The OVAL Repository5.42015-09-03T07:07:36.666-04:00Solaris Xorg Privilege Escalation via Pixmaps VulnerabilitySun Solaris 9Sun Solaris 10XMultiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSolaris Xsun and Xprt Unspecified Local Privilege EscalationSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10XsunUnspecified vulnerability in the (1) Xsun and (2) Xprt commands in Solaris 7, 8, 9, and 10 allows local users to execute arbitrary code.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the IP Implementation for Solaris 8 and 9 May Allow a Denial of ServiceSun Solaris 8Sun Solaris 9Unspecified vulnerability in the IP implementation in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (CPU consumption) via crafted IP packets, probably related to fragmented packets with duplicate or missing fragments.Todd DolinskyDRAFTINTERIMACCEPTEDACCEPTEDBourne Shell Local-DoS VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10The Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to cause a denial of service (sh crash) via an unspecified attack vector that causes sh processes to crash during creation of temporary files.Robert L. HollisDRAFTINTERIMACCEPTEDPai PengINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in GNU tar (see gtar(1)) May Lead to Files Being Overwritten, Execution of Arbitrary Code, or a Denial of Service (DoS)Sun Solaris 9Sun Solaris 10Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack."Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in lbxproxy(1) may Allow Unauthorized Read Access to FilesSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in Low Bandwidth X proxy (lbxproxy) on Sun Solaris 8 through 10 before 20070725 allows local users to read arbitrary files with root group ownership via unknown vectors.Todd DolinskyDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in rm(1) may Lead to Unauthorized Deletion of Files or DirectoriesSun Solaris 8Sun Solaris 9Sun Solaris 10Race condition in recursive directory deletion with the (1) -r or (2) -R option in rm in Solaris 8 through 10 before 20070208 allows local users to delete files and directories as the user running rm by moving a low-level directory to a higher level as it is being deleted, which causes rm to chdir to a ".." directory that is higher than expected, possibly up to the root file system, a related issue to CVE-2002-0435.Todd DolinskyDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Involving Handshake Renegotiation Affects Applications Utilizing Network Security Services (NSS)Sun Solaris 8Sun Solaris 9Sun Solaris 10The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in GNU tar (see gtar(1)) May Lead to Files Being Overwritten, Execution of Arbitrary Code, or a Denial of Service (DoS)Sun Solaris 9Sun Solaris 10Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDGNU GZip CHMod File Permission Modification Race ConditionWeaknessSun Solaris 8Sun Solaris 9Sun Solaris 10gzipRace condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDPai PengINTERIMACCEPTEDACCEPTEDSun Java System Access Manager Local Authentication Bypass VulnerabilitySun Solaris 10Sun Solaris 9Access ManagerUnspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in BIND DNS Software Shipped With Solaris May Allow DNS Cache PoisoningSun Solaris 9Sun Solaris 10Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA vulnerability in the way named(1M) handles recursive client queries may allow a remote unprivileged user to cause named(1M) to return NXDOMAIN (Non-Existent Domain) for Internet hosts thus causing a Denial of Service (DoS) for those hosts to end usersSun Solaris 9Sun Solaris 10ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDMIT Kerberos 5 Key Distribution Center Remote Denial of Service VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10KerberosHeap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDACCEPTEDMIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Name Buffer Overrun VulnerabilitiesSun Solaris 9Sun Solaris 8Sun Solaris 7Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDSolaris Privilege Escalation/DoS Vulnerability (6293270)Sun Solaris 9Sun Solaris 10Unspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver.Robert L. HollisDRAFTINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDlpsched Local System Corruption VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Solaris rpc.nisd(1M) Daemon may Cause a Denial of Service (DoS) Condition to a NIS+ ServerSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in rpc.nisd in Sun Solaris 8 through 10, and OpenSolaris before snv_104, allows remote authenticated users to cause a denial of service (NIS+ daemon hang) via unspecified vectors related to NIS+ callbacks.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in Solaris 9 fstat(2) System Call May Lead to a System Panic, Resulting in a Denial of Service (DoS)Sun Solaris 9The kernel in Sun Solaris 9 allows local users to cause a denial of service (panic) by calling fstat with a first argument of AT_FDCWD.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in the libxml2 Library Routines xmlBufferResize() May Lead to Denial of Service (DoS)Sun Solaris 9Sun Solaris 10Integer overflow in the xmlBufferResize function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (infinite loop) via a large XML document.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Solaris Print Service (in.lpd(1M)) May Lead to a Denial of Service (DoS) ConditionSun Solaris 8Sun Solaris 9in.lpd in the print service in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors that trigger a "fork()/exec() bomb."Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8, 9, 10 Blind Connection Reset Attack VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMMatthew WojcikACCEPTEDPai PengINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in the libxml2 Library Routines xmlSAX2Characters() May Lead to Arbitrary Code Execution or Denial of Service (DoS)Sun Solaris 9Sun Solaris 10Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Solaris dircmp(1) Shell Script may Allow Overwriting of Arbitrary FilesSun Solaris 8Sun Solaris 9Sun Solaris 10Race condition in the dircmp script in Sun Solaris 8 through 10, and OpenSolaris snv_01 through snv_111, allows local users to overwrite arbitrary files, probably involving a symlink attack on temporary files.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDRace Condition Security Vulnerability in Solaris Auditing Related to Extended File Attributes May Allow Local Unprivileged Users to Panic the SystemSun Solaris 9Sun Solaris 10Race condition in the Solaris Auditing subsystem in Sun Solaris 9 and 10 and OpenSolaris before snv_121, when extended file attributes are used, allows local users to cause a denial of service (panic) via vectors related to "pathnames for invalid fds."Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris Kernel Involving the Interaction of the Filesystem and Virtual Memory SubsystemsSun Solaris 8Sun Solaris 9Sun Solaris 10The kernel in Sun Solaris 8, 9, and 10, and OpenSolaris before snv_103, does not properly handle interaction between the filesystem and virtual-memory implementations, which allows local users to cause a denial of service (deadlock and system halt) via vectors involving mmap and write operations on the same file.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Simple Authentication and Security Layer (SASL) Library Bundled with the Java Enterprise System (JES) may Allow Unprivileged Users to Crash Applications Using the sasl_encode64 FunctionSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability with IKE Packet Handling in Solaris libike Library may Lead to a Crash of in.iked(1M)Sun Solaris 9Sun Solaris 10libike in Sun Solaris 9 and 10, and OpenSolaris before snv_100, does not properly check packets, which allows remote attackers to cause a denial of service (in.iked daemon crash) via an unspecified IKE packet, a different vulnerability than CVE-2007-2989.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in GNU tar May Lead to Arbitrary Code Execution or Denial of Service (DoS)Sun Solaris 9Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDInteger Overflow Vulnerability in the Solaris 8 and 9 sadmind(1M) Daemon May Lead to Arbitrary Code ExecutionSun Solaris 8Sun Solaris 9Integer overflow in sadmind in Sun Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted RPC request that triggers a heap-based buffer overflow, related to improper memory allocation.Pai PengDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Solaris ip(7P) Kernel Module's IP-in-IP Packet Processing May Lead to a Denial of Service (DoS)Sun Solaris 9Sun Solaris 10The IP-in-IP packet processing implementation in the IPsec and IP stacks in the kernel in Sun Solaris 9 and 10, and OpenSolaris snv_01 though snv_85, allows local users to cause a denial of service (panic) via a self-encapsulated packet that lacks IPsec protection.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in Solaris SSH May Allow Unauthorized Access to X11 SessionsSun Solaris 9Sun Solaris 10OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris Pseudo-terminal Driver (pty(7D)) may Cause a System PanicSun Solaris 8Sun Solaris 9Sun Solaris 10Race condition in the pseudo-terminal (aka pty) driver module in Sun Solaris 8 through 10, and OpenSolaris before snv_103, allows local users to cause a denial of service (panic) via unspecified vectors related to lack of "properly sequenced code" in ptc and ptsl.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris IP(7p) Implementation, Related to Minor Number Allocation, may Lead to a Denial of Service (DoS) ConditionSun Solaris 8Sun Solaris 9Sun Solaris 10The IP implementation in Sun Solaris 8 through 10, and OpenSolaris before snv_82, uses an improper arena when allocating minor numbers for sockets, which allows local users to cause a denial of service (32-bit application failure and login outage) by opening a large number of sockets.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity vulnerability in the Virtual Host Manager in Tomcat 5.5 bundled with Solaris 9 and Solaris 10 may lead to Cross Site Scripting (XSS).Sun Solaris 9Sun Solaris 10Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the X Inter Client Exchange Library (libICE) Shipped With Solaris May Allow a Denial of Service (DoS)Sun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the X Inter Client Exchange library (aka libICE) in Sun Solaris 8 through 10 and OpenSolaris before snv_85 allows context-dependent attackers to cause a denial of service (application crash), as demonstrated by a port scan that triggers a segmentation violation in the Gnome session manager (aka gnome-session).Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in GNU tar May Lead to Arbitrary Code Execution or Denial of Service (DoS)Sun Solaris 9Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSecurity vulnerability in the HttpServletResponse.sendError method in Tomcat 5.5 bundled with Solaris 9 and Solaris 10 may lead to Cross Site Scripting (XSS).Sun Solaris 9Sun Solaris 10Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris "autofs" Kernel Module may Allow a Local Unprivileged User to Execute Arbitrary CodeSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the autofs module in the kernel in Sun Solaris 8 through 10, and OpenSolaris before snv_108, allows local users to cause a denial of service (autofs mount outage) or possibly gain privileges via vectors related to "xdr processing problems."Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSUNRAS Plugin of Gimp VulnerabilitySun Solaris 9Sun Solaris 10Stack-based buffer overflow in the set_color_table function in sunras.c in the SUNRAS plugin in Gimp 2.2.14 allows user-assisted remote attackers to execute arbitrary code via a crafted RAS file.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDrwho daemon Code Execution VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Licence Logging ServiceUnknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the DNS Protocol May Lead to DNS Cache PoisoningSun Solaris 8Sun Solaris 9Sun Solaris 10The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."Pai PengDRAFTINTERIMACCEPTEDACCEPTEDManipulated Tag Files used with Solaris Text Editors May Lead to Execution of Arbitrary CodeSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple unspecified vulnerabilities in Sun Solaris 8 through 10 allow local users to gain privileges via vectors related to handling of tags with (1) the -t option and (2) the :tag command in the (a) vi, (b) ex, (c) vedit, (d) view, and (e) edit programs.Todd DolinskyDRAFTINTERIMACCEPTEDACCEPTEDSecurity vulnerability in the RequestDispatcher class in Tomcat 5.5 bundled with Solaris 9 and Solaris 10 may lead to Directory Traversal.Sun Solaris 9Sun Solaris 10Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability May Allow Popup Windows to Appear Through the Solaris XScreenSaver Program on Xorg(1) ServersSun Solaris 8Sun Solaris 9Sun Solaris 10XScreenSaver in Sun Solaris 9 and 10, OpenSolaris before snv_120, and X11 6.4.1 for Solaris 8, when the Xorg or Xnewt server is used, allows physically proximate attackers to obtain sensitive information by reading popup windows, which are displayed even when the screen is locked, a different vulnerability than CVE-2009-1276.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in DHCP Handling of DHCP Requests May Allow Remote Users to Execute Arbitrary Code or Cause a Denial of the DHCP ServiceSun Solaris 8Sun Solaris 9Sun Solaris 10Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2, and some other dhcpd implementations based on ISC dhcp-2, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDPCX Plugin of Gimp VulnerabilitySun Solaris 9Sun Solaris 10Buffer overflow in the kimgio library for KDE 3.4.0 allows remote attackers to execute arbitrary code via a crafted PCX image file.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Management of Solaris Kerberos (see kerberos(5)) may Lead to a User Denial of Service (DoS) AttackSun Solaris 8Sun Solaris 9Sun Solaris 10The Kerberos credential renewal feature in Sun Solaris 8, 9, and 10, and OpenSolaris build snv_01 through snv_104, allows local users to cause a denial of service (authentication failure) via unspecified vectors related to incorrect cache file permissions, and lack of credential storage by the store_cred function in pam_krb5.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDPSD Plugin of Gimp vulnerabilitySun Solaris 9Sun Solaris 10Integer overflow in the seek_to_and_unpack_pixeldata function in the psd.c plugin in Gimp 2.2.15 allows remote attackers to execute arbitrary code via a crafted PSD file that contains a large (1) width or (2) height value.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in Solaris snoop(1M) when Displaying SMB TrafficSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple format string vulnerabilities in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allow remote attackers to execute arbitrary code via format string specifiers in an SMB packet.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Solaris Kerberos PAM Module May Allow Use of a User Specified Kerberos Configuration File, Leading to Escalation of PrivilegesSun Solaris 8Sun Solaris 9Sun Solaris 10Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDThe Solaris rpc.metad(1M) Daemon is Vulnerable to a Denial of Service (DoS) AttackSun Solaris 9Sun Solaris 10rpc.metad in Sun Solaris 10 allows remote attackers to cause a denial of service (daemon crash) via a malformed RPC request.Michael WoodDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris sendfile(3EXT) and sendfilev(3EXT) Extended Library Functions may Result in a Denial of Service (DoS) Condition due to a System PanicSun Solaris 8Sun Solaris 9Sun Solaris 10The (1) sendfile and (2) sendfilev functions in Sun Solaris 8 through 10, and OpenSolaris before snv_110, allow local users to cause a denial of service (panic) via vectors related to vnode function calls.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in DHCP Handling of DHCP Requests May Allow Remote Users to Execute Arbitrary Code or Cause a Denial of the DHCP ServiceSun Solaris 8Sun Solaris 9Sun Solaris 10in.dhcpd in the DHCP implementation in Sun Solaris 8 through 10, and OpenSolaris before snv_103, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unknown DHCP requests related to the "number of offers," aka Bug ID 6713805.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the ACL (acl(2)) Implementation for UFS File Systems May Allow a Local User to Panic the SystemSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the UFS module in Sun Solaris 8 through 10 and OpenSolaris allows local users to cause a denial of service (NULL pointer dereference and kernel panic) via unknown vectors related to the Solaris Access Control List (ACL) implementation.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the namefs Kernel module may result in Arbitrary Code Execution or a Denial of Service (DoS)Sun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the namefs kernel module in Sun Solaris 8 through 10 allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDA Buffer Overflow Security Vulnerability in the Solaris sadmind(1M) Daemon May Lead to Execution of Arbitrary CodeSun Solaris 8Sun Solaris 9Stack-based buffer overflow in the adm_build_path function in sadmind in Sun Solstice AdminSuite on Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted request.Pai PengDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in FreeType 2 Font Engine May Allow Privilege Escalation Due to Heap OverflowSun Solaris 8Sun Solaris 9Sun Solaris 10Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability May Allow Firewall Compromise or Creation of Denial of Service (DoS) ConditionSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the Internet Protocol (IP) implementation in Sun Solaris 8, 9, and 10 allows remote attackers to bypass intended firewall policies or cause a denial of service (panic) via unknown vectors, possibly related to ICMP packets and IP fragment reassembly.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDMultiple Security Vulnerabilities in ICU 3.2 Library Regular Expression Processing May Cause a Denial of Service (DoS)Sun Solaris 9Sun Solaris 10libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the USB Mouse STREAMS Module May Lead to a System PanicSun Solaris 9Sun Solaris 10Unspecified vulnerability in the USB Mouse STREAMS module (usbms) in Sun Solaris 9 and 10, when 64-bit mode is enabled, allows local users to cause a denial of service (panic) via unspecified vectors.Pai PengDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDCovert Channel Security Vulnerability in the Solaris KernelSun Solaris 8Sun Solaris 9Sun Solaris 10The kernel in Sun Solaris 8 through 10 and OpenSolaris before snv_90 allows local users to bypass chroot, zones, and the Solaris Trusted Extensions multi-level security policy, and establish a covert communication channel, via unspecified vectors involving system calls.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDMultiple Security Vulnerabilities in ICU 3.2 Library Regular Expression Processing May Cause a Denial of Service (DoS)Sun Solaris 9Sun Solaris 10Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Solaris Kerberos PAM Module May Allow Use of a User Specified Kerberos Configuration File, Leading to Escalation of PrivilegesSun Solaris 8Sun Solaris 9Sun Solaris 10Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in Solaris 10, and other software, does not properly handle calls to pam_setcred when running setuid, which allows local users to overwrite and change the ownership of arbitrary files by setting the KRB5CCNAME environment variable, and then launching a setuid application that performs certain pam_setcred operations.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris X Server May Lead to Unauthorized Disclosure of Information on Access Restricted Files and DirectoriesSun Solaris 8Sun Solaris 9Sun Solaris 10X.Org Xserver before 1.4.1 allows local users to determine the existence of arbitrary files via a filename argument in the -sp option to the X program, which produces different error messages depending on whether the filename exists.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDHeap-based Buffer Overflow Vulnerability in the Solaris 8 and 9 sadmind(1M) Daemon May Lead to Arbitrary Code ExecutionSun Solaris 8Sun Solaris 9Heap-based buffer overflow in sadmind in Sun Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted RPC request, related to improper decoding of request parameters.Pai PengDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in Solaris snoop(1M) when Displaying SMB TrafficSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple stack-based buffer overflows in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allow remote attackers to execute arbitrary code via a crafted SMB packet.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSolaris 9 sshd(1M) Patches May Cause Incorrect Audit Data to be LoggedSun Solaris 9Solaris 9, with Solaris Auditing enabled and certain patches for sshd installed, can generate audit records with an audit-ID of 0 even when the user logging into ssh is not root, which makes it easier for attackers to avoid detection and can make it more difficult to conduct forensics activities.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in Solaris Print Service May Lead to Denial of Service (DoS) or Execution of Arbitrary CodeSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple unspecified vulnerabilities in Solaris print service for Sun Solaris 8, 9, and 10 allow remote attackers to cause a denial of service or execute arbitrary code via unknown vectors.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the libxml2 Library May Lead to a Denial of Service (DoS)Sun Solaris 9Sun Solaris 10The xmlCurrentChar function in libxml2 before 2.6.31 allows context-dependent attackers to cause a denial of service (infinite loop) via XML containing invalid UTF-8 sequences.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDCDE libDtHelp Buffer OverflowSun Solaris 7Sun Solaris 8Sun Solaris 9Common Desktop EnvironmentBuffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via (1) a modified DTHELPUSERSEARCHPATH environment variable and the Help feature, (2) DTSEARCHPATH, or (3) LOGNAME.Brian SobyDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDA Security Vulnerability in Floating Point Context Switch Implementation May Result in a Denial of Service (DoS) or Data Integrity IssuesSun Solaris 9Sun Solaris 10Unspecified vulnerability in the floating point context switch implementation in Sun Solaris 9 and 10 on x86 platforms might allow local users to cause a denial of service (application exit), corrupt data, or trigger incorrect calculations via unknown vectors.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDKerberos 5 KDC ASN.1 Error Handling Double-free VulnerabilitiesSun Solaris 9Kerberos5Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.Brian SobyDRAFTBrian SobyINTERIMACCEPTEDACCEPTEDApache Mod_Proxy Remote Negative Content-Length Buffer OverflowSun Solaris 8Sun Solaris 9ApacheHeap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Handling of Self Encapsulated IP Packets may Lead to a Denial of Service (DOS) Condition.Sun Solaris 8Sun Solaris 9Sun Solaris 10Sun Solaris 8, 9, and 10 allows "remote privileged" users to cause a denial of service (panic) via unknown vectors related to self encapsulated IP packets.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDLDAP RBAC Privilege Escalation VulnerabilitySun Solaris 8Sun Solaris 9LDAPUnknown vulnerability in LDAP on Sun Solaris 8 and 9, when using Role Based Access Control (RBAC), allows local users to execute certain commands with additional privileges.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris crontab(1) utility may allow execution of Arbitrary CodeSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in crontab on Sun Solaris 8 through 10, and OpenSolaris before snv_93, allows local users to insert cron jobs into the crontab files of arbitrary users via unspecified vectors.Nicholas HansenDRAFTINTERIMDragos PrisacaACCEPTEDACCEPTEDApache Mod_Access Access Control Rule Bypass VulnerabilitySun Solaris 8Sun Solaris 9Apachemod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDMIT Kerberos 5 Multiple Double-Free VulnerabilitiesSun Solaris 9Kerberos5Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8, 9, 10 ICMP Source Quench Attack VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMMatthew WojcikACCEPTEDPai PengINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDOpenSSL ASN.1 Inputs Character Tracking VulnerabilitySun Solaris 8Sun Solaris 9Sun ClusterOpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.Brian SobyDRAFTINTERIMACCEPTEDEvgeniy PavlovINTERIMACCEPTEDACCEPTEDSolaris Code Execution DoS VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9kernelUnknown vulnerability in Solaris 2.6 through 9 causes a denial of service (system panic) via "a rare race condition" or an attack by local users.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability With Loading Arbitrary Kernel Modules in Solaris KernelSun Solaris 8Sun Solaris 9Sun Solaris 7Sun Solaris 2.6The kernel in Solaris 2.6, 7, 8, and 9 allows local users to gain privileges by loading arbitrary loadable kernel modules (LKM), possibly involving the modload function.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDBind OPT Resource Record DoS VulnerabilitySun Solaris 9BindBIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDApache mod_digest Nonce Verification VulnerabilitySun Solaris 8Sun Solaris 9Apachemod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret.Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDcachefsd DoS via Invalid RPC RequestSun Solaris 7Sun Solaris 8Sun Solaris 9cachefsdcachefsd in Solaris 2.6, 7, and 8 allows remote attackers to cause a denial of service (crash) via an invalid procedure call in an RPC request.Brian SobyDRAFTINTERIMACCEPTEDTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDOpenSSL Integer Overflow VulnerabilitySun Solaris 8Sun Solaris 9Sun ClusterInteger overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.Brian SobyDRAFTINTERIMACCEPTEDEvgeniy PavlovINTERIMACCEPTEDACCEPTEDApache Error Log Escape Sequence Injection VulnerabilitySun Solaris 8Sun Solaris 9ApacheApache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in Solaris Volume Manager (SVM) May Allow a Denial of Service (DoS)Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the ioctl interface in the Solaris Volume Manager (SVM) in Sun Solaris 9 and 10 allows local users to cause a denial of service (panic) via unspecified vectors, a different vulnerability than CVE-2004-1346.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDDtMail Local Command Line Format String VulnerabilitySun Solaris 8Sun Solaris 9DtMailFormat string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain privileges via format strings in the argv[0] value.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMIT Kerberos 5 Key Distribution Center Remote Denial of Service VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10KerberosMIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDACCEPTEDApache Web Server Multiple Module Local Buffer OverflowSun Solaris 8Sun Solaris 9ApacheMultiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDpriocntl Directory Traversal VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9priocntl()Directory traversal vulnerability in priocntl system call in Solaris does allows local users to execute arbitrary code via ".." sequences in the pc_clname field of a pcinfo_t structure, which cause priocntl to load a malicious kernel module.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSendmail Ruleset Parsing Buffer OverflowSun Solaris 7Sun Solaris 8Sun Solaris 9SendmailA "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences.Brian SobyDRAFTINTERIMSun Java System Access Manager Local Authentication Bypass VulnerabilitySun Solaris 10Sun Solaris 9Sun Solaris 8Access ManagerUnspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDACCEPTEDPatches Disable Basic Security Module Auditing FunctionalitySun Solaris 9Basic Security ModuleThe patches (1) 114332-08 and (2) 114929-06 for Sun Solaris 9 disable the auditing functionality of the Basic Security Module (BSM), which allows attackers to avoid having their activity logged.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDsshd Log Bypass VulnerabilitySun Solaris 9sshdThe Secure Shell (SSH) Daemon (SSHD) in Sun Solaris 9 does not properly log IP addresses when SSHD is configured with the ListenAddress as 0.0.0.0, which makes it easier for remote attackers to hide the source of their activities.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDSunOS 5.9: ufs and fsck patchSun Solaris 9Solaris Volume Manager (SVM)The Sun Solaris Volume Manager (SVM) on Solaris 9 allows local users to cause a denial of service (kernel panic) via a malformed probe request to the SVM.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDJonathan BakerINTERIMMatthew WojcikACCEPTEDEvgeniy PavlovINTERIMACCEPTEDACCEPTEDBuffer Overflow in Solaris ping DaemonSun Solaris 7Sun Solaris 8Sun Solaris 9Licence Logging ServiceBuffer overflow in the ping daemon of Sun Solaris 7 through 9 may allow local users to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDKerberos 5 Double-free Vulnerability in krb5_rd_cred FunctionSun Solaris 9Kerberos5Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.Brian SobyDRAFTBrian SobyINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in RPCSEC_GSS (rpcsec_gss(3NSL)) Affects Kerberos Administration Daemon (kadmind(1M))Sun Solaris 8Sun Solaris 9Sun Solaris 10Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDCGI.pm start_form Cross-Site Scripting VulnerabilitySun Solaris 8Sun Solaris 9PerlCross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in Solaris Kernel Statistics Retrieval Process May Allow a Denial of Service (DoS)Sun Solaris 8Sun Solaris 9Sun Solaris 10Multiple unspecified vulnerabilities in the kernel in Sun Solaris 8 through 10 allow local users to cause a denial of service (panic), related to the support for retrieval of kernel statistics, and possibly related to the sfmmu_mlspl_enter or sfmmu_mlist_enter functions.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDSolaris TCP/IP Stack System Panic VulnerabilitySun Solaris 8Sun Solaris 9TCP/IPUnknown vulnerability in the TCP/IP stack for Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDXFS Dispatch() Buffer OverflowSun Solaris 9fs.auto, xfsBuffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.Brian SobyDRAFTINTERIMACCEPTEDTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSolaris 9 CDE ToolTalk Database Server Symbolic Link VulnerabilitySun Solaris 9Common Desktop EnvironmentCDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.Brian SobyDRAFTINTERIMACCEPTEDBrian SobyBrian SobyINTERIMACCEPTEDTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDBuffer Management Error in OpenSSHSun Solaris 9OpenSSHA "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDKCMS KCS_OPEN_PROFILE File Disclosure VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9kcms_serverDirectory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.Brian SobyDRAFTINTERIMACCEPTEDTodd DolinskyINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDOpenSSL Double-free VulnerabilitySun Solaris 8Sun Solaris 9Sun ClusterDouble free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding.Brian SobyDRAFTINTERIMACCEPTEDEvgeniy PavlovINTERIMACCEPTEDACCEPTEDClear Text Password Logging VulnerabilitySun Solaris 9Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDBSM Audit Kernel PanicSun Solaris 7Sun Solaris 8Sun Solaris 9Basic Security ModuleUnknown vulnerability in the Basic Security Module (BSM), when configured to audit either the Administrative (ad) or the System-Wide Administration (as) audit class in Solaris 7, 8, and 9, allows local users to cause a denial of service (kernel panic).Brian SobyDRAFTSudhir GandheINTERIMSendmail Address Processor Buffer OverflowSun Solaris 7Sun Solaris 8Sun Solaris 9SendmailBuffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Handling of Thread Contexts in the Solaris Kernel May Allow a Denial of Service (DoS)Sun Solaris 8Sun Solaris 9Sun Solaris 10Race condition in the kernel in Sun Solaris 8 through 10 allows local users to cause a denial of service (panic) via unspecified vectors related to "the handling of thread contexts."Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDA Security Vulnerability in Solaris libnsl(3LIB) may lead to a Denial of Service (DoS) to the rpcbind(1M) ServiceSun Solaris 8Sun Solaris 9Unspecified vulnerability in libnsl in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (crash) via malformed RPC requests that trigger a crash in rpcbind.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in X Display Manager (xdm(1)) Xsession ScriptSun Solaris 8Sun Solaris 9Sun Solaris 10The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSendmail Custom DNS Map Buffer OverflowSun Solaris 9SendmailBuffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malicious DNS server.Brian SobyDRAFTBrian SobyINTERIMACCEPTEDACCEPTEDA Security Vulnerability With the Special File System (SPECFS) strfreectty() Function May Allow a Local Unprivileged User to Panic a SystemSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the strfreectty function in the Special File System (SPECFS) in Sun Solaris 8 through 10 allows local users to cause a denial of service (system panic), related to passing a NULL pointer to the pgsignal function.Todd DolinskyDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in Solaris Named Pipes (pipe(2)) May Allow Unauthorized Data AccessSun Solaris 8Sun Solaris 9Sun Solaris 10Integer signedness error in FIFO filesystems (named pipes) on Sun Solaris 8 through 10 allows local users to read the contents of unspecified memory locations via a negative maximum length value to the I_PEEK ioctl.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability Due to Buffer Overflow in The format(1M) Command May Allow Privilege Elevation For Certain RBAC ProfilesSun Solaris 8Sun Solaris 9Sun Solaris 10Buffer overflow in the format command in Solaris 8, 9, and 10 allows local users with access to format (such as the "File System Management" RBAC profile) to execute arbitrary code via unknown vectors, a different vulnerability than CVE-2006-4307.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSamba call_trans2open() Buffer OverflowSun Solaris 9SambaBuffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in BIND 8 May Allow Cache Poisoning AttackSun Solaris 8Sun Solaris 9The (1) NSID_SHUFFLE_ONLY and (2) NSID_USE_POOL PRNG algorithms in ISC BIND 8 before 8.4.7-P1 generate predictable DNS query identifiers when sending outgoing queries such as NOTIFY messages when answering questions as a resolver, which allows remote attackers to poison DNS caches via unknown vectors. NOTE: this issue is different from CVE-2007-2926.Todd DolinskyDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Solaris libsldap Library May Allow a Denial of Service to nscd(1M)Sun Solaris 8Sun Solaris 9Sun Solaris 10The libsldap library in Sun Solaris 8, 9, and 10 allows local users to cause a denial of service (Name Service Caching Daemon (nscd) crash) via unspecified vectors.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDKerberos 5 ASN.1 Library DoSSun Solaris 9Kerberos5The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding.Brian SobyDRAFTBrian SobyINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in Solaris ld.so.1(1) may Lead to Execution of Arbitrary Code with Elevated PrivilegesSun Solaris 8Sun Solaris 9Sun Solaris 10Directory traversal vulnerability in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via a .. (dot dot) sequence in the LANG environment variable that points to a locale file containing attacker-controlled format string specifiers.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVulnerability With Solaris IPv6 May Allow a Remote User the Ability to Create a Denial of Service ConditionSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in Sun Solaris 8, 9 and 10 allows remote attackers to cause a denial of service (panic) via crafted IPv6 packets, a different vulnerability than CVE-2006-5013.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDKerberos Client Plaintext Password VulnerabilitySun Solaris 9pam_krb5Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files.Brian SobyDRAFTBrian SobyINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in the tip(1) Command May Allow Execution of Arbitrary Code With Elevated PrivilegesSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple unspecified vulnerabilities in tip in Sun Solaris 8, 9, and 10 allow local users to gain uucp account privileges via unspecified vectors.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDGNOME XScreenSaver in Solaris 8 and 9 may Allow Physically Proximate Attackers to Access the ConsoleSun Solaris 8Sun Solaris 9GNOME XScreenSaver in Sun Solaris 8 and 9 before 20070417, when root is logged into the console, does not automatically lock the screen after a session has been inactive, which might allow physically proximate attackers to access the console.Yuzheng ZhouDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the X Inter Client Exchange Library (libICE)Sun Solaris 8Sun Solaris 9Unspecified vulnerability in Sun Solaris X Inter Client Exchange library (libICE) on Solaris 8 and 9 allows context-dependent attackers to cause a denial of service (application crash) to applications that use the library.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Human Interface Device (HID) Class Driver for SolarisSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the HID (Human Interface Device) class driver in Sun Solaris 8, 9, and 10 before 20070925 allows local users to cause a denial of service (panic) via unspecified vectors.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDdtsession(1X) Contains a Buffer Overflow VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Buffer overflow in the dtsession Common Desktop Environment (CDE) Session Manager in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via unspecified vectors.Yuzheng ZhouDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the vuidmice(7M) STREAMS Modules May Lead to a Denial of Service (DoS) ConditionSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the vuidmice STREAMS modules in Sun Solaris 8, 9, and 10 allows local users with console (/dev/console) access to cause a denial of service ("unusable" system console) via unspecified vectors.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDApache Connection Blocking Denial Of Service VulnerabilitySun Solaris 8Sun Solaris 9ApacheApache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDMultiple vulnerabilities in libfreetype, Xsun(1) and Xorg(1)Sun Solaris 8Sun Solaris 9Sun Solaris 10Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDOff-by-one Error in fb_realpath()Sun Solaris 9Solaris Management Console (SMC)Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.Brian SobyDRAFTINTERIMACCEPTEDTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the in.iked(1M) Service May Lead To a Denial of Service (DoS)Sun Solaris 9The libike library in Sun Solaris 9 before 20070529 contains a logic error related to a certain pointer, which allows remote attackers to cause a denial of service (in.iked daemon crash) by sending certain UDP packets with a source port different from 500. NOTE: this issue might overlap CVE-2006-2298.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in NFS Client Module May Lead to a Denial of Service ConditionSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the NFS client module in Sun Solaris 8 through 10 before 20070524, when operating as an NFS server, allows remote attackers to cause a denial of service (crash) via certain Access Control List (acl) packets.John WregglesworthDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability With NIS server ypserv(1M) May Allow a Denial of Service (DoS) to OccurSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in NIS server on Sun Solaris 8, 9, and 10 allows local and remote attackers to cause a denial of service (ypserv hang) via unknown vectors.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in Sun Remote Services (SRS) Net Connect SoftwareSun Solaris 8Sun Solaris 9Sun Solaris 10srsexec in Sun Remote Services (SRS) Net Connect Software Proxy Core package in Sun Solaris 10 does not enforce file permissions when opening files, which allows local users to read the first line of arbitrary files via the -d and -v options.