related to extraction of files exist in gzip:</p>
|
|
<p>The first problem is that gzip does not properly sanitize
|
|
filenames containing "/" when uncompressing files using the
|
|
-N command line option.</p>
|
|
<p>The second problem is that gzip does not set permissions on
|
|
newly extracted files until after the file has been created
|
|
and the file descriptor has been closed.</p>
|
|
<h1>Impact</h1>
|
|
<p>The first problem can allow an attacker to overwrite
|
|
arbitrary local files when uncompressing a file using the -N
|
|
command line option.</p>
|
|
<p>The second problem can allow a local attacker to change the
|
|
permissions of arbitrary local files, on the same partition
|
|
as the one the user is uncompressing a file on, by removing
|
|
the file the user is uncompressing and replacing it with a
|
|
hardlink before the uncompress operation is finished.</p>
|
|
<h1>Workaround</h1>
|
|
<p>Do not use the -N command line option on untrusted files
|
|
and do not uncompress files in directories where untrusted
|
|
users have write access.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0988</cvename>
|
|
<cvename>CVE-2005-1228</cvename>
|
|
<freebsdsa>SA-05:11.gzip</freebsdsa>
|
|
<mlist msgid="7389fc4b05040412574f819112@mail.gmail.com">http://marc.theaimsgroup.com/?l=bugtraq&m=111271860708210</mlist>
|
|
<mlist msgid="7389fc4b0504201224759f31b@mail.gmail.com">http://marc.theaimsgroup.com/?l=bugtraq&m=111402732406477</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-20</discovery>
|
|
<entry>2005-06-18</entry>
|
|
<modified>2005-07-06</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9fae0f1f-df82-11d9-b875-0001020eed82">
|
|
<topic>tcpdump -- infinite loops in protocol decoding</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.4</ge><lt>5.4_2</lt></range>
|
|
<range><ge>5.3</ge><lt>5.3_16</lt></range>
|
|
</system>
|
|
<package>
|
|
<name>tcpdump</name>
|
|
<range><lt>3.8.3_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description</h1>
|
|
<p>Several tcpdump protocol decoders contain programming
|
|
errors which can cause them to go into infinite loops.</p>
|
|
<h1>Impact</h1>
|
|
<p>An attacker can inject specially crafted packets into the
|
|
network which, when processed by tcpdump, could lead to a
|
|
denial-of-service. After the attack, tcpdump would no
|
|
longer capture traffic, and would potentially use all
|
|
available processor time.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1267</cvename>
|
|
<cvename>CVE-2005-1278</cvename>
|
|
<cvename>CVE-2005-1279</cvename>
|
|
<cvename>CVE-2005-1280</cvename>
|
|
<freebsdsa>SA-05:10.tcpdump</freebsdsa>
|
|
<mlist msgid="20050426100140.1945.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=111454406222040</mlist>
|
|
<mlist msgid="20050426100057.1748.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=111454461300644</mlist>
|
|
<mlist msgid="20050619091553.GB982@zaphod.nitro.dk">http://marc.theaimsgroup.com/?l=bugtraq&m=111928309502304</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-09</discovery>
|
|
<entry>2005-06-18</entry>
|
|
<modified>2005-06-20</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2701611f-df5c-11d9-b875-0001020eed82">
|
|
<topic>gaim -- Yahoo! remote crash vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>1.3.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jacopo Ottaviani reports that Gaim can be crashed by being
|
|
offered files with names containing non-ASCII
|
|
characters via the Yahoo! protocol.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13931</bid>
|
|
<cvename>CVE-2005-1269</cvename>
|
|
<url>http://gaim.sourceforge.net/security/index.php?id=18</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-10</discovery>
|
|
<entry>2005-06-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b6612eee-df5f-11d9-b875-0001020eed82">
|
|
<topic>gaim -- MSN Remote DoS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>1.3.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The GAIM team reports:</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/index.php?id=19">
|
|
<p>Remote attackers can cause a denial of service (crash)
|
|
via a malformed MSN message that leads to a memory
|
|
allocation of a large size, possibly due to an integer
|
|
signedness error.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13932</bid>
|
|
<cvename>CVE-2005-1934</cvename>
|
|
<url>http://gaim.sourceforge.net/security/index.php?id=19</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-10</discovery>
|
|
<entry>2005-06-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="12b1a62d-6056-4d90-9e21-45fcde6abae4">
|
|
<topic>gallery -- remote code injection via HTTP_POST_VARS</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gallery</name>
|
|
<range><lt>1.4.1.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A web server running Gallery can be exploited for arbitrary
|
|
PHP code execution through the use of a maliciously crafted
|
|
URL.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-2124</cvename>
|
|
<mlist msgid="0c0a01c3e525$1c0ed2b0$c90c030a@bmedirattatg">http://marc.theaimsgroup.com/?l=bugtraq&m=107524414317693</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-01-27</discovery>
|
|
<entry>2005-06-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5752a0df-60c5-4876-a872-f12f9a02fa05">
|
|
<topic>gallery -- cross-site scripting</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gallery</name>
|
|
<range><lt>1.4.4.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Gallery includes several cross-site scripting vulnerabilities
|
|
that could allow malicious content to be injected.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1106</cvename>
|
|
<cvename>CVE-2005-0219</cvename>
|
|
<cvename>CVE-2005-0220</cvename>
|
|
<cvename>CVE-2005-0221</cvename>
|
|
<cvename>CVE-2005-0222</cvename>
|
|
<bid>11602</bid>
|
|
<url>http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147</url>
|
|
<url>http://marc.theaimsgroup.com/?l=bugtraq&m=110608459222364</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-26</discovery>
|
|
<entry>2005-06-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0512b761-70fb-40d3-9954-aa4565528fa8">
|
|
<topic>kstars -- exploitable set-user-ID application fliccd</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kdeedu</name>
|
|
<range><lt>3.3.2_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A KDE Security Advisory explains:</p>
|
|
<blockquote cite="http://www.kde.org/info/security/advisory-20050215-1.txt">
|
|
<h1>Overview</h1>
|
|
<p>KStars includes support for the Instrument Neutral
|
|
Distributed Interface (INDI). The build system of this
|
|
extra 3rd party software contained an installation hook to
|
|
install fliccd (part of INDI) as SUID root
|
|
application.</p>
|
|
<p>Erik Sjölund discovered that the code contains several
|
|
vulnerabilities that allow stack based buffer
|
|
overflows.</p>
|
|
<h1>Impact</h1>
|
|
<p>If the fliccd binary is installed as suid root, it
|
|
enables root privilege escalation for local users, or, if
|
|
the daemon is actually running (which it does not by
|
|
default) and is running as root, remote root privilege
|
|
escalation.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0011</cvename>
|
|
<url>http://www.kde.org/info/security/advisory-20050215-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-05</discovery>
|
|
<entry>2005-06-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4c005a5e-2541-4d95-80a0-00c76919aa66">
|
|
<topic>fd_set -- bitmap index overflow in multiple applications</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gatekeeper</name>
|
|
<range><lt>2.2.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>citadel</name>
|
|
<range><lt>6.29</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>3proxy</name>
|
|
<range><lt>0.5.b</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>jabber</name>
|
|
<range><lt>1.4.3.1_1,1</lt></range>
|
|
<range><eq>1.4.4</eq></range>
|
|
</package>
|
|
<package>
|
|
<name>bnc</name>
|
|
<range><lt>2.9.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rinetd</name>
|
|
<range><lt>0.62_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>dante</name>
|
|
<range><lt>1.1.15</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bld</name>
|
|
<range><lt>0.3.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>3APA3A reports:</p>
|
|
<blockquote cite="http://www.security.nnov.ru/advisories/sockets.asp">
|
|
<p>If programmer fails to check socket number before using
|
|
select() or fd_set macros, it's possible to overwrite
|
|
memory behind fd_set structure. Very few select() based
|
|
application actually check FD_SETSIZE value. <em>[...]</em></p>
|
|
<p>Depending on vulnerable application it's possible to
|
|
overwrite portions of memory. Impact is close to
|
|
off-by-one overflows, code execution doesn't seems
|
|
exploitable.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.gotbnc.com/changes.html#2.9.3</url>
|
|
<url>http://www.security.nnov.ru/advisories/sockets.asp</url>
|
|
<mlist msgid="1473827718.20050124233008@security.nnov.ru">http://marc.theaimsgroup.com/?l=bugtraq&m=110660879328901</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-12</discovery>
|
|
<entry>2005-06-17</entry>
|
|
<modified>2006-09-03</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b5ffaa2a-ee50-4498-af99-61bc1b163c00">
|
|
<topic>leafnode -- denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>leafnode</name>
|
|
<range><lt>1.11.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Matthias Andree reports:</p>
|
|
<blockquote cite="http://leafnode.sourceforge.net/leafnode-SA-2005-02.txt">
|
|
<p>A vulnerability was found in the fetchnews program (the NNTP
|
|
client) that may under some circumstances cause a wait for input
|
|
that never arrives, fetchnews "hangs". [...]</p>
|
|
<p>As only one fetchnews program can run at a time, subsequently
|
|
started fetchnews and texpire programs will terminate. [...]</p>
|
|
<p>Upgrade your leafnode package to version 1.11.3.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1911</cvename>
|
|
<url>http://leafnode.sourceforge.net/leafnode-SA-2005-02.txt</url>
|
|
<freebsdpr>ports/82056</freebsdpr>
|
|
<mlist msgid="20050608215155.GB27234@merlin.emma.line.org">http://marc.theaimsgroup.com/?l=vulnwatch&m=111827180929063</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-06-08</discovery>
|
|
<entry>2005-06-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fe903533-ff96-4c7a-bd3e-4d40efa71897">
|
|
<topic>gforge -- directory traversal vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gforge</name>
|
|
<range><lt>4.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An STG Security Advisory reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110627132209963">
|
|
<p>GForge CVS module made by Dragos Moinescu and another
|
|
module made by Ronald Petty have a directory traversal
|
|
vulnerability. [...] malicious attackers can read
|
|
arbitrary directory lists.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0299</cvename>
|
|
<bid>12318</bid>
|
|
<mlist msgid="20050120051735.2832.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110627132209963</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-20</discovery>
|
|
<entry>2005-06-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d1bbc235-c0c9-45cd-8d2d-c1b8fd22e616">
|
|
<topic>imap-uw -- authentication bypass when CRAM-MD5 is enabled</topic>
|
|
<affects>
|
|
<package>
|
|
<name>imap-uw</name>
|
|
<range><lt>2004b,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The CRAM-MD5 authentication support of the University of
|
|
Washington IMAP and POP3 servers contains a vulnerability that
|
|
may allow an attacker to bypass authentication and impersonate
|
|
arbitrary users. Only installations with CRAM-MD5 support
|
|
configured are affected.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0198</cvename>
|
|
<certvu>702777</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-04</discovery>
|
|
<entry>2005-06-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5bf1a715-cc57-440f-b0a5-6406961c54a7">
|
|
<topic>squid -- denial-of-service vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Squid team reported several denial-of-service
|
|
vulnerabilities related to the handling of DNS responses and
|
|
NT Lan Manager messages. These may allow an attacker to crash
|
|
the Squid cache.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0446</cvename>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE8-dns_assert</url>
|
|
<cvename>CVE-2005-0096</cvename>
|
|
<cvename>CVE-2005-0097</cvename>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-16</discovery>
|
|
<entry>2005-06-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3b260179-e464-460d-bf9f-d5cda6204020">
|
|
<topic>racoon -- remote denial-of-service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>racoon</name>
|
|
<range><lt>20050510a</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Sebastian Krahmer discovered that the racoon ISAKMP daemon
|
|
could be crashed with a maliciously crafted UDP packet. No
|
|
authentication is required in order to perform the attack.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0398</cvename>
|
|
<mlist>http://sourceforge.net/mailarchive/forum.php?thread_id=6787713&forum_id=32000</mlist>
|
|
<url>http://xforce.iss.net/xforce/xfdb/19707</url>
|
|
<url>https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=109966&action=view</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-12</discovery>
|
|
<entry>2005-06-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="bfbbd505-3bd6-409c-8c67-445d3635cf4b">
|
|
<topic>xli -- integer overflows in image size calculations</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xli</name>
|
|
<range><le>1.17.0_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Tavis Ormandy discovered several integer overflows in xli's
|
|
image size handling. A maliciously crafted image may be able
|
|
to cause a heap buffer overflow and execute arbitrary code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0639</cvename>
|
|
<url>http://bugs.gentoo.org/show_bug.cgi?id=79762</url>
|
|
<url>http://pantransit.reptiles.org/prog/xli/CHANGES</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-08</discovery>
|
|
<entry>2005-06-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="310d0087-0fde-4929-a41f-96f17c5adffe">
|
|
<topic>xloadimage -- arbitrary command execution when handling compressed files</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xli</name>
|
|
<range><le>1.17.0_1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>xloadimage</name>
|
|
<range><le>4.1.10</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Tavis Ormandy discovered that xli and xloadimage attempt to
|
|
decompress images by piping them through <code>gunzip</code>
|
|
or similar decompression tools. Unfortunately, the
|
|
unsanitized file name is included as part of the command.
|
|
This is dangerous, as in some situations, such as mailcap
|
|
processing, an attacker may control the input file name. As a
|
|
result, an attacker may be able to cause arbitrary command
|
|
execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0638</cvename>
|
|
<url>http://bugs.gentoo.org/show_bug.cgi?id=79762</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-18</discovery>
|
|
<entry>2005-06-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8c1da77d-d3e9-11d9-8ffb-00061bc2ad93">
|
|
<topic>xloadimage -- buffer overflow in FACES image handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xli</name>
|
|
<range><le>1.17.0_1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>xloadimage</name>
|
|
<range><lt>4.1.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>In 2001, zen-parse discovered a buffer overflow in
|
|
xloadimage's FACES image loader. A maliciously crafted image
|
|
could cause xloadimage to execute arbitrary code. A published
|
|
exploit exists for this vulnerability.</p>
|
|
<p>In 2005, Rob Holland discovered that the same vulnerability
|
|
was present in xli.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2001-0775</cvename>
|
|
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=99477230306845</mlist>
|
|
<url>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=46186</url>
|
|
<url>http://bugs.gentoo.org/show_bug.cgi?id=79762</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2000-02-19</discovery>
|
|
<entry>2005-06-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="99b5cfa5-d3d2-11d9-8ffb-00061bc2ad93">
|
|
<topic>yamt -- buffer overflow and directory traversal issues</topic>
|
|
<affects>
|
|
<package>
|
|
<name>yamt</name>
|
|
<range><lt>0.5_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stanislav Brabec discovered errors in yamt's path name
|
|
handling that lead to buffer overflows and directory traversal
|
|
issues. When processing a file with a maliciously crafted ID3
|
|
tag, yamt might overwrite arbitrary files or possibly execute
|
|
arbitrary code.</p>
|
|
<p>The SuSE package ChangeLog contains:</p>
|
|
<blockquote>
|
|
<ul>
|
|
<li>Several security fixes (#49337):</li>
|
|
<li>directory traversal in rename</li>
|
|
<li>directory traversal in sort</li>
|
|
<li>buffer overflow in sort</li>
|
|
<li>buffer overflow in rename</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1846</cvename>
|
|
<cvename>CVE-2005-1847</cvename>
|
|
<url>http://rpmfind.net/linux/RPM/suse/updates/8.2/i386/rpm/i586/yamt-0.5-1277.i586.html</url>
|
|
<url>ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/yamt-0.5-1277.src.rpm</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-20</discovery>
|
|
<entry>2005-06-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ae6ec9b8-2f43-4d02-8129-c6a3a53ef09d">
|
|
<topic>xview -- multiple buffer overflows in xv_parse_one</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xview</name>
|
|
<range><lt>3.2.1_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Debian Security Advisory reports:</p>
|
|
<blockquote cite="http://www.debian.org/security/2005/dsa-672">
|
|
<p>Erik Sjölund discovered that programs linked against xview
|
|
are vulnerable to a number of buffer overflows in the XView
|
|
library. When the overflow is triggered in a program which
|
|
is installed setuid root a malicious user could perhaps
|
|
execute arbitrary code as privileged user.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0076</cvename>
|
|
<url>http://www.debian.org/security/2005/dsa-672</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/19271</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-09</discovery>
|
|
<entry>2005-06-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f7e8d2ca-410e-40b2-8748-3abd021e44a9">
|
|
<topic>xtrlock -- X display locking bypass</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xtrlock</name>
|
|
<range><lt>2.0.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The X display locking program <code>xtrlock</code> contains
|
|
an integer overflow bug. It is possible for an attacker with
|
|
physical access to the system to bypass the display lock.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0079</cvename>
|
|
<url>http://www.debian.org/security/2005/dsa-649</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/18991</url>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278191</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-25</discovery>
|
|
<entry>2005-06-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="bf2e7483-d3fa-440d-8c6e-8f1f2f018818">
|
|
<topic>linux_base -- vulnerabilities in Red Hat 7.1 libraries</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux_base</name>
|
|
<range><lt>7.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Trevor Johnson reported that the Red Hat Linux RPMs used
|
|
by linux_base contained multiple older vulnerabilities, such
|
|
as a DNS resolver issue and critical bugs in X font handling
|
|
and XPM image handling.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://fedoralegacy.org/updates/RH7.3/2004-10-23-FLSA_2004_1947__Updated_glibc_packages_fix_flaws.html</url>
|
|
<url>http://rhn.redhat.com/errata/RHSA-2004-059.html</url>
|
|
<url>http://rhn.redhat.com/errata/RHSA-2004-478.html</url>
|
|
<url>http://rhn.redhat.com/errata/RHSA-2004-612.html</url>
|
|
<cvename>CVE-2002-0029</cvename>
|
|
<cvename>CVE-2004-0083</cvename>
|
|
<cvename>CVE-2004-0084</cvename>
|
|
<cvename>CVE-2004-0106</cvename>
|
|
<cvename>CVE-2004-0687</cvename>
|
|
<cvename>CVE-2004-0688</cvename>
|
|
<cvename>CVE-2004-0692</cvename>
|
|
<cvename>CVE-2004-0914</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-27</discovery>
|
|
<entry>2005-06-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="79630c0c-8dcc-45d0-9908-4087fe1d618c">
|
|
<topic>squirrelmail -- XSS and remote code injection vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squirrelmail</name>
|
|
<name>ja-squirrelmail</name>
|
|
<range><lt>1.4.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A SquirrelMail Security Advisory reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110702772714662">
|
|
<p>SquirrelMail 1.4.4 has been released to resolve a number of
|
|
security issues disclosed below. It is strongly recommended
|
|
that all running SquirrelMail prior to 1.4.4 upgrade to the
|
|
latest release.</p>
|
|
<h1>Remote File Inclusion</h1>
|
|
<p>Manoel Zaninetti reported an issue in src/webmail.php which
|
|
would allow a crafted URL to include a remote web page.
|
|
This was assigned CAN-2005-0103 by the Common
|
|
Vulnerabilities and Exposures.</p>
|
|
<h1>Cross Site Scripting Issues</h1>
|
|
<p>A possible cross site scripting issue exists in
|
|
src/webmail.php that is only accessible when the PHP
|
|
installation is running with register_globals set to On.
|
|
This issue was uncovered internally by the SquirrelMail
|
|
Development team. This isssue was assigned CAN-2005-0104 by
|
|
the Common Vulnerabilities and Exposures.</p>
|
|
<p>A second issue which was resolved in the 1.4.4-rc1 release
|
|
was uncovered and assigned CAN-2004-1036 by the Common
|
|
Vulnerabilities and Exposures. This issue could allow a
|
|
remote user to send a specially crafted header and cause
|
|
execution of script (such as javascript) in the client
|
|
browser.</p>
|
|
<h1>Local File Inclusion</h1>
|
|
<p>A possible local file inclusion issue was uncovered by one
|
|
of our developers involving custom preference handlers.
|
|
This issue is only active if the PHP installation is running
|
|
with register_globals set to On.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1036</cvename>
|
|
<cvename>CVE-2005-0075</cvename>
|
|
<cvename>CVE-2005-0103</cvename>
|
|
<cvename>CVE-2005-0104</cvename>
|
|
<mlist msgid="47249.24.0.109.81.1106975343.squirrel@sm-14.netdork.net">http://marc.theaimsgroup.com/?l=bugtraq&m=110702772714662</mlist>
|
|
<url>http://www.squirrelmail.org/security/issue/2005-01-14</url>
|
|
<url>http://www.squirrelmail.org/security/issue/2005-01-19</url>
|
|
<url>http://www.squirrelmail.org/security/issue/2005-01-20</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-29</discovery>
|
|
<entry>2005-06-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0d9ba03b-0dbb-42b4-ae0f-60e27af78e22">
|
|
<topic>sympa -- buffer overflow in "queue"</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sympa</name>
|
|
<range><lt>4.1.2_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Erik Sjölund discovered a vulnerabilitiy in Sympa. The
|
|
<code>queue</code> application processes messages received via
|
|
aliases. It contains a buffer overflow in the usage of
|
|
<code>sprintf</code>. In some configurations, it may allow an
|
|
attacker to execute arbitrary code as the <code>sympa</code>
|
|
user.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0073</cvename>
|
|
<url>http://www.debian.org/security/2005/dsa-677</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-11</discovery>
|
|
<entry>2005-06-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b3cd00f7-c0c5-452d-87bc-086c5635333e">
|
|
<topic>mailman -- generated passwords are poor quality</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mailman</name>
|
|
<name>ja-mailman</name>
|
|
<range><lt>2.1.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Florian Weimer wrote:</p>
|
|
<blockquote cite="http://mail.python.org/pipermail/mailman-developers/attachments/20041215/be238297/attachment.mht">
|
|
<p>Mailman 2.1.5 uses weak auto-generated passwords for new
|
|
subscribers. These passwords are assigned when members
|
|
subscribe without specifying their own password (either by
|
|
email or the web frontend). Knowledge of this password
|
|
allows an attacker to gain access to the list archive even
|
|
though she's not a member and the archive is restricted to
|
|
members only. [...]</p>
|
|
<p>This means that only about 5 million different passwords
|
|
are ever generated, a number that is in the range of brute
|
|
force attacks -- you only have to guess one subscriber
|
|
address (which is usually not that hard).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1143</cvename>
|
|
<mlist>http://mail.python.org/pipermail/mailman-developers/2004-December/017553.html</mlist>
|
|
<mlist msgid="87llc0u6l8.fsf@deneb.enyo.de">http://mail.python.org/pipermail/mailman-developers/attachments/20041215/be238297/attachment.mht</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-15</discovery>
|
|
<entry>2005-06-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ad9d2518-3471-4737-b60b-9a1f51023b28">
|
|
<topic>mailman -- password disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mailman</name>
|
|
<name>ja-mailman</name>
|
|
<range><lt>2.1.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Barry Warsaw reports:</p>
|
|
<blockquote cite="http://mail.python.org/pipermail/mailman-announce/2004-May/000072.html">
|
|
<p>Today I am releasing Mailman 2.1.5, a bug fix release
|
|
[...] This version also contains a fix for an exploit that
|
|
could allow 3rd parties to retrieve member passwords. It is
|
|
thus highly recommended that all existing sites upgrade to
|
|
the latest version.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0412</cvename>
|
|
<mlist>http://mail.python.org/pipermail/mailman-announce/2004-May/000072.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-15</discovery>
|
|
<entry>2005-06-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="26a08c77-32da-4dd7-a884-a76fc49aa824">
|
|
<topic>tomcat -- Tomcat Manager cross-site scripting</topic>
|
|
<affects>
|
|
<package>
|
|
<name>jakarta-tomcat</name>
|
|
<range><ge>5.0.*</ge><lt>5.0.30_5</lt></range>
|
|
<range><ge>5.5.*</ge><lt>5.5.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Oliver Karow discovered cross-site scripting issues in
|
|
the Apache Jakarta Tomcat manager. The developers refer to
|
|
the issues as <q>minor</q>.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.oliverkarow.de/research/jakarta556_xss.txt</url>
|
|
<mlist>http://www.mail-archive.com/tomcat-dev@jakarta.apache.org/msg66978.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-03</discovery>
|
|
<entry>2005-06-01</entry>
|
|
<modified>2006-09-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="84479a62-ca5f-11d9-b772-000c29b00e99">
|
|
<topic>fswiki -- XSS problem in file upload form</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fswiki</name>
|
|
<range><le>3.5.6</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia security advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/15538">
|
|
<p>A vulnerability has been reported in FreeStyle Wiki and
|
|
FSWikiLite, which can be exploited by malicious people to
|
|
conduct script insertion attacks.</p>
|
|
<p>Input passed in uploaded attachments is not properly
|
|
sanitised before being used. This can be exploited to inject
|
|
arbitrary HTML and script code, which will be executed in a
|
|
user's browser session in context of an affected site when
|
|
the malicious attachment is viewed.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1799</cvename>
|
|
<url>http://secunia.com/advisories/15538</url>
|
|
<freebsdpr>ports/81520</freebsdpr>
|
|
<url>http://fswiki.poi.jp/wiki.cgi?page=%CD%FA%CE%F2%2F2005%2D5%2D19</url>
|
|
<url>http://jvn.jp/jp/JVN%23465742E4/index.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-19</discovery>
|
|
<entry>2005-05-29</entry>
|
|
<modified>2005-06-01</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2fbe16c2-cab6-11d9-9aed-000e0c2e438a">
|
|
<topic>freeradius -- sql injection and denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>freeradius</name>
|
|
<range><le>1.0.2_1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>freeradius-devel</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Gentoo Advisory reports:</p>
|
|
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200505-13.xml">
|
|
<p>The FreeRADIUS server is vulnerable to an SQL injection
|
|
attack and a buffer overflow, possibly resulting in
|
|
disclosure and modification of data and Denial of
|
|
Service.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13540</bid>
|
|
<bid>13541</bid>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200505-13.xml</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-17</discovery>
|
|
<entry>2005-05-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="641e8609-cab5-11d9-9aed-000e0c2e438a">
|
|
<topic>ppxp -- local root exploit</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ppxp</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>ja-ppxp</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Debian Advisory reports:</p>
|
|
<blockquote cite="http://www.debian.org/security/2005/dsa-725">
|
|
<p>Jens Steube discovered that ppxp, yet another PPP program,
|
|
does not release root privileges when opening potentially
|
|
user supplied log files. This can be tricked into opening
|
|
a root shell.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0392</cvename>
|
|
<url>http://www.debian.org/security/2005/dsa-725</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-19</discovery>
|
|
<entry>2005-05-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1033750f-cab4-11d9-9aed-000e0c2e438a">
|
|
<topic>oops -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>oops</name>
|
|
<range><le>1.5.24</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A RST/GHC Advisory reports that there is an format string
|
|
vulnerability in oops. The vulnerability can be found in
|
|
the MySQL/PgSQL authentication module. Succesful
|
|
exploitation may allow execution of arbitrary code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13172</bid>
|
|
<cvename>CVE-2005-1121</cvename>
|
|
<url>http://rst.void.ru/papers/advisory24.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-14</discovery>
|
|
<entry>2005-05-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d51a7e6e-c546-11d9-9aed-000e0c2e438a">
|
|
<topic>cdrdao -- unspecified privilege escalation vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cdrdao</name>
|
|
<range><lt>1.2.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The developers of cdrdao report that there is a potential
|
|
root exploit in the software. In order to be able to
|
|
succesfully exploit this vulnerability cdrdao must be
|
|
installed setuid root. When succesfully exploited a local
|
|
user might get escalated privileges. By default this port is
|
|
not installed setuid root.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/15354/</url>
|
|
<url>http://sourceforge.net/forum/forum.php?forum_id=466399</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-13</discovery>
|
|
<entry>2005-05-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ad5e70bb-c429-11d9-ac59-02061b08fc24">
|
|
<topic>gaim -- MSN remote DoS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>1.3.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The GAIM team reports:</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/index.php?id=17">
|
|
<p>Potential remote denial of service bug resulting from not
|
|
checking a pointer for non-NULL before passing it to
|
|
strncmp, which results in a crash. This can be triggered
|
|
by a remote client sending an SLP message with an empty
|
|
body.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1262</cvename>
|
|
<url>http://gaim.sourceforge.net/security/index.php?id=17</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-10</discovery>
|
|
<entry>2005-05-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="889061af-c427-11d9-ac59-02061b08fc24">
|
|
<topic>gaim -- remote crash on some protocols</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>1.3.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The GAIM team reports that GAIM is vulnerable to a
|
|
denial-of-service vulnerability which can cause GAIM to
|
|
crash:</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/index.php?id=16">
|
|
<p>It is possible for a remote user to overflow a static
|
|
buffer by sending an IM containing a very large URL
|
|
(greater than 8192 bytes) to the Gaim user. This is not
|
|
possible on all protocols, due to message length
|
|
restrictions. Jabber are SILC are known to be
|
|
vulnerable.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1261</cvename>
|
|
<url>http://gaim.sourceforge.net/security/index.php?id=16</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-10</discovery>
|
|
<entry>2005-05-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="180e9a38-060f-4c16-a6b7-49f3505ff22a">
|
|
<topic>kernel -- information disclosure when using HTT</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.4</ge><lt>5.4_1</lt></range>
|
|
<range><ge>5.0</ge><lt>5.3_15</lt></range>
|
|
<range><ge>4.11</ge><lt>4.11_9</lt></range>
|
|
<range><lt>4.10_14</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem description and impact</h1>
|
|
<p>When running on processors supporting Hyper-Threading Technology, it is
|
|
possible for a malicious thread to monitor the execution of another
|
|
thread.</p>
|
|
<p>Information may be disclosed to local users, allowing in many
|
|
cases for privilege escalation. For example, on a multi-user
|
|
system, it may be possible to steal cryptographic keys used in
|
|
applications such as OpenSSH or SSL-enabled web servers.</p>
|
|
<p><strong>NOTE:</strong> Similar problems may exist in other
|
|
simultaneous multithreading implementations, or even some
|
|
systems in the absence of simultaneous multithreading.
|
|
However, current research has only demonstrated this flaw in
|
|
Hyper-Threading Technology, where shared memory caches are
|
|
used.</p>
|
|
<h1>Workaround</h1>
|
|
<p>Systems not using processors with Hyper-Threading Technology
|
|
support are not affected by this issue. On systems which are
|
|
affected, the security flaw can be eliminated by setting the
|
|
"machdep.hlt_logical_cpus" tunable:</p>
|
|
<pre># echo "machdep.hlt_logical_cpus=1" >> /boot/loader.conf</pre>
|
|
<p>The system must be rebooted in order for tunables to take effect.</p>
|
|
<p>Use of this workaround is not recommended on "dual-core" systems, as
|
|
this workaround will also disable one of the processor
|
|
cores.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0109</cvename>
|
|
<freebsdsa>SA-05:09.htt</freebsdsa>
|
|
<url>http://www.daemonology.net/hyperthreading-considered-harmful/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-13</discovery>
|
|
<entry>2005-05-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="66dbb2ee-99b8-45b2-bb3e-640caea67a60">
|
|
<topic>leafnode -- fetchnews denial-of-service triggered by transmission abort/timeout</topic>
|
|
<affects>
|
|
<package>
|
|
<name>leafnode</name>
|
|
<range><ge>1.9.48</ge><lt>1.11.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When an upstream server aborts the transmission or stops sending
|
|
data after the fetchnews program has requested an article header
|
|
or body, fetchnews may crash, without querying further servers
|
|
that are configured. This can prevent articles from being fetched.
|
|
</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://leafnode.sourceforge.net/leafnode-SA-2005-01.txt</url>
|
|
<cvename>CVE-2005-1453</cvename>
|
|
<freebsdpr>ports/80663</freebsdpr>
|
|
<bid>13489</bid>
|
|
<bid>13492</bid>
|
|
<mlist msgid="20050504152311.GA25593@merlin.emma.line.org">http://sourceforge.net/mailarchive/forum.php?thread_id=7186974&forum_id=10210</mlist>
|
|
<mlist msgid="20050504152311.GA25593@merlin.emma.line.org">http://article.gmane.org/gmane.network.leafnode.announce/52</mlist>
|
|
<mlist msgid="20050504152311.GA25593@merlin.emma.line.org">http://www.dt.e-technik.uni-dortmund.de/pipermail/leafnode-list/2005q2/000900.html</mlist>
|
|
<mlist msgid="20050504152311.GA25593@merlin.emma.line.org">http://www.fredi.de/maillist/msg00111.html</mlist>
|
|
<mlist msgid="20050504152311.GA25593@merlin.emma.line.org">http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0037.html</mlist>
|
|
<url>http://www.frsirt.com/english/advisories/2005/0468</url>
|
|
<url>http://secunia.com/advisories/15252</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-04</discovery>
|
|
<entry>2005-05-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a6427195-c2c7-11d9-89f7-02061b08fc24">
|
|
<topic>mozilla -- privilege escalation via non-DOM property overrides</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.4,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.8,2</lt></range>
|
|
<range><ge>1.8.*,2</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.8</lt></range>
|
|
<range><ge>1.8.*</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These ports are obsolete. -->
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>ja-netscape7</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk1</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-44.html">
|
|
<p>Additional checks were added to make sure Javascript eval
|
|
and Script objects are run with the privileges of the
|
|
context that created them, not the potentially elevated
|
|
privilege of the context calling them in order to protect
|
|
against an additional variant of <a href="http://www.mozilla.org/security/announce/mfsa2005-41.html">MFSA
|
|
2005-41</a>.</p>
|
|
</blockquote>
|
|
<p>The Mozilla Foundation Security Advisory MFSA 2005-41
|
|
reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-41.html">
|
|
<p>moz_bug_r_a4 reported several exploits giving an attacker
|
|
the ability to install malicious code or steal data,
|
|
requiring only that the user do commonplace actions like
|
|
click on a link or open the context menu.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-44.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-11</discovery>
|
|
<entry>2005-05-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a81746a1-c2c7-11d9-89f7-02061b08fc24">
|
|
<topic>mozilla -- "Wrapped" javascript: urls bypass security checks</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.4,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.8,2</lt></range>
|
|
<range><ge>1.8.*,2</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.8</lt></range>
|
|
<range><ge>1.8.*</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These ports are obsolete. -->
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>ja-netscape7</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk1</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-43.html">
|
|
<p>Some security checks intended to prevent script injection
|
|
were incorrect and could be bypassed by wrapping a
|
|
javascript: url in the view-source:
|
|
pseudo-protocol. Michael Krax demonstrated that a variant
|
|
of his <a href="http://www.mozilla.org/security/announce/mfsa2005-37.html">favicon</a>
|
|
exploit could still execute arbitrary code, and the same
|
|
technique could also be used to perform cross-site
|
|
scripting.</p>
|
|
<p>Georgi Guninski demonstrated the same flaw wrapping
|
|
javascript: urls with the jar: pseudo-protocol.</p>
|
|
<p>L. David Baron discovered a nested variant that defeated
|
|
checks in the script security manager.</p>
|
|
<p><strong>Workaround:</strong> Disable Javascript</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-43.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-11</discovery>
|
|
<entry>2005-05-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="eca6195a-c233-11d9-804c-02061b08fc24">
|
|
<topic>mozilla -- code execution via javascript: IconURL vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.4,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.8,2</lt></range>
|
|
<range><ge>1.8.*,2</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.8</lt></range>
|
|
<range><ge>1.8.*</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These ports are obsolete. -->
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>ja-netscape7</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk1</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-42.html">
|
|
<p>Two vulnerabilities have been discovered in Firefox,
|
|
which can be exploited by malicious people to conduct
|
|
cross-site scripting attacks and compromise a user's
|
|
system.</p>
|
|
<ol>
|
|
<li>The problem is that "IFRAME" JavaScript URLs are not
|
|
properly protected from being executed in context of
|
|
another URL in the history list. This can be exploited
|
|
to execute arbitrary HTML and script code in a user's
|
|
browser session in context of an arbitrary site.</li>
|
|
<li>Input passed to the "IconURL" parameter in
|
|
"InstallTrigger.install()" is not properly verified
|
|
before being used. This can be exploited to execute
|
|
arbitrary JavaScript code with escalated privileges via
|
|
a specially crafted JavaScript URL.</li>
|
|
</ol>
|
|
<p>Successful exploitation requires that the site is allowed
|
|
to install software (default sites are
|
|
"update.mozilla.org" and "addons.mozilla.org").</p>
|
|
<p>A combination of vulnerability 1 and 2 can be exploited
|
|
to execute arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1476</cvename>
|
|
<cvename>CVE-2005-1477</cvename>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-42.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-08</discovery>
|
|
<entry>2005-05-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="01bb84e2-bd88-11d9-a281-02e018374e71">
|
|
<topic>groff -- pic2graph and eqn2graph are vulnerable to symlink attack through temporary files</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ja-groff</name>
|
|
<range><ge>1.18.1</ge><lt>1.18.1_8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The eqn2graph and pic2graph scripts in groff 1.18.1
|
|
allow local users to overwrite arbitrary files via
|
|
a symlink attack on temporary files.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>ports/80671</freebsdpr>
|
|
<bid>12058</bid>
|
|
<cvename>CVE-2004-1296</cvename>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286371</url>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286372</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-20</discovery>
|
|
<entry>2005-05-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="169f422f-bd88-11d9-a281-02e018374e71">
|
|
<topic>groff -- groffer uses temporary files unsafely</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ja-groff</name>
|
|
<range><ge>1.18</ge><lt>1.18.1_8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The groffer script in the groff package 1.18 and later versions
|
|
allows local users to overwrite files via a symlink attack
|
|
on temporary files.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>ports/80671</freebsdpr>
|
|
<bid>11287</bid>
|
|
<cvename>CVE-2004-0969</cvename>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278265</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-30</discovery>
|
|
<entry>2005-05-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5f003a08-ba3c-11d9-837d-000e0c2e438a">
|
|
<topic>sharutils -- unshar insecure temporary file creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sharutils</name>
|
|
<range><lt>4.3.80</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An Ubuntu Advisory reports:</p>
|
|
<blockquote cite="http://www.ubuntulinux.org/support/documentation/usn/usn-104-1">
|
|
<p>Joey Hess discovered that "unshar" created temporary files
|
|
in an insecure manner. This could allow a symbolic link
|
|
attack to create or overwrite arbitrary files with the
|
|
privileges of the user invoking the program.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12981</bid>
|
|
<cvename>CVE-2005-0990</cvename>
|
|
<url>http://www.ubuntulinux.org/support/documentation/usn/usn-104-1</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-04</discovery>
|
|
<entry>2005-05-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8c5ad0cf-ba37-11d9-837d-000e0c2e438a">
|
|
<topic>rsnapshot -- local privilege escalation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rsnapshot</name>
|
|
<range><lt>1.1.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An rsnapshot Advisory reports:</p>
|
|
<blockquote cite="http://www.rsnapshot.org/security/2005/001.html">
|
|
<p>The copy_symlink() subroutine in rsnapshot incorrectly
|
|
changes file ownership on the files pointed to by symlinks,
|
|
not on the symlinks themselves. This would allow, under
|
|
certain circumstances, an arbitrary user to take ownership
|
|
of a file on the main filesystem.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13095</bid>
|
|
<cvename>CVE-2005-1064</cvename>
|
|
<url>http://www.rsnapshot.org/security/2005/001.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-10</discovery>
|
|
<entry>2005-05-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="756db070-b9d4-11d9-ae81-000ae42e9b93">
|
|
<topic>coppermine -- IP spoofing and XSS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>coppermine</name>
|
|
<range><lt>1.3.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>GHC team reports about coppermine</p>
|
|
<blockquote cite="http://www.securityfocus.com/archive/1/396080">
|
|
<p>The lack of sanitizing of user defined variables may
|
|
result in undesirable consequences such as IP spoofing
|
|
or XSS attack.</p>
|
|
<p>Generally users of Coppermine Gallery can post comments.
|
|
Remote address & x-forwarded-for variables are logged
|
|
for admin's eyes. X-Forwarded-for variable does not pass
|
|
throu any filtration before logging into database. User
|
|
can define/redefine this variable.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="20050418122434.10438.qmail@www.securityfocus.com">http://www.securityfocus.com/archive/1/396080</mlist>
|
|
<bid>13218</bid>
|
|
<cvename>CVE-2005-1172</cvename>
|
|
<url>http://coppermine.sourceforge.net/board/index.php?topic=17134.0</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-18</discovery>
|
|
<entry>2005-05-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cd286cc5-b762-11d9-bfb7-000c6ec775d9">
|
|
<topic>ImageMagick -- ReadPNMImage() heap overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ImageMagick</name>
|
|
<range><lt>6.2.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Damian Put reports about ImageMagick:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=111445767107869">
|
|
<p>Remote exploitation of a heap overflow vulnerability
|
|
could allow execution of arbitrary code or course denial
|
|
of service.</p>
|
|
<p>A heap overflow exists in ReadPNMImage() function, that
|
|
is used to decode a PNM image files.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13351</bid>
|
|
<url>http://marc.theaimsgroup.com/?l=bugtraq&m=111445767107869</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-25</discovery>
|
|
<entry>2005-04-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="91c606fc-b5d0-11d9-a788-0001020eed82">
|
|
<topic>mplayer & libxine -- MMS and Real RTSP buffer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mplayer</name>
|
|
<name>mplayer-gtk</name>
|
|
<name>mplayer-gtk2</name>
|
|
<name>mplayer-esound</name>
|
|
<name>mplayer-gtk-esound</name>
|
|
<name>mplayer-gtk2-esound</name>
|
|
<range><lt>0.99.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libxine</name>
|
|
<range><ge>0.9.9</ge><lt>1.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A xine security announcement reports:</p>
|
|
<blockquote cite="http://xinehq.de/index.php/security/XSA-2004-8">
|
|
<p>By a user receiving data from a malicious network
|
|
streaming server, an attacker can overrun a heap buffer,
|
|
which can, on some systems, lead to or help in executing
|
|
attacker-chosen malicious code with the permissions of the
|
|
user running a xine-lib based media application.</p>
|
|
<p>Both the MMS and Real RTSP streaming client code made
|
|
some too-strong assumptions on the transferred
|
|
data. Several critical bounds checks were missing,
|
|
resulting in the possibility of heap overflows, should the
|
|
remote server not adhere to these assumptions. In the MMS
|
|
case, a remote server could present content with too many
|
|
individual streams; in the RTSP case, a remote server's
|
|
reply could have too many lines.</p>
|
|
<p>An attacker can set up a server delivering malicious data
|
|
to the users. This can be used to overflow a heap buffer,
|
|
which can, with certain implementations of heap
|
|
management, lead to attacker chosen data written to the
|
|
stack. This can cause attacker-chosen code being executed
|
|
with the permissions of the user running the
|
|
application. By tricking users to retrieve a stream, which
|
|
can be as easy as providing a link on a website, this
|
|
vulnerability can be exploited remotely.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13270</bid>
|
|
<bid>13271</bid>
|
|
<cvename>CVE-2005-1195</cvename>
|
|
<url>http://www.mplayerhq.hu/homepage/design7/news.html#vuln10</url>
|
|
<url>http://www.mplayerhq.hu/homepage/design7/news.html#vuln11</url>
|
|
<url>http://xinehq.de/index.php/security/XSA-2004-8</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-16</discovery>
|
|
<entry>2005-04-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8b0e94cc-b5cd-11d9-a788-0001020eed82">
|
|
<topic>gaim -- AIM/ICQ remote denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>1.1.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The GAIM team reports that GAIM is vulnerable to a
|
|
denial-of-service vulnerability which can cause GAIM to
|
|
freeze:</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/index.php?id=10">
|
|
<p>Certain malformed SNAC packets sent by other AIM or ICQ
|
|
users can trigger an infinite loop in Gaim when parsing
|
|
the SNAC. The remote user would need a custom client, able
|
|
to generate malformed SNACs.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0472</cvename>
|
|
<url>http://gaim.sourceforge.net/security/index.php?id=10</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-17</discovery>
|
|
<entry>2005-04-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="142353df-b5cc-11d9-a788-0001020eed82">
|
|
<topic>gaim -- remote DoS on receiving malformed HTML</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>1.1.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The GAIM team reports:</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/index.php?id=12">
|
|
<p>Receiving malformed HTML can result in an invalid memory
|
|
access causing Gaim to crash.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0208</cvename>
|
|
<cvename>CVE-2005-0473</cvename>
|
|
<url>http://gaim.sourceforge.net/security/index.php?id=11</url>
|
|
<url>http://gaim.sourceforge.net/security/index.php?id=12</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-17</discovery>
|
|
<entry>2005-04-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="91f1adc7-b3e9-11d9-a788-0001020eed82">
|
|
<topic>kdewebdev -- kommander untrusted code execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kdewebdev</name>
|
|
<range><lt>3.4.0_1,2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A KDE Security Advisory reports:</p>
|
|
<blockquote cite="http://www.kde.org/info/security/advisory-20050420-1.txt">
|
|
<p>Kommander executes without user confirmation data files
|
|
from possibly untrusted locations. As they contain
|
|
scripts, the user might accidentally run arbitrary
|
|
code.</p>
|
|
<p><strong>Impact:</strong> Remotly supplied kommander files
|
|
from untrusted sources are executed without
|
|
confirmation.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0754</cvename>
|
|
<url>http://www.kde.org/info/security/advisory-20050420-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-20</discovery>
|
|
<entry>2005-04-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="97edf5ab-b319-11d9-837d-000e0c2e438a">
|
|
<topic>junkbuster -- heap corruption vulnerability and configuration modification vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>junkbuster</name>
|
|
<range><lt>2.0.2_3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>junkbuster-zlib</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Debian advisory reports:</p>
|
|
<blockquote cite="http://www.debian.org/security/2005/dsa-713">
|
|
<p>James Ranson discovered that an attacker can modify the
|
|
referrer setting with a carefully crafted URL by accidently
|
|
overwriting a global variable.</p>
|
|
<p>Tavis Ormandy from the Gentoo Security Team discovered
|
|
several heap corruptions due to inconsistent use of an
|
|
internal function that can crash the daemon or possibly
|
|
lead to the execution of arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13146</bid>
|
|
<bid>13147</bid>
|
|
<cvename>CVE-2005-1108</cvename>
|
|
<cvename>CVE-2005-1109</cvename>
|
|
<url>http://www.debian.org/security/2005/dsa-713</url>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200504-11.xml</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-13</discovery>
|
|
<entry>2005-04-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="06404241-b306-11d9-a788-0001020eed82">
|
|
<topic>kdelibs -- kimgio input validation errors</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kdelibs</name>
|
|
<range><ge>3.2</ge><lt>3.4.0_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A KDE Security Advisory reports:</p>
|
|
<blockquote cite="http://www.kde.org/info/security/advisory-20050421-1.txt">
|
|
<p>kimgio contains a PCX image file format reader that does
|
|
not properly perform input validation. A source code audit
|
|
performed by the KDE security team discovered several
|
|
vulnerabilities in the PCX and other image file format
|
|
readers, some of them exploitable to execute arbitrary
|
|
code.</p>
|
|
<p><strong>Impact:</strong> Remotely supplied, specially
|
|
crafted image files can be used to execute arbitrary
|
|
code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1046</cvename>
|
|
<url>http://bugs.kde.org/102328</url>
|
|
<url>http://www.kde.org/info/security/advisory-20050421-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-21</discovery>
|
|
<entry>2005-04-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6c2d4f29-af3e-11d9-837d-000e0c2e438a">
|
|
<topic>gld -- format string and buffer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gld</name>
|
|
<range><lt>1.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Gld has been found vulnerable to multiple buffer overflows as
|
|
well as multiple format string vulnerabilities.</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=111339935903880">
|
|
<p>An attacker could exploit this vulnerability to execute
|
|
arbitrary code with the permissions of the user running Gld,
|
|
the default user being root.</p>
|
|
</blockquote>
|
|
<p>The FreeBSD port defaults to running gld as the root user.
