5.12007-01-29T12:57:13.488-05:00The MITRE CorporationData Leak in NICSun Solaris 7Sun Am7990 Ethernet DriverMultiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.Brian SobyDRAFTMatthew WojcikDRAFTSolaris 7 whodo Buffer Overflow VulnerabilitySun Solaris 7whodoBuffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable.David ProulxMatthew WojcikINTERIMMatthew WojcikMatthew WojcikMatthew WojcikINTERIMSunOS 5.9: ufs and fsck patchSun Solaris 9Solaris Volume Manager (SVM)The Sun Solaris Volume Manager (SVM) on Solaris 9 allows local users to cause a denial of service (kernel panic) via a malformed probe request to the SVM.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDJonathan BakerINTERIMMatthew WojcikINTERIMSolaris 8 whodo Buffer Overflow VulnerabilitySun Solaris 8whodoBuffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable.David ProulxMatthew WojcikINTERIMMatthew WojcikMatthew WojcikMatthew WojcikINTERIMSolaris 7 AdminTool Media Installation Path Buffer OverflowSun Solaris 7AdmintoolBuffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path.David ProulxMatthew WojcikMatthew WojcikMatthew WojcikINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMSolaris 8 AdminTool Media Installation Path Buffer OverflowSun Solaris 8AdmintoolBuffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path.David ProulxMatthew WojcikMatthew WojcikMatthew WojcikINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMlpsched Local System Corruption VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Operating SystemMultiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMSolaris 8 admintool Local Buffer OverflowSun Solaris 8AdmintoolBuffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file.David ProulxMatthew WojcikMatthew WojcikMatthew WojcikINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMSolaris 7 admintool Local Buffer OverflowSun Solaris 7AdmintoolBuffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file.David ProulxMatthew WojcikMatthew WojcikMatthew WojcikINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMLinux Kernel ISO9660 File System Component BORed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry.Jay BealeINTERIMACCEPTEDACCEPTEDgedit Format String VulnerabilityRed Hat Enterprise Linux 3geditFormat string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format string specifiers in the filename. NOTE: while this issue is triggered on the command line by the gedit user, it has been reported that web browsers and email clients could be configured to provide a file name as an argument to gedit, so there is a valid attack that crosses security boundaries.Jay BealeDRAFTINTERIMACCEPTEDBob TowbesINTERIMINTERIMSolaris SAdmin Client Credentials Remote Administrative Access VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9SadminThe default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets.Brian SobyBrian SobyDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMSolaris CDE DTLogin XDMCP Parser Remote Double Free VulnerabilitySun Solaris 7CDEDouble-free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet.Brian SobyBrian SobyDRAFTINTERIMACCEPTEDJonathan BakerINTERIMJonathan BakerINTERIMSolaris 8 CDE dtspcd Buffer OverflowSun Solaris 8dtspcdBuffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.David ProulxACCEPTEDSolaris 7 CDE dtspcd Buffer OverflowSun Solaris 7dtspcdBuffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.David ProulxACCEPTEDRed Hat Linux Kernel do_mremap Denial of Service VulnerabilityRed Hat Linux 9Linux kernelThe mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.Jay BealeMatt BusbyACCEPTEDACCEPTEDRed Hat Enterprise 3 Linux Kernel do_mremap Denial of Service VulnerabilityRed Hat Enterprise Linux 3Linux kernelThe mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.Matt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDInteger overflow in the "Max-dotdot" CVS protocol commandRed Hat Enterprise Linux 3CVSInteger overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space.Jay BealeINTERIMACCEPTEDACCEPTEDCVS serve_notify Improper Handling of Empty Data LinesRed Hat Enterprise Linux 3CVSserve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data.Jay BealeINTERIMACCEPTEDACCEPTEDSquirrelMail Cross-site Scripting Vulnerability IRed Hat Enterprise Linux 3SquirrelMailMultiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.Jay BealeINTERIMACCEPTEDACCEPTEDEthereal 0-Length Buffer Size Vulnerability in tvb_get_nstring0()Red Hat Linux 9EtherealThe tvb_get_nstringz0 function in Ethereal 0.9.12 and earlier does not properly handle a zero-length buffer size, with unknown consequences.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDSquirrelMail Cross-site Scripting Vulnerability IIRed Hat Enterprise Linux 3SquirrelMailCross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.Jay BealeINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Kernel Real Time Clock Data LeakageRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space.Jay BealeINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Kernel R128 DRI Limits Checking VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."Jay BealeINTERIMACCEPTEDACCEPTEDSquirrelMail SQL Injection VulnerabilityRed Hat Enterprise Linux 3SquirrelMailSQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php.Jay BealeINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Kernel ncp_lookup Function BORed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.Jay BealeINTERIMACCEPTEDACCEPTEDRHE3 Fetchmail Buffer Overflow via Long UIDL ResponsesRed Hat Enterprise Linux 3fetchmailBuffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDMalicious CVS Server RCS diff File Vulnerability in CVS ClientRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.Jay BealeINTERIMACCEPTEDACCEPTEDVarious Ethereal Dissector VulnerabilitiesRed Hat Linux 9EtherealEthereal 0.9.12 and earlier does not handle certain strings properly, with unknown consequences, in the (1) BGP, (2) WTP, (3) DNS, (4) 802.11, (5) ISAKMP, (6) WSP, (7) CLNP, (8) ISIS, and (9) RMI dissectors.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDDirectory Traversal Vulnerability in CVS ServerRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180.Jay BealeINTERIMACCEPTEDACCEPTEDMultiple Format String Vulnerabilities in neon and Dependent ProductsRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code.Jay BealeINTERIMACCEPTEDMatthew WojcikMatthew WojcikMatthew WojcikMatthew WojcikINTERIMACCEPTEDACCEPTEDXimian Evolution Mail User Agent uuencoded header Denial of ServiceRed Hat Linux 9Ximian EvolutionThe try_uudecoding function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malicious uuencoded (UUE) header, possibly triggering a heap-based buffer overflow.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDRHE4 Firefox External App Code Acceptance VulnerabilityRed Hat Enterprise Linux 4mozillaFirefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDXimian Evolution User Agent Multiple uuencoding Denial of ServiceRed Hat Linux 9Ximian EvolutionXimian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (memory consumption) via a mail message that is uuencoded multiple times.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDgzip Argument Sanitation VulnerabilityRed Hat Enterprise Linux 3zgrepzgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDPostgreSQL tsearch2 "internal" Functions VulnerabilityRed Hat Enterprise Linux 3postgresqlThe tsearch2 module in PostgreSQL 7.4 through 8.0.x declares the (1) dex_init, (2) snb_en_init, (3) snb_ru_init, (4) spell_init, and (5) syn_init functions as "internal" even when they do not take an internal argument, which allows attackers to cause a denial of service (application crash) and possibly have other impacts via SQL commands that call other functions that accept internal arguments.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDgzip zgrep Sanitation VulnerabilityRed Hat Enterprise Linux 3gzipzgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDXimian Evolution MIME-encoded Image Buffer OverflowRed Hat Linux 9Ximian EvolutionThe handle_image function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier does not properly escape HTML characters, which allows remote attackers inject arbitrary data and HTML via a MIME Content-ID header in a MIME-encoded image.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDmlock Memory Page Tracking VulnerabilityRed Hat Enterprise Linux 3Linux kernelThe linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly maintain the mlock page count when one process unlocks pages that belong to another process, which allows local users to mlock more memory than specified by the rlimit.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDGDM Examine Errors Symlink VulnerabilityRed Hat Linux 9GDMGDM before 2.4.1.6, when using the "examine session errors" feature, allows local users to read arbitrary files via a symlink attack on the ~/.xsession-errors file.Jay BealeINTERIMACCEPTEDACCEPTEDLinux Kernel elf_core_dump() Buffer OverflowRed Hat Enterprise Linux 3Linux kernelThe elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE4 Fetchmail Buffer Overflow via Long UIDL ResponsesRed Hat Enterprise Linux 4fetchmailBuffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDX Display Manager Control Protocol Denial of ServiceRed Hat Linux 9GDMThe X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) when a chosen host expires, a different issue than CVE-2003-0549.Jay BealeINTERIMACCEPTEDACCEPTEDTelnet Client Information Disclosure VulnerabilityRed Hat Enterprise Linux 3telnetCertain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDbzip2 Arbitrary File Permission Modification VulnerabilityRed Hat Enterprise Linux 3bzip2Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDgzip Hard Link AttackRed Hat Enterprise Linux 3gzipRace condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Firefox External App Code Acceptance VulnerabilityRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDMultiple Buffer Overflows in libXML2Red Hat Enterprise Linux 3libxml2Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDMultiple Buffer Overflows in libgdRed Hat Enterprise Linux 3libgdMultiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel shmctl() Memory Swap VulnerabilityRed Hat Enterprise Linux 3Linux kernelThe shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE4 Improper Handling of Synthetic Events in MozillaRed Hat Enterprise Linux 4mozillaThe browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDsudo Symlink VulnerabilityRed Hat Enterprise Linux 3sudoRace condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users to gain privileges via a symlink attack.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDIt appears that we can't parse the vulnerable configuration condition (an ALL in the second field of a line after a line that has no ALL in the second field) with our existing regexp.RHE3 Firefox and Mozilla DOM Node SpoofingRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing").Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDInteger Overflow in libgd2Red Hat Enterprise Linux 3libgdInteger overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CVE-2004-0941.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Firefox and Mozilla Javascript Dialog Box SpoofingRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Firefox InstallTrigger Callback VulnerabilityRed Hat Enterprise Linux 3mozillaThe InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDGDM X Display Manager Authorization VulnerabilityRed Hat Linux 9GDMThe X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) via a short authorization key name.Jay BealeINTERIMACCEPTEDACCEPTEDRHE4 Firefox InstallTrigger Callback VulnerabilityRed Hat Enterprise Linux 4The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE4 Firefox and Mozilla Javascript Dialog Box SpoofingRed Hat Enterprise Linux 4mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDGNU Ghostscript -dSAFER VulnerabilityRed Hat Linux 9GNU GhostscriptUnknown vulnerability in GNU Ghostscript before 7.07 allows attackers to execute arbitrary commands, even when -dSAFER is enabled, via a PostScript file that causes the commands to be executed from a malicious print job.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDFreeRADIUS Ascend-Send-Secret Server CrashRed Hat Enterprise Linux 3FreeRADIUSFreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (server crash) by sending an Ascend-Send-Secret attribute without the required leading packet.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 XBL Script Security Bypass VulnerabilityRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDGnuPG Invalid User ID VulnerabilityRed Hat Linux 9GnuPGThe key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDEvolution GtkHTML DoS via Malformed MessageRed Hat Linux 9GtkHTMLGtkHTML, as included in Evolution before 1.2.4, allows remote attackers to cause a denial of service (crash) via certain malformed messages.Jay BealeINTERIMACCEPTEDACCEPTEDRHE4 Mozilla top.focus() Cross-Site Scripting VulnerabilityRed Hat Enterprise Linux 4mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDEvolution GtkHTML DoS via null Pointer DereferenceRed Hat Linux 9GtkHTMLgtkhtml before 1.1.10, as used in Evolution, allows remote attackers to cause a denial of service (crash) via a malformed message that causes a null pointer dereference.