LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Wireless networking driver vulnerabilities
One of the major conveniences of wireless networking is its invisibility, but that is also one of its major weaknesses. A recent announcement of wireless driver flaws serves as a reminder that simply having a wireless card installed may be enough to allow unauthorized access. Unlike other network devices, there is no wire to remind the user that they may be making their computer vulnerable to malware.
Two security researchers used an open source tool called lorcon to send a large number of wireless packets to various wireless devices. They were looking to see if they could cause the drivers to fail when they received unexpected data. The result was that they found many flaws in the wireless drivers, including one that would allow a malicious user to take over a machine that was equipped with the vulnerable wireless card. Many of the driver flaws they found did not require that the user or wireless card actually be connected to the network to be exploited.
It is unclear whether this exploit is of concern to Linux users as the researchers are not releasing many details until their talk at the Black Hat conference on 2 August. It is clear, however, that this is an area that is ripe for exploitation on Linux as well as other platforms. Wireless cards do a lot of things invisibly in order to determine what other devices there are in the neighborhood and these actions are often completely outside of the control of the user.
Normally, open source drivers provide at least a path to quickly fix any security problems discovered -- unfortunately, this is not the case with many of the wireless drivers used on Linux systems. Wireless card manufacturers have so far been mostly unwilling to release enough information for kernel hackers to create full open source drivers for those devices. Because of this, many users are installing closed source drivers to access their wireless cards.
In some cases, users are installing Windows drivers and using NdisWrapper to link those into the Linux kernel. Because the wireless vendors are relatively likely to fix the windows drivers, this approach may provide a reasonably quick resolution to security problems. At least, that may be the case for currently-supported hardware, if the vulnerability does not originate in the interaction between the driver and ndiswrapper, and if the user knows to download and install the updated driver. It is likely that any closed source native Linux wireless driver would have a lower priority for a vendor to fix and therefore a security vulnerability might remain unpatched for a significant amount of time.
It is far better, of course, to use hardware which has open-source support. Vulnerabilities in open-source drivers should be fixed quickly, and those fixes will be made available by the distributor's package management system.
As wireless technology becomes more prevalent and more devices and protocols are deployed, it is clear that more exploits and vulnerabilities will be found. Italian researchers recently ran an experiment at the Milan airport to highlight the number of potentially exploitable Bluetooth devices they could find; in 23 hours were able to spot 1400 of them. Wireless manufacturers and standards committees do not seem to learn from the security flaws of the past and that will lead to exploits in the future.
New vulnerabilities
gimp: arbitrary code execution
| Package(s): | gimp | CVE #(s): | CVE-2006-3404 | |||||||||||||||||||||||||||||||||
| Created: | July 10, 2006 | Updated: | July 27, 2006 | |||||||||||||||||||||||||||||||||
| Description: | Henning Makholm discovered that gimp did not sufficiently validate the 'num_axes' parameter in XCF files. By tricking a user into opening a specially crafted XCF file with Gimp, an attacker could exploit this to execute arbitrary code with the user's privileges. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2006-2451 | |||||||||||||||||||||
| Created: | July 7, 2006 | Updated: | July 26, 2006 | |||||||||||||||||||||
| Description: | The Linux kernel, versions 2.6.13 through 2.6.17.3, has a privilege escalation vulnerability that is related to the handling of core dumps. Local users can create a program that can core dump to a directory that the user does not have permission to write to. This can be exploited for the use of a disk consumption denial of service attack, or the unauthorized gaining of root privileges. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
libmms: buffer overflows
| Package(s): | libmms | CVE #(s): | CVE-2006-2200 | |||||||||||||||||||||
| Created: | July 6, 2006 | Updated: | December 25, 2006 | |||||||||||||||||||||
| Description: | Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
ppp: privilege escalation
| Package(s): | ppp | CVE #(s): | CVE-2006-2194 | ||||||||||||
