Security news
The value of privacy policies
Most serious web sites post a privacy policy describing what the site's
owners will do with data collected from and about the site's users. For
users who are concerned about the spread of their personal information, a
strongly-written privacy policy can be a reassuring feature. A recent
court ruling, however, suggests that web privacy policies may not be worth
the paper they aren't printed on, at least some of the time.
Northwest Airlines was recently faced with a class-action lawsuit headed by
some of its customers, who were upset that the airline had provided
passenger name record (PNR) data to the U.S. government after the
September 11 attacks. The plaintiffs made several allegations,
including the violation of various laws and, crucially, breach of contract
as a result of Northwest's failure to live up to its privacy policy.
The policy reads, in part:
When you reserve or purchase travel services through Northwest
Airlines nwa.com Reservations, we provide only the relevant
information required by the car rental agency, hotel, or other
involved third party to ensure the successful fulfillment of your
travel arrangements.
There is nothing here about giving PNR data (which includes hotel and car
information, along with credit card numbers) to interested governmental
agencies. One might well conclude that the privacy policy has been
breached.
The court struck down the breach of contract claim, however. The reasoning
was:
The privacy statement on Northwest's website did not constitute a
unilateral contract. The language used vests discretion in
Northwest to determine when the information is "relevant" and which
"third parties" might need that information... Moreover, absent an
allegation that Plaintiffs actually read the privacy policy, not
merely the general allegation that Plaintiffs "relied on" the
policy, Plaintiffs have failed to allege an essential element of a
contract claim: that the alleged "offer" was accepted by
Plaintiffs.
The implications are clear: weasel words in a privacy statement can be used
against you. If you ever think you may want to take a site operator to
court for the violation of a privacy statement, you will, at a minimum,
have to be able to show that you read that statement before the violation
occurred. It seems unlikely that many potential plaintiffs in privacy
policy cases will be able to make that demonstration. Privacy policies,
thus, may not be worth a whole lot - at least, not in countries which lack
more general restrictions on the use of personal data.
(For the curious, the full ruling is available in PDF format).
Comments (3 posted)
Evans Data on Linux security
Evans Data has sent out
a
press release about a Linux security survey done by the company.
"
Ninety two percent of survey respondents indicated that their Linux
systems have never been infected with a virus, according to Evans Data's
new Summer 2004 Linux Development Survey." The PR lacks an answer
for the most interesting question, however: what, exactly, happened to the
other 8%?
Comments (28 posted)
New vulnerabilities
courier: cross-site scripting vulnerability
| Package(s): | courier |
CVE #(s): | CAN-2004-0591
|
| Created: | July 23, 2004 |
Updated: | August 4, 2004 |
| Description: |
The sqwebmail application has a cross-site scripting vulnerability.