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDApache Terminal Escape Sequence VulnerabilityRed Hat Linux 9ApacheApache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDApache Terminal Escape Sequence Vulnerability IIRed Hat Linux 9ApacheApache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDApache Linefeed Allocation VulnerabilityRed Hat Linux 9ApacheA memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDTrustix Secure Linux der_chop Script Symlink Attack VulnerabilityRed Hat Enterprise Linux 3OpenSSLThe der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDApache Weak Cipher Suite VulnerabilityRed Hat Linux 9ApacheApache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDApache prefork MPM Denial of ServiceRed Hat Linux 9ApacheThe prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDApache IPv6 Socket Failure Denial of ServiceRed Hat Linux 9ApacheApache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDKDM pam_setcred Privilege Escalation VulnerabilityRed Hat Linux 9KDMKDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module.Jay BealeINTERIMACCEPTEDACCEPTEDMutt BO Vulnerability in balsaRed Hat Linux 9MuttBuffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDKDM Weak Cookie VulnerabilityRed Hat Linux 9KDMKDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session.Jay BealeINTERIMACCEPTEDACCEPTEDxdrmem_bytes() Integer Overflow VulnerabilityRed Hat Linux 9krb5Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDKerberos KDC Heap Corruption Denial of ServiceRed Hat Linux 9krb5The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDKerberos krb4 Plaintext Attack VulnerabilityRed Hat Linux 9krb5Version 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDKerberos krb4 Ticket Splicing VulnerabilityRed Hat Linux 9krb5Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing."Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDLinux Kernel ptrace Privilege Escalation VulnerabilityRed Hat Linux 9Linux kernelThe kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDNetfilter Denial of ServiceRed Hat Linux 9NetfilterThe connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDLinux Route Cache / Netfilter Denial of ServiceRed Hat Linux 9NetfilterThe route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDGaim DoS via Malformed MSN MessageRed Hat Enterprise Linux 3GaimGaim before 1.3.1 allows remote attackers to cause a denial of service (crash) via a malformed MSN message that leads to a memory allocation of a large size, possibly due to an integer signedness error.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDLinux ioperm Privilege Restriction VulnerabilityRed Hat Linux 9Linux kernelThe ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDSKK/DDSKK Insecure Temporary File VulnerabilityRed Hat Linux 9skkskk (Simple Kana to Kanji conversion program) 12.1 and earlier, and the ddskk package which is based on skk, creates temporary files insecurely, which allows local users to overwrite arbitrary files.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDDenial of Service Vulnerability in Linux Kernel do_fork Function via CLONE_VMRed Hat Enterprise Linux 3Linux kernelThe do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel TTY VulnerabilityRed Hat Linux 9Linux kernelUnknown vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops").Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDLinux Kernel Denial of Service Vulnerability via fsave and frstor InstructionsRed Hat Enterprise Linux 3Linux kernelLinux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a "crash.c" program.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel mxcsr Code VulnerabilityRed Hat Linux 9Linux kernelThe mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDLinux Kernel TCP/IP Fragment Reassembly Denial of ServiceRed Hat Linux 9Linux kernelThe TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMultiple Privilege Escalation Vulnerabilities in Linux KernelRed Hat Enterprise Linux 3Linux kernelMultiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRed Hat Linux Kernel Serial Link Information Disclosure VulnerabilityRed Hat Linux 9/proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDLinux Kernel execve Race Condition VulnerabilityRed Hat Linux 9Linux kernelA race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash).Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDLinux Kernel Reuse Flag VulnerabilityRed Hat Linux 9Linux kernelThe RPC code in Linux kernel 2.4 sets the reuse flag when sockets are created, which could allow local users to bind to UDP ports that are used by privileged services such as nfsd.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDLinux Kernel execve Read Acces to Restricted File DescriptorsRed Hat Linux 9Linux kernelThe execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDLinux Kernel /proc/self setuid VulnerabilityRed Hat Linux 9Linux kernelThe /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDshtool Race ConditionRed Hat Enterprise Linux 3phpRace condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CVE-2005-1759.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDPEAR XML_RPC PHP Code Execution VulnerabilityRed Hat Enterprise Linux 3phpEval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDcpio Race ConditionRed Hat Enterprise Linux 3cpioRace condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDPortable Network Graphics Library Offset Calculation VulnerabilityRed Hat Enterprise Linux 3libpngPortable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDInsecure Design of the STP ProtocolRed Hat Linux 9Linux kernelThe STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDgzip Directory Traversal VulnerabilityRed Hat Enterprise Linux 3gzipDirectory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDSTP Protocol Length Verification VulnerabilityRed Hat Linux 9Linux kernelThe STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDLinux Kernel Bridge Forwarding Table Spoof VulnerabilityRed Hat Linux 9Linux kernelLinux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDLunix Kernel NFSv3 Procedure Kernel Panic VulnerabilityRed Hat Linux 9Linux kernelInteger signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDC-Media Sound Driver Userspace Access Vulnerability IIRed Hat Linux 9Linux kernelThe C-Media PCI sound driver in Linux before 2.4.21 does not use the get_user function to access userspace, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0700.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDC-Media Sound Driver Userspace Access VulnerabilityRed Hat Linux 9Linux kernelThe C-Media PCI sound driver in Linux before 2.4.22 does not use the get_user function to access userspace in certain conditions, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0699.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDKDE Konqueror Userid/Password Disclosure VulnerabilityRed Hat Linux 9KonquerorKDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites.Jay BealeINTERIMACCEPTEDACCEPTEDRHE4 InstallVersion.compareTo() DoS and Code Execution VulnerabilityRed Hat Enterprise Linux 4mozillaFirefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDLPRng Symbolic Link Attack VulnerabilityRed Hat Linux 9LPRngpsbanner in the LPRng package allows local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMultilingual File Viewer .lv File Sneak Attack VulnerabilityRed Hat Linux 9lvlv reads a .lv file from the current working directory, which allows local users to execute arbitrary commands as other lv users by placing malicious .lv files into other directories.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMutt BO VulnerabilityRed Hat Linux 9MuttBuffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder.Jay BealeINTERIMACCEPTEDACCEPTEDMYSQLd Double-free VulnerabilityRed Hat Linux 9MySQLDouble-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMYSQL Privilege Escalation Vulnerability via INFO OUTFILE SelectRed Hat Linux 9MySQLMySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INFO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart, as demonstrated by modifying my.cnf.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDmountd xlog Function Off-by-One VulnerabilityRed Hat Linux 9nfs-utilsOff-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDOpenSSH Indirect User Disclosure VulnerabilityRed Hat Linux 9OpenSSHOpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMemory Bugs in OpenSSHRed Hat Linux 9OpenSSH"Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMutliple Buffer Management Errors in OpenSSH IIRed Hat Linux 9OpenSSHA "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMutliple Buffer Management Errors in OpenSSHRed Hat Linux 9OpenSSHMultiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDKlima-Pokorny-Rosa Attack VulnerabilityRed Hat Linux 9OpenSSLThe SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack."Jay BealeINTERIMJay BealeJay BealeACCEPTEDACCEPTEDOpenSSL No RSA Blinding VulnerabilityRed Hat Linux 9OpenSSLOpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).Jay BealeINTERIMJay BealeJay BealeACCEPTEDACCEPTEDBuffer Overflow in PAM SMB ModuleRed Hat Linux 9pam_smbBuffer overflow in PAM SMB module (pam_smb) 1.1.6 and earlier, when authenticating to a remote service, allows remote attackers to execute arbitrary code.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDCGI.pm Cross-site Scripting VulnerabilityRed Hat Linux 9CGI.pmCross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter.Jay BealeINTERIMACCEPTEDACCEPTEDPH Cross-site Scripting VulnerabilityRed Hat Linux 9phpCross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDPINE Buffer OverflowRed Hat Linux 9pineBuffer overflow in PINE before 4.58 allows remote attackers to execute arbitrary code via a malformed message/external-body MIME type.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDInteger Signedness Error in PINERed Hat Linux 9pineInteger signedness error in rfc2231_get_param from strings.c in PINE before 4.58 allows remote attackers to execute arbitrary code via an email that causes an out-of-bounds array access using a negative number.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDRed Hat Eye of GNOME (EOG) Packages Fix Format String VulnerabilityRed Hat Linux 9EOGFormat string vulnerability in Eye Of Gnome (EOG) allows attackers to execute arbitrary code via format string specifiers in a command line argument for the file to display.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDPostfix Bounce Scans VulnerabilityRed Hat Linux 9PostfixPostfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDos attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a "!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port.Jay BealeINTERIMACCEPTEDACCEPTEDEthereal SOCKS String Format VulnerabilityRed Hat Linux 9EtherealFormat string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDDenial of Service Vulnerability in Postfix Parser CodeRed Hat Linux 9PostfixThe address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up.Jay BealeINTERIMACCEPTEDACCEPTEDEthereal NTLMSSP Buffer OverflowRed Hat Linux 9EtherealHeap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDRHE4 Firefox and Mozilla Shared Object Code ExecutionRed Hat Enterprise Linux 4mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDSMB/CIFS Packet Fragment Re-assembly BORed Hat Linux 9smbdBuffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDSamba Arbitrary File Overwrite VulnerabilityRed Hat Linux 9SambaThe code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMultiple Buffer Overflows in SambaRed Hat Linux 9SambaMultiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDBO in Samba call_trans2open FunctionRed Hat Linux 9Samba, Samba-TNGBuffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDSymlink Attack Vulnerability in semi/wemi MIME LibrariesRed Hat Linux 9semi MIME libraryThe (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and possibly other versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDSendmail BO in Prescan FunctionRed Hat Linux 9SendmailThe prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDPotential BO in Ruleset Parsing for SendmailRed Hat Linux 9SendmailA "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDDenial of Service in Sendmail via the enhdnsbl FeatureRed Hat Linux 9SendmailThe DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDCUPS Partial Print DOSRed Hat Linux 9CUPSCUPS before 1.1.19 allows remote attackers to cause a denial of service via a partial printing request to the IPP port (631), which does not time out.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDSendmail BO in prescan FunctionRed Hat Linux 9SendmailThe prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDSqirrelMail Cross-site Scripting VulnerabilitiesRed Hat Linux 9SquirrelMailMultiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDUnZip 5.0 Directory Traversal VulnerabilityRed Hat Linux 9unzipDirectory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDsysreport Plaintext Password LeakRed Hat Enterprise Linux 3sysreportsysreport 1.3.15 and earlier includes contents of the up2date file in a report, which leaks the password for a proxy server in plaintext and allows local users to gain privileges.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDup2date RPM GPG Signature Verification VulnerabilityRed Hat Linux 9up2dateup2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDvsftpd Fails to Integrate with TCP WrappersRed Hat Linux 9vsftpdvsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrappers (tcp_wrappers) but is installed as a standalone service, which inadvertently prevents vsftpd from restricting access as intended.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDRHE3 Firefox and Mozilla Framed Site Spoofing VulnerabilityRed Hat Enterprise Linux 3mozillaA regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDmikmod Long Filename Buffer OverflowRed Hat Enterprise Linux 3mikmodBuffer overflow in mikmod 3.1.6 and earlier allows remote attackers to execute arbitrary code via an archive file that contains a file with a long filename.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDxinitd Memory Leak Invites Denial of Service AttackRed Hat Linux 9xinetdMemory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections.Jay BealeINTERIMJay BealeJay BealeACCEPTEDACCEPTEDCode Execution Vulnerability in XPDF PDF ViewerRed Hat Linux 9xpdfVarious PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink.Jay BealeINTERIMACCEPTEDACCEPTEDypserv NIS Server Denial of ServiceRed Hat Linux 9ypservypserv NIS server before 2.7 allows remote attackers to cause a denial of service via a TCP client request that does not respond to the server, which causes ypserv to block.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDPostgreSQL Character Conversion VulnerabilityRed Hat Enterprise Linux 3postgresqlPostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged users to call those functions with malicious values, with unknown impact, aka the "Character conversion vulnerability."Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDOff-by-one Vulnerabilities in Ethereal 0.9.11Red Hat Linux 9EtherealMultiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, (4) PPTP, (5) Quake, (6) Quake2, (7) Quake3, (8) Rsync, (9) SMB, (10) SMPP, and (11) TSP dissectors, which do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDImageMagick Buffer Overflow in ReadPNMImage()Red Hat Enterprise Linux 3ImageMagickHeap-based buffer overflow in the ReadPNMImage function in pnm.c for ImageMagick 6.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a PNM file with a small colors value.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDgftp Directory Traversal VulnerabilityRed Hat Enterprise Linux 3gftpDirectory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command.Jay BealeDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDRHE4 Firefox and Mozilla DOM Node SpoofingRed Hat Enterprise Linux 4mozillaFirefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing").Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDInteger Overflow Vulnerabilities in Ethereal 0.9.11Red Hat Linux 9EtherealMultiple integer overflow vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) Mount and (2) PPP dissectors.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDRHE3 Improper Handling of Synthetic Events in MozillaRed Hat Enterprise Linux 3mozillaThe browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDGaim DoS via Yahoo! MessageRed Hat Enterprise Linux 3GaimGaim before 1.3.1 allows remote attackers to cause a denial of service (application crash) via a Yahoo! message with non-ASCII characters in a file name.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDbzip2 Decompression BombRed Hat Enterprise Linux 3bzip2bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb").Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDEthereal 0.9.12 Vulnerability in DCERPC DissectorRed Hat Linux 9EtherealUnknown vulnerability in the DCERPC (DCE/RPC) dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (memory consumption) via a certain NDR string.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDRHE4 Firefox and Mozilla Framed Site Spoofing VulnerabilityRed Hat Enterprise Linux 4mozillaA regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Mozilla top.focus() Cross-Site Scripting VulnerabilityRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 InstallVersion.compareTo() DoS and Code Execution VulnerabilityRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRedHat Code Execution and DoS Vulnerabilities in PWLibRed Hat Linux 9PWLibMultiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.Jay BealeMatt BusbyACCEPTEDACCEPTEDRed Hat netpbm File Overwrite VulnerabilityRed Hat Linux 9netpbmnetpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.Jay BealeMatt BusbyACCEPTEDACCEPTEDRed Hat XFree86 Buffer Overflow in ReadFontAliasRed Hat Linux 9XFree86Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106.Jay BealeMatt BusbyACCEPTEDACCEPTEDRed Hat XFree86 Buffer Overflow in ReadFontAlias IIRed Hat Linux 9XFree86Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106.Jay BealeMatt BusbyACCEPTEDACCEPTEDRHE4 XBL Script Security Bypass VulnerabilityRed Hat Enterprise Linux 4mozillaFirefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDXFree86 Font File Handling VulnerabilityRed Hat Linux 9XFree86Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084.Jay BealeMatt BusbyACCEPTEDACCEPTEDRed Hat Enterprise 3 netpbm File Overwrite VulnerabilityRed Hat Enterprise Linux 3netpbmnetpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.Jay BealeMatt BusbyACCEPTEDACCEPTEDRed Hat Mutt BO in Index MenuRed Hat Linux 9MuttBuffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages.Jay BealeACCEPTEDACCEPTEDMailman Cross-site Scripting VulnerabilityRed Hat Linux 9MailmanCross-site scripting (XSS) vulnerability in the admin CGI script for Mailman before 2.1.4 allows remote attackers to steal session cookies and conduct unauthorized activities.Jay BealeACCEPTEDACCEPTEDMailman Cross-site Scripting Vulnerability IIRed Hat Linux 9MailmanCross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookies of other users.Jay BealeACCEPTEDACCEPTEDRHE3 Firefox and Mozilla Shared Object Code ExecutionRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDGaim / Ultramagnetic BO VulnerabilitiesRed Hat Linux 9GaimMultiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.Jay BealeACCEPTEDACCEPTEDGaim / Ultramagnetic Extract Info Field Function BORed Hat Linux 9GaimBuffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.Jay BealeACCEPTEDACCEPTEDGaim / Ultramagnetic directIM Packet VulnerabilityRed Hat Linux 9GaimInteger overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow.Jay BealeACCEPTEDACCEPTEDslocate Privilege Escalation VulnerabilityRed Hat Linux 9slocateHeap-based buffer overflow in main.c of slocate 2.6, and possibly other versions, may allow local users to gain privileges via a modified slocate database that causes a negative "pathlen" value to be used.Jay BealeMatt BusbyACCEPTEDACCEPTEDMidnight Commander vfs_s_resolve_symlink BORed Hat Linux 9Midnight CommanderStack-based buffer overflow in vfs_s_resolve_symlink of vfs/direntry.c for Midnight Commander (mc) 4.6.0 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code during symlink conversion.Jay BealeMatt BusbyACCEPTEDACCEPTEDKonqueror Cookie Access Restrictions Bypass VulnerabilityRed Hat Linux 9KDEKonqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.Jay BealeINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Linux Kernel do_mremap Privilege Escalation VulnerabilityRed Hat Enterprise Linux 3mremapThe do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.Jay BealeMatt BusbyACCEPTEDACCEPTEDRedHat Enterprise 3 Code Execution and DoS Vulnerabilities in PWLibRed Hat Enterprise Linux 3PWLibMultiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.Jay BealeMatt BusbyACCEPTEDACCEPTEDSamba mksmboasswd Disabled Account Creation VulnerabilityRed Hat Enterprise Linux 3Samba 3.0.0 and 3.0.1The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password.Jay BealeMatt BusbyACCEPTEDACCEPTEDmod_python Web Server Denial of ServiceRed Hat Linux 9mod_pythonUnknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string.Jay BealeMatt BusbyACCEPTEDACCEPTEDXFree86 Buffer Overflow in dirfileRed Hat Enterprise Linux 3XFree86Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106.Jay BealeMatt BusbyMatt BusbyACCEPTEDACCEPTEDXFree86 Buffer Overflow in CopyISOLatin1Lowered FunctionRed Hat Enterprise Linux 3XFree86Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106.Jay BealeMatt BusbyMatt BusbyACCEPTEDACCEPTEDXFree86 Improper Handling of Font FilesRed Hat Enterprise Linux 3XFree86Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084.Jay BealeMatt BusbyACCEPTEDACCEPTEDXMLSoft Libxml2 Code Execution VulnerabilityRed Hat Enterprise Linux 3XMLSoft Libxml2Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.Jay BealeMatt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDRed Hat Kernel R128 DRI Limits Checking VulnerabilityRed Hat Linux 9Linux kernelUnknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."Jay BealeMatt BusbyACCEPTEDACCEPTEDRed Hat Kernel ncp_lookup Function BORed Hat Linux 9Linux kernelStack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.Jay BealeMatt BusbyACCEPTEDACCEPTEDVicam USB Driver Data Copy VulnerabilityRed Hat Linux 9Vicam USB driverThe Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service.Jay BealeMatt BusbyACCEPTEDACCEPTEDRed Hat Linux Kernel do_mremap Privilege Escalation VulnerabilityRed Hat Linux 9mremapThe do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.Jay BealeMatt BusbyACCEPTEDACCEPTEDRed Hat Enterprise 3 Mutt BO in Index MenuRed Hat Enterprise Linux 3MuttBuffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages.Jay BealeACCEPTEDMatt BusbyINTERIMACCEPTEDACCEPTEDmod_python Web Server Denial of ServiceRed Hat Linux 9mod_pythonUnknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string.Jay BealeMatt BusbyACCEPTEDACCEPTEDEthereal 0.9.12 Vulnerability in OSI DissectorRed Hat Linux 9EtherealThe OSI dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDRed Hat Enterprise 3 gdk-pixbuf Denial of ServiceRed Hat Enterprise Linux 3gdk-pixbufgdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file.Jay BealeINTERIMMatt BusbyACCEPTEDACCEPTEDRed Hat gdk-pixbuf Denial of ServiceRed Hat Linux 9gdk-pixbufgdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file.Jay BealeINTERIMMatt BusbyACCEPTEDACCEPTEDRed Hat tcpdump Denial of Service via ISAKMP PacketsRed Hat Linux 9tcpdumptcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057.Jay BealeACCEPTEDACCEPTEDRed Hat sysstat port and trigger Scripts symlink Attack VulnerabilityRed Hat Linux 9sysstatThe (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108.Jay BealeMatt BusbyINTERIMACCEPTEDACCEPTEDRed Hat tcpdump Denial of Service via print_attr_string FunctionRed Hat Linux 9tcpdumpThe print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.Jay BealeACCEPTEDACCEPTEDRed Hat tcpdump Denial of Service via ISAKMP Packets IIRed Hat Linux 9tcpdumpThe rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989.Jay BealeACCEPTEDACCEPTEDRHE3 tcpdump DoS via ISAKMP PacketsRed Hat Enterprise Linux 3tcpdumptcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057.Jay BealeACCEPTEDACCEPTEDRed Hat Enterprise 3 tcpdump Denial of Service via print_attr_string FunctionRed Hat Enterprise Linux 3tcpdumpThe print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.Jay BealeACCEPTEDACCEPTEDRHE3 tcpdump DoS via ISAKMP Packets IIRed Hat Enterprise Linux 3tcpdumpThe rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989.Jay BealeACCEPTEDMatt BusbyINTERIMACCEPTEDACCEPTEDRed Hat CVS Server root Directory Access VulnerabilityRed Hat Linux 9CVS serverCVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.Jay BealeMatt BusbyACCEPTEDACCEPTEDEthereal Malformed SMB Packet VulnerabilityRed Hat Linux 9EtherealThe SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets.Jay BealeMatt BusbyACCEPTEDACCEPTEDEthereal Malformed Q.931 Packet VulnerabilityRed Hat Linux 9TetherealThe Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference.Jay BealeMatt BusbyACCEPTEDACCEPTEDRed Hat kdepim VCF File Information Reader BORed Hat Linux 9KDE Personal Information Management (kdepim)Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file.Jay BealeACCEPTEDACCEPTEDRed Hat Kernel Real Time Clock Data LeakageRed Hat Linux 9Linux kernelReal time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space.Jay BealeMatt BusbyACCEPTEDACCEPTEDrpc.mountd Denial of Service via NFS MountRed Hat Enterprise Linux 3nfs-utils packagesrpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name.Jay BealeMatt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 sysstat port and trigger Scripts symlink Attack VulnerabilityRed Hat Enterprise Linux 3SysstatThe (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108.Jay BealeMatt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDRed Hat Multiple stack-based BO Vulnerabilities in ApacheRed Hat Linux 9httpdMultiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.Jay BealeMatt BusbyINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Multiple stack-based BO Vulnerabilities in ApacheRed Hat Enterprise Linux 3ApacheMultiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.Jay BealeMatt BusbyINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 kdepim VCF File Information Reader BORed Hat Enterprise Linux 3KDE Personal Information Management (kdepim)Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file.Jay BealeINTERIMMatt BusbyACCEPTEDACCEPTEDRed Hat Enterprise 3 CVS Server root Directory Access VulnerabilityRed Hat Enterprise Linux 3CVS serverCVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.Jay BealeMatt BusbyINTERIMACCEPTEDACCEPTEDRed Hat S/MIME Protocol Denial of Service VulnerabilityRed Hat Linux 9mozillaMultiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite.Jay BealeINTERIMACCEPTEDACCEPTEDRed Hat Mozilla Bypass Cookie Access Restrictions VulnerabilityRed Hat Linux 9mozillaMozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.Jay BealeINTERIMACCEPTEDACCEPTEDRed Hat Mozilla Zombie Document VulnerabilityRed Hat Linux 9mozillaMozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events.Jay BealeINTERIMACCEPTEDACCEPTEDXMLSoft Libxml2 Code Execution VulnerabilityRed Hat Enterprise Linux 3libxml2Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.Jay BealeJay BealeINTERIMACCEPTEDACCEPTEDApache 2 Denial of Service due to Memory Leak in mod_sslRed Hat Enterprise Linux 3httpdMemory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server.Jay BealeJay BealeINTERIMACCEPTEDACCEPTEDRed Hat Squid ACL Bypass VulnerabilityRed Hat Linux 9Red Hat 9The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.Jay BealeINTERIMACCEPTEDACCEPTEDMultiple BO Vulnerabilities in Red Hat EtherealRed Hat Linux 9Red Hat 9Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.Jay BealeJay BealeINTERIMACCEPTEDACCEPTEDRed Hat Ethereal Denial of Service via Malformed RADIUS PacketRed Hat Linux 9Red Hat 9The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.Jay BealeJay BealeINTERIMACCEPTEDACCEPTEDEthereal SPNEGO Dissoector Denial of Service VulnerabilityRed Hat Linux 9EtherealThe SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDRed Hat Ethereal Denial of Service via 0-Length Presentation Protocol SelectorRed Hat Linux 9Red Hat 9Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector.Jay BealeJay BealeINTERIMACCEPTEDACCEPTEDMultiple BO Vulnerabilities in Red Hat Enterprise 3 EtherealRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.Jay BealeJay BealeJay BealeINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Ethereal Denial of Service via Malformed RADIUS PacketRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.Jay BealeJay BealeJay BealeINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Ethereal Denial of Service via 0-Length Presentation Protocol SelectorRed Hat Enterprise Linux 3Red Hat Enteprise Linux3Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector.Jay BealeJay BealeJay BealeINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 S/MIME Protocol Denial of Service VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDRed Hat Enterprise 3 Mozilla Bypass Cookie Access Restrictions VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDRed Hat Enterprise 3 Mozilla Zombie Document VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDLinux Kernel ip_setsockopt Integer OverflowRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option.Jay BealeINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Squid ACL Bypass VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.Jay BealeINTERIMACCEPTEDACCEPTEDRacoon IKE Daemon Unauthorized X.509 Certificate Connection VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate.Jay BealeINTERIMACCEPTEDACCEPTEDKAME IKE Daemon Improper Hash Value HandlingRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c.Jay BealeINTERIMACCEPTEDACCEPTEDKonqueror URI Handler "-" Filter VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code.Jay BealeINTERIMACCEPTEDACCEPTEDMagick XWD Decoder DoSRed Hat Enterprise Linux 3ImageMagickThe XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDrsync Path Sanitation VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path.Jay BealeINTERIMACCEPTEDACCEPTEDCVS pserver BORed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines.Jay BealeINTERIMACCEPTEDACCEPTEDlibpng Malformed PNG Image VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message.Jay BealeINTERIMACCEPTEDACCEPTEDtcpdump Delete Payload in ISAKMP Packets VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.Jay BealeINTERIMACCEPTEDACCEPTEDtcpdump Identification Payload in ISAKMP Packets VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.Jay BealeINTERIMACCEPTEDACCEPTEDMultiple BO Vulnerabilities in LHA get_header FunctionRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive.Jay BealeINTERIMACCEPTEDACCEPTEDMultiple Directory Traversal Vulnerabilities in LHARed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path").Jay BealeINTERIMACCEPTEDACCEPTEDUtempter Directory Traversal VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.Jay BealeINTERIMACCEPTEDACCEPTEDNTLM Authentication BO in Squid Web Proxy CacheRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).Jay BealeINTERIMACCEPTEDACCEPTEDEthereal Denial of Service via SIP MessagesRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients.Jay BealeINTERIMACCEPTEDACCEPTEDRacoon Denial of Service via Large Length FieldRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field.Jay BealeINTERIMACCEPTEDACCEPTEDEthereal AIM Dissector VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors.Jay BealeINTERIMACCEPTEDACCEPTEDEthereal SPNEGO Dissector VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference.Jay BealeINTERIMACCEPTEDACCEPTEDEthereal MMSE Dissector VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code.Jay BealeINTERIMACCEPTEDACCEPTEDMutliple BO Vulnerabilities in MIT Kerberos 5Red Hat Enterprise Linux 3MIT Kerberos 5 (krb5)Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.Jay BealeINTERIMACCEPTEDACCEPTEDCVS Improper Handling of Malformed Entry LinesRed Hat Enterprise Linux 3CVSCVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution.Jay BealeINTERIMACCEPTEDACCEPTEDCVS error_prog_name Double-free VulnerabilityRed Hat Enterprise Linux 3CVSDouble-free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code.Jay BealeINTERIMACCEPTEDACCEPTEDRed Hat Enterprise Linux 3 Kernel Serial Link Information Disclosure VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3/proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.Jay BealeINTERIMINTERIMACCEPTEDACCEPTEDSun Solaris 10Operating SystemUnspecified vulnerability in the kernel processing in Solaris 10 64 bit platform, when running in 64-bit mode, allows local users to cause a denial of service (system panic) via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11swagentdAn undisclosed vulnerability has been identified in swagentd that could potentially be exploited remotely by an unauthenticated attacker to cause swagentd to abort.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 8Sun Solaris 9PerlSafe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and earlier, may allow attackers to break out of safe compartments in (1) Safe::reval or (2) Safe::rdo using a redefined @_ variable, which is not reset between successive calls.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 10Operating SystemUnspecified vulnerability in the kernel processing in Solaris 10 64 bit platform, when running in 64-bit mode, allows local users to cause a denial of service (system panic) via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 8Sun Solaris 9Sun Solaris 10gzipDirectory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemAn SCLT_INCOMPLETE error was blocking receipt of proper READY status from the array. A timer was changed to allow array to reach full READY before SCSI response is tested.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 9Operating SystemSolaris 9 patches 112908-12 and 115168-03 introduced a logging flaw that can log passwords in clear text. This can lead to privilege escalation for a local user. It can also lead to the compromise of other systems if passwords are reuse introduced a logging flaw that can log passwords in clear text. This can lead to privilege escalation for a local user. It can also lead to the compromise of other systems if passwords are reused.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 10patchaddThe patchadd facility for Solaris 10 fails to install T-patches. Sun sometimes releases a T-patch as a temporary version of a patch prior to the final release of that patch. While this flaw does not directly represent a vulnerability, it does prevent the timely application of some (possibly critical) updates.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 8Sun Solaris 9PerlCross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11swagentdAn undisclosed vulnerability has been identified in swagentd that could potentially be exploited remotely by an unauthenticated attacker to cause swagentd to abort.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemAn SCLT_INCOMPLETE error was blocking receipt of proper READY status from the array. A timer was changed to allow array to reach full READY before SCSI response is tested.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 10Sun Solaris 9Sun Solaris 8Access ManagerUnspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10KerberosMIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 8Sun Solaris 9Sun Solaris 10Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 10Operating SystemAn SCLT_INCOMPLETE error was blocking receipt of proper READY status from the array. A timer was changed to allow array to reach full READY before SCSI response is tested.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11swagentdAn undisclosed vulnerability has been identified in swagentd that could potentially be exploited remotely by an unauthenticated attacker to cause swagentd to abort.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 8Sun Solaris 9Sun Solaris 10Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 9Sun Solaris 8Sun Solaris 7Operating SystemMultiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMPSource Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11PerlRace condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10KerberosHeap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 10Sun Solaris 9Access ManagerUnspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 8Sun Solaris 9Sun Solaris 10gzipRace condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10XsunA security vulnerability in Xsun and Xprt may allow a local unprivileged user to execute arbitrary code at the privilege level of either the XSun or Xprt command.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSolaris Xsun Privilege Escalation via Pixmaps VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10XMultiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX Shared Library Privilege Escalation Vulnerability (B.11.00)HP-UX 11Operating SystemUnspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX wuftpd Privilege Escalation Vulnerability (B.11.23)HP-UX 11ftpdwu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDHP-UX Core Stack Size DoS Vulnerability (B.11.23)HP-UX 11Operating SystemUnspecified vulnerability in HP-UX B.11.23 on Itanium platforms allows local users to cause a denial of service due to a "specific stack size."Robert L. HollisDRAFTMatthew WojcikINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDSolaris Xorg Privilege Escalation via Pixmaps VulnerabilitySun Solaris 9Sun Solaris 10XMultiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache Nonce Verification Response Replay VulnerabilitySun Solaris 8Sun Solaris 9Apachemod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache Error Log Escape Sequence Filtering VulnerabilitySun Solaris 8Sun Solaris 9ApacheApache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache Listening Socket Starvation VulnerabilitySun Solaris 8Sun Solaris 9ApacheApache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache Allow/Deny Parsing ErrorSun Solaris 8Sun Solaris 9Apachemod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache mod_proxy Content-Length Header Buffer OverflowSun Solaris 8Sun Solaris 9ApacheHeap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDX Display Manager DoS via Invalid XDMCP RequestSun Solaris 7Sun Solaris 8Sun Solaris 9XDMX Display Manager (XDM) on Solaris 8 allows remote attackers to cause a denial of service (XDM crash) via an invalid X Display Manager Control Protocol (XDMCP) request.Robert L. HollisChristine WalzerDRAFTINTERIMACCEPTEDACCEPTEDlibtiff RLE Decoder Buffer Overflow VulnerabilitiesSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10libtiffMultiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDlibtiff tif_dirread divide-by-zero Denial of ServiceSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10libtiffVulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDlibtiff Malloc Error Denial of ServiceSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10libtiffMultiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDlibtiff Directory Entry Count Integer Overflow VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10libtiffInteger overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX ftpd Remote Unauthorized Data Access (B.11.04)HP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDPerl Format String Integer Overflow VulnerabilitySun Solaris 10PerlInteger overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDusermod Recursive Ownership Error (B.11.23)HP-UX 11ApacheA security flaw in some versions of the HP-UX usermod command can result in recursively changing the ownership of all directories and files under a user's home directory. Specifically, executing # usermod -d <old home dir> -u <new gid> -m <username> or # usermod -d <old home dir> -u <new or old gid> -m <username> incorrectly changes ownership recursively to <username>. If the home directory is '/', this action will render the system inoperable.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDKerberos V5 Null Pointer DoS VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Solaris Enterprise Authentication Mechanism (SEAM)MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDHP-UX wuftpd Privilege Escalation Vulnerability (B.11.11)HP-UX 11ftpdwu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX Trusted Mode remshd Remote Unauthorized Access (B.11.11)HP-UX 11remshdUnknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX ftpd Remote Unauthorized Data Access (B.10.24)HP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWebproxy HTTP Request Smuggling (B.11.04)HP-UX 11Apache'An undisclosed vulnerability has been identified in Apache HTTP server versions prior to Apache 1.3.34 that may allow HTTP Request Splitting/Spoofing attacks, resulting in remote unauthorized access.'Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDVirusVault CGI Byterange Request DoSHP-UX 11ApacheThe byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDzlib Compression Remote DoS Vulnerability (B.11.23)HP-UX 11SecureShellzlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWU-FTPD "glob-*" Remote DoS Vulnerability (B.11.23)HP-UX 11ftpdThe wu_fnmatch function in wu_fnmatch.c for wu-fptd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir copmmand.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX ftpd Remote Unauthorized Data Access (B.11.00)HP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla IDN heap overrun using soft-hyphensHP-UX 11mozillaBuffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWU-FTPD "glob-*" Remote DoS Vulnerability (B.11.00)HP-UX 11ftpdThe wu_fnmatch function in wu_fnmatch.c for wu-fptd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir copmmand.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDLeaking GSSAPI Credentials Vulnerability (B.11.23)HP-UX 11SecureShellsshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache mod_ssl CRL off-by-one DoSHP-UX 11ApacheOff-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX PMTUD Remote DoS (B.11.23-IPSEC)HP-UX 11Operating SystemUnknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDPC Netlink 2.0 Privilege Escalation VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Solaris Management ConsoleThe (1) slsmgr and (2) slsadmin programs in Sun Solaris PC NetLink 2.0 create temporary files insecurely, which allows local users to gain privileges.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDpasswd Local DoS Vulnerability (B.11.00)HP-UX 11Operating System'An undisclosed vulnerability has been identified in /sbin/passwd which could be exploited to create a Denial of Service condition..'Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX envd Local Execution of Privileged Code (B.11.00)HP-UX 11envdenvd daemon in HP-UX B.11.00 through B.11.11 allows local users to obtain privileges via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX ftpd Remote Unauthorized Data Access (B.11.11)HP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSMC TRACE HTTP VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Solaris Management ConsoleThe default configuration of the web server for the Solaris Management Console (SMC) in Solaris 8, 9, and 10 enables the HTTP TRACE method, which could allow remote attackers to obtain sensitive information such as cookies and authentication data from HTTP headers.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX Shared Library Privilege Escalation Vulnerability (B.11.11)HP-UX 11Operating SystemUnspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-Samba DACL Remote Integer Overflow Vulnerability (CIFS A.01)HP-UX 11SambaInteger overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX xterm Privilege Escalation Vulnerability (B.11.11)HP-UX 11Operating SystemUnspecified vulnerability in xterm for HP-UX 11.00, 11.11, and 11.23 allows local users to gain privileges via unknown vectors.Robert L. HollisDRAFTMatthew WojcikINTERIMACCEPTEDACCEPTEDAlternate ps Command Information Disclosure VulnerabilitySun Solaris 8Sun Solaris 9Operating System'An unspecified vulnerability in the \"/usr/ucb/ps\" command could allow unprivileged local users to see environment settings for processes of other users. When the \'e\' flag is used, a low-privileged user can see environment variables and values for processes that belong to root and any other system users. NOTE: \"/usr/bin/ps\" is the default \'ps\' command for most users per the command search path and is not affected by this vulnerability'Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX ftpd Remote Unauthorized Data Access (B.10.20)HP-UX 10ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWebproxy Integer Overflow in pcre_compileHP-UX 11ApacheInteger overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDVirusVault HTTP Request SmugglingHP-UX 11ApacheThe Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX PMTUD Remote DoS (B.11.11-IPSEC)HP-UX 11Operating SystemUnknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDuucp/uustat Privilege Escalation VulnerabilitySun Solaris 8Sun Solaris 9Operating SystemUnspecified vulnerability in uucp in Sun Solaris 8 and 9 has unknown impact and attack vectors. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2004-0780.Robert L. HollisDRAFTMatthew WojcikINTERIMACCEPTEDACCEPTEDzlib Compression Remote DoS Vulnerability (B.11.00/B.11.11)HP-UX 11SecureShellzlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX PMTUD Remote DoS (B.11.22)HP-UX 11Operating SystemUnknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDLeaking GSSAPI Credentials Vulnerability (B.11.00/B.11.11)HP-UX 11SecureShellsshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX envd Local Execution of Privileged Code (B.11.11)HP-UX 11envdenvd daemon in HP-UX B.11.00 through B.11.11 allows local users to obtain privileges via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX Trusted Mode remshd Remote Unauthorized Access (B.11.23)HP-UX 11remshdUnknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDKerberos Command Execution Vulnerability rexec DaemonSun Solaris 10XUnspecified vulnerability in in.rexecd in Solaris 10 allows local users to gain privileges on Kerberos systems via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX SIM Hangs MS-IE Due to MS04-025 ChangesHP-UX 11Operating SystemUnknown vulnerability in the login page for HP Systems Insight Manager (SIM) 4.0 and 4.1, when accessed by Microsoft Internet Explorer with the MS04-025 patch, leads to a denial of service (browser hang). NOTE: although the advisory is vague, this issue does not appear to involve an attacker at all. If not, then this issue is not a vulnerability.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX Shared Library Privilege Escalation Vulnerability (B.11.04)HP-UX 11Operating SystemUnspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX PMTUD Remote DoS (B.11.11)HP-UX 11Operating SystemUnknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSolaris 10 find on /proc panic DoS VulnerabilitySun Solaris 10Operating SystemUnspecified vulnerability in Sun Solaris 10 allows local users to cause a denial of service (null dereference) via unspecified vectors involving the use of the find command on the "/proc" filesystem. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2005-3250.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDXPM Image Decoder Buffer OverflowSun Solaris 8Sun Solaris 9Operating SystemInteger overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687).Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDpagedata Subsystem Local DoS VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Operating System'An undisclosed vulnerability in the pagedata subsystem in /proc may allow a local unprivileged user to cause significant performance degradation and even panic the system.'Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDCD Drive DoS VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Operating SystemUnspecified vulnerability in the hsfs filesystem in Solaris 8, 9, and 10 allows unspecified attackers to cause a denial of service (panic) or execute arbitrary code.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWebproxy HTTP Request SmugglingHP-UX 11ApacheThe Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX wuftpd Privilege Escalation Vulnerability (B.11.22)HP-UX 11ftpdwu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX wuftpd Privilege Escalation Vulnerability (B.11.00)HP-UX 11ftpdwu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDVirusVault Integer Overflow in pcre_compileHP-UX 11ApacheInteger overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDpasswd Local DoS Vulnerability (B.11.11)HP-UX 11Operating SystemAn undisclosed vulnerability has been identified in /sbin/passwd which could be exploited to create a Denial of Service condition..Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSendmail setjmp longjmp bo (Red Hat Internal)Red Hat Linux 9Red Hat Enterprise Linux 3Red Hat Enterprise Linux 4SendmailSignal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDpasswd Local DoS Vulnerability (B.11.23)HP-UX 11Operating SystemAn undisclosed vulnerability has been identified in /sbin/passwd which could be exploited to create a Denial of Service condition..Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDX.Org Privilege Escalation Vulnerability in X11R6.9, X11R7.0Sun Solaris 10Operating SystemX.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDVirusVault Off-by-One Error in mod_ssl CRLHP-UX 11ApacheOff-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWebproxy CGI Byterange Request DoSHP-UX 11ApacheThe byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWebproxy Off-by-One Error in mod_ssl CRLHP-UX 11ApacheOff-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTED"su" Privilege Escalation VulnerabilityHP-UX 11LDAP'An undisclosed vulnerability has been identified in su when used with LDAP. The potential vulnerability could be exploited by a local authorized user to gain unauthorized access.'Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWU-FTPD "glob-*" Remote DoS Vulnerability (B.11.11)HP-UX 11ftpdThe wu_fnmatch function in wu_fnmatch.c for wu-fptd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir copmmand.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDXPM Image Decoder Malicious Color String VulnerabilitySun Solaris 8Sun Solaris 9Operating SystemStack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688).Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDLDAP rootDN Password Disclosure VulnerabilitySun Solaris 8Sun Solaris 9LDAPUnspecified vulnerability in Solaris 8 and 9 allows local users to obtain the LDAP Directory Server root Distinguished Name (rootDN) password when a privileged user (1) runs idsconfig; or "insecurely" runs LDAP2 commands with the -w option, including (2) ldapadd, (3) ldapdelete, (4) ldapmodify, (5) ldapmodrdn, and (6) ldapsearch.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMultiple Buffer Overflows in Kerberos 5 (krb5_aname_to_localname)Sun Solaris 7Solaris Enterprise Authentication Mechanism (SEAM)Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.Brian SobyDRAFTBrian SobyINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDSystem V login Buffer OverflowSun Solaris 7loginBuffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDKerberos 5 KDC Heap Corruption VulnerabilitySun Solaris 8Kerberos5The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDVulnerability exists in standard Solaris kerberos and SEAM. This definition only covers Solaris kerberosShell Redirect Symlink Attack VulnerabilitySun Solaris 7Sun Solaris 8Bourne Shell (sh)Bourne Again Shell (bash)TENEX C Shell (tcsh)C Shell (csh)Korn Shell (ksh)Multiple shell programs on various Unix systems, including (1) tcsh, (2) csh, (3) sh, and (4) bash, follow symlinks when processing <<redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack.Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMMatthew WojcikACCEPTEDACCEPTEDSolaris 7 RPC xdr_array Buffer OverflowSun Solaris 7libnslInteger overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.David ProulxMatthew WojcikINTERIMACCEPTEDACCEPTEDKerberos 5 KDC Buffer Underrun in Principle Name HandlingSun Solaris 7Solaris Enterprise Authentication Mechanism (SEAM)The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDVulnerability exists in standard Solaris kerberos and SEAM. This definition only covers SEAMSunRPC xdr_array Function Integer OverflowSun Solaris 7Sun RPCInteger overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDSpecific applications using this library are not tested for because Suns advisory only provides a sample of known vulnerable applications and states that they are still investigating.HP-UX xterm Local Unauthorized Access due to Bad PatchHP-UX 11remshdUnspecified vulnerability in xterm for HP-UX 11.00, 11.11, and 11.23 allows local users to gain privileges via unknown vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-Samba DACL Remote Integer Overflow Vulnerability (CIFS A.02)HP-UX 11SambaInteger overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSolaris Privilege Escalation/DoS Vulnerability (6293270)Sun Solaris 9Sun Solaris 10Operating SystemUnspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache Integer Overflow in pcre_compile.cHP-UX 11ApacheInteger overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache HTTP Byte-range DoS VulnerabilityHP-UX 11ApacheThe byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX Trusted Mode remshd Remote Unauthorized Access (B.11.00)HP-UX 11remshdUnknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX ftpd Remote Unauthorized Data Access (B.10.01, B.10.10)HP-UX 10ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDusermod Recursive Ownership Error (B.11.00)HP-UX 11Apache'A security flaw in some versions of the HP-UX usermod command can result in recursively changing the ownership of all directories and files under a user\'s home directory. Specifically, executing # usermod -d <old home dir> -u <new gid> -m <username> or # usermod -d <old home dir> -u <new or old gid> -m <username> incorrectly changes ownership recursively to <username>. If the home directory is \'/\', this action will render the system inoperable.'Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDusermod Recursive Ownership Error (B.11.11)HP-UX 11ApacheA security flaw in some versions of the HP-UX usermod command can result in recursively changing the ownership of all directories and files under a user's home directory. Specifically, executing # usermod -d <old home dir> -u <new gid> -m <username> or # usermod -d <old home dir> -u <new or old gid> -m <username> incorrectly changes ownership recursively to <username>. If the home directory is '/', this action will render the system inoperable.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache HTTP Request SmugglingHP-UX 11ApacheThe Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDBourne Shell Local-DoS VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Operating SystemThe Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to cause a denial of service (sh crash) via an unspecified attack vector that causes sh processes to crash during creation of temporary files.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 RPC xdr_array Buffer OverflowSun Solaris 8libnslInteger overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.David ProulxMatthew WojcikINTERIMACCEPTEDACCEPTEDHP-UX PMTUD Remote DoS (B.11.23)HP-UX 11Operating SystemUnknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHeap Overflow in Solaris 8 xlockSun Solaris 8xlockHeap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable.David ProulxACCEPTEDSolaris 7 rpc.yppasswdd Buffer Overrun VulnerabilitySun Solaris 7rpc.yppasswddBuffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.David ProulxACCEPTEDSNMP Trap Handling VulnerabilitySun Solaris 7Sun Solaris 8snmpdxVulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDRed Hat OpenSSL Kerberos Handshake VulnerabilityRed Hat Linux 9OpenSSLThe SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.Matt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDSolaris 9 CDE ToolTalk Database Null Write VulnerabilitySun Solaris 9CDECDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.Brian SobyDRAFTINTERIMACCEPTEDBrian SobyBrian SobyINTERIMACCEPTEDACCEPTEDString Format Vulnerability in Solaris 8 snmpdxSun Solaris 8snmpdxFormat string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges.David ProulxACCEPTEDBuffer Overflows in uucpSun Solaris 7Sun Solaris 8Sun Solaris 9uucpMultiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user.Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMACCEPTEDACCEPTEDString Format Vulnerability in Solaris 7 snmpdxSun Solaris 7snmpdxFormat string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges.David ProulxACCEPTEDSolaris 7 KCMS Arbitrary File Access VulnerabilitySun Solaris 7kcms_serverDirectory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.David ProulxACCEPTEDMozilla FTP URI MIME Type Exploit VulnerabilitySun Solaris 8mozillaMozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris 7 cachefsd Heap Overflow VulnerabilitySun Solaris 7cachefsdHeap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.David ProulxBrian SobyINTERIMACCEPTEDACCEPTEDHeap Overflow in Solaris 7 xlockSun Solaris 7xlockHeap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable.David ProulxACCEPTEDSun Solaris 8 XSun Color Database File Heap OverflowSun Solaris 8XsunBuffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.David ProulxACCEPTEDSamba Encrypted Password DoSSun Solaris 9SambaBuffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDInteger Overflow in libpng via Malformed PNG ImageSun Solaris 7libpngMultiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDManagement Console Directory Traversal VulnerabilitySun Solaris 8Sun Solaris 9Solaris Management Console (SMC)The Solaris Management Console (SMC) in Sun Solaris 8 and 9 generates different 404 error messages when a file does not exist versus when a file exists but is otherwise inacessible, which could allow remote attackers to obtain sensitive information in conjunction with a directory traversal (..) attack.Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMACCEPTEDACCEPTEDSolaris 8 X Font Server Remote Buffer OverrunSun Solaris 8fs.auto, xfsBuffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.David ProulxACCEPTEDSolaris 8 CDE ToolTalk Database Null Write VulnerabilitySun Solaris 8CDECDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.David ProulxACCEPTEDSolaris 7 X Font Server Remote Buffer OverrunSun Solaris 7fs.auto, xfsBuffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.David ProulxACCEPTEDls-F Privilege Escalation VulnerabilitySun Solaris 8TENEX C Shell (tcsh)Unknown vulnerability in the ls-F builtin function in tcsh on Solaris 8 allows local users to create or delete files as other users, and gain privileges.Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMDRAFTINTERIMACCEPTEDACCEPTEDgzip -force File Permission Alteration VulnerabilitySun Solaris 8Licence Logging Servicegzip before 1.3 in Solaris 8, when called with the -f or -force flags, will change the permissions of files that are hard linked to the target files, which allows local users to view or modify these files.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDsendfilev DoS VulnerabilitySun Solaris 8Sun Solaris 9sendfilev()Unknown vulnerability in the sendfilev function in Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDEnterprise Storage Manager 2.1 SAN Manager management station patchSun Solaris 8Sun Enterprise Storage Manager (ESM)Brian SobyDRAFTINTERIMACCEPTEDACCEPTED/usr/lib/print/conv_fix Privilege Escalation VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 CDE ToolTalk Database Server Symbolic Link VulnerabilitySun Solaris 8CDECDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.David ProulxACCEPTEDSolaris 7 CDE ToolTalk Database Heap Corruption VulnerabilitySun Solaris 7CDEBuffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure.David ProulxACCEPTEDSolaris 7 LBXProxy Display Name Buffer OverflowSun Solaris 7lbxproxyBuffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option.David ProulxACCEPTEDypbind Daemon Buffer OverflowSun Solaris 7NISBuffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remote attackers to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDCDE dtspcd Daemon Symlink VulnerabilitySun Solaris 7dtspcdThe CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDdtsession Buffer Overflow via HOME EnvvarSun Solaris 7Sun Solaris 8Sun Solaris 9CDEHeap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 CDE ToolTalk Database Heap Corruption VulnerabilitySun Solaris 8CDEBuffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure.David ProulxACCEPTEDSolaris 8 KCMS Arbitrary File Access VulnerabilitySun Solaris 8kcms_serverDirectory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.David ProulxACCEPTEDOff-by-one Error in fb_realpath()Sun Solaris 9Solaris Management Console (SMC)Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDApache Connection Blocking Denial Of Service VulnerabilitySun Solaris 8Sun Solaris 9ApacheApache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDISC BIND Cache Poison Denial Of ServiceSun Solaris 7BindISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote attackers to poison the cache via a malicious name server that returns negative responses with a large TTL (time-to-live) value.Brian SobyDRAFTINTERIMACCEPTEDBrian SobyBrian SobyINTERIMACCEPTEDACCEPTEDKerberos Client Plaintext Password VulnerabilitySun Solaris 9pam_krb5Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files.Brian SobyDRAFTBrian SobyINTERIMACCEPTEDACCEPTEDBIND DoS via SIG RR ElementsSun Solaris 7BindBIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDKerberos 5 ASN.1 Library DoSSun Solaris 9Kerberos5The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding.Brian SobyDRAFTBrian SobyINTERIMACCEPTEDACCEPTEDSamba call_trans2open() Buffer OverflowSun Solaris 9SambaBuffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSendmail Custom DNS Map Buffer OverflowSun Solaris 9SendmailBuffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malicious DNS server.Brian SobyDRAFTBrian SobyINTERIMACCEPTEDACCEPTEDSendmail Address Processor Buffer OverflowSun Solaris 7Sun Solaris 8Sun Solaris 9SendmailBuffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSun RPC No Timeout Denial of Service on TCP PortsSun Solaris 7libcThe Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang).Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMultiple Buffer Overflows in libpngSun Solaris 7libpngMultiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMozilla, Firefox, Thunderbird User Interface Hijacking VulnerabilitySun Solaris 8mozillaMozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDypxfrd File Disclosure VulnerabilitySun Solaris 7NISThe getdbm procedure in ypxfrd allows local users to read arbitrary files, and remote attackers to read databases outside /var/yp, via a directory traversal and symlink attack on the domain and map arguments.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDBSM Audit Kernel PanicSun Solaris 7Sun Solaris 8Sun Solaris 9Basic Security ModuleUnknown vulnerability in the Basic Security Module (BSM), when configured to audit either the Administrative (ad) or the System-Wide Administration (as) audit class in Solaris 7, 8, and 9, allows local users to cause a denial of service (kernel panic).Brian SobyDRAFTDRAFTBIND SIG Resource Records Buffer OverflowSun Solaris 7BindBuffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 versions 8.3.3 and earlier, allows remote attackers to execute arbitrary code via a certain DNS server response containing SIG resource records (RR).Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDDoS Vulnerability in libpng function png_handle_iCCP()Sun Solaris 7libpngThe png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDOpenSSL Double-free VulnerabilitySun Solaris 8Sun Solaris 9Sun ClusterDouble-free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDKCMS KCS_OPEN_PROFILE File Disclosure VulnerabilitySun Solaris 7kcms_serverDirectory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDOpenSSL Denial of Service VulnerabilitiesSun Solaris 8Sun Crypto Accelerator 4000The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDBuffer Management Error in OpenSSHSun Solaris 9OpenSSHA "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris 9 CDE ToolTalk Database Server Symbolic Link VulnerabilitySun Solaris 9CDECDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.Brian SobyDRAFTINTERIMACCEPTEDBrian SobyBrian SobyINTERIMACCEPTEDACCEPTEDXFS Dispatch() Buffer OverflowSun Solaris 9fs.auto, xfsBuffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris TCP/IP Stack System Panic VulnerabilitySun Solaris 8Sun Solaris 9TCP/IPUnknown vulnerability in the TCP/IP stack for Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDSendmail prescan function Buffer OverflowSun Solaris 7SendmailThe prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDCDE AddSuLog Function Buffer OverflowSun Solaris 7CDEBuffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8/9 cachefsd Heap Overflow VulnerabilitySun Solaris 8cachefsdHeap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.David ProulxBrian SobyINTERIMACCEPTEDACCEPTEDMozilla CA Certificate DoSSun Solaris 8mozillaMozilla 1.5 through 1.7 allows a CA certificate to be imported even when their DN is the same as that of the built-in CA root certificate, which allows remote attackers to cause a denial of service to SSL pages because the malicious certificate is treated as invalid.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMozilla, Firefox, Thunderbird POP3 SendUidl Buffer OverflowSun Solaris 8mozillaHeap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, may allow remote POP3 mail servers to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 7 XSun Color Database File Heap OverflowSun Solaris 7XsunBuffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.David ProulxACCEPTEDKerberos 5 Double-free Vulnerability in krb5_rd_cred FunctionSun Solaris 9Kerberos5Double-free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.Brian SobyDRAFTBrian SobyINTERIMACCEPTEDACCEPTEDBuffer Overflow in Solaris ping DaemonSun Solaris 7Sun Solaris 8Sun Solaris 9Licence Logging ServiceBuffer overflow in the ping daemon of Sun Solaris 7 through 9 may allow local users to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDsshd Log Bypass VulnerabilitySun Solaris 9sshdThe Secure Shell (SSH) Daemon (SSHD) in Sun Solaris 9 does not properly log IP addresses when SSHD is configured with the ListenAddress as 0.0.0.0, which makes it easier for remote attackers to hide the source of their activities.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDPatches Disable Basic Security Module Auditing FunctionalitySun Solaris 9Basic Security ModuleThe patches (1) 114332-08 and (2) 114929-06 for Sun Solaris 9 disable the auditing functionality of the Basic Security Module (BSM), which allows attackers to avoid having their activity logged.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDRuntime linker, ld.so.1 LD_PRELOAD Envvar Buffer OverflowSun Solaris 7Solaris Runtime LinkerStack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variable.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMozilla, Firefox, Thunderbird Security Lock Icon Spoof VulnerabilitySun Solaris 8mozillaMozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote attackers to use certain redirect sequences to spoof the security lock icon that makes a web page appear to be encrypted.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSendmail Ruleset Parsing Buffer OverflowSun Solaris 7Sun Solaris 8Sun Solaris 9SendmailA "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences.Brian SobyDRAFTDRAFTpriocntl Directory Traversal VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9priocntl()Directory traversal vulnerability in priocntl system call in Solaris does allows local users to execute arbitrary code via ".." sequences in the pc_clname field of a pcinfo_t structure, which cause priocntl to load a malicious kernel module.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDApache Web Server Multiple Module Local Buffer OverflowSun Solaris 8Sun Solaris 9ApacheMultiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDBuffer Overflow in ntp Daemon via readvarSun Solaris 7Sun Solaris 8sendfilev()Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDin.named Process Crash VulnerabilitySun Solaris 8BindUnknown vulnerability in in.named on Solaris 8 allows remote attackers to cause a denial of service (process crash).Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMozilla Firefox Certificate Spoofing VulnerabilitySun Solaris 8mozillaMozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDDtMail Local Command Line Format String VulnerabilitySun Solaris 8Sun Solaris 9DtMailFormat string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain privileges via format strings in the argv[0] value.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMultiple Vulnerabilities in lpstat and libprintSun Solaris 7lpstat, libprintUnknown multiple vulnerabilities in (1) lpstat and (2) the libprint library in Solaris 2.6 through 9 may allow attackers to execute arbitrary code or read or write arbitrary files.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris 7 RWall Daemon Syslog Format String VulnerabilitySun Solaris 7rpc.rwalldFormat string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed.David ProulxACCEPTEDApache Error Log Escape Sequence Injection VulnerabilitySun Solaris 8Sun Solaris 9ApacheApache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDBuffer Overflow in DNS Resolver LibrarySun Solaris 7BindBuffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDOpenSSL Integer Overflow VulnerabilitySun Solaris 8Sun Solaris 9Sun ClusterInteger overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris 7 cachefsd Buffer Overrun VulnerabilitySun Solaris 7cachefsdBuffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument.David ProulxBrian SobyINTERIMACCEPTEDACCEPTEDcachefsd DoS via Invalid RPC RequestSun Solaris 7Sun Solaris 8Sun Solaris 9cachefsdcachefsd in Solaris 2.6, 7, and 8 allows remote attackers to cause a denial of service (crash) via an invalid procedure call in an RPC request.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDToolTalk Buffer Overflow via TT_SESSION EnvvarSun Solaris 7CDEBuffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDlpq Buffer Overflow in bsd_queue()Sun Solaris 7lpstatStack-based buffer overflow in the bsd_queue() function for lpq on Solaris 2.6 and 7 allows local users to gain root privilege.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMozilla, Firefox, Thunderbird XPInstall Security VulnerabilitySun Solaris 8mozillaMozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDApache mod_digest Nonce Verification VulnerabilitySun Solaris 8Sun Solaris 9Apachemod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret.Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDBind OPT Resource Record DoS VulnerabilitySun Solaris 9BindBIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris Code Execution DoS VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9kernelUnknown vulnerability in Solaris 2.6 through 9 causes a denial of service (system panic) via "a rare race condition" or an attack by local users.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDOpenSSL ASN.1 Inputs Character Tracking VulnerabilitySun Solaris 8Sun Solaris 9Sun ClusterOpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMozilla, Netscape SOAPParameter Integer OverflowSun Solaris 8mozillaInteger overflow in the SOAPParameter object constructor in (1) Netscape version 7.0 and 7.1 and (2) Mozilla 1.6, and possibly earlier versions, allows remote attackers to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMIT Kerberos 5 Multiple Double-Free VulnerabilitiesSun Solaris 9Kerberos5Double-free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDApache Mod_Access Access Control Rule Bypass VulnerabilitySun Solaris 8Sun Solaris 9Apachemod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDMozilla, Firebird, Firefox Frame Injection VulnerabilitySun Solaris 8mozillaThe (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDLDAP RBAC Privilege Escalation VulnerabilitySun Solaris 8Sun Solaris 9LDAPUnknown vulnerability in LDAP on Sun Solaris 8 and 9, when using Role Based Access Control (RBAC), allows local users to execute certain commands with additional privileges.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDApache Mod_Proxy Remote Negative Content-Length Buffer OverflowSun Solaris 8Sun Solaris 9ApacheHeap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDKerberos 5 KDC ASN.1 Error Handling Double-free VulnerabilitiesSun Solaris 9Kerberos5Double-free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.Brian SobyDRAFTBrian SobyINTERIMACCEPTEDACCEPTEDCDE libDtHelp Buffer OverflowSun Solaris 7Sun Solaris 8Sun Solaris 9CDEBuffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via (1) a modified DTHELPUSERSEARCHPATH environment variable and the Help feature, (2) DTSEARCHPATH, or (3) LOGNAME.Brian SobyDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDXsun Buffer Overflow via HOME EnvvarSun Solaris 7XsunBuffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 rpc.yppasswdd Buffer Overrun VulnerabilitySun Solaris 8rpc.yppasswddBuffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.David ProulxACCEPTEDrwho daemon Code Execution VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Licence Logging ServiceUnknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris 7 mibiisa Remote Buffer Overflow VulnerabilitySun Solaris 7mibiisaBuffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges.David ProulxACCEPTEDSolaris 7 kcms_configure Command-Line Buffer OverflowSun Solaris 7kcms_configurekcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument.David ProulxACCEPTEDSolaris 8 kcms_configure Command-Line Buffer OverflowSun Solaris 8kcms_configurekcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument.David ProulxACCEPTEDSolaris 8 RWall Daemon Syslog Format String VulnerabilitySun Solaris 8rpc.rwalldFormat string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed.David ProulxACCEPTEDSolaris 7 CDE ToolTalk Database Symbolic Link VulnerabilitySun Solaris 7CDECDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.David ProulxACCEPTEDSolaris 8 LBXProxy Display Name Buffer OverflowSun Solaris 8lbxproxyBuffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option.David ProulxACCEPTEDLinux Kernel eflags Checking Privilege Escalation VulnerabilityRed Hat Enterprise Linux 3Linux kernelUnknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges.Matt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDNet-SNMP MIB Information Disclosure VulnerabilityRed Hat Enterprise Linux 3Net-SNMPNet-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed.Matt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 OpenSSL do_change_cipher_spec Function Denial of ServiceRed Hat Enterprise Linux 3OpenSSLThe do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.Matt BusbyMatt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 OpenSSL Improper Unknown Message Handling VulnerabilityRed Hat Enterprise Linux 3OpenSSLOpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.Matt BusbyMatt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDRed Hat OpenSSL Improper Unknown Message Handling VulnerabilityRed Hat Linux 9OpenSSLOpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.Matt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDSolaris 7 CDE ToolTalk Database Null Write VulnerabilitySun Solaris 7CDECDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.David ProulxACCEPTEDRed Hat Enterprise 3 OpenSSL Kerberos Handshake VulnerabilityRed Hat Enterprise Linux 3OpenSSLThe SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.Matt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDSolaris 8 mibiisa Remote Buffer Overflow VulnerabilitySun Solaris 8mibiisaBuffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges.David ProulxACCEPTEDSolaris cachefsd Buffer Overrun VulnerabilitySun Solaris 8cachefsdBuffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument.David ProulxBrian SobyBrian SobyINTERIMACCEPTEDACCEPTEDRed Hat OpenSSL do_change_cipher_spec Function Denial of ServiceRed Hat Linux 9OpenSSLThe do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.Matt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDFor "/tmp is readable by non-root users," use a compound test.The ImageMagick-devel, ImageMagick-c++-devel, and ImageMagick-c++ RPMs all require that the exact same version of the ImageMagick RPM is present. As such, we can test for a vulnerable version of the former alone, rather than testing for the presence of each of these RPMs in particular.Multiple RPMs were updated in this release, but all but mozilla-nspr have mozilla-with-their-same-version as an installation dependency. So, if mozilla is up to date, mozilla-chat, mozilla-devel, ... , mozilla-js-debugger are all up to date. Mozilla itself requires that mozilla-nspr and mozilla-nss be installed with the same version as itself. This closes the loop -- if mozilla is up to date, so are the other mozilla-FOO RPMs.Multiple RPMs were updated in this release, but all but mozilla-nspr have mozilla-with-their-same-version as an installation dependency. So, if mozilla is up to date, mozilla-chat, mozilla-devel, ... , mozilla-js-debugger are all up to date. Mozilla itself requires that mozilla-nspr and mozilla-nss be installed with the same version as itself. This closes the loop -- if mozilla is up to date, so are the other mozilla-FOO RPMs.The ImageMagick-* RPMs all require that the main ImageMagick RPM have the same version and release number.SUNWkrbu - 32bit, SUNWkrbux - 64bitSolaris Management Console web interfaceSUNWcsu = 32bit, SUNWcsxu = 64bitCVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265Package which contains /usr/lib/netsvc/yp/ypxfrdgrep c2audit /etc/system True if "set c2audit:audit_load = 1" or similiaregrep ^flags:.*a[sd] /etc/security/audit_control True if any lines returnedegrep "^[Srecipient=2|S2]|^[^#]*\$>2|^[^#]*\$>recipient|^[^#]*\$>4|^[^#]*\$>final" /etc/mail/sendmail.cf True if any lines returnedThe presence of /etc/named.conf indicates that system system is probably configured as a DNS serverRough translation of the Sun recommended test of: % grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___ default_realm = EXAMPLE.COM112604
112609
115172
/etchostname6?\.le.*111600
113073
SUNWlvmr/etc/rc[2-4].dS[0-9][0-9]svm.init/etcvfstab^/dev/md/^/usr/sbin/sparcv.$whodo111826
109321
114890
120467
120468
^/etc/lp/printers/.*110453
^(/usr)?/bin$admintool108721
/binmountgedit/usr/bingeditSUNWadmfw.*/usr/sbin/sadmind116457
116442
116454
.*/usr/sbin/sadmind/usr/dt/bindtlogin^.*dtlogin.*108919
112807
107180
.*/usr/dt/bin/dtspcd/usr/dt/bindtspcd106934
kernelkernel-smpkernel-bigmemsquirrelmailphp/etc/httpd/moduleslibphp4.sokernel-unsupportedfetchmailcvsopenoffice/usr/binoocalc/usr/binoodraw/usr/binooffice/usr/binooimpress/usr/binoowriter/usr/binbzgreprh-postgresql-contrib/usr/lib/pgsqltsearch.so/usr/binzgrepevolution/usr/binfetchmailfetchmailtelnetlibxmllibxml-develkernelkernel-hugememkernel-smpsudo/etcsudoers/usr/binsudolibgdlibgd-develgdmghostscript/usr/bingsFreeRADIUSudp.*1812gnupg/usr/bingnupggtkhtmlgtkhtml/usr/binevolutionhttpdopenssl-perlopenssl-developensslopenssl096b.*.*.*httpdbalsa/usr/binbalsakdebase/usr/binkdmkrb5-serverkrb5-libskrb5-workstationkernelddskkddskk-xemacskernelkernelkernel-hugememkernel-smpphp/etc/httpd/conf.dphp.confcpio/bincpiolibpnglibpng-devellibpng10-devellibpng10gzip/usr/bingzip/usr/bingunzipkernelkernelkdelibslprng/usr/libexec/filterspsbanner.*.*.*lvmuttmysql-server.*.*.*nfs-utils.*.*.*openssh-server.*.*.*openssh-serveropensslopenssl-developenssl-perlopenssl096openssl096bpam_smbperl-CGIphppine/usr/binpineeog/usr/bineogpostfix.*.*.*etherealTCP.*.*sambasambawlwl-xemacs/usr/binemacs/usr/binxemacssendmailsendmail.*.*.*cups.*.*.*/usr/sbinsendmail.sendmailTCP.*.*sendmailsquirrelmailunzip/usr/binunzipsysreport/tmpup2date^.*rhnsd.*$vsftpdTCP.*.*mikmod/usr/binmikmodxinetd.*.*.*xpdf/usr/binxpdfypserv.*.*.*rh-postgresql-server\bpostmaster\bImageMagickgftp/usr/bingftpgaimbzip2/usr/binbzip2pwlibnetpbmnetpbm-develnetpbm-progsmozillaXFree86/usr/bin411toppm/usr/binasciitopgm/usr/binatktopbm/usr/binbioradtopgm/usr/binbmptoppm/usr/binbrushtopbm/usr/bincmuwmtopbm/usr/bineyuvtoppm/usr/binfiascotopnm/usr/binfitstopnm/usr/binfstopgm/usr/bing3topbm/usr/bingemtopbm/usr/bingemtopnm/usr/bingiftopnm/usr/bingouldtoppm/usr/binhipstopgm/usr/binhpcdtoppm/usr/binicontopbm/usr/binilbmtoppm/usr/binimgtoppm/usr/binjpegtopnm/usr/binleaftoppm/usr/binlispmtopgm/usr/binmacptopbm/usr/binmdatopbm/usr/binmgrtopbm/usr/binmtvtoppm/usr/binneotoppm/usr/binpalmtopnm/usr/binpamchannel/usr/binpamcut/usr/binpamdeinterlace/usr/binpamfile/usr/binpamoil/usr/binpamstretch/usr/binpamtopnm/usr/binpbmclean/usr/binpbmlife/usr/binpbmmake/usr/binpbmmask/usr/binpbmpage/usr/binpbmpscale/usr/binpbmreduce/usr/binpbmtext/usr/binpbmto10x/usr/binpbmto4425/usr/binpbmtoascii/usr/binpbmtoatk/usr/binpbmtobbnbg/usr/binpbmtocmuwm/usr/binpbmtoepsi/usr/binpbmtoepson/usr/binpbmtog3/usr/binpbmtogem/usr/binpbmtogo/usr/binpbmtoicon/usr/binpbmtolj/usr/binpbmtoln03/usr/binpbmtolps/usr/binpbmtomacp/usr/binpbmtomda/usr/binpbmtomgr/usr/binpbmtonokia/usr/binpbmtopgm/usr/binpbmtopi3/usr/binpbmtopk/usr/binpbmtoplot/usr/binpbmtoppa/usr/binpbmtopsg3/usr/binpbmtoptx/usr/binpbmtowbmp/usr/binpbmtox10bm/usr/binpbmtoxbm/usr/binpbmtoybm/usr/binpbmtozinc/usr/binpbmupc/usr/binpcxtoppm/usr/binpgmbentley/usr/binpgmcrater/usr/binpgmedge/usr/binpgmenhance/usr/binpgmhist/usr/binpgmkernel/usr/binpgmnoise/usr/binpgmnorm/usr/binpgmoil/usr/binpgmramp/usr/binpgmslice/usr/binpgmtexture/usr/binpgmtofs/usr/binpgmtolispm/usr/binpgmtopbm/usr/binpgmtoppm/usr/binpi1toppm/usr/binpi3topbm/usr/binpjtoppm/usr/binpktopbm/usr/binpngtopnm/usr/binpnmalias/usr/binpnmarith/usr/binpnmcat/usr/binpnmcolormap/usr/binpnmcomp/usr/binpnmconvol/usr/binpnmcrop/usr/binpnmcut/usr/binpnmdepth/usr/binpnmenlarge/usr/binpnmfile/usr/binpnmflip/usr/binpnmgamma/usr/binpnmhisteq/usr/binpnmhistmap/usr/binpnminterp/usr/binpnminvert/usr/binpnmmontage/usr/binpnmnlfilt/usr/binpnmnoraw/usr/binpnmpad/usr/binpnmpaste/usr/binpnmpsnr/usr/binpnmremap/usr/binpnmrotate/usr/binpnmscale/usr/binppmtopict/usr/binppmtopj/usr/binppmtopjxl/usr/binppmtopuzz/usr/binppmtorgb3/usr/binppmtosixel/usr/binppmtotga/usr/binppmtouil/usr/binppmtowinicon/usr/binppmtoxpm/usr/binppmtoyuv/usr/binppmtoyuvsplit/usr/binppmtv/usr/binpsidtopgm/usr/binpstopnm/usr/binqrttoppm/usr/binrasttopnm/usr/binrawtopgm/usr/binrawtoppm/usr/binrgb3toppm/usr/binrletopnm/usr/binsbigtopgm/usr/binsgitopnm/usr/binsirtopnm/usr/binsldtoppm/usr/binspctoppm/usr/binspottopgm/usr/binsputoppm/usr/bintgatoppm/usr/binthinkjettopbm/usr/bintifftopnm/usr/binwbmptopbm/usr/binwinicontoppm/usr/binxbmtopbm/usr/binximtoppm/usr/binxpmtoppm/usr/binxvminitoppm/usr/binxwdtopnm/usr/binybmtopbm/usr/binyuvsplittoppm/usr/binyuvtoppm/usr/binzeisstopnm/usr/binpnmscalefixed/usr/binpnmshear/usr/binpnmsmooth/usr/binpnmsplit/usr/binpnmtile/usr/binpnmtoddif/usr/binpnmtofiasco/usr/binpnmtofits/usr/binpnmtojpeg/usr/binpnmtopalm/usr/binpnmtoplainpnm/usr/binpnmtopng/usr/binpnmtops/usr/binpnmtorast/usr/binpnmtorle/usr/binpnmtosgi/usr/binpnmtosir/usr/binpnmtotiff/usr/binpnmtotiffcmyk/usr/binpnmtoxwd/usr/binppm3d/usr/binppmbrighten/usr/binppmchange/usr/binppmcie/usr/binppmcolormask/usr/binppmcolors/usr/binppmdim/usr/binppmdist/usr/binppmdither/usr/binppmflash/usr/binppmforge/usr/binppmhist/usr/binppmlabel/usr/binppmmake/usr/binppmmix/usr/binppmnorm/usr/binppmntsc/usr/binppmpat/usr/binppmquant/usr/binppmqvga/usr/binppmrelief/usr/binppmshift/usr/binppmspread/usr/binppmtoacad/usr/binppmtobmp/usr/binppmtoeyuv/usr/binppmtogif/usr/binppmtoicr/usr/binppmtoilbm/usr/binppmtojpeg/usr/binppmtoleaf/usr/binppmtolj/usr/binppmtomitsu/usr/binppmtompeg/usr/binppmtoneo/usr/binppmtopcx/usr/binppmtopgm/usr/binppmtopi1netpbmnetpbm-develnetpbm-progsmuttmailmanTCP.*.*mozillagaim/usr/bingaimslocate/usr/binslocatemc/usr/binmc/usr/binkonquerorkdelibskernelkernel-smpkernel-hugemem.*.*1720pwlib.*.*.*samba/usr/X11R6/binXFree86XFree86kernelkernel-smpkernel-bigmem/usr/binmuttmuttmod_pythongdk-pixbufgdk-pixbuf-develgdk-pixbuf-gnomegdk-pixbufgdk-pixbuf-develgdk-pixbuf-gnomesysstattcpdumptcpdumpcvsetherealethereal=gnome/usr/sbintetherealkdepimkernelkernel-smpkernel-bigmemnfs-utils.*.*.*sysstathttpd.*.*.*httpd/usr/share/serviceskfile_vcf.desktopkdepim/cvsmozilla-nssmozilla/usr/binmozillalibxml2libxml2-devellibxml2-pythonTCP.*.*mod_sslsquidetherealethereal-gnomeetherealethereal-gnomeetherealethereal-gnomemozilla-nsskernelkernel-smpkernel-hugemem.*.*.*squidkdelibs/usr/bintelnet/usr/kerberos/bintelnet/usr/binrlogin/usr/kerberos/binrlogin/usr/binssh/usr/binkmailImageMagickrsynccvslibpnglibpng-devellibpnglibpng-develtcpdump/usr/sbintcpdumplha/usr/binlhautempter/usr/sbinutemptersquid.*.*.*ipsec-toolsUDP.*.*/usr/binethereal/usr/sbinethereal/usr/bintetherealetherealethereal-gnomekrb5-libs/usr/bincvscvskernel/proc/tty/driverserial/proc/tty/driver/proc/tty/proc118844