| Created: | July 6, 2006 | Updated: | August 14, 2006 | ||||||||||||
| Description: | Marcus Meissner discovered that the winbind plugin of pppd does not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes and enable the winbind plugin, a local attacker could exploit this to execute the winbind NTLM authentication helper as root. Depending on the local winbind configuration, this could potentially lead to privilege escalation. | ||||||||||||||
| Alerts: |
| ||||||||||||||
samba: memory exhaustion
| Package(s): | samba | CVE #(s): | CVE-2006-3403 | |||||||||||||||||||||||||||||||||
| Created: | July 11, 2006 | Updated: | July 26, 2006 | |||||||||||||||||||||||||||||||||
| Description: | The smbd daemon maintains internal data structures used track active connections to file and printer shares. In certain circumstances an attacker may be able to continually increase the memory usage of an smbd process by issuing a large number of share connection requests. This defect affects all Samba configurations, according to this advisory. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
shadow: privilege escalation
| Package(s): | passwd shadow | CVE #(s): | ||||
| Created: | July 6, 2006 | Updated: | July 12, 2006 | |||
| Description: | Ilja van Sprundel discovered that passwd, when called with the -f, -g, or -s option, did not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes, a local attacker could exploit this to execute chfn, gpasswd, or chsh with root privileges. | |||||
| Alerts: |
| |||||
SHOUTcast server: multiple vulnerabilities
| Package(s): | shoutcast | CVE #(s): | ||||
| Created: | July 10, 2006 | Updated: | July 12, 2006 | |||
| Description: | The SHOUTcast server is vulnerable to a file disclosure when the server receives a specially crafted GET request. Furthermore it also fails to sanitize the input passed to the "Description", "URL", "Genre", "AIM", and "ICQ" fields. It also has multiple cross-site scripting vulnerabilities. | |||||
| Alerts: |
| |||||
Updated vulnerabilities
ImageMagick: heap overflow vulnerability
| Package(s): | ImageMagick | CVE #(s): | CVE-2006-2440 | |||||||||
| Created: | May 25, 2006 | Updated: | September 5, 2006 | |||||||||
| Description: | The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If an maliciously created unexpanded glob is passed to ImageMagick, a heap overflow can result. | |||||||||||
| Alerts: |
| |||||||||||
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play | CVE #(s): | CAN-2005-2875 | |||||||||
| Created: | September 19, 2005 | Updated: | September 6, 2006 | |||||||||
| Description: | Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client. | |||||||||||
| Alerts: |
| |||||||||||
acroread: unspecified security problems
| Package(s): | acroread | CVE #(s): | CVE-2006-3093 | |||
| Created: | July 4, 2006 | Updated: | July 5, 2006 | |||
| Description: | Various unspecified security problems have been fixed in Acrobat Reader version 7.0.8. Adobe does not provide detailed information about the nature of the security problems. Therefore, it is necessary to assume that remote code execution is possible. | |||||
| Alerts: |
| |||||
asterisk: buffer overflow
| Package(s): | asterisk | CVE #(s): | CVE-2006-2898 | ||||||
| Created: | June 15, 2006 | Updated: | July 27, 2006 | ||||||
| Description: | The Asterisk PBX application has a buffer overflow vulnerability in the IAX2 channel driver that can be used for the remote execution of arbitrary code. | ||||||||
| Alerts: |
| ||||||||
binutils: buffer overflow
| Package(s): | binutils | CVE #(s): | CVE-2006-2362 | |||||||||
| Created: | May 27, 2006 | Updated: | August 29, 2006 | |||||||||
| Description: | The GNU Binutils has a buffer overflow vulnerability in libbfd. Maliciously crafted Tektronix Hex Format files with improper length characters can cause a crash and possibly lead to the execution of arbitrary code. | |||||||||||
| Alerts: |
| |||||||||||
busybox: insecure password generation
| Package(s): | busybox | CVE #(s): | CVE-2006-1058 | |||||||||
| Created: | May 5, 2006 | Updated: | May 2, 2007 | |||||||||
| Description: | The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time. | |||||||||||
| Alerts: |
| |||||||||||
bzip2: race condition and infinite loop
| Package(s): | bzip2 | CVE #(s): | CAN-2005-0953 CAN-2005-1260 | ||||||||||||||||||||||||
| Created: | May 17, 2005 | Updated: | January 10, 2007 | ||||||||||||||||||||||||
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
ktools: buffer overflow
| Package(s): | centericq | CVE #(s): | CVE-2005-3863 | |||||||||||||||
| Created: | December 7, 2005 | Updated: | August 29, 2006 | |||||||||||||||
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
courier: denial of service
| Package(s): | courier | CVE #(s): | CVE-2006-2659 | |||||||||
| Created: | June 9, 2006 | Updated: | August 4, 2006 | |||||||||
| Description: | A denial of service vulnerability has been found in the function for encoding email addresses. Addresses containing a '=' before the '@' character caused the Courier to hang in an endless loop, rendering the service unusable. | |||||||||||
| Alerts: |
| |||||||||||
cpio: arbitrary code execution
| Package(s): | cpio | CVE #(s): | CVE-2005-4268 | |||||||||
| Created: | January 2, 2006 | Updated: | May 8, 2007 | |||||||||
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). | |||||||||||
| Alerts: |
| |||||||||||
vixie-cron: privilege escalation
| Package(s): | cron | CVE #(s): | CVE-2006-2607 | ||||||||||||
| Created: | May 31, 2006 | Updated: | July 13, 2006 | ||||||||||||
| Description: | The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl | CVE #(s): | CVE-2006-1721 | ||||||||||||||||||||||||
| Created: | April 21, 2006 | Updated: | September 4, 2007 | ||||||||||||||||||||||||
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
freetype: integer overflows
| Package(s): | freetype | CVE #(s): | CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 8, 2006 | Updated: | October 10, 2007 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gdb: multiple vulnerabilities
| Package(s): | gdb | CVE #(s): | CAN-2005-1704 CAN-2005-1705 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 20, 2005 | Updated: | August 11, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gdm: improper file permissions
| Package(s): | gdm | CVE #(s): | CVE-2006-1057 | |||||||||||||||
| Created: | April 19, 2006 | Updated: | May 2, 2007 | |||||||||||||||
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
gnupg: remote denial of service
| Package(s): | gnupg | CVE #(s): | CVE-2006-3082 | |||||||||||||||||||||||||||||||||
| Created: | June 21, 2006 | Updated: | July 28, 2006 | |||||||||||||||||||||||||||||||||
| Description: | A vulnerability was discovered in GnuPG 1.4.3 and 1.9.20 (and earlier) that could allow a remote attacker to cause gpg to crash and possibly overwrite memory via a message packet with a large length. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
gzip: arbitrary command execution
| Package(s): | gzip | CVE #(s): | CAN-2005-0758 | |||||||||||||||||||||
| Created: | August 1, 2005 | Updated: | January 9, 2007 | |||||||||||||||||||||
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Hashcash: possible heap overflow
| Package(s): | hashcash | CVE #(s): | CVE-2006-3251 | ||||||
| Created: | June 27, 2006 | Updated: | July 21, 2006 | ||||||
| Description: | Andreas Seltenreich has reported a possible heap overflow in the array_push() function in hashcash.c, as a result of an incorrect amount of allocated memory for the "ARRAY" structure. | ||||||||
| Alerts: |
| ||||||||
kdebase: local root vulnerability
| Package(s): | kdebase | CVE #(s): | CAN-2005-2494 | |||||||||||||||
| Created: | September 7, 2005 | Updated: | August 11, 2006 | |||||||||||||||
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kdebase: privilege escalation
| Package(s): | kdebase | CVE #(s): | CVE-2006-2449 | |||||||||||||||||||||||||||||||||||||||
| Created: | June 15, 2006 | Updated: | August 28, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | The KDE Display Manager(KDM) is vulnerable to a local symlink attack. A local user can use this to read arbitrary files that they do not have permission to access. See this KDE advisory for more information. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite | CVE #(s): | CAN-2005-1920 | |||||||||||||||||||||
| Created: | July 19, 2005 | Updated: | November 27, 2006 | |||||||||||||||||||||
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 CVE-2006-2275 CVE-2006-1864 | |||||||||||||||||||||
| Created: | May 12, 2006 | Updated: | July 13, 2006 | |||||||||||||||||||||
| Description: | Multiple vulnerabilities in the Linux have been found.
| |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2006-2934 | |||||||||
| Created: | July 5, 2006 | Updated: | July 7, 2006 | |||||||||
| Description: | The netfilter SCTP connection tracking code can crash when faced with a "packet without chunks." This vulnerability was fixed in the 2.6.17.3 kernel release. | |||||||||||
| Alerts: |
| |||||||||||
kernel: netfilter memory corruption
| Package(s): | kernel | CVE #(s): | CVE-2006-2444 | ||||||||||||
| Created: | May 25, 2006 | Updated: | July 5, 2006 | ||||||||||||
| Description: | The 2.6.12 kernel has a remote memory corruption vulnerability that can be remotely triggered by loading the ip_nat_snmp_basic module and traffic is network-translated on port 161 or 162. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2006-2445 CVE-2006-2448 CVE-2006-3085 | |||||||||||||||
| Created: | June 23, 2006 | Updated: | August 11, 2006 | |||||||||||||||
| Description: | There is a race condition error in the "posix-cpu-timers.c" script that
does not prevent another CPU from attaching the timer to an exiting
process. This could be exploited by attackers to cause a denial of
service.