|
|
The risk of exploitation can be minimized by making gld
|
|
listen on the loopback address only, or configure it to only
|
|
accept connections from trusted smtp servers.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13129</bid>
|
|
<bid>13133</bid>
|
|
<cvename>CVE-2005-1099</cvename>
|
|
<cvename>CVE-2005-1100</cvename>
|
|
<mlist msgid="20050412004111.562AC7A890E@ws4-4.us4.outblaze.com">http://marc.theaimsgroup.com/?l=bugtraq&m=111339935903880</mlist>
|
|
<mlist msgid="20050413174736.20947.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=111342432325670</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-12</discovery>
|
|
<entry>2005-04-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0163b498-af54-11d9-acd0-000854d03344">
|
|
<topic>axel -- remote buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>axel</name>
|
|
<range><lt>1.0a_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Debian Security Advisory reports:</p>
|
|
<blockquote cite="http://www.debian.org/security/2005/dsa-706">
|
|
<p>Ulf Härnhammar from the Debian Security Audit Project
|
|
discovered a buffer overflow in axel, a light download
|
|
accelerator. When reading remote input the program did
|
|
not check if a part of the input can overflow a buffer
|
|
and maybe trigger the execution of arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13059</bid>
|
|
<cvename>CVE-2005-0390</cvename>
|
|
<url>http://www.debian.org/security/2005/dsa-706</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-16</discovery>
|
|
<entry>2005-04-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ce6ac624-aec8-11d9-a788-0001020eed82">
|
|
<topic>firefox -- PLUGINSPAGE privileged javascript execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.3,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-34.html">
|
|
<p>When a webpage requires a plugin that is not installed
|
|
the user can click to launch the Plugin Finder Service
|
|
(PFS) to find an appropriate plugin. If the service does
|
|
not have an appropriate plugin the EMBED tag is checked
|
|
for a PLUGINSPAGE attribute, and if one is found the PFS
|
|
dialog will contain a "manual install" button that will
|
|
load the PLUGINSPAGE url.</p>
|
|
<p>Omar Khan reported that if the PLUGINSPAGE attribute
|
|
contains a javascript: url then pressing the button could
|
|
launch arbitrary code capable of stealing local data or
|
|
installing malicious code.</p>
|
|
<p>Doron Rosenberg reported a variant that injects script by
|
|
appending it to a malformed URL of any protocol.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0752</cvename>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-34.html</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=288556</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=289171</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-31</discovery>
|
|
<entry>2005-04-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="18e5428f-ae7c-11d9-837d-000e0c2e438a">
|
|
<topic>jdk -- jar directory traversal vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>jdk</name>
|
|
<range><le>1.2.2p11_3</le></range>
|
|
<range><ge>1.3.*</ge><le>1.3.1p9_4</le></range>
|
|
<range><ge>1.4.*</ge><le>1.4.2p7</le></range>
|
|
<range><ge>1.5.*</ge><le>1.5.0p1_1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-ibm-jdk</name>
|
|
<range><le>1.4.2_1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-sun-jdk</name>
|
|
<range><le>1.4.2.08_1</le></range>
|
|
<range><ge>1.5.*</ge><le>1.5.2.02,2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-blackdown-jdk</name>
|
|
<range><le>1.4.2_2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>diablo-jdk</name>
|
|
<range><le>1.3.1.0_1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>diablo-jdk-freebsd6</name>
|
|
<range><le>i386.1.5.0.07.00</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-jdk</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Pluf has discovered a vulnerability in Sun Java JDK/SDK,
|
|
which potentially can be exploited by malicious people to
|
|
compromise a user's system.</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=111331593310508">
|
|
<p>The jar tool does not check properly if the files to be
|
|
extracted have the string "../" on its names, so it's
|
|
possible for an attacker to create a malicious jar file in
|
|
order to overwrite arbitrary files within the filesystem.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1080</cvename>
|
|
<mlist msgid="200504120226.10559.pluf@7a69ezine.org">http://marc.theaimsgroup.com/?l=bugtraq&m=111331593310508</mlist>
|
|
<url>http://www.securiteam.com/securitynews/5IP0C0AFGW.html</url>
|
|
<url>http://secunia.com/advisories/14902/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-11</discovery>
|
|
<entry>2005-04-16</entry>
|
|
<modified>2006-09-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f650d5b8-ae62-11d9-a788-0001020eed82">
|
|
<topic>mozilla -- privilege escalation via DOM property overrides</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.3,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.7,2</lt></range>
|
|
<range><ge>1.8.*,2</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.7</lt></range>
|
|
<range><ge>1.8.*</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These ports are obsolete. -->
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>ja-netscape7</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk1</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-41.html">
|
|
<p>moz_bug_r_a4 reported several exploits giving an attacker
|
|
the ability to install malicious code or steal data,
|
|
requiring only that the user do commonplace actions like
|
|
click on a link or open the context menu. The common cause
|
|
in each case was privileged UI code ("chrome") being
|
|
overly trusting of DOM nodes from the content
|
|
window. Scripts in the web page can override properties
|
|
and methods of DOM nodes and shadow the native values,
|
|
unless steps are taken to get the true underlying values.</p>
|
|
<p>We found that most extensions also interacted with
|
|
content DOM in a natural, but unsafe, manner. Changes were
|
|
made so that chrome code using this natural DOM coding
|
|
style will now automatically use the native DOM value if
|
|
it exists without having to use cumbersome wrapper
|
|
objects.</p>
|
|
<p>Most of the specific exploits involved tricking the
|
|
privileged code into calling eval() on an
|
|
attacker-supplied script string, or the equivalent using
|
|
the Script() object. Checks were added in the security
|
|
manager to make sure eval and Script objects are run with
|
|
the privileges of the context that created them, not the
|
|
potentially elevated privileges of the context calling
|
|
them.</p>
|
|
<p><strong>Workaround</strong>: Disable Javascript</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-41.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-15</discovery>
|
|
<entry>2005-04-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1989b511-ae62-11d9-a788-0001020eed82">
|
|
<topic>mozilla -- code execution through javascript: favicons</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.3,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.7,2</lt></range>
|
|
<range><ge>1.8.*,2</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.7</lt></range>
|
|
<range><ge>1.8.*</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These ports are obsolete. -->
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>ja-netscape7</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk1</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-37.html">
|
|
<p>Firefox and the Mozilla Suite support custom "favicons"
|
|
through the <LINK rel="icon"> tag. If a link tag is added
|
|
to the page programmatically and a javascript: url is
|
|
used, then script will run with elevated privileges and
|
|
could run or install malicious software.</p>
|
|
<p><strong>Workaround</strong>: Disable Javascript</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-37.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-12</discovery>
|
|
<entry>2005-04-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="45b75152-ae5f-11d9-a788-0001020eed82">
|
|
<topic>mozilla -- javascript "lambda" replace exposes memory contents</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.3,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.7,2</lt></range>
|
|
<range><ge>1.8.*,2</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.7</lt></range>
|
|
<range><ge>1.8.*</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These ports are obsolete. -->
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>ja-netscape7</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk1</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-33.html">
|
|
<p>A bug in javascript's regular expression string
|
|
replacement when using an anonymous function as the
|
|
replacement argument allows a malicious script to capture
|
|
blocks of memory allocated to the browser. A web site
|
|
could capture data and transmit it to a server without
|
|
user interaction or knowledge.</p>
|
|
<p><strong>Workaround</strong>: Disable Javascript</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0989</cvename>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-33.html</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=288688</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-01</discovery>
|
|
<entry>2005-04-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1f2fdcff-ae60-11d9-a788-0001020eed82">
|
|
<topic>firefox -- arbitrary code execution in sidebar panel</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.3,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-39.html">
|
|
<p>Sites can use the _search target to open links in the
|
|
Firefox sidebar. Two missing security checks allow
|
|
malicious scripts to first open a privileged page (such as
|
|
about:config) and then inject script using a javascript:
|
|
url. This could be used to install malicious code or steal
|
|
data without user interaction.</p>
|
|
<p><strong>Workaround</strong>: Disable Javascript</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-39.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-12</discovery>
|
|
<entry>2005-04-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b206dd82-ac67-11d9-a788-0001020eed82">
|
|
<topic>openoffice -- DOC document heap overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openoffice</name>
|
|
<name>ar-openoffice</name>
|
|
<name>ca-openoffice</name>
|
|
<name>cs-openoffice</name>
|
|
<name>de-openoffice</name>
|
|
<name>dk-openoffice</name>
|
|
<name>el-openoffice</name>
|
|
<name>es-openoffice</name>
|
|
<name>et-openoffice</name>
|
|
<name>fi-openoffice</name>
|
|
<name>fr-openoffice</name>
|
|
<name>gr-openoffice</name>
|
|
<name>hu-openoffice</name>
|
|
<name>it-openoffice</name>
|
|
<name>ja-openoffice</name>
|
|
<name>ko-openoffice</name>
|
|
<name>nl-openoffice</name>
|
|
<name>pl-openoffice</name>
|
|
<name>pt-openoffice</name>
|
|
<name>pt_BR-openoffice</name>
|
|
<name>ru-openoffice</name>
|
|
<name>se-openoffice</name>
|
|
<name>sk-openoffice</name>
|
|
<name>sl-openoffice-SI</name>
|
|
<name>tr-openoffice</name>
|
|
<name>zh-openoffice-CN</name>
|
|
<name>zh-openoffice-TW</name>
|
|
<!-- Deprecated names -->
|
|
<name>jp-openoffice</name>
|
|
<name>kr-openoffice</name>
|
|
<name>sl-openoffice-SL</name>
|
|
<name>zh-openoffice</name>
|
|
<name>zh_TW-openoffice</name>
|
|
<range><lt>1.1.4_2</lt></range>
|
|
<range><gt>2.*</gt><le>2.0.20050406</le></range>
|
|
</package>
|
|
<package>
|
|
<name>openoffice</name>
|
|
<name>ja-openoffice</name>
|
|
<range><ge>6.0.a609</ge><le>6.0.a638</le></range>
|
|
<range><ge>641c</ge><le>645</le></range>
|
|
<range><eq>1.1RC4</eq></range>
|
|
<range><eq>1.1rc5</eq></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>AD-LAB reports that a heap-based buffer overflow
|
|
vulnerability exists in OpenOffice's handling of DOC
|
|
documents. When reading a DOC document 16 bit from a 32 bit
|
|
integer is used for memory allocation, but the full 32 bit
|
|
is used for further processing of the document. This can
|
|
allow an attacker to crash OpenOffice, or potentially
|
|
execute arbitrary code as the user running OpenOffice, by
|
|
tricking an user into opening a specially crafted DOC
|
|
document.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13092</bid>
|
|
<cvename>CVE-2005-0941</cvename>
|
|
<mlist msgid="20050412000438.17342.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=111325305109137</mlist>
|
|
<url>http://www.openoffice.org/issues/show_bug.cgi?id=46388</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-11</discovery>
|
|
<entry>2005-04-13</entry>
|
|
<modified>2005-04-20</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="22f00553-a09d-11d9-a788-0001020eed82">
|
|
<topic>portupgrade -- insecure temporary file handling vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>portupgrade</name>
|
|
<range><lt>20041226_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Simon L. Nielsen discovered that portupgrade handles
|
|
temporary files in an insecure manner. This could allow an
|
|
unprivileged local attacker to execute arbitrary commands or
|
|
overwrite arbitrary files with the permissions of the user
|
|
running portupgrade, typically root, by way of a symlink
|
|
attack.</p>
|
|
<p>The following issues exist where the temporary files are
|
|
created, by default in the world writeable directory
|
|
/var/tmp, with the permissions of the user running
|
|
portupgrade:</p>
|
|
<ul>
|
|
<li>pkg_fetch download packages with a predictable local
|
|
filename allowing a local attacker to overwrite arbitrary
|
|
local files or potentially replace the downloaded package
|
|
after download but before install with a package with
|
|
malicious content, allowing the attacker to run arbitrary
|
|
commands.</li>
|
|
<li>portupgrade will, when upgrading ports/packages, write
|
|
the old package to a predictable temporary file, allowing
|
|
an attacker to overwrite arbitrary files via a symlink
|
|
attack.</li>
|
|
<li>portupgrade will <q>touch</q> a temporary temporary file
|
|
with a constant filename (pkgdb.fixme) allowing an
|
|
attacker to create arbitrary zero-byte files via a symlink
|
|
attack.</li>
|
|
</ul>
|
|
<p>A workaround for these issues is to set the
|
|
<code>PKG_TMPDIR</code> environment variable to a directory
|
|
only write-able by the user running portupgrade.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0610</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-12</discovery>
|
|
<entry>2005-04-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ecf68408-a9f5-11d9-a788-0001020eed82">
|
|
<topic>gaim -- jabber remote crash</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>1.2.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The GAIM team reports:</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/?id=15">
|
|
<p>A remote jabber user can cause Gaim to crash by sending a
|
|
specific file transfer request.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13004</bid>
|
|
<cvename>CVE-2005-0967</cvename>
|
|
<url>http://gaim.sourceforge.net/security/?id=15</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-04</discovery>
|
|
<entry>2005-04-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ec09baa3-a9f5-11d9-a788-0001020eed82">
|
|
<topic>gaim -- remote DoS on receiving certain messages over IRC</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>1.2.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The GAIM team reports:</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/?id=14">
|
|
<p>The IRC protocol plugin in Gaim 1.2.0, and possibly
|
|
earlier versions, allows (1) remote attackers to inject
|
|
arbitrary Gaim markup via irc_msg_kick, irc_msg_mode,
|
|
irc_msg_part, irc_msg_quit, (2) remote attackers to inject
|
|
arbitrary Pango markup and pop up empty dialog boxes via
|
|
irc_msg_invite, or (3) malicious IRC servers to cause a
|
|
denial of service (application crash) by injecting certain
|
|
Pango markup into irc_msg_badmode, irc_msg_banned,
|
|
irc_msg_unknown, irc_msg_nochan functions.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>13003</bid>
|
|
<cvename>CVE-2005-0966</cvename>
|
|
<url>http://gaim.sourceforge.net/security/?id=14</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-02</discovery>
|
|
<entry>2005-04-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3fa2b372-a9f5-11d9-a788-0001020eed82">
|
|
<topic>gaim -- remote DoS on receiving malformed HTML</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>1.2.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The GAIM team reports:</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/?id=13">
|
|
<p>The gaim_markup_strip_html function in Gaim 1.2.0, and
|
|
possibly earlier versions, allows remote attackers to
|
|
cause a denial of service (application crash) via a string
|
|
that contains malformed HTML, which causes an
|
|
out-of-bounds read.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12999</bid>
|
|
<cvename>CVE-2005-0965</cvename>
|
|
<url>http://gaim.sourceforge.net/security/?id=13</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-04-02</discovery>
|
|
<entry>2005-04-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="07f3fe15-a9de-11d9-a788-0001020eed82">
|
|
<topic>php -- readfile() DoS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_php4-twig</name>
|
|
<name>php4-cgi</name>
|
|
<name>php4-cli</name>
|
|
<name>php4-dtc</name>
|
|
<name>php4-horde</name>
|
|
<name>php4-nms</name>
|
|
<name>php4</name>
|
|
<range><lt>4.3.5_7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mod_php</name>
|
|
<name>mod_php4</name>
|
|
<range><lt>4.3.5_7,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A SUSE Security advisory reports:</p>
|
|
<blockquote cite="http://www.novell.com/linux/security/advisories/2005_06_sr.html">
|
|
<p>A bug in the readfile() function of php4 could be used to
|
|
to crash the httpd running the php4 code when accessing
|
|
files with a multiple of the architectures page size
|
|
leading to a denial of service.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12665</bid>
|
|
<cvename>CVE-2005-0596</cvename>
|
|
<url>http://bugs.php.net/bug.php?id=27037</url>
|
|
<url>http://www.novell.com/linux/security/advisories/2005_06_sr.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-01-25</discovery>
|
|
<entry>2005-04-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8dbf7894-a9a8-11d9-a788-0001020eed82">
|
|
<topic>squid -- DoS on failed PUT/POST requests vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><le>2.5.7_12</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The squid patches page notes:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-post">
|
|
<p>An inconsistent state is entered on a failed PUT/POST
|
|
request making a high risk for segmentation faults or
|
|
other strange errors</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0718</cvename>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-post</url>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1224</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-03</discovery>
|
|
<entry>2005-04-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="396ee517-a607-11d9-ac72-000bdb1444a4">
|
|
<topic>horde -- Horde Page Title Cross-Site Scripting Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde</name>
|
|
<name>horde-php5</name>
|
|
<range><gt>3.*</gt><lt>3.0.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia Advisory: SA14730</p>
|
|
<blockquote cite="http://secunia.com/advisories/14730">
|
|
<p>A vulnerability has been reported in Horde, which can be
|
|
exploited by malicious people to conduct cross-site scripting
|
|
attacks.</p>
|
|
<p>Input passed when setting the parent frame's page title via
|
|
JavaScript is not properly sanitised before being returned to
|
|
the user. This can be exploited to execute arbitrary HTML and
|
|
script code in a user's browser session in context of an affected
|
|
site.</p>
|
|
<p>The vulnerability has been reported in version 3.0.4-RC2. Prior
|
|
versions may also be affected.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0961</cvename>
|
|
<mlist msgid="20050329111028.6A112117243@neo.wg.de">http://lists.horde.org/archives/announce/2005/000176.html</mlist>
|
|
<url>http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.49&r2=1.515.2.93&ty=h</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-29</discovery>
|
|
<entry>2005-04-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ef410571-a541-11d9-a788-0001020eed82">
|
|
<topic>wu-ftpd -- remote globbing DoS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wu-ftpd</name>
|
|
<range><lt>2.6.2_6</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>wu-ftpd+ipv6</name>
|
|
<range><lt>2.6.2_7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE Security Advisory reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110935886414939">
|
|
<p>Remote exploitation of an input validation vulnerability
|
|
in version 2.6.2 of WU-FPTD could allow for a denial of
|
|
service of the system by resource exhaustion.</p>
|
|
<p>The vulnerability specifically exists in the
|
|
<code>wu_fnmatch()</code> function in wu_fnmatch.c. When a
|
|
pattern containing a '*' character is supplied as input,
|
|
the function calls itself recursively on a smaller
|
|
substring. By supplying a string which contains a large
|
|
number of '*' characters, the system will take a long time
|
|
to return the results, during which time it will be using
|
|
a large amount of CPU time.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0256</cvename>
|
|
<mlist msgid="FB24803D1DF2A34FA59FC157B77C970503E249AF@idserv04.idef.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110935886414939</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-05</discovery>
|
|
<entry>2005-04-04</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5ebfe901-a3cb-11d9-b248-000854d03344">
|
|
<topic>hashcash -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>hashcash</name>
|
|
<range><lt>1.17</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Gentoo Linux Security Advisory reports:</p>
|
|
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200503-12.xml">
|
|
<p>Tavis Ormandy of the Gentoo Linux Security Audit Team
|
|
identified a flaw in the Hashcash utility that an attacker
|
|
could expose by specifying a malformed reply address.</p>
|
|
<p>Successful exploitation would permit an attacker to disrupt
|
|
Hashcash users, and potentially execute arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0687</cvename>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200503-12.xml</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-06</discovery>
|
|
<entry>2005-04-02</entry>
|
|
<modified>2005-04-03</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="70b62f5e-9e2e-11d9-a256-0001020eed82">
|
|
<topic>clamav -- zip handling DoS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>clamav</name>
|
|
<range><lt>0.81</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>clamav-devel</name>
|
|
<range><lt>20050408</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The clamav daemon is vulnerable to a DoS vulnerability due
|
|
to insufficient handling of malformed zip files which can
|
|
crash the clamav daemon.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12408</bid>
|
|
<cvename>CVE-2005-0133</cvename>
|
|
<url>http://sourceforge.net/project/shownotes.php?release_id=300116</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-27</discovery>
|
|
<entry>2005-03-26</entry>
|
|
<modified>2005-04-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="48a59c96-9c6e-11d9-a040-000a95bc6fae">
|
|
<topic>wine -- information disclosure due to insecure temporary file handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wine</name>
|
|
<range><lt>20050310</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Due to insecure temporary file creation in the Wine Windows
|
|
emulator, it is possible for any user to read potentially
|
|
sensitive information from temporary registry files.</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=111082537009842">
|
|
<p>When a Win32 application is launched by wine, wine makes
|
|
a dump of the Windows registry in /tmp with name
|
|
regxxxxyyyy.tmp , where xxxxxx is the pid in hexadecimal
|
|
value of the current wine process and yyyy is an integer
|
|
value usually equal to zero.</p>
|
|
<p>regxxxxyyyy.tmp is created with 0644 (-rw-r--r--)
|
|
permissions. This could represent a security problem in a
|
|
multi-user environment. Indeed, any local user could
|
|
access to windows regstry's dump and get sensitive
|
|
information, like passwords and other private data.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0787</cvename>
|
|
<mlist msgid="20050314135701.30231.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=111082537009842</mlist>
|
|
<url>http://bugs.winehq.org/show_bug.cgi?id=2715</url>
|
|
<url>http://www.securitytracker.com/alerts/2005/Mar/1013428.html</url>
|
|
<url>http://www.zone-h.org/advisories/read/id=7300</url>
|
|
<url>http://www.securityfocus.com/bid/12791</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/19697</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-13</discovery>
|
|
<entry>2005-03-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="741f8841-9c6b-11d9-9dbe-000a95bc6fae">
|
|
<topic>firefox -- arbitrary code execution from sidebar panel</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.2,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory states:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-31.html">
|
|
<p>If a user bookmarked a malicious page as a Firefox
|
|
sidebar panel that page could execute arbitrary programs
|
|
by opening a privileged page and injecting javascript into
|
|
it.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0402</cvename>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-31.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-03</discovery>
|
|
<entry>2005-03-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7d2aac52-9c6b-11d9-99a7-000a95bc6fae">
|
|
<topic>mozilla -- heap buffer overflow in GIF image processing</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.2,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<name>linux-firefox</name>
|
|
<range><lt>1.0.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.6,2</lt></range>
|
|
<range><ge>1.8.*,2</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.6</lt></range>
|
|
<range><ge>1.8.*</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These ports are obsolete. -->
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>ja-netscape7</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk1</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory states:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-31.html">
|
|
<p>An <em>(sic)</em> GIF processing error when parsing the
|
|
obsolete Netscape extension 2 can lead to an exploitable
|
|
heap overrun, allowing an attacker to run arbitrary code on
|
|
the user's machine.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0399</cvename>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-30.html</url>
|
|
<url>http://xforce.iss.net/xforce/alerts/id/191</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=285595</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-10</discovery>
|
|
<entry>2005-03-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f8536143-9bc4-11d9-b8b3-000a95bc6fae">
|
|
<topic>sylpheed -- buffer overflow in header processing</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sylpheed</name>
|
|
<name>sylpheed-claws</name>
|
|
<name>sylpheed-gtk2</name>
|
|
<range><ge>0.8.*</ge><lt>1.0.3</lt></range>
|
|
<range><ge>1.9.*</ge><lt>1.9.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Sylpheed web site states:</p>
|
|
<blockquote cite="http://sylpheed.good-day.net/index.cgi.en#changes">
|
|
<p>A buffer overflow which occurred when replying to a
|
|
message with certain headers which contain non-ascii
|
|
characters was fixed.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0667</cvename>
|
|
<url>http://sylpheed.good-day.net/index.cgi.en#changes</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-07</discovery>
|
|
<entry>2005-03-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a4bd3039-9a48-11d9-a256-0001020eed82">
|
|
<topic>xv -- filename handling format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xv</name>
|
|
<name>ja-xv</name>
|
|
<range><lt>3.10a_5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Gentoo Linux Security Advisory reports:</p>
|
|
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200503-09.xml">
|
|
<p>Tavis Ormandy of the Gentoo Linux Security Audit Team
|
|
identified a flaw in the handling of image filenames by xv.</p>
|
|
<p>Successful exploitation would require a victim to process
|
|
a specially crafted image with a malformed filename,
|
|
potentially resulting in the execution of arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0665</cvename>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200503-09.xml</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-01</discovery>
|
|
<entry>2005-03-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="972697a7-9a42-11d9-a256-0001020eed82">
|
|
<topic>kdelibs -- local DCOP denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ja-kdelibs</name>
|
|
<name>kdelibs-nocups</name>
|
|
<name>kdelibs</name>
|
|
<range><lt>3.4.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A KDE Security Advisory reports:</p>
|
|
<blockquote cite="http://www.kde.org/info/security/advisory-20050316-1.txt">
|
|
<p>Sebastian Krahmer of the SUSE LINUX Security Team
|
|
reported a local denial of service vulnerability in KDE's
|
|
Desktop Communication Protocol (DCOP) daemon better known
|
|
as dcopserver.</p>
|
|
<p>A local user can lock up the dcopserver of arbitrary
|
|
other users on the same machine. This can cause a
|
|
significant reduction in desktop functionality for the
|
|
affected users including, but not limited to, the
|
|
inability to browse the internet and the inability to
|
|
start new applications.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0396</cvename>
|
|
<url>http://www.kde.org/info/security/advisory-20050316-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-16</discovery>
|
|
<entry>2005-03-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6192ae3d-9595-11d9-a9e0-0001020eed82">
|
|
<topic>phpmyadmin -- increased privilege vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpmyadmin</name>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>2.6.1.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The phpMyAdmin team reports:</p>
|
|
<blockquote cite="http://sourceforge.net/forum/forum.php?forum_id=450948">
|
|
<p>Escaping of the "_" character was not properly done,
|
|
giving a wildcard privilege when editing db-specific
|
|
privileges with phpMyAdmin.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0653</cvename>
|
|
<url>http://sourceforge.net/forum/forum.php?forum_id=450948</url>
|
|
<url>http://sourceforge.net/tracker/index.php?func=detail&aid=1113788&group_id=23067&atid=377408</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-01</discovery>
|
|
<entry>2005-03-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cb470368-94d2-11d9-a9e0-0001020eed82">
|
|
<topic>ethereal -- multiple protocol dissectors vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ethereal</name>
|
|
<name>ethereal-lite</name>
|
|
<name>tethereal</name>
|
|
<name>tethereal-lite</name>
|
|
<range><ge>0.9.1</ge><lt>0.10.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An Ethreal Security Advisories reports:</p>
|
|
<blockquote cite="http://www.ethereal.com/appnotes/enpa-sa-00018.html">
|
|
<p>Issues have been discovered in the following protocol
|
|
dissectors:</p>
|
|
<ul>
|
|
<li>Matevz Pustisek discovered a buffer overflow in the
|
|
Etheric dissector. CVE: CAN-2005-0704</li>
|
|
<li>The GPRS-LLC dissector could crash if the "ignore
|
|
cipher bit" option was enabled. CVE: CAN-2005-0705</li>
|
|
<li>Diego Giago discovered a buffer overflow in the 3GPP2
|
|
A11 dissector. This flaw was later reported by Leon
|
|
Juranic. CVE: CAN-2005-0699</li>
|
|
<li>Leon Juranic discovered a buffer overflow in the IAPP dissector.
|
|
CVE: CAN-2005-0739</li>
|
|
<li>A bug in the JXTA dissector could make Ethereal crash.</li>
|
|
<li>A bug in the sFlow dissector could make Ethereal crash.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12759</bid>
|
|
<cvename>CVE-2005-0699</cvename>
|
|
<cvename>CVE-2005-0704</cvename>
|
|
<cvename>CVE-2005-0705</cvename>
|
|
<cvename>CVE-2005-0739</cvename>
|
|
<url>http://www.ethereal.com/appnotes/enpa-sa-00018.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-09</discovery>
|
|
<entry>2005-03-14</entry>
|
|
<modified>2005-06-24</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="bcf27002-94c3-11d9-a9e0-0001020eed82">
|
|
<topic>grip -- CDDB response multiple matches buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>grip</name>
|
|
<range><lt>3.2.0_7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Joseph VanAndel reports that grip is vulnerability to a
|
|
buffer overflow vulnerability when receiving more than 16
|
|
CDDB responses. This could lead to a crash in grip and
|
|
potentially execution arbitrary code.</p>
|
|
<p>A workaround is to disable CDDB lookups.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12770</bid>
|
|
<cvename>CVE-2005-0706</cvename>
|
|
<url>http://sourceforge.net/tracker/index.php?func=detail&aid=834724&group_id=3714&atid=103714</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-11-02</discovery>
|
|
<entry>2005-03-14</entry>
|
|
<modified>2005-03-18</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="619ef337-949a-11d9-b813-00d05964249f">
|
|
<topic>mysql-server -- multiple remote vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><ge>4.0.0</ge><lt>4.0.24</lt></range>
|
|
<range><ge>4.1.0</ge><lt>4.1.10a</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>SecurityFocus reports:</p>
|
|
<blockquote cite="http://www.securityfocus.com/bid/12781/discussion/">
|
|
<p>MySQL is reported prone to an insecure temporary file creation
|
|
vulnerability.</p>
|
|
<p>Reports indicate that an attacker that has 'CREATE TEMPORARY TABLE'
|
|
privileges on an affected installation may leverage this
|
|
vulnerability to corrupt files with the privileges of the MySQL
|
|
process.</p>
|
|
<p>MySQL is reported prone to an input validation vulnerability that
|
|
can be exploited by remote users that have INSERT and DELETE
|
|
privileges on the 'mysql' administrative database.</p>
|
|
<p>Reports indicate that this issue may be leveraged to load an
|
|
execute a malicious library in the context of the MySQL process.</p>
|
|
<p>Finally, MySQL is reported prone to a remote arbitrary code
|
|
execution vulnerability. It is reported that the vulnerability may
|
|
be triggered by employing the 'CREATE FUNCTION' statement to
|
|
manipulate functions in order to control sensitive data
|
|
structures.</p>
|
|
<p>This issue may be exploited to execute arbitrary code in the
|
|
context of the database process.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12781</bid>
|
|
<cvename>CVE-2005-0709</cvename>
|
|
<cvename>CVE-2005-0710</cvename>
|
|
<cvename>CVE-2005-0711</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-11</discovery>
|
|
<entry>2005-03-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d4bd4046-93a6-11d9-8378-000bdb1444a4">
|
|
<topic>rxvt-unicode -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rxvt-unicode</name>
|
|
<range><lt>5.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A rxvt-unicode changelog reports:</p>
|
|
<blockquote cite="http://dist.schmorp.de/rxvt-unicode/Changes">
|
|
<p>Fix a bug that allowed to overflow a buffer via a long
|
|
escape sequence, which is probably exploitable (fix by
|
|
Rob Holland / Yoann Vandoorselaere / Gentoo Audit Team).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://dist.schmorp.de/rxvt-unicode/Changes</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-13</discovery>
|
|
<entry>2005-03-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a7062952-9023-11d9-a22c-0001020eed82">
|
|
<topic>phpmyadmin -- information disclosure vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpmyadmin</name>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>2.6.1.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A phpMyAdmin security announcement reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-2">
|
|
<p>By calling some scripts that are part of phpMyAdmin in an
|
|
unexpected way (especially scripts in the libraries
|
|
subdirectory), it is possible to trigger phpMyAdmin to
|
|
display a PHP error message which contains the full path
|
|
of the directory where phpMyAdmin is installed.</p>
|
|
<p><strong>Mitigation factor:</strong> This path disclosure
|
|
is possible on servers where the recommended setting of
|
|
the PHP configuration directive
|
|
<code>display_errors</code> is set to on, which is against
|
|
the recommendations given in the PHP manual.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0544</cvename>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-2</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-22</discovery>
|
|
<entry>2005-03-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="882ef43b-901f-11d9-a22c-0001020eed82">
|
|
<topic>phpmyadmin -- arbitrary file include and XSS vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpmyadmin</name>
|
|
<name>phpMyAdmin</name>
|
|
<range><gt>1.3.1</gt><lt>2.6.1.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A phpMyAdmin security announcement reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1">
|
|
<p>We received two bug reports by Maksymilian Arciemowicz
|
|
about those vulnerabilities and we wish to thank him for
|
|
his work. The vulnerabilities apply to those points:</p>
|
|
<ol>
|
|
<li>css/phpmyadmin.css.php was vulnerable against
|
|
<code>$cfg</code> and <code>GLOBALS</code> variable
|
|
injections. This way, a possible attacker could
|
|
manipulate any configuration parameter. Using
|
|
phpMyAdmin's theming mechanism, he was able to include
|
|
arbitrary files. This is especially dangerous if php is
|
|
not running in safe mode.</li>
|
|
<li>A possible attacker could manipulate phpMyAdmin's
|
|
localized strings via the URL and inject harmful
|
|
JavaScript code this way, which could be used for XSS
|
|
attacks.</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12644</bid>
|
|
<bid>12645</bid>
|
|
<cvename>CVE-2005-0543</cvename>
|
|
<cvename>CVE-2005-0567</cvename>
|
|
<mlist msgid="20050224190307.20197.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110929725801154</mlist>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-21</discovery>
|
|
<entry>2005-03-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="624fe633-9006-11d9-a22c-0001020eed82">
|
|
<topic>libexif -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libexif</name>
|
|
<range><lt>0.6.10_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Sylvain Defresne reports that libexif is vulnerable to a
|
|
buffer overflow vulnerability due to insufficient input
|
|
checking. This could lead crash of applications using
|
|
libexif.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12744</bid>
|
|
<cvename>CVE-2005-0664</cvename>
|
|
<url>https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7152</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-03</discovery>
|
|
<entry>2005-03-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4a0b334d-8d8d-11d9-afa0-003048705d5a">
|
|
<topic>phpbb - Insuffient check against HTML code in usercp_register.php</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpbb</name>
|
|
<range><le>2.0.13</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Neo Security Team reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110987231502274">
|
|
<p>If we specify a variable in the html code (any type:
|
|
hidden, text, radio, check, etc) with the name allowhtml,
|
|
allowbbcode or allowsmilies, is going to be on the html,
|
|
bbcode and smilies in our signature.</p>
|
|
</blockquote>
|
|
<p>This is a low risk vulnerability that allows users to bypass
|
|
forum-wide configuration.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="20050303055339.3109.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110987231502274</mlist>
|
|
<mlist msgid="38599.166.68.134.174.1109875231.squirrel@166.68.134.174">http://marc.theaimsgroup.com/?l=bugtraq&m=110988400407204</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-28</discovery>
|
|
<entry>2005-03-05</entry>
|
|
<modified>2005-03-07</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f3eec2b5-8cd8-11d9-8066-000a95bc6fae">
|
|
<topic>postnuke -- SQL injection vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>postnuke</name>
|
|
<range><lt>0.760</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Two separate SQL injection vulnerabilites have been
|
|
identified in the PostNuke PHP content management
|
|
system. An attacker can use this vulnerability to
|
|
potentially insert executable PHP code into the content
|
|
management system (to view all files within the PHP scope,
|
|
for instance). Various other SQL injection vulnerabilities
|
|
exist, which give attackers the ability to run SQL queries
|
|
on any tables within the database.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0617</cvename>
|
|
<cvename>CVE-2005-0615</cvename>
|
|
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=110962710805864</mlist>
|
|
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=110962819232255</mlist>
|
|
<url>http://news.postnuke.com/Article2669.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-28</discovery>
|
|
<entry>2005-03-04</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7e580822-8cd8-11d9-8c81-000a95bc6fae">
|
|
<topic>postnuke -- cross-site scripting (XSS) vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>postnuke</name>
|
|
<range><lt>0.760</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A cross-site scripting vulnerability is present in the
|
|
PostNuke PHP content management system. By passing data
|
|
injected through exploitable errors in input validation, an
|
|
attacker can insert code which will run on the machine of
|
|
anybody viewing the page. It is feasible that this attack
|
|
could be used to retrieve session information from cookies,
|
|
thereby allowing the attacker to gain administrative access
|
|
to the CMS.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0616</cvename>
|
|
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=110962768300373</mlist>
|
|
<url>http://news.postnuke.com/Article2669.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-28</discovery>
|
|
<entry>2005-03-04</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c73305ae-8cd7-11d9-9873-000a95bc6fae">
|
|
<topic>realplayer -- remote heap overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-realplayer</name>
|
|
<range><le>10.0.2</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Two exploits have been identified in the Linux RealPlayer client.
|
|
RealNetworks states:</p>
|
|
<blockquote cite="http://service.real.com/help/faq/security/050224_player/EN/">
|
|
<p>RealNetworks, Inc. has addressed recently discovered
|
|
security vulnerabilities that offered the potential for
|
|
an attacker to run arbitrary or malicious code on a
|
|
customer's machine. RealNetworks has received no reports
|
|
of machines compromised as a result of the now-remedied
|
|
vulnerabilities. RealNetworks takes all security
|
|
vulnerabilities very seriously.</p>
|
|
<p>The specific exploits were:</p>
|
|
<ul>
|
|
<li><strong>Exploit 1:</strong> To fashion a malicious WAV
|
|
file to cause a buffer overflow which could have allowed
|
|
an attacker to execute arbitrary code on a customer's
|
|
machine.</li>
|
|
<li><strong>Exploit 2:</strong> To fashion a malicious
|
|
SMIL file to cause a buffer overflow which could have
|
|
allowed an attacker to execute arbitrary code on a
|
|
customer's machine.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0611</cvename>
|
|
<mlist>http://marc.theaimsgroup.com/?l=vulnwatch&m=110977858619314</mlist>
|
|
<url>http://service.real.com/help/faq/security/050224_player/EN/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-01</discovery>
|
|
<entry>2005-03-04</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="713c3913-8c2b-11d9-b58c-0001020eed82">
|
|
<topic>ImageMagick -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ImageMagick</name>
|
|
<range><lt>6.2.0.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Tavis Ormandy reports:</p>
|
|
<blockquote>
|
|
<p>magemagick-6.2.0-3 fixes an potential issue handling
|
|
malformed filenames, the flaw may affect webapps or
|
|
scripts that use the imagemagick utilities for image
|
|
processing, or applications linked with libMagick.</p>
|
|
</blockquote>
|
|
<p>This vulnerability could crash ImageMagick or potentially
|
|
lead to the execution of arbitrary code with the permissions
|
|
of the user running ImageMagick.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0397</cvename>
|
|
<url>http://www.ubuntulinux.org/support/documentation/usn/usn-90-1</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-03-02</discovery>
|
|
<entry>2005-03-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fb03b1c6-8a8a-11d9-81f7-02023f003c9f">
|
|
<topic>uim -- privilege escalation vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ja-uim</name>
|
|
<range><lt>0.4.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The uim developers reports:</p>
|
|
<blockquote cite="http://lists.freedesktop.org/pipermail/uim/2005-February/000996.html">
|
|
<p>Takumi ASAKI discovered that uim always trusts environment variables.
|
|
But this is not correct behavior, sometimes environment variables
|
|
shouldn't be trusted. This bug causes privilege escalation when libuim
|
|
is linked against setuid/setgid application. Since GTK+ prohibits
|
|
setuid/setgid applications, the bug appears only in 'immodule for Qt'
|
|
enabled Qt. (Normal Qt is also safe.)</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0503</cvename>
|
|
<mlist>http://lists.freedesktop.org/pipermail/uim/2005-February/000996.html</mlist>
|
|
<bid>12604</bid>
|
|
<url>http://secunia.com/advisories/13981</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-21</discovery>
|
|
<entry>2005-03-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="bdad9ada-8a52-11d9-9e53-000a95bc6fae">
|
|
<topic>lighttpd -- script source disclosure vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>lighttpd</name>
|
|
<range><lt>1.3.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The lighttpd website reports:</p>
|
|
<blockquote cite="http://article.gmane.org/gmane.comp.web.lighttpd/1171">
|
|
<p>In lighttpd 1.3.7 and below it is possible to fetch the source
|
|
files which should be handled by CGI or FastCGI applications.</p>
|
|
</blockquote>
|
|
<p>The vulnerability is in the handling of urlencoded trailing
|
|
NUL bytes. Installations that do not use CGI or FastCGI are
|
|
not affected.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0453</cvename>
|
|
<mlist>http://article.gmane.org/gmane.comp.web.lighttpd/1171</mlist>
|
|
<url>http://www.lighttpd.net/news/</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/19350</url>
|
|
<bid>12567</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-12</discovery>
|
|
<entry>2005-03-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="53e711ed-8972-11d9-9ff8-00306e01dda2">
|
|
<topic>phpbb -- privilege elevation and path disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpbb</name>
|
|
<range><lt>2.0.13</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The phpbb developer group reports:</p>
|
|
<blockquote cite="http://www.phpbb.com/phpBB/viewtopic.php?t=267563">
|
|
<p>phpBB Group announces the release of phpBB 2.0.13, the
|
|
"Beware of the furries" edition. This release addresses two
|
|
recent security exploits, one of them critical. They were
|
|
reported a few days after .12 was released and no one is
|
|
more annoyed than us, having to release a new version ini
|
|
such a short period of time. Fortunately both fixes are
|
|
easy and in each case just one line needs to be edited.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.phpbb.com/phpBB/viewtopic.php?t=267563</url>
|
|
<bid>12678</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-27</discovery>
|
|
<entry>2005-02-28</entry>
|
|
<modified>2005-03-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="96df5fd0-8900-11d9-aa18-0001020eed82">
|
|
<topic>curl -- authentication buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>curl</name>
|
|
<range><lt>7.13.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Two iDEFENSE Security Advisories reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110902601221592">
|
|
<p>An exploitable stack-based buffer overflow condition
|
|
exists when using NT Lan Manager (NTLM)
|
|
authentication. The problem specifically exists within
|
|
<code>Curl_input_ntlm()</code> defined in
|
|
lib/http_ntlm.c.</p>
|
|
<p>Successful exploitation allows remote attackers to
|
|
execute arbitrary code under the privileges of the target
|
|
user. Exploitation requires that an attacker either coerce
|
|
or force a target to connect to a malicious server using
|
|
NTLM authentication.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110902850731457">
|
|
<p>An exploitable stack-based buffer overflow condition
|
|
exists when using Kerberos authentication. The problem
|
|
specifically exists within the functions
|
|
<code>Curl_krb_kauth()</code> and <code>krb4_auth()</code>
|
|
defined in lib/krb4.c.</p>
|
|
<p>Successful exploitation allows remote attackers to
|
|
execute arbitrary code under the privileges of the target
|
|
user. Exploitation requires that an attacker either coerce
|
|
or force a target to connect to a malicious server using
|
|
Kerberos authentication.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12615</bid>
|
|
<bid>12616</bid>
|
|
<cvename>CVE-2005-0490</cvename>
|
|
<mlist msgid="FB24803D1DF2A34FA59FC157B77C970503E2462D@idserv04.idef.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110902850731457</mlist>
|
|
<mlist msgid="FB24803D1DF2A34FA59FC157B77C970503E2462E@idserv04.idef.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110902601221592</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-21</discovery>
|
|
<entry>2005-02-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b2d248ad-88f6-11d9-aa18-0001020eed82">
|
|
<topic>cyrus-imapd -- multiple buffer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cyrus-imapd</name>
|
|
<range><lt>2.1.18</lt></range>
|
|
<range><gt>2.2.*</gt><lt>2.2.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Cyrus IMAP Server ChangeLog states:</p>
|
|
<blockquote cite="http://asg.web.cmu.edu/cyrus/download/imapd/changes.html">
|
|
<ul>
|
|
<li>Fix possible single byte overflow in mailbox handling
|
|
code.</li>
|
|
<li>Fix possible single byte overflows in the imapd
|
|
annotate extension.</li>
|
|
<li>Fix stack buffer overflows in fetchnews (exploitable
|
|
by peer news server), backend (exploitable by admin),
|
|
and in imapd (exploitable by users though only on
|
|
platforms where a filename may be larger than a mailbox
|
|
name).</li>
|
|
</ul>
|
|
</blockquote>
|
|
<p>The 2.1.X series are reportedly only affected by the second
|
|
issue.</p>
|
|
<p>These issues may lead to execution of arbitrary code with
|
|
the permissions of the user running the Cyrus IMAP
|
|
Server.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12636</bid>
|
|
<cvename>CVE-2005-0546</cvename>
|
|
<url>http://asg.web.cmu.edu/cyrus/download/imapd/changes.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-14</discovery>
|
|
<entry>2005-02-27</entry>
|
|
<modified>2005-04-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2c5757f4-88bf-11d9-8720-0007e900f87b">
|
|
<topic>sup -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sup</name>
|
|
<range><lt>2.0.20050226</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Debian Security Advisory reports:</p>
|
|
<blockquote cite="http://www.securityfocus.com/advisories/6874">
|
|
<p>jaguar@felinemenace.org discovered a format string
|
|
vulnerability in sup, a set of programs to synchronize
|
|
collections of files across a number of machines,
|
|
whereby a remote attacker could potentially cause
|
|
arbitrary code to be executed with the privileges
|
|
of the supfilesrv process (this process does not run
|
|
automatically by default). </p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>10571</bid>
|
|
<cvename>CVE-2004-0451</cvename>
|
|
<url>http://www.securityfocus.com/advisories/6874</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-19</discovery>
|
|
<entry>2005-02-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d022754d-8839-11d9-aa18-0001020eed82">
|
|
<topic>mozilla -- insecure temporary directory vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.1,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.6,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.6</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These ports are obsolete. -->
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>ja-netscape7</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk1</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-28.html">
|
|
<p>A predictable name is used for the plugin temporary
|
|
directory. A malicious local user could symlink this to
|
|
the victim's home directory and wait for the victim to run
|
|
Firefox. When Firefox shuts down the victim's directory
|
|
would be erased.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-28.html</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=281284</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-06</discovery>
|
|
<entry>2005-02-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cbfde1cd-87eb-11d9-aa18-0001020eed82">
|
|
<topic>mozilla -- arbitrary code execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.1,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.6,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.6</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These ports are obsolete. -->
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>ja-netscape7</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk1</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Mozilla Foundation Security Advisory reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/announce/mfsa2005-27.html">
|
|
<p>Plugins (such as flash) can be used to load privileged
|
|
content into a frame. Once loaded various spoofs can be
|
|
applied to get the user to interact with the privileged
|
|
content. Michael Krax's "Fireflashing" example
|
|
demonstrates that an attacker can open about:config in a
|
|
frame, hide it with an opacity setting, and if the
|
|
attacker can get the victim to click at a particular spot
|
|
(design some kind of simple game) you could toggle boolean
|
|
preferences, some of which would make further attacks
|
|
easier.</p>
|
|
<p>The "firescrolling" example demonstrates arbitrary code
|
|
execution (in this case downloading a file) by convincing
|
|
the user to scroll twice.</p>
|
|
</blockquote>
|
|
<p><strong>Workaround:</strong> Disable JavaScript.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0527</cvename>
|
|
<url>http://www.mikx.de/fireflashing/</url>
|
|
<url>http://www.mikx.de/firescrolling/</url>
|
|
<url>http://www.mozilla.org/security/announce/mfsa2005-27.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-24</discovery>
|
|
<entry>2005-02-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="32d4f0f1-85c3-11d9-b6dc-0007e900f747">
|
|
<topic>mkbold-mkitalic -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mkbold-mkitalic</name>
|
|
<range><lt>0.07</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The version 0.06_1 and prior
|
|
have a format string vulnerability which can be triggered
|
|
by using a carefully-crafted BDF font file.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://home.jp.FreeBSD.org/cgi-bin/showmail/ports-jp/15568</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-23</discovery>
|
|
<entry>2005-02-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="03653079-8594-11d9-afa0-003048705d5a">
|
|
<topic>phpbb -- multiple information disclosure vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpbb</name>
|
|
<range><lt>2.0.12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>psoTFX reports:</p>
|
|
<blockquote cite="http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=265423">
|
|
<p>phpBB Group are pleased to announce the release of phpBB
|
|
2.0.12 the "Horray for Furrywood" release. This release
|
|
addresses a number of bugs and a couple of potential
|
|
exploits. [...] one of the potential exploits addressed
|
|
in this release could be serious in certain situations and
|
|
thus we urge all users, as always, to upgrade to this
|
|
release as soon as possible. Mostly this release is
|
|
concerned with eliminating disclosures of information
|
|
which while useful in debug situations may allow third
|
|
parties to gain information which could be used to do harm
|
|
via unknown or unfixed exploits in this or other
|
|
applications.</p>
|
|
</blockquote>
|
|
<p>The ChangeLog for phpBB 2.0.12 states:</p>
|
|
<blockquote cite="http://www.phpbb.com/support/documents.php?mode=changelog">
|
|
<ul>
|
|
<li>Prevented full path display on critical messages</li>
|
|
<li>Fixed full path disclosure in username handling caused
|
|
by a PHP 4.3.10 bug - <strong>AnthraX101</strong></li>
|
|
<li>Added exclude list to unsetting globals (if
|
|
register_globals is on) -
|
|
<strong>SpoofedExistence</strong></li>
|
|
<li>Fixed arbitrary file disclosure vulnerability in avatar
|
|
handling functions - <strong>AnthraX101</strong></li>
|
|
<li>Fixed arbitrary file unlink vulnerability in avatar
|
|
handling functions - <strong>AnthraX101</strong></li>
|
|
<li>Fixed path disclosure bug in search.php caused by a
|
|
PHP 4.3.10 bug (related to AnthraX101's discovery)</li>
|
|
<li>Fixed path disclosure bug in viewtopic.php caused by
|
|
a PHP 4.3.10 bug - <strong>matrix_killer</strong></li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.phpbb.com/support/documents.php?mode=changelog</url>
|
|
<url>http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=265423</url>
|
|
<freebsdpr>ports/77943</freebsdpr>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-22</discovery>
|
|
<entry>2005-02-23</entry>
|
|
<modified>2005-02-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1d3a2737-7eb7-11d9-acf7-000854d03344">
|
|
<topic>unace -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>unace</name>
|
|
<range><lt>1.2b_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-unace</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ulf Härnhammar reports:</p>
|
|
<ul>
|
|
<li>There are buffer overflows when extracting, testing or
|
|
listing specially prepared ACE archives.</li>
|
|
<li>There are directory traversal bugs when extracting ACE
|
|
archives.</li>
|
|
<li>There are also buffer overflows when dealing with long
|
|
(>17000 characters) command line arguments.</li>
|
|
</ul>
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/14359/">
|
|
<p>The vulnerabilities have been confirmed in version 1.2b.
|
|
One of the buffer overflow vulnerabilities have also been
|
|
reported in version 2.04, 2.2 and 2.5. Other versions may
|
|
also be affected.</p>
|
|
<p>Successful exploitation may allow execution of arbitrary
|
|
code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>215006</certvu>
|
|
<cvename>CVE-2005-0160</cvename>
|
|
<cvename>CVE-2005-0161</cvename>
|
|
<mlist msgid="1109113175.421bb95705d42@webmail.uu.se">http://marc.theaimsgroup.com/?l=full-disclosure&m=110911451613135</mlist>
|
|
<url>http://secunia.com/advisories/14359/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-14</discovery>
|
|
<entry>2005-02-22</entry>
|
|
<modified>2006-09-26</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a413ed94-836e-11d9-a9e7-0001020eed82">
|
|
<topic>putty -- pscp/psftp heap corruption vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>putty</name>
|
|
<range><lt>0.57</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Simon Tatham reports:</p>
|
|
<blockquote cite="http://lists.tartarus.org/pipermail/putty-announce/2005/000012.html">
|
|
<p>This version fixes a security hole in previous versions
|
|
of PuTTY, which can allow a malicious SFTP server to
|
|
attack your client. If you use either PSCP or PSFTP, you
|
|
should upgrade. Users of the main PuTTY program are not
|
|
affected. (However, note that the server must have passed
|
|
host key verification before this attack can be launched,
|
|
so a man-in-the-middle shouldn't be able to attack you if
|
|
you're careful.)</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12601</bid>
|
|
<cvename>CVE-2005-0467</cvename>
|
|
<mlist msgid="E1D2taM-0005R1-00@ixion.tartarus.org">http://lists.tartarus.org/pipermail/putty-announce/2005/000012.html</mlist>
|
|
<mlist msgid="FB24803D1DF2A34FA59FC157B77C970503E2462F@idserv04.idef.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110902510713763</mlist>
|
|
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir.html</url>
|
|
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-string.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-20</discovery>
|
|
<entry>2005-02-20</entry>
|
|
<modified>2005-02-23</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="29dd0065-81fa-11d9-a9e7-0001020eed82">
|
|
<topic>kdelibs -- insecure temporary file creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kdelibs</name>
|
|
<name>ja-kdelibs</name>
|
|
<range><lt>3.3.2_5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Davide Madrisan reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110814653804757">
|
|
<p>The `dcopidlng' script in the KDE library package
|
|
(kdelibs-3.3.2/dcop/dcopidlng/dcopidlng) creates temporary
|
|
files in a unsecure manner.</p>
|
|
</blockquote>
|
|
<p><strong>Note:</strong> dcopidlng is only used at build
|
|
time, so only users installing KDE are vulnerable, not users
|
|
already running KDE.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0365</cvename>
|
|
<url>http://bugs.kde.org/show_bug.cgi?id=97608</url>
|
|
<mlist msgid="200502110916.48921.davide.madrisan@qilinux.it">http://marc.theaimsgroup.com/?l=bugtraq&m=110814653804757</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-21</discovery>
|
|
<entry>2005-02-18</entry>
|
|
<modified>2005-02-20</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="74c86a29-81ef-11d9-a9e7-0001020eed82">
|
|
<topic>bidwatcher -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bidwatcher</name>
|
|
<range><lt>1.3.17</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Debian Security Advisory reports:</p>
|
|
<blockquote cite="http://www.debian.org/security/2005/dsa-687">
|
|
<p>Ulf Härnhammer from the Debian Security Audit Project
|
|
discovered a format string vulnerability in bidwatcher, a
|
|
tool for watching and bidding on eBay auctions. This
|
|
problem can be triggered remotely by a web server of eBay,
|
|
or someone pretending to be eBay, sending certain data
|
|
back.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12590</bid>
|
|
<cvename>CVE-2005-0158</cvename>
|
|
<url>http://www.debian.org/security/2005/dsa-687</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-18</discovery>
|
|
<entry>2005-02-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2d8cf857-81ea-11d9-a9e7-0001020eed82">
|
|
<topic>gftp -- directory traversal vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gftp</name>
|
|
<range><lt>2.0.18</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Debian Security Advisory reports:</p>
|
|
<blockquote cite="http://www.debian.org/security/2005/dsa-686">
|
|
<p>Albert Puigsech Galicia discovered a directory traversal
|
|
vulnerability in a proprietary FTP client (CAN-2004-1376)
|
|
which is also present in gftp, a GTK+ FTP client. A
|
|
malicious server could provide a specially crafted
|
|
filename that could cause arbitrary files to be
|
|
overwritten or created by the client.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12539</bid>
|
|
<cvename>CVE-2005-0372</cvename>
|
|
<url>http://www.debian.org/security/2005/dsa-686</url>
|
|
<url>http://www.gftp.org/changelog.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-04</discovery>
|
|
<entry>2005-02-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="20c9bb14-81e6-11d9-a9e7-0001020eed82">
|
|
<topic>opera -- "data:" URI handler spoofing vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>opera</name>
|
|
<name>opera-devel</name>
|
|
<name>linux-opera</name>
|
|
<range><lt>7.54.20050131</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/13818/">
|
|
<p>Michael Holzt has discovered a vulnerability in Opera,
|
|
which can be exploited by malicious people to trick users
|
|
into executing malicious files.</p>
|
|
<p>The vulnerability is caused due to an error in the
|
|
processing of "data:" URIs, causing wrong information to
|
|
be shown in a download dialog. This can be exploited by
|
|
e.g. a malicious website to trick users into executing a
|
|
malicious file by supplying a specially crafted "data:"
|
|
URI.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0456</cvename>
|
|
<certvu>882926</certvu>
|
|
<url>http://secunia.com/advisories/13818/</url>
|
|
<url>http://www.opera.com/freebsd/changelogs/754u2/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-12</discovery>
|
|
<entry>2005-02-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d8e55d65-81d6-11d9-a9e7-0001020eed82">
|
|
<topic>opera -- kfmclient exec command execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>opera</name>
|
|
<name>opera-devel</name>
|
|
<name>linux-opera</name>
|
|
<range><lt>7.54.20050131</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Giovanni Delvecchio reports:</p>
|
|
<blockquote cite="http://www.zone-h.org/advisories/read/id=6503">
|
|
<p>Opera for linux uses "kfmclient exec" as "Default
|
|
Application" to handle saved files. This could be used by
|
|
malicious remote users to execute arbitrary shell commands
|
|
on a target system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1491</cvename>
|
|
<url>http://secunia.com/advisories/13447/</url>
|
|
<url>http://www.opera.com/freebsd/changelogs/754u2/</url>
|
|
<url>http://www.zone-h.org/advisories/read/id=6503</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-12</discovery>
|
|
<entry>2005-02-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6b4b0b3f-8127-11d9-a9e7-0001020eed82">
|
|
<topic>postgresql -- multiple buffer overflows in PL/PgSQL parser</topic>
|
|
<affects>
|
|
<package>
|
|
<name>postgresql</name>
|
|
<name>postgresql-server</name>
|
|
<name>ja-postgresql</name>
|
|
<range><lt>7.3.9_1</lt></range>
|
|
<range><gt>7.4.*</gt><lt>7.4.7_1</lt></range>
|
|
<range><gt>8.*</gt><lt>8.0.1_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The PL/PgSQL parser in postgresql is vulnerable to several
|
|
buffer overflows. These could be exploited by a remote
|
|
attacker to execute arbitrary code with the permissions of
|
|
the postgresql server by running a specially crafted
|
|
query.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0247</cvename>
|
|
<url>http://archives.postgresql.org/pgsql-committers/2005-02/msg00049.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-07</discovery>
|
|
<entry>2005-02-17</entry>
|
|
<modified>2005-02-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fdad8a87-7f94-11d9-a9e7-0001020eed82">
|
|
<topic>awstats -- arbitrary command execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>awstats</name>
|
|
<range><lt>6.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Several input validation errors exist in AWStats that allow a
|
|
remote unauthenticated attacker to execute arbitrary commands
|
|
with the priviliges of the web server. These programming
|
|
errors involve CGI parameters including
|
|
<code>loadplugin</code>, <code>logfile</code>,
|
|
<code>pluginmode</code>, <code>update</code>, and possibly
|
|
others.</p>
|
|
<p>Additionally, the <code>debug</code> and other CGI parameters
|
|
may be used to cause AWStats to disclose AWStats and system
|
|
configuration information.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0362</cvename>
|
|
<cvename>CVE-2005-0363</cvename>
|
|
<cvename>CVE-2005-0435</cvename>
|
|
<cvename>CVE-2005-0436</cvename>
|
|
<cvename>CVE-2005-0437</cvename>
|
|
<cvename>CVE-2005-0438</cvename>
|
|
<bid>12543</bid>
|
|
<bid>12545</bid>
|
|
<mlist msgid="20050214081040.3370.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110840530924124</mlist>
|
|
<url>http://awstats.sourceforge.net/docs/awstats_changelog.txt</url>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488</url>
|
|
<url>http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-10</discovery>
|
|
<entry>2005-02-16</entry>
|
|
<modified>2005-02-23</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5a5422fd-7e1a-11d9-a9e7-0001020eed82">
|
|
<topic>powerdns -- DoS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>powerdns</name>
|
|
<range><lt>2.9.17</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>PowerDNS is vulnerable to a temporary denial-of-service
|
|
vulnerability that can be triggered using a random stream of
|
|
bytes.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12446</bid>
|
|
<url>http://ds9a.nl/cgi-bin/cvstrac/pdns/tktview?tn=21</url>
|
|
<url>http://doc.powerdns.com/changelog.html#CHANGELOG-2-9-17</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-18</discovery>
|
|
<entry>2005-02-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3e3c860d-7dae-11d9-a9e7-0001020eed82">
|
|
<topic>emacs -- movemail format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zh-emacs</name>
|
|
<name>emacs</name>
|
|
<range><lt>20.7_4</lt></range>
|
|
<range><gt>21.*</gt><lt>21.3_4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>xemacs</name>
|
|
<name>xemacs-mule</name>
|
|
<name>zh-xemacs</name>
|
|
<name>zh-xemacs-mule</name>
|
|
<range><lt>21.4.17</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>xemacs-devel</name>
|
|
<range><lt>21.5.b19,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>xemacs-devel-21.5</name>
|
|
<range><eq>b11</eq></range>
|
|
</package>
|
|
<package>
|
|
<name>xemacs-devel-mule</name>
|
|
<range><lt>21.5.b19</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mule-common</name>
|
|
<name>hanemacs</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Max Vozeler discovered several format string
|
|
vulnerabilities in the movemail utility of Emacs. They can
|
|
be exploited when connecting to a malicious POP server and
|
|
can allow an attacker can execute arbitrary code under the
|
|
privileges of the user running Emacs.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0100</cvename>
|
|
<bid>12462</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-31</discovery>
|
|
<entry>2005-02-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="bc4a7efa-7d9a-11d9-a9e7-0001020eed82">
|
|
<topic>ngircd -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ngircd</name>
|
|
<range><lt>0.8.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A No System Group security advisory reports that ngircd is
|
|
vulnerable to a format string vulnerability in the
|
|
<code>Log_Resolver()</code> function of log.c, if IDENT
|
|
support is enabled. This could allow a remote attacker to
|
|
execute arbitrary code with the permissions of the ngircd
|
|
daemon, which is <q>root</q> by default.</p>
|
|
<p><strong>Note:</strong> By default the FreeBSD ngircd port
|
|
does not enable IDENT support.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0226</cvename>
|
|
<bid>12434</bid>
|
|
<mlist msgid="20050203020909.21785.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110746413108183</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-03</discovery>
|
|
<entry>2005-02-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7f6dd1bd-7d99-11d9-a9e7-0001020eed82">
|
|
<topic>ngircd -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ngircd</name>
|
|
<range><lt>0.8.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Florian Westphal discovered a buffer overflow in ngircd
|
|
which can be used remotely crash the server and possibly
|
|
execute arbitrary code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0199</cvename>
|
|
<bid>12397</bid>
|
|
<mlist>http://arthur.ath.cx/pipermail/ngircd-ml/2005-January/000228.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-26</discovery>
|
|
<entry>2005-02-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5192e7ca-7d4f-11d9-a9e7-0001020eed82">
|
|
<topic>mod_python -- information leakage vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_python</name>
|
|
<range><lt>2.7.11</lt></range>
|
|
<range><gt>3.*</gt><lt>3.1.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Mark J Cox reports:</p>
|
|
<blockquote>
|
|
<p>Graham Dumpleton discovered a flaw which can affect
|
|
anyone using the publisher handle of the Apache Software
|
|
Foundation mod_python. The publisher handle lets you
|
|
publish objects inside modules to make them callable via
|
|
URL. The flaw allows a carefully crafted URL to obtain
|
|
extra information that should not be visible (information
|
|
leak).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0088</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-30</discovery>
|
|
<entry>2005-02-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c7ccc33f-7d31-11d9-a9e7-0001020eed82">
|
|
<topic>mailman -- directory traversal vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mailman</name>
|
|
<name>ja-mailman</name>
|
|
<range><lt>2.1.5_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A directory traversal vulnerability in mailman allow remote
|
|
attackers to read arbitrary files due to inadequate input
|
|
sanitizing. This could, among other things, lead remote
|
|
attackers to gaining access to the mailman configuration
|
|
database (which contains subscriber email addresses and
|
|
passwords) or to the mail archives for private lists.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0202</cvename>
|
|
<mlist msgid="20050209181502.GA26136@grok.org.uk">http://marc.theaimsgroup.com/?l=full-disclosure&m=110797575304304</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-02</discovery>
|
|
<entry>2005-02-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="72da8af6-7c75-11d9-8cc5-000854d03344">
|
|
<topic>enscript -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>enscript-a4</name>
|
|
<name>enscript-letter</name>
|
|
<name>enscript-letterdj</name>
|
|
<range><lt>1.6.4_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Erik Sjölund discovered several issues in enscript:
|
|
it suffers from several buffer overflows, quotes and shell
|
|
escape characters are insufficiently sanitized in filenames,
|
|
and it supported taking input from an arbitrary command
|
|
pipe, with unwanted side effects.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1184</cvename>
|
|
<cvename>CVE-2004-1185</cvename>
|
|
<cvename>CVE-2004-1186</cvename>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200502-03.xml</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-02</discovery>
|
|
<entry>2005-02-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5d425189-7a03-11d9-a9e7-0001020eed82">
|
|
<topic>postgresql -- privilege escalation vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>postgresql</name>
|
|
<name>postgresql-server</name>
|
|
<name>ja-postgresql</name>
|
|
<range><lt>7.3.9</lt></range>
|
|
<range><gt>7.4.*</gt><lt>7.4.7</lt></range>
|
|
<range><gt>8.*</gt><lt>8.0.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>postgresql-devel</name>
|
|
<range><le>8.0.1,1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>John Heasman and others disovered that non-privileged users
|
|
could use the <q>LOAD</q> extension to load arbitrary
|
|
libraries into the postgres server process space. This
|
|
could be used by non-privileged local users to execute
|
|
arbitrary code with the privileges of the postgresql
|
|
server.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12411</bid>
|
|
<cvename>CVE-2005-0227</cvename>
|
|
<mlist>http://archives.postgresql.org/pgsql-announce/2005-02/msg00000.php</mlist>
|
|
<mlist>http://archives.postgresql.org/pgsql-bugs/2005-01/msg00269.php</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-21</discovery>
|
|
<entry>2005-02-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="831a6a66-79fa-11d9-a9e7-0001020eed82">
|
|
<topic>ethereal -- multiple protocol dissectors vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ethereal</name>
|
|
<name>ethereal-lite</name>
|
|
<name>tethereal</name>
|
|
<name>tethereal-lite</name>
|
|
<range><ge>0.8.10</ge><lt>0.10.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An Ethreal Security Advisories reports:</p>
|
|
<blockquote cite="http://www.ethereal.com/appnotes/enpa-sa-00017.html">
|
|
<p>Issues have been discovered in the following protocol dissectors:</p>
|
|
<ul>
|
|
<li>The COPS dissector could go into an infinite
|
|
loop. CVE: CAN-2005-0006</li>
|
|
<li>The DLSw dissector could cause an assertion. CVE:
|
|
CAN-2005-0007</li>
|
|
<li>The DNP dissector could cause memory corruption. CVE:
|
|
CAN-2005-0008</li>
|
|
<li>The Gnutella dissector could cuase an assertion. CVE:
|
|
CAN-2005-0009</li>
|
|
<li>The MMSE dissector could free statically-allocated
|
|
memory. CVE: CAN-2005-0010</li>
|
|
<li>The X11 dissector is vulnerable to a string buffer
|
|
overflow. CVE: CAN-2005-0084</li>
|
|
</ul>
|
|
<p>Impact: It may be possible to make Ethereal crash or run
|
|
arbitrary code by injecting a purposefully malformed
|
|
packet onto the wire or by convincing someone to read a
|
|
malformed packet trace file.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0006</cvename>
|
|
<cvename>CVE-2005-0007</cvename>
|
|
<cvename>CVE-2005-0008</cvename>
|
|
<cvename>CVE-2005-0009</cvename>
|
|
<cvename>CVE-2005-0010</cvename>
|
|
<cvename>CVE-2005-0084</cvename>
|
|
<bid>12326</bid>
|
|
<url>http://www.ethereal.com/appnotes/enpa-sa-00017.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-18</discovery>
|
|
<entry>2005-02-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="bfda39de-7467-11d9-9e1e-c296ac722cb3">
|
|
<topic>squid -- correct handling of oversized HTTP reply headers</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.7_12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The squid patches page notes:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-oversize_reply_headers.patch">
|
|
<p>This patch addresses a HTTP protocol mismatch related to oversized
|
|
reply headers. In addition it enhances the cache.log reporting on
|
|
reply header parsing failures to make it easier to track down which
|
|
sites are malfunctioning.</p>
|
|
</blockquote>
|
|
<p>It is believed that this bug may lead to cache pollution or
|
|
allow access controls to be bypassed.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0241</cvename>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1216</url>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-oversize_reply_headers.patch</url>
|
|
<freebsdpr>ports/76967</freebsdpr>
|
|
<certvu>823350</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-31</discovery>
|
|
<entry>2005-02-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6afa87d3-764b-11d9-b0e7-0000e249a0a2">
|
|
<topic>python -- SimpleXMLRPCServer.py allows unrestricted traversal</topic>
|
|
<affects>
|
|
<package>
|
|
<name>python</name>
|
|
<name>python+ipv6</name>
|
|
<range><ge>2.2</ge><lt>2.2.3_7</lt></range>
|
|
<range><ge>2.3</ge><lt>2.3.4_4</lt></range>
|
|
<range><ge>2.4</ge><lt>2.4_1</lt></range>
|
|
<range><ge>2.5.a0.20050129</ge><lt>2.5.a0.20050129_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>According to Python Security Advisory PSF-2005-001,</p>
|
|
<blockquote cite="http://www.python.org/security/PSF-2005-001/">
|
|
<p>The Python development team has discovered a flaw in
|
|
the <code>SimpleXMLRPCServer</code> library module which
|
|
can give remote attackers access to internals of the
|
|
registered object or its module or possibly other modules.
