420050803235347

Platform | Product | Contributors and status history | Description | Reference | Status | Flag
Red Hat Linux 9 | Mutt | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder. | CAN-2003-0140 | ACCEPTED | 1
Red Hat Linux 9 | CUPS | Jay Beale; INTERIM; Jay Beale; ACCEPTED | CUPS before 1.1.19 allows remote attackers to cause a denial of service via a partial printing request to the IPP port (631), which does not time out. | CAN-2003-0195 | ACCEPTED | 1
Red Hat Linux 9 | skk | Jay Beale; INTERIM; Jay Beale; ACCEPTED | skk (Simple Kana to Kanji conversion program) 12.1 and earlier, and the ddskk package which is based on skk, creates temporary files insecurely, which allows local users to overwrite arbitrary files. | CAN-2003-0539 | ACCEPTED | 1
Red Hat Linux 9 | EOG | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Format string vulnerability in Eye Of Gnome (EOG) allows attackers to execute arbitrary code via format string specifiers in a command line argument for the file to display. | CAN-2003-0165 | ACCEPTED | 1
Red Hat Linux 9 | Ethereal | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Format string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers. | CVE-2003-0081 | ACCEPTED | 1
Red Hat Linux 9 | Ethereal | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Heap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code. | CAN-2003-0159 | ACCEPTED | 1
Red Hat Linux 9 | Ethereal | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Multiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, (4) PPTP, (5) Quake, (6) Quake2, (7) Quake3, (8) Rsync, (9) SMB, (10) SMPP, and (11) TSP dissectors, which do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions. | CAN-2003-0356 | ACCEPTED | 1
Red Hat Linux 9 | Ethereal | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Multiple integer overflow vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) Mount and (2) PPP dissectors. | CAN-2003-0357 | ACCEPTED | 1
Red Hat Linux 9 | Ethereal | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Unknown vulnerability in the DCERPC dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (memory consumption) via a certain NDR string. | CAN-2003-0428 | ACCEPTED | 1
Red Hat Linux 9 | Ethereal | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The OSI dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow. | CAN-2003-0429 | ACCEPTED | 1
Red Hat Linux 9 | Ethereal | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value. | CAN-2003-0430 | ACCEPTED | 1
Red Hat Linux 9 | Ethereal | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The tvb_get_nstringz0 function in Ethereal 0.9.12 and earlier does not properly handle a zero-length buffer size, with unknown consequences. | CAN-2003-0431 | ACCEPTED | 1
Red Hat Linux 9 | Ethereal | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Ethereal 0.9.12 and earlier does not handle certain strings properly, with unknown consequences, in the (1) BGP, (2) WTP, (3) DNS, (4) 802.11, (5) ISAKMP, (6) WSP, (7) CLNP, (8) ISIS, and (9) RMI dissectors. | CAN-2003-0432 | ACCEPTED | 1
Red Hat Linux 9 | Ximian Evolution | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The try_uudecoding function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malicious uuencoded (UUE) header, possibly triggering a heap-based buffer overflow. | CAN-2003-0128 | ACCEPTED | 1
Red Hat Linux 9 | Ximian Evolution | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (memory consumption) via a mail message that is uuencoded multiple times. | CAN-2003-0129 | ACCEPTED | 1
Red Hat Linux 9 | Ximian Evolution | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The handle_image function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier does not properly escape HTML characters, which allows remote attackers to inject arbitrary data and HTML via a MIME Content-ID header in a MIME-encoded image. | CAN-2003-0130 | ACCEPTED | 1
Red Hat Linux 9 | GDM | Jay Beale; INTERIM; ACCEPTED | GDM before 2.4.1.6, when using the "examine session errors" feature, allows local users to read arbitrary files via a symlink attack on the ~/.xsession-errors file. | CAN-2003-0547 | ACCEPTED | 1
Red Hat Linux 9 | GDM | Jay Beale; INTERIM; ACCEPTED | The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) when a chosen host expires, a different issue than CAN-2003-0549. | CAN-2003-0548 | ACCEPTED | 1
Red Hat Linux 9 | GDM | Jay Beale; INTERIM; ACCEPTED | The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) via a short authorization key name. | CAN-2003-0549 | ACCEPTED | 1
Red Hat Linux 9 | GNU Ghostscript | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Unknown vulnerability in GNU Ghostscript before 7.07 allows attackers to execute arbitrary commands, even when -dSAFER is enabled, via a PostScript file that causes the commands to be executed from a malicious print job. | CAN-2003-0354 | ACCEPTED | 1
Red Hat Linux 9 | GnuPG | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path. | CAN-2003-0255 | ACCEPTED | 1
