author | nectar <nectar@FreeBSD.org> | 2004-09-20 07:32:05 +0800 |
---|---|---|
committer | nectar <nectar@FreeBSD.org> | 2004-09-20 07:32:05 +0800 |
commit | 68cee494942a02760b370a065f1dd1f989416f1a (patch) | |
tree | 3c3b126f6c8d3cfb2675e0c51fb8dd28401b8be5 /security | |
parent | 92662b280cb88f3e1aa776a1cdb985f2a63a5e8e (diff) | |
Oh yeah, add affected FreeBSD versions for CVS issues.
Approved by: portmgr
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 3070 |
1 files changed, 1534 insertions, 1536 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index b0dba59d8fa1..5bc3c3e56b0d 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -57,6 +57,82 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> + <vuln vid="d2102505-f03d-11d8-81b0-000347a4fa7d"> + <topic>cvs --- numerous vulnerabilities</topic> + <affects> + <package> + <name>cvs+ipv6</name> + <range><lt>1.11.17</lt></range> + </package> + <system> + <name>FreeBSD</name> + <range><ge>5.2</ge><lt>5.2.1_10</lt></range> + <range><ge>4.10</ge><lt>4.10_3</lt></range> + <range><ge>4.9</ge><lt>4.9_12</lt></range> + <range><ge>4.8</ge><lt>4.8_25</lt></range> + </system> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>A number of vulnerabilities were discovered in CVS by + Stefan Esser, Sebastian Krahmer, and Derek Price.</p> + <ul> + <li>Insufficient input validation while processing "Entry" + lines. (CAN-2004-0414)</li> + <li>A double-free resulting from erroneous state handling while + processing "Argumentx" commands. (CAN-2004-0416)</li> + <li>Integer overflow while processing "Max-dotdot" commands. + (CAN-2004-0417)</li> + <li>Erroneous handling of empty entries handled while processing + "Notify" commands. (CAN-2004-0418)</li> + <li>A format string bug while processing CVS wrappers.</li> + <li>Single-byte buffer underflows while processing configuration files + from CVSROOT.</li> + <li>Various other integer overflows.</li> + </ul> + <p>Additionally, iDEFENSE reports an undocumented command-line + flag used in debugging does not perform input validation on + the given path names.</p> + <p>CVS servers ("cvs server" or :pserver: modes) are + affected by these vulnerabilities. They vary in impact + but include information disclosure (the iDEFENSE-reported + bug), denial-of-service (CAN-2004-0414, CAN-2004-0416, + CAN-2004-0417 and other bugs), or possibly arbitrary code + execution (CAN-2004-0418). 
In very special situations where + the attacker may somehow influence the contents of CVS + configuration files in CVSROOT, additional attacks may be + possible.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0414</cvename> + <cvename>CAN-2004-0416</cvename> + <cvename>CAN-2004-0417</cvename> + <cvename>CAN-2004-0418</cvename> + <cvename>CAN-2004-0778</cvename> + <url>http://secunia.com/advisories/11817</url> + <url>http://secunia.com/advisories/12309</url> + <url>http://security.e-matters.de/advisories/092004.html</url> + <url>http://www.idefense.com/application/poi/display?id=130&type=vulnerabilities&flashstatus=false</url> + <url>https://ccvs.cvshome.org/source/browse/ccvs/NEWS?rev=1.116.2.104</url> + <url>http://www.osvdb.org/6830</url> + <url>http://www.osvdb.org/6831</url> + <url>http://www.osvdb.org/6832</url> + <url>http://www.osvdb.org/6833</url> + <url>http://www.osvdb.org/6834</url> + <url>http://www.osvdb.org/6835</url> + <url>http://www.osvdb.org/6836</url> + <url>http://www.packetstormsecurity.org/0405-exploits/cvs_linux_freebsd_HEAP.c</url> + <bid>10499</bid> + <freebsdsa>SA-04:14.cvs</freebsdsa> + </references> + <dates> + <discovery>2004-05-20</discovery> + <entry>2004-08-17</entry> + <modified>2004-09-19</modified> + </dates> + </vuln> + <vuln vid="3d1e9267-073f-11d9-b45d-000c41e2cdad"> <topic>gdk-pixbuf --- image decoding vulnerabilities</topic> <affects> 
@@ -95,58 +171,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="05dcf751-0733-11d9-b45d-000c41e2cdad"> - <topic>cups --- print queue browser denial-of-service</topic> - <affects> - <package> - <name>cups-base</name> - <range><lt>1.1.21</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>If the CUPS server (cupsd) receives a zero-length UDP - message, it will disable its print queue browser service.</p> - </body> - </description> - <references> - <cvename>CAN-2004-0558</cvename> - <url>http://www.cups.org/str.php?L863</url> - </references> - <dates> - <discovery>2004-08-23</discovery> - <entry>2004-09-15</entry> - </dates> - </vuln> - - <vuln vid="762d1c6d-0722-11d9-b45d-000c41e2cdad"> - <topic>apache --- apr_uri_parse IPv6 address handling vulnerability</topic> - <affects> - <package> - <name>apache</name> - <range><ge>2.0</ge><lt>2.0.50_3</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The Apache Software Foundation Security Team discovered a - programming error in the apr-util library function apr_uri_parse. - When parsing IPv6 literal addresses, it is possible that a - length is incorrectly calculated to be negative, and this - value is passed to memcpy. This may result in an exploitable - vulnerability on some platforms, including FreeBSD.</p> - </body> - </description> - <references> - <cvename>CAN-2004-0786</cvename> - <url>http://httpd.apache.org</url> - </references> - <dates> - <discovery>2004-09-15</discovery> - <entry>2004-09-15</entry> - </dates> - </vuln> - <vuln vid="ef253f8b-0727-11d9-b45d-000c41e2cdad"> <topic>xpm --- image decoding vulnerabilities</topic> <affects> 
@@ -181,8 +205,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ParseAndPutPixels</li> </ul> <p>The X11R6.8.1 release announcement reads:</p> - <blockquote - cite="http://freedesktop.org/pipermail/xorg/2004-September/003172.html"> + <blockquote cite="http://freedesktop.org/pipermail/xorg/2004-September/003172.html"> <p>This version is purely a security release, addressing multiple integer and stack overflows in libXpm, the X Pixmap library; all known versions of X (both XFree86 
@@ -204,6 +227,58 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> + <vuln vid="05dcf751-0733-11d9-b45d-000c41e2cdad"> + <topic>cups --- print queue browser denial-of-service</topic> + <affects> + <package> + <name>cups-base</name> + <range><lt>1.1.21</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>If the CUPS server (cupsd) receives a zero-length UDP + message, it will disable its print queue browser service.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0558</cvename> + <url>http://www.cups.org/str.php?L863</url> + </references> + <dates> + <discovery>2004-08-23</discovery> + <entry>2004-09-15</entry> + </dates> + </vuln> + + <vuln vid="762d1c6d-0722-11d9-b45d-000c41e2cdad"> + <topic>apache --- apr_uri_parse IPv6 address handling vulnerability</topic> + <affects> + <package> + <name>apache</name> + <range><ge>2.0</ge><lt>2.0.50_3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Apache Software Foundation Security Team discovered a + programming error in the apr-util library function apr_uri_parse. + When parsing IPv6 literal addresses, it is possible that a + length is incorrectly calculated to be negative, and this + value is passed to memcpy. This may result in an exploitable + vulnerability on some platforms, including FreeBSD.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0786</cvename> + <url>http://httpd.apache.org</url> + </references> + <dates> + <discovery>2004-09-15</discovery> + <entry>2004-09-15</entry> + </dates> + </vuln> + <vuln vid="013fa252-0724-11d9-b45d-000c41e2cdad"> <topic>mod_dav --- lock related denial-of-service</topic> <affects> 
@@ -247,8 +322,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. environmental variable settings in the httpd configuration files (the main `httpd.conf' and `.htaccess' files). According to a SITIC advisory:</p> - <blockquote - cite="http://lists.netsys.com/pipermail/full-disclosure/2004-September/026463.html"> + <blockquote cite="http://lists.netsys.com/pipermail/full-disclosure/2004-September/026463.html"> <p>The buffer overflow occurs when expanding ${ENVVAR} constructs in .htaccess or httpd.conf files. The function ap_resolve_env() in server/util.c copies data from @@ -267,6 +341,39 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> + <vuln vid="ae7b7f65-05c7-11d9-b45d-000c41e2cdad"> + <topic>webmin --- insecure temporary file creation at installation time</topic> + <affects> + <package> + <name>webmin</name> + <range><lt>1.150_5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Webmin developers documented a security issue in the + release notes for version 1.160:</p> + <blockquote cite="http://www.webmin.com/changes-1.160.html"> + <p>Fixed a security hole in the maketemp.pl script, used + to create the /tmp/.webmin directory at install time. If + an un-trusted user creates this directory before Webmin + is installed, he could create in it a symbolic link + pointing to a critical file on the system, which would be + overwritten when Webmin writes to the link filename.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CAN-2004-0559</cvename> + <url>http://www.webmin.com/changes-1.160.html</url> + </references> + <dates> + <discovery>2004-09-05</discovery> + <entry>2004-09-14</entry> + <modified>2004-09-15</modified> + </dates> + </vuln> + <vuln vid="a711de5c-05fa-11d9-a9b2-00061bc2ad93"> <topic>samba3 DoS attack</topic> <affects> 
@@ -359,8 +466,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <p>zen-parse discovered and iDEFENSE reported an exploitable integer overflow in a scriptable Mozilla component `SOAPParameter':</p> - <blockquote - cite="http://www.idefense.com/application/poi/display?id=117&type=vulnerabilities"> + <blockquote cite="http://www.idefense.com/application/poi/display?id=117&type=vulnerabilities"> <p>Improper input validation to the SOAPParameter object constructor in Netscape and Mozilla allows execution of arbitrary code. The SOAPParameter object's constructor 
@@ -437,63 +543,197 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="ae7b7f65-05c7-11d9-b45d-000c41e2cdad"> - <topic>webmin --- insecure temporary file creation at installation - time</topic> + <vuln vid="15e0e963-02ed-11d9-a209-00061bc2ad93"> + <topic>mpg123 buffer overflow</topic> <affects> <package> - <name>webmin</name> - <range><lt>1.150_5</lt></range> + <name>mpg123</name> + <range><le>0.59r</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The Webmin developers documented a security issue in the - release notes for version 1.160:</p> - <blockquote cite="http://www.webmin.com/changes-1.160.html"> - <p>Fixed a security hole in the maketemp.pl script, used - to create the /tmp/.webmin directory at install time. If - an un-trusted user creates this directory before Webmin - is installed, he could create in it a symbolic link - pointing to a critical file on the system, which would be - overwritten when Webmin writes to the link filename.</p> - </blockquote> + <p>The mpg123 software version 0.59r contains a + buffer overflow vulnerability which may permit + the execution of arbitrary code as the owner of + the mpg123 process.</p> </body> </description> <references> - <cvename>CAN-2004-0559</cvename> - <url>http://www.webmin.com/changes-1.160.html</url> + <cvename>CAN-2004-0805</cvename> + <url>http://www.alighieri.org/advisories/advisory-mpg123.txt</url> </references> <dates> - <discovery>2004-09-05</discovery> + <discovery>2003-08-16</discovery> <entry>2004-09-14</entry> - <modified>2004-09-15</modified> </dates> </vuln> - <vuln vid="15e0e963-02ed-11d9-a209-00061bc2ad93"> - <topic>mpg123 buffer overflow</topic> + <vuln vid="b6cad7f3-fb59-11d8-9837-000c41e2cdad"> + <topic>ImageMagick -- BMP decoder buffer overflow</topic> <affects> <package> - <name>mpg123</name> - <range><le>0.59r</le></range> + <name>ImageMagick</name> + <name>ImageMagick-nox11</name> + 
<range><lt>6.0.6.2</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The mpg123 software version 0.59r contains a - buffer overflow vulnerability which may permit - the execution of arbitrary code as the owner of - the mpg123 process.</p> + <p>Marcus Meissner discovered that ImageMagick's BMP decoder would + crash when loading the test BMP file created by Chris Evans + for testing the previous Qt vulnerability.</p> </body> </description> <references> - <cvename>CAN-2004-0805</cvename> - <url>http://www.alighieri.org/advisories/advisory-mpg123.txt</url> + <cvename>CAN-2004-0827</cvename> + <url>http://www.imagemagick.org/www/Changelog.html</url> </references> <dates> - <discovery>2003-08-16</discovery> - <entry>2004-09-14</entry> + <discovery>2004-08-25</discovery> + <entry>2004-08-31</entry> + <modified>2004-09-14</modified> + </dates> + </vuln> + + <vuln vid="641859e8-eca1-11d8-b913-000c41e2cdad"> + <topic>Mutiple browser frame injection vulnerability</topic> + <affects> + <package> + <name>kdelibs</name> + <range><lt>3.2.3_3</lt></range> + </package> + <package> + <name>kdebase</name> + <range><lt>3.2.3_1</lt></range> + </package> + <package> + <name>linux-opera</name> + <name>opera</name> + <range><ge>7.50</ge><lt>7.52</lt></range> + </package> + <package> + <name>firefox</name> + <range><lt>0.9</lt></range> + </package> + <package> + <name>linux-mozilla</name> + <name>linux-mozilla-devel</name> + <name>mozilla-gtk1</name> + <range><lt>1.7</lt></range> + </package> + <package> + <name>mozilla</name> + <range><lt>1.7,2</lt></range> + </package> + <package> + <name>netscape7</name> + <range><lt>7.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>A class of bugs affecting many web browsers in the same way + was discovered. 
A Secunia advisory reports:</p> + <blockquote cite="http://secunia.com/advisories/11978"> + <p>The problem is that the browsers don't check if a target + frame belongs to a website containing a malicious link, + which therefore doesn't prevent one browser window from + loading content in a named frame in another window.</p> + <p>Successful exploitation allows a malicious website to load + arbitrary content in an arbitrary frame in another browser + window owned by e.g. a trusted site.</p> + </blockquote> + <p>A KDE Security Advisory reports:</p> + <blockquote cite="http://www.kde.org/info/security/advisory-20040811-3.txt"> + <p>A malicious website could abuse Konqueror to insert + its own frames into the page of an otherwise trusted + website. As a result the user may unknowingly send + confidential information intended for the trusted website + to the malicious website.</p> + </blockquote> + <p>Secunia has provided a demonstration of the vulnerability at <a href="http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/">http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/</a>.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0717</cvename> + <cvename>CAN-2004-0718</cvename> + <cvename>CAN-2004-0721</cvename> + <url>http://secunia.com/advisories/11978/</url> + <url>http://bugzilla.mozilla.org/show_bug.cgi?id=246448</url> + <url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-htmlframes.patch</url> + <url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdebase-htmlframes.patch</url> + </references> + <dates> + <discovery>2004-08-11</discovery> + <entry>2004-08-12</entry> + <modified>2004-09-14</modified> + </dates> + </vuln> + + <vuln vid="b7cb488c-8349-11d8-a41f-0020ed76ef5a"> + <topic>isakmpd payload handling denial-of-service vulnerabilities</topic> + <affects> + <package> + <name>isakmpd</name> + <range><le>20030903</le></range> + </package> + </affects> + <description> + <body 
xmlns="http://www.w3.org/1999/xhtml"> + <p>Numerous errors in isakmpd's input packet validation lead to + denial-of-service vulnerabilities. From the Rapid7 advisory:</p> + <blockquote cite="http://www.rapid7.com/advisories/R7-0018.html"> + <p>The ISAKMP packet processing functions in OpenBSD's + isakmpd daemon contain multiple payload handling flaws + that allow a remote attacker to launch a denial of + service attack against the daemon.</p> + <p>Carefully crafted ISAKMP packets will cause the isakmpd + daemon to attempt out-of-bounds reads, exhaust available + memory, or loop endlessly (consuming 100% of the CPU).</p> + </blockquote> + </body> + </description> + <references> + <cvename>CAN-2004-0218</cvename> + <cvename>CAN-2004-0219</cvename> + <cvename>CAN-2004-0220</cvename> + <cvename>CAN-2004-0221</cvename> + <cvename>CAN-2004-0222</cvename> + <url>http://www.rapid7.com/advisories/R7-0018.html</url> + <url>http://www.openbsd.org/errata34.html</url> + </references> + <dates> + <discovery>2004-03-17</discovery> + <entry>2004-03-31</entry> + <modified>2004-09-14</modified> + </dates> + </vuln> + + <vuln vid="00644f03-fb58-11d8-9837-000c41e2cdad"> + <topic>imlib -- BMP decoder heap buffer overflow</topic> + <affects> + <package> + <name>imlib</name> + <range><lt>1.9.14_4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Marcus Meissner discovered that imlib's BMP decoder would + crash when loading the test BMP file created by Chris Evans + for testing the previous Qt vulnerability. It is believed + that this bug could be exploited for arbitrary code execution.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0817</cvename> + <url>http://bugzilla.gnome.org/show_bug.cgi?id=151034</url> + </references> + <dates> + <discovery>2004-08-25</discovery> + <entry>2004-08-31</entry> + <modified>2004-09-02</modified> </dates> </vuln> 
@@ -598,57 +838,160 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="b6cad7f3-fb59-11d8-9837-000c41e2cdad"> - <topic>ImageMagick -- BMP decoder buffer overflow</topic> + <vuln vid="0d3a5148-f512-11d8-9837-000c41e2cdad"> + <topic>SpamAssassin -- denial-of-service in tokenize_headers</topic> <affects> <package> - <name>ImageMagick</name> - <name>ImageMagick-nox11</name> - <range><lt>6.0.6.2</lt></range> + <name>p5-Mail-SpamAssassin</name> + <range><lt>2.64</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Marcus Meissner discovered that ImageMagick's BMP decoder would - crash when loading the test BMP file created by Chris Evans - for testing the previous Qt vulnerability.</p> + <p>According to the SpamAssassin 2.64 release announcement:</p> + <blockquote cite="http://marc.theaimsgroup.com/?l=spamassassin-announce&m=109168121628767"> + <p>Security fix prevents a denial of service attack open + to certain malformed messages; this DoS affects all + SpamAssassin 2.5x and 2.6x versions to date.</p> + </blockquote> + <p>The issue appears to be triggered by overly long message + headers.</p> </body> </description> <references> - <cvename>CAN-2004-0827</cvename> - <url>http://www.imagemagick.org/www/Changelog.html</url> + <cvename>CAN-2004-0796</cvename> + <bid>10957</bid> + <mlist>http://marc.theaimsgroup.com/?l=spamassassin-announce&m=109168121628767</mlist> + <url>http://search.cpan.org/src/JMASON/Mail-SpamAssassin-2.64/Changes</url> </references> <dates> - <discovery>2004-08-25</discovery> - <entry>2004-08-31</entry> - <modified>2004-09-14</modified> + <discovery>2004-08-04</discovery> + <entry>2004-08-23</entry> + <modified>2004-08-28</modified> </dates> </vuln> - <vuln vid="00644f03-fb58-11d8-9837-000c41e2cdad"> - <topic>imlib -- BMP decoder heap buffer overflow</topic> + <vuln vid="c4b025bb-f05d-11d8-9837-000c41e2cdad"> + <topic>tnftpd -- remotely exploitable vulnerability</topic> 
<affects> <package> - <name>imlib</name> - <range><lt>1.9.14_4</lt></range> + <name>tnftpd</name> + <range><lt>20040810</lt></range> + </package> + <package> + <name>lukemftpd</name> + <range><ge>0</ge></range> </package> + <system> + <name>FreeBSD</name> + <range><ge>4.7</ge></range> + </system> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Marcus Meissner discovered that imlib's BMP decoder would - crash when loading the test BMP file created by Chris Evans - for testing the previous Qt vulnerability. It is believed - that this bug could be exploited for arbitrary code execution.</p> + <p>lukemftpd(8) is an enhanced BSD FTP server produced + within the NetBSD project. The sources for lukemftpd are + shipped with some versions of FreeBSD, however it is not + built or installed by default. The build system option + WANT_LUKEMFTPD must be set to build and install lukemftpd. + [<strong>NOTE</strong>: An exception is FreeBSD 4.7-RELEASE, + wherein lukemftpd was installed, but not enabled, by + default.]</p> + <p>Przemyslaw Frasunek discovered several vulnerabilities + in lukemftpd arising from races in the out-of-band signal + handling code used to implement the ABOR command. As a + result of these races, the internal state of the FTP server + may be manipulated in unexpected ways.</p> + <p>A remote attacker may be able to cause FTP commands to + be executed with the privileges of the running lukemftpd + process. 
This may be a low-privilege `ftp' user if the `-r' + command line option is specified, or it may be superuser + privileges if `-r' is *not* specified.</p> </body> </description> <references> - <cvename>CAN-2004-0817</cvename> - <url>http://bugzilla.gnome.org/show_bug.cgi?id=151034</url> + <cvename>CAN-2004-0794</cvename> + <bid>10967</bid> + <url>http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpd.c#rev1.158</url> + <url>ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-009.txt.asc</url> + <mlist msgid="412239E7.1070807@freebsd.lublin.pl">http://lists.netsys.com/pipermail/full-disclosure/2004-August/025418.html</mlist> </references> <dates> - <discovery>2004-08-25</discovery> - <entry>2004-08-31</entry> - <modified>2004-09-02</modified> + <discovery>2004-08-17</discovery> + <entry>2004-08-17</entry> + <modified>2004-08-28</modified> + </dates> + </vuln> + + <vuln vid="e5e2883d-ceb9-11d8-8898-000d6111a684"> + <topic>MySQL authentication bypass / buffer overflow</topic> + <affects> + <package> + <name>mysql-server</name> + <range><ge>4.1</ge><lt>4.1.3</lt></range> + <range><ge>5</ge><le>5.0.0_2</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>By submitting a carefully crafted authentication packet, it is possible + for an attacker to bypass password authentication in MySQL 4.1. 
Using a + similar method, a stack buffer used in the authentication mechanism can + be overflowed.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0627</cvename> + <cvename>CAN-2004-0628</cvename> + <certvu>184030</certvu> + <certvu>645326</certvu> + <url>http://www.nextgenss.com/advisories/mysql-authbypass.txt</url> + <url>http://dev.mysql.com/doc/mysql/en/News-4.1.3.html</url> + <url>http://secunia.com/advisories/12020</url> + <url>http://www.osvdb.org/7475</url> + <url>http://www.osvdb.org/7476</url> + <mlist msgid="Pine.LNX.4.44.0407080940550.9602-200000@pineapple.shacknet.nu">http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0003.html</mlist> + </references> + <dates> + <discovery>2004-07-01</discovery> + <entry>2004-07-05</entry> + <modified>2004-08-28</modified> + </dates> + </vuln> + + <vuln vid="e811aaf1-f015-11d8-876f-00902714cc7c"> + <topic>Ruby insecure file permissions in the CGI session management</topic> + <affects> + <package> + <name>ruby</name> + <range><lt>1.6.8.2004.07.26</lt></range> + <range><ge>1.7.0</ge><lt>1.8.1.2004.07.23</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>According to a Debian Security Advisory:</p> + <blockquote cite="http://www.debian.org/security/2004/dsa-537"> + <p>Andres Salomon noticed a problem in the CGI session + management of Ruby, an object-oriented scripting language. + CGI::Session's FileStore (and presumably PStore [...]) + implementations store session information insecurely. + They simply create files, ignoring permission issues. 
+ This can lead an attacker who has also shell access to the + webserver to take over a session.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CAN-2004-0755</cvename> + <url>http://xforce.iss.net/xforce/xfdb/16996</url> + <url>http://www.debian.org/security/2004/dsa-537</url> + <mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=109267579822250&w=2</mlist> + </references> + <dates> + <discovery>2004-08-16</discovery> + <entry>2004-08-16</entry> + <modified>2004-08-28</modified> </dates> </vuln> 
@@ -949,36 +1292,62 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="0d3a5148-f512-11d8-9837-000c41e2cdad"> - <topic>SpamAssassin -- denial-of-service in tokenize_headers</topic> + <vuln vid="3243e839-f489-11d8-9837-000c41e2cdad"> + <topic>fidogate -- write files as `news' user</topic> <affects> <package> - <name>p5-Mail-SpamAssassin</name> - <range><lt>2.64</lt></range> + <name>fidogate</name> + <range><lt>4.4.9_3</lt></range> + </package> + <package> + <name>fidogate-ds</name> + <range><lt>5.1.1_1</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>According to the SpamAssassin 2.64 release announcement:</p> - <blockquote cite="http://marc.theaimsgroup.com/?l=spamassassin-announce&m=109168121628767"> - <p>Security fix prevents a denial of service attack open - to certain malformed messages; this DoS affects all - SpamAssassin 2.5x and 2.6x versions to date.</p> - </blockquote> - <p>The issue appears to be triggered by overly long message - headers.</p> + <p>Neils Heinen reports that the setuid `news' binaries + installed as part of fidogate may be used to create files or + append to file with the privileges of the `news' user by + setting the LOGFILE environmental variable.</p> </body> </description> <references> - <cvename>CAN-2004-0796</cvename> - <bid>10957</bid> - <mlist>http://marc.theaimsgroup.com/?l=spamassassin-announce&m=109168121628767</mlist> - <url>http://search.cpan.org/src/JMASON/Mail-SpamAssassin-2.64/Changes</url> + <url>http://cvs.sourceforge.net/viewcvs.py/fidogate/fidogate/ChangeLog?rev=4.320&view=markup</url> </references> <dates> - <discovery>2004-08-04</discovery> - <entry>2004-08-23</entry> - <modified>2004-08-28</modified> + <discovery>2004-08-21</discovery> + <entry>2004-08-22</entry> + <modified>2004-08-23</modified> + </dates> + </vuln> + + <vuln vid="65a17a3f-ed6e-11d8-aff1-00061bc2ad93"> + <topic>Arbitrary code execution via a format string vulnerability 
in jftpgw</topic> + <affects> + <package> + <name>jftpgw</name> + <range><lt>0.13.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The log functions in jftpgw may allow + remotely authenticated user to execute + arbitrary code via the format string + specifiers in certain syslog messages.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0448</cvename> + <url>http://www.debian.org/security/2004/dsa-510</url> + <bid>10438</bid> + <url>http://xforce.iss.net/xforce/xfdb/16271</url> + </references> + <dates> + <discovery>2004-05-30</discovery> + <entry>2004-08-13</entry> + <modified>2004-08-23</modified> </dates> </vuln> @@ -1041,36 +1410,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="3243e839-f489-11d8-9837-000c41e2cdad"> - <topic>fidogate -- write files as `news' user</topic> - <affects> - <package> - <name>fidogate</name> - <range><lt>4.4.9_3</lt></range> - </package> - <package> - <name>fidogate-ds</name> - <range><lt>5.1.1_1</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Neils Heinen reports that the setuid `news' binaries - installed as part of fidogate may be used to create files or - append to file with the privileges of the `news' user by - setting the LOGFILE environmental variable.</p> - </body> - </description> - <references> - <url>http://cvs.sourceforge.net/viewcvs.py/fidogate/fidogate/ChangeLog?rev=4.320&view=markup</url> - </references> - <dates> - <discovery>2004-08-21</discovery> - <entry>2004-08-22</entry> - <modified>2004-08-23</modified> - </dates> - </vuln> - <vuln vid="0c4d5973-f2ab-11d8-9837-000c41e2cdad"> <topic>mysql -- mysqlhotcopy insecure temporary file creation</topic> <affects> 
@@ -1104,164 +1443,201 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="c4b025bb-f05d-11d8-9837-000c41e2cdad"> - <topic>tnftpd -- remotely exploitable vulnerability</topic> + <vuln vid="2de14f7a-dad9-11d8-b59a-00061bc2ad93"> + <topic>Multiple Potential Buffer Overruns in Samba</topic> <affects> <package> - <name>tnftpd</name> - <range><lt>20040810</lt></range> + <name>samba</name> + <range><ge>3</ge><lt>3.0.5,1</lt></range> + <range><lt>2.2.10</lt></range> </package> <package> - <name>lukemftpd</name> - <range><ge>0</ge></range> + <name>ja-samba</name> + <range><lt>2.2.10.j1.0</lt></range> </package> - <system> - <name>FreeBSD</name> - <range><ge>4.7</ge></range> - </system> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>lukemftpd(8) is an enhanced BSD FTP server produced - within the NetBSD project. The sources for lukemftpd are - shipped with some versions of FreeBSD, however it is not - built or installed by default. The build system option - WANT_LUKEMFTPD must be set to build and install lukemftpd. - [<strong>NOTE</strong>: An exception is FreeBSD 4.7-RELEASE, - wherein lukemftpd was installed, but not enabled, by - default.]</p> - <p>Przemyslaw Frasunek discovered several vulnerabilities - in lukemftpd arising from races in the out-of-band signal - handling code used to implement the ABOR command. As a - result of these races, the internal state of the FTP server - may be manipulated in unexpected ways.</p> - <p>A remote attacker may be able to cause FTP commands to - be executed with the privileges of the running lukemftpd - process. This may be a low-privilege `ftp' user if the `-r' - command line option is specified, or it may be superuser - privileges if `-r' is *not* specified.</p> + <p>Evgeny Demidov discovered that the Samba server has a + buffer overflow in the Samba Web Administration Tool (SWAT) + on decoding Base64 data during HTTP Basic Authentication. 
+ Versions 3.0.2 through 3.0.4 are affected.</p> + <p>Another buffer overflow bug has been found in the code + used to support the "mangling method = hash" smb.conf + option. The default setting for this parameter is "mangling + method = hash2" and therefore not vulnerable. Versions + between 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected. + </p> </body> </description> <references> - <cvename>CAN-2004-0794</cvename> - <bid>10967</bid> - <url>http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpd.c#rev1.158</url> - <url>ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-009.txt.asc</url> - <mlist msgid="412239E7.1070807@freebsd.lublin.pl">http://lists.netsys.com/pipermail/full-disclosure/2004-August/025418.html</mlist> + <cvename>CAN-2004-0600</cvename> + <cvename>CAN-2004-0686</cvename> + <mlist msgid="web-53121174@cgp.agava.net">http://www.securityfocus.com/archive/1/369698</mlist> + <mlist msgid="200407222031.25086.bugtraq@beyondsecurity.com">http://www.securityfocus.com/archive/1/369706</mlist> + <url>http://www.samba.org/samba/whatsnew/samba-3.0.5.html</url> + <url>http://www.samba.org/samba/whatsnew/samba-2.2.10.html</url> + <url>http://www.osvdb.org/8190</url> + <url>http://www.osvdb.org/8191</url> + <url>http://secunia.com/advisories/12130</url> </references> <dates> - <discovery>2004-08-17</discovery> - <entry>2004-08-17</entry> - <modified>2004-08-28</modified> + <discovery>2004-07-14</discovery> + <entry>2004-07-21</entry> + <modified>2004-08-15</modified> </dates> </vuln> - <vuln vid="6fd9a1e9-efd3-11d8-9837-000c41e2cdad"> - <cancelled/> - </vuln> - - <vuln vid="65a17a3f-ed6e-11d8-aff1-00061bc2ad93"> - <topic>Arbitrary code execution via a format string vulnerability in jftpgw</topic> + <vuln vid="730db824-e216-11d8-9b0a-000347a4fa7d"> + <topic>Mozilla / Firefox user interface spoofing vulnerability</topic> <affects> <package> - <name>jftpgw</name> - <range><lt>0.13.5</lt></range> + <name>firefox</name> + 
<range><le>0.9.1_1</le></range> + </package> + <package> + <name>linux-mozilla</name> + <range><le>1.7.1</le></range> + </package> + <package> + <name>linux-mozilla-devel</name> + <range><le>1.7.1</le></range> + </package> + <package> + <name>mozilla</name> + <range><le>1.7.1,2</le></range> + <range><ge>1.8.a,2</ge><le>1.8.a2,2</le></range> + </package> + <package> + <name>mozilla-gtk1</name> + <range><le>1.7.1_1</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The log functions in jftpgw may allow - remotely authenticated user to execute - arbitrary code via the format string - specifiers in certain syslog messages.</p> + <p>The Mozilla project's family of browsers contain a design + flaw that can allow a website to spoof almost perfectly any + part of the Mozilla user interface, including spoofing web + sites for phishing or internal elements such as the "Master + Password" dialog box. This achieved by manipulating "chrome" + through remote XUL content. 
Recent versions of Mozilla have + been fixed to not allow untrusted documents to utilize + "chrome" in this way.</p> </body> </description> <references> - <cvename>CAN-2004-0448</cvename> - <url>http://www.debian.org/security/2004/dsa-510</url> - <bid>10438</bid> - <url>http://xforce.iss.net/xforce/xfdb/16271</url> + <cvename>CAN-2004-0764</cvename> + <url>http://bugzilla.mozilla.org/show_bug.cgi?id=22183</url> + <url>http://bugzilla.mozilla.org/show_bug.cgi?id=244965</url> + <url>http://bugzilla.mozilla.org/show_bug.cgi?id=252198</url> + <url>http://www.nd.edu/~jsmith30/xul/test/spoof.html</url> + <url>http://secunia.com/advisories/12188</url> + <bid>10832</bid> </references> <dates> - <discovery>2004-05-30</discovery> - <entry>2004-08-13</entry> - <modified>2004-08-23</modified> + <discovery>2004-07-19</discovery> + <entry>2004-07-30</entry> + <modified>2004-08-15</modified> </dates> </vuln> - <vuln vid="641859e8-eca1-11d8-b913-000c41e2cdad"> - <topic>Mutiple browser frame injection vulnerability</topic> + <vuln vid="f9e3e60b-e650-11d8-9b0a-000347a4fa7d"> + <topic>libpng stack-based buffer overflow and other code concerns</topic> <affects> <package> - <name>kdelibs</name> - <range><lt>3.2.3_3</lt></range> + <name>png</name> + <range><le>1.2.5_7</le></range> </package> <package> - <name>kdebase</name> - <range><lt>3.2.3_1</lt></range> + <name>linux-png</name> + <range><le>1.0.14_3</le></range> + <range><ge>1.2</ge><le>1.2.2</le></range> </package> <package> - <name>linux-opera</name> - <name>opera</name> - <range><ge>7.50</ge><lt>7.52</lt></range> + <name>firefox</name> + <range><lt>0.9.3</lt></range> </package> <package> - <name>firefox</name> - <range><lt>0.9</lt></range> + <name>thunderbird</name> + <range><lt>0.7.3</lt></range> </package> <package> <name>linux-mozilla</name> + <range><lt>1.7.2</lt></range> + </package> + <package> <name>linux-mozilla-devel</name> - <name>mozilla-gtk1</name> - <range><lt>1.7</lt></range> + <range><lt>1.7.2</lt></range> 
</package> <package> <name>mozilla</name> - <range><lt>1.7,2</lt></range> + <range><lt>1.7.2,2</lt></range> + <range><ge>1.8.a,2</ge><le>1.8.a2,2</le></range> </package> <package> - <name>netscape7</name> - <range><lt>7.2</lt></range> + <name>mozilla-gtk1</name> + <range><lt>1.7.2</lt></range> + </package> + <package> + <name>netscape-communicator</name> + <name>netscape-navigator</name> + <range><le>4.78</le></range> + </package> + <package> + <name>linux-netscape-communicator</name> + <name>linux-netscape-navigator</name> + <name>ko-netscape-navigator-linux</name> + <name>ko-netscape-communicator-linux</name> + <name>ja-netscape-communicator-linux</name> + <name>ja-netscape-navigator-linux</name> + <range><le>4.8</le></range> + </package> + <package> + <name>netscape7</name> + <name>ja-netscape7</name> + <range><le>7.1</le></range> + </package> + <package> + <name>pt_BR-netscape7</name> + <name>fr-netscape7</name> + <name>de-netscape7</name> + <range><le>7.02</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A class of bugs affecting many web browsers in the same way - was discovered. A Secunia advisory reports:</p> - <blockquote cite="http://secunia.com/advisories/11978"> - <p>The problem is that the browsers don't check if a target - frame belongs to a website containing a malicious link, - which therefore doesn't prevent one browser window from - loading content in a named frame in another window.</p> - <p>Successful exploitation allows a malicious website to load - arbitrary content in an arbitrary frame in another browser - window owned by e.g. a trusted site.</p> - </blockquote> - <p>A KDE Security Advisory reports:</p> - <blockquote cite="http://www.kde.org/info/security/advisory-20040811-3.txt"> - <p>A malicious website could abuse Konqueror to insert - its own frames into the page of an otherwise trusted - website. 
As a result the user may unknowingly send - confidential information intended for the trusted website - to the malicious website.</p> - </blockquote> - <p>Secunia has provided a demonstration of the vulnerability at <a - href="http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/">http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/</a>.</p> + <p>Chris Evans has discovered multiple vulnerabilities in libpng, + which can be exploited by malicious people to compromise a + vulnerable system or cause a DoS (Denial of Service).</p> </body> </description> <references> - <cvename>CAN-2004-0717</cvename> - <cvename>CAN-2004-0718</cvename> - <cvename>CAN-2004-0721</cvename> - <url>http://secunia.com/advisories/11978/</url> - <url>http://bugzilla.mozilla.org/show_bug.cgi?id=246448</url> - <url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-htmlframes.patch</url> - <url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdebase-htmlframes.patch</url> + <mlist msgid="Pine.LNX.4.58.0408041840080.20655@sphinx.mythic-beasts.com">http://www.securityfocus.com/archive/1/370853</mlist> + <url>http://scary.beasts.org/security/CESA-2004-001.txt</url> + <url>http://www.osvdb.org/8312</url> + <url>http://www.osvdb.org/8313</url> + <url>http://www.osvdb.org/8314</url> + <url>http://www.osvdb.org/8315</url> + <url>http://www.osvdb.org/8316</url> + <cvename>CAN-2004-0597</cvename> + <cvename>CAN-2004-0598</cvename> + <cvename>CAN-2004-0599</cvename> + <certvu>388984</certvu> + <certvu>236656</certvu> + <certvu>160448</certvu> + <certvu>477512</certvu> + <certvu>817368</certvu> + <certvu>286464</certvu> + <url>http://secunia.com/advisories/12219</url> + <url>http://secunia.com/advisories/12232</url> + <url>http://bugzilla.mozilla.org/show_bug.cgi?id=251381</url> + <uscertta>TA04-217A</uscertta> + <url>http://dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt</url> </references> <dates> - <discovery>2004-08-11</discovery> - 
<entry>2004-08-12</entry> - <modified>2004-09-14</modified> + <discovery>2004-08-04</discovery> + <entry>2004-08-04</entry> + <modified>2004-08-15</modified> </dates> </vuln> 
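Review bot: the Mozilla/Firefox spoofing entry added here (vid 730db824-e216-11d8-9b0a-000347a4fa7d) has a typo in its description, "This achieved by manipulating "chrome" through remote XUL content", which is missing "is"; suggest "This is achieved by manipulating "chrome" through remote XUL content." Separately, this hunk replaces the tnftpd entry (vid c4b025bb-f05d-11d8-9837-000c41e2cdad), the cancelled entry (vid 6fd9a1e9-efd3-11d8-9837-000c41e2cdad), the jftpgw entry (vid 65a17a3f-ed6e-11d8-aff1-00061bc2ad93) and the frame-injection entry (vid 641859e8-eca1-11d8-b913-000c41e2cdad) with the Samba, Mozilla spoofing and libpng entries, while the commit message only mentions adding FreeBSD versions to the CVS entries; please confirm the reorder is intentional and that the four removed vids are re-added elsewhere in the file rather than dropped, since a missing vid silently removes the advisory from portaudit.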
@@ -1383,48 +1759,393 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="2de14f7a-dad9-11d8-b59a-00061bc2ad93"> - <topic>Multiple Potential Buffer Overruns in Samba</topic> + <vuln vid="7a9d5dfe-c507-11d8-8898-000d6111a684"> + <topic>isc-dhcp3-server buffer overflow in logging mechanism</topic> <affects> <package> - <name>samba</name> - <range><ge>3</ge><lt>3.0.5,1</lt></range> - <range><lt>2.2.10</lt></range> + <name>isc-dhcp3-relay</name> + <name>isc-dhcp3-server</name> + <range><ge>3.0.1.r12</ge><lt>3.0.1.r14</lt></range> </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>A buffer overflow exists in the logging functionality + of the DHCP daemon which could lead to Denial of Service + attacks and has the potential to allow attackers to + execute arbitrary code.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0460</cvename> + <url>http://www.osvdb.org/7237</url> + <uscertta>TA04-174A</uscertta> + <certvu>317350</certvu> + <mlist msgid="BAY13-F94UHMuEEkHMz0005c4f7@hotmail.com">http://www.securityfocus.com/archive/1/366801</mlist> + <mlist msgid="40DFAB69.1060909@sympatico.ca">http://www.securityfocus.com/archive/1/367286</mlist> + </references> + <dates> + <discovery>2004-06-22</discovery> + <entry>2004-06-25</entry> + <modified>2004-08-12</modified> + </dates> + </vuln> + + <vuln vid="3a408f6f-9c52-11d8-9366-0020ed76ef5a"> + <topic>libpng denial-of-service</topic> + <affects> <package> - <name>ja-samba</name> - <range><lt>2.2.10.j1.0</lt></range> + <name>linux-png</name> + <range><le>1.0.14_3</le></range> + <range><ge>1.2</ge><le>1.2.2</le></range> + </package> + <package> + <name>png</name> + <range><lt>1.2.5_4</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Evgeny Demidov discovered that the Samba server has a - buffer overflow in the Samba Web Administration Tool (SWAT) - on decoding Base64 data during HTTP Basic 
Authentication. - Versions 3.0.2 through 3.0.4 are affected.</p> - <p>Another buffer overflow bug has been found in the code - used to support the "mangling method = hash" smb.conf - option. The default setting for this parameter is "mangling - method = hash2" and therefore not vulnerable. Versions - between 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected. - </p> + <p>Steve Grubb reports a buffer read overrun in + libpng's png_format_buffer function. A specially + constructed PNG image processed by an application using + libpng may trigger the buffer read overrun and possibly + result in an application crash.</p> </body> </description> <references> - <cvename>CAN-2004-0600</cvename> - <cvename>CAN-2004-0686</cvename> - <mlist msgid="web-53121174@cgp.agava.net">http://www.securityfocus.com/archive/1/369698</mlist> - <mlist msgid="200407222031.25086.bugtraq@beyondsecurity.com">http://www.securityfocus.com/archive/1/369706</mlist> - <url>http://www.samba.org/samba/whatsnew/samba-3.0.5.html</url> - <url>http://www.samba.org/samba/whatsnew/samba-2.2.10.html</url> - <url>http://www.osvdb.org/8190</url> - <url>http://www.osvdb.org/8191</url> - <url>http://secunia.com/advisories/12130</url> + <cvename>CAN-2004-0421</cvename> + <url>http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120508</url> + <url>http://rhn.redhat.com/errata/RHSA-2004-181.html</url> + <url>http://secunia.com/advisories/11505</url> + <url>http://www.osvdb.org/5726</url> + <bid>10244</bid> </references> <dates> - <discovery>2004-07-14</discovery> - <entry>2004-07-21</entry> - <modified>2004-08-15</modified> + <discovery>2004-04-29</discovery> + <entry>2004-05-02</entry> + <modified>2004-08-12</modified> + </dates> + </vuln> + + <vuln vid="4764cfd6-d630-11d8-b479-02e0185c0b53"> + <topic>PHP memory_limit and strip_tags() vulnerabilities</topic> + <affects> + <package> + <name>php4</name> + <name>php4-cgi</name> + <name>php4-cli</name> + <name>php4-dtc</name> + <name>php4-horde</name> + 
<name>php4-nms</name> + <name>mod_php4-twig</name> + <range><lt>4.3.8</lt></range> + </package> + <package> + <name>mod_php4</name> + <range><lt>4.3.8,1</lt></range> + </package> + <package> + <name>php5</name> + <name>php5-cgi</name> + <name>php5-cli</name> + <range><lt>5.0.0</lt></range> + </package> + <package> + <name>mod_php5</name> + <range><lt>5.0.0,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Stefan Esser has reported two vulnerabilities in PHP, which can + be exploited by malicious people to bypass security functionality + or compromise a vulnerable system. An error within PHP's memory_limit + request termination allows remote code execution on PHP servers + with activated memory_limit. A binary safety problem within PHP's + strip_tags() function may allow injection of arbitrary tags in + Internet Explorer and Safari browsers.</p> + </body> + </description> + <references> + <url>http://www.php.net/ChangeLog-4.php</url> + <url>http://www.php.net/ChangeLog-5.php</url> + <url>http://security.e-matters.de/advisories/112004.html</url> + <url>http://security.e-matters.de/advisories/122004.html</url> + <url>http://secunia.com/advisories/12064</url> + <url>http://www.osvdb.org/7870</url> + <url>http://www.osvdb.org/7871</url> + <cvename>CAN-2004-0594</cvename> + <cvename>CAN-2004-0595</cvename> + </references> + <dates> + <discovery>2007-07-07</discovery> + <entry>2004-07-15</entry> + <modified>2004-08-12</modified> + </dates> + </vuln> + + <vuln vid="abe47a5a-e23c-11d8-9b0a-000347a4fa7d"> + <topic>Mozilla certificate spoofing</topic> + <affects> + <package> + <name>firefox</name> + <range><ge>0.9.1</ge><le>0.9.2</le></range> + </package> + <package> + <name>linux-mozilla</name> + <range><lt>1.7.2</lt></range> + </package> + <package> + <name>linux-mozilla-devel</name> + <range><lt>1.7.2</lt></range> + </package> + <package> + <name>mozilla</name> + <range><lt>1.7.2,2</lt></range> + 
<range><ge>1.8,2</ge><le>1.8.a2,2</le></range> + </package> + <package> + <name>mozilla-gtk1</name> + <range><lt>1.7.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Mozilla and Mozilla Firefox contains a flaw that may + allow a malicious user to spoof SSL certification.</p> + </body> + </description> + <references> + <mlist msgid="003a01c472ba$b2060900$6501a8c0@sec">http://www.securityfocus.com/archive/1/369953</mlist> + <url>http://www.cipher.org.uk/index.php?p=advisories/Certificate_Spoofing_Mozilla_FireFox_25-07-2004.advisory</url> + <url>http://secunia.com/advisories/12160</url> + <url>http://bugzilla.mozilla.org/show_bug.cgi?id=253121</url> + <url>http://www.osvdb.org/8238</url> + <bid>10796</bid> + <cvename>CAN-2004-0763</cvename> + </references> + <dates> + <discovery>2004-07-25</discovery> + <entry>2004-07-30</entry> + <modified>2004-08-12</modified> + </dates> + </vuln> + + <vuln vid="a713c0f9-ec54-11d8-9440-000347a4fa7d"> + <topic>ImageMagick png vulnerability fix</topic> + <affects> + <package> + <name>ImageMagick</name> + <name>ImageMagick-nox11</name> + <range><lt>6.0.4.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Glenn Randers-Pehrson has contributed a fix for the png + vulnerabilities discovered by Chris Evans.</p> + </body> + </description> + <references> + <url>http://studio.imagemagick.org/pipermail/magick-users/2004-August/013218.html</url> + <url>http://freshmeat.net/releases/169228</url> + <url>http://secunia.com/advisories/12236</url> + <url>http://www.freebsd.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html</url> + </references> + <dates> + <discovery>2004-08-04</discovery> + <entry>2004-08-04</entry> + <modified>2004-08-12</modified> + </dates> + </vuln> + + <vuln vid="98bd69c3-834b-11d8-a41f-0020ed76ef5a"> + <topic>Courier mail services: remotely exploitable buffer overflows</topic> + <affects> + <package> 
+ <name>courier</name> + <range><lt>0.45</lt></range> + </package> + <package> + <name>courier-imap</name> + <range><lt>3.0,1</lt></range> + </package> + <package> + <name>sqwebmail</name> + <range><lt>4.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Courier set of mail services use a common Unicode + library. This library contains buffer overflows in the + converters for two popular Japanese character encodings. + These overflows may be remotely exploitable, triggered by + a maliciously formatted email message that is later processed + by one of the Courier mail services. + From the release notes for the corrected versions of the + Courier set of mail services:</p> + <blockquote> + <p>iso2022jp.c: Converters became (upper-)compatible with + ISO-2022-JP (RFC1468 / JIS X 0208:1997 Annex 2) and + ISO-2022-JP-1 (RFC2237). Buffer overflow vulnerability + (when Unicode character is out of BMP range) has been + closed. Convert error handling was implemented.</p> + <p>shiftjis.c: Broken SHIFT_JIS converters has been fixed + and became (upper-)compatible with Shifted Encoding Method + (JIS X 0208:1997 Annex 1). Buffer overflow vulnerability + (when Unicode character is out of BMP range) has been + closed. 
Convert error handling was implemented.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CAN-2004-0224</cvename> + <url>http://cvs.sourceforge.net/viewcvs.py/courier/libs/unicode/iso2022jp.c?rev=1.10&view=markup</url> + <url>http://cvs.sourceforge.net/viewcvs.py/courier/libs/unicode/shiftjis.c?rev=1.6&view=markup</url> + <bid>9845</bid> + <url>http://secunia.com/advisories/11087</url> + <url>http://www.osvdb.org/4194</url> + <url>http://www.osvdb.org/6927</url> + </references> + <dates> + <discovery>2004-02-01</discovery> + <entry>2004-03-31</entry> + <modified>2004-07-16</modified> + </dates> + </vuln> + + <vuln vid="cdf18ed9-7f4a-11d8-9645-0020ed76ef5a"> + <topic>multiple vulnerabilities in ethereal</topic> + <affects> + <package> + <name>ethereal</name> + <name>tethereal</name> + <range><lt>0.10.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Stefan Esser of e-matters Security discovered a baker's dozen + of buffer overflows in Ethereal's decoders, including:</p> + <ul> + <li>NetFlow</li> + <li>IGAP</li> + <li>EIGRP</li> + <li>PGM</li> + <li>IRDA</li> + <li>BGP</li> + <li>ISUP</li> + <li>TCAP</li> + <li>UCP</li> + </ul> + <p>In addition, a vulnerability in the RADIUS decoder was found + by Jonathan Heusser.</p> + <p>Finally, there is one uncredited vulnerability described by the + Ethereal team as:</p> + <blockquote cite="http://www.ethereal.com/appnotes/enpa-sa-00013.html"> + <p>A zero-length Presentation protocol selector could make + Ethereal crash.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.ethereal.com/appnotes/enpa-sa-00013.html</url> + <cvename>CAN-2004-0176</cvename> + <cvename>CAN-2004-0365</cvename> + <cvename>CAN-2004-0367</cvename> + <certvu>119876</certvu> + <certvu>124454</certvu> + <certvu>125156</certvu> + <certvu>433596</certvu> + <certvu>591820</certvu> + <certvu>644886</certvu> + <certvu>659140</certvu> + 
<certvu>695486</certvu> + <certvu>740188</certvu> + <certvu>792286</certvu> + <certvu>864884</certvu> + <certvu>931588</certvu> + <url>http://security.e-matters.de/advisories/032004.html</url> + <url>http://secunia.com/advisories/11185</url> + <bid>9952</bid> + <url>http://www.osvdb.org/4462</url> + <url>http://www.osvdb.org/4463</url> + <url>http://www.osvdb.org/4464</url> + </references> + <dates> + <discovery>2004-03-23</discovery> + <entry>2004-03-26</entry> + <modified>2004-07-11</modified> + </dates> + </vuln> + + <vuln vid="74d06b67-d2cf-11d8-b479-02e0185c0b53"> + <topic>multiple vulnerabilities in ethereal</topic> + <affects> + <package> + <name>ethereal</name> + <name>ethereal-lite</name> + <name>tethereal</name> + <name>tethereal-lite</name> + <range><lt>0.10.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Issues have been discovered in multiple protocol dissectors.</p> + </body> + </description> + <references> + <url>http://www.ethereal.com/appnotes/enpa-sa-00014.html</url> + <cvename>CAN-2004-0504</cvename> + <cvename>CAN-2004-0505</cvename> + <cvename>CAN-2004-0506</cvename> + <cvename>CAN-2004-0507</cvename> + <url>http://secunia.com/advisories/11608</url> + <bid>10347</bid> + <url>http://www.osvdb.org/6131</url> + <url>http://www.osvdb.org/6132</url> + <url>http://www.osvdb.org/6133</url> + <url>http://www.osvdb.org/6134</url> + </references> + <dates> + <discovery>2004-05-13</discovery> + <entry>2004-07-11</entry> + </dates> + </vuln> + + <vuln vid="265c8b00-d2d0-11d8-b479-02e0185c0b53"> + <topic>multiple vulnerabilities in ethereal</topic> + <affects> + <package> + <name>ethereal</name> + <name>ethereal-lite</name> + <name>tethereal</name> + <name>tethereal-lite</name> + <range><lt>0.10.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Issues have been discovered in multiple protocol dissectors.</p> + </body> + </description> + 
<references> + <url>http://www.ethereal.com/appnotes/enpa-sa-00015.html</url> + <cvename>CAN-2004-0633</cvename> + <cvename>CAN-2004-0634</cvename> + <cvename>CAN-2004-0635</cvename> + <url>http://secunia.com/advisories/12024</url> + <bid>10672</bid> + <url>http://www.osvdb.org/7536</url> + <url>http://www.osvdb.org/7537</url> + <url>http://www.osvdb.org/7538</url> + </references> + <dates> + <discovery>2004-07-06</discovery> + <entry>2004-07-11</entry> </dates> </vuln> @@ -1452,6 +2173,38 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> + <vuln vid="c5519420-cec2-11d8-8898-000d6111a684"> + <topic>"Content-Type" XSS vulnerability affecting other webmail systems</topic> + <affects> + <package> + <name>openwebmail</name> + <range><le>2.32</le></range> + </package> + <package> + <name>ilohamail</name> + <range><lt>0.8.13</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Roman Medina-Heigl Hernandez did a survey which other webmail systems + where vulnerable to a bug he discovered in SquirrelMail. This advisory + summarizes the results.</p> + </body> + </description> + <references> + <url>http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-2.txt</url> + <url>http://www.freebsd.org/ports/portaudit/89a0de27-bf66-11d8-a252-02e0185c0b53.html</url> + <url>http://www.freebsd.org/ports/portaudit/911f1b19-bd20-11d8-84f9-000bdb1444a4.html</url> + <url>http://www.freebsd.org/ports/portaudit/c3e56efa-c42f-11d8-864c-02e0185c0b53.html</url> + <cvename>CAN-2004-0519</cvename> + </references> + <dates> + <discovery>2004-05-29</discovery> + <entry>2004-07-05</entry> + </dates> + </vuln> + <vuln vid="76904dce-ccf3-11d8-babb-000854d03344"> <topic>Pavuk HTTP Location header overflow</topic> <affects> 
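Review bot: in the `@@ -1383,48 +1759,393 @@` hunk, the PHP memory_limit/strip_tags entry (vid 4764cfd6-d630-11d8-b479-02e0185c0b53) carries `<discovery>2007-07-07</discovery>`, which is later than its own `<entry>2004-07-15</entry>` and `<modified>2004-08-12</modified>` and later than this commit; the year must be wrong and should be corrected against the cited e-matters advisories before it lands. In the same hunk, the Mozilla certificate spoofing entry (vid abe47a5a-e23c-11d8-9b0a-000347a4fa7d) uses `<range><ge>1.8,2</ge><le>1.8.a2,2</le></range>` while the two other mozilla entries in this commit use `<ge>1.8.a,2</ge>` as the lower bound for the same alpha series; check which bound is intended so the three entries agree. The ImageMagick entry (vid a713c0f9-ec54-11d8-9440-000347a4fa7d) is written as the fix ("Glenn Randers-Pehrson has contributed a fix for the png vulnerabilities discovered by Chris Evans") rather than as the vulnerability, and only points at the libpng entry through a portaudit URL; consider rewording the topic and description to state that ImageMagick < 6.0.4.2 is affected by the Chris Evans PNG issues and adding the CAN-2004-0597, CAN-2004-0598 and CAN-2004-0599 cvename references that the libpng entry already lists, so the CVE names are searchable from this entry too. The two ethereal entries for < 0.10.4 and < 0.10.5 share an identical topic and the one-line description "Issues have been discovered in multiple protocol dissectors."; the referenced enpa-sa-00014 and enpa-sa-00015 notes name the dissectors, so listing them as the 0.10.3 entry does would make the three entries distinguishable in portaudit output.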
@@ -1511,6 +2264,66 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> + <vuln vid="0d4c31ac-cb91-11d8-8898-000d6111a684"> + <topic>Remote code injection in phpMyAdmin</topic> + <affects> + <package> + <name>phpmyadmin</name> + <range><lt>2.5.7.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>This vulnerability would allow remote user to inject PHP code + to be executed by eval() function. This vulnerability is only + exploitable if variable $cfg['LeftFrameLight'] is set to FALSE (in + file config.inc.php).</p> + </body> + </description> + <references> + <url>http://sf.net/forum/forum.php?forum_id=387635</url> + <mlist msgid="20040629025752.976.qmail@www.securityfocus.com">http://www.securityfocus.com/archive/1/367486</mlist> + <url>http://secunia.com/advisories/11974</url> + <url>http://eagle.kecapi.com/sec/fd/phpMyAdmin.html</url> + </references> + <dates> + <discovery>2004-06-29</discovery> + <entry>2004-07-02</entry> + </dates> + </vuln> + + <vuln vid="4d837296-cc28-11d8-a54c-02e0185c0b53"> + <topic>GNATS local privilege elevation</topic> + <affects> + <package> + <name>gnats</name> + <range><le>3.113.1_9</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>GNATS 3.113.1 contains multiple buffer overflows, through which a + local attacker could gain elevated privileges on the system.</p> + </body> + </description> + <references> + <freebsdpr>ports/56006</freebsdpr> + <mlist msgid="20040625164231.7437.qmail@www.securityfocus.com">http://www.securityfocus.com/archive/1/326337</mlist> + <url>http://www.securiteam.com/unixfocus/5CP0N0UAAA.html</url> + <url>http://secunia.com/advisories/9096</url> + <url>http://x82.inetcop.org/h0me/adv1sor1es/INCSA.2003-0x82-018-GNATS-bt.txt</url> + <url>http://www.gnu.org/software/gnats/gnats.html</url> + <url>http://www.osvdb.org/2190</url> + <url>http://www.osvdb.org/4600</url> + 
<url>http://www.osvdb.org/4601</url> + <url>http://www.osvdb.org/4607</url> + </references> + <dates> + <discovery>2003-06-21</discovery> + <entry>2004-07-02</entry> + </dates> + </vuln> + <vuln vid="8ecaaca2-cc07-11d8-858d-000d610a3b12"> <topic>Linux binary compatibility mode input validation error</topic> <affects> @@ -1541,6 +2354,37 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> + <vuln vid="1f738bda-c6ac-11d8-8898-000d6111a684"> + <topic>Remote Denial of Service of HTTP server and client</topic> + <affects> + <package> + <name>giFT-FastTrack</name> + <range><lt>0.8.7</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>giFT-FastTrack is susceptible to a remote + Denial of Service attack which could allow + a remote attacker to render HTTP services + unusable. According to the developers, no + code execution is possible; however, they + recommend an immediate upgrade.</p> + </body> + </description> + <references> + <url>http://developer.berlios.de/forum/forum.php?forum_id=5814</url> + <url>http://www.osvdb.org/7266</url> + <url>http://secunia.com/advisories/11941</url> + <bid>10604</bid> + </references> + <dates> + <discovery>2004-06-19</discovery> + <entry>2004-06-25</entry> + <modified>2004-06-29</modified> + </dates> + </vuln> + <vuln vid="ff00f2ce-c54c-11d8-b708-00061bc2ad93"> <topic>XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0</topic> <affects> 
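Review bot: in the GNATS entry (vid 4d837296-cc28-11d8-a54c-02e0185c0b53) the mlist reference has a 2004-06-25 message-id (`20040625164231.7437.qmail@www.securityfocus.com`) but points at http://www.securityfocus.com/archive/1/326337, while the other June 2004 bugtraq references in this commit (for isc-dhcp3) point at archive ids 366801 and 367286 and the entry's own discovery date is 2003-06-21; either the msgid or the URL looks copied from the wrong post, so please verify the pair against the original bugtraq message. Minor wording in the phpMyAdmin entry (vid 0d4c31ac-cb91-11d8-8898-000d6111a684): "would allow remote user to inject PHP code" should read "would allow a remote user to inject PHP code".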
@@ -1597,66 +2441,274 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="7a9d5dfe-c507-11d8-8898-000d6111a684"> - <topic>isc-dhcp3-server buffer overflow in logging mechanism</topic> + <vuln vid="35f6fdf8-a425-11d8-9c6d-0020ed76ef5a"> + <topic>Cyrus IMAP pre-authentication heap overflow vulnerability</topic> <affects> <package> - <name>isc-dhcp3-relay</name> - <name>isc-dhcp3-server</name> - <range><ge>3.0.1.r12</ge><lt>3.0.1.r14</lt></range> + <name>cyrus</name> + <range><lt>2.0.17</lt></range> + <range><ge>2.1</ge><lt>2.1.11</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A buffer overflow exists in the logging functionality - of the DHCP daemon which could lead to Denial of Service - attacks and has the potential to allow attackers to - execute arbitrary code.</p> + <p>In December 2002, Timo Sirainen reported:</p> + <blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=103886607825605"> + <p>Cyrus IMAP server has a a remotely exploitable pre-login + buffer overflow. [...] 
Note that you don't have to log in + before exploiting this, and since Cyrus + runs everything under one UID, it's possible to read every + user's mail in the system.</p> + </blockquote> + <p>It is unknown whether this vulnerability is exploitable for code + execution on FreeBSD systems.</p> </body> </description> <references> - <cvename>CAN-2004-0460</cvename> - <url>http://www.osvdb.org/7237</url> - <uscertta>TA04-174A</uscertta> - <certvu>317350</certvu> - <mlist msgid="BAY13-F94UHMuEEkHMz0005c4f7@hotmail.com">http://www.securityfocus.com/archive/1/366801</mlist> - <mlist msgid="40DFAB69.1060909@sympatico.ca">http://www.securityfocus.com/archive/1/367286</mlist> + <cvename>CAN-2002-1580</cvename> + <bid>6298</bid> + <certvu>740169</certvu> + <mlist msgid="20021202175606.GA26254@irccrew.org">http://marc.theaimsgroup.com/?l=bugtraq&m=103886607825605</mlist> + <mlist>http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=19349</mlist> </references> <dates> - <discovery>2004-06-22</discovery> - <entry>2004-06-25</entry> - <modified>2004-08-12</modified> + <discovery>2002-12-02</discovery> + <entry>2004-05-12</entry> + <modified>2004-06-27</modified> </dates> </vuln> - <vuln vid="1f738bda-c6ac-11d8-8898-000d6111a684"> - <topic>Remote Denial of Service of HTTP server and client</topic> + <vuln vid="700d43b4-a42a-11d8-9c6d-0020ed76ef5a"> + <topic>Cyrus IMSPd multiple vulnerabilities</topic> <affects> <package> - <name>giFT-FastTrack</name> - <range><lt>0.8.7</lt></range> + <name>cyrus-imspd</name> + <range><lt>1.6a5</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>giFT-FastTrack is susceptible to a remote - Denial of Service attack which could allow - a remote attacker to render HTTP services - unusable. 
According to the developers, no - code execution is possible; however, they - recommend an immediate upgrade.</p> + <p>The Cyrus team reported multiple vulnerabilities in older + versions of Cyrus IMSPd:</p> + <blockquote cite="http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&msg=25"> + <p>These releases correct a recently discovered buffer + overflow vulnerability, as well as clean up a significant + amount of buffer handling throughout the code.</p> + </blockquote> </body> </description> <references> - <url>http://developer.berlios.de/forum/forum.php?forum_id=5814</url> - <url>http://www.osvdb.org/7266</url> - <url>http://secunia.com/advisories/11941</url> - <bid>10604</bid> + <mlist>http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&msg=25</mlist> </references> <dates> - <discovery>2004-06-19</discovery> - <entry>2004-06-25</entry> - <modified>2004-06-29</modified> + <discovery>2004-12-12</discovery> + <entry>2004-05-12</entry> + <modified>2004-06-27</modified> + </dates> + </vuln> + + <vuln vid="5e7f58c3-b3f8-4258-aeb8-795e5e940ff8"> + <topic>mplayer heap overflow in http requests</topic> + <affects> + <package> + <name>mplayer</name> + <name>mplayer-gtk</name> + <name>mplayer-esound</name> + <name>mplayer-gtk-esound</name> + <range><lt>0.92.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>A remotely exploitable heap buffer overflow vulnerability was + found in MPlayer's URL decoding code. If an attacker can + cause MPlayer to visit a specially crafted URL, arbitrary code + execution with the privileges of the user running MPlayer may + occur. 
A `visit' might be caused by social engineering, or a + malicious web server could use HTTP redirects which MPlayer + would then process.</p> + </body> + </description> + <references> + <url>http://www.mplayerhq.hu/homepage/design6/news.html</url> + <mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=108066964709058</mlist> + <freebsdpr>ports/64974</freebsdpr> + </references> + <dates> + <discovery>2004-03-30</discovery> + <entry>2004-03-31</entry> + <modified>2004-06-27</modified> + </dates> + </vuln> + + <vuln vid="3e9be8c4-8192-11d8-9645-0020ed76ef5a"> + <topic>ecartis buffer overflows and input validation bugs</topic> + <affects> + <package> + <name>ecartis</name> + <range><lt>1.0.0.s20030814,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Timo Sirainen reports multiple buffer overflows that may be + triggered while parsing messages, as well as input validation + errors that could result in disclosure of mailing list + passwords.</p> + <p>These bugs were resolved in the August 2003 snapshot of + ecartis.</p> + </body> + </description> + <references> + <cvename>CAN-2003-0781</cvename> + <cvename>CAN-2003-0782</cvename> + <url>http://www.securiteam.com/unixfocus/5YP0H2AAUY.html</url> + <freebsdpr>ports/57082</freebsdpr> + </references> + <dates> + <discovery>2003-08-14</discovery> + <entry>2004-03-29</entry> + <modified>2004-06-27</modified> + </dates> + </vuln> + + <vuln vid="c2e10368-77ab-11d8-b9e8-00e04ccb0a62"> + <topic>ModSecurity for Apache 2.x remote off-by-one overflow</topic> + <affects> + <package> + <name>mod_security</name> + <range><lt>1.7.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>When the directive "SecFilterScanPost" is enabled, + the Apache 2.x version of ModSecurity is vulnerable + to an off-by-one overflow</p> + </body> + </description> + <references> + <url>http://www.s-quadra.com/advisories/Adv-20040315.txt</url> + 
<bid>9885</bid> + <url>http://secunia.com/advisories/11138</url> + <certvu>779438</certvu> + </references> + <dates> + <discovery>2004-02-09</discovery> + <entry>2004-03-17</entry> + <modified>2004-06-27</modified> + </dates> + </vuln> + + <vuln vid="74a9541d-5d6c-11d8-80e3-0020ed76ef5a"> + <topic>clamav remote denial-of-service</topic> + <affects> + <package> + <name>clamav</name> + <range><lt>0.65_7</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>clamav will exit when a programming + assertion is not met. A malformed uuencoded message can + trigger this assertion, allowing an attacker to trivially + crash clamd or other components of clamav.</p> + </body> + </description> + <references> + <freebsdpr>ports/62586</freebsdpr> + <mlist msgid="40279811.9050407@fillmore-labs.com">http://www.securityfocus.com/archive/1/353186</mlist> + <url>http://www.osvdb.org/3894</url> + <bid>9610</bid> + <url>http://secunia.com/advisories/10826</url> + <cvename>CAN-2004-0270</cvename> + <url>http://xforce.iss.net/xforce/xfdb/15077</url> + </references> + <dates> + <discovery>2004-02-09</discovery> + <entry>2004-02-12</entry> + <modified>2004-06-27</modified> + </dates> + </vuln> + + <vuln vid="8d075001-a9ce-11d8-9c6d-0020ed76ef5a"> + <topic>neon date parsing vulnerability</topic> + <affects> + <package> + <name>neon</name> + <range><lt>0.24.5_1</lt></range> + </package> + <package> + <name>sitecopy</name> + <range><le>0.13.4_1</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Stefan Esser reports:</p> + <blockquote cite="http://security.e-matters.de/advisories/062004.html"> + <p>A vulnerability within a libneon date parsing function + could cause a heap overflow which could lead to remote + code execution, depending on the application using + libneon.</p> + </blockquote> + <p>The vulnerability is in the function ne_rfc1036_parse, + which is in turn used by the function 
ne_httpdate_parse. + Applications using either of these neon functions may be + vulnerable.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0398</cvename> + <url>http://security.e-matters.de/advisories/062004.html</url> + <url>http://secunia.com/advisories/11785</url> + </references> + <dates> + <discovery>2004-05-19</discovery> + <entry>2004-05-19</entry> + <modified>2004-06-25</modified> + </dates> + </vuln> + + <vuln vid="84237895-8f39-11d8-8b29-0020ed76ef5a"> + <topic>neon format string vulnerabilities</topic> + <affects> + <package> + <name>neon</name> + <range><lt>0.24.5</lt></range> + </package> + <package> + <name>tla</name> + <range><lt>1.2_1</lt></range> + </package> + <package> + <name>sitecopy</name> + <range><le>0.13.4_1</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Greuff reports that the neon WebDAV client library contains + several format string bugs within error reporting code. A + malicious server may exploit these bugs by sending specially + crafted PROPFIND or PROPPATCH responses.</p> + <p>Although several applications include neon, such as cadaver and + subversion, the FreeBSD Ports of these applications are not + impacted. They are specifically configured to NOT use the + included neon. Only packages listed as affected in this + notice are believed to be impacted.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0179</cvename> + <url>http://www.webdav.org/neon/</url> + <url>http://secunia.com/advisories/11785</url> + </references> + <dates> + <discovery>2004-04-14</discovery> + <entry>2004-04-15</entry> + <modified>2004-06-25</modified> </dates> </vuln> 
@@ -1689,6 +2741,37 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> + <vuln vid="0c6f3fde-9c51-11d8-9366-0020ed76ef5a"> + <topic>Midnight Commander buffer overflows, format string bugs, and insecure temporary file handling</topic> + <affects> + <package> + <name>mc</name> + <range><lt>4.6.0_10</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Jakub Jelinek reports several security related bugs in + Midnight Commander, including:</p> + <ul> + <li>Multiple buffer overflows (CAN-2004-0226)</li> + <li>Insecure temporary file handling (CAN-2004-0231)</li> + <li>Format string bug (CAN-2004-0232)</li> + </ul> + </body> + </description> + <references> + <cvename>CAN-2004-0226</cvename> + <cvename>CAN-2004-0231</cvename> + <cvename>CAN-2004-0232</cvename> + </references> + <dates> + <discovery>2004-04-29</discovery> + <entry>2004-05-02</entry> + <modified>2004-06-14</modified> + </dates> + </vuln> + <vuln vid="6f955451-ba54-11d8-b88c-000d610a3b12"> <topic>Buffer overflow in Squid NTLM authentication helper</topic> <affects> 
@@ -1723,6 +2806,52 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> + <vuln vid="27c331d5-64c7-11d8-80e3-0020ed76ef5a"> + <topic>Vulnerabilities in H.323 implementations</topic> + <affects> + <package> + <name>pwlib</name> + <range><lt>1.5.0_5</lt></range> + </package> + <package> + <name>asterisk</name> + <range><le>0.7.2</le></range> + </package> + <package> + <name>openh323</name> + <range><lt>1.12.0_4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The <a href="http://www.niscc.gov.uk/">NISCC</a> and the <a href="http://www.ee.oulu.fi/research/ouspg/">OUSPG</a> + developed a test suite for the H.323 protocol. This test + suite has uncovered vulnerabilities in several H.323 + implementations with impacts ranging from denial-of-service + to arbitrary code execution.</p> + <p>In the FreeBSD Ports Collection, `pwlib' is directly + affected. Other applications such as `asterisk' and + `openh323' incorporate `pwlib' statically and so are also + independently affected.</p> + </body> + </description> + <references> + <!-- General references --> + <url>http://www.uniras.gov.uk/vuls/2004/006489/h323.htm</url> + <url>http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html</url> + <certsa>CA-2004-01</certsa> + <certvu>749342</certvu> + <!-- pwlib and pwlib-using applications --> + <cvename>CAN-2004-0097</cvename> + <url>http://www.southeren.com/blog/archives/000055.html</url> + </references> + <dates> + <discovery>2004-01-13</discovery> + <entry>2004-02-22</entry> + <modified>2004-06-08</modified> + </dates> + </vuln> + <vuln vid="fb5e227e-b8c6-11d8-b88c-000d610a3b12"> <topic>jailed processes can manipulate host routing tables</topic> <affects> 
@@ -1818,8 +2947,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </vuln> <vuln vid="7b0208ff-3f65-4e16-8d4d-48fd9851f085"> - <topic>leafnode fetchnews denial-of-service triggered by missing - header</topic> + <topic>leafnode fetchnews denial-of-service triggered by missing header</topic> <affects> <package> <name>leafnode</name> @@ -1847,8 +2975,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </vuln> <vuln vid="a051a4ec-3aa1-4dd1-9bdc-a61eb5700153"> - <topic>leafnode fetchnews denial-of-service triggered by truncated - transmission</topic> + <topic>leafnode fetchnews denial-of-service triggered by truncated transmission</topic> <affects> <package> <name>leafnode</name> 
@@ -1877,6 +3004,40 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> + <vuln vid="2e129846-8fbb-11d8-8b29-0020ed76ef5a"> + <topic>MySQL insecure temporary file creation (mysqlbug)</topic> + <affects> + <package> + <name>mysql-client</name> + <range><ge>4.0</ge><lt>4.0.20</lt></range> + <range><ge>4.1</ge><lt>4.1.1_2</lt></range> + <range><ge>5.0</ge><lt>5.0.0_2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Shaun Colley reports that the script `mysqlbug' included + with MySQL sometimes creates temporary files in an unsafe + manner. As a result, an attacker may create a symlink in + /tmp so that if another user invokes `mysqlbug' and <em>quits + without making <strong>any</strong> changes</em>, an + arbitrary file may be overwritten with the bug report + template.</p> + </body> + </description> + <references> + <mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=108023246916294&w=2</mlist> + <url>http://bugs.mysql.com/bug.php?id=3284</url> + <bid>9976</bid> + <cvename>CAN-2004-0381</cvename> + </references> + <dates> + <discovery>2004-03-25</discovery> + <entry>2004-04-16</entry> + <modified>2004-05-21</modified> + </dates> + </vuln> + <vuln vid="5d36ef32-a9cf-11d8-9c6d-0020ed76ef5a"> <topic>subversion date parsing vulnerability</topic> <affects> @@ -1888,8 +3049,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>Stefan Esser reports:</p> - <blockquote - cite="http://security.e-matters.de/advisories/082004.html"> + <blockquote cite="http://security.e-matters.de/advisories/082004.html"> <p>Subversion versions up to 1.0.2 are vulnerable to a date parsing vulnerability which can be abused to allow remote code execution on Subversion servers and therefore could 
@@ -1910,46 +3070,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="8d075001-a9ce-11d8-9c6d-0020ed76ef5a"> - <topic>neon date parsing vulnerability</topic> - <affects> - <package> - <name>neon</name> - <range><lt>0.24.5_1</lt></range> - </package> - <package> - <name>sitecopy</name> - <range><le>0.13.4_1</le></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Stefan Esser reports:</p> - <blockquote - cite="http://security.e-matters.de/advisories/062004.html"> - <p>A vulnerability within a libneon date parsing function - could cause a heap overflow which could lead to remote - code execution, depending on the application using - libneon.</p> - </blockquote> - <p>The vulnerability is in the function ne_rfc1036_parse, - which is in turn used by the function ne_httpdate_parse. - Applications using either of these neon functions may be - vulnerable.</p> - </body> - </description> - <references> - <cvename>CAN-2004-0398</cvename> - <url>http://security.e-matters.de/advisories/062004.html</url> - <url>http://secunia.com/advisories/11785</url> - </references> - <dates> - <discovery>2004-05-19</discovery> - <entry>2004-05-19</entry> - <modified>2004-06-25</modified> - </dates> - </vuln> - <vuln vid="f93be979-a992-11d8-aecc-000d610a3b12"> <topic>cvs pserver remote heap buffer overflow</topic> <affects> 
@@ -1984,6 +3104,40 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> + <vuln vid="492f8896-70fa-11d8-873f-0020ed76ef5a"> + <topic>Apache 2 mod_ssl denial-of-service</topic> + <affects> + <package> + <name>apache</name> + <range><ge>2.0</ge><le>2.0.48_3</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Joe Orton reports a memory leak in Apache 2's mod_ssl. + A remote attacker may issue HTTP requests on an HTTPS + port, causing an error. Due to a bug in processing this + condition, memory associated with the connection is + not freed. Repeated requests can result in consuming + all available memory resources, probably resulting in + termination of the Apache process.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0113</cvename> + <url>http://www.apacheweek.com/features/security-20</url> + <url>http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.100.2.11&r2=1.100.2.12</url> + <mlist>http://marc.theaimsgroup.com/?l=apache-cvs&m=107869699329638</mlist> + <url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106</url> + <bid>9826</bid> + </references> + <dates> + <discovery>2004-02-20</discovery> + <entry>2004-03-08</entry> + <modified>2004-05-19</modified> + </dates> + </vuln> + <vuln vid="df333ede-a8ce-11d8-9c6d-0020ed76ef5a"> <topic>URI handler vulnerabilities in several browsers</topic> <affects> 
@@ -2024,77 +3178,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="2e129846-8fbb-11d8-8b29-0020ed76ef5a"> - <topic>MySQL insecure temporary file creation (mysqlbug)</topic> - <affects> - <package> - <name>mysql-client</name> - <range><ge>4.0</ge><lt>4.0.20</lt></range> - <range><ge>4.1</ge><lt>4.1.1_2</lt></range> - <range><ge>5.0</ge><lt>5.0.0_2</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Shaun Colley reports that the script `mysqlbug' included - with MySQL sometimes creates temporary files in an unsafe - manner. As a result, an attacker may create a symlink in - /tmp so that if another user invokes `mysqlbug' and <em>quits - without making <strong>any</strong> changes</em>, an - arbitrary file may be overwritten with the bug report - template.</p> - </body> - </description> - <references> - <mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=108023246916294&w=2</mlist> - <url>http://bugs.mysql.com/bug.php?id=3284</url> - <bid>9976</bid> - <cvename>CAN-2004-0381</cvename> - </references> - <dates> - <discovery>2004-03-25</discovery> - <entry>2004-04-16</entry> - <modified>2004-05-21</modified> - </dates> - </vuln> - - <vuln vid="35f6fdf8-a425-11d8-9c6d-0020ed76ef5a"> - <topic>Cyrus IMAP pre-authentication heap overflow vulnerability</topic> - <affects> - <package> - <name>cyrus</name> - <range><lt>2.0.17</lt></range> - <range><ge>2.1</ge><lt>2.1.11</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>In December 2002, Timo Sirainen reported:</p> - <blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=103886607825605"> - <p>Cyrus IMAP server has a a remotely exploitable pre-login - buffer overflow. [...] 
Note that you don't have to log in - before exploiting this, and since Cyrus - runs everything under one UID, it's possible to read every - user's mail in the system.</p> - </blockquote> - <p>It is unknown whether this vulnerability is exploitable for code - execution on FreeBSD systems.</p> - </body> - </description> - <references> - <cvename>CAN-2002-1580</cvename> - <bid>6298</bid> - <certvu>740169</certvu> - <mlist msgid="20021202175606.GA26254@irccrew.org">http://marc.theaimsgroup.com/?l=bugtraq&m=103886607825605</mlist> - <mlist>http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=19349</mlist> - </references> - <dates> - <discovery>2002-12-02</discovery> - <entry>2004-05-12</entry> - <modified>2004-06-27</modified> - </dates> - </vuln> - <vuln vid="20be2982-4aae-11d8-96f2-0020ed76ef5a"> <topic>fsp buffer overflow and directory traversal vulnerabilities</topic> <affects> 
@@ -2156,35 +3239,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="700d43b4-a42a-11d8-9c6d-0020ed76ef5a"> - <topic>Cyrus IMSPd multiple vulnerabilities</topic> - <affects> - <package> - <name>cyrus-imspd</name> - <range><lt>1.6a5</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The Cyrus team reported multiple vulnerabilities in older - versions of Cyrus IMSPd:</p> - <blockquote cite="http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&msg=25"> - <p>These releases correct a recently discovered buffer - overflow vulnerability, as well as clean up a significant - amount of buffer handling throughout the code.</p> - </blockquote> - </body> - </description> - <references> - <mlist>http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&msg=25</mlist> - </references> - <dates> - <discovery>2004-12-12</discovery> - <entry>2004-05-12</entry> - <modified>2004-06-27</modified> - </dates> - </vuln> - <vuln vid="fde53204-7ea6-11d8-9645-0020ed76ef5a"> <topic>insecure temporary file creation in xine-check, xine-bugreport</topic> <affects> 
@@ -2685,43 +3739,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="3a408f6f-9c52-11d8-9366-0020ed76ef5a"> - <topic>libpng denial-of-service</topic> - <affects> - <package> - <name>linux-png</name> - <range><le>1.0.14_3</le></range> - <range><ge>1.2</ge><le>1.2.2</le></range> - </package> - <package> - <name>png</name> - <range><lt>1.2.5_4</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Steve Grubb reports a buffer read overrun in - libpng's png_format_buffer function. A specially - constructed PNG image processed by an application using - libpng may trigger the buffer read overrun and possibly - result in an application crash.</p> - </body> - </description> - <references> - <cvename>CAN-2004-0421</cvename> - <url>http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120508</url> - <url>http://rhn.redhat.com/errata/RHSA-2004-181.html</url> - <url>http://secunia.com/advisories/11505</url> - <url>http://www.osvdb.org/5726</url> - <bid>10244</bid> - </references> - <dates> - <discovery>2004-04-29</discovery> - <entry>2004-05-02</entry> - <modified>2004-08-12</modified> - </dates> - </vuln> - <vuln vid="8338a20f-9573-11d8-9366-0020ed76ef5a"> <topic>xchat remotely exploitable buffer overflow (Socks5)</topic> <affects> 
@@ -2809,37 +3826,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="0c6f3fde-9c51-11d8-9366-0020ed76ef5a"> - <topic>Midnight Commander buffer overflows, format string bugs, and insecure temporary file handling</topic> - <affects> - <package> - <name>mc</name> - <range><lt>4.6.0_10</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Jakub Jelinek reports several security related bugs in - Midnight Commander, including:</p> - <ul> - <li>Multiple buffer overflows (CAN-2004-0226)</li> - <li>Insecure temporary file handling (CAN-2004-0231)</li> - <li>Format string bug (CAN-2004-0232)</li> - </ul> - </body> - </description> - <references> - <cvename>CAN-2004-0226</cvename> - <cvename>CAN-2004-0231</cvename> - <cvename>CAN-2004-0232</cvename> - </references> - <dates> - <discovery>2004-04-29</discovery> - <entry>2004-05-02</entry> - <modified>2004-06-14</modified> - </dates> - </vuln> - <vuln vid="fb521119-9bc4-11d8-9366-0020ed76ef5a"> <topic>pound remotely exploitable vulnerability</topic> <affects> 
@@ -2872,47 +3858,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="84237895-8f39-11d8-8b29-0020ed76ef5a"> - <topic>neon format string vulnerabilities</topic> - <affects> - <package> - <name>neon</name> - <range><lt>0.24.5</lt></range> - </package> - <package> - <name>tla</name> - <range><lt>1.2_1</lt></range> - </package> - <package> - <name>sitecopy</name> - <range><le>0.13.4_1</le></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Greuff reports that the neon WebDAV client library contains - several format string bugs within error reporting code. A - malicious server may exploit these bugs by sending specially - crafted PROPFIND or PROPPATCH responses.</p> - <p>Although several applications include neon, such as cadaver and - subversion, the FreeBSD Ports of these applications are not - impacted. They are specifically configured to NOT use the - included neon. Only packages listed as affected in this - notice are believed to be impacted.</p> - </body> - </description> - <references> - <cvename>CAN-2004-0179</cvename> - <url>http://www.webdav.org/neon/</url> - <url>http://secunia.com/advisories/11785</url> - </references> - <dates> - <discovery>2004-04-14</discovery> - <entry>2004-04-15</entry> - <modified>2004-06-25</modified> - </dates> - </vuln> - <vuln vid="cfe17ca6-6858-4805-ba1d-a60a61ec9b4d"> <topic>phpBB IP address spoofing</topic> <affects> 
@@ -3018,52 +3963,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="27c331d5-64c7-11d8-80e3-0020ed76ef5a"> - <topic>Vulnerabilities in H.323 implementations</topic> - <affects> - <package> - <name>pwlib</name> - <range><lt>1.5.0_5</lt></range> - </package> - <package> - <name>asterisk</name> - <range><le>0.7.2</le></range> - </package> - <package> - <name>openh323</name> - <range><lt>1.12.0_4</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The <a href="http://www.niscc.gov.uk/">NISCC</a> and the <a href="http://www.ee.oulu.fi/research/ouspg/">OUSPG</a> - developed a test suite for the H.323 protocol. This test - suite has uncovered vulnerabilities in several H.323 - implementations with impacts ranging from denial-of-service - to arbitrary code execution.</p> - <p>In the FreeBSD Ports Collection, `pwlib' is directly - affected. Other applications such as `asterisk' and - `openh323' incorporate `pwlib' statically and so are also - independently affected.</p> - </body> - </description> - <references> - <!-- General references --> - <url>http://www.uniras.gov.uk/vuls/2004/006489/h323.htm</url> - <url>http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html</url> - <certsa>CA-2004-01</certsa> - <certvu>749342</certvu> - <!-- pwlib and pwlib-using applications --> - <cvename>CAN-2004-0097</cvename> - <url>http://www.southeren.com/blog/archives/000055.html</url> - </references> - <dates> - <discovery>2004-01-13</discovery> - <entry>2004-02-22</entry> - <modified>2004-06-08</modified> - </dates> - </vuln> - <vuln vid="ccd698df-8e20-11d8-90d1-0020ed76ef5a"> <topic>racoon remote denial of service vulnerability (ISAKMP header length field)</topic> <affects> 
@@ -3300,139 +4199,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="98bd69c3-834b-11d8-a41f-0020ed76ef5a"> - <topic>Courier mail services: remotely exploitable buffer overflows</topic> - <affects> - <package> - <name>courier</name> - <range><lt>0.45</lt></range> - </package> - <package> - <name>courier-imap</name> - <range><lt>3.0,1</lt></range> - </package> - <package> - <name>sqwebmail</name> - <range><lt>4.0</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The Courier set of mail services use a common Unicode - library. This library contains buffer overflows in the - converters for two popular Japanese character encodings. - These overflows may be remotely exploitable, triggered by - a maliciously formatted email message that is later processed - by one of the Courier mail services. - From the release notes for the corrected versions of the - Courier set of mail services:</p> - <blockquote> - <p>iso2022jp.c: Converters became (upper-)compatible with - ISO-2022-JP (RFC1468 / JIS X 0208:1997 Annex 2) and - ISO-2022-JP-1 (RFC2237). Buffer overflow vulnerability - (when Unicode character is out of BMP range) has been - closed. Convert error handling was implemented.</p> - <p>shiftjis.c: Broken SHIFT_JIS converters has been fixed - and became (upper-)compatible with Shifted Encoding Method - (JIS X 0208:1997 Annex 1). Buffer overflow vulnerability - (when Unicode character is out of BMP range) has been - closed. 
Convert error handling was implemented.</p> - </blockquote> - </body> - </description> - <references> - <cvename>CAN-2004-0224</cvename> - <url>http://cvs.sourceforge.net/viewcvs.py/courier/libs/unicode/iso2022jp.c?rev=1.10&view=markup</url> - <url>http://cvs.sourceforge.net/viewcvs.py/courier/libs/unicode/shiftjis.c?rev=1.6&view=markup</url> - <bid>9845</bid> - <url>http://secunia.com/advisories/11087</url> - <url>http://www.osvdb.org/4194</url> - <url>http://www.osvdb.org/6927</url> - </references> - <dates> - <discovery>2004-02-01</discovery> - <entry>2004-03-31</entry> - <modified>2004-07-16</modified> - </dates> - </vuln> - - <vuln vid="b7cb488c-8349-11d8-a41f-0020ed76ef5a"> - <topic>isakmpd payload handling denial-of-service vulnerabilities</topic> - <affects> - <package> - <name>isakmpd</name> - <range><le>20030903</le></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Numerous errors in isakmpd's input packet validation lead to - denial-of-service vulnerabilities. 
From the Rapid7 advisory:</p> - <blockquote cite="http://www.rapid7.com/advisories/R7-0018.html"> - <p>The ISAKMP packet processing functions in OpenBSD's - isakmpd daemon contain multiple payload handling flaws - that allow a remote attacker to launch a denial of - service attack against the daemon.</p> - <p>Carefully crafted ISAKMP packets will cause the isakmpd - daemon to attempt out-of-bounds reads, exhaust available - memory, or loop endlessly (consuming 100% of the CPU).</p> - </blockquote> - </body> - </description> - <references> - <cvename>CAN-2004-0218</cvename> - <cvename>CAN-2004-0219</cvename> - <cvename>CAN-2004-0220</cvename> - <cvename>CAN-2004-0221</cvename> - <cvename>CAN-2004-0222</cvename> - <url>http://www.rapid7.com/advisories/R7-0018.html</url> - <url>http://www.openbsd.org/errata34.html</url> - </references> - <dates> - <discovery>2004-03-17</discovery> - <entry>2004-03-31</entry> - <modified>2004-09-14</modified> - </dates> - </vuln> - - <vuln vid="3362f2c1-8344-11d8-a41f-0020ed76ef5a"> - <cancelled /> - </vuln> - - <vuln vid="5e7f58c3-b3f8-4258-aeb8-795e5e940ff8"> - <topic>mplayer heap overflow in http requests</topic> - <affects> - <package> - <name>mplayer</name> - <name>mplayer-gtk</name> - <name>mplayer-esound</name> - <name>mplayer-gtk-esound</name> - <range><lt>0.92.1</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A remotely exploitable heap buffer overflow vulnerability was - found in MPlayer's URL decoding code. If an attacker can - cause MPlayer to visit a specially crafted URL, arbitrary code - execution with the privileges of the user running MPlayer may - occur. 
A `visit' might be caused by social engineering, or a - malicious web server could use HTTP redirects which MPlayer - would then process.</p> - </body> - </description> - <references> - <url>http://www.mplayerhq.hu/homepage/design6/news.html</url> - <mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=108066964709058</mlist> - <freebsdpr>ports/64974</freebsdpr> - </references> - <dates> - <discovery>2004-03-30</discovery> - <entry>2004-03-31</entry> - <modified>2004-06-27</modified> - </dates> - </vuln> - <vuln vid="705e003a-7f36-11d8-9645-0020ed76ef5a"> <topic>squid ACL bypass due to URL decoding bug</topic> <affects> 
@@ -3494,102 +4260,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="3e9be8c4-8192-11d8-9645-0020ed76ef5a"> - <topic>ecartis buffer overflows and input validation bugs</topic> - <affects> - <package> - <name>ecartis</name> - <range><lt>1.0.0.s20030814,1</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Timo Sirainen reports multiple buffer overflows that may be - triggered while parsing messages, as well as input validation - errors that could result in disclosure of mailing list - passwords.</p> - <p>These bugs were resolved in the August 2003 snapshot of - ecartis.</p> - </body> - </description> - <references> - <cvename>CAN-2003-0781</cvename> - <cvename>CAN-2003-0782</cvename> - <url>http://www.securiteam.com/unixfocus/5YP0H2AAUY.html</url> - <freebsdpr>ports/57082</freebsdpr> - </references> - <dates> - <discovery>2003-08-14</discovery> - <entry>2004-03-29</entry> - <modified>2004-06-27</modified> - </dates> - </vuln> - - <vuln vid="cdf18ed9-7f4a-11d8-9645-0020ed76ef5a"> - <topic>multiple vulnerabilities in ethereal</topic> - <affects> - <package> - <name>ethereal</name> - <name>tethereal</name> - <range><lt>0.10.3</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Stefan Esser of e-matters Security discovered a baker's dozen - of buffer overflows in Ethereal's decoders, including:</p> - <ul> - <li>NetFlow</li> - <li>IGAP</li> - <li>EIGRP</li> - <li>PGM</li> - <li>IRDA</li> - <li>BGP</li> - <li>ISUP</li> - <li>TCAP</li> - <li>UCP</li> - </ul> - <p>In addition, a vulnerability in the RADIUS decoder was found - by Jonathan Heusser.</p> - <p>Finally, there is one uncredited vulnerability described by the - Ethereal team as:</p> - <blockquote cite="http://www.ethereal.com/appnotes/enpa-sa-00013.html"> - <p>A zero-length Presentation protocol selector could make - Ethereal crash.</p> - </blockquote> - </body> - 
</description> - <references> - <url>http://www.ethereal.com/appnotes/enpa-sa-00013.html</url> - <cvename>CAN-2004-0176</cvename> - <cvename>CAN-2004-0365</cvename> - <cvename>CAN-2004-0367</cvename> - <certvu>119876</certvu> - <certvu>124454</certvu> - <certvu>125156</certvu> - <certvu>433596</certvu> - <certvu>591820</certvu> - <certvu>644886</certvu> - <certvu>659140</certvu> - <certvu>695486</certvu> - <certvu>740188</certvu> - <certvu>792286</certvu> - <certvu>864884</certvu> - <certvu>931588</certvu> - <url>http://security.e-matters.de/advisories/032004.html</url> - <url>http://secunia.com/advisories/11185</url> - <bid>9952</bid> - <url>http://www.osvdb.org/4462</url> - <url>http://www.osvdb.org/4463</url> - <url>http://www.osvdb.org/4464</url> - </references> - <dates> - <discovery>2004-03-23</discovery> - <entry>2004-03-26</entry> - <modified>2004-07-11</modified> - </dates> - </vuln> - <vuln vid="c551ae17-7f00-11d8-868e-000347dd607f"> <topic>multiple vulnerabilities in phpBB</topic> <affects> 
@@ -3675,34 +4345,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="c2e10368-77ab-11d8-b9e8-00e04ccb0a62"> - <topic>ModSecurity for Apache 2.x remote off-by-one overflow</topic> - <affects> - <package> - <name>mod_security</name> - <range><lt>1.7.5</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>When the directive "SecFilterScanPost" is enabled, - the Apache 2.x version of ModSecurity is vulnerable - to an off-by-one overflow</p> - </body> - </description> - <references> - <url>http://www.s-quadra.com/advisories/Adv-20040315.txt</url> - <bid>9885</bid> - <url>http://secunia.com/advisories/11138</url> - <certvu>779438</certvu> - </references> - <dates> - <discovery>2004-02-09</discovery> - <entry>2004-03-17</entry> - <modified>2004-06-27</modified> - </dates> - </vuln> - <vuln vid="3b7c7f6c-7102-11d8-873f-0020ed76ef5a"> <topic>wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed</topic> <affects> 
@@ -3741,40 +4383,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </dates> </vuln> - <vuln vid="492f8896-70fa-11d8-873f-0020ed76ef5a"> - <topic>Apache 2 mod_ssl denial-of-service</topic> - <affects> - <package> - <name>apache</name> - <range><ge>2.0</ge><le>2.0.48_3</le></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Joe Orton reports a memory leak in Apache 2's mod_ssl. - A remote attacker may issue HTTP requests on an HTTPS - port, causing an error. Due to a bug in processing this - condition, memory associated with the connection is - not freed. Repeated requests can result in consuming - all available memory resources, probably resulting in - termination of the Apache process.</p> - </body> - </description> - <references> - <cvename>CAN-2004-0113</cvename> - <url>http://www.apacheweek.com/features/security-20</url> - <url>http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.100.2.11&r2=1.100.2.12</url> - <mlist>http://marc.theaimsgroup.com/?l=apache-cvs&m=107869699329638</mlist> - <url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106</url> - <bid>9826</bid> - </references> - <dates> - <discovery>2004-02-20</discovery> - <entry>2004-03-08</entry> - <modified>2004-05-19</modified> - </dates> - </vuln> - <vuln vid="8471bb85-6fb0-11d8-873f-0020ed76ef5a"> <topic>GNU Anubis buffer overflows and format string vulnerabilities</topic> <affects> 
@@ -4777,38 +5385,6 @@ misc.c: </dates> </vuln> - <vuln vid="74a9541d-5d6c-11d8-80e3-0020ed76ef5a"> - <topic>clamav remote denial-of-service</topic> - <affects> - <package> - <name>clamav</name> - <range><lt>0.65_7</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>clamav will exit when a programming - assertion is not met. A malformed uuencoded message can - trigger this assertion, allowing an attacker to trivially - crash clamd or other components of clamav.</p> - </body> - </description> - <references> - <freebsdpr>ports/62586</freebsdpr> - <mlist msgid="40279811.9050407@fillmore-labs.com">http://www.securityfocus.com/archive/1/353186</mlist> - <url>http://www.osvdb.org/3894</url> - <bid>9610</bid> - <url>http://secunia.com/advisories/10826</url> - <cvename>CAN-2004-0270</cvename> - <url>http://xforce.iss.net/xforce/xfdb/15077</url> - </references> - <dates> - <discovery>2004-02-09</discovery> - <entry>2004-02-12</entry> - <modified>2004-06-27</modified> - </dates> - </vuln> - <vuln vid="67c05283-5d62-11d8-80e3-0020ed76ef5a"> <topic>Buffer overflow in Mutt 1.4</topic> <affects> 
@@ -5155,589 +5731,11 @@ misc.c: </dates> </vuln> - <vuln vid="0d4c31ac-cb91-11d8-8898-000d6111a684"> - <topic>Remote code injection in phpMyAdmin</topic> - <affects> - <package> - <name>phpmyadmin</name> - <range><lt>2.5.7.1</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>This vulnerability would allow remote user to inject PHP code - to be executed by eval() function. This vulnerability is only - exploitable if variable $cfg['LeftFrameLight'] is set to FALSE (in - file config.inc.php).</p> - </body> - </description> - <references> - <url>http://sf.net/forum/forum.php?forum_id=387635</url> - <mlist msgid="20040629025752.976.qmail@www.securityfocus.com">http://www.securityfocus.com/archive/1/367486</mlist> - <url>http://secunia.com/advisories/11974</url> - <url>http://eagle.kecapi.com/sec/fd/phpMyAdmin.html</url> - </references> - <dates> - <discovery>2004-06-29</discovery> - <entry>2004-07-02</entry> - </dates> - </vuln> - - <vuln vid="4d837296-cc28-11d8-a54c-02e0185c0b53"> - <topic>GNATS local privilege elevation</topic> - <affects> - <package> - <name>gnats</name> - <range><le>3.113.1_9</le></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>GNATS 3.113.1 contains multiple buffer overflows, through which a - local attacker could gain elevated privileges on the system.</p> - </body> - </description> - <references> - <freebsdpr>ports/56006</freebsdpr> - <mlist msgid="20040625164231.7437.qmail@www.securityfocus.com">http://www.securityfocus.com/archive/1/326337</mlist> - <url>http://www.securiteam.com/unixfocus/5CP0N0UAAA.html</url> - <url>http://secunia.com/advisories/9096</url> - <url>http://x82.inetcop.org/h0me/adv1sor1es/INCSA.2003-0x82-018-GNATS-bt.txt</url> - <url>http://www.gnu.org/software/gnats/gnats.html</url> - <url>http://www.osvdb.org/2190</url> - <url>http://www.osvdb.org/4600</url> - <url>http://www.osvdb.org/4601</url> - 
<url>http://www.osvdb.org/4607</url> - </references> - <dates> - <discovery>2003-06-21</discovery> - <entry>2004-07-02</entry> - </dates> - </vuln> - - <vuln vid="c5519420-cec2-11d8-8898-000d6111a684"> - <topic>"Content-Type" XSS vulnerability affecting other webmail systems</topic> - <affects> - <package> - <name>openwebmail</name> - <range><le>2.32</le></range> - </package> - <package> - <name>ilohamail</name> - <range><lt>0.8.13</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Roman Medina-Heigl Hernandez did a survey which other webmail systems - where vulnerable to a bug he discovered in SquirrelMail. This advisory - summarizes the results.</p> - </body> - </description> - <references> - <url>http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-2.txt</url> - <url>http://www.freebsd.org/ports/portaudit/89a0de27-bf66-11d8-a252-02e0185c0b53.html</url> - <url>http://www.freebsd.org/ports/portaudit/911f1b19-bd20-11d8-84f9-000bdb1444a4.html</url> - <url>http://www.freebsd.org/ports/portaudit/c3e56efa-c42f-11d8-864c-02e0185c0b53.html</url> - <cvename>CAN-2004-0519</cvename> - </references> - <dates> - <discovery>2004-05-29</discovery> - <entry>2004-07-05</entry> - </dates> - </vuln> - - <vuln vid="e5e2883d-ceb9-11d8-8898-000d6111a684"> - <topic>MySQL authentication bypass / buffer overflow</topic> - <affects> - <package> - <name>mysql-server</name> - <range><ge>4.1</ge><lt>4.1.3</lt></range> - <range><ge>5</ge><le>5.0.0_2</le></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>By submitting a carefully crafted authentication packet, it is possible - for an attacker to bypass password authentication in MySQL 4.1. 
Using a - similar method, a stack buffer used in the authentication mechanism can - be overflowed.</p> - </body> - </description> - <references> - <cvename>CAN-2004-0627</cvename> - <cvename>CAN-2004-0628</cvename> - <certvu>184030</certvu> - <certvu>645326</certvu> - <url>http://www.nextgenss.com/advisories/mysql-authbypass.txt</url> - <url>http://dev.mysql.com/doc/mysql/en/News-4.1.3.html</url> - <url>http://secunia.com/advisories/12020</url> - <url>http://www.osvdb.org/7475</url> - <url>http://www.osvdb.org/7476</url> - <mlist msgid="Pine.LNX.4.44.0407080940550.9602-200000@pineapple.shacknet.nu">http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0003.html</mlist> - </references> - <dates> - <discovery>2004-07-01</discovery> - <entry>2004-07-05</entry> - <modified>2004-08-28</modified> - </dates> - </vuln> - - <vuln vid="74d06b67-d2cf-11d8-b479-02e0185c0b53"> - <topic>multiple vulnerabilities in ethereal</topic> - <affects> - <package> - <name>ethereal</name> - <name>ethereal-lite</name> - <name>tethereal</name> - <name>tethereal-lite</name> - <range><lt>0.10.4</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Issues have been discovered in multiple protocol dissectors.</p> - </body> - </description> - <references> - <url>http://www.ethereal.com/appnotes/enpa-sa-00014.html</url> - <cvename>CAN-2004-0504</cvename> - <cvename>CAN-2004-0505</cvename> - <cvename>CAN-2004-0506</cvename> - <cvename>CAN-2004-0507</cvename> - <url>http://secunia.com/advisories/11608</url> - <bid>10347</bid> - <url>http://www.osvdb.org/6131</url> - <url>http://www.osvdb.org/6132</url> - <url>http://www.osvdb.org/6133</url> - <url>http://www.osvdb.org/6134</url> - </references> - <dates> - <discovery>2004-05-13</discovery> - <entry>2004-07-11</entry> - </dates> - </vuln> - - <vuln vid="265c8b00-d2d0-11d8-b479-02e0185c0b53"> - <topic>multiple vulnerabilities in ethereal</topic> - <affects> - <package> - <name>ethereal</name> - 
<name>ethereal-lite</name> - <name>tethereal</name> - <name>tethereal-lite</name> - <range><lt>0.10.5</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Issues have been discovered in multiple protocol dissectors.</p> - </body> - </description> - <references> - <url>http://www.ethereal.com/appnotes/enpa-sa-00015.html</url> - <cvename>CAN-2004-0633</cvename> - <cvename>CAN-2004-0634</cvename> - <cvename>CAN-2004-0635</cvename> - <url>http://secunia.com/advisories/12024</url> - <bid>10672</bid> - <url>http://www.osvdb.org/7536</url> - <url>http://www.osvdb.org/7537</url> - <url>http://www.osvdb.org/7538</url> - </references> - <dates> - <discovery>2004-07-06</discovery> - <entry>2004-07-11</entry> - </dates> - </vuln> - - <vuln vid="4764cfd6-d630-11d8-b479-02e0185c0b53"> - <topic>PHP memory_limit and strip_tags() vulnerabilities</topic> - <affects> - <package> - <name>php4</name> - <name>php4-cgi</name> - <name>php4-cli</name> - <name>php4-dtc</name> - <name>php4-horde</name> - <name>php4-nms</name> - <name>mod_php4-twig</name> - <range><lt>4.3.8</lt></range> - </package> - <package> - <name>mod_php4</name> - <range><lt>4.3.8,1</lt></range> - </package> - <package> - <name>php5</name> - <name>php5-cgi</name> - <name>php5-cli</name> - <range><lt>5.0.0</lt></range> - </package> - <package> - <name>mod_php5</name> - <range><lt>5.0.0,1</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Stefan Esser has reported two vulnerabilities in PHP, which can - be exploited by malicious people to bypass security functionality - or compromise a vulnerable system. An error within PHP's memory_limit - request termination allows remote code execution on PHP servers - with activated memory_limit. 
A binary safety problem within PHP's - strip_tags() function may allow injection of arbitrary tags in - Internet Explorer and Safari browsers.</p> - </body> - </description> - <references> - <url>http://www.php.net/ChangeLog-4.php</url> - <url>http://www.php.net/ChangeLog-5.php</url> - <url>http://security.e-matters.de/advisories/112004.html</url> - <url>http://security.e-matters.de/advisories/122004.html</url> - <url>http://secunia.com/advisories/12064</url> - <url>http://www.osvdb.org/7870</url> - <url>http://www.osvdb.org/7871</url> - <cvename>CAN-2004-0594</cvename> - <cvename>CAN-2004-0595</cvename> - </references> - <dates> - <discovery>2007-07-07</discovery> - <entry>2004-07-15</entry> - <modified>2004-08-12</modified> - </dates> - </vuln> - - <vuln vid="730db824-e216-11d8-9b0a-000347a4fa7d"> - <topic>Mozilla / Firefox user interface spoofing vulnerability</topic> - <affects> - <package> - <name>firefox</name> - <range><le>0.9.1_1</le></range> - </package> - <package> - <name>linux-mozilla</name> - <range><le>1.7.1</le></range> - </package> - <package> - <name>linux-mozilla-devel</name> - <range><le>1.7.1</le></range> - </package> - <package> - <name>mozilla</name> - <range><le>1.7.1,2</le></range> - <range><ge>1.8.a,2</ge><le>1.8.a2,2</le></range> - </package> - <package> - <name>mozilla-gtk1</name> - <range><le>1.7.1_1</le></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The Mozilla project's family of browsers contain a design - flaw that can allow a website to spoof almost perfectly any - part of the Mozilla user interface, including spoofing web - sites for phishing or internal elements such as the "Master - Password" dialog box. This achieved by manipulating "chrome" - through remote XUL content. 
Recent versions of Mozilla have - been fixed to not allow untrusted documents to utilize - "chrome" in this way.</p> - </body> - </description> - <references> - <cvename>CAN-2004-0764</cvename> - <url>http://bugzilla.mozilla.org/show_bug.cgi?id=22183</url> - <url>http://bugzilla.mozilla.org/show_bug.cgi?id=244965</url> - <url>http://bugzilla.mozilla.org/show_bug.cgi?id=252198</url> - <url>http://www.nd.edu/~jsmith30/xul/test/spoof.html</url> - <url>http://secunia.com/advisories/12188</url> - <bid>10832</bid> - </references> - <dates> - <discovery>2004-07-19</discovery> - <entry>2004-07-30</entry> - <modified>2004-08-15</modified> - </dates> - </vuln> - - <vuln vid="f9e3e60b-e650-11d8-9b0a-000347a4fa7d"> - <topic>libpng stack-based buffer overflow and other code concerns</topic> - <affects> - <package> - <name>png</name> - <range><le>1.2.5_7</le></range> - </package> - <package> - <name>linux-png</name> - <range><le>1.0.14_3</le></range> - <range><ge>1.2</ge><le>1.2.2</le></range> - </package> - <package> - <name>firefox</name> - <range><lt>0.9.3</lt></range> - </package> - <package> - <name>thunderbird</name> - <range><lt>0.7.3</lt></range> - </package> - <package> - <name>linux-mozilla</name> - <range><lt>1.7.2</lt></range> - </package> - <package> - <name>linux-mozilla-devel</name> - <range><lt>1.7.2</lt></range> - </package> - <package> - <name>mozilla</name> - <range><lt>1.7.2,2</lt></range> - <range><ge>1.8.a,2</ge><le>1.8.a2,2</le></range> - </package> - <package> - <name>mozilla-gtk1</name> - <range><lt>1.7.2</lt></range> - </package> - <package> - <name>netscape-communicator</name> - <name>netscape-navigator</name> - <range><le>4.78</le></range> - </package> - <package> - <name>linux-netscape-communicator</name> - <name>linux-netscape-navigator</name> - <name>ko-netscape-navigator-linux</name> - <name>ko-netscape-communicator-linux</name> - <name>ja-netscape-communicator-linux</name> - <name>ja-netscape-navigator-linux</name> - <range><le>4.8</le></range> - 
</package> - <package> - <name>netscape7</name> - <name>ja-netscape7</name> - <range><le>7.1</le></range> - </package> - <package> - <name>pt_BR-netscape7</name> - <name>fr-netscape7</name> - <name>de-netscape7</name> - <range><le>7.02</le></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Chris Evans has discovered multiple vulnerabilities in libpng, - which can be exploited by malicious people to compromise a - vulnerable system or cause a DoS (Denial of Service).</p> - </body> - </description> - <references> - <mlist msgid="Pine.LNX.4.58.0408041840080.20655@sphinx.mythic-beasts.com">http://www.securityfocus.com/archive/1/370853</mlist> - <url>http://scary.beasts.org/security/CESA-2004-001.txt</url> - <url>http://www.osvdb.org/8312</url> - <url>http://www.osvdb.org/8313</url> - <url>http://www.osvdb.org/8314</url> - <url>http://www.osvdb.org/8315</url> - <url>http://www.osvdb.org/8316</url> - <cvename>CAN-2004-0597</cvename> - <cvename>CAN-2004-0598</cvename> - <cvename>CAN-2004-0599</cvename> - <certvu>388984</certvu> - <certvu>236656</certvu> - <certvu>160448</certvu> - <certvu>477512</certvu> - <certvu>817368</certvu> - <certvu>286464</certvu> - <url>http://secunia.com/advisories/12219</url> - <url>http://secunia.com/advisories/12232</url> - <url>http://bugzilla.mozilla.org/show_bug.cgi?id=251381</url> - <uscertta>TA04-217A</uscertta> - <url>http://dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt</url> - </references> - <dates> - <discovery>2004-08-04</discovery> - <entry>2004-08-04</entry> - <modified>2004-08-15</modified> - </dates> - </vuln> - - <vuln vid="abe47a5a-e23c-11d8-9b0a-000347a4fa7d"> - <topic>Mozilla certificate spoofing</topic> - <affects> - <package> - <name>firefox</name> - <range><ge>0.9.1</ge><le>0.9.2</le></range> - </package> - <package> - <name>linux-mozilla</name> - <range><lt>1.7.2</lt></range> - </package> - <package> - <name>linux-mozilla-devel</name> - <range><lt>1.7.2</lt></range> 
- </package> - <package> - <name>mozilla</name> - <range><lt>1.7.2,2</lt></range> - <range><ge>1.8,2</ge><le>1.8.a2,2</le></range> - </package> - <package> - <name>mozilla-gtk1</name> - <range><lt>1.7.2</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Mozilla and Mozilla Firefox contains a flaw that may - allow a malicious user to spoof SSL certification.</p> - </body> - </description> - <references> - <mlist msgid="003a01c472ba$b2060900$6501a8c0@sec">http://www.securityfocus.com/archive/1/369953</mlist> - <url>http://www.cipher.org.uk/index.php?p=advisories/Certificate_Spoofing_Mozilla_FireFox_25-07-2004.advisory</url> - <url>http://secunia.com/advisories/12160</url> - <url>http://bugzilla.mozilla.org/show_bug.cgi?id=253121</url> - <url>http://www.osvdb.org/8238</url> - <bid>10796</bid> - <cvename>CAN-2004-0763</cvename> - </references> - <dates> - <discovery>2004-07-25</discovery> - <entry>2004-07-30</entry> - <modified>2004-08-12</modified> - </dates> - </vuln> - - <vuln vid="a713c0f9-ec54-11d8-9440-000347a4fa7d"> - <topic>ImageMagick png vulnerability fix</topic> - <affects> - <package> - <name>ImageMagick</name> - <name>ImageMagick-nox11</name> - <range><lt>6.0.4.2</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>Glenn Randers-Pehrson has contributed a fix for the png - vulnerabilities discovered by Chris Evans.</p> - </body> - </description> - <references> - <url>http://studio.imagemagick.org/pipermail/magick-users/2004-August/013218.html</url> - <url>http://freshmeat.net/releases/169228</url> - <url>http://secunia.com/advisories/12236</url> - <url>http://www.freebsd.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html</url> - </references> - <dates> - <discovery>2004-08-04</discovery> - <entry>2004-08-04</entry> - <modified>2004-08-12</modified> - </dates> - </vuln> - - <vuln vid="e811aaf1-f015-11d8-876f-00902714cc7c"> - <topic>Ruby 
insecure file permissions in the CGI session management</topic> - <affects> - <package> - <name>ruby</name> - <range><lt>1.6.8.2004.07.26</lt></range> - <range><ge>1.7.0</ge><lt>1.8.1.2004.07.23</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>According to a Debian Security Advisory:</p> - <blockquote cite="http://www.debian.org/security/2004/dsa-537"> - <p>Andres Salomon noticed a problem in the CGI session - management of Ruby, an object-oriented scripting language. - CGI::Session's FileStore (and presumably PStore [...]) - implementations store session information insecurely. - They simply create files, ignoring permission issues. - This can lead an attacker who has also shell access to the - webserver to take over a session.</p> - </blockquote> - </body> - </description> - <references> - <cvename>CAN-2004-0755</cvename> - <url>http://xforce.iss.net/xforce/xfdb/16996</url> - <url>http://www.debian.org/security/2004/dsa-537</url> - <mlist>http://marc.theaimsgroup.com/?l=bugtraq&m=109267579822250&w=2</mlist> - </references> - <dates> - <discovery>2004-08-16</discovery> - <entry>2004-08-16</entry> - <modified>2004-08-28</modified> - </dates> + <vuln vid="6fd9a1e9-efd3-11d8-9837-000c41e2cdad"> + <cancelled/> </vuln> - <vuln vid="d2102505-f03d-11d8-81b0-000347a4fa7d"> - <topic>cvs --- numerous vulnerabilities</topic> - <affects> - <package> - <name>cvs+ipv6</name> - <range><lt>1.11.17</lt></range> - </package> - </affects> - <description> - <body xmlns="http://www.w3.org/1999/xhtml"> - <p>A number of vulnerabilities were discovered in CVS by - Stefan Esser, Sebastian Krahmer, and Derek Price.</p> - <ul> - <li>Insufficient input validation while processing "Entry" - lines. (CAN-2004-0414)</li> - <li>A double-free resulting from erroneous state handling while - processing "Argumentx" commands. (CAN-2004-0416)</li> - <li>Integer overflow while processing "Max-dotdot" commands. 
- (CAN-2004-0417)</li> - <li>Erroneous handling of empty entries handled while processing - "Notify" commands. (CAN-2004-0418)</li> - <li>A format string bug while processing CVS wrappers.</li> - <li>Single-byte buffer underflows while processing configuration files - from CVSROOT.</li> - <li>Various other integer overflows.</li> - </ul> - <p>Additionally, iDEFENSE reports an undocumented command-line - flag used in debugging does not perform input validation on - the given path names.</p> - <p>CVS servers ("cvs server" or :pserver: modes) are - affected by these vulnerabilities. They vary in impact - but include information disclosure (the iDEFENSE-reported - bug), denial-of-service (CAN-2004-0414, CAN-2004-0416, - CAN-2004-0417 and other bugs), or possibly arbitrary code - execution (CAN-2004-0418). In very special situations where - the attacker may somehow influence the contents of CVS - configuration files in CVSROOT, additional attacks may be - possible.</p> - </body> - </description> - <references> - <cvename>CAN-2004-0414</cvename> - <cvename>CAN-2004-0416</cvename> - <cvename>CAN-2004-0417</cvename> - <cvename>CAN-2004-0418</cvename> - <cvename>CAN-2004-0778</cvename> - <url>http://secunia.com/advisories/11817</url> - <url>http://secunia.com/advisories/12309</url> - <url>http://security.e-matters.de/advisories/092004.html</url> - <url>http://www.idefense.com/application/poi/display?id=130&type=vulnerabilities&flashstatus=false</url> - <url>https://ccvs.cvshome.org/source/browse/ccvs/NEWS?rev=1.116.2.104</url> - <url>http://www.osvdb.org/6830</url> - <url>http://www.osvdb.org/6831</url> - <url>http://www.osvdb.org/6832</url> - <url>http://www.osvdb.org/6833</url> - <url>http://www.osvdb.org/6834</url> - <url>http://www.osvdb.org/6835</url> - <url>http://www.osvdb.org/6836</url> - <url>http://www.packetstormsecurity.org/0405-exploits/cvs_linux_freebsd_HEAP.c</url> - <bid>10499</bid> - <freebsdsa>SA-04:14.cvs</freebsdsa> - </references> - <dates> - 
<discovery>2004-05-20</discovery> - <entry>2004-08-17</entry> - <modified>2004-09-19</modified> - </dates> + <vuln vid="3362f2c1-8344-11d8-a41f-0020ed76ef5a"> + <cancelled/> </vuln> </vuxml> |
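Review bot: the cvs entry deleted in this hunk (`<vuln vid="d2102505-f03d-11d8-81b0-000347a4fa7d">`) is the one the commit message says is gaining affected FreeBSD versions, yet within this hunk it is only removed; the re-added copy must keep the full reference set (CAN-2004-0414, -0416, -0417, -0418, -0778, `<freebsdsa>SA-04:14.cvs</freebsdsa>`, bid 10499) and should bump nothing but the `<modified>` date if the `<affects>` block changes. Two further points in the same hunk: first, the removed php4/php5 entry carries `<discovery>2007-07-07</discovery>` alongside `<entry>2004-07-15</entry>` and `<modified>2004-08-12</modified>`, so the discovery date is later than the entry date and is clearly a typo (the e-matters advisories it cites are from July 2004); correct it when the entry is moved rather than copying the bad value forward. Second, the two stubs added here, `<vuln vid="6fd9a1e9-efd3-11d8-9837-000c41e2cdad">` / `<cancelled/>` and `<vuln vid="3362f2c1-8344-11d8-a41f-0020ed76ef5a">` / `<cancelled/>`, correspond to no entry deleted in this hunk; confirm they cancel vids that already existed elsewhere in the file (and that the originals are removed there) rather than minting fresh vids purely to cancel them.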