Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
|
|
| |
|
| |
Security
Firefox security status
A major security
flaw in various
third-party extensions has given Firefox a bit
of a black eye even though the browser is not vulnerable. A number
of other issues in the browser itself caused a security release
which kept Firefox in the news. Unfortunately, after the release,
even more vulnerabilities were reported. One would have to guess that it has not
been the best week or so for the Firefox security team.
A large number of extensions - including toolbars for Google, Yahoo, Facebook
and others - are susceptible to a man-in-the-middle attack that allows
arbitrary code execution within the browser. The vulnerability exploits
the update mechanism built into the extensions by providing malicious code
as an update. An attacker that can control the DNS answers received by a
victim can redirect the update queries from the extensions to a server under
the attacker's control. The code provided gets installed, silently in many
cases; it will then run as part of the browser with all of the capabilities
of an extension.
Situations where one may not be able to trust the DNS answers received
are far more common than people realize. Using a public
or unencrypted wireless network is probably the most common vulnerable
situation, but home routers that have been subverted either
through a vulnerability or
because the owner never changed the default password can also leave an
opening for an attack. Because the extensions typically check for updates
frequently, there are lots of opportunities to provide them with bad code.
There are any number of nasty things that a browser extension can do:
keystroke logging, email reading, spamming, bank transfers, subscribing
to LWN.net, etc. This is truly a situation that one wants
to avoid. Vendors of these extensions have in many cases (with Google being
specifically called out in the vulnerability announcement) bypassed the
default Firefox prompt that would at least alert users that new code was
being installed. Users running those extensions have no defense and need to
delete them from the browser while awaiting a fix from the vendor.
The open source extensions that are available at
https://addons.mozilla.org are not
vulnerable because of the use of SSL to prevent an attacker's host
masquerading as the update server. The SSL certificate presented by
the attacker's server will not pass muster with the browser so the malicious
update will not be installed. This is the fix that the vulnerable
extensions will have to implement. It is not particularly technically
difficult, more of a logistics headache to roll out new code to millions
of users. It may also require some infrastructure improvements to be able
to support encrypted connections for that many users.
Millions of users at risk for all manner of browser mayhem may make the
fixes in the most recent
security
update pale
by comparison but there are some serious issues there as well. The most
important fix, rated as critical by Mozilla, fixes potentially
exploitable crashes in the layout and Javascript engines. There is also a
flaw that allows cross-site scripting using the
addEventListener Javascript call which Mozilla rates as
having a high impact.
A few days after the release, Michal Zalewski was up to his usual tricks by
reporting two vulnerabilities
in Firefox, one that he rates as a major vulnerability, the other as
medium. In both cases, various Javascript tricks can be used to make
the browser behave badly which is yet another reason to look into the
NoScript extension.
Thor Larholm also
had some bad news for the Firefox team shortly after the release when
he reported that a patch
that went into the 2.0.0.4 release only partially fixed the problem
for Windows platforms while doing nothing to prevent the problem for
Linux and other UNIX versions. The directory traversal vulnerability allows
any local files accessible to the browser user with the name known by
the attacker to be read via the resource:// URL handler.
The information in the file could then be transmitted to any site visited.
We can probably expect an update from the Firefox team for this particular
problem relatively soon.
Comments (19 posted)
Security news
Google: Web Server Software and Malware
Google has published the results of some research on web servers and malware. " It is very interesting to see that in China and South Korea, a malicious server is much more likely to be running IIS than Apache.
We suspect that the causes for IIS featuring more prominently in these countries could be due to a combination of factors: first, automatic updates have not been enabled due to software piracy, and second, some security patches are not available for pirated copies of Microsoft operating systems. For instance the patch for a commonly seen ADODB.Stream exploit is not available to pirated copies of Windows operating systems." So the problem may not be that the software is inherently less secure, but that its proprietary licensing cuts off many deployments from security updates.