|
|
The flaw only affects Python XML-RPC servers that use the
|
|
<code>register_instance()</code> method to register an object
|
|
without a <code>_dispatch()</code> method. Servers using
|
|
only <code>register_function()</code> are not affected.</p>
|
|
<p>On vulnerable XML-RPC servers, a remote attacker may
|
|
be able to view or modify globals of the module(s)
|
|
containing the registered instance's class(es), potentially
|
|
leading to data loss or arbitrary code execution. If the
|
|
registered object is a module, the danger is particularly
|
|
serious. For example, if the registered module imports
|
|
the <code>os</code> module, an attacker could invoke the
|
|
<code>os.system()</code> function.</p>
|
|
</blockquote>
|
|
<p><strong>Note:</strong> This vulnerability affects your
|
|
system only if you're running
|
|
<code>SimpleXMLRPCServer</code>-based server. This isn't
|
|
harmful at all if you don't run any internet server written
|
|
in Python or your server doesn't serve in XML-RPC protocol.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0089</cvename>
|
|
<url>http://www.python.org/security/PSF-2005-001/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-03</discovery>
|
|
<entry>2005-02-03</entry>
|
|
<modified>2006-10-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a5eb760a-753c-11d9-a36f-000a95bc6fae">
|
|
<topic>perl -- vulnerabilities in PERLIO_DEBUG handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>perl</name>
|
|
<range><ge>5.8</ge><lt>5.8.6_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Kevin Finisterre discovered bugs in perl's I/O debug support:</p>
|
|
<ul>
|
|
<li>The environmental variable PERLIO_DEBUG is honored even
|
|
by the set-user-ID perl command (usually
|
|
named <code>sperl</code> or <code>suidperl</code>). As a
|
|
result, a local attacker may be able to gain elevated
|
|
privileges. <em>(CVE-2005-0155)</em></li>
|
|
<li>A buffer overflow may occur in threaded versions of perl
|
|
when the full pathname of the script being executed is
|
|
very long. <em>(CVE-2005-0156)</em>.</li>
|
|
</ul>
|
|
<p><strong>Note:</strong> By default, no set-user-ID perl
|
|
binary is installed. An administrator must enable it
|
|
manually at build time with the <code>ENABLE_SUIDPERL</code>
|
|
port flag.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0155</cvename>
|
|
<cvename>CVE-2005-0156</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-02-02</discovery>
|
|
<entry>2005-02-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cd7e260a-6bff-11d9-a5df-00065be4b5b6">
|
|
<topic>newsgrab -- insecure file and directory creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>newsgrab</name>
|
|
<range><le>0.4.0</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The newsgrab script uses insecure permissions during the
|
|
creation of the local output directory and downloaded files.</p>
|
|
<p>After a file is created, permissions on it are set using the mode
|
|
value of the newsgroup posting. This can potentially be a problem
|
|
when the mode is not restrictive enough. In addition, the output
|
|
directory is created with world writable permissions allowing other
|
|
users to drop symlinks or other files at that location.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://people.freebsd.org/~niels/issues/newsgrab-20050114.txt</url>
|
|
<url>http://sourceforge.net/project/shownotes.php?release_id=300562</url>
|
|
<cvename>CVE-2005-0154</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-18</discovery>
|
|
<entry>2005-02-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="35f6093c-73c3-11d9-8a93-00065be4b5b6">
|
|
<topic>newsgrab -- directory traversal vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>newsgrab</name>
|
|
<range><le>0.4.0</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The newsgrab script creates files by using the names provided
|
|
in the newsgroup messages in a perl open() call. This is done
|
|
without performing any security checks to prevent a
|
|
directory traversal. A specially crafted newsgroup message
|
|
could cause newsgrab to drop an attachment anywhere on the
|
|
file system using the permissions of the user running the
|
|
script.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://people.freebsd.org/~niels/issues/newsgrab-20050114.txt</url>
|
|
<url>http://sourceforge.net/project/shownotes.php?release_id=300562</url>
|
|
<cvename>CVE-2005-0153</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-18</discovery>
|
|
<entry>2005-02-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7f13607b-6948-11d9-8937-00065be4b5b6">
|
|
<topic>newspost -- server response buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>newspost</name>
|
|
<range><le>2.1.1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The newspost program uses a function named socket_getline to
|
|
read server responses from the network socket. Unfortunately this
|
|
function does not check the length of the buffer in which the read
|
|
data is stored and only stops reading when a newline character is found.</p>
|
|
<p>A malicious NNTP server could use this bug to cause a buffer
|
|
overflow by sending an overly long response. Such an overflow allows
|
|
arbitrary code to be executed, with the privileges of the newspost
|
|
process, on the affected systems.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://people.freebsd.org/~niels/issues/newspost-20050114.txt</url>
|
|
<cvename>CVE-2005-0101</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-14</discovery>
|
|
<entry>2005-02-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="76e0b133-6bfd-11d9-a5df-00065be4b5b6">
|
|
<topic>newsfetch -- server response buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>newsfetch</name>
|
|
<range><le>1.21_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The newsfetch program uses the sscanf function to read information
|
|
from server responses into static memory buffers. Unfortunately
|
|
this is done without any proper bounds checking. As a result long
|
|
server responses may cause an overflow when a newsgroup listing is
|
|
requested from an NNTP server.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://people.freebsd.org/~niels/issues/newsfetch-20050119.txt</url>
|
|
<cvename>CVE-2005-0132</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-18</discovery>
|
|
<entry>2005-02-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="23fb5a04-722b-11d9-9e1e-c296ac722cb3">
|
|
<topic>squid -- buffer overflow in WCCP recvfrom() call</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.7_10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>According to the Squid Proxy Cache Security Update Advisory SQUID-2005:3,</p>
|
|
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2005_3.txt">
|
|
<p>The WCCP recvfrom() call accepts more data than will fit in
|
|
the allocated buffer. An attacker may send a larger-than-normal
|
|
WCCP message to Squid and overflow this buffer.</p>
|
|
<p>Severity:</p>
|
|
<p>The bug is important because it allows remote attackers to crash
|
|
Squid, causing a disription in service. However, the bug is
|
|
exploitable only if you have configured Squid to send WCCP messages
|
|
to, and expect WCCP replies from, a router.</p>
|
|
<p>Sites that do not use WCCP are not vulnerable.</p>
|
|
</blockquote>
|
|
<p>Note that while the default configuration of the FreeBSD squid port
|
|
enables WCCP support in general, the default configuration
|
|
supplied does not actually configure squid to send and receive WCCP
|
|
messages.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0211</cvename>
|
|
<certvu>886006</certvu>
|
|
<url>http://www.squid-cache.org/Advisories/SQUID-2005_3.txt</url>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_buffer_overflow</url>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1217</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-28</discovery>
|
|
<entry>2005-01-28</entry>
|
|
<modified>2005-02-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f755545e-6fcd-11d9-abec-00061bd2d56f">
|
|
<topic>xpdf -- makeFileKey2() buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xpdf</name>
|
|
<range><lt>3.00_6</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>kdegraphics</name>
|
|
<range><lt>3.3.2_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gpdf</name>
|
|
<range><lt>2.8.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>teTeX-base</name>
|
|
<range><lt>2.0.2_9</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>cups-base</name>
|
|
<range><lt>1.1.23.0_3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>koffice</name>
|
|
<range><lt>1.3.5_2,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>pdftohtml</name>
|
|
<range><lt>0.36_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE Security Advisory reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110608898221554">
|
|
<p>Remote exploitation of a buffer overflow vulnerability in
|
|
the xpdf PDF viewer included in multiple Unix and Linux
|
|
distributions could allow for arbitrary code execution as
|
|
the user viewing a PDF file.</p>
|
|
<p>The vulnerability specifically exists due to insufficient
|
|
bounds checking while processing a PDF file that provides
|
|
malicious values in the /Encrypt /Length tag. The
|
|
offending code can be found in the
|
|
<code>Decrypt::makeFileKey2</code> function in the source
|
|
file xpdf/Decrypt.cc.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0064</cvename>
|
|
<mlist msgid="FB24803D1DF2A34FA59FC157B77C970503C8B298@idserv04.idef.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110608898221554</mlist>
|
|
<url>http://www.koffice.org/security/advisory-20050120-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-06</discovery>
|
|
<entry>2005-01-26</entry>
|
|
<modified>2005-02-03</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d371b627-6ed5-11d9-bd18-000a95bc6fae">
|
|
<topic>zhcon -- unauthorized file access</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zhcon</name>
|
|
<name>zh-zhcon</name>
|
|
<range><lt>0.2.3_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Martin <q>Joey</q> Schulze reports:</p>
|
|
<blockquote>
|
|
<p>Erik Sjöund discovered that zhcon, a fast console CJK
|
|
system using the Linux framebuffer, accesses a
|
|
user-controlled configuration file with elevated
|
|
privileges. Thus, it is possible to read arbitrary files.</p>
|
|
</blockquote>
|
|
<p>When installed from the FreeBSD Ports Collection, zhcon is
|
|
installed set-user-ID root.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0072</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-25</discovery>
|
|
<entry>2005-01-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b8943e61-6e68-11d9-a9e7-0001020eed82">
|
|
<topic>evolution -- arbitrary code execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>evolution</name>
|
|
<range><lt>2.0.3_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Martin <q>Joey</q> Schulze reports:</p>
|
|
<blockquote>
|
|
<p>Max Vozeler discovered an integer overflow in the helper
|
|
application camel-lock-helper which runs setuid root or
|
|
setgid mail inside of Evolution, a free groupware suite.
|
|
A local attacker can cause the setuid root helper to
|
|
execute arbitrary code with elevated privileges via a
|
|
malicious POP server.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12354</bid>
|
|
<cvename>CVE-2005-0102</cvename>
|
|
<url>http://cvs.gnome.org/viewcvs/evolution/camel/camel-lock-helper.c?rev=1.7&view=log#rev1.5.74.1</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-20</discovery>
|
|
<entry>2005-01-25</entry>
|
|
<modified>2005-02-02</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="88ff90f2-6e43-11d9-8c87-000a95bc6fae">
|
|
<topic>mod_dosevasive -- insecure temporary file creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_dosevasive20</name>
|
|
<range><lt>1.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An LSS Security Advisory reports:</p>
|
|
<blockquote cite="http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-01">
|
|
<p>When a denial of service attack is detected,
|
|
mod_dosevasive will, among other things, create a
|
|
temporary file which it will use to trace actions from the
|
|
offensive IP address. This file is insecurely created in
|
|
/tmp and it's name is easily predictable.</p>
|
|
<p>It is then easy for an attacker to create arbitrary files
|
|
in any directory that the user under which apache runs has
|
|
privileges to write.</p>
|
|
<p><em>[...]</em> once the target file is opened, there is a
|
|
race attack (although difficult to exploit) which can lead
|
|
to mod_dosevasive overwriting any file that the user under
|
|
which apache runs has privileges to write.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>ports/77513</freebsdpr>
|
|
<url>http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-01</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-04</discovery>
|
|
<entry>2005-01-24</entry>
|
|
<modified>2005-02-22</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b4d94fa0-6e38-11d9-9e1e-c296ac722cb3">
|
|
<topic>squid -- possible cache-poisoning via malformed HTTP responses</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.7_9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The squid patches page notes:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing">
|
|
<p>This patch makes Squid considerably stricter while
|
|
parsing the HTTP protocol.</p>
|
|
<ol>
|
|
<li>A Content-length header should only appear once in a
|
|
valid request or response. Multiple Content-length
|
|
headers, in conjunction with specially crafted requests,
|
|
may allow Squid's cache to be poisoned with bad content
|
|
in certain situations.</li>
|
|
<li>CR characters is only allowed as part of the CR NL
|
|
line terminator, not alone. This to ensure that all
|
|
involved agrees on the structure of HTTP headers.</li>
|
|
<li>Rejects requests/responses that have whitespace in an
|
|
HTTP header name.</li>
|
|
</ol>
|
|
</blockquote>
|
|
<p>To enable these strict parsing rules, update to at least
|
|
squid-2.5.7_9 and specify <code>relaxed_header_parser
|
|
off</code> in squid.conf.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0174</cvename>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing</url>
|
|
<certvu>768702</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-24</discovery>
|
|
<entry>2005-01-24</entry>
|
|
<modified>2006-01-02</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="97c3a452-6e36-11d9-8324-000a95bc6fae">
|
|
<topic>bugzilla -- cross-site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bugzilla</name>
|
|
<name>ja-bugzilla</name>
|
|
<range><lt>2.16.8</lt></range>
|
|
<range><ge>2.17.*</ge><lt>2.18</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Bugzilla advisory states:</p>
|
|
<blockquote cite="http://www.bugzilla.org/security/2.16.7-nr/">
|
|
<p>This advisory covers a single cross-site scripting issue
|
|
that has recently been discovered and fixed in the
|
|
Bugzilla code: If a malicious user links to a Bugzilla
|
|
site using a specially crafted URL, a script in the error
|
|
page generated by Bugzilla will display the URL unaltered
|
|
in the page, allowing scripts embedded in the URL to
|
|
execute.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1061</cvename>
|
|
<url>http://www.bugzilla.org/security/2.16.7-nr/</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=272620</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-01</discovery>
|
|
<entry>2005-01-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b0911985-6e2a-11d9-9557-000a95bc6fae">
|
|
<topic>web browsers -- window injection vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>1.0.1,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.6,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.6</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<name>de-netscape7</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-netscape7</name>
|
|
<name>netscape7</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<name>mozilla-gtk1</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>kdebase</name>
|
|
<name>kdelibs</name>
|
|
<range><lt>3.3.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>opera</name>
|
|
<name>opera-devel</name>
|
|
<name>linux-opera</name>
|
|
<range><lt>7.54.20050131</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Research advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/secunia_research/2004-13/advisory/">
|
|
<p>Secunia Research has reported a vulnerability in multiple
|
|
browsers, which can be exploited by malicious people to
|
|
spoof the content of websites.</p>
|
|
<p>The problem is that a website can inject content into
|
|
another site's window if the target name of the window is
|
|
known. This can e.g. be exploited by a malicious website
|
|
to spoof the content of a pop-up window opened on a
|
|
trusted website.</p>
|
|
<p>Secunia has constructed a test, which can be used to
|
|
check if your browser is affected by this issue:
|
|
<a href="http://secunia.com/multiple_browsers_window_injection_vulnerability_test/">http://secunia.com/multiple_browsers_window_injection_vulnerability_test/</a></p>
|
|
</blockquote>
|
|
<p>A <a href="http://mozillanews.org/?article_date=2004-12-08+06-48-46">workaround
|
|
for Mozilla-based browsers</a> is available.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/secunia_research/2004-13/advisory/</url>
|
|
<url>http://secunia.com/multiple_browsers_window_injection_vulnerability_test/</url>
|
|
<!-- mozilla -->
|
|
<cvename>CVE-2004-1156</cvename>
|
|
<url>http://secunia.com/advisories/13129/</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=273699</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=103638</url>
|
|
<url>http://mozillanews.org/?article_date=2004-12-08+06-48-46</url>
|
|
<!-- opera -->
|
|
<cvename>CVE-2004-1157</cvename>
|
|
<url>http://secunia.com/advisories/13253/</url>
|
|
<!-- konqueror -->
|
|
<cvename>CVE-2004-1158</cvename>
|
|
<url>http://secunia.com/advisories/13254/</url>
|
|
<url>http://www.kde.org/info/security/advisory-20041213-1.txt</url>
|
|
<!-- netscape -->
|
|
<cvename>CVE-2004-1160</cvename>
|
|
<url>http://secunia.com/advisories/13402/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-08</discovery>
|
|
<entry>2005-01-24</entry>
|
|
<modified>2005-02-26</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d4a7054a-6d96-11d9-a9e7-0001020eed82">
|
|
<topic>yamt -- arbitrary command execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>yamt</name>
|
|
<range><lt>0.5_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Manigandan Radhakrishnan discovered a security
|
|
vulnerability in YAMT which can lead to execution of
|
|
arbitrary commands with the privileges of the user running
|
|
YAMT when sorting based on MP3 tags. The problem exist in
|
|
the <code>id3tag_sort()</code> routine which does not
|
|
properly sanitize the artist tag from the MP3 file before
|
|
using it as an argument to the mv command.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>11999</bid>
|
|
<cvename>CVE-2004-1302</cvename>
|
|
<url>http://tigger.uic.edu/~jlongs2/holes/yamt.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-15</discovery>
|
|
<entry>2005-01-23</entry>
|
|
<modified>2005-01-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4e4bd2c2-6bd5-11d9-9e1e-c296ac722cb3">
|
|
<topic>squid -- HTTP response splitting cache pollution attack</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.7_8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>According to a whitepaper published by Sanctum, Inc., it
|
|
is possible to mount cache poisoning attacks against, among others,
|
|
squid proxies by inserting false replies into the HTTP stream.</p>
|
|
<p>The squid patches page notes:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting">
|
|
<p>This patch additionally strengthens Squid from the HTTP response
|
|
attack described by Sanctum.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0175</cvename>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting</url>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1200</url>
|
|
<url>https://www.watchfire.com/securearea/whitepapers.aspx?id=8</url>
|
|
<certvu>625878</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-01</discovery>
|
|
<entry>2005-01-22</entry>
|
|
<modified>2005-02-07</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="338d1723-5f03-11d9-92a7-000bdb1444a4">
|
|
<topic>horde -- XSS vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde</name>
|
|
<name>horde-php5</name>
|
|
<range><gt>3.*</gt><lt>3.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Hyperdose Security Advisory reports:</p>
|
|
<blockquote cite="http://lists.horde.org/archives/announce/2005/000159.html">
|
|
<p>Horde contains two XSS attacks that can be exploited
|
|
through GET requests. Once exploited, these requests
|
|
could be used to execute any javascript commands in the
|
|
context of that user, potentially including but not
|
|
limited to reading and deleting email, and stealing auth
|
|
tokens.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12255</bid>
|
|
<mlist msgid="1105593825.8638@mx249a.mysite4now.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110564059322774</mlist>
|
|
<mlist>http://lists.horde.org/archives/announce/2005/000159.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-04</discovery>
|
|
<entry>2005-01-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2b2b333b-6bd3-11d9-95f8-000a95bc6fae">
|
|
<topic>mc -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mc</name>
|
|
<range><lt>4.6.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Andrew V. Samoilov reported several vulnerabilities that
|
|
were corrected in MidnightCommand 4.6.0:</p>
|
|
<ul>
|
|
<li>Format string issues (CVE-2004-1004)</li>
|
|
<li>Buffer overflows (CVE-2004-1005)</li>
|
|
<li>Denial-of-service, infinite loop (CVE-2004-1009)</li>
|
|
<li>Denial-of-service, corrupted section header
|
|
(CVE-2004-1090)</li>
|
|
<li>Denial-of-service, null pointer dereference (CVE-2004-1091)</li>
|
|
<li>Freeing unallocated memory (CVE-2004-1092)</li>
|
|
<li>Using already freed memory (CVE-2004-1093)</li>
|
|
</ul>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1004</cvename>
|
|
<cvename>CVE-2004-1005</cvename>
|
|
<cvename>CVE-2004-1009</cvename>
|
|
<cvename>CVE-2004-1090</cvename>
|
|
<cvename>CVE-2004-1091</cvename>
|
|
<cvename>CVE-2004-1092</cvename>
|
|
<cvename>CVE-2004-1093</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-01</discovery>
|
|
<entry>2005-01-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c418d472-6bd1-11d9-93ca-000a95bc6fae">
|
|
<topic>perl -- File::Path insecure file/directory permissions</topic>
|
|
<affects>
|
|
<package>
|
|
<name>perl</name>
|
|
<range><ge>0</ge><lt>5.6.2</lt></range>
|
|
<range><ge>5.8.0</ge><lt>5.8.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jeroen van Wolffelaar reports that the Perl module File::Path
|
|
contains a race condition wherein traversed directories and files
|
|
are temporarily made world-readable/writable.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0452</cvename>
|
|
<url>http://www.debian.org/security/2004/dsa-620</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/18650</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-30</discovery>
|
|
<entry>2005-01-21</entry>
|
|
<modified>2005-02-01</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e8c6ade2-6bcc-11d9-8e6f-000a95bc6fae">
|
|
<cancelled superseded="e3cf89f0-53da-11d9-92b7-ceadd4ac2edd"/>
|
|
</vuln>
|
|
|
|
<vuln vid="1489df94-6bcb-11d9-a21e-000a95bc6fae">
|
|
<topic>opera -- multiple vulnerabilities in Java implementation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>opera</name>
|
|
<name>opera-devel</name>
|
|
<name>linux-opera</name>
|
|
<range><lt>7.54.20041210</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Marc Schoenefeld reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110088923127820">
|
|
<p>Opera 7.54 is vulnerable to leakage of the java sandbox,
|
|
allowing malicious applets to gain unacceptable
|
|
privileges. This allows them to be used for information
|
|
gathering (spying) of local identity information and
|
|
system configurations as well as causing annoying crash
|
|
effects.</p>
|
|
<p>Opera 754 <em>[sic]</em> which was released Aug 5,2004 is
|
|
vulnerable to the XSLT processor covert channel attack,
|
|
which was corrected with JRE 1.4.2_05 [released in July
|
|
04], but in disadvantage to the users the opera packaging
|
|
guys chose to bundle the JRE 1.4.2_04 <em>[...]</em></p>
|
|
<p>Internal pointer DoS exploitation: Opera.jar contains the
|
|
opera replacement of the java plugin. It therefore handles
|
|
communication between javascript and the Java VM via the
|
|
liveconnect protocol. The public class EcmaScriptObject
|
|
exposes a system memory pointer to the java address space,
|
|
by constructing a special variant of this type an internal
|
|
cache table can be polluted by false entries that infer
|
|
proper function of the JSObject class and in the following
|
|
proof-of-concept crash the browser.</p>
|
|
<p>Exposure of location of local java installation Sniffing
|
|
the URL classpath allows to retrieve the URLs of the
|
|
bootstrap class path and therefore the JDK installation
|
|
directory.</p>
|
|
<p>Exposure of local user name to an untrusted applet An
|
|
attacker could use the sun.security.krb5.Credentials class
|
|
to retrieve the name of the currently logged in user and
|
|
parse his home directory from the information which is
|
|
provided by the thrown
|
|
java.security.AccessControlException.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="Pine.A41.4.58.0411191800510.57436@zivunix.uni-muenster.de">http://marc.theaimsgroup.com/?l=bugtraq&m=110088923127820</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-19</discovery>
|
|
<entry>2005-01-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="045944a0-6bca-11d9-aaa6-000a95bc6fae">
|
|
<topic>sudo -- environmental variable CDPATH is not cleared</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sudo</name>
|
|
<range><lt>1.6.8.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A sudo bug report says:</p>
|
|
<blockquote cite="http://www.sudo.ws/bugs/show_bug.cgi?id=155">
|
|
<p>sudo doesn't unset the CDPATH variable, which leads to
|
|
possible security problems.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.sudo.ws/bugs/show_bug.cgi?id=155</url>
|
|
<mlist>http://www.sudo.ws/pipermail/sudo-announce/2004-November/000044.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-18</discovery>
|
|
<entry>2005-01-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e480ccb2-6bc8-11d9-8dbe-000a95bc6fae">
|
|
<topic>fcron -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fcron</name>
|
|
<range><lt>2.9.5.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE Security Advisory states:</p>
|
|
<blockquote cite="http://www.idefense.com/application/poi/display?id=157&type=vulnerabilities&flashstatus=false">
|
|
<p>Multiple vulnerabilities have been found in Fcron.</p>
|
|
<ol>
|
|
<li>File contents disclosure</li>
|
|
<li>Configuration Bypass Vulnerability</li>
|
|
<li>File Removal and Empty File Creation Vulnerability</li>
|
|
<li>Information Disclosure Vulnerability</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.idefense.com/application/poi/display?id=157&type=vulnerabilities&flashstatus=false</url>
|
|
<cvename>CVE-2004-1030</cvename>
|
|
<cvename>CVE-2004-1031</cvename>
|
|
<cvename>CVE-2004-1032</cvename>
|
|
<cvename>CVE-2004-1033</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-15</discovery>
|
|
<entry>2005-01-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="02274fd9-6bc5-11d9-8edb-000a95bc6fae">
|
|
<topic>realplayer -- arbitrary file deletion and other vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-realplayer</name>
|
|
<range><lt>10.0.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An NGSSoftware Insight Security Research Advisory reports:</p>
|
|
<blockquote cite="http://www.ngssoftware.com/advisories/real-03full.txt">
|
|
<p>Two vulnerabilities have been discovered in RealPlayer
|
|
which may potentially be leveraged to allow remote code
|
|
execution, or may used in combination with the Real
|
|
Metadata Package File Deletion vulnerability to reliably
|
|
delete files from a users system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.ngssoftware.com/advisories/real-02full.txt</url>
|
|
<url>http://www.ngssoftware.com/advisories/real-03full.txt</url>
|
|
<url>http://service.real.com/help/faq/security/040928_player/EN/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-06</discovery>
|
|
<entry>2005-01-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2001103a-6bbd-11d9-851d-000a95bc6fae">
|
|
<topic>imlib -- xpm heap buffer overflows and integer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>imlib</name>
|
|
<range><lt>1.9.15_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>imlib2</name>
|
|
<range><lt>1.1.2_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Pavel Kankovsky reports:</p>
|
|
<blockquote cite="https://bugzilla.fedora.us/show_bug.cgi?id=2051#c11">
|
|
<p>Imlib affected by a variant of CAN-2004-0782 too.</p>
|
|
<p>I've discovered more vulnerabilities in Imlib
|
|
(1.9.13). In particular, it appears to be affected by a
|
|
variant of Chris Evans' libXpm flaw #1 (CAN-2004-0782, see
|
|
http://scary.beasts.org/security/CESA-2004-003.txt). Look
|
|
at the attached image, it kills ee on my 7.3.</p>
|
|
</blockquote>
|
|
<p>The flaws also affect imlib2.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1025</cvename>
|
|
<cvename>CVE-2004-1026</cvename>
|
|
<bid>11830</bid>
|
|
<url>https://bugzilla.fedora.us/show_bug.cgi?id=2051#c11</url>
|
|
<url>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138516</url>
|
|
<url>http://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/libs/imlib2/src/modules/loaders/loader_xpm.c#rev1.3</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-06</discovery>
|
|
<entry>2005-01-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="39953788-6bbb-11d9-8bc9-000a95bc6fae">
|
|
<topic>egroupware -- arbitrary file download in JiNN</topic>
|
|
<affects>
|
|
<package>
|
|
<name>eGroupWare</name>
|
|
<range><lt>1.0.0.006</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>eGroupWare contains a bug in the JiNN component that allows
|
|
a remote attacker to download arbitrary files.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://cvs.sourceforge.net/viewcvs.py/egroupware/jinn/CHANGELOG#rev1.24</url>
|
|
<mlist>http://sourceforge.net/mailarchive/forum.php?thread_id=5915445&forum_id=35178</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-15</discovery>
|
|
<entry>2005-01-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2c25e762-6bb9-11d9-93db-000a95bc6fae">
|
|
<topic>quake2 -- multiple critical vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>quake2forge</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>quake2lnx</name>
|
|
<range><lt>0.16.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An advisory published by Richard Stanway describes numerous
|
|
critical vulnerabilities in the Quake II engine:</p>
|
|
<blockquote cite="http://secur1ty.net/advisories/001">
|
|
<p>Due to unchecked input at various stages in the server,
|
|
remote users are able to cause the server to crash, reveal
|
|
sensitive information or potentially execute arbitrary
|
|
code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secur1ty.net/advisories/001</url>
|
|
<mlist msgid="NGEHLEPKOGIHAIJAMDPKOEHJCGAA.bugtraq@secur1ty.net">http://marc.theaimsgroup.com/?l=bugtraq&m=109892527321706</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-27</discovery>
|
|
<entry>2005-01-21</entry>
|
|
<modified>2005-03-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5c7bb4dd-6a56-11d9-97ec-000c6e8f12ef">
|
|
<topic>konversation -- shell script command injection</topic>
|
|
<affects>
|
|
<package>
|
|
<name>konversation</name>
|
|
<range><lt>0.15</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Konversation comes with Perl scripts that do not properly escape
|
|
shell characters on executing a script. This makes it possible
|
|
to attack Konversation with shell script command injection.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0129</cvename>
|
|
<cvename>CVE-2005-0130</cvename>
|
|
<cvename>CVE-2005-0131</cvename>
|
|
<mlist msgid="200501191739.56585.wouter@coekaerts.be">http://marc.theaimsgroup.com/?l=full-disclosure&m=110616016509114</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-19</discovery>
|
|
<entry>2005-01-19</entry>
|
|
<modified>2005-01-21</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7a921e9e-68b1-11d9-9e1e-c296ac722cb3">
|
|
<topic>squid -- no sanity check of usernames in squid_ldap_auth</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.7_7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The LDAP authentication helper did not strip
|
|
leading or trailing spaces from the login name.
|
|
According to the squid patches page:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces">
|
|
<p>LDAP is very forgiving about spaces in search
|
|
filters and this could be abused to log in
|
|
using several variants of the login name,
|
|
possibly bypassing explicit access controls
|
|
or confusing accounting.</p>
|
|
<p>Workaround: Block logins with spaces</p>
|
|
<pre>
|
|
acl login_with_spaces proxy_auth_regex [:space:]
|
|
http_access deny login_with_spaces
|
|
</pre>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0173</cvename>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces</url>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1187</url>
|
|
<certvu>924198</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-10</discovery>
|
|
<entry>2005-01-19</entry>
|
|
<modified>2005-02-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="990cf07e-6988-11d9-a9e7-0001020eed82">
|
|
<topic>cups-base -- CUPS server remote DoS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cups-base</name>
|
|
<range><ge>1.1.21</ge><lt>1.1.23</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Kenshi Muto discovered that the CUPS server would enter an
|
|
infinite loop when processing a URL containing
|
|
<q><code>/..</code></q>.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12200</bid>
|
|
<cvename>CVE-2005-2874</cvename>
|
|
<url>http://www.cups.org/str.php?L1042</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-30</discovery>
|
|
<entry>2005-01-18</entry>
|
|
<modified>2005-09-21</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b58ff497-6977-11d9-ae49-000c41e2cdad">
|
|
<topic>tiff -- divide-by-zero denial-of-service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tiff</name>
|
|
<name>linux-tiff</name>
|
|
<range><lt>3.6.0</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>pdflib</name>
|
|
<name>pdflib-perl</name>
|
|
<range><lt>6.0.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gdal</name>
|
|
<range><lt>1.2.1_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ivtools</name>
|
|
<range><lt>1.2.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>paraview</name>
|
|
<range><lt>2.4.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>fractorama</name>
|
|
<range><lt>1.6.7_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>iv</name>
|
|
<name>ja-iv</name>
|
|
<name>ja-libimg</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A US-CERT vulnerability note reports:</p>
|
|
<blockquote cite="http://www.kb.cert.org/vuls/id/555304">
|
|
<p>An Integer overflow in the LibTIFF library may allow a
|
|
remote attacker to cause a divide-by-zero error that results
|
|
in a denial-of-service condition.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0804</cvename>
|
|
<certvu>555304</certvu>
|
|
<url>http://bugzilla.remotesensing.org/show_bug.cgi?id=111</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2002-03-27</discovery>
|
|
<entry>2005-01-18</entry>
|
|
<modified>2006-06-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="249a8c42-6973-11d9-ae49-000c41e2cdad">
|
|
<topic>zgv -- exploitable heap overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zgv</name>
|
|
<range><lt>5.8_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>xzgv</name>
|
|
<range><lt>0.8_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>infamous41md reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=109886210702781">
|
|
<p>zgv uses malloc() frequently to allocate memory for storing
|
|
image data. When calculating how much to allocate, user
|
|
supplied data from image headers is multiplied and/or added
|
|
without any checks for arithmetic overflows. We can
|
|
overflow numerous calculations, and cause small buffers to
|
|
be allocated. Then we can overflow the buffer, and
|
|
eventually execute code. There are a total of
|
|
11 overflows that are exploitable to execute arbitrary
|
|
code.</p>
|
|
</blockquote>
|
|
<p>These bugs exist in both zgv and xzgv.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="20041025210717.2799d9c1.infamous41md@hotpop.com">http://marc.theaimsgroup.com/?l=bugtraq&m=109886210702781</mlist>
|
|
<mlist msgid="20041027233907.A3678@netdirect.ca">http://marc.theaimsgroup.com/?l=bugtraq&m=109898111915661</mlist>
|
|
<url>http://rus.members.beeb.net/xzgv.html</url>
|
|
<url>http://www.svgalib.org/rus/zgv/</url>
|
|
<cvename>CVE-2004-0994</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=160&type=vulnerabilities&flashstatus=false</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-26</discovery>
|
|
<entry>2005-01-18</entry>
|
|
<modified>2005-01-21</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a77849a5-696f-11d9-ae49-000c41e2cdad">
|
|
<topic>mozilla -- insecure permissions for some downloaded files</topic>
|
|
<affects>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><lt>0.9</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>firefox</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><lt>1.0.r2,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-netscape7</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-netscape7</name>
|
|
<name>netscape7</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><le>7.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.5,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>In a Mozilla bug report, Daniel Kleinsinger writes:</p>
|
|
<blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=251297">
|
|
<p>I was comparing treatment of attachments opened directly
|
|
from emails on different platforms. I discovered that Linux
|
|
builds save attachments in /tmp with world readable rights.
|
|
This doesn't seem like a good thing. Couldn't someone else
|
|
logged onto the same machine read your attachments?</p>
|
|
</blockquote>
|
|
<p>This could expose the contents of downloaded files or email
|
|
attachments to other users on a multi-user system.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=251297</url>
|
|
<mlist msgid="417C19F1.2040107@ptraced.net">http://marc.theaimsgroup.com/?l=full-disclosure&m=109865078103911</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-13</discovery>
|
|
<entry>2005-01-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0f5a2b4d-694b-11d9-a9e7-0001020eed82">
|
|
<topic>awstats -- remote command execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>awstats</name>
|
|
<range><lt>6.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE Security Advisory reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=full-disclosure&m=110600949323439">
|
|
<p>Remote exploitation of an input validation vulnerability
|
|
in AWStats allows attackers to execute arbitrary commands
|
|
under the privileges of the web server.</p>
|
|
<p>The problem specifically exists when the application is
|
|
running as a CGI script on a web server. The "configdir"
|
|
parameter contains unfiltered user-supplied data that is
|
|
utilized in a call to the Perl routine open()...</p>
|
|
<p>Successful exploitation allows remote attackers to
|
|
execute arbitrary commands under the privileges of the web
|
|
server. This can lead to further compromise as it provides
|
|
remote attackers with local access.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12270</bid>
|
|
<cvename>CVE-2005-0116</cvename>
|
|
<certvu>272296</certvu>
|
|
<mlist msgid="FB24803D1DF2A34FA59FC157B77C970503C8B20C@idserv04.idef.com">http://marc.theaimsgroup.com/?l=full-disclosure&m=110600949323439</mlist>
|
|
<url>http://awstats.sourceforge.net/docs/awstats_changelog.txt</url>
|
|
<url>http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-21</discovery>
|
|
<entry>2005-01-18</entry>
|
|
<modified>2005-02-23</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="597e2bee-68ea-11d9-a9e7-0001020eed82">
|
|
<topic>ImageMagick -- PSD handler heap overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ImageMagick</name>
|
|
<range><lt>6.1.8.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE Security Advisory reports:</p>
|
|
<blockquote cite="http://www.idefense.com/application/poi/display?id=184&type=vulnerabilities">
|
|
<p>Remote exploitation of a buffer overflow vulnerability in
|
|
The ImageMagick's Project's ImageMagick PSD image-decoding
|
|
module could allow an attacker to execute arbitrary
|
|
code.</p>
|
|
<p>Exploitation may allow attackers to run arbitrary code on
|
|
a victim's computer if the victim opens a specially
|
|
formatted image. Such images could be delivered by e-mail
|
|
or HTML, in some cases, and would likely not raise
|
|
suspicion on the victim's part. Exploitation is also
|
|
possible when a web-based application uses ImageMagick to
|
|
process user-uploaded image files.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0005</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=184&type=vulnerabilities</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-21</discovery>
|
|
<entry>2005-01-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7850a238-680a-11d9-a9e7-0001020eed82">
|
|
<topic>cups-lpr -- lppasswd multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cups-lpr</name>
|
|
<name>fr-cups-lpr</name>
|
|
<range><lt>1.1.23</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>D. J. Bernstein reports that Bartlomiej Sieka has
|
|
discovered several security vulnerabilities in lppasswd,
|
|
which is part of CUPS. In the following excerpt from
|
|
Bernstein's email, CVE names have been added for each issue:</p>
|
|
<blockquote cite="http://tigger.uic.edu/~jlongs2/holes/cups2.txt">
|
|
<p>First, lppasswd blithely ignores write errors in
|
|
fputs(line,outfile) at lines 311 and 315 of lppasswd.c,
|
|
and in fprintf(...) at line 346. An attacker who fills up
|
|
the disk at the right moment can arrange for
|
|
/usr/local/etc/cups/passwd to be truncated.
|
|
<em>(CAN-2004-1268)</em></p>
|
|
<p>Second, if lppasswd bumps into a file-size resource limit
|
|
while writing passwd.new, it leaves passwd.new in place,
|
|
disabling all subsequent invocations of lppasswd. Any
|
|
local user can thus disable lppasswd...
|
|
<em>(CAN-2004-1269)</em></p>
|
|
<p>Third, line 306 of lppasswd.c prints an error message to
|
|
stderr but does not exit. This is not a problem on systems
|
|
that ensure that file descriptors 0, 1, and 2 are open for
|
|
setuid programs, but it is a problem on other systems;
|
|
lppasswd does not check that passwd.new is different from
|
|
stderr, so it ends up writing a user-controlled error
|
|
message to passwd if the user closes file descriptor
|
|
2. <em>(CAN-2004-1270)</em></p>
|
|
</blockquote>
|
|
<p><strong>Note:</strong> The third issue, CVE-2004-1270, does
|
|
not affect FreeBSD 4.6-RELEASE or later systems, as these
|
|
systems ensure that the file descriptors 0, 1, and 2 are
|
|
always open for set-user-ID and set-group-ID programs.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1268</cvename>
|
|
<cvename>CVE-2004-1269</cvename>
|
|
<cvename>CVE-2004-1270</cvename>
|
|
<bid>12007</bid>
|
|
<bid>12004</bid>
|
|
<url>http://www.cups.org/str.php?L1023</url>
|
|
<url>http://tigger.uic.edu/~jlongs2/holes/cups2.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-11</discovery>
|
|
<entry>2005-01-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="40a3bca2-6809-11d9-a9e7-0001020eed82">
|
|
<topic>cups-base -- HPGL buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cups-base</name>
|
|
<name>fr-cups-base</name>
|
|
<range><lt>1.1.22.0_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ariel Berkman has discovered a buffer overflow
|
|
vulnerability in CUPS's HPGL input driver. This
|
|
vulnerability could be exploited to execute arbitrary code
|
|
with the permission of the CUPS server by printing a
|
|
specially crated HPGL file.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>11968</bid>
|
|
<cvename>CVE-2004-1267</cvename>
|
|
<url>http://tigger.uic.edu/~jlongs2/holes/cups.txt</url>
|
|
<url>http://www.cups.org/str.php?L1024</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-15</discovery>
|
|
<entry>2005-01-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ce109fd4-67f3-11d9-a9e7-0001020eed82">
|
|
<topic>mysql-scripts -- mysqlaccess insecure temporary file creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-scripts</name>
|
|
<range><lt>3.23.58_2</lt></range>
|
|
<range><gt>4.*</gt><lt>4.0.23a_1</lt></range>
|
|
<range><gt>4.1.*</gt><lt>4.1.9_1</lt></range>
|
|
<range><gt>5.*</gt><lt>5.0.2_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Debian Security Team reports:</p>
|
|
<blockquote>
|
|
<p>Javier Fernández-Sanguino Peña from the Debian Security
|
|
Audit Project discovered a temporary file vulnerability in
|
|
the mysqlaccess script of MySQL that could allow an
|
|
unprivileged user to let root overwrite arbitrary files
|
|
via a symlink attack and could also could unveil the
|
|
contents of a temporary file which might contain sensitive
|
|
information.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0004</cvename>
|
|
<url>http://lists.mysql.com/internals/20600</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-12</discovery>
|
|
<entry>2005-01-16</entry>
|
|
<modified>2005-01-17</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f2d5e56e-67eb-11d9-a9e7-0001020eed82">
|
|
<topic>unrtf -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>unrtf</name>
|
|
<range><lt>0.19.3_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Yosef Klein and Limin Wang have found a buffer overflow
|
|
vulnerability in unrtf that can allow an attacker to execute
|
|
arbitrary code with the permissions of the user running
|
|
unrtf, by running unrtf on a specially crafted rtf
|
|
document.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12030</bid>
|
|
<cvename>CVE-2004-1297</cvename>
|
|
<url>http://tigger.uic.edu/~jlongs2/holes/unrtf.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-15</discovery>
|
|
<entry>2005-01-16</entry>
|
|
<modified>2005-02-11</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3fbf9db2-658b-11d9-abad-000a95bc6fae">
|
|
<topic>mozilla -- heap overflow in NNTP handler</topic>
|
|
<affects>
|
|
<package>
|
|
<name>de-netscape7</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-netscape7</name>
|
|
<name>netscape7</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.5,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>linux-netscape</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Maurycy Prodeus reports a critical vulnerability in
|
|
Mozilla-based browsers:</p>
|
|
<blockquote cite="http://isec.pl/vulnerabilities/isec-0020-mozilla.txt">
|
|
<p>Mozilla browser supports NNTP urls. Remote side is able to
|
|
trigger news:// connection to any server. I found a flaw in
|
|
NNTP handling code which may cause heap overflow and allow
|
|
remote attacker to execute arbitrary code on client
|
|
machine.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1316</cvename>
|
|
<url>http://isec.pl/vulnerabilities/isec-0020-mozilla.txt</url>
|
|
<mlist msgid="Pine.LNX.4.44.0412292228440.19239-200000@isec.pl">http://marc.theaimsgroup.com/?l=bugtraq&m=110436284718949</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-29</discovery>
|
|
<entry>2005-01-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3cc84400-6576-11d9-a9e7-0001020eed82">
|
|
<topic>mpg123 -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mpg123</name>
|
|
<name>mpg123-nas</name>
|
|
<name>mpg123-esound</name>
|
|
<range><lt>0.59r_17</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Yuri D'Elia has found a buffer overflow vulnerability in
|
|
mpg123's parsing of frame headers in input streams. This
|
|
vulnerability can potentially lead to execution of arbitrary
|
|
code with the permissions of the user running mpg123, if the
|
|
user runs mpg123 on a specially crafted MP2 or MP3 file.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0991</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-01</discovery>
|
|
<entry>2005-01-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5fe7e27a-64cb-11d9-9e1e-c296ac722cb3">
|
|
<topic>squid -- denial of service with forged WCCP messages</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.7_6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The squid patches page notes:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_denial_of_service">
|
|
<p>WCCP_I_SEE_YOU messages contain a 'number of caches'
|
|
field which should be between 1 and 32. Values outside
|
|
that range may crash Squid if WCCP is enabled, and if an
|
|
attacker can spoof UDP packets with the WCCP router's IP
|
|
address.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0095</cvename>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_denial_of_service</url>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1190</url>
|
|
<url>http://www.squid-cache.org/Advisories/SQUID-2005_2.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-07</discovery>
|
|
<entry>2005-01-12</entry>
|
|
<modified>2005-01-22</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="184ab9e0-64cd-11d9-9e1e-c296ac722cb3">
|
|
<topic>squid -- buffer overflow vulnerability in gopherToHTML</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.7_6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The squid patches page notes:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing">
|
|
<p>A malicious gopher server may return a response with very
|
|
long lines that cause a buffer overflow in Squid.</p>
|
|
<p>Workaround: Since gopher is very obscure these days, do
|
|
not allow Squid to any gopher servers. Use an ACL rule
|
|
like:</p>
|
|
<pre>acl Gopher proto gopher
|
|
http_access deny Gopher</pre>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0094</cvename>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing</url>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1189</url>
|
|
<url>http://www.squid-cache.org/Advisories/SQUID-2005_1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-11</discovery>
|
|
<entry>2005-01-12</entry>
|
|
<modified>2005-01-22</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="131bd7c4-64a3-11d9-829a-000a95bc6fae">
|
|
<topic>libxine -- DVD subpicture decoder heap overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libxine</name>
|
|
<range><lt>1.0.r6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A xine security announcement states:</p>
|
|
<blockquote cite="http://xinehq.de/index.php/security/XSA-2004-5">
|
|
<p>A heap overflow has been found in the DVD subpicture
|
|
decoder of xine-lib. This can be used for a remote heap
|
|
overflow exploit, which can, on some systems, lead to or
|
|
help in executing malicious code with the permissions of the
|
|
user running a xine-lib based media application.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1379</cvename>
|
|
<url>http://xinehq.de/index.php/security/XSA-2004-5</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-06</discovery>
|
|
<entry>2005-01-12</entry>
|
|
<modified>2005-01-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b6939d5b-64a1-11d9-9106-000a95bc6fae">
|
|
<topic>libxine -- multiple vulnerabilities in VideoCD handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libxine</name>
|
|
<range><ge>1.0.r2</ge><lt>1.0.r6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A xine security announcement states:</p>
|
|
<blockquote cite="http://xinehq.de/index.php/security/XSA-2004-4">
|
|
<p>Several string overflows on the stack have been fixed in
|
|
xine-lib, some of them can be used for remote buffer
|
|
overflow exploits leading to the execution of arbitrary code
|
|
with the permissions of the user running a xine-lib based
|
|
media application.</p>
|
|
<p>Stack-based string overflows have been found:</p>
|
|
<ol>
|
|
<li>in the code which handles VideoCD MRLs</li>
|
|
<li>in VideoCD code reading the disc label</li>
|
|
<li>in the code which parses text subtitles and prepares
|
|
them for display</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://xinehq.de/index.php/security/XSA-2004-4</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-07</discovery>
|
|
<entry>2005-01-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1b70bef4-649f-11d9-a30e-000a95bc6fae">
|
|
<topic>libxine -- multiple buffer overflows in RTSP</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mplayer</name>
|
|
<name>mplayer-gtk</name>
|
|
<name>mplayer-gtk2</name>
|
|
<name>mplayer-esound</name>
|
|
<name>mplayer-gtk-esound</name>
|
|
<name>mplayer-gtk2-esound</name>
|
|
<range><lt>0.99.4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libxine</name>
|
|
<range><lt>1.0.r4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A xine security announcement states:</p>
|
|
<blockquote cite="http://xinehq.de/index.php/security/XSA-2004-3">
|
|
<p>Multiple vulnerabilities have been found and fixed in the
|
|
Real-Time Streaming Protocol (RTSP) client for RealNetworks
|
|
servers, including a series of potentially remotely
|
|
exploitable buffer overflows. This is a joint advisory by
|
|
the MPlayer and xine teams as the code in question is common
|
|
to these projects.</p>
|
|
<p>Severity: High (arbitrary remote code execution under the
|
|
user ID running the player) when playing Real RTSP streams.
|
|
At this time, there is no known exploit for these
|
|
vulnerabilities.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0433</cvename>
|
|
<url>http://xinehq.de/index.php/security/XSA-2004-3</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/16019</url>
|
|
<bid>10245</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-25</discovery>
|
|
<entry>2005-01-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8eabaad9-641f-11d9-92a7-000a95bc6fae">
|
|
<topic>hylafax -- unauthorized login vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>hylafax</name>
|
|
<range><lt>4.2.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A flaw in HylaFAX may allow an attacker to bypass normal
|
|
authentication by spoofing their DNS PTR records.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1182</cvename>
|
|
<mlist msgid="20050111155949.GU9853@bilbo.x101.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110546971307585</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-11</discovery>
|
|
<entry>2005-01-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="56971fa6-641c-11d9-a097-000854d03344">
|
|
<topic>xshisen -- local buffer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xshisen</name>
|
|
<range><lt>1.36_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Steve Kemp has found buffer overflows in the handling
|
|
of the command line flag -KCONV and the XSHISENLIB environment
|
|
variable. Ulf Härnhammer has detected an unbounded copy from
|
|
the GECOS field to a char array. All overflows can be exploited
|
|
to gain group games privileges.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=213957</url>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289784</url>
|
|
<cvename>CVE-2003-1053</cvename>
|
|
<cvename>CVE-2005-0117</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-11</discovery>
|
|
<entry>2005-01-11</entry>
|
|
<modified>2005-01-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0cf3480d-5fdf-11d9-b721-00065be4b5b6">
|
|
<topic>helvis -- arbitrary file deletion problem</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ko-helvis</name>
|
|
<range><le>1.8h2_1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>helvis</name>
|
|
<range><le>1.8h2_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The setuid root elvprsv utility, used to preserve
|
|
recovery helvis files, can be abused by local users to delete
|
|
with root privileges.</p>
|
|
<p>The problem is that elvprsv deletes files when it thinks they
|
|
have become corrupt. When elvprsv is pointed to a normal file then
|
|
it will almost always think the file is corrupt and deletes it.
|
|
This behavior may be exploited by local attackers to delete critical
|
|
files.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0120</cvename>
|
|
<url>http://people.freebsd.org/~niels/ports/korean/helvis/issues.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-24</discovery>
|
|
<entry>2005-01-10</entry>
|
|
<modified>2005-01-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="bb99f803-5fde-11d9-b721-00065be4b5b6">
|
|
<topic>helvis -- information leak vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ko-helvis</name>
|
|
<range><le>1.8h2_1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>helvis</name>
|
|
<range><le>1.8h2_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Once a recovery file has been preserved by the setuid root elvprsv
|
|
utility it is placed in a worldreadable directory with worldreadable
|
|
permissions. This possibly allows sensitive information to leak.</p>
|
|
<p>In addition to this information leak, it is possible for users
|
|
to recover files that belong to other users by using elvrec, another
|
|
setuid root binary.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0118</cvename>
|
|
<cvename>CVE-2005-0119</cvename>
|
|
<url>http://people.freebsd.org/~niels/ports/korean/helvis/issues.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-24</discovery>
|
|
<entry>2005-01-10</entry>
|
|
<modified>2005-01-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="28ab7ddf-61ab-11d9-a9e7-0001020eed82">
|
|
<topic>dillo -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>dillo</name>
|
|
<range><lt>0.8.3_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>dillo contains a format string vulnerability which could
|
|
lead to execution of arbitrary code simply by viewing a web
|
|
page or opening a HTML file.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0012</cvename>
|
|
<url>http://bugs.gentoo.org/show_bug.cgi?id=76665</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-04</discovery>
|
|
<entry>2005-01-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f92e1bbc-5e18-11d9-839a-0050da134090">
|
|
<topic>tnftp -- mget does not check for directory escapes</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tnftp</name>
|
|
<range><lt>20050103</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When downloading a batch of files from an FTP server the
|
|
mget command does not check for directory escapes. A
|
|
specially crafted file on the FTP server could then
|
|
potentially overwrite an existing file of the user.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1294</cvename>
|
|
<url>http://tigger.uic.edu/~jlongs2/holes/tnftp.txt</url>
|
|
<url>http://cvsweb.netbsd.org/bsdweb.cgi/othersrc/usr.bin/tnftp/src/cmds.c?rev=1.1.1.3&content-type=text/x-cvsweb-markup</url>
|
|
<url>http://it.slashdot.org/article.pl?sid=04/12/15/2113202</url>
|
|
<mlist msgid="653D74053BA6F54A81ED83DCF969DF08CFA2AA@pivxes1.pivx.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110321888413132</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-15</discovery>
|
|
<entry>2005-01-07</entry>
|
|
<modified>2005-01-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8f86d8b5-6025-11d9-a9e7-0001020eed82">
|
|
<topic>tiff -- tiffdump integer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tiff</name>
|
|
<range><lt>3.7.1_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-tiff</name>
|
|
<range><lt>3.6.1_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Dmitry V. Levin found a potential integer overflow in the
|
|
tiffdump utility which could lead to execution of arbitrary
|
|
code. This could be exploited by tricking an user into
|
|
executing tiffdump on a specially crafted tiff image.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1183</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-06</discovery>
|
|
<entry>2005-01-06</entry>
|
|
<modified>2005-03-01</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fc7e6a42-6012-11d9-a9e7-0001020eed82">
|
|
<topic>tiff -- directory entry count integer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tiff</name>
|
|
<range><lt>3.7.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-tiff</name>
|
|
<range><lt>3.6.1_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>pdflib</name>
|
|
<name>pdflib-perl</name>
|
|
<range><lt>6.0.1_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gdal</name>
|
|
<range><lt>1.2.1_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ivtools</name>
|
|
<range><lt>1.2.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>paraview</name>
|
|
<range><lt>2.4.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>fractorama</name>
|
|
<range><lt>1.6.7_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>iv</name>
|
|
<name>ja-iv</name>
|
|
<name>ja-libimg</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>In an iDEFENSE Security Advisory infamous41md reports:</p>
|
|
<blockquote cite="http://www.idefense.com/application/poi/display?id=174&type=vulnerabilities">
|
|
<p>Remote exploitation of a heap-based buffer overflow
|
|
vulnerability within the LibTIFF package could allow
|
|
attackers to execute arbitrary code.</p>
|
|
<p>The vulnerability specifically exists due to insufficient
|
|
validation of user-supplied data when calculating the size
|
|
of a directory entry. A TIFF file includes a number of
|
|
directory entry header fields that describe the data in
|
|
the file. Included in these entries is an entry count and
|
|
offset value that are calculated to determine the size and
|
|
location of the data for that entry.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>12075</bid>
|
|
<cvename>CVE-2004-1308</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=174&type=vulnerabilities</url>
|
|
<certvu>125598</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-17</discovery>
|
|
<entry>2005-01-06</entry>
|
|
<modified>2006-06-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="14e8f315-600e-11d9-a9e7-0001020eed82">
|
|
<cancelled superseded="3897a2f8-1d57-11d9-bc4a-000c41e2cdad"/>
|
|
</vuln>
|
|
|
|
<vuln vid="bd9fc2bf-5ffe-11d9-a11a-000a95bc6fae">
|
|
<topic>vim -- vulnerabilities in modeline handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>vim</name>
|
|
<name>vim-lite</name>
|
|
<name>vim+ruby</name>
|
|
<range><lt>6.3.45</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ciaran McCreesh discovered news ways in which a VIM modeline
|
|
can be used to trojan a text file. The patch by Bram
|
|
Moolenaar reads:</p>
|
|
<blockquote cite="ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.045">
|
|
<p>Problem: Unusual characters in an option value may cause
|
|
unexpected behavior, especially for a modeline. (Ciaran
|
|
McCreesh)</p>
|
|
<p>Solution: Don't allow setting termcap options or
|
|
'printdevice' or 'titleold' in a modeline. Don't list
|
|
options for "termcap" and "all" in a modeline. Don't allow
|
|
unusual characters in 'filetype', 'syntax', 'backupext',
|
|
'keymap', 'patchmode' and 'langmenu'.</p>
|
|
</blockquote>
|
|
<p><strong>Note:</strong> It is generally recommended that VIM
|
|
users use <code>set nomodeline</code> in
|
|
<code>~/.vimrc</code> to avoid the possibility of trojaned
|
|
text files.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1138</cvename>
|
|
<url>ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.045</url>
|
|
<mlist>http://groups.yahoo.com/group/vimdev/message/38084</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-09</discovery>
|
|
<entry>2005-01-06</entry>
|
|
<modified>2005-01-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="58fc2752-5f74-11d9-a9e7-0001020eed82">
|
|
<topic>pcal -- buffer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pcal</name>
|
|
<range><lt>4.8.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Danny Lungstrom has found two buffer overflow
|
|
vulnerabilities in pcal which can lead to execution of
|
|
arbitrary code by making a user run pcal on a specially
|
|
crafted calendar file.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1289</cvename>
|
|
<bid>12035</bid>
|
|
<bid>12036</bid>
|
|
<mlist msgid="20041215083219.56092.qmail@cr.yp.to">http://securesoftware.list.cr.yp.to/archive/0/46</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-15</discovery>
|
|
<entry>2005-01-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ca9ce879-5ebb-11d9-a01c-0050569f0001">
|
|
<topic>exim -- two buffer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>exim</name>
|
|
<name>exim-ldap</name>
|
|
<name>exim-ldap2</name>
|
|
<name>exim-mysql</name>
|
|
<name>exim-postgresql</name>
|
|
<name>exim-sa-exim</name>
|
|
<range><lt>4.43+28_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>1. The function host_aton() can overflow a buffer
|
|
if it is presented with an illegal IPv6 address
|
|
that has more than 8 components.</p>
|
|
<p>2. The second report described a buffer overflow
|
|
in the function spa_base64_to_bits(), which is part
|
|
of the code for SPA authentication.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="Pine.SOC.4.61.0501041452540.1114@draco.cus.cam.ac.uk">http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html</mlist>
|
|
<mlist msgid="1CE07882ECEE894CA2D5A89B8DEBC4011CFDE5@porgy.admin.idefense.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377</mlist>
|
|
<cvename>CVE-2005-0021</cvename>
|
|
<cvename>CVE-2005-0022</cvename>
|
|
<bid>12185</bid>
|
|
<bid>12188</bid>
|
|
<bid>12268</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-01-05</discovery>
|
|
<entry>2005-01-05</entry>
|
|
<modified>2005-01-18</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="877e918e-5362-11d9-96d4-00065be4b5b6">
|
|
<topic>mpg123 -- playlist processing buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mpg123</name>
|
|
<name>mpg123-nas</name>
|
|
<name>mpg123-esound</name>
|
|
<range><le>0.59r_15</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A buffer overflow vulnerability exists in the playlist
|
|
processing of mpg123. A specially crafted playlist entry
|
|
can cause a stack overflow that can be used to inject
|
|
arbitrary code into the mpg123 process </p>
|
|
<p>Note that a malicious playlist, demonstrating this
|
|
vulnerability, was released by the bug finder and may be
|
|
used as a template by attackers.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1284</cvename>
|
|
<url>http://tigger.uic.edu/~jlongs2/holes/mpg123.txt</url>
|
|
<url>http://secunia.com/advisories/13511/</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/18626</url>
|
|
<bid>11958</bid>
|
|
<mlist msgid="653D74053BA6F54A81ED83DCF969DF08CFA2AA@pivxes1.pivx.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110321888413132</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-15</discovery>
|
|
<entry>2005-01-03</entry>
|
|
<modified>2005-01-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="bd579366-5290-11d9-ac20-00065be4b5b6">
|
|
<topic>greed -- insecure GRX file processing</topic>
|
|
<affects>
|
|
<package>
|
|
<name>greed</name>
|
|
<range><le>0.81p</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A buffer overflow vulnerability has been detected in the greed
|
|
URL handling code. This bug can especially be a problem when greed is
|
|
used to process GRX (GetRight) files that originate from untrusted
|
|
sources.</p>
|
|
<p>The bug finder, Manigandan Radhakrishnan, gave the following description:</p>
|
|
<blockquote cite="http://tigger.uic.edu/~jlongs2/holes/greed.txt">
|
|
<p>Here are the bugs. First, in main.c, DownloadLoop() uses strcat()
|
|
to copy an input filename to the end of a 128-byte COMMAND array.
|
|
Second, DownloadLoop() passes the input filename to system() without
|
|
checking for special characters such as semicolons.</p></blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1273</cvename>
|
|
<cvename>CVE-2004-1274</cvename>
|
|
<url>http://tigger.uic.edu/~jlongs2/holes/greed.txt</url>
|
|
<url>http://secunia.com/advisories/13534/</url>
|
|
<mlist msgid="653D74053BA6F54A81ED83DCF969DF08CFA2AA@pivxes1.pivx.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110321888413132</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-15</discovery>
|
|
<entry>2005-01-03</entry>
|
|
<modified>2005-01-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="949c470e-528f-11d9-ac20-00065be4b5b6">
|
|
<topic>golddig -- local buffer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>golddig</name>
|
|
<range><le>2.0</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Two buffer overflow vulnerabilities where detected. Both issues can
|
|
be used by local users to gain group games privileges on affected systems.</p>
|
|
<p>The first overflow exists in the map name handling and can be triggered
|
|
when a very long name is given to the program during command-line execution</p>
|
|
<p>The second overflow exists in the username processing while writing
|
|
the players score to disk. Excessivly long usernames, set via the USER environment
|
|
variable, are stored without any length checks in a memory buffer.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0121</cvename>
|
|
<mlist msgid="200412021055.iB2AtweU067125@repoman.freebsd.org">http://docs.FreeBSD.org/cgi/mid.cgi?200412021055.iB2AtweU067125</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-11</discovery>
|
|
<entry>2005-01-03</entry>
|
|
<modified>2005-01-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="927743d4-5ca9-11d9-a9e7-0001020eed82">
|
|
<topic>up-imapproxy -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>up-imapproxy</name>
|
|
<range><lt>1.2.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>pop3proxy</name>
|
|
<range><le>1.1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Timo Sirainen reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=109995749510773">
|
|
<p>There are various bugs in up-imapproxy which can crash
|
|
it. Since up-imapproxy runs in a single process with each
|
|
connection handled in a separate thread, any crash kills
|
|
all the connections and stops listening for new ones.</p>
|
|
<p>In 64bit systems it might be possible to make it leak
|
|
data (mails, passwords, ..) from other connections to
|
|
attacker's connection. However I don't think up-imapproxy
|
|
actually works in any 64bit system so this is just a
|
|
theoretical problem.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1035</cvename>
|
|
<bid>11630</bid>
|
|
<mlist msgid="1099851138.3716.3.camel@hurina">http://marc.theaimsgroup.com/?l=bugtraq&m=109995749510773</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-17</discovery>
|
|
<entry>2005-01-02</entry>
|
|
<modified>2005-01-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="832e9d75-5bfc-11d9-a9e7-0001020eed82">
|
|
<topic>kdelibs3 -- konqueror FTP command injection vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ja-kdelibs</name>
|
|
<name>kdelibs</name>
|
|
<range><lt>3.3.2_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Albert Puigsech Galicia reports that Konqueror (more
|
|
specifically kio_ftp) and Microsoft Internet Explorer are
|
|
vulnerable to a FTP command injection vulnerability which
|
|
can be exploited by tricking an user into clicking a
|
|
specially crafted FTP URI.</p>
|
|
<p>It is also reported by Ian Gulliver and Emanuele Balla that
|
|
this vulnerability can be used to tricking a client into
|
|
sending out emails without user interaction.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>11827</bid>
|
|
<cvename>CVE-2004-1165</cvename>
|
|
<mlist msgid="200412051011.54045.ripe@7a69ezine.org">http://marc.theaimsgroup.com/?l=bugtraq&m=110245752232681</mlist>
|
|
<mlist msgid="20041223235620.GA2846@penguinhosting.net">http://marc.theaimsgroup.com/?l=full-disclosure&m=110387390226693</mlist>
|
|
<mlist msgid="20041224142506.GB12939@penguinhosting.net">http://marc.theaimsgroup.com/?l=full-disclosure&m=110390734925183</mlist>
|
|
<url>http://www.kde.org/info/security/advisory-20050101-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-01</discovery>
|
|
<entry>2005-01-01</entry>
|
|
<modified>2005-01-04</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9168253c-5a6d-11d9-a9e7-0001020eed82">
|
|
<topic>a2ps -- insecure temporary file creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>a2ps-a4</name>
|
|
<name>a2ps-letter</name>
|
|
<name>a2ps-letterdj</name>
|
|
<range><lt>4.13b_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Secunia Security Advisory reports that Javier
|
|
Fernández-Sanguino Peña has found temporary file
|
|
creation vulnerabilities in the fixps and psmandup scripts
|
|
which are part of a2ps. These vulnerabilities could lead to
|
|
an attacker overwriting arbitrary files with the credentials
|
|
of the user running the vulnerable scripts.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1377</cvename>
|
|
<bid>12108</bid>
|
|
<bid>12109</bid>
|
|
<url>http://secunia.com/advisories/13641/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-27</discovery>
|
|
<entry>2004-12-30</entry>
|
|
<modified>2005-01-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="64c8cc2a-59b1-11d9-8a99-000c6e8f12ef">
|
|
<topic>libxine -- buffer-overflow vulnerability in aiff support</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libxine</name>
|
|
<range><le>1.0.r5_3</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Due to a buffer overflow in the open_aiff_file function in
|
|
demux_aiff.c, a remote attacker is able to execute arbitrary
|
|
code via a modified AIFF file.</p></body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1300</cvename>
|
|
<url>http://tigger.uic.edu/~jlongs2/holes/xine-lib.txt</url>
|
|
<url>http://xinehq.de/index.php/security/XSA-2004-7</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-15</discovery>
|
|
<entry>2004-12-29</entry>
|
|
<modified>2005-01-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2e25d38b-54d1-11d9-b612-000c6e8f12ef">
|
|
<topic>jabberd -- denial-of-service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>jabber</name>
|
|
<range><lt>1.4.3.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>José Antonio Calvo discovered a bug in the Jabber 1.x server.
|
|
According to Matthias Wimmer:</p>
|
|
<blockquote cite="http://devel.amessage.info/jabberd14/README.html">
|
|
<p>Without this patch, it is possible to remotly crash
|
|
jabberd14, if there is access to one of the following types
|
|
of network sockets:</p>
|
|
<ul>
|
|
<li>Socket accepting client connections</li>
|
|
<li>Socket accepting connections from other servers</li>
|
|
<li>Socket connecting to an other Jabber server</li>
|
|
<li>Socket accepting connections from server components</li>
|
|
<li>Socket connecting to server components</li>
|
|
</ul>
|
|
<p>This is any socket on which the jabberd server parses
|
|
XML!</p>
|
|
<p>The problem existed in the included expat XML parser code.
|
|
This patch removes the included expat code from jabberd14
|
|
and links jabberd against an installed version of expat.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1378</cvename>
|
|
<url>http://devel.amessage.info/jabberd14/README.html</url>
|
|
<url>http://mail.jabber.org/pipermail/jabberd/2004-September/002004.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-19</discovery>
|
|
<entry>2004-12-26</entry>
|
|
<modified>2005-01-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a30e5e44-5440-11d9-9e1e-c296ac722cb3">
|
|
<topic>squid -- confusing results on empty acl declarations</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.7_5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Applying an empty ACL list results in unexpected behavior:
|
|
anything will match an empty ACL list. For example,</p>
|
|
<blockquote cite="http://www.squid-cache.org/bugs/show_bug.cgi?id=1166">
|
|
<p>The meaning of the configuration gets very confusing when
|
|
we encounter empty ACLs such as</p>
|
|
<p><code>acl something src "/path/to/empty_file.txt"<br/>
|
|
http_access allow something somewhere</code></p>
|
|
<p>gets parsed (with warnings) as</p>
|
|
<p><code>http_access allow somwhere</code></p>
|
|
<p>And similarily if you are using proxy_auth acls without
|
|
having any auth schemes defined.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-0194</cvename>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls</url>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1166</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-21</discovery>
|
|
<entry>2004-12-23</entry>
|
|
<modified>2005-02-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="efa1344b-5477-11d9-a9e7-0001020eed82">
|
|
<topic>ethereal -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ethereal</name>
|
|
<name>ethereal-lite</name>
|
|
<name>tethereal</name>
|
|
<name>tethereal-lite</name>
|
|
<range><lt>0.10.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An Ethreal Security Advisories reports:</p>
|
|
<blockquote cite="http://www.ethereal.com/appnotes/enpa-sa-00016.html">
|
|
<p>Issues have been discovered in the following protocol
|
|
dissectors:</p>
|
|
<ul>
|
|
<li>Matthew Bing discovered a bug in DICOM dissection that
|
|
could make Ethereal crash.</li>
|
|
<li>An invalid RTP timestamp could make Ethereal hang and
|
|
create a large temporary file, possibly filling
|
|
available disk space.</li>
|
|
<li>The HTTP dissector could access previously-freed
|
|
memory, causing a crash.</li>
|
|
<li>Brian Caswell discovered that an improperly formatted
|
|
SMB packet could make Ethereal hang, maximizing CPU
|
|
utilization.</li>
|
|
</ul>
|
|
<p>Impact: It may be possible to make Ethereal crash or run
|
|
arbitrary code by injecting a purposefully malformed
|
|
packet onto the wire or by convincing someone to read a
|
|
malformed packet trace file.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1139</cvename>
|
|
<cvename>CVE-2004-1140</cvename>
|
|
<cvename>CVE-2004-1141</cvename>
|
|
<cvename>CVE-2004-1142</cvename>
|
|
<url>http://www.ethereal.com/appnotes/enpa-sa-00016.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-14</discovery>
|
|
<entry>2004-12-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e3e266e9-5473-11d9-a9e7-0001020eed82">
|
|
<topic>xpdf -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xpdf</name>
|
|
<range><lt>3.00_5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>kdegraphics</name>
|
|
<range><lt>3.3.2_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gpdf</name>
|
|
<range><le>2.8.1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>teTeX-base</name>
|
|
<range><le>2.0.2_6</le></range>
|
|
</package>
|
|
<package>
|
|
<name>cups-base</name>
|
|
<range><le>1.1.22.0</le></range>
|
|
</package>
|
|
<package>
|
|
<name>koffice</name>
|
|
<range><le>1.3.5,1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>pdftohtml</name>
|
|
<range><lt>0.36_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE Security Advisory reports:</p>
|
|
<blockquote cite="http://www.idefense.com/application/poi/display?id=172&type=vulnerabilities">
|
|
<p>Remote exploitation of a buffer overflow vulnerability in
|
|
the xpdf PDF viewer, as included in multiple Linux
|
|
distributions, could allow attackers to execute arbitrary
|
|
code as the user viewing a PDF file. The offending code
|
|
can be found in the Gfx::doImage() function in the source
|
|
file xpdf/Gfx.cc.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1125</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=172&type=vulnerabilities</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-23</discovery>
|
|
<entry>2004-12-23</entry>
|
|
<modified>2005-01-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="28e93883-539f-11d9-a9e7-0001020eed82">
|
|
<topic>acroread5 -- mailListIsPdf() buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>acroread</name>
|
|
<name>acroread4</name>
|
|
<name>acroread5</name>
|
|
<range><lt>5.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE Security Advisory reports:</p>
|
|
<blockquote cite="http://www.idefense.com/application/poi/display?id=161&type=vulnerabilities">
|
|
<p>Remote exploitation of a buffer overflow in version 5.09
|
|
of Adobe Acrobat Reader for Unix could allow for execution
|
|
of arbitrary code.</p>
|
|
<p>The vulnerability specifically exists in a the function
|
|
mailListIsPdf(). This function checks if the input file
|
|
is an email message containing a PDF. It unsafely copies
|
|
user supplied data using strcat into a fixed sized
|
|
buffer.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1152</cvename>
|
|
<certvu>253024</certvu>
|
|
<url>http://www.adobe.com/support/techdocs/331153.html</url>
|
|
<url>http://www.idefense.com/application/poi/display?id=161&type=vulnerabilities</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-14</discovery>
|
|
<entry>2004-12-21</entry>
|
|
<modified>2005-01-06</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="be543d74-539a-11d9-a9e7-0001020eed82">
|
|
<topic>ecartis -- unauthorised access to admin interface</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ecartis</name>
|
|
<range><lt>1.0.0.s20031228_2,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Debian security advisory reports:</p>
|
|
<blockquote cite="http://www.debian.org/security/2004/dsa-572">
|
|
<p>A problem has been discovered in ecartis, a mailing-list
|
|
manager, which allows an attacker in the same domain as
|
|
the list admin to gain administrator privileges and alter
|
|
list settings.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0913</cvename>
|
|
<url>http://www.debian.org/security/2004/dsa-572</url>
|
|
<url>http://secunia.com/advisories/12918/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-12</discovery>
|
|
<entry>2004-12-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="85d76f02-5380-11d9-a9e7-0001020eed82">
|
|
<topic>mplayer -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mplayer</name>
|
|
<name>mplayer-gtk</name>
|
|
<name>mplayer-gtk2</name>
|
|
<name>mplayer-esound</name>
|
|
<name>mplayer-gtk-esound</name>
|
|
<name>mplayer-gtk2-esound</name>
|
|
<range><lt>0.99.5_5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libxine</name>
|
|
<range><le>1.0.r5_3</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>iDEFENSE and the MPlayer Team have found multiple
|
|
vulnerabilities in MPlayer:</p>
|
|
<ul>
|
|
<li>Potential heap overflow in Real RTSP streaming code</li>
|
|
<li>Potential stack overflow in MMST streaming code</li>
|
|
<li>Multiple buffer overflows in BMP demuxer</li>
|
|
<li>Potential heap overflow in pnm streaming code</li>
|
|
<li>Potential buffer overflow in mp3lib</li>
|
|
</ul>
|
|
<p>These vulnerabilities could allow a remote attacker to
|
|
execute arbitrary code as the user running MPlayer. The
|
|
problem in the pnm streaming code also affects xine.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1187</cvename>
|
|
<cvename>CVE-2004-1188</cvename>
|
|
<url>http://mplayerhq.hu/homepage/design7/news.html#mplayer10pre5try2</url>
|
|
<mlist msgid="IDSERV04yz5b6KZmcK80000000c@exchange.idefense.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110322526210300</mlist>
|
|
<url>http://www.idefense.com/application/poi/display?id=166</url>
|
|
<mlist msgid="IDSERV04FVjCRGryWtI0000000f@exchange.idefense.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110322829807443</mlist>
|
|
<url>http://www.idefense.com/application/poi/display?id=167</url>
|
|
<mlist msgid="IDSERV046beUzmRf6Ci00000012@exchange.idefense.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110323022605345</mlist>
|
|
<url>http://www.idefense.com/application/poi/display?id=168</url>
|
|
<url>http://xinehq.de/index.php/security/XSA-2004-6</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-10</discovery>
|
|
<entry>2004-12-21</entry>
|
|
<modified>2005-01-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0bb7677d-52f3-11d9-a9e7-0001020eed82">
|
|
<topic>krb5 -- heap buffer overflow vulnerability in libkadm5srv</topic>
|
|
<affects>
|
|
<package>
|
|
<name>krb5</name>
|
|
<name>krb5-beta</name>
|
|
<range><lt>1.3.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A MIT krb5 Security Advisory reports:</p>
|
|
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt">
|
|
<p>The MIT Kerberos 5 administration library (libkadm5srv)
|
|
contains a heap buffer overflow in password history
|
|
handling code which could be exploited to execute
|
|
arbitrary code on a Key Distribution Center (KDC)
|
|
host. The overflow occurs during a password change of a
|
|
principal with a certain password history state. An
|
|
administrator must have performed a certain password
|
|
policy change in order to create the vulnerable state.</p>
|
|
<p>An authenticated user, not necessarily one with
|
|
administrative privileges, could execute arbitrary code on
|
|
the KDC host, compromising an entire Kerberos realm.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1189</cvename>
|
|
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-06</discovery>
|
|
<entry>2004-12-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3b3676be-52e1-11d9-a9e7-0001020eed82">
|
|
<topic>samba -- integer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>samba</name>
|
|
<range><lt>3.0.10,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ja-samba</name>
|
|
<range><lt>2.2.12.j1.0beta1_2</lt></range>
|
|
<range><gt>3.*</gt><lt>3.0.10,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Greg MacManus, iDEFENSE Labs reports:</p>
|
|
<blockquote cite="http://www.samba.org/samba/security/CAN-2004-1154.html">
|
|
<p>Remote exploitation of an integer overflow vulnerability
|
|
in the smbd daemon included in Samba 2.0.x, Samba 2.2.x,
|
|
and Samba 3.0.x prior to and including 3.0.9 could allow
|
|
an attacker to cause controllable heap corruption, leading
|
|
to execution of arbitrary commands with root
|
|
privileges.</p>
|
|
<p>Successful remote exploitation allows an attacker to gain
|
|
root privileges on a vulnerable system. In order to
|
|
exploit this vulnerability an attacker must possess
|
|
credentials that allow access to a share on the Samba
|
|
server. Unsuccessful exploitation attempts will cause the
|
|
process serving the request to crash with signal 11, and
|
|
may leave evidence of an attack in logs.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1154</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=165&type=vulnerabilities</url>
|
|
<url>http://www.samba.org/samba/security/CAN-2004-1154.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-02</discovery>
|
|
<entry>2004-12-21</entry>
|
|
<modified>2005-05-29</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d47e9d19-5016-11d9-9b5f-0050569f0001">
|
|
<topic>php -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_php4-twig</name>
|
|
<name>php4-cgi</name>
|
|
<name>php4-cli</name>
|
|
<name>php4-dtc</name>
|
|
<name>php4-horde</name>
|
|
<name>php4-nms</name>
|
|
<name>php4</name>
|
|
<range><lt>4.3.10</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mod_php</name>
|
|
<name>mod_php4</name>
|
|
<range><ge>4</ge><lt>4.3.10,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>php5</name>
|
|
<name>php5-cgi</name>
|
|
<name>php5-cli</name>
|
|
<range><lt>5.0.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mod_php5</name>
|
|
<range><lt>5.0.3,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/13481/">
|
|
<p>Multiple vulnerabilities have been reported in PHP,
|
|
which can be exploited to gain escalated privileges,
|
|
bypass certain security restrictions, gain knowledge
|
|
of sensitive information, or compromise a vulnerable
|
|
system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/13481/</url>
|
|
<cvename>CVE-2004-1019</cvename>
|
|
<cvename>CVE-2004-1065</cvename>
|
|
<url>http://www.php.net/release_4_3_10.php</url>
|
|
<url>http://www.hardened-php.net/advisories/012004.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-16</discovery>
|
|
<entry>2004-12-17</entry>
|
|
<modified>2004-12-18</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="01c231cd-4393-11d9-8bb9-00065be4b5b6">
|
|
<topic>mysql -- GRANT access restriction problem</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><le>3.23.58_3</le></range>
|
|
<range><ge>4.*</ge><lt>4.0.21</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When a user is granted access to a database with a name containing an
|
|
underscore and the underscore is not escaped then that user might
|
|
also be able to access other, similarly named, databases on the
|
|
affected system. </p>
|
|
<p>The problem is that the underscore is seen as a wildcard by MySQL
|
|
and therefore it is possible that an admin might accidently GRANT
|
|
a user access to multiple databases.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0957</cvename>
|
|
<bid>11435</bid>
|
|
<url>http://bugs.mysql.com/bug.php?id=3933</url>
|
|
<url>http://rhn.redhat.com/errata/RHSA-2004-611.html</url>
|
|
<url>http://www.openpkg.org/security/OpenPKG-SA-2004.045-mysql.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-29</discovery>
|
|
<entry>2004-12-16</entry>
|
|
<modified>2005-03-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="06a6b2cf-484b-11d9-813c-00065be4b5b6">
|
|
<topic>mysql -- ALTER MERGE denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><le>3.23.58_3</le></range>
|
|
<range><ge>4.*</ge><lt>4.0.21</lt></range>
|
|
<range><ge>4.1.*</ge><lt>4.1.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Dean Ellis reported a denial of service vulnerability in the MySQL server:</p>
|
|
<blockquote cite="http://bugs.mysql.com/bug.php?id=4017">
|
|
<p>
|
|
Multiple threads ALTERing the same (or different) MERGE tables to change the
|
|
UNION eventually crash the server or hang the individual threads.
|
|
</p>
|
|
</blockquote>
|
|
<p>Note that a script demonstrating the problem is included in the
|
|
MySQL bug report. Attackers that have control of a MySQL account
|
|
can easily use a modified version of that script during an attack. </p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0837</cvename>
|
|
<bid>11357</bid>
|
|
<url>http://bugs.mysql.com/bug.php?id=2408</url>
|
|
<url>http://rhn.redhat.com/errata/RHSA-2004-611.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-01-15</discovery>
|
|
<entry>2004-12-16</entry>
|
|
<modified>2005-03-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="29edd807-438d-11d9-8bb9-00065be4b5b6">
|
|
<topic>mysql -- FTS request denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><ge>4.*</ge><lt>4.0.21</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A special crafted MySQL FTS request can cause the server to crash.
|
|
Malicious MySQL users can abuse this bug in a denial of service
|
|
attack against systems running an affected MySQL daemon. </p>
|
|
<p>Note that because this bug is related to the parsing of requests,
|
|
it may happen that this bug is triggered accidently by a user when he
|
|
or she makes a typo. </p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://bugs.mysql.com/bug.php?id=3870</url>
|
|
<cvename>CVE-2004-0956</cvename>
|
|
<bid>11432</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-23</discovery>
|
|
<entry>2004-12-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="835256b8-46ed-11d9-8ce0-00065be4b5b6">
|
|
<topic>mysql -- mysql_real_connect buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><le>3.23.58_3</le></range>
|
|
<range><ge>4.*</ge><lt>4.0.21</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mysql-client</name>
|
|
<range><le>3.23.58_3</le></range>
|
|
<range><ge>4.*</ge><lt>4.0.21</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The mysql_real_connect function doesn't properly handle DNS replies
|
|
by copying the IP address into a buffer without any length checking.
|
|
A specially crafted DNS reply may therefore be used to cause a
|
|
buffer overflow on affected systems.</p>
|
|
<p>Note that whether this issue can be exploitable depends on the system library responsible for
|
|
the gethostbyname function. The bug finder, Lukasz Wojtow, explaines this with the following words:</p>
|
|
<blockquote cite="http://bugs.mysql.com/bug.php?id=4017">
|
|
<p>In glibc there is a limitation for an IP address to have only 4
|
|
bytes (obviously), but generally speaking the length of the address
|
|
comes with a response for dns query (i know it sounds funny but
|
|
read rfc1035 if you don't believe). This bug can occur on libraries
|
|
where gethostbyname function takes length from dns's response</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0836</cvename>
|
|
<bid>10981</bid>
|
|
<url>http://bugs.mysql.com/bug.php?id=4017</url>
|
|
<url>http://lists.mysql.com/internals/14726</url>
|
|
<url>http://rhn.redhat.com/errata/RHSA-2004-611.html</url>
|
|
<url>http://www.osvdb.org/displayvuln.php?osvdb_id=10658</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-04</discovery>
|
|
<entry>2004-12-16</entry>
|
|
<modified>2005-03-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="035d17b2-484a-11d9-813c-00065be4b5b6">
|
|
<topic>mysql -- erroneous access restrictions applied to table renames</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><le>3.23.58_3</le></range>
|
|
<range><ge>4.*</ge><lt>4.0.21</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Red Hat advisory reports:</p>
|
|
<blockquote cite="http://rhn.redhat.com/errata/RHSA-2004-611.html">
|
|
<p>Oleksandr Byelkin discovered that "ALTER TABLE ... RENAME"
|
|
checked the CREATE/INSERT rights of the old table instead of the new one.</p>
|
|
</blockquote>
|
|
<p>Table access restrictions, on the affected MySQL servers,
|
|
may accidently or intentially be bypassed due to this
|
|
bug.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0835</cvename>
|
|
<bid>11357</bid>
|
|
<url>http://bugs.mysql.com/bug.php?id=3270</url>
|
|
<url>http://rhn.redhat.com/errata/RHSA-2004-611.html</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/17666</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-23</discovery>
|
|
<entry>2004-12-16</entry>
|
|
<modified>2005-03-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0ff0e9a6-4ee0-11d9-a9e7-0001020eed82">
|
|
<topic>phpmyadmin -- command execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><ge>2.6.0.2</ge><lt>2.6.1.r1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A phpMyAdmin security announcement reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4">
|
|
<p>Command execution: since phpMyAdmin 2.6.0-pl2, on a
|
|
system where external MIME-based transformations are
|
|
activated, an attacker can put into MySQL data an
|
|
offensive value that starts a shell command when
|
|
browsed.</p>
|
|
</blockquote>
|
|
<p>Enabling <q>PHP safe mode</q> on the server can be used as
|
|
a workaround for this vulnerability.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1147</cvename>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4</url>
|
|
<url>http://www.exaprobe.com/labs/advisories/esa-2004-1213.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-13</discovery>
|
|
<entry>2004-12-15</entry>
|
|
<modified>2004-12-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9f0a405e-4edd-11d9-a9e7-0001020eed82">
|
|
<topic>phpmyadmin -- file disclosure vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>2.6.1.r1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A phpMyAdmin security announcement reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4">
|
|
<p>File disclosure: on systems where the UploadDir mecanism
|
|
is active, read_dump.php can be called with a crafted
|
|
form; using the fact that the sql_localfile variable is
|
|
not sanitized can lead to a file disclosure.</p>
|
|
</blockquote>
|
|
<p>Enabling <q>PHP safe mode</q> on the server can be used as
|
|
a workaround for this vulnerability.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1148</cvename>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4</url>
|
|
<url>http://www.exaprobe.com/labs/advisories/esa-2004-1213.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-13</discovery>
|
|
<entry>2004-12-15</entry>
|
|
<modified>2004-12-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="06f142ff-4df3-11d9-a9e7-0001020eed82">
|
|
<topic>wget -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wget</name>
|
|
<name>wget-devel</name>
|
|
<range><lt>1.10.a1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>wgetpro</name>
|
|
<name>wget+ipv6</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jan Minar reports that there exists multiple
|
|
vulnerabilities in wget:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110269474112384">
|
|
<p>Wget erroneously thinks that the current directory is a
|
|
fair game, and will happily write in any file in and below
|
|
it. Malicious HTTP response or malicious HTML file can
|
|
redirect wget to a file that is vital to the system, and
|
|
wget will create/append/overwrite it.</p>
|
|
<p>Wget apparently has at least two methods of
|
|
``sanitizing'' the potentially malicious data it receives
|
|
from the HTTP stream, therefore a malicious redirects can
|
|
pass the check. We haven't find a way to trick wget into
|
|
writing above the parent directory, which doesn't mean
|
|
it's not possible.</p>
|
|
<p>Malicious HTTP response can overwrite parts of the
|
|
terminal so that the user will not notice anything wrong,
|
|
or will believe the error was not fatal.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1487</cvename>
|
|
<cvename>CVE-2004-1488</cvename>
|
|
<bid>11871</bid>
|
|
<mlist msgid="20041209091438.GA15010@kontryhel.haltyr.dyndns.org">http://marc.theaimsgroup.com/?l=bugtraq&m=110269474112384</mlist>
|
|
<url>http://bugs.debian.org/261755</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-09</discovery>
|
|
<entry>2004-12-14</entry>
|
|
<modified>2005-04-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4593cb09-4c81-11d9-983e-000c6e8f12ef">
|
|
<topic>konqueror -- Password Disclosure for SMB Shares</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kdebase</name>
|
|
<name>kdelibs</name>
|
|
<range><ge>3.2.0</ge><le>3.3.1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When browsing SMB shares with Konqueror, shares with
|
|
authentication show up with hidden password in the browser
|
|
bar. It is possible to store the URL as a shortcut on the
|
|
desktop where the password is then available in plain text.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1171</cvename>
|
|
<certvu>305294</certvu>
|
|
<url>http://www.kde.org/info/security/advisory-20041209-1.txt</url>
|
|
<mlist msgid="ICEEJPLEDKODPNFKJEGAIEBJGFAA.df@sec-consult.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110178786809694</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-06</discovery>
|
|
<entry>2004-12-12</entry>
|
|
<modified>2005-01-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="af747389-42ba-11d9-bd37-00065be4b5b6">
|
|
<topic>mod_access_referer -- null pointer dereference vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_access_referer</name>
|
|
<range><lt>1.0.2_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A malformed <q>Referer</q> header field causes the Apache
|
|
ap_parse_uri_components function to discard it with the
|
|
result that a pointer is not initialized. The
|
|
mod_access_referer module does not take this into account
|
|
with the result that it may use such a pointer.</p>
|
|
<p>The null pointer vulnerability may possibly be used in a
|
|
remote denial of service attack against affected Apache
|
|
servers.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-1054</cvename>
|
|
<bid>7375</bid>
|
|
<url>http://secunia.com/advisories/8612/</url>
|
|
<mlist>http://marc.theaimsgroup.com/?l=full-disclosure&m=105053485515811</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-04-16</discovery>
|
|
<entry>2004-12-11</entry>
|
|
<modified>2005-01-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f0db930b-496b-11d9-bf86-0050569f0001">
|
|
<topic>squid -- possible information disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.7_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The squid-2.5 patches pages notes:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-dothost">
|
|
<p>In certain conditions Squid returns random data as error messages
|
|
in response to malformed host name, possibly leaking random
|
|
internal information which may come from other requests.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-dothost</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-23</discovery>
|
|
<entry>2004-12-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="323784cf-48a6-11d9-a9e7-0001020eed82">
|
|
<topic>viewcvs -- information leakage</topic>
|
|
<affects>
|
|
<package>
|
|
<name>viewcvs</name>
|
|
<range><lt>0.9.2_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The <code>hide_cvsroot</code> and <code>forbidden</code>
|
|
configuration options are not properly honored by viewcvs
|
|
when exporting to a tar file which can lead to information
|
|
leakage.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0915</cvename>
|
|
<bid>11819</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-25</discovery>
|
|
<entry>2004-12-08</entry>
|
|
<modified>2004-12-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a7bfd423-484f-11d9-a9e7-0001020eed82">
|
|
<topic>cscope -- symlink attack vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cscope</name>
|
|
<range><lt>15.5_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>cscope is vulnerable to a symlink attack which could lead
|
|
to an attacker overwriting arbitrary files with the
|
|
permissions of the user running cscope.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0996</cvename>
|
|
<bid>11697</bid>
|
|
<mlist msgid="20041124025903.9337.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110133485519690</mlist>
|
|
<mlist msgid="20041118012718.78b07d79.research@rexotec.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110072752707293</mlist>
|
|
<url>http://sourceforge.net/tracker/index.php?func=detail&aid=1062807&group_id=4664&atid=104664</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-04-03</discovery>
|
|
<entry>2004-12-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9be819c6-4633-11d9-a9e7-0001020eed82">
|
|
<topic>bnc -- remotely exploitable buffer overflow in getnickuserhost</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bnc</name>
|
|
<range><lt>2.9.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A LSS Security Advisory reports:</p>
|
|
<blockquote cite="http://security.lss.hr/en/index.php?page=details&ID=LSS-2004-11-03">
|
|
<p>There is a buffer overflow vulnerability in
|
|
getnickuserhost() function that is called when BNC is
|
|
processing response from IRC server.</p>
|
|
<p>Vulnerability can be exploited if attacker tricks user to
|
|
connect to his fake IRC server that will exploit this
|
|
vulnerability. If the attacker has access to BNC proxy
|
|
server, this vulnerability can be used to gain shell
|
|
access on machine where BNC proxy server is set.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1052</cvename>
|
|
<mlist msgid="20041110131046.GA21604@cecilija.zesoi.fer.hr">http://marc.theaimsgroup.com/?l=bugtraq&m=110011817627839</mlist>
|
|
<url>http://security.lss.hr/en/index.php?page=details&ID=LSS-2004-11-03</url>
|
|
<url>http://www.gotbnc.com/changes.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-10</discovery>
|
|
<entry>2004-12-04</entry>
|
|
<modified>2005-02-22</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f11b219a-44b6-11d9-ae2f-021106004fd6">
|
|
<topic>rssh & scponly -- arbitrary command execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rssh</name>
|
|
<range><le>2.2.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>scponly</name>
|
|
<range><lt>4.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jason Wies identified both rssh & scponly have a vulnerability
|
|
that allows arbitrary command execution. He reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110202047507273">
|
|
<p>The problem is compounded when you recognize that the main use of rssh and
|
|
scponly is to allow file transfers, which in turn allows a malicious user to
|
|
transfer and execute entire custom scripts on the remote machine.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>11791</bid>
|
|
<bid>11792</bid>
|
|
<freebsdpr>ports/74633</freebsdpr>
|
|
<mlist msgid="20041202135143.GA7105@xc.net">http://marc.theaimsgroup.com/?l=bugtraq&m=110202047507273</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-28</discovery>
|
|
<entry>2004-12-02</entry>
|
|
<modified>2004-12-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2b4d5288-447e-11d9-9ebb-000854d03344">
|
|
<topic>rockdodger -- buffer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rockdodger</name>
|
|
<range><lt>0.6_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The environment variable HOME is copied without regard
|
|
to buffer size, which can be used to gain elevated privilege
|
|
if the binary is installed setgid games, and a string is
|
|
read from the high score file without bounds check.</p>
|
|
<p>The port installs the binary without setgid, but with a
|
|
world-writable high score file.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278878</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-29</discovery>
|
|
<entry>2004-12-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="40549bbf-43b5-11d9-a9e7-0001020eed82">
|
|
<topic>zip -- long path buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zip</name>
|
|
<range><lt>2.3_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A HexView security advisory reports:</p>
|
|
<blockquote cite="http://www.hexview.com/docs/20041103-1.txt">
|
|
<p>When zip performs recursive folder compression, it does
|
|
not check for the length of resulting path. If the path is
|
|
too long, a buffer overflow occurs leading to stack
|
|
corruption and segmentation fault. It is possible to
|
|
exploit this vulnerability by embedding a shellcode in
|
|
directory or file name. While the issue is not of primary
|
|
concern for regular users, it can be critical for
|
|
environments where zip archives are re-compressed
|
|
automatically using Info-Zip application.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1010</cvename>
|
|
<bid>11603</bid>
|
|
<url>http://www.hexview.com/docs/20041103-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-03</discovery>
|
|
<entry>2004-12-01</entry>
|
|
<modified>2004-12-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="85edfb6a-43a5-11d9-a9e7-0001020eed82">
|
|
<topic>sudoscript -- signal delivery vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sudoscript</name>
|
|
<range><lt>2.1.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>If non-root access is enabled in sudoscript, any member of
|
|
the ssers group can send a SIGHUP signal to any process.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://egbok.com/sudoscript/archives/2004/11/sudoscript_212.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-14</discovery>
|
|
<entry>2004-12-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="553224e7-4325-11d9-a3d5-000c6e8f12ef">
|
|
<topic>jabberd -- remote buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>jabberd</name>
|
|
<range><ge>2.*</ge><le>2.0.4</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Caused by improper bounds-checking of username
|
|
and password in the C2S module, it is possible
|
|
for an attacker to cause a remote buffer overflow.
|
|
The server directly handles the userinput with
|
|
SQL backend functions - malicious input may lead
|
|
to buffer overflow.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="41A3FEE1.5030701@0x557.org">http://marc.theaimsgroup.com/?l=bugtraq&m=110144303826709</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-24</discovery>
|
|
<entry>2004-11-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cdf14b68-3ff9-11d9-8405-00065be4b5b6">
|
|
<topic>Open DC Hub -- remote buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>opendchub</name>
|
|
<range><lt>0.7.14_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Donato Ferrante reported an exploitable buffer overflow in
|
|
this software package. Any user that can login with 'admin'
|
|
privileges can abuse it, trough the $RedirectAll command,
|
|
to execute arbitrary code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="20041124155429.893852455E@chernobyl.investici.org">http://marc.theaimsgroup.com/?l=bugtraq&m=110144606411674</mlist>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200411-37.xml</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-24</discovery>
|
|
<entry>2004-11-27</entry>
|
|
<modified>2005-02-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a163baff-3fe1-11d9-a9e7-0001020eed82">
|
|
<topic>unarj -- long filename buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>unarj</name>
|
|
<range><lt>2.43_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ludwig Nussel has discovered a buffer overflow
|
|
vulnerability in unarj's handling of long filenames which
|
|
could potentially lead to execution of arbitrary code with
|
|
the permissions of the user running unarj.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0947</cvename>
|
|
<bid>11665</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-09</discovery>
|
|
<entry>2004-11-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1f922de0-3fe5-11d9-a9e7-0001020eed82">
|
|
<topic>unarj -- directory traversal vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>unarj</name>
|
|
<range><lt>2.43_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>unarj has insufficient checks for filenames that contain
|
|
<q>..</q>. This can allow an attacker to overwrite
|
|
arbitrary files with the permissions of the user running
|
|
unarj.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1027</cvename>
|
|
<bid>11436</bid>
|
|
<mlist msgid="200410102243.i9AMhA9F083398@mailserver2.hushmail.com">http://marc.theaimsgroup.com/?l=full-disclosure&m=109748984030292</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-10</discovery>
|
|
<entry>2004-11-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ac619d06-3ef8-11d9-8741-c942c075aa41">
|
|
<topic>jdk/jre -- Security Vulnerability With Java Plugin</topic>
|
|
<affects>
|
|
<package>
|
|
<name>jdk</name>
|
|
<range><ge>1.4.0</ge><le>1.4.2p6_6</le></range>
|
|
<range><ge>1.3.0</ge><le>1.3.1p9_5</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-jdk</name>
|
|
<name>linux-sun-jdk</name>
|
|
<range><ge>1.4.0</ge><le>1.4.2.05</le></range>
|
|
<range><ge>1.3.0</ge><le>1.3.1.13</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-blackdown-jdk</name>
|
|
<range><ge>1.3.0</ge><le>1.4.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-ibm-jdk</name>
|
|
<range><ge>1.3.0</ge><le>1.4.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>diablo-jdk</name>
|
|
<name>diablo-jre</name>
|
|
<range><ge>1.3.1.0</ge><le>1.3.1.0_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>
|
|
The Sun Java Plugin capability in Java 2 Runtime Environment
|
|
(JRE) 1.4.2_01, 1.4.2_04, and possibly earlier versions, does
|
|
not properly restrict access between Javascript and Java
|
|
applets during data transfer, which allows remote attackers
|
|
to load unsafe classes and execute arbitrary code.
|
|
</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1&searchclause=%22category:security%22%20%22availability,%20security%22</url>
|
|
<url>http://www.securityfocus.com/archive/1/382072</url>
|
|
<cvename>CVE-2004-1029</cvename>
|
|
<mlist msgid="20041123070248.GA25385@jouko.iki.fi">http://marc.theaimsgroup.com/?l=bugtraq&m=110125046627909</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-24</discovery>
|
|
<entry>2004-11-25</entry>
|
|
<modified>2005-04-27</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1a32e8ee-3edb-11d9-8699-00065be4b5b6">
|
|
<topic>ProZilla -- server response buffer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>prozilla</name>
|
|
<range><le>1.3.6_3</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Buffer overflow vulnerabilities have been reported to exist
|
|
in this software package. The vulnerabilities can be triggered by
|
|
a remote server and can be used to inject malicious code in the
|
|
ProZilla process.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1120</cvename>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200411-31.xml</url>
|
|
<url>http://bugs.gentoo.org/show_bug.cgi?id=70090</url>
|
|
<mlist msgid="41A411E0.2010907@gmx.net">http://marc.theaimsgroup.com/?l=bugtraq&m=110136626320497</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-23</discovery>
|
|
<entry>2004-11-25</entry>
|
|
<modified>2005-10-01</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="31952117-3d17-11d9-8818-008088034841">
|
|
<topic>Cyrus IMAPd -- APPEND command uses undefined programming construct</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cyrus-imapd</name>
|
|
<range><ge>2.2.7</ge><le>2.2.8</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>To support MULTIAPPENDS the cmd_append handler uses the
|
|
global stage array. This array is one of the things that gets
|
|
destructed when the fatal() function is triggered. When the
|
|
Cyrus IMAP code adds new entries to this array this is done
|
|
with the help of the postfix increment operator in combination
|
|
with memory allocation functions. The increment is performed
|
|
on a global variable counting the number of allocated
|
|
stages. Because the memory allocation function can fail and
|
|
therefore internally call fatal() this construct is undefined
|
|
arcording to ANSI C. This means that it is not clearly defined
|
|
if the numstage counter is already increased when fatal() is
|
|
called or not. While older gcc versions increase the counter
|
|
after the memory allocation function has returned, on newer
|
|
gcc versions (3.x) the counter gets actually increased
|
|
before. In such a case the stage destructing process will try
|
|
to free an uninitialised and maybe attacker supplied
|
|
pointer. Which again could lead to remote code
|
|
execution. (Because it is hard for an attacker to let the
|
|
memory allocation functions fail in the right moment no PoC
|
|
code for this problem was designed)</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://security.e-matters.de/advisories/152004.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-06</discovery>
|
|
<entry>2004-11-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c0a269d5-3d16-11d9-8818-008088034841">
|
|
<topic>Cyrus IMAPd -- FETCH command out of bounds memory corruption</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cyrus-imapd</name>
|
|
<range><lt>2.1.17</lt></range>
|
|
<range><ge>2.2.*</ge><le>2.2.8</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The argument parser of the fetch command suffers a bug very
|
|
similiar to the partial command problem. Arguments like
|
|
"body[p", "binary[p" or "binary[p" will be wrongly detected
|
|
and the bufferposition can point outside of the allocated
|
|
buffer for the rest of the parsing process. When the parser
|
|
triggers the PARSE_PARTIAL macro after such a malformed
|
|
argument was received this can lead to a similiar one byte
|
|
memory corruption and allows remote code execution, when the
|
|
heap layout was successfully controlled by the attacker.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1013</cvename>
|
|
<url>http://security.e-matters.de/advisories/152004.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-06</discovery>
|
|
<entry>2004-11-22</entry>
|
|
<modified>2004-11-24</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="114d70f3-3d16-11d9-8818-008088034841">
|
|
<topic>Cyrus IMAPd -- PARTIAL command out of bounds memory corruption</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cyrus-imapd</name>
|
|
<range><lt>2.1.17</lt></range>
|
|
<range><ge>2.2.*</ge><le>2.2.6</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Due to a bug within the argument parser of the partial
|
|
command an argument like "body[p" will be wrongly detected as
|
|
"body.peek". Because of this the bufferposition gets increased
|
|
by 10 instead of 5 and could therefore point outside the
|
|
allocated memory buffer for the rest of the parsing
|
|
process. In imapd versions prior to 2.2.7 the handling of
|
|
"body" or "bodypeek" arguments was broken so that the
|
|
terminating ']' got overwritten by a '\0'. Combined the two
|
|
problems allow a potential attacker to overwrite a single byte
|
|
of malloc() control structures, which leads to remote code
|
|
execution if the attacker successfully controls the heap
|
|
layout.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1012</cvename>
|
|
<url>http://security.e-matters.de/advisories/152004.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-06</discovery>
|
|
<entry>2004-11-22</entry>
|
|
<modified>2004-11-24</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="816fdd8b-3d14-11d9-8818-008088034841">
|
|
<topic>Cyrus IMAPd -- IMAPMAGICPLUS preauthentification overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cyrus-imapd</name>
|
|
<range><ge>2.2.4</ge><le>2.2.8</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When the option imapmagicplus is activated on a server the
|
|
PROXY and LOGIN commands suffer a standard stack overflow,
|
|
because the username is not checked against a maximum length
|
|
when it is copied into a temporary stack buffer. This bug is
|
|
especially dangerous because it can be triggered before any
|
|
kind of authentification took place.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1011</cvename>
|
|
<url>http://security.e-matters.de/advisories/152004.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-06</discovery>
|
|
<entry>2004-11-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6a33477e-3a9c-11d9-84ad-000c6e8f12ef">
|
|
<topic>phpMyAdmin -- cross-site scripting vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><le>2.6.0.2</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Multiple cross-site scripting vulnerabilities, caused
|
|
by improper input parameter sanitizing, were
|
|
detected in phpMyAdmin, which may enable an attacker
|
|
to do cross-site scripting attacks.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-3</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-18</discovery>
|
|
<entry>2004-11-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="759b8dfe-3972-11d9-a9e7-0001020eed82">
|
|
<topic>Overflow error in fetch</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.3</ge><lt>5.3_1</lt></range>
|
|
<range><ge>5.2.1</ge><lt>5.2.1_12</lt></range>
|
|
<range><ge>5.1</ge><lt>5.1_18</lt></range>
|
|
<range><ge>5.0</ge><lt>5.0_22</lt></range>
|
|
<range><ge>4.10</ge><lt>4.10_4</lt></range>
|
|
<range><ge>4.9</ge><lt>4.9_13</lt></range>
|
|
<range><ge>4.8</ge><lt>4.8_26</lt></range>
|
|
<range><lt>4.7_28</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An integer overflow condition in <a href="http://www.freebsd.org/cgi/man.cgi?query=fetch">fetch(1)</a>
|
|
in the processing of HTTP headers can result in a buffer
|
|
overflow.</p>
|
|
<p>A malicious server or CGI script can respond to an HTTP or
|
|
HTTPS request in such a manner as to cause arbitrary
|
|
portions of the client's memory to be overwritten, allowing
|
|
for arbitrary code execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-04:16.fetch</freebsdsa>
|
|
<cvename>CVE-2004-1053</cvename>
|
|
<bid>11702</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-14</discovery>
|
|
<entry>2004-11-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f3d3f621-38d8-11d9-8fff-000c6e8f12ef">
|
|
<topic>smbd -- buffer-overrun vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>samba</name>
|
|
<range><ge>3.*</ge><lt>3.0.8,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Caused by improper bounds checking of certain trans2
|
|
requests, there is a possible buffer overrun in smbd.
|
|
The attacker needs to be able to create files with
|
|
very specific Unicode filenames on the share to take
|
|
advantage of this issue.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0882</cvename>
|
|
<bid>11678</bid>
|
|
<mlist msgid="4198AE84.7020509@samba.org">http://marc.theaimsgroup.com/?l=bugtraq&m=110055646329581</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-15</discovery>
|
|
<entry>2004-11-17</entry>
|
|
<modified>2004-12-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b4af3ede-36e9-11d9-a9e7-0001020eed82">
|
|
<topic>twiki -- arbitrary shell command execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>twiki</name>
|
|
<range><lt>20040902</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Hans Ulrich Niedermann reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110037207516456">
|
|
<p>The TWiki search function uses a user supplied search
|
|
string to compose a command line executed by the Perl
|
|
backtick (``) operator.</p>
|
|
<p>The search string is not checked properly for shell
|
|
metacharacters and is thus vulnerable to search string
|
|
containing quotes and shell commands.</p>
|
|
<p>IMPACT: An attacker is able to execute arbitrary shell
|
|
commands with the privileges of the TWiki process.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1037</cvename>
|
|
<mlist msgid="86zn1mhchx.fsf@n-dimensional.de">http://marc.theaimsgroup.com/?l=bugtraq&m=110037207516456</mlist>
|
|
<url>http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-12</discovery>
|
|
<entry>2004-11-15</entry>
|
|
<modified>2004-11-23</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="50744596-368f-11d9-a9e7-0001020eed82">
|
|
<topic>proxytunnel -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>proxytunnel</name>
|
|
<range><lt>1.2.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Gentoo Linux Security Advisory reports:</p>
|
|
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200411-07.xml">
|
|
<p>Florian Schilhabel of the Gentoo Linux Security Audit
|
|
project found a format string vulnerability in
|
|
Proxytunnel. When the program is started in daemon mode
|
|
(-a [port]), it improperly logs invalid proxy answers to
|
|
syslog.</p>
|
|
<p>A malicious remote server could send specially-crafted
|
|
invalid answers to exploit the format string
|
|
vulnerability, potentially allowing the execution of
|
|
arbitrary code on the tunnelling host with the rights of
|
|
the Proxytunnel process.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0992</cvename>
|
|
<url>http://proxytunnel.sourceforge.net/news.html</url>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200411-07.xml</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-01</discovery>
|
|
<entry>2004-11-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="bdd1537b-354c-11d9-a9e7-0001020eed82">
|
|
<topic>sudo -- privilege escalation with bash scripts</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sudo</name>
|
|
<range><lt>1.6.8.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Sudo Security Alerts reports:</p>
|
|
<blockquote cite="http://www.courtesan.com/sudo/alerts/bash_functions.html">
|
|
<p>A flaw in exists in sudo's environment sanitizing prior
|
|
to sudo version 1.6.8p2 that could allow a malicious user
|
|
with permission to run a shell script that utilized the
|
|
bash shell to run arbitrary commands.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.courtesan.com/sudo/alerts/bash_functions.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-11</discovery>
|
|
<entry>2004-11-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d656296b-33ff-11d9-a9e7-0001020eed82">
|
|
<topic>ruby -- CGI DoS</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby</name>
|
|
<name>ruby_r</name>
|
|
<range><gt>1.7.*</gt><lt>1.8.2.p2_2</lt></range>
|
|
<range><lt>1.6.8.2004.07.28_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ruby-1.7.0</name>
|
|
<range><ge>a2001.05.12</ge><le>a2001.05.26</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Ruby CGI.rb module contains a bug which can cause the
|
|
CGI module to go into an infinite loop, thereby causing a
|
|
denial-of-service situation on the web server by using all
|
|
available CPU time.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0983</cvename>
|
|
<url>http://www.debian.org/security/2004/dsa-586</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-06</discovery>
|
|
<entry>2004-11-13</entry>
|
|
<modified>2004-11-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ba13dc13-340d-11d9-ac1b-000d614f7fad">
|
|
<topic>samba -- potential remote DoS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>samba</name>
|
|
<range><ge>3</ge><lt>3.0.8,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Karol Wiesek at iDEFENSE reports:</p>
|
|
<blockquote cite="http://us4.samba.org/samba/security/CAN-2004-0930.html">
|
|
<p>A remote attacker could cause an smbd process to consume
|
|
abnormal amounts of system resources due to an input
|
|
validation error when matching filenames containing
|
|
wildcard characters.</p>
|
|
</blockquote>
|
|
<p>Although samba.org classifies this as a DoS vulnerability,
|
|
several members of the security community believe it may be
|
|
exploitable for arbitrary code execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>ports/73701</freebsdpr>
|
|
<cvename>CVE-2004-0930</cvename>
|
|
<url>http://us4.samba.org/samba/security/CAN-2004-0930.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-30</discovery>
|
|
<entry>2004-11-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fc99c736-3499-11d9-98a7-0090962cff2a">
|
|
<topic>gnats -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnats</name>
|
|
<range><ge>4.*</ge><le>4.0_2</le></range>
|
|
<range><le>3.113.1_9</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Gnats suffers from a format string bug, which may enable an
|
|
attacker to execute arbitary code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0623</cvename>
|
|
<mlist msgid="20040625164231.7437.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=108820000823191</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-21</discovery>
|
|
<entry>2004-11-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7fbfe159-3438-11d9-a9e7-0001020eed82">
|
|
<topic>squirrelmail -- cross site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ja-squirrelmail</name>
|
|
<range><lt>1.4.3a_4,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>squirrelmail</name>
|
|
<range><lt>1.4.3a_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A SquirrelMail Security Notice reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110012133608004">
|
|
<p>There is a cross site scripting issue in the decoding of
|
|
encoded text in certain headers. SquirrelMail correctly
|
|
decodes the specially crafted header, but doesn't sanitize
|
|
the decoded strings.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="544475695.20041110000451@netdork.net">http://marc.theaimsgroup.com/?l=bugtraq&m=110012133608004</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-03</discovery>
|
|
<entry>2004-11-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1f8dea68-3436-11d9-952f-000c6e8f12ef">
|
|
<cancelled superseded="9be819c6-4633-11d9-a9e7-0001020eed82"/>
|
|
</vuln>
|
|
|
|
<vuln vid="027380b7-3404-11d9-ac1b-000d614f7fad">
|
|
<topic>hafiye -- lack of terminal escape sequence filtering</topic>
|
|
<affects>
|
|
<package>
|
|
<name>hafiye</name>
|
|
<range><lt>1.0_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A siyahsapka.org advisory reads:</p>
|
|
<blockquote cite="http://deicide.siyahsapka.org/hafiye_esc.txt">
|
|
<p>Hafiye-1.0 doesnt filter the payload when printing it to
|
|
the terminal. A malicious attacker can send packets with
|
|
escape sequence payloads to exploit this vulnerability.</p>
|
|
<p>If Hafiye has been started with -n packet count option ,
|
|
the vulnerability could allow remote code execution. For
|
|
remote code execution the victim must press Enter after
|
|
program exit.</p>
|
|
</blockquote>
|
|
<p>Note that it appears that this bug can only be exploited in
|
|
conjunction with a terminal emulator that honors the
|
|
appropriate escape sequences.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>ports/70978</freebsdpr>
|
|
<url>http://deicide.siyahsapka.org/hafiye_esc.txt</url>
|
|
<url>http://www.enderunix.org/hafiye/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-23</discovery>
|
|
<entry>2004-11-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e69ba632-326f-11d9-b5b7-000854d03344">
|
|
<topic>ez-ipupdate -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ez-ipupdate</name>
|
|
<range><lt>3.0.11b8_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Data supplied by a remote server is used as the format string
|
|
instead of as parameters in a syslog() call. This may lead
|
|
to crashes or potential running of arbitrary code. It is
|
|
only a problem when running in daemon mode (very common) and
|
|
when using some service types.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0980</cvename>
|
|
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-November/028590.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-11</discovery>
|
|
<entry>2004-11-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="eeb1c128-33e7-11d9-a9e7-0001020eed82">
|
|
<topic>ImageMagick -- EXIF parser buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ImageMagick</name>
|
|
<range><lt>6.1.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>There exists a buffer overflow vulnerability in
|
|
ImageMagick's EXIF parsing code which may lead to execution
|
|
of arbitrary code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>11548</bid>
|
|
<cvename>CVE-2004-0981</cvename>
|
|
<url>http://secunia.com/advisories/12995/</url>
|
|
<url>http://www.imagemagick.org/www/Changelog.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-25</discovery>
|
|
<entry>2004-11-11</entry>
|
|
<modified>2004-12-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="282dfea0-3378-11d9-b404-000c6e8f12ef">
|
|
<topic>apache2 multiple space header denial-of-service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><gt>2.*</gt><le>2.0.52_2</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>It is possible for remote attackers to cause a denial-of-service
|
|
scenario on Apache 2.0.52 and earlier by sending an HTTP GET
|
|
request with a MIME header containing multiple lines full of
|
|
whitespaces.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0942</cvename>
|
|
<mlist msgid="a62f45480411010157571febcc.mail@gmail.com">http://marc.theaimsgroup.com/?l=full-disclosure&m=109930632317208</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-01</discovery>
|
|
<entry>2004-11-10</entry>
|
|
<modified>2004-11-11</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f3017ce1-32a4-11d9-a9e7-0001020eed82">
|
|
<topic>socat -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>socat</name>
|
|
<range><lt>1.4.0.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Socat Security Advisory 1 states:</p>
|
|
<blockquote cite="http://www.dest-unreach.org/socat/advisory/socat-adv-1.html">
|
|
<p>socat up to version 1.4.0.2 contains a syslog() based
|
|
format string vulnerability. This issue was originally
|
|
reported by CoKi on 19 Oct.2004 <a href="http://www.nosystem.com.ar/advisories/advisory-07.txt">http://www.nosystem.com.ar/advisories/advisory-07.txt</a>.
