The OVAL Repository 5.6 2009-11-20T04:31:59.182-05:00 HP-UX 11 Unspecified vulnerability in libc on HP HP-UX B.11.23 and B.11.31 allows remote attackers to cause a denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED Pai Peng INTERIM INTERIM HP-UX 11 Unspecified vulnerability in Role-Based Access Control (RBAC) in HP HP-UX B.11.23 and B.11.31 allows local users to bypass intended access restrictions via unknown vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in bootpd in HP HP-UX B.11.11, B.11.23, and B.11.31 allows remote attackers to cause a denial of service via unknown attack vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The asn1buf_imbed function in the ASN.1 decoder in MIT Kerberos 5 (aka krb5) 1.6.3, when PK-INIT is used, allows remote attackers to cause a denial of service (application crash) via a crafted length value that triggers an erroneous malloc call, related to incorrect calculations with pointer arithmetic. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in HP-UX B.11.31 allows local users to cause a denial of service (system crash) via unknown vectors related to the ttrace system call. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in useradd in HP HP-UX B.11.11, B.11.23, and B.11.31 allows local users to access arbitrary files and directories via unknown vectors, a different issue than CVE-2008-1660. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache Unspecified vulnerability in usermod in HP-UX B.11.00, B.11.11, and B.11.23, when run with certain options that involve a new home directory, might cause usermod to change the ownership of all directories and files under the new directory, which might result in less secure permissions than intended. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM Nabil Ouchn ACCEPTED ACCEPTED HP-UX 11 Apache The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Perl Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED HP-UX 11 Samba Integer overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unknown vulnerability in the login page for HP Systems Insight Manager (SIM) 4.0 and 4.1, when accessed by Microsoft Internet Explorer with the MS04-025 patch, leads to a denial of service (browser hang). NOTE: although the advisory is vague, this issue does not appear to involve an attacker at all. If not, then this issue is not a vulnerability. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 SecureShell sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 SecureShell zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Samba Integer overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 SecureShell sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 mozilla Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 SecureShell zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in usermod in HP-UX B.11.00, B.11.11, and B.11.23, when run with certain options that involve a new home directory, might cause usermod to change the ownership of all directories and files under the new directory, which might result in less secure permissions than intended. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 swagentd Unspecified vulnerability in swagentd in HP-UX B.11.00, B.11.04, and B.11.11 allows remote attackers to cause a denial of service (application crash) via unspecified vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 AutoRAID Manager Possible unknown vulnerability or vulnerabilities in HP DiskArray Utilities with AutoRAID Manager. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 swagentd Unspecified vulnerability in swagentd in HP-UX B.11.00, B.11.04, and B.11.11 allows remote attackers to cause a denial of service (application crash) via unspecified vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd The wu_fnmatch function in wu_fnmatch.c in wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 AutoRAID Manager Possible unknown vulnerability or vulnerabilities in HP DiskArray Utilities with AutoRAID Manager. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System /sbin/passwd in HP-UX B.11.00, B.11.11, and B.11.23 before 20060326 "does not recover gracefully from some error conditions," which allows local users to cause a denial of service. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System /sbin/passwd in HP-UX B.11.00, B.11.11, and B.11.23 before 20060326 "does not recover gracefully from some error conditions," which allows local users to cause a denial of service. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 remshd Unknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unspecified vulnerability in xterm for HP-UX 11.00, 11.11, and 11.23 allows local users to gain privileges via unknown vectors. Robert L. Hollis DRAFT Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 envd envd daemon in HP-UX B.11.00 through B.11.11 allows local users to obtain privileges via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd The wu_fnmatch function in wu_fnmatch.c in wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd The wu_fnmatch function in wu_fnmatch.c in wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM Matthew Wojcik ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 remshd Unknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM Matthew Wojcik ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Michael Wood INTERIM ACCEPTED ACCEPTED HP-UX 11 envd daemon in HP-UX B.11.00 through B.11.11 allows local users to obtain privileges via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Michael Wood INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Michael Wood INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in su in HP HP-UX B.11.11, when using the LDAP netgroup feature, allows local users to gain unspecified access. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Michael Wood INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in xterm for HP-UX 11.00, 11.11, and 11.23 allows local users to gain privileges via unknown vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Michael Wood INTERIM ACCEPTED ACCEPTED HP-UX 11 Unknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Michael Wood INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in usermod in HP-UX B.11.00, B.11.11, and B.11.23, when run with certain options that involve a new home directory, might cause usermod to change the ownership of all directories and files under the new directory, which might result in less secure permissions than intended. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Michael Wood INTERIM ACCEPTED ACCEPTED HP-UX 11 The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Stack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflow in dtmail on HP Tru64 UNIX 4.0F through 5.1B and HP-UX B.11.00 through B.11.23 allows local users to execute arbitrary code via a long -a (aka attachment) argument. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport functionality in HP-UX B.11.11 and B.11.23 allows local users to cause an unspecified denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the FTP server for HP-UX B.11.11, B.11.23, and B.11.31 allows remote authenticated users to cause a denial of service (FTP server outage) via unknown attack vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport software in HP-UX B.11.11 and B.11.23 before 20060912 allows local users to cause a denial of service via unspecified vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the LP subsystem in HP-UX B.11.00, B.11.04, B.11.11, and B.11.23 allows remote attackers to cause a denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the Aries PA-RISC emulator on HP-UX B.11.23 and B.11.31 on the IA-64 platform allows local users to obtain unspecified access. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in HP-UX B.11.00, B.11.11 and B.11.23, when running in trusted mode, allows local users to cause a denial of service via unspecified vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in useradd on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to access arbitrary files and directories via unspecified vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport functionality in HP-UX B.11.00 allows local users to cause a denial of service via unknown vectors. NOTE: due to lack of vendor details, it is not clear whether this is the same as CVE-2007-0916. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in HP-UX B.11.11 and B.11.23 CIFS Server (Samba) allows local users to gain privileges or obtain "unauthorized access" via unspecified vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in HP Ignite-UX server before C.6.9.150 for HP-UX B.11.00, B.11.11, and B.11.23 allows remote attackers to "gain root access" via unspecified vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in mkdir in HP-UX B.11.00, B.11.04, B.11.11, and B.11.23 allows local users to gain privileges via unknown attack vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflow in the sw_rpc_agent_init function in swagentd in Software Distributor (SD), and possibly other DCE applications, in HP HP-UX B.11.11 and B.11.23 allows remote attackers to execute arbitrary code or cause a denial of service via malformed arguments in an opcode 0x04 DCE RPC request. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in rpc.yppasswdd in HP HP-UX B.11.11, B.11.23, and B.11.31 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Multiple cross-site scripting (XSS) vulnerabilities in HP System Management Homepage (SMH) in HP-UX B.11.11, B.11.23, and B.11.31, and SMH before 2.1.10 for Linux and Windows, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The logins command in HP-UX B.11.31, B.11.23, and B.11.11 does not correctly report password status, which allows remote attackers to obtain privileges when certain "password issues" are not detected. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflow in rwrite for HP-UX 11.0 could allow local users to execute arbitrary code via a long argument. NOTE: the vendor was unable to reproduce the problem on a system that had been patched for an lp vulnerability (CVE-2002-1473). Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in xntpd of HP-UX 10.20 through 11.11 allows remote attackers to cause a denial of service (hang) via unknown attack vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Stack-based buffer overflow in the (1) swpackage and (2) swmodify commands in HP-UX B.11.11 and possibly other versions allows local users to execute arbitrary code via a long -S argument. NOTE: this might be a duplicate of CVE-2006-2574, but the details relating to CVE-2006-2574 are too vague to be certain. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 HP asecure creates the Audio Security File audio.sec with insecure permissions, which allows local users to cause a denial of service or gain additional privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Partition Manager (parmgr) in HP-UX B.11.23 does not properly validate certificates that are provided by the cimserver, which allows attackers to obtain sensitive data or gain privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Vulnerability in top in HP-UX 11.04 and earlier allows local users to overwrite files owned by the "sys" group. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport functionality in HP-UX B.11.11, B.11.23, and B.11.31 allows remote attackers to cause an unspecified denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the ied command in HP-UX 10.10, 10.20, and 11.0 allows local users to view "normally invisible data" via unknown attack vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Vulnerability in Predictive on HP-UX 11.0 and earlier, and MPE/iX 5.5 and earlier, allows attackers to compromise data transfer for Predictive messages (using e-mail or modem) between customer and Response Center Predictive systems. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 geteuid in Itanium Architecture (IA) running on HP-UX 11.20 does not properly identify a user's effective user id, which could allow local users to gain privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unknown vulnerability in System Administration Manager (SAM) in HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 allows local users to gain privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in HP-UX B.11.31, when running ARPA Transport, allows remote attackers to cause a denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflow in wall for HP-UX 10.20 through 11.11 may allow local users to execute arbitrary code by calling wall with a large file as an argument. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unknown vulnerability in ftpd on HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23 allows remote authenticated users to gain "unauthorized access to files." Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflow in the Software Distributor utilities for HP-UX B.11.00 and B.11.11 allows local users to execute arbitrary code via a long LANG environment variable to setuid programs such as (1) swinstall and (2) swmodify. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The kernel in HP-UX 11.11 does not properly provide arguments for setrlimit, which could allow local attackers to cause a denial of service (kernel panic) and possibly gain privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Dynamically Loadable Kernel Module (dlkm) static kernel symbol table in HP-UX 11.11 is not properly configured, which allows local users to gain privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd). Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unknown vulnerability in ndd for HP-UX 11.11 with certain TRANSPORT patches allows attackers to cause a denial of service. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Vulnerability in inetd server in HP-UX 11.04 and earlier allows attackers to cause a denial of service when the "swait" state is used by a server. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The get_system_info command in Ignite-UX C.7.0 through C.7.3, and DynRootDisk (DRD) A.1.0.16.417 through A.2.0.0.592, on HP-UX B.11.11, B.11.23, and B.11.31 does not inform local users of networking changes made by the command, which has unknown impact and attack vectors. Michael Wood DRAFT Michael Wood INTERIM ACCEPTED ACCEPTED HP-UX 11 Vulnerability in passwd for HP-UX 11.00 and 11.11 allows local users to corrupt the password file and cause a denial of service. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflow in line printer daemon (rlpdaemon) in HP-UX 10.01 through 11.11 allows remote attackers to execute arbitrary commands. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 stmkfont in HP-UX B.11.00 through B.11.23 relies on the user-specified PATH when executing certain commands, which allows local users to execute arbitrary code by modifying the PATH environment variable to point to malicious programs. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 ftp on HP-UX 11.00 allows local users to gain privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The October 1998 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the ps and grep commands. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Multiple unknown vulnerabilities in the "r-cmnds" (1) remshd, (2) rexecd, (3) rlogind, (4) rlogin, (5) remsh, (6) rcp, (7) rexec, and (8) rdist for HP-UX 10.00 through 11.00 allow attackers to gain privileges or access files. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Multiple unspecified vulnerabilities in Software Distributor in HP-UX B.11.00, B.11.04, B.11.11, and B.11.23 allow local users to gain privileges via unspecified attack vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Vulnerability in shutdown command for HP-UX 11.X and 10.X allows allows local users to gain privileges via malformed input variables. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Teardrop IP denial of service. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 ptrace on HP-UX 11.00 through 11.11 allows local users to cause a denial of service (data page fault panic) via "an incorrect reference to thread register state." Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflow in stmkfont utility of HP-UX 10.0 through 11.22 allows local users to gain privileges via a long command line argument. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unknown vulnerability in pam_authz in the LDAP-UX Integration product on HP-UX 11.00 and 11.11 allows remote attackers to execute r-commands with privileges of other users. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflow in rexec on HP-UX B.10.20, B.11.00, and B.11.04, when setuid root, may allow local users to gain privileges via a long -l option. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in HP-UX B.11.00 to B.11.23, when IPSEC is running, allows remote attackers to have unknown impact. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 asecure as included with HP-UX 10.01 through 11.00 can allow a local attacker to create a denial of service and gain additional privileges via unsafe permissions on the asecure program, a different vulnerability than CVE-2000-0083. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unknown vulnerability in newgrp in HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain elevated privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Vulnerability in swinstall for HP-UX 11.00 and 11.11 allows local users to view obtain data views for files that cannot be directly read by the user, which reportedly can be used to cause a denial of service. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in Support Tools Manager (xstm, cstm, and stm) on HP-UX B.11.11 and B.11.23 allows local users to cause an unspecified denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 kmmodreg in HP-UX 11.11, 11.04 and 11.00 allows local users to create arbitrary world-writeable files via a symlink attack on the (1) /tmp/.kmmodreg_lock and (2) /tmp/kmpath.tmp temporary files. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 HP-UX aserver program allows local users to gain privileges via a symlink attack. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflow in Kermit communications software in HP-UX 11.0 and earlier allows local users to cause a denial of service and possibly execute arbitrary commands. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in Software Distributor in HP-UX B.11.11 allows remote attackers to gain access via unspecified attack vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Multiple unspecified vulnerabilities in the Internet Key Exchange version 1 (IKEv1) implementation in HP HP-UX B.11.00, B.11.11, and B.11.23 running IPSec, HP Jetdirect 635n IPv6/IPsec Print Server, and HP Tru64 UNIX 5.1B-3 and 5.1B-2/PK4, allow remote attackers to cause a denial of service via certain IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. NOTE: due to the lack of details in the HP advisory, it is unclear which of CVE-2005-3666, CVE-2005-3667, and/or CVE-2005-3668 this issue applies to. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 RFC-NETBIOS in HP Advanced Server/9000 B.04.05 through B.04.09, when running HP-UX 11.00 or 11.11, allows remote attackers to cause a denial of sevrice (panic) via a malformed UDP packet on port 139. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Vulnerability in auto_parms and set_parms in HP-UX 11.00 and earlier allows remote attackers to execute arbitrary commands or cause a denial of service. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Vulnerability in newgrp command in HP-UX 11.0 allows local users to gain privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Vulnerability in login in HP-UX 11.00, 11.11, and 10.20 allows restricted shell users to bypass certain security checks and gain privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Vulnerability in CIFS/9000 Server (SAMBA) A.01.06 and earlier in HP-UX 11.0 and 11.11, when configured as a print server, allows local users to overwrite arbitrary files by modifying certain resources. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The Sun Java Plugin capability in Java 2 Runtime Environment (JRE) 1.4.2_01, 1.4.2_04, and possibly earlier versions, does not properly restrict access between Javascript and Java applets during data transfer, which allows remote attackers to load unsafe classes and execute arbitrary code by using the reflection API to access private Java packages. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 rpcbind in HP-UX 11.00, 11.04 and 11.11 allows remote attackers to cause a denial of service (core dump) via a malformed RPC portmap requests, possibly related to a buffer overflow. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unknown vulnerability in BIND 9.2.0 in HP-UX B.11.00, B.11.11, and B.11.23 allows remote attackers to cause a denial of service. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport software in HP-UX B.11.00, B.11.04, and B.11.11 before 20040628 allows local users to cause a denial of service via unspecified vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 JFS (JFS3.1 and OnlineJFS) in HP-UX 10.20, 11.00, and 11.04 does not properly implement the sticky bit functionality, which could allow attackers to bypass intended restrictions on filesystems. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Stack-based buffer overflow in the FTP daemon in HP-UX 11.11i, with the -v (debug) option enabled, allows remote attackers to execute arbitrary code via a long command request. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the kernel in HP-UX B.11.00 allows local users to cause an unspecified denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the FTP Daemon (ftpd) for HP Tru64 UNIX 4.0F PK8 and other versions up to HP Tru64 UNIX 5.1B-3, and HP-UX B.11.00, B.11.04, B.11.11, and B.11.23, allows remote authenticated users to cause a denial of service (hang). Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Land IP denial of service. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The June 1999 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the awk command. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflows in lpspooler in the fileset PrinterMgmt.LP-SPOOL of HP-UX 11.0 and earlier allows local users to gain privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The NSAPI plugins for TGA and the Java Servlet proxy in HP-UX VVOS 10.24 and 11.04 allows an attacker to cause a denial of service (high CPU utilization). Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the kernel in HP-UX B.11.00, B.11.11, and B.11.23 allows local users to cause an unspecified denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in X.25 on HP-UX B.11.00, B.11.11, and B.11.23 allows local users to cause an unspecified denial of service via unknown vectors. Michael Wood Michael Wood INTERIM ACCEPTED ACCEPTED HP-UX 11 Denial of service in HP-UX SharedX recserv program. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The "file handling" in sort in HP-UX 10.01 through 10.20, and 11.00 through 11.11 is "incorrect," which allows attackers to gain access or cause a denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 HP-UX B.11.00, B.11.04, B.11.11, and B.11.23 allows remote attackers to cause a denial of service via a "Rose Attack" that involves sending a subset of small IP fragments that do not form a complete, larger packet. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 RLPDaemon in HP-UX 10.20 and 11.0 allows local users to overwrite arbitrary files and gain privileges by specifying the target file in the -L option. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The Xserver for HP-UX 11.22 was not properly built, which introduced a vulnerability that allows local users to gain privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 HP-UX B.11.00 through B.11.23, when running Ignite-UX and using the add_new_client command, causes the TFTP server to set world-writable permissions on part of the directory tree, which allows remote attackers to modify data or cause disk consumption. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and 11.x. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED