The OVAL Repository 5.3 2007-12-31T09:00:08.584-05:00 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Stack-based buffer overflow in the HrShellOpenWithMonikerDisplayName function in Microsoft Hyperlink Object Library (hlink.dll) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hyperlink, as demonstrated using an Excel worksheet with a long link in Unicode, aka "Hyperlink COM Object Buffer Overflow Vulnerability." NOTE: this is a different issue than CVE-2006-3059. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 X Multiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. Jay Beale INTERIM INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 File and Print Sharing File and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability. Tiffany Bergeron INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 COM Internet Services Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS Double-free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution. Jay Beale INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unspecified vulnerability in HP-UX B.11.23 on Itanium platforms allows local users to cause a denial of service due to a "specific stack size." Robert L. Hollis DRAFT Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 MIT Kerberos 5 (krb5) Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability. Andrew Buttner Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field. Ingrid Skoog DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors. Jay Beale INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Information Server (IIS) Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable). Jay Beale INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Buffer overflow in gopher client for Microsoft Internet Explorer 5.1 through 6.0, Proxy Server 2.0, or ISA Server 2000 allows remote attackers to execute arbitrary code via a gopher:// URL that redirects the user to a real or simulated gopher server that sends a long response. David Proulx Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path"). Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSL The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.5 and 6.0 allows remote attackers to read certain files and spoof the URL in the address bar by using the Document.open function to pass information between two frames from different domains, a new variant of the "Frame Domain Verification" vulnerability described in MS:MS01-058/CAN-2001-0874. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 cachefsd Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument. David Proulx Brian Soby Brian Soby INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows NT COM Internet Services Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Jet Database Engine Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query. Andrew Buttner INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows XP H.323 Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer The file upload control in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to automatically upload files from the local system via a web page containing a script to upload the files. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Data Access Components 2.6 Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 MDAC 2.5 Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 ImageMagick The XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer The zone determination function in Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to run scripts in the Local Computer zone by embedding the script in a cookie, aka the "Cookie-based Script Execution" vulnerability. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Enhanced Metafile (EMF) Windows Metafile (WMF) Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image. Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Remote Procedure Call (RPC) An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Remote Procedure Call (RPC) An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. Christine Walzer Christine Walzer DRAFT Microsoft Windows NT HTML Help Facility Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475. Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis Jonathan Baker ACCEPTED ACCEPTED Microsoft Windows 2000 Remote Procedure Call (RPC) An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT SNMP Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries. Christine Walzer INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Private Communications Transport (PCT) Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. Andrew Buttner INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted BIFF record with an attacker-controlled array index that is used for a function pointer, aka "Malformed OBJECT record Vulnerability." Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names. Tiffany Bergeron ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass security zone restrictions and execute arbitrary programs via a web document with a large number of duplicate file:// or other requests that point to the program and open multiple file download dialogs, which eventually cause Internet Explorer to execute the program, as demonstrated using a large number of FRAME or IFRAME tags, aka the "File Download Dialog Vulnerability." Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 H.323 Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Xsun Unspecified vulnerability in the (1) Xsun and (2) Xprt commands in Solaris 7, 8, 9, and 10 allows local users to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 mibiisa Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. David Proulx ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll. Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request. Christine Walzer INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) A typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka "Script Source Access Vulnerability." Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 OpenSSL The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via an HTTP response containing long values in (1) Content-type and (2) Content-encoding fields. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Buffer overflow in the implementation of an HTML directive in mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft ASN.1 Library Double-free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code. David Proulx INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code under fewer security restrictions via a malformed web page that requires NetBIOS connectivity, aka "Zone Spoofing through Malformed Web Page" vulnerability. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Buffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object tag in a web page. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6.0 allows remote attackers to execute arbitrary code by modifying the Content-Disposition and Content-Type header fields in a way that causes Internet Explorer to believe that the file is safe to open without prompting the user, aka the "File Execution Vulnerability." Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs. Tiffany Bergeron INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. Harvey Rubinovitz ACCEPTED Microsoft Windows Server 2003 Local Security Authority Subsystem Service (LSASS) Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with malformed string that triggers memory corruption related to record lengths, aka "Microsoft Office Parsing Vulnerability," a different vulnerability than CVE-2006-2389. Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple unspecified vulnerabilities in the KSSL kernel module in Sun Solaris 10, when configured with the KSSL proxy, allow remote attackers to cause a denial of service (kernel panic) via unspecified vectors related to "memory buffers" of Secure Socket Layer (SSL) records. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Unspecified vulnerability in the IP implementation in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (CPU consumption) via crafted IP packets, probably related to fragmented packets with duplicate or missing fragments. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Local Descriptor Table (LDT) The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory. Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 NetWare The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 CDE CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure. David Proulx Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky DEPRECATED DEPRECATED Microsoft Windows 2000 H.323 Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Agent Microsoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page. Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux3 Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. Jay Beale Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Help and Support Center (HSC) Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe. Harvey Rubinovitz Harvey Rubinovitz INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the dynamic tracing framework (DTrace) on Sun Solaris 10 before 20070730 allows local users with PRIV_DTRACE_USER privileges to cause a denial of service (panic or hang) via unspecified use of certain DTrace programs. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Private Communications Transport (PCT) Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. Andrew Buttner INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSL OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 COM Internet Services Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability." Christine Walzer Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Remote Procedure Call (RPC) A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests. Tiffany Bergeron INTERIM Ingrid Skoog ACCEPTED ACCEPTED Sun Solaris 8 libnsl Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd. David Proulx Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Local Security Authority Subsystem Service (LSASS) Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Enhanced Metafile (EMF) Windows Metafile (WMF) Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image. Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Windows logon process (winlogon) Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code. Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows logon process (winlogon) Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code. Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Remote Procedure Call (RPC) A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. Christine Walzer DRAFT Microsoft Windows 2000 Remote Procedure Call (RPC) A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Secure Sockets Layer (SSL) The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. David Proulx INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. Jay Beale Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Local Descriptor Table (LDT) The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory. Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Multiple UNC Provider (MUP) Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request. Tiffany Bergeron ACCEPTED Microsoft Windows XP Private Communications Transport (PCT) Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors. Jay Beale Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Secure Sockets Layer (SSL) The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. David Proulx INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Secure Sockets Layer (SSL) The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. David Proulx INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Local Security Authority Subsystem Service (LSASS) Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. Tiffany Bergeron INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Outlook Express The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." Andrew Buttner INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System The Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to cause a denial of service (sh crash) via an unspecified attack vector that causes sh processes to crash during creation of temporary files. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 httpd Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 libxml2 Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mozilla Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mozilla Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mozilla Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 OpenSSL OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. Matt Busby Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 OpenSSL The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. Matt Busby Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Simple Network Management Protocol (SNMP) Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. Harvey Rubinovitz ACCEPTED Red Hat Enterprise Linux 3 Net-SNMP Net-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges. Matt Busby Matt Busby INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS server CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the TCP Loopback/Fusion implementation in Sun Solaris 10 allows local users to cause a denial of service (resource exhaustion and service hang) via unspecified vectors. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 KDE Personal Information Management (kdepim) Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file. Jay Beale INTERIM Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Apache Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 httpd Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Sysstat The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. Jay Beale Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 nfs-utils packages rpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name. Jay Beale Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 lbxproxy Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option. David Proulx ACCEPTED Red Hat Linux 9 Linux kernel Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 KDE Personal Information Management (kdepim) Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Tethereal The Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 CVS server CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 tcpdump The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. Jay Beale ACCEPTED Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 tcpdump The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 tcpdump tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 tcpdump The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 tcpdump The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 sysstat The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Operating System Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 tcpdump tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 gdk-pixbuf gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. Jay Beale INTERIM Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 gdk-pixbuf gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. Jay Beale INTERIM Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 MSN Messenger Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files. Christine Walzer INTERIM Andrew Buttner ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Outlook Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Windows Media Services Unknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets. Tiffany Bergeron INTERIM John Hoyland INTERIM John Hoyland Jeff Cheng Jeff Cheng INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Unspecified vulnerability in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 and 2003 SP1, allows remote attackers to execute arbitrary code via unspecified vectors involving unhandled exceptions, memory resident applications, and incorrectly "unloading chained exception." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The OSI dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mod_python Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED Robert L. Hollis DEPRECATED DEPRECATED Red Hat Enterprise Linux 3 Mutt Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. Jay Beale ACCEPTED Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mremap The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Vicam USB driver The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in Low Bandwidth X proxy (lbxproxy) on Sun Solaris 8 through 10 before 20070725 allows local users to read arbitrary files with root group ownership via unknown vectors. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 XMLSoft Libxml2 Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. Jay Beale Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED Robert L. Hollis DEPRECATED DEPRECATED Red Hat Enterprise Linux 3 XFree86 Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 XFree86 Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. Jay Beale Matt Busby Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 XFree86 Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. Jay Beale Matt Busby Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED