A flurry of kernel security fixes
April 26, 2006
This article was contributed by Jake Edge.
Over the last month, there have been eleven separate releases in the 2.6.16
stable kernel series, seven of which were single-patch releases for security
related issues. This flurry of security fixes would make one think that
there was a concerted effort by an individual or organization to try and
find kernel security problems, but that is not the case. It is entirely
coincidental that all of these fixes came about at around the same time.
A chronological look at each of these fixes gives a nice picture of the
diverse places that kernel developers are looking for bugs in general
and security bugs in particular.
Roughly a week after the original 2.6.16 release, the 2.6.16.1 release
contained 19 patches, including one that fixed
CVE-2006-1242.
Code had been put into the kernel in the 2.4 series to stop leaking
information in the form of fragment IDs in TCP packets that did not
require them. Packets that have the DF (don't fragment) bit set do
not need a fragment ID and eliminating that information is a
countermeasure to a technique called
idle scanning.
Unfortunately when the original change was made, the response to a
certain kind of packet (a SYN-ACK packet) was missed and that was
discovered in March.
The 2.6.16.2 release came out on 7 April and had a quite a few
fixes including a change
to the sysfs interface covered
by LWN two weeks ago.
On the 11th and 12th of April, there were 3 releases, each of which
included just one security fix. 2.6.16.3 is a fix for a bug that would
allow a user to oops the kernel by passing invalid arguments to the keyctl
utility
(CVE-2006-1522).
If the user specified a key as the target for an "add key" operation,
rather than a keyring, a invalid dereference in the kernel would result.
A call to BUG_ON() in the __group_complete_signal() function
(which is part of the RCU signal handling code)
"has unknown impact and attack vectors" and was patched as 2.6.16.4. If a
user process could cause the condition in the BUG_ON call, it could
oops the kernel and lead to a denial of service.
(CVE-2006-1523).
A difference in the way Intel and AMD 64-bit CPUs handle non-canonical return
addresses led to the 2.6.16.5 release. The Intel CPU reports the exception
on the SYSRET instruction which causes the kernel exception handler
to run using the user stack.
(CVE-2006-0744).
Kernel processing using a user created stack would seem rife with opportunities
for exploitation.
The 2.6.16.6 release came out a week later with another long
list of patches, two of which
have security implications. The m32r architecture had a bug in the
get_user and put_user macros that did not check the
address passed to them which would allow access outside of the process
address space.
A more widespread issue was addressed with a patch in this
release and then fixed in the 2.6.16.7 release later in the day.
The MADV_REMOVE vulnerability
(CVE-2006-1524) has been present in kernels since 2.4 and allows local users
to potentially bypass the access restrictions on a read-only attachment
of shared memory. The user process could call mprotect() and gain
write permission on a piece of memory even though the memory was
explicitly set to be read-only when shared via the shared memory IPC
mechanism.
Prior to 2.6.16.8, the kernel was vulnerable to users causing a kernel panic
by requesting a route for a multicast IP address
(CVE-2006-1525). Using a simple 'ip' command from the shell would cause a
null pointer dereference in ip_route_input and panic the kernel.
This is another example of a local denial of service vulnerability.
2.6.16.9 patches a problem that affected both Linux and FreeBSD kernels
running on AMD processors which would allow a malicious process running on
the same CPU to determine portions of the state of floating point
instructions in a target process. AMD had some
comments on the bug and
provided some background information on why they chose to implement the
FXRSTOR and FXSAVE instructions differently than they
are implemented in Intel processors. Essentially, these two instructions
do not save and restore all of the same registers as Intel does and this
allows information to leak from one process to another. The patch ensures
that the floating point state is constant between context switches on
affected processors.
(CVE-2006-1056)
Last on our tour of kernel security fixes is a patch made in 2.6.16.11
and released on Monday that
disallows backslashes in path components unless POSIX paths have been
negotiated. This change is for the CIFS (aka Samba) filesystem code;
one can only imagine the kinds of havoc one could cause by putting
backslashes (the standard Windows path separator) into CIFS paths.
This bug is
CVE-2006-1863,
but the CVE database just shows a placeholder page for that
number at the time of this writing.
Observant readers will have noticed that
we skipped over 2.6.16.10 as it was a release with quite a few patches, none
of which were noted as being security related.
As this laundry list of issues shows, there are a wide variety of places
that kernel bugs can impact security, but the many eyes of kernel developers
seem to be finding and fixing them. This process plays out in the open
and that can give competitors ammunition to claim that Linux is less
secure than certain proprietary systems. Reasonable people
would more likely come to the conclusion that Linux developers are much more
interested in finding these issues and fixing them. The kernel
community has no interest in hiding vulnerabilities or playing games
with security patch descriptions to make the OS look more secure. PR
considerations just do not seem to be on the radar of the technical
contributors and that is just as it should be.
Comments (2 posted)
New vulnerabilities
abc2ps: buffer overflows
| Package(s): | abc2ps abcmidi |
CVE #(s): | CVE-2006-1513
CVE-2006-1514
|
| Created: | April 25, 2006 |
Updated: | April 26, 2006 |
| Description: |
Erik Sjölund discovered that abc2ps, a translator for ABC music
description files into PostScript, does not check the boundaries when
reading in ABC music files resulting in buffer overflows.
The abcmidi-yaps utility suffers from similar problems. |
| Alerts: |
|
Comments (none posted)
beagle: command line injection
| Package(s): | beagle |
CVE #(s): | |
| Created: | April 21, 2006 |
Updated: | April 26, 2006 |
| Description: |
Chris Evans discovered that while indexing, Beagle will build certain
command lines in an insecure manner. When Beagle executes external
helper applications, it is possible to cause beagle to execute
arbitrary commands as the user running beagle. |
| Alerts: |
|
Comments (none posted)
ethereal: multiple vulnerabilities
Comments (none posted)
fbida: insecure temporary file creation
| Package(s): | fbida |
CVE #(s): | CVE-2006-1695
|
| Created: | April 24, 2006 |
Updated: | May 22, 2006 |
| Description: |
The fbgs script in the fbi package 2.01-1.4, when the TMPDIR environment
variable is not defined, allows local users to overwrite arbitrary files
via a symlink attack on temporary files in /var/tmp/fbps-[PID]. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-1056
CVE-2006-1525
CVE-2006-1524
CVE-2006-0744
CVE-2006-1522
CVE-2006-1055
|
| Created: | April 20, 2006 |
Updated: | May 4, 2006 |
| Description: |
Multiple kernel vulnerabilities have been fixed, including
an x87 information leak between processes, an ip_route_input panic,
a MADV_REMOVE vulnerability, an mprotect write permission problem,
insecure MPBL0010 driver sysfs permissions, an x86_64 force IRET issue,
RCU signal handling, a key addition oops, a sysfs write buffer issue
and more. |
| Alerts: |
|
Comments (none posted)
php: several vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2006-0996
CVE-2006-1494
CVE-2006-1608
|
| Created: | April 25, 2006 |
Updated: | May 24, 2006 |
| Description: |
There are several vulnerabilities in PHP v5.1.2 and earlier.
- A cross-site scripting (XSS) vulnerability in phpinfo (info.c) allows
remote attackers to inject arbitrary web script or HTML via long array
variables. (CVE-2006-0996)
- A directory traversal vulnerability in file.c allows local users to
bypass open_basedir restrictions and allows remote attackers to create
files in arbitrary directories via the tempnam function. (CVE-2006-1494)
- The copy function in file.c allows local users to bypass safe mode and
read arbitrary files via a source argument containing a compress.zlib://
URI. (CVE-2006-1608)
|
| Alerts: |
|
Comments (none posted)
ruby1.8: denial of service
| Package(s): | ruby1.8 |
CVE #(s): | CVE-2006-1931
|
| Created: | April 24, 2006 |
Updated: | May 10, 2006 |
| Description: |
The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which
allows attackers to cause a denial of service (blocked connections) via a
large amount of data. |
| Alerts: |
|
Comments (none posted)
xzgv: heap overflow
| Package(s): | xzgv |
CVE #(s): | CVE-2006-1060
|
| Created: | April 21, 2006 |
Updated: | June 12, 2006 |
| Description: |
Andrea Barisani of Gentoo Linux discovered xzgv and zgv allocate
insufficient memory when rendering images with more than 3 output
components, such as images using the YCCK or CMYK colour space. When
xzgv or zgv attempt to render the image, data from the image overruns a
heap allocated buffer. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2005-3352
|
| Created: | December 14, 2005 |
Updated: | May 10, 2006 |
| Description: |
Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: |
|
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
CVE #(s): | CVE-2005-4470
|
| Created: | January 6, 2006 |
Updated: | June 15, 2006 |
| Description: |
Damian Put discovered that Blender did not properly validate a 'length'
value in .blend files. Negative values led to an insufficiently sized
memory allocation. By tricking a user into opening a specially crafted
.blend file, this could be exploited to execute arbitrary code with the
privileges of the Blender user. |
| Alerts: |
|
Comments (none posted)
bsdgames: buffer overflow
| Package(s): | bsdgames |
CVE #(s): | CVE-2006-1744
|
| Created: | April 17, 2006 |
Updated: | April 19, 2006 |
| Description: |
A buffer overflow problem has been discovered in sail, a game contained
in the bsdgames package, a collection of classic textual Unix games, which
could lead to games group privilege escalation. |
| Alerts: |
|
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
CVE #(s): | CVE-2005-3863
|
| Created: | December 7, 2005 |
Updated: | August 29, 2006 |
| Description: |
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor. |
| Alerts: |
|
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | May 8, 2007 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
crossfire: arbitrary code execution
| Package(s): | crossfire |
CVE #(s): | CVE-2006-1010
|
| Created: | March 14, 2006 |
Updated: | April 24, 2006 |
| Description: |
It was discovered that Crossfire, a multiplayer adventure game, performs
insufficient bounds checking on network packets when run in "oldsocketmode",
which may possibly lead to the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
curl: heap-based buffer overflow
| Package(s): | curl |
CVE #(s): | CVE-2006-1061
|
| Created: | March 21, 2006 |
Updated: | June 28, 2006 |
| Description: |
Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows
remote attackers to execute arbitrary commands via a TFTP URL (tftp://)
with a valid hostname and a long path. |
| Alerts: |
|
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
| Alerts: |
|
Comments (none posted)
dia: buffer overflows
| Package(s): | dia |
CVE #(s): | CVE-2006-1550
|
| Created: | April 3, 2006 |
Updated: | May 3, 2006 |
| Description: |
Three buffer overflows were discovered in the Xfig file format importer.
By tricking a user into opening a specially crafted .fig file with dia, an
attacker could exploit this to execute arbitrary code with the user's
privileges. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
fcheck: insecure temporary file
| Package(s): | fcheck |
CVE #(s): | CVE-2006-1753
|
| Created: | April 17, 2006 |
Updated: | April 19, 2006 |
| Description: |
Steve Kemp from the Debian Security Audit project discovered that
a cronjob contained in fcheck, a file integrity checker, creates
a temporary file in an insecure fashion. |
| Alerts: |
|
Comments (none posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
CVE #(s): | CVE-2005-4348
|
| Created: | December 20, 2005 |
Updated: | May 27, 2006 |
| Description: |
Fetchmail contains a bug which allows a malicious mail server to crash the
client by sending a message without headers. This occurs when running in
multidrop mode. |
| Alerts: |
|
Comments (none posted)
firefox: multiple vulnerabilities
Comments (1 posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
freeradius: authentication bypass
| Package(s): | freeradius |
CVE #(s): | CVE-2006-1354
|
| Created: | March 24, 2006 |
Updated: | June 5, 2006 |
| Description: |
An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote
attackers to bypass authentication or cause a denial of service (server
crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state
machine module. |
| Alerts: |
|
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: |
|
Comments (5 posted)
gdm: improper file permissions
| Package(s): | gdm |
CVE #(s): | CVE-2006-1057
|
| Created: | April 19, 2006 |
Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: |
|
Comments (none posted)
gnupg: incorrect signature verification
| Package(s): | gnupg |
CVE #(s): | CVE-2006-0049
|
| Created: | March 13, 2006 |
Updated: | May 15, 2006 |
| Description: |
Another vulnerability has been found in
GnuPG. "Signature verification of non-detached signatures may give a
positive result but when extracting the signed data, this data may be
prepended or appended with extra data not covered by the signature. Thus
it is possible for an attacker to take any signed message and inject extra
arbitrary data." |
| Alerts: |
|
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
CVE #(s): | CVE-2005-3732
|
| Created: | December 1, 2005 |
Updated: | June 8, 2006 |
| Description: |
ipsec-tools has a remote
denial of service vulnerability in the racoon daemon.
If racoon is running in aggressive mode, it fails to check all peer
payloads during
When the daemon the IKE negotiation phase, allowing a malicious peer
to crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: |
|
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
CVE #(s): | CAN-2005-2494
|
| Created: | September 7, 2005 |
Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | November 27, 2006 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: |
|
Comments (none posted)
mailman: denial of service
| Package(s): | mailman |
CVE #(s): | CVE-2006-0052
|
| Created: | March 30, 2006 |
Updated: | June 9, 2006 |
| Description: |
Mailman 2.1.5 and below have a denial of service vulnerability
in the Scrubber.py script. If a maliciously created message
with a mime multi part format is received, mailman delivery
can be stopped. |
| Alerts: |
|
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
CVE #(s): | CVE-2005-4134
CVE-2006-0292
CVE-2006-0296
|
| Created: | February 2, 2006 |
Updated: | May 4, 2006 |
| Description: |
Mozilla has three new vulnerabilities.
The Javascript interpreter has a problem with
dereferencing objects. A user can visit a specially crafted web page
which can crash the browser or cause it to execute arbitrary code.
The XULDocument.persist() function has a bug that can be triggered by
viewing specially crafted web sites, RDF data can be injected into the
localstore.rdf file, allowing arbitrary javascript code to be executed.
The Mozilla history saving mechanism is vulnerable to a denial of
service attack, visiting sites with extra-long titles can cause a
crash or very slow startup the next time the browser is run. |
| Alerts: |
|
Comments (none posted)
Mozilla Thunderbird: remote code execution and DoS
| Package(s): | mozilla-thunderbird |
CVE #(s): | CVE-2006-0884
|
| Created: | March 3, 2006 |
Updated: | May 4, 2006 |
| Description: |
The WYSIWYG rendering engine in Mozilla Thunderbird 1.0.7 and earlier
allows user-complicit attackers to bypass javascript security settings and
obtain sensitive information or cause a crash via an e-mail containing a
javascript URI in the SRC attribute of an IFRAME tag, which is executed
when the user edits the e-mail. |
| Alerts: |
|
Comments (1 posted)
mplayer: integer overflows
| Package(s): | mplayer |
CVE #(s): | CVE-2006-1502
|
| Created: | April 9, 2006 |
Updated: | May 1, 2006 |
| Description: |
MPlayer 1.0pre7try2 has multiple integer overflow vulnerabilities.
Remote attackers can maliciously craft an ASF file or an AVI file
in order to cause a denial of service. |
| Alerts: |
|
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
CVE #(s): | CVE-2006-0903
|
| Created: | April 4, 2006 |
Updated: | May 21, 2008 |
| Description: |
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: |
|
Comments (2 posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
CVE #(s): | CAN-2005-0013
CAN-2005-0014
|
| Created: | January 31, 2005 |
Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013). |
| Alerts: |
|
Comments (none posted)
ntp: uses wrong gid
| Package(s): | ntp |
CVE #(s): | CAN-2005-2496
|
| Created: | August 26, 2005 |
Updated: | August 11, 2006 |
| Description: |
When starting xntpd with the -u option and specifying the
group by using a string not a numeric gid the daemon uses
the gid of the user not the group. This problem is now fixed
by this update. |
| Alerts: |
|
Comments (none posted)
openmotif: buffer overflows
| Package(s): | openmotif |
CVE #(s): | CVE-2005-3964
|
| Created: | December 29, 2005 |
Updated: | July 27, 2006 |
| Description: |
The libUil component of the OpenMotif toolkit has a pair of buffer
overflow vulnerabilities that can possibly be used for the execution
of arbitrary code.
|
| Alerts: |
|
Comments (none posted)
OpenSSH: double shell expansion
| Package(s): | openssh |
CVE #(s): | CVE-2006-0225
|
| Created: | January 23, 2006 |
Updated: | July 20, 2006 |
| Description: |
OpenSSH has a double shell expansion vulnerability in local to local and
remote to remote copy with scp. |
| Alerts: |
|
Comments (none posted)
openvpn: arbitrary code execution
| Package(s): | openvpn |
CVE #(s): | CVE-2006-1629
|
| Created: | April 11, 2006 |
Updated: | April 27, 2006 |
| Description: |
OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute
arbitrary code on the client by using setenv with the LD_PRELOAD
environment variable. |
| Alerts: |
|
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
CVE #(s): | CAN-2005-0155
CAN-2005-0156
|
| Created: | February 2, 2005 |
Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: |
|
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
CVE #(s): | CVE-2005-3310
CVE-2005-3415
CVE-2005-3416
CVE-2005-3417
CVE-2005-3418
CVE-2005-3419
CVE-2005-3420
CVE-2005-3536
CVE-2005-3537
|
| Created: | December 22, 2005 |
Updated: | February 11, 2008 |
| Description: |
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem. |
| Alerts: |
|
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpmyadmin |
CVE #(s): | CVE-2005-4079
CVE-2005-3665
|
| Created: | December 12, 2005 |
Updated: | November 20, 2006 |
| Description: |
Stefan Esser reported multiple vulnerabilities
found in phpMyAdmin. The $GLOBALS variable allows modifying the global
variable import_blacklist to open phpMyAdmin to local and remote file
inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9).
Furthermore, it is also possible to conduct an XSS attack via the
$HTTP_HOST variable and a local and remote file inclusion because the
contents of the variable are under total control of the attacker
(CVE-2005-3665, PMASA-2005-8). |
| Alerts: |
|
Comments (none posted)
pound: HTTP Request Smuggling Attack
| Package(s): | pound |
CVE #(s): | CVE-2005-3751
|
| Created: | January 10, 2006 |
Updated: | June 8, 2006 |
| Description: |
HTTP requests with conflicting Content-Length and Transfer-Encoding headers
could lead to HTTP Request Smuggling Attack, which can be exploited to
bypass packet filters or poison web caches. |
| Alerts: |
|
Comments (none posted)
Py2Play: remote execution of arbitrary Python code
