U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Bulletin (SB05-166)

Summary of Security Items from June 8 through June 14, 2005

Original release date: June 15, 2005

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.

Wireless

Vulnerabilities The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name /
CVE Reference
Risk
Source

Adobe

Photoshop CS, Creative Suite 1.0, Premiere Pro 1.5

A vulnerability has been reported that could let a malicious local user can gain elevated privileges. A local user can exploit the service to run arbitrary code with administrator privileges.

Updates available:
http://www.adobe.com/support/
techdocs/331688.html

Currently we are not aware of any exploits for this vulnerability.

Adobe License Management Service Elevated Privilege Vulnerability

CAN-2005-0151

Medium

Adobe Advisory Document 331688, June 9, 2005

America OnLine

Instant Messenger 5.9.3797, 5.5.3595, 5.5.3415 Beta, 5.5, 5.2.3292, 5.1.3036, 5.0.2938

A remote Denial of Service vulnerability has been reported when a malicious user crafts a malformed GIF file that is used as a Buddy Icon and followed by sending an instant message.

No workaround or patch available at time of publishing.

There is no exploit code required.

Categorized incorrectly in SB05-159 as Multiple Operating System vulnerability.

AOL Instant Messenger Buddy Icon Remote Denial of Service

CAN-2005-1891

Low
Security Focus, 13880, June 7, 2005

Avaya

Avaya Call Management System (CMS)

A vulnerability has been reported that could let a remote malicious user cause a Denial of Service.

The vendor recommends disabling the FTP daemon.

Currently we are not aware of any exploits for this vulnerability.

Avaya CMS FTP Daemon Wildcard Denial of Service

CAN-2005-0256

Low
Avaya Advisory, ASA-2005-126, June 6, 2005

Early Impact

ProductCart 2.7 and prior

An input validation vulnerability has been reported that could let a remote malicious user inject SQL commands and conduct cross-site scripting attacks. Input is not properly verified in 'viewPrd.asp' and various 'pcadmin' scripts.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Early Impact ProductCart Input Validation Flaws in Lets Remote Users Inject SQL Commands

CAN-2005-1967
CAN-2005-1968

High
Security Tracker Alert, 1014129, June 8, 2005

GoodTech Systems

GoodTech SMTP Server 5.14 for Windows NT/2000/XP 5.x

A vulnerability has been reported that could let a remote malicious user cause a Denial of Service. The vulnerability is caused due to an error in the handling of recipients.

Update to version 5.15: http://www.goodtechsys.com/
smtpdnt2000.asp

A Proof of Concept exploit script has been published.

GoodTech Systems GoodTech SMTP Server "RCPT TO" Denial of Service Vulnerability

CAN-2005-1931

Low
Secunia SA15623, June 8, 2005

Ipswitch

IMail Server 8.x

Multiple vulnerabilities have been reported in IMail Server, which could let a remote malicious user gain sensitive information or cause a Denial of Service. These are due to unspecified errors in the IMAP4d32 service and Web Calendaring.

Apply IMail Server 8.2 Hotfix 2: ftp://ftp.ipswitch.com/Ipswitch/
Product_Support/IMail/imail82hf2.exe

An exploit script has been published.

Ipswitch IMail Server Multiple Vulnerabilities

CAN-2005-1249
CAN-2005-1252
CAN-2005-1254
CAN-2005-1255
CAN-2005-1256

Medium

Ipswitch Support Advisory, IMail Server 8.2 Hotfix 2, May 23, 2005

Security Focus, 13727, June 8, 2005

Loki

Loki Download Manager Category Version 2.0

An SQL injection vulnerability has been reported in the 'Default.asp' and 'catinfo.asp' scripts due to insufficient validation before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proofs of Concept exploits have been published.

Loki Download Manager SQL Injection

CAN-2005-1943

High
Security Focus, 13898 & 13900, June 8, 2005

Macromedia

All Macromedia MX 2004 products (Studio, Studio with Flash Professional, Flash Professional, Flash, FreeHand, Dreamweaver, Fireworks, and Director)

Captivate, Contribute 2, and Contribute 3

A vulnerability has been reported in the Macromedia eLicensing client activation code in many Macromedia products that could let a local malicious user obtain elevated privileges. A local user in the "Users" group can modify the 'path to executable' configuration setting in the 'Macromedia Licensing Service' settings to point to an alternate file containing arbitrary code. Then, when the service is activated, the arbitrary code will run with Local System privileges.

A fix is available at: http://download.macromedia.com/pub/
security/licensing_installer_updater.exe

Currently we are not aware of any exploits for this vulnerability.

Macromedia Products eLicensing Function Escalated Privilege Vulnerability
High
Macromedia Advisory MPSB05-04, June 9, 2005

Microsoft

Internet Explorer 6 SP2

A vulnerability has been reported that could let a malicious remote user hide scripting code. The IE browser does not properly process certain javascript scripting code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Microsoft Internet Explorer Lets Remote Users Hide Scripting Code
Medium

Security Tracker Alert, 1014174, June 12, 2005

Microsoft

Outlook Web Access for Exchange Server 5.5

A Cross-Site Scripting vulnerability has been reported that could allow a malicious user to convince a user to run a malicious script. If this malicious script is run, it would execute in the security context of the user. This could allow an attacker access to any data on the Outlook Web Access server that was accessible to the individual user.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-029.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks

CAN-2005-0563

High

Microsoft, MS05-029, June 14, 2004

US-CERT VU#300373

Microsoft

Windows 2000, XP, Server 2003

A remote code execution vulnerability has been reported in Server Message Block (SMB) that could allow a malicious user to take complete control of the affected system.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-027.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Server Message Block Could Allow Remote Code Execution

CAN-2005-1206

High

Microsoft, MS05-027, June 14, 2004

US-CERT VU#489397

Technical Cyber Security Alert TA05-165A

Microsoft

Windows 2000, XP, Server 2003, 98, 98 (SE), (ME)

A spoofing vulnerability has been reported that could enable a malicious user to spoof trusted Internet content.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-032.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Agent Could Allow Spoofing

CAN-2005-1214

Medium

Microsoft, MS05-032, June 14, 2004

US-CERT VU#718542

Microsoft

Windows XP, Server 2003

Windows Services for UNIX 2.2, 3.0, 3.5 when running on Windows 2000

An information disclosure vulnerability has been reported that could let a remote malicious user read the session variables for users who have open connections to a malicious telnet server.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-033.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Telnet Client Could Allow Information Disclosure

CAN-2005-1205

Medium

Microsoft, MS05-033, June 14, 2004

US-CERT VU#800829

Microsoft

Windows XP, Server 2003

A remote code execution vulnerability has been reported in the way that Windows processes Web Client requests that could allow a malicious user who successfully exploited this vulnerable to take complete control of the affected system.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-028.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Web Client Service Could Allow Remote Code Execution

CAN-2005-1207

High
Microsoft, MS05-028, June 14, 2004

Microsoft

Internet Explorer 5.01, 5.5, 6

Remote code execution and information disclosure vulnerabilities have been reported due to the way that IE handles PNG images and the way that it handles certain requests to display XML content.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-025.mspx

Currently we are not aware of any exploits for these vulnerabilities.

Microsoft Internet Explorer Could Allow Remote Code Execution

CAN-2005-1211

CAN-2002-0648

High

Microsoft, MS05-025, June 14, 2004

US-CERT VU#189754

Technical Cyber Security Alert TA05-165A

Microsoft

Microsoft Internet Security and Acceleration (ISA) Server 2000 Service Pack 2

A vulnerability has been reported in ISA Server 2000 because of the way that it handles malformed HTTP requests that could allow a remote malicious user to either bypass content restrictions and access content that they would normally not have access to or they could cause users to be directed to unexpected content. An elevation of privilege vulnerability also exists in ISA Server 2000 that could allow an attacker who successfully exploited this vulnerability to create a NetBIOS connection with an ISA Server by utilizing the NetBIOS (all) predefined packet filter.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-034.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft ISA Access and Elevation of Privilege Vulnerabilities

CAN-2005-1215
CAN-2005-1216

High

Microsoft, MS05-034, June 14, 2004

US-CERT VU#367077

Microsoft

Outlook Express 5.5, 6

A remote code execution vulnerability has been reported in Outlook Express when it is used as a newsgroup reader. A malicious user could exploit the vulnerability by constructing a malicious newsgroup server that could that potentially allow remote code execution if a user queried the server for news.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-030.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Outlook Express Could Allow Remote Code Execution

CAN-2005-1213

High

Microsoft, MS05-030, June 14, 2004

US-CERT VU#130614

Microsoft

Step-by-Step Interactive Training

A remote code execution vulnerability has been reported in Step-by-Step Interactive Training due to the way Interactive Training handles bookmark link files.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-031.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Step-by-Step Interactive Training Could Allow Remote Code Execution

CAN-2005-1212

High
Microsoft, MS05-031, June 14, 2004

Microsoft

Windows 2000, XP, Server 2003 98, 98 (SE), and ME

A remote code execution vulnerability has been reported in HTML Help that could allow a malicious user to take complete control of the affected system.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-026.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft HTML Help Could Allow Remote Code Execution

CAN-2005-1208

High

Microsoft, MS05-026, June 14, 2004

US-CERT VU#851869

Technical Cyber Security Alert TA05-165A

Novell

eDirectory 8.7.3

A vulnerability has been reported that could let a remote malicious user cause a denial of service. A remote user can supply a specially crafted HTTP request for an MS-DOS device name to cause the target service to crash.

A fixed version (8.7.3 IR6) is available.

A Proof of Concept exploit has been published.

Novell eDirectory Can Be Crashed With Requests Containing MS-DOS Device Names

CAN-2005-1729

Low

Security Tracker Alert ID: 1014177, June 13, 2005

CIRT.DK Advisory NOVL102201

Pragma Systems

Pragma TelnetServer 6.0

A vulnerability has been reported that could let a remote malicious user hide certain log entries. With a certain command line sequence, the user can hide arbitrary commands from the administrator in the HTML log files.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Pragma TelnetServer Lets Remote Users Hide Log Entries

CAN-2005-1969

Medium

Security Tracker Alert, 1014127, June 8, 2005

Symantec

pcAnywhere 9.x, 10.x, 11.x

A vulnerability has been reported that could let malicious, local users gain escalated privileges by manipulating the "Caller Properties" feature to run arbitrary commands when the system is restarted. "Launch with Windows" setting enabled must be enabled to exploit.

Update to version 11.5 or apply patch.

Patch for consumer versions: http://www.symantec.com/techsupp/
files/pca/index.html

Patch for enterprise versions: http://www.symantec.com/techsupp/enterprise/
products/spca/files.html

Currently we are not aware of any exploits for this vulnerability.

Symantec pcAnywhere Privilege Escalation Vulnerability

CAN-2005-1970

Medium
Symantec Advisory SYM05-010, June 10, 2005

[back to top]

UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name /
CVE Reference
Risk
Source

Alexis Sukrieh

Backup Manager 0.5.6, 0.5.7

A vulnerability has been reported because archives are created with insecure permissions, which could let a remote malicious user obtain sensitive information.

Upgrades available at:
http://www.sukria.net/packages/
backup-manager/sources/
backup-manager-0 .5.8.tar.gz

There is no exploit code required.

Alexis Sukrieh Backup Manager Information Disclosure

CAN-2005-1958

Medium
Security Tracker Alert, 1014124, June 7, 2005

Apple

Mac OS X 10.3-10.3.9, Mac OS X Server 10.3- 10.3.9

Multiple vulnerabilities have been reported: a buffer overflow vulnerability was reported in 'htdigest' due to a boundary error, which could let a remote malicious user execute arbitrary code; a vulnerability was reported in the AppKit component when processing TIFF files, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability was reported in the AppKit component when parsing certain TIFF images because an invalid call is made to the 'NXSeek()' function; a vulnerability was reported due to an error when handling AppleScript because code is displayed that is different than the code that is actually run, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to an error in the Bluetooth support because files are shared without notifying the user properly, which could let a remote malicious user obtain sensitive information; a Directory Traversal vulnerability was reported in the Bluetooth file, which could let a remote malicious user obtain sensitive information; a vulnerability was reported in the 'chfn,' 'chpass,' and 'chsh' utilities because certain external helper programs are invoked insecurely, which could let a malicious user obtain elevated privileges; a vulnerability was reported in Finder due to the insecure creation of '.DS_Store' files, which could let a malicious user obtain elevated privileges; a vulnerability was reported in Help Viewer because a remote malicious user can run JavaScript without imposed security restrictions; a vulnerability was reported in the LDAP functionality because passwords are stored in plaintext, which could let a remote malicious user obtain sensitive information; a vulnerability was reported due to errors when parsing XPM files, which could let a remote malicious user compromise the system; a vulnerability was reported in 'lukemftpd' because chroot restrictions can be bypassed, which could let a remote malicious user bypass restrictions; a vulnerability was reported in the Netinfo Setup Tool (NeST) when processing input passed to the ' -target' command line parameter due to a boundary error, which could let a malicious user execute arbitrary code; a vulnerability was reported when the HTTP proxy service in Server Admin is enabled because by default it is possible for everyone to use the proxy service; a vulnerability was reported in the HTTP proxy service in Server Admin for Mac OS X due to insufficient access restrictions, which could let a remote malicious user obtain unauthorized access; a vulnerability was reported in sudo in the environment clearing, which could let a malicious user obtain elevated privileges; a vulnerability was reported in the Terminal utility, which could let a remote malicious user inject arbitrary data; a vulnerability was reported due to an error in the Terminal utility, which could let a remote malicious user inject commands in x-man-path URIs; and a vulnerability was reported in vpnd due to a boundary error, which could let a malicious user execute arbitrary code.

Upgrades available at:
http://www.apple.com/support/downloads/
securityupdate2005005client.html

http://www.apple.com/support/downloads/
securityupdate2005005server.html

Apple:
http://www.apple.com/
support/downloads/

Proofs of Concept exploits have been published.

High

 

Apple Security Update, APPLE-SA-2005-05-03, May 3, 2005

US-CERT
VU#140470

US-CERT
VU#145486

US-CERT
VU#258390

US-CERT
VU#356070

US-CERT
VU#582934

US-CERT
VU#331694

US-CERT
VU#706838

Technical Cyber Security Alert TA05-136A

Apple Security Update, APPLE-SA-2005-06-08, June 8, 2005

 

Apple

Mac OS X Server 10.4.1, 10.4, 10.3.9, OS X 10.4.1, 10.4, 10.3.9

Multiple vulnerabilities have been reported: a Denial of Service vulnerability was reported in the AFP Server when copying POSIX-only permissions files; a buffer overflow vulnerability was reported in the Apple File Protocol Server legacy client support, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability was reported in CoreGraphics and PDFKit when processing PDF documents; a vulnerability was reported in LaunchServices when an file extension and mime type is marked as unsafe but not mapped to an Apple Uniform Type Identifier (UTI), which could let a remote malicious user bypass download safety checks; a vulnerability was reported in NFS because certain export restrictions are not honored, which could let a remote malicious user obtain sensitive information; a vulnerability was reported in the 'launchd_server_init()' function due to the creation of temporary files in an unsafe manner, which could let a malicious user obtain elevated privileges; a vulnerability was reported in the CoreGraphics component, which could let a malicious user obtain root access; a race condition vulnerability was reported due to insecure folder permissions on the system's cache folder and Dashboard system widgets; and a vulnerability was reported in the MCX Client, which could let a malicious user obtain access to Portable Home Directory credentials.

Updates available at:
http://www.apple.com/
support/downloads/

Currently we are not aware of any exploits for these vulnerabilities.

High
Apple Security Update Advisory, APPLE-SA-2005-06-08, June 8, 2005

Apple

Macintosh OS X

 

Multiple vulnerabilities have been reported:a Denial of Service vulnerability was reported in the 'nfs_mount()' function due to insufficient input value checks; a Directory Traversal vulnerability was reported in bluetooth-enabled systems due to an input validation error, which could let a remote malicious user obtain sensitive information; a vulnerability was reported in two system calls used to search filesystem objects due to insufficient checks on directory permissions, which could let a malicious user obtain sensitive information; a vulnerability was reported in the SecurityAgent because a malicious user can bypass a locked screensaver to start background applications; and a vulnerability was reported because a remote malicious user can bypass a download warning dialog to install potentially malicious Dashboard widgets.

Updates available at:
http://www.apple.com/
support/downloads/

Currently we are not aware of any exploits for these vulnerabilities.

Medium

Apple Security Advisory, APPLE-SA-2005-05-19, May 19, 2005

US-CERT VU#775661

APSIS

Pound 1.8.2

A buffer overflow vulnerability has been reported in the 'add_port()' function due to a boundary error, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code.

Upgrade available at:
http://www.apsis.ch/
pound/Pound-1.8.3.tgz

SUSE:
ftp://ftp.SUSE.com/
pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

APSIS Pound Remote Buffer Overflow

CAN-2005-1391

High

 

Security Focus, 13436, April 29, 2005

SUSE Security Summary Report, SUSE-SR:2005:015, June 7, 2005

bzip2

bzip2 1.0.2

A remote Denial of Service vulnerability has been reported when the application processes malformed archives.

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/b/bzip2/

Mandriva:
http://www.mandriva.com/
security/advisories

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

SUSE:
ftp://ftp.SUSE.com/
pub/SUSE

OpenPKG:
http://www.openpkg.org/
security/OpenPKG-SA-2005.008
-openpkg.html

Currently we are not aware of any exploits for this vulnerability.

bzip2 Remote Denial of Service

CAN-2005-1260

Low

Ubuntu Security Notice, USN-127-1, May 17, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:091, May 19, 2005

Turbolinux Security Advisory, TLSA-2005-60, June 1, 2005

SUSE Security Summary Report, SUSE-SR:2005:015, June 7, 2005

OpenPKG Security Advisory, OpenPKG-SA-2005.008, June 10, 2005

bzip2

bzip2 1.0.2 & prior

A vulnerability has been reported when an archive is extracted into a world or group writeable directory, which could let a malicious user modify file permissions of target files.

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/b/bzip2/

Mandriva:
http://www.mandriva.com/
security/advisories

Debian:
http://security.debian.org/
pool/updates/main/b/bzip2/

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

OpenPKG:
http://www.openpkg.org/security/
OpenPKG-SA-2005.008-openpkg.html

There is no exploit code required.

BZip2 File Permission Modification

CAN-2005-0953

Medium

Security Focus,
12954,
March 31, 2005

Ubuntu Security Notice, USN-127-1, May 17, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:091, May 19, 2005

Debian Security Advisory, DSA 730-1, May 27, 2005

Turbolinux Security Advisory , TLSA-2005-60, June 1, 2005

OpenPKG Security Advisory, OpenPKG-SA-2005.008, June 10, 2005

Darryl Burgdo

Webhints 1.3

A vulnerability was reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary commands.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Darryl Burgdorf Webhints Remote Command Execution

CAN-2005-1950

High
Security Focus, 13930, June 10, 2005

Ethereal Group

Ethereal 0.8.14, 0.8.15, 0.8.18, 0.8.19, 0.9-0.9.16, 0.10-0.10.9

Multiple vulnerabilities were reported that affects more 50 different dissectors, which could let a remote malicious user cause a Denial of Service, enter an endless loop, or execute arbitrary code. The following dissectors are affected: 802.3 Slow, AIM, ANSI A, BER, Bittorrent, CMIP, CMP, CMS, CRMF, DHCP, DICOM, DISTCC, DLSw, E IGRP, ESS, FCELS, Fibre Channel, GSM, GSM MAP, H.245, IAX2, ICEP, ISIS, ISUP, KINK, L2TP, LDAP, LMP, MEGACO, MGCP, MRDISC, NCP, NDPS, NTLMSSP, OCSP, PKIX Qualified, PKIX1Explitit, Presentation, Q.931, RADIUS, RPC, RSVP, SIP, SMB, SMB Mailslot, SMB NETLOGON, SMB PIPE, SRVLOC, TCAP, Telnet, TZSP, WSP, and X.509.

Upgrades available at:
http://www.ethereal.com/
distribution/ethereal-0.10.11.tar.gz

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-03.xml

Mandriva:
http://www.mandriva.com/
security/advisories

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-427.html

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000963

SuSE:
ftp://ftp.suse.com/pub/suse/

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

An exploit script has been published.

High

 

Ethereal Security Advisory, enpa-sa-00019, May 4, 2005

Gentoo Linux Security Advisory, GLSA 200505-03, May 6, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:083, May 11, 2005

RedHat Security Advisory, RHSA-2005:427-05, May 24, 2005

Conectiva Security Advisory, CLSA-2005:963, June 6, 2005

SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

Ettercap

Ettercap 0.6 .b, 0.6 .a, 0.6.3.1, 0.6.4, 0.6.5, 0.6.6 .6, 0.6.7, 0.6.9, Ettercap-NG 0.7 .0-0.7.2

A format string vulnerability has been reported in the 'curses_msg()' function in the Ncurses interface, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://prdownloads.sourceforge.net/
ettercap/ettercap-
NG-0.7.3.tar.gz?download

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-07.xml

Currently we are not aware of any exploits for this vulnerability.

Ettercap Remote Format String

CAN-2005-1796

High

Secunia Advisory, SA15535, May 31, 2005

Gentoo Linux Security Advisory, GLSA 200506-07, June 11, 2005

Freedesktop.org

D-BUS 0.23 & prior

A vulnerability exists in 'bus/policy.c' due to insufficient restriction of connections, which could let a malicious user hijack a session bus.

Patch available at:
https://bugs.freedesktop.org/
show_bug.cgi?id=2436

Fedora:
http://download.fedora.redhat.com
/pub/fedora/linux/core/updates/3/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-102.html

There is no exploit code required.

D-BUS Session Hijack

CAN-2005-0201

Medium

Security Tracker Alert ID,1013075, February 3, 2005

RedHat Security Advisory, RHSA-2005:102-09, June 8, 2005

FreeRADIUS Server Project

FreeRADIUS 1.0.2

Two vulnerabilities have been reported: a vulnerability was reported in the 'radius_xlat()' function call due to insufficient validation, which could let a remote malicious user execute arbitrary SQL code; and a buffer overflow vulnerability was reported in the 'sql_escape_func()' function, which could let a remote malicious user execute arbitrary code.

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-13.xml

SuSE:
ftp://ftp.suse.com/pub/suse/

FreeRadius:
ftp://ftp.freeradius.org/pub/
radius/freeradius-1.0.3.tar.gz

There is no exploit code required.

FreeRadius 'rlm_sql.c' SQL Injection & Buffer Overflow

CAN-2005-1454
CAN-2005-1455

High

Security Tracker Alert ID: 1013909, May 6, 2005

Gentoo Linux Security Advisory, GLSA 200505-13, May 17, 2005

SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005

Security Focus, 13541, June 10, 2005

gFTP

gFTP 0.1, 0.2, 0.21, 1.0, 1.1-1.13, 2.0-2.0.17

A Directory Traversal vulnerability exists due to insufficient sanitization of input, which could let a remote malicious user obtain sensitive information.

Upgrades available at:
http://www.gftp.org/gftp-2.0.18.tar.gz

Debian:
http://security.debian.org/pool/
updates/main/g/gftp/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200502-27.xml

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000957

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-410.html

There is no exploit code required.

gFTP Remote Directory Traversal

CAN-2005-0372

Medium

Security Focus, February 14, 2005

Debian Security Advisory, DSA 686-1, February 17, 2005

SUSE Security Summary Report, SUSE-SR:2005:005, February 18, 2005

Gentoo Linux Security Advisory, GLSA 200502-27, February 19, 2005

Mandrakelinux Security Update Advisory, MDKSA-2005:050, March 4, 2005

RedHat Security Advisory, RHSA-2005:410-07, June 13, 2005

Conectiva Security Advisory, CLSA-2005:957, May 31, 2005

GNOME

gEdit 2.0.2, 2.2 .0, 2.10.2

A format string vulnerability has been reported when invoking the program with a filename that includes malicious format specifiers, which could let a remote malicious user cause a Denial of Service and potentially execute arbitrary code.

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/g/gedit/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-09.xml

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-499.html

An exploit has been published.

Gedit Filename Format String

CAN-2005-1686

High

Securiteam, May 22, 2005

Ubuntu Security Notice, USN-138-1, June 09, 2005

Gentoo Linux Security Advisory, GLSA 200506-09, June 11, 2005

RedHat Security Advisory, RHSA-2005:499-05, June 13, 2005

GNU

a2ps 4.13b

Two vulnerabilities exist in GNU a2ps, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerabilities are caused due to the fixps.in and psmandup.in scripts creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running a vulnerable script.

Debian:
http://security.debian.org/
pool/updates/main/a/a2ps/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200501-02.xml

Mandriva:
http://www.mandriva.com/
security/advisories

Currently we are not aware of any exploits for these vulnerabilities.

GNU a2ps
Two Scripts Insecure Temporary File
Creation

CAN-2004-1377

 

Medium

Secunia SA13641, December 27, 2004

Gentoo Linux Security Advisory, GLSA 200501-02, January 4, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:097, June 7, 2005

GNU

gzip 1.2.4 a, 1.2.4, 1.3.3-1.3.5

A Directory Traversal vulnerability has been reported due to an input validation error when using 'gunzip' to extract a file with the '-N' flag, which could let a remote malicious user obtain sensitive information.

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/g/gzip/

Trustix:
http://http.trustix.org/
pub/trustix/updates/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-05.xml

IPCop:
http://ipcop.org/modules.php?
op=modload&name=Downloads
&file=index&req=viewdownload
&cid=3&orderby=dateD

Mandriva:
http://www.mandriva.com/
security/advisories

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

FreeBSD:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:11/gzip.patch

OpenPKG:
http://www.openpkg.org/
security/OpenPKG-SA-2005.009-
openpkg.html

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-357.html

Proof of Concept exploit has been published.

GNU GZip
Directory Traversal

CAN-2005-1228

Medium

Bugtraq, 396397, April 20, 2005

Ubuntu Security Notice, USN-116-1, May 4, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0018, May 6, 2005

Gentoo Linux Security Advisory, GLSA 200505-05, May 9, 2005

Security Focus,13290, May 11, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:092, May 19, 2005

Turbolinux Security Advisory, TLSA-2005-59, June 1, 2005

FreeBSD Security Advisory, FreeBSD-SA-05:11, June 9, 2005

OpenPKG Security Advisory, OpenPKG-SA-2005.009, June 10, 2005

RedHat Security Advisory, RHSA-2005:357-19, June 13, 2005

GNU

Mailutils 0.5, 0.6

Multiple vulnerabilities have been reported that could let a remote malicious user execute arbitrary code or cause a Denial of Service. These vulnerabilities are due to a buffer overflow in the 'header_get_field_name()' function in 'mailbox/header.c'; an integer overflow in the 'fetch_io()' function; an input validation error in the imap4d server in the FETCH command; and a format string flaw in the imap4d server.

A fixed version (0.6.90) is available at:
ftp://alpha.gnu.org/gnu/mailutils/
mailutils-0.6.90.tar.gz

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-20.xml

Debian:
http://security.debian.org/pool/
updates/main/m/mailutils/

A Proof of Concept exploit script has been published.

GNU Mailutils Buffer Overflow and Format String Bugs Let Remote Users Execute Arbitrary Code

CAN-2005-1520
CAN-2005-1521
CAN-2005-1522
CAN-2005-1523

High

iDEFENSE Security Advisory 05.25.05

Gentoo Linux Security Advisory, GLSA 200505-20, May 27, 2005

Debian Security Advisory, DSA 732-1, June 3, 2005

Security Focus, 13764, June 13, 2005

GNU

shtool 2.0.1 & prior

A vulnerability has been reported that could let a local malicious user gain escalated privileges. The vulnerability is caused due to temporary files being created insecurely.

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-08.xml

There is no exploit code required.

GNU shtool Insecure Temporary File Creation

CAN-2005-1751

Medium

Secunia Advisory, SA15496, May 25, 2005

Gentoo Linux Security Advisory, GLSA 200506-08, June 11, 2005

GNU

gzip 1.2.4, 1.3.3

A vulnerability has been reported when an archive is extracted into a world or group writeable directory, which could let a malicious user modify file permissions.

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/g/gzip/

Trustix:
http://http.trustix.org/
pub/trustix/updates/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-05.xml

Mandriva:
http://www.mandriva.com/
security/advisories

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

FreeBSD:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:11/gzip.patch

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-357.html

There is no exploit code required.

GNU GZip File Permission Modification

CAN-2005-0988

Medium

Security Focus,
12996,
April 5, 2005

Ubuntu Security Notice, USN-116-1, May 4, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0018, May 6, 2005

Gentoo Linux Security Advisory, GLSA 200505-05, May 9, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:092, May 19, 2005

Turbolinux Security Advisory, TLSA-2005-59, June 1, 2005

FreeBSD Security Advisory, FreeBSD-SA-05:11, June 9, 2005

RedHat Security Advisory, RHSA-2005:357-19, June 13, 2005

GNU

wget 1.9.1

A vulnerability exists which could permit a remote malicious user to create or overwrite files on the target user's system. wget does not properly validate user-supplied input. A remote user can bypass the filtering mechanism if DNS can be modified so that '..' resolves to an IP address. A specially crafted HTTP response can include control characters to overwrite portions of the terminal window.

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Mandriva:
http://www.mandriva.com/
security/advisories

Trustix:
http://http.trustix.org/
pub/trustix/updates/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-357.html

A Proof of Concept exploit script has been published.

GNU wget File Creation & Overwrite

CAN-2004-1487
CAN-2004-1488

Medium

Security Tracker Alert ID: 1012472, December 10, 2004

SUSE Security Summary Report, SUSE-SR:2005:004, February 11, 2005

SUSE Security Summary Report, SUSE-SR:2005:006, February 25, 2005

SUSE Security Summary Report, SUSE-SR:2005:011, April 15, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:098, June 9, 2005

Trustix Secure Linux Security Advisory, TLSA-2005-0028, June 13, 2005

GNU

zgrep 1.2.4

A vulnerability has been reported in 'zgrep.in' due to insufficient validation of user-supplied arguments, which could let a remote malicious user execute arbitrary commands.

A patch for 'zgrep.in' is available in the following bug report:
http://bugs.gentoo.org/
show_bug.cgi?id=90626

Mandriva:
http://www.mandriva.com/
security/advisories

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-357.html

There is no exploit code required.

Gzip Zgrep Arbitrary Command Execution

CAN-2005-0758

High

Security Tracker Alert, 1013928, May 10, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:092, May 19, 2005

Turbolinux Security Advisory , TLSA-2005-59, June 1, 2005

RedHat Security Advisory, RHSA-2005:357-19, June 13, 2005

IBM

AIX 5.3

Buffer overflow vulnerabilities have been reported in the 'invscout,' 'paginit,' 'diagTasksWebSM,' 'getlvname,' and 'swcons' commands and multiple 'p' commands, which could let a malicious user execute arbitrary code, potentially with root privileges.

IBM has released an advisory (IBM-06-10-2005) to address this and other issues. Fixes are not yet available.

There is no exploit code required; however, Proofs of Concept exploits have been published.

IBM AIX Multiple Buffer Overflows
High

Security Tracker Alert, 1014132, June 8, 2005

IBM Security Advisory, IBM-06-10-2005, June 10, 2005

Iron Bars

Shell ibsh 0.3 a-0.3 d, 0.2 a, 0.1 b, 0.1 a

Several vulnerabilities have been reported: a vulnerability was reported due to an unspecified boundary error, which could let a remote malicious user execute arbitrary code; and two off-by-one errors were reported which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://prdownloads.sourceforge.net/
ibsh/ibsh-0.3e.tar.gz?download

Currently we are not aware of any exploits for these vulnerabilities.

Iron Bars Shell Buffer Overflow & Off-By-One
High
Secunia Advisory, SA15591, June 14, 2005

jamchen

JamMail 1.8

A vulnerability was reported in the ''jammail.pl' script due to insufficient validation of the 'mail' parameter, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

JamMail 'Jammail.pl' Remote Arbitrary Command Execution

CAN-2005-1959

High
Security Tracker Alert, 1014175, June 12, 2005

LBL

tcpdump 3.4 a6, 3.4, 3.5, alpha, 3.5.2, 3.6.2, 3.6.3, 3.7-3.7.2, 3.8.1 -3.8.3; IPCop 1.4.1, 1.4.2, 1.4.4, 1.4.5

Remote Denials of Service vulnerabilities have been reported due to the way tcpdump decodes Border Gateway Protocol (BGP) packets, Label Distribution Protocol (LDP) datagrams, Resource ReSerVation Protocol (RSVP) packets, and Intermediate System to Intermediate System (ISIS) packets.

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/3/

Trustix:
http://http.trustix.org/
pub/trustix/updates/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/t/tcpdump/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-06.xml

Mandriva:
http://www.mandriva.com/
security/advisories

IPCop:
http://ipcop.org/modules.php?
op=modload&name=Downloads
&file=index&req=viewdownload
&cid=3&orderby=dateD

FreeBSD:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:10/tcpdump.patch

Exploit scripts have been published.

LBL TCPDump Remote Denials of Service

CAN-2005-1278
CAN-2005-1279

CAN-2005-1280

Low

Bugtraq, 396932, April 26, 2005

Fedora Update Notification,
FEDORA-2005-351, May 3, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0018, May 6, 2005

Ubuntu Security Notice, USN-119-1 May 06, 2005

Gentoo Linux Security Advisory, GLSA 200505-06, May 9, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:087, May 12, 2005

Security Focus, 13392, May 12, 2005

FreeBSD Security Advisory, FreeBSD-SA-05:10, June 9, 2005

Leafnode

Leafnode 1.11.2, 1.11.1, 1.9.47-1.9.29-1.9.31, 1.9.19-1.9.27

A remote Denial of Service vulnerability has been reported in the fetchnews program (the NNTP client) due to a failure to handle network delays.

Upgrades available at:
http://sourceforge.net
/project/showfiles.php?group_id=57767

There is no exploit code required.

Leafnode Remote Denial of Service

CAN-2005-1911

Low
leafnode-SA-2005:02, June 8, 2005

Libextractor

libextractor 0.4-0.4.2, 0.3.6 -0.3.11

Buffer overflow vulnerabilities have been reported in the PDF, Real, and PNG extractors, which could let a remote malicious user execute arbitrary code.

The vendor has released libextractor 0.5.0 to address these issues.

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-06.xml

Currently we are not aware of any exploits for these vulnerabilities.

Libextractor Multiple Remote Buffer Overflows
High
Gentoo Linux Security Advisory. GLSA 200506-06, June 9, 2005

Multiple Vendors

FreeBSD 5.4 & prior

A vulnerability was reported in FreeBSD when using Hyper-Threading Technology due to a design error, which could let a malicious user obtain sensitive information and possibly elevated privileges.

Patches and updates available at:
ftp://ftp.freebsd.org/pub/FreeBSD/
CERT/advisories/
FreeBSD-SA-05:09.htt.asc

SCO:
ftp://ftp.sco.com/pub/updates/
UnixWare/SCOSA-2005.24

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/l/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-476.html

Sun:
http://sunsolve.sun.com/
search/document.do?
assetkey=1-26-101739-1

Mandriva:
http://www.mandriva.com/
security/advisories

Trustix:
ftp://ftp.trustix.org/pub/trustix/
updates/

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendor FreeBSD Hyper-Threading Technology Support Information Disclosure

CAN-2005-0109

Medium

FreeBSD Security Advisory, FreeBSD-SA-05:09, May 13, 2005

SCO Security Advisory, SCOSA-2005.24, May 13, 2005

Ubuntu Security Notice, USN-131-1, May 23, 2005

US-CERT VU#911878

RedHat Security Advisory, RHSA-2005:476-08, June 1, 2005

Sun(sm) Alert Notification, 101739, June 1, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:096, June 7, 2005

Trustix Secure Linux Security Advisory, TLSA-2005-0028, June 13, 2005

Multiple Vendors

ImageMagick 6.0-6.0.8, 6.1-6.1.8, 6.2 .0.7, 6.2 .0.4, 6.2, 6.2.1

A buffer overflow vulnerability has been reported due to a failure to properly validate user-supplied string lengths before copying into static process buffers, which could let a remote malicious user cause a Denial of Service.

Upgrades available at:
http://www.imagemagick.org/
script/binary-releases.php

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/3/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/i/imagemagick/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-413.html

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

A Proof of Concept exploit has been published.

ImageMagick
Remote Buffer Overflow

CAN-2005-1275

Low

Security Focus, 13351, April 25, 2005

Fedora Update Notification
FEDORA-2005-344, April 28, 2005

Ubuntu Security Notice, USN-132-1 May 23, 2005, May 23, 2005

RedHat Security Advisory, RHSA-2005:413-04, May 25, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

Multiple Vendors

ISC BIND 9.3;
MandrakeSoft Linux Mandrake 10.1 X86_64, 10.1

A remote Denial of Service vulnerability exists in the 'authvalidated()' function due to an error in the validator.

Upgrade available at:
http://www.isc.org/index.pl

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Trustix:
http://www.trustix.org/
errata/2005/0003/

FreeBSD:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:12/bind9.patch

Currently we are not aware of any exploits for this vulnerability.

BIND Validator Self Checking Remote Denial of Service

CAN-2005-0034

Low

US-CERT Vulnerability Note. VU#938617, January 25, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0003, February 11, 2005

FreeBSD Security Advisory, FreeBSD-SA-05:12, June 9, 2005

Multiple Vendors

MandrakeSoft Corporate Server 3.0, x86_64, Linux Mandrake 10.0, AMD64, 10.1, X86_64;Novell Evolution 2.0.2l Ubuntu Linux 4.1 ppc, ia64, ia32;
Ximian Evolution 1.0.3-1.0.8, 1.1.1, 1.2-1.2.4, 1.3.2 (beta)

A buffer overflow vulnerability exists in the main() function of the 'camel-lock-helper.c' source file, which could let a remote malicious user execute arbitrary code.

Update available at:
http://cvs.gnome.org/viewcvs/evolution/
camel/camel-lock-helper.c?rev=1.7
&hideattic=0&view=log

Gentoo:
http://security.gentoo.org/
glsa/glsa-200501-35.xml

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/e/evolution/

SUSE:
ftp://ftp.suse.com/pub/suse/

Debian:
http://security.debian.org/pool/
updates/main/e/evolution/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

ALT Linux:
http://lists.altlinux.ru/pipermail/
security-announce/2005-March
/000287.html

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-238.html

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Currently we are not aware of any exploits for this vulnerability.

Evolution Camel-Lock-Helper Application Remote Buffer Overflow

CAN-2005-0102

High

Gentoo Linux Security Advisory, GLSA 200501-35, January 25, 2005

Ubuntu Security Notice, USN-69-1, January 25, 2005

Mandrakelinux Security Update Advisory, MDKSA-2005:024, January 27, 2005

SUSE Security Summary Report, SUSE-SR:2005:003, February 4, 2005

Debian Security Advisory, DSA 673-1, February 10, 2005

Conectiva Linux Security Announcement, CLA-2005:925, February 16, 2005

ALTLinux Security Advisory, March 29, 2005

RedHat Security Advisory, RHSA-2005:238-18, May 19, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

Multiple Vendors

RedHat Enterprise Linux WS 4, ES 4, AS 4, Desktop 4.0;
Linux kernel 2.6.9, 2.6-2.6.8

A Denial of Service vulnerability has been reported in the auditing code.

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-420.html

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel Auditing Code Denial of Service

CAN-2005-0136

Low
RedHat Security Advisory, RHSA-2005:420-22, June 8, 2005

Multiple Vendors

Linux Kernel 2.6.10, 2.6 -test1-test11, 2.6-2.6.11

A Denial of Service vulnerability has been reported in the 'load_elf_library' function.

Patches available at:
http://www.kernel.org/pub/
linux/kernel/v2.6/patch-2.6.11.6.bz2

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

Trustix:
http://http.trustix.org/pub/
trustix/updates/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-366.html

Conectiva:
ftp://atualizacoes.conectiva.
com.br/

FedoraLegacy:
http://download.fedoralegacy.org/
redhat/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel Local Denial of Service

CAN-2005-0749

Low

Fedora Security
Update Notification,
FEDORA-2005-262, March 28, 2005

Trustix Secure
Linux Security Advisory,
TSLSA-2005-0011, April 5, 2005

Fedora Update Notification
FEDORA-2005-313, April 11, 2005

RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005

Conectiva Linux Security Announcement, CLA-2005:952, May 2, 2005

Fedora Legacy Update Advisory, FLSA:152532, June 4, 1005

SUSE Security Announcement, SUSE-SA:2005:29, June 9, 2005

Multiple Vendors

RedHat Fedora Core3;
LBL tcpdump 3.9.1, 3.9, 3.8.1-3.8.3, 3.7-3.7.2, 3.6.3, 3.6.2, 3.5.2, 3.5, alpha, 3.4, 3.4 a6

A remote Denial of Service vulnerability has been reported in the 'bgp_update_print()' function in 'print-bgp.c' when a malicious user submits specially crafted BGP protocol data.

Update available at:
http://cvs.tcpdump.org/cgi-bin/
cvsweb/tcpdump/print-bgp.c

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/3/

Trustix:
ftp://ftp.trustix.org/pub/trustix/
updates/

A Proof of Concept exploit script has been published.

TCPDump BGP Decoding Routines Denial of Service

CAN-2005-1267

Low

Security Tracker Alert, 1014133, June 8, 2005

Fedora Update Notification,
FEDORA-2005-406, June 9, 2005

Trustix Secure Linux Security Advisory, TLSA-2005-0028, June 13, 2005

Multiple Vendors

SilverCity SilverCity 0.9.4;
Gentoo Linux

A vulnerability has been reported because three of the SilverCity executables are installed with insecure permissions, which could let a malicious user modify the executables and replace them with trojaned versions.

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-05.xml

There is no exploit code required.

SilverCity Insecure File Permissions

CAN-2005-1941

High
Gentoo Linux Security Advisory, GLSA 200506-05, June 8,2005

Multiple Vendors

SuSE Linux Enterprise Server 9, Linux 9.3 x86_64;
Linux kernel 2.6.11, 2.6.8, l 2.6.5

A vulnerability has been reported in 'ptrace' 64-bit platforms which could let a malicious user access kernel memory pages.

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel 64 Bit PTrace Kernel Memory Access

CAN-2005-1763

Medium
SUSE Security Announcement, SUSE-SA:2005:029, June 9, 2005

Multiple Vendors

Linux kernel 2.4-2.4.29, 2.6 .10, 2.6-2.6.11

A vulnerability has been reported in the 'bluez_sock_create()' function when a negative integer value is submitted, which could let a malicious user execute arbitrary code with root privileges.

Patches available at:
http://www.kernel.org/pub/linux/
kernel/v2.4/testing/patch-
2.4.30-rc3.bz2

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Trustix:
http://http.trustix.org/pub/
trustix/updates/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-366.html

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-283.html

http://rhn.redhat.com/
errata/RHSA-2005-284.html

Conectiva:
ftp://atualizacoes.conectiva.
com.br/

FedoraLegacy:
http://download.fedoralegacy.org/
redhat/

A Proof of Concept exploit script has been published.

Linux Kernel
Bluetooth Signed Buffer Index

CAN-2005-0750

High

Security Tracker
Alert, 1013567,
March 27, 2005

SUSE Security Announcement, SUSE-SA:2005
:021, April 4, 2005

Trustix Secure
Linux Security Advisory,
TSLSA-2005-0011, April 5, 2005

US-CERT
VU#685461

Fedora Update Notification
FEDORA-2005-313, April 11, 2005

RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005

RedHat Security Advisories, RHSA-2005:283-15 & RHSA-2005:284-11, April 28, 2005

Conectiva Linux Security Announcement, CLA-2005:952, May 2, 2005

Fedora Legacy Update Advisory, FLSA:152532, June 4, 1005

SUSE Security Announcement, SUSE-SA:2005:29, June 9, 2005

Multiple Vendors

Ubuntu Linux 5.0 4 amd64, 4.1 ia64;
SuSE Linux 9.3 x86_64, 9.1 x86_64, 9.0 x86_64;
Linux kernel 2.6.10, 2.6.8

A Denial of Service has been reported in 'ptrace()' due to insufficient validation of memory addresses.

Updates available at:
http://kernel.org/

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/l/linux-source-2.6.8.1/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel 'ptrace()' Denial of Service

CAN-2005-0756

Low

Ubuntu Security Notice, USN-137-1, June 08, 2005

SUSE Security Announcement, SUSE-SA:2005:029, June 9, 2005

Multiple Vendors

Ubuntu Linux 5.0 4 powerpc, i386, amd64, 4.1 ppc, ia64, ia32;
Linux kernel 2.6.10, 2.6.8

A vulnerability was reported has been reported in the 'mmap()' function because memory maps can be created with a start address after the end address, which could let a malicious user cause a Denial of service or potentially obtain elevated privileges.

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/l/linux-source-2.6.8.1/

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel 'MMap()' Denial of Service

CAN-2005-1265

Medium
Ubuntu Security Notice, USN-137-1, June 08, 2005

Multiple Vendors

Concurrent Versions System (CVS) 1.x;Gentoo Linux; SuSE Linux 8.2, 9.0, 9.1, x86_64, 9.2, x86_64, 9.3, Linux Enterprise Server 9, 8, Open-Enterprise-Server 9.0, School-Server 1.0, SUSE CORE 9 for x86, UnitedLinux 1.0

Multiple vulnerabilities have been reported: a buffer overflow vulnerability was reported due to an unspecified boundary error, which could let a remote malicious user potentially execute arbitrary code; a remote Denial of Service vulnerability was reported due to memory leaks and NULL pointer dereferences; an unspecified error was reported due to an arbitrary free (the impact was not specified), and several errors were reported in the contributed Perl scripts, which could let a remote malicious user execute arbitrary code.

