[gull-annonces] Resume SecurityFocus #400-403
Marc SCHAEFER
schaefer at alphanet.ch
Wed Jun 20 15:21:24 CEST 2007
3COM SWITCHES BACKDOOR VULNERABILITY
BugTraq ID: 88
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/88
Summary:
There exists an undocumented access level in current (and possibly
previous) versions of 3Com's "intelligent" and "extended" switching
software for LanPlex/Corebuilder switches. In addition to the
"admin", "read", and "write" accounts, there is a "debug" account
with a password of "synnet" on shipped images (including those
available for download from infodeli.3com.com). The versions of
firmware this was tested under include 7.0.1 and 8.1.1.
The debug account has all the privileges of the admin account plus
some debugging commands not available to any other ID. They can
change all the other access password without knowing the old
password. In addition, they can get to the "underlying OS shell".
If you allow "remote administration" (telnet access), an attacker
can obtain full control of your switches.
Yes: LanPlex/Corebuilder 2500s (SW 7.x and 8.x) Corebuilder 3500
(ver 1.0.0) 3Com LANplex 2500 (rev 7.15) with Version 7.0.1-19 -
Built 01/17/97 02:41:17 PM LinkSwitch
No: Superstack II LinkSwitch FMS-II Superstack Hub P/N 3c16630a
[ firmware ]
APOP PROTOCOL INSECURE MD5 HASH WEAKNESS
BugTraq ID: 23257
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23257
Summary:
Applications that implement the APOP protocol may be vulnerable to a
password-hash weakness. This issue occurs because the MD5 hash
algorithm fails to properly prevent collisions.
Attackers may exploit this issue in man-in-the-middle attacks to
potentially gain access to the first three characters of passwords.
This will increase the likelihood of successful brute-force attacks
against APOP authentication.
To limit the possibility of successful exploits, applications that
implement the APOP protocol should set up safeguards to ensure that
message IDs are RFC-compliant.
Mozilla Thunderbird, Evolution, mutt, and fetchmail are reportedly
affected by this issue.
AMAROK MAGNATURE SHELL COMMAND INJECTION VULNERABILITY
BugTraq ID: 22568
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22568
Summary:
Amarok Magnature is prone to a shell command-injection
vulnerability.
Commands executed through this vulnerability could permit an
attacker to gain access to a vulnerable system.
APACHE HTTP SERVER MULTIPLE VULNERABILITIES
BugTraq ID: 8226
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/8226
Summary:
Apache is vulnerable to multiple vulnerabilities, including denial-of-
service issues, file-descriptor leakage, and logging failures.
Apache HTTP Server 1.3.28 has been released in response to
these issues.
APACHE HTTP SERVER TOMCAT DIRECTORY TRAVERSAL VULNERABILITY
BugTraq ID: 22960
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22960
Summary:
Apache HTTP servers running with the Tomcat servlet container are
prone to a directory-traversal vulnerability because it fails to
sufficiently sanitize user-supplied input data.
Exploiting this issue allows attackers to access arbitrary files in
the Tomcat webroot. This can expose sensitive information that could
help the attacker launch further attacks.
Versions in the 5.0 series prior to 5.5.22 and in the 6.0 series
prior to 6.0.10 are vulnerable.
APACHE HTTP SERVER WORKER PROCESS MULTIPLE DENIAL OF SERVICE
VULNERABILITIES
BugTraq ID: 24215
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24215
Summary:
Apache is prone to multiple denial-of-service vulnerabilities.
An attacker with the ability to execute arbitrary server-side script-
code can exploit these issues to stop arbitrary services on the
affected computer in the context of the master webserver process;
other attacks may also be possible.
APACHE TOMCAT INFORMATION DISCLOSURE VULNERABILITY
BugTraq ID: 19106
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19106
Summary:
Apache Tomcat is prone to an information-disclosure vulnerability
because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to reveal a complete directory
listing from any directory. Information obtained may aid in further
attacks. Reports indicate that this issue may also allow attackers
to obtain the source code of script files.
Apache Tomcat 5.028, 5.5.23, 5.5.9, and 5.5.7 are vulnerable to this
issue; other versions may also be affected.
Novell GroupWise Mobile Server 1.0 or other versions bundled with
Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2 ship
with an affected version of Tomcat and are vulnerable as well.
APACHE TOMCAT JK CONNECTOR DOUBLE ENCODING SECURITY BYPASS
VULNERABILITY
BugTraq ID: 24147
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24147
Summary:
Apache HTTP server running with the Tomcat JK Web Server Connector
is prone to a security-bypass vulnerability because it decodes
request URLs multiple times.
Exploiting this issue allows attackers to access restricted files in
the Tomcat web directory. This can expose sensitive information that
could help attackers launch further attacks.
This issue is present in versions of Apache Tomcat JK Connector
prior to 1.2.23.
APACHE TOMCAT MOD_JK.SO ARBITRARY CODE EXECUTION VULNERABILITY
BugTraq ID: 22791
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22791
Summary:
Apache Tomcat is prone to a vulnerability that will allow remote
attackers to execute arbitrary code on an affected computer. A
successful attack may result in a complete compromise.
BLENDER KMZ/KML REMOTE COMMAND EXECUTION VULNERABILITY
BugTraq ID: 22770
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22770
Summary:
Blender is prone to a remote command-execution vulnerability.
An attacker could exploit this issue by enticing an unsuspecting
victim to open a malicious file. A successful exploit will allow
arbitrary Python commands to run within the privileges of the
currently logged-in user.
BLUEZ HIDD BLUETOOH HID COMMAND INJECTION VULNERABILITY
BugTraq ID: 22076
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22076
Summary:
BlueZ hidd is prone to a device-command-injection vulnerability.
A remote attacker can exploit this issue to gain control of mouse
and keyboard HIDs (human interface device). This will allow the
attacker to interact with the targeted computer in the context of
the currently logged-in user.
Versions prior to 2.25 are vulnerable.
CPIO FILE SIZE STACK BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 16057
Last Updated: 2007-05-08
Remote: No
Relevant URL: http://www.securityfocus.com/bid/16057
Summary:
The cpio utility is prone to a stack buffer-overflow vulnerability.
This issue presents itself when cpio tries to create an archive
containing files with extremely large sizes, potentially resulting
in a memory buffer being overrun.