Red Hat Linux 9 | GtkHTML | Jay Beale; INTERIM; ACCEPTED | GtkHTML, as included in Evolution before 1.2.4, allows remote attackers to cause a denial of service (crash) via certain malformed messages. | CAN-2003-0133 | ACCEPTED | 1
Red Hat Linux 9 | GtkHTML | Jay Beale; INTERIM; Jay Beale; ACCEPTED | gtkhtml before 1.1.10, as used in Evolution, allows remote attackers to cause a denial of service (crash) via a malformed message that causes a null pointer dereference. | CAN-2003-0541 | ACCEPTED | 1
Red Hat Linux 9 | Apache | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. | CVE-2003-0020 | ACCEPTED | 1
Red Hat Linux 9 | Apache | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 do not filter terminal escape sequences from their access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CAN-2003-0020. | CAN-2003-0083 | ACCEPTED | 1
Red Hat Linux 9 | Apache | Jay Beale; INTERIM; Jay Beale; ACCEPTED | A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed. | CAN-2003-0132 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | OpenSSL | Jay Beale; DRAFT; INTERIM | The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files. | CAN-2004-0975 | INTERIM | 0
Red Hat Linux 9 | Apache | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite. | CAN-2003-0192 | ACCEPTED | 1
Red Hat Linux 9 | Apache | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service. | CAN-2003-0253 | ACCEPTED | 1
Red Hat Linux 9 | Apache | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket. | CAN-2003-0254 | ACCEPTED | 1
Red Hat Linux 9 | KDM | Jay Beale; INTERIM; ACCEPTED | KDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module. | CAN-2003-0690 | ACCEPTED | 1
Red Hat Linux 9 | KDM | Jay Beale; INTERIM; ACCEPTED | KDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session. | CAN-2003-0692 | ACCEPTED | 1
Red Hat Linux 9 | krb5 | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CAN-2002-0391. | CAN-2003-0028 | ACCEPTED | 1
Red Hat Linux 9 | krb5 | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun"). | CAN-2003-0082 | ACCEPTED | 1
Red Hat Linux 9 | krb5 | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Version 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack. | CAN-2003-0138 | ACCEPTED | 1
Red Hat Linux 9 | krb5 | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing." | CAN-2003-0139 | ACCEPTED | 1
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel. | CAN-2003-0127 | ACCEPTED | 1
Red Hat Linux 9 | Netfilter | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts. | CAN-2003-0187 | ACCEPTED | 1
Red Hat Linux 9 | Netfilter | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions. | CAN-2003-0244 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | Gaim | Jay Beale; DRAFT | Gaim before 1.3.1 allows remote attackers to cause a denial of service (crash) via a malformed MSN message that leads to a memory allocation of a large size, possibly due to an integer signedness error. | CAN-2005-1934 | DRAFT | 0
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports. | CAN-2003-0246 | ACCEPTED | 1
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Unknown vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops"). | CAN-2003-0247 | ACCEPTED | 1
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address. | CAN-2003-0248 | ACCEPTED | 1
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions. | CAN-2003-0364 | ACCEPTED | 1
Red Hat Linux 9 | /proc/tty/driver/serial | Jay Beale; INTERIM; Jay Beale; ACCEPTED | /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. | CAN-2003-0461 | ACCEPTED | 1
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash). | CAN-2003-0462 | ACCEPTED | 1
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The RPC code in Linux kernel 2.4 sets the reuse flag when sockets are created, which could allow local users to bind to UDP ports that are used by privileged services such as nfsd. | CAN-2003-0464 | ACCEPTED | 1
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors. | CAN-2003-0476 | ACCEPTED | 1
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries. | CAN-2003-0501 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | php | Jay Beale; DRAFT | Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CAN-2005-1759. | CAN-2005-1751 | DRAFT | 0
Red Hat Enterprise Linux 3 | php | Jay Beale; DRAFT | PEAR XML_RPC 1.3.0 and earlier, as used in products such as WordPress, Serendipity, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement. | CAN-2005-1921 | DRAFT | 0
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology. | CAN-2003-0550 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | gzip | Jay Beale; DRAFT; INTERIM | Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file. | CAN-2005-1228 | INTERIM | 0
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service. | CAN-2003-0551 | ACCEPTED | 1
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Linux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target. | CAN-2003-0552 | ACCEPTED | 1
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Integer signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call. | CAN-2003-0619 | ACCEPTED | 1
