|
|
| |
|
| |
Security
The LD_DEBUG environment variable is one of those obscure, useful features
found in glibc. By setting LD_DEBUG to one of a few specific values (use
help to get the full list), you can get a great deal of
information on just how the dynamic library loader is resolving symbols and
performing relocation. This information can be most useful for tracking
down certain kinds of obscure shareable library problems.
LD_DEBUG can be verbose; it can also provide information about
security-critical programs - especially those running setuid - which
perhaps should not be made available to just anybody. The large amount of
output created by LD_DEBUG can also be used as a sort of poor-man's
single-stepping mechanism. If you can control when the standard output
will block, you can stop a setuid program at almost any library call. This
capability can be most useful if you are trying to exploit a difficult race
condition, such as a temporary file vulnerability. The ability to stop a
program at an arbitrary point can turn a small, difficult window into a
wide-open one which can be exploited at leisure.
Thus, it would make sense to disallow LD_DEBUG for setuid binaries.
Unfortunately, this didn't occur to the glibc implementors, who did not add
any checks for setuid operation in the LD_DEBUG code. Gentoo has recently
issued an update fixing the problem; no other
distributors have followed suit as of this writing.
As it turns out, some distributors do not need to. OpenWall fixed this problem over three years ago; ALT
Linux also patched glibc in its distribution. Somehow, however, the fixes
applied by these distributors never got into wider distribution.
This is not the first time that somebody has discovered a security problem
for which a fix had been available for years. These incidents are, at
best, a missed opportunity: known holes with available fixes remain
unpatched for long periods of time. A less pleasant possibility is that
crackers can look at the patches applied by security-conscious
distributions (such as OpenWall) in search of holes which have not been
fixed elsewhere. Security fixes are best applied universally.
The obvious way to ensure widespread diffusion of security fixes is to
submit them back to the package's maintainer. Such patches should almost
always be accepted - or the maintainer should come up with a better way to
fix the problem. If the maintainer refuses to fix the problem, there is
always the time-honored technique of posting an advisory to Bugtraq. What
should not be an option is keeping security fixes to ones self.
Comments (16 posted)
New vulnerabilities
Cacti: SQL injection vulnerability
| Package(s): | cacti |
CVE #(s): | |
| Created: | August 23, 2004 |
Updated: | August 25, 2004 |
| Description: |
Cacti is vulnerable to a SQL injection attack where an attacker may
inject SQL into the Username field. An attacker could use these
vulnerabilities to compromise the Cacti service and potentially execute
programs with the permissions of the user running Cacti. |
| Alerts: |
|
Comments (none posted)
courier-imap: Remote Format String Vulnerability
| Package(s): | courier-imap |
CVE #(s): | CAN-2004-0777
|
| Created: | August 20, 2004 |
Updated: | August 26, 2004 |
| Description: |
There is a format string vulnerability in the auth_debug() function which
can be exploited remotely, potentially leading to arbitrary code execution
as the user running the IMAP daemon (which is often root). A remote
attacker may send username or password information containing printf()
format tokens (such as "%s"), which will crash the server or cause it to
execute arbitrary code. This vulnerability can only be exploited if
DEBUG_LOGIN is set to something other than 0 in the imapd config file.