Note that this vulnerability presents itself only on 64-bit
platforms. Presumably, on 32-bit platforms using 64-bit filesystems,
this may be exploited to crash cpio.
CAMPSITE G_DOCUMENTROOT PARAMETER MULTIPLE REMOTE FILE INCLUDE
VULNERABILITIES
BugTraq ID: 23874
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23874
Summary:
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the
context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also
be affected.
CISCO CALLMANAGER SEARCH FORM CROSS SITE SCRIPTING VULNERABILITY
BugTraq ID: 24119
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24119
Summary:
Cisco CallManager is prone to a cross-site scripting vulnerability
because, the application fails to sufficiently sanitize user-
supplied input.
This vulnerability potentially allows an attacker to perform cross-
site scripting attacks on unsuspecting users in the context of the
affected website. As a result, the attacker may be able to steal cookie-
based authentication credentials and to launch other attacks.
Version 4.1.1 is reported vulnerable; other versions may also
be affected.
[ firmware ]
CISCO IOS FTP SERVER MULTIPLE VULNERABILITIES
BugTraq ID: 23885
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23885
Summary:
Cisco IOS FTP Server is prone to multiple vulnerabilities including
a denial-of-service issue and an authentication-bypass issue.
Attackers can exploit these issues to deny service to legitimate
users, gain unauthorized access to an affected device, or execute
arbitrary code.
Only IOS devices that have the FTP Server feature enabled are
vulnerable; this feature is disabled by default.
[ firmware ]
CISCO IOS SSL PACKETS MULTIPLE DENIAL OF SERVICE VULNERABILITIES
BugTraq ID: 24097
Last Updated: 2007-05-22
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24097
Summary:
Cisco IOS is prone to multiple denial-of-service vulnerabilities
because it fails to handle malformed SSL packets.
Attackers can exploit these issues to cause denial-of-service
conditions on an affected device.
NOTE: Attackers can exploit these issues only via an established TCP
connection, but only prior to security authentication. An
attacker can, however, interrupt a secure session and inject
malicious packets when a new session is started. Due to these
factors, the likelihood of successful attacks is reduced.
[ firmware ]
CLAM ANTIVIRUS CLAMAV MULTIPLE REMOTE VULNERABILITIES
BugTraq ID: 23473
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23473
Summary:
ClamAV is prone to a file-descriptor leakage vulnerability and a buffer-
overflow vulnerability.
A successful attack may allow an attacker to obtain sensitive
information, cause denial-of-service conditions, and execute
arbitrary code in the context of the user running the affected
application.
ClamAV versions prior to 0.90.2 are vulnerable to these issues.
CLAM ANTIVIRUS CLAMAV PDF HANDLING REMOTE DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 23656
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23656
Summary:
ClamAV is prone to a denial-of-service vulnerability.
A successful attack may allow an attacker to cause denial-of-service
conditions.
CLAMAV CAB FILE REMOTE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22580
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22580
Summary:
ClamAV is prone to a denial-of-service vulnerability.
An attacker can exploit this vulnerability to prevent the software
from scanning certain types of data. When it encounters the data,
the application will reject it. This can result in denial-of-service
conditions.
Versions prior to 0.90 stable are vulnerable.
CLAMAV MIME HEADER ID PARAMETER STRING DIRECTORY TRAVERSAL
VULNERABILITY
BugTraq ID: 22581
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22581
Summary:
ClamAV is prone to a directory-traversal vulnerability because it
fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to create or overwrite
arbitrary files on vulnerable computers in the context of the
affected application. This may aid in further attacks.
This issue affects ClamAV versions prior to the 0.90 stable release.
ELINKS RELATIVE PATH ARBITRARY CODE EXECUTION VULNERABILITY
BugTraq ID: 23844
Last Updated: 2007-05-15
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23844
Summary:
ELinks is prone to an arbitrary code-execution vulnerability.
An attacker can exploit this issue to potentially execute arbitrary
code with the privileges of the user running the affected
application.
This issue requires an attacker to trick an unsuspecting victim into
running the vulnerable application in an attacker-controlled
directory.
This issue affects ELinks 0.11.1; other versions may also be
vulnerable.
EXIM SPAMASSASSIN REPLY REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23977
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23977
Summary:
Exim is prone to a remote buffer-overflow vulnerability when used in
conjunction with remote SpamAssassin servers. This issue occurs
because the application fails to properly bounds-check user-supplied
input prior to copying it to an insufficiently sized memory buffer.
Successfully exploiting this issue allows remote attackers to
execute arbitrary machine code in the context of the affected
application. Failed exploit attempts may result in denial-of-service
conditions.
Exim 4.66 is vulnerable to this issue; other versions may also
be affected.
FILE MULTIPLE DENIAL OF SERVICE VULNERABILITIES
BugTraq ID: 24146
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24146
Summary:
The 'file' utility is prone to multiple denial-of-service
vulnerabilities because it fails to handle exceptional conditions.
An attacker could exploit this issue by enticing a victim to open a
specially crafted file. A denial-of-service condition can occur.
Arbitrary code execution may be possible, but Symantec has not
confirmed this.
FILE(1) COMMAND FILE_PRINTF INTEGER UNDERFLOW VULNERABILITY
BugTraq ID: 23021
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23021
Summary:
The file(1) command is prone to an integer-underflow vulnerability
because the command fails to adequately handle user-supplied data.
An attacker can leverage this issue to corrupt heap memory and
execute arbitrary code with the privileges of a user running the
command. A successful attack may result in the compromise of
affected computers. Failed attempts will likely cause denial-of-
service conditions.
Versions prior to 4.20 are vulnerable.
FREETYPE TT_LOAD_SIMPLE_GLYPH() TTF FILE INTEGER OVERFLOW
VULNERABILITY
BugTraq ID: 24074
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24074
Summary:
FreeType is prone to an integer-overflow vulnerability because it
fails to properly validate TTF files.
An attacker may exploit this issue by enticing victims into opening
maliciously crafted TTF Files.
Successful exploits will allow attackers to execute arbitrary code
in the context in the context of applications that use the affected
library. Failed exploit attempts will likely result in denial-of-
service conditions.
This issue affects FreeType 2.3.4 and prior versions.
GIMP RAS FILE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23680
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23680
Summary:
GIMP is prone to a buffer-overflow vulnerability because it fails to
properly bounds-check user-supplied input data before copying it to
an insufficiently sized memory buffer.
Successful exploits of this vulnerability allow remote attackers to
execute arbitrary machine code in the context of the affected
application.
GIMP 2.2.14 is vulnerable to this issue; other versions may also
be affected.
GNUEDU MULTIPLE REMOTE FILE INCLUDE VULNERABILITIES
BugTraq ID: 23883
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23883
Summary:
GNU Edu is prone to multiple remote file-include vulnerabilities
because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise
the application and the underlying system; other attacks are
also possible.
These issues affect GNU Edu 1.3b2; other versions may also be
affected.
GNUPG SIGNED MESSAGE ARBITRARY CONTENT INJECTION WEAKNESS
BugTraq ID: 22757
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22757
Summary:
GnuPG is prone to a weakness that may allow an attacker to add
arbitrary content into a message without the end user knowing.
An attacker may be able to exploit this issue in applications
using GnuPG to add arbitrary content into a signed and/or
encrypted message.
Exploiting this issue depends on the individual application's use of
GnuPG. Individual records will be created detailing this issue in
affected applications.
HP PROCURVE 9300M SWITCHES UNSPECIFIED DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23791
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23791
Summary:
HP ProCurve 9300m Switches are prone to an unspecified remote denial-of-
service vulnerability. This issue most likely occurs because the
device fails to properly sanitize user-supplied input.
An attacker can exploit this issue to crash an affected device,
effectively denying service to legitimate users.
This issue affects HP ProCurve 9300m Switches running software
versions 08.0.01c to 08.0.01j.
[ firmware ]
HP SERVICEGUARD FOR LINUX UNSPECIFIED REMOTE UNAUTHORIZED ACCESS
VULNERABILITY
BugTraq ID: 22574
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22574
Summary:
HP Serviceguard for Linux is prone to an unauthorized-access
vulnerability.
An attacker can exploit this issue to gain remote unauthorized
access to affected computers.
[ licence?? ]
IFDATE ADMINISTRATIVE AUTHENTICATION BYPASS VULNERABILITY
BugTraq ID: 23971
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23971
Summary:
iFdate is prone to a vulnerability that will let attackers trivially
gain administrative access to the application.
This issue stems from insufficient access validation.
iFdate 2.0 and later versions are vulnerable.
IPV6 PROTOCOL TYPE 0 ROUTE HEADER DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23615
Last Updated: 2007-05-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23615
Summary:
IPv6 protocol implementations are prone to a denial-of-service
vulnerability due to a design error.
Exploiting this issue allows attackers to cause denial-of-service
conditions.
This issue is related to the issue discussed in BID 22210 (Cisco IOS
IPv6 Source Routing Remote Memory Corruption Vulnerability).
ISC BIND QUERY_ADDSOA DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23738
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23738
Summary:
ISC BIND is prone to a denial-of-service vulnerability because it
fails to handle certain sequences of malicious queries.
NOTE: Only applications configured with the 'recursion'
directive/attribute enabled are vulnerable to this issue.
An attacker can exploit this issue to cause the application to exit,
denying service to legitimate users.
ISC BIND 9.40, 9.5.0a1, 9.5.0a2, and 9.5.0a3 are vulnerable.
ISC BIND REMOTE DNSSEC VALIDATION DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22231
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22231
Summary:
ISC BIND is prone to a remote denial-of-service vulnerability
because the application fails to properly handle malformed DNSSEC
validation requests.
Successfully exploiting this issue allows remote attackers to crash
affected DNS servers, denying further service to legitimate users.
IMAGEMAGICK XGETPIXEL/XINITIMAGE MULTIPLE INTEGER OVERFLOW
VULNERABILITIES
BugTraq ID: 23300
Last Updated: 2007-05-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23300
Summary:
ImageMagick is prone to multiple integer-overflow vulnerabilities
because it fails to properly validate user-supplied data.
An attacker can exploit these issues to execute arbitrary code in
the context of the application. Failed exploit attempts will likely
cause denial-of-service conditions.
IRFANVIEW .IFF FORMAT HANDLING REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23692
Last Updated: 2007-05-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23692
Summary:
IrfanView is prone to a remote buffer-overflow vulnerability because
the software fails to properly bounds-check user-supplied input
before copying it to an insufficiently sized memory buffer.
Successful exploits allow remote attackers to execute arbitrary
machine code in the context of the vulnerable application. Failed
exploit attempts likely result in denial-of-service conditions.
IrfanView 4.00 is vulnerable; other versions may also be affected.
LIBEVENT DNS PARSING DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22606
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22606
Summary:
Libevent is prone to a denial-of-service vulnerability.
A remote attacker may exploit this issue to cause the application to
crash, denying further service to legitimate users.
Versions 1.2 to 1.2a are vulnerable to this issue.
LINKSNET NEWSFEED REMOTE FILE INCLUDE VULNERABILITY
BugTraq ID: 23982
Last Updated: 2007-05-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23982
Summary:
Linksnet Newsfeed is prone to a remote file-include vulnerability
because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue may allow an attacker to compromise the
application and the underlying system; other attacks are also
possible.
Linksnet Newsfeed 1.0 is vulnerable; other versions may also
be affected.
LINUX KERNEL BINFMT_ELF PT_INTERP LOCAL INFORMATION DISCLOSURE
VULNERABILITY
BugTraq ID: 22903
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22903
Summary:
The Linux kernel is prone to a vulnerability in the Linux ELF binary
loader. Exploiting this issue can allow local attackers to gain
access to privileged information.
An attacker may be able to obtain sensitive data that can
potentially be used to gain elevated privileges.
This issue is a variant of the vulnerability assigned CVE candidate
ID CAN-2004-1073, which is documented in BID 11646.
Linux Kernel versions in the 2.6.0 branch prior to 2.6.20 are
vulnerable; versions in the 2.4.0 branch may also be affected.
LINUX KERNEL IBMTR.C REMOTE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 21490
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/21490
Summary:
The Linux kernel is prone to a remote denial-of-service
vulnerability.
This vulnerability resides in the
'drivers/net/tokenring/ibmtr.c' file.
Exploiting this vulnerability can allow remote attackers to crash
the affected kernel, resulting in denial-of-service conditions.
Attackers may also be able to execute arbitrary code, but this has
not been confirmed.
Kernel versions from 2.6.0 up to and including 2.6.19 are vulnerable
to this issue.
LINUX KERNEL IPV6_GETSOCKOPT_STICKY MEMORY LEAK INFORMATION DISCLOSURE
VULNERABILITY
BugTraq ID: 22904
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22904
Summary:
Linux Kernel is prone to an information-disclosure vulnerability
because it fails to handle unexpected user-supplied input.
Successful exploits will allow attackers to obtain portions of
kernel memory. Information harvested may be used in further attacks.
Kernel versions 2.6.0 up to 2.6.20.1 are vulnerable to this issue.
LINUX KERNEL IPV6_SOCKGLUE.C NULL POINTER DEREFERENCE VULNERABILITY
BugTraq ID: 23142
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23142
Summary:
The Linux kernel is prone to a NULL-pointer dereference
vulnerability.
A local attacker can exploit this issue to crash the affected
application, denying service to legitimate users. The attacker may
also be able to execute arbitrary code with elevated privileges, but
this has not been confirmed.
LINUX KERNEL IPV6 TCP SOCKETS LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23104
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23104
Summary:
The Linux kernel is prone to a denial-of-service vulnerability.
Exploiting this issue allows local attackers to cause the kernel to
crash, effectively denying service to legitimate users. Attackers
may also be able to execute arbitrary code with elevated privileges,
but this has not been confirmed.
This issue affects the Linux kernel 2.6 series.
LINUX KERNEL KEY_ALLOC_SERIAL() LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22539
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22539
Summary:
The Linux Kernel is prone to a denial-of-service vulnerability.
A successful attack can allow local attackers to trigger a crash and
deny service to legitimate users.
Kernel versions 2.6.x are vulnerable.
LINUX KERNEL NETLINK_FIB_LOOKUP LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23677
Last Updated: 2007-05-14
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23677
Summary:
The Linux kernel is prone to a denial-of-service vulnerability. This
issue presents itself when a NETLINK message is misrouted.
A local attacker may exploit this issue to trigger an infinite-
recursion stack-based overflow in the kernel. This results in a
denial of service to legitimate users.
Versions prior to 2.6.20.8 are vulnerable.
LINUX KERNEL NFSACL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22625
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22625
Summary:
The Linux kernel is prone to a local denial-of-service
vulnerability.
An attacker can exploit this issue to crash the affected computer,
denying service to legitimate users.
This issue affects the Linux kernel 2.6 series up to 2.6.20.
LINUX KERNEL NETFILTER NFNETLINK_LOG MULTIPLE NULL POINTER DEREFERENCE
VULNERABILITIES
BugTraq ID: 22946
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22946
Summary:
The Linux kernel is prone to multiple NULL-pointer dereference
vulnerabilities.
A local attacker can exploit these issues to crash the affected
kernel, denying service to legitimate users.
LINUX KERNEL NETFILTER NF_CONNTRACK IPV6 PACKET REASSEMBLY RULE BYPASS
VULNERABILITY
BugTraq ID: 23976
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23976
Summary:
The Linux kernel is prone to a vulnerability that lets attackers
bypass firewall rules. This issue occurs because the Linux
'netfilter' code fails to properly classify network packets.
Successfully exploiting this issue allows attackers to bypass
firewall rules, potentially aiding them in further network-
based attacks.
Linux kernel versions in the 2.6 series prior to 2.6.20.3 are
vulnerable to this issue.
LINUX KERNEL OMNIKEY CARDMAN 4040 DRIVER LOCAL BUFFER OVERFLOW
VULNERABILITY
BugTraq ID: 22870
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22870
Summary:
The Linux kernel is prone to a local buffer-overflow vulnerability
because it fails to properly bounds-check user-supplied input before
using it in a memory copy operation.
This issue allows local attackers to overwrite kernel memory with
arbitrary data, potentially allowing them to execute malicious
machine code in the context of affected kernels. Exploiting this
vulnerability facilitates the complete compromise of affected
computers.
Linux kernel versions prior to 2.6.21-rc3 are affected by this
issue.
LINUX KERNEL PPPOE SOCKET LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23870
Last Updated: 2007-05-08
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23870
Summary:
The Linux kernel is prone to a denial-of-service vulnerability.
Exploiting this issue allows local attackers to exhaust memory
resources and eventually cause the kernel to crash, effectively
denying service to legitimate users.
This issue affects the Linux kernel 2.6 series prior to 2.6.21-git8.
MIT KERBEROS 5 KADMIND SERVER STACK BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23285
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23285
Summary:
Kerberos 5 kadmind (Kerberos Administration Daemon) server is prone
to a stack-based buffer-overflow vulnerability because the software
fails to adequately bounds-check user-supplied data before copying
it to an insufficiently sized buffer.
An attacker can exploit this issue to execute arbitrary code with
administrative privileges. A successful attack can result in the
complete compromise of the application. Failed attempts will likely
result in denial-of-service conditions.
All kadmind servers run on the master Kerberos server. Since the
master server holds the KDC principal and policy database, an attack
may not only compromise the affected computer, but could also
compromise multiple hosts that use the server for authentication.
Kerberos 5 kadmind 1.6 and prior versions are vulnerable.
MIT KERBEROS ADMINISTRATION DAEMON KADMIND DOUBLE FREE MEMORY
CORRUPTION VULNERABILITIES
BugTraq ID: 23282
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23282
Summary:
MIT Kerberos 5 is prone to a double-free memory-corruption
vulnerability.
An attacker can exploit this issue to execute arbitrary code with
superuser or SYSTEM-level privileges, completely compromising
affected computers. Failed exploit attempts will likely result in a
denial-of-service conditions.
This issue also affects third-party applications using the
affected API.
MPLAYER DMO FILE PARSING BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 22771
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22771
Summary:
MPlayer is prone to a buffer-overflow vulnerability when it attempts
to process malformed video files. This issue occurs because the
application fails to perform proper bounds-checking on user-supplied
data before copying it to an insufficiently sized memory buffer.