An attacker can inject and execute a web mail script via an
email message. |
| Alerts: |
|
Comments (none posted)
mailreader: directory traversal vulnerability
| Package(s): | mailreader |
CVE #(s): | CAN-2002-1581
|
| Created: | July 23, 2004 |
Updated: | July 28, 2004 |
| Description: |
Mailreader has a directory traversal vulnerability. A remote attacker can
view arbitrary files with the privileges of the nph-mr.cgi process. |
| Alerts: |
|
Comments (none posted)
Pavuk: Digest authentication helper buffer overflow
| Package(s): | pavuk |
CVE #(s): | |
| Created: | July 26, 2004 |
Updated: | July 28, 2004 |
| Description: |
Pavuk contains several buffer overflow vulnerabilities in the code
handling digest authentication. An attacker could cause a buffer overflow,
leading to arbitrary code execution with the rights of the user running
Pavuk. These vulnerabilities have been fixed in pavuk-0.9.28-r3. |
| Alerts: |
|
Comments (none posted)
samba: potential buffer overruns
| Package(s): | samba |
CVE #(s): | CAN-2004-0600
CAN-2004-0686
|
| Created: | July 22, 2004 |
Updated: | September 2, 2004 |
| Description: |
According to this Samba advisory, Evgeny
Demidov discovered that the Samba SMB/CIFS server has a buffer overflow bug
in the Samba Web Administration Tool (SWAT) on decoding Base64 data during
HTTP Basic Authentication. Samba versions between 3.0.2 through 3.0.4 are
affected. (CAN-2004-0600)
Another buffer overflow bug has been located in the Samba code used to
support the "mangling method = hash" functionality. The default setting for
this parameter is "mangling method = hash2" and therefore Samba is not
vulnerable by default. Samba versions between 2.2.0 through 2.2.9 and 3.0.0
through 3.0.4 are affected. (CAN-2004-0686) |
| Alerts: |
|
Comments (1 posted)
sox: buffer overflow
| Package(s): | sox |
CVE #(s): | CAN-2004-0557
|
| Created: | July 28, 2004 |
Updated: | February 21, 2005 |
| Description: |
Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file. |
| Alerts: |
|
Comments (none posted)
subversion: access control bypass
| Package(s): | subversion |
CVE #(s): | |
| Created: | July 23, 2004 |
Updated: | July 28, 2004 |
| Description: |
Subversion has a vulnerability in the mod_authz_svn Apache
authentication module that can allow a local user to bypass
read restrictions in the repository. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
Apache mod_proxy: denial of service
| Package(s): | apache |
CVE #(s): | CAN-2004-0492
|
| Created: | June 11, 2004 |
Updated: | October 14, 2004 |
| Description: |
A buffer overflow vulnerability in the apache mod_proxy module
can be exploited to create a denial of service. |
| Alerts: |
|
Comments (none posted)
apache2: stack-based buffer overflow in ssl_util.c
| Package(s): | apache2 |
CVE #(s): | CAN-2004-0488
|
| Created: | June 1, 2004 |
Updated: | October 14, 2004 |
| Description: |
A stack-based buffer overflow exists in the ssl_util_uuencode_binary
function in ssl_util.c in Apache. When mod_ssl is configured to trust the
issuing CA, a remote attacker may be able to execute arbitrary code via a
client certificate with a long subject DN. |
| Alerts: |
|
Comments (none posted)
apache mod_ssl format string vulnerability
| Package(s): | apache mod_ssl |
CVE #(s): | |
| Created: | July 16, 2004 |
Updated: | August 6, 2004 |
| Description: |
Triggered by a report to Packet Storm from Virulent, a format string
vulnerability was found in mod_ssl, the Apache SSL/TLS interface to
OpenSSL, version (up to and including) 2.8.18 for Apache 1.3. The mod_ssl
in Apache 2.x is not affected. The vulnerability could be exploitable if
Apache is used as a proxy for HTTPS URLs and the attacker established a own
specially prepared DNS and origin server environment. |
| Alerts: |
|
Comments (none posted)
aspell: bounds checking problem
| Package(s): | aspell |
CVE #(s): | CAN-2004-0548
|
| Created: | June 17, 2004 |
Updated: | December 20, 2004 |
| Description: |
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker. |
| Alerts: |
|
Comments (none posted)
Ethereal: Multiple security problems
| Package(s): | ethereal |
CVE #(s): | CAN-2004-0633
CAN-2004-0634
CAN-2004-0635
|
| Created: | July 9, 2004 |
Updated: | August 19, 2004 |
| Description: |
There are multiple vulnerabilities in versions of Ethereal earlier than
0.10.5, including:
* In some cases the iSNS dissector could cause Ethereal to abort.
* If there was no policy name for a handle for SMB SID snooping it
could cause a crash.
* A malformed or missing community string could cause the SNMP
dissector to crash.