A flaw due to errors in "powerpc/kernel/signal_32.c" and "powerpc/kernel/signal_32.c" could allow userspace to provoke a machine check on 32-bit kernels. An infinite loop in "netfilter/xt_sctp.c" could be exploited by attackers to exhaust all available memory resources, creating a denial of service condition. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kernel: information disclosure
| Package(s): | kernel | CVE #(s): | CVE-2006-1343 | ||||||||||||||||||
| Created: | May 31, 2006 | Updated: | July 20, 2006 | ||||||||||||||||||
| Description: | The 2.6 kernel netfilter code contains an information leak; this vulnerability has been fixed in the 2.6.16.19 release. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
kiax: arbitrary code execution
| Package(s): | kiax | CVE #(s): | CVE-2006-2923 | |||
| Created: | June 30, 2006 | Updated: | July 5, 2006 | |||
| Description: | The iax_net_read function in the iaxclient library fails to properly handle IAX2 packets with truncated full frames or mini-frames. These frames are detected in a length check but processed anyway, leading to buffer overflows. | |||||
| Alerts: |
| |||||
libgadu: memory alignment bug
| Package(s): | libgadu | CVE #(s): | CAN-2005-2370 | |||||||||
| Created: | July 29, 2005 | Updated: | June 25, 2007 | |||||||||
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service. | |||||||||||
| Alerts: |
| |||||||||||
libgd2: denial of service
| Package(s): | libgd2 | CVE #(s): | CVE-2006-2906 | |||||||||||||||
| Created: | June 14, 2006 | Updated: | January 16, 2007 | |||||||||||||||
| Description: | Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap | CVE #(s): | CAN-2005-2641 | ||||||||||||
| Created: | August 25, 2005 | Updated: | October 6, 2006 | ||||||||||||
| Description: | libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass. | ||||||||||||||
| Alerts: |
| ||||||||||||||
libtiff: buffer overflow
| Package(s): | libtiff | CVE #(s): | CVE-2006-2193 | ||||||||||||||||||
| Created: | June 15, 2006 | Updated: | September 5, 2006 | ||||||||||||||||||
| Description: | The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
mozilla products have multiple vulnerabilities
| Package(s): | mozilla seamonkey firefox thunderbird | CVE #(s): | CVE-2006-2775 CVE-2006-2776 CVE-2006-2777 CVE-2006-2778 CVE-2006-2779 CVE-2006-2780 CVE-2006-2782 CVE-2006-2783 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786 CVE-2006-2787 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 5, 2006 | Updated: | August 2, 2006 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | There are multiple vulnerabilities in products based on Mozilla components, particularly Gecko. This CERT advisory contains details. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
mutt: IMAP namespace buffer overflow
| Package(s): | mutt | CVE #(s): | CVE-2006-3242 | |||||||||||||||||||||||||||||||||||||||
| Created: | June 28, 2006 | Updated: | October 24, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently check the validity of namespace strings. If an user connects to a malicious IMAP server, that server could exploit this to crash mutt or even execute arbitrary code with the privileges of the mutt user. See this Secunia advisory for more information. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
mysql: denial of service
| Package(s): | mysql | CVE #(s): | CVE-2006-3081 | |||||||||
| Created: | June 23, 2006 | Updated: | July 18, 2006 | |||||||||
| Description: | Mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and 5.1.x before 5.1.6 allows remote authorized users to cause a denial of service (crash) via a NULL second argument to the str_to_date function. | |||||||||||
| Alerts: |
| |||||||||||
MySQL: logging bypass
| Package(s): | mysql | CVE #(s): | CVE-2006-0903 | ||||||||||||
| Created: | April 4, 2006 | Updated: | May 21, 2008 | ||||||||||||
| Description: | MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query. | ||||||||||||||
| Alerts: |
| ||||||||||||||
ntp: uses wrong gid
| Package(s): | ntp | CVE #(s): | CAN-2005-2496 | |||||||||||||||
| Created: | August 26, 2005 | Updated: | August 11, 2006 | |||||||||||||||
| Description: | When starting xntpd with the -u option and specifying the group by using a string not a numeric gid the daemon uses the gid of the user not the group. This problem is now fixed by this update. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
openmotif: buffer overflows
| Package(s): | openmotif | CVE #(s): | CVE-2005-3964 | |||||||||
| Created: | December 29, 2005 | Updated: | July 27, 2006 | |||||||||
| Description: | The libUil component of the OpenMotif toolkit has a pair of buffer overflow vulnerabilities that can possibly be used for the execution of arbitrary code. | |||||||||||
| Alerts: |
| |||||||||||
openoffice.org: several vulnerabilities
| Package(s): | openoffice.org | CVE #(s): | CVE-2006-2198 CVE-2006-2199 CVE-2006-3117 | ||||||||||||||||||||||||||||||||||||
| Created: | June 30, 2006 | Updated: | January 4, 2007 | ||||||||||||||||||||||||||||||||||||
| Description: | Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite.
| ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
OpenSSH: double shell expansion
| Package(s): | openssh | CVE #(s): | CVE-2006-0225 | ||||||||||||||||||||||||||||||
| Created: | January 23, 2006 | Updated: | July 20, 2006 | ||||||||||||||||||||||||||||||
| Description: | OpenSSH has a double shell expansion vulnerability in local to local and remote to remote copy with scp. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
opera: integer overflow and SSL spoof
| Package(s): | opera | CVE #(s): | CVE-2006-3198 CVE-2006-3331 | |||
| Created: | July 3, 2006 | Updated: | July 5, 2006 | |||
| Description: | Opera before version 9.0 has an integer overflow vulnerability due to the improper handling of JPEG files. Also Opera did not reset the SSL security bar after displaying a download dialog from an SSL-enabled website, which could allow remote attackers to spoof a trusted SSL certificate from an untrusted website and facilitate phishing attacks. | |||||
| Alerts: |
| |||||
perl: setuid vulnerabilities
| Package(s): | perl | CVE #(s): | CAN-2005-0155 CAN-2005-0156 | ||||||||||||||||||||||||
| Created: | February 2, 2005 | Updated: | August 11, 2006 | ||||||||||||||||||||||||
| Description: | There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
php: multiple vulnerabilities
| Package(s): | php | CVE #(s): | CVE-2006-1990 CVE-2006-1991 CVE-2006-3017 | |||||||||||||||||||||||||||||||||
| Created: | May 25, 2006 | Updated: | August 18, 2006 | |||||||||||||||||||||||||||||||||
| Description: | The php wordwrap() function is vulnerable to an integer overflow.
Attackers can submit long arguments to cause a heap-based buffer
overflow, allowing arbitrary code execution.
PHP 5.x and PHP 4.4.2 have a problem with the substr_compare() function. An attacker can use an out-of-bounds offset argument to cause a memory access violation, causing a denial of service. A bug in zend_hash_del() allowed attackers to prevent unsetting of some variables | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
phpbb2: missing input sanitizing
| Package(s): | phpbb2 | CVE #(s): | CVE-2006-1896 | |||
| Created: | May 22, 2006 | Updated: | February 11, 2008 | |||
| Description: | It was discovered that phpbb2, a web based bulletin board, insufficiently sanitizes values passed to the "Font Color 3" setting, which might lead to the execution of injected code by admin users. | |||||
| Alerts: |
| |||||
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 | CVE #(s): | CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537 | |||
| Created: | December 22, 2005 | Updated: | February 11, 2008 | |||
| Description: | The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem. | |||||
| Alerts: |
| |||||
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpmyadmin | CVE #(s): | CVE-2005-4079 CVE-2005-3665 | ||||||||||||
| Created: | December 12, 2005 | Updated: | November 20, 2006 | ||||||||||||
| Description: | Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8). | ||||||||||||||
| Alerts: |
| ||||||||||||||
postgresql: SQL injection
| Package(s): | postgresql | CVE #(s): | CVE-2006-2313 CVE-2006-2314 | ||||||||||||||||||||||||||||||||||||
| Created: | May 24, 2006 | Updated: | June 6, 2007 | ||||||||||||||||||||||||||||||||||||
| Description: | The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a newly-discovered set of SQL injection issues. Details about the problem can be found on the technical information page; in short: multi-byte encodings can be used to defeat normal string sanitizing techniques. The update fixes one problem related to invalid multi-byte characters, but punts on another by simply disallowing the old, unsafe technique of escaping single quotes with a backslash. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||