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The C-Media PCI sound driver in Linux before 2.4.21 does not use the get_user function to access userspace, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CAN-2003-0700. | CAN-2003-0699 | ACCEPTED | 1
Red Hat Linux 9 | Linux kernel | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The C-Media PCI sound driver in Linux before 2.4.22 does not use the get_user function to access userspace in certain conditions, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CAN-2003-0699. | CAN-2003-0700 | ACCEPTED | 1
Red Hat Linux 9 | Konqueror | Jay Beale; INTERIM; ACCEPTED | KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites. | CAN-2003-0459 | ACCEPTED | 1
Red Hat Linux 9 | LPRng | Jay Beale; INTERIM; Jay Beale; ACCEPTED | psbanner in the LPRng package allows local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file. | CAN-2003-0136 | ACCEPTED | 1
Red Hat Linux 9 | lv | Jay Beale; INTERIM; Jay Beale; ACCEPTED | lv reads a .lv file from the current working directory, which allows local users to execute arbitrary commands as other lv users by placing malicious .lv files into other directories. | CAN-2003-0188 | ACCEPTED | 1
Red Hat Linux 9 | Mutt | Jay Beale; INTERIM; ACCEPTED | Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder. | CAN-2003-0140 | ACCEPTED | 1
Red Hat Linux 9 | MySQL | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Double-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user. | CVE-2003-0073 | ACCEPTED | 1
Red Hat Linux 9 | MySQL | Jay Beale; INTERIM; Jay Beale; ACCEPTED | MySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INTO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart. | CAN-2003-0150 | ACCEPTED | 1
Red Hat Linux 9 | nfs-utils | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines. | CAN-2003-0252 | ACCEPTED | 1
Red Hat Linux 9 | OpenSSH | Jay Beale; INTERIM; Jay Beale; ACCEPTED | OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. | CAN-2003-0190 | ACCEPTED | 1
Red Hat Linux 9 | OpenSSH | Jay Beale; INTERIM; Jay Beale; ACCEPTED | "Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CAN-2003-0693 and CAN-2003-0695. | CAN-2003-0682 | ACCEPTED | 1
Red Hat Linux 9 | OpenSSH | Jay Beale; INTERIM; Jay Beale; ACCEPTED | A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CAN-2003-0695. | CAN-2003-0693 | ACCEPTED | 1
Red Hat Linux 9 | OpenSSH | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CAN-2003-0693. | CAN-2003-0695 | ACCEPTED | 1
Red Hat Linux 9 | OpenSSL | Jay Beale; INTERIM; Jay Beale; Jay Beale; ACCEPTED | The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack." | CAN-2003-0131 | ACCEPTED | 1
Red Hat Linux 9 | OpenSSL | Jay Beale; INTERIM; Jay Beale; Jay Beale; ACCEPTED | OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal). | CAN-2003-0147 | ACCEPTED | 1
Red Hat Linux 9 | pam_smb | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Buffer overflow in PAM SMB module (pam_smb) 1.1.6 and earlier, when authenticating to a remote service, allows remote attackers to execute arbitrary code. | CAN-2003-0686 | ACCEPTED | 1
Red Hat Linux 9 | CGI.pm | Jay Beale; INTERIM; ACCEPTED | Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter. | CAN-2003-0615 | ACCEPTED | 1
Red Hat Linux 9 | php | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter. | CAN-2003-0442 | ACCEPTED | 1
Red Hat Linux 9 | pine | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Buffer overflow in PINE before 4.58 allows remote attackers to execute arbitrary code via a malformed message/external-body MIME type. | CAN-2003-0720 | ACCEPTED | 1
Red Hat Linux 9 | pine | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Integer signedness error in rfc2231_get_param from strings.c in PINE before 4.58 allows remote attackers to execute arbitrary code via an email that causes an out-of-bounds array access using a negative number. | CAN-2003-0721 | ACCEPTED | 1
Red Hat Linux 9 | Postfix | Jay Beale; INTERIM; ACCEPTED | Postfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDoS attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a "!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port. | CAN-2003-0468 | ACCEPTED | 1
Red Hat Linux 9 | Postfix | Jay Beale; INTERIM; ACCEPTED | The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up. | CAN-2003-0540 | ACCEPTED | 1
Red Hat Linux 9 | smbd | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code. | CAN-2003-0085 | ACCEPTED | 1
Red Hat Linux 9 | Samba | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown. | CAN-2003-0086 | ACCEPTED | 1
Red Hat Linux 9 | Samba | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CAN-2003-0201. | CAN-2003-0196 | ACCEPTED | 1
Red Hat Linux 9 | Samba, Samba-TNG | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code. | CAN-2003-0201 | ACCEPTED | 1
Red Hat Linux 9 | semi MIME library | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and possibly other versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files. | CAN-2003-0440 | ACCEPTED | 1
Red Hat Linux 9 | Sendmail | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. | CAN-2003-0694 | ACCEPTED | 1
Red Hat Linux 9 | Sendmail | Jay Beale; INTERIM; Jay Beale; ACCEPTED | A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient, (2) final, or (3) mailer-specific envelope recipients, has unknown consequences. | CAN-2003-0681 | ACCEPTED | 1
Red Hat Linux 9 | Sendmail | Jay Beale; INTERIM; Jay Beale; ACCEPTED | The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data. | CAN-2003-0688 | ACCEPTED | 1
Red Hat Linux 9 | SquirrelMail | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser. | CAN-2003-0160 | ACCEPTED | 1
Red Hat Linux 9 | unzip | Jay Beale; INTERIM; Jay Beale; ACCEPTED | Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. | CAN-2003-0282 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | sysreport | Jay Beale; DRAFT | sysreport 1.3.15 and earlier includes contents of the up2date file in a report, which leaks the password for a proxy server in plaintext and allows local users to gain privileges. | CAN-2005-1760 | DRAFT | 0
Red Hat Linux 9 | up2date | Jay Beale; INTERIM; Jay Beale; ACCEPTED | up2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised. | CAN-2003-0546 | ACCEPTED | 1
Red Hat Linux 9 | vsftpd | Jay Beale; INTERIM; Jay Beale; ACCEPTED | vsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrappers (tcp_wrappers) but is installed as a standalone service, which inadvertently prevents vsftpd from restricting access as intended. | CAN-2003-0135 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | mikmod | Jay Beale; DRAFT; INTERIM | Buffer overflow in mikmod 3.1.6 and earlier allows remote attackers to execute arbitrary code via an archive file that contains a file with a long filename. | CAN-2003-0427 | INTERIM | 0
Red Hat Linux 9 | xinetd | Jay Beale; INTERIM; Jay Beale; Jay Beale; ACCEPTED | Memory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections. | CAN-2003-0211 | ACCEPTED | 1
Red Hat Linux 9 | xpdf | Jay Beale; INTERIM; ACCEPTED | Various PDF viewers including Adobe Acrobat 5.06 and Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink. | CAN-2003-0434 | ACCEPTED | 1
Red Hat Linux 9 | ypserv | Jay Beale; INTERIM; Jay Beale; ACCEPTED | ypserv NIS server before 2.7 allows remote attackers to cause a denial of service via a TCP client request that does not respond to the server, which causes ypserv to block. | CAN-2003-0251 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | postgresql | Jay Beale; DRAFT; INTERIM | PostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged users to call those functions with malicious values, with unknown impact, aka the "Character conversion vulnerability." | CAN-2005-1409 | INTERIM | 0
Red Hat Enterprise Linux 3 | ImageMagick | Jay Beale; DRAFT; INTERIM | Heap-based buffer overflow in the ReadPNMImage function in pnm.c for ImageMagick 6.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a PNM file with a small colors value. | CAN-2005-1275 | INTERIM | 0
Red Hat Enterprise Linux 3 | gftp | Jay Beale; DRAFT; INTERIM | Directory traversal vulnerability in gftp 2.0.18 and earlier for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. | CAN-2005-0372 | INTERIM | 0
Red Hat Enterprise Linux 3 | Gaim | Jay Beale; DRAFT | Gaim before 1.3.1 allows remote attackers to cause a denial of service (application crash) via a Yahoo! message with non-ASCII characters in a file name. | CAN-2005-1269 | DRAFT | 0
Red Hat Enterprise Linux 3 | bzip2 | Jay Beale; DRAFT | bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a. "decompression bomb"). | CAN-2005-1260 | DRAFT | 0
Red Hat Linux 9 | PWLib | Jay Beale; Matt Busby; ACCEPTED | Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. | CAN-2004-0097 | ACCEPTED | 1
Red Hat Linux 9 | netpbm | Jay Beale; Matt Busby; ACCEPTED | netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. | CVE-2003-0924 | ACCEPTED | 1
Red Hat Linux 9 | XFree86 | Jay Beale; Matt Busby; ACCEPTED | Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CAN-2004-0084 and CAN-2004-0106. | CAN-2004-0083 | ACCEPTED | 1
Red Hat Linux 9 | XFree86 | Jay Beale; Matt Busby; ACCEPTED | Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CAN-2004-0083 and CAN-2004-0106. | CAN-2004-0084 | ACCEPTED | 1
Red Hat Linux 9 | XFree86 | Jay Beale; Matt Busby; ACCEPTED | Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CAN-2004-0083 and CAN-2004-0084. | CAN-2004-0106 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | netpbm | Jay Beale; Matt Busby; ACCEPTED | netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. | CVE-2003-0924 | ACCEPTED | 1
Red Hat Linux 9 | Mutt | Jay Beale; ACCEPTED | Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. | CVE-2004-0078 | ACCEPTED | 1
Red Hat Linux 9 | Mailman | Jay Beale; ACCEPTED | Cross-site scripting (XSS) vulnerability in the admin CGI script for Mailman before 2.1.4 allows remote attackers to steal session cookies and conduct unauthorized activities. | CAN-2003-0965 | ACCEPTED | 1
Red Hat Linux 9 | Mailman | Jay Beale; ACCEPTED | Cross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookies of other users. | CAN-2003-0992 | ACCEPTED | 1
