kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
freebsd-ports/security/vuxml/vuln.xml
Simon L. B. Nielsen e870db8f29 Document format string vulnerability in dillo.
2005-01-08 20:18:16 +00:00

10748 lines
362 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
<!--
Copyright 2003, 2004 Jacques Vidrine and contributors
Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
HTML, PDF, PostScript, RTF and so forth) with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code (VuXML) must retain the above
copyright notice, this list of conditions and the following
disclaimer as the first lines of this file unmodified.
2. Redistributions in compiled form (transformed to other DTDs,
published online in any format, converted to PDF, PostScript,
RTF and other formats) must reproduce the above copyright
notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the
distribution.
THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
$FreeBSD$
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="28ab7ddf-61ab-11d9-a9e7-0001020eed82">
<topic>dillo -- format string vulnerability</topic>
<affects>
<package>
<name>dillo</name>
<range><lt>0.8.3_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>dillo contains a format string vulnerability which could
lead to execution of arbitrary code simply by viewing a web
page or opening a HTML file.</p>
</body>
</description>
<references>
<cvename>CAN-2005-0012</cvename>
<url>http://bugs.gentoo.org/show_bug.cgi?id=76665</url>
</references>
<dates>
<discovery>2005-01-04</discovery>
<entry>2005-01-08</entry>
</dates>
</vuln>
<vuln vid="f92e1bbc-5e18-11d9-839a-0050da134090">
<topic>tnftp -- mget does not check for directory escapes</topic>
<affects>
<package>
<name>tnftp</name>
<range><lt>20050103</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When downloading a batch of files from an FTP server the
mget command does not check for directory escapes. A
specially crafted file on the FTP server could then
potentially overwrite an existing file of the user.</p>
</body>
</description>
<references>
<url>http://tigger.uic.edu/~jlongs2/holes/tnftp.txt</url>
<url>http://cvsweb.netbsd.org/bsdweb.cgi/othersrc/usr.bin/tnftp/src/cmds.c?rev=1.1.1.3&amp;content-type=text/x-cvsweb-markup</url>
<url>http://it.slashdot.org/article.pl?sid=04/12/15/2113202</url>
<mlist msgid="653D74053BA6F54A81ED83DCF969DF08CFA2AA@pivxes1.pivx.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110321888413132</mlist>
</references>
<dates>
<discovery>2004-12-15</discovery>
<entry>2005-01-07</entry>
</dates>
</vuln>
<vuln vid="8f86d8b5-6025-11d9-a9e7-0001020eed82">
<topic>tiff -- tiffdump integer overflow vulnerability</topic>
<affects>
<package>
<name>tiff</name>
<name>linux-tiff</name>
<range><lt>3.7.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dmitry V. Levin found a potential integer overflow in the
tiffdump utility which could lead to execution of arbritrary
code. This could be exploited by tricking an user into
executing tiffdump on a specially crafted tiff image.</p>
</body>
</description>
<references>
<cvename>CAN-2004-1183</cvename>
</references>
<dates>
<discovery>2005-01-06</discovery>
<entry>2005-01-06</entry>
<modified>2005-01-08</modified>
</dates>
</vuln>
<vuln vid="fc7e6a42-6012-11d9-a9e7-0001020eed82">
<topic>tiff -- directory entry count integer overflow vulnerability</topic>
<affects>
<package>
<name>tiff</name>
<name>linux-tiff</name>
<range><lt>3.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>In an iDEFENSE Security Advisory infamous41md reports:</p>
<blockquote cite="http://www.idefense.com/application/poi/display?id=174&amp;type=vulnerabilities">
<p>Remote exploitation of a heap-based buffer overflow
vulnerability within the LibTIFF package could allow
attackers to execute arbitrary code.</p>
<p>The vulnerability specifically exists due to insufficient
validation of user-supplied data when calculating the size
of a directory entry. A TIFF file includes a number of
directory entry header fields that describe the data in
the file. Included in these entries is an entry count and
offset value that are calculated to determine the size and
location of the data for that entry.</p>
</blockquote>
</body>
</description>
<references>
<bid>12075</bid>
<cvename>CAN-2004-1308</cvename>
<url>http://www.idefense.com/application/poi/display?id=174&amp;type=vulnerabilities</url>
</references>
<dates>
<discovery>2004-12-17</discovery>
<entry>2005-01-06</entry>
</dates>
</vuln>
<vuln vid="14e8f315-600e-11d9-a9e7-0001020eed82">
<topic>tiff -- stripoffsets integer overflow vulnerability</topic>
<affects>
<package>
<name>tiff</name>
<name>linux-tiff</name>
<range><lt>3.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>In an iDEFENSE Security Advisory infamous41md reports:</p>
<blockquote cite="http://www.idefense.com/application/poi/display?id=173&amp;type=vulnerabilities">
<p>Remote exploitation of an integer overflow in libtiff may
allow for the execution of arbitrary code.</p>
<p>The overflow occurs in the parsing of TIFF files set with
the STRIPOFFSETS flag in libtiff/tif_dirread.c. In the
TIFFFetchStripThing() function, the number of strips
(nstrips) is used directly in a CheckMalloc() routine
without sanity checking.</p>
</blockquote>
</body>
</description>
<references>
<bid>12075</bid>
<url>http://www.idefense.com/application/poi/display?id=173&amp;type=vulnerabilities</url>
</references>
<dates>
<discovery>2004-12-15</discovery>
<entry>2005-01-06</entry>
</dates>
</vuln>
<vuln vid="bd9fc2bf-5ffe-11d9-a11a-000a95bc6fae">
<topic>vim -- vulnerabilities in modeline handling</topic>
<affects>
<package>
<name>vim</name>
<name>vim-lite</name>
<name>vim+ruby</name>
<range><lt>6.3.45</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ciaran McCreesh discovered news ways in which a VIM modeline
can be used to trojan a text file. The patch by Bram
Moolenaar reads:</p>
<blockquote cite="ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.045">
<p>Problem: Unusual characters in an option value may cause
unexpected behavior, especially for a modeline. (Ciaran
McCreesh)</p>
<p>Solution: Don't allow setting termcap options or
'printdevice' or 'titleold' in a modeline. Don't list
options for "termcap" and "all" in a modeline. Don't allow
unusual characters in 'filetype', 'syntax', 'backupext',
'keymap', 'patchmode' and 'langmenu'.</p>
</blockquote>
<p><strong>Note:</strong> It is generally recommended that VIM
users use <code>set nomodeline</code> in
<code>~/.vimrc</code> to avoid the possibility of trojaned
text files.</p>
</body>
</description>
<references>
<url>ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.045</url>
<mlist>http://groups.yahoo.com/group/vimdev/message/38084</mlist>
</references>
<dates>
<discovery>2004-12-09</discovery>
<entry>2005-01-06</entry>
</dates>
</vuln>
<vuln vid="58fc2752-5f74-11d9-a9e7-0001020eed82">
<topic>pcal -- buffer overflow vulnerabilities</topic>
<affects>
<package>
<name>pcal</name>
<range><lt>4.8.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Danny Lungstrom has found two buffer overflow
vulnerabilities in pcal which can lead to execution of
arbitrary code by making a user run pcal on a specially
crafted calendar file.</p>
</body>
</description>
<references>
<cvename>CAN-2004-1289</cvename>
<bid>12035</bid>
<bid>12036</bid>
<mlist msgid="20041215083219.56092.qmail@cr.yp.to">http://securesoftware.list.cr.yp.to/archive/0/46</mlist>
</references>
<dates>
<discovery>2004-12-15</discovery>
<entry>2005-01-06</entry>
</dates>
</vuln>
<vuln vid="ca9ce879-5ebb-11d9-a01c-0050569f0001">
<topic>exim -- two relatively minor security issues</topic>
<affects>
<package>
<name>exim</name>
<name>exim-ldap</name>
<name>exim-ldap2</name>
<name>exim-mysql</name>
<name>exim-postgresql</name>
<name>exim-sa-exim</name>
<range><lt>4.43+28_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>1. The function host_aton() can overflow a buffer
if it is presented with an illegal IPv6 address
that has more than 8 components.</p>
<p>2. The second report described a buffer overflow
in the function spa_base64_to_bits(), which is part
of the code for SPA authentication.</p>
</body>
</description>
<references>
<mlist msgid="Pine.SOC.4.61.0501041452540.1114@draco.cus.cam.ac.uk">http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html</mlist>
</references>
<dates>
<discovery>2005-01-05</discovery>
<entry>2005-01-05</entry>
</dates>
</vuln>
<vuln vid="877e918e-5362-11d9-96d4-00065be4b5b6">
<topic>mpg123 -- playlist processing buffer overflow vulnerability</topic>
<affects>
<package>
<name>mpg123</name>
<range><le>0.59r_15</le></range>
</package>
<package>
<name>mpg123-esound</name>
<range><le>0.59r_15</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A buffer overflow vulnerability exists in the playlist
processing of mpg123. A specially crafted playlist entry
can cause a stack overflow that can be used to inject
arbitrary code into the mpg123 process </p>
<p>Note that a malicious playlist, demonstrating this
vulnerability, was released by the bug finder and may be
used as a template by attackers.</p>
</body>
</description>
<references>
<url>http://tigger.uic.edu/~jlongs2/holes/mpg123.txt</url>
<url>http://secunia.com/advisories/13511//</url>
<mlist msgid="653D74053BA6F54A81ED83DCF969DF08CFA2AA@pivxes1.pivx.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110321888413132</mlist>
</references>
<dates>
<discovery>2004-12-15</discovery>
<entry>2005-01-03</entry>
</dates>
</vuln>
<vuln vid="bd579366-5290-11d9-ac20-00065be4b5b6">
<topic>greed -- insecure GRX file processing</topic>
<affects>
<package>
<name>greed</name>
<range><le>0.81p</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A buffer overflow vulnerability has been detected in the greed
URL handling code. This bug can especially be a problem when greed is
used to process GRX (GetRight) files that originate from untrusted
sources.</p>
<p>The bug finder, Manigandan Radhakrishnan, gave the following description:</p>
<blockquote cite='http://tigger.uic.edu/~jlongs2/holes/greed.txt'>
<p>Here are the bugs. First, in main.c, DownloadLoop() uses strcat()
to copy an input filename to the end of a 128-byte COMMAND array.
Second, DownloadLoop() passes the input filename to system() without
checking for special characters such as semicolons.</p></blockquote>
</body>
</description>
<references>
<url>http://tigger.uic.edu/~jlongs2/holes/greed.txt</url>
<url>http://secunia.com/advisories/13534/</url>
<mlist msgid="653D74053BA6F54A81ED83DCF969DF08CFA2AA@pivxes1.pivx.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110321888413132</mlist>
</references>
<dates>
<discovery>2004-12-15</discovery>
<entry>2005-01-03</entry>
</dates>
</vuln>
<vuln vid="949c470e-528f-11d9-ac20-00065be4b5b6">
<topic>golddig -- local buffer overflow vulnerabilities</topic>
<affects>
<package>
<name>golddig</name>
<range><le>2.0</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two buffer overflow vulnerabilities where detected. Both issues can
be used by local users to gain group games privileges on affected systems.</p>
<p>The first overflow exists in the map name handling and can be triggered
when a very long name is given to the program during command-line execution</p>
<p>The second overflow exists in the username processing while writing
the players score to disk. Excessivly long usernames, set via the USER environment
variable, are stored without any length checks in a memory buffer.</p>
</body>
</description>
<references>
<mlist msgid="200412021055.iB2AtweU067125@repoman.freebsd.org">http://docs.FreeBSD.org/cgi/mid.cgi?200412021055.iB2AtweU067125</mlist>
</references>
<dates>
<discovery>2004-11-11</discovery>
<entry>2005-01-03</entry>
</dates>
</vuln>
<vuln vid="927743d4-5ca9-11d9-a9e7-0001020eed82">
<topic>up-imapproxy -- multiple vulnerabilities</topic>
<affects>
<package>
<name>up-imapproxy</name>
<range><lt>1.2.2</lt></range>
</package>
<package>
<name>pop3proxy</name>
<range><le>1.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Timo Sirainen reports:</p>
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109995749510773">
<p>There are various bugs in up-imapproxy which can crash
it. Since up-imapproxy runs in a single process with each
connection handled in a separate thread, any crash kills
all the connections and stops listening for new ones.</p>
<p>In 64bit systems it might be possible to make it leak
data (mails, passwords, ..) from other connections to
attacker's connection. However I don't think up-imapproxy
actually works in any 64bit system so this is just a
theoretical problem.</p>
</blockquote>
</body>
</description>
<references>
<bid>11630</bid>
<mlist msgid="1099851138.3716.3.camel@hurina">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109995749510773</mlist>
</references>
<dates>
<discovery>2004-11-17</discovery>
<entry>2005-01-02</entry>
</dates>
</vuln>
<vuln vid="832e9d75-5bfc-11d9-a9e7-0001020eed82">
<topic>kdelibs3 -- konqueror FTP command injection vulnerability</topic>
<affects>
<package>
<name>ja-kdelibs</name>
<name>kdelibs</name>
<range><lt>3.3.2_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Albert Puigsech Galicia reports that Konqueror (more
specifically kio_ftp) and Microsoft Internet Explorer are
vulnerable to a FTP command injection vulnerability which
can be exploited by tricking an user into clicking a
specially crafted FTP URI.</p>
<p>It is also reported by Ian Gulliver and Emanuele Balla that
this vulnerability can be used to tricking a client into
sending out emails without user interaction.</p>
</body>
</description>
<references>
<bid>11827</bid>
<cvename>CAN-2004-1165</cvename>
<mlist msgid="200412051011.54045.ripe@7a69ezine.org">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110245752232681</mlist>
<mlist msgid="20041223235620.GA2846@penguinhosting.net">http://marc.theaimsgroup.com/?l=full-disclosure&amp;m=110387390226693</mlist>
<mlist msgid="20041224142506.GB12939@penguinhosting.net">http://marc.theaimsgroup.com/?l=full-disclosure&amp;m=110390734925183</mlist>
<url>http://www.kde.org/info/security/advisory-20050101-1.txt</url>
</references>
<dates>
<discovery>2004-12-01</discovery>
<entry>2005-01-01</entry>
<modified>2005-01-04</modified>
</dates>
</vuln>
<vuln vid="9168253c-5a6d-11d9-a9e7-0001020eed82">
<topic>a2ps -- insecure temporary file creation</topic>
<affects>
<package>
<name>a2ps-a4</name>
<name>a2ps-letter</name>
<name>a2ps-letterdj</name>
<range><lt>4.13b_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Secunia Security Advisory reports that Javier
Fern&#225;ndez-Sanguino Pe&#241;a has found temporary file
creation vulnerabilities in the fixps and psmandup scripts
which are part of a2ps. These vulnerabilities could lead to
an attacker overwriting arbitrary files with the credentials
of the user running the vulnerable scripts.</p>
</body>
</description>
<references>
<bid>12108</bid>
<bid>12109</bid>
<url>http://secunia.com/advisories/13641/</url>
</references>
<dates>
<discovery>2004-12-27</discovery>
<entry>2004-12-30</entry>
<modified>2005-01-02</modified>
</dates>
</vuln>
<vuln vid="64c8cc2a-59b1-11d9-8a99-000c6e8f12ef">
<topic>libxine -- buffer-overflow vulnerability in aiff support</topic>
<affects>
<package>
<name>libxine</name>
<range><le>1.0.r5_3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Due to a buffer overflow in the open_aiff_file function in
demux_aiff.c, a remote attacker is able to execute arbitrary
code via a modified AIFF file.</p></body>
</description>
<references>
<cvename>CAN-2004-1300</cvename>
<url>http://tigger.uic.edu/~jlongs2/holes/xine-lib.txt</url>
</references>
<dates>
<discovery>2004-12-15</discovery>
<entry>2004-12-29</entry>
</dates>
</vuln>
<vuln vid="2e25d38b-54d1-11d9-b612-000c6e8f12ef">
<topic>jabberd -- denial-of-service vulnerability</topic>
<affects>
<package>
<name>jabber</name>
<range><lt>1.4.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Caused by corrupt parsing code in the expat library
part of jabberd it is possible for an attacker to
crash the daemon if it is not using UTF-8.</p>
</body>
</description>
<references>
<url>http://mail.jabber.org/pipermail/jabberd/2004-September/002004.html</url>
</references>
<dates>
<discovery>2004-09-19</discovery>
<entry>2004-12-26</entry>
</dates>
</vuln>
<vuln vid="a30e5e44-5440-11d9-9e1e-c296ac722cb3">
<topic>squid -- confusing results on empty acl declarations</topic>
<affects>
<package>
<name>squid</name>
<range><lt>2.5.7_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The squid-2.5 patches pages notes:</p>
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls">
<p>The meaning of the access controls becomes somewhat
confusing if any of the referenced acls is declared empty,
without any members.</p>
<p>[Administrators should] pay attention to warnings from
"squid -k parse" and do not use configurations where there
are warnings about access controls in production.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls</url>
</references>
<dates>
<discovery>2004-12-21</discovery>
<entry>2004-12-23</entry>
</dates>
</vuln>
<vuln vid="efa1344b-5477-11d9-a9e7-0001020eed82">
<topic>ethereal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ethereal</name>
<name>ethereal-lite</name>
<name>tethereal</name>
<name>tethereal-lite</name>
<range><lt>0.10.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An Ethreal Security Advisories reports:</p>
<blockquote cite="http://www.ethereal.com/appnotes/enpa-sa-00016.html">
<p>Issues have been discovered in the following protocol
dissectors:</p>
<ul>
<li>Matthew Bing discovered a bug in DICOM dissection that
could make Ethereal crash.</li>
<li>An invalid RTP timestamp could make Ethereal hang and
create a large temporary file, possibly filling
available disk space.</li>
<li>The HTTP dissector could access previously-freed
memory, causing a crash.</li>
<li>Brian Caswell discovered that an improperly formatted
SMB packet could make Ethereal hang, maximizing CPU
utilization.</li>
</ul>
<p>Impact: It may be possible to make Ethereal crash or run
arbitrary code by injecting a purposefully malformed
packet onto the wire or by convincing someone to read a
malformed packet trace file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-1139</cvename>
<cvename>CAN-2004-1140</cvename>
<cvename>CAN-2004-1141</cvename>
<cvename>CAN-2004-1142</cvename>
<url>http://www.ethereal.com/appnotes/enpa-sa-00016.html</url>
</references>
<dates>
<discovery>2004-12-14</discovery>
<entry>2004-12-23</entry>
</dates>
</vuln>
<vuln vid="e3e266e9-5473-11d9-a9e7-0001020eed82">
<topic>xpdf -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>xpdf</name>
<range><lt>3.00_5</lt></range>
</package>
<package>
<name>kdegraphics</name>
<range><lt>3.3.2_1</lt></range>
</package>
<package>
<name>gpdf</name>
<range><le>2.8.1</le></range>
</package>
<package>
<name>teTeX-base</name>
<range><le>2.0.2_6</le></range>
</package>
<package>
<name>cups-base</name>
<range><le>1.1.22.0</le></range>
</package>
<package>
<name>koffice</name>
<range><le>1.3.5,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An iDEFENSE Security Advisory reports:</p>
<blockquote cite="http://www.idefense.com/application/poi/display?id=172&amp;type=vulnerabilities">
<p>Remote exploitation of a buffer overflow vulnerability in
the xpdf PDF viewer, as included in multiple Linux
distributions, could allow attackers to execute arbitrary
code as the user viewing a PDF file. The offending code
can be found in the Gfx::doImage() function in the source
file xpdf/Gfx.cc.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-1125</cvename>
<url>http://www.idefense.com/application/poi/display?id=172&amp;type=vulnerabilities</url>
</references>
<dates>
<discovery>2004-11-23</discovery>
<entry>2004-12-23</entry>
<modified>2004-12-24</modified>
</dates>
</vuln>
<vuln vid="28e93883-539f-11d9-a9e7-0001020eed82">
<topic>acroread5 -- mailListIsPdf() buffer overflow vulnerability</topic>
<affects>
<package>
<name>acroread</name>
<name>acroread4</name>
<name>acroread5</name>
<range><lt>5.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An iDEFENSE Security Advisory reports:</p>
<blockquote cite="http://www.idefense.com/application/poi/display?id=161&amp;type=vulnerabilities">
<p>Remote exploitation of a buffer overflow in version 5.09
of Adobe Acrobat Reader for Unix could allow for execution
of arbitrary code.</p>
<p>The vulnerability specifically exists in a the function
mailListIsPdf(). This function checks if the input file
is an email message containing a PDF. It unsafely copies
user supplied data using strcat into a fixed sized
buffer.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-1152</cvename>
<certvu>253024</certvu>
<url>http://www.adobe.com/support/techdocs/331153.html</url>
<url>http://www.idefense.com/application/poi/display?id=161&amp;type=vulnerabilities</url>
</references>
<dates>
<discovery>2004-10-14</discovery>
<entry>2004-12-21</entry>
<modified>2005-01-06</modified>
</dates>
</vuln>
<vuln vid="be543d74-539a-11d9-a9e7-0001020eed82">
<topic>ecartis -- unauthorised access to admin interface</topic>
<affects>
<package>
<name>ecartis</name>
<range><lt>1.0.0.s20031228_2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Debian security advisory reports:</p>
<blockquote cite="http://www.debian.org/security/2004/dsa-572">
<p>A problem has been discovered in ecartis, a mailing-list
manager, which allows an attacker in the same domain as
the list admin to gain administrator privileges and alter
list settings.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0913</cvename>
<url>http://www.debian.org/security/2004/dsa-572</url>
<url>http://secunia.com/advisories/12918/</url>
</references>
<dates>
<discovery>2004-10-12</discovery>
<entry>2004-12-21</entry>
</dates>
</vuln>
<vuln vid="85d76f02-5380-11d9-a9e7-0001020eed82">
<topic>mplayer -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mplayer</name>
<name>mplayer-gtk</name>
<name>mplayer-gtk2</name>
<name>mplayer-esound</name>
<name>mplayer-gtk-esound</name>
<name>mplayer-gtk2-esound</name>
<range><lt>0.99.5_5</lt></range>
</package>
<package>
<name>libxine</name>
<range><le>1.0.r5_3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>iDEFENSE and the MPlayer Team has found multiple
vulnerabilities in MPlayer:</p>
<ul>
<li>Potential heap overflow in Real RTSP streaming code</li>
<li>Potential stack overflow in MMST streaming code</li>
<li>Multiple buffer overflows in BMP demuxer</li>
<li>Potential heap overflow in pnm streaming code</li>
<li>Potential buffer overflow in mp3lib</li>
</ul>
<p>These vulnerabilities could allow a remote attacker to
execute arbitrary code as the user running MPlayer. The
problem in the pnm streaming code also affects xine.</p>
</body>
</description>
<references>
<cvename>CAN-2004-1187</cvename>
<cvename>CAN-2004-1188</cvename>
<url>http://mplayerhq.hu/homepage/design7/news.html#mplayer10pre5try2</url>
<mlist msgid="IDSERV04yz5b6KZmcK80000000c@exchange.idefense.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110322526210300</mlist>
<mlist msgid="IDSERV04FVjCRGryWtI0000000f@exchange.idefense.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110322829807443</mlist>
<mlist msgid="IDSERV046beUzmRf6Ci00000012@exchange.idefense.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110323022605345</mlist>
</references>
<dates>
<discovery>2004-12-10</discovery>
<entry>2004-12-21</entry>
<modified>2004-12-29</modified>
</dates>
</vuln>
<vuln vid="0bb7677d-52f3-11d9-a9e7-0001020eed82">
<topic>krb5 -- heap buffer overflow vulnerability in libkadm5srv</topic>
<affects>
<package>
<name>krb5</name>
<name>krb5-beta</name>
<range><lt>1.3.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A MIT krb5 Security Advisory reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt">
<p>The MIT Kerberos 5 administration library (libkadm5srv)
contains a heap buffer overflow in password history
handling code which could be exploited to execute
arbitrary code on a Key Distribution Center (KDC)
host. The overflow occurs during a password change of a
principal with a certain password history state. An
administrator must have performed a certain password
policy change in order to create the vulnerable state.</p>
<p>An authenticated user, not necessarily one with
administrative privileges, could execute arbitrary code on
the KDC host, compromising an entire Kerberos realm.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-1189</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt</url>
</references>
<dates>
<discovery>2004-12-06</discovery>
<entry>2004-12-21</entry>
</dates>
</vuln>
<vuln vid="3b3676be-52e1-11d9-a9e7-0001020eed82">
<topic>samba -- integer overflow vulnerability</topic>
<affects>
<package>
<name>samba</name>
<name>ja-samba</name>
<range><lt>3.0.10,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Greg MacManus, iDEFENSE Labs reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CAN-2004-1154.html">
<p>Remote exploitation of an integer overflow vulnerability
in the smbd daemon included in Samba 2.0.x, Samba 2.2.x,
and Samba 3.0.x prior to and including 3.0.9 could allow
an attacker to cause controllable heap corruption, leading
to execution of arbitrary commands with root
privileges.</p>
<p>Successful remote exploitation allows an attacker to gain
root privileges on a vulnerable system. In order to
exploit this vulnerability an attacker must possess
credentials that allow access to a share on the Samba
server. Unsuccessful exploitation attempts will cause the
process serving the request to crash with signal 11, and
may leave evidence of an attack in logs.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-1154</cvename>
<url>http://www.idefense.com/application/poi/display?id=165&amp;type=vulnerabilities</url>
<url>http://www.samba.org/samba/security/CAN-2004-1154.html</url>
</references>
<dates>
<discovery>2004-12-02</discovery>
<entry>2004-12-21</entry>
</dates>
</vuln>
<vuln vid="d47e9d19-5016-11d9-9b5f-0050569f0001">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mod_php4-twig</name>
<name>php4-cgi</name>
<name>php4-cli</name>
<name>php4-dtc</name>
<name>php4-horde</name>
<name>php4-nms</name>
<name>php4</name>
<range><lt>4.3.10</lt></range>
</package>
<package>
<name>mod_php</name>
<name>mod_php4</name>
<range><ge>4</ge><lt>4.3.10,1</lt></range>
</package>
<package>
<name>php5</name>
<name>php5-cgi</name>
<name>php5-cli</name>
<range><lt>5.0.3</lt></range>
</package>
<package>
<name>mod_php5</name>
<range><lt>5.0.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/13481/">
<p>Multiple vulnerabilities have been reported in PHP,
which can be exploited to gain escalated privileges,
bypass certain security restrictions, gain knowledge
of sensitive information, or compromise a vulnerable
system.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/13481/</url>
<cvename>CAN-2004-1019</cvename>
<cvename>CAN-2004-1065</cvename>
<url>http://www.php.net/release_4_3_10.php</url>
<url>http://www.hardened-php.net/advisories/012004.txt</url>
</references>
<dates>
<discovery>2004-12-16</discovery>
<entry>2004-12-17</entry>
<modified>2004-12-18</modified>
</dates>
</vuln>
<vuln vid="01c231cd-4393-11d9-8bb9-00065be4b5b6">
<topic>mysql -- GRANT access restriction problem</topic>
<affects>
<package>
<name>mysql-server</name>
<range><lt>3.23.59</lt></range>
<range><ge>4.*</ge><lt>4.0.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When a user is granted access to a database with a name containing an
underscore and the underscore is not escaped then that user might
also be able to access other, similarly named, databases on the
affected system. </p>
<p>The problem is that the underscore is seen as a wildcard by MySQL
and therefore it is possible that an admin might accidently GRANT
a user access to multiple databases.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0957</cvename>
<bid>11435</bid>
<url>http://bugs.mysql.com/bug.php?id=3933</url>
<url>http://rhn.redhat.com/errata/RHSA-2004-611.html</url>
<url>http://www.openpkg.org/security/OpenPKG-SA-2004.045-mysql.html</url>
</references>
<dates>
<discovery>2004-03-29</discovery>
<entry>2004-12-16</entry>
</dates>
</vuln>
<vuln vid="06a6b2cf-484b-11d9-813c-00065be4b5b6">
<topic>mysql -- ALTER MERGE denial of service vulnerability</topic>
<affects>
<package>
<name>mysql-server</name>
<range><lt>3.23.59</lt></range>
<range><ge>4.*</ge><lt>4.0.21</lt></range>
<range><ge>4.1.*</ge><lt>4.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dean Ellis reported a denial of service vulnerability in the MySQL server:</p>
<blockquote cite="http://bugs.mysql.com/bug.php?id=4017">
<p>
Multiple threads ALTERing the same (or different) MERGE tables to change the
UNION eventually crash the server or hang the individual threads.
</p>
</blockquote>
<p>Note that a script demonstrating the problem is included in the
MySQL bug report. Attackers that have control of a MySQL account
can easily use a modified version of that script during an attack. </p>
</body>
</description>
<references>
<cvename>CAN-2004-0837</cvename>
<bid>11357</bid>
<url>http://bugs.mysql.com/bug.php?id=2408</url>
<url>http://rhn.redhat.com/errata/RHSA-2004-611.html</url>
</references>
<dates>
<discovery>2004-01-15</discovery>
<entry>2004-12-16</entry>
</dates>
</vuln>
<vuln vid="29edd807-438d-11d9-8bb9-00065be4b5b6">
<topic>mysql -- FTS request denial of service vulnerability</topic>
<affects>
<package>
<name>mysql-server</name>
<range><ge>4.*</ge><lt>4.0.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A special crafted MySQL FTS request can cause the server to crash.
Malicious MySQL users can abuse this bug in a denial of service
attack against systems running an affected MySQL daemon. </p>
<p>Note that because this bug is related to the parsing of requests,
it may happen that this bug is triggered accidently by a user when he
or she makes a typo. </p>
</body>
</description>
<references>
<url>http://bugs.mysql.com/bug.php?id=3870</url>
<cvename>CAN-2004-0956</cvename>
<bid>11432</bid>
</references>
<dates>
<discovery>2004-03-23</discovery>
<entry>2004-12-16</entry>
</dates>
</vuln>
<vuln vid="835256b8-46ed-11d9-8ce0-00065be4b5b6">
<topic>mysql -- mysql_real_connect buffer overflow vulnerability</topic>
<affects>
<package>
<name>mysql-server</name>
<range><lt>3.23.59</lt></range>
<range><ge>4.*</ge><lt>4.0.21</lt></range>
</package>
<package>
<name>mysql-client</name>
<range><lt>3.23.59</lt></range>
<range><ge>4.*</ge><lt>4.0.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The mysql_real_connect function doesn't properly handle DNS replies
by copying the IP address into a buffer without any length checking.
A specially crafted DNS reply may therefore be used to cause a
buffer overflow on affected systems.</p>
<p>Note that whether this issue can be exploitable depends on the system library responsible for
the gethostbyname function. The bug finder, Lukasz Wojtow, explaines this with the following words:</p>
<blockquote cite="http://bugs.mysql.com/bug.php?id=4017">
<p>In glibc there is a limitation for an IP address to have only 4
bytes (obviously), but generally speaking the length of the address
comes with a response for dns query (i know it sounds funny but
read rfc1035 if you don't believe). This bug can occur on libraries
where gethostbyname function takes length from dns's response</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0836</cvename>
<bid>10981</bid>
<url>http://bugs.mysql.com/bug.php?id=4017</url>
<url>http://lists.mysql.com/internals/14726</url>
<url>http://rhn.redhat.com/errata/RHSA-2004-611.html</url>
<url>http://www.osvdb.org/displayvuln.php?osvdb_id=10658</url>
</references>
<dates>
<discovery>2004-06-04</discovery>
<entry>2004-12-16</entry>
</dates>
</vuln>
<vuln vid="035d17b2-484a-11d9-813c-00065be4b5b6">
<topic>mysql -- erroneous access restrictions applied to table renames</topic>
<affects>
<package>
<name>mysql-server</name>
<range><lt>3.23.59</lt></range>
<range><ge>4.*</ge><lt>4.0.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Red Hat advisory reports:</p>
<blockquote cite="http://rhn.redhat.com/errata/RHSA-2004-611.html">
<p>Oleksandr Byelkin discovered that "ALTER TABLE ... RENAME"
checked the CREATE/INSERT rights of the old table instead of the new one.</p>
</blockquote>
<p>Table access restrictions, on the affected MySQL servers,
may accidently or intentially be bypassed due to this
bug.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0835</cvename>
<bid>11357</bid>
<url>http://bugs.mysql.com/bug.php?id=3270</url>
<url>http://rhn.redhat.com/errata/RHSA-2004-611.html</url>
<url>http://xforce.iss.net/xforce/xfdb/17666</url>
</references>
<dates>
<discovery>2004-03-23</discovery>
<entry>2004-12-16</entry>
</dates>
</vuln>
<vuln vid="0ff0e9a6-4ee0-11d9-a9e7-0001020eed82">
<topic>phpmyadmin -- command execution vulnerability</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>2.6.0.2</ge><lt>2.6.1.r1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A phpMyAdmin security announcement reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4">
<p>Command execution: since phpMyAdmin 2.6.0-pl2, on a
system where external MIME-based transformations are
activated, an attacker can put into MySQL data an
offensive value that starts a shell command when
browsed.</p>
</blockquote>
<p>Enabling <q>PHP safe mode</q> on the server can be used as
a workaround for this vulnerability.</p>
</body>
</description>
<references>
<cvename>CAN-2004-1147</cvename>
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4</url>
<url>http://www.exaprobe.com/labs/advisories/esa-2004-1213.html</url>
</references>
<dates>
<discovery>2004-12-13</discovery>
<entry>2004-12-15</entry>
<modified>2004-12-19</modified>
</dates>
</vuln>
<vuln vid="9f0a405e-4edd-11d9-a9e7-0001020eed82">
<topic>phpmyadmin -- file disclosure vulnerability</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>2.6.1.r1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A phpMyAdmin security announcement reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4">
<p>File disclosure: on systems where the UploadDir mecanism
is active, read_dump.php can be called with a crafted
form; using the fact that the sql_localfile variable is
not sanitized can lead to a file disclosure.</p>
</blockquote>
<p>Enabling <q>PHP safe mode</q> on the server can be used as
a workaround for this vulnerability.</p>
</body>
</description>
<references>
<cvename>CAN-2004-1148</cvename>
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4</url>
<url>http://www.exaprobe.com/labs/advisories/esa-2004-1213.html</url>
</references>
<dates>
<discovery>2004-12-13</discovery>
<entry>2004-12-15</entry>
<modified>2004-12-19</modified>
</dates>
</vuln>
<vuln vid="06f142ff-4df3-11d9-a9e7-0001020eed82">
<topic>wget -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wget</name>
<name>wget+ipv6</name>
<name>wget-devel</name>
<name>wgetpro</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jan Minar reports that there exists multiple
vulnerabilities in wget:</p>
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110269474112384">
<p>Wget erroneously thinks that the current directory is a
fair game, and will happily write in any file in and below
it. Malicious HTTP response or malicious HTML file can
redirect wget to a file that is vital to the system, and
wget will create/append/overwrite it.</p>
<p>Wget apparently has at least two methods of
``sanitizing'' the potentially malicious data it receives
from the HTTP stream, therefore a malicious redirects can
pass the check. We haven't find a way to trick wget into
writing above the parent directory, which doesn't mean
it's not possible.</p>
<p>Malicious HTTP response can overwrite parts of the
terminal so that the user will not notice anything wrong,
or will believe the error was not fatal.</p>
</blockquote>
</body>
</description>
<references>
<bid>11871</bid>
<mlist msgid="20041209091438.GA15010@kontryhel.haltyr.dyndns.org">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110269474112384</mlist>
<url>http://bugs.debian.org/261755</url>
</references>
<dates>
<discovery>2004-12-09</discovery>
<entry>2004-12-14</entry>
</dates>
</vuln>
<vuln vid="4593cb09-4c81-11d9-983e-000c6e8f12ef">
<topic>konqueror -- Password Disclosure for SMB Shares</topic>
<affects>
<package>
<name>kdebase</name>
<name>kdelibs</name>
<range><ge>3.2.0</ge><le>3.3.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When browsing SMB shares with Konqueror, shares with
authentication show up with hidden password in the browser
bar. It is possible to store the URL as a shortcut on the
desktop where the password is then available in plain text.</p>
</body>
</description>
<references>
<mlist msgid="ICEEJPLEDKODPNFKJEGAIEBJGFAA.df@sec-consult.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110178786809694</mlist>
</references>
<dates>
<discovery>2004-10-06</discovery>
<entry>2004-12-12</entry>
</dates>
</vuln>
<vuln vid="af747389-42ba-11d9-bd37-00065be4b5b6">
<topic>mod_access_referer -- NULL pointer dereference vulnerability</topic>
<affects>
<package>
<name>mod_access_referer</name>
<range><lt>1.0.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A malformed <q>Referer</q> header field causes the Apache
ap_parse_uri_components function to discard it with the
result that a pointer is not initialized. The
mod_acesses_referer module does not take this into account
with the result that it may use such a pointer.</p>
<p>The NULL pointer vulnerability may possibly be used in a
remote denial of service attack against affected Apache
servers.</p>
</body>
</description>
<references>
<bid>7375</bid>
<url>http://secunia.com/product/1477/</url>
<mlist>http://marc.theaimsgroup.com/?l=full-disclosure&amp;m=105053485515811</mlist>
</references>
<dates>
<discovery>2003-04-16</discovery>
<entry>2004-12-11</entry>
</dates>
</vuln>
<vuln vid="f0db930b-496b-11d9-bf86-0050569f0001">
<topic>squid -- possible information disclosure</topic>
<affects>
<package>
<name>squid</name>
<range><lt>2.5.7_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The squid-2.5 patches pages notes:</p>
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-dothost">
<p>In certain conditions Squid returns random data as error messages
in response to malformed host name, possibly leaking random
internal information which may come from other requests.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-dothost</url>
</references>
<dates>
<discovery>2004-11-23</discovery>
<entry>2004-12-09</entry>
</dates>
</vuln>
<vuln vid="323784cf-48a6-11d9-a9e7-0001020eed82">
<topic>viewcvs -- information leakage</topic>
<affects>
<package>
<name>viewcvs</name>
<range><lt>0.9.2_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The <code>hide_cvsroot</code> and <code>forbidden</code>
configuration options are not properly honored by viewcvs
when exporting to a tar file which can lead to information
leakage.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0915</cvename>
<bid>11819</bid>
</references>
<dates>
<discovery>2004-11-25</discovery>
<entry>2004-12-08</entry>
<modified>2004-12-12</modified>
</dates>
</vuln>
<vuln vid="a7bfd423-484f-11d9-a9e7-0001020eed82">
<topic>cscope -- symlink attack vulnerability</topic>
<affects>
<package>
<name>cscope</name>
<range><lt>15.5_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cscope is vulnerable to a symlink attack which could lead
to an attacker overwriting arbitrary files with the
permissions of the user running cscope.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0996</cvename>
<bid>11697</bid>
<mlist msgid="20041124025903.9337.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110133485519690</mlist>
<mlist msgid="20041118012718.78b07d79.research@rexotec.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110072752707293</mlist>
<url>http://sourceforge.net/tracker/index.php?func=detail&amp;aid=1062807&amp;group_id=4664&amp;atid=104664</url>
</references>
<dates>
<discovery>2003-04-03</discovery>
<entry>2004-12-07</entry>
</dates>
</vuln>
<vuln vid="9be819c6-4633-11d9-a9e7-0001020eed82">
<topic>bnc -- remote code execution</topic>
<affects>
<package>
<name>bnc</name>
<range><lt>2.9.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A LSS Security Advisory reports:</p>
<blockquote cite="http://security.lss.hr/en/index.php?page=details&amp;ID=LSS-2004-11-03">
<p>There is a buffer overflow vulnerability in
getnickuserhost() function that is called when BNC is
processing response from IRC server.</p>
<p>Vulnerability can be exploited if attacker tricks user to
connect to his fake IRC server that will exploit this
vulnerability. If the attacker has access to BNC proxy
server, this vulnerability can be used to gain shell
access on machine where BNC proxy server is set.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-1052</cvename>
<mlist msgid="20041110131046.GA21604@cecilija.zesoi.fer.hr">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110011817627839</mlist>
<url>http://security.lss.hr/en/index.php?page=details&amp;ID=LSS-2004-11-03</url>
<url>http://www.gotbnc.com/changes.html</url>
</references>
<dates>
<discovery>2004-11-10</discovery>
<entry>2004-12-04</entry>
</dates>
</vuln>
<vuln vid="f11b219a-44b6-11d9-ae2f-021106004fd6">
<topic>rssh &amp; scponly -- arbitrary command execution</topic>
<affects>
<package>
<name>rssh</name>
<range><le>2.2.2</le></range>
</package>
<package>
<name>scponly</name>
<range><lt>4.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jason Wies identified both rssh &amp; scponly have a vulnerability
that allows arbitrary command execution. He reports:</p>
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110202047507273">
<p>The problem is compounded when you recognize that the main use of rssh and
scponly is to allow file transfers, which in turn allows a malicious user to
transfer and execute entire custom scripts on the remote machine.</p>
</blockquote>
</body>
</description>
<references>
<bid>11791</bid>
<bid>11792</bid>
<freebsdpr>ports/74633</freebsdpr>
<mlist msgid="20041202135143.GA7105@xc.net">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110202047507273</mlist>
</references>
<dates>
<discovery>2004-11-28</discovery>
<entry>2004-12-02</entry>
<modified>2004-12-12</modified>
</dates>
</vuln>
<vuln vid="2b4d5288-447e-11d9-9ebb-000854d03344">
<topic>rockdodger -- buffer overflows</topic>
<affects>
<package>
<name>rockdodger</name>
<range><lt>0.6_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The environment variable HOME is copied without regard
to buffer size, which can be used to gain elevated privilege
if the binary is installed setgid games, and a string is
read from the high score file without bounds check.</p>
<p>The port installs the binary without setgid, but with a
world-writable high score file.</p>
</body>
</description>
<references>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278878</url>
</references>
<dates>
<discovery>2004-10-29</discovery>
<entry>2004-12-02</entry>
</dates>
</vuln>
<vuln vid="40549bbf-43b5-11d9-a9e7-0001020eed82">
<topic>zip -- long path buffer overflow</topic>
<affects>
<package>
<name>zip</name>
<range><lt>2.3_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A HexView security advisory reports:</p>
<blockquote cite="http://www.hexview.com/docs/20041103-1.txt">
<p>When zip performs recursive folder compression, it does
not check for the length of resulting path. If the path is
too long, a buffer overflow occurs leading to stack
corruption and segmentation fault. It is possible to
exploit this vulnerability by embedding a shellcode in
directory or file name. While the issue is not of primary
concern for regular users, it can be critical for
environments where zip archives are re-compressed
automatically using Info-Zip application.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-1010</cvename>
<bid>11603</bid>
<url>http://www.hexview.com/docs/20041103-1.txt</url>
</references>
<dates>
<discovery>2004-10-03</discovery>
<entry>2004-12-01</entry>
<modified>2004-12-12</modified>
</dates>
</vuln>
<vuln vid="85edfb6a-43a5-11d9-a9e7-0001020eed82">
<topic>sudoscript -- signal delivery vulnerability</topic>
<affects>
<package>
<name>sudoscript</name>
<range><lt>2.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>If non-root access is enabled in sudoscript, any member of
the ssers group can send a SIGHUP signal to any process.</p>
</body>
</description>
<references>
<url>http://egbok.com/sudoscript/archives/2004/11/sudoscript_212.html</url>
</references>
<dates>
<discovery>2004-11-14</discovery>
<entry>2004-12-01</entry>
</dates>
</vuln>
<vuln vid="553224e7-4325-11d9-a3d5-000c6e8f12ef">
<topic>jabberd -- remote buffer overflow vulnerability</topic>
<affects>
<package>
<name>jabberd</name>
<range><ge>2.*</ge><le>2.0.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Caused by improper bounds-checking of username
and password in the C2S module, it is possible
for an attacker to cause a remote buffer overflow.
The server directly handles the userinput with
SQL backend functions - malicious input may lead
to buffer overflow.</p>
</body>
</description>
<references>
<mlist msgid="41A3FEE1.5030701@0x557.org">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110144303826709</mlist>
</references>
<dates>
<discovery>2004-11-24</discovery>
<entry>2004-11-30</entry>
</dates>
</vuln>
<vuln vid="cdf14b68-3ff9-11d9-8405-00065be4b5b6">
<topic>Open Dc Hub -- remote buffer overflow vulnerability</topic>
<affects>
<package>
<name>opendchub</name>
<range><le>0.7.14_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Donato Ferrante reported an exploitable buffer overflow in
this software package. Any user that can login with 'admin'
privileges can abuse it, trough the $RedirectAll command,
to execute arbitrary code.</p>
</body>
</description>
<references>
<mlist msgid="20041124155429.893852455E@chernobyl.investici.org">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110144606411674</mlist>
<url>http://www.gentoo.org/security/en/glsa/glsa-200411-37.xml</url>
</references>
<dates>
<discovery>2004-11-24</discovery>
<entry>2004-11-27</entry>
</dates>
</vuln>
<vuln vid="a163baff-3fe1-11d9-a9e7-0001020eed82">
<topic>unarj -- long filename buffer overflow</topic>
<affects>
<package>
<name>unarj</name>
<range><lt>2.43_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ludwig Nussel has discovered a buffer overflow
vulnerability in unarj's handling of long filenames which
could potentially lead to execution of arbitrary code with
the permissions of the user running unarj.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0947</cvename>
<bid>11665</bid>
</references>
<dates>
<discovery>2004-11-09</discovery>
<entry>2004-11-26</entry>
</dates>
</vuln>
<vuln vid="1f922de0-3fe5-11d9-a9e7-0001020eed82">
<topic>unarj -- directory traversal vulnerability</topic>
<affects>
<package>
<name>unarj</name>
<range><lt>2.43_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>unarj has insufficient checks for filenames that contain
<q>..</q>. This can allow an attacker to overwrite
arbitrary files with the permissions of the user running
unarj.</p>
</body>
</description>
<references>
<cvename>CAN-2004-1027</cvename>
<bid>11436</bid>
<mlist msgid="200410102243.i9AMhA9F083398@mailserver2.hushmail.com">http://marc.theaimsgroup.com/?l=full-disclosure&amp;m=109748984030292</mlist>
</references>
<dates>
<discovery>2004-10-10</discovery>
<entry>2004-11-26</entry>
</dates>
</vuln>
<vuln vid="ac619d06-3ef8-11d9-8741-c942c075aa41">
<topic>jdk/jre -- Security Vulnerability With Java Plugin</topic>
<affects>
<package>
<name>jdk</name>
<range><ge>1.4.0</ge><le>1.4.2p6_6</le></range>
<range><ge>1.3.0</ge><le>1.3.1p9_4</le></range>
</package>
<package>
<name>linux-jdk</name>
<name>linux-sun-jdk</name>
<range><ge>1.4.0</ge><le>1.4.2.05</le></range>
<range><ge>1.3.0</ge><le>1.3.1.13</le></range>
</package>
<package>
<name>linux-blackdown-jdk</name>
<range><ge>1.3.0</ge><le>1.4.2</le></range>
</package>
<package>
<name>linux-ibm-jdk</name>
<range><ge>1.3.0</ge><le>1.4.2</le></range>
</package>
<package>
<name>diablo-jdk</name>
<name>diablo-jre</name>
<range><ge>1.3.1.0</ge><le>1.3.1.0_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>
The Sun Java Plugin capability in Java 2 Runtime Environment
(JRE) 1.4.2_01, 1.4.2_04, and possibly earlier versions, does
not properly restrict access between Javascript and Java
applets during data transfer, which allows remote attackers
to load unsafe classes and execute arbitrary code.
</p>
</body>
</description>
<references>
<url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1&amp;searchclause=%22category:security%22%20%22availability,%20security%22</url>
<url>http://www.securityfocus.com/archive/1/382072</url>
<cvename>CAN-2004-1029</cvename>
<mlist msgid="20041123070248.GA25385@jouko.iki.fi">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110125046627909</mlist>
</references>
<dates>
<discovery>2004-11-24</discovery>
<entry>2004-11-25</entry>
<modified>2004-12-04</modified>
</dates>
</vuln>
<vuln vid="1a32e8ee-3edb-11d9-8699-00065be4b5b6">
<topic>ProZilla -- server response buffer overflow vulnerabilities</topic>
<affects>
<package>
<name>prozilla</name>
<range><le>1.3.6_3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Buffer overflow vulnerabilities have been reported to exist
in this software package. The vulnerabilities can be triggered by
a remote server and can be used to inject malicious code in the
ProZilla process.</p>
</body>
</description>
<references>
<url>http://www.gentoo.org/security/en/glsa/glsa-200411-31.xml</url>
<url>http://bugs.gentoo.org/show_bug.cgi?id=70090</url>
<mlist msgid="41A411E0.2010907@gmx.net">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110136626320497</mlist>
</references>
<dates>
<discovery>2004-11-23</discovery>
<entry>2004-11-25</entry>
</dates>
</vuln>
<vuln vid="31952117-3d17-11d9-8818-008088034841">
<topic>Cyrus IMAPd -- APPEND command uses undefined programming construct</topic>
<affects>
<package>
<name>cyrus-imapd</name>
<range><ge>2.2.7</ge><le>2.2.8</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>To support MULTIAPPENDS the cmd_append handler uses the
global stage array. This array is one of the things that gets
destructed when the fatal() function is triggered. When the
Cyrus IMAP code adds new entries to this array this is done
with the help of the postfix increment operator in combination
with memory allocation functions. The increment is performed
on a global variable counting the number of allocated
stages. Because the memory allocation function can fail and
therefore internally call fatal() this construct is undefined
arcording to ANSI C. This means that it is not clearly defined
if the numstage counter is already increased when fatal() is
called or not. While older gcc versions increase the counter
after the memory allocation function has returned, on newer
gcc versions (3.x) the counter gets actually increased
before. In such a case the stage destructing process will try
to free an uninitialised and maybe attacker supplied
pointer. Which again could lead to remote code
execution. (Because it is hard for an attacker to let the
memory allocation functions fail in the right moment no PoC
code for this problem was designed)</p>
</body>
</description>
<references>
<url>http://security.e-matters.de/advisories/152004.html</url>
</references>
<dates>
<discovery>2004-11-06</discovery>
<entry>2004-11-22</entry>
</dates>
</vuln>
<vuln vid="c0a269d5-3d16-11d9-8818-008088034841">
<topic>Cyrus IMAPd -- FETCH command out of bounds memory corruption</topic>
<affects>
<package>
<name>cyrus-imapd</name>
<range><lt>2.1.17</lt></range>
<range><ge>2.2.*</ge><le>2.2.8</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The argument parser of the fetch command suffers a bug very
similiar to the partial command problem. Arguments like
"body[p", "binary[p" or "binary[p" will be wrongly detected
and the bufferposition can point outside of the allocated
buffer for the rest of the parsing process. When the parser
triggers the PARSE_PARTIAL macro after such a malformed
argument was received this can lead to a similiar one byte
memory corruption and allows remote code execution, when the
heap layout was successfully controlled by the attacker.</p>
</body>
</description>
<references>
<cvename>CAN-2004-1013</cvename>
<url>http://security.e-matters.de/advisories/152004.html</url>
</references>
<dates>
<discovery>2004-11-06</discovery>
<entry>2004-11-22</entry>
<modified>2004-11-24</modified>
</dates>
</vuln>
<vuln vid="114d70f3-3d16-11d9-8818-008088034841">
<topic>Cyrus IMAPd -- PARTIAL command out of bounds memory corruption</topic>
<affects>
<package>
<name>cyrus-imapd</name>
<range><lt>2.1.17</lt></range>
<range><ge>2.2.*</ge><le>2.2.6</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Due to a bug within the argument parser of the partial
command an argument like "body[p" will be wrongly detected as
"body.peek". Because of this the bufferposition gets increased
by 10 instead of 5 and could therefore point outside the
allocated memory buffer for the rest of the parsing
process. In imapd versions prior to 2.2.7 the handling of
"body" or "bodypeek" arguments was broken so that the
terminating ']' got overwritten by a '\0'. Combined the two
problems allow a potential attacker to overwrite a single byte
of malloc() control structures, which leads to remote code
execution if the attacker successfully controls the heap
layout.</p>
</body>
</description>
<references>
<cvename>CAN-2004-1012</cvename>
<url>http://security.e-matters.de/advisories/152004.html</url>
</references>
<dates>
<discovery>2004-11-06</discovery>
<entry>2004-11-22</entry>
<modified>2004-11-24</modified>
</dates>
</vuln>
<vuln vid="816fdd8b-3d14-11d9-8818-008088034841">
<topic>Cyrus IMAPd -- IMAPMAGICPLUS preauthentification overflow</topic>
<affects>
<package>
<name>cyrus-imapd</name>
<range><ge>2.2.4</ge><le>2.2.8</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When the option imapmagicplus is activated on a server the
PROXY and LOGIN commands suffer a standard stack overflow,
because the username is not checked against a maximum length
when it is copied into a temporary stack buffer. This bug is
especially dangerous because it can be triggered before any
kind of authentification took place.</p>
</body>
</description>
<references>
<cvename>CAN-2004-1011</cvename>
<url>http://security.e-matters.de/advisories/152004.html</url>
</references>
<dates>
<discovery>2004-11-06</discovery>
<entry>2004-11-22</entry>
</dates>
</vuln>
<vuln vid="6a33477e-3a9c-11d9-84ad-000c6e8f12ef">
<topic>phpMyAdmin -- cross-site scripting vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><le>2.6.0.2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Multiple cross-site scripting vulnerabilities, caused
by improper input parameter sanitizing, were
detected in phpMyAdmin, which may enable an attacker
to do cross-site scripting attacks.</p>
</body>
</description>
<references>
<url>http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-3</url>
</references>
<dates>
<discovery>2004-11-18</discovery>
<entry>2004-11-20</entry>
</dates>
</vuln>
<vuln vid="759b8dfe-3972-11d9-a9e7-0001020eed82">
<topic>Overflow error in fetch</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><ge>5.3</ge><lt>5.3_1</lt></range>
<range><ge>5.2.1</ge><lt>5.2.1_12</lt></range>
<range><ge>5.1</ge><lt>5.1_18</lt></range>
<range><ge>5.0</ge><lt>5.0_22</lt></range>
<range><ge>4.10</ge><lt>4.10_4</lt></range>
<range><ge>4.9</ge><lt>4.9_13</lt></range>
<range><ge>4.8</ge><lt>4.8_26</lt></range>
<range><lt>4.7_28</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An integer overflow condition in <a
href="http://www.freebsd.org/cgi/man.cgi?query=fetch">fetch(1)</a>
in the processing of HTTP headers can result in a buffer
overflow.</p>
<p>A malicious server or CGI script can respond to an HTTP or
HTTPS request in such a manner as to cause arbitrary
portions of the client's memory to be overwritten, allowing
for arbitrary code execution.</p>
</body>
</description>
<references>
<freebsdsa>SA-04:16.fetch</freebsdsa>
<cvename>CAN-2004-1053</cvename>
<bid>11702</bid>
</references>
<dates>
<discovery>2004-11-14</discovery>
<entry>2004-11-18</entry>
</dates>
</vuln>
<vuln vid="f3d3f621-38d8-11d9-8fff-000c6e8f12ef">
<topic>smbd -- buffer-overrun vulnerability</topic>
<affects>
<package>
<name>samba</name>
<range><ge>3.*</ge><lt>3.0.8,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Caused by improper bounds checking of certain trans2
requests, there is a possible buffer overrun in smbd.
The attacker needs to be able to create files with
very specific Unicode filenames on the share to take
advantage of this issue.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0882</cvename>
<bid>11678</bid>
<mlist msgid="4198AE84.7020509@samba.org">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110055646329581</mlist>
</references>
<dates>
<discovery>2004-11-15</discovery>
<entry>2004-11-17</entry>
<modified>2004-12-12</modified>
</dates>
</vuln>
<vuln vid="b4af3ede-36e9-11d9-a9e7-0001020eed82">
<topic>twiki -- arbitrary shell command execution</topic>
<affects>
<package>
<name>twiki</name>
<range><lt>20040902</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hans Ulrich Niedermann reports:</p>
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110037207516456">
<p>The TWiki search function uses a user supplied search
string to compose a command line executed by the Perl
backtick (``) operator.</p>
<p>The search string is not checked properly for shell
metacharacters and is thus vulnerable to search string
containing quotes and shell commands.</p>
<p>IMPACT: An attacker is able to execute arbitrary shell
commands with the privileges of the TWiki process.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-1037</cvename>
<mlist msgid="86zn1mhchx.fsf@n-dimensional.de">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110037207516456</mlist>
<url>http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch</url>
</references>
<dates>
<discovery>2004-11-12</discovery>
<entry>2004-11-15</entry>
<modified>2004-11-23</modified>
</dates>
</vuln>
<vuln vid="50744596-368f-11d9-a9e7-0001020eed82">
<topic>proxytunnel -- format string vulnerability</topic>
<affects>
<package>
<name>proxytunnel</name>
<range><lt>1.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Gentoo Linux Security Advisory reports:</p>
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200411-07.xml">
<p>Florian Schilhabel of the Gentoo Linux Security Audit
project found a format string vulnerability in
Proxytunnel. When the program is started in daemon mode
(-a [port]), it improperly logs invalid proxy answers to
syslog.</p>
<p>A malicious remote server could send specially-crafted
invalid answers to exploit the format string
vulnerability, potentially allowing the execution of
arbitrary code on the tunnelling host with the rights of
the Proxytunnel process.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0992</cvename>
<url>http://proxytunnel.sourceforge.net/news.html</url>
<url>http://www.gentoo.org/security/en/glsa/glsa-200411-07.xml</url>
</references>
<dates>
<discovery>2004-11-01</discovery>
<entry>2004-11-15</entry>
</dates>
</vuln>
<vuln vid="bdd1537b-354c-11d9-a9e7-0001020eed82">
<topic>sudo -- privilege escalation with bash scripts</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.6.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Sudo Security Alerts reports:</p>
<blockquote cite="http://www.courtesan.com/sudo/alerts/bash_functions.html">
<p>A flaw in exists in sudo's environment sanitizing prior
to sudo version 1.6.8p2 that could allow a malicious user
with permission to run a shell script that utilized the
bash shell to run arbitrary commands.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.courtesan.com/sudo/alerts/bash_functions.html</url>
</references>
<dates>
<discovery>2004-11-11</discovery>
<entry>2004-11-13</entry>
</dates>
</vuln>
<vuln vid="d656296b-33ff-11d9-a9e7-0001020eed82">
<topic>ruby -- CGI DoS</topic>
<affects>
<package>
<name>ruby</name>
<name>ruby_r</name>
<range><gt>1.7.*</gt><lt>1.8.2.p2_2</lt></range>
<range><lt>1.6.8.2004.07.28_1</lt></range>
</package>
<package>
<name>ruby-1.7.0</name>
<range><ge>a2001.05.12</ge><le>a2001.05.26</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Ruby CGI.rb module contains a bug which can cause the
CGI module to go into an infinite loop, thereby causing a
denial-of-service situation on the web server by using all
available CPU time.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0983</cvename>
<url>http://www.debian.org/security/2004/dsa-586</url>
</references>
<dates>
<discovery>2004-11-06</discovery>
<entry>2004-11-13</entry>
<modified>2004-11-25</modified>
</dates>
</vuln>
<vuln vid="ba13dc13-340d-11d9-ac1b-000d614f7fad">
<topic>samba -- potential remote DoS vulnerability</topic>
<affects>
<package>
<name>samba</name>
<range><ge>3</ge><lt>3.0.8,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Karol Wiesek at iDEFENSE reports:</p>
<blockquote cite="http://us4.samba.org/samba/security/CAN-2004-0930.html">
<p>A remote attacker could cause an smbd process to consume
abnormal amounts of system resources due to an input
validation error when matching filenames containing
wildcard characters.</p>
</blockquote>
<p>Although samba.org classifies this as a DoS vulnerability,
several members of the security community believe it may be
exploitable for arbitrary code execution.</p>
</body>
</description>
<references>
<freebsdpr>ports/73701</freebsdpr>
<cvename>CAN-2004-0930</cvename>
<url>http://us4.samba.org/samba/security/CAN-2004-0930.html</url>
</references>
<dates>
<discovery>2004-09-30</discovery>
<entry>2004-11-12</entry>
</dates>
</vuln>
<vuln vid="fc99c736-3499-11d9-98a7-0090962cff2a">
<topic>gnats -- format string vulnerability</topic>
<affects>
<package>
<name>gnats</name>
<range><ge>4.*</ge><le>4.0_2</le></range>
<range><le>3.113.1_9</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gnats suffers from a format string bug, which may enable an
attacker to execute arbitary code.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0623</cvename>
<mlist msgid="20040625164231.7437.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108820000823191</mlist>
</references>
<dates>
<discovery>2004-06-21</discovery>
<entry>2004-11-12</entry>
</dates>
</vuln>
<vuln vid="7fbfe159-3438-11d9-a9e7-0001020eed82">
<topic>squirrelmail -- cross site scripting vulnerability</topic>
<affects>
<package>
<name>ja-squirrelmail</name>
<range><lt>1.4.3a_4,2</lt></range>
</package>
<package>
<name>squirrelmail</name>
<range><lt>1.4.3a_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A SquirrelMail Security Notice reports:</p>
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110012133608004">
<p>There is a cross site scripting issue in the decoding of
encoded text in certain headers. SquirrelMail correctly
decodes the specially crafted header, but doesn't sanitize
the decoded strings.</p>
</blockquote>
</body>
</description>
<references>
<mlist msgid="544475695.20041110000451@netdork.net">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110012133608004</mlist>
</references>
<dates>
<discovery>2004-11-03</discovery>
<entry>2004-11-12</entry>
</dates>
</vuln>
<vuln vid="1f8dea68-3436-11d9-952f-000c6e8f12ef">
<topic>bnc -- buffer-overflow vulnerability</topic>
<affects>
<package>
<name>bnc</name>
<range><le>2.8.9</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The function getnickuserhost() suffers from a buffer-overflow.
It is called when BNC processes a response from IRC server.
An attacking server can use this vulnerability to gain shell
access, on the BNC running machine.</p>
</body>
</description>
<references>
<mlist msgid="20041110131046.GA21604@cecilija.zesoi.fer.hr>">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110011817627839</mlist>
</references>
<dates>
<discovery>2004-10-11</discovery>
<entry>2004-11-11</entry>
</dates>
</vuln>
<vuln vid="027380b7-3404-11d9-ac1b-000d614f7fad">
<topic>hafiye -- lack of terminal escape sequence filtering</topic>
<affects>
<package>
<name>hafiye</name>
<range><lt>1.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A siyahsapka.org advisory reads:</p>
<blockquote cite="http://deicide.siyahsapka.org/hafiye_esc.txt">
<p>Hafiye-1.0 doesnt filter the payload when printing it to
the terminal. A malicious attacker can send packets with
escape sequence payloads to exploit this vulnerability.</p>
<p>If Hafiye has been started with -n packet count option ,
the vulnerability could allow remote code execution. For
remote code execution the victim must press Enter after
program exit.</p>
</blockquote>
<p>Note that it appears that this bug can only be exploited in
conjunction with a terminal emulator that honors the
appropriate escape sequences.</p>
</body>
</description>
<references>
<freebsdpr>ports/70978</freebsdpr>
<url>http://deicide.siyahsapka.org/hafiye_esc.txt</url>
<url>http://www.enderunix.org/hafiye/</url>
</references>
<dates>
<discovery>2004-08-23</discovery>
<entry>2004-11-11</entry>
</dates>
</vuln>
<vuln vid="e69ba632-326f-11d9-b5b7-000854d03344">
<topic>ez-ipupdate -- format string vulnerability</topic>
<affects>
<package>
<name>ez-ipupdate</name>
<range><lt>3.0.11b8_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Data supplied by a remote server is used as the format string
instead of as parameters in a syslog() call. This may lead
to crashes or potential running of arbitrary code. It is
only a problem when running in daemon mode (very common) and
when using some service types.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0980</cvename>
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-November/028590.html</mlist>
</references>
<dates>
<discovery>2004-11-11</discovery>
<entry>2004-11-11</entry>
</dates>
</vuln>
<vuln vid="eeb1c128-33e7-11d9-a9e7-0001020eed82">
<topic>ImageMagick -- EXIF parser buffer overflow</topic>
<affects>
<package>
<name>ImageMagick</name>
<range><lt>6.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>There exists a buffer overflow vulnerability in
ImageMagick's EXIF parsing code which may lead to execution
of arbitrary code.</p>
</body>
</description>
<references>
<bid>11548</bid>
<cvename>CAN-2004-0981</cvename>
<url>http://secunia.com/advisories/12995/</url>
<url>http://www.imagemagick.org/www/Changelog.html</url>
</references>
<dates>
<discovery>2004-10-25</discovery>
<entry>2004-11-11</entry>
<modified>2004-12-12</modified>
</dates>
</vuln>
<vuln vid="282dfea0-3378-11d9-b404-000c6e8f12ef">
<topic>apache2 multiple space header denial-of-service vulnerability</topic>
<affects>
<package>
<name>apache</name>
<range><gt>2.*</gt><le>2.0.52_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>It is possible for remote attackers to cause a denial-of-service
scenario on Apache 2.0.52 and earlier by sending an HTTP GET
request with a MIME header containing multiple lines full of
whitespaces.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0942</cvename>
<mlist msgid="a62f45480411010157571febcc.mail@gmail.com">http://marc.theaimsgroup.com/?l=full-disclosure&amp;m=109930632317208</mlist>
</references>
<dates>
<discovery>2004-11-01</discovery>
<entry>2004-11-10</entry>
<modified>2004-11-11</modified>
</dates>
</vuln>
<vuln vid="f3017ce1-32a4-11d9-a9e7-0001020eed82">
<topic>socat -- format string vulnerability</topic>
<affects>
<package>
<name>socat</name>
<range><lt>1.4.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Socat Security Advisory 1 states:</p>
<blockquote cite="http://www.dest-unreach.org/socat/advisory/socat-adv-1.html">
<p>socat up to version 1.4.0.2 contains a syslog() based
format string vulnerability. This issue was originally
reported by CoKi on 19 Oct.2004 <a
href="http://www.nosystem.com.ar/advisories/advisory-07.txt">http://www.nosystem.com.ar/advisories/advisory-07.txt</a>.
Further investigation showed that this vulnerability could
under some circumstances lead to local or remote execution
of arbitrary code with the privileges of the socat
process.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.dest-unreach.org/socat/advisory/socat-adv-1.html</url>
<url>http://www.nosystem.com.ar/advisories/advisory-07.txt</url>
</references>
<dates>
<discovery>2004-10-18</discovery>
<entry>2004-11-10</entry>
</dates>
</vuln>
<vuln vid="9ff4c91e-328c-11d9-a9e7-0001020eed82">
<topic>libxml -- remote buffer overflows</topic>
<affects>
<package>
<name>libxml</name>
<range><lt>1.8.17_3</lt></range>
</package>
<package>
<name>libxml2</name>
<range><lt>2.6.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p><q>infamous41md</q> reports that libxml contains multiple
buffer overflows in the URL parsing and DNS name resolving
functions. These vulnerabilities could lead to execution of
arbitrary code.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0989</cvename>
<bid>11526</bid>
<mlist msgid="20041025205132.1f1620a8.infamous41md@hotpop.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109880813013482</mlist>
<url>http://www.debian.org/security/2004/dsa-582</url>
</references>
<dates>
<discovery>2004-10-26</discovery>
<entry>2004-11-09</entry>
<modified>2004-11-10</modified>
</dates>
</vuln>
<vuln vid="a5742055-300a-11d9-a9e7-0001020eed82">
<topic>p5-Archive-Zip -- virus detection evasion</topic>
<affects>
<package>
<name>p5-Archive-Zip</name>
<range><lt>1.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An AMaViS Security Announcement reports that a
vulnerability exist in the Archive::Zip Perl module which
may lead to bypass of malicious code in anti-virus programs
by creating specially crafted ZIP files.</p>
</body>
</description>
<references>
<url>http://www.idefense.com/application/poi/display?id=153&amp;type=vulnerabilities</url>
<url>http://www.amavis.org/security/asa-2004-6.txt</url>
<url>http://rt.cpan.org/NoAuth/Bug.html?id=8077</url>
</references>
<dates>
<discovery>2004-10-18</discovery>
<entry>2004-11-08</entry>
</dates>
</vuln>
<vuln vid="6e6a6b8a-2fde-11d9-b3a2-0050fc56d258">
<topic>apache mod_include buffer overflow vulnerability</topic>
<affects>
<package>
<name>apache</name>
<range><lt>1.3.33</lt></range>
</package>
<package>
<name>apache+mod_ssl</name>
<range><lt>1.3.32+2.8.21_1</lt></range>
</package>
<package>
<name>apache+mod_ssl+ipv6</name>
<range><lt>1.3.32+2.8.21_1</lt></range>
</package>
<package>
<name>apache+mod_perl</name>
<range><le>1.3.31</le></range>
</package>
<package>
<name>apache+ipv6</name>
<range><lt>1.3.33</lt></range>
</package>
<package>
<name>apache+ssl</name>
<range><le>1.3.29.1.55</le></range>
</package>
<package>
<name>ru-apache</name>
<range><lt>1.3.33+30.21</lt></range>
</package>
<package>
<name>ru-apache+mod_ssl</name>
<range><lt>1.3.33+30.21+2.8.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>There is a buffer overflow in a function used by mod_include
that may enable a local user to gain privileges of a httpd
child. Only users that are able to create SSI documents can
take advantage of that vulnerability.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0940</cvename>
<url>http://www.securitylab.ru/48807.html</url>
</references>
<dates>
<discovery>2004-10-22</discovery>
<entry>2004-11-06</entry>
</dates>
</vuln>
<vuln vid="6a164d84-2f7f-11d9-a9e7-0001020eed82">
<topic>postgresql-contrib -- insecure temporary file
creation</topic>
<affects>
<package>
<name>postgresql-contrib</name>
<range><lt>7.2.6</lt></range>
<range><gt>7.3.*</gt><lt>7.3.8</lt></range>
<range><gt>7.4.*</gt><lt>7.4.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The make_oidjoins_check script in the PostgreSQL RDBMS has
insecure handling of temporary files, which could lead to an
attacker overwriting arbitrary files with the credentials of
the user running the make_oidjoins_check script.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0977</cvename>
<bid>11295</bid>
<url>http://www.postgresql.org/news/234.html</url>
<url>http://www.trustix.net/errata/2004/0050/</url>
</references>
<dates>
<discovery>2004-09-10</discovery>
<entry>2004-11-06</entry>
</dates>
</vuln>
<vuln vid="62239968-2f2a-11d9-a9e7-0001020eed82">
<topic>gd -- integer overflow</topic>
<affects>
<package>
<name>gd</name>
<name>uk-gd</name>
<name>ja-gd</name>
<range><lt>2.0.29,1</lt></range>
<range><gt>1.*,2</gt><lt>2.*,2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>infamous41md reports about the GD Graphics Library:</p>
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109882489302099">
<p>There is an integer overflow when allocating memory in
the routine that handles loading PNG image files. This
later leads to heap data structures being overwritten. If
an attacker tricked a user into loading a malicious PNG
image, they could leverage this into executing arbitrary
code in the context of the user opening image.</p>
</blockquote>
</body>
</description>
<references>
<bid>11523</bid>
<cvename>CAN-2004-0990</cvename>
<mlist msgid="20041025204303.4341d907.infamous41md@hotpop.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109882489302099</mlist>
<url>http://www.boutell.com/gd/manual2.0.29.html#whatsnew2.0.29</url>
</references>
<dates>
<discovery>2004-10-26</discovery>
<entry>2004-11-05</entry>
</dates>
</vuln>
<vuln vid="19518d22-2d05-11d9-8943-0050fc56d258">
<topic>putty -- buffer overflow vulnerability in ssh2 support</topic>
<affects>
<package>
<name>putty</name>
<range><lt>0.56</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>There is a bug in SSH2 support that allows a server to execute
malicious code on a connecting PuTTY client.