Comments (7 posted)
New vulnerabilities
clamav: denial of service
| Package(s): | clamav |
CVE #(s): | CVE-2007-2650
|
| Created: | June 5, 2007 |
Updated: | July 20, 2007 |
| Description: |
A vulnerability in the OLE2 parser in ClamAV was found that could allow a
remote attacker to cause a denial of service via resource consumption with
a carefully crafted OLE2 file. |
| Alerts: |
|
Comments (none posted)
file: integer overflow
| Package(s): | file |
CVE #(s): | CVE-2007-2799
|
| Created: | June 1, 2007 |
Updated: | October 19, 2007 |
| Description: |
Colin Percival from FreeBSD reported that the previous fix for the
file_printf() buffer overflow introduced a new integer overflow. A remote
attacker could entice a user to run the file program on an overly large
file (more than 1Gb) that would trigger an integer overflow on 32-bit
systems, possibly leading to the execution of arbitrary code with the
rights of the user running file. |
| Alerts: |
|
Comments (3 posted)
firefox: multiple vulnerabilities
| Package(s): | firefox mozilla seamonkey thunderbird |
CVE #(s): | CVE-2007-1362
CVE-2007-2867
CVE-2007-2868
CVE-2007-2869
CVE-2007-2870
CVE-2007-2871
|
| Created: | June 4, 2007 |
Updated: | August 29, 2007 |
| Description: |
Various flaws were discovered in the layout and JavaScript engines. By
tricking a user into opening a malicious web page, an attacker could
execute arbitrary code with the user's privileges. (CVE-2007-2867,
CVE-2007-2868)
A flaw was discovered in the form autocomplete feature. By tricking a user
into opening a malicious web page, an attacker could cause a persistent
denial of service. (CVE-2007-2869)
Nicolas Derouet discovered flaws in cookie handling. By tricking a user
into opening a malicious web page, an attacker could force the browser to
consume large quantities of disk or memory while processing long cookie
paths. (CVE-2007-1362)
A flaw was discovered in the same-origin policy handling of the
addEventListener JavaScript method. A malicious web site could exploit
this to modify the contents, or steal confidential data (such as
passwords), of other web pages. (CVE-2007-2870)
Chris Thomas discovered a flaw in XUL popups. A malicious web site
could exploit this to spoof or obscure portions of the browser UI,
such as the location bar. (CVE-2007-2871) |
| Alerts: |
|
Comments (3 posted)
jasper: denial of service
| Package(s): | jasper |
CVE #(s): | CVE-2007-2721
|
| Created: | June 1, 2007 |
Updated: | November 6, 2007 |
| Description: |
The jpc_qcx_getcompparms function in jpc/jpc_cs.c could allow remote
user-assisted attackers to cause a denial of service (crash) and possibly
corrupt the heap via malformed image files. |
| Alerts: |
|
Comments (none posted)
lha: temporary file vulnerability
| Package(s): | lha |
CVE #(s): | CVE-2007-2030
|
| Created: | June 6, 2007 |
Updated: | June 6, 2007 |
| Description: |
The lha utility creates temporary files in an insecure manner, enabling symlink race attacks. |
| Alerts: |
|
Comments (1 posted)
libexif: integer overflow
| Package(s): | libexif |
CVE #(s): | CVE-2007-2645
|
| Created: | June 1, 2007 |
Updated: | February 11, 2008 |
| Description: |
Integer overflow in the exif_data_load_data_entry function in exif-data.c
in libexif before 0.6.14 allows user-assisted remote attackers to cause a
denial of service (crash) or possibly execute arbitrary code via crafted
EXIF data, involving the (1) doff or (2) s variable. |
| Alerts: |
|
Comments (none posted)
php: multiple vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2007-2872
CVE-2007-2756
|
| Created: | June 1, 2007 |
Updated: | January 29, 2008 |
| Description: |
According to a vendor release announcement multiple
security enhancements and fixes were fixed in version 5.2.3 of the
programming language PHP. |
| Alerts: |
|
Comments (none posted)
php-pear: directory traversal
| Package(s): | php-pear |
CVE #(s): | CVE-2007-2519
|
| Created: | June 5, 2007 |
Updated: | June 6, 2007 |
| Description: |
Directory traversal vulnerability in the installer in PEAR 1.0 through
1.5.3 allows user-assisted remote attackers to overwrite arbitrary files
via a .. (dot dot) sequence in the (1) install-as attribute in the file
element in package.xml 1.0 or the (2) as attribute in the install element
in package.xml 2.0. NOTE: it could be argued that this does not cross
privilege boundaries in typical installations, since the code being
installed could perform the same actions. |
| Alerts: |
|
Comments (none posted)
Sun JDK/JRE: multiple vulnerabilities
| Package(s): | Sun JDK/JRE |
CVE #(s): | CVE-2007-2435
CVE-2007-2788
CVE-2007-2789
|
| Created: | June 1, 2007 |
Updated: | April 18, 2008 |
| Description: |
An unspecified vulnerability involving an "incorrect use of system
classes" was reported by the Fujitsu security team. Additionally, Chris
Evans from the Google Security Team reported an integer overflow
resulting in a buffer overflow in the ICC parser used with JPG or BMP
files, and an incorrect open() call to /dev/tty when processing certain
BMP files. |
| Alerts: |
|
Comments (none posted)
wpa_supplicant: buffer overflow
| Package(s): | wpa_supplicant networkmanager |
CVE #(s): | |
| Created: | June 5, 2007 |
Updated: | June 6, 2007 |
| Description: |
A buffer overflow flaw was found in the debugging code of Fedora's version
of wpa_supplicant. This can be triggered by those using NetworkManager.
It is recommended that users of wpa_supplicant or NetworkManager update to
this package (and the accompanying NetworkManager packages) which removes
the affected debug code. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
| Alerts: |
|
Comments (none posted)
Asterisk: two SIP denial of service vulnerabilities
| Package(s): | Asterisk |
CVE #(s): | CVE-2007-1561
CVE-2007-1594
|
| Created: | April 3, 2007 |
Updated: | August 27, 2007 |
| Description: |
The Madynes research team at INRIA has discovered that Asterisk contains a
null pointer dereferencing error in the SIP channel when handling INVITE
messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to
properly handle SIP responses with return code 0. A remote attacker could
cause an Asterisk server listening for SIP messages to crash by sending a
specially crafted SIP message or answering with a 0 return code. |
| Alerts: |
|
Comments (none posted)
bind: denial of service
| Package(s): | bind |
CVE #(s): | CVE-2007-2241
|
| Created: | May 10, 2007 |
Updated: | June 8, 2007 |
| Description: |
ISC BIND 9.4.0 is vulnerable to a denial of service attack.
If recursion is enabled a remote attacker can use a special
sequence of queries to cause the daemon to exit. |
| Alerts: |
|
Comments (1 posted)
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
CVE #(s): | CVE-2006-5453
CVE-2006-5454
CVE-2006-5455
|
| Created: | November 10, 2006 |
Updated: | August 28, 2007 |
| Description: |
Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before
being passed back to users.
Users can gain unauthorized access to read attachment
descriptions while using diff mode.
HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users. |
| Alerts: |
|
Comments (none posted)
cups: denial of service
| Package(s): | cups |
CVE #(s): | CVE-2007-0720
|
| Created: | March 26, 2007 |
Updated: | February 7, 2008 |
| Description: |
Previous versions of the cups package could be forced to hang via a client
"partially negotiating" an ssl connection. In this state, cups would not
allow other connections to be made, a denial of service. |
| Alerts: |
|
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
| Alerts: |
|
Comments (none posted)
dovecot: directory traversal
| Package(s): | dovecot |
CVE #(s): | CVE-2007-2231
|
| Created: | May 8, 2007 |
Updated: | May 21, 2008 |
| Description: |
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot
before 1.0.rc29, when using the zlib plugin, allows remote attackers to
read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot)
sequence in the mailbox name. |
| Alerts: |
|
Comments (none posted)
elinks: code execution
| Package(s): | elinks |
CVE #(s): | CVE-2007-2027
|
| Created: | May 7, 2007 |
Updated: | June 7, 2007 |
| Description: |
Arnaud Giersch discovered that elinks incorrectly attempted to load
gettext catalogs from a relative path. If a user were tricked into
running elinks from a specific directory, a local attacker could execute
code with user privileges. |
| Alerts: |
|
Comments (none posted)
evolution: format string error
| Package(s): | evolution |
CVE #(s): | CVE-2007-1002
|
| Created: | March 27, 2007 |
Updated: | February 27, 2008 |
| Description: |
A format string error in the "write_html()" function in calendar/gui/
e-cal-component-memo-preview.c when displaying a memo's categories can
potentially be exploited to execute arbitrary code via a specially crafted
shared memo containing format specifiers. |
| Alerts: |
|
Comments (1 posted)
pop mail man-in-the-middle attacks
| Package(s): | evolution thunderbird mutt fetchmail |
CVE #(s): | CVE-2007-1558
|
| Created: | May 8, 2007 |
Updated: | August 7, 2007 |
| Description: |
The APOP protocol allows remote attackers to guess the first 3 characters
of a password via man-in-the-middle (MITM) attacks that use crafted message
IDs and MD5 collisions. NOTE: this design-level issue potentially affects
all products that use APOP, including (1) Thunderbird, (2) Evolution, (3)
mutt, and (4) fetchmail. |
| Alerts: |
|
Comments (none posted)
fail2ban: denial of service
| Package(s): | fail2ban |
CVE #(s): | CVE-2006-6302
|
| Created: | February 16, 2007 |
Updated: | July 30, 2007 |
| Description: |
fail2ban 0.7.4 and earlier does not properly parse sshd logs file, which
allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file
and cause a denial of service by adding arbitrary IP addresses to the sshd
log file, as demonstrated by logging in to ssh using a login name
containing certain strings with an IP address. |
| Alerts: |
|
Comments (3 posted)
file: arbitrary code execution
| Package(s): | file |
CVE #(s): | CVE-2007-1536
|
| Created: | March 22, 2007 |
Updated: | May 30, 2007 |
| Description: |
The "file" utility incorrectly checks the allocated heap memory size.
If a remote attacker can trick a user into looking at specially crafted
files with file, arbitrary code can be executed with the user's privileges. |
| Alerts: |
|
Comments (1 posted)
firefox: FTP PASV port-scanning
| Package(s): | firefox seamonkey |
CVE #(s): | CVE-2007-1562
|
| Created: | March 23, 2007 |
Updated: | June 4, 2007 |
| Description: |
According to this
advisory, the FTP protocol includes the PASV (passive) command which is
used by Firefox to request an alternate data port. The specification of the
FTP protocol allows the server response to include an alternate server
address as well, although this is rarely used in practice. |
| Alerts: |
|
Comments (1 posted)
freetype: arbitrary code execution
| Package(s): | freetype |
CVE #(s): | CVE-2007-2754
|
| Created: | May 24, 2007 |
Updated: | July 19, 2007 |
| Description: |
The Freetype font rendering library versions 2.3.4 and below
has an integer sign error. Remote attackers may be able to
create a specially crafted TrueType Font file with a negative
n_points value that will cause an integer overflow and heap-based
buffer overflow, allowing the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
CVE #(s): | CVE-2006-0747
CVE-2006-1861
CVE-2006-2493
CVE-2006-2661
CVE-2006-3467
|
| Created: | June 8, 2006 |
Updated: | October 10, 2007 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
| Alerts: |
|
Comments (none posted)
gcc: file overwrite vulnerability
| Package(s): | gcc |
CVE #(s): | CVE-2006-3619
|
| Created: | September 6, 2006 |
Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: |
|
Comments (none posted)
gd: buffer overflow
| Package(s): | gd |
CVE #(s): | CVE-2007-0455
|
| Created: | February 7, 2007 |
Updated: | February 28, 2008 |
| Description: |
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. |
| Alerts: |
|
Comments (2 posted)
gdb: buffer overflow
| Package(s): | gdb |
CVE #(s): | CVE-2006-4146
|
| Created: | September 15, 2006 |
Updated: | June 12, 2007 |
| Description: |
A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations. |
| Alerts: |
|
Comments (none posted)
gforge: arbitrary code execution
| Package(s): | gforge |
CVE #(s): | CVE-2007-0246
|
| Created: | May 24, 2007 |
Updated: | May 30, 2007 |
| Description: |
The CVS browsing interface from the Gforge collaborative
development tool does not properly escape URLs.
