The OVAL Repository 5.4 2008-08-21T09:09:12.281-04:00 Red Hat Linux 9 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Sendmail Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations. Robert L. Hollis DRAFT INTERIM ACCEPTED Vladimir Giszpenc INTERIM ACCEPTED Sudhir Gandhe INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 The operating system installed on the system is Red Hat Enterprise Linux 4 for x86. Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 for x86. Mark Villanova DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mod_python Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED Robert L. Hollis DEPRECATED DEPRECATED Red Hat Linux 9 OpenSSL The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSL OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mozilla Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mozilla Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mozilla Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 httpd Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 KDE Personal Information Management (kdepim) Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Tethereal The Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 CVS server CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 tcpdump The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 tcpdump The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 sysstat The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 tcpdump tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 gdk-pixbuf gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. Jay Beale INTERIM Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The OSI dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mremap The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Vicam USB driver The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mod_python Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 KDE Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Midnight Commander Stack-based buffer overflow in vfs_s_resolve_symlink of vfs/direntry.c for Midnight Commander (mc) 4.6.0 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code during symlink conversion. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 slocate Heap-based buffer overflow in main.c of slocate 2.6, and possibly other versions, may allow local users to gain privileges via a modified slocate database that causes a negative "pathlen" value to be used. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Gaim Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Gaim Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Gaim Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Mailman Cross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookies of other users. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Mailman Cross-site scripting (XSS) vulnerability in the admin CGI script for Mailman before 2.1.4 allows remote attackers to steal session cookies and conduct unauthorized activities. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Mutt Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 XFree86 Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 XFree86 Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 XFree86 Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 netpbm netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED