4.120051116211256

Sun Solaris 8 | kcms_configure | David Proulx
kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument.
CVE-2001-0594 | ACCEPTED | 1

Sun Solaris 8 | libnsl | David Proulx
Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.
CVE-2002-0391 | ACCEPTED | 1

Sun Solaris 8 | xlock | David Proulx
Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable.
CVE-2001-0652 | ACCEPTED | 1

Sun Solaris 8 | snmpdx | David Proulx
Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges.
CVE-2002-0796 | ACCEPTED | 1

Sun Solaris 8 | Xsun | David Proulx
Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.
CVE-2002-0158 | ACCEPTED | 1

Sun Solaris 8 | CDE | David Proulx
CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.
CVE-2002-0677 | ACCEPTED | 1

Sun Solaris 8 | cachefsd | David Proulx | Brian Soby | INTERIM | ACCEPTED
Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.
CVE-2002-0033 | ACCEPTED | 3

Sun Solaris 7 | Xsun | David Proulx
Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.
CVE-2002-0158 | ACCEPTED | 1

Sun Solaris 7 | whodo | David Proulx
Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable.
CVE-2001-1076 | ACCEPTED | 1

Sun Solaris 7 | rpc.rwalld | David Proulx
Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed.
CVE-2002-0573 | ACCEPTED | 1

Sun Solaris 7 | libnsl | David Proulx
Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.
CVE-2002-0391 | ACCEPTED | 1

Sun Solaris 7 | cachefsd | David Proulx | Brian Soby | INTERIM | ACCEPTED
Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument.
CVE-2002-0084 | ACCEPTED | 2

Sun Solaris 8 | whodo | David Proulx
Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable.
CVE-2001-1076 | ACCEPTED | 1

Sun Solaris 7 | admintool | David Proulx
Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path.
CVE-2002-0088 | ACCEPTED | 1

Sun Solaris 8 | rpc.yppasswdd | David Proulx
Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.
CVE-2001-0779 | ACCEPTED | 1

Sun Solaris 8 | admintool | David Proulx
Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path.
CVE-2002-0088 | ACCEPTED | 1

Sun Solaris 7 | mibiisa | David Proulx
Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges.
CVE-2002-0797 | ACCEPTED | 1

Sun Solaris 7 | kcms_configure | David Proulx
kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument.
CVE-2001-0594 | ACCEPTED | 1

Sun Solaris 8 | admintool | David Proulx
Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file.
CVE-2002-0089 | ACCEPTED | 1

Sun Solaris 7 | admintool | David Proulx
Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file.
CVE-2002-0089 | ACCEPTED | 1

Sun Solaris 8 | dtspcd | David Proulx
Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.
CVE-2001-0803 | ACCEPTED | 1

Sun Solaris 7 | dtspcd | David Proulx
Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.
CVE-2001-0803 | ACCEPTED | 1

Sun Solaris 8 | rpc.rwalld | David Proulx
Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed.
CVE-2002-0573 | ACCEPTED | 1

Sun Solaris 7 | CDE | David Proulx
CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.
CVE-2002-0678 | ACCEPTED | 1

Sun Solaris 8 | lbxproxy | David Proulx
Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option.
CVE-2002-0090 | ACCEPTED | 1

Sun Solaris 7 | CDE | David Proulx
CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.
CVE-2002-0677 | ACCEPTED | 1

Sun Solaris 8 | mibiisa | David Proulx
Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges.
CVE-2002-0797 | ACCEPTED | 1

Sun Solaris 8 | cachefsd | David Proulx | Brian Soby | Brian Soby | INTERIM | ACCEPTED
Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument.
CVE-2002-0084 | ACCEPTED | 2

Sun Solaris 7 | rpc.yppasswdd | David Proulx
Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.
CVE-2001-0779 | ACCEPTED | 1

Sun Solaris 7 | snmpdx | David Proulx
Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges.
CVE-2002-0796 | ACCEPTED | 1

Sun Solaris 7 | kcms_server | David Proulx
Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.
CVE-2003-0027 | ACCEPTED | 1

Sun Solaris 7 | cachefsd | David Proulx | Brian Soby | INTERIM | ACCEPTED
Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.
CVE-2002-0033 | ACCEPTED | 2

Sun Solaris 7 | xlock | David Proulx
Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable.
CVE-2001-0652 | ACCEPTED | 1

Sun Solaris 8 | fs.auto, xfs | David Proulx
Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.
CVE-2002-1317 | ACCEPTED | 2

Sun Solaris 7 | fs.auto, xfs | David Proulx
Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.
CVE-2002-1317 | ACCEPTED | 2

Sun Solaris 8 | CDE | David Proulx
CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.
CVE-2002-0678 | ACCEPTED | 1

Sun Solaris 7 | CDE | David Proulx
Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure.
CVE-2002-0679 | ACCEPTED | 1

Sun Solaris 7 | lbxproxy | David Proulx
Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option.
CVE-2002-0090 | ACCEPTED | 1

Sun Solaris 8 | CDE | David Proulx
Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure.
CVE-2002-0679 | ACCEPTED | 1

Sun Solaris 8 | kcms_server | David Proulx
Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.
CVE-2003-0027 | ACCEPTED | 1

Sun Solaris 9 | Bind | Brian Soby | DRAFT | INTERIM | ACCEPTED
BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size.
CVE-2002-1220 | ACCEPTED | 1

Sun Solaris 7 | Xsun | Brian Soby | DRAFT | INTERIM | ACCEPTED
Buffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable.
CVE-2001-0422 | ACCEPTED | 1

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | Licence Logging Service | Brian Soby | DRAFT | INTERIM | ACCEPTED
Unknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code.
CVE-2004-1351 | ACCEPTED | 1

Sun Solaris 7 | Sun Solaris 8 | snmpdx | Brian Soby | DRAFT | INTERIM | ACCEPTED
Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.
CVE-2002-0012 | ACCEPTED | 1

Sun Solaris 9 | CDE | Brian Soby | DRAFT | INTERIM | ACCEPTED | Brian Soby | Brian Soby | INTERIM | ACCEPTED
CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.
CVE-2002-0677 | ACCEPTED | 2

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | Solaris Enterprise Authentication Mechanism (SEAM) | Brian Soby | DRAFT | INTERIM | ACCEPTED
MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference.
CVE-2003-0058 | ACCEPTED | 1

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | uucp | Brian Soby | DRAFT | INTERIM | ACCEPTED | Matthew Wojcik | INTERIM | INTERIM | ACCEPTED
Multiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user.
CVE-2004-1359 | ACCEPTED | 2

Sun Solaris 8 | mozilla | Brian Soby | DRAFT | INTERIM | ACCEPTED
Mozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI.
CVE-2004-0760 | ACCEPTED | 1

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | Sadmin | Brian Soby | Brian Soby | DRAFT | INTERIM | ACCEPTED
The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets.
CVE-2003-0722 | ACCEPTED | 1

Sun Solaris 7 | CDE | Brian Soby | Brian Soby | DRAFT | INTERIM | ACCEPTED
Double-free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet.
CVE-2004-0368 | ACCEPTED | 1

Sun Solaris 9 | Samba | Brian Soby | DRAFT | INTERIM | ACCEPTED
Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string.
CVE-2002-1318 | ACCEPTED | 1

Sun Solaris 7 | libpng | Brian Soby | DRAFT | INTERIM | ACCEPTED
Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image.
CVE-2004-0599 | ACCEPTED | 1

Sun Solaris 8 | Sun Solaris 9 | Solaris Management Console (SMC) | Brian Soby | DRAFT | INTERIM | ACCEPTED | Matthew Wojcik | INTERIM | INTERIM | ACCEPTED
The Solaris Management Console (SMC) in Sun Solaris 8 and 9 generates different 404 error messages when a file does not exist versus when a file exists but is otherwise inaccessible, which could allow remote attackers to obtain sensitive information in conjunction with a directory traversal (..) attack.
CVE-2004-1354 | ACCEPTED | 2

Sun Solaris 8 | tcsh | Brian Soby | DRAFT | INTERIM | ACCEPTED | Matthew Wojcik | INTERIM | DRAFT | INTERIM | ACCEPTED
Unknown vulnerability in the ls-F builtin function in tcsh on Solaris 8 allows local users to create or delete files as other users, and gain privileges.
CVE-2003-1024 | ACCEPTED | 2

Sun Solaris 8 | Licence Logging Service | Brian Soby | DRAFT | INTERIM | ACCEPTED
gzip before 1.3 in Solaris 8, when called with the -f or -force flags, will change the permissions of files that are hard linked to the target files, which allows local users to view or modify these files.
CVE-2004-1349 | ACCEPTED | 1

Sun Solaris 8 | Sun Solaris 9 | sendfilev() | Brian Soby | DRAFT | INTERIM | ACCEPTED | INTERIM | DRAFT | INTERIM | ACCEPTED
Unknown vulnerability in the sendfilev function in Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.
CVE-2004-1356 | ACCEPTED | 2

Sun Solaris 8 | Sun Enterprise Storage Manager (ESM) | Brian Soby | DRAFT | INTERIM | ACCEPTED
ACCEPTED | 1

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | /usr/lib/print/conv_fix | Brian Soby | DRAFT | INTERIM | ACCEPTED | INTERIM | DRAFT | INTERIM | ACCEPTED
Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files.
CVE-2004-1360 | ACCEPTED | 2

Sun Solaris 7 | NIS | Brian Soby | DRAFT | INTERIM | ACCEPTED
Buffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remote attackers to execute arbitrary code.
CVE-2001-1328 | ACCEPTED | 1

Sun Solaris 7 | dtspcd | Brian Soby | DRAFT | INTERIM | ACCEPTED
The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.
CVE-1999-0689 | ACCEPTED | 1

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | CDE | Brian Soby | DRAFT | INTERIM | ACCEPTED
Heap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable.
CVE-2003-0092 | ACCEPTED | 1

Sun Solaris 9 | Solaris Management Console (SMC) | Brian Soby | DRAFT | INTERIM | ACCEPTED
Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.
CVE-2003-0466 | ACCEPTED | 1

Sun Solaris 8 | Sun Solaris 9 | Apache | Brian Soby | Brian Soby | Brian Soby | DRAFT | INTERIM | ACCEPTED
Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."
CVE-2004-0174 | ACCEPTED | 1

Sun Solaris 7 | Solaris Enterprise Authentication Mechanism (SEAM) | Brian Soby | DRAFT | Brian Soby | INTERIM | ACCEPTED
Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.
CVE-2004-0523 | ACCEPTED | 1

Sun Solaris 7 | Bind | Brian Soby | DRAFT | INTERIM | ACCEPTED | Brian Soby | Brian Soby | INTERIM | ACCEPTED
ISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote attackers to poison the cache via a malicious name server that returns negative responses with a large TTL (time-to-live) value.
CVE-2003-0914 | ACCEPTED | 2

Sun Solaris 7 | login | Brian Soby | DRAFT | INTERIM | ACCEPTED
Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.
CVE-2001-0797 | ACCEPTED | 1

Sun Solaris 9 | pam_krb5 | Brian Soby | DRAFT | Brian Soby | INTERIM | ACCEPTED
Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files.
CVE-2004-0653 | ACCEPTED | 1

Sun Solaris 7 | Bind | Brian Soby | DRAFT | INTERIM | ACCEPTED
BIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference.
CVE-2002-1221 | ACCEPTED | 1

Sun Solaris 9 | Kerberos5 | Brian Soby | DRAFT | Brian Soby | INTERIM | ACCEPTED
The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding.
CVE-2004-0644 | ACCEPTED | 1

Sun Solaris 9 | Samba | Brian Soby | DRAFT | INTERIM | ACCEPTED
Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
CVE-2003-0201 | ACCEPTED | 1

Sun Solaris 9 | Sendmail | Brian Soby | DRAFT | Brian Soby | INTERIM | ACCEPTED
Buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malicious DNS server.
CVE-2002-0906 | ACCEPTED | 1

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | Sendmail | Brian Soby | DRAFT | INTERIM | ACCEPTED
Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c.
CVE-2002-1337 | ACCEPTED | 1

Sun Solaris 7 | libc | Brian Soby | DRAFT | INTERIM | ACCEPTED
The Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang).
CVE-2002-1265 | ACCEPTED | 1

Sun Solaris 7 | libpng | Brian Soby | DRAFT | INTERIM | ACCEPTED
Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.
CVE-2004-0597 | ACCEPTED | 1

Sun Solaris 8 | mozilla | Brian Soby | DRAFT | INTERIM | ACCEPTED
Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files.
CVE-2004-0764 | ACCEPTED | 1

Sun Solaris 7 | NIS | Brian Soby | DRAFT | INTERIM | ACCEPTED
The getdbm procedure in ypxfrd allows local users to read arbitrary files, and remote attackers to read databases outside /var/yp, via a directory traversal and symlink attack on the domain and map arguments.
CVE-2002-1199 | ACCEPTED | 1

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | Basic Security Module | Brian Soby | DRAFT
Unknown vulnerability in the Basic Security Module (BSM), when configured to audit either the Administrative (ad) or the System-Wide Administration (as) audit class in Solaris 7, 8, and 9, allows local users to cause a denial of service (kernel panic).
CVE-2004-0654 | DRAFT | 0

Sun Solaris 8 | Kerberos5 | Brian Soby | DRAFT | INTERIM | ACCEPTED
The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").
CVE-2003-0082 | ACCEPTED | 1
Vulnerability exists in standard Solaris kerberos and SEAM. This definition only covers Solaris kerberos

Sun Solaris 7 | Bind | Brian Soby | DRAFT | INTERIM | ACCEPTED
Buffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 versions 8.3.3 and earlier, allows remote attackers to execute arbitrary code via a certain DNS server response containing SIG resource records (RR).
CVE-2002-1219 | ACCEPTED | 1

Sun Solaris 7 | libpng | Brian Soby | DRAFT | INTERIM | ACCEPTED
The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference.
CVE-2004-0598 | ACCEPTED | 1

Sun Solaris 8 | Sun Solaris 9 | Sun Cluster | Brian Soby | DRAFT | INTERIM | ACCEPTED
Double-free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding.
CVE-2003-0545 | ACCEPTED | 1

Sun Solaris 7 | kcms_server | Brian Soby | DRAFT | INTERIM | ACCEPTED
Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.
CVE-2003-0027 | ACCEPTED | 1

Sun Solaris 8 | Sun Crypto Accelerator 4000 | Brian Soby | DRAFT | INTERIM | ACCEPTED
The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.
CVE-2004-0079 | ACCEPTED | 1

Sun Solaris 7 | Sun Am7990 Ethernet Driver | Brian Soby | DRAFT
Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.
CVE-2003-0001 | DRAFT | 0

Sun Solaris 9 | OpenSSH | Brian Soby | DRAFT | INTERIM | ACCEPTED
A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695.
CVE-2003-0693 | ACCEPTED | 1

Sun Solaris 9 | CDE | Brian Soby | DRAFT | INTERIM | ACCEPTED | Brian Soby | Brian Soby | INTERIM | ACCEPTED
CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.
CVE-2002-0678 | ACCEPTED | 2

Sun Solaris 9 | fs.auto, xfs | Brian Soby | DRAFT | INTERIM | ACCEPTED
Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.
CVE-2002-1317 | ACCEPTED | 1

Sun Solaris 8 | Sun Solaris 9 | TCP/IP | Brian Soby | DRAFT | INTERIM | ACCEPTED | INTERIM | DRAFT | INTERIM | ACCEPTED
Unknown vulnerability in the TCP/IP stack for Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.
CVE-2004-1355 | ACCEPTED | 2

Sun Solaris 7 | Sendmail | Brian Soby | DRAFT | INTERIM | ACCEPTED
The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.
CVE-2003-0694 | ACCEPTED | 1

Sun Solaris 7 | CDE | Brian Soby | DRAFT | INTERIM | ACCEPTED
Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.
CVE-1999-0691 | ACCEPTED | 1

Sun Solaris 8 | mozilla | Brian Soby | DRAFT | INTERIM | ACCEPTED
Mozilla 1.5 through 1.7 allows a CA certificate to be imported even when their DN is the same as that of the built-in CA root certificate, which allows remote attackers to cause a denial of service to SSL pages because the malicious certificate is treated as invalid.
CVE-2004-0758 | ACCEPTED | 1

Sun Solaris 8 | mozilla | Brian Soby | DRAFT | INTERIM | ACCEPTED
Heap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, may allow remote POP3 mail servers to execute arbitrary code.
CVE-2004-0757 | ACCEPTED | 1

Sun Solaris 9 | Kerberos5 | Brian Soby | DRAFT | Brian Soby | INTERIM | ACCEPTED
Double-free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.
CVE-2004-0643 | ACCEPTED | 1

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | Licence Logging Service | Brian Soby | DRAFT | INTERIM | ACCEPTED
Buffer overflow in the ping daemon of Sun Solaris 7 through 9 may allow local users to execute arbitrary code.
CVE-2004-1352 | ACCEPTED | 1

Sun Solaris 9 | Solaris Volume Manager (SVM) | Brian Soby | DRAFT | INTERIM | ACCEPTED | INTERIM | DRAFT | INTERIM | ACCEPTED
The Sun Solaris Volume Manager (SVM) on Solaris 9 allows local users to cause a denial of service (kernel panic) via a malformed probe request to the SVM.
CVE-2004-1346 | ACCEPTED | 2

Sun Solaris 9 | sshd | Brian Soby | DRAFT | INTERIM | ACCEPTED | INTERIM | DRAFT | INTERIM | ACCEPTED
The Secure Shell (SSH) Daemon (SSHD) in Sun Solaris 9 does not properly log IP addresses when SSHD is configured with the ListenAddress as 0.0.0.0, which makes it easier for remote attackers to hide the source of their activities.
CVE-2004-1357 | ACCEPTED | 2

Sun Solaris 9 | Basic Security Module | Brian Soby | DRAFT | INTERIM | ACCEPTED
The patches (1) 114332-08 and (2) 114929-06 for Sun Solaris 9 disable the auditing functionality of the Basic Security Module (BSM), which allows attackers to avoid having their activity logged.
CVE-2004-1358 | ACCEPTED | 1

Sun Solaris 7 | Solaris Runtime Linker | Brian Soby | DRAFT | INTERIM | ACCEPTED
Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variable.
CVE-2003-0609 | ACCEPTED | 1

Sun Solaris 8 | mozilla | Brian Soby | DRAFT | INTERIM | ACCEPTED
Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote attackers to use certain redirect sequences to spoof the security lock icon that makes a web page appear to be encrypted.
CVE-2004-0761 | ACCEPTED | 1

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | Sendmail | Brian Soby | DRAFT
A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences.
CVE-2003-0681 | DRAFT | 0

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | priocntl() | Brian Soby | DRAFT | INTERIM | ACCEPTED
Directory traversal vulnerability in priocntl system call in Solaris allows local users to execute arbitrary code via ".." sequences in the pc_clname field of a pcinfo_t structure, which cause priocntl to load a malicious kernel module.
CVE-2002-1296 | ACCEPTED | 1

Sun Solaris 8 | Sun Solaris 9 | Apache | Brian Soby | DRAFT | INTERIM | ACCEPTED
Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.
CVE-2003-0542 | ACCEPTED | 1

Sun Solaris 7 | Sun Solaris 8 | sendfilev() | Brian Soby | DRAFT | INTERIM | ACCEPTED
Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.
CVE-2001-0414 | ACCEPTED | 1

Sun Solaris 8 | Bind | Brian Soby | DRAFT | INTERIM | ACCEPTED
Unknown vulnerability in in.named on Solaris 8 allows remote attackers to cause a denial of service (process crash).
CVE-2004-1348 | ACCEPTED | 1

Sun Solaris 8 | mozilla | Brian Soby | DRAFT | INTERIM | ACCEPTED
Mozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method.
CVE-2004-0763 | ACCEPTED | 1

Sun Solaris 8 | Sun Solaris 9 | DtMail | Brian Soby | DRAFT | INTERIM | ACCEPTED
Format string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain privileges via format strings in the argv[0] value.
CVE-2004-0800 | ACCEPTED | 1

Sun Solaris 7 | bash, tcsh, cash, sh, ksh | Brian Soby | DRAFT | INTERIM | ACCEPTED
Multiple shell programs on various Unix systems, including (1) tcsh, (2) csh, (3) sh, and (4) bash, follow symlinks when processing << redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack.
CVE-2000-1134 | ACCEPTED | 1

Sun Solaris 7 | lpstat, libprint | Brian Soby | DRAFT | INTERIM | ACCEPTED
Unknown multiple vulnerabilities in (1) lpstat and (2) the libprint library in Solaris 2.6 through 9 may allow attackers to execute arbitrary code or read or write arbitrary files.
CVE-2003-0999 | ACCEPTED | 1

Sun Solaris 8 | Sun Solaris 9 | Apache | Brian Soby | Brian Soby | Brian Soby | DRAFT | INTERIM | ACCEPTED
Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
CVE-2003-0020 | ACCEPTED | 1

Sun Solaris 7 | Bind | Brian Soby | DRAFT | INTERIM | ACCEPTED
Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers.
CVE-2002-0651 | ACCEPTED | 1

Sun Solaris 8 | Sun Solaris 9 | Sun Cluster | Brian Soby | DRAFT | INTERIM | ACCEPTED
Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.
CVE-2003-0543 | ACCEPTED | 1

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | cachefsd | Brian Soby | DRAFT | INTERIM | ACCEPTED
cachefsd in Solaris 2.6, 7, and 8 allows remote attackers to cause a denial of service (crash) via an invalid procedure call in an RPC request.
CVE-2002-0085 | ACCEPTED | 1

Sun Solaris 7 | CDE | Brian Soby | DRAFT | INTERIM | ACCEPTED
Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges.
CVE-1999-0693 | ACCEPTED | 1

Sun Solaris 7 | lpstat | Brian Soby | DRAFT | INTERIM | ACCEPTED
Stack-based buffer overflow in the bsd_queue() function for lpq on Solaris 2.6 and 7 allows local users to gain root privilege.
CVE-2003-0091 | ACCEPTED | 1

Sun Solaris 8 | mozilla | Brian Soby | DRAFT | INTERIM | ACCEPTED
Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box.
CVE-2004-0762 | ACCEPTED | 1

Sun Solaris 8 | Sun Solaris 9 | Apache | Brian Soby | Brian Soby | Brian Soby | DRAFT | INTERIM | ACCEPTED
mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret.
CVE-2003-0987 | ACCEPTED | 1

Sun Solaris 7 | Solaris Enterprise Authentication Mechanism (SEAM) | Brian Soby | DRAFT | INTERIM | ACCEPTED
The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").
CVE-2003-0082 | ACCEPTED | 1
Vulnerability exists in standard Solaris kerberos and SEAM. This definition only covers SEAM

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | kernel | Brian Soby | DRAFT | INTERIM | ACCEPTED | INTERIM | DRAFT | INTERIM | ACCEPTED
Unknown vulnerability in Solaris 2.6 through 9 causes a denial of service (system panic) via "a rare race condition" or an attack by local users.
CVE-2003-0669 | ACCEPTED | 2

Sun Solaris 8 | Sun Solaris 9 | Sun Cluster | Brian Soby | DRAFT | INTERIM | ACCEPTED
OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.
CVE-2003-0544 | ACCEPTED | 1

Sun Solaris 8 | mozilla | Brian Soby | DRAFT | INTERIM | ACCEPTED
Integer overflow in the SOAPParameter object constructor in (1) Netscape version 7.0 and 7.1 and (2) Mozilla 1.6, and possibly earlier versions, allows remote attackers to execute arbitrary code.
CVE-2004-0722 | ACCEPTED | 1

Sun Solaris 9 | Kerberos5 | Brian Soby | DRAFT | INTERIM | ACCEPTED
Double-free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.
CVE-2004-0772 | ACCEPTED | 1

Sun Solaris 8 | Sun Solaris 9 | Apache | Brian Soby | Brian Soby | Brian Soby | DRAFT | INTERIM | ACCEPTED
mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.
CVE-2003-0993 | ACCEPTED | 1

Sun Solaris 7 | Sun RPC | Brian Soby | DRAFT | INTERIM | ACCEPTED
Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.
CVE-2002-0391 | ACCEPTED | 1
Specific applications using this library are not tested for because Sun's advisory only provides a sample of known vulnerable applications and states that they are still investigating.

Sun Solaris 8 | mozilla | Brian Soby | DRAFT | INTERIM | ACCEPTED
The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability.
CVE-2004-0718 | ACCEPTED | 1

Sun Solaris 8 | Sun Solaris 9 | LDAP | Brian Soby | DRAFT | INTERIM | ACCEPTED | INTERIM | DRAFT | INTERIM | ACCEPTED
Unknown vulnerability in LDAP on Sun Solaris 8 and 9, when using Role Based Access Control (RBAC), allows local users to execute certain commands with additional privileges.
CVE-2004-1353 | ACCEPTED | 2

