author | des <des@FreeBSD.org> | 2004-05-26 11:32:29 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2004-05-26 11:32:29 +0000 |
commit | 7568dff7f31dd4293d3c4eb7423028434baa2ebe (patch) | |
tree | 02578b84e29c33d4b06b903cb0c0e8cc2c8c9992 /security/vuxml | |
parent | 556713eb6b2a5b4de6caca9f889f71f99083e3da (diff) | |
download | FreeBSD-ports-7568dff7f31dd4293d3c4eb7423028434baa2ebe.zip FreeBSD-ports-7568dff7f31dd4293d3c4eb7423028434baa2ebe.tar.gz |
FreeBSD-SA-04:11
Diffstat (limited to 'security/vuxml')
-rw-r--r-- | security/vuxml/vuln.xml | 1256 |
1 files changed, 644 insertions, 612 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index bf0768b..4a2a0b8 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -30,6 +30,38 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="1db1ed59-af07-11d8-acb9-000d610a3b12"> + <topic>buffer cache invalidation implementation issues</topic> + <affects> + <system> + <name>FreeBSD</name> + <range><ge>5.0</ge><lt>5.2_8</lt></range> + <range><ge>4.9</ge><lt>4.9_9</lt></range> + <range><ge>4.0</ge><lt>4.8_22</lt></range> + </system> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Programming errors in the implementation of the msync(2) + system call involving the MS_INVALIDATE operation lead to + cache consistency problems between the virtual memory system + and on-disk contents.</p> + + <p>In some situations, a user with read access to a file may + be able to prevent changes to that file from being committed + to disk.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0435</cvename> + <freebsdsa>SA-04:11.msync</freebsdsa> + </references> + <dates> + <discovery>2004-04-24</discovery> + <entry>2004-05-26</entry> + </dates> + </vuln> + <vuln vid="f7a3b18c-624c-4703-9756-b6b27429e5b0"> <topic>leafnode denial-of-service triggered by article request</topic> <affects> 
@@ -145,10 +177,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <p>Stefan Esser reports:</p> <blockquote cite="http://security.e-matters.de/advisories/082004.html"> - <p>Subversion versions up to 1.0.2 are vulnerable to a date - parsing vulnerability which can be abused to allow remote - code execution on Subversion servers and therefore could - lead to a repository compromise.</p> + <p>Subversion versions up to 1.0.2 are vulnerable to a date + parsing vulnerability which can be abused to allow remote + code execution on Subversion servers and therefore could + lead to a repository compromise.</p> </blockquote> <p><em>NOTE:</em> This vulnerability is similar to the date parsing issue that affected neon. However, it is a different @@ -178,15 +210,15 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <p>Stefan Esser reports:</p> <blockquote cite="http://security.e-matters.de/advisories/062004.html"> - <p>A vulnerability within a libneon date parsing function - could cause a heap overflow which could lead to remote - code execution, depending on the application using - libneon.</p> + <p>A vulnerability within a libneon date parsing function + could cause a heap overflow which could lead to remote + code execution, depending on the application using + libneon.</p> </blockquote> - <p>The vulnerability is in the function ne_rfc1036_parse, - which is in turn used by the function ne_httpdate_parse. - Applications using either of these neon functions may be - vulnerable.</p> + <p>The vulnerability is in the function ne_rfc1036_parse, + which is in turn used by the function ne_httpdate_parse. + Applications using either of these neon functions may be + vulnerable.</p> </body> </description> <references> 
@@ -214,10 +246,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Due to a programming error in code used to parse data - received from the client, malformed data can cause a heap - buffer to overflow, allowing the client to overwrite - arbitrary portions of the server's memory.</p> + <p>Due to a programming error in code used to parse data + received from the client, malformed data can cause a heap + buffer to overflow, allowing the client to overwrite + arbitrary portions of the server's memory.</p> <p>A malicious CVS client can exploit this to run arbitrary code on the server at the privilege level of the CVS server software.</p> @@ -277,7 +309,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <topic>MySQL insecure temporary file creation (mysqlbug)</topic> <affects> <package> - <name>mysql-client</name> + <name>mysql-client</name> <range><ge>4.0</ge><lt>4.0.20</lt></range> <range><ge>4.1</ge><lt>4.1.1_2</lt></range> <range><ge>5.0</ge><lt>5.0.0_2</lt></range> 
@@ -348,22 +380,22 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <topic>fsp buffer overflow and directory traversal vulnerabilities</topic> <affects> <package> - <name>fspd</name> - <range><lt>2.8.1.19</lt></range> + <name>fspd</name> + <range><lt>2.8.1.19</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The <a href="http://www.debian.org/security">Debian - security team</a> reported a pair of vulnerabilities in - fsp:</p> - <blockquote cite="http://www.debian.org/security/2004/dsa-416"> - <p>A vulnerability was discovered in fsp, client utilities - for File Service Protocol (FSP), whereby a remote user could - both escape from the FSP root directory (CAN-2003-1022), and - also overflow a fixed-length buffer to execute arbitrary - code (CAN-2004-0011).</p> - </blockquote> + <p>The <a href="http://www.debian.org/security">Debian + security team</a> reported a pair of vulnerabilities in + fsp:</p> + <blockquote cite="http://www.debian.org/security/2004/dsa-416"> + <p>A vulnerability was discovered in fsp, client utilities + for File Service Protocol (FSP), whereby a remote user could + both escape from the FSP root directory (CAN-2003-1022), and + also overflow a fixed-length buffer to execute arbitrary + code (CAN-2004-0011).</p> + </blockquote> </body> </description> <references> @@ -388,10 +420,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Jindrich Makovicka reports a regression in proftpd's - handling of IP address access control lists (IP ACLs). Due - to this regression, some IP ACLs are treated as ``allow - all''.</p> + <p>Jindrich Makovicka reports a regression in proftpd's + handling of IP address access control lists (IP ACLs). Due + to this regression, some IP ACLs are treated as ``allow + all''.</p> </body> </description> <references> 
@@ -416,10 +448,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>The Cyrus team reported multiple vulnerabilities in older - versions of Cyrus IMSPd:</p> + versions of Cyrus IMSPd:</p> <blockquote cite="http://marc.theaimsgroup.com/?l=cyrus-announce&m=107150355226926"> - <p>These releases correct a recently discovered buffer - overflow vulnerability, as well as clean up a significant + <p>These releases correct a recently discovered buffer + overflow vulnerability, as well as clean up a significant amount of buffer handling throughout the code.</p> </blockquote> </body> @@ -444,7 +476,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Some scripts installed with xine create temporary files + <p>Some scripts installed with xine create temporary files insecurely. It is recommended that these scripts (xine-check, xine-bugreport) not be used. They are not needed for normal operation.</p> @@ -465,19 +497,19 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <topic>exim buffer overflow when verify = header_syntax is used</topic> <affects> <package> - <name>exim</name> - <name>exim-ldap2</name> - <name>exim-mysql</name> - <name>exim-postgresql</name> - <range><lt>4.33+20_1</lt></range> + <name>exim</name> + <name>exim-ldap2</name> + <name>exim-mysql</name> + <name>exim-postgresql</name> + <range><lt>4.33+20_1</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A remote exploitable buffer overflow has been discovered - in exim when verify = header_syntax is used in the - configuration file. This does not affect the default - configuration.</p> + <p>A remote exploitable buffer overflow has been discovered + in exim when verify = header_syntax is used in the + configuration file. This does not affect the default + configuration.</p> </body> </description> <references> 
@@ -534,22 +566,22 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>An input validation error was discovered in the kadmind - code that handles the framing of Kerberos 4 compatibility - administration requests. The code assumed that the length - given in the framing was always two or more bytes. Smaller - lengths will cause kadmind to read an arbitrary amount of - data into a minimally-sized buffer on the heap.</p> - <p>A remote attacker may send a specially formatted message - to kadmind, causing it to crash or possibly resulting in - arbitrary code execution.</p> - <p>The kadmind daemon is part of Kerberos 5 support. However, - this bug will only be present if kadmind was built with + <p>An input validation error was discovered in the kadmind + code that handles the framing of Kerberos 4 compatibility + administration requests. The code assumed that the length + given in the framing was always two or more bytes. Smaller + lengths will cause kadmind to read an arbitrary amount of + data into a minimally-sized buffer on the heap.</p> + <p>A remote attacker may send a specially formatted message + to kadmind, causing it to crash or possibly resulting in + arbitrary code execution.</p> + <p>The kadmind daemon is part of Kerberos 5 support. However, + this bug will only be present if kadmind was built with additional Kerberos 4 support. Thus, only systems that have *both* Heimdal Kerberos 5 and Kerberos 4 installed might be affected.</p> - <p><em>NOTE:</em> On FreeBSD 4 systems, `kadmind' may be - installed as `k5admind'.</p> + <p><em>NOTE:</em> On FreeBSD 4 systems, `kadmind' may be + installed as `k5admind'.</p> </body> </description> <references> 
@@ -578,21 +610,21 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Two programming errors were discovered in which path names - handled by CVS were not properly validated. In one case, - the CVS client accepts absolute path names from the server - when determining which files to update. In another case, - the CVS server accepts relative path names from the client - when determining which files to transmit, including those - containing references to parent directories (`../').</p> - <p>These programming errors generally only have a security + <p>Two programming errors were discovered in which path names + handled by CVS were not properly validated. In one case, + the CVS client accepts absolute path names from the server + when determining which files to update. In another case, + the CVS server accepts relative path names from the client + when determining which files to transmit, including those + containing references to parent directories (`../').</p> + <p>These programming errors generally only have a security impact when dealing with remote CVS repositories.</p> - <p>A malicious CVS server may cause a CVS client to overwrite + <p>A malicious CVS server may cause a CVS client to overwrite arbitrary files on the client's system.</p> - <p>A CVS client may request RCS files from a remote system - other than those in the repository specified by $CVSROOT. - These RCS files need not be part of any CVS repository - themselves.</p> + <p>A CVS client may request RCS files from a remote system + other than those in the repository specified by $CVSROOT. + These RCS files need not be part of any CVS repository + themselves.</p> </body> </description> <references> 
@@ -619,26 +651,26 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The kernel interface for creating a snapshot of a - filesystem is the same as that for changing the flags on + <p>The kernel interface for creating a snapshot of a + filesystem is the same as that for changing the flags on that filesystem. Due to an oversight, the <a href="http://www.freebsd.org/cgi/man.cgi?query=mksnap_ffs">mksnap_ffs(8)</a> - command called that interface with only the snapshot flag - set, causing all other flags to be reset to the default + command called that interface with only the snapshot flag + set, causing all other flags to be reset to the default value.</p> - <p>A regularly scheduled backup of a live filesystem, or - any other process that uses the mksnap_ffs command - (for instance, to provide a rough undelete functionality - on a file server), will clear any flags in effect on the - filesystem being snapshot. Possible consequences depend - on local usage, but can include disabling extended access - control lists or enabling the use of setuid executables + <p>A regularly scheduled backup of a live filesystem, or + any other process that uses the mksnap_ffs command + (for instance, to provide a rough undelete functionality + on a file server), will clear any flags in effect on the + filesystem being snapshot. Possible consequences depend + on local usage, but can include disabling extended access + control lists or enabling the use of setuid executables stored on an untrusted filesystem.</p> - <p>The mksnap_ffs command is normally only available to - the superuser and members of the `operator' group. 
There - is therefore no risk of a user gaining elevated privileges - directly through use of the mksnap_ffs command unless - it has been intentionally made available to unprivileged - users.</p> + <p>The mksnap_ffs command is normally only available to + the superuser and members of the `operator' group. There + is therefore no risk of a user gaining elevated privileges + directly through use of the mksnap_ffs command unless + it has been intentionally made available to unprivileged + users.</p> </body> </description> <references> @@ -668,14 +700,14 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>A programming error in the <a href="http://www.freebsd.org/cgi/man.cgi?query=shmat">shmat(2)</a> system call can result - in a shared memory segment's reference count being erroneously + in a shared memory segment's reference count being erroneously incremented.</p> - <p>It may be possible to cause a shared memory segment to - reference unallocated kernel memory, but remain valid. - This could allow a local attacker to gain read or write - access to a portion of kernel memory, resulting in sensitive - information disclosure, bypass of access control mechanisms, - or privilege escalation. </p> + <p>It may be possible to cause a shared memory segment to + reference unallocated kernel memory, but remain valid. + This could allow a local attacker to gain read or write + access to a portion of kernel memory, resulting in sensitive + information disclosure, bypass of access control mechanisms, + or privilege escalation. </p> </body> </description> <references> 
@@ -702,15 +734,15 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>A programming error has been found in the <a href="http://www.freebsd.org/cgi/man.cgi?query=jail_attach">jail_attach(2)</a> - system call which affects the way that system call verifies - the privilege level of the calling process. Instead of - failing immediately if the calling process was already - jailed, the jail_attach system call would fail only after + system call which affects the way that system call verifies + the privilege level of the calling process. Instead of + failing immediately if the calling process was already + jailed, the jail_attach system call would fail only after changing the calling process's root directory.</p> - <p>A process with superuser privileges inside a jail could - change its root directory to that of a different jail, - and thus gain full read and write access to files and - directories within the target jail. </p> + <p>A process with superuser privileges inside a jail could + change its root directory to that of a different jail, + and thus gain full read and write access to files and + directories within the target jail. </p> </body> </description> <references> 
@@ -738,14 +770,14 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>FreeBSD does not limit the number of TCP segments that - may be held in a reassembly queue. A remote attacker may - conduct a low-bandwidth denial-of-service attack against - a machine providing services based on TCP (there are many - such services, including HTTP, SMTP, and FTP). By sending - many out-of-sequence TCP segments, the attacker can cause - the target machine to consume all available memory buffers - (``mbufs''), likely leading to a system crash. </p> + <p>FreeBSD does not limit the number of TCP segments that + may be held in a reassembly queue. A remote attacker may + conduct a low-bandwidth denial-of-service attack against + a machine providing services based on TCP (there are many + such services, including HTTP, SMTP, and FTP). By sending + many out-of-sequence TCP segments, the attacker can cause + the target machine to consume all available memory buffers + (``mbufs''), likely leading to a system crash. </p> </body> </description> <references> 
@@ -772,14 +804,14 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <body xmlns="http://www.w3.org/1999/xhtml"> <p>From the FreeBSD Security Advisory:</p> <blockquote> - <p>A programming error in the handling of some IPv6 socket + <p>A programming error in the handling of some IPv6 socket options within the <a href="http://www.freebsd.org/cgi/man.cgi?query=setsockopt">setsockopt(2)</a> system call may result - in memory locations being accessed without proper - validation.</p> - <p>It may be possible for a local attacker to read portions - of kernel memory, resulting in disclosure of sensitive - information. A local attacker can cause a system - panic.</p> + in memory locations being accessed without proper + validation.</p> + <p>It may be possible for a local attacker to read portions + of kernel memory, resulting in disclosure of sensitive + information. A local attacker can cause a system + panic.</p> </blockquote> </body> </description> @@ -803,7 +835,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <range><lt>0.9.7d</lt></range> </package> <system> - <name>FreeBSD</name> + <name>FreeBSD</name> <range><ge>4.0</ge><lt>4.8_17</lt></range> <range><ge>4.9</ge><lt>4.9_4</lt></range> <range><ge>5.0</ge><lt>5.1_16</lt></range> 
@@ -834,32 +866,32 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <topic>bind8 negative cache poison attack</topic> <affects> <package> - <name>bind</name> - <range><ge>8.3</ge><lt>8.3.7</lt></range> - <range><ge>8.4</ge><lt>8.4.3</lt></range> + <name>bind</name> + <range><ge>8.3</ge><lt>8.3.7</lt></range> + <range><ge>8.4</ge><lt>8.4.3</lt></range> </package> <system> - <name>FreeBSD</name> - <range><ge>5.1</ge><lt>5.1_11</lt></range> - <range><ge>5.0</ge><lt>5.0_19</lt></range> - <range><ge>4.9</ge><lt>4.9_1</lt></range> - <range><ge>4.8</ge><lt>4.8_14</lt></range> - <range><ge>4.7</ge><lt>4.7_24</lt></range> - <range><ge>4.6</ge><lt>4.6.2_27</lt></range> - <range><ge>4.5</ge><lt>4.5_37</lt></range> - <range><lt>4.4_47</lt></range> + <name>FreeBSD</name> + <range><ge>5.1</ge><lt>5.1_11</lt></range> + <range><ge>5.0</ge><lt>5.0_19</lt></range> + <range><ge>4.9</ge><lt>4.9_1</lt></range> + <range><ge>4.8</ge><lt>4.8_14</lt></range> + <range><ge>4.7</ge><lt>4.7_24</lt></range> + <range><ge>4.6</ge><lt>4.6.2_27</lt></range> + <range><ge>4.5</ge><lt>4.5_37</lt></range> + <range><lt>4.4_47</lt></range> </system> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A programming error in BIND 8 named can result in a DNS - message being incorrectly cached as a negative response. As - a result, an attacker may arrange for malicious DNS messages - to be delivered to a target name server, and cause that name - server to cache a negative response for some target domain - name. The name server would thereafter respond negatively - to legitimate queries for that domain name, resulting in a - denial-of-service for applications that require DNS.</p> + <p>A programming error in BIND 8 named can result in a DNS + message being incorrectly cached as a negative response. 
As + a result, an attacker may arrange for malicious DNS messages + to be delivered to a target name server, and cause that name + server to cache a negative response for some target domain + name. The name server would thereafter respond negatively + to legitimate queries for that domain name, resulting in a + denial-of-service for applications that require DNS.</p> </body> </description> <references> @@ -1035,10 +1067,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <body xmlns="http://www.w3.org/1999/xhtml"> <p>From the xinehq advisory:</p> <blockquote cite="http://www.xinehq.de/index.php/security/XSA-2004-1"> - <p>By opening a malicious MRL in any xine-lib based media - player, an attacker can write arbitrary content to an - arbitrary file, only restricted by the permissions of the - user running the application.</p> + <p>By opening a malicious MRL in any xine-lib based media + player, an attacker can write arbitrary content to an + arbitrary file, only restricted by the permissions of the + user running the application.</p> </blockquote> <p>The flaw is a result of a feature that allows MRLs (media resource locator URIs) to specify arbitrary configuration 
@@ -1098,13 +1130,13 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <p>An unknown remotely exploitable vulnerability was disclosed. Robert Segall writes:</p> <blockquote cite="http://www.apsis.ch/pound/pound_list/archive/2003/2003-12/1070234315000"> - <p>a security vulnerability was brought to my attention - (many thanks to Akira Higuchi). Everyone running any - previous version should upgrade to 1.6 immediately - the - vulnerability may allow a remote exploit. No exploits are - currently known and none have been observed in the wild - till now. The danger is minimised if you run Pound in a - root jail and/or you run Pound as non-root user.</p> + <p>a security vulnerability was brought to my attention + (many thanks to Akira Higuchi). Everyone running any + previous version should upgrade to 1.6 immediately - the + vulnerability may allow a remote exploit. No exploits are + currently known and none have been observed in the wild + till now. The danger is minimised if you run Pound in a + root jail and/or you run Pound as non-root user.</p> </blockquote> </body> </description> @@ -1131,10 +1163,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Greuff reports that the neon WebDAV client library contains - several format string bugs within error reporting code. A - malicious server may exploit these bugs by sending specially - crafted PROPFIND or PROPPATCH responses.</p> + <p>Greuff reports that the neon WebDAV client library contains + several format string bugs within error reporting code. A + malicious server may exploit these bugs by sending specially + crafted PROPFIND or PROPPATCH responses.</p> <p>Although several applications include neon, such as cadaver and subversion, the FreeBSD Ports of these applications are not impacted. They are specifically configured to NOT use the 
@@ -1163,8 +1195,8 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The common.php script always trusts the `X-Forwarded-For' - header in the client's HTTP request. A remote user could + <p>The common.php script always trusts the `X-Forwarded-For' + header in the client's HTTP request. A remote user could forge this header in order to bypass any IP address access control lists (ACLs).</p> </body> @@ -1219,11 +1251,11 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Jack of RaptureSecurity reported a double byte buffer - overflow in ident2. The bug may allow a remote attacker to - execute arbitrary code within the context of the ident2 - daemon. The daemon typically runs as user-ID `nobody', but - with group-ID `wheel'.</p> + <p>Jack of RaptureSecurity reported a double byte buffer + overflow in ident2. The bug may allow a remote attacker to + execute arbitrary code within the context of the ident2 + daemon. The daemon typically runs as user-ID `nobody', but + with group-ID `wheel'.</p> </body> </description> <references> @@ -1246,9 +1278,9 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A buffer overflow is present in some versions of the KDE - personal information manager (kdepim) which may be triggered - when processing a specially crafted VCF file.</p> + <p>A buffer overflow is present in some versions of the KDE + personal information manager (kdepim) which may be triggered + when processing a specially crafted VCF file.</p> </body> </description> <references> 
@@ -1265,29 +1297,29 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <topic>Vulnerabilities in H.323 implementations</topic> <affects> <package> - <name>pwlib</name> - <range><lt>1.6.0</lt></range> + <name>pwlib</name> + <range><lt>1.6.0</lt></range> </package> <package> - <name>asterisk</name> - <range><le>0.7.2</le></range> + <name>asterisk</name> + <range><le>0.7.2</le></range> </package> <package> - <name>openh323</name> - <range><lt>1.13.0</lt></range> + <name>openh323</name> + <range><lt>1.13.0</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The <a href="http://www.niscc.gov.uk/">NISCC</a> and the <a href="http://www.ee.oulu.fi/research/ouspg/">OUSPG</a> - developed a test suite for the H.323 protocol. This test - suite has uncovered vulnerabilities in several H.323 - implementations with impacts ranging from denial-of-service - to arbitrary code execution.</p> - <p>In the FreeBSD Ports Collection, `pwlib' is directly - affected. Other applications such as `asterisk' and - `openh323' incorporate `pwlib' statically and so are also - independently affected.</p> + <p>The <a href="http://www.niscc.gov.uk/">NISCC</a> and the <a href="http://www.ee.oulu.fi/research/ouspg/">OUSPG</a> + developed a test suite for the H.323 protocol. This test + suite has uncovered vulnerabilities in several H.323 + implementations with impacts ranging from denial-of-service + to arbitrary code execution.</p> + <p>In the FreeBSD Ports Collection, `pwlib' is directly + affected. Other applications such as `asterisk' and + `openh323' incorporate `pwlib' statically and so are also + independently affected.</p> </body> </description> <references> 
@@ -1317,13 +1349,13 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>When racoon receives an ISAKMP header, it will attempt to - allocate sufficient memory for the entire ISAKMP message - according to the header's length field. If an attacker - crafts an ISAKMP header with a ridiculously large value - in the length field, racoon may exceed operating system - resource limits and be terminated, resulting in a denial of - service.</p> + <p>When racoon receives an ISAKMP header, it will attempt to + allocate sufficient memory for the entire ISAKMP message + according to the header's length field. If an attacker + crafts an ISAKMP header with a ridiculously large value + in the length field, racoon may exceed operating system + resource limits and be terminated, resulting in a denial of + service.</p> </body> </description> <references> @@ -1380,10 +1412,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Chad Loder has discovered vulnerabilities in tcpdump's - ISAKMP protocol handler. During an audit to repair these - issues, Bill Fenner discovered some related problems.</p> - <p>These vulnerabilities may be used by an attacker to crash a + <p>Chad Loder has discovered vulnerabilities in tcpdump's + ISAKMP protocol handler. During an audit to repair these + issues, Bill Fenner discovered some related problems.</p> + <p>These vulnerabilities may be used by an attacker to crash a running `tcpdump' process. They can only be triggered if the `-v' command line option is being used.</p> <p>NOTE: the racoon ISAKMP/IKE daemon incorporates the ISAKMP 
@@ -1447,10 +1479,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Ralf Spenneberg discovered a serious flaw in racoon. - When using Phase 1 main or aggressive mode, racoon does - not verify the client's RSA signature. Any installations - using <em>X.509 authentication</em> are <strong>strongly + <p>Ralf Spenneberg discovered a serious flaw in racoon. + When using Phase 1 main or aggressive mode, racoon does + not verify the client's RSA signature. Any installations + using <em>X.509 authentication</em> are <strong>strongly urged</strong> to upgrade.</p> <p>Installations using <em>pre-shared keys</em> are believed to be unaffected.</p> 
@@ -1470,39 +1502,39 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <topic>Several remotely exploitable buffer overflows in gaim</topic> <affects> <package> - <name>gaim</name> - <range><lt>0.75_3</lt></range> - <range><eq>0.75_5</eq></range> + <name>gaim</name> + <range><lt>0.75_3</lt></range> + <range><eq>0.75_5</eq></range> <range><eq>0.76</eq></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Stefan Esser of e-matters found almost a dozen remotely - exploitable vulnerabilities in Gaim. From the e-matters - advisory:</p> - <blockquote cite="http://security.e-matters.de/advisories/012004.txt"> - <p>While developing a custom add-on, an integer overflow - in the handling of AIM DirectIM packets was revealed that - could lead to a remote compromise of the IM client. After - disclosing this bug to the vendor, they had to make a - hurried release because of a change in the Yahoo connection - procedure that rendered GAIM useless. Unfourtunately at the - same time a closer look onto the sourcecode revealed 11 more - vulnerabilities.</p> - - <p>The 12 identified problems range from simple standard - stack overflows, over heap overflows to an integer overflow - that can be abused to cause a heap overflow. Due to the - nature of instant messaging many of these bugs require - man-in-the-middle attacks between client and server. But the - underlying protocols are easy to implement and MIM attacks - on ordinary TCP sessions is a fairly simple task.</p> - - <p>In combination with the latest kernel vulnerabilities or - the habit of users to work as root/administrator these bugs - can result in remote root compromises.</p> - </blockquote> + <p>Stefan Esser of e-matters found almost a dozen remotely + exploitable vulnerabilities in Gaim. 
From the e-matters + advisory:</p> + <blockquote cite="http://security.e-matters.de/advisories/012004.txt"> + <p>While developing a custom add-on, an integer overflow + in the handling of AIM DirectIM packets was revealed that + could lead to a remote compromise of the IM client. After + disclosing this bug to the vendor, they had to make a + hurried release because of a change in the Yahoo connection + procedure that rendered GAIM useless. Unfourtunately at the + same time a closer look onto the sourcecode revealed 11 more + vulnerabilities.</p> + + <p>The 12 identified problems range from simple standard + stack overflows, over heap overflows to an integer overflow + that can be abused to cause a heap overflow. Due to the + nature of instant messaging many of these bugs require + man-in-the-middle attacks between client and server. But the + underlying protocols are easy to implement and MIM attacks + on ordinary TCP sessions is a fairly simple task.</p> + + <p>In combination with the latest kernel vulnerabilities or + the habit of users to work as root/administrator these bugs + can result in remote root compromises.</p> + </blockquote> </body> </description> <references> @@ -1529,7 +1561,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Philippe Oechslin reported a denial-of-service vulnerability + <p>Philippe Oechslin reported a denial-of-service vulnerability in oftpd. The oftpd server can be crashed by sending a PORT command containing an integer over 8 bits long (over 255).</p> </body> 
@@ -1573,16 +1605,16 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. From the release notes for the corrected versions of the Courier set of mail services:</p> <blockquote> - <p>iso2022jp.c: Converters became (upper-)compatible with - ISO-2022-JP (RFC1468 / JIS X 0208:1997 Annex 2) and - ISO-2022-JP-1 (RFC2237). Buffer overflow vulnerability - (when Unicode character is out of BMP range) has been - closed. Convert error handling was implemented.</p> - <p>shiftjis.c: Broken SHIFT_JIS converters has been fixed - and became (upper-)compatible with Shifted Encoding Method - (JIS X 0208:1997 Annex 1). Buffer overflow vulnerability - (when Unicode character is out of BMP range) has been - closed. Convert error handling was implemented.</p> + <p>iso2022jp.c: Converters became (upper-)compatible with + ISO-2022-JP (RFC1468 / JIS X 0208:1997 Annex 2) and + ISO-2022-JP-1 (RFC2237). Buffer overflow vulnerability + (when Unicode character is out of BMP range) has been + closed. Convert error handling was implemented.</p> + <p>shiftjis.c: Broken SHIFT_JIS converters has been fixed + and became (upper-)compatible with Shifted Encoding Method + (JIS X 0208:1997 Annex 1). Buffer overflow vulnerability + (when Unicode character is out of BMP range) has been + closed. Convert error handling was implemented.</p> </blockquote> </body> </description> 
@@ -1611,12 +1643,12 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <p>Numerous errors in isakmpd's input packet validation lead to denial-of-service vulnerabilities. From the Rapid7 advisory:</p> <blockquote cite="http://www.rapid7.com/advisories/R7-0018.html"> - <p>The ISAKMP packet processing functions in OpenBSD's - isakmpd daemon contain multiple payload handling flaws - that allow a remote attacker to launch a denial of - service attack against the daemon.</p> - <p>Carefully crafted ISAKMP packets will cause the isakmpd - daemon to attempt out-of-bounds reads, exhaust available + <p>The ISAKMP packet processing functions in OpenBSD's + isakmpd daemon contain multiple payload handling flaws + that allow a remote attacker to launch a denial of + service attack against the daemon.</p> + <p>Carefully crafted ISAKMP packets will cause the isakmpd + daemon to attempt out-of-bounds reads, exhaust available memory, or loop endlessly (consuming 100% of the CPU).</p> </blockquote> </body> 
@@ -1651,21 +1683,21 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <p>A denial-of-service issue was reported by Jeff Trawick. From the CVS commit log for the fix:</p> <blockquote cite=""> - <p>Fix starvation issue on listening sockets where a - short-lived connection on a rarely-accessed listening - socket will cause a child to hold the accept mutex and - block out new connections until another connection arrives - on that rarely-accessed listening socket. With Apache - 2.x there is no performance concern about enabling the - logic for platforms which don't need it, so it is enabled - everywhere except for Win32.</p> + <p>Fix starvation issue on listening sockets where a + short-lived connection on a rarely-accessed listening + socket will cause a child to hold the accept mutex and + block out new connections until another connection arrives + on that rarely-accessed listening socket. With Apache + 2.x there is no performance concern about enabling the + logic for platforms which don't need it, so it is enabled + everywhere except for Win32.</p> </blockquote> <p>It was determined that this issue does not affect FreeBSD systems. From the Apache security advisory:</p> <blockquote cite="http://www.apacheweek.com/features/security-20"> - <p>This issue is known to affect some versions of AIX, - Solaris, and Tru64; it is known to not affect FreeBSD or - Linux.</p> + <p>This issue is known to affect some versions of AIX, + Solaris, and Tru64; it is known to not affect FreeBSD or + Linux.</p> </blockquote> </body> </description> 
@@ -1694,7 +1726,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A remotely exploitable heap buffer overflow vulnerability was + <p>A remotely exploitable heap buffer overflow vulnerability was found in MPlayer's URL decoding code. If an attacker can cause MPlayer to visit a specially crafted URL, arbitrary code execution with the privileges of the user running MPlayer may @@ -1726,10 +1758,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <body xmlns="http://www.w3.org/1999/xhtml"> <p>From the Squid advisory:</p> <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2004_1.txt"> - <p>Squid versions 2.5.STABLE4 and earlier contain a bug - in the "%xx" URL decoding function. It may insert a NUL - character into decoded URLs, which may allow users to bypass - url_regex ACLs.</p> + <p>Squid versions 2.5.STABLE4 and earlier contain a bug + in the "%xx" URL decoding function. It may insert a NUL + character into decoded URLs, which may allow users to bypass + url_regex ACLs.</p> </blockquote> </body> </description> @@ -1758,9 +1790,9 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A remote attacker could cause zebra/quagga to crash by - sending a malformed telnet command to their management - port.</p> + <p>A remote attacker could cause zebra/quagga to crash by + sending a malformed telnet command to their management + port.</p> </body> </description> <references> 
@@ -1862,9 +1894,9 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Users with admin rights can severly damage an phpBB installation, - potentially triggered by viewing a page with a malicious link sent - by an attacker.</p> + <p>Users with admin rights can severly damage an phpBB installation, + potentially triggered by viewing a page with a malicious link sent + by an attacker.</p> </body> </description> <references> @@ -1889,10 +1921,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A security hole exists that can be used to crash the proxy and - execute arbitrary code. An exploit is circulating that takes - advantage of this, and in some cases succeeds in obtaining a login - shell on the machine.</p> + <p>A security hole exists that can be used to crash the proxy and + execute arbitrary code. An exploit is circulating that takes + advantage of this, and in some cases succeeds in obtaining a login + shell on the machine.</p> </body> </description> <references> @@ -1917,11 +1949,11 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A remote attacker may use specially crafted IKE/ISAKMP - messages to cause racoon to delete security associations. - This could result in denial-of-service or possibly cause - sensitive traffic to be transmitted in plaintext, depending - upon configuration.</p> + <p>A remote attacker may use specially crafted IKE/ISAKMP + messages to cause racoon to delete security associations. + This could result in denial-of-service or possibly cause + sensitive traffic to be transmitted in plaintext, depending + upon configuration.</p> </body> </description> <references> 
@@ -1941,15 +1973,15 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <topic>ModSecurity for Apache 2.x remote off-by-one overflow</topic> <affects> <package> - <name>mod_security</name> + <name>mod_security</name> <range><lt>1.7.5</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>When the directive "SecFilterScanPost" is enabled, - the Apache 2.x version of ModSecurity is vulnerable - to an off-by-one overflow</p> + <p>When the directive "SecFilterScanPost" is enabled, + the Apache 2.x version of ModSecurity is vulnerable + to an off-by-one overflow</p> </body> </description> <references> @@ -1980,10 +2012,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <p>Glenn Stewart reports a bug in wu-ftpd's ftpaccess `restricted-uid'/`restricted-gid' directives:</p> <blockquote> - <p>Users can get around the restriction to their home - directory by issuing a simple chmod command on their home - directory. On the next ftp log in, the user will have '/' - as their root directory.</p> + <p>Users can get around the restriction to their home + directory by issuing a simple chmod command on their home + directory. On the next ftp log in, the user will have '/' + as their root directory.</p> </blockquote> <p>Matt Zimmerman discovered that the cause of the bug was a missing check for a restricted user within a code path that 
@@ -2011,13 +2043,13 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Joe Orton reports a memory leak in Apache 2's mod_ssl. - A remote attacker may issue HTTP requests on an HTTPS - port, causing an error. Due to a bug in processing this - condition, memory associated with the connection is - not freed. Repeated requests can result in consuming - all available memory resources, probably resulting in - termination of the Apache process.</p> + <p>Joe Orton reports a memory leak in Apache 2's mod_ssl. + A remote attacker may issue HTTP requests on an HTTPS + port, causing an error. Due to a bug in processing this + condition, memory associated with the connection is + not freed. Repeated requests can result in consuming + all available memory resources, probably resulting in + termination of the Apache process.</p> </body> </description> <references> 
@@ -2074,19 +2106,19 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <topic>Buffer overflows in XFree86 servers</topic> <affects> <package> - <name>XFree86-Server</name> - <range><le>4.3.0_13</le></range> - <range><ge>4.3.99</ge><le>4.3.99.15_1</le></range> + <name>XFree86-Server</name> + <range><le>4.3.0_13</le></range> + <range><ge>4.3.99</ge><le>4.3.99.15_1</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A number of buffer overflows were recently discovered in - XFree86, prompted by initial discoveries by iDEFENSE. These - buffer overflows are present in the font alias handling. An - attacker with authenticated access to a running X server may - exploit these vulnerabilities to obtain root privileges on - the machine running the X server.</p> + <p>A number of buffer overflows were recently discovered in + XFree86, prompted by initial discoveries by iDEFENSE. These + buffer overflows are present in the font alias handling. An + attacker with authenticated access to a running X server may + exploit these vulnerabilities to obtain root privileges on + the machine running the X server.</p> </body> </description> <references> 
@@ -2110,34 +2142,34 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <topic>multiple buffer overflows in xboing</topic> <affects> <package> - <name>xboing</name> - <range><lt>2.4_2</lt></range> + <name>xboing</name> + <range><lt>2.4_2</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Steve Kemp reports (in a Debian bug submission):</p> - <blockquote cite="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174924"> - <p>Due to improper bounds checking it is possible for a - malicious user to gain a shell with membership group - 'games'. (The binary is installed setgid games).</p> - <p>Environmental variables are used without being bounds-checked - in any way, from the source code:</p> + <p>Steve Kemp reports (in a Debian bug submission):</p> + <blockquote cite="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174924"> + <p>Due to improper bounds checking it is possible for a + malicious user to gain a shell with membership group + 'games'. (The binary is installed setgid games).</p> + <p>Environmental variables are used without being bounds-checked + in any way, from the source code:</p> <pre> highscore.c: /* Use the environment variable if it exists */ if ((str = getenv("XBOING_SCORE_FILE")) != NULL) - strcpy(filename, str); + strcpy(filename, str); else - strcpy(filename, HIGH_SCORE_FILE); + strcpy(filename, HIGH_SCORE_FILE); misc.c: if ((ptr = getenv("HOME")) != NULL) - (void) strcpy(dest, ptr); + (void) strcpy(dest, ptr); </pre> - <p>Neither of these checks are boundschecked, and will allow - arbitary shell code to be run.</p> - </blockquote> + <p>Neither of these checks are boundschecked, and will allow + arbitary shell code to be run.</p> + </blockquote> </body> </description> <references> 
@@ -2156,19 +2188,19 @@ misc.c: <topic>metamail format string bugs and buffer overflows</topic> <affects> <package> - <name>metamail</name> - <range><lt>2.7_2</lt></range> + <name>metamail</name> + <range><lt>2.7_2</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Ulf Härnhammar reported four bugs in metamail: two are format - string bugs and two are buffer overflows. The bugs are in - SaveSquirrelFile(), PrintHeader(), and ShareThisHeader().</p> - <p>These vulnerabilities could be triggered by a maliciously - formatted email message if `metamail' or `splitmail' is used - to process it, possibly resulting in arbitrary code execution - with the privileges of the user reading mail.</p> + <p>Ulf Härnhammar reported four bugs in metamail: two are format + string bugs and two are buffer overflows. The bugs are in + SaveSquirrelFile(), PrintHeader(), and ShareThisHeader().</p> + <p>These vulnerabilities could be triggered by a maliciously + formatted email message if `metamail' or `splitmail' is used + to process it, possibly resulting in arbitrary code execution + with the privileges of the user reading mail.</p> </body> </description> <references> @@ -2197,7 +2229,7 @@ misc.c: Emil, some of which are triggered during the parsing of attachment filenames. In addition, some format string bugs are present in the error reporting code.</p> - <p>Depending upon local configuration, these vulnerabilities + <p>Depending upon local configuration, these vulnerabilities may be exploited using specially crafted messages in order to execute arbitrary code running with the privileges of the user invoking Emil.</p> 
@@ -2292,12 +2324,12 @@ misc.c: </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Henning Brauer discovered a programming error in Apache - 1.3's mod_access that results in the netmasks in IP address - access control rules being interpreted incorrectly on - 64-bit, big-endian platforms. In some cases, this could - cause a `deny from' IP address access control rule including - a netmask to fail.</p> + <p>Henning Brauer discovered a programming error in Apache + 1.3's mod_access that results in the netmasks in IP address + access control rules being interpreted incorrectly on + 64-bit, big-endian platforms. In some cases, this could + cause a `deny from' IP address access control rule including + a netmask to fail.</p> </body> </description> <references> @@ -2318,15 +2350,15 @@ misc.c: <topic>mod_python denial-of-service vulnerability in parse_qs</topic> <affects> <package> - <name>mod_python</name> + <name>mod_python</name> <range><ge>2.7</ge><lt>2.7.10</lt></range> <range><ge>3.0</ge><lt>3.0.4</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>An attacker may cause Apache with mod_python to crash - by using a specially constructed query string.</p> + <p>An attacker may cause Apache with mod_python to crash + by using a specially constructed query string.</p> </body> </description> <references> 
@@ -2374,19 +2406,19 @@ misc.c: <topic>fetchmail denial-of-service vulnerability</topic> <affects> <package> - <name>fetchmail</name> - <range><lt>6.2.5</lt></range> + <name>fetchmail</name> + <range><lt>6.2.5</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Dave Jones discovered a denial-of-service vulnerability + <p>Dave Jones discovered a denial-of-service vulnerability in fetchmail. An email message containing a very long line could cause fetchmail to segfault due to missing NUL termination in transact.c.</p> - <p>Eric Raymond decided not to mention this issue in the - release notes for fetchmail 6.2.5, but it was fixed - there.</p> + <p>Eric Raymond decided not to mention this issue in the + release notes for fetchmail 6.2.5, but it was fixed + there.</p> </body> </description> <references> @@ -2406,13 +2438,13 @@ misc.c: <topic>mailman denial-of-service vulnerability in MailCommandHandler</topic> <affects> <package> - <name>mailman</name> - <range><lt>2.1</lt></range> + <name>mailman</name> + <range><lt>2.1</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A malformed message could cause mailman to crash.</p> + <p>A malformed message could cause mailman to crash.</p> </body> </description> <references> 
@@ -2429,17 +2461,17 @@ misc.c: <topic>mailman XSS in admin script</topic> <affects> <package> - <name>mailman</name> - <range><lt>2.1.4</lt></range> + <name>mailman</name> + <range><lt>2.1.4</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Dirk Mueller reports:</p> - <blockquote><p>I've found a cross-site scripting - vulnerability in the admin interface of mailman 2.1.3 that - allows, under certain circumstances, for anyone to retrieve - the (valid) session cookie.</p></blockquote> + <p>Dirk Mueller reports:</p> + <blockquote><p>I've found a cross-site scripting + vulnerability in the admin interface of mailman 2.1.3 that + allows, under certain circumstances, for anyone to retrieve + the (valid) session cookie.</p></blockquote> </body> </description> <references> @@ -2457,15 +2489,15 @@ misc.c: <topic>mailman XSS in create script</topic> <affects> <package> - <name>mailman</name> - <range><lt>2.1.3</lt></range> + <name>mailman</name> + <range><lt>2.1.3</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>From the 2.1.3 release notes:</p> - <blockquote><p>Closed a cross-site scripting exploit in the - create cgi script.</p></blockquote> + <p>From the 2.1.3 release notes:</p> + <blockquote><p>Closed a cross-site scripting exploit in the + create cgi script.</p></blockquote> </body> </description> <references> 
@@ -2482,15 +2514,15 @@ misc.c: <topic>mailman XSS in user options page</topic> <affects> <package> - <name>mailman</name> - <range><lt>2.1.1</lt></range> + <name>mailman</name> + <range><lt>2.1.1</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>From the 2.1.1 release notes:</p> - <blockquote><p>Closed a cross-site scripting vulnerability in - the user options page.</p></blockquote> + <p>From the 2.1.1 release notes:</p> + <blockquote><p>Closed a cross-site scripting vulnerability in + the user options page.</p></blockquote> </body> </description> <references> @@ -2507,17 +2539,17 @@ misc.c: <topic>SQL injection vulnerability in phpnuke</topic> <affects> <package> - <name>phpnuke</name> - <range><le>6.9</le></range> + <name>phpnuke</name> + <range><le>6.9</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Multiple researchers have discovered multiple SQL injection - vulnerabilities in some versions of Php-Nuke. These - vulnerabilities may lead to information disclosure, compromise - of the Php-Nuke site, or compromise of the back-end - database.</p> + <p>Multiple researchers have discovered multiple SQL injection + vulnerabilities in some versions of Php-Nuke. These + vulnerabilities may lead to information disclosure, compromise + of the Php-Nuke site, or compromise of the back-end + database.</p> </body> </description> <references> 
@@ -2536,20 +2568,20 @@ misc.c: <topic>lbreakout2 vulnerability in environment variable handling</topic> <affects> <package> - <name>lbreakout2</name> - <range><le>2.2.2_1</le></range> + <name>lbreakout2</name> + <range><le>2.2.2_1</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Ulf Härnhammar discovered an exploitable vulnerability in - lbreakout2's environmental variable handling. In several - instances, the contents of the HOME environmental variable - are copied to a stack or global buffer without range - checking. A local attacker may use this vulnerability to - acquire group-ID `games' privileges.</p> - <p>An exploit for this vulnerability has been published by - ``Li0n7 voila fr''.</p> + <p>Ulf Härnhammar discovered an exploitable vulnerability in + lbreakout2's environmental variable handling. In several + instances, the contents of the HOME environmental variable + are copied to a stack or global buffer without range + checking. A local attacker may use this vulnerability to + acquire group-ID `games' privileges.</p> + <p>An exploit for this vulnerability has been published by + ``Li0n7 voila fr''.</p> </body> </description> <references> @@ -2567,15 +2599,15 @@ misc.c: <topic>hsftp format string vulnerabilities</topic> <affects> <package> - <name>hsftp</name> - <range><lt>1.14</lt></range> + <name>hsftp</name> + <range><lt>1.14</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Ulf Härnhammar discovered a format string bug in hsftp's file - listing code may allow a malicious server to cause arbitrary - code execution by the client.</p> + <p>Ulf Härnhammar discovered a format string bug in hsftp's file + listing code may allow a malicious server to cause arbitrary + code execution by the client.</p> </body> </description> <references> 
@@ -2591,14 +2623,14 @@ misc.c: <topic>Darwin Streaming Server denial-of-service vulnerability</topic> <affects> <package> - <name>DarwinStreamingServer</name> - <range><le>4.1.3g</le></range> + <name>DarwinStreamingServer</name> + <range><le>4.1.3g</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>An attacker can cause an assertion to trigger by sending - a long User-Agent field in a request.</p> + <p>An attacker can cause an assertion to trigger by sending + a long User-Agent field in a request.</p> </body> </description> <references> @@ -2615,18 +2647,18 @@ misc.c: <topic>libxml2 stack buffer overflow in URI parsing</topic> <affects> <package> - <name>libxml2</name> - <range><lt>2.6.6</lt></range> + <name>libxml2</name> + <range><lt>2.6.6</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Yuuichi Teranishi reported a crash in libxml2's URI handling - when a long URL is supplied. The implementation in nanohttp.c - and nanoftp.c uses a 4K stack buffer, and longer URLs will - overwrite the stack. This could result in denial-of-service - or arbitrary code execution in applications using libxml2 - to parse documents.</p> + <p>Yuuichi Teranishi reported a crash in libxml2's URI handling + when a long URL is supplied. The implementation in nanohttp.c + and nanoftp.c uses a 4K stack buffer, and longer URLs will + overwrite the stack. This could result in denial-of-service + or arbitrary code execution in applications using libxml2 + to parse documents.</p> </body> </description> <references> 
@@ -2644,15 +2676,15 @@ misc.c: <topic>file disclosure in phpMyAdmin</topic> <affects> <package> - <name>phpMyAdmin</name> - <range><le>2.5.4</le></range> + <name>phpMyAdmin</name> + <range><le>2.5.4</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Lack of proper input validation in phpMyAdmin may allow an - attacker to obtain the contents of any file on the target - system that is readable by the web server.</p> + <p>Lack of proper input validation in phpMyAdmin may allow an + attacker to obtain the contents of any file on the target + system that is readable by the web server.</p> </body> </description> <references> 
@@ -2670,31 +2702,31 @@ misc.c: <topic>mnGoSearch buffer overflow in UdmDocToTextBuf()</topic> <affects> <package> - <name>mnogosearch</name> - <range><ge>3.2</ge></range> + <name>mnogosearch</name> + <range><ge>3.2</ge></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Jedi/Sector One <j@pureftpd.org> reported the following - on the full-disclosure list:</p> - <blockquote> - <p>Every document is stored in multiple parts according to - its sections (description, body, etc) in databases. And - when the content has to be sent to the client, - UdmDocToTextBuf() concatenates those parts together and - skips metadata.</p> - <p>Unfortunately, that function lacks bounds checking and - a buffer overflow can be triggered by indexing a large - enough document.</p> - <p>'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c - . S->val length depends on the length of the original - document and on the indexer settings (the sample - configuration file has low limits that work around the - bug, though).</p> - <p>Exploitation should be easy, moreover textbuf points to - the stack.</p> - </blockquote> + <p>Jedi/Sector One <j@pureftpd.org> reported the following + on the full-disclosure list:</p> + <blockquote> + <p>Every document is stored in multiple parts according to + its sections (description, body, etc) in databases. And + when the content has to be sent to the client, + UdmDocToTextBuf() concatenates those parts together and + skips metadata.</p> + <p>Unfortunately, that function lacks bounds checking and + a buffer overflow can be triggered by indexing a large + enough document.</p> + <p>'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c + . 
S->val length depends on the length of the original + document and on the indexer settings (the sample + configuration file has low limits that work around the + bug, though).</p> + <p>Exploitation should be easy, moreover textbuf points to + the stack.</p> + </blockquote> </body> </description> <references> 
@@ -2710,25 +2742,25 @@ misc.c: <topic>GNU libtool insecure temporary file handling</topic> <affects> <package> - <name>libtool</name> - <range><ge>1.3</ge><lt>1.3.5_2</lt></range> - <range><ge>1.4</ge><lt>1.4.3_3</lt></range> - <range><ge>1.5</ge><lt>1.5.2</lt></range> + <name>libtool</name> + <range><ge>1.3</ge><lt>1.3.5_2</lt></range> + <range><ge>1.4</ge><lt>1.4.3_3</lt></range> + <range><ge>1.5</ge><lt>1.5.2</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>libtool attempts to create a temporary directory in - which to write scratch files needed during processing. A - malicious user may create a symlink and then manipulate - the directory so as to write to files to which she normally - has no permissions.</p> - <p>This has been reported as a ``symlink vulnerability'', - although I do not think that is an accurate description.</p> - <p>This vulnerability could possibly be used on a multi-user - system to gain elevated privileges, e.g. root builds some - packages, and another user successfully exploits this - vulnerability to write to a system file.</p> + <p>libtool attempts to create a temporary directory in + which to write scratch files needed during processing. A + malicious user may create a symlink and then manipulate + the directory so as to write to files to which she normally + has no permissions.</p> + <p>This has been reported as a ``symlink vulnerability'', + although I do not think that is an accurate description.</p> + <p>This vulnerability could possibly be used on a multi-user + system to gain elevated privileges, e.g. root builds some + packages, and another user successfully exploits this + vulnerability to write to a system file.</p> </body> </description> <references> 
@@ -2745,16 +2777,16 @@ misc.c: <topic>seti@home remotely exploitable buffer overflow</topic> <affects> <package> - <name>setiathome</name> - <range><lt>3.0.8</lt></range> + <name>setiathome</name> + <range><lt>3.0.8</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The seti@home client contains a buffer overflow in the HTTP - response handler. A malicious, spoofed seti@home server can - exploit this buffer overflow to cause remote code execution - on the client. Exploit programs are widely available.</p> + <p>The seti@home client contains a buffer overflow in the HTTP + response handler. A malicious, spoofed seti@home server can + exploit this buffer overflow to cause remote code execution + on the client. Exploit programs are widely available.</p> </body> </description> <references> @@ -2771,15 +2803,15 @@ misc.c: <topic>icecast 1.x multiple vulnerabilities</topic> <affects> <package> - <name>icecast</name> - <range><lt>1.3.12</lt></range> + <name>icecast</name> + <range><lt>1.3.12</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>icecast 1.3.11 and earlier contained numerous security - vulnerabilities, the most severe allowing a remote attacker - to execute arbitrary code as root.</p> + <p>icecast 1.3.11 and earlier contained numerous security + vulnerabilities, the most severe allowing a remote attacker + to execute arbitrary code as root.</p> </body> </description> <references> 
@@ -2801,18 +2833,18 @@ misc.c: <topic>nap allows arbitrary file access</topic> <affects> <package> - <name>nap</name> - <range><lt>1.4.5</lt></range> + <name>nap</name> + <range><lt>1.4.5</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>According to the author:</p> - <blockquote> - <p>Fixed security loophole which allowed remote - clients to access arbitrary files on our - system.</p> - </blockquote> + <p>According to the author:</p> + <blockquote> + <p>Fixed security loophole which allowed remote + clients to access arbitrary files on our + system.</p> + </blockquote> </body> </description> <references> @@ -2828,14 +2860,14 @@ misc.c: <topic>CCE contains exploitable buffer overflows</topic> <affects> <package> - <name>zh-cce</name> - <range><lt>0.40</lt></range> + <name>zh-cce</name> + <range><lt>0.40</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The Chinese Console Environment contains exploitable buffer - overflows.</p> + <p>The Chinese Console Environment contains exploitable buffer + overflows.</p> </body> </description> <references> @@ -2851,15 +2883,15 @@ misc.c: <topic>ChiTeX/ChiLaTeX unsafe set-user-id root</topic> <affects> <package> - <name>zh-chitex</name> - <range><gt>0</gt></range> + <name>zh-chitex</name> + <range><gt>0</gt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Niels Heinen reports that ChiTeX installs set-user-id root - executables that invoked system(3) without setting up the - environment, trivially allowing local root compromise.</p> + <p>Niels Heinen reports that ChiTeX installs set-user-id root + executables that invoked system(3) without setting up the + environment, trivially allowing local root compromise.</p> </body> </description> <references> 
@@ -2875,17 +2907,17 @@ misc.c: <topic>pine remotely exploitable buffer overflow in newmail.c</topic> <affects> <package> - <name>zh-pine</name> - <name>iw-pine</name> - <name>pine</name> - <name>pine4-ssl</name> - <range><le>4.21</le></range> + <name>zh-pine</name> + <name>iw-pine</name> + <name>pine</name> + <name>pine4-ssl</name> + <range><le>4.21</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Kris Kennaway reports a remotely exploitable buffer overflow - in newmail.c. Mike Silbersack submitted the fix.</p> + <p>Kris Kennaway reports a remotely exploitable buffer overflow + in newmail.c. Mike Silbersack submitted the fix.</p> </body> </description> <references> @@ -2901,17 +2933,17 @@ misc.c: <topic>pine insecure URL handling</topic> <affects> <package> - <name>pine</name> - <name>zh-pine</name> - <name>iw-pine</name> - <range><lt>4.44</lt></range> + <name>pine</name> + <name>zh-pine</name> + <name>iw-pine</name> + <range><lt>4.44</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>An attacker may send an email message containing a specially - constructed URL that will execute arbitrary commands when - viewed.</p> + <p>An attacker may send an email message containing a specially + constructed URL that will execute arbitrary commands when + viewed.</p> </body> </description> <references> 
@@ -2927,16 +2959,16 @@ misc.c: <topic>pine remote denial-of-service attack</topic> <affects> <package> - <name>pine</name> - <name>zh-pine</name> - <name>iw-pine</name> - <range><lt>4.50</lt></range> + <name>pine</name> + <name>zh-pine</name> + <name>iw-pine</name> + <range><lt>4.50</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>An attacker may send a specially-formatted email message - that will cause pine to crash.</p> + <p>An attacker may send a specially-formatted email message + that will cause pine to crash.</p> </body> </description> <references> @@ -2953,19 +2985,19 @@ misc.c: <topic>pine remotely exploitable vulnerabilities</topic> <affects> <package> - <name>pine</name> - <name>zh-pine</name> - <name>iw-pine</name> - <range><lt>4.58</lt></range> + <name>pine</name> + <name>zh-pine</name> + <name>iw-pine</name> + <range><lt>4.58</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Pine versions prior to 4.58 are affected by two - vulnerabilities discovered by iDEFENSE, a buffer overflow - in mailview.c and an integer overflow in strings.c. Both - vulnerabilities can result in arbitrary code execution - when processing a malicious message.</p> + <p>Pine versions prior to 4.58 are affected by two + vulnerabilities discovered by iDEFENSE, a buffer overflow + in mailview.c and an integer overflow in strings.c. Both + vulnerabilities can result in arbitrary code execution + when processing a malicious message.</p> </body> </description> <references> 
@@ -2983,16 +3015,16 @@ misc.c: <topic>rsync buffer overflow in server mode</topic> <affects> <package> - <name>rsync</name> - <range><lt>2.5.7</lt></range> + <name>rsync</name> + <range><lt>2.5.7</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>When rsync is run in server mode, a buffer overflow could - allow a remote attacker to execute arbitrary code with the - privileges of the rsync server. Anonymous rsync servers are - at the highest risk.</p> + <p>When rsync is run in server mode, a buffer overflow could + allow a remote attacker to execute arbitrary code with the + privileges of the rsync server. Anonymous rsync servers are + at the highest risk.</p> </body> </description> <references> @@ -3010,20 +3042,20 @@ misc.c: <topic>Samba 3.0.x password initialization bug</topic> <affects> <package> - <name>samba</name> - <range><ge>3.0,1</ge><lt>3.0.1_2,1</lt></range> + <name>samba</name> + <range><ge>3.0,1</ge><lt>3.0.1_2,1</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>From the Samba 3.0.2 release notes:</p> - <blockquote cite="http://www.samba.org/samba/whatsnew/samba-3.0.2.html"> - <p>Security Announcement: It has been confirmed that - previous versions of Samba 3.0 are susceptible to a password - initialization bug that could grant an attacker unauthorized - access to a user account created by the mksmbpasswd.sh shell - script.</p> - </blockquote> + <p>From the Samba 3.0.2 release notes:</p> + <blockquote cite="http://www.samba.org/samba/whatsnew/samba-3.0.2.html"> + <p>Security Announcement: It has been confirmed that + previous versions of Samba 3.0 are susceptible to a password + initialization bug that could grant an attacker unauthorized + access to a user account created by the mksmbpasswd.sh shell + script.</p> + </blockquote> </body> </description> <references> 
@@ -3040,16 +3072,16 @@ misc.c: <topic>clamav remote denial-of-service</topic> <affects> <package> - <name>clamav</name> - <range><lt>0.65_7</lt></range> + <name>clamav</name> + <range><lt>0.65_7</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>clamav will exit when a programming - assertion is not met. A malformed uuencoded message can - trigger this assertion, allowing an attacker to trivially - crash clamd or other components of clamav.</p> + <p>clamav will exit when a programming + assertion is not met. A malformed uuencoded message can + trigger this assertion, allowing an attacker to trivially + crash clamd or other components of clamav.</p> </body> </description> <references> @@ -3066,16 +3098,16 @@ misc.c: <topic>Buffer overflow in Mutt 1.4</topic> <affects> <package> - <name>mutt</name> - <name>ja-mutt</name> - <range><ge>1.4</ge><lt>1.4.2</lt></range> + <name>mutt</name> + <name>ja-mutt</name> + <range><ge>1.4</ge><lt>1.4.2</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Mutt 1.4 contains a buffer overflow that could be exploited - with a specially formed message, causing Mutt to crash or - possibly execute arbitrary code.</p> + <p>Mutt 1.4 contains a buffer overflow that could be exploited + with a specially formed message, causing Mutt to crash or + possibly execute arbitrary code.</p> </body> </description> <references> 
@@ -3092,24 +3124,24 @@ misc.c: <topic>Apache-SSL optional client certificate vulnerability</topic> <affects> <package> - <name>apache+ssl</name> - <range><lt>1.3.29.1.53</lt></range> + <name>apache+ssl</name> + <range><lt>1.3.29.1.53</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>From the Apache-SSL security advisory:</p> - <blockquote> - <p>If configured with SSLVerifyClient set to 1 or 3 (client - certificates optional) and SSLFakeBasicAuth, Apache-SSL - 1.3.28+1.52 and all earlier versions would permit a - client to use real basic authentication to forge a client - certificate.</p> - - <p>All the attacker needed is the "one-line DN" of a valid - user, as used by faked basic auth in Apache-SSL, and the - fixed password ("password" by default).</p> - </blockquote> + <p>From the Apache-SSL security advisory:</p> + <blockquote> + <p>If configured with SSLVerifyClient set to 1 or 3 (client + certificates optional) and SSLFakeBasicAuth, Apache-SSL + 1.3.28+1.52 and all earlier versions would permit a + client to use real basic authentication to forge a client + certificate.</p> + + <p>All the attacker needed is the "one-line DN" of a valid + user, as used by faked basic auth in Apache-SSL, and the + fixed password ("password" by default).</p> + </blockquote> </body> </description> <references> 
@@ -3125,20 +3157,20 @@ misc.c: <topic>L2TP, ISAKMP, and RADIUS parsing vulnerabilities in tcpdump</topic> <affects> <package> - <name>tcpdump</name> - <range><lt>3.8.1_351</lt></range> + <name>tcpdump</name> + <range><lt>3.8.1_351</lt></range> </package> <system> - <name>FreeBSD</name> - <range><lt>5.2.1</lt></range> + <name>FreeBSD</name> + <range><lt>5.2.1</lt></range> </system> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Jonathan Heusser discovered vulnerabilities in tcpdump's - L2TP, ISAKMP, and RADIUS protocol handlers. These - vulnerabilities may be used by an attacker to crash a running - `tcpdump' process.</p> + <p>Jonathan Heusser discovered vulnerabilities in tcpdump's + L2TP, ISAKMP, and RADIUS protocol handlers. These + vulnerabilities may be used by an attacker to crash a running + `tcpdump' process.</p> </body> </description> <references> @@ -3158,19 +3190,19 @@ misc.c: <topic>Buffer overflow in INN control message handling</topic> <affects> <package> - <name>inn</name> - <range><lt>2.4.1</lt></range> + <name>inn</name> + <range><lt>2.4.1</lt></range> </package> <package> - <name>inn-stable</name> - <range><lt>20031022_1</lt></range> + <name>inn-stable</name> + <range><lt>20031022_1</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A small, fixed-size stack buffer is used to construct a - filename based on a received control message. This could - result in a stack buffer overflow.</p> + <p>A small, fixed-size stack buffer is used to construct a + filename based on a received control message. This could + result in a stack buffer overflow.</p> </body> </description> <references> 
@@ -3186,17 +3218,17 @@ misc.c: <topic>ProFTPD ASCII translation bug resulting in remote root compromise</topic> <affects> <package> - <name>proftpd</name> - <range><lt>1.2.8_1</lt></range> + <name>proftpd</name> + <range><lt>1.2.8_1</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A buffer overflow exists in the ProFTPD code that handles - translation of newline characters during ASCII-mode file - uploads. An attacker may exploit this buffer overflow by - uploading a specially crafted file, resulting in code - execution and ultimately a remote root compromise.</p> + <p>A buffer overflow exists in the ProFTPD code that handles + translation of newline characters during ASCII-mode file + uploads. An attacker may exploit this buffer overflow by + uploading a specially crafted file, resulting in code + execution and ultimately a remote root compromise.</p> </body> </description> <references> 
@@ -3213,38 +3245,38 @@ misc.c: <topic>ElGamal sign+encrypt keys created by GnuPG can be compromised</topic> <affects> <package> - <name>gnupg</name> - <range><ge>1.0.2</ge><lt>1.2.3_4</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Any ElGamal sign+encrypt keys created by GnuPG contain a - cryptographic weakness that may allow someone to obtain - the private key. <strong>These keys should be considered - unusable and should be revoked.</strong></p> - <p>The following summary was written by Werner Koch, GnuPG - author:</p> - <blockquote cite="http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html"> - <p>Phong Nguyen identified a severe bug in the way GnuPG - creates and uses ElGamal keys for signing. This is - a significant security failure which can lead to a - compromise of almost all ElGamal keys used for signing. - Note that this is a real world vulnerability which will - reveal your private key within a few seconds.</p> - <p>...</p> - <p>Please <em>take immediate action and revoke your ElGamal - signing keys</em>. Furthermore you should take whatever - measures necessary to limit the damage done for signed or - encrypted documents using that key.</p> - <p>Note that the standard keys as generated by GnuPG (DSA - and ElGamal encryption) as well as RSA keys are NOT - vulnerable. Note also that ElGamal signing keys cannot - be generated without the use of a special flag to enable - hidden options and even then overriding a warning message - about this key type. See below for details on how to - identify vulnerable keys.</p> - </blockquote> + <name>gnupg</name> + <range><ge>1.0.2</ge><lt>1.2.3_4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Any ElGamal sign+encrypt keys created by GnuPG contain a + cryptographic weakness that may allow someone to obtain + the private key. 
<strong>These keys should be considered + unusable and should be revoked.</strong></p> + <p>The following summary was written by Werner Koch, GnuPG + author:</p> + <blockquote cite="http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html"> + <p>Phong Nguyen identified a severe bug in the way GnuPG + creates and uses ElGamal keys for signing. This is + a significant security failure which can lead to a + compromise of almost all ElGamal keys used for signing. + Note that this is a real world vulnerability which will + reveal your private key within a few seconds.</p> + <p>...</p> + <p>Please <em>take immediate action and revoke your ElGamal + signing keys</em>. Furthermore you should take whatever + measures necessary to limit the damage done for signed or + encrypted documents using that key.</p> + <p>Note that the standard keys as generated by GnuPG (DSA + and ElGamal encryption) as well as RSA keys are NOT + vulnerable. Note also that ElGamal signing keys cannot + be generated without the use of a special flag to enable + hidden options and even then overriding a warning message + about this key type. See below for details on how to + identify vulnerable keys.</p> + </blockquote> </body> </description> <references> @@ -3261,14 +3293,14 @@ misc.c: <topic>Mathopd buffer overflow</topic> <affects> <package> - <name>mathopd</name> - <range><lt>1.4p2</lt></range> + <name>mathopd</name> + <range><lt>1.4p2</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Mathopd contains a buffer overflow in the prepare_reply() - function that may be remotely exploitable.</p> + <p>Mathopd contains a buffer overflow in the prepare_reply() + function that may be remotely exploitable.</p> </body> </description> <references> 
@@ -3284,15 +3316,15 @@ misc.c: <topic>lftp HTML parsing vulnerability</topic> <affects> <package> - <name>lftp</name> - <range><le>2.6.10</le></range> + <name>lftp</name> + <range><le>2.6.10</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A buffer overflow exists in lftp which may be triggered when - requesting a directory listing from a malicious server over - HTTP.</p> + <p>A buffer overflow exists in lftp which may be triggered when + requesting a directory listing from a malicious server over + HTTP.</p> </body> </description> <references> @@ -3309,16 +3341,16 @@ misc.c: <topic>qpopper format string vulnerability</topic> <affects> <package> - <name>qpopper</name> - <range><lt>2.53_1</lt></range> + <name>qpopper</name> + <range><lt>2.53_1</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>An authenticated user may trigger a format string - vulnerability present in qpopper's UIDL code, resulting - in arbitrary code execution with group ID `mail' - privileges.</p> + <p>An authenticated user may trigger a format string + vulnerability present in qpopper's UIDL code, resulting + in arbitrary code execution with group ID `mail' + privileges.</p> </body> </description> <references> @@ -3336,13 +3368,13 @@ misc.c: <topic>Fetchmail address parsing vulnerability</topic> <affects> <package> - <name>fetchmail</name> - <range><le>6.2.0</le></range> + <name>fetchmail</name> + <range><le>6.2.0</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Fetchmail can be crashed by a malicious email message.</p> + <p>Fetchmail can be crashed by a malicious email message.</p> </body> </description> <references> 
@@ -3358,15 +3390,15 @@ misc.c: <topic>Buffer overflow in pam_smb password handling</topic> <affects> <package> - <name>pam_smb</name> - <range><lt>1.9.9_3</lt></range> + <name>pam_smb</name> + <range><lt>1.9.9_3</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Applications utilizing pam_smb can be compromised by - any user who can enter a password. In many cases, - this is a remote root compromise.</p> + <p>Applications utilizing pam_smb can be compromised by + any user who can enter a password. In many cases, + this is a remote root compromise.</p> </body> </description> <references> @@ -3384,16 +3416,16 @@ misc.c: <topic>Buffer overflows in libmcrypt</topic> <affects> <package> - <name>libmcrypt</name> - <range><lt>2.5.6</lt></range> + <name>libmcrypt</name> + <range><lt>2.5.6</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>libmcrypt does incomplete input validation, leading to - several buffer overflow vuxml. Additionally, - a memory leak is present. Both of these problems may be - exploited in a denial-of-service attack.</p> + <p>libmcrypt does incomplete input validation, leading to + several buffer overflow vuxml. Additionally, + a memory leak is present. Both of these problems may be + exploited in a denial-of-service attack.</p> </body> </description> <references> |
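Review bot: the nap hunk at @@ -2801,18 +2833,18 @@ and every hunk that follows it remove and re-add textually identical lines, so the change is indentation only; a whitespace-only reindent of this many entries is hard to review alongside a new advisory entry in the same commit, and it would be easier to verify if the reindent were committed on its own.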
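Review bot: in the gnupg hunk at @@ -3213,38 +3245,38 @@ the quoted text closes with "See below for details on how to identify vulnerable keys", but the entry body ends at the blockquote, so "below" points at nothing; since the line is being rewritten anyway, either drop that final sentence from the quote or add a short paragraph after the blockquote saying the identification details are in the message named in the cite attribute. Note also that this hunk, unlike the others, reindents the `</package>`, `</affects>`, `<description>` and `<body>` lines rather than leaving them as context, so this entry's indentation was inconsistent with the rest of the file before the change; worth a second look that the closing tags line up with their openers afterwards.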
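Review bot: the libmcrypt hunk at @@ -3384,16 +3416,16 @@ re-adds the line "several buffer overflow vuxml." unchanged; "vuxml" here looks like a stray search-and-replace hit on the word that originally stood in that place, and the sentence does not parse as written. Since the line is already touched in this hunk, replace "vuxml" with the intended word (the surrounding text suggests "vulnerabilities") so the description reads correctly.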