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerabilities in Solaris ld.so.1(1) may Lead to Execution of Arbitrary Code with Elevated PrivilegesSun Solaris 8Sun Solaris 9Sun Solaris 10Stack-based buffer overflow in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via large precision padding values in a format string specifier in the format parameter of the doprf function. NOTE: this issue normally does not cross privilege boundaries, except in cases of external introduction of malicious message files, or if it is leveraged with other vulnerabilities such as CVE-2006-6494.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDdtsession Buffer Overflow via HOME EnvvarSun Solaris 7Sun Solaris 8Sun Solaris 9Common Desktop EnvironmentHeap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDLDAP rootDN Password Disclosure VulnerabilitySun Solaris 8Sun Solaris 9LDAPUnspecified vulnerability in Solaris 8 and 9 allows local users to obtain the LDAP Directory Server root Distinguished Name (rootDN) password when a privileged user (1) runs idsconfig; or "insecurely" runs LDAP2 commands with the -w option, including (2) ldapadd, (3) ldapdelete, (4) ldapmodify, (5) ldapmodrdn, and (6) ldapsearch.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMultiple vulnerabilities in libfreetype, Xsun(1) and Xorg(1)Sun Solaris 8Sun Solaris 9Sun Solaris 10Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDBuffer Overflow Vulnerability in libX11Sun Solaris 8Sun Solaris 9Sun Solaris 10Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDXPM Image Decoder Malicious Color String VulnerabilitySun Solaris 8Sun Solaris 9Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688).Robert L. HollisDRAFTINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the rcp(1) Command May Allow Execution of Unintended CommandsSun Solaris 8Sun Solaris 9Sun Solaris 10rcp on Sun Solaris 8, 9, and 10 before 20070710 does not properly call certain helper applications, which allows local users to gain privileges by creating files with certain names, possibly containing shell metacharacters or spaces, a similar issue to CVE-2006-0225.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in X Display Manager (xdm(1)) Xsession ScriptSun Solaris 8Sun Solaris 9Sun Solaris 10Race condition in the Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060225, and Solaris 8 through 10 before 20061006, causes a user's Xsession errors file to have weak permissions before a chmod is performed, which allows local users to read Xsession errors files of other users.Pai PengDRAFTINTERIMACCEPTEDACCEPTED/usr/lib/print/conv_fix Privilege Escalation VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Kerberos Administration Daemon (kadmind(1M)) May Lead to Arbitrary Code ExecutionSun Solaris 9Sun Solaris 10Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.Nicholas HansenDRAFTINTERIMACCEPTEDNicholas HansenINTERIMACCEPTEDACCEPTEDEnterprise Storage Manager 2.1 SAN Manager management station patchSun Solaris 8Sun Solaris 9Sun Enterprise Storage Manager (ESM)Unknown vulnerability in Sun StorEdge Enterprise Storage Manager (ESM) 2.1 for Solaris 8 and Solaris 9 allows local users with the "ESMUser" role to gain root access.Brian SobyDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSun Solaris Gzip Race condition and Directory Traversal IssuesSun Solaris 8Sun Solaris 9Sun Solaris 10gzipDirectory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDPai PengINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in libX11 for SolarisSun Solaris 8Sun Solaris 9Sun Solaris 10Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDsendfilev DoS VulnerabilitySun Solaris 8Sun Solaris 9sendfilev()Unknown vulnerability in the sendfilev function in Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Logging Mechanism for Solaris Management Console (SMC) May Lead to Escalation of PrivilegesSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the logging mechanism in Solaris Management Console (SMC) on Sun Solaris 8 through 10 before 20070605 allows remote attackers to execute arbitrary code via unspecified vectors, related to the WBEM server.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability With RSA Signature Affects Solaris Applications Utilizing the libike LibrarySun Solaris 9Sun Solaris 10The libike library, as used by in.iked, elfsign, and kcfd in Sun Solaris 9 and 10, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents libike from correctly verifying X.509 and other certificates that use PKCS #1, a similar issue to CVE-2006-4339.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDCD Drive DoS VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the hsfs filesystem in Solaris 8, 9, and 10 allows unspecified attackers to cause a denial of service (panic) or execute arbitrary code.Robert L. HollisDRAFTINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDA Security Vulnerability in the Solaris Kernel May Allow a Denial of Service (DoS) Condition to OccurSun Solaris 8Sun Solaris 9Sun Solaris 10Race condition in the kernel in Sun Solaris 8 through 10 allows local users to cause a denial of service (panic) via unspecified vectors, possibly related to the exitlwps function and SIGKILL and /proc PCAGENT signals.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDpagedata Subsystem Local DoS VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the pagedata subsystem of the process file system (/proc) in Solaris 8 through 10 allows local users to cause a denial of service (system hang or panic) via unknown attack vectors that cause cause the kmem_oversize arena to allocate a large amount of system memory that does not get freed.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDXPM Image Decoder Buffer OverflowSun Solaris 8Sun Solaris 9Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687).Robert L. HollisDRAFTINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDSecurity Vulnerability May Allow Users With the "File System Management" RBAC Profile to Gain Elevated PrivilegesSun Solaris 8Sun Solaris 9Unspecified vulnerability in the format command in Sun Solaris 8 and 9 before 20060821 allows local users to modify arbitrary files via unspecified vectors involving profiles that permit running format with elevated privileges, a different issue than CVE-2006-4306 and CVE-2006-4319.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDuucp/uustat Privilege Escalation VulnerabilitySun Solaris 8Sun Solaris 9Unspecified vulnerability in uucp in Sun Solaris 8 and 9 has unknown impact and attack vectors. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2004-0780.Robert L. HollisDRAFTMatthew WojcikINTERIMACCEPTEDShane ShafferINTERIMACCEPTEDACCEPTEDSecurity Vulnerability May Allow Users With the "File System Management" RBAC Profile to Gain Elevated PrivilegesSun Solaris 8Sun Solaris 9Unspecified vulnerability in Sun Solaris 8 and 9 before 20060821 allows local users to execute arbitrary commands via unspecified vectors, involving the default Role-Based Access Control (RBAC) settings in the "File System Management" profile.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the kcms_calibrate(1) CommandSun Solaris 8Sun Solaris 9Unspecified vulnerability in kcms_calibrate in Sun Solaris 8 and 9 before 20071122 allows local users to execute arbitrary commands via unknown vectors.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDManagement Console Directory Traversal VulnerabilitySun Solaris 8Sun Solaris 9Solaris Management Console (SMC)The Solaris Management Console (SMC) in Sun Solaris 8 and 9 generates different 404 error messages when a file does not exist versus when a file exists but is otherwise inacessible, which could allow remote attackers to obtain sensitive information in conjunction with a directory traversal (..) attack.Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMACCEPTEDACCEPTEDAlternate ps Command Information Disclosure VulnerabilitySun Solaris 8Sun Solaris 9/usr/ucb/ps in Sun Microsystems Solaris 8 and 9, and certain earlier releases, allows local users to view the environment variables and values of arbitrary processes via the -e option.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDACCEPTEDSamba Encrypted Password DoSSun Solaris 9SambaBuffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSMC TRACE HTTP VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Solaris Management ConsoleThe default configuration of the web server for the Solaris Management Console (SMC) in Solaris 8, 9, and 10 enables the HTTP TRACE method, which could allow remote attackers to obtain sensitive information such as cookies and authentication data from HTTP headers.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDPC Netlink 2.0 Privilege Escalation VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Solaris Management ConsoleThe (1) slsmgr and (2) slsadmin programs in Sun Solaris PC NetLink 2.0 create temporary files insecurely, which allows local users to gain privileges.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability With Loading Arbitrary Kernel Modules in Solaris KernelSun Solaris 8Sun Solaris 9Sun Solaris 7Sun Solaris 2.6Directory traversal vulnerability in the vfs_getvfssw function in Solaris 2.6, 7, 8, and 9 allows local users to load arbitrary kernel modules via crafted (1) mount or (2) sysfs system calls. NOTE: this might be the same issue as CVE-2004-1767, but there are insufficient details to be sure.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDSolaris 7 (SPARC) is installedSun Solaris 7The operating system installed on the system is Sun Solaris 7 for SPARC.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSolaris 7 (x86) is installedSun Solaris 7The operating system installed on the system is Sun Solaris 7 for x86.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSolaris 2.6 (x86) is installedSun Solaris 2.6The operating system installed on the system is Sun Solaris 2.6 for x86.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDSolaris 2.6 (SPARC) is installedSun Solaris 2.6The operating system installed on the system is Sun Solaris 2.6 for SPARC.Nicholas HansenDRAFTINTERIMACCEPTEDACCEPTEDSolaris Hosts are Vulnerable to a Denial of Service Induced by an Internet Transmission Control Protocol (TCP) "ACK Storm"Sun Solaris 8Sun Solaris 9Sun Solaris 10The TCP implementation in Sun Solaris 8, 9, and 10 before 20060726 allows remote attackers to cause a denial of service (resource exhaustion) via a TCP packet with an incorrect sequence number, which triggers an ACK storm.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the Authentication Mechanism for Solaris Management Console (SMC) May Lead to Escalation of PrivilegesSun Solaris 8Sun Solaris 9Sun Solaris 10Unspecified vulnerability in the authentication mechanism in Solaris Management Console (SMC) on Sun Solaris 8 through 10 before 20070605 allows remote authenticated users to execute arbitrary code via unspecified vectors, related to the WBEM server.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDMultiple vulnerabilities in libfreetype, Xsun(1) and Xorg(1)Sun Solaris 8Sun Solaris 9Sun Solaris 10Integer overflow in the FontFileInitTable function in X.Org libXfont before 20070403 allows remote authenticated users to execute arbitrary code via a long first line in the fonts.dir file, which results in a heap overflow.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSolaris SAdmin Client Credentials Remote Administrative Access VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9SadminThe default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets.Brian SobyBrian SobyDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDTodd DolinskyINTERIMTodd DolinskyACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSecurity Vulnerability in the sshd(1M) Protocol Version 1 Implementation May Allow a Denial of Service to the HostSun Solaris 9Sun Solaris 10sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.Yuzheng ZhouDRAFTINTERIMACCEPTEDACCEPTEDSafe.PM Unsafe Code Execution VulnerabilitySun Solaris 8Sun Solaris 9PerlSafe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and earlier, may allow attackers to break out of safe compartments in (1) Safe::reval or (2) Safe::rdo using a redefined @_ variable, which is not reset between successive calls.Robert L. HollisDRAFTINTERIMACCEPTEDNabil OuchnINTERIMACCEPTEDDragos PrisacaINTERIMACCEPTEDACCEPTEDSolaris 8 (x86) is installedSun Solaris 8The operating system installed on the system is Sun Solaris 8 for x86.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 (SPARC) is installedSun Solaris 8The operating system installed on the system is Sun Solaris 8 for SPARC.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDSecurity Vulnerability Relating to scp(1) Command May Allow Attackers to Execute Arbitrary CommandsSun Solaris 9Sun Solaris 10scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.Yuzheng ZhouDRAFTINTERIMACCEPTEDJerome AthiasINTERIMACCEPTEDACCEPTEDSolaris 10 (x86) is installedSun Solaris 10The operating system installed on the system is Sun Solaris 10 for x86.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDSolaris 9 (x86) is installedSun Solaris 9The operating system installed on the system is Sun Solaris 9 for x86.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDSolaris 9 (SPARC) is installedSun Solaris 9The operating system installed on the system is Sun Solaris 9 for SPARC.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDSolaris 10 (SPARC) is installedSun Solaris 10The operating system installed on the system is Sun Solaris 10 for SPARC.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDBuffer Overflows in uucpSun Solaris 7Sun Solaris 8Sun Solaris 9uucpMultiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user.Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMACCEPTEDACCEPTEDKerberos V5 Null Pointer DoS VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Solaris Enterprise Authentication Mechanism (SEAM)MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris 9 CDE ToolTalk Database Null Write VulnerabilitySun Solaris 9Common Desktop EnvironmentCDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.Brian SobyDRAFTINTERIMACCEPTEDBrian SobyBrian SobyINTERIMACCEPTEDTodd DolinskyINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSolaris 9 Systems With Solaris Auditing (BSM) Enabled may Panic if Certain Audit Classes are Being AuditedSun Solaris 9Unspecified vulnerability in Sun Solaris 9, when Solaris Auditing (BSM) is enabled for file read, write, attribute modify, create, or delete audit classes, allows local users to cause a denial of service (panic) via unknown vectors, possibly related to the audit_savepath function.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDSolaris Xsun Privilege Escalation via Pixmaps VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10XMultiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDlibtiff Directory Entry Count Integer Overflow VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10libtiffInteger overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDlibtiff Malloc Error Denial of ServiceSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10libtiffMultiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDlibtiff tif_dirread divide-by-zero Denial of ServiceSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10libtiffVulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDlibtiff RLE Decoder Buffer Overflow VulnerabilitiesSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10libtiffMultiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDX Display Manager DoS via Invalid XDMCP RequestSun Solaris 7Sun Solaris 8Sun Solaris 9XDMX Display Manager (XDM) on Solaris 8 allows remote attackers to cause a denial of service (XDM crash) via an invalid X Display Manager Control Protocol (XDMCP) request.Robert L. HollisChristine WalzerDRAFTINTERIMACCEPTEDACCEPTEDApache mod_proxy Content-Length Header Buffer OverflowSun Solaris 8Sun Solaris 9Apache httpdHeap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDApache Allow/Deny Parsing ErrorSun Solaris 8Sun Solaris 9Apachemod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache Listening Socket Starvation VulnerabilitySun Solaris 8Sun Solaris 9ApacheApache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache Error Log Escape Sequence Filtering VulnerabilitySun Solaris 8Sun Solaris 9ApacheApache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache Nonce Verification Response Replay VulnerabilitySun Solaris 8Sun Solaris 9Apachemod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDegrep "^[Srecipient=2|S2]|^[^#]*\$>2|^[^#]*\$>recipient|^[^#]*\$>4|^[^#]*\$>final" /etc/mail/sendmail.cf True if any lines returnedgrep c2audit /etc/system True if "set c2audit:audit_load = 1" or similiaregrep ^flags:.*a[sd] /etc/security/audit_control True if any lines returnedSolaris Management Console web interfaceRough translation of the Sun recommended test of: % grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___ default_realm = EXAMPLE.COM118908
118966
112785
119059
/usr/openwin/binXprt119060
112786
108652
108653
/usr/openwin/binXsun119435
114344
116966
116965
109324
118535
121004
109325
118536
121005
119067
119060
112786
119059
119068
112785
123373
123372
124970
124245
124969
124244
119211
22119212
22119213
21SUNWtls119214
21119209
22118191
04118192
04139100
03139099
03120955
119783
14119784
14112837
21114265
20119784
15/etcnamed.conftrusted\-keys119783
15SUNWkrgdoSUNWkr5svSUNWkrgglSUNWkr5sl112234
117172
109321
114890
120467
120468
^/etc/lp/printers/.*112960
114242
128624
140917
rpc\.nisd128625
140918
svc:/network/rpc/nisplus:default122300
122301
113329
114980
109320
109321
114014
125732
114015
125731
138896
140837
138897
140838
141014
141015
140922
140921
122301
/etcsystem^[^*].+c2audit122300
139555
139556
119346
SUNWsasl115343
115328
115342
119345
114435
113451
/etc/inet/ikeconfig140196
140414
118192
118192
114344
119435
138889
138888
126133
/etc/sshsshd_config^\s*X11Forwarding\s+no\s*114357
114356
/etc/sshsshd_config^\s*X11Forwarding\s+yes\s*126134
140383
140384
113685
140427
113686
140426
116966
138889
116965
114344
138888
119435
112785
119067
119059
119068
119060
112786
118191
118191
128624
139560
116053
113318
128625
autofs139561
SUNWrcmds118239
116984
117455
/usr/sbin/in.rwhod114265
112837
109327
109326
119784
119783
116479
113031
120831
120830
110904
110903
114016
122911
SUNWtcatr114017
122912
.*Xorg\b.*115158
SUNWxwsvr120095
120094
115299
115159
115298
109077
112837
109078
114265
138876
138877
115168
112908
109806
139479
109805
139478
121775
122212
122213
138882
116669
138574
138632
141414
122300
127722
127721
141415
122301
138876
109077
114265
109078
138877
svc:/network/dhcp-server:default112837
117351
139484
139483
122300
117350
/etcmnttab^[^\t]+\t[^\t]+\tufs\t(.+)122301
136717
114984
114971
114985
138570
136716
124420
119812
116106
124421
116105
119813
114344
116966
118822
116965
118844
119435
123402
123403
115553
115554
122301
117350
137111
122300
137112
117351
114678
119810
114677
119811
138372
138371
112237
115168
112908
112238
112240
112390
112785
119060
125719
119059
119068
119067
118908
125720
112786
/usr/openwin/binXsun116455
116453
116454
116442
108965
112915
138083
108964
114262
138084
122300
113273
122301
114858
113329
109321
127128
114980
109320
127127
114014
125731
125732
114015
SUNWdtba[sx]SUNWdthep107178
108949
116308
122301
127111
116965
119435
127112
116966
114344
112960
/etcnsswitch.conf^[^#].*_attr.*ldap137017
137018
109008
109007
122301
122300
.*krb5kdc.*117470
116966
116965
118822
118844
118305
SUNWinamd112970
114008
.*100235/1108800
110896
113073
118559
113026
122371
113994
126257
124256
116669
109613
112810
SUNWdtdst112238
SUNWCryr112390
112237
120469
112240
112537
120470
112536
SUNWCry120954
SUNWamsvc/etcsystem^[^\*]*set.*c2audit.*SUNWsshdu/etc/sshsshd_config^[^#]*ListenAddress.*0\.0\.0\.0113073
SUNWlvmr^/etc/rc[2-4]\.d$^S[0-9][0-9]svm\.init$/etcvfstab^/dev/md/SUNWbip118313
116986
116774
126661
126662
126929
126928
113318
117468
122092
122091
127112
122301
117351
117350
127111
122300
116895
117000
SUNWxwfs113923
.*fs113273
^.*sshd.*SUNWkcsr[tx]114636
107337
111400
.*100221/1113505
113508
115054
115055
SUNWscvw^/usr/apache/bin/httpd.*SUNWscvw/conf/httpd\.conf.*/etcpam.conf[^#]*pam_krb5.+debug.*/etc/pam\.conf.*112908
/etc/krb5krb5.conf[^(#|_)]*default_realm[^_]*/etcsyslog.conf[^#]*(debug|daemon\.debug).*/etc/syslog\.conf115168
106541
109007
114332
SUNWsndmu107684
110615
.*sendmail .*122301
117351
117350
125100
125101
122300
113719
113319
108993
108994
SUNWsndmr113575
109025
118844
117350
117351
118822
109026
122301
122300
127738
127737
117472
109454
109455
117471
118997
SUWNsmbar.*^.*smbd.*114265
112837
109327
109326
/usr/sbin/in.named120037
126374
112960
120036
126373
114242
114344
119435
119075
119076
/etc/krb5krb5.conf/etcpam.conf[^#]*pam_krb5.*debug/etcsyslog.conf^[^#]*(\*|daemon)\.debug124998
124997
123368
111505
111504
123369
/usr/share/gnome/gnome-aboutgnome-version.xml\s*<minor>0</minor>\s*115159
115298
115158
115299
/usr/share/gnome/gnome-aboutgnome-version.xml\s*<platform>2</platform>\s*115553
115554
125124
125123
109896
113241
125279
125280
109354
109355
113240
127751
114154
117419
SUNWapchuSUNWftpu114564
.*ftp114435
113451
/etc/inet/ikeconfig116960
113318
117468
116959
124259
124258
109329
122078
123186
114342
113579
109328
123870
SUNWsrspx125713
124922
113986
112963
109147
109148
124923
107702
109354
114497
108993
115677
121321
108994
115678
121322
119813
119812
116106
124421
124420
116105
112785
112786
119067
119059
119068
119060
125794
121132
114717
114669
114716
114670
110671
110670
111845
124830
124457
124831
124458
111844
SUNWpcu107115
109320
113329
SUNWkr5ma.*kadmindSUNWstm117367
112669
112668
116341
116340
120720
120719
112785
112786
119067
119059
119060
119068
108528
112233
118372
114435
113451
118371
109764
116047
119596
109765
121995
118813
121316
123703
117350
116960
117125
120884
118558
120662
123704
121317
118559
119439
113278
116959
117351
118822
120661
118844
117350
118558
118822
117351
118559
118844
/usr/share/gnome/gnome-aboutgnome-version.xml\s*<description>2\.0\.0.*</description>\s*114644
114645
114686
/usr/share/gnome/gnome-aboutgnome-version.xml\s*<description>2\.0\.2.*</description>\s*115738
114687
115739
/usr/share/gnome-aboutgnome-version.xml\s*<distributor-version>Sun Java Desktop System, Release 2</distributor-version>\s*121092
111571
115880
113072
114423
108975
108976
111400
114637
111401
114636
SUNWwbmc.*smcboot109023
120240
109024
120239
SUNWsmbau114684
^.*smbd.*111313
111314
116807
116808
121308
121309
SUNWlzas121332
108529
108528
106541
112234
112233
105181
106542
105182
118855
118305
117470
116966
116965
118833
114193
112945
121308
111313
111314
121309
SUNWwbmc125720
112785
119059
112786
124833
119060
119068
119067
SUNWadmfw.*100232/10116457
116442
116454
.*100232/10113273
/etc/sshsshd_config^\s*Protocol\s+123324
/etc/sshsshd_config^\s*Protocol\s+.*1114858
123325
122092
122091
119450
119449
123325
114357
123324
114356
SUNWbnuu106952
111570
113322
SUNWkr5svSUNWkr5slSUNWkrgdoSUNWkrggl112536
112908
112237
112390
/etc/krb5krb5.conf^[^#_]*default_realm[^=]*=[^_]*$^.*inetd.*.*100083/1SUNWtltkx?112808
122300
122301
/usr/X11/binXorg108652
119059
108653
119060
.*Xsun\b.*SUNWdtwm118953
118954
109931
109932
114219
SUNWTiffSUNWTiffx114220
119900
119901
111844
111845
112785
112786
.*httpd116973
116974
113146
114145
02095005truetrue05399382true15252609030109030127512808620201010510150509050811111216192417171617030365500901ONLINE40070923220401420841080714153826131403070601333437012565461145540201033409automountd010101011415230602040608031523110216211518331901012202340103020542152101ONLINE160160\brw\b3403020105030807322927302820012925643005561505061619341513146337073809041752030205110401160911171319201102180308011023322211313438170226270718192728082519050301/usr/lib/fs/cachefs/cachefsd02021112070204033107061211081301100601200603241804051111017\.0,.*7\.0,.*08100513010203023218500113010302/usr/openwin/lib/fs.auto04010302/usr/openwin/bin/kcms_server02020101120413033318120808034802106501074924081106041802^.*smbd.*1314201521201313120301532824013502262513010203010502/usr/sbin/in.ftpd121329151604093\.2\.3,.*3\.2\.3,.*3\.2\.4,.*3\.2\.4,.*2227424112190114510201145102010406564502030504140905010303040401016251262508271204061106030306010301023014154003193322293322290303030403040104040302080402010501050101030302020101015.75.6271129371007061617123545050903612550022407/usr/sbin/sadmind020101/usr/sbin/sadmind1512035.801015.10110312040302020407070/usr/dt/bin/rpc.ttdbserverd02^i.*8606[Ss][Pp][Aa][Rr][Cc]5.99452088341085.1002021010111101015.7030338275.85.9sparc^i.*8602020504