See this
advisory for more information. |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
flim: insecure file creation
| Package(s): | flim |
CVE #(s): | CAN-2004-0422
|
| Created: | May 5, 2004 |
Updated: | December 16, 2004 |
| Description: |
The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
Horde-IMP: improper input validation
| Package(s): | Horde-IMP |
CVE #(s): | |
| Created: | June 16, 2004 |
Updated: | August 10, 2004 |
| Description: |
An input validation error exists in Horde-IMP through version 3.2.4; a specially crafted message could be used to run scripts in the context of the target's browser. |
| Alerts: |
|
Comments (none posted)
iproute: local denial of service
| Package(s): | iproute net-tools |
CVE #(s): | CAN-2003-0856
|
| Created: | November 25, 2003 |
Updated: | December 14, 2004 |
| Description: |
The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
| Alerts: |
|
Comments (none posted)
racoon: failure to verify signatures
| Package(s): | ipsec-tools racoon |
CVE #(s): | CAN-2004-0155
|
| Created: | April 7, 2004 |
Updated: | August 19, 2004 |
| Description: |
Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
racoon: denial of service vulnerability
| Package(s): | ipsec-tools racoon iputils |
CVE #(s): | CAN-2004-0403
|
| Created: | April 26, 2004 |
Updated: | July 29, 2004 |
| Description: |
racoon does not check the length of ISAKMP headers. Attackers may be able
to craft an ISAKMP header of sufficient length to consume all available
system resources, causing a Denial of Service. This advisory contains additional
details. |
| Alerts: |
|
Comments (none posted)
kdelibs: cookie disclosure
| Package(s): | kdelibs |
CVE #(s): | CAN-2003-0592
|
| Created: | March 10, 2004 |
Updated: | August 24, 2004 |
| Description: |
kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. |
| Alerts: |
|
Comments (none posted)
kernel allows unauthorized changes to the group ID
| Package(s): | kernel |
CVE #(s): | CAN-2004-0497
|
| Created: | July 2, 2004 |
Updated: | September 27, 2004 |
| Description: |
During an audit of the Linux kernel, SUSE discovered a flaw that allowed
a user to make unauthorized changes to the group ID of files in certain
circumstances - such as when the files are exported via NFS. |
| Alerts: |
|
Comments (none posted)
kernel: netfilter denial of service
| Package(s): | kernel |
CVE #(s): | |
| Created: | June 30, 2004 |
Updated: | July 28, 2004 |
| Description: |
The netfilter code in 2.6 kernels through 2.6.7 is vulnerable to a remote denial of service attack - but only if filtering on the TCP options field has been enabled. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
l2tpd buffer overflow
| Package(s): | l2tpd |
CVE #(s): | CAN-2004-0649
|
| Created: | July 18, 2004 |
Updated: | July 22, 2004 |
| Description: |
Thomas Walpuski reported a buffer overflow in l2tpd, an implementation
of the layer 2 tunneling protocol, whereby a remote attacker could
potentially cause arbitrary code to be executed by transmitting a
specially crafted packet. The exploitability of this vulnerability
has not been verified. |
| Alerts: |
|
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | July 21, 2004 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
logcheck: symlink vulnerability
| Package(s): | logcheck |
CVE #(s): | CAN-2004-0404
|
| Created: | April 21, 2004 |
Updated: | December 22, 2004 |
| Description: |
The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
| Alerts: |
|
Comments (none posted)
mailman: password disclosure
| Package(s): | mailman |
CVE #(s): | CAN-2004-0412
|
| Created: | May 27, 2004 |
Updated: | July 20, 2004 |
| Description: |
In mailman versions above 2.1, third parties can retrieve
member passwords from the server. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mod_python: denial of service vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2003-0973
|
| Created: | January 27, 2004 |
Updated: | October 4, 2004 |
| Description: |
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability. |
| Alerts: |
|
Comments (none posted)
MoinMoin Group ACL Bypass