|
|
Further investigation showed that this vulnerability could
|
|
under some circumstances lead to local or remote execution
|
|
of arbitrary code with the privileges of the socat
|
|
process.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.dest-unreach.org/socat/advisory/socat-adv-1.html</url>
|
|
<url>http://www.nosystem.com.ar/advisories/advisory-07.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-18</discovery>
|
|
<entry>2004-11-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9ff4c91e-328c-11d9-a9e7-0001020eed82">
|
|
<topic>libxml -- remote buffer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libxml</name>
|
|
<range><lt>1.8.17_3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libxml2</name>
|
|
<range><lt>2.6.15</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p><q>infamous41md</q> reports that libxml contains multiple
|
|
buffer overflows in the URL parsing and DNS name resolving
|
|
functions. These vulnerabilities could lead to execution of
|
|
arbitrary code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0989</cvename>
|
|
<bid>11526</bid>
|
|
<mlist msgid="20041025205132.1f1620a8.infamous41md@hotpop.com">http://marc.theaimsgroup.com/?l=bugtraq&m=109880813013482</mlist>
|
|
<url>http://www.debian.org/security/2004/dsa-582</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-26</discovery>
|
|
<entry>2004-11-09</entry>
|
|
<modified>2004-11-10</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a5742055-300a-11d9-a9e7-0001020eed82">
|
|
<topic>p5-Archive-Zip -- virus detection evasion</topic>
|
|
<affects>
|
|
<package>
|
|
<name>p5-Archive-Zip</name>
|
|
<range><lt>1.14</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An AMaViS Security Announcement reports that a
|
|
vulnerability exist in the Archive::Zip Perl module which
|
|
may lead to bypass of malicious code in anti-virus programs
|
|
by creating specially crafted ZIP files.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities</url>
|
|
<url>http://www.amavis.org/security/asa-2004-6.txt</url>
|
|
<url>http://rt.cpan.org/NoAuth/Bug.html?id=8077</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-18</discovery>
|
|
<entry>2004-11-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6e6a6b8a-2fde-11d9-b3a2-0050fc56d258">
|
|
<topic>apache mod_include buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><lt>1.3.33</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+mod_ssl</name>
|
|
<range><lt>1.3.32+2.8.21_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+mod_ssl+ipv6</name>
|
|
<range><lt>1.3.32+2.8.21_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+mod_perl</name>
|
|
<range><le>1.3.31</le></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+ipv6</name>
|
|
<range><lt>1.3.33</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+ssl</name>
|
|
<range><le>1.3.29.1.55</le></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-apache</name>
|
|
<range><lt>1.3.33+30.21</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-apache+mod_ssl</name>
|
|
<range><lt>1.3.33+30.21+2.8.22</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>There is a buffer overflow in a function used by mod_include
|
|
that may enable a local user to gain privileges of a httpd
|
|
child. Only users that are able to create SSI documents can
|
|
take advantage of that vulnerability.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0940</cvename>
|
|
<url>http://www.securitylab.ru/48807.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-22</discovery>
|
|
<entry>2004-11-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6a164d84-2f7f-11d9-a9e7-0001020eed82">
|
|
<topic>postgresql-contrib -- insecure temporary file creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>postgresql-contrib</name>
|
|
<range><lt>7.2.6</lt></range>
|
|
<range><gt>7.3.*</gt><lt>7.3.8</lt></range>
|
|
<range><gt>7.4.*</gt><lt>7.4.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The make_oidjoins_check script in the PostgreSQL RDBMS has
|
|
insecure handling of temporary files, which could lead to an
|
|
attacker overwriting arbitrary files with the credentials of
|
|
the user running the make_oidjoins_check script.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0977</cvename>
|
|
<bid>11295</bid>
|
|
<url>http://www.postgresql.org/news/234.html</url>
|
|
<url>http://www.trustix.net/errata/2004/0050/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-10</discovery>
|
|
<entry>2004-11-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="62239968-2f2a-11d9-a9e7-0001020eed82">
|
|
<topic>gd -- integer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gd</name>
|
|
<name>uk-gd</name>
|
|
<name>ja-gd</name>
|
|
<range><lt>2.0.29,1</lt></range>
|
|
<range><gt>1.*,2</gt><lt>2.*,2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>infamous41md reports about the GD Graphics Library:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=109882489302099">
|
|
<p>There is an integer overflow when allocating memory in
|
|
the routine that handles loading PNG image files. This
|
|
later leads to heap data structures being overwritten. If
|
|
an attacker tricked a user into loading a malicious PNG
|
|
image, they could leverage this into executing arbitrary
|
|
code in the context of the user opening image.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>11523</bid>
|
|
<cvename>CVE-2004-0990</cvename>
|
|
<mlist msgid="20041025204303.4341d907.infamous41md@hotpop.com">http://marc.theaimsgroup.com/?l=bugtraq&m=109882489302099</mlist>
|
|
<url>http://www.boutell.com/gd/manual2.0.29.html#whatsnew2.0.29</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-26</discovery>
|
|
<entry>2004-11-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="19518d22-2d05-11d9-8943-0050fc56d258">
|
|
<topic>putty -- buffer overflow vulnerability in ssh2 support</topic>
|
|
<affects>
|
|
<package>
|
|
<name>putty</name>
|
|
<range><lt>0.56</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>There is a bug in SSH2 support that allows a server to execute
|
|
malicious code on a connecting PuTTY client.
|
|
This attack can be performed before host key verification happens,
|
|
so a different machine -- man in the middle attack -- could fake
|
|
the machine you are connecting to.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="1CE07882ECEE894CA2D5A89B8DEBC4010A2DD2@porgy.admin.idefense.com">http://marc.theaimsgroup.com/?l=bugtraq&m=109890310929207</mlist>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200410-29.xml</url>
|
|
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ssh2-debug.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-26</discovery>
|
|
<entry>2004-11-04</entry>
|
|
<modified>2005-01-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e0070221-2dd8-11d9-a9e7-0001020eed82">
|
|
<topic>wzdftpd -- remote DoS</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wzdftpd</name>
|
|
<range><lt>0.4.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>wzdftpd contains a potential remote Denial-of-Service.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://sourceforge.net/project/shownotes.php?release_id=263573</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-28</discovery>
|
|
<entry>2004-11-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1f826757-26be-11d9-ad2d-0050fc56d258">
|
|
<topic>rssh -- format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rssh</name>
|
|
<range><le>2.2.1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>There is a format string bug in rssh that enables an attacker
|
|
to execute arbitrary code from an account configured to use
|
|
rssh. On FreeBSD it is only possible to compromise the rssh
|
|
running account, not root.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.pizzashack.org/rssh/security.shtml</url>
|
|
<mlist msgid="20041023084829.GA16819@sophic.org">http://marc.theaimsgroup.com/?l=bugtraq&m=109855982425122</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-23</discovery>
|
|
<entry>2004-10-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ed1d404d-2784-11d9-b954-000bdb1444a4">
|
|
<topic>horde -- cross-site scripting vulnerability in help window</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde</name>
|
|
<name>horde-devel</name>
|
|
<range><lt>2.2.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Horde Team announcement states that a potential cross-site
|
|
scripting vulnerability in the help window has been
|
|
corrected. The vulnerability appears to involve the handling
|
|
of the <code>topic</code> and <code>module</code> parameters
|
|
of the help window template.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="20041026115303.10FBEC046E@neo.wg.de">http://marc.theaimsgroup.com/?l=horde-announce&m=109879164718625</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-06</discovery>
|
|
<entry>2004-10-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f4428842-a583-4a4c-89b7-297c3459a1c3">
|
|
<topic>bogofilter -- RFC 2047 decoder denial-of-service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bogofilter</name>
|
|
<name>bogofilter-qdbm</name>
|
|
<name>bogofilter-tdb</name>
|
|
<name>ru-bogofilter</name>
|
|
<range><ge>0.17.4</ge><lt>0.92.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The bogofilter team has been provided with a test case of a
|
|
malformatted (non-conformant) RFC-2047 encoded word that can cause
|
|
bogofilter versions 0.92.7 and prior to try to write a NUL byte into
|
|
a memory location that is either one byte past the end of a flex
|
|
buffer or to a location that is the negative of the encoded word's
|
|
start of payload data, causing a segmentation fault.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>73144</freebsdpr>
|
|
<cvename>CVE-2004-1007</cvename>
|
|
<mlist msgid="20041008143604.GA14934@scowler.net">http://article.gmane.org/gmane.mail.bogofilter.devel/3308</mlist>
|
|
<mlist msgid="m3r7o892vj.fsf@merlin.emma.line.org">http://article.gmane.org/gmane.mail.bogofilter.devel/3317</mlist>
|
|
<url>http://bugs.debian.org/275373</url>
|
|
<url>http://bogofilter.sourceforge.net/security/bogofilter-SA-2004-01</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-09</discovery>
|
|
<entry>2004-10-26</entry>
|
|
<modified>2004-11-03</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ad2f3337-26bf-11d9-9289-000c41e2cdad">
|
|
<topic>xpdf -- integer overflow vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gpdf</name>
|
|
<name>cups-base</name>
|
|
<range><lt>1.1.22.0</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>xpdf</name>
|
|
<range><lt>3.00_4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>kdegraphics</name>
|
|
<range><lt>3.3.0_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>koffice</name>
|
|
<range><lt>1.3.2_1,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>teTeX-base</name>
|
|
<range><lt>2.0.2_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Chris Evans discovered several integer arithmetic overflows
|
|
in the xpdf 2 and xpdf 3 code bases. The flaws have impacts
|
|
ranging from denial-of-service to arbitrary code execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0888</cvename>
|
|
<cvename>CVE-2004-0889</cvename>
|
|
<url>http://scary.beasts.org/security/CESA-2004-002.txt</url>
|
|
<url>http://scary.beasts.org/security/CESA-2004-007.txt</url>
|
|
<url>http://www.kde.org/info/security/advisory-20041021-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-21</discovery>
|
|
<entry>2004-10-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f2d6a5e1-26b9-11d9-9289-000c41e2cdad">
|
|
<topic>gaim -- MSN denial-of-service vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>1.0.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gaim</name>
|
|
<range><gt>20030000</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Gaim team discovered denial-of-service vulnerabilities in
|
|
the MSN protocol handler:</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/?id=7">
|
|
<p>After accepting a file transfer request, Gaim will attempt
|
|
to allocate a buffer of a size equal to the entire filesize,
|
|
this allocation attempt will cause Gaim to crash if the size
|
|
exceeds the amount of available memory.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/?id=8">
|
|
<p>Gaim allocates a buffer for the payload of each message
|
|
received based on the size field in the header of the
|
|
message. A malicious peer could specify an invalid size that
|
|
exceeds the amount of available memory.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://gaim.sourceforge.net/security/?id=7</url>
|
|
<url>http://gaim.sourceforge.net/security/?id=8</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-19</discovery>
|
|
<entry>2004-10-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ad61657d-26b9-11d9-9289-000c41e2cdad">
|
|
<topic>gaim -- Content-Length header denial-of-service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>0.82</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gaim</name>
|
|
<range><gt>20030000</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Sean <q>infamous42md</q> reports:</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/?id=6">
|
|
<p>When a remote server provides a large "content-length"
|
|
header value, Gaim will attempt to allocate a buffer to
|
|
store the content, however this allocation attempt will
|
|
cause Gaim to crash if the length exceeds the amount of
|
|
possible memory. This happens when reading profile
|
|
information on some protocols. It also happens when smiley
|
|
themes are installed via drag and drop.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://gaim.sourceforge.net/security/?id=6</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-26</discovery>
|
|
<entry>2004-10-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4260eacb-26b8-11d9-9289-000c41e2cdad">
|
|
<topic>gaim -- multiple buffer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>0.82</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gaim</name>
|
|
<range><gt>20030000</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Sean <q>infamous42md</q> reports several situations in gaim
|
|
that may result in exploitable buffer overflows:</p>
|
|
<ul>
|
|
<li>Rich Text Format (RTF) messages in Novell GroupWise
|
|
protocol</li>
|
|
<li>Unsafe use of gethostbyname in zephyr protocol</li>
|
|
<li>URLs which are over 2048 bytes long once decoded</li>
|
|
</ul>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0785</cvename>
|
|
<url>http://gaim.sourceforge.net/security/?id=3</url>
|
|
<url>http://gaim.sourceforge.net/security/?id=4</url>
|
|
<url>http://gaim.sourceforge.net/security/?id=5</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-26</discovery>
|
|
<entry>2004-10-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e16293f0-26b7-11d9-9289-000c41e2cdad">
|
|
<topic>gaim -- heap overflow exploitable by malicious GroupWise server</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>0.82</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gaim</name>
|
|
<range><gt>20030000</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Sean <q>infamous42md</q> reports that a malicous GroupWise
|
|
messaging server may be able to exploit a heap buffer
|
|
overflow in gaim, leading to arbitrary code execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0754</cvename>
|
|
<url>http://gaim.sourceforge.net/security/?id=2</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-26</discovery>
|
|
<entry>2004-10-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="635bf5f4-26b7-11d9-9289-000c41e2cdad">
|
|
<topic>gaim -- malicious smiley themes</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>0.82</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gaim</name>
|
|
<range><gt>20030000</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Gaim Security Issues page documents a problem with
|
|
installing smiley themes from an untrusted source:</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/?id=1">
|
|
<p>To install a new smiley theme, a user can drag a tarball
|
|
from a graphical file manager, or a hypertext link to one
|
|
from a web browser. When a tarball is dragged, Gaim executes
|
|
a shell command to untar it. However, it does not escape the
|
|
filename before sending it to the shell. Thus, a specially
|
|
crafted filename could execute arbitrary commands if the
|
|
user could be convinced to drag a file into the smiley theme
|
|
selector.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0784</cvename>
|
|
<url>http://gaim.sourceforge.net/security/?id=1</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-22</discovery>
|
|
<entry>2004-10-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1e6c4008-245f-11d9-b584-0050fc56d258">
|
|
<topic>gaim -- buffer overflow in MSN protocol support</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><ge>0.79</ge><le>1.0.1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>gaim</name>
|
|
<range><gt>20030000</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Due to a buffer overflow in the MSN protocol support for
|
|
gaim 0.79 to 1.0.1, it is possible for remote clients to do a
|
|
denial-of-service attack on the application.
|
|
This is caused by an unbounded copy operation, which writes
|
|
to the wrong buffer.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0891</cvename>
|
|
<url>http://gaim.sourceforge.net/security/?id=9</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-19</discovery>
|
|
<entry>2004-10-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4238151d-207a-11d9-bfe2-0090962cff2a">
|
|
<topic>mod_ssl -- SSLCipherSuite bypass</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ru-apache+mod_ssl</name>
|
|
<range><le>1.3.31+30.20+2.8.18</le></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+mod_ssl</name>
|
|
<range><lt>1.3.31+2.8.20</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+mod_ssl+ipv6</name>
|
|
<range><le>1.3.31+2.8.18_4</le></range>
|
|
</package>
|
|
<package>
|
|
<name>apache2</name>
|
|
<range><le>2.0.52_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>It is possible for clients to use any cipher suite configured by
|
|
the virtual host, whether or not a certain cipher suite is selected
|
|
for a specific directory. This might result in clients using a
|
|
weaker encryption than originally configured.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0885</cvename>
|
|
<mlist msgid="20041008152510.GE8385@redhat.com">http://marc.theaimsgroup.com/?l=apache-modssl&m=109724918128044</mlist>
|
|
<url>http://issues.apache.org/bugzilla/show_bug.cgi?id=31505</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-01</discovery>
|
|
<entry>2004-10-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="20d16518-2477-11d9-814e-0001020eed82">
|
|
<topic>mpg123 -- buffer overflow in URL handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mpg123</name>
|
|
<name>mpg123-nas</name>
|
|
<name>mpg123-esound</name>
|
|
<range><lt>0.59r_15</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Carlos Barros reports that mpg123 contains two buffer
|
|
overflows. These vulnerabilities can potentially lead to
|
|
execution of arbitrary code.</p>
|
|
<p>The first buffer overflow can occur when mpg123 parses a
|
|
URL with a user-name/password field that is more than 256
|
|
characters long. This problem can be triggered either
|
|
locally or remotely via a specially crafted play list. The
|
|
second potential buffer overflow may be triggered locally by
|
|
a specially crafted symlink to the mpg123 binary. This
|
|
problem is not as serious, since mpg123 is not installed
|
|
setuid by default.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>11468</bid>
|
|
<cvename>CVE-2004-0982</cvename>
|
|
<mlist msgid="200410200119.42801.barros@barrossecurity.com">http://marc.theaimsgroup.com/?l=bugtraq&m=109834486312407</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-02</discovery>
|
|
<entry>2004-10-23</entry>
|
|
<modified>2004-12-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7b81fc47-239f-11d9-814e-0001020eed82">
|
|
<topic>apache2 -- SSL remote DoS</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><gt>2.0</gt><lt>2.0.51</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Apache HTTP Server 2.0.51 release notes report that the
|
|
following issues have been fixed:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=109527608022322">
|
|
<p>A segfault in mod_ssl which can be triggered by a
|
|
malicious remote server, if proxying to SSL servers has
|
|
been configured. [CAN-2004-0751]</p>
|
|
<p>A potential infinite loop in mod_ssl which could be
|
|
triggered given particular timing of a connection
|
|
abort. [CAN-2004-0748]</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>11094</bid>
|
|
<bid>11154</bid>
|
|
<cvename>CVE-2004-0748</cvename>
|
|
<cvename>CVE-2004-0751</cvename>
|
|
<mlist msgid="029f01c49b54$dec30f20$1500a8c0@Cougar">http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=109527608022322</mlist>
|
|
<url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964</url>
|
|
<url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=30134</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-07</discovery>
|
|
<entry>2004-10-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fc07c9ca-22ce-11d9-814e-0001020eed82">
|
|
<topic>phpmyadmin -- remote command execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<name>phpmyadmin</name>
|
|
<range><lt>2.6.0.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>From the phpMyAdmin 2.6.0p2 release notes:</p>
|
|
<blockquote cite="http://sourceforge.net/project/shownotes.php?release_id=274709">
|
|
<p>If PHP is not running in safe mode, a problem in the
|
|
MIME-based transformation system (with an "external"
|
|
transformation) allows to execute any command with the
|
|
privileges of the web server's user.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>11391</bid>
|
|
<url>http://sourceforge.net/project/shownotes.php?release_id=274709</url>
|
|
<url>http://sourceforge.net/tracker/index.php?func=detail&aid=1044864&group_id=23067&atid=377408</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-11</discovery>
|
|
<entry>2004-10-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="61480a9a-22b2-11d9-814e-0001020eed82">
|
|
<topic>cabextract -- insecure directory handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cabextract</name>
|
|
<range><lt>1.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>cabextract has insufficient checks for file names that
|
|
contain <q>../</q>. This can cause files to be extracted to
|
|
the parent directory.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0916</cvename>
|
|
<url>http://www.kyz.uklinux.net/cabextract.php#changes</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-18</discovery>
|
|
<entry>2004-10-20</entry>
|
|
<modified>2004-10-22</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8091fcea-f35e-11d8-81b0-000347a4fa7d">
|
|
<topic>a2ps -- insecure command line argument handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>a2ps-a4</name>
|
|
<range><lt>4.13b_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>a2ps-letter</name>
|
|
<range><lt>4.13b_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>a2ps-letterdj</name>
|
|
<range><lt>4.13b_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Rudolf Polzer reports:</p>
|
|
<blockquote cite="http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/70618">
|
|
<p>a2ps builds a command line for file() containing an
|
|
unescaped version of the file name, thus might call
|
|
external programs described by the file name. Running a
|
|
cronjob over a public writable directory a2ps-ing all
|
|
files in it - or simply typing "a2ps *.txt" in /tmp - is
|
|
therefore dangerous.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1170</cvename>
|
|
<freebsdpr>ports/70618</freebsdpr>
|
|
<bid>11025</bid>
|
|
<url>http://www.osvdb.org/9176</url>
|
|
<mlist msgid="e5312d6a040824040119840c7c@mail.gmail.com">http://marc.theaimsgroup.com/?l=full-disclosure&m=109334851517137</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-18</discovery>
|
|
<entry>2004-10-20</entry>
|
|
<modified>2004-12-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="746ca1ac-21ec-11d9-9289-000c41e2cdad">
|
|
<topic>ifmail -- unsafe set-user-ID application</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ifmail</name>
|
|
<range><le>ifmail-2.15_4</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Niels Heinen reports that ifmail allows one to specify
|
|
a configuration file. Since ifmail runs set-user-ID `news',
|
|
this may allow a local attacker to write to arbitrary files
|
|
or execute arbitrary commands as the `news' user.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://cvsweb.freebsd.org/ports/news/ifmail</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-23</discovery>
|
|
<entry>2004-10-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e31d44a2-21e3-11d9-9289-000c41e2cdad">
|
|
<topic>imwheel -- insecure handling of PID file</topic>
|
|
<affects>
|
|
<package>
|
|
<name>imwheel</name>
|
|
<range><lt>1.0.0.p12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Computer Academic Underground advisory describes the
|
|
consequences of imwheel's handling of the process ID file (PID
|
|
file):</p>
|
|
<blockquote cite="http://www.caughq.org/advisories/CAU-2004-0002.txt">
|
|
<p>imwheel exclusively uses a predictably named PID file for
|
|
management of multiple imwheel processes. A race condition
|
|
exists when the -k command-line option is used to kill
|
|
existing imwheel processes. This race condition may be
|
|
used by a local user to Denial of Service another user
|
|
using imwheel, lead to resource exhaustion of the host
|
|
system, or append data to arbitrary files.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.caughq.org/advisories/CAU-2004-0002.txt</url>
|
|
<url>http://imwheel.sourceforge.net/files/DEVELOPMENT.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-20</discovery>
|
|
<entry>2004-10-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="064225c5-1f53-11d9-836a-0090962cff2a">
|
|
<topic>squid -- NTLM authentication denial-of-service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A remote attacker is able to cause a denial-of-service
|
|
situation, when NTLM authentication is enabled in squid.
|
|
NTLM authentication uses two functions which lack correct
|
|
offset checking.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0832</cvename>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1045</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-18</discovery>
|
|
<entry>2004-08-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ca543e06-207a-11d9-814e-0001020eed82">
|
|
<topic>cacti -- SQL injection</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cacti</name>
|
|
<range><lt>0.8.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Fernando Quintero reports that Cacti 0.8.5a suffers from a
|
|
SQL injection attack where an attacker can change the
|
|
password for any Cacti user. This attack is not possible if
|
|
the PHP option magic_quotes_gpc is set to On, which is the
|
|
default for PHP in FreeBSD.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="1092686621.818.8.camel@mitnick.nadied.org">http://marc.theaimsgroup.com/?l=full-disclosure&m=109269427427368</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-16</discovery>
|
|
<entry>2004-10-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="18974c8a-1fbd-11d9-814e-0001020eed82">
|
|
<topic>apache13-modssl -- format string vulnerability in proxy support</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache+mod_ssl</name>
|
|
<range><lt>1.3.31+2.8.19</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+mod_ssl+ipv6</name>
|
|
<range><lt>1.3.31+2.8.19</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-apache+mod_ssl</name>
|
|
<range><lt>1.3.31+30.20+2.8.19</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A OpenPKG Security Advisory reports:</p>
|
|
<blockquote cite="http://www.openpkg.org/security/OpenPKG-SA-2004.032-apache.html">
|
|
<p>Triggered by a report to Packet Storm from Virulent, a
|
|
format string vulnerability was found in mod_ssl, the
|
|
Apache SSL/TLS interface to OpenSSL, version (up to and
|
|
including) 2.8.18 for Apache 1.3. The mod_ssl in Apache
|
|
2.x is not affected. The vulnerability could be
|
|
exploitable if Apache is used as a proxy for HTTPS URLs
|
|
and the attacker established a own specially prepared DNS
|
|
and origin server environment.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>10736</bid>
|
|
<certvu>303448</certvu>
|
|
<cvename>CVE-2004-0700</cvename>
|
|
<url>http://www.openpkg.org/security/OpenPKG-SA-2004.032-apache.html</url>
|
|
<url>http://packetstormsecurity.org/0407-advisories/modsslFormat.txt</url>
|
|
<mlist msgid="20040716204207.GA45678@engelschall.com">http://marc.theaimsgroup.com/?l=apache-modssl&m=109001100906749</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-16</discovery>
|
|
<entry>2004-10-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8e2e6ad8-1720-11d9-9fb9-00902788733b">
|
|
<topic>tor -- remote DoS and loss of anonymity</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tor</name>
|
|
<range><lt>0.0.8.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Tor has various remote crashes which could lead to a remote
|
|
denial-of-service and be used to defeat clients anonymity.
|
|
It is not expected that these vulnerabilities are
|
|
exploitable for arbitrary code execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://archives.seul.org/or/announce/Aug-2004/msg00001.html</mlist>
|
|
<mlist>http://archives.seul.org/or/announce/Oct-2004/msg00000.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-25</discovery>
|
|
<entry>2004-10-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b2cfb400-1df0-11d9-a859-0050fc56d258">
|
|
<topic>icecast -- Cross-Site Scripting Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>icecast</name>
|
|
<range><lt>1.3.12_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Caused by improper filtering of HTML code in the
|
|
status display, it is possible for a remote user
|
|
to execute scripting code in the target user's
|
|
browser.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0781</cvename>
|
|
<url>http://www.securitytracker.com/alerts/2004/Aug/1011047.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-24</discovery>
|
|
<entry>2004-10-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="741c3957-1d69-11d9-a804-0050fc56d258">
|
|
<topic>icecast -- HTTP header overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>icecast2</name>
|
|
<range><lt>2.0.2,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>It is possible to execute remote code simply using
|
|
HTTP request plus 31 headers followed by a shellcode that will be
|
|
executed directly.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="20040928184943.0a82b6f6.aluigi@autistici.org">http://marc.theaimsgroup.com/?l=full-disclosure&m=109646043512722</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-29</discovery>
|
|
<entry>2004-10-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="20dfd134-1d39-11d9-9be9-000c6e8f12ef">
|
|
<topic>freeradius -- denial-of-service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>freeradius</name>
|
|
<range><ge>0.8.0</ge><lt>1.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A remote attacker may be able to crash the freeRADIUS Server
|
|
due to three independant bugs in the function which does
|
|
improper checking values while processing RADIUS
|
|
attributes.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0938</cvename>
|
|
<cvename>CVE-2004-0960</cvename>
|
|
<cvename>CVE-2004-0961</cvename>
|
|
<url>http://www.securitytracker.com/alerts/2004/Sep/1011364.html</url>
|
|
<certvu>541574</certvu>
|
|
<bid>11222</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-20</discovery>
|
|
<entry>2004-10-13</entry>
|
|
<modified>2004-10-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="76301302-1d59-11d9-814e-0001020eed82">
|
|
<topic>xerces-c2 -- Attribute blowup denial-of-service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xerces-c2</name>
|
|
<range><lt>2.6.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Amit Klein reports about Xerces-C++:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=109674050017645">
|
|
<p>An attacker can craft a malicious XML document, which
|
|
uses XML attributes in a way that inflicts a denial of
|
|
service condition on the target machine (XML parser). The
|
|
result of this attack is that the XML parser consumes all
|
|
the CPU.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>11312</bid>
|
|
<mlist msgid="415F00A8.13029.1FAADB7@localhost">http://marc.theaimsgroup.com/?l=bugtraq&m=109674050017645</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-02</discovery>
|
|
<entry>2004-10-13</entry>
|
|
<modified>2004-10-14</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="12b7b4cf-1d53-11d9-814e-0001020eed82">
|
|
<topic>wordpress -- XSS in administration panel</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wordpress</name>
|
|
<range><lt>1.2.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Pages in the administration panel of Wordpress are
|
|
vulnerable for XSS attacks.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://wordpress.org/development/2004/10/wp-121/</url>
|
|
<mlist msgid="20040927231608.19365.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=109641484723194</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-27</discovery>
|
|
<entry>2004-10-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3897a2f8-1d57-11d9-bc4a-000c41e2cdad">
|
|
<topic>tiff -- multiple integer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tiff</name>
|
|
<range><le>3.6.1_2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-tiff</name>
|
|
<range><lt>3.6.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>pdflib</name>
|
|
<name>pdflib-perl</name>
|
|
<range><lt>6.0.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gdal</name>
|
|
<range><lt>1.2.1_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ivtools</name>
|
|
<range><lt>1.2.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>paraview</name>
|
|
<range><lt>2.4.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>fractorama</name>
|
|
<range><lt>1.6.7_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>iv</name>
|
|
<name>ja-iv</name>
|
|
<name>ja-libimg</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Dmitry V. Levin discovered numerous integer overflow bugs in
|
|
libtiff. Most of these bugs are related to memory management,
|
|
and are believed to be exploitable for arbitrary code
|
|
execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>687568</certvu>
|
|
<cvename>CVE-2004-0886</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=173&type=vulnerabilities</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-13</discovery>
|
|
<entry>2004-10-13</entry>
|
|
<modified>2006-06-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="30cea6be-1d0c-11d9-814e-0001020eed82">
|
|
<topic>CUPS -- local information disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cups-base</name>
|
|
<range><lt>1.1.22</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Certain methods of authenticated remote printing in CUPS
|
|
can disclose user names and passwords in the log files.</p>
|
|
<p>A workaround for this problem is to set more strict
|
|
access permissions on the CUPS logfiles.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://docs.info.apple.com/article.html?artnum=61798</url>
|
|
<url>http://secunia.com/advisories/12690/</url>
|
|
<url>http://www.cups.org/str.php?L920</url>
|
|
<cvename>CVE-2004-0923</cvename>
|
|
<certvu>557062</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-23</discovery>
|
|
<entry>2004-10-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="30cf9485-1c2c-11d9-9ecb-000c6e8f12ef">
|
|
<topic>zinf -- potential buffer overflow playlist support</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zinf</name>
|
|
<range><lt>2.2.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>freeamp</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The audio player Zinf is vulnerable to a buffer-overflow
|
|
bug in the management of the playlist files.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="20040924213102.7fb91138.aluigi@autistici.org">http://marc.theaimsgroup.com/?l=bugtraq&m=109608092609200</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-24</discovery>
|
|
<entry>2004-10-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f6680c03-0bd8-11d9-8a8a-000c41e2cdad">
|
|
<topic>tiff -- RLE decoder heap overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tiff</name>
|
|
<range><le>3.6.1_1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-tiff</name>
|
|
<range><lt>3.6.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>pdflib</name>
|
|
<name>pdflib-perl</name>
|
|
<range><lt>6.0.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gdal</name>
|
|
<range><lt>1.2.1_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ivtools</name>
|
|
<range><lt>1.2.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>paraview</name>
|
|
<range><lt>2.4.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>fractorama</name>
|
|
<range><lt>1.6.7_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>iv</name>
|
|
<name>ja-iv</name>
|
|
<name>ja-libimg</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Chris Evans discovered several heap buffer overflows in
|
|
libtiff's RLE decoder. These overflows could be triggered
|
|
by a specially-crafted TIFF image file, resulting in an
|
|
application crash and possibly arbitrary code execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<certvu>948752</certvu>
|
|
<cvename>CVE-2004-0803</cvename>
|
|
<url>http://scary.beasts.org/security/CESA-2004-006.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-13</discovery>
|
|
<entry>2004-10-13</entry>
|
|
<modified>2006-06-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="26c9e8c6-1c99-11d9-814e-0001020eed82">
|
|
<topic>sharutils -- buffer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sharutils</name>
|
|
<range><lt>4.2.1_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>From Gentoo advisory GLSA 200410-01:</p>
|
|
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200410-01.xml">
|
|
<p>sharutils contains two buffer overflows. Ulf Harnhammar
|
|
discovered a buffer overflow in shar.c, where the length
|
|
of data returned by the wc command is not checked.
|
|
Florian Schilhabel discovered another buffer overflow in
|
|
unshar.c.</p>
|
|
<p>An attacker could exploit these vulnerabilities to
|
|
execute arbitrary code as the user running one of the
|
|
sharutils programs.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>11298</bid>
|
|
<url>http://www.gentoo.org/security/en/glsa/glsa-200410-01.xml</url>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=265904</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-15</discovery>
|
|
<entry>2004-10-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3030ae22-1c7f-11d9-81a4-0050fc56d258">
|
|
<topic>mail-notification -- denial-of-service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mail-notification</name>
|
|
<range><lt>0.7.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Caused by an untested return value, and a resulting
|
|
null pointer dereference, it is possible for an attacker
|
|
to crash the application. However, the attacker must first
|
|
hijack the connection between Mail Notification and the
|
|
Gmail or IMAP server.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.nongnu.org/mailnotify/sa/mail-notification-SA-04:2.asc</url>
|
|
<url>http://www.nongnu.org/mailnotify/sa/mail-notification-SA-04:3.asc</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-10-06</discovery>
|
|
<entry>2004-10-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="65e99f52-1c5f-11d9-bc4a-000c41e2cdad">
|
|
<topic>squid -- SNMP module denial-of-service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Squid-2.5 patches page notes:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-SNMP_core_dump">
|
|
<p>If a certain malformed SNMP request is received squid
|
|
restarts with a Segmentation Fault error.</p>
|
|
</blockquote>
|
|
<p>This only affects squid installations where SNMP is
|
|
explicitly enabled via "make config". As a workaround,
|
|
SNMP can be disabled by defining "snmp_port 0" in
|
|
squid.conf.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0918</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=152&type=vulnerabilities</url>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-SNMP_core_dump</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-29</discovery>
|
|
<entry>2004-10-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0c592c4a-1bcc-11d9-a3ec-00061bd2d56f">
|
|
<topic>cyrus-sasl -- potential buffer overflow in DIGEST-MD5 plugin</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cyrus-sasl</name>
|
|
<range><ge>2.*</ge><lt>2.1.19</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Cyrus SASL DIGEST-MD5 plugin contains a potential
|
|
buffer overflow when quoting is required in the output.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c#rev1.171</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-06</discovery>
|
|
<entry>2004-10-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="92268205-1947-11d9-bc4a-000c41e2cdad">
|
|
<topic>cyrus-sasl -- dynamic library loading and set-user-ID applications</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cyrus-sasl</name>
|
|
<range><le>1.5.28_3</le></range>
|
|
<range><ge>2.*</ge><le>2.1.19</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Cyrus SASL library, libsasl, contains functions which
|
|
may load dynamic libraries. These libraries may be loaded
|
|
from the path specified by the environmental variable
|
|
SASL_PATH, which in some situations may be fully controlled
|
|
by a local attacker. Thus, if a set-user-ID application
|
|
(such as chsh) utilizes libsasl, it may be possible for a
|
|
local attacker to gain superuser privileges.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0884</cvename>
|
|
<url>https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/lib/common.c#rev1.104</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-22</discovery>
|
|
<entry>2004-10-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="efc4819b-0b2d-11d9-bfe1-000bdb1444a4">
|
|
<topic>imp3 -- XSS hole in the HTML viewer</topic>
|
|
<affects>
|
|
<package>
|
|
<name>imp</name>
|
|
<range><lt>3.2.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The script vulnerabilities can only be exposed with
|
|
certain browsers and allow XSS attacks when viewing
|
|
HTML messages with the HTML MIME viewer</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://thread.gmane.org/gmane.comp.horde.imp/15488</url>
|
|
<url>http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.389.2.109&r2=1.389.2.111&ty=h</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-20</discovery>
|
|
<entry>2004-10-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="938f357c-16dd-11d9-bc4a-000c41e2cdad">
|
|
<topic>bmon -- unsafe set-user-ID application</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bmon</name>
|
|
<range><lt>1.2.1_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jon Nistor reported that the FreeBSD port of bmon was
|
|
installed set-user-ID root, and executes commands using
|
|
relative paths. This could allow local user to easily obtain
|
|
root privileges.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>ports/67340</freebsdpr>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-29</discovery>
|
|
<entry>2004-10-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="84ab58cf-e4ac-11d8-9b0a-000347a4fa7d">
|
|
<topic>gnutls -- certificate chain verification DoS</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnutls</name>
|
|
<range><lt>1.0.17</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gnutls-devel</name>
|
|
<range><ge>1.1.*</ge><lt>1.1.12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Patric Hornik reports on a problem in the certificate chain
|
|
verification procedures of GnuTLS that may result in a
|
|
denial-of-service vulnerability:</p>
|
|
<blockquote cite="http://www.hornik.sk/SA/SA-20040802.txt">
|
|
<p>The certificate chain should be verified from last root
|
|
certificate to the first certificate. Otherwise a lot
|
|
of unauthorized CPU processing can be forced to check
|
|
certificate signatures signed with arbitrary RSA/DSA keys
|
|
chosen by attacker.</p>
|
|
<p>In GnuTLS the signatures are checked from first to last
|
|
certificate, there is no limit on size of keys and no
|
|
limit on length of certificate chain.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.hornik.sk/SA/SA-20040802.txt</url>
|
|
<url>http://secunia.com/advisories/12156</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-02</discovery>
|
|
<entry>2004-10-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="562a3fdf-16d6-11d9-bc4a-000c41e2cdad">
|
|
<topic>php -- vulnerability in RFC 1867 file upload processing</topic>
|
|
<affects>
|
|
<package>
|
|
<name>php4</name>
|
|
<name>php4-cgi</name>
|
|
<range><le>4.3.8_2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mod_php4</name>
|
|
<range><le>4.3.8_2,1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>php5</name>
|
|
<name>php5-cgi</name>
|
|
<range><le>5.0.1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mod_php5</name>
|
|
<range><le>5.0.1,1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefano Di Paola discovered an issue with PHP that
|
|
could allow someone to upload a file to any directory
|
|
writeable by the httpd process. Any sanitizing performed on
|
|
the prepended directory path is ignored. This bug can only
|
|
be triggered if the $_FILES element name contains an
|
|
underscore.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="1095268057.2818.20.camel@localhost">http://marc.theaimsgroup.com/?l=bugtraq&m=109534848430404</mlist>
|
|
<mlist msgid="1096478151.3220.6.camel@localhost">http://marc.theaimsgroup.com/?l=bugtraq&m=109648426331965</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-15</discovery>
|
|
<entry>2004-09-15</entry>
|
|
<modified>2004-10-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ad74a1bd-16d2-11d9-bc4a-000c41e2cdad">
|
|
<topic>php -- php_variables memory disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_php4-twig</name>
|
|
<name>php4-cgi</name>
|
|
<name>php4-cli</name>
|
|
<name>php4-dtc</name>
|
|
<name>php4-horde</name>
|
|
<name>php4-nms</name>
|
|
<name>php4</name>
|
|
<range><le>4.3.8_2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mod_php</name>
|
|
<name>mod_php4</name>
|
|
<range><ge>4</ge><le>4.3.8_2,1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>php5</name>
|
|
<name>php5-cgi</name>
|
|
<name>php5-cli</name>
|
|
<range><le>5.0.1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mod_php5</name>
|
|
<range><le>5.0.1,1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefano Di Paola reports:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=109527531130492">
|
|
<p>Bad array parsing in php_variables.c could lead to show
|
|
arbitrary memory content such as pieces of php code
|
|
and other data. This affects all GET, POST or COOKIES
|
|
variables.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="1095267581.2818.13.camel@localhost">http://marc.theaimsgroup.com/?l=bugtraq&m=109527531130492</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-15</discovery>
|
|
<entry>2004-10-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fffacc93-16cb-11d9-bc4a-000c41e2cdad">
|
|
<topic>xv -- exploitable buffer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xv</name>
|
|
<name>xv-m17n</name>
|
|
<range><lt>3.10a_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>In a Bugtraq posting, infamous41md(at)hotpop.com reported:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=109302498125092">
|
|
<p>there are at least 5 exploitable buffer and heap
|
|
overflows in the image handling code. this allows someone
|
|
to craft a malicious image, trick a user into viewing the
|
|
file in xv, and upon viewing that image execute arbitrary
|
|
code under privileges of the user viewing image. note
|
|
the AT LEAST part of the above sentence. there is such a
|
|
plethora of bad code that I just stopped reading after
|
|
a while. there are at least 100 calls to sprintf() and
|
|
strcpy() with no regards for bounds of buffers. 95% of
|
|
these deal with program arguments or filenames, so they
|
|
are of no interest to exploit. however I just got sick of
|
|
reading this code after not too long. so im sure there are
|
|
still other overflows in the image handling code for other
|
|
image types.</p>
|
|
</blockquote>
|
|
<p>The posting also included an exploit.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="20040820032605.360e43e3.infamous41md@hotpop.com">http://marc.theaimsgroup.com/?l=bugtraq&m=109302498125092</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-20</discovery>
|
|
<entry>2004-10-05</entry>
|
|
<modified>2004-10-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8c33b299-163b-11d9-ac1b-000d614f7fad">
|
|
<topic>getmail -- symlink vulnerability during maildir delivery</topic>
|
|
<affects>
|
|
<package>
|
|
<name>getmail</name>
|
|
<range><lt>3.2.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>David Watson reports a symlink vulnerability in getmail.
|
|
If run as root (not the recommended mode of operation), a
|
|
local user may be able to cause getmail to write files in
|
|
arbitrary directories via a symlink attack on subdirectories
|
|
of the maildir.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="200409191532.38997.baikie@ehwat.freeserve.co.uk">http://marc.theaimsgroup.com/?l=bugtraq&m=109571883130372</mlist>
|
|
<cvename>CVE-2004-0881</cvename>
|
|
<bid>11224</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-19</discovery>
|
|
<entry>2004-10-04</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="67710833-1626-11d9-bc4a-000c41e2cdad">
|
|
<topic>Boundary checking errors in syscons</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.0</ge><lt>5.2.1_11</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The syscons CONS_SCRSHOT <a href="http://www.freebsd.org/cgi/man.cgi?query=ioctl">ioctl(2)</a>
|
|
does insufficient validation of its input arguments. In
|
|
particular, negative coordinates or large coordinates may
|
|
cause unexpected behavior.</p>
|
|
<p>It may be possible to cause the CONS_SCRSHOT ioctl to
|
|
return portions of kernel memory. Such memory might
|
|
contain sensitive information, such as portions of the
|
|
file cache or terminal buffers. This information might be
|
|
directly useful, or it might be leveraged to obtain elevated
|
|
privileges in some way. For example, a terminal buffer
|
|
might include a user-entered password.</p>
|
|
<p>This bug may be exploitable by users who have access to the
|
|
physical console or can otherwise open a /dev/ttyv* device
|
|
node.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0919</cvename>
|
|
<freebsdsa>SA-04:15.syscons</freebsdsa>
|
|
<url>http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/dev/syscons/syscons.c#rev1.429</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-30</discovery>
|
|
<entry>2004-10-04</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2328adef-157c-11d9-8402-000d93664d5c">
|
|
<topic>racoon -- improper certificate handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>racoon</name>
|
|
<range><lt>20040818a</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Thomas Walpuski noted when OpenSSL would detect an error
|
|
condition for a peer certificate, racoon mistakenly ignored
|
|
the error. This could allow five invalid certificate states
|
|
to properly be used for authentication.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="20040614185623.GA10290@unproved.org">http://marc.theaimsgroup.com/?l=bugtraq&m=108726102304507</mlist>
|
|
<url>http://www.kame.net/racoon/racoon-ml/msg00517.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-01-31</discovery>
|
|
<entry>2004-10-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e8d4800f-1547-11d9-90a3-00010327614a">
|
|
<topic>distcc -- incorrect parsing of IP access control rules</topic>
|
|
<affects>
|
|
<package>
|
|
<name>distcc</name>
|
|
<range><lt>2.16</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<blockquote cite="http://distcc.samba.org/ftp/distcc/distcc-2.16.NEWS">
|
|
<p>Fix bug that might cause IP-based access control rules not to
|
|
be interpreted correctly on 64-bit platforms.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0601</cvename>
|
|
<url>http://distcc.samba.org/ftp/distcc/distcc-2.16.NEWS</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-23</discovery>
|
|
<entry>2004-10-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b2e6d1d6-1339-11d9-bc4a-000c41e2cdad">
|
|
<topic>mozilla -- scripting vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><lt>0.8</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>firefox</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><lt>1.p</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-netscape7</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-netscape7</name>
|
|
<name>netscape7</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><le>7.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.3,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Several scripting vulnerabilities were discovered and
|
|
corrected in Mozilla:</p>
|
|
<dl>
|
|
<dt>CVE-2004-0905</dt>
|
|
<dd>
|
|
<blockquote cite="http://www.mozilla.org/projects/security/known-vulnerabilities.html">
|
|
<p>javascript; links dragged onto another frame or
|
|
page allows an attacker to steal or modify sensitive
|
|
information from other sites. The user could be convinced
|
|
to drag obscurred links in the context of a game or even a
|
|
fake scrollbar. If the user could be convinced to drag two
|
|
links in sequence into a separate window (not frame) the
|
|
attacker would be able to run arbitrary programs.</p>
|
|
</blockquote>
|
|
</dd>
|
|
<dt>CVE-2004-0908</dt>
|
|
<dd>
|
|
<blockquote cite="http://www.mozilla.org/projects/security/known-vulnerabilities.html">
|
|
<p>Untrusted javascript code can read and write to the
|
|
clipboard, stealing any sensitive data the user might
|
|
have copied. <strong>Workaround:</strong> disable
|
|
javascript</p>
|
|
</blockquote>
|
|
</dd>
|
|
<dt>CVE-2004-0909</dt>
|
|
<dd>
|
|
<blockquote cite="http://www.mozilla.org/projects/security/known-vulnerabilities.html">
|
|
<p>Signed scripts requesting enhanced abilities could
|
|
construct the request in a way that led to a confusing
|
|
grant dialog, possibly fooling the user into thinking
|
|
the privilege requested was inconsequential while
|
|
actually obtaining explicit permission to run and
|
|
install software. <strong>Workaround:</strong> Never
|
|
grant enhanced abilities of any kind to untrusted web
|
|
pages.</p>
|
|
</blockquote>
|
|
</dd>
|
|
</dl>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0905</cvename>
|
|
<cvename>CVE-2004-0908</cvename>
|
|
<cvename>CVE-2004-0909</cvename>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=250862</url>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=257523</url>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=253942</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-13</discovery>
|
|
<entry>2004-09-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a7e0d783-131b-11d9-bc4a-000c41e2cdad">
|
|
<topic>mozilla -- users may be lured into bypassing security dialogs</topic>
|
|
<affects>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><lt>0.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>firefox</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><lt>0.9.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-netscape7</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-netscape7</name>
|
|
<name>netscape7</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><le>7.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>According to the Mozilla project:</p>
|
|
<blockquote cite="http://www.mozilla.org/projects/security/known-vulnerabilities.html">
|
|
<p>An attacker who could lure users into clicking in
|
|
particular places, or typing specific text, could cause a
|
|
security permission or software installation dialog to pop
|
|
up under the user's mouse click, clicking on the grant (or
|
|
install) button.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0762</cvename>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=162020</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-05</discovery>
|
|
<entry>2004-09-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5360a659-131c-11d9-bc4a-000c41e2cdad">
|
|
<topic>mozilla -- hostname spoofing bug</topic>
|
|
<affects>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><lt>0.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>firefox</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><lt>0.9.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-netscape7</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-netscape7</name>
|
|
<name>netscape7</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><le>7.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>de-linux-netscape</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>ja-linux-netscape</name>
|
|
<name>linux-netscape</name>
|
|
<name>linux-phoenix</name>
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>phoenix</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When processing URIs that contain an unqualified host name--
|
|
specifically, a domain name of only one component--
|
|
Mozilla will perform matching against the first component
|
|
of the domain name in SSL certificates. In other words, in
|
|
some situations, a certificate issued to "www.example.com"
|
|
will be accepted as matching "www".</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0765</cvename>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=234058</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-12</discovery>
|
|
<entry>2004-09-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="de16b056-132e-11d9-bc4a-000c41e2cdad">
|
|
<topic>samba -- remote file disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>samba</name>
|
|
<range><lt>2.2.12</lt></range>
|
|
<range><ge>3.a</ge><le>3.0.2a_1,1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>ja-samba</name>
|
|
<range><lt>2.2.11.j1.0_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>According to a Samba Team security notice:</p>
|
|
<blockquote cite="http://www.samba.org/samba/news/#security_2.2.12">
|
|
<p>A security vulnerability has been located in Samba
|
|
2.2.x <= 2.2.11 and Samba 3.0.x <= 3.0.5. A remote
|
|
attacker may be able to gain access to files which exist
|
|
outside of the share's defined path. Such files must still
|
|
be readable by the account used for the connection.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.samba.org/samba/news/#errata_05oct">
|
|
<p>The original notice for CAN-2004-0815 indicated that
|
|
Samba 3.0.x <= 3.0.5 was vulnerable to the security
|
|
issue. After further research, Samba developers have
|
|
confirmed that only Samba 3.0.2a and earlier releases
|
|
contain the exploitable code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0815</cvename>
|
|
<url>http://www.samba.org/samba/news/#security_2.2.12</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-30</discovery>
|
|
<entry>2004-09-30</entry>
|
|
<modified>2004-10-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ab9c559e-115a-11d9-bc4a-000c41e2cdad">
|
|
<topic>mozilla -- BMP decoder vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><lt>0.7.3_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-linux-mozillafirebird</name>
|
|
<name>el-linux-mozillafirebird</name>
|
|
<name>firefox</name>
|
|
<name>ja-linux-mozillafirebird-gtk1</name>
|
|
<name>ja-mozillafirebird-gtk2</name>
|
|
<name>linux-mozillafirebird</name>
|
|
<name>linux-phoenix</name>
|
|
<name>phoenix</name>
|
|
<name>ru-linux-mozillafirebird</name>
|
|
<name>zhCN-linux-mozillafirebird</name>
|
|
<name>zhTW-linux-mozillafirebird</name>
|
|
<range><lt>0.9.3_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-netscape7</name>
|
|
<name>fr-netscape7</name>
|
|
<name>ja-netscape7</name>
|
|
<name>netscape7</name>
|
|
<name>pt_BR-netscape7</name>
|
|
<range><le>7.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<range><lt>1.7.2_3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.2_2,2</lt></range>
|
|
<range><ge>1.8.a,2</ge><lt>1.8.a3_1,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<!-- These package names are obsolete. -->
|
|
<name>mozilla+ipv6</name>
|
|
<name>mozilla-embedded</name>
|
|
<name>mozilla-firebird</name>
|
|
<name>mozilla-gtk</name>
|
|
<name>mozilla-gtk2</name>
|
|
<name>mozilla-thunderbird</name>
|
|
<name>linux-netscape</name>
|
|
<name>de-linux-netscape</name>
|
|
<name>fr-linux-netscape</name>
|
|
<name>ja-linux-netscape</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Gael Delalleau discovered several integer overflows in
|
|
Mozilla's BMP decoder that can result in denial-of-service or
|
|
arbitrary code execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0904</cvename>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=255067</url>
|
|
<uscertta>TA04-261A</uscertta>
|
|
<certvu>847200</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-13</discovery>
|
|
<entry>2004-09-28</entry>
|
|
<modified>2004-09-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="da690355-1159-11d9-bc4a-000c41e2cdad">
|
|
<topic>mozilla -- vCard stack buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><lt>0.7.3_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.2_2,2</lt></range>
|
|
<range><ge>1.8.a,2</ge><lt>1.8.a3_1,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<range><lt>1.7.2_3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<range><lt>1.7.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Georgi Guninski discovered a stack buffer overflow which
|
|
may be triggered when viewing email messages with vCard
|
|
attachments.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0903</cvename>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=257314</url>
|
|
<uscertta>TA04-261A</uscertta>
|
|
<certvu>414240</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-13</discovery>
|
|
<entry>2004-09-28</entry>
|
|
<modified>2004-09-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="93d6162f-1153-11d9-bc4a-000c41e2cdad">
|
|
<topic>mozilla -- multiple heap buffer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><lt>0.7.3_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>0.9.3_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.2_2,2</lt></range>
|
|
<range><ge>1.8.a,2</ge><lt>1.8.a3_1,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<range><lt>1.7.2_3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<range><lt>1.7.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozillafirebird</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Several heap buffer overflows were discovered and fixed in the
|
|
most recent versions of Mozilla, Firefox, and Thunderbird.