This can be used by an attacker to execute arbitrary shell commands
with the privileges of the www-data user. |
| Alerts: |
|
Comments (none posted)
gimp: arbitrary code execution
| Package(s): | gimp |
CVE #(s): | CVE-2007-2356
|
| Created: | May 1, 2007 |
Updated: | June 11, 2007 |
| Description: |
From this Secunia
advisory: "Marsu has discovered a vulnerability in Gimp, which
can be exploited by malicious people to compromise a user's system. The
vulnerability is caused due to an error within the "set_color_table()"
function in plug-ins/common/sunras.c. This can be exploited to cause a
stack-based buffer overflow by e.g. tricking a user into opening a
specially crafted .RAS file." |
| Alerts: |
|
Comments (3 posted)
gzip: multiple vulnerabilities
| Package(s): | gzip |
CVE #(s): | CVE-2006-4334
CVE-2006-4335
CVE-2006-4336
CVE-2006-4337
CVE-2006-4338
|
| Created: | September 19, 2006 |
Updated: | June 1, 2007 |
| Description: |
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. |
| Alerts: |
|
Comments (1 posted)
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith |
CVE #(s): | CVE-2006-6175
|
| Created: | January 17, 2007 |
Updated: | March 7, 2008 |
| Description: |
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user). |
| Alerts: |
|
Comments (none posted)
ImageMagick: integer overflows
| Package(s): | imagemagick |
CVE #(s): | CVE-2007-1797
|
| Created: | April 4, 2007 |
Updated: | April 17, 2008 |
| Description: |
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote
attackers to execute arbitrary code via (1) a crafted DCM image, which
results in a heap-based overflow in the ReadDCMImage function, or (2) the
(a) colors or (b) comments field in a crafted XWD image, which results in a
heap-based overflow in the ReadXWDImage function, different issues than
CVE-2007-1667. |
| Alerts: |
|
Comments (none posted)
imlib2: arbitrary code execution
| Package(s): | imlib2 |
CVE #(s): | CVE-2006-4806
CVE-2006-4807
CVE-2006-4808
CVE-2006-4809
|
| Created: | November 6, 2006 |
Updated: | August 13, 2007 |
| Description: |
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the
validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user
were tricked into viewing or processing a specially crafted image with
an application that uses imlib2, the flaws could be exploited to execute
arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
CVE #(s): | CVE-2007-1841
|
| Created: | April 10, 2007 |
Updated: | August 28, 2007 |
| Description: |
A flaw was discovered in the IPSec key exchange server "racoon". Remote
attackers could send a specially crafted packet and disrupt established
IPSec tunnels, leading to a denial of service. |
| Alerts: |
|
Comments (none posted)
java: multiple vulnerabilities
| Package(s): | java |
CVE #(s): | CVE-2006-4339
CVE-2006-4790
CVE-2006-6731
CVE-2006-6736
CVE-2006-6737
CVE-2006-6745
|
| Created: | January 18, 2007 |
Updated: | June 8, 2007 |
| Description: |
java has multiple vulnerabilities, these include:
an RSA exponent padding attack vulnerability, two vulnerabilities
which allow untrusted applets to access data in other applets,
vulnerabilities that involve applets gaining privileges due to
serialization bugs in the JRE and buffer overflows in the java image
handling routines that can give attackers read/write/execute capabilities
for local files. |
| Alerts: |
|
Comments (1 posted)
kdelibs: cross-site scripting
| Package(s): | kdelibs konqeror |
CVE #(s): | CVE-2007-0537
|
| Created: | February 5, 2007 |
Updated: | August 13, 2007 |
| Description: |
Konqueror 3.5.5 does not properly parse HTML comments, which allows remote
attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS
protection schemes by embedding certain HTML tags within a comment, a