If DEBUG_LOGIN is enabled in the imapd configuration, a remote attacker
may execute arbitrary code as the root user. |
| Alerts: |
|
Comments (none posted)
icecast-server: missing escape
| Package(s): | icecast-server |
CVE #(s): | CAN-2004-0781
|
| Created: | August 24, 2004 |
Updated: | August 25, 2004 |
| Description: |
Markus Wörle discovered a cross site scripting problem in
status-display (list.cgi) of the icecast internal webserver, an MPEG
layer III streaming server. The UserAgent variable is not properly
html_escaped so that an attacker could cause the client to execute
arbitrary Java script commands. |
| Alerts: |
|
Comments (none posted)
qt3: BMP image parser heap overflow
| Package(s): | qt3/qt3-non-mt/qt3-32bit/qt3-static |
CVE #(s): | CAN-2004-0691
CAN-2004-0692
CAN-2004-0693
|
| Created: | August 19, 2004 |
Updated: | May 15, 2005 |
| Description: |
A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution. |
| Alerts: |
|
Comments (none posted)
roundup: remote file access vulnerability
| Package(s): | roundup |
CVE #(s): | |
| Created: | August 18, 2004 |
Updated: | August 25, 2004 |
| Description: |
The roundup issue tracker has a vulnerability that allows
a remote attacker to read files owned by the user that is
running the application. |
| Alerts: |
|
Comments (none posted)
zlib: denial of service
| Package(s): | zlib |
CVE #(s): | CAN-2004-0797
|
| Created: | August 25, 2004 |
Updated: | June 10, 2005 |
| Description: |
Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
acroread: UUDecode filename buffer overflow
| Package(s): | acroread |
CVE #(s): | |
| Created: | August 16, 2004 |
Updated: | August 17, 2004 |
| Description: |
acroread contains two errors in the handling of UUEncoded filenames.
First, it fails to check the length of a filename before copying it
into a fixed size buffer and, secondly, it fails to check for the
backtick shell metacharacter in the filename before executing a command
with a shell. By enticing a user to open a PDF with a specially crafted
filename, an attacker could execute arbitrary code or programs with the
permissions of the user running acroread. |
| Alerts: |
|
Comments (none posted)
Apache mod_proxy: denial of service
| Package(s): | apache |
CVE #(s): | CAN-2004-0492
|
| Created: | June 11, 2004 |
Updated: | October 14, 2004 |
| Description: |
A buffer overflow vulnerability in the apache mod_proxy module
can be exploited to create a denial of service. |
| Alerts: |
|
Comments (none posted)
apache2: stack-based buffer overflow in ssl_util.c
| Package(s): | apache2 |
CVE #(s): | CAN-2004-0488
|
| Created: | June 1, 2004 |
Updated: | October 14, 2004 |
| Description: |
A stack-based buffer overflow exists in the ssl_util_uuencode_binary
function in ssl_util.c in Apache. When mod_ssl is configured to trust the
issuing CA, a remote attacker may be able to execute arbitrary code via a
client certificate with a long subject DN. |
| Alerts: |
|
Comments (none posted)
aspell: bounds checking problem
| Package(s): | aspell |
CVE #(s): | CAN-2004-0548
|
| Created: | June 17, 2004 |
Updated: | December 20, 2004 |
| Description: |
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker. |
| Alerts: |
|
Comments (none posted)
Ethereal: Multiple security problems
| Package(s): | ethereal |
CVE #(s): | CAN-2004-0633
CAN-2004-0634
CAN-2004-0635
|
| Created: | July 9, 2004 |
Updated: | August 19, 2004 |
| Description: |
There are multiple vulnerabilities in versions of Ethereal earlier than
0.10.5, including:
* In some cases the iSNS dissector could cause Ethereal to abort.
* If there was no policy name for a handle for SMB SID snooping it
could cause a crash.
* A malformed or missing community string could cause the SNMP
dissector to crash.