This attack can be performed before host key verification happens,
so a different machine -- man in the middle attack -- could fake
the machine you are connecting to.</p>
</body>
</description>
<references>
<mlist msgid="1CE07882ECEE894CA2D5A89B8DEBC4010A2DD2@porgy.admin.idefense.com>">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109890310929207</mlist>
<url>http://www.gentoo.org/security/en/glsa/glsa-200410-29.xml</url>
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ssh2-debug.html</url>
</references>
<dates>
<discovery>2004-10-26</discovery>
<entry>2004-11-04</entry>
</dates>
</vuln>
<vuln vid="e0070221-2dd8-11d9-a9e7-0001020eed82">
<topic>wzdftpd -- remote DoS</topic>
<affects>
<package>
<name>wzdftpd</name>
<range><lt>0.4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>wzdftpd contains a potential remote Denial-of-Service.</p>
</body>
</description>
<references>
<url>http://sourceforge.net/project/shownotes.php?release_id=263573</url>
</references>
<dates>
<discovery>2004-10-28</discovery>
<entry>2004-11-03</entry>
</dates>
</vuln>
<vuln vid="1f826757-26be-11d9-ad2d-0050fc56d258">
<topic>rssh -- format string vulnerability</topic>
<affects>
<package>
<name>rssh</name>
<range><le>2.2.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>There is a format string bug in rssh that enables an attacker
to execute arbitrary code from an account configured to use
rssh. On FreeBSD it is only possible to compromise the rssh
running account, not root.</p>
</body>
</description>
<references>
<url>http://www.pizzashack.org/rssh/security.shtml</url>
<mlist msgid="20041023084829.GA16819@sophic.org">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109855982425122</mlist>
</references>
<dates>
<discovery>2004-10-23</discovery>
<entry>2004-10-25</entry>
</dates>
</vuln>
<vuln vid="ed1d404d-2784-11d9-b954-000bdb1444a4">
<topic>horde -- cross-site scripting vulnerability in help
window</topic>
<affects>
<package>
<name>horde</name>
<name>horde-devel</name>
<range><lt>2.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Horde Team announcement states that a potential cross-site
scripting vulnerability in the help window has been
corrected. The vulnerability appears to involve the handling
of the <code>topic</code> and <code>module</code> parameters
of the help window template.</p>
</body>
</description>
<references>
<mlist msgid="20041026115303.10FBEC046E@neo.wg.de">http://marc.theaimsgroup.com/?l=horde-announce&amp;m=109879164718625</mlist>
</references>
<dates>
<discovery>2004-10-06</discovery>
<entry>2004-10-27</entry>
</dates>
</vuln>
<vuln vid="f4428842-a583-4a4c-89b7-297c3459a1c3">
<topic>bogofilter -- RFC 2047 decoder denial-of-service vulnerability</topic>
<affects>
<package>
<name>bogofilter</name>
<name>bogofilter-qdbm</name>
<name>bogofilter-tdb</name>
<name>ru-bogofilter</name>
<range><ge>0.17.4</ge><lt>0.92.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The bogofilter team has been provided with a test case of a
malformatted (non-conformant) RFC-2047 encoded word that can cause
bogofilter versions 0.92.7 and prior to try to write a NUL byte into
a memory location that is either one byte past the end of a flex
buffer or to a location that is the negative of the encoded word's
start of payload data, causing a segmentation fault.</p>
</body>
</description>
<references>
<freebsdpr>73144</freebsdpr>
<cvename>CAN-2004-1007</cvename>
<mlist msgid="20041008143604.GA14934@scowler.net">http://article.gmane.org/gmane.mail.bogofilter.devel/3308</mlist>
<mlist msgid="m3r7o892vj.fsf@merlin.emma.line.org">http://article.gmane.org/gmane.mail.bogofilter.devel/3317</mlist>
<url>http://bugs.debian.org/275373</url>
<url>http://bogofilter.sourceforge.net/security/bogofilter-SA-2004-01</url>
</references>
<dates>
<discovery>2004-10-09</discovery>
<entry>2004-10-26</entry>
<modified>2004-11-03</modified>
</dates>
</vuln>
<vuln vid="ad2f3337-26bf-11d9-9289-000c41e2cdad">
<topic>xpdf -- integer overflow vulnerabilities</topic>
<affects>
<package>
<name>gpdf</name>
<name>cups-base</name>
<range><lt>1.1.22.0</lt></range>
</package>
<package>
<name>xpdf</name>
<range><lt>3.00_4</lt></range>
</package>
<package>
<name>kdegraphics</name>
<range><lt>3.3.0_1</lt></range>
</package>
<package>
<name>koffice</name>
<range><lt>1.3.2_1,1</lt></range>
</package>
<package>
<name>teTeX-base</name>
<range><lt>2.0.2_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chris Evans discovered several integer arithmetic overflows
in the xpdf 2 and xpdf 3 code bases. The flaws have impacts
ranging from denial-of-service to arbitrary code execution.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0888</cvename>
<cvename>CAN-2004-0889</cvename>
<url>http://scary.beasts.org/security/CESA-2004-002.txt</url>
<url>http://scary.beasts.org/security/CESA-2004-007.txt</url>
<url>http://www.kde.org/info/security/advisory-20041021-1.txt</url>
</references>
<dates>
<discovery>2004-10-21</discovery>
<entry>2004-10-25</entry>
</dates>
</vuln>
<vuln vid="f2d6a5e1-26b9-11d9-9289-000c41e2cdad">
<topic>gaim -- MSN denial-of-service vulnerabilities</topic>
<affects>
<package>
<name>gaim</name>
<name>ja-gaim</name>
<name>ko-gaim</name>
<name>ru-gaim</name>
<range><lt>1.0.2</lt></range>
</package>
<package>
<name>gaim</name>
<range><gt>20030000</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Gaim team discovered denial-of-service vulnerabilities in
the MSN protocol handler:</p>
<blockquote cite="http://gaim.sourceforge.net/security/?id=7">
<p>After accepting a file transfer request, Gaim will attempt
to allocate a buffer of a size equal to the entire filesize,
this allocation attempt will cause Gaim to crash if the size
exceeds the amount of available memory.</p>
</blockquote>
<blockquote cite="http://gaim.sourceforge.net/security/?id=8">
<p>Gaim allocates a buffer for the payload of each message
received based on the size field in the header of the
message. A malicious peer could specify an invalid size that
exceeds the amount of available memory.</p>
</blockquote>
</body>
</description>
<references>
<url>http://gaim.sourceforge.net/security/?id=7</url>
<url>http://gaim.sourceforge.net/security/?id=8</url>
</references>
<dates>
<discovery>2004-10-19</discovery>
<entry>2004-10-25</entry>
</dates>
</vuln>
<vuln vid="ad61657d-26b9-11d9-9289-000c41e2cdad">
<topic>gaim -- Content-Length header denial-of-service vulnerability</topic>
<affects>
<package>
<name>gaim</name>
<name>ja-gaim</name>
<name>ko-gaim</name>
<name>ru-gaim</name>
<range><lt>0.82</lt></range>
</package>
<package>
<name>gaim</name>
<range><gt>20030000</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sean <q>infamous42md</q> reports:</p>
<blockquote cite="http://gaim.sourceforge.net/security/?id=6">
<p>When a remote server provides a large "content-length"
header value, Gaim will attempt to allocate a buffer to
store the content, however this allocation attempt will
cause Gaim to crash if the length exceeds the amount of
possible memory. This happens when reading profile
information on some protocols. It also happens when smiley
themes are installed via drag and drop.</p>
</blockquote>
</body>
</description>
<references>
<url>http://gaim.sourceforge.net/security/?id=6</url>
</references>
<dates>
<discovery>2004-08-26</discovery>
<entry>2004-10-25</entry>
</dates>
</vuln>
<vuln vid="4260eacb-26b8-11d9-9289-000c41e2cdad">
<topic>gaim -- multiple buffer overflows</topic>
<affects>
<package>
<name>gaim</name>
<name>ja-gaim</name>
<name>ko-gaim</name>
<name>ru-gaim</name>
<range><lt>0.82</lt></range>
</package>
<package>
<name>gaim</name>
<range><gt>20030000</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sean <q>infamous42md</q> reports several situations in gaim
that may result in exploitable buffer overflows:</p>
<ul>
<li>Rich Text Format (RTF) messages in Novell GroupWise
protocol</li>
<li>Unsafe use of gethostbyname in zephyr protocol</li>
<li>URLs which are over 2048 bytes long once decoded</li>
</ul>
</body>
</description>
<references>
<cvename>CAN-2004-0785</cvename>
<url>http://gaim.sourceforge.net/security/?id=3</url>
<url>http://gaim.sourceforge.net/security/?id=4</url>
<url>http://gaim.sourceforge.net/security/?id=5</url>
</references>
<dates>
<discovery>2004-08-26</discovery>
<entry>2004-10-25</entry>
</dates>
</vuln>
<vuln vid="e16293f0-26b7-11d9-9289-000c41e2cdad">
<topic>gaim -- heap overflow exploitable by malicious GroupWise
server</topic>
<affects>
<package>
<name>gaim</name>
<name>ja-gaim</name>
<name>ko-gaim</name>
<name>ru-gaim</name>
<range><lt>0.82</lt></range>
</package>
<package>
<name>gaim</name>
<range><gt>20030000</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sean <q>infamous42md</q> reports that a malicous GroupWise
messaging server may be able to exploit a heap buffer
overflow in gaim, leading to arbitrary code execution.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0754</cvename>
<url>http://gaim.sourceforge.net/security/?id=2</url>
</references>
<dates>
<discovery>2004-08-26</discovery>
<entry>2004-10-25</entry>
</dates>
</vuln>
<vuln vid="635bf5f4-26b7-11d9-9289-000c41e2cdad">
<topic>gaim -- malicious smiley themes</topic>
<affects>
<package>
<name>gaim</name>
<name>ja-gaim</name>
<name>ko-gaim</name>
<name>ru-gaim</name>
<range><lt>0.82</lt></range>
</package>
<package>
<name>gaim</name>
<range><gt>20030000</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Gaim Security Issues page documents a problem with
installing smiley themes from an untrusted source:</p>
<blockquote cite="http://gaim.sourceforge.net/security/?id=1">
<p>To install a new smiley theme, a user can drag a tarball
from a graphical file manager, or a hypertext link to one
from a web browser. When a tarball is dragged, Gaim executes
a shell command to untar it. However, it does not escape the
filename before sending it to the shell. Thus, a specially
crafted filename could execute arbitrary commands if the
user could be convinced to drag a file into the smiley theme
selector.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0784</cvename>
<url>http://gaim.sourceforge.net/security/?id=1</url>
</references>
<dates>
<discovery>2004-08-22</discovery>
<entry>2004-10-25</entry>
</dates>
</vuln>
<vuln vid="1e6c4008-245f-11d9-b584-0050fc56d258">
<topic>gaim -- buffer overflow in MSN protocol support</topic>
<affects>
<package>
<name>gaim</name>
<name>ja-gaim</name>
<name>ru-gaim</name>
<range><ge>0.79</ge><le>1.0.1</le></range>
</package>
<package>
<name>gaim</name>
<range><gt>20030000</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Due to a buffer overflow in the MSN protocol support for
gaim 0.79 to 1.0.1, it is possible for remote clients to do a
denial-of-service attack on the application.
This is caused by an unbounded copy operation, which writes
to the wrong buffer.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0891</cvename>
<url>http://gaim.sourceforge.net/security/?id=9</url>
</references>
<dates>
<discovery>2004-10-19</discovery>
<entry>2004-10-25</entry>
</dates>
</vuln>
<vuln vid="4238151d-207a-11d9-bfe2-0090962cff2a">
<topic>mod_ssl -- SSLCipherSuite bypass</topic>
<affects>
<package>
<name>ru-apache+mod_ssl</name>
<range><le>1.3.31+30.20+2.8.18</le></range>
</package>
<package>
<name>apache+mod_ssl</name>
<range><lt>1.3.31+2.8.20</lt></range>
</package>
<package>
<name>apache+mod_ssl+ipv6</name>
<range><le>1.3.31+2.8.18_4</le></range>
</package>
<package>
<name>apache2</name>
<range><le>2.0.52_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>It is possible for clients to use any cipher suite configured by
the virtual host, whether or not a certain cipher suite is selected
for a specific directory. This might result in clients using a
weaker encryption than originally configured.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0885</cvename>
<mlist msgid="20041008152510.GE8385@redhat.com">http://marc.theaimsgroup.com/?l=apache-modssl&amp;m=109724918128044</mlist>
<url>http://issues.apache.org/bugzilla/show_bug.cgi?id=31505</url>
</references>
<dates>
<discovery>2004-10-01</discovery>
<entry>2004-10-23</entry>
</dates>
</vuln>
<vuln vid="20d16518-2477-11d9-814e-0001020eed82">
<topic>mpg123 -- buffer overflow in URL handling</topic>
<affects>
<package>
<name>mpg123</name>
<name>mpg123-nas</name>
<name>mpg123-esound</name>
<range><lt>0.59r_15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Carlos Barros reports that mpg123 contains two buffer
overflows. These vulnerabilities can potentially lead to
execution of arbitrary code.</p>
<p>The first buffer overflow can occur when mpg123 parses a
URL with a user-name/password field that is more than 256
characters long. This problem can be triggered either
locally or remotely via a specially crafted play list. The
second potential buffer overflow may be triggered locally by
a specially crafted symlink to the mpg123 binary. This
problem is not as serious, since mpg123 is not installed
setuid by default.</p>
</body>
</description>
<references>
<bid>11468</bid>
<cvename>CAN-2004-0982</cvename>
<mlist msgid="200410200119.42801.barros@barrossecurity.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109834486312407</mlist>
</references>
<dates>
<discovery>2004-10-02</discovery>
<entry>2004-10-23</entry>
<modified>2004-12-30</modified>
</dates>
</vuln>
<vuln vid="7b81fc47-239f-11d9-814e-0001020eed82">
<topic>apache2 -- SSL remote DoS</topic>
<affects>
<package>
<name>apache</name>
<range><gt>2.0</gt><lt>2.0.51</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache HTTP Server 2.0.51 release notes report that the
following issues have been fixed:</p>
<blockquote cite="http://marc.theaimsgroup.com/?l=apache-httpd-announce&amp;m=109527608022322">
<p>A segfault in mod_ssl which can be triggered by a
malicious remote server, if proxying to SSL servers has
been configured. [CAN-2004-0751]</p>
<p>A potential infinite loop in mod_ssl which could be
triggered given particular timing of a connection
abort. [CAN-2004-0748]</p>
</blockquote>
</body>
</description>
<references>
<bid>11094</bid>
<bid>11154</bid>
<cvename>CAN-2004-0748</cvename>
<cvename>CAN-2004-0751</cvename>
<mlist msgid="029f01c49b54$dec30f20$1500a8c0@Cougar">http://marc.theaimsgroup.com/?l=apache-httpd-announce&amp;m=109527608022322</mlist>
<url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964</url>
<url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=30134</url>
</references>
<dates>
<discovery>2004-07-07</discovery>
<entry>2004-10-21</entry>
</dates>
</vuln>
<vuln vid="fc07c9ca-22ce-11d9-814e-0001020eed82">
<topic>phpmyadmin -- remote command execution
vulnerability</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<name>phpmyadmin</name>
<range><lt>2.6.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>From the phpMyAdmin 2.6.0p2 release notes:</p>
<blockquote cite="http://sourceforge.net/project/shownotes.php?release_id=274709">
<p>If PHP is not running in safe mode, a problem in the
MIME-based transformation system (with an "external"
transformation) allows to execute any command with the
privileges of the web server's user.</p>
</blockquote>
</body>
</description>
<references>
<bid>11391</bid>
<url>http://sourceforge.net/project/shownotes.php?release_id=274709</url>
<url>http://sourceforge.net/tracker/index.php?func=detail&amp;aid=1044864&amp;group_id=23067&amp;atid=377408</url>
</references>
<dates>
<discovery>2004-10-11</discovery>
<entry>2004-10-20</entry>
</dates>
</vuln>
<vuln vid="61480a9a-22b2-11d9-814e-0001020eed82">
<topic>cabextract -- insecure directory handling</topic>
<affects>
<package>
<name>cabextract</name>
<range><lt>1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cabextract has insufficient checks for file names that
contain <q>../</q>. This can cause files to be extracted to
the parent directory.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0916</cvename>
<url>http://www.kyz.uklinux.net/cabextract.php#changes</url>
</references>
<dates>
<discovery>2004-10-18</discovery>
<entry>2004-10-20</entry>
<modified>2004-10-22</modified>
</dates>
</vuln>
<vuln vid="8091fcea-f35e-11d8-81b0-000347a4fa7d">
<topic>a2ps -- insecure command line argument handling</topic>
<affects>
<package>
<name>a2ps-a4</name>
<range><lt>4.13b_2</lt></range>
</package>
<package>
<name>a2ps-letter</name>
<range><lt>4.13b_2</lt></range>
</package>
<package>
<name>a2ps-letterdj</name>
<range><lt>4.13b_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Rudolf Polzer reports:</p>
<blockquote cite="http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/70618">
<p>a2ps builds a command line for file() containing an
unescaped version of the file name, thus might call
external programs described by the file name. Running a
cronjob over a public writable directory a2ps-ing all
files in it - or simply typing "a2ps *.txt" in /tmp - is
therefore dangerous.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-1170</cvename>
<freebsdpr>ports/70618</freebsdpr>
<bid>11025</bid>
<url>http://www.osvdb.org/9176</url>
<mlist msgid="e5312d6a040824040119840c7c@mail.gmail.com">http://marc.theaimsgroup.com/?l=full-disclosure&amp;m=109334851517137</mlist>
</references>
<dates>
<discovery>2004-08-18</discovery>
<entry>2004-10-20</entry>
<modified>2004-12-30</modified>
</dates>
</vuln>
<vuln vid="746ca1ac-21ec-11d9-9289-000c41e2cdad">
<topic>ifmail -- unsafe set-user-ID application</topic>
<affects>
<package>
<name>ifmail</name>
<range><le>ifmail-2.15_4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Niels Heinen reports that ifmail allows one to specify
a configuration file. Since ifmail runs set-user-ID `news',
this may allow a local attacker to write to arbitrary files
or execute arbitrary commands as the `news' user.</p>
</body>
</description>
<references>
<url>http://cvsweb.freebsd.org/ports/news/ifmail</url>
</references>
<dates>
<discovery>2004-08-23</discovery>
<entry>2004-10-19</entry>
</dates>
</vuln>
<vuln vid="e31d44a2-21e3-11d9-9289-000c41e2cdad">
<topic>imwheel -- insecure handling of PID file</topic>
<affects>
<package>
<name>imwheel</name>
<range><lt>1.0.0.p12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Computer Academic Underground advisory describes the
consequences of imwheel's handling of the process ID file (PID
file):</p>
<blockquote
cite="http://www.caughq.org/advisories/CAU-2004-0002.txt">
<p>imwheel exclusively uses a predictably named PID file for
management of multiple imwheel processes. A race condition
exists when the -k command-line option is used to kill
existing imwheel processes. This race condition may be
used by a local user to Denial of Service another user
using imwheel, lead to resource exhaustion of the host
system, or append data to arbitrary files.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.caughq.org/advisories/CAU-2004-0002.txt</url>
<url>http://imwheel.sourceforge.net/files/DEVELOPMENT.txt</url>
</references>
<dates>
<discovery>2004-08-20</discovery>
<entry>2004-10-19</entry>
</dates>
</vuln>
<vuln vid="064225c5-1f53-11d9-836a-0090962cff2a">
<topic>squid -- NTLM authentication denial-of-service vulnerability</topic>
<affects>
<package>
<name>squid</name>
<range><lt>2.5.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A remote attacker is able to cause a denial-of-service
situation, when NTLM authentication is enabled in squid.
NTLM authentication uses two functions which lack correct
offset checking.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0832</cvename>
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=1045</url>
</references>
<dates>
<discovery>2004-08-18</discovery>
<entry>2004-08-16</entry>
</dates>
</vuln>
<vuln vid="ca543e06-207a-11d9-814e-0001020eed82">
<topic>cacti -- SQL injection</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Fernando Quintero reports that Cacti 0.8.5a suffers from a
SQL injection attack where an attacker can change the
password for any Cacti user. This attack is not possible if
the PHP option magic_quotes_gpc is set to On, which is the
default for PHP in FreeBSD.</p>
</body>
</description>
<references>
<mlist msgid="1092686621.818.8.camel@mitnick.nadied.org">http://marc.theaimsgroup.com/?l=full-disclosure&amp;m=109269427427368</mlist>
</references>
<dates>
<discovery>2004-08-16</discovery>
<entry>2004-10-17</entry>
</dates>
</vuln>
<vuln vid="18974c8a-1fbd-11d9-814e-0001020eed82">
<topic>apache13-modssl -- format string vulnerability in
proxy support</topic>
<affects>
<package>
<name>apache+mod_ssl</name>
<range><lt>1.3.31+2.8.19</lt></range>
</package>
<package>
<name>apache+mod_ssl+ipv6</name>
<range><lt>1.3.31+2.8.19</lt></range>
</package>
<package>
<name>ru-apache+mod_ssl</name>
<range><lt>1.3.31+30.20+2.8.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A OpenPKG Security Advisory reports:</p>
<blockquote cite="http://www.openpkg.org/security/OpenPKG-SA-2004.032-apache.html">
<p>Triggered by a report to Packet Storm from Virulent, a
format string vulnerability was found in mod_ssl, the
Apache SSL/TLS interface to OpenSSL, version (up to and
including) 2.8.18 for Apache 1.3. The mod_ssl in Apache
2.x is not affected. The vulnerability could be
exploitable if Apache is used as a proxy for HTTPS URLs
and the attacker established a own specially prepared DNS
and origin server environment.</p>
</blockquote>
</body>
</description>
<references>
<bid>10736</bid>
<certvu>303448</certvu>
<cvename>CAN-2004-0700</cvename>
<url>http://www.openpkg.org/security/OpenPKG-SA-2004.032-apache.html</url>
<url>http://packetstormsecurity.org/0407-advisories/modsslFormat.txt</url>
<mlist msgid="20040716204207.GA45678@engelschall.com">http://marc.theaimsgroup.com/?l=apache-modssl&amp;m=109001100906749</mlist>
</references>
<dates>
<discovery>2004-07-16</discovery>
<entry>2004-10-17</entry>
</dates>
</vuln>
<vuln vid="8e2e6ad8-1720-11d9-9fb9-00902788733b">
<topic>tor -- remote DoS and loss of anonymity</topic>
<affects>
<package>
<name>tor</name>
<range><lt>0.0.8.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tor has various remote crashes which could lead to a remote
denial-of-service and be used to defeat clients anonymity.
It is not expected that these vulnerabilities are
exploitable for arbitrary code execution.</p>
</body>
</description>
<references>
<mlist>http://archives.seul.org/or/announce/Aug-2004/msg00001.html</mlist>
<mlist>http://archives.seul.org/or/announce/Oct-2004/msg00000.html</mlist>
</references>
<dates>
<discovery>2004-08-25</discovery>
<entry>2004-10-15</entry>
</dates>
</vuln>
<vuln vid="b2cfb400-1df0-11d9-a859-0050fc56d258">
<topic>icecast -- Cross-Site Scripting Vulnerability</topic>
<affects>
<package>
<name>icecast</name>
<range><lt>1.3.12_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Caused by improper filtering of HTML code in the
status display, it is possible for a remote user
to execute scripting code in the target user's
browser.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0781</cvename>
<url>http://www.securitytracker.com/alerts/2004/Aug/1011047.html</url>
</references>
<dates>
<discovery>2004-08-24</discovery>
<entry>2004-10-13</entry>
</dates>
</vuln>
<vuln vid="741c3957-1d69-11d9-a804-0050fc56d258">
<topic>icecast -- HTTP header overflow</topic>
<affects>
<package>
<name>icecast2</name>
<range><lt>2.0.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>It is possible to execute remote code simply using
HTTP request plus 31 headers followed by a shellcode that will be
executed directly.</p>
</body>
</description>
<references>
<mlist msgid="20040928184943.0a82b6f6.aluigi@autistici.org">http://marc.theaimsgroup.com/?l=full-disclosure&amp;m=109646043512722</mlist>
</references>
<dates>
<discovery>2004-09-29</discovery>
<entry>2004-10-13</entry>
</dates>
</vuln>
<vuln vid="20dfd134-1d39-11d9-9be9-000c6e8f12e">
<topic>freeradius -- denial-of-service vulnerability</topic>
<affects>
<package>
<name>freeradius</name>
<range><ge>0.8.0</ge><lt>1.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A remote attacker may be able to crash the freeRADIUS Server
due to three independant bugs in the function which does
improper checking values while processing RADIUS
attributes.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0938</cvename>
<cvename>CAN-2004-0960</cvename>
<cvename>CAN-2004-0961</cvename>
<url>http://www.securitytracker.com/alerts/2004/Sep/1011364.html</url>
<certvu>541574</certvu>
<bid>11222</bid>
</references>
<dates>
<discovery>2004-09-20</discovery>
<entry>2004-10-13</entry>
<modified>2004-10-19</modified>
</dates>
</vuln>
<vuln vid="76301302-1d59-11d9-814e-0001020eed82">
<topic>xerces-c2 -- Attribute blowup denial-of-service</topic>
<affects>
<package>
<name>xerces-c2</name>
<range><lt>2.6.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Amit Klein reports about Xerces-C++:</p>
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109674050017645">
<p>An attacker can craft a malicious XML document, which
uses XML attributes in a way that inflicts a denial of
service condition on the target machine (XML parser). The
result of this attack is that the XML parser consumes all
the CPU.</p>
</blockquote>
</body>
</description>
<references>
<bid>11312</bid>
<mlist msgid="415F00A8.13029.1FAADB7@localhost">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109674050017645</mlist>
</references>
<dates>
<discovery>2004-10-02</discovery>
<entry>2004-10-13</entry>
<modified>2004-10-14</modified>
</dates>
</vuln>
<vuln vid="12b7b4cf-1d53-11d9-814e-0001020eed82">
<topic>wordpress -- XSS in administration panel</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>1.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pages in the administration panel of Wordpress are
vulnerable for XSS attacks.</p>
</body>
</description>
<references>
<url>http://wordpress.org/development/2004/10/wp-121/</url>
<mlist msgid="20040927231608.19365.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109641484723194</mlist>
</references>
<dates>
<discovery>2004-09-27</discovery>
<entry>2004-10-13</entry>
</dates>
</vuln>
<vuln vid="3897a2f8-1d57-11d9-bc4a-000c41e2cdad">
<topic>tiff -- multiple integer overflows</topic>
<affects>
<package>
<name>tiff</name>
<name>linux-tiff</name>
<range><le>3.6.1_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dmitry V. Levin discovered numerous integer overflow bugs in
libtiff. Most of these bugs are related to memory management,
and are believed to be exploitable for arbitrary code
execution.</p>
</body>
</description>
<references>
<certvu>687568</certvu>
<cvename>CAN-2004-0886</cvename>
</references>
<dates>
<discovery>2004-10-13</discovery>
<entry>2004-10-13</entry>
<modified>2005-01-08</modified>
</dates>
</vuln>
<vuln vid="30cea6be-1d0c-11d9-814e-0001020eed82">
<topic>CUPS -- local information disclosure</topic>
<affects>
<package>
<name>cups-base</name>
<range><lt>1.1.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Certain methods of authenticated remote printing in CUPS
can disclose user names and passwords in the log files.</p>
<p>A workaround for this problem is to set more strict
access permissions on the CUPS logfiles.</p>
</body>
</description>
<references>
<url>http://docs.info.apple.com/article.html?artnum=61798</url>
<url>http://secunia.com/advisories/12690/</url>
<url>http://www.cups.org/str.php?L920</url>
<cvename>CAN-2004-0923</cvename>
<certvu>557062</certvu>
</references>
<dates>
<discovery>2004-09-23</discovery>
<entry>2004-10-13</entry>
</dates>
</vuln>
<vuln vid="30cf9485-1c2c-11d9-9ecb-000c6e8f12ef">
<topic>zinf -- potential buffer overflow playlist support</topic>
<affects>
<package>
<name>zinf</name>
<range><lt>2.2.5</lt></range>
</package>
<package>
<name>freeamp</name>
<range><gt>0</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The audio player Zinf is vulnerable to a buffer-overflow
bug in the management of the playlist files.</p>
</body>
</description>
<references>
<mlist msgid="20040924213102.7fb91138.aluigi@autistici.org">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109608092609200</mlist>
</references>
<dates>
<discovery>2004-09-24</discovery>
<entry>2004-10-12</entry>
</dates>
</vuln>
<vuln vid="f6680c03-0bd8-11d9-8a8a-000c41e2cdad">
<topic>tiff -- RLE decoder heap overflows</topic>
<affects>
<package>
<name>tiff</name>
<name>linux-tiff</name>
<range><le>3.6.1_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chris Evans discovered several heap buffer overflows in
libtiff's RLE decoder. These overflows could be triggered
by a specially-crafted TIFF image file, resulting in an
application crash and possibly arbitrary code execution.</p>
</body>
</description>
<references>
<certvu>948752</certvu>
<cvename>CAN-2004-0803</cvename>
<url>http://scary.beasts.org/security/CESA-2004-006.txt</url>
</references>
<dates>
<discovery>2004-10-13</discovery>
<entry>2004-10-13</entry>
<modified>2005-01-08</modified>
</dates>
</vuln>
<vuln vid="26c9e8c6-1c99-11d9-814e-0001020eed82">
<topic>sharutils -- buffer overflows</topic>
<affects>
<package>
<name>sharutils</name>
<range><lt>4.2.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>From Gentoo advisory GLSA 200410-01:</p>
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200410-01.xml">
<p>sharutils contains two buffer overflows. Ulf Harnhammar
discovered a buffer overflow in shar.c, where the length
of data returned by the wc command is not checked.
Florian Schilhabel discovered another buffer overflow in
unshar.c.</p>
<p>An attacker could exploit these vulnerabilities to
execute arbitrary code as the user running one of the
sharutils programs.</p>
</blockquote>
</body>
</description>
<references>
<bid>11298</bid>
<url>http://www.gentoo.org/security/en/glsa/glsa-200410-01.xml</url>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=265904</url>
</references>
<dates>
<discovery>2004-08-15</discovery>
<entry>2004-10-13</entry>
</dates>
</vuln>
<vuln vid="3030ae22-1c7f-11d9-81a4-0050fc56d258">
<topic>mail-notification -- denial-of-service vulnerability</topic>
<affects>
<package>
<name>mail-notification</name>
<range><lt>0.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Caused by an untested return value, and a resulting
null pointer dereference, it is possible for an attacker
to crash the application. However, the attacker must first
hijack the connection between Mail Notification and the
Gmail or IMAP server.</p>
</body>
</description>
<references>
<url>http://www.nongnu.org/mailnotify/sa/mail-notification-SA-04:2.asc</url>
<url>http://www.nongnu.org/mailnotify/sa/mail-notification-SA-04:3.asc</url>
</references>
<dates>
<discovery>2004-10-06</discovery>
<entry>2004-10-12</entry>
</dates>
</vuln>
<vuln vid="65e99f52-1c5f-11d9-bc4a-000c41e2cdad">
<topic>squid -- SNMP module denial-of-service vulnerability</topic>
<affects>
<package>
<name>squid</name>
<range><lt>2.5.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Squid-2.5 patches page notes:</p>
<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-SNMP_core_dump">
<p>If a certain malformed SNMP request is received squid
restarts with a Segmentation Fault error.</p>
</blockquote>
<p>This only affects squid installations where SNMP is
explicitly enabled via "make config". As a workaround,
SNMP can be disabled by defining "snmp_port 0" in
squid.conf.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0918</cvename>
<url>http://www.idefense.com/application/poi/display?id=152&amp;type=vulnerabilities</url>
<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-SNMP_core_dump</url>
</references>
<dates>
<discovery>2004-09-29</discovery>
<entry>2004-10-12</entry>
</dates>
</vuln>
<vuln vid="0c592c4a-1bcc-11d9-a3ec-00061bd2d56f">
<topic>cyrus-sasl -- potential buffer overflow in DIGEST-MD5 plugin</topic>
<affects>
<package>
<name>cyrus-sasl</name>
<range><ge>2.*</ge><lt>2.1.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Cyrus SASL DIGEST-MD5 plugin contains a potential
buffer overflow when quoting is required in the output.</p>
</body>
</description>
<references>
<url>https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c#rev1.171</url>
</references>
<dates>
<discovery>2004-07-06</discovery>
<entry>2004-10-12</entry>
</dates>
</vuln>
<vuln vid="92268205-1947-11d9-bc4a-000c41e2cdad">
<topic>cyrus-sasl -- dynamic library loading and set-user-ID
applications</topic>
<affects>
<package>
<name>cyrus-sasl</name>
<range><le>1.5.28_3</le></range>
<range><ge>2.*</ge><le>2.1.19</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Cyrus SASL library, libsasl, contains functions which
may load dynamic libraries. These libraries may be loaded
from the path specified by the environmental variable
SASL_PATH, which in some situations may be fully controlled
by a local attacker. Thus, if a set-user-ID application
(such as chsh) utilizes libsasl, it may be possible for a
local attacker to gain superuser privileges.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0884</cvename>
<url>https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/lib/common.c#rev1.104</url>
</references>
<dates>
<discovery>2004-09-22</discovery>
<entry>2004-10-08</entry>
</dates>
</vuln>
<vuln vid="efc4819b-0b2d-11d9-bfe1-000bdb1444a4">
<topic>imp3 -- XSS hole in the HTML viewer</topic>
<affects>
<package>
<name>imp</name>
<range><lt>3.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The script vulnerabilities can only be exposed with
certain browsers and allow XSS attacks when viewing
HTML messages with the HTML MIME viewer</p>
</body>
</description>
<references>
<url>http://thread.gmane.org/gmane.comp.horde.imp/15488</url>
<url>http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.389.2.109&amp;r2=1.389.2.111&amp;ty=h</url>
</references>
<dates>
<discovery>2004-08-20</discovery>
<entry>2004-10-05</entry>
</dates>
</vuln>
<vuln vid="938f357c-16dd-11d9-bc4a-000c41e2cdad">
<topic>bmon -- unsafe set-user-ID application</topic>
<affects>
<package>
<name>bmon</name>
<range><lt>1.2.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jon Nistor reported that the FreeBSD port of bmon was
installed set-user-ID root, and executes commands using
relative paths. This could allow local user to easily obtain
root privileges.</p>
</body>
</description>
<references>
<freebsdpr>ports/67340</freebsdpr>
</references>
<dates>
<discovery>2004-05-29</discovery>
<entry>2004-10-05</entry>
</dates>
</vuln>
<vuln vid="84ab58cf-e4ac-11d8-9b0a-000347a4fa7d">
<topic>gnutls -- certificate chain verification DoS</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>1.0.17</lt></range>
</package>
<package>
<name>gnutls-devel</name>
<range><ge>1.1.*</ge><lt>1.1.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Patric Hornik reports on a problem in the certificate chain
verification procedures of GnuTLS that may result in a
denial-of-service vulnerability:</p>
<blockquote cite="http://www.hornik.sk/SA/SA-20040802.txt">
<p>The certificate chain should be verified from last root
certificate to the first certificate. Otherwise a lot
of unauthorized CPU processing can be forced to check
certificate signatures signed with arbitrary RSA/DSA keys
chosen by attacker.</p>
<p>In GnuTLS the signatures are checked from first to last
certificate, there is no limit on size of keys and no
limit on length of certificate chain.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.hornik.sk/SA/SA-20040802.txt</url>
<url>http://secunia.com/advisories/12156</url>
</references>
<dates>
<discovery>2004-08-02</discovery>
<entry>2004-10-05</entry>
</dates>
</vuln>
<vuln vid="562a3fdf-16d6-11d9-bc4a-000c41e2cdad">
<topic>php -- vulnerability in RFC 1867 file upload processing</topic>
<affects>
<package>
<name>php4</name>
<name>php4-cgi</name>
<range><le>4.3.8_2</le></range>
</package>
<package>
<name>mod_php4</name>
<range><le>4.3.8_2,1</le></range>
</package>
<package>
<name>php5</name>
<name>php5-cgi</name>
<range><le>5.0.1</le></range>
</package>
<package>
<name>mod_php5</name>
<range><le>5.0.1,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefano Di Paola discovered an issue with PHP that
could allow someone to upload a file to any directory
writeable by the httpd process. Any sanitizing performed on
the prepended directory path is ignored. This bug can only
be triggered if the $_FILES element name contains an
underscore.</p>
</body>
</description>
<references>
<mlist msgid="1095268057.2818.20.camel@localhost">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109534848430404</mlist>
<mlist msgid="1096478151.3220.6.camel@localhost">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109648426331965</mlist>
</references>
<dates>
<discovery>2004-09-15</discovery>
<entry>2004-09-15</entry>
<modified>2004-10-12</modified>
</dates>
</vuln>
<vuln vid="ad74a1bd-16d2-11d9-bc4a-000c41e2cdad">
<topic>php -- php_variables memory disclosure</topic>
<affects>
<package>
<name>mod_php4-twig</name>
<name>php4-cgi</name>
<name>php4-cli</name>
<name>php4-dtc</name>
<name>php4-horde</name>
<name>php4-nms</name>
<name>php4</name>
<range><le>4.3.8_2</le></range>
</package>
<package>
<name>mod_php</name>
<name>mod_php4</name>
<range><ge>4</ge><le>4.3.8_2,1</le></range>
</package>
<package>
<name>php5</name>
<name>php5-cgi</name>
<name>php5-cli</name>
<range><le>5.0.1</le></range>
</package>
<package>
<name>mod_php5</name>
<range><le>5.0.1,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefano Di Paola reports:</p>
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109527531130492">
<p>Bad array parsing in php_variables.c could lead to show
arbitrary memory content such as pieces of php code
and other data. This affects all GET, POST or COOKIES
variables.</p>
</blockquote>
</body>
</description>
<references>
<mlist msgid="1095267581.2818.13.camel@localhost">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109527531130492</mlist>
</references>
<dates>
<discovery>2004-09-15</discovery>
<entry>2004-10-05</entry>
</dates>
</vuln>
<vuln vid="fffacc93-16cb-11d9-bc4a-000c41e2cdad">
<topic>xv -- exploitable buffer overflows</topic>
<affects>
<package>
<name>xv</name>
<name>xv-m17n</name>
<range><lt>3.10a_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>In a Bugtraq posting, infamous41md(at)hotpop.com reported:</p>
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109302498125092">
<p>there are at least 5 exploitable buffer and heap
overflows in the image handling code. this allows someone
to craft a malicious image, trick a user into viewing the
file in xv, and upon viewing that image execute arbitrary
code under privileges of the user viewing image. note
the AT LEAST part of the above sentence. there is such a
plethora of bad code that I just stopped reading after
a while. there are at least 100 calls to sprintf() and
strcpy() with no regards for bounds of buffers. 95% of
these deal with program arguments or filenames, so they
are of no interest to exploit. however I just got sick of
reading this code after not too long. so im sure there are
still other overflows in the image handling code for other
image types.</p>
</blockquote>
<p>The posting also included an exploit.</p>
</body>
</description>
<references>
<mlist msgid="20040820032605.360e43e3.infamous41md@hotpop.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109302498125092</mlist>
</references>
<dates>
<discovery>2004-08-20</discovery>
<entry>2004-10-05</entry>
<modified>2004-10-12</modified>
</dates>
</vuln>
<vuln vid="8c33b299-163b-11d9-ac1b-000d614f7fad">
<topic>getmail -- symlink vulnerability during maildir delivery</topic>
<affects>
<package>
<name>getmail</name>
<range><lt>3.2.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>David Watson reports a symlink vulnerability in getmail.