related issue to CVE-2007-0478. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2007-1357
|
| Created: | April 16, 2007 |
Updated: | November 14, 2007 |
| Description: |
The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before
2.6.21, and possibly 2.4.x, allows remote attackers to cause a denial of
service (crash) via an AppleTalk frame that is shorter than the specified
length, which triggers a BUG_ON call when an attempt is made to perform a
checksum. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-5749
CVE-2006-4814
CVE-2006-6106
|
| Created: | January 5, 2007 |
Updated: | May 7, 2008 |
| Description: |
A security issue has been reported in Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in Linux kernel caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
Kernel data structures. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4623
|
| Created: | October 18, 2006 |
Updated: | November 14, 2007 |
| Description: |
The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2007-0005
CVE-2007-1000
|
| Created: | March 15, 2007 |
Updated: | November 14, 2007 |
| Description: |
The Linux kernel has a boundary error problem with the
Omnikey CardMan 4040 driver read and write functions. This can be used
to cause a buffer overflow and possible execution or arbitrary code with
kernel privileges.
The ipv6_getsockopt_sticky function in
net/ipv6/ipv6_sockglue.c is vulnerable to a NULL pointer dereference.
Local users can use this to crash the kernel or to disclose kernel
memory. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-0007
CVE-2007-0006
|
| Created: | February 15, 2007 |
Updated: | November 14, 2007 |
| Description: |
Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service
vulnerability. A remote attacker can cause the key_alloc_serial
function's key serial number collision avoidance code to have a
null dereference, resulting in a crash. |
| Alerts: |
|
Comments (1 posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4535
CVE-2006-4538
|
| Created: | September 18, 2006 |
Updated: | December 3, 2007 |
| Description: |
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538) |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2007-1861
CVE-2007-2242
|
| Created: | May 1, 2007 |
Updated: | February 8, 2008 |
| Description: |
The netlink protocol has an infinite recursion bug that allows users to
cause a kernel crash. Also the IPv6 protocol allows remote attackers to
cause a denial of service via crafted IPv6 type 0 route headers
(IPV6_RTHDR_TYPE_0) that create network amplification between two routers. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
CVE #(s): | CVE-2006-2936
|
| Created: | July 17, 2006 |
Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2007-0772
|
| Created: | February 23, 2007 |
Updated: | November 14, 2007 |
| Description: |
The Linux kernel before 2.6.20.1 allows remote attackers to cause a denial
of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free
of an incorrect pointer. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-5757
|
| Created: | November 13, 2006 |
Updated: | November 14, 2007 |
| Description: |
From the MOKB-05-11-2006
advisory: "The ISO9660 filesystem handling code of the Linux
2.6.x kernel fails to properly handle corrupted data structures, leading to
an exploitable denial of service condition. This particular vulnerability
seems to be caused by a race condition and a signedness issue. When
performing a read operation on a corrupted ISO9660 fs stream, the
isofs_get_blocks() function will enter an infinite loop when
__find_get_block_slow() callback from sb_getblk() fails ("due to various
races between file io on the block device and getblk")." |
| Alerts: |
|
|