diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index bf0768b5d01c..4a2a0b80d926 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -30,6 +30,38 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --> + + buffer cache invalidation implementation issues + + + FreeBSD + 5.05.2_8 + 4.94.9_9 + 4.04.8_22 + + + + +

Programming errors in the implementation of the msync(2) + system call involving the MS_INVALIDATE operation lead to + cache consistency problems between the virtual memory system + and on-disk contents.

+ +

In some situations, a user with read access to a file may + be able to prevent changes to that file from being committed + to disk.

+ +
+ + CAN-2004-0435 + SA-04:11.msync + + + 2004-04-24 + 2004-05-26 + +
+ leafnode denial-of-service triggered by article request @@ -145,10 +177,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Stefan Esser reports:

-

Subversion versions up to 1.0.2 are vulnerable to a date - parsing vulnerability which can be abused to allow remote - code execution on Subversion servers and therefore could - lead to a repository compromise.

+

Subversion versions up to 1.0.2 are vulnerable to a date + parsing vulnerability which can be abused to allow remote + code execution on Subversion servers and therefore could + lead to a repository compromise.

NOTE: This vulnerability is similar to the date parsing issue that affected neon. However, it is a different @@ -178,15 +210,15 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Stefan Esser reports:

-

A vulnerability within a libneon date parsing function - could cause a heap overflow which could lead to remote - code execution, depending on the application using - libneon.

+

A vulnerability within a libneon date parsing function + could cause a heap overflow which could lead to remote + code execution, depending on the application using + libneon.

-

The vulnerability is in the function ne_rfc1036_parse, - which is in turn used by the function ne_httpdate_parse. - Applications using either of these neon functions may be - vulnerable.

+

The vulnerability is in the function ne_rfc1036_parse, + which is in turn used by the function ne_httpdate_parse. + Applications using either of these neon functions may be + vulnerable.

@@ -214,10 +246,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-

Due to a programming error in code used to parse data - received from the client, malformed data can cause a heap - buffer to overflow, allowing the client to overwrite - arbitrary portions of the server's memory.

+

Due to a programming error in code used to parse data + received from the client, malformed data can cause a heap + buffer to overflow, allowing the client to overwrite + arbitrary portions of the server's memory.

A malicious CVS client can exploit this to run arbitrary code on the server at the privilege level of the CVS server software.

@@ -277,7 +309,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. MySQL insecure temporary file creation (mysqlbug) - mysql-client + mysql-client 4.04.0.20 4.14.1.1_2 5.05.0.0_2 @@ -348,22 +380,22 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. fsp buffer overflow and directory traversal vulnerabilities - fspd - 2.8.1.19 + fspd + 2.8.1.19 -

The Debian - security team reported a pair of vulnerabilities in - fsp:

-
-

A vulnerability was discovered in fsp, client utilities - for File Service Protocol (FSP), whereby a remote user could - both escape from the FSP root directory (CAN-2003-1022), and - also overflow a fixed-length buffer to execute arbitrary - code (CAN-2004-0011).

-
+

The Debian + security team reported a pair of vulnerabilities in + fsp:

+
+

A vulnerability was discovered in fsp, client utilities + for File Service Protocol (FSP), whereby a remote user could + both escape from the FSP root directory (CAN-2003-1022), and + also overflow a fixed-length buffer to execute arbitrary + code (CAN-2004-0011).

+
@@ -388,10 +420,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-

Jindrich Makovicka reports a regression in proftpd's - handling of IP address access control lists (IP ACLs). Due - to this regression, some IP ACLs are treated as ``allow - all''.

+

Jindrich Makovicka reports a regression in proftpd's + handling of IP address access control lists (IP ACLs). Due + to this regression, some IP ACLs are treated as ``allow + all''.

@@ -416,10 +448,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The Cyrus team reported multiple vulnerabilities in older - versions of Cyrus IMSPd:

+ versions of Cyrus IMSPd:

-

These releases correct a recently discovered buffer - overflow vulnerability, as well as clean up a significant +

These releases correct a recently discovered buffer + overflow vulnerability, as well as clean up a significant amount of buffer handling throughout the code.

@@ -444,7 +476,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

Some scripts installed with xine create temporary files +

Some scripts installed with xine create temporary files insecurely. It is recommended that these scripts (xine-check, xine-bugreport) not be used. They are not needed for normal operation.

@@ -465,19 +497,19 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. exim buffer overflow when verify = header_syntax is used - exim - exim-ldap2 - exim-mysql - exim-postgresql - 4.33+20_1 + exim + exim-ldap2 + exim-mysql + exim-postgresql + 4.33+20_1 -

A remote exploitable buffer overflow has been discovered - in exim when verify = header_syntax is used in the - configuration file. This does not affect the default - configuration.

+

A remote exploitable buffer overflow has been discovered + in exim when verify = header_syntax is used in the + configuration file. This does not affect the default + configuration.

@@ -534,22 +566,22 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

An input validation error was discovered in the kadmind - code that handles the framing of Kerberos 4 compatibility - administration requests. The code assumed that the length - given in the framing was always two or more bytes. Smaller - lengths will cause kadmind to read an arbitrary amount of - data into a minimally-sized buffer on the heap.

-

A remote attacker may send a specially formatted message - to kadmind, causing it to crash or possibly resulting in - arbitrary code execution.

-

The kadmind daemon is part of Kerberos 5 support. However, - this bug will only be present if kadmind was built with +

An input validation error was discovered in the kadmind + code that handles the framing of Kerberos 4 compatibility + administration requests. The code assumed that the length + given in the framing was always two or more bytes. Smaller + lengths will cause kadmind to read an arbitrary amount of + data into a minimally-sized buffer on the heap.

+

A remote attacker may send a specially formatted message + to kadmind, causing it to crash or possibly resulting in + arbitrary code execution.

+

The kadmind daemon is part of Kerberos 5 support. However, + this bug will only be present if kadmind was built with additional Kerberos 4 support. Thus, only systems that have *both* Heimdal Kerberos 5 and Kerberos 4 installed might be affected.

-

NOTE: On FreeBSD 4 systems, `kadmind' may be - installed as `k5admind'.

+

NOTE: On FreeBSD 4 systems, `kadmind' may be + installed as `k5admind'.

@@ -578,21 +610,21 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

Two programming errors were discovered in which path names - handled by CVS were not properly validated. In one case, - the CVS client accepts absolute path names from the server - when determining which files to update. In another case, - the CVS server accepts relative path names from the client - when determining which files to transmit, including those - containing references to parent directories (`../').

-

These programming errors generally only have a security +

Two programming errors were discovered in which path names + handled by CVS were not properly validated. In one case, + the CVS client accepts absolute path names from the server + when determining which files to update. In another case, + the CVS server accepts relative path names from the client + when determining which files to transmit, including those + containing references to parent directories (`../').

+

These programming errors generally only have a security impact when dealing with remote CVS repositories.

-

A malicious CVS server may cause a CVS client to overwrite +

A malicious CVS server may cause a CVS client to overwrite arbitrary files on the client's system.

-

A CVS client may request RCS files from a remote system - other than those in the repository specified by $CVSROOT. - These RCS files need not be part of any CVS repository - themselves.

+

A CVS client may request RCS files from a remote system + other than those in the repository specified by $CVSROOT. + These RCS files need not be part of any CVS repository + themselves.

@@ -619,26 +651,26 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

The kernel interface for creating a snapshot of a - filesystem is the same as that for changing the flags on +

The kernel interface for creating a snapshot of a + filesystem is the same as that for changing the flags on that filesystem. Due to an oversight, the mksnap_ffs(8) - command called that interface with only the snapshot flag - set, causing all other flags to be reset to the default + command called that interface with only the snapshot flag + set, causing all other flags to be reset to the default value.

-

A regularly scheduled backup of a live filesystem, or - any other process that uses the mksnap_ffs command - (for instance, to provide a rough undelete functionality - on a file server), will clear any flags in effect on the - filesystem being snapshot. Possible consequences depend - on local usage, but can include disabling extended access - control lists or enabling the use of setuid executables +

A regularly scheduled backup of a live filesystem, or + any other process that uses the mksnap_ffs command + (for instance, to provide a rough undelete functionality + on a file server), will clear any flags in effect on the + filesystem being snapshot. Possible consequences depend + on local usage, but can include disabling extended access + control lists or enabling the use of setuid executables stored on an untrusted filesystem.

-

The mksnap_ffs command is normally only available to - the superuser and members of the `operator' group. There - is therefore no risk of a user gaining elevated privileges - directly through use of the mksnap_ffs command unless - it has been intentionally made available to unprivileged - users.

+

The mksnap_ffs command is normally only available to + the superuser and members of the `operator' group. There + is therefore no risk of a user gaining elevated privileges + directly through use of the mksnap_ffs command unless + it has been intentionally made available to unprivileged + users.

@@ -668,14 +700,14 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

A programming error in the shmat(2) system call can result - in a shared memory segment's reference count being erroneously + in a shared memory segment's reference count being erroneously incremented.

-

It may be possible to cause a shared memory segment to - reference unallocated kernel memory, but remain valid. - This could allow a local attacker to gain read or write - access to a portion of kernel memory, resulting in sensitive - information disclosure, bypass of access control mechanisms, - or privilege escalation.

+

It may be possible to cause a shared memory segment to + reference unallocated kernel memory, but remain valid. + This could allow a local attacker to gain read or write + access to a portion of kernel memory, resulting in sensitive + information disclosure, bypass of access control mechanisms, + or privilege escalation.

@@ -702,15 +734,15 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

A programming error has been found in the jail_attach(2) - system call which affects the way that system call verifies - the privilege level of the calling process. Instead of - failing immediately if the calling process was already - jailed, the jail_attach system call would fail only after + system call which affects the way that system call verifies + the privilege level of the calling process. Instead of + failing immediately if the calling process was already + jailed, the jail_attach system call would fail only after changing the calling process's root directory.

-

A process with superuser privileges inside a jail could - change its root directory to that of a different jail, - and thus gain full read and write access to files and - directories within the target jail.

+

A process with superuser privileges inside a jail could + change its root directory to that of a different jail, + and thus gain full read and write access to files and + directories within the target jail.

@@ -738,14 +770,14 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

FreeBSD does not limit the number of TCP segments that - may be held in a reassembly queue. A remote attacker may - conduct a low-bandwidth denial-of-service attack against - a machine providing services based on TCP (there are many - such services, including HTTP, SMTP, and FTP). By sending - many out-of-sequence TCP segments, the attacker can cause - the target machine to consume all available memory buffers - (``mbufs''), likely leading to a system crash.

+

FreeBSD does not limit the number of TCP segments that + may be held in a reassembly queue. A remote attacker may + conduct a low-bandwidth denial-of-service attack against + a machine providing services based on TCP (there are many + such services, including HTTP, SMTP, and FTP). By sending + many out-of-sequence TCP segments, the attacker can cause + the target machine to consume all available memory buffers + (``mbufs''), likely leading to a system crash.

@@ -772,14 +804,14 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

From the FreeBSD Security Advisory:

-

A programming error in the handling of some IPv6 socket +

A programming error in the handling of some IPv6 socket options within the setsockopt(2) system call may result - in memory locations being accessed without proper - validation.

-

It may be possible for a local attacker to read portions - of kernel memory, resulting in disclosure of sensitive - information. A local attacker can cause a system - panic.

+ in memory locations being accessed without proper + validation.

+

It may be possible for a local attacker to read portions + of kernel memory, resulting in disclosure of sensitive + information. A local attacker can cause a system + panic.

@@ -803,7 +835,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 0.9.7d - FreeBSD + FreeBSD 4.04.8_17 4.94.9_4 5.05.1_16 @@ -834,32 +866,32 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. bind8 negative cache poison attack - bind - 8.38.3.7 - 8.48.4.3 + bind + 8.38.3.7 + 8.48.4.3 - FreeBSD - 5.15.1_11 - 5.05.0_19 - 4.94.9_1 - 4.84.8_14 - 4.74.7_24 - 4.64.6.2_27 - 4.54.5_37 - 4.4_47 + FreeBSD + 5.15.1_11 + 5.05.0_19 + 4.94.9_1 + 4.84.8_14 + 4.74.7_24 + 4.64.6.2_27 + 4.54.5_37 + 4.4_47 -

A programming error in BIND 8 named can result in a DNS - message being incorrectly cached as a negative response. As - a result, an attacker may arrange for malicious DNS messages - to be delivered to a target name server, and cause that name - server to cache a negative response for some target domain - name. The name server would thereafter respond negatively - to legitimate queries for that domain name, resulting in a - denial-of-service for applications that require DNS.

+

A programming error in BIND 8 named can result in a DNS + message being incorrectly cached as a negative response. As + a result, an attacker may arrange for malicious DNS messages + to be delivered to a target name server, and cause that name + server to cache a negative response for some target domain + name. The name server would thereafter respond negatively + to legitimate queries for that domain name, resulting in a + denial-of-service for applications that require DNS.

@@ -1035,10 +1067,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

From the xinehq advisory:

-

By opening a malicious MRL in any xine-lib based media - player, an attacker can write arbitrary content to an - arbitrary file, only restricted by the permissions of the - user running the application.

+

By opening a malicious MRL in any xine-lib based media + player, an attacker can write arbitrary content to an + arbitrary file, only restricted by the permissions of the + user running the application.

The flaw is a result of a feature that allows MRLs (media resource locator URIs) to specify arbitrary configuration @@ -1098,13 +1130,13 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

An unknown remotely exploitable vulnerability was disclosed. Robert Segall writes:

-

a security vulnerability was brought to my attention - (many thanks to Akira Higuchi). Everyone running any - previous version should upgrade to 1.6 immediately - the - vulnerability may allow a remote exploit. No exploits are - currently known and none have been observed in the wild - till now. The danger is minimised if you run Pound in a - root jail and/or you run Pound as non-root user.

+

a security vulnerability was brought to my attention + (many thanks to Akira Higuchi). Everyone running any + previous version should upgrade to 1.6 immediately - the + vulnerability may allow a remote exploit. No exploits are + currently known and none have been observed in the wild + till now. The danger is minimised if you run Pound in a + root jail and/or you run Pound as non-root user.

@@ -1131,10 +1163,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

Greuff reports that the neon WebDAV client library contains - several format string bugs within error reporting code. A - malicious server may exploit these bugs by sending specially - crafted PROPFIND or PROPPATCH responses.

+

Greuff reports that the neon WebDAV client library contains + several format string bugs within error reporting code. A + malicious server may exploit these bugs by sending specially + crafted PROPFIND or PROPPATCH responses.

Although several applications include neon, such as cadaver and subversion, the FreeBSD Ports of these applications are not impacted. They are specifically configured to NOT use the @@ -1163,8 +1195,8 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

The common.php script always trusts the `X-Forwarded-For' - header in the client's HTTP request. A remote user could +

The common.php script always trusts the `X-Forwarded-For' + header in the client's HTTP request. A remote user could forge this header in order to bypass any IP address access control lists (ACLs).

@@ -1219,11 +1251,11 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

Jack of RaptureSecurity reported a double byte buffer - overflow in ident2. The bug may allow a remote attacker to - execute arbitrary code within the context of the ident2 - daemon. The daemon typically runs as user-ID `nobody', but - with group-ID `wheel'.

+

Jack of RaptureSecurity reported a double byte buffer + overflow in ident2. The bug may allow a remote attacker to + execute arbitrary code within the context of the ident2 + daemon. The daemon typically runs as user-ID `nobody', but + with group-ID `wheel'.

@@ -1246,9 +1278,9 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

A buffer overflow is present in some versions of the KDE - personal information manager (kdepim) which may be triggered - when processing a specially crafted VCF file.

+

A buffer overflow is present in some versions of the KDE + personal information manager (kdepim) which may be triggered + when processing a specially crafted VCF file.

@@ -1265,29 +1297,29 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Vulnerabilities in H.323 implementations - pwlib - 1.6.0 + pwlib + 1.6.0 - asterisk - 0.7.2 + asterisk + 0.7.2 - openh323 - 1.13.0 + openh323 + 1.13.0 -

The NISCC and the OUSPG - developed a test suite for the H.323 protocol. This test - suite has uncovered vulnerabilities in several H.323 - implementations with impacts ranging from denial-of-service - to arbitrary code execution.

-

In the FreeBSD Ports Collection, `pwlib' is directly - affected. Other applications such as `asterisk' and - `openh323' incorporate `pwlib' statically and so are also - independently affected.

+

The NISCC and the OUSPG + developed a test suite for the H.323 protocol. This test + suite has uncovered vulnerabilities in several H.323 + implementations with impacts ranging from denial-of-service + to arbitrary code execution.

+

In the FreeBSD Ports Collection, `pwlib' is directly + affected. Other applications such as `asterisk' and + `openh323' incorporate `pwlib' statically and so are also + independently affected.

@@ -1317,13 +1349,13 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

When racoon receives an ISAKMP header, it will attempt to - allocate sufficient memory for the entire ISAKMP message - according to the header's length field. If an attacker - crafts an ISAKMP header with a ridiculously large value - in the length field, racoon may exceed operating system - resource limits and be terminated, resulting in a denial of - service.

+

When racoon receives an ISAKMP header, it will attempt to + allocate sufficient memory for the entire ISAKMP message + according to the header's length field. If an attacker + crafts an ISAKMP header with a ridiculously large value + in the length field, racoon may exceed operating system + resource limits and be terminated, resulting in a denial of + service.

@@ -1380,10 +1412,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

Chad Loder has discovered vulnerabilities in tcpdump's - ISAKMP protocol handler. During an audit to repair these - issues, Bill Fenner discovered some related problems.

-

These vulnerabilities may be used by an attacker to crash a +

Chad Loder has discovered vulnerabilities in tcpdump's + ISAKMP protocol handler. During an audit to repair these + issues, Bill Fenner discovered some related problems.

+

These vulnerabilities may be used by an attacker to crash a running `tcpdump' process. They can only be triggered if the `-v' command line option is being used.

NOTE: the racoon ISAKMP/IKE daemon incorporates the ISAKMP @@ -1447,10 +1479,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

Ralf Spenneberg discovered a serious flaw in racoon. - When using Phase 1 main or aggressive mode, racoon does - not verify the client's RSA signature. Any installations - using X.509 authentication are strongly +

Ralf Spenneberg discovered a serious flaw in racoon. + When using Phase 1 main or aggressive mode, racoon does + not verify the client's RSA signature. Any installations + using X.509 authentication are strongly urged to upgrade.

Installations using pre-shared keys are believed to be unaffected.

@@ -1470,39 +1502,39 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Several remotely exploitable buffer overflows in gaim - gaim - 0.75_3 - 0.75_5 + gaim + 0.75_3 + 0.75_5 0.76 -

Stefan Esser of e-matters found almost a dozen remotely - exploitable vulnerabilities in Gaim. From the e-matters - advisory:

-
-

While developing a custom add-on, an integer overflow - in the handling of AIM DirectIM packets was revealed that - could lead to a remote compromise of the IM client. After - disclosing this bug to the vendor, they had to make a - hurried release because of a change in the Yahoo connection - procedure that rendered GAIM useless. Unfourtunately at the - same time a closer look onto the sourcecode revealed 11 more - vulnerabilities.

+

Stefan Esser of e-matters found almost a dozen remotely + exploitable vulnerabilities in Gaim. From the e-matters + advisory:

+
+

While developing a custom add-on, an integer overflow + in the handling of AIM DirectIM packets was revealed that + could lead to a remote compromise of the IM client. After + disclosing this bug to the vendor, they had to make a + hurried release because of a change in the Yahoo connection + procedure that rendered GAIM useless. Unfourtunately at the + same time a closer look onto the sourcecode revealed 11 more + vulnerabilities.

-

The 12 identified problems range from simple standard - stack overflows, over heap overflows to an integer overflow - that can be abused to cause a heap overflow. Due to the - nature of instant messaging many of these bugs require - man-in-the-middle attacks between client and server. But the - underlying protocols are easy to implement and MIM attacks - on ordinary TCP sessions is a fairly simple task.

+

The 12 identified problems range from simple standard + stack overflows, over heap overflows to an integer overflow + that can be abused to cause a heap overflow. Due to the + nature of instant messaging many of these bugs require + man-in-the-middle attacks between client and server. But the + underlying protocols are easy to implement and MIM attacks + on ordinary TCP sessions is a fairly simple task.

-

In combination with the latest kernel vulnerabilities or - the habit of users to work as root/administrator these bugs - can result in remote root compromises.

-
+

In combination with the latest kernel vulnerabilities or + the habit of users to work as root/administrator these bugs + can result in remote root compromises.

+
@@ -1529,7 +1561,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

Philippe Oechslin reported a denial-of-service vulnerability +

Philippe Oechslin reported a denial-of-service vulnerability in oftpd. The oftpd server can be crashed by sending a PORT command containing an integer over 8 bits long (over 255).

@@ -1573,16 +1605,16 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. From the release notes for the corrected versions of the Courier set of mail services:

-

iso2022jp.c: Converters became (upper-)compatible with - ISO-2022-JP (RFC1468 / JIS X 0208:1997 Annex 2) and - ISO-2022-JP-1 (RFC2237). Buffer overflow vulnerability - (when Unicode character is out of BMP range) has been - closed. Convert error handling was implemented.

-

shiftjis.c: Broken SHIFT_JIS converters has been fixed - and became (upper-)compatible with Shifted Encoding Method - (JIS X 0208:1997 Annex 1). Buffer overflow vulnerability - (when Unicode character is out of BMP range) has been - closed. Convert error handling was implemented.

+

iso2022jp.c: Converters became (upper-)compatible with + ISO-2022-JP (RFC1468 / JIS X 0208:1997 Annex 2) and + ISO-2022-JP-1 (RFC2237). Buffer overflow vulnerability + (when Unicode character is out of BMP range) has been + closed. Convert error handling was implemented.

+

shiftjis.c: Broken SHIFT_JIS converters has been fixed + and became (upper-)compatible with Shifted Encoding Method + (JIS X 0208:1997 Annex 1). Buffer overflow vulnerability + (when Unicode character is out of BMP range) has been + closed. Convert error handling was implemented.

@@ -1611,12 +1643,12 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Numerous errors in isakmpd's input packet validation lead to denial-of-service vulnerabilities. From the Rapid7 advisory:

-

The ISAKMP packet processing functions in OpenBSD's - isakmpd daemon contain multiple payload handling flaws - that allow a remote attacker to launch a denial of - service attack against the daemon.

-

Carefully crafted ISAKMP packets will cause the isakmpd - daemon to attempt out-of-bounds reads, exhaust available +

The ISAKMP packet processing functions in OpenBSD's + isakmpd daemon contain multiple payload handling flaws + that allow a remote attacker to launch a denial of + service attack against the daemon.

+

Carefully crafted ISAKMP packets will cause the isakmpd + daemon to attempt out-of-bounds reads, exhaust available memory, or loop endlessly (consuming 100% of the CPU).

@@ -1651,21 +1683,21 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

A denial-of-service issue was reported by Jeff Trawick. From the CVS commit log for the fix:

-

Fix starvation issue on listening sockets where a - short-lived connection on a rarely-accessed listening - socket will cause a child to hold the accept mutex and - block out new connections until another connection arrives - on that rarely-accessed listening socket. With Apache - 2.x there is no performance concern about enabling the - logic for platforms which don't need it, so it is enabled - everywhere except for Win32.

+

Fix starvation issue on listening sockets where a + short-lived connection on a rarely-accessed listening + socket will cause a child to hold the accept mutex and + block out new connections until another connection arrives + on that rarely-accessed listening socket. With Apache + 2.x there is no performance concern about enabling the + logic for platforms which don't need it, so it is enabled + everywhere except for Win32.

It was determined that this issue does not affect FreeBSD systems. From the Apache security advisory:

-

This issue is known to affect some versions of AIX, - Solaris, and Tru64; it is known to not affect FreeBSD or - Linux.

+

This issue is known to affect some versions of AIX, + Solaris, and Tru64; it is known to not affect FreeBSD or + Linux.

@@ -1694,7 +1726,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

A remotely exploitable heap buffer overflow vulnerability was +

A remotely exploitable heap buffer overflow vulnerability was found in MPlayer's URL decoding code. If an attacker can cause MPlayer to visit a specially crafted URL, arbitrary code execution with the privileges of the user running MPlayer may @@ -1726,10 +1758,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

From the Squid advisory:

-

Squid versions 2.5.STABLE4 and earlier contain a bug - in the "%xx" URL decoding function. It may insert a NUL - character into decoded URLs, which may allow users to bypass - url_regex ACLs.

+

Squid versions 2.5.STABLE4 and earlier contain a bug + in the "%xx" URL decoding function. It may insert a NUL + character into decoded URLs, which may allow users to bypass + url_regex ACLs.

@@ -1758,9 +1790,9 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

A remote attacker could cause zebra/quagga to crash by - sending a malformed telnet command to their management - port.

+

A remote attacker could cause zebra/quagga to crash by + sending a malformed telnet command to their management + port.

@@ -1862,9 +1894,9 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

Users with admin rights can severly damage an phpBB installation, - potentially triggered by viewing a page with a malicious link sent - by an attacker.

+

Users with admin rights can severly damage an phpBB installation, + potentially triggered by viewing a page with a malicious link sent + by an attacker.

@@ -1889,10 +1921,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

A security hole exists that can be used to crash the proxy and - execute arbitrary code. An exploit is circulating that takes - advantage of this, and in some cases succeeds in obtaining a login - shell on the machine.

+

A security hole exists that can be used to crash the proxy and + execute arbitrary code. An exploit is circulating that takes + advantage of this, and in some cases succeeds in obtaining a login + shell on the machine.

@@ -1917,11 +1949,11 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

A remote attacker may use specially crafted IKE/ISAKMP - messages to cause racoon to delete security associations. - This could result in denial-of-service or possibly cause - sensitive traffic to be transmitted in plaintext, depending - upon configuration.

+

A remote attacker may use specially crafted IKE/ISAKMP + messages to cause racoon to delete security associations. + This could result in denial-of-service or possibly cause + sensitive traffic to be transmitted in plaintext, depending + upon configuration.

@@ -1941,15 +1973,15 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ModSecurity for Apache 2.x remote off-by-one overflow - mod_security + mod_security 1.7.5 -

When the directive "SecFilterScanPost" is enabled, - the Apache 2.x version of ModSecurity is vulnerable - to an off-by-one overflow

+

When the directive "SecFilterScanPost" is enabled, + the Apache 2.x version of ModSecurity is vulnerable + to an off-by-one overflow

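Review bot: the sentence ending `to an off-by-one overflow` has no terminating period, and the paragraph is being touched in this hunk, so add it here.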
@@ -1980,10 +2012,10 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Glenn Stewart reports a bug in wu-ftpd's ftpaccess `restricted-uid'/`restricted-gid' directives:

-

Users can get around the restriction to their home - directory by issuing a simple chmod command on their home - directory. On the next ftp log in, the user will have '/' - as their root directory.

+

Users can get around the restriction to their home + directory by issuing a simple chmod command on their home + directory. On the next ftp log in, the user will have '/' + as their root directory.

Matt Zimmerman discovered that the cause of the bug was a missing check for a restricted user within a code path that @@ -2011,13 +2043,13 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -

Joe Orton reports a memory leak in Apache 2's mod_ssl. - A remote attacker may issue HTTP requests on an HTTPS - port, causing an error. Due to a bug in processing this - condition, memory associated with the connection is - not freed. Repeated requests can result in consuming - all available memory resources, probably resulting in - termination of the Apache process.

+

Joe Orton reports a memory leak in Apache 2's mod_ssl. + A remote attacker may issue HTTP requests on an HTTPS + port, causing an error. Due to a bug in processing this + condition, memory associated with the connection is + not freed. Repeated requests can result in consuming + all available memory resources, probably resulting in + termination of the Apache process.

@@ -2074,19 +2106,19 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Buffer overflows in XFree86 servers - XFree86-Server - 4.3.0_13 - 4.3.994.3.99.15_1 + XFree86-Server + 4.3.0_13 + 4.3.994.3.99.15_1 -

A number of buffer overflows were recently discovered in - XFree86, prompted by initial discoveries by iDEFENSE. These - buffer overflows are present in the font alias handling. An - attacker with authenticated access to a running X server may - exploit these vulnerabilities to obtain root privileges on - the machine running the X server.

+

A number of buffer overflows were recently discovered in + XFree86, prompted by initial discoveries by iDEFENSE. These + buffer overflows are present in the font alias handling. An + attacker with authenticated access to a running X server may + exploit these vulnerabilities to obtain root privileges on + the machine running the X server.

@@ -2110,34 +2142,34 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. multiple buffer overflows in xboing - xboing - 2.4_2 + xboing + 2.4_2 -

Steve Kemp reports (in a Debian bug submission):

-
-

Due to improper bounds checking it is possible for a - malicious user to gain a shell with membership group - 'games'. (The binary is installed setgid games).

-

Environmental variables are used without being bounds-checked - in any way, from the source code:

+

Steve Kemp reports (in a Debian bug submission):

+
+

Due to improper bounds checking it is possible for a + malicious user to gain a shell with membership group + 'games'. (The binary is installed setgid games).

+

Environmental variables are used without being bounds-checked + in any way, from the source code:

 highscore.c:
    /* Use the environment variable if it exists */
    if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
-        strcpy(filename, str);
+	strcpy(filename, str);
    else
-        strcpy(filename, HIGH_SCORE_FILE);
+	strcpy(filename, HIGH_SCORE_FILE);
 
 misc.c:
     if ((ptr = getenv("HOME")) != NULL)
-        (void) strcpy(dest, ptr);
+	(void) strcpy(dest, ptr);
 
-

Neither of these checks are boundschecked, and will allow - arbitary shell code to be run.

-
+

Neither of these checks are boundschecked, and will allow + arbitary shell code to be run.

+
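Review bot: the re-indentation at `-        strcpy(filename, str);` / `+	strcpy(filename, str);` (and the two matching lines for `strcpy(filename, HIGH_SCORE_FILE);` and `(void) strcpy(dest, ptr);`) swaps leading spaces for a tab inside what is a verbatim excerpt of the upstream highscore.c and misc.c source; in a preformatted block that changes the quoted bytes, not just the XML layout, so these three lines should keep their original spaces to stay faithful to the quoted code.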
@@ -2156,19 +2188,19 @@ misc.c: metamail format string bugs and buffer overflows - metamail - 2.7_2 + metamail + 2.7_2 -

Ulf Härnhammar reported four bugs in metamail: two are format - string bugs and two are buffer overflows. The bugs are in - SaveSquirrelFile(), PrintHeader(), and ShareThisHeader().

-

These vulnerabilities could be triggered by a maliciously - formatted email message if `metamail' or `splitmail' is used - to process it, possibly resulting in arbitrary code execution - with the privileges of the user reading mail.

+

Ulf Härnhammar reported four bugs in metamail: two are format + string bugs and two are buffer overflows. The bugs are in + SaveSquirrelFile(), PrintHeader(), and ShareThisHeader().

+

These vulnerabilities could be triggered by a maliciously + formatted email message if `metamail' or `splitmail' is used + to process it, possibly resulting in arbitrary code execution + with the privileges of the user reading mail.

@@ -2197,7 +2229,7 @@ misc.c: Emil, some of which are triggered during the parsing of attachment filenames. In addition, some format string bugs are present in the error reporting code.

-

Depending upon local configuration, these vulnerabilities +

Depending upon local configuration, these vulnerabilities may be exploited using specially crafted messages in order to execute arbitrary code running with the privileges of the user invoking Emil.

@@ -2292,12 +2324,12 @@ misc.c: -

Henning Brauer discovered a programming error in Apache - 1.3's mod_access that results in the netmasks in IP address - access control rules being interpreted incorrectly on - 64-bit, big-endian platforms. In some cases, this could - cause a `deny from' IP address access control rule including - a netmask to fail.

+

Henning Brauer discovered a programming error in Apache + 1.3's mod_access that results in the netmasks in IP address + access control rules being interpreted incorrectly on + 64-bit, big-endian platforms. In some cases, this could + cause a `deny from' IP address access control rule including + a netmask to fail.

@@ -2318,15 +2350,15 @@ misc.c: mod_python denial-of-service vulnerability in parse_qs - mod_python + mod_python 2.72.7.10 3.03.0.4 -

An attacker may cause Apache with mod_python to crash - by using a specially constructed query string.

+

An attacker may cause Apache with mod_python to crash + by using a specially constructed query string.

@@ -2374,19 +2406,19 @@ misc.c: fetchmail denial-of-service vulnerability - fetchmail - 6.2.5 + fetchmail + 6.2.5 -

Dave Jones discovered a denial-of-service vulnerability +

Dave Jones discovered a denial-of-service vulnerability in fetchmail. An email message containing a very long line could cause fetchmail to segfault due to missing NUL termination in transact.c.

-

Eric Raymond decided not to mention this issue in the - release notes for fetchmail 6.2.5, but it was fixed - there.

+

Eric Raymond decided not to mention this issue in the + release notes for fetchmail 6.2.5, but it was fixed + there.

@@ -2406,13 +2438,13 @@ misc.c: mailman denial-of-service vulnerability in MailCommandHandler - mailman - 2.1 + mailman + 2.1 -

A malformed message could cause mailman to crash.

+

A malformed message could cause mailman to crash.

@@ -2429,17 +2461,17 @@ misc.c: mailman XSS in admin script - mailman - 2.1.4 + mailman + 2.1.4 -

Dirk Mueller reports:

-

I've found a cross-site scripting - vulnerability in the admin interface of mailman 2.1.3 that - allows, under certain circumstances, for anyone to retrieve - the (valid) session cookie.

+

Dirk Mueller reports:

+

I've found a cross-site scripting + vulnerability in the admin interface of mailman 2.1.3 that + allows, under certain circumstances, for anyone to retrieve + the (valid) session cookie.

@@ -2457,15 +2489,15 @@ misc.c: mailman XSS in create script - mailman - 2.1.3 + mailman + 2.1.3 -

From the 2.1.3 release notes:

-

Closed a cross-site scripting exploit in the - create cgi script.

+

From the 2.1.3 release notes:

+

Closed a cross-site scripting exploit in the + create cgi script.

@@ -2482,15 +2514,15 @@ misc.c: mailman XSS in user options page - mailman - 2.1.1 + mailman + 2.1.1 -

From the 2.1.1 release notes:

-

Closed a cross-site scripting vulnerability in - the user options page.

+

From the 2.1.1 release notes:

+

Closed a cross-site scripting vulnerability in + the user options page.

@@ -2507,17 +2539,17 @@ misc.c: SQL injection vulnerability in phpnuke - phpnuke - 6.9 + phpnuke + 6.9 -

Multiple researchers have discovered multiple SQL injection - vulnerabilities in some versions of Php-Nuke. These - vulnerabilities may lead to information disclosure, compromise - of the Php-Nuke site, or compromise of the back-end - database.

+

Multiple researchers have discovered multiple SQL injection + vulnerabilities in some versions of Php-Nuke. These + vulnerabilities may lead to information disclosure, compromise + of the Php-Nuke site, or compromise of the back-end + database.

@@ -2536,20 +2568,20 @@ misc.c: lbreakout2 vulnerability in environment variable handling - lbreakout2 - 2.2.2_1 + lbreakout2 + 2.2.2_1 -

Ulf Härnhammar discovered an exploitable vulnerability in - lbreakout2's environmental variable handling. In several - instances, the contents of the HOME environmental variable - are copied to a stack or global buffer without range - checking. A local attacker may use this vulnerability to - acquire group-ID `games' privileges.

-

An exploit for this vulnerability has been published by - ``Li0n7 voila fr''.

+

Ulf Härnhammar discovered an exploitable vulnerability in + lbreakout2's environmental variable handling. In several + instances, the contents of the HOME environmental variable + are copied to a stack or global buffer without range + checking. A local attacker may use this vulnerability to + acquire group-ID `games' privileges.

+

An exploit for this vulnerability has been published by + ``Li0n7 voila fr''.

@@ -2567,15 +2599,15 @@ misc.c: hsftp format string vulnerabilities - hsftp - 1.14 + hsftp + 1.14 -

Ulf Härnhammar discovered a format string bug in hsftp's file - listing code may allow a malicious server to cause arbitrary - code execution by the client.

+

Ulf Härnhammar discovered a format string bug in hsftp's file + listing code may allow a malicious server to cause arbitrary + code execution by the client.

@@ -2591,14 +2623,14 @@ misc.c: Darwin Streaming Server denial-of-service vulnerability - DarwinStreamingServer - 4.1.3g + DarwinStreamingServer + 4.1.3g -

An attacker can cause an assertion to trigger by sending - a long User-Agent field in a request.

+

An attacker can cause an assertion to trigger by sending + a long User-Agent field in a request.

@@ -2615,18 +2647,18 @@ misc.c: libxml2 stack buffer overflow in URI parsing - libxml2 - 2.6.6 + libxml2 + 2.6.6 -

Yuuichi Teranishi reported a crash in libxml2's URI handling - when a long URL is supplied. The implementation in nanohttp.c - and nanoftp.c uses a 4K stack buffer, and longer URLs will - overwrite the stack. This could result in denial-of-service - or arbitrary code execution in applications using libxml2 - to parse documents.

+

Yuuichi Teranishi reported a crash in libxml2's URI handling + when a long URL is supplied. The implementation in nanohttp.c + and nanoftp.c uses a 4K stack buffer, and longer URLs will + overwrite the stack. This could result in denial-of-service + or arbitrary code execution in applications using libxml2 + to parse documents.

@@ -2644,15 +2676,15 @@ misc.c: file disclosure in phpMyAdmin - phpMyAdmin - 2.5.4 + phpMyAdmin + 2.5.4 -

Lack of proper input validation in phpMyAdmin may allow an - attacker to obtain the contents of any file on the target - system that is readable by the web server.

+

Lack of proper input validation in phpMyAdmin may allow an + attacker to obtain the contents of any file on the target + system that is readable by the web server.

@@ -2670,31 +2702,31 @@ misc.c: mnGoSearch buffer overflow in UdmDocToTextBuf() - mnogosearch - 3.2 + mnogosearch + 3.2 -

Jedi/Sector One <j@pureftpd.org> reported the following - on the full-disclosure list:

-
-

Every document is stored in multiple parts according to - its sections (description, body, etc) in databases. And - when the content has to be sent to the client, - UdmDocToTextBuf() concatenates those parts together and - skips metadata.

-

Unfortunately, that function lacks bounds checking and - a buffer overflow can be triggered by indexing a large - enough document.

-

'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c - . S->val length depends on the length of the original - document and on the indexer settings (the sample - configuration file has low limits that work around the - bug, though).

-

Exploitation should be easy, moreover textbuf points to - the stack.

-
+

Jedi/Sector One <j@pureftpd.org> reported the following + on the full-disclosure list:

+
+

Every document is stored in multiple parts according to + its sections (description, body, etc) in databases. And + when the content has to be sent to the client, + UdmDocToTextBuf() concatenates those parts together and + skips metadata.

+

Unfortunately, that function lacks bounds checking and + a buffer overflow can be triggered by indexing a large + enough document.

+

'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c + . S->val length depends on the length of the original + document and on the indexer settings (the sample + configuration file has low limits that work around the + bug, though).

+

Exploitation should be easy, moreover textbuf points to + the stack.

+
@@ -2710,25 +2742,25 @@ misc.c: GNU libtool insecure temporary file handling - libtool - 1.31.3.5_2 - 1.41.4.3_3 - 1.51.5.2 + libtool + 1.31.3.5_2 + 1.41.4.3_3 + 1.51.5.2 -

libtool attempts to create a temporary directory in - which to write scratch files needed during processing. A - malicious user may create a symlink and then manipulate - the directory so as to write to files to which she normally - has no permissions.

-

This has been reported as a ``symlink vulnerability'', - although I do not think that is an accurate description.

-

This vulnerability could possibly be used on a multi-user - system to gain elevated privileges, e.g. root builds some - packages, and another user successfully exploits this - vulnerability to write to a system file.

+

libtool attempts to create a temporary directory in + which to write scratch files needed during processing. A + malicious user may create a symlink and then manipulate + the directory so as to write to files to which she normally + has no permissions.

+

This has been reported as a ``symlink vulnerability'', + although I do not think that is an accurate description.

+

This vulnerability could possibly be used on a multi-user + system to gain elevated privileges, e.g. root builds some + packages, and another user successfully exploits this + vulnerability to write to a system file.

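Review bot: `although I do not think that is an accurate description` is a first-person opinion in a database entry; while the paragraph is being reindented, reword it neutrally (the entry's own title, "insecure temporary file handling", already gives the better characterisation) or attribute the opinion to its source.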
@@ -2745,16 +2777,16 @@ misc.c: seti@home remotely exploitable buffer overflow - setiathome - 3.0.8 + setiathome + 3.0.8 -

The seti@home client contains a buffer overflow in the HTTP - response handler. A malicious, spoofed seti@home server can - exploit this buffer overflow to cause remote code execution - on the client. Exploit programs are widely available.

+

The seti@home client contains a buffer overflow in the HTTP + response handler. A malicious, spoofed seti@home server can + exploit this buffer overflow to cause remote code execution + on the client. Exploit programs are widely available.

@@ -2771,15 +2803,15 @@ misc.c: icecast 1.x multiple vulnerabilities - icecast - 1.3.12 + icecast + 1.3.12 -

icecast 1.3.11 and earlier contained numerous security - vulnerabilities, the most severe allowing a remote attacker - to execute arbitrary code as root.

+

icecast 1.3.11 and earlier contained numerous security + vulnerabilities, the most severe allowing a remote attacker + to execute arbitrary code as root.

@@ -2801,18 +2833,18 @@ misc.c: nap allows arbitrary file access - nap - 1.4.5 + nap + 1.4.5 -

According to the author:

-
-

Fixed security loophole which allowed remote - clients to access arbitrary files on our - system.

-
+

According to the author:

+
+

Fixed security loophole which allowed remote + clients to access arbitrary files on our + system.

+
@@ -2828,14 +2860,14 @@ misc.c: CCE contains exploitable buffer overflows - zh-cce - 0.40 + zh-cce + 0.40 -

The Chinese Console Environment contains exploitable buffer - overflows.

+

The Chinese Console Environment contains exploitable buffer + overflows.

@@ -2851,15 +2883,15 @@ misc.c: ChiTeX/ChiLaTeX unsafe set-user-id root - zh-chitex - 0 + zh-chitex + 0 -

Niels Heinen reports that ChiTeX installs set-user-id root - executables that invoked system(3) without setting up the - environment, trivially allowing local root compromise.

+

Niels Heinen reports that ChiTeX installs set-user-id root + executables that invoked system(3) without setting up the + environment, trivially allowing local root compromise.

@@ -2875,17 +2907,17 @@ misc.c: pine remotely exploitable buffer overflow in newmail.c - zh-pine - iw-pine - pine - pine4-ssl - 4.21 + zh-pine + iw-pine + pine + pine4-ssl + 4.21 -

Kris Kennaway reports a remotely exploitable buffer overflow - in newmail.c. Mike Silbersack submitted the fix.

+

Kris Kennaway reports a remotely exploitable buffer overflow + in newmail.c. Mike Silbersack submitted the fix.

@@ -2901,17 +2933,17 @@ misc.c: pine insecure URL handling - pine - zh-pine - iw-pine - 4.44 + pine + zh-pine + iw-pine + 4.44 -

An attacker may send an email message containing a specially - constructed URL that will execute arbitrary commands when - viewed.

+

An attacker may send an email message containing a specially + constructed URL that will execute arbitrary commands when + viewed.

@@ -2927,16 +2959,16 @@ misc.c: pine remote denial-of-service attack - pine - zh-pine - iw-pine - 4.50 + pine + zh-pine + iw-pine + 4.50 -

An attacker may send a specially-formatted email message - that will cause pine to crash.

+

An attacker may send a specially-formatted email message + that will cause pine to crash.

@@ -2953,19 +2985,19 @@ misc.c: pine remotely exploitable vulnerabilities - pine - zh-pine - iw-pine - 4.58 + pine + zh-pine + iw-pine + 4.58 -

Pine versions prior to 4.58 are affected by two - vulnerabilities discovered by iDEFENSE, a buffer overflow - in mailview.c and an integer overflow in strings.c. Both - vulnerabilities can result in arbitrary code execution - when processing a malicious message.

+

Pine versions prior to 4.58 are affected by two + vulnerabilities discovered by iDEFENSE, a buffer overflow + in mailview.c and an integer overflow in strings.c. Both + vulnerabilities can result in arbitrary code execution + when processing a malicious message.

@@ -2983,16 +3015,16 @@ misc.c: rsync buffer overflow in server mode - rsync - 2.5.7 + rsync + 2.5.7 -

When rsync is run in server mode, a buffer overflow could - allow a remote attacker to execute arbitrary code with the - privileges of the rsync server. Anonymous rsync servers are - at the highest risk.

+

When rsync is run in server mode, a buffer overflow could + allow a remote attacker to execute arbitrary code with the + privileges of the rsync server. Anonymous rsync servers are + at the highest risk.

@@ -3010,20 +3042,20 @@ misc.c: Samba 3.0.x password initialization bug - samba - 3.0,13.0.1_2,1 + samba + 3.0,13.0.1_2,1 -

From the Samba 3.0.2 release notes:

-
-

Security Announcement: It has been confirmed that - previous versions of Samba 3.0 are susceptible to a password - initialization bug that could grant an attacker unauthorized - access to a user account created by the mksmbpasswd.sh shell - script.

-
+

From the Samba 3.0.2 release notes:

+
+

Security Announcement: It has been confirmed that + previous versions of Samba 3.0 are susceptible to a password + initialization bug that could grant an attacker unauthorized + access to a user account created by the mksmbpasswd.sh shell + script.

+
@@ -3040,16 +3072,16 @@ misc.c: clamav remote denial-of-service - clamav - 0.65_7 + clamav + 0.65_7 -

clamav will exit when a programming - assertion is not met. A malformed uuencoded message can - trigger this assertion, allowing an attacker to trivially - crash clamd or other components of clamav.

+

clamav will exit when a programming + assertion is not met. A malformed uuencoded message can + trigger this assertion, allowing an attacker to trivially + crash clamd or other components of clamav.

@@ -3066,16 +3098,16 @@ misc.c: Buffer overflow in Mutt 1.4 - mutt - ja-mutt - 1.41.4.2 + mutt + ja-mutt + 1.41.4.2 -

Mutt 1.4 contains a buffer overflow that could be exploited - with a specially formed message, causing Mutt to crash or - possibly execute arbitrary code.

+

Mutt 1.4 contains a buffer overflow that could be exploited + with a specially formed message, causing Mutt to crash or + possibly execute arbitrary code.

@@ -3092,24 +3124,24 @@ misc.c: Apache-SSL optional client certificate vulnerability - apache+ssl - 1.3.29.1.53 + apache+ssl + 1.3.29.1.53 -

From the Apache-SSL security advisory:

-
-

If configured with SSLVerifyClient set to 1 or 3 (client - certificates optional) and SSLFakeBasicAuth, Apache-SSL - 1.3.28+1.52 and all earlier versions would permit a - client to use real basic authentication to forge a client - certificate.

+

From the Apache-SSL security advisory:

+
+

If configured with SSLVerifyClient set to 1 or 3 (client + certificates optional) and SSLFakeBasicAuth, Apache-SSL + 1.3.28+1.52 and all earlier versions would permit a + client to use real basic authentication to forge a client + certificate.

-

All the attacker needed is the "one-line DN" of a valid - user, as used by faked basic auth in Apache-SSL, and the - fixed password ("password" by default).

-
+

All the attacker needed is the "one-line DN" of a valid + user, as used by faked basic auth in Apache-SSL, and the + fixed password ("password" by default).

+
@@ -3125,20 +3157,20 @@ misc.c: L2TP, ISAKMP, and RADIUS parsing vulnerabilities in tcpdump - tcpdump - 3.8.1_351 + tcpdump + 3.8.1_351 - FreeBSD - 5.2.1 + FreeBSD + 5.2.1 -

Jonathan Heusser discovered vulnerabilities in tcpdump's - L2TP, ISAKMP, and RADIUS protocol handlers. These - vulnerabilities may be used by an attacker to crash a running - `tcpdump' process.

+

Jonathan Heusser discovered vulnerabilities in tcpdump's + L2TP, ISAKMP, and RADIUS protocol handlers. These + vulnerabilities may be used by an attacker to crash a running + `tcpdump' process.

@@ -3158,19 +3190,19 @@ misc.c: Buffer overflow in INN control message handling - inn - 2.4.1 + inn + 2.4.1 - inn-stable - 20031022_1 + inn-stable + 20031022_1 -

A small, fixed-size stack buffer is used to construct a - filename based on a received control message. This could - result in a stack buffer overflow.

+

A small, fixed-size stack buffer is used to construct a + filename based on a received control message. This could + result in a stack buffer overflow.

@@ -3186,17 +3218,17 @@ misc.c: ProFTPD ASCII translation bug resulting in remote root compromise - proftpd - 1.2.8_1 + proftpd + 1.2.8_1 -

A buffer overflow exists in the ProFTPD code that handles - translation of newline characters during ASCII-mode file - uploads. An attacker may exploit this buffer overflow by - uploading a specially crafted file, resulting in code - execution and ultimately a remote root compromise.

+

A buffer overflow exists in the ProFTPD code that handles + translation of newline characters during ASCII-mode file + uploads. An attacker may exploit this buffer overflow by + uploading a specially crafted file, resulting in code + execution and ultimately a remote root compromise.

@@ -3213,38 +3245,38 @@ misc.c: ElGamal sign+encrypt keys created by GnuPG can be compromised - gnupg - 1.0.21.2.3_4 + gnupg + 1.0.21.2.3_4 -

Any ElGamal sign+encrypt keys created by GnuPG contain a - cryptographic weakness that may allow someone to obtain - the private key. These keys should be considered - unusable and should be revoked.

-

The following summary was written by Werner Koch, GnuPG - author:

-
-

Phong Nguyen identified a severe bug in the way GnuPG - creates and uses ElGamal keys for signing. This is - a significant security failure which can lead to a - compromise of almost all ElGamal keys used for signing. - Note that this is a real world vulnerability which will - reveal your private key within a few seconds.

-

...

-

Please take immediate action and revoke your ElGamal - signing keys. Furthermore you should take whatever - measures necessary to limit the damage done for signed or - encrypted documents using that key.

-

Note that the standard keys as generated by GnuPG (DSA - and ElGamal encryption) as well as RSA keys are NOT - vulnerable. Note also that ElGamal signing keys cannot - be generated without the use of a special flag to enable - hidden options and even then overriding a warning message - about this key type. See below for details on how to - identify vulnerable keys.

-
+

Any ElGamal sign+encrypt keys created by GnuPG contain a + cryptographic weakness that may allow someone to obtain + the private key. These keys should be considered + unusable and should be revoked.

+

The following summary was written by Werner Koch, GnuPG + author:

+
+

Phong Nguyen identified a severe bug in the way GnuPG + creates and uses ElGamal keys for signing. This is + a significant security failure which can lead to a + compromise of almost all ElGamal keys used for signing. + Note that this is a real world vulnerability which will + reveal your private key within a few seconds.

+

...

+

Please take immediate action and revoke your ElGamal + signing keys. Furthermore you should take whatever + measures necessary to limit the damage done for signed or + encrypted documents using that key.

+

Note that the standard keys as generated by GnuPG (DSA + and ElGamal encryption) as well as RSA keys are NOT + vulnerable. Note also that ElGamal signing keys cannot + be generated without the use of a special flag to enable + hidden options and even then overriding a warning message + about this key type. See below for details on how to + identify vulnerable keys.

+
@@ -3261,14 +3293,14 @@ misc.c: Mathopd buffer overflow - mathopd - 1.4p2 + mathopd + 1.4p2 -

Mathopd contains a buffer overflow in the prepare_reply() - function that may be remotely exploitable.

+

Mathopd contains a buffer overflow in the prepare_reply() + function that may be remotely exploitable.

@@ -3284,15 +3316,15 @@ misc.c: lftp HTML parsing vulnerability - lftp - 2.6.10 + lftp + 2.6.10 -

A buffer overflow exists in lftp which may be triggered when - requesting a directory listing from a malicious server over - HTTP.

+

A buffer overflow exists in lftp which may be triggered when + requesting a directory listing from a malicious server over + HTTP.

@@ -3309,16 +3341,16 @@ misc.c: qpopper format string vulnerability - qpopper - 2.53_1 + qpopper + 2.53_1 -

An authenticated user may trigger a format string - vulnerability present in qpopper's UIDL code, resulting - in arbitrary code execution with group ID `mail' - privileges.

+

An authenticated user may trigger a format string + vulnerability present in qpopper's UIDL code, resulting + in arbitrary code execution with group ID `mail' + privileges.

@@ -3336,13 +3368,13 @@ misc.c: Fetchmail address parsing vulnerability - fetchmail - 6.2.0 + fetchmail + 6.2.0 -

Fetchmail can be crashed by a malicious email message.

+

Fetchmail can be crashed by a malicious email message.

@@ -3358,15 +3390,15 @@ misc.c: Buffer overflow in pam_smb password handling - pam_smb - 1.9.9_3 + pam_smb + 1.9.9_3 -

Applications utilizing pam_smb can be compromised by - any user who can enter a password. In many cases, - this is a remote root compromise.

+

Applications utilizing pam_smb can be compromised by + any user who can enter a password. In many cases, + this is a remote root compromise.

@@ -3384,16 +3416,16 @@ misc.c: Buffer overflows in libmcrypt - libmcrypt - 2.5.6 + libmcrypt + 2.5.6 -

libmcrypt does incomplete input validation, leading to - several buffer overflow vuxml. Additionally, - a memory leak is present. Both of these problems may be - exploited in a denial-of-service attack.

+

libmcrypt does incomplete input validation, leading to + several buffer overflow vuxml. Additionally, + a memory leak is present. Both of these problems may be + exploited in a denial-of-service attack.