If run as root (not the recommended mode of operation), a
local user may be able to cause getmail to write files in
arbitrary directories via a symlink attack on subdirectories
of the maildir.</p>
</body>
</description>
<references>
<mlist msgid="200409191532.38997.baikie@ehwat.freeserve.co.uk">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109571883130372</mlist>
<cvename>CAN-2004-0881</cvename>
<bid>11224</bid>
</references>
<dates>
<discovery>2004-09-19</discovery>
<entry>2004-10-04</entry>
</dates>
</vuln>
<vuln vid="67710833-1626-11d9-bc4a-000c41e2cdad">
<topic>Boundary checking errors in syscons</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><ge>5.0</ge><lt>5.2.1_11</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The syscons CONS_SCRSHOT <a
href="http://www.freebsd.org/cgi/man.cgi?query=ioctl">ioctl(2)</a>
does insufficient validation of its input arguments. In
particular, negative coordinates or large coordinates may
cause unexpected behavior.</p>
<p>It may be possible to cause the CONS_SCRSHOT ioctl to
return portions of kernel memory. Such memory might
contain sensitive information, such as portions of the
file cache or terminal buffers. This information might be
directly useful, or it might be leveraged to obtain elevated
privileges in some way. For example, a terminal buffer
might include a user-entered password.</p>
<p>This bug may be exploitable by users who have access to the
physical console or can otherwise open a /dev/ttyv* device
node.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0919</cvename>
<freebsdsa>SA-04:15.syscons</freebsdsa>
<url>http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/dev/syscons/syscons.c#rev1.429</url>
</references>
<dates>
<discovery>2004-09-30</discovery>
<entry>2004-10-04</entry>
</dates>
</vuln>
<vuln vid="2328ADEF-157C-11D9-8402-000D93664D5C">
<topic>racoon -- improper certificate handling</topic>
<affects>
<package>
<name>racoon</name>
<range><lt>20040818a</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Thomas Walpuski noted when OpenSSL would detect an error
condition for a peer certificate, racoon mistakenly ignored
the error. This could allow five invalid certificate states
to properly be used for authentication.</p>
</body>
</description>
<references>
<mlist msgid="20040614185623.GA10290@unproved.org">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108726102304507</mlist>
<url>http://www.kame.net/racoon/racoon-ml/msg00517.html</url>
</references>
<dates>
<discovery>2004-01-31</discovery>
<entry>2004-10-03</entry>
</dates>
</vuln>
<vuln vid="e8d4800f-1547-11d9-90a3-00010327614a">
<topic>distcc -- incorrect parsing of IP access control rules</topic>
<affects>
<package>
<name>distcc</name>
<range><lt>2.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://distcc.samba.org/ftp/distcc/distcc-2.16.NEWS">
<p>Fix bug that might cause IP-based access control rules not to
be interpreted correctly on 64-bit platforms.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0601</cvename>
<url>http://distcc.samba.org/ftp/distcc/distcc-2.16.NEWS</url>
</references>
<dates>
<discovery>2004-06-23</discovery>
<entry>2004-10-03</entry>
</dates>
</vuln>
<vuln vid="b2e6d1d6-1339-11d9-bc4a-000c41e2cdad">
<topic>mozilla -- scripting vulnerabilities</topic>
<affects>
<package>
<name>thunderbird</name>
<range><lt>0.8</lt></range>
</package>
<package>
<name>de-linux-mozillafirebird</name>
<name>el-linux-mozillafirebird</name>
<name>firefox</name>
<name>ja-linux-mozillafirebird-gtk1</name>
<name>ja-mozillafirebird-gtk2</name>
<name>linux-mozillafirebird</name>
<name>ru-linux-mozillafirebird</name>
<name>zhCN-linux-mozillafirebird</name>
<name>zhTW-linux-mozillafirebird</name>
<range><lt>1.p</lt></range>
</package>
<package>
<name>de-netscape7</name>
<name>fr-netscape7</name>
<name>ja-netscape7</name>
<name>netscape7</name>
<name>pt_BR-netscape7</name>
<range><le>7.2</le></range>
</package>
<package>
<name>mozilla-gtk1</name>
<name>linux-mozilla</name>
<name>linux-mozilla-devel</name>
<range><lt>1.7.3</lt></range>
</package>
<package>
<name>mozilla</name>
<range><lt>1.7.3,2</lt></range>
</package>
<package>
<!-- These package names are obsolete. -->
<name>de-linux-netscape</name>
<name>fr-linux-netscape</name>
<name>ja-linux-netscape</name>
<name>linux-netscape</name>
<name>linux-phoenix</name>
<name>mozilla+ipv6</name>
<name>mozilla-embedded</name>
<name>mozilla-firebird</name>
<name>mozilla-gtk2</name>
<name>mozilla-gtk</name>
<name>mozilla-thunderbird</name>
<name>phoenix</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Several scripting vulnerabilities were discovered and
corrected in Mozilla:</p>
<dl>
<dt>CAN-2004-0905</dt>
<dd>
<blockquote cite="http://www.mozilla.org/projects/security/known-vulnerabilities.html">
<p>javascript; links dragged onto another frame or
page allows an attacker to steal or modify sensitive
information from other sites. The user could be convinced
to drag obscurred links in the context of a game or even a
fake scrollbar. If the user could be convinced to drag two
links in sequence into a separate window (not frame) the
attacker would be able to run arbitrary programs.</p>
</blockquote>
</dd>
<dt>CAN-2004-0908</dt>
<dd>
<blockquote cite="http://www.mozilla.org/projects/security/known-vulnerabilities.html">
<p>Untrusted javascript code can read and write to the
clipboard, stealing any sensitive data the user might
have copied. <strong>Workaround:</strong> disable
javascript</p>
</blockquote>
</dd>
<dt>CAN-2004-0909</dt>
<dd>
<blockquote cite="http://www.mozilla.org/projects/security/known-vulnerabilities.html">
<p>Signed scripts requesting enhanced abilities could
construct the request in a way that led to a confusing
grant dialog, possibly fooling the user into thinking
the privilege requested was inconsequential while
actually obtaining explicit permission to run and
install software. <strong>Workaround:</strong> Never
grant enhanced abilities of any kind to untrusted web
pages.</p>
</blockquote>
</dd>
</dl>
</body>
</description>
<references>
<cvename>CAN-2004-0905</cvename>
<cvename>CAN-2004-0908</cvename>
<cvename>CAN-2004-0909</cvename>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=250862</url>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=257523</url>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=253942</url>
</references>
<dates>
<discovery>2004-09-13</discovery>
<entry>2004-09-30</entry>
</dates>
</vuln>
<vuln vid="a7e0d783-131b-11d9-bc4a-000c41e2cdad">
<topic>mozilla -- users may be lured into bypassing security dialogs</topic>
<affects>
<package>
<name>thunderbird</name>
<range><lt>0.7</lt></range>
</package>
<package>
<name>de-linux-mozillafirebird</name>
<name>el-linux-mozillafirebird</name>
<name>firefox</name>
<name>ja-linux-mozillafirebird-gtk1</name>
<name>ja-mozillafirebird-gtk2</name>
<name>linux-mozillafirebird</name>
<name>ru-linux-mozillafirebird</name>
<name>zhCN-linux-mozillafirebird</name>
<name>zhTW-linux-mozillafirebird</name>
<range><lt>0.9.2</lt></range>
</package>
<package>
<name>de-netscape7</name>
<name>fr-netscape7</name>
<name>ja-netscape7</name>
<name>netscape7</name>
<name>pt_BR-netscape7</name>
<range><le>7.2</le></range>
</package>
<package>
<name>mozilla-gtk1</name>
<name>linux-mozilla</name>
<name>linux-mozilla-devel</name>
<range><lt>1.7</lt></range>
</package>
<package>
<name>mozilla</name>
<range><lt>1.7,2</lt></range>
</package>
<package>
<!-- These package names are obsolete. -->
<name>de-linux-netscape</name>
<name>fr-linux-netscape</name>
<name>ja-linux-netscape</name>
<name>linux-netscape</name>
<name>linux-phoenix</name>
<name>mozilla+ipv6</name>
<name>mozilla-embedded</name>
<name>mozilla-firebird</name>
<name>mozilla-gtk2</name>
<name>mozilla-gtk</name>
<name>mozilla-thunderbird</name>
<name>phoenix</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>According to the Mozilla project:</p>
<blockquote cite="http://www.mozilla.org/projects/security/known-vulnerabilities.html">
<p>An attacker who could lure users into clicking in
particular places, or typing specific text, could cause a
security permission or software installation dialog to pop
up under the user's mouse click, clicking on the grant (or
install) button.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0762</cvename>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=162020</url>
</references>
<dates>
<discovery>2004-06-05</discovery>
<entry>2004-09-30</entry>
</dates>
</vuln>
<vuln vid="5360a659-131c-11d9-bc4a-000c41e2cdad">
<topic>mozilla -- hostname spoofing bug</topic>
<affects>
<package>
<name>thunderbird</name>
<range><lt>0.7</lt></range>
</package>
<package>
<name>de-linux-mozillafirebird</name>
<name>el-linux-mozillafirebird</name>
<name>firefox</name>
<name>ja-linux-mozillafirebird-gtk1</name>
<name>ja-mozillafirebird-gtk2</name>
<name>linux-mozillafirebird</name>
<name>ru-linux-mozillafirebird</name>
<name>zhCN-linux-mozillafirebird</name>
<name>zhTW-linux-mozillafirebird</name>
<range><lt>0.9.2</lt></range>
</package>
<package>
<name>de-netscape7</name>
<name>fr-netscape7</name>
<name>ja-netscape7</name>
<name>netscape7</name>
<name>pt_BR-netscape7</name>
<range><le>7.2</le></range>
</package>
<package>
<name>mozilla-gtk1</name>
<name>linux-mozilla</name>
<name>linux-mozilla-devel</name>
<range><lt>1.7</lt></range>
</package>
<package>
<name>mozilla</name>
<range><lt>1.7,2</lt></range>
</package>
<package>
<!-- These package names are obsolete. -->
<name>de-linux-netscape</name>
<name>fr-linux-netscape</name>
<name>ja-linux-netscape</name>
<name>linux-netscape</name>
<name>linux-phoenix</name>
<name>mozilla+ipv6</name>
<name>mozilla-embedded</name>
<name>mozilla-firebird</name>
<name>mozilla-gtk2</name>
<name>mozilla-gtk</name>
<name>mozilla-thunderbird</name>
<name>phoenix</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When processing URIs that contain an unqualified host name--
specifically, a domain name of only one component--
Mozilla will perform matching against the first component
of the domain name in SSL certificates. In other words, in
some situations, a certificate issued to "www.example.com"
will be accepted as matching "www".</p>
</body>
</description>
<references>
<cvename>CAN-2004-0765</cvename>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=234058</url>
</references>
<dates>
<discovery>2004-02-12</discovery>
<entry>2004-09-30</entry>
</dates>
</vuln>
<vuln vid="de16b056-132e-11d9-bc4a-000c41e2cdad">
<topic>samba -- remote file disclosure</topic>
<affects>
<package>
<name>samba</name>
<range><lt>2.2.12</lt></range>
<range><ge>3.a</ge><le>3.0.2a_1,1</le></range>
</package>
<package>
<name>ja-samba</name>
<range><lt>2.2.11.j1.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>According to a Samba Team security notice:</p>
<blockquote cite="http://www.samba.org/samba/news/#security_2.2.12">
<p>A security vulnerability has been located in Samba
2.2.x &lt;= 2.2.11 and Samba 3.0.x &lt;= 3.0.5. A remote
attacker may be able to gain access to files which exist
outside of the share's defined path. Such files must still
be readable by the account used for the connection.</p>
</blockquote>
<blockquote cite="http://www.samba.org/samba/news/#errata_05oct">
<p>The original notice for CAN-2004-0815 indicated that
Samba 3.0.x &lt;= 3.0.5 was vulnerable to the security
issue. After further research, Samba developers have
confirmed that only Samba 3.0.2a and earlier releases
contain the exploitable code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0815</cvename>
<url>http://www.samba.org/samba/news/#security_2.2.12</url>
</references>
<dates>
<discovery>2004-09-30</discovery>
<entry>2004-09-30</entry>
<modified>2004-10-15</modified>
</dates>
</vuln>
<vuln vid="ab9c559e-115a-11d9-bc4a-000c41e2cdad">
<topic>mozilla -- BMP decoder vulnerabilities</topic>
<affects>
<package>
<name>thunderbird</name>
<range><lt>0.7.3_1</lt></range>
</package>
<package>
<name>de-linux-mozillafirebird</name>
<name>el-linux-mozillafirebird</name>
<name>firefox</name>
<name>ja-linux-mozillafirebird-gtk1</name>
<name>ja-mozillafirebird-gtk2</name>
<name>linux-mozillafirebird</name>
<name>linux-phoenix</name>
<name>phoenix</name>
<name>ru-linux-mozillafirebird</name>
<name>zhCN-linux-mozillafirebird</name>
<name>zhTW-linux-mozillafirebird</name>
<range><lt>0.9.3_1</lt></range>
</package>
<package>
<name>de-netscape7</name>
<name>fr-netscape7</name>
<name>ja-netscape7</name>
<name>netscape7</name>
<name>pt_BR-netscape7</name>
<range><le>7.2</le></range>
</package>
<package>
<name>linux-mozilla</name>
<name>linux-mozilla-devel</name>
<range><lt>1.7.3</lt></range>
</package>
<package>
<name>mozilla-gtk1</name>
<range><lt>1.7.2_3</lt></range>
</package>
<package>
<name>mozilla</name>
<range><lt>1.7.2_2,2</lt></range>
<range><ge>1.8.a,2</ge><lt>1.8.a3_1,2</lt></range>
</package>
<package>
<!-- These package names are obsolete. -->
<name>mozilla+ipv6</name>
<name>mozilla-embedded</name>
<name>mozilla-firebird</name>
<name>mozilla-gtk</name>
<name>mozilla-gtk2</name>
<name>mozilla-thunderbird</name>
<name>linux-netscape</name>
<name>de-linux-netscape</name>
<name>fr-linux-netscape</name>
<name>ja-linux-netscape</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gael Delalleau discovered several integer overflows in
Mozilla's BMP decoder that can result in denial-of-service or
arbitrary code execution.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0904</cvename>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=255067</url>
<uscertta>TA04-261A</uscertta>
<certvu>847200</certvu>
</references>
<dates>
<discovery>2004-09-13</discovery>
<entry>2004-09-28</entry>
<modified>2004-09-30</modified>
</dates>
</vuln>
<vuln vid="da690355-1159-11d9-bc4a-000c41e2cdad">
<topic>mozilla -- vCard stack buffer overflow</topic>
<affects>
<package>
<name>thunderbird</name>
<range><lt>0.7.3_1</lt></range>
</package>
<package>
<name>mozilla</name>
<range><lt>1.7.2_2,2</lt></range>
<range><ge>1.8.a,2</ge><lt>1.8.a3_1,2</lt></range>
</package>
<package>
<name>mozilla-gtk1</name>
<range><lt>1.7.2_3</lt></range>
</package>
<package>
<name>linux-mozilla</name>
<range><lt>1.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Georgi Guninski discovered a stack buffer overflow which
may be triggered when viewing email messages with vCard
attachments.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0903</cvename>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=257314</url>
<uscertta>TA04-261A</uscertta>
<certvu>414240</certvu>
</references>
<dates>
<discovery>2004-09-13</discovery>
<entry>2004-09-28</entry>
<modified>2004-09-30</modified>
</dates>
</vuln>
<vuln vid="93d6162f-1153-11d9-bc4a-000c41e2cdad">
<topic>mozilla -- multiple heap buffer overflows</topic>
<affects>
<package>
<name>thunderbird</name>
<range><lt>0.7.3_1</lt></range>
</package>
<package>
<name>firefox</name>
<range><lt>0.9.3_1</lt></range>
</package>
<package>
<name>mozilla</name>
<range><lt>1.7.2_2,2</lt></range>
<range><ge>1.8.a,2</ge><lt>1.8.a3_1,2</lt></range>
</package>
<package>
<name>mozilla-gtk1</name>
<range><lt>1.7.2_3</lt></range>
</package>
<package>
<name>linux-mozilla</name>
<range><lt>1.7.3</lt></range>
</package>
<package>
<name>linux-mozillafirebird</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Several heap buffer overflows were discovered and fixed in the
most recent versions of Mozilla, Firefox, and Thunderbird.
These overflows may occur when:</p>
<ul>
<li>Using the "Send Page" function.</li>
<li>Checking mail on a malicious POP3 server.</li>
<li>Processing non-ASCII URLs.</li>
</ul>
<p>Each of these vulnerabilities may be exploited for remote
code execution.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0902</cvename>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=258005</url>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=245066</url>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=226669</url>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=256316</url>
<uscertta>TA04-261A</uscertta>
</references>
<dates>
<discovery>2004-09-13</discovery>
<entry>2004-09-28</entry>
</dates>
</vuln>
<vuln vid="edf61c61-0f07-11d9-8393-000103ccf9d6">
<topic>php -- strip_tags cross-site scripting vulnerability</topic>
<affects>
<package>
<name>mod_php4-twig</name>
<name>php4</name>
<name>php4-cgi</name>
<name>php4-cli</name>
<name>php4-dtc</name>
<name>php4-horde</name>
<name>php4-nms</name>
<range><le>4.3.7_3</le></range>
</package>
<package>
<name>mod_php4</name>
<range><le>4.3.7_3,1</le></range>
</package>
<package>
<name>php5</name>
<name>php5-cgi</name>
<name>php5-cli</name>
<range><le>5.0.0.r3_2</le></range>
</package>
<package>
<name>mod_php5</name>
<range><le>5.0.0.r3_2,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefan Esser of e-matters discovered that PHP's strip_tags()
function would ignore certain characters during parsing of tags,
allowing these tags to pass through. Select browsers could then
parse these tags, possibly allowing cross-site scripting attacks.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0595</cvename>
<mlist msgid="20040713225525.GB26865@e-matters.de">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108981589117423</mlist>
<url>http://security.e-matters.de/advisories/122004.html</url>
<bid>10724</bid>
</references>
<dates>
<discovery>2007-07-07</discovery>
<entry>2004-09-27</entry>
<modified>2004-10-02</modified>
</dates>
</vuln>
<vuln vid="dd7aa4f1-102f-11d9-8a8a-000c41e2cdad">
<topic>php -- memory_limit related vulnerability</topic>
<affects>
<package>
<name>mod_php4-twig</name>
<name>php4</name>
<name>php4-cgi</name>
<name>php4-cli</name>
<name>php4-dtc</name>
<name>php4-horde</name>
<name>php4-nms</name>
<range><le>4.3.7_3</le></range>
</package>
<package>
<name>mod_php4</name>
<range><le>4.3.7_3,1</le></range>
</package>
<package>
<name>php5</name>
<name>php5-cgi</name>
<name>php5-cli</name>
<range><le>5.0.0.r3_2</le></range>
</package>
<package>
<name>mod_php5</name>
<range><le>5.0.0.r3_2,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefan Esser of e-matters discovered a condition within PHP
that may lead to remote execution of arbitrary code. The
memory_limit facility is used to notify functions when memory
contraints have been met. Under certain conditions, the entry
into this facility is able to interrupt functions such as
zend_hash_init() at locations not suitable for interruption.
The result would leave these functions in a vulnerable state.</p>
<blockquote cite="http://security.e-matters.de/advisories/112004.html">
<p>An attacker that is able to trigger the memory_limit abort
within zend_hash_init() and is additionally able to control
the heap before the HashTable itself is allocated, is able to
supply his own HashTable destructor pointer. [...]</p>
<p>All mentioned places outside of the extensions are quite easy
to exploit, because the memory allocation up to those places
is deterministic and quite static throughout different PHP
versions. [...]</p>
<p>Because the exploit itself consist of supplying an arbitrary
destructor pointer this bug is exploitable on any platform.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0594</cvename>
<mlist msgid="20040713225329.GA26865@e-matters.de">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108981780109154</mlist>
<url>http://security.e-matters.de/advisories/112004.html</url>
<bid>10725</bid>
</references>
<dates>
<discovery>2007-07-07</discovery>
<entry>2004-09-27</entry>
<modified>2004-10-02</modified>
</dates>
</vuln>
<vuln vid="184f5d0b-0fe8-11d9-8a8a-000c41e2cdad">
<topic>subversion -- WebDAV fails to protect metadata</topic>
<affects>
<package>
<name>subversion</name>
<name>subversion-perl</name>
<name>subversion-python</name>
<range><lt>1.0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>In some situations, subversion metadata may be unexpectedly
disclosed via WebDAV. A subversion advisory states:</p>
<blockquote cite="http://subversion.tigris.org/security/CAN-2004-0749-advisory.txt">
<p>mod_authz_svn, the Apache httpd module which does path-based
authorization on Subversion repositories, is not correctly
protecting all metadata on unreadable paths.</p>
<p>This security issue is not about revealing the contents
of protected files: it only reveals metadata about
protected areas such as paths and log messages. This may
or may not be important to your organization, depending
on how you're using path-based authorization, and the
sensitivity of the metadata. </p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0749</cvename>
<url>http://subversion.tigris.org/security/CAN-2004-0749-advisory.txt</url>
</references>
<dates>
<discovery>2004-09-15</discovery>
<entry>2004-09-26</entry>
</dates>
</vuln>
<vuln vid="273cc1a3-0d6b-11d9-8a8a-000c41e2cdad">
<topic>lha -- numerous vulnerabilities when extracting archives</topic>
<affects>
<package>
<name>lha</name>
<range><lt>1.14i_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Source code reviews of lha by Lukasz Wojtow, Thomas Biege,
and others uncovered a number of vulnerabilities affecting
lha:</p>
<ul>
<li>Buffer overflows when handling archives and filenames.
(CAN-2004-0694)</li>
<li>Possible command execution via shell meta-characters when
built with NOMKDIR. (CAN-2004-0745)</li>
<li>Buffer overflow resulting in arbitrary code execution when
handling long pathnames in LHZ archives. (CAN-2004-0769)</li>
<li>Buffer overflow in the extract_one. (CAN-2004-0771)</li>
</ul>
</body>
</description>
<references>
<cvename>CAN-2004-0694</cvename>
<cvename>CAN-2004-0745</cvename>
<cvename>CAN-2004-0769</cvename>
<cvename>CAN-2004-0771</cvename>
<mlist msgid="20040515110900.24784.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108464470103227</mlist>
<mlist msgid="20040606162856.29866.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108668791510153</mlist>
<url>http://bugs.gentoo.org/show_bug.cgi?id=51285</url>
<url>http://xforce.iss.net/xforce/xfdb/16196</url>
<bid>10354</bid>
</references>
<dates>
<discovery>2004-05-17</discovery>
<entry>2004-09-23</entry>
</dates>
</vuln>
<vuln vid="77420ebb-0cf4-11d9-8a8a-000c41e2cdad">
<topic>mysql -- heap buffer overflow with prepared statements</topic>
<affects>
<package>
<name>mysql-server</name>
<name>mysql-client</name>
<range><ge>4.1.0</ge><le>4.1.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>There is a buffer overflow in the prepared statements API
(libmysqlclient) when a statement containing thousands of
placeholders is executed.</p>
</body>
</description>
<references>
<url>http://bugs.mysql.com/bug.php?id=5194</url>
<url>http://dev.mysql.com/doc/mysql/en/News-4.1.5.html</url>
<url>http://mysql.bkbits.net:8080/mysql-4.1/cset@1.1932.152.4</url>
</references>
<dates>
<discovery>2004-09-08</discovery>
<entry>2004-09-23</entry>
</dates>
</vuln>
<vuln vid="e9f9d232-0cb2-11d9-8a8a-000c41e2cdad">
<topic>mozilla -- security icon spoofing</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>0.9</lt></range>
</package>
<package>
<name>linux-mozilla</name>
<name>linux-mozilla-devel</name>
<range><lt>1.7</lt></range>
</package>
<package>
<name>mozilla</name>
<range><lt>1.7,2</lt></range>
</package>
<package>
<name>mozilla-gtk1</name>
<range><lt>1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Under certain situations it is possible for the security icon
which Mozilla displays when connected to a site using SSL to
be spoofed. This could be used to make so-called "phishing
attacks" more difficult to detect.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0761</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=240053</url>
</references>
<dates>
<discovery>2004-04-08</discovery>
<entry>2004-09-22</entry>
</dates>
</vuln>
<vuln vid="7c188c55-0cb0-11d9-8a8a-000c41e2cdad">
<topic>mozilla -- NULL bytes in FTP URLs</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>0.9.3</lt></range>
</package>
<package>
<name>linux-mozilla</name>
<name>linux-mozilla-devel</name>
<range><lt>1.7.2</lt></range>
</package>
<package>
<name>mozilla</name>
<range><lt>1.7.2,2</lt></range>
<range><ge>1.8.a,2</ge></range>
</package>
<package>
<name>mozilla-gtk1</name>
<range><lt>1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When handling FTP URLs containing NULL bytes, Mozilla will
interpret the file content as HTML. This may allow unexpected
execution of Javascript when viewing plain text or other file
types via FTP.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0760</cvename>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=250906</url>
</references>
<dates>
<discovery>2004-07-11</discovery>
<entry>2004-09-22</entry>
<modified>2004-09-24</modified>
</dates>
</vuln>
<vuln vid="6e740881-0cae-11d9-8a8a-000c41e2cdad">
<topic>mozilla -- automated file upload</topic>
<affects>
<package>
<name>mozilla</name>
<range><ge>1.7.a,2</ge><lt>1.7,2</lt></range>
<range><ge>1.8.a,2</ge><lt>1.8.a2,2</lt></range>
</package>
<package>
<name>mozilla-gtk1</name>
<range><ge>1.7.a</ge><lt>1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A malicious web page can cause an automated file upload
from the victim's machine when viewed with Mozilla with
Javascript enabled. This is due to a bug permitting
default values for type="file" &lt;input&gt; elements in
certain situations.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0759</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=241924</url>
</references>
<dates>
<discovery>2004-04-28</discovery>
<entry>2004-09-22</entry>
<modified>2004-09-26</modified>
</dates>
</vuln>
<vuln vid="8d823883-0ca9-11d9-8a8a-000c41e2cdad">
<topic>mozilla -- built-in CA certificates may be overridden</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>0.9.3</lt></range>
</package>
<package>
<name>linux-mozilla</name>
<name>linux-mozilla-devel</name>
<range><lt>1.7.2</lt></range>
</package>
<package>
<name>mozilla</name>
<range><lt>1.7.2,2</lt></range>
<range><ge>1.8.a,2</ge></range>
</package>
<package>
<name>mozilla-gtk1</name>
<range><lt>1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Under some situations, Mozilla will automatically import
a certificate from an email message or web site. This
behavior can be used as a denial-of-service attack: if the
certificate has a distinguished name (DN) identical to one
of the built-in Certificate Authorities (CAs), then Mozilla
will no longer be able to certify sites with certificates
issued from that CA.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0758</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=249004</url>
<certvu>160360</certvu>
<url>http://banquo.inf.ethz.ch:8080/</url>
</references>
<dates>
<discovery>2004-06-29</discovery>
<entry>2004-09-22</entry>
</dates>
</vuln>
<vuln vid="a4815970-c5cc-11d8-8898-000d6111a684">
<topic>rssh -- file name disclosure bug</topic>
<affects>
<package>
<name>rssh</name>
<range><lt>2.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>rssh expands command line paramters before invoking chroot.
This could result in the disclosure to the client of file
names outside of the chroot directory. A posting by the rssh
author explains:</p>
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108787373022844">
<p>The cause of the problem identified by Mr. McCaw is that
rssh expanded command-line arguments prior to entering
the chroot jail. This bug DOES NOT allow a user to
access any of the files outside the jail, but can allow
them to discover what files are in a directory which is
outside the jail, if their credentials on the server would
normally allow them read/execute access in the specified
directory.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0609</cvename>
<mlist msgid="20040619074141.GG13649@sophic.org">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108787373022844</mlist>
<bid>10574</bid>
<url>http://www.osvdb.org/7239</url>
</references>
<dates>
<discovery>2004-06-19</discovery>
<entry>2004-09-21</entry>
</dates>
</vuln>
<vuln vid="e6f0edd8-0b40-11d9-8a8a-000c41e2cdad">
<topic>gnu-radius -- SNMP-related denial-of-service</topic>
<affects>
<package>
<name>gnu-radius</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An iDEFENSE security advisory reports:</p>
<blockquote
cite="http://www.idefense.com/application/poi/display?id=141&amp;type=vulnerabilities">
<p>Remote exploitation of an input validation error in
version 1.2 of GNU radiusd could allow a denial of
service.</p>
<p>The vulnerability specifically exists within
the asn_decode_string() function defined in
snmplib/asn1.c. When a very large unsigned number is
supplied, it is possible that an integer overflow will
occur in the bounds-checking code. The daemon will then
attempt to reference unallocated memory, resulting in an
access violation that causes the process to terminate.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0849</cvename>
<url>http://www.idefense.com/application/poi/display?id=141&amp;type=vulnerabilities</url>
</references>
<dates>
<discovery>2004-09-15</discovery>
<entry>2004-09-20</entry>
</dates>
</vuln>
<vuln vid="a268ef4a-0b35-11d9-8a8a-000c41e2cdad">
<topic>sudo -- sudoedit information disclosure</topic>
<affects>
<package>
<name>sudo</name>
<range><eq>1.6.8</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A new feature of sudo 1.6.8 called "sudoedit" (a safe
editing facility) may allow users to read files to which
they normally have no access.</p>
</body>
</description>
<references>
<url>http://www.sudo.ws/sudo/alerts/sudoedit.html</url>
</references>
<dates>
<discovery>2004-09-18</discovery>
<entry>2004-09-20</entry>
</dates>
</vuln>
<vuln vid="ca6c8f35-0a5f-11d9-ad6f-00061bc2ad93">
<topic>apache -- heap overflow in mod_proxy</topic>
<affects>
<package>
<name>apache</name>
<range><lt>1.3.31_1</lt></range>
</package>
<package>
<name>apache13-ssl</name>
<range><le>1.3.29.1.53_2</le></range>
</package>
<package>
<name>apache13-modssl</name>
<range><lt>1.3.31+2.8.18_4</lt></range>
</package>
<package>
<name>apache13+ipv6</name>
<range><le>1.3.29_2</le></range>
</package>
<package>
<name>apache13-modperl</name>
<range><le>1.3.31</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A buffer overflow exists in mod_proxy which may
allow an attacker to launch local DoS attacks
and possibly execute arbitrary code.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0492</cvename>
<url>http://www.guninski.com/modproxy1.html</url>
</references>
<dates>
<discovery>2004-06-10</discovery>
<entry>2004-09-19</entry>
<modified>2004-10-05</modified>
</dates>
</vuln>
<vuln vid="d2102505-f03d-11d8-81b0-000347a4fa7d">
<topic>cvs -- numerous vulnerabilities</topic>
<affects>
<package>
<name>cvs+ipv6</name>
<range><lt>1.11.17</lt></range>
</package>
<system>
<name>FreeBSD</name>
<range><ge>5.2</ge><lt>5.2.1_10</lt></range>
<range><ge>4.10</ge><lt>4.10_3</lt></range>
<range><ge>4.9</ge><lt>4.9_12</lt></range>
<range><ge>4.8</ge><lt>4.8_25</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A number of vulnerabilities were discovered in CVS by
Stefan Esser, Sebastian Krahmer, and Derek Price.</p>
<ul>
<li>Insufficient input validation while processing "Entry"
lines. (CAN-2004-0414)</li>
<li>A double-free resulting from erroneous state handling while
processing "Argumentx" commands. (CAN-2004-0416)</li>
<li>Integer overflow while processing "Max-dotdot" commands.
(CAN-2004-0417)</li>
<li>Erroneous handling of empty entries handled while processing
"Notify" commands. (CAN-2004-0418)</li>
<li>A format string bug while processing CVS wrappers.</li>
<li>Single-byte buffer underflows while processing configuration files
from CVSROOT.</li>
<li>Various other integer overflows.</li>
</ul>
<p>Additionally, iDEFENSE reports an undocumented command-line
flag used in debugging does not perform input validation on
the given path names.</p>
<p>CVS servers ("cvs server" or :pserver: modes) are
affected by these vulnerabilities. They vary in impact
but include information disclosure (the iDEFENSE-reported
bug), denial-of-service (CAN-2004-0414, CAN-2004-0416,
CAN-2004-0417 and other bugs), or possibly arbitrary code
execution (CAN-2004-0418). In very special situations where
the attacker may somehow influence the contents of CVS
configuration files in CVSROOT, additional attacks may be
possible.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0414</cvename>
<cvename>CAN-2004-0416</cvename>
<cvename>CAN-2004-0417</cvename>
<cvename>CAN-2004-0418</cvename>
<cvename>CAN-2004-0778</cvename>
<url>http://secunia.com/advisories/11817</url>
<url>http://secunia.com/advisories/12309</url>
<url>http://security.e-matters.de/advisories/092004.html</url>
<url>http://www.idefense.com/application/poi/display?id=130&amp;type=vulnerabilities&amp;flashstatus=false</url>
<url>https://ccvs.cvshome.org/source/browse/ccvs/NEWS?rev=1.116.2.104</url>
<url>http://www.osvdb.org/6830</url>
<url>http://www.osvdb.org/6831</url>
<url>http://www.osvdb.org/6832</url>
<url>http://www.osvdb.org/6833</url>
<url>http://www.osvdb.org/6834</url>
<url>http://www.osvdb.org/6835</url>
<url>http://www.osvdb.org/6836</url>
<bid>10499</bid>
<freebsdsa>SA-04:14.cvs</freebsdsa>
</references>
<dates>
<discovery>2004-05-20</discovery>
<entry>2004-08-17</entry>
<modified>2004-09-19</modified>
</dates>
</vuln>
<vuln vid="3d1e9267-073f-11d9-b45d-000c41e2cdad">
<topic>gdk-pixbuf -- image decoding vulnerabilities</topic>
<affects>
<package>
<name>linux-gdk-pixbuf</name>
<range><lt>0.22.0.11.3.5</lt></range>
</package>
<package>
<name>gtk</name>
<range><ge>2.0</ge><lt>2.4.9_1</lt></range>
</package>
<package>
<name>gdk-pixbuf</name>
<range><lt>0.22.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chris Evans discovered several flaws in the gdk-pixbuf
XPM image decoder:</p>
<ul>
<li>Heap-based overflow in pixbuf_create_from_xpm</li>
<li>Stack-based overflow in xpm_extract_color</li>
<li>Integer overflows in io-ico.c</li>
</ul>
<p>Some of these flaws are believed to be exploitable.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0782</cvename>
<cvename>CAN-2004-0783</cvename>
<cvename>CAN-2004-0788</cvename>
<url>http://scary.beasts.org/security/CESA-2004-005.txt</url>
</references>
<dates>
<discovery>2004-09-15</discovery>
<entry>2004-09-15</entry>
<modified>2004-11-09</modified>
</dates>
</vuln>
<vuln vid="ef253f8b-0727-11d9-b45d-000c41e2cdad">
<topic>xpm -- image decoding vulnerabilities</topic>
<affects>
<package>
<name>agenda-snow-libs</name>
<name>linux_base</name>
<name>open-motif-devel</name>
<name>mupad</name>
<name>zh-cle_base</name>
<range><ge>0</ge></range>
</package>
<package>
<name>libXpm</name>
<range><lt>3.5.1_1</lt></range>
</package>
<package>
<name>XFree86-libraries</name>
<range><lt>4.4.0_1</lt></range>
</package>
<package>
<name>xorg-libraries</name>
<range><lt>6.7.0_2</lt></range>
</package>
<package>
<name>lesstif</name>
<range><lt>0.93.96,2</lt></range>
</package>
<package>
<name>xpm</name>
<range><lt>3.4k_1</lt></range>
</package>
<package>
<name>linux-openmotif</name>
<range><lt>2.2.4</lt></range>
</package>
<package>
<name>open-motif</name>
<range><lt>2.2.3_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chris Evans discovered several vulnerabilities in the libXpm
image decoder:</p>
<ul>
<li>A stack-based buffer overflow in xpmParseColors</li>
<li>An integer overflow in xpmParseColors</li>
<li>A stack-based buffer overflow in ParsePixels and
ParseAndPutPixels</li>
</ul>
<p>The X11R6.8.1 release announcement reads:</p>
<blockquote cite="http://freedesktop.org/pipermail/xorg/2004-September/003172.html">
<p>This version is purely a security release, addressing
multiple integer and stack overflows in libXpm, the X
Pixmap library; all known versions of X (both XFree86
and X.Org) are affected, so all users of X are strongly
encouraged to upgrade.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0687</cvename>
<cvename>CAN-2004-0688</cvename>
<url>http://freedesktop.org/pipermail/xorg/2004-September/003172.html</url>
<url>http://scary.beasts.org/security/CESA-2004-003.txt</url>
<certvu>537878</certvu>
<certvu>882750</certvu>
</references>
<dates>
<discovery>2004-09-15</discovery>
<entry>2004-09-15</entry>
<modified>2005-01-03</modified>
</dates>
</vuln>
<vuln vid="05dcf751-0733-11d9-b45d-000c41e2cdad">
<topic>cups -- print queue browser denial-of-service</topic>
<affects>
<package>
<name>cups-base</name>
<range><lt>1.1.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>If the CUPS server (cupsd) receives a zero-length UDP
message, it will disable its print queue browser service.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0558</cvename>
<url>http://www.cups.org/str.php?L863</url>
</references>
<dates>
<discovery>2004-08-23</discovery>
<entry>2004-09-15</entry>
</dates>
</vuln>
<vuln vid="762d1c6d-0722-11d9-b45d-000c41e2cdad">
<topic>apache -- apr_uri_parse IPv6 address handling vulnerability</topic>
<affects>
<package>
<name>apache</name>
<range><ge>2.0</ge><lt>2.0.50_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation Security Team discovered a
programming error in the apr-util library function apr_uri_parse.
When parsing IPv6 literal addresses, it is possible that a
length is incorrectly calculated to be negative, and this
value is passed to memcpy. This may result in an exploitable
vulnerability on some platforms, including FreeBSD.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0786</cvename>
<url>http://httpd.apache.org</url>
</references>
<dates>
<discovery>2004-09-15</discovery>
<entry>2004-09-15</entry>
</dates>
</vuln>
<vuln vid="013fa252-0724-11d9-b45d-000c41e2cdad">
<topic>mod_dav -- lock related denial-of-service</topic>
<affects>
<package>
<name>apache</name>
<range><ge>2.0</ge><lt>2.0.50_3</lt></range>
</package>
<package>
<name>mod_dav</name>
<range><le>1.0.3_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A malicious user with DAV write privileges can trigger a null
pointer dereference in the Apache mod_dav module. This
could cause the server to become unavailable.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0809</cvename>
<url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183</url>
</references>
<dates>
<discovery>2004-09-15</discovery>
<entry>2004-09-15</entry>
</dates>
</vuln>
<vuln vid="4d49f4ba-071f-11d9-b45d-000c41e2cdad">
<topic>apache -- ap_resolve_env buffer overflow</topic>
<affects>
<package>
<name>apache</name>
<range><ge>2.0</ge><lt>2.0.50_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SITIC discovered a vulnerability in Apache 2's handling of
environmental variable settings in the httpd configuration
files (the main `httpd.conf' and `.htaccess' files).
According to a SITIC advisory:</p>
<blockquote cite="http://lists.netsys.com/pipermail/full-disclosure/2004-September/026463.html">
<p>The buffer overflow occurs when expanding ${ENVVAR}
constructs in .htaccess or httpd.conf files. The function
ap_resolve_env() in server/util.c copies data from
environment variables to the character array tmp with
strcat(3), leading to a buffer overflow. </p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0747</cvename>
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-September/026463.html</mlist>
</references>
<dates>
<discovery>2004-09-15</discovery>
<entry>2004-09-15</entry>
</dates>
</vuln>
<vuln vid="ae7b7f65-05c7-11d9-b45d-000c41e2cdad">
<topic>webmin -- insecure temporary file creation at installation time</topic>
<affects>
<package>
<name>webmin</name>
<range><lt>1.150_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Webmin developers documented a security issue in the
release notes for version 1.160:</p>
<blockquote cite="http://www.webmin.com/changes-1.160.html">
<p>Fixed a security hole in the maketemp.pl script, used
to create the /tmp/.webmin directory at install time. If
an un-trusted user creates this directory before Webmin
is installed, he could create in it a symbolic link
pointing to a critical file on the system, which would be
overwritten when Webmin writes to the link filename.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0559</cvename>
<url>http://www.webmin.com/changes-1.160.html</url>
</references>
<dates>
<discovery>2004-09-05</discovery>
<entry>2004-09-14</entry>
<modified>2004-09-15</modified>
</dates>
</vuln>
<vuln vid="a711de5c-05fa-11d9-a9b2-00061bc2ad93">
<topic>samba3 DoS attack</topic>
<affects>
<package>
<name>samba3</name>
<range><lt>3.0.7,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Code found in nmbd and smbd may allow a remote attacker
to effectively crash the nmbd server or use the smbd
server to exhaust the system memory.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0807</cvename>
<cvename>CAN-2004-0808</cvename>
<url>http://www.idefense.com/application/poi/display?id=139&amp;type=vulnerabilities</url>
</references>
<dates>
<discovery>2004-09-02</discovery>
<entry>2004-09-14</entry>
</dates>
</vuln>
<vuln vid="c1d97a8b-05ed-11d9-b45d-000c41e2cdad">
<topic>mozilla -- POP client heap overflow</topic>
<affects>
<package>
<name>mozilla</name>
<range><lt>1.7,2</lt></range>
</package>
<package>
<name>linux-mozilla</name>
<range><lt>1.7</lt></range>
</package>
<package>
<name>netscape7</name>
<range><lt>7.2</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>0.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>zen-parse discovered a heap buffer overflow in Mozilla's
POP client implementation. A malicious POP server
could exploit this vulnerability to cause Mozilla to execute
arbitrary code.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0757</cvename>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=229374</url>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=157644</url>
</references>
<dates>
<discovery>2004-07-22</discovery>
<entry>2004-09-14</entry>
</dates>
</vuln>
<vuln vid="a4fd8f53-05eb-11d9-b45d-000c41e2cdad">
<topic>mozilla -- SOAPParameter integer overflow</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>0.9</lt></range>
</package>
<package>
<name>linux-mozilla</name>
<name>linux-mozilla-devel</name>
<name>mozilla-gtk1</name>
<range><lt>1.7</lt></range>
</package>
<package>
<name>mozilla</name>
<range><lt>1.7,2</lt></range>
</package>
<package>
<name>netscape7</name>
<range><lt>7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>zen-parse discovered and iDEFENSE reported an exploitable
integer overflow in a scriptable Mozilla component
`SOAPParameter':</p>
<blockquote cite="http://www.idefense.com/application/poi/display?id=117&amp;type=vulnerabilities">
<p>Improper input validation to the SOAPParameter object
constructor in Netscape and Mozilla allows execution of
arbitrary code. The SOAPParameter object's constructor
contains an integer overflow which allows controllable
heap corruption. A web page can be constructed to
leverage this into remote execution of arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0722</cvename>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=236618</url>
</references>
<dates>
<discovery>2004-08-02</discovery>
<entry>2004-09-14</entry>
<modified>2004-09-22</modified>
</dates>
</vuln>
<vuln vid="c62dc69f-05c8-11d9-b45d-000c41e2cdad">
<topic>openoffice -- document disclosure</topic>
<affects>
<package>
<name>openoffice</name>
<name>ar-openoffice</name>
<name>ca-openoffice</name>
<name>cs-openoffice</name>
<name>de-openoffice</name>
<name>dk-openoffice</name>
<name>el-openoffice</name>
<name>es-openoffice</name>
<name>et-openoffice</name>
<name>fi-openoffice</name>
<name>fr-openoffice</name>
<name>gr-openoffice</name>
<name>hu-openoffice</name>
<name>it-openoffice</name>
<name>ja-openoffice</name>
<name>ko-openoffice</name>
<name>nl-openoffice</name>
<name>pl-openoffice</name>
<name>pt-openoffice</name>
<name>pt_BR-openoffice</name>
<name>ru-openoffice</name>
<name>se-openoffice</name>
<name>sk-openoffice</name>
<name>sl-openoffice-SI</name>
<name>tr-openoffice</name>
<name>zh-openoffice-CN</name>
<name>zh-openoffice-TW</name>
<range><lt>1.1.2_1</lt></range>
<range><ge>2.0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenOffice creates a working directory in /tmp on startup,
and uses this directory to temporarily store document
content. However, the permissions of the created directory
may allow other user on the system to read these files,
potentially exposing information the user likely assumed was
inaccessible.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0752</cvename>
<url>http://www.openoffice.org/issues/show_bug.cgi?id=33357</url>
<url>http://securitytracker.com/alerts/2004/Sep/1011205.html</url>
<mlist msgid="20040910152759.7739.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109483308421566</mlist>
</references>
<dates>
<discovery>2004-08-24</discovery>
<entry>2004-09-14</entry>
</dates>
</vuln>
<vuln vid="15e0e963-02ed-11d9-a209-00061bc2ad93">
<topic>mpg123 buffer overflow</topic>
<affects>
<package>
<name>mpg123</name>
<name>mpg123-nas</name>
<name>mpg123-esound</name>
<range><le>0.59r</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The mpg123 software version 0.59r contains a
buffer overflow vulnerability which may permit
the execution of arbitrary code as the owner of
the mpg123 process.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0805</cvename>
<url>http://www.alighieri.org/advisories/advisory-mpg123.txt</url>
</references>
<dates>
<discovery>2003-08-16</discovery>
<entry>2004-09-14</entry>
</dates>
</vuln>
<vuln vid="b6cad7f3-fb59-11d8-9837-000c41e2cdad">
<topic>ImageMagick -- BMP decoder buffer overflow</topic>
<affects>
<package>
<name>ImageMagick</name>
<name>ImageMagick-nox11</name>
<range><lt>6.0.6.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marcus Meissner discovered that ImageMagick's BMP decoder would
crash when loading the test BMP file created by Chris Evans
for testing the previous Qt vulnerability.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0827</cvename>
<url>http://www.imagemagick.org/www/Changelog.html</url>
</references>
<dates>
<discovery>2004-08-25</discovery>
<entry>2004-08-31</entry>
<modified>2004-09-14</modified>
</dates>
</vuln>
<vuln vid="641859e8-eca1-11d8-b913-000c41e2cdad">
<topic>Mutiple browser frame injection vulnerability</topic>
<affects>
<package>
<name>kdelibs</name>
<range><lt>3.2.3_3</lt></range>
</package>
<package>
<name>kdebase</name>
<range><lt>3.2.3_1</lt></range>
</package>
<package>
<name>linux-opera</name>
<name>opera</name>
<range><ge>7.50</ge><lt>7.52</lt></range>
</package>
<package>
<name>firefox</name>
<range><lt>0.9</lt></range>
</package>
<package>
<name>linux-mozilla</name>
<name>linux-mozilla-devel</name>
<name>mozilla-gtk1</name>
<range><lt>1.7</lt></range>
</package>
<package>
<name>mozilla</name>
<range><lt>1.7,2</lt></range>
</package>
<package>
<name>netscape7</name>
<range><lt>7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A class of bugs affecting many web browsers in the same way
was discovered. A Secunia advisory reports:</p>
<blockquote cite="http://secunia.com/advisories/11978">
<p>The problem is that the browsers don't check if a target
frame belongs to a website containing a malicious link,
which therefore doesn't prevent one browser window from
loading content in a named frame in another window.</p>
<p>Successful exploitation allows a malicious website to load
arbitrary content in an arbitrary frame in another browser
window owned by e.g. a trusted site.</p>
</blockquote>
<p>A KDE Security Advisory reports:</p>
<blockquote cite="http://www.kde.org/info/security/advisory-20040811-3.txt">
<p>A malicious website could abuse Konqueror to insert
its own frames into the page of an otherwise trusted
website. As a result the user may unknowingly send
confidential information intended for the trusted website
to the malicious website.</p>
</blockquote>
<p>Secunia has provided a demonstration of the vulnerability at <a href="http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/">http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/</a>.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0717</cvename>
<cvename>CAN-2004-0718</cvename>
<cvename>CAN-2004-0721</cvename>
<url>http://secunia.com/advisories/11978/</url>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=246448</url>
<url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-htmlframes.patch</url>
<url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdebase-htmlframes.patch</url>
</references>
<dates>
<discovery>2004-08-11</discovery>
<entry>2004-08-12</entry>
<modified>2004-09-14</modified>
</dates>
</vuln>
<vuln vid="b7cb488c-8349-11d8-a41f-0020ed76ef5a">
<topic>isakmpd payload handling denial-of-service vulnerabilities</topic>
<affects>
<package>
<name>isakmpd</name>
<range><le>20030903</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Numerous errors in isakmpd's input packet validation lead to
denial-of-service vulnerabilities. From the Rapid7 advisory:</p>
<blockquote cite="http://www.rapid7.com/advisories/R7-0018.html">
<p>The ISAKMP packet processing functions in OpenBSD's
isakmpd daemon contain multiple payload handling flaws
that allow a remote attacker to launch a denial of
service attack against the daemon.</p>
<p>Carefully crafted ISAKMP packets will cause the isakmpd
daemon to attempt out-of-bounds reads, exhaust available
memory, or loop endlessly (consuming 100% of the CPU).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0218</cvename>
<cvename>CAN-2004-0219</cvename>
<cvename>CAN-2004-0220</cvename>
<cvename>CAN-2004-0221</cvename>
<cvename>CAN-2004-0222</cvename>
<url>http://www.rapid7.com/advisories/R7-0018.html</url>
<url>http://www.openbsd.org/errata34.html</url>
</references>
<dates>
<discovery>2004-03-17</discovery>
<entry>2004-03-31</entry>
<modified>2004-09-14</modified>
</dates>
</vuln>
<vuln vid="00644f03-fb58-11d8-9837-000c41e2cdad">
<topic>imlib -- BMP decoder heap buffer overflow</topic>
<affects>
<package>
<name>imlib</name>
<range><lt>1.9.14_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marcus Meissner discovered that imlib's BMP decoder would
crash when loading the test BMP file created by Chris Evans
for testing the previous Qt vulnerability. It is believed
that this bug could be exploited for arbitrary code execution.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0817</cvename>
<url>http://bugzilla.gnome.org/show_bug.cgi?id=151034</url>
</references>
<dates>
<discovery>2004-08-25</discovery>
<entry>2004-08-31</entry>
<modified>2004-09-02</modified>
</dates>
</vuln>
<vuln vid="86a98b57-fb8e-11d8-9343-000a95bc6fae">
<topic>krb5 -- double-free vulnerabilities</topic>
<affects>
<package>
<name>krb5</name>
<range><le>1.3.4_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An advisory published by the MIT Kerberos team says:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt">
<p>The MIT Kerberos 5 implementation's Key Distribution Center
(KDC) program contains a double-free vulnerability that
potentially allows a remote attacker to execute arbitrary code.
Compromise of a KDC host compromises the security of the entire
authentication realm served by the KDC. Additionally, double-free
vulnerabilities exist in MIT Kerberos 5 library code, making
client programs and application servers vulnerable.</p>
</blockquote>
<p>Double-free vulnerabilities of this type are not believed to be
exploitable for code execution on FreeBSD systems. However,
the potential for other ill effects may exist.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0642</cvename>
<cvename>CAN-2004-0643</cvename>
<cvename>CAN-2004-0772</cvename>
<certvu>795632</certvu>
<certvu>866472</certvu>
<certvu>350792</certvu>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt</url>
</references>
<dates>
<discovery>2004-08-31</discovery>
<entry>2004-08-31</entry>
</dates>
</vuln>
<vuln vid="bd60922b-fb8d-11d8-a13e-000a95bc6fae">
<topic>krb5 -- ASN.1 decoder denial-of-service vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.2.2</ge><le>1.3.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An advisory published by the MIT Kerberos team says:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt">
<p>The ASN.1 decoder library in the MIT Kerberos 5 distribution
is vulnerable to a denial-of-service attack causing an infinite
loop in the decoder. The KDC is vulnerable to this attack.</p>
<p>An unauthenticated remote attacker can cause a KDC or application
server to hang inside an infinite loop.</p>
<p>An attacker impersonating a legitimate KDC or application
server may cause a client program to hang inside an infinite
loop.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0644</cvename>
<certvu>550464</certvu>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt</url>
</references>
<dates>
<discovery>2004-08-31</discovery>
<entry>2004-08-31</entry>
</dates>
</vuln>
<vuln vid="ba005226-fb5b-11d8-9837-000c41e2cdad">
<topic>imlib2 -- BMP decoder buffer overflow</topic>
<affects>
<package>
<name>imlib2</name>
<range><le>1.1.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marcus Meissner discovered that imlib2's BMP decoder would
crash when loading the test BMP file created by Chris Evans
for testing the previous Qt vulnerability. There appears to
be both a stack-based and a heap-based buffer overflow that
are believed to be exploitable for arbitrary code execution.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0802</cvename>
<url>http://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/libs/imlib2/ChangeLog?rev=1.20&amp;view=markup</url>
</references>
<dates>
<discovery>2004-08-31</discovery>
<entry>2004-08-31</entry>
</dates>
</vuln>
<vuln vid="0d3a5148-f512-11d8-9837-000c41e2cdad">
<topic>SpamAssassin -- denial-of-service in tokenize_headers</topic>
<affects>
<package>
<name>p5-Mail-SpamAssassin</name>
<range><lt>2.64</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>According to the SpamAssassin 2.64 release announcement:</p>
<blockquote cite="http://marc.theaimsgroup.com/?l=spamassassin-announce&amp;m=109168121628767">
<p>Security fix prevents a denial of service attack open
to certain malformed messages; this DoS affects all
SpamAssassin 2.5x and 2.6x versions to date.</p>
</blockquote>
<p>The issue appears to be triggered by overly long message
headers.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0796</cvename>
<bid>10957</bid>
<mlist>http://marc.theaimsgroup.com/?l=spamassassin-announce&amp;m=109168121628767</mlist>
<url>http://search.cpan.org/src/JMASON/Mail-SpamAssassin-2.64/Changes</url>
</references>
<dates>
<discovery>2004-08-04</discovery>
<entry>2004-08-23</entry>
<modified>2004-08-28</modified>
</dates>
</vuln>
<vuln vid="c4b025bb-f05d-11d8-9837-000c41e2cdad">
<topic>tnftpd -- remotely exploitable vulnerability</topic>
<affects>
<package>
<name>tnftpd</name>
<range><lt>20040810</lt></range>
</package>
<package>
<name>lukemftpd</name>
<range><ge>0</ge></range>
</package>
<system>
<name>FreeBSD</name>
<range><ge>4.7</ge></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>lukemftpd(8) is an enhanced BSD FTP server produced
within the NetBSD project. The sources for lukemftpd are
shipped with some versions of FreeBSD, however it is not
built or installed by default. The build system option
WANT_LUKEMFTPD must be set to build and install lukemftpd.
[<strong>NOTE</strong>: An exception is FreeBSD 4.7-RELEASE,
wherein lukemftpd was installed, but not enabled, by
default.]</p>
<p>Przemyslaw Frasunek discovered several vulnerabilities
in lukemftpd arising from races in the out-of-band signal
handling code used to implement the ABOR command. As a
result of these races, the internal state of the FTP server
may be manipulated in unexpected ways.</p>
<p>A remote attacker may be able to cause FTP commands to
be executed with the privileges of the running lukemftpd
process. This may be a low-privilege `ftp' user if the `-r'
command line option is specified, or it may be superuser
privileges if `-r' is *not* specified.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0794</cvename>
<bid>10967</bid>
<url>http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpd.c#rev1.158</url>
<url>ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-009.txt.asc</url>
<mlist msgid="412239E7.1070807@freebsd.lublin.pl">http://lists.netsys.com/pipermail/full-disclosure/2004-August/025418.html</mlist>
</references>
<dates>
<discovery>2004-08-17</discovery>
<entry>2004-08-17</entry>
<modified>2004-08-28</modified>
</dates>
</vuln>
<vuln vid="e5e2883d-ceb9-11d8-8898-000d6111a684">
<topic>MySQL authentication bypass / buffer overflow</topic>
<affects>
<package>
<name>mysql-server</name>
<range><ge>4.1</ge><lt>4.1.3</lt></range>
<range><ge>5</ge><le>5.0.0_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>By submitting a carefully crafted authentication packet, it is possible
for an attacker to bypass password authentication in MySQL 4.1. Using a
similar method, a stack buffer used in the authentication mechanism can
be overflowed.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0627</cvename>
<cvename>CAN-2004-0628</cvename>
<certvu>184030</certvu>
<certvu>645326</certvu>
<url>http://www.nextgenss.com/advisories/mysql-authbypass.txt</url>
<url>http://dev.mysql.com/doc/mysql/en/News-4.1.3.html</url>
<url>http://secunia.com/advisories/12020</url>
<url>http://www.osvdb.org/7475</url>
<url>http://www.osvdb.org/7476</url>
<mlist msgid="Pine.LNX.4.44.0407080940550.9602-200000@pineapple.shacknet.nu">http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0003.html</mlist>
</references>
<dates>
<discovery>2004-07-01</discovery>
<entry>2004-07-05</entry>
<modified>2004-08-28</modified>
</dates>
</vuln>
<vuln vid="e811aaf1-f015-11d8-876f-00902714cc7c">
<topic>Ruby insecure file permissions in the CGI session management</topic>
<affects>
<package>
<name>ruby</name>
<range><lt>1.6.8.2004.07.26</lt></range>
<range><ge>1.7.0</ge><lt>1.8.1.2004.07.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>According to a Debian Security Advisory:</p>
<blockquote cite="http://www.debian.org/security/2004/dsa-537">
<p>Andres Salomon noticed a problem in the CGI session
management of Ruby, an object-oriented scripting language.
CGI::Session's FileStore (and presumably PStore [...])
implementations store session information insecurely.
They simply create files, ignoring permission issues.
This can lead an attacker who has also shell access to the
webserver to take over a session.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0755</cvename>
<url>http://xforce.iss.net/xforce/xfdb/16996</url>
<url>http://www.debian.org/security/2004/dsa-537</url>
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109267579822250&amp;w=2</mlist>
</references>
<dates>
<discovery>2004-08-16</discovery>
<entry>2004-08-16</entry>
<modified>2004-08-28</modified>
</dates>
</vuln>
<vuln vid="207f8ff3-f697-11d8-81b0-000347a4fa7d">
<topic>nss -- exploitable buffer overflow in SSLv2 protocol handler</topic>
<affects>
<package>
<name>nss</name>
<range><lt>3.9.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISS X-Force reports that a remotely exploitable buffer
overflow exists in the Netscape Security Services (NSS)
library's implementation of SSLv2. From their advisory:</p>
<blockquote cite="http://xforce.iss.net/xforce/alerts/id/180">
<p>The NSS library contains a flaw in SSLv2 record parsing
that may lead to remote compromise. When parsing the
first record in an SSLv2 negotiation, the client hello
message, the server fails to validate the length of a
record field. As a result, it is possible for an attacker
to trigger a heap-based overflow of arbitrary length.</p>
</blockquote>
<p>Note that the vulnerable NSS library is also present in
Mozilla-based browsers. However, it is not believed that
browsers are affected, as the vulnerability is present only in
code used by SSLv2 *servers*.</p>
</body>
</description>
<references>
<url>http://xforce.iss.net/xforce/alerts/id/180</url>
<url>http://www.osvdb.org/9116</url>
<url>http://secunia.com/advisories/12362</url>
<bid>11015</bid>
</references>
<dates>
<discovery>2004-08-23</discovery>
<entry>2004-08-27</entry>
</dates>
</vuln>
<vuln vid="85e19dff-e606-11d8-9b0a-000347a4fa7d">
<topic>ripMIME -- decoding bug allowing content filter bypass</topic>
<affects>
<package>
<name>ripmime</name>
<range><lt>1.3.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ripMIME may prematurely terminate decoding Base64 encoded
messages when it encounters multiple blank lines or other
non-standard Base64 constructs. Virus scanning and content
filtering tools that use ripMIME may therefore be
bypassed.</p>
<p>The ripMIME CHANGELOG file says:</p>
<blockquote cite="http://www.pldaniels.com/ripmime/CHANGELOG">
<p>There's viruses going around exploiting the ability to
hide the majority of their data in an attachment by using
blank lines and other tricks to make scanning systems
prematurely terminate their base64 decoding.</p>
</blockquote>
</body>
</description>
<references>
<bid>10848</bid>
<url>http://www.osvdb.org/8287</url>
<url>http://www.pldaniels.com/ripmime/CHANGELOG</url>
<url>http://secunia.com/advisories/12201</url>
<url>http://xforce.iss.net/xforce/xfdb/16867</url>
</references>
<dates>
<discovery>2004-07-30</discovery>
<entry>2004-08-27</entry>
</dates>
</vuln>
<vuln vid="1ecf4ca1-f7ad-11d8-96c9-00061bc2ad93">
<topic>moinmoin -- ACL group bypass</topic>
<affects>
<package>
<name>moinmoin</name>
<range><lt>1.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The moinmoin package contains two bugs with ACLs and anonymous
users. Both bugs may permit anonymous users to gain access to
administrative functions; for example the delete function.</p>
<p>There is no known workaround, the vulnerability exists regardless
if a site is using ACLs or not.</p>
</body>
</description>
<references>
<url>http://www.osvdb.org/8194</url>
<url>http://www.osvdb.org/8195</url>
<url>http://security.gentoo.org/glsa/glsa-200408-25.xml</url>
<url>http://secunia.com/advisories/11832</url>
<bid>10805</bid>
<bid>10801</bid>
</references>
<dates>
<discovery>2004-07-21</discovery>
<entry>2004-08-26</entry>
</dates>
</vuln>
<vuln vid="2689f4cb-ec4c-11d8-9440-000347a4fa7d">
<topic>rsync -- path sanitizing vulnerability</topic>
<affects>
<package>
<name>rsync</name>
<range><lt>2.6.2_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An rsync security advisory reports:</p>
<blockquote cite="http://samba.org/rsync/#security_aug04">
<p>There is a path-sanitizing bug that affects daemon mode in
all recent rsync versions (including 2.6.2) but only if
chroot is disabled.</p>
</blockquote>
<p>The bug may allow a remote user to access files outside
of an rsync module's configured path with the privileges
configured for that module.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0792</cvename>
<url>http://samba.org/rsync/#security_aug04</url>
<mlist>http://lists.samba.org/archive/rsync-announce/2004/000017.html</mlist>
<url>http://secunia.com/advisories/12294</url>
<url>http://www.osvdb.org/8829</url>
</references>
<dates>
<discovery>2004-08-12</discovery>
<entry>2004-08-26</entry>
</dates>
</vuln>
<vuln vid="7884d56f-f7a1-11d8-9837-000c41e2cdad">
<topic>gnomevfs -- unsafe URI handling</topic>
<affects>
<package>
<name>gnomevfs2</name>
<range><lt>2.6.2_1</lt></range>
</package>
<package>
<name>gnomevfs</name>
<range><lt>1.0.5_6</lt></range>
</package>
<package>
<name>mc</name>
<range><le>4.6.0_12</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Alexander Larsson reports that some versions of gnome-vfs and
MidnightCommander contain a number of `extfs' scripts that do not
properly validate user input. If an attacker can cause her
victim to process a specially-crafted URI, arbitrary commands
can be executed with the privileges of the victim.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0494</cvename>
<bid>10864</bid>
<url>http://www.ciac.org/ciac/bulletins/o-194.shtml</url>
<url>http://xforce.iss.net/xforce/xfdb/16897</url>
<url>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127263</url>
</references>
<dates>
<discovery>2004-08-04</discovery>
<entry>2004-08-26</entry>
</dates>
</vuln>
<vuln vid="3e4ffe76-e0d4-11d8-9b0a-000347a4fa7d">
<topic>SoX buffer overflows when handling .WAV files</topic>
<affects>
<package>
<name>sox</name>
<range><gt>12.17.1</gt><le>12.17.4_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ulf Härnhammar discovered a pair of buffer overflows in the
WAV file handling code of SoX. If an attacker can cause her
victim to process a specially-crafted WAV file with SoX (e.g.
through social engineering or through some other program that
relies on SoX), arbitrary code can be executed with the
privileges of the victim.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0557</cvename>
<mlist msgid="1091040793.4107f6193d81a@webmail.uu.se">http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0014.html</mlist>
<url>http://secunia.com/advisories/12175</url>
<url>http://www.osvdb.org/8267</url>
</references>
<dates>
<discovery>2004-07-28</discovery>
<entry>2004-08-26</entry>
</dates>
</vuln>
<vuln vid="2797b27a-f55b-11d8-81b0-000347a4fa7d">
<topic>kdelibs -- konqueror cross-domain cookie injection</topic>
<affects>
<package>
<name>kdelibs</name>
<range><lt>3.2.3_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>According to a KDE Security Advisory:</p>
<blockquote cite="http://www.kde.org/info/security/advisory-20040823-1.txt">
<p>WESTPOINT internet reconnaissance services alerted the
KDE security team that the KDE web browser Konqueror
allows websites to set cookies for certain country
specific secondary top level domains.</p>
<p>Web sites operating under the affected domains can
set HTTP cookies in such a way that the Konqueror web
browser will send them to all other web sites operating
under the same domain. A malicious website can use
this as part of a session fixation attack. See e.g.
http://www.acros.si/papers/session_fixation.pdf</p>
<p>Affected are all country specific secondary top level
domains that use more than 2 characters in the secondary
part of the domain name and that use a secondary part other
than com, net, mil, org, gov, edu or int. Examples of
affected domains are .ltd.uk, .plc.uk and .firm.in</p>
<p>It should be noted that popular domains such as .co.uk, .co.in
and .com are NOT affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0746</cvename>
<url>http://www.kde.org/info/security/advisory-20040823-1.txt</url>
<url>http://www.osvdb.org/9117</url>
<url>http://secunia.com/advisories/12341</url>
<url>http://www.acros.si/papers/session_fixation.pdf</url>
<bid>10991</bid>
</references>
<dates>
<discovery>2004-08-23</discovery>
<entry>2004-08-26</entry>
</dates>
</vuln>
<vuln vid="bef4515b-eaa9-11d8-9440-000347a4fa7d">
<topic>xine -- vcd URL buffer overflow</topic>
<affects>
<package>
<name>libxine</name>
<range><lt>1.0.r5_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>c0ntex[at]open-security.org reports a buffer overflow in
xine's handling of vcd:// URLs:</p>
<blockquote cite="http://www.open-security.org/advisories/6">
<p>Like the excellent Mplayer, Xine is a superb free media
player for Linux. Sadly there is a generic stack based
buffer overflow in all versions of Xine-lib, including
Xine-lib-rc5 that allows for local and remote malicious
code execution.</p>
<p>By overflowing the vcd:// input source identifier buffer,
it is possible to modify the instruction pointer with a
value that a malicious attacker can control. The issue
can be replicated in a remote context by embedding the
input source idientifier within a playlist file, such as
an asx. When a user plays the file, this stack overflow
will occur, exploit code can then be executed with the
rights of the user running Xine.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.open-security.org/advisories/6</url>
<url>http://cvs.sourceforge.net/viewcvs.py/xine/xine-vcdnav/input/xineplug_inp_vcd.c#rev1.109</url>
<url>http://secunia.com/advisories/12194</url>
<url>http://sourceforge.net/mailarchive/forum.php?thread_id=5143955&amp;forum_id=11923</url>
<url>http://www.osvdb.org/8409</url>
</references>
<dates>
<discovery>2004-07-18</discovery>
<entry>2004-08-23</entry>
</dates>
</vuln>
<vuln vid="3243e839-f489-11d8-9837-000c41e2cdad">
<topic>fidogate -- write files as `news' user</topic>
<affects>
<package>
<name>fidogate</name>
<range><lt>4.4.9_3</lt></range>
</package>
<package>
<name>fidogate-ds</name>
<range><lt>5.1.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Neils Heinen reports that the setuid `news' binaries
installed as part of fidogate may be used to create files or
append to file with the privileges of the `news' user by
setting the LOGFILE environmental variable.</p>
</body>
</description>
<references>
<url>http://cvs.sourceforge.net/viewcvs.py/fidogate/fidogate/ChangeLog?rev=4.320&amp;view=markup</url>
</references>
<dates>
<discovery>2004-08-21</discovery>
<entry>2004-08-22</entry>
<modified>2004-08-23</modified>
</dates>
</vuln>
<vuln vid="65a17a3f-ed6e-11d8-aff1-00061bc2ad93">
<topic>Arbitrary code execution via a format string vulnerability in jftpgw</topic>
<affects>
<package>
<name>jftpgw</name>
<range><lt>0.13.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The log functions in jftpgw may allow
remotely authenticated user to execute
arbitrary code via the format string
specifiers in certain syslog messages.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0448</cvename>
<url>http://www.debian.org/security/2004/dsa-510</url>
<bid>10438</bid>
<url>http://xforce.iss.net/xforce/xfdb/16271</url>
</references>
<dates>
<discovery>2004-05-30</discovery>
<entry>2004-08-13</entry>
<modified>2004-08-23</modified>
</dates>
</vuln>
<vuln vid="ebffe27a-f48c-11d8-9837-000c41e2cdad">
<topic>qt -- image loader vulnerabilities</topic>
<affects>
<package>
<name>qt</name>
<range><lt>3.3.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Qt contains several vulnerabilities related to image
loading, including possible crashes when loading corrupt
GIF, BMP, or JPEG images. Most seriously, Chris Evans
reports that the BMP crash is actually due to a heap
buffer overflow. It is believed that an attacker may be
able to construct a BMP image that could cause a Qt-using
application to execute arbitrary code when it is loaded.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0691</cvename>
<cvename>CAN-2004-0692</cvename>
<cvename>CAN-2004-0693</cvename>
<url>http://www.trolltech.com/developer/changes/changes-3.3.3.html</url>
<url>http://scary.beasts.org/security/CESA-2004-004.txt</url>
</references>
<dates>
<discovery>2004-08-11</discovery>
<entry>2004-08-22</entry>
</dates>
</vuln>
<vuln vid="616cf823-f48b-11d8-9837-000c41e2cdad">
<topic>courier-imap -- format string vulnerability in debug mode</topic>
<affects>
<package>
<name>courier-imap</name>
<range><lt>3.0.7,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An iDEFENSE security advisory describes a format string
vulnerability that could be exploited when Courier-IMAP is run
in debug mode (DEBUG_LOGIN set).</p>
</body>
</description>
<references>
<cvename>CAN-2004-0777</cvename>
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-August/025478.html</mlist>
<url>http://www.idefense.com/application/poi/display?id=131&amp;type=vulnerabilities&amp;flashstatus=false</url>
<bid>10976</bid>
</references>
<dates>
<discovery>2004-08-18</discovery>
<entry>2004-08-22</entry>
</dates>
</vuln>
<vuln vid="0c4d5973-f2ab-11d8-9837-000c41e2cdad">
<topic>mysql -- mysqlhotcopy insecure temporary file creation</topic>
<affects>
<package>
<name>mysql-scripts</name>
<range><le>3.23.58</le></range>
<range><gt>4</gt><le>4.0.20</le></range>
<range><gt>4.1</gt><le>4.1.3</le></range>
<range><gt>5</gt><le>5.0.0_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>According to Christian Hammers:</p>
<blockquote cite="http://packages.debian.org/changelogs/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.20-11/changelog">
<p>[mysqlhotcopy created] temporary files in /tmp which
had predictable filenames and such could be used for a
tempfile run attack.</p>
</blockquote>
<p>Jeroen van Wolffelaar is credited with discovering the issue.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0457</cvename>
<url>http://www.debian.org/security/2004/dsa-540</url>
<mlist>http://lists.mysql.com/internals/15185</mlist>
</references>
<dates>
<discovery>2004-08-18</discovery>
<entry>2004-08-22</entry>
</dates>
</vuln>
<vuln vid="2de14f7a-dad9-11d8-b59a-00061bc2ad93">
<topic>Multiple Potential Buffer Overruns in Samba</topic>
<affects>
<package>
<name>samba</name>
<range><ge>3</ge><lt>3.0.5,1</lt></range>
<range><lt>2.2.10</lt></range>
</package>
<package>
<name>ja-samba</name>
<range><lt>2.2.10.j1.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Evgeny Demidov discovered that the Samba server has a
buffer overflow in the Samba Web Administration Tool (SWAT)
on decoding Base64 data during HTTP Basic Authentication.
Versions 3.0.2 through 3.0.4 are affected.</p>
<p>Another buffer overflow bug has been found in the code
used to support the "mangling method = hash" smb.conf
option. The default setting for this parameter is "mangling
method = hash2" and therefore not vulnerable. Versions
between 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected.
</p>
</body>
</description>
<references>
<cvename>CAN-2004-0600</cvename>
<cvename>CAN-2004-0686</cvename>
<mlist msgid="web-53121174@cgp.agava.net">http://www.securityfocus.com/archive/1/369698</mlist>
<mlist msgid="200407222031.25086.bugtraq@beyondsecurity.com">http://www.securityfocus.com/archive/1/369706</mlist>
<url>http://www.samba.org/samba/whatsnew/samba-3.0.5.html</url>
<url>http://www.samba.org/samba/whatsnew/samba-2.2.10.html</url>
<url>http://www.osvdb.org/8190</url>
<url>http://www.osvdb.org/8191</url>
<url>http://secunia.com/advisories/12130</url>
</references>
<dates>
<discovery>2004-07-14</discovery>
<entry>2004-07-21</entry>
<modified>2004-08-15</modified>
</dates>
</vuln>
<vuln vid="730db824-e216-11d8-9b0a-000347a4fa7d">
<topic>Mozilla / Firefox user interface spoofing vulnerability</topic>
<affects>
<package>
<name>firefox</name>
<range><le>0.9.1_1</le></range>
</package>
<package>
<name>linux-mozilla</name>
<range><le>1.7.1</le></range>
</package>
<package>
<name>linux-mozilla-devel</name>
<range><le>1.7.1</le></range>
</package>
<package>
<name>mozilla</name>
<range><le>1.7.1,2</le></range>
<range><ge>1.8.a,2</ge><le>1.8.a2,2</le></range>
</package>
<package>
<name>mozilla-gtk1</name>
<range><le>1.7.1_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla project's family of browsers contain a design
flaw that can allow a website to spoof almost perfectly any
part of the Mozilla user interface, including spoofing web
sites for phishing or internal elements such as the "Master
Password" dialog box. This achieved by manipulating "chrome"
through remote XUL content. Recent versions of Mozilla have
been fixed to not allow untrusted documents to utilize
"chrome" in this way.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0764</cvename>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=22183</url>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=244965</url>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=252198</url>
<url>http://www.nd.edu/~jsmith30/xul/test/spoof.html</url>
<url>http://secunia.com/advisories/12188</url>
<bid>10832</bid>
</references>
<dates>
<discovery>2004-07-19</discovery>
<entry>2004-07-30</entry>
<modified>2004-08-15</modified>
</dates>
</vuln>
<vuln vid="f9e3e60b-e650-11d8-9b0a-000347a4fa7d">
<topic>libpng stack-based buffer overflow and other code concerns</topic>
<affects>
<package>
<name>png</name>
<range><le>1.2.5_7</le></range>
</package>
<package>
<name>linux-png</name>
<range><le>1.0.14_3</le></range>
<range><ge>1.2</ge><le>1.2.2</le></range>
</package>
<package>
<name>firefox</name>
<range><lt>0.9.3</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>0.7.3</lt></range>
</package>
<package>
<name>linux-mozilla</name>
<range><lt>1.7.2</lt></range>
</package>
<package>
<name>linux-mozilla-devel</name>
<range><lt>1.7.2</lt></range>
</package>
<package>
<name>mozilla</name>
<range><lt>1.7.2,2</lt></range>
<range><ge>1.8.a,2</ge><le>1.8.a2,2</le></range>
</package>
<package>
<name>mozilla-gtk1</name>
<range><lt>1.7.2</lt></range>
</package>
<package>
<name>netscape-communicator</name>
<name>netscape-navigator</name>
<range><le>4.78</le></range>
</package>
<package>
<name>linux-netscape-communicator</name>
<name>linux-netscape-navigator</name>
<name>ko-netscape-navigator-linux</name>
<name>ko-netscape-communicator-linux</name>
<name>ja-netscape-communicator-linux</name>
<name>ja-netscape-navigator-linux</name>
<range><le>4.8</le></range>
</package>
<package>
<name>netscape7</name>
<name>ja-netscape7</name>
<range><le>7.1</le></range>
</package>
<package>
<name>pt_BR-netscape7</name>
<name>fr-netscape7</name>
<name>de-netscape7</name>
<range><le>7.02</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chris Evans has discovered multiple vulnerabilities in libpng,
which can be exploited by malicious people to compromise a
vulnerable system or cause a DoS (Denial of Service).</p>
</body>
</description>
<references>
<mlist msgid="Pine.LNX.4.58.0408041840080.20655@sphinx.mythic-beasts.com">http://www.securityfocus.com/archive/1/370853</mlist>
<url>http://scary.beasts.org/security/CESA-2004-001.txt</url>
<url>http://www.osvdb.org/8312</url>
<url>http://www.osvdb.org/8313</url>
<url>http://www.osvdb.org/8314</url>
<url>http://www.osvdb.org/8315</url>
<url>http://www.osvdb.org/8316</url>
<cvename>CAN-2004-0597</cvename>
<cvename>CAN-2004-0598</cvename>
<cvename>CAN-2004-0599</cvename>
<certvu>388984</certvu>
<certvu>236656</certvu>
<certvu>160448</certvu>
<certvu>477512</certvu>
<certvu>817368</certvu>
<certvu>286464</certvu>
<url>http://secunia.com/advisories/12219</url>
<url>http://secunia.com/advisories/12232</url>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=251381</url>
<uscertta>TA04-217A</uscertta>
<url>http://dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt</url>
</references>
<dates>
<discovery>2004-08-04</discovery>
<entry>2004-08-04</entry>
<modified>2004-08-15</modified>
</dates>
</vuln>
<vuln vid="603fe36d-ec9d-11d8-b913-000c41e2cdad">
<topic>kdelibs insecure temporary file handling</topic>
<affects>
<package>
<name>kdelibs</name>
<range><le>3.2.3_3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>According to a KDE Security Advisory, KDE may sometimes
create temporary files without properly checking the ownership
and type of the target path. This could allow a local
attacker to cause KDE applications to overwrite arbitrary
files.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0689</cvename>
<cvename>CAN-2004-0690</cvename>
<url>http://www.kde.org/info/security/advisory-20040811-1.txt</url>
<url>http://www.kde.org/info/security/advisory-20040811-2.txt</url>
<url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-kstandarddirs.patch</url>
<url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-dcopserver.patch</url>
</references>
<dates>
<discovery>2004-08-11</discovery>
<entry>2004-08-12</entry>
</dates>
</vuln>
<vuln vid="5b8f9a02-ec93-11d8-b913-000c41e2cdad">
<topic>gaim remotely exploitable vulnerabilities in MSN component</topic>
<affects>
<package>
<name>gaim</name>
<name>ja-gaim</name>
<name>ko-gaim</name>
<name>ru-gaim</name>
<range><lt>0.81_1</lt></range>
</package>
<package>
<name>gaim</name>
<range><ge>20030000</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sebastian Krahmer discovered several remotely exploitable
buffer overflow vulnerabilities in the MSN component of
gaim.</p>
<blockquote cite="http://gaim.sourceforge.net/security/?id=0">
<p>In two places in the MSN protocol plugins (object.c and
slp.c), strncpy was used incorrectly; the size of the array
was not checked before copying to it. Both bugs affect MSN's
MSNSLP protocol, which is peer-to-peer, so this could
potentially be easy to exploit.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0500</cvename>
<url>http://gaim.sourceforge.net/security/?id=0</url>
</references>
<dates>
<discovery>2004-08-12</discovery>
<entry>2004-08-12</entry>
<modified>2004-10-25</modified>
</dates>
</vuln>
<vuln vid="78348ea2-ec91-11d8-b913-000c41e2cdad">
<topic>acroread uudecoder input validation error</topic>
<affects>
<package>
<name>acroread</name>
<name>acroread4</name>
<name>acroread5</name>
<range><lt>5.0.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An iDEFENSE security advisory reports:</p>
<blockquote cite="www.idefense.com/application/poi/display?id=124&amp;type=vulnerabilities">
<p>Remote exploitation of an input validation error in the
uudecoding feature of Adobe Acrobat Reader (Unix) 5.0
allows an attacker to execute arbitrary code.</p>
<p>The Unix and Linux versions of Adobe Acrobat Reader 5.0
automatically attempt to convert uuencoded documents
back into their original format. The vulnerability
specifically exists in the failure of Acrobat Reader to
check for the backtick shell metacharacter in the filename
before executing a command with a shell. This allows a
maliciously constructed filename to execute arbitrary
programs.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0630</cvename>
<url>http://www.idefense.com/application/poi/display?id=124&amp;type=vulnerabilities</url>
</references>
<dates>
<discovery>2004-08-12</discovery>
<entry>2004-08-12</entry>
<modified>2005-01-06</modified>
</dates>
</vuln>
<vuln vid="12c7b7ae-ec90-11d8-b913-000c41e2cdad">
<topic>popfile file disclosure</topic>
<affects>
<package>
<name>popfile</name>
<range><le>0.21.1_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>John Graham-Cumming reports that certain configurations of
POPFile may allow the retrieval of any files with the
extensions .gif, .png, .ico, .css, as well as some files with
the extension .html.</p>
</body>
</description>
<references>
<mlist>http://sourceforge.net/mailarchive/forum.php?thread_id=5248725&amp;forum_id=12356</mlist>
</references>
<dates>
<discovery>2004-08-02</discovery>
<entry>2004-08-12</entry>
</dates>
</vuln>
<vuln vid="7a9d5dfe-c507-11d8-8898-000d6111a684">
<topic>isc-dhcp3-server buffer overflow in logging mechanism</topic>
<affects>
<package>
<name>isc-dhcp3-relay</name>
<name>isc-dhcp3-server</name>
<range><ge>3.0.1.r12</ge><lt>3.0.1.r14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A buffer overflow exists in the logging functionality
of the DHCP daemon which could lead to Denial of Service
attacks and has the potential to allow attackers to
execute arbitrary code.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0460</cvename>
<url>http://www.osvdb.org/7237</url>
<uscertta>TA04-174A</uscertta>
<certvu>317350</certvu>
<mlist msgid="BAY13-F94UHMuEEkHMz0005c4f7@hotmail.com">http://www.securityfocus.com/archive/1/366801</mlist>
<mlist msgid="40DFAB69.1060909@sympatico.ca">http://www.securityfocus.com/archive/1/367286</mlist>
</references>
<dates>
<discovery>2004-06-22</discovery>
<entry>2004-06-25</entry>
<modified>2004-08-12</modified>
</dates>
</vuln>
<vuln vid="3a408f6f-9c52-11d8-9366-0020ed76ef5a">
<topic>libpng denial-of-service</topic>
<affects>
<package>
<name>linux-png</name>
<range><le>1.0.14_3</le></range>
<range><ge>1.2</ge><le>1.2.2</le></range>
</package>
<package>
<name>png</name>
<range><lt>1.2.5_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Steve Grubb reports a buffer read overrun in
libpng's png_format_buffer function. A specially
constructed PNG image processed by an application using
libpng may trigger the buffer read overrun and possibly
result in an application crash.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0421</cvename>
<url>http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120508</url>
<url>http://rhn.redhat.com/errata/RHSA-2004-181.html</url>
<url>http://secunia.com/advisories/11505</url>
<url>http://www.osvdb.org/5726</url>
<bid>10244</bid>
</references>
<dates>
<discovery>2004-04-29</discovery>
<entry>2004-05-02</entry>
<modified>2004-08-12</modified>
</dates>
</vuln>
<vuln vid="4764cfd6-d630-11d8-b479-02e0185c0b53">
<cancelled superseded="dd7aa4f1-102f-11d9-8a8a-000c41e2cdad" />
</vuln>
<vuln vid="abe47a5a-e23c-11d8-9b0a-000347a4fa7d">
<topic>Mozilla certificate spoofing</topic>
<affects>
<package>
<name>firefox</name>
<range><ge>0.9.1</ge><le>0.9.2</le></range>
</package>
<package>
<name>linux-mozilla</name>
<range><lt>1.7.2</lt></range>
</package>
<package>
<name>linux-mozilla-devel</name>
<range><lt>1.7.2</lt></range>
</package>
<package>
<name>mozilla</name>
<range><lt>1.7.2,2</lt></range>
<range><ge>1.8,2</ge><le>1.8.a2,2</le></range>
</package>
<package>
<name>mozilla-gtk1</name>
<range><lt>1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla and Mozilla Firefox contains a flaw that may
allow a malicious user to spoof SSL certification.</p>
</body>
</description>
<references>
<mlist msgid="003a01c472ba$b2060900$6501a8c0@sec">http://www.securityfocus.com/archive/1/369953</mlist>
<url>http://www.cipher.org.uk/index.php?p=advisories/Certificate_Spoofing_Mozilla_FireFox_25-07-2004.advisory</url>
<url>http://secunia.com/advisories/12160</url>
<url>http://bugzilla.mozilla.org/show_bug.cgi?id=253121</url>
<url>http://www.osvdb.org/8238</url>
<bid>10796</bid>
<cvename>CAN-2004-0763</cvename>
</references>
<dates>
<discovery>2004-07-25</discovery>
<entry>2004-07-30</entry>
<modified>2004-08-12</modified>
</dates>
</vuln>
<vuln vid="a713c0f9-ec54-11d8-9440-000347a4fa7d">
<topic>ImageMagick png vulnerability fix</topic>
<affects>
<package>
<name>ImageMagick</name>
<name>ImageMagick-nox11</name>
<range><lt>6.0.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Glenn Randers-Pehrson has contributed a fix for the png
vulnerabilities discovered by Chris Evans.</p>
</body>
</description>
<references>
<url>http://studio.imagemagick.org/pipermail/magick-users/2004-August/013218.html</url>
<url>http://freshmeat.net/releases/169228</url>
<url>http://secunia.com/advisories/12236</url>
<url>http://www.freebsd.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html</url>
</references>
<dates>
<discovery>2004-08-04</discovery>
<entry>2004-08-04</entry>
<modified>2004-08-12</modified>
</dates>
</vuln>
<vuln vid="98bd69c3-834b-11d8-a41f-0020ed76ef5a">
<topic>Courier mail services: remotely exploitable buffer overflows</topic>
<affects>
<package>
<name>courier</name>
<range><lt>0.45</lt></range>
</package>
<package>
<name>courier-imap</name>
<range><lt>3.0,1</lt></range>
</package>
<package>
<name>sqwebmail</name>
<range><lt>4.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Courier set of mail services use a common Unicode
library. This library contains buffer overflows in the
converters for two popular Japanese character encodings.
These overflows may be remotely exploitable, triggered by
a maliciously formatted email message that is later processed
by one of the Courier mail services.
From the release notes for the corrected versions of the
Courier set of mail services:</p>
<blockquote>
<p>iso2022jp.c: Converters became (upper-)compatible with
ISO-2022-JP (RFC1468 / JIS X 0208:1997 Annex 2) and
ISO-2022-JP-1 (RFC2237). Buffer overflow vulnerability
(when Unicode character is out of BMP range) has been
closed. Convert error handling was implemented.</p>
<p>shiftjis.c: Broken SHIFT_JIS converters has been fixed
and became (upper-)compatible with Shifted Encoding Method
(JIS X 0208:1997 Annex 1). Buffer overflow vulnerability
(when Unicode character is out of BMP range) has been
closed. Convert error handling was implemented.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0224</cvename>
<url>http://cvs.sourceforge.net/viewcvs.py/courier/libs/unicode/iso2022jp.c?rev=1.10&amp;view=markup</url>
<url>http://cvs.sourceforge.net/viewcvs.py/courier/libs/unicode/shiftjis.c?rev=1.6&amp;view=markup</url>
<bid>9845</bid>
<url>http://secunia.com/advisories/11087</url>
<url>http://www.osvdb.org/4194</url>
<url>http://www.osvdb.org/6927</url>
</references>
<dates>
<discovery>2004-02-01</discovery>
<entry>2004-03-31</entry>
<modified>2004-07-16</modified>
</dates>
</vuln>
<vuln vid="cdf18ed9-7f4a-11d8-9645-0020ed76ef5a">
<topic>multiple vulnerabilities in ethereal</topic>
<affects>
<package>
<name>ethereal</name>
<name>tethereal</name>
<range><lt>0.10.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefan Esser of e-matters Security discovered a baker's dozen
of buffer overflows in Ethereal's decoders, including:</p>
<ul>
<li>NetFlow</li>
<li>IGAP</li>
<li>EIGRP</li>
<li>PGM</li>
<li>IRDA</li>
<li>BGP</li>
<li>ISUP</li>
<li>TCAP</li>
<li>UCP</li>
</ul>
<p>In addition, a vulnerability in the RADIUS decoder was found
by Jonathan Heusser.</p>
<p>Finally, there is one uncredited vulnerability described by the
Ethereal team as:</p>
<blockquote cite="http://www.ethereal.com/appnotes/enpa-sa-00013.html">
<p>A zero-length Presentation protocol selector could make
Ethereal crash.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.ethereal.com/appnotes/enpa-sa-00013.html</url>
<cvename>CAN-2004-0176</cvename>
<cvename>CAN-2004-0365</cvename>
<cvename>CAN-2004-0367</cvename>
<certvu>119876</certvu>
<certvu>124454</certvu>
<certvu>125156</certvu>
<certvu>433596</certvu>
<certvu>591820</certvu>
<certvu>644886</certvu>
<certvu>659140</certvu>
<certvu>695486</certvu>
<certvu>740188</certvu>
<certvu>792286</certvu>
<certvu>864884</certvu>
<certvu>931588</certvu>
<url>http://security.e-matters.de/advisories/032004.html</url>
<url>http://secunia.com/advisories/11185</url>
<bid>9952</bid>
<url>http://www.osvdb.org/4462</url>
<url>http://www.osvdb.org/4463</url>
<url>http://www.osvdb.org/4464</url>
</references>
<dates>
<discovery>2004-03-23</discovery>
<entry>2004-03-26</entry>
<modified>2004-07-11</modified>
</dates>
</vuln>
<vuln vid="74d06b67-d2cf-11d8-b479-02e0185c0b53">
<topic>multiple vulnerabilities in ethereal</topic>
<affects>
<package>
<name>ethereal</name>
<name>ethereal-lite</name>
<name>tethereal</name>
<name>tethereal-lite</name>
<range><lt>0.10.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Issues have been discovered in multiple protocol dissectors.</p>
</body>
</description>
<references>
<url>http://www.ethereal.com/appnotes/enpa-sa-00014.html</url>
<cvename>CAN-2004-0504</cvename>
<cvename>CAN-2004-0505</cvename>
<cvename>CAN-2004-0506</cvename>
<cvename>CAN-2004-0507</cvename>
<url>http://secunia.com/advisories/11608</url>
<bid>10347</bid>
<url>http://www.osvdb.org/6131</url>
<url>http://www.osvdb.org/6132</url>
<url>http://www.osvdb.org/6133</url>
<url>http://www.osvdb.org/6134</url>
</references>
<dates>
<discovery>2004-05-13</discovery>
<entry>2004-07-11</entry>
</dates>
</vuln>
<vuln vid="265c8b00-d2d0-11d8-b479-02e0185c0b53">
<topic>multiple vulnerabilities in ethereal</topic>
<affects>
<package>
<name>ethereal</name>
<name>ethereal-lite</name>
<name>tethereal</name>
<name>tethereal-lite</name>
<range><lt>0.10.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Issues have been discovered in multiple protocol dissectors.</p>
</body>
</description>
<references>
<url>http://www.ethereal.com/appnotes/enpa-sa-00015.html</url>
<cvename>CAN-2004-0633</cvename>
<cvename>CAN-2004-0634</cvename>
<cvename>CAN-2004-0635</cvename>
<url>http://secunia.com/advisories/12024</url>
<bid>10672</bid>
<url>http://www.osvdb.org/7536</url>
<url>http://www.osvdb.org/7537</url>
<url>http://www.osvdb.org/7538</url>
</references>
<dates>
<discovery>2004-07-06</discovery>
<entry>2004-07-11</entry>
</dates>
</vuln>
<vuln vid="4aec9d58-ce7b-11d8-858d-000d610a3b12">
<topic>Format string vulnerability in SSLtelnet</topic>
<affects>
<package>
<name>SSLtelnet</name>
<range><le>0.13_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SSLtelnet contains a format string vulnerability that could
allow remote code execution and privilege escalation.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0640</cvename>
<url>http://www.idefense.com/application/poi/display?id=114&amp;type=vulnerabilities</url>
</references>
<dates>
<discovery>2003-04-03</discovery>
<entry>2004-07-05</entry>
</dates>
</vuln>
<vuln vid="c5519420-cec2-11d8-8898-000d6111a684">
<topic>"Content-Type" XSS vulnerability affecting other webmail systems</topic>
<affects>
<package>
<name>openwebmail</name>
<range><le>2.32</le></range>
</package>
<package>
<name>ilohamail</name>
<range><lt>0.8.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Roman Medina-Heigl Hernandez did a survey which other webmail systems
where vulnerable to a bug he discovered in SquirrelMail. This advisory
summarizes the results.</p>
</body>
</description>
<references>
<url>http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-2.txt</url>
<url>http://www.freebsd.org/ports/portaudit/89a0de27-bf66-11d8-a252-02e0185c0b53.html</url>
<url>http://www.freebsd.org/ports/portaudit/911f1b19-bd20-11d8-84f9-000bdb1444a4.html</url>
<url>http://www.freebsd.org/ports/portaudit/c3e56efa-c42f-11d8-864c-02e0185c0b53.html</url>
<cvename>CAN-2004-0519</cvename>
</references>
<dates>
<discovery>2004-05-29</discovery>
<entry>2004-07-05</entry>
</dates>
</vuln>
<vuln vid="76904dce-ccf3-11d8-babb-000854d03344">
<topic>Pavuk HTTP Location header overflow</topic>
<affects>
<package>
<name>pavuk</name>
<range><lt>0.9.28_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When pavuk sends a request to a web server and the server
sends back the HTTP status code 305 (Use Proxy), pavuk
copies data from the HTTP Location header in an unsafe
manner. This leads to a stack-based buffer overflow with
control over EIP.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0456</cvename>
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-July/023322.html</mlist>
<url>http://www.osvdb.org/7319</url>
</references>
<dates>
<discovery>2004-06-30</discovery>
<entry>2004-07-03</entry>
</dates>
</vuln>
<vuln vid="33ab4a47-bfc1-11d8-b00e-000347a4fa7d">
<topic>Several vulnerabilities found in PHPNuke</topic>
<affects>
<package>
<name>phpnuke</name>
<range><lt>7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Janek Vind "waraxe" reports that several issues in the
PHPNuke software may be exploited via carefully crafted
URL requests. These URLs will permit the injection of
SQL code, cookie theft, and the readability of the
PHPNuke administrator account.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0279</cvename>
<cvename>CAN-2003-0318</cvename>
<cvename>CAN-2004-0266</cvename>
<cvename>CAN-2004-0269</cvename>
<url>http://www.waraxe.us/index.php?modname=sa&amp;id=27</url>
<url>http://secunia.com/advisories/11920</url>
</references>
<dates>
<discovery>2004-05-05</discovery>
<entry>2004-07-03</entry>
<modified>2004-09-28</modified>
</dates>
</vuln>
<vuln vid="0d4c31ac-cb91-11d8-8898-000d6111a684">
<topic>Remote code injection in phpMyAdmin</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>2.5.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>This vulnerability would allow remote user to inject PHP code
to be executed by eval() function. This vulnerability is only
exploitable if variable $cfg['LeftFrameLight'] is set to FALSE (in
file config.inc.php).</p>
</body>
</description>
<references>
<url>http://sf.net/forum/forum.php?forum_id=387635</url>
<mlist msgid="20040629025752.976.qmail@www.securityfocus.com">http://www.securityfocus.com/archive/1/367486</mlist>
<url>http://secunia.com/advisories/11974</url>
<url>http://eagle.kecapi.com/sec/fd/phpMyAdmin.html</url>
</references>
<dates>
<discovery>2004-06-29</discovery>
<entry>2004-07-02</entry>
<modified>2004-09-28</modified>
</dates>
</vuln>
<vuln vid="4d837296-cc28-11d8-a54c-02e0185c0b53">
<topic>GNATS local privilege elevation</topic>
<affects>
<package>
<name>gnats</name>
<range><le>3.113.1_9</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GNATS 3.113.1 contains multiple buffer overflows, through which a
local attacker could gain elevated privileges on the system.</p>
</body>
</description>
<references>
<freebsdpr>ports/56006</freebsdpr>
<mlist msgid="20040625164231.7437.qmail@www.securityfocus.com">http://www.securityfocus.com/archive/1/326337</mlist>
<url>http://www.securiteam.com/unixfocus/5CP0N0UAAA.html</url>
<url>http://secunia.com/advisories/9096</url>
<url>http://x82.inetcop.org/h0me/adv1sor1es/INCSA.2003-0x82-018-GNATS-bt.txt</url>
<url>http://www.gnu.org/software/gnats/gnats.html</url>
<url>http://www.osvdb.org/2190</url>
<url>http://www.osvdb.org/4600</url>
<url>http://www.osvdb.org/4601</url>
<url>http://www.osvdb.org/4607</url>
</references>
<dates>
<discovery>2003-06-21</discovery>
<entry>2004-07-02</entry>
</dates>
</vuln>
<vuln vid="8ecaaca2-cc07-11d8-858d-000d610a3b12">
<topic>Linux binary compatibility mode input validation error</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><ge>4.9</ge><lt>4.9_10</lt></range>
<range><ge>4.8</ge><lt>4.8_23</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A programming error in the handling of some Linux system
calls may result in memory locations being accessed without
proper validation.</p>
<p>It may be possible for a local attacker to read and/or
overwrite portions of kernel memory, resulting in disclosure
of sensitive information or potential privilege escalation.
A local attacker can cause a system panic.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0602</cvename>
<freebsdsa>SA-04:13.linux</freebsdsa>
</references>
<dates>
<discovery>2004-06-18</discovery>
<entry>2004-06-30</entry>
</dates>
</vuln>
<vuln vid="1f738bda-c6ac-11d8-8898-000d6111a684">
<topic>Remote Denial of Service of HTTP server and client</topic>
<affects>
<package>
<name>giFT-FastTrack</name>
<range><lt>0.8.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>giFT-FastTrack is susceptible to a remote
Denial of Service attack which could allow
a remote attacker to render HTTP services
unusable. According to the developers, no
code execution is possible; however, they
recommend an immediate upgrade.</p>
</body>
</description>
<references>
<url>http://developer.berlios.de/forum/forum.php?forum_id=5814</url>
<url>http://www.osvdb.org/7266</url>
<url>http://secunia.com/advisories/11941</url>
<bid>10604</bid>
</references>
<dates>
<discovery>2004-06-19</discovery>
<entry>2004-06-25</entry>
<modified>2004-06-29</modified>
</dates>
</vuln>
<vuln vid="ff00f2ce-c54c-11d8-b708-00061bc2ad93">
<topic>XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0</topic>
<affects>
<package>
<name>xorg-clients</name>
<range><eq>6.7.0</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When the IPv6 code was added to xdm a critical
test to disable xdmcp was accidentally removed. This
caused xdm to create the chooser socket regardless if
DisplayManager.requestPort was disabled in xdm-config
or not.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0419</cvename>
<url>http://bugs.xfree86.org/show_bug.cgi?id=1376</url>
<url>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124900</url>
</references>
<dates>
<discovery>2004-05-19</discovery>
<entry>2004-06-28</entry>
<modified>2004-06-28</modified>
</dates>
</vuln>
<vuln vid="da9e6438-bfc0-11d8-b00e-000347a4fa7d">
<topic>MoinMoin administrative group name privilege escalation vulnerability</topic>
<affects>
<package>
<name>moinmoin</name>
<range><lt>1.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A serious flaw exists in the MoinMoin software
which may allow a malicious user to gain access to
unauthorized privileges.</p>
</body>
</description>
<references>
<url>http://www.osvdb.org/6704</url>
<cvename>CAN-2004-0708</cvename>
<bid>10568</bid>
<url>http://secunia.com/advisories/11807</url>
</references>
<dates>
<discovery>2004-05-04</discovery>
<entry>2004-06-28</entry>
</dates>
</vuln>
<vuln vid="35f6fdf8-a425-11d8-9c6d-0020ed76ef5a">
<topic>Cyrus IMAP pre-authentication heap overflow vulnerability</topic>
<affects>
<package>
<name>cyrus</name>
<range><lt>2.0.17</lt></range>
<range><ge>2.1</ge><lt>2.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>In December 2002, Timo Sirainen reported:</p>
<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=103886607825605">
<p>Cyrus IMAP server has a a remotely exploitable pre-login
buffer overflow. [...] Note that you don't have to log in
before exploiting this, and since Cyrus
runs everything under one UID, it's possible to read every
user's mail in the system.</p>
</blockquote>
<p>It is unknown whether this vulnerability is exploitable for code
execution on FreeBSD systems.</p>
</body>
</description>
<references>
<cvename>CAN-2002-1580</cvename>
<bid>6298</bid>
<certvu>740169</certvu>
<mlist msgid="20021202175606.GA26254@irccrew.org">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=103886607825605</mlist>
<mlist>http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&amp;msg=19349</mlist>
</references>
<dates>
<discovery>2002-12-02</discovery>
<entry>2004-05-12</entry>
<modified>2004-06-27</modified>
</dates>
</vuln>
<vuln vid="700d43b4-a42a-11d8-9c6d-0020ed76ef5a">
<topic>Cyrus IMSPd multiple vulnerabilities</topic>
<affects>
<package>
<name>cyrus-imspd</name>
<range><lt>1.6a5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Cyrus team reported multiple vulnerabilities in older
versions of Cyrus IMSPd:</p>
<blockquote cite="http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&amp;msg=25">
<p>These releases correct a recently discovered buffer
overflow vulnerability, as well as clean up a significant
amount of buffer handling throughout the code.</p>
</blockquote>
</body>
</description>
<references>
<mlist>http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&amp;msg=25</mlist>
</references>
<dates>
<discovery>2004-12-12</discovery>
<entry>2004-05-12</entry>
<modified>2004-06-27</modified>
</dates>
</vuln>
<vuln vid="5e7f58c3-b3f8-4258-aeb8-795e5e940ff8">
<topic>mplayer heap overflow in http requests</topic>
<affects>
<package>
<name>mplayer</name>
<name>mplayer-gtk</name>
<name>mplayer-esound</name>
<name>mplayer-gtk-esound</name>
<range><lt>0.92.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A remotely exploitable heap buffer overflow vulnerability was
found in MPlayer's URL decoding code. If an attacker can
cause MPlayer to visit a specially crafted URL, arbitrary code
execution with the privileges of the user running MPlayer may
occur. A `visit' might be caused by social engineering, or a
malicious web server could use HTTP redirects which MPlayer
would then process.</p>
</body>
</description>
<references>
<url>http://www.mplayerhq.hu/homepage/design6/news.html</url>
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108066964709058</mlist>
<freebsdpr>ports/64974</freebsdpr>
</references>
<dates>
<discovery>2004-03-30</discovery>
<entry>2004-03-31</entry>
<modified>2004-06-27</modified>
</dates>
</vuln>
<vuln vid="3e9be8c4-8192-11d8-9645-0020ed76ef5a">
<topic>ecartis buffer overflows and input validation bugs</topic>
<affects>
<package>
<name>ecartis</name>
<range><lt>1.0.0.s20030814,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Timo Sirainen reports multiple buffer overflows that may be
triggered while parsing messages, as well as input validation
errors that could result in disclosure of mailing list
passwords.</p>
<p>These bugs were resolved in the August 2003 snapshot of
ecartis.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0781</cvename>
<cvename>CAN-2003-0782</cvename>
<url>http://www.securiteam.com/unixfocus/5YP0H2AAUY.html</url>
<freebsdpr>ports/57082</freebsdpr>
</references>
<dates>
<discovery>2003-08-14</discovery>
<entry>2004-03-29</entry>
<modified>2004-06-27</modified>
</dates>
</vuln>
<vuln vid="c2e10368-77ab-11d8-b9e8-00e04ccb0a62">
<topic>ModSecurity for Apache 2.x remote off-by-one overflow</topic>
<affects>
<package>
<name>mod_security</name>
<range><lt>1.7.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When the directive "SecFilterScanPost" is enabled,
the Apache 2.x version of ModSecurity is vulnerable
to an off-by-one overflow</p>
</body>
</description>
<references>
<url>http://www.s-quadra.com/advisories/Adv-20040315.txt</url>
<bid>9885</bid>
<url>http://secunia.com/advisories/11138</url>
<certvu>779438</certvu>
</references>
<dates>
<discovery>2004-02-09</discovery>
<entry>2004-03-17</entry>
<modified>2004-06-27</modified>
</dates>
</vuln>
<vuln vid="74a9541d-5d6c-11d8-80e3-0020ed76ef5a">
<topic>clamav remote denial-of-service</topic>
<affects>
<package>
<name>clamav</name>
<range><lt>0.65_7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>clamav will exit when a programming
assertion is not met. A malformed uuencoded message can
trigger this assertion, allowing an attacker to trivially
crash clamd or other components of clamav.</p>
</body>
</description>
<references>
<freebsdpr>ports/62586</freebsdpr>
<mlist msgid="40279811.9050407@fillmore-labs.com">http://www.securityfocus.com/archive/1/353186</mlist>
<url>http://www.osvdb.org/3894</url>
<bid>9610</bid>
<url>http://secunia.com/advisories/10826</url>
<cvename>CAN-2004-0270</cvename>
<url>http://xforce.iss.net/xforce/xfdb/15077</url>
</references>
<dates>
<discovery>2004-02-09</discovery>
<entry>2004-02-12</entry>
<modified>2004-06-27</modified>
</dates>
</vuln>
<vuln vid="8d075001-a9ce-11d8-9c6d-0020ed76ef5a">
<topic>neon date parsing vulnerability</topic>
<affects>
<package>
<name>neon</name>
<range><lt>0.24.5_1</lt></range>
</package>
<package>
<name>sitecopy</name>
<range><le>0.13.4_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefan Esser reports:</p>
<blockquote cite="http://security.e-matters.de/advisories/062004.html">
<p>A vulnerability within a libneon date parsing function
could cause a heap overflow which could lead to remote
code execution, depending on the application using
libneon.</p>
</blockquote>
<p>The vulnerability is in the function ne_rfc1036_parse,
which is in turn used by the function ne_httpdate_parse.
Applications using either of these neon functions may be
vulnerable.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0398</cvename>
<url>http://security.e-matters.de/advisories/062004.html</url>
<url>http://secunia.com/advisories/11785</url>
</references>
<dates>
<discovery>2004-05-19</discovery>
<entry>2004-05-19</entry>
<modified>2004-06-25</modified>
</dates>
</vuln>
<vuln vid="84237895-8f39-11d8-8b29-0020ed76ef5a">
<topic>neon format string vulnerabilities</topic>
<affects>
<package>
<name>neon</name>
<range><lt>0.24.5</lt></range>
</package>
<package>
<name>tla</name>
<range><lt>1.2_1</lt></range>
</package>
<package>
<name>sitecopy</name>
<range><le>0.13.4_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Greuff reports that the neon WebDAV client library contains
several format string bugs within error reporting code. A
malicious server may exploit these bugs by sending specially
crafted PROPFIND or PROPPATCH responses.</p>
<p>Although several applications include neon, such as cadaver and
subversion, the FreeBSD Ports of these applications are not
impacted. They are specifically configured to NOT use the
included neon. Only packages listed as affected in this
notice are believed to be impacted.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0179</cvename>
<url>http://www.webdav.org/neon/</url>
<url>http://secunia.com/advisories/11785</url>
</references>
<dates>
<discovery>2004-04-14</discovery>
<entry>2004-04-15</entry>
<modified>2004-06-25</modified>
</dates>
</vuln>
<vuln vid="253ea131-bd12-11d8-b071-00e08110b673">
<topic>Gallery 1.4.3 and ealier user authentication bypass</topic>
<affects>
<package>
<name>gallery</name>
<range><lt>1.4.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A flaw exists in Gallery versions previous to
1.4.3-pl1 and post 1.2 which may give an attacker
the potential to log in under the "admin" account.
Data outside of the gallery is unaffected and the
attacker cannot modify any data other than the
photos or photo albums.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0522</cvename>
<url>http://gallery.menalto.com/modules.php?op=modload&amp;name=News&amp;file=article&amp;sid=123</url>
<url>http://secunia.com/advisories/11752</url>
</references>
<dates>
<discovery>2004-06-01</discovery>
<entry>2004-06-24</entry>
</dates>
</vuln>
<vuln vid="0c6f3fde-9c51-11d8-9366-0020ed76ef5a">
<topic>Midnight Commander buffer overflows, format string bugs, and insecure temporary file handling</topic>
<affects>
<package>
<name>mc</name>
<range><lt>4.6.0_10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakub Jelinek reports several security related bugs in
Midnight Commander, including:</p>
<ul>
<li>Multiple buffer overflows (CAN-2004-0226)</li>
<li>Insecure temporary file handling (CAN-2004-0231)</li>
<li>Format string bug (CAN-2004-0232)</li>
</ul>
</body>
</description>
<references>
<cvename>CAN-2004-0226</cvename>
<cvename>CAN-2004-0231</cvename>
<cvename>CAN-2004-0232</cvename>
</references>
<dates>
<discovery>2004-04-29</discovery>
<entry>2004-05-02</entry>
<modified>2004-06-14</modified>
</dates>
</vuln>
<vuln vid="6f955451-ba54-11d8-b88c-000d610a3b12">
<topic>Buffer overflow in Squid NTLM authentication helper</topic>
<affects>
<package>
<name>squid</name>
<range><lt>2.5.5_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Remote exploitation of a buffer overflow vulnerability in
the NTLM authentication helper routine of the Squid Web
Proxy Cache could allow a remote attacker to execute
arbitrary code. A remote attacker can compromise a target
system if the Squid Proxy is configured to use the NTLM
authentication helper. The attacker can send an overly long
password to overflow the buffer and execute arbitrary
code.</p>
</body>
</description>
<references>
<url>http://www.idefense.com/application/poi/display?id=107&amp;type=vulnerabilities&amp;flashstatus=false</url>
<cvename>CAN-2004-0541</cvename>
<url>http://www.osvdb.org/6791</url>
<url>http://secunia.com/advisories/11804</url>
<bid>10500</bid>
<url>http://www.squid-cache.org/bugs/show_bug.cgi?id=998</url>
</references>
<dates>
<discovery>2004-05-20</discovery>
<entry>2004-06-09</entry>
</dates>
</vuln>
<vuln vid="27c331d5-64c7-11d8-80e3-0020ed76ef5a">
<topic>Vulnerabilities in H.323 implementations</topic>
<affects>
<package>
<name>pwlib</name>
<range><lt>1.5.0_5</lt></range>
</package>
<package>
<name>asterisk</name>
<range><le>0.7.2</le></range>
</package>
<package>
<name>openh323</name>
<range><lt>1.12.0_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The <a href="http://www.niscc.gov.uk/">NISCC</a> and the <a href="http://www.ee.oulu.fi/research/ouspg/">OUSPG</a>
developed a test suite for the H.323 protocol. This test
suite has uncovered vulnerabilities in several H.323
implementations with impacts ranging from denial-of-service
to arbitrary code execution.</p>
<p>In the FreeBSD Ports Collection, `pwlib' is directly
affected. Other applications such as `asterisk' and
`openh323' incorporate `pwlib' statically and so are also
independently affected.</p>
</body>
</description>
<references>
<!-- General references -->
<url>http://www.uniras.gov.uk/vuls/2004/006489/h323.htm</url>
<url>http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html</url>
<certsa>CA-2004-01</certsa>
<certvu>749342</certvu>
<!-- pwlib and pwlib-using applications -->
<cvename>CAN-2004-0097</cvename>
<url>http://www.southeren.com/blog/archives/000055.html</url>
</references>
<dates>
<discovery>2004-01-13</discovery>
<entry>2004-02-22</entry>
<modified>2004-06-08</modified>
</dates>
</vuln>
<vuln vid="fb5e227e-b8c6-11d8-b88c-000d610a3b12">
<topic>jailed processes can manipulate host routing tables</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><ge>4.9</ge><lt>4.9_10</lt></range>
<range><ge>4.8</ge><lt>4.8_23</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A programming error resulting in a failure to verify that
an attempt to manipulate routing tables originated from a
non-jailed process.</p>
<p>Jailed processes running with superuser privileges could
modify host routing tables. This could result in a variety
of consequences including packets being sent via an
incorrect network interface and packets being discarded
entirely.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0125</cvename>
<freebsdsa>SA-04:12.jailroute</freebsdsa>
</references>
<dates>
<discovery>2004-02-03</discovery>
<entry>2004-06-07</entry>
</dates>
</vuln>
<vuln vid="1db1ed59-af07-11d8-acb9-000d610a3b12">
<topic>buffer cache invalidation implementation issues</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><ge>5.0</ge><lt>5.2_8</lt></range>
<range><ge>4.9</ge><lt>4.9_9</lt></range>
<range><ge>4.0</ge><lt>4.8_22</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Programming errors in the implementation of the msync(2)
system call involving the MS_INVALIDATE operation lead to
cache consistency problems between the virtual memory system
and on-disk contents.</p>
<p>In some situations, a user with read access to a file may
be able to prevent changes to that file from being committed
to disk.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0435</cvename>
<freebsdsa>SA-04:11.msync</freebsdsa>
</references>
<dates>
<discovery>2004-04-24</discovery>
<entry>2004-05-26</entry>
</dates>
</vuln>
<vuln vid="f7a3b18c-624c-4703-9756-b6b27429e5b0">
<topic>leafnode denial-of-service triggered by article request</topic>
<affects>
<package>
<name>leafnode</name>
<range><ge>1.9.20</ge><lt>1.9.30</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The leafnode NNTP server may go into an unterminated loop with 100%
CPU use when an article is requested by Message-ID that has been
crossposted to several news groups when one of the group names is the
prefix of another group name that the article was cross-posted
to. Found by Jan Knutar.</p>
</body>
</description>
<references>
<url>http://leafnode.sourceforge.net/leafnode-SA-2002-01</url>
<mlist msgid="20021229205023.GA5216@merlin.emma.line.org">http://sourceforge.net/mailarchive/message.php?msg_id=2796226</mlist>
<mlist msgid="20021229205023.GA5216@merlin.emma.line.org">http://article.gmane.org/gmane.network.leafnode.announce/8</mlist>
<bid>6490</bid>
<freebsdpr>ports/46613</freebsdpr>
</references>
<dates>
<discovery>2002-11-06</discovery>
<entry>2004-05-21</entry>
</dates>
</vuln>
<vuln vid="7b0208ff-3f65-4e16-8d4d-48fd9851f085">
<topic>leafnode fetchnews denial-of-service triggered by missing header</topic>
<affects>
<package>
<name>leafnode</name>
<range><ge>1.9.3</ge><le>1.9.41</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Fetchnews could hang when a news article to be downloaded lacked one
of the mandatory headers. Found by Joshua Crawford.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0744</cvename>
<url>http://leafnode.sourceforge.net/leafnode-SA-2003-01</url>
<mlist msgid="20030904011904.GB12350@merlin.emma.line.org">http://sourceforge.net/mailarchive/message.php?msg_id=5975563</mlist>
<mlist msgid="20030904011904.GB12350@merlin.emma.line.org">http://article.gmane.org/gmane.network.leafnode.announce/21</mlist>
<bid>8541</bid>
<freebsdpr>ports/53838</freebsdpr>
</references>
<dates>
<discovery>2003-06-20</discovery>
<entry>2004-05-21</entry>
</dates>
</vuln>
<vuln vid="a051a4ec-3aa1-4dd1-9bdc-a61eb5700153">
<topic>leafnode fetchnews denial-of-service triggered by truncated transmission</topic>
<affects>
<package>
<name>leafnode</name>
<range><le>1.9.47</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When a downloaded news article ends prematurely, i. e. when the
server sends [CR]LF.[CR]LF before sending a blank line, fetchnews may
wait indefinitely for data that never arrives. Workaround: configure
"minlines=1" (or use a bigger value) in the configuration file. Found
by Toni Viemerö.</p>
</body>
</description>
<references>
<url>http://leafnode.sourceforge.net/leafnode-SA-2004-01</url>
<url>http://sourceforge.net/tracker/index.php?func=detail&amp;aid=873149&amp;group_id=57767&amp;atid=485349</url>
<mlist msgid="20040109015625.GA12319@merlin.emma.line.org">http://article.gmane.org/gmane.network.leafnode.announce/32</mlist>
<mlist msgid="20040109015625.GA12319@merlin.emma.line.org">http://sourceforge.net/mailarchive/message.php?msg_id=6922570</mlist>
<freebsdpr>ports/61105</freebsdpr>
</references>
<dates>
<discovery>2004-01-08</discovery>
<entry>2004-05-21</entry>
</dates>
</vuln>
<vuln vid="2e129846-8fbb-11d8-8b29-0020ed76ef5a">
<topic>MySQL insecure temporary file creation (mysqlbug)</topic>
<affects>
<package>
<name>mysql-client</name>
<range><ge>4.0</ge><lt>4.0.20</lt></range>
<range><ge>4.1</ge><lt>4.1.1_2</lt></range>
<range><ge>5.0</ge><lt>5.0.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Shaun Colley reports that the script `mysqlbug' included
with MySQL sometimes creates temporary files in an unsafe
manner. As a result, an attacker may create a symlink in
/tmp so that if another user invokes `mysqlbug' and <em>quits
without making <strong>any</strong> changes</em>, an
arbitrary file may be overwritten with the bug report
template.</p>
</body>
</description>
<references>
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108023246916294&amp;w=2</mlist>
<url>http://bugs.mysql.com/bug.php?id=3284</url>
<bid>9976</bid>
<cvename>CAN-2004-0381</cvename>
</references>
<dates>
<discovery>2004-03-25</discovery>
<entry>2004-04-16</entry>
<modified>2004-05-21</modified>
</dates>
</vuln>
<vuln vid="5d36ef32-a9cf-11d8-9c6d-0020ed76ef5a">
<topic>subversion date parsing vulnerability</topic>
<affects>
<package>
<name>subversion</name>
<range><lt>1.0.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefan Esser reports:</p>
<blockquote cite="http://security.e-matters.de/advisories/082004.html">
<p>Subversion versions up to 1.0.2 are vulnerable to a date
parsing vulnerability which can be abused to allow remote
code execution on Subversion servers and therefore could
lead to a repository compromise.</p>
</blockquote>
<p><em>NOTE:</em> This vulnerability is similar to the date
parsing issue that affected neon. However, it is a different
and distinct bug.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0397</cvename>
<url>http://security.e-matters.de/advisories/082004.html</url>
</references>
<dates>
<discovery>2004-05-19</discovery>
<entry>2004-05-19</entry>
</dates>
</vuln>
<vuln vid="f93be979-a992-11d8-aecc-000d610a3b12">
<topic>cvs pserver remote heap buffer overflow</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><ge>5.2</ge><lt>5.2_7</lt></range>
<range><ge>5.1</ge><lt>5.1_17</lt></range>
<range><ge>5.0</ge><lt>5.0_21</lt></range>
<range><ge>4.9</ge><lt>4.9_8</lt></range>
<range><ge>4.8</ge><lt>4.8_21</lt></range>
<range><ge>4.0</ge><lt>4.7_27</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Due to a programming error in code used to parse data
received from the client, malformed data can cause a heap
buffer to overflow, allowing the client to overwrite
arbitrary portions of the server's memory.</p>
<p>A malicious CVS client can exploit this to run arbitrary
code on the server at the privilege level of the CVS server
software.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0396</cvename>
<freebsdsa>SA-04:10.cvs</freebsdsa>
</references>
<dates>
<discovery>2004-05-02</discovery>
<entry>2004-05-19</entry>
</dates>
</vuln>
<vuln vid="492f8896-70fa-11d8-873f-0020ed76ef5a">
<topic>Apache 2 mod_ssl denial-of-service</topic>
<affects>
<package>
<name>apache</name>
<range><ge>2.0</ge><le>2.0.48_3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Joe Orton reports a memory leak in Apache 2's mod_ssl.
A remote attacker may issue HTTP requests on an HTTPS
port, causing an error. Due to a bug in processing this
condition, memory associated with the connection is
not freed. Repeated requests can result in consuming
all available memory resources, probably resulting in
termination of the Apache process.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0113</cvename>
<url>http://www.apacheweek.com/features/security-20</url>
<url>http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.100.2.11&amp;r2=1.100.2.12</url>
<mlist>http://marc.theaimsgroup.com/?l=apache-cvs&amp;m=107869699329638</mlist>
<url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106</url>
<bid>9826</bid>
</references>
<dates>
<discovery>2004-02-20</discovery>
<entry>2004-03-08</entry>
<modified>2004-05-19</modified>
</dates>
</vuln>
<vuln vid="df333ede-a8ce-11d8-9c6d-0020ed76ef5a">
<topic>URI handler vulnerabilities in several browsers</topic>
<affects>
<package>
<name>linux-opera</name>
<name>opera</name>
<range><lt>7.50</lt></range>
</package>
<package>
<name>kdelibs</name>
<range><lt>3.2.2_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Karol Wiesek and Greg MacManus reported via iDEFENSE that the
Opera web browser contains a flaw in the handling of
certain URIs. When presented with these URIs, Opera would
invoke external commands to process them after some
validation. However, if the hostname component of a URI
begins with a `-', it may be treated as an option by an external
command. This could have undesirable side-effects, from
denial-of-service to code execution. The impact is very
dependent on local configuration.</p>
<p>After the iDEFENSE advisory was published, the KDE team
discovered similar problems in KDE's URI handlers.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0411</cvename>
<url>http://www.idefense.com/application/poi/display?id=104&amp;type=vulnerabilities</url>
<url>http://www.kde.org/info/security/advisory-20040517-1.txt</url>
<url>http://freebsd.kde.org/index.php#n20040517</url>
</references>
<dates>
<discovery>2004-05-12</discovery>
<entry>2004-05-18</entry>
</dates>
</vuln>
<vuln vid="20be2982-4aae-11d8-96f2-0020ed76ef5a">
<topic>fsp buffer overflow and directory traversal vulnerabilities</topic>
<affects>
<package>
<name>fspd</name>
<range><lt>2.8.1.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The <a href="http://www.debian.org/security">Debian
security team</a> reported a pair of vulnerabilities in
fsp:</p>
<blockquote cite="http://www.debian.org/security/2004/dsa-416">
<p>A vulnerability was discovered in fsp, client utilities
for File Service Protocol (FSP), whereby a remote user could
both escape from the FSP root directory (CAN-2003-1022), and
also overflow a fixed-length buffer to execute arbitrary
code (CAN-2004-0011).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2003-1022</cvename>
<cvename>CAN-2004-0011</cvename>
<url>http://www.debian.org/security/2004/dsa-416</url>
</references>
<dates>
<discovery>2004-01-06</discovery>
<entry>2004-01-19</entry>
<modified>2004-05-17</modified>
</dates>
</vuln>
<vuln vid="cb6c6c29-9c4f-11d8-9366-0020ed76ef5a">
<topic>proftpd IP address access control list breakage</topic>
<affects>
<package>
<name>proftpd</name>
<range><ge>1.2.9</ge><lt>1.2.10.r1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jindrich Makovicka reports a regression in proftpd's
handling of IP address access control lists (IP ACLs). Due
to this regression, some IP ACLs are treated as ``allow
all''.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0432</cvename>
<url>http://bugs.proftpd.org/show_bug.cgi?id=2267</url>
</references>
<dates>
<discovery>2003-11-04</discovery>
<entry>2004-05-02</entry>
<modified>2004-05-15</modified>
</dates>
</vuln>
<vuln vid="fde53204-7ea6-11d8-9645-0020ed76ef5a">
<topic>insecure temporary file creation in xine-check, xine-bugreport</topic>
<affects>
<package>
<name>xine</name>
<range><lt>0.9.23_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Some scripts installed with xine create temporary files
insecurely. It is recommended that these scripts (xine-check,
xine-bugreport) not be used. They are not needed for normal
operation.</p>
</body>
</description>
<references>
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=107997911025558</mlist>
<bid>9939</bid>
</references>
<dates>
<discovery>2004-03-20</discovery>
<entry>2004-03-26</entry>
<modified>2004-05-09</modified>
</dates>
</vuln>
<vuln vid="5f29c2e4-9f6a-11d8-abbc-00e08110b673">
<topic>exim buffer overflow when verify = header_syntax is used</topic>
<affects>
<package>
<name>exim</name>
<name>exim-ldap2</name>
<name>exim-mysql</name>
<name>exim-postgresql</name>
<range><lt>4.33+20_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A remote exploitable buffer overflow has been discovered
in exim when verify = header_syntax is used in the
configuration file. This does not affect the default
configuration.</p>
</body>
</description>
<references>
<url>http://www.guninski.com/exim1.html</url>
<cvename>CAN-2004-0400</cvename>
</references>
<dates>
<discovery>2004-05-06</discovery>
<entry>2004-05-06</entry>
</dates>
</vuln>
<vuln vid="a56a72bb-9f72-11d8-9585-0020ed76ef5a">
<topic>phpBB session table exhaustion</topic>
<affects>
<package>
<name>phpbb</name>
<range><le>2.0.8_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The includes/sessions.php unnecessarily adds session item into
session table and therefore vulnerable to a denial-of-service
attack.</p>
</body>
</description>
<references>
<mlist msgid="20040421011055.GA1448@frontfree.net">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108256462710010</mlist>
</references>
<dates>
<discovery>2004-03-05</discovery>
<entry>2004-05-06</entry>
</dates>
</vuln>
<vuln vid="446dbecb-9edc-11d8-9366-0020ed76ef5a">
<topic>heimdal kadmind remote heap buffer overflow</topic>
<affects>
<package>
<name>heimdal</name>
<range><lt>0.6.1_1</lt></range>
</package>
<system>
<name>FreeBSD</name>
<range><ge>4.9</ge><lt>4.9_7</lt></range>
<range><ge>4.0</ge><lt>4.8_20</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An input validation error was discovered in the kadmind
code that handles the framing of Kerberos 4 compatibility
administration requests. The code assumed that the length
given in the framing was always two or more bytes. Smaller
lengths will cause kadmind to read an arbitrary amount of
data into a minimally-sized buffer on the heap.</p>
<p>A remote attacker may send a specially formatted message
to kadmind, causing it to crash or possibly resulting in
arbitrary code execution.</p>
<p>The kadmind daemon is part of Kerberos 5 support. However,
this bug will only be present if kadmind was built with
additional Kerberos 4 support. Thus, only systems that have
*both* Heimdal Kerberos 5 and Kerberos 4 installed might
be affected.</p>
<p><em>NOTE:</em> On FreeBSD 4 systems, `kadmind' may be
installed as `k5admind'.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0434</cvename>
<freebsdsa>SA-04:09.kadmind</freebsdsa>
</references>
<dates>
<discovery>2004-05-05</discovery>
<entry>2004-05-05</entry>
</dates>
</vuln>
<vuln vid="0792e7a7-8e37-11d8-90d1-0020ed76ef5a">
<topic>CVS path validation errors</topic>
<affects>
<package>
<name>cvs+ipv6</name>
<range><le>1.11.5_1</le></range>
</package>
<system>
<name>FreeBSD</name>
<range><ge>5.2</ge><lt>5.2.1_5</lt></range>
<range><ge>4.9</ge><lt>4.9_5</lt></range>
<range><ge>4.8</ge><lt>4.8_18</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two programming errors were discovered in which path names
handled by CVS were not properly validated. In one case,
the CVS client accepts absolute path names from the server
when determining which files to update. In another case,
the CVS server accepts relative path names from the client
when determining which files to transmit, including those
containing references to parent directories (`../').</p>
<p>These programming errors generally only have a security
impact when dealing with remote CVS repositories.</p>
<p>A malicious CVS server may cause a CVS client to overwrite
arbitrary files on the client's system.</p>
<p>A CVS client may request RCS files from a remote system
other than those in the repository specified by $CVSROOT.
These RCS files need not be part of any CVS repository
themselves.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0180</cvename>
<cvename>CAN-2004-0405</cvename>
<url>http://ccvs.cvshome.org/servlets/NewsItemView?newsID=102</url>
<freebsdsa>SA-04:07.cvs</freebsdsa>
</references>
<dates>
<discovery>2004-04-14</discovery>
<entry>2004-04-14</entry>
<modified>2004-05-05</modified>
</dates>
</vuln>
<vuln vid="7229d900-88af-11d8-90d1-0020ed76ef5a">
<topic>mksnap_ffs clears file system options</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><ge>5.2</ge><lt>5.2_1</lt></range>
<range><ge>5.1</ge><lt>5.1_12</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The kernel interface for creating a snapshot of a
filesystem is the same as that for changing the flags on
that filesystem. Due to an oversight, the <a href="http://www.freebsd.org/cgi/man.cgi?query=mksnap_ffs">mksnap_ffs(8)</a>
command called that interface with only the snapshot flag
set, causing all other flags to be reset to the default
value.</p>
<p>A regularly scheduled backup of a live filesystem, or
any other process that uses the mksnap_ffs command
(for instance, to provide a rough undelete functionality
on a file server), will clear any flags in effect on the
filesystem being snapshot. Possible consequences depend
on local usage, but can include disabling extended access
control lists or enabling the use of setuid executables
stored on an untrusted filesystem.</p>
<p>The mksnap_ffs command is normally only available to
the superuser and members of the `operator' group. There
is therefore no risk of a user gaining elevated privileges
directly through use of the mksnap_ffs command unless
it has been intentionally made available to unprivileged
users.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0099</cvename>
<freebsdsa>SA-04:01.mksnap_ffs</freebsdsa>
</references>
<dates>
<discovery>2004-01-30</discovery>
<entry>2004-04-07</entry>
<modified>2004-05-05</modified>
</dates>
</vuln>
<vuln vid="f95a9005-88ae-11d8-90d1-0020ed76ef5a">
<topic>shmat reference counting bug</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><ge>5.2</ge><lt>5.2_2</lt></range>
<range><ge>5.1</ge><lt>5.1_14</lt></range>
<range><ge>5.0</ge><lt>5.0_20</lt></range>
<range><ge>4.9</ge><lt>4.9_2</lt></range>
<range><ge>4.8</ge><lt>4.8_15</lt></range>
<range><lt>4.7_25</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A programming error in the <a href="http://www.freebsd.org/cgi/man.cgi?query=shmat">shmat(2)</a> system call can result
in a shared memory segment's reference count being erroneously
incremented.</p>
<p>It may be possible to cause a shared memory segment to
reference unallocated kernel memory, but remain valid.
This could allow a local attacker to gain read or write
access to a portion of kernel memory, resulting in sensitive
information disclosure, bypass of access control mechanisms,
or privilege escalation. </p>
</body>
</description>
<references>
<cvename>CAN-2004-0114</cvename>
<freebsdsa>SA-04:02.shmat</freebsdsa>
<url>http://www.pine.nl/press/pine-cert-20040201.txt</url>
</references>
<dates>
<discovery>2004-02-01</discovery>
<entry>2004-04-07</entry>
<modified>2004-05-05</modified>
</dates>
</vuln>
<vuln vid="9082a85a-88ae-11d8-90d1-0020ed76ef5a">
<topic>jailed processes can attach to other jails</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><ge>5.1</ge><lt>5.1_14</lt></range>
<range><ge>5.2</ge><lt>5.2.1</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A programming error has been found in the <a href="http://www.freebsd.org/cgi/man.cgi?query=jail_attach">jail_attach(2)</a>
system call which affects the way that system call verifies
the privilege level of the calling process. Instead of
failing immediately if the calling process was already
jailed, the jail_attach system call would fail only after
changing the calling process's root directory.</p>
<p>A process with superuser privileges inside a jail could
change its root directory to that of a different jail,
and thus gain full read and write access to files and
directories within the target jail. </p>
</body>
</description>
<references>
<cvename>CAN-2004-0126</cvename>
<freebsdsa>SA-04:03.jail</freebsdsa>
</references>
<dates>
<discovery>2004-02-19</discovery>
<entry>2004-04-07</entry>
<modified>2004-05-05</modified>
</dates>
</vuln>
<vuln vid="e289f7fd-88ac-11d8-90d1-0020ed76ef5a">
<topic>many out-of-sequence TCP packets denial-of-service</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><ge>5.2</ge><lt>5.2.1_2</lt></range>
<range><ge>5.0</ge><lt>5.1_15</lt></range>
<range><ge>4.9</ge><lt>4.9_3</lt></range>
<range><ge>4.8</ge><lt>4.8_16</lt></range>
<range><lt>4.7_26</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>FreeBSD does not limit the number of TCP segments that
may be held in a reassembly queue. A remote attacker may
conduct a low-bandwidth denial-of-service attack against
a machine providing services based on TCP (there are many
such services, including HTTP, SMTP, and FTP). By sending
many out-of-sequence TCP segments, the attacker can cause
the target machine to consume all available memory buffers
(``mbufs''), likely leading to a system crash. </p>
</body>
</description>
<references>
<cvename>CAN-2004-0171</cvename>
<freebsdsa>SA-04:04.tcp</freebsdsa>
<url>http://www.idefense.com/application/poi/display?id=78&amp;type=vulnerabilities</url>
</references>
<dates>
<discovery>2004-02-18</discovery>
<entry>2004-04-07</entry>
<modified>2004-05-05</modified>
</dates>
</vuln>
<vuln vid="2c6acefd-8194-11d8-9645-0020ed76ef5a">
<topic>setsockopt(2) IPv6 sockets input validation error</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><ge>5.2</ge><lt>5.2.1_4</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>From the FreeBSD Security Advisory:</p>
<blockquote>
<p>A programming error in the handling of some IPv6 socket
options within the <a href="http://www.freebsd.org/cgi/man.cgi?query=setsockopt">setsockopt(2)</a> system call may result
in memory locations being accessed without proper
validation.</p>
<p>It may be possible for a local attacker to read portions
of kernel memory, resulting in disclosure of sensitive
information. A local attacker can cause a system
panic.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0370</cvename>
<freebsdsa>SA-04:06.ipv6</freebsdsa>
</references>
<dates>
<discovery>2004-03-29</discovery>
<entry>2004-03-29</entry>
<modified>2004-05-05</modified>
</dates>
</vuln>
<vuln vid="68233cba-7774-11d8-89ed-0020ed76ef5a">
<topic>OpenSSL ChangeCipherSpec denial-of-service vulnerability</topic>
<affects>
<package>
<name>openssl</name>
<name>openssl-beta</name>
<range><lt>0.9.7d</lt></range>
</package>
<system>
<name>FreeBSD</name>
<range><ge>4.0</ge><lt>4.8_17</lt></range>
<range><ge>4.9</ge><lt>4.9_4</lt></range>
<range><ge>5.0</ge><lt>5.1_16</lt></range>
<range><ge>5.2</ge><lt>5.2.1_3</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A remote attacker could cause an application using OpenSSL to
crash by performing a specially crafted SSL/TLS handshake.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0079</cvename>
<url>http://www.openssl.org/news/secadv_20040317.txt</url>
<freebsdsa>SA-04:05.openssl</freebsdsa>
<certvu>288574</certvu>
<bid>9899</bid>
</references>
<dates>
<discovery>2004-03-17</discovery>
<entry>2004-03-17</entry>
<modified>2004-05-05</modified>
</dates>
</vuln>
<vuln vid="f04cc5cb-2d0b-11d8-beaf-000a95c4d922">
<topic>bind8 negative cache poison attack</topic>
<affects>
<package>
<name>bind</name>
<range><ge>8.3</ge><lt>8.3.7</lt></range>
<range><ge>8.4</ge><lt>8.4.3</lt></range>
</package>
<system>
<name>FreeBSD</name>
<range><ge>5.1</ge><lt>5.1_11</lt></range>
<range><ge>5.0</ge><lt>5.0_19</lt></range>
<range><ge>4.9</ge><lt>4.9_1</lt></range>
<range><ge>4.8</ge><lt>4.8_14</lt></range>
<range><ge>4.7</ge><lt>4.7_24</lt></range>
<range><ge>4.6</ge><lt>4.6.2_27</lt></range>
<range><ge>4.5</ge><lt>4.5_37</lt></range>
<range><lt>4.4_47</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A programming error in BIND 8 named can result in a DNS
message being incorrectly cached as a negative response. As
a result, an attacker may arrange for malicious DNS messages
to be delivered to a target name server, and cause that name
server to cache a negative response for some target domain
name. The name server would thereafter respond negatively
to legitimate queries for that domain name, resulting in a
denial-of-service for applications that require DNS.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0914</cvename>
<freebsdsa>SA-03:19.bind</freebsdsa>
<certvu>734644</certvu>
</references>
<dates>
<discovery>2003-11-28</discovery>
<entry>2003-12-12</entry>
<modified>2004-05-05</modified>
</dates>
</vuln>
<vuln vid="bfb36941-84fa-11d8-a41f-0020ed76ef5a">
<topic>Incorrect cross-realm trust handling in Heimdal</topic>
<affects>
<package>
<name>heimdal</name>
<range><lt>0.6.1</lt></range>
</package>
<system>
<name>FreeBSD</name>
<range><ge>5.0</ge><lt>5.2_6</lt></range>
<range><ge>4.9</ge><lt>4.9_6</lt></range>
<range><ge>4.0</ge><lt>4.8_19</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Heimdal does not correctly validate the `transited' field of
Kerberos tickets when computing the authentication path. This
could allow a rogue KDC with which cross-realm relationships
have been established to impersonate any KDC in the
authentication path.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0371</cvename>
<freebsdsa>SA-04:08.heimdal</freebsdsa>
<url>http://www.pdc.kth.se/heimdal/advisory/2004-04-01/</url>
</references>
<dates>
<discovery>2004-04-01</discovery>
<entry>2004-04-02</entry>
<modified>2004-05-05</modified>
</dates>
</vuln>
<vuln vid="a2ffb627-9c53-11d8-9366-0020ed76ef5a">
<topic>lha buffer overflows and path traversal issues</topic>
<affects>
<package>
<name>lha</name>
<range><lt>1.14i_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ulf Härnhammar discovered several vulnerabilities in
LHa for UNIX's path name handling code. Specially constructed
archive files may cause LHa to overwrite files or
execute arbitrary code with the privileges of the user
invoking LHa. This could be particularly harmful for
automated systems that might handle archives such as
virus scanning processes.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0234</cvename>
<cvename>CAN-2004-0235</cvename>
</references>
<dates>
<discovery>2004-04-29</discovery>
<entry>2004-05-02</entry>
<modified>2004-05-03</modified>
</dates>
</vuln>
<vuln vid="8338a20f-9573-11d8-9366-0020ed76ef5a">
<topic>xchat remotely exploitable buffer overflow (Socks5)</topic>
<affects>
<package>
<name>xchat2</name>
<range><ge>1.8</ge><lt>2.0.8_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A straightforward stack buffer overflow exists in XChat's
Socks5 proxy support.</p>
<p>The XChat developers report that `tsifra' discovered this
issue.</p>
<p>NOTE: XChat Socks5 support is disabled by support in the
FreeBSD Ports Collection.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0409</cvename>
<url>http://xchat.org/files/source/2.0/patches/xc208-fixsocks5.diff</url>
<mlist msgid="20040405171305.04f19c44.zed@xchat.org">http://marc.theaimsgroup.com/?l=xchat-announce&amp;m=108114935507357</mlist>
</references>
<dates>
<discovery>2004-04-05</discovery>
<entry>2004-04-23</entry>
<modified>2004-05-03</modified>
</dates>
</vuln>
<vuln vid="73ea0706-9c57-11d8-9366-0020ed76ef5a">
<topic>rsync path traversal issue</topic>
<affects>
<package>
<name>rsync</name>
<range><lt>2.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When running rsync in daemon mode, no checks were made
to prevent clients from writing outside of a module's
`path' setting.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0426</cvename>
<url>http://rsync.samba.org/#security_apr04</url>
</references>
<dates>
<discovery>2004-04-26</discovery>
<entry>2004-05-02</entry>
</dates>
</vuln>
<vuln vid="e50b04e8-9c55-11d8-9366-0020ed76ef5a">
<topic>xine-lib arbitrary file overwrite</topic>
<affects>
<package>
<name>libxine</name>
<range><gt>0.9</gt><lt>1.0.r3_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>From the xinehq advisory:</p>
<blockquote cite="http://www.xinehq.de/index.php/security/XSA-2004-1">
<p>By opening a malicious MRL in any xine-lib based media
player, an attacker can write arbitrary content to an
arbitrary file, only restricted by the permissions of the
user running the application.</p>
</blockquote>
<p>The flaw is a result of a feature that allows MRLs (media
resource locator URIs) to specify arbitrary configuration
options.</p>
</body>
</description>
<references>
<bid>10193</bid>
<url>http://www.xinehq.de/index.php/security/XSA-2004-1</url>
</references>
<dates>
<discovery>2004-04-20</discovery>
<entry>2004-05-02</entry>
</dates>
</vuln>
<vuln vid="fb521119-9bc4-11d8-9366-0020ed76ef5a">
<topic>pound remotely exploitable vulnerability</topic>
<affects>
<package>
<name>pound</name>
<range><lt>1.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An unknown remotely exploitable vulnerability was disclosed.
Robert Segall writes:</p>
<blockquote cite="http://www.apsis.ch/pound/pound_list/archive/2003/2003-12/1070234315000">
<p>a security vulnerability was brought to my attention
(many thanks to Akira Higuchi). Everyone running any
previous version should upgrade to 1.6 immediately - the
vulnerability may allow a remote exploit. No exploits are
currently known and none have been observed in the wild
till now. The danger is minimised if you run Pound in a
root jail and/or you run Pound as non-root user.</p>
</blockquote>
</body>
</description>
<references>
<mlist>http://www.apsis.ch/pound/pound_list/archive/2003/2003-12/1070234315000</mlist>
</references>
<dates>
<discovery>2003-12-01</discovery>
<entry>2004-05-02</entry>
</dates>
</vuln>
<vuln vid="cfe17ca6-6858-4805-ba1d-a60a61ec9b4d">
<topic>phpBB IP address spoofing</topic>
<affects>
<package>
<name>phpbb</name>
<range><le>2.0.8_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The common.php script always trusts the `X-Forwarded-For'
header in the client's HTTP request. A remote user could
forge this header in order to bypass any IP address access
control lists (ACLs).</p>
</body>
</description>
<references>
<mlist msgid="20040419000129.28917.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108239864203144</mlist>
</references>
<dates>
<discovery>2004-04-18</discovery>
<entry>2004-04-23</entry>
</dates>
</vuln>
<vuln vid="c7705712-92e6-11d8-8b29-0020ed76ef5a">
<topic>TCP denial-of-service attacks against long lived connections</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><ge>0</ge></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p><a href="http://www.niscc.gov.uk/">NISCC</a> /
<a href="http://www.uniras.gov.uk/">UNIRAS</a> has published
an advisory that re-visits the long discussed spoofed TCP RST
denial-of-service vulnerability. This new look emphasizes
the fact that for some applications such attacks are
practically feasible.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0230</cvename>
<url>http://www.uniras.gov.uk/vuls/2004/236929/index.htm</url>
</references>
<dates>
<discovery>1995-06-01</discovery>
<entry>2004-04-23</entry>
</dates>
</vuln>
<vuln vid="99230277-8fb4-11d8-8b29-0020ed76ef5a">
<topic>ident2 double byte buffer overflow</topic>
<affects>
<package>
<name>ident2</name>
<range><le>1.04</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jack of RaptureSecurity reported a double byte buffer
overflow in ident2. The bug may allow a remote attacker to
execute arbitrary code within the context of the ident2
daemon. The daemon typically runs as user-ID `nobody', but
with group-ID `wheel'.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0408</cvename>
<url>http://cvsweb.freebsd.org/ports/security/ident2/files/patch-common.c</url>
</references>
<dates>
<discovery>2004-04-15</discovery>
<entry>2004-04-23</entry>
</dates>
</vuln>
<vuln vid="da6f265b-8f3d-11d8-8b29-0020ed76ef5a">
<topic>kdepim exploitable buffer overflow in VCF reader</topic>
<affects>
<package>
<name>kdepim</name>
<range><ge>3.1.0</ge><lt>3.1.4_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A buffer overflow is present in some versions of the KDE
personal information manager (kdepim) which may be triggered
when processing a specially crafted VCF file.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0988</cvename>
<url>http://www.kde.org/info/security/advisory-20040114-1.txt</url>
</references>
<dates>
<discovery>2004-01-14</discovery>
<entry>2004-04-15</entry>
</dates>
</vuln>
<vuln vid="ccd698df-8e20-11d8-90d1-0020ed76ef5a">
<topic>racoon remote denial of service vulnerability (ISAKMP header length field)</topic>
<affects>
<package>
<name>racoon</name>
<range><lt>20040408a</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When racoon receives an ISAKMP header, it will attempt to
allocate sufficient memory for the entire ISAKMP message
according to the header's length field. If an attacker
crafts an ISAKMP header with a ridiculously large value
in the length field, racoon may exceed operating system
resource limits and be terminated, resulting in a denial of
service.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0403</cvename>
<url>http://www.kame.net/dev/cvsweb2.cgi/kame/kame/kame/racoon/isakmp.c.diff?r1=1.180&amp;r2=1.181</url>
</references>
<dates>
<discovery>2004-03-31</discovery>
<entry>2004-04-14</entry>
</dates>
</vuln>
<vuln vid="40fcf20f-8891-11d8-90d1-0020ed76ef5a">
<topic>racoon remote denial of service vulnerability (IKE Generic Payload Header)</topic>
<affects>
<package>
<name>racoon</name>
<range><lt>20040407b</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When racoon receives an IKE message with an incorrectly
constructed Generic Payload Header, it may behave erratically,
going into a tight loop and dropping connections.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0392</cvename>
<url>http://orange.kame.net/dev/query-pr.cgi?pr=555</url>
</references>
<dates>
<discovery>2003-12-03</discovery>
<entry>2004-04-07</entry>
<modified>2004-04-14</modified>
</dates>
</vuln>
<vuln vid="f8551668-de09-4d7b-9720-f1360929df07">
<topic>tcpdump ISAKMP payload handling remote denial-of-service</topic>
<affects>
<package>
<name>tcpdump</name>
<range><lt>3.8.3</lt></range>
</package>
<package>
<name>racoon</name>
<range><lt>20040408a</lt></range>
</package>
<system>
<name>FreeBSD</name>
<range><ge>0</ge></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chad Loder has discovered vulnerabilities in tcpdump's
ISAKMP protocol handler. During an audit to repair these
issues, Bill Fenner discovered some related problems.</p>
<p>These vulnerabilities may be used by an attacker to crash a
running `tcpdump' process. They can only be triggered if
the `-v' command line option is being used.</p>
<p>NOTE: the racoon ISAKMP/IKE daemon incorporates the ISAKMP
protocol handler from tcpdump, and so is also affected by
this issue.</p>
</body>
</description>
<references>
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108067265931525</mlist>
<url>http://www.rapid7.com/advisories/R7-0017.html</url>
<cvename>CAN-2004-0183</cvename>
<cvename>CAN-2004-0184</cvename>
</references>
<dates>
<discovery>2004-03-12</discovery>
<entry>2004-03-31</entry>
<modified>2004-04-14</modified>
</dates>
</vuln>
<vuln vid="322d4ff6-85c3-11d8-a41f-0020ed76ef5a">
<topic>Midnight Commander buffer overflow during symlink resolution</topic>
<affects>
<package>
<name>mc</name>
<range><lt>4.6.0_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Midnight Commander uses a fixed sized stack buffer while
resolving symbolic links within file archives (tar or cpio).
If an attacker can cause a user to process a specially
crafted file archive with Midnight Commander,
the attacker may be able to obtain the privileges of the
target user.</p>
</body>
</description>
<references>
<cvename>CAN-2003-1023</cvename>
<mlist msgid="E1A0LbX-000NPk-00.alienhard-mail-ru@f9.mail.ru">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=106399528518704</mlist>
<bid>8658</bid>
</references>
<dates>
<discovery>2003-09-19</discovery>
<entry>2004-04-03</entry>
<modified>2004-04-13</modified>
</dates>
</vuln>
<vuln vid="d8769838-8814-11d8-90d1-0020ed76ef5a">
<topic>racoon fails to verify signature during Phase 1</topic>
<affects>
<package>
<name>racoon</name>
<range><lt>20040407b</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ralf Spenneberg discovered a serious flaw in racoon.
When using Phase 1 main or aggressive mode, racoon does
not verify the client's RSA signature. Any installations
using <em>X.509 authentication</em> are <strong>strongly
urged</strong> to upgrade.</p>
<p>Installations using <em>pre-shared keys</em> are believed
to be unaffected.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0155</cvename>
<url>http://www.kame.net/dev/cvsweb2.cgi/kame/kame/kame/racoon/crypto_openssl.c?rev=1.84&amp;content-type=text/x-cvsweb-markup</url>
</references>
<dates>
<discovery>2004-04-05</discovery>
<entry>2004-04-07</entry>
</dates>
</vuln>
<vuln vid="6fd02439-5d70-11d8-80e3-0020ed76ef5a">
<topic>Several remotely exploitable buffer overflows in gaim</topic>
<affects>
<package>
<name>gaim</name>
<name>ja-gaim</name>
<name>ko-gaim</name>
<name>ru-gaim</name>
<range><lt>0.75_3</lt></range>
<range><eq>0.75_5</eq></range>
<range><eq>0.76</eq></range>
</package>
<package>
<name>gaim</name>
<range><ge>20030000</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefan Esser of e-matters found almost a dozen remotely
exploitable vulnerabilities in Gaim. From the e-matters
advisory:</p>
<blockquote cite="http://security.e-matters.de/advisories/012004.txt">
<p>While developing a custom add-on, an integer overflow
in the handling of AIM DirectIM packets was revealed that
could lead to a remote compromise of the IM client. After
disclosing this bug to the vendor, they had to make a
hurried release because of a change in the Yahoo connection
procedure that rendered GAIM useless. Unfourtunately at the
same time a closer look onto the sourcecode revealed 11 more
vulnerabilities.</p>
<p>The 12 identified problems range from simple standard
stack overflows, over heap overflows to an integer overflow
that can be abused to cause a heap overflow. Due to the
nature of instant messaging many of these bugs require
man-in-the-middle attacks between client and server. But the
underlying protocols are easy to implement and MIM attacks
on ordinary TCP sessions is a fairly simple task.</p>
<p>In combination with the latest kernel vulnerabilities or
the habit of users to work as root/administrator these bugs
can result in remote root compromises.</p>
</blockquote>
</body>
</description>
<references>
<url>http://security.e-matters.de/advisories/012004.txt</url>
<cvename>CAN-2004-0005</cvename>
<cvename>CAN-2004-0006</cvename>
<cvename>CAN-2004-0007</cvename>
<cvename>CAN-2004-0008</cvename>
</references>
<dates>
<discovery>2004-01-26</discovery>
<entry>2004-02-12</entry>
<modified>2004-10-25</modified>
</dates>
</vuln>
<vuln vid="290d81b9-80f1-11d8-9645-0020ed76ef5a">
<topic>oftpd denial-of-service vulnerability (PORT command)</topic>
<affects>
<package>
<name>oftpd</name>
<range><lt>0.3.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Philippe Oechslin reported a denial-of-service vulnerability
in oftpd. The oftpd server can be crashed by sending a PORT
command containing an integer over 8 bits long (over 255).</p>
</body>
</description>
<references>
<url>http://www.time-travellers.org/oftpd/oftpd-dos.html</url>
<bid>9980</bid>
<cvename>CAN-2004-0376</cvename>
</references>
<dates>
<discovery>2004-03-04</discovery>
<entry>2004-03-28</entry>
<modified>2004-04-05</modified>
</dates>
</vuln>
<vuln vid="705e003a-7f36-11d8-9645-0020ed76ef5a">
<topic>squid ACL bypass due to URL decoding bug</topic>
<affects>
<package>
<name>squid</name>
<range><lt>squid-2.5.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>From the Squid advisory:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2004_1.txt">
<p>Squid versions 2.5.STABLE4 and earlier contain a bug
in the "%xx" URL decoding function. It may insert a NUL
character into decoded URLs, which may allow users to bypass
url_regex ACLs.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.squid-cache.org/Advisories/SQUID-2004_1.txt</url>
<cvename>CAN-2004-0189</cvename>
</references>
<dates>
<discovery>2004-02-29</discovery>
<entry>2004-03-26</entry>
<modified>2004-03-30</modified>
</dates>
</vuln>
<vuln vid="cad045c0-81a5-11d8-9645-0020ed76ef5a">
<topic>zebra/quagga denial of service vulnerability</topic>
<affects>
<package>
<name>zebra</name>
<range><lt>0.93b_7</lt></range>
</package>
<package>
<name>quagga</name>
<range><lt>0.96.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A remote attacker could cause zebra/quagga to crash by
sending a malformed telnet command to their management
port.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0858</cvename>
<url>http://rhn.redhat.com/errata/RHSA-2003-305.html</url>
<url>http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140</url>
<mlist>http://lists.quagga.net/pipermail/quagga-users/2003-November/000906.html</mlist>
</references>
<dates>
<discovery>2003-11-20</discovery>
<entry>2004-03-29</entry>
</dates>
</vuln>
<vuln vid="c551ae17-7f00-11d8-868e-000347dd607f">
<topic>multiple vulnerabilities in phpBB</topic>
<affects>
<package>
<name>phpbb</name>
<range><lt>2.0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Users with admin rights can severly damage an phpBB installation,
potentially triggered by viewing a page with a malicious link sent
by an attacker.</p>
</body>
</description>
<references>
<url>http://www.gulftech.org/03202004.php</url>
<url>http://www.phpbb.com/phpBB/viewtopic.php?t=183982</url>
<bid>9942</bid>
</references>
<dates>
<discovery>2004-03-20</discovery>
<entry>2004-03-26</entry>
<modified>2004-03-29</modified>
</dates>
</vuln>
<vuln vid="c480eb5e-7f00-11d8-868e-000347dd607f">
<topic>ezbounce remote format string vulnerability</topic>
<affects>
<package>
<name>ezbounce</name>
<range><lt>1.04.a_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A security hole exists that can be used to crash the proxy and
execute arbitrary code. An exploit is circulating that takes
advantage of this, and in some cases succeeds in obtaining a login
shell on the machine.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0510</cvename>
<url>http://ezbounce.dc-team.com/</url>
<bid>8071</bid>
</references>
<dates>
<discovery>2003-07-01</discovery>
<entry>2004-03-26</entry>
<modified>2004-03-29</modified>
</dates>
</vuln>
<vuln vid="739bb51d-7e82-11d8-9645-0020ed76ef5a">
<topic>racoon security association deletion vulnerability</topic>
<affects>
<package>
<name>racoon</name>
<range><lt>20040116a</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A remote attacker may use specially crafted IKE/ISAKMP
messages to cause racoon to delete security associations.
