The OVAL Repository5.62015-09-03T07:27:28.960-04:00Red Hat OpenSSL do_change_cipher_spec Function Denial of ServiceRed Hat Linux 9OpenSSLThe do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.Matt BusbyMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat OpenSSL Improper Unknown Message Handling VulnerabilityRed Hat Linux 9OpenSSLOpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.Matt BusbyMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Ethereal Denial of Service via 0-Length Presentation Protocol SelectorRed Hat Linux 9Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector.Jay BealeJay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDEthereal SPNEGO Dissector Denial of Service VulnerabilityRed Hat Linux 9EtherealThe SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJerome AthiasINTERIMACCEPTEDACCEPTEDRed Hat Ethereal Denial of Service via Malformed RADIUS PacketRed Hat Linux 9The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.Jay BealeJay BealeINTERIMACCEPTEDThomas R. 
JonesINTERIMACCEPTEDACCEPTEDMultiple BO Vulnerabilities in Red Hat EtherealRed Hat Linux 9Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.Jay BealeJay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Squid ACL Bypass VulnerabilityRed Hat Linux 9The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDRed Hat Mozilla Zombie Document VulnerabilityRed Hat Linux 9mozillaMozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Mozilla Bypass Cookie Access Restrictions VulnerabilityRed Hat Linux 9mozillaMozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.Jay BealeINTERIMACCEPTEDThomas R. 
JonesINTERIMACCEPTEDACCEPTEDRed Hat S/MIME Protocol Denial of Service VulnerabilityRed Hat Linux 9mozillaMultiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Multiple stack-based BO Vulnerabilities in ApacheRed Hat Linux 9httpdMultiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.Jay BealeMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDRed Hat Linux Kernel do_mremap Denial of Service VulnerabilityRed Hat Linux 9Linux kernelThe mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Kernel Real Time Clock Data LeakageRed Hat Linux 9Linux kernelReal time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space.Jay BealeMatt BusbyACCEPTEDThomas R. 
JonesINTERIMACCEPTEDACCEPTEDRed Hat kdepim VCF File Information Reader BORed Hat Linux 9KDE Personal Information Management (kdepim)Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file.Jay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDEthereal Malformed Q.931 Packet VulnerabilityRed Hat Linux 9TetherealThe Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDEthereal Malformed SMB Packet VulnerabilityRed Hat Linux 9EtherealThe SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat CVS Server root Directory Access VulnerabilityRed Hat Linux 9CVS serverCVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat tcpdump Denial of Service via ISAKMP Packets IIRed Hat Linux 9tcpdumpThe rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989.Jay BealeACCEPTEDThomas R. 
JonesINTERIMACCEPTEDACCEPTEDRed Hat tcpdump Denial of Service via print_attr_string FunctionRed Hat Linux 9tcpdumpThe print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.Jay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat sysstat port and trigger Scripts symlink Attack VulnerabilityRed Hat Linux 9sysstatThe (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108.Jay BealeMatt BusbyINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat tcpdump Denial of Service via ISAKMP PacketsRed Hat Linux 9tcpdumptcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057.Jay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat gdk-pixbuf Denial of ServiceRed Hat Linux 9gdk-pixbufgdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file.Jay BealeINTERIMMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDEthereal 0.9.12 Vulnerability in OSI DissectorRed Hat Linux 9EtherealThe OSI dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDmod_python Web Server Denial of ServiceRed Hat Linux 9mod_pythonUnknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDRobert L. 
HollisDEPRECATEDJonathan BakerDEPRECATEDRed Hat Linux Kernel do_mremap Privilege Escalation VulnerabilityRed Hat Linux 9mremapThe do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDVicam USB Driver Data Copy VulnerabilityRed Hat Linux 9Vicam USB driverThe Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Kernel ncp_lookup Function BORed Hat Linux 9Linux kernelStack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat Kernel R128 DRI Limits Checking VulnerabilityRed Hat Linux 9Linux kernelUnknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDmod_python Web Server Denial of ServiceRed Hat Linux 9mod_pythonUnknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string.Jay BealeMatt BusbyACCEPTEDThomas R. 
JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDKonqueror Cookie Access Restrictions Bypass VulnerabilityRed Hat Linux 9KDEKonqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDMidnight Commander vfs_s_resolve_symlink BORed Hat Linux 9Midnight CommanderStack-based buffer overflow in vfs_s_resolve_symlink of vfs/direntry.c for Midnight Commander (mc) 4.6.0 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code during symlink conversion.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDslocate Privilege Escalation VulnerabilityRed Hat Linux 9slocateHeap-based buffer overflow in main.c of slocate 2.6, and possibly other versions, may allow local users to gain privileges via a modified slocate database that causes a negative "pathlen" value to be used.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDGaim / Ultramagnetic directIM Packet VulnerabilityRed Hat Linux 9GaimInteger overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow.Jay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDGaim / Ultramagnetic Extract Info Field Function BORed Hat Linux 9GaimBuffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.Jay BealeACCEPTEDThomas R. 
JonesINTERIMACCEPTEDACCEPTEDGaim / Ultramagnetic BO VulnerabilitiesRed Hat Linux 9GaimMultiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.Jay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDMailman Cross-site Scripting Vulnerability IIRed Hat Linux 9MailmanCross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookies of other users.Jay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDMailman Cross-site Scripting VulnerabilityRed Hat Linux 9MailmanCross-site scripting (XSS) vulnerability in the admin CGI script for Mailman before 2.1.4 allows remote attackers to steal session cookies and conduct unauthorized activities.Jay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDRed Hat Mutt BO in Index MenuRed Hat Linux 9MuttBuffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages.Jay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDXFree86 Font File Handling VulnerabilityRed Hat Linux 9XFree86Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084.Jay BealeMatt BusbyACCEPTEDThomas R. 
JonesINTERIMACCEPTEDACCEPTEDRed Hat XFree86 Buffer Overflow in ReadFontAlias IIRed Hat Linux 9XFree86Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat XFree86 Buffer Overflow in ReadFontAliasRed Hat Linux 9XFree86Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRed Hat netpbm File Overwrite VulnerabilityRed Hat Linux 9netpbmnetpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDRedHat Code Execution and DoS Vulnerabilities in PWLibRed Hat Linux 9PWLibMultiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.Jay BealeMatt BusbyACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDEthereal 0.9.12 Vulnerability in DCERPC DissectorRed Hat Linux 9EtherealUnknown vulnerability in the DCERPC (DCE/RPC) dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (memory consumption) via a certain NDR string.Jay BealeINTERIMJay BealeACCEPTEDThomas R. 
JonesINTERIMACCEPTEDACCEPTEDInteger Overflow Vulnerabilities in Ethereal 0.9.11Red Hat Linux 9EtherealMultiple integer overflow vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) Mount and (2) PPP dissectors.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDOff-by-one Vulnerabilities in Ethereal 0.9.11Red Hat Linux 9EtherealMultiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, (4) PPTP, (5) Quake, (6) Quake2, (7) Quake3, (8) Rsync, (9) SMB, (10) SMPP, and (11) TSP dissectors, which do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDypserv NIS Server Denial of ServiceRed Hat Linux 9ypservypserv NIS server before 2.7 allows remote attackers to cause a denial of service via a TCP client request that does not respond to the server, which causes ypserv to block.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDCode Execution Vulnerability in XPDF PDF ViewerRed Hat Linux 9xpdfVarious PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDxinitd Memory Leak Invites Denial of Service AttackRed Hat Linux 9xinetdMemory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections.Jay BealeINTERIMJay BealeJay BealeACCEPTEDThomas R. 
JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDvsftpd Fails to Integrate with TCP WrappersRed Hat Linux 9vsftpdvsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrappers (tcp_wrappers) but is installed as a standalone service, which inadvertently prevents vsftpd from restricting access as intended.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDup2date RPM GPG Signature Verification VulnerabilityRed Hat Linux 9up2dateup2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDUnZip 5.0 Directory Traversal VulnerabilityRed Hat Linux 9unzipDirectory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDSqirrelMail Cross-site Scripting VulnerabilitiesRed Hat Linux 9SquirrelMailMultiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDSendmail BO in prescan FunctionRed Hat Linux 9SendmailThe prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.Jay BealeINTERIMJay BealeACCEPTEDThomas R. 
JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDCommon Unix Printing System Partial Print DOSRed Hat Linux 9Common Unix Printing SystemCUPS before 1.1.19 allows remote attackers to cause a denial of service via a partial printing request to the IPP port (631), which does not time out.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDDenial of Service in Sendmail via the enhdnsbl FeatureRed Hat Linux 9SendmailThe DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDPotential BO in Ruleset Parsing for SendmailRed Hat Linux 9SendmailA "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSendmail BO in Prescan FunctionRed Hat Linux 9SendmailThe prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSymlink Attack Vulnerability in semi/wemi MIME LibrariesRed Hat Linux 9semi MIME libraryThe (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and possibly other versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files.Jay BealeINTERIMJay BealeACCEPTEDThomas R. 