| Package(s): | moinmoin |
CVE #(s): | |
| Created: | July 12, 2004 |
Updated: | August 26, 2004 |
| Description: |
MoinMoin contains a flaw that may allow a malicious user to gain access to
unauthorized privileges. The issue is triggered when an attacker creates a
user with the same name as an administrative group. This flaw may lead to a
loss of integrity. See this osvdb
entry for additional information. |
| Alerts: |
|
Comments (none posted)
mozilla: multiple vulnerabilties
| Package(s): | mozilla |
CVE #(s): | CAN-2003-0594
CAN-2003-0564
|
| Created: | March 10, 2004 |
Updated: | August 19, 2004 |
| Description: |
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks. |
| Alerts: |
|
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
CVE #(s): | CAN-2003-0969
|
| Created: | January 6, 2004 |
Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming). |
| Alerts: |
|
Comments (none posted)
MySQL: temporary file vulnerabilities
| Package(s): | mysql |
CVE #(s): | CAN-2004-0381
CAN-2004-0388
|
| Created: | April 14, 2004 |
Updated: | August 18, 2004 |
| Description: |
The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system. |
| Alerts: |
|
Comments (none posted)
neon: buffer overflow
| Package(s): | neon |
CVE #(s): | CAN-2004-0398
|
| Created: | May 19, 2004 |
Updated: | September 30, 2004 |
| Description: |
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver). |
| Alerts: |
|
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
CVE #(s): | |
| Created: | May 27, 2003 |
Updated: | August 12, 2004 |
| Description: |
Some some vulnerabilities exsist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information. |
| Alerts: |
|
Comments (none posted)
netkit-telnet-ssl format string vulnerability
| Package(s): | netkit-telnet-ssl |
CVE #(s): | CAN-2004-0640
|
| Created: | July 18, 2004 |
Updated: | July 21, 2004 |
| Description: |
b0f discovered a format string vulnerability in netkit-telnet-ssl
which could potentially allow a remote attacker to cause the execution
of arbitrary code with the privileges of the telnet daemon (the
'telnetd' user by default). |
| Alerts: |
|
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
CVE #(s): | CAN-2003-0924
|
| Created: | January 19, 2004 |
Updated: | December 29, 2004 |
| Description: |
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool. |
| Alerts: |
|
Comments (1 posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2003-0190
|
| Created: | May 2, 2003 |
Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
|
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
Opera: Multiple spoofing vulnerabilities
| Package(s): | opera |
CVE #(s): | |
| Created: | July 20, 2004 |
Updated: | July 21, 2004 |
| Description: |
Opera fails to remove illegal characters from an URI of a link and to check
that the target frame of a link belongs to the same website as the
link. Opera also updates the address bar before loading a page.
Additionally, Opera contains a certificate verification problem.
These vulnerabilities could allow an attacker to impersonate legitimate
websites to steal sensitive information from users. This could be done by
obfuscating the real URI of a link or by injecting a malicious frame into
an arbitrary frame of another browser window. |
| Alerts: |
|
Comments (none posted)
pavuk: buffer overflow
| Package(s): | pavuk |
CVE #(s): | CAN-2004-0456
|
| Created: | June 30, 2004 |
Updated: | November 11, 2004 |
| Description: |
Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server. |
| Alerts: |
|
Comments (none posted)
php: remotely exploitable memory errors
| Package(s): | php |
CVE #(s): | CAN-2004-0594
|
| Created: | July 14, 2004 |
Updated: | February 7, 2005 |
| Description: |
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not). |
| Alerts: |
|
Comments (none posted)
postgresql buffer overflow in ODBC driver
| Package(s): | postgresql |
CVE #(s): | |
| Created: | June 7, 2004 |
Updated: | July 28, 2004 |
| Description: |
A buffer overflow has been discovered in the ODBC driver of PostgreSQL,
an object-relational SQL database, descended from POSTGRES. It possible