This could result in denial-of-service or possibly cause
sensitive traffic to be transmitted in plaintext, depending
upon configuration.</p>
</body>
</description>
<references>
<mlist msgid="20040113213940.GA1727@hzeroseven.org">http://www.securityfocus.com/archive/1/349756</mlist>
<bid>9416</bid>
<bid>9417</bid>
<cvename>CAN-2004-0164</cvename>
</references>
<dates>
<discovery>2004-01-13</discovery>
<entry>2004-03-25</entry>
<modified>2004-03-29</modified>
</dates>
</vuln>
<vuln vid="3b7c7f6c-7102-11d8-873f-0020ed76ef5a">
<topic>wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed</topic>
<affects>
<package>
<name>wu-ftpd</name>
<range><le>2.6.2_3</le></range>
</package>
<package>
<name>wu-ftpd+ipv6</name>
<range><le>2.6.2_5</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Glenn Stewart reports a bug in wu-ftpd's ftpaccess
`restricted-uid'/`restricted-gid' directives:</p>
<blockquote>
<p>Users can get around the restriction to their home
directory by issuing a simple chmod command on their home
directory. On the next ftp log in, the user will have '/'
as their root directory.</p>
</blockquote>
<p>Matt Zimmerman discovered that the cause of the bug was a
missing check for a restricted user within a code path that
is executed only when a certain error is encountered.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0148</cvename>
<bid>9832</bid>
</references>
<dates>
<discovery>2004-02-17</discovery>
<entry>2004-03-08</entry>
<modified>2004-03-29</modified>
</dates>
</vuln>
<vuln vid="8471bb85-6fb0-11d8-873f-0020ed76ef5a">
<topic>GNU Anubis buffer overflows and format string vulnerabilities</topic>
<affects>
<package>
<name>anubis</name>
<range><le>3.6.2_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ulf Härnhammar discovered several vulnerabilities in GNU
Anubis.</p>
<ul>
<li>Unsafe uses of `sscanf'. The `%s' format specifier is
used, which allows a classical buffer overflow. (auth.c)</li>
<li>Format string bugs invoking `syslog'. (log.c, errs.c,
ssl.c)</li>
</ul>
<p>Ulf notes that these vulnerabilities can be exploited by a
malicious IDENT server as a denial-of-service attack.</p>
</body>
</description>
<references>
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-March/018290.html</mlist>
<bid>9772</bid>
<cvename>CAN-2004-0353</cvename>
<cvename>CAN-2004-0354</cvename>
</references>
<dates>
<discovery>2004-03-04</discovery>
<entry>2004-03-06</entry>
<modified>2004-03-29</modified>
</dates>
</vuln>
<vuln vid="3837f462-5d6b-11d8-80e3-0020ed76ef5a">
<topic>Buffer overflows in XFree86 servers</topic>
<affects>
<package>
<name>XFree86-Server</name>
<range><le>4.3.0_13</le></range>
<range><ge>4.3.99</ge><le>4.3.99.15_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A number of buffer overflows were recently discovered in
XFree86, prompted by initial discoveries by iDEFENSE. These
buffer overflows are present in the font alias handling. An
attacker with authenticated access to a running X server may
exploit these vulnerabilities to obtain root privileges on
the machine running the X server.</p>
</body>
</description>
<references>
<url>http://www.idefense.com/application/poi/display?id=72</url>
<url>http://www.idefense.com/application/poi/display?id=73</url>
<cvename>CAN-2004-0083</cvename>
<cvename>CAN-2004-0084</cvename>
<cvename>CAN-2004-0106</cvename>
<bid>9636</bid>
<bid>9652</bid>
<bid>9655</bid>
</references>
<dates>
<discovery>2004-02-10</discovery>
<entry>2004-02-12</entry>
<modified>2004-03-29</modified>
</dates>
</vuln>
<vuln vid="e25566d5-6d3f-11d8-83a4-000a95bc6fae">
<topic>multiple buffer overflows in xboing</topic>
<affects>
<package>
<name>xboing</name>
<range><lt>2.4_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Steve Kemp reports (in a Debian bug submission):</p>
<blockquote cite="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174924">
<p>Due to improper bounds checking it is possible for a
malicious user to gain a shell with membership group
'games'. (The binary is installed setgid games).</p>
<p>Environmental variables are used without being bounds-checked
in any way, from the source code:</p>
<pre>
highscore.c:
/* Use the environment variable if it exists */
if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
strcpy(filename, str);
else
strcpy(filename, HIGH_SCORE_FILE);
misc.c:
if ((ptr = getenv("HOME")) != NULL)
(void) strcpy(dest, ptr);
</pre>
<p>Neither of these checks are boundschecked, and will allow
arbitary shell code to be run.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2004-0149</cvename>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174924</url>
<bid>9764</bid>
</references>
<dates>
<discovery>2003-01-01</discovery>
<entry>2004-03-05</entry>
<modified>2004-03-29</modified>
</dates>
</vuln>
<vuln vid="a20082c3-6255-11d8-80e3-0020ed76ef5a">
<topic>metamail format string bugs and buffer overflows</topic>
<affects>
<package>
<name>metamail</name>
<range><lt>2.7_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ulf Härnhammar reported four bugs in metamail: two are format
string bugs and two are buffer overflows. The bugs are in
SaveSquirrelFile(), PrintHeader(), and ShareThisHeader().</p>
<p>These vulnerabilities could be triggered by a maliciously
formatted email message if `metamail' or `splitmail' is used
to process it, possibly resulting in arbitrary code execution
with the privileges of the user reading mail.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0104</cvename>
<cvename>CAN-2004-0105</cvename>
<bid>9692</bid>
</references>
<dates>
<discovery>2004-02-18</discovery>
<entry>2004-02-18</entry>
<modified>2004-03-29</modified>
</dates>
</vuln>
<vuln vid="ce46b93a-80f2-11d8-9645-0020ed76ef5a">
<topic>Buffer overflows and format string bugs in Emil</topic>
<affects>
<package>
<name>emil</name>
<range><le>2.1b9</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ulf Härnhammar reports multiple buffer overflows in
Emil, some of which are triggered during the parsing
of attachment filenames. In addition, some format string bugs
are present in the error reporting code.</p>
<p>Depending upon local configuration, these vulnerabilities
may be exploited using specially crafted messages in order
to execute arbitrary code running with the privileges of
the user invoking Emil.</p>
</body>
</description>
<references>
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-March/019325.html</mlist>
<url>http://www.debian.org/security/2004/dsa-468</url>
<cvename>CAN-2004-0152</cvename>
<cvename>CAN-2004-0153</cvename>
</references>
<dates>
<discovery>2004-03-24</discovery>
<entry>2004-03-28</entry>
</dates>
</vuln>
<vuln vid="70f5b3c6-80f0-11d8-9645-0020ed76ef5a">
<topic>Critical SQL injection in phpBB</topic>
<affects>
<package>
<name>phpbb</name>
<range><le>2.0.8</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Anyone can get admin's username and password's md5 hash via a
single web request.
A working example is provided in the advisory.</p>
</body>
</description>
<references>
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108032454818873</mlist>
<bid>9984</bid>
</references>
<dates>
<discovery>2004-03-26</discovery>
<entry>2004-03-28</entry>
</dates>
</vuln>
<vuln vid="6c7661ff-7912-11d8-9645-0020ed76ef5a">
<topic>uudeview buffer overflows</topic>
<affects>
<package>
<name>uulib</name>
<name>uudeview</name>
<name>xdeview</name>
<range><lt>0.5.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The authors of UUDeview report repairing two buffer
overflows in their software.</p>
</body>
</description>
<references>
<url>http://www.fpx.de/fp/Software/UUDeview/HISTORY.txt</url>
</references>
<dates>
<discovery>2004-03-01</discovery>
<entry>2004-03-18</entry>
<modified>2004-03-25</modified>
</dates>
</vuln>
<vuln vid="09d418db-70fd-11d8-873f-0020ed76ef5a">
<topic>Apache 1.3 IP address access control failure on some 64-bit platforms</topic>
<affects>
<package>
<name>apache</name>
<range><lt>1.3.29_2</lt></range>
</package>
<package>
<name>apache+mod_ssl</name>
<range><lt>1.3.29+2.8.16_1</lt></range>
</package>
<package>
<name>apache+ssl</name>
<range><lt>1.3.29.1.53_1</lt></range>
</package>
<package>
<name>ru-apache</name>
<range><lt>1.3.29+30.19_1</lt></range>
</package>
<package>
<name>ru-apache+mod_ssl</name>
<range><lt>1.3.29+30.19+2.8.16_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Henning Brauer discovered a programming error in Apache
1.3's mod_access that results in the netmasks in IP address
access control rules being interpreted incorrectly on
64-bit, big-endian platforms. In some cases, this could
cause a `deny from' IP address access control rule including
a netmask to fail.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0993</cvename>
<url>http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_access.c?r1=1.46&amp;r2=1.47</url>
<url>http://www.apacheweek.com/features/security-13</url>
<url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23850</url>
<mlist>http://marc.theaimsgroup.com/?l=apache-cvs&amp;m=107869603013722</mlist>
<bid>9829</bid>
</references>
<dates>
<discovery>2004-03-07</discovery>
<entry>2004-03-08</entry>
<modified>2004-03-12</modified>
</dates>
</vuln>
<vuln vid="1a448eb7-6988-11d8-873f-0020ed76ef5a">
<topic>mod_python denial-of-service vulnerability in parse_qs</topic>
<affects>
<package>
<name>mod_python</name>
<range><ge>2.7</ge><lt>2.7.10</lt></range>
<range><ge>3.0</ge><lt>3.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An attacker may cause Apache with mod_python to crash
by using a specially constructed query string.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0973</cvename>
<bid>9129</bid>
<url>http://www.modpython.org/pipermail/mod_python/2003-November/014532.html</url>
<url>http://www.modpython.org/pipermail/mod_python/2004-January/014879.html</url>
</references>
<dates>
<discovery>2003-11-28</discovery>
<entry>2004-03-03</entry>
<modified>2004-03-11</modified>
</dates>
</vuln>
<vuln vid="9fccad5a-7096-11d8-873f-0020ed76ef5a">
<topic>mpg123 vulnerabilities</topic>
<affects>
<package>
<name>mpg123</name>
<name>mpg123-nas</name>
<name>mpg123-esound</name>
<range><le>0.59r_12</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>In 2003, two vulnerabilities were discovered in mpg123
that could result in remote code execution when using
untrusted input or streaming from an untrusted server.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0577</cvename>
<cvename>CAN-2003-0865</cvename>
<bid>6629</bid>
<bid>8680</bid>
</references>
<dates>
<discovery>2003-01-16</discovery>
<entry>2004-03-07</entry>
</dates>
</vuln>
<vuln vid="ac4b9d18-67a9-11d8-80e3-0020ed76ef5a">
<topic>fetchmail denial-of-service vulnerability</topic>
<affects>
<package>
<name>fetchmail</name>
<range><lt>6.2.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dave Jones discovered a denial-of-service vulnerability
in fetchmail. An email message containing a very long line
could cause fetchmail to segfault due to missing NUL
termination in transact.c.</p>
<p>Eric Raymond decided not to mention this issue in the
release notes for fetchmail 6.2.5, but it was fixed
there.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0792</cvename>
<bid>8843</bid>
<url>http://xforce.iss.net/xforce/xfdb/13450</url>
<url>http://www.openbsd.org/cgi-bin/cvsweb/ports/mail/fetchmail/patches/Attic/patch-rfc822_c?rev=1.1</url>
</references>
<dates>
<discovery>2003-10-16</discovery>
<entry>2004-02-25</entry>
<modified>2004-03-05</modified>
</dates>
</vuln>
<vuln vid="b0e76877-67a8-11d8-80e3-0020ed76ef5a">
<topic>mailman denial-of-service vulnerability in MailCommandHandler</topic>
<affects>
<package>
<name>mailman</name>
<range><lt>2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A malformed message could cause mailman to crash.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0991</cvename>
<url>http://umn.dl.sourceforge.net/sourceforge/mailman/mailman-2.0.13-2.0.14-diff.txt</url>
</references>
<dates>
<discovery>2003-11-18</discovery>
<entry>2004-02-25</entry>
</dates>
</vuln>
<vuln vid="3cb88bb2-67a6-11d8-80e3-0020ed76ef5a">
<topic>mailman XSS in admin script</topic>
<affects>
<package>
<name>mailman</name>
<range><lt>2.1.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dirk Mueller reports:</p>
<blockquote><p>I've found a cross-site scripting
vulnerability in the admin interface of mailman 2.1.3 that
allows, under certain circumstances, for anyone to retrieve
the (valid) session cookie.</p></blockquote>
</body>
</description>
<references>
<cvename>CAN-2003-0965</cvename>
<url>http://mail.python.org/pipermail/mailman-announce/2003-December/000066.html</url>
<url>http://xforce.iss.net/xforce/xfdb/14121</url>
</references>
<dates>
<discovery>2003-12-31</discovery>
<entry>2004-02-25</entry>
</dates>
</vuln>
<vuln vid="429249d2-67a7-11d8-80e3-0020ed76ef5a">
<topic>mailman XSS in create script</topic>
<affects>
<package>
<name>mailman</name>
<range><lt>2.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>From the 2.1.3 release notes:</p>
<blockquote><p>Closed a cross-site scripting exploit in the
create cgi script.</p></blockquote>
</body>
</description>
<references>
<cvename>CAN-2003-0992</cvename>
<url>http://mail.python.org/pipermail/mailman-announce/2003-September/000061.html</url>
</references>
<dates>
<discovery>2003-09-28</discovery>
<entry>2004-02-25</entry>
</dates>
</vuln>
<vuln vid="00263aa3-67a8-11d8-80e3-0020ed76ef5a">
<topic>mailman XSS in user options page</topic>
<affects>
<package>
<name>mailman</name>
<range><lt>2.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>From the 2.1.1 release notes:</p>
<blockquote><p>Closed a cross-site scripting vulnerability in
the user options page.</p></blockquote>
</body>
</description>
<references>
<cvename>CAN-2003-0038</cvename>
<url>http://mail.python.org/pipermail/mailman-announce/2003-February/000056.html</url>
</references>
<dates>
<discovery>2003-02-08</discovery>
<entry>2004-02-25</entry>
</dates>
</vuln>
<vuln vid="75770425-67a2-11d8-80e3-0020ed76ef5a">
<topic>SQL injection vulnerability in phpnuke</topic>
<affects>
<package>
<name>phpnuke</name>
<range><le>6.9</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Multiple researchers have discovered multiple SQL injection
vulnerabilities in some versions of Php-Nuke. These
vulnerabilities may lead to information disclosure, compromise
of the Php-Nuke site, or compromise of the back-end
database.</p>
</body>
</description>
<references>
<url>http://security.nnov.ru/search/document.asp?docid=5748</url>
<mlist>http://www.securityfocus.com/archive/1/348375</mlist>
<url>http://www.security-corporation.com/advisories-027.html</url>
<mlist>http://www.securityfocus.com/archive/1/353201</mlist>
</references>
<dates>
<discovery>2003-12-12</discovery>
<entry>2004-02-25</entry>
</dates>
</vuln>
<vuln vid="ad4f6ca4-6720-11d8-9fb5-000a95bc6fae">
<topic>lbreakout2 vulnerability in environment variable handling</topic>
<affects>
<package>
<name>lbreakout2</name>
<range><le>2.2.2_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ulf Härnhammar discovered an exploitable vulnerability in
lbreakout2's environmental variable handling. In several
instances, the contents of the HOME environmental variable
are copied to a stack or global buffer without range
checking. A local attacker may use this vulnerability to
acquire group-ID `games' privileges.</p>
<p>An exploit for this vulnerability has been published by
``Li0n7 voila fr''.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0158</cvename>
<url>http://www.debian.org/security/2004/dsa-445</url>
<mlist>http://www.securityfocus.com/archive/1/354760</mlist>
</references>
<dates>
<discovery>2004-02-21</discovery>
<entry>2004-02-25</entry>
</dates>
</vuln>
<vuln vid="316e1c9b-671c-11d8-9aad-000a95bc6fae">
<topic>hsftp format string vulnerabilities</topic>
<affects>
<package>
<name>hsftp</name>
<range><lt>1.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ulf Härnhammar discovered a format string bug in hsftp's file
listing code may allow a malicious server to cause arbitrary
code execution by the client.</p>
</body>
</description>
<references>
<mlist>http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00044.html</mlist>
</references>
<dates>
<discovery>2004-02-22</discovery>
<entry>2004-02-25</entry>
</dates>
</vuln>
<vuln vid="c7cad0f0-671a-11d8-bdeb-000a95bc6fae">
<topic>Darwin Streaming Server denial-of-service vulnerability</topic>
<affects>
<package>
<name>DarwinStreamingServer</name>
<range><le>4.1.3g</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An attacker can cause an assertion to trigger by sending
a long User-Agent field in a request.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0169</cvename>
<url>http://www.idefense.com/application/poi/display?id=75</url>
</references>
<dates>
<discovery>2004-02-23</discovery>
<entry>2004-02-25</entry>
</dates>
</vuln>
<vuln vid="847ade05-6717-11d8-b321-000a95bc6fae">
<topic>libxml2 stack buffer overflow in URI parsing</topic>
<affects>
<package>
<name>libxml2</name>
<range><lt>2.6.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Yuuichi Teranishi reported a crash in libxml2's URI handling
when a long URL is supplied. The implementation in nanohttp.c
and nanoftp.c uses a 4K stack buffer, and longer URLs will
overwrite the stack. This could result in denial-of-service
or arbitrary code execution in applications using libxml2
to parse documents.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0110</cvename>
<url>http://www.xmlsoft.org/news.html</url>
<url>http://mail.gnome.org/archives/xml/2004-February/msg00070.html</url>
</references>
<dates>
<discovery>2004-02-08</discovery>
<entry>2004-02-25</entry>
</dates>
</vuln>
<vuln vid="cc0fb686-6550-11d8-80e3-0020ed76ef5a">
<topic>file disclosure in phpMyAdmin</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><le>2.5.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Lack of proper input validation in phpMyAdmin may allow an
attacker to obtain the contents of any file on the target
system that is readable by the web server.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0129</cvename>
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=107582619125932&amp;w=2</mlist>
<url>http://cvs.sourceforge.net/viewcvs.py/phpmyadmin/phpMyAdmin/export.php#rev2.3.2.1</url>
</references>
<dates>
<discovery>2004-02-17</discovery>
<entry>2004-02-22</entry>
</dates>
</vuln>
<vuln vid="87cc48fd-5fdd-11d8-80e3-0020ed76ef5a">
<topic>mnGoSearch buffer overflow in UdmDocToTextBuf()</topic>
<affects>
<package>
<name>mnogosearch</name>
<range><ge>3.2</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jedi/Sector One &lt;j@pureftpd.org&gt; reported the following
on the full-disclosure list:</p>
<blockquote>
<p>Every document is stored in multiple parts according to
its sections (description, body, etc) in databases. And
when the content has to be sent to the client,
UdmDocToTextBuf() concatenates those parts together and
skips metadata.</p>
<p>Unfortunately, that function lacks bounds checking and
a buffer overflow can be triggered by indexing a large
enough document.</p>
<p>'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c
. S-&gt;val length depends on the length of the original
document and on the indexer settings (the sample
configuration file has low limits that work around the
bug, though).</p>
<p>Exploitation should be easy, moreover textbuf points to
the stack.</p>
</blockquote>
</body>
</description>
<references>
<mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-February/017366.html</mlist>
</references>
<dates>
<discovery>2004-02-15</discovery>
<entry>2004-02-15</entry>
</dates>
</vuln>
<vuln vid="cacaffbc-5e64-11d8-80e3-0020ed76ef5a">
<topic>GNU libtool insecure temporary file handling</topic>
<affects>
<package>
<name>libtool</name>
<range><ge>1.3</ge><lt>1.3.5_2</lt></range>
<range><ge>1.4</ge><lt>1.4.3_3</lt></range>
<range><ge>1.5</ge><lt>1.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libtool attempts to create a temporary directory in
which to write scratch files needed during processing. A
malicious user may create a symlink and then manipulate
the directory so as to write to files to which she normally
has no permissions.</p>
<p>This has been reported as a ``symlink vulnerability'',
although I do not think that is an accurate description.</p>
<p>This vulnerability could possibly be used on a multi-user
system to gain elevated privileges, e.g. root builds some
packages, and another user successfully exploits this
vulnerability to write to a system file.</p>
</body>
</description>
<references>
<mlist>http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&amp;list=405</mlist>
<mlist>http://www.securityfocus.com/archive/1/352333</mlist>
</references>
<dates>
<discovery>2004-01-30</discovery>
<entry>2004-02-13</entry>
</dates>
</vuln>
<vuln vid="0e154a9c-5d7a-11d8-80e3-0020ed76ef5a">
<topic>seti@home remotely exploitable buffer overflow</topic>
<affects>
<package>
<name>setiathome</name>
<range><lt>3.0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The seti@home client contains a buffer overflow in the HTTP
response handler. A malicious, spoofed seti@home server can
exploit this buffer overflow to cause remote code execution
on the client. Exploit programs are widely available.</p>
</body>
</description>
<references>
<url>http://setiathome.berkeley.edu/version308.html</url>
<url>http://web.archive.org/web/20030609204812/http://spoor12.edup.tudelft.nl/</url>
</references>
<dates>
<discovery>2003-04-08</discovery>
<entry>2004-02-12</entry>
</dates>
</vuln>
<vuln vid="5e92e8a2-5d7b-11d8-80e3-0020ed76ef5a">
<topic>icecast 1.x multiple vulnerabilities</topic>
<affects>
<package>
<name>icecast</name>
<range><lt>1.3.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>icecast 1.3.11 and earlier contained numerous security
vulnerabilities, the most severe allowing a remote attacker
to execute arbitrary code as root.</p>
</body>
</description>
<references>
<cvename>CAN-2002-0177</cvename>
<cvename>CAN-2001-1230</cvename>
<cvename>CAN-2001-1229</cvename>
<cvename>CAN-2001-1083</cvename>
<cvename>CAN-2001-0784</cvename>
<bid>4415</bid>
<bid>2933</bid>
</references>
<dates>
<discovery>2002-04-28</discovery>
<entry>2004-02-12</entry>
</dates>
</vuln>
<vuln vid="83119e27-5d7c-11d8-80e3-0020ed76ef5a">
<topic>nap allows arbitrary file access</topic>
<affects>
<package>
<name>nap</name>
<range><lt>1.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>According to the author:</p>
<blockquote>
<p>Fixed security loophole which allowed remote
clients to access arbitrary files on our
system.</p>
</blockquote>
</body>
</description>
<references>
<url>http://quasar.mathstat.uottawa.ca/~selinger/nap/NEWS</url>
</references>
<dates>
<discovery>2001-04-12</discovery>
<entry>2004-02-12</entry>
</dates>
</vuln>
<vuln vid="a736deab-5d7d-11d8-80e3-0020ed76ef5a">
<topic>CCE contains exploitable buffer overflows</topic>
<affects>
<package>
<name>zh-cce</name>
<range><lt>0.40</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Chinese Console Environment contains exploitable buffer
overflows.</p>
</body>
</description>
<references>
<url>http://programmer.lib.sjtu.edu.cn/cce/cce.html</url>
</references>
<dates>
<discovery>2000-06-22</discovery>
<entry>2004-02-12</entry>
</dates>
</vuln>
<vuln vid="49ad1bf8-5d7e-11d8-80e3-0020ed76ef5a">
<topic>ChiTeX/ChiLaTeX unsafe set-user-id root</topic>
<affects>
<package>
<name>zh-chitex</name>
<range><gt>0</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Niels Heinen reports that ChiTeX installs set-user-id root
executables that invoked system(3) without setting up the
environment, trivially allowing local root compromise.</p>
</body>
</description>
<references>
<url>http://cvsweb.freebsd.org/ports/chinese/chitex/Attic/Makefile?rev=1.5&amp;content-type=text/x-cvsweb-markup</url>
</references>
<dates>
<discovery>2003-04-25</discovery>
<entry>2004-02-12</entry>
</dates>
</vuln>
<vuln vid="5789a92e-5d7f-11d8-80e3-0020ed76ef5a">
<topic>pine remotely exploitable buffer overflow in newmail.c</topic>
<affects>
<package>
<name>zh-pine</name>
<name>iw-pine</name>
<name>pine</name>
<name>pine4-ssl</name>
<range><le>4.21</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kris Kennaway reports a remotely exploitable buffer overflow
in newmail.c. Mike Silbersack submitted the fix.</p>
</body>
</description>
<references>
<url>http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/pine4/Makefile?rev=1.43&amp;content-type=text/x-cvsweb-markup</url>
</references>
<dates>
<discovery>2000-09-29</discovery>
<entry>2004-02-12</entry>
</dates>
</vuln>
<vuln vid="34134fd4-5d81-11d8-80e3-0020ed76ef5a">
<topic>pine insecure URL handling</topic>
<affects>
<package>
<name>pine</name>
<name>zh-pine</name>
<name>iw-pine</name>
<range><lt>4.44</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An attacker may send an email message containing a specially
constructed URL that will execute arbitrary commands when
viewed.</p>
</body>
</description>
<references>
<freebsdsa>SA-02:05.pine</freebsdsa>
</references>
<dates>
<discovery>2002-01-04</discovery>
<entry>2004-02-12</entry>
</dates>
</vuln>
<vuln vid="5abfee2d-5d82-11d8-80e3-0020ed76ef5a">
<topic>pine remote denial-of-service attack</topic>
<affects>
<package>
<name>pine</name>
<name>zh-pine</name>
<name>iw-pine</name>
<range><lt>4.50</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An attacker may send a specially-formatted email message
that will cause pine to crash.</p>
</body>
</description>
<references>
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=103668430620531&amp;w=2</mlist>
<cvename>CAN-2002-1320</cvename>
</references>
<dates>
<discovery>2002-10-23</discovery>
<entry>2004-02-12</entry>
</dates>
</vuln>
<vuln vid="39bd57e6-5d83-11d8-80e3-0020ed76ef5a">
<topic>pine remotely exploitable vulnerabilities</topic>
<affects>
<package>
<name>pine</name>
<name>zh-pine</name>
<name>iw-pine</name>
<range><lt>4.58</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pine versions prior to 4.58 are affected by two
vulnerabilities discovered by iDEFENSE, a buffer overflow
in mailview.c and an integer overflow in strings.c. Both
vulnerabilities can result in arbitrary code execution
when processing a malicious message.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0720</cvename>
<cvename>CAN-2003-0721</cvename>
<url>http://www.idefense.com/application/poi/display?id=5</url>
</references>
<dates>
<discovery>2003-09-10</discovery>
<entry>2004-02-12</entry>
</dates>
</vuln>
<vuln vid="5729b8ed-5d75-11d8-80e3-0020ed76ef5a">
<topic>rsync buffer overflow in server mode</topic>
<affects>
<package>
<name>rsync</name>
<range><lt>2.5.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When rsync is run in server mode, a buffer overflow could
allow a remote attacker to execute arbitrary code with the
privileges of the rsync server. Anonymous rsync servers are
at the highest risk.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0962</cvename>
<mlist>http://lists.samba.org/archive/rsync-announce/2003/000011.html</mlist>
<url>http://rsync.samba.org/#security</url>
</references>
<dates>
<discovery>2003-12-04</discovery>
<entry>2004-02-12</entry>
</dates>
</vuln>
<vuln vid="3388eff9-5d6e-11d8-80e3-0020ed76ef5a">
<topic>Samba 3.0.x password initialization bug</topic>
<affects>
<package>
<name>samba</name>
<range><ge>3.0,1</ge><lt>3.0.1_2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>From the Samba 3.0.2 release notes:</p>
<blockquote cite="http://www.samba.org/samba/whatsnew/samba-3.0.2.html">
<p>Security Announcement: It has been confirmed that
previous versions of Samba 3.0 are susceptible to a password
initialization bug that could grant an attacker unauthorized
access to a user account created by the mksmbpasswd.sh shell
script.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.samba.org/samba/whatsnew/samba-3.0.2.html</url>
<cvename>CAN-2004-0082</cvename>
</references>
<dates>
<discovery>2004-02-09</discovery>
<entry>2004-02-12</entry>
</dates>
</vuln>
<vuln vid="67c05283-5d62-11d8-80e3-0020ed76ef5a">
<topic>Buffer overflow in Mutt 1.4</topic>
<affects>
<package>
<name>mutt</name>
<name>ja-mutt</name>
<range><ge>1.4</ge><lt>1.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mutt 1.4 contains a buffer overflow that could be exploited
with a specially formed message, causing Mutt to crash or
possibly execute arbitrary code.</p>
</body>
</description>
<references>
<cvename>CAN-2004-0078</cvename>
<url>http://www.mutt.org/news.html</url>
</references>
<dates>
<discovery>2004-02-11</discovery>
<entry>2004-02-12</entry>
</dates>
</vuln>
<vuln vid="7557a2b1-5d63-11d8-80e3-0020ed76ef5a">
<topic>Apache-SSL optional client certificate vulnerability</topic>
<affects>
<package>
<name>apache+ssl</name>
<range><lt>1.3.29.1.53</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>From the Apache-SSL security advisory:</p>
<blockquote>
<p>If configured with SSLVerifyClient set to 1 or 3 (client
certificates optional) and SSLFakeBasicAuth, Apache-SSL
1.3.28+1.52 and all earlier versions would permit a
client to use real basic authentication to forge a client
certificate.</p>
<p>All the attacker needed is the "one-line DN" of a valid
user, as used by faked basic auth in Apache-SSL, and the
fixed password ("password" by default).</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.apache-ssl.org/advisory-20040206.txt</url>
</references>
<dates>
<discovery>2004-02-06</discovery>
<entry>2004-02-10</entry>
</dates>
</vuln>
<vuln vid="96ba2dae-4ab0-11d8-96f2-0020ed76ef5a">
<topic>L2TP, ISAKMP, and RADIUS parsing vulnerabilities in tcpdump</topic>
<affects>
<package>
<name>tcpdump</name>
<range><lt>3.8.1_351</lt></range>
</package>
<system>
<name>FreeBSD</name>
<range><lt>5.2.1</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jonathan Heusser discovered vulnerabilities in tcpdump's
L2TP, ISAKMP, and RADIUS protocol handlers. These
vulnerabilities may be used by an attacker to crash a running
`tcpdump' process.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0989</cvename>
<cvename>CAN-2003-1029</cvename>
<cvename>CAN-2004-0057</cvename>
<mlist>http://www.tcpdump.org/lists/workers/2003/12/msg00083.html</mlist>
<mlist>http://marc.theaimsgroup.com/?l=tcpdump-workers&amp;m=107325073018070&amp;w=2</mlist>
</references>
<dates>
<discovery>2003-12-24</discovery>
<entry>2004-01-19</entry>
</dates>
</vuln>
<vuln vid="fd376b8b-41e1-11d8-b096-0020ed76ef5a">
<topic>Buffer overflow in INN control message handling</topic>
<affects>
<package>
<name>inn</name>
<range><ge>2.4.*</ge><lt>2.4.1</lt></range>
</package>
<package>
<name>inn-stable</name>
<range><lt>20031022_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A small, fixed-size stack buffer is used to construct a
filename based on a received control message. This could
result in a stack buffer overflow.</p>
</body>
</description>
<references>
<mlist msgid="87d69v7222.fsf@windlord.stanford.edu">http://marc.theaimsgroup.com/?l=inn-workers&amp;m=107351974008605</mlist>
</references>
<dates>
<discovery>2004-01-07</discovery>
<entry>2004-01-08</entry>
<modified>2004-10-21</modified>
</dates>
</vuln>
<vuln vid="cf0fb426-3f96-11d8-b096-0020ed76ef5a">
<topic>ProFTPD ASCII translation bug resulting in remote root compromise</topic>
<affects>
<package>
<name>proftpd</name>
<range><lt>1.2.8_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A buffer overflow exists in the ProFTPD code that handles
translation of newline characters during ASCII-mode file
uploads. An attacker may exploit this buffer overflow by
uploading a specially crafted file, resulting in code
execution and ultimately a remote root compromise.</p>
</body>
</description>
<references>
<url>http://xforce.iss.net/xforce/alerts/id/154</url>
<cvename>CAN-2003-0831</cvename>
</references>
<dates>
<discovery>2003-09-23</discovery>
<entry>2004-01-05</entry>
</dates>
</vuln>
<vuln vid="81313647-2d03-11d8-9355-0020ed76ef5a">
<topic>ElGamal sign+encrypt keys created by GnuPG can be compromised</topic>
<affects>
<package>
<name>gnupg</name>
<range><ge>1.0.2</ge><lt>1.2.3_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Any ElGamal sign+encrypt keys created by GnuPG contain a
cryptographic weakness that may allow someone to obtain
the private key. <strong>These keys should be considered
unusable and should be revoked.</strong></p>
<p>The following summary was written by Werner Koch, GnuPG
author:</p>
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html">
<p>Phong Nguyen identified a severe bug in the way GnuPG
creates and uses ElGamal keys for signing. This is
a significant security failure which can lead to a
compromise of almost all ElGamal keys used for signing.
Note that this is a real world vulnerability which will
reveal your private key within a few seconds.</p>
<p>...</p>
<p>Please <em>take immediate action and revoke your ElGamal
signing keys</em>. Furthermore you should take whatever
measures necessary to limit the damage done for signed or
encrypted documents using that key.</p>
<p>Note that the standard keys as generated by GnuPG (DSA
and ElGamal encryption) as well as RSA keys are NOT
vulnerable. Note also that ElGamal signing keys cannot
be generated without the use of a special flag to enable
hidden options and even then overriding a warning message
about this key type. See below for details on how to
identify vulnerable keys.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CAN-2003-0971</cvename>
<mlist>http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html</mlist>
</references>
<dates>
<discovery>2003-11-27</discovery>
<entry>2003-12-12</entry>
</dates>
</vuln>
<vuln vid="96fdbf5b-2cfd-11d8-9355-0020ed76ef5a">
<topic>Mathopd buffer overflow</topic>
<affects>
<package>
<name>mathopd</name>
<range><lt>1.4p2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mathopd contains a buffer overflow in the prepare_reply()
function that may be remotely exploitable.</p>
</body>
</description>
<references>
<url>http://www.mail-archive.com/mathopd%40mathopd.org/msg00136.html</url>
</references>
<dates>
<discovery>2003-12-04</discovery>
<entry>2003-12-12</entry>
</dates>
</vuln>
<vuln vid="d7af61c8-2cc0-11d8-9355-0020ed76ef5a">
<topic>lftp HTML parsing vulnerability</topic>
<affects>
<package>
<name>lftp</name>
<range><le>2.6.10</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A buffer overflow exists in lftp which may be triggered when
requesting a directory listing from a malicious server over
HTTP.</p>
</body>
</description>
<references>
<cvename>CAN-2003-0963</cvename>
<url>http://lftp.yar.ru/news.html#2.6.10</url>
</references>
<dates>
<discovery>2003-12-11</discovery>
<entry>2003-12-12</entry>
</dates>
</vuln>
<vuln vid="ebdf65c7-2ca6-11d8-9355-0020ed76ef5a">
<topic>qpopper format string vulnerability</topic>
<affects>
<package>
<name>qpopper</name>
<range><lt>2.53_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An authenticated user may trigger a format string
vulnerability present in qpopper's UIDL code, resulting
in arbitrary code execution with group ID `mail'
privileges.</p>
</body>
</description>
<references>
<bid>1241</bid>
<cvename>CVE-2000-0442</cvename>
<url>http://www.netsys.com/suse-linux-security/2000-May/att-0137/01-b0f5-Qpopper.txt</url>
</references>
<dates>
<discovery>2000-05-23</discovery>
<entry>2003-12-12</entry>
</dates>
</vuln>
<vuln vid="af0296be-2455-11d8-82e5-0020ed76ef5a">
<topic>Fetchmail address parsing vulnerability</topic>
<affects>
<package>
<name>fetchmail</name>
<range><le>6.2.0</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Fetchmail can be crashed by a malicious email message.</p>
</body>
</description>
<references>
<url>http://security.e-matters.de/advisories/052002.html</url>
</references>
<dates>
<discovery>2003-10-25</discovery>
<entry>2003-10-25</entry>
</dates>
</vuln>
<vuln vid="2bcd2d24-24ca-11d8-82e5-0020ed76ef5a">
<topic>Buffer overflow in pam_smb password handling</topic>
<affects>
<package>
<name>pam_smb</name>
<range><lt>1.9.9_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Applications utilizing pam_smb can be compromised by
any user who can enter a password. In many cases,
this is a remote root compromise.</p>
</body>
</description>
<references>
<url>http://www.skynet.ie/~airlied/pam_smb/</url>
<cvename>CAN-2003-0686</cvename>
</references>
<dates>
<discovery>2003-10-25</discovery>
<entry>2003-10-25</entry>
<modified>2003-10-25</modified>
</dates>
</vuln>
<vuln vid="c4b7badf-24ca-11d8-82e5-0020ed76ef5a">
<topic>Buffer overflows in libmcrypt</topic>
<affects>
<package>
<name>libmcrypt</name>
<range><lt>2.5.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libmcrypt does incomplete input validation, leading to
several buffer overflows. Additionally,
a memory leak is present. Both of these problems may be
exploited in a denial-of-service attack.</p>
</body>
</description>
<references>
<mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=104162752401212&amp;w=2</mlist>
<cvename>CAN-2003-0031</cvename>
<cvename>CAN-2003-0032</cvename>
</references>
<dates>
<discovery>2003-10-25</discovery>
<entry>2003-10-25</entry>
<modified>2003-10-25</modified>
</dates>
</vuln>
<vuln vid="6fd9a1e9-efd3-11d8-9837-000c41e2cdad">
<cancelled/>
</vuln>
<vuln vid="3362f2c1-8344-11d8-a41f-0020ed76ef5a">
<cancelled/>
</vuln>
<vuln vid="e3cf89f0-53da-11d9-92b7-ceadd4ac2edd">
<topic>phpbb -- arbitrary command execution vulnerability</topic>
<affects>
<package>
<name>phpbb</name>
<range><lt>2.0.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A US-CERT Technical Cyber Security Alert reports:</p>
<blockquote
cite="http://www.us-cert.gov/cas/techalerts/TA04-356A.html">
<p>phpBB contains an user input validation problem with regard to
the parsing of the URL. An intruder can deface a phpBB website, execute
arbitrary commands, or gain administrative privileges on a compromised
bulletin board.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/74106</freebsdpr>
<uscertta>TA04-356A</uscertta>
<url>http://www.phpbb.com/phpBB/viewtopic.php?f=14&amp;t=240636</url>
<url>http://www.kb.cert.org/vuls/id/497400</url>
<url>http://www.us-cert.gov/cas/techalerts/TA04-356A.html</url>
</references>
<dates>
<discovery>2004-11-18</discovery>
<entry>2004-12-22</entry>
<modified>2004-12-30</modified>
</dates>
</vuln>
</vuxml>
Reference in a new issue View git blame Copy permalink