An attacker may exploit this issue to execute arbitrary code with
the privileges of the user that activated the vulnerable
application. This may facilitate unauthorized access or privilege
escalation.
MPlayer 1.0rc1 is vulnerable to this issue; previous versions may
also be affected.
MADWIFI MULTIPLE DENIAL OF SERVICE VULNERABILITIES
BugTraq ID: 24114
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24114
Summary:
MadWifi is prone to multiple denial-of-service vulnerabilities.
Exploiting these issues may permit attackers to cause system crashes
and deny service to legitimate users.
Versions of MadWifi prior to 0.9.3.1 are vulnerable.
[ non identifié si c'est la partie libre ou propriétaire du pilote
composite
]
MOZILLA FIREFOX FTP PASV PORT-SCANNING VULNERABILITY
BugTraq ID: 23082
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23082
Summary:
Mozilla Firefox is prone to vulnerability that may allow attackers
to obtain potentially sensitive information.
A successful exploit of this issue would cause the affected
application to connect to arbitrary TCP ports and potentially
reveal sensitive information about services that are running on the
affected computer. Information obtained may aid attackers in
further attacks.
MOZILLA FIREFOX DOCUMENT.COOKIE PATH ARGUMENT DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 22879
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22879
Summary:
Mozilla Firefox is prone to a remote denial-of-service
vulnerability.
An attacker may exploit this vulnerability to cause Mozilla Firefox
to crash, resulting in denial-of-service conditions.
Little is known regarding this vulnerability; this BID will be
updated when more information is disclosed.
Mozilla Firefox 2.0.0.2 is prone to this issue; other versions may
also be affected.
Attackers may be able to bypass cookie domain and path restrictions,
but this has not been confirmed.
MOZILLA FIREFOX POPUP BLOCKER CROSS ZONE SECURITY BYPASS WEAKNESS
BugTraq ID: 22396
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22396
Summary:
Mozilla Firefox is prone to a cross-zone security-bypass weakness. This issue allows attackers to open 'file://' URIs from remote websites.
By exploiting this issue in conjunction with other weaknesses or
vulnerabilities, attackers may be able to execute arbitrary script
code with the elevated privileges that are granted to scripts when
they are executed from local sources.
Mozilla Firefox 1.5.0.9 is affected by this issue; other versions
may be affected as well.
MOZILLA FIREFOX RESOURCE DIRECTORY TRAVERSAL VULNERABILITY
BugTraq ID: 24191
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24191
Summary:
Mozilla Firefox is prone to a directory-traversal vulnerability
because it fails to adequately sanitize user-supplied data.
An attacker can exploit this issue to access arbitrary files on an
unsuspecting user's computer. Successful exploits can expose
potentially sensitive information that could aid in further attacks.
Firefox 2.0.0.3 and prior versions are vulnerable.
MOZILLA PRODUCTS MULTIPLE REMOTE VULNERABILITIES
BugTraq ID: 24242
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24242
Summary:
The Mozilla Foundation has released six security advisories
specifying vulnerabilities in Firefox, SeaMonkey, and Thunderbird.
These vulnerabilities allow attackers to:
- Execute arbitrary code
- Cause denial-of-service conditions
- Perform cross-site scripting attacks
- Obtain potentially sensitive information
- Spoof legitimate content
Other attacks may also be possible.
MOZILLA THUNDERBIRD/SEAMONKEY/FIREFOX MULTIPLE REMOTE VULNERABILITIES
BugTraq ID: 22694
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22694
Summary:
The Mozilla Foundation has released six security advisories
specifying vulnerabilities in Firefox, SeaMonkey, and Thunderbird.
These vulnerabilities allow attackers to:
- Execute arbitrary code
- Cause denial-of-service conditions
- Perform cross-site scripting attacks
- Obtain potentially sensitive information
- Spoof legitimate content
Other attacks may also be possible.
MULTIPLE PRODUCTS FULL/HALF WIDTH UNICODE DETECTION EVASION
VULNERABILITY
BugTraq ID: 23980
Last Updated: 2007-05-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23980
Summary:
Multiple products are reportedly prone to a vulnerability that may
allow malicious HTTP traffic to bypass detection.
Attackers may send this type of HTTP data to evade detection and
perform further attacks.
Cisco has stated that all IOS releases that support the Firewall/IPS
feature set are affected. Although we currently have no definitive
list of such versions, Symantec is investigating the matter and will
update this BID's list of vulnerable systems appropriately.
[ welcome to the wonderful world of UNICODE ]
MULTIPLE VENDOR C LIBRARY REALPATH() OFF-BY-ONE BUFFER OVERFLOW
VULNERABILITY
BugTraq ID: 8315
Last Updated: 2007-05-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/8315
Summary:
The 'realpath()' function is a C-library procedure to resolve the
canonical, absolute pathname of a file based on a path that may
contain values such as '/', './', '../', or symbolic links. A
vulnerability that was reported to affect the implementation of
'realpath()' in WU-FTPD has lead to the discovery that at least one
implementation of the C library is also vulnerable. FreeBSD has
announced that the off-by-one stack- buffer-overflow vulnerability
is present in their libc. Other systems are also likely vulnerable.
Reportedly, this vulnerability has been successfully exploited
against WU-FTPD to execute arbitrary instructions.
NOTE: Patching the C library alone may not remove all instances of
this vulnerability. Statically linked programs may need to be
rebuilt with a patched version of the C library. Also, some
applications may implement their own version of 'realpath()'.
These applications would require their own patches. FreeBSD
has published a large list of applications that use
'realpath()'. Administrators of FreeBSD and other systems are
urged to review it. For more information, see the advisory 'FreeBSD-SA-
03:08.realpath'.
MULTIPLE VENDOR MULTIPLE HTTP REQUEST SMUGGLING VULNERABILITIES
BugTraq ID: 13873
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/13873
Summary:
Multiple vendors are prone to HTTP-request-smuggling issues.
Attackers can piggyback an HTTP request inside of another HTTP
request. By leveraging failures to implement the HTTP/1.1 RFC
properly, attackers can launch cache-poisoning, cross-site
scripting, session-hijacking, and other attacks.
MULTIPLE VENDOR TCP PACKET FRAGMENTATION HANDLING DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 11258
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/11258
Summary:
Multiple vendor implementations of the TCP stack are reported prone
to a remote denial-of-service vulnerability.
The issue is reported to present itself due to inefficiencies
present when handling fragmented TCP packets.
The discoverer of this issue has dubbed the attack style the "New
Dawn attack"; it is a variation of a previously reported attack that
was named the "Rose Attack".
A remote attacker may exploit this vulnerability to deny service to
an affected computer.
Microsoft Windows 2000/XP, Linux kernel 2.4 tree, and undisclosed
Cisco systems are reported prone to this vulnerability; other
products may also be affected.
[ fragments are bad, disable them ]
MULTIPLE VENDOR WEB BROWSER JAVASCRIPT DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 10998
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/10998
Summary:
Web browsers from multiple different vendors are reported
susceptible to a denial of service vulnerability.
The specified JavaScript code will consume 100% of the CPU resources
of the affected computer. The browser will then reportedly crash.
Mozilla Firefox, Microsoft Internet Explorer, and Opera are all
reportedly affected by this vulnerability.
Update: This BID is being retired as this is not considered a
security vulnerability.
MYSQL IF QUERY HANDLING REMOTE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23911
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23911
Summary:
MySQL is prone to a remote denial-of-service vulnerability because
it fails to handle certain specially crafted queries.
An attacker can exploit this issue to crash the application, denying
access to legitimate users.
NOTE: An attacker must be able to execute arbitrary SELECT
statements against the database to exploit this issue. This
may be through legitimate means or by exploiting other latent
SQL-injection vulnerabilities.
Versions prior to 5.0.40 are vulnerable.
MYSQL SINGLE ROW SUBSELECT REMOTE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22900
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22900
Summary:
MySQL is prone to a remote denial-of-service vulnerability because
it fails to handle certain select statements to database metadata.
An attacker can exploit this issue to crash the application, denying
access to legitimate users. The attacker may also be able to execute
arbitrary code, but this has not yet been confirmed.
NOTE: An attacker must be able to execute arbitrary SELECT
statements on the vulnerable computer to exploit this issue.
This may be through legitimate means or by exploiting other
latent SQL-injection vulnerabilities.
Versions prior to 5.0.36 are vulnerable.
NET-SNMP TCP DISCONNECT REMOTE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23762
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23762
Summary:
Net-SNMP is prone to a remote denial-of-service vulnerability. The
issue is exposed when Net-SNMP is configured to communicate over
TCP; Net-SNMP using UDP is unaffected.
This issue affects Net-SNMP when running in 'master agentx' mode. An
attacker can exploit this issue to cause the affected service to
crash, effectively denying service to legitimate users.
NET-SNMP UNSPECIFIED REMOTE STREAM-BASED PROTOCOL DENIAL OF SERVICE
VULNERABILITY
BugTraq ID: 14168
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/14168
Summary:
Net-SNMP is prone to a remote denial-of-service vulnerability. The
issue is exposed when Net-SNMP is configured to have an open stream-
based protocol port, such as TCP.
The exact details describing this issue are not available. This BID
will be updated when more information emerges.
NETOPIA R9100 ROUTER DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 2287
Last Updated: 2007-05-30
Remote: No
Relevant URL: http://www.securityfocus.com/bid/2287
Summary:
The Netopia R9100 Router, running firmware version 4.6, is
vulnerable to a denial of service attack. Subsequent (and current)
versions of the product are not vulnerable.
Under very specific circumstances, it is possible to cause the
affected router to halt. By attempting to make a looped connection
from the router's IP address back to the same address, the unit
will crash.
This prevents user disconnect logging and may assist the attacker in
carrying out further attacks on the affected host or other systems
on its network.
[ firmware ]
OPENLD UNSPECIFIED CROSS-SITE SCRIPTING VULNERABILITY
BugTraq ID: 23896
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23896
Summary:
OpenLD is prone to a cross-site scripting vulnerability because the
application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code
in the browser of an unsuspecting user in the context of the
affected site. This may help the attacker steal cookie-based
authentication credentials and launch other attacks.
Versions prior to 1.1-modified3 are vulnerable.
OPENSSH-PORTABLE PAM AUTHENTICATION REMOTE INFORMATION DISCLOSURE
VULNERABILITY
BugTraq ID: 11781
Last Updated: 2007-05-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/11781
Summary:
The portable version of OpenSSH is reported prone to an information-
disclosure vulnerability. The portable version is distributed for
operating systems other than its native OpenBSD platform.
This issue is related to BID 7467. Reportedly, the previous fix for
BID 7467 didn't completely fix the issue. This current issue may
involve differing code paths in PAM, resulting in a new
vulnerability, but this has not been confirmed.
Exploiting this vulnerability allows remote attackers to test for
the presence of valid usernames. Knowledge of usernames may aid them
in further attacks.
OPENSSL PKCS PADDING RSA SIGNATURE FORGERY VULNERABILITY
BugTraq ID: 19849
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/19849
Summary:
OpenSSL is prone to a vulnerability that may allow an attacker to
forge an RSA signature. The attacker may be able to forge a PKCS #1
v1.5 signature when an RSA key with exponent 3 is used.
An attacker may exploit this issue to sign digital certificates or
RSA keys and take advantage of trust relationships that depend on
these credentials, possibly posing as a trusted party and signing a
certificate or key.
All versions of OpenSSL prior to and including 0.9.7j and 0.9.8b are
affected by this vulnerability. Updates are available.
POPTOP PPTP SERVER GRE PACKET DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23886
Last Updated: 2007-05-22
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23886
Summary:
PoPToP PPTP Server is prone to a denial-of-service vulnerability
because it fails to adequately handle certain malformed packet data.
Attackers can exploit this issue to disconnect arbitrary PPTP
connections.
PoPToP PPTP Server 1.3.4 is vulnerable; other versions may also
be affected.
POSTGRESQL INFORMATION DISCLOSURE AND DENIAL OF SERVICE
VULNERABILITIES
BugTraq ID: 22387
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22387
Summary:
PostgreSQL is prone to information-disclosure and denial-of-service
vulnerabilities; fixes are available.
An attacker can exploit these vulnerabilities to cause the backend
database to crash and reveal sensitive information. This may lead to
other attacks.
These issues affect versions 8.0, 8.1, and 8.2. The second issue
described also affects version 7.3 and 7.4.
POSTGRESQL SECURITY DEFINER FUNCTION LOCAL PRIVILEGE ESCALATION
VULNERABILITY
BugTraq ID: 23618
Last Updated: 2007-05-08
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23618
Summary:
PostgreSQL is prone to a local privilege-escalation vulnerability.
Exploiting this issue allows local attackers to escalate privileges
in the context of the 'security_definer' function.
PostgreSQL versions prior to 8.2.4, 8.1.9, 8.0.13, 7.4.17, and
7.3.19 are vulnerable to this issue.
PYTHON PYLOCALE_STRXFRM FUNCTION REMOTE INFORMATION LEAK VULNERABILITY
BugTraq ID: 23887
Last Updated: 2007-05-09
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23887
Summary:
Python applications that use the 'PyLocale_strxfrm' function are
prone to an information leak.
Exploiting this issue allows remote attackers to read portions
of memory.
Python 2.4.4-2 and 2.5 are confirmed vulnerable to this issue.
RPC PORTMAPPER DENIAL OF SEVICE VULNERABILITY
BugTraq ID: 1892
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/1892
Summary:
A remote root vulnerability exists in certain versions of rpcbind
portmapper.
RPC (Remote Procedure Call) allows a program to request a service
from a program located in another computer in a network without
requiring detailed information on the network configuration.
An attacker capable of forging a pmap_set/pmap_unset udp packet
can cause the remote host to register or unregister arbitrary
RPC programs.
This can permit an attacker to carry out a denial of services by
disabling key services on the target host, including mountd, nfsd
and ypserv.
Because it allows a malicious local user to register rpc
programs on the server, depending on the program the attacker
chooses to register, this vulnerability can allow a compromise
of root privilege, potentially extending to other systems on the
local network.
In addition to the affected platforms listed, other versions have
yet to be tested, and may be vulnerable as well.
[ you don't need portmapper unless you run NIS or NFS services,
apt-get remove portmap
]
SAMBA DEFERRED CIFS FILE OPEN DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22395
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22395
Summary:
The smbd daemon is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to consume excessive memory
resources, ultimately crashing the affected application.
This issue affects Samba versions 3.0.6 through 3.0.23d, inclusive.
SAMBA MS-RPC REMOTE SHELL COMMAND EXECUTION VULNERABILITY
BugTraq ID: 23972
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23972
Summary:
Samba is prone to a vulnerability that allows attackers to execute
arbitrary shell commands because the software fails to sanitize user-
supplied input.
An attacker may leverage this issue to execute arbitrary shell
commands on an affected computer with the privileges of the
application.
This issue affects Samba 3.0.0 to 3.0.25rc3.
SAMBA NDR RPC REQUEST MULTIPLE HEAP-BASED BUFFER OVERFLOW
VULNERABILITIES
BugTraq ID: 23973
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23973
Summary:
Samba is prone to multiple remote heap-based buffer-overflow
vulnerabilities because it fails to properly bounds-check user-
supplied data before copying it to an insufficiently sized
memory buffer.
An attacker can exploit these issues to execute arbitrary code with
superuser privileges, facilitating the complete remote compromise of
affected computers. Failed exploit attempts will result in a denial
of service.
These issues affect Samba 3.0.25rc3 and prior versions.
SAMBA SID NAMES LOCAL PRIVILEGE ESCALATION VULNERABILITY
BugTraq ID: 23974
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23974
Summary:
Samba is prone to a local privilege-escalation vulnerability due to
a logic error in the 'smbd' daemon's internal security stack.
An attacker can exploit this issue to temporarily perform SMB/CIFS
operations with superuser privileges. The attacker may leverage this
issue to gain superuser access to the server.
Samba 3.0.23d through 3.0.25pre2 are vulnerable.
SAMBA SERVER VFS PLUGIN AFSACL.SO REMOTE FORMAT STRING VULNERABILITY
BugTraq ID: 22403
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22403
Summary:
Samba is prone to a remote format-string vulnerability because the
application fails to properly sanitize user-supplied input before
including it in the format-specifier argument of a formatted-
printing function.
Successfully exploiting this issue allows remote attackers to
execute arbitrary machine code in the context of users running the
affected application. This facilitates the remote compromise of
affected computers.
Samba versions 3.06 to 3.0.23d are vulnerable.
SPAMASSASSIN LONG URI HANDLING REMOTE DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 22584
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22584
Summary:
SpamAssassin is prone to a remote denial-of-service vulnerability.
This issue arises when the application handles excessively
long URIs.
SpamAssassin versions prior to 3.1.8 are vulnerable to this issue.
T-COM SPEEDPORT ROUTER BRUTE FORCE SECURITY BYPASS WEAKNESS
BugTraq ID: 23967
Last Updated: 2007-05-14
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23967
Summary:
T-Com Speedport firmware is prone to a security-bypass weakness
because it fails to protect against brute-force attacks.
An attacker can exploit this issue to perform brute-force attacks in
an attempt to gain administrative access.
Successful attacks can result in the complete compromise of the
affected device.
Speedport w700v is vulnerable; other versions may also be affected.
[ firmware ]
TCPDUMP IEEE802.11 PRINTER REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 22772
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22772
Summary:
The 'tcpdump' utility is prone to a heap-based buffer-overflow
vulnerability because it fails to bounds-check user-supplied input
before copying it into an insufficiently sized memory buffer.
An attacker can exploit this issue to execute arbitrary malicious
code in the context of the user running the affected application.
Failed exploit attempts will likely crash the affected application.
This issue affects tcpdump 3.9.5 and prior versions.
TETEX MKIND.C REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23872
Last Updated: 2007-05-08
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23872
Summary:
teTeX is prone to a buffer-overflow vulnerability because it fails
to sufficiently perform boundary checks on user-supplied input
before copying it to an insufficiently sized memory buffer.
Remote attackers may exploit this issue by enticing victims into
opening a malicious file using the affected application.
Attackers can exploit this issue to execute arbitrary code with the
privileges of an unsuspecting user. A successful attack can
facilitate the compromise of vulnerable computers. Failed exploit
attempts will likely result in denial-of-service conditions.
This issue affects teTeX 2.0.2 and 3.0.0; other versions may also be
vulnerable.
TINYIDENTD REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23981
Last Updated: 2007-05-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23981
Summary:
TinyIdentD is prone to a buffer-overflow vulnerability because the
application fails to properly bounds-check user-supplied data before
copying it to an insufficiently sized memory buffer.
Exploiting this issue allows attackers to execute arbitrary machine
code in the context of the running application.
TinyIdentD 2.2 and previous versions are vulnerable to this issue.
TROLLTECH QT UTF-8 SEQUENCES INPUT VALIDATION VULNERABILITY
BugTraq ID: 23269
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23269
Summary:
Trolltech QT is prone to an input-validation vulnerability because
the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to exploit other issues in
applications that employ the affected library. A successful attack
may allow the attacker to execute arbitrary HTML and script code in
the browser of an unsuspecting user in the context of the affected
site. This may help the attacker steal cookie-based authentication
credentials and launch other attacks.
Qt 3.3.8 and 4.2.3 are known to be vulnerable to this issue; other
versions may be affected as well.
UTIL-LINUX UMOUNT FILESYSTEM NULL POINTER DEREFERENCE VULNERABILITY
BugTraq ID: 22850
Last Updated: 2007-05-23
Remote: No
Relevant URL: http://www.securityfocus.com/bid/22850
Summary:
Util-Linux 'umount' is prone to a NULL-pointer dereference
vulnerability.
A local attacker can exploit this issue to crash the affected
application, denying service to legitimate users. The attacker may
also be able to obtain sensitive information, including the contents
of core files.
Util-Linux Umount implemented on Linux kernel 2.6.15 is reported
vulnerable to this issue.
VIM FEEDKEYS AND WRITEFILE FUNCTIONS REMOTE CODE EXECUTION
VULNERABILITIES
BugTraq ID: 23725
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23725
Summary:
VIM is prone to multiple vulnerabilities that permit a remote
attacker to execute arbitrary code.
The attacker could exploit these issues by enticing a victim to load
a malicious file. A successful exploit could allow arbitrary code to
run within the context of the affected application.
WEBDESPROXY GET REQUEST BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 23962
Last Updated: 2007-05-15
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/23962
Summary:
Webdesproxy is prone to a buffer-overflow vulnerability because it
fails to adequately bounds-check user-supplied data before copying
it to an insufficiently sized buffer.
Attackers can exploit this issue to cause denial-of-service
conditions and possibly to execute arbitrary code with the
privileges of the application.
X.ORG LIBXFONT MULTIPLE INTEGER OVERFLOW VULNERABILITIES
BugTraq ID: 23283
Last Updated: 2007-05-08
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23283
Summary:
The 'libXfont' library is prone to multiple local integer-overflow
vulnerabilities because it fails to adequately bounds-check user-
supplied data.
An attacker can exploit these vulnerabilities to execute arbitrary
code with superuser privileges. Failed exploit attempts will likely
cause denial-of-service conditions.
These issues affect libXfont 1.2.2; other versions may also be
vulnerable.
X.ORG X11 XC-MISC EXTENSION INTEGER OVERFLOW VULNERABILITY
BugTraq ID: 23284
Last Updated: 2007-05-08
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23284
Summary:
X11 is prone to a local integer-overflow vulnerability because it
fails to adequately bounds-check user-supplied input.
An attacker can exploit this vulnerability to execute arbitrary code
with superuser privileges. Failed exploit attempts will likely cause
denial-of-service conditions.
XFSDUMP XFS_FSR INSECURE TEMPORARY FILE CREATION VULNERABILITY
BugTraq ID: 23922
Last Updated: 2007-05-30
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23922
Summary:
The xfsdump 'xfs_fsr' utility creates temporary files in an
insecure manner.
An attacker with local access could potentially exploit this issue
to perform symlink attacks, overwriting arbitrary files in the
context of the affected application.
Successfully exploiting a symlink attack may allow the attacker to
overwrite or corrupt sensitive files. This may result in a denial of
service; other attacks may also be possible.
This issue affects xfsdump 2.2.38; other versions may be
affected as well.
XFREE86 MULTIPLE UNSPECIFIED INTEGER OVERFLOW VULNERABILITIES
BugTraq ID: 8514
Last Updated: 2007-05-30
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/8514
Summary:
Multiple integer-overflow vulnerabilities have been discovered in
the XFree86 font libraries. The problem occurs because of
insufficient sanity checks on integers passed to clients from an X
font server. As a result, an unexpected buffer overrun may occur
within the stack or heap space of process memory. An attacker
could potentially exploit this to execute arbitrary code within a
target X client.
Precise technical details regarding these vulnerabilities are
currently unavailable; as further information is released, this BID
will be updated accordingly.
XINE DIRECTSHOW LOADER REMOTE BUFFER OVERFLOW VULNERABILITY
BugTraq ID: 22933
Last Updated: 2007-05-31
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/22933
Summary:
Xine is prone to a remote buffer-overflow vulnerability because the
application fails to perform boundary checks before copying user-
supplied input into finite-sized buffers.
Successfully exploiting this issue allows remote attackers to
execute arbitrary machine code in the context of the application and
to compromise affected computers.
XSCREENSAVER LOCAL DENIAL OF SERVICE VULNERABILITY
BugTraq ID: 23783
Last Updated: 2007-05-14
Remote: No
Relevant URL: http://www.securityfocus.com/bid/23783
Summary:
Xscreensaver is prone to a local denial-of-service vulnerability.
Successful exploits will cause the xscreensaver daemon to crash,
unlock the screen, and allow unauthorized access to the
vulnerable computer.
Xscreensaver versions prior to 5.02 are vulnerable to this issue.
RDIFFWEB DIRECTORY TRAVERSAL VULNERABILITY
BugTraq ID: 24092
Last Updated: 2007-05-23
Remote: Yes
Relevant URL: http://www.securityfocus.com/bid/24092
Summary:
rdiffWeb is prone to a directory-traversal vulnerability because it
fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to retrieve arbitrary
files from the vulnerable system in the context of the webserver
process. Information obtained may aid in further attacks.
This issue affects rdiffWeb 0.3.5; other versions may also be
affected.
More information about the gull-annonces
mailing list