Red Hat Linux 9 | Gaim | Jay Beale; ACCEPTED | Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect. | CAN-2004-0006 | ACCEPTED | 1
Red Hat Linux 9 | Gaim | Jay Beale; ACCEPTED | Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code. | CAN-2004-0007 | ACCEPTED | 1
Red Hat Linux 9 | Gaim | Jay Beale; ACCEPTED | Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow. | CAN-2004-0008 | ACCEPTED | 1
Red Hat Linux 9 | slocate | Jay Beale; Matt Busby; ACCEPTED | Heap-based buffer overflow in main.c of slocate 2.6, and possibly other versions, may allow local users to gain privileges via a modified slocate database that causes a negative "pathlen" value to be used. | CAN-2003-0848 | ACCEPTED | 1
Red Hat Linux 9 | Midnight Commander | Jay Beale; Matt Busby; ACCEPTED | Stack-based buffer overflow in vfs_s_resolve_symlink of vfs/direntry.c for Midnight Commander (mc) 4.6.0 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code during symlink conversion. | CAN-2003-1023 | ACCEPTED | 1
Red Hat Linux 9 | KDE | Jay Beale; INTERIM; ACCEPTED | Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. | CAN-2003-0592 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | mremap | Jay Beale; Matt Busby; ACCEPTED | The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. | CVE-2004-0077 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | PWLib | Jay Beale; Matt Busby; ACCEPTED | Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. | CAN-2004-0097 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | Samba 3.0.0 and 3.0.1 | Jay Beale; Matt Busby; ACCEPTED | The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password. | CVE-2004-0082 | ACCEPTED | 1
Red Hat Linux 9 | mod_python | Jay Beale; Matt Busby; ACCEPTED | Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string. | CAN-2003-0973 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | XFree86 | Jay Beale; Matt Busby; Matt Busby; ACCEPTED | Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CAN-2004-0084 and CAN-2004-0106. | CAN-2004-0083 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | XFree86 | Jay Beale; Matt Busby; Matt Busby; ACCEPTED | Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to
execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CAN-2004-0083 and CAN-2004-0106.CAN-2004-0084ACCEPTED1Red Hat Enterprise Linux 3XFree86Jay BealeMatt BusbyACCEPTEDMultiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CAN-2004-0083 and CAN-2004-0084.CAN-2004-0106ACCEPTED1Red Hat Enterprise Linux 3XMLSoft Libxml2Jay BealeMatt BusbyMatt BusbyINTERIMACCEPTEDBuffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml2 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.CAN-2004-0110ACCEPTED1Red Hat Linux 9Linux kernelJay BealeMatt BusbyACCEPTEDUnknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."CAN-2004-0003ACCEPTED1Red Hat Linux 9Linux kernelJay BealeMatt BusbyACCEPTEDStack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.CAN-2004-0010ACCEPTED1Red Hat Linux 9Vicam USB driverJay BealeMatt BusbyACCEPTEDThe Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service.CVE-2004-0075ACCEPTED1Red Hat Linux 9mremapJay BealeMatt BusbyACCEPTEDThe do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.CVE-2004-0077ACCEPTED1Red Hat Enterprise Linux 3MuttJay BealeACCEPTEDMatt BusbyBuffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of 
service (crash) and possibly execute arbitrary code via certain mail messages.CVE-2004-0078ACCEPTED1Red Hat Linux 9mod_pythonJay BealeMatt BusbyACCEPTEDUnknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string.CAN-2003-0973ACCEPTED1Red Hat Enterprise Linux 3gdk-pixbufJay BealeINTERIMMatt BusbyACCEPTEDgdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file.CVE-2004-0111ACCEPTED1Red Hat Linux 9gdk-pixbufJay BealeINTERIMMatt BusbyACCEPTEDgdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file.CVE-2004-0111ACCEPTED1Red Hat Linux 9tcpdumpJay BealeACCEPTEDtcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CAN-2004-0057.CAN-2003-0989ACCEPTED1Red Hat Linux 9sysstatJay BealeMatt BusbyINTERIMACCEPTEDThe (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CAN-2004-0108.CAN-2004-0107ACCEPTED1Red Hat Linux 9tcpdumpJay BealeACCEPTEDThe print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.CAN-2004-0055ACCEPTED1Red Hat Linux 9tcpdumpJay BealeACCEPTEDThe rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CAN-2003-0989.CAN-2004-0057ACCEPTED1Red Hat Enterprise Linux 3tcpdumpJay BealeACCEPTEDtcpdump before 3.8.1 allows remote attackers to cause a denial of 
service (infinite loop) via certain ISAKMP packets, a different vulnerability than CAN-2004-0057.CAN-2003-0989ACCEPTED1Red Hat Enterprise Linux 3tcpdumpJay BealeACCEPTEDThe print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.CAN-2004-0055ACCEPTED1Red Hat Enterprise Linux 3tcpdumpJay BealeACCEPTEDMatt BusbyThe rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CAN-2003-0989.CAN-2004-0057ACCEPTED1Red Hat Linux 9CVS serverJay BealeMatt BusbyACCEPTEDCVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.CAN-2003-0977ACCEPTED1Red Hat Linux 9EtherealJay BealeMatt BusbyACCEPTEDThe SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets.CAN-2003-1012ACCEPTED1Red Hat Linux 9TetherealJay BealeMatt BusbyACCEPTEDThe Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference.CAN-2003-1013ACCEPTED1Red Hat Linux 9KDE Personal Information Management (kdepim)Jay BealeACCEPTEDBuffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file.CVE-2003-0988ACCEPTED1Red Hat Linux 9Linux kernelJay BealeMatt BusbyACCEPTEDReal time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their 
structures, which could leak kernel data to user space.CAN-2003-0984ACCEPTED1Red Hat Linux 9Linux kernelJay BealeMatt BusbyACCEPTEDThe mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21 does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.CVE-2003-0985ACCEPTED1Red Hat Enterprise Linux 3nfs-utils packagesJay BealeMatt BusbyMatt BusbyINTERIMACCEPTEDrpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name.CAN-2004-0154ACCEPTED1Red Hat Enterprise Linux 3SysstatJay BealeMatt BusbyMatt BusbyINTERIMACCEPTEDThe (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CAN-2004-0108.CAN-2004-0107ACCEPTED1Red Hat Linux 9httpdJay BealeMatt BusbyINTERIMACCEPTEDMultiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.CAN-2003-0542ACCEPTED1Red Hat Enterprise Linux 3ApacheJay BealeMatt BusbyINTERIMACCEPTEDMultiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.CAN-2003-0542ACCEPTED1Red Hat Enterprise Linux 3KDE Personal Information Management (kdepim)Jay BealeINTERIMMatt BusbyACCEPTEDBuffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) 
suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file.CVE-2003-0988ACCEPTED1Red Hat Enterprise Linux 3CVS serverJay BealeMatt BusbyINTERIMACCEPTEDCVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.CAN-2003-0977ACCEPTED1Red Hat Enterprise Linux 3Linux kernelMatt BusbyMatt BusbyINTERIMACCEPTEDThe mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21 does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.CVE-2003-0985ACCEPTED1Red Hat Enterprise Linux 3Linux kernelMatt BusbyMatt BusbyINTERIMACCEPTEDUnknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges.CVE-2004-0001ACCEPTED1Red Hat Enterprise Linux 3Net-SNMPMatt BusbyMatt BusbyINTERIMACCEPTEDNet-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed.CAN-2003-0935ACCEPTED1Red Hat Enterprise Linux 3OpenSSLMatt BusbyMatt BusbyMatt BusbyINTERIMACCEPTEDThe do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.CAN-2004-0079ACCEPTED1Red Hat Enterprise Linux 3OpenSSLMatt BusbyMatt BusbyMatt BusbyINTERIMACCEPTEDOpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.CAN-2004-0081ACCEPTED1Red Hat Linux 9mozillaJay BealeINTERIMACCEPTEDMultiple vulnerabilities in multiple vendor implementations of the 
Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite.CAN-2003-0564ACCEPTED1Red Hat Linux 9mozillaJay BealeINTERIMACCEPTEDMozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.CAN-2003-0594ACCEPTED1Red Hat Linux 9mozillaJay BealeINTERIMACCEPTEDMozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events.CVE-2004-0191ACCEPTED1Red Hat Enterprise Linux 3libxml2Jay BealeJay BealeINTERIMACCEPTEDBuffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml2 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.CAN-2004-0110ACCEPTED1Red Hat Enterprise Linux 3httpdJay BealeJay BealeINTERIMACCEPTEDMemory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server.CVE-2004-0113ACCEPTED1Red Hat Linux 9Red Hat 9Jay BealeINTERIMACCEPTEDThe "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.CVE-2004-0189ACCEPTED1Red Hat Linux 9Red Hat 9Jay BealeJay BealeINTERIMACCEPTEDMultiple buffer overflows 
in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.CAN-2004-0176ACCEPTED1Red Hat Linux 9Red Hat 9Jay BealeJay BealeINTERIMACCEPTEDThe dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.CAN-2004-0365ACCEPTED1Red Hat Linux 9Red Hat 9Jay BealeJay BealeINTERIMACCEPTEDEthereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector.CAN-2004-0367ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeJay BealeJay BealeINTERIMACCEPTEDMultiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.CAN-2004-0176ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeJay BealeJay BealeINTERIMACCEPTEDThe dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.CAN-2004-0365ACCEPTED1Red Hat Linux 9OpenSSLMatt BusbyMatt BusbyINTERIMACCEPTEDOpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.CAN-2004-0081ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeJay BealeJay BealeINTERIMACCEPTEDEthereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector.CAN-2004-0367ACCEPTED1Red Hat Enterprise 
Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMJay BealeACCEPTEDMultiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite.CAN-2003-0564ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMJay BealeACCEPTEDMozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.CAN-2003-0594ACCEPTED1Red Hat Enterprise Linux 3OpenSSLMatt BusbyMatt BusbyINTERIMACCEPTEDThe SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.CAN-2004-0112ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMJay BealeACCEPTEDMozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events.CVE-2004-0191ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDInteger overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or executee arbitrary code via the MCAST_MSFILTER socket option.CAN-2004-0424ACCEPTED1Red Hat Enterprise Linux 3Red 
Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDBuffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x , allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry.CAN-2004-0109ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.CVE-2004-0189ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate.CAN-2004-0155ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDKAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c.CAN-2004-0164ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code.CAN-2004-0411ACCEPTED1Red Hat Enterprise Linux 3ImageMagickJay BealeDRAFTThe XWD Decoder in ImageMagick before 6.2.2.3, 
and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask.CAN-2005-1739DRAFT0Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDrsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path.CAN-2004-0426ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDHeap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines.CAN-2004-0396ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message.CAN-2004-0421ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDTCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.CAN-2004-0183ACCEPTED1Red Hat Linux 9OpenSSLMatt BusbyMatt BusbyINTERIMACCEPTEDThe do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.CAN-2004-0079ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDInteger underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 
during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.CAN-2004-0184ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDMultiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14 allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive.CAN-2004-0234ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDMultiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path").CAN-2004-0235ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDUtempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.CAN-2004-0233ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDBuffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).CAN-2004-0541ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDEthereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients.CAN-2004-0504ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDRacoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length 
field.CAN-2004-0403ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors.CAN-2004-0505ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference.CAN-2004-0506ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDBuffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code.CAN-2004-0507ACCEPTED1Red Hat Enterprise Linux 3MIT Kerberos 5 (krb5)Jay BealeINTERIMACCEPTEDMultiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.CAN-2004-0523ACCEPTED1Red Hat Enterprise Linux 3CVSJay BealeINTERIMACCEPTEDCVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution.CAN-2004-0414ACCEPTED1Red Hat Enterprise Linux 3CVSJay BealeINTERIMACCEPTEDDouble-free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code.CAN-2004-0416ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMINTERIMACCEPTED/proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.CAN-2003-0461ACCEPTED1Red Hat Enterprise Linux 3CVSJay BealeINTERIMACCEPTEDInteger overflow in 
the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space.CAN-2004-0417ACCEPTED1Red Hat Enterprise Linux 3CVSJay BealeINTERIMACCEPTEDserve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data.CAN-2004-0418ACCEPTED1Red Hat Enterprise Linux 3SquirrelMailJay BealeINTERIMACCEPTEDMultiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.CAN-2004-0519ACCEPTED0Red Hat Enterprise Linux 3SquirrelMailJay BealeINTERIMACCEPTEDCross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.CAN-2004-0520ACCEPTED0Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDReal time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space.CAN-2003-0984ACCEPTED2Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDUnknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."CAN-2004-0003ACCEPTED1Red Hat Enterprise Linux 3SquirrelMailJay BealeINTERIMACCEPTEDSQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php.CAN-2004-0521ACCEPTED0Red Hat 
Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDStack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.CAN-2004-0010ACCEPTED2Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDThe client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CAN-2004-0405.CAN-2004-0180ACCEPTED1Red Hat Linux 9OpenSSLMatt BusbyMatt BusbyINTERIMACCEPTEDThe SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.CAN-2004-0112ACCEPTED1Red Hat Enterprise Linux 3Red Hat Enteprise Linux 3Jay BealeINTERIMACCEPTEDCVS before 1.11 allows CVS clients to read arbitrary files via .. 
Platform | Product | Submitted by | Status changes | Description | Reference | Status | Version
(record continued from the preceding line) ... (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CAN-2004-0180. | CAN-2004-0405 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | Red Hat Enterprise Linux 3 | Jay Beale | INTERIM, ACCEPTED | Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, or (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code. | CAN-2004-0179 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | zgrep | Jay Beale | DRAFT | zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. | CAN-2005-0758 | DRAFT | 0
Red Hat Enterprise Linux 3 | postgresql | Jay Beale | DRAFT, INTERIM | The tsearch2 module in PostgreSQL 7.4 through 8.0.x declares the (1) dex_init, (2) snb_en_init, (3) snb_ru_init, (4) spell_init, and (5) syn_init functions as "internal" even when they do not take an internal argument, which allows attackers to cause a denial of service (application crash) and possibly have other impacts via SQL commands that call other functions that accept internal arguments. | CAN-2005-1410 | INTERIM | 0
Red Hat Enterprise Linux 3 | gzip | Jay Beale | DRAFT, INTERIM | zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. | CAN-2005-0758 | INTERIM | 0
Red Hat Enterprise Linux 3 | Linux kernel | Jay Beale | DRAFT, INTERIM | The linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly maintain the mlock page count when one process unlocks pages that belong to another process, which allows local users to mlock more memory than specified by the rlimit. | CAN-2004-0491 | INTERIM | 0
Red Hat Enterprise Linux 3 | Linux kernel | Jay Beale | DRAFT, INTERIM | The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow. | CAN-2005-1263 | INTERIM | 0
Red Hat Enterprise Linux 3 | telnet | Jay Beale | DRAFT | Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. | CAN-2005-0488 | DRAFT | 0
Red Hat Enterprise Linux 3 | bzip2 | Jay Beale | DRAFT | Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. | CAN-2005-0953 | DRAFT | 0
Red Hat Enterprise Linux 3 | gzip | Jay Beale | DRAFT, INTERIM | Race condition in gzip 1.2.4, 1.3.3, and earlier when decompressing a gzip allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. | CAN-2005-0988 | INTERIM | 0
Red Hat Enterprise Linux 3 | libxml2 | Jay Beale | DRAFT, INTERIM | Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost. | CAN-2004-0989 | INTERIM | 0
Red Hat Enterprise Linux 3 | libgd | Jay Beale | DRAFT, INTERIM | Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CAN-2004-0990. | CAN-2004-0941 | INTERIM | 0
Red Hat Enterprise Linux 3 | Linux kernel | Jay Beale | DRAFT, INTERIM | The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released. | CAN-2005-0176 | INTERIM | 0
Red Hat Enterprise Linux 3 | sudo | Jay Beale | DRAFT | Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users to gain privileges via a symlink attack. | CAN-2005-1993 | DRAFT | 0
Note on the sudo entry: It appears that we can't parse the vulnerable configuration condition (an ALL in the second field of a line after a line that has no ALL in the second field) with our existing regexp.
Red Hat Enterprise Linux 3 | gedit | Jay Beale | DRAFT | Format string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format string specifiers in the filename. NOTE: while this issue is triggered on the command line by the gedit user, it has been reported that web browsers and email clients could be configured to provide a file name as an argument to gedit, so there is a valid attack that crosses security boundaries. | CAN-2005-1686 | DRAFT | 0
Red Hat Enterprise Linux 3 | libgd | Jay Beale | DRAFT, INTERIM | Integer overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CAN-2004-0941. | CAN-2004-0990 | INTERIM | 0
Red Hat Enterprise Linux 3 | FreeRADIUS | Jay Beale | DRAFT, INTERIM, ACCEPTED | FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (server crash) by sending an Ascend-Send-Secret attribute without the required leading packet. | CAN-2004-0938 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | Linux kernel | Jay Beale | DRAFT, INTERIM, ACCEPTED | The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call. | CAN-2004-0427 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | Linux kernel | Jay Beale | DRAFT, INTERIM, ACCEPTED | Linux kernel 2.4.2x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a "crash.c" program. | CAN-2004-0554 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | Linux kernel | Jay Beale | DRAFT, INTERIM, ACCEPTED | Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool. | CAN-2004-0495 | ACCEPTED | 1
Red Hat Enterprise Linux 3 | libpng | Jay Beale | DRAFT, INTERIM, ACCEPTED | Portable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers. | CVE-2002-1363 | ACCEPTED | 1

For "/tmp is readable by non-root users," use a compound test.

The ImageMagick-devel, ImageMagick-c++-devel, and ImageMagick-c++ RPMs all require that the exact same version of the ImageMagick RPM is present. As such, we can test for a vulnerable version of the former alone, rather than testing for the presence of each of these RPMs in particular.

The ImageMagick-* RPMs all require that the main ImageMagick RPM have the same version and release number.