The MITRE Corporation 5.0 2006-11-01T10:03:13.762-05:00 Red Hat Enterprise Linux 3 CVS Integer overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 SquirrelMail Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The tvb_get_nstringz0 function in Ethereal 0.9.12 and earlier does not properly handle a zero-length buffer size, with unknown consequences. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 SquirrelMail Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 SquirrelMail SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 fetchmail Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Ethereal 0.9.12 and earlier does not handle certain strings properly, with unknown consequences, in the (1) BGP, (2) WTP, (3) DNS, (4) 802.11, (5) ISAKMP, (6) WSP, (7) CLNP, (8) ISIS, and (9) RMI dissectors. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code. Jay Beale INTERIM ACCEPTED Matthew Wojcik Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ximian Evolution The try_uudecoding function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malicious uuencoded (UUE) header, possibly triggering a heap-based buffer overflow. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ximian Evolution Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (memory consumption) via a mail message that is uuencoded multiple times. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 zgrep zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 postgresql The tsearch2 module in PostgreSQL 7.4 through 8.0.x declares the (1) dex_init, (2) snb_en_init, (3) snb_ru_init, (4) spell_init, and (5) syn_init functions as "internal" even when they do not take an internal argument, which allows attackers to cause a denial of service (application crash) and possibly have other impacts via SQL commands that call other functions that accept internal arguments. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 gzip zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ximian Evolution The handle_image function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier does not properly escape HTML characters, which allows remote attackers inject arbitrary data and HTML via a MIME Content-ID header in a MIME-encoded image. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel The linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly maintain the mlock page count when one process unlocks pages that belong to another process, which allows local users to mlock more memory than specified by the rlimit. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 GDM GDM before 2.4.1.6, when using the "examine session errors" feature, allows local users to read arbitrary files via a symlink attack on the ~/.xsession-errors file. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 fetchmail Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 GDM The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) when a chosen host expires, a different issue than CVE-2003-0549. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 telnet Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 bzip2 Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 gzip Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 libxml2 Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 libgd Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 sudo Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users to gain privileges via a symlink attack. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED It appears that we can't parse the vulnerable configuration condition (an ALL in the second field of a line after a line that has no ALL in the second field) with our existing regexp. Red Hat Enterprise Linux 3 gedit Format string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format string specifiers in the filename. NOTE: while this issue is triggered on the command line by the gedit user, it has been reported that web browsers and email clients could be configured to provide a file name as an argument to gedit, so there is a valid attack that crosses security boundaries. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing"). Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 libgd Integer overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CVE-2004-0941. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability." Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 GDM The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) via a short authorization key name. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability." Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 GNU Ghostscript Unknown vulnerability in GNU Ghostscript before 7.07 allows attackers to execute arbitrary commands, even when -dSAFER is enabled, via a PostScript file that causes the commands to be executed from a malicious print job. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 FreeRADIUS FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (server crash) by sending an Ascend-Send-Secret attribute without the required leading packet. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 GnuPG The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 GtkHTML GtkHTML, as included in Evolution before 1.2.4, allows remote attackers to cause a denial of service (crash) via certain malformed messages. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 GtkHTML gtkhtml before 1.1.10, as used in Evolution, allows remote attackers to cause a denial of service (crash) via a malformed message that causes a null pointer dereference. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Apache Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Apache Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Apache A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 OpenSSL The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Apache Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Apache The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Apache Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 KDM KDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Mutt Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 KDM KDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 krb5 Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 krb5 The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun"). Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 krb5 Version 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 krb5 Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing." Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Netfilter The connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Netfilter The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Gaim Gaim before 1.3.1 allows remote attackers to cause a denial of service (crash) via a malformed MSN message that leads to a memory allocation of a large size, possibly due to an integer signedness error. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 skk skk (Simple Kana to Kanji conversion program) 12.1 and earlier, and the ddskk package which is based on skk, creates temporary files insecurely, which allows local users to overwrite arbitrary files. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel Unknown vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops"). Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel Linux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a "crash.c" program. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash). Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The RPC code in Linux kernel 2.4 sets the reuse flag when sockets are created, which could allow local users to bind to UDP ports that are used by privileged services such as nfsd. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 php Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CVE-2005-1759. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 php Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 cpio Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 libpng Portable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 gzip Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel Linux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel Integer signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The C-Media PCI sound driver in Linux before 2.4.21 does not use the get_user function to access userspace, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0700. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The C-Media PCI sound driver in Linux before 2.4.22 does not use the get_user function to access userspace in certain conditions, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0699. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Konqueror KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 LPRng psbanner in the LPRng package allows local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 lv lv reads a .lv file from the current working directory, which allows local users to execute arbitrary commands as other lv users by placing malicious .lv files into other directories. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Mutt Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 MySQL Double-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 MySQL MySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INFO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart, as demonstrated by modifying my.cnf. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 nfs-utils Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSH OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSH "Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSH A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSH Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSL The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack." Jay Beale INTERIM Jay Beale Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSL OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal). Jay Beale INTERIM Jay Beale Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 pam_smb Buffer overflow in PAM SMB module (pam_smb) 1.1.6 and earlier, when authenticating to a remote service, allows remote attackers to execute arbitrary code. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 CGI.pm Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 php Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 pine Buffer overflow in PINE before 4.58 allows remote attackers to execute arbitrary code via a malformed message/external-body MIME type. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 pine Integer signedness error in rfc2231_get_param from strings.c in PINE before 4.58 allows remote attackers to execute arbitrary code via an email that causes an out-of-bounds array access using a negative number. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 EOG Format string vulnerability in Eye Of Gnome (EOG) allows attackers to execute arbitrary code via format string specifiers in a command line argument for the file to display. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Postfix Postfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDos attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a "!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Format string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Postfix The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Heap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 smbd Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Samba The code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Samba Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Samba, Samba-TNG Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 semi MIME library The (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and possibly other versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Sendmail The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Sendmail A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Sendmail The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 CUPS CUPS before 1.1.19 allows remote attackers to cause a denial of service via a partial printing request to the IPP port (631), which does not time out. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 Sendmail The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 SquirrelMail Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 unzip Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 sysreport sysreport 1.3.15 and earlier includes contents of the up2date file in a report, which leaks the password for a proxy server in plaintext and allows local users to gain privileges. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 up2date up2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 vsftpd vsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrappers (tcp_wrappers) but is installed as a standalone service, which inadvertently prevents vsftpd from restricting access as intended. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mikmod Buffer overflow in mikmod 3.1.6 and earlier allows remote attackers to execute arbitrary code via an archive file that contains a file with a long filename. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 xinetd Memory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections. Jay Beale INTERIM Jay Beale Jay Beale ACCEPTED ACCEPTED Red Hat Linux 9 xpdf Various PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 ypserv ypserv NIS server before 2.7 allows remote attackers to cause a denial of service via a TCP client request that does not respond to the server, which causes ypserv to block. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 postgresql PostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged users to call those functions with malicious values, with unknown impact, aka the "Character conversion vulnerability." Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Multiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, (4) PPTP, (5) Quake, (6) Quake2, (7) Quake3, (8) Rsync, (9) SMB, (10) SMPP, and (11) TSP dissectors, which do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 ImageMagick Heap-based buffer overflow in the ReadPNMImage function in pnm.c for ImageMagick 6.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a PNM file with a small colors value. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 gftp Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. Jay Beale DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing"). Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Multiple integer overflow vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) Mount and (2) PPP dissectors. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Gaim Gaim before 1.3.1 allows remote attackers to cause a denial of service (application crash) via a Yahoo! message with non-ASCII characters in a file name. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 bzip2 bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb"). Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Unknown vulnerability in the DCERPC (DCE/RPC) dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (memory consumption) via a certain NDR string. Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 PWLib Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. Jay Beale Matt Busby ACCEPTED ACCEPTED Red Hat Linux 9 netpbm netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. Jay Beale Matt Busby ACCEPTED ACCEPTED Red Hat Linux 9 XFree86 Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. Jay Beale Matt Busby ACCEPTED ACCEPTED Red Hat Linux 9 XFree86 Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. Jay Beale Matt Busby ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 XFree86 Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. Jay Beale Matt Busby ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 netpbm netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. Jay Beale Matt Busby ACCEPTED ACCEPTED