Update available at:
https://ccvs.cvshome.org/
servlets/ProjectDocumentList

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-16.xml

SuSE:
ftp://ftp.suse.com/pub/suse/i

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/3/

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Trustix:
http://http.trustix.org/pub/
trustix/updates/

FreeBSD:
ftp://ftp.FreeBSD.org/pub/

Peachtree:
http://peachtree.burdell.org/
updates/

RedHat:
http://rhn.redhat.com/errata/
RHSA-2005-387.html

OpenBSD:
http://www.openbsd.org/
errata.html#cvs

TurboLinux:
ftp://ftp.turbolinux.co.jp/p
ub/TurboLinux/TurboLinux/ia32/

OpenBSD:
http://www.openbsd.org/
errata35.html#

Ubuntu:
http://security.ubuntu.com/
Subunit/pool/main/c/cvs/

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

OpenBSD:
http://www.openbsd.org/
errata.html#cvs

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000966

Currently we are not aware of any exploits for these vulnerabilities.

CVS Multiple Vulnerabilities

CAN-2005-0753

High

 

Gentoo Linux Security Advisory, GLSA 200504-16, April 18, 2005

SuSE Security Announcement, SUSE-SA:2005:024, April 18, 2005

Secunia Advisory, SA14976, April 19, 2005

Fedora Update Notification,
FEDORA-2005-330, April 20, 2006

Mandriva Linux Security Update Advisory, MDKSA-2005:073, April 21, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0013, April 21, 2005

Gentoo Linux Security Advisory [UPDATE], GLSA 200504-16:02, April 22, 2005

FreeBSD Security Advisory, FreeBSD-SA-05:05, April 22, 2005

Peachtree Linux Security Notice, PLSN-0005, April 22, 2005

RedHat Security Advisory, RHSA-2005:387-06, April 25, 2005

Turbolinux Security Advisory, TLSA-2005-51, April 28, 2005

Ubuntu Security Notice, USN-117-1 May 04, 2005

SGI Security Advisory, 20050501-01-U, May 5, 2005

Conectiva Security Advisory, CLSA-2005:966, June 13, 2005

Multiple Vendors

Linux kernel 2.6.10, 2.6, -test1-test 11, 2.6.1- 2.6.11;
RedHat Fedora Core2

A vulnerability has been reported in the EXT2 filesystem handling code, which could let malicious user obtain sensitive information.

Patches available at:
http://www.kernel.org/pub/linux/
kernel/v2.6/patch-2.6.11.6.bz2

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

Trustix:
http://http.trustix.org/pub/
trustix/updates/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-366.html

Conectiva:
ftp://atualizacoes.conectiva.
com.br/

FedoraLegacy:
http://download.fedoralegacy.org/
redhat/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel
EXT2 File
System
Information Leak

CAN-2005-0400

Medium

Security Focus,
12932,
March 29, 2005

Trustix Secure
Linux Security Advisory,
TSLSA-2005-0011, April 5, 2005

Fedora Update Notification
FEDORA-2005-313, April 11, 2005

RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005

Conectiva Linux Security Announcement, CLA-2005:952, May 2, 2005

Fedora Legacy Update Advisory, FLSA:152532, June 4, 1005

SUSE Security Announcement, SUSE-SA:2005:029, June 9, 2005

 

Multiple Vendors

X.org X11R6 6.7.0, 6.8, 6.8.1;
XFree86 X11R6 3.3, 3.3.2-3.3.6, 4.0, 4.0.1, 4.0.2 -11, 4.0.3, 4.1.0, 4.1 -12, 4.1 -11, 4.2 .0, 4.2.1 Errata, 4.2.1, 4.3.0.2, 4.3.0.1, 4.3.0

An integer overflow vulnerability exists in 'scan.c' due to insufficient sanity checks on on the 'bitmap_unit' value, which could let a remote malicious user execute arbitrary code.

Patch available at:
https://bugs.freedesktop.org/
attachment.cgi?id=1909

Gentoo:
http://security.gentoo.org/glsa/
glsa-200503-08.xml

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/l/lesstif1-1/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200503-15.xml

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/x/xfree86/

ALTLinux:
http://lists.altlinux.ru/
pipermail/security-announce/
2005-March/000287.html

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/errata/
RHSA-2005-331.html

SGI:
ftp://oss.sgi.com/projects/
sgi_propack/download/3/updates/

RedHat:
http://rhn.redhat.com/errata/
RHSA-2005-044.html

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Mandriva:
http://www.mandriva.com/
security/advisories

Debian:
http://security.debian.org/
pool/updates/main/x/xfree86/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-412.html

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-473.html

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-198.html

Currently we are not aware of any exploits for this vulnerability.

LibXPM Bitmap_unit
Integer Overflow

CAN-2005-0605

 

 

High

Security Focus,
12714,
March 2, 2005

Gentoo Linux
Security Advisory,
GLSA 200503-08, March 4, 2005

Ubuntu Security
Notice, USN-92-1 March 07, 2005

Gentoo Linux
Security Advisory, GLSA 200503-15,
March 12, 2005

Ubuntu Security
Notice, USN-97-1
March 16, 2005

ALTLinux Security Advisory, March 29, 2005

Fedora Update Notifications,
FEDORA-2005
-272 & 273,
March 29, 2005

RedHat Security Advisory,
RHSA-2005:
331-06,
March 30, 2005

SGI Security Advisory, 20050401-01-U, April 6, 2005

RedHat Security Advisory, RHSA-2005:044-15, April 6, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:080, April 29, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:081, May 6, 2005

Debian Security Advisory, DSA 723-1, May 9, 2005

RedHat Security Advisory, RHSA-2005:412-05, May 11, 2005

RedHat Security Advisory, RHSA-2005:473-03, May 24, 2005

RedHat Security Advisory, RHSA-2005:198-35, June 8, 2005

Multiple Vendors

Sun Solaris 9 Operating System, Solaris 10 Operating System, Solaris 7 Operating System, Solaris 8 Operating System, Sun Enterprise Authentication Mechanism Software; Red Hat Desktop 3, 4, Enterprise Linux AS 2.1, 3, 4, ES 2.1, 3, 4,
2.1, 3, 4, WS 2.1, 3, 4, Advanced Workstation 2.1 for the Itanium Processor

 

A vulnerability has been reported due to the way the NEW-ENVIRON command is handled, which could let a remote malicious user obtain sensitive information.

Sun:
http://sunsolve.sun.com/search/
document.do?assetkey=
1-26-57755-1

http://sunsolve.sun.com/search/
document.do?assetkey=
1-26-57761-1

RedHat:
rhn.redhat.com/errata/
RHSA-2005-504.html

A Proof of Concept exploit has been published.

Multiple Vendor Telnet Client Information Disclosure

CAN-2005-0488

Medium

iDEFENSE Security Advisory, June 14, 2005

US-CERT VU#800829

OpenSLP

OpenSLP 1.0.0-1.0.11, 1.1.5, 1.2 .0

Multiple buffer overflow vulnerabilities have been reported when processing malformed SLP (Service Location Protocol) packets, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://sourceforge.net/project/
showfiles.php?group_id=1730

SuSE:
ftp://ftp.suse.com/pub/suse/

Mandrake:
http://www.mandrakesecure.
net/en/ftp.php

Ubuntu:
http://security.ubuntu.com
/ubuntu/pool/main/o/openslp/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200503-25.xml

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000967

Currently we are not aware of any exploits for these vulnerabilities.

OpenSLP Multiple Buffer Overflows

CAN-2005-0769

High

SuSE Security Announcement, SUSE-SA:2005:015, March 14, 2005

Mandrakelinux Security Update Advisory, MDKSA-2005:055, March 16, 2005

Ubuntu Security Notice, USN-98-1 March 17, 2005

Gentoo Linux Security Advisory, GLSA 200503-25, March 20, 2005

Conectiva Security Advisory, CLSA-2005:967, June 13, 2005

PHP Group

PHP 4.3-4.3.10; Peachtree Linux release 1

A remote Denial of Service vulnerability has been reported when processing deeply nested EXIF IFD (Image File Directory) data.

Upgrades available at:
http://ca.php.net/get/php
4.3.11.tar.gz/from/a/mirror

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/p/php4/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-15.xml

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Peachtree:
http://peachtree.burdell.org/
updates/

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000955

Apple:
http://www.apple.com/
support/downloads/

Currently, we are not aware of any exploits for this vulnerability.

PHP Group Exif Module IFD Nesting Remote Denial of Service

CAN-2005-1043

Low

Security Focus, 13164, April 14, 2005

Ubuntu Security Notice, USN-112-1, April 14, 2005

Gentoo Linux Security Advisory, GLSA 200504-15, April 18, 2005

Fedora Update Notification,
FEDORA-2005-315, April 18, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:072, April 19, 2005

Peachtree Linux Security Notice, PLSN-0001, April 21, 2005

SGI Security Advisory, 20050501-01-U, May 5, 2005

Conectiva Security Advisory, CLSA-2005:955, May 31, 2005

Apple Security Update, APPLE-SA-2005-06-08, June 8, 2005

PHP Group

PHP 4.3-4.3.10; Peachtree Linux release 1

A vulnerability has been reported in the 'exif_process_IFD_TAG()' function when processing malformed IFD (Image File Directory) tags, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://ca.php.net/get/php
4.3.11.tar.gz/from/a/mirror

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/p/php4/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-15.xml

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Peachtree:
http://peachtree.burdell.org/
updates/

TurboLinux:
ftp://ftp.turbolinux.co.jp/p
ub/TurboLinux/TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-405.html

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000955

Apple:
http://www.apple.com/
support/downloads/

Currently, we are not aware of any exploits for this vulnerability.

PHP Group Exif Module IFD Tag Integer Overflow

CAN-2005-1042

High

Security Focus, 13163, April 14, 2005

Ubuntu Security Notice, USN-112-1, April 14, 2005

Gentoo Linux Security Advisory, GLSA 200504-15, April 18, 2005

Fedora Update Notification,
FEDORA-2005-315, April 18, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:072, April 19, 2005

Peachtree Linux Security Notice, PLSN-0001, April 21, 2005

Turbolinux Security Advisory, TLSA-2005-50, April 28, 2005

RedHat Security Advisory, RHSA-2005:405-06, April 28, 2005

SUSE Security Summary Report, SUSE-SR:2005:012, April 29, 2005

SGI Security Advisory, 20050501-01-U, May 5, 2005

Conectiva Security Advisory, CLSA-2005:955, May 31, 2005

Apple Security Update, APPLE-SA-2005-06-08, June 8, 2005

Pico Server

Pico Server 3.3

Several vulnerabilities have been reported: a Directory Traversal vulnerability was reported in URL request handling due to an input validation error, which could let a remote malicious user obtain sensitive information; and a buffer overflow vulnerability has been reported in URL request handling, which could let a remote malicious user execute arbitrary code.

Upgrade available at:
http://pserv.sourceforge.net

There is no exploit code required.

Pico Server Directory Traversal & Buffer Overflow

CAN-2005-1952
CAN-2005-1953

High
Secunia Advisory, SA15663, June 13, 2005

RedHat

sysreport 1.1-1.3, Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4, ES 3, ES 2.1 IA64, ES 2.1, AS 4, AS 3, AS 2.1 IA64, AS 2.1, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1, IA64

A vulnerability has been reported in the Sysreport proxy due to a failure to ensure that sensitive information is not included in generated reports, which could let a remote malicious user obtain sensitive information.

Updates available at:
http://rhn.redhat.com/
errata/RHSA-2005-502.html

There is no exploit code required.

RedHat Linux SysReport Proxy Information Disclosure

CAN-2005-1760

Medium
RedHat Security Advisory, RHSA-2005:502-03, June 13, 2005

Rob Flynn

Gaim prior to 1.3.1

Several vulnerabilities have been reported: a remote Denial of Service vulnerability has been reported when using the Yahoo! protocol to download a file; and a remote Denial of Service vulnerability was reported in the MSN Messenger service when a malicious user submits a specially crafted MSN message.

Updates available at:
http://gaim.sourceforge.net
/downloads.php

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/g/gaim/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-11.xml

Mandriva:
http://www.mandriva.com/
security/advisories

There is no exploit code required.

Gaim Remote Denial of Services

CAN-2005-1269
CAN-2005-1934

Low

Secunia Advisory, SA15648, June 10, 2005

Ubuntu Security Notice USN-139-1, June 10, 2005

Gentoo Linux Security Advisory, GLSA 200506-11, June 12, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:099, June 14, 2005

SGI

IRIX 6.5.25-6.5.27

Several vulnerabilities have been reported in 'rpc.mountd' because anonymous clients that have an unlisted hostname in DNS, NIS, etc. are denied and also excessive rights for read-mostly exports is allowed.

Patches available at:
ftp://patches.sgi.com/support/
free/security/patches/6.5.25/

There is no exploit code required.

SGI IRIX RPC.MountD Read-Mostly Mount Unspecified File Access

CAN-2005-0138
CAN-2005-0139

Medium
SGI Security Advisory, 20050601-01-P, June 8, 2005

Tomasz Lutelmowski

LutelWall 0.97 & prior

A vulnerability has been reported in the 'new_version_check()' function due to the insecure creation of temporary files when updating to a new version, which could let a malicious user obtain root privileges.

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-10.xml

There is no exploit code required.

LutelWall Insecure Temporary File Creation

CAN-2005-1879

High

Security Tracker Alert, 1014112, June 6, 2005

Gentoo Linux Security Advisory, GLSA 200506-10, June 11, 2005

xMySQLadmin

xMySQLadmin 1.0

A vulnerability has been reported due to the insecure creation of temporary files when dropping the database, which could let a malicious user perform actions with elevated privileges.

No workaround or patch available at time of publishing.

There is no exploit code required.

xMySQLadmin Insecure Temporary File Creation

CAN-2005-1944

Medium
Secunia Advisory, SA15635, June 9, 2005

[back to top] 

Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name /
CVE Reference
Risk
Source

1two.org

Annuaire 1Two 1.1, 1.0

Several Cross-Site Scripting vulnerabilities have been reported: a vulnerability was reported in the 'index.php' script due to insufficient validation of user-supplied input in the 'id' parameter, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in the form for adding comments due to insufficient validation of the 'site_id,' 'nom,' 'email,' and 'commentaire' parameters, which could let a remote malicious user execute arbitrary HTML and script code.

The vendor has issued a fixed version (2.0) available at:
http://www.1two.org/

There is no exploit code required; however, a Proof of Concept exploit has been published.

Annuaire 1Two Cross-Site Scripting

CAN-2005-1975

High
Security Tracker Alert, 1014187, June 14, 2005

Broadpool

Siteframe

A vulnerability has bee reported in the 'siteframe.php' script due to insufficient validation of the 'LOCAL_PATH' parameter, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Broadpool Siteframe 'siteframe.php' Remote Arbitrary Code Execution

CAN-2005-1965

High
Security Tracker Alert, 1014150, June 9, 2005

C.J. Steele

tattle

A vulnerability has been reported in 'getemails()' due to an input validation error, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

C.J. Steele Tattle Remote Arbitrary Command Execution

CAN-2005-1960

High
Secunia Advisory, SA15582, June 8, 2005

Cantico

Ovidentia

A vulnerability has been reported in the 'index.php' script because the 'utilit/utilit.php' is included without validating the 'babInstallPath' parameter, which could let a remote malicious user execute arbitrary code.

Patch information available at:
http://www.ovidentia.org/
index.php?tg=articles&idx=M
ore&topics=1&article=290

There is no exploit code required; however, a Proof of Concept exploit has been published.

Cantico Ovidentia 'index.php' Remote Arbitrary Code Execution

CAN-2005-1964

High
Security Tracker Alert, 1014149, June 9, 2005

Cisco Systems

CatOS, Catalyst, Call Manager

 

A vulnerability has been reported in Cisco CallManager and Cisco voice-enabled switches because they don't contain 802.1x supplicants, which could let a remote malicious user spoof the Cisco Discovery Protocol (CDP) to obtain anonymous voice VLAN access.

Workaround available at:
http://www.cisco.com/warp/
public/707/cisco-sn-
20050608-8021x.shtml

There is no exploit code required.

Cisco Voice VLAN 802.1x Authentication Bypass

CAN-2005-1942

Medium
Cisco Security Notice, 65152, June 8, 2005

Cisco Systems

IOS 12.x, R12.x

Two vulnerabilities have been reported; a vulnerability has been reported due to an error when processing IKE (Internet Key Exchange) XAUTH messages, which could let a remote malicious user obtain unauthorized access; and a vulnerability has been reported when handling ISAKMP profile attributes, which could let a remote malicious user obtain unauthorized access.

Patches available at:
http://www.cisco.com/warp/
public...sa-20050406-xauth.shtml#software

Currently we are not aware of any exploits for these vulnerabilities.

Cisco IOS XAUTH Authentication Bypass

CAN-2005-1057
CAN-2005-1058

Medium

Cisco Security Advisory, cisco-sa-20050406, April 6, 2005

US-CERT VU#344900

US-CERT VU#236748

Cisco

ACNS Software Version 4.2 and prior

Multiple vulnerabilities exist that could let remote users cause a Denial of Service. These are due to errors within the processing of TCP connections, IP packets, and network packets. he vulnerabilities affect devices configured as a transparent, forward, or reverse proxy server. A default password may also be available in the administrative account.

Updates available:
http://www.cisco.com/warp/
public/707/cisco-sa-
20050224-acnsdos.shtml

Currently we are not aware of any exploits for these vulnerabilities.

Cisco ACNS Denial of Service Vulnerabilities

CAN-2005-0601
CAN-2005-0600
CAN-2005-0599
CAN-2005-0598
CAN-2005-0597

Low

Cisco Security Advisory: 64069
Revision 1.0, February 24, 2005

US-CERT VU#579240

US-CERT U#360296

 

e107.org

eTrace 1.0.1

A vulnerability has been reported in eTrace, which could let a remote malicious user execute arbitrary commands.

No workaround or patch available at time of publishing.

There is no exploit code required.

e107 eTrace Remote Command Execution

CAN-2005-1966

High
Security Focus, 13934, June 10, 2005

InteractivePHP

FusionBB 0.1 Beta-0.11 Beta

Multiple vulnerabilities have been reported: a vulnerability was reported due to insufficient sanitization of certain values retrieved from cookie data, which could let a remote malicious user obtain sensitive information or execute arbitrary code; an SQL injection vulnerability was reported when registering an account with the FusionBB software due to insufficient sanitization of the 'username' in the'insertUser()' function, which could let a remote malicious user execute arbitrary SQL code; and an SQL injection vulnerability was reported when an arbitrary statement is entered in the cookie's session id variable, which could let a remote malicious user execute arbitrary SQL code and bypass authentication

Updates available at:
http://www.interactivephp.com/
misc/CHANGELOG.html

There is no exploit code required; however, a Proof of Concept exploit has been published.

FusionBB Multiple Input Validation

CAN-2005-1971
CAN-2005-1972

High
Gulftech Research Security Advisory, June 13, 2005

Invision Power Services

Invision Community Blog 1.1, 1.0

Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of the 'convert_highlite_words()' function, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported in 'index.php' due to insufficient sanitization of the 'mid' parameter before used in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

Updates available at:
http://www.invisionblog.com/
download_blog/

There is no exploit code required; however, Proofs of Concept exploits have been published.

Invision Community Blog Cross-Site Scripting & SQL Injection

CAN-2005-1945
CAN-2005-1946

High
Secunia Advisory, SA15626, June 9, 2005

Invision Power Services

Invision Gallery 1.3, 1.0.1

Several vulnerabilities have been reported: an SQL injection vulnerability was reported in the 'index.php' script due to insufficient sanitization before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site request forgery (CSRF) vulnerability was reported which could let a remote malicious user delete albums and images.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Invision Power Services Invision Gallery SQL Injection & Cross-SIte Request Forgery

CAN-2005-1947
CAN-2005-1948

High
GulfTech Security Advisory, June 9, 2005

MediaWiki

MediaWiki 1.x

A vulnerability has been reported due to insufficient sanitization of input passed to certain HTML attributes, which could let a remote malicious user execute arbitrary script code.

Upgrades available at:
http://prdownloads.sf.net/wikipedia/
mediawiki-1.4.5.tar.gz?download

Gentoo:
http://www.gentoo.org/security/
en/glsa/glsa-200506-12.xml

There is no exploit code required.

MediaWiki Page Template Arbitrary Code Execution

CAN-2005-1888

High

Security Focus, 13861, June 6, 2005

Gentoo Security Advisory, GLSA 200506-12, June 13, 2005

 

Mozilla

Firefox Preview Release, 0.8, 0.9 rc, 0.9-0.9.3, 0.10, 0.10.1, 1.0-1.0.3

Several vulnerabilities have been reported: a vulnerability was reported due to insufficient protection of 'IFRAME' JavaScript URLS from being executed in the context of another history list URL, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in 'InstallTrigger .install()' due to insufficient verification of the 'Icon URL' parameter, which could let a remote malicious user execute arbitrary JavaScript code.

Workaround:
Disable "tools/options/web-Features/>Allow web sites to install software"

Slackware:
ftp://ftp.slackware.com/
pub/slack ware/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-11.xml

TurboLinux:
ftp://ftp.turbolinux.co.jp/
pub/TurboLinux/
TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-434.html

http://rhn.redhat.com/
errata/RHSA-2005-435.html

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/m/
mozilla-firefox/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Proofs of Concept exploit scripts have been published.

Mozilla Firefox Remote Arbitrary Code Execution

CAN-2005-1476
CAN-2005-1477

High

Secunia Advisory,
SA15292,
May 9, 2005

US-CERT VU#534710

US-CERT VU#648758

Slackware Security Advisory, SSA:2005-135-01, May 15, 2005

Gentoo Linux Security Advisory, GLSA 200505-11, May 16, 2005

Turbolinux Security Advisory, TLSA-2005
-56, May 16, 2005

RedHat Security Advisories, RHSA-2005:434-10 & RHSA-2005:435-10, May 23 & 24, 2005

Ubuntu Security Notice, USN-134-1, May 26, 2005

SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

Mozilla

Mozilla Browser prior to 1.7.8; Mozilla Suite prior to 1.7.8; Firefox prior to 1.0.4; Firebird 0.5, 0.6.1, 0.7

A vulnerability was reported due to a failure in the application to properly verify Document Object Model (DOM) property values, which could let a remote malicious user execute arbitrary code.

Firefox:
http://www.mozilla.org/
products/firefox/

Mozilla Browser Suite:
http://www.mozilla.org/
products/mozilla1.x/

TurboLinux::
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-434.html

http://rhn.redhat.com/
errata/RHSA-2005-435.html

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/m/
mozilla-firefox/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Currently we are not aware of any exploits for this vulnerability.

