path: root/security/vuxml/vuln.xml

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
<!--
Copyright 2003, 2004 Jacques Vidrine and contributors

Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
HTML, PDF, PostScript, RTF and so forth) with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code (VuXML) must retain the above
   copyright notice, this list of conditions and the following
   disclaimer as the first lines of this file unmodified.
2. Redistributions in compiled form (transformed to other DTDs,
   published online in any format, converted to PDF, PostScript,
   RTF and other formats) must reproduce the above copyright
   notice, this list of conditions and the following disclaimer
   in the documentation and/or other materials provided with the
   distribution.

THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

  $FreeBSD$

-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="762d1c6d-0722-11d9-b45d-000c41e2cdad">
    <topic>apache --- apr_uri_parse IPv6 address handling vulnerability</topic>
    <affects>
      <package>
    <name>apache</name>
    <range><ge>2.0</ge><lt>2.0.51</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>The Apache Software Foundation Security Team discovered a
      programming error in the apr-util library function apr_uri_parse.
      When parsing IPv6 literal addresses, it is possible that a
      length is incorrectly calculated to be negative, and this
      value is passed to memcpy.  This may result in an exploitable
      vulnerability on some platforms, including FreeBSD.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0786</cvename>
      <url>http://httpd.apache.org</url>
    </references>
    <dates>
      <discovery>2004-09-15</discovery>
      <entry>2004-09-15</entry>
    </dates>
  </vuln>

  <vuln vid="ef253f8b-0727-11d9-b45d-000c41e2cdad">
    <topic>xpm --- image decoding vulnerabilities</topic>
    <affects>
      <package>
    <name>agenda-snow-libs</name>
    <name>libXpm</name>
    <name>mupad</name>
    <name>XFree86-libraries</name>
    <name>xorg-libraries</name>
    <name>xpm</name>
    <name>zh-cle_base</name>
    <range><ge>0</ge></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Chris Evans discovered several vulnerabilities in the libXpm
      image decoder:</p>
    <ul>
      <li>A stack-based buffer overflow in xpmParseColors</li>
      <li>An integer overflow in xpmParseColors</li>
      <li>A stack-based buffer overflow in ParsePixels and
        ParseAndPutPixels</li>
    </ul>
    <p>The X11R6.8.1 release announcement reads:</p>
    <blockquote
      cite="http://freedesktop.org/pipermail/xorg/2004-September/003172.html">
          <p>This version is purely a security release, addressing
            multiple integer and stack overflows in libXpm, the X
            Pixmap library; all known versions of X (both XFree86
            and X.Org) are affected, so all users of X are strongly
            encouraged to upgrade.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0687</cvename>
      <cvename>CAN-2004-0688</cvename>
      <url>http://freedesktop.org/pipermail/xorg/2004-September/003172.html</url>
    </references>
    <dates>
      <discovery>2004-09-15</discovery>
      <entry>2004-09-15</entry>
    </dates>
  </vuln>

  <vuln vid="013fa252-0724-11d9-b45d-000c41e2cdad">
    <topic>mod_dav --- lock related denial-of-service</topic>
    <affects>
      <package>
    <name>apache</name>
    <range><ge>2.0</ge><lt>2.0.51</lt></range>
      </package>
      <package>
    <name>mod_dav</name>
    <range><le>1.0.3_1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A malicious user with DAV write privileges can trigger a null
      pointer dereference in the Apache mod_dav module.  This
      could cause the server to become unavailable.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0809</cvename>
      <url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183</url>
    </references>
    <dates>
      <discovery>2004-09-15</discovery>
      <entry>2004-09-15</entry>
    </dates>
  </vuln>

  <vuln vid="4d49f4ba-071f-11d9-b45d-000c41e2cdad">
    <topic>apache --- ap_resolve_env buffer overflow</topic>
    <affects>
      <package>
    <name>apache</name>
    <range><ge>2.0</ge><lt>2.0.51</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>SITIC discovered a vulnerability in Apache 2's handling of
      environmental variable settings in the httpd configuration
      files (the main `httpd.conf' and `.htaccess' files).
      According to a SITIC advisory:</p>
    <blockquote
      cite="http://lists.netsys.com/pipermail/full-disclosure/2004-September/026463.html">
          <p>The buffer overflow occurs when expanding ${ENVVAR}
            constructs in .htaccess or httpd.conf files. The function
            ap_resolve_env() in server/util.c copies data from
            environment variables to the character array tmp with
            strcat(3), leading to a buffer overflow. </p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0747</cvename>
      <mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-September/026463.html</mlist>
    </references>
    <dates>
      <discovery>2004-09-15</discovery>
      <entry>2004-09-15</entry>
    </dates>
  </vuln>

  <vuln vid="a711de5c-05fa-11d9-a9b2-00061bc2ad93">
    <topic>samba3 DoS attack</topic>
    <affects>
      <package>
        <name>samba3</name>
        <range><lt>3.0.7,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Code found in nmbd and smbd may allow a remote attacker
      to effectively crash the nmbd server or use the smbd
      server to exhaust the system memory.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0807</cvename>
      <cvename>CAN-2004-0808</cvename>
      <url>http://www.idefense.com/application/poi/display?id=139&amp;type=vulnerabilities</url>
    </references>
    <dates>
      <discovery>2004-09-02</discovery>
      <entry>2004-09-14</entry>
    </dates>
  </vuln>

  <vuln vid="c1d97a8b-05ed-11d9-b45d-000c41e2cdad">
    <topic>mozilla --- POP client heap overflow</topic>
    <affects>
      <package>
    <name>mozilla</name>
    <range><lt>1.7,2</lt></range>
      </package>
      <package>
    <name>linux-mozilla</name>
    <range><lt>1.7</lt></range>
      </package>
      <package>
    <name>netscape7</name>
    <range><lt>7.2</lt></range>
      </package>
      <package>
    <name>thunderbird</name>
    <range><lt>0.7</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>zen-parse discovered a heap buffer overflow in Mozilla's
          POP client implementation.  A malicious POP server
          could exploit this vulnerability to cause Mozilla to execute
      arbitrary code.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0757</cvename>
      <url>http://bugzilla.mozilla.org/show_bug.cgi?id=229374</url>
      <url>http://bugzilla.mozilla.org/show_bug.cgi?id=157644</url>
    </references>
    <dates>
      <discovery>2004-07-22</discovery>
      <entry>2004-09-14</entry>
    </dates>
  </vuln>

  <vuln vid="a4fd8f53-05eb-11d9-b45d-000c41e2cdad">
    <topic>mozilla --- SOAPParameter integer overflow</topic>
    <affects>
      <package>
    <name>firebird</name>
    <range><lt>0.9</lt></range>
      </package>
      <package>
    <name>linux-mozilla</name>
        <name>linux-mozilla-devel</name>
        <name>mozilla-gtk1</name>
    <range><lt>1.7</lt></range>
      </package>
      <package>
    <name>mozilla</name>
    <range><lt>1.7,2</lt></range>
      </package>
      <package>
    <name>netscape7</name>
    <range><lt>7.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>zen-parse discovered and iDEFENSE reported an exploitable
          integer overflow in a scriptable Mozilla component
          `SOAPParameter':</p>
    <blockquote
      cite="http://www.idefense.com/application/poi/display?id=117&amp;type=vulnerabilities">
          <p>Improper input validation to the SOAPParameter object
            constructor in Netscape and Mozilla allows execution of
            arbitrary code.  The SOAPParameter object's constructor
            contains an integer overflow which allows controllable
            heap corruption.  A web page can be constructed to
        leverage this into remote execution of arbitrary code.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0722</cvename>
      <url>http://bugzilla.mozilla.org/show_bug.cgi?id=236618</url>
    </references>
    <dates>
      <discovery>2004-08-02</discovery>
      <entry>2004-09-14</entry>
    </dates>
  </vuln>

  <vuln vid="c62dc69f-05c8-11d9-b45d-000c41e2cdad">
    <topic>openoffice --- document disclosure</topic>
    <affects>
      <package>
    <name>openoffice</name>
    <name>ar-openoffice</name>
    <name>ca-openoffice</name>
    <name>cs-openoffice</name>
    <name>de-openoffice</name>
    <name>dk-openoffice</name>
    <name>el-openoffice</name>
    <name>es-openoffice</name>
    <name>et-openoffice</name>
    <name>fi-openoffice</name>
    <name>fr-openoffice</name>
    <name>gr-openoffice</name>
    <name>hu-openoffice</name>
    <name>it-openoffice</name>
    <name>ja-openoffice</name>
    <name>ko-openoffice</name>
    <name>nl-openoffice</name>
    <name>pl-openoffice</name>
    <name>pt-openoffice</name>
    <name>pt_BR-openoffice</name>
    <name>ru-openoffice</name>
    <name>se-openoffice</name>
    <name>sk-openoffice</name>
    <name>sl-openoffice-SI</name>
    <name>tr-openoffice</name>
    <name>zh-openoffice-CN</name>
    <name>zh-openoffice-TW</name>
    <range><lt>1.1.2_1</lt></range>
    <range><ge>2.0</ge></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>OpenOffice creates a working directory in /tmp on startup,
          and uses this directory to temporarily store document
          content.  However, the permissions of the created directory
          may allow other user on the system to read these files,
          potentially exposing information the user likely assumed was
          inaccessible.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0752</cvename>
      <url>http://www.openoffice.org/issues/show_bug.cgi?id=33357</url>
      <url>http://securitytracker.com/alerts/2004/Sep/1011205.html</url>
      <mlist msgid="20040910152759.7739.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109483308421566</mlist>
    </references>
    <dates>
      <discovery>2004-08-24</discovery>
      <entry>2004-09-14</entry>
    </dates>
  </vuln>

  <vuln vid="ae7b7f65-05c7-11d9-b45d-000c41e2cdad">
    <topic>webmin --- insecure temporary file creation at installation
      time</topic>
    <affects>
      <package>
    <name>webmin</name>
    <range><lt>1.160</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p></p>
    <blockquote cite="http://www.webmin.com/changes-1.160.html">
          <p>Fixed a security hole in the maketemp.pl script, used
            to create the /tmp/.webmin directory at install time. If
            an un-trusted user creates this directory before Webmin
            is installed, he could create in it a symbolic link
            pointing to a critical file on the system, which would be
            overwritten when Webmin writes to the link filename.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0559</cvename>
      <url>http://www.webmin.com/changes-1.160.html</url>
    </references>
    <dates>
      <discovery>2004-09-05</discovery>
      <entry>2004-09-14</entry>
    </dates>
  </vuln>

  <vuln vid="15e0e963-02ed-11d9-a209-00061bc2ad93">
    <topic>mpg123 buffer overflow</topic>
    <affects>
      <package>
        <name>mpg123</name>
        <range><le>0.59r</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The mpg123 software version 0.59r contains a
          buffer overflow vulnerability which may permit
          the execution of arbitrary code as the owner of
          the mpg123 process.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0805</cvename>
      <url>http://www.alighieri.org/advisories/advisory-mpg123.txt</url>
    </references>
    <dates>
      <discovery>2003-08-16</discovery>
      <entry>2004-09-14</entry>
    </dates>
  </vuln>

  <vuln vid="86a98b57-fb8e-11d8-9343-000a95bc6fae">
    <topic>krb5 -- double-free vulnerabilities</topic>
    <affects>
      <package>
    <name>krb5</name>
    <range><le>1.3.4_1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>An advisory published by the MIT Kerberos team says:</p>
    <blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt">
      <p>The MIT Kerberos 5 implementation's Key Distribution Center
        (KDC) program contains a double-free vulnerability that
        potentially allows a remote attacker to execute arbitrary code.
        Compromise of a KDC host compromises the security of the entire
        authentication realm served by the KDC.  Additionally, double-free
        vulnerabilities exist in MIT Kerberos 5 library code, making
        client programs and application servers vulnerable.</p>
    </blockquote>
    <p>Double-free vulnerabilities of this type are not believed to be
      exploitable for code execution on FreeBSD systems.  However, 
      the potential for other ill effects may exist.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0642</cvename>
      <cvename>CAN-2004-0643</cvename>
      <cvename>CAN-2004-0772</cvename>
      <certvu>795632</certvu>
      <certvu>866472</certvu>
      <certvu>350792</certvu>
      <url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt</url>
    </references>
    <dates>
      <discovery>2004-08-31</discovery>
      <entry>2004-08-31</entry>
    </dates>
  </vuln>

  <vuln vid="bd60922b-fb8d-11d8-a13e-000a95bc6fae">
    <topic>krb5 -- ASN.1 decoder denial-of-service vulnerability</topic>
    <affects>
      <package>
    <name>krb5</name>
    <range><ge>1.2.2</ge><le>1.3.4</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>An advisory published by the MIT Kerberos team says:</p>
    <blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt">
      <p>The ASN.1 decoder library in the MIT Kerberos 5 distribution
        is vulnerable to a denial-of-service attack causing an infinite
        loop in the decoder.  The KDC is vulnerable to this attack.</p>
      <p>An unauthenticated remote attacker can cause a KDC or application
        server to hang inside an infinite loop.</p>
      <p>An attacker impersonating a legitimate KDC or application
        server may cause a client program to hang inside an infinite
        loop.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0644</cvename>
      <certvu>550464</certvu>
      <url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt</url>
    </references>
    <dates>
      <discovery>2004-08-31</discovery>
      <entry>2004-08-31</entry>
    </dates>
  </vuln>

  <vuln vid="ba005226-fb5b-11d8-9837-000c41e2cdad">
    <topic>imlib2 -- BMP decoder buffer overflow</topic>
    <affects>
      <package>
    <name>imlib2</name>
    <range><le>1.1.1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Marcus Meissner discovered that imlib2's BMP decoder would
      crash when loading the test BMP file created by Chris Evans
      for testing the previous Qt vulnerability.  There appears to
      be both a stack-based and a heap-based buffer overflow that
      are believed to be exploitable for arbitrary code execution.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0802</cvename>
      <url>http://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/libs/imlib2/ChangeLog?rev=1.20&amp;view=markup</url>
    </references>
    <dates>
      <discovery>2004-08-31</discovery>
      <entry>2004-08-31</entry>
    </dates>
  </vuln>

  <vuln vid="b6cad7f3-fb59-11d8-9837-000c41e2cdad">
    <topic>ImageMagick -- BMP decoder buffer overflow</topic>
    <affects>
      <package>
    <name>ImageMagick</name>
    <name>ImageMagick-nox11</name>
    <range><lt>6.0.6.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Marcus Meissner discovered that ImageMagick's BMP decoder would
      crash when loading the test BMP file created by Chris Evans
      for testing the previous Qt vulnerability.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0827</cvename>
      <url>http://www.imagemagick.org/www/Changelog.html</url>
    </references>
    <dates>
      <discovery>2004-08-25</discovery>
      <entry>2004-08-31</entry>
      <modified>2004-09-14</modified>
    </dates>
  </vuln>

  <vuln vid="00644f03-fb58-11d8-9837-000c41e2cdad">
    <topic>imlib -- BMP decoder heap buffer overflow</topic>
    <affects>
      <package>
    <name>imlib</name>
    <range><lt>1.9.14_4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Marcus Meissner discovered that imlib's BMP decoder would
      crash when loading the test BMP file created by Chris Evans
      for testing the previous Qt vulnerability.  It is believed
      that this bug could be exploited for arbitrary code execution.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0817</cvename>
      <url>http://bugzilla.gnome.org/show_bug.cgi?id=151034</url>
    </references>
    <dates>
      <discovery>2004-08-25</discovery>
      <entry>2004-08-31</entry>
      <modified>2004-09-02</modified>
    </dates>
  </vuln>

  <vuln vid="207f8ff3-f697-11d8-81b0-000347a4fa7d">
    <topic>nss -- exploitable buffer overflow in SSLv2 protocol handler</topic>
    <affects>
      <package>
        <name>nss</name>
        <range><lt>3.9.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>ISS X-Force reports that a remotely exploitable buffer
          overflow exists in the Netscape Security Services (NSS)
      library's implementation of SSLv2.  From their advisory:</p>
    <blockquote cite="http://xforce.iss.net/xforce/alerts/id/180">
          <p>The NSS library contains a flaw in SSLv2 record parsing
            that may lead to remote compromise. When parsing the
            first record in an SSLv2 negotiation, the client hello
            message, the server fails to validate the length of a
            record field. As a result, it is possible for an attacker
            to trigger a heap-based overflow of arbitrary length.</p>
    </blockquote>
    <p>Note that the vulnerable NSS library is also present in
      Mozilla-based browsers.  However, it is not believed that
      browsers are affected, as the vulnerability is present only in
      code used by SSLv2 *servers*.</p>
      </body>
    </description>
    <references>
      <url>http://xforce.iss.net/xforce/alerts/id/180</url>
      <url>http://www.osvdb.org/9116</url>
      <url>http://secunia.com/advisories/12362</url>
      <bid>11015</bid>
    </references>
    <dates>
      <discovery>2004-08-23</discovery>
      <entry>2004-08-27</entry>
    </dates>
  </vuln>

  <vuln vid="85e19dff-e606-11d8-9b0a-000347a4fa7d">
    <topic>ripMIME -- decoding bug allowing content filter bypass</topic>
    <affects>
      <package>
        <name>ripmime</name>
        <range><lt>1.3.2.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>ripMIME may prematurely terminate decoding Base64 encoded
      messages when it encounters multiple blank lines or other
      non-standard Base64 constructs.  Virus scanning and content
      filtering tools that use ripMIME may therefore be
      bypassed.</p>
    <p>The ripMIME CHANGELOG file says:</p>
    <blockquote cite="http://www.pldaniels.com/ripmime/CHANGELOG">
          <p>There's viruses going around exploiting the ability to
            hide the majority of their data in an attachment by using
            blank lines and other tricks to make scanning systems
        prematurely terminate their base64 decoding.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <bid>10848</bid>
      <url>http://www.osvdb.org/8287</url>
      <url>http://www.pldaniels.com/ripmime/CHANGELOG</url>
      <url>http://secunia.com/advisories/12201</url>
      <url>http://xforce.iss.net/xforce/xfdb/16867</url>
    </references>
    <dates>
      <discovery>2004-07-30</discovery>
      <entry>2004-08-27</entry>
    </dates>
  </vuln>

  <vuln vid="1ecf4ca1-f7ad-11d8-96c9-00061bc2ad93">
    <topic>moinmoin -- ACL group bypass</topic>
    <affects>
      <package>
        <name>moinmoin</name>
        <range><lt>1.2.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The moinmoin package contains two bugs with ACLs and anonymous
      users.  Both bugs may permit anonymous users to gain access to
      administrative functions; for example the delete function.</p>
        <p>There is no known workaround, the vulnerability exists regardless
      if a site is using ACLs or not.</p>
      </body>
    </description>
    <references>
      <url>http://www.osvdb.org/8194</url>
      <url>http://www.osvdb.org/8195</url>
      <url>http://security.gentoo.org/glsa/glsa-200408-25.xml</url>
      <url>http://secunia.com/advisories/11832</url>
      <bid>10805</bid>
      <bid>10801</bid>
    </references>
    <dates>
      <discovery>2004-07-21</discovery>
      <entry>2004-08-26</entry>
    </dates>
  </vuln>

  <vuln vid="2689f4cb-ec4c-11d8-9440-000347a4fa7d">
    <topic>rsync -- path sanitizing vulnerability</topic>
    <affects>
      <package>
        <name>rsync</name>
        <range><lt>2.6.2_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>An rsync security advisory reports:</p>
    <blockquote cite="http://samba.org/rsync/#security_aug04">
      <p>There is a path-sanitizing bug that affects daemon mode in
        all recent rsync versions (including 2.6.2) but only if
        chroot is disabled.</p>
    </blockquote>
    <p>The bug may allow a remote user to access files outside
      of an rsync module's configured path with the privileges
      configured for that module.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0792</cvename>
      <url>http://samba.org/rsync/#security_aug04</url>
      <mlist>http://lists.samba.org/archive/rsync-announce/2004/000017.html</mlist>
      <url>http://secunia.com/advisories/12294</url>
      <url>http://www.osvdb.org/8829</url>
    </references>
    <dates>
      <discovery>2004-08-12</discovery>
      <entry>2004-08-26</entry>
    </dates>
  </vuln>

  <vuln vid="7884d56f-f7a1-11d8-9837-000c41e2cdad">
    <topic>gnomevfs --- unsafe URI handling</topic>
    <affects>
      <package>
    <name>gnomevfs2</name>
    <range><lt>2.6.2_1</lt></range>
      </package>
      <package>
    <name>gnomevfs</name>
    <range><lt>1.0.5_6</lt></range>
      </package>
      <package>
    <name>mc</name>
    <range><le>4.6.0_12</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Alexander Larsson reports that some versions of gnome-vfs and
      MidnightCommander contain a number of `extfs' scripts that do not
      properly validate user input.  If an attacker can cause her
      victim to process a specially-crafted URI, arbitrary commands
      can be executed with the privileges of the victim.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0494</cvename>
      <bid>10864</bid>
      <url>http://www.ciac.org/ciac/bulletins/o-194.shtml</url>
      <url>http://xforce.iss.net/xforce/xfdb/16897</url>
      <url>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127263</url>
    </references>
    <dates>
      <discovery>2004-08-04</discovery>
      <entry>2004-08-26</entry>
    </dates>
  </vuln>

  <vuln vid="3e4ffe76-e0d4-11d8-9b0a-000347a4fa7d">
    <topic>SoX buffer overflows when handling .WAV files</topic>
    <affects>
      <package>
        <name>sox</name>
        <range><gt>12.17.1</gt><le>12.17.4_1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Ulf Härnhammar discovered a pair of buffer overflows in the
      WAV file handling code of SoX.  If an attacker can cause her
      victim to process a specially-crafted WAV file with SoX (e.g.
      through social engineering or through some other program that
      relies on SoX), arbitrary code can be executed with the
      privileges of the victim.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0557</cvename>
      <mlist msgid="1091040793.4107f6193d81a@webmail.uu.se">http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0014.html</mlist>
      <url>http://secunia.com/advisories/12175</url>
      <url>http://www.osvdb.org/8267</url>
    </references>
    <dates>
      <discovery>2004-07-28</discovery>
      <entry>2004-08-26</entry>
    </dates>
  </vuln>

  <vuln vid="2797b27a-f55b-11d8-81b0-000347a4fa7d">
    <topic>kdelibs -- konqueror cross-domain cookie injection</topic>
    <affects>
      <package>
        <name>kdelibs</name>
        <range><lt>3.2.3_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>According to a KDE Security Advisory:</p>
    <blockquote cite="http://www.kde.org/info/security/advisory-20040823-1.txt">
          <p>WESTPOINT internet reconnaissance services alerted the
            KDE security team that the KDE web browser Konqueror
            allows websites to set cookies for certain country
            specific secondary top level domains.</p>
          <p>Web sites operating under the affected domains can
           set HTTP cookies in such a way that the Konqueror web
           browser will send them to all other web sites operating
           under the same domain.  A malicious website can use
           this as part of a session fixation attack. See e.g.
           http://www.acros.si/papers/session_fixation.pdf</p>
         <p>Affected are all country specific secondary top level
          domains that use more than 2 characters in the secondary
          part of the domain name and that use a secondary part other
          than com, net, mil, org, gov, edu or int. Examples of
          affected domains are .ltd.uk, .plc.uk and .firm.in</p>
    <p>It should be noted that popular domains such as .co.uk, .co.in
      and .com are NOT affected.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0746</cvename>
      <url>http://www.kde.org/info/security/advisory-20040823-1.txt</url>
      <url>http://www.osvdb.org/9117</url>
      <url>http://secunia.com/advisories/12341</url>
      <url>http://www.acros.si/papers/session_fixation.pdf</url>
      <bid>10991</bid>
    </references>
    <dates>
      <discovery>2004-08-23</discovery>
      <entry>2004-08-26</entry>
    </dates>
  </vuln>

  <vuln vid="bef4515b-eaa9-11d8-9440-000347a4fa7d">
    <topic>xine -- vcd URL buffer overflow</topic>
    <affects>
      <package>
    <name>libxine</name>
    <range><lt>1.0.r5_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>c0ntex[at]open-security.org reports a buffer overflow in
      xine's handling of vcd:// URLs:</p>
    <blockquote cite="http://www.open-security.org/advisories/6">
          <p>Like the excellent Mplayer, Xine is a superb free media
            player for Linux. Sadly there is a generic stack based
            buffer overflow in all versions of Xine-lib, including
            Xine-lib-rc5 that allows for local and remote malicious
        code execution.</p>
          <p>By overflowing the vcd:// input source identifier buffer,
            it is possible to modify the instruction pointer with a
            value that a malicious attacker can control. The issue
            can be replicated in a remote context by embedding the
            input source idientifier within a playlist file, such as
            an asx.  When a user plays the file, this stack overflow
            will occur, exploit code can then be executed with the
        rights of the user running Xine.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.open-security.org/advisories/6</url>
      <url>http://cvs.sourceforge.net/viewcvs.py/xine/xine-vcdnav/input/xineplug_inp_vcd.c#rev1.109</url>
      <url>http://secunia.com/advisories/12194</url>
      <url>http://sourceforge.net/mailarchive/forum.php?thread_id=5143955&amp;forum_id=11923</url>
      <url>http://www.osvdb.org/8409</url>
    </references>
    <dates>
      <discovery>2004-07-18</discovery>
      <entry>2004-08-23</entry>
    </dates>
  </vuln>

  <vuln vid="0d3a5148-f512-11d8-9837-000c41e2cdad">
    <topic>SpamAssassin -- denial-of-service in tokenize_headers</topic>
    <affects>
      <package>
    <name>p5-Mail-SpamAssassin</name>
    <range><lt>2.64</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>According to the SpamAssassin 2.64 release announcement:</p>
    <blockquote cite="http://marc.theaimsgroup.com/?l=spamassassin-announce&amp;m=109168121628767">
          <p>Security fix prevents a denial of service attack open
            to certain malformed messages; this DoS affects all
            SpamAssassin 2.5x and 2.6x versions to date.</p>
    </blockquote>
    <p>The issue appears to be triggered by overly long message
      headers.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0796</cvename>
      <bid>10957</bid>
      <mlist>http://marc.theaimsgroup.com/?l=spamassassin-announce&amp;m=109168121628767</mlist>
      <url>http://search.cpan.org/src/JMASON/Mail-SpamAssassin-2.64/Changes</url>
    </references>
    <dates>
      <discovery>2004-08-04</discovery>
      <entry>2004-08-23</entry>
      <modified>2004-08-28</modified>
    </dates>
  </vuln>

  <vuln vid="ebffe27a-f48c-11d8-9837-000c41e2cdad">
    <topic>qt -- image loader vulnerabilities</topic>
    <affects>
      <package>
    <name>qt</name>
    <range><lt>3.3.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Qt contains several vulnerabilities related to image
          loading, including possible crashes when loading corrupt
          GIF, BMP, or JPEG images.  Most seriously, Chris Evans
          reports that the BMP crash is actually due to a heap
          buffer overflow.  It is believed that an attacker may be
          able to construct a BMP image that could cause a Qt-using
          application to execute arbitrary code when it is loaded.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0691</cvename>
      <cvename>CAN-2004-0692</cvename>
      <cvename>CAN-2004-0693</cvename>
      <url>http://www.trolltech.com/developer/changes/changes-3.3.3.html</url>
      <url>http://scary.beasts.org/security/CESA-2004-004.txt</url>
    </references>
    <dates>
      <discovery>2004-08-11</discovery>
      <entry>2004-08-22</entry>
    </dates>
  </vuln>

  <vuln vid="616cf823-f48b-11d8-9837-000c41e2cdad">
    <topic>courier-imap -- format string vulnerability in debug mode</topic>
    <affects>
      <package>
    <name>courier-imap</name>
    <range><lt>3.0.7,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>An iDEFENSE security advisory describes a format string
      vulnerability that could be exploited when Courier-IMAP is run
      in debug mode (DEBUG_LOGIN set).</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0777</cvename>
      <mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-August/025478.html</mlist>
      <url>http://www.idefense.com/application/poi/display?id=131&amp;type=vulnerabilities&amp;flashstatus=false</url>
      <bid>10976</bid>
    </references>
    <dates>
      <discovery>2004-08-18</discovery>
      <entry>2004-08-22</entry>
    </dates>
  </vuln>

  <vuln vid="3243e839-f489-11d8-9837-000c41e2cdad">
    <topic>fidogate -- write files as `news' user</topic>
    <affects>
      <package>
    <name>fidogate</name>
    <range><lt>4.4.9_3</lt></range>
      </package>
      <package>
    <name>fidogate-ds</name>
    <range><lt>5.1.1_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Neils Heinen reports that the setuid `news' binaries
      installed as part of fidogate may be used to create files or
      append to file with the privileges of the `news' user by
      setting the LOGFILE environmental variable.</p>
      </body>
    </description>
    <references>
      <url>http://cvs.sourceforge.net/viewcvs.py/fidogate/fidogate/ChangeLog?rev=4.320&amp;view=markup</url>
    </references>
    <dates>
      <discovery>2004-08-21</discovery>
      <entry>2004-08-22</entry>
      <modified>2004-08-23</modified>
    </dates>
  </vuln>

  <vuln vid="0c4d5973-f2ab-11d8-9837-000c41e2cdad">
    <topic>mysql -- mysqlhotcopy insecure temporary file creation</topic>
    <affects>
      <package>
    <name>mysql-scripts</name>
    <range><le>3.23.58</le></range>
    <range><gt>4</gt><le>4.0.20</le></range>
    <range><gt>4.1</gt><le>4.1.3</le></range>
    <range><gt>5</gt><le>5.0.0_1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>According to Christian Hammers:</p>
    <blockquote cite="http://packages.debian.org/changelogs/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.20-11/changelog">
          <p>[mysqlhotcopy created] temporary files in /tmp which
            had predictable filenames and such could be used for a
            tempfile run attack.</p>
    </blockquote>
    <p>Jeroen van Wolffelaar is credited with discovering the issue.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0457</cvename>
      <url>http://www.debian.org/security/2004/dsa-540</url>
      <mlist>http://lists.mysql.com/internals/15185</mlist>
    </references>
    <dates>
      <discovery>2004-08-18</discovery>
      <entry>2004-08-22</entry>
    </dates>
  </vuln>

  <vuln vid="c4b025bb-f05d-11d8-9837-000c41e2cdad">
    <topic>tnftpd -- remotely exploitable vulnerability</topic>
    <affects>
      <package>
    <name>tnftpd</name>
    <range><lt>20040810</lt></range>
      </package>
      <package>
    <name>lukemftpd</name>
    <range><ge>0</ge></range>
      </package>
      <system>
    <name>FreeBSD</name>
    <range><ge>4.7</ge></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>lukemftpd(8) is an enhanced BSD FTP server produced
          within the NetBSD project.  The sources for lukemftpd are
          shipped with some versions of FreeBSD, however it is not
          built or installed by default.  The build system option
          WANT_LUKEMFTPD must be set to build and install lukemftpd.
          [<strong>NOTE</strong>: An exception is FreeBSD 4.7-RELEASE,
          wherein lukemftpd was installed, but not enabled, by
      default.]</p>
        <p>Przemyslaw Frasunek discovered several vulnerabilities
          in lukemftpd arising from races in the out-of-band signal
          handling code used to implement the ABOR command.  As a
          result of these races, the internal state of the FTP server
          may be manipulated in unexpected ways.</p>
        <p>A remote attacker may be able to cause FTP commands to
          be executed with the privileges of the running lukemftpd
          process.  This may be a low-privilege `ftp' user if the `-r'
          command line option is specified, or it may be superuser
          privileges if `-r' is *not* specified.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0794</cvename>
      <bid>10967</bid>
      <url>http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpd.c#rev1.158</url>
      <url>ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-009.txt.asc</url>
      <mlist msgid="412239E7.1070807@freebsd.lublin.pl">http://lists.netsys.com/pipermail/full-disclosure/2004-August/025418.html</mlist>
    </references>
    <dates>
      <discovery>2004-08-17</discovery>
      <entry>2004-08-17</entry>
      <modified>2004-08-28</modified>
    </dates>
  </vuln>

  <vuln vid="6fd9a1e9-efd3-11d8-9837-000c41e2cdad">
    <cancelled/>
  </vuln>

  <vuln vid="65a17a3f-ed6e-11d8-aff1-00061bc2ad93">
    <topic>Arbitrary code execution via a format string vulnerability in jftpgw</topic>
    <affects>
      <package>
        <name>jftpgw</name>
        <range><lt>0.13.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The log functions in jftpgw may allow
      remotely authenticated user to execute
      arbitrary code via the format string
      specifiers in certain syslog messages.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0448</cvename>
      <url>http://www.debian.org/security/2004/dsa-510</url>
      <bid>10438</bid>
      <url>http://xforce.iss.net/xforce/xfdb/16271</url>
    </references>
    <dates>
      <discovery>2004-05-30</discovery>
      <entry>2004-08-13</entry>
      <modified>2004-08-23</modified>
    </dates>
  </vuln>

  <vuln vid="641859e8-eca1-11d8-b913-000c41e2cdad">
    <topic>Mutiple browser frame injection vulnerability</topic>
    <affects>
      <package>
    <name>kdelibs</name>
    <range><lt>3.2.3_3</lt></range>
      </package>
      <package>
    <name>kdebase</name>
    <range><lt>3.2.3_1</lt></range>
      </package>
      <package>
    <name>linux-opera</name>
    <name>opera</name>
    <range><ge>7.50</ge><lt>7.52</lt></range>
      </package>
      <package>
        <name>firefox</name>
    <range><lt>0.9</lt></range>
      </package>
      <package>
        <name>linux-mozilla</name>
        <name>linux-mozilla-devel</name>
        <name>mozilla-gtk1</name>
    <range><lt>1.7</lt></range>
      </package>
      <package>
        <name>mozilla</name>
    <range><lt>1.7,2</lt></range>
      </package>
      <package>
    <name>netscape7</name>
    <range><lt>7.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A class of bugs affecting many web browsers in the same way
      was discovered.  A Secunia advisory reports:</p>
    <blockquote cite="http://secunia.com/advisories/11978">
          <p>The problem is that the browsers don't check if a target
            frame belongs to a website containing a malicious link,
            which therefore doesn't prevent one browser window from
        loading content in a named frame in another window.</p>
      <p>Successful exploitation allows a malicious website to load
        arbitrary content in an arbitrary frame in another browser
        window owned by e.g. a trusted site.</p>
    </blockquote>
    <p>A KDE Security Advisory reports:</p>
    <blockquote cite="http://www.kde.org/info/security/advisory-20040811-3.txt">
          <p>A malicious website could abuse Konqueror to insert
            its own frames into the page of an otherwise trusted
            website. As a result the user may unknowingly send
            confidential information intended for the trusted website
            to the malicious website.</p>
    </blockquote>
    <p>Secunia has provided a demonstration of the vulnerability at <a
      href="http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/">http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/</a>.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0717</cvename>
      <cvename>CAN-2004-0718</cvename>
      <cvename>CAN-2004-0721</cvename>
      <url>http://secunia.com/advisories/11978/</url>
      <url>http://bugzilla.mozilla.org/show_bug.cgi?id=246448</url>
      <url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-htmlframes.patch</url>
      <url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdebase-htmlframes.patch</url>
    </references>
    <dates>
      <discovery>2004-08-11</discovery>
      <entry>2004-08-12</entry>
      <modified>2004-09-14</modified>
    </dates>
  </vuln>

  <vuln vid="603fe36d-ec9d-11d8-b913-000c41e2cdad">
    <topic>kdelibs insecure temporary file handling</topic>
    <affects>
      <package>
    <name>kdelibs</name>
    <range><le>3.2.3_3</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>According to a KDE Security Advisory, KDE may sometimes
      create temporary files without properly checking the ownership
      and type of the target path.  This could allow a local
      attacker to cause KDE applications to overwrite arbitrary
      files.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0689</cvename>
      <cvename>CAN-2004-0690</cvename>
      <url>http://www.kde.org/info/security/advisory-20040811-1.txt</url>
      <url>http://www.kde.org/info/security/advisory-20040811-2.txt</url>
      <url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-kstandarddirs.patch</url>
      <url>ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-dcopserver.patch</url>
    </references>
    <dates>
      <discovery>2004-08-11</discovery>
      <entry>2004-08-12</entry>
    </dates>
  </vuln>

  <vuln vid="5b8f9a02-ec93-11d8-b913-000c41e2cdad">
    <topic>gaim remotely exploitable vulnerabilities in MSN component</topic>
    <affects>
      <package>
    <name>gaim</name>
    <name>ja-gaim</name>
    <range><lt>0.81_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Sebastian Krahmer discovered several remotely exploitable
          buffer overflow vulnerabilities in the MSN component of
          gaim.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0500</cvename>
    </references>
    <dates>
      <discovery>2004-08-12</discovery>
      <entry>2004-08-12</entry>
      <modified>2004-08-12</modified>
    </dates>
  </vuln>

  <vuln vid="78348ea2-ec91-11d8-b913-000c41e2cdad">
    <topic>acroread uudecoder input validation error</topic>
    <affects>
      <package>
    <name>acroread</name>
    <range><lt>5.0.9</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>An iDEFENSE security advisory reports:</p>
    <blockquote cite="www.idefense.com/application/poi/display?id=124&amp;type=vulnerabilities">
          <p>Remote exploitation of an input validation error in the
            uudecoding feature of Adobe Acrobat Reader (Unix) 5.0
            allows an attacker to execute arbitrary code.</p>
          <p>The Unix and Linux versions of Adobe Acrobat Reader 5.0
            automatically attempt to convert uuencoded documents
            back into their original format.  The vulnerability
            specifically exists in the failure of Acrobat Reader to
            check for the backtick shell metacharacter in the filename
            before executing a command with a shell. This allows a
            maliciously constructed filename to execute arbitrary
            programs.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0630</cvename>
      <url>http://www.idefense.com/application/poi/display?id=124&amp;type=vulnerabilities</url>
    </references>
    <dates>
      <discovery>2004-08-12</discovery>
      <entry>2004-08-12</entry>
    </dates>
  </vuln>

  <vuln vid="12c7b7ae-ec90-11d8-b913-000c41e2cdad">
    <topic>popfile file disclosure</topic>
    <affects>
      <package>
    <name>popfile</name>
    <range><le>0.21.1_2</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>John Graham-Cumming reports that certain configurations of
      POPFile may allow the retrieval of any files with the
      extensions .gif, .png, .ico, .css, as well as some files with
      the extension .html.</p>
      </body>
    </description>
    <references>
      <mlist>http://sourceforge.net/mailarchive/forum.php?thread_id=5248725&amp;forum_id=12356</mlist>
    </references>
    <dates>
      <discovery>2004-08-02</discovery>
      <entry>2004-08-12</entry>
    </dates>
  </vuln>

  <vuln vid="2de14f7a-dad9-11d8-b59a-00061bc2ad93">
    <topic>Multiple Potential Buffer Overruns in Samba</topic>
    <affects>
      <package>
    <name>samba</name>
        <range><ge>3</ge><lt>3.0.5,1</lt></range>
    <range><lt>2.2.10</lt></range>
      </package>
      <package>
    <name>ja-samba</name>
    <range><lt>2.2.10.j1.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Evgeny Demidov discovered that the Samba server has a
          buffer overflow in the Samba Web Administration Tool (SWAT)
          on decoding Base64 data during HTTP Basic Authentication.
          Versions 3.0.2 through 3.0.4 are affected.</p>
        <p>Another buffer overflow bug has been found in the code
          used to support the "mangling method = hash" smb.conf
          option. The default setting for this parameter is "mangling
          method = hash2" and therefore not vulnerable. Versions
          between 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected.
      </p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0600</cvename>
      <cvename>CAN-2004-0686</cvename>
      <mlist msgid="web-53121174@cgp.agava.net">http://www.securityfocus.com/archive/1/369698</mlist>
      <mlist msgid="200407222031.25086.bugtraq@beyondsecurity.com">http://www.securityfocus.com/archive/1/369706</mlist>
      <url>http://www.samba.org/samba/whatsnew/samba-3.0.5.html</url>
      <url>http://www.samba.org/samba/whatsnew/samba-2.2.10.html</url>
      <url>http://www.osvdb.org/8190</url>
      <url>http://www.osvdb.org/8191</url>
      <url>http://secunia.com/advisories/12130</url>
    </references>
    <dates>
      <discovery>2004-07-14</discovery>
      <entry>2004-07-21</entry>
      <modified>2004-08-15</modified>
    </dates>
  </vuln>

  <vuln vid="4aec9d58-ce7b-11d8-858d-000d610a3b12">
    <topic>Format string vulnerability in SSLtelnet</topic>
    <affects>
      <package>
    <name>SSLtelnet</name>
    <range><le>0.13_1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>SSLtelnet contains a format string vulnerability that could
      allow remote code execution and privilege escalation.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0640</cvename>
      <url>http://www.idefense.com/application/poi/display?id=114&amp;type=vulnerabilities</url>
    </references>
    <dates>
      <discovery>2003-04-03</discovery>
      <entry>2004-07-05</entry>
    </dates>
  </vuln>

  <vuln vid="76904dce-ccf3-11d8-babb-000854d03344">
    <topic>Pavuk HTTP Location header overflow</topic>
    <affects>
      <package>
    <name>pavuk</name>
    <range><lt>0.9.28_5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>When pavuk sends a request to a web server and the server
      sends back the HTTP status code 305 (Use Proxy), pavuk
      copies data from the HTTP Location header in an unsafe
      manner. This leads to a stack-based buffer overflow with
      control over EIP.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0456</cvename>
      <mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-July/023322.html</mlist>
      <url>http://www.osvdb.org/7319</url>
    </references>
    <dates>
      <discovery>2004-06-30</discovery>
      <entry>2004-07-03</entry>
    </dates>
  </vuln>

  <vuln vid="33ab4a47-bfc1-11d8-b00e-000347a4fa7d">
    <topic>Several vulnerabilities found in PHPNuke</topic>
    <affects>
      <package>
    <name>PHPNuke</name>
    <range><lt>7.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Janek Vind "waraxe" reports that several issues in the
      PHPNuke software may be exploited via carefully crafted
      URL requests.  These URLs will permit the injection of
      SQL code, cookie theft, and the readability of the
      PHPNuke administrator account.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0279</cvename>
      <cvename>CAN-2003-0318</cvename>
      <cvename>CAN-2004-0266</cvename>
      <cvename>CAN-2004-0269</cvename>
      <url>http://www.waraxe.us/index.php?modname=sa&amp;id=27</url>
      <url>http://secunia.com/advisories/11920</url>
    </references>
    <dates>
      <discovery>2004-05-05</discovery>
      <entry>2004-07-03</entry>
    </dates>
  </vuln>

  <vuln vid="8ecaaca2-cc07-11d8-858d-000d610a3b12">
    <topic>Linux binary compatibility mode input validation error</topic>
    <affects>
      <system>
    <name>FreeBSD</name>
    <range><ge>4.9</ge><lt>4.9_10</lt></range>
    <range><ge>4.8</ge><lt>4.8_23</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A programming error in the handling of some Linux system
      calls may result in memory locations being accessed without
      proper validation.</p>
    <p>It may be possible for a local attacker to read and/or
      overwrite portions of kernel memory, resulting in disclosure
      of sensitive information or potential privilege escalation.
      A local attacker can cause a system panic.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0602</cvename>
      <freebsdsa>SA-04:13.linux</freebsdsa>
    </references>
    <dates>
      <discovery>2004-06-18</discovery>
      <entry>2004-06-30</entry>
    </dates>
  </vuln>

  <vuln vid="ff00f2ce-c54c-11d8-b708-00061bc2ad93">
    <topic>XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0</topic>
    <affects>
      <package>
    <name>xorg-clients</name>
    <range><eq>6.7.0</eq></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>When the IPv6 code was added to xdm a critical
      test to disable xdmcp was accidentally removed.  This
      caused xdm to create the chooser socket regardless if
      DisplayManager.requestPort was disabled in xdm-config
      or not.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0419</cvename>
      <url>http://bugs.xfree86.org/show_bug.cgi?id=1376</url>
      <url>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124900</url>
    </references>
    <dates>
      <discovery>2004-05-19</discovery>
      <entry>2004-06-28</entry>
      <modified>2004-06-28</modified>
    </dates>
  </vuln>

  <vuln vid="da9e6438-bfc0-11d8-b00e-000347a4fa7d">
    <topic>MoinMoin administrative group name privilege escalation vulnerability</topic>
    <affects>
      <package>
    <name>moinmoin</name>
    <range><lt>1.2.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A serious flaw exists in the MoinMoin software
      which may allow a malicious user to gain access to
      unauthorized privileges.</p>
      </body>
    </description>
    <references>
      <url>http://www.osvdb.org/6704</url>
      <cvename>CAN-2004-0708</cvename>
      <bid>10568</bid>
      <url>http://secunia.com/advisories/11807</url>
    </references>
    <dates>
      <discovery>2004-05-04</discovery>
      <entry>2004-06-28</entry>
    </dates>
  </vuln>

  <vuln vid="7a9d5dfe-c507-11d8-8898-000d6111a684">
    <topic>isc-dhcp3-server buffer overflow in logging mechanism</topic>
    <affects>
      <package>
    <name>isc-dhcp3-relay</name>
    <name>isc-dhcp3-server</name>
    <range><ge>3.0.1.r12</ge><lt>3.0.1.r14</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A buffer overflow exists in the logging functionality
      of the DHCP daemon which could lead to Denial of Service
      attacks and has the potential to allow attackers to
      execute arbitrary code.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0460</cvename>
      <url>http://www.osvdb.org/7237</url>
      <uscertta>TA04-174A</uscertta>
      <certvu>317350</certvu>
      <mlist msgid="BAY13-F94UHMuEEkHMz0005c4f7@hotmail.com">http://www.securityfocus.com/archive/1/366801</mlist>
      <mlist msgid="40DFAB69.1060909@sympatico.ca">http://www.securityfocus.com/archive/1/367286</mlist>
    </references>
    <dates>
      <discovery>2004-06-22</discovery>
      <entry>2004-06-25</entry>
      <modified>2004-08-12</modified>
    </dates>
  </vuln>

  <vuln vid="1f738bda-c6ac-11d8-8898-000d6111a684">
    <topic>Remote Denial of Service of HTTP server and client</topic>
    <affects>
      <package>
    <name>giFT-FastTrack</name>
    <range><lt>0.8.7</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>giFT-FastTrack is susceptible to a remote
      Denial of Service attack which could allow
      a remote attacker to render HTTP services
      unusable.  According to the developers, no
      code execution is possible; however, they
      recommend an immediate upgrade.</p>
      </body>
    </description>
    <references>
      <url>http://developer.berlios.de/forum/forum.php?forum_id=5814</url>
      <url>http://www.osvdb.org/7266</url>
      <url>http://secunia.com/advisories/11941</url>
      <bid>10604</bid>
    </references>
    <dates>
      <discovery>2004-06-19</discovery>
      <entry>2004-06-25</entry>
      <modified>2004-06-29</modified>
    </dates>
  </vuln>

  <vuln vid="253ea131-bd12-11d8-b071-00e08110b673">
    <topic>Gallery 1.4.3 and ealier user authentication bypass</topic>
    <affects>
      <package>
    <name>gallery</name>
    <range><lt>1.4.3.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A flaw exists in Gallery versions previous to
      1.4.3-pl1 and post 1.2 which may give an attacker
      the potential to log in under the "admin" account.
      Data outside of the gallery is unaffected and the
      attacker cannot modify any data other than the
      photos or photo albums.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0522</cvename>
      <url>http://gallery.menalto.com/modules.php?op=modload&amp;name=News&amp;file=article&amp;sid=123</url>
      <url>http://secunia.com/advisories/11752</url>
    </references>
    <dates>
      <discovery>2004-06-01</discovery>
      <entry>2004-06-24</entry>
    </dates>
  </vuln>

  <vuln vid="6f955451-ba54-11d8-b88c-000d610a3b12">
    <topic>Buffer overflow in Squid NTLM authentication helper</topic>
    <affects>
      <package>
    <name>squid</name>
    <range><lt>2.5.5_9</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Remote exploitation of a buffer overflow vulnerability in
      the NTLM authentication helper routine of the Squid Web
      Proxy Cache could allow a remote attacker to execute
      arbitrary code.  A remote attacker can compromise a target
      system if the Squid Proxy is configured to use the NTLM
      authentication helper.  The attacker can send an overly long
      password to overflow the buffer and execute arbitrary
      code.</p>
      </body>
    </description>
    <references>
      <url>http://www.idefense.com/application/poi/display?id=107&amp;type=vulnerabilities&amp;flashstatus=false</url>
      <cvename>CAN-2004-0541</cvename>
      <url>http://www.osvdb.org/6791</url>
      <url>http://secunia.com/advisories/11804</url>
      <bid>10500</bid>
      <url>http://www.squid-cache.org/bugs/show_bug.cgi?id=998</url>
    </references>
    <dates>
      <discovery>2004-05-20</discovery>
      <entry>2004-06-09</entry>
    </dates>
  </vuln>

  <vuln vid="fb5e227e-b8c6-11d8-b88c-000d610a3b12">
    <topic>jailed processes can manipulate host routing tables</topic>
    <affects>
      <system>
    <name>FreeBSD</name>
    <range><ge>4.9</ge><lt>4.9_10</lt></range>
    <range><ge>4.8</ge><lt>4.8_23</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A programming error resulting in a failure to verify that
      an attempt to manipulate routing tables originated from a
      non-jailed process.</p>

    <p>Jailed processes running with superuser privileges could
      modify host routing tables.  This could result in a variety
      of consequences including packets being sent via an
      incorrect network interface and packets being discarded
      entirely.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0125</cvename>
      <freebsdsa>SA-04:12.jailroute</freebsdsa>
    </references>
    <dates>
      <discovery>2004-02-03</discovery>
      <entry>2004-06-07</entry>
    </dates>
  </vuln>

  <vuln vid="1db1ed59-af07-11d8-acb9-000d610a3b12">
    <topic>buffer cache invalidation implementation issues</topic>
    <affects>
      <system>
    <name>FreeBSD</name>
    <range><ge>5.0</ge><lt>5.2_8</lt></range>
    <range><ge>4.9</ge><lt>4.9_9</lt></range>
    <range><ge>4.0</ge><lt>4.8_22</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Programming errors in the implementation of the msync(2)
      system call involving the MS_INVALIDATE operation lead to
      cache consistency problems between the virtual memory system
      and on-disk contents.</p>

    <p>In some situations, a user with read access to a file may
      be able to prevent changes to that file from being committed
      to disk.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0435</cvename>
      <freebsdsa>SA-04:11.msync</freebsdsa>
    </references>
    <dates>
      <discovery>2004-04-24</discovery>
      <entry>2004-05-26</entry>
    </dates>
  </vuln>

  <vuln vid="f7a3b18c-624c-4703-9756-b6b27429e5b0">
    <topic>leafnode denial-of-service triggered by article request</topic>
    <affects>
      <package>
    <name>leafnode</name>
    <range><ge>1.9.20</ge><lt>1.9.30</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>The leafnode NNTP server may go into an unterminated loop with 100%
      CPU use when an article is requested by Message-ID that has been
      crossposted to several news groups when one of the group names is the
      prefix of another group name that the article was cross-posted
      to. Found by Jan Knutar.</p>
      </body>
    </description>
    <references>
      <url>http://leafnode.sourceforge.net/leafnode-SA-2002-01</url>
      <mlist msgid="20021229205023.GA5216@merlin.emma.line.org">http://sourceforge.net/mailarchive/message.php?msg_id=2796226</mlist>
      <mlist msgid="20021229205023.GA5216@merlin.emma.line.org">http://article.gmane.org/gmane.network.leafnode.announce/8</mlist>
      <bid>6490</bid>
      <freebsdpr>ports/46613</freebsdpr>
    </references>
    <dates>
      <discovery>2002-11-06</discovery>
      <entry>2004-05-21</entry>
    </dates>
  </vuln>

  <vuln vid="7b0208ff-3f65-4e16-8d4d-48fd9851f085">
    <topic>leafnode fetchnews denial-of-service triggered by missing
      header</topic>
    <affects>
      <package>
    <name>leafnode</name>
    <range><ge>1.9.3</ge><le>1.9.41</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Fetchnews could hang when a news article to be downloaded lacked one
      of the mandatory headers. Found by Joshua Crawford.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0744</cvename>
      <url>http://leafnode.sourceforge.net/leafnode-SA-2003-01</url>
      <mlist msgid="20030904011904.GB12350@merlin.emma.line.org">http://sourceforge.net/mailarchive/message.php?msg_id=5975563</mlist>
      <mlist msgid="20030904011904.GB12350@merlin.emma.line.org">http://article.gmane.org/gmane.network.leafnode.announce/21</mlist>
      <bid>8541</bid>
      <freebsdpr>ports/53838</freebsdpr>
    </references>
    <dates>
      <discovery>2003-06-20</discovery>
      <entry>2004-05-21</entry>
    </dates>
  </vuln>

  <vuln vid="a051a4ec-3aa1-4dd1-9bdc-a61eb5700153">
    <topic>leafnode fetchnews denial-of-service triggered by truncated
      transmission</topic>
    <affects>
      <package>
    <name>leafnode</name>
    <range><le>1.9.47</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>When a downloaded news article ends prematurely, i. e. when the
      server sends [CR]LF.[CR]LF before sending a blank line, fetchnews may
      wait indefinitely for data that never arrives. Workaround: configure
      "minlines=1" (or use a bigger value) in the configuration file. Found
      by Toni Viemerö.</p>
      </body>
    </description>
    <references>
      <url>http://leafnode.sourceforge.net/leafnode-SA-2004-01</url>
      <url>http://sourceforge.net/tracker/index.php?func=detail&amp;aid=873149&amp;group_id=57767&amp;atid=485349</url>
      <mlist msgid="20040109015625.GA12319@merlin.emma.line.org">http://article.gmane.org/gmane.network.leafnode.announce/32</mlist>
      <mlist msgid="20040109015625.GA12319@merlin.emma.line.org">http://sourceforge.net/mailarchive/message.php?msg_id=6922570</mlist>
      <freebsdpr>ports/61105</freebsdpr>
    </references>
    <dates>
      <discovery>2004-01-08</discovery>
      <entry>2004-05-21</entry>
    </dates>
  </vuln>

  <vuln vid="5d36ef32-a9cf-11d8-9c6d-0020ed76ef5a">
    <topic>subversion date parsing vulnerability</topic>
    <affects>
      <package>
    <name>subversion</name>
    <range><lt>1.0.2_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Stefan Esser reports:</p>
    <blockquote
      cite="http://security.e-matters.de/advisories/082004.html">
      <p>Subversion versions up to 1.0.2 are vulnerable to a date
        parsing vulnerability which can be abused to allow remote
        code execution on Subversion servers and therefore could
        lead to a repository compromise.</p>
    </blockquote>
    <p><em>NOTE:</em> This vulnerability is similar to the date
      parsing issue that affected neon.  However, it is a different
      and distinct bug.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0397</cvename>
      <url>http://security.e-matters.de/advisories/082004.html</url>
    </references>
    <dates>
      <discovery>2004-05-19</discovery>
      <entry>2004-05-19</entry>
    </dates>
  </vuln>

  <vuln vid="8d075001-a9ce-11d8-9c6d-0020ed76ef5a">
    <topic>neon date parsing vulnerability</topic>
    <affects>
      <package>
    <name>neon</name>
    <range><lt>0.24.5_1</lt></range>
      </package>
      <package>
    <name>sitecopy</name>
    <range><le>0.13.4_1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Stefan Esser reports:</p>
    <blockquote
      cite="http://security.e-matters.de/advisories/062004.html">
      <p>A vulnerability within a libneon date parsing function
        could cause a heap overflow which could lead to remote
        code execution, depending on the application using
        libneon.</p>
    </blockquote>
    <p>The vulnerability is in the function ne_rfc1036_parse,
      which is in turn used by the function ne_httpdate_parse.
      Applications using either of these neon functions may be
      vulnerable.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0398</cvename>
      <url>http://security.e-matters.de/advisories/062004.html</url>
      <url>http://secunia.com/advisories/11785</url>
    </references>
    <dates>
      <discovery>2004-05-19</discovery>
      <entry>2004-05-19</entry>
      <modified>2004-06-25</modified>
    </dates>
  </vuln>

  <vuln vid="f93be979-a992-11d8-aecc-000d610a3b12">
    <topic>cvs pserver remote heap buffer overflow</topic>
    <affects>
      <system>
    <name>FreeBSD</name>
    <range><ge>5.2</ge><lt>5.2_7</lt></range>
    <range><ge>5.1</ge><lt>5.1_17</lt></range>
    <range><ge>5.0</ge><lt>5.0_21</lt></range>
    <range><ge>4.9</ge><lt>4.9_8</lt></range>
    <range><ge>4.8</ge><lt>4.8_21</lt></range>
    <range><ge>4.0</ge><lt>4.7_27</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Due to a programming error in code used to parse data
      received from the client, malformed data can cause a heap
      buffer to overflow, allowing the client to overwrite
      arbitrary portions of the server's memory.</p>
    <p>A malicious CVS client can exploit this to run arbitrary
      code on the server at the privilege level of the CVS server
      software.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0396</cvename>
      <freebsdsa>SA-04:10.cvs</freebsdsa>
    </references>
    <dates>
      <discovery>2004-05-02</discovery>
      <entry>2004-05-19</entry>
    </dates>
  </vuln>

  <vuln vid="df333ede-a8ce-11d8-9c6d-0020ed76ef5a">
    <topic>URI handler vulnerabilities in several browsers</topic>
    <affects>
      <package>
    <name>linux-opera</name>
    <name>opera</name>
    <range><lt>7.50</lt></range>
      </package>
      <package>
    <name>kdelibs</name>
    <range><lt>3.2.2_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Karol Wiesek and Greg MacManus reported via iDEFENSE that the
      Opera web browser contains a flaw in the handling of
      certain URIs.  When presented with these URIs, Opera would
      invoke external commands to process them after some
      validation.  However, if the hostname component of a URI
      begins with a `-', it may be treated as an option by an external
      command.  This could have undesirable side-effects, from
      denial-of-service to code execution.  The impact is very
      dependent on local configuration.</p>
    <p>After the iDEFENSE advisory was published, the KDE team
      discovered similar problems in KDE's URI handlers.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0411</cvename>
      <url>http://www.idefense.com/application/poi/display?id=104&amp;type=vulnerabilities</url>
      <url>http://www.kde.org/info/security/advisory-20040517-1.txt</url>
      <url>http://freebsd.kde.org/index.php#n20040517</url>
    </references>
    <dates>
      <discovery>2004-05-12</discovery>
      <entry>2004-05-18</entry>
    </dates>
  </vuln>

  <vuln vid="2e129846-8fbb-11d8-8b29-0020ed76ef5a">
    <topic>MySQL insecure temporary file creation (mysqlbug)</topic>
    <affects>
      <package>
    <name>mysql-client</name>
    <range><ge>4.0</ge><lt>4.0.20</lt></range>
    <range><ge>4.1</ge><lt>4.1.1_2</lt></range>
    <range><ge>5.0</ge><lt>5.0.0_2</lt></range>
      </package>
    </affects>
    <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
     <p>Shaun Colley reports that the script `mysqlbug' included
       with MySQL sometimes creates temporary files in an unsafe
       manner.  As a result, an attacker may create a symlink in
       /tmp so that if another user invokes `mysqlbug' and <em>quits
       without making <strong>any</strong> changes</em>, an
       arbitrary file may be overwritten with the bug report
       template.</p>
       </body>
    </description>
    <references>
      <mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108023246916294&amp;w=2</mlist>
      <url>http://bugs.mysql.com/bug.php?id=3284</url>
      <bid>9976</bid>
      <cvename>CAN-2004-0381</cvename>
    </references>
    <dates>
      <discovery>2004-03-25</discovery>
      <entry>2004-04-16</entry>
      <modified>2004-05-21</modified>
    </dates>
  </vuln>

  <vuln vid="35f6fdf8-a425-11d8-9c6d-0020ed76ef5a">
    <topic>Cyrus IMAP pre-authentication heap overflow vulnerability</topic>
    <affects>
      <package>
    <name>cyrus</name>
    <range><lt>2.0.17</lt></range>
    <range><ge>2.1</ge><lt>2.1.11</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>In December 2002, Timo Sirainen reported:</p>
    <blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=103886607825605">
      <p>Cyrus IMAP server has a a remotely exploitable pre-login
        buffer overflow. [...] Note that you don't have to log in
        before exploiting this, and since Cyrus
        runs everything under one UID, it's possible to read every
        user's mail in the system.</p>
    </blockquote>
    <p>It is unknown whether this vulnerability is exploitable for code
      execution on FreeBSD systems.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2002-1580</cvename>
      <bid>6298</bid>
      <certvu>740169</certvu>
      <mlist msgid="20021202175606.GA26254@irccrew.org">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=103886607825605</mlist>
      <mlist>http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&amp;msg=19349</mlist>
    </references>
    <dates>
      <discovery>2002-12-02</discovery>
      <entry>2004-05-12</entry>
      <modified>2004-06-27</modified>
    </dates>
  </vuln>

  <vuln vid="20be2982-4aae-11d8-96f2-0020ed76ef5a">
    <topic>fsp buffer overflow and directory traversal vulnerabilities</topic>
    <affects>
      <package>
    <name>fspd</name>
    <range><lt>2.8.1.19</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>The <a href="http://www.debian.org/security">Debian
    security team</a> reported a pair of vulnerabilities in
    fsp:</p>
    <blockquote cite="http://www.debian.org/security/2004/dsa-416">
      <p>A vulnerability was discovered in fsp, client utilities
      for File Service Protocol (FSP), whereby a remote user could
      both escape from the FSP root directory (CAN-2003-1022), and
      also overflow a fixed-length buffer to execute arbitrary
      code (CAN-2004-0011).</p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-1022</cvename>
      <cvename>CAN-2004-0011</cvename>
      <url>http://www.debian.org/security/2004/dsa-416</url>
    </references>
    <dates>
      <discovery>2004-01-06</discovery>
      <entry>2004-01-19</entry>
      <modified>2004-05-17</modified>
    </dates>
  </vuln>

  <vuln vid="cb6c6c29-9c4f-11d8-9366-0020ed76ef5a">
    <topic>proftpd IP address access control list breakage</topic>
    <affects>
      <package>
    <name>proftpd</name>
    <range><ge>1.2.9</ge><lt>1.2.10.r1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Jindrich Makovicka reports a regression in proftpd's
      handling of IP address access control lists (IP ACLs).  Due
      to this regression, some IP ACLs are treated as ``allow
      all''.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0432</cvename>
      <url>http://bugs.proftpd.org/show_bug.cgi?id=2267</url>
    </references>
    <dates>
      <discovery>2003-11-04</discovery>
      <entry>2004-05-02</entry>
      <modified>2004-05-15</modified>
    </dates>
  </vuln>

  <vuln vid="700d43b4-a42a-11d8-9c6d-0020ed76ef5a">
    <topic>Cyrus IMSPd multiple vulnerabilities</topic>
    <affects>
      <package>
    <name>cyrus-imspd</name>
    <range><lt>1.6a5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>The Cyrus team reported multiple vulnerabilities in older
      versions of Cyrus IMSPd:</p>
    <blockquote cite="http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&amp;msg=25">
      <p>These releases correct a recently discovered buffer
        overflow vulnerability, as well as clean up a significant
        amount of buffer handling throughout the code.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <mlist>http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&amp;msg=25</mlist>
    </references>
    <dates>
      <discovery>2004-12-12</discovery>
      <entry>2004-05-12</entry>
      <modified>2004-06-27</modified>
    </dates>
  </vuln>

  <vuln vid="fde53204-7ea6-11d8-9645-0020ed76ef5a">
    <topic>insecure temporary file creation in xine-check, xine-bugreport</topic>
    <affects>
      <package>
    <name>xine</name>
    <range><lt>0.9.23_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Some scripts installed with xine create temporary files
      insecurely.  It is recommended that these scripts (xine-check,
      xine-bugreport) not be used.  They are not needed for normal
      operation.</p>
      </body>
    </description>
    <references>
      <mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=107997911025558</mlist>
      <bid>9939</bid>
    </references>
    <dates>
      <discovery>2004-03-20</discovery>
      <entry>2004-03-26</entry>
      <modified>2004-05-09</modified>
    </dates>
  </vuln>

  <vuln vid="5f29c2e4-9f6a-11d8-abbc-00e08110b673">
    <topic>exim buffer overflow when verify = header_syntax is used</topic>
    <affects>
      <package>
    <name>exim</name>
    <name>exim-ldap2</name>
    <name>exim-mysql</name>
    <name>exim-postgresql</name>
    <range><lt>4.33+20_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A remote exploitable buffer overflow has been discovered
      in exim when verify = header_syntax is used in the
      configuration file. This does not affect the default
      configuration.</p>
      </body>
    </description>
    <references>
      <url>http://www.guninski.com/exim1.html</url>
      <cvename>CAN-2004-0400</cvename>
    </references>
    <dates>
      <discovery>2004-05-06</discovery>
      <entry>2004-05-06</entry>
    </dates>
  </vuln>

  <vuln vid="a56a72bb-9f72-11d8-9585-0020ed76ef5a">
    <topic>phpBB session table exhaustion</topic>
    <affects>
      <package>
    <name>phpbb</name>
    <range><le>2.0.8_2</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>The includes/sessions.php unnecessarily adds session item into
      session table and therefore vulnerable to a denial-of-service
      attack.</p>
    </body>
    </description>
    <references>
      <mlist msgid="20040421011055.GA1448@frontfree.net">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108256462710010</mlist>
    </references>
    <dates>
      <discovery>2004-03-05</discovery>
      <entry>2004-05-06</entry>
    </dates>
  </vuln>

  <vuln vid="446dbecb-9edc-11d8-9366-0020ed76ef5a">
    <topic>heimdal kadmind remote heap buffer overflow</topic>
    <affects>
      <package>
    <name>heimdal</name>
    <range><lt>0.6.1_1</lt></range>
      </package>
      <system>
    <name>FreeBSD</name>
    <range><ge>4.9</ge><lt>4.9_7</lt></range>
    <range><ge>4.0</ge><lt>4.8_20</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>An input validation error was discovered in the kadmind
      code that handles the framing of Kerberos 4 compatibility
      administration requests.  The code assumed that the length
      given in the framing was always two or more bytes.  Smaller
      lengths will cause kadmind to read an arbitrary amount of
      data into a minimally-sized buffer on the heap.</p>
    <p>A remote attacker may send a specially formatted message
      to kadmind, causing it to crash or possibly resulting in
      arbitrary code execution.</p>
    <p>The kadmind daemon is part of Kerberos 5 support.  However,
      this bug will only be present if kadmind was built with
      additional Kerberos 4 support.  Thus, only systems that have
      *both* Heimdal Kerberos 5 and Kerberos 4 installed might
      be affected.</p>
    <p><em>NOTE:</em> On FreeBSD 4 systems, `kadmind' may be
      installed as `k5admind'.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0434</cvename>
      <freebsdsa>SA-04:09.kadmind</freebsdsa>
    </references>
    <dates>
      <discovery>2004-05-05</discovery>
      <entry>2004-05-05</entry>
    </dates>
  </vuln>

  <vuln vid="0792e7a7-8e37-11d8-90d1-0020ed76ef5a">
    <topic>CVS path validation errors</topic>
    <affects>
      <package>
    <name>cvs+ipv6</name>
    <range><le>1.11.5_1</le></range>
      </package>
      <system>
    <name>FreeBSD</name>
    <range><ge>5.2</ge><lt>5.2.1_5</lt></range>
    <range><ge>4.9</ge><lt>4.9_5</lt></range>
    <range><ge>4.8</ge><lt>4.8_18</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Two programming errors were discovered in which path names
      handled by CVS were not properly validated.  In one case,
      the CVS client accepts absolute path names from the server
      when determining which files to update.  In another case,
      the CVS server accepts relative path names from the client
      when determining which files to transmit, including those
      containing references to parent directories (`../').</p>
    <p>These programming errors generally only have a security
      impact when dealing with remote CVS repositories.</p>
    <p>A malicious CVS server may cause a CVS client to overwrite
      arbitrary files on the client's system.</p>
    <p>A CVS client may request RCS files from a remote system
      other than those in the repository specified by $CVSROOT.
      These RCS files need not be part of any CVS repository
      themselves.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0180</cvename>
      <cvename>CAN-2004-0405</cvename>
      <url>http://ccvs.cvshome.org/servlets/NewsItemView?newsID=102</url>
      <freebsdsa>SA-04:07.cvs</freebsdsa>
    </references>
    <dates>
      <discovery>2004-04-14</discovery>
      <entry>2004-04-14</entry>
      <modified>2004-05-05</modified>
    </dates>
  </vuln>

  <vuln vid="7229d900-88af-11d8-90d1-0020ed76ef5a">
    <topic>mksnap_ffs clears file system options</topic>
    <affects>
      <system>
    <name>FreeBSD</name>
    <range><ge>5.2</ge><lt>5.2_1</lt></range>
    <range><ge>5.1</ge><lt>5.1_12</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>The kernel interface for creating a snapshot of a
      filesystem is the same as that for changing the flags on
      that filesystem.  Due to an oversight, the <a href="http://www.freebsd.org/cgi/man.cgi?query=mksnap_ffs">mksnap_ffs(8)</a>
      command called that interface with only the snapshot flag
      set, causing all other flags to be reset to the default
      value.</p>
    <p>A regularly scheduled backup of a live filesystem, or
      any other process that uses the mksnap_ffs command
      (for instance, to provide a rough undelete functionality
      on a file server), will clear any flags in effect on the
      filesystem being snapshot.  Possible consequences depend
      on local usage, but can include disabling extended access
      control lists or enabling the use of setuid executables
      stored on an untrusted filesystem.</p>
    <p>The mksnap_ffs command is normally only available to
      the superuser and members of the `operator' group.  There
      is therefore no risk of a user gaining elevated privileges
      directly through use of the mksnap_ffs command unless
      it has been intentionally made available to unprivileged
      users.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0099</cvename>
      <freebsdsa>SA-04:01.mksnap_ffs</freebsdsa>
    </references>
    <dates>
      <discovery>2004-01-30</discovery>
      <entry>2004-04-07</entry>
      <modified>2004-05-05</modified>
    </dates>
  </vuln>

  <vuln vid="f95a9005-88ae-11d8-90d1-0020ed76ef5a">
    <topic>shmat reference counting bug</topic>
    <affects>
      <system>
    <name>FreeBSD</name>
    <range><ge>5.2</ge><lt>5.2_2</lt></range>
    <range><ge>5.1</ge><lt>5.1_14</lt></range>
    <range><ge>5.0</ge><lt>5.0_20</lt></range>
    <range><ge>4.9</ge><lt>4.9_2</lt></range>
    <range><ge>4.8</ge><lt>4.8_15</lt></range>
    <range><lt>4.7_25</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A programming error in the <a href="http://www.freebsd.org/cgi/man.cgi?query=shmat">shmat(2)</a> system call can result
      in a shared memory segment's reference count being erroneously
      incremented.</p>
    <p>It may be possible to cause a shared memory segment to
      reference unallocated kernel memory, but remain valid.
      This could allow a local attacker to gain read or write
      access to a portion of kernel memory, resulting in sensitive
      information disclosure, bypass of access control mechanisms,
      or privilege escalation. </p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0114</cvename>
      <freebsdsa>SA-04:02.shmat</freebsdsa>
      <url>http://www.pine.nl/press/pine-cert-20040201.txt</url>
    </references>
    <dates>
      <discovery>2004-02-01</discovery>
      <entry>2004-04-07</entry>
      <modified>2004-05-05</modified>
    </dates>
  </vuln>

  <vuln vid="9082a85a-88ae-11d8-90d1-0020ed76ef5a">
    <topic>jailed processes can attach to other jails</topic>
    <affects>
      <system>
    <name>FreeBSD</name>
    <range><ge>5.1</ge><lt>5.1_14</lt></range>
    <range><ge>5.2</ge><lt>5.2.1</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A programming error has been found in the <a href="http://www.freebsd.org/cgi/man.cgi?query=jail_attach">jail_attach(2)</a>
      system call which affects the way that system call verifies
      the privilege level of the calling process.  Instead of
      failing immediately if the calling process was already
      jailed, the jail_attach system call would fail only after
      changing the calling process's root directory.</p>
    <p>A process with superuser privileges inside a jail could
      change its root directory to that of a different jail,
      and thus gain full read and write access to files and
      directories within the target jail. </p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0126</cvename>
      <freebsdsa>SA-04:03.jail</freebsdsa>
    </references>
    <dates>
      <discovery>2004-02-19</discovery>
      <entry>2004-04-07</entry>
      <modified>2004-05-05</modified>
    </dates>
  </vuln>

  <vuln vid="e289f7fd-88ac-11d8-90d1-0020ed76ef5a">
    <topic>many out-of-sequence TCP packets denial-of-service</topic>
    <affects>
      <system>
    <name>FreeBSD</name>
    <range><ge>5.2</ge><lt>5.2.1_2</lt></range>
    <range><ge>5.0</ge><lt>5.1_15</lt></range>
    <range><ge>4.9</ge><lt>4.9_3</lt></range>
    <range><ge>4.8</ge><lt>4.8_16</lt></range>
    <range><lt>4.7_26</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>FreeBSD does not limit the number of TCP segments that
    may be held in a reassembly queue.  A remote attacker may
    conduct a low-bandwidth denial-of-service attack against
    a machine providing services based on TCP (there are many
    such services, including HTTP, SMTP, and FTP).  By sending
    many out-of-sequence TCP segments, the attacker can cause
    the target machine to consume all available memory buffers
    (``mbufs''), likely leading to a system crash. </p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0171</cvename>
      <freebsdsa>SA-04:04.tcp</freebsdsa>
      <url>http://www.idefense.com/application/poi/display?id=78&amp;type=vulnerabilities</url>
    </references>
    <dates>
      <discovery>2004-02-18</discovery>
      <entry>2004-04-07</entry>
      <modified>2004-05-05</modified>
    </dates>
  </vuln>

  <vuln vid="2c6acefd-8194-11d8-9645-0020ed76ef5a">
    <topic>setsockopt(2) IPv6 sockets input validation error</topic>
    <affects>
      <system>
    <name>FreeBSD</name>
    <range><ge>5.2</ge><lt>5.2.1_4</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>From the FreeBSD Security Advisory:</p>
    <blockquote>
      <p>A programming error in the handling of some IPv6 socket
        options within the <a href="http://www.freebsd.org/cgi/man.cgi?query=setsockopt">setsockopt(2)</a> system call may result
        in memory locations being accessed without proper
        validation.</p>
      <p>It may be possible for a local attacker to read portions
        of kernel memory, resulting in disclosure of sensitive
        information.  A local attacker can cause a system
        panic.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0370</cvename>
      <freebsdsa>SA-04:06.ipv6</freebsdsa>
    </references>
    <dates>
      <discovery>2004-03-29</discovery>
      <entry>2004-03-29</entry>
      <modified>2004-05-05</modified>
    </dates>
  </vuln>

  <vuln vid="68233cba-7774-11d8-89ed-0020ed76ef5a">
    <topic>OpenSSL ChangeCipherSpec denial-of-service vulnerability</topic>
    <affects>
      <package>
    <name>openssl</name>
    <name>openssl-beta</name>
    <range><lt>0.9.7d</lt></range>
      </package>
      <system>
    <name>FreeBSD</name>
    <range><ge>4.0</ge><lt>4.8_17</lt></range>
    <range><ge>4.9</ge><lt>4.9_4</lt></range>
    <range><ge>5.0</ge><lt>5.1_16</lt></range>
    <range><ge>5.2</ge><lt>5.2.1_3</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A remote attacker could cause an application using OpenSSL to
      crash by performing a specially crafted SSL/TLS handshake.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0079</cvename>
      <url>http://www.openssl.org/news/secadv_20040317.txt</url>
      <freebsdsa>SA-04:05.openssl</freebsdsa>
      <certvu>288574</certvu>
      <bid>9899</bid>
    </references>
    <dates>
      <discovery>2004-03-17</discovery>
      <entry>2004-03-17</entry>
      <modified>2004-05-05</modified>
    </dates>
  </vuln>

  <vuln vid="f04cc5cb-2d0b-11d8-beaf-000a95c4d922">
    <topic>bind8 negative cache poison attack</topic>
    <affects>
      <package>
    <name>bind</name>
    <range><ge>8.3</ge><lt>8.3.7</lt></range>
    <range><ge>8.4</ge><lt>8.4.3</lt></range>
      </package>
      <system>
    <name>FreeBSD</name>
    <range><ge>5.1</ge><lt>5.1_11</lt></range>
    <range><ge>5.0</ge><lt>5.0_19</lt></range>
    <range><ge>4.9</ge><lt>4.9_1</lt></range>
    <range><ge>4.8</ge><lt>4.8_14</lt></range>
    <range><ge>4.7</ge><lt>4.7_24</lt></range>
    <range><ge>4.6</ge><lt>4.6.2_27</lt></range>
    <range><ge>4.5</ge><lt>4.5_37</lt></range>
    <range><lt>4.4_47</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A programming error in BIND 8 named can result in a DNS
    message being incorrectly cached as a negative response.  As
    a result, an attacker may arrange for malicious DNS messages
    to be delivered to a target name server, and cause that name
    server to cache a negative response for some target domain
    name.  The name server would thereafter respond negatively
    to legitimate queries for that domain name, resulting in a
    denial-of-service for applications that require DNS.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0914</cvename>
      <freebsdsa>SA-03:19.bind</freebsdsa>
      <certvu>734644</certvu>
    </references>
    <dates>
      <discovery>2003-11-28</discovery>
      <entry>2003-12-12</entry>
      <modified>2004-05-05</modified>
    </dates>
  </vuln>

  <vuln vid="bfb36941-84fa-11d8-a41f-0020ed76ef5a">
    <topic>Incorrect cross-realm trust handling in Heimdal</topic>
    <affects>
      <package>
    <name>heimdal</name>
    <range><lt>0.6.1</lt></range>
      </package>
      <system>
    <name>FreeBSD</name>
    <range><ge>5.0</ge><lt>5.2_6</lt></range>
    <range><ge>4.9</ge><lt>4.9_6</lt></range>
    <range><ge>4.0</ge><lt>4.8_19</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Heimdal does not correctly validate the `transited' field of
      Kerberos tickets when computing the authentication path.  This
      could allow a rogue KDC with which cross-realm relationships
      have been established to impersonate any KDC in the
      authentication path.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0371</cvename>
      <freebsdsa>SA-04:08.heimdal</freebsdsa>
      <url>http://www.pdc.kth.se/heimdal/advisory/2004-04-01/</url>
    </references>
    <dates>
      <discovery>2004-04-01</discovery>
      <entry>2004-04-02</entry>
      <modified>2004-05-05</modified>
    </dates>
  </vuln>

  <vuln vid="a2ffb627-9c53-11d8-9366-0020ed76ef5a">
    <topic>lha buffer overflows and path traversal issues</topic>
    <affects>
      <package>
    <name>lha</name>
    <range><lt>1.14i_4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Ulf Härnhammar discovered several vulnerabilities in
      LHa for UNIX's path name handling code.  Specially constructed
      archive files may cause LHa to overwrite files or
      execute arbitrary code with the privileges of the user
      invoking LHa.  This could be particularly harmful for
      automated systems that might handle archives such as
      virus scanning processes.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0234</cvename>
      <cvename>CAN-2004-0235</cvename>
    </references>
    <dates>
      <discovery>2004-04-29</discovery>
      <entry>2004-05-02</entry>
      <modified>2004-05-03</modified>
    </dates>
  </vuln>

  <vuln vid="3a408f6f-9c52-11d8-9366-0020ed76ef5a">
    <topic>libpng denial-of-service</topic>
    <affects>
      <package>
    <name>linux-png</name>
    <range><le>1.0.14_3</le></range>
    <range><ge>1.2</ge><le>1.2.2</le></range>
      </package>
      <package>
    <name>png</name>
    <range><lt>1.2.5_4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Steve Grubb reports a buffer read overrun in
      libpng's png_format_buffer function.  A specially
      constructed PNG image processed by an application using
      libpng may trigger the buffer read overrun and possibly
      result in an application crash.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0421</cvename>
      <url>http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120508</url>
      <url>http://rhn.redhat.com/errata/RHSA-2004-181.html</url>
      <url>http://secunia.com/advisories/11505</url>
      <url>http://www.osvdb.org/5726</url>
      <bid>10244</bid>
    </references>
    <dates>
      <discovery>2004-04-29</discovery>
      <entry>2004-05-02</entry>
      <modified>2004-08-12</modified>
    </dates>
  </vuln>

  <vuln vid="8338a20f-9573-11d8-9366-0020ed76ef5a">
    <topic>xchat remotely exploitable buffer overflow (Socks5)</topic>
    <affects>
      <package>
    <name>xchat2</name>
    <range><ge>1.8</ge><lt>2.0.8_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A straightforward stack buffer overflow exists in XChat's
      Socks5 proxy support.</p>
    <p>The XChat developers report that `tsifra' discovered this
      issue.</p>
    <p>NOTE: XChat Socks5 support is disabled by support in the
      FreeBSD Ports Collection.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0409</cvename>
      <url>http://xchat.org/files/source/2.0/patches/xc208-fixsocks5.diff</url>
      <mlist msgid="20040405171305.04f19c44.zed@xchat.org">http://marc.theaimsgroup.com/?l=xchat-announce&amp;m=108114935507357</mlist>
    </references>
    <dates>
      <discovery>2004-04-05</discovery>
      <entry>2004-04-23</entry>
      <modified>2004-05-03</modified>
    </dates>
  </vuln>

  <vuln vid="73ea0706-9c57-11d8-9366-0020ed76ef5a">
    <topic>rsync path traversal issue</topic>
    <affects>
      <package>
    <name>rsync</name>
    <range><lt>2.6.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>When running rsync in daemon mode, no checks were made
      to prevent clients from writing outside of a module's
    `path' setting.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0426</cvename>
      <url>http://rsync.samba.org/#security_apr04</url>
    </references>
    <dates>
      <discovery>2004-04-26</discovery>
      <entry>2004-05-02</entry>
    </dates>
  </vuln>

  <vuln vid="e50b04e8-9c55-11d8-9366-0020ed76ef5a">
    <topic>xine-lib arbitrary file overwrite</topic>
    <affects>
      <package>
    <name>libxine</name>
    <range><gt>0.9</gt><lt>1.0.r3_5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>From the xinehq advisory:</p>
    <blockquote cite="http://www.xinehq.de/index.php/security/XSA-2004-1">
      <p>By opening a malicious MRL in any xine-lib based media
        player, an attacker can write arbitrary content to an
        arbitrary file, only restricted by the permissions of the
        user running the application.</p>
    </blockquote>
    <p>The flaw is a result of a feature that allows MRLs (media
      resource locator URIs) to specify arbitrary configuration
      options.</p>
      </body>
    </description>
    <references>
      <bid>10193</bid>
      <url>http://www.xinehq.de/index.php/security/XSA-2004-1</url>
    </references>
    <dates>
      <discovery>2004-04-20</discovery>
      <entry>2004-05-02</entry>
    </dates>
  </vuln>

  <vuln vid="0c6f3fde-9c51-11d8-9366-0020ed76ef5a">
    <topic>Midnight Commander buffer overflows, format string bugs, and insecure temporary file handling</topic>
    <affects>
      <package>
    <name>mc</name>
    <range><lt>4.6.0_10</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Jakub Jelinek reports several security related bugs in
      Midnight Commander, including:</p>
    <ul>
      <li>Multiple buffer overflows (CAN-2004-0226)</li>
      <li>Insecure temporary file handling (CAN-2004-0231)</li>
      <li>Format string bug (CAN-2004-0232)</li>
    </ul>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0226</cvename>
      <cvename>CAN-2004-0231</cvename>
      <cvename>CAN-2004-0232</cvename>
    </references>
    <dates>
      <discovery>2004-04-29</discovery>
      <entry>2004-05-02</entry>
      <modified>2004-06-14</modified>
    </dates>
  </vuln>

  <vuln vid="fb521119-9bc4-11d8-9366-0020ed76ef5a">
    <topic>pound remotely exploitable vulnerability</topic>
    <affects>
      <package>
    <name>pound</name>
    <range><lt>1.6</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>An unknown remotely exploitable vulnerability was disclosed.
      Robert Segall writes:</p>
    <blockquote cite="http://www.apsis.ch/pound/pound_list/archive/2003/2003-12/1070234315000">
      <p>a security vulnerability was brought to my attention
        (many thanks to Akira Higuchi).  Everyone running any
        previous version should upgrade to 1.6 immediately - the
        vulnerability may allow a remote exploit. No exploits are
        currently known and none have been observed in the wild
        till now. The danger is minimised if you run Pound in a
        root jail and/or you run Pound as non-root user.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <mlist>http://www.apsis.ch/pound/pound_list/archive/2003/2003-12/1070234315000</mlist>
    </references>
    <dates>
      <discovery>2003-12-01</discovery>
      <entry>2004-05-02</entry>
    </dates>
  </vuln>

  <vuln vid="84237895-8f39-11d8-8b29-0020ed76ef5a">
    <topic>neon format string vulnerabilities</topic>
    <affects>
      <package>
    <name>neon</name>
    <range><lt>0.24.5</lt></range>
      </package>
      <package>
    <name>tla</name>
    <range><lt>1.2_1</lt></range>
      </package>
      <package>
    <name>sitecopy</name>
    <range><le>0.13.4_1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Greuff reports that the neon WebDAV client library contains
      several format string bugs within error reporting code.  A
      malicious server may exploit these bugs by sending specially
      crafted PROPFIND or PROPPATCH responses.</p>
    <p>Although several applications include neon, such as cadaver and
      subversion, the FreeBSD Ports of these applications are not
      impacted.  They are specifically configured to NOT use the
      included neon.  Only packages listed as affected in this
      notice are believed to be impacted.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0179</cvename>
      <url>http://www.webdav.org/neon/</url>
      <url>http://secunia.com/advisories/11785</url>
    </references>
    <dates>
      <discovery>2004-04-14</discovery>
      <entry>2004-04-15</entry>
      <modified>2004-06-25</modified>
    </dates>
  </vuln>

  <vuln vid="cfe17ca6-6858-4805-ba1d-a60a61ec9b4d">
    <topic>phpBB IP address spoofing</topic>
    <affects>
      <package>
    <name>phpbb</name>
    <range><le>2.0.8_2</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>The common.php script always trusts the `X-Forwarded-For'
    header in the client's HTTP request.  A remote user could
    forge this header in order to bypass any IP address access
    control lists (ACLs).</p>
      </body>
    </description>
    <references>
      <mlist msgid="20040419000129.28917.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108239864203144</mlist>
    </references>
    <dates>
      <discovery>2004-04-18</discovery>
      <entry>2004-04-23</entry>
    </dates>
  </vuln>

  <vuln vid="c7705712-92e6-11d8-8b29-0020ed76ef5a">
    <topic>TCP denial-of-service attacks against long lived connections</topic>
    <affects>
      <system>
    <name>FreeBSD</name>
    <range><ge>0</ge></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p><a href="http://www.niscc.gov.uk/">NISCC</a> /
      <a href="http://www.uniras.gov.uk/">UNIRAS</a> has published
      an advisory that re-visits the long discussed spoofed TCP RST
      denial-of-service vulnerability.  This new look emphasizes
      the fact that for some applications such attacks are
      practically feasible.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0230</cvename>
      <url>http://www.uniras.gov.uk/vuls/2004/236929/index.htm</url>
    </references>
    <dates>
      <discovery>1995-06-01</discovery>
      <entry>2004-04-23</entry>
    </dates>
  </vuln>

  <vuln vid="99230277-8fb4-11d8-8b29-0020ed76ef5a">
    <topic>ident2 double byte buffer overflow</topic>
    <affects>
      <package>
    <name>ident2</name>
    <range><le>1.04</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Jack of RaptureSecurity reported a double byte buffer
      overflow in ident2. The bug may allow a remote attacker to
      execute arbitrary code within the context of the ident2
      daemon.  The daemon typically runs as user-ID `nobody', but
      with group-ID `wheel'.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0408</cvename>
      <url>http://cvsweb.freebsd.org/ports/security/ident2/files/patch-common.c</url>
    </references>
    <dates>
      <discovery>2004-04-15</discovery>
      <entry>2004-04-23</entry>
    </dates>
  </vuln>

  <vuln vid="da6f265b-8f3d-11d8-8b29-0020ed76ef5a">
    <topic>kdepim exploitable buffer overflow in VCF reader</topic>
    <affects>
      <package>
    <name>kdepim</name>
    <range><ge>3.1.0</ge><lt>3.1.4_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A buffer overflow is present in some versions of the KDE
      personal information manager (kdepim) which may be triggered
      when processing a specially crafted VCF file.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0988</cvename>
      <url>http://www.kde.org/info/security/advisory-20040114-1.txt</url>
    </references>
    <dates>
      <discovery>2004-01-14</discovery>
      <entry>2004-04-15</entry>
    </dates>
  </vuln>

  <vuln vid="27c331d5-64c7-11d8-80e3-0020ed76ef5a">
    <topic>Vulnerabilities in H.323 implementations</topic>
    <affects>
      <package>
    <name>pwlib</name>
    <range><lt>1.5.0_5</lt></range>
      </package>
      <package>
    <name>asterisk</name>
    <range><le>0.7.2</le></range>
      </package>
      <package>
    <name>openh323</name>
    <range><lt>1.12.0_4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>The <a href="http://www.niscc.gov.uk/">NISCC</a> and the <a href="http://www.ee.oulu.fi/research/ouspg/">OUSPG</a>
      developed a test suite for the H.323 protocol.  This test
      suite has uncovered vulnerabilities in several H.323
      implementations with impacts ranging from denial-of-service
      to arbitrary code execution.</p>
    <p>In the FreeBSD Ports Collection, `pwlib' is directly
      affected.  Other applications such as `asterisk' and
      `openh323' incorporate `pwlib' statically and so are also
      independently affected.</p>
      </body>
    </description>
    <references>
      <!-- General references -->
      <url>http://www.uniras.gov.uk/vuls/2004/006489/h323.htm</url>
      <url>http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html</url>
      <certsa>CA-2004-01</certsa>
      <certvu>749342</certvu>
      <!-- pwlib and pwlib-using applications -->
      <cvename>CAN-2004-0097</cvename>
      <url>http://www.southeren.com/blog/archives/000055.html</url>
    </references>
    <dates>
      <discovery>2004-01-13</discovery>
      <entry>2004-02-22</entry>
      <modified>2004-06-08</modified>
    </dates>
  </vuln>

  <vuln vid="ccd698df-8e20-11d8-90d1-0020ed76ef5a">
    <topic>racoon remote denial of service vulnerability (ISAKMP header length field)</topic>
    <affects>
      <package>
    <name>racoon</name>
    <range><lt>20040408a</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>When racoon receives an ISAKMP header, it will attempt to
      allocate sufficient memory for the entire ISAKMP message
      according to the header's length field.  If an attacker
      crafts an ISAKMP header with a ridiculously large value
      in the length field, racoon may exceed operating system
      resource limits and be terminated, resulting in a denial of
      service.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0403</cvename>
      <url>http://www.kame.net/dev/cvsweb2.cgi/kame/kame/kame/racoon/isakmp.c.diff?r1=1.180&amp;r2=1.181</url>
    </references>
    <dates>
      <discovery>2004-03-31</discovery>
      <entry>2004-04-14</entry>
    </dates>
  </vuln>

  <vuln vid="40fcf20f-8891-11d8-90d1-0020ed76ef5a">
    <topic>racoon remote denial of service vulnerability (IKE Generic Payload Header)</topic>
    <affects>
      <package>
    <name>racoon</name>
    <range><lt>20040407b</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>When racoon receives an IKE message with an incorrectly
      constructed Generic Payload Header, it may behave erratically,
      going into a tight loop and dropping connections.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0392</cvename>
      <url>http://orange.kame.net/dev/query-pr.cgi?pr=555</url>
    </references>
    <dates>
      <discovery>2003-12-03</discovery>
      <entry>2004-04-07</entry>
      <modified>2004-04-14</modified>
    </dates>
  </vuln>

  <vuln vid="f8551668-de09-4d7b-9720-f1360929df07">
    <topic>tcpdump ISAKMP payload handling remote denial-of-service</topic>
    <affects>
      <package>
    <name>tcpdump</name>
    <range><lt>3.8.3</lt></range>
      </package>
      <package>
    <name>racoon</name>
    <range><lt>20040408a</lt></range>
      </package>
      <system>
    <name>FreeBSD</name>
    <range><ge>0</ge></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Chad Loder has discovered vulnerabilities in tcpdump's
      ISAKMP protocol handler.  During an audit to repair these
      issues, Bill Fenner discovered some related problems.</p>
    <p>These vulnerabilities may be used by an attacker to crash a
      running `tcpdump' process.  They can only be triggered if
      the `-v' command line option is being used.</p>
    <p>NOTE: the racoon ISAKMP/IKE daemon incorporates the ISAKMP
      protocol handler from tcpdump, and so is also affected by
      this issue.</p>
      </body>
    </description>
    <references>
      <mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108067265931525</mlist>
      <url>http://www.rapid7.com/advisories/R7-0017.html</url>
      <cvename>CAN-2004-0183</cvename>
      <cvename>CAN-2004-0184</cvename>
    </references>
    <dates>
      <discovery>2004-03-12</discovery>
      <entry>2004-03-31</entry>
      <modified>2004-04-14</modified>
    </dates>
  </vuln>

  <vuln vid="322d4ff6-85c3-11d8-a41f-0020ed76ef5a">
    <topic>Midnight Commander buffer overflow during symlink resolution</topic>
    <affects>
      <package>
    <name>mc</name>
    <range><lt>4.6.0_9</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Midnight Commander uses a fixed sized stack buffer while
      resolving symbolic links within file archives (tar or cpio).
      If an attacker can cause a user to process a specially
      crafted file archive with Midnight Commander,
      the attacker may be able to obtain the privileges of the
      target user.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-1023</cvename>
      <mlist msgid="E1A0LbX-000NPk-00.alienhard-mail-ru@f9.mail.ru">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=106399528518704</mlist>
      <bid>8658</bid>
    </references>
    <dates>
      <discovery>2003-09-19</discovery>
      <entry>2004-04-03</entry>
      <modified>2004-04-13</modified>
    </dates>
  </vuln>

  <vuln vid="d8769838-8814-11d8-90d1-0020ed76ef5a">
    <topic>racoon fails to verify signature during Phase 1</topic>
    <affects>
      <package>
    <name>racoon</name>
    <range><lt>20040407b</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Ralf Spenneberg discovered a serious flaw in racoon.
      When using Phase 1 main or aggressive mode, racoon does
      not verify the client's RSA signature.  Any installations
      using <em>X.509 authentication</em> are <strong>strongly
      urged</strong> to upgrade.</p>
    <p>Installations using <em>pre-shared keys</em> are believed
      to be unaffected.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0155</cvename>
      <url>http://www.kame.net/dev/cvsweb2.cgi/kame/kame/kame/racoon/crypto_openssl.c?rev=1.84&amp;content-type=text/x-cvsweb-markup</url>
    </references>
    <dates>
      <discovery>2004-04-05</discovery>
      <entry>2004-04-07</entry>
    </dates>
  </vuln>

  <vuln vid="6fd02439-5d70-11d8-80e3-0020ed76ef5a">
    <topic>Several remotely exploitable buffer overflows in gaim</topic>
    <affects>
      <package>
    <name>gaim</name>
    <range><lt>0.75_3</lt></range>
    <range><eq>0.75_5</eq></range>
    <range><eq>0.76</eq></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Stefan Esser of e-matters found almost a dozen remotely
      exploitable vulnerabilities in Gaim.  From the e-matters
      advisory:</p>
    <blockquote cite="http://security.e-matters.de/advisories/012004.txt">
      <p>While developing a custom add-on, an integer overflow
      in the handling of AIM DirectIM packets was revealed that
      could lead to a remote compromise of the IM client. After
      disclosing this bug to the vendor, they had to make a
      hurried release because of a change in the Yahoo connection
      procedure that rendered GAIM useless. Unfourtunately at the
      same time a closer look onto the sourcecode revealed 11 more
      vulnerabilities.</p>

      <p>The 12 identified problems range from simple standard
      stack overflows, over heap overflows to an integer overflow
      that can be abused to cause a heap overflow. Due to the
      nature of instant messaging many of these bugs require
      man-in-the-middle attacks between client and server. But the
      underlying protocols are easy to implement and MIM attacks
      on ordinary TCP sessions is a fairly simple task.</p>

      <p>In combination with the latest kernel vulnerabilities or
      the habit of users to work as root/administrator these bugs
      can result in remote root compromises.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <url>http://security.e-matters.de/advisories/012004.txt</url>
      <cvename>CAN-2004-0005</cvename>
      <cvename>CAN-2004-0006</cvename>
      <cvename>CAN-2004-0007</cvename>
      <cvename>CAN-2004-0008</cvename>
    </references>
    <dates>
      <discovery>2004-01-26</discovery>
      <entry>2004-02-12</entry>
      <modified>2004-04-07</modified>
    </dates>
  </vuln>

  <vuln vid="290d81b9-80f1-11d8-9645-0020ed76ef5a">
    <topic>oftpd denial-of-service vulnerability (PORT command)</topic>
    <affects>
      <package>
    <name>oftpd</name>
    <range><lt>0.3.7</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Philippe Oechslin reported a denial-of-service vulnerability
      in oftpd.  The oftpd server can be crashed by sending a PORT
      command containing an integer over 8 bits long (over 255).</p>
      </body>
    </description>
    <references>
      <url>http://www.time-travellers.org/oftpd/oftpd-dos.html</url>
      <bid>9980</bid>
      <cvename>CAN-2004-0376</cvename>
    </references>
    <dates>
      <discovery>2004-03-04</discovery>
      <entry>2004-03-28</entry>
      <modified>2004-04-05</modified>
    </dates>
  </vuln>

  <vuln vid="98bd69c3-834b-11d8-a41f-0020ed76ef5a">
    <topic>Courier mail services: remotely exploitable buffer overflows</topic>
    <affects>
      <package>
    <name>courier</name>
    <range><lt>0.45</lt></range>
      </package>
      <package>
    <name>courier-imap</name>
    <range><lt>3.0,1</lt></range>
      </package>
      <package>
    <name>sqwebmail</name>
    <range><lt>4.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>The Courier set of mail services use a common Unicode
      library.  This library contains buffer overflows in the
      converters for two popular Japanese character encodings.
      These overflows may be remotely exploitable, triggered by
      a maliciously formatted email message that is later processed
      by one of the Courier mail services.
      From the release notes for the corrected versions of the
      Courier set of mail services:</p>
    <blockquote>
      <p>iso2022jp.c: Converters became (upper-)compatible with
        ISO-2022-JP (RFC1468 / JIS X 0208:1997 Annex 2) and
        ISO-2022-JP-1 (RFC2237).  Buffer overflow vulnerability
        (when Unicode character is out of BMP range) has been
        closed.  Convert error handling was implemented.</p>
      <p>shiftjis.c: Broken SHIFT_JIS converters has been fixed
        and became (upper-)compatible with Shifted Encoding Method
        (JIS X 0208:1997 Annex 1). Buffer overflow vulnerability
        (when Unicode character is out of BMP range) has been
        closed.  Convert error handling was implemented.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0224</cvename>
      <url>http://cvs.sourceforge.net/viewcvs.py/courier/libs/unicode/iso2022jp.c?rev=1.10&amp;view=markup</url>
      <url>http://cvs.sourceforge.net/viewcvs.py/courier/libs/unicode/shiftjis.c?rev=1.6&amp;view=markup</url>
      <bid>9845</bid>
      <url>http://secunia.com/advisories/11087</url>
      <url>http://www.osvdb.org/4194</url>
      <url>http://www.osvdb.org/6927</url>
    </references>
    <dates>
      <discovery>2004-02-01</discovery>
      <entry>2004-03-31</entry>
      <modified>2004-07-16</modified>
    </dates>
  </vuln>

  <vuln vid="b7cb488c-8349-11d8-a41f-0020ed76ef5a">
    <topic>isakmpd payload handling denial-of-service vulnerabilities</topic>
    <affects>
      <package>
    <name>isakmpd</name>
    <range><le>20030903</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Numerous errors in isakmpd's input packet validation lead to
      denial-of-service vulnerabilities.  From the Rapid7 advisory:</p>
    <blockquote cite="http://www.rapid7.com/advisories/R7-0018.html">
      <p>The ISAKMP packet processing functions in OpenBSD's
        isakmpd daemon contain multiple payload handling flaws
        that allow a remote attacker to launch a denial of
        service attack against the daemon.</p>
      <p>Carefully crafted ISAKMP packets will cause the isakmpd
        daemon to attempt out-of-bounds reads, exhaust available
        memory, or loop endlessly (consuming 100% of the CPU).</p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0218</cvename>
      <cvename>CAN-2004-0219</cvename>
      <cvename>CAN-2004-0220</cvename>
      <cvename>CAN-2004-0221</cvename>
      <cvename>CAN-2004-0222</cvename>
      <url>http://www.rapid7.com/advisories/R7-0018.html</url>
      <url>http://www.openbsd.org/errata34.html</url>
    </references>
    <dates>
      <discovery>2004-03-17</discovery>
      <entry>2004-03-31</entry>
      <modified>2004-09-14</modified>
    </dates>
  </vuln>

  <vuln vid="3362f2c1-8344-11d8-a41f-0020ed76ef5a">
    <cancelled />
  </vuln>

  <vuln vid="5e7f58c3-b3f8-4258-aeb8-795e5e940ff8">
    <topic>mplayer heap overflow in http requests</topic>
    <affects>
      <package>
    <name>mplayer</name>
    <name>mplayer-gtk</name>
    <name>mplayer-esound</name>
    <name>mplayer-gtk-esound</name>
    <range><lt>0.92.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A remotely exploitable heap buffer overflow vulnerability was
      found in MPlayer's URL decoding code.  If an attacker can
      cause MPlayer to visit a specially crafted URL, arbitrary code
      execution with the privileges of the user running MPlayer may
      occur.  A `visit' might be caused by social engineering, or a
      malicious web server could use HTTP redirects which MPlayer
      would then process.</p>
      </body>
    </description>
    <references>
      <url>http://www.mplayerhq.hu/homepage/design6/news.html</url>
      <mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108066964709058</mlist>
      <freebsdpr>ports/64974</freebsdpr>
    </references>
    <dates>
      <discovery>2004-03-30</discovery>
      <entry>2004-03-31</entry>
      <modified>2004-06-27</modified>
    </dates>
  </vuln>

  <vuln vid="705e003a-7f36-11d8-9645-0020ed76ef5a">
    <topic>squid ACL bypass due to URL decoding bug</topic>
    <affects>
      <package>
    <name>squid</name>
    <range><lt>squid-2.5.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>From the Squid advisory:</p>
    <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2004_1.txt">
      <p>Squid versions 2.5.STABLE4 and earlier contain a bug
      in the "%xx" URL decoding function.  It may insert a NUL
      character into decoded URLs, which may allow users to bypass
      url_regex ACLs.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.squid-cache.org/Advisories/SQUID-2004_1.txt</url>
      <cvename>CAN-2004-0189</cvename>
    </references>
    <dates>
      <discovery>2004-02-29</discovery>
      <entry>2004-03-26</entry>
      <modified>2004-03-30</modified>
    </dates>
  </vuln>

  <vuln vid="cad045c0-81a5-11d8-9645-0020ed76ef5a">
    <topic>zebra/quagga denial of service vulnerability</topic>
    <affects>
      <package>
    <name>zebra</name>
    <range><lt>0.93b_7</lt></range>
      </package>
      <package>
    <name>quagga</name>
    <range><lt>0.96.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A remote attacker could cause zebra/quagga to crash by
      sending a malformed telnet command to their management
      port.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0858</cvename>
      <url>http://rhn.redhat.com/errata/RHSA-2003-305.html</url>
      <url>http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140</url>
      <mlist>http://lists.quagga.net/pipermail/quagga-users/2003-November/000906.html</mlist>
    </references>
    <dates>
      <discovery>2003-11-20</discovery>
      <entry>2004-03-29</entry>
    </dates>
  </vuln>

  <vuln vid="3e9be8c4-8192-11d8-9645-0020ed76ef5a">
    <topic>ecartis buffer overflows and input validation bugs</topic>
    <affects>
      <package>
    <name>ecartis</name>
    <range><lt>1.0.0.s20030814,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Timo Sirainen reports multiple buffer overflows that may be
      triggered while parsing messages, as well as input validation
      errors that could result in disclosure of mailing list
      passwords.</p>
    <p>These bugs were resolved in the August 2003 snapshot of
      ecartis.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0781</cvename>
      <cvename>CAN-2003-0782</cvename>
      <url>http://www.securiteam.com/unixfocus/5YP0H2AAUY.html</url>
      <freebsdpr>ports/57082</freebsdpr>
    </references>
    <dates>
      <discovery>2003-08-14</discovery>
      <entry>2004-03-29</entry>
      <modified>2004-06-27</modified>
    </dates>
  </vuln>

  <vuln vid="cdf18ed9-7f4a-11d8-9645-0020ed76ef5a">
    <topic>multiple vulnerabilities in ethereal</topic>
    <affects>
      <package>
    <name>ethereal</name>
    <name>tethereal</name>
    <range><lt>0.10.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Stefan Esser of e-matters Security discovered a baker's dozen
      of buffer overflows in Ethereal's decoders, including:</p>
    <ul>
      <li>NetFlow</li>
      <li>IGAP</li>
      <li>EIGRP</li>
      <li>PGM</li>
      <li>IRDA</li>
      <li>BGP</li>
      <li>ISUP</li>
      <li>TCAP</li>
      <li>UCP</li>
    </ul>
    <p>In addition, a vulnerability in the RADIUS decoder was found
      by Jonathan Heusser.</p>
    <p>Finally, there is one uncredited vulnerability described by the
       Ethereal team as:</p>
    <blockquote cite="http://www.ethereal.com/appnotes/enpa-sa-00013.html">
        <p>A zero-length Presentation protocol selector could make
        Ethereal crash.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.ethereal.com/appnotes/enpa-sa-00013.html</url>
      <cvename>CAN-2004-0176</cvename>
      <cvename>CAN-2004-0365</cvename>
      <cvename>CAN-2004-0367</cvename>
      <certvu>119876</certvu>
      <certvu>124454</certvu>
      <certvu>125156</certvu>
      <certvu>433596</certvu>
      <certvu>591820</certvu>
      <certvu>644886</certvu>
      <certvu>659140</certvu>
      <certvu>695486</certvu>
      <certvu>740188</certvu>
      <certvu>792286</certvu>
      <certvu>864884</certvu>
      <certvu>931588</certvu>
      <url>http://security.e-matters.de/advisories/032004.html</url>
      <url>http://secunia.com/advisories/11185</url>
      <bid>9952</bid>
      <url>http://www.osvdb.org/4462</url>
      <url>http://www.osvdb.org/4463</url>
      <url>http://www.osvdb.org/4464</url>
    </references>
    <dates>
      <discovery>2004-03-23</discovery>
      <entry>2004-03-26</entry>
      <modified>2004-07-11</modified>
    </dates>
  </vuln>

  <vuln vid="c551ae17-7f00-11d8-868e-000347dd607f">
    <topic>multiple vulnerabilities in phpBB</topic>
    <affects>
      <package>
    <name>phpbb</name>
    <range><lt>2.0.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Users with admin rights can severly damage an phpBB installation,
      potentially triggered by viewing a page with a malicious link sent
      by an attacker.</p>
      </body>
    </description>
    <references>
      <url>http://www.gulftech.org/03202004.php</url>
      <url>http://www.phpbb.com/phpBB/viewtopic.php?t=183982</url>
      <bid>9942</bid>
    </references>
    <dates>
      <discovery>2004-03-20</discovery>
      <entry>2004-03-26</entry>
      <modified>2004-03-29</modified>
    </dates>
  </vuln>

  <vuln vid="c480eb5e-7f00-11d8-868e-000347dd607f">
    <topic>ezbounce remote format string vulnerability</topic>
    <affects>
      <package>
    <name>ezbounce</name>
    <range><lt>1.04.a_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A security hole exists that can be used to crash the proxy and
      execute arbitrary code. An exploit is circulating that takes
      advantage of this, and in some cases succeeds in obtaining a login
      shell on the machine.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0510</cvename>
      <url>http://ezbounce.dc-team.com/</url>
      <bid>8071</bid>
    </references>
    <dates>
      <discovery>2003-07-01</discovery>
      <entry>2004-03-26</entry>
      <modified>2004-03-29</modified>
    </dates>
  </vuln>

  <vuln vid="739bb51d-7e82-11d8-9645-0020ed76ef5a">
    <topic>racoon security association deletion vulnerability</topic>
    <affects>
      <package>
    <name>racoon</name>
    <range><lt>20040116a</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A remote attacker may use specially crafted IKE/ISAKMP
      messages to cause racoon to delete security associations.
      This could result in denial-of-service or possibly cause
      sensitive traffic to be transmitted in plaintext, depending
      upon configuration.</p>
      </body>
    </description>
    <references>
      <mlist msgid="20040113213940.GA1727@hzeroseven.org">http://www.securityfocus.com/archive/1/349756</mlist>
      <bid>9416</bid>
      <bid>9417</bid>
      <cvename>CAN-2004-0164</cvename>
    </references>
    <dates>
      <discovery>2004-01-13</discovery>
      <entry>2004-03-25</entry>
      <modified>2004-03-29</modified>
    </dates>
  </vuln>

  <vuln vid="c2e10368-77ab-11d8-b9e8-00e04ccb0a62">
    <topic>ModSecurity for Apache 2.x remote off-by-one overflow</topic>
    <affects>
      <package>
    <name>mod_security</name>
    <range><lt>1.7.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>When the directive "SecFilterScanPost" is enabled,
      the Apache 2.x version of ModSecurity is vulnerable
      to an off-by-one overflow</p>
      </body>
    </description>
    <references>
      <url>http://www.s-quadra.com/advisories/Adv-20040315.txt</url>
      <bid>9885</bid>
      <url>http://secunia.com/advisories/11138</url>
      <certvu>779438</certvu>
    </references>
    <dates>
      <discovery>2004-02-09</discovery>
      <entry>2004-03-17</entry>
      <modified>2004-06-27</modified>
    </dates>
  </vuln>

  <vuln vid="3b7c7f6c-7102-11d8-873f-0020ed76ef5a">
    <topic>wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed</topic>
    <affects>
      <package>
    <name>wu-ftpd</name>
    <range><le>2.6.2_3</le></range>
      </package>
      <package>
    <name>wu-ftpd+ipv6</name>
    <range><le>2.6.2_5</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Glenn Stewart reports a bug in wu-ftpd's ftpaccess
      `restricted-uid'/`restricted-gid' directives:</p>
    <blockquote>
      <p>Users can get around the restriction to their home
        directory by issuing a simple chmod command on their home
        directory. On the next ftp log in, the user will have '/'
        as their root directory.</p>
    </blockquote>
    <p>Matt Zimmerman discovered that the cause of the bug was a
      missing check for a restricted user within a code path that
      is executed only when a certain error is encountered.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0148</cvename>
      <bid>9832</bid>
    </references>
    <dates>
      <discovery>2004-02-17</discovery>
      <entry>2004-03-08</entry>
      <modified>2004-03-29</modified>
    </dates>
  </vuln>

  <vuln vid="492f8896-70fa-11d8-873f-0020ed76ef5a">
    <topic>Apache 2 mod_ssl denial-of-service</topic>
    <affects>
      <package>
    <name>apache</name>
    <range><ge>2.0</ge><le>2.0.48_3</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Joe Orton reports a memory leak in Apache 2's mod_ssl.
      A remote attacker may issue HTTP requests on an HTTPS
      port, causing an error.  Due to a bug in processing this
      condition, memory associated with the connection is
      not freed.  Repeated requests can result in consuming
      all available memory resources, probably resulting in
      termination of the Apache process.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0113</cvename>
      <url>http://www.apacheweek.com/features/security-20</url>
      <url>http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.100.2.11&amp;r2=1.100.2.12</url>
      <mlist>http://marc.theaimsgroup.com/?l=apache-cvs&amp;m=107869699329638</mlist>
      <url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106</url>
      <bid>9826</bid>
    </references>
    <dates>
      <discovery>2004-02-20</discovery>
      <entry>2004-03-08</entry>
      <modified>2004-05-19</modified>
    </dates>
  </vuln>

  <vuln vid="8471bb85-6fb0-11d8-873f-0020ed76ef5a">
    <topic>GNU Anubis buffer overflows and format string vulnerabilities</topic>
    <affects>
      <package>
    <name>anubis</name>
    <range><le>3.6.2_1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Ulf Härnhammar discovered several vulnerabilities in GNU
      Anubis.</p>
    <ul>
      <li>Unsafe uses of `sscanf'.  The `%s' format specifier is
        used, which allows a classical buffer overflow.  (auth.c)</li>
      <li>Format string bugs invoking `syslog'.  (log.c, errs.c,
        ssl.c)</li>
    </ul>
    <p>Ulf notes that these vulnerabilities can be exploited by a
      malicious IDENT server as a denial-of-service attack.</p>
      </body>
    </description>
    <references>
      <mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-March/018290.html</mlist>
      <bid>9772</bid>
      <cvename>CAN-2004-0353</cvename>
      <cvename>CAN-2004-0354</cvename>
    </references>
    <dates>
      <discovery>2004-03-04</discovery>
      <entry>2004-03-06</entry>
      <modified>2004-03-29</modified>
    </dates>
  </vuln>

  <vuln vid="3837f462-5d6b-11d8-80e3-0020ed76ef5a">
    <topic>Buffer overflows in XFree86 servers</topic>
    <affects>
      <package>
    <name>XFree86-Server</name>
    <range><le>4.3.0_13</le></range>
    <range><ge>4.3.99</ge><le>4.3.99.15_1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A number of buffer overflows were recently discovered in
      XFree86, prompted by initial discoveries by iDEFENSE.  These
      buffer overflows are present in the font alias handling.  An
      attacker with authenticated access to a running X server may
      exploit these vulnerabilities to obtain root privileges on
      the machine running the X server.</p>
      </body>
    </description>
    <references>
      <url>http://www.idefense.com/application/poi/display?id=72</url>
      <url>http://www.idefense.com/application/poi/display?id=73</url>
      <cvename>CAN-2004-0083</cvename>
      <cvename>CAN-2004-0084</cvename>
      <cvename>CAN-2004-0106</cvename>
      <bid>9636</bid>
      <bid>9652</bid>
      <bid>9655</bid>
    </references>
    <dates>
      <discovery>2004-02-10</discovery>
      <entry>2004-02-12</entry>
      <modified>2004-03-29</modified>
    </dates>
  </vuln>

  <vuln vid="e25566d5-6d3f-11d8-83a4-000a95bc6fae">
    <topic>multiple buffer overflows in xboing</topic>
    <affects>
      <package>
    <name>xboing</name>
    <range><lt>2.4_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Steve Kemp reports (in a Debian bug submission):</p>
    <blockquote cite="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174924">
      <p>Due to improper bounds checking it is possible for a
        malicious user to gain a shell with membership group
        'games'.  (The binary is installed setgid games).</p>
      <p>Environmental variables are used without being bounds-checked
        in any way, from the source code:</p>
<pre>
highscore.c:
   /* Use the environment variable if it exists */
   if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
    strcpy(filename, str);
   else
    strcpy(filename, HIGH_SCORE_FILE);

misc.c:
    if ((ptr = getenv("HOME")) != NULL)
    (void) strcpy(dest, ptr);
</pre>
    <p>Neither of these checks are boundschecked, and will allow
      arbitary shell code to be run.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0149</cvename>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174924</url>
      <bid>9764</bid>
    </references>
    <dates>
      <discovery>2003-01-01</discovery>
      <entry>2004-03-05</entry>
      <modified>2004-03-29</modified>
    </dates>
  </vuln>

  <vuln vid="a20082c3-6255-11d8-80e3-0020ed76ef5a">
    <topic>metamail format string bugs and buffer overflows</topic>
    <affects>
      <package>
    <name>metamail</name>
    <range><lt>2.7_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Ulf Härnhammar reported four bugs in metamail: two are format
      string bugs and two are buffer overflows.  The bugs are in
      SaveSquirrelFile(), PrintHeader(), and ShareThisHeader().</p>
    <p>These vulnerabilities could be triggered by a maliciously
      formatted email message if `metamail' or `splitmail' is used
      to process it, possibly resulting in arbitrary code execution
      with the privileges of the user reading mail.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0104</cvename>
      <cvename>CAN-2004-0105</cvename>
      <bid>9692</bid>
    </references>
    <dates>
      <discovery>2004-02-18</discovery>
      <entry>2004-02-18</entry>
      <modified>2004-03-29</modified>
    </dates>
  </vuln>

  <vuln vid="ce46b93a-80f2-11d8-9645-0020ed76ef5a">
    <topic>Buffer overflows and format string bugs in Emil</topic>
    <affects>
      <package>
    <name>emil</name>
    <range><le>2.1b9</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Ulf Härnhammar reports multiple buffer overflows in
      Emil, some of which are triggered during the parsing
      of attachment filenames.  In addition, some format string bugs
      are present in the error reporting code.</p>
    <p>Depending upon local configuration, these vulnerabilities
      may be exploited using specially crafted messages in order
      to execute arbitrary code running with the privileges of
      the user invoking Emil.</p>
      </body>
    </description>
    <references>
      <mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-March/019325.html</mlist>
      <url>http://www.debian.org/security/2004/dsa-468</url>
      <cvename>CAN-2004-0152</cvename>
      <cvename>CAN-2004-0153</cvename>
    </references>
    <dates>
      <discovery>2004-03-24</discovery>
      <entry>2004-03-28</entry>
    </dates>
  </vuln>

  <vuln vid="70f5b3c6-80f0-11d8-9645-0020ed76ef5a">
    <topic>Critical SQL injection in phpBB</topic>
    <affects>
      <package>
    <name>phpbb</name>
    <range><le>2.0.8</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Anyone can get admin's username and password's md5 hash via a
      single web request.
      A working example is provided in the advisory.</p>
      </body>
    </description>
    <references>
      <mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108032454818873</mlist>
      <bid>9984</bid>
    </references>
    <dates>
      <discovery>2004-03-26</discovery>
      <entry>2004-03-28</entry>
    </dates>
  </vuln>

  <vuln vid="6c7661ff-7912-11d8-9645-0020ed76ef5a">
    <topic>uudeview buffer overflows</topic>
    <affects>
      <package>
    <name>uulib</name>
    <name>uudeview</name>
    <name>xdeview</name>
    <range><lt>0.5.20</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>The authors of UUDeview report repairing two buffer
      overflows in their software.</p>
      </body>
    </description>
    <references>
      <url>http://www.fpx.de/fp/Software/UUDeview/HISTORY.txt</url>
    </references>
    <dates>
      <discovery>2004-03-01</discovery>
      <entry>2004-03-18</entry>
      <modified>2004-03-25</modified>
    </dates>
  </vuln>

  <vuln vid="09d418db-70fd-11d8-873f-0020ed76ef5a">
    <topic>Apache 1.3 IP address access control failure on some 64-bit platforms</topic>
    <affects>
      <package>
    <name>apache</name>
    <range><lt>1.3.29_2</lt></range>
      </package>
      <package>
    <name>apache+mod_ssl</name>
    <range><lt>1.3.29+2.8.16_1</lt></range>
      </package>
      <package>
    <name>apache+ssl</name>
    <range><lt>1.3.29.1.53_1</lt></range>
      </package>
      <package>
    <name>ru-apache</name>
    <range><lt>1.3.29+30.19_1</lt></range>
      </package>
      <package>
    <name>ru-apache+mod_ssl</name>
    <range><lt>1.3.29+30.19+2.8.16_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Henning Brauer discovered a programming error in Apache
      1.3's mod_access that results in the netmasks in IP address
      access control rules being interpreted incorrectly on
      64-bit, big-endian platforms.  In some cases, this could
      cause a `deny from' IP address access control rule including
      a netmask to fail.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0993</cvename>
      <url>http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_access.c?r1=1.46&amp;r2=1.47</url>
      <url>http://www.apacheweek.com/features/security-13</url>
      <url>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23850</url>
      <mlist>http://marc.theaimsgroup.com/?l=apache-cvs&amp;m=107869603013722</mlist>
      <bid>9829</bid>
    </references>
    <dates>
      <discovery>2004-03-07</discovery>
      <entry>2004-03-08</entry>
      <modified>2004-03-12</modified>
    </dates>
  </vuln>

  <vuln vid="1a448eb7-6988-11d8-873f-0020ed76ef5a">
    <topic>mod_python denial-of-service vulnerability in parse_qs</topic>
    <affects>
      <package>
    <name>mod_python</name>
    <range><ge>2.7</ge><lt>2.7.10</lt></range>
    <range><ge>3.0</ge><lt>3.0.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>An attacker may cause Apache with mod_python to crash
      by using a specially constructed query string.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0973</cvename>
      <bid>9129</bid>
      <url>http://www.modpython.org/pipermail/mod_python/2003-November/014532.html</url>
      <url>http://www.modpython.org/pipermail/mod_python/2004-January/014879.html</url>
    </references>
    <dates>
      <discovery>2003-11-28</discovery>
      <entry>2004-03-03</entry>
      <modified>2004-03-11</modified>
    </dates>
  </vuln>

  <vuln vid="9fccad5a-7096-11d8-873f-0020ed76ef5a">
    <topic>mpg123 vulnerabilities</topic>
    <affects>
      <package>
    <name>mpg123</name>
    <name>mpg123-esound</name>
    <range><le>0.59r_12</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>In 2003, two vulnerabilities were discovered in mpg123
      that could result in remote code execution when using
      untrusted input or streaming from an untrusted server.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0577</cvename>
      <cvename>CAN-2003-0865</cvename>
      <bid>6629</bid>
      <bid>8680</bid>
    </references>
    <dates>
      <discovery>2003-01-16</discovery>
      <entry>2004-03-07</entry>
    </dates>
  </vuln>

  <vuln vid="ac4b9d18-67a9-11d8-80e3-0020ed76ef5a">
    <topic>fetchmail denial-of-service vulnerability</topic>
    <affects>
      <package>
    <name>fetchmail</name>
    <range><lt>6.2.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Dave Jones discovered a denial-of-service vulnerability
      in fetchmail. An email message containing a very long line
      could cause fetchmail to segfault due to missing NUL
      termination in transact.c.</p>
    <p>Eric Raymond decided not to mention this issue in the
      release notes for fetchmail 6.2.5, but it was fixed
      there.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0792</cvename>
      <bid>8843</bid>
      <url>http://xforce.iss.net/xforce/xfdb/13450</url>
      <url>http://www.openbsd.org/cgi-bin/cvsweb/ports/mail/fetchmail/patches/Attic/patch-rfc822_c?rev=1.1</url>
    </references>
    <dates>
      <discovery>2003-10-16</discovery>
      <entry>2004-02-25</entry>
      <modified>2004-03-05</modified>
    </dates>
  </vuln>

  <vuln vid="b0e76877-67a8-11d8-80e3-0020ed76ef5a">
    <topic>mailman denial-of-service vulnerability in MailCommandHandler</topic>
    <affects>
      <package>
    <name>mailman</name>
    <range><lt>2.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A malformed message could cause mailman to crash.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0991</cvename>
      <url>http://umn.dl.sourceforge.net/sourceforge/mailman/mailman-2.0.13-2.0.14-diff.txt</url>
    </references>
    <dates>
      <discovery>2003-11-18</discovery>
      <entry>2004-02-25</entry>
    </dates>
  </vuln>

  <vuln vid="3cb88bb2-67a6-11d8-80e3-0020ed76ef5a">
    <topic>mailman XSS in admin script</topic>
    <affects>
      <package>
    <name>mailman</name>
    <range><lt>2.1.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Dirk Mueller reports:</p>
      <blockquote><p>I've found a cross-site scripting
       vulnerability in the admin interface of mailman 2.1.3 that
       allows, under certain circumstances, for anyone to retrieve
       the (valid) session cookie.</p></blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0965</cvename>
      <url>http://mail.python.org/pipermail/mailman-announce/2003-December/000066.html</url>
      <url>http://xforce.iss.net/xforce/xfdb/14121</url>
    </references>
    <dates>
      <discovery>2003-12-31</discovery>
      <entry>2004-02-25</entry>
    </dates>
  </vuln>

  <vuln vid="429249d2-67a7-11d8-80e3-0020ed76ef5a">
    <topic>mailman XSS in create script</topic>
    <affects>
      <package>
    <name>mailman</name>
    <range><lt>2.1.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>From the 2.1.3 release notes:</p>
    <blockquote><p>Closed a cross-site scripting exploit in the
    create cgi script.</p></blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0992</cvename>
      <url>http://mail.python.org/pipermail/mailman-announce/2003-September/000061.html</url>
    </references>
    <dates>
      <discovery>2003-09-28</discovery>
      <entry>2004-02-25</entry>
    </dates>
  </vuln>

  <vuln vid="00263aa3-67a8-11d8-80e3-0020ed76ef5a">
    <topic>mailman XSS in user options page</topic>
    <affects>
      <package>
    <name>mailman</name>
    <range><lt>2.1.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>From the 2.1.1 release notes:</p>
    <blockquote><p>Closed a cross-site scripting vulnerability in
    the user options page.</p></blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0038</cvename>
      <url>http://mail.python.org/pipermail/mailman-announce/2003-February/000056.html</url>
    </references>
    <dates>
      <discovery>2003-02-08</discovery>
      <entry>2004-02-25</entry>
    </dates>
  </vuln>

  <vuln vid="75770425-67a2-11d8-80e3-0020ed76ef5a">
    <topic>SQL injection vulnerability in phpnuke</topic>
    <affects>
      <package>
    <name>phpnuke</name>
    <range><le>6.9</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Multiple researchers have discovered multiple SQL injection
      vulnerabilities in some versions of Php-Nuke.  These
      vulnerabilities may lead to information disclosure, compromise
      of the Php-Nuke site, or compromise of the back-end
      database.</p>
      </body>
    </description>
    <references>
      <url>http://security.nnov.ru/search/document.asp?docid=5748</url>
      <mlist>http://www.securityfocus.com/archive/1/348375</mlist>
      <url>http://www.security-corporation.com/advisories-027.html</url>
      <mlist>http://www.securityfocus.com/archive/1/353201</mlist>
    </references>
    <dates>
      <discovery>2003-12-12</discovery>
      <entry>2004-02-25</entry>
    </dates>
  </vuln>

  <vuln vid="ad4f6ca4-6720-11d8-9fb5-000a95bc6fae">
    <topic>lbreakout2 vulnerability in environment variable handling</topic>
    <affects>
      <package>
    <name>lbreakout2</name>
    <range><le>2.2.2_1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Ulf Härnhammar discovered an exploitable vulnerability in
      lbreakout2's environmental variable handling.  In several
      instances, the contents of the HOME environmental variable
      are copied to a stack or global buffer without range
      checking.  A local attacker may use this vulnerability to
      acquire group-ID `games' privileges.</p>
    <p>An exploit for this vulnerability has been published by
      ``Li0n7 voila fr''.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0158</cvename>
      <url>http://www.debian.org/security/2004/dsa-445</url>
      <mlist>http://www.securityfocus.com/archive/1/354760</mlist>
    </references>
    <dates>
      <discovery>2004-02-21</discovery>
      <entry>2004-02-25</entry>
    </dates>
  </vuln>

  <vuln vid="316e1c9b-671c-11d8-9aad-000a95bc6fae">
    <topic>hsftp format string vulnerabilities</topic>
    <affects>
      <package>
    <name>hsftp</name>
    <range><lt>1.14</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Ulf Härnhammar discovered a format string bug in hsftp's file
      listing code may allow a malicious server to cause arbitrary
      code execution by the client.</p>
      </body>
    </description>
    <references>
      <mlist>http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00044.html</mlist>
    </references>
    <dates>
      <discovery>2004-02-22</discovery>
      <entry>2004-02-25</entry>
    </dates>
  </vuln>

  <vuln vid="c7cad0f0-671a-11d8-bdeb-000a95bc6fae">
    <topic>Darwin Streaming Server denial-of-service vulnerability</topic>
    <affects>
      <package>
    <name>DarwinStreamingServer</name>
    <range><le>4.1.3g</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>An attacker can cause an assertion to trigger by sending
      a long User-Agent field in a request.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0169</cvename>
      <url>http://www.idefense.com/application/poi/display?id=75</url>
    </references>
    <dates>
      <discovery>2004-02-23</discovery>
      <entry>2004-02-25</entry>
    </dates>
  </vuln>

  <vuln vid="847ade05-6717-11d8-b321-000a95bc6fae">
    <topic>libxml2 stack buffer overflow in URI parsing</topic>
    <affects>
      <package>
    <name>libxml2</name>
    <range><lt>2.6.6</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Yuuichi Teranishi reported a crash in libxml2's URI handling
      when a long URL is supplied.  The implementation in nanohttp.c
      and nanoftp.c uses a 4K stack buffer, and longer URLs will
      overwrite the stack.  This could result in denial-of-service
      or arbitrary code execution in applications using libxml2
      to parse documents.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0110</cvename>
      <url>http://www.xmlsoft.org/news.html</url>
      <url>http://mail.gnome.org/archives/xml/2004-February/msg00070.html</url>
    </references>
    <dates>
      <discovery>2004-02-08</discovery>
      <entry>2004-02-25</entry>
    </dates>
  </vuln>

  <vuln vid="cc0fb686-6550-11d8-80e3-0020ed76ef5a">
    <topic>file disclosure in phpMyAdmin</topic>
    <affects>
      <package>
    <name>phpMyAdmin</name>
    <range><le>2.5.4</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Lack of proper input validation in phpMyAdmin may allow an
      attacker to obtain the contents of any file on the target
      system that is readable by the web server.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0129</cvename>
      <mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=107582619125932&amp;w=2</mlist>
      <url>http://cvs.sourceforge.net/viewcvs.py/phpmyadmin/phpMyAdmin/export.php#rev2.3.2.1</url>
    </references>
    <dates>
      <discovery>2004-02-17</discovery>
      <entry>2004-02-22</entry>
    </dates>
  </vuln>

  <vuln vid="87cc48fd-5fdd-11d8-80e3-0020ed76ef5a">
    <topic>mnGoSearch buffer overflow in UdmDocToTextBuf()</topic>
    <affects>
      <package>
    <name>mnogosearch</name>
    <range><ge>3.2</ge></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Jedi/Sector One &lt;j@pureftpd.org&gt; reported the following
      on the full-disclosure list:</p>
    <blockquote>
      <p>Every document is stored in multiple parts according to
        its sections (description, body, etc) in databases. And
        when the content has to be sent to the client,
        UdmDocToTextBuf() concatenates those parts together and
        skips metadata.</p>
      <p>Unfortunately, that function lacks bounds checking and
        a buffer overflow can be triggered by indexing a large
        enough document.</p>
      <p>'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c
        . S-&gt;val length depends on the length of the original
        document and on the indexer settings (the sample
        configuration file has low limits that work around the
        bug, though).</p>
      <p>Exploitation should be easy, moreover textbuf points to
      the stack.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <mlist>http://lists.netsys.com/pipermail/full-disclosure/2004-February/017366.html</mlist>
    </references>
    <dates>
      <discovery>2004-02-15</discovery>
      <entry>2004-02-15</entry>
    </dates>
  </vuln>

  <vuln vid="cacaffbc-5e64-11d8-80e3-0020ed76ef5a">
    <topic>GNU libtool insecure temporary file handling</topic>
    <affects>
      <package>
    <name>libtool</name>
    <range><ge>1.3</ge><lt>1.3.5_2</lt></range>
    <range><ge>1.4</ge><lt>1.4.3_3</lt></range>
    <range><ge>1.5</ge><lt>1.5.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>libtool attempts to create a temporary directory in
      which to write scratch files needed during processing.  A
      malicious user may create a symlink and then manipulate
      the directory so as to write to files to which she normally
      has no permissions.</p>
    <p>This has been reported as a ``symlink vulnerability'',
      although I do not think that is an accurate description.</p>
    <p>This vulnerability could possibly be used on a multi-user
      system to gain elevated privileges, e.g. root builds some
      packages, and another user successfully exploits this
      vulnerability to write to a system file.</p>
      </body>
    </description>
    <references>
      <mlist>http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&amp;list=405</mlist>
      <mlist>http://www.securityfocus.com/archive/1/352333</mlist>
    </references>
    <dates>
      <discovery>2004-01-30</discovery>
      <entry>2004-02-13</entry>
    </dates>
  </vuln>

  <vuln vid="0e154a9c-5d7a-11d8-80e3-0020ed76ef5a">
    <topic>seti@home remotely exploitable buffer overflow</topic>
    <affects>
      <package>
    <name>setiathome</name>
    <range><lt>3.0.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>The seti@home client contains a buffer overflow in the HTTP
      response handler.  A malicious, spoofed seti@home server can
      exploit this buffer overflow to cause remote code execution
      on the client.  Exploit programs are widely available.</p>
      </body>
    </description>
    <references>
      <url>http://setiathome.berkeley.edu/version308.html</url>
      <url>http://web.archive.org/web/20030609204812/http://spoor12.edup.tudelft.nl/</url>
    </references>
    <dates>
      <discovery>2003-04-08</discovery>
      <entry>2004-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="5e92e8a2-5d7b-11d8-80e3-0020ed76ef5a">
    <topic>icecast 1.x multiple vulnerabilities</topic>
    <affects>
      <package>
    <name>icecast</name>
    <range><lt>1.3.12</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>icecast 1.3.11 and earlier contained numerous security
      vulnerabilities, the most severe allowing a remote attacker
      to execute arbitrary code as root.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2002-0177</cvename>
      <cvename>CAN-2001-1230</cvename>
      <cvename>CAN-2001-1229</cvename>
      <cvename>CAN-2001-1083</cvename>
      <cvename>CAN-2001-0784</cvename>
      <bid>4415</bid>
      <bid>2933</bid>
    </references>
    <dates>
      <discovery>2002-04-28</discovery>
      <entry>2004-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="83119e27-5d7c-11d8-80e3-0020ed76ef5a">
    <topic>nap allows arbitrary file access</topic>
    <affects>
      <package>
    <name>nap</name>
    <range><lt>1.4.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>According to the author:</p>
    <blockquote>
      <p>Fixed security loophole which allowed remote
        clients to access arbitrary files on our
        system.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <url>http://quasar.mathstat.uottawa.ca/~selinger/nap/NEWS</url>
    </references>
    <dates>
      <discovery>2001-04-12</discovery>
      <entry>2004-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="a736deab-5d7d-11d8-80e3-0020ed76ef5a">
    <topic>CCE contains exploitable buffer overflows</topic>
    <affects>
      <package>
    <name>zh-cce</name>
    <range><lt>0.40</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>The Chinese Console Environment contains exploitable buffer
      overflows.</p>
      </body>
    </description>
    <references>
      <url>http://programmer.lib.sjtu.edu.cn/cce/cce.html</url>
    </references>
    <dates>
      <discovery>2000-06-22</discovery>
      <entry>2004-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="49ad1bf8-5d7e-11d8-80e3-0020ed76ef5a">
    <topic>ChiTeX/ChiLaTeX unsafe set-user-id root</topic>
    <affects>
      <package>
    <name>zh-chitex</name>
    <range><gt>0</gt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Niels Heinen reports that ChiTeX installs set-user-id root
      executables that invoked system(3) without setting up the
      environment, trivially allowing local root compromise.</p>
      </body>
    </description>
    <references>
      <url>http://cvsweb.freebsd.org/ports/chinese/chitex/Attic/Makefile?rev=1.5&amp;content-type=text/x-cvsweb-markup</url>
    </references>
    <dates>
      <discovery>2003-04-25</discovery>
      <entry>2004-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="5789a92e-5d7f-11d8-80e3-0020ed76ef5a">
    <topic>pine remotely exploitable buffer overflow in newmail.c</topic>
    <affects>
      <package>
    <name>zh-pine</name>
    <name>iw-pine</name>
    <name>pine</name>
    <name>pine4-ssl</name>
    <range><le>4.21</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Kris Kennaway reports a remotely exploitable buffer overflow
      in newmail.c.  Mike Silbersack submitted the fix.</p>
      </body>
    </description>
    <references>
      <url>http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/pine4/Makefile?rev=1.43&amp;content-type=text/x-cvsweb-markup</url>
    </references>
    <dates>
      <discovery>2000-09-29</discovery>
      <entry>2004-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="34134fd4-5d81-11d8-80e3-0020ed76ef5a">
    <topic>pine insecure URL handling</topic>
    <affects>
      <package>
    <name>pine</name>
    <name>zh-pine</name>
    <name>iw-pine</name>
    <range><lt>4.44</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>An attacker may send an email message containing a specially
      constructed URL that will execute arbitrary commands when
      viewed.</p>
      </body>
    </description>
    <references>
      <freebsdsa>SA-02:05.pine</freebsdsa>
    </references>
    <dates>
      <discovery>2002-01-04</discovery>
      <entry>2004-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="5abfee2d-5d82-11d8-80e3-0020ed76ef5a">
    <topic>pine remote denial-of-service attack</topic>
    <affects>
      <package>
    <name>pine</name>
    <name>zh-pine</name>
    <name>iw-pine</name>
    <range><lt>4.50</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>An attacker may send a specially-formatted email message
      that will cause pine to crash.</p>
      </body>
    </description>
    <references>
      <mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=103668430620531&amp;w=2</mlist>
      <cvename>CAN-2002-1320</cvename>
    </references>
    <dates>
      <discovery>2002-10-23</discovery>
      <entry>2004-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="39bd57e6-5d83-11d8-80e3-0020ed76ef5a">
    <topic>pine remotely exploitable vulnerabilities</topic>
    <affects>
      <package>
    <name>pine</name>
    <name>zh-pine</name>
    <name>iw-pine</name>
    <range><lt>4.58</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Pine versions prior to 4.58 are affected by two
      vulnerabilities discovered by iDEFENSE, a buffer overflow
      in mailview.c and an integer overflow in strings.c.  Both
      vulnerabilities can result in arbitrary code execution
      when processing a malicious message.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0720</cvename>
      <cvename>CAN-2003-0721</cvename>
      <url>http://www.idefense.com/application/poi/display?id=5</url>
    </references>
    <dates>
      <discovery>2003-09-10</discovery>
      <entry>2004-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="5729b8ed-5d75-11d8-80e3-0020ed76ef5a">
    <topic>rsync buffer overflow in server mode</topic>
    <affects>
      <package>
    <name>rsync</name>
    <range><lt>2.5.7</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>When rsync is run in server mode, a buffer overflow could
      allow a remote attacker to execute arbitrary code with the
      privileges of the rsync server.  Anonymous rsync servers are
      at the highest risk.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0962</cvename>
      <mlist>http://lists.samba.org/archive/rsync-announce/2003/000011.html</mlist>
      <url>http://rsync.samba.org/#security</url>
    </references>
    <dates>
      <discovery>2003-12-04</discovery>
      <entry>2004-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="3388eff9-5d6e-11d8-80e3-0020ed76ef5a">
    <topic>Samba 3.0.x password initialization bug</topic>
    <affects>
      <package>
    <name>samba</name>
    <range><ge>3.0,1</ge><lt>3.0.1_2,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>From the Samba 3.0.2 release notes:</p>
    <blockquote cite="http://www.samba.org/samba/whatsnew/samba-3.0.2.html">
      <p>Security Announcement: It has been confirmed that
      previous versions of Samba 3.0 are susceptible to a password
      initialization bug that could grant an attacker unauthorized
      access to a user account created by the mksmbpasswd.sh shell
      script.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.samba.org/samba/whatsnew/samba-3.0.2.html</url>
      <cvename>CAN-2004-0082</cvename>
    </references>
    <dates>
      <discovery>2004-02-09</discovery>
      <entry>2004-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="74a9541d-5d6c-11d8-80e3-0020ed76ef5a">
    <topic>clamav remote denial-of-service</topic>
    <affects>
      <package>
    <name>clamav</name>
    <range><lt>0.65_7</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>clamav will exit when a programming
      assertion is not met.  A malformed uuencoded message can
      trigger this assertion, allowing an attacker to trivially
      crash clamd or other components of clamav.</p>
      </body>
    </description>
    <references>
      <freebsdpr>ports/62586</freebsdpr>
      <mlist msgid="40279811.9050407@fillmore-labs.com">http://www.securityfocus.com/archive/1/353186</mlist>
      <url>http://www.osvdb.org/3894</url>
      <bid>9610</bid>
      <url>http://secunia.com/advisories/10826</url>
      <cvename>CAN-2004-0270</cvename>
      <url>http://xforce.iss.net/xforce/xfdb/15077</url>
    </references>
    <dates>
      <discovery>2004-02-09</discovery>
      <entry>2004-02-12</entry>
      <modified>2004-06-27</modified>
    </dates>
  </vuln>

  <vuln vid="67c05283-5d62-11d8-80e3-0020ed76ef5a">
    <topic>Buffer overflow in Mutt 1.4</topic>
    <affects>
      <package>
    <name>mutt</name>
    <name>ja-mutt</name>
    <range><ge>1.4</ge><lt>1.4.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Mutt 1.4 contains a buffer overflow that could be exploited
      with a specially formed message, causing Mutt to crash or
      possibly execute arbitrary code.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0078</cvename>
      <url>http://www.mutt.org/news.html</url>
    </references>
    <dates>
      <discovery>2004-02-11</discovery>
      <entry>2004-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="7557a2b1-5d63-11d8-80e3-0020ed76ef5a">
    <topic>Apache-SSL optional client certificate vulnerability</topic>
    <affects>
      <package>
    <name>apache+ssl</name>
    <range><lt>1.3.29.1.53</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>From the Apache-SSL security advisory:</p>
    <blockquote>
      <p>If configured with SSLVerifyClient set to 1 or 3 (client
      certificates optional) and SSLFakeBasicAuth, Apache-SSL
      1.3.28+1.52 and all earlier versions would permit a
      client to use real basic authentication to forge a client
      certificate.</p>

      <p>All the attacker needed is the "one-line DN" of a valid
      user, as used by faked basic auth in Apache-SSL, and the
      fixed password ("password" by default).</p>
    </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.apache-ssl.org/advisory-20040206.txt</url>
    </references>
    <dates>
      <discovery>2004-02-06</discovery>
      <entry>2004-02-10</entry>
    </dates>
  </vuln>

  <vuln vid="96ba2dae-4ab0-11d8-96f2-0020ed76ef5a">
    <topic>L2TP, ISAKMP, and RADIUS parsing vulnerabilities in tcpdump</topic>
    <affects>
      <package>
    <name>tcpdump</name>
    <range><lt>3.8.1_351</lt></range>
      </package>
      <system>
    <name>FreeBSD</name>
    <range><lt>5.2.1</lt></range>
      </system>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Jonathan Heusser discovered vulnerabilities in tcpdump's
    L2TP, ISAKMP, and RADIUS protocol handlers.  These
    vulnerabilities may be used by an attacker to crash a running
    `tcpdump' process.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0989</cvename>
      <cvename>CAN-2003-1029</cvename>
      <cvename>CAN-2004-0057</cvename>
      <mlist>http://www.tcpdump.org/lists/workers/2003/12/msg00083.html</mlist>
      <mlist>http://marc.theaimsgroup.com/?l=tcpdump-workers&amp;m=107325073018070&amp;w=2</mlist>
    </references>
    <dates>
      <discovery>2003-12-24</discovery>
      <entry>2004-01-19</entry>
    </dates>
  </vuln>

  <vuln vid="fd376b8b-41e1-11d8-b096-0020ed76ef5a">
    <topic>Buffer overflow in INN control message handling</topic>
    <affects>
      <package>
    <name>inn</name>
    <range><lt>2.4.1</lt></range>
      </package>
      <package>
    <name>inn-stable</name>
    <range><lt>20031022_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A small, fixed-size stack buffer is used to construct a
      filename based on a received control message.  This could
      result in a stack buffer overflow.</p>
      </body>
    </description>
    <references>
      <mlist>http://lists.litech.org/pipermail/inn-workers/2004q1/002763.html</mlist>
    </references>
    <dates>
      <discovery>2004-01-07</discovery>
      <entry>2004-01-08</entry>
    </dates>
  </vuln>

  <vuln vid="cf0fb426-3f96-11d8-b096-0020ed76ef5a">
    <topic>ProFTPD ASCII translation bug resulting in remote root compromise</topic>
    <affects>
      <package>
    <name>proftpd</name>
    <range><lt>1.2.8_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A buffer overflow exists in the ProFTPD code that handles
      translation of newline characters during ASCII-mode file
      uploads.  An attacker may exploit this buffer overflow by
      uploading a specially crafted file, resulting in code
      execution and ultimately a remote root compromise.</p>
      </body>
    </description>
    <references>
      <url>http://xforce.iss.net/xforce/alerts/id/154</url>
      <cvename>CAN-2003-0831</cvename>
    </references>
    <dates>
      <discovery>2003-09-23</discovery>
      <entry>2004-01-05</entry>
    </dates>
  </vuln>

  <vuln vid="81313647-2d03-11d8-9355-0020ed76ef5a">
    <topic>ElGamal sign+encrypt keys created by GnuPG can be compromised</topic>
    <affects>
      <package>
    <name>gnupg</name>
    <range><ge>1.0.2</ge><lt>1.2.3_4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Any ElGamal sign+encrypt keys created by GnuPG contain a
      cryptographic weakness that may allow someone to obtain
      the private key. <strong>These keys should be considered
      unusable and should be revoked.</strong></p>
    <p>The following summary was written by Werner Koch, GnuPG
      author:</p>
    <blockquote cite="http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html">
      <p>Phong Nguyen identified a severe bug in the way GnuPG
        creates and uses ElGamal keys for signing.  This is
        a significant security failure which can lead to a
        compromise of almost all ElGamal keys used for signing.
        Note that this is a real world vulnerability which will
        reveal your private key within a few seconds.</p>
      <p>...</p>
      <p>Please <em>take immediate action and revoke your ElGamal
        signing keys</em>.  Furthermore you should take whatever
        measures necessary to limit the damage done for signed or
        encrypted documents using that key.</p>
      <p>Note that the standard keys as generated by GnuPG (DSA
        and ElGamal encryption) as well as RSA keys are NOT
        vulnerable.  Note also that ElGamal signing keys cannot
        be generated without the use of a special flag to enable
        hidden options and even then overriding a warning message
        about this key type.  See below for details on how to
        identify vulnerable keys.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0971</cvename>
      <mlist>http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html</mlist>
    </references>
    <dates>
      <discovery>2003-11-27</discovery>
      <entry>2003-12-12</entry>
    </dates>
  </vuln>

  <vuln vid="96fdbf5b-2cfd-11d8-9355-0020ed76ef5a">
    <topic>Mathopd buffer overflow</topic>
    <affects>
      <package>
    <name>mathopd</name>
    <range><lt>1.4p2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Mathopd contains a buffer overflow in the prepare_reply()
      function that may be remotely exploitable.</p>
      </body>
    </description>
    <references>
      <url>http://www.mail-archive.com/mathopd%40mathopd.org/msg00136.html</url>
    </references>
    <dates>
      <discovery>2003-12-04</discovery>
      <entry>2003-12-12</entry>
    </dates>
  </vuln>

  <vuln vid="d7af61c8-2cc0-11d8-9355-0020ed76ef5a">
    <topic>lftp HTML parsing vulnerability</topic>
    <affects>
      <package>
    <name>lftp</name>
    <range><le>2.6.10</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>A buffer overflow exists in lftp which may be triggered when
      requesting a directory listing from a malicious server over
      HTTP.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2003-0963</cvename>
      <url>http://lftp.yar.ru/news.html#2.6.10</url>
    </references>
    <dates>
      <discovery>2003-12-11</discovery>
      <entry>2003-12-12</entry>
    </dates>
  </vuln>

  <vuln vid="ebdf65c7-2ca6-11d8-9355-0020ed76ef5a">
    <topic>qpopper format string vulnerability</topic>
    <affects>
      <package>
    <name>qpopper</name>
    <range><lt>2.53_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>An authenticated user may trigger a format string
      vulnerability present in qpopper's UIDL code, resulting
      in arbitrary code execution with group ID `mail'
      privileges.</p>
      </body>
    </description>
    <references>
      <bid>1241</bid>
      <cvename>CVE-2000-0442</cvename>
      <url>http://www.netsys.com/suse-linux-security/2000-May/att-0137/01-b0f5-Qpopper.txt</url>
    </references>
    <dates>
      <discovery>2000-05-23</discovery>
      <entry>2003-12-12</entry>
    </dates>
  </vuln>

  <vuln vid="af0296be-2455-11d8-82e5-0020ed76ef5a">
    <topic>Fetchmail address parsing vulnerability</topic>
    <affects>
      <package>
    <name>fetchmail</name>
    <range><le>6.2.0</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Fetchmail can be crashed by a malicious email message.</p>
      </body>
    </description>
    <references>
      <url>http://security.e-matters.de/advisories/052002.html</url>
    </references>
    <dates>
      <discovery>2003-10-25</discovery>
      <entry>2003-10-25</entry>
    </dates>
  </vuln>

  <vuln vid="2bcd2d24-24ca-11d8-82e5-0020ed76ef5a">
    <topic>Buffer overflow in pam_smb password handling</topic>
    <affects>
      <package>
    <name>pam_smb</name>
    <range><lt>1.9.9_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Applications utilizing pam_smb can be compromised by
      any user who can enter a password.  In many cases,
      this is a remote root compromise.</p>
      </body>
    </description>
    <references>
      <url>http://www.skynet.ie/~airlied/pam_smb/</url>
      <cvename>CAN-2003-0686</cvename>
    </references>
    <dates>
      <discovery>2003-10-25</discovery>
      <entry>2003-10-25</entry>
      <modified>2003-10-25</modified>
    </dates>
  </vuln>

  <vuln vid="c4b7badf-24ca-11d8-82e5-0020ed76ef5a">
    <topic>Buffer overflows in libmcrypt</topic>
    <affects>
      <package>
    <name>libmcrypt</name>
    <range><lt>2.5.6</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>libmcrypt does incomplete input validation, leading to
      several buffer overflows.  Additionally,
      a memory leak is present.  Both of these problems may be
      exploited in a denial-of-service attack.</p>
      </body>
    </description>
    <references>
      <mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=104162752401212&amp;w=2</mlist>
      <cvename>CAN-2003-0031</cvename>
      <cvename>CAN-2003-0032</cvename>
    </references>
    <dates>
      <discovery>2003-10-25</discovery>
      <entry>2003-10-25</entry>
      <modified>2003-10-25</modified>
    </dates>
  </vuln>

  <vuln vid="0d4c31ac-cb91-11d8-8898-000d6111a684">
    <topic>Remote code injection in phpMyAdmin</topic>
    <affects>
      <package>
    <name>phpmyadmin</name>
    <range><lt>2.5.7.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>This vulnerability would allow remote user to inject PHP code
      to be executed by eval() function.  This vulnerability is only
      exploitable if variable $cfg['LeftFrameLight'] is set to FALSE (in
      file config.inc.php).</p>
      </body>
    </description>
    <references>
      <url>http://sf.net/forum/forum.php?forum_id=387635</url>
      <mlist msgid="20040629025752.976.qmail@www.securityfocus.com">http://www.securityfocus.com/archive/1/367486</mlist>
      <url>http://secunia.com/advisories/11974</url>
      <url>http://eagle.kecapi.com/sec/fd/phpMyAdmin.html</url>
    </references>
    <dates>
      <discovery>2004-06-29</discovery>
      <entry>2004-07-02</entry>
    </dates>
  </vuln>

  <vuln vid="4d837296-cc28-11d8-a54c-02e0185c0b53">
    <topic>GNATS local privilege elevation</topic>
    <affects>
      <package>
    <name>gnats</name>
    <range><le>3.113.1_9</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>GNATS 3.113.1 contains multiple buffer overflows, through which a
      local attacker could gain elevated privileges on the system.</p>
      </body>
    </description>
    <references>
      <freebsdpr>ports/56006</freebsdpr>
      <mlist msgid="20040625164231.7437.qmail@www.securityfocus.com">http://www.securityfocus.com/archive/1/326337</mlist>
      <url>http://www.securiteam.com/unixfocus/5CP0N0UAAA.html</url>
      <url>http://secunia.com/advisories/9096</url>
      <url>http://x82.inetcop.org/h0me/adv1sor1es/INCSA.2003-0x82-018-GNATS-bt.txt</url>
      <url>http://www.gnu.org/software/gnats/gnats.html</url>
      <url>http://www.osvdb.org/2190</url>
      <url>http://www.osvdb.org/4600</url>
      <url>http://www.osvdb.org/4601</url>
      <url>http://www.osvdb.org/4607</url>
    </references>
    <dates>
      <discovery>2003-06-21</discovery>
      <entry>2004-07-02</entry>
    </dates>
  </vuln>

  <vuln vid="c5519420-cec2-11d8-8898-000d6111a684">
    <topic>"Content-Type" XSS vulnerability affecting other webmail systems</topic>
    <affects>
      <package>
        <name>openwebmail</name>
        <range><le>2.32</le></range>
      </package>
      <package>
        <name>ilohamail</name>
        <range><lt>0.8.13</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Roman Medina-Heigl Hernandez did a survey which other webmail systems
          where vulnerable to a bug he discovered in SquirrelMail. This advisory
          summarizes the results.</p>
      </body>
    </description>
    <references>
      <url>http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-2.txt</url>
      <url>http://www.freebsd.org/ports/portaudit/89a0de27-bf66-11d8-a252-02e0185c0b53.html</url>
      <url>http://www.freebsd.org/ports/portaudit/911f1b19-bd20-11d8-84f9-000bdb1444a4.html</url>
      <url>http://www.freebsd.org/ports/portaudit/c3e56efa-c42f-11d8-864c-02e0185c0b53.html</url>
      <cvename>CAN-2004-0519</cvename>
    </references>
    <dates>
      <discovery>2004-05-29</discovery>
      <entry>2004-07-05</entry>
    </dates>
  </vuln>

  <vuln vid="e5e2883d-ceb9-11d8-8898-000d6111a684">
    <topic>MySQL authentication bypass / buffer overflow</topic>
    <affects>
      <package>
        <name>mysql-server</name>
        <range><ge>4.1</ge><lt>4.1.3</lt></range>
        <range><ge>5</ge><le>5.0.0_2</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>By submitting a carefully crafted authentication packet, it is possible
          for an attacker to bypass password authentication in MySQL 4.1. Using a
          similar method, a stack buffer used in the authentication mechanism can
          be overflowed.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0627</cvename>
      <cvename>CAN-2004-0628</cvename>
      <certvu>184030</certvu>
      <certvu>645326</certvu>
      <url>http://www.nextgenss.com/advisories/mysql-authbypass.txt</url>
      <url>http://dev.mysql.com/doc/mysql/en/News-4.1.3.html</url>
      <url>http://secunia.com/advisories/12020</url>
      <url>http://www.osvdb.org/7475</url>
      <url>http://www.osvdb.org/7476</url>
      <mlist msgid="Pine.LNX.4.44.0407080940550.9602-200000@pineapple.shacknet.nu">http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0003.html</mlist>
    </references>
    <dates>
      <discovery>2004-07-01</discovery>
      <entry>2004-07-05</entry>
      <modified>2004-08-28</modified>
    </dates>
  </vuln>

  <vuln vid="74d06b67-d2cf-11d8-b479-02e0185c0b53">
    <topic>multiple vulnerabilities in ethereal</topic>
    <affects>
      <package>
    <name>ethereal</name>
    <name>ethereal-lite</name>
    <name>tethereal</name>
    <name>tethereal-lite</name>
    <range><lt>0.10.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Issues have been discovered in multiple protocol dissectors.</p>
      </body>
    </description>
    <references>
      <url>http://www.ethereal.com/appnotes/enpa-sa-00014.html</url>
      <cvename>CAN-2004-0504</cvename>
      <cvename>CAN-2004-0505</cvename>
      <cvename>CAN-2004-0506</cvename>
      <cvename>CAN-2004-0507</cvename>
      <url>http://secunia.com/advisories/11608</url>
      <bid>10347</bid>
      <url>http://www.osvdb.org/6131</url>
      <url>http://www.osvdb.org/6132</url>
      <url>http://www.osvdb.org/6133</url>
      <url>http://www.osvdb.org/6134</url>
    </references>
    <dates>
      <discovery>2004-05-13</discovery>
      <entry>2004-07-11</entry>
    </dates>
  </vuln>

  <vuln vid="265c8b00-d2d0-11d8-b479-02e0185c0b53">
    <topic>multiple vulnerabilities in ethereal</topic>
    <affects>
      <package>
    <name>ethereal</name>
    <name>ethereal-lite</name>
    <name>tethereal</name>
    <name>tethereal-lite</name>
    <range><lt>0.10.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Issues have been discovered in multiple protocol dissectors.</p>
      </body>
    </description>
    <references>
      <url>http://www.ethereal.com/appnotes/enpa-sa-00015.html</url>
      <cvename>CAN-2004-0633</cvename>
      <cvename>CAN-2004-0634</cvename>
      <cvename>CAN-2004-0635</cvename>
      <url>http://secunia.com/advisories/12024</url>
      <bid>10672</bid>
      <url>http://www.osvdb.org/7536</url>
      <url>http://www.osvdb.org/7537</url>
      <url>http://www.osvdb.org/7538</url>
    </references>
    <dates>
      <discovery>2004-07-06</discovery>
      <entry>2004-07-11</entry>
    </dates>
  </vuln>

  <vuln vid="4764cfd6-d630-11d8-b479-02e0185c0b53">
    <topic>PHP memory_limit and strip_tags() vulnerabilities</topic>
    <affects>
      <package>
        <name>php4</name>
        <name>php4-cgi</name>
        <name>php4-cli</name>
        <name>php4-dtc</name>
        <name>php4-horde</name>
        <name>php4-nms</name>
        <name>mod_php4-twig</name>
        <range><lt>4.3.8</lt></range>
      </package>
      <package>
        <name>mod_php4</name>
        <range><lt>4.3.8,1</lt></range>
      </package>
      <package>
        <name>php5</name>
        <name>php5-cgi</name>
        <name>php5-cli</name>
        <range><lt>5.0.0</lt></range>
      </package>
      <package>
        <name>mod_php5</name>
        <range><lt>5.0.0,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Stefan Esser has reported two vulnerabilities in PHP, which can
          be exploited by malicious people to bypass security functionality
          or compromise a vulnerable system. An error within PHP's memory_limit
          request termination allows remote code execution on PHP servers
          with activated memory_limit. A binary safety problem within PHP's
          strip_tags() function may allow injection of arbitrary tags in
          Internet Explorer and Safari browsers.</p>
      </body>
    </description>
    <references>
      <url>http://www.php.net/ChangeLog-4.php</url>
      <url>http://www.php.net/ChangeLog-5.php</url>
      <url>http://security.e-matters.de/advisories/112004.html</url>
      <url>http://security.e-matters.de/advisories/122004.html</url>
      <url>http://secunia.com/advisories/12064</url>
      <url>http://www.osvdb.org/7870</url>
      <url>http://www.osvdb.org/7871</url>
      <cvename>CAN-2004-0594</cvename>
      <cvename>CAN-2004-0595</cvename>
    </references>
    <dates>
      <discovery>2007-07-07</discovery>
      <entry>2004-07-15</entry>
      <modified>2004-08-12</modified>
    </dates>
  </vuln>

  <vuln vid="730db824-e216-11d8-9b0a-000347a4fa7d">
    <topic>Mozilla / Firefox user interface spoofing vulnerability</topic>
    <affects>
      <package>
        <name>firefox</name>
        <range><le>0.9.1_1</le></range>
      </package>
      <package>
        <name>linux-mozilla</name>
        <range><le>1.7.1</le></range>
      </package>
      <package>
        <name>linux-mozilla-devel</name>
        <range><le>1.7.1</le></range>
      </package>
      <package>
        <name>mozilla</name>
        <range><le>1.7.1,2</le></range>
        <range><ge>1.8.a,2</ge><le>1.8.a2,2</le></range>
      </package>
      <package>
        <name>mozilla-gtk1</name>
        <range><le>1.7.1_1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>The Mozilla project's family of browsers contain a design
      flaw that can allow a website to spoof almost perfectly any
      part of the Mozilla user interface, including spoofing web
      sites for phishing or internal elements such as the "Master
      Password" dialog box.  This achieved by manipulating "chrome"
      through remote XUL content.  Recent versions of Mozilla have
      been fixed to not allow untrusted documents to utilize
      "chrome" in this way.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0764</cvename>
      <url>http://bugzilla.mozilla.org/show_bug.cgi?id=22183</url>
      <url>http://bugzilla.mozilla.org/show_bug.cgi?id=244965</url>
      <url>http://bugzilla.mozilla.org/show_bug.cgi?id=252198</url>
      <url>http://www.nd.edu/~jsmith30/xul/test/spoof.html</url>
      <url>http://secunia.com/advisories/12188</url>
      <bid>10832</bid>
    </references>
    <dates>
      <discovery>2004-07-19</discovery>
      <entry>2004-07-30</entry>
      <modified>2004-08-15</modified>
    </dates>
  </vuln>

  <vuln vid="f9e3e60b-e650-11d8-9b0a-000347a4fa7d">
    <topic>libpng stack-based buffer overflow and other code concerns</topic>
    <affects>
      <package>
        <name>png</name>
        <range><le>1.2.5_7</le></range>
      </package>
      <package>
        <name>linux-png</name>
        <range><le>1.0.14_3</le></range>
        <range><ge>1.2</ge><le>1.2.2</le></range>
      </package>
      <package>
        <name>firefox</name>
        <range><lt>0.9.3</lt></range>
      </package>
      <package>
        <name>thunderbird</name>
        <range><lt>0.7.3</lt></range>
      </package>
      <package>
        <name>linux-mozilla</name>
        <range><lt>1.7.2</lt></range>
      </package>
      <package>
        <name>linux-mozilla-devel</name>
        <range><lt>1.7.2</lt></range>
      </package>
      <package>
        <name>mozilla</name>
        <range><lt>1.7.2,2</lt></range>
        <range><ge>1.8.a,2</ge><le>1.8.a2,2</le></range>
      </package>
      <package>
        <name>mozilla-gtk1</name>
        <range><lt>1.7.2</lt></range>
      </package>
      <package>
        <name>netscape-communicator</name>
        <name>netscape-navigator</name>
        <range><le>4.78</le></range>
      </package>
      <package>
        <name>linux-netscape-communicator</name>
        <name>linux-netscape-navigator</name>
        <name>ko-netscape-navigator-linux</name>
        <name>ko-netscape-communicator-linux</name>
        <name>ja-netscape-communicator-linux</name>
        <name>ja-netscape-navigator-linux</name>
        <range><le>4.8</le></range>
      </package>
      <package>
        <name>netscape7</name>
        <name>ja-netscape7</name>
        <range><le>7.1</le></range>
      </package>
      <package>
        <name>pt_BR-netscape7</name>
        <name>fr-netscape7</name>
        <name>de-netscape7</name>
        <range><le>7.02</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Chris Evans has discovered multiple vulnerabilities in libpng,
          which can be exploited by malicious people to compromise a
          vulnerable system or cause a DoS (Denial of Service).</p>
      </body>
    </description>
    <references>
      <mlist msgid="Pine.LNX.4.58.0408041840080.20655@sphinx.mythic-beasts.com">http://www.securityfocus.com/archive/1/370853</mlist>
      <url>http://scary.beasts.org/security/CESA-2004-001.txt</url>
      <url>http://www.osvdb.org/8312</url>
      <url>http://www.osvdb.org/8313</url>
      <url>http://www.osvdb.org/8314</url>
      <url>http://www.osvdb.org/8315</url>
      <url>http://www.osvdb.org/8316</url>
      <cvename>CAN-2004-0597</cvename>
      <cvename>CAN-2004-0598</cvename>
      <cvename>CAN-2004-0599</cvename>
      <certvu>388984</certvu>
      <certvu>236656</certvu>
      <certvu>160448</certvu>
      <certvu>477512</certvu>
      <certvu>817368</certvu>
      <certvu>286464</certvu>
      <url>http://secunia.com/advisories/12219</url>
      <url>http://secunia.com/advisories/12232</url>
      <url>http://bugzilla.mozilla.org/show_bug.cgi?id=251381</url>
      <uscertta>TA04-217A</uscertta>
      <url>http://dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt</url>
    </references>
    <dates>
      <discovery>2004-08-04</discovery>
      <entry>2004-08-04</entry>
      <modified>2004-08-15</modified>
    </dates>
  </vuln>

  <vuln vid="abe47a5a-e23c-11d8-9b0a-000347a4fa7d">
    <topic>Mozilla certificate spoofing</topic>
    <affects>
      <package>
        <name>firefox</name>
        <range><ge>0.9.1</ge><le>0.9.2</le></range>
      </package>
      <package>
        <name>linux-mozilla</name>
        <range><lt>1.7.2</lt></range>
      </package>
      <package>
        <name>linux-mozilla-devel</name>
        <range><lt>1.7.2</lt></range>
      </package>
      <package>
        <name>mozilla</name>
        <range><lt>1.7.2,2</lt></range>
        <range><ge>1.8,2</ge><le>1.8.a2,2</le></range>
      </package>
      <package>
        <name>mozilla-gtk1</name>
        <range><lt>1.7.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Mozilla and Mozilla Firefox contains a flaw that may
          allow a malicious user to spoof SSL certification.</p>
      </body>
    </description>
    <references>
      <mlist msgid="003a01c472ba$b2060900$6501a8c0@sec">http://www.securityfocus.com/archive/1/369953</mlist>
      <url>http://www.cipher.org.uk/index.php?p=advisories/Certificate_Spoofing_Mozilla_FireFox_25-07-2004.advisory</url>
      <url>http://secunia.com/advisories/12160</url>
      <url>http://bugzilla.mozilla.org/show_bug.cgi?id=253121</url>
      <url>http://www.osvdb.org/8238</url>
      <bid>10796</bid>
      <cvename>CAN-2004-0763</cvename>
    </references>
    <dates>
      <discovery>2004-07-25</discovery>
      <entry>2004-07-30</entry>
      <modified>2004-08-12</modified>
    </dates>
  </vuln>

  <vuln vid="a713c0f9-ec54-11d8-9440-000347a4fa7d">
    <topic>ImageMagick png vulnerability fix</topic>
    <affects>
      <package>
        <name>ImageMagick</name>
        <name>ImageMagick-nox11</name>
        <range><lt>6.0.4.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Glenn Randers-Pehrson has contributed a fix for the png
          vulnerabilities discovered by Chris Evans.</p>
      </body>
    </description>
    <references>
      <url>http://studio.imagemagick.org/pipermail/magick-users/2004-August/013218.html</url>
      <url>http://freshmeat.net/releases/169228</url>
      <url>http://secunia.com/advisories/12236</url>
      <url>http://www.freebsd.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html</url>
    </references>
    <dates>
      <discovery>2004-08-04</discovery>
      <entry>2004-08-04</entry>
      <modified>2004-08-12</modified>
    </dates>
  </vuln>

  <vuln vid="e811aaf1-f015-11d8-876f-00902714cc7c">
    <topic>Ruby insecure file permissions in the CGI session management</topic>
    <affects>
      <package>
        <name>ruby</name>
        <range><lt>1.6.8.2004.07.26</lt></range>
        <range><ge>1.7.0</ge><lt>1.8.1.2004.07.23</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>According to a Debian Security Advisory:</p>
    <blockquote cite="http://www.debian.org/security/2004/dsa-537">
          <p>Andres Salomon noticed a problem in the CGI session
            management of Ruby, an object-oriented scripting language.
            CGI::Session's FileStore (and presumably PStore [...])
            implementations store session information insecurely.
            They simply create files, ignoring permission issues.
            This can lead an attacker who has also shell access to the
            webserver to take over a session.</p>
    </blockquote>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0755</cvename>
      <url>http://xforce.iss.net/xforce/xfdb/16996</url>
      <url>http://www.debian.org/security/2004/dsa-537</url>
      <mlist>http://marc.theaimsgroup.com/?l=bugtraq&amp;m=109267579822250&amp;w=2</mlist>
    </references>
    <dates>
      <discovery>2004-08-16</discovery>
      <entry>2004-08-16</entry>
      <modified>2004-08-28</modified>
    </dates>
  </vuln>

  <vuln vid="d2102505-f03d-11d8-81b0-000347a4fa7d">
    <topic>multiple CVS vulnerabilities</topic>
    <affects>
      <package>
    <name>cvs+ipv6</name>
    <range><lt>1.11.17</lt></range>
      </package>
<!--
      <system>
    <name>FreeBSD</name>
    <range><lt>491101</lt></range>
    <range><ge>500000</ge><lt>502114</lt></range>
      </system>
-->
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Stefan Esser reports multiple remote exploitable vulnerabilites
          in the cvs code base.</p>
        <p>Additionaly there exists an undocumented switch to the history
          command allows an attacker to determine whether arbitrary files
          exist and whether the CVS process can access them.</p>
      </body>
    </description>
    <references>
      <cvename>CAN-2004-0414</cvename>
      <cvename>CAN-2004-0416</cvename>
      <cvename>CAN-2004-0417</cvename>
      <cvename>CAN-2004-0418</cvename>
      <cvename>CAN-2004-0778</cvename>
      <url>http://secunia.com/advisories/11817</url>
      <url>http://secunia.com/advisories/12309</url>
      <url>http://security.e-matters.de/advisories/092004.html</url>
      <url>http://www.idefense.com/application/poi/display?id=130&amp;type=vulnerabilities&amp;flashstatus=false</url>
      <url>https://ccvs.cvshome.org/source/browse/ccvs/NEWS?rev=1.116.2.104</url>
      <url>http://www.osvdb.org/6830</url>
      <url>http://www.osvdb.org/6831</url>
      <url>http://www.osvdb.org/6832</url>
      <url>http://www.osvdb.org/6833</url>
      <url>http://www.osvdb.org/6834</url>
      <url>http://www.osvdb.org/6835</url>
      <url>http://www.osvdb.org/6836</url>
      <url>http://www.packetstormsecurity.org/0405-exploits/cvs_linux_freebsd_HEAP.c</url>
      <bid>10499</bid>
    </references>
    <dates>
      <discovery>2004-05-20</discovery>
      <entry>2004-08-17</entry>
    </dates>
  </vuln>
</vuxml>