Sun Solaris 8 kcms_configure David Proulx 2001-0594 kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument ACCEPTED 1 Sun Solaris 8 libnsl David Proulx 2002-0391 Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd ACCEPTED 1 Sun Solaris 8 xlock David Proulx 2001-0652 Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable ACCEPTED 1 Sun Solaris 8 snmpdx David Proulx 2002-0796 Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges ACCEPTED 1 Sun Solaris 8 Xsun David Proulx 2002-0158 Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument ACCEPTED 1 Sun Solaris 8 CDE David Proulx 2002-0677 CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure ACCEPTED 1 Sun Solaris 8 cachefsd David Proulx Brian Soby 2002-0033 Updated to include Solaris 9 and Solaris 9 patch info INTERIM ACCEPTED Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name ACCEPTED 3 Sun Solaris 7 Xsun David Proulx 2002-0158 Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument ACCEPTED 1 Sun Solaris 7 whodo David Proulx 2001-1076 Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable ACCEPTED 1 Sun Solaris 7 rpc.rwalld David Proulx 2002-0573 Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed ACCEPTED 1 Sun Solaris 7 libnsl David Proulx 2002-0391 Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd ACCEPTED 1 Sun Solaris 7 cachefsd David Proulx Brian Soby 2002-0084 Updated to add patch test INTERIM ACCEPTED Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument ACCEPTED 2 Sun Solaris 8 whodo David Proulx 2001-1076 Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable ACCEPTED 1 Sun Solaris 7 admintool David Proulx 2002-0088 Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path ACCEPTED 1 Sun Solaris 8 rpc.yppasswdd David Proulx 2001-0779 Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username ACCEPTED 1 Sun Solaris 8 admintool David Proulx 2002-0088 Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path ACCEPTED 1 Sun Solaris 7 mibiisa David Proulx 2002-0797 Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges ACCEPTED 1 Sun Solaris 7 kcms_configure David Proulx 2001-0594 kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument ACCEPTED 1 Sun Solaris 8 admintool David Proulx 2002-0089 Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file ACCEPTED 1 Sun Solaris 7 admintool David Proulx 2002-0089 Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file ACCEPTED 1 Sun Solaris 8 dtspcd David Proulx 2001-0803 Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary command ACCEPTED 1 Sun Solaris 7 dtspcd David Proulx 2001-0803 Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary command ACCEPTED 1 Sun Solaris 8 rpc.rwalld David Proulx 2002-0573 Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed ACCEPTED 1 Sun Solaris 7 CDE David Proulx 2002-0678 CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure ACCEPTED 1 Sun Solaris 8 lbxproxy David Proulx 2002-0090 Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option ACCEPTED 1 Sun Solaris 7 CDE David Proulx 2002-0677 CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure ACCEPTED 1 Sun Solaris 8 mibiisa David Proulx 2002-0797 Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges ACCEPTED 1 Sun Solaris 8 cachefsd David Proulx Brian Soby 2002-0084 Updated to add patch test Added Solaris 9 and Solaris 9 patch test to the definition INTERIM ACCEPTED Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument ACCEPTED 2 Sun Solaris 7 rpc.yppasswdd David Proulx 2001-0779 Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username ACCEPTED 1 Sun Solaris 7 snmpdx David Proulx 2002-0796 Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges ACCEPTED 1 Sun Solaris 7 kcms_server David Proulx 2003-0027 Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure ACCEPTED 1 Sun Solaris 7 cachefsd David Proulx Brian Soby 2002-0033 Added patch test INTERIM ACCEPTED Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name ACCEPTED 2 Sun Solaris 7 xlock David Proulx 2001-0652 Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable ACCEPTED 1 Sun Solaris 8 fs.auto, xfs David Proulx David Proulx 2002-1317 Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query ACCEPTED 2 Sun Solaris 7 fs.auto, xfs David Proulx David Proulx 2002-1317 Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query ACCEPTED 2 Sun Solaris 8 CDE David Proulx 2002-0678 CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure ACCEPTED 1 Sun Solaris 7 CDE David Proulx 2002-0679 Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure ACCEPTED 1 Sun Solaris 7 lbxproxy David Proulx 2002-0090 Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option ACCEPTED 1 Sun Solaris 8 CDE David Proulx 2002-0679 Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure ACCEPTED 1 Sun Solaris 8 kcms_server David Proulx 2003-0027 Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure ACCEPTED 1 Sun Solaris 9 Bind Brian Soby 2002-1220 DRAFT INTERIM ACCEPTED BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size ACCEPTED 1 Sun Solaris 7 