Mozilla Suite And Firefox DOM Property Overrides

CAN-2005-1532

High

Mozilla Foundation Security Advisory,
2005-44,
May 12, 2005

Turbolinux Security Advisory,
TLSA-2005
-56, May 16, 2005

RedHat Security Advisories, RHSA-2005:434-10 & RHSA-2005:435-10, May 23 & 24, 2005

Ubuntu Security Notice, USN-134-1, May 26, 2005

SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

SUSE Security Announcement, SUSE-SA:2005:030, June 9, 2005

Mozilla

Mozilla Browser prior to 1.7.8; Mozilla Suite prior to 1.7.8; Firefox prior to 1.0.4; Firebird 0.5, 0.6.1, 0.7

A vulnerability was reported when processing 'javascript:' URLs, which could let a remote malicious user execute arbitrary code.

Firefox:
http://www.mozilla.org/
products/firefox/

Mozilla Browser Suite:
http://www.mozilla.org/
products/mozilla1.x/

TurboLinux::
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-434.html

http://rhn.redhat.com/
errata/RHSA-2005-435.html

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/m/
mozilla-firefox/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Currently we are not aware of any exploits for this vulnerability.

Mozilla Suite And Firefox Wrapped 'javascript:' URLs

CAN-2005-1531

High

Mozilla Foundation Security Advisory,
2005-43,
May 12, 2005

Turbolinux Security Advisory,
TLSA-2005-56, May 16, 2005

RedHat Security Advisories, RHSA-2005:434-10 & RHSA-2005:435-10, May 23 & 24, 2005

Ubuntu Security Notice, USN-134-1, May 26, 2005

SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

SUSE Security Announcement, SUSE-SA:2005:030, June 9, 2005

Multiple Vendors

ALT Linux Compact 2.3, Junior 2.3; Apple Mac OS X 10.0-10.0.4, 10.1-10.1.5, 10.2-10.2.8, 10.3-10.3.8, Mac OS X Server 10.0, 10.1-10.1.5, 10.2-10.2.8, 10.3-10.3.8; MIT Kerberos 5 1.0, 5 1.0.6, 5 1.0.8, 51.1-5 1.4; Netkit Linux Netkit 0.9-0.12, 0.14-0.17, 0.17.17; Openwall GNU/*/Linux (Owl)-current, 1.0, 1.1; FreeBSD 4.10-PRERELEASE, 2.0, 4.0 .x, -RELENG, alpha, 4.0, 4.1, 4.1.1 -STABLE, -RELEASE, 4.1.1, 4.2, -STABLEpre122300, -STABLEpre050201, 4.2 -STABLE, -RELEASE,
4.2, 4.3 -STABLE, -RELENG, 4.3 -RELEASE-p38, 4.3 -RELEASE, 4.3, 4.4 -STABLE, -RELENG, -RELEASE-p42, 4.4, 4.5 -STABLEpre2002-03-07, 4.5 -STABLE,
-RELENG, 4.5 -RELEASE-p32, 4.5 -RELEASE, 4.5, 4.6 -STABLE, -RELENG, 4.6 -RELEASE-p20, 4.6 -RELEASE, 4.6, 4.6.2, 4.7 -STABLE, 4.7 -RELENG, 4.7 -RELEASE-p17, 4.7 -RELEASE, 4.7, 4.8 -RELENG,
4.8 -RELEASE-p7, 4.8 -PRERELEASE, 4.8, 4.9 -RELENG, 4.9 -PRERELEASE, 4.9, 4.10 -RELENG, 4.10 -RELEASE,
4.10, 4.11 -STABLE, 5.0 -RELENG, 5.0, 5.1 -RELENG, 5.1 -RELEASE-p5, 5.1 -RELEASE, 5.1, 5.2 -RELENG, 5.2 -RELEASE, 5.2,
5.2.1 -RELEASE, 5.3 -STABLE, 5.3 -RELEASE, 5.3, 5.4 -PRERELEASE; SuSE Linux 7.0, sparc, ppc, i386, alpha, 7.1, x86, sparc, ppc, alpha, 7.2, i386

SGI IRIX 6.5.24-6.5.27

Two buffer overflow vulnerabilities have been reported in Telnet: a buffer overflow vulnerability has been reported in the 'slc_add_reply()' function when a large number of specially crafted LINEMODE Set Local Character (SLC) commands is submitted, which could let a remote malicious user execute arbitrary code; and a buffer overflow vulnerability has been reported in the 'env_opt_add()' function, which could let a remote malicious user execute arbitrary code.

ALTLinux:
http://lists.altlinux.ru/pipermail
/security-announce/2005-
March/000287.html

Apple:
http://wsidecar.apple.com/cgi-bin/
nph-reg3rdpty1.pl/product=05529&
platform=osx&method=sa/SecUpd
2005-003Pan.dmg

Debian:
http://security.debian.org/pool/
updates/main/n/netkit-telnet/

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/

FreeBSD:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:01/

MIT Kerberos:
http://web.mit.edu/kerberos/|
advisories/2005-001-patch
_1.4.txt

Netkit:
ftp://ftp.uk.linux.org/pub/linux/
Networking/netkit/

Openwall:
http://www.openwall.com/Owl/
CHANGES-current.shtml

RedHat:
http://rhn.redhat.com/errata/
RHSA-2005-327.html

Sun:
http://sunsolve.sun.com/search/
document.do?assetkey=
1-26-57755-1

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/n/netkit-telnet/

OpenBSD:
http://www.openbsd.org/
errata.html#telnet

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Gentoo:
http://security.gentoo.org/
glsa/glsa-200503-36.xml

http://security.gentoo.org/
glsa/glsa-200504-01.xml

Debian:
http://security.debian.org/
pool/updates/main/k/krb5/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-04.xml

SGI:
ftp://oss.sgi.com/projects/
sgi_propack/download
/3/updates/

SCO:
ftp://ftp.sco.com/pub/updates/
UnixWare/SCOSA-2005.21

Sun:
http://sunsolve.sun.com/
search/document.do?
assetkey=1-26-57761-1

Openwall:
http://www.openwall.com/
Owl/CHANGES-current.shtml

Avaya:
http://support.avaya.com/
elmodocs2/security/
ASA-2005-088_RHSA-2005-330.pdf

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-28.xml

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

Sun:
http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57761-1

OpenWall:
http://www.openwall.com/
Owl/CHANGES-current.shtml

SCO:
ftp://ftp.sco.com/pub/updates/
OpenServer/SCOSA-2005.23

SGI IRIX:
Apply patch 5892 for IRIX 6.5.24-6.5.27:
ftp://patches.sgi.com/
support/free/security/patches/

Debian:
http://security.debian.org/
pool/updates/main/k/krb4/

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000962

Trustix:
ftp://ftp.trustix.org/pub/trustix/
updates/

Currently we are not aware of any exploits for these vulnerabilities.

Telnet Client 'slc_add_reply()' & 'env_opt_add()'
Buffer Overflows

CAN-2005-0468
CAN-2005-0469

High

iDEFENSE Security Advisory,
March 28, 2005

US-CERT VU#291924

Mandrakelinux Security Update Advisory, MDKSA-2005:061,
March 30, 2005

Gentoo Linux Security Advisories, GLSA 200503-36 & GLSA 200504-01, March 31 &
April 1, 2005

Debian Security Advisory, DSA 703-1, April 1, 2005

US-CERT VU#341908

Gentoo Linux Security Advisory, GLSA 200504-04,
April 6, 2005

SGI Security Advisory, 20050401-01-U, April 6, 2005

Sun(sm) Alert Notification, 57761,
April 7, 2005

SCO Security Advisory, SCOSA-2005.21,
April 8, 2005

Avaya Security Advisory, ASA-2005-088, April 27, 2005

Gentoo Linux Security Advisory, GLSA 200504-28, April 28, 2005

Turbolinux Security Advisory, TLSA-2005-52, April 28, 2005

Sun(sm) Alert Notification, 57761, April 29, 2005

SCO Security Advisory, SCOSA-2005.23, May 17, 2005

SGI Security Advisory, 20050405-01-P, May 26, 2005

Debian Security Advisory, DSA 731-1, June 2, 2005

Conectiva Security Advisory, CLSA-2005:962, June 6, 2005

Trustix Secure Linux Security Advisory, TLSA-2005-0028, June 13, 2005

Multiple Vendors

MandrakeSoft Linux Mandrake 10.2 X86_64, 10.2; Rob Flynn Gaim 0.10 x, 0.10.3, 0.50-0.75, 0.78, 0.82, 0.82.1, 1.0-1.0.2, 1.1.1-1.1.4, 1.2, 1.2.1; Ubuntu Linux 4.1 ppc, ia64, ia32, 5.0 4 powerpc, i386, amd64

Several vulnerabilities have been reported: a buffer overflow vulnerability was reported when handling long URIs due to insufficient bounds checking, which could let a remote malicious user execute arbitrary code; and a remote Denial of Service vulnerability was reported due to a NULL pointer dereference error when handling MSN messages.

Rob Flynn:
http://prdownloads.
sourceforge.net/gaim/
gaim-1.3.0.tar.gz?download

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-429.html

Fedora:
http://download.fedora.
redhat.com/
pub/fedora/
linux/core/updates/3/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-09.xml

Mandriva:
http://www.mandriva.com/
security/advisories

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/g/gaim/

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000964

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

A Proof of Concept exploit script has been published.

Gaim Remote Buffer Overflow & Denial of Service

CAN-2005-1261
CAN-2005-1262

High

 

Fedora Update Notification,
FEDORA-
2005-369,
May 11, 2005

RedHat Security Advisory, RHSA-2005:429-06, May 11, 2005

Gentoo Linux Security Advisory, GLSA 200505-09,
May 12, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:086,
May 12, 2005

Ubuntu Security Notice, USN-125-1, May 12, 2005

Conectiva Security Advisory, CLSA-2005:964, June 7, 2005

SUSE Security Report, SUSE-SR:2005:015, June 7,2005

Novell

NetMail 3.52 A&B, 3.10, a-h, 3.1, 3.1f, 3.0.3, a&b, 3.0.1

Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in the Modweb agent due to insufficient sanitization of various calendar display fields, which could let a remote malicious user execute arbitrary HTML and script code; a remote Denial of Service vulnerability was reported in the Modweb agent due to an unspecified error when decoding headers; and a vulnerability was reported in the IMAP command continuation function when handling long command tags (impact not specified).

Upgrades available at:
http://support.novell.com/servlet/
filedownload/sec/pub/

Currently we are not aware of any exploits for these vulnerabilities.

Novell NetMail Multiple Remote Vulnerabilities

CAN-2005-1756
CAN-2005-1757
CAN-2005-1758

High
Secunia Advisory, SA15644, June 10, 2005

Novell

ZENworks Desktop Management 6.5, ZENworks for Desktops 3.2 SP2, 4.0, 4.0.1, ZENworks for Servers 3.2, ZENworks Remote Management
Novell ZENworks Server Management 6.5

Several vulnerabilities were reported in the Remote Management authentication protocol in 'zenrem32.exe' due to integer overflows and boundary errors, which could let a remote malicious user execute arbitrary code.

Patches available at:
http://support.novell.com/servlet/
filedownload/sec/ftf/zfd401ir6rm.exe

Currently we are not aware of any exploits for these vulnerabilities.

Novell ZENworks Remote Management Buffer Overflows

CAN-2005-1543

High

Securiteam, May 19, 2005

Security Tracker, 13678, June 14, 2005

ObjectWeb Consortium

C-JDBC 1.1, 1.0-1.0.2, 1.2, 1.2.1, 1.3

A vulnerability has been reported in the caching mechanism due to insufficient verification of database rights access, which could let a remote malicious user obtain sensitive information.

Upgrades available at:
http://forge.objectweb.org/project/
download.php?group_id=42&file_id=40 61

There is no exploit code required.

ObjectWeb Consortium C-JDBC Caching Information Disclosure

CAN-2005-1961

Medium
Security Tracker Alert, 1014118, June 7, 2005

PHP Group

PHP prior to 5.0.4; Peachtree Linux release 1

Multiple Denial of Service vulnerabilities have been reported in 'getimagesize().'

Upgrade available at:
http://ca.php.net/get/php-
4.3.11.tar.gz/from/a/mirror

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/p/php4/

Slackware:
ftp://ftp.slackware.com/
pub/slackware/

Debian:
http://security.debian.org/
pool/updates/main/p/php3/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-15.xml

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Peachtree:
http://peachtree.burdell.org/
updates/

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-405.html

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Debian:
http://security.debian.org/
pool/updates/main/p/php4/

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000955

Apple:
http://www.apple.com/
support/downloads/

Currently we are not aware of any exploits for these vulnerabilities.

PHP
'getimagesize()' Multiple
Denials of Service

CAN-2005-0524
CAN-2005-0525

Low

iDEFENSE Security Advisory,
March 31, 2005

Ubuntu Security Notice, USN-105-1, April 05, 2005

Slackware Security Advisory, SSA:2005-
095-01,
April 6, 2005

Debian Security Advisory, DSA 708-1, April 15, 2005

SUSE Security Announcement, SUSE-SA:2005:023, April 15, 2005

Gentoo Linux Security Advisory, GLSA 200504-15, April 18, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:072, April 19, 2005

Peachtree Linux Security Notice, PLSN-0001, April 21, 2005

Turbolinux Security Advisory, TLSA-2005-50, April 28, 2005

RedHat Security Advisory, RHSA-2005:405-06, April 28, 2005

SGI Security Advisory, 20050501-01-U, May 5, 2005

Debian Security Advisory, DSA 729-1, May 26, 2005

Conectiva Security Advisory, CLSA-2005:955, May 31, 2005

Apple Security Update, APPLE-SA-2005-06-08, June 8, 2005

singapore

singapore 0.9.11 beta

A Cross-Site Scripting vulnerability has been reported in 'index.php' due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Singapore Image Gallery Index.PHP Cross-Site Scripting

CAN-2005-1955

High
Security Focus, 13938, June 13, 2005

Sun Microsystems, Inc.

Java Web Start 1.x,
Sun Java JDK 1.5.x, 1.4.x, Sun Java JRE 1.4.x, 1.5.x

Several vulnerabilities have been reported: a vulnerability was reported due to an unspecified error which could let malicious untrusted applications execute arbitrary code; and a vulnerability was reported due to an unspecified error which could let a malicious untrusted applets execute arbitrary code.

Upgrades available at:
http://java.sun.com/
j2se/1.5.0/index.jsp

http://java.sun.com/
j2se/1.4.2/download.html

Currently we are not aware of any exploits for these vulnerabilities.

Java Web Start / Sun JRE Sandbox Security Bypass

CAN-2005-1973
CAN-2005-1974

High
Sun(sm) Alert Notification, 101748 & 101749, June 13, 2005

Symantec

Brightmail Anti-Spam 6.0.1, 6.0, 5.5, 4.0

A vulnerability has been reported due to a static database administration password, which could let a remote malicious user obtain administrative access to the quarantined message database.

Updated version information

Updates available at:
http://www.symantec.com/
techsupp/

There is no exploit code required.

Symantec Brightmail AntiSpam Remote Information Disclosure

CAN-2005-1867

High

Symantec Security Advisory, SYM05-009,
May 31, 2005

Symantec Security Advisory, SYM05-009, June 9, 2005

WebGroup Media

Cerberus Helpdesk 2.6.1, 0.97.3

Several vulnerabilities have been reported: a Cross-Site Script vulnerability was reported in 'index.php' due to insufficient sanitization of the 'errorcode' parameter, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported when a specially crafted URL is submitted, which could let a remote malicious user obtain sensitive information.

The vulnerability has been fixed in the CVS repository.

There is no exploit code required; however, a Proof of Concept exploit has been published.

WebGroup Media Cerberus Helpdesk Cross-Site Scripting & Information Disclosure

CAN-2005-1962
CAN-2005-1963

High
ECHO_ADV_
15$2005 Advisory, June 7, 2005

[back to top] 

Wireless

The section below contains wireless vulnerabilities, articles, and viruses/trojans identified during this reporting period.

  • Quantum cryptography network gets wireless link : The world's first quantum encryption computer network has been expanded to include a wireless link that uses quantum communications codes. Quantum cryptography guarantees security by encoding information as polarized photons which can be sent down a fibre optic cable or through the air. Intercepting these photons disturbs their quantum state, alerting both sides to an eavesdropper's presence. Source: http://www.newscientist.com/article.ns?id=dn7484
  • Phishing: The new wireless danger for business travelers: Wireless devices make users targets for industrial espionage, fraud, and other crimes. Hackers are no longer intercepting travelers` wireless connections just to intercept e-mails. They are using 'access point phishing' which sets up a bogus log-in screen for a legitimate wireless hotspot. When the victim tunes in to it to start communicating, the hacker sends out viruses that bring back the personal information they are looking for. Source: http://www.traveldailynews.com/new.asp?newid=22997&subcategory_id=95.
  • Top wireless cities are Seattle and San Francisco: Intel ranked cities based on the number of commercial or free "Wi-Fi" points from January to April 15 in the 100 largest urban regions in the United States. According to their ranking, Seattle and San Francisco are the most "unwired cities" in America. Also included in the top ten: Austin, Texas; Portland, Ore.; Toledo, Ohio; Atlanta; Denver; the Research Triangle area of North Carolina; Minneapolis; and Orange County, Calif. Source: http://www.informationweek.com/story/showArticle.jhtml;jsessionid=
    ZEJVZKACCIQ0YQSNDBCCKH0CJUMEKJVN?articleID=164300934
    .
  • Don't do wireless security in isolation: Corporations should think of wireless security as an add on to their existing security architecture, not as a separate entity, either integrating the new wireless piece into the overall company security policy, if one already exists, or taking the opportunity to create a plan for the entire IT infrastructure. Source: http://www.techworld.com/security/features/index.cfm?FeatureID=1502
  • Research Shows Bluetooth Can Be Hacked In Milliseconds: Bluetooth devices including phones, PDAs, and personal computers can be hacked even when Bluetooth's security is enabled, a pair of researchers said this week, letting attackers eavesdrop on wireless networks, even charge mobile calls to another user's phone. Source: http://www.securitypipeline.com/news/164301974

Wireless Vulnerabilities

  • Linux Kernel Bluetooth Signed Buffer Index vulnerability: A vulnerability has been reported in the 'bluez_sock_create()' function when a negative integer value is submitted, which could let a malicious user execute arbitrary code. (For more information, see entry in the Unix / Linux Systems Table)

[back to top] 

Recent Exploit Scripts/Techniques The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script
(Reverse
Chronological Order)

Script name
Workaround or Patch Available
Script Description
June 13, 2005 gun-imapd.c
Yes
Exploit for the GNU Mailutils Format String vulnerability.
June 13, 2005 tcpdump-bgp-update-poc.c
Yes
Proof of Concept exploit for the TCPDump BGP Decoding Routines Denial of Service vulnerability.
June 8, 2005 GoodTechSMTPServer_DOS.pl
Yes
A Proof of Concept exploit script for the GoodTech SMTP Malformed RCTP TO Request Denial of Service vulnerability.
June 8, 2005 ipswitch_login_bof.c
Yes
Script that exploits the IpSwitch IMail Server 'username' parameter vulnerability.

[back to top]

Trends
  • Hashing exploit threatens digital security: Cryptographers have found a way to snip a digital signature from one document and attach it to a fraudulent document without invalidating the signature and giving the fraud away. The development means that attackers could potentially forge legal documents, load certified software with bogus code, or turn a digitally-signed letter of recommendation into one that authorizes access to private information. Source: http://www.newscientist.com/article.ns?id=dn7519&feedId=online-news_rss20.
  • Firms warned they may be targets of Trojan spies: After police discovered one of the world's largest industrial espionage and hacking operations, they are warning that UK businesses should take urgent steps to check their systems are secure. Senior directors of at least 15 leading businesses in Israel are under investigation for hiring private detective agencies to obtain confidential documents from rivals' computer systems. Operation Horse Race, an international investigation by police in Israel, Germany, the US and the UK, has led to the arrest of 22 suspects in Israel and London. Source: http://81.144.183.106/Articles/Article.aspx?liArticleID=210254&PrinterFriendly=true.
  • Bank Mergers Provide Opportunity for Phishing: Bank mergers are being used by fraudsters as an opportunity to craft customized phishing scams timed to transitions between the banks' online systems, hoping that customer awareness of mergers will bring more bites on "bait" emails. Wachovia Bank issued a warning about phishing emails "designed to capitalize on our merger activities. Source: http://news.netcraft.com/archives/2005/06/09/bank_mergers_provide_opportunity_for_phishing.html11.
  • W32/Mytob Virus: US-CERT has received reports of three new variants of the W32/Mytob virus. These variants, 'W32/Mytob.DP', 'W32/Mytob.DV', and 'W32/Mytob.DY', propagate via email and contain backdoor functionality. Source: http://www.us-cert.gov/current/.
  • Exploitation of ASN.1 Vulnerabilities: US-CERT has received reports indicating an increase in the scanning for and exploitation of systems affected by one or more vulnerabilities in the Microsoft ASN.1 Library (MSASN1.DLL). These vulnerabilities are caused by the way that certain ASN.1 length values and bit strings are decoded. By sending specially crafted ASN.1 data, an attacker may be able to execute arbitrary code with SYSTEM privileges and gain complete control of a vulnerable system. MS04-007 explains how an attacker could exploit these vulnerabilities. Source: http://www.us-cert.gov/current/.
  • Skulls Trojan poses as security code: Virus writers have created mobile phone malware that poses as a pirated copy of F-Secure's mobile anti-virus software. Skulls-L is a minor modification of the Skulls-C Trojan. Source: http://www.securityfocus.com/news/11207.

[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank
Common Name
Type of Code
Trend
Date
Description
1
Mytob.C Win32 Worm Stable March 2004 A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files.
2
Netsky-P Win32 Worm Stable March 2004 A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.
3
Netsky-Q Win32 Worm Stable March 2004 A mass-mailing worm that attempts to launch Denial of Service attacks against several web pages, deletes the entries belonging to several worms, and emits a sound through the internal speaker.
4
Zafi-D Win32 Worm Stable December 2004 A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.
5
Netsky-D Win32 Worm Stable March 2004 A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.
6
Lovgate.w Win32 Worm Stable April 2004 A mass-mailing worm that propagates via by using MAPI as a reply to messages, by using an internal SMTP, by dropping copies of itself on network shares, and through peer-to-peer networks. Attempts to access all machines in the local area network.
7
Zafi-B Win32 Worm Stable June 2004 A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.
8
Netsky-Z Win32 Worm Stable April 2004 A mass-mailing worm that is very close to previous variants. The worm spreads in e-mails, but does not spread to local network and P2P and does not uninstall Bagle worm. The worm has a backdoor that listens on port 665.
9
Netsky-B Win32 Worm Stable February 2004 A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. Also searches drives for certain folder names and then copies itself to those folders.
10
MyDoom-O Win32 Worm Stable July 2004 A mass-mailing worm that uses its own SMTP engine to generate email messages. It gathers its target email addresses from files with certain extension names. It also avoids sending email messages to email addresses that contain certain strings.

Table Updated June 14, 2005

Viruses or Trojans Considered to be a High Level of Threat

  • Nothing significant to report.

[back to top]

 

 

 

Last updated

Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.

Wireless

Vulnerabilities The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name /
CVE Reference
Risk
Source

Adobe

Photoshop CS, Creative Suite 1.0, Premiere Pro 1.5

A vulnerability has been reported that could let a malicious local user can gain elevated privileges. A local user can exploit the service to run arbitrary code with administrator privileges.

Updates available:
http://www.adobe.com/support/
techdocs/331688.html

Currently we are not aware of any exploits for this vulnerability.

Adobe License Management Service Elevated Privilege Vulnerability

CAN-2005-0151

Medium

Adobe Advisory Document 331688, June 9, 2005

America OnLine

Instant Messenger 5.9.3797, 5.5.3595, 5.5.3415 Beta, 5.5, 5.2.3292, 5.1.3036, 5.0.2938

A remote Denial of Service vulnerability has been reported when a malicious user crafts a malformed GIF file that is used as a Buddy Icon and followed by sending an instant message.

No workaround or patch available at time of publishing.

There is no exploit code required.

Categorized incorrectly in SB05-159 as Multiple Operating System vulnerability.

AOL Instant Messenger Buddy Icon Remote Denial of Service

CAN-2005-1891

Low
Security Focus, 13880, June 7, 2005

Avaya

Avaya Call Management System (CMS)

A vulnerability has been reported that could let a remote malicious user cause a Denial of Service.

The vendor recommends disabling the FTP daemon.

Currently we are not aware of any exploits for this vulnerability.

Avaya CMS FTP Daemon Wildcard Denial of Service

CAN-2005-0256

Low
Avaya Advisory, ASA-2005-126, June 6, 2005

Early Impact

ProductCart 2.7 and prior

An input validation vulnerability has been reported that could let a remote malicious user inject SQL commands and conduct cross-site scripting attacks. Input is not properly verified in 'viewPrd.asp' and various 'pcadmin' scripts.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Early Impact ProductCart Input Validation Flaws in Lets Remote Users Inject SQL Commands

CAN-2005-1967
CAN-2005-1968

High
Security Tracker Alert, 1014129, June 8, 2005

GoodTech Systems

GoodTech SMTP Server 5.14 for Windows NT/2000/XP 5.x

A vulnerability has been reported that could let a remote malicious user cause a Denial of Service. The vulnerability is caused due to an error in the handling of recipients.

Update to version 5.15: http://www.goodtechsys.com/
smtpdnt2000.asp

A Proof of Concept exploit script has been published.

GoodTech Systems GoodTech SMTP Server "RCPT TO" Denial of Service Vulnerability

CAN-2005-1931

Low
Secunia SA15623, June 8, 2005

Ipswitch

IMail Server 8.x

Multiple vulnerabilities have been reported in IMail Server, which could let a remote malicious user gain sensitive information or cause a Denial of Service. These are due to unspecified errors in the IMAP4d32 service and Web Calendaring.

Apply IMail Server 8.2 Hotfix 2: ftp://ftp.ipswitch.com/Ipswitch/
Product_Support/IMail/imail82hf2.exe

An exploit script has been published.

Ipswitch IMail Server Multiple Vulnerabilities

CAN-2005-1249
CAN-2005-1252
CAN-2005-1254
CAN-2005-1255
CAN-2005-1256

Medium

Ipswitch Support Advisory, IMail Server 8.2 Hotfix 2, May 23, 2005

Security Focus, 13727, June 8, 2005

Loki

Loki Download Manager Category Version 2.0

An SQL injection vulnerability has been reported in the 'Default.asp' and 'catinfo.asp' scripts due to insufficient validation before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proofs of Concept exploits have been published.

Loki Download Manager SQL Injection

CAN-2005-1943

High
Security Focus, 13898 & 13900, June 8, 2005

Macromedia

All Macromedia MX 2004 products (Studio, Studio with Flash Professional, Flash Professional, Flash, FreeHand, Dreamweaver, Fireworks, and Director)

Captivate, Contribute 2, and Contribute 3

A vulnerability has been reported in the Macromedia eLicensing client activation code in many Macromedia products that could let a local malicious user obtain elevated privileges. A local user in the "Users" group can modify the 'path to executable' configuration setting in the 'Macromedia Licensing Service' settings to point to an alternate file containing arbitrary code. Then, when the service is activated, the arbitrary code will run with Local System privileges.

A fix is available at: http://download.macromedia.com/pub/
security/licensing_installer_updater.exe

Currently we are not aware of any exploits for this vulnerability.

Macromedia Products eLicensing Function Escalated Privilege Vulnerability
High
Macromedia Advisory MPSB05-04, June 9, 2005

Microsoft

Internet Explorer 6 SP2

A vulnerability has been reported that could let a malicious remote user hide scripting code. The IE browser does not properly process certain javascript scripting code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Microsoft Internet Explorer Lets Remote Users Hide Scripting Code
Medium

Security Tracker Alert, 1014174, June 12, 2005

Microsoft

Outlook Web Access for Exchange Server 5.5

A Cross-Site Scripting vulnerability has been reported that could allow a malicious user to convince a user to run a malicious script. If this malicious script is run, it would execute in the security context of the user. This could allow an attacker access to any data on the Outlook Web Access server that was accessible to the individual user.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-029.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks

CAN-2005-0563

High

Microsoft, MS05-029, June 14, 2004

US-CERT VU#300373

Microsoft

Windows 2000, XP, Server 2003

A remote code execution vulnerability has been reported in Server Message Block (SMB) that could allow a malicious user to take complete control of the affected system.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-027.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Server Message Block Could Allow Remote Code Execution

CAN-2005-1206

High

Microsoft, MS05-027, June 14, 2004

US-CERT VU#489397

Technical Cyber Security Alert TA05-165A

Microsoft

Windows 2000, XP, Server 2003, 98, 98 (SE), (ME)

A spoofing vulnerability has been reported that could enable a malicious user to spoof trusted Internet content.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-032.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Agent Could Allow Spoofing

CAN-2005-1214

Medium

Microsoft, MS05-032, June 14, 2004

US-CERT VU#718542

Microsoft

Windows XP, Server 2003

Windows Services for UNIX 2.2, 3.0, 3.5 when running on Windows 2000

An information disclosure vulnerability has been reported that could let a remote malicious user read the session variables for users who have open connections to a malicious telnet server.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-033.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Telnet Client Could Allow Information Disclosure

CAN-2005-1205

Medium

Microsoft, MS05-033, June 14, 2004

US-CERT VU#800829

Microsoft

Windows XP, Server 2003

A remote code execution vulnerability has been reported in the way that Windows processes Web Client requests that could allow a malicious user who successfully exploited this vulnerable to take complete control of the affected system.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-028.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Web Client Service Could Allow Remote Code Execution

CAN-2005-1207

High
Microsoft, MS05-028, June 14, 2004

Microsoft

Internet Explorer 5.01, 5.5, 6

Remote code execution and information disclosure vulnerabilities have been reported due to the way that IE handles PNG images and the way that it handles certain requests to display XML content.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-025.mspx

Currently we are not aware of any exploits for these vulnerabilities.

Microsoft Internet Explorer Could Allow Remote Code Execution

CAN-2005-1211

CAN-2002-0648

High

Microsoft, MS05-025, June 14, 2004

US-CERT VU#189754

Technical Cyber Security Alert TA05-165A

Microsoft

Microsoft Internet Security and Acceleration (ISA) Server 2000 Service Pack 2

A vulnerability has been reported in ISA Server 2000 because of the way that it handles malformed HTTP requests that could allow a remote malicious user to either bypass content restrictions and access content that they would normally not have access to or they could cause users to be directed to unexpected content. An elevation of privilege vulnerability also exists in ISA Server 2000 that could allow an attacker who successfully exploited this vulnerability to create a NetBIOS connection with an ISA Server by utilizing the NetBIOS (all) predefined packet filter.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-034.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft ISA Access and Elevation of Privilege Vulnerabilities

CAN-2005-1215
CAN-2005-1216

High

Microsoft, MS05-034, June 14, 2004

US-CERT VU#367077

Microsoft

Outlook Express 5.5, 6

A remote code execution vulnerability has been reported in Outlook Express when it is used as a newsgroup reader. A malicious user could exploit the vulnerability by constructing a malicious newsgroup server that could that potentially allow remote code execution if a user queried the server for news.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-030.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Outlook Express Could Allow Remote Code Execution

CAN-2005-1213

High

Microsoft, MS05-030, June 14, 2004

US-CERT VU#130614

Microsoft

Step-by-Step Interactive Training

A remote code execution vulnerability has been reported in Step-by-Step Interactive Training due to the way Interactive Training handles bookmark link files.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-031.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Step-by-Step Interactive Training Could Allow Remote Code Execution

CAN-2005-1212

High
Microsoft, MS05-031, June 14, 2004

Microsoft

Windows 2000, XP, Server 2003 98, 98 (SE), and ME

A remote code execution vulnerability has been reported in HTML Help that could allow a malicious user to take complete control of the affected system.

Updates available: http://www.microsoft.com/technet/
security/Bulletin/MS05-026.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft HTML Help Could Allow Remote Code Execution

CAN-2005-1208

High

Microsoft, MS05-026, June 14, 2004

US-CERT VU#851869

Technical Cyber Security Alert TA05-165A

Novell

eDirectory 8.7.3

A vulnerability has been reported that could let a remote malicious user cause a denial of service. A remote user can supply a specially crafted HTTP request for an MS-DOS device name to cause the target service to crash.

A fixed version (8.7.3 IR6) is available.

A Proof of Concept exploit has been published.

Novell eDirectory Can Be Crashed With Requests Containing MS-DOS Device Names

CAN-2005-1729

Low

Security Tracker Alert ID: 1014177, June 13, 2005

CIRT.DK Advisory NOVL102201

Pragma Systems

Pragma TelnetServer 6.0

A vulnerability has been reported that could let a remote malicious user hide certain log entries. With a certain command line sequence, the user can hide arbitrary commands from the administrator in the HTML log files.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Pragma TelnetServer Lets Remote Users Hide Log Entries

CAN-2005-1969

Medium

Security Tracker Alert, 1014127, June 8, 2005

Symantec

pcAnywhere 9.x, 10.x, 11.x

A vulnerability has been reported that could let malicious, local users gain escalated privileges by manipulating the "Caller Properties" feature to run arbitrary commands when the system is restarted. "Launch with Windows" setting enabled must be enabled to exploit.

Update to version 11.5 or apply patch.

Patch for consumer versions: http://www.symantec.com/techsupp/
files/pca/index.html

Patch for enterprise versions: http://www.symantec.com/techsupp/enterprise/
products/spca/files.html

Currently we are not aware of any exploits for this vulnerability.

Symantec pcAnywhere Privilege Escalation Vulnerability

CAN-2005-1970

Medium
Symantec Advisory SYM05-010, June 10, 2005

[back to top]

UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name /
CVE Reference
Risk
Source

Alexis Sukrieh

Backup Manager 0.5.6, 0.5.7

A vulnerability has been reported because archives are created with insecure permissions, which could let a remote malicious user obtain sensitive information.

Upgrades available at:
http://www.sukria.net/packages/
backup-manager/sources/
backup-manager-0 .5.8.tar.gz

There is no exploit code required.

Alexis Sukrieh Backup Manager Information Disclosure

CAN-2005-1958

Medium
Security Tracker Alert, 1014124, June 7, 2005

Apple

Mac OS X 10.3-10.3.9, Mac OS X Server 10.3- 10.3.9

Multiple vulnerabilities have been reported: a buffer overflow vulnerability was reported in 'htdigest' due to a boundary error, which could let a remote malicious user execute arbitrary code; a vulnerability was reported in the AppKit component when processing TIFF files, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability was reported in the AppKit component when parsing certain TIFF images because an invalid call is made to the 'NXSeek()' function; a vulnerability was reported due to an error when handling AppleScript because code is displayed that is different than the code that is actually run, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to an error in the Bluetooth support because files are shared without notifying the user properly, which could let a remote malicious user obtain sensitive information; a Directory Traversal vulnerability was reported in the Bluetooth file, which could let a remote malicious user obtain sensitive information; a vulnerability was reported in the 'chfn,' 'chpass,' and 'chsh' utilities because certain external helper programs are invoked insecurely, which could let a malicious user obtain elevated privileges; a vulnerability was reported in Finder due to the insecure creation of '.DS_Store' files, which could let a malicious user obtain elevated privileges; a vulnerability was reported in Help Viewer because a remote malicious user can run JavaScript without imposed security restrictions; a vulnerability was reported in the LDAP functionality because passwords are stored in plaintext, which could let a remote malicious user obtain sensitive information; a vulnerability was reported due to errors when parsing XPM files, which could let a remote malicious user compromise the system; a vulnerability was reported in 'lukemftpd' because chroot restrictions can be bypassed, which could let a remote malicious user bypass restrictions; a vulnerability was reported in the Netinfo Setup Tool (NeST) when processing input passed to the ' -target' command line parameter due to a boundary error, which could let a malicious user execute arbitrary code; a vulnerability was reported when the HTTP proxy service in Server Admin is enabled because by default it is possible for everyone to use the proxy service; a vulnerability was reported in the HTTP proxy service in Server Admin for Mac OS X due to insufficient access restrictions, which could let a remote malicious user obtain unauthorized access; a vulnerability was reported in sudo in the environment clearing, which could let a malicious user obtain elevated privileges; a vulnerability was reported in the Terminal utility, which could let a remote malicious user inject arbitrary data; a vulnerability was reported due to an error in the Terminal utility, which could let a remote malicious user inject commands in x-man-path URIs; and a vulnerability was reported in vpnd due to a boundary error, which could let a malicious user execute arbitrary code.

Upgrades available at:
http://www.apple.com/support/downloads/
securityupdate2005005client.html

http://www.apple.com/support/downloads/
securityupdate2005005server.html

Apple:
http://www.apple.com/
support/downloads/

Proofs of Concept exploits have been published.

High

 

Apple Security Update, APPLE-SA-2005-05-03, May 3, 2005

US-CERT
VU#140470

US-CERT
VU#145486

US-CERT
VU#258390

US-CERT
VU#356070

US-CERT
VU#582934

US-CERT
VU#331694

US-CERT
VU#706838

Technical Cyber Security Alert TA05-136A

Apple Security Update, APPLE-SA-2005-06-08, June 8, 2005

 

Apple

Mac OS X Server 10.4.1, 10.4, 10.3.9, OS X 10.4.1, 10.4, 10.3.9

Multiple vulnerabilities have been reported: a Denial of Service vulnerability was reported in the AFP Server when copying POSIX-only permissions files; a buffer overflow vulnerability was reported in the Apple File Protocol Server legacy client support, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability was reported in CoreGraphics and PDFKit when processing PDF documents; a vulnerability was reported in LaunchServices when an file extension and mime type is marked as unsafe but not mapped to an Apple Uniform Type Identifier (UTI), which could let a remote malicious user bypass download safety checks; a vulnerability was reported in NFS because certain export restrictions are not honored, which could let a remote malicious user obtain sensitive information; a vulnerability was reported in the 'launchd_server_init()' function due to the creation of temporary files in an unsafe manner, which could let a malicious user obtain elevated privileges; a vulnerability was reported in the CoreGraphics component, which could let a malicious user obtain root access; a race condition vulnerability was reported due to insecure folder permissions on the system's cache folder and Dashboard system widgets; and a vulnerability was reported in the MCX Client, which could let a malicious user obtain access to Portable Home Directory credentials.

Updates available at:
http://www.apple.com/
support/downloads/

Currently we are not aware of any exploits for these vulnerabilities.

High
Apple Security Update Advisory, APPLE-SA-2005-06-08, June 8, 2005

Apple

Macintosh OS X

 

Multiple vulnerabilities have been reported:a Denial of Service vulnerability was reported in the 'nfs_mount()' function due to insufficient input value checks; a Directory Traversal vulnerability was reported in bluetooth-enabled systems due to an input validation error, which could let a remote malicious user obtain sensitive information; a vulnerability was reported in two system calls used to search filesystem objects due to insufficient checks on directory permissions, which could let a malicious user obtain sensitive information; a vulnerability was reported in the SecurityAgent because a malicious user can bypass a locked screensaver to start background applications; and a vulnerability was reported because a remote malicious user can bypass a download warning dialog to install potentially malicious Dashboard widgets.

Updates available at:
http://www.apple.com/
support/downloads/

Currently we are not aware of any exploits for these vulnerabilities.

Medium

Apple Security Advisory, APPLE-SA-2005-05-19, May 19, 2005

US-CERT VU#775661

APSIS

Pound 1.8.2

A buffer overflow vulnerability has been reported in the 'add_port()' function due to a boundary error, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code.

Upgrade available at:
http://www.apsis.ch/
pound/Pound-1.8.3.tgz

SUSE:
ftp://ftp.SUSE.com/
pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

APSIS Pound Remote Buffer Overflow

CAN-2005-1391

High

 

Security Focus, 13436, April 29, 2005

SUSE Security Summary Report, SUSE-SR:2005:015, June 7, 2005

bzip2

bzip2 1.0.2

A remote Denial of Service vulnerability has been reported when the application processes malformed archives.

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/b/bzip2/

Mandriva:
http://www.mandriva.com/
security/advisories

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

SUSE:
ftp://ftp.SUSE.com/
pub/SUSE

OpenPKG:
http://www.openpkg.org/
security/OpenPKG-SA-2005.008
-openpkg.html

Currently we are not aware of any exploits for this vulnerability.

bzip2 Remote Denial of Service

CAN-2005-1260

Low

Ubuntu Security Notice, USN-127-1, May 17, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:091, May 19, 2005

Turbolinux Security Advisory, TLSA-2005-60, June 1, 2005

SUSE Security Summary Report, SUSE-SR:2005:015, June 7, 2005

OpenPKG Security Advisory, OpenPKG-SA-2005.008, June 10, 2005

bzip2

bzip2 1.0.2 & prior

A vulnerability has been reported when an archive is extracted into a world or group writeable directory, which could let a malicious user modify file permissions of target files.

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/b/bzip2/

Mandriva:
http://www.mandriva.com/
security/advisories

Debian:
http://security.debian.org/
pool/updates/main/b/bzip2/

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

OpenPKG:
http://www.openpkg.org/security/
OpenPKG-SA-2005.008-openpkg.html

There is no exploit code required.

BZip2 File Permission Modification

CAN-2005-0953

Medium

Security Focus,
12954,
March 31, 2005

Ubuntu Security Notice, USN-127-1, May 17, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:091, May 19, 2005

Debian Security Advisory, DSA 730-1, May 27, 2005

Turbolinux Security Advisory , TLSA-2005-60, June 1, 2005

OpenPKG Security Advisory, OpenPKG-SA-2005.008, June 10, 2005

Darryl Burgdo

Webhints 1.3

A vulnerability was reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary commands.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Darryl Burgdorf Webhints Remote Command Execution

CAN-2005-1950

High
Security Focus, 13930, June 10, 2005

Ethereal Group

Ethereal 0.8.14, 0.8.15, 0.8.18, 0.8.19, 0.9-0.9.16, 0.10-0.10.9

Multiple vulnerabilities were reported that affects more 50 different dissectors, which could let a remote malicious user cause a Denial of Service, enter an endless loop, or execute arbitrary code. The following dissectors are affected: 802.3 Slow, AIM, ANSI A, BER, Bittorrent, CMIP, CMP, CMS, CRMF, DHCP, DICOM, DISTCC, DLSw, E IGRP, ESS, FCELS, Fibre Channel, GSM, GSM MAP, H.245, IAX2, ICEP, ISIS, ISUP, KINK, L2TP, LDAP, LMP, MEGACO, MGCP, MRDISC, NCP, NDPS, NTLMSSP, OCSP, PKIX Qualified, PKIX1Explitit, Presentation, Q.931, RADIUS, RPC, RSVP, SIP, SMB, SMB Mailslot, SMB NETLOGON, SMB PIPE, SRVLOC, TCAP, Telnet, TZSP, WSP, and X.509.

Upgrades available at:
http://www.ethereal.com/
distribution/ethereal-0.10.11.tar.gz

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-03.xml

Mandriva:
http://www.mandriva.com/
security/advisories

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-427.html

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000963

SuSE:
ftp://ftp.suse.com/pub/suse/

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

An exploit script has been published.

High

 

Ethereal Security Advisory, enpa-sa-00019, May 4, 2005

Gentoo Linux Security Advisory, GLSA 200505-03, May 6, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:083, May 11, 2005

RedHat Security Advisory, RHSA-2005:427-05, May 24, 2005

Conectiva Security Advisory, CLSA-2005:963, June 6, 2005

SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

Ettercap

Ettercap 0.6 .b, 0.6 .a, 0.6.3.1, 0.6.4, 0.6.5, 0.6.6 .6, 0.6.7, 0.6.9, Ettercap-NG 0.7 .0-0.7.2

A format string vulnerability has been reported in the 'curses_msg()' function in the Ncurses interface, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://prdownloads.sourceforge.net/
ettercap/ettercap-
NG-0.7.3.tar.gz?download

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-07.xml

Currently we are not aware of any exploits for this vulnerability.

Ettercap Remote Format String

CAN-2005-1796

High

Secunia Advisory, SA15535, May 31, 2005

Gentoo Linux Security Advisory, GLSA 200506-07, June 11, 2005

Freedesktop.org

D-BUS 0.23 & prior

A vulnerability exists in 'bus/policy.c' due to insufficient restriction of connections, which could let a malicious user hijack a session bus.

Patch available at:
https://bugs.freedesktop.org/
show_bug.cgi?id=2436

Fedora:
http://download.fedora.redhat.com
/pub/fedora/linux/core/updates/3/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-102.html

There is no exploit code required.

D-BUS Session Hijack

CAN-2005-0201

Medium

Security Tracker Alert ID,1013075, February 3, 2005

RedHat Security Advisory, RHSA-2005:102-09, June 8, 2005

FreeRADIUS Server Project

FreeRADIUS 1.0.2

Two vulnerabilities have been reported: a vulnerability was reported in the 'radius_xlat()' function call due to insufficient validation, which could let a remote malicious user execute arbitrary SQL code; and a buffer overflow vulnerability was reported in the 'sql_escape_func()' function, which could let a remote malicious user execute arbitrary code.

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-13.xml

SuSE:
ftp://ftp.suse.com/pub/suse/

FreeRadius:
ftp://ftp.freeradius.org/pub/
radius/freeradius-1.0.3.tar.gz

There is no exploit code required.

FreeRadius 'rlm_sql.c' SQL Injection & Buffer Overflow

CAN-2005-1454
CAN-2005-1455

High

Security Tracker Alert ID: 1013909, May 6, 2005

Gentoo Linux Security Advisory, GLSA 200505-13, May 17, 2005

SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005

Security Focus, 13541, June 10, 2005

gFTP

gFTP 0.1, 0.2, 0.21, 1.0, 1.1-1.13, 2.0-2.0.17

A Directory Traversal vulnerability exists due to insufficient sanitization of input, which could let a remote malicious user obtain sensitive information.

Upgrades available at:
http://www.gftp.org/gftp-2.0.18.tar.gz

Debian:
http://security.debian.org/pool/
updates/main/g/gftp/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200502-27.xml

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000957

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-410.html

There is no exploit code required.

gFTP Remote Directory Traversal

CAN-2005-0372

Medium

Security Focus, February 14, 2005

Debian Security Advisory, DSA 686-1, February 17, 2005

SUSE Security Summary Report, SUSE-SR:2005:005, February 18, 2005

Gentoo Linux Security Advisory, GLSA 200502-27, February 19, 2005

Mandrakelinux Security Update Advisory, MDKSA-2005:050, March 4, 2005

RedHat Security Advisory, RHSA-2005:410-07, June 13, 2005

Conectiva Security Advisory, CLSA-2005:957, May 31, 2005

GNOME

gEdit 2.0.2, 2.2 .0, 2.10.2

A format string vulnerability has been reported when invoking the program with a filename that includes malicious format specifiers, which could let a remote malicious user cause a Denial of Service and potentially execute arbitrary code.

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/g/gedit/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-09.xml

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-499.html

An exploit has been published.

Gedit Filename Format String

CAN-2005-1686

High

Securiteam, May 22, 2005

Ubuntu Security Notice, USN-138-1, June 09, 2005

Gentoo Linux Security Advisory, GLSA 200506-09, June 11, 2005

RedHat Security Advisory, RHSA-2005:499-05, June 13, 2005

GNU

a2ps 4.13b

Two vulnerabilities exist in GNU a2ps, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerabilities are caused due to the fixps.in and psmandup.in scripts creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running a vulnerable script.

Debian:
http://security.debian.org/
pool/updates/main/a/a2ps/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200501-02.xml

Mandriva:
http://www.mandriva.com/
security/advisories

Currently we are not aware of any exploits for these vulnerabilities.

GNU a2ps
Two Scripts Insecure Temporary File
Creation

CAN-2004-1377

 

Medium

Secunia SA13641, December 27, 2004

Gentoo Linux Security Advisory, GLSA 200501-02, January 4, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:097, June 7, 2005

GNU

gzip 1.2.4 a, 1.2.4, 1.3.3-1.3.5

A Directory Traversal vulnerability has been reported due to an input validation error when using 'gunzip' to extract a file with the '-N' flag, which could let a remote malicious user obtain sensitive information.

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/g/gzip/

Trustix:
http://http.trustix.org/
pub/trustix/updates/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-05.xml

IPCop:
http://ipcop.org/modules.php?
op=modload&name=Downloads
&file=index&req=viewdownload
&cid=3&orderby=dateD

Mandriva:
http://www.mandriva.com/
security/advisories

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

FreeBSD:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:11/gzip.patch

OpenPKG:
http://www.openpkg.org/
security/OpenPKG-SA-2005.009-
openpkg.html

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-357.html

Proof of Concept exploit has been published.

GNU GZip
Directory Traversal

CAN-2005-1228

Medium

Bugtraq, 396397, April 20, 2005

Ubuntu Security Notice, USN-116-1, May 4, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0018, May 6, 2005

Gentoo Linux Security Advisory, GLSA 200505-05, May 9, 2005

Security Focus,13290, May 11, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:092, May 19, 2005

Turbolinux Security Advisory, TLSA-2005-59, June 1, 2005

FreeBSD Security Advisory, FreeBSD-SA-05:11, June 9, 2005

OpenPKG Security Advisory, OpenPKG-SA-2005.009, June 10, 2005

RedHat Security Advisory, RHSA-2005:357-19, June 13, 2005

GNU

Mailutils 0.5, 0.6

Multiple vulnerabilities have been reported that could let a remote malicious user execute arbitrary code or cause a Denial of Service. These vulnerabilities are due to a buffer overflow in the 'header_get_field_name()' function in 'mailbox/header.c'; an integer overflow in the 'fetch_io()' function; an input validation error in the imap4d server in the FETCH command; and a format string flaw in the imap4d server.

A fixed version (0.6.90) is available at:
ftp://alpha.gnu.org/gnu/mailutils/
mailutils-0.6.90.tar.gz

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-20.xml

Debian:
http://security.debian.org/pool/
updates/main/m/mailutils/

A Proof of Concept exploit script has been published.

GNU Mailutils Buffer Overflow and Format String Bugs Let Remote Users Execute Arbitrary Code

CAN-2005-1520
CAN-2005-1521
CAN-2005-1522
CAN-2005-1523

High

iDEFENSE Security Advisory 05.25.05

Gentoo Linux Security Advisory, GLSA 200505-20, May 27, 2005

Debian Security Advisory, DSA 732-1, June 3, 2005

Security Focus, 13764, June 13, 2005

GNU

shtool 2.0.1 & prior

A vulnerability has been reported that could let a local malicious user gain escalated privileges. The vulnerability is caused due to temporary files being created insecurely.

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-08.xml

There is no exploit code required.

GNU shtool Insecure Temporary File Creation

CAN-2005-1751

Medium

Secunia Advisory, SA15496, May 25, 2005

Gentoo Linux Security Advisory, GLSA 200506-08, June 11, 2005

GNU

gzip 1.2.4, 1.3.3

A vulnerability has been reported when an archive is extracted into a world or group writeable directory, which could let a malicious user modify file permissions.

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/g/gzip/

Trustix:
http://http.trustix.org/
pub/trustix/updates/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-05.xml

Mandriva:
http://www.mandriva.com/
security/advisories

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

FreeBSD:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:11/gzip.patch

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-357.html

There is no exploit code required.

GNU GZip File Permission Modification

CAN-2005-0988

Medium

Security Focus,
12996,
April 5, 2005

Ubuntu Security Notice, USN-116-1, May 4, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0018, May 6, 2005

Gentoo Linux Security Advisory, GLSA 200505-05, May 9, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:092, May 19, 2005

Turbolinux Security Advisory, TLSA-2005-59, June 1, 2005

FreeBSD Security Advisory, FreeBSD-SA-05:11, June 9, 2005

RedHat Security Advisory, RHSA-2005:357-19, June 13, 2005

GNU

wget 1.9.1

A vulnerability exists which could permit a remote malicious user to create or overwrite files on the target user's system. wget does not properly validate user-supplied input. A remote user can bypass the filtering mechanism if DNS can be modified so that '..' resolves to an IP address. A specially crafted HTTP response can include control characters to overwrite portions of the terminal window.

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Mandriva:
http://www.mandriva.com/
security/advisories

Trustix:
http://http.trustix.org/
pub/trustix/updates/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-357.html

A Proof of Concept exploit script has been published.

GNU wget File Creation & Overwrite

CAN-2004-1487
CAN-2004-1488

Medium

Security Tracker Alert ID: 1012472, December 10, 2004

SUSE Security Summary Report, SUSE-SR:2005:004, February 11, 2005

SUSE Security Summary Report, SUSE-SR:2005:006, February 25, 2005

SUSE Security Summary Report, SUSE-SR:2005:011, April 15, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:098, June 9, 2005

Trustix Secure Linux Security Advisory, TLSA-2005-0028, June 13, 2005

GNU

zgrep 1.2.4

A vulnerability has been reported in 'zgrep.in' due to insufficient validation of user-supplied arguments, which could let a remote malicious user execute arbitrary commands.

A patch for 'zgrep.in' is available in the following bug report:
http://bugs.gentoo.org/
show_bug.cgi?id=90626

Mandriva:
http://www.mandriva.com/
security/advisories

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-357.html

There is no exploit code required.

Gzip Zgrep Arbitrary Command Execution

CAN-2005-0758

High

Security Tracker Alert, 1013928, May 10, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:092, May 19, 2005

Turbolinux Security Advisory , TLSA-2005-59, June 1, 2005

RedHat Security Advisory, RHSA-2005:357-19, June 13, 2005

IBM

AIX 5.3

Buffer overflow vulnerabilities have been reported in the 'invscout,' 'paginit,' 'diagTasksWebSM,' 'getlvname,' and 'swcons' commands and multiple 'p' commands, which could let a malicious user execute arbitrary code, potentially with root privileges.

IBM has released an advisory (IBM-06-10-2005) to address this and other issues. Fixes are not yet available.

There is no exploit code required; however, Proofs of Concept exploits have been published.

IBM AIX Multiple Buffer Overflows
High

Security Tracker Alert, 1014132, June 8, 2005

IBM Security Advisory, IBM-06-10-2005, June 10, 2005

Iron Bars

Shell ibsh 0.3 a-0.3 d, 0.2 a, 0.1 b, 0.1 a

Several vulnerabilities have been reported: a vulnerability was reported due to an unspecified boundary error, which could let a remote malicious user execute arbitrary code; and two off-by-one errors were reported which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://prdownloads.sourceforge.net/
ibsh/ibsh-0.3e.tar.gz?download

Currently we are not aware of any exploits for these vulnerabilities.

Iron Bars Shell Buffer Overflow & Off-By-One
High
Secunia Advisory, SA15591, June 14, 2005

jamchen

JamMail 1.8

A vulnerability was reported in the ''jammail.pl' script due to insufficient validation of the 'mail' parameter, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

JamMail 'Jammail.pl' Remote Arbitrary Command Execution

CAN-2005-1959

High
Security Tracker Alert, 1014175, June 12, 2005

LBL

tcpdump 3.4 a6, 3.4, 3.5, alpha, 3.5.2, 3.6.2, 3.6.3, 3.7-3.7.2, 3.8.1 -3.8.3; IPCop 1.4.1, 1.4.2, 1.4.4, 1.4.5

Remote Denials of Service vulnerabilities have been reported due to the way tcpdump decodes Border Gateway Protocol (BGP) packets, Label Distribution Protocol (LDP) datagrams, Resource ReSerVation Protocol (RSVP) packets, and Intermediate System to Intermediate System (ISIS) packets.

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/3/

Trustix:
http://http.trustix.org/
pub/trustix/updates/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/t/tcpdump/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-06.xml

Mandriva:
http://www.mandriva.com/
security/advisories

IPCop:
http://ipcop.org/modules.php?
op=modload&name=Downloads
&file=index&req=viewdownload
&cid=3&orderby=dateD

FreeBSD:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:10/tcpdump.patch

Exploit scripts have been published.

LBL TCPDump Remote Denials of Service

CAN-2005-1278
CAN-2005-1279

CAN-2005-1280

Low

Bugtraq, 396932, April 26, 2005

Fedora Update Notification,
FEDORA-2005-351, May 3, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0018, May 6, 2005

Ubuntu Security Notice, USN-119-1 May 06, 2005

Gentoo Linux Security Advisory, GLSA 200505-06, May 9, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:087, May 12, 2005

Security Focus, 13392, May 12, 2005

FreeBSD Security Advisory, FreeBSD-SA-05:10, June 9, 2005

Leafnode

Leafnode 1.11.2, 1.11.1, 1.9.47-1.9.29-1.9.31, 1.9.19-1.9.27

A remote Denial of Service vulnerability has been reported in the fetchnews program (the NNTP client) due to a failure to handle network delays.

Upgrades available at:
http://sourceforge.net
/project/showfiles.php?group_id=57767

There is no exploit code required.

Leafnode Remote Denial of Service

CAN-2005-1911

Low
leafnode-SA-2005:02, June 8, 2005

Libextractor

libextractor 0.4-0.4.2, 0.3.6 -0.3.11

Buffer overflow vulnerabilities have been reported in the PDF, Real, and PNG extractors, which could let a remote malicious user execute arbitrary code.

The vendor has released libextractor 0.5.0 to address these issues.

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-06.xml

Currently we are not aware of any exploits for these vulnerabilities.

Libextractor Multiple Remote Buffer Overflows
High
Gentoo Linux Security Advisory. GLSA 200506-06, June 9, 2005

Multiple Vendors

FreeBSD 5.4 & prior

A vulnerability was reported in FreeBSD when using Hyper-Threading Technology due to a design error, which could let a malicious user obtain sensitive information and possibly elevated privileges.

Patches and updates available at:
ftp://ftp.freebsd.org/pub/FreeBSD/
CERT/advisories/
FreeBSD-SA-05:09.htt.asc

SCO:
ftp://ftp.sco.com/pub/updates/
UnixWare/SCOSA-2005.24

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/l/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-476.html

Sun:
http://sunsolve.sun.com/
search/document.do?
assetkey=1-26-101739-1

Mandriva:
http://www.mandriva.com/
security/advisories

Trustix:
ftp://ftp.trustix.org/pub/trustix/
updates/

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendor FreeBSD Hyper-Threading Technology Support Information Disclosure

CAN-2005-0109

Medium

FreeBSD Security Advisory, FreeBSD-SA-05:09, May 13, 2005

SCO Security Advisory, SCOSA-2005.24, May 13, 2005

Ubuntu Security Notice, USN-131-1, May 23, 2005

US-CERT VU#911878

RedHat Security Advisory, RHSA-2005:476-08, June 1, 2005

Sun(sm) Alert Notification, 101739, June 1, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:096, June 7, 2005

Trustix Secure Linux Security Advisory, TLSA-2005-0028, June 13, 2005

Multiple Vendors

ImageMagick 6.0-6.0.8, 6.1-6.1.8, 6.2 .0.7, 6.2 .0.4, 6.2, 6.2.1

A buffer overflow vulnerability has been reported due to a failure to properly validate user-supplied string lengths before copying into static process buffers, which could let a remote malicious user cause a Denial of Service.

Upgrades available at:
http://www.imagemagick.org/
script/binary-releases.php

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/3/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/i/imagemagick/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-413.html

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

A Proof of Concept exploit has been published.

ImageMagick
Remote Buffer Overflow

CAN-2005-1275

Low

Security Focus, 13351, April 25, 2005

Fedora Update Notification
FEDORA-2005-344, April 28, 2005

Ubuntu Security Notice, USN-132-1 May 23, 2005, May 23, 2005

RedHat Security Advisory, RHSA-2005:413-04, May 25, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

Multiple Vendors

ISC BIND 9.3;
MandrakeSoft Linux Mandrake 10.1 X86_64, 10.1

A remote Denial of Service vulnerability exists in the 'authvalidated()' function due to an error in the validator.

Upgrade available at:
http://www.isc.org/index.pl

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Trustix:
http://www.trustix.org/
errata/2005/0003/

FreeBSD:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:12/bind9.patch

Currently we are not aware of any exploits for this vulnerability.

BIND Validator Self Checking Remote Denial of Service

CAN-2005-0034

Low

US-CERT Vulnerability Note. VU#938617, January 25, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0003, February 11, 2005

FreeBSD Security Advisory, FreeBSD-SA-05:12, June 9, 2005

Multiple Vendors

MandrakeSoft Corporate Server 3.0, x86_64, Linux Mandrake 10.0, AMD64, 10.1, X86_64;Novell Evolution 2.0.2l Ubuntu Linux 4.1 ppc, ia64, ia32;
Ximian Evolution 1.0.3-1.0.8, 1.1.1, 1.2-1.2.4, 1.3.2 (beta)

A buffer overflow vulnerability exists in the main() function of the 'camel-lock-helper.c' source file, which could let a remote malicious user execute arbitrary code.

Update available at:
http://cvs.gnome.org/viewcvs/evolution/
camel/camel-lock-helper.c?rev=1.7
&hideattic=0&view=log

Gentoo:
http://security.gentoo.org/
glsa/glsa-200501-35.xml

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/e/evolution/

SUSE:
ftp://ftp.suse.com/pub/suse/

Debian:
http://security.debian.org/pool/
updates/main/e/evolution/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

ALT Linux:
http://lists.altlinux.ru/pipermail/
security-announce/2005-March
/000287.html

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-238.html

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Currently we are not aware of any exploits for this vulnerability.

Evolution Camel-Lock-Helper Application Remote Buffer Overflow

CAN-2005-0102

High

Gentoo Linux Security Advisory, GLSA 200501-35, January 25, 2005

Ubuntu Security Notice, USN-69-1, January 25, 2005

Mandrakelinux Security Update Advisory, MDKSA-2005:024, January 27, 2005

SUSE Security Summary Report, SUSE-SR:2005:003, February 4, 2005

Debian Security Advisory, DSA 673-1, February 10, 2005

Conectiva Linux Security Announcement, CLA-2005:925, February 16, 2005

ALTLinux Security Advisory, March 29, 2005

RedHat Security Advisory, RHSA-2005:238-18, May 19, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

Multiple Vendors

RedHat Enterprise Linux WS 4, ES 4, AS 4, Desktop 4.0;
Linux kernel 2.6.9, 2.6-2.6.8

A Denial of Service vulnerability has been reported in the auditing code.

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-420.html

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel Auditing Code Denial of Service

CAN-2005-0136

Low
RedHat Security Advisory, RHSA-2005:420-22, June 8, 2005

Multiple Vendors

Linux Kernel 2.6.10, 2.6 -test1-test11, 2.6-2.6.11

A Denial of Service vulnerability has been reported in the 'load_elf_library' function.

Patches available at:
http://www.kernel.org/pub/
linux/kernel/v2.6/patch-2.6.11.6.bz2

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

Trustix:
http://http.trustix.org/pub/
trustix/updates/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-366.html

Conectiva:
ftp://atualizacoes.conectiva.
com.br/

FedoraLegacy:
http://download.fedoralegacy.org/
redhat/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel Local Denial of Service

CAN-2005-0749

Low

Fedora Security
Update Notification,
FEDORA-2005-262, March 28, 2005

Trustix Secure
Linux Security Advisory,
TSLSA-2005-0011, April 5, 2005

Fedora Update Notification
FEDORA-2005-313, April 11, 2005

RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005

Conectiva Linux Security Announcement, CLA-2005:952, May 2, 2005

Fedora Legacy Update Advisory, FLSA:152532, June 4, 1005

SUSE Security Announcement, SUSE-SA:2005:29, June 9, 2005

Multiple Vendors

RedHat Fedora Core3;
LBL tcpdump 3.9.1, 3.9, 3.8.1-3.8.3, 3.7-3.7.2, 3.6.3, 3.6.2, 3.5.2, 3.5, alpha, 3.4, 3.4 a6

A remote Denial of Service vulnerability has been reported in the 'bgp_update_print()' function in 'print-bgp.c' when a malicious user submits specially crafted BGP protocol data.

Update available at:
http://cvs.tcpdump.org/cgi-bin/
cvsweb/tcpdump/print-bgp.c

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/3/

Trustix:
ftp://ftp.trustix.org/pub/trustix/
updates/

A Proof of Concept exploit script has been published.

TCPDump BGP Decoding Routines Denial of Service

CAN-2005-1267

Low

Security Tracker Alert, 1014133, June 8, 2005

Fedora Update Notification,
FEDORA-2005-406, June 9, 2005

Trustix Secure Linux Security Advisory, TLSA-2005-0028, June 13, 2005

Multiple Vendors

SilverCity SilverCity 0.9.4;
Gentoo Linux

A vulnerability has been reported because three of the SilverCity executables are installed with insecure permissions, which could let a malicious user modify the executables and replace them with trojaned versions.

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-05.xml

There is no exploit code required.

SilverCity Insecure File Permissions

CAN-2005-1941

High
Gentoo Linux Security Advisory, GLSA 200506-05, June 8,2005

Multiple Vendors

SuSE Linux Enterprise Server 9, Linux 9.3 x86_64;
Linux kernel 2.6.11, 2.6.8, l 2.6.5

A vulnerability has been reported in 'ptrace' 64-bit platforms which could let a malicious user access kernel memory pages.

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel 64 Bit PTrace Kernel Memory Access

CAN-2005-1763

Medium
SUSE Security Announcement, SUSE-SA:2005:029, June 9, 2005

Multiple Vendors

Linux kernel 2.4-2.4.29, 2.6 .10, 2.6-2.6.11

A vulnerability has been reported in the 'bluez_sock_create()' function when a negative integer value is submitted, which could let a malicious user execute arbitrary code with root privileges.

Patches available at:
http://www.kernel.org/pub/linux/
kernel/v2.4/testing/patch-
2.4.30-rc3.bz2

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Trustix:
http://http.trustix.org/pub/
trustix/updates/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-366.html

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-283.html

http://rhn.redhat.com/
errata/RHSA-2005-284.html

Conectiva:
ftp://atualizacoes.conectiva.
com.br/

FedoraLegacy:
http://download.fedoralegacy.org/
redhat/

A Proof of Concept exploit script has been published.

Linux Kernel
Bluetooth Signed Buffer Index

CAN-2005-0750

High

Security Tracker
Alert, 1013567,
March 27, 2005

SUSE Security Announcement, SUSE-SA:2005
:021, April 4, 2005

Trustix Secure
Linux Security Advisory,
TSLSA-2005-0011, April 5, 2005

US-CERT
VU#685461

Fedora Update Notification
FEDORA-2005-313, April 11, 2005

RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005

RedHat Security Advisories, RHSA-2005:283-15 & RHSA-2005:284-11, April 28, 2005

Conectiva Linux Security Announcement, CLA-2005:952, May 2, 2005

Fedora Legacy Update Advisory, FLSA:152532, June 4, 1005

SUSE Security Announcement, SUSE-SA:2005:29, June 9, 2005

Multiple Vendors

Ubuntu Linux 5.0 4 amd64, 4.1 ia64;
SuSE Linux 9.3 x86_64, 9.1 x86_64, 9.0 x86_64;
Linux kernel 2.6.10, 2.6.8

A Denial of Service has been reported in 'ptrace()' due to insufficient validation of memory addresses.

Updates available at:
http://kernel.org/

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/l/linux-source-2.6.8.1/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel 'ptrace()' Denial of Service

CAN-2005-0756

Low

Ubuntu Security Notice, USN-137-1, June 08, 2005

SUSE Security Announcement, SUSE-SA:2005:029, June 9, 2005

Multiple Vendors

Ubuntu Linux 5.0 4 powerpc, i386, amd64, 4.1 ppc, ia64, ia32;
Linux kernel 2.6.10, 2.6.8

A vulnerability was reported has been reported in the 'mmap()' function because memory maps can be created with a start address after the end address, which could let a malicious user cause a Denial of service or potentially obtain elevated privileges.

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/l/linux-source-2.6.8.1/

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel 'MMap()' Denial of Service

CAN-2005-1265

Medium
Ubuntu Security Notice, USN-137-1, June 08, 2005

Multiple Vendors

Concurrent Versions System (CVS) 1.x;Gentoo Linux; SuSE Linux 8.2, 9.0, 9.1, x86_64, 9.2, x86_64, 9.3, Linux Enterprise Server 9, 8, Open-Enterprise-Server 9.0, School-Server 1.0, SUSE CORE 9 for x86, UnitedLinux 1.0

Multiple vulnerabilities have been reported: a buffer overflow vulnerability was reported due to an unspecified boundary error, which could let a remote malicious user potentially execute arbitrary code; a remote Denial of Service vulnerability was reported due to memory leaks and NULL pointer dereferences; an unspecified error was reported due to an arbitrary free (the impact was not specified), and several errors were reported in the contributed Perl scripts, which could let a remote malicious user execute arbitrary code.

Update available at:
https://ccvs.cvshome.org/
servlets/ProjectDocumentList

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-16.xml

SuSE:
ftp://ftp.suse.com/pub/suse/i

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/3/

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Trustix:
http://http.trustix.org/pub/
trustix/updates/

FreeBSD:
ftp://ftp.FreeBSD.org/pub/

Peachtree:
http://peachtree.burdell.org/
updates/

RedHat:
http://rhn.redhat.com/errata/
RHSA-2005-387.html

OpenBSD:
http://www.openbsd.org/
errata.html#cvs

TurboLinux:
ftp://ftp.turbolinux.co.jp/p
ub/TurboLinux/TurboLinux/ia32/

OpenBSD:
http://www.openbsd.org/
errata35.html#

Ubuntu:
http://security.ubuntu.com/
Subunit/pool/main/c/cvs/

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

OpenBSD:
http://www.openbsd.org/
errata.html#cvs

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000966

Currently we are not aware of any exploits for these vulnerabilities.

CVS Multiple Vulnerabilities

CAN-2005-0753

High

 

Gentoo Linux Security Advisory, GLSA 200504-16, April 18, 2005

SuSE Security Announcement, SUSE-SA:2005:024, April 18, 2005

Secunia Advisory, SA14976, April 19, 2005

Fedora Update Notification,
FEDORA-2005-330, April 20, 2006

Mandriva Linux Security Update Advisory, MDKSA-2005:073, April 21, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0013, April 21, 2005

Gentoo Linux Security Advisory [UPDATE], GLSA 200504-16:02, April 22, 2005

FreeBSD Security Advisory, FreeBSD-SA-05:05, April 22, 2005

Peachtree Linux Security Notice, PLSN-0005, April 22, 2005

RedHat Security Advisory, RHSA-2005:387-06, April 25, 2005

Turbolinux Security Advisory, TLSA-2005-51, April 28, 2005

Ubuntu Security Notice, USN-117-1 May 04, 2005

SGI Security Advisory, 20050501-01-U, May 5, 2005

Conectiva Security Advisory, CLSA-2005:966, June 13, 2005

Multiple Vendors

Linux kernel 2.6.10, 2.6, -test1-test 11, 2.6.1- 2.6.11;
RedHat Fedora Core2

A vulnerability has been reported in the EXT2 filesystem handling code, which could let malicious user obtain sensitive information.

Patches available at:
http://www.kernel.org/pub/linux/
kernel/v2.6/patch-2.6.11.6.bz2

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

Trustix:
http://http.trustix.org/pub/
trustix/updates/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-366.html

Conectiva:
ftp://atualizacoes.conectiva.
com.br/

FedoraLegacy:
http://download.fedoralegacy.org/
redhat/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel
EXT2 File
System
Information Leak

CAN-2005-0400

Medium

Security Focus,
12932,
March 29, 2005

Trustix Secure
Linux Security Advisory,
TSLSA-2005-0011, April 5, 2005

Fedora Update Notification
FEDORA-2005-313, April 11, 2005

RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005

Conectiva Linux Security Announcement, CLA-2005:952, May 2, 2005

Fedora Legacy Update Advisory, FLSA:152532, June 4, 1005

SUSE Security Announcement, SUSE-SA:2005:029, June 9, 2005

 

Multiple Vendors

X.org X11R6 6.7.0, 6.8, 6.8.1;
XFree86 X11R6 3.3, 3.3.2-3.3.6, 4.0, 4.0.1, 4.0.2 -11, 4.0.3, 4.1.0, 4.1 -12, 4.1 -11, 4.2 .0, 4.2.1 Errata, 4.2.1, 4.3.0.2, 4.3.0.1, 4.3.0

An integer overflow vulnerability exists in 'scan.c' due to insufficient sanity checks on on the 'bitmap_unit' value, which could let a remote malicious user execute arbitrary code.

Patch available at:
https://bugs.freedesktop.org/
attachment.cgi?id=1909

Gentoo:
http://security.gentoo.org/glsa/
glsa-200503-08.xml

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/l/lesstif1-1/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200503-15.xml

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/x/xfree86/

ALTLinux:
http://lists.altlinux.ru/
pipermail/security-announce/
2005-March/000287.html

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

RedHat:
http://rhn.redhat.com/errata/
RHSA-2005-331.html

SGI:
ftp://oss.sgi.com/projects/
sgi_propack/download/3/updates/

RedHat:
http://rhn.redhat.com/errata/
RHSA-2005-044.html

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Mandriva:
http://www.mandriva.com/
security/advisories

Debian:
http://security.debian.org/
pool/updates/main/x/xfree86/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-412.html

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-473.html

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-198.html

Currently we are not aware of any exploits for this vulnerability.

LibXPM Bitmap_unit
Integer Overflow

CAN-2005-0605

 

 

High

Security Focus,
12714,
March 2, 2005

Gentoo Linux
Security Advisory,
GLSA 200503-08, March 4, 2005

Ubuntu Security
Notice, USN-92-1 March 07, 2005

Gentoo Linux
Security Advisory, GLSA 200503-15,
March 12, 2005

Ubuntu Security
Notice, USN-97-1
March 16, 2005

ALTLinux Security Advisory, March 29, 2005

Fedora Update Notifications,
FEDORA-2005
-272 & 273,
March 29, 2005

RedHat Security Advisory,
RHSA-2005:
331-06,
March 30, 2005

SGI Security Advisory, 20050401-01-U, April 6, 2005

RedHat Security Advisory, RHSA-2005:044-15, April 6, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:080, April 29, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:081, May 6, 2005

Debian Security Advisory, DSA 723-1, May 9, 2005

RedHat Security Advisory, RHSA-2005:412-05, May 11, 2005

RedHat Security Advisory, RHSA-2005:473-03, May 24, 2005

RedHat Security Advisory, RHSA-2005:198-35, June 8, 2005

Multiple Vendors

Sun Solaris 9 Operating System, Solaris 10 Operating System, Solaris 7 Operating System, Solaris 8 Operating System, Sun Enterprise Authentication Mechanism Software; Red Hat Desktop 3, 4, Enterprise Linux AS 2.1, 3, 4, ES 2.1, 3, 4,
2.1, 3, 4, WS 2.1, 3, 4, Advanced Workstation 2.1 for the Itanium Processor

 

A vulnerability has been reported due to the way the NEW-ENVIRON command is handled, which could let a remote malicious user obtain sensitive information.

Sun:
http://sunsolve.sun.com/search/
document.do?assetkey=
1-26-57755-1

http://sunsolve.sun.com/search/
document.do?assetkey=
1-26-57761-1

RedHat:
rhn.redhat.com/errata/
RHSA-2005-504.html

A Proof of Concept exploit has been published.

Multiple Vendor Telnet Client Information Disclosure

CAN-2005-0488

Medium

iDEFENSE Security Advisory, June 14, 2005

US-CERT VU#800829

OpenSLP

OpenSLP 1.0.0-1.0.11, 1.1.5, 1.2 .0

Multiple buffer overflow vulnerabilities have been reported when processing malformed SLP (Service Location Protocol) packets, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://sourceforge.net/project/
showfiles.php?group_id=1730

SuSE:
ftp://ftp.suse.com/pub/suse/

Mandrake:
http://www.mandrakesecure.
net/en/ftp.php

Ubuntu:
http://security.ubuntu.com
/ubuntu/pool/main/o/openslp/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200503-25.xml

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000967

Currently we are not aware of any exploits for these vulnerabilities.

OpenSLP Multiple Buffer Overflows

CAN-2005-0769

High

SuSE Security Announcement, SUSE-SA:2005:015, March 14, 2005

Mandrakelinux Security Update Advisory, MDKSA-2005:055, March 16, 2005

Ubuntu Security Notice, USN-98-1 March 17, 2005

Gentoo Linux Security Advisory, GLSA 200503-25, March 20, 2005

Conectiva Security Advisory, CLSA-2005:967, June 13, 2005

PHP Group

PHP 4.3-4.3.10; Peachtree Linux release 1

A remote Denial of Service vulnerability has been reported when processing deeply nested EXIF IFD (Image File Directory) data.

Upgrades available at:
http://ca.php.net/get/php
4.3.11.tar.gz/from/a/mirror

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/p/php4/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-15.xml

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Peachtree:
http://peachtree.burdell.org/
updates/

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000955

Apple:
http://www.apple.com/
support/downloads/

Currently, we are not aware of any exploits for this vulnerability.

PHP Group Exif Module IFD Nesting Remote Denial of Service

CAN-2005-1043

Low

Security Focus, 13164, April 14, 2005

Ubuntu Security Notice, USN-112-1, April 14, 2005

Gentoo Linux Security Advisory, GLSA 200504-15, April 18, 2005

Fedora Update Notification,
FEDORA-2005-315, April 18, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:072, April 19, 2005

Peachtree Linux Security Notice, PLSN-0001, April 21, 2005

SGI Security Advisory, 20050501-01-U, May 5, 2005

Conectiva Security Advisory, CLSA-2005:955, May 31, 2005

Apple Security Update, APPLE-SA-2005-06-08, June 8, 2005

PHP Group

PHP 4.3-4.3.10; Peachtree Linux release 1

A vulnerability has been reported in the 'exif_process_IFD_TAG()' function when processing malformed IFD (Image File Directory) tags, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://ca.php.net/get/php
4.3.11.tar.gz/from/a/mirror

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/p/php4/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-15.xml

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Peachtree:
http://peachtree.burdell.org/
updates/

TurboLinux:
ftp://ftp.turbolinux.co.jp/p
ub/TurboLinux/TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-405.html

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000955

Apple:
http://www.apple.com/
support/downloads/

Currently, we are not aware of any exploits for this vulnerability.

PHP Group Exif Module IFD Tag Integer Overflow

CAN-2005-1042

High

Security Focus, 13163, April 14, 2005

Ubuntu Security Notice, USN-112-1, April 14, 2005

Gentoo Linux Security Advisory, GLSA 200504-15, April 18, 2005

Fedora Update Notification,
FEDORA-2005-315, April 18, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:072, April 19, 2005

Peachtree Linux Security Notice, PLSN-0001, April 21, 2005

Turbolinux Security Advisory, TLSA-2005-50, April 28, 2005

RedHat Security Advisory, RHSA-2005:405-06, April 28, 2005

SUSE Security Summary Report, SUSE-SR:2005:012, April 29, 2005

SGI Security Advisory, 20050501-01-U, May 5, 2005

Conectiva Security Advisory, CLSA-2005:955, May 31, 2005

Apple Security Update, APPLE-SA-2005-06-08, June 8, 2005

Pico Server

Pico Server 3.3

Several vulnerabilities have been reported: a Directory Traversal vulnerability was reported in URL request handling due to an input validation error, which could let a remote malicious user obtain sensitive information; and a buffer overflow vulnerability has been reported in URL request handling, which could let a remote malicious user execute arbitrary code.

Upgrade available at:
http://pserv.sourceforge.net

There is no exploit code required.

Pico Server Directory Traversal & Buffer Overflow

CAN-2005-1952
CAN-2005-1953

High
Secunia Advisory, SA15663, June 13, 2005

RedHat

sysreport 1.1-1.3, Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4, ES 3, ES 2.1 IA64, ES 2.1, AS 4, AS 3, AS 2.1 IA64, AS 2.1, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1, IA64

A vulnerability has been reported in the Sysreport proxy due to a failure to ensure that sensitive information is not included in generated reports, which could let a remote malicious user obtain sensitive information.

Updates available at:
http://rhn.redhat.com/
errata/RHSA-2005-502.html

There is no exploit code required.

RedHat Linux SysReport Proxy Information Disclosure

CAN-2005-1760

Medium
RedHat Security Advisory, RHSA-2005:502-03, June 13, 2005

Rob Flynn

Gaim prior to 1.3.1

Several vulnerabilities have been reported: a remote Denial of Service vulnerability has been reported when using the Yahoo! protocol to download a file; and a remote Denial of Service vulnerability was reported in the MSN Messenger service when a malicious user submits a specially crafted MSN message.

Updates available at:
http://gaim.sourceforge.net
/downloads.php

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/g/gaim/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-11.xml

Mandriva:
http://www.mandriva.com/
security/advisories

There is no exploit code required.

Gaim Remote Denial of Services

CAN-2005-1269
CAN-2005-1934

Low

Secunia Advisory, SA15648, June 10, 2005

Ubuntu Security Notice USN-139-1, June 10, 2005

Gentoo Linux Security Advisory, GLSA 200506-11, June 12, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:099, June 14, 2005

SGI

IRIX 6.5.25-6.5.27

Several vulnerabilities have been reported in 'rpc.mountd' because anonymous clients that have an unlisted hostname in DNS, NIS, etc. are denied and also excessive rights for read-mostly exports is allowed.

Patches available at:
ftp://patches.sgi.com/support/
free/security/patches/6.5.25/

There is no exploit code required.

SGI IRIX RPC.MountD Read-Mostly Mount Unspecified File Access

CAN-2005-0138
CAN-2005-0139

Medium
SGI Security Advisory, 20050601-01-P, June 8, 2005

Tomasz Lutelmowski

LutelWall 0.97 & prior

A vulnerability has been reported in the 'new_version_check()' function due to the insecure creation of temporary files when updating to a new version, which could let a malicious user obtain root privileges.

Gentoo:
http://security.gentoo.org/
glsa/glsa-200506-10.xml

There is no exploit code required.

LutelWall Insecure Temporary File Creation

CAN-2005-1879

High

Security Tracker Alert, 1014112, June 6, 2005

Gentoo Linux Security Advisory, GLSA 200506-10, June 11, 2005

xMySQLadmin

xMySQLadmin 1.0

A vulnerability has been reported due to the insecure creation of temporary files when dropping the database, which could let a malicious user perform actions with elevated privileges.

No workaround or patch available at time of publishing.

There is no exploit code required.

xMySQLadmin Insecure Temporary File Creation

CAN-2005-1944

Medium
Secunia Advisory, SA15635, June 9, 2005

[back to top] 

Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name /
CVE Reference
Risk
Source

1two.org

Annuaire 1Two 1.1, 1.0

Several Cross-Site Scripting vulnerabilities have been reported: a vulnerability was reported in the 'index.php' script due to insufficient validation of user-supplied input in the 'id' parameter, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in the form for adding comments due to insufficient validation of the 'site_id,' 'nom,' 'email,' and 'commentaire' parameters, which could let a remote malicious user execute arbitrary HTML and script code.

The vendor has issued a fixed version (2.0) available at:
http://www.1two.org/

There is no exploit code required; however, a Proof of Concept exploit has been published.

Annuaire 1Two Cross-Site Scripting

CAN-2005-1975

High
Security Tracker Alert, 1014187, June 14, 2005

Broadpool

Siteframe

A vulnerability has bee reported in the 'siteframe.php' script due to insufficient validation of the 'LOCAL_PATH' parameter, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Broadpool Siteframe 'siteframe.php' Remote Arbitrary Code Execution

CAN-2005-1965

High
Security Tracker Alert, 1014150, June 9, 2005

C.J. Steele

tattle

A vulnerability has been reported in 'getemails()' due to an input validation error, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

C.J. Steele Tattle Remote Arbitrary Command Execution

CAN-2005-1960

High
Secunia Advisory, SA15582, June 8, 2005

Cantico

Ovidentia

A vulnerability has been reported in the 'index.php' script because the 'utilit/utilit.php' is included without validating the 'babInstallPath' parameter, which could let a remote malicious user execute arbitrary code.

Patch information available at:
http://www.ovidentia.org/
index.php?tg=articles&idx=M
ore&topics=1&article=290

There is no exploit code required; however, a Proof of Concept exploit has been published.

Cantico Ovidentia 'index.php' Remote Arbitrary Code Execution

CAN-2005-1964

High
Security Tracker Alert, 1014149, June 9, 2005

Cisco Systems

CatOS, Catalyst, Call Manager

 

A vulnerability has been reported in Cisco CallManager and Cisco voice-enabled switches because they don't contain 802.1x supplicants, which could let a remote malicious user spoof the Cisco Discovery Protocol (CDP) to obtain anonymous voice VLAN access.

Workaround available at:
http://www.cisco.com/warp/
public/707/cisco-sn-
20050608-8021x.shtml

There is no exploit code required.

Cisco Voice VLAN 802.1x Authentication Bypass

CAN-2005-1942

Medium
Cisco Security Notice, 65152, June 8, 2005

Cisco Systems

IOS 12.x, R12.x

Two vulnerabilities have been reported; a vulnerability has been reported due to an error when processing IKE (Internet Key Exchange) XAUTH messages, which could let a remote malicious user obtain unauthorized access; and a vulnerability has been reported when handling ISAKMP profile attributes, which could let a remote malicious user obtain unauthorized access.

Patches available at:
http://www.cisco.com/warp/
public...sa-20050406-xauth.shtml#software

Currently we are not aware of any exploits for these vulnerabilities.

Cisco IOS XAUTH Authentication Bypass

CAN-2005-1057
CAN-2005-1058

Medium

Cisco Security Advisory, cisco-sa-20050406, April 6, 2005

US-CERT VU#344900

US-CERT VU#236748

Cisco

ACNS Software Version 4.2 and prior

Multiple vulnerabilities exist that could let remote users cause a Denial of Service. These are due to errors within the processing of TCP connections, IP packets, and network packets. he vulnerabilities affect devices configured as a transparent, forward, or reverse proxy server. A default password may also be available in the administrative account.

Updates available:
http://www.cisco.com/warp/
public/707/cisco-sa-
20050224-acnsdos.shtml

Currently we are not aware of any exploits for these vulnerabilities.

Cisco ACNS Denial of Service Vulnerabilities

CAN-2005-0601
CAN-2005-0600
CAN-2005-0599
CAN-2005-0598
CAN-2005-0597

Low

Cisco Security Advisory: 64069
Revision 1.0, February 24, 2005

US-CERT VU#579240

US-CERT U#360296

 

e107.org

eTrace 1.0.1

A vulnerability has been reported in eTrace, which could let a remote malicious user execute arbitrary commands.

No workaround or patch available at time of publishing.

There is no exploit code required.

e107 eTrace Remote Command Execution

CAN-2005-1966

High
Security Focus, 13934, June 10, 2005

InteractivePHP

FusionBB 0.1 Beta-0.11 Beta

Multiple vulnerabilities have been reported: a vulnerability was reported due to insufficient sanitization of certain values retrieved from cookie data, which could let a remote malicious user obtain sensitive information or execute arbitrary code; an SQL injection vulnerability was reported when registering an account with the FusionBB software due to insufficient sanitization of the 'username' in the'insertUser()' function, which could let a remote malicious user execute arbitrary SQL code; and an SQL injection vulnerability was reported when an arbitrary statement is entered in the cookie's session id variable, which could let a remote malicious user execute arbitrary SQL code and bypass authentication

Updates available at:
http://www.interactivephp.com/
misc/CHANGELOG.html

There is no exploit code required; however, a Proof of Concept exploit has been published.

FusionBB Multiple Input Validation

CAN-2005-1971
CAN-2005-1972

High
Gulftech Research Security Advisory, June 13, 2005

Invision Power Services

Invision Community Blog 1.1, 1.0

Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of the 'convert_highlite_words()' function, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported in 'index.php' due to insufficient sanitization of the 'mid' parameter before used in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

Updates available at:
http://www.invisionblog.com/
download_blog/

There is no exploit code required; however, Proofs of Concept exploits have been published.

Invision Community Blog Cross-Site Scripting & SQL Injection

CAN-2005-1945
CAN-2005-1946

High
Secunia Advisory, SA15626, June 9, 2005

Invision Power Services

Invision Gallery 1.3, 1.0.1

Several vulnerabilities have been reported: an SQL injection vulnerability was reported in the 'index.php' script due to insufficient sanitization before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site request forgery (CSRF) vulnerability was reported which could let a remote malicious user delete albums and images.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Invision Power Services Invision Gallery SQL Injection & Cross-SIte Request Forgery

CAN-2005-1947
CAN-2005-1948

High
GulfTech Security Advisory, June 9, 2005

MediaWiki

MediaWiki 1.x

A vulnerability has been reported due to insufficient sanitization of input passed to certain HTML attributes, which could let a remote malicious user execute arbitrary script code.

Upgrades available at:
http://prdownloads.sf.net/wikipedia/
mediawiki-1.4.5.tar.gz?download

Gentoo:
http://www.gentoo.org/security/
en/glsa/glsa-200506-12.xml

There is no exploit code required.

MediaWiki Page Template Arbitrary Code Execution

CAN-2005-1888

High

Security Focus, 13861, June 6, 2005

Gentoo Security Advisory, GLSA 200506-12, June 13, 2005

 

Mozilla

Firefox Preview Release, 0.8, 0.9 rc, 0.9-0.9.3, 0.10, 0.10.1, 1.0-1.0.3

Several vulnerabilities have been reported: a vulnerability was reported due to insufficient protection of 'IFRAME' JavaScript URLS from being executed in the context of another history list URL, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in 'InstallTrigger .install()' due to insufficient verification of the 'Icon URL' parameter, which could let a remote malicious user execute arbitrary JavaScript code.

Workaround:
Disable "tools/options/web-Features/>Allow web sites to install software"

Slackware:
ftp://ftp.slackware.com/
pub/slack ware/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-11.xml

TurboLinux:
ftp://ftp.turbolinux.co.jp/
pub/TurboLinux/
TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-434.html

http://rhn.redhat.com/
errata/RHSA-2005-435.html

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/m/
mozilla-firefox/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Proofs of Concept exploit scripts have been published.

Mozilla Firefox Remote Arbitrary Code Execution

CAN-2005-1476
CAN-2005-1477

High

Secunia Advisory,
SA15292,
May 9, 2005

US-CERT VU#534710

US-CERT VU#648758

Slackware Security Advisory, SSA:2005-135-01, May 15, 2005

Gentoo Linux Security Advisory, GLSA 200505-11, May 16, 2005

Turbolinux Security Advisory, TLSA-2005
-56, May 16, 2005

RedHat Security Advisories, RHSA-2005:434-10 & RHSA-2005:435-10, May 23 & 24, 2005

Ubuntu Security Notice, USN-134-1, May 26, 2005

SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

Mozilla

Mozilla Browser prior to 1.7.8; Mozilla Suite prior to 1.7.8; Firefox prior to 1.0.4; Firebird 0.5, 0.6.1, 0.7

A vulnerability was reported due to a failure in the application to properly verify Document Object Model (DOM) property values, which could let a remote malicious user execute arbitrary code.

Firefox:
http://www.mozilla.org/
products/firefox/

Mozilla Browser Suite:
http://www.mozilla.org/
products/mozilla1.x/

TurboLinux::
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-434.html

http://rhn.redhat.com/
errata/RHSA-2005-435.html

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/m/
mozilla-firefox/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Currently we are not aware of any exploits for this vulnerability.

Mozilla Suite And Firefox DOM Property Overrides

CAN-2005-1532

High

Mozilla Foundation Security Advisory,
2005-44,
May 12, 2005

Turbolinux Security Advisory,
TLSA-2005
-56, May 16, 2005

RedHat Security Advisories, RHSA-2005:434-10 & RHSA-2005:435-10, May 23 & 24, 2005

Ubuntu Security Notice, USN-134-1, May 26, 2005

SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

SUSE Security Announcement, SUSE-SA:2005:030, June 9, 2005

Mozilla

Mozilla Browser prior to 1.7.8; Mozilla Suite prior to 1.7.8; Firefox prior to 1.0.4; Firebird 0.5, 0.6.1, 0.7

A vulnerability was reported when processing 'javascript:' URLs, which could let a remote malicious user execute arbitrary code.

Firefox:
http://www.mozilla.org/
products/firefox/

Mozilla Browser Suite:
http://www.mozilla.org/
products/mozilla1.x/

TurboLinux::
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-434.html

http://rhn.redhat.com/
errata/RHSA-2005-435.html

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/m/
mozilla-firefox/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Currently we are not aware of any exploits for this vulnerability.

Mozilla Suite And Firefox Wrapped 'javascript:' URLs

CAN-2005-1531

High

Mozilla Foundation Security Advisory,
2005-43,
May 12, 2005

Turbolinux Security Advisory,
TLSA-2005-56, May 16, 2005

RedHat Security Advisories, RHSA-2005:434-10 & RHSA-2005:435-10, May 23 & 24, 2005

Ubuntu Security Notice, USN-134-1, May 26, 2005

SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

SUSE Security Announcement, SUSE-SA:2005:030, June 9, 2005

Multiple Vendors

ALT Linux Compact 2.3, Junior 2.3; Apple Mac OS X 10.0-10.0.4, 10.1-10.1.5, 10.2-10.2.8, 10.3-10.3.8, Mac OS X Server 10.0, 10.1-10.1.5, 10.2-10.2.8, 10.3-10.3.8; MIT Kerberos 5 1.0, 5 1.0.6, 5 1.0.8, 51.1-5 1.4; Netkit Linux Netkit 0.9-0.12, 0.14-0.17, 0.17.17; Openwall GNU/*/Linux (Owl)-current, 1.0, 1.1; FreeBSD 4.10-PRERELEASE, 2.0, 4.0 .x, -RELENG, alpha, 4.0, 4.1, 4.1.1 -STABLE, -RELEASE, 4.1.1, 4.2, -STABLEpre122300, -STABLEpre050201, 4.2 -STABLE, -RELEASE,
4.2, 4.3 -STABLE, -RELENG, 4.3 -RELEASE-p38, 4.3 -RELEASE, 4.3, 4.4 -STABLE, -RELENG, -RELEASE-p42, 4.4, 4.5 -STABLEpre2002-03-07, 4.5 -STABLE,
-RELENG, 4.5 -RELEASE-p32, 4.5 -RELEASE, 4.5, 4.6 -STABLE, -RELENG, 4.6 -RELEASE-p20, 4.6 -RELEASE, 4.6, 4.6.2, 4.7 -STABLE, 4.7 -RELENG, 4.7 -RELEASE-p17, 4.7 -RELEASE, 4.7, 4.8 -RELENG,
4.8 -RELEASE-p7, 4.8 -PRERELEASE, 4.8, 4.9 -RELENG, 4.9 -PRERELEASE, 4.9, 4.10 -RELENG, 4.10 -RELEASE,
4.10, 4.11 -STABLE, 5.0 -RELENG, 5.0, 5.1 -RELENG, 5.1 -RELEASE-p5, 5.1 -RELEASE, 5.1, 5.2 -RELENG, 5.2 -RELEASE, 5.2,
5.2.1 -RELEASE, 5.3 -STABLE, 5.3 -RELEASE, 5.3, 5.4 -PRERELEASE; SuSE Linux 7.0, sparc, ppc, i386, alpha, 7.1, x86, sparc, ppc, alpha, 7.2, i386

SGI IRIX 6.5.24-6.5.27

Two buffer overflow vulnerabilities have been reported in Telnet: a buffer overflow vulnerability has been reported in the 'slc_add_reply()' function when a large number of specially crafted LINEMODE Set Local Character (SLC) commands is submitted, which could let a remote malicious user execute arbitrary code; and a buffer overflow vulnerability has been reported in the 'env_opt_add()' function, which could let a remote malicious user execute arbitrary code.

ALTLinux:
http://lists.altlinux.ru/pipermail
/security-announce/2005-
March/000287.html

Apple:
http://wsidecar.apple.com/cgi-bin/
nph-reg3rdpty1.pl/product=05529&
platform=osx&method=sa/SecUpd
2005-003Pan.dmg

Debian:
http://security.debian.org/pool/
updates/main/n/netkit-telnet/

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/

FreeBSD:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:01/

MIT Kerberos:
http://web.mit.edu/kerberos/|
advisories/2005-001-patch
_1.4.txt

Netkit:
ftp://ftp.uk.linux.org/pub/linux/
Networking/netkit/

Openwall:
http://www.openwall.com/Owl/
CHANGES-current.shtml

RedHat:
http://rhn.redhat.com/errata/
RHSA-2005-327.html

Sun:
http://sunsolve.sun.com/search/
document.do?assetkey=
1-26-57755-1

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/n/netkit-telnet/

OpenBSD:
http://www.openbsd.org/
errata.html#telnet

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Gentoo:
http://security.gentoo.org/
glsa/glsa-200503-36.xml

http://security.gentoo.org/
glsa/glsa-200504-01.xml

Debian:
http://security.debian.org/
pool/updates/main/k/krb5/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-04.xml

SGI:
ftp://oss.sgi.com/projects/
sgi_propack/download
/3/updates/

SCO:
ftp://ftp.sco.com/pub/updates/
UnixWare/SCOSA-2005.21

Sun:
http://sunsolve.sun.com/
search/document.do?
assetkey=1-26-57761-1

Openwall:
http://www.openwall.com/
Owl/CHANGES-current.shtml

Avaya:
http://support.avaya.com/
elmodocs2/security/
ASA-2005-088_RHSA-2005-330.pdf

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-28.xml

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

Sun:
http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57761-1

OpenWall:
http://www.openwall.com/
Owl/CHANGES-current.shtml

SCO:
ftp://ftp.sco.com/pub/updates/
OpenServer/SCOSA-2005.23

SGI IRIX:
Apply patch 5892 for IRIX 6.5.24-6.5.27:
ftp://patches.sgi.com/
support/free/security/patches/

Debian:
http://security.debian.org/
pool/updates/main/k/krb4/

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000962

Trustix:
ftp://ftp.trustix.org/pub/trustix/
updates/

Currently we are not aware of any exploits for these vulnerabilities.

Telnet Client 'slc_add_reply()' & 'env_opt_add()'
Buffer Overflows

CAN-2005-0468
CAN-2005-0469

High

iDEFENSE Security Advisory,
March 28, 2005

US-CERT VU#291924

Mandrakelinux Security Update Advisory, MDKSA-2005:061,
March 30, 2005

Gentoo Linux Security Advisories, GLSA 200503-36 & GLSA 200504-01, March 31 &
April 1, 2005

Debian Security Advisory, DSA 703-1, April 1, 2005

US-CERT VU#341908

Gentoo Linux Security Advisory, GLSA 200504-04,
April 6, 2005

SGI Security Advisory, 20050401-01-U, April 6, 2005

Sun(sm) Alert Notification, 57761,
April 7, 2005

SCO Security Advisory, SCOSA-2005.21,
April 8, 2005

Avaya Security Advisory, ASA-2005-088, April 27, 2005

Gentoo Linux Security Advisory, GLSA 200504-28, April 28, 2005

Turbolinux Security Advisory, TLSA-2005-52, April 28, 2005

Sun(sm) Alert Notification, 57761, April 29, 2005

SCO Security Advisory, SCOSA-2005.23, May 17, 2005

SGI Security Advisory, 20050405-01-P, May 26, 2005

Debian Security Advisory, DSA 731-1, June 2, 2005

Conectiva Security Advisory, CLSA-2005:962, June 6, 2005

Trustix Secure Linux Security Advisory, TLSA-2005-0028, June 13, 2005

Multiple Vendors

MandrakeSoft Linux Mandrake 10.2 X86_64, 10.2; Rob Flynn Gaim 0.10 x, 0.10.3, 0.50-0.75, 0.78, 0.82, 0.82.1, 1.0-1.0.2, 1.1.1-1.1.4, 1.2, 1.2.1; Ubuntu Linux 4.1 ppc, ia64, ia32, 5.0 4 powerpc, i386, amd64

Several vulnerabilities have been reported: a buffer overflow vulnerability was reported when handling long URIs due to insufficient bounds checking, which could let a remote malicious user execute arbitrary code; and a remote Denial of Service vulnerability was reported due to a NULL pointer dereference error when handling MSN messages.

Rob Flynn:
http://prdownloads.
sourceforge.net/gaim/
gaim-1.3.0.tar.gz?download

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-429.html

Fedora:
http://download.fedora.
redhat.com/
pub/fedora/
linux/core/updates/3/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200505-09.xml

Mandriva:
http://www.mandriva.com/
security/advisories

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/g/gaim/

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000964

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

A Proof of Concept exploit script has been published.

Gaim Remote Buffer Overflow & Denial of Service

CAN-2005-1261
CAN-2005-1262

High

 

Fedora Update Notification,
FEDORA-
2005-369,
May 11, 2005

RedHat Security Advisory, RHSA-2005:429-06, May 11, 2005

Gentoo Linux Security Advisory, GLSA 200505-09,
May 12, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:086,
May 12, 2005

Ubuntu Security Notice, USN-125-1, May 12, 2005

Conectiva Security Advisory, CLSA-2005:964, June 7, 2005

SUSE Security Report, SUSE-SR:2005:015, June 7,2005

Novell

NetMail 3.52 A&B, 3.10, a-h, 3.1, 3.1f, 3.0.3, a&b, 3.0.1

Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in the Modweb agent due to insufficient sanitization of various calendar display fields, which could let a remote malicious user execute arbitrary HTML and script code; a remote Denial of Service vulnerability was reported in the Modweb agent due to an unspecified error when decoding headers; and a vulnerability was reported in the IMAP command continuation function when handling long command tags (impact not specified).

Upgrades available at:
http://support.novell.com/servlet/
filedownload/sec/pub/

Currently we are not aware of any exploits for these vulnerabilities.

Novell NetMail Multiple Remote Vulnerabilities

CAN-2005-1756
CAN-2005-1757
CAN-2005-1758

High
Secunia Advisory, SA15644, June 10, 2005

Novell

ZENworks Desktop Management 6.5, ZENworks for Desktops 3.2 SP2, 4.0, 4.0.1, ZENworks for Servers 3.2, ZENworks Remote Management
Novell ZENworks Server Management 6.5

Several vulnerabilities were reported in the Remote Management authentication protocol in 'zenrem32.exe' due to integer overflows and boundary errors, which could let a remote malicious user execute arbitrary code.

Patches available at:
http://support.novell.com/servlet/
filedownload/sec/ftf/zfd401ir6rm.exe

Currently we are not aware of any exploits for these vulnerabilities.

Novell ZENworks Remote Management Buffer Overflows

CAN-2005-1543

High

Securiteam, May 19, 2005

Security Tracker, 13678, June 14, 2005

ObjectWeb Consortium

C-JDBC 1.1, 1.0-1.0.2, 1.2, 1.2.1, 1.3

A vulnerability has been reported in the caching mechanism due to insufficient verification of database rights access, which could let a remote malicious user obtain sensitive information.

Upgrades available at:
http://forge.objectweb.org/project/
download.php?group_id=42&file_id=40 61

There is no exploit code required.

ObjectWeb Consortium C-JDBC Caching Information Disclosure

CAN-2005-1961

Medium
Security Tracker Alert, 1014118, June 7, 2005

PHP Group

PHP prior to 5.0.4; Peachtree Linux release 1

Multiple Denial of Service vulnerabilities have been reported in 'getimagesize().'

Upgrade available at:
http://ca.php.net/get/php-
4.3.11.tar.gz/from/a/mirror

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/p/php4/

Slackware:
ftp://ftp.slackware.com/
pub/slackware/

Debian:
http://security.debian.org/
pool/updates/main/p/php3/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-15.xml

Mandrake:
http://www.mandrakesecure.net/
en/ftp.php

Peachtree:
http://peachtree.burdell.org/
updates/

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-405.html

SGI:
ftp://patches.sgi.com/support/
free/security/advisories/

Debian:
http://security.debian.org/
pool/updates/main/p/php4/

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/index.php?id=
a&anuncio=000955

Apple:
http://www.apple.com/
support/downloads/

Currently we are not aware of any exploits for these vulnerabilities.

PHP
'getimagesize()' Multiple
Denials of Service

CAN-2005-0524
CAN-2005-0525

Low

iDEFENSE Security Advisory,
March 31, 2005

Ubuntu Security Notice, USN-105-1, April 05, 2005

Slackware Security Advisory, SSA:2005-
095-01,
April 6, 2005

Debian Security Advisory, DSA 708-1, April 15, 2005

SUSE Security Announcement, SUSE-SA:2005:023, April 15, 2005

Gentoo Linux Security Advisory, GLSA 200504-15, April 18, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:072, April 19, 2005

Peachtree Linux Security Notice, PLSN-0001, April 21, 2005

Turbolinux Security Advisory, TLSA-2005-50, April 28, 2005

RedHat Security Advisory, RHSA-2005:405-06, April 28, 2005

SGI Security Advisory, 20050501-01-U, May 5, 2005

Debian Security Advisory, DSA 729-1, May 26, 2005

Conectiva Security Advisory, CLSA-2005:955, May 31, 2005

Apple Security Update, APPLE-SA-2005-06-08, June 8, 2005

singapore

singapore 0.9.11 beta

A Cross-Site Scripting vulnerability has been reported in 'index.php' due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Singapore Image Gallery Index.PHP Cross-Site Scripting

CAN-2005-1955

High
Security Focus, 13938, June 13, 2005

Sun Microsystems, Inc.

Java Web Start 1.x,
Sun Java JDK 1.5.x, 1.4.x, Sun Java JRE 1.4.x, 1.5.x

Several vulnerabilities have been reported: a vulnerability was reported due to an unspecified error which could let malicious untrusted applications execute arbitrary code; and a vulnerability was reported due to an unspecified error which could let a malicious untrusted applets execute arbitrary code.

Upgrades available at:
http://java.sun.com/
j2se/1.5.0/index.jsp

http://java.sun.com/
j2se/1.4.2/download.html

Currently we are not aware of any exploits for these vulnerabilities.

Java Web Start / Sun JRE Sandbox Security Bypass

CAN-2005-1973
CAN-2005-1974

High
Sun(sm) Alert Notification, 101748 & 101749, June 13, 2005

Symantec

Brightmail Anti-Spam 6.0.1, 6.0, 5.5, 4.0

A vulnerability has been reported due to a static database administration password, which could let a remote malicious user obtain administrative access to the quarantined message database.

Updated version information

Updates available at:
http://www.symantec.com/
techsupp/

There is no exploit code required.

Symantec Brightmail AntiSpam Remote Information Disclosure

CAN-2005-1867

High

Symantec Security Advisory, SYM05-009,
May 31, 2005

Symantec Security Advisory, SYM05-009, June 9, 2005

WebGroup Media

Cerberus Helpdesk 2.6.1, 0.97.3

Several vulnerabilities have been reported: a Cross-Site Script vulnerability was reported in 'index.php' due to insufficient sanitization of the 'errorcode' parameter, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported when a specially crafted URL is submitted, which could let a remote malicious user obtain sensitive information.

The vulnerability has been fixed in the CVS repository.

There is no exploit code required; however, a Proof of Concept exploit has been published.

WebGroup Media Cerberus Helpdesk Cross-Site Scripting & Information Disclosure

CAN-2005-1962
CAN-2005-1963

High
ECHO_ADV_
15$2005 Advisory, June 7, 2005

[back to top] 

Wireless

The section below contains wireless vulnerabilities, articles, and viruses/trojans identified during this reporting period.

  • Quantum cryptography network gets wireless link : The world's first quantum encryption computer network has been expanded to include a wireless link that uses quantum communications codes. Quantum cryptography guarantees security by encoding information as polarized photons which can be sent down a fibre optic cable or through the air. Intercepting these photons disturbs their quantum state, alerting both sides to an eavesdropper's presence. Source: http://www.newscientist.com/article.ns?id=dn7484
  • Phishing: The new wireless danger for business travelers: Wireless devices make users targets for industrial espionage, fraud, and other crimes. Hackers are no longer intercepting travelers` wireless connections just to intercept e-mails. They are using 'access point phishing' which sets up a bogus log-in screen for a legitimate wireless hotspot. When the victim tunes in to it to start communicating, the hacker sends out viruses that bring back the personal information they are looking for. Source: http://www.traveldailynews.com/new.asp?newid=22997&subcategory_id=95.
  • Top wireless cities are Seattle and San Francisco: Intel ranked cities based on the number of commercial or free "Wi-Fi" points from January to April 15 in the 100 largest urban regions in the United States. According to their ranking, Seattle and San Francisco are the most "unwired cities" in America. Also included in the top ten: Austin, Texas; Portland, Ore.; Toledo, Ohio; Atlanta; Denver; the Research Triangle area of North Carolina; Minneapolis; and Orange County, Calif. Source: http://www.informationweek.com/story/showArticle.jhtml;jsessionid=
    ZEJVZKACCIQ0YQSNDBCCKH0CJUMEKJVN?articleID=164300934
    .
  • Don't do wireless security in isolation: Corporations should think of wireless security as an add on to their existing security architecture, not as a separate entity, either integrating the new wireless piece into the overall company security policy, if one already exists, or taking the opportunity to create a plan for the entire IT infrastructure. Source: http://www.techworld.com/security/features/index.cfm?FeatureID=1502
  • Research Shows Bluetooth Can Be Hacked In Milliseconds: Bluetooth devices including phones, PDAs, and personal computers can be hacked even when Bluetooth's security is enabled, a pair of researchers said this week, letting attackers eavesdrop on wireless networks, even charge mobile calls to another user's phone. Source: http://www.securitypipeline.com/news/164301974

Wireless Vulnerabilities

  • Linux Kernel Bluetooth Signed Buffer Index vulnerability: A vulnerability has been reported in the 'bluez_sock_create()' function when a negative integer value is submitted, which could let a malicious user execute arbitrary code. (For more information, see entry in the Unix / Linux Systems Table)

[back to top] 

Recent Exploit Scripts/Techniques The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script
(Reverse
Chronological Order)

Script name
Workaround or Patch Available
Script Description
June 13, 2005 gun-imapd.c
Yes
Exploit for the GNU Mailutils Format String vulnerability.
June 13, 2005 tcpdump-bgp-update-poc.c
Yes
Proof of Concept exploit for the TCPDump BGP Decoding Routines Denial of Service vulnerability.
June 8, 2005 GoodTechSMTPServer_DOS.pl
Yes
A Proof of Concept exploit script for the GoodTech SMTP Malformed RCTP TO Request Denial of Service vulnerability.
June 8, 2005 ipswitch_login_bof.c
Yes
Script that exploits the IpSwitch IMail Server 'username' parameter vulnerability.

[back to top]

Trends
  • Hashing exploit threatens digital security: Cryptographers have found a way to snip a digital signature from one document and attach it to a fraudulent document without invalidating the signature and giving the fraud away. The development means that attackers could potentially forge legal documents, load certified software with bogus code, or turn a digitally-signed letter of recommendation into one that authorizes access to private information. Source: http://www.newscientist.com/article.ns?id=dn7519&feedId=online-news_rss20.
  • Firms warned they may be targets of Trojan spies: After police discovered one of the world's largest industrial espionage and hacking operations, they are warning that UK businesses should take urgent steps to check their systems are secure. Senior directors of at least 15 leading businesses in Israel are under investigation for hiring private detective agencies to obtain confidential documents from rivals' computer systems. Operation Horse Race, an international investigation by police in Israel, Germany, the US and the UK, has led to the arrest of 22 suspects in Israel and London. Source: http://81.144.183.106/Articles/Article.aspx?liArticleID=210254&PrinterFriendly=true.
  • Bank Mergers Provide Opportunity for Phishing: Bank mergers are being used by fraudsters as an opportunity to craft customized phishing scams timed to transitions between the banks' online systems, hoping that customer awareness of mergers will bring more bites on "bait" emails. Wachovia Bank issued a warning about phishing emails "designed to capitalize on our merger activities. Source: http://news.netcraft.com/archives/2005/06/09/bank_mergers_provide_opportunity_for_phishing.html11.
  • W32/Mytob Virus: US-CERT has received reports of three new variants of the W32/Mytob virus. These variants, 'W32/Mytob.DP', 'W32/Mytob.DV', and 'W32/Mytob.DY', propagate via email and contain backdoor functionality. Source: http://www.us-cert.gov/current/.
  • Exploitation of ASN.1 Vulnerabilities: US-CERT has received reports indicating an increase in the scanning for and exploitation of systems affected by one or more vulnerabilities in the Microsoft ASN.1 Library (MSASN1.DLL). These vulnerabilities are caused by the way that certain ASN.1 length values and bit strings are decoded. By sending specially crafted ASN.1 data, an attacker may be able to execute arbitrary code with SYSTEM privileges and gain complete control of a vulnerable system. MS04-007 explains how an attacker could exploit these vulnerabilities. Source: http://www.us-cert.gov/current/.
  • Skulls Trojan poses as security code: Virus writers have created mobile phone malware that poses as a pirated copy of F-Secure's mobile anti-virus software. Skulls-L is a minor modification of the Skulls-C Trojan. Source: http://www.securityfocus.com/news/11207.

[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank
Common Name
Type of Code
Trend
Date
Description
1
Mytob.C Win32 Worm Stable March 2004 A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files.
2
Netsky-P Win32 Worm Stable March 2004 A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.
3
Netsky-Q Win32 Worm Stable March 2004 A mass-mailing worm that attempts to launch Denial of Service attacks against several web pages, deletes the entries belonging to several worms, and emits a sound through the internal speaker.
4
Zafi-D Win32 Worm Stable December 2004 A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.
5
Netsky-D Win32 Worm Stable March 2004 A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.
6
Lovgate.w Win32 Worm Stable April 2004 A mass-mailing worm that propagates via by using MAPI as a reply to messages, by using an internal SMTP, by dropping copies of itself on network shares, and through peer-to-peer networks. Attempts to access all machines in the local area network.
7
Zafi-B Win32 Worm Stable June 2004 A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.
8
Netsky-Z Win32 Worm Stable April 2004 A mass-mailing worm that is very close to previous variants. The worm spreads in e-mails, but does not spread to local network and P2P and does not uninstall Bagle worm. The worm has a backdoor that listens on port 665.
9
Netsky-B Win32 Worm Stable February 2004 A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. Also searches drives for certain folder names and then copies itself to those folders.
10
MyDoom-O Win32 Worm Stable July 2004 A mass-mailing worm that uses its own SMTP engine to generate email messages. It gathers its target email addresses from files with certain extension names. It also avoids sending email messages to email addresses that contain certain strings.

Table Updated June 14, 2005

Viruses or Trojans Considered to be a High Level of Threat

  • Nothing significant to report.

[back to top]

 

 

 

Last updated

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top