JonesINTERIMACCEPTEDACCEPTEDBO in Samba call_trans2open FunctionRed Hat Linux 9Samba, Samba-TNGBuffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDMultiple Buffer Overflows in SambaRed Hat Linux 9SambaMultiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDSamba Arbitrary File Overwrite VulnerabilityRed Hat Linux 9SambaThe code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDSMB/CIFS Packet Fragment Re-assembly BORed Hat Linux 9smbdBuffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDEthereal NTLMSSP Buffer OverflowRed Hat Linux 9EtherealHeap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDDenial of Service Vulnerability in Postfix Parser CodeRed Hat Linux 9PostfixThe address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" 
string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDEthereal SOCKS String Format VulnerabilityRed Hat Linux 9EtherealFormat string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDPostfix Bounce Scans VulnerabilityRed Hat Linux 9PostfixPostfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDos attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a "!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDRed Hat Eye of GNOME (EOG) Packages Fix Format String VulnerabilityRed Hat Linux 9EOGFormat string vulnerability in Eye Of Gnome (EOG) allows attackers to execute arbitrary code via format string specifiers in a command line argument for the file to display.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDInteger Signedness Error in PINERed Hat Linux 9pineInteger signedness error in rfc2231_get_param from strings.c in PINE before 4.58 allows remote attackers to execute arbitrary code via an email that causes an out-of-bounds array access using a negative number.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDPINE Buffer OverflowRed Hat Linux 9pineBuffer overflow in PINE before 4.58 allows remote attackers to execute arbitrary code via a malformed message/external-body MIME type.Jay BealeINTERIMJay BealeACCEPTEDThomas R. 
JonesINTERIMACCEPTEDACCEPTEDPH Cross-site Scripting VulnerabilityRed Hat Linux 9phpCross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDCGI.pm Cross-site Scripting VulnerabilityRed Hat Linux 9CGI.pmCross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDBuffer Overflow in PAM SMB ModuleRed Hat Linux 9pam_smbBuffer overflow in PAM SMB module (pam_smb) 1.1.6 and earlier, when authenticating to a remote service, allows remote attackers to execute arbitrary code.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDOpenSSL No RSA Blinding VulnerabilityRed Hat Linux 9OpenSSLOpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).Jay BealeINTERIMJay BealeJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDKlima-Pokorny-Rosa Attack VulnerabilityRed Hat Linux 9OpenSSLThe SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack."Jay BealeINTERIMJay BealeJay BealeACCEPTEDThomas R. 
JonesINTERIMACCEPTEDACCEPTEDMutliple Buffer Management Errors in OpenSSHRed Hat Linux 9OpenSSHMultiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDMutliple Buffer Management Errors in OpenSSH IIRed Hat Linux 9OpenSSHA "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDMemory Bugs in OpenSSHRed Hat Linux 9OpenSSH"Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDOpenSSH Indirect User Disclosure VulnerabilityRed Hat Linux 9OpenSSHOpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDmountd xlog Function Off-by-One VulnerabilityRed Hat Linux 9nfs-utilsOff-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines.Jay BealeINTERIMJay BealeACCEPTEDThomas R. 
JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDMYSQL Privilege Escalation Vulnerability via INFO OUTFILE SelectRed Hat Linux 9MySQLMySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INFO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart, as demonstrated by modifying my.cnf.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDMYSQLd Double-free VulnerabilityRed Hat Linux 9MySQLDouble-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDMutt BO VulnerabilityRed Hat Linux 9MuttBuffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDMultilingual File Viewer .lv File Sneak Attack VulnerabilityRed Hat Linux 9lvlv reads a .lv file from the current working directory, which allows local users to execute arbitrary commands as other lv users by placing malicious .lv files into other directories.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDLPRng Symbolic Link Attack VulnerabilityRed Hat Linux 9LPRngpsbanner in the LPRng package allows local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file.Jay BealeINTERIMJay BealeACCEPTEDThomas R. 
JonesINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDKDE Konqueror Userid/Password Disclosure VulnerabilityRed Hat Linux 9KonquerorKDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites.Jay BealeINTERIMACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDC-Media Sound Driver Userspace Access VulnerabilityRed Hat Linux 9Linux kernelThe C-Media PCI sound driver in Linux before 2.4.22 does not use the get_user function to access userspace in certain conditions, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0699.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDC-Media Sound Driver Userspace Access Vulnerability IIRed Hat Linux 9Linux kernelThe C-Media PCI sound driver in Linux before 2.4.21 does not use the get_user function to access userspace, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0700.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDLunix Kernel NFSv3 Procedure Kernel Panic VulnerabilityRed Hat Linux 9Linux kernelInteger signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call.Jay BealeINTERIMJay BealeACCEPTEDThomas R. JonesINTERIMACCEPTEDACCEPTEDLinux Kernel Bridge Forwarding Table Spoof VulnerabilityRed Hat Linux 9Linux kernelLinux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target.Jay BealeINTERIMJay BealeACCEPTEDThomas R. 
Jones, INTERIM, ACCEPTED, ACCEPTED