PHCO_28847PHSS_29963OS-Core.ARRAY-MGMTOS-Core.ADMN-ENG-A-MANPHCO_23263PHNE_33159/etcpam.conf[^#]*pam_krb5.+debug.*/etc/pam\.conf.*/etcsyslog.conf[^#]*(debug|daemon\.debug).*/etc/syslog\.conf119255
119254
119450
119449
PHSS_30302PHCO_30006OS-Core.ARRAY-MGMTOS-Core.ADMN-ENG-A-MANPHCO_23262OS-Core.ARRAY-MGMTOS-Core.ADMN-ENG-A-MAN120954
PHNE_34077InternetSrvcs.INETSVCS-RUNPHNE_33412InternetSrvcs.INETSVCS-RUNWUFTP-26.INETSVCS-FTPInternetSrvcs.INETSVCS-RUNPHNE_33414PHCO_23261OS-Core.C2400-UTILOS-Core.ADMN-ENG-A-MANWUFTP-26.INETSVCS-FTPPHSS_29964DCE-Core.DCE-CORE-SHLIBSW-DIST.SD-AGENTPHCO_28848118822
118844
TOUR_PRODUCT.T-NET2-KRNPHNE_32606SUNWkrgdoSUNWkr5sv/etc/krb5krb5.conf[^(#|_)]*default_realm[^_]*SUNWkrgglSUNWkr5slPHNE_33395Perl5.*\.PERL-RUNPerl5.*\.PERL-RUNPerl5.*\.PERL-RUNPerl5.*\.PERL-RUNPerl5.*\.PERL-RUN112238
SUNWCryr112390
115168
112237
120469
112240
112537
120470
112908
112536
SUNWCrySUNWamsvc120955
112669
112668
116341
116340
120720
120719
PHNE_33427112785
119059
/usr/openwin/binXprt119060
112786
108652
108653
/usr/openwin/binXsun119059
108653
119060
.*Xsun\b.*PHCO_29249PHNE_30983PHNE_31732OS-Core.CORE2-KRNPHKL_33713PHKL_33714118908
/usr/X11/binXorg.*Xorg\b.*116974
114145
111844
111845
112785
112786
118953
118954
109931
109932
114219
SUNWTiffSUNWTiffx114220
119900
119901
PHNE_24395119985
122082
SUNWkr5slSUNWkrgdoSUNWkrgglPHNE_33791PHNE_24395VaultTS.VV-IWSVaultWS.WS-COREPHSS_34121VaultTS.VV-IWSPHSS_34170VaultWS.WS-COREPHSS_34120VaultTS.VV-IWSPHSS_34171VaultWS.WS-COREPHSS_34119HP_Webproxy.HPWEB-PX-COREPHSS_34203HP_Webproxy.HPWEB-PX-COREPHSS_34204PHNE_34306PHNE_23949Mozilla.MOZ-COMMozilla.MOZ-COMPHNE_34543WUFTP-26.INETSVCS-FTPSecure_Shell.SECURE_SHELLSUNWlzas121332
PHCO_33219OS-Core.CORE-ENG-A-MANOS-Core.UX-COREPHCO_33989PHNE_23950InternetSrvcs.INETSVCS-RUNInternetSrvcs.INET-ENG-A-MAN111314
116808
121308
121309
PHCO_30402CIFS-Server.CIFS-RUNCIFS-Server.CIFS-UTILCIFS-Server.CIFS-ADMINCIFS-Server.CIFS-LIBPHSS_34102109023
120240
109024
120239
InternetSrvcs.INETSVCS-RUNInternetSrvcs.INET-ENG-A-MANPHNE_23948IPSec.IPSEC2-KRNIPSec.IPSEC2-KRNTOUR_PRODUCT.T-NET2-KRN111571
115880
Secure_Shell.SECURE_SHELLSecure_Shell.SECURE_SHELLOS-Core.CORE-ENG-A-MANOS-Core.UX-COREPHCO_33967InternetSrvcs.INET-ENG-A-MANPHNE_33792InternetSrvcs.INETSVCS2-RUN120329
120330
/etcpam.conf^other.*krb5.*SysMgmtServer.MX-PORTALSysMgmtServer.MX-PORTALPHCO_32280InternetSrvcs.INETSVCS-RUNInternetSrvcs.INET-ENG-A-MANVirtualVaultOS.VVOS-AUX-IAPHNE_33159117350
118558
118822
117351
109764
116047
119596
109765
121995
118813
InternetSrvcs.INETSVCS2-RUNPHNE_29462WUFTP-26.INETSVCS-FTPOS-Core.UX-COREPHCO_33214PHCO_33215sendmailOS-Core.UX2-COREPHCO_32149PHCO_32926118966
VaultWS.WS-COREPHSS_34123HP_Webproxy.HPWEB-PX-COREPHSS_34163PHCO_34545InternetSrvcs.INETSVCS-RUNPHNE_34544WUFTP-26.INETSVCS-FTP/usr/share/gnome/gnome-aboutgnome-version.xml\s*<description>2\.0\.0.*</description>\s*114644
114645
114686
/usr/share/gnome/gnome-aboutgnome-version.xml\s*<description>2\.0\.2.*</description>\s*115738
114687
115739
/usr/share/gnome-aboutgnome-version.xml\s*<distributor-version>Sun Java Desktop System, Release 2</distributor-version>\s*121092
115677
121321
108994
115678
121322
/etc/krb5krb5.conf^[^#]auth_to_local.*112300
112085
SUNWkrbrSUNWkrbux?112237
112390
112925
112923
112921
108574
108162
108416
110898
108541
112536
110057
110060
116462
SUNWkr5sv108451
113319
11233
X11.X11-RUN-CLPHSS_32109PHSS_30791PHSS_33589PHSS_31833PHSS_32366CIFS-Server.CIFS-RUNCIFS-Server.CIFS-UTILCIFS-Server.CIFS-ADMINCIFS-Server.CIFS-LIB112234
117172
118559
118844
InternetSrvcs.INETSVCS-RUNInternetSrvcs.INET-ENG-A-MANPHNE_33790InternetSrvcs.INETSVCS-RUNInternetSrvcs.INET-ENG-A-MANInternetSrvcs.INETSVCS-RUNInternetSrvcs.INET-ENG-A-MANPHNE_23947PHCO_29269PHCO_30275PHCO_32181PHSS_34169hpuxwsAPACHEhpuxwsAPACHE109324
118535
121004
109325
118536
121005
/usr/lib/dmidmispd108827
108901
.*/usr/dt/bin/rpc.cmsd/usr/dt/binrpc.cmsd^.*dmispd.*Networking.NET2-KRNPHNE_32606111590
SUNWsasnmSUNWbnuu106952
111570
113322
/usr/lib/snmpsnmpdx^.*snmpdx.*/usr/openwin/binxlockSUNWsmbauSUNWwbmc111313
116807
.*smcboot109862
/usr/openwin/libfs.auto/usr/openwin/binxfs108117
110943
SUNWgzip112668
SUNWstm117367
107654
SUNWnisu110322
^.*ypbind.*SUNWdtdmn108221
107702
109354
114497
110286
/usr/openwin/binkcms_serverSUNWftpu114564
.*/usr/sbin/in.ftpdSUNWcsx?u/etcpam.conf[^#]*pam_krb5.*debug/etcsyslog.conf^[^#]*(\*|daemon)\.debug^.*smbd.*SUWNsmbar114684
.*^.*smbd.*108748
108750
108752
106942
107477
108551
108754
108756
108758
108760
108762
108764
.*rpcbind.*SUNWypu109328
113579
^.*ypxfrd.*109007
SUNWnsbSUNWkcsr[tx]114636
111400
.*/usr/openwin/bin/kcms_server114796
SUNWkcl2rSUNWtltkx?112808
SUNWxwfs113923
.*/usr/openwin/lib/fs.auto116895
117000
SUNWsndmu108219
/usr/openwin/binXsunSUNWbip118313
116986
116774
^.*sshd.*SUNWsshdu113273
/etc/sshsshd_config^[^#]*ListenAddress.*0\.0\.0\.0114332
/etcsystem^[^\*]*set.*c2audit.*106950
109147
112963
SUNWsndmr.*sendmail .*113575
107684
110615
SUNWntpu109409
109667
/usr/lib/inet/xntpd/etcnamed.conf109613
112810
SUNWdtdstSUNWpcrSUNWpcuSUNWpsrSUNWpsu109320
113329
112899
106938
109326
/etcnsswitch.conf^[^#]*hosts:.*dns108800
SUNWdtwmSUNWpcu107115
SUNWinamd112970
/usr/sbin/in.named106541
108528
112233
113505
113508
115054
115055
SUNWscvw^/usr/apache/bin/httpd.*SUNWscvw/conf/httpd.conf.*.*krb5kdc.*SUNWmoznavSUNWmozmail117765
117767
108993
112960
/etcnsswitch.conf^[^#].*_attr.*ldap116973
113146
.*httpdSUNWapchu/etc/krb5krb5.conf112908
/etc/krb5krb5.conf^[^#_]*default_realm[^=]*=[^_]*$SUNWdtba[sx]SUNWdthep107178
108949
116308
108376
SUNWxwplt/usr/lib/netsvcrpc.yppasswdd111596
^.*rpc\.yppasswdd.*SUNWrcmds118239
116984
117455
/usr/sbin/in.rwhod107709
107337
/usr/openwin/binkcms_configure.*/usr/lib/netsvc/rwall/rpc.rwalld/usr/lib/netsvc/rwallrpc.rwalld112846
108652
/usr/openwin/binlbxproxykernelnet-snmp.*.*.*.*/usr/dt/bin/rpc.ttdbserverd/usr/dt/binrpc.ttdbserverd107893
opensslopenssl-developenssl-perlopenssl096b108869
/usr/lib/snmpmibiisa^.*mibiisa.*^.*inetd.*114008
.*/usr/lib/fs/cachefs/cachefsd/usr/lib/fs/cachefscachefsd110896
redhat-releaseopensslopenssl-developenssl-perlopenssl096openssl096b020201113truetrue11717161703031truetrue2truetrue1:2.2.2-4.rhel3truetruetrue/usr/sbin/sadmind020101/usr/sbin/sadmind2109317/usr/dt/bin/dtspcdtruetruetrue40:2.4.21-4.0.2.EL0:2.4.21-4.0.2.EL0:2.4.21-4.0.2.EL0:1.4.3-0.e3.10:2.4.21-15.EL0:6.2.0-3.el3.10:1.11.2-180:1.1.0-15.ELtruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetrue0:7.3.10-1truetruetrue0:1.2.2-5truetruetrue0:6.2.5-6.el4.21:0.17-20.EL3.3truetruetrue1:1.8.17-9.21:1.8.17-9.20:2.4.21-32.0.1.EL0:2.4.21-32.0.1.EL0:2.4.21-32.0.1.EL0:1.6.7p5-1.1true0:1.8.4-12.3.10:1.8.4-12.3.11:2.4.1.3-5.10:7.05-32.1truetruetrue0:1.0.1-1.*/radiusd0:1.2.1-4truetrue0:1.1.9-0.90:1.1.9-0.9.1truetruetrue0:2.0.40-21.10:0.9.7a-33.150:0.9.7a-33.150:0.9.7a-33.150:0.9.6b-16.22.3^.*httpd.*0:2.0.40-21.50:2.0.6-2truetruetrue6:3.1-15truetruetrue0:1.2.7-140:1.2.7-140:1.2.7-1462.4.202.4.20-60:11.6.0-11.900:11.6.0-11.900:2.4.20-18.90:2.4.21-15.0.2.EL0:2.4.21-15.0.2.EL0:2.4.21-15.0.2.ELtrue0:4.3.2-24.ent0:2.5-4.RHEL3true2:1.2.2-242:1.2.2-240:1.0.13-140:1.0.13-140:1.3.3-12.rhel3truetruetruetruetruetrue0:2.4.20-13.90:2.4.20-19.96:3.1-120:3.8.19-3.1true^.*lpd.*0:4.49.4-9.9.15:1.4.1-10:3.23.56-1.9^.*mysqld.*0:1.0.1-3.9^.*rpc\.mountd.*0:3.5p1-6.9^.*sshd.*0:3.5p1-110:0.9.7a-50:0.9.7a-50:0.9.7a-50:0.9.6-170:0.9.6b-60:1.1.6-9.92:2.81-88.30:4.2.2-17.20:4.44-19.90.0truetruetrue0:2.2.0-2truetruetrue2:1.1.12-1^.*smtpd.*0:0.9.11-0.90.1^.*smbd.*0:2.2.7a-7.9.00:2.2.7a-8.9.00:2.10.1-1.10:2.10.1-1.1truetruetruetruetruetrue0:8.12.8-5.900:8.12.8-6.90^.*sendmail.*0:1.1.17-13.3^.*cupsd.*truetruetruetrue^.*sendmail.*0:8.12.8-9.900:1.2.11-10:5.50-33truetruetrue0:1.3.7.2-6true0:3.1.23.1-50:1.1.3-8^.*vsftpd.*0:3.1.6-22.EL3truetruetrue2:2.3.11-1.9.0^.*xinetd.*1:2.0.1-11truetruetrue0:2.8-0.9E^.*ypserv.*0:7.3.10-10:5.5.6-141:2.0.14-4truetruetrue1:1.3.1-0.el3truetruetrue0:1.0.2-11.EL3.4truetruetrue0:1.4.7-4.10:9.24-10.90.10:9.24-10.90.10:9.24-10.90.1^.*4.S37:1.7.10-1.4.10:4.3.0-2.90.55truetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetrue0:9.24-11.30.10:9.24-11.30.10:9.24-11.30.15:1.4.1-3.33:2.1.1-5^.*httpd.*truetruetrue37:1.7.10-1.1.3.11:0.75-0.9.0truetruetrue0:2.7-2truetrue1:4.6.0-7.9truetruetruetruetruetrue6:3.1-130:2.4.21-9.0.1.EL0:2.4.21-9.0.1.EL0:2.4.21-9.0.1.EL.*0:1.4.7-7.EL^.*smbd.*0:3.0.2-6.3Etruetruetrue0:4.3.0-55.EL0:2.4.20-30.90:2.4.20-30.90:2.4.20-30.9truetruetrue5:1.4.1-3.40:3.0.1-41:0.22.0-6.0.31:0.22.0-6.0.31:0.22.0-6.0.31:0.22.0-6.1.01:0.22.0-6.1.01:0.22.0-6.1.00:4.0.7-4.rhl9.114:3.7.2-7.9.1truetruetrue14:3.7.2-7.E3.10:1.11.2-130:0.10.0a-0.90.10:0.10.0a-0.90.1truetruetruetruetruetruetruetruetrue6:3.1-60:2.4.20-28.90:2.4.20-28.90:2.4.20-28.90:1.0.6-7.EL^.*rpc\.mountd0:4.0.7-4.EL3.20:2.0.40-21.9^.*httpd\.worker.*0:2.0.46-26.enttruetruetrue6:3.1.3-3.3true0:1.11.2-1437:1.4.2-0.9.037:1.4.2-0.9.0truetruetrue0:2.5.10-60:2.5.10-60:2.5.10-6^.*httpd0:2.0.46-32.ent7:2.5STABLE1-3.90:0.9.13-1.90.10:0.9.13-1.90.10:0.10.3-0.90.10:0.10.3-0.90.10:0.10.3-0.30E.10:0.10.3-0.30E.137:1.4.2-3.0.20:2.4.21-9.0.3.EL0:2.4.21-9.0.3.EL0:2.4.21-9.0.3.EL^.*squid.*7:2.5.STABLE3-5.3E6:3.1.3-6.4truetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetrue0:5.5.6-150:2.5.7-4.3E0:1.11.2-222:1.2.2-212:1.2.2-210:1.0.13-120:1.0.13-12^.*3.S14:3.7.2-7.E3.2truetruetrue0:1.14i-10.2truetruetrue0:0.5.5-1.3EL.0truetruetruetrue7:2.5.STABLE3-6.3E^.*squid0:0.2.5-0.4^.*racoontruetruetruetruetruetruetruetruetrue0:0.10.3-0.30E.20:0.10.3-0.30E.20:1.2.7-24truetruetrue0:1.11.2-240:2.4.21-15.ELtruetruetruetrue5.1064^i.*8614PHCO28847PHSS2996314B.11.11B.11.11PHCO23263PHNE331591204130303030101PHSS30302PHCO30006B.11.00B.11.00B.11.10PHCO23262B.11.10B.11.1001PHNE34077B.11.04PHNE33412B.11.11B\.11\.00\.(00.*|01\.00[0-4])B.11.23PHNE33414B.10.10B.10.20PHCO23261B.10.01B.10.30B\.11\.11\.(00.*|01\.00[0-5])PHSS29964PHCO288482728A\.0[12]\..*PHNE326060510150509050811PHNE33395D\.5\.8\.0\.[ABCDEF]B.11.23D.5.8.3.AB.11.11D\.5\.8\.2\.[ABCDE]B.11.00D\.5\.6\..*D\.5\.8\.2\.[ABC]121108130110060120067\.0,.*7\.0,.*01030304040101\d+/8\d+PHNE33427\d+/7\d+B.11.045005true^i.*865.105.7true055.8399382[Ss][Pp][Aa][Rr][Cc]true5.9945208834108PHCO29249PHNE30983PHNE31732B.11.23PHKL33713PHKL33714020902020504030338270202101011110101PHNE24395020102040707PHNE33791B.10.24PHNE24395A.04.70A.04.70PHSS34121A.04.60PHSS34170A.04.60PHSS34120A.04.50PHSS34171A.04.50PHSS34119A.02.10PHSS34203A.02.00PHSS34204PHNE34306PHNE23949((1\.7\.12\..*)|(1\.(([8-9])|(\d{2,}))\..*)|(1\.7\.((1[3-9])|([2-9]\d+))\..*))PHNE34543B\.11\.11\.(00.*|01\.00[0-5])A(\.0[0-3]\..*|\.04\.[0-1].*|\.04\.20\.00[0-4])01PHCO33219B.11.00B.11.00PHCO33989PHNE23950B.11.11B.11.11030302020101PHCO30402A\.01\.(0.*|10.*|11[^\.]|11\.0[0-3])A\.01\.(0.*|10.*|11[^\.]|11\.0[0-3])A\.01\.(0.*|10.*|11[^\.]|11\.0[0-3])A\.01\.(0.*|10.*|11[^\.]|11\.0[0-3])PHSS3410205010501B.10.20B.10.20B.10.20PHNE23948A\.([01].*|2\.00\.00)A\.0[12]\..*04040302A(\.0[0-3]\..*|\.04\.[0-1].*|\.04\.20\.00[0-3])B.11.11B.11.11PHCO33967B.11.23PHNE33792B.11.230202C.04.00.00.00C.04.01.00.00PHCO32280B.11.04B.11.04B.11.04PHNE3315924332229332229060303060103B.11.22PHNE29462B.11.22B\.11\.00\.(00.*|01\.00[0-3])PHCO33214PHCO33215([0-7]|8\.([0-9]|1[01]))8\.12\.([0-9]|10)8\.13\.[0-5]PHCO32149PHCO329261417PHSS34123PHSS34163B.11.04PHCO34545PHNE34544B\.11\.11\.(00.*|01\.00[0-7])03030304030401145102011451020116051109010209080303021003040201020360407040106010222PHSS32109PHSS30791PHSS33589PHSS31833PHSS32366A.02.01A.02.01A.02.01A.02.011112161924B.11.00B.11.00PHNE33790B.10.01B.10.01B.10.10B.10.10B.10.01B.10.10PHNE23947PHCO29269PHCO30275PHCO32181PHSS34169B.11.11B.11.00(((A|B)\.2\.0\.55\.\d+)|((A|B)\.[3-9]\..*)|((A|B)\.[1-9]\d+\..*)|((A|B)\.2\.[1-9]\d*\..*)|((A|B)\.2\.\d+\.[6-9]\d+\..*)|((A|B)\.2\.\d+\.5[6-9]\d*\..*)|((A|B)\.2\.\d+\.\d{3,}\..*))[Ss][Pp][Aa][Rr][Cc]^i.*865.10090301090301306/usr/dt/bin/rpc.cmsdtruetruetrue\d+/7\d+\d+/8\d+B.11.23PHNE326063821815040302truetrue30520102013truetruetrue6020227011409059201002010112190110truetruetrue02/usr/sbin/in.ftpd081306131202^.*smbd.*010808030101011409030301010101010103013318120710010302/usr/openwin/bin/kcms_server04040202/usr/openwin/lib/fs.auto1201031010012truetrue38010203050810140709051111241804030404160706130702106090202051203251905020201010202381701051503080125302010101192truetruetrue/usr/lib/netsvc/rwall/rpc.rwalldtruetruetrue151truetruex86_640:2.4.21-9.EL0:5.0.9-2.30E.1^.*snmpd.*/usr/dt/bin/rpc.ttdbserverdtruetruetrue5.719^3.S0:0.9.7a-33.40:0.9.7a-33.40:0.9.7a-33.40:0.9.6b-16165.8root5.901/usr/lib/fs/cachefs/cachefsdtruetruetrue029^i.*860:0.9.7a-20.20:0.9.7a-20.20:0.9.7a-20.20:0.9.6-25.90:0.9.6b-15