|
|
These overflows may occur when:</p>
|
|
<ul>
|
|
<li>Using the "Send Page" function.</li>
|
|
<li>Checking mail on a malicious POP3 server.</li>
|
|
<li>Processing non-ASCII URLs.</li>
|
|
</ul>
|
|
<p>Each of these vulnerabilities may be exploited for remote
|
|
code execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0902</cvename>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=258005</url>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=245066</url>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=226669</url>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=256316</url>
|
|
<uscertta>TA04-261A</uscertta>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-13</discovery>
|
|
<entry>2004-09-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="edf61c61-0f07-11d9-8393-000103ccf9d6">
|
|
<topic>php -- strip_tags cross-site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_php4-twig</name>
|
|
<name>php4</name>
|
|
<name>php4-cgi</name>
|
|
<name>php4-cli</name>
|
|
<name>php4-dtc</name>
|
|
<name>php4-horde</name>
|
|
<name>php4-nms</name>
|
|
<range><le>4.3.7_3</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mod_php4</name>
|
|
<range><le>4.3.7_3,1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>php5</name>
|
|
<name>php5-cgi</name>
|
|
<name>php5-cli</name>
|
|
<range><le>5.0.0.r3_2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mod_php5</name>
|
|
<range><le>5.0.0.r3_2,1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefan Esser of e-matters discovered that PHP's strip_tags()
|
|
function would ignore certain characters during parsing of tags,
|
|
allowing these tags to pass through. Select browsers could then
|
|
parse these tags, possibly allowing cross-site scripting attacks.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0595</cvename>
|
|
<mlist msgid="20040713225525.GB26865@e-matters.de">http://marc.theaimsgroup.com/?l=bugtraq&m=108981589117423</mlist>
|
|
<url>http://security.e-matters.de/advisories/122004.html</url>
|
|
<bid>10724</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2007-07-07</discovery>
|
|
<entry>2004-09-27</entry>
|
|
<modified>2004-10-02</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="dd7aa4f1-102f-11d9-8a8a-000c41e2cdad">
|
|
<topic>php -- memory_limit related vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_php4-twig</name>
|
|
<name>php4</name>
|
|
<name>php4-cgi</name>
|
|
<name>php4-cli</name>
|
|
<name>php4-dtc</name>
|
|
<name>php4-horde</name>
|
|
<name>php4-nms</name>
|
|
<range><le>4.3.7_3</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mod_php4</name>
|
|
<range><le>4.3.7_3,1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>php5</name>
|
|
<name>php5-cgi</name>
|
|
<name>php5-cli</name>
|
|
<range><le>5.0.0.r3_2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mod_php5</name>
|
|
<range><le>5.0.0.r3_2,1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefan Esser of e-matters discovered a condition within PHP
|
|
that may lead to remote execution of arbitrary code. The
|
|
memory_limit facility is used to notify functions when memory
|
|
contraints have been met. Under certain conditions, the entry
|
|
into this facility is able to interrupt functions such as
|
|
zend_hash_init() at locations not suitable for interruption.
|
|
The result would leave these functions in a vulnerable state.</p>
|
|
<blockquote cite="http://security.e-matters.de/advisories/112004.html">
|
|
<p>An attacker that is able to trigger the memory_limit abort
|
|
within zend_hash_init() and is additionally able to control
|
|
the heap before the HashTable itself is allocated, is able to
|
|
supply his own HashTable destructor pointer. [...]</p>
|
|
<p>All mentioned places outside of the extensions are quite easy
|
|
to exploit, because the memory allocation up to those places
|
|
is deterministic and quite static throughout different PHP
|
|
versions. [...]</p>
|
|
<p>Because the exploit itself consist of supplying an arbitrary
|
|
destructor pointer this bug is exploitable on any platform.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0594</cvename>
|
|
<mlist msgid="20040713225329.GA26865@e-matters.de">http://marc.theaimsgroup.com/?l=bugtraq&m=108981780109154</mlist>
|
|
<url>http://security.e-matters.de/advisories/112004.html</url>
|
|
<bid>10725</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2007-07-07</discovery>
|
|
<entry>2004-09-27</entry>
|
|
<modified>2004-10-02</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="184f5d0b-0fe8-11d9-8a8a-000c41e2cdad">
|
|
<topic>subversion -- WebDAV fails to protect metadata</topic>
|
|
<affects>
|
|
<package>
|
|
<name>subversion</name>
|
|
<name>subversion-perl</name>
|
|
<name>subversion-python</name>
|
|
<range><lt>1.0.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>In some situations, subversion metadata may be unexpectedly
|
|
disclosed via WebDAV. A subversion advisory states:</p>
|
|
<blockquote cite="http://subversion.tigris.org/security/CAN-2004-0749-advisory.txt">
|
|
<p>mod_authz_svn, the Apache httpd module which does path-based
|
|
authorization on Subversion repositories, is not correctly
|
|
protecting all metadata on unreadable paths.</p>
|
|
<p>This security issue is not about revealing the contents
|
|
of protected files: it only reveals metadata about
|
|
protected areas such as paths and log messages. This may
|
|
or may not be important to your organization, depending
|
|
on how you're using path-based authorization, and the
|
|
sensitivity of the metadata. </p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0749</cvename>
|
|
<url>http://subversion.tigris.org/security/CAN-2004-0749-advisory.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-15</discovery>
|
|
<entry>2004-09-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="273cc1a3-0d6b-11d9-8a8a-000c41e2cdad">
|
|
<topic>lha -- numerous vulnerabilities when extracting archives</topic>
|
|
<affects>
|
|
<package>
|
|
<name>lha</name>
|
|
<range><lt>1.14i_6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Source code reviews of lha by Lukasz Wojtow, Thomas Biege,
|
|
and others uncovered a number of vulnerabilities affecting
|
|
lha:</p>
|
|
<ul>
|
|
<li>Buffer overflows when handling archives and filenames.
|
|
(CVE-2004-0694)</li>
|
|
<li>Possible command execution via shell meta-characters when
|
|
built with NOMKDIR. (CVE-2004-0745)</li>
|
|
<li>Buffer overflow resulting in arbitrary code execution when
|
|
handling long pathnames in LHZ archives. (CVE-2004-0769)</li>
|
|
<li>Buffer overflow in the extract_one. (CVE-2004-0771)</li>
|
|
</ul>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0694</cvename>
|
|
<cvename>CVE-2004-0745</cvename>
|
|
<cvename>CVE-2004-0769</cvename>
|
|
<cvename>CVE-2004-0771</cvename>
|
|
<mlist msgid="20040515110900.24784.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=108464470103227</mlist>
|
|
<mlist msgid="20040606162856.29866.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153</mlist>
|
|
<url>http://bugs.gentoo.org/show_bug.cgi?id=51285</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/16196</url>
|
|
<bid>10354</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-17</discovery>
|
|
<entry>2004-09-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="77420ebb-0cf4-11d9-8a8a-000c41e2cdad">
|
|
<topic>mysql -- heap buffer overflow with prepared statements</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<name>mysql-client</name>
|
|
<range><ge>4.1.0</ge><le>4.1.4</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>There is a buffer overflow in the prepared statements API
|
|
(libmysqlclient) when a statement containing thousands of
|
|
placeholders is executed.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://bugs.mysql.com/bug.php?id=5194</url>
|
|
<url>http://dev.mysql.com/doc/mysql/en/News-4.1.5.html</url>
|
|
<url>http://mysql.bkbits.net:8080/mysql-4.1/cset@1.1932.152.4</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-08</discovery>
|
|
<entry>2004-09-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e9f9d232-0cb2-11d9-8a8a-000c41e2cdad">
|
|
<topic>mozilla -- security icon spoofing</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>0.9</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<range><lt>1.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Under certain situations it is possible for the security icon
|
|
which Mozilla displays when connected to a site using SSL to
|
|
be spoofed. This could be used to make so-called "phishing
|
|
attacks" more difficult to detect.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0761</cvename>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=240053</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-08</discovery>
|
|
<entry>2004-09-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7c188c55-0cb0-11d9-8a8a-000c41e2cdad">
|
|
<topic>mozilla -- NULL bytes in FTP URLs</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>0.9.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.2,2</lt></range>
|
|
<range><ge>1.8.a,2</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<range><lt>1.7.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When handling FTP URLs containing NULL bytes, Mozilla will
|
|
interpret the file content as HTML. This may allow unexpected
|
|
execution of Javascript when viewing plain text or other file
|
|
types via FTP.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0760</cvename>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=250906</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-11</discovery>
|
|
<entry>2004-09-22</entry>
|
|
<modified>2004-09-24</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6e740881-0cae-11d9-8a8a-000c41e2cdad">
|
|
<topic>mozilla -- automated file upload</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><ge>1.7.a,2</ge><lt>1.7,2</lt></range>
|
|
<range><ge>1.8.a,2</ge><lt>1.8.a2,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<range><ge>1.7.a</ge><lt>1.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A malicious web page can cause an automated file upload
|
|
from the victim's machine when viewed with Mozilla with
|
|
Javascript enabled. This is due to a bug permitting
|
|
default values for type="file" <input> elements in
|
|
certain situations.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0759</cvename>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=241924</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-28</discovery>
|
|
<entry>2004-09-22</entry>
|
|
<modified>2004-09-26</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8d823883-0ca9-11d9-8a8a-000c41e2cdad">
|
|
<topic>mozilla -- built-in CA certificates may be overridden</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>0.9.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.2,2</lt></range>
|
|
<range><ge>1.8.a,2</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<range><lt>1.7.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Under some situations, Mozilla will automatically import
|
|
a certificate from an email message or web site. This
|
|
behavior can be used as a denial-of-service attack: if the
|
|
certificate has a distinguished name (DN) identical to one
|
|
of the built-in Certificate Authorities (CAs), then Mozilla
|
|
will no longer be able to certify sites with certificates
|
|
issued from that CA.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0758</cvename>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=249004</url>
|
|
<certvu>160360</certvu>
|
|
<url>http://banquo.inf.ethz.ch:8080/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-29</discovery>
|
|
<entry>2004-09-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a4815970-c5cc-11d8-8898-000d6111a684">
|
|
<topic>rssh -- file name disclosure bug</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rssh</name>
|
|
<range><lt>2.2.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>rssh expands command line paramters before invoking chroot.
|
|
This could result in the disclosure to the client of file
|
|
names outside of the chroot directory. A posting by the rssh
|
|
author explains:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=108787373022844">
|
|
<p>The cause of the problem identified by Mr. McCaw is that
|
|
rssh expanded command-line arguments prior to entering
|
|
the chroot jail. This bug DOES NOT allow a user to
|
|
access any of the files outside the jail, but can allow
|
|
them to discover what files are in a directory which is
|
|
outside the jail, if their credentials on the server would
|
|
normally allow them read/execute access in the specified
|
|
directory.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0609</cvename>
|
|
<mlist msgid="20040619074141.GG13649@sophic.org">http://marc.theaimsgroup.com/?l=bugtraq&m=108787373022844</mlist>
|
|
<bid>10574</bid>
|
|
<url>http://www.osvdb.org/7239</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-19</discovery>
|
|
<entry>2004-09-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e6f0edd8-0b40-11d9-8a8a-000c41e2cdad">
|
|
<topic>gnu-radius -- SNMP-related denial-of-service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnu-radius</name>
|
|
<range><lt>1.2.94</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE security advisory reports:</p>
|
|
<blockquote cite="http://www.idefense.com/application/poi/display?id=141&type=vulnerabilities">
|
|
<p>Remote exploitation of an input validation error in
|
|
version 1.2 of GNU radiusd could allow a denial of
|
|
service.</p>
|
|
<p>The vulnerability specifically exists within
|
|
the asn_decode_string() function defined in
|
|
snmplib/asn1.c. When a very large unsigned number is
|
|
supplied, it is possible that an integer overflow will
|
|
occur in the bounds-checking code. The daemon will then
|
|
attempt to reference unallocated memory, resulting in an
|
|
access violation that causes the process to terminate.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0849</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=141&type=vulnerabilities</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-15</discovery>
|
|
<entry>2004-09-20</entry>
|
|
<modified>2005-05-03</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a268ef4a-0b35-11d9-8a8a-000c41e2cdad">
|
|
<topic>sudo -- sudoedit information disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sudo</name>
|
|
<range><eq>1.6.8</eq></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A new feature of sudo 1.6.8 called "sudoedit" (a safe
|
|
editing facility) may allow users to read files to which
|
|
they normally have no access.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.sudo.ws/sudo/alerts/sudoedit.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-18</discovery>
|
|
<entry>2004-09-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ca6c8f35-0a5f-11d9-ad6f-00061bc2ad93">
|
|
<topic>apache -- heap overflow in mod_proxy</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><lt>1.3.31_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache13-ssl</name>
|
|
<range><le>1.3.29.1.53_2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>apache13-modssl</name>
|
|
<range><lt>1.3.31+2.8.18_4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache13+ipv6</name>
|
|
<range><le>1.3.29_2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>apache13-modperl</name>
|
|
<range><le>1.3.31</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A buffer overflow exists in mod_proxy which may
|
|
allow an attacker to launch local DoS attacks
|
|
and possibly execute arbitrary code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0492</cvename>
|
|
<url>http://www.guninski.com/modproxy1.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-10</discovery>
|
|
<entry>2004-09-19</entry>
|
|
<modified>2004-10-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d2102505-f03d-11d8-81b0-000347a4fa7d">
|
|
<topic>cvs -- numerous vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cvs+ipv6</name>
|
|
<range><lt>1.11.17</lt></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.2</ge><lt>5.2.1_10</lt></range>
|
|
<range><ge>4.10</ge><lt>4.10_3</lt></range>
|
|
<range><ge>4.9</ge><lt>4.9_12</lt></range>
|
|
<range><ge>4.8</ge><lt>4.8_25</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A number of vulnerabilities were discovered in CVS by
|
|
Stefan Esser, Sebastian Krahmer, and Derek Price.</p>
|
|
<ul>
|
|
<li>Insufficient input validation while processing "Entry"
|
|
lines. (CVE-2004-0414)</li>
|
|
<li>A double-free resulting from erroneous state handling while
|
|
processing "Argumentx" commands. (CVE-2004-0416)</li>
|
|
<li>Integer overflow while processing "Max-dotdot" commands.
|
|
(CVE-2004-0417)</li>
|
|
<li>Erroneous handling of empty entries handled while processing
|
|
"Notify" commands. (CVE-2004-0418)</li>
|
|
<li>A format string bug while processing CVS wrappers.</li>
|
|
<li>Single-byte buffer underflows while processing configuration files
|
|
from CVSROOT.</li>
|
|
<li>Various other integer overflows.</li>
|
|
</ul>
|
|
<p>Additionally, iDEFENSE reports an undocumented command-line
|
|
flag used in debugging does not perform input validation on
|
|
the given path names.</p>
|
|
<p>CVS servers ("cvs server" or :pserver: modes) are
|
|
affected by these vulnerabilities. They vary in impact
|
|
but include information disclosure (the iDEFENSE-reported
|
|
bug), denial-of-service (CVE-2004-0414, CVE-2004-0416,
|
|
CVE-2004-0417 and other bugs), or possibly arbitrary code
|
|
execution (CVE-2004-0418). In very special situations where
|
|
the attacker may somehow influence the contents of CVS
|
|
configuration files in CVSROOT, additional attacks may be
|
|
possible.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0414</cvename>
|
|
<cvename>CVE-2004-0416</cvename>
|
|
<cvename>CVE-2004-0417</cvename>
|
|
<cvename>CVE-2004-0418</cvename>
|
|
<cvename>CVE-2004-0778</cvename>
|
|
<url>http://secunia.com/advisories/11817</url>
|
|
<url>http://secunia.com/advisories/12309</url>
|
|
<url>http://security.e-matters.de/advisories/092004.html</url>
|
|
<url>http://www.idefense.com/application/poi/display?id=130&type=vulnerabilities&flashstatus=false</url>
|
|
<url>https://ccvs.cvshome.org/source/browse/ccvs/NEWS?rev=1.116.2.104</url>
|
|
<url>http://www.osvdb.org/6830</url>
|
|
<url>http://www.osvdb.org/6831</url>
|
|
<url>http://www.osvdb.org/6832</url>
|
|
<url>http://www.osvdb.org/6833</url>
|
|
<url>http://www.osvdb.org/6834</url>
|
|
<url>http://www.osvdb.org/6835</url>
|
|
<url>http://www.osvdb.org/6836</url>
|
|
<bid>10499</bid>
|
|
<freebsdsa>SA-04:14.cvs</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-20</discovery>
|
|
<entry>2004-08-17</entry>
|
|
<modified>2004-09-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3d1e9267-073f-11d9-b45d-000c41e2cdad">
|
|
<topic>gdk-pixbuf -- image decoding vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-gdk-pixbuf</name>
|
|
<range><lt>0.22.0.11.3.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gtk</name>
|
|
<range><ge>2.0</ge><lt>2.4.9_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gdk-pixbuf</name>
|
|
<range><lt>0.22.0_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Chris Evans discovered several flaws in the gdk-pixbuf
|
|
XPM image decoder:</p>
|
|
<ul>
|
|
<li>Heap-based overflow in pixbuf_create_from_xpm</li>
|
|
<li>Stack-based overflow in xpm_extract_color</li>
|
|
<li>Integer overflows in io-ico.c</li>
|
|
</ul>
|
|
<p>Some of these flaws are believed to be exploitable.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0782</cvename>
|
|
<cvename>CVE-2004-0783</cvename>
|
|
<cvename>CVE-2004-0788</cvename>
|
|
<url>http://scary.beasts.org/security/CESA-2004-005.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-15</discovery>
|
|
<entry>2004-09-15</entry>
|
|
<modified>2004-11-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ef253f8b-0727-11d9-b45d-000c41e2cdad">
|
|
<topic>xpm -- image decoding vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>agenda-snow-libs</name>
|
|
<name>linux_base</name>
|
|
<name>open-motif-devel</name>
|
|
<name>mupad</name>
|
|
<name>zh-cle_base</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<package>
|
|
<name>libXpm</name>
|
|
<range><lt>3.5.1_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>XFree86-libraries</name>
|
|
<range><lt>4.4.0_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>xorg-libraries</name>
|
|
<range><lt>6.7.0_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>lesstif</name>
|
|
<range><lt>0.93.96,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>xpm</name>
|
|
<range><lt>3.4k_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-openmotif</name>
|
|
<range><lt>2.2.4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>open-motif</name>
|
|
<range><lt>2.2.3_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Chris Evans discovered several vulnerabilities in the libXpm
|
|
image decoder:</p>
|
|
<ul>
|
|
<li>A stack-based buffer overflow in xpmParseColors</li>
|
|
<li>An integer overflow in xpmParseColors</li>
|
|
<li>A stack-based buffer overflow in ParsePixels and
|
|
ParseAndPutPixels</li>
|
|
</ul>
|
|
<p>The X11R6.8.1 release announcement reads:</p>
|
|
<blockquote cite="http://freedesktop.org/pipermail/xorg/2004-September/003172.html">
|
|
<p>This version is purely a security release, addressing
|
|
multiple integer and stack overflows in libXpm, the X
|
|
Pixmap library; all known versions of X (both XFree86
|
|
and X.Org) are affected, so all users of X are strongly
|
|
encouraged to upgrade.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0687</cvename>
|
|
<cvename>CVE-2004-0688</cvename>
|
|
<url>http://freedesktop.org/pipermail/xorg/2004-September/003172.html</url>
|
|
<url>http://scary.beasts.org/security/CESA-2004-003.txt</url>
|
|
<certvu>537878</certvu>
|
|
<certvu>882750</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-15</discovery>
|
|
<entry>2004-09-15</entry>
|
|
<modified>2005-01-03</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="05dcf751-0733-11d9-b45d-000c41e2cdad">
|
|
<topic>cups -- print queue browser denial-of-service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cups-base</name>
|
|
<range><lt>1.1.21</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>If the CUPS server (cupsd) receives a zero-length UDP
|
|
message, it will disable its print queue browser service.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0558</cvename>
|
|
<url>http://www.cups.org/str.php?L863</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-23</discovery>
|
|
<entry>2004-09-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="762d1c6d-0722-11d9-b45d-000c41e2cdad">
|
|
<topic>apache -- apr_uri_parse IPv6 address handling vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><ge>2.0</ge><lt>2.0.50_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Apache Software Foundation Security Team discovered a
|
|
programming error in the apr-util library function apr_uri_parse.
|
|
When parsing IPv6 literal addresses, it is possible that a
|
|
length is incorrectly calculated to be negative, and this
|
|
value is passed to memcpy. This may result in an exploitable
|
|
vulnerability on some platforms, including FreeBSD.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0786</cvename>
|
|
<url>http://httpd.apache.org</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-15</discovery>
|
|
<entry>2004-09-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="013fa252-0724-11d9-b45d-000c41e2cdad">
|
|
<topic>mod_dav -- lock related denial-of-service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><ge>2.0</ge><lt>2.0.50_3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mod_dav</name>
|
|
<range><le>1.0.3_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A malicious user with DAV write privileges can trigger a null
|
|
pointer dereference in the Apache mod_dav module. This
|
|
could cause the server to become unavailable.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0809</cvename>
|
|
<url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-15</discovery>
|
|
<entry>2004-09-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4d49f4ba-071f-11d9-b45d-000c41e2cdad">
|
|
<topic>apache -- ap_resolve_env buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><ge>2.0</ge><lt>2.0.50_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>SITIC discovered a vulnerability in Apache 2's handling of
|
|
environmental variable settings in the httpd configuration
|
|
files (the main `httpd.conf' and `.htaccess' files).
|
|
According to a SITIC advisory:</p>
|
|
<blockquote cite="http://lists.netsys.com/pipermail/full-disclosure/2004-September/026463.html">
|
|
<p>The buffer overflow occurs when expanding ${ENVVAR}
|
|
constructs in .htaccess or httpd.conf files. The function
|
|
ap_resolve_env() in server/util.c copies data from
|
|
environment variables to the character array tmp with
|
|
strcat(3), leading to a buffer overflow. </p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0747</cvename>
|
|
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-September/026463.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-15</discovery>
|
|
<entry>2004-09-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ae7b7f65-05c7-11d9-b45d-000c41e2cdad">
|
|
<topic>webmin -- insecure temporary file creation at installation time</topic>
|
|
<affects>
|
|
<package>
|
|
<name>webmin</name>
|
|
<range><lt>1.150_5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Webmin developers documented a security issue in the
|
|
release notes for version 1.160:</p>
|
|
<blockquote cite="http://www.webmin.com/changes-1.160.html">
|
|
<p>Fixed a security hole in the maketemp.pl script, used
|
|
to create the /tmp/.webmin directory at install time. If
|
|
an un-trusted user creates this directory before Webmin
|
|
is installed, he could create in it a symbolic link
|
|
pointing to a critical file on the system, which would be
|
|
overwritten when Webmin writes to the link filename.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0559</cvename>
|
|
<url>http://www.webmin.com/changes-1.160.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-05</discovery>
|
|
<entry>2004-09-14</entry>
|
|
<modified>2004-09-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a711de5c-05fa-11d9-a9b2-00061bc2ad93">
|
|
<topic>samba3 DoS attack</topic>
|
|
<affects>
|
|
<package>
|
|
<name>samba3</name>
|
|
<range><lt>3.0.7,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Code found in nmbd and smbd may allow a remote attacker
|
|
to effectively crash the nmbd server or use the smbd
|
|
server to exhaust the system memory.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0807</cvename>
|
|
<cvename>CVE-2004-0808</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=139&type=vulnerabilities</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-09-02</discovery>
|
|
<entry>2004-09-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c1d97a8b-05ed-11d9-b45d-000c41e2cdad">
|
|
<topic>mozilla -- POP client heap overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<range><lt>1.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><lt>7.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><lt>0.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>zen-parse discovered a heap buffer overflow in Mozilla's
|
|
POP client implementation. A malicious POP server
|
|
could exploit this vulnerability to cause Mozilla to execute
|
|
arbitrary code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0757</cvename>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=229374</url>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=157644</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-22</discovery>
|
|
<entry>2004-09-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a4fd8f53-05eb-11d9-b45d-000c41e2cdad">
|
|
<topic>mozilla -- SOAPParameter integer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>0.9</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<name>mozilla-gtk1</name>
|
|
<range><lt>1.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><lt>7.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>zen-parse discovered and iDEFENSE reported an exploitable
|
|
integer overflow in a scriptable Mozilla component
|
|
`SOAPParameter':</p>
|
|
<blockquote cite="http://www.idefense.com/application/poi/display?id=117&type=vulnerabilities">
|
|
<p>Improper input validation to the SOAPParameter object
|
|
constructor in Netscape and Mozilla allows execution of
|
|
arbitrary code. The SOAPParameter object's constructor
|
|
contains an integer overflow which allows controllable
|
|
heap corruption. A web page can be constructed to
|
|
leverage this into remote execution of arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0722</cvename>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=236618</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-02</discovery>
|
|
<entry>2004-09-14</entry>
|
|
<modified>2004-09-22</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c62dc69f-05c8-11d9-b45d-000c41e2cdad">
|
|
<topic>openoffice -- document disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openoffice</name>
|
|
<name>ar-openoffice</name>
|
|
<name>ca-openoffice</name>
|
|
<name>cs-openoffice</name>
|
|
<name>de-openoffice</name>
|
|
<name>dk-openoffice</name>
|
|
<name>el-openoffice</name>
|
|
<name>es-openoffice</name>
|
|
<name>et-openoffice</name>
|
|
<name>fi-openoffice</name>
|
|
<name>fr-openoffice</name>
|
|
<name>gr-openoffice</name>
|
|
<name>hu-openoffice</name>
|
|
<name>it-openoffice</name>
|
|
<name>ja-openoffice</name>
|
|
<name>ko-openoffice</name>
|
|
<name>nl-openoffice</name>
|
|
<name>pl-openoffice</name>
|
|
<name>pt-openoffice</name>
|
|
<name>pt_BR-openoffice</name>
|
|
<name>ru-openoffice</name>
|
|
<name>se-openoffice</name>
|
|
<name>sk-openoffice</name>
|
|
<name>sl-openoffice-SI</name>
|
|
<name>tr-openoffice</name>
|
|
<name>zh-openoffice-CN</name>
|
|
<name>zh-openoffice-TW</name>
|
|
<range><lt>1.1.2_1</lt></range>
|
|
<range><ge>2.0</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>OpenOffice creates a working directory in /tmp on startup,
|
|
and uses this directory to temporarily store document
|
|
content. However, the permissions of the created directory
|
|
may allow other user on the system to read these files,
|
|
potentially exposing information the user likely assumed was
|
|
inaccessible.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0752</cvename>
|
|
<url>http://www.openoffice.org/issues/show_bug.cgi?id=33357</url>
|
|
<url>http://securitytracker.com/alerts/2004/Sep/1011205.html</url>
|
|
<mlist msgid="20040910152759.7739.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=109483308421566</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-24</discovery>
|
|
<entry>2004-09-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="15e0e963-02ed-11d9-a209-00061bc2ad93">
|
|
<topic>mpg123 buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mpg123</name>
|
|
<name>mpg123-nas</name>
|
|
<name>mpg123-esound</name>
|
|
<range><le>0.59r</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The mpg123 software version 0.59r contains a
|
|
buffer overflow vulnerability which may permit
|
|
the execution of arbitrary code as the owner of
|
|
the mpg123 process.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0805</cvename>
|
|
<url>http://www.alighieri.org/advisories/advisory-mpg123.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-08-16</discovery>
|
|
<entry>2004-09-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b6cad7f3-fb59-11d8-9837-000c41e2cdad">
|
|
<topic>ImageMagick -- BMP decoder buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ImageMagick</name>
|
|
<name>ImageMagick-nox11</name>
|
|
<range><lt>6.0.6.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Marcus Meissner discovered that ImageMagick's BMP decoder would
|
|
crash when loading the test BMP file created by Chris Evans
|
|
for testing the previous Qt vulnerability.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0827</cvename>
|
|
<url>http://www.imagemagick.org/www/Changelog.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-25</discovery>
|
|
<entry>2004-08-31</entry>
|
|
<modified>2004-09-14</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="641859e8-eca1-11d8-b913-000c41e2cdad">
|
|
<topic>Mutiple browser frame injection vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kdelibs</name>
|
|
<range><lt>3.2.3_3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>kdebase</name>
|
|
<range><lt>3.2.3_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-opera</name>
|
|
<name>opera</name>
|
|
<range><ge>7.50</ge><lt>7.52</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>0.9</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<name>linux-mozilla-devel</name>
|
|
<name>mozilla-gtk1</name>
|
|
<range><lt>1.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7,2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<range><lt>7.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A class of bugs affecting many web browsers in the same way
|
|
was discovered. A Secunia advisory reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/11978">
|
|
<p>The problem is that the browsers don't check if a target
|
|
frame belongs to a website containing a malicious link,
|
|
which therefore doesn't prevent one browser window from
|
|
loading content in a named frame in another window.</p>
|
|
<p>Successful exploitation allows a malicious website to load
|
|
arbitrary content in an arbitrary frame in another browser
|
|
window owned by e.g. a trusted site.</p>
|
|
</blockquote>
|
|
<p>A KDE Security Advisory reports:</p>
|
|
<blockquote cite="http://www.kde.org/info/security/advisory-20040811-3.txt">
|
|
<p>A malicious website could abuse Konqueror to insert
|
|
its own frames into the page of an otherwise trusted
|
|
website. As a result the user may unknowingly send
|
|
confidential information intended for the trusted website
|
|
to the malicious website.</p>
|
|
</blockquote>
|
|
<p>Secunia has provided a demonstration of the vulnerability at <a href="http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/">http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/</a>.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0717</cvename>
|
|
<cvename>CVE-2004-0718</cvename>
|
|
<cvename>CVE-2004-0721</cvename>
|
|
<url>http://secunia.com/advisories/11978/</url>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=246448</url>
|
|
<url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-htmlframes.patch</url>
|
|
<url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdebase-htmlframes.patch</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-11</discovery>
|
|
<entry>2004-08-12</entry>
|
|
<modified>2004-09-14</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b7cb488c-8349-11d8-a41f-0020ed76ef5a">
|
|
<topic>isakmpd payload handling denial-of-service vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>isakmpd</name>
|
|
<range><le>20030903</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Numerous errors in isakmpd's input packet validation lead to
|
|
denial-of-service vulnerabilities. From the Rapid7 advisory:</p>
|
|
<blockquote cite="http://www.rapid7.com/advisories/R7-0018.html">
|
|
<p>The ISAKMP packet processing functions in OpenBSD's
|
|
isakmpd daemon contain multiple payload handling flaws
|
|
that allow a remote attacker to launch a denial of
|
|
service attack against the daemon.</p>
|
|
<p>Carefully crafted ISAKMP packets will cause the isakmpd
|
|
daemon to attempt out-of-bounds reads, exhaust available
|
|
memory, or loop endlessly (consuming 100% of the CPU).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0218</cvename>
|
|
<cvename>CVE-2004-0219</cvename>
|
|
<cvename>CVE-2004-0220</cvename>
|
|
<cvename>CVE-2004-0221</cvename>
|
|
<cvename>CVE-2004-0222</cvename>
|
|
<url>http://www.rapid7.com/advisories/R7-0018.html</url>
|
|
<url>http://www.openbsd.org/errata34.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-17</discovery>
|
|
<entry>2004-03-31</entry>
|
|
<modified>2004-09-14</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="00644f03-fb58-11d8-9837-000c41e2cdad">
|
|
<topic>imlib -- BMP decoder heap buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>imlib</name>
|
|
<range><lt>1.9.14_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Marcus Meissner discovered that imlib's BMP decoder would
|
|
crash when loading the test BMP file created by Chris Evans
|
|
for testing the previous Qt vulnerability. It is believed
|
|
that this bug could be exploited for arbitrary code execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0817</cvename>
|
|
<url>http://bugzilla.gnome.org/show_bug.cgi?id=151034</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-25</discovery>
|
|
<entry>2004-08-31</entry>
|
|
<modified>2004-09-02</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="86a98b57-fb8e-11d8-9343-000a95bc6fae">
|
|
<topic>krb5 -- double-free vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>krb5</name>
|
|
<range><le>1.3.4_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An advisory published by the MIT Kerberos team says:</p>
|
|
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt">
|
|
<p>The MIT Kerberos 5 implementation's Key Distribution Center
|
|
(KDC) program contains a double-free vulnerability that
|
|
potentially allows a remote attacker to execute arbitrary code.
|
|
Compromise of a KDC host compromises the security of the entire
|
|
authentication realm served by the KDC. Additionally, double-free
|
|
vulnerabilities exist in MIT Kerberos 5 library code, making
|
|
client programs and application servers vulnerable.</p>
|
|
</blockquote>
|
|
<p>Double-free vulnerabilities of this type are not believed to be
|
|
exploitable for code execution on FreeBSD systems. However,
|
|
the potential for other ill effects may exist.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0642</cvename>
|
|
<cvename>CVE-2004-0643</cvename>
|
|
<cvename>CVE-2004-0772</cvename>
|
|
<certvu>795632</certvu>
|
|
<certvu>866472</certvu>
|
|
<certvu>350792</certvu>
|
|
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-31</discovery>
|
|
<entry>2004-08-31</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="bd60922b-fb8d-11d8-a13e-000a95bc6fae">
|
|
<topic>krb5 -- ASN.1 decoder denial-of-service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>krb5</name>
|
|
<range><ge>1.2.2</ge><le>1.3.4</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An advisory published by the MIT Kerberos team says:</p>
|
|
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt">
|
|
<p>The ASN.1 decoder library in the MIT Kerberos 5 distribution
|
|
is vulnerable to a denial-of-service attack causing an infinite
|
|
loop in the decoder. The KDC is vulnerable to this attack.</p>
|
|
<p>An unauthenticated remote attacker can cause a KDC or application
|
|
server to hang inside an infinite loop.</p>
|
|
<p>An attacker impersonating a legitimate KDC or application
|
|
server may cause a client program to hang inside an infinite
|
|
loop.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0644</cvename>
|
|
<certvu>550464</certvu>
|
|
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-31</discovery>
|
|
<entry>2004-08-31</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ba005226-fb5b-11d8-9837-000c41e2cdad">
|
|
<topic>imlib2 -- BMP decoder buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>imlib2</name>
|
|
<range><le>1.1.1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Marcus Meissner discovered that imlib2's BMP decoder would
|
|
crash when loading the test BMP file created by Chris Evans
|
|
for testing the previous Qt vulnerability. There appears to
|
|
be both a stack-based and a heap-based buffer overflow that
|
|
are believed to be exploitable for arbitrary code execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0802</cvename>
|
|
<url>http://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/libs/imlib2/ChangeLog?rev=1.20&view=markup</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-31</discovery>
|
|
<entry>2004-08-31</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0d3a5148-f512-11d8-9837-000c41e2cdad">
|
|
<topic>SpamAssassin -- denial-of-service in tokenize_headers</topic>
|
|
<affects>
|
|
<package>
|
|
<name>p5-Mail-SpamAssassin</name>
|
|
<range><lt>2.64</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>According to the SpamAssassin 2.64 release announcement:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=spamassassin-announce&m=109168121628767">
|
|
<p>Security fix prevents a denial of service attack open
|
|
to certain malformed messages; this DoS affects all
|
|
SpamAssassin 2.5x and 2.6x versions to date.</p>
|
|
</blockquote>
|
|
<p>The issue appears to be triggered by overly long message
|
|
headers.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0796</cvename>
|
|
<bid>10957</bid>
|
|
<mlist>http://marc.theaimsgroup.com/?l=spamassassin-announce&m=109168121628767</mlist>
|
|
<url>http://search.cpan.org/src/JMASON/Mail-SpamAssassin-2.64/Changes</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-04</discovery>
|
|
<entry>2004-08-23</entry>
|
|
<modified>2004-08-28</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c4b025bb-f05d-11d8-9837-000c41e2cdad">
|
|
<topic>tnftpd -- remotely exploitable vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tnftpd</name>
|
|
<range><lt>20040810</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>lukemftpd</name>
|
|
<range><ge>0</ge></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>4.7</ge></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>lukemftpd(8) is an enhanced BSD FTP server produced
|
|
within the NetBSD project. The sources for lukemftpd are
|
|
shipped with some versions of FreeBSD, however it is not
|
|
built or installed by default. The build system option
|
|
WANT_LUKEMFTPD must be set to build and install lukemftpd.
|
|
[<strong>NOTE</strong>: An exception is FreeBSD 4.7-RELEASE,
|
|
wherein lukemftpd was installed, but not enabled, by
|
|
default.]</p>
|
|
<p>Przemyslaw Frasunek discovered several vulnerabilities
|
|
in lukemftpd arising from races in the out-of-band signal
|
|
handling code used to implement the ABOR command. As a
|
|
result of these races, the internal state of the FTP server
|
|
may be manipulated in unexpected ways.</p>
|
|
<p>A remote attacker may be able to cause FTP commands to
|
|
be executed with the privileges of the running lukemftpd
|
|
process. This may be a low-privilege `ftp' user if the `-r'
|
|
command line option is specified, or it may be superuser
|
|
privileges if `-r' is *not* specified.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0794</cvename>
|
|
<bid>10967</bid>
|
|
<url>http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpd.c#rev1.158</url>
|
|
<url>ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-009.txt.asc</url>
|
|
<mlist msgid="412239E7.1070807@freebsd.lublin.pl">http://lists.netsys.com/pipermail/full-disclosure/2004-August/025418.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-17</discovery>
|
|
<entry>2004-08-17</entry>
|
|
<modified>2004-08-28</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e5e2883d-ceb9-11d8-8898-000d6111a684">
|
|
<topic>MySQL authentication bypass / buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><ge>4.1</ge><lt>4.1.3</lt></range>
|
|
<range><ge>5</ge><le>5.0.0_2</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>By submitting a carefully crafted authentication packet, it is possible
|
|
for an attacker to bypass password authentication in MySQL 4.1. Using a
|
|
similar method, a stack buffer used in the authentication mechanism can
|
|
be overflowed.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0627</cvename>
|
|
<cvename>CVE-2004-0628</cvename>
|
|
<certvu>184030</certvu>
|
|
<certvu>645326</certvu>
|
|
<url>http://www.nextgenss.com/advisories/mysql-authbypass.txt</url>
|
|
<url>http://dev.mysql.com/doc/mysql/en/News-4.1.3.html</url>
|
|
<url>http://secunia.com/advisories/12020</url>
|
|
<url>http://www.osvdb.org/7475</url>
|
|
<url>http://www.osvdb.org/7476</url>
|
|
<mlist msgid="Pine.LNX.4.44.0407080940550.9602-200000@pineapple.shacknet.nu">http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0003.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-01</discovery>
|
|
<entry>2004-07-05</entry>
|
|
<modified>2004-08-28</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e811aaf1-f015-11d8-876f-00902714cc7c">
|
|
<topic>Ruby insecure file permissions in the CGI session management</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby</name>
|
|
<range><lt>1.6.8.2004.07.26</lt></range>
|
|
<range><ge>1.7.0</ge><lt>1.8.1.2004.07.23</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>According to a Debian Security Advisory:</p>
|
|
<blockquote cite="http://www.debian.org/security/2004/dsa-537">
|
|
<p>Andres Salomon noticed a problem in the CGI session
|
|
management of Ruby, an object-oriented scripting language.
|
|
CGI::Session's FileStore (and presumably PStore [...])
|
|
implementations store session information insecurely.
|
|
They simply create files, ignoring permission issues.
|
|
This can lead an attacker who has also shell access to the
|
|
webserver to take over a session.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0755</cvename>
|
|
<url>http://xforce.iss.net/xforce/xfdb/16996</url>
|
|
<url>http://www.debian.org/security/2004/dsa-537</url>
|
|
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=109267579822250&w=2</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-16</discovery>
|
|
<entry>2004-08-16</entry>
|
|
<modified>2004-08-28</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="207f8ff3-f697-11d8-81b0-000347a4fa7d">
|
|
<topic>nss -- exploitable buffer overflow in SSLv2 protocol handler</topic>
|
|
<affects>
|
|
<package>
|
|
<name>nss</name>
|
|
<range><lt>3.9.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>ISS X-Force reports that a remotely exploitable buffer
|
|
overflow exists in the Netscape Security Services (NSS)
|
|
library's implementation of SSLv2. From their advisory:</p>
|
|
<blockquote cite="http://xforce.iss.net/xforce/alerts/id/180">
|
|
<p>The NSS library contains a flaw in SSLv2 record parsing
|
|
that may lead to remote compromise. When parsing the
|
|
first record in an SSLv2 negotiation, the client hello
|
|
message, the server fails to validate the length of a
|
|
record field. As a result, it is possible for an attacker
|
|
to trigger a heap-based overflow of arbitrary length.</p>
|
|
</blockquote>
|
|
<p>Note that the vulnerable NSS library is also present in
|
|
Mozilla-based browsers. However, it is not believed that
|
|
browsers are affected, as the vulnerability is present only in
|
|
code used by SSLv2 *servers*.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://xforce.iss.net/xforce/alerts/id/180</url>
|
|
<url>http://www.osvdb.org/9116</url>
|
|
<url>http://secunia.com/advisories/12362</url>
|
|
<bid>11015</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-23</discovery>
|
|
<entry>2004-08-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="85e19dff-e606-11d8-9b0a-000347a4fa7d">
|
|
<topic>ripMIME -- decoding bug allowing content filter bypass</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ripmime</name>
|
|
<range><lt>1.3.2.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>ripMIME may prematurely terminate decoding Base64 encoded
|
|
messages when it encounters multiple blank lines or other
|
|
non-standard Base64 constructs. Virus scanning and content
|
|
filtering tools that use ripMIME may therefore be
|
|
bypassed.</p>
|
|
<p>The ripMIME CHANGELOG file says:</p>
|
|
<blockquote cite="http://www.pldaniels.com/ripmime/CHANGELOG">
|
|
<p>There's viruses going around exploiting the ability to
|
|
hide the majority of their data in an attachment by using
|
|
blank lines and other tricks to make scanning systems
|
|
prematurely terminate their base64 decoding.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>10848</bid>
|
|
<url>http://www.osvdb.org/8287</url>
|
|
<url>http://www.pldaniels.com/ripmime/CHANGELOG</url>
|
|
<url>http://secunia.com/advisories/12201</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/16867</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-30</discovery>
|
|
<entry>2004-08-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1ecf4ca1-f7ad-11d8-96c9-00061bc2ad93">
|
|
<topic>moinmoin -- ACL group bypass</topic>
|
|
<affects>
|
|
<package>
|
|
<name>moinmoin</name>
|
|
<range><lt>1.2.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The moinmoin package contains two bugs with ACLs and anonymous
|
|
users. Both bugs may permit anonymous users to gain access to
|
|
administrative functions; for example the delete function.</p>
|
|
<p>There is no known workaround, the vulnerability exists regardless
|
|
if a site is using ACLs or not.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.osvdb.org/8194</url>
|
|
<url>http://www.osvdb.org/8195</url>
|
|
<url>http://security.gentoo.org/glsa/glsa-200408-25.xml</url>
|
|
<url>http://secunia.com/advisories/11832</url>
|
|
<bid>10805</bid>
|
|
<bid>10801</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-21</discovery>
|
|
<entry>2004-08-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2689f4cb-ec4c-11d8-9440-000347a4fa7d">
|
|
<topic>rsync -- path sanitizing vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rsync</name>
|
|
<range><lt>2.6.2_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An rsync security advisory reports:</p>
|
|
<blockquote cite="http://samba.org/rsync/#security_aug04">
|
|
<p>There is a path-sanitizing bug that affects daemon mode in
|
|
all recent rsync versions (including 2.6.2) but only if
|
|
chroot is disabled.</p>
|
|
</blockquote>
|
|
<p>The bug may allow a remote user to access files outside
|
|
of an rsync module's configured path with the privileges
|
|
configured for that module.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0792</cvename>
|
|
<url>http://samba.org/rsync/#security_aug04</url>
|
|
<mlist>http://lists.samba.org/archive/rsync-announce/2004/000017.html</mlist>
|
|
<url>http://secunia.com/advisories/12294</url>
|
|
<url>http://www.osvdb.org/8829</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-12</discovery>
|
|
<entry>2004-08-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7884d56f-f7a1-11d8-9837-000c41e2cdad">
|
|
<topic>gnomevfs -- unsafe URI handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnomevfs2</name>
|
|
<range><lt>2.6.2_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gnomevfs</name>
|
|
<range><lt>1.0.5_6</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mc</name>
|
|
<range><le>4.6.0_12</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Alexander Larsson reports that some versions of gnome-vfs and
|
|
MidnightCommander contain a number of `extfs' scripts that do not
|
|
properly validate user input. If an attacker can cause her
|
|
victim to process a specially-crafted URI, arbitrary commands
|
|
can be executed with the privileges of the victim.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0494</cvename>
|
|
<bid>10864</bid>
|
|
<url>http://www.ciac.org/ciac/bulletins/o-194.shtml</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/16897</url>
|
|
<url>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127263</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-04</discovery>
|
|
<entry>2004-08-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3e4ffe76-e0d4-11d8-9b0a-000347a4fa7d">
|
|
<topic>SoX buffer overflows when handling .WAV files</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sox</name>
|
|
<range><gt>12.17.1</gt><le>12.17.4_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ulf Härnhammar discovered a pair of buffer overflows in the
|
|
WAV file handling code of SoX. If an attacker can cause her
|
|
victim to process a specially-crafted WAV file with SoX (e.g.
|
|
through social engineering or through some other program that
|
|
relies on SoX), arbitrary code can be executed with the
|
|
privileges of the victim.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0557</cvename>
|
|
<mlist msgid="1091040793.4107f6193d81a@webmail.uu.se">http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0014.html</mlist>
|
|
<url>http://secunia.com/advisories/12175</url>
|
|
<url>http://www.osvdb.org/8267</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-28</discovery>
|
|
<entry>2004-08-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2797b27a-f55b-11d8-81b0-000347a4fa7d">
|
|
<topic>kdelibs -- konqueror cross-domain cookie injection</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kdelibs</name>
|
|
<range><lt>3.2.3_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>According to a KDE Security Advisory:</p>
|
|
<blockquote cite="http://www.kde.org/info/security/advisory-20040823-1.txt">
|
|
<p>WESTPOINT internet reconnaissance services alerted the
|
|
KDE security team that the KDE web browser Konqueror
|
|
allows websites to set cookies for certain country
|
|
specific secondary top level domains.</p>
|
|
<p>Web sites operating under the affected domains can
|
|
set HTTP cookies in such a way that the Konqueror web
|
|
browser will send them to all other web sites operating
|
|
under the same domain. A malicious website can use
|
|
this as part of a session fixation attack. See e.g.
|
|
http://www.acros.si/papers/session_fixation.pdf</p>
|
|
<p>Affected are all country specific secondary top level
|
|
domains that use more than 2 characters in the secondary
|
|
part of the domain name and that use a secondary part other
|
|
than com, net, mil, org, gov, edu or int. Examples of
|
|
affected domains are .ltd.uk, .plc.uk and .firm.in</p>
|
|
<p>It should be noted that popular domains such as .co.uk, .co.in
|
|
and .com are NOT affected.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0746</cvename>
|
|
<url>http://www.kde.org/info/security/advisory-20040823-1.txt</url>
|
|
<url>http://www.osvdb.org/9117</url>
|
|
<url>http://secunia.com/advisories/12341</url>
|
|
<url>http://www.acros.si/papers/session_fixation.pdf</url>
|
|
<bid>10991</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-23</discovery>
|
|
<entry>2004-08-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="bef4515b-eaa9-11d8-9440-000347a4fa7d">
|
|
<cancelled superseded="b6939d5b-64a1-11d9-9106-000a95bc6fae"/>
|
|
</vuln>
|
|
|
|
<vuln vid="3243e839-f489-11d8-9837-000c41e2cdad">
|
|
<topic>fidogate -- write files as `news' user</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fidogate</name>
|
|
<range><lt>4.4.9_3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>fidogate-ds</name>
|
|
<range><lt>5.1.1_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Neils Heinen reports that the setuid `news' binaries
|
|
installed as part of fidogate may be used to create files or
|
|
append to file with the privileges of the `news' user by
|
|
setting the LOGFILE environmental variable.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://cvs.sourceforge.net/viewcvs.py/fidogate/fidogate/ChangeLog?rev=4.320&view=markup</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-21</discovery>
|
|
<entry>2004-08-22</entry>
|
|
<modified>2004-08-23</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="65a17a3f-ed6e-11d8-aff1-00061bc2ad93">
|
|
<topic>Arbitrary code execution via a format string vulnerability in jftpgw</topic>
|
|
<affects>
|
|
<package>
|
|
<name>jftpgw</name>
|
|
<range><lt>0.13.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The log functions in jftpgw may allow
|
|
remotely authenticated user to execute
|
|
arbitrary code via the format string
|
|
specifiers in certain syslog messages.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0448</cvename>
|
|
<url>http://www.debian.org/security/2004/dsa-510</url>
|
|
<bid>10438</bid>
|
|
<url>http://xforce.iss.net/xforce/xfdb/16271</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-30</discovery>
|
|
<entry>2004-08-13</entry>
|
|
<modified>2004-08-23</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ebffe27a-f48c-11d8-9837-000c41e2cdad">
|
|
<topic>qt -- image loader vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>qt</name>
|
|
<range><lt>3.3.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Qt contains several vulnerabilities related to image
|
|
loading, including possible crashes when loading corrupt
|
|
GIF, BMP, or JPEG images. Most seriously, Chris Evans
|
|
reports that the BMP crash is actually due to a heap
|
|
buffer overflow. It is believed that an attacker may be
|
|
able to construct a BMP image that could cause a Qt-using
|
|
application to execute arbitrary code when it is loaded.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0691</cvename>
|
|
<cvename>CVE-2004-0692</cvename>
|
|
<cvename>CVE-2004-0693</cvename>
|
|
<url>http://www.trolltech.com/developer/changes/changes-3.3.3.html</url>
|
|
<url>http://scary.beasts.org/security/CESA-2004-004.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-11</discovery>
|
|
<entry>2004-08-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="616cf823-f48b-11d8-9837-000c41e2cdad">
|
|
<topic>courier-imap -- format string vulnerability in debug mode</topic>
|
|
<affects>
|
|
<package>
|
|
<name>courier-imap</name>
|
|
<range><lt>3.0.7,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE security advisory describes a format string
|
|
vulnerability that could be exploited when Courier-IMAP is run
|
|
in debug mode (DEBUG_LOGIN set).</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0777</cvename>
|
|
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-August/025478.html</mlist>
|
|
<url>http://www.idefense.com/application/poi/display?id=131&type=vulnerabilities&flashstatus=false</url>
|
|
<bid>10976</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-18</discovery>
|
|
<entry>2004-08-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0c4d5973-f2ab-11d8-9837-000c41e2cdad">
|
|
<topic>mysql -- mysqlhotcopy insecure temporary file creation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-scripts</name>
|
|
<range><le>3.23.58</le></range>
|
|
<range><gt>4</gt><le>4.0.20</le></range>
|
|
<range><gt>4.1</gt><le>4.1.3</le></range>
|
|
<range><gt>5</gt><le>5.0.0_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>According to Christian Hammers:</p>
|
|
<blockquote cite="http://packages.debian.org/changelogs/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.20-11/changelog">
|
|
<p>[mysqlhotcopy created] temporary files in /tmp which
|
|
had predictable filenames and such could be used for a
|
|
tempfile run attack.</p>
|
|
</blockquote>
|
|
<p>Jeroen van Wolffelaar is credited with discovering the issue.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0457</cvename>
|
|
<url>http://www.debian.org/security/2004/dsa-540</url>
|
|
<mlist>http://lists.mysql.com/internals/15185</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-18</discovery>
|
|
<entry>2004-08-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2de14f7a-dad9-11d8-b59a-00061bc2ad93">
|
|
<topic>Multiple Potential Buffer Overruns in Samba</topic>
|
|
<affects>
|
|
<package>
|
|
<name>samba</name>
|
|
<range><ge>3</ge><lt>3.0.5,1</lt></range>
|
|
<range><lt>2.2.10</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ja-samba</name>
|
|
<range><lt>2.2.10.j1.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Evgeny Demidov discovered that the Samba server has a
|
|
buffer overflow in the Samba Web Administration Tool (SWAT)
|
|
on decoding Base64 data during HTTP Basic Authentication.
|
|
Versions 3.0.2 through 3.0.4 are affected.</p>
|
|
<p>Another buffer overflow bug has been found in the code
|
|
used to support the "mangling method = hash" smb.conf
|
|
option. The default setting for this parameter is "mangling
|
|
method = hash2" and therefore not vulnerable. Versions
|
|
between 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected.
