The OVAL Repository5.42015-09-03T07:07:33.638-04:00Solaris cachefsd Buffer Overrun VulnerabilitySun Solaris 8cachefsdBuffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument.David ProulxBrian SobyBrian SobyINTERIMACCEPTEDTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSolaris Xsun and Xprt Unspecified Local Privilege EscalationSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10XsunUnspecified vulnerability in the (1) Xsun and (2) Xprt commands in Solaris 7, 8, 9, and 10 allows local users to execute arbitrary code.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDACCEPTEDSolaris 8 mibiisa Remote Buffer Overflow VulnerabilitySun Solaris 8mibiisaBuffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges.David ProulxACCEPTEDSecurity Vulnerability in the IP Implementation for Solaris 8 and 9 May Allow a Denial of ServiceSun Solaris 8Sun Solaris 9Unspecified vulnerability in the IP implementation in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (CPU consumption) via crafted IP packets, probably related to fragmented packets with duplicate or missing fragments.Todd DolinskyDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 RPC xdr_array Buffer OverflowSun Solaris 8libnslInteger overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.David ProulxMatthew WojcikINTERIMACCEPTEDTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDBourne Shell Local-DoS VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10The Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to cause a denial of service (sh crash) via an unspecified 
attack vector that causes sh processes to crash during creation of temporary files.Robert L. HollisDRAFTINTERIMACCEPTEDPai PengINTERIMACCEPTEDACCEPTEDSolaris 8 LBXProxy Display Name Buffer OverflowSun Solaris 8lbxproxyBuffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option.David ProulxACCEPTEDA Security Vulnerability in lbxproxy(1) may Allow Unauthorized Read Access to FilesSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in Low Bandwidth X proxy (lbxproxy) on Sun Solaris 8 through 10 before 20070725 allows local users to read arbitrary files with root group ownership via unknown vectors.Todd DolinskyDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in rm(1) may Lead to Unauthorized Deletion of Files or DirectoriesSun Solaris 8Sun Solaris 9Sun Solaris 10Race condition in recursive directory deletion with the (1) -r or (2) -R option in rm in Solaris 8 through 10 before 20070208 allows local users to delete files and directories as the user running rm by moving a low-level directory to a higher level as it is being deleted, which causes rm to chdir to a ".." 
directory that is higher than expected, possibly up to the root file system, a related issue to CVE-2002-0435.Todd DolinskyDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Involving Handshake Renegotiation Affects Applications Utilizing Network Security Services (NSS)Sun Solaris 8Sun Solaris 9Sun Solaris 10The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 RWall Daemon Syslog Format String VulnerabilitySun Solaris 8rpc.rwalldFormat string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed.David ProulxTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDGNU GZip CHMod File Permission Modification Race ConditionWeaknessSun Solaris 8Sun Solaris 9Sun Solaris 10gzipRace condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.Robert L. 
HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDPai PengINTERIMACCEPTEDACCEPTEDMIT Kerberos 5 Key Distribution Center Remote Denial of Service VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10KerberosHeap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDACCEPTEDMIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Name Buffer Overrun VulnerabilitiesSun Solaris 9Sun Solaris 8Sun Solaris 7Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDSolaris 8 CDE dtspcd Buffer OverflowSun Solaris 8dtspcdBuffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.David ProulxTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSolaris 8 kcms_configure Command-Line Buffer OverflowSun Solaris 8kcms_configurekcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument.David ProulxACCEPTEDSolaris 8 admintool Local Buffer OverflowSun Solaris 8AdmintoolBuffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file.David ProulxMatthew WojcikMatthew WojcikMatthew WojcikINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDlpsched Local System Corruption VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, 
and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Solaris rpc.nisd(1M) Daemon may Cause a Denial of Service (DoS) Condition to a NIS+ ServerSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in rpc.nisd in Sun Solaris 8 through 10, and OpenSolaris before snv_104, allows remote authenticated users to cause a denial of service (NIS+ daemon hang) via unspecified vectors related to NIS+ callbacks.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Solaris Print Service (in.lpd(1M)) May Lead to a Denial of Service (DoS) ConditionSun Solaris 8Sun Solaris 9in.lpd in the print service in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors that trigger a "fork()/exec() bomb."Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8, 9, 10 Blind Connection Reset Attack VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. 
HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMMatthew WojcikACCEPTEDPai PengINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Solaris dircmp(1) Shell Script may Allow Overwriting of Arbitrary FilesSun Solaris 8Sun Solaris 9Sun Solaris 10Race condition in the dircmp script in Sun Solaris 8 through 10, and OpenSolaris snv_01 through snv_111, allows local users to overwrite arbitrary files, probably involving a symlink attack on temporary files.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris Kernel Involving the Interaction of the Filesystem and Virtual Memory SubsystemsSun Solaris 8Sun Solaris 9Sun Solaris 10The kernel in Sun Solaris 8, 9, and 10, and OpenSolaris before snv_103, does not properly handle interaction between the filesystem and virtual-memory implementations, which allows local users to cause a denial of service (deadlock and system halt) via vectors involving mmap and write operations on the same file.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Simple Authentication and Security Layer (SASL) Library Bundled with the Java Enterprise System (JES) may Allow Unprivileged Users to Crash Applications Using the sasl_encode64 FunctionSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDInteger Overflow Vulnerability in the Solaris 8 and 9 sadmind(1M) Daemon May Lead to Arbitrary Code ExecutionSun Solaris 8Sun Solaris 9Integer overflow in sadmind in Sun Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted RPC request that triggers a heap-based buffer overflow, related to improper memory allocation.Pai PengDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSecurity 
Vulnerability in the Solaris Pseudo-terminal Driver (pty(7D)) may Cause a System PanicSun Solaris 8Sun Solaris 9Sun Solaris 10Race condition in the pseudo-terminal (aka pty) driver module in Sun Solaris 8 through 10, and OpenSolaris before snv_103, allows local users to cause a denial of service (panic) via unspecified vectors related to lack of "properly sequenced code" in ptc and ptsl.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris IP(7p) Implementation, Related to Minor Number Allocation, may Lead to a Denial of Service (DoS) ConditionSun Solaris 8Sun Solaris 9Sun Solaris 10The IP implementation in Sun Solaris 8 through 10, and OpenSolaris before snv_82, uses an improper arena when allocating minor numbers for sockets, which allows local users to cause a denial of service (32-bit application failure and login outage) by opening a large number of sockets.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the X Inter Client Exchange Library (libICE) Shipped With Solaris May Allow a Denial of Service (DoS)Sun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the X Inter Client Exchange library (aka libICE) in Sun Solaris 8 through 10 and OpenSolaris before snv_85 allows context-dependent attackers to cause a denial of service (application crash), as demonstrated by a port scan that triggers a segmentation violation in the Gnome session manager (aka gnome-session).Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 AdminTool Media Installation Path Buffer OverflowSun Solaris 8AdmintoolBuffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path.David ProulxMatthew WojcikMatthew WojcikMatthew WojcikINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris "autofs" Kernel Module may Allow a Local Unprivileged User to Execute Arbitrary CodeSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the autofs 
module in the kernel in Sun Solaris 8 through 10, and OpenSolaris before snv_108, allows local users to cause a denial of service (autofs mount outage) or possibly gain privileges via vectors related to "xdr processing problems."Pai PengDRAFTINTERIMACCEPTEDACCEPTEDrwho daemon Code Execution VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Licence Logging ServiceUnknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the DNS Protocol May Lead to DNS Cache PoisoningSun Solaris 8Sun Solaris 9Sun Solaris 10The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."Pai PengDRAFTINTERIMACCEPTEDACCEPTEDManipulated Tag Files used with Solaris Text Editors May Lead to Execution of Arbitrary CodeSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple unspecified vulnerabilities in Sun Solaris 8 through 10 allow local users to gain privileges via vectors related to handling of tags with (1) the -t option and (2) the :tag command in the (a) vi, (b) ex, (c) vedit, (d) view, and (e) edit programs.Todd DolinskyDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability May Allow Popup Windows to Appear Through the Solaris XScreenSaver Program on Xorg(1) ServersSun Solaris 8Sun Solaris 9Sun Solaris 10XScreenSaver in Sun Solaris 9 and 10, OpenSolaris before snv_120, and X11 6.4.1 for Solaris 8, when the Xorg or Xnewt server is used, allows physically proximate attackers to obtain sensitive information by reading popup 
windows, which are displayed even when the screen is locked, a different vulnerability than CVE-2009-1276.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in DHCP Handling of DHCP Requests May Allow Remote Users to Execute Arbitrary Code or Cause a Denial of the DHCP ServiceSun Solaris 8Sun Solaris 9Sun Solaris 10Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2, and some other dhcpd implementations based on ISC dhcp-2, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Management of Solaris Kerberos (see kerberos(5)) may Lead to a User Denial of Service (DoS) AttackSun Solaris 8Sun Solaris 9Sun Solaris 10The Kerberos credential renewal feature in Sun Solaris 8, 9, and 10, and OpenSolaris build snv_01 through snv_104, allows local users to cause a denial of service (authentication failure) via unspecified vectors related to incorrect cache file permissions, and lack of credential storage by the store_cred function in pam_krb5.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in Solaris snoop(1M) when Displaying SMB TrafficSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple format string vulnerabilities in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allow remote attackers to execute arbitrary code via format string specifiers in an SMB packet.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Solaris Kerberos PAM Module May Allow Use of a User Specified Kerberos Configuration File, Leading to Escalation of PrivilegesSun Solaris 8Sun Solaris 9Sun Solaris 10Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain 
privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris sendfile(3EXT) and sendfilev(3EXT) Extended Library Functions may Result in a Denial of Service (DoS) Condition due to a System PanicSun Solaris 8Sun Solaris 9Sun Solaris 10The (1) sendfile and (2) sendfilev functions in Sun Solaris 8 through 10, and OpenSolaris before snv_110, allow local users to cause a denial of service (panic) via vectors related to vnode function calls.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in DHCP Handling of DHCP Requests May Allow Remote Users to Execute Arbitrary Code or Cause a Denial of the DHCP ServiceSun Solaris 8Sun Solaris 9Sun Solaris 10in.dhcpd in the DHCP implementation in Sun Solaris 8 through 10, and OpenSolaris before snv_103, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unknown DHCP requests related to the "number of offers," aka Bug ID 6713805.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the ACL (acl(2)) Implementation for UFS File Systems May Allow a Local User to Panic the SystemSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the UFS module in Sun Solaris 8 through 10 and OpenSolaris allows local users to cause a denial of service (NULL pointer dereference and kernel panic) via unknown vectors related to the Solaris Access Control List (ACL) implementation.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the namefs Kernel module may result in Arbitrary Code Execution or a Denial of Service (DoS)Sun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the namefs kernel module in Sun Solaris 8 through 10 allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 rpc.yppasswdd Buffer Overrun 
VulnerabilitySun Solaris 8rpc.yppasswddBuffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.David ProulxACCEPTEDA Buffer Overflow Security Vulnerability in the Solaris sadmind(1M) Daemon May Lead to Execution of Arbitrary CodeSun Solaris 8Sun Solaris 9Stack-based buffer overflow in the adm_build_path function in sadmind in Sun Solstice AdminSuite on Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted request.Pai PengDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in FreeType 2 Font Engine May Allow Privilege Escalation Due to Heap OverflowSun Solaris 8Sun Solaris 9Sun Solaris 10Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability May Allow Firewall Compromise or Creation of Denial of Service (DoS) ConditionSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the Internet Protocol (IP) implementation in Sun Solaris 8, 9, and 10 allows remote attackers to bypass intended firewall policies or cause a denial of service (panic) via unknown vectors, possibly related to ICMP packets and IP fragment reassembly.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in Solaris 8 Directory FunctionsSun Solaris 8Unspecified vulnerability in Sun Solaris 8 directory functions allows local users to cause a denial of service (panic) via an unspecified sequence of system calls or commands.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDCovert Channel Security Vulnerability in the Solaris KernelSun Solaris 8Sun Solaris 9Sun Solaris 10The kernel in Sun Solaris 8 through 10 and OpenSolaris before snv_90 allows local users to bypass chroot, zones, and the Solaris Trusted 
Extensions multi-level security policy, and establish a covert communication channel, via unspecified vectors involving system calls.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Solaris Kerberos PAM Module May Allow Use of a User Specified Kerberos Configuration File, Leading to Escalation of PrivilegesSun Solaris 8Sun Solaris 9Sun Solaris 10Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in Solaris 10, and other software, does not properly handle calls to pam_setcred when running setuid, which allows local users to overwrite and change the ownership of arbitrary files by setting the KRB5CCNAME environment variable, and then launching a setuid application that performs certain pam_setcred operations.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris X Server May Lead to Unauthorized Disclosure of Information on Access Restricted Files and DirectoriesSun Solaris 8Sun Solaris 9Sun Solaris 10X.Org Xserver before 1.4.1 allows local users to determine the existence of arbitrary files via a filename argument in the -sp option to the X program, which produces different error messages depending on whether the filename exists.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDHeap-based Buffer Overflow Vulnerability in the Solaris 8 and 9 sadmind(1M) Daemon May Lead to Arbitrary Code ExecutionSun Solaris 8Sun Solaris 9Heap-based buffer overflow in sadmind in Sun Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted RPC request, related to improper decoding of request parameters.Pai PengDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in Solaris snoop(1M) when Displaying SMB TrafficSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple stack-based buffer overflows in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allow remote attackers to execute arbitrary code via a crafted SMB packet.Pai 
PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in Solaris Print Service May Lead to Denial of Service (DoS) or Execution of Arbitrary CodeSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple unspecified vulnerabilities in Solaris print service for Sun Solaris 8, 9, and 10 allow remote attackers to cause a denial of service or execute arbitrary code via unknown vectors.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDCDE libDtHelp Buffer OverflowSun Solaris 7Sun Solaris 8Sun Solaris 9Common Desktop EnvironmentBuffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via (1) a modified DTHELPUSERSEARCHPATH environment variable and the Help feature, (2) DTSEARCHPATH, or (3) LOGNAME.Brian SobyDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDApache Mod_Proxy Remote Negative Content-Length Buffer OverflowSun Solaris 8Sun Solaris 9ApacheHeap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Handling of Self Encapsulated IP Packets may Lead to a Denial of Service (DOS) Condition.Sun Solaris 8Sun Solaris 9Sun Solaris 10Sun Solaris 8, 9, and 10 allows "remote privileged" users to cause a denial of service (panic) via unknown vectors related to self encapsulated IP packets.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDLDAP RBAC Privilege Escalation VulnerabilitySun Solaris 8Sun Solaris 9LDAPUnknown vulnerability in LDAP on Sun Solaris 8 and 9, when using Role Based Access Control (RBAC), allows local users to execute certain commands with additional privileges.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDMozilla, Firebird, Firefox Frame Injection VulnerabilitySun Solaris 8mozillaThe (1) Mozilla 1.6, (2) Firebird 
0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris crontab(1) utility may allow execution of Arbitrary CodeSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in crontab on Sun Solaris 8 through 10, and OpenSolaris before snv_93, allows local users to insert cron jobs into the crontab files of arbitrary users via unspecified vectors.Nicholas HansenDRAFTINTERIMDragos PrisacaACCEPTEDACCEPTEDSolaris 8 whodo Buffer Overflow VulnerabilitySun Solaris 8whodoBuffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable.David ProulxMatthew WojcikINTERIMMatthew WojcikMatthew WojcikMatthew WojcikACCEPTEDACCEPTEDApache Mod_Access Access Control Rule Bypass VulnerabilitySun Solaris 8Sun Solaris 9Apachemod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8, 9, 10 ICMP Source Quench Attack VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. 
While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMMatthew WojcikACCEPTEDPai PengINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDMozilla, Netscape SOAPParameter Integer OverflowSun Solaris 8mozillaInteger overflow in the SOAPParameter object constructor in (1) Netscape version 7.0 and 7.1 and (2) Mozilla 1.6, and possibly earlier versions, allows remote attackers to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDOpenSSL ASN.1 Inputs Character Tracking VulnerabilitySun Solaris 8Sun Solaris 9Sun ClusterOpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.Brian SobyDRAFTINTERIMACCEPTEDEvgeniy PavlovINTERIMACCEPTEDACCEPTEDSolaris Code Execution DoS VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9kernelUnknown vulnerability in Solaris 2.6 through 9 causes a denial of service (system panic) via "a rare race condition" or an attack by local users.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability With Loading Arbitrary Kernel Modules in Solaris KernelSun Solaris 8Sun Solaris 9Sun Solaris 7Sun Solaris 2.6The kernel in Solaris 2.6, 7, 8, and 9 allows local users to gain privileges by loading arbitrary loadable kernel modules (LKM), possibly involving the modload function.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDApache mod_digest Nonce Verification VulnerabilitySun Solaris 8Sun Solaris 9Apachemod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret.Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDMozilla, 
Firefox, Thunderbird XPInstall Security VulnerabilitySun Solaris 8mozillaMozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDcachefsd DoS via Invalid RPC RequestSun Solaris 7Sun Solaris 8Sun Solaris 9cachefsdcachefsd in Solaris 2.6, 7, and 8 allows remote attackers to cause a denial of service (crash) via an invalid procedure call in an RPC request.Brian SobyDRAFTINTERIMACCEPTEDTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDOpenSSL Integer Overflow VulnerabilitySun Solaris 8Sun Solaris 9Sun ClusterInteger overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.Brian SobyDRAFTINTERIMACCEPTEDEvgeniy PavlovINTERIMACCEPTEDACCEPTEDApache Error Log Escape Sequence Injection VulnerabilitySun Solaris 8Sun Solaris 9ApacheApache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDShell Redirect Symlink Attack VulnerabilitySun Solaris 7Sun Solaris 8Bourne Shell (sh)Bourne Again Shell (bash)TENEX C Shell (tcsh)C Shell (csh)Korn Shell (ksh)Multiple shell programs on various Unix systems, including (1) tcsh, (2) csh, (3) sh, and (4) bash, follow symlinks when processing << redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack.Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMMatthew WojcikACCEPTEDACCEPTEDDtMail Local Command Line Format String VulnerabilitySun Solaris 8Sun Solaris 9DtMailFormat string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain 
privileges via format strings in the argv[0] value.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMozilla Firefox Certificate Spoofing VulnerabilitySun Solaris 8mozillaMozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMIT Kerberos 5 Key Distribution Center Remote Denial of Service VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10KerberosMIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDACCEPTEDin.named Process Crash VulnerabilitySun Solaris 8BindUnknown vulnerability in in.named on Solaris 8 allows remote attackers to cause a denial of service (process crash).Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDBuffer Overflow in ntp Daemon via readvarSun Solaris 7Sun Solaris 8sendfilev()Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDApache Web Server Multiple Module Local Buffer OverflowSun Solaris 8Sun Solaris 9ApacheMultiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDpriocntl Directory Traversal VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9priocntl()Directory traversal vulnerability in priocntl system call in Solaris does allows local users to execute arbitrary code via ".." 
sequences in the pc_clname field of a pcinfo_t structure, which cause priocntl to load a malicious kernel module.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSendmail Ruleset Parsing Buffer OverflowSun Solaris 7Sun Solaris 8Sun Solaris 9SendmailA "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient, (2) final, or (3) mailer-specific envelope recipients, has unknown consequences.Brian SobyDRAFTINTERIMMozilla, Firefox, Thunderbird Security Lock Icon Spoof VulnerabilitySun Solaris 8mozillaMozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote attackers to use certain redirect sequences to spoof the security lock icon that makes a web page appear to be encrypted.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSun Java System Access Manager Local Authentication Bypass VulnerabilitySun Solaris 10Sun Solaris 9Sun Solaris 8Access ManagerUnspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool.Robert L. 
HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDACCEPTEDBuffer Overflow in Solaris ping DaemonSun Solaris 7Sun Solaris 8Sun Solaris 9Licence Logging ServiceBuffer overflow in the ping daemon of Sun Solaris 7 through 9 may allow local users to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMozilla, Firefox, Thunderbird POP3 SendUidl Buffer OverflowSun Solaris 8mozillaHeap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, may allow remote POP3 mail servers to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in RPCSEC_GSS (rpcsec_gss(3NSL)) Affects Kerberos Administration Daemon (kadmind(1M))Sun Solaris 8Sun Solaris 9Sun Solaris 10Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDMozilla CA Certificate DoSSun Solaris 8mozillaMozilla 1.5 through 1.7 allows a CA certificate to be imported even when their DN is the same as that of the built-in CA root certificate, which allows remote attackers to cause a denial of service to SSL pages because the malicious certificate is treated as invalid.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8/9 cachefsd Heap Overflow VulnerabilitySun Solaris 8cachefsdHeap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.David ProulxBrian SobyINTERIMACCEPTEDTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDCGI.pm start_form Cross-Site Scripting VulnerabilitySun Solaris 
8Sun Solaris 9PerlCross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in Solaris Kernel Statistics Retrieval Process May Allow a Denial of Service (DoS)Sun Solaris 8Sun Solaris 9Sun Solaris 10Multiple unspecified vulnerabilities in the kernel in Sun Solaris 8 through 10 allow local users to cause a denial of service (panic), related to the support for retrieval of kernel statistics, and possibly related to the sfmmu_mlspl_enter or sfmmu_mlist_enter functions.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDSolaris TCP/IP Stack System Panic VulnerabilitySun Solaris 8Sun Solaris 9TCP/IPUnknown vulnerability in the TCP/IP stack for Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDOpenSSL Denial of Service VulnerabilitiesSun Solaris 8Sun Crypto Accelerator 4000The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDKCMS KCS_OPEN_PROFILE File Disclosure VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9kcms_serverDirectory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.Brian SobyDRAFTINTERIMACCEPTEDTodd DolinskyINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDOpenSSL Double-free VulnerabilitySun Solaris 8Sun Solaris 9Sun ClusterDouble free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary 
