[gull-annonces] Summary of SecurityFocus Newsletter #362-363
Marc SCHAEFER
schaefer at alphanet.ch
Sun Aug 27 09:34:41 CEST 2006
APACHE HTTP REQUEST SMUGGLING VULNERABILITY
BugTraq ID: 14106
Last Updated: 2006-08-16
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/14106
Summary:
Apache is prone to an HTTP-request-smuggling attack.
A specially crafted request with a 'Transfer-Encoding: chunked'
header and a 'Content-Length' header can cause the server to
forward a reassembled request with the original 'Content-Length'
header. As a result, the malicious request may piggyback on the
valid HTTP request.
This attack may result in cache poisoning, cross-site scripting,
session hijacking, and other attacks.
This issue was originally described in BID 13873 (Multiple Vendor
Multiple HTTP Request Smuggling Vulnerabilities). Since vendor
confirmation and more details are available, the issue has now been
assigned a new BID.
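An added example (the editor's, not part of the original post or of the SecurityFocus text): a minimal request splitter that parses one byte stream the two ways the summary describes. When Content-Length wins, the whole stream is a single POST; when Transfer-Encoding wins, a second request appears after the zero-length chunk. The request bytes, the paths and the host name are constructed for the demonstration.

```python
"""Added example: framing disagreement behind HTTP request smuggling.
The request bytes and the host name below are constructed for this demo."""


def _split_headers(data: bytes):
    """Return (request_line, lower-cased header dict, offset of body)."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, len(head) + 4


def _skip_chunked_body(data: bytes, pos: int) -> int:
    """Walk a chunked body starting at pos; return the offset just past it."""
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            # last-chunk: optional trailers end with an empty line
            return data.index(b"\r\n", pos) + 2
        pos += size + 2  # chunk data plus its CRLF


def parse_requests(data: bytes, framing: str):
    """Split one byte stream into requests using the chosen framing rule.

    framing="content-length": the buggy behaviour the BID describes, where
        Content-Length wins when both headers are present.
    framing="chunked": Transfer-Encoding wins, as the HTTP spec requires.
    framing="strict": refuse a message that carries both headers.
    Returns the request lines seen, one per message.
    """
    seen = []
    pos = 0
    while pos < len(data):
        request_line, headers, body_off = _split_headers(data[pos:])
        body_start = pos + body_off
        chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
        has_cl = b"content-length" in headers
        if framing == "strict" and chunked and has_cl:
            raise ValueError("ambiguous framing: Transfer-Encoding and Content-Length")
        if chunked and not (framing == "content-length" and has_cl):
            pos = _skip_chunked_body(data, body_start)
        else:
            pos = body_start + int(headers.get(b"content-length", b"0"))
        seen.append(request_line.decode())
    return seen


# The hidden request sits where a chunked reader sees the start of the
# next message, while Content-Length covers it as part of the first body.
HIDDEN = b"GET /admin HTTP/1.1\r\nHost: victim.example\r\n\r\n"
BODY = b"0\r\n\r\n" + HIDDEN
SMUGGLED = (
    b"POST /search HTTP/1.1\r\n"
    + b"Host: victim.example\r\n"
    + b"Content-Length: %d\r\n" % len(BODY)
    + b"Transfer-Encoding: chunked\r\n"
    + b"\r\n"
    + BODY
)
```

A front end that counts by Content-Length forwards the whole stream as one POST; a back end that honours chunked encoding answers the POST and then treats the leftover bytes as a fresh GET that was never subject to the front end's checks or cache key. The "strict" mode is the cheap defence for anything that proxies: reject, or at least normalise, a message that carries both headers, so both hops frame the bytes identically.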
APACHE MPM WORKER.C DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 15762
Last Updated: 2006-08-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/15762
Summary:
Apache is prone to a memory leak that may cause a denial-of-service
condition.
An attacker may consume excessive memory resources, resulting in a
denial of service for legitimate users.
Apache 2.x versions are vulnerable; other versions may also be
affected.
APACHE MOD_REWRITE OFF-BY-ONE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 19204
Last Updated: 2006-08-16
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19204
Summary:
Apache mod_rewrite is prone to an off-by-one buffer-overflow
condition.
The vulnerability arising in the mod_rewrite module's ldap scheme
handling allows for potential memory corruption when an attacker
exploits certain rewrite rules.
An attacker may exploit this issue to trigger a denial-of-
service condition. Reportedly, arbitrary code execution may be
possible as well.
APACHE MOD_SSL CUSTOM ERROR DOCUMENT REMOTE DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 16152
Last Updated: 2006-08-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/16152
Summary:
Apache's mod_ssl module is susceptible to a remote denial-of-service
vulnerability. A flaw in the module results in a NULL-pointer
dereference that causes the server to crash. This issue is present
only when virtual hosts are configured with a custom 'ErrorDocument'
statement for '400' errors or 'SSLEngine optional'.
Depending on the configuration of Apache, attackers may crash the
entire webserver or individual child processes. Repeated attacks are
required to deny service to legitimate users when Apache is
configured for multiple child processes to handle connections.
This issue affects Apache 2.x versions.
APACHE MOD_INCLUDE LOCAL BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 11471
Last Updated: 2006-08-16
Remote: No
Relevant URL: http://www.securityfocus.com/bid/11471
Summary:
The problem presents itself when the affected module attempts to
parse mod_include-specific tag values. A failure to properly
validate the lengths of user-supplied tag strings before copying
them into finite buffers facilitates the overflow.
A local attacker may leverage this issue to execute arbitrary code
on the affected computer with the privileges of the affected
Apache server.
BUSYBOX INSECURE PASSWORD HASH WEAKNESS
BugTraq ID: 17330
Last Updated: 2006-08-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17330
Summary:
BusyBox is prone to an insecure password-hash weakness. This issue
is due to a design flaw that results in password hashes being
created in an insecure manner.
This issue allows attackers to use precomputed password hashes in
brute-force attacks if they can gain access to password hashes by
some means (such as exploiting another vulnerability).
[ super-binary containing the basic commands of a GNU/Linux
distribution, but taking up less space. Used e.g. by installers ]
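An added example (the editor's, not from the post or the SecurityFocus text) of the attack the summary alludes to: a table of precomputed hashes cracks an unsalted hash instantly, and a per-account random salt makes that table useless. SHA-256 here is only a stand-in; the page does not say which algorithm BusyBox used. The wordlist is constructed.

```python
"""Added example: why precomputed tables work against unsalted hashes
and fail against per-user random salts. SHA-256 stands in for whatever
BusyBox actually used; the wordlist is constructed."""
import hashlib
import secrets
from typing import Optional


def hash_unsalted(password: str) -> str:
    # Same password, same hash, for every user on every system: one table fits all.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[str] = None) -> str:
    # A fresh random salt per account; it is stored in the clear next to the digest.
    if salt is None:
        salt = secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    salt, _, _ = stored.partition("$")
    return secrets.compare_digest(hash_salted(password, salt), stored)


WORDLIST = ["123456", "password", "letmein", "qwerty", "admin"]


def precompute(wordlist) -> dict:
    """Attacker side: hash -> password, computed once, reusable against any leak."""
    return {hash_unsalted(pw): pw for pw in wordlist}


def lookup(stored: str, table: dict) -> Optional[str]:
    """Instant crack if the stored digest is in the precomputed table."""
    digest = stored.partition("$")[2] or stored
    return table.get(digest)


def guess_per_salt(stored: str, wordlist) -> Optional[str]:
    """With salts the attacker must redo the whole wordlist for every account."""
    for pw in wordlist:
        if verify_salted(pw, stored):
            return pw
    return None
```

The table costs one hash per candidate password, ever; with salts the cost becomes one hash per candidate per account, and two users with the same password no longer share a hash. In production use a password-hashing function with a work factor (crypt(3) with a modern scheme, scrypt, bcrypt) rather than a bare digest.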
CHM LIB EXTRACT_CHMLIB DIRECTORY TRAVERSAL VULNERABILITY
BugTraq ID: 18511
Last Updated: 2006-08-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/18511
Summary:
CHM Lib is prone to a directory-traversal vulnerability because it
fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to place malicious files
and to overwrite files in arbitrary locations on the vulnerable
system, in the context of the user running the application.
Successful exploits may aid in further attacks.
[ free library for accessing Microsoft help files (?) ]
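An added example (the editor's, not CHM Lib's code) of the check an extractor needs: resolve each member name under the destination and refuse anything that lands outside it, including names that escape through a symlink already present in the target directory. The member names and payloads are constructed.

```python
"""Added example: refusing archive member names that escape the
extraction directory. The member list below is constructed."""
import os
import tempfile


class TraversalError(ValueError):
    pass


def safe_extract_path(dest_dir: str, member_name: str) -> str:
    """Return where member_name may be written under dest_dir, or raise."""
    dest_root = os.path.realpath(dest_dir)
    # An archive entry has no business naming an absolute location.
    if os.path.isabs(member_name):
        raise TraversalError(f"absolute path in archive: {member_name!r}")
    # realpath collapses "a/../b" and follows symlinks already present under
    # dest_root, so "img/../../x" and "link-to-outside/x" both resolve to
    # their real target before the containment check.
    candidate = os.path.realpath(os.path.join(dest_root, member_name))
    if os.path.commonpath([dest_root, candidate]) != dest_root:
        raise TraversalError(f"entry escapes extraction dir: {member_name!r}")
    return candidate


def extract_all(dest_dir, members):
    """members: iterable of (name, payload bytes). Returns the relative paths written."""
    written = []
    for name, payload in members:
        path = safe_extract_path(dest_dir, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(payload)
        written.append(os.path.relpath(path, os.path.realpath(dest_dir)))
    return written


def demo():
    """Extract two benign entries, then show four hostile names being refused."""
    with tempfile.TemporaryDirectory() as dest:
        # A symlink pointing outside dest, as a hostile earlier entry might plant.
        os.symlink(os.path.dirname(os.path.realpath(dest)), os.path.join(dest, "up"))
        ok = extract_all(dest, [("index.htm", b"<html>"), ("img/logo.gif", b"GIF89a")])
        blocked = []
        for bad in ("../escape.txt", "/etc/escape.txt",
                    "img/../../escape.txt", "up/escape.txt"):
            try:
                safe_extract_path(dest, bad)
            except TraversalError:
                blocked.append(bad)
        return ok, blocked
```

Comparing with commonpath rather than a string prefix matters: "/tmp/out" is a prefix of "/tmp/outside/x" but not its parent. The check is per entry, so an extractor that also creates symlinks from the archive must refuse those (or re-resolve after every write), otherwise a later entry can walk through a link the archive itself planted.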
CISCO PIX SIP IMPLEMENTATION UNAUTHORIZED UDP PORT FORWARDING
VULNERABILITY
BugTraq ID: 19536
Last Updated: 2006-08-16
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19536
Summary:
Cisco PIX is reportedly prone to an unauthorized UDP port-forwarding
vulnerability.
Attackers may exploit this issue to forward UDP datagrams to
arbitrary hosts protected by affected firewall devices, potentially
bypassing firewall rules. This may aid attackers in further attacks
against computers protected by affected firewall devices.
Note that Cisco is investigating the vulnerability and so far has
not been able to reproduce this issue.
This BID will be updated as further information becomes available.
[ firmware ]
CLAM ANTI-VIRUS CLAMAV UPX COMPRESSED FILE HEAP BUFFER OVERFLOW
VULNERABILITY
BugTraq ID: 16191
Last Updated: 2006-08-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/16191
Summary:
ClamAV is prone to a heap buffer-overflow vulnerability. This
issue is due to the application's failure to properly bounds-check
user-supplied data before copying it to an insufficiently sized
memory buffer.
This issue occurs when the application attempts to handle compressed
UPX files.
Exploitation of this issue could allow attacker-supplied machine
code to be executed in the context of the affected application. The
issue would occur when the malformed file is scanned manually or
automatically in deployments such as email gateways.
[ shouldn't we simply allow ONE compression format, e.g. tar.gz, and
simply drop the rest? There are more and more attacks aimed at
unarchivers.
]
CYRUS IMAPD POP3D REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 18056
Last Updated: 2006-08-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/18056
Summary:
Cyrus IMAPD is prone to a remote buffer-overflow vulnerability. This
issue is due to a failure in the application to properly verify user-
supplied input before copying it into a finite-sized buffer.
Successful exploits may result in memory corruption leading to a denial-of-
service condition or arbitrary code execution.
Cyrus IMAPD version 2.3.2 is reported to be vulnerable. Other
versions may be affected as well.
DAVE CARRIGAN AUTH_LDAP REMOTE FORMAT STRING VULNERABILITY
BugTraq ID: 16177
Last Updated: 2006-08-16
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/16177
Summary:
Dave Carrigan's auth_ldap is susceptible to a remote format-string
vulnerability. This issue is due to the application's failure to
properly sanitize user-supplied input before using it in the format-
specifier of a formatted printing function.
This issue likely arises only if auth_ldap has been enabled and is
used for user authentication.
This issue allows remote attackers to execute arbitrary machine code
in the context of Apache webservers that use the affected module.
This may facilitate the compromise of affected computers.
FREERADIUS MULTIPLE RLM_SQLCOUNTER BUFFER OVERFLOW VULNERABILITIES
BugTraq ID: 17293
Last Updated: 2006-08-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17293
Summary:
FreeRADIUS is prone to multiple buffer-overflow vulnerabilities.
These issues are due to a failure in the application to do proper
bounds checking on user-supplied data.
Reportedly, these issues may result in a denial-of-service condition
only. Attackers cannot exploit these issues to gain unauthorized
remote access.
FREERADIUS RLM_SQLCOUNTER SQL INJECTION VULNERABILITY
BugTraq ID: 17294
Last Updated: 2006-08-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/17294
Summary:
FreeRADIUS is prone to an SQL-injection vulnerability. This issue is
due to a failure in the application to properly sanitize user-
supplied input before using it in an SQL query.
Successful exploitation could allow an attacker to compromise the
application, access or modify data, or exploit vulnerabilities in
the underlying database implementation.
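An added example (the editor's, not FreeRADIUS code) of the pattern the summary describes, using a constructed in-memory accounting table: a counter query built by pasting the User-Name into SQL text, beside the same query with a bound parameter. The two payloads show why a counter module is an interesting target: one zeroes the user's usage so a quota check passes, the other sums every account's usage into one figure.

```python
"""Added example: string-built counter query versus a parameterised one,
run against a constructed in-memory table (not FreeRADIUS's own schema)."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (username TEXT, acctsessiontime INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?)",
                     [("alice", 3600), ("bob", 120), ("carol", 900)])
    return conn


def used_seconds_vulnerable(conn, username: str) -> int:
    # User-Name from the RADIUS request dropped straight into the SQL text.
    sql = ("SELECT COALESCE(SUM(acctsessiontime), 0) FROM radacct "
           f"WHERE username = '{username}'")
    return conn.execute(sql).fetchone()[0]


def used_seconds_safe(conn, username: str) -> int:
    # Placeholder binding: the name is data, never SQL, whatever it contains.
    sql = "SELECT COALESCE(SUM(acctsessiontime), 0) FROM radacct WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0]


def over_quota(conn, username: str, limit: int, query=used_seconds_safe) -> bool:
    return query(conn, username) >= limit


# Constructed payloads: the first zeroes the counter so a quota check passes,
# the second pulls every user's total into one figure.
ZERO_OUT = "bob' AND 0 --"
EVERYONE = "bob' OR '1'='1"
```

sqlite3 refuses stacked statements in execute(), so this demo cannot show "...; DROP TABLE"; drivers for other databases may well run them, which is the "exploit vulnerabilities in the underlying database implementation" part of the summary.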
GNU MAILMAN LARGE DATE DATA DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 16248
Last Updated: 2006-08-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/16248
Summary:
GNU Mailman is prone to a denial-of-service attack. This issue
affects Mailman's email date parsing.
The vulnerability could be triggered by mailing-list posts and will
impact the availability of mailing lists hosted by the application.
GNUPG PARSE_COMMENT REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 19110
Last Updated: 2006-08-16
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19110
Summary:
GnuPG is prone to a remote buffer-overflow vulnerability because it
fails to properly bounds-check user-supplied input before copying it
to an insufficiently sized memory buffer.
This issue may allow remote attackers to execute arbitrary machine
code in the context of the affected application, but this has not
been confirmed.
GnuPG version 1.4.4 is vulnerable to this issue; previous versions
may also be affected.
IMAGEMAGICK FILE NAME HANDLING REMOTE FORMAT STRING VULNERABILITY
BugTraq ID: 12717
Last Updated: 2006-08-16
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/12717
Summary:
ImageMagick is reported prone to a remote format-string
vulnerability.
Reportedly, this issue arises when the application handles malformed
filenames. An attacker can exploit this vulnerability by crafting a
malicious file with a name that contains format specifiers and
sending the file to an unsuspecting user.
Note that there are other attack vectors that may not require user
interaction, since the application can be used with custom printing
systems and web applications.
A successful attack may crash the application or lead to arbitrary
code execution.
All versions of ImageMagick are considered vulnerable at the moment.
IMAGEMAGICK IMAGE FILENAME REMOTE COMMAND EXECUTION VULNERABILITY
BugTraq ID: 16093
Last Updated: 2006-08-16
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/16093
Summary:
ImageMagick is prone to a remote shell command-execution
vulnerability.
Successful exploitation can allow arbitrary commands to be executed
in the context of the affected user. Note that attackers could
exploit this issue through other applications that use ImageMagick
as the default image viewer.
ImageMagick 6.2.4.5 is reportedly vulnerable. Other versions may be
affected as well.
IMAGEMAGICK SGI IMAGE FILE REMOTE HEAP BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 19507
Last Updated: 2006-08-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19507
Summary:
ImageMagick is prone to a remote heap buffer-overflow vulnerability
because the application fails to properly bounds-check user-supplied
input before copying it to an insufficiently sized memory buffer.
This issue allows attackers to execute arbitrary machine code in the
context of applications that use the ImageMagick library.
ImageMagick versions in the 6.x series, up to version 6.2.8, are
vulnerable to this issue.
KPDF AND KWORD MULTIPLE UNSPECIFIED BUFFER AND INTEGER OVERFLOW
VULNERABILITIES
BugTraq ID: 16143
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/16143
Summary:
KPDF and KWord are prone to multiple buffer and integer overflows.
Successful exploitation could result in arbitrary code execution in
the context of the user running the vulnerable application.
Specific details of these issues are not currently available. This
record will be updated when more information becomes available.
The following are vulnerable:
- kdegraphics package
- KPDF versions 3.4.3 and earlier
- KOffice
- KWord versions 1.4.2 and earlier
LHAZ LHA LONG MULTIPLE BUFFER OVERFLOW VULNERABILITIES
BugTraq ID: 19377
Last Updated: 2006-08-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19377
Summary:
Lhaz is prone to multiple buffer-overflow vulnerabilities because
the application fails to check overly long filenames before copying
them to a finite-sized buffer.
An attacker can exploit these issues to execute arbitrary code
within the context of the affected application.
Version 1.31 is vulnerable to these issues; other versions may also
be affected.
LSH SEED FILE FILE DESCRIPTOR LEAKAGE VULNERABILITY
BugTraq ID: 16357
Last Updated: 2006-08-16
Remote: No
Relevant URL: http://www.securityfocus.com/bid/16357
Summary:
lsh may leak file descriptors that may allow a local attacker to
access sensitive information or to cause a denial-of-service
condition.
lsh 2.0.1 is reportedly vulnerable. Other versions may be
affected as well.
[ simpler ssh ]
LIBTIFF PIXARLOG DECODER REMOTE HEAP BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 19290
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19290
Summary:
The PixarLog Decoder for libTIFF is prone to a remote heap buffer-
overflow vulnerability.
This issue may allow attackers to execute arbitrary machine code
within the context of the vulnerable application or to cause a
denial-of-service.
LIBTIFF TIFFFETCHSHORTPAIR REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 19283
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19283
Summary:
LibTIFF is prone to a buffer-overflow vulnerability because the
library fails to do proper boundary checks before copying user-
supplied data into a finite-sized buffer.
This issue allows remote attackers to execute arbitrary machine code
in the context of applications using the affected library. Failed
exploit attempts will likely crash the application, denying service
to legitimate users.
LIBTIFF TIFFSCANLINESIZE REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 19288
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19288
Summary:
LibTIFF is prone to a buffer-overflow vulnerability because the
library fails to do proper boundary checks before copying user-
supplied data into a finite-sized buffer.
This issue allows remote attackers to execute arbitrary machine code
in the context of applications using the affected library. Failed
exploit attempts will likely crash the application, denying service
to legitimate users.
LIBTIFF ESTIMATESTRIPBYTECOUNTS() DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 19284
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19284
Summary:
LibTIFF is affected by a denial-of-service vulnerability.
An attacker can exploit this vulnerability to cause a denial of
service in applications using the affected library.
LIBTIFF SANITY CHECKS MULTIPLE DENIAL OF SERVICE VULNERABILITIES
BugTraq ID: 19286
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19286
Summary:
LibTIFF is affected by multiple denial-of-service vulnerabilities.
An attacker can exploit these vulnerabilities to cause a denial of
service in applications using the affected library.
LIBVNCSERVER REMOTE AUTHENTICATION BYPASS VULNERABILITY
BugTraq ID: 18977
Last Updated: 2006-08-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/18977
Summary:
LibVNCServer is prone to an authentication-bypass vulnerability.
This issue is due to a flaw in the authentication process of the
affected package.
Exploiting this issue may allow attackers to gain unauthenticated,
remote access to the VNC servers.
All versions of LibVNCServer are considered vulnerable to this
issue.
Reports indicate that this issue is similar to the issue described
in BID 17978 (RealVNC Remote Authentication Bypass Vulnerability).
Note that since LibVNCServer and RealVNC do not share code, this
issue is being assigned a separate BID.
[ do not forget that VNC is not a secure protocol and that it must only
be used through a tunnel, e.g. SSH
]
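An added example (the editor's, not LibVNCServer code). The summary says only "a flaw in the authentication process"; the example assumes the flaw is of the kind the RealVNC bypass it is compared to is known for: the client replies with a security type the server never offered, and the server honours it. Both sides' messages of the RFB 3.8 security-type exchange are built inline.

```python
"""Added example: RFB 3.8 security-type negotiation, server side.
Assumes the flaw is of the RealVNC kind: the client names a type the
server never offered and the server honours it. Messages are built inline."""
SEC_NONE, SEC_VNCAUTH = 1, 2          # RFB security-type numbers


def server_offer(offered) -> bytes:
    """Server -> client: one count byte, then one byte per offered type."""
    return bytes([len(offered)]) + bytes(offered)


def client_pick(choice: int) -> bytes:
    """Client -> server: the single chosen type."""
    return bytes([choice])


def negotiate_vulnerable(offered, wire: bytes) -> int:
    # Checks only that the type is one the server knows, not one it offered.
    choice = wire[0]
    if choice in (SEC_NONE, SEC_VNCAUTH):
        return choice
    raise ConnectionError(f"unknown security type {choice}")


def negotiate_fixed(offered, wire: bytes) -> int:
    # The server keeps the list it sent and accepts nothing outside it.
    choice = wire[0]
    if choice not in offered:
        raise ConnectionError(f"type {choice} not among offered {list(offered)}")
    return choice


def handshake(offered, client_choice: int, negotiate) -> bool:
    """Run both sides' messages; True means no password will ever be asked."""
    msg = server_offer(offered)
    assert msg[0] == len(offered) and list(msg[1:]) == list(offered)
    accepted = negotiate(offered, client_pick(client_choice))
    return accepted == SEC_NONE
```

The state to keep is the list the server actually sent; validating the client's byte against "types this build supports" is what lets a client talk its way into type 1 (None). The bracketed advice above still applies after the fix: the password check of type 2 is weak and the session is unencrypted, so keep the listener on localhost and reach it through an SSH tunnel.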
LIBMUSICBRAINZ MULTIPLE BUFFER OVERFLOW VULNERABILITIES
BugTraq ID: 19508
Last Updated: 2006-08-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19508
Summary:
The libmusicbrainz library is prone to multiple buffer-overflow
vulnerabilities because the application fails to check the size
of the data before copying it into a finite-sized internal
memory buffer.
An attacker can exploit these issues to execute arbitrary code
within the context of the application or to cause a denial-of-
service condition.
Versions 2.1.2, SVN 8406, and prior are vulnerable to this issue;
other versions may also be affected.
LIBTIFF LIBRARY ANONYMOUS FIELD MERGING DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 19287
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19287
Summary:
The 'libtiff' library is prone to a denial-of-service vulnerability.
An attacker can exploit this issue by submitting malformed
image files.
When the libtiff library routines process a malicious TIFF file,
this could result in abnormal behavior, cause the application to
become unresponsive, or possibly allow malicious code to execute.
LIBTIFF NEXT RLE DECODER REMOTE HEAP BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 19282
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19282
Summary:
The Next RLE Decoder for libTIFF is prone to a remote heap buffer-
overflow vulnerability.
This issue occurs because the application fails to check boundary
conditions on certain RLE decoding operations.
This issue may allow attackers to execute arbitrary machine code
within the context of the vulnerable application or to cause a
denial of service.
LINKSYS WRT54GS POST REQUEST CONFIGURATION CHANGE AUTHENTICATION
BYPASS VULNERABILITY
BugTraq ID: 19347
Last Updated: 2006-08-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19347
Summary:
Linksys WRT54GS is prone to an authentication-bypass vulnerability.
Reportedly, the device permits changes in its configuration settings
without requiring authentication.
The problem presents itself when a victim user visits a specially
crafted web page on an attacker-controlled site. An attacker can
exploit this vulnerability to bypass authentication and modify the
configuration settings of the device.
This issue is reported to affect firmware version 1.00.9; other
firmware versions may also be affected.
[ firmware ]
LINUX KERNEL DM-CRYPT LOCAL INFORMATION DISCLOSURE VULNERABILITY
BugTraq ID: 16301
Last Updated: 2006-08-14
Remote: No
Relevant URL: http://www.securityfocus.com/bid/16301
Summary:
The Linux kernel 'dm-crypt' module is susceptible to a local
information-disclosure vulnerability. This issue is due to the module's
failure to properly zero sensitive memory buffers before freeing the memory.
This issue may allow local attackers to gain access to potentially
sensitive memory that contains information on the cryptographic
key used for the encrypted storage. This may aid attackers in
further attacks.
This issue affects the 2.6 series of the Linux kernel.
LINUX KERNEL DVB DRIVER LOCAL BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 16142
Last Updated: 2006-08-14
Remote: No
Relevant URL: http://www.securityfocus.com/bid/16142
Summary:
Linux kernel is prone to a local buffer-overflow vulnerability. This
issue is due to a flaw in the DVB (Digital Video Broadcasting)
driver subsystem. This issue is exploitable only on computers with
the affected DVB module compiled, enabled, and accessible to local
malicious users.
A successful attack may result in a denial-of-service condition
or possibly arbitrary code execution in the context of the
local kernel.
Linux kernel versions prior to 2.6.15 in the 2.6 series are
considered vulnerable to this issue.
LINUX KERNEL IPV6 FLOWLABEL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 15729
Last Updated: 2006-08-15
Remote: No
Relevant URL: http://www.securityfocus.com/bid/15729
Summary:
Linux Kernel is prone to a local denial-of-service vulnerability.
Local attackers can exploit this vulnerability to corrupt kernel
memory or free non-allocated memory. Successful exploitation will
crash the kernel, effectively denying service to legitimate users.
LINUX KERNEL NFS AND EXT3 COMBINATION REMOTE DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 19396
Last Updated: 2006-08-08
Remote: No
Relevant URL: http://www.securityfocus.com/bid/19396
Summary:
The Linux kernel is susceptible to a remote denial-of-service
vulnerability because the EXT3 filesystem code fails to properly
handle unexpected conditions.
Remote attackers may trigger this issue by sending crafted UDP
datagrams to affected computers that are configured as NFS servers,
causing filesystem errors. Depending on the mount-time options of
affected filesystems, this may result in remounting filesystems as
read-only or cause a kernel panic.
Linux kernel versions 2.6.14.4, 2.6.17.6, and 2.6.17.7 are
vulnerable to this issue; other versions in the 2.6 series are also
likely affected.
[ quite serious! ]
LINUX KERNEL POSIX TIMER CLEANUP HANDLING LOCAL DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 15722
Last Updated: 2006-08-15
Remote: No
Relevant URL: http://www.securityfocus.com/bid/15722
Summary:
A local denial-of-service vulnerability affects the Linux kernel.
The vulnerability arises due to a race-condition error in the
handling of POSIX timer cleanup routines.
A successful attack can result in a kernel crash.
Linux kernel versions 2.6.10 to 2.6.14 are vulnerable to this issue.
LINUX KERNEL PTRACED CHILD AUTO-REAP LOCAL DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 15625
Last Updated: 2006-08-15
Remote: No
Relevant URL: http://www.securityfocus.com/bid/15625
Summary:
Linux kernel is prone to a local denial-of-service vulnerability.
The kernel improperly auto-reaps processes when they are being
ptraced, leading to an invalid pointer. Further operations on this
pointer result in a kernel crash.
This issue allows local users to crash the kernel, denying service
to legitimate users.
A complete compromise of the affected computer has also been
reported, but this has not been confirmed.
Kernel versions prior to 2.6.15 are vulnerable to this issue.
LINUX KERNEL PROCFS KERNEL MEMORY DISCLOSURE VULNERABILITY
BugTraq ID: 16284
Last Updated: 2006-08-14
Remote: No
Relevant URL: http://www.securityfocus.com/bid/16284
Summary:
The Linux kernel is affected by a local memory-disclosure
vulnerability.
This issue allows an attacker to read kernel memory.
Information gathered via exploitation may aid malicious users
in further attacks.
This issue affects the 2.6 series of the Linux kernel, prior
to 2.6.15.
LINUX KERNEL SYSCTL_STRING LOCAL BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 16141
Last Updated: 2006-08-14
Remote: No
Relevant URL: http://www.securityfocus.com/bid/16141
Summary:
Linux kernel is prone to a local buffer-overflow vulnerability. This
issue is due to an off-by-one error in the 'sysctl' subsystem.
A successful attack may result in a denial-of-service condition
or possibly arbitrary code execution in the context of the
local kernel.
Linux kernel versions prior to 2.6.15 in the 2.6 series are
considered vulnerable to this issue.
LINUX KERNEL DO_COREDUMP DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 15723
Last Updated: 2006-08-15
Remote: No
Relevant URL: http://www.securityfocus.com/bid/15723
Summary:
Linux kernel is prone to a denial-of-service vulnerability caused by
a race condition in 'do_coredump()'.
Successful exploitation can cause the system to stop responding to
legitimate requests.
LINUX KERNEL MQ_OPEN SYSTEM CALL UNSPECIFIED DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 16283
Last Updated: 2006-08-14
Remote: No
Relevant URL: http://www.securityfocus.com/bid/16283
Summary:
Linux kernel 'mq_open()' system call is prone to a local denial-of-
service vulnerability. Further information is not currently
available. This record will be updated when more details are
disclosed.
This issue affects Linux kernel 2.6.9. Earlier kernel versions may
be affected.
LINUX-HA HEARTBEAT INSECURE DEFAULT PERMISSIONS ON SHARED MEMORY
VULNERABILITY
BugTraq ID: 19186
Last Updated: 2006-08-15
Remote: No
Relevant URL: http://www.securityfocus.com/bid/19186
Summary:
Since Linux-HA Heartbeat has insecure default permissions set
on shared memory, local attackers may be able to cause a denial
of service.
Exploitation would most likely result in a system crash, loss of
data, and resource exhaustion, leading to a denial of service if
critical files are accessed improperly or overwritten in the attack.
Other attacks may be possible as well.
MIT KERBEROS 5 MULTIPLE LOCAL PRIVILEGE ESCALATION VULNERABILITIES
BugTraq ID: 19427
Last Updated: 2006-08-16
Remote: No
Relevant URL: http://www.securityfocus.com/bid/19427
Summary:
MIT Kerberos 5 is prone to multiple local privilege-escalation
vulnerabilities because it fails to properly implement privilege-
dropping functionality when used in conjunction with Linux 2.6
kernels or with AIX operating systems.
This issue allows local attackers to gain superuser privileges,
facilitating the complete compromise of affected computers.
MYSQL MERGE PRIVILEGE REVOKE BYPASS VULNERABILITY
BugTraq ID: 19279
Last Updated: 2006-08-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19279
Summary:
MySQL is prone to a vulnerability that allows users whose privileges
on a particular table have been revoked to keep accessing that table.
This issue allows attackers to gain access to data when access
privileges have been revoked. The specific impact of this issue
depends on the data that the attacker may retrieve.
MOZILLA FIREFOX JAVASCRIPT HANDLER RACE CONDITION MEMORY CORRUPTION
VULNERABILITY
BugTraq ID: 19488
Last Updated: 2006-08-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19488
Summary:
Mozilla Firefox is prone to a remote memory-corruption
vulnerability. This issue is due to a race condition that may result
in double-free or other memory-corruption issues.
Attackers may likely exploit this issue to execute arbitrary machine
code in the context of the vulnerable application, but this has not
been confirmed. Failed exploit attempts will likely crash the
application.
Mozilla Firefox is vulnerable to this issue. Due to code-reuse,
other Mozilla products are also likely affected.
MOZILLA FIREFOX XML HANDLER RACE CONDITION MEMORY CORRUPTION
VULNERABILITY
BugTraq ID: 19534
Last Updated: 2006-08-16
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19534
Summary:
Mozilla Firefox is prone to a remote memory-corruption vulnerability
because of a race condition that may result in double-free or other
memory-corruption issues.
Attackers may likely exploit this issue to execute arbitrary machine
code in the context of the vulnerable application, but this has not
been confirmed. Failed exploit attempts will likely crash the
application.
Mozilla Firefox is vulnerable to this issue. Due to code-reuse,
other Mozilla products are also likely affected.
MOZILLA MULTIPLE PRODUCTS REMOTE VULNERABILITIES
BugTraq ID: 19181
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19181
Summary:
The Mozilla Foundation has released thirteen security advisories
specifying vulnerabilities in Mozilla Firefox, SeaMonkey, and
Thunderbird.
These vulnerabilities allow attackers to:
- execute arbitrary machine code in the context of the vulnerable
application
- crash affected applications
- run arbitrary script code with elevated privileges
- gain access to potentially sensitive information
- carry out cross-domain scripting attacks.
Other attacks may also be possible.
The issues described here will be split into individual BIDs as more
information becomes available.
These issues are fixed in:
- Mozilla Firefox version 1.5.0.5
- Mozilla Thunderbird version 1.5.0.5
- Mozilla SeaMonkey version 1.0.3
MULTIPLE VENDOR DUMP FILE LOCKING DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 5264
Last Updated: 2006-08-16
Remote: No
Relevant URL: http://www.securityfocus.com/bid/5264
Summary:
It is possible for local attackers to create a denial of service by
creating a file lock on files that the dump utility requires for
normal operation. This may be exploited to effectively prevent dump
from backing up files.
The process holding the file lock must be killed to resume normal
operation.
[ only in the case of MANDATORY LOCKING, which is not enabled by
default in most Linux kernels, for example
]
MYSQL SERVER DATE_FORMAT DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 19032
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19032
Summary:
MySQL is prone to a remote denial-of-service vulnerability because
the database server fails to properly handle unexpected input.
This issue allows remote attackers to crash affected database
servers, denying service to legitimate users. Attackers must be able
to execute arbitrary SQL statements on affected servers, which
requires valid credentials to connect to affected servers.
Attackers may exploit this issue in conjunction with latent SQL-
injection vulnerabilities in other applications.
Versions of MySQL prior to 4.1.18, 5.0.19, and 5.1.6 are vulnerable
to this issue.
MYSQL USER-DEFINED FUNCTION BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 14509
Last Updated: 2006-08-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/14509
Summary:
MySQL is prone to a buffer-overflow vulnerability. The application
fails to perform sufficient boundary checks on data supplied as an
argument in a user-defined function.
A database user with sufficient access to create a user-defined
function can exploit this issue. Attackers may also be able to
exploit this issue through latent SQL-injection vulnerabilities in
third-party applications that use the database as a backend.
Successful exploitation will result in the execution of arbitrary
code in the context of the database server process.
NCOMPRESS DECOMPRESS BUFFER UNDERFLOW VULNERABILITY
BugTraq ID: 19455
Last Updated: 2006-08-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19455
Summary:
The ncompress utility is prone to a buffer-underflow vulnerability.
When ncompress decompresses data, it fails to perform appropriate
bounds checking, which may allow certain decompress operations to
underflow an internal buffer. This may cause unpredictable effects
on vulnerable systems.
Version 4.2.4 is reportedly vulnerable to this issue; earlier
versions may be affected as well.
NFS-SERVER REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 16388
Last Updated: 2006-08-16
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/16388
Summary:
The 'nfs-server' package is prone to a remote buffer-overflow
vulnerability.
A remote attacker with the ability to create symlinks on any of the
filesystems on an affected computer running 'rpc.mountd' can exploit
this issue to execute arbitrary code. Attackers without filesystem
access may also be able to execute arbitrary code, but this has not
been confirmed.
Note that the 'nfs-server' package is obsolete. The 'nfs-utils'
package is not affected by this issue.
[ that sounds rather like a SuSEism ... I think they mean the difference
between the user-space and kernel-space versions of the NFS server,
which Debian calls nfs-user-server and nfs-kernel-server, and I think
the vulnerability, at SuSE, is in the user-space version, even if the
report is not very clear. For Debian, see
http://www.us.debian.org/security/2006/dsa-975; it is indeed the
user-space server (nfs-user-server), dating from February 2006.
]
OPENLDAP AMBIGUOUS PASSWORD ATTRIBUTE WEAKNESS
BugTraq ID: 11137
Last Updated: 2006-08-16
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/11137
Summary:
It is reported that in certain undisclosed cases, OpenLDAP is
susceptible to an ambiguous password attribute weakness.
If an attacker is able to retrieve a password hash as contained in
the OpenLDAP database, they are possibly able to directly
authenticate to the LDAP database. An attacker is able to gain
unauthorized access if they can sniff password hashes from the
network, or retrieve the contents of the 'userPassword' attribute
from a database backup, or through weak permissions on the database.
The OpenLDAP that is included with Apple Mac OS X, versions 10.3.4
and 10.3.5 is reported to be affected. Versions of OpenLDAP included
in other operating systems are also possibly affected.
OPENLDAP TLS PLAINTEXT PASSWORD VULNERABILITY
BugTraq ID: 14125
Last Updated: 2006-08-16
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/14125
Summary:
OpenLDAP is affected by a password-disclosure vulnerability when
used with TLS.
This issue arises when a connection to a slave is established using
TLS and the client is referred to a master. TLS is not used with
this connection, which can allow an attacker to sniff network
traffic and obtain user credentials.
OpenLDAP 2.1.25 is known to be vulnerable at the moment. Other
versions may be affected as well.
OPENSSH SCP SHELL COMMAND EXECUTION VULNERABILITY
BugTraq ID: 16369
Last Updated: 2006-08-16
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/16369
Summary:
OpenSSH is prone to an SCP shell command-execution vulnerability
because the application fails to properly sanitize user-supplied
input before using it in a 'system()' function call.
This issue allows attackers to execute arbitrary shell commands with
the privileges of users executing a vulnerable version of SCP.
This issue reportedly affects version 4.2 of OpenSSH. Other versions
may also be affected.
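The pattern the advisory describes, a user-supplied filename pasted into a string that is handed to system(), is easiest to see next to its fix. The following is an added example written for this summary; it is not OpenSSH's scp code. The constructed filename, the build_shell_command, has_shell_meta and copy_without_shell helpers and the use of cp are all assumptions made for the illustration. It shows what reaches "sh -c" when a name is interpolated into a command string, and the fork/exec form that passes the same name as a single argv entry with no shell involved.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed filename for the demonstration: a plausible name with a
   second command appended after a ';'. */
static const char EVIL_NAME[] = "report.txt; touch /tmp/owned";

/* The vulnerable pattern: the user-supplied name is pasted into a
   command string that will be handed to system(), i.e. to "sh -c".
   Returns the command length, or -1 if it does not fit. */
int build_shell_command(char *out, size_t cap, const char *src, const char *dst)
{
    int n = snprintf(out, cap, "cp %s %s", src, dst);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Does the name contain anything the shell would interpret? A reject list
   like this is a detection aid, not the fix; the fix is to avoid the shell. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, "|&;<>()$`\\\"' \t\n*?[#~") != NULL;
}

/* Returns 1 when the string that would reach system() carries the
   injected "touch" as a separate shell command, 0 otherwise. */
int injection_reaches_shell(void)
{
    char cmd[256];
    if (build_shell_command(cmd, sizeof cmd, EVIL_NAME, "/backup/") < 0)
        return -1;
    return strstr(cmd, "; touch /tmp/owned") != NULL;
}

/* The fix: no shell at all. fork/exec passes each string as one argv
   entry, so "report.txt; touch /tmp/owned" is just an odd filename that
   cp fails to find. Returns cp's exit status, or -1 on fork/wait failure. */
int copy_without_shell(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" keeps a name beginning with '-' from being read as an option */
        execlp("cp", "cp", "--", src, dst, (char *)NULL);
        _exit(127);               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    build_shell_command(cmd, sizeof cmd, EVIL_NAME, "/backup/");
    printf("system() would run: sh -c '%s'\n", cmd);
    printf("metacharacters present: %s\n", has_shell_meta(EVIL_NAME) ? "yes" : "no");
    /* The safe path is exercised with a source that does not exist, so
       nothing is copied: cp reports the missing file and the shell never
       sees the name. */
    printf("cp via execlp exited with %d\n", copy_without_shell(EVIL_NAME, "/tmp/"));
    return 0;
}
```

The metacharacter list is there to show what a quoting or escaping approach has to get right; the fork/exec form sidesteps the whole question, which is why it is the preferred fix whenever the program does not actually need shell features.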
PCRE REGULAR EXPRESSION HEAP OVERFLOW VULNERABILITY
BugTraq ID: 14620
Last Updated: 2006-08-16
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/14620
Summary:
PCRE is prone to a heap-overflow vulnerability. This issue is due to
the library's failure to properly perform boundary checks on user-
supplied input before copying data to an internal memory buffer.
The impact of successful exploitation of this vulnerability depends
on the application and the user credentials using the vulnerable
library. A successful attack may ultimately permit an attacker to
control the contents of critical memory control structures and write
arbitrary data to arbitrary memory locations.
[ library offering the power of Perl regular expressions to other
languages (Perl 5 Compatible Regular Expression Library).
]
PIKE UNSPECIFIED SQL INJECTION VULNERABILITY
BugTraq ID: 19367
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19367
Summary:
Pike is prone to an unspecified SQL-injection vulnerability because
it fails to properly sanitize user-supplied input before using it in
an SQL query.
A successful attack could allow an attacker to compromise the
application, access or modify data, gain administrative access to
the application, or exploit vulnerabilities in the underlying
database implementation.
Versions prior to 7.6.86 are vulnerable to this issue.
[ Pike is an interpreted language with a syntax close to C ]
RUBY ON RAILS ROUTING DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 19454
Last Updated: 2006-08-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19454
Summary:
Ruby on Rails is prone to a vulnerability in its routing
functionality that may result in denial-of-service or data
loss issues.
Attackers may exploit this issue by issuing HTTP GET requests to
predictable URIs to affected webservers.
This issue affects Ruby on Rails versions 1.1.0, 1.1.1, 1.1.2,
1.1.4, and 1.1.5.
SAMBA INTERNAL DATA STRUCTURES DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 18927
Last Updated: 2006-08-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/18927
Summary:
The smbd daemon is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to consume excessive memory
resources, ultimately crashing the affected application.
This issue affects Samba versions 3.0.1 through 3.0.22 inclusive.
TWIKI CONFIGURE SCRIPT TYPEOF PARAMETER REMOTE COMMAND EXECUTION
VULNERABILITY
BugTraq ID: 19188
Last Updated: 2006-08-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19188
Summary:
TWiki is prone to a remote command-execution vulnerability.
Attackers can exploit this issue to execute arbitrary system
commands with the privileges of the webserver process.
[ do not leave the configure script remotely accessible without
authentication; and apply the patch
]
WEBMIN/USERMIN UNSPECIFIED INFORMATION DISCLOSURE VULNERABILITY
BugTraq ID: 18744
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/18744
Summary:
Webmin and Usermin are prone to an unspecified information-
disclosure vulnerability. This issue is due to a failure in the
applications to properly sanitize user-supplied input.
An attacker can exploit this issue to retrieve potentially sensitive
information.
This issue affects Webmin versions prior to 1.290 and Usermin
versions prior to 1.220.
Unconfirmed reports suggest that this issue is the same as the one
discussed in BID 18613 (Webmin Remote Directory Traversal
Vulnerability). However, the fixes associated with that issue did
not completely solve the vulnerability.
WIRESHARK PROTOCOL DISSECTORS MULTIPLE VULNERABILITIES
BugTraq ID: 19051
Last Updated: 2006-08-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19051
Summary:
Wireshark is prone to multiple vulnerabilities:
- A format-string vulnerability.
- An off-by-one vulnerability.
- An infinite-loop vulnerability.
- A memory-allocation vulnerability.
These may permit attackers to execute arbitrary code, which can
facilitate a compromise of an affected computer or cause a denial-of-
service condition to legitimate users of the application.
[ formerly ethereal ]
XPDF DCTSTREAM BASELINE REMOTE HEAP BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 15727
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/15727
Summary:
The 'xpdf' viewer is reported prone to a remote buffer-overflow
vulnerability. This issue exists because the application fails to
perform proper boundary checks before copying user-supplied data
into process buffers. A remote attacker may execute arbitrary code
in the context of a user running the application. This can result in
the attacker gaining unauthorized access to the vulnerable computer.
This issue is reported to present itself in the
'DCTStream::readBaselineSOF' function residing in the
'xpdf/Stream.cc' file.
This issue is reported to affect xpdf 3.01, but earlier versions are
likely prone to this vulnerability as well. Applications using
embedded xpdf code may also be vulnerable.
The 'pdftohtml' utility also includes vulnerable versions of xpdf.
Version 0.36 of pdftohtml was reported prone to this issue, however,
earlier versions may also be affected.
The 'kpdf' viewer reportedly incorporates vulnerable xpdf code.
Version 0.5 of kpdf is prone to this issue, but other versions may
also be affected.
XPDF DCTSTREAM PROGRESSIVE REMOTE HEAP BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 15726
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/15726
Summary:
The 'xpdf' utility is reported prone to a remote buffer-overflow
vulnerability. This issue exists because the application fails to
perform proper boundary checks before copying user-supplied data
into process buffers. A remote attacker may execute arbitrary code
in the context of a user running the application. As a result, the
attacker can gain unauthorized access to the vulnerable computer.
Reportedly, this issue presents itself in the
'DCTStream::readProgressiveSOF' function residing in the
'xpdf/Stream.cc' file.
This issue is reported to affect xpdf 3.01, but earlier versions are
likely vulnerable as well. Applications using embedded xpdf code may
also be vulnerable.
The 'pdftohtml' utility also includes vulnerable versions of xpdf.
Version 0.36 of pdftohtml was reported prone to this issue, but
earlier versions may also be affected.
The 'kpdf' utility reportedly incorporates vulnerable xpdf code.
Version 0.5 of kpdf is prone to this issue, but other versions may
also be affected.
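Both DCTStream entries above concern the reading of a JPEG Start Of Frame segment (SOF0 for baseline, SOF2 for progressive; the two share one layout): a component count comes from the file and drives a loop that fills a per-component table. The advisory does not say which check is missing; the assumption made here is that the table is fixed-size and the count is not bounded against it. The following added example, written for this summary and not taken from xpdf, parses that segment with the checks an unchecked reader omits. The MAX_COMPONENTS value, the struct layout and the build_sof/try_sof helpers that construct the test input are choices for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size per-component table of the kind a decoder keeps; the value
   is a choice for this illustration. */
#define MAX_COMPONENTS 4

struct jpeg_component { uint8_t id, h_samp, v_samp, quant_table; };

struct sof_header {
    uint8_t  precision;
    uint16_t height, width;
    uint8_t  num_comps;
    struct jpeg_component comps[MAX_COMPONENTS];
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse an SOF segment body. `seg` points at the two length bytes that
   follow the FFC0 (baseline) or FFC2 (progressive) marker, `avail` is the
   number of input bytes left. Layout: Lf(2) P(1) Y(2) X(2) Nf(1), then
   Nf entries of C(1) HV(1) Tq(1), so Lf == 8 + 3*Nf.
   Returns 0 on success, -1 on any malformed input. An unchecked reader
   takes Nf from the file and loops Nf times into comps[], so an Nf of
   255 writes 251 entries past the table; that is the check that matters. */
int parse_sof(const uint8_t *seg, size_t avail, struct sof_header *out)
{
    if (avail < 8) return -1;                       /* fixed part must be present */
    uint16_t len = be16(seg);
    if (len < 8 || len > avail) return -1;          /* declared length vs. buffer */
    uint8_t nf = seg[7];
    if (nf < 1 || nf > MAX_COMPONENTS) return -1;   /* table bound */
    if (len != 8 + 3u * nf) return -1;              /* length must match count */

    memset(out, 0, sizeof *out);
    out->precision = seg[2];
    out->height    = be16(seg + 3);
    out->width     = be16(seg + 5);
    out->num_comps = nf;
    for (unsigned i = 0; i < nf; i++) {
        const uint8_t *c = seg + 8 + 3 * i;
        out->comps[i].id          = c[0];
        out->comps[i].h_samp      = c[1] >> 4;
        out->comps[i].v_samp      = c[1] & 0x0f;
        out->comps[i].quant_table = c[2];
    }
    return 0;
}

/* Build a self-consistent SOF body with `nf` components (constructed test
   input). Returns its length, or 0 if it does not fit in buf. */
size_t build_sof(uint8_t *buf, size_t cap, uint8_t nf)
{
    size_t len = 8 + 3 * (size_t)nf;
    if (cap < len) return 0;
    buf[0] = (uint8_t)(len >> 8); buf[1] = (uint8_t)len;
    buf[2] = 8;                     /* 8-bit samples */
    buf[3] = 0; buf[4] = 16;        /* height 16 */
    buf[5] = 0; buf[6] = 16;        /* width 16 */
    buf[7] = nf;
    for (unsigned i = 0; i < nf; i++) {
        buf[8 + 3 * i]  = (uint8_t)(i + 1);   /* component id */
        buf[9 + 3 * i]  = 0x11;               /* 1x1 sampling */
        buf[10 + 3 * i] = 0;                  /* quant table 0 */
    }
    return len;
}

/* Parse a constructed SOF with `nf` components, optionally pretending only
   `avail_override` bytes are available (0 = the whole segment). Returns the
   accepted component count, or -1 if the parser rejected the input. */
int try_sof(uint8_t nf, size_t avail_override)
{
    uint8_t buf[8 + 3 * 255];
    struct sof_header h;
    size_t len = build_sof(buf, sizeof buf, nf);
    if (len == 0) return -1;
    if (parse_sof(buf, avail_override ? avail_override : len, &h) != 0)
        return -1;
    return h.num_comps;
}

int main(void)
{
    printf("3 components         : %d\n", try_sof(3, 0));
    printf("255 components       : %d\n", try_sof(255, 0));
    printf("truncated to 10 bytes: %d\n", try_sof(3, 10));
    return 0;
}
```

The order of the checks is deliberate: the segment length is compared with the bytes actually available before any field past the length is read, and the component count is compared with the table size before the loop that fills it, so neither a short file nor an oversized count can drive an out-of-bounds access.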
XPDF JPX STREAM READER REMOTE HEAP BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 15721
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/15721
Summary:
The 'xpdf' utility is reported prone to a remote buffer-overflow
vulnerability. This issue exists because the application fails to
perform proper boundary checks before copying user-supplied data
into process buffers. A remote attacker may execute arbitrary code
in the context of a user running the application. As a result, the
attacker can gain unauthorized access to the vulnerable computer.
Reportedly, this issue presents itself in the
'JPXStream::readCodestream' function residing in the
'xpdf/JPXStream.cc' file.
This issue is reported to affect xpdf 3.01, but earlier versions are
likely prone to this vulnerability as well. Applications using
embedded xpdf code may also be vulnerable.
The 'kpdf' utility reportedly incorporates vulnerable xpdf code.
Version 0.5 of kpdf is prone to this issue, but other versions may
also be affected.
XPDF LOCA TABLE VERIFICATION REMOTE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 14529
Last Updated: 2006-08-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/14529
Summary:
The 'xpdf' utility is prone to a remote denial-of-service
vulnerability.
The vulnerability presents itself when the application tries to
verify the validity of a malformed 'loca' table in PDF files.
This issue can result in disk consumption and can ultimately lead to
a denial-of-service condition.
The 'kpdf', 'gpdf', and 'CUPS' utilities are vulnerable to this
issue as well.
XPDF STREAMPREDICTOR REMOTE HEAP BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 15725
Last Updated: 2006-08-07
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/15725
Summary:
The 'xpdf' viewer is reported prone to a remote buffer-overflow
vulnerability. This issue exists because the application fails to
perform proper boundary checks before copying user-supplied data
into process buffers. A remote attacker may execute arbitrary code
in the context of a user running the application. As a result, the
attacker can gain unauthorized access to the vulnerable computer.
This issue is reported to present itself in the
'StreamPredictor::StreamPredictor' function residing in the
'xpdf/Stream.cc' file.
This issue is reported to affect xpdf 3.01, but earlier versions are
likely prone to this vulnerability as well. Applications using
embedded xpdf code may also be vulnerable.
The 'pdftohtml' utility also includes vulnerable versions of xpdf.
Version 0.36 of pdftohtml was reported prone to this issue, but
earlier versions may also be affected.
The 'kpdf' viewer reportedly incorporates vulnerable xpdf code.
Version 0.5 of kpdf is prone to this issue, but other versions may
also be affected.
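The StreamPredictor entry gives no mechanism beyond a missing boundary check. A common shape for this class of bug in a decoder constructor is a row size computed from several stream-supplied parameters (columns, colours per sample, bits per colour) whose product wraps in 32-bit arithmetic, leaving a row buffer far smaller than the data later written into it. The following added example is written for this summary and assumes that shape; it is not xpdf's code, and the caps, parameter names and helper functions are choices for the illustration. It shows the wrapping arithmetic next to a checked version that validates each factor and bounds the product in 64-bit arithmetic before it becomes an allocation size.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Limits are choices for this illustration, not values from xpdf or
   the PDF specification. */
#define MAX_COLORS     4u
#define MAX_ROW_BYTES  (64u * 1024u * 1024u)

/* Unchecked row size: three stream-supplied factors multiplied in 32-bit
   arithmetic. When the product wraps, the row buffer allocated from it
   is tiny and every subsequent row written into it runs off the end. */
unsigned int row_bytes_unchecked(unsigned int columns, unsigned int colors,
                                 unsigned int bits)
{
    return (colors * bits * columns + 7) >> 3;
}

/* Checked row size: validate each factor, then bound the product in 64-bit
   arithmetic before it is used as an allocation size. Returns 0 on
   rejection; a valid row is never 0 bytes because every factor is >= 1. */
unsigned int row_bytes_checked(unsigned int columns, unsigned int colors,
                               unsigned int bits)
{
    if (columns == 0 || colors == 0 || colors > MAX_COLORS)
        return 0;
    if (bits != 1 && bits != 2 && bits != 4 && bits != 8 && bits != 16)
        return 0;
    uint64_t row_bits  = (uint64_t)columns * colors * bits;
    uint64_t row_bytes = (row_bits + 7) / 8;
    if (row_bytes > MAX_ROW_BYTES)
        return 0;
    return (unsigned int)row_bytes;
}

/* Allocate a row buffer only from a checked size; returns 1 on success
   (the buffer is released again), 0 when the parameters were rejected.
   Models the constructor deciding whether to accept the stream at all. */
int row_alloc_ok(unsigned int columns, unsigned int colors, unsigned int bits)
{
    unsigned int n = row_bytes_checked(columns, colors, bits);
    if (n == 0) return 0;
    unsigned char *row = calloc(n, 1);
    if (!row) return 0;
    free(row);
    return 1;
}

int main(void)
{
    /* Constructed parameters: a sane 8-bit RGB row, then a set chosen so
       that 4 * 16 * 0x04000000 wraps to exactly 0 in 32 bits. */
    printf("ok  : unchecked=%u checked=%u\n",
           row_bytes_unchecked(100, 3, 8), row_bytes_checked(100, 3, 8));
    printf("wrap: unchecked=%u checked=%u\n",
           row_bytes_unchecked(0x04000000u, 4, 16),
           row_bytes_checked(0x04000000u, 4, 16));
    return 0;
}
```

The wrapped case is the one to look for in a review: a 32-bit product of three attacker-controlled values that is fed straight to malloc or new, with the real amount of data later copied being computed separately (or not at all).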