See this
advisory for more information. |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
flim: insecure file creation
| Package(s): | flim |
CVE #(s): | CAN-2004-0422
|
| Created: | May 5, 2004 |
Updated: | December 16, 2004 |
| Description: |
The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
| Alerts: |
|
Comments (none posted)
Gaim: remote code execution vulnerability
| Package(s): | gaim |
CVE #(s): | CAN-2004-0500
|
| Created: | August 12, 2004 |
Updated: | October 18, 2004 |
| Description: |
The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability
in the MSN-protocol parsing functions. |
| Alerts: |
|
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
CVE #(s): | CAN-2004-1453
|
| Created: | August 17, 2004 |
Updated: | May 26, 2005 |
| Description: |
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation. |
| Alerts: |
|
Comments (1 posted)
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
CVE #(s): | CAN-2004-0494
|
| Created: | August 4, 2004 |
Updated: | February 21, 2005 |
| Description: |
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
gv: unsafe sscanf () buffer overflow vulnerability
| Package(s): | gv |
CVE #(s): | CAN-2002-0838
|
| Created: | August 12, 2004 |
Updated: | August 19, 2004 |
| Description: |
gv (prior to version 3.5.8-r4) has a buffer overflow vulnerability involving the sscanf()
function. An attacker can execute arbitrary code with the
permission of the user running gv. |
| Alerts: |
|
Comments (1 posted)
iproute: local denial of service
| Package(s): | iproute net-tools |
CVE #(s): | CAN-2003-0856
|
| Created: | November 25, 2003 |
Updated: | December 14, 2004 |
| Description: |
The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
| Alerts: |
|
Comments (none posted)
racoon: failure to verify signatures
| Package(s): | ipsec-tools racoon |
CVE #(s): | CAN-2004-0155
|
| Created: | April 7, 2004 |
Updated: | August 19, 2004 |
| Description: |
Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kdebase: multiple vulnerabilities
| Package(s): | kdebase |
CVE #(s): | CAN-2004-0689
CAN-2004-0690
CAN-2004-0721
CAN-2004-0746
|
| Created: | August 12, 2004 |
Updated: | October 4, 2004 |
| Description: |
Three separate vulnerabilities have been identified in the KDE 3.2
"kdebase" package; see this advisory for
details. These problems include two temporary file vulnerabilities and a
"frame injection" problem in konqueror which could help with phishing
attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies
for certain country specific secondary top level domains. |
| Alerts: |
|
Comments (none posted)
kdelibs: cookie disclosure
| Package(s): | kdelibs |
CVE #(s): | CAN-2003-0592
|
| Created: | March 10, 2004 |
Updated: | August 24, 2004 |
| Description: |
kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. |
| Alerts: |
|
Comments (none posted)
kernel allows unauthorized changes to the group ID
| Package(s): | kernel |
CVE #(s): | CAN-2004-0497
|
| Created: | July 2, 2004 |
Updated: | September 27, 2004 |
| Description: |
During an audit of the Linux kernel, SUSE discovered a flaw that allowed
a user to make unauthorized changes to the group ID of files in certain
circumstances - such as when the files are exported via NFS. |
| Alerts: |
|
Comments (none posted)
kernel information leak
| Package(s): | kernel |
CVE #(s): | CAN-2004-0415
|
| Created: | August 3, 2004 |
Updated: | October 26, 2004 |
| Description: |
Paul Starzetz discovered
flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64 to 32-bit file
offset pointers and possible race conditions. A local unprivileged user
could make use of these flaws to access large portions of kernel memory.
Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.
A fix for this problem was added to the fifth
2.4.27 release candidate. |
| Alerts: |
|
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
libpng: multiple vulnerabilities
Comments (1 posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
logcheck: symlink vulnerability
| Package(s): | logcheck |
CVE #(s): | CAN-2004-0404
|
| Created: | April 21, 2004 |
Updated: | December 22, 2004 |
| Description: |
The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mod_python: denial of service vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2003-0973
|
| Created: | January 27, 2004 |
Updated: | October 4, 2004 |
| Description: |
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability. |
| Alerts: |
|
Comments (none posted)
MoinMoin Group ACL Bypass
| Package(s): | moinmoin |
CVE #(s): | |
| Created: | July 12, 2004 |
Updated: | August 26, 2004 |
| Description: |
MoinMoin contains a flaw that may allow a malicious user to gain access to
unauthorized privileges. The issue is triggered when an attacker creates a
user with the same name as an administrative group. This flaw may lead to a
loss of integrity. See this osvdb
entry for additional information. |
| Alerts: |
|
Comments (none posted)
mozilla: multiple vulnerabilties
| Package(s): | mozilla |
CVE #(s): | CAN-2003-0594
CAN-2003-0564
|
| Created: | March 10, 2004 |
Updated: | August 19, 2004 |
| Description: |
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks. |
| Alerts: |
|
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
CVE #(s): | CAN-2003-0969
|
| Created: | January 6, 2004 |
Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming). |
| Alerts: |
|
Comments (none posted)
MySQL: temporary file vulnerabilities
| Package(s): | mysql |
CVE #(s): | CAN-2004-0381
CAN-2004-0388
|
| Created: | April 14, 2004 |
Updated: | August 18, 2004 |
| Description: |
The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system. |
| Alerts: |
|
Comments (none posted)
MySQL: temporary file vulnerability
| Package(s): | mysql |
CVE #(s): | CAN-2004-0457
|
| Created: | August 18, 2004 |
Updated: | September 1, 2004 |
| Description: |
The MySQL "mysqlhotcopy" script contains a temporary file vulnerability
which could be used by an attacker to overwrite files. |
| Alerts: |
|
Comments (none posted)
neon: buffer overflow
| Package(s): | neon |
CVE #(s): | CAN-2004-0398
|
| Created: | May 19, 2004 |
Updated: | September 30, 2004 |
| Description: |
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver). |
| Alerts: |
|
Comments (none posted)
nessus: adduser race condition vulnerability
| Package(s): | nessus |
CVE #(s): | |
| Created: | August 12, 2004 |
Updated: | August 17, 2004 |
| Description: |
The nessus security scanner has a temporary file vulnerability that allows a
user to perform a privilege escalation attack by way of an adduser
race condition. |
| Alerts: |
|
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
CVE #(s): | CAN-2003-0924
|
| Created: | January 19, 2004 |
Updated: | December 29, 2004 |
| Description: |
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool. |
| Alerts: |
|
Comments (1 posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2003-0190
|
| Created: | May 2, 2003 |
Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
|
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
pavuk: buffer overflow
| Package(s): | pavuk |
CVE #(s): | CAN-2004-0456
|
| Created: | June 30, 2004 |
Updated: | November 11, 2004 |
| Description: |
Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server. |
| Alerts: |
|
Comments (none posted)
php: remotely exploitable memory errors
| Package(s): | php |
CVE #(s): | CAN-2004-0594
|
| Created: | July 14, 2004 |
Updated: | February 7, 2005 |
| Description: |
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not). |
| Alerts: |
|
Comments (none posted)
PuTTY: pre-authentication arbitrary code execution problem
| Package(s): | putty |
CVE #(s): | |
| Created: | August 5, 2004 |
Updated: | October 28, 2004 |
| Description: |
PuTTY, a telnet and SSH client, contains a vulnerability that
can allow an SSH server to execute arbitrary code on a connecting client.
|
| Alerts: |
|
Comments (none posted)
python: buffer overflow
| Package(s): | python |
CVE #(s): | CAN-2004-0150
|
| Created: | March 10, 2004 |
Updated: | October 11, 2004 |
| Description: |
Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. |
| Alerts: |
|
Comments (none posted)
rsync: path-sanitizing bug
| Package(s): | rsync |
CVE #(s): | CAN-2004-0792
|
| Created: | August 16, 2004 |
Updated: | November 1, 2004 |
| Description: |
This August 2004 rsync
advisory reports that there is a path-sanitizing bug that affects
daemon mode in all recent rsync versions (including 2.6.2) but only if
chroot is disabled. It does NOT affect the normal send/receive filenames
that specify what files should be transferred (this is because these names
happen to get sanitized twice, and thus the second call removes any
lingering leading slash(es) that the first call left behind). It does
affect certain option paths that cause auxilliary files to be read or
written. |
| Alerts: |
|
Comments (none posted)
ruby: insecure file permissions
| Package(s): | ruby |
CVE #(s): | CAN-2004-0755
|
| Created: | August 16, 2004 |
Updated: | October 14, 2004 |
| Description: |
Andres Salomon noticed a problem in the CGI session management of Ruby, an
object-oriented scripting language. CGI::Session's FileStore (and
presumably PStore, but not in Debian woody) implementations store session
information insecurely. They simply create files, ignoring permission
issues. This can lead an attacker who has also shell access to the
webserver to take over a session. |
| Alerts: |
|
Comments (none posted)
samba: potential buffer overruns
| Package(s): | samba |
CVE #(s): | CAN-2004-0600
CAN-2004-0686
|
| Created: | July 22, 2004 |
Updated: | September 2, 2004 |
| Description: |
According to this Samba advisory, Evgeny
Demidov discovered that the Samba SMB/CIFS server has a buffer overflow bug
in the Samba Web Administration Tool (SWAT) on decoding Base64 data during
HTTP Basic Authentication. Samba versions between 3.0.2 through 3.0.4 are
affected. (CAN-2004-0600)
Another buffer overflow bug has been located in the Samba code used to
support the "mangling method = hash" functionality. The default setting for
this parameter is "mangling method = hash2" and therefore Samba is not
vulnerable by default. Samba versions between 2.2.0 through 2.2.9 and 3.0.0
through 3.0.4 are affected. (CAN-2004-0686) |
| Alerts: |
|
Comments (1 posted)
sox: buffer overflow
| Package(s): | sox |
CVE #(s): | CAN-2004-0557
|
| Created: | July 28, 2004 |
Updated: | February 21, 2005 |
| Description: |
Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file. |
| Alerts: |
|
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
| Package(s): | spamassassin |
CVE #(s): | CAN-2004-0796
|
| Created: | August 9, 2004 |
Updated: | August 11, 2005 |
| Description: |
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service. |
| Alerts: |
|
Comments (none posted)
squid: buffer overflow
| Package(s): | squid |
CVE #(s): | CAN-2004-0541
|
| Created: | June 9, 2004 |
Updated: | September 30, 2004 |
| Description: |
The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable. |
| Alerts: |
|
Comments (none posted)
SquirrelMail cross site scripting vulnerabilities
| Package(s): | squirrelmail |
CVE #(s): | CAN-2004-0519
CAN-2004-0520
CAN-2004-0521
|
| Created: | May 21, 2004 |
Updated: | October 4, 2004 |
| Description: |
Several unspecified cross-site scripting (XSS) vulnerabilities and a well
hidden SQL injection vulnerability were found in SquirrelMail versions
1.4.2 and lower. An XSS attack allows an attacker to insert malicious code
into a web-based application. SquirrelMail does not check for code when
parsing variables received via the URL query string. |
| Alerts: |
|
Comments (none posted)
Subversion: Remote heap overflow
| Package(s): | subversion |
CVE #(s): | CAN-2004-0413
|
| Created: | June 11, 2004 |
Updated: | March 7, 2005 |
| Description: |
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
sysstat: temporary file vulnerability
| Package(s): | sysstat |
CVE #(s): | CAN-2004-0107
CAN-2004-0108
|
| Created: | March 10, 2004 |
Updated: | October 4, 2004 |
| Description: |
The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
| Package(s): | tcpdump |
CVE #(s): | CAN-2004-0183
CAN-2004-0184
|
| Created: | March 30, 2004 |
Updated: | September 30, 2004 |
| Description: |
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory. |
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
wv: buffer overflow
| Package(s): | wv |
CVE #(s): | CAN-2004-0645
|
| Created: | July 14, 2004 |
Updated: | February 10, 2005 |
| Description: |
wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem. |
| Alerts: |
|
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2004-0409
|
| Created: | April 19, 2004 |
Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: |
|
Comments (none posted)
xine-lib: VCD MRL buffer overflow
| Package(s): | xine-lib |
CVE #(s): | |
| Created: | August 17, 2004 |
Updated: | August 18, 2004 |
| Description: |
xine-lib contains a bug where it is possible to overflow the vcd:// input
source identifier management buffer through carefully crafted playlists.
An attacker may construct a carefully-crafted playlist file which will
cause xine-lib to execute arbitrary code with the permissions of the
user. In order to conform with the generic naming standards of most
Unix-like systems, playlists can have extensions other than .asx (the
standard xine playlist format), and made to look like another file
(MP3, AVI, or MPEG for example). If an attacker crafts a playlist with
a valid header, they can insert a VCD playlist line that can cause a
buffer overflow and possible shellcode execution. |
| Alerts: |
|
Comments (1 posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
Page editor: Jonathan Corbet
Next page: Kernel development>>
|
|
|