code via an SSL client certificate with a certain invalid ASN.1 encoding.Brian SobyDRAFTINTERIMACCEPTEDEvgeniy PavlovINTERIMACCEPTEDACCEPTEDKerberos 5 KDC Heap Corruption VulnerabilitySun Solaris 8Kerberos5The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDVulnerability exists in standard Solaris kerberos and SEAM. This definition only covers Solaris kerberosBSM Audit Kernel PanicSun Solaris 7Sun Solaris 8Sun Solaris 9Basic Security ModuleUnknown vulnerability in the Basic Security Module (BSM), when configured to audit either the Administrative (ad) or the System-Wide Administration (as) audit class in Solaris 7, 8, and 9, allows local users to cause a denial of service (kernel panic).Brian SobyDRAFTSudhir GandheINTERIMMozilla, Firefox, Thunderbird User Interface Hijacking VulnerabilitySun Solaris 8mozillaMozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSendmail Address Processor Buffer OverflowSun Solaris 7Sun Solaris 8Sun Solaris 9SendmailBuffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Handling of Thread Contexts in the Solaris Kernel May Allow a Denial of Service (DoS)Sun Solaris 8Sun Solaris 9Sun Solaris 10Race condition in the kernel in Sun Solaris 8 through 10 allows local users to cause a denial of service (panic) via unspecified vectors related to 
"the handling of thread contexts."Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in Solaris libnsl(3LIB) may lead to a Denial of Service (DoS) to the rpcbind(1M) ServiceSun Solaris 8Sun Solaris 9Unspecified vulnerability in libnsl in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (crash) via malformed RPC requests that trigger a crash in rpcbind.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in X Display Manager (xdm(1)) Xsession ScriptSun Solaris 8Sun Solaris 9Sun Solaris 10The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability With the Special File System (SPECFS) strfreectty() Function May Allow a Local Unprivileged User to Panic a SystemSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the strfreectty function in the Special File System (SPECFS) in Sun Solaris 8 through 10 allows local users to cause a denial of service (system panic), related to passing a NULL pointer to the pgsignal function.Todd DolinskyDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in Solaris Named Pipes (pipe(2)) May Allow Unauthorized Data AccessSun Solaris 8Sun Solaris 9Sun Solaris 10Integer signedness error in FIFO filesystems (named pipes) on Sun Solaris 8 through 10 allows local users to read the contents of unspecified memory locations via a negative maximum length value to the I_PEEK ioctl.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability Due to Buffer Overflow in The format(1M) Command May Allow Privilege Elevation For Certain RBAC ProfilesSun Solaris 8Sun Solaris 9Sun Solaris 10Buffer overflow in the format command in Solaris 8, 9, and 10 allows local users with access to format (such as the 
"File System Management" RBAC profile) to execute arbitrary code via unknown vectors, a different vulnerability than CVE-2006-4307.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in BIND 8 May Allow Cache Poisoning AttackSun Solaris 8Sun Solaris 9The (1) NSID_SHUFFLE_ONLY and (2) NSID_USE_POOL PRNG algorithms in ISC BIND 8 before 8.4.7-P1 generate predictable DNS query identifiers when sending outgoing queries such as NOTIFY messages when answering questions as a resolver, which allows remote attackers to poison DNS caches via unknown vectors. NOTE: this issue is different from CVE-2007-2926.Todd DolinskyDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris libsldap Library May Allow a Denial of Service to nscd(1M)Sun Solaris 8Sun Solaris 9Sun Solaris 10The libsldap library in Sun Solaris 8, 9, and 10 allows local users to cause a denial of service (Name Service Caching Daemon (nscd) crash) via unspecified vectors.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in Solaris ld.so.1(1) may Lead to Execution of Arbitrary Code with Elevated PrivilegesSun Solaris 8Sun Solaris 9Sun Solaris 10Directory traversal vulnerability in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via a .. 
(dot dot) sequence in the LANG environment variable that points to a locale file containing attacker-controlled format string specifiers.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVulnerability With Solaris IPv6 May Allow a Remote User the Ability to Create a Denial of Service ConditionSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in Sun Solaris 8, 9 and 10 allows remote attackers to cause a denial of service (panic) via crafted IPv6 packets, a different vulnerability than CVE-2006-5013.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in the tip(1) Command May Allow Execution of Arbitrary Code With Elevated PrivilegesSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple unspecified vulnerabilities in tip in Sun Solaris 8, 9, and 10 allow local users to gain uucp account privileges via unspecified vectors.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDGNOME XScreenSaver in Solaris 8 and 9 may Allow Physically Proximate Attackers to Access the ConsoleSun Solaris 8Sun Solaris 9GNOME XScreenSaver in Sun Solaris 8 and 9 before 20070417, when root is logged into the console, does not automatically lock the screen after a session has been inactive, which might allow physically proximate attackers to access the console.Yuzheng ZhouDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the X Inter Client Exchange Library (libICE)Sun Solaris 8Sun Solaris 9Unspecified vulnerability in Sun Solaris X Inter Client Exchange library (libICE) on Solaris 8 and 9 allows context-dependent attackers to cause a denial of service (application crash) to applications that use the library.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Human Interface Device (HID) Class Driver for SolarisSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the HID (Human Interface Device) class driver in Sun Solaris 8, 9, and 10 before 20070925 allows local users to cause a denial of service (panic) via unspecified vectors.Nicholas 
HansenDRAFTINTERIMACCEPTEDACCEPTEDdtsession(1X) Contains a Buffer Overflow VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Buffer overflow in the dtsession Common Desktop Environment (CDE) Session Manager in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via unspecified vectors.Yuzheng ZhouDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the vuidmice(7M) STREAMS Modules May Lead to a Denial of Service (DoS) ConditionSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the vuidmice STREAMS modules in Sun Solaris 8, 9, and 10 allows local users with console (/dev/console) access to cause a denial of service ("unusable" system console) via unspecified vectors.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDApache Connection Blocking Denial Of Service VulnerabilitySun Solaris 8Sun Solaris 9ApacheApache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDMultiple vulnerabilities in libfreetype, Xsun(1) and Xorg(1)Sun Solaris 8Sun Solaris 9Sun Solaris 10Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in NFS Client Module May Lead to a Denial of Service ConditionSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the NFS client module in Sun Solaris 8 through 10 before 20070524, when operating as an NFS server, allows remote attackers to cause a denial of service (crash) via certain Access Control List (acl) packets.John 
WregglesworthDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 KCMS Arbitrary File Access VulnerabilitySun Solaris 8kcms_serverDirectory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.David ProulxTodd DolinskyINTERIMACCEPTEDDragos PrisacaDEPRECATEDJonathan BakerDEPRECATEDTwo Security Vulnerabilities in Solaris 8 Role Based Access Control (rbac(5)) may Allow Unauthorized Remote AccessSun Solaris 8Multiple unspecified vulnerabilities in the Role Based Access Control (RBAC) functionality in Sun Solaris 8 allow remote attackers who know the password for a role to gain privileges via that role.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability With NIS server ypserv(1M) May Allow a Denial of Service (DoS) to OccurSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in NIS server on Sun Solaris 8, 9, and 10 allows local and remote attackers to cause a denial of service (ypserv hang) via unknown vectors.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in Sun Remote Services (SRS) Net Connect SoftwareSun Solaris 8Sun Solaris 9Sun Solaris 10srsexec in Sun Remote Services (SRS) Net Connect Software Proxy Core package in Sun Solaris 10 does not enforce file permissions when opening files, which allows local users to read the first line of arbitrary files via the -d and -v options.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 CDE ToolTalk Database Heap Corruption VulnerabilitySun Solaris 8Common Desktop EnvironmentBuffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure.David ProulxTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in Solaris ld.so.1(1) may Lead to Execution of Arbitrary Code with Elevated PrivilegesSun Solaris 8Sun Solaris 
9Sun Solaris 10Stack-based buffer overflow in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via large precision padding values in a format string specifier in the format parameter of the doprf function. NOTE: this issue normally does not cross privilege boundaries, except in cases of external introduction of malicious message files, or if it is leveraged with other vulnerabilities such as CVE-2006-6494.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDdtsession Buffer Overflow via HOME EnvvarSun Solaris 7Sun Solaris 8Sun Solaris 9Common Desktop EnvironmentHeap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDLDAP rootDN Password Disclosure VulnerabilitySun Solaris 8Sun Solaris 9LDAPUnspecified vulnerability in Solaris 8 and 9 allows local users to obtain the LDAP Directory Server root Distinguished Name (rootDN) password when a privileged user (1) runs idsconfig; or "insecurely" runs LDAP2 commands with the -w option, including (2) ldapadd, (3) ldapdelete, (4) ldapmodify, (5) ldapmodrdn, and (6) ldapsearch.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDBuffer Overflow in "in.telnetd"or "telnetd"ProcessSun Solaris 7Sun Solaris 8Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDMultiple vulnerabilities in libfreetype, Xsun(1) and Xorg(1)Sun Solaris 8Sun Solaris 9Sun Solaris 10Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDBuffer Overflow Vulnerability in libX11Sun Solaris 8Sun Solaris 9Sun Solaris 10Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDXPM Image Decoder Malicious Color String VulnerabilitySun Solaris 8Sun Solaris 9Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688).Robert L. 
HollisDRAFTINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the rcp(1) Command May Allow Execution of Unintended CommandsSun Solaris 8Sun Solaris 9Sun Solaris 10rcp on Sun Solaris 8, 9, and 10 before 20070710 does not properly call certain helper applications, which allows local users to gain privileges by creating files with certain names, possibly containing shell metacharacters or spaces, a similar issue to CVE-2006-0225.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in X Display Manager (xdm(1)) Xsession ScriptSun Solaris 8Sun Solaris 9Sun Solaris 10Race condition in the Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060225, and Solaris 8 through 10 before 20061006, causes a user's Xsession errors file to have weak permissions before a chmod is performed, which allows local users to read Xsession errors files of other users.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 CDE ToolTalk Database Server Symbolic Link VulnerabilitySun Solaris 8Common Desktop EnvironmentCDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.David ProulxTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTED/usr/lib/print/conv_fix Privilege Escalation VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDEnterprise Storage Manager 2.1 SAN Manager management station patchSun Solaris 8Sun Solaris 9Sun Enterprise Storage Manager (ESM)Unknown vulnerability in Sun StorEdge Enterprise Storage Manager (ESM) 2.1 for Solaris 8 and Solaris 9 allows local users with the "ESMUser" role to gain root access.Brian SobyDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSun Solaris 
Gzip Race condition and Directory Traversal IssuesSun Solaris 8Sun Solaris 9Sun Solaris 10gzipDirectory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDPai PengINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in libX11 for SolarisSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDsendfilev DoS VulnerabilitySun Solaris 8Sun Solaris 9sendfilev()Unknown vulnerability in the sendfilev function in Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Logging Mechanism for Solaris Management Console (SMC) May Lead to Escalation of PrivilegesSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the logging mechanism in Solaris Management Console (SMC) on Sun Solaris 8 through 10 before 20070605 allows remote attackers to execute arbitrary code via unspecified vectors, related to the WBEM server.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDgzip -force File Permission Alteration VulnerabilitySun Solaris 8Licence Logging Servicegzip before 1.3 in Solaris 8, when called with the -f or -force flags, will change the permissions of files that are hard linked to the target files, which allows local users to view or modify these files.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDCD Drive DoS VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the hsfs 
filesystem in Solaris 8, 9, and 10 allows unspecified attackers to cause a denial of service (panic) or execute arbitrary code.Robert L. HollisDRAFTINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Solaris Kernel May Allow a Denial of Service (DoS) Condition to OccurSun Solaris 8Sun Solaris 9Sun Solaris 10Race condition in the kernel in Sun Solaris 8 through 10 allows local users to cause a denial of service (panic) via unspecified vectors, possibly related to the exitlwps function and SIGKILL and /proc PCAGENT signals.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDpagedata Subsystem Local DoS VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the pagedata subsystem of the process file system (/proc) in Solaris 8 through 10 allows local users to cause a denial of service (system hang or panic) via unknown attack vectors that cause the kmem_oversize arena to allocate a large amount of system memory that does not get freed.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDXPM Image Decoder Buffer OverflowSun Solaris 8Sun Solaris 9Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687).Robert L. 
HollisDRAFTINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDSecurity Vulnerability May Allow Users With the "File System Management" RBAC Profile to Gain Elevated PrivilegesSun Solaris 8Sun Solaris 9Unspecified vulnerability in the format command in Sun Solaris 8 and 9 before 20060821 allows local users to modify arbitrary files via unspecified vectors involving profiles that permit running format with elevated privileges, a different issue than CVE-2006-4306 and CVE-2006-4319.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDuucp/uustat Privilege Escalation VulnerabilitySun Solaris 8Sun Solaris 9Unspecified vulnerability in uucp in Sun Solaris 8 and 9 has unknown impact and attack vectors. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2004-0780.Robert L. HollisDRAFTMatthew WojcikINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDls-F Privilege Escalation VulnerabilitySun Solaris 8TENEX C Shell (tcsh)Unknown vulnerability in the ls-F builtin function in tcsh on Solaris 8 allows local users to create or delete files as other users, and gain privileges.Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability May Allow Users With the "File System Management" RBAC Profile to Gain Elevated PrivilegesSun Solaris 8Sun Solaris 9Unspecified vulnerability in Sun Solaris 8 and 9 before 20060821 allows local users to execute arbitrary commands via unspecified vectors, involving the default Role-Based Access Control (RBAC) settings in the "File System Management" profile.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 CDE ToolTalk Database Null Write VulnerabilitySun Solaris 8Common Desktop EnvironmentCDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.David ProulxTodd 
DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the kcms_calibrate(1) CommandSun Solaris 8Sun Solaris 9Unspecified vulnerability in kcms_calibrate in Sun Solaris 8 and 9 before 20071122 allows local users to execute arbitrary commands via unknown vectors.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 X Font Server Remote Buffer OverrunSun Solaris 8fs.auto, xfsBuffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.David ProulxTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDManagement Console Directory Traversal VulnerabilitySun Solaris 8Sun Solaris 9Solaris Management Console (SMC)The Solaris Management Console (SMC) in Sun Solaris 8 and 9 generates different 404 error messages when a file does not exist versus when a file exists but is otherwise inaccessible, which could allow remote attackers to obtain sensitive information in conjunction with a directory traversal (..) attack.Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMACCEPTEDACCEPTEDAlternate ps Command Information Disclosure VulnerabilitySun Solaris 8Sun Solaris 9/usr/ucb/ps in Sun Microsystems Solaris 8 and 9, and certain earlier releases, allows local users to view the environment variables and values of arbitrary processes via the -e option.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDACCEPTEDSMC TRACE HTTP VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Solaris Management ConsoleThe default configuration of the web server for the Solaris Management Console (SMC) in Solaris 8, 9, and 10 enables the HTTP TRACE method, which could allow remote attackers to obtain sensitive information such as cookies and authentication data from HTTP headers.Robert L. 
Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