STP Protocol Length Verification Vulnerability
Red Hat Linux 9; Linux kernel
The STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Insecure Design of the STP Protocol
Red Hat Linux 9; Linux kernel
The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Linux Kernel /proc/self setuid Vulnerability
Red Hat Linux 9; Linux kernel
The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Linux Kernel execve Read Access to Restricted File Descriptors
Red Hat Linux 9; Linux kernel
The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, Jerome Athias, INTERIM, ACCEPTED, ACCEPTED

Linux Kernel Reuse Flag Vulnerability
Red Hat Linux 9; Linux kernel
The RPC code in Linux kernel 2.4 sets the reuse flag when sockets are created, which could allow local users to bind to UDP ports that are used by privileged services such as nfsd.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R.
Jones, INTERIM, ACCEPTED, ACCEPTED

Linux Kernel execve Race Condition Vulnerability
Red Hat Linux 9; Linux kernel
A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash).
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Red Hat Linux Kernel Serial Link Information Disclosure Vulnerability
Red Hat Linux 9
/proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Linux Kernel TCP/IP Fragment Reassembly Denial of Service
Red Hat Linux 9; Linux kernel
The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Linux Kernel mxcsr Code Vulnerability
Red Hat Linux 9; Linux kernel
The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Linux Kernel TTY Vulnerability
Red Hat Linux 9; Linux kernel
Unknown vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops").
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

SKK/DDSKK Insecure Temporary File Vulnerability
Red Hat Linux 9; skk
skk (Simple Kana to Kanji conversion program) 12.1 and earlier, and the ddskk package which is based on skk, creates temporary files insecurely, which allows local users to overwrite arbitrary files.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R.
Jones, INTERIM, ACCEPTED, ACCEPTED

Linux ioperm Privilege Restriction Vulnerability
Red Hat Linux 9; Linux kernel
The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Linux Route Cache / Netfilter Denial of Service
Red Hat Linux 9; Netfilter
The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Netfilter Denial of Service
Red Hat Linux 9; Netfilter
The connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Linux Kernel ptrace Privilege Escalation Vulnerability
Red Hat Linux 9; Linux kernel
The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Kerberos krb4 Ticket Splicing Vulnerability
Red Hat Linux 9; krb5
Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing."
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R.
Jones, INTERIM, ACCEPTED, ACCEPTED

Kerberos krb4 Plaintext Attack Vulnerability
Red Hat Linux 9; krb5
Version 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Kerberos KDC Heap Corruption Denial of Service
Red Hat Linux 9; krb5
The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

xdrmem_getbytes() Integer Overflow Vulnerability
Red Hat Linux 9; krb5
Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

KDM Weak Cookie Vulnerability
Red Hat Linux 9; KDM
KDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session.
Jay Beale, INTERIM, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Mutt BO Vulnerability in balsa
Red Hat Linux 9; Mutt
Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R.
Jones, INTERIM, ACCEPTED, ACCEPTED

KDM pam_setcred Privilege Escalation Vulnerability
Red Hat Linux 9; KDM
KDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module.
Jay Beale, INTERIM, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Apache IPv6 Socket Failure Denial of Service
Red Hat Linux 9; Apache
Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Apache prefork MPM Denial of Service
Red Hat Linux 9; Apache
The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Apache Weak Cipher Suite Vulnerability
Red Hat Linux 9; Apache
Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Sendmail setjmp longjmp bo (Red Hat Internal)
Red Hat Linux 9, Red Hat Enterprise Linux 3, Red Hat Enterprise Linux 4; Sendmail
Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations.
Robert L.
Hollis, DRAFT, INTERIM, ACCEPTED, Vladimir Giszpenc, INTERIM, ACCEPTED, Sudhir Gandhe, INTERIM, ACCEPTED, Shane Shaffer, INTERIM, ACCEPTED, ACCEPTED