to exploit this problem and crash the surrounding application. Hence, a
PHP script using php4-odbc can be utilized to crash the surrounding
Apache webserver. Other parts of postgresql are not affected. |
| Alerts: |
|
Comments (none posted)
python: buffer overflow
| Package(s): | python |
CVE #(s): | CAN-2004-0150
|
| Created: | March 10, 2004 |
Updated: | October 11, 2004 |
| Description: |
Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. |
| Alerts: |
|
Comments (none posted)
squid: buffer overflow
| Package(s): | squid |
CVE #(s): | CAN-2004-0541
|
| Created: | June 9, 2004 |
Updated: | September 30, 2004 |
| Description: |
The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable. |
| Alerts: |
|
Comments (none posted)
SquirrelMail cross site scripting vulnerabilities
| Package(s): | squirrelmail |
CVE #(s): | CAN-2004-0519
CAN-2004-0520
CAN-2004-0521
|
| Created: | May 21, 2004 |
Updated: | October 4, 2004 |
| Description: |
Several unspecified cross-site scripting (XSS) vulnerabilities and a well
hidden SQL injection vulnerability were found in SquirrelMail versions
1.4.2 and lower. An XSS attack allows an attacker to insert malicious code
into a web-based application. SquirrelMail does not check for code when
parsing variables received via the URL query string. |
| Alerts: |
|
Comments (none posted)
Subversion: Remote heap overflow
| Package(s): | subversion |
CVE #(s): | CAN-2004-0413
|
| Created: | June 11, 2004 |
Updated: | March 7, 2005 |
| Description: |
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
sysstat: temporary file vulnerability
| Package(s): | sysstat |
CVE #(s): | CAN-2004-0107
CAN-2004-0108
|
| Created: | March 10, 2004 |
Updated: | October 4, 2004 |
| Description: |
The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 9, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
| Package(s): | tcpdump |
CVE #(s): | CAN-2004-0183
CAN-2004-0184
|
| Created: | March 30, 2004 |
Updated: | September 30, 2004 |
| Description: |
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory. |
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
ut2003: Unreal Tournament 2003/2004 buffer overflow in 'secure' queries
| Package(s): | ut2003 |
CVE #(s): | |
| Created: | July 19, 2004 |
Updated: | July 21, 2004 |
| Description: |
The Unreal-based game servers support a specific type of query called
'secure'. Part of the Gamespy protocol, this query is used to ask if the
game server is able to calculate an exact response using a provided
string. Luigi Auriemma found that sending a long 'secure' query triggers a
buffer overflow in the game server. By sending a malicious UDP-based
'secure' query, an attacker could execute arbitrary code on the game
server. |
| Alerts: |
|
Comments (none posted)
webmin: denial of service
| Package(s): | webmin |
CVE #(s): | CAN-2004-0582
CAN-2004-0583
|
| Created: | June 16, 2004 |
Updated: | July 28, 2004 |
| Description: |
Versions of webmin prior to 1.150 suffer from denial of service and information disclosure vulnerabilities. See advisories for the disclosure and lockout problems for more information. |
| Alerts: |
|
Comments (none posted)
wv: buffer overflow
| Package(s): | wv |
CVE #(s): | CAN-2004-0645
|
| Created: | July 14, 2004 |
Updated: | February 10, 2005 |
| Description: |
wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem. |
| Alerts: |
|
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2004-0409
|
| Created: | April 19, 2004 |
Updated: | November 14, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: |
|
Comments (none posted)
XFree86, X.org: XDM ignores requestPort setting
| Package(s): | XFree86 X.org |
CVE #(s): | CAN-2004-0419
|
| Created: | July 5, 2004 |
Updated: | July 28, 2004 |
| Description: |
XDM will open TCP sockets for its chooser, even if the
DisplayManager.requestPort setting is set to 0. This may allow
authorized users to access a machine remotely via X, even if the
administrator has configured XDM to refuse such connections. See this XFree86 bug report. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
Page editor: Rebecca Sobol
Next page: Kernel development>>