|
|
</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0600</cvename>
|
|
<cvename>CVE-2004-0686</cvename>
|
|
<mlist msgid="web-53121174@cgp.agava.net">http://www.securityfocus.com/archive/1/369698</mlist>
|
|
<mlist msgid="200407222031.25086.bugtraq@beyondsecurity.com">http://www.securityfocus.com/archive/1/369706</mlist>
|
|
<url>http://www.samba.org/samba/whatsnew/samba-3.0.5.html</url>
|
|
<url>http://www.samba.org/samba/whatsnew/samba-2.2.10.html</url>
|
|
<url>http://www.osvdb.org/8190</url>
|
|
<url>http://www.osvdb.org/8191</url>
|
|
<url>http://secunia.com/advisories/12130</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-14</discovery>
|
|
<entry>2004-07-21</entry>
|
|
<modified>2004-08-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="730db824-e216-11d8-9b0a-000347a4fa7d">
|
|
<topic>Mozilla / Firefox user interface spoofing vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><le>0.9.1_1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<range><le>1.7.1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><le>1.7.1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><le>1.7.1,2</le></range>
|
|
<range><ge>1.8.a,2</ge><le>1.8.a2,2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<range><le>1.7.1_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla project's family of browsers contain a design
|
|
flaw that can allow a website to spoof almost perfectly any
|
|
part of the Mozilla user interface, including spoofing web
|
|
sites for phishing or internal elements such as the "Master
|
|
Password" dialog box. This achieved by manipulating "chrome"
|
|
through remote XUL content. Recent versions of Mozilla have
|
|
been fixed to not allow untrusted documents to utilize
|
|
"chrome" in this way.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0764</cvename>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=22183</url>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=244965</url>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=252198</url>
|
|
<url>http://www.nd.edu/~jsmith30/xul/test/spoof.html</url>
|
|
<url>http://secunia.com/advisories/12188</url>
|
|
<bid>10832</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-19</discovery>
|
|
<entry>2004-07-30</entry>
|
|
<modified>2004-08-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f9e3e60b-e650-11d8-9b0a-000347a4fa7d">
|
|
<topic>libpng stack-based buffer overflow and other code concerns</topic>
|
|
<affects>
|
|
<package>
|
|
<name>png</name>
|
|
<range><le>1.2.5_7</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-png</name>
|
|
<range><le>1.0.14_3</le></range>
|
|
<range><ge>1.2</ge><le>1.2.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>0.9.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><lt>0.7.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<range><lt>1.7.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.2,2</lt></range>
|
|
<range><ge>1.8.a,2</ge><le>1.8.a2,2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<range><lt>1.7.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape-communicator</name>
|
|
<name>netscape-navigator</name>
|
|
<range><le>4.78</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-netscape-communicator</name>
|
|
<name>linux-netscape-navigator</name>
|
|
<name>ko-netscape-navigator-linux</name>
|
|
<name>ko-netscape-communicator-linux</name>
|
|
<name>ja-netscape-communicator-linux</name>
|
|
<name>ja-netscape-navigator-linux</name>
|
|
<range><le>4.8</le></range>
|
|
</package>
|
|
<package>
|
|
<name>netscape7</name>
|
|
<name>ja-netscape7</name>
|
|
<range><le>7.1</le></range>
|
|
</package>
|
|
<package>
|
|
<name>pt_BR-netscape7</name>
|
|
<name>fr-netscape7</name>
|
|
<name>de-netscape7</name>
|
|
<range><le>7.02</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Chris Evans has discovered multiple vulnerabilities in libpng,
|
|
which can be exploited by malicious people to compromise a
|
|
vulnerable system or cause a DoS (Denial of Service).</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="Pine.LNX.4.58.0408041840080.20655@sphinx.mythic-beasts.com">http://www.securityfocus.com/archive/1/370853</mlist>
|
|
<url>http://scary.beasts.org/security/CESA-2004-001.txt</url>
|
|
<url>http://www.osvdb.org/8312</url>
|
|
<url>http://www.osvdb.org/8313</url>
|
|
<url>http://www.osvdb.org/8314</url>
|
|
<url>http://www.osvdb.org/8315</url>
|
|
<url>http://www.osvdb.org/8316</url>
|
|
<cvename>CVE-2004-0597</cvename>
|
|
<cvename>CVE-2004-0598</cvename>
|
|
<cvename>CVE-2004-0599</cvename>
|
|
<certvu>388984</certvu>
|
|
<certvu>236656</certvu>
|
|
<certvu>160448</certvu>
|
|
<certvu>477512</certvu>
|
|
<certvu>817368</certvu>
|
|
<certvu>286464</certvu>
|
|
<url>http://secunia.com/advisories/12219</url>
|
|
<url>http://secunia.com/advisories/12232</url>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=251381</url>
|
|
<uscertta>TA04-217A</uscertta>
|
|
<url>http://dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-04</discovery>
|
|
<entry>2004-08-04</entry>
|
|
<modified>2004-08-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="603fe36d-ec9d-11d8-b913-000c41e2cdad">
|
|
<topic>kdelibs insecure temporary file handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kdelibs</name>
|
|
<range><le>3.2.3_3</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>According to a KDE Security Advisory, KDE may sometimes
|
|
create temporary files without properly checking the ownership
|
|
and type of the target path. This could allow a local
|
|
attacker to cause KDE applications to overwrite arbitrary
|
|
files.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0689</cvename>
|
|
<cvename>CVE-2004-0690</cvename>
|
|
<url>http://www.kde.org/info/security/advisory-20040811-1.txt</url>
|
|
<url>http://www.kde.org/info/security/advisory-20040811-2.txt</url>
|
|
<url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-kstandarddirs.patch</url>
|
|
<url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-dcopserver.patch</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-11</discovery>
|
|
<entry>2004-08-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5b8f9a02-ec93-11d8-b913-000c41e2cdad">
|
|
<topic>gaim remotely exploitable vulnerabilities in MSN component</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>0.81_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gaim</name>
|
|
<range><ge>20030000</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Sebastian Krahmer discovered several remotely exploitable
|
|
buffer overflow vulnerabilities in the MSN component of
|
|
gaim.</p>
|
|
<blockquote cite="http://gaim.sourceforge.net/security/?id=0">
|
|
<p>In two places in the MSN protocol plugins (object.c and
|
|
slp.c), strncpy was used incorrectly; the size of the array
|
|
was not checked before copying to it. Both bugs affect MSN's
|
|
MSNSLP protocol, which is peer-to-peer, so this could
|
|
potentially be easy to exploit.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0500</cvename>
|
|
<url>http://gaim.sourceforge.net/security/?id=0</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-12</discovery>
|
|
<entry>2004-08-12</entry>
|
|
<modified>2004-10-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="78348ea2-ec91-11d8-b913-000c41e2cdad">
|
|
<topic>acroread uudecoder input validation error</topic>
|
|
<affects>
|
|
<package>
|
|
<name>acroread</name>
|
|
<name>acroread4</name>
|
|
<name>acroread5</name>
|
|
<range><lt>5.0.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An iDEFENSE security advisory reports:</p>
|
|
<blockquote cite="www.idefense.com/application/poi/display?id=124&type=vulnerabilities">
|
|
<p>Remote exploitation of an input validation error in the
|
|
uudecoding feature of Adobe Acrobat Reader (Unix) 5.0
|
|
allows an attacker to execute arbitrary code.</p>
|
|
<p>The Unix and Linux versions of Adobe Acrobat Reader 5.0
|
|
automatically attempt to convert uuencoded documents
|
|
back into their original format. The vulnerability
|
|
specifically exists in the failure of Acrobat Reader to
|
|
check for the backtick shell metacharacter in the filename
|
|
before executing a command with a shell. This allows a
|
|
maliciously constructed filename to execute arbitrary
|
|
programs.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0630</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=124&type=vulnerabilities</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-12</discovery>
|
|
<entry>2004-08-12</entry>
|
|
<modified>2005-01-06</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="12c7b7ae-ec90-11d8-b913-000c41e2cdad">
|
|
<topic>popfile file disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>popfile</name>
|
|
<range><le>0.21.1_2</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>John Graham-Cumming reports that certain configurations of
|
|
POPFile may allow the retrieval of any files with the
|
|
extensions .gif, .png, .ico, .css, as well as some files with
|
|
the extension .html.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://sourceforge.net/mailarchive/forum.php?thread_id=5248725&forum_id=12356</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-02</discovery>
|
|
<entry>2004-08-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7a9d5dfe-c507-11d8-8898-000d6111a684">
|
|
<topic>isc-dhcp3-server buffer overflow in logging mechanism</topic>
|
|
<affects>
|
|
<package>
|
|
<name>isc-dhcp3-relay</name>
|
|
<name>isc-dhcp3-server</name>
|
|
<range><ge>3.0.1.r12</ge><lt>3.0.1.r14</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A buffer overflow exists in the logging functionality
|
|
of the DHCP daemon which could lead to Denial of Service
|
|
attacks and has the potential to allow attackers to
|
|
execute arbitrary code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0460</cvename>
|
|
<url>http://www.osvdb.org/7237</url>
|
|
<uscertta>TA04-174A</uscertta>
|
|
<certvu>317350</certvu>
|
|
<mlist msgid="BAY13-F94UHMuEEkHMz0005c4f7@hotmail.com">http://www.securityfocus.com/archive/1/366801</mlist>
|
|
<mlist msgid="40DFAB69.1060909@sympatico.ca">http://www.securityfocus.com/archive/1/367286</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-22</discovery>
|
|
<entry>2004-06-25</entry>
|
|
<modified>2004-08-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3a408f6f-9c52-11d8-9366-0020ed76ef5a">
|
|
<topic>libpng denial-of-service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-png</name>
|
|
<range><le>1.0.14_3</le></range>
|
|
<range><ge>1.2</ge><le>1.2.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>png</name>
|
|
<range><lt>1.2.5_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Steve Grubb reports a buffer read overrun in
|
|
libpng's png_format_buffer function. A specially
|
|
constructed PNG image processed by an application using
|
|
libpng may trigger the buffer read overrun and possibly
|
|
result in an application crash.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0421</cvename>
|
|
<url>http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120508</url>
|
|
<url>http://rhn.redhat.com/errata/RHSA-2004-181.html</url>
|
|
<url>http://secunia.com/advisories/11505</url>
|
|
<url>http://www.osvdb.org/5726</url>
|
|
<bid>10244</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-29</discovery>
|
|
<entry>2004-05-02</entry>
|
|
<modified>2004-08-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4764cfd6-d630-11d8-b479-02e0185c0b53">
|
|
<cancelled superseded="dd7aa4f1-102f-11d9-8a8a-000c41e2cdad"/>
|
|
</vuln>
|
|
|
|
<vuln vid="abe47a5a-e23c-11d8-9b0a-000347a4fa7d">
|
|
<topic>Mozilla certificate spoofing</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><ge>0.9.1</ge><le>0.9.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla</name>
|
|
<range><lt>1.7.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-mozilla-devel</name>
|
|
<range><lt>1.7.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla</name>
|
|
<range><lt>1.7.2,2</lt></range>
|
|
<range><ge>1.8,2</ge><le>1.8.a2,2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>mozilla-gtk1</name>
|
|
<range><lt>1.7.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Mozilla and Mozilla Firefox contains a flaw that may
|
|
allow a malicious user to spoof SSL certification.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="003a01c472ba$b2060900$6501a8c0@sec">http://www.securityfocus.com/archive/1/369953</mlist>
|
|
<url>http://www.cipher.org.uk/index.php?p=advisories/Certificate_Spoofing_Mozilla_FireFox_25-07-2004.advisory</url>
|
|
<url>http://secunia.com/advisories/12160</url>
|
|
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=253121</url>
|
|
<url>http://www.osvdb.org/8238</url>
|
|
<bid>10796</bid>
|
|
<cvename>CVE-2004-0763</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-25</discovery>
|
|
<entry>2004-07-30</entry>
|
|
<modified>2004-08-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a713c0f9-ec54-11d8-9440-000347a4fa7d">
|
|
<topic>ImageMagick png vulnerability fix</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ImageMagick</name>
|
|
<name>ImageMagick-nox11</name>
|
|
<range><lt>6.0.4.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Glenn Randers-Pehrson has contributed a fix for the png
|
|
vulnerabilities discovered by Chris Evans.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://studio.imagemagick.org/pipermail/magick-users/2004-August/013218.html</url>
|
|
<url>http://freshmeat.net/releases/169228</url>
|
|
<url>http://secunia.com/advisories/12236</url>
|
|
<url>http://www.freebsd.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-08-04</discovery>
|
|
<entry>2004-08-04</entry>
|
|
<modified>2004-08-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="98bd69c3-834b-11d8-a41f-0020ed76ef5a">
|
|
<topic>Courier mail services: remotely exploitable buffer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>courier</name>
|
|
<range><lt>0.45</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>courier-imap</name>
|
|
<range><lt>3.0,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>sqwebmail</name>
|
|
<range><lt>4.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Courier set of mail services use a common Unicode
|
|
library. This library contains buffer overflows in the
|
|
converters for two popular Japanese character encodings.
|
|
These overflows may be remotely exploitable, triggered by
|
|
a maliciously formatted email message that is later processed
|
|
by one of the Courier mail services.
|
|
From the release notes for the corrected versions of the
|
|
Courier set of mail services:</p>
|
|
<blockquote>
|
|
<p>iso2022jp.c: Converters became (upper-)compatible with
|
|
ISO-2022-JP (RFC1468 / JIS X 0208:1997 Annex 2) and
|
|
ISO-2022-JP-1 (RFC2237). Buffer overflow vulnerability
|
|
(when Unicode character is out of BMP range) has been
|
|
closed. Convert error handling was implemented.</p>
|
|
<p>shiftjis.c: Broken SHIFT_JIS converters has been fixed
|
|
and became (upper-)compatible with Shifted Encoding Method
|
|
(JIS X 0208:1997 Annex 1). Buffer overflow vulnerability
|
|
(when Unicode character is out of BMP range) has been
|
|
closed. Convert error handling was implemented.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0224</cvename>
|
|
<url>http://cvs.sourceforge.net/viewcvs.py/courier/libs/unicode/iso2022jp.c?rev=1.10&view=markup</url>
|
|
<url>http://cvs.sourceforge.net/viewcvs.py/courier/libs/unicode/shiftjis.c?rev=1.6&view=markup</url>
|
|
<bid>9845</bid>
|
|
<url>http://secunia.com/advisories/11087</url>
|
|
<url>http://www.osvdb.org/4194</url>
|
|
<url>http://www.osvdb.org/6927</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-01</discovery>
|
|
<entry>2004-03-31</entry>
|
|
<modified>2004-07-16</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cdf18ed9-7f4a-11d8-9645-0020ed76ef5a">
|
|
<topic>multiple vulnerabilities in ethereal</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ethereal</name>
|
|
<name>tethereal</name>
|
|
<range><lt>0.10.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefan Esser of e-matters Security discovered a baker's dozen
|
|
of buffer overflows in Ethereal's decoders, including:</p>
|
|
<ul>
|
|
<li>NetFlow</li>
|
|
<li>IGAP</li>
|
|
<li>EIGRP</li>
|
|
<li>PGM</li>
|
|
<li>IRDA</li>
|
|
<li>BGP</li>
|
|
<li>ISUP</li>
|
|
<li>TCAP</li>
|
|
<li>UCP</li>
|
|
</ul>
|
|
<p>In addition, a vulnerability in the RADIUS decoder was found
|
|
by Jonathan Heusser.</p>
|
|
<p>Finally, there is one uncredited vulnerability described by the
|
|
Ethereal team as:</p>
|
|
<blockquote cite="http://www.ethereal.com/appnotes/enpa-sa-00013.html">
|
|
<p>A zero-length Presentation protocol selector could make
|
|
Ethereal crash.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.ethereal.com/appnotes/enpa-sa-00013.html</url>
|
|
<cvename>CVE-2004-0176</cvename>
|
|
<cvename>CVE-2004-0365</cvename>
|
|
<cvename>CVE-2004-0367</cvename>
|
|
<certvu>119876</certvu>
|
|
<certvu>124454</certvu>
|
|
<certvu>125156</certvu>
|
|
<certvu>433596</certvu>
|
|
<certvu>591820</certvu>
|
|
<certvu>644886</certvu>
|
|
<certvu>659140</certvu>
|
|
<certvu>695486</certvu>
|
|
<certvu>740188</certvu>
|
|
<certvu>792286</certvu>
|
|
<certvu>864884</certvu>
|
|
<certvu>931588</certvu>
|
|
<url>http://security.e-matters.de/advisories/032004.html</url>
|
|
<url>http://secunia.com/advisories/11185</url>
|
|
<bid>9952</bid>
|
|
<url>http://www.osvdb.org/4462</url>
|
|
<url>http://www.osvdb.org/4463</url>
|
|
<url>http://www.osvdb.org/4464</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-23</discovery>
|
|
<entry>2004-03-26</entry>
|
|
<modified>2004-07-11</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="74d06b67-d2cf-11d8-b479-02e0185c0b53">
|
|
<topic>multiple vulnerabilities in ethereal</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ethereal</name>
|
|
<name>ethereal-lite</name>
|
|
<name>tethereal</name>
|
|
<name>tethereal-lite</name>
|
|
<range><lt>0.10.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Issues have been discovered in multiple protocol dissectors.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.ethereal.com/appnotes/enpa-sa-00014.html</url>
|
|
<cvename>CVE-2004-0504</cvename>
|
|
<cvename>CVE-2004-0505</cvename>
|
|
<cvename>CVE-2004-0506</cvename>
|
|
<cvename>CVE-2004-0507</cvename>
|
|
<url>http://secunia.com/advisories/11608</url>
|
|
<bid>10347</bid>
|
|
<url>http://www.osvdb.org/6131</url>
|
|
<url>http://www.osvdb.org/6132</url>
|
|
<url>http://www.osvdb.org/6133</url>
|
|
<url>http://www.osvdb.org/6134</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-13</discovery>
|
|
<entry>2004-07-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="265c8b00-d2d0-11d8-b479-02e0185c0b53">
|
|
<topic>multiple vulnerabilities in ethereal</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ethereal</name>
|
|
<name>ethereal-lite</name>
|
|
<name>tethereal</name>
|
|
<name>tethereal-lite</name>
|
|
<range><lt>0.10.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Issues have been discovered in multiple protocol dissectors.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.ethereal.com/appnotes/enpa-sa-00015.html</url>
|
|
<cvename>CVE-2004-0633</cvename>
|
|
<cvename>CVE-2004-0634</cvename>
|
|
<cvename>CVE-2004-0635</cvename>
|
|
<url>http://secunia.com/advisories/12024</url>
|
|
<bid>10672</bid>
|
|
<url>http://www.osvdb.org/7536</url>
|
|
<url>http://www.osvdb.org/7537</url>
|
|
<url>http://www.osvdb.org/7538</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-07-06</discovery>
|
|
<entry>2004-07-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4aec9d58-ce7b-11d8-858d-000d610a3b12">
|
|
<topic>Format string vulnerability in SSLtelnet</topic>
|
|
<affects>
|
|
<package>
|
|
<name>SSLtelnet</name>
|
|
<range><le>0.13_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>SSLtelnet contains a format string vulnerability that could
|
|
allow remote code execution and privilege escalation.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0640</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-04-03</discovery>
|
|
<entry>2004-07-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c5519420-cec2-11d8-8898-000d6111a684">
|
|
<topic>"Content-Type" XSS vulnerability affecting other webmail systems</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openwebmail</name>
|
|
<range><le>2.32</le></range>
|
|
</package>
|
|
<package>
|
|
<name>ilohamail</name>
|
|
<range><lt>0.8.13</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Roman Medina-Heigl Hernandez did a survey which other webmail systems
|
|
where vulnerable to a bug he discovered in SquirrelMail. This advisory
|
|
summarizes the results.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-2.txt</url>
|
|
<url>http://www.freebsd.org/ports/portaudit/89a0de27-bf66-11d8-a252-02e0185c0b53.html</url>
|
|
<url>http://www.freebsd.org/ports/portaudit/911f1b19-bd20-11d8-84f9-000bdb1444a4.html</url>
|
|
<url>http://www.freebsd.org/ports/portaudit/c3e56efa-c42f-11d8-864c-02e0185c0b53.html</url>
|
|
<cvename>CVE-2004-0519</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-29</discovery>
|
|
<entry>2004-07-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="76904dce-ccf3-11d8-babb-000854d03344">
|
|
<topic>Pavuk HTTP Location header overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pavuk</name>
|
|
<range><lt>0.9.28_5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When pavuk sends a request to a web server and the server
|
|
sends back the HTTP status code 305 (Use Proxy), pavuk
|
|
copies data from the HTTP Location header in an unsafe
|
|
manner. This leads to a stack-based buffer overflow with
|
|
control over EIP.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0456</cvename>
|
|
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-July/023322.html</mlist>
|
|
<url>http://www.osvdb.org/7319</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-30</discovery>
|
|
<entry>2004-07-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="33ab4a47-bfc1-11d8-b00e-000347a4fa7d">
|
|
<topic>Several vulnerabilities found in PHPNuke</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpnuke</name>
|
|
<range><lt>7.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Janek Vind "waraxe" reports that several issues in the
|
|
PHPNuke software may be exploited via carefully crafted
|
|
URL requests. These URLs will permit the injection of
|
|
SQL code, cookie theft, and the readability of the
|
|
PHPNuke administrator account.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0279</cvename>
|
|
<cvename>CVE-2003-0318</cvename>
|
|
<cvename>CVE-2004-0266</cvename>
|
|
<cvename>CVE-2004-0269</cvename>
|
|
<url>http://www.waraxe.us/index.php?modname=sa&id=27</url>
|
|
<url>http://secunia.com/advisories/11920</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-05</discovery>
|
|
<entry>2004-07-03</entry>
|
|
<modified>2004-09-28</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0d4c31ac-cb91-11d8-8898-000d6111a684">
|
|
<topic>Remote code injection in phpMyAdmin</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>2.5.7.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>This vulnerability would allow remote user to inject PHP code
|
|
to be executed by eval() function. This vulnerability is only
|
|
exploitable if variable $cfg['LeftFrameLight'] is set to FALSE (in
|
|
file config.inc.php).</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://sf.net/forum/forum.php?forum_id=387635</url>
|
|
<mlist msgid="20040629025752.976.qmail@www.securityfocus.com">http://www.securityfocus.com/archive/1/367486</mlist>
|
|
<url>http://secunia.com/advisories/11974</url>
|
|
<url>http://eagle.kecapi.com/sec/fd/phpMyAdmin.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-29</discovery>
|
|
<entry>2004-07-02</entry>
|
|
<modified>2004-09-28</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4d837296-cc28-11d8-a54c-02e0185c0b53">
|
|
<topic>GNATS local privilege elevation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnats</name>
|
|
<range><le>3.113.1_9</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>GNATS 3.113.1 contains multiple buffer overflows, through which a
|
|
local attacker could gain elevated privileges on the system.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>ports/56006</freebsdpr>
|
|
<mlist msgid="20040625164231.7437.qmail@www.securityfocus.com">http://www.securityfocus.com/archive/1/326337</mlist>
|
|
<url>http://www.securiteam.com/unixfocus/5CP0N0UAAA.html</url>
|
|
<url>http://secunia.com/advisories/9096</url>
|
|
<url>http://x82.inetcop.org/h0me/adv1sor1es/INCSA.2003-0x82-018-GNATS-bt.txt</url>
|
|
<url>http://www.gnu.org/software/gnats/gnats.html</url>
|
|
<url>http://www.osvdb.org/2190</url>
|
|
<url>http://www.osvdb.org/4600</url>
|
|
<url>http://www.osvdb.org/4601</url>
|
|
<url>http://www.osvdb.org/4607</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-06-21</discovery>
|
|
<entry>2004-07-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8ecaaca2-cc07-11d8-858d-000d610a3b12">
|
|
<topic>Linux binary compatibility mode input validation error</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>4.9</ge><lt>4.9_10</lt></range>
|
|
<range><ge>4.8</ge><lt>4.8_23</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A programming error in the handling of some Linux system
|
|
calls may result in memory locations being accessed without
|
|
proper validation.</p>
|
|
<p>It may be possible for a local attacker to read and/or
|
|
overwrite portions of kernel memory, resulting in disclosure
|
|
of sensitive information or potential privilege escalation.
|
|
A local attacker can cause a system panic.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0602</cvename>
|
|
<freebsdsa>SA-04:13.linux</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-18</discovery>
|
|
<entry>2004-06-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1f738bda-c6ac-11d8-8898-000d6111a684">
|
|
<topic>Remote Denial of Service of HTTP server and client</topic>
|
|
<affects>
|
|
<package>
|
|
<name>giFT-FastTrack</name>
|
|
<range><lt>0.8.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>giFT-FastTrack is susceptible to a remote
|
|
Denial of Service attack which could allow
|
|
a remote attacker to render HTTP services
|
|
unusable. According to the developers, no
|
|
code execution is possible; however, they
|
|
recommend an immediate upgrade.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://developer.berlios.de/forum/forum.php?forum_id=5814</url>
|
|
<url>http://www.osvdb.org/7266</url>
|
|
<url>http://secunia.com/advisories/11941</url>
|
|
<bid>10604</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-19</discovery>
|
|
<entry>2004-06-25</entry>
|
|
<modified>2004-06-29</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ff00f2ce-c54c-11d8-b708-00061bc2ad93">
|
|
<topic>XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xorg-clients</name>
|
|
<range><eq>6.7.0</eq></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When the IPv6 code was added to xdm a critical
|
|
test to disable xdmcp was accidentally removed. This
|
|
caused xdm to create the chooser socket regardless if
|
|
DisplayManager.requestPort was disabled in xdm-config
|
|
or not.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0419</cvename>
|
|
<url>http://bugs.xfree86.org/show_bug.cgi?id=1376</url>
|
|
<url>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124900</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-19</discovery>
|
|
<entry>2004-06-28</entry>
|
|
<modified>2004-06-28</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="da9e6438-bfc0-11d8-b00e-000347a4fa7d">
|
|
<topic>MoinMoin administrative group name privilege escalation vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>moinmoin</name>
|
|
<range><lt>1.2.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A serious flaw exists in the MoinMoin software
|
|
which may allow a malicious user to gain access to
|
|
unauthorized privileges.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.osvdb.org/6704</url>
|
|
<cvename>CVE-2004-0708</cvename>
|
|
<bid>10568</bid>
|
|
<url>http://secunia.com/advisories/11807</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-04</discovery>
|
|
<entry>2004-06-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="35f6fdf8-a425-11d8-9c6d-0020ed76ef5a">
|
|
<topic>Cyrus IMAP pre-authentication heap overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cyrus</name>
|
|
<range><lt>2.0.17</lt></range>
|
|
<range><ge>2.1</ge><lt>2.1.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>In December 2002, Timo Sirainen reported:</p>
|
|
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=103886607825605">
|
|
<p>Cyrus IMAP server has a a remotely exploitable pre-login
|
|
buffer overflow. [...] Note that you don't have to log in
|
|
before exploiting this, and since Cyrus
|
|
runs everything under one UID, it's possible to read every
|
|
user's mail in the system.</p>
|
|
</blockquote>
|
|
<p>It is unknown whether this vulnerability is exploitable for code
|
|
execution on FreeBSD systems.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2002-1580</cvename>
|
|
<bid>6298</bid>
|
|
<certvu>740169</certvu>
|
|
<mlist msgid="20021202175606.GA26254@irccrew.org">http://marc.theaimsgroup.com/?l=bugtraq&m=103886607825605</mlist>
|
|
<mlist>http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=19349</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2002-12-02</discovery>
|
|
<entry>2004-05-12</entry>
|
|
<modified>2004-06-27</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="700d43b4-a42a-11d8-9c6d-0020ed76ef5a">
|
|
<topic>Cyrus IMSPd multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cyrus-imspd</name>
|
|
<range><lt>1.6a5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Cyrus team reported multiple vulnerabilities in older
|
|
versions of Cyrus IMSPd:</p>
|
|
<blockquote cite="http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&msg=25">
|
|
<p>These releases correct a recently discovered buffer
|
|
overflow vulnerability, as well as clean up a significant
|
|
amount of buffer handling throughout the code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&msg=25</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-12-12</discovery>
|
|
<entry>2004-05-12</entry>
|
|
<modified>2004-06-27</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5e7f58c3-b3f8-4258-aeb8-795e5e940ff8">
|
|
<topic>mplayer heap overflow in http requests</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mplayer</name>
|
|
<name>mplayer-gtk</name>
|
|
<name>mplayer-esound</name>
|
|
<name>mplayer-gtk-esound</name>
|
|
<range><lt>0.92.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A remotely exploitable heap buffer overflow vulnerability was
|
|
found in MPlayer's URL decoding code. If an attacker can
|
|
cause MPlayer to visit a specially crafted URL, arbitrary code
|
|
execution with the privileges of the user running MPlayer may
|
|
occur. A `visit' might be caused by social engineering, or a
|
|
malicious web server could use HTTP redirects which MPlayer
|
|
would then process.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.mplayerhq.hu/homepage/design6/news.html</url>
|
|
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=108066964709058</mlist>
|
|
<freebsdpr>ports/64974</freebsdpr>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-30</discovery>
|
|
<entry>2004-03-31</entry>
|
|
<modified>2004-06-27</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3e9be8c4-8192-11d8-9645-0020ed76ef5a">
|
|
<topic>ecartis buffer overflows and input validation bugs</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ecartis</name>
|
|
<range><lt>1.0.0.s20030814,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Timo Sirainen reports multiple buffer overflows that may be
|
|
triggered while parsing messages, as well as input validation
|
|
errors that could result in disclosure of mailing list
|
|
passwords.</p>
|
|
<p>These bugs were resolved in the August 2003 snapshot of
|
|
ecartis.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0781</cvename>
|
|
<cvename>CVE-2003-0782</cvename>
|
|
<url>http://www.securiteam.com/unixfocus/5YP0H2AAUY.html</url>
|
|
<freebsdpr>ports/57082</freebsdpr>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-08-14</discovery>
|
|
<entry>2004-03-29</entry>
|
|
<modified>2004-06-27</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c2e10368-77ab-11d8-b9e8-00e04ccb0a62">
|
|
<topic>ModSecurity for Apache 2.x remote off-by-one overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_security</name>
|
|
<range><lt>1.7.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When the directive "SecFilterScanPost" is enabled,
|
|
the Apache 2.x version of ModSecurity is vulnerable
|
|
to an off-by-one overflow</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.s-quadra.com/advisories/Adv-20040315.txt</url>
|
|
<bid>9885</bid>
|
|
<url>http://secunia.com/advisories/11138</url>
|
|
<certvu>779438</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-09</discovery>
|
|
<entry>2004-03-17</entry>
|
|
<modified>2004-06-27</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="74a9541d-5d6c-11d8-80e3-0020ed76ef5a">
|
|
<topic>clamav remote denial-of-service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>clamav</name>
|
|
<range><lt>0.65_7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>clamav will exit when a programming
|
|
assertion is not met. A malformed uuencoded message can
|
|
trigger this assertion, allowing an attacker to trivially
|
|
crash clamd or other components of clamav.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>ports/62586</freebsdpr>
|
|
<mlist msgid="40279811.9050407@fillmore-labs.com">http://www.securityfocus.com/archive/1/353186</mlist>
|
|
<url>http://www.osvdb.org/3894</url>
|
|
<bid>9610</bid>
|
|
<url>http://secunia.com/advisories/10826</url>
|
|
<cvename>CVE-2004-0270</cvename>
|
|
<url>http://xforce.iss.net/xforce/xfdb/15077</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-09</discovery>
|
|
<entry>2004-02-12</entry>
|
|
<modified>2004-06-27</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8d075001-a9ce-11d8-9c6d-0020ed76ef5a">
|
|
<topic>neon date parsing vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>neon</name>
|
|
<range><lt>0.24.5_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>sitecopy</name>
|
|
<range><le>0.13.4_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefan Esser reports:</p>
|
|
<blockquote cite="http://security.e-matters.de/advisories/062004.html">
|
|
<p>A vulnerability within a libneon date parsing function
|
|
could cause a heap overflow which could lead to remote
|
|
code execution, depending on the application using
|
|
libneon.</p>
|
|
</blockquote>
|
|
<p>The vulnerability is in the function ne_rfc1036_parse,
|
|
which is in turn used by the function ne_httpdate_parse.
|
|
Applications using either of these neon functions may be
|
|
vulnerable.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0398</cvename>
|
|
<url>http://security.e-matters.de/advisories/062004.html</url>
|
|
<url>http://secunia.com/advisories/11785</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-19</discovery>
|
|
<entry>2004-05-19</entry>
|
|
<modified>2004-06-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="84237895-8f39-11d8-8b29-0020ed76ef5a">
|
|
<topic>neon format string vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>neon</name>
|
|
<range><lt>0.24.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>tla</name>
|
|
<range><lt>1.2_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>sitecopy</name>
|
|
<range><le>0.13.4_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Greuff reports that the neon WebDAV client library contains
|
|
several format string bugs within error reporting code. A
|
|
malicious server may exploit these bugs by sending specially
|
|
crafted PROPFIND or PROPPATCH responses.</p>
|
|
<p>Although several applications include neon, such as cadaver and
|
|
subversion, the FreeBSD Ports of these applications are not
|
|
impacted. They are specifically configured to NOT use the
|
|
included neon. Only packages listed as affected in this
|
|
notice are believed to be impacted.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0179</cvename>
|
|
<url>http://www.webdav.org/neon/</url>
|
|
<url>http://secunia.com/advisories/11785</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-14</discovery>
|
|
<entry>2004-04-15</entry>
|
|
<modified>2004-06-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="253ea131-bd12-11d8-b071-00e08110b673">
|
|
<topic>Gallery 1.4.3 and ealier user authentication bypass</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gallery</name>
|
|
<range><lt>1.4.3.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A flaw exists in Gallery versions previous to
|
|
1.4.3-pl1 and post 1.2 which may give an attacker
|
|
the potential to log in under the "admin" account.
|
|
Data outside of the gallery is unaffected and the
|
|
attacker cannot modify any data other than the
|
|
photos or photo albums.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0522</cvename>
|
|
<url>http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=123</url>
|
|
<url>http://secunia.com/advisories/11752</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-06-01</discovery>
|
|
<entry>2004-06-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0c6f3fde-9c51-11d8-9366-0020ed76ef5a">
|
|
<topic>Midnight Commander buffer overflows, format string bugs, and insecure temporary file handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mc</name>
|
|
<range><lt>4.6.0_10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jakub Jelinek reports several security related bugs in
|
|
Midnight Commander, including:</p>
|
|
<ul>
|
|
<li>Multiple buffer overflows (CVE-2004-0226)</li>
|
|
<li>Insecure temporary file handling (CVE-2004-0231)</li>
|
|
<li>Format string bug (CVE-2004-0232)</li>
|
|
</ul>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0226</cvename>
|
|
<cvename>CVE-2004-0231</cvename>
|
|
<cvename>CVE-2004-0232</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-29</discovery>
|
|
<entry>2004-05-02</entry>
|
|
<modified>2004-06-14</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6f955451-ba54-11d8-b88c-000d610a3b12">
|
|
<topic>Buffer overflow in Squid NTLM authentication helper</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.5_9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Remote exploitation of a buffer overflow vulnerability in
|
|
the NTLM authentication helper routine of the Squid Web
|
|
Proxy Cache could allow a remote attacker to execute
|
|
arbitrary code. A remote attacker can compromise a target
|
|
system if the Squid Proxy is configured to use the NTLM
|
|
authentication helper. The attacker can send an overly long
|
|
password to overflow the buffer and execute arbitrary
|
|
code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false</url>
|
|
<cvename>CVE-2004-0541</cvename>
|
|
<url>http://www.osvdb.org/6791</url>
|
|
<url>http://secunia.com/advisories/11804</url>
|
|
<bid>10500</bid>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=998</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-20</discovery>
|
|
<entry>2004-06-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="27c331d5-64c7-11d8-80e3-0020ed76ef5a">
|
|
<topic>Vulnerabilities in H.323 implementations</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pwlib</name>
|
|
<range><lt>1.5.0_5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>asterisk</name>
|
|
<range><le>0.7.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>openh323</name>
|
|
<range><lt>1.12.0_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The <a href="http://www.niscc.gov.uk/">NISCC</a> and the <a href="http://www.ee.oulu.fi/research/ouspg/">OUSPG</a>
|
|
developed a test suite for the H.323 protocol. This test
|
|
suite has uncovered vulnerabilities in several H.323
|
|
implementations with impacts ranging from denial-of-service
|
|
to arbitrary code execution.</p>
|
|
<p>In the FreeBSD Ports Collection, `pwlib' is directly
|
|
affected. Other applications such as `asterisk' and
|
|
`openh323' incorporate `pwlib' statically and so are also
|
|
independently affected.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<!-- General references -->
|
|
<url>http://www.uniras.gov.uk/vuls/2004/006489/h323.htm</url>
|
|
<url>http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html</url>
|
|
<certsa>CA-2004-01</certsa>
|
|
<certvu>749342</certvu>
|
|
<!-- pwlib and pwlib-using applications -->
|
|
<cvename>CVE-2004-0097</cvename>
|
|
<url>http://www.southeren.com/blog/archives/000055.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-01-13</discovery>
|
|
<entry>2004-02-22</entry>
|
|
<modified>2004-06-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fb5e227e-b8c6-11d8-b88c-000d610a3b12">
|
|
<topic>jailed processes can manipulate host routing tables</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>4.9</ge><lt>4.9_10</lt></range>
|
|
<range><ge>4.8</ge><lt>4.8_23</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A programming error resulting in a failure to verify that
|
|
an attempt to manipulate routing tables originated from a
|
|
non-jailed process.</p>
|
|
|
|
<p>Jailed processes running with superuser privileges could
|
|
modify host routing tables. This could result in a variety
|
|
of consequences including packets being sent via an
|
|
incorrect network interface and packets being discarded
|
|
entirely.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0125</cvename>
|
|
<freebsdsa>SA-04:12.jailroute</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-03</discovery>
|
|
<entry>2004-06-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1db1ed59-af07-11d8-acb9-000d610a3b12">
|
|
<topic>buffer cache invalidation implementation issues</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.0</ge><lt>5.2_8</lt></range>
|
|
<range><ge>4.9</ge><lt>4.9_9</lt></range>
|
|
<range><ge>4.0</ge><lt>4.8_22</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Programming errors in the implementation of the msync(2)
|
|
system call involving the MS_INVALIDATE operation lead to
|
|
cache consistency problems between the virtual memory system
|
|
and on-disk contents.</p>
|
|
|
|
<p>In some situations, a user with read access to a file may
|
|
be able to prevent changes to that file from being committed
|
|
to disk.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0435</cvename>
|
|
<freebsdsa>SA-04:11.msync</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-24</discovery>
|
|
<entry>2004-05-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f7a3b18c-624c-4703-9756-b6b27429e5b0">
|
|
<topic>leafnode denial-of-service triggered by article request</topic>
|
|
<affects>
|
|
<package>
|
|
<name>leafnode</name>
|
|
<range><ge>1.9.20</ge><lt>1.9.30</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The leafnode NNTP server may go into an unterminated loop with 100%
|
|
CPU use when an article is requested by Message-ID that has been
|
|
crossposted to several news groups when one of the group names is the
|
|
prefix of another group name that the article was cross-posted
|
|
to. Found by Jan Knutar.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://leafnode.sourceforge.net/leafnode-SA-2002-01.txt</url>
|
|
<cvename>CVE-2002-1661</cvename>
|
|
<mlist msgid="20021229205023.GA5216@merlin.emma.line.org">http://sourceforge.net/mailarchive/message.php?msg_id=2796226</mlist>
|
|
<mlist msgid="20021229205023.GA5216@merlin.emma.line.org">http://article.gmane.org/gmane.network.leafnode.announce/8</mlist>
|
|
<bid>6490</bid>
|
|
<freebsdpr>ports/46613</freebsdpr>
|
|
</references>
|
|
<dates>
|
|
<discovery>2002-11-06</discovery>
|
|
<entry>2004-05-21</entry>
|
|
<modified>2005-05-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7b0208ff-3f65-4e16-8d4d-48fd9851f085">
|
|
<topic>leafnode fetchnews denial-of-service triggered by missing header</topic>
|
|
<affects>
|
|
<package>
|
|
<name>leafnode</name>
|
|
<range><ge>1.9.3</ge><le>1.9.41</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Fetchnews could hang when a news article to be downloaded lacked one
|
|
of the mandatory headers. Found by Joshua Crawford.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0744</cvename>
|
|
<url>http://leafnode.sourceforge.net/leafnode-SA-2003-01.txt</url>
|
|
<mlist msgid="20030904011904.GB12350@merlin.emma.line.org">http://sourceforge.net/mailarchive/message.php?msg_id=5975563</mlist>
|
|
<mlist msgid="20030904011904.GB12350@merlin.emma.line.org">http://article.gmane.org/gmane.network.leafnode.announce/21</mlist>
|
|
<bid>8541</bid>
|
|
<freebsdpr>ports/53838</freebsdpr>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-06-20</discovery>
|
|
<entry>2004-05-21</entry>
|
|
<modified>2005-05-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a051a4ec-3aa1-4dd1-9bdc-a61eb5700153">
|
|
<topic>leafnode fetchnews denial-of-service triggered by truncated transmission</topic>
|
|
<affects>
|
|
<package>
|
|
<name>leafnode</name>
|
|
<range><le>1.9.47</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When a downloaded news article ends prematurely, i. e. when the
|
|
server sends [CR]LF.[CR]LF before sending a blank line, fetchnews may
|
|
wait indefinitely for data that never arrives. Workaround: configure
|
|
"minlines=1" (or use a bigger value) in the configuration file. Found
|
|
by Toni Viemerö.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-2068</cvename>
|
|
<url>http://leafnode.sourceforge.net/leafnode-SA-2004-01.txt</url>
|
|
<url>http://sourceforge.net/tracker/index.php?func=detail&aid=873149&group_id=57767&atid=485349</url>
|
|
<mlist msgid="20040109015625.GA12319@merlin.emma.line.org">http://article.gmane.org/gmane.network.leafnode.announce/32</mlist>
|
|
<mlist msgid="20040109015625.GA12319@merlin.emma.line.org">http://sourceforge.net/mailarchive/message.php?msg_id=6922570</mlist>
|
|
<freebsdpr>ports/61105</freebsdpr>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-01-08</discovery>
|
|
<entry>2004-05-21</entry>
|
|
<modified>2005-05-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2e129846-8fbb-11d8-8b29-0020ed76ef5a">
|
|
<topic>MySQL insecure temporary file creation (mysqlbug)</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-client</name>
|
|
<range><ge>4.0</ge><lt>4.0.20</lt></range>
|
|
<range><ge>4.1</ge><lt>4.1.1_2</lt></range>
|
|
<range><ge>5.0</ge><lt>5.0.0_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Shaun Colley reports that the script `mysqlbug' included
|
|
with MySQL sometimes creates temporary files in an unsafe
|
|
manner. As a result, an attacker may create a symlink in
|
|
/tmp so that if another user invokes `mysqlbug' and <em>quits
|
|
without making <strong>any</strong> changes</em>, an
|
|
arbitrary file may be overwritten with the bug report
|
|
template.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=108023246916294&w=2</mlist>
|
|
<url>http://bugs.mysql.com/bug.php?id=3284</url>
|
|
<bid>9976</bid>
|
|
<cvename>CVE-2004-0381</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-25</discovery>
|
|
<entry>2004-04-16</entry>
|
|
<modified>2004-05-21</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5d36ef32-a9cf-11d8-9c6d-0020ed76ef5a">
|
|
<topic>subversion date parsing vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>subversion</name>
|
|
<range><lt>1.0.2_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefan Esser reports:</p>
|
|
<blockquote cite="http://security.e-matters.de/advisories/082004.html">
|
|
<p>Subversion versions up to 1.0.2 are vulnerable to a date
|
|
parsing vulnerability which can be abused to allow remote
|
|
code execution on Subversion servers and therefore could
|
|
lead to a repository compromise.</p>
|
|
</blockquote>
|
|
<p><em>NOTE:</em> This vulnerability is similar to the date
|
|
parsing issue that affected neon. However, it is a different
|
|
and distinct bug.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0397</cvename>
|
|
<url>http://security.e-matters.de/advisories/082004.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-19</discovery>
|
|
<entry>2004-05-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f93be979-a992-11d8-aecc-000d610a3b12">
|
|
<topic>cvs pserver remote heap buffer overflow</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.2</ge><lt>5.2_7</lt></range>
|
|
<range><ge>5.1</ge><lt>5.1_17</lt></range>
|
|
<range><ge>5.0</ge><lt>5.0_21</lt></range>
|
|
<range><ge>4.9</ge><lt>4.9_8</lt></range>
|
|
<range><ge>4.8</ge><lt>4.8_21</lt></range>
|
|
<range><ge>4.0</ge><lt>4.7_27</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Due to a programming error in code used to parse data
|
|
received from the client, malformed data can cause a heap
|
|
buffer to overflow, allowing the client to overwrite
|
|
arbitrary portions of the server's memory.</p>
|
|
<p>A malicious CVS client can exploit this to run arbitrary
|
|
code on the server at the privilege level of the CVS server
|
|
software.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0396</cvename>
|
|
<freebsdsa>SA-04:10.cvs</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-02</discovery>
|
|
<entry>2004-05-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="492f8896-70fa-11d8-873f-0020ed76ef5a">
|
|
<topic>Apache 2 mod_ssl denial-of-service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><ge>2.0</ge><le>2.0.48_3</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Joe Orton reports a memory leak in Apache 2's mod_ssl.
|
|
A remote attacker may issue HTTP requests on an HTTPS
|
|
port, causing an error. Due to a bug in processing this
|
|
condition, memory associated with the connection is
|
|
not freed. Repeated requests can result in consuming
|
|
all available memory resources, probably resulting in
|
|
termination of the Apache process.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0113</cvename>
|
|
<url>http://www.apacheweek.com/features/security-20</url>
|
|
<url>http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.100.2.11&r2=1.100.2.12</url>
|
|
<mlist>http://marc.theaimsgroup.com/?l=apache-cvs&m=107869699329638</mlist>
|
|
<url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106</url>
|
|
<bid>9826</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-20</discovery>
|
|
<entry>2004-03-08</entry>
|
|
<modified>2004-05-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="df333ede-a8ce-11d8-9c6d-0020ed76ef5a">
|
|
<topic>URI handler vulnerabilities in several browsers</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-opera</name>
|
|
<name>opera</name>
|
|
<range><lt>7.50</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>kdelibs</name>
|
|
<range><lt>3.2.2_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Karol Wiesek and Greg MacManus reported via iDEFENSE that the
|
|
Opera web browser contains a flaw in the handling of
|
|
certain URIs. When presented with these URIs, Opera would
|
|
invoke external commands to process them after some
|
|
validation. However, if the hostname component of a URI
|
|
begins with a `-', it may be treated as an option by an external
|
|
command. This could have undesirable side-effects, from
|
|
denial-of-service to code execution. The impact is very
|
|
dependent on local configuration.</p>
|
|
<p>After the iDEFENSE advisory was published, the KDE team
|
|
discovered similar problems in KDE's URI handlers.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0411</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities</url>
|
|
<url>http://www.kde.org/info/security/advisory-20040517-1.txt</url>
|
|
<url>http://freebsd.kde.org/index.php#n20040517</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-12</discovery>
|
|
<entry>2004-05-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="20be2982-4aae-11d8-96f2-0020ed76ef5a">
|
|
<topic>fsp buffer overflow and directory traversal vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fspd</name>
|
|
<range><lt>2.8.1.19</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The <a href="http://www.debian.org/security">Debian
|
|
security team</a> reported a pair of vulnerabilities in
|
|
fsp:</p>
|
|
<blockquote cite="http://www.debian.org/security/2004/dsa-416">
|
|
<p>A vulnerability was discovered in fsp, client utilities
|
|
for File Service Protocol (FSP), whereby a remote user could
|
|
both escape from the FSP root directory (CAN-2003-1022), and
|
|
also overflow a fixed-length buffer to execute arbitrary
|
|
code (CAN-2004-0011).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-1022</cvename>
|
|
<cvename>CVE-2004-0011</cvename>
|
|
<url>http://www.debian.org/security/2004/dsa-416</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-01-06</discovery>
|
|
<entry>2004-01-19</entry>
|
|
<modified>2004-05-17</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cb6c6c29-9c4f-11d8-9366-0020ed76ef5a">
|
|
<topic>proftpd IP address access control list breakage</topic>
|
|
<affects>
|
|
<package>
|
|
<name>proftpd</name>
|
|
<range><ge>1.2.9</ge><lt>1.2.10.r1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jindrich Makovicka reports a regression in proftpd's
|
|
handling of IP address access control lists (IP ACLs). Due
|
|
to this regression, some IP ACLs are treated as ``allow
|
|
all''.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0432</cvename>
|
|
<url>http://bugs.proftpd.org/show_bug.cgi?id=2267</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-11-04</discovery>
|
|
<entry>2004-05-02</entry>
|
|
<modified>2004-05-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fde53204-7ea6-11d8-9645-0020ed76ef5a">
|
|
<topic>insecure temporary file creation in xine-check, xine-bugreport</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xine</name>
|
|
<range><lt>0.9.23_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Some scripts installed with xine create temporary files
|
|
insecurely. It is recommended that these scripts (xine-check,
|
|
xine-bugreport) not be used. They are not needed for normal
|
|
operation.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=107997911025558</mlist>
|
|
<bid>9939</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-20</discovery>
|
|
<entry>2004-03-26</entry>
|
|
<modified>2004-05-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5f29c2e4-9f6a-11d8-abbc-00e08110b673">
|
|
<topic>exim buffer overflow when verify = header_syntax is used</topic>
|
|
<affects>
|
|
<package>
|
|
<name>exim</name>
|
|
<name>exim-ldap2</name>
|
|
<name>exim-mysql</name>
|
|
<name>exim-postgresql</name>
|
|
<range><lt>4.33+20_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A remote exploitable buffer overflow has been discovered
|
|
in exim when verify = header_syntax is used in the
|
|
configuration file. This does not affect the default
|
|
configuration.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.guninski.com/exim1.html</url>
|
|
<cvename>CVE-2004-0400</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-06</discovery>
|
|
<entry>2004-05-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a56a72bb-9f72-11d8-9585-0020ed76ef5a">
|
|
<topic>phpBB session table exhaustion</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpbb</name>
|
|
<range><le>2.0.8_2</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The includes/sessions.php unnecessarily adds session item into
|
|
session table and therefore vulnerable to a denial-of-service
|
|
attack.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="20040421011055.GA1448@frontfree.net">http://marc.theaimsgroup.com/?l=bugtraq&m=108256462710010</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-05</discovery>
|
|
<entry>2004-05-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="446dbecb-9edc-11d8-9366-0020ed76ef5a">
|
|
<topic>heimdal kadmind remote heap buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>heimdal</name>
|
|
<range><lt>0.6.1_1</lt></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>4.9</ge><lt>4.9_7</lt></range>
|
|
<range><ge>4.0</ge><lt>4.8_20</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An input validation error was discovered in the kadmind
|
|
code that handles the framing of Kerberos 4 compatibility
|
|
administration requests. The code assumed that the length
|
|
given in the framing was always two or more bytes. Smaller
|
|
lengths will cause kadmind to read an arbitrary amount of
|
|
data into a minimally-sized buffer on the heap.</p>
|
|
<p>A remote attacker may send a specially formatted message
|
|
to kadmind, causing it to crash or possibly resulting in
|
|
arbitrary code execution.</p>
|
|
<p>The kadmind daemon is part of Kerberos 5 support. However,
|
|
this bug will only be present if kadmind was built with
|
|
additional Kerberos 4 support. Thus, only systems that have
|
|
*both* Heimdal Kerberos 5 and Kerberos 4 installed might
|
|
be affected.</p>
|
|
<p><em>NOTE:</em> On FreeBSD 4 systems, `kadmind' may be
|
|
installed as `k5admind'.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0434</cvename>
|
|
<freebsdsa>SA-04:09.kadmind</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-05-05</discovery>
|
|
<entry>2004-05-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0792e7a7-8e37-11d8-90d1-0020ed76ef5a">
|
|
<topic>CVS path validation errors</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cvs+ipv6</name>
|
|
<range><le>1.11.5_1</le></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.2</ge><lt>5.2.1_5</lt></range>
|
|
<range><ge>4.9</ge><lt>4.9_5</lt></range>
|
|
<range><ge>4.8</ge><lt>4.8_18</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Two programming errors were discovered in which path names
|
|
handled by CVS were not properly validated. In one case,
|
|
the CVS client accepts absolute path names from the server
|
|
when determining which files to update. In another case,
|
|
the CVS server accepts relative path names from the client
|
|
when determining which files to transmit, including those
|
|
containing references to parent directories (`../').</p>
|
|
<p>These programming errors generally only have a security
|
|
impact when dealing with remote CVS repositories.</p>
|
|
<p>A malicious CVS server may cause a CVS client to overwrite
|
|
arbitrary files on the client's system.</p>
|
|
<p>A CVS client may request RCS files from a remote system
|
|
other than those in the repository specified by $CVSROOT.
|
|
These RCS files need not be part of any CVS repository
|
|
themselves.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0180</cvename>
|
|
<cvename>CVE-2004-0405</cvename>
|
|
<url>http://ccvs.cvshome.org/servlets/NewsItemView?newsID=102</url>
|
|
<freebsdsa>SA-04:07.cvs</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-14</discovery>
|
|
<entry>2004-04-14</entry>
|
|
<modified>2004-05-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7229d900-88af-11d8-90d1-0020ed76ef5a">
|
|
<topic>mksnap_ffs clears file system options</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.2</ge><lt>5.2_1</lt></range>
|
|
<range><ge>5.1</ge><lt>5.1_12</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The kernel interface for creating a snapshot of a
|
|
filesystem is the same as that for changing the flags on
|
|
that filesystem. Due to an oversight, the <a href="http://www.freebsd.org/cgi/man.cgi?query=mksnap_ffs">mksnap_ffs(8)</a>
|
|
command called that interface with only the snapshot flag
|
|
set, causing all other flags to be reset to the default
|
|
value.</p>
|
|
<p>A regularly scheduled backup of a live filesystem, or
|
|
any other process that uses the mksnap_ffs command
|
|
(for instance, to provide a rough undelete functionality
|
|
on a file server), will clear any flags in effect on the
|
|
filesystem being snapshot. Possible consequences depend
|
|
on local usage, but can include disabling extended access
|
|
control lists or enabling the use of setuid executables
|
|
stored on an untrusted filesystem.</p>
|
|
<p>The mksnap_ffs command is normally only available to
|
|
the superuser and members of the `operator' group. There
|
|
is therefore no risk of a user gaining elevated privileges
|
|
directly through use of the mksnap_ffs command unless
|
|
it has been intentionally made available to unprivileged
|
|
users.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0099</cvename>
|
|
<freebsdsa>SA-04:01.mksnap_ffs</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-01-30</discovery>
|
|
<entry>2004-04-07</entry>
|
|
<modified>2004-05-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f95a9005-88ae-11d8-90d1-0020ed76ef5a">
|
|
<topic>shmat reference counting bug</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.2</ge><lt>5.2_2</lt></range>
|
|
<range><ge>5.1</ge><lt>5.1_14</lt></range>
|
|
<range><ge>5.0</ge><lt>5.0_20</lt></range>
|
|
<range><ge>4.9</ge><lt>4.9_2</lt></range>
|
|
<range><ge>4.8</ge><lt>4.8_15</lt></range>
|
|
<range><lt>4.7_25</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A programming error in the <a href="http://www.freebsd.org/cgi/man.cgi?query=shmat">shmat(2)</a> system call can result
|
|
in a shared memory segment's reference count being erroneously
|
|
incremented.</p>
|
|
<p>It may be possible to cause a shared memory segment to
|
|
reference unallocated kernel memory, but remain valid.
|
|
This could allow a local attacker to gain read or write
|
|
access to a portion of kernel memory, resulting in sensitive
|
|
information disclosure, bypass of access control mechanisms,
|
|
or privilege escalation. </p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0114</cvename>
|
|
<freebsdsa>SA-04:02.shmat</freebsdsa>
|
|
<url>http://www.pine.nl/press/pine-cert-20040201.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-01</discovery>
|
|
<entry>2004-04-07</entry>
|
|
<modified>2004-05-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9082a85a-88ae-11d8-90d1-0020ed76ef5a">
|
|
<topic>jailed processes can attach to other jails</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.1</ge><lt>5.1_14</lt></range>
|
|
<range><ge>5.2</ge><lt>5.2.1</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A programming error has been found in the <a href="http://www.freebsd.org/cgi/man.cgi?query=jail_attach">jail_attach(2)</a>
|
|
system call which affects the way that system call verifies
|
|
the privilege level of the calling process. Instead of
|
|
failing immediately if the calling process was already
|
|
jailed, the jail_attach system call would fail only after
|
|
changing the calling process's root directory.</p>
|
|
<p>A process with superuser privileges inside a jail could
|
|
change its root directory to that of a different jail,
|
|
and thus gain full read and write access to files and
|
|
directories within the target jail. </p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0126</cvename>
|
|
<freebsdsa>SA-04:03.jail</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-19</discovery>
|
|
<entry>2004-04-07</entry>
|
|
<modified>2004-05-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e289f7fd-88ac-11d8-90d1-0020ed76ef5a">
|
|
<topic>many out-of-sequence TCP packets denial-of-service</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.2</ge><lt>5.2.1_2</lt></range>
|
|
<range><ge>5.0</ge><lt>5.1_15</lt></range>
|
|
<range><ge>4.9</ge><lt>4.9_3</lt></range>
|
|
<range><ge>4.8</ge><lt>4.8_16</lt></range>
|
|
<range><lt>4.7_26</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>FreeBSD does not limit the number of TCP segments that
|
|
may be held in a reassembly queue. A remote attacker may
|
|
conduct a low-bandwidth denial-of-service attack against
|
|
a machine providing services based on TCP (there are many
|
|
such services, including HTTP, SMTP, and FTP). By sending
|
|
many out-of-sequence TCP segments, the attacker can cause
|
|
the target machine to consume all available memory buffers
|
|
(``mbufs''), likely leading to a system crash. </p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0171</cvename>
|
|
<freebsdsa>SA-04:04.tcp</freebsdsa>
|
|
<url>http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-18</discovery>
|
|
<entry>2004-04-07</entry>
|
|
<modified>2004-05-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2c6acefd-8194-11d8-9645-0020ed76ef5a">
|
|
<topic>setsockopt(2) IPv6 sockets input validation error</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.2</ge><lt>5.2.1_4</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>From the FreeBSD Security Advisory:</p>
|
|
<blockquote>
|
|
<p>A programming error in the handling of some IPv6 socket
|
|
options within the <a href="http://www.freebsd.org/cgi/man.cgi?query=setsockopt">setsockopt(2)</a> system call may result
|
|
in memory locations being accessed without proper
|
|
validation.</p>
|
|
<p>It may be possible for a local attacker to read portions
|
|
of kernel memory, resulting in disclosure of sensitive
|
|
information. A local attacker can cause a system
|
|
panic.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0370</cvename>
|
|
<freebsdsa>SA-04:06.ipv6</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-29</discovery>
|
|
<entry>2004-03-29</entry>
|
|
<modified>2004-05-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="68233cba-7774-11d8-89ed-0020ed76ef5a">
|
|
<topic>OpenSSL ChangeCipherSpec denial-of-service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openssl</name>
|
|
<name>openssl-beta</name>
|
|
<range><lt>0.9.7d</lt></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>4.0</ge><lt>4.8_17</lt></range>
|
|
<range><ge>4.9</ge><lt>4.9_4</lt></range>
|
|
<range><ge>5.0</ge><lt>5.1_16</lt></range>
|
|
<range><ge>5.2</ge><lt>5.2.1_3</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A remote attacker could cause an application using OpenSSL to
|
|
crash by performing a specially crafted SSL/TLS handshake.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0079</cvename>
|
|
<url>http://www.openssl.org/news/secadv_20040317.txt</url>
|
|
<freebsdsa>SA-04:05.openssl</freebsdsa>
|
|
<certvu>288574</certvu>
|
|
<bid>9899</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-17</discovery>
|
|
<entry>2004-03-17</entry>
|
|
<modified>2004-05-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f04cc5cb-2d0b-11d8-beaf-000a95c4d922">
|
|
<topic>bind8 negative cache poison attack</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bind</name>
|
|
<range><ge>8.3</ge><lt>8.3.7</lt></range>
|
|
<range><ge>8.4</ge><lt>8.4.3</lt></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.1</ge><lt>5.1_11</lt></range>
|
|
<range><ge>5.0</ge><lt>5.0_19</lt></range>
|
|
<range><ge>4.9</ge><lt>4.9_1</lt></range>
|
|
<range><ge>4.8</ge><lt>4.8_14</lt></range>
|
|
<range><ge>4.7</ge><lt>4.7_24</lt></range>
|
|
<range><ge>4.6</ge><lt>4.6.2_27</lt></range>
|
|
<range><ge>4.5</ge><lt>4.5_37</lt></range>
|
|
<range><lt>4.4_47</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A programming error in BIND 8 named can result in a DNS
|
|
message being incorrectly cached as a negative response. As
|
|
a result, an attacker may arrange for malicious DNS messages
|
|
to be delivered to a target name server, and cause that name
|
|
server to cache a negative response for some target domain
|
|
name. The name server would thereafter respond negatively
|
|
to legitimate queries for that domain name, resulting in a
|
|
denial-of-service for applications that require DNS.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0914</cvename>
|
|
<freebsdsa>SA-03:19.bind</freebsdsa>
|
|
<certvu>734644</certvu>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-11-28</discovery>
|
|
<entry>2003-12-12</entry>
|
|
<modified>2004-05-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="bfb36941-84fa-11d8-a41f-0020ed76ef5a">
|
|
<topic>Incorrect cross-realm trust handling in Heimdal</topic>
|
|
<affects>
|
|
<package>
|
|
<name>heimdal</name>
|
|
<range><lt>0.6.1</lt></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>5.0</ge><lt>5.2_6</lt></range>
|
|
<range><ge>4.9</ge><lt>4.9_6</lt></range>
|
|
<range><ge>4.0</ge><lt>4.8_19</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Heimdal does not correctly validate the `transited' field of
|
|
Kerberos tickets when computing the authentication path. This
|
|
could allow a rogue KDC with which cross-realm relationships
|
|
have been established to impersonate any KDC in the
|
|
authentication path.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0371</cvename>
|
|
<freebsdsa>SA-04:08.heimdal</freebsdsa>
|
|
<url>http://www.pdc.kth.se/heimdal/advisory/2004-04-01/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-01</discovery>
|
|
<entry>2004-04-02</entry>
|
|
<modified>2004-05-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a2ffb627-9c53-11d8-9366-0020ed76ef5a">
|
|
<topic>lha buffer overflows and path traversal issues</topic>
|
|
<affects>
|
|
<package>
|
|
<name>lha</name>
|
|
<range><lt>1.14i_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ulf Härnhammar discovered several vulnerabilities in
|
|
LHa for UNIX's path name handling code. Specially constructed
|
|
archive files may cause LHa to overwrite files or
|
|
execute arbitrary code with the privileges of the user
|
|
invoking LHa. This could be particularly harmful for
|
|
automated systems that might handle archives such as
|
|
virus scanning processes.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0234</cvename>
|
|
<cvename>CVE-2004-0235</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-29</discovery>
|
|
<entry>2004-05-02</entry>
|
|
<modified>2004-05-03</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8338a20f-9573-11d8-9366-0020ed76ef5a">
|
|
<topic>xchat remotely exploitable buffer overflow (Socks5)</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xchat2</name>
|
|
<range><ge>1.8</ge><lt>2.0.8_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A straightforward stack buffer overflow exists in XChat's
|
|
Socks5 proxy support.</p>
|
|
<p>The XChat developers report that `tsifra' discovered this
|
|
issue.</p>
|
|
<p>NOTE: XChat Socks5 support is disabled by support in the
|
|
FreeBSD Ports Collection.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0409</cvename>
|
|
<url>http://xchat.org/files/source/2.0/patches/xc208-fixsocks5.diff</url>
|
|
<mlist msgid="20040405171305.04f19c44.zed@xchat.org">http://marc.theaimsgroup.com/?l=xchat-announce&m=108114935507357</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-05</discovery>
|
|
<entry>2004-04-23</entry>
|
|
<modified>2004-05-03</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="73ea0706-9c57-11d8-9366-0020ed76ef5a">
|
|
<topic>rsync path traversal issue</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rsync</name>
|
|
<range><lt>2.6.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When running rsync in daemon mode, no checks were made
|
|
to prevent clients from writing outside of a module's
|
|
`path' setting.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0426</cvename>
|
|
<url>http://rsync.samba.org/#security_apr04</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-26</discovery>
|
|
<entry>2004-05-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e50b04e8-9c55-11d8-9366-0020ed76ef5a">
|
|
<topic>xine-lib arbitrary file overwrite</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libxine</name>
|
|
<range><gt>0.9</gt><lt>1.0.r3_5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>From the xinehq advisory:</p>
|
|
<blockquote cite="http://www.xinehq.de/index.php/security/XSA-2004-1">
|
|
<p>By opening a malicious MRL in any xine-lib based media
|
|
player, an attacker can write arbitrary content to an
|
|
arbitrary file, only restricted by the permissions of the
|
|
user running the application.</p>
|
|
</blockquote>
|
|
<p>The flaw is a result of a feature that allows MRLs (media
|
|
resource locator URIs) to specify arbitrary configuration
|
|
options.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>10193</bid>
|
|
<url>http://www.xinehq.de/index.php/security/XSA-2004-1</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-20</discovery>
|
|
<entry>2004-05-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fb521119-9bc4-11d8-9366-0020ed76ef5a">
|
|
<topic>pound remotely exploitable vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pound</name>
|
|
<range><lt>1.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An unknown remotely exploitable vulnerability was disclosed.