The operating system installed on the system is Red Hat Enterprise Linux 3 for x86
Red Hat Enterprise Linux 3
The operating system installed on the system is Red Hat Enterprise Linux 3 for x86.
Sudhir Gandhe, DRAFT, INTERIM, ACCEPTED, Dragos Prisaca, INTERIM, ACCEPTED, David Rothenberg, INTERIM, ACCEPTED, Dragos Prisaca, INTERIM, ACCEPTED, ACCEPTED

The operating system installed on the system is Red Hat Enterprise Linux 4 for x86
Red Hat Enterprise Linux 4
The operating system installed on the system is Red Hat Enterprise Linux 4 for x86.
Mark Villanova, DRAFT, INTERIM, ACCEPTED, Dragos Prisaca, INTERIM, ACCEPTED, Dragos Prisaca, INTERIM, ACCEPTED, ACCEPTED

Apache Linefeed Allocation Vulnerability
Red Hat Linux 9; Apache
A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Apache Terminal Escape Sequence Vulnerability II
Red Hat Linux 9; Apache
Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 do not filter terminal escape sequences from their access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Apache Terminal Escape Sequence Vulnerability
Red Hat Linux 9; Apache
Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R.
Jones, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Evolution GtkHTML DoS via null Pointer Dereference
Red Hat Linux 9; GtkHTML
gtkhtml before 1.1.10, as used in Evolution, allows remote attackers to cause a denial of service (crash) via a malformed message that causes a null pointer dereference.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Evolution GtkHTML DoS via Malformed Message
Red Hat Linux 9; GtkHTML
GtkHTML, as included in Evolution before 1.2.4, allows remote attackers to cause a denial of service (crash) via certain malformed messages.
Jay Beale, INTERIM, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

GnuPG Invalid User ID Vulnerability
Red Hat Linux 9; GnuPG
The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

GNU Ghostscript -dSAFER Vulnerability
Red Hat Linux 9; GNU Ghostscript
Unknown vulnerability in GNU Ghostscript before 7.07 allows attackers to execute arbitrary commands, even when -dSAFER is enabled, via a PostScript file that causes the commands to be executed from a malicious print job.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

GDM X Display Manager Authorization Vulnerability
Red Hat Linux 9; GDM
The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) via a short authorization key name.
Jay Beale, INTERIM, ACCEPTED, Thomas R.
Jones, INTERIM, ACCEPTED, ACCEPTED

X Display Manager Control Protocol Denial of Service
Red Hat Linux 9; GDM
The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) when a chosen host expires, a different issue than CVE-2003-0549.
Jay Beale, INTERIM, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

GDM Examine Errors Symlink Vulnerability
Red Hat Linux 9; GDM
GDM before 2.4.1.6, when using the "examine session errors" feature, allows local users to read arbitrary files via a symlink attack on the ~/.xsession-errors file.
Jay Beale, INTERIM, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Ximian Evolution MIME-encoded Image Buffer Overflow
Red Hat Linux 9; Ximian Evolution
The handle_image function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier does not properly escape HTML characters, which allows remote attackers to inject arbitrary data and HTML via a MIME Content-ID header in a MIME-encoded image.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Ximian Evolution User Agent Multiple uuencoding Denial of Service
Red Hat Linux 9; Ximian Evolution
Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (memory consumption) via a mail message that is uuencoded multiple times.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Ximian Evolution Mail User Agent uuencoded header Denial of Service
Red Hat Linux 9; Ximian Evolution
The try_uudecoding function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malicious uuencoded (UUE) header, possibly triggering a heap-based buffer overflow.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R.
Jones, INTERIM, ACCEPTED, ACCEPTED

Various Ethereal Dissector Vulnerabilities
Red Hat Linux 9; Ethereal
Ethereal 0.9.12 and earlier does not handle certain strings properly, with unknown consequences, in the (1) BGP, (2) WTP, (3) DNS, (4) 802.11, (5) ISAKMP, (6) WSP, (7) CLNP, (8) ISIS, and (9) RMI dissectors.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Red Hat OpenSSL Kerberos Handshake Vulnerability
Red Hat Linux 9; OpenSSL
The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.
Matt Busby, Matt Busby, INTERIM, ACCEPTED, Thomas R. Jones, INTERIM, ACCEPTED, ACCEPTED

Ethereal 0-Length Buffer Size Vulnerability in tvb_get_nstringz0()
Red Hat Linux 9; Ethereal
The tvb_get_nstringz0 function in Ethereal 0.9.12 and earlier does not properly handle a zero-length buffer size, with unknown consequences.
Jay Beale, INTERIM, Jay Beale, ACCEPTED, Thomas R.
Jones, INTERIM, ACCEPTED, ACCEPTED