[gull-annonces] Resume SecurityFocus #400-403

Marc SCHAEFER schaefer at alphanet.ch
Wed Jun 20 15:21:24 CEST 2007


3COM SWITCHES BACKDOOR VULNERABILITY
BugTraq ID: 88
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/88
Summary:
  There exists an undocumented access level in current (and possibly
  previous) versions of 3Com's "intelligent" and "extended" switching
  software for LanPlex/Corebuilder switches. In addition to the
  "admin", "read", and "write" accounts, there is a "debug" account
  with a password of "synnet" on shipped images (including those
  available for download from infodeli.3com.com). The versions of
  firmware this was tested under include 7.0.1 and 8.1.1.

  The debug account has all the privileges of the admin account plus
  some debugging commands not available to any other ID. It can
  change all the other access passwords without knowing the old
  password. In addition, it can get to the "underlying OS shell".

  If you allow "remote administration" (telnet access), an attacker
  can obtain full control of your switches.

  Yes: LanPlex/Corebuilder 2500s (SW 7.x and 8.x) Corebuilder 3500
  (ver 1.0.0) 3Com LANplex 2500 (rev 7.15) with Version 7.0.1-19 -
  Built 01/17/97 02:41:17 PM LinkSwitch

  No: Superstack II LinkSwitch FMS-II Superstack Hub P/N 3c16630a

[ firmware ]

APOP PROTOCOL INSECURE MD5 HASH WEAKNESS
BugTraq ID: 23257
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23257
Summary:
  Applications that implement the APOP protocol may be vulnerable to a
  password-hash weakness. This issue occurs because the MD5 hash
  algorithm fails to properly prevent collisions.

  Attackers may exploit this issue in man-in-the-middle attacks to
  potentially gain access to the first three characters of passwords.
  This will increase the likelihood of successful brute-force attacks
  against APOP authentication.

  To limit the possibility of successful exploits, applications that
  implement the APOP protocol should set up safeguards to ensure that
  message IDs are RFC-compliant.

  Mozilla Thunderbird, Evolution, mutt, and fetchmail are reportedly
  affected by this issue.

AMAROK MAGNATUNE SHELL COMMAND INJECTION VULNERABILITY
BugTraq ID: 22568
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22568
Summary:
  Amarok Magnatune is prone to a shell command-injection
  vulnerability.

  Commands executed through this vulnerability could permit an
  attacker to gain access to a vulnerable system.

APACHE HTTP SERVER MULTIPLE VULNERABILITIES
BugTraq ID: 8226
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/8226
Summary:
  Apache is prone to multiple vulnerabilities, including denial-of-
  service issues, file-descriptor leakage, and logging failures.

  Apache HTTP Server 1.3.28 has been released in response to
  these issues.

APACHE HTTP SERVER TOMCAT DIRECTORY TRAVERSAL VULNERABILITY
BugTraq ID: 22960
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22960
Summary:
  Apache HTTP servers running with the Tomcat servlet container are
  prone to a directory-traversal vulnerability because they fail to
  sufficiently sanitize user-supplied input data.

  Exploiting this issue allows attackers to access arbitrary files in
  the Tomcat webroot. This can expose sensitive information that could
  help the attacker launch further attacks.

  Versions in the 5.0 series prior to 5.5.22 and in the 6.0 series
  prior to 6.0.10 are vulnerable.

APACHE HTTP SERVER WORKER PROCESS MULTIPLE DENIAL OF SERVICE
VULNERABILITIES
BugTraq ID: 24215
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24215
Summary:
  Apache is prone to multiple denial-of-service vulnerabilities.

  An attacker with the ability to execute arbitrary server-side script
  code can exploit these issues to stop arbitrary services on the
  affected computer in the context of the master webserver process;
  other attacks may also be possible.

APACHE TOMCAT INFORMATION DISCLOSURE VULNERABILITY
BugTraq ID: 19106
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19106
Summary:
  Apache Tomcat is prone to an information-disclosure vulnerability
  because it fails to properly sanitize user-supplied input.

  An attacker can exploit this issue to reveal a complete directory
  listing from any directory. Information obtained may aid in further
  attacks. Reports indicate that this issue may also allow attackers
  to obtain the source code of script files.

  Apache Tomcat 5.028, 5.5.23, 5.5.9, and 5.5.7 are vulnerable to this
  issue; other versions may also be affected.

  Novell GroupWise Mobile Server 1.0 or other versions bundled with
  Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2 ship
  with an affected version of Tomcat and are vulnerable as well.

APACHE TOMCAT JK CONNECTOR DOUBLE ENCODING SECURITY BYPASS
VULNERABILITY
BugTraq ID: 24147
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24147
Summary:
  Apache HTTP server running with the Tomcat JK Web Server Connector
  is prone to a security-bypass vulnerability because it decodes
  request URLs multiple times.

  Exploiting this issue allows attackers to access restricted files in
  the Tomcat web directory. This can expose sensitive information that
  could help attackers launch further attacks.

  This issue is present in versions of Apache Tomcat JK Connector
  prior to 1.2.23.

APACHE TOMCAT MOD_JK.SO ARBITRARY CODE EXECUTION VULNERABILITY
BugTraq ID: 22791
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22791
Summary:
  Apache Tomcat is prone to a vulnerability that will allow remote
  attackers to execute arbitrary code on an affected computer. A
  successful attack may result in a complete compromise.

BLENDER KMZ/KML REMOTE COMMAND EXECUTION VULNERABILITY
BugTraq ID: 22770
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22770
Summary:
  Blender is prone to a remote command-execution vulnerability.

  An attacker could exploit this issue by enticing an unsuspecting
  victim to open a malicious file. A successful exploit will allow
  arbitrary Python commands to run within the privileges of the
  currently logged-in user.

BLUEZ HIDD BLUETOOTH HID COMMAND INJECTION VULNERABILITY
BugTraq ID: 22076
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22076
Summary:
  BlueZ hidd is prone to a device-command-injection vulnerability.

  A remote attacker can exploit this issue to gain control of mouse
  and keyboard HIDs (human interface devices). This will allow the
  attacker to interact with the targeted computer in the context of
  the currently logged-in user.

  Versions prior to 2.25 are vulnerable.

CPIO FILE SIZE STACK BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 16057
Last Updated: 2007-05-08
Remote: No
Relevant URL: http://www.securityfocus.com/bid/16057
Summary:
  The cpio utility is prone to a stack buffer-overflow vulnerability.

  This issue presents itself when cpio tries to create an archive
  containing files with extremely large sizes, potentially resulting
  in a memory buffer being overrun.

  Note that this vulnerability presents itself only on 64-bit
  platforms. Presumably, on 32-bit platforms using 64-bit filesystems,
  this may be exploited to crash cpio.

CAMPSITE G_DOCUMENTROOT PARAMETER MULTIPLE REMOTE FILE INCLUDE
VULNERABILITIES
BugTraq ID: 23874
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23874
Summary:
  Campsite is prone to multiple remote file-include vulnerabilities.

  Exploiting this issue allows remote attackers to execute code in the
  context of the webserver.

  This issue affects Campsite 2.6.1. Earlier versions may also
  be affected.

CISCO CALLMANAGER SEARCH FORM CROSS SITE SCRIPTING VULNERABILITY
BugTraq ID: 24119
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24119
Summary:
  Cisco CallManager is prone to a cross-site scripting vulnerability
  because the application fails to sufficiently sanitize user-
  supplied input.

  This vulnerability potentially allows an attacker to perform cross-
  site scripting attacks on unsuspecting users in the context of the
  affected website. As a result, the attacker may be able to steal cookie-
  based authentication credentials and to launch other attacks.

  Version 4.1.1 is reported vulnerable; other versions may also
  be affected.

[ firmware ]

CISCO IOS FTP SERVER MULTIPLE VULNERABILITIES
BugTraq ID: 23885
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23885
Summary:
  Cisco IOS FTP Server is prone to multiple vulnerabilities including
  a denial-of-service issue and an authentication-bypass issue.

  Attackers can exploit these issues to deny service to legitimate
  users, gain unauthorized access to an affected device, or execute
  arbitrary code.

  Only IOS devices that have the FTP Server feature enabled are
  vulnerable; this feature is disabled by default.

[ firmware ]

CISCO IOS SSL PACKETS MULTIPLE DENIAL OF SERVICE VULNERABILITIES
BugTraq ID: 24097
Last Updated: 2007-05-22
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24097
Summary:
  Cisco IOS is prone to multiple denial-of-service vulnerabilities
  because it fails to handle malformed SSL packets.

  Attackers can exploit these issues to cause denial-of-service
  conditions on an affected device.

  NOTE: Attackers can exploit these issues only via an established TCP
        connection, but only prior to security authentication. An
        attacker can, however, interrupt a secure session and inject
        malicious packets when a new session is started. Due to these
        factors, the likelihood of successful attacks is reduced.

[ firmware ]

CLAM ANTIVIRUS CLAMAV MULTIPLE REMOTE VULNERABILITIES
BugTraq ID: 23473
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23473
Summary:
  ClamAV is prone to a file-descriptor leakage vulnerability and a buffer-
  overflow vulnerability.

  A successful attack may allow an attacker to obtain sensitive
  information, cause denial-of-service conditions, and execute
  arbitrary code in the context of the user running the affected
  application.

  ClamAV versions prior to 0.90.2 are vulnerable to these issues.

CLAM ANTIVIRUS CLAMAV PDF HANDLING REMOTE DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 23656
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23656
Summary:
  ClamAV is prone to a denial-of-service vulnerability.

  A successful attack may allow an attacker to cause denial-of-service
  conditions.

CLAMAV CAB FILE REMOTE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22580
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22580
Summary:
  ClamAV is prone to a denial-of-service vulnerability.

  An attacker can exploit this vulnerability to prevent the software
  from scanning certain types of data. When it encounters the data,
  the application will reject it. This can result in denial-of-service
  conditions.

  Versions prior to 0.90 stable are vulnerable.

CLAMAV MIME HEADER ID PARAMETER STRING DIRECTORY TRAVERSAL
VULNERABILITY
BugTraq ID: 22581
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22581
Summary:
  ClamAV is prone to a directory-traversal vulnerability because it
  fails to properly sanitize user-supplied input.

  An attacker can exploit this vulnerability to create or overwrite
  arbitrary files on vulnerable computers in the context of the
  affected application. This may aid in further attacks.

  This issue affects ClamAV versions prior to the 0.90 stable release.

ELINKS RELATIVE PATH ARBITRARY CODE EXECUTION VULNERABILITY
BugTraq ID: 23844
Last Updated: 2007-05-15
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23844
Summary:
  ELinks is prone to an arbitrary code-execution vulnerability.

  An attacker can exploit this issue to potentially execute arbitrary
  code with the privileges of the user running the affected
  application.

  This issue requires an attacker to trick an unsuspecting victim into
  running the vulnerable application in an attacker-controlled
  directory.

  This issue affects ELinks 0.11.1; other versions may also be
  vulnerable.

EXIM SPAMASSASSIN REPLY REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23977
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23977
Summary:
  Exim is prone to a remote buffer-overflow vulnerability when used in
  conjunction with remote SpamAssassin servers. This issue occurs
  because the application fails to properly bounds-check user-supplied
  input prior to copying it to an insufficiently sized memory buffer.

  Successfully exploiting this issue allows remote attackers to
  execute arbitrary machine code in the context of the affected
  application. Failed exploit attempts may result in denial-of-service
  conditions.

  Exim 4.66 is vulnerable to this issue; other versions may also
  be affected.

FILE MULTIPLE DENIAL OF SERVICE VULNERABILITIES
BugTraq ID: 24146
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24146
Summary:
  The 'file' utility is prone to multiple denial-of-service
  vulnerabilities because it fails to handle exceptional conditions.

  An attacker could exploit this issue by enticing a victim to open a
  specially crafted file. A denial-of-service condition can occur.
  Arbitrary code execution may be possible, but Symantec has not
  confirmed this.

FILE(1) COMMAND FILE_PRINTF INTEGER UNDERFLOW VULNERABILITY
BugTraq ID: 23021
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23021
Summary:
  The file(1) command is prone to an integer-underflow vulnerability
  because the command fails to adequately handle user-supplied data.

  An attacker can leverage this issue to corrupt heap memory and
  execute arbitrary code with the privileges of a user running the
  command. A successful attack may result in the compromise of
  affected computers. Failed attempts will likely cause denial-of-
  service conditions.

  Versions prior to 4.20 are vulnerable.

FREETYPE TT_LOAD_SIMPLE_GLYPH() TTF FILE INTEGER OVERFLOW
VULNERABILITY
BugTraq ID: 24074
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24074
Summary:
  FreeType is prone to an integer-overflow vulnerability because it
  fails to properly validate TTF files.

  An attacker may exploit this issue by enticing victims into opening
  maliciously crafted TTF files.

  Successful exploits will allow attackers to execute arbitrary code
  in the context of applications that use the affected library.
  Failed exploit attempts will likely result in denial-of-service
  conditions.

  This issue affects FreeType 2.3.4 and prior versions.

GIMP RAS FILE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23680
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23680
Summary:
  GIMP is prone to a buffer-overflow vulnerability because it fails to
  properly bounds-check user-supplied input data before copying it to
  an insufficiently sized memory buffer.

  Successful exploits of this vulnerability allow remote attackers to
  execute arbitrary machine code in the context of the affected
  application.

  GIMP 2.2.14 is vulnerable to this issue; other versions may also
  be affected.

GNUEDU MULTIPLE REMOTE FILE INCLUDE VULNERABILITIES
BugTraq ID: 23883
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23883
Summary:
  GNU Edu is prone to multiple remote file-include vulnerabilities
  because it fails to sufficiently sanitize user-supplied data.

  Exploiting these issues may allow an attacker to compromise
  the application and the underlying system; other attacks are
  also possible.

  These issues affect GNU Edu 1.3b2; other versions may also be
  affected.

GNUPG SIGNED MESSAGE ARBITRARY CONTENT INJECTION WEAKNESS
BugTraq ID: 22757
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22757
Summary:
  GnuPG is prone to a weakness that may allow an attacker to add
  arbitrary content into a message without the end user knowing.

  An attacker may be able to exploit this issue in applications
  using GnuPG to add arbitrary content into a signed and/or
  encrypted message.

  Exploiting this issue depends on the individual application's use of
  GnuPG. Individual records will be created detailing this issue in
  affected applications.

HP PROCURVE 9300M SWITCHES UNSPECIFIED DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23791
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23791
Summary:
  HP ProCurve 9300m Switches are prone to an unspecified remote denial-of-
  service vulnerability. This issue most likely occurs because the
  device fails to properly sanitize user-supplied input.

  An attacker can exploit this issue to crash an affected device,
  effectively denying service to legitimate users.

  This issue affects HP ProCurve 9300m Switches running software
  versions 08.0.01c to 08.0.01j.

[ firmware ]

HP SERVICEGUARD FOR LINUX UNSPECIFIED REMOTE UNAUTHORIZED ACCESS
VULNERABILITY
BugTraq ID: 22574
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22574
Summary:
  HP Serviceguard for Linux is prone to an unauthorized-access
  vulnerability.

  An attacker can exploit this issue to gain remote unauthorized
  access to affected computers.

[ licence?? ]

IFDATE ADMINISTRATIVE AUTHENTICATION BYPASS VULNERABILITY
BugTraq ID: 23971
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23971
Summary:
  iFdate is prone to a vulnerability that will let attackers trivially
  gain administrative access to the application.

  This issue stems from insufficient access validation.

  iFdate 2.0 and later versions are vulnerable.

IPV6 PROTOCOL TYPE 0 ROUTE HEADER DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23615
Last Updated: 2007-05-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23615
Summary:
  IPv6 protocol implementations are prone to a denial-of-service
  vulnerability due to a design error.

  Exploiting this issue allows attackers to cause denial-of-service
  conditions.

  This issue is related to the issue discussed in BID 22210 (Cisco IOS
  IPv6 Source Routing Remote Memory Corruption Vulnerability).

ISC BIND QUERY_ADDSOA DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23738
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23738
Summary:
  ISC BIND is prone to a denial-of-service vulnerability because it
  fails to handle certain sequences of malicious queries.

  NOTE: Only applications configured with the 'recursion'
        directive/attribute enabled are vulnerable to this issue.

  An attacker can exploit this issue to cause the application to exit,
  denying service to legitimate users.

  ISC BIND 9.40, 9.5.0a1, 9.5.0a2, and 9.5.0a3 are vulnerable.

ISC BIND REMOTE DNSSEC VALIDATION DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22231
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22231
Summary:
  ISC BIND is prone to a remote denial-of-service vulnerability
  because the application fails to properly handle malformed DNSSEC
  validation requests.

  Successfully exploiting this issue allows remote attackers to crash
  affected DNS servers, denying further service to legitimate users.

IMAGEMAGICK XGETPIXEL/XINITIMAGE MULTIPLE INTEGER OVERFLOW
VULNERABILITIES
BugTraq ID: 23300
Last Updated: 2007-05-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23300
Summary:
  ImageMagick is prone to multiple integer-overflow vulnerabilities
  because it fails to properly validate user-supplied data.

  An attacker can exploit these issues to execute arbitrary code in
  the context of the application. Failed exploit attempts will likely
  cause denial-of-service conditions.

IRFANVIEW .IFF FORMAT HANDLING REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23692
Last Updated: 2007-05-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23692
Summary:
  IrfanView is prone to a remote buffer-overflow vulnerability because
  the software fails to properly bounds-check user-supplied input
  before copying it to an insufficiently sized memory buffer.

  Successful exploits allow remote attackers to execute arbitrary
  machine code in the context of the vulnerable application. Failed
  exploit attempts likely result in denial-of-service conditions.

  IrfanView 4.00 is vulnerable; other versions may also be affected.

LIBEVENT DNS PARSING DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22606
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22606
Summary:
  Libevent is prone to a denial-of-service vulnerability.

  A remote attacker may exploit this issue to cause the application to
  crash, denying further service to legitimate users.

  Versions 1.2 to 1.2a are vulnerable to this issue.

LINKSNET NEWSFEED REMOTE FILE INCLUDE VULNERABILITY
BugTraq ID: 23982
Last Updated: 2007-05-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23982
Summary:
  Linksnet Newsfeed is prone to a remote file-include vulnerability
  because it fails to sufficiently sanitize user-supplied data.

  Exploiting this issue may allow an attacker to compromise the
  application and the underlying system; other attacks are also
  possible.

  Linksnet Newsfeed 1.0 is vulnerable; other versions may also
  be affected.

LINUX KERNEL BINFMT_ELF PT_INTERP LOCAL INFORMATION DISCLOSURE
VULNERABILITY
BugTraq ID: 22903
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22903
Summary:
  The Linux kernel is prone to a vulnerability in the Linux ELF binary
  loader. Exploiting this issue can allow local attackers to gain
  access to privileged information.

  An attacker may be able to obtain sensitive data that can
  potentially be used to gain elevated privileges.

  This issue is a variant of the vulnerability assigned CVE candidate
  ID CAN-2004-1073, which is documented in BID 11646.

  Linux Kernel versions in the 2.6.0 branch prior to 2.6.20 are
  vulnerable; versions in the 2.4.0 branch may also be affected.

LINUX KERNEL IBMTR.C REMOTE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 21490
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/21490
Summary:
  The Linux kernel is prone to a remote denial-of-service
  vulnerability.

  This vulnerability resides in the
  'drivers/net/tokenring/ibmtr.c' file.

  Exploiting this vulnerability can allow remote attackers to crash
  the affected kernel, resulting in denial-of-service conditions.
  Attackers may also be able to execute arbitrary code, but this has
  not been confirmed.

  Kernel versions from 2.6.0 up to and including 2.6.19 are vulnerable
  to this issue.

LINUX KERNEL IPV6_GETSOCKOPT_STICKY MEMORY LEAK INFORMATION DISCLOSURE
VULNERABILITY
BugTraq ID: 22904
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22904
Summary:
  Linux Kernel is prone to an information-disclosure vulnerability
  because it fails to handle unexpected user-supplied input.

  Successful exploits will allow attackers to obtain portions of
  kernel memory. Information harvested may be used in further attacks.

  Kernel versions 2.6.0 up to 2.6.20.1 are vulnerable to this issue.

LINUX KERNEL IPV6_SOCKGLUE.C NULL POINTER DEREFERENCE VULNERABILITY
BugTraq ID: 23142
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23142
Summary:
  The Linux kernel is prone to a NULL-pointer dereference
  vulnerability.

  A local attacker can exploit this issue to crash the affected
  application, denying service to legitimate users. The attacker may
  also be able to execute arbitrary code with elevated privileges, but
  this has not been confirmed.

LINUX KERNEL IPV6 TCP SOCKETS LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23104
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23104
Summary:
  The Linux kernel is prone to a denial-of-service vulnerability.

  Exploiting this issue allows local attackers to cause the kernel to
  crash, effectively denying service to legitimate users. Attackers
  may also be able to execute arbitrary code with elevated privileges,
  but this has not been confirmed.

  This issue affects the Linux kernel 2.6 series.

LINUX KERNEL KEY_ALLOC_SERIAL() LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22539
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22539
Summary:
  The Linux Kernel is prone to a denial-of-service vulnerability.

  A successful attack can allow local attackers to trigger a crash and
  deny service to legitimate users.

  Kernel versions 2.6.x are vulnerable.

LINUX KERNEL NETLINK_FIB_LOOKUP LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23677
Last Updated: 2007-05-14
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23677
Summary:
  The Linux kernel is prone to a denial-of-service vulnerability. This
  issue presents itself when a NETLINK message is misrouted.

  A local attacker may exploit this issue to trigger an infinite-
  recursion stack-based overflow in the kernel. This results in a
  denial of service to legitimate users.

  Versions prior to 2.6.20.8 are vulnerable.

LINUX KERNEL NFSACL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22625
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22625
Summary:
  The Linux kernel is prone to a local denial-of-service
  vulnerability.

  An attacker can exploit this issue to crash the affected computer,
  denying service to legitimate users.

  This issue affects the Linux kernel 2.6 series up to 2.6.20.

LINUX KERNEL NETFILTER NFNETLINK_LOG MULTIPLE NULL POINTER DEREFERENCE
VULNERABILITIES
BugTraq ID: 22946
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22946
Summary:
  The Linux kernel is prone to multiple NULL-pointer dereference
  vulnerabilities.

  A local attacker can exploit these issues to crash the affected
  kernel, denying service to legitimate users.

LINUX KERNEL NETFILTER NF_CONNTRACK IPV6 PACKET REASSEMBLY RULE BYPASS
VULNERABILITY
BugTraq ID: 23976
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23976
Summary:
  The Linux kernel is prone to a vulnerability that lets attackers
  bypass firewall rules. This issue occurs because the Linux
  'netfilter' code fails to properly classify network packets.

  Successfully exploiting this issue allows attackers to bypass
  firewall rules, potentially aiding them in further network-
  based attacks.

  Linux kernel versions in the 2.6 series prior to 2.6.20.3 are
  vulnerable to this issue.

LINUX KERNEL OMNIKEY CARDMAN 4040 DRIVER LOCAL BUFFER OVERFLOW
VULNERABILITY
BugTraq ID: 22870
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22870
Summary:
  The Linux kernel is prone to a local buffer-overflow vulnerability
  because it fails to properly bounds-check user-supplied input before
  using it in a memory copy operation.

  This issue allows local attackers to overwrite kernel memory with
  arbitrary data, potentially allowing them to execute malicious
  machine code in the context of affected kernels. Exploiting this
  vulnerability facilitates the complete compromise of affected
  computers.

  Linux kernel versions prior to 2.6.21-rc3 are affected by this
  issue.

LINUX KERNEL PPPOE SOCKET LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23870
Last Updated: 2007-05-08
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23870
Summary:
  The Linux kernel is prone to a denial-of-service vulnerability.

  Exploiting this issue allows local attackers to exhaust memory
  resources and eventually cause the kernel to crash, effectively
  denying service to legitimate users.

  This issue affects the Linux kernel 2.6 series prior to 2.6.21-git8.

MIT KERBEROS 5 KADMIND SERVER STACK BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23285
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23285
Summary:
  Kerberos 5 kadmind (Kerberos Administration Daemon) server is prone
  to a stack-based buffer-overflow vulnerability because the software
  fails to adequately bounds-check user-supplied data before copying
  it to an insufficiently sized buffer.

  An attacker can exploit this issue to execute arbitrary code with
  administrative privileges. A successful attack can result in the
  complete compromise of the application. Failed attempts will likely
  result in denial-of-service conditions.

  All kadmind servers run on the master Kerberos server. Since the
  master server holds the KDC principal and policy database, an attack
  may not only compromise the affected computer, but could also
  compromise multiple hosts that use the server for authentication.

  Kerberos 5 kadmind 1.6 and prior versions are vulnerable.

MIT KERBEROS ADMINISTRATION DAEMON KADMIND DOUBLE FREE MEMORY
CORRUPTION VULNERABILITIES
BugTraq ID: 23282
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23282
Summary:
  MIT Kerberos 5 is prone to a double-free memory-corruption
  vulnerability.

  An attacker can exploit this issue to execute arbitrary code with
  superuser or SYSTEM-level privileges, completely compromising
  affected computers. Failed exploit attempts will likely result in
  denial-of-service conditions.

  This issue also affects third-party applications using the
  affected API.

MPLAYER DMO FILE PARSING BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 22771
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22771
Summary:
  MPlayer is prone to a buffer-overflow vulnerability when it attempts
  to process malformed video files. This issue occurs because the
  application fails to perform proper bounds-checking on user-supplied
  data before copying it to an insufficiently sized memory buffer.

  An attacker may exploit this issue to execute arbitrary code with
  the privileges of the user that activated the vulnerable
  application. This may facilitate unauthorized access or privilege
  escalation.

  MPlayer 1.0rc1 is vulnerable to this issue; previous versions may
  also be affected.

MADWIFI MULTIPLE DENIAL OF SERVICE VULNERABILITIES
BugTraq ID: 24114
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24114
Summary:
  MadWifi is prone to multiple denial-of-service vulnerabilities.

  Exploiting these issues may permit attackers to cause system crashes
  and deny service to legitimate users.

  Versions of MadWifi prior to 0.9.3.1 are vulnerable.

[ not identified whether this is in the free or the proprietary part
  of the composite driver
]

MOZILLA FIREFOX FTP PASV PORT-SCANNING VULNERABILITY
BugTraq ID: 23082
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23082
Summary:
  Mozilla Firefox is prone to a vulnerability that may allow attackers
  to obtain potentially sensitive information.

  A successful exploit of this issue would cause the affected
  application to connect to arbitrary TCP ports and potentially
  reveal sensitive information about services that are running on the
  affected computer. Information obtained may aid attackers in
  further attacks.

MOZILLA FIREFOX DOCUMENT.COOKIE PATH ARGUMENT DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 22879
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22879
Summary:
  Mozilla Firefox is prone to a remote denial-of-service
  vulnerability.

  An attacker may exploit this vulnerability to cause Mozilla Firefox
  to crash, resulting in denial-of-service conditions.

  Little is known regarding this vulnerability; this BID will be
  updated when more information is disclosed.

  Mozilla Firefox 2.0.0.2 is prone to this issue; other versions may
  also be affected.

  Attackers may be able to bypass cookie domain and path restrictions,
  but this has not been confirmed.

MOZILLA FIREFOX POPUP BLOCKER CROSS ZONE SECURITY BYPASS WEAKNESS
BugTraq ID: 22396
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22396
Summary:
  Mozilla Firefox is prone to a cross-zone security-bypass weakness.
  This issue allows attackers to open 'file://' URIs from remote
  websites.

  By exploiting this issue in conjunction with other weaknesses or
  vulnerabilities, attackers may be able to execute arbitrary script
  code with the elevated privileges that are granted to scripts when
  they are executed from local sources.

  Mozilla Firefox 1.5.0.9 is affected by this issue; other versions
  may be affected as well.

MOZILLA FIREFOX RESOURCE DIRECTORY TRAVERSAL VULNERABILITY
BugTraq ID: 24191
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24191
Summary:
  Mozilla Firefox is prone to a directory-traversal vulnerability
  because it fails to adequately sanitize user-supplied data.

  An attacker can exploit this issue to access arbitrary files on an
  unsuspecting user's computer. Successful exploits can expose
  potentially sensitive information that could aid in further attacks.

  Firefox 2.0.0.3 and prior versions are vulnerable.

MOZILLA PRODUCTS MULTIPLE REMOTE VULNERABILITIES
BugTraq ID: 24242
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24242
Summary:
  The Mozilla Foundation has released six security advisories
  specifying vulnerabilities in Firefox, SeaMonkey, and Thunderbird.

  These vulnerabilities allow attackers to:

  - Execute arbitrary code
  - Cause denial-of-service conditions
  - Perform cross-site scripting attacks
  - Obtain potentially sensitive information
  - Spoof legitimate content

  Other attacks may also be possible.

MOZILLA THUNDERBIRD/SEAMONKEY/FIREFOX MULTIPLE REMOTE VULNERABILITIES
BugTraq ID: 22694
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22694
Summary:
  The Mozilla Foundation has released six security advisories
  specifying vulnerabilities in Firefox, SeaMonkey, and Thunderbird.

  These vulnerabilities allow attackers to:

  - Execute arbitrary code
  - Cause denial-of-service conditions
  - Perform cross-site scripting attacks
  - Obtain potentially sensitive information
  - Spoof legitimate content

  Other attacks may also be possible.

MULTIPLE PRODUCTS FULL/HALF WIDTH UNICODE DETECTION EVASION
VULNERABILITY
BugTraq ID: 23980
Last Updated: 2007-05-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23980
Summary:
  Multiple products are reportedly prone to a vulnerability that may
  allow malicious HTTP traffic to bypass detection.

  Attackers may send this type of HTTP data to evade detection and
  perform further attacks.

  Cisco has stated that all IOS releases that support the Firewall/IPS
  feature set are affected. Although we currently have no definitive
  list of such versions, Symantec is investigating the matter and will
  update this BID's list of vulnerable systems appropriately.

[ welcome to the wonderful world of UNICODE ]
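An added example (not from any of the affected products): signature matching with and without NFKC normalisation, which folds full-width Latin letters and half-width Katakana to their compatibility equivalents before the comparison; the signatures and inputs are constructed.

```python
"""Signature matching that survives full-width and half-width Unicode forms.

A filter that compares decoded request text against an ASCII signature
misses the same text written with full-width Latin characters
(U+FF01..U+FF5E), which many back ends fold back to ASCII before use.
NFKC normalisation maps full-width forms (and half-width Katakana) to
their compatibility equivalents, so the inspection should run on the
normalised text, not the raw one.
"""
import unicodedata
from typing import List, Tuple

# Constructed, illustrative ASCII signatures; a real ruleset is longer.
SIGNATURES = ("<script>", "../")


def naive_match(text: str) -> List[str]:
    """ASCII-only, case-insensitive matching: full-width forms slip through."""
    low = text.lower()
    return [s for s in SIGNATURES if s in low]


def normalised_match(text: str) -> List[str]:
    """Same matching after NFKC normalisation and Unicode case folding."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return [s for s in SIGNATURES if s in folded]


def folded_codepoints(text: str) -> List[Tuple[str, str]]:
    """(original, normalised) pairs for every character NFKC changed.

    Handy in an alert: it shows which code points were used to disguise
    the matched text.
    """
    out = []
    for ch in text:
        norm = unicodedata.normalize("NFKC", ch)
        if norm != ch:
            out.append((ch, norm))
    return out


# Constructed inputs (not captured traffic). The second spells the same
# tag with full-width characters; the third is half-width Katakana.
ASCII_INPUT = "/search?q=<script>"
FULLWIDTH_INPUT = "/search?q=＜ｓｃｒｉｐｔ＞"
HALFWIDTH_KANA = "ｶﾀｶﾅ"

if __name__ == "__main__":
    for label, text in (("ascii", ASCII_INPUT), ("fullwidth", FULLWIDTH_INPUT)):
        print(label, "naive:", naive_match(text), "normalised:", normalised_match(text))
    print("folded:", folded_codepoints(FULLWIDTH_INPUT))
    print("kana:", unicodedata.normalize("NFKC", HALFWIDTH_KANA))
```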

MULTIPLE VENDOR C LIBRARY REALPATH() OFF-BY-ONE BUFFER OVERFLOW
VULNERABILITY
BugTraq ID: 8315
Last Updated: 2007-05-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/8315
Summary:
  The 'realpath()' function is a C-library procedure to resolve the
  canonical, absolute pathname of a file based on a path that may
  contain values such as '/', './', '../', or symbolic links. A
  vulnerability that was reported to affect the implementation of
  'realpath()' in WU-FTPD has led to the discovery that at least one
  implementation of the C library is also vulnerable. FreeBSD has
  announced that the off-by-one stack-buffer-overflow vulnerability
  is present in their libc. Other systems are also likely vulnerable.

  Reportedly, this vulnerability has been successfully exploited
  against WU-FTPD to execute arbitrary instructions.

  NOTE: Patching the C library alone may not remove all instances of
        this vulnerability. Statically linked programs may need to be
        rebuilt with a patched version of the C library. Also, some
        applications may implement their own version of 'realpath()'.
        These applications would require their own patches. FreeBSD
        has published a large list of applications that use
        'realpath()'. Administrators of FreeBSD and other systems are
        urged to review it. For more information, see the advisory
        'FreeBSD-SA-03:08.realpath'.

MULTIPLE VENDOR MULTIPLE HTTP REQUEST SMUGGLING VULNERABILITIES
BugTraq ID: 13873
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/13873
Summary:
  Multiple vendors are prone to HTTP-request-smuggling issues.
  Attackers can piggyback an HTTP request inside of another HTTP
  request. By leveraging failures to implement the HTTP/1.1 RFC
  properly, attackers can launch cache-poisoning, cross-site
  scripting, session-hijacking, and other attacks.
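As an added example (not from the advisory or from any vendor's code), a defensive checker that applies the RFC 7230 framing rules a gateway should enforce so that ambiguous requests are rejected before two hops can disagree on where a body ends; the request heads are constructed samples.

```python
"""Defensive check for ambiguous HTTP/1.1 request framing.

Request smuggling relies on two hops (proxy, cache, origin) disagreeing
on where a request body ends. RFC 7230 removes the ambiguity: a message
carrying both Transfer-Encoding and Content-Length is an error, duplicate
Content-Length values must agree, and header names carry no whitespace.
The functions below apply those rules to a raw request head so a gateway
can reject such requests up front instead of guessing.
"""
from typing import List, Tuple


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request head into the request line and (name, value) pairs.

    Header names are kept unstripped so the caller can detect whitespace
    tricks; values are stripped, as RFC 7230 permits.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # lines without a colon are not header fields; skipped here
            headers.append((name, value.strip()))
    return lines[0], headers


def framing_problems(raw: bytes) -> List[str]:
    """Return the reasons this request's framing is ambiguous; [] means clean."""
    _, headers = parse_head(raw)
    problems: List[str] = []
    lowered = [(n.strip().lower(), v) for n, v in headers]
    cl_values = [v for n, v in lowered if n == "content-length"]
    te_values = [v for n, v in lowered if n == "transfer-encoding"]

    for name, _ in headers:
        if name != name.strip():
            # "Content-Length : 5" is invalid; different parsers treat it
            # differently, which is exactly the disagreement smuggling needs.
            problems.append("whitespace around header name %r" % name)
    if cl_values and te_values:
        problems.append("both Transfer-Encoding and Content-Length present")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values: " + ", ".join(cl_values))
    for v in cl_values:
        if not v.isdigit():
            problems.append("non-numeric Content-Length %r" % v)
    for v in te_values:
        codings = [c.strip().lower() for c in v.split(",")]
        if codings[-1] != "chunked":
            # A request whose TE does not end in "chunked" has no defined
            # body length; RFC 7230 says to reject it.
            problems.append("Transfer-Encoding does not end with chunked: %r" % v)
    return problems


# Constructed sample heads (not captured traffic). Bodies are omitted;
# only the framing headers matter for this check.
CLEAN_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
)
AMBIGUOUS_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)
DUPLICATE_CL_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Content-Length : 44\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("clean", CLEAN_REQUEST), ("ambiguous", AMBIGUOUS_REQUEST),
                       ("duplicate", DUPLICATE_CL_REQUEST)):
        print(label, framing_problems(req) or "ok")
```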

MULTIPLE VENDOR TCP PACKET FRAGMENTATION HANDLING DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 11258
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/11258
Summary:
  Multiple vendor implementations of the TCP stack are reported prone
  to a remote denial-of-service vulnerability.

  The issue is reported to present itself due to inefficiencies
  present when handling fragmented TCP packets.

  The discoverer of this issue has dubbed the attack style the "New
  Dawn attack"; it is a variation of a previously reported attack that
  was named the "Rose Attack".

  A remote attacker may exploit this vulnerability to deny service to
  an affected computer.

  Microsoft Windows 2000/XP, Linux kernel 2.4 tree, and undisclosed
  Cisco systems are reported prone to this vulnerability; other
  products may also be affected.

[ fragments are bad, disable them ]

MULTIPLE VENDOR WEB BROWSER JAVASCRIPT DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 10998
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/10998
Summary:
  Web browsers from multiple different vendors are reported
  susceptible to a denial of service vulnerability.

  The specified JavaScript code will consume 100% of the CPU resources
  of the affected computer. The browser will then reportedly crash.

  Mozilla Firefox, Microsoft Internet Explorer, and Opera are all
  reportedly affected by this vulnerability.

  Update: This BID is being retired as this is not considered a
  security vulnerability.

MYSQL IF QUERY HANDLING REMOTE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23911
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23911
Summary:
  MySQL is prone to a remote denial-of-service vulnerability because
  it fails to handle certain specially crafted queries.

  An attacker can exploit this issue to crash the application, denying
  access to legitimate users.

  NOTE: An attacker must be able to execute arbitrary SELECT
        statements against the database to exploit this issue. This
        may be through legitimate means or by exploiting other latent
        SQL-injection vulnerabilities.

  Versions prior to 5.0.40 are vulnerable.

MYSQL SINGLE ROW SUBSELECT REMOTE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22900
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22900
Summary:
  MySQL is prone to a remote denial-of-service vulnerability because
  it fails to handle certain select statements to database metadata.

  An attacker can exploit this issue to crash the application, denying
  access to legitimate users. The attacker may also be able to execute
  arbitrary code, but this has not yet been confirmed.

  NOTE: An attacker must be able to execute arbitrary SELECT
        statements on the vulnerable computer to exploit this issue.
        This may be through legitimate means or by exploiting other
        latent SQL-injection vulnerabilities.

  Versions prior to 5.0.36 are vulnerable.

NET-SNMP TCP DISCONNECT REMOTE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23762
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23762
Summary:
  Net-SNMP is prone to a remote denial-of-service vulnerability. The
  issue is exposed when Net-SNMP is configured to communicate over
  TCP; Net-SNMP using UDP is unaffected.

  This issue affects Net-SNMP when running in 'master agentx' mode. An
  attacker can exploit this issue to cause the affected service to
  crash, effectively denying service to legitimate users.

NET-SNMP UNSPECIFIED REMOTE STREAM-BASED PROTOCOL DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 14168
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/14168
Summary:
  Net-SNMP is prone to a remote denial-of-service vulnerability. The
  issue is exposed when Net-SNMP is configured to have an open stream-
  based protocol port, such as TCP.

  The exact details describing this issue are not available. This BID
  will be updated when more information emerges.

NETOPIA R9100 ROUTER DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 2287
Last Updated: 2007-05-30
Remote: No
Relevant URL: http://www.securityfocus.com/bid/2287
Summary:
  The Netopia R9100 Router, running firmware version 4.6, is
  vulnerable to a denial of service attack. Subsequent (and current)
  versions of the product are not vulnerable.

  Under very specific circumstances, it is possible to cause the
  affected router to halt. By attempting to make a looped connection
  from the router's IP address back to the same address, the unit
  will crash.

  This prevents user disconnect logging and may assist the attacker in
  carrying out further attacks on the affected host or other systems
  on its network.

[ firmware ]

OPENLD UNSPECIFIED CROSS-SITE SCRIPTING VULNERABILITY
BugTraq ID: 23896
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23896
Summary:
  OpenLD is prone to a cross-site scripting vulnerability because the
  application fails to properly sanitize user-supplied input.

  An attacker may leverage this issue to execute arbitrary script code
  in the browser of an unsuspecting user in the context of the
  affected site. This may help the attacker steal cookie-based
  authentication credentials and launch other attacks.

  Versions prior to 1.1-modified3 are vulnerable.

OPENSSH-PORTABLE PAM AUTHENTICATION REMOTE INFORMATION DISCLOSURE
VULNERABILITY
BugTraq ID: 11781
Last Updated: 2007-05-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/11781
Summary:
  The portable version of OpenSSH is reported prone to an information-
  disclosure vulnerability. The portable version is distributed for
  operating systems other than its native OpenBSD platform.

  This issue is related to BID 7467. Reportedly, the previous fix for
  BID 7467 didn't completely fix the issue. This current issue may
  involve differing code paths in PAM, resulting in a new
  vulnerability, but this has not been confirmed.

  Exploiting this vulnerability allows remote attackers to test for
  the presence of valid usernames. Knowledge of usernames may aid them
  in further attacks.

OPENSSL PKCS PADDING RSA SIGNATURE FORGERY VULNERABILITY
BugTraq ID: 19849
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19849
Summary:
  OpenSSL is prone to a vulnerability that may allow an attacker to
  forge an RSA signature. The attacker may be able to forge a PKCS #1
  v1.5 signature when an RSA key with exponent 3 is used.

  An attacker may exploit this issue to sign digital certificates or
  RSA keys and take advantage of trust relationships that depend on
  these credentials, possibly posing as a trusted party and signing a
  certificate or key.

  All versions of OpenSSL prior to and including 0.9.7j and 0.9.8b are
  affected by this vulnerability. Updates are available.
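An added example, not OpenSSL's code: the padding check a verifier performs after the RSA public-key operation, in the lenient form that stops parsing once it has found the DigestInfo and the strict form that requires the encoding to fill the whole block. SHA-1 and a 128-byte block are assumed, and the RSA step itself is omitted because the defect lies entirely in this check.

```python
"""Strict versus lenient PKCS #1 v1.5 signature-padding checks.

After the RSA public-key operation the verifier holds the encoded message
EM = 0x00 || 0x01 || PS || 0x00 || DigestInfo, where PS is a run of 0xFF
bytes. A lenient verifier parses that structure from the left and ignores
whatever follows DigestInfo; a strict one requires the structure to fill
EM exactly, which is what RFC 3447 section 8.2.2 demands. Only the
strict form is safe when the public exponent is small.
"""
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15_encode(digest: bytes, em_len: int) -> bytes:
    """Build the EM a signer produces for a SHA-1 digest and block length em_len."""
    t = SHA1_DIGESTINFO_PREFIX + digest
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def strict_check(em: bytes, digest: bytes) -> bool:
    """Correct: rebuild the expected EM and compare every byte of it."""
    expected = emsa_pkcs1_v15_encode(digest, len(em))
    return hmac.compare_digest(em, expected)


def lenient_check(em: bytes, digest: bytes) -> bool:
    """Flawed: parse from the left and stop looking after the DigestInfo."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    # Require the 0x00 separator and at least eight bytes of padding.
    if i >= len(em) or em[i] != 0x00 or i < 10:
        return False
    i += 1
    t = SHA1_DIGESTINFO_PREFIX + digest
    return em[i:i + len(t)] == t  # bytes after DigestInfo are never inspected


# Constructed demonstration values: a 1024-bit modulus gives a 128-byte EM.
EM_LEN = 128
DIGEST = hashlib.sha1(b"example message").digest()
GOOD_EM = emsa_pkcs1_v15_encode(DIGEST, EM_LEN)
# Same structure with minimal padding, followed by bytes the lenient parser
# never looks at; a strict verifier must reject this block.
_T = SHA1_DIGESTINFO_PREFIX + DIGEST
MALFORMED_EM = b"\x00\x01" + b"\xff" * 8 + b"\x00" + _T + b"\x00" * (EM_LEN - 11 - len(_T))

if __name__ == "__main__":
    for label, em in (("good", GOOD_EM), ("malformed", MALFORMED_EM)):
        print(label, "strict:", strict_check(em, DIGEST), "lenient:", lenient_check(em, DIGEST))
```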

POPTOP PPTP SERVER GRE PACKET DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23886
Last Updated: 2007-05-22
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23886
Summary:
  PoPToP PPTP Server is prone to a denial-of-service vulnerability
  because it fails to adequately handle certain malformed packet data.

  Attackers can exploit this issue to disconnect arbitrary PPTP
  connections.

  PoPToP PPTP Server 1.3.4 is vulnerable; other versions may also
  be affected.

POSTGRESQL INFORMATION DISCLOSURE AND DENIAL OF SERVICE
VULNERABILITIES
BugTraq ID: 22387
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22387
Summary:
  PostgreSQL is prone to information-disclosure and denial-of-service
  vulnerabilities; fixes are available.

  An attacker can exploit these vulnerabilities to cause the backend
  database to crash and reveal sensitive information. This may lead to
  other attacks.

  These issues affect versions 8.0, 8.1, and 8.2. The second issue
  described also affects version 7.3 and 7.4.

POSTGRESQL SECURITY DEFINER FUNCTION LOCAL PRIVILEGE ESCALATION
VULNERABILITY
BugTraq ID: 23618
Last Updated: 2007-05-08
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23618
Summary:
  PostgreSQL is prone to a local privilege-escalation vulnerability.

  Exploiting this issue allows local attackers to escalate privileges
  in the context of the 'security_definer' function.

  PostgreSQL versions prior to 8.2.4, 8.1.9, 8.0.13, 7.4.17, and
  7.3.19 are vulnerable to this issue.

PYTHON PYLOCALE_STRXFRM FUNCTION REMOTE INFORMATION LEAK VULNERABILITY
BugTraq ID: 23887
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23887
Summary:
  Python applications that use the 'PyLocale_strxfrm' function are
  prone to an information leak.

  Exploiting this issue allows remote attackers to read portions
  of memory.

  Python 2.4.4-2 and 2.5 are confirmed vulnerable to this issue.

RPC PORTMAPPER DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 1892
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/1892
Summary:
  A remote root vulnerability exists in certain versions of rpcbind
  portmapper.

  RPC (Remote Procedure Call) allows a program to request a service
  from a program located in another computer in a network without
  requiring detailed information on the network configuration.

  An attacker capable of forging a pmap_set/pmap_unset UDP packet
  can cause the remote host to register or unregister arbitrary
  RPC programs.

  This can permit an attacker to carry out a denial of service by
  disabling key services on the target host, including mountd, nfsd
  and ypserv.

  Because it allows a malicious local user to register rpc
  programs on the server, depending on the program the attacker
  chooses to register, this vulnerability can allow a compromise
  of root privilege, potentially extending to other systems on the
  local network.

  In addition to the affected platforms listed, other versions have
  yet to be tested, and may be vulnerable as well.

[ you don't need portmapper unless you run NIS or NFS services, 
  apt-get remove portmap
]

SAMBA DEFERRED CIFS FILE OPEN DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22395
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22395
Summary:
  The smbd daemon is prone to a denial-of-service vulnerability.

  An attacker can exploit this issue to consume excessive memory
  resources, ultimately crashing the affected application.

  This issue affects Samba versions 3.0.6 through 3.0.23d, inclusive.

SAMBA MS-RPC REMOTE SHELL COMMAND EXECUTION VULNERABILITY
BugTraq ID: 23972
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23972
Summary:
  Samba is prone to a vulnerability that allows attackers to execute
  arbitrary shell commands because the software fails to sanitize user-
  supplied input.

  An attacker may leverage this issue to execute arbitrary shell
  commands on an affected computer with the privileges of the
  application.

  This issue affects Samba 3.0.0 to 3.0.25rc3.

SAMBA NDR RPC REQUEST MULTIPLE HEAP-BASED BUFFER OVERFLOW
VULNERABILITIES
BugTraq ID: 23973
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23973
Summary:
  Samba is prone to multiple remote heap-based buffer-overflow
  vulnerabilities because it fails to properly bounds-check user-
  supplied data before copying it to an insufficiently sized
  memory buffer.

  An attacker can exploit these issues to execute arbitrary code with
  superuser privileges, facilitating the complete remote compromise of
  affected computers. Failed exploit attempts will result in a denial
  of service.

  These issues affect Samba 3.0.25rc3 and prior versions.

SAMBA SID NAMES LOCAL PRIVILEGE ESCALATION VULNERABILITY
BugTraq ID: 23974
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23974
Summary:
  Samba is prone to a local privilege-escalation vulnerability due to
  a logic error in the 'smbd' daemon's internal security stack.

  An attacker can exploit this issue to temporarily perform SMB/CIFS
  operations with superuser privileges. The attacker may leverage this
  issue to gain superuser access to the server.

  Samba 3.0.23d through 3.0.25pre2 are vulnerable.

SAMBA SERVER VFS PLUGIN AFSACL.SO REMOTE FORMAT STRING VULNERABILITY
BugTraq ID: 22403
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22403
Summary:
  Samba is prone to a remote format-string vulnerability because the
  application fails to properly sanitize user-supplied input before
  including it in the format-specifier argument of a formatted-
  printing function.

  Successfully exploiting this issue allows remote attackers to
  execute arbitrary machine code in the context of users running the
  affected application. This facilitates the remote compromise of
  affected computers.

  Samba versions 3.06 to 3.0.23d are vulnerable.

SPAMASSASSIN LONG URI HANDLING REMOTE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22584
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22584
Summary:
  SpamAssassin is prone to a remote denial-of-service vulnerability.

  This issue arises when the application handles excessively
  long URIs.

  SpamAssassin versions prior to 3.1.8 are vulnerable to this issue.

T-COM SPEEDPORT ROUTER BRUTE FORCE SECURITY BYPASS WEAKNESS
BugTraq ID: 23967
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23967
Summary:
  T-Com Speedport firmware is prone to a security-bypass weakness
  because it fails to protect against brute-force attacks.

  An attacker can exploit this issue to perform brute-force attacks in
  an attempt to gain administrative access.

  Successful attacks can result in the complete compromise of the
  affected device.

  Speedport w700v is vulnerable; other versions may also be affected.

[ firmware ]

TCPDUMP IEEE802.11 PRINTER REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 22772
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22772
Summary:
  The 'tcpdump' utility is prone to a heap-based buffer-overflow
  vulnerability because it fails to bounds-check user-supplied input
  before copying it into an insufficiently sized memory buffer.

  An attacker can exploit this issue to execute arbitrary malicious
  code in the context of the user running the affected application.
  Failed exploit attempts will likely crash the affected application.

  This issue affects tcpdump 3.9.5 and prior versions.

TETEX MKIND.C REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23872
Last Updated: 2007-05-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23872
Summary:
  teTeX is prone to a buffer-overflow vulnerability because it fails
  to sufficiently perform boundary checks on user-supplied input
  before copying it to an insufficiently sized memory buffer.

  Remote attackers may exploit this issue by enticing victims into
  opening a malicious file using the affected application.

  Attackers can exploit this issue to execute arbitrary code with the
  privileges of an unsuspecting user. A successful attack can
  facilitate the compromise of vulnerable computers. Failed exploit
  attempts will likely result in denial-of-service conditions.

  This issue affects teTeX 2.0.2 and 3.0.0; other versions may also be
  vulnerable.

TINYIDENTD REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23981
Last Updated: 2007-05-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23981
Summary:
  TinyIdentD is prone to a buffer-overflow vulnerability because the
  application fails to properly bounds-check user-supplied data before
  copying it to an insufficiently sized memory buffer.

  Exploiting this issue allows attackers to execute arbitrary machine
  code in the context of the running application.

  TinyIdentD 2.2 and previous versions are vulnerable to this issue.

TROLLTECH QT UTF-8 SEQUENCES INPUT VALIDATION VULNERABILITY
BugTraq ID: 23269
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23269
Summary:
  Trolltech QT is prone to an input-validation vulnerability because
  the application fails to properly sanitize user-supplied input.

  An attacker may leverage this issue to exploit other issues in
  applications that employ the affected library. A successful attack
  may allow the attacker to execute arbitrary HTML and script code in
  the browser of an unsuspecting user in the context of the affected
  site. This may help the attacker steal cookie-based authentication
  credentials and launch other attacks.

  Qt 3.3.8 and 4.2.3 are known to be vulnerable to this issue; other
  versions may be affected as well.

UTIL-LINUX UMOUNT FILESYSTEM NULL POINTER DEREFERENCE VULNERABILITY
BugTraq ID: 22850
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22850
Summary:
  Util-Linux 'umount' is prone to a NULL-pointer dereference
  vulnerability.

  A local attacker can exploit this issue to crash the affected
  application, denying service to legitimate users. The attacker may
  also be able to obtain sensitive information, including the contents
  of core files.

  Util-Linux Umount implemented on Linux kernel 2.6.15 is reported
  vulnerable to this issue.

VIM FEEDKEYS AND WRITEFILE FUNCTIONS REMOTE CODE EXECUTION
VULNERABILITIES
BugTraq ID: 23725
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23725
Summary:
  VIM is prone to multiple vulnerabilities that permit a remote
  attacker to execute arbitrary code.

  The attacker could exploit these issues by enticing a victim to load
  a malicious file. A successful exploit could allow arbitrary code to
  run within the context of the affected application.

WEBDESPROXY GET REQUEST BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23962
Last Updated: 2007-05-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23962
Summary:
  Webdesproxy is prone to a buffer-overflow vulnerability because it
  fails to adequately bounds-check user-supplied data before copying
  it to an insufficiently sized buffer.

  Attackers can exploit this issue to cause denial-of-service
  conditions and possibly to execute arbitrary code with the
  privileges of the application.

X.ORG LIBXFONT MULTIPLE INTEGER OVERFLOW VULNERABILITIES
BugTraq ID: 23283
Last Updated: 2007-05-08
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23283
Summary:
  The 'libXfont' library is prone to multiple local integer-overflow
  vulnerabilities because it fails to adequately bounds-check user-
  supplied data.

  An attacker can exploit these vulnerabilities to execute arbitrary
  code with superuser privileges. Failed exploit attempts will likely
  cause denial-of-service conditions.

  These issues affect libXfont 1.2.2; other versions may also be
  vulnerable.

X.ORG X11 XC-MISC EXTENSION INTEGER OVERFLOW VULNERABILITY
BugTraq ID: 23284
Last Updated: 2007-05-08
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23284
Summary:
  X11 is prone to a local integer-overflow vulnerability because it
  fails to adequately bounds-check user-supplied input.

  An attacker can exploit this vulnerability to execute arbitrary code
  with superuser privileges. Failed exploit attempts will likely cause
  denial-of-service conditions.

XFSDUMP XFS_FSR INSECURE TEMPORARY FILE CREATION VULNERABILITY
BugTraq ID: 23922
Last Updated: 2007-05-30
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23922
Summary:
  The xfsdump 'xfs_fsr' utility creates temporary files in an
  insecure manner.

  An attacker with local access could potentially exploit this issue
  to perform symlink attacks, overwriting arbitrary files in the
  context of the affected application.

  Successfully exploiting a symlink attack may allow the attacker to
  overwrite or corrupt sensitive files. This may result in a denial of
  service; other attacks may also be possible.

  This issue affects xfsdump 2.2.38; other versions may be
  affected as well.

XFREE86 MULTIPLE UNSPECIFIED INTEGER OVERFLOW VULNERABILITIES
BugTraq ID: 8514
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/8514
Summary:
  Multiple integer-overflow vulnerabilities have been discovered in
  the XFree86 font libraries. The problem occurs because of
  insufficient sanity checks on integers passed to clients from an X
  font server. As a result, an unexpected buffer overrun may occur
  within the stack or heap space of process memory. An attacker
  could potentially exploit this to execute arbitrary code within a
  target X client.

  Precise technical details regarding these vulnerabilities are
  currently unavailable; as further information is released, this BID
  will be updated accordingly.

XINE DIRECTSHOW LOADER REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 22933
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22933
Summary:
  Xine is prone to a remote buffer-overflow vulnerability because the
  application fails to perform boundary checks before copying user-
  supplied input into finite-sized buffers.

  Successfully exploiting this issue allows remote attackers to
  execute arbitrary machine code in the context of the application and
  to compromise affected computers.

XSCREENSAVER LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23783
Last Updated: 2007-05-14
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23783
Summary:
  Xscreensaver is prone to a local denial-of-service vulnerability.

  Successful exploits will cause the xscreensaver daemon to crash,
  unlock the screen, and allow unauthorized access to the
  vulnerable computer.

  Xscreensaver versions prior to 5.02 are vulnerable to this issue.

RDIFFWEB DIRECTORY TRAVERSAL VULNERABILITY
BugTraq ID: 24092
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24092
Summary:
  rdiffWeb is prone to a directory-traversal vulnerability because it
  fails to properly sanitize user-supplied input.

  An attacker can exploit this vulnerability to retrieve arbitrary
  files from the vulnerable system in the context of the webserver
  process. Information obtained may aid in further attacks.

  This issue affects rdiffWeb 0.3.5; other versions may also be
  affected.