|
|
Robert Segall writes:</p>
|
|
<blockquote cite="http://www.apsis.ch/pound/pound_list/archive/2003/2003-12/1070234315000">
|
|
<p>a security vulnerability was brought to my attention
|
|
(many thanks to Akira Higuchi). Everyone running any
|
|
previous version should upgrade to 1.6 immediately - the
|
|
vulnerability may allow a remote exploit. No exploits are
|
|
currently known and none have been observed in the wild
|
|
till now. The danger is minimised if you run Pound in a
|
|
root jail and/or you run Pound as non-root user.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://www.apsis.ch/pound/pound_list/archive/2003/2003-12/1070234315000</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-12-01</discovery>
|
|
<entry>2004-05-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cfe17ca6-6858-4805-ba1d-a60a61ec9b4d">
|
|
<topic>phpBB IP address spoofing</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpbb</name>
|
|
<range><le>2.0.8_2</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The common.php script always trusts the `X-Forwarded-For'
|
|
header in the client's HTTP request. A remote user could
|
|
forge this header in order to bypass any IP address access
|
|
control lists (ACLs).</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="20040419000129.28917.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=108239864203144</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-18</discovery>
|
|
<entry>2004-04-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c7705712-92e6-11d8-8b29-0020ed76ef5a">
|
|
<topic>TCP denial-of-service attacks against long lived connections</topic>
|
|
<affects>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>0</ge></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p><a href="http://www.niscc.gov.uk/">NISCC</a> /
|
|
<a href="http://www.uniras.gov.uk/">UNIRAS</a> has published
|
|
an advisory that re-visits the long discussed spoofed TCP RST
|
|
denial-of-service vulnerability. This new look emphasizes
|
|
the fact that for some applications such attacks are
|
|
practically feasible.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0230</cvename>
|
|
<url>http://www.uniras.gov.uk/vuls/2004/236929/index.htm</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>1995-06-01</discovery>
|
|
<entry>2004-04-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="99230277-8fb4-11d8-8b29-0020ed76ef5a">
|
|
<topic>ident2 double byte buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ident2</name>
|
|
<range><le>1.04</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jack of RaptureSecurity reported a double byte buffer
|
|
overflow in ident2. The bug may allow a remote attacker to
|
|
execute arbitrary code within the context of the ident2
|
|
daemon. The daemon typically runs as user-ID `nobody', but
|
|
with group-ID `wheel'.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0408</cvename>
|
|
<url>http://cvsweb.freebsd.org/ports/security/ident2/files/patch-common.c</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-15</discovery>
|
|
<entry>2004-04-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="da6f265b-8f3d-11d8-8b29-0020ed76ef5a">
|
|
<topic>kdepim exploitable buffer overflow in VCF reader</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kdepim</name>
|
|
<range><ge>3.1.0</ge><lt>3.1.4_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A buffer overflow is present in some versions of the KDE
|
|
personal information manager (kdepim) which may be triggered
|
|
when processing a specially crafted VCF file.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0988</cvename>
|
|
<url>http://www.kde.org/info/security/advisory-20040114-1.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-01-14</discovery>
|
|
<entry>2004-04-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ccd698df-8e20-11d8-90d1-0020ed76ef5a">
|
|
<topic>racoon remote denial of service vulnerability (ISAKMP header length field)</topic>
|
|
<affects>
|
|
<package>
|
|
<name>racoon</name>
|
|
<range><lt>20040408a</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When racoon receives an ISAKMP header, it will attempt to
|
|
allocate sufficient memory for the entire ISAKMP message
|
|
according to the header's length field. If an attacker
|
|
crafts an ISAKMP header with a ridiculously large value
|
|
in the length field, racoon may exceed operating system
|
|
resource limits and be terminated, resulting in a denial of
|
|
service.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0403</cvename>
|
|
<url>http://www.kame.net/dev/cvsweb2.cgi/kame/kame/kame/racoon/isakmp.c.diff?r1=1.180&r2=1.181</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-31</discovery>
|
|
<entry>2004-04-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="40fcf20f-8891-11d8-90d1-0020ed76ef5a">
|
|
<topic>racoon remote denial of service vulnerability (IKE Generic Payload Header)</topic>
|
|
<affects>
|
|
<package>
|
|
<name>racoon</name>
|
|
<range><lt>20040407b</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When racoon receives an IKE message with an incorrectly
|
|
constructed Generic Payload Header, it may behave erratically,
|
|
going into a tight loop and dropping connections.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0392</cvename>
|
|
<url>http://orange.kame.net/dev/query-pr.cgi?pr=555</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-12-03</discovery>
|
|
<entry>2004-04-07</entry>
|
|
<modified>2004-04-14</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f8551668-de09-4d7b-9720-f1360929df07">
|
|
<topic>tcpdump ISAKMP payload handling remote denial-of-service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tcpdump</name>
|
|
<range><lt>3.8.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>racoon</name>
|
|
<range><lt>20040408a</lt></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><ge>0</ge></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Chad Loder has discovered vulnerabilities in tcpdump's
|
|
ISAKMP protocol handler. During an audit to repair these
|
|
issues, Bill Fenner discovered some related problems.</p>
|
|
<p>These vulnerabilities may be used by an attacker to crash a
|
|
running `tcpdump' process. They can only be triggered if
|
|
the `-v' command line option is being used.</p>
|
|
<p>NOTE: the racoon ISAKMP/IKE daemon incorporates the ISAKMP
|
|
protocol handler from tcpdump, and so is also affected by
|
|
this issue.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=108067265931525</mlist>
|
|
<url>http://www.rapid7.com/advisories/R7-0017.html</url>
|
|
<cvename>CVE-2004-0183</cvename>
|
|
<cvename>CVE-2004-0184</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-12</discovery>
|
|
<entry>2004-03-31</entry>
|
|
<modified>2004-04-14</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="322d4ff6-85c3-11d8-a41f-0020ed76ef5a">
|
|
<topic>Midnight Commander buffer overflow during symlink resolution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mc</name>
|
|
<range><lt>4.6.0_9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Midnight Commander uses a fixed sized stack buffer while
|
|
resolving symbolic links within file archives (tar or cpio).
|
|
If an attacker can cause a user to process a specially
|
|
crafted file archive with Midnight Commander,
|
|
the attacker may be able to obtain the privileges of the
|
|
target user.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-1023</cvename>
|
|
<mlist msgid="E1A0LbX-000NPk-00.alienhard-mail-ru@f9.mail.ru">http://marc.theaimsgroup.com/?l=bugtraq&m=106399528518704</mlist>
|
|
<bid>8658</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-09-19</discovery>
|
|
<entry>2004-04-03</entry>
|
|
<modified>2004-04-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d8769838-8814-11d8-90d1-0020ed76ef5a">
|
|
<topic>racoon fails to verify signature during Phase 1</topic>
|
|
<affects>
|
|
<package>
|
|
<name>racoon</name>
|
|
<range><lt>20040407b</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ralf Spenneberg discovered a serious flaw in racoon.
|
|
When using Phase 1 main or aggressive mode, racoon does
|
|
not verify the client's RSA signature. Any installations
|
|
using <em>X.509 authentication</em> are <strong>strongly
|
|
urged</strong> to upgrade.</p>
|
|
<p>Installations using <em>pre-shared keys</em> are believed
|
|
to be unaffected.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0155</cvename>
|
|
<url>http://www.kame.net/dev/cvsweb2.cgi/kame/kame/kame/racoon/crypto_openssl.c?rev=1.84&content-type=text/x-cvsweb-markup</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-04-05</discovery>
|
|
<entry>2004-04-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6fd02439-5d70-11d8-80e3-0020ed76ef5a">
|
|
<topic>Several remotely exploitable buffer overflows in gaim</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gaim</name>
|
|
<name>ja-gaim</name>
|
|
<name>ko-gaim</name>
|
|
<name>ru-gaim</name>
|
|
<range><lt>0.75_3</lt></range>
|
|
<range><eq>0.75_5</eq></range>
|
|
<range><eq>0.76</eq></range>
|
|
</package>
|
|
<package>
|
|
<name>gaim</name>
|
|
<range><ge>20030000</ge></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefan Esser of e-matters found almost a dozen remotely
|
|
exploitable vulnerabilities in Gaim. From the e-matters
|
|
advisory:</p>
|
|
<blockquote cite="http://security.e-matters.de/advisories/012004.txt">
|
|
<p>While developing a custom add-on, an integer overflow
|
|
in the handling of AIM DirectIM packets was revealed that
|
|
could lead to a remote compromise of the IM client. After
|
|
disclosing this bug to the vendor, they had to make a
|
|
hurried release because of a change in the Yahoo connection
|
|
procedure that rendered GAIM useless. Unfourtunately at the
|
|
same time a closer look onto the sourcecode revealed 11 more
|
|
vulnerabilities.</p>
|
|
|
|
<p>The 12 identified problems range from simple standard
|
|
stack overflows, over heap overflows to an integer overflow
|
|
that can be abused to cause a heap overflow. Due to the
|
|
nature of instant messaging many of these bugs require
|
|
man-in-the-middle attacks between client and server. But the
|
|
underlying protocols are easy to implement and MIM attacks
|
|
on ordinary TCP sessions is a fairly simple task.</p>
|
|
|
|
<p>In combination with the latest kernel vulnerabilities or
|
|
the habit of users to work as root/administrator these bugs
|
|
can result in remote root compromises.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://security.e-matters.de/advisories/012004.txt</url>
|
|
<cvename>CVE-2004-0005</cvename>
|
|
<cvename>CVE-2004-0006</cvename>
|
|
<cvename>CVE-2004-0007</cvename>
|
|
<cvename>CVE-2004-0008</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-01-26</discovery>
|
|
<entry>2004-02-12</entry>
|
|
<modified>2004-10-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="290d81b9-80f1-11d8-9645-0020ed76ef5a">
|
|
<topic>oftpd denial-of-service vulnerability (PORT command)</topic>
|
|
<affects>
|
|
<package>
|
|
<name>oftpd</name>
|
|
<range><lt>0.3.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Philippe Oechslin reported a denial-of-service vulnerability
|
|
in oftpd. The oftpd server can be crashed by sending a PORT
|
|
command containing an integer over 8 bits long (over 255).</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.time-travellers.org/oftpd/oftpd-dos.html</url>
|
|
<bid>9980</bid>
|
|
<cvename>CVE-2004-0376</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-04</discovery>
|
|
<entry>2004-03-28</entry>
|
|
<modified>2004-04-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="705e003a-7f36-11d8-9645-0020ed76ef5a">
|
|
<topic>squid ACL bypass due to URL decoding bug</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>squid-2.5.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>From the Squid advisory:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2004_1.txt">
|
|
<p>Squid versions 2.5.STABLE4 and earlier contain a bug
|
|
in the "%xx" URL decoding function. It may insert a NUL
|
|
character into decoded URLs, which may allow users to bypass
|
|
url_regex ACLs.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.squid-cache.org/Advisories/SQUID-2004_1.txt</url>
|
|
<cvename>CVE-2004-0189</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-29</discovery>
|
|
<entry>2004-03-26</entry>
|
|
<modified>2004-03-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cad045c0-81a5-11d8-9645-0020ed76ef5a">
|
|
<topic>zebra/quagga denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zebra</name>
|
|
<range><lt>0.93b_7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>quagga</name>
|
|
<range><lt>0.96.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A remote attacker could cause zebra/quagga to crash by
|
|
sending a malformed telnet command to their management
|
|
port.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0858</cvename>
|
|
<url>http://rhn.redhat.com/errata/RHSA-2003-305.html</url>
|
|
<url>http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140</url>
|
|
<mlist>http://lists.quagga.net/pipermail/quagga-users/2003-November/000906.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-11-20</discovery>
|
|
<entry>2004-03-29</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c551ae17-7f00-11d8-868e-000347dd607f">
|
|
<topic>multiple vulnerabilities in phpBB</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpbb</name>
|
|
<range><lt>2.0.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Users with admin rights can severly damage an phpBB installation,
|
|
potentially triggered by viewing a page with a malicious link sent
|
|
by an attacker.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.gulftech.org/03202004.php</url>
|
|
<url>http://www.phpbb.com/phpBB/viewtopic.php?t=183982</url>
|
|
<bid>9942</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-20</discovery>
|
|
<entry>2004-03-26</entry>
|
|
<modified>2004-03-29</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c480eb5e-7f00-11d8-868e-000347dd607f">
|
|
<topic>ezbounce remote format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ezbounce</name>
|
|
<range><lt>1.04.a_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A security hole exists that can be used to crash the proxy and
|
|
execute arbitrary code. An exploit is circulating that takes
|
|
advantage of this, and in some cases succeeds in obtaining a login
|
|
shell on the machine.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0510</cvename>
|
|
<url>http://ezbounce.dc-team.com/</url>
|
|
<bid>8071</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-07-01</discovery>
|
|
<entry>2004-03-26</entry>
|
|
<modified>2004-03-29</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="739bb51d-7e82-11d8-9645-0020ed76ef5a">
|
|
<topic>racoon security association deletion vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>racoon</name>
|
|
<range><lt>20040116a</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A remote attacker may use specially crafted IKE/ISAKMP
|
|
messages to cause racoon to delete security associations.
|
|
This could result in denial-of-service or possibly cause
|
|
sensitive traffic to be transmitted in plaintext, depending
|
|
upon configuration.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="20040113213940.GA1727@hzeroseven.org">http://www.securityfocus.com/archive/1/349756</mlist>
|
|
<bid>9416</bid>
|
|
<bid>9417</bid>
|
|
<cvename>CVE-2004-0164</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-01-13</discovery>
|
|
<entry>2004-03-25</entry>
|
|
<modified>2004-03-29</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3b7c7f6c-7102-11d8-873f-0020ed76ef5a">
|
|
<topic>wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wu-ftpd</name>
|
|
<range><le>2.6.2_3</le></range>
|
|
</package>
|
|
<package>
|
|
<name>wu-ftpd+ipv6</name>
|
|
<range><le>2.6.2_5</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Glenn Stewart reports a bug in wu-ftpd's ftpaccess
|
|
`restricted-uid'/`restricted-gid' directives:</p>
|
|
<blockquote>
|
|
<p>Users can get around the restriction to their home
|
|
directory by issuing a simple chmod command on their home
|
|
directory. On the next ftp log in, the user will have '/'
|
|
as their root directory.</p>
|
|
</blockquote>
|
|
<p>Matt Zimmerman discovered that the cause of the bug was a
|
|
missing check for a restricted user within a code path that
|
|
is executed only when a certain error is encountered.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0148</cvename>
|
|
<bid>9832</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-17</discovery>
|
|
<entry>2004-03-08</entry>
|
|
<modified>2004-03-29</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8471bb85-6fb0-11d8-873f-0020ed76ef5a">
|
|
<topic>GNU Anubis buffer overflows and format string vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>anubis</name>
|
|
<range><le>3.6.2_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ulf Härnhammar discovered several vulnerabilities in GNU
|
|
Anubis.</p>
|
|
<ul>
|
|
<li>Unsafe uses of `sscanf'. The `%s' format specifier is
|
|
used, which allows a classical buffer overflow. (auth.c)</li>
|
|
<li>Format string bugs invoking `syslog'. (log.c, errs.c,
|
|
ssl.c)</li>
|
|
</ul>
|
|
<p>Ulf notes that these vulnerabilities can be exploited by a
|
|
malicious IDENT server as a denial-of-service attack.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-March/018290.html</mlist>
|
|
<bid>9772</bid>
|
|
<cvename>CVE-2004-0353</cvename>
|
|
<cvename>CVE-2004-0354</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-04</discovery>
|
|
<entry>2004-03-06</entry>
|
|
<modified>2004-03-29</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3837f462-5d6b-11d8-80e3-0020ed76ef5a">
|
|
<topic>Buffer overflows in XFree86 servers</topic>
|
|
<affects>
|
|
<package>
|
|
<name>XFree86-Server</name>
|
|
<range><le>4.3.0_13</le></range>
|
|
<range><ge>4.3.99</ge><le>4.3.99.15_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A number of buffer overflows were recently discovered in
|
|
XFree86, prompted by initial discoveries by iDEFENSE. These
|
|
buffer overflows are present in the font alias handling. An
|
|
attacker with authenticated access to a running X server may
|
|
exploit these vulnerabilities to obtain root privileges on
|
|
the machine running the X server.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.idefense.com/application/poi/display?id=72</url>
|
|
<url>http://www.idefense.com/application/poi/display?id=73</url>
|
|
<cvename>CVE-2004-0083</cvename>
|
|
<cvename>CVE-2004-0084</cvename>
|
|
<cvename>CVE-2004-0106</cvename>
|
|
<bid>9636</bid>
|
|
<bid>9652</bid>
|
|
<bid>9655</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-10</discovery>
|
|
<entry>2004-02-12</entry>
|
|
<modified>2004-03-29</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e25566d5-6d3f-11d8-83a4-000a95bc6fae">
|
|
<topic>multiple buffer overflows in xboing</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xboing</name>
|
|
<range><lt>2.4_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Steve Kemp reports (in a Debian bug submission):</p>
|
|
<blockquote cite="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174924">
|
|
<p>Due to improper bounds checking it is possible for a
|
|
malicious user to gain a shell with membership group
|
|
'games'. (The binary is installed setgid games).</p>
|
|
<p>Environmental variables are used without being bounds-checked
|
|
in any way, from the source code:</p>
|
|
<pre>
|
|
highscore.c:
|
|
/* Use the environment variable if it exists */
|
|
if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
|
|
strcpy(filename, str);
|
|
else
|
|
strcpy(filename, HIGH_SCORE_FILE);
|
|
|
|
misc.c:
|
|
if ((ptr = getenv("HOME")) != NULL)
|
|
(void) strcpy(dest, ptr);
|
|
</pre>
|
|
<p>Neither of these checks are boundschecked, and will allow
|
|
arbitary shell code to be run.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0149</cvename>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174924</url>
|
|
<bid>9764</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-01-01</discovery>
|
|
<entry>2004-03-05</entry>
|
|
<modified>2004-03-29</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a20082c3-6255-11d8-80e3-0020ed76ef5a">
|
|
<topic>metamail format string bugs and buffer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>metamail</name>
|
|
<range><lt>2.7_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ulf Härnhammar reported four bugs in metamail: two are format
|
|
string bugs and two are buffer overflows. The bugs are in
|
|
SaveSquirrelFile(), PrintHeader(), and ShareThisHeader().</p>
|
|
<p>These vulnerabilities could be triggered by a maliciously
|
|
formatted email message if `metamail' or `splitmail' is used
|
|
to process it, possibly resulting in arbitrary code execution
|
|
with the privileges of the user reading mail.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0104</cvename>
|
|
<cvename>CVE-2004-0105</cvename>
|
|
<bid>9692</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-18</discovery>
|
|
<entry>2004-02-18</entry>
|
|
<modified>2004-03-29</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ce46b93a-80f2-11d8-9645-0020ed76ef5a">
|
|
<topic>Buffer overflows and format string bugs in Emil</topic>
|
|
<affects>
|
|
<package>
|
|
<name>emil</name>
|
|
<range><le>2.1b9</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ulf Härnhammar reports multiple buffer overflows in
|
|
Emil, some of which are triggered during the parsing
|
|
of attachment filenames. In addition, some format string bugs
|
|
are present in the error reporting code.</p>
|
|
<p>Depending upon local configuration, these vulnerabilities
|
|
may be exploited using specially crafted messages in order
|
|
to execute arbitrary code running with the privileges of
|
|
the user invoking Emil.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-March/019325.html</mlist>
|
|
<url>http://www.debian.org/security/2004/dsa-468</url>
|
|
<cvename>CVE-2004-0152</cvename>
|
|
<cvename>CVE-2004-0153</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-24</discovery>
|
|
<entry>2004-03-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="70f5b3c6-80f0-11d8-9645-0020ed76ef5a">
|
|
<topic>Critical SQL injection in phpBB</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpbb</name>
|
|
<range><le>2.0.8</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Anyone can get admin's username and password's md5 hash via a
|
|
single web request.
|
|
A working example is provided in the advisory.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=108032454818873</mlist>
|
|
<bid>9984</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-26</discovery>
|
|
<entry>2004-03-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6c7661ff-7912-11d8-9645-0020ed76ef5a">
|
|
<topic>uudeview buffer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>uulib</name>
|
|
<name>uudeview</name>
|
|
<name>xdeview</name>
|
|
<range><lt>0.5.20</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The authors of UUDeview report repairing two buffer
|
|
overflows in their software.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.fpx.de/fp/Software/UUDeview/HISTORY.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-01</discovery>
|
|
<entry>2004-03-18</entry>
|
|
<modified>2004-03-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="09d418db-70fd-11d8-873f-0020ed76ef5a">
|
|
<topic>Apache 1.3 IP address access control failure on some 64-bit platforms</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><lt>1.3.29_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+mod_ssl</name>
|
|
<range><lt>1.3.29+2.8.16_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache+ssl</name>
|
|
<range><lt>1.3.29.1.53_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-apache</name>
|
|
<range><lt>1.3.29+30.19_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-apache+mod_ssl</name>
|
|
<range><lt>1.3.29+30.19+2.8.16_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Henning Brauer discovered a programming error in Apache
|
|
1.3's mod_access that results in the netmasks in IP address
|
|
access control rules being interpreted incorrectly on
|
|
64-bit, big-endian platforms. In some cases, this could
|
|
cause a `deny from' IP address access control rule including
|
|
a netmask to fail.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0993</cvename>
|
|
<url>http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_access.c?r1=1.46&r2=1.47</url>
|
|
<url>http://www.apacheweek.com/features/security-13</url>
|
|
<url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23850</url>
|
|
<mlist>http://marc.theaimsgroup.com/?l=apache-cvs&m=107869603013722</mlist>
|
|
<bid>9829</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-03-07</discovery>
|
|
<entry>2004-03-08</entry>
|
|
<modified>2004-03-12</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1a448eb7-6988-11d8-873f-0020ed76ef5a">
|
|
<topic>mod_python denial-of-service vulnerability in parse_qs</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_python</name>
|
|
<range><ge>2.7</ge><lt>2.7.10</lt></range>
|
|
<range><ge>3.0</ge><lt>3.0.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An attacker may cause Apache with mod_python to crash
|
|
by using a specially constructed query string.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0973</cvename>
|
|
<bid>9129</bid>
|
|
<url>http://www.modpython.org/pipermail/mod_python/2003-November/014532.html</url>
|
|
<url>http://www.modpython.org/pipermail/mod_python/2004-January/014879.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-11-28</discovery>
|
|
<entry>2004-03-03</entry>
|
|
<modified>2004-03-11</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9fccad5a-7096-11d8-873f-0020ed76ef5a">
|
|
<topic>mpg123 vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mpg123</name>
|
|
<name>mpg123-nas</name>
|
|
<name>mpg123-esound</name>
|
|
<range><le>0.59r_12</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>In 2003, two vulnerabilities were discovered in mpg123
|
|
that could result in remote code execution when using
|
|
untrusted input or streaming from an untrusted server.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0577</cvename>
|
|
<cvename>CVE-2003-0865</cvename>
|
|
<bid>6629</bid>
|
|
<bid>8680</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-01-16</discovery>
|
|
<entry>2004-03-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ac4b9d18-67a9-11d8-80e3-0020ed76ef5a">
|
|
<topic>fetchmail denial-of-service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fetchmail</name>
|
|
<range><lt>6.2.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Dave Jones discovered a denial-of-service vulnerability
|
|
in fetchmail. An email message containing a very long line
|
|
could cause fetchmail to segfault due to missing NUL
|
|
termination in transact.c.</p>
|
|
<p>Eric Raymond decided not to mention this issue in the
|
|
release notes for fetchmail 6.2.5, but it was fixed
|
|
there.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0792</cvename>
|
|
<bid>8843</bid>
|
|
<url>http://xforce.iss.net/xforce/xfdb/13450</url>
|
|
<url>http://www.openbsd.org/cgi-bin/cvsweb/ports/mail/fetchmail/patches/Attic/patch-rfc822_c?rev=1.1</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-10-16</discovery>
|
|
<entry>2004-02-25</entry>
|
|
<modified>2004-03-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b0e76877-67a8-11d8-80e3-0020ed76ef5a">
|
|
<topic>mailman denial-of-service vulnerability in MailCommandHandler</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mailman</name>
|
|
<range><lt>2.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A malformed message could cause mailman to crash.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0991</cvename>
|
|
<url>http://umn.dl.sourceforge.net/sourceforge/mailman/mailman-2.0.13-2.0.14-diff.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-11-18</discovery>
|
|
<entry>2004-02-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3cb88bb2-67a6-11d8-80e3-0020ed76ef5a">
|
|
<topic>mailman XSS in admin script</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mailman</name>
|
|
<range><lt>2.1.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Dirk Mueller reports:</p>
|
|
<blockquote><p>I've found a cross-site scripting
|
|
vulnerability in the admin interface of mailman 2.1.3 that
|
|
allows, under certain circumstances, for anyone to retrieve
|
|
the (valid) session cookie.</p></blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0965</cvename>
|
|
<url>http://mail.python.org/pipermail/mailman-announce/2003-December/000066.html</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/14121</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-12-31</discovery>
|
|
<entry>2004-02-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="429249d2-67a7-11d8-80e3-0020ed76ef5a">
|
|
<topic>mailman XSS in create script</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mailman</name>
|
|
<range><lt>2.1.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>From the 2.1.3 release notes:</p>
|
|
<blockquote><p>Closed a cross-site scripting exploit in the
|
|
create cgi script.</p></blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0992</cvename>
|
|
<url>http://mail.python.org/pipermail/mailman-announce/2003-September/000061.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-09-28</discovery>
|
|
<entry>2004-02-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="00263aa3-67a8-11d8-80e3-0020ed76ef5a">
|
|
<topic>mailman XSS in user options page</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mailman</name>
|
|
<range><lt>2.1.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>From the 2.1.1 release notes:</p>
|
|
<blockquote><p>Closed a cross-site scripting vulnerability in
|
|
the user options page.</p></blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0038</cvename>
|
|
<url>http://mail.python.org/pipermail/mailman-announce/2003-February/000056.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-02-08</discovery>
|
|
<entry>2004-02-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="75770425-67a2-11d8-80e3-0020ed76ef5a">
|
|
<topic>SQL injection vulnerability in phpnuke</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpnuke</name>
|
|
<range><le>6.9</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Multiple researchers have discovered multiple SQL injection
|
|
vulnerabilities in some versions of Php-Nuke. These
|
|
vulnerabilities may lead to information disclosure, compromise
|
|
of the Php-Nuke site, or compromise of the back-end
|
|
database.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://security.nnov.ru/search/document.asp?docid=5748</url>
|
|
<mlist>http://www.securityfocus.com/archive/1/348375</mlist>
|
|
<url>http://www.security-corporation.com/advisories-027.html</url>
|
|
<mlist>http://www.securityfocus.com/archive/1/353201</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-12-12</discovery>
|
|
<entry>2004-02-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ad4f6ca4-6720-11d8-9fb5-000a95bc6fae">
|
|
<topic>lbreakout2 vulnerability in environment variable handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>lbreakout2</name>
|
|
<range><le>2.2.2_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ulf Härnhammar discovered an exploitable vulnerability in
|
|
lbreakout2's environmental variable handling. In several
|
|
instances, the contents of the HOME environmental variable
|
|
are copied to a stack or global buffer without range
|
|
checking. A local attacker may use this vulnerability to
|
|
acquire group-ID `games' privileges.</p>
|
|
<p>An exploit for this vulnerability has been published by
|
|
``Li0n7 voila fr''.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0158</cvename>
|
|
<url>http://www.debian.org/security/2004/dsa-445</url>
|
|
<mlist>http://www.securityfocus.com/archive/1/354760</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-21</discovery>
|
|
<entry>2004-02-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="316e1c9b-671c-11d8-9aad-000a95bc6fae">
|
|
<topic>hsftp format string vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>hsftp</name>
|
|
<range><lt>1.14</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ulf Härnhammar discovered a format string bug in hsftp's file
|
|
listing code may allow a malicious server to cause arbitrary
|
|
code execution by the client.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00044.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-22</discovery>
|
|
<entry>2004-02-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c7cad0f0-671a-11d8-bdeb-000a95bc6fae">
|
|
<topic>Darwin Streaming Server denial-of-service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>DarwinStreamingServer</name>
|
|
<range><le>4.1.3g</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An attacker can cause an assertion to trigger by sending
|
|
a long User-Agent field in a request.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0169</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=75</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-23</discovery>
|
|
<entry>2004-02-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="847ade05-6717-11d8-b321-000a95bc6fae">
|
|
<topic>libxml2 stack buffer overflow in URI parsing</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libxml2</name>
|
|
<range><lt>2.6.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Yuuichi Teranishi reported a crash in libxml2's URI handling
|
|
when a long URL is supplied. The implementation in nanohttp.c
|
|
and nanoftp.c uses a 4K stack buffer, and longer URLs will
|
|
overwrite the stack. This could result in denial-of-service
|
|
or arbitrary code execution in applications using libxml2
|
|
to parse documents.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0110</cvename>
|
|
<url>http://www.xmlsoft.org/news.html</url>
|
|
<url>http://mail.gnome.org/archives/xml/2004-February/msg00070.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-08</discovery>
|
|
<entry>2004-02-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cc0fb686-6550-11d8-80e3-0020ed76ef5a">
|
|
<topic>file disclosure in phpMyAdmin</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><le>2.5.4</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Lack of proper input validation in phpMyAdmin may allow an
|
|
attacker to obtain the contents of any file on the target
|
|
system that is readable by the web server.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0129</cvename>
|
|
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=107582619125932&w=2</mlist>
|
|
<url>http://cvs.sourceforge.net/viewcvs.py/phpmyadmin/phpMyAdmin/export.php#rev2.3.2.1</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-17</discovery>
|
|
<entry>2004-02-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="87cc48fd-5fdd-11d8-80e3-0020ed76ef5a">
|
|
<topic>mnGoSearch buffer overflow in UdmDocToTextBuf()</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mnogosearch</name>
|
|
<range><ge>3.2.*</ge><lt>3.2.15</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jedi/Sector One <j@pureftpd.org> reported the following
|
|
on the full-disclosure list:</p>
|
|
<blockquote>
|
|
<p>Every document is stored in multiple parts according to
|
|
its sections (description, body, etc) in databases. And
|
|
when the content has to be sent to the client,
|
|
UdmDocToTextBuf() concatenates those parts together and
|
|
skips metadata.</p>
|
|
<p>Unfortunately, that function lacks bounds checking and
|
|
a buffer overflow can be triggered by indexing a large
|
|
enough document.</p>
|
|
<p>'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c
|
|
. S->val length depends on the length of the original
|
|
document and on the indexer settings (the sample
|
|
configuration file has low limits that work around the
|
|
bug, though).</p>
|
|
<p>Exploitation should be easy, moreover textbuf points to
|
|
the stack.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-February/017366.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-15</discovery>
|
|
<entry>2004-02-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cacaffbc-5e64-11d8-80e3-0020ed76ef5a">
|
|
<topic>GNU libtool insecure temporary file handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libtool</name>
|
|
<range><ge>1.3</ge><lt>1.3.5_2</lt></range>
|
|
<range><ge>1.4</ge><lt>1.4.3_3</lt></range>
|
|
<range><ge>1.5</ge><lt>1.5.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>libtool attempts to create a temporary directory in
|
|
which to write scratch files needed during processing. A
|
|
malicious user may create a symlink and then manipulate
|
|
the directory so as to write to files to which she normally
|
|
has no permissions.</p>
|
|
<p>This has been reported as a ``symlink vulnerability'',
|
|
although I do not think that is an accurate description.</p>
|
|
<p>This vulnerability could possibly be used on a multi-user
|
|
system to gain elevated privileges, e.g. root builds some
|
|
packages, and another user successfully exploits this
|
|
vulnerability to write to a system file.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405</mlist>
|
|
<mlist>http://www.securityfocus.com/archive/1/352333</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-01-30</discovery>
|
|
<entry>2004-02-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0e154a9c-5d7a-11d8-80e3-0020ed76ef5a">
|
|
<topic>seti@home remotely exploitable buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>setiathome</name>
|
|
<range><lt>3.0.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The seti@home client contains a buffer overflow in the HTTP
|
|
response handler. A malicious, spoofed seti@home server can
|
|
exploit this buffer overflow to cause remote code execution
|
|
on the client. Exploit programs are widely available.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://setiathome.berkeley.edu/version308.html</url>
|
|
<url>http://web.archive.org/web/20030609204812/http://spoor12.edup.tudelft.nl/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-04-08</discovery>
|
|
<entry>2004-02-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5e92e8a2-5d7b-11d8-80e3-0020ed76ef5a">
|
|
<topic>icecast 1.x multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>icecast</name>
|
|
<range><lt>1.3.12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>icecast 1.3.11 and earlier contained numerous security
|
|
vulnerabilities, the most severe allowing a remote attacker
|
|
to execute arbitrary code as root.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2002-0177</cvename>
|
|
<cvename>CVE-2001-1230</cvename>
|
|
<cvename>CVE-2001-1229</cvename>
|
|
<cvename>CVE-2001-1083</cvename>
|
|
<cvename>CVE-2001-0784</cvename>
|
|
<bid>4415</bid>
|
|
<bid>2933</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2002-04-28</discovery>
|
|
<entry>2004-02-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="83119e27-5d7c-11d8-80e3-0020ed76ef5a">
|
|
<topic>nap allows arbitrary file access</topic>
|
|
<affects>
|
|
<package>
|
|
<name>nap</name>
|
|
<range><lt>1.4.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>According to the author:</p>
|
|
<blockquote>
|
|
<p>Fixed security loophole which allowed remote
|
|
clients to access arbitrary files on our
|
|
system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://quasar.mathstat.uottawa.ca/~selinger/nap/NEWS</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2001-04-12</discovery>
|
|
<entry>2004-02-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a736deab-5d7d-11d8-80e3-0020ed76ef5a">
|
|
<topic>CCE contains exploitable buffer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zh-cce</name>
|
|
<range><lt>0.40</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Chinese Console Environment contains exploitable buffer
|
|
overflows.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://programmer.lib.sjtu.edu.cn/cce/cce.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2000-06-22</discovery>
|
|
<entry>2004-02-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="49ad1bf8-5d7e-11d8-80e3-0020ed76ef5a">
|
|
<topic>ChiTeX/ChiLaTeX unsafe set-user-id root</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zh-chitex</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Niels Heinen reports that ChiTeX installs set-user-id root
|
|
executables that invoked system(3) without setting up the
|
|
environment, trivially allowing local root compromise.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://cvsweb.freebsd.org/ports/chinese/chitex/Attic/Makefile?rev=1.5&content-type=text/x-cvsweb-markup</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-04-25</discovery>
|
|
<entry>2004-02-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5789a92e-5d7f-11d8-80e3-0020ed76ef5a">
|
|
<topic>pine remotely exploitable buffer overflow in newmail.c</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zh-pine</name>
|
|
<name>iw-pine</name>
|
|
<name>pine</name>
|
|
<name>pine4-ssl</name>
|
|
<range><le>4.21</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Kris Kennaway reports a remotely exploitable buffer overflow
|
|
in newmail.c. Mike Silbersack submitted the fix.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/pine4/Makefile?rev=1.43&content-type=text/x-cvsweb-markup</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2000-09-29</discovery>
|
|
<entry>2004-02-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="34134fd4-5d81-11d8-80e3-0020ed76ef5a">
|
|
<topic>pine insecure URL handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pine</name>
|
|
<name>zh-pine</name>
|
|
<name>iw-pine</name>
|
|
<range><lt>4.44</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An attacker may send an email message containing a specially
|
|
constructed URL that will execute arbitrary commands when
|
|
viewed.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-02:05.pine</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2002-01-04</discovery>
|
|
<entry>2004-02-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5abfee2d-5d82-11d8-80e3-0020ed76ef5a">
|
|
<topic>pine remote denial-of-service attack</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pine</name>
|
|
<name>zh-pine</name>
|
|
<name>iw-pine</name>
|
|
<range><lt>4.50</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An attacker may send a specially-formatted email message
|
|
that will cause pine to crash.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=103668430620531&w=2</mlist>
|
|
<cvename>CVE-2002-1320</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2002-10-23</discovery>
|
|
<entry>2004-02-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="39bd57e6-5d83-11d8-80e3-0020ed76ef5a">
|
|
<topic>pine remotely exploitable vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pine</name>
|
|
<name>zh-pine</name>
|
|
<name>iw-pine</name>
|
|
<range><lt>4.58</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Pine versions prior to 4.58 are affected by two
|
|
vulnerabilities discovered by iDEFENSE, a buffer overflow
|
|
in mailview.c and an integer overflow in strings.c. Both
|
|
vulnerabilities can result in arbitrary code execution
|
|
when processing a malicious message.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0720</cvename>
|
|
<cvename>CVE-2003-0721</cvename>
|
|
<url>http://www.idefense.com/application/poi/display?id=5</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-09-10</discovery>
|
|
<entry>2004-02-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5729b8ed-5d75-11d8-80e3-0020ed76ef5a">
|
|
<topic>rsync buffer overflow in server mode</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rsync</name>
|
|
<range><lt>2.5.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>When rsync is run in server mode, a buffer overflow could
|
|
allow a remote attacker to execute arbitrary code with the
|
|
privileges of the rsync server. Anonymous rsync servers are
|
|
at the highest risk.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0962</cvename>
|
|
<mlist>http://lists.samba.org/archive/rsync-announce/2003/000011.html</mlist>
|
|
<url>http://rsync.samba.org/#security</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-12-04</discovery>
|
|
<entry>2004-02-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3388eff9-5d6e-11d8-80e3-0020ed76ef5a">
|
|
<topic>Samba 3.0.x password initialization bug</topic>
|
|
<affects>
|
|
<package>
|
|
<name>samba</name>
|
|
<range><ge>3.0,1</ge><lt>3.0.1_2,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>From the Samba 3.0.2 release notes:</p>
|
|
<blockquote cite="http://www.samba.org/samba/whatsnew/samba-3.0.2.html">
|
|
<p>Security Announcement: It has been confirmed that
|
|
previous versions of Samba 3.0 are susceptible to a password
|
|
initialization bug that could grant an attacker unauthorized
|
|
access to a user account created by the mksmbpasswd.sh shell
|
|
script.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.samba.org/samba/whatsnew/samba-3.0.2.html</url>
|
|
<cvename>CVE-2004-0082</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-09</discovery>
|
|
<entry>2004-02-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="67c05283-5d62-11d8-80e3-0020ed76ef5a">
|
|
<topic>Buffer overflow in Mutt 1.4</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mutt</name>
|
|
<name>ja-mutt</name>
|
|
<range><ge>1.4</ge><lt>1.4.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Mutt 1.4 contains a buffer overflow that could be exploited
|
|
with a specially formed message, causing Mutt to crash or
|
|
possibly execute arbitrary code.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-0078</cvename>
|
|
<url>http://www.mutt.org/news.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-11</discovery>
|
|
<entry>2004-02-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7557a2b1-5d63-11d8-80e3-0020ed76ef5a">
|
|
<topic>Apache-SSL optional client certificate vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache+ssl</name>
|
|
<range><lt>1.3.29.1.53</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>From the Apache-SSL security advisory:</p>
|
|
<blockquote>
|
|
<p>If configured with SSLVerifyClient set to 1 or 3 (client
|
|
certificates optional) and SSLFakeBasicAuth, Apache-SSL
|
|
1.3.28+1.52 and all earlier versions would permit a
|
|
client to use real basic authentication to forge a client
|
|
certificate.</p>
|
|
|
|
<p>All the attacker needed is the "one-line DN" of a valid
|
|
user, as used by faked basic auth in Apache-SSL, and the
|
|
fixed password ("password" by default).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.apache-ssl.org/advisory-20040206.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-02-06</discovery>
|
|
<entry>2004-02-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="96ba2dae-4ab0-11d8-96f2-0020ed76ef5a">
|
|
<topic>L2TP, ISAKMP, and RADIUS parsing vulnerabilities in tcpdump</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tcpdump</name>
|
|
<range><lt>3.8.1_351</lt></range>
|
|
</package>
|
|
<system>
|
|
<name>FreeBSD</name>
|
|
<range><lt>5.2.1</lt></range>
|
|
</system>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jonathan Heusser discovered vulnerabilities in tcpdump's
|
|
L2TP, ISAKMP, and RADIUS protocol handlers. These
|
|
vulnerabilities may be used by an attacker to crash a running
|
|
`tcpdump' process.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0989</cvename>
|
|
<cvename>CVE-2003-1029</cvename>
|
|
<cvename>CVE-2004-0057</cvename>
|
|
<mlist>http://www.tcpdump.org/lists/workers/2003/12/msg00083.html</mlist>
|
|
<mlist>http://marc.theaimsgroup.com/?l=tcpdump-workers&m=107325073018070&w=2</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-12-24</discovery>
|
|
<entry>2004-01-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fd376b8b-41e1-11d8-b096-0020ed76ef5a">
|
|
<topic>Buffer overflow in INN control message handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>inn</name>
|
|
<range><ge>2.4.*</ge><lt>2.4.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>inn-stable</name>
|
|
<range><lt>20031022_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A small, fixed-size stack buffer is used to construct a
|
|
filename based on a received control message. This could
|
|
result in a stack buffer overflow.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist msgid="87d69v7222.fsf@windlord.stanford.edu">http://marc.theaimsgroup.com/?l=inn-workers&m=107351974008605</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-01-07</discovery>
|
|
<entry>2004-01-08</entry>
|
|
<modified>2004-10-21</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cf0fb426-3f96-11d8-b096-0020ed76ef5a">
|
|
<topic>ProFTPD ASCII translation bug resulting in remote root compromise</topic>
|
|
<affects>
|
|
<package>
|
|
<name>proftpd</name>
|
|
<range><lt>1.2.8_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A buffer overflow exists in the ProFTPD code that handles
|
|
translation of newline characters during ASCII-mode file
|
|
uploads. An attacker may exploit this buffer overflow by
|
|
uploading a specially crafted file, resulting in code
|
|
execution and ultimately a remote root compromise.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://xforce.iss.net/xforce/alerts/id/154</url>
|
|
<cvename>CVE-2003-0831</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-09-23</discovery>
|
|
<entry>2004-01-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="81313647-2d03-11d8-9355-0020ed76ef5a">
|
|
<topic>ElGamal sign+encrypt keys created by GnuPG can be compromised</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnupg</name>
|
|
<range><ge>1.0.2</ge><lt>1.2.3_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Any ElGamal sign+encrypt keys created by GnuPG contain a
|
|
cryptographic weakness that may allow someone to obtain
|
|
the private key. <strong>These keys should be considered
|
|
unusable and should be revoked.</strong></p>
|
|
<p>The following summary was written by Werner Koch, GnuPG
|
|
author:</p>
|
|
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html">
|
|
<p>Phong Nguyen identified a severe bug in the way GnuPG
|
|
creates and uses ElGamal keys for signing. This is
|
|
a significant security failure which can lead to a
|
|
compromise of almost all ElGamal keys used for signing.
|
|
Note that this is a real world vulnerability which will
|
|
reveal your private key within a few seconds.</p>
|
|
<p>...</p>
|
|
<p>Please <em>take immediate action and revoke your ElGamal
|
|
signing keys</em>. Furthermore you should take whatever
|
|
measures necessary to limit the damage done for signed or
|
|
encrypted documents using that key.</p>
|
|
<p>Note that the standard keys as generated by GnuPG (DSA
|
|
and ElGamal encryption) as well as RSA keys are NOT
|
|
vulnerable. Note also that ElGamal signing keys cannot
|
|
be generated without the use of a special flag to enable
|
|
hidden options and even then overriding a warning message
|
|
about this key type. See below for details on how to
|
|
identify vulnerable keys.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0971</cvename>
|
|
<mlist>http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-11-27</discovery>
|
|
<entry>2003-12-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="96fdbf5b-2cfd-11d8-9355-0020ed76ef5a">
|
|
<topic>Mathopd buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mathopd</name>
|
|
<range><lt>1.4p2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Mathopd contains a buffer overflow in the prepare_reply()
|
|
function that may be remotely exploitable.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.mail-archive.com/mathopd%40mathopd.org/msg00136.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-12-04</discovery>
|
|
<entry>2003-12-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d7af61c8-2cc0-11d8-9355-0020ed76ef5a">
|
|
<topic>lftp HTML parsing vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>lftp</name>
|
|
<range><le>2.6.10</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A buffer overflow exists in lftp which may be triggered when
|
|
requesting a directory listing from a malicious server over
|
|
HTTP.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2003-0963</cvename>
|
|
<url>http://lftp.yar.ru/news.html#2.6.10</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-12-11</discovery>
|
|
<entry>2003-12-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ebdf65c7-2ca6-11d8-9355-0020ed76ef5a">
|
|
<topic>qpopper format string vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>qpopper</name>
|
|
<range><lt>2.53_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>An authenticated user may trigger a format string
|
|
vulnerability present in qpopper's UIDL code, resulting
|
|
in arbitrary code execution with group ID `mail'
|
|
privileges.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>1241</bid>
|
|
<cvename>CVE-2000-0442</cvename>
|
|
<url>http://www.netsys.com/suse-linux-security/2000-May/att-0137/01-b0f5-Qpopper.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2000-05-23</discovery>
|
|
<entry>2003-12-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="af0296be-2455-11d8-82e5-0020ed76ef5a">
|
|
<topic>Fetchmail address parsing vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fetchmail</name>
|
|
<range><le>6.2.0</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Fetchmail can be crashed by a malicious email message.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://security.e-matters.de/advisories/052002.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-10-25</discovery>
|
|
<entry>2003-10-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2bcd2d24-24ca-11d8-82e5-0020ed76ef5a">
|
|
<topic>Buffer overflow in pam_smb password handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pam_smb</name>
|
|
<range><lt>1.9.9_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Applications utilizing pam_smb can be compromised by
|
|
any user who can enter a password. In many cases,
|
|
this is a remote root compromise.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.skynet.ie/~airlied/pam_smb/</url>
|
|
<cvename>CVE-2003-0686</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-10-25</discovery>
|
|
<entry>2003-10-25</entry>
|
|
<modified>2003-10-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c4b7badf-24ca-11d8-82e5-0020ed76ef5a">
|
|
<topic>Buffer overflows in libmcrypt</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libmcrypt</name>
|
|
<range><lt>2.5.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>libmcrypt does incomplete input validation, leading to
|
|
several buffer overflows. Additionally,
|
|
a memory leak is present. Both of these problems may be
|
|
exploited in a denial-of-service attack.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=104162752401212&w=2</mlist>
|
|
<cvename>CVE-2003-0031</cvename>
|
|
<cvename>CVE-2003-0032</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2003-10-25</discovery>
|
|
<entry>2003-10-25</entry>
|
|
<modified>2003-10-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6fd9a1e9-efd3-11d8-9837-000c41e2cdad">
|
|
<cancelled/>
|
|
</vuln>
|
|
|
|
<vuln vid="3362f2c1-8344-11d8-a41f-0020ed76ef5a">
|
|
<cancelled/>
|
|
</vuln>
|
|
|
|
<vuln vid="e3cf89f0-53da-11d9-92b7-ceadd4ac2edd">
|
|
<topic>phpbb -- arbitrary command execution and other vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpbb</name>
|
|
<range><lt>2.0.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The ChangeLog for phpBB 2.0.11 states:</p>
|
|
<blockquote cite="http://www.phpbb.com/support/documents.php?mode=changelog">
|
|
<p>Changes since 2.0.10</p>
|
|
<ul>
|
|
<li>Fixed vulnerability in highlighting code (<strong>very
|
|
high severity, please update your installation as soon
|
|
as possible</strong>)</li>
|
|
<li>Fixed unsetting global vars - <strong>Matt
|
|
Kavanagh</strong></li>
|
|
<li>Fixed XSS vulnerability in username handling
|
|
- <strong>AnthraX101</strong></li>
|
|
<li>Fixed not confirmed sql injection in username handling
|
|
- <strong>warmth</strong></li>
|
|
<li>Added check for empty topic id in topic_review
|
|
function</li>
|
|
<li>Added visual confirmation mod to code base</li>
|
|
</ul>
|
|
</blockquote>
|
|
<p>Additionally, a US-CERT Technical Cyber Security Alert reports:</p>
|
|
<blockquote cite="http://www.us-cert.gov/cas/techalerts/TA04-356A.html">
|
|
<p>phpBB contains an user input validation problem with
|
|
regard to the parsing of the URL. An intruder can deface a
|
|
phpBB website, execute arbitrary commands, or gain
|
|
administrative privileges on a compromised bulletin
|
|
board.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2004-1315</cvename>
|
|
<freebsdpr>ports/74106</freebsdpr>
|
|
<uscertta>TA04-356A</uscertta>
|
|
<certvu>497400</certvu>
|
|
<url>http://www.phpbb.com/support/documents.php?mode=changelog</url>
|
|
<mlist msgid="20041113030542.11396.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110029415208724</mlist>
|
|
<mlist msgid="20041118123055.28647.qmail@mail.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&m=110079436714518</mlist>
|
|
<url>http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2004-11-18</discovery>
|
|
<entry>2004-12-22</entry>
|
|
<modified>2005-01-24</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a395397c-c7c8-11d9-9e1e-c296ac722cb3">
|
|
<topic>squid -- possible abuse of cachemgr.cgi</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The squid patches page notes:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-cachemgr_conf">
|
|
<p>This patch adds access controls to the cachemgr.cgi script,
|
|
preventing it from being abused to reach other servers than
|
|
allowed in a local configuration file.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-1999-0710</cvename>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-cachemgr_conf</url>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1094</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>1999-07-29</discovery>
|
|
<entry>2005-05-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7e97b288-c7ca-11d9-9e1e-c296ac722cb3">
|
|
<topic>squid -- DNS lookup spoofing vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The squid patches page notes:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_query">
|
|
<p>Malicious users may spoof DNS lookups if the DNS client UDP port
|
|
(random, assigned by OS as startup) is unfiltered and your network
|
|
is not protected from IP spoofing.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2005-1519</cvename>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_reply</url>
|
|
<url>http://secunia.com/advisories/15294</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-05-11</discovery>
|
|
<entry>2005-05-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="55041d37-ff62-11d9-a9a5-000ae4641456">
|
|
<topic>jabberd -- 3 buffer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>jabberd</name>
|
|
<range><lt>2.0.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>There are 3 buffer overflows in jid.c that are triggered
|
|
during parsing of JID strings when components (user, host or
|
|
resource) are too long.</p>
|
|
<ol>
|
|
<li>jid.c, line 103: overflow in `str' buffer through
|
|
<code>strcpy()</code> when "user" part is too long.</li>
|
|
<li>jid.c, line 115: overflow in `str' buffer through
|
|
<code>strcpy()</code> when "host" part is too long.</li>
|
|
<li>jid.c, line 127: overflow in `str' buffer through
|
|
<code>strcpy()</code> when "resource" part is too
|
|
long.</li>
|
|
</ol>
|
|
<p>These overflows can be used to perform a DoS attack on the
|
|
server (sm process segfaults) and can possible be used for
|
|
arbitrary code execution.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://j2.openaether.org/bugzilla/show_bug.cgi?id=99</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-07-25</discovery>
|
|
<entry>2005-07-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="44e7764c-2614-11da-9e1e-c296ac722cb3">
|
|
<topic>squid -- possible denial of service condition regarding NTLM authentication</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><lt>2.5.10_6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The squid patches page notes:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-NTLM-scheme_assert">
|
|
<p>Squid may crash with the above error [FATAL: Incorrect scheme in auth header] when given certain request sentences.</p>
|
|
<p>Workaround: disable NTLM authentication.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14977</bid>
|
|
<cvename>CVE-2005-2917</cvename>
|
|
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1391</url>
|
|
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-NTLM-scheme_assert</url>
|
|
<url>http://secunia.com/advisories/16992/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-09-12</discovery>
|
|
<entry>2005-09-15</entry>
|
|
<modified>2005-10-02</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c6b9aee8-3071-11da-af18-000ae4641456">
|
|
<topic>phpmyfaq -- SQL injection, takeover, path disclosure, remote code execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpmyfaq</name>
|
|
<range><lt>1.5.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>If magic quotes are off there's a SQL injection when
|
|
sending a forgotten password. It's possible to overwrite
|
|
the admin password and to take over the whole system. In
|
|
some files in the admin section there are some cross site
|
|
scripting vulnerabilities. In the public frontend it's
|
|
possible to include arbitrary php files.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>14927</bid>
|
|
<bid>14928</bid>
|
|
<bid>14929</bid>
|
|
<bid>14930</bid>
|
|
<cvename>CVE-2005-3046</cvename>
|
|
<cvename>CVE-2005-3047</cvename>
|
|
<cvename>CVE-2005-3048</cvename>
|
|
<cvename>CVE-2005-3049</cvename>
|
|
<cvename>CVE-2005-3050</cvename>
|
|
<url>http://www.phpmyfaq.de/advisory_2005-09-23.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-09-23</discovery>
|
|
<entry>2005-09-29</entry>
|
|
</dates>
|
|
</vuln>
|
|
</vuxml>
|
|
<!-- Note: Please add new entries to the beginning of this file. -->
|