4.2 20060614215733 Sun Solaris 8 kcms_configure David Proulx kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. CVE-2001-0594 ACCEPTED 1 Sun Solaris 8 libnsl David Proulx Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd. CVE-2002-0391 ACCEPTED 1 Sun Solaris 8 xlock David Proulx Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable. CVE-2001-0652 ACCEPTED 1 Sun Solaris 8 snmpdx David Proulx Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges. CVE-2002-0796 ACCEPTED 1 Sun Solaris 8 Xsun David Proulx Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument. CVE-2002-0158 ACCEPTED 1 Sun Solaris 8 CDE David Proulx CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure. CVE-2002-0677 ACCEPTED 1 Sun Solaris 8 cachefsd David Proulx Brian Soby INTERIM ACCEPTED Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name. CVE-2002-0033 ACCEPTED 3 Sun Solaris 7 Xsun David Proulx Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument. CVE-2002-0158 ACCEPTED 1 Sun Solaris 7 whodo David Proulx Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable. CVE-2001-1076 ACCEPTED 1 Sun Solaris 7 rpc.rwalld David Proulx Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed. CVE-2002-0573 ACCEPTED 1 Sun Solaris 7 libnsl David Proulx Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd. CVE-2002-0391 ACCEPTED 1 Sun Solaris 7 cachefsd David Proulx Brian Soby INTERIM ACCEPTED Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument. CVE-2002-0084 ACCEPTED 2 Sun Solaris 8 whodo David Proulx Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable. CVE-2001-1076 ACCEPTED 1 Sun Solaris 7 Admintool David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path. CVE-2002-0088 INTERIM 1 Sun Solaris 8 rpc.yppasswdd David Proulx Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username. CVE-2001-0779 ACCEPTED 1 Sun Solaris 8 Admintool David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path. CVE-2002-0088 INTERIM 1 Sun Solaris 7 mibiisa David Proulx Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. CVE-2002-0797 ACCEPTED 1 Sun Solaris 7 kcms_configure David Proulx kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. CVE-2001-0594 ACCEPTED 1 Sun Solaris 8 Admintool David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file. CVE-2002-0089 INTERIM 1 Sun Solaris 7 Admintool David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file. CVE-2002-0089 INTERIM 1 Sun Solaris 8 dtspcd David Proulx Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands CVE-2001-0803 ACCEPTED 1 Sun Solaris 7 dtspcd David Proulx Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands CVE-2001-0803 ACCEPTED 1 Sun Solaris 8 rpc.rwalld David Proulx Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed. CVE-2002-0573 ACCEPTED 1 Sun Solaris 7 CDE David Proulx CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure. CVE-2002-0678 ACCEPTED 1 Sun Solaris 8 lbxproxy David Proulx Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option. CVE-2002-0090 ACCEPTED 1 Sun Solaris 7 CDE David Proulx CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure. CVE-2002-0677 ACCEPTED 1 Sun Solaris 8 mibiisa David Proulx Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. CVE-2002-0797 ACCEPTED 1 Sun Solaris 8 cachefsd David Proulx Brian Soby Brian Soby INTERIM ACCEPTED Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument. CVE-2002-0084 ACCEPTED 2 Sun Solaris 7 rpc.yppasswdd David Proulx Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username. CVE-2001-0779 ACCEPTED 1 Sun Solaris 7 snmpdx David Proulx Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges. CVE-2002-0796 ACCEPTED 1 Sun Solaris 7 kcms_server David Proulx Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure. CVE-2003-0027 ACCEPTED 1 Sun Solaris 7 cachefsd David Proulx Brian Soby INTERIM ACCEPTED Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name. CVE-2002-0033 ACCEPTED 2 Sun Solaris 7 xlock David Proulx Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable. CVE-2001-0652 ACCEPTED 1 Sun Solaris 8 fs.auto, xfs David Proulx Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query. CVE-2002-1317 ACCEPTED 2 Sun Solaris 7 fs.auto, xfs David Proulx Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query. CVE-2002-1317 ACCEPTED 2 Sun Solaris 8 CDE David Proulx CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure. CVE-2002-0678 ACCEPTED 1 Sun Solaris 7 CDE David Proulx Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure. CVE-2002-0679 ACCEPTED 1 Sun Solaris 7 lbxproxy David Proulx Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option. CVE-2002-0090 ACCEPTED 1 Sun Solaris 8 CDE David Proulx Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure. CVE-2002-0679 ACCEPTED 1 Sun Solaris 8 kcms_server David Proulx Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure. CVE-2003-0027 ACCEPTED 1 Sun Solaris 9 Bind Brian Soby DRAFT INTERIM ACCEPTED BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size. CVE-2002-1220 ACCEPTED 1 Sun Solaris 7 Xsun Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable. CVE-2001-0422 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Licence Logging Service Brian Soby DRAFT INTERIM ACCEPTED Unknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code. CVE-2004-1351 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors. CVE-2006-0227 ACCEPTED 1 Sun Solaris 9 Sun Solaris 10 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver. CVE-2006-0190 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to cause a denial of service (sh crash) via an unspecified attack vector that causes sh processes to crash during creation of temporary files. CVE-2006-1780 ACCEPTED 1 Sun Solaris 9 Sun Solaris 10 X Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple integer overflows in XFree86 before 4.3.0 allow user-complicit attackers to execute arbitrary code via a crafted pixmap image. CVE-2005-2495 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 X Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple integer overflows in XFree86 before 4.3.0 allow user-complicit attackers to execute arbitrary code via a crafted pixmap image. CVE-2005-2495 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 snmpdx Brian Soby DRAFT INTERIM ACCEPTED Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CVE-2002-0012 ACCEPTED 1 Sun Solaris 10 Perl Robert L. Hollis DRAFT INTERIM ACCEPTED Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications. CVE-2005-3962 ACCEPTED 1 Sun Solaris 9 CDE Brian Soby DRAFT INTERIM ACCEPTED Brian Soby Brian Soby INTERIM ACCEPTED CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure. CVE-2002-0677 ACCEPTED 2 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Solaris Enterprise Authentication Mechanism (SEAM) Brian Soby DRAFT INTERIM ACCEPTED MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference. CVE-2003-0058 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 uucp Brian Soby DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM ACCEPTED Multiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user. CVE-2004-1359 ACCEPTED 2 Sun Solaris 8 mozilla Brian Soby DRAFT INTERIM ACCEPTED Mozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI. CVE-2004-0760 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sadmin Brian Soby Brian Soby DRAFT INTERIM ACCEPTED The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets. CVE-2003-0722 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Solaris Management Console Robert L. Hollis DRAFT INTERIM ACCEPTED The (1) slsmgr and (2) slsadmin programs in Sun Solaris PC NetLink 2.0 create temporary files insecurely, which allows local users to gain privileges. CVE-2005-4552 ACCEPTED 1 Sun Solaris 7 CDE Brian Soby Brian Soby DRAFT INTERIM ACCEPTED Double-free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet. CVE-2004-0368 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Solaris Management Console Robert L. Hollis DRAFT INTERIM ACCEPTED The default configuration of the web server for the Solaris Management Console (SMC) in Solaris 8, 9, and 10 enables the HTTP TRACE method, which could allow remote attackers to obtain sensitive information such as cookies and authentication data from HTTP headers. CVE-2005-3398 ACCEPTED 1 Sun Solaris 9 Samba Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string. CVE-2002-1318 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED 'An unspecified vulnerability in the \"/usr/ucb/ps\" command could allow unprivileged local users to see environment settings for processes of other users. When the \'e\' flag is used, a low-privileged user can see environment variables and values for processes that belong to root and any other system users. NOTE: \"/usr/bin/ps\" is the default \'ps\' command for most users per the command search path and is not affected by this vulnerability' http://sunsolve9.sun.com/search/document.do?assetkey=1-26-102215-1&searchclause= ACCEPTED 1 Sun Solaris 7 libpng Brian Soby DRAFT INTERIM ACCEPTED Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image. CVE-2004-0599 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Solaris Management Console (SMC) Brian Soby DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM ACCEPTED The Solaris Management Console (SMC) in Sun Solaris 8 and 9 generates different 404 error messages when a file does not exist versus when a file exists but is otherwise inacessible, which could allow remote attackers to obtain sensitive information in conjunction with a directory traversal (..) attack. CVE-2004-1354 ACCEPTED 2 Sun Solaris 8 TENEX C Shell (tcsh) Brian Soby DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM DRAFT INTERIM ACCEPTED Unknown vulnerability in the ls-F builtin function in tcsh on Solaris 8 allows local users to create or delete files as other users, and gain privileges. CVE-2003-1024 ACCEPTED 2 Sun Solaris 8 Sun Solaris 9 Operating System Robert L. Hollis DRAFT Matthew Wojcik INTERIM ACCEPTED Unspecified vulnerability in uucp in Sun Solaris 8 and 9 has unknown impact and attack vectors. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2004-0780. CVE-2006-0161 ACCEPTED 1 Sun Solaris 10 X Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in in.rexecd in Solaris 10 allows local users to gain privileges on Kerberos systems via unknown attack vectors. CVE-2006-0769 ACCEPTED 1 Sun Solaris 10 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Sun Solaris 10 allows local users to cause a denial of service (null dereference) via unspecified vectors involving the use of the find command on the "/proc" filesystem. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2005-3250. CVE-2006-0191 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687). CVE-2004-0782 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED 'An undisclosed vulnerability in the pagedata subsystem in /proc may allow a local unprivileged user to cause significant performance degradation and even panic the system.' http://sunsolve9.sun.com/search/document.do?assetkey=1-26-102159-1&searchclause= ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in the hsfs filesystem in Solaris 8, 9, and 10 allows unspecified attackers to cause a denial of service (panic) or execute arbitrary code. CVE-2006-0901 ACCEPTED 1 Sun Solaris 8 Licence Logging Service Brian Soby DRAFT INTERIM ACCEPTED gzip before 1.3 in Solaris 8, when called with the -f or -force flags, will change the permissions of files that are hard linked to the target files, which allows local users to view or modify these files. CVE-2004-1349 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 sendfilev() Brian Soby DRAFT INTERIM ACCEPTED INTERIM DRAFT INTERIM ACCEPTED Unknown vulnerability in the sendfilev function in Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors. CVE-2004-1356 ACCEPTED 2 Sun Solaris 10 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile. CVE-2006-0745 ACCEPTED 1 Sun Solaris 8 Sun Enterprise Storage Manager (ESM) Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Brian Soby DRAFT INTERIM ACCEPTED INTERIM DRAFT INTERIM ACCEPTED Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files. CVE-2004-1360 ACCEPTED 2 Sun Solaris 8 Sun Solaris 9 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688). CVE-2004-0783 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 LDAP Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Solaris 8 and 9 allows local users to obtain the LDAP Directory Server root Distinguished Name (rootDN) password when a privileged user (1) runs idsconfig; or "insecurely" runs LDAP2 commands with the -w option, including (2) ldapadd, (3) ldapdelete, (4) ldapmodify, (5) ldapmodrdn, and (6) ldapsearch. CVE-2006-1782 ACCEPTED 1 Sun Solaris 7 NIS Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remote attackers to execute arbitrary code. CVE-2001-1328 ACCEPTED 1 Sun Solaris 7 dtspcd Brian Soby DRAFT INTERIM ACCEPTED The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack. CVE-1999-0689 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 CDE Brian Soby DRAFT INTERIM ACCEPTED Heap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable. CVE-2003-0092 ACCEPTED 1 Sun Solaris 9 Solaris Management Console (SMC) Brian Soby DRAFT INTERIM ACCEPTED Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO. CVE-2003-0466 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Apache Brian Soby Brian Soby Brian Soby DRAFT INTERIM ACCEPTED Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket." CVE-2004-0174 ACCEPTED 1