Xsun Brian Soby Brian Soby 2001-0422 DRAFT INTERIM ACCEPTED Buffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 snmpdx Brian Soby 2002-0012 DRAFT INTERIM ACCEPTED Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available ACCEPTED 1 Sun Solaris 9 CDE Brian Soby 2002-0677 modified sat-6 - Changed test to pattern match and added check for 64bit version modified sat-6 - Changed regular expression test to properly check for 64bit package DRAFT INTERIM ACCEPTED INTERIM ACCEPTED CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure ACCEPTED 2 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Solaris Enterprise Authentication Mechanism (SEAM) Brian Soby 2003-0058 DRAFT INTERIM ACCEPTED MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby 2004-0760 DRAFT INTERIM ACCEPTED Mozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sadmin Brian Soby 2003-0722 Added check for sadmind called with strong authentication DRAFT INTERIM ACCEPTED The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets ACCEPTED 1 Sun Solaris 7 CDE Brian Soby 2004-0368 Added patch 107180-31 test for Solaris 7. Changed vulnerable software test logic a little DRAFT INTERIM ACCEPTED Double-free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet ACCEPTED 1 Sun Solaris 9 Samba Brian Soby 2002-1318 DRAFT INTERIM ACCEPTED Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string ACCEPTED 1 Sun Solaris 7 libpng Brian Soby 2004-0599 DRAFT INTERIM ACCEPTED Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image ACCEPTED 1 Sun Solaris 8 Sun Enterprise Storage Manager (ESM) Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED 1 Sun Solaris 7 NIS Brian Soby Brian Soby 2001-1328 DRAFT INTERIM ACCEPTED Buffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remote attackers to execute arbitrary code ACCEPTED 1 Sun Solaris 7 dtspcd Brian Soby 1999-0689 DRAFT INTERIM ACCEPTED The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 CDE Brian Soby 2003-0092 DRAFT INTERIM ACCEPTED Heap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Apache Brian Soby 2004-0174 Changed apache test to file test Changed apache test to package test DRAFT INTERIM ACCEPTED Apache before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket. ACCEPTED 1 Sun Solaris 7 Solaris Enterprise Authentication Mechanism (SEAM) Brian Soby 2004-0523 Changed two unknown tests for kerberos configuration to Solaris text file contents tests DRAFT INTERIM ACCEPTED Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root ACCEPTED 1 Sun Solaris 7 Bind Brian Soby 2003-0914 modified sat-10 - Changed test to pattern match to check for 64bit version of Core Solaris modified sat-10 - Changed regular expression to properly check for 64bit package DRAFT INTERIM ACCEPTED INTERIM ACCEPTED ISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote attackers to poison the cache via a malicious name server that returns negative responses with a large TTL (time-to-live) value ACCEPTED 2 Sun Solaris 7 login Brian Soby Brian Soby 2001-0797 DRAFT INTERIM ACCEPTED Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin ACCEPTED 1 Sun Solaris 9 pam_krb5 Brian Soby 2004-0653 Changed all unknown tests to solaris file contents tests DRAFT INTERIM ACCEPTED Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files ACCEPTED 1 Sun Solaris 7 Bind Brian Soby 2002-1221 DRAFT INTERIM ACCEPTED BIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference ACCEPTED 1 Sun Solaris 9 Kerberos5 Brian Soby 2004-0644 Changed kerberos unknown test to solaris file contents test DRAFT INTERIM ACCEPTED The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding ACCEPTED 1 Sun Solaris 9 Samba Brian Soby 2003-0201 DRAFT INTERIM ACCEPTED Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code ACCEPTED 1 Sun Solaris 9 Sendmail Brian Soby 2002-0906 DRAFT INTERIM ACCEPTED Buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malicious DNS server ACCEPTED 1 Sun Solaris 7 libpng Brian Soby 2004-0597 DRAFT INTERIM ACCEPTED Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby 2004-0764 DRAFT INTERIM ACCEPTED Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files ACCEPTED 1 Sun Solaris 7 NIS Brian Soby 2002-1199 DRAFT INTERIM ACCEPTED The getdbm procedure in ypxfrd allows local users to read arbitrary files, and remote attackers to read databases outside /var/yp, via a directory traversal and symlink attack on the domain and map arguments ACCEPTED 1 Sun Solaris 8 Kerberos5 Brian Soby 2003-0082 DRAFT INTERIM ACCEPTED The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun") ACCEPTED 1 Sun Solaris 7 Bind Brian Soby 2002-1219 DRAFT INTERIM ACCEPTED Buffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 versions 8.3.3 and earlier, allows remote attackers to execute arbitrary code via a certain DNS server response containing SIG resource records (RR) ACCEPTED 1 Sun Solaris 7 libpng Brian Soby 2004-0598 DRAFT INTERIM ACCEPTED The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Cluster Brian Soby 2003-0545 DRAFT INTERIM ACCEPTED Double-free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding ACCEPTED 1 Sun Solaris 7 kcms_server Brian Soby 2003-0027 DRAFT INTERIM ACCEPTED Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure ACCEPTED 1 Sun Solaris 8 Sun Crypto Accelerator 4000 Brian Soby 2004-0079 DRAFT INTERIM ACCEPTED The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference ACCEPTED 1 Sun Solaris 9 OpenSSH Brian Soby 2003-0693 DRAFT INTERIM ACCEPTED A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CAN-2003-0695 ACCEPTED 1 Sun Solaris 9 CDE Brian Soby 2002-0678 modified sat-6 - Changed test to pattern match and added check for 64bit version modified sat-6 - Changed regular expression test to properly check for 64bit package DRAFT INTERIM ACCEPTED INTERIM ACCEPTED CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure ACCEPTED 2 Sun Solaris 9 fs.auto, xfs Brian Soby 2002-1317 DRAFT INTERIM ACCEPTED Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query ACCEPTED 1 Sun Solaris 7 Sendmail Brian Soby Brian Soby 2003-0694 DRAFT INTERIM ACCEPTED The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c ACCEPTED 1 Sun Solaris 7 CDE Brian Soby 1999-0691 DRAFT INTERIM ACCEPTED Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby 2004-0758 DRAFT INTERIM ACCEPTED Mozilla 1.5 through 1.7 allows a CA certificate to be imported even when their DN is the same as that of the built-in CA root certificate, which allows remote attackers to cause a denial of service to SSL pages because the malicious certificate is treated as invalid ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby 2004-0757 DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, may allow remote POP3 mail servers to execute arbitrary code ACCEPTED 1 Sun Solaris 9 Kerberos5 Brian Soby 2004-0643 Changed kerberos unknown test to solaris file contents test DRAFT INTERIM ACCEPTED Double-free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code ACCEPTED 1 Sun Solaris 9 Solaris Volume Manager (SVM) Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED 1 Sun Solaris 7 Solaris Runtime Linker Brian Soby Brian Soby 2003-0609 DRAFT INTERIM ACCEPTED Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variable ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby 2004-0761 DRAFT INTERIM ACCEPTED Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote attackers to use certain redirect sequences to spoof the security lock icon that makes a web page appear to be encrypted ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 priocntl() Brian Soby 2002-1296 DRAFT INTERIM ACCEPTED Directory traversal vulnerability in priocntl system call in Solaris does allows local users to execute arbitrary code via ".." sequences in the pc_clname field of a pcinfo_t structure, which cause priocntl to load a malicious kernel module ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Apache Brian Soby 2003-0542 DRAFT INTERIM ACCEPTED Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby 2004-0763 DRAFT INTERIM ACCEPTED Mozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 DtMail Brian Soby 2004-0800 DRAFT INTERIM ACCEPTED Format string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain privileges via format strings in the argv[0] value ACCEPTED 1 Sun Solaris 7 bash, tcsh, cash, sh, ksh Brian Soby 2000-1134 DRAFT INTERIM ACCEPTED tcsh, csh, sh, and bash on various Unix systems follow symlinks when processing << redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack ACCEPTED 1 Sun Solaris 7 lpstat, libprint Brian Soby 2003-0999 DRAFT INTERIM ACCEPTED Unknown multiple vulnerabilities in (1) lpstat and (2) the libprint library in Solaris 2.6 through 9 may allow attackers to execute arbitrary code or read or write arbitrary files ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Apache Brian Soby 2003-0020 Change apache test to file test Changed apache test to package test DRAFT INTERIM ACCEPTED Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences ACCEPTED 1 Sun Solaris 7 Bind Brian Soby 2002-0651 DRAFT INTERIM ACCEPTED Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Cluster Brian Soby 2003-0543 DRAFT INTERIM ACCEPTED Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 cachefsd Brian Soby 2002-0085 DRAFT INTERIM ACCEPTED cachefsd in Solaris 2.6, 7, and 8 allows remote attackers to cause a denial of service (crash) via an invalid procedure call in an RPC request ACCEPTED 1 Sun Solaris 7 CDE Brian Soby 1999-0693 DRAFT INTERIM ACCEPTED Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges ACCEPTED 1 Sun Solaris 7 lpstat Brian Soby 2003-0091 DRAFT INTERIM ACCEPTED Stack-based buffer overflow in the bsd_queue() function for lpq on Solaris 2.6 and 7 allows local users to gain root privilege ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby 2004-0762 DRAFT INTERIM ACCEPTED Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Apache Brian Soby 2003-0987 Change apache test to file test Changed apache test to package test DRAFT INTERIM ACCEPTED mod_digest for Apache does not properly verify the nonce of a client response by using a AuthNonce secret ACCEPTED 1