PC Netlink 2.0 Privilege Escalation Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Solaris Management Console
Description: The (1) slsmgr and (2) slsadmin programs in Sun Solaris PC NetLink 2.0 create temporary files insecurely, which allows local users to gain privileges.
Contributors and status history: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Sun Solaris 8 XSun Color Database File Heap Overflow
Platforms: Sun Solaris 8
Product: Xsun
Description: Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.
Contributors and status history: David Proulx, ACCEPTED

Security Vulnerability With Loading Arbitrary Kernel Modules in Solaris Kernel
Platforms: Sun Solaris 8, Sun Solaris 9, Sun Solaris 7, Sun Solaris 2.6
Description: Directory traversal vulnerability in the vfs_getvfssw function in Solaris 2.6, 7, 8, and 9 allows local users to load arbitrary kernel modules via crafted (1) mount or (2) sysfs system calls. NOTE: this might be the same issue as CVE-2004-1767, but there are insufficient details to be sure.
Contributors and status history: Nicholas Hansen, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 (SPARC) is installed
Platforms: Sun Solaris 7
Description: The operating system installed on the system is Sun Solaris 7 for SPARC.
Contributors and status history: Pai Peng, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 (x86) is installed
Platforms: Sun Solaris 7
Description: The operating system installed on the system is Sun Solaris 7 for x86.
Contributors and status history: Pai Peng, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 2.6 (x86) is installed
Platforms: Sun Solaris 2.6
Description: The operating system installed on the system is Sun Solaris 2.6 for x86.
Contributors and status history: Nicholas Hansen, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 2.6 (SPARC) is installed
Platforms: Sun Solaris 2.6
Description: The operating system installed on the system is Sun Solaris 2.6 for SPARC.
Contributors and status history: Nicholas Hansen, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris Hosts are Vulnerable to a Denial of Service Induced by an Internet Transmission Control Protocol (TCP) "ACK Storm"
Platforms: Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Description: The TCP implementation in Sun Solaris 8, 9, and 10 before 20060726 allows remote attackers to cause a denial of service (resource exhaustion) via a TCP packet with an incorrect sequence number, which triggers an ACK storm.
Contributors and status history: Pai Peng, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Security Vulnerability in the Authentication Mechanism for Solaris Management Console (SMC) May Lead to Escalation of Privileges
Platforms: Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Description: Unspecified vulnerability in the authentication mechanism in Solaris Management Console (SMC) on Sun Solaris 8 through 10 before 20070605 allows remote authenticated users to execute arbitrary code via unspecified vectors, related to the WBEM server.
Contributors and status history: Pai Peng, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Multiple vulnerabilities in libfreetype, Xsun(1) and Xorg(1)
Platforms: Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Description: Integer overflow in the FontFileInitTable function in X.Org libXfont before 20070403 allows remote authenticated users to execute arbitrary code via a long first line in the fonts.dir file, which results in a heap overflow.
Contributors and status history: Pai Peng, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 10 (x86) is installed
Platforms: Sun Solaris 10
Description: The operating system installed on the system is Sun Solaris 10 for x86.
Contributors and status history: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 10 (SPARC) is installed
Platforms: Sun Solaris 10
Description: The operating system installed on the system is Sun Solaris 10 for SPARC.
Contributors and status history: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris SAdmin Client Credentials Remote Administrative Access Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Sadmin
Description: The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets.
Contributors and status history: Brian Soby, Brian Soby, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, Todd Dolinsky, INTERIM, Todd Dolinsky, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Mozilla FTP URI MIME Type Exploit Vulnerability
Platforms: Sun Solaris 8
Product: mozilla
Description: Mozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI.
Contributors and status history: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Safe.PM Unsafe Code Execution Vulnerability
Platforms: Sun Solaris 8, Sun Solaris 9
Product: Perl
Description: Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and earlier, may allow attackers to break out of safe compartments in (1) Safe::reval or (2) Safe::rdo using a redefined @_ variable, which is not reset between successive calls.
Contributors and status history: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, Nabil Ouchn, INTERIM, ACCEPTED, Dragos Prisaca, INTERIM, ACCEPTED, ACCEPTED

Solaris 8 (x86) is installed
Platforms: Sun Solaris 8
Description: The operating system installed on the system is Sun Solaris 8 for x86.
Contributors and status history: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 9 (x86) is installed
Platforms: Sun Solaris 9
Description: The operating system installed on the system is Sun Solaris 9 for x86.
Contributors and status history: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 8 (SPARC) is installed
Platforms: Sun Solaris 8
Description: The operating system installed on the system is Sun Solaris 8 for SPARC.
Contributors and status history: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 9 (SPARC) is installed
Platforms: Sun Solaris 9
Description: The operating system installed on the system is Sun Solaris 9 for SPARC.
Contributors and status history: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Buffer Overflows in uucp
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: uucp
Description: Multiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user.
Contributors and status history: Brian Soby, DRAFT, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, INTERIM, ACCEPTED, ACCEPTED

Kerberos V5 Null Pointer DoS Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Solaris Enterprise Authentication Mechanism (SEAM)
Description: MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference.
Contributors and status history: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

String Format Vulnerability in Solaris 8 snmpdx
Platforms: Sun Solaris 8
Product: snmpdx
Description: Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges.
Contributors and status history: David Proulx, ACCEPTED

SNMP Trap Handling Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8
Product: snmpdx
Description: Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.
Contributors and status history: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris Xsun Privilege Escalation via Pixmaps Vulnerability
Platforms: Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: X
Description: Multiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image.
Contributors and status history: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

libtiff Directory Entry Count Integer Overflow Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: libtiff
Description: Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow.
Contributors and status history: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

libtiff Malloc Error Denial of Service
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: libtiff
Description: Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls.
Contributors and status history: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

libtiff tif_dirread divide-by-zero Denial of Service
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: libtiff
Description: Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452.
Contributors and status history: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

libtiff RLE Decoder Buffer Overflow Vulnerabilities
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: libtiff
Description: Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files.
Contributors and status history: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

X Display Manager DoS via Invalid XDMCP Request
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: XDM
Description: X Display Manager (XDM) on Solaris 8 allows remote attackers to cause a denial of service (XDM crash) via an invalid X Display Manager Control Protocol (XDMCP) request.
Contributors and status history: Robert L. Hollis, Christine Walzer, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Apache mod_proxy Content-Length Header Buffer Overflow
Platforms: Sun Solaris 8, Sun Solaris 9
Product: Apache httpd
Description: Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.
Contributors and status history: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Apache Allow/Deny Parsing Error
Platforms: Sun Solaris 8, Sun Solaris 9
Product: Apache
Description: mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.
Contributors and status history: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Apache Listening Socket Starvation Vulnerability
Platforms: Sun Solaris 8, Sun Solaris 9
Product: Apache
Description: Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."
Contributors and status history: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Apache Error Log Escape Sequence Filtering Vulnerability
Platforms: Sun Solaris 8, Sun Solaris 9
Product: Apache
Description: Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
Contributors and status history: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Apache Nonce Verification Response Replay Vulnerability
Platforms: Sun Solaris 8, Sun Solaris 9
Product: Apache
Description: mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using an AuthNonce secret.
Contributors and status history: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Heap Overflow in Solaris 8 xlock
Platforms: Sun Solaris 8
Product: xlock
Description: Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable.
Contributors and status history: David Proulx, ACCEPTED

The presence of /etc/named.conf indicates that the system is probably configured as a DNS server

egrep "^[Srecipient=2|S2]|^[^#]*\$>2|^[^#]*\$>recipient|^[^#]*\$>4|^[^#]*\$>final" /etc/mail/sendmail.cf
True if any lines returned

SUNWkrbu - 32bit, SUNWkrbux - 64bit

grep c2audit /etc/system
True if "set c2audit:audit_load = 1" or similar

egrep ^flags:.*a[sd] /etc/security/audit_control
True if any lines returned

Solaris Management Console web interface

Rough translation of the Sun recommended test of:
% grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___
default_realm = EXAMPLE.COM