Sun Solaris 8 | Sun Solaris 9 | Apache | Brian Soby | Brian Soby | Brian Soby | DRAFT | INTERIM | ACCEPTED
Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.
CVE-2004-0492 | ACCEPTED | 1

Sun Solaris 9 | Kerberos5 | Brian Soby | DRAFT | Brian Soby | INTERIM | ACCEPTED
Double-free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.
CVE-2004-0642 | ACCEPTED | 1

Sun Solaris 7 | Sun Solaris 8 | Sun Solaris 9 | CDE | Brian Soby | DRAFT | INTERIM | ACCEPTED | Christine Walzer | INTERIM | ACCEPTED
Buffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via (1) a modified DTHELPUSERSEARCHPATH environment variable and the Help feature, (2) DTSEARCHPATH, or (3) LOGNAME.
CVE-2003-0834 | ACCEPTED | 2

Sun Solaris 8 | Sun Solaris 9 | Apache | Robert L. Hollis | DRAFT | INTERIM | ACCEPTED
mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret.
CVE-2003-0987 | ACCEPTED | 5

Sun Solaris 8 | Sun Solaris 9 | Apache | Robert L. Hollis | DRAFT | INTERIM | ACCEPTED
Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
CVE-2003-0020 | ACCEPTED | 5

Sun Solaris 8 | Sun Solaris 9 | Apache | Robert L. Hollis | DRAFT | INTERIM | ACCEPTED
Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."
CVE-2004-0174 | ACCEPTED | 5

Sun Solaris 8 | Sun Solaris 9 | Apache | Robert L. Hollis | DRAFT | INTERIM | ACCEPTED
mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.
CVE-2003-0993 | ACCEPTED | 5

Sun Solaris 8 | Sun Solaris 9 | Apache | Robert L.
HollisDRAFTINTERIMACCEPTEDHeap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.CVE-2004-0492ACCEPTED5Sun Solaris 7Sun Solaris 8Sun Solaris 9XDMRobert L. HollisChristine WalzerDRAFTINTERIMACCEPTEDX Display Manager (XDM) on Solaris 8 allows remote attackers to cause a denial of service (XDM crash) via an invalid X Display Manager Control Protocol (XDMCP) request.CVE-2004-1347ACCEPTED5Sun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10libtiffRobert L. HollisDRAFTINTERIMACCEPTEDMultiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files.CVE-2004-0803ACCEPTED5Sun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10libtiffRobert L. HollisDRAFTINTERIMACCEPTEDVulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452.CVE-2004-0804ACCEPTED5Sun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10libtiffRobert L. HollisDRAFTINTERIMACCEPTEDMultiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls.CVE-2004-0886ACCEPTED5Sun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10libtiffRobert L. 
HollisDRAFTINTERIMACCEPTEDInteger overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow.CVE-2004-1308ACCEPTED50101SunOS5.1011111010020227380303040502^i.*8602[Ss][Pp][Aa][Rr][Cc]01080317380201060519250104070412050209060207130302010204030607The presence of /etc/named.conf indicates that system system is probably configured as a DNS server1604040304181111egrep "^[Srecipient=2|S2]|^[^#]*\$>2|^[^#]*\$>recipient|^[^#]*\$>4|^[^#]*\$>final" /etc/mail/sendmail.cf True if any lines returned0907141008051303020101051010030102040102020402030101010202100203030809SUNWkrbu - 32bit, SUNWkrbux - 64bitegrep ^flags:.*a[sd] /etc/security/audit_control True if any lines returnedgrep c2audit /etc/system True if "set c2audit:audit_load = 1" or similiar121833010324Package which contains /usr/lib/netsvc/yp/ypxfrdCVE-2002-126501CVE-2002-126501CVE-2002-126501CVE-2002-126501CVE-2002-126501CVE-2002-126501CVE-2002-126503CVE-2002-126503CVE-2002-126509CVE-2002-126514CVE-2002-126501CVE-2002-126501CVE-2002-126501030808010215100712130201SUNWcsu = 32bit, SUNWcsxu = 64bit061308091105160501020119120101020509140112270202Solaris Management Console web interface010201310921-S 20101020202020304Rough translation of the Sun recommended test of: % grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___ default_realm = EXAMPLE.COM07070402021518010101302503101020611133011120211511914111721219211102622111111138SunOS5.711101SunOS5.9211191152161138111root630111SunOS5.8