From 7a6bf8effcade2d8cb9a38b299711e951d1ca44c Mon Sep 17 00:00:00 2001 
From: Alec Warner Date: Thu, 3 Mar 2011 14:17:24 -0800 Subject: Add main/ proj/ rdf/ security/ Purge commited CVS dirs in images. Don't add more CVS dirs --- xml/htdocs/security/en/glsa/glsa-200310-03.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200310-04.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200311-01.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200311-02.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200311-03.xml | 62 +++++ xml/htdocs/security/en/glsa/glsa-200311-04.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200311-05.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200311-06.xml | 60 +++++ xml/htdocs/security/en/glsa/glsa-200311-07.xml | 60 +++++ xml/htdocs/security/en/glsa/glsa-200311-08.xml | 57 +++++ xml/htdocs/security/en/glsa/glsa-200312-01.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200312-03.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200312-04.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200312-05.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200312-06.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200312-07.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200312-08.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200401-01.xml | 230 ++++++++++++++++++ xml/htdocs/security/en/glsa/glsa-200401-02.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200401-03.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200401-04.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200402-01.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200402-02.xml | 94 ++++++++ xml/htdocs/security/en/glsa/glsa-200402-03.xml | 61 +++++ xml/htdocs/security/en/glsa/glsa-200402-04.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200402-05.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200402-06.xml | 92 +++++++ xml/htdocs/security/en/glsa/glsa-200402-07.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200403-01.xml | 55 +++++ xml/htdocs/security/en/glsa/glsa-200403-02.xml | 244 +++++++++++++++++++ xml/htdocs/security/en/glsa/glsa-200403-03.xml | 93 
+++++++ xml/htdocs/security/en/glsa/glsa-200403-04.xml | 113 +++++++++ xml/htdocs/security/en/glsa/glsa-200403-05.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200403-06.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200403-07.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200403-08.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200403-09.xml | 59 +++++ xml/htdocs/security/en/glsa/glsa-200403-10.xml | 61 +++++ xml/htdocs/security/en/glsa/glsa-200403-11.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200403-12.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200403-13.xml | 100 ++++++++ xml/htdocs/security/en/glsa/glsa-200403-14.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200404-01.xml | 95 ++++++++ xml/htdocs/security/en/glsa/glsa-200404-02.xml | 61 +++++ xml/htdocs/security/en/glsa/glsa-200404-03.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200404-04.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200404-05.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200404-06.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200404-07.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200404-08.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200404-09.xml | 61 +++++ xml/htdocs/security/en/glsa/glsa-200404-10.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200404-11.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200404-12.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200404-13.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200404-14.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200404-15.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200404-16.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200404-17.xml | 87 +++++++ xml/htdocs/security/en/glsa/glsa-200404-18.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200404-19.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200404-20.xml | 89 +++++++ xml/htdocs/security/en/glsa/glsa-200404-21.xml | 99 ++++++++ xml/htdocs/security/en/glsa/glsa-200405-01.xml | 63 +++++ 
xml/htdocs/security/en/glsa/glsa-200405-02.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200405-03.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200405-04.xml | 123 ++++++++++ xml/htdocs/security/en/glsa/glsa-200405-05.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200405-06.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200405-07.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200405-08.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200405-09.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200405-10.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200405-11.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200405-12.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200405-13.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200405-14.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200405-15.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200405-16.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200405-17.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200405-18.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200405-19.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200405-20.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200405-21.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200405-22.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200405-23.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200405-24.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200405-25.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200406-01.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200406-02.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200406-03.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200406-04.xml | 62 +++++ xml/htdocs/security/en/glsa/glsa-200406-05.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200406-06.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200406-07.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200406-08.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200406-09.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200406-10.xml | 68 ++++++ 
xml/htdocs/security/en/glsa/glsa-200406-11.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200406-12.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200406-13.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200406-14.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200406-15.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200406-16.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200406-17.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200406-18.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200406-19.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200406-20.xml | 122 ++++++++++ xml/htdocs/security/en/glsa/glsa-200406-21.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200406-22.xml | 62 +++++ xml/htdocs/security/en/glsa/glsa-200407-01.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200407-02.xml | 320 +++++++++++++++++++++++++ xml/htdocs/security/en/glsa/glsa-200407-03.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200407-04.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200407-05.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200407-06.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200407-07.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200407-08.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200407-09.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200407-10.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200407-11.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200407-12.xml | 135 +++++++++++ xml/htdocs/security/en/glsa/glsa-200407-13.xml | 93 +++++++ xml/htdocs/security/en/glsa/glsa-200407-14.xml | 91 +++++++ xml/htdocs/security/en/glsa/glsa-200407-15.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200407-16.xml | 299 +++++++++++++++++++++++ xml/htdocs/security/en/glsa/glsa-200407-17.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200407-18.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200407-19.xml | 60 +++++ xml/htdocs/security/en/glsa/glsa-200407-20.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200407-21.xml | 78 ++++++ 
xml/htdocs/security/en/glsa/glsa-200407-22.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200407-23.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200408-01.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200408-02.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200408-03.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200408-04.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200408-05.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200408-06.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200408-07.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200408-08.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200408-09.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200408-10.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200408-11.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200408-12.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200408-13.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200408-14.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200408-15.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200408-16.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200408-17.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200408-18.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200408-19.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200408-20.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200408-21.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200408-22.xml | 119 +++++++++ xml/htdocs/security/en/glsa/glsa-200408-23.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200408-24.xml | 233 ++++++++++++++++++ xml/htdocs/security/en/glsa/glsa-200408-25.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200408-26.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200408-27.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200409-01.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200409-02.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200409-03.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200409-04.xml | 68 ++++++ 
xml/htdocs/security/en/glsa/glsa-200409-05.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200409-06.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200409-07.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200409-08.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200409-09.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200409-10.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200409-11.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200409-12.xml | 100 ++++++++ xml/htdocs/security/en/glsa/glsa-200409-13.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200409-14.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200409-15.xml | 99 ++++++++ xml/htdocs/security/en/glsa/glsa-200409-16.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200409-17.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200409-18.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200409-19.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200409-20.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200409-21.xml | 101 ++++++++ xml/htdocs/security/en/glsa/glsa-200409-22.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200409-23.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200409-24.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200409-25.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200409-26.xml | 121 ++++++++++ xml/htdocs/security/en/glsa/glsa-200409-27.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200409-28.xml | 94 ++++++++ xml/htdocs/security/en/glsa/glsa-200409-29.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200409-30.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200409-31.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200409-32.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200409-33.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200409-34.xml | 98 ++++++++ xml/htdocs/security/en/glsa/glsa-200409-35.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200410-01.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200410-02.xml | 74 ++++++ 
xml/htdocs/security/en/glsa/glsa-200410-03.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200410-04.xml | 93 +++++++ xml/htdocs/security/en/glsa/glsa-200410-05.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200410-06.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200410-07.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200410-08.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200410-09.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200410-10.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200410-11.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200410-12.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200410-13.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200410-14.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200410-15.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200410-16.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200410-17.xml | 102 ++++++++ xml/htdocs/security/en/glsa/glsa-200410-18.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200410-19.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200410-20.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200410-21.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200410-22.xml | 91 +++++++ xml/htdocs/security/en/glsa/glsa-200410-23.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200410-24.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200410-25.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200410-26.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200410-27.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200410-28.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200410-29.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200410-30.xml | 98 ++++++++ xml/htdocs/security/en/glsa/glsa-200410-31.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200411-01.xml | 62 +++++ xml/htdocs/security/en/glsa/glsa-200411-02.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200411-03.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200411-04.xml | 68 ++++++ 
xml/htdocs/security/en/glsa/glsa-200411-05.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200411-06.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200411-07.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200411-08.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200411-09.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200411-10.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200411-11.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200411-12.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200411-13.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200411-14.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200411-15.xml | 91 +++++++ xml/htdocs/security/en/glsa/glsa-200411-16.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200411-17.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200411-18.xml | 62 +++++ xml/htdocs/security/en/glsa/glsa-200411-19.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200411-20.xml | 61 +++++ xml/htdocs/security/en/glsa/glsa-200411-21.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200411-22.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200411-23.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200411-24.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200411-25.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200411-26.xml | 90 +++++++ xml/htdocs/security/en/glsa/glsa-200411-27.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200411-28.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200411-29.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200411-30.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200411-31.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200411-32.xml | 98 ++++++++ xml/htdocs/security/en/glsa/glsa-200411-33.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200411-34.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200411-35.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200411-36.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200411-37.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200411-38.xml | 
107 +++++++++ xml/htdocs/security/en/glsa/glsa-200412-01.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200412-02.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200412-03.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200412-04.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200412-05.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200412-06.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200412-07.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200412-08.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200412-09.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200412-10.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200412-11.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200412-12.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200412-13.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200412-14.xml | 114 +++++++++ xml/htdocs/security/en/glsa/glsa-200412-15.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200412-16.xml | 93 +++++++ xml/htdocs/security/en/glsa/glsa-200412-17.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200412-18.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200412-19.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200412-20.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200412-21.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200412-22.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200412-23.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200412-24.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200412-25.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200412-26.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200412-27.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200501-01.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200501-02.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200501-03.xml | 133 ++++++++++ xml/htdocs/security/en/glsa/glsa-200501-04.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200501-05.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200501-06.xml | 72 ++++++ 
xml/htdocs/security/en/glsa/glsa-200501-07.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200501-08.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200501-09.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200501-10.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200501-11.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200501-12.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200501-13.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200501-14.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200501-15.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200501-16.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200501-17.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200501-18.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200501-19.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200501-20.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200501-21.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200501-22.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200501-23.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200501-24.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200501-25.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200501-26.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200501-27.xml | 89 +++++++ xml/htdocs/security/en/glsa/glsa-200501-28.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200501-29.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200501-30.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200501-31.xml | 101 ++++++++ xml/htdocs/security/en/glsa/glsa-200501-32.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200501-33.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200501-34.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200501-35.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200501-36.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200501-37.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200501-38.xml | 86 +++++++ xml/htdocs/security/en/glsa/glsa-200501-39.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200501-40.xml | 
67 ++++++ xml/htdocs/security/en/glsa/glsa-200501-41.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200501-42.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200501-43.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200501-44.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200501-45.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200501-46.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200502-01.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200502-02.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200502-03.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200502-04.xml | 87 +++++++ xml/htdocs/security/en/glsa/glsa-200502-05.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200502-06.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200502-07.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200502-08.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200502-09.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200502-10.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200502-11.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200502-12.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200502-13.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200502-14.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200502-15.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200502-16.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200502-17.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200502-18.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200502-19.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200502-20.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200502-21.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200502-22.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200502-23.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200502-24.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200502-25.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200502-26.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200502-27.xml | 68 ++++++ 
xml/htdocs/security/en/glsa/glsa-200502-28.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200502-29.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200502-30.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200502-31.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200502-32.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200502-33.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200503-01.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200503-02.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200503-03.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200503-04.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200503-05.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200503-06.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200503-07.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200503-08.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200503-09.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200503-10.xml | 141 +++++++++++ xml/htdocs/security/en/glsa/glsa-200503-11.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200503-12.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200503-13.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200503-14.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200503-15.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200503-16.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200503-17.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200503-18.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200503-19.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200503-20.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200503-21.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200503-22.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200503-23.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200503-24.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200503-25.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200503-26.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200503-27.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200503-28.xml | 
84 +++++++ xml/htdocs/security/en/glsa/glsa-200503-29.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200503-30.xml | 140 +++++++++++ xml/htdocs/security/en/glsa/glsa-200503-31.xml | 99 ++++++++ xml/htdocs/security/en/glsa/glsa-200503-32.xml | 95 ++++++++ xml/htdocs/security/en/glsa/glsa-200503-33.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200503-34.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200503-35.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200503-36.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200503-37.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200504-01.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200504-02.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200504-03.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200504-04.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200504-05.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200504-06.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200504-07.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200504-08.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200504-09.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200504-10.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200504-11.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200504-12.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200504-13.xml | 102 ++++++++ xml/htdocs/security/en/glsa/glsa-200504-14.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200504-15.xml | 97 ++++++++ xml/htdocs/security/en/glsa/glsa-200504-16.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200504-17.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200504-18.xml | 137 +++++++++++ xml/htdocs/security/en/glsa/glsa-200504-19.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200504-20.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200504-21.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200504-22.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200504-23.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200504-24.xml | 71 ++++++ 
xml/htdocs/security/en/glsa/glsa-200504-25.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200504-26.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200504-27.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200504-28.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200504-29.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200504-30.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200505-01.xml | 167 +++++++++++++ xml/htdocs/security/en/glsa/glsa-200505-02.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200505-03.xml | 103 ++++++++ xml/htdocs/security/en/glsa/glsa-200505-04.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200505-05.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200505-06.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200505-07.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200505-08.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200505-09.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200505-10.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200505-11.xml | 118 +++++++++ xml/htdocs/security/en/glsa/glsa-200505-12.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200505-13.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200505-14.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200505-15.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200505-16.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200505-17.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200505-18.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200505-19.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200505-20.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200506-01.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200506-02.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200506-03.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200506-04.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200506-05.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200506-06.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200506-07.xml | 67 ++++++ 
xml/htdocs/security/en/glsa/glsa-200506-08.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200506-09.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200506-10.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200506-11.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200506-12.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200506-13.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200506-14.xml | 105 ++++++++ xml/htdocs/security/en/glsa/glsa-200506-15.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200506-16.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200506-17.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200506-18.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200506-19.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200506-20.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200506-21.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200506-22.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200506-23.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200506-24.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200507-01.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200507-02.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200507-03.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200507-04.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200507-05.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200507-06.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200507-07.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200507-08.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200507-09.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200507-10.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200507-11.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200507-12.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200507-13.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200507-14.xml | 100 ++++++++ xml/htdocs/security/en/glsa/glsa-200507-15.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200507-16.xml | 67 ++++++ 
xml/htdocs/security/en/glsa/glsa-200507-17.xml | 101 ++++++++ xml/htdocs/security/en/glsa/glsa-200507-18.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200507-19.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200507-20.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200507-21.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200507-22.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200507-23.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200507-24.xml | 112 +++++++++ xml/htdocs/security/en/glsa/glsa-200507-25.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200507-26.xml | 115 +++++++++ xml/htdocs/security/en/glsa/glsa-200507-27.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200507-28.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200507-29.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200508-01.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200508-02.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200508-03.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200508-04.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200508-05.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200508-06.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200508-07.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200508-08.xml | 103 ++++++++ xml/htdocs/security/en/glsa/glsa-200508-09.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200508-10.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200508-11.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200508-12.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200508-13.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200508-14.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200508-15.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200508-16.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200508-17.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200508-18.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200508-19.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200508-20.xml | 70 ++++++ 
xml/htdocs/security/en/glsa/glsa-200508-21.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200508-22.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200509-01.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200509-02.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200509-03.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200509-04.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200509-05.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200509-06.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200509-07.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200509-08.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200509-09.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200509-10.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200509-11.xml | 134 +++++++++++ xml/htdocs/security/en/glsa/glsa-200509-12.xml | 87 +++++++ xml/htdocs/security/en/glsa/glsa-200509-13.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200509-14.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200509-15.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200509-16.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200509-17.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200509-18.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200509-19.xml | 97 ++++++++ xml/htdocs/security/en/glsa/glsa-200509-20.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200509-21.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200510-01.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200510-02.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200510-03.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200510-04.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200510-05.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200510-06.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200510-07.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200510-08.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200510-09.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200510-10.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200510-11.xml | 
73 ++++++ xml/htdocs/security/en/glsa/glsa-200510-12.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200510-13.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200510-14.xml | 97 ++++++++ xml/htdocs/security/en/glsa/glsa-200510-15.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200510-16.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200510-17.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200510-18.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200510-19.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200510-20.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200510-21.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200510-22.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200510-23.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200510-24.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200510-25.xml | 87 +++++++ xml/htdocs/security/en/glsa/glsa-200510-26.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200511-01.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200511-02.xml | 93 +++++++ xml/htdocs/security/en/glsa/glsa-200511-03.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200511-04.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200511-05.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200511-06.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200511-07.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200511-08.xml | 118 +++++++++ xml/htdocs/security/en/glsa/glsa-200511-09.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200511-10.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200511-11.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200511-12.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200511-13.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200511-14.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200511-15.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200511-16.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200511-17.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200511-18.xml | 76 ++++++ 
xml/htdocs/security/en/glsa/glsa-200511-19.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200511-20.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200511-21.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200511-22.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200511-23.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200512-01.xml | 86 +++++++ xml/htdocs/security/en/glsa/glsa-200512-02.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200512-03.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200512-04.xml | 89 +++++++ xml/htdocs/security/en/glsa/glsa-200512-05.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200512-06.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200512-07.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200512-08.xml | 104 ++++++++ xml/htdocs/security/en/glsa/glsa-200512-09.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200512-10.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200512-11.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200512-12.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200512-13.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200512-14.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200512-15.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200512-16.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200512-17.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200512-18.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200601-01.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200601-02.xml | 108 +++++++++ xml/htdocs/security/en/glsa/glsa-200601-03.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200601-04.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200601-05.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200601-06.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200601-07.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200601-08.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200601-09.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200601-10.xml | 106 ++++++++ 
xml/htdocs/security/en/glsa/glsa-200601-11.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200601-12.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200601-13.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200601-14.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200601-15.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200601-16.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200601-17.xml | 117 +++++++++ xml/htdocs/security/en/glsa/glsa-200602-01.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200602-02.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200602-03.xml | 101 ++++++++ xml/htdocs/security/en/glsa/glsa-200602-04.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200602-05.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200602-06.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200602-07.xml | 87 +++++++ xml/htdocs/security/en/glsa/glsa-200602-08.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200602-09.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200602-10.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200602-11.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200602-12.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200602-13.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200602-14.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200603-01.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200603-02.xml | 93 +++++++ xml/htdocs/security/en/glsa/glsa-200603-03.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200603-04.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200603-05.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200603-06.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200603-07.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200603-08.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200603-09.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200603-10.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200603-11.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200603-12.xml | 70 ++++++ 
xml/htdocs/security/en/glsa/glsa-200603-13.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200603-14.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200603-15.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200603-16.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200603-17.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200603-18.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200603-19.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200603-20.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200603-21.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200603-22.xml | 91 +++++++ xml/htdocs/security/en/glsa/glsa-200603-23.xml | 95 ++++++++ xml/htdocs/security/en/glsa/glsa-200603-24.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200603-25.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200603-26.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200604-01.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200604-02.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200604-03.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200604-04.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200604-05.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200604-06.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200604-07.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200604-08.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200604-09.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200604-10.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200604-11.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200604-12.xml | 100 ++++++++ xml/htdocs/security/en/glsa/glsa-200604-13.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200604-14.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200604-15.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200604-16.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200604-17.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200604-18.xml | 106 ++++++++ xml/htdocs/security/en/glsa/glsa-200605-01.xml | 78 ++++++ 
xml/htdocs/security/en/glsa/glsa-200605-02.xml | 62 +++++ xml/htdocs/security/en/glsa/glsa-200605-03.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200605-04.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200605-05.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200605-06.xml | 86 +++++++ xml/htdocs/security/en/glsa/glsa-200605-07.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200605-08.xml | 93 +++++++ xml/htdocs/security/en/glsa/glsa-200605-09.xml | 106 ++++++++ xml/htdocs/security/en/glsa/glsa-200605-10.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200605-11.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200605-12.xml | 87 +++++++ xml/htdocs/security/en/glsa/glsa-200605-13.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200605-14.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200605-15.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200605-16.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200605-17.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200606-01.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200606-02.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200606-03.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200606-04.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200606-05.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200606-06.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200606-07.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200606-08.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200606-09.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200606-10.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200606-11.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200606-12.xml | 95 ++++++++ xml/htdocs/security/en/glsa/glsa-200606-13.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200606-14.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200606-15.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200606-16.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200606-17.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200606-18.xml | 70 
++++++ xml/htdocs/security/en/glsa/glsa-200606-19.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200606-20.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200606-21.xml | 90 +++++++ xml/htdocs/security/en/glsa/glsa-200606-22.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200606-23.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200606-24.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200606-25.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200606-26.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200606-27.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200606-28.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200606-29.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200606-30.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200607-01.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200607-02.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200607-03.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200607-04.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200607-05.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200607-06.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200607-07.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200607-08.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200607-09.xml | 91 +++++++ xml/htdocs/security/en/glsa/glsa-200607-10.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200607-11.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200607-12.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200607-13.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200608-01.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200608-02.xml | 131 ++++++++++ xml/htdocs/security/en/glsa/glsa-200608-03.xml | 135 +++++++++++ xml/htdocs/security/en/glsa/glsa-200608-04.xml | 128 ++++++++++ xml/htdocs/security/en/glsa/glsa-200608-05.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200608-06.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200608-07.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200608-08.xml | 67 ++++++ 
xml/htdocs/security/en/glsa/glsa-200608-09.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200608-10.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200608-11.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200608-12.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200608-13.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200608-14.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200608-15.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200608-16.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200608-17.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200608-18.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200608-19.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200608-20.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200608-21.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200608-22.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200608-23.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200608-24.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200608-25.xml | 165 +++++++++++++ xml/htdocs/security/en/glsa/glsa-200608-26.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200608-27.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200608-28.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200609-01.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200609-02.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200609-03.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200609-04.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200609-05.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200609-06.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200609-07.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200609-08.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200609-09.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200609-10.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200609-11.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200609-12.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200609-13.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200609-14.xml 
| 72 ++++++ xml/htdocs/security/en/glsa/glsa-200609-15.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200609-16.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200609-17.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200609-18.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200609-19.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200609-20.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200610-01.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200610-02.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200610-03.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200610-04.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200610-05.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200610-06.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200610-07.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200610-08.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200610-09.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200610-10.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200610-11.xml | 86 +++++++ xml/htdocs/security/en/glsa/glsa-200610-12.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200610-13.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200610-14.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200610-15.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200611-01.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200611-02.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200611-03.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200611-04.xml | 90 +++++++ xml/htdocs/security/en/glsa/glsa-200611-05.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200611-06.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200611-07.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200611-08.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200611-09.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200611-10.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200611-11.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200611-12.xml | 66 +++++ 
xml/htdocs/security/en/glsa/glsa-200611-13.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200611-14.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200611-15.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200611-16.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200611-17.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200611-18.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200611-19.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200611-20.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200611-21.xml | 61 +++++ xml/htdocs/security/en/glsa/glsa-200611-22.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200611-23.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200611-24.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200611-25.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200611-26.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200612-01.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200612-02.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200612-03.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200612-04.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200612-05.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200612-06.xml | 102 ++++++++ xml/htdocs/security/en/glsa/glsa-200612-07.xml | 89 +++++++ xml/htdocs/security/en/glsa/glsa-200612-08.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200612-09.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200612-10.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200612-11.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200612-12.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200612-13.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200612-14.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200612-15.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200612-16.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200612-17.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200612-18.xml | 61 +++++ xml/htdocs/security/en/glsa/glsa-200612-19.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200612-20.xml | 74 
++++++ xml/htdocs/security/en/glsa/glsa-200612-21.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200701-01.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200701-02.xml | 90 +++++++ xml/htdocs/security/en/glsa/glsa-200701-03.xml | 88 +++++++ xml/htdocs/security/en/glsa/glsa-200701-04.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200701-05.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200701-06.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200701-07.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200701-08.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200701-09.xml | 61 +++++ xml/htdocs/security/en/glsa/glsa-200701-10.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200701-11.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200701-12.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200701-13.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200701-14.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200701-15.xml | 99 ++++++++ xml/htdocs/security/en/glsa/glsa-200701-16.xml | 86 +++++++ xml/htdocs/security/en/glsa/glsa-200701-17.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200701-18.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200701-19.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200701-20.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200701-21.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200701-22.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200701-23.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200701-24.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200701-25.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200701-26.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200701-27.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200701-28.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200702-01.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200702-02.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200702-03.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200702-04.xml | 78 ++++++ 
xml/htdocs/security/en/glsa/glsa-200702-05.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200702-06.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200702-07.xml | 108 +++++++++ xml/htdocs/security/en/glsa/glsa-200702-08.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200702-09.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200702-10.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200702-11.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200702-12.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200703-01.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200703-02.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200703-03.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200703-04.xml | 120 ++++++++++ xml/htdocs/security/en/glsa/glsa-200703-05.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200703-06.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200703-07.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200703-08.xml | 106 ++++++++ xml/htdocs/security/en/glsa/glsa-200703-09.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200703-10.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200703-11.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200703-12.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200703-13.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200703-14.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200703-15.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200703-16.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200703-17.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200703-18.xml | 88 +++++++ xml/htdocs/security/en/glsa/glsa-200703-19.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200703-20.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200703-21.xml | 93 +++++++ xml/htdocs/security/en/glsa/glsa-200703-22.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200703-23.xml | 92 +++++++ xml/htdocs/security/en/glsa/glsa-200703-24.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200703-25.xml | 66 +++++ 
xml/htdocs/security/en/glsa/glsa-200703-26.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200703-27.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200703-28.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200704-01.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200704-02.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200704-03.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200704-04.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200704-05.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200704-06.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200704-07.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200704-08.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200704-09.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200704-10.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200704-11.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200704-12.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200704-13.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200704-14.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200704-15.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200704-16.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200704-17.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200704-18.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200704-19.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200704-20.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200704-21.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200704-22.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200704-23.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200705-01.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200705-02.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200705-03.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200705-04.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200705-05.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200705-06.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200705-07.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200705-08.xml | 63 
+++++ xml/htdocs/security/en/glsa/glsa-200705-09.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200705-10.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200705-11.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200705-12.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200705-13.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200705-14.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200705-15.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200705-16.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200705-17.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200705-18.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200705-19.xml | 104 ++++++++ xml/htdocs/security/en/glsa/glsa-200705-20.xml | 90 +++++++ xml/htdocs/security/en/glsa/glsa-200705-21.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200705-22.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200705-23.xml | 102 ++++++++ xml/htdocs/security/en/glsa/glsa-200705-24.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200705-25.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200706-01.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200706-02.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200706-03.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200706-04.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200706-05.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200706-06.xml | 149 ++++++++++++ xml/htdocs/security/en/glsa/glsa-200706-07.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200706-08.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200706-09.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200707-01.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200707-02.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200707-03.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200707-04.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200707-05.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200707-06.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200707-07.xml | 70 ++++++ 
xml/htdocs/security/en/glsa/glsa-200707-08.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200707-09.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200707-10.xml | 62 +++++ xml/htdocs/security/en/glsa/glsa-200707-11.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200707-12.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200707-13.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200707-14.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200708-01.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200708-02.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200708-03.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200708-04.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200708-05.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200708-06.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200708-07.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200708-08.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200708-09.xml | 153 ++++++++++++ xml/htdocs/security/en/glsa/glsa-200708-10.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200708-11.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200708-12.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200708-13.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200708-14.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200708-15.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200708-16.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200708-17.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200709-01.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200709-02.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200709-03.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200709-04.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200709-05.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200709-06.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200709-07.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200709-08.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200709-09.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200709-10.xml | 68 
++++++ xml/htdocs/security/en/glsa/glsa-200709-11.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200709-12.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200709-13.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200709-14.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200709-15.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200709-16.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200709-17.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200709-18.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200710-01.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200710-02.xml | 154 ++++++++++++ xml/htdocs/security/en/glsa/glsa-200710-03.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200710-04.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200710-05.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200710-06.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200710-07.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200710-08.xml | 100 ++++++++ xml/htdocs/security/en/glsa/glsa-200710-09.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200710-10.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200710-11.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200710-12.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200710-13.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200710-14.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200710-15.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200710-16.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200710-17.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200710-18.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200710-19.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200710-20.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200710-21.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200710-22.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200710-23.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200710-24.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200710-25.xml | 75 ++++++ 
xml/htdocs/security/en/glsa/glsa-200710-26.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200710-27.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200710-28.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200710-29.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200710-30.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200710-31.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200711-01.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200711-02.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200711-03.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200711-04.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200711-05.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200711-06.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200711-07.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200711-08.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200711-09.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200711-10.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200711-11.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200711-12.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200711-13.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200711-14.xml | 127 ++++++++++ xml/htdocs/security/en/glsa/glsa-200711-15.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200711-16.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200711-17.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200711-18.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200711-19.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200711-20.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200711-21.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200711-22.xml | 120 ++++++++++ xml/htdocs/security/en/glsa/glsa-200711-23.xml | 112 +++++++++ xml/htdocs/security/en/glsa/glsa-200711-24.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200711-25.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200711-26.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200711-27.xml | 69 ++++++ 
xml/htdocs/security/en/glsa/glsa-200711-28.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200711-29.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200711-30.xml | 102 ++++++++ xml/htdocs/security/en/glsa/glsa-200711-31.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200711-32.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200711-33.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200711-34.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200712-01.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200712-02.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200712-03.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200712-04.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200712-05.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200712-06.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200712-07.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200712-08.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200712-09.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200712-10.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200712-11.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200712-12.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200712-13.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200712-14.xml | 92 +++++++ xml/htdocs/security/en/glsa/glsa-200712-15.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200712-16.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200712-17.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200712-18.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200712-19.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200712-20.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200712-21.xml | 104 ++++++++ xml/htdocs/security/en/glsa/glsa-200712-22.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200712-23.xml | 92 +++++++ xml/htdocs/security/en/glsa/glsa-200712-24.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200712-25.xml | 89 +++++++ xml/htdocs/security/en/glsa/glsa-200801-01.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200801-02.xml | 
69 ++++++ xml/htdocs/security/en/glsa/glsa-200801-03.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200801-04.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200801-05.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200801-06.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200801-07.xml | 102 ++++++++ xml/htdocs/security/en/glsa/glsa-200801-08.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200801-09.xml | 106 ++++++++ xml/htdocs/security/en/glsa/glsa-200801-10.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200801-11.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200801-12.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200801-13.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200801-14.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200801-15.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200801-16.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200801-17.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200801-18.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200801-19.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200801-20.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200801-21.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200801-22.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200802-01.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200802-02.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200802-03.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200802-04.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200802-05.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200802-06.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200802-07.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200802-08.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200802-09.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200802-10.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200802-11.xml | 87 +++++++ xml/htdocs/security/en/glsa/glsa-200802-12.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200803-01.xml | 89 +++++++ 
xml/htdocs/security/en/glsa/glsa-200803-02.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200803-03.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200803-04.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200803-05.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200803-06.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200803-07.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200803-08.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200803-09.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200803-10.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200803-11.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200803-12.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200803-13.xml | 100 ++++++++ xml/htdocs/security/en/glsa/glsa-200803-14.xml | 89 +++++++ xml/htdocs/security/en/glsa/glsa-200803-15.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200803-16.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200803-17.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200803-18.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200803-19.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200803-20.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200803-21.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200803-22.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200803-23.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200803-24.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200803-25.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200803-26.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200803-27.xml | 90 +++++++ xml/htdocs/security/en/glsa/glsa-200803-28.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200803-29.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200803-30.xml | 170 +++++++++++++ xml/htdocs/security/en/glsa/glsa-200803-31.xml | 102 ++++++++ xml/htdocs/security/en/glsa/glsa-200803-32.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200804-01.xml | 89 +++++++ xml/htdocs/security/en/glsa/glsa-200804-02.xml | 66 +++++ 
xml/htdocs/security/en/glsa/glsa-200804-03.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200804-04.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200804-05.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200804-06.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200804-07.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200804-08.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200804-09.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200804-10.xml | 110 +++++++++ xml/htdocs/security/en/glsa/glsa-200804-11.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200804-12.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200804-13.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200804-14.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200804-15.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200804-16.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200804-17.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200804-18.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200804-19.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200804-20.xml | 234 ++++++++++++++++++ xml/htdocs/security/en/glsa/glsa-200804-21.xml | 106 ++++++++ xml/htdocs/security/en/glsa/glsa-200804-22.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200804-23.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200804-24.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200804-25.xml | 95 ++++++++ xml/htdocs/security/en/glsa/glsa-200804-26.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200804-27.xml | 104 ++++++++ xml/htdocs/security/en/glsa/glsa-200804-28.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200804-29.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200804-30.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200805-01.xml | 131 ++++++++++ xml/htdocs/security/en/glsa/glsa-200805-02.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200805-03.xml | 136 +++++++++++ xml/htdocs/security/en/glsa/glsa-200805-04.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200805-05.xml | 79 ++++++ 
xml/htdocs/security/en/glsa/glsa-200805-06.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200805-07.xml | 88 +++++++ xml/htdocs/security/en/glsa/glsa-200805-08.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200805-09.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200805-10.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200805-11.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200805-12.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200805-13.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200805-14.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200805-15.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200805-16.xml | 110 +++++++++ xml/htdocs/security/en/glsa/glsa-200805-17.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200805-18.xml | 282 ++++++++++++++++++++++ xml/htdocs/security/en/glsa/glsa-200805-19.xml | 102 ++++++++ xml/htdocs/security/en/glsa/glsa-200805-20.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200805-21.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200805-22.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200805-23.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200806-01.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200806-02.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200806-03.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200806-04.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200806-05.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200806-06.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200806-07.xml | 99 ++++++++ xml/htdocs/security/en/glsa/glsa-200806-08.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200806-09.xml | 88 +++++++ xml/htdocs/security/en/glsa/glsa-200806-10.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200806-11.xml | 99 ++++++++ xml/htdocs/security/en/glsa/glsa-200807-01.xml | 89 +++++++ xml/htdocs/security/en/glsa/glsa-200807-02.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200807-03.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200807-04.xml | 65 +++++ 
xml/htdocs/security/en/glsa/glsa-200807-05.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200807-06.xml | 86 +++++++ xml/htdocs/security/en/glsa/glsa-200807-07.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200807-08.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200807-09.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200807-10.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200807-11.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200807-12.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200807-13.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200807-14.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200807-15.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200807-16.xml | 109 +++++++++ xml/htdocs/security/en/glsa/glsa-200808-01.xml | 89 +++++++ xml/htdocs/security/en/glsa/glsa-200808-02.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200808-03.xml | 249 +++++++++++++++++++ xml/htdocs/security/en/glsa/glsa-200808-04.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200808-05.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200808-06.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200808-07.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200808-08.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200808-09.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200808-10.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200808-11.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200808-12.xml | 126 ++++++++++ xml/htdocs/security/en/glsa/glsa-200809-01.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200809-02.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200809-03.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200809-04.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200809-05.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200809-06.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200809-07.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200809-08.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200809-09.xml | 78 ++++++ 
xml/htdocs/security/en/glsa/glsa-200809-10.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200809-11.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200809-12.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200809-13.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200809-14.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200809-15.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200809-16.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200809-17.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200809-18.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200810-01.xml | 94 ++++++++ xml/htdocs/security/en/glsa/glsa-200810-02.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200810-03.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200811-01.xml | 129 ++++++++++ xml/htdocs/security/en/glsa/glsa-200811-02.xml | 98 ++++++++ xml/htdocs/security/en/glsa/glsa-200811-03.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200811-04.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200811-05.xml | 134 +++++++++++ xml/htdocs/security/en/glsa/glsa-200812-01.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200812-02.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200812-03.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200812-04.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200812-05.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200812-06.xml | 99 ++++++++ xml/htdocs/security/en/glsa/glsa-200812-07.xml | 88 +++++++ xml/htdocs/security/en/glsa/glsa-200812-08.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200812-09.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200812-10.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200812-11.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200812-12.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200812-13.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200812-14.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200812-15.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200812-16.xml | 83 +++++++ 
xml/htdocs/security/en/glsa/glsa-200812-17.xml | 122 ++++++++++ xml/htdocs/security/en/glsa/glsa-200812-18.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200812-19.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200812-20.xml | 88 +++++++ xml/htdocs/security/en/glsa/glsa-200812-21.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200812-22.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200812-23.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200812-24.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-200901-01.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200901-02.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200901-03.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200901-04.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200901-05.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200901-06.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200901-07.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-200901-08.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200901-09.xml | 106 ++++++++ xml/htdocs/security/en/glsa/glsa-200901-10.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200901-11.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200901-12.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200901-13.xml | 95 ++++++++ xml/htdocs/security/en/glsa/glsa-200901-14.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200901-15.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200902-01.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200902-02.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200902-03.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200902-04.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200902-05.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200902-06.xml | 93 +++++++ xml/htdocs/security/en/glsa/glsa-200903-01.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200903-02.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200903-03.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200903-04.xml | 66 +++++ 
xml/htdocs/security/en/glsa/glsa-200903-05.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200903-06.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200903-07.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200903-08.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200903-09.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200903-10.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200903-11.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200903-12.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200903-13.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200903-14.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200903-15.xml | 86 +++++++ xml/htdocs/security/en/glsa/glsa-200903-16.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200903-17.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200903-18.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200903-19.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200903-20.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-200903-21.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200903-22.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200903-23.xml | 139 +++++++++++ xml/htdocs/security/en/glsa/glsa-200903-24.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200903-25.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200903-26.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200903-27.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200903-28.xml | 89 +++++++ xml/htdocs/security/en/glsa/glsa-200903-29.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200903-30.xml | 93 +++++++ xml/htdocs/security/en/glsa/glsa-200903-31.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200903-32.xml | 100 ++++++++ xml/htdocs/security/en/glsa/glsa-200903-33.xml | 112 +++++++++ xml/htdocs/security/en/glsa/glsa-200903-34.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200903-35.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200903-36.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200903-37.xml | 97 ++++++++ 
xml/htdocs/security/en/glsa/glsa-200903-38.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200903-39.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200903-40.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200903-41.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-200904-01.xml | 98 ++++++++ xml/htdocs/security/en/glsa/glsa-200904-02.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200904-03.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200904-04.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200904-05.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200904-06.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200904-07.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200904-08.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200904-09.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200904-10.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200904-11.xml | 97 ++++++++ xml/htdocs/security/en/glsa/glsa-200904-12.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200904-13.xml | 63 +++++ xml/htdocs/security/en/glsa/glsa-200904-14.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200904-15.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200904-16.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200904-17.xml | 102 ++++++++ xml/htdocs/security/en/glsa/glsa-200904-18.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200904-19.xml | 86 +++++++ xml/htdocs/security/en/glsa/glsa-200904-20.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200905-01.xml | 87 +++++++ xml/htdocs/security/en/glsa/glsa-200905-02.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200905-03.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200905-04.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200905-05.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200905-06.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200905-07.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200905-08.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200905-09.xml | 77 ++++++ 
xml/htdocs/security/en/glsa/glsa-200906-01.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200906-02.xml | 64 +++++ xml/htdocs/security/en/glsa/glsa-200906-03.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200906-04.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200906-05.xml | 154 ++++++++++++ xml/htdocs/security/en/glsa/glsa-200907-01.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200907-02.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-200907-03.xml | 90 +++++++ xml/htdocs/security/en/glsa/glsa-200907-04.xml | 96 ++++++++ xml/htdocs/security/en/glsa/glsa-200907-05.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200907-06.xml | 125 ++++++++++ xml/htdocs/security/en/glsa/glsa-200907-07.xml | 95 ++++++++ xml/htdocs/security/en/glsa/glsa-200907-08.xml | 86 +++++++ xml/htdocs/security/en/glsa/glsa-200907-09.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200907-10.xml | 73 ++++++ xml/htdocs/security/en/glsa/glsa-200907-11.xml | 112 +++++++++ xml/htdocs/security/en/glsa/glsa-200907-12.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200907-13.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200907-14.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200907-15.xml | 96 ++++++++ xml/htdocs/security/en/glsa/glsa-200907-16.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-200908-01.xml | 81 +++++++ xml/htdocs/security/en/glsa/glsa-200908-02.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200908-03.xml | 80 +++++++ xml/htdocs/security/en/glsa/glsa-200908-04.xml | 115 +++++++++ xml/htdocs/security/en/glsa/glsa-200908-05.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200908-06.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-200908-07.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200908-08.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200908-09.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200908-10.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200909-01.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200909-02.xml | 69 ++++++ 
xml/htdocs/security/en/glsa/glsa-200909-03.xml | 83 +++++++ xml/htdocs/security/en/glsa/glsa-200909-04.xml | 89 +++++++ xml/htdocs/security/en/glsa/glsa-200909-05.xml | 77 ++++++ xml/htdocs/security/en/glsa/glsa-200909-06.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200909-07.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200909-08.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200909-09.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-200909-10.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200909-11.xml | 65 +++++ xml/htdocs/security/en/glsa/glsa-200909-12.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200909-13.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200909-14.xml | 115 +++++++++ xml/htdocs/security/en/glsa/glsa-200909-15.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-200909-16.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200909-17.xml | 67 ++++++ xml/htdocs/security/en/glsa/glsa-200909-18.xml | 84 +++++++ xml/htdocs/security/en/glsa/glsa-200909-19.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-200909-20.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200910-01.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-200910-02.xml | 92 +++++++ xml/htdocs/security/en/glsa/glsa-200910-03.xml | 91 +++++++ xml/htdocs/security/en/glsa/glsa-200911-01.xml | 96 ++++++++ xml/htdocs/security/en/glsa/glsa-200911-02.xml | 240 +++++++++++++++++++ xml/htdocs/security/en/glsa/glsa-200911-03.xml | 99 ++++++++ xml/htdocs/security/en/glsa/glsa-200911-04.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-200911-05.xml | 88 +++++++ xml/htdocs/security/en/glsa/glsa-200911-06.xml | 71 ++++++ xml/htdocs/security/en/glsa/glsa-200912-01.xml | 97 ++++++++ xml/htdocs/security/en/glsa/glsa-200912-02.xml | 118 +++++++++ xml/htdocs/security/en/glsa/glsa-201001-01.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-201001-02.xml | 85 +++++++ xml/htdocs/security/en/glsa/glsa-201001-03.xml | 118 +++++++++ xml/htdocs/security/en/glsa/glsa-201001-04.xml | 107 +++++++++ 
xml/htdocs/security/en/glsa/glsa-201001-05.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-201001-06.xml | 70 ++++++ xml/htdocs/security/en/glsa/glsa-201001-07.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-201001-08.xml | 87 +++++++ xml/htdocs/security/en/glsa/glsa-201001-09.xml | 79 ++++++ xml/htdocs/security/en/glsa/glsa-201003-01.xml | 78 ++++++ xml/htdocs/security/en/glsa/glsa-201006-01.xml | 75 ++++++ xml/htdocs/security/en/glsa/glsa-201006-02.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-201006-03.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-201006-04.xml | 94 ++++++++ xml/htdocs/security/en/glsa/glsa-201006-05.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-201006-06.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-201006-07.xml | 82 +++++++ xml/htdocs/security/en/glsa/glsa-201006-08.xml | 69 ++++++ xml/htdocs/security/en/glsa/glsa-201006-09.xml | 68 ++++++ xml/htdocs/security/en/glsa/glsa-201006-10.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-201006-11.xml | 76 ++++++ xml/htdocs/security/en/glsa/glsa-201006-12.xml | 87 +++++++ xml/htdocs/security/en/glsa/glsa-201006-13.xml | 86 +++++++ xml/htdocs/security/en/glsa/glsa-201006-14.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-201006-15.xml | 74 ++++++ xml/htdocs/security/en/glsa/glsa-201006-16.xml | 72 ++++++ xml/htdocs/security/en/glsa/glsa-201006-17.xml | 66 +++++ xml/htdocs/security/en/glsa/glsa-201006-18.xml | 143 +++++++++++ xml/htdocs/security/en/glsa/glsa-201006-19.xml | 87 +++++++ xml/htdocs/security/en/glsa/glsa-201006-20.xml | 90 +++++++ xml/htdocs/security/en/glsa/glsa-201006-21.xml | 78 ++++++ xml/htdocs/security/en/glsa/index.xml | 31 +++ 1522 files changed, 115777 insertions(+) create mode 100644 xml/htdocs/security/en/glsa/glsa-200310-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200310-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200311-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200311-02.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200311-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200311-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200311-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200311-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200311-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200311-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200312-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200312-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200312-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200312-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200312-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200312-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200312-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200401-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200401-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200401-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200401-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200402-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200402-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200402-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200402-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200402-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200402-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200402-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200403-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200403-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200403-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200403-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200403-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200403-06.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200403-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200403-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200403-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200403-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200403-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200403-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200403-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200403-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200404-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-01.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200405-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200405-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-06.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200406-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200406-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-14.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200407-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200407-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-21.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200408-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200408-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-24.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200409-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-30.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-31.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-32.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-33.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-34.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200409-35.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-19.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200410-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-30.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200410-31.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-18.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200411-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-30.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-31.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-32.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-33.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-34.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-35.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-36.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-37.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200411-38.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-10.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200412-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200412-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-13.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200501-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-30.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-31.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-32.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-33.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-34.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-35.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-36.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-37.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-38.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-39.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-40.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-41.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-42.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-43.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200501-44.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-45.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200501-46.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-27.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200502-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-30.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-31.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-32.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200502-33.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-24.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200503-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-30.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-31.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-32.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-33.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-34.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-35.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-36.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200503-37.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-17.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200504-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200504-30.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-17.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200505-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200505-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200506-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-03.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200507-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200507-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-04.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200508-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200508-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-12.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200509-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200509-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-21.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200510-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200510-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200511-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-02.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200512-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200512-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-14.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200601-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200601-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200602-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-13.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200603-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200603-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200604-17.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200604-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200605-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-12.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200606-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200606-30.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200607-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200607-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200607-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200607-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200607-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200607-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200607-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200607-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200607-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200607-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200607-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200607-12.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200607-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200608-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-01.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200609-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200609-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-11.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200610-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200610-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200611-26.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200612-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200612-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-09.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200701-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200701-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200702-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200702-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200702-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200702-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200702-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200702-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200702-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200702-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200702-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200702-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200702-11.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200702-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200703-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-01.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200704-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200704-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-08.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200705-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200705-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200706-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200706-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200706-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200706-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200706-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200706-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200706-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200706-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200706-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200707-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200707-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200707-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200707-04.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200707-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200707-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200707-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200707-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200707-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200707-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200707-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200707-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200707-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200707-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200708-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-03.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200709-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200709-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-15.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200710-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-30.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200710-31.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-14.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200711-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-30.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-31.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-32.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-33.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200711-34.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-10.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200712-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200712-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-15.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200801-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200801-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200802-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200802-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200802-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200802-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200802-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200802-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200802-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200802-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200802-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200802-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200802-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200802-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-11.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200803-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-30.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-31.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200803-32.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-09.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200804-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-26.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200804-30.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-09.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200805-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200805-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200806-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200806-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200806-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200806-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200806-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200806-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200806-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200806-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200806-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200806-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200806-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-05.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200807-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200807-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200808-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200808-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200808-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200808-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200808-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200808-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200808-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200808-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200808-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200808-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200808-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200808-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-07.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200809-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200809-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200810-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200810-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200810-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200811-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200811-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200811-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200811-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200811-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-11.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200812-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200812-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200901-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200902-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200902-02.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200902-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200902-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200902-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200902-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-21.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-22.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-23.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-24.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-25.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-26.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200903-27.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-28.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-29.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-30.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-31.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-32.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-33.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-34.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-35.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-36.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-37.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-38.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-39.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-40.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200903-41.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-15.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200904-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200904-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200905-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200905-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200905-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200905-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200905-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200905-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200905-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200905-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200905-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200906-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200906-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200906-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200906-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200906-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-11.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200907-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200907-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200908-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200908-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200908-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200908-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200908-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200908-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200908-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200908-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200908-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200908-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-15.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-200909-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200909-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200910-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200910-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200910-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200911-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200911-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200911-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200911-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200911-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200911-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200912-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-200912-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201001-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201001-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201001-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201001-04.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201001-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201001-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201001-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201001-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201001-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201003-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-01.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-02.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-03.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-04.xml create mode 100644 
xml/htdocs/security/en/glsa/glsa-201006-05.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-06.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-07.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-08.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-09.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-10.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-11.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-12.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-13.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-14.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-15.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-16.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-17.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-18.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-19.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-20.xml create mode 100644 xml/htdocs/security/en/glsa/glsa-201006-21.xml create mode 100644 xml/htdocs/security/en/glsa/index.xml (limited to 'xml/htdocs/security/en/glsa')
diff --git a/xml/htdocs/security/en/glsa/glsa-200310-03.xml b/xml/htdocs/security/en/glsa/glsa-200310-03.xml
new file mode 100644
index 00000000..11916d6c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200310-03.xml
@@ -0,0 +1,64 @@
+
+
+
+
+
+
+ Apache: multiple buffer overflows
+
+ Multiple stack-based buffer overflows in mod_alias and mod_rewrite can allow
+ execution of arbitrary code and cause a denial of service.
+
+ Apache
+ 2003-10-28
+ December 30, 2007: 02
+ 32194
+ local
+
+
+ 1.3.29
+ 1.3.29
+
+
+
+

+ The Apache HTTP Server is one of the most popular web servers on the + Internet. +

+
+ +

+ Multiple stack-based buffer overflows in mod_alias and mod_rewrite allow + attackers who can create or edit configuration files including .htaccess + files, to cause a denial of service and execute arbitrary code via a regular + expression containing more than 9 captures. +

+
+ +

+ An attacker may cause a denial of service or execute arbitrary code with the + privileges of the user that is running apache. +

+
+ +

+ There is no known workaround at this time, other than to disable both + mod_alias and mod_rewrite. +

+
+ +

+ It is recommended that all Gentoo Linux users who are running + net-misc/apache 1.x upgrade: +

+ + # emerge sync + # emerge -pv apache + # emerge '>=www-servers/apache-1.3.29' + # emerge clean + # /etc/init.d/apache restart +
+ + CAN-2003-0542 (under review at time of GLSA) + +
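Review bot: The resolution at the end of this hunk addresses users running `net-misc/apache 1.x` while the emerge atom is `'>=www-servers/apache-1.3.29'`, so the category named in the prose and the atom users are told to install disagree; presumably apache had moved to www-servers and the prose is stale. The pretend step `# emerge -pv apache` is also unpinned while the real emerge is pinned, so the preview need not show what the next command installs. I would change the two lines to `www-servers/apache 1.x upgrade:` and `# emerge -pv '>=www-servers/apache-1.3.29'`, which is how the Apache 2.x advisory in this commit pins its pretend step. The final reference still carries the qualifier `(under review at time of GLSA)` on CAN-2003-0542 although the revision stamp is December 2007, so the identifier's status should be re-checked and the qualifier dropped if it has since been confirmed.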
diff --git a/xml/htdocs/security/en/glsa/glsa-200310-04.xml b/xml/htdocs/security/en/glsa/glsa-200310-04.xml
new file mode 100644
index 00000000..68787c56
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200310-04.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ Apache: buffer overflows and a possible information disclosure
+
+ Multiple stack-based buffer overflows in mod_alias and mod_rewrite can allow
+ execution of arbitrary code and cause a denial of service, and a bug in the
+ way mod_cgid handles CGI redirect paths could result in CGI output going to
+ the wrong client.
+
+ Apache
+ 2003-10-31
+ December 30, 2007: 02
+ 32271
+ local
+
+
+ 2.0.48
+ 2.0
+ 2.0.48
+
+
+
+

+ The Apache HTTP Server is one of the most popular web servers on the + Internet. +

+
+ +

+ Multiple stack-based buffer overflows in mod_alias and mod_rewrite allow + attackers who can create or edit configuration files including .htaccess + files, to cause a denial of service and execute arbitrary code via a regular + expression containing more than 9 captures, and a bug in the way mod_cgid + handles CGI redirect paths could result in CGI output going to the wrong + client when a threaded MPM is used, resulting in an information disclosure. +

+
+ +

+ An attacker may cause a denial of service or execute arbitrary code with the + privileges of the user that is running apache. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ It is recommended that all Gentoo Linux users who are running + net-misc/apache 2.x upgrade: +

+ + # emerge sync + # emerge -pv '>=www-servers/apache-2.0.48' + # emerge '>=www-servers/apache-2.0.48' + # emerge clean + # /etc/init.d/apache2 restart +

+ Please remember to update your config files in /etc/apache2 as --datadir has + been changed to /var/www/localhost. +

+
+ + CAN-2003-0789 + CAN-2003-0542 + +
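Review bot: The impact section of this hunk mentions only denial of service and code execution with the apache user's privileges, although the synopsis and description also cover the mod_cgid bug (CAN-2003-0789) that can deliver CGI output to the wrong client under a threaded MPM, so a reader who skims impact misses the information-disclosure exposure. I would append `With a threaded MPM, the mod_cgid bug may additionally disclose CGI output intended for one client to another.` The resolution also names `net-misc/apache 2.x` while the atom is `'>=www-servers/apache-2.0.48'`; the prose should use the category the atom uses. The access field reads `local`, which fits the .htaccess vector, but the mod_cgid misdelivery appears to be reachable through ordinary client requests, so whether `local` still describes this advisory is worth confirming.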
diff --git a/xml/htdocs/security/en/glsa/glsa-200311-01.xml b/xml/htdocs/security/en/glsa/glsa-200311-01.xml
new file mode 100644
index 00000000..d45ccbed
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200311-01.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ kdebase: KDM vulnerabilities
+
+ A bug in KDM can allow privilege escalation with certain configurations of
+ PAM modules.
+
+ kdebase
+ 2003-11-15
+ 2003-11-15: 01
+ 29406
+ local / remote
+
+
+ 3.1.4
+ 3.1.3
+
+
+
+

+ KDM is the desktop manager included with the K Desktop Environment. +

+
+ +

+ Firstly, versions of KDM <=3.1.3 are vulnerable to a privilege escalation + bug with a specific configuration of PAM modules. Users who do not use PAM + with KDM and users who use PAM with regular Unix crypt/MD5 based + authentication methods are not affected. +

+

+ Secondly, KDM uses a weak cookie generation algorithm. Users are advised to + upgrade to KDE 3.1.4, which uses /dev/urandom as a non-predictable source of + entropy to improve security. +

+
+ +

+ A remote or local attacker could gain root privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ It is recommended that all Gentoo Linux users who are running + kde-base/kdebase <=3.1.3 upgrade: +

+ + # emerge sync + # emerge -pv '>=kde-base/kde-3.1.4' + # emerge '>=kde-base/kde-3.1.4' + # emerge clean +
+ + CAN-2003-0690 + CAN-2003-0692 + KDE Security Advisory + +
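Review bot: The resolution in this hunk emerges `'>=kde-base/kde-3.1.4'`, the KDE meta-package, while the affected package named in the header and in the prose is `kde-base/kdebase <=3.1.3`; a user who installed kdebase without the meta-package gets nothing from that atom, and any check keyed on the affected package expects the kdebase version itself to change. I would change both emerge lines to `# emerge -pv '>=kde-base/kdebase-3.1.4'` and `# emerge '>=kde-base/kdebase-3.1.4'`. The resolution also omits the restart step the Apache advisories in this commit include; kdm keeps running the old binary until restarted, so a line such as `Restart kdm (or reboot) after upgrading so the new binary is in use.` would help. The impact line says a remote or local attacker could gain root, but the description ties the escalation only to the PAM configuration issue and says nothing about what the weak cookie generation yields, so the impact text might distinguish the two.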
diff --git a/xml/htdocs/security/en/glsa/glsa-200311-02.xml b/xml/htdocs/security/en/glsa/glsa-200311-02.xml
new file mode 100644
index 00000000..2844958a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200311-02.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Opera: buffer overflows in 7.11 and 7.20
+
+ Buffer overflows exist in Opera 7.11 and 7.20 that can cause Opera to crash,
+ and can potentially overwrite arbitrary bytes on the heap leading to a
+ system compromise.
+
+ Opera
+ 2003-11-19
+ 2003-11-19: 01
+ 31775
+ local / remote
+
+
+ 7.21
+ 7.20
+ 7.11
+
+
+
+

+ Opera is a multi-platform web browser. +

+
+ +

+ The Opera browser can cause a buffer allocated on the heap to overflow under + certain HREFs when rendering HTML. The mail system is also deemed + vulnerable and an attacker can send an email containing a malformed HREF, or + plant the malicious HREF on a web site. +

+
+ +

+ Certain HREFs can cause a buffer allocated on the heap to overflow when + rendering HTML which can allow arbitrary bytes on the heap to be overwritten + which can result in a system compromise. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Users are encouraged to perform an 'emerge sync' and upgrade the package + to the latest available version. Opera 7.22 is recommended as Opera 7.21 is + vulnerable to other security flaws. Specific steps to upgrade: +

+ + # emerge sync + # emerge -pv '>=www-client/opera-7.22' + # emerge '>=www-client/opera-7.22' + # emerge clean +
+ + CAN-2003-0870 + @stake Security Advisory + +
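Review bot: The version block near the top of this hunk lists 7.21 as the fixed version (with 7.20 and 7.11 vulnerable), yet the resolution states that 7.21 is vulnerable to other security flaws and pins the emerge to `'>=www-client/opera-7.22'`, so the machine-readable fixed version and the human-readable recommendation disagree and a checker consulting the version block would report a 7.21 system as fixed. I would change the fixed version to `7.22` so it matches the atom, or, if 7.21 is deliberately kept as the fix for CAN-2003-0870 alone, name the advisory that covers the remaining 7.21 flaws. The impact section largely repeats the description; stating the consequence instead, e.g. `Successful exploitation allows execution of arbitrary code with the privileges of the user running Opera.`, would be more useful to readers.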
diff --git a/xml/htdocs/security/en/glsa/glsa-200311-03.xml b/xml/htdocs/security/en/glsa/glsa-200311-03.xml
new file mode 100644
index 00000000..8afc2751
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200311-03.xml
@@ -0,0 +1,62 @@
+
+
+
+
+
+
+ HylaFAX: Remote code exploit in hylafax
+
+ A format bug condition allows a remote attacjer to execute arbitrary code as
+ the root user.
+
+ HylaFAX
+ 2003-11-10
+ 2003-11-10: 01
+ 33368
+ remote
+
+
+ 4.1.8
+ 4.1.7
+
+
+
+

+ HylaFAX is a popular client-server fax package. +

+
+ +

+ During a code review of the hfaxd server, the SuSE Security Team discovered + a format bug condition that allows a remote attacker to execute arbitrary + code as the root user. However, the bug cannot be triggered in the default + hylafax configuration. +

+
+ +

+ A remote attacker could execute arbitrary code with root privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Users are encouraged to perform an 'emerge sync' and upgrade the package to + the latest available version. Vulnerable versions of hylafax have been + removed from portage. Specific steps to upgrade: +

+ + # emerge sync + # emerge -pv '>=net-misc/hylafax-4.1.8' + # emerge '>=net-misc/hylafax-4.1.8' + # emerge clean +
+ + CAN-2003-0886 + SuSE Security Announcment + +
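Review bot: The synopsis at the top of this hunk misspells `attacker` as `attacjer`, and the last reference misspells `Announcement` as `Announcment`; both are visible on the published advisory. Change them to `A format bug condition allows a remote attacker to execute arbitrary code as` and `SuSE Security Announcement`. The description says the bug cannot be triggered in the default hylafax configuration but does not say which setting exposes it, so an administrator with a customised configuration cannot tell whether they are affected; if the SuSE announcement names the condition, a sentence pointing to it would make the `no known workaround` statement more useful.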
diff --git a/xml/htdocs/security/en/glsa/glsa-200311-04.xml b/xml/htdocs/security/en/glsa/glsa-200311-04.xml
new file mode 100644
index 00000000..e126b59b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200311-04.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ FreeRADIUS: heap exploit and NULL pointer dereference vulnerability
+
+ FreeRADIUS is vulnerable to a heap exploit and a NULL pointer dereference
+ vulnerability.
+
+ FreeRADIUS
+ 2003-11-23
+ 2003-11-23: 01
+ 33989
+ remote
+
+
+ 0.9.3
+ 0.9.2
+
+
+
+

+ FreeRADIUS is a popular open source RADIUS server. +

+
+ +

+ FreeRADIUS versions below 0.9.3 are vulnerable to a heap exploit, however, + the attack code must be in the form of a valid RADIUS packet which limits + the possible exploits. +

+

+ Also corrected in the 0.9.3 release is another vulnerability which causes + the RADIUS server to de-reference a NULL pointer and crash when an + Access-Request packet with a Tunnel-Password is received. +

+
+ +

+ A remote attacker could craft a RADIUS packet which would cause the RADIUS + server to crash, or could possibly overflow the heap resulting in a system + compromise. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Users are encouraged to perform an 'emerge sync' and upgrade the package to + the latest available version - 0.9.3 is available in portage and is marked + as stable. +

+ + # emerge sync + # emerge -pv '>=net-dialup/freeradius-0.9.3' + # emerge '>=net-dialup/freeradius-0.9.3' + # emerge clean +
+ + SecurityTracker.com Security Alert + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200311-05.xml b/xml/htdocs/security/en/glsa/glsa-200311-05.xml
new file mode 100644
index 00000000..57ec9ae4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200311-05.xml
@@ -0,0 +1,63 @@ + + + + + + + Ethereal: security problems in ethereal 0.9.15 + + Ethereal is vulnerable to heap and buffer overflows in the GTP, ISAKMP, + MEGACO, and SOCKS protocol dissectors. + + Ethereal + 2003-11-22 + 2003-11-22: 01 + 32691 + remote + + + 0.9.16 + 0.9.16 + + + +

+ Ethereal is a popular network protocol analyzer. +

+
+ +

+ Ethereal contains buffer overflow vulnerabilities in the GTP, ISAKMP, and + MEGACO protocol dissectors, and a heap overflow vulnerability in the SOCKS + protocol dissector, which could cause Ethereal to crash or to execute + arbitrary code. +

+
+ +

+ A remote attacker could craft a malformed packet which would cause Ethereal + to crash or run arbitrary code with the permissions of the user running + Ethereal. +

+
+ +

+ There is no known workaround at this time, other than to disable the GTP, + ISAKMP, MEGACO, and SOCKS protocol dissectors. +

+
+ +

+ It is recommended that all Gentoo Linux users who are running + net-analyzer/ethereal 0.9.x upgrade: +

+ + # emerge sync + # emerge -pv '>=net-analyzer/ethereal-0.9.16' + # emerge '>=net-analyzer/ethereal-0.9.16' + # emerge clean +
+ + Ethereal Security Advisory + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200311-06.xml b/xml/htdocs/security/en/glsa/glsa-200311-06.xml
new file mode 100644
index 00000000..a766ed16
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200311-06.xml
@@ -0,0 +1,60 @@ + + + + + + + glibc: getgrouplist buffer overflow vulnerability + + glibc contains a buffer overflow in the getgrouplist function. + + glibc + 2003-11-22 + 2003-11-22: 01 + 33383 + local + + + 2.2.5 + 2.2.4 + + + +

+ glibc is the GNU C library. +

+
+ +

+ A bug in the getgrouplist function can cause a buffer overflow if the size + of the group list is too small to hold all the user's groups. This overflow + can cause segmentation faults in user applications. This vulnerability + exists only when an administrator has placed a user in a number of groups + larger than that expected by an application. +

+
+ +

+ Applications that use getgrouplist can crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ It is recommended that all Gentoo Linux users update their systems as + follows: +

+ + # emerge sync + # emerge -pv '>=sys-libs/glibc-2.2.5' + # emerge '>=sys-libs/glibc-2.2.5' + # emerge clean +
+ + CAN-2003-0689 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200311-07.xml b/xml/htdocs/security/en/glsa/glsa-200311-07.xml
new file mode 100644
index 00000000..969005f1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200311-07.xml
@@ -0,0 +1,60 @@ + + + + + + + phpSysInfo: arbitrary code execution and directory traversal + + phpSysInfo contains two vulnerabilities that can allow arbitrary code + execution and local directory traversal. + + phpSysInfo + 2003-11-22 + December 30, 2007: 02 + 26782 + local + + + 2.1-r1 + 2.1 + + + +

+ phpSysInfo is a PHP system information tool. +

+
+ +

+ phpSysInfo contains two vulnerabilities which could allow local files to be + read or arbitrary PHP code to be executed, under the privileges of the web + server process. +

+
+ +

+ An attacker could read local files or execute arbitrary code with the + permissions of the user running the host web server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ It is recommended that all Gentoo Linux users who are running + www-apps/phpsysinfo upgrade to the fixed version: +

+ + # emerge sync + # emerge -pv '>=www-apps/phpsysinfo-2.1-r1' + # emerge '>=www-apps/phpsysinfo-2.1-r1' + # emerge clean +
+ + CAN-2003-0536 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200311-08.xml b/xml/htdocs/security/en/glsa/glsa-200311-08.xml
new file mode 100644
index 00000000..28315f90
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200311-08.xml
@@ -0,0 +1,57 @@ + + + + + + + Libnids: remote code execution vulnerability + + Libnids contains a bug which could allow remote code execution. + + Libnids + 2003-11-22 + 2003-11-22: 01 + 32724 + remote + + + 1.18 + 1.17 + + + +

+ Libnids is a component of a network intrusion detection system. +

+
+ +

+ There is a bug in the part of libnids code responsible for TCP reassembly. + The flaw probably allows remote code execution. +

+
+ +

+ A remote attacker could possibly execute arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ It is recommended that all Gentoo Linux users who are running + net-libs/libnids update their systems as follows: +

+ + # emerge sync + # emerge -pv '>=net-libs/libnids-1.18' + # emerge '>=net-libs/libnids-1.18' + # emerge clean +
+ + CAN-2003-0850 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200312-01.xml b/xml/htdocs/security/en/glsa/glsa-200312-01.xml
new file mode 100644
index 00000000..81d8ddc8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200312-01.xml
@@ -0,0 +1,81 @@ + + + + + + + rsync.gentoo.org: rotation server compromised + + A server in the rsync.gentoo.org rotation was compromised. + + rsync mirror + 2003-12-02 + 2003-12-02: 01 + + + + +

+ The rsync.gentoo.org rotation of servers provides an up to date Portage + tree using the rsync file transfer protocol. +

+
+ +

+ On December 2nd at approximately 03:45 UTC, one of the servers that makes up + the rsync.gentoo.org rotation was compromised via a remote exploit. At this + point, we are still performing forensic analysis. However, the compromised + system had both an IDS and a file integrity checker installed and we have a + very detailed forensic trail of what happened once the box was breached, so + we are reasonably confident that the portage tree stored on that box was + unaffected. +

+

+ The attacker appears to have installed a rootkit and modified/deleted some + files to cover their tracks, but left the server otherwise untouched. The + box was in a compromised state for approximately one hour before it was + discovered and shut down. During this time, approximately 20 users + synchronized against the portage mirror stored on this box. The method used + to gain access to the box remotely is still under investigation. We will + release more details once we have ascertained the cause of the remote + exploit. +

+

+ This box is not an official Gentoo infrastructure box and is instead donated + by a sponsor. The box provides other services as well and the sponsor has + requested that we not publicly identify the box at this time. Because the + Gentoo part of this box appears to be unaffected by this exploit, we are + currently honoring the sponsor's request. That said, if at any point, we + determine that any file in the portage tree was modified in any way, we will + release full details about the compromised server. +

+
+ +

+ There is no known impact at this time. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Again, based on the forensic analysis done so far, we are reasonably + confident that no files within the Portage tree on the box were affected. + However, the server has been removed from all rsync.*.gentoo.org rotations + and will remain so until the forensic analysis has been completed and the + box has been wiped and rebuilt. Thus, users preferring an extra level of + security may ensure that they have a correct and accurate portage tree by + running: +

+ + # emerge sync +

+ Which will perform a sync against another server and ensure that all files + are up to date. +

+
+ +
diff --git a/xml/htdocs/security/en/glsa/glsa-200312-03.xml b/xml/htdocs/security/en/glsa/glsa-200312-03.xml
new file mode 100644
index 00000000..8f1d6714
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200312-03.xml
@@ -0,0 +1,77 @@ + + + + + + + rsync: exploitable heap overflow + + rsync contains a heap overflow vulnerability that can be used to execute + arbitrary code. + + rsync + 2003-12-04 + 2003-12-04: 01 + remote + + + 2.5.7 + 2.5.7 + + + +

+ rsync is a popular file transfer package used to synchronize the Portage + tree. +

+
+ +

+ Rsync version 2.5.6 contains a vulnerability that can be used to run + arbitrary code. The Gentoo infrastructure team has some reasonably good + forensic evidence that this exploit may have been used in combination with + the Linux kernel do_brk() vulnerability (see GLSA 200312-02) to exploit a + rsync.gentoo.org rotation server (see GLSA-200312-01.) +

+

+ Please see http://lwn.net/Articles/61541/ for the security advisory released + by the rsync development team. +

+
+ +

+ A remote attacker could execute arbitrary code with the permissions of the + root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ To address this vulnerability, all Gentoo users should read GLSA-200312-02 + and ensure that all systems are upgraded to a version of the Linux kernel + without the do_brk() vulnerability, and upgrade to version 2.5.7 of rsync: +

+ + # emerge sync + # emerge -pv '>=net-misc/rsync-2.5.7' + # emerge '>=net-misc/rsync-2.5.7' + # emerge clean +

+ Review your /etc/rsync/rsyncd.conf configuration file; ensure that the use + chroot="no" command is commented out or removed, or change use chroot="no" + to use chroot="yes". Then, if necessary, restart rsyncd: +

+ + # /etc/init.d/rsyncd restart +
+ + Rsync Security Advisory + CAN-2003-0962 + GLSA-200312-02 + GLSA-200312-01 + +
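Review bot: The Resolution and References of this advisory depend on GLSA-200312-02 for the do_brk() kernel fix, but in this chunk the added advisories jump from glsa-200312-01.xml straight to glsa-200312-03.xml, so unless that file lands elsewhere in the commit the cross-reference will render as a dead link; please confirm the target exists before publishing. The rsyncd.conf guidance in the Resolution quotes the setting as `use chroot="no"`, whereas rsyncd.conf takes the unquoted form `use chroot = no` / `use chroot = yes`; a reader who copies the quoted form into the file would not toggle the option as intended. The Description's lwn.net URL is given as bare text rather than as a reference entry, so it may not be rendered as a link alongside the others in References.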
diff --git a/xml/htdocs/security/en/glsa/glsa-200312-04.xml b/xml/htdocs/security/en/glsa/glsa-200312-04.xml
new file mode 100644
index 00000000..29953115
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200312-04.xml
@@ -0,0 +1,68 @@ + + + + + + + CVS: malformed module request vulnerability + + A bug in cvs could allow attempts to create files and directories outside a + repository. + + CVS + 2003-12-08 + 2003-12-08: 01 + 35371 + unknown + + + 1.11.10 + 1.11.9 + + + +

+ CVS, which stands for Concurrent Versions System, is a client/server + application which tracks changes to sets of files. It allows multiple users + to work concurrently on files, and then merge their changes back into the + main tree (which can be on a remote system). It also allows branching, or + maintaining separate versions for files. +

+
+ +

+ Quote from ccvs.cvshome.org/servlets/NewsItemView?newsID=84: + "Stable CVS 1.11.10 has been released. Stable releases contain only bug + fixes from previous versions of CVS. This release fixes a security issue + with no known exploits that could cause previous versions of CVS to attempt + to create files and directories in the filesystem root. This release also + fixes several issues relevant to case insensitive filesystems and some other + bugs. We recommend this upgrade for all CVS clients and servers!" +

+
+ +

+ Attempts to create files and directories outside the repository may be + possible. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Gentoo Linux machines with cvs installed should be updated to use + dev-util/cvs-1.11.10 or higher: +

+ + # emerge sync + # emerge -pv '>=dev-util/cvs-1.11.10' + # emerge '>=dev-util/cvs-1.11.10' + # emerge clean +
+ + CAN-2003-0977 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200312-05.xml b/xml/htdocs/security/en/glsa/glsa-200312-05.xml
new file mode 100644
index 00000000..bb254c01
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200312-05.xml
@@ -0,0 +1,74 @@ + + + + + + + GnuPG: ElGamal signing keys compromised and format string vulnerability + + A bug in GnuPG allows ElGamal signing keys to be compromised, and a format + string bug in the gpgkeys_hkp utility may allow arbitrary code execution. + + GnuPG + 2003-12-12 + 2003-12-12: 01 + 34504 + unknown + + + 1.2.3-r5 + 1.2.3-r4 + + + +

+ GnuPG is a popular open source signing and encryption tool. +

+
+ +

+ Two flaws have been found in GnuPG 1.2.3. +

+

+ First, ElGamal signing keys can be compromised. These keys are not commonly + used, but this is "a significant security failure which can lead to a + compromise of almost all ElGamal keys used for signing. Note that this is a + real world vulnerability which will reveal your private key within a few + seconds". +

+

+ Second, there is a format string flaw in the 'gpgkeys_hkp' utility which + "would allow a malicious keyserver in the worst case to execute an arbitrary + code on the user's machine." +

+
+ +

+ If you have used ElGamal keys for signing your private key can be + compromised, and a malicious keyserver could remotely execute arbitrary code + with the permissions of the user running gpgkeys_hkp. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All users who have created ElGamal signing keys should immediately revoke + them. In addition, all Gentoo Linux machines with gnupg installed should be + updated to use gnupg-1.2.3-r5 or higher: +

+ + # emerge sync + # emerge -pv '>=app-crypt/gnupg-1.2.3-r5' + # emerge '>=app-crypt/gnupg-1.2.3-r5' + # emerge clean +
+ + CAN-2003-0971 + GnuPG Announcement + S-Quadra Advisory + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200312-06.xml b/xml/htdocs/security/en/glsa/glsa-200312-06.xml
new file mode 100644
index 00000000..1d0ba5e2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200312-06.xml
@@ -0,0 +1,66 @@ + + + + + + + XChat: malformed dcc send request denial of service + + A bug in XChat could allow malformed dcc send requests to cause a denial of + service. + + xchat + 2003-12-14 + 2003-12-14: 01 + 35623 + remote + + + 2.0.6-r1 + 2.0.6 + + + +

+ XChat is a multiplatform IRC client. +

+
+ +

+ There is a remotely exploitable bug in XChat 2.0.6 that could lead to a + denial of service attack. Gentoo wishes to thank lloydbates for discovering + this bug, as well as jcdutton and rac for submitting patches to fix the bug. +

+
+ +

+ A malformed DCC packet sent by a remote attacker can cause XChat to crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ For Gentoo users, xchat-2.0.6 was marked ~arch (unstable) for most + architectures. Since it was never marked as stable in the portage tree, + only xchat users who have explictly added the unstable keyword to + ACCEPT_KEYWORDS are affected. Users may updated affected machines to the + patched version of xchat using the following commands: +

+ + # emerge sync + # emerge -pv '>=net-irc/xchat-2.0.6-r1' + # emerge '>=net-irc/xchat-2.0.6-r1' + # emerge clean +

+ This assumes that users are running with ACCEPT_KEYWORDS enabled for their + architecture. +

+
+ + XChat Announcement + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200312-07.xml b/xml/htdocs/security/en/glsa/glsa-200312-07.xml
new file mode 100644
index 00000000..1f6b5efc
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200312-07.xml
@@ -0,0 +1,76 @@ + + + + + + + Two buffer overflows in lftp + + Two buffer overflow problems are found in lftp that, in case the user visits + a malicious ftp server, could lead to malicious code being executed. + + lftp + December 13, 2003 + 200312-07: 2 + 35866 + remote + + + 2.6.10 + 2.6.10 + + + +

+ lftp is a multithreaded command-line based FTP client. It allows you to + execute multiple commands simultaneously or in the background. If features + mirroring capabilities, resuming downloads, etc. +

+
+ +

+ Two buffer overflows exist in lftp. Both can occur when the user connects to + a malicious web server using the HTTP or HTTPS protocol and issues lftp's + "ls" or "rels" commands. +

+

+ Ulf Harnhammar explains: +

+

+ Technically, the problem lies in the file src/HttpDir.cc and the + functions try_netscape_proxy() and try_squid_eplf(), which both + have sscanf() calls that take data of an arbitrary length and + store it in a char array with 32 elements. (Back in version 2.3.0, + the problematic code was located in some other function, but the + problem existed back then too.) Depending on the HTML document in the + specially prepared directory, buffers will be overflown in either one + function or the other. +

+
+ +

+ When a user issues "ls" or "rels" on a malicious server, the tftp + application can be tricked into running arbitrary code on the user his + machine. +

+
+ +

+ There is no workaround available. +

+
+ +

+ All Gentoo users who have net-ftp/lftp installed should update to use + version 2.6.0 or higher using these commands: +

+ + # emerge sync + # emerge -pv '>=net-ftp/lftp-2.6.10' + # emerge '>=net-ftp/lftp-2.6.10' + # emerge clean +
+ + Initial report by Ulf Harnhammar + +
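Review bot: The Resolution paragraph tells users to update to "version 2.6.0 or higher" while the unaffected version in the header and the emerge atoms directly below the paragraph are 2.6.10; the prose should read `version 2.6.10 or higher` so that readers do not stop at an older, still-vulnerable release. The Impact paragraph names "the tftp application" where the product is lftp, and the Synopsis speaks of "a malicious ftp server" while the Description (quoting the reporter) says the overflow is triggered by a malicious web server reached over HTTP or HTTPS, so one of the two should be corrected to keep the advisory consistent about the attack surface. The revision field `200312-07: 2` also departs from the `YYYY-MM-DD: NN` form used by the other advisories in this commit, which may trip any tooling that parses it.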
diff --git a/xml/htdocs/security/en/glsa/glsa-200312-08.xml b/xml/htdocs/security/en/glsa/glsa-200312-08.xml
new file mode 100644
index 00000000..57872052
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200312-08.xml
@@ -0,0 +1,66 @@ + + + + + + + CVS: possible root compromise when using CVS pserver + + A possible root compromise exists for CVS pservers. + + cvs + 2003-12-28 + 2003-12-28: 01 + 36142 + unknown + + + 1.11.11 + 1.11.10 + + + +

+ CVS, which stands for Concurrent Versions System, is a client/server + application which tracks changes to sets of files. It allows multiple users + to work concurrently on files, and then merge their changes back into the + main tree (which can be on a remote system). It also allows branching, or + maintaining separate versions for files. +

+
+ +

+ Quote from ccvs.cvshome.org/servlets/NewsItemView?newsID=88: + "Stable CVS 1.11.11 has been released. Stable releases contain only bug + fixes from previous versions of CVS. This release adds code to the CVS + server to prevent it from continuing as root after a user login, as an extra + failsafe against a compromise of the CVSROOT/passwd file. Previously, any + user with the ability to write the CVSROOT/passwd file could execute + arbitrary code as the root user on systems with CVS pserver access enabled. + We recommend this upgrade for all CVS servers!" +

+
+ +

+ A remote user could execute arbitrary code with the permissions of the root + user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Gentoo Linux machines with cvs installed should be updated to use + cvs-1.11.11 or higher. +

+ + # emerge sync + # emerge -pv '>=dev-util/cvs-1.11.11' + # emerge '>=dev-util/cvs-1.11.11' + # emerge clean +
+ +
diff --git a/xml/htdocs/security/en/glsa/glsa-200401-01.xml b/xml/htdocs/security/en/glsa/glsa-200401-01.xml new file mode 100644 index 00000000..0716288f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200401-01.xml @@ -0,0 +1,230 @@ + + + + + + + Linux kernel do_mremap() local privilege escalation vulnerability + + A critical security vulnerability has been found in recent Linux kernels + which allows for local privelege escalation. + + Kernel + January 08, 2004 + January 08, 2004: 01 + 37292 + local + + + 2.4.23-r1 + 2.4.23-r1 + + + 2.4.21-r2 + 2.4.21-r2 + + + 2.4.19-r2 + 2.4.19-r2 + + + 2.4.23-r1 + 2.4.23-r1 + + + 2.4.9.32.7-r1 + 2.4.9.32.7-r1 + + + 2.6.1_rc3 + 2.6.1_rc3 + + + 2.4.20-r7 + 2.4.20-r7 + + + 2.6.1_rc3 + 2.6.1_rc3 + + + 2.4.22-r3 + 2.4.22-r3 + + + 2.4.23.2.0_rc4-r1 + 2.4.23.2.0_rc4-r1 + + + 2.4.23_pre8-r2 + 2.4.23_pre8-r2 + + + 2.4.22-r2 + 2.4.22-r2 + + + 2.4.23_p4-r2 + 2.4.23_p4-r2 + + + 2.4.22-r2 + 2.4.22-r2 + + + 2.4.24_pre2-r1 + 2.4.24_pre2-r1 + + + 2.4.23-r2 + 2.4.23-r2 + + + 2.6.1_rc1-r2 + 2.6.1_rc1-r2 + + + 2.4.22-r3 + 2.4.22-r3 + + + 2.4.23-r1 + 2.4.23-r1 + + + 2.4.21.1_pre4-r1 + 2.4.21.1_pre4-r1 + + + 2.4.21-r4 + 2.4.21-r4 + + + 2.6.1_rc1-r1 + 2.6.1_rc1-r1 + + + 2.4.23-r1 + 2.4.23-r1 + + + 2.4.22-r4 + 2.4.22-r4 + + + 2.4.20-r2 + 2.4.20-r2 + + + 2.4.24 + 2.4.24 + + + 2.6.1_rc2 + 2.6.1_rc2 + + + 2.4.24 + 2.4.24 + + + 2.4.23-r1 + 2.4.23-r1 + + + 2.4.25_pre4 + 2.4.25_pre4 + + + 2.4.24 + 2.4.24 + + + 2.6.0-r1 + 2.6.0-r1 + + + 4.10_pre7-r2 + 4.10_pre7-r2 + + + 2.4.23-r1 + 2.4.23-r1 + + + +

+ The Linux kernel is responsible for memory management in a working + system - to allow this, processes are allowed to allocate and unallocate + memory. +

+
+ +

+ The memory subsystem allows for shrinking, growing, and moving of + chunks of memory along any of the allocated memory areas which the kernel + posesses. +

+

+ A typical virtual memory area covers at least one memory page. An incorrect + bound check discovered inside the do_mremap() kernel code performing + remapping of a virtual memory area may lead to creation of a virtual memory + area of 0 bytes length. +

+

+ The problem is based on the general mremap flaw that remapping 2 pages from + inside a VMA creates a memory hole of only one page in length but an + additional VMA of two pages. In the case of a zero sized remapping request + no VMA hole is created but an additional VMA descriptor of 0 + bytes in length is created. +

+

+ This advisory also addresses an information leak in the Linux RTC system. +

+
+ +

+ Arbitrary code may be able to exploit this vulnerability and may + disrupt the operation of other + parts of the kernel memory management subroutines finally leading to + unexpected behavior. +

+

+ Since no special privileges are required to use the mremap(2) system call + any process may misuse its unexpected behavior to disrupt the kernel memory + management subsystem. Proper exploitation of this vulnerability may lead to + local privilege escalation including execution of arbitrary code + with kernel level access. +

+

+ Proof-of-concept exploit code has been created and successfully tested, + permitting root escalation on vulnerable systems. As a result, all users + should upgrade their kernels to new or patched versions. +

+
+ +

+ There is no temporary workaround - a kernel upgrade is required. A list + of unaffected kernels is provided along with this announcement. +

+
+ +

+ Users are encouraged to upgrade to the latest available sources for + their system: +

+ + $> emerge sync + $> emerge -pv your-favourite-sources + $> emerge your-favourite-sources + $> # Follow usual procedure for compiling and installing a kernel. + $> # If you use genkernel, run genkernel as you would do normally. + + $> # IF YOUR KERNEL IS MARKED as "remerge required!" THEN + $> # YOU SHOULD UPDATE YOUR KERNEL EVEN IF PORTAGE + $> # REPORTS THAT THE SAME VERSION IS INSTALLED. +
+ + Vulnerability + +
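Review bot: The References section of this advisory carries only a bare "Vulnerability" link with no CAN identifier, unlike the neighbouring advisories in this commit which list their CAN ids (the rsync, CVS and GnuPG entries, for example); if an identifier was assigned it should be added so the advisory can be cross-indexed. The Synopsis has "privelege" and the Description "posesses"; suggested `which allows for local privilege escalation.` and `which the kernel possesses.` The Resolution uses a `$>` prompt while every other advisory here uses `#`, which is conventionally the root prompt, so aligning it would avoid suggesting the steps run unprivileged.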
diff --git a/xml/htdocs/security/en/glsa/glsa-200401-02.xml b/xml/htdocs/security/en/glsa/glsa-200401-02.xml
new file mode 100644
index 00000000..5cd9b2be
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200401-02.xml
@@ -0,0 +1,63 @@ + + + + + + + Honeyd remote detection vulnerability via a probe packet + + Identification of Honeyd installations allows an adversary to launch + attacks specifically against Honeyd. No remote root exploit is currently + known. + + honeyd + January 21, 2004 + January 21, 2004: 01 + 38934 + remote + + + 0.8 + 0.8 + + + +

+ Honeyd is a virtual honeypot daemon that can simulate virtual hosts on + unallocated IP addresses. +

+
+ +

+ A bug in handling NMAP fingerprints caused Honeyd to reply to TCP + packets with both the SYN and RST flags set. Watching for replies, it is + possible to detect IP addresses simulated by Honeyd. +

+
+ +

+ Although there are no public exploits known for Honeyd, the detection + of Honeyd IP addresses may in some cases be undesirable. +

+
+ +

+ Honeyd 0.8 has been released along with an advisory to address this + issue. In addition, Honeyd 0.8 drops privileges if permitted by the + configuration file and contains command line flags to force dropping + of privileges. +

+
+ +

+ All users are recommended to update to honeyd version 0.8: +

+ + $> emerge sync + $> emerge -pv ">=net-analyzer/honeyd-0.8" + $> emerge ">=net-analyzer/honeyd-0.8" +
+ + Honeyd Security Advisory 2004-001 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200401-03.xml b/xml/htdocs/security/en/glsa/glsa-200401-03.xml
new file mode 100644
index 00000000..affef9ae
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200401-03.xml
@@ -0,0 +1,69 @@ + + + + + + + Apache mod_python Denial of Service vulnerability + + Apache's mod_python module could crash the httpd process if a specific, + malformed query string was sent. + + mod_python + January 27, 2004 + December 30, 2007: 02 + 39154 + remote + + + 2.7.10 + 2.7.10 + + + +

+ Mod_python is an Apache module that embeds the Python interpreter + within the server allowing Python-based web-applications to be + created. +

+
+ +

+ The Apache Foundation has reported that mod_python may be prone to + Denial of Service attacks when handling a malformed + query. Mod_python 2.7.9 was released to fix the vulnerability, + however, because the vulnerability has not been fully fixed, + version 2.7.10 has been released. +

+

+ Users of mod_python 3.0.4 are not affected by this vulnerability. +

+
+ +

+ Although there are no known public exploits known for this + exploit, users are recommended to upgrade mod_python to ensure the + security of their infrastructure. +

+
+ +

+ Mod_python 2.7.10 has been released to solve this issue; there is + no immediate workaround. +

+
+ +

+ All users using mod_python 2.7.9 or below are recommended to + update their mod_python installation: +

+ + $> emerge sync + $> emerge -pv ">=www-apache/mod_python-2.7.10" + $> emerge ">=www-apache/mod_python-2.7.10" + $> /etc/init.d/apache restart +
+ + Mod_python 2.7.10 release announcement + +
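Review bot: The Impact paragraph reads "there are no known public exploits known for this exploit", which repeats "known" and conflates the exploit with the vulnerability; suggested `Although there are no known public exploits for this vulnerability, users are recommended to upgrade mod_python to ensure the security of their infrastructure.` The Description also says 2.7.9 "was released to fix the vulnerability, however, because the vulnerability has not been fully fixed, version 2.7.10 has been released", which would read more clearly as `Mod_python 2.7.9 was released to fix the vulnerability; because that fix was incomplete, version 2.7.10 has been released.`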
diff --git a/xml/htdocs/security/en/glsa/glsa-200401-04.xml b/xml/htdocs/security/en/glsa/glsa-200401-04.xml
new file mode 100644
index 00000000..1291d6b2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200401-04.xml
@@ -0,0 +1,80 @@ + + + + + + + GAIM 0.75 Remote overflows + + Various overflows in the handling of AIM DirectIM packets was revealed in + GAIM that could lead to a remote compromise of the IM client. + + GAIM + January 26, 2004 + January 26, 2004: 01 + 39470 + man-in-the-middle + + + 0.75-r7 + 0.75-r7 + + + +

+ Gaim is a multi-platform and multi-protocol instant messaging + client. It is compatible with AIM , ICQ, MSN Messenger, Yahoo, + IRC, Jabber, Gadu-Gadu, and the Zephyr networks. +

+
+ +

+ Yahoo changed the authentication methods to their IM servers, + rendering GAIM useless. The GAIM team released a rushed release + solving this issue, however, at the same time a code audit + revealed 12 new vulnerabilities. +

+
+ +

+ Due to the nature of instant messaging many of these bugs require + man-in-the-middle attacks between the client and the server. But + the underlying protocols are easy to implement and attacking + ordinary TCP sessions is a fairly simple task. As a result, all + users are advised to upgrade their GAIM installation. +

+
    +
  • + Users of GAIM 0.74 or below are affected by 7 of the + vulnerabilities and are encouraged to upgrade. +
  • +
  • + Users of GAIM 0.75 are affected by 11 of the vulnerabilities + and are encouraged to upgrade to the patched version of GAIM + offered by Gentoo. +
  • +
  • + Users of GAIM 0.75-r6 are only affected by + 4 of the vulnerabilities, but are still urged to upgrade to + maintain security. +
  • +
+
+ +

+ There is no immediate workaround; a software upgrade is required. +

+
+ +

+ All users are recommended to upgrade GAIM to 0.75-r7. +

+ + $> emerge sync + $> emerge -pv ">=net-im/gaim-0.75-r7" + $> emerge ">=net-im/gaim-0.75-r7" +
+ + Security advisory from Stefan Esser + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200402-01.xml b/xml/htdocs/security/en/glsa/glsa-200402-01.xml
new file mode 100644
index 00000000..5cff9f88
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200402-01.xml
@@ -0,0 +1,75 @@ + + + + + + + PHP setting leaks from .htaccess files on virtual hosts + + If the server configuration "php.ini" file has + "register_globals = on" and a request is made to one virtual host + (which has "php_admin_flag register_globals off") and the next + request is sent to the another virtual host (which does not have the + setting) global variables may leak and may be used to exploit the + site. + + PHP + February 07, 2004 + February 07, 2004: 01 + 39952 + remote + + + 4.3.4-r4 + 4.3.4-r4 + + + +

+ PHP is a widely-used general-purpose scripting language that is + especially suited for Web development and can be embedded into HTML. +

+
+ +

+ If the server configuration "php.ini" file has + "register_globals = on" and a request is made to one virtual host + (which has "php_admin_flag register_globals off") and the next + request is sent to the another virtual host (which does not have the + setting) through the same apache child, the setting will persist. +

+
+ +

+ Depending on the server and site, an attacker may be able to exploit + global variables to gain access to reserved areas, such as MySQL passwords, + or this vulnerability may simply cause a lack of functionality. As a + result, users are urged to upgrade their PHP installations. +

+

+ Gentoo ships PHP with "register_globals" set to "off" + by default. +

+

+ This issue affects both servers running Apache 1.x and servers running + Apache 2.x. +

+
+ +

+ No immediate workaround is available; a software upgrade is required. +

+
+ +

+ All users are recommended to upgrade their PHP installation to 4.3.4-r4: +

+ + # emerge sync + # emerge -pv ">=dev-php/mod_php-4.3.4-r4" + # emerge ">=dev-php/mod_php-4.3.4-r4" +
+ + Corresponding PHP bug + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200402-02.xml b/xml/htdocs/security/en/glsa/glsa-200402-02.xml
new file mode 100644
index 00000000..c96c3326
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200402-02.xml
@@ -0,0 +1,94 @@ + + + + + + + XFree86 Font Information File Buffer Overflow + + Exploitation of a buffer overflow in the XFree86 Project Inc.'s XFree86 X + Window System allows local attackers to gain root privileges. + + 200402-02 + February 11, 2004 + February 11, 2004: 01 + local + + + 4.3.99.902-r1 + 4.2.1-r3 + 4.3.0-r4 + 4.3.99.902-r1 + + + +

+ XFree86, provides a client/server interface between display + hardware and the desktop environment while also providing both the + windowing infrastructure and a standardized API. XFree86 is + platform independent, network-transparent and extensible. +

+
+ +

+ Exploitation of a buffer overflow in The XFree86 Window System + discovered by iDefence allows local attackers to gain root + privileges. +

+

+ The problem exists in the parsing of the 'font.alias' file. The X + server (running as root) fails to check the length of the user + provided input, so a malicious user may craft a malformed + 'font.alias' file causing a buffer overflow upon parsing, + eventually leading to the execution of arbitrary code. +

+

+ To reproduce the overflow on the command line one can run: +

+ + # cat > fonts.dir <<EOF + 1 + word.bdf -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1 + EOF + # perl -e 'print "0" x 1024 . "A" x 96 . "\n"' > fonts.alias + # X :0 -fp $PWD +

+ {Some output removed}... Server aborting... Segmentation fault (core dumped) +

+
+ +

+ Successful exploitation can lead to a root compromise provided + that the attacker is able to execute commands in the X11 + subsystem. This can be done either by having console access to the + target or through a remote exploit against any X client program + such as a web-browser, mail-reader or game. +

+
+ +

+ No immediate workaround is available; a software upgrade is required. +

+

+ Gentoo has released XFree 4.2.1-r3, 4.3.0-r4 and 4.3.99.902-r1 and + encourages all users to upgrade their XFree86 + installations. Vulnerable versions are no longer available in + Portage. +

+
+ +

+ All users are recommended to upgrade their XFree86 installation: +

+ + # emerge sync + # emerge -pv x11-base/xfree + # emerge x11-base/xfree +
+ + CVE: CAN-2004-0083 + Vulnerability: + XFree86 Font Information File Buffer Overflow + +
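Review bot: The header slot that holds the product name in every other advisory of this commit (`phpSysInfo`, `GnuPG`, `xchat`, …) contains the advisory number `200402-02` here; it should read `XFree86`, and the header also appears to lack the bug-tracker number the other entries carry, which is worth confirming. The Description refers to the 'font.alias' file while the reproduction steps write fonts.alias, so the Description should use `'fonts.alias'` for consistency. The version list `4.3.99.902-r1 / 4.2.1-r3 / 4.3.0-r4 / 4.3.99.902-r1` reads like a mixed unaffected-and-vulnerable set matching the three releases named in the Workaround section; please double-check the range attributes on those entries, since a mislabelled range would present a fixed version as vulnerable or vice versa.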
diff --git a/xml/htdocs/security/en/glsa/glsa-200402-03.xml b/xml/htdocs/security/en/glsa/glsa-200402-03.xml
new file mode 100644
index 00000000..ffeefb17
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200402-03.xml
@@ -0,0 +1,61 @@ + + + + + + + Monkeyd Denial of Service vulnerability + + A bug in get_real_string() function allows for a Denial of Service attack to be + launched against the webserver. + + monkeyd + February 11, 2004 + February 11, 2004: 01 + 41156 + remote + + + 0.8.2 + 0.8.2 + + + +

+ The Monkey HTTP daemon is a Web server written in C that works + under Linux and is based on the HTTP/1.1 protocol. It aims to develop + a fast, efficient and small web server. +

+
+ +

+ A bug in the URI processing of incoming requests allows for a Denial of + Service to be launched against the webserver, which may cause the server + to crash or behave sporadically. +

+
+ +

+ Although there are no public exploits known for bug, users are recommended + to upgrade to ensure the security of their infrastructure. +

+
+ +

+ There is no immediate workaround; a software upgrade is + required. The vulnerable function in the code has been rewritten. +

+
+ +

+ All users are recommended to upgrade monkeyd to 0.8.2: +

+ + # emerge sync + # emerge -pv ">=www-servers/monkeyd-0.8.2" + # emerge ">=www-servers/monkeyd-0.8.2" +
+ + CVS Patch + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200402-04.xml b/xml/htdocs/security/en/glsa/glsa-200402-04.xml new file mode 100644 index 00000000..407a1987 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200402-04.xml @@ -0,0 +1,67 @@ + + + + + + + Gallery 1.4.1 and below remote exploit vulnerability + + The Gallery developers have discovered a potentially serious security flaw + in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1 which can allow a + remote exploit of your webserver. + + Gallery + February 11, 2004 + February 11, 2004: 01 + 39638 + remote + + + 1.4.1_p1 + 1.4.1_p1 + + + +

+ Gallery is an open source image management system written in PHP. + More information is available at http://gallery.sourceforge.net +

+
+ +

+ Starting in the 1.3.1 release, Gallery includes code to simulate the behaviour + of the PHP 'register_globals' variable in environments where that setting + is disabled. It is simulated by extracting the values of the various + $HTTP_ global variables into the global namespace. +

+
+ +

+ A crafted URL such as + http://example.com/gallery/init.php?HTTP_POST_VARS=xxx causes the + 'register_globals' simulation code to overwrite the $HTTP_POST_VARS which, + when it is extracted, will deliver the given payload. If the + payload compromises $GALLERY_BASEDIR then the malicious user can perform a + PHP injection exploit and gain remote access to the webserver with PHP + user UID access rights. +

+
+ +

+ The workaround for the vulnerability is to replace init.php and + setup/init.php with the files in the following ZIP file: + http://prdownloads.sourceforge.net/gallery/patch_1.4.1-to-1.4.1-pl1.zip?download +

+
+ +

+ All users are encouraged to upgrade their gallery installation: +

+ + # emerge sync + # emerge -p ">=www-apps/gallery-1.4.1_p1" + # emerge ">=www-apps/gallery-1.4.1_p1" +
+ + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200402-05.xml b/xml/htdocs/security/en/glsa/glsa-200402-05.xml new file mode 100644 index 00000000..3b84cf46 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200402-05.xml @@ -0,0 +1,67 @@ + + + + + + + phpMyAdmin < 2.5.6-rc1: possible attack against export.php + + A vulnerability in phpMyAdmin which was not properly verifying user + generated input could lead to a directory traversal attack. + + phpmyadmin + February 17, 2004 + February 17, 2004: 01 + 40268 + remote + + + 2.5.6_rc1 + 2.5.5_p1 + + + +

+ phpMyAdmin is a tool written in PHP intended to handle the administration + of MySQL databased over the Web. +

+
+ +

+ One component of the phpMyAdmin software package (export.php) does not + properly verify input that is passed to it from a remote user. Since the + input is used to include other files, it is possible to launch a directory + traversal attack. +

+
+ +

+ Private information could be gleaned from the remote server if an attacker + uses a malformed URL such as http://phpmyadmin.example.com/export.php?what=../../../[existing_file] +

+

+ In this scenario, the script does not sanitize the "what" argument passed + to it, allowing directory traversal attacks to take place, disclosing + the contents of files if the file is readable as the web-server user. +

+
+ +

+ The workaround is to either patch the export.php file using the + referenced CVS patch or upgrade the software via Portage. +

+
+ +

+ Users are encouraged to upgrade to phpMyAdmin-2.5.6_rc1: +

+ + # emerge sync + # emerge -pv ">=dev-db/phpmyadmin-2.5.6_rc1" + # emerge ">=dev-db/phpmyadmin-2.5.6_rc1" + # emerge clean +
+ + CVS Patch + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200402-06.xml b/xml/htdocs/security/en/glsa/glsa-200402-06.xml new file mode 100644 index 00000000..fbbcf64e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200402-06.xml @@ -0,0 +1,92 @@ + + + + + + + Updated kernel packages fix the AMD64 ptrace vulnerability + + A vulnerability has been discovered by in the ptrace emulation code for + AMD64 platforms when eflags are processed, allowing a local user to obtain + elevated priveleges. + + Kernel + February 17, 2004 + February 17, 2004: 01 + local + + + 2.6.2 + 2.6.2 + + + 2.6.2 + 2.6.2 + + + 2.6.2 + 2.6.2 + + + 2.4.22-r6 + 2.4.22-r6 + + + 2.6.2-r1 + 2.6.2 + + + 2.4.25_pre7-r1 + 2.4.25_pre7-r1 + + + 2.4.25_rc3 + 2.4.25_rc3 + + + 2.4.24-r1 + 2.4.24-r1 + + + +

+ A vulnerability has been discovered by Andi Kleen in the ptrace emulation + code for AMD64 platforms when eflags are processed, allowing a local user + to obtain elevated priveleges. The Common Vulnerabilities and Exposures + project, http://cve.mitre.org, has assigned CAN-2004-0001 to this issue. +

+
+ +

+ Only users of the AMD64 platform are affected: in this scenario, a user may + be able to obtain elevated priveleges, including root access. However, no + public exploit is known for the vulnerability at this time. +

+
+ +

+ There is no temporary workaround - a kernel upgrade is required. A list of + unaffected kernels is provided along with this announcement. +

+
+ +

+ Users are encouraged to upgrade to the latest available sources for + their system: +

+ + # emerge sync + # emerge -pv your-favourite-sources + # emerge your-favourite-sources + # # Follow usual procedure for compiling and installing a kernel. + # # If you use genkernel, run genkernel as you would do normally. + + + # # IF YOUR KERNEL IS MARKED as "remerge required!" THEN + # # YOU SHOULD UPDATE YOUR KERNEL EVEN IF PORTAGE + # # REPORTS THAT THE SAME VERSION IS INSTALLED. + +
+ + +
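Review bot: The synopsis near the top of this hunk reads "A vulnerability has been discovered by in the ptrace emulation code", dropping the discoverer's name that the description credits; it should read `A vulnerability has been discovered by Andi Kleen in the ptrace emulation code for AMD64 platforms when eflags are processed, allowing a local user to obtain elevated privileges.` (which also fixes the "priveleges" spelling that recurs in the description and impact). The description cites CAN-2004-0001, but the closing lines of the hunk carry no reference entry for it, unlike glsa-200403-01 in this same commit which lists its CVE; if the references element is present but empty, it should link the CAN id. The resolution's "remerge required!" note is the only hint that affected users may already show the fixed version string, so it is worth keeping that wording in sync with glsa-200403-02, which repeats it verbatim.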
diff --git a/xml/htdocs/security/en/glsa/glsa-200402-07.xml b/xml/htdocs/security/en/glsa/glsa-200402-07.xml new file mode 100644 index 00000000..89904223 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200402-07.xml @@ -0,0 +1,68 @@ + + + + + + + Clam Antivirus DoS vulnerability + + Oliver Eikemeier has reported a vulnerability in Clam AV, which can be + exploited by a malformed uuencoded message causing a denial of service for + programs that rely on the clamav daemon, such as SMTP daemons. + + clamav + February 17, 2004 + February 17, 2004: 01 + 41248 + remote + + + 0.67 + 0.67 + + + +

+ Clam AntiVirus is a GPLed anti-virus toolkit, designed for integration with + mail servers to perform attachment scanning. Clam AV also provides a + command line scanner and a tool for fetching updates of the virus database. +

+
+ +

+ Oliver Eikemeier of Fillmore Labs discovered the overflow in Clam AV 0.65 + when it handled malformed UUEncoded messages, causing the daemon to shut + down. +

+

+ The problem originated in libclamav which calculates the line length of an + uuencoded message by taking the ASCII value of the first character minus 64 + while doing an assertion if the length is not in the allowed range, + effectively terminating the calling program as clamav would not be + available. +

+
+ +

+ A malformed message would cause a denial of service, + and depending on the server configuration this may impact other daemons + relying on Clam AV in a fatal manner. +

+
+ +

+ There is no immediate workaround, a software upgrade is required. +

+
+ +

+ All users are urged to upgrade their Clam AV installations to Clam AV 0.67: +

+ + # emerge sync + # emerge -pv ">=app-antivirus/clamav-0.6.7" + # emerge ">=app-antivirus/clamav-0.6.7" +
+ + +
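Review bot: The resolution commands at the end of this hunk request `>=app-antivirus/clamav-0.6.7`, while the unaffected version in the package list and in the resolution text is 0.67. If Portage compares the atom as the three-component version 0.6.7, an installed 0.65 (the version the description names as affected) already satisfies it and no upgrade is pulled in, so the advisory would silently leave users vulnerable. The two lines should read `# emerge -pv ">=app-antivirus/clamav-0.67"` and `# emerge ">=app-antivirus/clamav-0.67"`. Like glsa-200402-06, the hunk's closing lines carry no reference entry for the issue, so a link to the upstream report would help readers confirm the fixed version.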
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-01.xml b/xml/htdocs/security/en/glsa/glsa-200403-01.xml new file mode 100644 index 00000000..0cde74d9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-01.xml @@ -0,0 +1,55 @@ + + + + + + + Libxml2 URI Parsing Buffer Overflow Vulnerabilities + + A buffer overflow has been discovered in libxml2 versions prior to + 2.6.6 which may be exploited by an attacker allowing the execution of + arbitrary code. + + libxml + March 05, 2004 + March 05, 2004: 01 + 42735 + local and remote combination + + + 2.6.6 + 2.6.6 + + + +

+ Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. + When the libxml2 library fetches a remote resource via FTP or HTTP, libxml2 + uses parsing routines that can overflow a buffer caused by improper bounds + checking if they are passed a URL longer than 4096 bytes. +

+
+ +

+ If an attacker is able to exploit an application using libxml2 that parses + remote resources, then this flaw could be used to execute arbitrary code. +

+
+ +

+ No workaround is available; users are urged to upgrade libxml2 to 2.6.6. +

+
+ +

+ All users are recommended to upgrade their libxml2 installation: +

+ + # emerge sync + # emerge -pv ">=dev-libs/libxml2-2.6.6" + # emerge ">=dev-libs/libxml2-2.6.6" +
+ + CVE 2004-0110 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-02.xml b/xml/htdocs/security/en/glsa/glsa-200403-02.xml new file mode 100644 index 00000000..6c91741f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-02.xml @@ -0,0 +1,244 @@ + + + + + + + Linux kernel do_mremap local privilege escalation vulnerability + + A critical security vulnerability has been found in recent Linux kernels by + Paul Starzetz of iSEC Security Research which allows for local privilege + escalations. + + Kernel + March 05, 2004 + May 22, 2006: 03 + 42024 + local + + + 2.4.23-r1 + 2.4.23-r1 + + + 2.4.21-r4 + 2.4.21-r4 + + + 2.4.24-r1 + 2.6.2-r1 + 2.6.2-r1 + + + 2.4.9.32.7-r2 + 2.4.9.32.7-r2 + + + 2.6.3_rc1 + 2.6.3_rc1 + + + 2.4.20-r8 + 2.4.20-r8 + + + 2.6.3_rc1 + 2.6.3_rc1 + + + 2.4.19-r11 + 2.4.20-r12 + 2.4.22-r7 + 2.4.22-r7 + + + 2.4.24.1.9.13-r1 + 2.4.24.1.9.13-r1 + + + 2.4.25_pre7-r2 + 2.4.25_pre7-r2 + + + 2.4.24-r1 + 2.4.24-r1 + + + 2.6.2_p3-r1 + 2.6.2_p3-r1 + + + 2.4.24_p0-r1 + 2.4.24_p0-r1 + + + 2.4.24-r1 + 2.4.24-r1 + + + 2.4.25_pre6-r1 + 2.4.25_pre6-r1 + + + 2.4.25_rc4 + 2.4.25_rc4 + + + 2.6.3_rc1-r1 + 2.6.3_rc1-r1 + + + 2.4.22-r4 + 2.4.22-r4 + + + 2.4.23-r3 + 2.4.23-r3 + + + 2.4.21-r5 + 2.4.21-r5 + + + 2.6.3_rc1-r1 + 2.6.3_rc1-r1 + + + 2.4.24-r1 + 2.4.24-r1 + + + 2.4.22-r5 + 2.4.22-r5 + + + 2.4.20-r3 + 2.4.20-r3 + + + 2.4.24-r2 + 2.4.24-r2 + + + 2.4.24-r2 + 2.4.24-r2 + + + 2.6.3_rc1 + 2.6.3_rc1 + + + 2.4.24-r2 + 2.4.24-r2 + + + 2.4.24-r1 + 2.4.26 + 2.6.3-r1 + 2.6.3-r1 + + + 2.4.25_rc4 + 2.4.25_rc4 + + + 2.4.25 + 2.4.25 + + + 2.4.23-r2 + 2.6.2-r1 + 2.6.2-r1 + + + 4.9-r4 + 4.10_pre7-r3 + 4.10_pre7-r3 + + + 2.4.24-r2 + 2.4.24-r2 + + + +

+ The Linux kernel is responsible for memory management in a working + system - to allow this, processes are allowed to allocate and + unallocate memory. +

+
+ +

+ The memory subsystem allows for shrinking, growing, and moving of + chunks of memory along any of the allocated memory areas which the + kernel posesses. +

+

+ To accomplish this, the do_mremap code calls the do_munmap() kernel + function to remove any old memory mappings in the new location - but, + the code doesn't check the return value of the do_munmap() function + which may fail if the maximum number of available virtual memory area + descriptors has been exceeded. +

+

+ Due to the missing return value check after trying to unmap the middle + of the first memory area, the corresponding page table entries from the + second new area are inserted into the page table locations described by + the first old one, thus they are subject to page protection flags of + the first area. As a result, arbitrary code can be executed. +

+
+ +

+ Arbitrary code with normal non-super-user privelerges may be able to + exploit this vulnerability and may disrupt the operation of other parts + of the kernel memory management subroutines finally leading to + unexpected behavior. +

+

+ Since no special privileges are required to use the mremap() and + mummap() system calls any process may misuse this unexpected behavior + to disrupt the kernel memory management subsystem. Proper exploitation + of this vulnerability may lead to local privilege escalation allowing + for the execution of arbitrary code with kernel level root access. +

+

+ Proof-of-concept exploit code has been created and successfully tested, + permitting root escalation on vulnerable systems. As a result, all + users should upgrade their kernels to new or patched versions. +

+
+ +

+ Users who are unable to upgrade their kernels may attempt to use + "sysctl -w vm.max_map_count=1000000", however, this is a temporary fix + which only solves the problem by increasing the number of memory areas + that can be created by each process. Because of the static nature of + this workaround, it is not recommended and users are urged to upgrade + their systems to the latest avaiable patched sources. +

+
+ +

+ Users are encouraged to upgrade to the latest available sources for + their system: +

+ + # emerge sync + # emerge -pv your-favourite-sources + # emerge your-favourite-sources + # # Follow usual procedure for compiling and installing a kernel. + # # If you use genkernel, run genkernel as you would do normally. + + # # IF YOUR KERNEL IS MARKED as "remerge required!" THEN + # # YOU SHOULD UPDATE YOUR KERNEL EVEN IF PORTAGE + # # REPORTS THAT THE SAME VERSION IS INSTALLED. +
+ + Advisory released by iSEC + CVE-2004-0077 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-03.xml b/xml/htdocs/security/en/glsa/glsa-200403-03.xml new file mode 100644 index 00000000..9088df95 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-03.xml @@ -0,0 +1,93 @@ + + + + + + + Multiple OpenSSL Vulnerabilities + + Three vulnerabilities have been found in OpenSSL via a commercial test + suite for the TLS protocol developed by Codenomicon Ltd. + + OpenSSL + March 17, 2004 + May 22, 2006: 02 + 44941 + remote + + + 0.9.7d + 0.9.6m + 0.9.7c + + + +

+ The OpenSSL Project is a collaborative effort to develop a robust, + commercial-grade, full-featured, and Open Source toolkit implementing + the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS + v1) protocols as well as a full-strength general purpose cryptography + library. +

+
+ +
    +
  1. + Testing performed by the OpenSSL group using the Codenomicon TLS Test + Tool uncovered a null-pointer assignment in the do_change_cipher_spec() + function. A remote attacker could perform a carefully crafted SSL/TLS + handshake against a server that used the OpenSSL library in such a way + as to cause OpenSSL to crash. Depending on the application this could + lead to a denial of service. All versions of OpenSSL from 0.9.6c to + 0.9.6l inclusive and from 0.9.7a to 0.9.7c inclusive are affected by + this issue. +
  2. +
  3. + A flaw has been discovered in SSL/TLS handshaking code when using + Kerberos ciphersuites. A remote attacker could perform a carefully + crafted SSL/TLS handshake against a server configured to use Kerberos + ciphersuites in such a way as to cause OpenSSL to crash. Most + applications have no ability to use Kerberos cipher suites and will + therefore be unaffected. Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL + are affected by this issue. +
  4. +
  5. + Testing performed by the OpenSSL group using the Codenomicon TLS Test + Tool uncovered a bug in older versions of OpenSSL 0.9.6 that can lead + to a Denial of Service attack (infinite loop). This issue was traced to + a fix that was added to OpenSSL 0.9.6d some time ago. This issue will + affect vendors that ship older versions of OpenSSL with backported + security patches. +
  6. +
+
+ +

+ Although there are no public exploits known for bug, users are + recommended to upgrade to ensure the security of their infrastructure. +

+
+ +

+ There is no immediate workaround; a software upgrade is required. The + vulnerable function in the code has been rewritten. +

+
+ +

+ All users are recommened to upgrade openssl to either 0.9.7d or 0.9.6m: +

+ + # emerge sync + # emerge -pv ">=dev-libs/openssl-0.9.7d" + # emerge ">=dev-libs/openssl-0.9.7d" +
+ + CVE-2004-0079 + CVE-2004-0081 + CVE-2004-0112 + + + DerCorny + +
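Review bot: The resolution text says to upgrade "to either 0.9.7d or 0.9.6m", but the emerge atoms only name `>=dev-libs/openssl-0.9.7d`, so a user on the 0.9.6 branch following the commands is moved to the 0.9.7 branch rather than to 0.9.6m as the unaffected list suggests; either state that explicitly or add the 0.9.6m atom next to the existing one. The impact and workaround paragraphs ("Although there are no public exploits known for bug", "The vulnerable function in the code has been rewritten") appear to be copied from glsa-200402-03 in this same commit and do not fit three distinct issues, one of which is a crash in do_change_cipher_spec() and another an infinite loop; the workaround could simply read `There is no immediate workaround; a software upgrade is required.` The resolution line also misspells "recommened".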
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-04.xml b/xml/htdocs/security/en/glsa/glsa-200403-04.xml new file mode 100644 index 00000000..c6a9d9d2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-04.xml @@ -0,0 +1,113 @@ + + + + + + + Multiple security vulnerabilities in Apache 2 + + A memory leak in mod_ssl allows a remote denial of service attack against + an SSL-enabled server via plain HTTP requests. Another flaw was found when + arbitrary client-supplied strings can be written to the error log, allowing + the exploit of certain terminal emulators. A third flaw exists with the + mod_disk_cache module. + + Apache + March 22, 2004 + December 30, 2007: 03 + 45206 + remote + + + 1.3* + 2.0.49 + 2.0.48 + + + +

+ The Apache HTTP Server Project is an effort to develop and maintain an + open-source HTTP server for modern operating systems. The goal of this + project is to provide a secure, efficient and extensible server that + provides services in tune with the current HTTP standards. +

+
+ +

+ Three vulnerabilities were found: +

+
    +
  1. + A memory leak in ssl_engine_io.c for mod_ssl in Apache 2.0.48 and below + allows remote attackers to cause a denial of service attack via plain + HTTP requests to the SSL port of an SSL-enabled server. +
  2. +
  3. + Apache fails to filter terminal escape sequences from error logs that + begin with the ASCII (0x1B) sequence and are followed by a series of + arguments. If a remote attacker could inject escape sequences into an + Apache error log, the attacker could take advantages of weaknesses in + various terminal emulators, launching attacks against remote users + including further denial of service attacks, file modification, and the + execution of arbitrary commands. +
  4. +
  5. + The Apache mod_disk_cache has been found to be vulnerable to a weakness + that allows attackers to gain access to authentication credentials + through the issue of caching HTTP hop-by-hop headers which would + contain plaintext user passwords. There is no available resolution for + this issue yet. +
  6. +
+
+ +

+ No special privileges are required for these vulnerabilities. As a + result, all users are recommended to upgrade their Apache + installations. +

+
+ +

+ There is no immediate workaround; a software upgrade is required. There + is no workaround for the mod_disk_cache issue; users are recommended to + disable the feature on their servers until a patched version is + released. +

+
+ +

+ Users are urged to upgrade to Apache 2.0.49: +

+ + # emerge sync + # emerge -pv ">=www-servers/apache-2.0.49" + # emerge ">=www-servers/apache-2.0.49" + + # ** IMPORTANT ** + + # If you are migrating from Apache 2.0.48-r1 or earlier versions, + # it is important that the following directories are removed. + + # The following commands should cause no data loss since these + # are symbolic links. + + # rm /etc/apache2/lib /etc/apache2/logs /etc/apache2/modules + # rm /etc/apache2/modules + + # ** ** ** ** ** + + # ** ALSO NOTE ** + + # Users who use mod_disk_cache should edit their Apache + # configuration and disable mod_disk_cache. +
+ + Apache mod_disk_cache authentication storage weakness vulnerability + Apache HTTP Server 2.0.49 Announcement + CVE-2004-0113 + + + DerCorny + +
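Review bot: The package metadata marks 2.0.49 as unaffected, yet the third description item says there is no resolution for the mod_disk_cache issue and the workaround tells users to disable the module until a patched version is released; the resolution text should say that 2.0.49 addresses only the mod_ssl memory leak and the error-log escape-sequence issue, so the "unaffected" status is not misread as covering CVE-2004-0113's companion weakness. In the resolution's command block the second `# rm /etc/apache2/modules` repeats a path already removed by the preceding `rm` line and can be dropped. The statement that the removals "should cause no data loss since these are symbolic links" holds only where they really are links on the user's system; a preceding `# ls -ld /etc/apache2/lib /etc/apache2/logs /etc/apache2/modules` line lets users confirm that before deleting.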
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-05.xml b/xml/htdocs/security/en/glsa/glsa-200403-05.xml new file mode 100644 index 00000000..4f60a180 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-05.xml @@ -0,0 +1,70 @@ + + + + + + + UUDeview MIME Buffer Overflow + + A specially-crafted MIME file (.mim, .uue, .uu, .b64, .bhx, .hqx, and .xxe + extensions) may cause UUDeview to crash or execute arbitrary code. + + UUDeview + March 26, 2004 + March 26, 2004: 01 + 44859 + remote + + + 0.5.20 + 0.5.20 + + + +

+ UUDeview is a program which is used to transmit binary files over the + Internet in a text-only format. It is commonly used for email and Usenet + attachments. It supports multiple encoding formats, including Base64, + BinHex and UUEncoding. +

+
+ +

+ By decoding a MIME archive with excessively long strings for various + parameters, it is possible to crash UUDeview, or cause it to execute + arbitrary code. +

+

+ This vulnerability was originally reported by iDEFENSE as part of a WinZip + advisory [ Reference: 1 ]. +

+
+ +

+ An attacker could create a specially-crafted MIME file and send it via + email. When recipient decodes the file, UUDeview may execute arbitrary code + which is embedded in the MIME file, thus granting the attacker access to + the recipient's account. +

+
+ +

+ There is no known workaround at this time. As a result, a software upgrade + is required and users should upgrade to uudeview 0.5.20. +

+
+ +

+ All users should upgrade to uudeview 0.5.20: +

+ + # emerge sync + # emerge -pv ">=app-text/uudeview-0.5.20" + # emerge ">=app-text/uudeview-0.5.20" + +
+ + iDEFENSE advisory + SecurityFocus advisory + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-06.xml b/xml/htdocs/security/en/glsa/glsa-200403-06.xml new file mode 100644 index 00000000..7dfad640 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-06.xml @@ -0,0 +1,74 @@ + + + + + + + Multiple remote buffer overflow vulnerabilities in Courier + + Remote buffer overflow vulnerabilites have been found in Courier-IMAP and + Courier MTA. These exploits may allow the execution of abritrary code, + allowing unauthorized access to a vulnerable system. + + Courier + March 26, 2004 + March 26, 2004: 01 + 45584 + remote + + + 3.0.0 + 3.0.0 + + + 0.45 + 0.45 + + + +

+ Courier MTA is a multiprotocol mail server suite that provides webmail, + mailing lists, IMAP, and POP3 services. Courier-IMAP is a standalone server + that gives IMAP access to local mailboxes. +

+
+ +

+ The vulnerabilities have been found in the 'SHIFT_JIS' converter in + 'shiftjis.c' and 'ISO2022JP' converter in 'so2022jp.c'. An attacker may + supply Unicode characters that exceed BMP (Basic Multilingual Plane) range, + causing an overflow. +

+
+ +

+ An attacker without privileges may exploit this vulnerability remotely, allowing arbitrary code to be executed in order to gain unauthorized access. +

+
+ +

+ While a workaround is not currently known for this issue, all users are + advised to upgrade to the latest version of the affected packages. +

+
+ +

+ All users should upgrade to current versions of the affected packages: +

+ + # emerge sync + + # emerge -pv ">=net-mail/courier-imap-3.0.0" + # emerge ">=net-mail/courier-imap-3.0.0" + + # ** Or; depending on your installation... ** + + # emerge -pv ">=mail-mta/courier-0.45" + # emerge ">=mail-mta/courier-0.45" + +
+ + Courier Multiple Remote Buffer Overflow Vulnerabilities + CAN-2004-0224 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-07.xml b/xml/htdocs/security/en/glsa/glsa-200403-07.xml new file mode 100644 index 00000000..bab50d0c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-07.xml @@ -0,0 +1,74 @@ + + + + + + + Multiple remote overflows and vulnerabilities in Ethereal + + Mulitple overflows and vulnerabilities exist in Ethereal which may allow an + attacker to crash the program or run arbitrary code. + + ethereal + March 28, 2004 + March 28, 2004: 01 + 45543 + remote + + + 0.10.3 + 0.10.2 + + + +

+ Quote from http://www.ethereal.com +

+

+ "Ethereal is used by network professionals around the world for + troubleshooting, analysis, software and protocol development, and + education. It has all of the standard features you would expect in a + protocol analyzer, and several features not seen in any other product. Its + open source license allows talented experts in the networking community to + add enhancements. It runs on all popular computing platforms, including + Unix, Linux, and Windows." +

+
+ +

There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3, including:

+
    +
  • Thirteen buffer overflows in the following protocol dissectors: NetFlow, IGAP, EIGRP, PGM, IrDA, BGP, ISUP, and TCAP.
  • +
  • A zero-length Presentation protocol selector could make Ethereal crash.
  • +
  • A vulnerability in the RADIUS packet dissector which may crash ethereal.
  • +
  • A corrupt color filter file could cause a segmentation fault.
  • +
+
+ +

+ These vulnerabilities may cause Ethereal to crash or may allow an attacker + to run arbitrary code on the user's computer. +

+
+ +

+ While a workaround is not currently known for this issue, all users are + advised to upgrade to the latest version of the affected package. +

+
+ +

+ All users should upgrade to the current version of the affected package: +

+ + # emerge sync + + # emerge -pv ">=net-analyzer/ethereal-0.10.3" + # emerge ">=net-analyzer/ethereal-0.10.3" +
+ + Multiple security problems in Ethereal 0.10.2 + CAN-2004-0176 + CAN-2004-0365 + CAN-2004-0367 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-08.xml b/xml/htdocs/security/en/glsa/glsa-200403-08.xml new file mode 100644 index 00000000..3a7f2c7a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-08.xml @@ -0,0 +1,77 @@ + + + + + + + oftpd DoS vulnerability + + A remotely-exploitable overflow exists in oftpd, allowing an attacker to + crash the oftpd daemon. + + oftpd + March 29, 2004 + May 22, 2006: 02 + 45738 + remote + + + 0.3.7 + 0.3.6 + + + +

+ Quote from http://www.time-travellers + .org/oftpd/ +

+

+ "oftpd is designed to be as secure as an anonymous FTP server can + possibly be. It runs as non-root for most of the time, and uses the + Unix chroot() command to hide most of the systems directories from + external users - they cannot change into them even if the server is + totally compromised! It contains its own directory change code, so that + it can run efficiently as a threaded server, and its own directory + listing code (most FTP servers execute the system "ls" command to list + files)." +

+
+ +

+ Issuing a port command with a number higher than 255 causes the server + to crash. The port command may be issued before any authentication + takes place, meaning the attacker does not need to know a valid + username and password in order to exploit this vulnerability. +

+
+ +

+ This exploit causes a denial of service. +

+
+ +

+ While a workaround is not currently known for this issue, all users are + advised to upgrade to the latest version of the affected package. +

+
+ +

+ All users should upgrade to the current version of the affected + package: +

+ + # emerge sync + + # emerge -pv ">=net-ftp/oftpd-0.3.7" + # emerge ">=net-ftp/oftpd-0.3.7" +
+ + osftpd DoS Vulnerability + CVE-2004-0376 + + + DerCorny + +
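Review bot: The reference title in the closing lines of this hunk reads "osftpd DoS Vulnerability", while the package is named oftpd everywhere else in the advisory; it should read `oftpd DoS Vulnerability`. The description's wording "the attacker does not need to know a valid username and password" is a useful pre-authentication detail and matches the "remote" access field, so it is worth keeping as is.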
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-09.xml b/xml/htdocs/security/en/glsa/glsa-200403-09.xml new file mode 100644 index 00000000..ebf4ff60 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-09.xml @@ -0,0 +1,59 @@ + + + + + + + Buffer overflow in Midnight Commander + + A remotely-exploitable buffer overflow in Midnight Commander allows + arbitrary code to be run on a user's computer + + mc + March 29, 2004 + March 29, 2004: 01 + 45957 + remote + + + 4.6.0-r5 + 4.6.0-r4 + + + +

+ Midnight Commander is a visual file manager. +

+
+ +

+ A stack-based buffer overflow has been found in Midnight Commander's + virtual filesystem. +

+
+ +

+ This overflow allows an attacker to run arbitrary code on the user's + computer during the symlink conversion process. +

+
+ +

+ While a workaround is not currently known for this issue, all users are + advised to upgrade to the latest version of the affected package. +

+
+ +

+ All users should upgrade to the current version of the affected package: +

+ + # emerge sync + + # emerge -pv ">=app-misc/mc-4.6.0-r5" + # emerge ">=app-misc/mc-4.6.0-r5" +
+ + CAN-2003-1023 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-10.xml b/xml/htdocs/security/en/glsa/glsa-200403-10.xml new file mode 100644 index 00000000..3459fc88 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-10.xml @@ -0,0 +1,61 @@ + + + + + + + Fetchmail 6.2.5 fixes a remote DoS + + Fetchmail versions 6.2.4 and earlier can be crashed by sending a + specially-crafted email to a fetchmail user. + + fetchmail + March 30, 2004 + March 30, 2004: 01 + 37717 + remote + + + 6.2.5 + 6.2.4 + + + +

+ Fetchmail is a utility that retrieves and forwards mail from remote systems + using IMAP, POP, and other protocols. +

+
+ +

+ Fetchmail versions 6.2.4 and earlier can be crashed by sending a + specially-crafted email to a fetchmail user. This problem occurs because + Fetchmail does not properly allocate memory for long lines in an incoming + email. +

+
+ +

+ Fetchmail users who receive a malicious email may have their fetchmail + program crash. +

+
+ +

+ While a workaround is not currently known for this issue, all users are advised to upgrade to the latest version of fetchmail. +

+
+ +

+ Fetchmail users should upgrade to version 6.2.5 or later: +

+ + # emerge sync + # emerge -pv ">=net-mail/fetchmail-6.2.5" + # emerge ">=net-mail/fetchmail-6.2.5" +
+ + ISS X-Force Listing + CVE Candidate (CAN-2003-0792) + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-11.xml b/xml/htdocs/security/en/glsa/glsa-200403-11.xml new file mode 100644 index 00000000..a52fe8eb --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-11.xml @@ -0,0 +1,80 @@ + + + + + + + Squid ACL [url_regex] bypass vulnerability + + Squid versions 2.0 through to 2.5.STABLE4 could allow a remote attacker to + bypass Access Control Lists by sending a specially-crafted URL request + containing '%00': in such circumstances; the url_regex ACL may not properly + detect the malicious URL, allowing the attacker to effectively bypass the + ACL. + + Squid + March 30, 2004 + September 02, 2004: 02 + 45273 + remote + + + 2.5.5 + 2.5.5 + + + +

+ Squid is a fully-featured Web Proxy Cache designed to run on Unix systems + that supports proxying and caching of HTTP, FTP, and other URLs, as well as + SSL support, cache hierarchies, transparent caching, access control lists + and many other features. +

+
+ +

+ A bug in Squid allows users to bypass certain access controls by passing a + URL containing "%00" which exploits the Squid decoding function. + This may insert a NUL character into decoded URLs, which may allow users to + bypass url_regex access control lists that are enforced upon them. +

+

+ In such a scenario, Squid will insert a NUL character after + the"%00" and it will make a comparison between the URL to the end + of the NUL character rather than the contents after it: the comparison does + not result in a match, and the user's request is not denied. +

+
+ +

+ Restricted users may be able to bypass url_regex access control lists that + are enforced upon them which may cause unwanted network traffic as well as + a route for other possible exploits. Users of Squid 2.5STABLE4 and below + who require the url_regex features are recommended to upgrade to 2.5STABLE5 + to maintain the security of their infrastructure. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised + to upgrade to the latest version of Squid. +

+
+ +

+ Squid can be updated as follows: +

+ + # emerge sync + + # emerge -pv ">=net-proxy/squid-2.5.5" + # emerge ">=net-proxy/squid-2.5.5" +
+ + CAN-2004-0189 + Squid 2.5.STABLE5 Release Announcement + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-12.xml b/xml/htdocs/security/en/glsa/glsa-200403-12.xml new file mode 100644 index 00000000..65e6c203 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-12.xml @@ -0,0 +1,71 @@ + + + + + + + OpenLDAP DoS Vulnerability + + A failed password operation can cause the OpenLDAP slapd server, if it is + using the back-ldbm backend, to free memory that was never allocated. + + openldap + March 31, 2004 + May 22, 2006: 02 + 26728 + remote + + + 2.1.13 + 2.1.12 + + + +

+ OpenLDAP is a suite of LDAP-related application and development tools. + It includes slapd (the standalone LDAP server), slurpd (the standalone + LDAP replication server), and various LDAP libraries, utilities and + example clients. +

+
+ +

+ A password extended operation (password EXOP) which fails will cause + the slapd server to free() an uninitialized pointer, possibly resulting + in a segfault. This only affects servers using the back-ldbm backend. +

+

+ Such a crash is not guaranteed with every failed operation, however, it + is possible. +

+
+ +

+ An attacker (or indeed, a normal user) may crash the OpenLDAP server, + creating a Denial of Service condition. +

+
+ +

+ A workaround is not currently known for this issue. All users are + advised to upgrade to the latest version of the affected package. +

+
+ +

+ OpenLDAP users should upgrade to version 2.1.13 or later: +

+ + # emerge sync + + # emerge -pv ">=net-nds/openldap-2.1.13" + # emerge ">=net-nds/openldap-2.1.13" +
+ + OpenLDAP ITS Bug and Patch + CVE-2003-1201 + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-13.xml b/xml/htdocs/security/en/glsa/glsa-200403-13.xml new file mode 100644 index 00000000..5df64b56 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-13.xml @@ -0,0 +1,100 @@ + + + + + + + Remote buffer overflow in MPlayer + + MPlayer contains a remotely exploitable buffer overflow in the HTTP parser + that may allow attackers to run arbitrary code on a user's computer. + + mplayer + March 31, 2004 + October 11, 2006: 03 + 46246 + remote + + + 0.92-r1 + 0.92 + + + 1.0_pre2-r1 + 1.0_pre2 + + + 1.0_pre3-r3 + 1.0_pre3 + + + +

+ Quote from http://mplayerhq.hu +

+

+ "MPlayer is a movie player for LINUX (runs on many other Unices, and + non-x86 CPUs, see the documentation). It plays most MPEG, VOB, AVI, + OGG/OGM, VIVO, ASF/WMA/WMV, QT/MOV/MP4, FLI, RM, NuppelVideo, YUV4MPEG, + FILM, RoQ, PVA files, supported by many native, XAnim, and Win32 DLL + codecs. You can watch VideoCD, SVCD, DVD, 3ivx, DivX 3/4/5 and even WMV + movies, too." +

+
+ +

+ A vulnerability exists in the MPlayer HTTP parser which may allow an + attacker to craft a special HTTP header ("Location:") which will trick + MPlayer into executing arbitrary code on the user's computer. +

+
+ +

+ An attacker without privileges may exploit this vulnerability remotely, + allowing arbitrary code to be executed in order to gain unauthorized + access. +

+
+ +

+ A workaround is not currently known for this issue. All users are + advised to upgrade to the latest version of the affected package. +

+
+ +

+ MPlayer may be upgraded as follows: +

+

+ x86 and SPARC users should: +

+ + # emerge sync + + # emerge -pv ">=media-video/mplayer-0.92-r1" + # emerge ">=media-video/mplayer-0.92-r1" +

+ AMD64 users should: +

+ + # emerge sync + + # emerge -pv ">=media-video/mplayer-1.0_pre2-r1" + # emerge ">=media-video/mplayer-1.0_pre2-r1" +

+ PPC users should: +

+ + # emerge sync + + # emerge -pv ">=media-video/mplayer-1.0_pre3-r2" + # emerge ">=media-video/mplayer-1.0_pre3-r2" +
+ + MPlayerHQ News + CVE-2004-0386 + + + DerCorny + +
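Review bot: The PPC resolution in glsa-200403-13 tells users to emerge `">=media-video/mplayer-1.0_pre3-r2"`, but the affected-package table at the top of the file lists 1.0_pre3-r3 as the unaffected version for that range, so a user left on 1.0_pre3-r2 would satisfy the advisory without having the fix. The two PPC emerge lines should read `# emerge -pv ">=media-video/mplayer-1.0_pre3-r3"` and `# emerge ">=media-video/mplayer-1.0_pre3-r3"` to match the table, or the table's unaffected version should be corrected if r2 is in fact the fixed revision. The x86/SPARC and AMD64 blocks already agree with their table entries.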
diff --git a/xml/htdocs/security/en/glsa/glsa-200403-14.xml b/xml/htdocs/security/en/glsa/glsa-200403-14.xml new file mode 100644 index 00000000..6451659d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200403-14.xml @@ -0,0 +1,75 @@ + + + + + + + Multiple Security Vulnerabilities in Monit + + A denial of service and a buffer overflow vulnerability have been found in + Monit. + + app-admin/monit + March 31, 2004 + May 22, 2006: 02 + 43967 + remote + + + 4.2 + 4.1 + + + +

+ Monit is a system administration utility that allows management and + monitoring of processes, files, directories and devices on a Unix + system. +

+
+ +

+ A denial of service may occur due to Monit not sanitizing remotely + supplied HTTP parameters before passing them to memory allocation + functions. This could allow an attacker to cause an unexpected + condition that could lead to the Monit daemon crashing. +

+

+ An overly long http request method may cause a buffer overflow due to + Monit performing insufficient bounds checking when handling HTTP + requests. +

+
+ +

+ An attacker may crash the Monit daemon to create a denial of service + condition or cause a buffer overflow that would allow arbitrary code to + be executed with root privileges. +

+
+ +

+ A workaround is not currently known for this issue. All users are + advised to upgrade to the latest version of the affected package. +

+
+ +

+ Monit users should upgrade to version 4.2 or later: +

+ + # emerge sync + + # emerge -pv ">=app-admin/monit-4.2" + # emerge ">=app-admin/monit-4.2" +
+ + Monit HTTP Content-Length Parameter Denial of Service Vulnerability + Monit Overly Long HTTP Request Buffer Overrun Vulnerability + CVE-2003-1083 + CVE-2003-1084 + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-01.xml b/xml/htdocs/security/en/glsa/glsa-200404-01.xml new file mode 100644 index 00000000..0c2e1a4e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-01.xml @@ -0,0 +1,95 @@ + + + + + + + Insecure sandbox temporary lockfile vulnerabilities in Portage + + A flaw has been found in the temporary file handling algorithms for the + sandboxing code used within Portage. Lockfiles created during normal Portage + operation of portage could be manipulated by local users resulting in the + truncation of hard linked files; causing a Denial of Service attack on + the system. + + Portage + April 04, 2004 + April 04, 2004: 01 + 21923 + local + + + 2.0.50-r3 + 2.0.50-r3 + + + +

+ Portage is Gentoo's package management system which is responsible for + installing, compiling and updating any ebuilds on the system through the + Gentoo rsync tree. Under default configurations, most ebuilds run under a + sandbox which prevent the build process writing to the "real" + system outside the build directory - packages are installed into a + temporary location and then copied over safely by Portage instead. During + the process the sandbox wrapper creates lockfiles in the /tmp directory + which are vulnerable to a hard-link attack. +

+
+ +

+ A flaw in Portage's sandbox wrapper has been found where the temporary + lockfiles are subject to a hard-link attack which allows linkable files to + be overwritten to an empty file. This can be used to damage critical files + on a system causing a Denial of Service, or alternatively this attack may + be used to cause other security risks; for example firewall configuration + data could be overwritten without notice. +

+

+ The vulnerable sandbox functions have been patched to test for these new + conditions: namely; for the existance of a hard-link which would be removed + before the sandbox process would continue, for the existance of a + world-writable lockfile in which case the sandbox would also remove it, and + also for any mismatches in the UID ( anything but root ) and the GID ( + anything but the group of the sandbox process ). +

+

+ If the vulnerable files cannot be removed by the sandbox, then the sandbox + would exit with a fatal error warning the adminstrator of the issue. The + patched functions also fix any other sandbox I/O operations which do not + explicitly include the mentioned lockfile. +

+
+ +

+ Any user with write access to the /tmp directory can hard-link a file to + /tmp/sandboxpids.tmp - this file would eventually be replaced with an empty + one; effectively wiping out the file it was linked to as well with no prior + warning. This could be used to potentially disable a vital component of the + system and cause a path for other possible exploits. +

+

+ This vulnerability only affects systems that have /tmp on the root + partition: since symbolic link attacks are filtered, /tmp has to be on the + same partition for an attack to take place. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised + to upgrade to the latest version of the affected package. +

+
+ +

+ Users should upgrade to Portage 2.0.50-r3 or later: +

+ + # emerge sync + + # emerge -pv ">=sys-apps/portage-2.0.50-r3" + # emerge ">=sys-apps/portage-2.0.50-r3" +
+ + + plasmaroo +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-02.xml b/xml/htdocs/security/en/glsa/glsa-200404-02.xml new file mode 100644 index 00000000..3b6f7c9f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-02.xml @@ -0,0 +1,61 @@ + + + + + + + KDE Personal Information Management Suite Remote Buffer Overflow Vulnerability + + KDE-PIM may be vulnerable to a remote buffer overflow attack that may allow + unauthorized access to an affected system. + + kde-base/kde + April 06, 2004 + April 06, 2004: 01 + 38256 + remote + + + 3.1.5 + 3.1.4 + + + +

+ KDE-PIM is an application suite designed to manage mail, addresses, + appointments, and contacts. +

+
+ +

+ A buffer overflow may occur in KDE-PIM's VCF file reader when a maliciously + crafted VCF file is opened by a user on a vulnerable system. +

+
+ +

+ A remote attacker may unauthorized access to a user's personal data or + execute commands with the user's privileges. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised + to upgrade to the latest version of the affected package. +

+
+ +

+ KDE users should upgrade to version 3.1.5 or later: +

+ + # emerge sync + + # emerge -pv ">=kde-base/kde-3.1.5" + # emerge ">=kde-base/kde-3.1.5" +
+ + CAN-2003-0988 + + aescriva +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-03.xml b/xml/htdocs/security/en/glsa/glsa-200404-03.xml new file mode 100644 index 00000000..329c442e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-03.xml @@ -0,0 +1,72 @@ + + + + + + + Tcpdump Vulnerabilities in ISAKMP Parsing + + There are multiple vulnerabilities in tcpdump and libpcap related to + parsing of ISAKMP packets. + + tcpdump + March 31, 2004 + March 31, 2004: 01 + 38206 + 46258 + remote + + + 3.8.3-r1 + 3.8.1 + + + 0.8.3-r1 + 0.8.1-r1 + + + +

+ Tcpdump is a program for monitoring IP network traffic. Libpcap is a + supporting library which is responsibile for capturing packets off a network + interface. +

+
+ +

+ There are two specific vulnerabilities in tcpdump, outlined in [ reference + 1 ]. In the first scenario, an attacker may send a specially-crafted ISAKMP + Delete packet which causes tcpdump to read past the end of its buffer. In + the second scenario, an attacker may send an ISAKMP packet with the wrong + payload length, again causing tcpdump to read past the end of a buffer. +

+
+ +

+ Remote attackers could potentially cause tcpdump to crash or execute + arbitrary code as the 'pcap' user. +

+
+ +

+ There is no known workaround at this time. All tcpdump users are encouraged + to upgrade to the latest available version. +

+
+ +

+ All tcpdump users should upgrade to the latest available version. + ADDITIONALLY, the net-libs/libpcap package should be upgraded. +

+ + # emerge sync + + # emerge -pv ">=net-libs/libpcap-0.8.3-r1" ">=net-analyzer/tcpdump-3.8.3-r1" + # emerge ">=net-libs/libpcap-0.8.3-r1" ">=net-analyzer/tcpdump-3.8.3-r1" +
+ + Rapid7 Advisory + Red Hat Security Advisory + CVE Advisory + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-04.xml b/xml/htdocs/security/en/glsa/glsa-200404-04.xml new file mode 100644 index 00000000..862c1362 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-04.xml @@ -0,0 +1,68 @@ + + + + + + + Multiple vulnerabilities in sysstat + + Multiple vulnerabilities in the way sysstat handles symlinks may allow an + attacker to execute arbitrary code or overwrite arbitrary files + + sysstat + April 06, 2004 + April 06, 2004: 01 + 45159 + local + + + 5.0.2 + 5.0.2 + + + +

+ sysstat is a package containing a number of performance monitoring + utilities for Linux, including sar, mpstat, iostat and sa tools +

+
+ +

+ There are two vulnerabilities in the way sysstat handles symlinks: +

+
    +
  1. The isag utility, which displays sysstat data in a graphical format, + creates a temporary file in an insecure manner.
  2. +
  3. Two scripts in the sysstat package, post and trigger, create temporary + files in an insecure manner.
  4. +
+
+ +

+ Both vulnerabilities may allow an attacker to overwrite arbitrary files + under the permissions of the user executing any of the affected + utilities. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised + to upgrade to the latest version of the affected package. +

+
+ +

+ Systat users should upgrade to version 4.2 or later: +

+ + # emerge sync + + # emerge -pv ">=app-admin/sysstat-5.0.2" + # emerge ">=app-admin/sysstat-5.0.2" +
+ + CVE (1) + CVE (2) + + klieber +
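Review bot: The resolution text in glsa-200404-04 says `Systat users should upgrade to version 4.2 or later:` while the affected-package table and the emerge lines both give 5.0.2 as the fixed sysstat version; the 4.2 figure appears to be carried over from the monit advisory (glsa-200403-14) and misstates the version a user must reach. The line should read `sysstat users should upgrade to version 5.0.2 or later:`, which also fixes the "Systat" spelling.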
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-05.xml b/xml/htdocs/security/en/glsa/glsa-200404-05.xml new file mode 100644 index 00000000..1ba1d3a6 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-05.xml @@ -0,0 +1,65 @@ + + + + + + + ipsec-tools contains an X.509 certificates vulnerability. + + ipsec-tools contains a vulnerability that affects connections authenticated + with X.509 certificates. + + ipsec-tools + April 07, 2004 + April 07, 2004: 01 + 47013 + remote + + + 0.2.5 + 0.2.4 + + + +

+ From http://ipsec-tools.sourceforge.net/ : +

+

+ "IPsec-Tools is a port of KAME's IPsec utilities to the Linux-2.6 + IPsec implementation." +

+
+ +

+ racoon (a utility in the ipsec-tools package) does not verify digital + signatures on Phase1 packets. This means that anybody holding the correct + X.509 certificate would be able to establish a connection, even if they did + not have the corresponding private key. +

+
+ +

+ Since digital signatures are not verified by the racoon tool, an attacker may + be able to connect to the VPN gateway and/or execute a man-in-the-middle attack. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised + to upgrade to the latest version of the affected package. +

+
+ +

+ ipsec-tools users should upgrade to version 0.2.5 or later: +

+ + # emerge sync + + # emerge -pv ">=net-firewall/ipsec-tools-0.2.5" + # emerge ">=net-firewall/ipsec-tools-0.2.5" +
+ + + klieber +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-06.xml b/xml/htdocs/security/en/glsa/glsa-200404-06.xml new file mode 100644 index 00000000..478eb527 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-06.xml @@ -0,0 +1,67 @@ + + + + + + + Util-linux login may leak sensitive data + + The login program included in util-linux could leak sensitive information + under certain conditions. + + + April 07, 2004 + April 07, 2004: 01 + 46422 + remote + + + 2.12 + 2.11 + + + +

+ Util-linux is a suite of essential system utilites, including login, + agetty, fdisk. +

+
+ +

+ In some situations the login program could leak sensitive data due to an + incorrect usage of a reallocated pointer. +

+

+ NOTE: Only users who have PAM support disabled on their + systems (i.e. -PAM in their USE variable) will be affected by this + vulnerability. By default, this USE flag is enabled on all + architectures. Users with PAM support on their system receive login binaries + as part of the pam-login package, which remains unaffected. +

+
+ +

+ A remote attacker may obtain sensitive data. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised to upgrade to the latest version of the affected package. +

+
+ +

+ All util-linux users should upgrade to version 2.12 or later: +

+ + # emerge sync + + # emerge -pv ">=sys-apps/util-linux-2.12" + # emerge ">=sys-apps/util-linux-2.12" + +
+ + CAN-2004-0080 + + lcars +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-07.xml b/xml/htdocs/security/en/glsa/glsa-200404-07.xml new file mode 100644 index 00000000..8f740db3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-07.xml @@ -0,0 +1,73 @@ + + + + + + + ClamAV RAR Archive Remote Denial Of Service Vulnerability + + ClamAV is vulnerable to a denial of service attack when processing certain + RAR archives. + + clamav + April 07, 2004 + May 22, 2006: 02 + 45357 + remote + + + 0.68.1 + 0.68 + + + +

+ From http://www.clamav.net/ : +

+

+ "Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose + of this software is the integration with mail servers (attachment + scanning). The package provides a flexible and scalable multi-threaded + daemon, a command line scanner, and a tool for automatic updating via + Internet. The programs are based on a shared library distributed with + the Clam AntiVirus package, which you can use with your own software. + Most importantly, the virus database is kept up to date." +

+
+ +

+ Certain types of RAR archives, including those created by variants of + the W32.Beagle.A@mm worm, may cause clamav to crash when it attempts to + process them. +

+
+ +

+ This vulnerability causes a Denial of Service in the clamav process. + Depending on configuration, this may cause dependent services such as + mail to fail as well. +

+
+ +

+ A workaround is not currently known for this issue. All users are + advised to upgrade to the latest version of the affected package. +

+
+ +

+ ClamAV users should upgrade to version 0.68.1 or later: +

+ + # emerge sync + + # emerge -pv ">=app-antivirus/clamav-0.68.1" + # emerge ">=app-antivirus/clamav-0.68.1" +
+ + CVE-2004-1909 + + + klieber + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-08.xml b/xml/htdocs/security/en/glsa/glsa-200404-08.xml new file mode 100644 index 00000000..8e4bc840 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-08.xml @@ -0,0 +1,68 @@ + + + + + + + GNU Automake symbolic link vulnerability + + Automake may be vulnerable to a symbolic link attack which may allow an + attacker to modify data or elevate their privileges. + + automake + April 08, 2004 + January 31, 2005: 05 + 45646 + local + + + 1.8.5-r3 + 1.7.9-r1 + 1.7 + 1.8.5-r2 + + + +

+ Automake is a tool for automatically generating `Makefile.in' files + which is often used in conjuction with Autoconf and other GNU Autotools + to ease portability among applications. It also provides a standardized + and light way of writing complex Makefiles through the use of many + built-in macros. +

+
+ +

+ Automake may be vulnerable to a symbolic link attack which may allow an + attacker to modify data or escalate their privileges. This is due to + the insecure way Automake creates directories during compilation. An + attacker may be able to create symbolic links in the place of files + contained in the affected directories, which may potentially lead to + elevated privileges due to modification of data. +

+
+ +

+ An attacker may be able to use this vulnerability to modify data in an + unauthorized fashion or elevate their privileges. +

+
+ +

+ A workaround is not currently known for this issue. All users are + advised to upgrade to the latest version of the affected package. +

+
+ +

+ Automake users should upgrade to the latest versions: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose sys-devel/automake +
+ + + klieber + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-09.xml b/xml/htdocs/security/en/glsa/glsa-200404-09.xml new file mode 100644 index 00000000..f53b2133 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-09.xml @@ -0,0 +1,61 @@ + + + + + + + Cross-realm trust vulnerability in Heimdal + + Heimdal contains cross-realm vulnerability allowing someone with control + over a realm to impersonate anyone in the cross-realm trust path. + + heimdal + April 09, 2004 + April 09, 2004: 01 + 46590 + local + + + 0.6.1 + 0.6.0 + + + +

+ Heimdal is a free implementation of Kerberos 5. +

+
+ +

+ Heimdal does not properly perform certain consistency checks for + cross-realm requests, which allows remote attackers with control of a realm + to impersonate others in the cross-realm trust path. +

+
+ +

+ Remote attackers with control of a realm may be able to impersonate other + users in the cross-realm trust path. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised + to upgrade to the latest version of the affected package. +

+
+ +

+ Heimdal users should upgrade to version 0.6.1 or later: +

+ + # emerge sync + + # emerge -pv ">=app-crypt/heimdal-0.6.1" + # emerge ">=app-crypt/heimdal-0.6.1" +
+ + CVE + + klieber +
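Review bot: The access value in glsa-200404-09 is `local`, yet the description and impact sections both describe "remote attackers with control of a realm" impersonating principals across the cross-realm trust path. If this field records the attack vector as it does in the other advisories in this commit, it should be `remote`; the element's tags are not visible in the diff, so this is inferred from the surrounding text rather than the schema.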
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-10.xml b/xml/htdocs/security/en/glsa/glsa-200404-10.xml new file mode 100644 index 00000000..cf514427 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-10.xml @@ -0,0 +1,63 @@ + + + + + + + iproute local Denial of Service vulnerability + + The iproute package allows local users to cause a denial of service. + + + April 09, 2004 + April 09, 2004: 01 + 34294 + local + + + 20010824-r5 + 20010824-r4 + + + +

+ iproute is a set of tools for managing linux network routing and advanced + features. +

+
+ +

+ It has been reported that iproute can accept spoofed messages on the kernel + netlink interface from local users. This could lead to a local Denial of + Service condition. +

+
+ +

+ Local users could cause a Denial of Service. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised + to upgrade to the latest version of the affected package. +

+
+ +

+ All iproute users should upgrade to version 20010824-r5 or later: +

+ + # emerge sync + + # emerge -pv ">=sys-apps/iproute-20010824-r5"; + # emerge ">=sys-apps/iproute-20010824-r5"; + +
+ + CAN-2003-0856 + + + lcars + +
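Review bot: The two emerge lines in glsa-200404-10 end with a stray semicolon (`# emerge ">=sys-apps/iproute-20010824-r5";`), which none of the other resolution blocks in this commit carry and which readers copying the command do not need. Dropping the trailing `;` from both lines keeps the resolution consistent with the rest of the series. The product name element before the date also appears empty here, unlike the neighbouring advisories, though the stripped tags in the diff make that hard to confirm.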
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-11.xml b/xml/htdocs/security/en/glsa/glsa-200404-11.xml new file mode 100644 index 00000000..d06093da --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-11.xml @@ -0,0 +1,66 @@ + + + + + + + Multiple Vulnerabilities in pwlib + + Multiple vulnerabilites have been found in pwlib that may lead to a remote + denial of service or buffer overflow attack. + + dev-libs/pwlib + April 09, 2004 + April 09, 2004: 01 + 45846 + remote + + + 1.5.2-r3 + 1.5.2-r2 + + + +

+ pwlib is a multi-platform library designed for OpenH323. +

+
+ +

+ Multiple vulnerabilities have been found in the implimentation of protocol + H.323 contained in pwlib. Most of the vulnerabilies are in the parsing of + ASN.1 elements which would allow an attacker to use a maliciously crafted + ASN.1 element to cause unpredictable behavior in pwlib. +

+
+ +

+ An attacker may cause a denial of service condition or cause a buffer + overflow that would allow arbitrary code to be executed with root + privileges. +

+
+ +

+ Blocking ports 1719 and 1720 may reduce the likelihood of an attack. All + users are advised to upgrade to the latest version of the affected package. +

+
+ +

+ All pwlib users are advised to upgrade to version 1.5.2-r3 or later: +

+ + # emerge sync + + # emerge -pv ">=dev-libs/pwlib-1.5.2-r3" + # emerge ">=dev-libs/pwlib-1.5.2-r3" +
+ + CAN-2004-0097 + NISCC Vulnerability Advisory 006489/H323 + + + aescriva + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-12.xml b/xml/htdocs/security/en/glsa/glsa-200404-12.xml new file mode 100644 index 00000000..4ef2052e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-12.xml @@ -0,0 +1,69 @@ + + + + + + + Scorched 3D server chat box format string vulnerability + + Scorched 3D is vulnerable to a format string attack in the chat box that + leads to Denial of Service on the game server and possibly allows execution + of arbitrary code. + + scorched3d + April 09, 2004 + April 09, 2004: 08 + 39302 + remote + + + 37 + 37 + + + +

+ Scorched 3D is a game based loosely on the classic DOS game "Scorched + Earth". Scorched 3D adds amongst other new features a 3D island + environment and LAN and internet play. Scorched 3D is totally free and is + available for multiple operating systems. +

+
+ +

+ Scorched 3D (build 36.2 and before) does not properly check the text + entered in the Chat box (T key). Using format string characters, you can + generate a heap overflow. This and several other unchecked buffers have + been corrected in the build 37 release. +

+
+ +

+ This vulnerability can be easily exploited to remotely crash the Scorched + 3D server, disconnecting all clients. It could also theorically be used to + execute arbitrary code on the server with the rights of the user running + the server. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised + to upgrade to the latest version of the affected package. +

+
+ +

+ Scorched 3D users should upgrade to version 37 or later: +

+ + # emerge sync + + # emerge -pv ">=games-strategy/scorched3d-37" + # emerge ">=games-strategy/scorched3d-37" +
+ + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-13.xml b/xml/htdocs/security/en/glsa/glsa-200404-13.xml new file mode 100644 index 00000000..f12f710a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-13.xml @@ -0,0 +1,73 @@ + + + + + + + CVS Server and Client Vulnerabilities + + There are two vulnerabilities in CVS; one in the server and one in the + client. These vulnerabilities allow the reading and writing of arbitrary + files on both client and server. + + cvs + April 14, 2004 + May 22, 2006: 02 + 47800 + remote + + + 1.11.15 + 1.11.14 + + + +

+ CVS, which stands for Concurrent Versions System, is a client/server + application which tracks changes to sets of files. It allows multiple + users to work concurrently on files, and then merge their changes back + into the main tree (which can be on a remote system). It also allows + branching, or maintaining separate versions for files. +

+
+ +

+ There are two vulnerabilities in CVS; one in the server and one in the + client. The server vulnerability allows a malicious client to request + the contents of any RCS file to which the server has permission, even + those not located under $CVSROOT. The client vulnerability allows a + malicious server to overwrite files on the client machine anywhere the + client has permissions. +

+
+ +

+ Arbitrary files may be read or written on CVS clients and servers by + anybody with access to the CVS tree. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest stable version of CVS. +

+
+ +

+ All CVS users should upgrade to the latest stable version. +

+ + # emerge sync + + # emerge -pv ">=dev-util/cvs-1.11.15" + # emerge ">=dev-util/cvs-1.11.15" +
+ + CVS commit log + CVE-2004-0180 + CVE-2004-0405 + + + condordes + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-14.xml b/xml/htdocs/security/en/glsa/glsa-200404-14.xml new file mode 100644 index 00000000..9cfea2c0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-14.xml @@ -0,0 +1,70 @@ + + + + + + + Multiple format string vulnerabilities in cadaver + + There are multiple format string vulnerabilities in the neon library used + in cadaver, possibly leading to execution of arbitrary code when connected + to a malicious server. + + cadaver + April 19, 2004 + April 19, 2004: 01 + 47799 + remote + + + 0.22.1 + 0.22.1 + + + +

+ According to http://www.webdav.org/cadaver, + cadaver is a command-line WebDAV client for Unix. It supports file upload, + download, on-screen display, namespace operations (move/copy), collection + creation and deletion, and locking operations. +

+
+ +

+ Cadaver code includes the neon library, which in versions 0.24.4 and + previous is vulnerable to multiple format string attacks. The latest + version of cadaver uses version 0.24.5 of the neon library, which makes it + immune to this vulnerability. +

+
+ +

+ When using cadaver to connect to an untrusted WebDAV server, this + vulnerability can allow a malicious remote server to execute arbitrary code + on the client with the rights of the user using cadaver. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised + to upgrade to the latest version of the affected package. +

+
+ +

+ cadaver users should upgrade to version 0.22.1 or later: +

+ + # emerge sync + + # emerge -pv ">=net-misc/cadaver-0.22.1" + # emerge ">=net-misc/cadaver-0.22.1" +
+ + CAN-2004-0179 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-15.xml b/xml/htdocs/security/en/glsa/glsa-200404-15.xml new file mode 100644 index 00000000..1b1071d7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-15.xml @@ -0,0 +1,74 @@ + + + + + + + XChat 2.0.x SOCKS5 Vulnerability + + XChat is vulnerable to a stack overflow that may allow a remote attacker to + run arbitrary code. + + xchat + April 19, 2004 + May 22, 2006: 02 + 46856 + remote + + + 2.0.8-r1 + 2.0.8-r1 + + + +

+ XChat is a multiplatform IRC client. +

+
+ +

+ The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. + Users would have to be using XChat through a SOCKS 5 server, enable + SOCKS 5 traversal which is disabled by default and also connect to an + attacker's custom proxy server. +

+
+ +

+ This vulnerability may allow an attacker to run arbitrary code within + the context of the user ID of the XChat client. +

+
+ +

+ A workaround is not currently known for this issue. All users are + advised to upgrade to the latest version of the affected package. +

+
+ +

+ All XChat users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-irc/xchat-2.0.8-r1" + # emerge ">=net-irc/xchat-2.0.8-r1" +

+ Note that users of the gtk1 version of xchat (1.8.*) should upgrade to + xchat-1.8.11-r1: +

+ + # emerge sync + + # emerge -pv "=net-irc/xchat-1.8.11-r1" + # emerge "=net-irc/xchat-1.8.11-r1" +
+ + XChat 2.0.x SOCKS5 Vulnerability + CVE-2004-0409 + + + klieber + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-16.xml b/xml/htdocs/security/en/glsa/glsa-200404-16.xml new file mode 100644 index 00000000..777b0fac --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-16.xml @@ -0,0 +1,65 @@ + + + + + + + Multiple new security vulnerabilities in monit + + Two new vulnerabilities have been found in the HTTP interface of monit, + possibly leading to denial of service or execution of arbitrary code. + + monit + April 19, 2004 + April 19, 2004: 01 + 47631 + remote + + + 4.2.1 + 4.2 + + + +

+ Monit is a system administration utility that allows management and + monitoring of processes, files, directories and devices on a Unix system. +

+
+ +

+ Monit has several vulnerabilities in its HTTP interface : a buffer overflow + vulnerability in the authentication handling code and a off-by-one error in + the POST method handling code. +

+
+ +

+ An attacker may exploit the off-by-one error to crash the Monit daemon and + create a denial of service condition, or cause a buffer overflow that would + allow arbitrary code to be executed with root privileges. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised + to upgrade to the latest version of the affected package. +

+
+ +

+ Monit users should upgrade to version 4.2.1 or later: +

+ + # emerge sync + + # emerge -pv ">=app-admin/monit-4.2.1" + # emerge ">=app-admin/monit-4.2.1" +
+ + Monit security advisory 20040305 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-17.xml b/xml/htdocs/security/en/glsa/glsa-200404-17.xml new file mode 100644 index 00000000..53f36113 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-17.xml @@ -0,0 +1,87 @@ + + + + + + + ipsec-tools and iputils contain a remote DoS vulnerability + + racoon, which is included in the ipsec-tools and iputils packages in + Portage, does not check the length of ISAKMP headers. Attackers may be able + to craft an ISAKMP header of sufficient length to consume all available + system resoources, causing a Denial of Service. + + ipsec-utils + April 24, 2004 + April 24, 2004: 01 + 48847 + remote + + + 0.3.1 + 0.3.1 + + + 021109-r3 + 021109-r1 + + + +

+ From http://ipsec-tools.sourceforge.n + et/ +

+

+ "IPsec-Tools is a port of KAME's IPsec utilities to the Linux-2.6 IPsec + implementation." +

+

+ iputils is a collection of network monitoring tools, including racoon, ping + and ping6. +

+
+ +

+ When racoon receives an ISAKMP header, it allocates memory based on the + length of the header field. Thus, an attacker may be able to cause a Denial + of Services by creating a header that is large enough to consume all + available system resources. +

+
+ +

+ This vulnerability may allow an attacker to remotely cause a Denial of + Service. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised + to upgrade to the latest version of the affected package. +

+
+ +

+ ipsec-tools users should upgrade to version 0.2.5 or later: +

+ + # emerge sync + + # emerge -pv ">=net-firewall/ipsec-tools-0.3.1" + # emerge ">=net-firewall/ipsec-tools-0.3.1" +

+ iputils users should upgrade to version 021109-r3 or later: +

+ + # emerge sync + + # emerge -pv ">=net-misc/iputils-021109-r3" + # emerge ">=net-misc/iputils-021109-r3" +
+ + CVE + + + klieber + +
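Review bot: The resolution text says "ipsec-tools users should upgrade to version 0.2.5 or later", but the version header lists 0.3.1 as the unaffected release and the emerge lines below it install `>=net-firewall/ipsec-tools-0.3.1`; the prose should read `ipsec-tools users should upgrade to version 0.3.1 or later:` so that readers do not stop at an earlier release. The product field gives "ipsec-utils" while every package atom in the advisory is net-firewall/ipsec-tools, which looks like a typo in the metadata. The synopsis also spells "resoources".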
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-18.xml b/xml/htdocs/security/en/glsa/glsa-200404-18.xml new file mode 100644 index 00000000..1873c799 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-18.xml @@ -0,0 +1,71 @@ + + + + + + + Multiple Vulnerabilities in ssmtp + + There are multiple format string vulnerabilities in the SSMTP package, + which may allow an attacker to run arbitrary code with ssmtp's privileges + (potentially root). + + ssmtp + April 26, 2004 + April 26, 2004: 01 + 47918 + 48435 + remote root + + + 2.60.7 + 2.60.4-r2 + + + +

+ SSMTP is a very simple mail transfer agent (MTA) that relays mail from the + local machine to another SMTP host. It is not designed to function as a + full mail server; its sole purpose is to relay mail. +

+
+ +

+ There are two format string vulnerabilities inside the log_event() and + die() functions of ssmtp. Strings from outside ssmtp are passed to various + printf()-like functions from within log_event() and die() as format + strings. An attacker could cause a specially-crafted string to be passed to + these functions, and potentially cause ssmtp to execute arbitrary code. +

+
+ +

+ If ssmtp connects to a malicious mail relay server, this vulnerability can + be used to execute code with the rights of the mail sender, including root. +

+
+ +

+ There is no known workaround at this time. All users are advised to upgrade + to the latest available version of ssmtp. +

+
+ +

+ All users are advised to upgrade to the latest available version of ssmtp. +

+ + # emerge sync + + # emerge -pv ">=mail-mta/ssmtp-2.60.7" + # emerge ">=mail-mta/ssmtp-2.60.7" +
+ + Secunia Advisory + CVE Reference + Debian Advisory + + + condordes + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-19.xml b/xml/htdocs/security/en/glsa/glsa-200404-19.xml new file mode 100644 index 00000000..b5bf011b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-19.xml @@ -0,0 +1,67 @@ + + + + + + + Buffer overflows and format string vulnerabilities in LCDproc + + Multiple remote vulnerabilities have been found in the LCDd server, + allowing execution of arbitrary code with the rights of the LCDd user. + + lcdproc + April 27, 2004 + April 27, 2004: 01 + 47340 + remote + + + 0.4.5 + 0.4.4-r1 + + + +

+ LCDproc is a program that displays various bits of real-time system + information on an LCD. It makes use of a local server (LCDd) to collect + information to display on the LCD. +

+
+ +

+ Due to insufficient checking of client-supplied data, the LCDd server is + susceptible to two buffer overflows and one string buffer vulnerability. If + the server is configured to listen on all network interfaces (see the Bind + parameter in LCDproc configuration), these vulnerabilities can be triggered + remotely. +

+
+ +

+ These vulnerabilities allow an attacker to execute code with the rights of + the user running the LCDproc server. By default, this is the "nobody" user. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised + to upgrade to the latest version of the affected package. +

+
+ +

+ LCDproc users should upgrade to version 0.4.5 or later: +

+ + # emerge sync + + # emerge -pv ">=app-misc/lcdproc-0.4.5" + # emerge ">=app-misc/lcdproc-0.4.5" +
+ + LCDproc advisory + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-20.xml b/xml/htdocs/security/en/glsa/glsa-200404-20.xml new file mode 100644 index 00000000..8944b860 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-20.xml @@ -0,0 +1,89 @@ + + + + + + + Multiple vulnerabilities in xine + + Several vulnerabilities have been found in xine-ui and xine-lib, + potentially allowing an attacker to overwrite files with the rights of the + user. + + xine + April 27, 2004 + May 22, 2006: 02 + 45448 + 48107 + 48108 + remote + + + 0.9.23-r2 + 0.9.23-r1 + + + 1_rc3-r3 + 1_rc3-r2 + + + +

+ xine is a multimedia player allowing to play back CDs, DVDs, and VCDs + and decoding multimedia files like AVI, MOV, WMV, and MP3 from local + disk drives, and displays multimedia streamed over the Internet. It is + available in Gentoo as a reusable library (xine-lib) with a standard + user interface (xine-ui). +

+
+ +

+ Several vulnerabilities were found in xine-ui and xine-lib. By opening + a malicious MRL in any xine-lib based media player, an attacker can + write arbitrary content to an arbitrary file, only restricted by the + permissions of the user running the application. By opening a malicious + playlist in the xine-ui media player, an attacker can write arbitrary + content to an arbitrary file, only restricted by the permissions of the + user running xine-ui. Finally, a temporary file is created in an + insecure manner by the xine-check and xine-bugreport scripts, + potentially allowing a local attacker to use a symlink attack. +

+
+ +

+ These three vulnerabilities may alow an attacker to corrupt system + files, thus potentially leading to a Denial of Service. It is also + theoretically possible, though very unlikely, to use these + vulnerabilities to elevate the privileges of the attacker. +

+
+ +

+ There is no known workaround at this time. All users are advised to + upgrade to the latest available versions of xine-ui and xine-lib. +

+
+ +

+ All users of xine-ui or another xine-based player should upgrade to the + latest stable versions: +

+ + # emerge sync + + # emerge -pv ">=media-video/xine-ui-0.9.23-r2" + # emerge ">=media-video/xine-ui-0.9.23-r2" + + # emerge -pv ">=media-libs/xine-lib-1_rc3-r3" + # emerge ">=media-libs/xine-lib-1_rc3-r3" +
+ + Xine Security Advisories + xine-bugreport and xine-check vulnerability + CVE-2004-0372 + CVE-2004-1951 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200404-21.xml b/xml/htdocs/security/en/glsa/glsa-200404-21.xml new file mode 100644 index 00000000..cd05b6be --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200404-21.xml @@ -0,0 +1,99 @@ + + + + + + + Multiple Vulnerabilities in Samba + + There is a bug in smbfs which may allow local users to gain root via a + setuid file on a mounted Samba share. Also, there is a tmpfile symlink + vulnerability in the smbprint script distributed with Samba. + + samba + April 29, 2004 + April 29, 2004: 01 + 41800 + 45965 + local + + + 3.0.2a-r2 + 3.0.2a + + + +

+ Samba is a package which allows UNIX systems to act as file servers for + Windows computers. It also allows UNIX systems to mount shares exported by + a Samba/CIFS/Windows server. smbmount is a program in the Samba package + which allows normal users on a UNIX system to mount remote shares. smbprint + is an example script included in the Samba package which can be used to + facilitate network printing. +

+
+ +

+ Two vulnerabilities have been discovered in Samba. The first vulnerability + allows a local user who has access to the smbmount command to gain root. An + attacker could place a setuid-root binary on a Samba share/server he or she + controls, and then use the smbmount command to mount the share on the + target UNIX box. The remote Samba server must support UNIX extensions for + this to work. This has been fixed in version 3.0.2a. +

+

+ The second vulnerability is in the smbprint script. By creating a symlink + from /tmp/smbprint.log, an attacker could cause the smbprint script to + write to an arbitrary file on the system. This has been fixed in version + 3.0.2a-r2. +

+
+ +

+ Local users with access to the smbmount command may gain root access. Also, + arbitrary files may be overwritten using the smbprint script. +

+
+ +

+ To workaround the setuid bug, remove the setuid bits from the + /usr/bin/smbmnt, /usr/bin/smbumount and /usr/bin/mount.cifs binaries. + However, please note that this workaround will prevent ordinary users from + mounting remote SMB and CIFS shares. +

+

+ To work around the smbprint vulnerability, set "debug=no" in the smbprint + configuration. +

+
+ +

+ All users should update to the latest version of the Samba package. +

+

+ The following commands will perform the upgrade: +

+ + # emerge sync + + # emerge -pv ">=net-fs/samba-3.0.2a-r2" + # emerge ">=net-fs/samba-3.0.2a-r2" +

+ Those who are using Samba's password database also need to run the + following command: +

+ + # pdbedit --force-initialized-passwords +

+ Those using LDAP for Samba passwords also need to check the sambaPwdLastSet + attribute on each account, and ensure it is not 0. +

+
+ + BugTraq Thread: Samba 3.x + kernel 2.6.x local root vulnerability + BugTraq: smbprint Vulnerability + + + condordes + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-01.xml b/xml/htdocs/security/en/glsa/glsa-200405-01.xml new file mode 100644 index 00000000..e74351d1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-01.xml @@ -0,0 +1,63 @@ + + + + + + + Multiple format string vulnerabilities in neon 0.24.4 and earlier + + There are multiple format string vulnerabilities in libneon which may allow + a malicious WebDAV server to execute arbitrary code. + + neon + May 09, 2004 + May 09, 2004: 01 + 48448 + remote + + + 0.24.5 + 0.24.4 + + + +

+ neon provides an HTTP and WebDAV client library. +

+
+ +

+ There are multiple format string vulnerabilities in libneon which may allow + a malicious WebDAV server to execute arbitrary code under the context of + the process using libneon. +

+
+ +

+ An attacker may be able to execute arbitrary code under the context of the + process using libneon. +

+
+ +

+ A workaround is not currently known for this issue. All users are advised + to upgrade to the latest version of the affected package. +

+
+ +

+ Neon users should upgrade to version 0.24.5 or later: +

+ + # emerge sync + + # emerge -pv ">=net-misc/neon-0.24.5" + # emerge ">=net-misc/neon-0.24.5" +
+ + CVE + + + klieber + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-02.xml b/xml/htdocs/security/en/glsa/glsa-200405-02.xml new file mode 100644 index 00000000..0a7c999c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-02.xml @@ -0,0 +1,72 @@ + + + + + + + Multiple vulnerabilities in LHa + + Two stack-based buffer overflows and two directory traversal problems have + been found in LHa. These vulnerabilities can be used to execute arbitrary + code or as a denial of service attack. + + lha + May 09, 2004 + October 20, 2006: 02 + 49961 + remote + + + 114i-r2 + 114i-r1 + + + +

+ LHa is a console-based program for packing and unpacking LHarc archives. +

+
+ +

+ Ulf Harnhammar found two stack overflows and two directory traversal + vulnerabilities in LHa version 1.14 and 1.17. A stack overflow occurs when + testing or extracting archives containing long file or directory names. + Furthermore, LHa doesn't contain sufficient protection against relative or + absolute archive paths. +

+
+ +

+ The stack overflows can be exploited to execute arbitrary code with the + rights of the user testing or extracting the archive. The directory + traversal vulnerabilities can be used to overwrite files in the filesystem + with the rights of the user extracting the archive, potentially leading to + denial of service or privilege escalation. Since LHa is often interfaced to + other software like an email virus scanner, this attack can be used + remotely. +

+
+ +

+ There is no known workaround at this time. All users are advised to upgrade + to the latest available version of LHa. +

+
+ +

+ All users of LHa should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=app-arch/lha-114i-r2" + # emerge ">=app-arch/lha-114i-r2" +
+ + CAN-2004-0234 + CAN-2004-0235 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-03.xml b/xml/htdocs/security/en/glsa/glsa-200405-03.xml new file mode 100644 index 00000000..06008e60 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-03.xml @@ -0,0 +1,78 @@ + + + + + + + ClamAV VirusEvent parameter vulnerability + + With a specific configuration (using %f in the VirusEvent parameter), Clam + AntiVirus is vulnerable to an attack allowing execution of arbitrary + commands. + + ClamAV + May 11, 2004 + May 22, 2006: 02 + 46264 + remote + + + 0.70 + 0.70 + + + +

+ From http://www.clamav.net/ : +

+

+ "Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose + of this software is the integration with mail servers (attachment + scanning). The package provides a flexible and scalable multi-threaded + daemon, a command line scanner, and a tool for automatic updating via + Internet. The programs are based on a shared library distributed with + the Clam AntiVirus package, which you can use with your own software. + Most importantly, the virus database is kept up to date." +

+
+ +

+ The VirusEvent parameter in the clamav.conf configuration file allows + to specify a system command to run whenever a virus is found. This + system command can make use of the "%f" parameter which is replaced by + the name of the file infected. The name of the file scanned is under + control of the attacker and is not sufficiently checked. Version 0.70 + of clamav disables the use of the "%f" parameter. +

+
+ +

+ Sending a virus with a malicious file name can result in execution of + arbirary system commands with the rights of the antivirus process. + Since clamav is often associated to mail servers for email scanning, + this attack can be used remotely. +

+
+ +

+ You should not use the "%f" parameter in your VirusEvent configuration. +

+
+ +

+ All users of Clam AntiVirus should upgrade to the latest stable + version: +

+ + # emerge sync + + # emerge -pv ">=app-antivirus/clamav-0.70" + # emerge ">=app-antivirus/clamav-0.70" +
+ + CVE-2004-1876 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-04.xml b/xml/htdocs/security/en/glsa/glsa-200405-04.xml new file mode 100644 index 00000000..fedfce51 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-04.xml @@ -0,0 +1,123 @@ + + + + + + + OpenOffice.org vulnerability when using DAV servers + + Several format string vulnerabilities are present in the Neon library + included in OpenOffice.org, allowing remote execution of arbitrary code + when connected to an untrusted WebDAV server. + + openoffice + May 11, 2004 + October 27, 2004: 02 + 47926 + remote + + + 1.1.1-r1 + 1.1.1 + + + 1.0.3-r2 + 1.0.3-r1 + + + 1.1.0-r4 + 1.1.0-r3 + + + 1.1.51-r1 + 1.1.51 + + + 1.1.2 + 1.1.2 + + + 1.1.52 + + + +

+ OpenOffice.org is an office productivity suite, including word processing, + spreadsheets, presentations, drawings, data charting, formula editing, and + file conversion facilities. +

+
+ +

+ OpenOffice.org includes code from the Neon library in functions related to + publication on WebDAV servers. This library is vulnerable to several format + string attacks. +

+
+ +

+ If you use the WebDAV publication and connect to a malicious WebDAV server, + this server can exploit these vulnerabilities to execute arbitrary code + with the rights of the user running OpenOffice.org. +

+
+ +

+ As a workaround, you should not use the WebDAV publication facilities. +

+
+ +

+ There is no Ximian OpenOffice.org binary version including the fix yet. All + users of the openoffice-ximian-bin package making use of the WebDAV + openoffice-ximian source-based package. +

+

+ openoffice users on the x86 architecture should: +

+ + # emerge sync + + # emerge -pv ">=app-office/openoffice-1.1.1-r1" + # emerge ">=app-office/openoffice-1.1.1-r1" +

+ openoffice users on the sparc architecture should: +

+ + # emerge sync + + # emerge -pv ">=app-office/openoffice-1.1.0-r3" + # emerge ">=app-office/openoffice-1.1.0-r3" +

+ openoffice users on the ppc architecture should: +

+ + # emerge sync + + # emerge -pv ">=app-office/openoffice-1.0.3-r1" + # emerge ">=app-office/openoffice-1.0.3-r1" +

+ openoffice-ximian users should: +

+ + # emerge sync + + # emerge -pv ">=app-office/openoffice-ximian-1.1.51-r1" + # emerge ">=app-office/openoffice-ximian-1.1.51-r1" +

+ openoffice-bin users should: +

+ + # emerge sync + + # emerge -pv ">=app-office/openoffice-bin-1.1.2" + # emerge ">=app-office/openoffice-bin-1.1.2" +
+ + CAN-2004-0179 + Neon vulnerabilities (GLSA 200405-01) + + + koon + +
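Review bot: The sparc and ppc resolution commands point at the versions the header marks as vulnerable, not the fixed ones: the header lists 1.1.0-r4 (sparc) and 1.0.3-r2 (ppc) as unaffected with 1.1.0-r3 and 1.0.3-r1 vulnerable, yet the commands are `# emerge ">=app-office/openoffice-1.1.0-r3"` and `# emerge ">=app-office/openoffice-1.0.3-r1"`, so a user following them can remain on a vulnerable build. The `-pv` and install lines for both architectures should be bumped to `>=app-office/openoffice-1.1.0-r4` and `>=app-office/openoffice-1.0.3-r2` respectively. The first resolution paragraph is also missing words ("All users of the openoffice-ximian-bin package making use of the WebDAV openoffice-ximian source-based package."); presumably it was meant to advise those users to switch to the source-based openoffice-ximian package, which the author should confirm and complete.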
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-05.xml b/xml/htdocs/security/en/glsa/glsa-200405-05.xml new file mode 100644 index 00000000..620a84e6 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-05.xml @@ -0,0 +1,63 @@ + + + + + + + Utempter symlink vulnerability + + Utempter contains a vulnerability that may allow local users to overwrite + arbitrary files via a symlink attack. + + utempter + May 13, 2004 + May 13, 2004: 01 + 49536 + local + + + 0.5.5.4 + 0.5.5.4 + + + +

+ Utempter is an application that allows non-privileged apps to write utmp + (login) info, which otherwise needs root access. +

+
+ +

+ Utempter contains a vulnerability that may allow local users to overwrite + arbitrary files via a symlink attack. +

+
+ +

+ This vulnerability may allow arbitrary files to be overwritten with root + privileges. +

+
+ +

+ There is no known workaround at this time. All users are advised to upgrade + to the latest available version of utempter. +

+
+ +

+ All users of utempter should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=sys-apps/utempter-0.5.5.4" + # emerge ">=sys-apps/utempter-0.5.5.4" +
+ + CAN-2004-0233 + + + klieber + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-06.xml b/xml/htdocs/security/en/glsa/glsa-200405-06.xml new file mode 100644 index 00000000..85926a9b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-06.xml @@ -0,0 +1,73 @@ + + + + + + + libpng denial of service vulnerability + + A bug in the libpng library can be abused to crash programs making use of + that library to decode PNG images. + + libpng + May 14, 2004 + May 14, 2004: 01 + 49887 + remote + + + 1.2.5-r5 + 1.2.5-r4 + + + +

+ libpng is a standard library used to process PNG (Portable Network + Graphics) images. +

+
+ +

+ libpng provides two functions (png_chunk_error and png_chunk_warning) for + default error and warning messages handling. These functions do not perform + proper bounds checking on the provided message, which is limited to 64 + bytes. Programs linked against this library may crash when handling a + malicious PNG image. +

+
+ +

+ This vulnerability could be used to crash various programs using the libpng + library, potentially resulting in a denial of service attack on vulnerable + daemon processes. +

+
+ +

+ There is no known workaround at this time. All users are advised to upgrade + to the latest available version of libpng. +

+
+ +

+ All users of libpng should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=media-libs/libpng-1.2.5-r5" + # emerge ">=media-libs/libpng-1.2.5-r5" +

+ You should also run revdep-rebuild to rebuild any packages that depend on + older versions of libpng : +

+ + # revdep-rebuild +
+ + CAN-2004-0421 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-07.xml b/xml/htdocs/security/en/glsa/glsa-200405-07.xml new file mode 100644 index 00000000..c224178f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-07.xml @@ -0,0 +1,66 @@ + + + + + + + Exim verify=header_syntax buffer overflow + + When the verify=header_syntax option is set, there is a buffer overflow in + Exim that allows remote execution of arbitrary code. + + Exim + May 14, 2004 + May 14, 2004: 01 + 50217 + remote + + + 4.33-r1 + 4.33 + + + +

+ Exim is an highly configurable message transfer agent (MTA) developed at + the University of Cambridge. +

+
+ +

+ When the option "verify = header_syntax" is used in an ACL in the + configuration file, Exim is vulnerable to a buffer overflow attack that can + be triggered remotely by sending malicious headers in an email message. + Note that this option is not enabled in Exim's default configuration file. +

+
+ +

+ This vulnerability can be exploited to trigger a denial of service attack + and potentially execute arbitrary code with the rights of the user used by + the Exim daemon (by default this is the "mail" user in Gentoo Linux). +

+
+ +

+ Make sure the verify=header_syntax option is not used in your exim.conf + file. +

+
+ +

+ All users of Exim should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=mail-mta/exim-4.33-r1" + # emerge ">=mail-mta/exim-4.33-r1" +
+ + CAN-2004-0400 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-08.xml b/xml/htdocs/security/en/glsa/glsa-200405-08.xml new file mode 100644 index 00000000..4de9c02c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-08.xml @@ -0,0 +1,66 @@ + + + + + + + Pound format string vulnerability + + There is a format string flaw in Pound, allowing remote execution of + arbitrary code with the rights of the Pound process. + + pound + May 18, 2004 + May 22, 2006: 02 + 50421 + remote + + + 1.6 + 1.5 + + + +

+ Pound is a reverse proxy, load balancer and HTTPS front-end. It allows + to distribute the load on several web servers and offers a SSL wrapper + for web servers that do not support SSL directly. +

+
+ +

+ A format string flaw in the processing of syslog messages was + discovered and corrected in Pound. +

+
+ +

+ This flaw may allow remote execution of arbitrary code with the rights + of the Pound daemon process. By default, Gentoo uses the "nobody" user + to run the Pound daemon. +

+
+ +

+ There is no known workaround at this time. All users are advised to + upgrade to the latest available version of Pound. +

+
+ +

+ All users of Pound should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=www-servers/pound-1.6" + # emerge ">=www-servers/pound-1.6" +
+ + Pound announcement + CVE-2004-2026 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-09.xml b/xml/htdocs/security/en/glsa/glsa-200405-09.xml new file mode 100644 index 00000000..ee35e367 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-09.xml @@ -0,0 +1,66 @@ + + + + + + + ProFTPD Access Control List bypass vulnerability + + Version 1.2.9 of ProFTPD introduced a vulnerability that causes CIDR-based + Access Control Lists (ACLs) to be treated as "AllowAll", thereby + allowing remote users full access to files available to the FTP daemon. + + proftpd + May 19, 2004 + May 19, 2004: 01 + 49496 + remote + + + 1.2.9-r2 + 1.2.9-r1 + 1.2.9 + + + +

+ ProFTPD is an FTP daemon. +

+
+ +

+ ProFTPD 1.2.9 introduced a vulnerability that allows CIDR-based ACLs (such + as 10.0.0.1/24) to be bypassed. The CIDR ACLs are disregarded, with the net + effect being similar to an "AllowAll" directive. +

+
+ +

+ This vulnerability may allow unauthorized files, including critical system + files to be downloaded and/or modified, thereby allowing a potential remote + compromise of the server. +

+
+ +

+ Users may work around the problem by avoiding use of CIDR-based ACLs. +

+
+ +

+ ProFTPD users are encouraged to upgrade to the latest version of the + package: +

+ + # emerge sync + + # emerge -pv ">=net-ftp/proftpd-1.2.9-r2" + # emerge ">=net-ftp/proftpd-1.2.9-r2" +
+ + CAN-2004-0432 + + + klieber + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-10.xml b/xml/htdocs/security/en/glsa/glsa-200405-10.xml new file mode 100644 index 00000000..32a8fb9d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-10.xml @@ -0,0 +1,66 @@ + + + + + + + Icecast denial of service vulnerability + + Icecast is vulnerable to a denial of service attack allowing remote users + to crash the application. + + icecast + May 19, 2004 + May 22, 2006: 02 + 50935 + remote + + + 2.0.1 + 2.0.0 + + + +

+ Icecast is a program that streams audio data to listeners over the + Internet. +

+
+ +

+ There is an out-of-bounds read error in the web interface of Icecast + when handling Basic Authorization requests. This vulnerability can + theorically be exploited by sending a specially crafted Authorization + header to the server. +

+
+ +

+ By exploiting this vulnerability, it is possible to crash the Icecast + server remotely, resulting in a denial of service attack. +

+
+ +

+ There is no known workaround at this time. All users are advised to + upgrade to the latest available version of Icecast. +

+
+ +

+ All users of Icecast should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-misc/icecast-2.0.1" + # emerge ">=net-misc/icecast-2.0.1" +
+ + Icecast 2.0.1 announcement + CVE-2004-2027 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-11.xml b/xml/htdocs/security/en/glsa/glsa-200405-11.xml new file mode 100644 index 00000000..3282ad9c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-11.xml @@ -0,0 +1,78 @@ + + + + + + + KDE URI Handler Vulnerabilities + + Vulnerabilities in KDE URI handlers makes your system vulnerable to various + attacks. + + kdelibs + May 19, 2004 + May 19, 2004: 01 + 51276 + remote + + + 3.2.2-r1 + 3.1.5-r1 + 3.2.2 + + + +

+ The K Desktop Environment (KDE) is a powerful Free Software graphical + desktop environment. KDE makes use of URI handlers to trigger various + programs when specific URLs are received. +

+
+ +

+ The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for '-' + at the beginning of the hostname passed. By crafting a malicious URI and + entice an user to click on it, it is possible to pass an option to the + programs started by the handlers (typically telnet, kmail...). +

+
+ +

+ If the attacker controls the options passed to the URI handling programs, + it becomes possible for example to overwrite arbitrary files (possibly + leading to denial of service), to open kmail on an attacker-controlled + remote display or with an alternate configuration file (possibly leading to + control of the user account). +

+
+ +

+ There is no known workaround at this time. All users are advised to upgrade + to a corrected version of kdelibs. +

+
+ +

+ Users of KDE 3.1 should upgrade to the corrected version of kdelibs: +

+ + # emerge sync + + # emerge -pv "=kde-base/kdelibs-3.1.5-r1" + # emerge "=kde-base/kdelibs-3.1.5-r1" +

+ Users of KDE 3.2 should upgrade to the latest available version of kdelibs: +

+ + # emerge sync + + # emerge -pv ">=kde-base/kdelibs-3.2.2-r1" + # emerge ">=kde-base/kdelibs-3.2.2-r1" +
+ + CAN-2004-0411 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-12.xml b/xml/htdocs/security/en/glsa/glsa-200405-12.xml new file mode 100644 index 00000000..5708e3af --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-12.xml @@ -0,0 +1,68 @@ + + + + + + + CVS heap overflow vulnerability + + CVS is subject to a heap overflow vulnerability allowing source repository + compromise. + + cvs + May 20, 2004 + May 20, 2004: 01 + 51460 + remote + + + 1.11.16 + 1.11.15 + + + +

+ CVS (Concurrent Versions System) is an open-source network-transparent + version control system. It contains both a client utility and a server. +

+
+ +

+ Stefan Esser discovered a heap overflow in the CVS server, which can be + triggered by sending malicious "Entry" lines and manipulating the flags + related to that Entry. This vulnerability was proven to be exploitable. +

+
+ +

+ A remote attacker can execute arbitrary code on the CVS server, with the + rights of the CVS server. By default, Gentoo uses the "cvs" user to run the + CVS server. In particular, this flaw allows a complete compromise of CVS + source repositories. If you're not running a server, then you are not + vulnerable. +

+
+ +

+ There is no known workaround at this time. All users are advised to upgrade + to the latest available version of CVS. +

+
+ +

+ All users running a CVS server should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=dev-util/cvs-1.11.16" + # emerge ">=dev-util/cvs-1.11.16" +
+ + E-matters advisory 07/2004 + CAN-2004-0396 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-13.xml b/xml/htdocs/security/en/glsa/glsa-200405-13.xml new file mode 100644 index 00000000..4a76ee58 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-13.xml @@ -0,0 +1,65 @@ + + + + + + + neon heap-based buffer overflow + + A vulnerability potentially allowing remote execution of arbitrary code has + been discovered in the neon library. + + neon + May 20, 2004 + May 20, 2004: 01 + 51490 + remote + + + 0.24.6 + 0.24.5 + + + +

+ neon provides an HTTP and WebDAV client library. +

+
+ +

+ Stefan Esser discovered a vulnerability in the code of the neon library : + if a malicious date string is passed to the ne_rfc1036_parse() function, it + can trigger a string overflow into static heap variables. +

+
+ +

+ Depending on the application linked against libneon and when connected to a + malicious WebDAV server, this vulnerability could allow execution of + arbitrary code with the rights of the user running that application. +

+
+ +

+ There is no known workaround at this time. All users are advised to upgrade + to the latest available version of neon. +

+
+ +

+ All users of neon should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-misc/neon-0.24.6" + # emerge ">=net-misc/neon-0.24.6" +
+ + E-matters advisory 06/2004 + CAN-2004-0398 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-14.xml b/xml/htdocs/security/en/glsa/glsa-200405-14.xml new file mode 100644 index 00000000..3f481268 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-14.xml @@ -0,0 +1,76 @@ + + + + + + + Buffer overflow in Subversion + + There is a vulnerability in the Subversion date parsing code which may lead + to denial of service attacks, or execution of arbitrary code. Both the + client and server are vulnerable. + + subversion + May 20, 2004 + May 22, 2006: 02 + 51462 + remote + + + 1.0.3 + 1.0.2 + + + +

+ Subversion is a version control system intended to eventually replace + CVS. Like CVS, it has an optional client-server architecture (where the + server can be an Apache server running mod_svn, or an ssh program as in + CVS's :ext: method). In addition to supporting the features found in + CVS, Subversion also provides support for moving and copying files and + directories. +

+
+ +

+ All releases of Subversion prior to 1.0.3 have a vulnerability in the + date-parsing code. This vulnerability may allow denial of service or + arbitrary code execution as the Subversion user. Both the client and + server are vulnerable, and write access is NOT required to the server's + repository. +

+
+ +

+ All servers and clients are vulnerable. Specifically, clients that + allow other users to write to administrative files in a working copy + may be exploited. Additionally all servers (whether they are httpd/DAV + or svnserve) are vulnerable. Write access to the server is not + required; public read-only Subversion servers are also exploitable. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All Subversion users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=dev-util/subversion-1.0.3" + # emerge ">=dev-util/subversion-1.0.3" +
+ + Subversion Announcement + E-Matters Advisory + CVE-2004-0397 + + + condordes + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-15.xml b/xml/htdocs/security/en/glsa/glsa-200405-15.xml new file mode 100644 index 00000000..fae074cf --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-15.xml @@ -0,0 +1,65 @@ + + + + + + + cadaver heap-based buffer overflow + + There is a heap-based buffer overflow vulnerability in the neon library + used in cadaver, possibly leading to execution of arbitrary code when + connected to a malicious server. + + cadaver + May 20, 2004 + May 20, 2004: 01 + 51461 + remote + + + 0.22.2 + 0.22.1 + + + +

+ cadaver is a command-line WebDAV client. +

+
+ +

+ Stefan Esser discovered a vulnerability in the code of the neon library + (see GLSA 200405-13). This library is also included in cadaver. +

+
+ +

+ When connected to a malicious WebDAV server, this vulnerability could allow + remote execution of arbitrary code with the rights of the user running + cadaver. +

+
+ +

+ There is no known workaround at this time. All users are advised to upgrade + to the latest available version of cadaver. +

+
+ +

+ All users of cadaver should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-misc/cadaver-0.22.2" + # emerge ">=net-misc/cadaver-0.22.2" +
+ + CAN-2004-0398 + GLSA 200405-13 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-16.xml b/xml/htdocs/security/en/glsa/glsa-200405-16.xml new file mode 100644 index 00000000..d854cbba --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-16.xml @@ -0,0 +1,72 @@ + + + + + + + Multiple XSS Vulnerabilities in SquirrelMail + + SquirrelMail is subject to several XSS and one SQL injection vulnerability. + + SquirrelMail + May 25, 2004 + May 27, 2006: 04 + 49675 + remote + + + 1.4.3_rc1 + 1.4.3_rc1 + + + +

+ SquirrelMail is a webmail package written in PHP. It supports IMAP and + SMTP, and can optionally be installed with SQL support. +

+
+ +

+ Several unspecified cross-site scripting (XSS) vulnerabilities and a + well hidden SQL injection vulnerability were found. An XSS attack + allows an attacker to insert malicious code into a web-based + application. SquirrelMail does not check for code when parsing + variables received via the URL query string. +

+
+ +

+ One of the XSS vulnerabilities could be exploited by an attacker to + steal cookie-based authentication credentials from the user's browser. + The SQL injection issue could potentially be used by an attacker to run + arbitrary SQL commands inside the SquirrelMail database with privileges + of the SquirrelMail database user. +

+
+ +

+ There is no known workaround at this time. All users are advised to + upgrade to version 1.4.3_rc1 or higher of SquirrelMail. +

+
+ +

+ All SquirrelMail users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=mail-client/squirrelmail-1.4.3_rc1" + # emerge ">=mail-client/squirrelmail-1.4.3_rc1" +
+ + SquirrelMail 1.4.3_rc1 release annoucement + Bugtraq security annoucement + CERT description of XSS + CVE-2004-0519 + CVE-2004-0521 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-17.xml b/xml/htdocs/security/en/glsa/glsa-200405-17.xml new file mode 100644 index 00000000..d4448381 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-17.xml @@ -0,0 +1,63 @@ + + + + + + + Multiple vulnerabilities in metamail + + Several format string bugs and buffer overflows were discovered in + metamail, potentially allowing execution of arbitrary code remotely. + + metamail + May 21, 2004 + May 21, 2004: 01 + 42133 + remote + + + 2.7.45.3 + 2.7.45.3 + + + +

+ Metamail is a program that decodes MIME encoded mail. It is therefore often + automatically called when an email is received or read. +

+
+ +

+ Ulf Harnhammar found two format string bugs and two buffer overflow bugs in + Metamail. +

+
+ +

+ A remote attacker could send a malicious email message and execute + arbitrary code with the rights of the process calling the Metamail program. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All users of Metamail should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-mail/metamail-2.7.45.3" + # emerge ">=net-mail/metamail-2.7.45.3" +
+ + CAN-2004-0104 + CAN-2004-0105 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-18.xml b/xml/htdocs/security/en/glsa/glsa-200405-18.xml new file mode 100644 index 00000000..5643c175 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-18.xml @@ -0,0 +1,68 @@ + + + + + + + Buffer Overflow in Firebird + + A buffer overflow via environmental variables in Firebird may allow a local + user to manipulate or destroy local databases and trojan the Firebird + binaries. + + firebird + May 23, 2004 + May 22, 2006: 02 + 20837 + local + + + 1.5 + 1.5 + + + +

+ Firebird is an open source relational database that runs on Linux, + Windows, and various UNIX systems. +

+
+ +

+ A buffer overflow exists in three Firebird binaries (gds_inet_server, + gds_lock_mgr, and gds_drop) that is exploitable by setting a large + value to the INTERBASE environment variable. +

+
+ +

+ An attacker could control program execution, allowing privilege + escalation to the UID of Firebird, full access to Firebird databases, + and trojaning the Firebird binaries. An attacker could use this to + compromise other user or root accounts. +

+
+ +

+ There is no known workaround. +

+
+ +

+ All users should upgrade to the latest version of Firebird: +

+ + # emerge sync + + # emerge -pv ">=dev-db/firebird-1.5" + # emerge ">=dev-db/firebird-1.5" +
+ + Bugtraq Security Announcement + Sourceforge BugTracker Announcement + CVE-2003-0281 + + + dmargoli + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-19.xml b/xml/htdocs/security/en/glsa/glsa-200405-19.xml new file mode 100644 index 00000000..a7323d86 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-19.xml @@ -0,0 +1,77 @@ + + + + + + + Opera telnet URI handler file creation/truncation vulnerability + + A vulnerability exists in Opera's telnet URI handler that may allow a + remote attacker to overwrite arbitrary files. + + opera + May 25, 2004 + December 30, 2007: 03 + 50857 + remote + + + 7.50_beta1 + 7.50_beta1 + + + +

+ Opera is a multi-platform web browser. +

+
+ +

+ The telnet URI handler in Opera does not check for leading '-' + characters in the host name. Consequently, a maliciously-crafted + telnet:// link may be able to pass options to the telnet program + itself. One example would be the following: +

+

+ telnet://-nMyFile +

+

+ If MyFile exists in the user's home directory and the user clicking on + the link has write permissions to it, the contents of the file will be + overwritten with the output of the telnet trace information. If MyFile + does not exist, the file will be created in the user's home directory. +

+
+ +

+ This exploit has two possible impacts. First, it may create new files + in the user's home directory. Second, and far more serious, it may + overwrite existing files that the user has write permissions to. An + attacker with some knowledge of a user's home directory might be able + to destroy important files stored within. +

+
+ +

+ Disable the telnet URI handler from within Opera. +

+
+ +

+ All Opera users are encouraged to upgrade to the latest version of the + program: +

+ + # emerge sync + + # emerge -pv ">=www-client/opera-7.50_beta1" + # emerge ">=www-client/opera-7.50_beta1" +
+ + iDEFENSE Security Advisory 05.12.04 + CVE-2004-0473 + + + klieber + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-20.xml b/xml/htdocs/security/en/glsa/glsa-200405-20.xml new file mode 100644 index 00000000..d87d7831 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-20.xml @@ -0,0 +1,70 @@ + + + + + + + Insecure Temporary File Creation In MySQL + + Two MySQL utilities create temporary files with hardcoded paths, allowing + an attacker to use a symlink to trick MySQL into overwriting important + data. + + MySQL + May 25, 2004 + May 25, 2004: 01 + 46242 + local + + + 4.0.18-r2 + 4.0.18-r2 + + + +

+ MySQL is a popular open-source multi-threaded, multi-user SQL database + server. +

+
+ +

+ The MySQL bug reporting utility (mysqlbug) creates a temporary file to log + bug reports to. A malicious local user with write access to the /tmp + directory could create a symbolic link of the name mysqlbug-N + pointing to a protected file, such as /etc/passwd, such that when mysqlbug + creates the Nth log file, it would end up overwriting the target + file. A similar vulnerability exists with the mysql_multi utility, which + creates a temporary file called mysql_multi.log. +

+
+ +

+ Since mysql_multi runs as root, a local attacker could use this to destroy + any other users' data or corrupt and destroy system files. +

+
+ +

+ One could modify both scripts to log to a directory that users do not have + write permission to, such as /var/log/mysql/. +

+
+ +

+ All users should upgrade to the latest stable version of MySQL. +

+ + # emerge sync + + # emerge -pv ">=dev-db/mysql-4.0.18-r2" + # emerge ">=dev-db/mysql-4.0.18-r2" +
+ + CAN-2004-0381 + CAN-2004-0388 + + + dmargoli + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-21.xml b/xml/htdocs/security/en/glsa/glsa-200405-21.xml new file mode 100644 index 00000000..af584984 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-21.xml @@ -0,0 +1,69 @@ + + + + + + + Midnight Commander: Multiple vulnerabilities + + Multiple security issues have been discovered in Midnight Commander + including several buffer overflows and string format vulnerabilities. + + MC + May 26, 2004 + May 26, 2004: 01 + 49990 + local + + + 4.6.0-r7 + 4.6.0-r6 + + + +

+ Midnight Commander is a visual console file manager. +

+
+ +

+ Numerous security issues have been discovered in Midnight Commander, + including several buffer overflow vulnerabilities, multiple vulnerabilities + in the handling of temporary file and directory creation, and multiple + format string vulnerabilities. +

+
+ +

+ The buffer overflows and format string vulnerabilites may allow attackers + to cause a denial of service or execute arbitrary code with permissions of + the user running MC. The insecure creation of temporary files and + directories could lead to a privilege escalation, including root + privileges, for a local attacker. +

+
+ +

+ There is no known workaround at this time. All users are advised to upgrade + to version 4.6.0-r7 or higher of Midnight Commander. +

+
+ +

+ All Midnight Commander users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=app-misc/mc-4.6.0-r7 + # emerge ">=app-misc/mc-4.6.0-r7" +
+ + CAN-2004-0226 + CAN-2004-0231 + CAN-2004-0232 + + + jaervosz + +
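Review bot: The first emerge command in the resolution block of glsa-200405-21.xml is missing its closing double quote, `# emerge -pv ">=app-misc/mc-4.6.0-r7`, so a user who pastes it gets an unterminated-string prompt from the shell instead of the dry run; the line below it has the correct form. Change it to `# emerge -pv ">=app-misc/mc-4.6.0-r7"`. The impact paragraph of the same file also spells "vulnerabilites", as does the synopsis of glsa-200405-22.xml in the next hunk.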
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-22.xml b/xml/htdocs/security/en/glsa/glsa-200405-22.xml new file mode 100644 index 00000000..c2c4beec --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-22.xml @@ -0,0 +1,85 @@ + + + + + + + Apache 1.3: Multiple vulnerabilities + + Several security vulnerabilites have been fixed in the latest release of + Apache 1.3. + + Apache + May 26, 2004 + December 30, 2007: 02 + 51815 + remote + + + 1.3.31 + 1.3.31 + + + +

+ The Apache HTTP Server Project is an effort to develop and maintain an + open-source HTTP server for modern operating systems. The goal of this + project is to provide a secure, efficient and extensible server that + provides services in tune with the current HTTP standards. +

+
+ +

+ On 64-bit big-endian platforms, mod_access does not properly parse + Allow/Deny rules using IP addresses without a netmask which could result in + failure to match certain IP addresses. +

+

+ Terminal escape sequences are not filtered from error logs. This could be + used by an attacker to insert escape sequences into a terminal emulater + vulnerable to escape sequences. +

+

+ mod_digest does not properly verify the nonce of a client response by using + a AuthNonce secret. This could permit an attacker to replay the response of + another website. This does not affect mod_auth_digest. +

+

+ On certain platforms there is a starvation issue where listening sockets + fails to handle short-lived connection on a rarely-accessed listening + socket. This causes the child to hold the accept mutex and block out new + connections until another connection arrives on the same rarely-accessed + listening socket thus leading to a denial of service. +

+
+ +

+ These vulnerabilities could lead to attackers bypassing intended access + restrictions, denial of service, and possibly execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All users should upgrade to the latest stable version of Apache 1.3. +

+ + # emerge sync + + # emerge -pv ">=www-servers/apache-1.3.31" + # emerge ">=www-servers/apache-1.3.31" +
+ + CAN-2003-0993 + CAN-2003-0020 + CAN-2003-0987 + CAN-2004-0174 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-23.xml b/xml/htdocs/security/en/glsa/glsa-200405-23.xml new file mode 100644 index 00000000..a2fe3d71 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-23.xml @@ -0,0 +1,65 @@ + + + + + + + Heimdal: Kerberos 4 buffer overflow in kadmin + + A possible buffer overflow in the Kerberos 4 component of Heimdal has been + discovered. + + Heimdal + May 27, 2004 + May 27, 2004: 01 + 50208 + remote + + + 0.6.2 + 0.6.2 + + + +

+ Heimdal is a free implementation of Kerberos. +

+
+ +

+ A buffer overflow was discovered in kadmind, a server for administrative + access to the Kerberos database. +

+
+ +

+ By sending a specially formatted message to kadmind, a remote attacker may + be able to crash kadmind causing a denial of service, or execute arbitrary + code with the permissions of the kadmind process. +

+
+ +

+ For a temporary workaround, providing you do not require Kerberos 4 + support, you may turn off Kerberos 4 kadmin by running kadmind with the + --no-kerberos4 option. +

+
+ +

+ All Heimdal users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=app-crypt/heimdal-0.6.2" + # emerge ">=app-crypt/heimdal-0.6.2" +
+ + Heimdal 0.6.2 Release Notice + CAN-2004-0434 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-24.xml b/xml/htdocs/security/en/glsa/glsa-200405-24.xml new file mode 100644 index 00000000..5a3c9afe --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-24.xml @@ -0,0 +1,79 @@ + + + + + + + MPlayer, xine-lib: vulnerabilities in RTSP stream handling + + Multiple vulnerabilities, including remotely exploitable buffer overflows, + have been found in code common to MPlayer and the xine library. + + mplayer + May 28, 2004 + May 28, 2004: 01 + 49387 + remote + + + 1.0_pre4 + 0.92-r1 + 1.0_pre4 + + + 1_rc4 + 0.9.13-r3 + 1_rc4 + + + +

+ MPlayer is a movie player capable of handling multiple multimedia file + formats. xine-lib is a multimedia player library used by several graphical + user interfaces, including xine-ui. They both use the same code to handle + Real-Time Streaming Protocol (RTSP) streams from RealNetworks servers. +

+
+ +

+ Multiple vulnerabilities have been found and fixed in the RTSP handling + code common to recent versions of these two packages. These vulnerabilities + include several remotely exploitable buffer overflows. +

+
+ +

+ A remote attacker, posing as a RTSP stream server, can execute arbitrary + code with the rights of the user of the software playing the stream + (MPlayer or any player using xine-lib). Another attacker may entice a user + to use a maliciously crafted URL or playlist to achieve the same results. +

+
+ +

+ For MPlayer, there is no known workaround at this time. For xine-lib, you + can delete the xineplug_inp_rtsp.so file. +

+
+ +

+ All users should upgrade to non-vulnerable versions of MPlayer and + xine-lib: +

+ + # emerge sync + + # emerge -pv ">=media-video/mplayer-1.0_pre4" + # emerge ">=media-video/mplayer-1.0_pre4" + + # emerge -pv ">=media-libs/xine-lib-1_rc4" + # emerge ">=media-libs/xine-lib-1_rc4" +
+ + Xine security advisory + CAN-2004-0433 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200405-25.xml b/xml/htdocs/security/en/glsa/glsa-200405-25.xml new file mode 100644 index 00000000..f951ba78 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200405-25.xml @@ -0,0 +1,65 @@ + + + + + + + tla: Multiple vulnerabilities in included libneon + + tla includes a vulnerable version of the neon library. + + tla + May 30, 2004 + June 02, 2004: 02 + 51586 + remote + + + 1.2-r2 + 1.2-r1 + 1.2.1_pre1 + + + +

+ GNU Arch (tla) is a revision control system suited for widely distributed + development. +

+
+ +

+ Multiple format string vulnerabilities and a heap overflow vulnerability + were discovered in the code of the neon library (GLSA 200405-01 and + 200405-13). Current versions of the tla package include their own version + of this library. +

+
+ +

+ When connected to a malicious WebDAV server, these vulnerabilities could + allow execution of arbitrary code with the rights of the user running tla. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All users of tla should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=dev-util/tla-1.2-r2" + # emerge ">=dev-util/tla-1.2-r2" +
+ + GLSA 200405-01 + GLSA 200405-13 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-01.xml b/xml/htdocs/security/en/glsa/glsa-200406-01.xml new file mode 100644 index 00000000..3ca995c4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-01.xml @@ -0,0 +1,78 @@ + + + + + + + Ethereal: Multiple security problems + + Multiple vulnerabilities including one buffer overflow exist in Ethereal, + which may allow an attacker to run arbitrary code or crash the program. + + Ethereal + June 04, 2004 + May 22, 2006: 02 + 51022 + remote + + + 0.10.4 + 0.10.3 + + + +

+ Ethereal is a feature rich network protocol analyzer. +

+
+ +

+ There are multiple vulnerabilities in versions of Ethereal earlier than + 0.10.4, including: +

+
    +
  • A buffer overflow in the MMSE dissector.
  • +
  • Under specific conditions a SIP packet could make Ethereal + crash.
  • +
  • The AIM dissector could throw an assertion, causing Ethereal to + crash.
  • +
  • The SPNEGO dissector could dereference a null pointer, causing a + crash.
  • +
+
+ +

+ An attacker could use these vulnerabilities to crash Ethereal or even + execute arbitrary code with the permissions of the user running + Ethereal, which could be the root user. +

+
+ +

+ For a temporary workaround you can disable all affected protocol + dissectors by selecting Analyze->Enabled Protocols... and deselecting + them from the list. However, it is strongly recommended to upgrade to + the latest stable release. +

+
+ +

+ All Ethereal users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-analyzer/ethereal-0.10.4" + # emerge ">=net-analyzer/ethereal-0.10.4" +
+ + Ethereal enpa-sa-00014 + CVE-2004-0504 + CVE-2004-0505 + CVE-2004-0506 + CVE-2004-0507 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-02.xml b/xml/htdocs/security/en/glsa/glsa-200406-02.xml new file mode 100644 index 00000000..5286aa39 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-02.xml @@ -0,0 +1,63 @@ + + + + + + + tripwire: Format string vulnerability + + A vulnerability allowing arbitrary code execution under certain + circumstances has been found. + + tripwire + June 04, 2004 + May 22, 2006: 02 + 52945 + local + + + 2.3.1.2-r1 + 2.3.1.2 + + + +

+ tripwire is an open source file integrity checker. +

+
+ +

+ The code that generates email reports contains a format string + vulnerability in pipedmailmessage.cpp. +

+
+ +

+ With a carefully crafted filename on a local filesystem an attacker + could cause execution of arbitrary code with permissions of the user + running tripwire, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All tripwire users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=app-admin/tripwire-2.3.1.2-r1" + # emerge ">=app-admin/tripwire-2.3.1.2-r1" +
+ + Bugtraq Announcement + CVE-2004-0536 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-03.xml b/xml/htdocs/security/en/glsa/glsa-200406-03.xml new file mode 100644 index 00000000..5830b11f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-03.xml @@ -0,0 +1,66 @@ + + + + + + + sitecopy: Multiple vulnerabilities in included libneon + + sitecopy includes a vulnerable version of the neon library. + + sitecopy + June 05, 2004 + August 15, 2004: 04 + 51585 + remote + + + 0.13.4-r2 + 0.13.4-r1 + + + +

+ sitecopy easily maintains remote websites. It makes it simple to keep a + remote site synchronized with the local site with one command. +

+
+ +

+ Multiple format string vulnerabilities and a heap overflow vulnerability + were discovered in the code of the neon library (GLSA 200405-01 and + 200405-13). Current versions of the sitecopy package include their own + version of this library. +

+
+ +

+ When connected to a malicious WebDAV server, these vulnerabilities could + allow execution of arbitrary code with the rights of the user running + sitecopy. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of sitecopy. +

+
+ +

+ All sitecopy users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-misc/sitecopy-0.13.4-r2" + # emerge ">=net-misc/sitecopy-0.13.4-r2" +
+ + GLSA 200405-01 + GLSA 200405-13 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-04.xml b/xml/htdocs/security/en/glsa/glsa-200406-04.xml new file mode 100644 index 00000000..361bcf22 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-04.xml @@ -0,0 +1,62 @@ + + + + + + + Mailman: Member password disclosure vulnerability + + Mailman contains a bug allowing 3rd parties to retrieve member passwords. + + mailman + June 09, 2004 + June 09, 2004: 01 + 51671 + remote + + + 2.1.5 + 2.1.5 + + + +

+ Mailman is a python-based mailing list server with an extensive web + interface. +

+
+ +

+ Mailman contains an unspecified vulnerability in the handling of request + emails. +

+
+ +

+ By sending a carefully crafted email request to the mailman server an + attacker could obtain member passwords. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All users of Mailman should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-mail/mailman-2.1.5" + # emerge ">=net-mail/mailman-2.1.5" +
+ + Mailman 2.1.5 Release Announcement + CAN-2004-0412 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-05.xml b/xml/htdocs/security/en/glsa/glsa-200406-05.xml new file mode 100644 index 00000000..2264a933 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-05.xml @@ -0,0 +1,82 @@ + + + + + + + Apache: Buffer overflow in mod_ssl + + A bug in mod_ssl may allow a remote attacker to execute remote code when + Apache is configured a certain way. + + Apache + June 09, 2004 + December 30, 2007: 03 + 51368 + remote + + + 2.8.18 + 2.8.18 + + + 2.0 + 2.0.49-r3 + 2.0.49-r2 + + + +

+ Apache is the most popular Web server on the Internet. mod_ssl provides + Secure Sockets Layer encryption and authentication to Apache 1.3. Apache 2 + contains the functionality of mod_ssl. +

+
+ +

+ A bug in the function ssl_util_uuencode_binary in ssl_util.c may lead to a + remote buffer overflow on a server configured to use FakeBasicAuth that + will trust a client certificate with an issuing CA with a subject DN longer + than 6k. +

+
+ +

+ Given the right server configuration, an attacker could cause a Denial of + Service or execute code as the user running Apache, usually + "apache". It is thought to be impossible to exploit this to + execute code on the x86 platform, but the possibility for other platforms + is unknown. This does not preclude a DoS on x86 systems. +

+
+ +

+ A server should not be vulnerable if it is not configured to use + FakeBasicAuth and to trust a client CA with a long subject DN. +

+
+ +

+ Apache 1.x users should upgrade to the latest version of mod_ssl: +

+ + # emerge sync + + # emerge -pv ">=net-www/mod_ssl-2.8.18" + # emerge ">=net-www/mod_ssl-2.8.18" +

+ Apache 2.x users should upgrade to the latest version of Apache: +

+ + # emerge sync + + # emerge -pv ">=www-servers/apache-2.0.49-r3" + # emerge ">=www-servers/apache-2.0.49-r3" +
+ + CAN-2004-0488 + + + dmargoli + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-06.xml b/xml/htdocs/security/en/glsa/glsa-200406-06.xml new file mode 100644 index 00000000..277cea6e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-06.xml @@ -0,0 +1,74 @@ + + + + + + + CVS: additional DoS and arbitrary code execution vulnerabilities + + Several serious new vulnerabilities have been found in CVS, which may allow + an attacker to remotely compromise a CVS server. + + CVS + June 10, 2004 + June 10, 2004: 01 + 53408 + remote + + + 1.11.17 + 1.11.16-r1 + + + +

+ CVS (Concurrent Versions System) is an open-source network-transparent + version control system. It contains both a client utility and a server. +

+
+ +

+ A team audit of the CVS source code performed by Stefan Esser and Sebastian + Krahmer resulted in the discovery of several remotely exploitable + vulnerabilities including: +

+
    +
  • no-null-termination of "Entry" lines
  • +
  • error_prog_name "double-free()"
  • +
  • Argument integer overflow
  • +
  • serve_notify() out of bounds writes
  • +
+
+ +

+ An attacker could use these vulnerabilities to cause a Denial of Service or + execute arbitrary code with the permissions of the user running cvs. +

+
+ +

+ There is no known workaround at this time. All users are advised to upgrade + to the latest available version of CVS. +

+
+ +

+ All CVS users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=dev-util/cvs-1.11.17" + # emerge ">=dev-util/cvs-1.11.17" +
+ + E-matters Advisory 09/2004 + CAN-2004-0414 + CAN-2004-0416 + CAN-2004-0417 + CAN-2004-0418 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-07.xml b/xml/htdocs/security/en/glsa/glsa-200406-07.xml new file mode 100644 index 00000000..de8fc117 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-07.xml @@ -0,0 +1,72 @@ + + + + + + + Subversion: Remote heap overflow + + Subversion is vulnerable to a remote Denial of Service that may be + exploitable to execute arbitrary code on the server running svnserve. + + dev-util/subversion + June 10, 2004 + June 10, 2004: 01 + remote + + + 1.0.4-r1 + 1.0.4 + + + +

+ Subversion is a revision control system that aims to be a "compelling + replacement for CVS". It enjoys wide use in the open source community. + svnserve allows access to Subversion repositories using URIs with the + svn://, svn+ssh://, and other tunelled svn+*:// protocols. +

+
+ +

+ The svn protocol parser trusts the indicated length of a URI string sent by + a client. This allows a client to specify a very long string, thereby + causing svnserve to allocate enough memory to hold that string. This may + cause a Denial of Service. Alternately, given a string that causes an + integer overflow in the variable holding the string length, the server + might allocate less memory than required, allowing a heap overflow. This + heap overflow may then be exploitable, allowing remote code execution. The + attacker does not need read or write access to the Subversion repository + being served, since even un-authenticated users can send svn protocol + requests. +

+
+ +

+ Ranges from remote Denial of Service to potential arbitrary code execution + with privileges of the svnserve process. +

+
+ +

+ Servers without svnserve running are not vulnerable. Disable svnserve and + use DAV for access instead. +

+
+ +

+ All users should upgrade to the latest version of Subversion. +

+ + # emerge sync + + # emerge -pv ">=dev-util/subversion-1.0.4-r1" + # emerge ">=dev-util/subversion-1.0.4-r1" +
+ + CAN-2004-0413 + + + dmargoli + +
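Review bot: The header block of glsa-200406-07.xml appears to carry no bug reference, whereas every other advisory in this series lists a bug number between the revision line and the access line; if the bug element was dropped rather than intentionally omitted it should be restored, since the bug id is what ties the advisory to the tracking entry. The product field is also given as the full atom `dev-util/subversion` here, while the sibling advisories (including glsa-200405-14.xml for the same package) use the bare name `subversion`; glsa-200406-09.xml in a later hunk has the same `www-apps/horde-chora` form. Pick one convention so the product field stays machine-comparable across advisories.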
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-08.xml b/xml/htdocs/security/en/glsa/glsa-200406-08.xml new file mode 100644 index 00000000..a736f7d3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-08.xml @@ -0,0 +1,67 @@ + + + + + + + Squirrelmail: Another XSS vulnerability + + Squirrelmail fails to properly sanitize user input, which could lead to a + compromise of webmail accounts. + + Squirrelmail + June 15, 2004 + May 22, 2006: 02 + 52434 + remote + + + 1.4.3 + 1.4.3_rc1-r1 + + + +

+ SquirrelMail is a webmail package written in PHP. It supports IMAP and + SMTP, and can optionally be installed with SQL support. +

+
+ +

+ A new cross-site scripting (XSS) vulnerability in + Squirrelmail-1.4.3_rc1 has been discovered. In functions/mime.php + Squirrelmail fails to properly sanitize user input. +

+
+ +

+ By enticing a user to read a specially crafted e-mail, an attacker can + execute arbitrary scripts running in the context of the victim's + browser. This could lead to a compromise of the user's webmail account, + cookie theft, etc. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SquirrelMail users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=mail-client/squirrelmail-1.4.3" + # emerge ">=mail-client/squirrelmail-1.4.3" +
+ + RS-Labs Advisory + CERT description of XSS + CVE-2004-0520 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-09.xml b/xml/htdocs/security/en/glsa/glsa-200406-09.xml new file mode 100644 index 00000000..30858750 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-09.xml @@ -0,0 +1,63 @@ + + + + + + + Horde-Chora: Remote code execution + + A vulnerability in Chora allows remote code execution and file upload. + + www-apps/horde-chora + June 15, 2004 + December 30, 2007: 02 + 53800 + remote + + + 1.2.2 + 1.2.2 + + + +

+ Chora is a PHP-based SVN/CVS repository viewer by the HORDE project. +

+
+ +

+ A vulnerability in the diff viewer of Chora allows an attacker to inject + shellcode. An attacker can exploit PHP's file upload functionality to + upload a malicious binary to a vulnerable server, chmod it as executable, + and run the file. +

+
+ +

+ An attacker could remotely execute arbitrary binaries with the permissions + of the PHP script, conceivably allowing further exploitation of local + vulnerabilities and remote root access. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All users are advised to upgrade to the latest version of Chora: +

+ + # emerge sync + + # emerge -pv ">=www-apps/horde-chora-1.2.2" + # emerge ">=www-apps/horde-chora-1.2.2" +
+ + e-matters Advisory + + + dmargoli + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-10.xml b/xml/htdocs/security/en/glsa/glsa-200406-10.xml new file mode 100644 index 00000000..be4326f3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-10.xml @@ -0,0 +1,68 @@ + + + + + + + Gallery: Privilege escalation vulnerability + + There is a vulnerability in the Gallery photo album software which may + allow an attacker to gain administrator privileges within Gallery. + + gallery + June 15, 2004 + May 22, 2006: 02 + 52798 + remote + + + 1.4.3_p2 + 1.4.3_p1 + + + +

+ Gallery is a web application written in PHP which is used to organize + and publish photo albums. It allows multiple users to build and + maintain their own albums. It also supports the mirroring of images on + other servers. +

+
+ +

+ There is a vulnerability in the Gallery photo album software which may + allow an attacker to gain administrator privileges within Gallery. A + Gallery administrator has full access to all albums and photos on the + server, thus attackers may add or delete photos at will. +

+
+ +

+ Attackers may gain full access to all Gallery albums. There is no risk + to the webserver itself, or the server on which it runs. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All users should upgrade to the latest available version of Gallery. +

+ + # emerge sync + + # emerge -pv ">=www-apps/gallery-1.4.3_p2" + # emerge ">=www-apps/gallery-1.4.3_p2" +
+ + Gallery Announcement + CVE-2004-0522 + + + condordes + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-11.xml b/xml/htdocs/security/en/glsa/glsa-200406-11.xml new file mode 100644 index 00000000..7ebd0fbf --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-11.xml @@ -0,0 +1,64 @@ + + + + + + + Horde-IMP: Input validation vulnerability + + An input validation vulnerability has been discovered in Horde-IMP. + + horde-imp + June 16, 2004 + May 22, 2006: 02 + 53862 + remote + + + 3.2.4 + 3.2.3 + + + +

+ Horde-IMP is the Internet Messaging Program. It is written in PHP and + provides webmail access to IMAP and POP3 accounts. +

+
+ +

+ Horde-IMP fails to properly sanitize email messages that contain + malicious HTML or script code. +

+
+ +

+ By enticing a user to read a specially crafted e-mail, an attacker can + execute arbitrary scripts running in the context of the victim's + browser. This could lead to a compromise of the user's webmail account, + cookie theft, etc. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Horde-IMP users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=www-apps/horde-imp-3.2.4" + # emerge ">=www-apps/horde-imp-3.2.4" +
+ + Bugtraq Announcement + CVE-2004-0584 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-12.xml b/xml/htdocs/security/en/glsa/glsa-200406-12.xml new file mode 100644 index 00000000..e438dda3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-12.xml @@ -0,0 +1,69 @@ + + + + + + + Webmin: Multiple vulnerabilities + + Webmin contains two security vulnerabilities which could lead to a Denial + of Service attack and information disclosure. + + webmin + June 16, 2004 + May 22, 2006: 02 + 53375 + remote + + + 1.150 + 1.140-r1 + + + +

+ Webmin is a web-based administration tool for Unix. It supports a wide + range of applications including Apache, DNS, file sharing and others. +

+
+ +

+ Webmin contains two security vulnerabilities. One allows any user to + view the configuration of any module and the other could allow an + attacker to lock out a valid user by sending an invalid username and + password. +

+
+ +

+ An authenticated user could use these vulnerabilities to view the + configuration of any module thus potentially obtaining important + knowledge about configuration settings. Furthermore an attacker could + lock out legitimate users by sending invalid login information. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Webmin users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=app-admin/app-admin/webmin-1.150" + # emerge ">=app-admin/app-admin/webmin-1.150" +
+ + Bugtraq Announcement + Webmin Changelog + CVE-2004-0582 + CVE-2004-0583 + + + jaervosz + +
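Review bot: The resolution commands in glsa-200406-12.xml repeat the category: `# emerge -pv ">=app-admin/app-admin/webmin-1.150"` and the `# emerge` line below it. Portage cannot resolve an atom with a doubled category, so users who copy these commands get an error instead of the fixed package. Both lines should read `">=app-admin/webmin-1.150"`, matching the `app-admin/usermin` category used in glsa-200406-15.xml.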
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-13.xml b/xml/htdocs/security/en/glsa/glsa-200406-13.xml new file mode 100644 index 00000000..97e9a7df --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-13.xml @@ -0,0 +1,66 @@ + + + + + + + Squid: NTLM authentication helper buffer overflow + + Squid contains a bug where it fails to properly check bounds of the 'pass' + variable. + + squid + June 17, 2004 + September 02, 2004: 02 + 53367 + remote + + + 2.5.5-r2 + 2.5.5-r1 + + + +

+ Squid contains a bug in the function ntlm_check_auth(). It fails to do + proper bounds checking on the values copyied to the 'pass' variable. +

+
+ +

+ Squid is a full-featured Web Proxy Cache designed to run on Unix systems. + It supports proxying and caching of HTTP, FTP, and other URLs, as well as + SSL support, cache hierarchies, transparent caching, access control lists + and many other features. +

+
+ +

+ If Squid is configured to use NTLM authentication, an attacker could + exploit this vulnerability by sending a very long password. This could lead + to arbitrary code execution with the permissions of the user running Squid. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All Squid users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-proxy/squid-2.5.5-r2" + # emerge ">=net-proxy/squid-2.5.5-r2" +
+ + CAN-2004-0541 + + + jaervosz + +
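Review bot: The first two prose sections of glsa-200406-13.xml appear to be in the wrong order: the section that opens the advisory (`Squid contains a bug in the function ntlm_check_auth()...`) reads as the vulnerability description, while the one that follows (`Squid is a full-featured Web Proxy Cache...`) is the product background. Every other advisory in this series puts the background first, so the two bodies look swapped; the element names are not visible in this rendering, so please confirm against the file. The first section also has the typo `copyied`, which should be `copied`.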
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-14.xml b/xml/htdocs/security/en/glsa/glsa-200406-14.xml new file mode 100644 index 00000000..8e00a488 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-14.xml @@ -0,0 +1,66 @@ + + + + + + + aspell: Buffer overflow in word-list-compress + + A bug in the aspell utility word-list-compress can allow an attacker to + execute arbitrary code. + + aspell + June 17, 2004 + May 22, 2006: 03 + 53389 + local + + + 0.50.5-r4 + 0.50.5-r3 + + + +

+ aspell is a popular spell-checker. Dictionaries are available for many + languages. +

+
+ +

+ aspell includes a utility for handling wordlists called + word-list-compress. This utility fails to do proper bounds checking + when processing words longer than 256 bytes. +

+
+ +

+ If an attacker could entice a user to handle a wordlist containing very + long word lengths it could result in the execution of arbitrary code + with the permissions of the user running the program. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All users should upgrade to the latest available version of aspell. +

+ + # emerge sync + + # emerge -pv ">=app-text/aspell-0.50.5-r4" + # emerge ">=app-text/aspell-0.50.5-r4" +
+ + Nettwerked Advisory + CVE-2004-0548 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-15.xml b/xml/htdocs/security/en/glsa/glsa-200406-15.xml new file mode 100644 index 00000000..28fc8125 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-15.xml @@ -0,0 +1,72 @@ + + + + + + + Usermin: Multiple vulnerabilities + + Usermin contains two security vulnerabilities which could lead to a Denial + of Service attack and information disclosure. + + Usermin + June 18, 2004 + May 22, 2006: 02 + 54030 + remote + + + 1.080 + 1.070-r1 + + + +

+ Usermin is a web-based administration tool for Unix. It supports a wide + range of user applications including configuring mail forwarding, + setting up SSH or reading mail. +

+
+ +

+ Usermin contains two security vulnerabilities. One fails to properly + sanitize email messages that contain malicious HTML or script code and + the other could allow an attacker to lock out a valid user by sending + an invalid username and password. +

+
+ +

+ By sending a specially crafted e-mail, an attacker can execute + arbitrary scripts running in the context of the victim's browser. This + can be lead to cookie theft and potentially to compromise of user + accounts. Furthermore, an attacker could lock out legitimate users by + sending invalid login information. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ Usermin users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-admin/usermin-1.080" + # emerge ">=app-admin/usermin-1.080" +
+ + Bugtraq Announcement + SNS Advisory + CVE-2004-0583 + CVE-2004-0588 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-16.xml b/xml/htdocs/security/en/glsa/glsa-200406-16.xml new file mode 100644 index 00000000..06454de4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-16.xml @@ -0,0 +1,69 @@ + + + + + + + Apache 1.3: Buffer overflow in mod_proxy + + A bug in mod_proxy may allow a remote attacker to execute arbitrary code + when Apache is configured a certain way. + + Apache + June 21, 2004 + December 30, 2007: 02 + 53544 + remote + + + 1.3.31-r2 + 1.3.31-r1 + + + +

+ The Apache HTTP Server Project is an effort to develop and maintain an + open-source HTTP server for modern operating systems. The goal of this + project is to provide a secure, efficient and extensible server that + provides services in tune with the current HTTP standards. +

+
+ +

+ A bug in the proxy_util.c file may lead to a remote buffer overflow. To + trigger the vulnerability an attacker would have to get mod_proxy to + connect to a malicous server which returns an invalid (negative) + Content-Length. +

+
+ +

+ An attacker could cause a Denial of Service as the Apache child handling + the request, which will die and under some circumstances execute arbitrary + code as the user running Apache, usually "apache". +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version: +

+
+ +

+ Apache 1.x users should upgrade to the latest version of Apache: +

+ + # emerge sync + + # emerge -pv ">=www-servers/apache-1.3.31-r2" + # emerge ">=www-servers/apache-1.3.31-r2" +
+ + Georgi Guninski security advisory #69, 2004 + CAN-2004-0492 + + + jaervosz + +
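Review bot: The impact sentence in glsa-200406-16.xml is garbled: `An attacker could cause a Denial of Service as the Apache child handling the request, which will die and under some circumstances execute arbitrary code...` has no main clause after `as`. Suggest: `An attacker could cause a Denial of Service: the Apache child handling the request will die and, under some circumstances, execute arbitrary code as the user running Apache, usually "apache".` The description also spells `malicous`, which should be `malicious`, and the workaround paragraph ends in a colon where the other advisories end with a full stop.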
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-17.xml b/xml/htdocs/security/en/glsa/glsa-200406-17.xml new file mode 100644 index 00000000..e812634e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-17.xml @@ -0,0 +1,68 @@ + + + + + + + IPsec-Tools: authentication bug in racoon + + racoon provided as part of IPsec-Tools fails do proper authentication. + + IPsec-Tools + June 22, 2004 + May 22, 2006: 02 + 53915 + remote + + + 0.3.3 + 0.3.3 + + + +

+ IPsec-Tools is a port of KAME's implementation of the IPsec utilities. + It contains a collection of network monitoring tools, including racoon, + ping, and ping6. +

+
+ +

+ The KAME IKE daemon racoon is used to authenticate peers during Phase 1 + when using either preshared keys, GSS-API, or RSA signatures. When + using RSA signatures racoon validates the X.509 certificate but not the + RSA signature. +

+
+ +

+ By sending a valid and trusted X.509 certificate and any private key an + attacker could exploit this vulnerability to perform man-in-the-middle + attacks and initiate unauthorized connections. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All IPsec-Tools users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-firewall/ipsec-tools-0.3.3" + # emerge ">=net-firewall/ipsec-tools-0.3.3" +
+ + IPsec-Tools Advisory + CVE-2004-0155 + CVE-2004-0607 + + + jaervosz + +
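Review bot: The synopsis of glsa-200406-17.xml reads `racoon provided as part of IPsec-Tools fails do proper authentication.`; it should be `fails to do proper authentication`. The background lists `racoon, ping, and ping6` as the package's tools, while the description and impact only ever discuss racoon; worth confirming that list against the ebuild before publishing.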
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-18.xml b/xml/htdocs/security/en/glsa/glsa-200406-18.xml new file mode 100644 index 00000000..13e5188d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-18.xml @@ -0,0 +1,71 @@ + + + + + + + gzip: Insecure creation of temporary files + + gzip contain a bug potentially allowing an attacker to execute arbitrary + commands. + + gzip + June 24, 2004 + May 22, 2006: 02 + 54890 + local + + + 1.3.3-r4 + 1.3.3-r3 + + + +

+ gzip (GNU zip) is popular compression program. The included gzexe + utility allows you to compress executables in place and have them + automatically uncompress and execute when you run them. +

+
+ +

+ The script gzexe included with gzip contains a bug in the code that + handles tempfile creation. If the creation of a temp file fails when + using gzexe fails instead of bailing out it executes the command given + as argument. +

+
+ +

+ This could lead to priviege escalation by running commands under the + rights of the user running the self extracting file. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All gzip users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=app-arch/gzip-1.3.3-r4" + # emerge ">=app-arch/gzip-1.3.3-r4" +

+ Additionally, once the upgrade is complete, all self extracting files + created with earlier versions gzexe should be recreated, since the + vulnerability is actually embedded in those executables. +

+
+ + CVE-2004-0603 + + + jaervosz + +
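Review bot: In glsa-200406-18.xml the description sentence `If the creation of a temp file fails when using gzexe fails instead of bailing out it executes the command given as argument.` is garbled (`fails` appears twice) and obscures the actual flaw. Suggest: `If gzexe fails to create its temporary file, it does not bail out; instead it executes the command given as argument.` The synopsis has `gzip contain a bug` (should be `contains`) and the impact has `priviege` (should be `privilege`).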
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-19.xml b/xml/htdocs/security/en/glsa/glsa-200406-19.xml new file mode 100644 index 00000000..cb12a021 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-19.xml @@ -0,0 +1,66 @@ + + + + + + + giFT-FastTrack: remote denial of service attack + + There is a vulnerability where a carefully crafted signal sent to the + giFT-FastTrack plugin will cause the giFT daemon to crash. + + giFT-FastTrack + June 24, 2004 + May 22, 2006: 02 + 54452 + remote + + + 0.8.7 + 0.8.6 + + + +

+ giFT-FastTrack is a plugin for the giFT file-sharing application. It + allows giFT users to connect to the fasttrack network to share files. +

+
+ +

+ Alan Fitton found a vulnerability in the giFT-FastTrack plugin in + version 0.8.6 and earlier. It can be used to remotely crash the giFT + daemon. +

+
+ +

+ Attackers may use this vulnerability to perform a Denial of Service + attack against the giFT daemon. There is no risk of code execution. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All users should upgrade to the latest available version of + gift-fasttrack: +

+ + # emerge sync + + # emerge -pv ">=net-p2p/gift-fasttrack-0.8.7" + # emerge ">=net-p2p/gift-fasttrack-0.8.7" +
+ + giFT-FastTrack announcement + CVE-2004-0604 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-20.xml b/xml/htdocs/security/en/glsa/glsa-200406-20.xml new file mode 100644 index 00000000..abefada9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-20.xml @@ -0,0 +1,122 @@ + + + + + + + FreeS/WAN, Openswan, strongSwan: Vulnerabilities in certificate handling + + FreeS/WAN, Openswan, strongSwan and Super-FreeS/WAN contain two bugs when + authenticating PKCS#7 certificates. This could allow an attacker to + authenticate with a fake certificate. + + Openswan + June 25, 2004 + May 22, 2006: 02 + remote + + + 2.04-r1 + 1.99-r1 + 2.04-r1 + + + 2.1.4 + 1.0.6_rc1 + 2.1.4 + + + 2.1.3 + 2.1.3 + + + 1.99.7.3 + + + +

+ FreeS/WAN, Openswan, strongSwan and Super-FreeS/WAN are Open Source + implementations of IPsec for the Linux operating system. They are all + based on the discontinued FreeS/WAN project. +

+
+ +

+ All these IPsec implementations have several bugs in the + verify_x509cert() function, which performs certificate validation, that + make them vulnerable to malicious PKCS#7 wrapped objects. +

+
+ +

+ With a carefully crafted certificate payload an attacker can + successfully authenticate against FreeS/WAN, Openswan, strongSwan or + Super-FreeS/WAN, or make the daemon go into an endless loop. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All FreeS/WAN 1.9x users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv "=net-misc/freeswan-1.99-r1" + # emerge "=net-misc/freeswan-1.99-r1" +

+ All FreeS/WAN 2.x users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-misc/freeswan-2.04-r1" + # emerge ">=net-misc/freeswan-2.04-r1" +

+ All Openswan 1.x users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv "=net-misc/openswan-1.0.6_rc1" + # emerge "=net-misc/openswan-1.0.6_rc1" +

+ All Openswan 2.x users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-misc/openswan-2.1.4" + # emerge ">=net-misc/openswan-2.1.4" +

+ All strongSwan users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-misc/strongswan-2.1.3" + # emerge ">=net-misc/strongswan-2.1.3" +

+ All Super-FreeS/WAN users should migrate to the latest stable version + of Openswan. Note that Portage will force a move for Super-FreeS/WAN + users to Openswan. +

+ + # emerge sync + + # emerge -pv "=net-misc/openswan-1.0.6_rc1" + # emerge "=net-misc/openswan-1.0.6_rc1" +
+ + Openswan/strongSwan Authentication Bug + CVE-2004-0590 + + + jaervosz + +
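Review bot: The synopsis of glsa-200406-20.xml says the implementations contain `two bugs when authenticating PKCS#7 certificates`, while the description says they have `several bugs in the verify_x509cert() function`. The two counts should agree; the impact section names exactly two consequences (authentication with a crafted payload, and an endless loop), which is consistent with the synopsis, so `several` is most likely the word to change.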
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-21.xml b/xml/htdocs/security/en/glsa/glsa-200406-21.xml new file mode 100644 index 00000000..866ed896 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-21.xml @@ -0,0 +1,76 @@ + + + + + + + mit-krb5: Multiple buffer overflows in krb5_aname_to_localname + + mit-krb5 contains multiple buffer overflows in the function + krb5_aname_to_localname(). This could potentially lead to a complete remote + system compromise. + + mit-krb5 + June 29, 2004 + June 29, 2004: 01 + 52744 + remote + + + 1.3.3-r1 + 1.3.3 + + + +

+ mit-krb5 is the free implementation of the Kerberos network authentication + protocol by the Massachusetts Institute of Technology. +

+
+ +

+ The library function krb5_aname_to_localname() contains multiple buffer + overflows. This is only exploitable if explicit mapping or rules-based + mapping is enabled. These are not enabled as default. +

+

+ With explicit mapping enabled, an attacker must authenticate using a + principal name listed in the explicit mapping list. +

+

+ With rules-based mapping enabled, an attacker must first be able to create + arbitrary principal names either in the local realm Kerberos realm or in a + remote realm from which the local realm's service are reachable by + cross-realm authentication. +

+
+ +

+ An attacker could use these vulnerabilities to execute arbitrary code with + the permissions of the user running mit-krb5, which could be the root user. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ mit-krb5 users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-crypt/mit-krb5-1.3.3-r1" + # emerge ">=app-crypt/mit-krb5-1.3.3-r1" +
+ + CAN-2004-0523 + MIT krb5 Security Advisory + + + jaervosz + +
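Review bot: The description of glsa-200406-21.xml has `either in the local realm Kerberos realm or in a remote realm`, where `realm` is doubled; it should read `either in the local Kerberos realm or in a remote realm`. The same sentence has `the local realm's service are reachable`, which should be `services are reachable`.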
diff --git a/xml/htdocs/security/en/glsa/glsa-200406-22.xml b/xml/htdocs/security/en/glsa/glsa-200406-22.xml new file mode 100644 index 00000000..f70e3694 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200406-22.xml @@ -0,0 +1,62 @@ + + + + + + + Pavuk: Remote buffer overflow + + Pavuk contains a bug potentially allowing an attacker to run arbitrary + code. + + Pavuk + June 30, 2004 + May 22, 2006: 02 + remote + + + 0.9.28-r2 + 0.9.28-r1 + + + +

+ Pavuk is web spider and website mirroring tool. +

+
+ +

+ When Pavuk connects to a web server and the server sends back the HTTP + status code 305 (Use Proxy), Pavuk copies data from the HTTP Location + header in an unsafe manner. +

+
+ +

+ An attacker could cause a stack-based buffer overflow which could lead + to arbitrary code execution with the rights of the user running Pavuk. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All Pavuk users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-misc/pavuk-0.9.28-r2" + # emerge ">="net-misc/pavuk-0.9.28-r2 +
+ + CVE-2004-0456 + + + jaervosz + +
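Review bot: The last resolution line of glsa-200406-22.xml has the closing quote in the wrong place: `# emerge ">="net-misc/pavuk-0.9.28-r2`. The shell still joins the quoted and unquoted fragments into one word, so the command happens to work, but it differs from the `-pv` line directly above it and from every other advisory in the series; it should read `# emerge ">=net-misc/pavuk-0.9.28-r2"`.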
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-01.xml b/xml/htdocs/security/en/glsa/glsa-200407-01.xml new file mode 100644 index 00000000..fef7a809 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-01.xml @@ -0,0 +1,70 @@ + + + + + + + Esearch: Insecure temp file handling + + The eupdatedb utility in esearch creates a file in /tmp without first + checking for symlinks. This makes it possible for any user to create + arbitrary files. + + esearch + July 01, 2004 + May 22, 2006: 02 + 55424 + local + + + 0.6.2 + 0.6.1 + + + +

+ Esearch is a replacement for the Portage command "emerge search". It + uses an index to speed up searching of the Portage tree. +

+
+ +

+ The eupdatedb utility uses a temporary file (/tmp/esearchdb.py.tmp) to + indicate that the eupdatedb process is running. When run, eupdatedb + checks to see if this file exists, but it does not check to see if it + is a broken symlink. In the event that the file is a broken symlink, + the script will create the file pointed to by the symlink, instead of + printing an error and exiting. +

+
+ +

+ An attacker could create a symlink from /tmp/esearchdb.py.tmp to a + nonexistent file (such as /etc/nologin), and the file will be created + the next time esearchdb is run. +

+
+ +

+ There is no known workaround at this time. All users should upgrade to + the latest available version of esearch. +

+
+ +

+ All users should upgrade to the latest available version of esearch, as + follows: +

+ + # emerge sync + + # emerge -pv ">=app-portage/esearch-0.6.2" + # emerge ">=app-portage/esearch-0.6.2" +
+ + CVE-2004-0655 + + + condordes + +
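Review bot: glsa-200407-01.xml names the affected utility `eupdatedb` in the synopsis and description, but the impact section says `the next time esearchdb is run`. `esearchdb.py` is part of the temporary-file name the description gives (`/tmp/esearchdb.py.tmp`), not a command, so the impact should also say `eupdatedb` to avoid pointing readers at a program that does not exist.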
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-02.xml b/xml/htdocs/security/en/glsa/glsa-200407-02.xml new file mode 100644 index 00000000..51b29dff --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-02.xml @@ -0,0 +1,320 @@ + + + + + + + Linux Kernel: Multiple vulnerabilities + + Multiple vulnerabilities have been found in the Linux kernel used by + GNU/Linux systems. Patched, or updated versions of these kernels have been + released and details are included in this advisory. + + Kernel + July 03, 2004 + May 22, 2006: 03 + 47881 + 49637 + 53804 + 54976 + 55698 + local + + + 2.4.23-r2 + 2.4.23-r2 + + + 2.4.21-r8 + 2.4.21-r8 + + + 2.4.26-r1 + 2.6.7-r1 + 2.6.7-r1 + + + 2.4.9.32.7-r7 + 2.4.9.32.7-r7 + + + 2.6.7 + 2.6.7 + + + 2.4.20-r14 + 2.4.20-r14 + + + 2.6.7 + 2.6.7 + + + 2.4.19-r17 + 2.4.20-r20 + 2.4.22-r12 + 2.4.25-r5 + 2.4.26-r3 + 2.4.26-r3 + + + 2.4.26.2.0-r5 + 2.4.26.2.0-r5 + + + 2.4.25_pre7-r7 + 2.4.25_pre7-r7 + + + 2.6.7 + 2.6.7 + + + 2.4.26-r2 + 2.4.26-r2 + + + 2.6.7 + 2.6.7 + + + 2.4.26_p6 + 2.4.26_p6 + + + 2.4.24-r5 + 2.4.24-r5 + + + 2.4.26-r3 + 2.4.26-r3 + + + 2.6.7-r1 + 2.6.7-r1 + + + 2.4.22-r10 + 2.4.22-r10 + + + 2.4.23-r8 + 2.4.23-r8 + + + 2.6.7 + 2.6.7 + + + 2.4.26-r2 + 2.4.26-r2 + + + 2.4.21-r10 + 2.4.21-r10 + + + 2.4.26-r2 + 2.4.26-r2 + + + 2.6.7 + 2.6.7 + + + 2.4.26-r2 + 2.4.26-r2 + + + 2.6.7-r1 + 2.6.7-r1 + + + 2.4.26-r2 + 2.4.26-r2 + + + 2.4.26-r2 + 2.4.26-r2 + + + 2.4.26_p0-r2 + 2.4.26_p0-r2 + + + 2.4.24-r5 + 2.4.26-r2 + 2.4.26-r2 + + + 2.4.26.1.3.9-r2 + 2.4.26.1.3.9-r2 + + + 2.4.26-r2 + 2.4.26-r2 + + + 4.9-r9 + 4.11-r6 + 4.14-r3 + 4.14-r3 + + + 2.6.7 + 2.6.7 + + + 2.4.24-r8 + 2.4.24-r8 + + + 2.4.27 + 2.4.26 + + + +

+ The Linux kernel is responsible for managing the core aspects of a + GNU/Linux system, providing an interface for core system applications + as well as providing the essential structure and capability to access + hardware that is needed for a running system. +

+
+ +

+ Multiple flaws have been discovered in the Linux kernel. This advisory + corrects the following issues: +

+
    +
  • + CAN-2004-0109: This vulnerability allows privilege escalation using + ISO9660 file systems through a buffer overflow via a malformed file + system containing a long symbolic link entry. This can allow arbitrary + code execution at kernel level. +
  • +
  • + CAN-2004-0133: The XFS file system in 2.4 series kernels has an + information leak by which data in the memory can be written to the + device hosting the file system, allowing users to obtain portions of + kernel memory by reading the raw block device. +
  • +
  • + CAN-2004-0177: The ext3 file system in 2.4 series kernels does not + properly initialize journal descriptor blocks, causing an information + leak by which data in the memory can be written to the device hosting + the file system, allowing users to obtain portions of kernel memory by + reading the raw device. +
  • +
  • + CAN-2004-0181: The JFS file system in 2.4 series kernels has an + information leak by which data in the memory can be written to the + device hosting the file system, allowing users to obtain portions of + kernel memory by reading the raw device. +
  • +
  • + CAN-2004-0178: The OSS Sound Blaster [R] Driver has a Denial of Service + vulnerability since it does not handle certain sample sizes properly. + This allows local users to hang the kernel. +
  • +
  • + CAN-2004-0228: Due to an integer signedness error in the CPUFreq /proc + handler code in 2.6 series Linux kernels, local users can escalate + their privileges. +
  • +
  • + CAN-2004-0229: The framebuffer driver in 2.6 series kernel drivers does + not use the fb_copy_cmap method of copying structures. The impact of + this issue is unknown, however. +
  • +
  • + CAN-2004-0394: A buffer overflow in the panic() function of 2.4 series + Linux kernels exists, but it may not be exploitable under normal + circumstances due to its functionality. +
  • +
  • + CAN-2004-0427: The do_fork() function in both 2.4 and 2.6 series Linux + kernels does not properly decrement the mm_count counter when an error + occurs, triggering a memory leak that allows local users to cause a + Denial of Service by exhausting other applications of memory; causing + the kernel to panic or to kill services. +
  • +
  • + CAN-2004-0495: Multiple vulnerabilities found by the Sparse source + checker in the kernel allow local users to escalate their privileges or + gain access to kernel memory. +
  • +
  • + CAN-2004-0535: The e1000 NIC driver does not properly initialize memory + structures before using them, allowing users to read kernel memory. +
  • +
  • + CAN-2004-0554: 2.4 and 2.6 series kernels running on an x86 or an AMD64 + architecture allow local users to cause a Denial of Service by a total + system hang, due to an infinite loop that triggers a signal handler + with a certain sequence of fsave and frstor instructions. +
  • +
  • + Local DoS in PaX: If ASLR is enabled as a GRSecurity PaX feature, a + Denial of Service can be achieved by putting the kernel into an + infinite loop. Only 2.6 series GRSecurity kernels are affected by this + issue. +
  • +
  • + RSBAC 1.2.3 JAIL issues: A flaw in the RSBAC JAIL implementation allows + suid/sgid files to be created inside the jail since the relevant module + does not check the corresponding mode values. This can allow privilege + escalation inside the jail. Only rsbac-(dev-)sources are affected by + this issue. +
  • +
+
+ +

+ Arbitrary code with normal non-super-user privileges may be able to + exploit any of these vulnerabilities; gaining kernel level access to + memory structures and hardware devices. This may be used for further + exploitation of the system, to leak sensitive data or to cause a Denial + of Service on the affected kernel. +

+
+ +

+ Although users may not be affected by certain vulnerabilities, all + kernels are affected by the CAN-2004-0394, CAN-2004-0427 and + CAN-2004-0554 issues which have no workaround. As a result, all users + are urged to upgrade their kernels to patched versions. +

+
+ +

+ Users are encouraged to upgrade to the latest available sources for + their system: +

+ + # emerge sync + # emerge -pv your-favorite-sources + # emerge your-favorite-sources + + # # Follow usual procedure for compiling and installing a kernel. + # # If you use genkernel, run genkernel as you would do normally. +
+ + CVE-2004-0109 + CVE-2004-0133 + CVE-2004-0177 + CVE-2004-0178 + CVE-2004-0181 + CVE-2004-0228 + CVE-2004-0229 + CVE-2004-0394 + CVE-2004-0427 + CVE-2004-0495 + CVE-2004-0535 + CVE-2004-0554 + CVE-2004-1983 + + + plasmaroo + +
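Review bot: The references of glsa-200407-02.xml list `CVE-2004-1983`, but none of the bullets in the description cite it; the only items without an identifier are the PaX ASLR Denial of Service and the RSBAC JAIL issue. If that CVE covers one of those two items, the bullet should name it so readers can map every reference to a described flaw; otherwise the reference needs a sentence explaining what it refers to.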
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-03.xml b/xml/htdocs/security/en/glsa/glsa-200407-03.xml new file mode 100644 index 00000000..932c6b44 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-03.xml @@ -0,0 +1,72 @@ + + + + + + + Apache 2: Remote denial of service attack + + A bug in Apache may allow a remote attacker to perform a Denial of Service + attack. With certain configurations this could lead to a heap based buffer + overflow. + + Apache + July 04, 2004 + December 30, 2007: 02 + 55441 + remote + + + 2.0.49-r4 + 2 + 2.0.49-r3 + + + +

+ The Apache HTTP Server Project is an effort to develop and maintain an + open-source HTTP server for modern operating systems. The goal of this + project is to provide a secure, efficient and extensible server that + provides services in tune with the current HTTP standards. +

+
+ +

+ A bug in the protocol.c file handling header lines will cause Apache to + allocate memory for header lines starting with TAB or SPACE. +

+
+ +

+ An attacker can exploit this vulnerability to perform a Denial of Service + attack by causing Apache to exhaust all memory. On 64 bit systems with more + than 4GB of virtual memory a possible integer signedness error could lead + to a buffer based overflow causing Apache to crash and under some + circumstances execute arbitrary code as the user running Apache, usually + "apache". +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version: +

+
+ +

+ Apache 2 users should upgrade to the latest version of Apache: +

+ + # emerge sync + + # emerge -pv ">=www-servers/apache-2.0.49-r4" + # emerge ">=www-servers/apache-2.0.49-r4" +
+ + Georgi Guninski security advisory #70, 2004 + CAN-2004-0493 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-04.xml b/xml/htdocs/security/en/glsa/glsa-200407-04.xml new file mode 100644 index 00000000..9598b0ef --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-04.xml @@ -0,0 +1,64 @@ + + + + + + + Pure-FTPd: Potential DoS when maximum connections is reached + + Pure-FTPd contains a bug potentially allowing a Denial of Service attack + when the maximum number of connections is reached. + + Pure-FTPd + July 04, 2004 + May 22, 2006: 02 + 54590 + remote + + + 1.0.18-r1 + 1.0.18 + + + +

+ Pure-FTPd is a fast, production-quality and standards-compliant FTP + server. +

+
+ +

+ Pure-FTPd contains a bug in the accept_client function handling the + setup of new connections. +

+
+ +

+ When the maximum number of connections is reached an attacker could + exploit this vulnerability to perform a Denial of Service attack. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All Pure-FTPd users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-ftp/pure-ftpd-1.0.18-r1" + # emerge ">=net-ftp/pure-ftpd-1.0.18-r1" +
+ + Pure-FTPd website + CVE-2004-0656 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-05.xml b/xml/htdocs/security/en/glsa/glsa-200407-05.xml new file mode 100644 index 00000000..c8adc33a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-05.xml @@ -0,0 +1,83 @@ + + + + + + + XFree86, X.org: XDM ignores requestPort setting + + XDM will open TCP sockets for its chooser, even if the + DisplayManager.requestPort setting is set to 0. This may allow authorized + users to access a machine remotely via X, even if the administrator has + configured XDM to refuse such connections. + + xdm + July 05, 2004 + July 05, 2004: 01 + 53226 + remote + + + 4.3.0-r6 + 4.3.0-r5 + + + 6.7.0-r1 + 6.7.0 + + + +

+ The X Display Manager (XDM) is a program which provides a graphical login + prompt to users on the console or on remote X terminals. It has largely + been superseded by programs such as GDM and KDM. +

+
+ +

+ XDM will open TCP sockets for its chooser, even if the + DisplayManager.requestPort setting is set to 0. Remote clients can use this + port to connect to XDM and request a login window, thus allowing access to + the system. +

+
+ +

+ Authorized users may be able to login remotely to a machine running XDM, + even if this option is disabled in XDM's configuration. Please note that an + attacker must have a preexisting account on the machine in order to exploit + this vulnerability. +

+
+ +

+ There is no known workaround at this time. All users should upgrade to the + latest available version of X. +

+
+ +

+ If you are using XFree86, you should run the following: +

+ + # emerge sync + + # emerge -pv ">=x11-base/xfree-4.3.0-r6" + # emerge ">=x11-base/xfree-4.3.0-r6" +

+ If you are using X.org's X11 server, you should run the following: +

+ + # emerge sync + + # emerge -pv ">=x11-base/xorg-x11-6.7.0-r1" + # emerge ">=x11-base/xorg-x11-6.7.0-r1" +
+ + CAN 2004-0419 + XFree86 Bug + + + condordes + +
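Review bot: The CVE reference label at the end of this hunk reads `CAN 2004-0419`, without the hyphen that every other advisory in this commit uses for the same identifier format (`CAN-2004-0426`, `CAN-2002-1363`), which breaks consistency and simple text search for the identifier. It should read `CAN-2004-0419`. The link target itself is not visible here, so it may be correct even though the label is not.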
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-06.xml b/xml/htdocs/security/en/glsa/glsa-200407-06.xml new file mode 100644 index 00000000..bccd352d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-06.xml @@ -0,0 +1,74 @@ + + + + + + + libpng: Buffer overflow on row buffers + + libpng contains a buffer overflow vulnerability potentially allowing an + attacker to perform a Denial of Service attack or even execute arbitrary + code. + + libpng + July 08, 2004 + July 08, 2004: 01 + 56307 + remote + + + 1.2.5-r7 + 1.2.5-r6 + + + +

+ libpng is a standard library used to process PNG (Portable Network + Graphics) images. It is used by several other programs, including web + browsers and potentially server processes. +

+
+ +

+ Due to a wrong calculation of loop offset values, libpng contains a buffer + overflow vulnerability on the row buffers. This vulnerability was initially + patched in January 2003 but since it has been discovered that libpng + contains the same vulnerability in two other places. +

+
+ +

+ An attacker could exploit this vulnerability to cause programs linked + against the library to crash or execute arbitrary code with the permissions + of the user running the vulnerable program, which could be the root user. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All libpng users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=media-libs/libpng-1.2.5-r7" + # emerge ">=media-libs/libpng-1.2.5-r7" +

+ You should also run revdep-rebuild to rebuild any packages that depend on + older versions of libpng : +

+ + # revdep-rebuild +
+ + CAN-2002-1363 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-07.xml b/xml/htdocs/security/en/glsa/glsa-200407-07.xml new file mode 100644 index 00000000..8057469c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-07.xml @@ -0,0 +1,69 @@ + + + + + + + Shorewall : Insecure temp file handling + + Shorewall contains a bug in the code handling the creation of temporary + files and directories. This can allow a non-root user to overwrite + arbitrary system files. + + Shorewall + July 08, 2004 + May 22, 2006: 02 + 55675 + local + + + 1.4.10f + 1.4.10c + + + +

+ Shorewall is a high level tool for configuring Netfilter, the firewall + facility included in the Linux Kernel. +

+
+ +

+ Shorewall uses temporary files and directories in an insecure manner. A + local user could create symbolic links at specific locations, + eventually overwriting other files on the filesystem with the rights of + the shorewall process. +

+
+ +

+ An attacker could exploit this vulnerability to overwrite arbitrary + system files with root privileges, resulting in Denial of Service or + further exploitation. +

+
+ +

+ There is no known workaround at this time. All users should upgrade to + the latest available version of Shorewall. +

+
+ +

+ All users should upgrade to the latest available version of Shorewall, + as follows: +

+ + # emerge sync + + # emerge -pv ">=net-firewall/shorewall-1.4.10f" + # emerge ">=net-firewall/shorewall-1.4.10f" +
+ + Shorewall Announcement + CVE-2004-0647 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-08.xml b/xml/htdocs/security/en/glsa/glsa-200407-08.xml new file mode 100644 index 00000000..4ae3df7e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-08.xml @@ -0,0 +1,77 @@ + + + + + + + Ethereal: Multiple security problems + + Multiple vulnerabilities including one buffer overflow exist in Ethereal, + which may allow an attacker to run arbitrary code or crash the program. + + Ethereal + July 09, 2004 + May 22, 2006: 02 + 56423 + remote + + + 0.10.5 + 0.10.4 + + + +

+ Ethereal is a feature rich network protocol analyzer. +

+
+ +

+ There are multiple vulnerabilities in versions of Ethereal earlier than + 0.10.5, including: +

+
    +
  • In some cases the iSNS dissector could cause Ethereal to + abort.
  • +
  • If there was no policy name for a handle for SMB SID snooping it + could cause a crash.
  • +
  • A malformed or missing community string could cause the SNMP + dissector to crash.
  • +
+
+ +

+ An attacker could use these vulnerabilities to crash Ethereal or even + execute arbitrary code with the permissions of the user running + Ethereal, which could be the root user. +

+
+ +

+ For a temporary workaround you can disable all affected protocol + dissectors by selecting Analyze->Enabled Protocols... and deselecting + them from the list. For SMB you can disable SID snooping in the SMB + protocol preference. However, it is strongly recommended to upgrade to + the latest stable version. +

+
+ +

+ All Ethereal users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-analyzer/ethereal-0.10.5" + # emerge ">=net-analyzer/ethereal-0.10.5" +
+ + Ethereal enpa-sa-00015 + CVE-2004-0633 + CVE-2004-0634 + CVE-2004-0635 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-09.xml b/xml/htdocs/security/en/glsa/glsa-200407-09.xml new file mode 100644 index 00000000..35400e32 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-09.xml @@ -0,0 +1,68 @@ + + + + + + + MoinMoin: Group ACL bypass + + MoinMoin contains a bug allowing a user to bypass group ACLs (Access + Control Lists). + + MoinMoin + July 11, 2004 + May 22, 2006: 02 + 53126 + remote + + + 1.2.2 + 1.2.1 + + + +

+ MoinMoin is a Python clone of WikiWiki, based on PikiPiki. +

+
+ +

+ MoinMoin contains a bug in the code handling administrative group ACLs. + A user created with the same name as an administrative group gains the + privileges of the administrative group. +

+
+ +

+ If an administrative group called AdminGroup existed an attacker could + create a user called AdminGroup and gain the privileges of the group + AdminGroup. This could lead to unauthorized users gaining + administrative access. +

+
+ +

+ For every administrative group with special privileges create a user + with the same name as the group. +

+
+ +

+ All users should upgrade to the latest available version of MoinMoin, + as follows: +

+ + # emerge sync + + # emerge -pv ">=www-apps/moinmoin-1.2.2" + # emerge ">=www-apps/moinmoin-1.2.2" +
+ + MoinMoin Announcement + OSVDB Entry + CVE-2004-0708 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-10.xml b/xml/htdocs/security/en/glsa/glsa-200407-10.xml new file mode 100644 index 00000000..afef1cb3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-10.xml @@ -0,0 +1,71 @@ + + + + + + + rsync: Directory traversal in rsync daemon + + Under specific conditions, the rsync daemon is vulnerable to a directory + traversal allowing to write files outside a sync module. + + rsync + July 12, 2004 + July 12, 2004: 01 + 49534 + remote + + + 2.6.0-r2 + 2.6.0-r1 + + + +

+ rsync is a utility that provides fast incremental file transfers. It is + used to efficiently synchronize files between hosts and is used by emerge + to fetch Gentoo's Portage tree. rsyncd is the rsync daemon, which listens + to connections from rsync clients. +

+
+ +

+ When rsyncd is used without chroot ("use chroot = false" in the rsyncd.conf + file), the paths sent by the client are not checked thoroughly enough. If + rsyncd is used with read-write permissions ("read only = false"), this + vulnerability can be used to write files anywhere with the rights of the + rsyncd daemon. With default Gentoo installations, rsyncd runs in a chroot, + without write permissions and with the rights of the "nobody" user. +

+
+ +

+ On affected configurations and if the rsync daemon runs under a privileged + user, a remote client can exploit this vulnerability to completely + compromise the host. +

+
+ +

+ You should never set the rsync daemon to run with "use chroot = false". If + for some reason you have to run rsyncd without a chroot, then you should + not set "read only = false". +

+
+ +

+ All users should update to the latest version of the rsync package. +

+ + # emerge sync + + # emerge -pv ">=net-misc/rsync-2.6.0-r2" + # emerge ">=net-misc/rsync-2.6.0-r2" +
+ + CAN-2004-0426 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-11.xml b/xml/htdocs/security/en/glsa/glsa-200407-11.xml new file mode 100644 index 00000000..236f03da --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-11.xml @@ -0,0 +1,72 @@ + + + + + + + wv: Buffer overflow vulnerability + + A buffer overflow vulnerability exists in the wv library that can allow an + attacker to execute arbitrary code with the privileges of the user running + the vulnerable application. + + app-text/wv + July 14, 2004 + May 22, 2006: 02 + 56595 + remote + + + 1.0.0-r1 + 1.0.0-r1 + + + +

+ The wv library allows access to MS Word files. It can parse Word files + and allow other applications, such as abiword, to import those files + into their native formats. +

+
+ +

+ A use of strcat without proper bounds checking leads to an exploitable + buffer overflow. The vulnerable code is executed when wv encounters an + unrecognized token, so a specially crafted file, loaded in wv, can + trigger the vulnerable code and execute it's own arbitrary code. This + exploit is only possible when the user loads the document into HTML + view mode. +

+
+ +

+ By inducing a user into running wv on a special file, an attacker can + execute arbitrary code with the permissions of the user running the + vulnerable program. +

+
+ +

+ Users should not view untrusted documents with wvHtml or applications + using wv. When loading an untrusted document in an application using + the wv library, make sure HTML view is disabled. +

+
+ +

+ All users should upgrade to the latest available version. +

+ + # emerge sync + + # emerge -pv ">=app-text/wv-1.0.0-r1" + # emerge ">=app-text/wv-1.0.0-r1" +
+ + iDEFENSE Security Advisory + CVE-2004-0645 + + + dmargoli + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-12.xml b/xml/htdocs/security/en/glsa/glsa-200407-12.xml new file mode 100644 index 00000000..ec83f446 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-12.xml @@ -0,0 +1,135 @@ + + + + + + + Linux Kernel: Remote DoS vulnerability with IPTables TCP Handling + + A flaw has been discovered in 2.6 series Linux kernels that allows an + attacker to send a malformed TCP packet, causing the affected kernel to + possibly enter an infinite loop and hang the vulnerable machine. + + Kernel + July 14, 2004 + October 10, 2004: 02 + 55694 + remote + + + 2.6.5-r5 + 2.6 + 2.6.5-r5 + + + 2.6.7-r2 + 2.6 + 2.6.7-r2 + + + 2.6.8 + 2.6.8 + + + 2.6.7-r7 + 2.6.7-r7 + + + 2.6.7-r1 + 2.6.7-r1 + + + 2.6.7_p1-r1 + 2.6.7_p1-r1 + + + 2.6.4-r4 + 2.6 + 2.6.4-r4 + + + 2.6.7-r4 + 2.6 + 2.6.7-r4 + + + 2.6.7-r1 + 2.6.7-r1 + + + 2.6.7-r1 + 2.6.7-r1 + + + 2.6.7_p0-r1 + 2.6 + 2.6.7_p0 + + + 2.6.6-r2 + 2.6 + 2.6.6-r2 + + + 2.6.7-r1 + 2.6 + 2.6.7-r1 + + + 2.6.7-r1 + 2.6 + 2.6.7-r1 + + + +

+ The Linux kernel is responsible for managing the core aspects of a + GNU/Linux system, providing an interface for core system applications as + well as providing the essential structure and capability to access hardware + that is needed for a running system. +

+
+ +

+ An attacker can utilize an erroneous data type in the IPTables TCP option + handling code, which lies in an iterator. By making a TCP packet with a + header length larger than 127 bytes, a negative integer would be implied in + the iterator. +

+
+ +

+ By sending one malformed packet, the kernel could get stuck in a loop, + consuming all of the CPU resources and rendering the machine useless, + causing a Denial of Service. This vulnerability requires no local access. +

+
+ +

+ If users do not use the netfilter functionality or do not use any + ``--tcp-option'' rules they are not vulnerable to this exploit. Users that + are may remove netfilter support from their kernel or may remove any + ``--tcp-option'' rules they might be using. However, all users are urged to + upgrade their kernels to patched versions. +

+
+ +

+ Users are encouraged to upgrade to the latest available sources for their + system: +

+ + # emerge sync + # emerge -pv your-favorite-sources + # emerge your-favorite-sources + + # # Follow usual procedure for compiling and installing a kernel. + # # If you use genkernel, run genkernel as you would do normally. +
+ + CAN-2004-0626 + + + plasmaroo + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-13.xml b/xml/htdocs/security/en/glsa/glsa-200407-13.xml new file mode 100644 index 00000000..2bd83e99 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-13.xml @@ -0,0 +1,93 @@ + + + + + + + PHP: Multiple security vulnerabilities + + Multiple security vulnerabilities, potentially allowing remote code + execution, were found and fixed in PHP. + + PHP + July 15, 2004 + July 15, 2004: 01 + 56985 + remote + + + 4.3.8 + 4.3.7-r1 + + + 4.3.8 + 4.3.7-r1 + + + 4.3.8 + 4.3.7-r1 + + + +

+ PHP is a general-purpose scripting language widely used to develop + web-based applications. It can run inside a web server using the mod_php + module or the CGI version of PHP, or can run stand-alone in a CLI. +

+
+ +

+ Several security vulnerabilities were found and fixed in version 4.3.8 of + PHP. The strip_tags() function, used to sanitize user input, could in + certain cases allow tags containing \0 characters (CAN-2004-0595). When + memory_limit is used, PHP might unsafely interrupt other functions + (CAN-2004-0594). The ftok and itpc functions were missing safe_mode checks. + It was possible to bypass open_basedir restrictions using MySQL's LOAD DATA + LOCAL function. Furthermore, the IMAP extension was incorrectly allocating + memory and alloca() calls were replaced with emalloc() for better stack + protection. +

+
+ +

+ Successfully exploited, the memory_limit problem could allow remote + excution of arbitrary code. By exploiting the strip_tags vulnerability, it + is possible to pass HTML code that would be considered as valid tags by the + Microsoft Internet Explorer and Safari browsers. Using ftok, itpc or + MySQL's LOAD DATA LOCAL, it is possible to bypass PHP configuration + restrictions. +

+
+ +

+ There is no known workaround that would solve all these problems. All users + are encouraged to upgrade to the latest available versions. +

+
+ +

+ All PHP, mod_php and php-cgi users should upgrade to the latest stable + version: +

+ + # emerge sync + + # emerge -pv ">=dev-php/php-4.3.8" + # emerge ">=dev-php/php-4.3.8" + + # emerge -pv ">=dev-php/mod_php-4.3.8" + # emerge ">=dev-php/mod_php-4.3.8" + + # emerge -pv ">=dev-php/php-cgi-4.3.8" + # emerge ">=dev-php/php-cgi-4.3.8" +
+ + CAN-2004-0594 + CAN-2004-0595 + E-Matters Advisory 11/2004 + E-Matters Advisory 12/2004 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-14.xml b/xml/htdocs/security/en/glsa/glsa-200407-14.xml new file mode 100644 index 00000000..b5ee6e93 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-14.xml @@ -0,0 +1,91 @@ + + + + + + + Unreal Tournament 2003/2004: Buffer overflow in 'secure' queries + + Game servers based on the Unreal engine are vulnerable to remote code + execution through malformed 'secure' queries. + + Unreal Tournament + July 19, 2004 + July 19, 2004: 01 + 54726 + remote + + + 2225-r3 + 2225-r2 + + + 2225-r2 + 2225-r1 + + + 3236 + 3236 + + + 3120-r4 + 3120-r3 + + + +

+ Unreal Tournament 2003 and 2004 are popular first-person-shooter games. + They are both based on the Unreal engine, and can be used in a game server + / client setup. +

+
+ +

+ The Unreal-based game servers support a specific type of query called + 'secure'. Part of the Gamespy protocol, this query is used to ask if the + game server is able to calculate an exact response using a provided string. + Luigi Auriemma found that sending a long 'secure' query triggers a buffer + overflow in the game server. +

+
+ +

+ By sending a malicious UDP-based 'secure' query, an attacker could execute + arbitrary code on the game server. +

+
+ +

+ Users can avoid this vulnerability by not using Unreal Tournament to host + games as a server. All users running a server should upgrade to the latest + versions. +

+
+ +

+ All Unreal Tournament users should upgrade to the latest available + versions: +

+ + # emerge sync + + # emerge -pv ">=games-fps/ut2003-2225-r3" + # emerge ">=games-fps/ut2003-2225-r3" + + # emerge -pv ">=games-server/ut2003-ded-2225-r2" + # emerge ">=games-server/ut2003-ded-2225-r2" + + # emerge -pv ">=games-fps/ut2004-3236" + # emerge ">=games-fps/ut2004-3236" + + # emerge -pv ">=games-fps/ut2004-demo-3120-r4" + # emerge ">=games-fps/ut2004-demo-3120-r4" +
+ + Luigi Auriemma advisory + CAN-2004-0608 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-15.xml b/xml/htdocs/security/en/glsa/glsa-200407-15.xml new file mode 100644 index 00000000..93dbc7b2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-15.xml @@ -0,0 +1,71 @@ + + + + + + + Opera: Multiple spoofing vulnerabilities + + Opera contains three vulnerabilities, allowing an attacker to impersonate + legitimate websites with URI obfuscation or to spoof websites with frame + injection. + + opera + July 20, 2004 + July 20, 2004: 01 + 56311 + 56109 + remote + + + 7.53 + 7.52 + + + +

+ Opera is a multi-platform web browser. +

+
+ +

+ Opera fails to remove illegal characters from an URI of a link and to check + that the target frame of a link belongs to the same website as the link. + Opera also updates the address bar before loading a page. Additionally, + Opera contains a certificate verification problem. +

+
+ +

+ These vulnerabilities could allow an attacker to impersonate legitimate + websites to steal sensitive information from users. This could be done by + obfuscating the real URI of a link or by injecting a malicious frame into + an arbitrary frame of another browser window. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All Opera users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=www-client/opera-7.53" + # emerge ">=www-client/opera-7.53" +
+ + Bugtraq Announcement + Secunia Advisory SA11978 + Secunia Advisory SA12028 + Opera Changelog + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-16.xml b/xml/htdocs/security/en/glsa/glsa-200407-16.xml new file mode 100644 index 00000000..33a29bcd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-16.xml 
@@ -0,0 +1,299 @@ + + + + + + + Linux Kernel: Multiple DoS and permission vulnerabilities + + Multiple permission vulnerabilities have been found in the Linux kernel, + allowing an attacker to change the group IDs of files mounted on a remote + filesystem (CAN-2004-0497), as well as an issue in 2.6 series kernels which + allows /proc permissions to be bypassed. A context sharing vulnerability in + vserver-sources is also handled by this advisory as well as CAN-2004-0447, + CAN-2004-0496 and CAN-2004-0565. Patched, or updated versions of these + kernels have been released and details are included along with this + advisory. + + Kernel + July 22, 2004 + October 29, 2004: 02 + 56171 + 56479 + local + + + 2.4.23-r2 + 2.6.5-r5 + 2.6.5-r5 + + + 2.4.21-r9 + 2.4.21-r9 + + + 2.4.26-r1 + 2.6.7-r5 + 2.6.7-r5 + + + 2.4.9.32.7-r8 + 2.4.9.32.7-r8 + + + 2.6.8_rc1 + 2.6.8_rc1 + + + 2.6.7-r8 + 2.6.7-r8 + + + 2.4.19-r18 + 2.4.20-r21 + 2.4.22-r13 + 2.4.25-r6 + 2.4.26-r5 + 2.4.26-r5 + + + 2.4.26.2.0-r6 + 2.4.26.2.0-r6 + + + 2.4.25_pre7-r8 + 2.4.25_pre7-r8 + + + 2.6.7-r2 + 2.6.7-r2 + + + 2.4.26-r3 + 2.4.26-r3 + + + 2.6.7_p1-r2 + 2.6.7_p1-r2 + + + 2.4.26_p6-r1 + 2.4.26_p6-r1 + + + 2.4.24-r7 + 2.4.24-r7 + + + 2.6.7-r6 + 2.6.7-r6 + + + 2.4.22-r11 + 2.4.22-r11 + + + 2.4.23-r9 + 2.4.23-r9 + + + 2.4.21-r11 + 2.4.21-r11 + + + 2.6.7-r2 + 2.6.7-r2 + + + 2.4.26-r3 + 2.4.26-r3 + + + 2.4.26-r3 + 2.4.26-r3 + + + 2.4.26-r3 + 2.4.26-r3 + + + 2.6.7-r2 + 2.6.7-r2 + + + 2.4.26-r2 + 2.4.26-r2 + + + 2.4.26-r3 + 2.4.26-r3 + + + 2.4.26_p0-r3 + 2.6.7_p0-r2 + 2.6.7_p0-r2 + + + 2.4.24-r6 + 2.4.26-r3 + 2.6.6-r4 + 2.6.6-r4 + + + 2.4.26.1.28-r1 + 2.4.26.1.28-r1 + + + 2.4.26-r3 + 2.6.7-r2 + 2.6.7-r2 + + + 4.9-r10 + 4.11-r7 + 4.14-r4 + 4.14-r4 + + + 2.4.26-r3 + 2.6.7-r2 + 2.6.7-r2 + + + 2.4.27 + 2.4.27 + + + 2.4.27 + 2.4.26 + + + +

+ The Linux kernel is responsible for managing the core aspects of a + GNU/Linux system, providing an interface for core system applications as + well as providing the essential structure and capability to access hardware + that is needed for a running system. +

+
+ +

+ The Linux kernel allows a local attacker to mount a remote file system on a + vulnerable Linux host and modify files' group IDs. On 2.4 series kernels + this vulnerability only affects shared NFS file systems. This vulnerability + has been assigned CAN-2004-0497 by the Common Vulnerabilities and Exposures + project. +

+

+ Also, a flaw in the handling of /proc attributes has been found in 2.6 + series kernels; allowing the unauthorized modification of /proc entries, + especially those which rely solely on file permissions for security to + vital kernel parameters. +

+

+ An issue specific to the VServer Linux sources has been found, by which + /proc related changes in one virtual context are applied to other contexts + as well, including the host system. +

+

+ CAN-2004-0447 resolves a local DoS vulnerability on IA64 platforms which + can cause unknown behaviour and CAN-2004-0565 resolves a floating point + information leak on IA64 platforms by which registers of other processes + can be read by a local user. +

+

+ Finally, CAN-2004-0496 addresses some more unknown vulnerabilities in 2.6 + series Linux kernels older than 2.6.7 which were found by the Sparse source + code checking tool. +

+
+ +

+ Bad Group IDs can possibly cause a Denial of Service on parts of a host if + the changed files normally require a special GID to properly operate. By + exploiting this vulnerability, users in the original file group would also + be blocked from accessing the changed files. +

+

+ The /proc attribute vulnerability allows local users with previously no + permissions to certain /proc entries to exploit the vulnerability and then + gain read, write and execute access to entries. +

+

+ These new privileges can be used to cause unknown behaviour ranging from + reduced system performance to a Denial of Service by manipulating various + kernel options which are usually reserved for the superuser. This flaw + might also be used for opening restrictions set through /proc entries, + allowing further attacks to take place through another possibly unexpected + attack vector. +

+

+ The VServer issue can also be used to induce similar unexpected behaviour + to other VServer contexts, including the host. By successful exploitation, + a Denial of Service for other contexts can be caused allowing only root to + read certain /proc entries. Such a change would also be replicated to other + contexts, forbidding normal users on those contexts to read /proc entries + which could contain details needed by daemons running as a non-root user, + for example. +

+

+ Additionally, this vulnerability allows an attacker to read information + from another context, possibly hosting a different server, gaining critical + information such as what processes are running. This may be used for + furthering the exploitation of either context. +

+

+ CAN-2004-0447 and CAN-2004-0496 permit various local unknown Denial of + Service vulnerabilities with unknown impacts - these vulnerabilities can be + used to possibly elevate privileges or access reserved kernel memory which + can be used for further exploitation of the system. +

+

+ CAN-2004-0565 allows FPU register values of other processes to be read by a + local user setting the MFH bit during a floating point operation - since no + check was in place to ensure that the FPH bit was owned by the requesting + process, but only an MFH bit check, an attacker can simply set the MFH bit + and access FPU registers of processes running as other users, possibly + those running as root. +

+
+ +

+ 2.4 users may not be affected by CAN-2004-0497 if they do not use remote + network filesystems and do not have support for any such filesystems in + their kernel configuration. All 2.6 users are affected by the /proc + attribute issue and the only known workaround is to disable /proc support. + The VServer flaw applies only to vserver-sources, and no workaround is + currently known for the issue. There is no known fix to CAN-2004-0447, + CAN-2004-0496 or CAN-2004-0565 other than to upgrade the kernel to a + patched version. +

+

+ As a result, all users affected by any of these vulnerabilities should + upgrade their kernels to ensure the integrity of their systems. +

+
+ +

+ Users are encouraged to upgrade to the latest available sources for their + system: +

+ + # emerge sync + # emerge -pv your-favorite-sources + # emerge your-favorite-sources + + # # Follow usual procedure for compiling and installing a kernel. + # # If you use genkernel, run genkernel as you would do normally. +
+ + CAN-2004-0447 + CAN-2004-0496 + CAN-2004-0497 + CAN-2004-0565 + VServer /proc Context Vulnerability + + + plasmaroo + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-17.xml b/xml/htdocs/security/en/glsa/glsa-200407-17.xml new file mode 100644 index 00000000..3c1211b5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-17.xml @@ -0,0 +1,66 @@ + + + + + + + l2tpd: Buffer overflow + + A buffer overflow in l2tpd could lead to remote code execution. It is not + known whether this bug is exploitable. + + net-dialup/l2tpd + July 22, 2004 + July 22, 2004: 01 + 53009 + remote + + + 0.69-r2 + 0.69-r2 + + + +

+ l2tpd is a GPL implentation of the Layer 2 Tunneling Protocol. +

+
+ +

+ Thomas Walpuski discovered a buffer overflow that may be exploitable by + sending a specially crafted packet. In order to exploit the vulnerable + code, an attacker would need to fake the establishment of an L2TP tunnel. +

+
+ +

+ A remote attacker may be able to execute arbitrary code with the privileges + of the user running l2tpd. +

+
+ +

+ There is no known workaround for this vulnerability. +

+
+ +

+ All users are recommended to upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-l2tpd-0.69-r2" + # emerge ">=net-l2tpd-0.69-r2" +
+ + CAN-2004-0649 + Full Disclosure Report + + + koon + + + dmargoli + +
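Review bot: The resolution block in this hunk gives a malformed package atom: `>=net-l2tpd-0.69-r2` has no category separator and does not match the package named in the advisory's own header, `net-dialup/l2tpd`, so the emerge commands as written will not resolve to a package. The two command lines should read `# emerge -pv ">=net-dialup/l2tpd-0.69-r2"` and `# emerge ">=net-dialup/l2tpd-0.69-r2"`, following the category/name-version form used by the other advisories in this commit (for example `>=net-www/mod_ssl-2.8.19`). The background paragraph also misspells "implementation" as "implentation".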
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-18.xml b/xml/htdocs/security/en/glsa/glsa-200407-18.xml new file mode 100644 index 00000000..ea0429bd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-18.xml @@ -0,0 +1,63 @@ + + + + + + + mod_ssl: Format string vulnerability + + A bug in mod_ssl may allow a remote attacker to execute arbitrary code when + Apache is configured to use mod_ssl and mod_proxy. + + mod_ssl + July 22, 2004 + July 22, 2004: 01 + 57379 + remote + + + 2.8.19 + 2.8.18 + + + +

+ mod_ssl provides Secure Sockets Layer encryption and authentication to + Apache 1.3. +

+
+ +

+ A bug in ssl_engine_ext.c makes mod_ssl vulnerable to a ssl_log() related + format string vulnerability in the mod_proxy hook functions. +

+
+ +

+ Given the right server configuration, an attacker could execute code as the + user running Apache, usually "apache". +

+
+ +

+ A server should not be vulnerable if it is not using both mod_ssl and + mod_proxy. Otherwise there is no workaround other than to disable mod_ssl. +

+
+ +

+ All mod_ssl users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-www/mod_ssl-2.8.19" + # emerge ">=net-www/mod_ssl-2.8.19" +
+ + mod_ssl Announcement + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-19.xml b/xml/htdocs/security/en/glsa/glsa-200407-19.xml new file mode 100644 index 00000000..313f65d4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-19.xml @@ -0,0 +1,60 @@ + + + + + + + Pavuk: Digest authentication helper buffer overflow + + Pavuk contains a bug that can allow an attacker to run arbitrary code. + + Pavuk + July 26, 2004 + May 22, 2006: 02 + remote + + + 0.9.28-r3 + 0.9.28-r2 + + + +

+ Pavuk is web spider and website mirroring tool. +

+
+ +

+ Pavuk contains several buffer overflow vulnerabilities in the code + handling digest authentication. +

+
+ +

+ An attacker could cause a buffer overflow, leading to arbitrary code + execution with the rights of the user running Pavuk. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of Pavuk. +

+
+ +

+ All Pavuk users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-misc/pavuk-0.9.28-r3" + # emerge ">=net-misc/pavuk-0.9.28-r3" +
+ + CVE-2004-1437 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-20.xml b/xml/htdocs/security/en/glsa/glsa-200407-20.xml new file mode 100644 index 00000000..b962a02d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200407-20.xml @@ -0,0 +1,82 @@ + + + + + + + Subversion: Vulnerability in mod_authz_svn + + Users with write access to parts of a Subversion repository may bypass read + restrictions in mod_authz_svn and read any part of the repository they + wish. + + subversion + July 26, 2004 + May 22, 2006: 02 + 57747 + remote + + + 1.0.6 + 1.0.4-r1 + + + +

+ Subversion is an advanced version control system, similar to CVS, which + supports additional functionality such as the ability to move, copy and + delete files and directories. A Subversion server may be run as an + Apache module, a standalone server (svnserve), or on-demand over ssh (a + la CVS' ":ext:" protocol). The mod_authz_svn Apache module works with + Subversion in Apache to limit access to parts of Subversion + repositories based on policy set by the administrator. +

+
+ +

+ Users with write access to part of a Subversion repository may bypass + read restrictions on any part of that repository. This can be done + using an "svn copy" command to copy the portion of a repository the + user wishes to read into an area where they have write access. +

+

+ Since copies are versioned, any such copy attempts will be readily + apparent. +

+
+ +

+ This is a low-risk vulnerability. It affects only users of Subversion + who are running servers inside Apache and using mod_authz_svn. + Additionally, this vulnerability may be exploited only by users with + write access to some portion of a repository. +

+
+ +

+ Keep sensitive content separated into different Subversion + repositories, or disable the Apache Subversion server and use svnserve + instead. +

+
+ +

+ All Subversion users should upgrade to the latest available version: +

+ + # emerge sync + + # emerge -pv ">=dev-util/subversion-1.0.6" + # emerve ">=dev-util/subversion-1.0.6" +
+
+ ChangeLog for Subversion 1.0.6
+ CVE-2004-1438
+
+
+ koon
+
+
+ condordes
+
+
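Review bot: The last resolution command on the new side is misspelled as `# emerve ">=dev-util/subversion-1.0.6"`, so a user copying the advisory's upgrade steps gets a command-not-found error instead of the fix; it should read `# emerge ">=dev-util/subversion-1.0.6"`. The same three-command block in the sibling advisories of this commit spells it correctly, so this file is the only one to change.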
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-21.xml b/xml/htdocs/security/en/glsa/glsa-200407-21.xml
new file mode 100644
index 00000000..65e1a7db
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200407-21.xml
@@ -0,0 +1,78 @@
+
+
+
+
+
+
+ Samba: Multiple buffer overflows
+
+ Two buffer overflows vulnerabilities were found in Samba, potentially
+ allowing the remote execution of arbitrary code.
+
+ Samba
+ July 29, 2004
+ July 29, 2004: 02
+ 57962
+ remote
+
+
+ 3.0.5
+ 3.0.4-r1
+
+
+
+

+ Samba is a package which allows *nix systems to act as file servers for + Windows computers. It also allows *nix systems to mount shares exported by + a Samba/CIFS/Windows server. The Samba Web Administration Tool (SWAT) is a + web-based configuration tool part of the Samba package. +

+
+ +

+ Evgeny Demidov found a buffer overflow in SWAT, located in the base64 data + decoder used to handle HTTP basic authentication (CAN-2004-0600). The same + flaw is present in the code used to handle the sambaMungedDial attribute + value, when using the ldapsam passdb backend. Another buffer overflow was + found in the code used to support the 'mangling method = hash' smb.conf + option (CAN-2004-0686). Note that the default Samba value for this option + is 'mangling method = hash2' which is not vulnerable. +

+
+ +

+ The SWAT authentication overflow could be exploited to execute arbitrary + code with the rights of the Samba daemon process. The overflow in the + sambaMungedDial handling code is not thought to be exploitable. The buffer + overflow in 'mangling method = hash' code could also be used to execute + arbitrary code on vulnerable configurations. +

+
+ +

+ Users disabling SWAT, not using ldapsam passdb backends and not using the + 'mangling method = hash' option are not vulnerable. +

+
+ +

+ All Samba users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-fs/samba-3.0.5" + # emerge ">=net-fs/samba-3.0.5" +
+ + Samba 3.0.5 Release Notes + CAN-2004-0600 + CAN-2004-0686 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-22.xml b/xml/htdocs/security/en/glsa/glsa-200407-22.xml
new file mode 100644
index 00000000..31696d2c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200407-22.xml
@@ -0,0 +1,79 @@
+
+
+
+
+
+
+ phpMyAdmin: Multiple vulnerabilities
+
+ Multiple vulnerabilities in phpMyAdmin may allow a remote attacker with a
+ valid user account to alter configuration variables and execute arbitrary
+ PHP code.
+
+ dev-db/phpmyadmin
+ July 29, 2004
+ May 22, 2006: 02
+ 57890
+ remote
+
+
+ 2.5.7_p1
+ 2.5.7
+
+
+
+

+ phpMyAdmin is a popular, web-based MySQL administration tool written in + PHP. It allows users to administer a MySQL database from a web-browser. +

+
+ +

+ Two serious vulnerabilities exist in phpMyAdmin. The first allows any + user to alter the server configuration variables (including host, name, + and password) by appending new settings to the array variables that + hold the configuration in a GET statement. The second allows users to + include arbitrary PHP code to be executed within an eval() statement in + table name configuration settings. This second vulnerability is only + exploitable if $cfg['LeftFrameLight'] is set to FALSE. +

+
+ +

+ Authenticated users can alter configuration variables for their running + copy of phpMyAdmin. The impact of this should be minimal. However, the + second vulnerability would allow an authenticated user to execute + arbitrary PHP code with the permissions of the webserver, potentially + allowing a serious Denial of Service or further remote compromise. +

+
+ +

+ The second, more serious vulnerability is only exploitable if + $cfg['LeftFrameLight'] is set to FALSE. In the default Gentoo + installation, this is set to TRUE. There is no known workaround for the + first. +

+
+ +

+ All phpMyAdmin users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=dev-db/phpmyadmin-2.5.7_p1" + # emerge ">=dev-db/phpmyadmin-2.5.7_p1" +
+ + BugTraq Announcement + CVE-2004-2631 + CVE-2004-2632 + + + koon + + + dmargoli + +
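Review bot: The product field on the new side is the category-qualified `dev-db/phpmyadmin`, while the other advisories in this commit give a bare name in that field (`subversion`, `Samba`, `SoX`); anything that matches or displays the product field will treat this entry differently from its siblings. The resolution's emerge atom already carries the category, so the bare name `phpmyadmin` would keep the field consistent without losing information.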
diff --git a/xml/htdocs/security/en/glsa/glsa-200407-23.xml b/xml/htdocs/security/en/glsa/glsa-200407-23.xml
new file mode 100644
index 00000000..3e7f35b6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200407-23.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ SoX: Multiple buffer overflows
+
+ SoX contains two buffer overflow vulnerabilities in the WAV header parser
+ code.
+
+ SoX
+ July 30, 2004
+ May 22, 2006: 02
+ 58733
+ remote
+
+
+ 12.17.4-r2
+ 12.17.4-r1
+
+
+
+

+ SoX is a command line utility that can convert various formats of + computer audio files in to other formats. +

+
+ +

+ Ulf Harnhammar discovered two buffer overflows in the sox and play + commands when handling WAV files with specially crafted header fields. +

+
+ +

+ By enticing a user to play or convert a specially crafted WAV file an + attacker could execute arbitrary code with the permissions of the user + running SoX. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of SoX. +

+
+ +

+ All SoX users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=media-sound/sox-12.17.4-r2" + # emerge ">=media-sound/sox-12.17.4-r2" +
+ + Full Disclosure Announcement + CVE-2004-0557 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-01.xml b/xml/htdocs/security/en/glsa/glsa-200408-01.xml
new file mode 100644
index 00000000..26fe5c0d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-01.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ MPlayer: GUI filename handling overflow
+
+ When compiled with GUI support MPlayer is vulnerable to a remotely
+ exploitable buffer overflow attack.
+
+ MPlayer
+ August 01, 2004
+ May 22, 2006: 02
+ 55456
+ remote
+
+
+ 1.0_pre4-r7
+ 1.0_pre4-r7
+
+
+
+

+ MPlayer is a media player capable of handling multiple multimedia file + formats. +

+
+ +

+ The MPlayer GUI code contains several buffer overflow vulnerabilities, + and at least one in the TranslateFilename() function is exploitable. +

+
+ +

+ By enticing a user to play a file with a carefully crafted filename an + attacker could execute arbitrary code with the permissions of the user + running MPlayer. +

+
+ +

+ To work around this issue, users can compile MPlayer without GUI + support by disabling the gtk USE flag. All users are encouraged to + upgrade to the latest available version of MPlayer. +

+
+ +

+ All MPlayer users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=media-video/mplayer-1.0_pre4-r7" + # emerge ">=media-video/mplayer-1.0_pre4-r7" +
+ + Bugtraq Announcement + Open-Security Announcement + CVE-2004-0659 + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-02.xml b/xml/htdocs/security/en/glsa/glsa-200408-02.xml
new file mode 100644
index 00000000..e04e2f25
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-02.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ Courier: Cross-site scripting vulnerability in SqWebMail
+
+ The SqWebMail web application, included in the Courier suite, is vulnerable
+ to cross-site scripting attacks.
+
+ Courier
+ August 04, 2004
+ August 04, 2004: 01
+ 58020
+ remote
+
+
+ 0.45.6.20040618
+ 0.45.6
+
+
+
+

+ Courier is an integrated mail and groupware server based on open protocols. + It provides ESMTP, IMAP, POP3, webmail, and mailing list services within a + single framework. The webmail functionality included in Courier called + SqWebMail allows you to access mailboxes from a web browser. +

+
+ +

+ Luca Legato found that SqWebMail is vulnerable to a cross-site scripting + (XSS) attack. An XSS attack allows an attacker to insert malicious code + into a web-based application. SqWebMail doesn't filter appropriately data + coming from message headers before displaying them. +

+
+ +

+ By sending a carefully crafted message, an attacker can inject and execute + script code in the victim's browser window. This allows to modify the + behaviour of the SqWebMail application, and/or leak session information + such as cookies to the attacker. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of Courier. +

+
+ +

+ All Courier users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=mail-mta/courier-0.45.6.20040618" + # emerge ">=mail-mta/courier-0.45.6.20040618" +
+ + CAN-2004-0591 + XSS definition + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-03.xml b/xml/htdocs/security/en/glsa/glsa-200408-03.xml
new file mode 100644
index 00000000..f19c9bec
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-03.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ libpng: Numerous vulnerabilities
+
+ libpng contains numerous vulnerabilities potentially allowing an attacker
+ to perform a Denial of Service attack or even execute arbitrary code.
+
+ libpng
+ August 05, 2004
+ August 05, 2004: 01
+ 59424
+ remote
+
+
+ 1.2.5-r8
+ 1.2.5-r7
+
+
+
+

+ libpng is a standard library used to process PNG (Portable Network + Graphics) images. It is used by several other programs, including web + browsers and potentially server processes. +

+
+ +

+ libpng contains numerous vulnerabilities including null pointer dereference + errors and boundary errors in various functions. +

+
+ +

+ An attacker could exploit these vulnerabilities to cause programs linked + against the library to crash or execute arbitrary code with the permissions + of the user running the vulnerable program, which could be the root user. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All libpng users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=media-libs/libpng-1.2.5-r8" + # emerge ">=media-libs/libpng-1.2.5-r8" +

+ You should also run revdep-rebuild to rebuild any packages that depend on + older versions of libpng : +

+ + # revdep-rebuild +
+ + CAN-2004-0597 + CAN-2004-0598 + CAN-2004-0599 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-04.xml b/xml/htdocs/security/en/glsa/glsa-200408-04.xml
new file mode 100644
index 00000000..c4e2d219
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-04.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ PuTTY: Pre-authentication arbitrary code execution
+
+ PuTTY contains a vulnerability allowing a SSH server to execute arbitrary
+ code on the connecting client.
+
+ PuTTY
+ August 05, 2004
+ May 22, 2006: 03
+ 59383
+ remote
+
+
+ 0.55
+ 0.54
+
+
+
+

+ PuTTY is a free implementation of Telnet and SSH for Win32 and Unix + platforms, along with an xterm terminal emulator. +

+
+ +

+ PuTTY contains a vulnerability allowing a malicious server to execute + arbitrary code on the connecting client before host key verification. +

+
+ +

+ When connecting to a server using the SSH2 protocol an attacker is able + to execute arbitrary code with the permissions of the user running + PuTTY by sending specially crafted packets to the client during the + authentication process but before host key verification. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of PuTTY. +

+
+ +

+ All PuTTY users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-misc/putty-0.55" + # emerge ">=net-misc/putty-0.55" +
+ + Corelabs Advisory + PuTTY ChangeLog + CVE-2004-1440 + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-05.xml b/xml/htdocs/security/en/glsa/glsa-200408-05.xml
new file mode 100644
index 00000000..332bf4d4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-05.xml
@@ -0,0 +1,72 @@
+
+
+
+
+
+
+ Opera: Multiple new vulnerabilities
+
+ Several new vulnerabilities were found and fixed in Opera, including one
+ allowing an attacker to read the local filesystem remotely.
+
+ Opera
+ August 05, 2004
+ December 30, 2007: 03
+ 59503
+ remote
+
+
+ 7.54
+ 7.53
+
+
+
+

+ Opera is a multi-platform web browser. +

+
+ +

+ Multiple vulnerabilities have been found in the Opera web browser. + Opera fails to deny write access to the "location" browser object. An + attacker can overwrite methods in this object and gain script access to + any page that uses one of these methods. Furthermore, access to file:// + URLs is possible even from pages loaded using other protocols. Finally, + spoofing a legitimate web page is still possible, despite the fixes + announced in GLSA 200407-15. +

+
+ +

+ By enticing an user to visit specially crafted web pages, an attacker + can read files located on the victim's file system, read emails written + or received by M2, Opera's mail program, steal cookies, spoof URLs, + track user browsing history, etc. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version. +

+
+ +

+ All Opera users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=www-client/opera-7.54" + # emerge ">=www-client/opera-7.54" +
+ + Opera Changelog + Address bar spoofing issue disclosure + GreyMagic Security Advisory GM#008-OP + CVE-2004-2570 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-06.xml b/xml/htdocs/security/en/glsa/glsa-200408-06.xml
new file mode 100644
index 00000000..be32f9d3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-06.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ SpamAssassin: Denial of Service vulnerability
+
+ SpamAssassin is vulnerable to a Denial of Service attack when handling
+ certain malformed messages.
+
+ SpamAssassin
+ August 09, 2004
+ May 22, 2006: 02
+ 59483
+ remote
+
+
+ 2.64
+ 2.63-r1
+
+
+
+

+ SpamAssassin is an extensible email filter which is used to identify + spam. +

+
+ +

+ SpamAssassin contains an unspecified Denial of Service vulnerability. +

+
+ +

+ By sending a specially crafted message an attacker could cause a Denial + of Service attack against the SpamAssassin service. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of SpamAssassin. +

+
+ +

+ All SpamAssassin users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=mail-filter/spamassassin-2.64" + # emerge ">=mail-filter/spamassassin-2.64" +
+ + SpamAssassin Release Announcement + CVE-2004-0796 + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-07.xml b/xml/htdocs/security/en/glsa/glsa-200408-07.xml
new file mode 100644
index 00000000..0a0b2f5a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-07.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Horde-IMP: Input validation vulnerability for Internet Explorer users
+
+ An input validation vulnerability has been discovered in Horde-IMP. This
+ only affects users of Internet Explorer.
+
+ horde-imp
+ August 10, 2004
+ May 22, 2006: 02
+ 59336
+ remote
+
+
+ 3.2.5
+ 3.2.4
+
+
+
+

+ Horde-IMP is the Internet Messaging Program. It is written in PHP and + provides webmail access to IMAP and POP3 accounts. +

+
+ +

+ Horde-IMP fails to properly sanitize email messages that contain + malicious HTML or script code so that it is not safe for users of + Internet Explorer when using the inline MIME viewer for HTML messages. +

+
+ +

+ By enticing a user to read a specially crafted e-mail, an attacker can + execute arbitrary scripts running in the context of the victim's + browser. This could lead to a compromise of the user's webmail account, + cookie theft, etc. +

+
+ +

+ Do not use Internet Explorer to access Horde-IMP. +

+
+ +

+ All Horde-IMP users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=www-apps/horde-imp-3.2.5" + # emerge ">=www-apps/horde-imp-3.2.5" +
+ + Horde-IMP Changelog + Secunia Advisory SA12202 + CVE-2004-1443 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-08.xml b/xml/htdocs/security/en/glsa/glsa-200408-08.xml
new file mode 100644
index 00000000..8e31510f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-08.xml
@@ -0,0 +1,75 @@
+
+
+
+
+
+
+ Cfengine: RSA Authentication Heap Corruption
+
+ Cfengine is vulnerable to a remote root exploit from clients in
+ AllowConnectionsFrom.
+
+ Cfengine
+ August 10, 2004
+ May 22, 2006: 05
+ 59895
+ remote
+
+
+ 2.1.8
+ 2.0.0
+ 2.1.7
+
+
+
+

+ Cfengine is an agent/software robot and a high level policy language + for building expert systems to administrate and configure large + computer networks. +

+
+ +

+ Two vulnerabilities have been found in cfservd. One is a buffer + overflow in the AuthenticationDialogue function and the other is a + failure to check the proper return value of the ReceiveTransaction + function. +

+
+ +

+ An attacker could use the buffer overflow to execute arbitrary code + with the permissions of the user running cfservd, which is usually the + root user. However, before such an attack could be mounted, the + IP-based ACL would have to be bypassed. With the second vulnerability, + an attacker could cause a denial of service attack. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of Cfengine. (It should be + noted that disabling cfservd will work around this particular problem. + However, in many cases, doing so will cripple your Cfengine setup. + Upgrading is strongly recommended.) +

+
+ +

+ All Cfengine users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-misc/cfengine-2.1.8" + # emerge ">=net-misc/cfengine-2.1.8" +
+ + Corelabs Advisory + CVE-2004-1701 + CVE-2004-1702 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-09.xml b/xml/htdocs/security/en/glsa/glsa-200408-09.xml
new file mode 100644
index 00000000..c00e780e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-09.xml
@@ -0,0 +1,64 @@
+
+
+
+
+
+
+ Roundup: Filesystem access vulnerability
+
+ Roundup will make files owned by the user that it's running as accessable
+ to a remote attacker.
+
+ Roundup
+ August 11, 2004
+ May 22, 2006: 03
+ 53494
+ remote
+
+
+ 0.7.6
+ 0.6.4
+
+
+
+

+ Roundup is a simple to use issue-tracking system with command-line, + web, and e-mail interfaces. +

+
+ +

+ Improper handling of a specially crafted URL allows access to the + server's filesystem, which could contain sensitive information. +

+
+ +

+ An attacker could view files owned by the user running Roundup. This + will never be root however, as Roundup will not run as root. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of Roundup. +

+
+ +

+ All Roundup users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=www-apps/roundup-0.7.6" + # emerge ">=www-apps/roundup-0.7.6" +
+ + Secunia Advisory SA11801 + CVE-2004-1444 + + + chriswhite + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-10.xml b/xml/htdocs/security/en/glsa/glsa-200408-10.xml
new file mode 100644
index 00000000..d34bc33e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-10.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ gv: Exploitable Buffer Overflow
+
+ gv contains an exploitable buffer overflow that allows an attacker to
+ execute arbitrary code.
+
+ gv
+ August 12, 2004
+ August 12, 2004: 01
+ 59385
+ remote
+
+
+ 3.5.8-r4
+ 3.5.8-r3
+
+
+
+

+ gv is a PostScript and PDF viewer for X which provides a user interface for + the ghostscript interpreter. +

+
+ +

+ gv contains a buffer overflow vulnerability where an unsafe sscanf() call + is used to interpret PDF and PostScript files. +

+
+ +

+ By enticing a user to view a malformed PDF or PostScript file an attacker + could execute arbitrary code with the permissions of the user running gv. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of gv. +

+
+ +

+ All gv users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-text/gv-3.5.8-r4" + # emerge ">=app-text/gv-3.5.8-r4" +
+ + CAN-2002-0838 + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-11.xml b/xml/htdocs/security/en/glsa/glsa-200408-11.xml
new file mode 100644
index 00000000..0dcdb9ef
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-11.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Nessus: "adduser" race condition vulnerability
+
+ Nessus contains a vulnerability allowing a user to perform a privilege
+ escalation attack.
+
+ Nessus
+ August 12, 2004
+ May 22, 2006: 02
+ 58014
+ local
+
+
+ 2.0.12
+ 2.0.11
+
+
+
+

+ Nessus is a free and powerful network security scanner. +

+
+ +

+ A race condition can occur in "nessus-adduser" if the user has not + configured their TMPDIR variable. +

+
+ +

+ A malicious user could exploit this bug to escalate privileges to the + rights of the user running "nessus-adduser". +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of Nessus. +

+
+ +

+ All Nessus users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-analyzer/nessus-2.0.12" + # emerge ">=net-analyzer/nessus-2.0.12" +
+ + Secunia Advisory + CVE-2004-1445 + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-12.xml b/xml/htdocs/security/en/glsa/glsa-200408-12.xml
new file mode 100644
index 00000000..130ddb35
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-12.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Gaim: MSN protocol parsing function buffer overflow
+
+ Gaim contains a remotely exploitable buffer overflow vulnerability in the
+ MSN-protocol parsing code that may allow remote execution of arbitrary
+ code.
+
+ gaim
+ August 12, 2004
+ May 22, 2006: 03
+ 60034
+ remote
+
+
+ 0.81-r1
+ 0.81
+
+
+
+

+ Gaim is a multi-protocol instant messaging client for Linux which + supports many instant messaging protocols. +

+
+ +

+ Sebastian Krahmer of the SuSE Security Team has discovered a remotely + exploitable buffer overflow vulnerability in the code handling MSN + protocol parsing. +

+
+ +

+ By sending a carefully-crafted message, an attacker may execute + arbitrary code with the permissions of the user running Gaim. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of Gaim. +

+
+ +

+ All Gaim users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-im/gaim-0.81-r1" + # emerge ">=net-im/gaim-0.81-r1" +
+ + OSVDB ID: 8382 + CVE-2004-0500 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-13.xml b/xml/htdocs/security/en/glsa/glsa-200408-13.xml
new file mode 100644
index 00000000..6f740ee3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-13.xml
@@ -0,0 +1,81 @@
+
+
+
+
+
+
+ kdebase, kdelibs: Multiple security issues
+
+ KDE contains three security issues that can allow an attacker to compromise
+ system accounts, cause a Denial of Service, or spoof websites via frame
+ injection.
+
+ kde, kdebase, kdelibs
+ August 12, 2004
+ August 12, 2004: 01
+ 60068
+ remote and local
+
+
+ 3.2.3-r1
+ 3.2.3-r1
+
+
+ 3.2.3-r1
+ 3.2.3-r1
+
+
+
+

+ KDE is a powerful Free Software graphical desktop environment for Linux and + Unix-like Operating Systems. +

+
+ +

+ KDE contains three security issues: +

+
    +
  • Insecure handling of temporary files when running KDE applications + outside of the KDE environment
  • +
  • DCOPServer creates temporary files in an insecure manner
  • +
  • The Konqueror browser allows websites to load webpages into a target + frame of any other open frame-based webpage
  • +
+
+ +

+ An attacker could exploit these vulnerabilities to create or overwrite + files with the permissions of another user, compromise the account of users + running a KDE application and insert arbitrary frames into an otherwise + trusted webpage. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of kdebase. +

+
+ +

+ All KDE users should upgrade to the latest versions of kdelibs and kdebase: +

+ + # emerge sync + + # emerge -pv ">=kde-base/kdebase-3.2.3-r1" + # emerge ">=kde-base/kdebase-3.2.3-r1" + + # emerge -pv ">=kde-base/kdelibs-3.2.3-r1" + # emerge ">=kde-base/kdelibs-3.2.3-r1" +
+ + KDE Advisory: Temporary Directory Vulnerability + KDE Advisory: DCOPServer Temporary Filename Vulnerability + KDE Advisory: Konqueror Frame Injection Vulnerability + + + jaervosz + +
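Review bot: The references block on the new side lists only the three KDE advisories and no CVE/CAN identifier, while every other advisory in this commit carries at least one; readers and tooling that cross-reference by CVE cannot match this entry to the three issues it describes. If the upstream KDE advisories cite CAN identifiers for the temporary-file, DCOPServer and frame-injection issues, add each as a `uri` reference next to the existing ones rather than relying on the vendor links alone.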
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-14.xml b/xml/htdocs/security/en/glsa/glsa-200408-14.xml
new file mode 100644
index 00000000..b1bf7c8d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-14.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ acroread: UUDecode filename buffer overflow
+
+ acroread contains two errors in the handling of UUEncoded filenames that
+ may lead to execution of arbitrary code or programs.
+
+ acroread
+ August 15, 2004
+ May 22, 2006: 03
+ 60205
+ remote
+
+
+ 5.09
+ 5.08
+
+
+
+

+ acroread is Adobe's Acrobat PDF reader for Linux. +

+
+ +

+ acroread contains two errors in the handling of UUEncoded filenames. + First, it fails to check the length of a filename before copying it + into a fixed size buffer and, secondly, it fails to check for the + backtick shell metacharacter in the filename before executing a command + with a shell. +

+
+ +

+ By enticing a user to open a PDF with a specially crafted filename, an + attacker could execute arbitrary code or programs with the permissions + of the user running acroread. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of acroread. +

+
+ +

+ All acroread users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-text/acroread-5.09" + # emerge ">=app-text/acroread-5.09" +
+ + iDEFENSE Advisory 124 + iDEFENSE Advisory 125 + CVE-2004-0630 + CVE-2004-0631 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-15.xml b/xml/htdocs/security/en/glsa/glsa-200408-15.xml
new file mode 100644
index 00000000..8b41b116
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-15.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ Tomcat: Insecure installation
+
+ Improper file ownership may allow a member of the tomcat group to execute
+ scripts as root.
+
+ tomcat
+ August 15, 2004
+ May 22, 2006: 04
+ 59232
+ local
+
+
+ 5.0.27-r3
+ 4.1.30-r4
+ 3.3.2-r2
+ 5.0.27-r3
+
+
+
+

+ Tomcat is the Apache Jakarta Project's official implementation of Java + Servlets and Java Server Pages. +

+
+ +

+ The Gentoo ebuild for Tomcat sets the ownership of the Tomcat init + scripts as tomcat:tomcat, but those scripts are executed with root + privileges when the system is started. This may allow a member of the + tomcat group to run arbitrary code with root privileges when the Tomcat + init scripts are run. +

+
+ +

+ This could lead to a local privilege escalation or root compromise by + authenticated users. +

+
+ +

+ Users may change the ownership of /etc/init.d/tomcat* and + /etc/conf.d/tomcat* to be root:root: +

+ + # chown -R root:root /etc/init.d/tomcat* + # chown -R root:root /etc/conf.d/tomcat* +
+ +

+ All Tomcat users can upgrade to the latest stable version, or simply + apply the workaround: +

+ + # emerge sync + # emerge -pv ">=www-servers/tomcat-5.0.27-r3" + # emerge ">=www-servers/tomcat-5.0.27-r3" +
+ + CVE-2004-1452 + + + dmargoli + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-16.xml b/xml/htdocs/security/en/glsa/glsa-200408-16.xml
new file mode 100644
index 00000000..51f23abf
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-16.xml
@@ -0,0 +1,83 @@
+
+
+
+
+
+
+ glibc: Information leak with LD_DEBUG
+
+ glibc contains an information leak vulnerability allowing the debugging of
+ SUID binaries.
+
+ glibc
+ August 16, 2004
+ May 28, 2006: 04
+ 59526
+ local
+
+
+ 2.3.2-r11
+ 2.3.2-r10
+
+
+ 2.3.3.20040420-r1
+ 2.3.3.20040420
+
+
+ 2.3.4.20040619-r1
+ 2.3.3.20040420
+
+
+ 2.3.4.20040619-r1
+ 2.3.4.20040619
+
+
+ 2.3.4.20040808
+ 2.3.4.20040605
+
+
+
+

+ The GNU C library defines various Unix-like "system calls" and other + basic facilities needed for a standard POSIX-like application to + operate. +

+
+ +

+ Silvio Cesare discovered a potential information leak in glibc. It + allows LD_DEBUG on SUID binaries where it should not be allowed. This + has various security implications, which may be used to gain + confidentional information. +

+
+ +

+ An attacker can gain the list of symbols a SUID application uses and + their locations and can then use a trojaned library taking precendence + over those symbols to gain information or perform further exploitation. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of glibc. +

+
+ +

+ All glibc users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv your_version + # emerge your_version +
+ + CVE-2004-1453 + + + jaervosz + +
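Review bot: The resolution block on the new side is `# emerge -pv your_version` / `# emerge your_version`, but the affected list at the top of the file gives five different unaffected glibc versions and nothing in the text says which one a given reader should pick (the attribute that distinguishes the five package entries appears to be lost in this rendering, so I may be missing it). A sentence before the code block such as `Replace your_version with the unaffected version listed above for the glibc package installed on your system` would make the step actionable instead of leaving the placeholder unexplained. This is the only advisory in the commit whose resolution does not name a concrete atom.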
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-17.xml b/xml/htdocs/security/en/glsa/glsa-200408-17.xml
new file mode 100644
index 00000000..c49553d7
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-17.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ rsync: Potential information leakage
+
+ rsync fails to properly sanitize paths. This vulnerability could allow the
+ listing of arbitrary files and allow file overwriting outside module's path
+ on rsync server configurations that allow uploading.
+
+ rsync
+ August 17, 2004
+ May 22, 2006: 02
+ 60309
+ remote
+
+
+ 2.6.0-r3
+ 2.6.0-r2
+
+
+
+

+ rsync is a utility that provides fast incremental file transfers. It is + used to efficiently synchronize files between hosts and is used by + emerge to fetch Gentoo's Portage tree. rsyncd is the rsync daemon, + which listens to connections from rsync clients. +

+
+ +

+ The paths sent by the rsync client are not checked thoroughly enough. + It does not affect the normal send/receive filenames that specify what + files should be transferred. It does affect certain option paths that + cause auxilliary files to be read or written. +

+
+ +

+ When rsyncd is used without chroot ("use chroot = false" in the + rsyncd.conf file), this vulnerability could allow the listing of + arbitrary files outside module's path and allow file overwriting + outside module's path on rsync server configurations that allows + uploading. Both possibilities are exposed only when chroot option is + disabled. +

+
+ +

+ You should never set the rsync daemon to run with "use chroot = false". +

+
+ +

+ All users should update to the latest version of the rsync package. +

+ + # emerge sync + + # emerge -pv ">=net-misc/rsync-2.6.0-r3" + # emerge ">=net-misc/rsync-2.6.0-r3" +
+ + rsync Advisory + rsync 2.6.2 announcement + CVE-2004-0792 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-18.xml b/xml/htdocs/security/en/glsa/glsa-200408-18.xml
new file mode 100644
index 00000000..bdfaae11
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200408-18.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ xine-lib: VCD MRL buffer overflow
+
+ xine-lib contains an exploitable buffer overflow in the VCD handling code
+
+ xine-lib
+ August 17, 2004
+ May 22, 2006: 02
+ 59948
+ remote
+
+
+ 1_rc5-r3
+ 1_rc5-r2
+
+
+
+

+ xine-lib is a multimedia library which can be utilized to create + multimedia frontends. +

+
+ +

+ xine-lib contains a bug where it is possible to overflow the vcd:// + input source identifier management buffer through carefully crafted + playlists. +

+
+ +

+ An attacker may construct a carefully-crafted playlist file which will + cause xine-lib to execute arbitrary code with the permissions of the + user. In order to conform with the generic naming standards of most + Unix-like systems, playlists can have extensions other than .asx (the + standard xine playlist format), and made to look like another file + (MP3, AVI, or MPEG for example). If an attacker crafts a playlist with + a valid header, they can insert a VCD playlist line that can cause a + buffer overflow and possible shellcode execution. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of xine-lib. +

+
+ +

+ All xine-lib users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=media-libs/xine-lib-1_rc5-r3" + # emerge ">=media-libs/xine-lib-1_rc5-r3" +
+ + Open Security Advisory + CVE-2004-1475 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-19.xml b/xml/htdocs/security/en/glsa/glsa-200408-19.xml new file mode 100644 index 00000000..7f19d2ec --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200408-19.xml @@ -0,0 +1,73 @@ + + + + + + + courier-imap: Remote Format String Vulnerability + + There is a format string vulnerability in non-standard configurations of + courier-imapd which may be exploited remotely. An attacker may be able to + execute arbitrary code as the user running courier-imapd (oftentimes root). + + courier-imap + August 19, 2004 + May 22, 2006: 02 + 60865 + remote + + + 3.0.5 + 3.0.2-r1 + + + +

+ Courier-IMAP is an IMAP server which is part of the Courier mail + system. It provides access only to maildirs. +

+
+ +

+ There is a format string vulnerability in the auth_debug() function + which can be exploited remotely, potentially leading to arbitrary code + execution as the user running the IMAP daemon (oftentimes root). A + remote attacker may send username or password information containing + printf() format tokens (such as "%s"), which will crash the server or + cause it to execute arbitrary code. +

+

+ This vulnerability can only be exploited if DEBUG_LOGIN is set to + something other than 0 in the imapd config file. +

+
+ +

+ If DEBUG_LOGIN is enabled in the imapd configuration, a remote attacker + may execute arbitrary code as the root user. +

+
+ +

+ Set the DEBUG_LOGIN option in /etc/courier-imap/imapd to 0. (This is + the default value.) +

+
+ +

+ All courier-imap users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-mail/courier-imap-3.0.5" + # emerge ">=net-mail/courier-imap-3.0.5" +
+ + iDEFENSE Advisory + CVE-2004-0777 + + + condordes + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-20.xml b/xml/htdocs/security/en/glsa/glsa-200408-20.xml new file mode 100644 index 00000000..84a7273d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200408-20.xml @@ -0,0 +1,74 @@ + + + + + + + Qt: Image loader overflows + + There are several bugs in Qt's image-handling code which could lead to + crashes or arbitrary code execution. + + Qt + August 22, 2004 + May 22, 2006: 02 + 60855 + local + + + 3.3.3 + 3.3.2 + + + +

+ Qt is a cross-platform GUI toolkit used by KDE. +

+
+ +

+ There are several unspecified bugs in the QImage class which may cause + crashes or allow execution of arbitrary code as the user running the Qt + application. These bugs affect the PNG, XPM, BMP, GIF and JPEG image + types. +

+
+ +

+ An attacker may exploit these bugs by causing a user to open a + carefully-constructed image file in any one of these formats. This may + be accomplished through e-mail attachments (if the user uses KMail), or + by simply placing a malformed image on a website and then convicing the + user to load the site in a Qt-based browser (such as Konqueror). +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of Qt. +

+
+ +

+ All Qt users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=x11-libs/qt-3.3.3" + # emerge ">=x11-libs/qt-3.3.3" +
+ + Mandrake Advisory + Qt 3.3.3 ChangeLog + CVE-2004-0691 + CVE-2004-0692 + CVE-2004-0693 + + + jaervosz + + + condordes + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-21.xml b/xml/htdocs/security/en/glsa/glsa-200408-21.xml new file mode 100644 index 00000000..6335d0cf --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200408-21.xml @@ -0,0 +1,69 @@ + + + + + + + Cacti: SQL injection vulnerability + + With special configurations of Cacti it is possible to change passwords via + a SQL injection attack. + + cacti + August 23, 2004 + May 22, 2006: 04 + 60630 + remote + + + 0.8.5a-r1 + 0.8.5a + + + +

+ Cacti is a complete web-based front end to rrdtool. +

+
+ +

+ Cacti is vulnerable to a SQL injection attack where an attacker may + inject SQL into the Username field. +

+
+ +

+ An attacker could compromise the Cacti service and potentially execute + programs with the permissions of the user running Cacti. Only systems + with php_flag magic_quotes_gpc set to Off are vulnerable. By default, + Gentoo Linux installs PHP with this option set to On. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of Cacti. +

+
+ +

+ All users should upgrade to the latest available version of Cacti, as + follows: +

+ + # emerge sync + + # emerge -pv ">=net-analyzer/cacti-0.8.5a-r1" + # emerge ">=net-analyzer/cacti-0.8.5a-r1" +
+ + Full Disclosure Announcement + CVE-2004-1737 + + + dmargoli + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-22.xml b/xml/htdocs/security/en/glsa/glsa-200408-22.xml new file mode 100644 index 00000000..870888e4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200408-22.xml @@ -0,0 +1,119 @@ + + + + + + + Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New releases fix vulnerabilities + + New releases of Mozilla, Epiphany, Galeon, Mozilla Thunderbird, and Mozilla + Firefox fix several vulnerabilities, including remote DoS and buffer + overflows. + + www-client/mozilla, www-client/mozilla-firefox, mail-client/mozilla-thunderbird, www-client/galeon, www-client/epiphany + August 23, 2004 + December 30, 2007: 06 + 57380 + 59419 + remote + + + 1.7.2 + 1.7.2 + + + 0.9.3 + 0.9.3 + + + 0.7.3 + 0.7.3 + + + 1.7.2 + 1.7.2 + + + 0.9.3 + 0.9.3 + + + 0.7.3 + 0.7.3 + + + 1.2.7-r1 + 1.2.7-r1 + + + 1.3.17 + 1.3.17 + + + +

+ Mozilla is a popular web browser that includes a mail and newsreader. + Galeon and Epiphany are both web browsers that use gecko, the Mozilla + rendering engine. Mozilla Firefox is the next-generation browser from + the Mozilla project that incorporates advanced features that are yet to + be incorporated into Mozilla. Mozilla Thunderbird is the + next-generation mail client from the Mozilla project. +

+
+ +

+ Mozilla, Galeon, Epiphany, Mozilla Firefox and Mozilla Thunderbird + contain the following vulnerabilities: +

+
    +
  • All Mozilla tools use libpng for graphics. This library contains a + buffer overflow which may lead to arbitrary code execution.
  • +
  • If a user imports a forged Certificate Authority (CA) certificate, + it may overwrite and corrupt the valid CA already installed on the + machine.
  • +
+

+ Mozilla, Mozilla Firefox, and other gecko-based browsers also contain a + bug in their caching which may allow the SSL icon to remain visible, + even when the site in question is an insecure site. +

+
+ +

+ Users of Mozilla, Mozilla Firefox, and other gecko-based browsers are + susceptible to SSL certificate spoofing, a Denial of Service against + legitimate SSL sites, crashes, and arbitrary code execution. Users of + Mozilla Thunderbird are susceptible to crashes and arbitrary code + execution via malicious e-mails. +

+
+ +

+ There is no known workaround for most of these vulnerabilities. All + users are advised to upgrade to the latest available version. +

+
+ +

+ All users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv your-version + # emerge your-version +
+ + CAN-2004-0763 + CAN-2004-0758 + CAN-2004-0597 + CAN-2004-0598 + CAN-2004-0599 + + + koon + + + dmargoli + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-23.xml b/xml/htdocs/security/en/glsa/glsa-200408-23.xml new file mode 100644 index 00000000..38fd9261 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200408-23.xml @@ -0,0 +1,81 @@ + + + + + + + kdelibs: Cross-domain cookie injection vulnerability + + The cookie manager component in kdelibs contains a vulnerability allowing + an attacker to potentially gain access to a user's session on a legitimate + web server. + + kdelibs + August 24, 2004 + August 24, 2004: 01 + 61389 + remote + + + 3.2.3-r2 + 3.2.3-r1 + + + +

+ KDE is a widely-used desktop environment based on the Qt toolkit. + kcookiejar in kdelibs is responsible for storing and managing HTTP cookies. + Konqueror uses kcookiejar for storing and managing cookies. +

+
+ +

+ kcookiejar contains a vulnerability which may allow a malicious website to + set cookies for other websites under the same second-level domain. +

+

+ This vulnerability applies to country-specific secondary top level domains + that use more than 2 characters in the secondary part of the domain name, + and that use a secondary part other than com, net, mil, org, gov, edu or + int. However, certain popular domains, such as co.uk, are not affected. +

+
+ +

+ Users visiting a malicious website using the Konqueror browser may have a + session cookie set for them by that site. Later, when the user visits + another website under the same domain, the attacker's session cookie will + be used instead of the cookie issued by the legitimate site. Depending on + the design of the legitimate site, this may allow an attacker to gain + access to the user's session. For further explanation on this type of + attack, see the paper titled "Session Fixation Vulnerability in + Web-based Applications" (reference 2). +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of kdelibs. +

+
+ +

+ All kdelibs users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=kde-base/kdelibs-3.2.3-r2" + # emerge ">=kde-base/kdelibs-3.2.3-r2" +
+ + KDE Advisory + Session Fixation Vulnerability in Web-based Applications + + + jaervosz + + + condordes + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-24.xml b/xml/htdocs/security/en/glsa/glsa-200408-24.xml new file mode 100644 index 00000000..a0584ec2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200408-24.xml @@ -0,0 +1,233 @@ + + + + + + + Linux Kernel: Multiple information leaks + + Multiple information leaks have been found in the Linux kernel, allowing an + attacker to obtain sensitive data which may be used for further + exploitation of the system. + + Kernel + August 25, 2004 + May 22, 2006: 02 + 59378 + 59905 + 59769 + local + + + 2.4.23-r2 + 2.6.5-r5 + 2.6.5-r5 + + + 2.4.21-r12 + 2.4.21-r12 + + + 2.4.26-r1 + 2.6.7-r5 + 2.6.7-r5 + + + 2.6.8 + 2.6.8 + + + 2.6.7-r12 + 2.6.7-r12 + + + 2.4.19-r22 + 2.4.20-r25 + 2.4.22-r16 + 2.4.25-r9 + 2.4.26-r9 + 2.4.26-r9 + + + 2.4.27.2.0.1-r1 + 2.4.27.2.0.1-r1 + + + 2.4.25_pre7-r11 + 2.4.25_pre7-r11 + + + 2.6.7-r7 + 2.6.7-r7 + + + 2.4.27-r1 + 2.4.27-r1 + + + 2.6.7_p14-r1 + 2.6.7_p14-r1 + + + 2.4.26_p7-r1 + 2.4.26_p7-r1 + + + 2.4.24-r10 + 2.4.24-r10 + + + 2.4.25-r8 + 2.4.26-r8 + 2.6.4-r8 + 2.6.6-r8 + 2.6.7-r5 + 2.6.6-r8 + + + 2.6.8_rc4-r1 + 2.6.8_rc4-r1 + + + 2.4.24-r4 + 2.4.24-r4 + + + 2.4.23-r12 + 2.4.23-r12 + + + 2.6.8 + 2.6.8 + + + 2.4.26-r5 + 2.4.26-r5 + + + 2.6.7-r5 + 2.6.7-r5 + + + 2.4.26-r3 + 2.4.26-r3 + + + 2.4.27-r1 + 2.4.27-r1 + + + 2.4.26_p0-r6 + 2.6.7_p0-r5 + 2.6.7_p0-r5 + + + 2.4.24-r9 + 2.4.26-r6 + 2.6.6-r6 + 2.6.6-r6 + + + 2.4.27 + 2.4.27 + + + 2.4.26.1.28-r4 + 2.4.26.1.28-r4 + + + 2.4.26-r6 + 2.6.7-r2 + 2.6.7-r5 + + + 4.9-r14 + 4.11-r10 + 4.14-r7 + 4.14-r7 + + + 2.4.27-r1 + 2.6.7-r5 + 2.6.7-r5 + + + +

+ The Linux kernel is responsible for managing the core aspects of a + GNU/Linux system, providing an interface for core system applications + as well as providing the essential structure and capability to access + hardware that is needed for a running system. +

+
+ +

+ The Linux kernel allows a local attacker to obtain sensitive kernel + information by gaining access to kernel memory via several leaks in the + /proc interfaces. These vulnerabilities exist in various drivers which + make up a working Linux kernel, some of which are present across all + architectures and configurations. +

+

+ CAN-2004-0415 deals with addressing invalid 32 to 64 bit conversions in + the kernel, as well as insecure direct access to file offset pointers + in kernel code which can be modified by the open(...), lseek(...) and + other core system I/O functions by an attacker. +

+

+ CAN-2004-0685 deals with certain USB drivers using uninitialized + structures and then using the copy_to_user(...) kernel call to copy + these structures. This may leak uninitialized kernel memory, which can + contain sensitive information from user applications. +

+

+ Finally, a race condition with the /proc/.../cmdline node was found, + allowing environment variables to be read while the process was still + spawning. If the race is won, environment variables of the process, + which might not be owned by the attacker, can be read. +

+
+ +

+ These vulnerabilities allow a local unprivileged attacker to access + segments of kernel memory or environment variables which may contain + sensitive information. Kernel memory may contain passwords, data + transferred between processes and any memory which applications did not + clear upon exiting as well as the kernel cache and kernel buffers. +

+

+ This information may be used to read sensitive data, open other attack + vectors for further exploitation or cause a Denial of Service if the + attacker can gain superuser access via the leaked information. +

+
+ +

+ There is no temporary workaround for any of these information leaks + other than totally disabling /proc support - otherwise, a kernel + upgrade is required. A list of unaffected kernels is provided along + with this announcement. +

+
+ +

+ Users are encouraged to upgrade to the latest available sources for + their system: +

+ + # emerge sync + # emerge -pv your-favorite-sources + # emerge your-favorite-sources + + # # Follow usual procedure for compiling and installing a kernel. + # # If you use genkernel, run genkernel as you would normally. +
+ + CAN-2004-0415 + CAN-2004-0685 + CVE-2004-1058 + + + plasmaroo + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-25.xml b/xml/htdocs/security/en/glsa/glsa-200408-25.xml new file mode 100644 index 00000000..97a72e91 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200408-25.xml @@ -0,0 +1,70 @@ + + + + + + + MoinMoin: Group ACL bypass + + MoinMoin contains a bug allowing anonymous users to bypass ACLs (Access + Control Lists) and carry out operations that should be limited to + authorized users. + + MoinMoin + August 26, 2004 + May 22, 2006: 02 + 57913 + remote + + + 1.2.3 + 1.2.2 + + + +

+ MoinMoin is a Python clone of WikiWiki, based on PikiPiki. +

+
+ +

+ MoinMoin contains two unspecified bugs, one allowing anonymous users + elevated access when not using ACLs, and the other in the ACL handling + in the PageEditor. +

+
+ +

+ Restrictions on anonymous users were not properly enforced. This could + lead to unauthorized users gaining administrative access to functions + such as "revert" and "delete". Sites are vulnerable whether or not they + are using ACLs. +

+
+ +

+ There is no known workaround. +

+
+ +

+ All users should upgrade to the latest available version of MoinMoin, + as follows: +

+ + # emerge sync + + # emerge -pv ">=www-apps/moinmoin-1.2.3" + # emerge ">=www-apps/moinmoin-1.2.3" +
+ + MoinMoin Announcement + OSVDB Advisory 8194 + OSVDB Advisory 8195 + CVE-2004-1462 + CVE-2004-1463 + + + dmargoli + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-26.xml b/xml/htdocs/security/en/glsa/glsa-200408-26.xml new file mode 100644 index 00000000..0efe6071 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200408-26.xml @@ -0,0 +1,71 @@ + + + + + + + zlib: Denial of service vulnerability + + The zlib library contains a Denial of Service vulnerability. + + zlib + August 27, 2004 + May 22, 2006: 02 + 61749 + remote + + + 1.2.1-r3 + 1.2.1-r2 + + + +

+ zlib is a general-purpose data-compression library. +

+
+ +

+ zlib contains a bug in the handling of errors in the "inflate()" and + "inflateBack()" functions. +

+
+ +

+ An attacker could exploit this vulnerability to launch a Denial of + Service attack on any application using the zlib library. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of zlib. +

+
+ +

+ All zlib users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=sys-libs/zlib-1.2.1-r3" + # emerge ">=sys-libs/zlib-1.2.1-r3" +

+ You should also run revdep-rebuild to rebuild any packages that depend + on older versions of zlib : +

+ + # revdep-rebuild +
+ + OpenPKG-SA-2004.038-zlib + CVE-2004-0797 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200408-27.xml b/xml/htdocs/security/en/glsa/glsa-200408-27.xml new file mode 100644 index 00000000..bc97a369 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200408-27.xml @@ -0,0 +1,83 @@ + + + + + + + Gaim: New vulnerabilities + + Gaim contains several security issues that might allow an attacker to + execute arbitrary code or commands. + + Gaim + August 27, 2004 + May 22, 2006: 02 + 61457 + remote + + + 0.81-r5 + 0.81-r5 + + + +

+ Gaim is a multi-protocol instant messaging client for Linux which + supports many instant messaging protocols. +

+
+ +

+ Gaim fails to do proper bounds checking when: +

+
    +
  • Handling MSN messages (partially fixed with GLSA 200408-12).
  • +
  • Handling rich text format messages.
  • +
  • Resolving local hostname.
  • +
  • Receiving long URLs.
  • +
  • Handling groupware messages.
  • +
  • Allocating memory for webpages with fake content-length + header.
  • +
+

+ Furthermore Gaim fails to escape filenames when using drag and drop + installation of smiley themes. +

+
+ +

+ These vulnerabilites could allow an attacker to crash Gaim or execute + arbitrary code or commands with the permissions of the user running + Gaim. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of Gaim. +

+
+ +

+ All gaim users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-im/gaim-0.81-r5" + # emerge ">=net-im/gaim-0.81-r5" +
+ + Gaim security issues + CVE-2004-0500 + CVE-2004-0754 + CVE-2004-0784 + CVE-2004-0785 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-01.xml b/xml/htdocs/security/en/glsa/glsa-200409-01.xml new file mode 100644 index 00000000..76a7d249 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-01.xml @@ -0,0 +1,66 @@ + + + + + + + vpopmail: Multiple vulnerabilities + + vpopmail contains several bugs making it vulnerable to several SQL + injection exploits as well as one buffer overflow and one format string + exploit when using Sybase. This could lead to the execution of arbitrary + code. + + vpopmail + September 01, 2004 + September 01, 2004: 01 + 60844 + remote + + + 5.4.6 + 5.4.6 + + + +

+ vpopmail handles virtual mail domains for qmail and Postfix. +

+
+ +

+ vpopmail is vulnerable to several unspecified SQL injection exploits. + Furthermore when using Sybase as the backend database vpopmail is + vulnerable to a buffer overflow and format string exploit. +

+
+ +

+ These vulnerabilities could allow an attacker to execute code with the + permissions of the user running vpopmail. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of vpopmail. +

+
+ +

+ All vpopmail users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-mail/vpopmail-5.4.6" + # emerge ">=net-mail/vpopmail-5.4.6" +
+ + vpopmail Announcement + Bugtraq Announcement + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-02.xml b/xml/htdocs/security/en/glsa/glsa-200409-02.xml new file mode 100644 index 00000000..8204ab27 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-02.xml @@ -0,0 +1,72 @@ + + + + + + + MySQL: Insecure temporary file creation in mysqlhotcopy + + The mysqlhotcopy utility can create temporary files with predictable paths, + allowing an attacker to use a symlink to trick MySQL into overwriting + important data. + + MySQL + September 01, 2004 + September 01, 2004: 01 + 60744 + local + + + 4.0.20-r1 + 4.0.20 + + + +

+ MySQL is a popular open-source multi-threaded, multi-user SQL database + server. +

+
+ +

+ Jeroen van Wolffelaar discovered that the MySQL database hot copy utility + (mysqlhotcopy.sh), when using the scp method, uses temporary files with + predictable names. A malicious local user with write access to the /tmp + directory could create a symbolic link pointing to a file, which may then + be overwritten. In cases where mysqlhotcopy is run as root, a malicious + user could create a symlink to a critical file such as /etc/passwd and + cause it to be overwritten. +

+
+ +

+ A local attacker could use this vulnerability to destroy other users' data + or corrupt and destroy system files, possibly leading to a denial of + service condition. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MySQL users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=dev-db/mysql-4.0.20-r1" + # emerge ">=dev-db/mysql-4.0.20-r1" +
+ + CAN-2004-0457 + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-03.xml b/xml/htdocs/security/en/glsa/glsa-200409-03.xml new file mode 100644 index 00000000..bb244491 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-03.xml @@ -0,0 +1,63 @@ + + + + + + + Python 2.2: Buffer overflow in getaddrinfo() + + Python 2.2 has a vulnerability in DNS handling when IPV6 is disabled and a + malformed IPV6 address is encountered by getaddrinfo(). + + Python + September 02, 2004 + September 02, 2004: 01 + 62440 + remote + + + 2.2.2 + 2.2 + 2.2.2 + + + +

+ Python is an interpreted, interactive, object-oriented, cross-platform + programming language. +

+
+ +

+ If IPV6 is disabled in Python 2.2, getaddrinfo() is not able to handle IPV6 + DNS requests properly and a buffer overflow occurs. +

+
+ +

+ An attacker can execute arbitrary code as the user running python. +

+
+ +

+ Users with IPV6 enabled are not affected by this vulnerability. +

+
+ +

+ All Python 2.2 users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=dev-lang/python-2.2.2" + # emerge ">=dev-lang/python-2.2.2" +
+ + CVE-2004-0150 + OSVDB:4172 + + + chriswhite + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-04.xml b/xml/htdocs/security/en/glsa/glsa-200409-04.xml new file mode 100644 index 00000000..7868f03d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-04.xml @@ -0,0 +1,68 @@ + + + + + + + Squid: Denial of service when using NTLM authentication + + Squid is vulnerable to a denial of service attack which could crash its + NTLM helpers. + + squid + September 02, 2004 + December 30, 2007: 03 + 61280 + remote + + + 2.5.6-r2 + 2.5 + 2.5.6-r1 + + + +

+ Squid is a full-featured Web Proxy Cache designed to run on Unix + systems. It supports proxying and caching of HTTP, FTP, and other URLs, + as well as SSL support, cache hierarchies, transparent caching, access + control lists and many other features. +

+
+ +

+ Squid 2.5.x versions contain a bug in the functions ntlm_fetch_string() + and ntlm_get_string() which lack checking the int32_t offset "o" for + negative values. +

+
+ +

+ A remote attacker could cause a denial of service situation by sending + certain malformed NTLMSSP packets if NTLM authentication is enabled. +

+
+ +

+ Disable NTLM authentication by removing any "auth_param ntlm program + ..." directives from squid.conf or use ntlm_auth from Samba-3.x. +

+
+ +

+ All Squid users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=net-www/squid-2.5.6-r2" + # emerge ">=net-www/squid-2.5.6-r2" +
+ + Squid-2.5 Patches + CVE-2004-0832 + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-05.xml b/xml/htdocs/security/en/glsa/glsa-200409-05.xml new file mode 100644 index 00000000..38d29d2e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-05.xml @@ -0,0 +1,79 @@ + + + + + + + Gallery: Arbitrary command execution + + The Gallery image upload code contains a temporary file handling + vulnerability which could lead to execution of arbitrary commands. + + Gallery + September 02, 2004 + May 22, 2006: 02 + 60742 + remote + + + 1.4.4_p2 + 1.4.4_p2 + + + +

+ Gallery is a PHP script for maintaining online photo albums. +

+
+ +

+ The upload handling code in Gallery places uploaded files in a + temporary directory. After 30 seconds, these files are deleted if they + are not valid images. However, since the file exists for 30 seconds, a + carefully crafted script could be initiated by the remote attacker + during this 30 second timeout. Note that the temporary directory has to + be located inside the webroot and an attacker needs to have upload + rights either as an authenticated user or via "EVERYBODY". +

+
+ +

+ An attacker could run arbitrary code as the user running PHP. +

+
+ +

+ There are several workarounds to this vulnerability: +

+
    +
  • Make sure that your temporary directory is not contained in the + webroot; by default it is located outside the webroot.
  • +
  • Disable upload rights to all albums for "EVERYBODY"; upload is + disabled by default.
  • +
  • Disable debug and dev mode; these settings are disabled by + default.
  • +
  • Disable allow_url_fopen in php.ini.
  • +
+
+ +

+ All Gallery users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=www-apps/gallery-1.4.4_p2" + # emerge ">=www-apps/gallery-1.4.4_p2" +
+ + Full Disclosure Announcement + Gallery Announcement + CVE-2004-1466 + + + jaervosz + + + chriswhite + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-06.xml b/xml/htdocs/security/en/glsa/glsa-200409-06.xml new file mode 100644 index 00000000..2e296117 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-06.xml @@ -0,0 +1,70 @@ + + + + + + + eGroupWare: Multiple XSS vulnerabilities + + The eGroupWare software contains multiple cross site scripting + vulnerabilities. + + eGroupWare + September 02, 2004 + May 22, 2006: 02 + 61510 + remote + + + 1.0.00.004 + 1.0.00.003 + + + +

+ eGroupWare is a suite of web-based group applications including + calendar, address book, messenger and email. +

+
+ +

+ Joxean Koret recently discovered multiple cross site scripting + vulnerabilities in various modules for the eGroupWare suite. This + includes the calendar, address book, messenger and ticket modules. +

+
+ +

+ These vulnerabilities give an attacker the ability to inject and + execute malicious script code, potentially compromising the victim's + browser. +

+
+ +

+ There is no known workaround at this time. All users are encouraged to + upgrade to the latest available version of eGroupWare. +

+
+ +

+ All eGroupWare users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=www-apps/egroupware-1.0.00.004" + # emerge ">=www-apps/egroupware-1.0.00.004" +
+ + eGroupWare Announcement + Bugtraq Announcement + CVE-2004-1467 + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-07.xml b/xml/htdocs/security/en/glsa/glsa-200409-07.xml new file mode 100644 index 00000000..309c6aef --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-07.xml @@ -0,0 +1,67 @@ + + + + + + + xv: Buffer overflows in image handling + + xv contains multiple exploitable buffer overflows in the image handling + code. + + xv + September 03, 2004 + September 03, 2004: 01 + 61619 + remote + + + 3.10a-r7 + 3.10a-r7 + + + +

+ xv is a multi-format image manipulation utility. +

+
+ +

+ Multiple buffer overflow and integer handling vulnerabilities have been + discovered in xv's image processing code. These vulnerabilities have been + found in the xvbmp.c, xviris.c, xvpcx.c and xvpm.c source files. +

+
+ +

+ An attacker might be able to embed malicious code into an image, which + would lead to the execution of arbitrary code under the privileges of the + user viewing the image. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xv users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=media-gfx/xv-3.10a-r7" + # emerge ">=media-gfx/xv-3.10a-r7" +
+ + BugTraq Advisory + CAN-2004-0802 + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-08.xml b/xml/htdocs/security/en/glsa/glsa-200409-08.xml new file mode 100644 index 00000000..5fef8c7a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-08.xml @@ -0,0 +1,74 @@ + + + + + + + Ruby: CGI::Session creates files insecurely + + When used for CGI scripting, Ruby creates session files in /tmp with the + permissions of the default umask. Depending on that umask, local users may + be able to read sensitive data stored in session files. + + dev-lang/ruby + September 03, 2004 + September 03, 2004: 01 + 60525 + local + + + 1.6.8-r11 + 1.8.0-r7 + 1.8.2_pre2 + 1.8.2_pre2 + + + +

+ Ruby is an Object Oriented, interpreted scripting language used for many + system scripting tasks. It can also be used for CGI web applications. +

+
+ +

+ The CGI::Session::FileStore implementation (and presumably + CGI::Session::PStore), which allow data associated with a particular + Session instance to be written to a file, writes to a file in /tmp with no + regard for secure permissions. As a result, the file is left with whatever + the default umask permissions are, which commonly would allow other local + users to read the data from that session file. +

+
+ +

+ Depending on the default umask, any data stored using these methods could + be read by other users on the system. +

+
+ +

+ By changing the default umask on the system to not permit read access to + other users (e.g. 0700), one can prevent these files from being readable by + other users. +

+
+ +

+ All Ruby users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=dev-lang/ruby-your_version" + # emerge ">=dev-lang/ruby-your_version" +
+ + CAN-2004-0755 + + + jaervosz + + + dmargoli + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-09.xml b/xml/htdocs/security/en/glsa/glsa-200409-09.xml new file mode 100644 index 00000000..ee1fe863 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-09.xml @@ -0,0 +1,85 @@ + + + + + + + MIT krb5: Multiple vulnerabilities + + MIT krb5 contains several double-free vulnerabilities, potentially allowing + the execution of arbitrary code, as well as a denial of service + vulnerability. + + mit-krb5 + September 06, 2004 + September 06, 2004: 01 + 62417 + remote + + + 1.3.4 + 1.3.4 + + + +

+ MIT krb5 is the free implementation of the Kerberos network authentication + protocol by the Massachusetts Institute of Technology. +

+
+ +

+ The implementation of the Key Distribution Center (KDC) and the MIT krb5 + library contain double-free vulnerabilities, making client programs as well + as application servers vulnerable. +

+

+ The ASN.1 decoder library is vulnerable to a denial of service attack, + including the KDC. +

+
+ +

+ The double-free vulnerabilities could allow an attacker to execute + arbitrary code on a KDC host and hosts running krb524d or vulnerable + services. In the case of a KDC host, this can lead to a compromise of the + entire Kerberos realm. Furthermore, an attacker impersonating a legitimate + KDC or application server can potentially execute arbitrary code on + authenticating clients. +

+

+ An attacker can cause a denial of service for a KDC or application server + and clients, the latter if impersonating a legitimate KDC or application + server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mit-krb5 users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=app-crypt/mit-krb5-1.3.4" + # emerge ">=app-crypt/mit-krb5-1.3.4" +
+ + MIT krb5 Security Advisory 2004-002 + MIT krb5 Security Advisory 2004-003 + CAN-2004-0642 + CAN-2004-0643 + CAN-2004-0644 + CAN-2004-0772 + + + jaervosz + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-10.xml b/xml/htdocs/security/en/glsa/glsa-200409-10.xml new file mode 100644 index 00000000..e0d27a58 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-10.xml @@ -0,0 +1,70 @@ + + + + + + + multi-gnome-terminal: Information leak + + Active keystroke logging in multi-gnome-terminal has been discovered in + potentially world-readable files. This could allow any authorized user on + the system to read sensitive data, including passwords. + + multi-gnome-terminal + September 06, 2004 + September 06, 2004: 01 + 62322 + local + + + 1.6.2-r1 + 1.6.2-r1 + + + +

+ multi-gnome-terminal is an enhanced terminal emulator that is derived from + gnome-terminal. +

+
+ +

+ multi-gnome-terminal contains debugging code that has been known to output + active keystrokes to a potentially unsafe location. Output has been seen to + show up in the '.xsession-errors' file in the users home directory. Since + this file is world-readable on many machines, this bug has the potential to + leak sensitive information to anyone using the system. +

+
+ +

+ Any authorized user on the local machine has the ability to read any + critical data that has been entered into the terminal, including passwords. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All multi-gnome-terminal users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=x11-terms/multi-gnome-terminal-1.6.2-r1" + # emerge ">=x11-terms/multi-gnome-terminal-1.6.2-r1" +
+ + + koon + + + lewk + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-11.xml b/xml/htdocs/security/en/glsa/glsa-200409-11.xml
new file mode 100644
index 00000000..ce39b680
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200409-11.xml
@@ -0,0 +1,69 @@
+ + + + + + + star: Suid root vulnerability + + star contains a suid root vulnerability which could potentially grant + unauthorized root access to an attacker. + + star + September 07, 2004 + May 30, 2006: 03 + 61797 + local + + + 1.5_alpha46 + 1.5_alpha46 + + + +

+ star is an enhanced tape archiver, much like tar, that is recognized + for it's speed as well as it's enhanced mt/rmt support. +

+
+ +

+ A suid root vulnerability exists in versions of star that are + configured to use ssh for remote tape access. +

+
+ +

+ Attackers with local user level access could potentially gain root + level access. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All star users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-arch/star-1.5_alpha46" + # emerge ">=app-arch/star-1.5_alpha46" +
+ + Star Mailing List Announcement + CVE-2004-0850 + + + jaervosz + + + lewk + + + koon + +
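Review bot: The package description in this advisory uses the contraction "it's" twice where the possessive is meant ("recognized for it's speed as well as it's enhanced mt/rmt support"); both should read `its`. Since the "Background" paragraph is reproduced verbatim on the published advisory page, the wording is worth fixing before it ships. The proposed line is `for its speed as well as its enhanced mt/rmt support.`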
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-12.xml b/xml/htdocs/security/en/glsa/glsa-200409-12.xml new file mode 100644 index 00000000..4a3a7fa0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-12.xml @@ -0,0 +1,100 @@ + + + + + + + ImageMagick, imlib, imlib2: BMP decoding buffer overflows + + ImageMagick, imlib and imlib2 contain exploitable buffer overflow + vulnerabilities in the BMP image processing code. + + imagemagick imlib + September 08, 2004 + September 08, 2004: 01 + 62309 + 62487 + remote + + + 6.0.7.1 + 6.0.7.1 + + + 1.9.14-r2 + 1.9.14-r2 + + + 1.1.2 + 1.1.2 + + + +

+ ImageMagick is a suite of image manipulation utilities and libraries used + for a wide variety of image formats. imlib is a general image loading and + rendering library. +

+
+ +

+ Due to improper bounds checking, ImageMagick and imlib are vulnerable to a + buffer overflow when decoding runlength-encoded bitmaps. This bug can be + exploited using a specially-crafted BMP image and could potentially allow + remote code execution when this image is decoded by the user. +

+
+ +

+ A specially-crafted runlength-encoded BMP could lead ImageMagick and imlib + to crash or potentially execute arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ImageMagick users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=media-gfx/imagemagick-6.0.7.1" + # emerge ">=media-gfx/imagemagick-6.0.7.1" +

+ All imlib users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=media-libs/imlib-1.9.14-r2" + # emerge ">=media-libs/imlib-1.9.14-r2" +

+ All imlib2 users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=media-libs/imlib2-1.1.2" + # emerge ">=media-libs/imlib2-1.1.2" +
+ + CAN-2004-0817 + CAN-2004-0802 + ImageMagick Mailing List + SecurityTracker #1011104 + SecurityTracker #1011105 + + + koon + + + lewk + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-13.xml b/xml/htdocs/security/en/glsa/glsa-200409-13.xml new file mode 100644 index 00000000..9cd8112e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-13.xml @@ -0,0 +1,73 @@ + + + + + + + LHa: Multiple vulnerabilities + + Several buffer overflows and a shell metacharacter command execution + vulnerability have been found in LHa. These vulnerabilities can be used to + execute arbitrary code. + + lha + September 08, 2004 + October 20, 2006: 02 + 62618 + remote + + + 114i-r4 + 114i-r3 + + + +

+ LHa is a console-based program for packing and unpacking LHarc archives. +

+
+ +

+ The command line argument as well as the archive parsing code of LHa lack + sufficient bounds checking. Furthermore, a shell meta character command + execution vulnerability exists in LHa, since it does no proper filtering on + directory names. +

+
+ +

+ Using a specially crafted command line argument or archive, an attacker can + cause a buffer overflow and could possibly run arbitrary code. The shell + meta character command execution could lead to the execution of arbitrary + commands by an attacker using directories containing shell meta characters + in their names. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All LHa users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=app-arch/lha-114i-r4" + # emerge ">=app-arch/lha-114i-r4" +
+ + CAN-2004-0694 + CAN-2004-0745 + CAN-2004-0769 + CAN-2004-0771 + + + vorlon078 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-14.xml b/xml/htdocs/security/en/glsa/glsa-200409-14.xml new file mode 100644 index 00000000..20b8715d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-14.xml @@ -0,0 +1,68 @@ + + + + + + + Samba: Remote printing non-vulnerability + + Samba has a bug with out of sequence print change notification requests, + but it cannot be used to perform a remote denial of service attack. + + samba + September 09, 2004 + May 22, 2006: 03 + 62476 + remote + + + +

+ Samba is a freely available SMB/CIFS implementation which allows + seamless interoperability of file and print services to other SMB/CIFS + clients. +

+
+ +

+ Due to a bug in the printer_notify_info() function, authorized users + could potentially crash their smbd process by sending improperly + handled print change notification requests in an invalid order. Windows + XP SP2 clients can trigger this behavior by sending a + FindNextPrintChangeNotify() request before previously sending a + FindFirstPrintChangeNotify() request. +

+
+ +

+ We incorrectly thought that this bug could be exploited to deny service + to all Samba users. It is not the case, this bug has no security impact + whatsoever. Many thanks to Jerry Carter from the Samba team for + correcting our mistake. +

+
+ +

+ There is no need for a workaround. +

+
+ +

+ Samba users can keep their current versions. +

+
+ + Samba Release Notes + Samba Bug #1520 + CVE-2004-0829 + + + jaervosz + + + lewk + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-15.xml b/xml/htdocs/security/en/glsa/glsa-200409-15.xml new file mode 100644 index 00000000..21e23529 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-15.xml @@ -0,0 +1,99 @@ + + + + + + + Webmin, Usermin: Multiple vulnerabilities in Usermin + + A vulnerability in the webmail function of Usermin could be used by an + attacker to execute shell code via a specially-crafted e-mail. A bug in the + installation script of Webmin and Usermin also allows a local user to + execute a symlink attack at installation time. + + Usermin + September 12, 2004 + May 22, 2006: 02 + 63167 + remote + + + 1.090 + 1.090 + + + 1.160 + 1.160 + + + +

+ Webmin and Usermin are web-based system administration consoles. Webmin + allows an administrator to easily configure servers and other features. + Usermin allows users to configure their own accounts, execute commands, + and read e-mail. The Usermin functionality, including webmail, is also + included in Webmin. +

+
+ +

+ There is an input validation bug in the webmail feature of Usermin. +

+

+ Additionally, the Webmin and Usermin installation scripts write to + /tmp/.webmin without properly checking if it exists first. +

+
+ +

+ The first vulnerability allows a remote attacker to inject arbitrary + shell code in a specially-crafted e-mail. This could lead to remote + code execution with the privileges of the user running Webmin or + Usermin. +

+

+ The second could allow local users who know Webmin or Usermin is going + to be installed to have arbitrary files be overwritten by creating a + symlink by the name /tmp/.webmin that points to some target file, e.g. + /etc/passwd. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Usermin users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-admin/usermin-1.090" + # emerge ">=app-admin/usermin-1.090" +

+ All Webmin users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-admin/webmin-1.160" + # emerge ">=app-admin/webmin-1.160" +
+ + Secunia Advisory SA12488 + Usermin Changelog + CVE-2004-0559 + CVE-2004-1468 + + + koon + + + koon + + + dmargoli + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-16.xml b/xml/htdocs/security/en/glsa/glsa-200409-16.xml new file mode 100644 index 00000000..72873741 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-16.xml @@ -0,0 +1,72 @@ + + + + + + + Samba: Denial of Service vulnerabilities + + Two Denial of Service vulnerabilities have been found and fixed in Samba. + + Samba + September 13, 2004 + September 13, 2004: 01 + remote + + + 3.0.7 + 3.0 + 3.0.7 + + + +

+ Samba is a freely available SMB/CIFS implementation which allows seamless + interoperability of file and print services to other SMB/CIFS clients. smbd + and nmbd are two daemons used by the Samba server. +

+
+ +

+ There is a defect in smbd's ASN.1 parsing. A bad packet received during the + authentication request could throw newly-spawned smbd processes into an + infinite loop (CAN-2004-0807). Another defect was found in nmbd's + processing of mailslot packets, where a bad NetBIOS request could crash the + nmbd process (CAN-2004-0808). +

+
+ +

+ A remote attacker could send specially crafted packets to trigger both + defects. The ASN.1 parsing issue can be exploited to exhaust all available + memory on the Samba host, potentially denying all service to that server. + The nmbd issue can be exploited to crash the nmbd process, resulting in a + Denial of Service condition on the Samba server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Samba 3.x users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-fs/samba-3.0.7" + # emerge ">=net-fs/samba-3.0.7" +
+ + CAN-2004-0807 + CAN-2004-0808 + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-17.xml b/xml/htdocs/security/en/glsa/glsa-200409-17.xml new file mode 100644 index 00000000..1eaad893 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-17.xml @@ -0,0 +1,72 @@ + + + + + + + SUS: Local root vulnerability + + SUS contains a string format bug that could lead to local privilege + escalation. + + SUS + September 14, 2004 + May 22, 2006: 02 + 63927 + local + + + 2.0.2-r1 + 2.0.2-r1 + + + +

+ SUS is a utility that allows regular users to be able to execute + certain commands as root. +

+
+ +

+ Leon Juranic found a bug in the logging functionality of SUS that can + lead to local privilege escalation. A format string vulnerability + exists in the log() function due to an incorrect call to the syslog() + function. +

+
+ +

+ An attacker with local user privileges can potentially exploit this + vulnerability to gain root access. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SUS users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-admin/sus-2.0.2-r1" + # emerge ">=app-admin/sus-2.0.2-r1" +
+ + SUS ChangeLog + BugTraq Advisory + CVE-2004-1469 + + + jaervosz + + + lewk + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-18.xml b/xml/htdocs/security/en/glsa/glsa-200409-18.xml new file mode 100644 index 00000000..802c527b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-18.xml @@ -0,0 +1,76 @@ + + + + + + + cdrtools: Local root vulnerability in cdrecord if set SUID root + + cdrecord, if manually set SUID root, is vulnerable to a local root exploit + allowing users to escalate privileges. + + cdrtools + September 14, 2004 + September 14, 2004: 01 + 63187 + local + + + 2.01_alpha37-r1 + 2.01_alpha28-r2 + 2.01_alpha37 + + + +

+ The cdrtools package is a set of tools for CD recording, including the + popular cdrecord command-line utility. +

+
+ +

+ Max Vozeler discovered that the cdrecord utility, when set to SUID root, + fails to drop root privileges before executing a user-supplied RSH program. + By default, Gentoo does not ship the cdrecord utility as SUID root and + therefore is not vulnerable. However, many users (and CD-burning + front-ends) set this manually after installation. +

+
+ +

+ A local attacker could specify a malicious program using the $RSH + environment variable and have it executed by the SUID cdrecord, resulting + in root privileges escalation. +

+
+ +

+ As a workaround, you could remove the SUID rights from your cdrecord + utility : +

+ + # chmod a-s /usr/bin/cdrecord +
+ +

+ All cdrtools users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-cdr/cdrtools-2.01_alpha37-r1" + # emerge ">=app-cdr/cdrtools-2.01_alpha37-r1" +
+ + CAN-2004-0806 + + + jaervosz + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-19.xml b/xml/htdocs/security/en/glsa/glsa-200409-19.xml new file mode 100644 index 00000000..0389b568 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-19.xml @@ -0,0 +1,71 @@ + + + + + + + Heimdal: ftpd root escalation + + Several bugs exist in the Heimdal ftp daemon which could allow a remote + attacker to gain root privileges. + + heimdal + September 16, 2004 + September 16, 2004: 01 + 61412 + remote + + + 0.6.3 + 0.6.3 + + + +

+ Heimdal is an implementation of Kerberos 5. +

+
+ +

+ Przemyslaw Frasunek discovered several flaws in lukemftpd, which also apply + to Heimdal ftpd's out-of-band signal handling code. +

+

+ Additionally, a potential vulnerability that could lead to Denial of + Service by the Key Distribution Center (KDC) has been fixed in this + version. +

+
+ +

+ A remote attacker could be able to run arbitrary code with escalated + privileges, which can result in a total compromise of the server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Heimdal users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-crypt/heimdal-0.6.3" + # emerge ">=app-crypt/heimdal-0.6.3" +
+ + Heimdal advisory + Advisory by Przemyslaw Frasunek + CAN-2004-0794 + + + vorlon078 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-20.xml b/xml/htdocs/security/en/glsa/glsa-200409-20.xml new file mode 100644 index 00000000..5d99f240 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-20.xml @@ -0,0 +1,68 @@ + + + + + + + mpg123: Buffer overflow vulnerability + + mpg123 decoding routines contain a buffer overflow bug that might + lead to arbitrary code execution. + + mpg123 + September 16, 2004 + September 16, 2004: 01 + 63079 + remote + + + 0.59s-r4 + 0.59s-r3 + + + +

+ mpg123 is a MPEG Audio Player. +

+
+ +

+ mpg123 contains a buffer overflow in the code that handles layer2 + decoding of media files. +

+
+ +

+ An attacker can possibly exploit this bug with a specially-crafted mp3 or mp2 file + to execute arbitrary code with the permissions of the user running mpg123. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mpg123 users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=media-sound/mpg123-0.59s-r4" + # emerge ">=media-sound/mpg123-0.59s-r4" +
+ + BugTraq Announcement + CAN-2004-0805 + + + jaervosz + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-21.xml b/xml/htdocs/security/en/glsa/glsa-200409-21.xml new file mode 100644 index 00000000..32a238d3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-21.xml @@ -0,0 +1,101 @@ + + + + + + + Apache 2, mod_dav: Multiple vulnerabilities + + Several vulnerabilities have been found in Apache 2 and mod_dav for Apache + 1.3 which could allow a remote attacker to cause a Denial of Service or a + local user to get escalated privileges. + + apache + September 16, 2004 + December 30, 2007: 02 + 62626 + 63948 + 64145 + remote + + + 2.0.51 + 2.0 + 2.0.51 + + + 1.0.3-r2 + 1.0.3-r1 + + + +

+ The Apache HTTP server is one of most popular web servers on the internet. + mod_ssl provides SSL v2/v3 and TLS v1 support for it and mod_dav is the + Apache module for Distributed Authoring and Versioning (DAV). +

+
+ +

+ A potential infinite loop has been found in the input filter of mod_ssl + (CAN-2004-0748) as well as a possible segmentation fault in the + char_buffer_read function if reverse proxying to a SSL server is being used + (CAN-2004-0751). Furthermore, mod_dav, as shipped in Apache httpd 2 or + mod_dav 1.0.x for Apache 1.3, contains a NULL pointer dereference which can + be triggered remotely (CAN-2004-0809). The third issue is an input + validation error found in the IPv6 URI parsing routines within the apr-util + library (CAN-2004-0786). Additionally a possible buffer overflow has been + reported when expanding environment variables during the parsing of + configuration files (CAN-2004-0747). +

+
+ +

+ A remote attacker could cause a Denial of Service either by aborting a SSL + connection in a special way, resulting in CPU consumption, by exploiting + the segmentation fault in mod_ssl or the mod_dav flaw. A remote attacker + could also crash a httpd child process by sending a specially crafted URI. + The last vulnerabilty could be used by a local user to gain the privileges + of a httpd child, if the server parses a carefully prepared .htaccess file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache 2 users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=www-servers/apache-2.0.51" + # emerge ">=www-servers/apache-2.0.51" +

+ All mod_dav users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-www/mod_dav-1.0.3-r2" + # emerge ">=net-www/mod_dav-1.0.3-r2" +
+ + CAN-2004-0747 + CAN-2004-0748 + CAN-2004-0751 + CAN-2004-0786 + CAN-2004-0809 + + + jaervosz + + + vorlon078 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-22.xml b/xml/htdocs/security/en/glsa/glsa-200409-22.xml
new file mode 100644
index 00000000..12557420
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200409-22.xml
@@ -0,0 +1,71 @@
+ + + + + + + phpGroupWare: XSS vulnerability in wiki module + + The phpGroupWare software contains a cross site scripting vulnerability in + the wiki module. + + phpGroupWare + September 16, 2004 + May 22, 2006: 02 + 63063 + remote + + + 0.9.16.003 + 0.9.16.003 + + + +

+ phpGroupWare is a web-based suite of group applications including + calendar, todo-list, addressbook, email, wiki, news headlines, and a + file manager. +

+
+ +

+ Due to an input validation error, the wiki module in the phpGroupWare + suite is vulnerable to cross site scripting attacks. +

+
+ +

+ This vulnerability gives an attacker the ability to inject and execute + malicious script code, potentially compromising the victim's browser. +

+
+ +

+ The is no known workaround at this time. +

+
+ +

+ All phpGroupWare users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=www-apps/phpgroupware-0.9.16.003" + # emerge ">=www-apps/phpgroupware-0.9.16.003" +
+ + phpGroupWare ChangeLog + Secunia Advisory SA12466 + CVE-2004-0875 + + + koon + + + lewk + + + lewk + +
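Review bot: The workaround paragraph reads "The is no known workaround at this time", a typo in the one sentence readers look at when deciding whether they can defer the upgrade. Every other advisory in this series uses the fixed phrase `There is no known workaround at this time.`, so this file should match it exactly.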
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-23.xml b/xml/htdocs/security/en/glsa/glsa-200409-23.xml
new file mode 100644
index 00000000..717ee2e5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200409-23.xml
@@ -0,0 +1,70 @@
+ + + + + + + SnipSnap: HTTP response splitting + + SnipSnap is vulnerable to HTTP response splitting attacks such as web cache + poisoning, cross-user defacement, and cross-site scripting. + + snipsnap + September 17, 2004 + May 22, 2006: 02 + 64154 + remote + + + 1.0_beta1 + 1.0_beta1 + + + +

+ SnipSnap is a user friendly content management system with features + such as wiki and weblog. +

+
+ +

+ SnipSnap contains various HTTP response splitting vulnerabilities that + could potentially compromise the sites data. Some of these attacks + include web cache poisoning, cross-user defacement, hijacking pages + with sensitive user information, and cross-site scripting. This + vulnerability is due to the lack of illegal input checking in the + software. +

+
+ +

+ A malicious user could inject and execute arbitrary script code, + potentially compromising the victim's data or browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SnipSnap users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=dev-java/snipsnap-bin-1.0_beta1" + # emerge ">=dev-java/snipsnap-bin-1.0beta1" +
+ + SnipSnap Release Notes + CVE-2004-1470 + + + lewk + + + lewk + +
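Review bot: The two resolution commands disagree on the package version: the `-pv` line asks for `">=dev-java/snipsnap-bin-1.0_beta1"` while the actual emerge line asks for `">=dev-java/snipsnap-bin-1.0beta1"`. The header of this advisory gives the fixed version as `1.0_beta1`, so the second command is the one that is wrong and would not select the version the advisory says resolves the issue. It should read `# emerge ">=dev-java/snipsnap-bin-1.0_beta1"`.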
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-24.xml b/xml/htdocs/security/en/glsa/glsa-200409-24.xml
new file mode 100644
index 00000000..d42ed0e3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200409-24.xml
@@ -0,0 +1,78 @@
+ + + + + + + Foomatic: Arbitrary command execution in foomatic-rip filter + + The foomatic-rip filter in foomatic-filters contains a vulnerability which + may allow arbitrary command execution on the print server. + + foomatic + September 20, 2004 + September 20, 2004: 01 + 64166 + remote + + + 3.0.2 + 3.0.1 + + + 3.0.2 + 3.0.1 + + + +

+ Foomatic is a system for connecting printer drivers with spooler systems + such as CUPS and LPD. The foomatic-filters package contains wrapper scripts + which are designed to be used with Foomatic. +

+
+ +

+ There is a vulnerability in the foomatic-filters package. This + vulnerability is due to insufficient checking of command-line parameters + and environment variables in the foomatic-rip filter. +

+
+ +

+ This vulnerability may allow both local and remote attackers to execute + arbitrary commands on the print server with the permissions of the spooler + (oftentimes the "lp" user). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All foomatic users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-print/foomatic-3.0.2" + # emerge ">=net-print/foomatic-3.0.2" +

+ PLEASE NOTE: You should update foomatic, instead of foomatic-filters. This + will help to ensure that all other foomatic components remain functional. +

+
+ + Foomatic Announcement + Mandrakesoft Security Advisory + CAN 2004-0801 + + + condordes + + + lewk + +
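Review bot: The vulnerability reference in this advisory is written as `CAN 2004-0801`, without the hyphen that every other CAN/CVE identifier in this commit carries (for example `CAN-2004-0558` in the next file). Identifier lookups and the cross-references generated from these files match on the exact string, so the malformed identifier is likely to be missed. It should be `CAN-2004-0801`.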
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-25.xml b/xml/htdocs/security/en/glsa/glsa-200409-25.xml new file mode 100644 index 00000000..0c0f8a57 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-25.xml @@ -0,0 +1,70 @@ + + + + + + + CUPS: Denial of service vulnerability + + A vulnerability in CUPS allows remote attackers to cause a denial of + service when sending a carefully-crafted UDP packet to the IPP port. + + CUPS + September 20, 2004 + September 21, 2004: 02 + 64168 + remote + + + 1.1.20-r2 + 1.1.20-r2 + + + +

+ The Common UNIX Printing System (CUPS) is a cross-platform print spooler. +

+
+ +

+ Alvaro Martinez Echevarria discovered a hole in the CUPS Internet Printing + Protocol (IPP) implementation that allows remote attackers to cause CUPS to + stop listening on the IPP port. +

+
+ +

+ A remote user with malicious intent can easily cause a denial of service to + the CUPS daemon by sending a specially-crafted UDP datagram packet to the + IPP port. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CUPS users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-print/cups-1.1.20-r2" + # emerge ">=net-print/cups-1.1.20-r2" +
+ + CUPS Software Trouble Report + CAN-2004-0558 + + + lewk + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-26.xml b/xml/htdocs/security/en/glsa/glsa-200409-26.xml new file mode 100644 index 00000000..84d24725 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-26.xml @@ -0,0 +1,121 @@ + + + + + + + Mozilla, Firefox, Thunderbird, Epiphany: New releases fix vulnerabilities + + New releases of Mozilla, Epiphany, Mozilla Thunderbird, and Mozilla Firefox + fix several vulnerabilities, including the remote execution of arbitrary + code. + + Mozilla + September 20, 2004 + December 30, 2007: 03 + 63996 + remote + + + 1.7.3 + 1.7.3 + + + 1.0_pre + 1.0_pre + + + 0.8 + 0.8 + + + 1.7.3 + 1.7.3 + + + 1.0_pre + 1.0_pre + + + 0.8 + 0.8 + + + 1.2.9-r1 + 1.2.9-r1 + + + +

+ Mozilla is a popular web browser that includes a mail and newsreader. + Epiphany is a web browser that uses Gecko, the Mozilla rendering + engine. Mozilla Firefox and Mozilla Thunderbird are respectively the + next-generation browser and mail client from the Mozilla project. +

+
+ +

+ Mozilla-based products are vulnerable to multiple security issues. + Firstly routines handling the display of BMP images and VCards contain + an integer overflow and a stack buffer overrun. Specific pages with + long links, when sent using the "Send Page" function, and links with + non-ASCII hostnames could both cause heap buffer overruns. +

+

+ Several issues were found and fixed in JavaScript rights handling: + untrusted script code could read and write to the clipboard, signed + scripts could build confusing grant privileges dialog boxes, and when + dragged onto trusted frames or windows, JavaScript links could access + information and rights of the target frame or window. Finally, + Mozilla-based mail clients (Mozilla and Mozilla Thunderbird) are + vulnerable to a heap overflow caused by invalid POP3 mail server + responses. +

+
+ +

+ An attacker might be able to run arbitrary code with the rights of the + user running the software by enticing the user to perform one of the + following actions: view a specially-crafted BMP image or VCard, use the + "Send Page" function on a malicious page, follow links with malicious + hostnames, drag multiple JavaScript links in a row to another window, + or connect to an untrusted POP3 mail server. An attacker could also use + a malicious page with JavaScript to disclose clipboard contents or + abuse previously-given privileges to request XPI installation + privileges through a confusing dialog. +

+
+ +

+ There is no known workaround covering all vulnerabilities. +

+
+ +

+ All users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv your-version + # emerge your-version +
+ + Mozilla Security Advisory + US-CERT Security Alert TA04-261A + CVE-2004-0902 + CVE-2004-0903 + CVE-2004-0904 + CVE-2004-0905 + CVE-2004-0906 + CVE-2004-0907 + CVE-2004-0908 + CVE-2004-0909 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-27.xml b/xml/htdocs/security/en/glsa/glsa-200409-27.xml new file mode 100644 index 00000000..d2420686 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-27.xml @@ -0,0 +1,69 @@ + + + + + + + glFTPd: Local buffer overflow vulnerability + + glFTPd is vulnerable to a local buffer overflow which may allow arbitrary + code execution. + + glftpd + September 21, 2004 + September 21, 2004: 01 + 64809 + local + + + 1.32-r1 + 1.32-r1 + + + +

+ glFTPd is a highly configurable FTP server with many features. +

+
+ +

+ The glFTPd server is vulnerable to a buffer overflow in the 'dupescan' + program. This vulnerability is due to an unsafe strcpy() call which can + cause the program to crash when a large argument is passed. +

+
+ +

+ A local user with malicious intent can pass a parameter to the dupescan + program that exceeds the size of the buffer, causing it to overflow. This + can lead the program to crash, and potentially allow arbitrary code + execution with the permissions of the user running glFTPd, which could be + the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All glFTPd users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-ftp/glftpd-1.32-r1" + # emerge ">=net-ftp/glftpd-1.32-r1" +
+ + BugTraq Advisory + glFTPd Announcement + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-28.xml b/xml/htdocs/security/en/glsa/glsa-200409-28.xml new file mode 100644 index 00000000..809ad51e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200409-28.xml @@ -0,0 +1,94 @@ + + + + + + + GTK+ 2, gdk-pixbuf: Multiple image decoding vulnerabilities + + The GdkPixbuf library, which is also included in GTK+ 2, contains several + vulnerabilities that could lead to a Denial of Service or the execution of + arbitrary code. + + gtk+ + September 21, 2004 + September 21, 2004: 01 + 64230 + remote + + + 2.4.9-r1 + 2.0.0 + 2.4.9-r1 + + + 0.22.0-r3 + 0.22.0-r3 + + + +

+ GTK+ (GIMP Toolkit +) is a toolkit for creating graphical user interfaces. + The GdkPixbuf library provides facilities for image handling. It is + available as a standalone library as well as shipped with GTK+ 2. +

+
+ +

+ A vulnerability has been discovered in the BMP image preprocessor + (CAN-2004-0753). Furthermore, Chris Evans found a possible integer overflow + in the pixbuf_create_from_xpm() function, resulting in a heap overflow + (CAN-2004-0782). He also found a potential stack-based buffer overflow in + the xpm_extract_color() function (CAN-2004-0783). A possible integer + overflow has also been found in the ICO decoder. +

+
+ +

+ With a specially crafted BMP image an attacker could cause an affected + application to enter an infinite loop when that image is being processed. + Also, by making use of specially crafted XPM or ICO images an attacker + could trigger the overflows, which potentially allows the execution of + arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GTK+ 2 users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=x11-libs/gtk+-2.4.9-r1" + # emerge ">=x11-libs/gtk+-2.4.9-r1" +

+ All GdkPixbuf users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=media-libs/gdk-pixbuf-0.22.0-r3" + # emerge ">=media-libs/gdk-pixbuf-0.22.0-r3" +
+ + CAN-2004-0753 + CAN-2004-0782 + CAN-2004-0783 + CAN-2004-0788 + GNOME Bug 150601 + + + jaervosz + + + koon + + + vorlon078 + +
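Review bot: The description's last sentence, "A possible integer overflow has also been found in the ICO decoder", carries no identifier, while the references list CAN-2004-0788, which none of the three CVEs named in the description covers. Presumably that entry belongs to the ICO issue; if so the sentence should read `A possible integer overflow has also been found in the ICO decoder (CAN-2004-0788).` so that readers can match each text claim to a reference. Please confirm the mapping against the GNOME bug before changing it.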
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-29.xml b/xml/htdocs/security/en/glsa/glsa-200409-29.xml
new file mode 100644
index 00000000..b4ee4902
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200409-29.xml
@@ -0,0 +1,72 @@
+ + + + + + + FreeRADIUS: Multiple Denial of Service vulnerabilities + + Multiple Denial of Service vulnerabilities were found and fixed in + FreeRADIUS. + + FreeRADIUS + September 22, 2004 + May 22, 2006: 02 + 60587 + remote + + + 1.0.1 + 1.0.1 + + + +

+ FreeRADIUS is an open source RADIUS authentication server + implementation. +

+
+ +

+ There are undisclosed defects in the way FreeRADIUS handles incorrect + received packets. +

+
+ +

+ A remote attacker could send specially-crafted packets to the + FreeRADIUS server to deny service to other users by crashing the + server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FreeRADIUS users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-dialup/freeradius-1.0.1" + # emerge ">=net-dialup/freeradius-1.0.1" +
+ + FreeRADIUS Vulnerability Notifications + CVE-2004-0938 + CVE-2004-0960 + CVE-2004-0961 + + + jaervosz + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-30.xml b/xml/htdocs/security/en/glsa/glsa-200409-30.xml
new file mode 100644
index 00000000..a0cf7fa0
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200409-30.xml
@@ -0,0 +1,81 @@
+ + + + + + + xine-lib: Multiple vulnerabilities + + xine-lib contains several vulnerabilities potentially allowing the + execution of arbitrary code. + + xine-lib + September 22, 2004 + May 22, 2006: 02 + 64348 + remote + + + 1_rc6 + 1_rc5-r3 + + + +

+ xine-lib is a multimedia library which can be utilized to create + multimedia frontends. +

+
+ +

+ xine-lib contains two stack-based overflows and one heap-based + overflow. In the code reading VCD disc labels, the ISO disc label is + copied into an unprotected stack buffer of fixed size. Also, there is a + buffer overflow in the code that parses subtitles and prepares them for + display (XSA-2004-4). Finally, xine-lib contains a heap-based overflow + in the DVD sub-picture decoder (XSA-2004-5). +

+

+ (Please note that the VCD MRL issue mentioned in XSA-2004-4 was fixed + with GLSA 200408-18.) +

+
+ +

+ With carefully-crafted VCDs, DVDs, MPEGs or subtitles, an attacker may + cause xine-lib to execute arbitrary code with the permissions of the + user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=media-libs/xine-lib-1_rc6" + # emerge ">=media-libs/xine-lib-1_rc6" +
+ + BugTraq Announcement (XSA-2004-4) + BugTraq Announcement (XSA-2004-5) + CVE-2004-1379 + CVE-2004-1475 + CVE-2004-1476 + + + jaervosz + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-31.xml b/xml/htdocs/security/en/glsa/glsa-200409-31.xml
new file mode 100644
index 00000000..f0ff35b6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200409-31.xml
@@ -0,0 +1,72 @@
+ + + + + + + jabberd 1.x: Denial of Service vulnerability + + The jabberd server was found to be vulnerable to a remote Denial of Service + attack. + + jabberd + September 23, 2004 + May 22, 2006: 02 + 64741 + remote + + + 1.4.3-r4 + 1.4.3-r3 + + + +

+ Jabber is a set of streaming XML protocols enabling message, presence, + and other structured information exchange between two hosts. jabberd is + the original implementation of the Jabber protocol server. +

+
+ +

+ Jose Antonio Calvo found a defect in routines handling XML parsing of + incoming data. jabberd 1.x may crash upon reception of invalid data on + any socket connection on which XML is parsed. +

+
+ +

+ A remote attacker may send a specific sequence of bytes to an open + socket to crash the jabberd server, resulting in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All jabberd users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-im/jabberd-1.4.3-r4" + # emerge ">=net-im/jabberd-1.4.3-r4" +
+ + Vulnerability disclosure + Jabber announcement + CVE-2004-1378 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-32.xml b/xml/htdocs/security/en/glsa/glsa-200409-32.xml
new file mode 100644
index 00000000..4a7af905
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200409-32.xml
@@ -0,0 +1,74 @@
+ + + + + + + getmail: Filesystem overwrite vulnerability + + getmail contains a vulnerability that could potentially allow any local + user to create or overwrite files in any directory on the system. This flaw + can be escalated further and possibly lead to a complete system compromise. + + getmail + September 23, 2004 + May 22, 2006: 02 + 64643 + local + + + 4.2.0 + 4.2.0 + + + +

+ getmail is a reliable fetchmail replacement that supports Maildir, + Mboxrd and external MDA delivery. +

+
+ +

+ David Watson discovered a vulnerability in getmail when it is + configured to run as root and deliver mail to the maildirs/mbox files + of untrusted local users. A malicious local user can then exploit a + race condition, or a similar symlink attack, and potentially cause + getmail to create or overwrite files in any directory on the system. +

+
+ +

+ An untrusted local user could potentially create or overwrite files in + any directory on the system. This vulnerability may also be exploited + to have arbitrary commands executed as root. +

+
+ +

+ Do not run getmail as a privileged user; or, in version 4, use an + external MDA with explicitly configured user and group privileges. +

+
+ +

+ All getmail users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-mail/getmail-4.2.0" + # emerge ">=net-mail/getmail-4.2.0" +
+ + getmail ChangeLog + getmail Mailing List + CVE-2004-0880 + CVE-2004-0881 + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-33.xml b/xml/htdocs/security/en/glsa/glsa-200409-33.xml
new file mode 100644
index 00000000..fc9ca4d1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200409-33.xml
@@ -0,0 +1,68 @@
+ + + + + + + Apache: Exposure of protected directories + + A bug in the way Apache handles the Satisfy directive can lead to the + exposure of protected directories to unauthorized users. + + net=www/apache + September 24, 2004 + December 30, 2007: 02 + 64804 + remote + + + 2.0.51-r1 + 2.0.51 + 2.0.51 + + + +

+ The Apache HTTP server is one of most popular web servers on the Internet. +

+
+ +

+ A bug in the way Apache handles the Satisfy directive, which is used to + require that certain conditions (client host, client authentication, etc) + be met before access to a certain directory is granted, could allow the + exposure of protected directories to unauthorized clients. +

+
+ +

+ Directories containing protected data could be exposed to all visitors to + the webserver. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=www-servers/apache-2.0.51-r1" + # emerge ">=www-servers/apache-2.0.51-r1" +
+ + Apache Bug #31315 + CAN-2004-0811 + + + dmargoli + + + lewk + +
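Review bot: The product field in this file's header reads `net=www/apache`, with `=` where a category separator would be `-`, and it does not match the package the resolution section actually emerges, `www-servers/apache`. Every other advisory in this batch uses a plain product name, so the stray `=` looks like a typo rather than a convention; the value should be either `www-servers/apache` (consistent with the resolution) or at least `net-www/apache`. If the GLSA schema or the site's index page keys on this field, the malformed value may also break lookups, though that cannot be confirmed from the hunk alone.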
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-34.xml b/xml/htdocs/security/en/glsa/glsa-200409-34.xml
new file mode 100644
index 00000000..fa09ad28
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200409-34.xml
@@ -0,0 +1,98 @@
+ + + + + + + X.org, XFree86: Integer and stack overflows in libXpm + + libXpm, the X Pixmap library that is a part of the X Window System, + contains multiple stack and integer overflows that may allow a + carefully-crafted XPM file to crash applications linked against libXpm, + potentially allowing the execution of arbitrary code. + + X + September 27, 2004 + May 27, 2006: 02 + 64152 + remote + + + 6.7.0-r2 + 6.8.0-r1 + 6.7.0-r2 + 6.8.0 + + + 4.3.0-r7 + 4.3.0-r7 + + + 4.3.0-r7 + + + +

+ XFree86 and X.org are both implementations of the X Window System. +

+
+ +

+ Chris Evans has discovered multiple integer and stack overflow + vulnerabilities in the X Pixmap library, libXpm, which is a part of the + X Window System. These overflows can be exploited by the execution of a + malicious XPM file, which can crash applications that are dependent on + libXpm. +

+
+ +

+ A carefully-crafted XPM file could crash applications that are linked + against libXpm, potentially allowing the execution of arbitrary code + with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All X.org users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=x11-base/xorg-x11-6.7.0-r2" + # emerge ">=x11-base/xorg-x11-6.7.0-r2" +

+ All XFree86 users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=x11-base/xfree-4.3.0-r7" + # emerge ">=x11-base/xfree-4.3.0-r7" +

+ Note: Usage of XFree86 is deprecated on the AMD64, HPPA, IA64, MIPS, + PPC and SPARC architectures: XFree86 users on those architectures + should switch to X.org rather than upgrading XFree86. +

+
+ + X.org Security Advisory + X11R6.8.1 Release Notes + CAN-2004-0687 + CAN-2004-0688 + + + koon + + + lewk + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200409-35.xml b/xml/htdocs/security/en/glsa/glsa-200409-35.xml
new file mode 100644
index 00000000..e211aff2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200409-35.xml
@@ -0,0 +1,73 @@
+ + + + + + + Subversion: Metadata information leak + + An information leak in mod_authz_svn could allow sensitive metadata of + protected areas to be leaked to unauthorized users. + + Subversion + September 29, 2004 + September 29, 2004: 01 + 65085 + remote + + + 1.0.8 + 1.0.8 + + + +

+ Subversion is a versioning system designed to be a replacement for CVS. + mod_authz_svn is an Apache module to do path-based authentication for + Subversion repositories. +

+
+ +

+ There is a bug in mod_authz_svn that causes it to reveal logged metadata + regarding commits to protected areas. +

+
+ +

+ Protected files themselves will not be revealed, but an attacker could use + the metadata to reveal the existence of protected areas, such as paths, + file versions, and the commit logs from those areas. +

+
+ +

+ Rather than using mod_authz_svn, move protected areas into seperate + repositories and use native Apache authentication to make these + repositories unreadable. +

+
+ +

+ All Subversion users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=dev-util/subversion-1.0.8" + # emerge ">=dev-util/subversion-1.0.8" +
+ + CAN-2004-0749 + Subversion Advisory + + + jaervosz + + + dmargoli + + + koon + +
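Review bot: The background section describes mod_authz_svn as "an Apache module to do path-based authentication", but the module performs path-based authorization (deciding which paths an already-authenticated user may read), which is exactly the property the advisory says is violated; the sentence should read `mod_authz_svn is an Apache module to do path-based authorization for Subversion repositories.` Conflating the two terms matters here because the workaround relies on Apache authentication as the substitute control. The workaround section also has a spelling error, `seperate` should be `separate`.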
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-01.xml b/xml/htdocs/security/en/glsa/glsa-200410-01.xml
new file mode 100644
index 00000000..594b2fca
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-01.xml
@@ -0,0 +1,70 @@
+ + + + + + + sharutils: Buffer overflows in shar.c and unshar.c + + sharutils contains two buffer overflow vulnerabilities that could lead to + arbitrary code execution. + + sharutils + October 01, 2004 + May 22, 2006: 02 + 65773 + remote + + + 4.2.1-r10 + 4.2.1-r9 + + + +

+ sharutils contains utilities to manage shell archives. +

+
+ +

+ sharutils contains two buffer overflows. Ulf Harnhammar discovered a + buffer overflow in shar.c, where the length of data returned by the wc + command is not checked. Florian Schilhabel discovered another buffer + overflow in unshar.c. +

+
+ +

+ An attacker could exploit these vulnerabilities to execute arbitrary + code as the user running one of the sharutils programs. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All sharutils users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-arch/sharutils-4.2.1-r10" + # emerge ">=app-arch/sharutils-4.2.1-r10" +
+ + Debian Bug #265904 + CVE-2004-1773 + + + jaervosz + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-02.xml b/xml/htdocs/security/en/glsa/glsa-200410-02.xml
new file mode 100644
index 00000000..d5f185c4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-02.xml
@@ -0,0 +1,74 @@
+ + + + + + + Netpbm: Multiple temporary file issues + + Utilities included in old Netpbm versions are vulnerable to multiple + temporary files issues, potentially allowing a local attacker to overwrite + files with the rights of the user running the utility. + + Netpbm + October 04, 2004 + October 04, 2004: 01 + 65647 + local + + + 10.0 + 9.12-r4 + + + +

+ Netpbm is a toolkit containing more than 200 separate utilities for + manipulation and conversion of graphic images. +

+
+ +

+ Utilities contained in the Netpbm package prior to the 9.25 version contain + defects in temporary file handling. They create temporary files with + predictable names without checking first that the target file doesn't + already exist. +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When a + user or a tool calls one of the affected utilities, this would result in + file overwriting with the rights of the user running the utility. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Netpbm users should upgrade to an unaffected version: +

+ + # emerge sync + + # emerge -pv ">=media-libs/netpbm-10.0" + # emerge ">=media-libs/netpbm-10.0" +
+ + CVE-2003-0924 + US-CERT VU#487102 + + + lewk + + + koon + + + koon + +
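Review bot: The description says the defects are in Netpbm utilities "prior to the 9.25 version", but the version table lists only 9.12-r4 as vulnerable and 10.0 as unaffected, so neither version boundary in the table corresponds to the 9.25 cutoff the text gives. With the range attributes stripped from this view it is not possible to tell whether versions between 9.12-r4 and 10.0 are classified at all; the text and the table should agree, for example by stating `Utilities contained in the Netpbm package prior to the 10.0 version` if 10.0 is the first unaffected ebuild, or by adjusting the vulnerable entry to match 9.25. Readers use the table to decide whether to upgrade, so the mismatch is worth resolving before publication.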
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-03.xml b/xml/htdocs/security/en/glsa/glsa-200410-03.xml
new file mode 100644
index 00000000..2ccace36
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-03.xml
@@ -0,0 +1,76 @@
+ + + + + + + NetKit-telnetd: buffer overflows in telnet and telnetd + + Buffer overflows exist in the telnet client and daemon provided by + netkit-telnetd, which could possibly allow a remote attacker to gain root + privileges and compromise the system. + + netkit-telnetd + October 05, 2004 + October 05, 2004: 01 + 64632 + remote + + + 0.17-r4 + 0.17-r3 + + + +

+ NetKit-telnetd is a standard Linux telnet client and server from the NetKit + utilities. +

+
+ +

+ A possible buffer overflow exists in the parsing of option strings by the + telnet daemon, where proper bounds checking is not applied when writing to + a buffer. Additionaly, another possible buffer overflow has been found by + Josh Martin in the handling of the environment variable HOME. +

+
+ +

+ A remote attacker sending a specially-crafted options string to the telnet + daemon could be able to run arbitrary code with the privileges of the user + running the telnet daemon, usually root. Furthermore, an attacker could + make use of an overlong HOME variable to cause a buffer overflow in the + telnet client, potentially leading to the local execution of arbitrary + code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All NetKit-telnetd users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-misc/netkit-telnetd-0.17-r4" + # emerge ">=net-misc/netkit-telnetd-0.17-r4" +
+ + CVE-2001-0554 + Debian Bug #264846 + + + koon + + + vorlon078 + + + vorlon078 + +
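Review bot: The description section misspells `Additionaly`; it should be `Additionally, another possible buffer overflow has been found by Josh Martin in the handling of the environment variable HOME.` The same section cites CVE-2001-0554 only in the references, while the HOME-variable client overflow is given no identifier in the text, so a reader cannot tell which of the two issues the CVE covers; naming it inline next to the daemon option-string overflow, if that is the one it tracks, would remove the ambiguity.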
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-04.xml b/xml/htdocs/security/en/glsa/glsa-200410-04.xml
new file mode 100644
index 00000000..b3f504e3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-04.xml
@@ -0,0 +1,93 @@
+ + + + + + + PHP: Memory disclosure and arbitrary location file upload + + Two bugs in PHP may allow the disclosure of portions of memory and allow + remote attackers to upload files to arbitrary locations. + + PHP + October 06, 2004 + October 06, 2004: 01 + 64223 + remote + + + 4.3.9 + 4.3.9 + + + 4.3.9 + 4.3.9 + + + 4.3.9 + 4.3.9 + + + +

+ PHP is a general-purpose scripting language widely used to develop + web-based applications. It can run inside a web server using the mod_php + module or the CGI version of PHP, or can run stand-alone in a CLI. +

+
+ +

+ Stefano Di Paola discovered two bugs in PHP. The first is a parse error in + php_variables.c that could allow a remote attacker to view the contents of + the target machine's memory. Additionally, an array processing error in the + SAPI_POST_HANDLER_FUNC() function inside rfc1867.c could lead to the + $_FILES array being overwritten. +

+
+ +

+ A remote attacker could exploit the first vulnerability to view memory + contents. On a server with a script that provides file uploads, an attacker + could exploit the second vulnerability to upload files to an arbitrary + location. On systems where the HTTP server is allowed to write in a + HTTP-accessible location, this could lead to remote execution of arbitrary + commands with the rights of the HTTP server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHP, mod_php and php-cgi users should upgrade to the latest stable + version: +

+ + # emerge sync + + # emerge -pv ">=dev-php/php-4.3.9" + # emerge ">=dev-php/php-4.3.9" + + # emerge -pv ">=dev-php/mod_php-4.3.9" + # emerge ">=dev-php/mod_php-4.3.9" + + # emerge -pv ">=dev-php/php-cgi-4.3.9" + # emerge ">=dev-php/php-cgi-4.3.9" +
+ + Secunia Advisory + BugTraq post regarding the php_variables.c issue + BugTraq post regarding the rfc1867.c issue + + + dmargoli + + + koon + + + dmargoli + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-05.xml b/xml/htdocs/security/en/glsa/glsa-200410-05.xml
new file mode 100644
index 00000000..8c119f80
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-05.xml
@@ -0,0 +1,68 @@
+ + + + + + + Cyrus-SASL: Buffer overflow and SASL_PATH vulnerabilities + + Cyrus-SASL contains two vulnerabilities that might allow an attacker to + completely compromise the vulnerable system. + + Cyrus-SASL + October 07, 2004 + May 22, 2006: 02 + 56016 + remote + + + 2.1.18-r2 + 2.1.18-r1 + + + +

+ Cyrus-SASL is an implementation of the Simple Authentication and + Security Layer. +

+
+ +

+ Cyrus-SASL contains a remote buffer overflow in the digestmda5.c file. + Additionally, under certain conditions it is possible for a local user + to exploit a vulnerability in the way the SASL_PATH environment + variable is honored (CAN-2004-0884). +

+
+ +

+ An attacker might be able to execute arbitrary code with the Effective + ID of the application calling the Cyrus-SASL libraries. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cyrus-SASL users should upgrade to the latest stable version: +

+ + # emerge sync + + # emerge -pv ">=dev-libs/cyrus-sasl-2.1.18-r2" + # emerge ">=dev-libs/cyrus-sasl-2.1.18-r2" +
+ + CAN-2004-0884 + CVE-2005-0373 + + + jaervosz + + + lewk + +
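Review bot: The description names the affected source file as `digestmda5.c`, but the DIGEST-MD5 plugin in Cyrus SASL is `digestmd5.c`; the sentence should read `Cyrus-SASL contains a remote buffer overflow in the digestmd5.c file.` The same sentence gives no identifier for the overflow while the references list CVE-2005-0373 alongside CAN-2004-0884; presumably that CVE tracks the overflow, and if so it should be cited inline the way CAN-2004-0884 is for the SASL_PATH issue, so each reference is tied to a specific finding.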
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-06.xml b/xml/htdocs/security/en/glsa/glsa-200410-06.xml
new file mode 100644
index 00000000..5d05ccda
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-06.xml
@@ -0,0 +1,65 @@
+ + + + + + + CUPS: Leakage of sensitive information + + CUPS leaks information about user names and passwords when using remote + printing to SMB-shared printers which require authentication. + + cups + October 09, 2004 + October 09, 2004: 01 + 66501 + local + + + 1.1.20-r3 + 1.1.21-r1 + 1.1.20-r2 + 1.1.21 + + + +

+ The Common UNIX Printing System (CUPS) is a cross-platform print spooler. +

+
+ +

+ When printing to a SMB-shared printer requiring authentication, CUPS leaks + the user name and password to a logfile. +

+
+ +

+ A local user could gain knowledge of sensitive authentication data. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CUPS users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-print/cups-1.1.20-r3" + # emerge ">=net-print/cups-1.1.20-r3" +
+ + CAN-2004-0923 + + + vorlon078 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-07.xml b/xml/htdocs/security/en/glsa/glsa-200410-07.xml
new file mode 100644
index 00000000..78192739
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-07.xml
@@ -0,0 +1,72 @@
+ + + + + + + ed: Insecure temporary file handling + + The ed utility is vulnerable to symlink attacks, potentially allowing a + local user to overwrite or change rights on arbitrary files with the rights + of the user running ed, which could be the root user. + + ed + October 09, 2004 + October 09, 2004: 01 + 66400 + local + + + 0.2-r4 + 0.2-r3 + + + +

+ ed is a line-oriented text editor, used to create or modify text files, + both interactively and via shell scripts. +

+
+ +

+ ed insecurely creates temporary files in world-writeable directories with + predictable names. Given that ed is used in various system shell scripts, + they are by extension affected by the same vulnerability. +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When ed is + called, this would result in file access with the rights of the user + running the utility, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ed users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=sys-apps/ed-0.2-r4" + # emerge ">=sys-apps/ed-0.2-r4" +
+ + CVE-2000-1137 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-08.xml b/xml/htdocs/security/en/glsa/glsa-200410-08.xml
new file mode 100644
index 00000000..d9e7e5de
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-08.xml
@@ -0,0 +1,76 @@
+ + + + + + + ncompress: Buffer overflow + + compress and uncompress, which could be used by daemon programs, contain a + buffer overflow that could lead to remote execution of arbitrary code with + the rights of the daemon process. + + ncompress + October 09, 2004 + May 22, 2006: 02 + 66251 + remote + + + 4.2.4-r1 + 4.2.4 + + + +

+ ncompress is a utility handling compression and decompression of + Lempel-Ziv archives, compatible with the original *nix compress and + uncompress utilities (.Z extensions). +

+
+ +

+ compress and uncompress do not properly check bounds on command line + options, including the filename. Large parameters would trigger a + buffer overflow. +

+
+ +

+ By supplying a carefully crafted filename or other option, an attacker + could execute arbitrary code on the system. A local attacker could only + execute code with his own rights, but since compress and uncompress are + called by various daemon programs, this might also allow a remote + attacker to execute code with the rights of the daemon making use of + ncompress. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ncompress users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-arch/ncompress-4.2.4-r1" + # emerge ">=app-arch/ncompress-4.2.4-r1" +
+ + US-CERT Vulnerability Note VU#176363 + CVE-2001-1413 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-09.xml b/xml/htdocs/security/en/glsa/glsa-200410-09.xml
new file mode 100644
index 00000000..4673dfd3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-09.xml
@@ -0,0 +1,70 @@
+ + + + + + + LessTif: Integer and stack overflows in libXpm + + Multiple vulnerabilities have been discovered in libXpm, which is included + in LessTif, that can potentially lead to remote code execution. + + lesstif + October 09, 2004 + October 09, 2004: 01 + 66647 + remote + + + 0.93.97 + 0.93.97 + + + +

+ LessTif is a clone of OSF/Motif, which is the standard user interface + toolkit available on Unix and Linux. +

+
+ +

+ Chris Evans has discovered various integer and stack overflows in libXpm, + which is shipped as a part of the X Window System. LessTif, an application + that includes this library, is susceptible to the same issues. +

+
+ +

+ A carefully-crafted XPM file could crash applications that are linked + against libXpm, such as LessTif, potentially allowing the execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All LessTif users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=x11-libs/lesstif-0.93.97" + # emerge ">=x11-libs/lesstif-0.93.97" +
+ + CAN-2004-0687 + CAN-2004-0688 + GLSA-200409-34 + LessTif Release Notes + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-10.xml b/xml/htdocs/security/en/glsa/glsa-200410-10.xml
new file mode 100644
index 00000000..b17382f5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-10.xml
@@ -0,0 +1,73 @@
+ + + + + + + gettext: Insecure temporary file handling + + The gettext utility is vulnerable to symlink attacks, potentially allowing + a local user to overwrite or change permissions on arbitrary files with the + rights of the user running gettext, which could be the root user. + + gettext + October 10, 2004 + May 22, 2006: 04 + 66355 + 85766 + local + + + 0.14.1-r1 + 0.12.1-r2 + 0.14.1-r1 + + + +

+ gettext is a set of utilities for the GNU Translation Project which + provides a set of tools and documentation to help produce multi-lingual + messages in programs. +

+
+ +

+ gettext insecurely creates temporary files in world-writeable + directories with predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When + gettext is called, this would result in file access with the rights of + the user running the utility, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All gettext users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-devel/gettext-0.14.1-r1" +
+ + BugTraq Advisory + CVE-2004-0966 + + + koon + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-11.xml b/xml/htdocs/security/en/glsa/glsa-200410-11.xml
new file mode 100644
index 00000000..c4e42bfb
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-11.xml
@@ -0,0 +1,84 @@
+ + + + + + + tiff: Buffer overflows in image decoding + + Multiple heap-based overflows have been found in the tiff library image + decoding routines, potentially allowing to execute arbitrary code with the + rights of the user viewing a malicious image. + + tiff + October 13, 2004 + October 13, 2004: 01 + remote + + + 3.6.1-r2 + 3.6.1-r2 + + + 3.10a-r8 + 3.10a-r7 + + + +

+ The tiff library contains encoding and decoding routines for the Tag Image + File Format. It is called by numerous programs, including GNOME and KDE, to + help in displaying TIFF images. xv is a multi-format image manipulation + utility that is statically linked to the tiff library. +

+
+ +

+ Chris Evans found heap-based overflows in RLE decoding routines in + tif_next.c, tif_thunder.c and potentially tif_luv.c. +

+
+ +

+ A remote attacker could entice a user to view a carefully crafted TIFF + image file, which would potentially lead to execution of arbitrary code + with the rights of the user viewing the image. This affects any program + that makes use of the tiff library, including GNOME and KDE web browsers or + mail readers. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All tiff library users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=media-libs/tiff-3.6.1-r2" + # emerge ">=media-libs/tiff-3.6.1-r2" +

+ xv makes use of the tiff library and needs to be recompiled to receive the + new patched version of the library. All xv users should also upgrade to the + latest version: +

+ + # emerge sync + + # emerge -pv ">=media-gfx/xv-3.10a-r8" + # emerge ">=media-gfx/xv-3.10a-r8" +
+ + CAN-2004-0803 + + + koon + + + koon + +
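Review bot: The header of this advisory goes straight from the revised-date field `October 13, 2004: 01` to `remote`, with no bug number in between, whereas every other advisory in this batch carries one at that position. With element tags stripped from this view it cannot be confirmed whether the bug element is absent or merely empty, but either way the tracker reference readers use to follow the fix is missing; if the GLSA schema makes that element mandatory the file will also fail validation. The Gentoo bug id should be added there, as a placeholder `BUG-ID-TO-CONFIRM` until the correct number is looked up.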
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-12.xml b/xml/htdocs/security/en/glsa/glsa-200410-12.xml
new file mode 100644
index 00000000..2887a46a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-12.xml
@@ -0,0 +1,70 @@
+ + + + + + + WordPress: HTTP response splitting and XSS vulnerabilities + + WordPress contains HTTP response splitting and cross-site scripting + vulnerabilities. + + wordpress + October 14, 2004 + May 22, 2006: 04 + 65798 + remote + + + 1.2.2 + 1.2.2 + + + +

+ WordPress is a PHP and MySQL based content management and publishing + system. +

+
+ +

+ Due to the lack of input validation in the administration panel + scripts, WordPress is vulnerable to HTTP response splitting and + cross-site scripting attacks. +

+
+ +

+ A malicious user could inject arbitrary response data, leading to + content spoofing, web cache poisoning and other cross-site scripting or + HTTP response splitting attacks. This could result in compromising the + victim's data or browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All WordPress users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/wordpress-1.2.2" +
+ + WordPress 1.2.2 Release Notes + CVE-2004-1584 + + + koon + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-13.xml b/xml/htdocs/security/en/glsa/glsa-200410-13.xml
new file mode 100644
index 00000000..b2d4ea98
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-13.xml
@@ -0,0 +1,69 @@
+ + + + + + + BNC: Input validation flaw + + BNC contains an input validation flaw which might allow a remote attacker + to issue arbitrary IRC related commands. + + bnc + October 15, 2004 + May 22, 2006: 02 + 66912 + remote + + + 2.8.9 + 2.8.9 + + + +

+ BNC is an IRC proxying server +

+
+ +

+ A flaw exists in the input parsing of BNC where part of the + sbuf_getmsg() function handles the backspace character incorrectly. +

+
+ +

+ A remote user could issue commands using fake authentication + credentials and possibly gain access to scripts running on the client + side. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All BNC users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-irc/bnc-2.8.9" + # emerge ">=net-irc/bnc-2.8.9" +
+ + BNC Changes + CVE-2004-1482 + + + koon + + + koon + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-14.xml b/xml/htdocs/security/en/glsa/glsa-200410-14.xml
new file mode 100644
index 00000000..6e331245
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-14.xml
@@ -0,0 +1,75 @@
+ + + + + + + phpMyAdmin: Vulnerability in MIME-based transformation system + + A vulnerability has been found in the MIME-based transformation system of + phpMyAdmin, which may allow remote execution of arbitrary commands if PHP's + "safe mode" is disabled. + + phpMyAdmin + October 18, 2004 + May 22, 2006: 02 + 67409 + remote + + + 2.6.0_p2 + 2.6.0_p2 + + + +

+ phpMyAdmin is a popular web-based MySQL administration tool written in + PHP. It allows users to browse and administer a MySQL database from a + web-browser. Transformations are a phpMyAdmin feature allowing plug-ins + to rewrite the contents of any column seen in phpMyAdmin's Browsing + mode, including using insertion of PHP or JavaScript code. +

+
+ +

+ A defect was found in phpMyAdmin's MIME-based transformation system, + when used with "external" transformations. +

+
+ +

+ A remote attacker could exploit this vulnerability to execute arbitrary + commands on the server with the rights of the HTTP server user. +

+
+ +

+ Enabling PHP safe mode ("safe_mode = On" in php.ini) may serve as a + temporary workaround. +

+
+ +

+ All phpMyAdmin users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=dev-db/phpmyadmin-2.6.0_p2" + # emerge ">=dev-db/phpmyadmin-2.6.0_p2" +
+ + phpMyAdmin 2.6.0_pl2 Release Announcement + Secunia Advisory SA12813 + CVE-2004-2630 + + + vorlon078 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-15.xml b/xml/htdocs/security/en/glsa/glsa-200410-15.xml
new file mode 100644
index 00000000..8dd7093c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-15.xml
@@ -0,0 +1,82 @@
+
+
+
+
+
+
+ Squid: Remote DoS vulnerability
+
+ Squid contains a vulnerability in the SNMP module which may lead to a
+ denial of service.
+
+ squid
+ October 18, 2004
+ December 30, 2007: 03
+ 67167
+ remote
+
+
+ 2.5.7
+ 2.5.7
+
+
+

+ Squid is a full-featured Web proxy cache designed to run on Unix + systems. It supports proxying and caching of HTTP, FTP, and other URLs, + as well as SSL support, cache hierarchies, transparent caching, access + control lists and many other features. +

+
+ +

+ A parsing error exists in the SNMP module of Squid where a + specially-crafted UDP packet can potentially cause the server to + restart, closing all current connections. This vulnerability only + exists in versions of Squid compiled with the 'snmp' USE flag. +

+
+ +

+ An attacker can repeatedly send these malicious UDP packets to the + Squid server, leading to a denial of service. +

+
+ +

+ Disable SNMP support or filter the port that has SNMP processing + (default is 3401) to allow only SNMP data from trusted hosts. +

+

+ To disable SNMP support put the entry snmp_port 0 in the squid.conf + configuration file. +

+

+ To allow only the local interface to process SNMP, add the entry + "snmp_incoming_address 127.0.0.1" in the squid.conf configuration file. +

+
+ +

+ All Squid users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-proxy/squid-2.5.7" + # emerge ">=net-proxy/squid-2.5.7" +
+ + iDEFENSE Advisory + CVE-2004-0918 + + + koon + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-16.xml b/xml/htdocs/security/en/glsa/glsa-200410-16.xml
new file mode 100644
index 00000000..0bf02a47
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-16.xml
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+ PostgreSQL: Insecure temporary file use in make_oidjoins_check
+
+ The make_oidjoins_check script, part of the PostgreSQL package, is
+ vulnerable to symlink attacks, potentially allowing a local user to
+ overwrite arbitrary files with the rights of the user running the utility.
+
+ PostgreSQL
+ October 18, 2004
+ May 28, 2009: 04
+ 66371
+ local
+
+
+ 7.4.5-r2
+ 7.3.7-r2
+ 7.3.15
+ 7.3.16
+ 7.3.18
+ 7.3.21
+ 7.4.5-r1
+
+
+

+ PostgreSQL is an open source database based on the POSTGRES database + management system. It includes several contributed scripts including + the make_oidjoins_check script. +

+
+ +

+ The make_oidjoins_check script insecurely creates temporary files in + world-writeable directories with predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When + make_oidjoins_check is called, this would result in file overwrite with + the rights of the user running the utility, which could be the root + user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PostgreSQL users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=dev-db/postgresql-7.4.5-r2" + # emerge ">=dev-db/postgresql-7.4.5-r2" +

+ Upgrade notes: PostgreSQL 7.3.x users should upgrade to the latest + available 7.3.x version to retain database compatibility. +

+
+ + Trustix Advisory #2004-0050 + CVE-2004-0977 + + + koon + + + koon + +
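Review bot: The upgrade note at the end of this file tells 7.3.x users to stay on the latest 7.3.x release, but the only command given is `# emerge ">=dev-db/postgresql-7.4.5-r2"`, which a 7.3.x user following it literally would satisfy with a 7.4 install and lose the database compatibility the note is trying to preserve. A second code block for the 7.3 branch would close that gap; the version list includes 7.3.7-r2, which looks like the 7.3 fix level, though the range markup is not visible in this extraction, so confirm the atom before adding `# emerge ">=dev-db/postgresql-7.3.7-r2"` as the 7.3.x command.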
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-17.xml b/xml/htdocs/security/en/glsa/glsa-200410-17.xml
new file mode 100644
index 00000000..b006688b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-17.xml
@@ -0,0 +1,102 @@
+
+
+
+
+
+
+ OpenOffice.org: Temporary files disclosure
+
+ OpenOffice.org uses insecure temporary files which could allow a malicious
+ local user to gain knowledge of sensitive information from other users'
+ documents.
+
+ openoffice
+ October 20, 2004
+ October 20, 2004: 01
+ 63556
+ local
+
+
+ 1.1.2
+ 1.1.3
+ 1.1.2
+
+
+ 1.1.2
+ 1.1.3
+ 1.1.2
+
+
+ 1.1.60
+ 1.3.4
+ 1.1.60
+ 1.1.61
+
+
+

+ OpenOffice.org is an office productivity suite, including word processing, + spreadsheets, presentations, drawings, data charting, formula editing, and + file conversion facilities. +

+
+ +

+ On start-up, OpenOffice.org 1.1.2 creates a temporary directory with + insecure permissions. When a document is saved, a compressed copy of it can + be found in that directory. +

+
+ +

+ A malicious local user could obtain the temporary files and thus read + documents belonging to other users. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All affected OpenOffice.org users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-office/openoffice-1.1.3" + # emerge ">=app-office/openoffice-1.1.3" +

+ All affected OpenOffice.org binary users should upgrade to the latest + version: +

+ + # emerge sync + + # emerge -pv ">=app-office/openoffice-bin-1.1.3" + # emerge ">=app-office/openoffice-bin-1.1.3" +

+ All affected OpenOffice.org Ximian users should upgrade to the latest + version: +

+ + # emerge sync + + # emerge -pv ">=app-office/openoffice-ximian-1.3.4" + # emerge ">=app-office/openoffice-1.3.4" +
+ + CAN-2004-0752 + OpenOffice.org Issue 33357 + + + koon + + + vorlon078 + + + koon + +
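Review bot: The Ximian resolution block is internally inconsistent: the preview line names `>=app-office/openoffice-ximian-1.3.4` but the line that actually installs names `>=app-office/openoffice-1.3.4`, so a user pasting the commands would pull the plain openoffice package at a version that does not correspond to the 1.3.4 fix for the Ximian build, and would not upgrade openoffice-ximian at all. The install line should be `# emerge ">=app-office/openoffice-ximian-1.3.4"`. The other two resolution blocks in this file use matching preview and install atoms.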
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-18.xml b/xml/htdocs/security/en/glsa/glsa-200410-18.xml
new file mode 100644
index 00000000..c878f711
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-18.xml
@@ -0,0 +1,81 @@
+
+
+
+
+
+
+ Ghostscript: Insecure temporary file use in multiple scripts
+
+ Multiple scripts in the Ghostscript package are vulnerable to symlink
+ attacks, potentially allowing a local user to overwrite arbitrary files
+ with the rights of the user running the script.
+
+ Ghostscript
+ October 20, 2004
+ December 30, 2007: 02
+ 66357
+ local
+
+
+ 7.07.1-r7
+ 7.05.6-r2
+ 7.07.1-r7
+
+
+

+ Ghostscript is a software package providing an interpreter for the + PostScript language and the PDF file format. It also provides output + drivers for various file formats and printers. +

+
+ +

+ The pj-gs.sh, ps2epsi, pv.sh and sysvlp.sh scripts create temporary files + in world-writeable directories with predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When an + affected script is called, this would result in the file to be overwritten + with the rights of the user running the script, which could be the root + user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Ghostscript users on all architectures except PPC should upgrade to the + latest version: +

+ + # emerge sync + + # emerge -pv ">=app-text/ghostscript-esp-7.07.1-r7" + # emerge ">=app-text/ghostscript-esp-7.07.1-r7" +

+ Ghostscript users on the PPC architecture should upgrade to the latest + stable version on their architecture: +

+ + # emerge sync + + # emerge -pv ">=app-text/ghostscript-esp-7.05.6-r2" + # emerge ">=app-text/ghostscript-esp-7.05.6-r2" +
+ + CAN-2004-0967 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-19.xml b/xml/htdocs/security/en/glsa/glsa-200410-19.xml
new file mode 100644
index 00000000..ad9e6b22
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-19.xml
@@ -0,0 +1,75 @@
+
+
+
+
+
+
+ glibc: Insecure tempfile handling in catchsegv script
+
+ The catchsegv script in the glibc package is vulnerable to symlink attacks,
+ potentially allowing a local user to overwrite arbitrary files with the
+ rights of the user running the script.
+
+ glibc
+ October 21, 2004
+ October 21, 2004: 01
+ 66358
+ local
+
+
+ 2.2.5-r9
+ 2.3.2-r12
+ 2.3.3.20040420-r2
+ 2.3.4.20040619-r2
+ 2.3.4.20040808-r1
+ 2.3.4.20040808
+
+
+

+ glibc is a package that contains the GNU C library. +

+
+ +

+ The catchsegv script creates temporary files in world-writeable directories + with predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When + catchsegv script is called, this would result in the file being overwritten + with the rights of the user running the utility, which could be the root + user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All glibc users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv sys-libs/glibc + # emerge sys-libs/glibc +
+ + CAN-2004-0968 + + + koon + + + koon + + + lewk + +
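Review bot: The resolution runs `# emerge sys-libs/glibc` with no version atom, unlike every other advisory in this batch, so it installs whichever glibc is currently keyworded for the user's profile and gives no guarantee that the result is one of the fixed revisions listed in the header (2.2.5-r9, 2.3.2-r12, 2.3.3.20040420-r2, 2.3.4.20040619-r2, 2.3.4.20040808-r1). Since several branches are fixed in parallel a single atom may not be possible, but the text should make the check explicit, e.g. adding after the code block `Make sure the installed version is one of the fixed revisions listed above; older revisions on the same branch remain vulnerable.`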
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-20.xml b/xml/htdocs/security/en/glsa/glsa-200410-20.xml
new file mode 100644
index 00000000..1fd20d59
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-20.xml
@@ -0,0 +1,79 @@
+
+
+
+
+
+
+ Xpdf, CUPS: Multiple integer overflows
+
+ Multiple integer overflows were discovered in Xpdf, potentially resulting
+ in execution of arbitrary code upon viewing a malicious PDF file. CUPS
+ includes Xpdf code and therefore is vulnerable to the same issues.
+
+ Xpdf
+ October 21, 2004
+ November 06, 2004: 02
+ 69662
+ remote
+
+
+ 3.00-r5
+ 3.00-r4
+
+
+ 1.1.20-r5
+ 1.1.20-r4
+
+
+

+ Xpdf is an open source viewer for Portable Document Format (PDF) files. The + Common UNIX Printing System (CUPS) is a cross-platform print spooler that + includes some Xpdf code. +

+
+ +

+ Chris Evans discovered multiple integer overflow issues in Xpdf. +

+
+ +

+ An attacker could entice an user to open a specially-crafted PDF file, + potentially resulting in execution of arbitrary code with the rights of the + user running Xpdf. By enticing an user to directly print the PDF file to a + CUPS printer, an attacker could also crash the CUPS spooler or execute + arbitrary code with the rights of the CUPS spooler, which is usually the + "lp" user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Xpdf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/xpdf-3.00-r5" +

+ All CUPS users should also upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/cups-1.1.20-r5" +
+ + CAN-2004-0888 + CAN-2004-0889 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-21.xml b/xml/htdocs/security/en/glsa/glsa-200410-21.xml
new file mode 100644
index 00000000..5d14459c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-21.xml
@@ -0,0 +1,85 @@
+
+
+
+
+
+
+ Apache 2, mod_ssl: Bypass of SSLCipherSuite directive
+
+ In certain configurations, it can be possible to bypass restrictions set by
+ the "SSLCipherSuite" directive of mod_ssl.
+
+ apache
+ October 21, 2004
+ December 30, 2007: 02
+ 66807
+ remote
+
+
+ 2.0.52
+ 2.0
+ 2.0.52
+
+
+ 2.8.20
+ 2.8.20
+
+
+

+ The Apache HTTP server is one of the most popular web servers on the + internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3 and + is also included in Apache 2. +

+
+ +

+ A flaw has been found in mod_ssl where the "SSLCipherSuite" directive could + be bypassed in certain configurations if it is used in a directory or + location context to restrict the set of allowed cipher suites. +

+
+ +

+ A remote attacker could gain access to a location using any cipher suite + allowed by the server/virtual host configuration, disregarding the + restrictions by "SSLCipherSuite" for that location. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache 2 users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=www-servers/apache-2.0.52" + # emerge ">=www-servers/apache-2.0.52" +

+ All mod_ssl users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-www/mod_ssl-2.8.20" + # emerge ">=net-www/mod_ssl-2.8.20" +
+ + CAN-2004-0885 + Apache HTTPD Bug 31505 + + + koon + + + vorlon078 + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-22.xml b/xml/htdocs/security/en/glsa/glsa-200410-22.xml
new file mode 100644
index 00000000..4ae77575
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-22.xml
@@ -0,0 +1,91 @@
+
+
+
+
+
+
+ MySQL: Multiple vulnerabilities
+
+ Several vulnerabilities including privilege abuse, Denial of Service, and
+ potentially remote arbitrary code execution have been discovered in MySQL.
+
+ MySQL
+ October 24, 2004
+ October 24, 2004: 01
+ 67062
+ remote
+
+
+ 4.0.21
+ 4.0.21
+
+
+

+ MySQL is a popular open-source, multi-threaded, multi-user SQL database + server. +

+
+ +

+ The following vulnerabilities were found and fixed in MySQL: +

+

+ Oleksandr Byelkin found that ALTER TABLE ... RENAME checks CREATE/INSERT + rights of the old table instead of the new one (CAN-2004-0835). Another + privilege checking bug allowed users to grant rights on a database they had + no rights on. +

+

+ Dean Ellis found a defect where multiple threads ALTERing the MERGE tables + to change the UNION could cause the server to crash (CAN-2004-0837). + Another crash was found in MATCH ... AGAINST() queries with missing closing + double quote. +

+

+ Finally, a buffer overrun in the mysql_real_connect function was found by + Lukasz Wojtow (CAN-2004-0836). +

+
+ +

+ The privilege checking issues could be used by remote users to bypass their + rights on databases. The two crashes issues could be exploited by a remote + user to perform a Denial of Service attack on MySQL server. The buffer + overrun issue could also be exploited as a Denial of Service attack, and + may allow to execute arbitrary code with the rights of the MySQL daemon + (typically, the "mysql" user). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MySQL users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=dev-db/mysql-4.0.21" + # emerge ">=dev-db/mysql-4.0.21" +
+ + CAN-2004-0835 + CAN-2004-0836 + CAN-2004-0837 + Privilege granting bug + MATCH ... AGAINST crash bug + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-23.xml b/xml/htdocs/security/en/glsa/glsa-200410-23.xml
new file mode 100644
index 00000000..95d3b701
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-23.xml
@@ -0,0 +1,74 @@
+
+
+
+
+
+
+ Gaim: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been found in Gaim which could allow a remote
+ attacker to crash the application, or possibly execute arbitrary code.
+
+ gaim
+ October 24, 2004
+ October 24, 2004: 01
+ 68271
+ remote
+
+
+ 1.0.2
+ 1.0.2
+
+
+

+ Gaim is a full featured instant messaging client which handls a variety of + instant messaging protocols. +

+
+ +

+ A possible buffer overflow exists in the code processing MSN SLP messages + (CAN-2004-0891). memcpy() was used without validating the size of the + buffer, and an incorrect buffer was used as destination under certain + circumstances. Additionally, memory allocation problems were found in the + processing of MSN SLP messages and the receiving of files. These issues + could lead Gaim to try to allocate more memory than available, resulting in + the crash of the application. +

+
+ +

+ A remote attacker could crash Gaim and possibly execute arbitrary code by + exploiting the buffer overflow. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Gaim users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-im/gaim-1.0.2" + # emerge ">=net-im/gaim-1.0.2" +
+ + CAN-2004-0891 + Gaim Security Issues + + + lewk + + + koon + + + vorlon078 + +
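Review bot: The background paragraph misspells "handles" as `handls` ("client which handls a variety of instant messaging protocols"); published advisories are mirrored verbatim, so this should be corrected before release to `Gaim is a full featured instant messaging client which handles a variety of`. The rest of the advisory text reads cleanly.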
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-24.xml b/xml/htdocs/security/en/glsa/glsa-200410-24.xml
new file mode 100644
index 00000000..311fe5a6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-24.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ MIT krb5: Insecure temporary file use in send-pr.sh
+
+ The send-pr.sh script, included in the mit-krb5 package, is vulnerable to
+ symlink attacks, potentially allowing a local user to overwrite arbitrary
+ files with the rights of the user running the utility.
+
+ mit-krb5
+ October 25, 2004
+ January 30, 2005: 02
+ 66359
+ local
+
+
+ 1.3.5-r1
+ 1.3.4-r1
+ 1.3.5
+
+
+

+ MIT krb5 is the free implementation of the Kerberos network + authentication protocol written by the Massachusetts Institute of + Technology. +

+
+ +

+ The send-pr.sh script creates temporary files in world-writeable + directories with predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When + send-pr.sh is called, this would result in the file being overwritten + with the rights of the user running the utility, which could be the + root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MIT krb5 users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=app-crypt/mit-krb5-1.3.4-r1" + # emerge ">=app-crypt/mit-krb5-1.3.4-r1" +
+ + CAN-2004-0971 + + + koon + + + koon + +
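Review bot: The resolution atom `>=app-crypt/mit-krb5-1.3.4-r1` is also satisfied by 1.3.5, which appears in the version header between 1.3.5-r1 and 1.3.4-r1; the range markup is stripped in this extraction, but if 1.3.5 is the vulnerable upper bound then a user already on 1.3.5 would see the dependency as met and not be upgraded to 1.3.5-r1. If that reading is right the two command lines should use `">=app-crypt/mit-krb5-1.3.5-r1"`, or the text should state that 1.3.4-r1 is a separate fixed branch the way the PostgreSQL advisory does.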
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-25.xml b/xml/htdocs/security/en/glsa/glsa-200410-25.xml
new file mode 100644
index 00000000..c0ea862d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-25.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ Netatalk: Insecure tempfile handling in etc2ps.sh
+
+ The etc2ps.sh script, included in the Netatalk package, is vulnerable to
+ symlink attacks, potentially allowing a local user to overwrite arbitrary
+ files with the rights of the user running the utility.
+
+ Netatalk
+ October 25, 2004
+ October 25, 2004: 01
+ 66370
+ local
+
+
+ 1.6.4-r1
+ 1.6.4-r1
+
+
+

+ Netatalk is a kernel level implementation of the AppleTalk Protocol Suite, + which allows Unix hosts to act as file, print, and time servers for Apple + computers. It includes several script utilities, including etc2ps.sh. +

+
+ +

+ The etc2ps.sh script creates temporary files in world-writeable directories + with predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When + etc2ps.sh is executed, this would result in the file being overwritten with + the rights of the user running the utility, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Netatalk users should upgrade to the latest version: +

+ + # emerge sync + + # emerge -pv ">=net-fs/netatalk-1.6.4-r1" + # emerge ">=net-fs/netatalk-1.6.4-r1" +
+ + CAN-2004-0974 + + + lewk + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-26.xml b/xml/htdocs/security/en/glsa/glsa-200410-26.xml
new file mode 100644
index 00000000..b57a30d0
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-26.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ socat: Format string vulnerability
+
+ socat contains a format string vulnerability that can potentially lead to
+ remote or local execution of arbitrary code with the privileges of the
+ socat process.
+
+ socat
+ October 25, 2004
+ May 22, 2006: 02
+ 68547
+ remote
+
+
+ 1.4.0.3
+ 1.4.0.3
+
+
+

+ socat is a multipurpose bidirectional relay, similar to netcat. +

+
+ +

+ socat contains a syslog() based format string vulnerablility in the + '_msg()' function of 'error.c'. Exploitation of this bug is only + possible when socat is run with the '-ly' option, causing it to log + messages to syslog. +

+
+ +

+ Remote exploitation is possible when socat is used as a HTTP proxy + client and connects to a malicious server. Local privilege escalation + can be achieved when socat listens on a UNIX domain socket. Potential + execution of arbitrary code with the privileges of the socat process is + possible with both local and remote exploitations. +

+
+ +

+ Disable logging to syslog by not using the '-ly' option when starting + socat. +

+
+ +

+ All socat users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/socat-1.4.0.3" +
+ + socat Security Advisory + CVE-2004-1484 + + + vorlon078 + + + koon + + + lewk + +
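Review bot: The description paragraph misspells "vulnerability" as `vulnerablility` ("syslog() based format string vulnerablility in the '_msg()' function"); the line should read `socat contains a syslog() based format string vulnerability in the`. The workaround of omitting `-ly` is consistent with the description's statement that the bug is reachable only when syslog logging is enabled, so no further text change is needed there.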
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-27.xml b/xml/htdocs/security/en/glsa/glsa-200410-27.xml
new file mode 100644
index 00000000..4f3aa101
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-27.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ mpg123: Buffer overflow vulnerabilities
+
+ Buffer overflow vulnerabilities have been found in mpg123 which could lead
+ to execution of arbitrary code.
+
+ mpg123
+ October 27, 2004
+ May 22, 2006: 02
+ 68343
+ remote
+
+
+ 0.59s-r5
+ 0.59s-r5
+
+
+

+ mpg123 is a MPEG Audio Player. +

+
+ +

+ Buffer overflow vulnerabilities in the getauthfromURL() and http_open() + functions have been reported by Carlos Barros. Additionally, the Gentoo + Linux Sound Team fixed additional boundary checks which were found to + be lacking. +

+
+ +

+ By enticing a user to open a malicious playlist or URL or making use of + a specially-crafted symlink, an attacker could possibly execute + arbitrary code with the rights of the user running mpg123. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mpg123 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/mpg123-0.59s-r5" +
+ + Security Advisory by Carlos Barros + CVE-2004-0982 + + + koon + + + vorlon078 + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-28.xml b/xml/htdocs/security/en/glsa/glsa-200410-28.xml
new file mode 100644
index 00000000..786e8b9e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-28.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ rssh: Format string vulnerability
+
+ rssh is vulnerable to a format string vulnerability that allows arbitrary
+ execution of code with the rights of the connected user, thereby bypassing
+ rssh restrictions.
+
+ rssh
+ October 27, 2004
+ May 22, 2006: 02
+ 66988
+ remote
+
+
+ 2.2.2
+ 2.2.2
+
+
+

+ rssh is a restricted shell, allowing only a few commands like scp or + sftp. It is often used as a complement to OpenSSH to provide limited + access to users. +

+
+ +

+ Florian Schilhabel from the Gentoo Linux Security Audit Team found a + format string vulnerability in rssh syslogging of failed commands. +

+
+ +

+ Using a malicious command, it may be possible for a remote + authenticated user to execute arbitrary code on the target machine with + user rights, effectively bypassing any restriction of rssh. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All rssh users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-shells/rssh-2.2.2" +
+ + rssh security announcement + CVE-2004-1628 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-29.xml b/xml/htdocs/security/en/glsa/glsa-200410-29.xml
new file mode 100644
index 00000000..81bf9e64
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-29.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ PuTTY: Pre-authentication buffer overflow
+
+ PuTTY contains a vulnerability allowing an SSH server to execute arbitrary
+ code on the connecting client.
+
+ putty
+ October 27, 2004
+ May 22, 2006: 02
+ 69123
+ remote
+
+
+ 0.56
+ 0.55
+
+
+

+ PuTTY is a free implementation of Telnet and SSH for Win32 and Unix + platforms, along with an xterm terminal emulator. +

+
+ +

+ PuTTY fails to do proper bounds checking on SSH2_MSG_DEBUG packets. The + "stringlen" parameter value is incorrectly checked due to signedness + issues. Note that this vulnerability is similar to the one described in + GLSA 200408-04 but not the same. +

+
+ +

+ When PuTTY connects to a server using the SSH2 protocol, an attacker + may be able to send specially crafted packets to the client, resulting + in the execution of arbitrary code with the permissions of the user + running PuTTY. Note that this is possible during the authentication + process but before host key verification. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PuTTY users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/putty-0.56" +
+ + iDEFENSE Security Advisory 10.27.04 + PuTTY ChangeLog + CVE-2004-1008 + + + koon + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-30.xml b/xml/htdocs/security/en/glsa/glsa-200410-30.xml
new file mode 100644
index 00000000..2a05e645
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-30.xml
@@ -0,0 +1,98 @@
+
+
+
+
+
+
+ GPdf, KPDF, KOffice: Vulnerabilities in included xpdf
+
+ GPdf, KPDF and KOffice all include vulnerable xpdf code to handle PDF
+ files, making them vulnerable to execution of arbitrary code upon viewing a
+ malicious PDF file.
+
+ GPdf
+ October 28, 2004
+ November 06, 2004: 02
+ 68558
+ 68665
+ 68571
+ 69936
+ 69624
+ remote
+
+
+ 1.3.4-r1
+ 1.3.3-r2
+ 1.3.4-r1
+
+
+ 2.8.0-r2
+ 0.132-r2
+ 2.8.0-r2
+
+
+ 3.3.1-r2
+ 3.3.0-r2
+ 3.2.3-r2
+ 3.3.1-r2
+
+
+

+ GPdf is a Gnome-based PDF viewer. KPDF, part of the kdegraphics package, is + a KDE-based PDF viewer. KOffice is an integrated office suite for KDE. +

+
+ +

+ GPdf, KPDF and KOffice all include xpdf code to handle PDF files. xpdf is + vulnerable to multiple integer overflows, as described in GLSA 200410-20. +

+
+ +

+ An attacker could entice a user to open a specially-crafted PDF file, + potentially resulting in execution of arbitrary code with the rights of the + user running the affected utility. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GPdf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/gpdf-0.132-r2" +

+ All KDE users should upgrade to the latest version of kdegraphics: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.3.0-r2" +

+ All KOffice users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/koffice-1.3.3-r2" +
+ + GLSA 200410-20 + CAN-2004-0888 + CAN-2004-0889 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200410-31.xml b/xml/htdocs/security/en/glsa/glsa-200410-31.xml
new file mode 100644
index 00000000..004e4949
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200410-31.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ Archive::Zip: Virus detection evasion
+
+ Email virus scanning software relying on Archive::Zip can be fooled into
+ thinking a ZIP attachment is empty while it contains a virus, allowing
+ detection evasion.
+
+ Archive::Zip
+ October 29, 2004
+ May 22, 2006: 02
+ 68616
+ remote
+
+
+ 1.14
+ 1.14
+
+
+

+ Archive::Zip is a Perl module containing functions to handle ZIP + archives. +

+
+ +

+ Archive::Zip can be used by email scanning software (like amavisd-new) + to uncompress attachments before virus scanning. By modifying the + uncompressed size of archived files in the global header of the ZIP + file, it is possible to fool Archive::Zip into thinking some files + inside the archive have zero length. +

+
+ +

+ An attacker could send a carefully crafted ZIP archive containing a + virus file and evade detection on some email virus-scanning software + relying on Archive::Zip for decompression. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Archive::Zip users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-perl/Archive-Zip-1.14" +
+ + iDEFENSE Security Advisory 10.18.04 + rt.cpan.org bug #8077 + CVE-2004-1096 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-01.xml b/xml/htdocs/security/en/glsa/glsa-200411-01.xml
new file mode 100644
index 00000000..beb03aaa
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-01.xml
@@ -0,0 +1,62 @@
+
+
+
+
+
+
+ ppp: No denial of service vulnerability
+
+ pppd contains a bug that allows an attacker to crash his own connection,
+ but it cannot be used to deny service to other users.
+
+ ppp
+ November 01, 2004
+ November 02, 2004: 02
+ 69152
+ remote
+
+
+

+ ppp is a Unix implementation of the Point-to-Point Protocol. +

+
+ +

+ The pppd server improperly verifies header fields, potentially leading to a + crash of the pppd process handling the connection. However, since a + separate pppd process handles each ppp connection, this would not affect + any other connection, or prevent new connections from being established. +

+
+ +

+ We incorrectly thought that this bug could be exploited to deny service to + all ppp users. It is not the case, this bug has no security impact + whatsoever. Many thanks to Paul Mackerras from the Samba team for + correcting our mistake. +

+
+ +

+ There is no need for a workaround. +

+
+ +

+ ppp users can keep their current versions. +

+
+ + Incorrect BugTraq Advisory + + + koon + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-02.xml b/xml/htdocs/security/en/glsa/glsa-200411-02.xml
new file mode 100644
index 00000000..8e30e3d5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-02.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Cherokee: Format string vulnerability
+
+ Cherokee contains a format string vulnerability that could lead to denial
+ of service or the execution of arbitary code.
+
+ cherokee
+ November 01, 2004
+ May 22, 2006: 02
+ 67667
+ remote
+
+
+ 0.4.17.1
+ 0.4.17
+
+
+

+ Cherokee is an extra-light web server. +

+
+ +

+ Florian Schilhabel from the Gentoo Linux Security Audit Team found a + format string vulnerability in the cherokee_logger_ncsa_write_string() + function. +

+
+ +

+ Using a specially crafted URL when authenticating via auth_pam, a + malicious user may be able to crash the server or execute arbitrary + code on the target machine with permissions of the user running + Cherokee. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cherokee users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/cherokee-0.4.17.1" +
+ + CVE-2004-1097 + + + koon + + + koon + + + jaervosz + +
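Review bot: The synopsis misspells "arbitrary" as `arbitary` ("denial of service or the execution of arbitary code"); since the synopsis is what aggregators and mail notifications display, it should read `of service or the execution of arbitrary code.` before publication. Nothing else in this hunk needs changing.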
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-03.xml b/xml/htdocs/security/en/glsa/glsa-200411-03.xml
new file mode 100644
index 00000000..97902726
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-03.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ Apache 1.3: Buffer overflow vulnerability in mod_include
+
+ A buffer overflow vulnerability exists in mod_include which could possibly
+ allow a local attacker to gain escalated privileges.
+
+ apache
+ November 02, 2004
+ December 30, 2007: 02
+ 68564
+ local
+
+
+ 1.3.32-r1
+ 1.3.32-r1
+
+
+

+ The Apache HTTP server is one of the most popular web servers on the + internet. mod_include is an Apache module to handle Server Side Includes + (SSI). +

+
+ +

+ A possible buffer overflow exists in the get_tag() function of + mod_include.c. +

+
+ +

+ If Server Side Includes (SSI) are enabled, a local attacker may be able to + run arbitrary code with the rights of an httpd child process by making use + of a specially-crafted document with malformed SSI. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/apache-1.3.32-r1" +
+ + CAN-2004-0940 + Security vulnerabilities in Apache httpd 1.3 + + + koon + + + vorlon078 + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-04.xml b/xml/htdocs/security/en/glsa/glsa-200411-04.xml
new file mode 100644
index 00000000..215195af
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-04.xml
@@ -0,0 +1,68 @@
+ + + + + + + Speedtouch USB driver: Privilege escalation vulnerability + + A vulnerability in the Speedtouch USB driver can be exploited to allow + local users to execute arbitrary code with escalated privileges. + + speedtouch + November 02, 2004 + November 02, 2004: 01 + 68436 + local + + + 1.3.1 + 1.3.1 + + + +

+ The speedtouch package contains a driver for the ADSL SpeedTouch USB modem. +

+
+ +

+ The Speedtouch USB driver contains multiple format string vulnerabilities + in modem_run, pppoa2 and pppoa3. This flaw is due to an improperly made + syslog() system call. +

+
+ +

+ A malicious local user could exploit this vulnerability by causing a buffer + overflow, and potentially allowing the execution of arbitrary code with + escalated privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Speedtouch USB driver users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dialup/speedtouch-1.3.1" +
+ + CAN-2004-0834 + Speedtouch Project News Announcements + + + koon + + + lewk + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-05.xml b/xml/htdocs/security/en/glsa/glsa-200411-05.xml
new file mode 100644
index 00000000..260ac2bc
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-05.xml
@@ -0,0 +1,69 @@
+ + + + + + + libxml2: Remotely exploitable buffer overflow + + libxml2 contains multiple buffer overflows which could lead to the + execution of arbitrary code. + + libxml2 + November 02, 2004 + November 02, 2004: 01 + 69154 + remote + + + 2.6.15 + 2.6.15 + + + +

+ libxml2 is an XML parsing library written in C. +

+
+ +

+ Multiple buffer overflows have been detected in the nanoftp and nanohttp + modules. These modules are responsible for parsing URLs with ftp + information, and resolving names via DNS. +

+
+ +

+ An attacker could exploit an application that uses libxml2 by forcing it to + parse a specially-crafted XML file, potentially causing remote execution of + arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libxml2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.6.15" +
+ + BugTraq Advisory + libxml2 ChangeLog + CAN-2004-0989 + + + koon + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-06.xml b/xml/htdocs/security/en/glsa/glsa-200411-06.xml
new file mode 100644
index 00000000..c5c82bc1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-06.xml
@@ -0,0 +1,69 @@
+ + + + + + + MIME-tools: Virus detection evasion + + MIME-tools doesn't handle empty MIME boundaries correctly. This may prevent + some virus-scanning programs which use MIME-tools from detecting certain + viruses. + + MIME-tools + November 02, 2004 + May 22, 2006: 02 + 69181 + remote + + + 5.415 + 5.415 + + + +

+ MIME-tools is a Perl module containing functions to handle MIME + attachments. +

+
+ +

+ MIME-tools doesn't correctly parse attachment boundaries with an empty + name (boundary=""). +

+
+ +

+ An attacker could send a carefully crafted email and evade detection on + some email virus-scanning programs using MIME-tools for attachment + decoding. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MIME-tools users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-perl/MIME-tools-5.415" +
+ + MIMEDefang announcement + CVE-2004-1098 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-07.xml b/xml/htdocs/security/en/glsa/glsa-200411-07.xml
new file mode 100644
index 00000000..b7b2a8ca
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-07.xml
@@ -0,0 +1,73 @@
+ + + + + + + Proxytunnel: Format string vulnerability + + Proxytunnel is vulnerable to a format string vulnerability, potentially + allowing a remote server to execute arbitrary code with the rights of the + Proxytunnel process. + + Proxytunnel + November 03, 2004 + November 03, 2004: 01 + 69379 + remote + + + 1.2.3 + 1.2.3 + + + +

+ Proxytunnel is a program that tunnels connections to a remote server + through a standard HTTPS proxy. +

+
+ +

+ Florian Schilhabel of the Gentoo Linux Security Audit project found a + format string vulnerability in Proxytunnel. When the program is started in + daemon mode (-a [port]), it improperly logs invalid proxy answers to + syslog. +

+
+ +

+ A malicious remote server could send specially-crafted invalid answers to + exploit the format string vulnerability, potentially allowing the execution + of arbitrary code on the tunnelling host with the rights of the Proxytunnel + process. +

+
+ +

+ You can mitigate the issue by only allowing connections to trusted remote + servers. +

+
+ +

+ All Proxytunnel users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/proxytunnel-1.2.3" +
+ + CAN-2004-0992 + Proxytunnel News + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-08.xml b/xml/htdocs/security/en/glsa/glsa-200411-08.xml
new file mode 100644
index 00000000..cc1a745f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-08.xml
@@ -0,0 +1,72 @@
+ + + + + + + GD: Integer overflow + + The PNG image decoding routines in the GD library contain an integer + overflow that may allow execution of arbitrary code with the rights of the + program decoding a malicious PNG image. + + GD + November 03, 2004 + November 03, 2004: 01 + 69070 + remote + + + 2.0.32 + 2.0.32 + + + +

+ The GD graphics library is an open source library which allows programmers + to easily generate PNG, JPEG, GIF and WBMP images from many different + programming languages. +

+
+ +

+ infamous41md found an integer overflow in the memory allocation procedure + of the GD routine that handles loading PNG image files. +

+
+ +

+ A remote attacker could entice a user to load a carefully crafted PNG image + file in a GD-powered application, or send a PNG image to a web application + which uses GD PNG decoding functions. This could potentially lead to + execution of arbitrary code with the rights of the program loading the + image. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GD users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/gd-2.0.32" +
+ + Original BugTraq advisory + CAN-2004-0990 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-09.xml b/xml/htdocs/security/en/glsa/glsa-200411-09.xml
new file mode 100644
index 00000000..c96a801b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-09.xml
@@ -0,0 +1,67 @@
+ + + + + + + shadow: Unauthorized modification of account information + + A flaw in the chfn and chsh utilities might allow modification of account + properties by unauthorized users. + + shadow + November 04, 2004 + November 05, 2004: 02 + 69212 + local + + + 4.0.5-r1 + 4.0.5-r1 + + + +

+ shadow provides a set of utilities to deal with user accounts. +

+
+ +

+ Martin Schulze reported a flaw in the passwd_check() function in + "libmisc/pwdcheck.c" which is used by chfn and chsh. +

+
+ +

+ A logged-in local user with an expired password may be able to use chfn and + chsh to change his standard shell or GECOS information (full name, phone + number...) without being required to change his password. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All shadow users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.0.5-r1" +
+ + shadow NEWS file + CAN-2004-1001 + + + koon + + + koon + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-10.xml b/xml/htdocs/security/en/glsa/glsa-200411-10.xml
new file mode 100644
index 00000000..ee80ba61
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-10.xml
@@ -0,0 +1,66 @@
+ + + + + + + Gallery: Cross-site scripting vulnerability + + Gallery is vulnerable to cross-site scripting attacks. + + gallery + November 06, 2004 + May 22, 2006: 02 + 69904 + remote + + + 1.4.4_p4 + 1.4.4_p4 + + + +

+ Gallery is a web application written in PHP which is used to organize + and publish photo albums. It allows multiple users to build and + maintain their own albums. It also supports the mirroring of images on + other servers. +

+
+ +

+ Jim Paris has discovered a cross-site scripting vulnerability in + Gallery. +

+
+ +

+ By sending a carefully crafted URL, an attacker can inject and execute + script code in the victim's browser window, and potentially compromise + the users gallery. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Gallery users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/gallery-1.4.4_p4" +
+ + Gallery Announcement + CVE-2004-1106 + + + lewk + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-11.xml b/xml/htdocs/security/en/glsa/glsa-200411-11.xml
new file mode 100644
index 00000000..2466c9f1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-11.xml
@@ -0,0 +1,69 @@
+ + + + + + + ImageMagick: EXIF buffer overflow + + ImageMagick contains an error in boundary checks when handling EXIF + information, which could lead to arbitrary code execution. + + imagemagick + November 06, 2004 + November 06, 2004: 01 + 69825 + remote + + + 6.1.3.2 + 6.1.3.2 + + + +

+ ImageMagick is a collection of tools to read, write and manipulate images + in many formats. +

+
+ +

+ ImageMagick fails to do proper bounds checking when handling image files + with EXIF information. +

+
+ +

+ An attacker could use an image file with specially-crafted EXIF information + to cause arbitrary code execution with the permissions of the user running + ImageMagick. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ImageMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.1.3.2" +
+ + CAN-2004-0981 + ImageMagick ChangeLog + SA 12995 + + + koon + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-12.xml b/xml/htdocs/security/en/glsa/glsa-200411-12.xml
new file mode 100644
index 00000000..f12f1f83
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-12.xml
@@ -0,0 +1,67 @@
+ + + + + + + zgv: Multiple buffer overflows + + zgv contains multiple buffer overflows that can potentially lead to the + execution of arbitrary code. + + zgv + November 07, 2004 + May 22, 2006: 02 + 69150 + remote + + + 5.8 + 5.8 + + + +

+ zgv is a console image viewer based on svgalib. +

+
+ +

+ Multiple arithmetic overflows have been detected in the image + processing code of zgv. +

+
+ +

+ An attacker could entice a user to open a specially-crafted image file, + potentially resulting in execution of arbitrary code with the rights of + the user running zgv. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All zgv users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/zgv-5.8" +
+ + BugTraq Advisory + CVE-2004-1095 + + + lewk + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-13.xml b/xml/htdocs/security/en/glsa/glsa-200411-13.xml
new file mode 100644
index 00000000..1b699e0f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-13.xml
@@ -0,0 +1,85 @@
+ + + + + + + Portage, Gentoolkit: Temporary file vulnerabilities + + dispatch-conf (included in Portage) and qpkg (included in Gentoolkit) are + vulnerable to symlink attacks, potentially allowing a local user to + overwrite arbitrary files with the rights of the user running the script. + + portage gentoolkit + November 07, 2004 + May 22, 2006: 02 + 68846 + 69147 + local + + + 2.0.51-r3 + 2.0.51-r2 + + + 0.2.0_pre10-r1 + 0.2.0_pre8-r1 + 0.2.0_pre10 + + + +

+ Portage is Gentoo's package management tool. The dispatch-conf utility + allows for easy rollback of configuration file changes and automatic + updates of configurations files never modified by users. Gentoolkit is + a collection of Gentoo specific administration scripts, one of which is + the portage querying tool qpkg. +

+
+ +

+ dispatch-conf and qpkg use predictable filenames for temporary files. +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When + an affected script is called, this would result in the file to be + overwritten with the rights of the user running the dispatch-conf or + qpkg, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Portage users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/portage-2.0.51-r3" +

+ All Gentoolkit users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-portage/gentoolkit-0.2.0_pre8-r1" +
+ + CVE-2004-1107 + CVE-2004-1108 + + + koon + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-14.xml b/xml/htdocs/security/en/glsa/glsa-200411-14.xml
new file mode 100644
index 00000000..960d6d9a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-14.xml
@@ -0,0 +1,83 @@
+ + + + + + + Kaffeine, gxine: Remotely exploitable buffer overflow + + Kaffeine and gxine both contain a buffer overflow that can be exploited + when accessing content from a malicious HTTP server with specially crafted + headers. + + kaffeine gxine + November 07, 2004 + May 22, 2006: 02 + 69663 + 70055 + remote + + + 0.5_rc1-r1 + 0.4.3b-r1 + 0.5_rc1-r1 + + + 0.3.3-r1 + 0.3.3-r1 + + + +

+ Kaffeine and gxine are graphical front-ends for xine-lib multimedia + library. +

+
+ +

+ KF of Secure Network Operations has discovered an overflow that occurs + during the Content-Type header processing of Kaffeine. The vulnerable + code in Kaffeine is reused from gxine, making gxine vulnerable as well. +

+
+ +

+ An attacker could create a specially-crafted Content-type header from a + malicious HTTP server, and crash a user's instance of Kaffeine or + gxine, potentially allowing the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Kaffeine users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/kaffeine-0.4.3b-r1" +

+ All gxine users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/gxine-0.3.3-r1" +
+ + SecurityTracker Advisory + gxine Bug Report + CVE-2004-1034 + + + koon + + + lewk + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-15.xml b/xml/htdocs/security/en/glsa/glsa-200411-15.xml
new file mode 100644
index 00000000..5a56055e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-15.xml
@@ -0,0 +1,91 @@
+ + + + + + + OpenSSL, Groff: Insecure tempfile handling + + groffer, included in the Groff package, and the der_chop script, included + in the OpenSSL package, are both vulnerable to symlink attacks, potentially + allowing a local user to overwrite arbitrary files with the rights of the + user running the utility. + + OpenSSL + November 08, 2004 + August 23, 2006: 02 + 68404 + 68407 + local + + + 0.9.7d-r2 + 0.9.7d-r2 + + + 1.19.1-r2 + 1.18.1.1 + 1.19.1-r2 + + + +

+ OpenSSL is a toolkit implementing the Secure Sockets Layer and + Transport Layer Security protocols as well as a general-purpose + cryptography library. It includes the der_chop script, which is used to + convert DER-encoded certificates to PEM format. Groff (GNU Troff) is a + typesetting package which reads plain text mixed with formatting + commands and produces formatted output. It includes groffer, a command + used to display groff files and man pages on X and tty. +

+
+ +

+ groffer and the der_chop script create temporary files in + world-writeable directories with predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When + groffer or der_chop is executed, this would result in the file being + overwritten with the rights of the user running the utility, which + could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Groff users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose sys-apps/groff +

+ All OpenSSL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.7d-r2" +

+ Note: /etc/ssl/misc/der_chop is protected by Portage as a configuration + file. Don't forget to use etc-update and overwrite the old version with + the new one. +

+
+ + CAN-2004-0969 + CAN-2004-0975 + + + koon + + + koon + +
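Review bot: The Groff resolution in glsa-200411-15 runs `# emerge --ask --oneshot --verbose sys-apps/groff` with no version atom, while the header lists 1.19.1-r2 as the unaffected version and every other resolution block in this commit pins the fixed version with a `>=` atom. A reader following the command as written has no stated guarantee that the installed groff reaches the fix; `# emerge --ask --oneshot --verbose ">=sys-apps/groff-1.19.1-r2"` would make it consistent with the OpenSSL block that follows. The product line of this advisory also reads only `OpenSSL` although Groff is the second affected package; glsa-200411-13 appears to list both packages (`portage gentoolkit`) in the same field, but with the markup stripped in this view I cannot confirm that the field accepts several names.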
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-16.xml b/xml/htdocs/security/en/glsa/glsa-200411-16.xml
new file mode 100644
index 00000000..e6c006bd
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-16.xml
@@ -0,0 +1,68 @@
+ + + + + + + zip: Path name buffer overflow + + zip contains a buffer overflow when creating a ZIP archive of files with + very long path names. This could lead to the execution of arbitrary code. + + zip + November 09, 2004 + May 22, 2006: 02 + 70227 + remote + + + 2.3-r4 + 2.3-r3 + + + +

+ zip is a compression and file packaging utility. +

+
+ +

+ zip does not check the resulting path length when doing recursive + folder compression. +

+
+ +

+ An attacker could exploit this by enticing another user or web + application to create an archive including a specially-crafted path + name, potentially resulting in the execution of arbitrary code with the + permissions of the user running zip. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All zip users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/zip-2.3-r4" +
+ + HexView zip Advisory + CVE-2004-1010 + + + koon + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-17.xml b/xml/htdocs/security/en/glsa/glsa-200411-17.xml
new file mode 100644
index 00000000..bdd34612
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-17.xml
@@ -0,0 +1,70 @@
+ + + + + + + mtink: Insecure tempfile handling + + mtink is vulnerable to symlink attacks, potentially allowing a local user + to overwrite arbitrary files with the rights of the user running the + utility. + + mtink + November 09, 2004 + May 22, 2006: 02 + 70310 + local + + + 1.0.5 + 1.0.5 + + + +

+ mtink is a status monitor and inkjet cartridge changer for some Epson + printers. +

+
+ +

+ Tavis Ormandy from Gentoo Linux discovered that mtink uses insecure + permissions on temporary files. +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When + mtink is executed, this would result in the file being overwritten with + the rights of the user running the utility, which could be the root + user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mtink users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/mtink-1.0.5" +
+ + CVE-2004-1110 + + + jaervosz + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-18.xml b/xml/htdocs/security/en/glsa/glsa-200411-18.xml
new file mode 100644
index 00000000..cd323ca5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-18.xml
@@ -0,0 +1,62 @@
+ + + + + + + Apache 2.0: Denial of Service by memory consumption + + A flaw in Apache 2.0 could allow a remote attacker to cause a Denial of + Service. + + apache + November 10, 2004 + December 30, 2007: 02 + 70138 + remote + + + 2.0.52-r1 + 2.0 + 2.0.52-r1 + + + +

+ The Apache HTTP Server is one of the most popular web servers on the Internet. +

+
+ +

+ Chintan Trivedi discovered a vulnerability in Apache httpd 2.0 that is caused by improper enforcing of the field length limit in the header-parsing code. +

+
+ +

+ By sending a large amount of specially-crafted HTTP GET requests a remote attacker could cause a Denial of Service of the targeted system. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache 2.0 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/apache-2.0.52-r1" +
+ + CAN-2004-0942 + Security vulnerabilities in Apache httpd 2.0 + + + vorlon078 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-19.xml b/xml/htdocs/security/en/glsa/glsa-200411-19.xml
new file mode 100644
index 00000000..3173207f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-19.xml
@@ -0,0 +1,65 @@
+ + + + + + + Pavuk: Multiple buffer overflows + + Pavuk contains multiple buffer overflows that can allow a remote attacker + to run arbitrary code. + + pavuk + November 10, 2004 + November 10, 2004: 01 + 70516 + remote + + + 0.9.31 + 0.9.31 + + + +

+ Pavuk is web spider and website mirroring tool. +

+
+ +

+ Pavuk contains several buffer overflow vulnerabilities in the code handling digest authentication and HTTP header processing. This issue is similar to GLSA 200407-19, but contains more vulnerabilities. +

+
+ +

+ A remote attacker could cause a buffer overflow, leading to arbitrary code execution with the rights of the user running Pavuk. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Pavuk users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/pavuk-0.9.31" +
+ + GLSA-200407-19 + SA13120 + CAN-2004-0456 + + + jaervosz + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-20.xml b/xml/htdocs/security/en/glsa/glsa-200411-20.xml
new file mode 100644
index 00000000..838c3d89
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-20.xml
@@ -0,0 +1,61 @@
+ + + + + + + ez-ipupdate: Format string vulnerability + + ez-ipupdate contains a format string vulnerability that could lead to + execution of arbitrary code. + + ez-ipupdate + November 11, 2004 + November 11, 2004: 01 + 69658 + remote + + + 3.0.11_beta8-r1 + 3.0.11_beta8 + + + +

+ ez-ipupdate is a utility for updating host name information for a large number of dynamic DNS services. +

+
+ +

+ Ulf Harnhammar from the Debian Security Audit Project discovered a format string vulnerability in ez-ipupdate. +

+
+ +

+ An attacker could exploit this to execute arbitrary code with the permissions of the user running ez-ipupdate, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ez-ipupdate users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/ez-ipupdate-3.0.11_beta8-r1" +
+ + CAN-2004-0980 + Full Disclosure Announcement + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-21.xml b/xml/htdocs/security/en/glsa/glsa-200411-21.xml
new file mode 100644
index 00000000..eb612d24
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-21.xml
@@ -0,0 +1,76 @@
+ + + + + + + Samba: Multiple vulnerabilities + + Samba is vulnerable to a buffer overflow that could lead to execution of + arbitrary code (CAN-2004-0882). Another flaw in Samba may allow a remote + attacker to cause a Denial of Service by excessive consumption of CPU + cycles (CAN-2004-0930). + + samba + November 11, 2004 + November 15, 2004: 02 + 70429 + remote + + + 3.0.8 + 3.0 + 3.0.8 + + + +

+ Samba is a freely available SMB/CIFS implementation which allows + seamless interoperability of file and print services to other SMB/CIFS + clients. +

+
+ +

+ Samba fails to do proper bounds checking when handling + TRANSACT2_QFILEPATHINFO replies. Additionally an input validation flaw + exists in ms_fnmatch.c when matching filenames that contain wildcards. +

+
+ +

+ An attacker may be able to execute arbitrary code with the permissions + of the user running Samba. A remote attacker may also be able to cause + an abnormal consumption of CPU resources, resulting in slower + performance of the server or even a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Samba users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-3.0.8" +
+ + Samba Security Announcement + CAN-2004-0930 + CAN-2004-0882 + E-Matters Advisory 13/2004 + + + koon + + + koon + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-22.xml b/xml/htdocs/security/en/glsa/glsa-200411-22.xml
new file mode 100644
index 00000000..5db9dfb0
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-22.xml
@@ -0,0 +1,82 @@
+ + + + + + + Davfs2, lvm-user: Insecure tempfile handling + + Davfs2 and the lvmcreate_initrd script (included in the lvm-user package) + are both vulnerable to symlink attacks, potentially allowing a local user + to overwrite arbitrary files with the rights of the user running them. + + davfs2 + November 11, 2004 + November 11, 2004: 01 + 68406 + 69149 + local + + + 0.2.2-r1 + 0.2.2-r1 + + + 1.0.7-r2 + 1.0.7-r2 + + + +

+ Davfs2 is a file system driver that allows you to mount a WebDAV + server as a local disk drive. lvm-user is a package providing userland + utilities for LVM (Logical Volume Management) 1.x features. +

+
+ +

+ Florian Schilhabel from the Gentoo Linux Security Audit Team found + that Davfs2 insecurely created .pid files in /tmp. Furthermore, Trustix + Secure Linux found that the lvmcreate_initrd script, included in the + lvm-user Gentoo package, also creates temporary files in + world-writeable directories with predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary + files directory, pointing to a valid file somewhere on the filesystem. + When Davfs2 or lvmcreate_initrd is called, this would result in the + file being overwritten with the rights of the user running the + software, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Davfs2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/davfs2-0.2.2-r1" +

+ All lvm-user users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-fs/lvm-user-1.0.7-r2" +
+ + CAN-2004-0972 + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-23.xml b/xml/htdocs/security/en/glsa/glsa-200411-23.xml
new file mode 100644
index 00000000..fcb36703
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-23.xml
@@ -0,0 +1,75 @@
+ + + + + + + Ruby: Denial of Service issue + + The CGI module in Ruby can be sent into an infinite loop, resulting in a + Denial of Service condition. + + Ruby + November 16, 2004 + November 16, 2004: 01 + 69985 + remote + + + 1.6.8-r12 + 1.8.2_pre3 + 1.8.2_pre3 + + + +

+ Ruby is an interpreted scripting language for quick and easy + object-oriented programming. Ruby's CGI module can be used to build web + applications. +

+
+ +

+ Ruby's developers found and fixed an issue in the CGI module that + can be triggered remotely and cause an infinite loop. +

+
+ +

+ A remote attacker could trigger the vulnerability through an + exposed Ruby web application and cause the server to use unnecessary + CPU resources, potentially resulting in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ruby 1.6.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.6.8-r12" +

+ All Ruby 1.8.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.2_pre3" +
+ + CAN-2004-0983 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-24.xml b/xml/htdocs/security/en/glsa/glsa-200411-24.xml
new file mode 100644
index 00000000..f18149b2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-24.xml
@@ -0,0 +1,67 @@
+ + + + + + + BNC: Buffer overflow vulnerability + + BNC contains a buffer overflow vulnerability that may lead to Denial of + Service and execution of arbitrary code. + + BNC + November 16, 2004 + November 16, 2004: 01 + 70674 + remote + + + 2.9.1 + 2.9.1 + + + +

+ BNC (BouNCe) is an IRC proxy server. +

+
+ +

+ Leon Juranic discovered that BNC fails to do proper bounds + checking when checking server response. +

+
+ +

+ An attacker could exploit this to cause a Denial of Service and + potentially execute arbitary code with the permissions of the user + running BNC. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All BNC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/bnc-2.9.1" +
+ + BNC ChangeLog + LSS-2004-11-03 + + + lewk + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-25.xml b/xml/htdocs/security/en/glsa/glsa-200411-25.xml
new file mode 100644
index 00000000..05174c69
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-25.xml
@@ -0,0 +1,73 @@
+ + + + + + + SquirrelMail: Encoded text XSS vulnerability + + Squirrelmail fails to properly sanitize user input, which could lead to a + compromise of webmail accounts. + + SquirrelMail + November 17, 2004 + May 22, 2006: 02 + 70739 + remote + + + 1.4.3a-r2 + 1.4.3a-r2 + + + +

+ SquirrelMail is a webmail package written in PHP. It supports IMAP and + SMTP, and can optionally be installed with SQL support. +

+
+ +

+ SquirrelMail fails to properly sanitize certain strings when decoding + specially-crafted headers. +

+
+ +

+ By enticing a user to read a specially-crafted e-mail, an attacker can + execute arbitrary scripts running in the context of the victim's + browser. This could lead to a compromise of the user's webmail account, + cookie theft, etc. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SquirrelMail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.3a-r2" +

+ Note: Users with the vhosts USE flag set should manually use + webapp-config to finalize the update. +

+
+ + SquirrelMail Advisory + CVE-2004-1036 + + + jaervosz + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-26.xml b/xml/htdocs/security/en/glsa/glsa-200411-26.xml
new file mode 100644
index 00000000..fbc81a6d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-26.xml
@@ -0,0 +1,90 @@
+ + + + + + + GIMPS, SETI@home, ChessBrain: Insecure installation + + Improper file ownership allows user-owned files to be run with root + privileges by init scripts. + + GIMPS,SETI@home,ChessBrain + November 17, 2004 + May 22, 2006: 03 + 69868 + local + + + 23.9-r1 + 23.9 + + + 3.08-r4 + 3.03-r2 + 3.08-r3 + + + 20407-r1 + 20407 + + + +

+ GIMPS is a client for the distributed Great Internet Mersenne Prime + Search. SETI@home is the client for the Search for Extraterrestrial + Intelligence (SETI) project. ChessBrain is the client for the + distributed chess supercomputer. +

+
+ +

+ GIMPS, SETI@home and ChessBrain ebuilds install user-owned binaries and + init scripts which are executed with root privileges. +

+
+ +

+ This could lead to a local privilege escalation or root compromise. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GIMPS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-misc/gimps-23.9-r1" +

+ All SETI@home users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-misc/setiathome-3.03-r2" +

+ All ChessBrain users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-misc/chessbrain-20407-r1" +
+ + CVE-2004-1115 + CVE-2004-1116 + CVE-2004-1117 + + + jaervosz + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-27.xml b/xml/htdocs/security/en/glsa/glsa-200411-27.xml
new file mode 100644
index 00000000..e42743f2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-27.xml
@@ -0,0 +1,75 @@
+ + + + + + + Fcron: Multiple vulnerabilities + + Multiple vulnerabilities in Fcron can allow a local user to potentially + cause a Denial of Service. + + fcron + November 18, 2004 + November 18, 2004: 01 + 71311 + local + + + 2.0.2 + 2.9.5.1 + 2.9.5 + + + +

+ Fcron is a command scheduler with extended capabilities over cron + and anacron. +

+
+ +

+ Due to design errors in the fcronsighup program, Fcron may allow a + local user to bypass access restrictions (CAN-2004-1031), view the + contents of root owned files (CAN-2004-1030), remove arbitrary files or + create empty files (CAN-2004-1032), and send a SIGHUP to any process. A + vulnerability also exists in fcrontab which may allow local users to + view the contents of fcron.allow and fcron.deny (CAN-2004-1033). +

+
+ +

+ A local attacker could exploit these vulnerabilities to perform a + Denial of Service on the system running Fcron. +

+
+ +

+ Make sure the fcronsighup and fcrontab binaries are only + executable by trusted users. +

+
+ +

+ All Fcron users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-process/fcron-2.0.2" +
+ + CAN-2004-1030 + CAN-2004-1031 + CAN-2004-1032 + CAN-2004-1033 + + + lewk + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-28.xml b/xml/htdocs/security/en/glsa/glsa-200411-28.xml
new file mode 100644
index 00000000..dcdf0029
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-28.xml
@@ -0,0 +1,79 @@
+ + + + + + + X.Org, XFree86: libXpm vulnerabilities + + libXpm contains several vulnerabilities that could lead to a Denial of + Service and arbitrary code execution. + + X.Org, XFree86 + November 19, 2004 + November 19, 2004: 01 + 68544 + remote + + + 6.8.0-r3 + 6.7.0-r3 + 6.8.0-r3 + + + 4.3.0-r8 + 4.3.0-r8 + + + +

+ libXpm is a pixmap manipulation library for the X Window System, + included in both X.Org and XFree86. +

+
+ +

+ Several issues were discovered in libXpm, including integer + overflows, out-of-bounds memory accesses, insecure path traversal and + an endless loop. +

+
+ +

+ An attacker could craft a malicious pixmap file and entice a user + to use it with an application linked against libXpm. This could lead to + Denial of Service or arbitrary code execution. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All X.Org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-base/xorg-x11-6.7.0-r3" +

+ All XFree86 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-base/xfree-x11-4.3.0-r8" +
+ + CAN-2004-0914 + + + jaervosz + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-29.xml b/xml/htdocs/security/en/glsa/glsa-200411-29.xml
new file mode 100644
index 00000000..1cf979aa
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-29.xml
@@ -0,0 +1,71 @@
+ + + + + + + unarj: Long filenames buffer overflow and a path traversal vulnerability + + unarj contains a buffer overflow and a directory traversal vulnerability. + This could lead to overwriting of arbitrary files or the execution of + arbitrary code. + + unarj + November 19, 2004 + November 19, 2004: 01 + 70966 + remote + + + 2.63a-r2 + 2.63a-r2 + + + +

+ unarj is an ARJ archive decompressor. +

+
+ +

+ unarj has a bounds checking vulnerability within the handling of + long filenames in archives. It also fails to properly sanitize paths + when extracting an archive (if the "x" option is used to preserve + paths). +

+
+ +

+ An attacker could trigger a buffer overflow or a path traversal by + enticing a user to open an archive containing specially-crafted path + names, potentially resulting in the overwrite of files or execution of + arbitrary code with the permissions of the user running unarj. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All unarj users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/unarj-2.63a-r2" +
+ + CAN-2004-0947 + CAN-2004-1027 + + + jaervosz + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-30.xml b/xml/htdocs/security/en/glsa/glsa-200411-30.xml
new file mode 100644
index 00000000..ad6a110a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-30.xml
@@ -0,0 +1,66 @@
+ + + + + + + pdftohtml: Vulnerabilities in included Xpdf + + pdftohtml includes vulnerable Xpdf code to handle PDF files, making it + vulnerable to execution of arbitrary code upon converting a malicious PDF + file. + + pdftohtml + November 23, 2004 + November 23, 2004: 01 + 69019 + remote + + + 0.36-r1 + 0.36 + + + +

+ pdftohtml is a utility to convert PDF files to HTML or XML + formats. It makes use of Xpdf code to decode PDF files. +

+
+ +

+ Xpdf is vulnerable to multiple integer overflows, as described in + GLSA 200410-20. +

+
+ +

+ An attacker could entice a user to convert a specially-crafted PDF + file, potentially resulting in execution of arbitrary code with the + rights of the user running pdftohtml. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All pdftohtml users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/pdftohtml-0.36-r1" +
+ + GLSA 200410-20 + CAN-2004-0888 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-31.xml b/xml/htdocs/security/en/glsa/glsa-200411-31.xml
new file mode 100644
index 00000000..c410c894
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-31.xml
@@ -0,0 +1,69 @@
+ + + + + + + ProZilla: Multiple vulnerabilities + + ProZilla contains several buffer overflow vulnerabilities that can be + exploited by a malicious server to execute arbitrary code with the rights + of the user running ProZilla. + + ProZilla + November 23, 2004 + May 22, 2006: 03 + 70090 + remote + + + 1.3.7.3 + + + +

+ ProZilla is a download accelerator for Linux. +

+
+ +

+ ProZilla contains several exploitable buffer overflows in the code + handling the network protocols. +

+
+ +

+ A remote attacker could setup a malicious server and entice a user to + retrieve files from that server using ProZilla. This could lead to the + execution of arbitrary code with the rights of the user running + ProZilla. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Currently, there is no released version of ProZilla that contains a fix + for these issues. The original author did not respond to our queries, + the code contains several other problems and more secure alternatives + exist. Therefore, the ProZilla package has been hard-masked prior to + complete removal from Portage, and current users are advised to unmerge + the package. +

+
+ + CVE-2004-1120 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-32.xml b/xml/htdocs/security/en/glsa/glsa-200411-32.xml
new file mode 100644
index 00000000..993af155
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-32.xml
@@ -0,0 +1,98 @@
+ + + + + + + phpBB: Remote command execution + + phpBB contains a vulnerability which allows a remote attacker to execute + arbitrary commands with the rights of the web server user. + + phpBB + November 24, 2004 + May 22, 2006: 02 + 71681 + remote + + + 2.0.11 + 2.0.10 + + + +

+ phpBB is an Open Source bulletin board package. +

+
+ +

+ phpBB contains a vulnerability in the highlighting code and several + vulnerabilities in the username handling code. +

+
+ +

+ An attacker can exploit the highlighting vulnerability to access the + PHP exec() function without restriction, allowing them to run arbitrary + commands with the rights of the web server user (for example the apache + user). Furthermore, the username handling vulnerability might be abused + to execute SQL statements on the phpBB database. +

+
+ +

+ There is a one-line patch which will remediate the remote execution + vulnerability. +

+

+ Locate the following block of code in viewtopic.php: +

+ + // + // Was a highlight request part of the URI? + // + $highlight_match = $highlight = ''; + if (isset($HTTP_GET_VARS['highlight'])) + { + // Split words and phrases + $words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight'])))); + + for($i = 0; $i < sizeof($words); $i++) + { +

+ Replace with the following: +

+ + // + // Was a highlight request part of the URI? + // + $highlight_match = $highlight = ''; + if (isset($HTTP_GET_VARS['highlight'])) + { + // Split words and phrases + $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight']))); + + for($i = 0; $i < sizeof($words); $i++) + { +
+ +

+ All phpBB users should upgrade to the latest version to fix all known + vulnerabilities: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/phpbb-2.0.11" +
+ + phpBB.com Announcement + CVE-2004-1315 + + + klieber + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-33.xml b/xml/htdocs/security/en/glsa/glsa-200411-33.xml
new file mode 100644
index 00000000..38f1696b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-33.xml
@@ -0,0 +1,70 @@
+ + + + + + + TWiki: Arbitrary command execution + + A bug in the TWiki search function allows an attacker to execute arbitrary + commands with the permissions of the user running TWiki. + + www-apps/twiki + November 24, 2004 + September 08, 2006: 02 + 71035 + remote + + + 20040902 + 20000000 + 20040902 + + + +

+ TWiki is a Web-based groupware tool based around the concept of wiki + pages that can be edited by anybody with a Web browser. +

+
+ +

+ The TWiki search function, which uses a shell command executed via the + Perl backtick operator, does not properly escape shell metacharacters + in the user-provided search string. +

+
+ +

+ An attacker can insert malicious commands into a search request, + allowing the execution of arbitrary commands with the privileges of the + user running TWiki (usually the Web server user). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/twiki-20040902" +
+ + TWiki Security Alert + CAN-2004-1037 + + + koon + + + dmargoli + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-34.xml b/xml/htdocs/security/en/glsa/glsa-200411-34.xml
new file mode 100644
index 00000000..dea4f274
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-34.xml
@@ -0,0 +1,74 @@
+ + + + + + + Cyrus IMAP Server: Multiple remote vulnerabilities + + The Cyrus IMAP Server contains multiple vulnerabilities which could lead to + remote execution of arbitrary code. + + cyrus-imapd + November 25, 2004 + November 25, 2004: 01 + 72194 + remote + + + 2.2.10 + 2.2.10 + + + +

+ The Cyrus IMAP Server is an efficient, highly-scalable IMAP e-mail + server. +

+
+ +

+ Multiple vulnerabilities have been discovered in the argument + parsers of the 'partial' and 'fetch' commands of the Cyrus IMAP Server + (CAN-2004-1012, CAN-2004-1013). There are also buffer overflows in the + 'imap magic plus' code that are vulnerable to exploitation as well + (CAN-2004-1011, CAN-2004-1015). +

+
+ +

+ An attacker can exploit these vulnerabilities to execute arbitrary + code with the rights of the user running the Cyrus IMAP Server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cyrus-IMAP Server users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.2.10" +
+ + CAN-2004-1011 + CAN-2004-1012 + CAN-2004-1013 + CAN-2004-1015 + e-matters Advisory + Cyrus IMAP Server ChangeLog + + + koon + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-35.xml b/xml/htdocs/security/en/glsa/glsa-200411-35.xml
new file mode 100644
index 00000000..00c07bd8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-35.xml
@@ -0,0 +1,68 @@
+ + + + + + + phpWebSite: HTTP response splitting vulnerability + + phpWebSite is vulnerable to possible HTTP response splitting attacks. + + phpwebsite + November 26, 2004 + May 22, 2006: 03 + 71502 + remote + + + 0.9.3_p4-r2 + 0.9.3_p4-r2 + + + +

+ phpWebSite is a web site content management system. +

+
+ +

+ Due to lack of proper input validation, phpWebSite has been found to be + vulnerable to HTTP response splitting attacks. +

+
+ +

+ A malicious user could inject arbitrary response data, leading to + content spoofing, web cache poisoning and other cross-site scripting or + HTTP response splitting attacks. This could result in compromising the + victim's data or browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpWebSite users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/phpwebsite-0.9.3_p4-r2" +
+ + BugTraq Posting + phpWebSite Announcement + CVE-2004-1516 + + + lewk + + + koon + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-36.xml b/xml/htdocs/security/en/glsa/glsa-200411-36.xml
new file mode 100644
index 00000000..1839174a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-36.xml
@@ -0,0 +1,71 @@
+ + + + + + + phpMyAdmin: Multiple XSS vulnerabilities + + phpMyAdmin is vulnerable to cross-site scripting attacks. + + phpmyadmin + November 27, 2004 + November 27, 2004: 01 + 71819 + remote + + + 2.6.0_p3 + 2.6.0_p3 + + + +

+ phpMyAdmin is a tool written in PHP intended to handle the + administration of MySQL databases from a web-browser. +

+
+ +

+ Cedric Cochin has discovered multiple cross-site scripting + vulnerabilities in phpMyAdmin. These vulnerabilities can be exploited + through the PmaAbsoluteUri parameter, the zero_rows parameter in + read_dump.php, the confirm form, or an error message generated by the + internal phpMyAdmin parser. +

+
+ +

+ By sending a specially-crafted request, an attacker can inject and + execute malicious script code, potentially compromising the victim's + browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpMyAdmin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.0_p3" +
+ + CAN-2004-1055 + PMASA-2004-3 + netVigilance Advisory + + + jaervosz + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-37.xml b/xml/htdocs/security/en/glsa/glsa-200411-37.xml
new file mode 100644
index 00000000..78eca696
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-37.xml
@@ -0,0 +1,64 @@
+ + + + + + + Open DC Hub: Remote code execution + + Open DC Hub contains a buffer overflow that can be exploited to allow + remote code execution. + + opendchub + November 28, 2004 + May 22, 2006: 02 + 72371 + remote + + + 0.7.14-r2 + 0.7.14-r2 + + + +

+ Open DC Hub is the hub software for the Direct Connect file sharing + network. +

+
+ +

+ Donato Ferrante discovered a buffer overflow vulnerability in the + RedirectAll command of the Open DC Hub. +

+
+ +

+ Upon exploitation, a remote user with administrative privileges can + execute arbitrary code on the system running the Open DC Hub. +

+
+ +

+ Only give administrative rights to trusted users. +

+
+ +

+ All Open DC Hub users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/opendchub-0.7.14-r2" +
+ + Full-Disclosure Advisory + CVE-2004-1127 + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200411-38.xml b/xml/htdocs/security/en/glsa/glsa-200411-38.xml
new file mode 100644
index 00000000..baeddb85
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200411-38.xml
@@ -0,0 +1,107 @@
+ + + + + + + Sun and Blackdown Java: Applet privilege escalation + + The Java plug-in security in Sun and Blackdown Java environments can be + bypassed to access arbitrary packages, allowing untrusted Java applets to + perform unrestricted actions on the host system. + + Java + November 29, 2004 + May 31, 2006: 02 + 72172 + 72221 + remote + + + 1.4.2.06 + 1.4.2.06 + + + 1.4.2.06 + 1.4.2.06 + + + 1.4.2.01 + 1.4.2.01 + + + 1.4.2.01 + 1.4.2.01 + + + +

+ Sun and Blackdown both provide implementations of Java Development Kits + (JDK) and Java Runtime Environments (JRE). All these implementations + provide a Java plug-in that can be used to execute Java applets in a + restricted environment for web browsers. +

+
+ +

+ All Java plug-ins are subject to a vulnerability allowing unrestricted + Java package access. +

+
+ +

+ A remote attacker could embed a malicious Java applet in a web page and + entice a victim to view it. This applet can then bypass security + restrictions and execute any command or access any file with the rights + of the user running the web browser. +

+
+ +

+ As a workaround you could disable Java applets on your web browser. +

+
+ +

+ All Sun JDK users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.4.2.06" +

+ All Sun JRE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.4.2.06" +

+ All Blackdown JDK users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/blackdown-jdk-1.4.2.01" +

+ All Blackdown JRE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/blackdown-jre-1.4.2.01" +

+ Note: You should unmerge all vulnerable versions to be fully protected. +

+
+ + iDEFENSE Security Advisory 11.22.04 + CAN-2004-1029 + Blackdown Security Advisory 2004-01 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-01.xml b/xml/htdocs/security/en/glsa/glsa-200412-01.xml
new file mode 100644
index 00000000..f5909d83
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200412-01.xml
@@ -0,0 +1,85 @@
+ + + + + + + rssh, scponly: Unrestricted command execution + + rssh and scponly do not filter command-line options that can be exploited + to execute any command, thereby allowing a remote user to completely bypass + the restricted shell. + + scponly + December 03, 2004 + May 22, 2006: 03 + 72815 + 72816 + remote + + + 4.0 + 4.0 + + + 2.2.3 + 2.2.2 + + + +

+ rssh and scponly are two restricted shells, allowing only a few + predefined commands. They are often used as a complement to OpenSSH to + provide access to remote users without providing any remote execution + privileges. +

+
+ +

+ Jason Wies discovered that when receiving an authorized command from an + authorized user, rssh and scponly do not filter command-line options + that can be used to execute any command on the target host. +

+
+ +

+ Using a malicious command, it is possible for a remote authenticated + user to execute any command (or upload and execute any file) on the + target machine with user rights, effectively bypassing any restriction + of scponly or rssh. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All scponly users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/scponly-4.0" +

+ All rssh users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-shells/rssh/rssh-2.2.3" +
+ + BugTraq Posting + CVE-2004-1161 + CVE-2004-1162 + + + koon + + + koon + + + koon + +
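Review bot: The rssh upgrade command in this hunk quotes the atom `>=app-shells/rssh/rssh-2.2.3`, which has three path components; a Portage atom is category/package-version, so the package name looks doubled and emerge would not resolve it as written. Every other resolution on this page uses the two-component form, and the scponly command a few lines above in the same hunk does too. Unless the extra `rssh/` is intentional, the line should read `# emerge --ask --oneshot --verbose ">=app-shells/rssh-2.2.3"`.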
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-02.xml b/xml/htdocs/security/en/glsa/glsa-200412-02.xml
new file mode 100644
index 00000000..bbaec224
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200412-02.xml
@@ -0,0 +1,69 @@
+ + + + + + + PDFlib: Multiple overflows in the included TIFF library + + PDFlib is vulnerable to multiple overflows, which can potentially lead to + the execution of arbitrary code. + + PDFlib + December 05, 2004 + December 05, 2004: 01 + 69043 + remote + + + 5.0.4_p1 + 5.0.4_p1 + + + +

+ PDFlib is a library providing functions to handle PDF files. It + includes a modified TIFF library used to process TIFF images. +

+
+ +

+ The TIFF library is subject to several known vulnerabilities (see + GLSA 200410-11). Most of these overflows also apply to PDFlib. +

+
+ +

+ A remote attacker could entice a user or web application to + process a carefully crafted PDF file or TIFF image using a + PDFlib-powered program. This can potentially lead to the execution of + arbitrary code with the rights of the program processing the file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PDFlib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/pdflib-5.0.4_p1" +
+ + PDFlib ChangeLog + CAN-2004-0803 + CAN-2004-0804 + CAN-2004-0886 + GLSA 200410-11 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-03.xml b/xml/htdocs/security/en/glsa/glsa-200412-03.xml
new file mode 100644
index 00000000..c7f311bd
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200412-03.xml
@@ -0,0 +1,68 @@
+ + + + + + + imlib: Buffer overflows in image decoding + + Multiple overflows have been found in the imlib library image decoding + routines, potentially allowing execution of arbitrary code. + + imlib + December 06, 2004 + December 06, 2004: 01 + 72681 + remote + + + 1.9.14-r3 + 1.9.14-r2 + + + +

+ imlib is an advanced replacement library for image manipulation + libraries like libXpm. It is called by numerous programs, including + gkrellm and several window managers, to help in displaying images. +

+
+ +

+ Pavel Kankovsky discovered that several overflows found in the + libXpm library (see GLSA 200409-34) also applied to imlib. He also + fixed a number of other potential flaws. +

+
+ +

+ A remote attacker could entice a user to view a carefully-crafted + image file, which would potentially lead to execution of arbitrary code + with the rights of the user viewing the image. This affects any program + that makes use of the imlib library. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All imlib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/imlib-1.9.14-r3" +
+ + GLSA 200409-34 + CAN-2004-1026 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-04.xml b/xml/htdocs/security/en/glsa/glsa-200412-04.xml
new file mode 100644
index 00000000..48edb080
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200412-04.xml
@@ -0,0 +1,69 @@
+ + + + + + + Perl: Insecure temporary file creation + + Perl is vulnerable to symlink attacks, potentially allowing a local user to + overwrite arbitrary files. + + perl + December 07, 2004 + December 07, 2004: 01 + 66360 + local + + + 5.8.5-r2 + 5.8.6-r1 + 5.8.5-r2 + 5.8.6 + + + +

+ Perl is a stable, cross-platform programming language created by + Larry Wall. +

+
+ +

+ Some Perl modules create temporary files in world-writable + directories with predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary + files directory, pointing to a valid file somewhere on the filesystem. + When a Perl script is executed, this would result in the file being + overwritten with the rights of the user running the utility, which + could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Perl users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=perl-5.8.5-r2" +
+ + CAN-2004-0976 + Trustix Advisory #2004-0050 + + + lewk + + + lewk + +
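Review bot: The upgrade command in this hunk quotes `>=perl-5.8.5-r2` without a category, while every other advisory on this page gives the full category/package atom. emerge resolves a bare package name only when it is unambiguous in the tree, so this is fragile and inconsistent with the house style; presumably the intended atom is `>=dev-lang/perl-5.8.5-r2`, to be confirmed against the tree. Giving the category also makes the command match the unaffected versions listed in the header.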
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-05.xml b/xml/htdocs/security/en/glsa/glsa-200412-05.xml
new file mode 100644
index 00000000..e1d3e27f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200412-05.xml
@@ -0,0 +1,65 @@
+ + + + + + + mirrorselect: Insecure temporary file creation + + mirrorselect is vulnerable to symlink attacks, potentially allowing a local + user to overwrite arbitrary files. + + mirrorselect + December 07, 2004 + May 22, 2006: 04 + 73545 + local + + + 0.89 + 0.89 + + + +

+ mirrorselect is a tool to help select distfiles mirrors for Gentoo. +

+
+ +

+ Ervin Nemeth discovered that mirrorselect creates temporary files in + world-writable directories with predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When + mirrorselect is executed, this would result in the file being + overwritten with the rights of the user running the utility, which + could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mirrorselect users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-portage/mirrorselect-0.89" +
+ + CVE-2004-1167 + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-06.xml b/xml/htdocs/security/en/glsa/glsa-200412-06.xml
new file mode 100644
index 00000000..67b3e0db
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200412-06.xml
@@ -0,0 +1,68 @@
+ + + + + + + PHProjekt: setup.php vulnerability + + PHProjekt contains a vulnerability in the setup procedure allowing remote + users without admin rights to change the configuration. + + PHProjekt + December 10, 2004 + December 10, 2004: 01 + 73021 + remote + + + 4.2-r1 + 4.2-r1 + + + +

+ PHProjekt is a modular groupware web application used to + coordinate group activities and share files. +

+
+ +

+ Martin Muench, from it.sec, found a flaw in the setup.php file. +

+
+ +

+ Successful exploitation of the flaw allows a remote attacker + without admin rights to make unauthorized changes to PHProjekt + configuration. +

+
+ +

+ As a workaround, you could replace the existing setup.php file in + PHProjekt root directory by the one provided on the PHProjekt Advisory + (see References). +

+
+ +

+ All PHProjekt users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/phprojekt-4.2-r1" +
+ + PHProjekt Advisory + + + vorlon078 + + + koon + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-07.xml b/xml/htdocs/security/en/glsa/glsa-200412-07.xml
new file mode 100644
index 00000000..a710f815
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200412-07.xml
@@ -0,0 +1,66 @@
+ + + + + + + file: Arbitrary code execution + + The code for parsing ELF headers in file contains a flaw which may allow an + attacker to execute arbitrary code. + + file + December 13, 2004 + May 22, 2006: 02 + 72521 + remote + + + 4.12 + 4.12 + + + +

+ file is a utility used to identify the type of a file. +

+
+ +

+ A possible stack overflow has been found in the ELF header parsing code + of file. +

+
+ +

+ An attacker may be able to create a specially crafted ELF file which, + when processed with file, may allow the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All file users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/file-4.12" +
+ + SecurityTracker Alert ID 1012433 + CVE-2004-1304 + + + koon + + + koon + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-08.xml b/xml/htdocs/security/en/glsa/glsa-200412-08.xml
new file mode 100644
index 00000000..c56c69d2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200412-08.xml
@@ -0,0 +1,71 @@
+ + + + + + + nfs-utils: Multiple remote vulnerabilities + + Multiple vulnerabilities have been discovered in nfs-utils that could lead + to a Denial of Service, or the execution of arbitrary code. + + nfs-utils + December 14, 2004 + December 14, 2004: 01 + 72113 + remote + + + 1.0.6-r6 + 1.0.6-r6 + + + +

+ nfs-utils is a package containing the client and daemon + implementations for the NFS protocol. +

+
+ +

+ Arjan van de Ven has discovered a buffer overflow on 64-bit + architectures in 'rquota_server.c' of nfs-utils (CAN-2004-0946). A + remotely exploitable flaw on all architectures also exists in the + 'statd.c' file of nfs-utils (CAN-2004-1014), which can be triggered by + a mishandled SIGPIPE. +

+
+ +

+ A remote attacker could potentially cause a Denial of Service, or + even execute arbitrary code (64-bit architectures only) on a remote NFS + server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All nfs-utils users should upgarde to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/nfs-utils-1.0.6-r6" +
+ + CAN-2004-0946 + CAN-2004-1014 + + + koon + + + lewk + + + koon + +
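Review bot: The resolution paragraph in this hunk misspells the verb: `All nfs-utils users should upgarde to the latest version:` should read `All nfs-utils users should upgrade to the latest version:`. This is user-facing advisory text rendered on the security site, and the same sentence is spelled correctly in every other advisory on the page.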
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-09.xml b/xml/htdocs/security/en/glsa/glsa-200412-09.xml
new file mode 100644
index 00000000..e61bb740
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200412-09.xml
@@ -0,0 +1,70 @@
+ + + + + + + ncpfs: Buffer overflow in ncplogin and ncpmap + + ncpfs is vulnerable to a buffer overflow that could lead to local execution + of arbitrary code with elevated privileges. + + ncpfs + December 15, 2004 + December 15, 2004: 01 + 72820 + local + + + 2.2.5 + 2.2.5 + + + +

+ ncpfs is a NCP protocol network filesystem that allows access to + Netware services, for example to mount volumes of NetWare servers or + print to NetWare print queues. +

+
+ +

+ Karol Wiesek discovered a buffer overflow in the handling of the + '-T' option in the ncplogin and ncpmap utilities, which are both + installed as SUID root by default. +

+
+ +

+ A local attacker could trigger the buffer overflow by calling one + of these utilities with a carefully crafted command line, potentially + resulting in execution of arbitrary code with root privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ncpfs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/ncpfs-2.2.5" +
+ + Full Disclosure Advisory + CAN-2004-1079 + + + jaervosz + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-10.xml b/xml/htdocs/security/en/glsa/glsa-200412-10.xml
new file mode 100644
index 00000000..46adfbfb
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200412-10.xml
@@ -0,0 +1,82 @@
+ + + + + + + Vim, gVim: Vulnerable options in modelines + + Several vulnerabilities related to the use of options in modelines have + been found and fixed in Vim. They could potentially result in a local user + escalating privileges. + + vim + December 15, 2004 + December 15, 2004: 01 + 73715 + local + + + 6.3-r2 + 6.3-r2 + + + 6.3-r2 + 6.3-r2 + + + +

+ Vim is an efficient, highly configurable improved version of the + classic 'vi' text editor. gVim is the GUI version of Vim. +

+
+ +

+ Gentoo's Vim maintainer, Ciaran McCreesh, found several + vulnerabilities related to the use of options in Vim modelines. Options + like 'termcap', 'printdevice', 'titleold', 'filetype', 'syntax', + 'backupext', 'keymap', 'patchmode' or 'langmenu' could be abused. +

+
+ +

+ A local attacker could write a malicious file in a world readable + location which, when opened in a modeline-enabled Vim, could trigger + arbitrary commands with the rights of the user opening the file, + resulting in privilege escalation. Please note that modelines are + disabled by default in the /etc/vimrc file provided in Gentoo. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Vim users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/vim-6.3-r2" +

+ All gVim users should also upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/gvim-6.3-r2" +
+ + CAN-2004-1138 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-11.xml b/xml/htdocs/security/en/glsa/glsa-200412-11.xml new file mode 100644 index 00000000..67683885 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-11.xml @@ -0,0 +1,70 @@ + + + + + + + Cscope: Insecure creation of temporary files + + Cscope is vulnerable to symlink attacks, potentially allowing a local user + to overwrite arbitrary files. + + cscope + December 16, 2004 + December 16, 2004: 01 + 71595 + local + + + 15.5-r2 + 15.5-r2 + + + +

+ Cscope is a developer utility used to browse and manage source + code. +

+
+ +

+ Cscope creates temporary files in world-writable directories with + predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary + files directory, pointing to a valid file somewhere on the filesystem. + When Cscope is executed, this would result in the file being + overwritten with the rights of the user running the utility, which + could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cscope users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/cscope-15.5-r2" +
+ + CAN-2004-0996 + BugTraq Advisory + + + lewk + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-12.xml b/xml/htdocs/security/en/glsa/glsa-200412-12.xml new file mode 100644 index 00000000..0127b832 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-12.xml @@ -0,0 +1,71 @@ + + + + + + + Adobe Acrobat Reader: Buffer overflow vulnerability + + Adobe Acrobat Reader is vulnerable to a buffer overflow that could lead to + remote execution of arbitrary code. + + acroread + December 16, 2004 + December 16, 2004: 01 + 74406 + remote + + + 5.10 + 5.10 + + + +

+ Adobe Acrobat Reader is a utility used to view PDF files. +

+
+ +

+ A buffer overflow has been discovered in the email processing of + Adobe Acrobat Reader. This flaw exists in the mailListIsPdf function, + which checks if the input file is an email message containing a PDF + file. +

+
+ +

+ A remote attacker could send the victim a specially-crafted email + and PDF attachment, which would trigger the buffer overflow and + possibly lead to the execution of arbitrary code with the permissions + of the user running Adobe Acrobat Reader. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Acrobat Reader users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/acroread-5.10" +
+ + CAN-2004-1152 + Adobe Announcement + + + koon + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-13.xml b/xml/htdocs/security/en/glsa/glsa-200412-13.xml new file mode 100644 index 00000000..f1e28e20 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-13.xml @@ -0,0 +1,64 @@ + + + + + + + Samba: Integer overflow + + Samba contains a bug that could lead to remote execution of arbitrary code. + + Samba + December 17, 2004 + December 17, 2004: 01 + 73943 + remote + + + 3.0.9-r1 + 3.0.9 + + + +

+ Samba is a freely available SMB/CIFS implementation which allows + seamless interoperability of file and print services to other SMB/CIFS + clients. +

+
+ +

+ Samba contains a bug when unmarshalling specific MS-RPC requests from + clients. +

+
+ +

+ A remote attacker may be able to execute arbitrary code with the + permissions of the user running Samba, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All samba users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-3.0.9-r1" +
+ + CAN 2004-1154 + Samba Announcement + + + jaervosz + + + jaervosz + +
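Review bot: The CVE candidate identifier in the references block is written `CAN 2004-1154`, with a space instead of the hyphenated `CAN-2004-1154` form used by the other advisories in this series; anything that matches or links identifiers by the standard `CAN-YYYY-NNNN` pattern will not recognise it. The same spaced form recurs in glsa-200412-15.xml (the four Ethereal references and the corresponding bullet text) and in glsa-200412-16.xml (`CAN 2004-1171` and `CAN 2004-1158`), while the Konqueror paragraph of that same file already uses the hyphenated spelling for one of them. I would normalise all of these to the hyphenated form before publication so the identifiers resolve consistently.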
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-14.xml b/xml/htdocs/security/en/glsa/glsa-200412-14.xml new file mode 100644 index 00000000..ad0784a8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-14.xml @@ -0,0 +1,114 @@ + + + + + + + PHP: Multiple vulnerabilities + + Several vulnerabilities were found and fixed in PHP, ranging from an + information leak and a safe_mode restriction bypass to a potential remote + execution of arbitrary code. + + PHP + December 19, 2004 + May 22, 2006: 02 + 74547 + remote + + + 4.3.10 + 4.3.10 + + + 4.3.10 + 4.3.10 + + + 4.3.10 + 4.3.10 + + + +

+ PHP is a general-purpose scripting language widely used to develop + web-based applications. It can run inside a web server using the + mod_php module or the CGI version of PHP, or can run stand-alone in a + CLI. +

+
+ +

+ Stefan Esser and Marcus Boerger reported several different issues in + the unserialize() function, including serious exploitable bugs in the + way it handles negative references (CAN-2004-1019). +

+

+ Stefan Esser also discovered that the pack() and unpack() functions are + subject to integer overflows that can lead to a heap buffer overflow + and a heap information leak. Finally, he found that the way + multithreaded PHP handles safe_mode_exec_dir restrictions can be + bypassed, and that various path truncation issues also allow to bypass + path and safe_mode restrictions. +

+

+ Ilia Alshanetsky found a stack overflow issue in the exif_read_data() + function (CAN-2004-1065). Finally, Daniel Fabian found that addslashes + and magic_quotes_gpc do not properly escape null characters and that + magic_quotes_gpc contains a bug that could lead to one level directory + traversal. +

+
+ +

+ These issues could be exploited by a remote attacker to retrieve web + server heap information, bypass safe_mode or path restrictions and + potentially execute arbitrary code with the rights of the web server + running a PHP application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/php-4.3.10" +

+ All mod_php users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/mod_php-4.3.10" +

+ All php-cgi users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/php-cgi-4.3.10" +
+ + PHP 4.3.10 Release Announcement + Hardened-PHP Security Advisory + SEC Consult Advisory + CAN-2004-1019 + CAN-2004-1020 + CVE-2004-1063 + CVE-2004-1064 + CVE-2004-1065 + + + jaervosz + + + Koon + + + koon + +
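Review bot: The metadata block at the end of this advisory records the handle as `Koon`, whereas every other advisory in this series, including the next entry in this same block, uses the lowercase `koon`; if these fields are used to key or aggregate per-developer records, the capitalised variant will be treated as a different person. Lowercasing it to `koon` keeps the records consistent. The references also mix `CAN-` and `CVE-` prefixes for identifiers from the same year, which presumably reflects the later revision of this file; using one prefix style throughout the list would make it uniform.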
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-15.xml b/xml/htdocs/security/en/glsa/glsa-200412-15.xml new file mode 100644 index 00000000..7a06c590 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-15.xml @@ -0,0 +1,83 @@ + + + + + + + Ethereal: Multiple vulnerabilities + + Multiple vulnerabilities exist in Ethereal, which may allow an attacker to + run arbitrary code, crash the program or perform DoS by CPU and disk + utilization. + + Ethereal + December 19, 2004 + December 19, 2004: 01 + 74443 + remote + + + 0.10.8 + 0.10.8 + + + +

+ Ethereal is a feature rich network protocol analyzer. +

+
+ +

+ There are multiple vulnerabilities in versions of Ethereal earlier + than 0.10.8, including: +

+
    +
  • Bug in DICOM dissection + discovered by Bing could make Ethereal crash (CAN 2004-1139).
  • +
  • An invalid RTP timestamp could make Ethereal hang and create a + large temporary file (CAN 2004-1140).
  • +
  • The HTTP dissector could + access previously-freed memory (CAN 2004-1141).
  • +
  • Brian Caswell + discovered that an improperly formatted SMB could make Ethereal hang + (CAN 2004-1142).
  • +
+
+ +

+ An attacker might be able to use these vulnerabilities to crash + Ethereal, perform DoS by CPU and disk space utilization or even execute + arbitrary code with the permissions of the user running Ethereal, which + could be the root user. +

+
+ +

+ For a temporary workaround you can disable all affected protocol + dissectors by selecting Analyze->Enabled Protocols... and deselecting + them from the list. However, it is strongly recommended to upgrade to + the latest stable version. +

+
+ +

+ All ethereal users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.10.8" +
+ + Ethereal enpa-sa-00016 + CAN 2004-1139 + CAN 2004-1140 + CAN 2004-1141 + CAN 2004-1142 + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-16.xml b/xml/htdocs/security/en/glsa/glsa-200412-16.xml new file mode 100644 index 00000000..ce5a697e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-16.xml @@ -0,0 +1,93 @@ + + + + + + + kdelibs, kdebase: Multiple vulnerabilities + + kdelibs and kdebase contain a flaw allowing password disclosure when + creating a link to a remote file. Furthermore Konqueror is vulnerable to + window injection. + + KDE + December 19, 2004 + December 19, 2004: 01 + 72804 + 73869 + remote and local + + + 3.2.3-r4 + 3.3.1-r2 + 3.3.2-r1 + 3.3.2-r1 + + + 3.2.3-r3 + 3.3.1-r2 + 3.3.2-r1 + + + +

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like Operating Systems. The KDE core libraries (kdebase and + kdelibs) provide native support for many protocols. Konqueror is the + KDE web browser and filemanager. +

+
+ +

+ Daniel Fabian discovered that the KDE core libraries contain a + flaw allowing password disclosure by making a link to a remote file. + When creating this link, the resulting URL contains authentication + credentials used to access the remote file (CAN 2004-1171). +

+

+ The Konqueror webbrowser allows websites to load webpages into a window + or tab currently used by another website (CAN-2004-1158). +

+
+ +

+ A malicious user could have access to the authentication + credentials of other users depending on the file permissions. +

+

+ A malicious website could use the window injection vulnerability to + load content in a window apparently belonging to another website. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All kdelibs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdelibs-3.2.3-r4" +

+ All kdebase users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdebase-3.2.3-r3" +
+ + KDE Security Advisory: plain text password exposure + CAN 2004-1171 + KDE Security Advisory: Konqueror Window Injection Vulnerability + CAN 2004-1158 + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-17.xml b/xml/htdocs/security/en/glsa/glsa-200412-17.xml new file mode 100644 index 00000000..df579ad9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-17.xml @@ -0,0 +1,82 @@ + + + + + + + kfax: Multiple overflows in the included TIFF library + + kfax contains several buffer overflows potentially leading to execution of + arbitrary code. + + kfax + December 19, 2004 + January 12, 2005: 04 + 73795 + remote + + + 3.3.2 + 3.3.2 + + + +

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like Operating Systems. kfax (part of kdegraphics) is the KDE fax + file viewer. +

+
+ +

+ Than Ngo discovered that kfax contains a private copy of the TIFF + library and is therefore subject to several known vulnerabilities (see + References). +

+
+ +

+ A remote attacker could entice a user to view a carefully-crafted TIFF + image file with kfax, which would potentially lead to execution of + arbitrary code with the rights of the user running kfax. +

+
+ +

+ The KDE Team recommends to remove the kfax binary as well as the + kfaxpart.la KPart: +

+ + rm /usr/kde/3.*/lib/kde3/kfaxpart.la + rm /usr/kde/3.*/bin/kfax +

+ Note: This will render the kfax functionality useless, if kfax + functionality is needed you should upgrade to the KDE 3.3.2 which is + not stable at the time of this writing. +

+

+ There is no known workaround at this time. +

+
+ +

+ All kfax users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.3.2" +
+ + KDE Security Advisory: kfax libtiff vulnerabilities + GLSA 200410-11 + CAN-2004-0803 + CAN-2004-0804 + CAN-2004-0886 + + + jaervosz + + + jaervosz + +
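Review bot: The workaround section contradicts itself: it first gives the KDE Team's mitigation (removing the kfax binary and the `kfaxpart.la` KPart) and then, in the same section, states `There is no known workaround at this time.`, so a reader cannot tell which statement applies. The closing sentence looks like a leftover from the advisory template and should be dropped. The note that KDE 3.3.2 `is not stable at the time of this writing` also appears stale for a revision dated January 12, 2005, since the resolution in the same file already requires `>=kde-base/kdegraphics-3.3.2`; I would reword it to say only that removing the binary disables kfax functionality and that the resolution below restores it.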
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-18.xml b/xml/htdocs/security/en/glsa/glsa-200412-18.xml new file mode 100644 index 00000000..d40bc06c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-18.xml @@ -0,0 +1,69 @@ + + + + + + + abcm2ps: Buffer overflow vulnerability + + abcm2ps is vulnerable to a buffer overflow that could lead to remote + execution of arbitrary code. + + abcm2ps + December 19, 2004 + December 19, 2004: 02 + 74702 + remote + + + 3.7.21 + 3.7.21 + + + +

+ abcm2ps is a utility used to convert ABC music sheet files into + PostScript format. +

+
+ +

+ Limin Wang has located a buffer overflow inside the put_words() + function in the abcm2ps code. +

+
+ +

+ A remote attacker could convince the victim to download a + specially-crafted ABC file. Upon execution, this file would trigger the + buffer overflow and lead to the execution of arbitrary code with the + permissions of the user running abcm2ps. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All abcm2ps users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/abcm2ps-3.7.21" +
+ + abcm2ps ChangeLog + Secunia Advisory + + + lewk + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-19.xml b/xml/htdocs/security/en/glsa/glsa-200412-19.xml new file mode 100644 index 00000000..3cc27a35 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-19.xml @@ -0,0 +1,72 @@ + + + + + + + phpMyAdmin: Multiple vulnerabilities + + phpMyAdmin contains multiple vulnerabilities which could lead to file + disclosure or command execution. + + phpmyadmin + December 19, 2004 + December 19, 2004: 01 + 74303 + remote + + + 2.6.1_rc1 + 2.6.1_rc1 + + + +

+ phpMyAdmin is a tool written in PHP intended to handle the + administration of MySQL databases from a web-browser. +

+
+ +

+ Nicolas Gregoire (exaprobe.com) has discovered two vulnerabilities + that exist only on a webserver where PHP safe_mode is off. These + vulnerabilities could lead to command execution or file disclosure. +

+
+ +

+ On a system where external MIME-based transformations are enabled, + an attacker can insert offensive values in MySQL, which would start a + shell when the data is browsed. On a system where the UploadDir is + enabled, read_dump.php could use the unsanitized sql_localfile variable + to disclose a file. +

+
+ +

+ You can temporarily enable PHP safe_mode or disable external + MIME-based transformation AND disable the UploadDir. But instead, we + strongly advise to update your version to 2.6.1_rc1. +

+
+ +

+ All phpMyAdmin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.1_rc1" +
+ + CAN-2004-1147 + CAN-2004-1148 + PHPMyAdmin advisory: PMASA-2004-4 + Exaprobe.com advisory: esa-2004-1213 + + + SeJo + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-20.xml b/xml/htdocs/security/en/glsa/glsa-200412-20.xml new file mode 100644 index 00000000..686a8812 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-20.xml @@ -0,0 +1,70 @@ + + + + + + + NASM: Buffer overflow vulnerability + + NASM is vulnerable to a buffer overflow that allows an attacker to execute + arbitrary code through the use of a malicious object file. + + NASM + December 20, 2004 + December 20, 2004: 01 + 74477 + remote + + + 0.98.38-r1 + 0.98.38 + + + +

+ NASM is a 80x86 assembler that has been created for portability + and modularity. NASM supports Pentium, P6, SSE MMX, and 3DNow + extensions. It also supports a wide range of objects formats (ELF, + a.out, COFF, ...), and has its own disassembler. +

+
+ +

+ Jonathan Rockway discovered that NASM-0.98.38 has an unprotected + vsprintf() to an array in preproc.c. This code vulnerability may lead + to a buffer overflow and potential execution of arbitrary code. +

+
+ +

+ A remote attacker could craft a malicious object file which, when + supplied in NASM, would result in the execution of arbitrary code with + the rights of the user running NASM. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All NASM users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/nasm-0.98.38-r1" +
+ + Original Advisory + + + koon + + + koon + + + SeJo + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-21.xml b/xml/htdocs/security/en/glsa/glsa-200412-21.xml new file mode 100644 index 00000000..bfd5c69c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-21.xml @@ -0,0 +1,74 @@ + + + + + + + MPlayer: Multiple overflows + + Multiple overflow vulnerabilities have been found in MPlayer, potentially + resulting in remote executing of arbitrary code. + + MPlayer + December 20, 2004 + December 20, 2004: 01 + 74473 + remote + + + 1.0_pre5-r5 + 1.0_pre5-r4 + + + +

+ MPlayer is a media player capable of handling multiple multimedia + file formats. +

+
+ +

+ iDEFENSE, Ariel Berkman and the MPlayer development team found + multiple vulnerabilities in MPlayer. These include potential heap + overflows in Real RTSP and pnm streaming code, stack overflows in MMST + streaming code and multiple buffer overflows in BMP demuxer and mp3lib + code. +

+
+ +

+ A remote attacker could craft a malicious file or design a + malicious streaming server. Using MPlayer to view this file or connect + to this server could trigger an overflow and execute + attacker-controlled code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_pre5-r5" +
+ + iDEFENSE Advisory + iDEFENSE Advisory + iDEFENSE Advisory + Ariel Berkman Advisory + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-22.xml b/xml/htdocs/security/en/glsa/glsa-200412-22.xml new file mode 100644 index 00000000..4ed0057f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-22.xml @@ -0,0 +1,68 @@ + + + + + + + mpg123: Playlist buffer overflow + + mpg123 is vulnerable to a buffer overflow that allows an attacker to + execute arbitrary code through the use of a malicious playlist. + + mpg123 + December 21, 2004 + December 21, 2004: 01 + 74692 + remote + + + 0.59s-r8 + 0.59s-r8 + + + +

+ mpg123 is a MPEG Audio Player. +

+
+ +

+ Bartlomiej Sieka discovered that mpg123 contains an unsafe + strcat() to an array in playlist.c. This code vulnerability may lead to + a buffer overflow. +

+
+ +

+ A remote attacker could craft a malicious playlist which, when + used, would result in the execution of arbitrary code with the rights + of the user running mpg123. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mpg123 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/mpg123-0.59s-r8" +
+ + Original Advisory + CAN-2004-1284 + + + koon + + + koon + + + SeJo + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-23.xml b/xml/htdocs/security/en/glsa/glsa-200412-23.xml new file mode 100644 index 00000000..b072ff87 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-23.xml @@ -0,0 +1,66 @@ + + + + + + + Zwiki: XSS vulnerability + + Zwiki is vulnerable to cross-site scripting attacks. + + zwiki + December 21, 2004 + May 22, 2006: 02 + 72315 + remote + + + 0.36.2-r1 + 0.36.2-r1 + + + +

+ Zwiki is a Zope wiki-clone for easy-to-edit collaborative websites. +

+
+ +

+ Due to improper input validation, Zwiki can be exploited to perform + cross-site scripting attacks. +

+
+ +

+ By enticing a user to read a specially-crafted wiki entry, an attacker + can execute arbitrary script code running in the context of the + victim's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Zwiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-zope/zwiki-0.36.2-r1" +
+ + Zwiki Bug Report + CVE-2004-1075 + + + vorlon078 + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-24.xml b/xml/htdocs/security/en/glsa/glsa-200412-24.xml new file mode 100644 index 00000000..23e0627f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-24.xml @@ -0,0 +1,77 @@ + + + + + + + Xpdf, GPdf: New integer overflows + + New integer overflows were discovered in Xpdf, potentially resulting in the + execution of arbitrary code. GPdf includes Xpdf code and therefore is + vulnerable to the same issues. + + Xpdf + December 28, 2004 + December 28, 2004: 01 + 75191 + 75201 + remote + + + 3.00-r7 + 3.00-r6 + + + 2.8.1-r1 + 2.8.1 + + + +

+ Xpdf is an open source viewer for Portable Document Format (PDF) + files. GPdf is a Gnome-based PDF viewer that includes some Xpdf code. +

+
+ +

+ A new integer overflow issue was discovered in Xpdf's + Gfx::doImage() function. +

+
+ +

+ An attacker could entice an user to open a specially-crafted PDF + file, potentially resulting in execution of arbitrary code with the + rights of the user running Xpdf or GPdf. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Xpdf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/xpdf-3.00-r7" +

+ All GPdf users should also upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/gpdf-2.8.1-r1" +
+ + CAN-2004-1125 + iDEFENSE Advisory + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-25.xml b/xml/htdocs/security/en/glsa/glsa-200412-25.xml new file mode 100644 index 00000000..407d4c86 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-25.xml @@ -0,0 +1,84 @@ + + + + + + + CUPS: Multiple vulnerabilities + + Multiple vulnerabilities have been found in CUPS, ranging from local Denial + of Service attacks to the remote execution of arbitrary code. + + CUPS + December 28, 2004 + January 12, 2005: 02 + 74479 + 75197 + 77023 + remote and local + + + 1.1.23 + 1.1.23 + + + +

+ The Common UNIX Printing System (CUPS) is a cross-platform print + spooler, hpgltops is a CUPS filter handling printing of HPGL files and + lppasswd is a program used locally to manage spooler passwords. +

+
+ +

+ CUPS makes use of vulnerable Xpdf code to handle PDF files + (CAN-2004-1125). Furthermore, Ariel Berkman discovered a buffer + overflow in the ParseCommand function in hpgl-input.c in the hpgltops + program (CAN-2004-1267). Finally, Bartlomiej Sieka discovered several + problems in the lppasswd program: it ignores some write errors + (CAN-2004-1268), it can leave the passwd.new file in place + (CAN-2004-1269) and it does not verify that passwd.new file is + different from STDERR (CAN-2004-1270). +

+
+ +

+ The Xpdf and hpgltops vulnerabilities may be exploited by a remote + attacker to execute arbitrary code by sending specific print jobs to a + CUPS spooler. The lppasswd vulnerabilities may be exploited by a local + attacker to write data to the CUPS password file or deny further + password modifications. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CUPS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/cups-1.1.23" +
+ + CAN-2004-1125 + CAN-2004-1267 + CAN-2004-1268 + CAN-2004-1269 + CAN-2004-1270 + Ariel Berkman Advisory + Bartlomiej Sieka Advisory + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-26.xml b/xml/htdocs/security/en/glsa/glsa-200412-26.xml new file mode 100644 index 00000000..c8a6fc87 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-26.xml @@ -0,0 +1,70 @@ + + + + + + + ViewCVS: Information leak and XSS vulnerabilities + + ViewCVS is vulnerable to an information leak and to cross-site scripting + (XSS) issues. + + ViewCVS + December 28, 2004 + December 28, 2004: 01 + 72461 + 73772 + remote + + + 0.9.2_p20041207-r1 + 0.9.2_p20041207 + + + +

+ ViewCVS is a browser interface for viewing CVS and Subversion + version control repositories through a web browser. +

+
+ +

+ The tar export functions in ViewCVS bypass the 'hide_cvsroot' and + 'forbidden' settings and therefore expose information that should be + kept secret (CAN-2004-0915). Furthermore, some error messages in + ViewCVS do not filter user-provided information, making it vulnerable + to a cross-site scripting attack (CAN-2004-1062). +

+
+ +

+ By using the tar export functions, a remote attacker could access + information that is configured as restricted. Through the use of a + malicious request, an attacker could also inject and execute malicious + script code, potentially compromising another user's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ViewCVS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/viewcvs-0.9.2_p20041207-r1" +
+ + CAN-2004-0915 + CAN-2004-1062 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200412-27.xml b/xml/htdocs/security/en/glsa/glsa-200412-27.xml new file mode 100644 index 00000000..4bb1cfc5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200412-27.xml @@ -0,0 +1,64 @@ + + + + + + + PHProjekt: Remote code execution vulnerability + + PHProjekt contains a vulnerability that allows a remote attacker to execute + arbitrary PHP code. + + PHProjekt + December 30, 2004 + December 30, 2004: 01 + 75858 + remote + + + 4.2-r2 + 4.2-r2 + + + +

+ PHProjekt is a modular groupware web application used to + coordinate group activities and share files. +

+
+ +

+ cYon discovered that the authform.inc.php script allows a remote + user to define the global variable $path_pre. +

+
+ +

+ A remote attacker can exploit this vulnerability to force + authform.inc.php to download and execute arbitrary PHP code with the + privileges of the web server user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHProjekt users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/phprojekt-4.2-r2" +
+ + PHProjekt Advisory + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-01.xml b/xml/htdocs/security/en/glsa/glsa-200501-01.xml new file mode 100644 index 00000000..e4d75028 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-01.xml @@ -0,0 +1,70 @@ + + + + + + + LinPopUp: Buffer overflow in message reply + + LinPopUp contains a buffer overflow potentially allowing execution of + arbitrary code. + + Linpopup + January 04, 2005 + January 04, 2005: 01 + 74705 + remote + + + 2.0.4-r1 + 2.0.4-r1 + + + +

+ LinPopUp is a graphical application that acts as a frontend to + Samba client messaging functions, allowing a Linux desktop to + communicate with a Microsoft Windows computer that runs Winpopup. +

+
+ +

+ Stephen Dranger discovered that LinPopUp contains a buffer + overflow in string.c, triggered when replying to a remote user message. +

+
+ +

+ A remote attacker could craft a malicious message that, when + replied using LinPopUp, would exploit the buffer overflow. This would + result in the execution of arbitrary code with the privileges of the + user running LinPopUp. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All LinPopUp users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/linpopup-2.0.4-r1" +
+ + CAN-2004-1282 + Stephen Dranger Advisory + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-02.xml b/xml/htdocs/security/en/glsa/glsa-200501-02.xml new file mode 100644 index 00000000..980ee245 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-02.xml @@ -0,0 +1,81 @@ + + + + + + + a2ps: Multiple vulnerabilities + + The fixps and psmandup scripts in the a2ps package are vulnerable to + symlink attacks, potentially allowing a local user to overwrite arbitrary + files. A vulnerability in a2ps filename handling could also result in + arbitrary command execution. + + a2ps + January 04, 2005 + May 22, 2006: 03 + 75784 + 61500 + local and remote + + + 4.13c-r2 + 4.13c-r2 + + + +

+ a2ps is an Any to Postscript filter that can convert to Postscript from + many filetypes. fixps is a script that fixes errors in Postscript + files. psmandup produces a Postscript file for printing in manual + duplex mode. +

+
+ +

+ Javier Fernandez-Sanguino Pena discovered that the a2ps package + contains two scripts that create insecure temporary files (fixps and + psmandup). Furthermore, we fixed in a previous revision a vulnerability + in a2ps filename handling (CAN-2004-1170). +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When + fixps or psmandup is executed, this would result in the file being + overwritten with the rights of the user running the utility. By + enticing a user or script to run a2ps on a malicious filename, an + attacker could execute arbitrary commands on the system with the rights + of that user or script. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All a2ps users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/a2ps-4.13c-r2" +
+ + Secunia SA13641 + CAN-2004-1170 + CVE-2004-1377 + Full-Disclosure Advisory + + + koon + + + koon + + + SeJo + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-03.xml b/xml/htdocs/security/en/glsa/glsa-200501-03.xml new file mode 100644 index 00000000..74d53c8c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-03.xml @@ -0,0 +1,133 @@ + + + + + + + Mozilla, Firefox, Thunderbird: Various vulnerabilities + + Various vulnerabilities were found and fixed in Mozilla-based products, + ranging from a potential buffer overflow and temporary files disclosure to + anti-spoofing issues. + + Mozilla + January 05, 2005 + December 30, 2007: 03 + 76112 + 68976 + 70749 + remote and local + + + 1.7.5 + 1.7.5 + + + 1.7.5 + 1.7.5 + + + 1.0 + 1.0 + + + 1.0 + 1.0 + + + 0.9 + 0.9 + + + 0.9 + 0.9 + + + +

+ Mozilla is a popular web browser that includes a mail and newsreader. + Mozilla Firefox and Mozilla Thunderbird are respectively the + next-generation browser and mail client from the Mozilla project. +

+
+ +

+ Maurycy Prodeus from isec.pl found a potentially exploitable buffer + overflow in the handling of NNTP URLs. Furthermore, Martin (from + ptraced.net) discovered that temporary files in recent versions of + Mozilla-based products were sometimes stored world-readable with + predictable names. The Mozilla Team also fixed a way of spoofing + filenames in Firefox's "What should Firefox do with this file" dialog + boxes and a potential information leak about the existence of local + filenames. +

+
+ +

+ A remote attacker could craft a malicious NNTP link and entice a user + to click it, potentially resulting in the execution of arbitrary code + with the rights of the user running the browser. A local attacker could + leverage the temporary file vulnerability to read the contents of + another user's attachments or downloads. A remote attacker could also + design a malicious web page that would allow to spoof filenames if the + user uses the "Open with..." function in Firefox, or retrieve + information on the presence of specific files in the local filesystem. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.5"
+

+ All Mozilla binary users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.5"
+

+ All Firefox users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0"
+

+ All Firefox binary users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0"
+

+ All Thunderbird users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-0.9"
+

+ All Thunderbird binary users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-0.9"
+
+
+ isec.pl Advisory
+ Martin (from ptraced.net) Advisory
+ Secunia Advisory SA13144
+ CVE-2004-2227
+ CVE-2004-2228
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-04.xml b/xml/htdocs/security/en/glsa/glsa-200501-04.xml
new file mode 100644
index 00000000..5fc98d9a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-04.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ Shoutcast Server: Remote code execution
+
+ Shoutcast Server contains a possible buffer overflow that could lead to the
+ execution of arbitrary code.
+
+ Shoutcast-server-bin
+ January 05, 2005
+ May 22, 2006: 02
+ 75482
+ remote
+
+
+ 1.9.5
+ 1.9.4-r1
+
+
+
+

+ Shoutcast Server is Nullsoft's streaming audio server. It runs on a + variety of platforms, including Linux, and is extremely popular with + Internet broadcasters. +

+
+ +

+ Part of the Shoutcast Server Linux binary has been found to improperly + handle sprintf() parsing. +

+
+ +

+ A malicious attacker could send a formatted URL request to the + Shoutcast Server. This formatted URL would cause either the server + process to crash, or the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Shoutcast Server users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-sound/shoutcast-server-bin-1.9.5"
+
+
+ BugTraq Announcement
+ CVE-2004-1373
+
+
+ lewk
+
+
+ koon
+
+
+ chriswhite
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-05.xml b/xml/htdocs/security/en/glsa/glsa-200501-05.xml
new file mode 100644
index 00000000..d528611d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-05.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ mit-krb5: Heap overflow in libkadm5srv
+
+ The MIT Kerberos 5 administration library (libkadm5srv) contains a heap
+ overflow that could lead to execution of arbitrary code.
+
+ mit-krb5
+ January 05, 2005
+ January 05, 2005: 01
+ 75143
+ remote
+
+
+ 1.3.6
+ 1.3.6
+
+
+
+

+ MIT krb5 is the free implementation of the Kerberos network + authentication protocol by the Massachusetts Institute of Technology. +

+
+ +

+ The MIT Kerberos 5 administration library libkadm5srv contains a + heap overflow in the code handling password changing. +

+
+ +

+ Under specific circumstances an attacker could execute arbitary + code with the permissions of the user running mit-krb5, which could be + the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mit-krb5 users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.3.6"
+
+
+ CAN 2004-1189
+
+
+ koon
+
+
+ jaervosz
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-06.xml b/xml/htdocs/security/en/glsa/glsa-200501-06.xml
new file mode 100644
index 00000000..f8c1db1e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-06.xml
@@ -0,0 +1,72 @@
+
+
+
+
+
+
+ tiff: New overflows in image decoding
+
+ An integer overflow has been found in the TIFF library image decoding
+ routines and the tiffdump utility, potentially allowing arbitrary code
+ execution.
+
+ tiff
+ January 05, 2005
+ January 05, 2005: 01
+ 75213
+ remote
+
+
+ 3.7.1-r1
+ 3.7.1-r1
+
+
+
+

+ The TIFF library contains encoding and decoding routines for the + Tag Image File Format. It is called by numerous programs, including + GNOME and KDE applications, to interpret TIFF images. +

+
+ +

+ infamous41md found a potential integer overflow in the directory + entry count routines of the TIFF library (CAN-2004-1308). Dmitry V. + Levin found another similar issue in the tiffdump utility + (CAN-2004-1183). +

+
+ +

+ A remote attacker could entice a user to view a carefully crafted + TIFF image file, which would potentially lead to execution of arbitrary + code with the rights of the user viewing the image. This affects any + program that makes use of the TIFF library, including many web browsers + or mail readers. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TIFF library users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/tiff-3.7.1-r1"
+
+
+ CAN-2004-1183
+ CAN-2004-1308
+ iDEFENSE Advisory
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-07.xml b/xml/htdocs/security/en/glsa/glsa-200501-07.xml
new file mode 100644
index 00000000..81ae5353
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-07.xml
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+ xine-lib: Multiple overflows
+
+ xine-lib contains multiple overflows potentially allowing execution of
+ arbitrary code.
+
+ xine-lib
+ January 06, 2005
+ January 06, 2005: 01
+ 74475
+ remote
+
+
+ 1_rc8-r1
+ 1_rc6-r1
+ 1_rc8-r1
+
+
+
+

+ xine-lib is a multimedia library which can be utilized to create + multimedia frontends. +

+
+ +

+ Ariel Berkman discovered that xine-lib reads specific input data + into an array without checking the input size in demux_aiff.c, making + it vulnerable to a buffer overflow (CAN-2004-1300) . iDefense + discovered that the PNA_TAG handling code in pnm_get_chunk() does not + check if the input size is larger than the buffer size (CAN-2004-1187). + iDefense also discovered that in this same function, a negative value + could be given to an unsigned variable that specifies the read length + of input data (CAN-2004-1188). +

+
+ +

+ A remote attacker could craft a malicious movie or convince a + targeted user to connect to a malicious PNM server, which could result + in the execution of arbitrary code with the rights of the user running + any xine-lib frontend. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose media-libs/xine-lib
+
+
+ CAN-2004-1187
+ CAN-2004-1188
+ CAN-2004-1300
+ iDefense Advisory
+ iDefense Advisory
+ Ariel Berkman Advisory
+
+
+ koon
+
+
+ SeJo
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-08.xml b/xml/htdocs/security/en/glsa/glsa-200501-08.xml
new file mode 100644
index 00000000..9675f84d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-08.xml
@@ -0,0 +1,75 @@
+
+
+
+
+
+
+ phpGroupWare: Various vulnerabilities
+
+ Multiple vulnerabilities have been discovered in phpGroupWare that could
+ lead to information disclosure or remote compromise.
+
+ phpgroupware
+ January 06, 2005
+ May 22, 2006: 04
+ 74487
+ remote
+
+
+ 0.9.16.004
+ 0.9.16.004
+
+
+
+

+ phpGroupWare is a web-based suite of group applications including a + calendar, todo-list, addressbook, email, wiki, news headlines, and a + file manager. +

+
+ +

+ Several flaws were discovered in phpGroupWare making it vulnerable to + cross-site scripting attacks, SQL injection, and full path disclosure. +

+
+ +

+ These vulnerabilities could allow an attacker to perform cross-site + scripting attacks, execute SQL queries, and disclose the full path of + the web directory. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpGroupWare users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apps/phpgroupware-0.9.16.004"
+

+ Note: Users with the vhosts USE flag set should manually use + webapp-config to finalize the update. +

+
+
+ BugTraq Advisory
+ CVE-2004-1383
+ CVE-2004-1384
+ CVE-2004-1385
+
+
+ koon
+
+
+ koon
+
+
+ lewk
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-09.xml b/xml/htdocs/security/en/glsa/glsa-200501-09.xml
new file mode 100644
index 00000000..6555e140
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-09.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ xzgv: Multiple overflows
+
+ xzgv contains multiple overflows that may lead to the execution of
+ arbitrary code.
+
+ xzgv
+ January 06, 2005
+ January 06, 2005: 01
+ 74069
+ remote
+
+
+ 0.8-r1
+ 0.8
+
+
+
+

+ xzgv is a picture viewer for X, with a thumbnail-based file + selector. +

+
+ +

+ Multiple overflows have been found in the image processing code of + xzgv, including an integer overflow in the PRF parsing code + (CAN-2004-0994). +

+
+ +

+ An attacker could entice a user to open or browse a + specially-crafted image file, potentially resulting in the execution of + arbitrary code with the rights of the user running xzgv. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xzgv users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-gfx/xzgv-0.8-r1"
+
+
+ CAN-2004-0994
+ iDEFENSE Advisory
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-10.xml b/xml/htdocs/security/en/glsa/glsa-200501-10.xml
new file mode 100644
index 00000000..13f342c7
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-10.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Vilistextum: Buffer overflow vulnerability
+
+ Vilistextum is vulnerable to a buffer overflow that allows an attacker to
+ execute arbitrary code through the use of a malicious webpage.
+
+ vilistextum
+ January 06, 2005
+ January 06, 2005: 01
+ 74694
+ remote
+
+
+ 2.6.7
+ 2.6.7
+
+
+
+

+ Vilistextum is an HTML to text converter. +

+
+ +

+ Ariel Berkman discovered that Vilistextum unsafely reads data into + an array without checking the length. This code vulnerability may lead + to a buffer overflow. +

+
+ +

+ A remote attacker could craft a malicious webpage which, when + converted, would result in the execution of arbitrary code with the + rights of the user running Vilistextum. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Vilistextum users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/vilistextum-2.6.7"
+
+
+ Original Advisory
+ CAN-2004-1299
+
+
+ koon
+
+
+ koon
+
+
+ SeJo
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-11.xml b/xml/htdocs/security/en/glsa/glsa-200501-11.xml
new file mode 100644
index 00000000..9abc676e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-11.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Dillo: Format string vulnerability
+
+ Dillo is vulnerable to a format string bug, which may result in the
+ execution of arbitrary code.
+
+ Dillo
+ January 09, 2005
+ January 09, 2005: 01
+ 76665
+ remote
+
+
+ 0.8.3-r4
+ 0.8.3-r4
+
+
+
+

+ Dillo is a small and fast multi-platform web browser based on + GTK+. +

+
+ +

+ Gentoo Linux developer Tavis Ormandy found a format string bug in + Dillo's handling of messages in a_Interface_msg(). +

+
+ +

+ An attacker could craft a malicious web page which, when accessed + using Dillo, would trigger the format string vulnerability and + potentially execute arbitrary code with the rights of the user running + Dillo. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Dillo users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/dillo-0.8.3-r4"
+
+
+ CAN-2005-0012
+
+
+ koon
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-12.xml b/xml/htdocs/security/en/glsa/glsa-200501-12.xml
new file mode 100644
index 00000000..430e56bc
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-12.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ TikiWiki: Arbitrary command execution
+
+ A bug in TikiWiki allows certain users to upload and execute malicious PHP
+ scripts.
+
+ tikiwiki
+ January 10, 2005
+ May 22, 2006: 03
+ 75568
+ remote
+
+
+ 1.8.4.1
+ 1.8.4.1
+
+
+
+

+ TikiWiki is a web-based groupware and content management system (CMS), + using PHP, ADOdb and Smarty. +

+
+ +

+ TikiWiki lacks a check on uploaded images in the Wiki edit page. +

+
+ +

+ A malicious user could run arbitrary commands on the server by + uploading and calling a PHP script. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TikiWiki users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.8.4.1"
+

+ Note: Users with the vhosts USE flag set should manually use + webapp-config to finalize the update. +

+
+
+ TikiWiki Advisory
+ CVE-2004-1386
+
+
+ koon
+
+
+ koon
+
+
+ vorlon078
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-13.xml b/xml/htdocs/security/en/glsa/glsa-200501-13.xml
new file mode 100644
index 00000000..83668be8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-13.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ pdftohtml: Vulnerabilities in included Xpdf
+
+ pdftohtml includes vulnerable Xpdf code to handle PDF files, making it
+ vulnerable to execution of arbitrary code upon converting a malicious PDF
+ file.
+
+ pdftohtml
+ January 10, 2005
+ January 10, 2005: 01
+ 75200
+ remote
+
+
+ 0.36-r2
+ 0.36-r2
+
+
+
+

+ pdftohtml is a utility to convert PDF files to HTML or XML + formats. It makes use of Xpdf code to decode PDF files. +

+
+ +

+ Xpdf is vulnerable to integer overflows, as described in GLSA + 200412-24. +

+
+ +

+ An attacker could entice a user to convert a specially-crafted PDF + file, potentially resulting in the execution of arbitrary code with the + rights of the user running pdftohtml. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All pdftohtml users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/pdftohtml-0.36-r2"
+
+
+ GLSA 200412-24
+ CAN-2004-1125
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-14.xml b/xml/htdocs/security/en/glsa/glsa-200501-14.xml
new file mode 100644
index 00000000..dea99fe1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-14.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ mpg123: Buffer overflow
+
+ An attacker may be able to execute arbitrary code by way of specially
+ crafted MP2 or MP3 files.
+
+ media-sound/mpg123
+ January 10, 2005
+ January 10, 2005: 01
+ 76862
+ remote
+
+
+ 0.59s-r9
+ 0.59s-r9
+
+
+
+

+ mpg123 is a real-time MPEG audio player. +

+
+ +

+ mpg123 improperly parses frame headers in input streams. +

+
+ +

+ By inducing a user to play a malicious file, an attacker may be + able to exploit a buffer overflow to execute arbitrary code with the + permissions of the user running mpg123. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mpg123 users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-sound/mpg123-0.59s-r9"
+
+
+ CAN-2004-0991
+ Bugtraq Announcement
+
+
+ koon
+
+
+ vorlon078
+
+
+ dmargoli
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-15.xml b/xml/htdocs/security/en/glsa/glsa-200501-15.xml
new file mode 100644
index 00000000..8bdb253b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-15.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ UnRTF: Buffer overflow
+
+ A buffer overflow in UnRTF allows an attacker to execute arbitrary code by
+ way of a specially crafted RTF file.
+
+ app-text/unrtf
+ January 10, 2005
+ January 10, 2005: 01
+ 74480
+ remote
+
+
+ 0.19.3-r1
+ 0.19.3-r1
+
+
+
+

+ UnRTF is a utility to convert files in the Rich Text Format into + other formats. +

+
+ +

+ An unchecked strcat() in unrtf may overflow the bounds of a static + buffer. +

+
+ +

+ Using a specially crafted file, possibly delivered by e-mail or + over the web, an attacker may execute arbitrary code with the + permissions of the user running UnRTF. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All unrtf users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/unrtf-0.19.3-r1"
+
+
+ Original Announcement
+
+
+ vorlon078
+
+
+ vorlon078
+
+
+ dmargoli
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-16.xml b/xml/htdocs/security/en/glsa/glsa-200501-16.xml
new file mode 100644
index 00000000..bae40297
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-16.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Konqueror: Java sandbox vulnerabilities
+
+ The Java sandbox environment in Konqueror can be bypassed to access
+ arbitrary packages, allowing untrusted Java applets to perform unrestricted
+ actions on the host system.
+
+ Konqueror, kde, kdelibs
+ January 11, 2005
+ January 12, 2005: 02
+ 72750
+ remote
+
+
+ 3.3.2
+ 3.3.2
+
+
+
+

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like Operating Systems. Konqueror is the KDE web browser and file + manager. +

+
+ +

+ Konqueror contains two errors that allow JavaScript scripts and Java + applets to have access to restricted Java classes. +

+
+ +

+ A remote attacker could embed a malicious Java applet in a web page and + entice a victim to view it. This applet can then bypass security + restrictions and execute any command, or access any file with the + rights of the user running Konqueror. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All kdelibs users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose kde-base/kdelibs
+
+
+ KDE Security Advisory: Konqueror Java Vulnerability
+ CAN 2004-1145
+
+
+ jaervosz
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-17.xml b/xml/htdocs/security/en/glsa/glsa-200501-17.xml
new file mode 100644
index 00000000..f2d5a65a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-17.xml
@@ -0,0 +1,81 @@
+
+
+
+
+
+
+ KPdf, KOffice: More vulnerabilities in included Xpdf
+
+ KPdf and KOffice both include vulnerable Xpdf code to handle PDF files,
+ making them vulnerable to the execution of arbitrary code if a user is
+ enticed to view a malicious PDF file.
+
+ kpdf, koffice
+ January 11, 2005
+ January 12, 2005: 02
+ 75203
+ 75204
+ remote
+
+
+ 1.3.5-r1
+ 1.3.5-r1
+
+
+ 3.3.2-r1
+ 3.2.3-r3
+ 3.3.2-r1
+
+
+
+

+ KPdf is a KDE-based PDF viewer included in the kdegraphics package. + KOffice is an integrated office suite for KDE. +

+
+ +

+ KPdf and KOffice both include Xpdf code to handle PDF files. Xpdf is + vulnerable to multiple new integer overflows, as described in GLSA + 200412-24. +

+
+ +

+ An attacker could entice a user to open a specially-crafted PDF file, + potentially resulting in the execution of arbitrary code with the + rights of the user running the affected utility. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All KPdf users should upgrade to the latest version of kdegraphics: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose kde-base/kdegraphics
+

+ All KOffice users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose app-office/koffice
+
+
+ GLSA 200412-24
+ CAN-2004-1125
+ KDE Security Advisory: kpdf Buffer Overflow Vulnerability
+ KOffice XPDF Integer Overflow 2
+
+
+ jaervosz
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-18.xml b/xml/htdocs/security/en/glsa/glsa-200501-18.xml
new file mode 100644
index 00000000..4be9419a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-18.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ KDE FTP KIOslave: Command injection
+
+ The FTP KIOslave contains a bug allowing users to execute arbitrary FTP
+ commands.
+
+ konqueror
+ January 11, 2005
+ January 12, 2005: 02
+ 73759
+ remote
+
+
+ 3.3.2-r2
+ 3.2.3-r5
+ 3.3.2-r2
+
+
+
+

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like Operating Systems. KDE provided KIOslaves for many protocols + in the kdelibs package, one of them being FTP. These are used by KDE + applications such as Konqueror. +

+
+ +

+ The FTP KIOslave fails to properly parse URL-encoded newline + characters. +

+
+ +

+ An attacker could exploit this to execute arbitrary FTP commands on the + server and due to similiarities between the FTP and the SMTP protocol, + this vulnerability also allows an attacker to connect to a SMTP server + and issue arbitrary commands, for example sending an email. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All kdelibs users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose kde-base/kdelibs
+
+
+ KDE Security Advisory: ftp kioslave command injection
+ CAN-2004-1165
+
+
+ jaervosz
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-19.xml b/xml/htdocs/security/en/glsa/glsa-200501-19.xml
new file mode 100644
index 00000000..bc60f456
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-19.xml
@@ -0,0 +1,72 @@
+
+
+
+
+
+
+ imlib2: Buffer overflows in image decoding
+
+ Multiple overflows have been found in the imlib2 library image decoding
+ routines, potentially allowing the execution of arbitrary code.
+
+ imlib2
+ January 11, 2005
+ January 11, 2005: 01
+ 77002
+ remote
+
+
+ 1.2.0
+ 1.2.0
+
+
+
+

+ imlib2 is an advanced replacement for image manipulation libraries + such as libXpm. It is utilized by numerous programs, including gkrellm + and several window managers, to display images. +

+
+ +

+ Pavel Kankovsky discovered that several buffer overflows found in + the libXpm library (see GLSA 200409-34) also apply to imlib (see GLSA + 200412-03) and imlib2. He also fixed a number of other potential + security vulnerabilities. +

+
+ +

+ A remote attacker could entice a user to view a carefully-crafted + image file, which would potentially lead to the execution of arbitrary + code with the rights of the user viewing the image. This affects any + program that utilizes of the imlib2 library. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All imlib2 users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/imlib2-1.2.0"
+
+
+ CAN-2004-1026
+ GLSA 200412-03
+
+
+ koon
+
+
+ dmargoli
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-20.xml b/xml/htdocs/security/en/glsa/glsa-200501-20.xml
new file mode 100644
index 00000000..2d34b953
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-20.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ o3read: Buffer overflow during file conversion
+
+ A buffer overflow in o3read allows an attacker to execute arbitrary code by
+ way of a specially crafted XML file.
+
+ o3read
+ January 11, 2005
+ January 11, 2005: 01
+ 74478
+ remote
+
+
+ 0.0.4
+ 0.0.3
+
+
+
+

+ o3read is a standalone converter for OpenOffice.org files. It + allows a user to dump the contents tree (o3read) and convert to plain + text (o3totxt) or to HTML (o3tohtml) Writer and Calc files. +

+
+ +

+ Wiktor Kopec discovered that the parse_html function in o3read.c + copies any number of bytes into a 1024-byte t[] array. +

+
+ +

+ Using a specially crafted file, possibly delivered by e-mail or + over the Web, an attacker may execute arbitrary code with the + permissions of the user running o3read. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All o3read users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/o3read-0.0.4"
+
+
+ CAN-2004-1288
+ Wiktor Kopec advisory
+
+
+ koon
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-21.xml b/xml/htdocs/security/en/glsa/glsa-200501-21.xml
new file mode 100644
index 00000000..08be642a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-21.xml
@@ -0,0 +1,75 @@
+
+
+
+
+
+
+ HylaFAX: hfaxd unauthorized login vulnerability
+
+ HylaFAX is subject to a vulnerability in its username matching code,
+ potentially allowing remote users to bypass access control lists.
+
+ HylaFAX
+ January 11, 2005
+ January 11, 2005: 01
+ 75941
+ remote
+
+
+ 4.2.0-r2
+ 4.2.0-r2
+
+
+
+

+ HylaFAX is a software package for sending and receiving facsimile + messages. +

+
+ +

+ The code used by hfaxd to match a given username and hostname with + an entry in the hosts.hfaxd file is insufficiently protected against + malicious entries. +

+
+ +

+ If the HylaFAX installation uses a weak hosts.hfaxd file, a remote + attacker could authenticate using a malicious username or hostname and + bypass the intended access restrictions. +

+
+ +

+ As a workaround, administrators may consider adding passwords to + all entries in the hosts.hfaxd file. +

+
+ +

+ All HylaFAX users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/hylafax-4.2.0-r2"
+

+ Note: Due to heightened security, weak entries in the + hosts.hfaxd file may no longer work. Please see the HylaFAX + documentation for details of accepted syntax in the hosts.hfaxd file. +

+
+
+ CAN-2004-1182
+ HylaFAX Announcement
+
+
+ koon
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-22.xml b/xml/htdocs/security/en/glsa/glsa-200501-22.xml
new file mode 100644
index 00000000..2bbe656d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-22.xml
@@ -0,0 +1,79 @@
+
+
+
+
+
+
+ poppassd_pam: Unauthorized password changing
+
+ poppassd_pam allows anyone to change any user's password without
+ authenticating the user first.
+
+ poppassd_pam
+ January 11, 2005
+ January 11, 2005: 01
+ 75820
+ remote
+
+
+ 1.8.4
+ 1.0
+
+
+ 1.0
+
+
+
+

+ poppassd_pam is a PAM-enabled server for changing system passwords + that can be used to change POP server passwords. +

+
+ +

+ Gentoo Linux developer Marcus Hanwell discovered that poppassd_pam + did not check that the old password was valid before changing + passwords. Our investigation revealed that poppassd_pam did not call + pam_authenticate before calling pam_chauthtok. +

+
+ +

+ A remote attacker could change the system password of any user, + including root. This leads to a complete compromise of the POP + accounts, and may also lead to a complete root compromise of the + affected server, if it also provides shell access authenticated using + system passwords. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All poppassd_pam users should migrate to the new package called + poppassd_ceti: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-mail/poppassd_ceti-1.8.4"
+

+ Note: Portage will automatically replace the poppassd_pam + package by the poppassd_ceti package. +

+
+
+ CAN-2005-0002
+
+
+ koon
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-23.xml b/xml/htdocs/security/en/glsa/glsa-200501-23.xml
new file mode 100644
index 00000000..67853b70
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-23.xml
@@ -0,0 +1,74 @@
+
+
+
+
+
+
+ Exim: Two buffer overflows
+
+ Buffer overflow vulnerabilities, which could lead to arbitrary code
+ execution, have been found in the handling of IPv6 addresses as well as in
+ the SPA authentication mechanism in Exim.
+
+ exim
+ January 12, 2005
+ January 12, 2005: 01
+ 76893
+ remote
+
+
+ 4.43-r2
+ 4.43-r2
+
+
+
+

+ Exim is an highly configurable message transfer agent (MTA) + developed at the University of Cambridge. +

+
+ +

+ Buffer overflows have been found in the host_aton() function + (CAN-2005-0021) as well as in the spa_base64_to_bits() function + (CAN-2005-0022), which is part of the SPA authentication code. +

+
+ +

+ A local attacker could trigger the buffer overflow in host_aton() + by supplying an illegal IPv6 address with more than 8 components, using + a command line option. The second vulnerability could be remotely + exploited during SPA authentication, if it is enabled on the server. + Both buffer overflows can potentially lead to the execution of + arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Exim users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-mta/exim-4.43-r2"
+
+
+ Exim Announcement
+ CAN-2005-0021
+ CAN-2005-0022
+
+
+ koon
+
+
+ vorlon078
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-24.xml b/xml/htdocs/security/en/glsa/glsa-200501-24.xml
new file mode 100644
index 00000000..1011c441
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-24.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ tnftp: Arbitrary file overwriting
+
+ tnftp fails to validate filenames when downloading files, making it
+ vulnerable to arbitrary file overwriting.
+
+ tnftp
+ January 14, 2005
+ January 14, 2005: 01
+ 74704
+ remote
+
+
+ 20050103
+ 20050103
+
+
+
+

+ tnftp is a NetBSD FTP client with several advanced features. +

+
+ +

+ The 'mget' function in cmds.c lacks validation of the filenames + that are supplied by the server. +

+
+ +

+ An attacker running an FTP server could supply clients with + malicious filenames, potentially allowing the overwriting of arbitrary + files with the permission of the connected user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All tnftp users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-ftp/tnftp-20050103"
+
+
+ CAN-2004-1294
+ Original Advisory
+
+
+ koon
+
+
+ koon
+
+
+ lewk
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-25.xml b/xml/htdocs/security/en/glsa/glsa-200501-25.xml
new file mode 100644
index 00000000..6e5ea636
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200501-25.xml
@@ -0,0 +1,83 @@
+
+
+
+
+
+
+ Squid: Multiple vulnerabilities
+
+ Squid contains vulnerabilities in the the code handling NTLM (NT Lan
+ Manager), Gopher to HTML, ACLs and WCCP (Web Cache Communication Protocol)
+ which could lead to ACL bypass, denial of service and arbitrary code
+ execution.
+
+ squid
+ January 16, 2005
+ February 07, 2005: 03
+ 77934
+ 77521
+ remote
+
+
+ 2.5.7-r2
+ 2.5.7-r2
+
+
+
+

+ Squid is a full-featured Web proxy cache designed to run on Unix + systems. It supports proxying and caching of HTTP, FTP, and other URLs, + as well as SSL support, cache hierarchies, transparent caching, access + control lists and many other features. +

+
+ +

+ Squid contains a vulnerability in the gopherToHTML function + (CAN-2005-0094) and incorrectly checks the 'number of caches' field + when parsing WCCP_I_SEE_YOU messages (CAN-2005-0095). Furthermore the + NTLM code contains two errors. One is a memory leak in the + fakeauth_auth helper (CAN-2005-0096) and the other is a NULL pointer + dereferencing error (CAN-2005-0097). Finally Squid also contains an + error in the ACL parsing code (CAN-2005-0194). +

+
+ +

+ With the WCCP issue an attacker could cause denial of service by + sending a specially crafted UDP packet. With the Gopher issue an + attacker might be able to execute arbitrary code by enticing a user to + connect to a malicious Gopher server. The NTLM issues could lead to + denial of service by memory consumption or by crashing Squid. The ACL + issue could lead to ACL bypass. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Squid users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/squid-2.5.7-r2" +
+ + Secunia Advisory SA13825 + Secunia Advisory SA13789 + CAN-2005-0094 + CAN-2005-0095 + CAN-2005-0096 + CAN-2005-0097 + CAN-2005-0194 + + + jaervosz + + + jaervosz + +
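Review bot: The synopsis of glsa-200501-25.xml reads "in the the code handling NTLM", a doubled word; it should be `in the code handling NTLM (NT Lan Manager)`. The same kind of slip appears in other advisories added by this commit: "mailicous" in glsa-200501-26.xml (`malicious`), "vulnerabilites" in glsa-200501-34.xml (`vulnerabilities`) and "Annoucement" in the ngIRCd reference title of glsa-200501-40.xml (`Announcement`). These files are published advisory text, so the wording is worth correcting before they are served.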
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-26.xml b/xml/htdocs/security/en/glsa/glsa-200501-26.xml new file mode 100644 index 00000000..d98f3205 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-26.xml @@ -0,0 +1,65 @@ + + + + + + + ImageMagick: PSD decoding heap overflow + + ImageMagick is vulnerable to a heap overflow when decoding Photoshop + Document (PSD) files, which could lead to arbitrary code execution. + + imagemagick + January 20, 2005 + January 20, 2005: 01 + 77932 + remote + + + 6.1.8.8 + 6.1.8.8 + + + +

+ ImageMagick is a collection of tools to read, write and manipulate + images in many formats. +

+
+ +

+ Andrei Nigmatulin discovered that a Photoshop Document (PSD) file + with more than 24 layers could trigger a heap overflow. +

+
+ +

+ An attacker could potentially design a mailicous PSD image file to + cause arbitrary code execution with the permissions of the user running + ImageMagick. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ImageMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.1.8.8" +
+ + CAN-2005-0005 + iDEFENSE Advisory + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-27.xml b/xml/htdocs/security/en/glsa/glsa-200501-27.xml new file mode 100644 index 00000000..8d37577b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-27.xml @@ -0,0 +1,89 @@ + + + + + + + Ethereal: Multiple vulnerabilities + + Multiple vulnerabilities exist in Ethereal, which may allow an attacker to + run arbitrary code, crash the program or perform DoS by CPU and disk + utilization. + + ethereal + January 20, 2005 + January 20, 2005: 01 + 78559 + remote + + + 0.10.9 + 0.10.9 + + + +

+ Ethereal is a feature rich network protocol analyzer. +

+
+ +

+ There are multiple vulnerabilities in versions of Ethereal earlier + than 0.10.9, including: +

+
    +
  • The COPS dissector could go into + an infinite loop (CAN-2005-0006).
  • +
  • The DLSw dissector could + cause an assertion, making Ethereal exit prematurely + (CAN-2005-0007).
  • +
  • The DNP dissector could cause memory + corruption (CAN-2005-0008).
  • +
  • The Gnutella dissector could cause + an assertion, making Ethereal exit prematurely (CAN-2005-0009).
  • +
  • The MMSE dissector could free statically-allocated memory + (CAN-2005-0010).
  • +
  • The X11 dissector is vulnerable to a string + buffer overflow (CAN-2005-0084).
  • +
+
+ +

+ An attacker might be able to use these vulnerabilities to crash + Ethereal, perform DoS by CPU and disk space utilization or even execute + arbitrary code with the permissions of the user running Ethereal, which + could be the root user. +

+
+ +

+ For a temporary workaround you can disable all affected protocol + dissectors by selecting Analyze->Enabled Protocols... and deselecting + them from the list. However, it is strongly recommended to upgrade to + the latest stable version. +

+
+ +

+ All Ethereal users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.10.9" +
+ + CAN-2005-0006 + CAN-2005-0007 + CAN-2005-0008 + CAN-2005-0009 + CAN-2005-0010 + CAN-2005-0084 + Ethereal Release Notes + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-28.xml b/xml/htdocs/security/en/glsa/glsa-200501-28.xml new file mode 100644 index 00000000..fbed6d35 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-28.xml @@ -0,0 +1,79 @@ + + + + + + + Xpdf, GPdf: Stack overflow in Decrypt::makeFileKey2 + + A stack overflow was discovered in Xpdf, potentially resulting in the + execution of arbitrary code. GPdf includes Xpdf code and therefore is + vulnerable to the same issue. + + Xpdf + January 21, 2005 + January 21, 2005: 01 + 77888 + 78128 + remote + + + 3.00-r8 + 3.00-r7 + + + 2.8.2 + 2.8.2 + + + +

+ Xpdf is an open source viewer for Portable Document Format (PDF) + files. GPdf is a Gnome-based PDF viewer that includes some Xpdf code. +

+
+ +

+ iDEFENSE reports that the Decrypt::makeFileKey2 function in Xpdf's + Decrypt.cc insufficiently checks boundaries when processing /Encrypt + /Length tags in PDF files. +

+
+ +

+ An attacker could entice an user to open a specially-crafted PDF + file which would trigger a stack overflow, potentially resulting in + execution of arbitrary code with the rights of the user running Xpdf or + GPdf. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Xpdf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/xpdf-3.00-r8" +

+ All GPdf users should also upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/gpdf-2.8.2" +
+ + CAN-2005-0064 + iDEFENSE Advisory + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-29.xml b/xml/htdocs/security/en/glsa/glsa-200501-29.xml new file mode 100644 index 00000000..69814dc3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-29.xml @@ -0,0 +1,66 @@ + + + + + + + Mailman: Cross-site scripting vulnerability + + Mailman is vulnerable to cross-site scripting attacks. + + mailman + January 22, 2005 + January 22, 2005: 01 + 77524 + remote + + + 2.1.5-r3 + 2.1.5-r3 + + + +

+ Mailman is a Python-based mailing list server with an extensive + web interface. +

+
+ +

+ Florian Weimer has discovered a cross-site scripting vulnerability + in the error messages that are produced by Mailman. +

+
+ +

+ By enticing a user to visiting a specially-crafted URL, an + attacker can execute arbitrary script code running in the context of + the victim's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mailman users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/mailman-2.1.5-r3" +
+ + CAN-2004-1177 + + + koon + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-30.xml b/xml/htdocs/security/en/glsa/glsa-200501-30.xml new file mode 100644 index 00000000..a4f288c9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-30.xml @@ -0,0 +1,66 @@ + + + + + + + CUPS: Stack overflow in included Xpdf code + + CUPS includes Xpdf code and therefore is vulnerable to the recent stack + overflow issue, potentially resulting in the remote execution of arbitrary + code. + + CUPS + January 22, 2005 + January 22, 2005: 01 + 78249 + remote + + + 1.1.23-r1 + 1.1.23-r1 + + + +

+ The Common UNIX Printing System (CUPS) is a cross-platform print + spooler. It makes use of Xpdf code to handle PDF files. +

+
+ +

+ The Decrypt::makeFileKey2 function in Xpdf's Decrypt.cc + insufficiently checks boundaries when processing /Encrypt /Length tags + in PDF files (GLSA 200501-28). +

+
+ +

+ This issue could be exploited by a remote attacker to execute + arbitrary code by sending a malicious print job to a CUPS spooler. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CUPS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/cups-1.1.23-r1" +
+ + CAN-2005-0064 + GLSA 200501-28 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-31.xml b/xml/htdocs/security/en/glsa/glsa-200501-31.xml new file mode 100644 index 00000000..01e80f12 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-31.xml @@ -0,0 +1,101 @@ + + + + + + + teTeX, pTeX, CSTeX: Multiple vulnerabilities + + teTeX, pTeX and CSTeX make use of vulnerable Xpdf code which may allow the + remote execution of arbitrary code. Furthermore, the xdvizilla script is + vulnerable to temporary file handling issues. + + teTeX + January 23, 2005 + January 23, 2005: 01 + 75801 + remote and local + + + 2.0.2-r5 + 2.0.2-r5 + + + 2.0.2-r1 + 2.0.2-r1 + + + 3.1.4-r2 + 3.1.4-r2 + + + +

+ teTeX is a complete and open source TeX distribution. CSTeX is + another TeX distribution including Czech and Slovak support. pTeX is + another alternative that allows Japanese publishing with TeX. xdvizilla + is an auxiliary script used to integrate DVI file viewing in + Mozilla-based browsers. +

+
+ +

+ teTeX, pTeX and CSTeX all make use of Xpdf code and may therefore + be vulnerable to the various overflows that were discovered in Xpdf + code (CAN-2004-0888, CAN-2004-0889, CAN-2004-1125 and CAN-2005-0064). + Furthermore, Javier Fernandez-Sanguino Pena discovered that the + xdvizilla script does not handle temporary files correctly. +

+
+ +

+ An attacker could design a malicious input file which, when + processed using one of the TeX distributions, could lead to the + execution of arbitrary code. Furthermore, a local attacker could create + symbolic links in the temporary files directory, pointing to a valid + file somewhere on the filesystem. When xdvizilla is called, this would + result in the file being overwritten with the rights of the user + running the script. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All teTeX users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/tetex-2.0.2-r5" +

+ All CSTeX users should also upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/cstetex-2.0.2-r1" +

+ Finally, all pTeX users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/ptex-3.1.4-r2" +
+ + CAN-2004-0888 + CAN-2004-0889 + CAN-2004-1125 + CAN-2005-0064 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-32.xml b/xml/htdocs/security/en/glsa/glsa-200501-32.xml new file mode 100644 index 00000000..8564fe51 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-32.xml @@ -0,0 +1,80 @@ + + + + + + + KPdf, KOffice: Stack overflow in included Xpdf code + + KPdf and KOffice both include vulnerable Xpdf code to handle PDF files, + making them vulnerable to the execution of arbitrary code. + + kpdf, koffice + January 23, 2005 + January 23, 2005: 01 + 78619 + 78620 + remote + + + 1.3.5-r2 + 1.3.5-r2 + + + 3.3.2-r2 + 3.2.3-r4 + 3.3.2-r2 + + + +

+ KPdf is a KDE-based PDF viewer included in the kdegraphics + package. KOffice is an integrated office suite for KDE. +

+
+ +

+ KPdf and KOffice both include Xpdf code to handle PDF files. Xpdf + is vulnerable to a new stack overflow, as described in GLSA 200501-28. +

+
+ +

+ An attacker could entice a user to open a specially-crafted PDF + file, potentially resulting in the execution of arbitrary code with the + rights of the user running the affected application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All KPdf users should upgrade to the latest version of + kdegraphics: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose kde-base/kdegraphics +

+ All KOffice users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose app-office/koffice +
+ + GLSA 200501-18 + CAN-2005-0064 + KDE Security Advisory: kpdf Buffer Overflow Vulnerability + KDE Security Advisory: KOffice PDF Import Filter Vulnerability + + + jaervosz + + + koon + +
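Review bot: The references block of glsa-200501-32.xml links GLSA 200501-18, while the description a few lines above says the stack overflow is "as described in GLSA 200501-28", which is the Xpdf advisory added earlier in this same commit; one of the two is presumably a typo and the link target should be verified, most likely `GLSA 200501-28`. Separately, the kdegraphics resolution command carries no version bound although the advisory states 1.3.5-r2 as the unaffected version; unless kdegraphics is slotted the way koffice appears to be, `# emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-1.3.5-r2"` would match the other advisories and make sure users actually pull the fixed revision.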
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-33.xml b/xml/htdocs/security/en/glsa/glsa-200501-33.xml new file mode 100644 index 00000000..6b0d21c0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-33.xml @@ -0,0 +1,70 @@ + + + + + + + MySQL: Insecure temporary file creation + + MySQL is vulnerable to symlink attacks, potentially allowing a local user + to overwrite arbitrary files. + + mysql + January 23, 2005 + January 23, 2005: 01 + 77805 + local + + + 4.0.22-r2 + 4.0.22-r2 + + + +

+ MySQL is a fast, multi-threaded, multi-user SQL database server. +

+
+ +

+ Javier Fernandez-Sanguino Pena from the Debian Security Audit + Project discovered that the 'mysqlaccess' script creates temporary + files in world-writeable directories with predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary + files directory, pointing to a valid file somewhere on the filesystem. + When the mysqlaccess script is executed, this would result in the file + being overwritten with the rights of the user running the software, + which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MySQL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mysql-4.0.22-r2" +
+ + CAN-2005-0004 + Secunia Advisory SA13867 + + + koon + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-34.xml b/xml/htdocs/security/en/glsa/glsa-200501-34.xml new file mode 100644 index 00000000..fc90b8be --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-34.xml @@ -0,0 +1,81 @@ + + + + + + + Konversation: Various vulnerabilities + + Konversation contains multiple vulnerabilities that could lead to remote + command execution or information leaks. + + konversation + January 24, 2005 + January 24, 2005: 01 + 78712 + remote + + + 0.15.1 + 0.15.1 + + + +

+ Konversation is a user-friendly IRC client for KDE. +

+
+ +

+ Wouter Coekaerts has discovered three vulnerabilites within + Konversation: +

+
    +
  • The Server::parseWildcards function, which + is used by the "Quick Buttons", does not properly handle variable + expansion (CAN-2005-0129).
  • +
  • Perl scripts included with + Konversation do not properly escape shell metacharacters + (CAN-2005-0130).
  • +
  • The 'Nick' and 'Password' fields in the Quick + Connect dialog can be easily confused (CAN-2005-0131).
  • +
+
+ +

+ A malicious server could create specially-crafted channels, which + would exploit certain flaws in Konversation, potentially leading to the + execution of shell commands. A user could also unintentionally input + their password into the 'Nick' field in the Quick Connect dialog, + exposing his password to IRC users, and log files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Konversation users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/konversation-0.15.1" +
+ + CAN-2005-0129 + CAN-2005-0130 + CAN-2005-0131 + KDE Security Advisory: Multiple vulnerabilities in Konversation + + + jaervosz + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-35.xml b/xml/htdocs/security/en/glsa/glsa-200501-35.xml new file mode 100644 index 00000000..14b94c19 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-35.xml @@ -0,0 +1,66 @@ + + + + + + + Evolution: Integer overflow in camel-lock-helper + + An overflow in the camel-lock-helper application can be exploited by an + attacker to execute arbitrary code with elevated privileges. + + evolution + January 24, 2005 + January 24, 2005: 01 + 79183 + local and remote + + + 2.0.2-r1 + 2.0.2 + + + +

+ Evolution is a GNOME groupware application similar to Microsoft + Outlook. +

+
+ +

+ Max Vozeler discovered an integer overflow in the + camel-lock-helper application, which is installed as setgid mail by + default. +

+
+ +

+ A local attacker could exploit this vulnerability to execute + malicious code with the privileges of the 'mail' group. A remote + attacker could also setup a malicious POP server to execute arbitrary + code when an Evolution user connects to it. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Evolution users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/evolution-2.0.2-r1" +
+ + CAN-2005-0102 + + + DerCorny + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-36.xml b/xml/htdocs/security/en/glsa/glsa-200501-36.xml new file mode 100644 index 00000000..4306a7aa --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-36.xml @@ -0,0 +1,79 @@ + + + + + + + AWStats: Remote code execution + + AWStats fails to validate certain input, which could lead to the remote + execution of arbitrary code or to the leak of information. + + awstats + January 25, 2005 + May 28, 2009: 04 + 77963 + 81775 + remote + + + 6.3-r2 + 6.3-r2 + + + +

+ AWStats is an advanced log file analyzer and statistics generator. +

+
+ +

+ When 'awstats.pl' is run as a CGI script, it fails to validate specific + inputs which are used in a Perl open() function call. Furthermore, a + user could read log file content even when plugin rawlog was not + enabled. +

+
+ +

+ A remote attacker could supply AWStats malicious input, potentially + allowing the execution of arbitrary code with the rights of the web + server. He could also access raw log contents. +

+
+ +

+ Making sure that AWStats does not run as a CGI script will avoid the + issue, but we recommend that users upgrade to the latest version, which + fixes these bugs. +

+
+ +

+ All AWStats users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-misc/awstats-6.3-r2" +

+ Note: Users with the vhosts USE flag set should manually use + webapp-config to finalize the update. +

+
+ + AWStats ChangeLog + iDEFENSE Advisory + CAN-2005-0116 + CAN-2005-0362 + CAN-2005-0363 + + + koon + + + lewk + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-37.xml b/xml/htdocs/security/en/glsa/glsa-200501-37.xml new file mode 100644 index 00000000..5f79f3e0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-37.xml @@ -0,0 +1,68 @@ + + + + + + + GraphicsMagick: PSD decoding heap overflow + + GraphicsMagick is vulnerable to a heap overflow when decoding Photoshop + Document (PSD) files, which could lead to arbitrary code execution. + + GraphicsMagick + January 26, 2005 + January 26, 2005: 01 + 79336 + remote + + + 1.1.5 + 1.1.5 + + + +

+ GraphicsMagick is a collection of tools to read, write and + manipulate images in many formats. GraphicsMagick is originally derived + from ImageMagick 5.5.2. +

+
+ +

+ Andrei Nigmatulin discovered that handling a Photoshop Document + (PSD) file with more than 24 layers in ImageMagick could trigger a heap + overflow (GLSA 200501-26). GraphicsMagick is based on the same code and + therefore suffers from the same flaw. +

+
+ +

+ An attacker could potentially design a malicious PSD image file to + cause arbitrary code execution with the permissions of the user running + GraphicsMagick. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GraphicsMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.1.5" +
+ + CAN-2005-0005 + GLSA 200501-26 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-38.xml b/xml/htdocs/security/en/glsa/glsa-200501-38.xml new file mode 100644 index 00000000..944f107c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-38.xml @@ -0,0 +1,86 @@ + + + + + + + Perl: rmtree and DBI tmpfile vulnerabilities + + The Perl DBI library and File::Path::rmtree function are vulnerable to + symlink attacks. + + Perl + January 26, 2005 + March 15, 2005: 03 + 75696 + 78634 + 79685 + local + + + 1.37-r1 + 1.38-r1 + 1.38 + + + 5.8.6-r4 + 5.8.5-r5 + 5.8.4-r4 + 5.8.2-r4 + 5.8.6-r3 + + + +

+ Perl is a cross platform programming language. The DBI is the standard + database interface module for Perl. +

+
+ +

+ Javier Fernandez-Sanguino Pena discovered that the DBI library creates + temporary files in an insecure, predictable way (CAN-2005-0077). Paul + Szabo found out that "File::Path::rmtree" is vulnerable to various race + conditions (CAN-2004-0452, CAN-2005-0448). +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory that point to a valid file somewhere on the filesystem. When + the DBI library or File::Path::rmtree is executed, this could be used + to overwrite or remove files with the rights of the user calling these + functions. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All Perl users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-lang/perl +

+ All DBI library users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-perl/DBI +
+ + CAN-2004-0452 + CAN-2005-0077 + CAN-2005-0448 + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-39.xml b/xml/htdocs/security/en/glsa/glsa-200501-39.xml new file mode 100644 index 00000000..6e2a976e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-39.xml @@ -0,0 +1,85 @@ + + + + + + + SquirrelMail: Multiple vulnerabilities + + SquirrelMail fails to properly sanitize user input, which could lead to + arbitrary code execution and compromise webmail accounts. + + SquirrelMail + January 28, 2005 + January 28, 2005: 01 + 78116 + remote + + + 1.4.4 + 1.4.3a-r2 + + + +

+ SquirrelMail is a webmail package written in PHP. It supports IMAP + and SMTP and can optionally be installed with SQL support. +

+
+ +

+ SquirrelMail fails to properly sanitize certain strings when + decoding specially-crafted strings, which can lead to PHP file + inclusion and XSS. +

+
    +
  • Insufficient checking of incoming URLs + in prefs.php (CAN-2005-0075) and in webmail.php (CAN-2005-0103).
  • +
  • Insufficient escaping of integers in webmail.php + (CAN-2005-0104).
  • +
+
+ +

+ By sending a specially-crafted URL, an attacker can execute + arbitrary code from the local system with the permissions of the web + server. Furthermore by enticing a user to load a specially-crafted URL, + it is possible to display arbitrary remote web pages in Squirrelmail's + frameset and execute arbitrary scripts running in the context of the + victim's browser. This could lead to a compromise of the user's webmail + account, cookie theft, etc. +

+
+ +

+ The arbitrary code execution is only possible with + "register_globals" set to "On". Gentoo ships PHP with + "register_globals" set to "Off" by default. There are no known + workarounds for the other issues at this time. +

+
+ +

+ All SquirrelMail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.4" +

+ Note: Users with the vhosts USE flag set should manually use + webapp-config to finalize the update. +

+
+ + SquirrelMail Advisory + CAN-2005-0075 + CAN-2005-0103 + CAN-2005-0104 + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-40.xml b/xml/htdocs/security/en/glsa/glsa-200501-40.xml new file mode 100644 index 00000000..e3478521 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-40.xml @@ -0,0 +1,67 @@ + + + + + + + ngIRCd: Buffer overflow + + ngIRCd is vulnerable to a buffer overflow that can be used to crash the + daemon and possibly execute arbitrary code. + + ngIRCd + January 28, 2005 + May 22, 2006: 02 + 79705 + remote + + + 0.8.2 + 0.8.2 + + + +

+ ngIRCd is a free open source daemon for Internet Relay Chat (IRC). +

+
+ +

+ Florian Westphal discovered a buffer overflow caused by an integer + underflow in the Lists_MakeMask() function of lists.c. +

+
+ +

+ A remote attacker can exploit this buffer overflow to crash the ngIRCd + daemon and possibly execute arbitrary code with the rights of the + ngIRCd daemon process. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ngIRCd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/ngIRCd-0.8.2" +
+ + ngIRCd Release Annoucement + CVE-2005-0199 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-41.xml b/xml/htdocs/security/en/glsa/glsa-200501-41.xml new file mode 100644 index 00000000..db34d4ed --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-41.xml @@ -0,0 +1,63 @@ + + + + + + + TikiWiki: Arbitrary command execution + + A bug in TikiWiki allows certain users to upload and execute malicious PHP + scripts. + + tikiwiki + January 30, 2005 + May 22, 2006: 02 + 78944 + remote + + + 1.8.5 + 1.8.5 + + + +

+ TikiWiki is a web-based groupware and content management system (CMS), + using PHP, ADOdb and Smarty. +

+
+ +

+ TikiWiki does not validate files uploaded to the "temp" directory. +

+
+ +

+ A malicious user could run arbitrary commands on the server by + uploading and calling a PHP script. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TikiWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.8.5" +
+ + TikiWiki Advisory + CVE-2005-0200 + + + DerCorny + + + vorlon078 + +
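Review bot: The resolution of glsa-200501-41.xml only tells users to upgrade, but the description says the flaw is that files uploaded to the "temp" directory are not validated and can then be called as PHP scripts; an upgrade does not remove anything that may already have been uploaded before the fix. It may be worth adding a sentence to the resolution advising administrators to review the contents of that directory after upgrading, in the same spirit as the webapp-config note the AWStats and Gallery advisories in this commit carry.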
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-42.xml b/xml/htdocs/security/en/glsa/glsa-200501-42.xml new file mode 100644 index 00000000..4bea8140 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-42.xml @@ -0,0 +1,67 @@ + + + + + + + VDR: Arbitrary file overwriting issue + + VDR insecurely accesses files with elevated privileges, which may result in + the overwriting of arbitrary files. + + VDR + January 30, 2005 + January 30, 2005: 01 + 78230 + local + + + 1.2.6-r1 + 1.2.6-r1 + + + +

+ Video Disk Recorder (VDR) is a Linux-based digital video recorder. + The VDR program handles the On Screen Menu system that offers complete + control over channel settings, timers and recordings. +

+
+ +

+ Javier Fernandez-Sanguino Pena from the Debian Security Audit Team + discovered that VDR accesses user-controlled files insecurely. +

+
+ +

+ A local attacker could create malicious links and invoke a VDR + recording that would overwrite arbitrary files on the system. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All VDR users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/vdr-1.2.6-r1" +
+ + CAN-2005-0071 + + + jaervosz + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-43.xml b/xml/htdocs/security/en/glsa/glsa-200501-43.xml new file mode 100644 index 00000000..262bad25 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-43.xml @@ -0,0 +1,67 @@ + + + + + + + f2c: Insecure temporary file creation + + f2c is vulnerable to symlink attacks, potentially allowing a local user to + overwrite arbitrary files. + + f2c + January 30, 2005 + January 30, 2005: 01 + 79725 + local + + + 20030320-r1 + 20030320 + + + +

+ f2c is a Fortran to C translator. Portage uses this package in + some ebuilds to build Fortran sources. +

+
+ +

+ Javier Fernandez-Sanguino Pena from the Debian Security Audit Team + discovered that f2c creates temporary files in world-writeable + directories with predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary + files directory, pointing to a valid file somewhere on the filesystem. + When f2c is executed, this would result in the file being overwritten + with the rights of the user running the software, which could be the + root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All f2c users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/f2c-20030320-r1" +
+ + CAN-2005-0017 + + + koon + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-44.xml b/xml/htdocs/security/en/glsa/glsa-200501-44.xml new file mode 100644 index 00000000..fc1906a3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-44.xml @@ -0,0 +1,75 @@ + + + + + + + ncpfs: Multiple vulnerabilities + + The ncpfs utilities contain multiple flaws, potentially resulting in the + remote execution of arbitrary code or local file access with elevated + privileges. + + ncpfs + January 30, 2005 + January 30, 2005: 01 + 77414 + remote and local + + + 2.2.6 + 2.2.6 + + + +

+ ncpfs is a NCP protocol network filesystem driver that allows + access to NetWare services, to mount volumes of NetWare servers or + print to NetWare print queues. +

+
+ +

+ Erik Sjolund discovered two vulnerabilities in the programs + bundled with ncpfs: there is a potentially exploitable buffer overflow + in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities + using the NetWare client functions insecurely access files with + elevated privileges (CAN-2005-0013). +

+
+ +

+ The buffer overflow might allow a malicious remote NetWare server + to execute arbitrary code on the NetWare client. Furthermore, a local + attacker may be able to create links and access files with elevated + privileges using SUID ncpfs utilities. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ncpfs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/ncpfs-2.2.6" +
+ + CAN-2005-0013 + CAN-2005-0014 + ncpfs ChangeLog + + + jaervosz + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-45.xml b/xml/htdocs/security/en/glsa/glsa-200501-45.xml new file mode 100644 index 00000000..5cf28c2b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-45.xml @@ -0,0 +1,71 @@ + + + + + + + Gallery: Cross-site scripting vulnerability + + Gallery is vulnerable to cross-site scripting attacks. + + gallery + January 30, 2005 + May 22, 2006: 04 + 78522 + remote + + + 1.4.4_p6 + 1.4.4_p6 + + + +

+ Gallery is a web application written in PHP which is used to organize + and publish photo albums. It allows multiple users to build and + maintain their own albums. It also supports the mirroring of images on + other servers. +

+
+ +

+ Rafel Ivgi has discovered a cross-site scripting vulnerability where + the 'username' parameter is not properly sanitized in 'login.php'. +

+
+ +

+ By sending a carefully crafted URL, an attacker can inject and execute + script code in the victim's browser window, and potentially compromise + the user's gallery. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Gallery users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/gallery-1.4.4_p6" +

+ Note: Users with the vhosts USE flag set should manually use + webapp-config to finalize the update. +

+
+ + Gallery Announcement + Secunia Advisory SA13887 + CVE-2005-0220 + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200501-46.xml b/xml/htdocs/security/en/glsa/glsa-200501-46.xml new file mode 100644 index 00000000..d90e3c9f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200501-46.xml @@ -0,0 +1,71 @@ + + + + + + + ClamAV: Multiple issues + + ClamAV contains two vulnerabilities that could lead to Denial of Service + and evasion of virus scanning. + + clamav + January 31, 2005 + May 22, 2006: 02 + 78656 + 79194 + remote + + + 0.81 + 0.80 + + + +

+ ClamAV is an antivirus toolkit. It includes a multi-threaded daemon and + a command line scanner. +

+
+ +

+ ClamAV fails to properly scan ZIP files with special headers + (CAN-2005-0133) and base64 encoded images in URLs. +

+
+ +

+ By sending a base64 encoded image file in a URL an attacker could evade + virus scanning. By sending a specially-crafted ZIP file an attacker + could cause a Denial of Service by crashing the clamd daemon. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.81" +
+ + CAN-2005-0133 + CVE-2005-0218 + ClamAV Release Announcement + Secunia SA13900 + + + koon + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-01.xml b/xml/htdocs/security/en/glsa/glsa-200502-01.xml
new file mode 100644
index 00000000..886c5410
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200502-01.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ FireHOL: Insecure temporary file creation
+
+ FireHOL is vulnerable to symlink attacks, potentially allowing a local user
+ to overwrite arbitrary files.
+
+ FireHOL
+ February 01, 2005
+ May 22, 2006: 02
+ 79330
+ local
+
+
+ 1.224
+ 1.224
+
+
+
+

+ FireHOL is an iptables rules generator. +

+
+ +

+ FireHOL insecurely creates temporary files with predictable names. +

+
+ +

+ A local attacker could create malicious symbolic links to arbitrary + system files. When FireHOL is executed, this could lead to these files + being overwritten with the rights of the user launching FireHOL, + usually the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FireHOL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-firewall/firehol-1.224" +
+ + FireHOL CVS log + CVE-2005-0225 + + + koon + + + vorlon078 + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-02.xml b/xml/htdocs/security/en/glsa/glsa-200502-02.xml
new file mode 100644
index 00000000..f3ee8e88
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200502-02.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ UW IMAP: CRAM-MD5 authentication bypass
+
+ UW IMAP contains a vulnerability in the code handling CRAM-MD5
+ authentication allowing authentication bypass.
+
+ uw-imap
+ February 02, 2005
+ May 22, 2006: 02
+ 79874
+ remote
+
+
+ 2004b
+ 2004a
+
+
+
+

+ UW IMAP is the University of Washington IMAP toolkit which includes + POP3 and IMAP daemons. +

+
+ +

+ A logic bug in the code handling CRAM-MD5 authentication incorrectly + specifies the condition for successful authentication. +

+
+ +

+ An attacker could exploit this vulnerability to authenticate as any + mail user on a server with CRAM-MD5 authentication enabled. +

+
+ +

+ Disable CRAM-MD5 authentication. +

+
+ +

+ All UW IMAP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/uw-imap-2004b" +
+ + US-CERT VU#702777 + CVE-2005-0198 + + + koon + + + jaervosz + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-03.xml b/xml/htdocs/security/en/glsa/glsa-200502-03.xml new file mode 100644 index 00000000..65169f33 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-03.xml @@ -0,0 +1,71 @@ + + + + + + + enscript: Multiple vulnerabilities + + enscript suffers from vulnerabilities and design flaws, potentially + resulting in the execution of arbitrary code. + + enscript + February 02, 2005 + February 02, 2005: 01 + 77408 + remote + + + 1.6.3-r3 + 1.6.3-r3 + + + +

+ enscript is a powerful ASCII to PostScript file converter. +

+
+ +

+ Erik Sjolund discovered several issues in enscript: it suffers + from several buffer overflows (CAN-2004-1186), quotes and shell escape + characters are insufficiently sanitized in filenames (CAN-2004-1185), + and it supported taking input from an arbitrary command pipe, with + unwanted side effects (CAN-2004-1184). +

+
+ +

+ An attacker could design malicious files or input data which, once + feeded into enscript, would trigger the execution of arbitrary code + with the rights of the user running enscript. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All enscript users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/enscript-1.6.3-r3" +
+ + CAN-2004-1184 + CAN-2004-1185 + CAN-2004-1186 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-04.xml b/xml/htdocs/security/en/glsa/glsa-200502-04.xml new file mode 100644 index 00000000..01095742 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-04.xml @@ -0,0 +1,87 @@ + + + + + + + Squid: Multiple vulnerabilities + + Squid contains vulnerabilities in the code handling WCCP, HTTP and LDAP + which could lead to Denial of Service, access control bypass, web cache and + log poisoning. + + squid + February 02, 2005 + February 02, 2005: 02 + 79495 + 78776 + 80201 + 80341 + remote + + + 2.5.7-r5 + 2.5.7-r5 + + + +

+ Squid is a full-featured Web proxy cache designed to run on Unix + systems. It supports proxying and caching of HTTP, FTP, and other + protocols, as well as SSL support, cache hierarchies, transparent + caching, access control lists and many other features. +

+
+ +

+ Squid contains several vulnerabilities: +

+
    +
  • Buffer overflow when handling WCCP recvfrom() + (CAN-2005-0211).
  • +
  • Loose checking of HTTP headers (CAN-2005-0173 and + CAN-2005-0174).
  • +
  • Incorrect handling of LDAP login names with spaces + (CAN-2005-0175).
  • +
+
+ +

+ An attacker could exploit: +

+
    +
  • the WCCP buffer overflow to cause Denial of Service.
  • +
  • the HTTP header parsing vulnerabilities to inject arbitrary + response data, potentially leading to content spoofing, web cache + poisoning and other cross-site scripting or HTTP response splitting + attacks.
  • +
  • the LDAP issue to login with several variations of the same login + name, leading to log poisoning.
  • +
+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Squid users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/squid-2.5.7-r5" +
+ + CAN-2005-0173 + CAN-2005-0174 + CAN-2005-0175 + CAN-2005-0211 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-05.xml b/xml/htdocs/security/en/glsa/glsa-200502-05.xml new file mode 100644 index 00000000..354b6612 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-05.xml @@ -0,0 +1,66 @@ + + + + + + + Newspost: Buffer overflow vulnerability + + A buffer overflow can be exploited to crash Newspost remotely and + potentially execute arbitrary code. + + newspost + February 03, 2005 + February 21, 2005: 02 + 78530 + remote + + + 2.0-r1 + 2.1.1-r1 + 2.1.1-r1 + + + +

+ Newspost is a Usenet News binary autoposter. +

+
+ +

+ Niels Heinen has discovered a buffer overflow in the socket_getline() + function of Newspost, which can be triggered by providing long strings + that do not end with a newline character. +

+
+ +

+ A remote attacker could setup a malicious NNTP server and entice a + Newspost user to post to it, leading to the crash of the Newspost + process and potentially the execution of arbitrary code with the rights + of the Newspost user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Newspost users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-nntp/newspost-2.0-r1" +
+ + CAN-2005-0101 + + + DerCorny + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-06.xml b/xml/htdocs/security/en/glsa/glsa-200502-06.xml new file mode 100644 index 00000000..539f32af --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-06.xml @@ -0,0 +1,67 @@ + + + + + + + LessTif: Multiple vulnerabilities in libXpm + + Multiple vulnerabilities have been discovered in libXpm, which is included + in LessTif, that can potentially lead to remote code execution. + + lesstif + February 06, 2005 + February 06, 2005: 01 + 78483 + remote + + + 0.94.0 + 0.94.0 + + + +

+ LessTif is a clone of OSF/Motif, which is a standard user + interface toolkit available on Unix and Linux. +

+
+ +

+ Multiple vulnerabilities, including buffer overflows, out of + bounds memory access and directory traversals, have been discovered in + libXpm, which is shipped as a part of the X Window System. LessTif, an + application that includes libXpm, suffers from the same issues. +

+
+ +

+ A carefully-crafted XPM file could crash applications making use + of the LessTif toolkit, potentially allowing the execution of arbitrary + code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All LessTif users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/lesstif-0.94.0" +
+ + CAN-2004-0914 + LessTif Release Notes + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-07.xml b/xml/htdocs/security/en/glsa/glsa-200502-07.xml new file mode 100644 index 00000000..45fb9927 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-07.xml @@ -0,0 +1,79 @@ + + + + + + + OpenMotif: Multiple vulnerabilities in libXpm + + Multiple vulnerabilities have been discovered in libXpm, which is included + in OpenMotif, that can potentially lead to remote code execution. + + openmotif + February 07, 2005 + February 25, 2005: 03 + 78111 + remote + + + 2.2.3-r1 + 2.1.30-r7 + 2.2.3-r1 + + + +

+ OpenMotif provides a free version of the Motif toolkit for open source + applications. +

+
+ +

+ Multiple vulnerabilities, such as buffer overflows, out of bounds + memory access or directory traversals, have been discovered in libXpm + that is shipped as a part of the X Window System (see GLSA 200409-34 + and 200411-28). OpenMotif, an application that includes this library, + suffers from the same issues. +

+
+ +

+ A carefully-crafted XPM file could crash applications making use of the + OpenMotif toolkit, potentially allowing the execution of arbitrary code + with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenMotif users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose x11-libs/openmotif +

+ Note: You should run 'revdep-rebuild' to ensure that all applications + linked to OpenMotif are properly rebuilt. +

+
+ + CAN-2004-0687 + CAN-2004-0688 + CAN-2004-0914 + GLSA 200409-34 + GLSA 200411-28 + + + koon + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-08.xml b/xml/htdocs/security/en/glsa/glsa-200502-08.xml new file mode 100644 index 00000000..7f65dedb --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-08.xml @@ -0,0 +1,84 @@ + + + + + + + PostgreSQL: Multiple vulnerabilities + + PostgreSQL contains several vulnerabilities which could lead to execution + of arbitrary code, Denial of Service and security bypass. + + postgresql + February 07, 2005 + June 26, 2007: 06 + 80342 + remote and local + + + 7.3* + 7.4* + 8.0.1 + 7.3.10 + 7.4.7 + 8.0.1 + + + +

+ PostgreSQL is a SQL compliant, open source object-relational database + management system. +

+
+ +

+ PostgreSQL's contains several vulnerabilities: +

+
    +
  • John Heasman discovered that the LOAD extension is vulnerable to + local privilege escalation (CAN-2005-0227).
  • +
  • It is possible to bypass the EXECUTE permission check for functions + (CAN-2005-0244).
  • +
  • The PL/PgSQL parser is vulnerable to heap-based buffer overflow + (CAN-2005-0244).
  • +
  • The intagg contrib module is vulnerable to a Denial of Service + (CAN-2005-0246).
  • +
+
+ +

+ An attacker could exploit this to execute arbitrary code with the + privileges of the PostgreSQL server, bypass security restrictions and + crash the server. +

+
+ +

+ There is no know workaround at this time. +

+
+ +

+ All PostgreSQL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-db/postgresql +
+ + PostgreSQL Announcement + CAN-2005-0227 + CAN-2005-0244 + CAN-2005-0245 + CAN-2005-0246 + + + koon + + + DerCorny + + + koon + +
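Review bot: The third description bullet (the PL/PgSQL parser heap-based buffer overflow) cites CAN-2005-0244 a second time, while the references section lists CAN-2005-0245, which the body never mentions; the bullet should read `(CAN-2005-0245)` so that every listed reference maps to exactly one issue. The workaround sentence also carries a typo and should be `There is no known workaround at this time.`, and `PostgreSQL's contains several vulnerabilities:` should drop the possessive. Because the resolution atom `dev-db/postgresql` has no version, readers depend on the unaffected list to know when their slot is fixed, so those three version lines are the part of this file most worth double-checking against the ebuilds.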
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-09.xml b/xml/htdocs/security/en/glsa/glsa-200502-09.xml new file mode 100644 index 00000000..41ccfd31 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-09.xml @@ -0,0 +1,74 @@ + + + + + + + Python: Arbitrary code execution through SimpleXMLRPCServer + + Python-based XML-RPC servers may be vulnerable to remote execution of + arbitrary code. + + Python + February 08, 2005 + February 08, 2005: 01 + 80592 + remote + + + 2.3.4-r1 + 2.3.3-r2 + 2.2.3-r6 + 2.3.4 + + + +

+ Python is an interpreted, interactive, object-oriented, + cross-platform programming language. +

+
+ +

+ Graham Dumpleton discovered that XML-RPC servers making use of the + SimpleXMLRPCServer library that use the register_instance() method to + register an object without a _dispatch() method are vulnerable to a + flaw allowing to read or modify globals of the associated module. +

+
+ +

+ A remote attacker may be able to exploit the flaw in such XML-RPC + servers to execute arbitrary code on the server host with the rights of + the XML-RPC server. +

+
+ +

+ Python users that don't make use of any SimpleXMLRPCServer-based + XML-RPC servers, or making use of servers using only the + register_function() method are not affected. +

+
+ +

+ All Python users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-lang/python +
+ + CAN-2005-0089 + Python PSF-2005-001 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-10.xml b/xml/htdocs/security/en/glsa/glsa-200502-10.xml new file mode 100644 index 00000000..b9eca76c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-10.xml @@ -0,0 +1,66 @@ + + + + + + + pdftohtml: Vulnerabilities in included Xpdf + + pdftohtml includes vulnerable Xpdf code to handle PDF files, making it + vulnerable to execution of arbitrary code upon converting a malicious PDF + file. + + pdftohtml + February 09, 2005 + February 09, 2005: 01 + 78629 + remote + + + 0.36-r3 + 0.36-r3 + + + +

+ pdftohtml is a utility to convert PDF files to HTML or XML + formats. It makes use of Xpdf code to decode PDF files. +

+
+ +

+ Xpdf is vulnerable to a buffer overflow, as described in GLSA + 200501-28. +

+
+ +

+ An attacker could entice a user to convert a specially-crafted PDF + file, potentially resulting in the execution of arbitrary code with the + rights of the user running pdftohtml. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All pdftohtml users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/pdftohtml-0.36-r3" +
+ + GLSA 200501-28 + CAN-2005-0064 + + + vorlon078 + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-11.xml b/xml/htdocs/security/en/glsa/glsa-200502-11.xml new file mode 100644 index 00000000..666d5c03 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-11.xml @@ -0,0 +1,67 @@ + + + + + + + Mailman: Directory traversal vulnerability + + Mailman fails to properly sanitize input, leading to information + disclosure. + + mailman + February 10, 2005 + February 10, 2005: 01 + 81109 + remote + + + 2.1.5-r4 + 2.1.5-r4 + + + +

+ Mailman is a Python-based mailing list server with an extensive + web interface. +

+
+ +

+ Mailman contains an error in private.py which fails to properly + sanitize input paths. +

+
+ +

+ An attacker could exploit this flaw to obtain arbitrary files on + the web server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mailman users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/mailman-2.1.5-r4" +
+ + Full Disclosure Announcement + CAN-2005-0202 + + + koon + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-12.xml b/xml/htdocs/security/en/glsa/glsa-200502-12.xml new file mode 100644 index 00000000..5d34ca45 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-12.xml @@ -0,0 +1,75 @@ + + + + + + + Webmin: Information leak in Gentoo binary package + + Portage-built Webmin binary packages accidentally include a file containing + the local encrypted root password. + + Webmin + February 11, 2005 + May 22, 2006: 02 + 77731 + remote + + + 1.170-r3 + 1.170-r3 + + + +

+ Webmin is a web-based system administration console allowing an + administrator to easily configure servers and other features. Using the + 'buildpkg' FEATURE, or the -b/-B emerge options, Portage can build + reusable binary packages for any of the packages available through the + Portage tree. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that + the Webmin ebuild contains a design flaw. It imports the encrypted + local root password into the miniserv.users file before building binary + packages that include this file. +

+
+ +

+ A remote attacker could retrieve Portage-built Webmin binary packages + and recover the encrypted root password from the build host. +

+
+ +

+ Users who never built or shared a Webmin binary package are unaffected + by this. +

+
+ +

+ Webmin users should delete any old shared Webmin binary package as soon + as possible. They should also consider their buildhost root password + potentially exposed and follow proper audit procedures. +

+

+ If you plan to build binary packages, you should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/webmin-1.170-r3" +
+ + CVE-2005-0427 + + + koon + + + koon + +
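Review bot: The resolution tells anyone who shared a Webmin binary package to consider the build host's root password "potentially exposed" and to "follow proper audit procedures", but never states the one concrete action that matters: the crypt hash copied into miniserv.users can be brute-forced offline, so the build host's root password must be changed, not merely audited. I would add `Users who have distributed such a package should change the root password of the build host immediately, as the leaked password hash can be cracked offline.` ahead of the upgrade instruction. It would also help administrators checking old tarballs to name the path of the leaked file inside the package; the hunk does not show it, so confirm the installed location of miniserv.users before adding that.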
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-13.xml b/xml/htdocs/security/en/glsa/glsa-200502-13.xml new file mode 100644 index 00000000..de74750f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-13.xml @@ -0,0 +1,77 @@ + + + + + + + Perl: Vulnerabilities in perl-suid wrapper + + Vulnerabilities leading to file overwriting and code execution with + elevated privileges have been discovered in the perl-suid wrapper. + + Perl + February 11, 2005 + February 11, 2005: 01 + 80460 + local + + + 5.8.6-r3 + 5.8.5-r4 + 5.8.4-r3 + 5.8.2-r3 + 5.8.6-r3 + + + +

+ Perl is a stable, cross-platform programming language created by + Larry Wall. The perl-suid wrapper allows the use of setuid perl + scripts, i.e. user-callable Perl scripts which have elevated + privileges. This function is enabled only if you have the perlsuid USE + flag set. +

+
+ +

+ perl-suid scripts honor the PERLIO_DEBUG environment variable and + write to that file with elevated privileges (CAN-2005-0155). + Furthermore, calling a perl-suid script with a very long path while + PERLIO_DEBUG is set could trigger a buffer overflow (CAN-2005-0156). +

+
+ +

+ A local attacker could set the PERLIO_DEBUG environment variable + and call existing perl-suid scripts, resulting in file overwriting and + potentially the execution of arbitrary code with root privileges. +

+
+ +

+ You are not vulnerable if you do not have the perlsuid USE flag + set or do not use perl-suid scripts. +

+
+ +

+ All Perl users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-lang/perl +
+ + CAN-2005-0155 + CAN-2005-0156 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-14.xml b/xml/htdocs/security/en/glsa/glsa-200502-14.xml new file mode 100644 index 00000000..284aa72c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-14.xml @@ -0,0 +1,67 @@ + + + + + + + mod_python: Publisher Handler vulnerability + + mod_python contains a vulnerability in the Publisher Handler potentially + leading to information disclosure. + + mod_python + February 13, 2005 + December 30, 2007: 03 + 80109 + remote + + + 3.1.3-r1 + 2.7.11 + 3.1.3-r1 + + + +

+ mod_python is an Apache module that embeds the Python interpreter + within the server allowing Python-based web-applications to be created. +

+
+ +

+ Graham Dumpleton discovered a vulnerability in mod_python's Publisher + Handler. +

+
+ +

+ By requesting a specially crafted URL for a published module page, an + attacker could obtain information about restricted variables. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mod_python users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose www-apache/mod_python +
+ + CAN-2005-0088 + + + jaervosz + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-15.xml b/xml/htdocs/security/en/glsa/glsa-200502-15.xml new file mode 100644 index 00000000..03eccf8c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-15.xml @@ -0,0 +1,64 @@ + + + + + + + PowerDNS: Denial of Service vulnerability + + A vulnerability in PowerDNS could lead to a temporary Denial of Service. + + PowerDNS + February 13, 2005 + May 22, 2006: 02 + 80713 + remote + + + 2.9.17 + 2.9.17 + + + +

+ The PowerDNS Nameserver is an authoritative-only nameserver which uses + a flexible backend architecture. +

+
+ +

+ A vulnerability has been reported in the DNSPacket::expand method of + dnspacket.cc. +

+
+ +

+ An attacker could cause a temporary Denial of Service by sending a + random stream of bytes to the PowerDNS Daemon. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PowerDNS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/pdns-2.9.17" +
+ + PowerDNS Release Notes + PowerDNS Ticket #21 + CVE-2005-0428 + + + vorlon078 + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-16.xml b/xml/htdocs/security/en/glsa/glsa-200502-16.xml new file mode 100644 index 00000000..4c45bb68 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-16.xml @@ -0,0 +1,69 @@ + + + + + + + ht://Dig: Cross-site scripting vulnerability + + ht://Dig is vulnerable to cross-site scripting attacks. + + htdig + February 13, 2005 + February 13, 2005: 01 + 80602 + remote + + + 3.1.6-r7 + 3.1.6-r7 + + + +

+ ht://Dig is an HTTP/HTML indexing and searching system. +

+
+ +

+ Michael Krax discovered that ht://Dig fails to validate the + 'config' parameter before displaying an error message containing the + parameter. This flaw could allow an attacker to conduct cross-site + scripting attacks. +

+
+ +

+ By sending a carefully crafted message, an attacker can inject and + execute script code in the victim's browser window. This allows to + modify the behaviour of ht://Dig, and/or leak session information such + as cookies to the attacker. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ht://Dig users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-misc/htdig-3.1.6-r7" +
+ + CAN-2005-0085 + SecurityTracker #1013078 + + + vorlon078 + + + vorlon078 + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-17.xml b/xml/htdocs/security/en/glsa/glsa-200502-17.xml new file mode 100644 index 00000000..6cbc7dae --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-17.xml @@ -0,0 +1,85 @@ + + + + + + + Opera: Multiple vulnerabilities + + Opera is vulnerable to several vulnerabilities which could result in + information disclosure and facilitate execution of arbitrary code. + + Opera + February 14, 2005 + December 30, 2007: 03 + 73871 + 74076 + 74321 + 81747 + remote + + + 7.54-r3 + 7.54-r3 + + + +

+ Opera is a multi-platform web browser. +

+
+ +

+ Opera contains several vulnerabilities: +

+
    +
  • fails to properly validate Content-Type and filename.
  • +
  • fails to properly validate date: URIs.
  • +
  • uses kfmclient exec as the Default Application to handle downloaded + files when integrated with KDE.
  • +
  • fails to properly control frames.
  • +
  • uses Sun Java packages insecurely.
  • +
  • searches an insecure path for plugins.
  • +
+
+ +

+ An attacker could exploit these vulnerabilities to: +

+
    +
  • execute arbitrary code.
  • +
  • load a malicious frame in the context of another browser + session.
  • +
  • leak information.
  • +
+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Opera users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/opera-7.54-r3" +
+ + Opera Changelog for 7.54u1 + Opera Changelog for 7.54u2 + CVE-2004-1157 + CVE-2004-1489 + CVE-2004-1490 + CVE-2004-1491 + CVE-2005-0456 + CVE-2005-0457 + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-18.xml b/xml/htdocs/security/en/glsa/glsa-200502-18.xml new file mode 100644 index 00000000..4b586e11 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-18.xml @@ -0,0 +1,72 @@ + + + + + + + VMware Workstation: Untrusted library search path + + VMware may load shared libraries from an untrusted, world-writable + directory, resulting in the execution of arbitrary code. + + VMware + February 14, 2005 + May 25, 2006: 03 + 81344 + local + + + 4.5.2.8848-r5 + 3.2.1.2242-r4 + 4.5.2.8848-r5 + + + +

+ VMware Workstation is a powerful virtual machine for developers and + system administrators. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team has discovered + that VMware Workstation searches for gdk-pixbuf loadable modules in an + untrusted, world-writable directory. +

+
+ +

+ A local attacker could create a malicious shared object that would be + loaded by VMware, resulting in the execution of arbitrary code with the + privileges of the user running VMware. +

+
+ +

+ The system administrator may create the file /tmp/rrdharan to prevent + malicious users from creating a directory at that location: +

+ + # touch /tmp/rrdharan +
+ +

+ All VMware Workstation users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/vmware-workstation-3.2.1.2242-r4" +
+ + CVE-2005-0444 + + + koon + + + koon + + + taviso + +
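Review bot: The workaround `# touch /tmp/rrdharan` succeeds even when an attacker has already created a directory at that path, because touch on an existing directory only updates its timestamp, so the step can complete while the system stays exploitable. The advisory should ask administrators to verify the result, e.g. `ls -ld /tmp/rrdharan` must show a regular file owned by root and not a directory, and should note that the file disappears whenever /tmp is cleaned, so the mitigation has to be reapplied after a reboot. The resolution atom `>=app-emulation/vmware-workstation-3.2.1.2242-r4` also appears to be satisfied by the 4.5.2.8848 ebuilds below -r5 that the affected list marks vulnerable; a second line, `>=app-emulation/vmware-workstation-4.5.2.8848-r5`, for the 4.x slot would make the check match the unaffected list.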
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-19.xml b/xml/htdocs/security/en/glsa/glsa-200502-19.xml new file mode 100644 index 00000000..1eb8528b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-19.xml @@ -0,0 +1,71 @@ + + + + + + + PostgreSQL: Buffer overflows in PL/PgSQL parser + + PostgreSQL is vulnerable to several buffer overflows in the PL/PgSQL parser + leading to execution of arbitrary code. + + postgresql + February 14, 2005 + June 26, 2007: 04 + 81350 + remote + + + 7.3* + 7.4* + 8.0.1-r1 + 7.3.9-r1 + 7.4.13 + 8.0.1-r1 + + + +

+ PostgreSQL is a SQL compliant, open source object-relational database + management system. +

+
+ +

+ PostgreSQL is vulnerable to several buffer overflows in the PL/PgSQL + parser. +

+
+ +

+ A remote attacker could send a malicious query resulting in the + execution of arbitrary code with the permissions of the user running + PostgreSQL. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PostgreSQL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-db/postgresql +
+ + CAN-2005-0247 + + + koon + + + jaervosz + + + koon + +
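Review bot: The impact section says "a remote attacker could send a malicious query", but triggering a PL/PgSQL parser overflow presumably requires a database account able to issue queries, which materially narrows who is exposed; I would write `A remote attacker with a valid database account able to issue queries could ...` unless the referenced bug shows an unauthenticated path. The unaffected 7.3 version here, 7.3.9-r1, is lower than the 7.3.10 that GLSA 200502-08 in this same commit requires a week earlier, so a 7.3 installation can satisfy this advisory while remaining vulnerable to the earlier one. Unless the two revisions were deliberately bumped apart, the 7.3 line should be aligned with 200502-08 or this advisory should cross-reference it.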
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-20.xml b/xml/htdocs/security/en/glsa/glsa-200502-20.xml new file mode 100644 index 00000000..23356905 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-20.xml @@ -0,0 +1,80 @@ + + + + + + + Emacs, XEmacs: Format string vulnerabilities in movemail + + The movemail utility shipped with Emacs and XEmacs contains several format + string vulnerabilities, potentially leading to the execution of arbitrary + code. + + Emacs + February 15, 2005 + July 23, 2006: 02 + 79686 + remote + + + 21.4 + 19 + 21.4 + + + 21.4.15-r3 + 21.4.15-r3 + + + +

+ GNU Emacs and XEmacs are highly extensible and customizable text + editors. movemail is an Emacs utility that can fetch mail on remote + mail servers. +

+
+ +

+ Max Vozeler discovered that the movemail utility contains several + format string errors. +

+
+ +

+ An attacker could set up a malicious POP server and entice a user to + connect to it using movemail, resulting in the execution of arbitrary + code with the rights of the victim user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Emacs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/emacs-21.4" +

+ All XEmacs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/xemacs-21.4.15-r3" +
+ + CAN-2005-0100 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-21.xml b/xml/htdocs/security/en/glsa/glsa-200502-21.xml new file mode 100644 index 00000000..dff9d18d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-21.xml @@ -0,0 +1,69 @@ + + + + + + + lighttpd: Script source disclosure + + An attacker can trick lighttpd into revealing the source of scripts that + should be executed as CGI or FastCGI applications. + + lighttpd + February 15, 2005 + May 22, 2006: 02 + 81776 + remote + + + 1.3.10-r1 + 1.3.10-r1 + + + +

+ lighttpd is a small-footprint, fast, compliant and very flexible + web-server which is optimized for high-performance environments. +

+
+ +

+ lighttpd uses file extensions to determine which elements are programs + that should be executed and which are static pages that should be sent + as-is. By appending %00 to the filename, you can evade the extension + detection mechanism while still accessing the file. +

+
+ +

+ A remote attacker could send specific queries and access the source of + scripts that should have been executed as CGI or FastCGI applications. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All lighttpd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.3.10-r1" +
+ + lighttpd-announce Advisory + CVE-2005-0453 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-22.xml b/xml/htdocs/security/en/glsa/glsa-200502-22.xml new file mode 100644 index 00000000..e87ef06f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-22.xml @@ -0,0 +1,67 @@ + + + + + + + wpa_supplicant: Buffer overflow vulnerability + + wpa_supplicant contains a buffer overflow that could lead to a Denial of + Service. + + wpa_supplicant + February 16, 2005 + May 22, 2006: 02 + 81993 + remote + + + 0.2.7 + 0.2.7 + + + +

+ wpa_supplicant is a WPA Supplicant with support for WPA and WPA2 (IEEE + 802.11i / RSN). +

+
+ +

+ wpa_supplicant contains a possible buffer overflow due to the lacking + validation of received EAPOL-Key frames. +

+
+ +

+ An attacker could cause the crash of wpa_supplicant using a specially + crafted packet. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All wpa_supplicant users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/wpa_supplicant-0.2.7" +
+ + wpa_supplicant Announcement + CVE-2005-0470 + + + jaervosz + + + koon + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-23.xml b/xml/htdocs/security/en/glsa/glsa-200502-23.xml new file mode 100644 index 00000000..46356d48 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-23.xml @@ -0,0 +1,67 @@ + + + + + + + KStars: Buffer overflow in fliccd + + KStars is vulnerable to a buffer overflow that could lead to arbitrary code + execution with elevated privileges. + + kstars + February 16, 2005 + February 16, 2005: 01 + 79585 + remote and local + + + 3.3.2-r1 + 3.3.2-r1 + + + +

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like Operating Systems. KStars is a desktop planetarium for KDE. + It includes support for the Instrument Neutral Distributed Interface + (INDI). +

+
+ +

+ Erik Sjolund discovered a buffer overflow in fliccd which is part + of the INDI support in KStars. +

+
+ +

+ An attacker could exploit this vulnerability to execute code with + elevated privileges. If fliccd does not run as daemon remote + exploitation of this vulnerability is not possible. KDE as shipped by + Gentoo does not start the daemon in the default installation. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All KStars users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdeedu-3.3.2-r1" +
+ + CAN-2005-0011 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-24.xml b/xml/htdocs/security/en/glsa/glsa-200502-24.xml new file mode 100644 index 00000000..095031d9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-24.xml @@ -0,0 +1,71 @@ + + + + + + + Midnight Commander: Multiple vulnerabilities + + Midnight Commander contains several format string errors, buffer overflows + and one buffer underflow leading to execution of arbitrary code. + + mc + February 17, 2005 + February 17, 2005: 01 + 77992 + remote + + + 4.6.0-r13 + 4.6.0-r13 + + + +

+ Midnight Commander is a visual console file manager. +

+
+ +

+ Midnight Commander contains several format string vulnerabilities + (CAN-2004-1004), buffer overflows (CAN-2004-1005), a memory + deallocation error (CAN-2004-1092) and a buffer underflow + (CAN-2004-1176). +

+
+ +

+ An attacker could exploit these vulnerabilities to execute + arbitrary code with the permissions of the user running Midnight + Commander or cause Denial of Service by freeing unallocated memory. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Midnight Commander users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-misc/mc-4.6.0-r13" +
+ + CAN-2004-1004 + CAN-2004-1005 + CAN-2004-1092 + CAN-2004-1176 + + + koon + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-25.xml b/xml/htdocs/security/en/glsa/glsa-200502-25.xml new file mode 100644 index 00000000..eec272b0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-25.xml @@ -0,0 +1,67 @@ + + + + + + + Squid: Denial of Service through DNS responses + + Squid contains a bug in the handling of certain DNS responses resulting in + a Denial of Service. + + Squid + February 18, 2005 + February 18, 2005: 01 + 81997 + remote + + + 2.5.8 + 2.5.8 + + + +

+ Squid is a full-featured Web proxy cache designed to run on + Unix-like systems. It supports proxying and caching of HTTP, FTP, and + other protocols, as well as SSL support, cache hierarchies, transparent + caching, access control lists and many other features. +

+
+ +

+ Handling of certain DNS responses trigger assertion failures. +

+
+ +

+ By returning a specially crafted DNS response an attacker could + cause Squid to crash by triggering an assertion failure. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Squid users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/squid-2.5.8" +
+ + CAN-2005-0446 + + + vorlon078 + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-26.xml b/xml/htdocs/security/en/glsa/glsa-200502-26.xml new file mode 100644 index 00000000..ae2ae8e0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-26.xml @@ -0,0 +1,69 @@ + + + + + + + GProFTPD: gprostats format string vulnerability + + gprostats, distributed with GProFTPD, is vulnerable to a format string + vulnerability, potentially leading to the execution of arbitrary code. + + GProFTPD + February 18, 2005 + May 22, 2006: 02 + 81894 + remote + + + 8.1.9 + 8.1.9 + + + +

+ GProFTPD is a GTK+ administration tool for the ProFTPD server. GProFTPD + is distributed with gprostats, a utility to parse ProFTPD transfer + logs. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team has identified a + format string vulnerability in the gprostats utility. +

+
+ +

+ An attacker could exploit the vulnerability by performing a specially + crafted FTP transfer, the resulting ProFTPD transfer log could + potentially trigger the execution of arbitrary code when parsed by + GProFTPD. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GProFTPD users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/gproftpd-8.1.9" +
+ + CVE-2005-0484 + + + koon + + + taviso + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-27.xml b/xml/htdocs/security/en/glsa/glsa-200502-27.xml new file mode 100644 index 00000000..cde9d261 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-27.xml @@ -0,0 +1,68 @@ + + + + + + + gFTP: Directory traversal vulnerability + + gFTP is vulnerable to directory traversal attacks, possibly leading to the + creation or overwriting of arbitrary files. + + gFTP + February 19, 2005 + February 19, 2005: 01 + 81994 + remote + + + 2.0.18-r1 + 2.0.18-r1 + + + +

+ gFTP is a GNOME based, multi-threaded file transfer client. +

+
+ +

+ gFTP lacks input validation of filenames received by remote + servers. +

+
+ +

+ An attacker could entice a user to connect to a malicious FTP + server and conduct a directory traversal attack by making use of + specially crafted filenames. This could lead to arbitrary files being + created or overwritten. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All gFTP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/gftp-2.0.18-r1" +
+ + gFTP Announcement + CAN-2005-0372 + + + koon + + + vorlon078 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-28.xml b/xml/htdocs/security/en/glsa/glsa-200502-28.xml new file mode 100644 index 00000000..76ea1e1a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-28.xml @@ -0,0 +1,72 @@ + + + + + + + PuTTY: Remote code execution + + PuTTY was found to contain vulnerabilities that can allow a malicious SFTP + server to execute arbitrary code on unsuspecting PSCP and PSFTP clients. + + Putty + February 21, 2005 + February 21, 2005: 01 + 82753 + remote + + + 0.57 + 0.57 + + + +

+ PuTTY is a popular SSH client, PSCP is a secure copy + implementation, and PSFTP is a SSH File Transfer Protocol client. +

+
+ +

+ Two vulnerabilities have been discovered in the PSCP and PSFTP + clients, which can be triggered by the SFTP server itself. These issues + are caused by the improper handling of the FXP_READDIR response, along + with other string fields. +

+
+ +

+ An attacker can setup a malicious SFTP server that would send + these malformed responses to a client, potentially allowing the + execution of arbitrary code on their system. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PuTTY users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/putty-0.57" +
+ + PuTTY vulnerability vuln-sftp-readdir + PuTTY vulnerability vuln-sftp-string + CAN-2005-0467 + iDEFENSE Advisory + + + vorlon078 + + + vorlon078 + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-29.xml b/xml/htdocs/security/en/glsa/glsa-200502-29.xml new file mode 100644 index 00000000..79af3a18 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-29.xml @@ -0,0 +1,70 @@ + + + + + + + Cyrus IMAP Server: Multiple overflow vulnerabilities + + The Cyrus IMAP Server is affected by several overflow vulnerabilities which + could potentially lead to the remote execution of arbitrary code. + + cyrus-imapd + February 23, 2005 + May 22, 2006: 02 + 82404 + remote + + + 2.2.12 + 2.2.12 + + + +

+ The Cyrus IMAP Server is an efficient, highly-scalable IMAP e-mail + server. +

+
+ +

+ Possible single byte overflows have been found in the imapd annotate + extension and mailbox handling code. Furthermore stack buffer overflows + have been found in fetchnews, the backend and imapd. +

+
+ +

+ An attacker, who could be an authenticated user or an admin of a + peering news server, could exploit these vulnerabilities to execute + arbitrary code with the rights of the user running the Cyrus IMAP + Server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cyrus IMAP Server users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.2.12" +
+ + Cyrus IMAP Announcement + CVE-2005-0546 + + + koon + + + vorlon078 + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-30.xml b/xml/htdocs/security/en/glsa/glsa-200502-30.xml new file mode 100644 index 00000000..cbf3d073 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-30.xml @@ -0,0 +1,67 @@ + + + + + + + cmd5checkpw: Local password leak vulnerability + + cmd5checkpw contains a flaw allowing local users to access other users + cmd5checkpw passwords. + + cmd5checkpw + February 25, 2005 + May 22, 2006: 02 + 78256 + local + + + 0.22-r2 + 0.22-r1 + + + +

+ cmd5checkpw is a checkpassword compatible authentication program that + uses CRAM-MD5 authentication mode. +

+
+ +

+ Florian Westphal discovered that cmd5checkpw is installed setuid + cmd5checkpw but does not drop privileges before calling execvp(), so + the invoked program retains the cmd5checkpw euid. +

+
+ +

+ Local users that know at least one valid /etc/poppasswd user/password + combination can read the /etc/poppasswd file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All cmd5checkpw users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/cmd5checkpw-0.22-r2" +
+ + CVE-2005-0580 + + + vorlon078 + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-31.xml b/xml/htdocs/security/en/glsa/glsa-200502-31.xml new file mode 100644 index 00000000..531a5950 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-31.xml @@ -0,0 +1,69 @@ + + + + + + + uim: Privilege escalation vulnerability + + Under certain conditions, applications linked against uim suffer from a + privilege escalation vulnerability. + + uim + February 28, 2005 + February 28, 2005: 01 + 82678 + local + + + 0.4.5.1 + 0.4.5.1 + + + +

+ uim is a simple, secure and flexible input method library. +

+
+ +

+ Takumi Asaki discovered that uim insufficiently checks environment + variables. setuid/setgid applications linked against libuim could end + up executing arbitrary code. This vulnerability only affects + immodule-enabled Qt (if you build Qt 3.3.2 or later versions with + USE="immqt" or USE="immqt-bc"). +

+
+ +

+ A malicious local user could exploit this vulnerability to execute + arbitrary code with escalated privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All uim users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-i18n/uim-0.4.5.1" +
+ + CAN-2005-0503 + uim announcement + + + koon + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-32.xml b/xml/htdocs/security/en/glsa/glsa-200502-32.xml new file mode 100644 index 00000000..5ed247df --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-32.xml @@ -0,0 +1,73 @@ + + + + + + + UnAce: Buffer overflow and directory traversal vulnerabilities + + UnAce is vulnerable to several buffer overflow and directory traversal + attacks. + + unace + February 28, 2005 + February 28, 2005: 01 + 81958 + remote + + + 1.2b-r1 + 1.2b + 2.0 + + + +

+ UnAce is an utility to extract, view and test the contents of an + ACE archive. +

+
+ +

+ Ulf Harnhammar discovered that UnAce suffers from buffer overflows + when testing, unpacking or listing specially crafted ACE archives + (CAN-2005-0160). He also found out that UnAce is vulnerable to + directory traversal attacks, if an archive contains "./.." sequences or + absolute filenames (CAN-2005-0161). +

+
+ +

+ An attacker could exploit the buffer overflows to execute + malicious code or the directory traversals to overwrite arbitrary + files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All UnAce users should upgrade to the latest available 1.2 + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/unace-1.2b-r1" +
+ + CAN-2005-0160 + CAN-2005-0161 + + + vorlon078 + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200502-33.xml b/xml/htdocs/security/en/glsa/glsa-200502-33.xml new file mode 100644 index 00000000..76c36cb1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200502-33.xml @@ -0,0 +1,78 @@ + + + + + + + MediaWiki: Multiple vulnerabilities + + MediaWiki is vulnerable to cross-site scripting, data manipulation and + security bypass attacks. + + mediawiki + February 28, 2005 + February 28, 2005: 01 + 80729 + 82954 + remote + + + 1.3.11 + 1.3.11 + + + +

+ MediaWiki is a collaborative editing software, used by big + projects like Wikipedia. +

+
+ +

+ A security audit of the MediaWiki project discovered that + MediaWiki is vulnerable to several cross-site scripting and cross-site + request forgery attacks, and that the image deletion code does not + sufficiently sanitize input parameters. +

+
+ +

+ By tricking a user to load a carefully crafted URL, a remote + attacker could hijack sessions and authentication cookies to inject + malicious script code that will be executed in a user's browser session + in context of the vulnerable site, or use JavaScript submitted forms to + perform restricted actions. Using the image deletion flaw, it is also + possible for authenticated administrators to delete arbitrary files via + directory traversal. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MediaWiki users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.3.11" +
+ + Secunia Advisory SA14125 + CAN-2005-0534 + CAN-2005-0535 + CAN-2005-0536 + + + vorlon078 + + + koon + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-01.xml b/xml/htdocs/security/en/glsa/glsa-200503-01.xml new file mode 100644 index 00000000..129dc08e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200503-01.xml @@ -0,0 +1,64 @@ + + + + + + + Qt: Untrusted library search path + + Qt may load shared libraries from an untrusted, world-writable directory, + resulting in the execution of arbitrary code. + + qt + March 01, 2005 + May 22, 2006: 02 + 75181 + local + + + 3.3.4-r2 + 3.3.4-r2 + + + +

+ Qt is a cross-platform GUI toolkit used by KDE. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team has discovered + that Qt searches for shared libraries in an untrusted, world-writable + directory. +

+
+ +

+ A local attacker could create a malicious shared object that would be + loaded by Qt, resulting in the execution of arbitrary code with the + privileges of the Qt application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Qt users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/qt-3.3.4-r2" +
+ + CVE-2005-0627 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-02.xml b/xml/htdocs/security/en/glsa/glsa-200503-02.xml new file mode 100644 index 00000000..fd9cfc3d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200503-02.xml @@ -0,0 +1,79 @@ + + + + + + + phpBB: Multiple vulnerabilities + + Several vulnerabilities allow remote attackers to gain phpBB administrator + rights or expose and manipulate sensitive data. + + phpbb + March 01, 2005 + March 01, 2005: 01 + 82955 + local and remote + + + 2.0.13 + 2.0.13 + + + +

+ phpBB is an Open Source bulletin board package. +

+
+ +

+ It was discovered that phpBB contains a flaw in the session + handling code and a path disclosure bug. AnthraX101 discovered that + phpBB allows local users to read arbitrary files, if the "Enable remote + avatars" and "Enable avatar uploading" options are set (CAN-2005-0259). + He also found out that incorrect input validation in + "usercp_avatar.php" and "usercp_register.php" makes phpBB vulnerable to + directory traversal attacks, if the "Gallery avatars" setting is + enabled (CAN-2005-0258). +

+
+ +

+ Remote attackers can exploit the session handling flaw to gain + phpBB administrator rights. By providing a local and a remote location + for an avatar and setting the "Upload Avatar from a URL:" field to + point to the target file, a malicious local user can read arbitrary + local files. By inserting "/../" sequences into the "avatarselect" + parameter, a remote attacker can exploit the directory traversal + vulnerability to delete arbitrary files. A flaw in the "viewtopic.php" + script can be exploited to expose the full path of PHP scripts. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpBB users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/phpBB-2.0.13" +
+ + CAN-2005-0258 + CAN-2005-0259 + phpBB announcement + + + koon + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-03.xml b/xml/htdocs/security/en/glsa/glsa-200503-03.xml new file mode 100644 index 00000000..3c110ced --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200503-03.xml @@ -0,0 +1,70 @@ + + + + + + + Gaim: Multiple Denial of Service issues + + Multiple vulnerabilities have been found in Gaim which could allow a remote + attacker to crash the application. + + gaim + March 01, 2005 + March 01, 2005: 01 + 83253 + remote + + + 1.1.4 + 1.1.4 + + + +

+ Gaim is a full featured instant messaging client which handles a + variety of instant messaging protocols. +

+
+ +

+ Specially crafted SNAC packets sent by other instant-messaging + users can cause Gaim to loop endlessly (CAN-2005-0472). Malformed HTML + code could lead to invalid memory accesses (CAN-2005-0208 and + CAN-2005-0473). +

+
+ +

+ Remote attackers could exploit these issues, resulting in a Denial + of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Gaim users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/gaim-1.1.4" +
+ + CAN-2005-0208 + CAN-2005-0472 + CAN-2005-0473 + + + koon + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-04.xml b/xml/htdocs/security/en/glsa/glsa-200503-04.xml new file mode 100644 index 00000000..8b70d276 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200503-04.xml @@ -0,0 +1,69 @@ + + + + + + + phpWebSite: Arbitrary PHP execution and path disclosure + + Remote attackers can upload and execute arbitrary PHP scripts, another flaw + reveals the full path of scripts. + + phpwebsite + March 01, 2005 + May 22, 2006: 02 + 83297 + remote + + + 0.10.0-r2 + 0.10.0-r2 + + + +

+ phpWebSite provides a complete web site content management system. +

+
+ +

+ NST discovered that, when submitting an announcement, uploaded files + aren't correctly checked for malicious code. They also found out that + phpWebSite is vulnerable to a path disclosure. +

+
+ +

+ A remote attacker can exploit this issue to upload files to a directory + within the web root. By calling the uploaded script the attacker could + then execute arbitrary PHP code with the rights of the web server. By + passing specially crafted requests to the search module, remote + attackers can also find out the full path of PHP scripts. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpWebSite users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/phpwebsite-0.10.0-r2" +
+ + Secunia Advisory SA14399 + phpWebSite announcement + CVE-2005-0565 + CVE-2005-0572 + + + koon + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-05.xml b/xml/htdocs/security/en/glsa/glsa-200503-05.xml new file mode 100644 index 00000000..a7defff6 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200503-05.xml @@ -0,0 +1,85 @@ + + + + + + + xli, xloadimage: Multiple vulnerabilities + + xli and xloadimage are vulnerable to multiple issues, potentially leading + to the execution of arbitrary code. + + xli + March 02, 2005 + May 22, 2006: 02 + 79762 + remote + + + 4.1-r2 + 4.1-r2 + + + 1.17.0-r1 + 1.17.0-r1 + + + +

+ xli and xloadimage are X11 utilities for displaying and manipulating a + wide range of image formats. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team has reported that + xli and xloadimage contain a flaw in the handling of compressed images, + where shell meta-characters are not adequately escaped. Rob Holland of + the Gentoo Linux Security Audit Team has reported that an xloadimage + vulnerability in the handling of Faces Project images discovered by + zen-parse in 2001 remained unpatched in xli. Additionally, it has been + reported that insufficient validation of image properties in xli could + potentially result in buffer management errors. +

+
+ +

+ Successful exploitation would permit a remote attacker to execute + arbitrary shell commands, or arbitrary code with the privileges of the + xloadimage or xli user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xli users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/xli-1.17.0-r1" +

+ All xloadimage users should also upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/xloadimage-4.1-r2" +
+ + CAN-2001-0775 + CVE-2005-0638 + CVE-2005-0639 + + + koon + + + taviso + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-06.xml b/xml/htdocs/security/en/glsa/glsa-200503-06.xml new file mode 100644 index 00000000..eec4b0ec --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200503-06.xml @@ -0,0 +1,67 @@ + + + + + + + BidWatcher: Format string vulnerability + + BidWatcher is vulnerable to a format string vulnerability, potentially + allowing arbitrary code execution. + + bidwatcher + March 03, 2005 + March 03, 2005: 01 + 82460 + remote + + + 1.3.17 + 1.3.17 + + + +

+ BidWatcher is a free auction tool for eBay users to keep track of + their auctions. +

+
+ +

+ Ulf Harnhammar discovered a format string vulnerability in + "netstuff.cpp". +

+
+ +

+ Remote attackers can potentially exploit this vulnerability by + sending specially crafted responses via an eBay HTTP server or a + man-in-the-middle attack to execute arbitrary malicious code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All BidWatcher users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/bidwatcher-1.13.17" +
+ + CAN-2005-0158 + + + koon + + + koon + + + DerCorny + +
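Review bot: The package atom in this advisory's resolution step, `>=net-misc/bidwatcher-1.13.17`, does not match the unaffected version stated in the header of the same file (1.3.17); the extra digit presumably names a version that has no ebuild, so the upgrade command as written would not pull in the fixed package. The line should read `# emerge --ask --oneshot --verbose ">=net-misc/bidwatcher-1.3.17"`. Since the commit imports the whole advisory set at once, a cross-check between each file's unaffected version and the version in its resolution atom would catch this kind of drift across the batch rather than leaving it to readers of the advisory.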
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-07.xml b/xml/htdocs/security/en/glsa/glsa-200503-07.xml new file mode 100644 index 00000000..6b4e54cf --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200503-07.xml @@ -0,0 +1,83 @@ + + + + + + + phpMyAdmin: Multiple vulnerabilities + + phpMyAdmin contains multiple vulnerabilities that could lead to command + execution, XSS issues and bypass of security restrictions. + + phpMyAdmin + March 03, 2005 + May 22, 2006: 02 + 83190 + 83792 + remote + + + 2.6.1_p2-r1 + 2.6.1_p2-r1 + + + +

+ phpMyAdmin is a tool written in PHP intended to handle the + administration of MySQL databases from a web-browser. +

+
+ +

+ phpMyAdmin contains several security issues: +

+
    +
  • Maksymilian Arciemowicz has discovered multiple variable injection + vulnerabilities that can be exploited through "$cfg" and "GLOBALS" + variables and localized strings
  • +
  • It is possible to force phpMyAdmin to disclose information in error + messages
  • +
  • Failure to correctly escape special characters
  • +
+
+ +

+ By sending a specially-crafted request, an attacker can include and + execute arbitrary PHP code or cause path information disclosure. + Furthermore the XSS issue allows an attacker to inject malicious script + code, potentially compromising the victim's browser. Lastly the + improper escaping of special characters results in unintended privilege + settings for MySQL. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpMyAdmin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.1_p2-r1" +
+ + PMASA-2005-1 + PMASA-2005-2 + phpMyAdmin bug 1113788 + CVE-2005-0543 + CVE-2005-0544 + CVE-2005-0653 + + + koon + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-08.xml b/xml/htdocs/security/en/glsa/glsa-200503-08.xml new file mode 100644 index 00000000..d51300e8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200503-08.xml @@ -0,0 +1,82 @@ + + + + + + + OpenMotif, LessTif: New libXpm buffer overflows + + A new vulnerability has been discovered in libXpm, which is included in + OpenMotif and LessTif, that can potentially lead to remote code execution. + + openmotif + March 04, 2005 + March 04, 2005: 01 + 83655 + 83656 + remote + + + 2.2.3-r3 + 2.1.30-r9 + 2.2.3-r3 + + + 0.94.0-r2 + 0.94.0-r2 + + + +

+ LessTif is a clone of OSF/Motif, which is a standard user + interface toolkit available on Unix and Linux. OpenMotif also provides + a free version of the Motif toolkit for open source applications. +

+
+ +

+ Chris Gilbert discovered potentially exploitable buffer overflow + cases in libXpm that weren't fixed in previous libXpm security + advisories. +

+
+ +

+ A carefully-crafted XPM file could crash applications making use + of the OpenMotif or LessTif toolkits, potentially allowing the + execution of arbitrary code with the privileges of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenMotif users should upgrade to an unaffected version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose x11-libs/openmotif +

+ All LessTif users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/lesstif-0.94.0-r2" +
+ + CAN-2005-0605 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-09.xml b/xml/htdocs/security/en/glsa/glsa-200503-09.xml new file mode 100644 index 00000000..8cf107bb --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200503-09.xml @@ -0,0 +1,66 @@ + + + + + + + xv: Filename handling vulnerability + + xv contains a format string vulnerability, potentially resulting in the + execution of arbitrary code. + + xv + March 04, 2005 + May 22, 2006: 02 + 83686 + remote + + + 3.10a-r10 + 3.10a-r10 + + + +

+ xv is an interactive image manipulation package for X11. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw + in the handling of image filenames by xv. +

+
+ +

+ Successful exploitation would require a victim to process a specially + crafted image with a malformed filename, potentially resulting in the + execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xv users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/xv-3.10a-r10" +
+ + CVE-2005-0665 + + + koon + + + taviso + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-10.xml b/xml/htdocs/security/en/glsa/glsa-200503-10.xml new file mode 100644 index 00000000..09165f36 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200503-10.xml @@ -0,0 +1,141 @@ + + + + + + + Mozilla Firefox: Various vulnerabilities + + Mozilla Firefox is vulnerable to a local file deletion issue and to various + issues allowing to trick the user into trusting fake web sites or + interacting with privileged content. + + Firefox + March 04, 2005 + March 04, 2005: 01 + 83267 + remote and local + + + 1.0.1 + 1.0.1 + + + 1.0.1 + 1.0.1 + + + +

+ Mozilla Firefox is the popular next-generation browser from the + Mozilla project. +

+
+ +

+ The following vulnerabilities were found and fixed in Mozilla + Firefox: +

+
    +
  • Michael Krax reported that plugins can be used + to load privileged content and trick the user to interact with it + (CAN-2005-0232, CAN-2005-0527)
  • +
  • Michael Krax also reported + potential spoofing or cross-site-scripting issues through overlapping + windows, image drag-and-drop, and by dropping javascript: links on tabs + (CAN-2005-0230, CAN-2005-0231, CAN-2005-0591)
  • +
  • Daniel de Wildt + and Gael Delalleau discovered a memory overwrite in a string library + (CAN-2005-0255)
  • +
  • Wind Li discovered a possible heap overflow in + UTF8 to Unicode conversion (CAN-2005-0592)
  • +
  • Eric Johanson + reported that Internationalized Domain Name (IDN) features allow + homograph attacks (CAN-2005-0233)
  • +
  • Mook, Doug Turner, Kohei + Yoshino and M. Deaudelin reported various ways of spoofing the SSL + "secure site" indicator (CAN-2005-0593)
  • +
  • Matt Brubeck reported + a possible Autocomplete data leak (CAN-2005-0589)
  • +
  • Georgi + Guninski discovered that XSLT can include stylesheets from arbitrary + hosts (CAN-2005-0588)
  • +
  • Secunia discovered a way of injecting + content into a popup opened by another website (CAN-2004-1156)
  • +
  • Phil Ringnalda reported a possible way to spoof Install source with + user:pass@host (CAN-2005-0590)
  • +
  • Jakob Balle from Secunia + discovered a possible way of spoofing the Download dialog source + (CAN-2005-0585)
  • +
  • Christian Schmidt reported a potential + spoofing issue in HTTP auth prompt tab (CAN-2005-0584)
  • +
  • Andreas + Sanblad from Secunia discovered a possible way of spoofing the Download + dialog using the Content-Disposition header (CAN-2005-0586)
  • +
  • Finally, Tavis Ormandy of the Gentoo Linux Security Audit Team + discovered that Firefox insecurely creates temporary filenames in + /tmp/plugtmp (CAN-2005-0578)
  • +
+
+ +
    +
  • By setting up malicious websites and convincing users to + follow untrusted links or obey very specific drag-and-drop or download + instructions, attackers may leverage the various spoofing issues to + fake other websites to get access to confidential information, push + users to download malicious files or make them interact with their + browser preferences.
  • +
  • The temporary directory issue allows + local attackers to overwrite arbitrary files with the rights of another + local user.
  • +
  • The overflow issues, while not thought to be + exploitable, may allow a malicious downloaded page to execute arbitrary + code with the rights of the user viewing the page.
  • +
+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.1" +

+ All Firefox binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.1" +
+ + CAN-2004-1156 + CAN-2005-0230 + CAN-2005-0231 + CAN-2005-0232 + CAN-2005-0233 + CAN-2005-0255 + CAN-2005-0527 + CAN-2005-0578 + CAN-2005-0584 + CAN-2005-0585 + CAN-2005-0586 + CAN-2005-0588 + CAN-2005-0589 + CAN-2005-0590 + CAN-2005-0591 + CAN-2005-0592 + CAN-2005-0593 + Mozilla Security Advisories + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-11.xml b/xml/htdocs/security/en/glsa/glsa-200503-11.xml new file mode 100644 index 00000000..469e3865 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200503-11.xml @@ -0,0 +1,66 @@ + + + + + + + ImageMagick: Filename handling vulnerability + + A format string vulnerability exists in ImageMagick that may allow an + attacker to execute arbitrary code. + + ImageMagick + March 06, 2005 + May 22, 2006: 02 + 83542 + remote + + + 6.2.0.4 + 6.2.0.4 + + + +

+ ImageMagick is a collection of tools and libraries for manipulating a + wide variety of image formats. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team has identified a + flaw in the handling of filenames by the ImageMagick utilities. +

+
+ +

+ Successful exploitation may disrupt web applications that depend on + ImageMagick for image processing, potentially executing arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ImageMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.2.0.4" +
+ + CVE-2005-0397 + + + koon + + + taviso + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-12.xml b/xml/htdocs/security/en/glsa/glsa-200503-12.xml
new file mode 100644
index 00000000..339c99e0
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-12.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Hashcash: Format string vulnerability
+
+ A format string vulnerability in the Hashcash utility could allow an
+ attacker to execute arbitrary code.
+
+ Hashcash
+ March 06, 2005
+ May 22, 2006: 02
+ 83541
+ remote
+
+
+ 1.16-r1
+ 1.16-r1
+
+
+
+

+ Hashcash is a utility for generating Hashcash tokens, a proof-of-work + system to reduce the impact of spam. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw + in the Hashcash utility that an attacker could expose by specifying a + malformed reply address. +

+
+ +

+ Successful exploitation would permit an attacker to disrupt Hashcash + users, and potentially execute arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Hashcash users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/hashcash-1.16-r1" +
+ + CVE-2005-0687 + + + koon + + + taviso + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-13.xml b/xml/htdocs/security/en/glsa/glsa-200503-13.xml
new file mode 100644
index 00000000..574616c9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-13.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ mlterm: Integer overflow vulnerability
+
+ mlterm is vulnerable to an integer overflow, which could potentially allow
+ the execution of arbitrary code.
+
+ mlterm
+ March 07, 2005
+ May 22, 2006: 02
+ 84174
+ remote
+
+
+ 2.9.2
+ 2.9.2
+
+
+
+

+ mlterm is a multi-lingual terminal emulator. +

+
+ +

+ mlterm is vulnerable to an integer overflow that can be triggered by + specifying a large image file as a background. This only effects users + that have compiled mlterm with the 'gtk' USE flag, which enables + gdk-pixbuf support. +

+
+ +

+ An attacker can create a specially-crafted image file which, when used + as a background by the victim, can lead to the execution of arbitrary + code with the privileges of the user running mlterm. +

+
+ +

+ Re-compile mlterm without the 'gtk' USE flag. +

+
+ +

+ All mlterm users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/mlterm-2.9.2" +
+ + mlterm ChangeLog + CVE-2005-0686 + + + koon + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-14.xml b/xml/htdocs/security/en/glsa/glsa-200503-14.xml
new file mode 100644
index 00000000..f7588ac1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-14.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ KDE dcopidlng: Insecure temporary file creation
+
+ The dcopidlng script is vulnerable to symlink attacks, potentially allowing
+ a local user to overwrite arbitrary files.
+
+ dcopidlng
+ March 07, 2005
+ March 07, 2005: 01
+ 81652
+ local
+
+
+ 3.3.2-r5
+ 3.2.3-r7
+ 3.3.2-r5
+
+
+
+

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like Operating Systems. DCOP is KDE's simple IPC/RPC mechanism. + dcopidlng is a DCOP helper script. +

+
+ +

+ Davide Madrisan has discovered that the dcopidlng script creates + temporary files in a world-writable directory with predictable names. +

+
+ +

+ A local attacker could create symbolic links in the temporary + files directory, pointing to a valid file somewhere on the filesystem. + When dcopidlng is executed, this would result in the file being + overwritten with the rights of the user running the utility, which + could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All kdelibs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose kde-base/kdelibs +
+ + CAN-2005-0365 + + + jaervosz + + + koon + +
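Review bot: The resolution's emerge line `# emerge --ask --oneshot --verbose kde-base/kdelibs` carries no version atom, so it only pulls whatever kdelibs the user's keywords currently allow and does not guarantee one of the unaffected versions the header names (3.3.2-r5 and 3.2.3-r7, as far as the stripped markup shows). Every other advisory in this commit pins the fix as `">=category/pkg-version"`; this one should do the same, e.g. `# emerge --ask --oneshot --verbose ">=kde-base/kdelibs-3.3.2-r5"`, with a second atom for the 3.2.3-r7 branch if that slot is meant to stay supported. As written, a user whose tree has the fixed version masked can run the command, see no change, and believe the symlink issue is closed.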
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-15.xml b/xml/htdocs/security/en/glsa/glsa-200503-15.xml
new file mode 100644
index 00000000..3cfa1c03
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-15.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ X.org: libXpm vulnerability
+
+ A new vulnerability has been discovered in libXpm, which is included in
+ X.org, that can potentially lead to remote code execution.
+
+ X.org
+ March 12, 2005
+ March 12, 2005: 02
+ 83598
+ remote
+
+
+ 6.8.0-r5
+ 6.8.2-r1
+ 6.8.2-r1
+
+
+
+

+ libXpm is a pixmap manipulation library for the X Window System, + included in X.org. +

+
+ +

+ Chris Gilbert has discovered potentially exploitable buffer overflow + cases in libXpm that weren't fixed in previous libXpm versions. +

+
+ +

+ A carefully-crafted XPM file could crash X.org, potentially allowing + the execution of arbitrary code with the privileges of the user running + the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All X.org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose x11-base/xorg-x11 +
+ + CAN-2005-0605 + Freedesktop bug + + + koon + + + SeJo + + + jaervosz + +
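Review bot: The resolution line `# emerge --ask --oneshot --verbose x11-base/xorg-x11` has no version constraint, although the header lists 6.8.0-r5 and 6.8.2-r1 as the unaffected versions (range attributes are lost in this rendering, so the exact bounds are inferred). Without an atom such as `">=x11-base/xorg-x11-6.8.2-r1"` the command may leave a user on a vulnerable build whenever the fixed ebuild is not keyworded for their arch, and nothing in the advisory tells them to verify the installed version afterwards. Pinning the atom, as the libexif and Ethereal advisories in this same commit do, makes the instruction unambiguous.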
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-16.xml b/xml/htdocs/security/en/glsa/glsa-200503-16.xml
new file mode 100644
index 00000000..997e18ad
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-16.xml
@@ -0,0 +1,78 @@
+
+
+
+
+
+
+ Ethereal: Multiple vulnerabilities
+
+ Multiple vulnerabilities exist in Ethereal, which may allow an attacker to
+ run arbitrary code or crash the program.
+
+ ethereal
+ March 12, 2005
+ May 22, 2006: 03
+ 84547
+ remote
+
+
+ 0.10.10
+ 0.10.10
+
+
+
+

+ Ethereal is a feature rich network protocol analyzer. +

+
+ +

+ There are multiple vulnerabilities in versions of Ethereal earlier than + 0.10.10, including: +

+
    +
  • The Etheric, 3GPP2 A11 and IAPP dissectors are vulnerable to buffer + overflows (CAN-2005-0704, CAN-2005-0699 and CAN-2005-0739).
  • +
  • The GPRS-LLC could crash when the "ignore cipher bit" option is + enabled (CAN-2005-0705).
  • +
  • Various vulnerabilities in JXTA and sFlow dissectors.
  • +
+
+ +

+ An attacker might be able to use these vulnerabilities to crash + Ethereal and execute arbitrary code with the permissions of the user + running Ethereal, which could be the root user. +

+
+ +

+ For a temporary workaround you can disable all affected protocol + dissectors. However, it is strongly recommended that you upgrade to the + latest stable version. +

+
+ +

+ All Ethereal users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.10.10" +
+ + CAN-2005-0699 + CAN-2005-0704 + CAN-2005-0705 + CAN-2005-0739 + CVE-2005-0765 + CVE-2005-0766 + Ethereal enpa-sa-00018 + + + jaervosz + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-17.xml b/xml/htdocs/security/en/glsa/glsa-200503-17.xml
new file mode 100644
index 00000000..1ca48ac6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-17.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ libexif: Buffer overflow vulnerability
+
+ libexif fails to validate certain inputs, making it vulnerable to buffer
+ overflows.
+
+ libexif
+ March 12, 2005
+ March 12, 2005: 01
+ 84076
+ remote
+
+
+ 0.5.12-r1
+ 0.5.12-r1
+
+
+
+

+ libexif is a library for parsing, editing and saving EXIF data. +

+
+ +

+ libexif contains a buffer overflow vulnerability in the EXIF tag + validation code. When opening an image with a specially crafted EXIF + tag, the lack of validation can cause applications linked to libexif to + crash. +

+
+ +

+ A specially crafted EXIF file could crash applications making use + of libexif, potentially allowing the execution of arbitrary code with + the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libexif users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libexif-0.5.12-r1" +
+ + CAN-2005-0664 + + + vorlon078 + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-18.xml b/xml/htdocs/security/en/glsa/glsa-200503-18.xml
new file mode 100644
index 00000000..d35ceadf
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-18.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Ringtone Tools: Buffer overflow vulnerability
+
+ The Ringtone Tools utilities contain a buffer overflow vulnerability,
+ potentially leading to the execution of arbitrary code.
+
+ ringtonetools
+ March 15, 2005
+ March 15, 2005: 01
+ 74700
+ remote
+
+
+ 2.23
+ 2.23
+
+
+
+

+ Ringtone Tools is a program for creating ringtones and logos for + mobile phones. +

+
+ +

+ Qiao Zhang has discovered a buffer overflow vulnerability in the + 'parse_emelody' function in 'parse_emelody.c'. +

+
+ +

+ A remote attacker could entice a Ringtone Tools user to open a + specially crafted eMelody file, which would potentially lead to the + execution of arbitrary code with the rights of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ringtone Tools users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-mobilephone/ringtonetools-2.23" +
+ + CAN-2004-1292 + + + lewk + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-19.xml b/xml/htdocs/security/en/glsa/glsa-200503-19.xml
new file mode 100644
index 00000000..e21f5bcd
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-19.xml
@@ -0,0 +1,72 @@
+
+
+
+
+
+
+ MySQL: Multiple vulnerabilities
+
+ MySQL contains several vulnerabilities potentially leading to the
+ overwriting of local files or to the execution of arbitrary code.
+
+ mysql
+ March 16, 2005
+ March 16, 2005: 02
+ 84819
+ remote and local
+
+
+ 4.0.24
+ 4.0.24
+
+
+
+

+ MySQL is a fast, multi-threaded, multi-user SQL database server. +

+
+ +

+ MySQL fails to properly validate input for authenticated users with + INSERT and DELETE privileges (CAN-2005-0709 and CAN-2005-0710). + Furthermore MySQL uses predictable filenames when creating temporary + files with CREATE TEMPORARY TABLE (CAN-2005-0711). +

+
+ +

+ An attacker with INSERT and DELETE privileges could exploit this to + manipulate the mysql table or accessing libc calls, potentially leading + to the execution of arbitrary code with the permissions of the user + running MySQL. An attacker with CREATE TEMPORARY TABLE privileges could + exploit this to overwrite arbitrary files via a symlink attack. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MySQL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mysql-4.0.24" +
+ + CAN-2005-0709 + CAN-2005-0710 + CAN-2005-0711 + + + jaervosz + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-20.xml b/xml/htdocs/security/en/glsa/glsa-200503-20.xml
new file mode 100644
index 00000000..cb837b14
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-20.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ curl: NTLM response buffer overflow
+
+ curl is vulnerable to a buffer overflow which could lead to the execution
+ of arbitrary code.
+
+ curl
+ March 16, 2005
+ March 16, 2005: 01
+ 82534
+ remote
+
+
+ 7.13.1
+ 7.13.1
+
+
+
+

+ curl is a command line tool for transferring files via many + different protocols. +

+
+ +

+ curl fails to properly check boundaries when handling NTLM + authentication. +

+
+ +

+ With a malicious server an attacker could send a carefully crafted + NTLM response to a connecting client leading to the execution of + arbitrary code with the permissions of the user running curl. +

+
+ +

+ Disable NTLM authentication by not using the --anyauth or --ntlm + options. +

+
+ +

+ All curl users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/curl-7.13.1" +
+ + CAN-2005-0490 + + + vorlon078 + + + lewk + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-21.xml b/xml/htdocs/security/en/glsa/glsa-200503-21.xml
new file mode 100644
index 00000000..85940d48
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-21.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Grip: CDDB response overflow
+
+ Grip contains a buffer overflow that can be triggered by a large CDDB
+ response, potentially allowing the execution of arbitrary code.
+
+ grip
+ March 17, 2005
+ March 17, 2005: 01
+ 84704
+ remote
+
+
+ 3.3.0
+ 3.3.0
+
+
+
+

+ Grip is a GTK+ based audio CD player/ripper. +

+
+ +

+ Joseph VanAndel has discovered a buffer overflow in Grip when + processing large CDDB results. +

+
+ +

+ A malicious CDDB server could cause Grip to crash by returning + more then 16 matches, potentially allowing the execution of arbitrary + code with the privileges of the user running the application. +

+
+ +

+ Disable automatic CDDB queries, but we highly encourage users to + upgrade to 3.3.0. +

+
+ +

+ All Grip users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/grip-3.3.0" +
+ + CAN-2005-0706 + Original Bug Report + + + koon + + + lewk + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-22.xml b/xml/htdocs/security/en/glsa/glsa-200503-22.xml
new file mode 100644
index 00000000..dd0a6d59
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-22.xml
@@ -0,0 +1,64 @@
+
+
+
+
+
+
+ KDE: Local Denial of Service
+
+ KDE is vulnerable to a local Denial of Service attack.
+
+ kde, dcopserver
+ March 19, 2005
+ March 19, 2005: 01
+ 83814
+ local
+
+
+ 3.3.2-r7
+ 3.2.3-r8
+ 3.3.2-r7
+
+
+
+

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like Operating Systems. DCOP is KDE's simple IPC/RPC mechanism. +

+
+ +

+ Sebastian Krahmer discovered that it is possible to stall the + dcopserver of other users. +

+
+ +

+ An attacker could exploit this to cause a local Denial of Service + by stalling the dcopserver in the authentication process. As a result + all desktop functionality relying on DCOP will cease to function. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All kdelibs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose kde-base/kdelibs +
+ + CAN-2005-0396 + + + jaervosz + + + jaervosz + +
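Review bot: The resolution again uses an unversioned atom, `# emerge --ask --oneshot --verbose kde-base/kdelibs`, while the header names 3.3.2-r7 and 3.2.3-r8 as the unaffected versions; the command therefore does not by itself ensure the dcopserver fix is installed. This is the second kdelibs advisory in this commit with the same gap (200503-14 is the other), and a reader who already ran that earlier command will reasonably assume they are covered here too. Use `">=kde-base/kdelibs-3.3.2-r7"` (plus the 3.2.3-r8 atom for the older slot, if it is still supported) so the two advisories can be told apart by the version they require.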
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-23.xml b/xml/htdocs/security/en/glsa/glsa-200503-23.xml
new file mode 100644
index 00000000..2fdcf3e1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-23.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ rxvt-unicode: Buffer overflow
+
+ rxvt-unicode is vulnerable to a buffer overflow that could lead to the
+ execution of arbitrary code.
+
+ rxvt-unicode
+ March 20, 2005
+ March 20, 2005: 01
+ 84680
+ remote
+
+
+ 5.3
+ 4.8
+ 5.3
+
+
+
+

+ rxvt-unicode is a clone of the well known terminal emulator rxvt. +

+
+ +

+ Rob Holland of the Gentoo Linux Security Audit Team discovered + that rxvt-unicode fails to properly check input length. +

+
+ +

+ Successful exploitation would allow an attacker to execute + arbitrary code with the permissions of the user running rxvt-unicode. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All rxvt-unicode users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/rxvt-unicode-5.3" +
+ + CAN-2005-0764 + + + koon + + + lewk + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-24.xml b/xml/htdocs/security/en/glsa/glsa-200503-24.xml
new file mode 100644
index 00000000..9d7b495b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-24.xml
@@ -0,0 +1,63 @@
+
+
+
+
+
+
+ LTris: Buffer overflow
+
+ LTris is vulnerable to a buffer overflow which could lead to the execution
+ of arbitrary code.
+
+ LTris
+ March 20, 2005
+ March 20, 2005: 01
+ 85770
+ local
+
+
+ 1.0.10
+ 1.0.10
+
+
+
+

+ LTris is a Tetris clone. +

+
+ +

+ LTris is vulnerable to a buffer overflow when reading the global + highscores file. +

+
+ +

+ By modifying the global highscores file a malicious user could + trick another user to execute arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All LTris users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-puzzle/ltris-1.0.10" +
+ + + koon + + + koon + + + jaervosz + +
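Review bot: The references block at the end of this file is empty apart from the three handler names, so the LTris highscore overflow carries no CVE/CAN identifier and no upstream link, unlike every other advisory in this commit. Anyone correlating GLSAs with NVD, a vendor tracker, or the LTris changelog has only the Gentoo bug number in the header (85770) to go on. If an identifier was assigned it should be added here; if none exists, a changelog reference of the kind the mlterm and Sylpheed advisories carry would at least let a reader confirm what 1.0.10 actually fixed.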
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-25.xml b/xml/htdocs/security/en/glsa/glsa-200503-25.xml
new file mode 100644
index 00000000..5e2d7ff1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-25.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ OpenSLP: Multiple buffer overflows
+
+ Multiple buffer overflows have been found in OpenSLP, which could lead to
+ the remote execution of arbitrary code.
+
+ OpenSLP
+ March 20, 2005
+ May 22, 2006: 02
+ 85347
+ remote
+
+
+ 1.2.1
+ 1.2.1
+
+
+
+

+ OpenSLP is an open-source implementation of Service Location Protocol + (SLP). +

+
+ +

+ Multiple buffer overflows have been found in OpenSLP, when handling + malformed SLP packets. +

+
+ +

+ By sending specially crafted SLP packets, a remote attacker could + potentially execute arbitrary code with the rights of the OpenSLP + daemon. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSLP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/openslp-1.2.1" +
+ + SUSE Security Announcement + CVE-2005-0769 + + + lewk + + + formula7 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-26.xml b/xml/htdocs/security/en/glsa/glsa-200503-26.xml
new file mode 100644
index 00000000..bb90e1a4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-26.xml
@@ -0,0 +1,79 @@
+
+
+
+
+
+
+ Sylpheed, Sylpheed-claws: Message reply overflow
+
+ Sylpheed and Sylpheed-claws contain a vulnerability that can be triggered
+ when replying to specially crafted messages.
+
+ sylpheed sylpheed-claws
+ March 20, 2005
+ March 20, 2005: 01
+ 84056
+ remote
+
+
+ 1.0.3
+ 1.0.3
+
+
+
+ 1.0.3
+ 1.0.3
+
+
+
+

+ Sylpheed is a lightweight email client and newsreader. + Sylpheed-claws is a 'bleeding edge' version of Sylpheed. +

+
+ +

+ Sylpheed and Sylpheed-claws fail to properly handle non-ASCII + characters in email headers when composing reply messages. +

+
+ +

+ An attacker can send an email containing a malicious non-ASCII + header which, when replied to, would cause the program to crash, + potentially allowing the execution of arbitrary code with the + privileges of the user running the software. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Sylpheed users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/sylpheed-1.0.3" +

+ All Sylpheed-claws users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/sylpheed-claws-1.0.3" +
+ + Sylpheed ChangeLog + CAN-2005-0667 + + + koon + + + lewk + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-27.xml b/xml/htdocs/security/en/glsa/glsa-200503-27.xml
new file mode 100644
index 00000000..27657f95
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-27.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Xzabite dyndnsupdate: Multiple vulnerabilities
+
+ Xzabite's dyndnsupdate software suffers from multiple vulnerabilities,
+ potentially resulting in the remote execution of arbitrary code.
+
+ dyndnsupdate
+ March 21, 2005
+ May 22, 2006: 02
+ 84659
+ remote
+
+
+ 0.6.15
+
+
+
+

+ dyndnsupdate is a dyndns.org data updater written by Fredrik "xzabite" + Haglund. +

+
+ +

+ Toby Dickenson discovered that dyndnsupdate suffers from multiple + overflows. +

+
+ +

+ A remote attacker, posing as a dyndns.org server, could execute + arbitrary code with the rights of the user running dyndnsupdate. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Currently, there is no released version of dyndnsupdate that contains a + fix for these issues. The original xzabite.org distribution site is + dead, the code contains several other problems and more secure + alternatives exist, such as the net-dns/ddclient package. Therefore, + the dyndnsupdate package has been hard-masked prior to complete removal + from Portage, and current users are advised to unmerge the package: +

+ + # emerge --unmerge net-misc/dyndnsupdate +
+ + CVE-2005-0830 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-28.xml b/xml/htdocs/security/en/glsa/glsa-200503-28.xml
new file mode 100644
index 00000000..3d6a8d81
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-28.xml
@@ -0,0 +1,84 @@
+
+
+
+
+
+
+ Sun Java: Web Start argument injection vulnerability
+
+ Java Web Start JNLP files can be abused to evade sandbox restriction and
+ execute arbitrary code.
+
+ Java
+ March 24, 2005
+ May 22, 2006: 02
+ 85804
+ remote
+
+
+ 1.4.2.07
+ 1.4.2
+ 1.4.2.07
+
+
+
+ 1.4.2.07
+ 1.4.2
+ 1.4.2.07
+
+
+
+

+ Sun provides implementations of Java Development Kits (JDK) and Java + Runtime Environments (JRE). These implementations provide the Java Web + Start technology that can be used for easy client-side deployment of + Java applications. +

+
+ +

+ Jouko Pynnonen discovered that Java Web Start contains a vulnerability + in the way it handles property tags in JNLP files. +

+
+ +

+ By enticing a user to open a malicious JNLP file, a remote attacker + could pass command line arguments to the Java Virtual machine, which + can be used to bypass the Java "sandbox" and to execute arbitrary code + with the permissions of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Sun JDK users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.4.2.07" +

+ All Sun JRE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.4.2.07" +
+ + Jouko Pynnonen advisory + Sun Microsystems Alert Notification + CVE-2005-0836 + + + koon + + + koon + + + formula7 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-29.xml b/xml/htdocs/security/en/glsa/glsa-200503-29.xml
new file mode 100644
index 00000000..e912b503
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-29.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ GnuPG: OpenPGP protocol attack
+
+ Automated systems using GnuPG may leak plaintext portions of an encrypted
+ message.
+
+ GnuPG
+ March 24, 2005
+ March 24, 2005: 01
+ 85547
+ remote
+
+
+ 1.4.1
+ 1.4.1
+
+
+
+

+ GnuPG is complete and free replacement for PGP, a tool for secure + communication and data storage. +

+
+ +

+ A flaw has been identified in an integrity checking mechanism of + the OpenPGP protocol. +

+
+ +

+ An automated system using GnuPG that allows an attacker to + repeatedly discover the outcome of an integrity check (perhaps by + observing the time required to return a response, or via overly verbose + error messages) could theoretically reveal a small portion of + plaintext. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GnuPG users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.1" +
+ + CERT VU#303094 + CAN-2005-0366 + + + koon + + + taviso + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-30.xml b/xml/htdocs/security/en/glsa/glsa-200503-30.xml
new file mode 100644
index 00000000..432af8db
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-30.xml
@@ -0,0 +1,140 @@
+
+
+
+
+
+
+ Mozilla Suite: Multiple vulnerabilities
+
+ The Mozilla Suite is vulnerable to multiple issues ranging from the remote
+ execution of arbitrary code to various issues allowing to trick the user
+ into trusting fake web sites or interacting with privileged content.
+
+ Mozilla
+ March 25, 2005
+ March 25, 2005: 01
+ 84074
+ remote and local
+
+
+ 1.7.6
+ 1.7.6
+
+
+
+ 1.7.6
+ 1.7.6
+
+
+
+

+ The Mozilla Suite is a popular all-in-one web browser that + includes a mail and news reader. +

+
+ +

+ The following vulnerabilities were found and fixed in the Mozilla + Suite: +

+
    +
  • Mark Dowd from ISS X-Force reported an exploitable + heap overrun in the GIF processing of obsolete Netscape extension 2 + (CAN-2005-0399)
  • +
  • Michael Krax reported that plugins can be used + to load privileged content and trick the user to interact with it + (CAN-2005-0232, CAN-2005-0527)
  • +
  • Michael Krax also reported + potential spoofing or cross-site-scripting issues through overlapping + windows, image or scrollbar drag-and-drop, and by dropping javascript: + links on tabs (CAN-2005-0230, CAN-2005-0231, CAN-2005-0401, + CAN-2005-0591)
  • +
  • Daniel de Wildt and Gael Delalleau discovered a + memory overwrite in a string library (CAN-2005-0255)
  • +
  • Wind Li + discovered a possible heap overflow in UTF8 to Unicode conversion + (CAN-2005-0592)
  • +
  • Eric Johanson reported that Internationalized + Domain Name (IDN) features allow homograph attacks (CAN-2005-0233)
  • +
  • Mook, Doug Turner, Kohei Yoshino and M. Deaudelin reported various + ways of spoofing the SSL "secure site" indicator (CAN-2005-0593)
  • +
  • Georgi Guninski discovered that XSLT can include stylesheets from + arbitrary hosts (CAN-2005-0588)
  • +
  • Secunia discovered a way of + injecting content into a popup opened by another website + (CAN-2004-1156)
  • +
  • Phil Ringnalda reported a possible way to + spoof Install source with user:pass@host (CAN-2005-0590)
  • +
  • Jakob + Balle from Secunia discovered a possible way of spoofing the Download + dialog source (CAN-2005-0585)
  • +
  • Christian Schmidt reported a + potential spoofing issue in HTTP auth prompt tab (CAN-2005-0584)
  • +
  • Finally, Tavis Ormandy of the Gentoo Linux Security Audit Team + discovered that Mozilla insecurely creates temporary filenames in + /tmp/plugtmp (CAN-2005-0578)
  • +
+
+ +
    +
  • The GIF heap overflow could be triggered by a malicious GIF + image that would end up executing arbitrary code with the rights of the + user running Mozilla. The other overflow issues, while not thought to + be exploitable, would have the same impact
  • +
  • By setting up + malicious websites and convincing users to follow untrusted links or + obey very specific drag-and-drop or download instructions, attackers + may leverage the various spoofing issues to fake other websites to get + access to confidential information, push users to download malicious + files or make them interact with their browser preferences
  • +
  • The + temporary directory issue allows local attackers to overwrite arbitrary + files with the rights of another local user
  • +
+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Suite users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.6" +

+ All Mozilla Suite binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.6" +
+ + CAN-2004-1156 + CAN-2005-0230 + CAN-2005-0231 + CAN-2005-0232 + CAN-2005-0233 + CAN-2005-0255 + CAN-2005-0399 + CAN-2005-0401 + CAN-2005-0527 + CAN-2005-0578 + CAN-2005-0584 + CAN-2005-0585 + CAN-2005-0588 + CAN-2005-0590 + CAN-2005-0591 + CAN-2005-0592 + CAN-2005-0593 + Mozilla Security Advisories + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-31.xml b/xml/htdocs/security/en/glsa/glsa-200503-31.xml
new file mode 100644
index 00000000..507fafb8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-31.xml
@@ -0,0 +1,99 @@
+
+
+
+
+
+
+ Mozilla Firefox: Multiple vulnerabilities
+
+ Mozilla Firefox 1.0.2 fixes new security vulnerabilities, including the
+ remote execution of arbitrary code through malicious GIF images or
+ sidebars.
+
+ Firefox
+ March 25, 2005
+ March 25, 2005: 01
+ 86148
+ remote
+
+
+ 1.0.2
+ 1.0.2
+
+
+
+ 1.0.2
+ 1.0.2
+
+
+
+

+ Mozilla Firefox is the popular next-generation browser from the + Mozilla project. +

+
+ +

+ The following vulnerabilities were found and fixed in Mozilla + Firefox: +

+
    +
  • Mark Dowd from ISS X-Force reported an + exploitable heap overrun in the GIF processing of obsolete Netscape + extension 2 (CAN-2005-0399)
  • +
  • Kohei Yoshino discovered that a + page bookmarked as a sidebar could bypass privileges control + (CAN-2005-0402)
  • +
  • Michael Krax reported a new way to bypass XUL + security restrictions through drag-and-drop of items like scrollbars + (CAN-2005-0401)
  • +
+
+ +
    +
  • The GIF heap overflow could be triggered by a malicious GIF + image that would end up executing arbitrary code with the rights of the + user running Firefox
  • +
  • By tricking the user into bookmarking a + malicious page as a Sidebar, a remote attacker could potentially + execute arbitrary code with the rights of the user running the + browser
  • +
  • By setting up a malicious website and convincing users + to obey very specific drag-and-drop instructions, attackers may + leverage drag-and-drop features to bypass XUL security restrictions, + which could be used as a stepping stone to exploit other + vulnerabilities
  • +
+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.2" +

+ All Mozilla Firefox binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.2" +
+ + CAN-2005-0399 + CAN-2005-0401 + CAN-2005-0402 + Mozilla Security Advisories + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-32.xml b/xml/htdocs/security/en/glsa/glsa-200503-32.xml
new file mode 100644
index 00000000..b7db2ae7
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-32.xml
@@ -0,0 +1,95 @@
+
+
+
+
+
+
+ Mozilla Thunderbird: Multiple vulnerabilities
+
+ Mozilla Thunderbird is vulnerable to multiple issues, including the remote
+ execution of arbitrary code through malicious GIF images.
+
+ Thunderbird
+ March 25, 2005
+ March 25, 2005: 01
+ 84075
+ remote
+
+
+ 1.0.2
+ 1.0.2
+
+
+
+ 1.0.2
+ 1.0.2
+
+
+
+

+ Mozilla Thunderbird is the next-generation mail client from the + Mozilla project. +

+
+ +

+ The following vulnerabilities were found and fixed in Mozilla + Thunderbird: +

+
    +
  • Mark Dowd from ISS X-Force reported an + exploitable heap overrun in the GIF processing of obsolete Netscape + extension 2 (CAN-2005-0399)
  • +
  • Daniel de Wildt and Gael Delalleau + discovered a memory overwrite in a string library (CAN-2005-0255)
  • +
  • Wind Li discovered a possible heap overflow in UTF8 to Unicode + conversion (CAN-2005-0592)
  • +
  • Phil Ringnalda reported a possible + way to spoof Install source with user:pass@host (CAN-2005-0590)
  • +
+
+ +

+ The GIF heap overflow could be triggered by a malicious GIF image + that would end up executing arbitrary code with the rights of the user + running Thunderbird. The other overflow issues, while not thought to be + exploitable, would have the same impact. Furthermore, by setting up + malicious websites and convincing users to follow untrusted links, + attackers may leverage the spoofing issue to trick user into installing + malicious extensions. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Thunderbird users should upgrade to the latest + version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.0.2"
+

+ All Mozilla Thunderbird binary users should upgrade to the + latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.0.2"
+
+
+ CAN-2005-0255
+ CAN-2005-0399
+ CAN-2005-0590
+ CAN-2005-0592
+ Mozilla Security Advisories
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-33.xml b/xml/htdocs/security/en/glsa/glsa-200503-33.xml
new file mode 100644
index 00000000..ab867d39
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-33.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ IPsec-Tools: racoon Denial of Service
+
+ IPsec-Tools' racoon is affected by a remote Denial of Service vulnerability.
+
+ IPsec-Tools
+ March 25, 2005
+ March 25, 2005: 01
+ 84479
+ remote
+
+
+ 0.4-r1
+ 0.5-r1
+ 0.5-r1
+
+
+

+ IPsec-Tools is a port of KAME's implementation of the IPsec + utilities. It contains a collection of network monitoring tools, + including racoon, ping, and ping6. +

+
+
+

+ Sebastian Krahmer has reported a potential remote Denial of + Service vulnerability in the ISAKMP header parsing code of racoon. +

+
+
+

+ An attacker could possibly cause a Denial of Service of racoon + using a specially crafted ISAKMP packet. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All IPsec-Tools users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-firewall/ipsec-tools-0.4-r1"
+
+
+ CAN-2005-0398
+ ipsec-tools-devel posting
+
+
+ jaervosz
+
+
+ koon
+
+
+ vorlon078
+
+
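Review bot: The background paragraph of this advisory misdescribes the affected component: it calls IPsec-Tools "a collection of network monitoring tools, including racoon, ping, and ping6", whereas racoon is the IKE key-management daemon that parses incoming ISAKMP headers — the very code path the description says is vulnerable. Readers assessing exposure need to know this is a network-facing daemon, not a monitoring utility. I would rewrite that sentence to `IPsec-Tools is a port of KAME's implementation of the IPsec utilities; it includes racoon, the IKE (ISAKMP) key-management daemon.` and drop the ping/ping6 mention unless the package really ships them.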
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-34.xml b/xml/htdocs/security/en/glsa/glsa-200503-34.xml
new file mode 100644
index 00000000..e5a80789
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-34.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ mpg321: Format string vulnerability
+
+ A flaw in the processing of ID3 tags in mpg321 could potentially lead to
+ the execution of arbitrary code.
+
+ mpg321
+ March 28, 2005
+ March 28, 2005: 01
+ 86033
+ remote
+
+
+ 0.2.10-r2
+ 0.2.10-r2
+
+
+

+ mpg321 is a GPL replacement for mpg123, a command line audio + player with support for ID3. ID3 is a tagging system that allows + metadata to be embedded within media files. +

+
+
+

+ A routine security audit of the mpg321 package revealed a known + security issue remained unpatched. The vulnerability is a result of + mpg321 printing embedded ID3 data to the console in an unsafe manner. +

+
+
+

+ Successful exploitation would require a victim to play a specially + crafted audio file using mpg321, potentially resulting in the execution + of arbitrary code. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All mpg321 users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-sound/mpg321-0.2.10-r2"
+
+
+ CVE-2003-0969
+
+
+ koon
+
+
+ taviso
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-35.xml b/xml/htdocs/security/en/glsa/glsa-200503-35.xml
new file mode 100644
index 00000000..7979683f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-35.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ Smarty: Template vulnerability
+
+ Smarty's "Template security" feature can be bypassed, potentially allowing
+ a remote attacker to execute arbitrary PHP code.
+
+ smarty
+ March 30, 2005
+ May 22, 2006: 03
+ 86488
+ remote
+
+
+ 2.6.9
+ 2.6.9
+
+
+

+ Smarty is a template engine for PHP. The "template security" feature of + Smarty is designed to help reduce the risk of a system compromise when + you have untrusted parties editing templates. +

+
+
+

+ A vulnerability has been discovered within the regex_replace modifier + of the Smarty templates when allowing access to untrusted users. + Furthermore, it was possible to call functions from {if} statements and + {math} functions. +

+
+
+

+ These issues may allow a remote attacker to bypass the "template + security" feature of Smarty, and execute arbitrary PHP code. +

+
+
+

+ Do not grant template access to untrusted users. +

+
+
+

+ All Smarty users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-php/smarty-2.6.9"
+
+
+ Smarty ChangeLog
+ CVE-2005-0913
+
+
+ koon
+
+
+ koon
+
+
+ lewk
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-36.xml b/xml/htdocs/security/en/glsa/glsa-200503-36.xml
new file mode 100644
index 00000000..aa843928
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-36.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ netkit-telnetd: Buffer overflow
+
+ The netkit-telnetd telnet client is vulnerable to a buffer overflow, which
+ could allow a malicious telnet server operator to execute arbitrary code.
+
+ netkit-telnetd
+ March 31, 2005
+ March 31, 2005: 01
+ 87211
+ remote
+
+
+ 0.17-r6
+ 0.17-r6
+
+
+

+ netkit-telnetd provides standard Linux telnet client and server. +

+
+
+

+ A buffer overflow has been identified in the slc_add_reply() + function of netkit-telnetd client, where a large number of SLC commands + can overflow a fixed size buffer. +

+
+
+

+ Successful explotation would require a vulnerable user to connect + to an attacker-controlled host using telnet, potentially executing + arbitrary code with the permissions of the telnet user. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All netkit-telnetd users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/netkit-telnetd-0.17-r6"
+
+
+ CAN-2005-0469
+ iDEFENSE Advisory 03-28-05
+
+
+ koon
+
+
+ formula7
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200503-37.xml b/xml/htdocs/security/en/glsa/glsa-200503-37.xml
new file mode 100644
index 00000000..e90b5bde
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200503-37.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ LimeWire: Disclosure of sensitive information
+
+ Two vulnerabilities in LimeWire can be exploited to disclose sensitive
+ information.
+
+ LimeWire
+ March 31, 2005
+ March 31, 2005: 01
+ 85380
+ remote
+
+
+ 4.8.1
+ 4.8.1
+
+
+

+ LimeWire is a Java peer-to-peer client compatible with the + Gnutella file-sharing protocol. +

+
+
+

+ Two input validation errors were found in the handling of Gnutella + GET requests (CAN-2005-0788) and magnet requests (CAN-2005-0789). +

+
+
+

+ A remote attacker can craft a specific Gnutella GET request or use + directory traversal on magnet requests to read arbitrary files on the + system with the rights of the user running LimeWire. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All LimeWire users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-p2p/limewire-4.8.1"
+
+
+ CAN-2005-0788
+ CAN-2005-0789
+ Secunia Advisory SA14555
+
+
+ koon
+
+
+ koon
+
+
+ formula7
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-01.xml b/xml/htdocs/security/en/glsa/glsa-200504-01.xml
new file mode 100644
index 00000000..965f3802
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-01.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ telnet-bsd: Multiple buffer overflows
+
+ The telnet-bsd telnet client is vulnerable to two buffer overflows, which
+ could allow a malicious telnet server operator to execute arbitrary code.
+
+ telnet
+ April 01, 2005
+ April 01, 2005: 01
+ 87019
+ remote
+
+
+ 1.0-r1
+ 1.0-r1
+
+
+

+ telnet-bsd provides a command line telnet client which is used for + remote login using the telnet protocol. +

+
+
+

+ A buffer overflow has been identified in the env_opt_add() + function of telnet-bsd, where a response requiring excessive escaping + can cause a heap-based buffer overflow. Another issue has been + identified in the slc_add_reply() function, where a large number of SLC + commands can overflow a fixed size buffer. +

+
+
+

+ Successful exploitation would require a vulnerable user to connect + to an attacker-controlled host using telnet, potentially executing + arbitrary code with the permissions of the telnet user. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All telnet-bsd users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/telnet-bsd-1.0-r1"
+
+
+ CAN-2005-0468
+ IDEF0867
+ CAN-2005-0469
+ IDEF0866
+
+
+ koon
+
+
+ taviso
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-02.xml b/xml/htdocs/security/en/glsa/glsa-200504-02.xml
new file mode 100644
index 00000000..3064cc7e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-02.xml
@@ -0,0 +1,75 @@
+
+
+
+
+
+
+ Sylpheed, Sylpheed-claws: Buffer overflow on message display
+
+ Sylpheed and Sylpheed-claws contain a vulnerability that can be triggered
+ when displaying messages with specially crafted attachments.
+
+ sylpheed
+ April 02, 2005
+ April 02, 2005: 01
+ 86541
+ remote
+
+
+ 1.0.4
+ 1.0.4
+
+
+ 1.0.4
+ 1.0.4
+
+
+

+ Sylpheed is a lightweight email client and newsreader. + Sylpheed-claws is a 'bleeding edge' version of Sylpheed. +

+
+
+

+ Sylpheed and Sylpheed-claws fail to properly handle messages + containing attachments with MIME-encoded filenames. +

+
+
+

+ An attacker can send a malicious email message which, when + displayed, would cause the program to crash, potentially allowing the + execution of arbitrary code with the privileges of the user running the + software. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All Sylpheed users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/sylpheed-1.0.4"
+

+ All Sylpheed-claws users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/sylpheed-claws-1.0.4"
+
+
+ Sylpheed ChangeLog
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-03.xml b/xml/htdocs/security/en/glsa/glsa-200504-03.xml
new file mode 100644
index 00000000..124868bc
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-03.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ Dnsmasq: Poisoning and Denial of Service vulnerabilities
+
+ Dnsmasq is vulnerable to DNS cache poisoning attacks and a potential Denial
+ of Service from the local network.
+
+ Dnsmasq
+ April 04, 2005
+ April 04, 2005: 01
+ 86718
+ remote
+
+
+ 2.22
+ 2.22
+
+
+

+ Dnsmasq is a lightweight and easily-configurable DNS forwarder and + DHCP server. +

+
+
+

+ Dnsmasq does not properly detect that DNS replies received do not + correspond to any DNS query that was sent. Rob Holland of the Gentoo + Linux Security Audit team also discovered two off-by-one buffer + overflows that could crash DHCP lease files parsing. +

+
+
+

+ A remote attacker could send malicious answers to insert arbitrary + DNS data into the Dnsmasq cache. These attacks would in turn help an + attacker to perform man-in-the-middle and site impersonation attacks. + The buffer overflows might allow an attacker on the local network to + crash Dnsmasq upon restart. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All Dnsmasq users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-dns/dnsmasq-2.22"
+
+
+ Dnsmasq Changelog
+
+
+ jaervosz
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-04.xml b/xml/htdocs/security/en/glsa/glsa-200504-04.xml
new file mode 100644
index 00000000..a9cf3065
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-04.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ mit-krb5: Multiple buffer overflows in telnet client
+
+ The mit-krb5 telnet client is vulnerable to two buffer overflows, which
+ could allow a malicious telnet server operator to execute arbitrary code.
+
+ telnet
+ April 06, 2005
+ April 06, 2005: 01
+ 87145
+ remote
+
+
+ 1.3.6-r2
+ 1.3.6-r2
+
+
+

+ The MIT Kerberos 5 implementation provides a command line telnet + client which is used for remote login via the telnet protocol. +

+
+
+

+ A buffer overflow has been identified in the env_opt_add() + function, where a response requiring excessive escaping can cause a + heap-based buffer overflow. Another issue has been identified in the + slc_add_reply() function, where a large number of SLC commands can + overflow a fixed size buffer. +

+
+
+

+ Successful exploitation would require a vulnerable user to connect + to an attacker-controlled telnet host, potentially executing arbitrary + code with the permissions of the telnet user on the client. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All mit-krb5 users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.3.6-r2"
+
+
+ CAN-2005-0468
+ CAN-2005-0469
+ MITKRB5-SA-2005-001
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-05.xml b/xml/htdocs/security/en/glsa/glsa-200504-05.xml
new file mode 100644
index 00000000..77b2cd07
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-05.xml
@@ -0,0 +1,76 @@
+
+
+
+
+
+
+ Gaim: Denial of Service issues
+
+ Gaim contains multiple vulnerabilities that can lead to a Denial of
+ Service.
+
+ Gaim
+ April 06, 2005
+ April 06, 2005: 03
+ 87903
+ remote
+
+
+ 1.2.1
+ 1.2.1
+
+
+

+ Gaim is a full featured instant messaging client which handles a + variety of instant messaging protocols. +

+
+
+

+ Multiple vulnerabilities have been addressed in the latest release of + Gaim: +

+
  • A buffer overread in the gaim_markup_strip_html() function,
+ which is used when logging conversations (CAN-2005-0965).
  • +
  • Markup tags are improperly escaped using Gaim's IRC plugin
+ (CAN-2005-0966).
  • +
  • Sending a specially crafted file transfer request to a Gaim Jabber
+ user can trigger a crash (CAN-2005-0967).
  • +
+
+
+

+ An attacker could possibly cause a Denial of Service by exploiting any + of these vulnerabilities. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All Gaim users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-im/gaim-1.2.1"
+
+
+ CAN-2005-0967
+ CAN-2005-0966
+ CAN-2005-0965
+ Gaim Vulnerability Index
+
+
+ koon
+
+
+ lewk
+
+
+ lewk
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-06.xml b/xml/htdocs/security/en/glsa/glsa-200504-06.xml
new file mode 100644
index 00000000..95b23ebe
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-06.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ sharutils: Insecure temporary file creation
+
+ The unshar utility is vulnerable to symlink attacks, potentially allowing a
+ local user to overwrite arbitrary files.
+
+ sharutils
+ April 06, 2005
+ April 06, 2005: 01
+ 87939
+ local
+
+
+ 4.2.1-r11
+ 4.2.1-r11
+
+
+

+ sharutils is a collection of tools to deal with shar archives. +

+
+
+

+ Joey Hess has discovered that the program unshar, which is a part + of sharutils, creates temporary files in a world-writable directory + with predictable names. +

+
+
+

+ A local attacker could create symbolic links in the temporary + files directory, pointing to a valid file somewhere on the filesystem. + When unshar is executed, this would result in the file being + overwritten with the rights of the user running the utility, which + could be the root user. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All sharutils users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/sharutils-4.2.1-r11"
+
+
+ Ubuntu Advisory
+
+
+ koon
+
+
+ lewk
+
+
+ lewk
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-07.xml b/xml/htdocs/security/en/glsa/glsa-200504-07.xml
new file mode 100644
index 00000000..8c7b385b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-07.xml
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+ GnomeVFS, libcdaudio: CDDB response overflow
+
+ The GnomeVFS and libcdaudio libraries contain a buffer overflow that can be
+ triggered by a large CDDB response, potentially allowing the execution of
+ arbitrary code.
+
+ GnomeVFS
+ April 08, 2005
+ April 13, 2005: 02
+ 84936
+ remote
+
+
+ 2.8.4-r1
+ 1.0.5-r4
+ 2.8.4-r1
+
+
+ 0.99.10-r1
+ 0.99.10-r1
+
+
+

+ GnomeVFS is a filesystem abstraction library for the GNOME desktop + environment. libcdaudio is a multi-platform CD player development + library. They both include code to query CDDB servers to get Audio CD + track titles. +

+
+
+

+ Joseph VanAndel has discovered a buffer overflow in Grip when + processing large CDDB results (see GLSA 200503-21). The same overflow + is present in GnomeVFS and libcdaudio code. +

+
+
+

+ A malicious CDDB server could cause applications making use of GnomeVFS + or libcdaudio libraries to crash, potentially allowing the execution of + arbitrary code with the privileges of the user running the application. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All GnomeVFS users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose gnome-base/gnome-vfs
+

+ All libcdaudio users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libcdaudio-0.99.10-r1"
+
+
+ CAN-2005-0706
+ GLSA 200503-21
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-08.xml b/xml/htdocs/security/en/glsa/glsa-200504-08.xml
new file mode 100644
index 00000000..cac48fc4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-08.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ phpMyAdmin: Cross-site scripting vulnerability
+
+ phpMyAdmin is vulnerable to a cross-site scripting attack.
+
+ phpMyAdmin
+ April 11, 2005
+ May 22, 2006: 02
+ 87952
+ remote
+
+
+ 2.6.2_rc1
+ 2.6.2_rc1
+
+
+

+ phpMyAdmin is a tool written in PHP intended to handle the + administration of MySQL databases from a web-browser. +

+
+
+

+ Oriol Torrent Santiago has discovered that phpMyAdmin fails to validate + input to the "convcharset" variable, rendering it vulnerable to + cross-site scripting attacks. +

+
+
+

+ By sending a specially-crafted request, an attacker can inject and + execute malicious script code, potentially compromising the victim's + browser. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All phpMyAdmin users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.2_rc1"
+
+
+ PMASA-2005-3
+ CVE-2005-0992
+
+
+ lewk
+
+
+ lewk
+
+
+ lewk
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-09.xml b/xml/htdocs/security/en/glsa/glsa-200504-09.xml
new file mode 100644
index 00000000..0f95f1d5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-09.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Axel: Vulnerability in HTTP redirection handling
+
+ A buffer overflow vulnerability has been found in Axel which could lead to
+ the execution of arbitrary code.
+
+ Axel
+ April 12, 2005
+ April 12, 2005: 01
+ 88264
+ remote
+
+
+ 1.0b
+ 1.0b
+
+
+

+ Axel is a console-based FTP/HTTP download accelerator. +

+
+
+

+ A possible buffer overflow has been reported in the HTTP + redirection handling code in conn.c. +

+
+
+

+ A remote attacker could exploit this vulnerability by setting up a + malicious site and enticing a user to connect to it. This could + possibly lead to the execution of arbitrary code with the permissions + of the user running Axel. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All Axel users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/axel-1.0b"
+
+
+ CAN-2005-0390
+
+
+ koon
+
+
+ vorlon078
+
+
+ vorlon078
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-10.xml b/xml/htdocs/security/en/glsa/glsa-200504-10.xml
new file mode 100644
index 00000000..3d422a9e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-10.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ Gld: Remote execution of arbitrary code
+
+ Gld contains several serious vulnerabilities, potentially resulting in the
+ execution of arbitrary code as the root user.
+
+ Gld
+ April 13, 2005
+ May 22, 2006: 02
+ 88904
+ remote
+
+
+ 1.5
+ 1.4
+
+
+

+ Gld is a standalone greylisting server for Postfix. +

+
+
+

+ dong-hun discovered several buffer overflows in server.c, as well as + several format string vulnerabilities in cnf.c. +

+
+
+

+ An attacker could exploit this vulnerability to execute arbitrary code + with the permissions of the user running Gld, the default user being + root. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All Gld users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-filter/gld-1.5"
+
+
+ SecurityTracker ID 1013678
+ CVE-2005-1099
+ CVE-2005-1100
+
+
+ jaervosz
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-11.xml b/xml/htdocs/security/en/glsa/glsa-200504-11.xml
new file mode 100644
index 00000000..7a0e4ce6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-11.xml
@@ -0,0 +1,74 @@
+
+
+
+
+
+
+ JunkBuster: Multiple vulnerabilities
+
+ JunkBuster is vulnerable to a heap corruption vulnerability, and under
+ certain configurations may allow an attacker to modify settings.
+
+ junkbuster
+ April 13, 2005
+ April 21, 2005: 02
+ 88537
+ remote
+
+
+ 2.0.2-r3
+ 2.0.2-r3
+
+
+

+ JunkBuster is a filtering HTTP proxy, designed to enhance privacy and + remove unwanted content. +

+
+
+

+ James Ranson reported a vulnerability when JunkBuster is configured to + run in single-threaded mode, an attacker can modify the referrer + setting by getting a victim to request a specially crafted URL + (CAN-2005-1108). Tavis Ormandy of the Gentoo Linux Security Audit Team + identified a heap corruption issue in the filtering of URLs + (CAN-2005-1109). +

+
+
+

+ If JunkBuster has been configured to run in single-threaded mode, an + attacker can disable or modify the filtering of Referrer: HTTP headers, + potentially compromising the privacy of users. The heap corruption + vulnerability could crash or disrupt the operation of the proxy, + potentially executing arbitrary code. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All JunkBuster users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-proxy/junkbuster-2.0.2-r3"
+
+
+ CAN-2005-1108
+ CAN-2005-1109
+
+
+ jaervosz
+
+
+ taviso
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-12.xml b/xml/htdocs/security/en/glsa/glsa-200504-12.xml
new file mode 100644
index 00000000..2d10a790
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-12.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ rsnapshot: Local privilege escalation
+
+ rsnapshot allows a local user to take ownership of local files, resulting
+ in privilege escalation.
+
+ rsnapshot
+ April 13, 2005
+ December 30, 2007: 05
+ 88681
+ local
+
+
+ 1.2.1
+ 1.1.7
+ 1.2.1
+
+
+

+ rsnapshot is a filesystem snapshot utility based on rsync, allowing + local and remote systems backups. +

+
+
+

+ The copy_symlink() subroutine in rsnapshot follows symlinks when + changing file ownership, instead of changing the ownership of the + symlink itself. +

+
+
+

+ Under certain circumstances, local attackers can exploit this + vulnerability to take ownership of arbitrary files, resulting in local + privilege escalation. +

+
+
+

+ The copy_symlink() subroutine is not called if the cmd_cp parameter has + been enabled. +

+
+
+

+ All rsnapshot users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose app-backup/rsnapshot
+
+
+ rsnapshot Security Advisory 001
+ CVE-2005-1064
+
+
+ koon
+
+
+ lewk
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-13.xml b/xml/htdocs/security/en/glsa/glsa-200504-13.xml
new file mode 100644
index 00000000..5418c862
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-13.xml
@@ -0,0 +1,102 @@
+
+
+
+
+
+
+ OpenOffice.Org: DOC document Heap Overflow
+
+ OpenOffice.Org is vulnerable to a heap overflow when processing DOC
+ documents, which could lead to arbitrary code execution.
+
+ OpenOffice
+ April 15, 2005
+ May 08, 2005: 02
+ 88863
+ remote
+
+
+ 1.1.4-r1
+ 1.1.4-r1
+
+
+ 1.1.4-r1
+ 1.1.4-r1
+
+
+ 1.3.9-r1
+ 1.3.6-r1
+ 1.3.7-r1
+ 1.3.9-r1
+
+
+

+ OpenOffice.org is an office productivity suite, including word + processing, spreadsheets, presentations, drawings, data charting, + formula editing, and file conversion facilities. +

+
+
+

+ AD-LAB has discovered a heap overflow in the "StgCompObjStream::Load()" + function when processing DOC documents. +

+
+
+

+ An attacker could design a malicious DOC document containing a + specially crafted header which, when processed by OpenOffice.Org, would + result in the execution of arbitrary code with the rights of the user + running the application. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All OpenOffice.Org users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-office/openoffice-1.1.4-r1"
+

+ All OpenOffice.Org binary users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-1.1.4-r1"
+

+ All OpenOffice.Org Ximian users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose app-office/openoffice-ximian
+

+ Note to PPC users: There is no stable OpenOffice.Org fixed version for + the PPC architecture. Affected users should switch to the latest + OpenOffice.Org Ximian version. +

+

+ Note to SPARC users: There is no stable OpenOffice.Org fixed version + for the SPARC architecture. Affected users should switch to the latest + OpenOffice.Org Ximian version. +

+
+
+ OpenOffice.Org Issue 46388
+ CAN-2005-0941
+
+
+ koon
+
+
+ formula7
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-14.xml b/xml/htdocs/security/en/glsa/glsa-200504-14.xml
new file mode 100644
index 00000000..56df3467
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-14.xml
@@ -0,0 +1,74 @@
+
+
+
+
+
+
+ monkeyd: Multiple vulnerabilities
+
+ Format string and Denial of Service vulnerabilities have been discovered in
+ the monkeyd HTTP server, potentially resulting in the execution of
+ arbitrary code.
+
+ monkeyd
+ April 15, 2005
+ May 22, 2006: 02
+ 87916
+ remote
+
+
+ 0.9.1
+ 0.9.1
+
+
+

+ monkeyd is a fast, efficient, small and easy to configure web server + for Linux. +

+
+
+

+ Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a + double expansion error in monkeyd, resulting in a format string + vulnerability. Ciaran McCreesh of Gentoo Linux discovered a Denial of + Service vulnerability, a syntax error caused monkeyd to zero out + unallocated memory should a zero byte file be requested. +

+
+
+

+ The format string vulnerability could allow an attacker to send a + specially crafted request to the monkeyd server, resulting in the + execution of arbitrary code with the permissions of the user running + monkeyd. The DoS vulnerability could allow an attacker to disrupt the + operation of the web server, should a zero byte file be accessible. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All monkeyd users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-servers/monkeyd-0.9.1"
+
+
+ CVE-2005-1122
+ CVE-2005-1123
+
+
+ koon
+
+
+ taviso
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-15.xml b/xml/htdocs/security/en/glsa/glsa-200504-15.xml
new file mode 100644
index 00000000..389eaa23
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-15.xml
@@ -0,0 +1,97 @@
+
+
+
+
+
+
+ PHP: Multiple vulnerabilities
+
+ Several vulnerabilities were found and fixed in PHP image handling
+ functions, potentially resulting in Denial of Service conditions or the
+ remote execution of arbitrary code.
+
+ PHP
+ April 18, 2005
+ April 18, 2005: 01
+ 87517
+ remote
+
+
+ 4.3.11
+ 4.3.11
+
+
+ 4.3.11
+ 4.3.11
+
+
+ 4.3.11
+ 4.3.11
+
+
+

+ PHP is a general-purpose scripting language widely used to develop + web-based applications. It can run inside a web server using the + mod_php module or the CGI version of PHP, or can run stand-alone in a + CLI. +

+
+
+

+ An integer overflow and an unbound recursion were discovered in + the processing of Image File Directory tags in PHP's EXIF module + (CAN-2005-1042, CAN-2005-1043). Furthermore, two infinite loops have + been discovered in the getimagesize() function when processing IFF or + JPEG images (CAN-2005-0524, CAN-2005-0525). +

+
+
+

+ A remote attacker could craft an image file with a malicious EXIF + IFD tag, a large IFD nesting level or invalid size parameters and send + it to a web application that would process this user-provided image + using one of the affected functions. This could result in denying + service on the attacked server and potentially executing arbitrary code + with the rights of the web server. +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All PHP users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-php/php-4.3.11"
+

+ All mod_php users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-php/mod_php-4.3.11"
+

+ All php-cgi users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-php/php-cgi-4.3.11"
+
+
+ PHP 4.3.11 Release Announcement
+ CAN-2005-0524
+ CAN-2005-0525
+ CAN-2005-1042
+ CAN-2005-1043
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-16.xml b/xml/htdocs/security/en/glsa/glsa-200504-16.xml
new file mode 100644
index 00000000..8260ae6f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-16.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ CVS: Multiple vulnerabilities
+
+ Several serious vulnerabilities have been found in CVS, which may allow an
+ attacker to remotely compromise a CVS server or cause a DoS.
+
+ CVS
+ April 18, 2005
+ April 22, 2005: 03
+ 86476
+ 89579
+ remote
+
+
+ 1.11.20
+ 1.11.20
+
+
+

+ CVS (Concurrent Versions System) is an open-source network-transparent + version control system. It contains both a client utility and a server. +

+
+
+

+ Alen Zukich has discovered several serious security issues in CVS, + including at least one buffer overflow (CAN-2005-0753), memory leaks + and a NULL pointer dereferencing error. Furthermore when launching + trigger scripts CVS includes a user controlled directory. +

+
+
+

+ An attacker could exploit these vulnerabilities to cause a Denial of + Service or execute arbitrary code with the permissions of the CVS + pserver or the authenticated user (depending on the connection method + used). +

+
+
+

+ There is no known workaround at this time. +

+
+
+

+ All CVS users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-util/cvs-1.11.20"
+
+
+ CAN-2005-0753
+
+
+ jaervosz
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-17.xml b/xml/htdocs/security/en/glsa/glsa-200504-17.xml
new file mode 100644
index 00000000..4df93fac
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200504-17.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ XV: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been discovered in XV, potentially resulting
+ in the execution of arbitrary code.
+
+ xv
+ April 19, 2005
+ April 19, 2005: 01
+ 88742
+ remote
+
+
+ 3.10a-r11
+ 3.10a-r11
+
+
+

+ XV is an interactive image manipulation program for the X Window + System. +

+
+
+

+ Greg Roelofs has reported multiple input validation errors in XV + image decoders. Tavis Ormandy of the Gentoo Linux Security Audit Team + has reported insufficient validation in the PDS (Planetary Data System) + image decoder, format string vulnerabilities in the TIFF and PDS + decoders, and insufficient protection from shell meta-characters in + malformed filenames. +

+
+ +

+ Successful exploitation would require a victim to view a specially + created image file using XV, potentially resulting in the execution of + arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All XV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/xv-3.10a-r11" +
+ + + koon + + + taviso + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-18.xml b/xml/htdocs/security/en/glsa/glsa-200504-18.xml new file mode 100644 index 00000000..54f324ad --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200504-18.xml @@ -0,0 +1,137 @@ + + + + + + + Mozilla Firefox, Mozilla Suite: Multiple vulnerabilities + + New Mozilla Firefox and Mozilla Suite releases fix new security + vulnerabilities, including memory disclosure and various ways of executing + JavaScript code with elevated privileges. + + Mozilla + April 19, 2005 + May 22, 2006: 02 + 89303 + 89305 + remote + + + 1.0.3 + 1.0.3 + + + 1.0.3 + 1.0.3 + + + 1.7.7 + 1.7.7 + + + 1.7.7 + 1.7.7 + + + +

+ The Mozilla Suite is a popular all-in-one web browser that includes a + mail and news reader. Mozilla Firefox is the next-generation browser + from the Mozilla project. +

+
+ +

+ The following vulnerabilities were found and fixed in the Mozilla Suite + and Mozilla Firefox: +

+
    +
  • Vladimir V. Perepelitsa reported a memory disclosure bug in + JavaScript's regular expression string replacement when using an + anonymous function as the replacement argument (CAN-2005-0989).
  • +
  • moz_bug_r_a4 discovered that Chrome UI code was overly trusting DOM + nodes from the content window, allowing privilege escalation via DOM + property overrides.
  • +
  • Michael Krax reported a possibility to run JavaScript code with + elevated privileges through the use of javascript: favicons.
  • +
  • Michael Krax also discovered that malicious Search plugins could + run JavaScript in the context of the displayed page or stealthily + replace existing search plugins.
  • +
  • shutdown discovered a technique to pollute the global scope of a + window in a way that persists from page to page.
  • +
  • Doron Rosenberg discovered a possibility to run JavaScript with + elevated privileges when the user asks to "Show" a blocked popup that + contains a JavaScript URL.
  • +
  • Finally, Georgi Guninski reported missing Install object instance + checks in the native implementations of XPInstall-related JavaScript + objects.
  • +
+

+ The following Firefox-specific vulnerabilities have also been + discovered: +

+
    +
  • Kohei Yoshino discovered a new way to abuse the sidebar panel to + execute JavaScript with elevated privileges.
  • +
  • Omar Khan reported that the Plugin Finder Service can be tricked to + open javascript: URLs with elevated privileges.
  • +
+
+ +

+ The various JavaScript execution with elevated privileges issues can be + exploited by a remote attacker to install malicious code or steal data. + The memory disclosure issue can be used to reveal potentially sensitive + information. Finally, the cache pollution issue and search plugin abuse + can be leveraged in cross-site-scripting attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.3" +

+ All Mozilla Firefox binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.3" +

+ All Mozilla Suite users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.7" +

+ All Mozilla Suite binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.7" +
+ + Mozilla Security Advisories + CAN-2005-0989 + CVE-2005-1153 + CVE-2005-1154 + CVE-2005-1155 + CVE-2005-1156 + CVE-2005-1159 + CVE-2005-1160 + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-19.xml b/xml/htdocs/security/en/glsa/glsa-200504-19.xml new file mode 100644 index 00000000..c0ec32c4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200504-19.xml @@ -0,0 +1,70 @@ + + + + + + + MPlayer: Two heap overflow vulnerabilities + + Two vulnerabilities have been found in MPlayer which could lead to the + remote execution of arbitrary code. + + MPlayer + April 20, 2005 + May 22, 2006: 02 + 89277 + remote + + + 1.0_pre6-r4 + 1.0_pre6-r4 + + + +

+ MPlayer is a media player capable of handling multiple multimedia file + formats. +

+
+ +

+ Heap overflows have been found in the code handling RealMedia RTSP and + Microsoft Media Services streams over TCP (MMST). +

+
+ +

+ By setting up a malicious server and enticing a user to use its + streaming data, a remote attacker could possibly execute arbitrary code + on the client computer with the permissions of the user running + MPlayer. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_pre6-r4" +
+ + MPlayer News: Real RTSP heap overflow + MPlayer News: MMST heap overflow + CVE-2005-1195 + + + koon + + + vorlon078 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-20.xml b/xml/htdocs/security/en/glsa/glsa-200504-20.xml new file mode 100644 index 00000000..9f870828 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200504-20.xml @@ -0,0 +1,68 @@ + + + + + + + openMosixview: Insecure temporary file creation + + openMosixview and the openMosixcollector daemon are vulnerable to symlink + attacks, potentially allowing a local user to overwrite arbitrary files. + + openMosixview + April 21, 2005 + April 21, 2005: 01 + 86686 + local + + + 1.5-r1 + 1.5-r1 + + + +

+ The openMosixview package contains several tools used to manage + openMosix clusters, including openMosixview (the main monitoring and + administration application) and openMosixcollector (a daemon collecting + cluster and node information). +

+
+ +

+ Gangstuck and Psirac from Rexotec discovered that openMosixview + insecurely creates several temporary files with predictable filenames. +

+
+ +

+ A local attacker could create symbolic links in the temporary + files directory, pointing to a valid file somewhere on the filesystem. + When openMosixView or the openMosixcollector daemon runs, this would + result in the file being overwritten with the rights of the user + running the utility, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All openMosixview users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-cluster/openmosixview-1.5-r1" +
+ + CAN-2005-0894 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-21.xml b/xml/htdocs/security/en/glsa/glsa-200504-21.xml new file mode 100644 index 00000000..ab90f871 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200504-21.xml @@ -0,0 +1,79 @@ + + + + + + + RealPlayer, Helix Player: Buffer overflow vulnerability + + RealPlayer and Helix Player are vulnerable to a buffer overflow that could + lead to remote execution of arbitrary code. + + RealPlayer + April 22, 2005 + April 22, 2005: 01 + 89862 + remote + + + 10.0.4 + 10.0.4 + + + 1.0.4 + 1.0.4 + + + +

+ RealPlayer is a multimedia player capable of handling multiple + multimedia file formats. Helix Player is the Open Source version of + RealPlayer. +

+
+ +

+ Piotr Bania has discovered a buffer overflow vulnerability in + RealPlayer and Helix Player when processing malicious RAM files. +

+
+ +

+ By enticing a user to play a specially crafted RAM file an + attacker could execute arbitrary code with the permissions of the user + running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All RealPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/realplayer-10.0.4" +

+ All Helix Player users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/helixplayer-1.0.4" +
+ + CAN-2005-0755 + RealNetworks Advisory + + + koon + + + formula7 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-22.xml b/xml/htdocs/security/en/glsa/glsa-200504-22.xml new file mode 100644 index 00000000..8055fbff --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200504-22.xml @@ -0,0 +1,65 @@ + + + + + + + KDE kimgio: PCX handling buffer overflow + + KDE fails to properly validate input when handling PCX images, potentially + resulting in the execution of arbitrary code. + + KDE + April 22, 2005 + April 22, 2005: 01 + 88862 + remote + + + 3.2.3-r9 + 3.3.2-r8 + 3.3.2-r8 + + + +

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like Operating Systems. kimgio is the KDE image handler provided + by kdelibs. +

+
+ +

+ kimgio fails to properly validate input when handling PCX files. +

+
+ +

+ By enticing a user to load a specially-crafted PCX image in a KDE + application, an attacker could execute arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All kdelibs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose kde-base/kdelibs +
+ + CAN-2005-1046 + KDE Security Advisory: kimgio input validation errors + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-23.xml b/xml/htdocs/security/en/glsa/glsa-200504-23.xml new file mode 100644 index 00000000..51eb660f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200504-23.xml @@ -0,0 +1,65 @@ + + + + + + + Kommander: Insecure remote script execution + + Kommander executes remote scripts without confirmation, potentially + resulting in the execution of arbitrary code. + + Kommander + April 22, 2005 + May 20, 2005: 02 + 89092 + remote + + + 3.3.2-r2 + 3.3.2-r2 + + + +

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like Operating Systems. Kommander is a visual dialog editor and + interpreter for KDE applications, part of the kdewebdev package. +

+
+ +

+ Kommander executes data files from possibly untrusted locations without + user confirmation. +

+
+ +

+ An attacker could exploit this to execute arbitrary code with the + permissions of the user running Kommander. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All kdewebdev users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdewebdev-3.3.2-r2" +
+ + CAN-2005-0754 + KDE Security Advisory: Kommander untrusted code execution + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-24.xml b/xml/htdocs/security/en/glsa/glsa-200504-24.xml new file mode 100644 index 00000000..7da0ec76 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200504-24.xml @@ -0,0 +1,71 @@ + + + + + + + eGroupWare: XSS and SQL injection vulnerabilities + + eGroupWare is affected by several SQL injection and cross-site scripting + (XSS) vulnerabilities. + + eGroupWare + April 25, 2005 + May 22, 2006: 02 + 89517 + remote + + + 1.0.0.007 + 1.0.0.007 + + + +

+ eGroupWare is a suite of web-based group applications including + calendar, address book, messenger and email. +

+
+ +

+ Multiple SQL injection and cross-site scripting vulnerabilities have + been found in several eGroupWare modules. +

+
+ +

+ An attacker could possibly use the SQL injection vulnerabilites to gain + information from the database. Furthermore the cross-site scripting + issues give an attacker the ability to inject and execute malicious + script code or to steal cookie based authentication credentials, + potentially compromising the victim's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All eGroupWare users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/egroupware-1.0.0.007" +
+ + GulfTech Security Research Advisory + CVE-2005-1202 + CVE-2005-1203 + + + jaervosz + + + koon + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-25.xml b/xml/htdocs/security/en/glsa/glsa-200504-25.xml new file mode 100644 index 00000000..201341b2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200504-25.xml @@ -0,0 +1,70 @@ + + + + + + + Rootkit Hunter: Insecure temporary file creation + + Rootkit Hunter is vulnerable to symlink attacks, potentially allowing a + local user to overwrite arbitrary files. + + rkhunter + April 26, 2005 + April 26, 2005: 01 + 90007 + local + + + 1.2.3-r1 + 1.2.3-r1 + + + +

+ Rootkit Hunter is a scanning tool to detect rootkits, backdoors + and local exploits on a local machine. Rootkit Hunter uses downloaded + data files to check file integrity. These files are updated via the + check_update.sh script. +

+
+ +

+ Sune Kloppenborg Jeppesen and Tavis Ormandy of the Gentoo Linux + Security Team have reported that the check_update.sh script and the + main rkhunter script insecurely creates several temporary files with + predictable filenames. +

+
+ +

+ A local attacker could create symbolic links in the temporary + files directory, pointing to a valid file somewhere on the filesystem. + When rkhunter or the check_update.sh script runs, this would result in + the file being overwritten with the rights of the user running the + utility, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Rootkit Hunter users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-forensics/rkhunter-1.2.3-r1" +
+ + CAN-2005-1270 + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-26.xml b/xml/htdocs/security/en/glsa/glsa-200504-26.xml new file mode 100644 index 00000000..02a24ed0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200504-26.xml @@ -0,0 +1,68 @@ + + + + + + + Convert-UUlib: Buffer overflow + + A buffer overflow has been reported in Convert-UUlib, potentially resulting + in the execution of arbitrary code. + + Convert-UUlib + April 26, 2005 + May 22, 2006: 02 + 89501 + remote + + + 1.051 + 1.051 + + + +

+ Convert-UUlib provides a Perl interface to the uulib library, allowing + Perl applications to access data encoded in a variety of formats. +

+
+ +

+ A vulnerability has been reported in Convert-UUlib where a malformed + parameter can be provided by an attacker allowing a read operation to + overflow a buffer. The vendor credits Mark Martinec and Robert Lewis + with the discovery. +

+
+ +

+ Successful exploitation would permit an attacker to run arbitrary code + with the privileges of the user running the Perl application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Convert-UUlib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-perl/Convert-UUlib-1.051" +
+ + CVE-2005-1349 + + + koon + + + koon + + + taviso + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-27.xml b/xml/htdocs/security/en/glsa/glsa-200504-27.xml new file mode 100644 index 00000000..0c0df02d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200504-27.xml @@ -0,0 +1,66 @@ + + + + + + + xine-lib: Two heap overflow vulnerabilities + + Two vulnerabilities have been found in xine-lib which could lead to the + remote execution of arbitrary code. + + xine-lib + April 26, 2005 + April 26, 2005: 01 + 89976 + remote + + + 1.0-r2 + 1_rc6-r2 + 1.0-r2 + + + +

+ xine-lib is a multimedia library which can be utilized to create + multimedia frontends. +

+
+ +

+ Heap overflows have been found in the code handling RealMedia RTSP + and Microsoft Media Services streams over TCP (MMST). +

+
+ +

+ By setting up a malicious server and enticing a user to use its + streaming data, a remote attacker could possibly execute arbitrary code + on the client computer with the permissions of the user running any + multimedia frontend making use of the xine-lib library. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose media-libs/xine-lib +
+ + Xine Advisory XSA-2004-8 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-28.xml b/xml/htdocs/security/en/glsa/glsa-200504-28.xml new file mode 100644 index 00000000..dd83edfc --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200504-28.xml @@ -0,0 +1,70 @@ + + + + + + + Heimdal: Buffer overflow vulnerabilities + + Buffer overflow vulnerabilities have been found in the telnet client in + Heimdal which could lead to execution of arbitrary code. + + Heimdal + April 28, 2005 + April 28, 2005: 01 + 89861 + remote + + + 0.6.4 + 0.6.4 + + + +

+ Heimdal is a free implementation of Kerberos 5 that includes a + telnet client program. +

+
+ +

+ Buffer overflow vulnerabilities in the slc_add_reply() and + env_opt_add() functions have been discovered by Gael Delalleau in the + telnet client in Heimdal. +

+
+ +

+ Successful exploitation would require a vulnerable user to connect + to an attacker-controlled host using the telnet client, potentially + executing arbitrary code with the permissions of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Heimdal users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/heimdal-0.6.4" +
+ + CAN-2005-0468 + CAN-2005-0469 + + + koon + + + formula7 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-29.xml b/xml/htdocs/security/en/glsa/glsa-200504-29.xml new file mode 100644 index 00000000..64f7a615 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200504-29.xml @@ -0,0 +1,68 @@ + + + + + + + Pound: Buffer overflow vulnerability + + Pound is vulnerable to a buffer overflow that could lead to the remote + execution of arbitrary code. + + Pound + April 30, 2005 + May 22, 2006: 02 + 90851 + remote + + + 1.8.3 + 1.8.3 + + + +

+ Pound is a reverse proxy, load balancer and HTTPS front-end. +

+
+ +

+ Steven Van Acker has discovered a buffer overflow vulnerability in the + "add_port()" function in Pound. +

+
+ +

+ A remote attacker could send a request for an overly long hostname + parameter, which could lead to the remote execution of arbitrary code + with the rights of the Pound daemon process (by default, Gentoo uses + the "nobody" user to run the Pound daemon). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Pound users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/pound-1.8.3" +
+ + Original announcement + CVE-2005-1391 + + + koon + + + formula7 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200504-30.xml b/xml/htdocs/security/en/glsa/glsa-200504-30.xml new file mode 100644 index 00000000..c6f68102 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200504-30.xml @@ -0,0 +1,75 @@ + + + + + + + phpMyAdmin: Insecure SQL script installation + + phpMyAdmin leaves the SQL install script with insecure permissions, + potentially leading to a database compromise. + + phpmyadmin + April 30, 2005 + May 22, 2006: 02 + 88831 + local + + + 2.6.2-r1 + 2.6.2-r1 + + + +

+ phpMyAdmin is a tool written in PHP intended to handle the + administration of MySQL databases from a web-browser. phpMyAdmin uses a + pma MySQL user to control the linked-tables infrastructure. The SQL + install script sets the initial password for the pma user. +

+
+ +

+ The phpMyAdmin installation process leaves the SQL install script with + insecure permissions. +

+
+ +

+ A local attacker could exploit this vulnerability to obtain the initial + phpMyAdmin password and from there obtain information about databases + accessible by phpMyAdmin. +

+
+ +

+ Change the password for the phpMyAdmin MySQL user (pma): +

+ + mysql -u root -p + SET PASSWORD FOR 'pma'@'localhost' = PASSWORD('MyNewPassword'); +

+ Update your phpMyAdmin config.inc.php: +

+ + $cfg['Servers'][$i]['controlpass'] = 'MyNewPassword'; +
+ +

+ All phpMyAdmin users should change password for the pma user as + described above and upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.2-r1" +
+ + CVE-2005-1392 + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-01.xml b/xml/htdocs/security/en/glsa/glsa-200505-01.xml new file mode 100644 index 00000000..4d69c34c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200505-01.xml @@ -0,0 +1,167 @@ + + + + + + + Horde Framework: Multiple XSS vulnerabilities + + Various modules of the Horde Framework are vulnerable to multiple + cross-site scripting (XSS) vulnerabilities. + + Horde + May 01, 2005 + May 01, 2005: 01 + 90365 + remote + + + 2.2.2 + 2.2.2 + + + 1.2.5 + 1.2.5 + + + 2.2.2 + 2.2.2 + + + 1.1.3 + 1.1.3 + + + 1.1.4 + 1.1.4 + + + 1.1.4 + 1.1.4 + + + 3.2.8 + 3.2.8 + + + 2.1.2 + 2.1.2 + + + 2.2.2 + 2.2.2 + + + 1.2.3 + 1.2.3 + + + 2.2.8 + 2.2.8 + + + +

+ The Horde Framework is a PHP based framework for building web + applications. It provides many modules including calendar, address + book, CVS viewer and Internet Messaging Program. +

+
+ +

+ Cross-site scripting vulnerabilities have been discovered in + various modules of the Horde Framework. +

+
+ +

+ These vulnerabilities could be exploited by an attacker to execute + arbitrary HTML and script code in context of the victim's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Horde users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.8" +

+ All Horde Vacation users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-vacation-2.2.2" +

+ All Horde Turba users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-turba-1.2.5" +

+ All Horde Passwd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-passwd-2.2.2" +

+ All Horde Nag users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-nag-1.1.3" +

+ All Horde Mnemo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-mnemo-1.1.4" +

+ All Horde Kronolith users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-kronolith-1.1.4" +

+ All Horde IMP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-imp-3.2.8" +

+ All Horde Accounts users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-accounts-2.1.2" +

+ All Horde Forwards users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-forwards-2.2.2" +

+ All Horde Chora users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-chora-1.2.3" +
+ + Horde Announcement + + + koon + + + koon + + + formula7 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-02.xml b/xml/htdocs/security/en/glsa/glsa-200505-02.xml new file mode 100644 index 00000000..f052a770 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200505-02.xml @@ -0,0 +1,68 @@ + + + + + + + Oops!: Remote code execution + + The Oops! proxy server contains a remotely exploitable format string + vulnerability, which could potentially lead to the execution of arbitrary + code. + + oops + May 05, 2005 + May 05, 2005: 02 + 91303 + remote + + + 1.5.24_pre20050503 + 1.5.24_pre20050503 + + + +

+ Oops! is an advanced, multithreaded caching web proxy. +

+
+ +

+ A format string flaw has been detected in the my_xlog() function of the + Oops! proxy, which is called by the passwd_mysql and passwd_pgsql + module's auth() functions. +

+
+ +

+ A remote attacker could send a specially crafted HTTP request to the + Oops! proxy, potentially triggering this vulnerability and leading to + the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Oops! users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/oops-1.5.24_pre20050503" +
+ + CAN-2005-1121 + + + jaervosz + + + jaervosz + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-03.xml b/xml/htdocs/security/en/glsa/glsa-200505-03.xml new file mode 100644 index 00000000..ab06b409 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200505-03.xml @@ -0,0 +1,103 @@ + + + + + + + Ethereal: Numerous vulnerabilities + + Ethereal is vulnerable to numerous vulnerabilities potentially resulting in + the execution of arbitrary code or abnormal termination. + + Ethereal + May 06, 2005 + May 06, 2005: 01 + 90539 + remote + + + 0.10.11 + 0.10.11 + + + +

+ Ethereal is a feature rich network protocol analyzer. +

+
+ +

+ There are numerous vulnerabilities in versions of Ethereal prior + to 0.10.11, including: +

+
    +
  • The ANSI A and DHCP dissectors are + vulnerable to format string vulnerabilities.
  • +
  • The DISTCC, + FCELS, SIP, ISIS, CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explitit, PKIX + Qualified, X.509, Q.931, MEGACO, NCP, ISUP, TCAP and Presentation + dissectors are vulnerable to buffer overflows.
  • +
  • The KINK, WSP, + SMB Mailslot, H.245, MGCP, Q.931, RPC, GSM and SMB NETLOGON dissectors + are vulnerable to pointer handling errors.
  • +
  • The LMP, KINK, + MGCP, RSVP, SRVLOC, EIGRP, MEGACO, DLSw, NCP and L2TP dissectors are + vulnerable to looping problems.
  • +
  • The Telnet and DHCP dissectors + could abort.
  • +
  • The TZSP, Bittorrent, SMB, MGCP and ISUP + dissectors could cause a segmentation fault.
  • +
  • The WSP, 802.3 + Slow protocols, BER, SMB Mailslot, SMB, NDPS, IAX2, RADIUS, SMB PIPE, + MRDISC and TCAP dissectors could throw assertions.
  • +
  • The DICOM, + NDPS and ICEP dissectors are vulnerable to memory handling errors.
  • +
  • The GSM MAP, AIM, Fibre Channel,SRVLOC, NDPS, LDAP and NTLMSSP + dissectors could terminate abnormallly.
  • +
+
+ +

+ An attacker might be able to use these vulnerabilities to crash + Ethereal and execute arbitrary code with the permissions of the user + running Ethereal, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ethereal users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.10.11" +
+ + Ethereal enpa-sa-00019 + CAN-2005-1456 + CAN-2005-1457 + CAN-2005-1458 + CAN-2005-1459 + CAN-2005-1460 + CAN-2005-1461 + CAN-2005-1462 + CAN-2005-1463 + CAN-2005-1464 + CAN-2005-1465 + CAN-2005-1466 + CAN-2005-1467 + CAN-2005-1468 + CAN-2005-1469 + CAN-2005-1470 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-04.xml b/xml/htdocs/security/en/glsa/glsa-200505-04.xml new file mode 100644 index 00000000..ecdf6633 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200505-04.xml @@ -0,0 +1,83 @@ + + + + + + + GnuTLS: Denial of Service vulnerability + + The GnuTLS library is vulnerable to Denial of Service attacks. + + GnuTLS + May 09, 2005 + May 09, 2005: 01 + 90726 + remote + + + 1.2.3 + 1.0.25 + 1.2.3 + + + +

+ GnuTLS is a free TLS 1.0 and SSL 3.0 implementation for the GNU + project. +

+
+ +

+ A vulnerability has been discovered in the record packet parsing + in the GnuTLS library. Additionally, a flaw was also found in the RSA + key export functionality. +

+
+ +

+ A remote attacker could exploit this vulnerability and cause a + Denial of Service to any application that utilizes the GnuTLS library. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GnuTLS users should remove the existing installation and + upgrade to the latest version: +

+ + # emerge --sync + # emerge --unmerge gnutls + # emerge --ask --oneshot --verbose net-libs/gnutls +

+ Due to small API changes with the previous version, please do + the following to ensure your applications are using the latest GnuTLS + that you just emerged. +

+ + # revdep-rebuild --soname-regexp libgnutls.so.1[0-1] +

+ Previously exported RSA keys can be fixed by executing the + following command on the key files: +

+ + # certtool -k infile outfile +
+ + GnuTLS Announcement + CAN-2005-1431 + + + koon + + + koon + + + lewk + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-05.xml b/xml/htdocs/security/en/glsa/glsa-200505-05.xml new file mode 100644 index 00000000..b840f42d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200505-05.xml @@ -0,0 +1,70 @@ + + + + + + + gzip: Multiple vulnerabilities + + gzip contains multiple vulnerabilities potentially allowing an attacker to + execute arbitrary commands. + + gzip + May 09, 2005 + May 09, 2005: 01 + 89946 + 90626 + local + + + 1.3.5-r6 + 1.3.5-r6 + + + +

+ gzip (GNU zip) is a popular compression program. The included + zgrep utility allows you to grep gzipped files in place. +

+
+ +

+ The gzip and gunzip programs are vulnerable to a race condition + when setting file permissions (CAN-2005-0988), as well as improper + handling of filename restoration (CAN-2005-1228). The zgrep utility + improperly sanitizes arguments, which may come from an untrusted source + (CAN-2005-0758). +

+
+ +

+ These vulnerabilities could allow arbitrary command execution, + changing the permissions of arbitrary files, and installation of files + to an aribitrary location in the filesystem. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All gzip users should upgrade to the latest stable version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/gzip-1.3.5-r6" +
+ + CAN-2005-0758 + CAN-2005-0988 + CAN-2005-1228 + + + r2d2 + + + r2d2 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-06.xml b/xml/htdocs/security/en/glsa/glsa-200505-06.xml new file mode 100644 index 00000000..ec3abaa1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200505-06.xml @@ -0,0 +1,72 @@ + + + + + + + TCPDump: Decoding routines Denial of Service vulnerability + + A flaw in the decoding of network packets renders TCPDump vulnerable to a + remote Denial of Service attack. + + tcpdump + May 09, 2005 + June 12, 2005: 02 + 90541 + 95349 + remote + + + 3.8.3-r3 + 3.8.3-r3 + + + +

+ TCPDump is a tool for network monitoring and data acquisition. +

+
+ +

+ TCPDump improperly handles and decodes ISIS (CAN-2005-1278), BGP + (CAN-2005-1267, CAN-2005-1279), LDP (CAN-2005-1279) and RSVP + (CAN-2005-1280) packets. TCPDump might loop endlessly after receiving + malformed packets. +

+
+ +

+ A malicious remote attacker can exploit the decoding issues for a + Denial of Service attack by sending specially crafted packets, possibly + causing TCPDump to loop endlessly. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TCPDump users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/tcpdump-3.8.3-r3" +
+ + CAN-2005-1267 + CAN-2005-1278 + CAN-2005-1279 + CAN-2005-1280 + + + jaervosz + + + DerCorny + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-07.xml b/xml/htdocs/security/en/glsa/glsa-200505-07.xml new file mode 100644 index 00000000..daf14b5b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200505-07.xml @@ -0,0 +1,65 @@ + + + + + + + libTIFF: Buffer overflow + + The libTIFF library is vulnerable to a buffer overflow, potentially + resulting in the execution of arbitrary code. + + tiff + May 10, 2005 + May 22, 2006: 02 + 91584 + remote + + + 3.7.2 + 3.7.2 + + + +

+ libTIFF provides support for reading and manipulating TIFF (Tag Image + File Format) images. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a + stack based buffer overflow in the libTIFF library when reading a TIFF + image with a malformed BitsPerSample tag. +

+
+ +

+ Successful exploitation would require the victim to open a specially + crafted TIFF image, resulting in the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libTIFF users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/tiff-3.7.2" +
+ + LIBTIFF BUG#863 + CVE-2005-1544 + + + taviso + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-08.xml b/xml/htdocs/security/en/glsa/glsa-200505-08.xml
new file mode 100644
index 00000000..0a954661
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200505-08.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ HT Editor: Multiple buffer overflows
+
+ Two vulnerabilities have been discovered in HT Editor, potentially leading
+ to the execution of arbitrary code.
+
+ hteditor
+ May 10, 2005
+ May 22, 2006: 02
+ 91569
+ remote
+
+
+ 0.8.0-r2
+ 0.8.0-r2
+
+
+
+

+ HT is a hex editor, designed to help analyse and modify executable + files. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Team discovered an integer + overflow in the ELF parser, leading to a heap-based buffer overflow. + The vendor has reported that an unrelated buffer overflow has been + discovered in the PE parser. +

+
+ +

+ Successful exploitation would require the victim to open a specially + crafted file using HT, potentially permitting an attacker to execute + arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All hteditor users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/hteditor-0.8.0-r2" +
+ + CVE-2005-1545 + CVE-2005-1546 + + + jaervosz + + + taviso + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-09.xml b/xml/htdocs/security/en/glsa/glsa-200505-09.xml
new file mode 100644
index 00000000..5e75daab
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200505-09.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ Gaim: Denial of Service and buffer overflow vulnerabilties
+
+ Gaim contains two vulnerabilities, potentially resulting in the execution
+ of arbitrary code or Denial of Service.
+
+ gaim
+ May 12, 2005
+ May 12, 2005: 01
+ 91862
+ remote
+
+
+ 1.3.0
+ 1.3.0
+
+
+
+

+ Gaim is a full featured instant messaging client which handles a + variety of instant messaging protocols. +

+
+ +

+ Stu Tomlinson discovered that Gaim is vulnerable to a remote stack + based buffer overflow when receiving messages in certain protocols, + like Jabber and SILC, with a very long URL (CAN-2005-1261). Siebe + Tolsma discovered that Gaim is also vulnerable to a remote Denial of + Service attack when receiving a specially crafted MSN message + (CAN-2005-1262). +

+
+ +

+ A remote attacker could cause a buffer overflow by sending an + instant message with a very long URL, potentially leading to the + execution of malicious code. By sending a SLP message with an empty + body, a remote attacker could cause a Denial of Service or crash of the + Gaim client. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All Gaim users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/gaim-1.3.0" +
+ + CAN-2005-1261 + CAN-2005-1262 + + + DerCorny + + + jaervosz + +
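Review bot: The title of glsa-200505-09.xml misspells "vulnerabilities" as `vulnerabilties`; since the title is what indexes and mail notifications display, it should read `Gaim: Denial of Service and buffer overflow vulnerabilities`. The same kind of typo appears in the impact paragraph of glsa-200506-04.xml (`vulnerabilites`) and in the background paragraph of glsa-200506-09.xml (`environement`), which should be "vulnerabilities" and "environment" respectively. These advisories are otherwise consistent with the rest of the batch.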
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-10.xml b/xml/htdocs/security/en/glsa/glsa-200505-10.xml
new file mode 100644
index 00000000..eaf7fdae
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200505-10.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ phpBB: Cross-Site Scripting Vulnerability
+
+ phpBB is vulnerable to a cross-site scripting attack that could allow
+ arbitrary scripting code execution.
+
+ phpBB
+ May 14, 2005
+ May 14, 2005: 01
+ 90213
+ remote
+
+
+ 2.0.15
+ 2.0.15
+
+
+
+

+ phpBB is an Open Source bulletin board package. +

+
+ +

+ phpBB is vulnerable to a cross-site scripting vulnerability due to + improper sanitization of user supplied input. Coupled with poor + validation of BBCode URLs which may be included in a forum post, an + unsuspecting user may follow a posted link triggering the + vulnerability. +

+
+ +

+ Successful exploitation of the vulnerability could cause arbitrary + scripting code to be executed in the browser of a user. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All phpBB users should upgrade to the latest version: +

+ + emerge --sync + emerge --ask --oneshot --verbose ">=www-apps/phpBB-2.0.15" +
+ + BugTraq ID 13344 + SecurityTracker ID 1013918 + + + koon + + + koon + + + r2d2 + +
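Review bot: The resolution code block of glsa-200505-10.xml is the only one in this batch whose commands lack the `#` root-prompt prefix, so the rendered advisory shows `emerge --sync` and `emerge --ask --oneshot --verbose ">=www-apps/phpBB-2.0.15"` without the privilege marker every other GLSA uses. For consistency with the sibling files (for example glsa-200505-06.xml through glsa-200505-09.xml), the two lines should read `# emerge --sync` and `# emerge --ask --oneshot --verbose ">=www-apps/phpBB-2.0.15"`. This is a presentation point only; the package atom and version bound match the unaffected range declared in the header.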
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-11.xml b/xml/htdocs/security/en/glsa/glsa-200505-11.xml
new file mode 100644
index 00000000..42e44807
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200505-11.xml
@@ -0,0 +1,118 @@
+
+
+
+
+
+
+ Mozilla Suite, Mozilla Firefox: Remote compromise
+
+ Several vulnerabilities in the Mozilla Suite and Firefox allow an attacker
+ to conduct cross-site scripting attacks or to execute arbitrary code.
+
+ mozilla
+ May 15, 2005
+ May 15, 2005: 01
+ 91859
+ 92393
+ 92394
+ remote
+
+
+ 1.0.4
+ 1.0.4
+
+
+ 1.0.4
+ 1.0.4
+
+
+ 1.7.8
+ 1.7.8
+
+
+ 1.7.8
+ 1.7.8
+
+
+
+

+ The Mozilla Suite is a popular all-in-one web browser that + includes a mail and news reader. Mozilla Firefox is the next-generation + browser from the Mozilla project. +

+
+ +

+ The Mozilla Suite and Firefox do not properly protect "IFRAME" + JavaScript URLs from being executed in context of another URL in the + history list (CAN-2005-1476). The Mozilla Suite and Firefox also fail + to verify the "IconURL" parameter of the "InstallTrigger.install()" + function (CAN-2005-1477). Michael Krax and Georgi Guninski discovered + that it is possible to bypass JavaScript-injection security checks by + wrapping the javascript: URL within the view-source: or jar: + pseudo-protocols (MFSA2005-43). +

+
+ +

+ A malicious remote attacker could use the "IFRAME" issue to + execute arbitrary JavaScript code within the context of another + website, allowing to steal cookies or other sensitive data. By + supplying a javascript: URL as the "IconURL" parameter of the + "InstallTrigger.Install()" function, a remote attacker could also + execute arbitrary JavaScript code. Combining both vulnerabilities with + a website which is allowed to install software or wrapping javascript: + URLs within the view-source: or jar: pseudo-protocols could possibly + lead to the execution of arbitrary code with user privileges. +

+
+ +

+ Affected systems can be protected by disabling JavaScript. + However, we encourage Mozilla Suite or Mozilla Firefox users to upgrade + to the latest available version. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.4" +

+ All Mozilla Firefox binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.4" +

+ All Mozilla Suite users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.8" +

+ All Mozilla Suite binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.8" +
+ + CAN-2005-1476 + CAN-2005-1477 + Mozilla Foundation Security Advisory 2005-43 + + + jaervosz + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-12.xml b/xml/htdocs/security/en/glsa/glsa-200505-12.xml
new file mode 100644
index 00000000..35b90dcc
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200505-12.xml
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+ PostgreSQL: Multiple vulnerabilities
+
+ PostgreSQL is vulnerable to Denial of Service attacks and possibly allows
+ unprivileged users to gain administrator rights.
+
+ postgresql
+ May 15, 2005
+ June 26, 2007: 04
+ 91231
+ remote
+
+
+ 7.3*
+ 7.4*
+ 8.0.1-r3
+ 8.0.2-r1
+ 7.3.10
+ 7.4.7-r2
+ 8.0.2-r1
+
+
+
+

+ PostgreSQL is a SQL compliant, open source object-relational database + management system. +

+
+ +

+ PostgreSQL gives public EXECUTE access to a number of character + conversion routines, but doesn't validate the given arguments + (CAN-2005-1409). It has also been reported that the contrib/tsearch2 + module of PostgreSQL misdeclares the return value of some functions as + "internal" (CAN-2005-1410). +

+
+ +

+ An attacker could call the character conversion routines with specially + setup arguments to crash the backend process of PostgreSQL or to + potentially gain administrator rights. A malicious user could also call + the misdeclared functions of the contrib/tsearch2 module, resulting in + a Denial of Service or other, yet uninvestigated, impacts. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PostgreSQL users should update to the latest available version and + follow the guide at http://www.postgresql.o + rg/about/news.315 +

+ + + # emerge --sync + # emerge --ask --oneshot --verbose dev-db/postgresql +
+ + CAN-2005-1409 + CAN-2005-1410 + PostgreSQL Announcement + + + DerCorny + + + koon + +
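Review bot: The upstream guide reference in the resolution paragraph of glsa-200505-12.xml is split mid-word across two lines as `http://www.postgresql.o` / `rg/about/news.315`, so the visible link text is broken for anyone reading or copying it; it should be kept on one line as `http://www.postgresql.org/about/news.315`. The resolution code block also carries an extra empty line before `# emerge --sync` that none of the sibling advisories have. Because the emerge command here is unversioned (`dev-db/postgresql`), readers have to rely on the unaffected versions listed in the header (7.3.10, 7.4.7-r2, 8.0.2-r1) to confirm they are fixed, which is why the link to the upstream guide needs to be intact.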
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-13.xml b/xml/htdocs/security/en/glsa/glsa-200505-13.xml
new file mode 100644
index 00000000..eaecafde
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200505-13.xml
@@ -0,0 +1,74 @@
+
+
+
+
+
+
+ FreeRADIUS: SQL injection and Denial of Service vulnerability
+
+ The FreeRADIUS server is vulnerable to an SQL injection attack and a buffer
+ overflow, possibly resulting in disclosure and modification of data and
+ Denial of Service.
+
+ freeradius
+ May 17, 2005
+ May 22, 2006: 03
+ 91736
+ remote
+
+
+ 1.0.2-r4
+ 1.0.2-r4
+
+
+
+

+ FreeRADIUS is an open source RADIUS authentication server + implementation. +

+
+ +

+ Primoz Bratanic discovered that the sql_escape_func function of + FreeRADIUS may be vulnerable to a buffer overflow (BID 13541). He also + discovered that FreeRADIUS fails to sanitize user-input before using it + in a SQL query, possibly allowing SQL command injection (BID 13540). +

+
+ +

+ By supplying carefully crafted input, a malicious user could cause an + SQL injection or a buffer overflow, possibly leading to the disclosure + and the modification of sensitive data or Denial of Service by crashing + the server. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All FreeRADIUS users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dialup/freeradius-1.0.2-r4" +
+ + BugTraq ID 13540 + BugTraq ID 13541 + CVE-2005-1454 + CVE-2005-1455 + + + koon + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-14.xml b/xml/htdocs/security/en/glsa/glsa-200505-14.xml
new file mode 100644
index 00000000..615774fb
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200505-14.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ Cheetah: Untrusted module search path
+
+ Cheetah contains a vulnerability in the module importing code that can
+ allow a local user to gain escalated privileges.
+
+ Cheetah
+ May 19, 2005
+ May 17, 2006: 02
+ 92926
+ local
+
+
+ 0.9.17_rc1
+ 0.9.17_rc1
+
+
+
+

+ Cheetah is a Python powered template engine and code generator. +

+
+ +

+ Brian Bird discovered that Cheetah searches for modules in the + world-writable /tmp directory. +

+
+ +

+ A malicious local user could place a module containing arbitrary code + in /tmp, which when imported would run with escalated privileges. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All Cheetah users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/cheetah-0.9.17_rc1" +
+ + Secunia Advisory SA15386 + + + jaervosz + + + r2d2 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-15.xml b/xml/htdocs/security/en/glsa/glsa-200505-15.xml
new file mode 100644
index 00000000..1888b2c3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200505-15.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ gdb: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been discovered in the GNU debugger,
+ potentially allowing the execution of arbitrary code.
+
+ gdb
+ May 20, 2005
+ May 22, 2006: 02
+ 88398
+ 91398
+ 91654
+ local
+
+
+ 6.3-r3
+ 6.3-r3
+
+
+
+

+ gdb is the GNU project's debugger, facilitating the analysis and + debugging of applications. The BFD library provides a uniform method of + accessing a variety of object file formats. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an + integer overflow in the BFD library, resulting in a heap overflow. A + review also showed that by default, gdb insecurely sources + initialisation files from the working directory. +

+
+ +

+ Successful exploitation would result in the execution of arbitrary code + on loading a specially crafted object file or the execution of + arbitrary commands. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All gdb users should upgrade to the latest stable version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-devel/gdb-6.3-r3" +
+ + CVE-2005-1704 + CVE-2005-1705 + + + jaervosz + + + r2d2 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-16.xml b/xml/htdocs/security/en/glsa/glsa-200505-16.xml
new file mode 100644
index 00000000..28c5e1d2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200505-16.xml
@@ -0,0 +1,79 @@
+
+
+
+
+
+
+ ImageMagick, GraphicsMagick: Denial of Service vulnerability
+
+ ImageMagick and GraphicsMagick utilities can be abused to perform a Denial
+ of Service attack.
+
+ ImageMagick
+ May 21, 2005
+ May 22, 2006: 02
+ 90423
+ 90595
+ remote
+
+
+ 6.2.2.3
+ 6.2.2.3
+
+
+ 1.1.6-r1
+ 1.1.6-r1
+
+
+
+

+ Both ImageMagick and GraphicsMagick are collection of tools to read, + write and manipulate images in many formats. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a + Denial of Service vulnerability in the XWD decoder of ImageMagick and + GraphicsMagick when setting a color mask to zero. +

+
+ +

+ A remote attacker could submit a specially crafted image to a user or + an automated system making use of an affected utility, resulting in a + Denial of Service by consumption of CPU time. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ImageMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.2.2.3" +

+ All GraphicsMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.1.6-r1" +
+ + CVE-2005-1739 + + + jaervosz + + + formula7 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-17.xml b/xml/htdocs/security/en/glsa/glsa-200505-17.xml
new file mode 100644
index 00000000..42448f4f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200505-17.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Qpopper: Multiple Vulnerabilities
+
+ Qpopper contains two vulnerabilities allowing an attacker to overwrite
+ arbitrary files and create files with insecure permissions.
+
+ qpopper
+ May 23, 2005
+ May 23, 2005: 01
+ 90622
+ local
+
+
+ 4.0.5-r3
+ 4.0.5-r3
+
+
+
+

+ Qpopper is a widely used server for the POP3 protocol. +

+
+ +

+ Jens Steube discovered that Qpopper doesn't drop privileges to + process local files from normal users (CAN-2005-1151). The upstream + developers discovered that Qpopper can be forced to create group or + world writeable files (CAN-2005-1152). +

+
+ +

+ A malicious local attacker could exploit Qpopper to overwrite + arbitrary files as root or create new files which are group or world + writeable. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Qpopper users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/qpopper-4.0.5-r3" +
+ + CAN-2005-1151 + CAN-2005-1152 + + + DerCorny + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-18.xml b/xml/htdocs/security/en/glsa/glsa-200505-18.xml
new file mode 100644
index 00000000..0bec838f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200505-18.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ Net-SNMP: fixproc insecure temporary file creation
+
+ Net-SNMP creates temporary files in an insecure manner, possibly allowing
+ the execution of arbitrary code.
+
+ net-snmp
+ May 23, 2005
+ May 22, 2006: 02
+ 91792
+ local
+
+
+ 5.2.1-r1
+ 5.2.1-r1
+
+
+
+

+ Net-SNMP is a suite of applications used to implement the Simple + Network Management Protocol. +

+
+ +

+ The fixproc application of Net-SNMP creates temporary files with + predictable filenames. +

+
+ +

+ A malicious local attacker could exploit a race condition to change the + content of the temporary files before they are executed by fixproc, + possibly leading to the execution of arbitrary code. A local attacker + could also create symbolic links in the temporary files directory, + pointing to a valid file somewhere on the filesystem. When fixproc is + executed, this would result in the file being overwritten. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Net-SNMP users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.2.1-r1" +
+ + CVE-2005-1740 + + + vorlon078 + + + koon + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-19.xml b/xml/htdocs/security/en/glsa/glsa-200505-19.xml
new file mode 100644
index 00000000..665ec40b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200505-19.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ gxine: Format string vulnerability
+
+ A format string vulnerability in gxine could allow a remote attacker to
+ execute arbitrary code.
+
+ gxine
+ May 26, 2005
+ May 26, 2005: 01
+ 93532
+ remote
+
+
+ 0.3.3-r2
+ 0.4.1-r1
+ 0.4.4
+ 0.4.4
+
+
+
+

+ gxine is a GTK+ and xine-lib based media player. +

+
+ +

+ Exworm discovered that gxine insecurely implements formatted + printing in the hostname decoding function. +

+
+ +

+ A remote attacker could entice a user to open a carefully crafted + file with gxine, possibly leading to the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All gxine users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose media-video/gxine +
+ + CAN-2005-1692 + Bugtraq ID 13707 + Original Advisory + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200505-20.xml b/xml/htdocs/security/en/glsa/glsa-200505-20.xml
new file mode 100644
index 00000000..53aafd04
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200505-20.xml
@@ -0,0 +1,79 @@
+
+
+
+
+
+
+ Mailutils: Multiple vulnerabilities in imap4d and mail
+
+ The imap4d server and the mail utility from GNU Mailutils contain multiple
+ vulnerabilities, potentially allowing a remote attacker to execute
+ arbitrary code with root privileges.
+
+ mailutils
+ May 27, 2005
+ May 27, 2005: 01
+ 94053
+ remote
+
+
+ 0.6-r1
+ 0.6-r1
+
+
+
+

+ GNU Mailutils is a collection of mail-related utilities, including + an IMAP4 server (imap4d) and a Mail User Agent (mail). +

+
+ +

+ infamous41d discovered several vulnerabilities in GNU Mailutils. + imap4d does not correctly implement formatted printing of command tags + (CAN-2005-1523), fails to validate the range sequence of the "FETCH" + command (CAN-2005-1522), and contains an integer overflow in the + "fetch_io" routine (CAN-2005-1521). mail contains a buffer overflow in + "header_get_field_name()" (CAN-2005-1520). +

+
+ +

+ A remote attacker can exploit the format string and integer + overflow in imap4d to execute arbitrary code as the imap4d user, which + is usually root. By sending a specially crafted email message, a remote + attacker could exploit the buffer overflow in the "mail" utility to + execute arbitrary code with the rights of the user running mail. + Finally, a remote attacker can also trigger a Denial of Service by + sending a malicious FETCH command to an affected imap4d, causing + excessive resource consumption. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All GNU Mailutils users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/mailutils-0.6-r1" +
+ + CAN-2005-1520 + CAN-2005-1521 + CAN-2005-1522 + CAN-2005-1523 + iDEFENSE 05.25.05 advisories + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-01.xml b/xml/htdocs/security/en/glsa/glsa-200506-01.xml
new file mode 100644
index 00000000..9c736061
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-01.xml
@@ -0,0 +1,83 @@
+
+
+
+
+
+
+ Binutils, elfutils: Buffer overflow
+
+ Various utilities from the GNU Binutils and elfutils packages are
+ vulnerable to a heap based buffer overflow, potentially resulting in the
+ execution of arbitrary code.
+
+ binutils
+ June 01, 2005
+ May 22, 2006: 02
+ 91398
+ 91817
+ remote
+
+
+ 0.108
+ 0.108
+
+
+ 2.14.90.0.8-r3
+ 2.15.90.0.1.1-r5
+ 2.15.90.0.3-r5
+ 2.15.91.0.2-r2
+ 2.15.92.0.2-r10
+ 2.16-r1
+ 2.16-r1
+
+
+
+

+ The GNU Binutils are a collection of tools to create, modify and + analyse binary files. Many of the files use BFD, the Binary File + Descriptor library, to do low-level manipulation. Elfutils provides a + library and utilities to access, modify and analyse ELF objects. +

+
+ +

+ Tavis Ormandy and Ned Ludd of the Gentoo Linux Security Audit Team + discovered an integer overflow in the BFD library and elfutils, + resulting in a heap based buffer overflow. +

+
+ +

+ Successful exploitation would require a user to access a specially + crafted binary file, resulting in the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GNU Binutils users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose sys-devel/binutils +

+ All elfutils users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/elfutils-0.108" +
+ + CVE-2005-1704 + + + taviso + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-02.xml b/xml/htdocs/security/en/glsa/glsa-200506-02.xml
new file mode 100644
index 00000000..e363ed64
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-02.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Mailutils: SQL Injection
+
+ GNU Mailutils is vulnerable to SQL command injection attacks.
+
+ mailutils
+ June 06, 2005
+ June 06, 2005: 01
+ 94824
+ remote
+
+
+ 0.6-r1
+ 0.6-r1
+
+
+
+

+ GNU Mailutils is a collection of mail-related utilities. +

+
+ +

+ When GNU Mailutils is built with the "mysql" or "postgres" USE + flag, the sql_escape_string function of the authentication module fails + to properly escape the "\" character, rendering it vulnerable to a SQL + command injection. +

+
+ +

+ A malicious remote user could exploit this vulnerability to inject + SQL commands to the underlying database. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GNU Mailutils users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/mailutils-0.6-r1" +
+ + CAN-2005-1824 + + + jaervosz + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-03.xml b/xml/htdocs/security/en/glsa/glsa-200506-03.xml
new file mode 100644
index 00000000..e6886393
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-03.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ Dzip: Directory traversal vulnerability
+
+ Dzip is vulnerable to a directory traversal attack.
+
+ dzip
+ June 06, 2005
+ May 22, 2006: 02
+ 93079
+ remote
+
+
+ 2.9-r1
+ 2.9-r1
+
+
+
+

+ Dzip is a compressor and uncompressor especially made for demo + recordings of id's Quake. +

+
+ +

+ Dzip is vulnerable to a directory traversal attack when extracting + archives. +

+
+ +

+ An attacker could exploit this vulnerability by creating a specially + crafted archive to extract files to arbitrary locations. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Dzip users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-utils/dzip-2.9-r1" +
+ + CVE-2005-1874 + + + koon + + + koon + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-04.xml b/xml/htdocs/security/en/glsa/glsa-200506-04.xml
new file mode 100644
index 00000000..ccfc5d26
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-04.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ Wordpress: Multiple vulnerabilities
+
+ Wordpress contains SQL injection and XSS vulnerabilities.
+
+ Wordpress
+ June 06, 2005
+ May 22, 2006: 02
+ 88926
+ 94512
+ remote
+
+
+ 1.5.1.2
+ 1.5.1.2
+
+
+
+

+ WordPress is a PHP and MySQL based content management and publishing + system. +

+
+ +

+ Due to a lack of input validation, WordPress is vulnerable to SQL + injection and XSS attacks. +

+
+ +

+ An attacker could use the SQL injection vulnerabilites to gain + information from the database. Furthermore the cross-site scripting + issues give an attacker the ability to inject and execute malicious + script code or to steal cookie-based authentication credentials, + potentially compromising the victim's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Wordpress users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/wordpress-1.5.1.2" +
+ + CVE-2005-1102 + CVE-2005-1687 + CVE-2005-1810 + + + koon + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-05.xml b/xml/htdocs/security/en/glsa/glsa-200506-05.xml
new file mode 100644
index 00000000..2ac4a13d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-05.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ SilverCity: Insecure file permissions
+
+ Executable files with insecure permissions can be modified causing an
+ unsuspecting user to run arbitrary code.
+
+ silvercity
+ June 08, 2005
+ May 22, 2006: 02
+ 93558
+ local
+
+
+ 0.9.5-r1
+ 0.9.5-r1
+
+
+
+

+ SilverCity provides lexical analysis for over 20 programming and markup + languages. +

+
+ +

+ The SilverCity package installs three executable files with insecure + permissions. +

+
+ +

+ A local attacker could modify the executable files, causing arbitrary + code to be executed with the permissions of an unsuspecting SilverCity + user. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All SilverCity users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/silvercity-0.9.5-r1" +
+ + CVE-2005-1941 + + + koon + + + koon + + + r2d2 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-06.xml b/xml/htdocs/security/en/glsa/glsa-200506-06.xml
new file mode 100644
index 00000000..9fade7f4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-06.xml
@@ -0,0 +1,72 @@
+
+
+
+
+
+
+ libextractor: Multiple overflow vulnerabilities
+
+ libextractor is affected by several overflow vulnerabilities in the PDF,
+ Real and PNG extractors, making it vulnerable to execution of arbitrary
+ code.
+
+ libextractor
+ June 09, 2005
+ June 09, 2005: 01
+ 79704
+ remote
+
+
+ 0.5.0
+ 0.5.0
+
+
+
+

+ libextractor is a library used to extract meta-data from files. It + makes use of Xpdf code to extract information from PDF files. +

+
+ +

+ Xpdf is vulnerable to multiple overflows, as described in GLSA + 200501-28. Also, integer overflows were discovered in Real and PNG + extractors. +

+
+ +

+ An attacker could design malicious PDF, PNG or Real files which, + when processed by an application making use of libextractor, would + result in the execution of arbitrary code with the rights of the user + running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libextractor users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libextractor-0.5.0" +
+ + CAN-2005-0064 + GLSA 200501-28 + libextractor security announcement + + + koon + + + formula7 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-07.xml b/xml/htdocs/security/en/glsa/glsa-200506-07.xml
new file mode 100644
index 00000000..213793f2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-07.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Ettercap: Format string vulnerability
+
+ A format string vulnerability in Ettercap could allow a remote attacker to
+ execute arbitrary code.
+
+ ettercap
+ June 11, 2005
+ June 11, 2005: 01
+ 94474
+ remote
+
+
+ 0.7.3
+ 0.7.3
+
+
+
+

+ Ettercap is a suite of tools for content filtering, sniffing and + man in the middle attacks on a LAN. +

+
+ +

+ The curses_msg function of Ettercap's Ncurses-based user interface + insecurely implements formatted printing. +

+
+ +

+ A remote attacker could craft a malicious network flow that would + result in executing arbitrary code with the rights of the user running + the Ettercap tool, which is often root. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ettercap users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/ettercap-0.7.3" +
+ + CAN-2005-1796 + + + koon + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-08.xml b/xml/htdocs/security/en/glsa/glsa-200506-08.xml
new file mode 100644
index 00000000..9953f9d1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-08.xml
@@ -0,0 +1,83 @@
+
+
+
+
+
+
+ GNU shtool, ocaml-mysql: Insecure temporary file creation
+
+ GNU shtool and ocaml-mysql are vulnerable to symlink attacks, potentially
+ allowing a local user to overwrite arbitrary files.
+
+ GNU shtool
+ June 11, 2005
+ June 11, 2005: 01
+ 93782
+ 93784
+ local
+
+
+ 2.0.1-r2
+ 2.0.1-r2
+
+
+ 1.0.3-r1
+ 1.0.3-r1
+
+
+
+

+ GNU shtool is a compilation of small shell scripts into a single + shell tool. The ocaml-mysql package includes the GNU shtool code. +

+
+ +

+ Eric Romang has discovered that GNU shtool insecurely creates + temporary files with predictable filenames (CAN-2005-1751). On closer + inspection, Gentoo Security discovered that the shtool temporary file, + once created, was being reused insecurely (CAN-2005-1759). +

+
+ +

+ A local attacker could create symbolic links in the temporary + files directory, pointing to a valid file somewhere on the filesystem. + When a GNU shtool script is executed, this would result in the file + being overwritten with the rights of the user running the script, which + could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GNU shtool users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/shtool-2.0.1-r2" +

+ All ocaml-mysql users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-ml/ocaml-mysql-1.0.3-r1" +
+ + CAN-2005-1751 + CAN-2005-1759 + + + vorlon078 + + + formula7 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-09.xml b/xml/htdocs/security/en/glsa/glsa-200506-09.xml
new file mode 100644
index 00000000..83f87cc8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-09.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ gedit: Format string vulnerability
+
+ gedit suffers from a format string vulnerability that could allow arbitrary
+ code execution.
+
+ gedit
+ June 11, 2005
+ May 22, 2006: 02
+ 93352
+ remote
+
+
+ 2.10.3
+ 2.10.3
+
+
+
+

+ gedit is the official text editor of the GNOME desktop environement. +

+
+ +

+ A format string vulnerability exists when opening files with names + containing format specifiers. +

+
+ +

+ A specially crafted file with format specifiers in the filename can + cause arbitrary code execution. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All gedit users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/gedit-2.10.3" +
+ + BugTraq ID 13699 + gedit 10.3 Release Notes + CVE-2005-1686 + + + koon + + + r2d2 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-10.xml b/xml/htdocs/security/en/glsa/glsa-200506-10.xml
new file mode 100644
index 00000000..2c0f7066
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-10.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ LutelWall: Insecure temporary file creation
+
+ LutelWall is vulnerable to symlink attacks, potentially allowing a local
+ user to overwrite arbitrary files.
+
+ LutelWall
+ June 11, 2005
+ June 11, 2005: 01
+ 95378
+ local
+
+
+ 0.98
+ 0.98
+
+
+
+

+ LutelWall is a high-level Linux firewall configuration tool. +

+
+ +

+ Eric Romang has discovered that the new_version_check() function + in LutelWall insecurely creates a temporary file when updating to a new + version. +

+
+ +

+ A local attacker could create symbolic links in the temporary file + directory, pointing to a valid file somewhere on the filesystem. When + the update script is executed (usually by the root user), this would + result in the file being overwritten with the rights of this user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All LutelWall users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-firewall/lutelwall-0.98" +
+ + CAN-2005-1879 + + + vorlon078 + + + koon + + + formula7 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-11.xml b/xml/htdocs/security/en/glsa/glsa-200506-11.xml
new file mode 100644
index 00000000..e719d2c1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-11.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ Gaim: Denial of Service vulnerabilities
+
+ Gaim contains two remote Denial of Service vulnerabilities.
+
+ gaim
+ June 12, 2005
+ June 12, 2005: 01
+ 95347
+ remote
+
+
+ 1.3.1
+ 1.3.1
+
+
+
+

+ Gaim is a full featured instant messaging client which handles a + variety of instant messaging protocols. +

+
+ +

+ Jacopo Ottaviani discovered a vulnerability in the Yahoo! file + transfer code when being offered files with names containing non-ASCII + characters (CAN-2005-1269). +

+

+ Hugo de Bokkenrijder discovered a + vulnerability when receiving malformed MSN messages (CAN-2005-1934). +

+
+ +

+ Both vulnerabilities cause Gaim to crash, resulting in a Denial of + Service. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All Gaim users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/gaim-1.3.1" +
+ + Gaim Vulnerability: Remote Yahoo! crash + Gaim Vulnerability: MSN Remote DoS + CAN-2005-1269 + CAN-2005-1934 + + + koon + + + r2d2 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-12.xml b/xml/htdocs/security/en/glsa/glsa-200506-12.xml
new file mode 100644
index 00000000..0bc6d304
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-12.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ MediaWiki: Cross-site scripting vulnerability
+
+ MediaWiki is vulnerable to a cross-site scripting attack that could allow
+ arbitrary scripting code execution.
+
+ mediawiki
+ June 13, 2005
+ June 13, 2005: 01
+ 95255
+ remote
+
+
+ 1.4.5
+ 1.3.13
+ 1.4.5
+
+
+
+

+ MediaWiki is a collaborative editing software, used by big + projects like Wikipedia. +

+
+ +

+ MediaWiki incorrectly handles page template inclusions, rendering + it vulnerable to cross-site scripting attacks. +

+
+ +

+ A remote attacker could exploit this vulnerability to inject + malicious script code that will be executed in a user's browser session + in the context of the vulnerable site. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MediaWiki users should upgrade to the latest available + versions: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose www-apps/mediawiki +
+ + MediaWiki 1.4.5 Release Notes + + + koon + + + koon + + + DerCorny + +
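Review bot: The Resolution's emerge line `www-apps/mediawiki` is the only one in this batch with no version atom, so a reader cannot tell from the command alone whether the version they end up on is one of the unaffected ones (1.3.13 or 1.4.5 per the package block). I would either spell out the floors in the text ("1.3.13 for the 1.3 branch, 1.4.5 otherwise") or give `# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.4.5"` with a note that 1.3.13 is also unaffected. The references block carries only the release notes and no CVE identifier, unlike the surrounding advisories; if one was assigned it belongs here. The SquirrelMail and Cacti advisories in this commit add a vhosts/webapp-config note to their Resolution; whether mediawiki is installed through webapp-config is not visible from this file, but if it is the same note applies.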
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-13.xml b/xml/htdocs/security/en/glsa/glsa-200506-13.xml
new file mode 100644
index 00000000..642bcaa9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-13.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ webapp-config: Insecure temporary file handling
+
+ The webapp-config utility insecurely creates temporary files in a world
+ writable directory, potentially allowing the execution of arbitrary
+ commands.
+
+ webapp-config
+ June 17, 2005
+ December 30, 2007: 03
+ 91785
+ local
+
+
+ 1.11
+ 1.11
+
+
+
+

+ webapp-config is a Gentoo Linux utility to help manage the installation + of web-based applications. +

+
+ +

+ Eric Romang discovered webapp-config uses a predictable temporary + filename while processing certain options, resulting in a race + condition. +

+
+ +

+ Successful exploitation of the race condition would allow an attacker + to disrupt the operation of webapp-config, or execute arbitrary shell + commands with the privileges of the user running webapp-config. A local + attacker could use a symlink attack to create or overwrite files with + the permissions of the user running webapp-config. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All webapp-config users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/webapp-config-1.11" +
+ + CVE-2005-1707 + + + jaervosz + + + taviso + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-14.xml b/xml/htdocs/security/en/glsa/glsa-200506-14.xml
new file mode 100644
index 00000000..8fab8197
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-14.xml
@@ -0,0 +1,105 @@
+
+
+
+
+
+
+ Sun and Blackdown Java: Applet privilege escalation
+
+ Sun's and Blackdown's JDK or JRE may allow untrusted applets to elevate
+ their privileges.
+
+ sun-jdk sun-jre-bin blackdown-jre blackdown-jdk
+ June 19, 2005
+ June 19, 2005: 01
+ 96092
+ 96229
+ remote
+
+
+ 1.4.2.08
+ 1.4.2.08
+
+
+ 1.4.2.08
+ 1.4.2.08
+
+
+ 1.4.2.02
+ 1.4.2.02
+
+
+ 1.4.2.02
+ 1.4.2.02
+
+
+
+

+ Sun and Blackdown both provide implementations of the Java + Development Kit (JDK) and Java Runtime Environment (JRE). +

+
+ +

+ Both Sun's and Blackdown's JDK and JRE may allow untrusted applets + to elevate privileges. +

+
+ +

+ A remote attacker could embed a malicious Java applet in a web + page and entice a victim to view it. This applet can then bypass + security restrictions and execute any command or access any file with + the rights of the user running the web browser. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All Sun JDK users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.4.2.08" +

+ All Sun JRE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.4.2.08" +

+ All Blackdown JDK users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/blackdown-jdk-1.4.2.02" +

+ All Blackdown JRE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/blackdown-jre-1.4.2.02" +

+ Note to SPARC users: There is no stable secure Blackdown Java + for the SPARC architecture. Affected users should remove the package + until a SPARC package is released. +

+
+ + Sun Security Alert ID 101749 + Blackdown Java Security Advisory + + + koon + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-15.xml b/xml/htdocs/security/en/glsa/glsa-200506-15.xml
new file mode 100644
index 00000000..b34d27c6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-15.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ PeerCast: Format string vulnerability
+
+ PeerCast suffers from a format string vulnerability that could allow
+ arbitrary code execution.
+
+ peercast
+ June 19, 2005
+ May 22, 2006: 02
+ 96199
+ remote
+
+
+ 0.1212
+ 0.1212
+
+
+
+

+ PeerCast is a media streaming system based on P2P technology. +

+
+ +

+ James Bercegay of the GulfTech Security Research Team discovered that + PeerCast insecurely implements formatted printing when receiving a + request with a malformed URL. +

+
+ +

+ A remote attacker could exploit this vulnerability by sending a request + with a specially crafted URL to a PeerCast server to execute arbitrary + code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PeerCast users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/peercast-0.1212" +
+ + GulfTech Advisory + PeerCast Announcement + CVE-2005-1806 + + + koon + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-16.xml b/xml/htdocs/security/en/glsa/glsa-200506-16.xml
new file mode 100644
index 00000000..b27b972f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-16.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ cpio: Directory traversal vulnerability
+
+ cpio contains a flaw which may allow a specially crafted cpio archive to
+ extract files to an arbitrary directory.
+
+ cpio
+ June 20, 2005
+ June 20, 2005: 01
+ 90619
+ local
+
+
+ 2.6-r3
+ 2.6-r3
+
+
+
+

+ cpio is a file archival tool which can also read and write tar + files. +

+
+ +

+ A vulnerability has been found in cpio that can potentially allow + a cpio archive to extract its files to an arbitrary directory of the + creator's choice. +

+
+ +

+ An attacker could create a malicious cpio archive which would + create files in arbitrary locations on the victim's system. This issue + could also be used in conjunction with a previous race condition + vulnerability (CAN-2005-1111) to change permissions on files owned by + the victim. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All cpio users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/cpio-2.6-r3" +
+ + Original Advisory + CAN-2005-1111 + + + jaervosz + + + lewk + + + jaervosz + +
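Review bot: The references block cites only CAN-2005-1111, which the Impact section itself identifies as the earlier race-condition bug, so the directory traversal this advisory is actually about carries no identifier anywhere in the file. That makes it hard to cross-reference the fix with other vendors' advisories; I would add the traversal's own CVE entry next to the "Original Advisory" link once it has been assigned. The Impact should also say outright that the malicious archive has to be extracted by the victim, which is what the `local` access marker in the header implies but the prose never states.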
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-17.xml b/xml/htdocs/security/en/glsa/glsa-200506-17.xml
new file mode 100644
index 00000000..c7a81228
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-17.xml
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+ SpamAssassin 3, Vipul's Razor: Denial of Service vulnerability
+
+ SpamAssassin and Vipul's Razor are vulnerable to a Denial of Service attack
+ when handling certain malformed messages.
+
+ SpamAssassin, Vipul's Razor
+ June 21, 2005
+ May 22, 2006: 03
+ 94722
+ 95492
+ 96776
+ remote
+
+
+ 3.0.4
+ 3.0.1
+ 3.0.4
+
+
+ 2.74
+ 2.74
+
+
+
+

+ SpamAssassin is an extensible email filter which is used to identify + junk email. Vipul's Razor is a client for a distributed, collaborative + spam detection and filtering network. +

+
+ +

+ SpamAssassin and Vipul's Razor contain a Denial of Service + vulnerability when handling special misformatted long message headers. +

+
+ +

+ By sending a specially crafted message an attacker could cause a Denial + of Service attack against the SpamAssassin/Vipul's Razor server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SpamAssassin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-filter/spamassassin-3.0.4" +

+ All Vipul's Razor users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-filter/razor-2.74" +
+ + CAN-2005-1266 + CVE-2005-2024 + SpamAssassin Announcement + Vipul's Razor Announcement + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-18.xml b/xml/htdocs/security/en/glsa/glsa-200506-18.xml
new file mode 100644
index 00000000..99767367
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-18.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Tor: Information disclosure
+
+ A flaw in Tor may allow the disclosure of arbitrary memory portions.
+
+ tor
+ June 21, 2005
+ May 22, 2006: 02
+ 96320
+ remote
+
+
+ 0.0.9.10
+ 0.0.9.10
+
+
+
+

+ Tor is an implementation of second generation Onion Routing, a + connection-oriented anonymizing communication service. +

+
+ +

+ A bug in Tor allows attackers to view arbitrary memory contents from an + exit server's process space. +

+
+ +

+ A remote attacker could exploit the memory disclosure to gain sensitive + information and possibly even private keys. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Tor users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/tor-0.0.9.10" +
+ + Tor Security Announcement + CVE-2005-2050 + + + vorlon078 + + + DerCorny + + + koon + +
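Review bot: The Impact says the disclosed memory may include private keys, but the Resolution stops at upgrading to 0.0.9.10, which does nothing about keys that may already have been read out of a running exit server before the upgrade. I would add a sentence for exit-node operators after the emerge block, e.g. `Operators of exit servers should assume their private keys may have been disclosed and regenerate them after upgrading.`. Whether Tor's key material can simply be regenerated, and how, is not stated in this file, so the sentence should point to the Tor Security Announcement for the procedure rather than describe one.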
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-19.xml b/xml/htdocs/security/en/glsa/glsa-200506-19.xml
new file mode 100644
index 00000000..16d06c88
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-19.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ SquirrelMail: Several XSS vulnerabilities
+
+ Squirrelmail is vulnerable to several cross-site scripting vulnerabilities
+ which could lead to a compromise of webmail accounts.
+
+ SquirrelMail
+ June 21, 2005
+ June 21, 2005: 01
+ 95937
+ remote
+
+
+ 1.4.4
+ 1.4.0
+ 1.4.4
+
+
+
+

+ SquirrelMail is a webmail package written in PHP. It supports IMAP + and SMTP protocols. +

+
+ +

+ SquirrelMail is vulnerable to several cross-site scripting issues, + most reported by Martijn Brinkers. +

+
+ +

+ By enticing a user to read a specially-crafted e-mail or using a + manipulated URL, an attacker can execute arbitrary scripts running in + the context of the victim's browser. This could lead to a compromise of + the user's webmail account, cookie theft, etc. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SquirrelMail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.4" +

+ Note: Users with the vhosts USE flag set should manually use + webapp-config to finalize the update. +

+
+ + SquirrelMail Advisory + CAN-2005-1769 + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-20.xml b/xml/htdocs/security/en/glsa/glsa-200506-20.xml
new file mode 100644
index 00000000..12569753
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-20.xml
@@ -0,0 +1,82 @@
+
+
+
+
+
+
+ Cacti: Several vulnerabilities
+
+ Cacti is vulnerable to several SQL injection, authentication bypass and
+ file inclusion vulnerabilities.
+
+ cacti
+ June 22, 2005
+ May 22, 2006: 03
+ 96243
+ 97475
+ remote
+
+
+ 0.8.6f
+ 0.8.6f
+
+
+
+

+ Cacti is a complete web-based frontend to rrdtool. +

+
+ +

+ Cacti fails to properly sanitize input which can lead to SQL injection, + authentication bypass as well as PHP file inclusion. +

+
+ +

+ An attacker could potentially exploit the file inclusion to execute + arbitrary code with the permissions of the web server. An attacker + could exploit these vulnerabilities to bypass authentication or inject + SQL queries to gain information from the database. Only systems with + register_globals set to "On" are affected by the file inclusion and + authentication bypass vulnerabilities. Gentoo Linux ships with + register_globals set to "Off" by default. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cacti users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.6f" +

+ Note: Users with the vhosts USE flag set should manually use + webapp-config to finalize the update. +

+
+ + Cacti Release Notes - 0.8.6e + iDEFENSE SQL injection advisory + iDEFENSE config_settings advisory + iDEFENSE remote file inclusion advisory + Cacti Release Notes - 0.8.6f + Hardened - PHP Project Cacti Multiple SQL Injection Vulnerabilities + Hardened - PHP Project Cacti Remote Command Execution Vulnerability + Hardened - PHP Project Cacti Authentification/Addslashes Bypass Vulnerability + CVE-2005-1524 + CVE-2005-1525 + CVE-2005-1526 + + + jaervosz + + + koon + +
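Review bot: The Workaround section says there is none, while the Impact section two paragraphs earlier says the file inclusion and authentication bypass only apply with register_globals set to "On", which Gentoo ships "Off"; the two sections should agree. I would keep the upgrade as the only fix but make the gating explicit in the Workaround text, e.g. `Keeping register_globals set to "Off" prevents the file inclusion and authentication bypass, but not the SQL injection; all users should upgrade.`, since nothing in this advisory ties the SQL injection to register_globals. The vhosts/webapp-config note at the end of the Resolution is the right caveat and should stay.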
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-21.xml b/xml/htdocs/security/en/glsa/glsa-200506-21.xml
new file mode 100644
index 00000000..1583ec1d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-21.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Trac: File upload vulnerability
+
+ Trac may allow remote attackers to upload files, possibly leading to the
+ execution of arbitrary code.
+
+ trac
+ June 22, 2005
+ June 22, 2005: 01
+ 96572
+ remote
+
+
+ 0.8.4
+ 0.8.4
+
+
+
+

+ Trac is a minimalistic web-based project management, wiki and bug + tracking system including a Subversion interface. +

+
+ +

+ Stefan Esser of the Hardened-PHP project discovered that Trac + fails to validate the "id" parameter when uploading attachments to the + wiki or the bug tracking system. +

+
+ +

+ A remote attacker could exploit the vulnerability to upload + arbitrary files to a directory where the webserver has write access to, + possibly leading to the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Trac users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/trac-0.8.4" +
+ + Hardened PHP Advisory 012005 + + + koon + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-22.xml b/xml/htdocs/security/en/glsa/glsa-200506-22.xml
new file mode 100644
index 00000000..495ed057
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-22.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ sudo: Arbitrary command execution
+
+ A vulnerability in sudo may allow local users to elevate privileges.
+
+ sudo
+ June 23, 2005
+ June 23, 2005: 01
+ 96618
+ local
+
+
+ 1.6.8_p9
+ 1.6.8_p9
+
+
+
+

+ sudo allows a system administrator to give users the ability to + run commands as other users. +

+
+ +

+ The sudoers file is used to define the actions sudo users are + permitted to perform. Charles Morris discovered that a specific layout + of the sudoers file could cause the results of an internal check to be + clobbered, leaving sudo vulnerable to a race condition. +

+
+ +

+ Successful exploitation would permit a local sudo user to execute + arbitrary commands as another user. +

+
+ +

+ Reorder the sudoers file using the visudo utility to ensure the + 'ALL' pseudo-command precedes other command definitions. +

+
+ +

+ All sudo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.6.8_p9" +
+ + Sudo Announcement + + + koon + + + taviso + + + jaervosz + +
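Review bot: The Workaround asks administrators to reorder sudoers so the `ALL` pseudo-command precedes other command definitions, but reordering entries can itself change which rule applies to a user (presumably a later matching entry takes precedence; confirm against the Sudo Announcement), so the advisory should tell readers to re-check the resulting policy rather than only the file's syntax. I would append `After editing, verify the effective rules with "sudo -l" for each affected user.` to that paragraph. The references block cites only the Sudo Announcement with no CVE identifier, unlike the other advisories in this batch; if one exists it belongs here.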
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-23.xml b/xml/htdocs/security/en/glsa/glsa-200506-23.xml
new file mode 100644
index 00000000..6f3a6fbf
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-23.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ Clam AntiVirus: Denial of Service vulnerability
+
+ Clam AntiVirus is vulnerable to a Denial of Service attack when processing
+ certain Quantum archives.
+
+ clamav
+ June 27, 2005
+ May 22, 2006: 02
+ 96960
+ remote
+
+
+ 0.86.1
+ 0.86.1
+
+
+
+

+ Clam AntiVirus is a GPL anti-virus toolkit, designed for integration + with mail servers to perform attachment scanning. Clam AntiVirus also + provides a command line scanner and a tool for fetching updates of the + virus database. +

+
+ +

+ Andrew Toller and Stefan Kanthak discovered that a flaw in libmspack's + Quantum archive decompressor renders Clam AntiVirus vulnerable to a + Denial of Service attack. +

+
+ +

+ A remote attacker could exploit this vulnerability to cause a Denial of + Service by sending a specially crafted Quantum archive to the server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Clam AntiVirus users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.86.1" +
+ + Clam AntiVirus Release Notes + CVE-2005-2056 + + + jaervosz + + + DerCorny + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200506-24.xml b/xml/htdocs/security/en/glsa/glsa-200506-24.xml
new file mode 100644
index 00000000..a948b1c6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200506-24.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Heimdal: Buffer overflow vulnerabilities
+
+ Multiple buffer overflow vulnerabilities in Heimdal's telnetd server could
+ allow the execution of arbitrary code.
+
+ heimdal
+ June 29, 2005
+ June 29, 2005: 01
+ 96727
+ remote
+
+
+ 0.6.5
+ 0.6.5
+
+
+
+

+ Heimdal is a free implementation of Kerberos 5 that includes a + telnetd server. +

+
+ +

+ It has been reported that the "getterminaltype" function of + Heimdal's telnetd server is vulnerable to buffer overflows. +

+
+ +

+ An attacker could exploit this vulnerability to execute arbitrary + code with the permission of the telnetd server program. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/heimdal-0.6.5" +
+ + CAN-2005-2040 + Heimdal Advisory 2005-06-20 + + + koon + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-01.xml b/xml/htdocs/security/en/glsa/glsa-200507-01.xml
new file mode 100644
index 00000000..8899f349
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200507-01.xml
@@ -0,0 +1,82 @@
+
+
+
+
+
+
+ PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability
+
+ The PEAR XML-RPC and phpxmlrpc libraries allow remote attackers to execute
+ arbitrary PHP script commands.
+
+ pear-xml_rpc phpxmlrpc
+ July 03, 2005
+ July 03, 2005: 01
+ 97399
+ 97629
+ remote
+
+
+ 1.3.1
+ 1.3.1
+
+
+ 1.1.1
+ 1.1.1
+
+
+
+

+ The PEAR XML-RPC and phpxmlrpc libraries are both PHP + implementations of the XML-RPC protocol. +

+
+ +

+ James Bercegay of GulfTech Security Research discovered that the + PEAR XML-RPC and phpxmlrpc libraries fail to sanatize input sent using + the "POST" method. +

+
+ +

+ A remote attacker could exploit this vulnerability to execute + arbitrary PHP script code by sending a specially crafted XML document + to web applications making use of these libraries. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All PEAR-XML_RPC users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/PEAR-XML_RPC-1.3.1" +

+ All phpxmlrpc users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/phpxmlrpc-1.1.1" +
+ + CAN-2005-1921 + GulfTech Advisory + + + koon + + + koon + + + DerCorny + +
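Review bot: The Resolution upgrades the dev-php/PEAR-XML_RPC and dev-php/phpxmlrpc packages only, but upgrading those does not touch a web application that ships its own copy of the library, and the TikiWiki, phpWebSite and groupware advisories later in this same commit exist precisely because those applications embed the vulnerable XML-RPC code. I would add one sentence to the Resolution so readers do not conclude their applications are covered, e.g. `Web applications that bundle their own copy of PEAR XML-RPC or phpxmlrpc are not fixed by this update and are covered by separate advisories.`. Which other applications in the tree embed the library is not visible from this file.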
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-02.xml b/xml/htdocs/security/en/glsa/glsa-200507-02.xml
new file mode 100644
index 00000000..d6ae95fe
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200507-02.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ WordPress: Multiple vulnerabilities
+
+ WordPress contains PHP script injection, cross-site scripting and path
+ disclosure vulnerabilities.
+
+ wordpress
+ July 04, 2005
+ July 04, 2005: 01
+ 97374
+ remote
+
+
+ 1.5.1.3
+ 1.5.1.3
+
+
+
+

+ WordPress is a PHP and MySQL based content management and + publishing system. +

+
+ +

+ James Bercegay of the GulfTech Security Research Team discovered + that WordPress insufficiently checks data passed to the XML-RPC server. + He also discovered that WordPress has several cross-site scripting and + full path disclosure vulnerabilities. +

+
+ +

+ An attacker could use the PHP script injection vulnerabilities to + execute arbitrary PHP script commands. Furthermore the cross-site + scripting vulnerabilities could be exploited to execute arbitrary + script code in a user's browser session in context of a vulnerable + site. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All WordPress users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/wordpress-1.5.1.3" +
+ + CAN-2005-1921 + GulfTech Advisory + + + jaervosz + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-03.xml b/xml/htdocs/security/en/glsa/glsa-200507-03.xml
new file mode 100644
index 00000000..68436d2e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200507-03.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ phpBB: Arbitrary command execution
+
+ A vulnerability in phpBB allows a remote attacker to execute arbitrary
+ commands with the rights of the web server.
+
+ phpBB
+ July 04, 2005
+ September 03, 2005: 03
+ 97278
+ remote
+
+
+ 2.0.16
+ 2.0.16
+
+
+
+

+ phpBB is an Open Source bulletin board package. +

+
+ +

+ Ron van Daal discovered that phpBB contains a vulnerability in the + highlighting code. +

+
+ +

+ Successful exploitation would grant an attacker unrestricted access to + the PHP exec() or system() functions, allowing the execution of + arbitrary commands with the rights of the web server. +

+
+ +

+ Please follow the instructions given in the phpBB announcement. +

+
+ +

+ The phpBB package is no longer supported by Gentoo Linux and has been + masked in the Portage repository, no further announcements will be + issued regarding phpBB updates. Users who wish to continue using phpBB + are advised to monitor and refer to www.phpbb.com for more information. +

+

+ To continue using the Gentoo-provided phpBB package, please refer to + the Portage documentation on unmasking packages and upgrade to 2.0.16. +

+
+ + CAN-2005-2086 + phpBB Announcement + + + jaervosz + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-04.xml b/xml/htdocs/security/en/glsa/glsa-200507-04.xml
new file mode 100644
index 00000000..ce8dc8bd
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200507-04.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ RealPlayer: Heap overflow vulnerability
+
+ RealPlayer is vulnerable to a heap overflow that could lead to remote
+ execution of arbitrary code.
+
+ realplayer
+ July 06, 2005
+ July 06, 2005: 01
+ 96923
+ remote
+
+
+ 10.0.5
+ 10.0.5
+
+
+
+

+ RealPlayer is a multimedia player capable of handling multiple + multimedia file formats. +

+
+ +

+ RealPlayer is vulnerable to a heap overflow when opening RealMedia + files which make use of RealText. +

+
+ +

+ By enticing a user to play a specially crafted RealMedia file an + attacker could execute arbitrary code with the permissions of the user + running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All RealPlayer users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/realplayer-10.0.5" +
+ + RealNetworks Security Advisory + CAN-2005-1766 + + + koon + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-05.xml b/xml/htdocs/security/en/glsa/glsa-200507-05.xml
new file mode 100644
index 00000000..d24a779f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200507-05.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ zlib: Buffer overflow
+
+ A buffer overflow has been discovered in zlib, potentially resulting in the
+ execution of arbitrary code.
+
+ zlib
+ July 06, 2005
+ July 06, 2005: 01
+ 98121
+ remote
+
+
+ 1.2.2-r1
+ 1.2.2-r1
+
+
+
+

+ zlib is a widely used free and patent unencumbered data + compression library. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a + buffer overflow in zlib. A bounds checking operation failed to take + invalid data into account, allowing a specifically malformed deflate + data stream to overrun a buffer. +

+
+ +

+ An attacker could construct a malformed data stream, embedding it + within network communication or an application file format, potentially + resulting in the execution of arbitrary code when decoded by the + application using the zlib library. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All zlib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.2-r1" +
+ + CAN-2005-2096 + + + taviso + + + koon + +
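Review bot: The Resolution upgrades sys-libs/zlib but is silent on the two cases a shared-library upgrade does not cover: long-running services that already have the old library mapped keep using it until restarted, and applications that link zlib statically or carry a private copy of the deflate code are not fixed at all. Since the Description itself calls zlib "widely used", I would add after the emerge block `Running services that use zlib must be restarted to load the fixed library; applications that bundle or statically link zlib need separate updates.`. Which packages in the tree bundle zlib is not visible from this file, so the sentence should stay generic.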
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-06.xml b/xml/htdocs/security/en/glsa/glsa-200507-06.xml
new file mode 100644
index 00000000..dab53ec4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200507-06.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ TikiWiki: Arbitrary command execution through XML-RPC
+
+ TikiWiki includes PHP XML-RPC code, making it vulnerable to arbitrary
+ command execution.
+
+ Tikiwiki
+ July 06, 2005
+ July 06, 2005: 01
+ 97648
+ remote
+
+
+ 1.8.5-r1
+ 1.8.5-r1
+
+
+
+

+ TikiWiki is a web-based groupware and content management system + (CMS), using PHP, ADOdb and Smarty. TikiWiki includes vulnerable PHP + XML-RPC code. +

+
+ +

+ TikiWiki is vulnerable to arbitrary command execution as described + in GLSA 200507-01. +

+
+ +

+ A remote attacker could exploit this vulnerability to execute + arbitrary PHP code by sending specially crafted XML data. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TikiWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.8.5-r1" +
+ + GLSA 200507-01 + CAN-2005-1921 + + + koon + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-07.xml b/xml/htdocs/security/en/glsa/glsa-200507-07.xml
new file mode 100644
index 00000000..577ffc22
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200507-07.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ phpWebSite: Multiple vulnerabilities
+
+ phpWebSite is vulnerable to the remote execution of arbitrary PHP script
+ code and to other, yet undisclosed, vulnerabilities.
+
+ phpwebsite
+ July 10, 2005
+ July 10, 2005: 01
+ 97461
+ remote
+
+
+ 0.10.1-r1
+ 0.10.1-r1
+
+
+
+

+ phpWebSite is a content management system written in PHP. +

+
+ +

+ phpWebSite fails to sanitize input sent to the XML-RPC server + using the "POST" method. Other unspecified vulnerabilities have been + discovered by Diabolic Crab of Hackers Center. +

+
+ +

+ A remote attacker could exploit the XML-RPC vulnerability to + execute arbitrary PHP script code by sending specially crafted XML data + to phpWebSite. The undisclosed vulnerabilities do have an unknown + impact. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpWebSite users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-app/phpwebsite-0.10.1-r1" +
+ + CAN-2005-1921 + phpWebSite announcement + + + koon + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-08.xml b/xml/htdocs/security/en/glsa/glsa-200507-08.xml
new file mode 100644
index 00000000..5ffe8c9b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200507-08.xml
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+ phpGroupWare, eGroupWare: PHP script injection vulnerability
+
+ phpGroupWare and eGroupWare include an XML-RPC implementation which allows
+ remote attackers to execute arbitrary PHP script commands.
+
+ phpgroupware egroupware
+ July 10, 2005
+ July 10, 2005: 01
+ 97460
+ 97651
+ remote
+
+
+ 0.9.16.006
+ 0.9.16.006
+
+
+ 1.0.0.008
+ 1.0.0.008
+
+
+
+

+ phpGroupWare and eGroupWare are web based collaboration software + suites. +

+
+ +

+ The XML-RPC implementations of phpGroupWare and eGroupWare fail to + sanitize input sent to the XML-RPC server using the "POST" method. +

+
+ +

+ A remote attacker could exploit the XML-RPC vulnerability to + execute arbitrary PHP script code by sending specially crafted XML data + to the XML-RPC servers of phpGroupWare or eGroupWare. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All phpGroupWare users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-app/phpgroupware-0.9.16.006" +

+ All eGroupWare users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-app/egroupware-1.0.0.008" +
+ + CAN-2005-1921 + + + koon + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-09.xml b/xml/htdocs/security/en/glsa/glsa-200507-09.xml new file mode 100644 index 00000000..9b4aa779 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-09.xml @@ -0,0 +1,71 @@ + + + + + + + Adobe Acrobat Reader: Buffer overflow vulnerability + + Adobe Acrobat Reader is vulnerable to a buffer overflow that could lead to + remote execution of arbitrary code. + + acroread + July 11, 2005 + July 11, 2005: 01 + 98101 + remote + + + 7.0 + 5.10 + + + +

+ Adobe Acrobat Reader is a utility used to view PDF files. +

+
+ +

+ A buffer overflow has been discovered in the + UnixAppOpenFilePerform() function, which is called when Adobe Acrobat + Reader tries to open a file with the "\Filespec" tag. +

+
+ +

+ By enticing a user to open a specially crafted PDF document, a + remote attacker could exploit this vulnerability to execute arbitrary + code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Since Adobe will most likely not update the 5.0 series of Adobe + Acrobat Reader for Linux, all users should upgrade to the latest + available version of the 7.0 series: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/acroread-7.0" +
+ + CAN-2005-1625 + iDEFENSE Security Advisory + Adobe Security Advisory + + + koon + + + DerCorny + + + vorlon078 + +
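Review bot: The description writes the PDF tag as `"\Filespec"`; PDF name objects are written with a leading forward slash (`/Filespec`), so the backslash looks like a transcription error and should be checked against the iDEFENSE advisory before publication. The package block is also worth a second look: the vulnerable range appears to stop at 5.10 while the unaffected range starts at 7.0, which leaves any 5.x or 6.x version above 5.10 matched by neither range. If no such ebuilds exist in the tree this is harmless, but the other advisories in this series use the same version on both sides, so the gap here may be unintentional.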
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-10.xml b/xml/htdocs/security/en/glsa/glsa-200507-10.xml new file mode 100644 index 00000000..b4a77564 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-10.xml @@ -0,0 +1,68 @@ + + + + + + + Ruby: Arbitrary command execution through XML-RPC + + A vulnerability in XMLRPC.iPIMethods allows remote attackers to execute + arbitrary commands. + + ruby + July 11, 2005 + July 11, 2005: 01 + 96784 + remote + + + 1.8.2-r2 + 1.8.2-r2 + + + +

+ Ruby is an interpreted scripting language for quick and easy + object-oriented programming. XML-RPC is a remote procedure call + protocol encoded in XML. +

+
+ +

+ Nobuhiro IMAI reported that an invalid default value in "utils.rb" + causes the security protections of the XML-RPC server to fail. +

+
+ +

+ A remote attacker could exploit this vulnerability to execute + arbitrary commands. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ruby users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.2-r2" +
+ + CAN-2005-1992 + Ruby Security Announcement + + + vorlon078 + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-11.xml b/xml/htdocs/security/en/glsa/glsa-200507-11.xml new file mode 100644 index 00000000..503153dc --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-11.xml @@ -0,0 +1,79 @@ + + + + + + + MIT Kerberos 5: Multiple vulnerabilities + + MIT Kerberos 5 is vulnerable to a Denial of Service attack and remote + execution of arbitrary code, possibly leading to the compromise of the + entire Kerberos realm. + + mit-krb5 + July 12, 2005 + July 12, 2005: 01 + 98799 + remote + + + 1.4.1-r1 + 1.4.1-r1 + + + +

+ MIT Kerberos 5 is the free implementation of the Kerberos network + authentication protocol by the Massachusetts Institute of Technology. +

+
+ +

+ Daniel Wachdorf discovered that MIT Kerberos 5 could corrupt the + heap by freeing unallocated memory when receiving a special TCP request + (CAN-2005-1174). He also discovered that the same request could lead to + a single-byte heap overflow (CAN-2005-1175). Magnus Hagander discovered + that krb5_recvauth() function of MIT Kerberos 5 might try to + double-free memory (CAN-2005-1689). +

+
+ +

+ Although exploitation is considered difficult, a remote attacker + could exploit the single-byte heap overflow and the double-free + vulnerability to execute arbitrary code, which could lead to the + compromise of the whole Kerberos realm. A remote attacker could also + use the heap corruption to cause a Denial of Service. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All MIT Kerberos 5 users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.4.1-r1" +
+ + CAN-2005-1174 + CAN-2005-1175 + CAN-2005-1689 + MITKRB5-SA-2005-002 + MITKRB5-SA-2005-003 + + + koon + + + DerCorny + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-12.xml b/xml/htdocs/security/en/glsa/glsa-200507-12.xml new file mode 100644 index 00000000..8149cac4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-12.xml @@ -0,0 +1,73 @@ + + + + + + + Bugzilla: Unauthorized access and information disclosure + + Multiple vulnerabilities in Bugzilla could allow remote users to modify bug + flags or gain sensitive information. + + bugzilla + July 13, 2005 + July 13, 2005: 01 + 98348 + remote + + + 2.18.3 + 2.18.3 + + + +

+ Bugzilla is a web-based bug-tracking system used by many projects. +

+
+ +

+ Bugzilla allows any user to modify the flags of any bug + (CAN-2005-2173). Bugzilla inserts bugs into the database before marking + them as private, in connection with MySQL replication this could lead + to a race condition (CAN-2005-2174). +

+
+ +

+ By manually changing the URL to process_bug.cgi, a remote attacker + could modify the flags of any given bug, which could trigger an email + including the bug summary to be sent to the attacker. The race + condition when using Bugzilla with MySQL replication could lead to a + short timespan (usually less than a second) where the summary of + private bugs is exposed to all users. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All Bugzilla users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/bugzilla-2.18.3" +
+ + CAN-2005-2173 + CAN-2005-2174 + Bugzilla Security Advisory + + + vorlon078 + + + koon + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-13.xml b/xml/htdocs/security/en/glsa/glsa-200507-13.xml new file mode 100644 index 00000000..7acf469d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-13.xml @@ -0,0 +1,83 @@ + + + + + + + pam_ldap and nss_ldap: Plain text authentication leak + + pam_ldap and nss_ldap fail to restart TLS when following a referral, + possibly leading to credentials being sent in plain text. + + pam_ldap nss_ldap + July 14, 2005 + July 14, 2005: 01 + 96767 + remote + + + 239-r1 + 226-r1 + 239-r1 + + + 178-r1 + 178-r1 + + + +

+ pam_ldap is a Pluggable Authentication Module which allows + authentication against an LDAP directory. nss_ldap is a Name Service + Switch module which allows 'passwd', 'group' and 'host' database + information to be pulled from LDAP. TLS is Transport Layer Security, a + protocol that allows encryption of network communications. +

+
+ +

+ Rob Holland of the Gentoo Security Audit Team discovered that + pam_ldap and nss_ldap fail to use TLS for referred connections if they + are referred to a master after connecting to a slave, regardless of the + "ssl start_tls" ldap.conf setting. +

+
+ +

+ An attacker could sniff passwords or other sensitive information + as the communication is not encrypted. +

+
+ +

+ pam_ldap and nss_ldap can be set to force the use of SSL instead + of TLS. +

+
+ +

+ All pam_ldap users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-auth/pam_ldap-178-r1" +

+ All nss_ldap users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose sys-auth/nss_ldap +
+ + CAN-2005-2069 + + + tigger + + + tigger + + + koon + +
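Review bot: The workaround says pam_ldap and nss_ldap "can be set to force the use of SSL instead of TLS" but does not name the setting, even though the description already refers to the `ssl start_tls` option in ldap.conf; naming the alternative value (`ssl on`, which opens an ldaps connection instead of upgrading a plaintext one) would make the workaround actionable. The nss_ldap resolution uses a bare `sys-auth/nss_ldap` atom where the pam_ldap line pins `>=sys-auth/pam_ldap-178-r1`; that is defensible because the nss_ldap package block lists two unaffected branches (239-r1 and 226-r1), but a short sentence saying so would keep readers from reading it as an omission.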
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-14.xml b/xml/htdocs/security/en/glsa/glsa-200507-14.xml new file mode 100644 index 00000000..27fc1c7e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-14.xml @@ -0,0 +1,100 @@ + + + + + + + Mozilla Firefox: Multiple vulnerabilities + + Several vulnerabilities in Mozilla Firefox allow attacks ranging from + execution of script code with elevated privileges to information leak. + + mozilla + July 15, 2005 + July 15, 2005: 01 + 95199 + remote + + + 1.0.5 + 1.0.5 + + + 1.0.5 + 1.0.5 + + + +

+ Mozilla Firefox is the next-generation web browser from the + Mozilla project. +

+
+ +

+ The following vulnerabilities were found and fixed in Mozilla + Firefox: +

+
    +
  • "moz_bug_r_a4" and "shutdown" discovered that + Firefox was improperly cloning base objects (MFSA 2005-56).
  • +
  • Michael Krax reported that Firefox was not correctly handling + JavaScript URLs from external applications (MFSA 2005-53), and that the + "Set as wallpaper" function in versions 1.0.3 and 1.0.4 could be abused + to load JavaScript (MFSA 2005-47).
  • +
  • Several researchers + reported ways to trick Firefox into accepting events generated by web + content (MFSA 2005-45).
  • +
  • Kohei Yoshino discovered a new way to + inject script from the sidebar panel using data: (MFSA 2005-49).
  • +
  • "moz_bug_r_a4" reported that Firefox failed to validate XHTML DOM + nodes properly (MFSA 2005-55), and that XBL scripts ran even when + Javascript is disabled (MFSA 2005-46).
  • +
  • "shutdown" discovered a + possibly exploitable crash in InstallVersion.compareTo (MFSA + 2005-50).
  • +
  • Finally, Secunia discovered that a child frame can + call top.focus() even if the framing page comes from a different origin + and has overridden the focus() routine (MFSA 2005-52), and that the + frame injection spoofing bug fixed in 1.0.2 was mistakenly reintroduced + in 1.0.3 and 1.0.4 (MFSA 2005-51).
  • +
+
+ +

+ A remote attacker could craft malicious web pages that would + leverage these issues to inject and execute arbitrary script code with + elevated privileges, steal cookies or other information from web pages, + or spoof content. +

+
+ +

+ There are no known workarounds for all the issues at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.5" +

+ All Mozilla Firefox binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.5" +
+ + Mozilla Foundation Security Advisories + + + koon + + + jaervosz + +
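Review bot: The references section carries only the generic "Mozilla Foundation Security Advisories" link, although the description cites ten individual MFSA identifiers and the other advisories in this series list their CAN identifiers explicitly. Listing the individual MFSA entries, and whatever CAN identifiers have been assigned to them, as references would let readers and tooling correlate this advisory with upstream without parsing the prose. glsa-200507-17 and glsa-200507-24 have the same gap.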
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-15.xml b/xml/htdocs/security/en/glsa/glsa-200507-15.xml new file mode 100644 index 00000000..38d9cd30 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-15.xml @@ -0,0 +1,70 @@ + + + + + + + PHP: Script injection through XML-RPC + + PHP includes an XML-RPC implementation which allows remote attackers to + execute arbitrary PHP script commands. + + PHP + July 15, 2005 + July 15, 2005: 01 + 97655 + remote + + + 4.4.0 + 4.4.0 + + + +

+ PHP is a general-purpose scripting language widely used to develop + web-based applications. It can run inside a web server using the + mod_php module or the CGI version of PHP, or can run stand-alone in a + CLI. +

+
+ +

+ James Bercegay has discovered that the XML-RPC implementation in + PHP fails to sanitize input passed in an XML document, which is used in + an "eval()" statement. +

+
+ +

+ A remote attacker could exploit the XML-RPC vulnerability to + execute arbitrary PHP script code by sending specially crafted XML data + to applications making use of this XML-RPC implementation. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/php-4.4.0" +
+ + CAN-2005-1921 + + + koon + + + formula7 + + + koon + +
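Review bot: The product field is given as `PHP` while every other advisory in this batch uses the lowercase package name (phpwebsite, ruby, zlib, and so on), and the emerge atom in the same file is `dev-php/php-4.4.0`; the field should be `php` for consistency with the package it refers to. glsa-200507-27 has the same issue with `Ethereal` versus `net-analyzer/ethereal`.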
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-16.xml b/xml/htdocs/security/en/glsa/glsa-200507-16.xml new file mode 100644 index 00000000..2322c919 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-16.xml @@ -0,0 +1,67 @@ + + + + + + + dhcpcd: Denial of Service vulnerability + + A vulnerability in dhcpcd may cause the dhcpcd daemon to crash. + + dhcpcd + July 15, 2005 + July 15, 2005: 01 + 98394 + remote + + + 1.3.22_p4-r11 + 1.3.22_p4-r11 + + + +

+ dhcpcd is a standards compliant DHCP client daemon. It requests an + IP address and other information from the DHCP server, automatically + configures the network interface, and tries to renew the lease time. +

+
+ +

+ infamous42md discovered that dhcpcd can be tricked to read past + the end of the supplied DHCP buffer. As a result, this might lead to a + crash of the daemon. +

+
+ +

+ With a malicious DHCP server an attacker could cause a Denial of + Service by crashing the DHCP client. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All dhcpcd users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/dhcpcd-1.3.22_p4-r11" +
+ + CAN-2005-1848 + + + koon + + + adir + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-17.xml b/xml/htdocs/security/en/glsa/glsa-200507-17.xml new file mode 100644 index 00000000..db1fe5e2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-17.xml @@ -0,0 +1,101 @@ + + + + + + + Mozilla Thunderbird: Multiple vulnerabilities + + Several vulnerabilities in Mozilla Thunderbird allow attacks ranging from + execution of script code with elevated privileges to information leak. + + thunderbird + July 18, 2005 + July 18, 2005: 01 + 98855 + remote + + + 1.0.5 + 1.0.5 + + + 1.0.5 + 1.0.5 + + + +

+ Mozilla Thunderbird is the next-generation mail client from the + Mozilla project. +

+
+ +

+ The following vulnerabilities were found and fixed in Mozilla + Thunderbird: +

+
    +
  • "moz_bug_r_a4" and "shutdown" discovered + that Thunderbird was improperly cloning base objects (MFSA + 2005-56).
  • +
  • "moz_bug_r_a4" also reported that Thunderbird was + overly trusting contents, allowing privilege escalation via property + overrides (MFSA 2005-41, 2005-44), that it failed to validate XHTML DOM + nodes properly (MFSA 2005-55), and that XBL scripts ran even when + Javascript is disabled (MFSA 2005-46).
  • +
  • "shutdown" discovered a + possibly exploitable crash in InstallVersion.compareTo (MFSA + 2005-50).
  • +
  • Andreas Sandblad from Secunia reported that a child + frame can call top.focus() even if the framing page comes from a + different origin and has overridden the focus() routine (MFSA + 2005-52).
  • +
  • Georgi Guninski reported missing Install object + instance checks in the native implementations of XPInstall-related + JavaScript objects (MFSA 2005-40).
  • +
  • Finally, Vladimir V. + Perepelitsa discovered a memory disclosure bug in JavaScript's regular + expression string replacement when using an anonymous function as the + replacement argument (CAN-2005-0989 and MFSA 2005-33).
  • +
+
+ +

+ A remote attacker could craft malicious email messages that would + leverage these issues to inject and execute arbitrary script code with + elevated privileges or help in stealing information. +

+
+ +

+ There are no known workarounds for all the issues at this time. +

+
+ +

+ All Mozilla Thunderbird users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.0.5" +

+ All Mozilla Thunderbird binary users should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.0.5" +
+ + Mozilla Foundation Security Advisories + CAN-2005-0989 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-18.xml b/xml/htdocs/security/en/glsa/glsa-200507-18.xml new file mode 100644 index 00000000..43f6f58c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-18.xml @@ -0,0 +1,69 @@ + + + + + + + MediaWiki: Cross-site scripting vulnerability + + MediaWiki is vulnerable to a cross-site scripting attack that could allow + arbitrary JavaScript code execution. + + mediawiki + July 20, 2005 + August 11, 2005: 03 + 99132 + remote + + + 1.4.6 + 1.4.6 + + + +

+ MediaWiki is a collaborative editing software, used by big projects + like Wikipedia. +

+
+ +

+ MediaWiki fails to escape a parameter in the page move template + correctly. +

+
+ +

+ By enticing a user to visit a specially crafted URL, a remote attacker + could exploit this vulnerability to inject malicious JavaScript code + that will be executed in a user's browser session in the context of the + vulnerable site. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MediaWiki users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.4.7" +
+ + CAN-2005-2396 + MediaWiki Release Notes + + + koon + + + koon + + + DerCorny + +
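Review bot: The version metadata and the resolution disagree: the package block gives 1.4.6 as the fixed version, while the emerge line requires `>=www-apps/mediawiki-1.4.7`. Since the ranges in the package block are what automated checks compare against installed packages, a user on 1.4.6 would be reported as unaffected even though the advised upgrade target is 1.4.7; one of the two should be corrected so they match. The revision counter (03) suggests the resolution was bumped after initial publication, so the package range is probably the stale side, but that needs confirming against the bug.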
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-19.xml b/xml/htdocs/security/en/glsa/glsa-200507-19.xml new file mode 100644 index 00000000..03b765f5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-19.xml @@ -0,0 +1,68 @@ + + + + + + + zlib: Buffer overflow + + zlib is vulnerable to a buffer overflow which could potentially lead to + execution of arbitrary code. + + zlib + July 22, 2005 + July 22, 2005: 01 + 99751 + remote + + + 1.2.3 + 1.2.3 + + + +

+ zlib is a widely used free and patent unencumbered data + compression library. +

+
+ +

+ zlib improperly handles invalid data streams which could lead to a + buffer overflow. +

+
+ +

+ By creating a specially crafted compressed data stream, attackers + can overwrite data structures for applications that use zlib, resulting + in arbitrary code execution or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All zlib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.3" +
+ + Full Disclosure Announcement + CAN-2005-1849 + + + jaervosz + + + adir + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-20.xml b/xml/htdocs/security/en/glsa/glsa-200507-20.xml new file mode 100644 index 00000000..9f038dd5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-20.xml @@ -0,0 +1,72 @@ + + + + + + + Shorewall: Security policy bypass + + A vulnerability in Shorewall allows clients authenticated by MAC address + filtering to bypass all other security rules. + + shorewall + July 22, 2005 + September 14, 2005: 02 + 99398 + remote + + + 2.4.2 + 2.4.1 + + + +

+ Shorewall is a high level tool for configuring Netfilter, the firewall + facility included in the Linux Kernel. +

+
+ +

+ Shorewall fails to enforce security policies if configured with + "MACLIST_DISPOSITION" set to "ACCEPT" or "MACLIST_TTL" set to a value + greater or equal to 0. +

+
+ +

+ A client authenticated by MAC address filtering could bypass all + security policies, possibly allowing him to gain access to restricted + services. The default installation has MACLIST_DISPOSITION=REJECT and + MACLIST_TTL=(blank) (equivalent to 0). This can be checked by looking + at the settings in /etc/shorewall/shorewall.conf +

+
+ +

+ Set "MACLIST_TTL" to "0" and "MACLIST_DISPOSITION" to "REJECT" in the + Shorewall configuration file (usually /etc/shorewall/shorewall.conf). +

+
+ +

+ All Shorewall users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose net-firewall/shorewall +
+ + CAN-2005-2317 + Shorewall Announcement + + + koon + + + DerCorny + + + DerCorny + +
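Review bot: The description says the policy bypass occurs when `MACLIST_TTL` is set to a value "greater or equal to 0", but the impact section calls the default (blank, equivalent to 0) the safe configuration and the workaround tells users to set `MACLIST_TTL` to 0; as written, the description marks the recommended value as vulnerable. Presumably the intended wording is "greater than 0", which should be checked against the Shorewall announcement and corrected. The resolution also uses a bare `net-firewall/shorewall` atom although the package block names 2.4.2 as the unaffected version, so the command does not guarantee that the fixed version is pulled in; the other advisories in this series pin it, e.g. `">=net-firewall/shorewall-2.4.2"`. glsa-200507-28 has the same unpinned atom against an unaffected version of 2.1.2.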
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-21.xml b/xml/htdocs/security/en/glsa/glsa-200507-21.xml new file mode 100644 index 00000000..7062e6c2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-21.xml @@ -0,0 +1,66 @@ + + + + + + + fetchmail: Buffer Overflow + + fetchmail is susceptible to a buffer overflow resulting in a Denial of + Service or arbitrary code execution. + + fetchmail + July 25, 2005 + July 25, 2005: 01 + 99865 + remote + + + 6.2.5.2 + 6.2.5.2 + + + +

+ fetchmail is a utility that retrieves and forwards mail from + remote systems using IMAP, POP, and other protocols. +

+
+ +

+ fetchmail does not properly validate UIDs coming from a POP3 mail + server. The UID is placed in a fixed length buffer on the stack, which + can be overflown. +

+
+ +

+ Very long UIDs returned from a malicious or compromised POP3 + server can cause fetchmail to crash, resulting in a Denial of Service, + or allow arbitrary code to be placed on the stack. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All fetchmail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.2.5.2" +
+ + Fetchmail Security Advisory + CAN-2005-2335 + + + r2d2 + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-22.xml b/xml/htdocs/security/en/glsa/glsa-200507-22.xml new file mode 100644 index 00000000..7d9cc3a2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-22.xml @@ -0,0 +1,66 @@ + + + + + + + sandbox: Insecure temporary file handling + + The sandbox utility may create temporary files in an insecure manner. + + sandbox + July 25, 2005 + August 11, 2005: 02 + 96782 + local + + + 1.2.11 + 1.2.11 + + + +

+ sandbox is a Gentoo Linux utility used by the Portage package + management system. +

+
+ +

+ The Gentoo Linux Security Audit Team discovered that the sandbox + utility was vulnerable to multiple TOCTOU (Time of Check, Time of Use) + file creation race conditions. +

+
+ +

+ Local users may be able to create or overwrite arbitrary files with the + permissions of the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All sandbox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/sandbox-1.2.11" +
+ + CAN-2005-2449 + + + jaervosz + + + taviso + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-23.xml b/xml/htdocs/security/en/glsa/glsa-200507-23.xml new file mode 100644 index 00000000..9b2f3739 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-23.xml @@ -0,0 +1,77 @@ + + + + + + + Kopete: Vulnerability in included Gadu library + + Kopete is vulnerable to several input validation vulnerabilities which may + lead to execution of arbitrary code. + + kopete + July 25, 2005 + July 25, 2005: 01 + 99754 + remote + + + 3.4.1-r1 + 3.3.2-r2 + 3.4.1-r1 + + + 3.4.1-r1 + 3.4.1-r1 + + + +

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like Operating Systems. Kopete (also part of kdenetwork) is the + KDE Instant Messenger. +

+
+ +

+ Kopete contains an internal copy of libgadu and is therefore + subject to several input validation vulnerabilities in libgadu. +

+
+ +

+ A remote attacker could exploit this vulnerability to execute + arbitrary code or crash Kopete. +

+
+ +

+ Delete all Gadu Gadu contacts. +

+
+ +

+ All Kopete users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose kde-base/kdenetwork +

+ All KDE Split Ebuild Kopete users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kopete-3.4.1-r1" +
+ + KDE Security Advisory: libgadu vulnerabilities + CAN-2005-1852 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-24.xml b/xml/htdocs/security/en/glsa/glsa-200507-24.xml new file mode 100644 index 00000000..b8ab7f74 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-24.xml @@ -0,0 +1,112 @@ + + + + + + + Mozilla Suite: Multiple vulnerabilities + + Several vulnerabilities in the Mozilla Suite allow attacks ranging from the + execution of javascript code with elevated privileges to information + leakage. + + mozilla + July 26, 2005 + July 26, 2005: 01 + 98846 + remote + + + 1.7.10 + 1.7.10 + + + 1.7.10 + 1.7.10 + + + +

+ The Mozilla Suite is an all-in-one Internet application suite + including a web browser, an advanced e-mail and newsgroup client, IRC + client and HTML editor. +

+
+ +

+ The following vulnerabilities were found and fixed in the Mozilla + Suite: +

+
    +
  • "moz_bug_r_a4" and "shutdown" discovered that the + Mozilla Suite was improperly cloning base objects (MFSA 2005-56).
  • +
  • "moz_bug_r_a4" reported that the suite failed to validate XHTML DOM + nodes properly (MFSA 2005-55).
  • +
  • Secunia reported that alerts + and prompts scripts are presented with the generic title [JavaScript + Application] which could lead to tricking a user (MFSA 2005-54).
  • +
  • Andreas Sandblad of Secunia reported that top.focus() can be called + in the context of a child frame even if the framing page comes from a + different origin and has overridden the focus() routine (MFSA + 2005-52).
  • +
  • Secunia reported that a frame-injection spoofing bug + which was fixed in earlier versions, was accidently bypassed in Mozilla + Suite 1.7.7 (MFSA 2005-51).
  • +
  • "shutdown" reported that + InstallVersion.compareTo() might be exploitable. When it gets an object + rather than a string, the browser would generally crash with an access + violation (MFSA 2005-50).
  • +
  • Matthew Mastracci reported that by + forcing a page navigation immediately after calling the install method + can end up running in the context of the new page selected by the + attacker (MFSA 2005-48).
  • +
  • "moz_bug_r_a4" reported that XBL + scripts run even when Javascript is disabled (MFSA 2005-46).
  • +
  • + Omar Khan, Jochen, "shutdown" and Matthew Mastracci reported that the + Mozilla Suite incorrectly distinguished between true events like mouse + clicks or keystrokes and synthetic events generated by a web content + (MFSA 2005-45).
  • +
+
+ +

+ A remote attacker could craft malicious web pages that would + leverage these issues to inject and execute arbitrary javascript code + with elevated privileges, steal cookies or other information from web + pages, or spoof content. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Suite users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.10" +

+ All Mozilla Suite binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.10" +
+ + Mozilla Foundation Security Advisories + + + DerCorny + + + DerCorny + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-25.xml b/xml/htdocs/security/en/glsa/glsa-200507-25.xml new file mode 100644 index 00000000..0b2ea759 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-25.xml @@ -0,0 +1,70 @@ + + + + + + + Clam AntiVirus: Integer overflows + + Clam AntiVirus is vulnerable to integer overflows when handling several + file formats, potentially resulting in the execution of arbitrary code. + + clamav + July 26, 2005 + August 11, 2005: 02 + 100178 + remote + + + 0.86.2 + 0.86.2 + + + +

+ Clam AntiVirus is a GPL anti-virus toolkit, designed for integration + with mail servers to perform attachment scanning. Clam AntiVirus also + provides a command line scanner and a tool for fetching updates of the + virus database. +

+
+ +

+ Neel Mehta and Alex Wheeler discovered that Clam AntiVirus is + vulnerable to integer overflows when handling the TNEF, CHM and FSG + file formats. +

+
+ +

+ By sending a specially-crafted file an attacker could execute arbitrary + code with the permissions of the user running Clam AntiVirus. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Clam AntiVirus users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.86.2" +
+ + CAN-2005-2450 + Clam AntiVirus: Release Notes + + + jaervosz + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-26.xml b/xml/htdocs/security/en/glsa/glsa-200507-26.xml new file mode 100644 index 00000000..caf86243 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-26.xml @@ -0,0 +1,115 @@ + + + + + + + GNU Gadu, CenterICQ, Kadu, EKG, libgadu: Remote code execution in Gadu library + + GNU Gadu, CenterICQ, Kadu, EKG and libgadu are vulnerable to an integer + overflow which could potentially lead to the execution of arbitrary code or + a Denial of Service. + + gnugadu centericq kadu ekg libgadu + July 27, 2005 + February 26, 2007: 02 + 99816 + 99890 + 99583 + remote + + + 2.2.6-r1 + 2.2.6-r1 + + + 4.20.0-r3 + 4.20.0-r3 + + + 0.4.1 + 0.4.1 + + + 1.6_rc3 + 1.6_rc3 + + + 1.7.0_pre20050719 + 1.7.0_pre20050719 + + + +

+ GNU Gadu, CenterICQ, Kadu and EKG are instant messaging applications + created to support Gadu Gadu instant messaging protocol. libgadu is a + library that implements the client side of the Gadu-Gadu protocol. +

+
+ +

+ GNU Gadu, CenterICQ, Kadu, EKG and libgadu are vulnerable to an integer + overflow. +

+
+ +

+ A remote attacker could exploit the integer overflow to execute + arbitrary code or cause a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GNU Gadu users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/gnugadu-2.2.6-r1" +

+ All Kadu users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/kadu-0.4.1" +

+ All EKG users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/ekg-1.6_rc3" +

+ All libgadu users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/libgadu-20050719" +

+ All CenterICQ users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/centericq-4.20.0-r3" +

+ CenterICQ is no longer distributed with Gadu Gadu support, affected + users are encouraged to migrate to an alternative package. +

+
+ + CAN-2005-1852 + BugTraq Announcement + + + jaervosz + + + adir + + + DerCorny + +
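Review bot: The libgadu package block lists 1.7.0_pre20050719 as the version boundary, but the resolution command requires `>=net-libs/libgadu-20050719`, which is a different version string. If the ebuild is really versioned 1.7.0_pre20050719 the emerge atom as given will not match it, and if 20050719 is the real ebuild version then the package range is wrong; one side should be aligned with what is in the tree. The CenterICQ instruction could also be clearer: users are told to upgrade to 4.20.0-r3 and, in the following paragraph, that the package no longer ships Gadu Gadu support, so stating that the upgrade removes the affected code rather than fixing it would make the resolution easier to act on.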
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-27.xml b/xml/htdocs/security/en/glsa/glsa-200507-27.xml new file mode 100644 index 00000000..e604d1a1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200507-27.xml @@ -0,0 +1,81 @@ + + + + + + + Ethereal: Multiple vulnerabilities + + Ethereal is vulnerable to numerous vulnerabilities potentially resulting in + the execution of arbitrary code or abnormal termination. + + Ethereal + July 28, 2005 + July 28, 2005: 01 + 100316 + remote + + + 0.10.12 + 0.10.12 + + + +

+ Ethereal is a feature-rich network protocol analyzer. +

+
+ +

+ There are numerous vulnerabilities in versions of Ethereal prior + to 0.10.12, including: +

+
    +
  • The SMB dissector could overflow a + buffer or exhaust memory (CAN-2005-2365).
  • +
  • iDEFENSE discovered + that several dissectors are vulnerable to format string overflows + (CAN-2005-2367).
  • +
  • Additionally multiple potential crashes in + many dissectors have been fixed, see References for further + details.
  • +
+
+ +

+ An attacker might be able to use these vulnerabilities to crash + Ethereal or execute arbitrary code with the permissions of the user + running Ethereal, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ethereal users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.10.12"
+
+
+ Ethereal enpa-sa-00020
+ CAN-2005-2360
+ CAN-2005-2361
+ CAN-2005-2362
+ CAN-2005-2363
+ CAN-2005-2364
+ CAN-2005-2365
+ CAN-2005-2366
+ CAN-2005-2367
+
+
+ jaervosz
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-28.xml b/xml/htdocs/security/en/glsa/glsa-200507-28.xml
new file mode 100644
index 00000000..eec04e84
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200507-28.xml
@@ -0,0 +1,72 @@
+
+
+
+
+
+
+ AMD64 x86 emulation base libraries: Buffer overflow
+
+ The x86 emulation base libraries for AMD64 contain a vulnerable version of
+ zlib which could potentially lead to execution of arbitrary code.
+
+ emul-linux-x86-baselibs
+ July 30, 2005
+ August 02, 2005: 02
+ 100686
+ remote
+
+
+ 2.1.2
+ 2.1.2
+
+
+
+

+ The x86 emulation base libraries for AMD64 emulate the x86 (32-bit) + architecture on the AMD64 (64-bit) architecture. +

+
+ +

+ Earlier versions of emul-linux-x86-baselibs contain a vulnerable + version of zlib, which may lead to a buffer overflow. +

+
+ +

+ By creating a specially crafted compressed data stream, attackers can + overwrite data structures for applications that use the x86 emulation + base libraries for AMD64, resulting in a Denial of Service and + potentially arbitrary code execution. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All AMD64 x86 emulation base libraries users should upgrade to the + latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose app-emulation/emul-linux-x86-baselibs
+
+
+ GLSA 200507-05
+ GLSA 200507-19
+ CAN-2005-1849
+ CAN-2005-2096
+
+
+ koon
+
+
+ koon
+
+
+ adir
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200507-29.xml b/xml/htdocs/security/en/glsa/glsa-200507-29.xml
new file mode 100644
index 00000000..2c652690
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200507-29.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ pstotext: Remote execution of arbitrary code
+
+ pstotext contains a vulnerability which can potentially result in the
+ execution of arbitrary code.
+
+ pstotext
+ July 31, 2005
+ August 11, 2005: 02
+ 100245
+ remote
+
+
+ 1.8g-r1
+ 1.8g-r1
+
+
+
+

+ pstotext is a program that works with GhostScript to extract plain text + from PostScript and PDF files. +

+
+ +

+ Max Vozeler reported that pstotext calls the GhostScript interpreter on + untrusted PostScript files without specifying the -dSAFER option. +

+
+ +

+ An attacker could craft a malicious PostScript file and entice a user + to run pstotext on it, resulting in the execution of arbitrary commands + with the permissions of the user running pstotext. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All pstotext users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/pstotext-1.8g-r1"
+
+
+ CAN-2005-2536
+ Secunia Advisory SA16183
+
+
+ koon
+
+
+ adir
+
+
+ adir
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-01.xml b/xml/htdocs/security/en/glsa/glsa-200508-01.xml
new file mode 100644
index 00000000..a189b348
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-01.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ Compress::Zlib: Buffer overflow
+
+ Compress::Zlib is vulnerable to a buffer overflow which could potentially
+ lead to execution of arbitrary code.
+
+ Compress-Zlib
+ August 01, 2005
+ May 28, 2009: 02
+ 100540
+ remote
+
+
+ 1.35
+ 1.35
+
+
+
+

+ The Compress::Zlib is a Perl module which provides an interface to + the zlib compression library. +

+
+ +

+ Compress::Zlib 1.34 contains a local vulnerable version of zlib, + which may lead to a buffer overflow. +

+
+ +

+ By creating a specially crafted compressed data stream, attackers + can overwrite data structures for applications that use Compress::Zlib, + resulting in a Denial of Service and potentially arbitrary code + execution. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Compress::Zlib users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=perl-core/Compress-Zlib-1.35"
+
+
+ GLSA 200507-19
+ GLSA 200507-05
+ CAN-2005-1849
+ CAN-2005-2096
+
+
+ koon
+
+
+ adir
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-02.xml b/xml/htdocs/security/en/glsa/glsa-200508-02.xml
new file mode 100644
index 00000000..6d657876
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-02.xml
@@ -0,0 +1,74 @@
+
+
+
+
+
+
+ ProFTPD: Format string vulnerabilities
+
+ Under specific circumstances, ProFTPD is vulnerable to format string
+ vulnerabilities, potentially resulting in the execution of arbitrary code.
+
+ proftpd
+ August 01, 2005
+ August 01, 2005: 01
+ 100364
+ remote
+
+
+ 1.2.10-r7
+ 1.2.10-r7
+
+
+
+

+ ProFTPD is a configurable GPL-licensed FTP server software. +

+
+ +

"infamous42md" reported that ProFTPD is vulnerable to format + string vulnerabilities when displaying a shutdown message containing + the name of the current directory, and when displaying response + messages to the client using information retrieved from a database + using mod_sql. +

+
+ +

+ A remote attacker could create a directory with a malicious name + that would trigger the format string issue if specific variables are + used in the shutdown message, potentially resulting in a Denial of + Service or the execution of arbitrary code with the rights of the user + running the ProFTPD server. An attacker with control over the database + contents could achieve the same result by introducing malicious + messages that would trigger the other format string issue when used in + server responses. +

+
+ +

+ Do not use the "%C", "%R", or "%U" in shutdown messages, and do + not set the "SQLShowInfo" directive. +

+
+ +

+ All ProFTPD users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.2.10-r7"
+
+
+ CAN-2005-2390
+
+
+ koon
+
+
+ adir
+
+
+ DerCorny
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-03.xml b/xml/htdocs/security/en/glsa/glsa-200508-03.xml
new file mode 100644
index 00000000..6f7af32e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-03.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ nbSMTP: Format string vulnerability
+
+ nbSMTP is vulnerable to a format string vulnerability which may result in
+ remote execution of arbitrary code.
+
+ nbsmtp
+ August 02, 2005
+ August 11, 2005: 02
+ 100274
+ remote
+
+
+ 1.00
+ 1.00
+
+
+
+

+ nbSMTP is an SMTP client suitable to run in chroot jails, in embedded + systems, laptops and workstations. +

+
+ +

+ Niels Heinen discovered a format string vulnerability. +

+
+ +

+ An attacker can setup a malicious SMTP server and exploit this + vulnerability to execute arbitrary code with the permissions of the + user running nbSMTP. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All nbSMTP users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-mta/nbsmtp-1.0"
+
+
+ CAN-2005-2409
+ nbSMTP official site
+
+
+ koon
+
+
+ adir
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-04.xml b/xml/htdocs/security/en/glsa/glsa-200508-04.xml
new file mode 100644
index 00000000..849c257d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-04.xml
@@ -0,0 +1,79 @@
+
+
+
+
+
+
+ Netpbm: Arbitrary code execution in pstopnm
+
+ The pstopnm utility, part of the Netpbm tools, contains a vulnerability
+ which can potentially result in the execution of arbitrary code.
+
+ Netpbm
+ August 05, 2005
+ May 28, 2009: 06
+ 100398
+ remote
+
+
+ 10.28
+ 10.26.32
+ 10.26.33
+ 10.26.42
+ 10.26.43
+ 10.26.44
+ 10.26.48
+ 10.26.49
+ 10.26.59
+ 10.26.61
+ 10.28
+
+
+
+

+ Netpbm is a package of 220 graphics programs and a programming + libraries, including pstopnm. pstopnm is a tool which converts + PostScript files to PNM image files. +

+
+ +

+ Max Vozeler reported that pstopnm calls the GhostScript interpreter on + untrusted PostScript files without specifying the -dSAFER option, to + convert a PostScript file into a PBM, PGM, or PNM file. +

+
+ +

+ An attacker could craft a malicious PostScript file and entice a user + to run pstopnm on it, resulting in the execution of arbitrary commands + with the permissions of the user running pstopnm. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Netpbm users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose media-libs/netpbm
+
+
+ CAN-2005-2471
+ Secunia Advisory SA16184
+
+
+ koon
+
+
+ adir
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-05.xml b/xml/htdocs/security/en/glsa/glsa-200508-05.xml
new file mode 100644
index 00000000..897de7a5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-05.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ Heartbeat: Insecure temporary file creation
+
+ Heartbeat is vulnerable to symlink attacks, potentially allowing a local
+ user to overwrite arbitrary files.
+
+ Heartbeat
+ August 07, 2005
+ August 07, 2005: 01
+ 97175
+ local
+
+
+ 1.2.3-r1
+ 1.2.3-r1
+
+
+
+

+ Heartbeat is a component of the High-Availability Linux project. + It it used to perform death-of-node detection, communications and + cluster management. +

+
+ +

+ Eric Romang has discovered that Heartbeat insecurely creates + temporary files with predictable filenames. +

+
+ +

+ A local attacker could create symbolic links in the temporary file + directory, pointing to a valid file somewhere on the filesystem. When a + vulnerable script is executed, this could lead to the file being + overwritten with the rights of the user running the affected + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Heartbeat users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-cluster/heartbeat-1.2.3-r1"
+
+
+ CAN-2005-2231
+
+
+ koon
+
+
+ formula7
+
+
+ formula7
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-06.xml b/xml/htdocs/security/en/glsa/glsa-200508-06.xml
new file mode 100644
index 00000000..9ad35420
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-06.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ Gaim: Remote execution of arbitrary code
+
+ Gaim is vulnerable to a buffer overflow which could lead to the execution
+ of arbitrary code or to a Denial of Service.
+
+ Gaim
+ August 15, 2005
+ August 15, 2005: 01
+ 102000
+ remote
+
+
+ 1.5.0
+ 1.5.0
+
+
+
+

+ Gaim is a full featured instant messaging client which handles a + variety of instant messaging protocols. +

+
+ +

+ Brandon Perry discovered that Gaim is vulnerable to a heap-based + buffer overflow when handling away messages (CAN-2005-2103). + Furthermore, Daniel Atallah discovered a vulnerability in the handling + of file transfers (CAN-2005-2102). +

+
+ +

+ A remote attacker could create a specially crafted away message + which, when viewed by the target user, could lead to the execution of + arbitrary code. Also, an attacker could send a file with a non-UTF8 + filename to a user, which would result in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Gaim users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-im/gaim-1.5.0"
+
+
+ CAN-2005-2102
+ CAN-2005-2103
+
+
+ koon
+
+
+ formula7
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-07.xml b/xml/htdocs/security/en/glsa/glsa-200508-07.xml
new file mode 100644
index 00000000..ae8e8e77
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-07.xml
@@ -0,0 +1,72 @@
+
+
+
+
+
+
+ AWStats: Arbitrary code execution using malicious Referrer information
+
+ AWStats fails to validate certain log input, which could lead to the
+ execution of arbitrary Perl code during the generation of the statistics.
+
+ awstats
+ August 16, 2005
+ May 28, 2009: 02
+ 102145
+ remote
+
+
+ 6.5
+ 6.5
+
+
+
+

+ AWStats is an advanced log file analyzer and statistics generator. + In HTTP reports it parses Referrer information in order to display the + most common Referrer values that caused users to visit the website. +

+
+ +

+ When using a URLPlugin, AWStats fails to sanitize Referrer URL + data before using them in a Perl eval() routine. +

+
+ +

+ A remote attacker can include arbitrary Referrer information in a + HTTP request to a web server, therefore injecting tainted data in the + log files. When AWStats is run on this log file, this can result in the + execution of arbitrary Perl code with the rights of the user running + AWStats. +

+
+ +

+ Disable all URLPlugins in the AWStats configuration. +

+
+ +

+ All AWStats users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-misc/awstats-6.5"
+

+ Note: Users with the vhosts USE flag set should manually use + webapp-config to finalize the update. +

+
+
+ CAN-2005-1527
+ iDEFENSE Advisory
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-08.xml b/xml/htdocs/security/en/glsa/glsa-200508-08.xml
new file mode 100644
index 00000000..b4bd6ae8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-08.xml
@@ -0,0 +1,103 @@
+
+
+
+
+
+
+ Xpdf, Kpdf, GPdf: Denial of Service vulnerability
+
+ Xpdf, Kpdf and GPdf may crash as a result of a Denial of Service
+ vulnerability.
+
+ xpdf kpdf gpdf
+ August 16, 2005
+ August 16, 2005: 01
+ 99769
+ 100263
+ 100265
+ remote
+
+
+ 3.00-r10
+ 3.00-r10
+
+
+ 3.3.2-r3
+ 3.3.2-r3
+
+
+ 3.4.1-r1
+ 3.4.1-r1
+
+
+ 2.10.0-r1
+ 2.10.0-r1
+
+
+
+

+ Xpdf, Kpdf and GPdf are PDF file viewers that run under the X + Window System. Kpdf and GPdf both contain Xpdf code. Kpdf is also part + of kdegraphics. +

+
+ +

+ Xpdf, Kpdf and GPdf do not handle a broken table of embedded + TrueType fonts correctly. After detecting such a table, Xpdf, Kpdf and + GPdf attempt to reconstruct the information in it by decoding the PDF + file, which causes the generation of a huge temporary file. +

+
+ +

+ A remote attacker may cause a Denial of Service by creating a + specially crafted PDF file, sending it to a CUPS printing system (which + uses Xpdf), or by enticing a user to open it in Xpdf, Kpdf, or GPdf. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Xpdf users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/xpdf-3.00-r10"
+

+ All GPdf users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/gpdf-2.10.0-r1"
+

+ All Kpdf users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.3.2-r3"
+

+ All KDE Split Ebuild Kpdf users should upgrade to the latest + version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=kde-base/kpdf-3.4.1-r1"
+
+
+ CAN-2005-2097
+
+
+ koon
+
+
+ adir
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-09.xml b/xml/htdocs/security/en/glsa/glsa-200508-09.xml
new file mode 100644
index 00000000..be8e16c7
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-09.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ bluez-utils: Bluetooth device name validation vulnerability
+
+ Improper validation of Bluetooth device names can lead to arbitrary command
+ execution.
+
+ bluez-utils
+ August 17, 2005
+ August 17, 2005: 01
+ 101557
+ remote
+
+
+ 2.19
+ 2.19
+
+
+
+

+ bluez-utils are the utilities for use with the BlueZ + implementation of the Bluetooth wireless standards for Linux. +

+
+ +

+ The name of a Bluetooth device is improperly validated by the hcid + utility when a remote device attempts to pair itself with a computer. +

+
+ +

+ An attacker could create a malicious device name on a Bluetooth + device resulting in arbitrary commands being executed as root upon + attempting to pair the device with the computer. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All bluez-utils users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-wireless/bluez-utils-2.19"
+
+
+ CAN-2005-2547
+ bluez-utils ChangeLog
+
+
+ koon
+
+
+ r2d2
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-10.xml b/xml/htdocs/security/en/glsa/glsa-200508-10.xml
new file mode 100644
index 00000000..d2cccf26
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-10.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Kismet: Multiple vulnerabilities
+
+ Kismet is vulnerable to multiple issues potentially resulting in the
+ execution of arbitrary code.
+
+ Kismet
+ August 19, 2005
+ May 22, 2006: 02
+ 102702
+ remote
+
+
+ 2005.08.1
+ 2005.08.1
+
+
+
+

+ Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and + intrusion detection system. +

+
+ +

+ Kismet is vulnerable to a heap overflow when handling pcap captures and + to an integer underflow in the CDP protocol dissector. +

+
+ +

+ With a specially crafted packet an attacker could cause Kismet to + execute arbitrary code with the rights of the user running the program. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Kismet users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-wireless/kismet-2005.08.1"
+
+
+ Kismet Release Notes
+ CVE-2005-2626
+ CVE-2005-2627
+
+
+ jaervosz
+
+
+ jaervosz
+
+
+ adir
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-11.xml b/xml/htdocs/security/en/glsa/glsa-200508-11.xml
new file mode 100644
index 00000000..a98a0681
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-11.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Adobe Reader: Buffer Overflow
+
+ Adobe Reader is vulnerable to a buffer overflow which could potentially
+ lead to execution of arbitrary code.
+
+ acroread
+ August 19, 2005
+ August 19, 2005: 01
+ 102730
+ remote
+
+
+ 7.0.1.1
+ 7.0.1.1
+
+
+
+

+ Adobe Reader is a utility used to view PDF files. +

+
+ +

+ A buffer overflow has been reported within a core application + plug-in, which is part of Adobe Reader. +

+
+ +

+ An attacker may create a specially-crafted PDF file, enticing a + user to open it. This could trigger a buffer overflow as the file is + being loaded, resulting in the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Reader users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/acroread-7.0.1.1"
+
+
+ CAN-2005-2470
+ Adobe Document 321644
+
+
+ formula7
+
+
+ adir
+
+
+ adir
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-12.xml b/xml/htdocs/security/en/glsa/glsa-200508-12.xml
new file mode 100644
index 00000000..3fec98bc
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-12.xml
@@ -0,0 +1,74 @@
+
+
+
+
+
+
+ Evolution: Format string vulnerabilities
+
+ Evolution is vulnerable to format string vulnerabilities which may result
+ in remote execution of arbitrary code.
+
+ evolution
+ August 23, 2005
+ August 23, 2005: 01
+ 102051
+ remote
+
+
+ 2.2.3-r3
+ 2.2.3-r3
+
+
+
+

+ Evolution is a GNOME groupware application. +

+
+ +

+ Ulf Harnhammar discovered that Evolution is vulnerable to format + string bugs when viewing attached vCards and when displaying contact + information from remote LDAP servers or task list data from remote + servers (CAN-2005-2549). He also discovered that Evolution fails to + handle special calendar entries if the user switches to the Calendars + tab (CAN-2005-2550). +

+
+ +

+ An attacker could attach specially crafted vCards to emails or + setup malicious LDAP servers or calendar entries which would trigger + the format string vulnerabilities when viewed or accessed from + Evolution. This could potentially result in the execution of arbitrary + code with the rights of the user running Evolution. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Evolution users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/evolution-2.2.3-r3"
+
+
+ CAN-2005-2549
+ CAN-2005-2550
+ SITIC Vulnerability Advisory SA05-001
+
+
+ koon
+
+
+ DerCorny
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-13.xml b/xml/htdocs/security/en/glsa/glsa-200508-13.xml
new file mode 100644
index 00000000..9585761b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-13.xml
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+ PEAR XML-RPC, phpxmlrpc: New PHP script injection vulnerability
+
+ The PEAR XML-RPC and phpxmlrpc libraries allow remote attackers to execute
+ arbitrary PHP script commands.
+
+ pear-xml_rpc phpxmlrpc
+ August 24, 2005
+ August 24, 2005: 01
+ 102378
+ 102576
+ remote
+
+
+ 1.4.0
+ 1.4.0
+
+
+ 1.2-r1
+ 1.2-r1
+
+
+
+

+ The PEAR XML-RPC and phpxmlrpc libraries are both PHP + implementations of the XML-RPC protocol. +

+
+ +

+ Stefan Esser of the Hardened-PHP Project discovered that the PEAR + XML-RPC and phpxmlrpc libraries were improperly handling XMLRPC + requests and responses with malformed nested tags. +

+
+ +

+ A remote attacker could exploit this vulnerability to inject + arbitrary PHP script code into eval() statements by sending a specially + crafted XML document to web applications making use of these libraries. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All PEAR-XML_RPC users should upgrade to the latest available + version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-php/PEAR-XML_RPC-1.4.0"
+

+ All phpxmlrpc users should upgrade to the latest available + version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-php/phpxmlrpc-1.2-r1"
+
+
+ CAN-2005-2498
+ Hardened-PHP 14/2005 Advisory
+ Hardened-PHP 15/2005 Advisory
+
+
+ koon
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-14.xml b/xml/htdocs/security/en/glsa/glsa-200508-14.xml
new file mode 100644
index 00000000..ad596c1f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-14.xml
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+ TikiWiki, eGroupWare: Arbitrary command execution through XML-RPC
+
+ TikiWiki and eGroupWare both include PHP XML-RPC code vulnerable to
+ arbitrary command execution.
+
+ tikiwiki egroupware
+ August 24, 2005
+ August 24, 2005: 01
+ 102374
+ 102377
+ remote
+
+
+ 1.8.5-r2
+ 1.8.5-r2
+
+
+ 1.0.0.009
+ 1.0.0.009
+
+
+
+

+ TikiWiki is a full featured Free Software Wiki, CMS and Groupware + written in PHP. eGroupWare is a web-based collaboration software suite. + Both TikiWiki and eGroupWare include a PHP library to handle XML-RPC + requests. +

+
+ +

+ The XML-RPC library shipped in TikiWiki and eGroupWare improperly + handles XML-RPC requests and responses with malformed nested tags. +

+
+ +

+ A remote attacker could exploit this vulnerability to inject + arbitrary PHP script code into eval() statements by sending a specially + crafted XML document to TikiWiki or eGroupWare. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TikiWiki users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.8.5-r2"
+

+ All eGroupWare users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apps/egroupware-1.0.0.009"
+
+
+ CAN-2005-2498
+
+
+ DerCorny
+
+
+ adir
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-15.xml b/xml/htdocs/security/en/glsa/glsa-200508-15.xml
new file mode 100644
index 00000000..9d9a13e3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-15.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ Apache 2.0: Denial of Service vulnerability
+
+ A bug in Apache may allow a remote attacker to perform a Denial of Service
+ attack.
+
+ apache
+ August 25, 2005
+ December 30, 2007: 03
+ 102991
+ remote
+
+
+ 2.0.54-r9
+ 2.0
+ 2.0.54-r9
+
+
+
+

+ The Apache HTTP Server Project is a featureful, freely-available HTTP + (Web) server. +

+
+ +

+ Filip Sneppe discovered that Apache improperly handles byterange + requests to CGI scripts. +

+
+ +

+ A remote attacker may access vulnerable scripts in a malicious way, + exhausting all RAM and swap space on the server, resulting in a Denial + of Service of the Apache server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All apache users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-servers/apache-2.0.54-r9"
+
+
+ ASF Bugzilla Bug 29962
+ CVE-2005-2728
+
+
+ DerCorny
+
+
+ koon
+
+
+ adir
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-16.xml b/xml/htdocs/security/en/glsa/glsa-200508-16.xml
new file mode 100644
index 00000000..e7938a1a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-16.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Tor: Information disclosure
+
+ A flaw in Tor leads to the disclosure of information and the loss of
+ anonymity, integrity and confidentiality.
+
+ tor
+ August 25, 2005
+ August 25, 2005: 01
+ 102245
+ remote
+
+
+ 0.1.0.14
+ 0.1.0.14
+
+
+
+

+ Tor is an implementation of second generation Onion Routing, a + connection-oriented anonymizing communication service. +

+
+ +

+ The Diffie-Hellman implementation of Tor fails to verify the + cryptographic strength of keys which are used during handshakes. +

+
+ +

+ By setting up a malicious Tor server and enticing users to use + this server as first hop, a remote attacker could read and modify all + traffic of the user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Tor users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/tor-0.1.0.14"
+
+
+ CAN-2005-2643
+ Tor Security Announcement
+
+
+ koon
+
+
+ koon
+
+
+ DerCorny
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-17.xml b/xml/htdocs/security/en/glsa/glsa-200508-17.xml
new file mode 100644
index 00000000..7a3ee81c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-17.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ libpcre: Heap integer overflow
+
+ libpcre is vulnerable to a heap integer overflow, possibly leading to the
+ execution of arbitrary code.
+
+ libpcre
+ August 25, 2005
+ August 25, 2005: 01
+ 103337
+ remote
+
+
+ 6.3
+ 6.3
+
+
+
+

+ libpcre is a library providing functions for Perl-compatible + regular expressions. +

+
+ +

+ libpcre fails to check certain quantifier values in regular + expressions for sane values. +

+
+ +

+ An attacker could possibly exploit this vulnerability to execute + arbitrary code by sending specially crafted regular expressions to + applications making use of the libpcre library. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libpcre users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/libpcre-6.3"
+
+
+ CAN-2005-2491
+ SecurityTracker Alert ID 1014744
+
+
+ koon
+
+
+ DerCorny
+
+
+ DerCorny
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-18.xml b/xml/htdocs/security/en/glsa/glsa-200508-18.xml
new file mode 100644
index 00000000..6b0ffbea
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-18.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ PhpWiki: Arbitrary command execution through XML-RPC
+
+ PhpWiki includes PHP XML-RPC code which is vulnerable to arbitrary command
+ execution.
+
+ phpwiki
+ August 26, 2005
+ August 26, 2005: 01
+ 102380
+ remote
+
+
+ 1.3.10-r2
+ 1.3.10-r2
+
+
+
+

+ PhpWiki is an application that creates a web site where anyone can + edit the pages through HTML forms. +

+
+ +

+ Earlier versions of PhpWiki contain an XML-RPC library that + improperly handles XML-RPC requests and responses with malformed nested + tags. +

+
+ +

+ A remote attacker could exploit this vulnerability to inject + arbitrary PHP script code into eval() statements by sending a specially + crafted XML document to PhpWiki. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PhpWiki users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apps/phpwiki-1.3.10-r2"
+
+
+ CAN-2005-2498
+
+
+ koon
+
+
+ adir
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-19.xml b/xml/htdocs/security/en/glsa/glsa-200508-19.xml
new file mode 100644
index 00000000..35b613e5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-19.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ lm_sensors: Insecure temporary file creation
+
+ lm_sensors is vulnerable to linking attacks, potentially allowing a local
+ user to overwrite arbitrary files.
+
+ lm_sensors
+ August 30, 2005
+ August 30, 2005: 01
+ 103568
+ local
+
+
+ 2.9.1-r1
+ 2.9.1-r1
+
+
+
+

+ lm_sensors is a software package that provides drivers for + monitoring the temperatures, voltages, and fans of Linux systems with + hardware monitoring devices. +

+
+ +

+ Javier Fernandez-Sanguino Pena has discovered that lm_sensors + insecurely creates temporary files with predictable filenames when + saving configurations. +

+
+ +

+ A local attacker could create symbolic links in the temporary file + directory, pointing to a valid file somewhere on the filesystem. When + the pwmconfig script of lm_sensors is executed, this would result in + the file being overwritten with the rights of the user running the + script, which typically is the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All lm_sensors users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/lm_sensors-2.9.1-r1"
+
+
+ CAN-2005-2672
+
+
+ koon
+
+
+ koon
+
+
+ formula7
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-20.xml b/xml/htdocs/security/en/glsa/glsa-200508-20.xml
new file mode 100644
index 00000000..85306a91
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-20.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ phpGroupWare: Multiple vulnerabilities
+
+ phpGroupWare is vulnerable to multiple issues ranging from information
+ disclosure to a potential execution of arbitrary code.
+
+ phpgroupware
+ August 30, 2005
+ August 30, 2005: 01
+ 102379
+ remote
+
+
+ 0.9.16.008
+ 0.9.16.008
+
+
+
+

+ phpGroupWare is a multi-user groupware suite written in PHP. +

+
+ +

+ phpGroupWare improperly validates the "mid" parameter retrieved + via a forum post. The current version of phpGroupWare also adds several + safeguards to prevent XSS issues, and disables the use of a potentially + vulnerable XML-RPC library. +

+
+ +

+ A remote attacker may leverage the XML-RPC vulnerability to + execute arbitrary PHP script code. He could also create a specially + crafted request that will reveal private posts. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpGroupWare users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apps/phpgroupware-0.9.16.008"
+
+
+ CAN-2005-2498
+ CAN-2005-2600
+ Secunia Advisory SA16414
+
+
+ DerCorny
+
+
+ adir
+
+
+ adir
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-21.xml b/xml/htdocs/security/en/glsa/glsa-200508-21.xml
new file mode 100644
index 00000000..fc67d73a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200508-21.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ phpWebSite: Arbitrary command execution through XML-RPC and SQL injection
+
+ phpWebSite is vulnerable to multiple issues which result in the execution
+ of arbitrary code and SQL injection.
+
+ phpwebsite
+ August 31, 2005
+ August 31, 2005: 01
+ 102785
+ remote
+
+
+ 0.10.2_rc2
+ 0.10.2_rc2
+
+
+
+

+ phpWebSite is a web site content management system. +

+
+ +

+ phpWebSite uses an XML-RPC library that improperly handles XML-RPC + requests and responses with malformed nested tags. Furthermore, + "matrix_killer" reported that phpWebSite is vulnerable to an SQL + injection attack. +

+
+ +

+ A malicious remote user could exploit this vulnerability to inject + arbitrary PHP script code into eval() statements by sending a specially + crafted XML document, and also inject SQL commands to access the + underlying database directly. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpWebSite users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/phpwebsite-0.10.2_rc2" +
+ + CAN-2005-2498 + Original Advisory + + + koon + + + adir + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200508-22.xml b/xml/htdocs/security/en/glsa/glsa-200508-22.xml new file mode 100644 index 00000000..7d6b74db --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200508-22.xml @@ -0,0 +1,70 @@ + + + + + + + pam_ldap: Authentication bypass vulnerability + + pam_ldap contains a vulnerability that may allow a remote attacker to gain + system access. + + pam_ldap + August 31, 2005 + August 31, 2005: 01 + 103659 + remote + + + 180 + 180 + + + +

+ pam_ldap is a Pluggable Authentication Module which allows + authentication against LDAP directories. +

+
+ +

+ When a pam_ldap client attempts to authenticate against an LDAP + server that omits the optional error value from the + PasswordPolicyResponseValue, the authentication attempt will always + succeed. +

+
+ +

+ A remote attacker may exploit this vulnerability to bypass the + LDAP authentication mechanism, gaining access to the system possibly + with elevated privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All pam_ldap users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-auth/pam_ldap-180" +
+ + CAN-2005-2641 + US-CERT VU#778916 + + + koon + + + koon + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-01.xml b/xml/htdocs/security/en/glsa/glsa-200509-01.xml new file mode 100644 index 00000000..3b03aaa3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-01.xml @@ -0,0 +1,66 @@ + + + + + + + MPlayer: Heap overflow in ad_pcm.c + + A heap overflow in MPlayer might lead to the execution of arbitrary code. + + MPlayer + September 01, 2005 + September 01, 2005: 01 + 103555 + remote + + + 1.0_pre7-r1 + 1.0_pre7-r1 + + + +

+ MPlayer is a media player capable of handling multiple multimedia + file formats. +

+
+ +

+ Sven Tantau discovered a heap overflow in the code handling the + strf chunk of PCM audio streams. +

+
+ +

+ An attacker could craft a malicious video or audio file which, + when opened using MPlayer, would end up executing arbitrary code on the + victim's computer with the permissions of the user running MPlayer. +

+
+ +

+ You can mitigate the issue by adding "ac=-pcm," to your MPlayer + configuration file (note that this will prevent you from playing + uncompressed audio). +

+
+ +

+ All MPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_pre7-r1" +
+ + CAN-2005-2718 + Original Advisory + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-02.xml b/xml/htdocs/security/en/glsa/glsa-200509-02.xml new file mode 100644 index 00000000..e62534ab --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-02.xml @@ -0,0 +1,70 @@ + + + + + + + Gnumeric: Heap overflow in the included PCRE library + + Gnumeric is vulnerable to a heap overflow, possibly leading to the + execution of arbitrary code. + + Gnumeric + September 03, 2005 + September 03, 2005: 01 + 104010 + remote + + + 1.4.3-r2 + 1.4.3-r2 + + + +

+ The Gnumeric spreadsheet is a versatile application developed as + part of the GNOME Office project. libpcre is a library providing + functions for Perl-compatible regular expressions. +

+
+ +

+ Gnumeric contains a private copy of libpcre which is subject to an + integer overflow leading to a heap overflow (see GLSA 200508-17). +

+
+ +

+ An attacker could potentially exploit this vulnerability by + tricking a user into opening a specially crafted spreadsheet, which + could lead to the execution of arbitrary code with the privileges of + the user running Gnumeric. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Gnumeric users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/gnumeric-1.4.3-r2" +
+ + CAN-2005-2491 + GLSA 200508-17 + + + koon + + + koon + + + formula7 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-03.xml b/xml/htdocs/security/en/glsa/glsa-200509-03.xml new file mode 100644 index 00000000..3f24cf34 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-03.xml @@ -0,0 +1,68 @@ + + + + + + + OpenTTD: Format string vulnerabilities + + OpenTTD is vulnerable to format string vulnerabilities which may result in + remote execution of arbitrary code. + + openttd + September 05, 2005 + May 22, 2006: 02 + 102631 + remote + + + 0.4.0.1-r1 + 0.4.0.1-r1 + + + +

+ OpenTTD is an open source clone of the simulation game "Transport + Tycoon Deluxe" by Microprose. +

+
+ +

+ Alexey Dobriyan discovered several format string vulnerabilities in + OpenTTD. +

+
+ +

+ A remote attacker could exploit these vulnerabilities to crash the + OpenTTD server or client and possibly execute arbitrary code with the + rights of the user running OpenTTD. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All OpenTTD users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-simulation/openttd-0.4.0.1-r1" +
+ + CAN-2005-2763 + CVE-2005-2764 + + + jaervosz + + + adir + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-04.xml b/xml/htdocs/security/en/glsa/glsa-200509-04.xml new file mode 100644 index 00000000..8a4807ab --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-04.xml @@ -0,0 +1,68 @@ + + + + + + + phpLDAPadmin: Authentication bypass + + A flaw in phpLDAPadmin may allow attackers to bypass security restrictions + and connect anonymously. + + phpLDAPadmin + September 06, 2005 + September 06, 2005: 01 + 104293 + remote + + + 0.9.7_alpha6 + 0.9.7_alpha6 + + + +

+ phpLDAPadmin is a web-based LDAP client allowing to easily manage + LDAP servers. +

+
+ +

+ Alexander Gerasiov discovered a flaw in login.php preventing the + application from validating whether anonymous bind has been disabled in + the target LDAP server configuration. +

+
+ +

+ Anonymous users can access the LDAP server, even if the + "disable_anon_bind" parameter was explicitly set to avoid this. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpLDAPadmin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-nds/phpldapadmin-0.9.7_alpha6" +
+ + CAN-2005-2654 + Secunia Advisory SA16611 + + + DerCorny + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-05.xml b/xml/htdocs/security/en/glsa/glsa-200509-05.xml new file mode 100644 index 00000000..009a8d47 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-05.xml @@ -0,0 +1,69 @@ + + + + + + + Net-SNMP: Insecure RPATH + + The Gentoo Net-SNMP package may provide Perl modules containing an insecure + DT_RPATH, potentially allowing privilege escalation. + + net-snmp + September 06, 2005 + May 22, 2006: 02 + 103776 + local + + + 5.2.1.2-r1 + 5.2.1.2-r1 + + + +

+ Net-SNMP is a suite of applications used to implement the Simple + Network Management Protocol. +

+
+ +

+ James Cloos reported that Perl modules from the Net-SNMP package look + for libraries in an untrusted location. This is due to a flaw in the + Gentoo package, and not the Net-SNMP suite. +

+
+ +

+ A local attacker (member of the portage group) may be able to create a + shared object that would be loaded by the Net-SNMP Perl modules, + executing arbitrary code with the privileges of the user invoking the + Perl script. +

+
+ +

+ Limit group portage access to trusted users. +

+
+ +

+ All Net-SNMP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.2.1.2-r1" +
+ + CVE-2005-2811 + + + DerCorny + + + DerCorny + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-06.xml b/xml/htdocs/security/en/glsa/glsa-200509-06.xml new file mode 100644 index 00000000..6a2bcc6b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-06.xml @@ -0,0 +1,68 @@ + + + + + + + Squid: Denial of Service vulnerabilities + + Squid contains several bugs when handling certain malformed requests + resulting in a Denial of Service. + + Squid + September 07, 2005 + May 22, 2006: 03 + 104603 + remote + + + 2.5.10-r2 + 2.5.10-r2 + + + +

+ Squid is a full-featured Web proxy cache designed to run on Unix-like + systems. It supports proxying and caching of HTTP, FTP, and other + protocols, as well as SSL support, cache hierarchies, transparent + caching, access control lists and many more features. +

+
+ +

+ Certain malformed requests result in a segmentation fault in the + sslConnectTimeout function, handling of other certain requests trigger + assertion failures. +

+
+ +

+ By performing malformed requests an attacker could cause Squid to crash + by triggering an assertion failure or invalid memory reference. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Squid users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/squid-2.5.10-r2" +
+ + Squid Patches + CVE-2005-2794 + CVE-2005-2796 + + + jaervosz + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-07.xml b/xml/htdocs/security/en/glsa/glsa-200509-07.xml new file mode 100644 index 00000000..89bad546 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-07.xml @@ -0,0 +1,63 @@ + + + + + + + X.Org: Heap overflow in pixmap allocation + + An integer overflow in pixmap memory allocation potentially allows any + X.Org user to execute arbitrary code with elevated privileges. + + X.Org + September 12, 2005 + September 12, 2005: 01 + 105688 + local + + + 6.8.2-r3 + 6.8.2-r3 + + + +

+ X.Org is X.Org Foundation's Public Implementation of the X Window + System. +

+
+ +

+ X.Org is missing an integer overflow check during pixmap memory + allocation. +

+
+ +

+ An X.Org user could exploit this issue to make the X server + execute arbitrary code with elevated privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All X.org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-base/xorg-x11-6.8.2-r3" +
+ + CAN-2005-2495 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-08.xml b/xml/htdocs/security/en/glsa/glsa-200509-08.xml new file mode 100644 index 00000000..b1647480 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-08.xml @@ -0,0 +1,73 @@ + + + + + + + Python: Heap overflow in the included PCRE library + + The "re" Python module is vulnerable to a heap overflow, possibly leading + to the execution of arbitrary code. + + Python + September 12, 2005 + September 12, 2005: 01 + 104009 + remote + + + 2.3.5-r2 + 2.3.5-r2 + + + +

+ Python is an interpreted, interactive, object-oriented, + cross-platform programming language. The "re" Python module provides + regular expression functions. +

+
+ +

+ The "re" Python module makes use of a private copy of libpcre + which is subject to an integer overflow leading to a heap overflow (see + GLSA 200508-17). +

+
+ +

+ An attacker could target a Python-based web application (or SUID + application) that would use untrusted data as regular expressions, + potentially resulting in the execution of arbitrary code (or privilege + escalation). +

+
+ +

+ Python users that don't run any Python web application or SUID + application (or that run one that wouldn't use untrusted inputs as + regular expressions) are not affected by this issue. +

+
+ +

+ All Python users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.3.5-r2" +
+ + CAN-2005-2491 + GLSA 200508-17 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-09.xml b/xml/htdocs/security/en/glsa/glsa-200509-09.xml new file mode 100644 index 00000000..53b5edb3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-09.xml @@ -0,0 +1,69 @@ + + + + + + + Py2Play: Remote execution of arbitrary Python code + + A design error in Py2Play allows attackers to execute arbitrary code. + + py2play + September 17, 2005 + September 05, 2006: 02 + 103524 + remote + + + 0.1.8 + 0.1.7 + + + +

+ Py2Play is a peer-to-peer network game engine written in Python. + Pickling is a Python feature allowing to serialize Python objects into + string representations (called pickles) that can be sent over the + network. +

+
+ +

+ Arc Riley discovered that Py2Play uses Python pickles to send objects + over a peer-to-peer game network, and that clients accept without + restriction the objects and code sent by peers. +

+
+ +

+ A remote attacker participating in a Py2Play-powered game can send + malicious Python pickles, resulting in the execution of arbitrary + Python code on the targeted game client. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All py2play users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/py2play-0.1.8" +
+ + CAN-2005-2875 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-10.xml b/xml/htdocs/security/en/glsa/glsa-200509-10.xml new file mode 100644 index 00000000..b340036e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-10.xml @@ -0,0 +1,65 @@ + + + + + + + Mailutils: Format string vulnerability in imap4d + + The imap4d server contains a vulnerability allowing an authenticated user + to execute arbitrary code with the privileges of the imap4d process. + + mailutils + September 17, 2005 + May 22, 2006: 02 + 105458 + remote + + + 0.6-r2 + 0.6-r2 + + + +

+ The GNU Mailutils are a collection of mail-related utilities, including + an IMAP4 server (imap4d). +

+
+ +

+ The imap4d server contains a format string bug in the handling of IMAP + SEARCH requests. +

+
+ +

+ An authenticated IMAP user could exploit the format string error in + imap4d to execute arbitrary code as the imap4d user, which is usually + root. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All GNU Mailutils users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/mailutils-0.6-r2" +
+ + iDEFENSE 09.09.05 advisory + CVE-2005-2878 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-11.xml b/xml/htdocs/security/en/glsa/glsa-200509-11.xml new file mode 100644 index 00000000..c6b8d0fc --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-11.xml @@ -0,0 +1,134 @@ + + + + + + + Mozilla Suite, Mozilla Firefox: Multiple vulnerabilities + + Mozilla Suite and Firefox are vulnerable to multiple issues, including some + that might be exploited to execute arbitrary code. + + mozilla + September 18, 2005 + September 29, 2005: 02 + 105396 + remote + + + 1.0.7-r2 + 1.0.7-r2 + + + 1.7.12-r2 + 1.7.12-r2 + + + 1.0.7 + 1.0.7 + + + 1.7.12 + 1.7.12 + + + 1.7.12 + 1.7.12 + + + +

+ The Mozilla Suite is a popular all-in-one web browser that includes a + mail and news reader. Mozilla Firefox is the next-generation browser + from the Mozilla project. Gecko is the layout engine used in both + products. +

+
+ +

+ The Mozilla Suite and Firefox are both vulnerable to the following + issues: +

+
    +
  • Tom Ferris reported a heap overflow in IDN-enabled browsers with + malicious Host: headers (CAN-2005-2871).
  • +
  • "jackerror" discovered a heap overrun in XBM image processing + (CAN-2005-2701).
  • +
  • Mats Palmgren reported a potentially exploitable stack corruption + using specific Unicode sequences (CAN-2005-2702).
  • +
  • Georgi Guninski discovered an integer overflow in the JavaScript + engine (CAN-2005-2705)
  • +
  • Other issues ranging from DOM object spoofing to request header + spoofing were also found and fixed in the latest versions + (CAN-2005-2703, CAN-2005-2704, CAN-2005-2706, CAN-2005-2707).
  • +
+

+ The Gecko engine in itself is also affected by some of these issues and + has been updated as well. +

+
+ +

+ A remote attacker could setup a malicious site and entice a victim to + visit it, potentially resulting in arbitrary code execution with the + victim's privileges or facilitated spoofing of known websites. +

+
+ +

+ There is no known workaround for all the issues. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.7-r2" +

+ All Mozilla Suite users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.12-r2" +

+ All Mozilla Firefox binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.7" +

+ All Mozilla Suite binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.12" +

+ All Gecko library users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/gecko-sdk-1.7.12" +

+ +

+
+ + CAN-2005-2701 + CAN-2005-2702 + CAN-2005-2703 + CAN-2005-2704 + CAN-2005-2705 + CAN-2005-2706 + CAN-2005-2707 + CAN-2005-2871 + Mozilla Foundation Security Advisories + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-12.xml b/xml/htdocs/security/en/glsa/glsa-200509-12.xml new file mode 100644 index 00000000..acb59490 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-12.xml @@ -0,0 +1,87 @@ + + + + + + + Apache, mod_ssl: Multiple vulnerabilities + + mod_ssl and Apache are vulnerable to a restriction bypass and a potential + local privilege escalation. + + Apache + September 19, 2005 + December 30, 2007: 03 + 103554 + 104807 + remote and local + + + 2.8.24 + 2.8.24 + + + 2.0.54-r15 + 2 + 2.0.54-r15 + + + +

+ The Apache HTTP server is one of the most popular web servers on the + Internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3 + and is also included in Apache 2. +

+
+ +

+ mod_ssl contains a security issue when "SSLVerifyClient optional" is + configured in the global virtual host configuration (CAN-2005-2700). + Also, Apache's httpd includes a PCRE library, which makes it vulnerable + to an integer overflow (CAN-2005-2491). +

+
+ +

+ Under a specific configuration, mod_ssl does not properly enforce the + client-based certificate authentication directive, "SSLVerifyClient + require", in a per-location context, which could be potentially used by + a remote attacker to bypass some restrictions. By creating a specially + crafted ".htaccess" file, a local attacker could possibly exploit + Apache's vulnerability, which would result in a local privilege + escalation. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mod_ssl users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-www/mod_ssl-2.8.24" +

+ All Apache 2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/apache-2.0.54-r15" +
+ + CAN-2005-2491 + CAN-2005-2700 + + + koon + + + koon + + + formula7 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-13.xml b/xml/htdocs/security/en/glsa/glsa-200509-13.xml new file mode 100644 index 00000000..3591f187 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-13.xml @@ -0,0 +1,70 @@ + + + + + + + Clam AntiVirus: Multiple vulnerabilities + + Clam AntiVirus is subject to vulnerabilities ranging from Denial of Service + to execution of arbitrary code when handling compressed executables. + + clamav + September 19, 2005 + September 19, 2005: 01 + 106279 + remote + + + 0.87 + 0.87 + + + +

+ Clam AntiVirus is a GPL anti-virus toolkit, designed for + integration with mail servers to perform attachment scanning. Clam + AntiVirus also provides a command line scanner and a tool for fetching + updates of the virus database. +

+
+ +

+ Clam AntiVirus is vulnerable to a buffer overflow in + "libclamav/upx.c" when processing malformed UPX-packed executables. It + can also be sent into an infinite loop in "libclamav/fsg.c" when + processing specially-crafted FSG-packed executables. +

+
+ +

+ By sending a specially-crafted file an attacker could execute + arbitrary code with the permissions of the user running Clam AntiVirus, + or cause a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Clam AntiVirus users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.87" +
+ + CAN-2005-2919 + CAN-2005-2920 + Clam AntiVirus: Release Notes + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-14.xml b/xml/htdocs/security/en/glsa/glsa-200509-14.xml new file mode 100644 index 00000000..5c0d60e7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-14.xml @@ -0,0 +1,68 @@ + + + + + + + Zebedee: Denial of Service vulnerability + + A bug in Zebedee allows a remote attacker to perform a Denial of Service + attack. + + zebedee + September 20, 2005 + May 22, 2006: 02 + 105115 + remote + + + 2.4.1-r1 + 2.5.3 + 2.5.3 + + + +

+ Zebedee is an application that establishes an encrypted, compressed + tunnel for TCP/IP or UDP data transfer between two systems. +

+
+ +

+ "Shiraishi.M" reported that Zebedee crashes when "0" is received as the + port number in the protocol option header. +

+
+ +

+ By performing malformed requests a remote attacker could cause Zebedee + to crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Zebedee users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose net-misc/zebedee +
+ + BugTraq ID 14796 + CVE-2005-2904 + + + koon + + + koon + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-15.xml b/xml/htdocs/security/en/glsa/glsa-200509-15.xml new file mode 100644 index 00000000..3e00dc8a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-15.xml @@ -0,0 +1,75 @@ + + + + + + + util-linux: umount command validation error + + A command validation error in umount can lead to an escalation of + privileges. + + util-linux + September 20, 2005 + September 20, 2005: 01 + 105805 + local + + + 2.12q-r3 + 2.12q-r3 + + + +

+ util-linux is a suite of useful Linux programs including umount, a + program used to unmount filesystems. +

+
+ +

+ When a regular user mounts a filesystem, they are subject to + restrictions in the /etc/fstab configuration file. David Watson + discovered that when unmounting a filesystem with the '-r' option, the + read-only bit is set, while other bits, such as nosuid or nodev, are + not set, even if they were previously. +

+
+ +

+ An unprivileged user facing nosuid or nodev restrictions can + umount -r a filesystem clearing those bits, allowing applications to be + executed suid, or have device nodes interpreted. In the case where the + user can freely modify the contents of the filesystem, privilege + escalation may occur as a custom program may execute with suid + permissions. +

+
+ +

+ Two workarounds exist, first, the suid bit can be removed from the + umount utility, or users can be restricted from mounting and unmounting + filesystems in /etc/fstab. +

+
+ +

+ All util-linux users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/util-linux-2.12q-r3" +
+ + CAN-2005-2876 + + + koon + + + r2d2 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-16.xml b/xml/htdocs/security/en/glsa/glsa-200509-16.xml new file mode 100644 index 00000000..8eb90529 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-16.xml @@ -0,0 +1,68 @@ + + + + + + + Mantis: XSS and SQL injection vulnerabilities + + Mantis is affected by an SQL injection and several cross-site scripting + (XSS) vulnerabilities. + + Mantis + September 24, 2005 + September 24, 2005: 01 + 103308 + remote + + + 0.19.2 + 0.19.2 + + + +

+ Mantis is a web-based bugtracking system written in PHP. +

+
+ +

+ Mantis fails to properly sanitize untrusted input before using it. + This leads to an SQL injection and several cross-site scripting + vulnerabilities. +

+
+ +

+ An attacker could possibly use the SQL injection vulnerability to + access or modify information from the Mantis database. Furthermore the + cross-site scripting issues give an attacker the ability to inject and + execute malicious script code or to steal cookie-based authentication + credentials, potentially compromising the victim's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mantis users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/mantisbt-0.19.2" +
+ + CAN-2005-2556 + CAN-2005-2557 + Secunia Advisory SA16506 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-17.xml b/xml/htdocs/security/en/glsa/glsa-200509-17.xml new file mode 100644 index 00000000..7d98617c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-17.xml @@ -0,0 +1,81 @@ + + + + + + + Webmin, Usermin: Remote code execution through PAM authentication + + If Webmin or Usermin is configured to use full PAM conversations, it is + vulnerable to the remote execution of arbitrary code with root privileges. + + Webmin Usermin + September 24, 2005 + September 24, 2005: 01 + 106705 + remote + + + 1.230 + 1.230 + + + 1.160 + 1.160 + + + +

+ Webmin and Usermin are web-based system administration consoles. + Webmin allows an administrator to easily configure servers and other + features. Usermin allows users to configure their own accounts, execute + commands, and read e-mails. +

+
+ +

+ Keigo Yamazaki discovered that the miniserv.pl webserver, used in + both Webmin and Usermin, does not properly validate authentication + credentials before sending them to the PAM (Pluggable Authentication + Modules) authentication process. The default configuration shipped with + Gentoo does not enable the "full PAM conversations" option and is + therefore unaffected by this flaw. +

+
+ +

+ A remote attacker could bypass the authentication process and run + any command as the root user on the target server. +

+
+ +

+ Do not enable "full PAM conversations" in the Authentication + options of Webmin and Usermin. +

+
+ +

+ All Webmin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/webmin-1.230" +

+ All Usermin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/usermin-1.160" +
+ + CAN-2005-3042 + Original Advisory + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-18.xml b/xml/htdocs/security/en/glsa/glsa-200509-18.xml new file mode 100644 index 00000000..362c91b7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-18.xml @@ -0,0 +1,66 @@ + + + + + + + Qt: Buffer overflow in the included zlib library + + Qt is vulnerable to a buffer overflow which could potentially lead to the + execution of arbitrary code. + + qt + September 26, 2005 + September 26, 2005: 02 + 105695 + local + + + 3.3.4-r8 + 3.3.4-r8 + + + +

+ Qt is a cross-platform GUI toolkit used by KDE. +

+
+ +

+ Qt links to a bundled vulnerable version of zlib when emerged with the + zlib USE-flag disabled. This may lead to a buffer overflow. +

+
+ +

+ By creating a specially crafted compressed data stream, attackers can + overwrite data structures for applications that use Qt, resulting in a + Denial of Service or potentially arbitrary code execution. +

+
+ +

+ Emerge Qt with the zlib USE-flag enabled. +

+
+ +

+ All Qt users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/qt-3.3.4-r8" +
+ + GLSA 200507-05 + GLSA 200507-19 + CAN-2005-1849 + CAN-2005-2096 + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-19.xml b/xml/htdocs/security/en/glsa/glsa-200509-19.xml new file mode 100644 index 00000000..31d219da --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-19.xml @@ -0,0 +1,97 @@ + + + + + + + PHP: Vulnerabilities in included PCRE and XML-RPC libraries + + PHP makes use of an affected PCRE library and ships with an affected + XML-RPC library and is therefore potentially vulnerable to remote execution + of arbitrary code. + + PHP + September 27, 2005 + September 27, 2005: 01 + 102373 + remote + + + 4.3.11-r1 + 4.4.0-r1 + 4.4.0-r1 + + + 4.3.11-r1 + 4.4.0-r2 + 4.4.0-r2 + + + 4.3.11-r2 + 4.4.0-r2 + 4.4.0-r2 + + + +

+ PHP is a general-purpose scripting language widely used to develop + web-based applications. It can run inside a web server using the + mod_php module or the CGI version of PHP, or can run stand-alone in a + CLI. +

+
+ +

+ PHP makes use of a private copy of libpcre which is subject to an + integer overflow leading to a heap overflow (see GLSA 200508-17). It + also ships with an XML-RPC library affected by a script injection + vulnerability (see GLSA 200508-13). +

+
+ +

+ An attacker could target a PHP-based web application that would + use untrusted data as regular expressions, potentially resulting in the + execution of arbitrary code. If web applications make use of the + XML-RPC library shipped with PHP, they are also vulnerable to remote + execution of arbitrary PHP code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-php/php +

+ All mod_php users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-php/mod_php +

+ All php-cgi users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-php/php-cgi +
+ + CAN-2005-2491 + CAN-2005-2498 + GLSA 200508-13 + GLSA 200508-17 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-20.xml b/xml/htdocs/security/en/glsa/glsa-200509-20.xml new file mode 100644 index 00000000..ab2ae2e8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-20.xml @@ -0,0 +1,67 @@ + + + + + + + AbiWord: RTF import stack-based buffer overflow + + AbiWord is vulnerable to a stack-based buffer overflow during RTF import, + making it vulnerable to the execution of arbitrary code. + + AbiWord + September 30, 2005 + September 30, 2005: 01 + 107351 + remote + + + 2.2.10 + 2.2.10 + + + +

+ AbiWord is a free and cross-platform word processing program. It + allows to import RTF files into AbiWord documents. +

+
+ +

+ Chris Evans discovered that the RTF import function in AbiWord is + vulnerable to a stack-based buffer overflow. +

+
+ +

+ An attacker could design a malicious RTF file and entice the user + to import it in AbiWord, potentially resulting in the execution of + arbitrary code with the rights of the user running AbiWord. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All AbiWord users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/abiword-2.2.10" +
+ + CAN-2005-2964 + + + koon + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200509-21.xml b/xml/htdocs/security/en/glsa/glsa-200509-21.xml new file mode 100644 index 00000000..85999235 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200509-21.xml @@ -0,0 +1,72 @@ + + + + + + + Hylafax: Insecure temporary file creation in xferfaxstats script + + Hylafax is vulnerable to linking attacks, potentially allowing a local user + to overwrite arbitrary files. + + hylafax + September 30, 2005 + May 22, 2006: 02 + 106882 + local + + + 4.2.0-r3 + 4.2.1-r2 + 4.2.2 + 4.2.2 + + + +

+ Hylafax is a client-server fax package for class 1 and 2 fax modems. +

+
+ +

+ Javier Fernandez-Sanguino has discovered that xferfaxstats cron script + supplied by Hylafax insecurely creates temporary files with predictable + filenames. +

+
+ +

+ A local attacker could create symbolic links in the temporary file + directory, pointing to a valid file somewhere on the filesystem. When + the xferfaxstats script of Hylafax is executed, this would result in + the file being overwritten with the rights of the user running the + script, which typically is the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Hylafax users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose net-misc/hylafax +
+ + Original bug report + CVE-2005-3069 + + + jaervosz + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-01.xml b/xml/htdocs/security/en/glsa/glsa-200510-01.xml
new file mode 100644
index 00000000..a829c45e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-01.xml
@@ -0,0 +1,65 @@
+ + + + + + + gtkdiskfree: Insecure temporary file creation + + gtkdiskfree is vulnerable to symlink attacks, potentially allowing a local + user to overwrite arbitrary files. + + gtkdiskfree + October 03, 2005 + October 03, 2005: 01 + 104565 + local + + + 1.9.3-r1 + 1.9.3-r1 + + + +

+ gtkdiskfree is a GTK-based GUI to show free disk space. +

+
+ +

+ Eric Romang discovered that gtkdiskfree insecurely creates a + predictable temporary file to handle command output. +

+
+ +

+ A local attacker could create a symbolic link in the temporary + files directory, pointing to a valid file somewhere on the filesystem. + When gtkdiskfree is executed, this would result in the file being + overwritten with the rights of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All gtkdiskfree users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/gtkdiskfree-1.9.3-r1" +
+ + CAN-2005-2918 + Original Advisory + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-02.xml b/xml/htdocs/security/en/glsa/glsa-200510-02.xml
new file mode 100644
index 00000000..ec963c54
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-02.xml
@@ -0,0 +1,73 @@
+ + + + + + + Berkeley MPEG Tools: Multiple insecure temporary files + + The Berkeley MPEG Tools use temporary files in various insecure ways, + potentially allowing a local user to overwrite arbitrary files. + + MPEG Tools + October 03, 2005 + October 03, 2005: 01 + 107344 + local + + + 1.5b-r2 + 1.5b-r2 + + + +

+ The Berkeley MPEG Tools are a collection of utilities for + manipulating MPEG video technology, including an encoder (mpeg_encode) + and various conversion utilities. +

+
+ +

+ Mike Frysinger of the Gentoo Security Team discovered that + mpeg_encode and the conversion utilities were creating temporary files + with predictable or fixed filenames. The 'test' make target of the MPEG + Tools also relied on several temporary files created insecurely. +

+
+ +

+ A local attacker could create symbolic links in the temporary + files directory, pointing to a valid file somewhere on the filesystem. + When the utilities are executed (or 'make test' is run), this would + result in the file being overwritten with the rights of the user + running the command. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Berkeley MPEG Tools users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/mpeg-tools-1.5b-r2" +
+ + CAN-2005-3115 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-03.xml b/xml/htdocs/security/en/glsa/glsa-200510-03.xml
new file mode 100644
index 00000000..f64b9cbd
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-03.xml
@@ -0,0 +1,70 @@
+ + + + + + + Uim: Privilege escalation vulnerability + + Under certain conditions, applications linked against Uim suffer from a + privilege escalation vulnerability. + + uim + October 04, 2005 + May 22, 2006: 02 + 107748 + local + + + 0.4.9.1 + 0.4.9.1 + + + +

+ Uim is a multilingual input method library which provides secure and + useful input method for all languages. +

+
+ +

+ Masanari Yamamoto discovered that Uim uses environment variables + incorrectly. This bug causes a privilege escalation if setuid/setgid + applications are linked to libuim. This bug only affects + immodule-enabled Qt (if you build Qt 3.3.2 or later versions with + USE="immqt" or USE="immqt-bc"). +

+
+ +

+ A malicious local user could exploit this vulnerability to execute + arbitrary code with escalated privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Uim users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-i18n/uim-0.4.9.1" +
+ + Original advisory + CVE-2005-3149 + + + koon + + + koon + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-04.xml b/xml/htdocs/security/en/glsa/glsa-200510-04.xml
new file mode 100644
index 00000000..d9f85c07
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-04.xml
@@ -0,0 +1,69 @@
+ + + + + + + Texinfo: Insecure temporary file creation + + Texinfo is vulnerable to symlink attacks, potentially allowing a local user + to overwrite arbitrary files. + + Texinfo + October 05, 2005 + October 05, 2005: 01 + 106105 + local + + + 4.8-r1 + 4.8-r1 + + + +

+ Texinfo is the official documentation system created by the GNU + project. +

+
+ +

+ Frank Lichtenheld has discovered that the "sort_offline()" + function in texindex insecurely creates temporary files with + predictable filenames. +

+
+ +

+ A local attacker could create symbolic links in the temporary + files directory, pointing to a valid file somewhere on the filesystem. + When texindex is executed, this would result in the file being + overwritten with the rights of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Texinfo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/texinfo-4.8-r1" +
+ + CAN-2005-3011 + + + koon + + + formula7 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-05.xml b/xml/htdocs/security/en/glsa/glsa-200510-05.xml
new file mode 100644
index 00000000..0ab4c7d2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-05.xml
@@ -0,0 +1,67 @@
+ + + + + + + Ruby: Security bypass vulnerability + + Ruby is vulnerable to a security bypass of the safe level mechanism. + + ruby + October 06, 2005 + October 06, 2005: 01 + 106996 + remote + + + 1.8.3 + 1.8.3 + + + +

+ Ruby is an interpreted scripting language for quick and easy + object-oriented programming. Ruby supports the safe execution of + untrusted code using a safe level and taint flag mechanism. +

+
+ +

+ Dr. Yutaka Oiwa discovered that Ruby fails to properly enforce + safe level protections. +

+
+ +

+ An attacker could exploit this vulnerability to execute arbitrary + code beyond the restrictions specified in each safe level. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ruby users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.3" +
+ + CAN-2005-2337 + Ruby release announcement + + + koon + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-06.xml b/xml/htdocs/security/en/glsa/glsa-200510-06.xml
new file mode 100644
index 00000000..c53dbf8a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-06.xml
@@ -0,0 +1,66 @@
+ + + + + + + Dia: Arbitrary code execution through SVG import + + Improperly sanitised data in Dia allows remote attackers to execute + arbitrary code. + + dia + October 06, 2005 + October 06, 2005: 01 + 107916 + remote + + + 0.94-r3 + 0.94-r3 + + + +

+ Dia is a gtk+ based diagram creation program released under the + GPL license. +

+
+ +

+ Joxean Koret discovered that the SVG import plugin in Dia fails to + properly sanitise data read from an SVG file. +

+
+ +

+ An attacker could create a specially crafted SVG file, which, when + imported into Dia, could lead to the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Dia users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/dia-0.94-r3" +
+ + CAN-2005-2966 + + + koon + + + adir + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-07.xml b/xml/htdocs/security/en/glsa/glsa-200510-07.xml
new file mode 100644
index 00000000..390cdce4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-07.xml
@@ -0,0 +1,76 @@
+ + + + + + + RealPlayer, Helix Player: Format string vulnerability + + RealPlayer and Helix Player are vulnerable to a format string vulnerability + resulting in the execution of arbitrary code. + + realplayer helixplayer + October 07, 2005 + November 22, 2005: 02 + 107309 + remote + + + 10.0.6 + 10.0.6 + + + 1.0.6 + + + +

+ RealPlayer is a multimedia player capable of handling multiple + multimedia file formats. Helix Player is an open source media player + for Linux. +

+
+ +

+ "c0ntex" reported that RealPlayer and Helix Player suffer from a heap + overflow. +

+
+ +

+ By enticing a user to play a specially crafted realpix (.rp) or + realtext (.rt) file, an attacker could execute arbitrary code with the + permissions of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All RealPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/realplayer-10.0.6" +

+ Note to Helix Player users: There is currently no stable secure Helix + Player package. Affected users should remove the package until an + updated Helix Player package is released. +

+
+ + CAN-2005-2710 + + + koon + + + adir + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-08.xml b/xml/htdocs/security/en/glsa/glsa-200510-08.xml
new file mode 100644
index 00000000..97ec9404
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-08.xml
@@ -0,0 +1,68 @@
+ + + + + + + xine-lib: Format string vulnerability + + xine-lib contains a format string error in CDDB response handling that may + be exploited to execute arbitrary code. + + xine-lib + October 08, 2005 + October 08, 2005: 01 + 107854 + remote + + + 1.1.0-r5 + 1.0.1-r4 + 1_rc8-r2 + 1.1.0-r5 + + + +

+ xine-lib is a multimedia library which can be utilized to create + multimedia frontends. It includes functions to retrieve information + about audio CD contents from public CDDB servers. +

+
+ +

+ Ulf Harnhammar discovered a format string bug in the routines + handling CDDB server response contents. +

+
+ +

+ An attacker could submit malicious information about an audio CD + to a public CDDB server (or impersonate a public CDDB server). When the + victim plays this CD on a multimedia frontend relying on xine-lib, it + could end up executing arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose media-libs/xine-lib +
+ + CAN-2005-2967 + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-09.xml b/xml/htdocs/security/en/glsa/glsa-200510-09.xml
new file mode 100644
index 00000000..9aed069c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-09.xml
@@ -0,0 +1,65 @@
+ + + + + + + Weex: Format string vulnerability + + Weex contains a format string error that may be exploited by malicious + servers to execute arbitrary code. + + Weex + October 08, 2005 + October 08, 2005: 01 + 107849 + remote + + + 2.6.1.5-r1 + 2.6.1.5-r1 + + + +

+ Weex is a non-interactive FTP client typically used to update web + pages. +

+
+ +

+ Ulf Harnhammar discovered a format string bug in Weex that can be + triggered when it is first run (or when its cache files are rebuilt, + using the -r option). +

+
+ +

+ An attacker could setup a malicious FTP server which, when + accessed using Weex, could trigger the format string bug and end up + executing arbitrary code with the rights of the user running Weex. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Weex users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/weex-2.6.1.5-r1" +
+ + CAN-2005-3150 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-10.xml b/xml/htdocs/security/en/glsa/glsa-200510-10.xml
new file mode 100644
index 00000000..75f030ed
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-10.xml
@@ -0,0 +1,68 @@
+ + + + + + + uw-imap: Remote buffer overflow + + uw-imap is vulnerable to remote overflow of a buffer in the IMAP server + leading to execution of arbitrary code. + + uw-imap + October 11, 2005 + October 11, 2005: 01 + 108206 + remote + + + 2004g + 2004g + + + +

+ uw-imap is the University of Washington's IMAP and POP server + daemons. +

+
+ +

+ Improper bounds checking of user supplied data while parsing IMAP + mailbox names can lead to overflowing the stack buffer. +

+
+ +

+ Successful exploitation requires an authenticated IMAP user to + request a malformed mailbox name. This can lead to execution of + arbitrary code with the permissions of the IMAP server. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All uw-imap users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/uw-imap-2004g" +
+ + CAN-2005-2933 + iDEFENSE Security Advisory + + + koon + + + koon + + + r2d2 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-11.xml b/xml/htdocs/security/en/glsa/glsa-200510-11.xml
new file mode 100644
index 00000000..e338971a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-11.xml
@@ -0,0 +1,73 @@
+ + + + + + + OpenSSL: SSL 2.0 protocol rollback + + When using a specific option, OpenSSL can be forced to fallback to the less + secure SSL 2.0 protocol. + + OpenSSL + October 12, 2005 + November 07, 2005: 02 + 108852 + remote + + + 0.9.7h + 0.9.7g-r1 + 0.9.7e-r2 + 0.9.7h + + + +

+ OpenSSL is a toolkit implementing the Secure Sockets Layer, Transport + Layer Security protocols and a general-purpose cryptography library. +

+
+ +

+ Applications setting the SSL_OP_MSIE_SSLV2_RSA_PADDING option (or the + SSL_OP_ALL option, that implies it) can be forced by a third-party to + fallback to the less secure SSL 2.0 protocol, even if both parties + support the more secure SSL 3.0 or TLS 1.0 protocols. +

+
+ +

+ A man-in-the-middle attacker can weaken the encryption used to + communicate between two parties, potentially revealing sensitive + information. +

+
+ +

+ If possible, disable the use of SSL 2.0 in all OpenSSL-enabled + applications. +

+
+ +

+ All OpenSSL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-libs/openssl +
+ + CAN-2005-2969 + OpenSSL security advisory + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-12.xml b/xml/htdocs/security/en/glsa/glsa-200510-12.xml
new file mode 100644
index 00000000..68e58517
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-12.xml
@@ -0,0 +1,75 @@
+ + + + + + + KOffice, KWord: RTF import buffer overflow + + KOffice and KWord are vulnerable to a buffer overflow in the RTF importer, + potentially resulting in the execution of arbitrary code. + + koffice, kword + October 14, 2005 + October 14, 2005: 01 + 108411 + remote + + + 1.4.1-r1 + 1.4.1-r1 + + + 1.4.1-r1 + 1.4.1-r1 + + + +

+ KOffice is an integrated office suite for KDE. KWord is the + KOffice word processor. +

+
+ +

+ Chris Evans discovered that the KWord RTF importer was vulnerable + to a heap-based buffer overflow. +

+
+ +

+ An attacker could entice a user to open a specially-crafted RTF + file, potentially resulting in the execution of arbitrary code with the + rights of the user running the affected application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All KOffice users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/koffice-1.4.1-r1" +

+ All KWord users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/kword-1.4.1-r1" +
+ + CAN-2005-2971 + KDE Security Advisory: KWord RTF import buffer overflow + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-13.xml b/xml/htdocs/security/en/glsa/glsa-200510-13.xml
new file mode 100644
index 00000000..3a6a9759
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-13.xml
@@ -0,0 +1,67 @@
+ + + + + + + SPE: Insecure file permissions + + SPE files are installed with world-writeable permissions, potentially + leading to privilege escalation. + + spe + October 15, 2005 + May 22, 2006: 02 + 108538 + local + + + 0.7.5c-r1 + 0.5.1f-r1 + 0.7.5c-r1 + + + +

+ SPE is a cross-platform Python Integrated Development Environment + (IDE). +

+
+ +

+ It was reported that due to an oversight all SPE's files are set as + world-writeable. +

+
+ +

+ A local attacker could modify the executable files, causing arbitrary + code to be executed with the permissions of the user running SPE. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SPE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-util/spe +
+ + CVE-2005-3291 + + + jaervosz + + + adir + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-14.xml b/xml/htdocs/security/en/glsa/glsa-200510-14.xml
new file mode 100644
index 00000000..31c1f40d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-14.xml
@@ -0,0 +1,97 @@
+ + + + + + + Perl, Qt-UnixODBC, CMake: RUNPATH issues + + Multiple packages suffer from RUNPATH issues that may allow users in the + "portage" group to escalate privileges. + + Perl Qt-UnixODBC CMake + October 17, 2005 + May 22, 2006: 03 + 105719 + 105721 + 106678 + local + + + 5.8.7-r1 + 5.8.6-r6 + 5.8.7-r1 + + + 3.3.4-r1 + 3.3.4-r1 + + + 2.2.0-r1 + 2.0.6-r1 + 2.2.0-r1 + + + +

+ Perl is a stable, cross-platform programming language created by Larry + Wall. Qt-UnixODBC is an ODBC library for Qt. CMake is a cross-platform + build environment. +

+
+ +

+ Some packages may introduce insecure paths into the list of directories + that are searched for libraries at runtime. Furthermore, packages + depending on the MakeMaker Perl module for build configuration may have + incorrectly copied the LD_RUN_PATH into the DT_RPATH. +

+
+ +

+ A local attacker, who is a member of the "portage" group, could create + a malicious shared object in the Portage temporary build directory that + would be loaded at runtime by a dependent executable, potentially + resulting in privilege escalation. +

+
+ +

+ Only grant "portage" group rights to trusted users. +

+
+ +

+ All Perl users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-lang/perl +

+ All Qt-UnixODBC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/qt-unixODBC-3.3.4-r1" +

+ All CMake users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-util/cmake +
+ + CVE-2005-4278 + CVE-2005-4279 + CVE-2005-4280 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-15.xml b/xml/htdocs/security/en/glsa/glsa-200510-15.xml
new file mode 100644
index 00000000..0a8198d7
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-15.xml
@@ -0,0 +1,68 @@
+ + + + + + + Lynx: Buffer overflow in NNTP processing + + Lynx contains a buffer overflow that may be exploited to execute arbitrary + code. + + Lynx + October 17, 2005 + October 17, 2005: 01 + 108451 + remote + + + 2.8.5-r1 + 2.8.5-r1 + + + +

+ Lynx is a text-mode browser for the World Wide Web. It supports + multiple URL types, including HTTP and NNTP URLs. +

+
+ +

+ When accessing a NNTP URL, Lynx connects to a NNTP server and + retrieves information about the available articles in the target + newsgroup. Ulf Harnhammar discovered a buffer overflow in a function + that handles the escaping of special characters. +

+
+ +

+ An attacker could setup a malicious NNTP server and entice a user + to access it using Lynx (either by creating NNTP links on a web page or + by forcing a redirect for Lynx users). The data returned by the NNTP + server would trigger the buffer overflow and execute arbitrary code + with the rights of the user running Lynx. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Lynx users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/lynx-2.8.5-r1" +
+ + CAN-2005-3120 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-16.xml b/xml/htdocs/security/en/glsa/glsa-200510-16.xml
new file mode 100644
index 00000000..a8d8bd0f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-16.xml
@@ -0,0 +1,69 @@
+ + + + + + + phpMyAdmin: Local file inclusion vulnerability + + phpMyAdmin contains a local file inclusion vulnerability that may lead to + the execution of arbitrary code. + + phpmyadmin + October 17, 2005 + May 22, 2006: 02 + 108939 + local + + + 2.6.4_p2 + 2.6.4_p2 + + + +

+ phpMyAdmin is a tool written in PHP intended to handle the + administration of MySQL over the web. +

+
+ +

+ Maksymilian Arciemowicz reported that in + libraries/grab_globals.lib.php, the $__redirect parameter was not + correctly validated. Systems running PHP in safe mode are not affected. +

+
+ +

+ A local attacker may exploit this vulnerability by sending malicious + requests, causing the execution of arbitrary code with the rights of + the user running the web server. +

+
+ +

+ Run PHP in safe mode. +

+
+ +

+ All phpMyAdmin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.4_p2" +
+ + PMASA-2005-4 + CVE-2005-3299 + + + koon + + + koon + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-17.xml b/xml/htdocs/security/en/glsa/glsa-200510-17.xml
new file mode 100644
index 00000000..4d32e385
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-17.xml
@@ -0,0 +1,69 @@
+ + + + + + + AbiWord: New RTF import buffer overflows + + AbiWord is vulnerable to an additional set of buffer overflows during RTF + import, making it vulnerable to the execution of arbitrary code. + + AbiWord + October 20, 2005 + October 20, 2005: 01 + 109157 + remote + + + 2.2.11 + 2.2.11 + + + +

+ AbiWord is a free and cross-platform word processing program. It + allows to import RTF files into AbiWord documents. +

+
+ +

+ Chris Evans discovered a different set of buffer overflows than + the one described in GLSA 200509-20 in the RTF import function in + AbiWord. +

+
+ +

+ An attacker could design a malicious RTF file and entice a user to + import it in AbiWord, potentially resulting in the execution of + arbitrary code with the rights of the user running AbiWord. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All AbiWord users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/abiword-2.2.11" +
+ + GLSA-200509-20 + CAN-2005-2972 + + + koon + + + formula7 + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-18.xml b/xml/htdocs/security/en/glsa/glsa-200510-18.xml
new file mode 100644
index 00000000..5b3dc916
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-18.xml
@@ -0,0 +1,75 @@
+ + + + + + + Netpbm: Buffer overflow in pnmtopng + + The pnmtopng utility, part of the Netpbm tools, contains a vulnerability + which can potentially result in the execution of arbitrary code. + + Netpbm + October 20, 2005 + May 28, 2009: 06 + 109705 + remote + + + 10.29 + 10.26.32 + 10.26.33 + 10.26.42 + 10.26.43 + 10.26.44 + 10.26.48 + 10.26.49 + 10.26.52 + 10.26.53 + 10.26.59 + 10.26.61 + 10.29 + + + +

+ Netpbm is a package of 220 graphics programs and a programming library, + including pnmtopng, a tool to convert PNM image files to the PNG + format. +

+
+ +

+ RedHat reported that pnmtopng is vulnerable to a buffer overflow. +

+
+ +

+ An attacker could craft a malicious PNM file and entice a user to run + pnmtopng on it, potentially resulting in the execution of arbitrary + code with the permissions of the user running pnmtopng. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Netpbm users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose media-libs/netpbm +
+ + CAN-2005-2978 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-19.xml b/xml/htdocs/security/en/glsa/glsa-200510-19.xml
new file mode 100644
index 00000000..99089c12
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-19.xml
@@ -0,0 +1,70 @@
+ + + + + + + cURL: NTLM username stack overflow + + cURL is vulnerable to a buffer overflow which could lead to the execution + of arbitrary code. + + cURL + October 22, 2005 + October 22, 2005: 01 + 109097 + remote + + + 7.15.0 + 7.15.0 + + + +

+ cURL is a command line tool and library for transferring files via + many different protocols. It supports NTLM authentication to retrieve + files from Windows-based systems. +

+
+ +

+ iDEFENSE reported that insufficient bounds checking on a memcpy() + of the supplied NTLM username can result in a stack overflow. +

+
+ +

+ A remote attacker could setup a malicious server and entice an + user to connect to it using a cURL client, potentially leading to the + execution of arbitrary code with the permissions of the user running + cURL. +

+
+ +

+ Disable NTLM authentication by not using the --anyauth or --ntlm + options when using cURL (the command line version). Workarounds for + programs that use the cURL library depend on the configuration options + presented by those programs. +

+
+ +

+ All cURL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/curl-7.15.0" +
+ + CVE-2005-3185 + iDefense Security Advisory 10.13.05 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-20.xml b/xml/htdocs/security/en/glsa/glsa-200510-20.xml
new file mode 100644
index 00000000..335f5de2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-20.xml
@@ -0,0 +1,71 @@
+ + + + + + + Zope: File inclusion through RestructuredText + + Zope is vulnerable to a file inclusion vulnerability when exposing + RestructuredText functionalities to untrusted users. + + Zope + October 25, 2005 + May 22, 2006: 02 + 109087 + remote + + + 2.7.8 + 2.7.8 + 2.8.0 + 2.8.1 + + + +

+ Zope is an application server that can be used to build content + management systems, intranets, portals or other custom applications. +

+
+ +

+ Zope honors file inclusion directives in RestructuredText objects by + default. +

+
+ +

+ An attacker could exploit the vulnerability by sending malicious input + that would be interpreted in a RestructuredText Zope object, + potentially resulting in the execution of arbitrary Zope code with the + rights of the Zope server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Zope users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose net-zope/zope +
+ + Zope Hotfix 2005-10-09 Alert + CVE-2005-3323 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-21.xml b/xml/htdocs/security/en/glsa/glsa-200510-21.xml
new file mode 100644
index 00000000..6a227085
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-21.xml
@@ -0,0 +1,74 @@
+ + + + + + + phpMyAdmin: Local file inclusion and XSS vulnerabilities + + phpMyAdmin contains a local file inclusion vulnerability that may lead to + the execution of arbitrary code, along with several cross-site scripting + issues. + + phpmyadmin + October 25, 2005 + May 22, 2006: 02 + 110146 + local and remote + + + 2.6.4_p3 + 2.6.4_p3 + + + +

+ phpMyAdmin is a tool written in PHP intended to handle the + administration of MySQL over the web. +

+
+ +

+ Stefan Esser discovered that by calling certain PHP files directly, it + was possible to workaround the grab_globals.lib.php security model and + overwrite the $cfg configuration array. Systems running PHP in safe + mode are not affected. Futhermore, Tobias Klein reported several + cross-site-scripting issues resulting from insufficient user input + sanitizing. +

+
+ +

+ A local attacker may exploit this vulnerability by sending malicious + requests, causing the execution of arbitrary code with the rights of + the user running the web server. Furthermore, the cross-site scripting + issues give a remote attacker the ability to inject and execute + malicious script code or to steal cookie-based authentication + credentials, potentially compromising the victim's browser. +

+
+ +

+ There is no known workaround for all those issues at this time. +

+
+ +

+ All phpMyAdmin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.4_p3" +
+ + PMASA-2005-5 + CVE-2005-3300 + CVE-2005-3301 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-22.xml b/xml/htdocs/security/en/glsa/glsa-200510-22.xml
new file mode 100644
index 00000000..c1fdd0ca
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-22.xml
@@ -0,0 +1,71 @@
+ + + + + + + SELinux PAM: Local password guessing attack + + A vulnerability in the SELinux version of PAM allows a local attacker to + brute-force system passwords. + + PAM + October 28, 2005 + October 28, 2005: 01 + 109485 + local + + + 0.78-r3 + 0.78-r3 + + + +

+ PAM (Pluggable Authentication Modules) is an architecture allowing + the separation of the development of privilege granting software from + the development of secure and appropriate authentication schemes. + SELinux is an operating system based on Linux which includes Mandatory + Access Control. +

+
+ +

+ The SELinux patches for PAM introduce a vulnerability allowing a + password to be checked with the unix_chkpwd utility without delay or + logging. This vulnerability doesn't affect users who do not run + SELinux. +

+
+ +

+ A local attacker could exploit this vulnerability to brute-force + passwords and escalate privileges on an SELinux system. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SELinux PAM users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-libs/pam-0.78-r3" +
+ + CVE-2005-2977 + + + jaervosz + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-23.xml b/xml/htdocs/security/en/glsa/glsa-200510-23.xml
new file mode 100644
index 00000000..3659431c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200510-23.xml
@@ -0,0 +1,67 @@
+ + + + + + + TikiWiki: XSS vulnerability + + TikiWiki is vulnerable to cross-site scripting attacks. + + tikiwiki + October 28, 2005 + May 22, 2006: 02 + 109858 + remote + + + 1.9.1.1 + 1.9.1.1 + + + +

+ TikiWiki is a web-based groupware and content management system (CMS), + using PHP, ADOdb and Smarty. +

+
+ +

+ Due to improper input validation, TikiWiki can be exploited to perform + cross-site scripting attacks. +

+
+ +

+ A remote attacker could exploit this to inject and execute malicious + script code or to steal cookie-based authentication credentials, + potentially compromising the victim's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TikiWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.9.1.1" +

+ Note: Users with the vhosts USE flag set should manually use + webapp-config to finalize the update. +

+
+ + CVE-2005-3283 + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-24.xml b/xml/htdocs/security/en/glsa/glsa-200510-24.xml new file mode 100644 index 00000000..a1478cfc --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200510-24.xml @@ -0,0 +1,78 @@ + + + + + + + Mantis: Multiple vulnerabilities + + Mantis is affected by multiple vulnerabilities ranging from information + disclosure to arbitrary script execution. + + Mantis + October 28, 2005 + May 22, 2006: 02 + 110326 + remote + + + 0.19.3 + 0.19.3 + + + +

+ Mantis is a web-based bugtracking system written in PHP. +

+
+ +

+ Mantis contains several vulnerabilities, including: +

+
    +
  • a remote file inclusion vulnerability
  • +
  • an SQL injection vulnerability
  • +
  • multiple cross site scripting vulnerabilities
  • +
  • multiple information disclosure vulnerabilities
  • +
+
+ +

+ An attacker could exploit the remote file inclusion vulnerability to + execute arbitrary script code, and the SQL injection vulnerability to + access or modify sensitive information from the Mantis database. + Furthermore the cross-site scripting issues give an attacker the + ability to inject and execute malicious script code or to steal + cookie-based authentication credentials, potentially compromising the + victim's browser. An attacker could exploit other vulnerabilities to + disclose information. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mantis users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/mantisbt-0.19.3" +
+ + Mantis ChangeLog + CVE-2005-3335 + CVE-2005-3336 + CVE-2005-3337 + CVE-2005-3338 + CVE-2005-3339 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-25.xml b/xml/htdocs/security/en/glsa/glsa-200510-25.xml new file mode 100644 index 00000000..14572956 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200510-25.xml @@ -0,0 +1,87 @@ + + + + + + + Ethereal: Multiple vulnerabilities in protocol dissectors + + Ethereal is vulnerable to numerous vulnerabilities, potentially resulting + in the execution of arbitrary code or abnormal termination. + + Ethereal + October 30, 2005 + October 30, 2005: 01 + 109348 + remote + + + 0.10.13-r1 + 0.10.13-r1 + + + +

+ Ethereal is a feature-rich network protocol analyzer. +

+
+ +

+ There are numerous vulnerabilities in versions of Ethereal prior + to 0.10.13, including: +

+
    +
  • The SLIM3 and AgentX dissectors + could overflow a buffer (CVE-2005-3243).
  • +
  • iDEFENSE discovered a + buffer overflow in the SRVLOC dissector (CVE-2005-3184).
  • +
  • Multiple potential crashes in many dissectors have been fixed, see + References for further details.
  • +
+

+ Furthermore an infinite + loop was discovered in the IRC protocol dissector of the 0.10.13 + release (CVE-2005-3313). +

+
+ +

+ An attacker might be able to use these vulnerabilities to crash + Ethereal or execute arbitrary code with the permissions of the user + running Ethereal, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ethereal users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.10.13-r1" +
+ + CVE-2005-3184 + CVE-2005-3241 + CVE-2005-3242 + CVE-2005-3243 + CVE-2005-3244 + CVE-2005-3245 + CVE-2005-3246 + CVE-2005-3247 + CVE-2005-3248 + CVE-2005-3249 + CVE-2005-3313 + Ethereal enpa-sa-00021 + + + jaervosz + + + adir + +
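Review bot: The impact section states that Ethereal may be running as root, yet the workaround section reports none; a mitigation follows directly from that statement and belongs in the workaround. Capturing with a separate minimal privileged tool and opening the resulting file in Ethereal as an unprivileged user keeps the vulnerable dissectors out of a root process, so a crafted capture still reaches the same dissectors but arbitrary code runs only with that user's rights — the bound the impact section itself describes. This is a confinement measure, not a fix, and whether live capture needs root on a given installation is not something this advisory states, so it should be worded as partial. A one-line addition such as `Avoid running Ethereal as root; capture with a separate privileged tool and analyse the file as an unprivileged user.` would convey this without overclaiming.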
diff --git a/xml/htdocs/security/en/glsa/glsa-200510-26.xml b/xml/htdocs/security/en/glsa/glsa-200510-26.xml new file mode 100644 index 00000000..c7bf2084 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200510-26.xml @@ -0,0 +1,81 @@ + + + + + + + XLI, Xloadimage: Buffer overflow + + XLI and Xloadimage contain a vulnerability which could potentially result + in the execution of arbitrary code. + + xli xloadimage + October 30, 2005 + October 30, 2005: 01 + 108365 + remote + + + 1.17.0-r2 + 1.17.0-r2 + + + 4.1-r4 + 4.1-r4 + + + +

+ XLI and Xloadimage are X11 image manipulation utilities. +

+
+ +

+ When XLI or Xloadimage process an image, they create a new image + object to contain the new image, copying the title from the old image + to the newly created image. Ariel Berkman reported that the 'zoom', + 'reduce', and 'rotate' functions use a fixed length buffer to contain + the new title, which could be overwritten by the NIFF or XPM image + processors. +

+
+ +

+ A malicious user could craft a malicious XPM or NIFF file and + entice a user to view it using XLI, or manipulate it using Xloadimage, + potentially resulting in the execution of arbitrary code with the + permissions of the user running XLI or Xloadimage. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All XLI users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/xli-1.17.0-r2" +

+ All Xloadimage users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/xloadimage-4.1-r4" +
+ + CAN-2005-3178 + + + koon + + + adir + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-01.xml b/xml/htdocs/security/en/glsa/glsa-200511-01.xml new file mode 100644 index 00000000..54bd5986 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-01.xml @@ -0,0 +1,69 @@ + + + + + + + libgda: Format string vulnerabilities + + Two format string vulnerabilities in libgda may lead to the execution of + arbitrary code. + + libgda + November 02, 2005 + November 02, 2005: 01 + 110467 + remote + + + 1.2.2-r1 + 1.2.2-r1 + + + +

+ libgda is the library handling the data abstraction layer in the + Gnome data access architecture (GNOME-DB). It can also be used by + non-GNOME applications to manage data stored in databases or XML files. +

+
+ +

+ Steve Kemp discovered two format string vulnerabilities in the + gda_log_error and gda_log_message functions. Some applications may pass + untrusted input to those functions and be vulnerable. +

+
+ +

+ An attacker could pass malicious input to an application making + use of the vulnerable libgda functions, potentially resulting in the + execution of arbitrary code with the rights of that application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libgda users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=gnome-extra/libgda-1.2.2-r1" +
+ + CVE-2005-2958 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-02.xml b/xml/htdocs/security/en/glsa/glsa-200511-02.xml new file mode 100644 index 00000000..a2dbb67a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-02.xml @@ -0,0 +1,93 @@ + + + + + + + QDBM, ImageMagick, GDAL: RUNPATH issues + + Multiple packages suffer from RUNPATH issues that may allow users in the + "portage" group to escalate privileges. + + QDBM ImageMagick GDAL + November 02, 2005 + May 22, 2006: 02 + 105717 + 105760 + 108534 + local + + + 1.8.33-r2 + 1.8.33-r2 + + + 6.2.4.2-r1 + 6.2.4.2-r1 + + + 1.3.0-r1 + 1.2.6-r4 + 1.3.0-r1 + + + +

+ QDBM is a library of routines for managing a database. ImageMagick is a + collection of tools to read, write and manipulate images. GDAL is a + geospatial data abstraction library. +

+
+ +

+ Some packages may introduce insecure paths into the list of directories + that are searched for libraries at runtime. Furthermore, packages + depending on the MakeMaker Perl module for build configuration may have + incorrectly copied the LD_RUN_PATH into the DT_RPATH. +

+
+ +

+ A local attacker, who is a member of the "portage" group, could create + a malicious shared object in the Portage temporary build directory that + would be loaded at runtime by a dependent executable, potentially + resulting in privilege escalation. +

+
+ +

+ Only grant "portage" group rights to trusted users. +

+
+ +

+ All QDBM users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/qdbm-1.8.33-r2" +

+ All ImageMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.2.4.2-r1" +

+ All GDAL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose sci-libs/gdal +
+ + CVE-2005-3580 + CVE-2005-3581 + CVE-2005-3582 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-03.xml b/xml/htdocs/security/en/glsa/glsa-200511-03.xml new file mode 100644 index 00000000..e1fcdbe7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-03.xml @@ -0,0 +1,70 @@ + + + + + + + giflib: Multiple vulnerabilities + + giflib may dereference NULL or write out of bounds when processing + malformed images, potentially resulting in Denial of Service or arbitrary + code execution. + + giflib + November 04, 2005 + November 04, 2005: 01 + 109997 + remote + + + 4.1.4 + 4.1.4 + + + +

+ giflib is a library for reading and writing GIF images. +

+
+ +

+ Chris Evans and Daniel Eisenbud independently discovered two + out-of-bounds memory write operations and a NULL pointer dereference in + giflib. +

+
+ +

+ An attacker could craft a malicious GIF image and entice users to + load it using an application making use of the giflib library, + resulting in an application crash or potentially the execution of + arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All giflib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/giflib-4.1.4" +
+ + CVE-2005-2974 + CVE-2005-3350 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-04.xml b/xml/htdocs/security/en/glsa/glsa-200511-04.xml new file mode 100644 index 00000000..04a949d4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-04.xml @@ -0,0 +1,78 @@ + + + + + + + ClamAV: Multiple vulnerabilities + + ClamAV has many security flaws which make it vulnerable to remote execution + of arbitrary code and a Denial of Service. + + clamav + November 06, 2005 + May 22, 2006: 02 + 109213 + remote + + + 0.87.1 + 0.87.1 + + + +

+ ClamAV is a GPL anti-virus toolkit, designed for integration with mail + servers to perform attachment scanning. ClamAV also provides a command + line scanner and a tool for fetching updates of the virus database. +

+
+ +

+ ClamAV has multiple security flaws: a boundary check was performed + incorrectly in petite.c, a buffer size calculation in unfsg_133 was + incorrect in fsg.c, a possible infinite loop was fixed in tnef.c and a + possible infinite loop in cabd_find was fixed in cabd.c . In addition + to this, Marcin Owsiany reported that a corrupted DOC file causes a + segmentation fault in ClamAV. +

+
+ +

+ By sending a malicious attachment to a mail server that is hooked with + ClamAV, a remote attacker could cause a Denial of Service or the + execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.87.1" +
+ + CAN-2005-3239 + CAN-2005-3303 + CVE-2005-3500 + CVE-2005-3501 + CVE-2005-3587 + ClamAV release notes + Zero Day Initiative advisory + + + koon + + + adir + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-05.xml b/xml/htdocs/security/en/glsa/glsa-200511-05.xml new file mode 100644 index 00000000..067c32f8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-05.xml @@ -0,0 +1,72 @@ + + + + + + + GNUMP3d: Directory traversal and XSS vulnerabilities + + GNUMP3d is vulnerable to directory traversal and cross-site scripting + attacks that may result in information disclosure or the compromise of a + browser. + + gnump3d + November 06, 2005 + August 21, 2007: 02 + 109667 + remote + + + 2.9_pre7 + 2.9_pre7 + + + +

+ GNUMP3d is a streaming server for MP3s, OGG vorbis files, movies and + other media formats. +

+
+ +

+ Steve Kemp reported about two cross-site scripting attacks that are + related to the handling of files (CVE-2005-3424, CVE-2005-3425). Also + reported is a directory traversal vulnerability which comes from the + attempt to sanitize input paths (CVE-2005-3123). +

+
+ +

+ A remote attacker could exploit this to disclose sensitive information + or inject and execute malicious script code, potentially compromising + the victim's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GNUMP3d users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/gnump3d-2.9_pre7" +
+ + CVE-2005-3123 + CVE-2005-3424 + CVE-2005-3425 + + + koon + + + adir + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-06.xml b/xml/htdocs/security/en/glsa/glsa-200511-06.xml new file mode 100644 index 00000000..0a84ca9a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-06.xml @@ -0,0 +1,67 @@ + + + + + + + fetchmail: Password exposure in fetchmailconf + + fetchmailconf fails to properly handle file permissions, temporarily + exposing sensitive information to other local users. + + fetchmail + November 06, 2005 + November 06, 2005: 01 + 110366 + local + + + 6.2.5.2-r1 + 6.2.5.2-r1 + + + +

+ fetchmail is a utility that retrieves and forwards mail from + remote systems using IMAP, POP, and other protocols. It ships with + fetchmailconf, a graphical utility used to create configuration files. +

+
+ +

+ Thomas Wolff discovered that fetchmailconf opens the configuration + file with default permissions, writes the configuration to it, and only + then restricts read permissions to the owner. +

+
+ +

+ A local attacker could exploit the race condition to retrieve + sensitive information like IMAP/POP passwords. +

+
+ +

+ Run "umask 077" to temporarily strengthen default permissions, + then run "fetchmailconf" from the same shell. +

+
+ +

+ All fetchmail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.2.5.2-r1" +
+ + Fetchmail Security Advisory + CVE-2005-3088 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-07.xml b/xml/htdocs/security/en/glsa/glsa-200511-07.xml new file mode 100644 index 00000000..976012a9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-07.xml @@ -0,0 +1,73 @@ + + + + + + + OpenVPN: Multiple vulnerabilities + + The OpenVPN client is potentially vulnerable to the execution of arbitrary + code and the OpenVPN server is vulnerable to a Denial of Service issue. + + OpenVPN + November 06, 2005 + November 06, 2005: 01 + 111116 + remote + + + 2.0.4 + 2.0.4 + + + +

+ OpenVPN is a multi-platform, full-featured SSL VPN solution. +

+
+ +

+ The OpenVPN client contains a format string bug in the handling of + the foreign_option in options.c. Furthermore, when the OpenVPN server + runs in TCP mode, it may dereference a NULL pointer under specific + error conditions. +

+
+ +

+ A remote attacker could setup a malicious OpenVPN server and trick + the user into connecting to it, potentially executing arbitrary code on + the client's computer. A remote attacker could also exploit the NULL + dereference issue by sending specific packets to an OpenVPN server + running in TCP mode, resulting in a Denial of Service condition. +

+
+ +

+ Do not use "pull" or "client" options in the OpenVPN client + configuration file, and use UDP mode for the OpenVPN server. +

+
+ +

+ All OpenVPN users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/openvpn-2.0.4" +
+ + CVE-2005-3393 + CVE-2005-3409 + OpenVPN changelog + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-08.xml b/xml/htdocs/security/en/glsa/glsa-200511-08.xml new file mode 100644 index 00000000..96194884 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-08.xml @@ -0,0 +1,118 @@ + + + + + + + PHP: Multiple vulnerabilities + + PHP suffers from multiple issues, resulting in security functions bypass, + local Denial of service, cross-site scripting or PHP variables overwrite. + + PHP + November 13, 2005 + November 13, 2005: 01 + 107602 + 111032 + remote and local + + + 4.3.11-r4 + 4.4.0-r4 + 4.4.0-r4 + + + 4.3.11-r4 + 4.4.0-r8 + 4.4.0-r8 + + + 4.3.11-r5 + 4.4.0-r5 + 4.4.0-r5 + + + +

+ PHP is a general-purpose scripting language widely used to develop + web-based applications. It can run inside a web server using the + mod_php module or the CGI version and also stand-alone in a CLI. +

+
+ +

+ Multiple vulnerabilities have been found and fixed in PHP: +

+
    +
  • a possible $GLOBALS variable overwrite problem through file + upload handling, extract() and import_request_variables() + (CVE-2005-3390)
  • +
  • a local Denial of Service through the use of + the session.save_path option (CVE-2005-3319)
  • +
  • an issue with + trailing slashes in allowed basedirs (CVE-2005-3054)
  • +
  • an issue + with calling virtual() on Apache 2, allowing to bypass safe_mode and + open_basedir restrictions (CVE-2005-3392)
  • +
  • a problem when a + request was terminated due to memory_limit constraints during certain + parse_str() calls (CVE-2005-3389)
  • +
  • The curl and gd modules + allowed to bypass the safe mode open_basedir restrictions + (CVE-2005-3391)
  • +
  • a cross-site scripting (XSS) vulnerability in + phpinfo() (CVE-2005-3388)
  • +
+
+ +

+ Attackers could leverage these issues to exploit applications that + are assumed to be secure through the use of proper register_globals, + safe_mode or open_basedir parameters. Remote attackers could also + conduct cross-site scripting attacks if a page calling phpinfo() was + available. Finally, a local attacker could cause a local Denial of + Service using malicious session.save_path options. +

+
+ +

+ There is no known workaround that would solve all issues at this + time. +

+
+ +

+ All PHP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-php/php +

+ All mod_php users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-php/mod_php +

+ All php-cgi users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-php/php-cgi +
+ + CVE-2005-3054 + CVE-2005-3319 + CVE-2005-3388 + CVE-2005-3389 + CVE-2005-3390 + CVE-2005-3391 + CVE-2005-3392 + + + koon + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-09.xml b/xml/htdocs/security/en/glsa/glsa-200511-09.xml new file mode 100644 index 00000000..27771d68 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-09.xml @@ -0,0 +1,73 @@ + + + + + + + Lynx: Arbitrary command execution + + Lynx is vulnerable to an issue which allows the remote execution of + arbitrary commands. + + lynx + November 13, 2005 + November 13, 2005: 01 + 112213 + remote + + + 2.8.5-r2 + 2.8.5-r2 + + + +

+ Lynx is a fully-featured WWW client for users running + cursor-addressable, character-cell display devices such as vt100 + terminals and terminal emulators. +

+
+ +

+ iDefense labs discovered a problem within the feature to execute + local cgi-bin programs via the "lynxcgi:" URI handler. Due to a + configuration error, the default settings allow websites to specify + commands to run as the user running Lynx. +

+
+ +

+ A remote attacker can entice a user to access a malicious HTTP + server, causing Lynx to execute arbitrary commands. +

+
+ +

+ Disable "lynxcgi" links by specifying the following directive in + lynx.cfg: +

+ + TRUSTED_LYNXCGI:none +
+ +

+ All Lynx users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/lynx-2.8.5-r2" +
+ + CVE-2005-2929 + iDefense Security Advisory 11.11.05 + + + taviso + + + adir + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-10.xml b/xml/htdocs/security/en/glsa/glsa-200511-10.xml new file mode 100644 index 00000000..1fe25982 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-10.xml @@ -0,0 +1,83 @@ + + + + + + + RAR: Format string and buffer overflow vulnerabilities + + RAR contains a format string error and a buffer overflow vulnerability that + may be used to execute arbitrary code. + + rar + November 13, 2005 + November 13, 2005: 01 + 111926 + remote + + + 3.5.1 + 3.5.1 + + + +

+ RAR is a powerful archive manager that can decompress RAR, ZIP and + other files, and can create new archives in RAR and ZIP file format. +

+
+ +

+ Tan Chew Keong reported about two vulnerabilities found in RAR: +

+
    +
  • A format string error exists when displaying a diagnostic + error message that informs the user of an invalid filename in an + UUE/XXE encoded file.
  • +
  • Some boundary errors in the processing + of malicious ACE archives can be exploited to cause a buffer + overflow.
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities by enticing + a user to: +

+
  • decode a specially crafted UUE/XXE file, + or
  • +
  • extract a malicious ACE archive containing a file with an + overly long filename.
  • +
+

+ When the user performs these + actions, the arbitrary code of the attacker's choice will be executed. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All RAR users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/rar-3.5.1" +
+ + RAR Release Notes + Secunia Research 11/10/2005 + + + jaervosz + + + adir + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-11.xml b/xml/htdocs/security/en/glsa/glsa-200511-11.xml new file mode 100644 index 00000000..54116ace --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-11.xml @@ -0,0 +1,68 @@ + + + + + + + linux-ftpd-ssl: Remote buffer overflow + + A buffer overflow vulnerability has been found, allowing a remote attacker + to execute arbitrary code with escalated privileges on the local system. + + linux-ftpd-ssl + November 13, 2005 + December 30, 2007: 02 + 111573 + remote + + + 0.17-r3 + 0.17-r3 + + + +

+ linux-ftpd-ssl is the netkit FTP server with encryption support. +

+
+ +

+ A buffer overflow vulnerability has been found in the + linux-ftpd-ssl package. A command that generates an excessively long + response from the server may overrun a stack buffer. +

+
+ +

+ An attacker that has permission to create directories that are + accessible via the FTP server could exploit this vulnerability. + Successful exploitation would execute arbitrary code on the local + machine with root privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ftpd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/netkit-ftpd-0.17-r3" +
+ + CVE-2005-3524 + + + koon + + + shellsage + + + adir + +
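Review bot: The synopsis and the `remote` access field present this as reachable by any remote attacker, while the impact section restricts it to an attacker that has permission to create directories accessible via the FTP server; the two should be reconciled so readers can judge their exposure. The precondition matters for triage: a server offering only read-only anonymous access is presumably not reachable by this path, whereas one with upload-capable accounts or a writable anonymous area is, and the advisory should say which configurations it considers exposed rather than leaving it to inference. Suggested synopsis wording: `allowing a remote attacker with directory-creation rights on the server to execute arbitrary code with root privileges.` The resolution atom `net-ftp/netkit-ftpd` also differs from the `linux-ftpd-ssl` name used in the title and description; if they are the same package a short note saying so would avoid users looking for a package that does not exist.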
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-12.xml b/xml/htdocs/security/en/glsa/glsa-200511-12.xml new file mode 100644 index 00000000..6dbbab1d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-12.xml @@ -0,0 +1,70 @@ + + + + + + + Scorched 3D: Multiple vulnerabilities + + Multiple vulnerabilities in Scorched 3D allow a remote attacker to deny + service or execute arbitrary code on game servers. + + scorched3d + November 15, 2005 + August 10, 2006: 03 + 111421 + remote + + + 40 + 39.1 + + + +

+ Scorched 3D is a clone of the classic "Scorched Earth" DOS game, adding + features like a 3D island environment and Internet multiplayer + capabilities. +

+
+ +

+ Luigi Auriemma discovered multiple flaws in the Scorched 3D game + server, including a format string vulnerability and several buffer + overflows. +

+
+ +

+ A remote attacker can exploit these vulnerabilities to crash a game + server or execute arbitrary code with the rights of the game server + user. Users not running a Scorched 3D game server are not affected by + these flaws. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Scorched 3D users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-strategy/scorched3d-40" +
+ + Original advisory + CVE-2005-3486 + CVE-2005-3487 + CVE-2005-3488 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-13.xml b/xml/htdocs/security/en/glsa/glsa-200511-13.xml new file mode 100644 index 00000000..076174f1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-13.xml @@ -0,0 +1,82 @@ + + + + + + + Sylpheed, Sylpheed-Claws: Buffer overflow in LDIF importer + + Sylpheed and Sylpheed-Claws contain a buffer overflow vulnerability which + may lead to the execution of arbitrary code. + + sylpheed sylpheed-claws + November 15, 2005 + November 15, 2005: 01 + 111853 + remote + + + 2.0.4 + 2.0.4 + + + 1.0.5-r1 + 1.0.5-r1 + + + +

+ Sylpheed is a lightweight email client and newsreader. + Sylpheed-Claws is a 'bleeding edge' version of Sylpheed. They both + support the import of address books in LDIF (Lightweight Directory + Interchange Format). +

+
+ +

+ Colin Leroy reported buffer overflow vulnerabilities in Sylpheed + and Sylpheed-Claws. The LDIF importer uses a fixed length buffer to + store data of variable length. Two similar problems exist also in the + Mutt and Pine addressbook importers of Sylpheed-Claws. +

+
+ +

+ By convincing a user to import a specially-crafted LDIF file into + the address book, a remote attacker could cause the program to crash, + potentially allowing the execution of arbitrary code with the + privileges of the user running the software. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Sylpheed users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/sylpheed-2.0.4" +

+ All Sylpheed-Claws users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/sylpheed-claws-1.0.5-r1" +
+ + CVE-2005-3354 + + + koon + + + adir + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-14.xml b/xml/htdocs/security/en/glsa/glsa-200511-14.xml new file mode 100644 index 00000000..574a7658 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-14.xml @@ -0,0 +1,85 @@ + + + + + + + GTK+ 2, GdkPixbuf: Multiple XPM decoding vulnerabilities + + The GdkPixbuf library, that is also included in GTK+ 2, contains + vulnerabilities that could lead to a Denial of Service or the execution of + arbitrary code. + + gtk+ + November 16, 2005 + November 16, 2005: 01 + 112608 + remote + + + 2.8.6-r1 + 2.6.10-r1 + 2.0 + 2.8.6-r1 + + + 0.22.0-r5 + 0.22.0-r5 + + + +

+ GTK+ (the GIMP Toolkit) is a toolkit for creating graphical user + interfaces. The GdkPixbuf library provides facilities for image + handling. It is available as a standalone library and also packaged + with GTK+ 2. +

+
+ +

+ iDEFENSE reported a possible heap overflow in the XPM loader + (CVE-2005-3186). Upon further inspection, Ludwig Nussel discovered two + additional issues in the XPM processing functions : an integer overflow + (CVE-2005-2976) that affects only gdk-pixbuf, and an infinite loop + (CVE-2005-2975). +

+
+ +

+ Using a specially crafted XPM image an attacker could cause an + affected application to enter an infinite loop or trigger the + overflows, potentially allowing the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GTK+ 2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose x11-libs/gtk+ +

+ All GdkPixbuf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/gdk-pixbuf-0.22.0-r5" +
+ + CVE-2005-2975 + CVE-2005-2976 + CVE-2005-3186 + iDefense Security Advisory 11.15.05 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-15.xml b/xml/htdocs/security/en/glsa/glsa-200511-15.xml new file mode 100644 index 00000000..177260e7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-15.xml @@ -0,0 +1,69 @@ + + + + + + + Smb4k: Local unauthorized file access + + A vulnerability has been identified that allows unauthorized access to the + contents of /etc/sudoers and /etc/super.tab files. + + Smb4k + November 18, 2005 + November 18, 2005: 01 + 111089 + local + + + 0.6.4 + 0.6.4 + + + +

+ Smb4K is a SMB/CIFS share browser for KDE. +

+
+ +

+ A vulnerability leading to unauthorized file access has been + found. A pre-existing symlink from /tmp/sudoers and /tmp/super.tab to a + textfile will cause Smb4k to write the contents of these files to the + target of the symlink, as Smb4k does not check for the existence of + these files before writing to them. +

+
+ +

+ An attacker could acquire local privilege escalation by adding + username(s) to the list of sudoers. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All smb4k users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/smb4k-0.6.4" +
+ + CVE-2005-2851 + Smb4k Announcement + + + koon + + + koon + + + shellsage + +
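Review bot: The description only establishes a disclosure path — Smb4k follows a pre-existing symlink at /tmp/sudoers or /tmp/super.tab and writes the contents of the real files to the symlink target — and the title and synopsis ("unauthorized access to the contents of /etc/sudoers") are consistent with that, but the impact section claims privilege escalation by adding usernames to the sudoers list, which requires attacker-controlled content to flow back into /etc/sudoers. Nothing in the description shows that write path; if Smb4k subsequently copies the temporary file back over /etc/sudoers with elevated rights (to be confirmed against the linked Smb4k announcement), the description should state it explicitly, otherwise the impact should be reduced to disclosure of those two files. A sentence such as `Smb4k also copies the temporary file back into /etc/sudoers, so an attacker who controls the temporary file can insert entries of their choice.` would close the gap, if that is indeed what the upstream fix addresses.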
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-16.xml b/xml/htdocs/security/en/glsa/glsa-200511-16.xml new file mode 100644 index 00000000..6bb85b2e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-16.xml @@ -0,0 +1,75 @@ + + + + + + + GNUMP3d: Directory traversal and insecure temporary file creation + + Two vulnerabilities have been identified in GNUMP3d allowing for limited + directory traversal and insecure temporary file creation. + + GNUMP3d + November 21, 2005 + August 21, 2007: 02 + 111990 + remote + + + 2.9_pre7 + 2.9_pre7 + + + +

+ GNUMP3d is a streaming server for MP3s, OGG vorbis files, movies and + other media formats. +

+
+ +

+ Ludwig Nussel from SUSE Linux has identified two vulnerabilities in + GNUMP3d. GNUMP3d fails to properly check for the existence of + /tmp/index.lok before writing to the file, allowing for local + unauthorized access to files owned by the user running GNUMP3d. GNUMP3d + also fails to properly validate the "theme" GET variable from CGI + input, allowing for unauthorized file inclusion. +

+
+ +

+ An attacker could overwrite files owned by the user running GNUMP3d by + symlinking /tmp/index.lok to the file targeted for overwrite. An + attacker could also include arbitrary files by traversing up the + directory tree (at most two times, i.e. "../..") with the "theme" GET + variable. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GNUMP3d users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/gnump3d-2.9_pre7" +
+ + CVE-2005-3349 + CVE-2005-3355 + GNUMP3d Changelog + + + koon + + + koon + + + shellsage + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-17.xml b/xml/htdocs/security/en/glsa/glsa-200511-17.xml new file mode 100644 index 00000000..b50a3f6a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-17.xml @@ -0,0 +1,71 @@ + + + + + + + FUSE: mtab corruption through fusermount + + The fusermount utility from FUSE can be abused to corrupt the /etc/mtab + file contents, potentially allowing a local attacker to set unauthorized + mount options. + + FUSE + November 22, 2005 + November 22, 2005: 01 + 112902 + local + + + 2.4.1-r1 + 2.4.1-r1 + + + +

+ FUSE (Filesystem in Userspace) allows implementation of a fully + functional filesystem in a userspace program. The fusermount utility is + used to mount/unmount FUSE file systems. +

+
+ +

+ Thomas Biege discovered that fusermount fails to securely handle + special characters specified in mount points. +

+
+ +

+ A local attacker could corrupt the contents of the /etc/mtab file + by mounting over a maliciously-named directory using fusermount, + potentially allowing the attacker to set unauthorized mount options. + This is possible only if fusermount is installed setuid root, which is + the default in Gentoo. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FUSE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-fs/fuse-2.4.1-r1" +
+ + CVE-2005-3531 + + + jaervosz + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-18.xml b/xml/htdocs/security/en/glsa/glsa-200511-18.xml new file mode 100644 index 00000000..795f1ddc --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-18.xml @@ -0,0 +1,76 @@ + + + + + + + phpSysInfo: Multiple vulnerabilities + + phpSysInfo is vulnerable to multiple issues, including a local file + inclusion leading to information disclosure and the potential execution of + arbitrary code. + + phpsysinfo + November 22, 2005 + November 22, 2005: 01 + 112482 + local and remote + + + 2.4.1 + 2.4.1 + + + +

+ phpSysInfo displays various system stats via PHP scripts. +

+
+ +

+ Christopher Kunz from the Hardened-PHP Project discovered + that phpSysInfo is vulnerable to local file inclusion, cross-site + scripting and a HTTP Response Splitting attacks. +

+
+ +

+ A local attacker may exploit the file inclusion vulnerability by + sending malicious requests, causing the execution of arbitrary code + with the rights of the user running the web server. A remote attacker + could exploit the vulnerability to disclose local file content. + Furthermore, the cross-site scripting issues gives a remote attacker + the ability to inject and execute malicious script code in the user's + browser context or to steal cookie-based authentication credentials. + The HTTP response splitting issue give an attacker the ability to + perform site hijacking and cache poisoning. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpSysInfo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/phpsysinfo-2.4.1" +
+ + Original advisory + CVE-2005-3347 + CVE-2005-3348 + + + jaervosz + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-19.xml b/xml/htdocs/security/en/glsa/glsa-200511-19.xml new file mode 100644 index 00000000..4feb51f9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-19.xml @@ -0,0 +1,71 @@ + + + + + + + eix: Insecure temporary file creation + + eix has an insecure temporary file creation vulnerability, potentially + allowing a local user to overwrite arbitrary files. + + eix + November 22, 2005 + May 22, 2006: 02 + 112061 + local + + + 0.5.0_pre2 + 0.3.0-r2 + 0.5.0_pre2 + + + +

+ eix is a small utility for searching ebuilds with indexing for fast + results. +

+
+ +

+ Eric Romang discovered that eix creates a temporary file with a + predictable name. eix creates a temporary file in /tmp/eix.*.sync where + * is the process ID of the shell running eix. +

+
+ +

+ A local attacker can watch the process list and determine the process + ID of the shell running eix while the "emerge --sync" command is + running, then create a link from the corresponding temporary file to a + system file, which would result in the file being overwritten with the + rights of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All eix users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose app-portage/eix +
+ + CVE-2005-3785 + + + koon + + + adir + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-20.xml b/xml/htdocs/security/en/glsa/glsa-200511-20.xml new file mode 100644 index 00000000..0c56e27b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-20.xml @@ -0,0 +1,74 @@ + + + + + + + Horde Application Framework: XSS vulnerability + + The Horde Application Framework is vulnerable to a cross-site scripting + vulnerability which could lead to the compromise of the victim's browser + content. + + horde + November 22, 2005 + November 22, 2005: 01 + 112491 + remote + + + 2.2.9 + 2.2.9 + + + +

+ The Horde Application Framework is a general-purpose web + application framework written in PHP, providing classes for handling + preferences, compression, browser detection, connection tracking, MIME, + and more. +

+
+ +

+ The Horde Team reported a potential XSS vulnerability. Horde fails + to properly escape error messages which may lead to displaying + unsanitized error messages via Notification_Listener::getMessage() +

+
+ +

+ By enticing a user to read a specially-crafted e-mail or using a + manipulated URL, an attacker can execute arbitrary scripts running in + the context of the victim's browser. This could lead to a compromise of + the user's browser content. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Horde Application Framework users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.9" +
+ + CVE-2005-3570 + Horde Announcement + + + jaervosz + + + adir + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-21.xml b/xml/htdocs/security/en/glsa/glsa-200511-21.xml new file mode 100644 index 00000000..111b9c4d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-21.xml @@ -0,0 +1,75 @@ + + + + + + + Macromedia Flash Player: Remote arbitrary code execution + + A vulnerability has been identified that allows arbitrary code execution on + a user's system via the handling of malicious SWF files. + + Flash + November 25, 2005 + May 28, 2009: 02 + 112251 + remote + + + 7.0.61 + 7.0.61 + + + +

+ The Macromedia Flash Player is a renderer for the popular SWF + filetype which is commonly used to provide interactive websites, + digital experiences and mobile content. +

+
+ +

+ When handling a SWF file, the Macromedia Flash Player incorrectly + validates the frame type identifier stored in the SWF file which is + used as an index to reference an array of function pointers. A + specially crafted SWF file can cause this index to reference memory + outside of the scope of the Macromedia Flash Player, which in turn can + cause the Macromedia Flash Player to use unintended memory address(es) + as function pointers. +

+
+ +

+ An attacker serving a maliciously crafted SWF file could entice a + user to view the SWF file and execute arbitrary code on the user's + machine. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Macromedia Flash Player users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-7.0.61" +
+ + CVE-2005-2628 + Macromedia Announcement + + + koon + + + shellsage + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-22.xml b/xml/htdocs/security/en/glsa/glsa-200511-22.xml new file mode 100644 index 00000000..18805282 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-22.xml @@ -0,0 +1,69 @@ + + + + + + + Inkscape: Buffer overflow + + A vulnerability has been identified that allows a specially crafted SVG + file to exploit a buffer overflow and potentially execute arbitrary code + when opened. + + Inkscape + November 28, 2005 + November 28, 2005: 01 + 109993 + remote + + + 0.43 + 0.43 + + + +

+ Inkscape is an Open Source vector graphics editor using the W3C + standard Scalable Vector Graphics (SVG) file format. +

+
+ +

+ Joxean Koret has discovered that Inkscape incorrectly allocates + memory when opening an SVG file, creating the possibility of a buffer + overflow if the SVG file being opened is specially crafted. +

+
+ +

+ An attacker could entice a user into opening a maliciously crafted + SVG file, allowing for the execution of arbitrary code on a machine + with the privileges of the user running Inkscape. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Inkscape users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/inkscape-0.43" +
+ + CVE-2005-3737 + + + koon + + + shellsage + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200511-23.xml b/xml/htdocs/security/en/glsa/glsa-200511-23.xml new file mode 100644 index 00000000..3c950d46 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200511-23.xml @@ -0,0 +1,80 @@ + + + + + + + chmlib, KchmViewer: Stack-based buffer overflow + + chmlib and KchmViewer contain a buffer overflow vulnerability which may + lead to the execution of arbitrary code. + + chmlib kchmviewer + November 28, 2005 + May 28, 2009: 03 + 110557 + remote + + + 0.37.4 + 0.37.4 + + + 1.1 + 1.1 + + + +

+ chmlib is a library for dealing with Microsoft ITSS and CHM format + files. KchmViewer is a CHM viewer that includes its own copy of the + chmlib library. +

+
+ +

+ Sven Tantau reported about a buffer overflow vulnerability in + chmlib. The function "_chm_decompress_block()" does not properly + perform boundary checking, resulting in a stack-based buffer overflow. +

+
+ +

+ By convincing a user to open a specially crafted ITSS or CHM file, + using KchmViewer or a program makes use of chmlib, a remote attacker + could execute arbitrary code with the privileges of the user running + the software. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All chmlib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/chmlib-0.37.4" +

+ All KchmViewer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/kchmviewer-1.1" +
+ + CVE-2005-3318 + + + koon + + + adir + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-01.xml b/xml/htdocs/security/en/glsa/glsa-200512-01.xml new file mode 100644 index 00000000..7957827d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-01.xml @@ -0,0 +1,86 @@ + + + + + + + Perl: Format string errors can lead to code execution + + A fix is available for Perl to mitigate the effects of format string + programming errors, that could otherwise be exploited to execute arbitrary + code. + + Perl + December 07, 2005 + December 07, 2005: 01 + 114113 + remote and local + + + 5.8.7-r3 + 5.8.6-r8 + 5.8.7-r3 + + + +

+ Perl is a stable, cross-platform programming language created by + Larry Wall. It contains printf functions that allows construction of + strings from format specifiers and parameters, like the C printf + functions. A well-known class of vulnerabilities, called format string + errors, result of the improper use of the printf functions in C. Perl + in itself is vulnerable to a limited form of format string errors + through its own sprintf function, especially through wrapper functions + that call sprintf (for example the syslog function) and by taking + advantage of Perl powerful string expansion features rather than using + format string specifiers. +

+
+ +

+ Jack Louis discovered a new way to exploit format string errors in + Perl that could lead to the execution of arbitrary code. This is + perfomed by causing an integer wrap overflow in the efix variable + inside the function Perl_sv_vcatpvfn. The proposed fix closes that + specific exploitation vector to mitigate the risk of format string + programming errors in Perl. This fix does not remove the need to fix + such errors in Perl code. +

+
+ +

+ Perl applications making improper use of printf functions (or + derived functions) using untrusted data may be vulnerable to the + already-known forms of Perl format string exploits and also to the + execution of arbitrary code. +

+
+ +

+ Fix all misbehaving Perl applications so that they make proper use + of the printf and derived Perl functions. +

+
+ +

+ All Perl users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-lang/perl +
+ + CVE-2005-3962 + Dyad Security Advisory + Research on format string errors in Perl + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-02.xml b/xml/htdocs/security/en/glsa/glsa-200512-02.xml new file mode 100644 index 00000000..d6129b2f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-02.xml @@ -0,0 +1,83 @@ + + + + + + + Webmin, Usermin: Format string vulnerability + + Webmin and Usermin are vulnerable to a format string vulnerability which + may lead to the execution of arbitrary code. + + webmin usermin + December 07, 2005 + December 07, 2005: 01 + 113888 + remote + + + 1.250 + 1.250 + + + 1.180 + 1.180 + + + +

+ Webmin is a web-based interface for Unix-like systems. Usermin is + a simplified version of Webmin designed for use by normal users rather + than system administrators. +

+
+ +

+ Jack Louis discovered that the Webmin and Usermin "miniserv.pl" + web server component is vulnerable to a Perl format string + vulnerability. Login with the supplied username is logged via the Perl + "syslog" facility in an unsafe manner. +

+
+ +

+ A remote attacker can trigger this vulnerability via a specially + crafted username containing format string data. This can be exploited + to consume a large amount of CPU and memory resources on a vulnerable + system, and possibly to execute arbitrary code of the attacker's choice + with the permissions of the user running Webmin. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Webmin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/webmin-1.250" +

+ All Usermin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/usermin-1.180" +
+ + CVE-2005-3912 + Dyad Security Advisory + + + koon + + + jaervosz + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-03.xml b/xml/htdocs/security/en/glsa/glsa-200512-03.xml new file mode 100644 index 00000000..fc317eab --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-03.xml @@ -0,0 +1,80 @@ + + + + + + + phpMyAdmin: Multiple vulnerabilities + + Multiple flaws in phpMyAdmin may lead to several XSS issues and local and + remote file inclusion vulnerabilities. + + phpmyadmin + December 11, 2005 + December 11, 2005: 01 + 114662 + remote + + + 2.7.0_p1 + 2.7.0_p1 + + + +

+ phpMyAdmin is a tool written in PHP intended to handle the + administration of MySQL over the web. +

+
+ +

+ Stefan Esser from Hardened-PHP reported about multiple + vulnerabilties found in phpMyAdmin. The $GLOBALS variable allows + modifying the global variable import_blacklist to open phpMyAdmin to + local and remote file inclusion, depending on your PHP version + (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to + conduct an XSS attack via the $HTTP_HOST variable and a local and + remote file inclusion because the contents of the variable are under + total control of the attacker (CVE-2005-3665, PMASA-2005-8). +

+
+ +

+ A remote attacker may exploit these vulnerabilities by sending + malicious requests, causing the execution of arbitrary code with the + rights of the user running the web server. The cross-site scripting + issues allow a remote attacker to inject and execute malicious script + code or to steal cookie-based authentication credentials, potentially + allowing unauthorized access to phpMyAdmin. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpMyAdmin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.7.0_p1" +
+ + CVE-2005-3665 + CVE-2005-4079 + PMASA-2005-8 + PMASA-2005-9 + Hardened-PHP Advisory 25/2005 + + + jaervosz + + + adir + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-04.xml b/xml/htdocs/security/en/glsa/glsa-200512-04.xml new file mode 100644 index 00000000..0c78d0d9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-04.xml @@ -0,0 +1,89 @@ + + + + + + + Openswan, IPsec-Tools: Vulnerabilities in ISAKMP Protocol implementation + + Openswan and IPsec-Tools suffer from an implementation flaw which may allow + a Denial of Service attack. + + openswan ipsec-tools + December 12, 2005 + December 14, 2005: 02 + 112568 + 113201 + remote + + + 2.4.4 + 2.4.4 + + + 0.6.3 + 0.6.2-r1 + 0.4-r2 + 0.6.3 + + + +

+ Openswan is an implementation of IPsec for Linux. IPsec-Tools is a port + of KAME's implementation of the IPsec utilities, including racoon, an + Internet Key Exchange daemon. Internet Key Exchange version 1 (IKEv1), + a derivate of ISAKMP, is an important part of IPsec. IPsec is widely + used to secure exchange of packets at the IP layer and mostly used to + implement Virtual Private Networks (VPNs). +

+
+ +

+ The Oulu University Secure Programming Group (OUSPG) discovered that + various ISAKMP implementations, including Openswan and racoon (included + in the IPsec-Tools package), behave in an anomalous way when they + receive and handle ISAKMP Phase 1 packets with invalid or abnormal + contents. +

+
+ +

+ A remote attacker could craft specific packets that would result in a + Denial of Service attack, if Openswan and racoon are used in specific, + weak configurations. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Openswan users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/openswan-2.4.4" +

+ All IPsec-Tools users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose net-firewall/ipsec-tools +
+ + CVE-2005-3671 + CVE-2005-3732 + Original Advisory + + + jaervosz + + + adir + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-05.xml b/xml/htdocs/security/en/glsa/glsa-200512-05.xml new file mode 100644 index 00000000..4782c742 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-05.xml @@ -0,0 +1,68 @@ + + + + + + + Xmail: Privilege escalation through sendmail + + The sendmail program in Xmail is vulnerable to a buffer overflow, + potentially resulting in local privilege escalation. + + xmail + December 14, 2005 + December 14, 2005: 01 + 109381 + local + + + 1.22 + 1.22 + + + +

+ Xmail is an Internet and intranet mail server. +

+
+ +

+ iDEFENSE reported that the AddressFromAtPtr function in the + sendmail program fails to check bounds on arguments passed from other + functions, and as a result an exploitable stack overflow condition + occurs when specifying the "-t" command line option. +

+
+ +

+ A local attacker can make a malicious call to sendmail, + potentially resulting in code execution with elevated privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Xmail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-mta/xmail-1.22" +
+ + CVE-2005-2943 + iDEFENSE Security Advisory + + + koon + + + koon + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-06.xml b/xml/htdocs/security/en/glsa/glsa-200512-06.xml new file mode 100644 index 00000000..47bfd941 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-06.xml @@ -0,0 +1,69 @@ + + + + + + + Ethereal: Buffer overflow in OSPF protocol dissector + + Ethereal is missing bounds checking in the OSPF protocol dissector that + could lead to abnormal program termination or the execution of arbitrary + code. + + Ethereal + December 14, 2005 + December 14, 2005: 01 + 115030 + remote + + + 0.10.13-r2 + 0.10.13-r2 + + + +

+ Ethereal is a feature-rich network protocol analyzer. It provides + protocol analyzers for various network flows, including one for Open + Shortest Path First (OSPF) Interior Gateway Protocol. +

+
+ +

+ iDEFENSE reported a possible overflow due to the lack of bounds + checking in the dissect_ospf_v3_address_prefix() function, part of the + OSPF protocol dissector. +

+
+ +

+ An attacker might be able to craft a malicious network flow that + would crash Ethereal. It may be possible, though unlikely, to exploit + this flaw to execute arbitrary code with the permissions of the user + running Ethereal, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ethereal users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.10.13-r2" +
+ + CVE-2005-3651 + iDEFENSE Advisory + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-07.xml b/xml/htdocs/security/en/glsa/glsa-200512-07.xml new file mode 100644 index 00000000..cf0e8b5e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-07.xml @@ -0,0 +1,79 @@ + + + + + + + OpenLDAP, Gauche: RUNPATH issues + + OpenLDAP and Gauche suffer from RUNPATH issues that may allow users in the + "portage" group to escalate privileges. + + OpenLDAP Gauche + December 15, 2005 + December 30, 2007: 03 + 105380 + 112577 + local + + + 2.2.28-r3 + 2.1.30-r6 + 2.2.28-r3 + + + 0.8.6-r1 + 0.8.6-r1 + + + +

+ OpenLDAP is a suite of LDAP-related application and development tools. + Gauche is an R5RS Scheme interpreter. +

+
+ +

+ Gentoo packaging for OpenLDAP and Gauche may introduce insecure paths + into the list of directories that are searched for libraries at + runtime. +

+
+ +

+ A local attacker, who is a member of the "portage" group, could create + a malicious shared object in the Portage temporary build directory that + would be loaded at runtime by a dependent binary, potentially resulting + in privilege escalation. +

+
+ +

+ Only grant "portage" group rights to trusted users. +

+
+ +

+ All OpenLDAP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose net-nds/openldap +

+ All Gauche users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-scheme/gauche-0.8.6-r1" +
+ + CVE-2005-4442 + CVE-2005-4443 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-08.xml b/xml/htdocs/security/en/glsa/glsa-200512-08.xml new file mode 100644 index 00000000..0d86732f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-08.xml @@ -0,0 +1,104 @@ + + + + + + + Xpdf, GPdf, CUPS, Poppler: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Xpdf, GPdf, CUPS and + Poppler potentially resulting in the execution of arbitrary code. + + xpdf, gpdf, poppler,cups + December 16, 2005 + December 17, 2005: 02 + 114428 + 115286 + remote + + + 3.01-r2 + 3.01-r2 + + + 2.10.0-r2 + 2.10.0-r2 + + + 0.4.2-r1 + 0.3.0-r1 + 0.4.2-r1 + + + 1.1.23-r3 + 1.1.23-r3 + + + +

+ Xpdf and GPdf are PDF file viewers that run under the X Window System. + Poppler is a PDF rendering library based on Xpdf code. The Common UNIX + Printing System (CUPS) is a cross-platform print spooler. It makes use + of Xpdf code to handle PDF files. +

+
+ +

+ infamous41md discovered that several Xpdf functions lack sufficient + boundary checking, resulting in multiple exploitable buffer overflows. +

+
+ +

+ An attacker could entice a user to open a specially-crafted PDF file + which would trigger an overflow, potentially resulting in execution of + arbitrary code with the rights of the user running Xpdf, CUPS, GPdf or + Poppler. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Xpdf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/xpdf-3.01-r2" +

+ All GPdf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/gpdf-2.10.0-r2" +

+ All Poppler users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose app-text/poppler +

+ All CUPS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/cups-1.1.23-r3" +
+ + CVE-2005-3191 + CVE-2005-3192 + CVE-2005-3193 + + + jaervosz + + + jaervosz + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-09.xml b/xml/htdocs/security/en/glsa/glsa-200512-09.xml new file mode 100644 index 00000000..6480cabd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-09.xml @@ -0,0 +1,77 @@ + + + + + + + cURL: Off-by-one errors in URL handling + + cURL is vulnerable to local arbitrary code execution via buffer overflow + due to the insecure parsing of URLs. + + cURL + December 16, 2005 + December 16, 2005: 01 + 114710 + local + + + 7.15.1 + 7.15.1 + + + +

+ cURL is a command line tool for transferring files with URL + syntax, supporting numerous protocols. +

+
+ +

+ Stefan Esser from the Hardened-PHP Project has reported a + vulnerability in cURL that allows for a local buffer overflow when cURL + attempts to parse specially crafted URLs. The URL can be specially + crafted in one of two ways: the URL could be malformed in a way that + prevents a terminating null byte from being added to either a hostname + or path buffer; or the URL could contain a "?" separator in the + hostname portion, which causes a "/" to be prepended to the resulting + string. +

+
+ +

+ An attacker capable of getting cURL to parse a maliciously crafted + URL could cause a denial of service or execute arbitrary code with the + privileges of the user making the call to cURL. An attacker could also + escape open_basedir or safe_mode pseudo-restrictions when exploiting + this problem from within a PHP program when PHP is compiled with + libcurl. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All cURL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/curl-7.15.1" +
+ + CVE-2005-4077 + Hardened-PHP Advisory + + + koon + + + shellsage + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-10.xml b/xml/htdocs/security/en/glsa/glsa-200512-10.xml new file mode 100644 index 00000000..6bbce4e9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-10.xml @@ -0,0 +1,69 @@ + + + + + + + Opera: Command-line URL shell command injection + + Lack of URL validation in Opera command-line wrapper could be abused to + execute arbitrary commands. + + opera + December 18, 2005 + December 18, 2005: 01 + 113239 + remote + + + 8.51 + 8.51 + + + +

+ Opera is a multi-platform web browser. +

+
+ +

+ Peter Zelezny discovered that the shell script used to launch + Opera parses shell commands that are enclosed within backticks in the + URL provided via the command line. +

+
+ +

+ A remote attacker could exploit this vulnerability by enticing a + user to follow a specially crafted URL from a tool that uses Opera to + open URLs, resulting in the execution of arbitrary commands on the + targeted machine. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Opera users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/opera-8.51" +
+ + CVE-2005-3750 + Opera 8.51 Changelog + + + koon + + + koon + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-11.xml b/xml/htdocs/security/en/glsa/glsa-200512-11.xml new file mode 100644 index 00000000..2606a2a2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-11.xml @@ -0,0 +1,75 @@ + + + + + + + CenterICQ: Multiple vulnerabilities + + CenterICQ is vulnerable to a Denial of Service issue, and also potentially + to the execution of arbitrary code through an included vulnerable ktools + library. + + CenterICQ + December 20, 2005 + December 20, 2005: 01 + 100519 + 114038 + remote + + + 4.21.0-r2 + 4.21.0-r2 + + + +

+ CenterICQ is a text-based instant messaging interface that + supports multiple protocols. It includes the ktools library, which + provides text-mode user interface controls. +

+
+ +

+ Gentoo developer Wernfried Haas discovered that when the "Enable + peer-to-peer communications" option is enabled, CenterICQ opens a port + that insufficiently validates whatever is sent to it. Furthermore, + Zone-H Research reported a buffer overflow in the ktools library. +

+
+ +

+ A remote attacker could cause a crash of CenterICQ by sending + packets to the peer-to-peer communications port, and potentially cause + the execution of arbitrary code by enticing a CenterICQ user to edit + overly long contact details. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CenterICQ users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/centericq-4.21.0-r2" +
+ + CVE-2005-3694 + CVE-2005-3863 + Zone-H Research ZRCSA 200503 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-12.xml b/xml/htdocs/security/en/glsa/glsa-200512-12.xml new file mode 100644 index 00000000..30070e36 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-12.xml @@ -0,0 +1,79 @@ + + + + + + + Mantis: Multiple vulnerabilities + + Mantis is affected by multiple vulnerabilities ranging from file upload and + SQL injection to cross-site scripting and HTTP response splitting. + + Mantis + December 22, 2005 + May 22, 2006: 02 + 116036 + remote + + + 0.19.4 + 0.19.4 + + + +

+ Mantis is a web-based bugtracking system written in PHP. +

+
+ +

+ Tobias Klein discovered that Mantis contains several vulnerabilities, + including: +

+
    +
  • a file upload vulnerability.
  • +
  • an injection vulnerability in filters.
  • +
  • an SQL injection vulnerability in the user-management page.
  • +
  • a port cross-site-scripting vulnerability in filters.
  • +
  • an HTTP header CRLF injection vulnerability.
  • +
+
+ +

+ An attacker could possibly exploit the file upload vulnerability to + execute arbitrary script code, and the SQL injection vulnerability to + access or modify sensitive information from the Mantis database. + Furthermore, the cross-site scripting and HTTP response splitting may + allow an attacker to inject and execute malicious script code or to + steal cookie-based authentication credentials, potentially compromising + the victim's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mantis users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/mantisbt-0.19.4" +
+ + Mantis ChangeLog + CVE-2005-4518 + CVE-2005-4519 + CVE-2005-4520 + CVE-2005-4521 + CVE-2005-4522 + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-13.xml b/xml/htdocs/security/en/glsa/glsa-200512-13.xml new file mode 100644 index 00000000..29c84163 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-13.xml @@ -0,0 +1,68 @@ + + + + + + + Dropbear: Privilege escalation + + A buffer overflow in Dropbear could allow authenticated users to execute + arbitrary code as the root user. + + dropbear + December 23, 2005 + December 23, 2005: 01 + 116006 + remote + + + 0.47 + 0.47 + + + +

+ Dropbear is an SSH server and client with a small memory + footprint. +

+
+ +

+ Under certain conditions Dropbear could fail to allocate a + sufficient amount of memory, possibly resulting in a buffer overflow. +

+
+ +

+ By sending specially crafted data to the server, authenticated + users could exploit this vulnerability to execute arbitrary code with + the permissions of the SSH server user, which is the root user by + default. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Dropbear users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/dropbear-0.47" +
+ + CVE-2005-4178 + + + koon + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-14.xml b/xml/htdocs/security/en/glsa/glsa-200512-14.xml new file mode 100644 index 00000000..08712ac4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-14.xml @@ -0,0 +1,64 @@ + + + + + + + NBD Tools: Buffer overflow in NBD server + + The NBD server is vulnerable to a buffer overflow that may result in the + execution of arbitrary code. + + NBD + December 23, 2005 + December 23, 2005: 01 + 116314 + remote + + + 2.8.2-r1 + 2.8.2-r1 + + + +

+ The NBD Tools are the Network Block Device utilities allowing one + to use remote block devices over a TCP/IP network. It includes a + userland NBD server. +

+
+ +

+ Kurt Fitzner discovered that the NBD server allocates a request + buffer that fails to take into account the size of the reply header. +

+
+ +

+ A remote attacker could send a malicious request that can result + in the execution of arbitrary code with the rights of the NBD server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All NBD Tools users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-block/nbd-2.8.2-r1" +
+ + CVE-2005-3534 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-15.xml b/xml/htdocs/security/en/glsa/glsa-200512-15.xml new file mode 100644 index 00000000..d8a652e5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-15.xml @@ -0,0 +1,68 @@ + + + + + + + rssh: Privilege escalation + + Local users could gain root privileges by chrooting into arbitrary + directories. + + rssh + December 27, 2005 + December 27, 2005: 01 + 115082 + local + + + 2.3.0 + 2.3.0 + + + +

+ rssh is a restricted shell, allowing only a few commands like scp + or sftp. It is often used as a complement to OpenSSH to provide limited + access to users. +

+
+ +

+ Max Vozeler discovered that the rssh_chroot_helper command allows + local users to chroot into arbitrary directories. +

+
+ +

+ A local attacker could exploit this vulnerability to gain root + privileges by chrooting into arbitrary directories. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All rssh users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-shells/rssh-2.3.0" +
+ + CVE-2005-3345 + rssh security announcement + + + koon + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-16.xml b/xml/htdocs/security/en/glsa/glsa-200512-16.xml new file mode 100644 index 00000000..05b0d779 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-16.xml @@ -0,0 +1,81 @@ + + + + + + + OpenMotif, AMD64 x86 emulation X libraries: Buffer overflows in libUil library + + Two buffer overflows have been discovered in libUil, part of the OpenMotif + toolkit, that can potentially lead to the execution of arbitrary code. + + openmotif + December 28, 2005 + January 29, 2006: 03 + 114234 + 116481 + remote + + + 2.2.3-r8 + 2.1.30-r13 + 2.2.3-r8 + + + 2.2.1 + 2.2.1 + + + +

+ OpenMotif provides a free version of the Motif toolkit for open source + applications. The OpenMotif libraries are included in the AMD64 x86 + emulation X libraries, which emulate the x86 (32-bit) architecture on + the AMD64 (64-bit) architecture. +

+
+ +

+ xfocus discovered two potential buffer overflows in the libUil library, + in the diag_issue_diagnostic and open_source_file functions. +

+
+ +

+ Remotely-accessible or SUID applications making use of the affected + functions might be exploited to execute arbitrary code with the + privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenMotif users should upgrade to an unaffected version: +

+ + # emerge --sync + # emerge --ask --oneshot --unmerge --verbose x11-libs/openmotif + # emerge --ask --oneshot --verbose x11-libs/openmotif +

+ All AMD64 x86 emulation X libraries users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose app-emulation/emul-linux-x86-xlibs +
+ + CVE-2005-3964 + xfocus SD-051202 Original Advisory + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-17.xml b/xml/htdocs/security/en/glsa/glsa-200512-17.xml new file mode 100644 index 00000000..abe2747e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-17.xml @@ -0,0 +1,72 @@ + + + + + + + scponly: Multiple privilege escalation issues + + Local users can exploit an scponly flaw to gain root privileges, and + scponly restricted users can use another vulnerability to evade shell + restrictions. + + scponly + December 29, 2005 + May 22, 2006: 02 + 116526 + local and remote + + + 4.2 + 4.2 + + + +

+ scponly is a restricted shell, allowing only a few predefined commands. + It is often used as a complement to OpenSSH to provide access to remote + users without providing any remote execution privileges. +

+
+ +

+ Max Vozeler discovered that the scponlyc command allows users to chroot + into arbitrary directories. Furthermore, Pekka Pessi reported that + scponly insufficiently validates command-line parameters to a scp or + rsync command. +

+
+ +

+ A local attacker could gain root privileges by chrooting into arbitrary + directories containing hardlinks to setuid programs. A remote scponly + user could also send malicious parameters to a scp or rsync command + that would allow to escape the shell restrictions and execute arbitrary + programs. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All scponly users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/scponly-4.2" +
+ + scponly release notes + CVE-2005-4532 + CVE-2005-4533 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200512-18.xml b/xml/htdocs/security/en/glsa/glsa-200512-18.xml new file mode 100644 index 00000000..a9491247 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200512-18.xml @@ -0,0 +1,73 @@ + + + + + + + XnView: Privilege escalation + + XnView may search for shared libraries in an untrusted location, + potentially allowing local users to execute arbitrary code with the + privileges of another user. + + xnview + December 30, 2005 + May 22, 2006: 02 + 117063 + local + + + 1.70-r1 + 1.70-r1 + + + +

+ XnView is an efficient multimedia viewer, browser and converter, + distributed free for non-commercial use. +

+
+ +

+ Krzysiek Pawlik of Gentoo Linux discovered that the XnView package for + IA32 used the DT_RPATH field insecurely, causing the dynamic loader to + search for shared libraries in potentially untrusted directories. +

+
+ +

+ A local attacker could create a malicious shared object that would be + loaded and executed when a user attempted to use an XnView utility. + This would allow a malicious user to effectively hijack XnView and + execute arbitrary code with the privileges of the user running the + program. +

+
+ +

+ The system administrator may use the chrpath utility to remove the + DT_RPATH field from the XnView utilities: +

+ + # emerge app-admin/chrpath + # chrpath --delete /opt/bin/nconvert /opt/bin/nview /opt/bin/xnview +
+ +

+ All XnView users on the x86 platform should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-misc/xnview-1.70-r1" +
+ + CVE-2005-4595 + + + taviso + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-01.xml b/xml/htdocs/security/en/glsa/glsa-200601-01.xml new file mode 100644 index 00000000..605daa27 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-01.xml @@ -0,0 +1,67 @@ + + + + + + + pinentry: Local privilege escalation + + pinentry is vulnerable to privilege escalation. + + pinentry + January 03, 2006 + January 03, 2006: 01 + 116822 + local + + + 0.7.2-r2 + 0.7.2-r2 + + + +

+ pinentry is a collection of simple PIN or passphrase entry dialogs + which utilize the Assuan protocol. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team has + discovered that the pinentry ebuild incorrectly sets the permissions of + the pinentry binaries upon installation, so that the sgid bit is set + making them execute with the privileges of group ID 0. +

+
+ +

+ A user of pinentry could potentially read and overwrite files with + a group ID of 0. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All pinentry users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/pinentry-0.7.2-r2" +
+ + CVE-2006-0071 + + + koon + + + koon + + + shellsage + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-02.xml b/xml/htdocs/security/en/glsa/glsa-200601-02.xml new file mode 100644 index 00000000..19f7708a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-02.xml @@ -0,0 +1,108 @@ + + + + + + + KPdf, KWord: Multiple overflows in included Xpdf code + + KPdf and KWord both include vulnerable Xpdf code to handle PDF files, + making them vulnerable to the execution of arbitrary code. + + kdegraphics, kpdf, koffice, kword + January 04, 2006 + January 07, 2006: 03 + 114429 + 115851 + remote + + + 3.4.3-r3 + 3.4.3-r3 + + + 3.4.3-r3 + 3.4.3-r3 + + + 1.4.2-r6 + 1.4.2-r6 + + + 1.4.2-r6 + 1.4.2-r6 + + + +

+ KPdf is a KDE-based PDF viewer included in the kdegraphics package. + KWord is a KDE-based word processor also included in the koffice + package. +

+
+ +

+ KPdf and KWord both include Xpdf code to handle PDF files. This Xpdf + code is vulnerable to several heap overflows (GLSA 200512-08) as well + as several buffer and integer overflows discovered by Chris Evans + (CESA-2005-003). +

+
+ +

+ An attacker could entice a user to open a specially crafted PDF file + with Kpdf or KWord, potentially resulting in the execution of arbitrary + code with the rights of the user running the affected application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All kdegraphics users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.4.3-r3" +

+ All Kpdf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kpdf-3.4.3-r3" +

+ All KOffice users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/koffice-1.4.2-r6" +

+ All KWord users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/kword-1.4.2-r6" +
+ + CAN-2005-3191 + CAN-2005-3192 + CAN-2005-3193 + CVE-2005-3624 + CVE-2005-3625 + CVE-2005-3626 + CVE-2005-3627 + CVE-2005-3628 + GLSA 200512-08 + KDE Security Advisory: kpdf/xpdf multiple integer overflows + CESA-2005-003 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-03.xml b/xml/htdocs/security/en/glsa/glsa-200601-03.xml new file mode 100644 index 00000000..b0cf10d2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-03.xml @@ -0,0 +1,68 @@ + + + + + + + HylaFAX: Multiple vulnerabilities + + HylaFAX is vulnerable to arbitrary code execution and unauthorized access + vulnerabilities. + + hylafax + January 06, 2006 + January 06, 2006: 01 + 116389 + remote + + + 4.2.3-r1 + 4.2.3-r1 + + + +

+ HylaFAX is an enterprise-class system for sending and receiving + facsimile messages and for sending alpha-numeric pages. +

+
+ +

+ Patrice Fournier discovered that HylaFAX runs the notify script on + untrusted user input. Furthermore, users can log in without a password + when HylaFAX is installed with the pam USE-flag disabled. +

+
+ +

+ An attacker could exploit the input validation vulnerability to + run arbitrary code as the user running HylaFAX, which is usually uucp. + The password vulnerability could be exploited to log in without proper + user credentials. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All HylaFAX users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/hylafax-4.2.3-r1" +
+ + CVE-2005-3538 + CVE-2005-3539 + HylaFAX release announcement + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-04.xml b/xml/htdocs/security/en/glsa/glsa-200601-04.xml new file mode 100644 index 00000000..88842c05 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-04.xml @@ -0,0 +1,70 @@ + + + + + + + VMware Workstation: Vulnerability in NAT networking + + VMware guest operating systems can execute arbitrary code with elevated + privileges on the host operating system through a flaw in NAT networking. + + VMware + January 07, 2006 + May 25, 2006: 02 + 116238 + remote and local + + + 5.5.1.19175 + 4.5.3.19414 + 3.2.1.2242-r10 + 5.5.1.19175 + + + +

+ VMware Workstation is a powerful virtual machine for developers and + system administrators. +

+
+ +

+ Tim Shelton discovered that vmnet-natd, the host module providing + NAT-style networking for VMware guest operating systems, is unable to + process incorrect 'EPRT' and 'PORT' FTP requests. +

+
+ +

+ Malicious guest operating systems using the NAT networking feature or + local VMware Workstation users could exploit this vulnerability to + execute arbitrary code on the host system with elevated privileges. +

+
+ +

+ Disable the NAT service by following the instructions at http://www.vmware.com/support/k + b, Answer ID 2002. +

+
+ +

+ All VMware Workstation users should upgrade to a fixed version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose app-emulation/vmware-workstation +
+ + CVE-2005-4459 + VMware Security Response + + + koon + + + koon + +
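Review bot: The workaround paragraph in this hunk has its only actionable reference broken: `http://www.vmware.com/support/k` is followed by a line break and then `b, Answer ID 2002`, which renders as `support/k b` and leaves the reader with no working link. Unless the XML wraps it in a `<uri>` element (not visible here), keep the URL on one source line, e.g. `Disable the NAT service by following the instructions at http://www.vmware.com/support/kb, Answer ID 2002.` The resolution emerges `app-emulation/vmware-workstation` unversioned while three distinct unaffected versions are listed (5.5.1.19175, 4.5.3.19414, 3.2.1.2242-r10); a sentence telling users which version their branch should end up on would let them verify the fix actually applied.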
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-05.xml b/xml/htdocs/security/en/glsa/glsa-200601-05.xml new file mode 100644 index 00000000..9a40445d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-05.xml @@ -0,0 +1,70 @@ + + + + + + + mod_auth_pgsql: Multiple format string vulnerabilities + + Format string vulnerabilities in mod_auth_pgsql may lead to the execution + of arbitrary code. + + mod_auth_pgsql + January 10, 2006 + December 30, 2007: 03 + 118096 + remote + + + 2.0.3 + 1.0.0 + 2.0.3 + + + +

+ mod_auth_pgsql is an Apache2 module that allows user authentication + against a PostgreSQL database. +

+
+ +

+ The error logging functions of mod_auth_pgsql fail to validate certain + strings before passing them to syslog, resulting in format string + vulnerabilities. +

+
+ +

+ An unauthenticated remote attacker could exploit these vulnerabilities + to execute arbitrary code with the rights of the user running the + Apache2 server by sending specially crafted login names. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mod_auth_pgsql users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apache/mod_auth_pgsql-2.0.3" +
+ + CVE-2005-3656 + FrSIRT ADV-2006-0070 + + + DerCorny + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-06.xml b/xml/htdocs/security/en/glsa/glsa-200601-06.xml new file mode 100644 index 00000000..cc9486a0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-06.xml @@ -0,0 +1,83 @@ + + + + + + + xine-lib, FFmpeg: Heap-based buffer overflow + + xine-lib and FFmpeg are vulnerable to a buffer overflow that may be + exploited by attackers to execute arbitrary code. + + xine-lib ffmpeg + January 10, 2006 + January 10, 2006: 01 + 115849 + 116181 + remote + + + 1.1.1-r3 + 1.1.1-r3 + + + 0.4.9_p20051216 + 0.4.9_p20051216 + + + +

+ xine is a GPL high-performance, portable and reusable multimedia + playback engine. xine-lib is xine's core engine. FFmpeg is a very fast + video and audio converter and is used in xine-lib. +

+
+ +

+ Simon Kilvington has reported a vulnerability in FFmpeg + libavcodec. The flaw is due to a buffer overflow error in the + "avcodec_default_get_buffer()" function. This function doesn't properly + handle specially crafted PNG files as a result of a heap overflow. +

+
+ +

+ A remote attacker could entice a user to run an FFmpeg based + application on a maliciously crafted PNG file, resulting in the + execution of arbitrary code with the permissions of the user running + the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.1-r3" +

+ All FFmpeg users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-0.4.9_p20051216" +
+ + CVE-2005-4048 + Original advisory + + + koon + + + adir + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-07.xml b/xml/htdocs/security/en/glsa/glsa-200601-07.xml new file mode 100644 index 00000000..a221a206 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-07.xml @@ -0,0 +1,69 @@ + + + + + + + ClamAV: Remote execution of arbitrary code + + ClamAV is vulnerable to a buffer overflow which may lead to remote + execution of arbitrary code. + + clamav + January 13, 2006 + January 13, 2006: 01 + 118459 + remote + + + 0.88 + 0.88 + + + +

+ ClamAV is a GPL virus scanner. +

+
+ +

+ Zero Day Initiative (ZDI) reported a heap buffer overflow + vulnerability. The vulnerability is due to an incorrect boundary check + of the user-supplied data prior to copying it to an insufficiently + sized memory buffer. The flaw occurs when the application attempts to + handle compressed UPX files. +

+
+ +

+ For example by sending a maliciously crafted UPX file into a mail + server that is integrated with ClamAV, a remote attacker's supplied + code could be executed with escalated privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.88" +
+ + CVE-2006-0162 + + + DerCorny + + + adir + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-08.xml b/xml/htdocs/security/en/glsa/glsa-200601-08.xml new file mode 100644 index 00000000..ccc5bb8b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-08.xml @@ -0,0 +1,68 @@ + + + + + + + Blender: Heap-based buffer overflow + + Blender is vulnerable to a buffer overflow that may be exploited by + attackers to execute arbitrary code. + + blender + January 13, 2006 + January 13, 2006: 01 + 118163 + remote + + + 2.40 + 2.40 + + + +

+ Blender is an open source software for 3D modeling, animation, + rendering, post-production, interactive creation and playback. +

+
+ +

+ Damian Put has reported a flaw due to an integer overflow in the + "get_bhead()" function, leading to a heap overflow when processing + malformed ".blend" files. +

+
+ +

+ A remote attacker could entice a user into opening a specially + crafted ".blend" file, resulting in the execution of arbitrary code + with the permissions of the user running Blender. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Blender users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/blender-2.40" +
+ + CVE-2005-4470 + + + DerCorny + + + DerCorny + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-09.xml b/xml/htdocs/security/en/glsa/glsa-200601-09.xml new file mode 100644 index 00000000..66bcd456 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-09.xml @@ -0,0 +1,68 @@ + + + + + + + Wine: Windows Metafile SETABORTPROC vulnerability + + There is a flaw in Wine in the handling of Windows Metafiles (WMF) files, + which could possibly result in the execution of arbitrary code. + + wine + January 13, 2006 + February 26, 2007: 03 + 118101 + remote + + + 0.9 + 20060000 + 20040000 + + + +

+ Wine is a free implementation of Windows APIs for Unix-like systems. +

+
+ +

+ H D Moore discovered that Wine implements the insecure-by-design + SETABORTPROC GDI Escape function for Windows Metafile (WMF) files. +

+
+ +

+ An attacker could entice a user to open a specially crafted Windows + Metafile (WMF) file from within a Wine executed Windows application, + possibly resulting in the execution of arbitrary code with the rights + of the user running Wine. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Wine users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/wine-0.9.0" +
+ + CVE-2006-0106 + + + DerCorny + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-10.xml b/xml/htdocs/security/en/glsa/glsa-200601-10.xml new file mode 100644 index 00000000..1d779afb --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-10.xml @@ -0,0 +1,106 @@ + + + + + + + Sun and Blackdown Java: Applet privilege escalation + + Sun's and Blackdown's JDK or JRE may allow untrusted applets to elevate + their privileges. + + sun-jdk sun-jre-bin blackdown-jre blackdown-jdk + January 16, 2006 + January 16, 2006: 01 + 118114 + remote + + + 1.4.2.09 + 1.4.2.09 + + + 1.4.2.09 + 1.4.2.09 + + + 1.4.2.03 + 1.4.2.03 + + + 1.4.2.03 + 1.4.2.03 + + + +

+ Sun and Blackdown both provide implementations of the Java + Development Kit (JDK) and Java Runtime Environment (JRE). +

+
+ +

+ Adam Gowdiak discovered multiple vulnerabilities in the Java + Runtime Environment's Reflection APIs that may allow untrusted applets + to elevate privileges. +

+
+ +

+ A remote attacker could embed a malicious Java applet in a web + page and entice a victim to view it. This applet can then bypass + security restrictions and execute any command or access any file with + the rights of the user running the web browser. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All Sun JDK users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.4.2.09" +

+ All Sun JRE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.4.2.09" +

+ All Blackdown JDK users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/blackdown-jdk-1.4.2.03" +

+ All Blackdown JRE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/blackdown-jre-1.4.2.03" +

+ Note to SPARC and PPC users: There is no stable secure + Blackdown Java for the SPARC or PPC architectures. Affected users on + the PPC architecture should consider switching to the IBM Java packages + (ibm-jdk-bin and ibm-jre-bin). Affected users on the SPARC should + remove the package until a SPARC package is released. +

+
+ + CVE-2005-3905 + CVE-2005-3906 + Sun Security Alert ID 102003 + Blackdown Java-Linux Security Advisory + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-11.xml b/xml/htdocs/security/en/glsa/glsa-200601-11.xml new file mode 100644 index 00000000..b7093f9a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-11.xml @@ -0,0 +1,66 @@ + + + + + + + KDE kjs: URI heap overflow vulnerability + + KDE fails to properly validate URIs when handling javascript, potentially + resulting in the execution of arbitrary code. + + KDE + January 22, 2006 + January 22, 2006: 01 + 118550 + remote + + + 3.4.3-r1 + 3.4.3-r1 + + + +

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like Operating Systems. kjs is the javascript interpreter used in + Konqueror and other parts of KDE. +

+
+ +

+ Maksim Orlovich discovered an incorrect bounds check in kjs when + handling URIs. +

+
+ +

+ By enticing a user to load a specially crafted webpage containing + malicious javascript, an attacker could execute arbitrary code with the + rights of the user running kjs. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All kdelibs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose kde-base/kdelibs-3.4.3-r1 +
+ + CVE-2006-0019 + KDE Security Advisory: kjs encodeuri/decodeuri heap overflow vulnerability + + + jaervosz + + + DerCorny + +
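Review bot: The resolution command `emerge --ask --oneshot --verbose kde-base/kdelibs-3.4.3-r1` is not a valid Portage atom — a versioned atom needs an operator, and every other advisory in this commit uses the quoted `">=cat/pkg-ver"` form. Change it to `# emerge --ask --oneshot --verbose ">=kde-base/kdelibs-3.4.3-r1"` so it both runs and matches the unaffected version given in the metadata. The product field reads `KDE` while the fix targets kde-base/kdelibs; naming kdelibs explicitly in the affected-package metadata would keep the atom and the header consistent.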
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-12.xml b/xml/htdocs/security/en/glsa/glsa-200601-12.xml new file mode 100644 index 00000000..31a8d795 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-12.xml @@ -0,0 +1,72 @@ + + + + + + + Trac: Cross-site scripting vulnerability + + Trac is vulnerable to a cross-site scripting attack that could allow + arbitrary JavaScript code execution. + + trac + January 26, 2006 + January 26, 2006: 01 + 118302 + remote + + + 0.9.3 + 0.9.3 + + + +

+ Trac is a minimalistic web-based project management, wiki and bug + tracking system including a Subversion interface. +

+
+ +

+ Christophe Truc discovered that Trac fails to properly sanitize + input passed in the URL. +

+
+ +

+ A remote attacker could exploit this to inject and execute + malicious script code or to steal cookie-based authentication + credentials, potentially compromising the victim's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Trac users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/trac-0.9.3" +

+ Note: Users with the vhosts USE flag set should manually use + webapp-config to finalize the update. +

+
+ + CVE-2005-4305 + Trac Changelog + + + koon + + + koon + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-13.xml b/xml/htdocs/security/en/glsa/glsa-200601-13.xml new file mode 100644 index 00000000..47fdc3b3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-13.xml @@ -0,0 +1,75 @@ + + + + + + + Gallery: Cross-site scripting vulnerability + + Gallery is possibly vulnerable to a cross-site scripting attack that could + allow arbitrary JavaScript code execution. + + gallery + January 26, 2006 + January 26, 2006: 01 + 119590 + remote + + + 1.5.2 + 1.5.2 + + + +

+ Gallery is a web application written in PHP which is used to + organize and publish photo albums. It allows multiple users to build + and maintain their own albums. It also supports the mirroring of images + on other servers. +

+
+ +

+ Peter Schumacher discovered that Gallery fails to sanitize the + fullname set by users, possibly leading to a cross-site scripting + vulnerability. +

+
+ +

+ By setting a specially crafted fullname, an attacker can inject + and execute script code in the victim's browser window and potentially + compromise the user's gallery. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Gallery users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/gallery-1.5.2" +

+ Note: Users with the vhosts USE flag set should manually use + webapp-config to finalize the update. +

+
+ + Gallery Announcement + CVE-2006-0330 + + + DerCorny + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-14.xml b/xml/htdocs/security/en/glsa/glsa-200601-14.xml new file mode 100644 index 00000000..1b99b6c5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-14.xml @@ -0,0 +1,69 @@ + + + + + + + LibAST: Privilege escalation + + A buffer overflow in LibAST may result in execution of arbitrary code with + escalated privileges. + + LibAST + January 29, 2006 + January 29, 2006: 02 + 120106 + local + + + 0.7 + 0.7 + + + +

+ LibAST is a utility library that was originally intended to accompany + Eterm, but may be used by various other applications. +

+
+ +

+ Michael Jennings discovered an exploitable buffer overflow in the + configuration engine of LibAST. +

+
+ +

+ The vulnerability can be exploited to gain escalated privileges if the + application using LibAST is setuid/setgid and passes a specifically + crafted filename to LibAST's configuration engine. +

+
+ +

+ Identify all applications linking against LibAST and verify they are + not setuid/setgid. +

+
+ +

+ All users should upgrade to the latest version and run revdep-rebuild: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/libast-0.7" + # revdep-rebuild +
+ + CVE-2006-0224 + + + DerCorny + + + frilled + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-15.xml b/xml/htdocs/security/en/glsa/glsa-200601-15.xml new file mode 100644 index 00000000..8e02aefe --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-15.xml @@ -0,0 +1,66 @@ + + + + + + + Paros: Default administrator password + + Paros's database component is installed without a password, allowing + execution of arbitrary system commands. + + Paros + January 29, 2006 + January 29, 2006: 01 + 120352 + remote + + + 3.2.5 + 3.2.5 + + + +

+ Paros is an intercepting proxy between a web server and a client + meant to be used for security assessments. It allows the user to watch + and modify the HTTP(S) traffic. +

+
+ +

+ Andrew Christensen discovered that in older versions of Paros the + database component HSQLDB is installed with an empty password for the + database administrator "sa". +

+
+ +

+ Since the database listens globally by default, an attacker can + connect and issue arbitrary commands, including execution of binaries + installed on the host. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Paros users should upgrade to the latest version: +

+ + # emerge --snyc + # emerge --ask --oneshot --verbose ">=net-proxy/paros-3.2.8" +
+ + CVE-2005-3280 + + + frilled + + + adir + +
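Review bot: The resolution block at the end of this hunk contradicts the version metadata: unaffected and vulnerable are both given as 3.2.5, but the emerge line requires `>=net-proxy/paros-3.2.8`, so a reader cannot tell which release actually carries the fix. The sync command is also misspelled as `emerge --snyc` and will fail as pasted; it should read `# emerge --sync`. Pick one version for both the metadata and the atom — e.g. `# emerge --ask --oneshot --verbose ">=net-proxy/paros-3.2.5"`, or raise the unaffected entry to 3.2.8 if that is the fixed release (the hunk does not say which). Given the impact text says HSQLDB listens globally by default, the "no known workaround" statement is worth double-checking before publication, but I cannot confirm a mitigation from what is visible here.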
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-16.xml b/xml/htdocs/security/en/glsa/glsa-200601-16.xml new file mode 100644 index 00000000..e857483e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-16.xml @@ -0,0 +1,65 @@ + + + + + + + MyDNS: Denial of Service + + MyDNS contains a vulnerability that may lead to a Denial of Service attack. + + MyDNS + January 30, 2006 + January 30, 2006: 01 + 119548 + remote + + + 1.1.0 + 1.1.0 + + + +

+ MyDNS is a DNS server using a MySQL database as a backend. It is + designed to allow for fast updates and small resource usage. +

+
+ +

+ MyDNS contains an unspecified flaw that may allow a remote Denial + of Service. +

+
+ +

+ An attacker could cause a Denial of Service by sending malformed + DNS queries to the MyDNS server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MyDNS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/mydns-1.1.0" +
+ + CVE-2006-0351 + + + DerCorny + + + frilled + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200601-17.xml b/xml/htdocs/security/en/glsa/glsa-200601-17.xml new file mode 100644 index 00000000..5787192d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200601-17.xml @@ -0,0 +1,117 @@ + + + + + + + Xpdf, Poppler, GPdf, libextractor, pdftohtml: Heap overflows + + Xpdf, Poppler, GPdf, libextractor and pdftohtml are vulnerable to integer + overflows that may be exploited to execute arbitrary code. + + xpdf poppler gpdf libextractor pdftohtml + January 30, 2006 + January 30, 2006: 01 + 117481 + 117494 + 117495 + 115789 + 118665 + remote + + + 3.01-r5 + 3.01-r5 + + + 0.4.3-r4 + 0.4.3-r4 + + + 2.10.0-r3 + 2.10.0-r3 + + + 0.5.9 + 0.5.9 + + + 0.36-r4 + + + +

+ Xpdf is a PDF file viewer that runs under the X Window System. + Poppler is a PDF rendering library based on the Xpdf 3.0 code base. + GPdf is a PDF file viewer for the GNOME 2 platform, also based on Xpdf. + libextractor is a library which includes Xpdf code to extract arbitrary + meta-data from files. pdftohtml is a utility to convert PDF files to + HTML or XML formats that makes use of Xpdf code to decode PDF files. +

+
+ +

+ Chris Evans has reported some integer overflows in Xpdf when + attempting to calculate buffer sizes for memory allocation, leading to + a heap overflow and a potential infinite loop when handling malformed + input files. +

+
+ +

+ By sending a specially crafted PDF file to a victim, an attacker + could cause an overflow, potentially resulting in the execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Xpdf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/xpdf-3.01-r5" +

+ All Poppler users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/poppler-0.4.3-r4" +

+ All GPdf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/gpdf-2.10.0-r3" +

+ All libextractor users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libextractor-0.5.9" +

+ All pdftohtml users should migrate to the latest stable version + of Poppler. +

+
+ + CVE-2005-3627 + CVE-2005-3626 + CVE-2005-3625 + CVE-2005-3624 + + + jaervosz + + + adir + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-01.xml b/xml/htdocs/security/en/glsa/glsa-200602-01.xml new file mode 100644 index 00000000..14a3f158 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-01.xml @@ -0,0 +1,74 @@ + + + + + + + GStreamer FFmpeg plugin: Heap-based buffer overflow + + The GStreamer FFmpeg plugin is vulnerable to a buffer overflow that may be + exploited by attackers to execute arbitrary code. + + gst-plugins-ffmpeg + February 05, 2006 + February 05, 2006: 01 + 119512 + remote + + + 0.8.7-r1 + 0.8.7-r1 + + + +

+ The GStreamer FFmpeg plugin uses code from the FFmpeg library to + provide fast colorspace conversion and multimedia decoders to the + GStreamer open source media framework. +

+
+ +

+ The GStreamer FFmpeg plugin contains derived code from the FFmpeg + library, which is vulnerable to a heap overflow in the + "avcodec_default_get_buffer()" function discovered by Simon Kilvington + (see GLSA 200601-06). +

+
+ +

+ A remote attacker could entice a user to run an application using + the GStreamer FFmpeg plugin on a maliciously crafted PIX_FMT_PAL8 + format image file (like PNG images), possibly leading to the execution + of arbitrary code with the permissions of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GStreamer FFmpeg plugin users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-plugins/gst-plugins-ffmpeg-0.8.7-r1" +
+ + CVE-2005-4048 + GLSA 200601-06 + + + DerCorny + + + adir + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-02.xml b/xml/htdocs/security/en/glsa/glsa-200602-02.xml new file mode 100644 index 00000000..8b9608af --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-02.xml @@ -0,0 +1,64 @@ + + + + + + + ADOdb: PostgresSQL command injection + + ADOdb is vulnerable to SQL injections if used in conjunction with a + PostgreSQL database. + + ADOdb + February 06, 2006 + February 06, 2006: 01 + 120215 + remote + + + 4.71 + 4.71 + + + +

+ ADOdb is an abstraction library for PHP creating a common API for + a wide range of database backends. +

+
+ +

+ Andy Staudacher discovered that ADOdb does not properly sanitize + all parameters. +

+
+ +

+ By sending specifically crafted requests to an application that + uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw + to execute arbitrary SQL queries on the host. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ADOdb users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/adodb-4.71" +
+ + CVE-2006-0410 + + + DerCorny + + + frilled + +
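Review bot: The advisory title near the top of the hunk spells the database `PostgresSQL`, while the synopsis and impact paragraphs of the same file use `PostgreSQL`; the title should read `ADOdb: PostgreSQL command injection`. Titles are what index pages and glsa-check output display, so the misspelling is the most visible line of the advisory. The surrounding markup cannot be checked here because the XML tags were stripped in this view.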
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-03.xml b/xml/htdocs/security/en/glsa/glsa-200602-03.xml new file mode 100644 index 00000000..01591086 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-03.xml @@ -0,0 +1,101 @@ + + + + + + + Apache: Multiple vulnerabilities + + Apache can be exploited for cross-site scripting attacks and is vulnerable + to a Denial of Service attack. + + Apache + February 06, 2006 + December 30, 2007: 03 + 115324 + 118875 + remote + + + 2.0.55-r1 + 2.0.54-r16 + 1.3.34-r2 + 1.3.34-r11 + 1.3.37 + 2.0.55-r1 + + + +

+ The Apache HTTP server is one of the most popular web servers on the + Internet. mod_imap provides support for server-side image maps; mod_ssl + provides secure HTTP connections. +

+
+ +

+ Apache's mod_imap fails to properly sanitize the "Referer" directive of + imagemaps in some cases, leaving the HTTP Referer header unescaped. A + flaw in mod_ssl can lead to a NULL pointer dereference if the site uses + a custom "Error 400" document. These vulnerabilities were reported by + Marc Cox and Hartmut Keil, respectively. +

+
+ +

+ A remote attacker could exploit mod_imap to inject arbitrary HTML or + JavaScript into a user's browser to gather sensitive information. + Attackers could also cause a Denial of Service on hosts using the SSL + module (Apache 2.0.x only). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache users should upgrade to the latest version, depending on + whether they still use the old configuration style + (/etc/apache/conf/*.conf) or the new one (/etc/apache2/httpd.conf). +

+

+ 2.0.x users, new style config: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/apache-2.0.55-r1" +

+ 2.0.x users, old style config: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "=www-servers/apache-2.0.54-r16" +

+ 1.x users, new style config: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "=www-servers/apache-1.3.34-r11" +

+ 1.x users, old style config: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "=www-servers/apache-1.3.34-r2" +
+ + CVE-2005-3352 + CVE-2005-3357 + + + koon + + + frilled + + + jaervosz + +
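Review bot: The resolution's 1.x instructions only cover `=www-servers/apache-1.3.34-r11` and `=www-servers/apache-1.3.34-r2`, yet the version list in the file header also carries `1.3.37` with no matching upgrade paragraph. If 1.3.37 was added as an unaffected version in revision 03, the resolution should say so, e.g. a `1.x users, new style config:` block with `">=www-servers/apache-1.3.37"`. With the XML tags stripped in this view the vulnerable/unaffected pairing cannot be verified, so please check the version ranges against the resolution text.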
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-04.xml b/xml/htdocs/security/en/glsa/glsa-200602-04.xml new file mode 100644 index 00000000..15376b59 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-04.xml @@ -0,0 +1,77 @@ + + + + + + + Xpdf, Poppler: Heap overflow + + Xpdf and Poppler are vulnerable to a heap overflow that may be exploited to + execute arbitrary code. + + xpdf poppler + February 12, 2006 + February 12, 2006: 01 + 120985 + remote + + + 3.01-r7 + 3.01-r7 + + + 0.5.0-r4 + 0.5.0-r4 + + + +

+ Xpdf is a PDF file viewer that runs under the X Window System. + Poppler is a PDF rendering library based on the Xpdf 3.0 code base. +

+
+ +

+ Dirk Mueller has reported a vulnerability in Xpdf. It is caused by + a missing boundary check in the splash rasterizer engine when handling + PDF splash images with overly large dimensions. +

+
+ +

+ By sending a specially crafted PDF file to a victim, an attacker + could cause an overflow, potentially resulting in the execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Xpdf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/xpdf-3.01-r7" +

+ All Poppler users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/poppler-0.5.0-r4" +

+

+
+ + CVE-2006-0301 + + + adir + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-05.xml b/xml/htdocs/security/en/glsa/glsa-200602-05.xml new file mode 100644 index 00000000..ce9c63ff --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-05.xml @@ -0,0 +1,76 @@ + + + + + + + KPdf: Heap based overflow + + KPdf includes vulnerable Xpdf code to handle PDF files, making it + vulnerable to the execution of arbitrary code. + + kdegraphics, kpdf + February 12, 2006 + February 12, 2006: 01 + 121375 + remote + + + 3.4.3-r4 + 3.4.3-r4 + + + 3.4.3-r4 + 3.4.3-r4 + + + +

+ KPdf is a KDE-based PDF viewer included in the kdegraphics + package. +

+
+ +

+ KPdf includes Xpdf code to handle PDF files. Dirk Mueller + discovered that the Xpdf code is vulnerable a heap based overflow in + the splash rasterizer engine. +

+
+ +

+ An attacker could entice a user to open a specially crafted PDF + file with Kpdf, potentially resulting in the execution of arbitrary + code with the rights of the user running the affected application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All kdegraphics users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.4.3-r4" +

+ All Kpdf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kpdf-3.4.3-r4" +
+ + CVE-2006-0301 + KDE Security Advisory: kpdf/xpdf heap based buffer overflow + + + jaervosz + + + koon + +
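Review bot: The description sentence `the Xpdf code is vulnerable a heap based overflow` is missing a preposition and should read `the Xpdf code is vulnerable to a heap-based overflow`. The same file alternates between `KPdf` (title, description) and `Kpdf` (impact, resolution); pick one spelling throughout.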
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-06.xml b/xml/htdocs/security/en/glsa/glsa-200602-06.xml new file mode 100644 index 00000000..92a1d435 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-06.xml @@ -0,0 +1,71 @@ + + + + + + + ImageMagick: Format string vulnerability + + A vulnerability in ImageMagick allows attackers to crash the application + and potentially execute arbitrary code. + + ImageMagick + February 13, 2006 + February 13, 2006: 01 + 83542 + remote + + + 6.2.5.5 + 6.2.5.5 + + + +

+ ImageMagick is an application suite to manipulate and convert + images. It is often used as a utility backend by web applications like + forums, content management systems or picture galleries. +

+
+ +

+ The SetImageInfo function was found vulnerable to a format string + mishandling. Daniel Kobras discovered that the handling of "%"-escaped + sequences in filenames passed to the function is inadequate. This is a + new vulnerability that is not addressed by GLSA 200503-11. +

+
+ +

+ By feeding specially crafted file names to ImageMagick, an + attacker can crash the program and possibly execute arbitrary code with + the privileges of the user running ImageMagick. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ImageMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.2.5.5" +
+ + CVE-2006-0082 + GLSA 200503-11 + + + jaervosz + + + frilled + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-07.xml b/xml/htdocs/security/en/glsa/glsa-200602-07.xml new file mode 100644 index 00000000..5d0eeae4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-07.xml @@ -0,0 +1,87 @@ + + + + + + + Sun JDK/JRE: Applet privilege escalation + + Sun's Java Development Kit (JDK) and Java Runtime Environment (JRE) do not + adequately constrain applets from privilege escalation and arbitrary code + execution. + + Sun JDK, applet + February 15, 2006 + February 15, 2006: 01 + 122156 + remote + + + 1.4.2.10 + 1.4.2.10 + + + 1.4.2.10 + 1.4.2.10 + + + +

+ Sun's JDK and JRE provide interpreters for Java Applets in a + sandboxed environment. These implementations provide the Java Web Start + technology that can be used for easy client-side deployment of Java + applications. +

+
+ +

+ Applets executed using JRE or JDK can use "reflection" APIs + functions to elevate its privileges beyond the sandbox restrictions. + Adam Gowdiak discovered five vulnerabilities that use this method for + privilege escalation. Two more vulnerabilities were discovered by the + vendor. Peter Csepely discovered that Web Start Java applications also + can an escalate their privileges. +

+
+ +

+ A malicious Java applet can bypass Java sandbox restrictions and + hence access local files, connect to arbitrary network locations and + execute arbitrary code on the user's machine. Java Web Start + applications are affected likewise. +

+
+ +

+ Select another Java implementation using java-config. +

+
+ +

+ All Sun JDK users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.4.2.10" +

+ All Sun JRE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.4.2.10" +
+ + Sun Security Alert ID 102170 + Sun Security Alert ID 102171 + CVE-2006-0614 + CVE-2006-0615 + CVE-2006-0616 + CVE-2006-0617 + + + dragonheart + + + koon + +
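Review bot: The description paragraph has two grammar slips: `can use "reflection" APIs functions to elevate its privileges` should be `can use "reflection" API functions to elevate their privileges`, and `Web Start Java applications also can an escalate their privileges` should be `Web Start Java applications can also escalate their privileges`. The workaround `Select another Java implementation using java-config` would be clearer if it stated that only `sun-jdk` and `sun-jre-bin` are affected, as the resolution commands already suggest.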
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-08.xml b/xml/htdocs/security/en/glsa/glsa-200602-08.xml new file mode 100644 index 00000000..d4139864 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-08.xml @@ -0,0 +1,82 @@ + + + + + + + libtasn1, GNU TLS: Security flaw in DER decoding + + A flaw in the parsing of Distinguished Encoding Rules (DER) has been + discovered in libtasn1, potentially resulting in the execution of arbitrary + code. + + libtasn1 + February 16, 2006 + February 16, 2006: 01 + 122307 + remote + + + 0.2.18 + 0.2.18 + + + 1.2.10 + 1.2.10 + + + +

+ Libtasn1 is a library used to parse ASN.1 (Abstract Syntax + Notation One) objects, and perform DER (Distinguished Encoding Rules) + decoding. Libtasn1 is included with the GNU TLS library, which is used + by applications to provide a cryptographically secure communications + channel. +

+
+ +

+ Evgeny Legerov has reported a flaw in the DER decoding routines + provided by libtasn1, which could cause an out of bounds access to + occur. +

+
+ +

+ A remote attacker could cause an application using libtasn1 to + crash and potentially execute arbitrary code by sending specially + crafted input. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libtasn1 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libtasn1-0.2.18" +

+ All GNU TLS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/gnutls-1.2.10" +
+ + CVE-2006-0645 + + + koon + + + koon + + + taviso + +
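Review bot: The title and description write the library as `GNU TLS`, while the project name and the package in the resolution (`net-libs/gnutls`) are `GnuTLS`; the title should read `libtasn1, GnuTLS: Security flaw in DER decoding`. The rest of the advisory text reads fine.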
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-09.xml b/xml/htdocs/security/en/glsa/glsa-200602-09.xml new file mode 100644 index 00000000..384958de --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-09.xml @@ -0,0 +1,67 @@ + + + + + + + BomberClone: Remote execution of arbitrary code + + BomberClone is vulnerable to a buffer overflow which may lead to remote + execution of arbitrary code. + + games-action/bomberclone + February 16, 2006 + February 16, 2006: 01 + 121605 + remote + + + 0.11.6.2-r1 + 0.11.6.2-r1 + + + +

+ BomberClone is a remake of the classic game "BomberMan". It + supports multiple players via IP network connection. +

+
+ +

+ Stefan Cornelius of the Gentoo Security team discovered multiple + missing buffer checks in BomberClone's code. +

+
+ +

+ By sending overly long error messages to the game via network, a + remote attacker may exploit buffer overflows to execute arbitrary code + with the rights of the user running BomberClone. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All BomberClone users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-action/bomberclone-0.11.6.2-r1" +
+ + CVE-2006-0460 + + + koon + + + koon + + + frilled + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-10.xml b/xml/htdocs/security/en/glsa/glsa-200602-10.xml new file mode 100644 index 00000000..796aac90 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-10.xml @@ -0,0 +1,71 @@ + + + + + + + GnuPG: Incorrect signature verification + + Applications relying on GnuPG to authenticate digital signatures may + incorrectly believe a signature has been verified. + + gnupg + February 18, 2006 + February 18, 2006: 01 + 122721 + remote + + + 1.4.2.1 + 1.4.2.1 + + + +

+ GnuPG (The GNU Privacy Guard) is a free replacement for PGP + (Pretty Good Privacy). As GnuPG does not rely on any patented + algorithms, it can be used without any restrictions. gpgv is the + OpenPGP signature verification tool provided by the GnuPG system. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Auditing Team + discovered that automated systems relying on the return code of GnuPG + or gpgv to authenticate digital signatures may be misled by malformed + signatures. GnuPG documentation states that a return code of zero (0) + indicates success, however gpg and gpgv may also return zero if no + signature data was found in a detached signature file. +

+
+ +

+ An attacker may be able to bypass authentication in automated + systems relying on the return code of gpg or gpgv to authenticate + digital signatures. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GnuPG users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.2.1" +
+ + GnuPG Security Announcement + CVE-2006-0455 + + + taviso + + + koon + +
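Review bot: The workaround section says `There is no known workaround at this time`, yet the description itself confines the problem to callers trusting the exit status; operators who cannot upgrade immediately would benefit from a sentence saying that automated verification should rely on the machine-readable status lines (`--status-fd`, checking for a `GOODSIG`/`VALIDSIG` record) rather than on a zero return code. The upgrade to `>=app-crypt/gnupg-1.4.2.1` remains the fix; the hint only helps the automated systems the impact paragraph describes.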
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-11.xml b/xml/htdocs/security/en/glsa/glsa-200602-11.xml new file mode 100644 index 00000000..76a7f3d0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-11.xml @@ -0,0 +1,82 @@ + + + + + + + OpenSSH, Dropbear: Insecure use of system() call + + A flaw in OpenSSH and Dropbear allows local users to elevate their + privileges via scp. + + OpenSSH + February 20, 2006 + February 20, 2006: 01 + 119232 + local + + + 4.2_p1-r1 + 4.2_p1-r1 + + + 0.47-r1 + 0.47-r1 + + + +

+ OpenSSH is a free application suite consisting of server and + clients that replace tools like telnet, rlogin, rcp and ftp with more + secure versions offering additional functionality. Dropbear is an SSH + server and client designed with a small memory footprint that includes + OpenSSH scp code. +

+
+ +

+ To copy from a local filesystem to another local filesystem, scp + constructs a command line using 'cp' which is then executed via + system(). Josh Bressers discovered that special characters are not + escaped by scp, but are simply passed to the shell. +

+
+ +

+ By tricking other users or applications to use scp on maliciously + crafted filenames, a local attacker user can execute arbitrary commands + with the rights of the user running scp. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSSH users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/openssh-4.2_p1-r1" +

+ All Dropbear users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/dropbear-0.47-r1" +
+ + CVE-2006-0225 + + + jaervosz + + + frilled + + + koon + +
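Review bot: The impact paragraph's `a local attacker user can execute arbitrary commands` should be `a local attacker can execute arbitrary commands`. The keyword list near the file header names only `OpenSSH`, although the title, description and resolution also cover Dropbear (`net-misc/dropbear`); adding `Dropbear` to the keywords would make the advisory findable when searching for that package.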
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-12.xml b/xml/htdocs/security/en/glsa/glsa-200602-12.xml new file mode 100644 index 00000000..b1ee7dfe --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-12.xml @@ -0,0 +1,67 @@ + + + + + + + GPdf: heap overflows in included Xpdf code + + GPdf includes vulnerable Xpdf code to handle PDF files, making it + vulnerable to the execution of arbitrary code. + + gpdf + February 21, 2006 + February 21, 2006: 01 + 121511 + remote + + + 2.10.0-r4 + 2.10.0-r4 + + + +

+ GPdf is a Gnome PDF viewer. +

+
+ +

+ Dirk Mueller found a heap overflow vulnerability in the XPdf + codebase when handling splash images that exceed size of the associated + bitmap. +

+
+ +

+ An attacker could entice a user to open a specially crafted PDF + file with GPdf, potentially resulting in the execution of arbitrary + code with the rights of the user running the affected application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GPdf users should upgrade to the latest version. +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/gpdf-2.10.0-r4" +
+ + CVE-2006-0301 + + + koon + + + koon + + + dragonheart + +
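Review bot: The description's `splash images that exceed size of the associated bitmap` is missing an article and should read `exceed the size of the associated bitmap`. The resolution lead-in `All GPdf users should upgrade to the latest version.` ends with a period where every other advisory in this commit uses a colon before the emerge block. The description also writes `XPdf` while the title writes `Xpdf`.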
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-13.xml b/xml/htdocs/security/en/glsa/glsa-200602-13.xml new file mode 100644 index 00000000..2c7e26b6 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-13.xml @@ -0,0 +1,71 @@ + + + + + + + GraphicsMagick: Format string vulnerability + + A vulnerability in GraphicsMagick allows attackers to crash the application + and potentially execute arbitrary code. + + graphicsmagick + February 26, 2006 + February 26, 2006: 01 + 119476 + remote + + + 1.1.7 + 1.1.7 + + + +

+ GraphicsMagick is a collection of tools to read, write and + manipulate images in many formats. +

+
+ +

+ The SetImageInfo function was found vulnerable to a format string + mishandling. Daniel Kobras discovered that the handling of "%"-escaped + sequences in filenames passed to the function is inadequate in + ImageMagick GLSA 200602-06 and the same vulnerability exists in + GraphicsMagick. +

+
+ +

+ By feeding specially crafted file names to GraphicsMagick an + attacker can crash the program and possibly execute arbitrary code with + the privileges of the user running GraphicsMagick. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GraphicsMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.1.7" +
+ + GLSA 200602-06 + CVE-2006-0082 + + + koon + + + dragonheart + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200602-14.xml b/xml/htdocs/security/en/glsa/glsa-200602-14.xml new file mode 100644 index 00000000..2dd712d7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200602-14.xml @@ -0,0 +1,69 @@ + + + + + + + noweb: Insecure temporary file creation + + noweb is vulnerable to symlink attacks, potentially allowing a local user + to overwrite arbitrary files. + + noweb + February 26, 2006 + February 26, 2006: 01 + 122705 + local + + + 2.9-r5 + 2.9-r5 + + + +

+ noweb is a simple, extensible, and language independent literate + programming tool. +

+
+ +

+ Javier Fernandez-Sanguino has discovered that the lib/toascii.nw + and shell/roff.mm scripts insecurely create temporary files with + predictable filenames. +

+
+ +

+ A local attacker could create symbolic links in the temporary file + directory, pointing to a valid file somewhere on the filesystem. When + an affected script is called, this would result in the file being + overwritten with the rights of the user running the script. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All noweb users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/noweb-2.9-r5" +
+ + CVE-2005-3342 + + + DerCorny + + + DerCorny + + + formula7 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-01.xml b/xml/htdocs/security/en/glsa/glsa-200603-01.xml new file mode 100644 index 00000000..e7a55781 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200603-01.xml @@ -0,0 +1,68 @@ + + + + + + + WordPress: SQL injection vulnerability + + WordPress is vulnerable to an SQL injection vulnerability. + + WordPress + March 04, 2006 + March 04, 2006: 01 + 121661 + remote + + + 2.0.1 + 1.5.2 + + + +

+ WordPress is a PHP and MySQL based content management and + publishing system. +

+
+ +

+ Patrik Karlsson reported that WordPress 1.5.2 makes use of an + insufficiently filtered User Agent string in SQL queries related to + comments posting. This vulnerability was already fixed in the + 2.0-series of WordPress. +

+
+ +

+ An attacker could send a comment with a malicious User Agent + parameter, resulting in SQL injection and potentially in the subversion + of the WordPress database. This vulnerability wouldn't affect WordPress + sites which do not allow comments or which require that comments go + through a moderator. +

+
+ +

+ Disable or moderate comments on your WordPress blogs. +

+
+ +

+ All WordPress users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/wordpress-2.0.1" +
+ + CVE-2006-1012 + + + + koon + + + koon + +
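Review bot: The synopsis `WordPress is vulnerable to an SQL injection vulnerability` is redundant; `WordPress is vulnerable to SQL injection` reads better. The reference block after the CVE appears to contain an empty entry (an extra bare `+` line between `CVE-2006-1012` and the `koon` metadata); with tags stripped in this view that may just be an empty element, but it is worth checking that the file validates against the GLSA DTD.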
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-02.xml b/xml/htdocs/security/en/glsa/glsa-200603-02.xml new file mode 100644 index 00000000..0a4b878d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200603-02.xml @@ -0,0 +1,93 @@ + + + + + + + teTeX, pTeX, CSTeX: Multiple overflows in included XPdf code + + CSTeTeX, pTeX, and teTeX include vulnerable XPdf code to handle PDF files, + making them vulnerable to the execution of arbitrary code. + + tetex + March 04, 2006 + March 04, 2006: 01 + 115775 + remote + + + 2.0.2-r8 + 2.0.2-r8 + + + 2.0.2-r2 + 2.0.2-r2 + + + 3.1.5-r1 + 3.1.5-r1 + + + +

+ teTex is a complete TeX distribution. It is used for creating and + manipulating LaTeX documents. CSTeX is a TeX distribution with Czech + and Slovak support. pTeX is and ASCII publishing TeX distribution. +

+
+ +

+ CSTeX, teTex, and pTeX include XPdf code to handle PDF files. This + XPdf code is vulnerable to several heap overflows (GLSA 200512-08) as + well as several buffer and integer overflows discovered by Chris Evans + (CESA-2005-003). +

+
+ +

+ An attacker could entice a user to open a specially crafted PDF + file with teTeX, pTeX or CSTeX, potentially resulting in the execution + of arbitrary code with the rights of the user running the affected + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All teTex users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/tetex-2.0.2-r8" +

+ All CSTeX users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/cstetex-2.0.2-r2" +

+ All pTeX users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/ptex-3.1.5-r1" +
+ + CVE-2005-3193 + GLSA 200512-08 + CESA-2005-003 + + + koon + + + dragonheart + + + koon + +
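Review bot: The description's `pTeX is and ASCII publishing TeX distribution` should read `pTeX is an ASCII publishing TeX distribution`. The same file spells the packages four ways (`teTeX`, `teTex`, `CSTeX`, `CSTeTeX`) across title, synopsis, description and resolution; standardise on the names used in the title (`teTeX`, `CSTeX`) throughout.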
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-03.xml b/xml/htdocs/security/en/glsa/glsa-200603-03.xml new file mode 100644 index 00000000..5e2062d0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200603-03.xml @@ -0,0 +1,73 @@ + + + + + + + MPlayer: Multiple integer overflows + + MPlayer is vulnerable to integer overflows in FFmpeg and ASF decoding that + could potentially result in the execution of arbitrary code. + + MPlayer + March 04, 2006 + June 21, 2006: 02 + 115760 + 122029 + remote + + + 1.0.20060217 + 1.0_pre8 + 1.0.20060217 + + + +

+ MPlayer is a media player capable of handling multiple multimedia file + formats. +

+
+ +

+ MPlayer makes use of the FFmpeg library, which is vulnerable to a heap + overflow in the avcodec_default_get_buffer() function discovered by + Simon Kilvington (see GLSA 200601-06). Furthermore, AFI Security + Research discovered two integer overflows in ASF file format decoding, + in the new_demux_packet() function from libmpdemux/demuxer.h and the + demux_asf_read_packet() function from libmpdemux/demux_asf.c. +

+
+ +

+ An attacker could craft a malicious media file which, when opened using + MPlayer, would lead to a heap-based buffer overflow. This could result + in the execution of arbitrary code with the permissions of the user + running MPlayer. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0.20060217" +
+ + CVE-2005-4048 + CVE-2006-0579 + GLSA 200601-06 + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-04.xml b/xml/htdocs/security/en/glsa/glsa-200603-04.xml new file mode 100644 index 00000000..512cd9f3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200603-04.xml @@ -0,0 +1,66 @@ + + + + + + + IMAP Proxy: Format string vulnerabilities + + Format string vulnerabilities in IMAP Proxy may lead to the execution of + arbitrary code when connected to malicious IMAP servers. + + up-imapproxy + March 06, 2006 + March 06, 2006: 01 + 107679 + remote + + + 1.2.4 + 1.2.4 + + + +

+ IMAP Proxy (also known as up-imapproxy) proxies IMAP transactions + between an IMAP client and an IMAP server. +

+
+ +

+ Steve Kemp discovered two format string errors in IMAP Proxy. +

+
+ +

+ A remote attacker could design a malicious IMAP server and entice + someone to connect to it using IMAP Proxy, resulting in the execution + of arbitrary code with the rights of the victim user. +

+
+ +

+ Only connect to trusted IMAP servers using IMAP Proxy. +

+
+ +

+ All IMAP Proxy users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/up-imapproxy-1.2.4" +
+ + CVE-2005-2661 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-05.xml b/xml/htdocs/security/en/glsa/glsa-200603-05.xml new file mode 100644 index 00000000..ad377313 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200603-05.xml @@ -0,0 +1,70 @@ + + + + + + + zoo: Stack-based buffer overflow + + A stack-based buffer overflow in zoo may be exploited to execute arbitrary + code through malicious ZOO archives. + + zoo + March 06, 2006 + March 06, 2006: 01 + 123782 + remote + + + 2.10-r1 + 2.10-r1 + + + +

+ zoo is a file archiving utility for maintaining collections of + files, written by Rahul Dhesi. +

+
+ +

+ Jean-Sebastien Guay-Leroux discovered a boundary error in the + fullpath() function in misc.c when processing overly long file and + directory names in ZOO archives. +

+
+ +

+ An attacker could craft a malicious ZOO archive and entice someone + to open it using zoo. This would trigger a stack-based buffer overflow + and potentially allow execution of arbitrary code with the rights of + the victim user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All zoo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/zoo-2.10-r1" +
+ + CVE-2006-0855 + Original Advisory + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-06.xml b/xml/htdocs/security/en/glsa/glsa-200603-06.xml new file mode 100644 index 00000000..4b230f18 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200603-06.xml @@ -0,0 +1,69 @@ + + + + + + + GNU tar: Buffer overflow + + A malicious tar archive could trigger a Buffer overflow in GNU tar, + potentially resulting in the execution of arbitrary code. + + tar + March 10, 2006 + March 10, 2006: 01 + 123038 + remote + + + 1.15.1-r1 + 1.15.1-r1 + + + +

+ GNU tar is the standard GNU utility for creating and manipulating + tar archives, a common format used for creating backups and + distributing files on UNIX-like systems. +

+
+ +

+ Jim Meyering discovered a flaw in the handling of certain header + fields that could result in a buffer overflow when extracting or + listing the contents of an archive. +

+
+ +

+ A remote attacker could construct a malicious tar archive that + could potentially execute arbitrary code with the privileges of the + user running GNU tar. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GNU tar users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/tar-1.15.1-r1" +
+ + CVE-2006-0300 + + + koon + + + taviso + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-07.xml b/xml/htdocs/security/en/glsa/glsa-200603-07.xml new file mode 100644 index 00000000..99e54cfd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200603-07.xml @@ -0,0 +1,69 @@ + + + + + + + flex: Potential insecure code generation + + flex might generate code with a buffer overflow, making applications using + such scanners vulnerable to the execution of arbitrary code. + + flex + March 10, 2006 + March 10, 2006: 01 + 122940 + remote and local + + + 2.5.33-r1 + 2.5.33-r1 + + + +

+ flex is a programming tool used to generate scanners (programs + which recognize lexical patterns in text). +

+
+ +

+ Chris Moore discovered a buffer overflow in a special class of + lexicographical scanners generated by flex. Only scanners generated by + grammars which use either REJECT, or rules with a "variable trailing + context" might be at risk. +

+
+ +

+ An attacker could feed malicious input to an application making + use of an affected scanner and trigger the buffer overflow, potentially + resulting in the execution of arbitrary code. +

+
+ +

+ Avoid using vulnerable grammar in your flex scanners. +

+
+ +

+ All flex users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-devel/flex-2.5.33-r1" +
+ + CVE-2006-0459 + + + koon + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-08.xml b/xml/htdocs/security/en/glsa/glsa-200603-08.xml
new file mode 100644
index 00000000..c0a31bb2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-08.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ GnuPG: Incorrect signature verification
+
+ GnuPG may erroneously report a modified or unsigned message has a valid
+ digital signature.
+
+ gnupg
+ March 10, 2006
+ March 10, 2006: 01
+ 125217
+ remote
+
+
+ 1.4.2.2
+ 1.4.2.2
+
+
+
+

+ The GNU Privacy Guard, GnuPG, is a free replacement for the PGP + suite of cryptographic software that may be used without restriction, + as it does not rely on any patented algorithms. GnuPG can be used to + digitally sign messages, a method of ensuring the authenticity of a + message using public key cryptography. +

+
+ +

+ OpenPGP is the standard that defines the format of digital + signatures supported by GnuPG. OpenPGP signatures consist of multiple + sections, in a strictly defined order. Tavis Ormandy of the Gentoo + Linux Security Audit Team discovered that certain illegal signature + formats could allow signed data to be modified without detection. GnuPG + has previously attempted to be lenient when processing malformed or + legacy signature formats, but this has now been found to be insecure. +

+
+ +

+ A remote attacker may be able to construct or modify a + digitally-signed message, potentially allowing them to bypass + authentication systems, or impersonate another user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GnuPG users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.2.2" +
+ + CVE-2006-0049 + GnuPG Announcement + + + taviso + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-09.xml b/xml/htdocs/security/en/glsa/glsa-200603-09.xml
new file mode 100644
index 00000000..b0c70bdd
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-09.xml
@@ -0,0 +1,82 @@
+
+
+
+
+
+
+ SquirrelMail: Cross-site scripting and IMAP command injection
+
+ SquirrelMail is vulnerable to several cross-site scripting vulnerabilities
+ and IMAP command injection.
+
+ squirrelmail
+ March 12, 2006
+ March 12, 2006: 01
+ 123781
+ remote
+
+
+ 1.4.6
+ 1.4.6
+
+
+
+

+ SquirrelMail is a webmail package written in PHP. It supports IMAP + and SMTP protocols. +

+
+ +

+ SquirrelMail does not validate the right_frame parameter in + webmail.php, possibly allowing frame replacement or cross-site + scripting (CVE-2006-0188). Martijn Brinkers and Scott Hughes discovered + that MagicHTML fails to handle certain input correctly, potentially + leading to cross-site scripting (only Internet Explorer, + CVE-2006-0195). Vicente Aguilera reported that the + sqimap_mailbox_select function did not strip newlines from the mailbox + or subject parameter, possibly allowing IMAP command injection + (CVE-2006-0377). +

+
+ +

+ By exploiting the cross-site scripting vulnerabilities, an + attacker can execute arbitrary scripts running in the context of the + victim's browser. This could lead to a compromise of the user's webmail + account, cookie theft, etc. A remote attacker could exploit the IMAP + command injection to execute arbitrary IMAP commands on the configured + IMAP server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SquirrelMail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.6" +

+ Note: Users with the vhosts USE flag set should manually use + webapp-config to finalize the update. +

+
+ + CVE-2006-0188 + CVE-2006-0195 + CVE-2006-0377 + + + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-10.xml b/xml/htdocs/security/en/glsa/glsa-200603-10.xml
new file mode 100644
index 00000000..47999a37
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-10.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ Cube: Multiple vulnerabilities
+
+ Cube is vulnerable to a buffer overflow, invalid memory access and remote
+ client crashes, possibly leading to a Denial of Service or remote code
+ execution.
+
+ cube
+ March 13, 2006
+ March 13, 2006: 01
+ 125289
+ remote
+
+
+ 20050829
+
+
+
+

+ Cube is an open source first person shooter game engine supporting + multiplayer via LAN or internet. +

+
+ +

+ Luigi Auriemma reported that Cube is vulnerable to a buffer + overflow in the sgetstr() function (CVE-2006-1100) and that the + sgetstr() and getint() functions fail to verify the length of the + supplied argument, possibly leading to the access of invalid memory + regions (CVE-2006-1101). Furthermore, he discovered that a client + crashes when asked to load specially crafted mapnames (CVE-2006-1102). +

+
+ +

+ A remote attacker could exploit the buffer overflow to execute + arbitrary code with the rights of the user running cube. An attacker + could also exploit the other vulnerabilities to crash a Cube client or + server, resulting in a Denial of Service. +

+
+ +

+ Play solo games or restrict your multiplayer games to trusted + parties. +

+
+ +

+ Upstream stated that there will be no fixed version of Cube, thus + the Gentoo Security Team decided to hardmask Cube for security reasons. + All Cube users are encouraged to uninstall Cube: +

+ + # emerge --ask --unmerge games-fps/cube +
+ + CVE-2006-1100 + CVE-2006-1101 + CVE-2006-1102 + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-11.xml b/xml/htdocs/security/en/glsa/glsa-200603-11.xml
new file mode 100644
index 00000000..ccbef20d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-11.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Freeciv: Denial of Service
+
+ A memory allocation bug in Freeciv allows a remote attacker to perform a
+ Denial of Service attack.
+
+ freeciv
+ March 16, 2006
+ March 16, 2006: 01
+ 125304
+ remote
+
+
+ 2.0.8
+ 2.0.8
+
+
+
+

+ Freeciv is an open source turn-based multiplayer strategy game, + similar to the famous Civilization series. +

+
+ +

+ Luigi Auriemma discovered that Freeciv could be tricked into the + allocation of enormous chunks of memory when trying to uncompress + malformed data packages, possibly leading to an out of memory condition + which causes Freeciv to crash or freeze. +

+
+ +

+ A remote attacker could exploit this issue to cause a Denial of + Service by sending specially crafted data packages to the Freeciv game + server. +

+
+ +

+ Play solo games or restrict your multiplayer games to trusted + parties. +

+
+ +

+ All Freeciv users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-strategy/freeciv-2.0.8" +
+ + CVE-2006-0047 + Original advisory + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-12.xml b/xml/htdocs/security/en/glsa/glsa-200603-12.xml
new file mode 100644
index 00000000..4dcec005
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-12.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ zoo: Buffer overflow
+
+ A buffer overflow in zoo may be exploited to execute arbitrary when
+ creating archives of specially crafted directories and files.
+
+ zoo
+ March 16, 2006
+ March 16, 2006: 01
+ 125622
+ local
+
+
+ 2.10-r2
+ 2.10-r2
+
+
+
+

+ zoo is a file archiving utility for maintaining collections of + files, written by Rahul Dhesi. +

+
+ +

+ zoo is vulnerable to a new buffer overflow due to insecure use of + the strcpy() function when trying to create an archive from certain + directories or filenames. +

+
+ +

+ An attacker could exploit this issue by enticing a user to create + a zoo archive of specially crafted directories and filenames, possibly + leading to the execution of arbitrary code with the rights of the user + running zoo. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All zoo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/zoo-2.10-r2" +
+ + RedHat Bug #183426 + CVE-2006-1269 + + + koon + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-13.xml b/xml/htdocs/security/en/glsa/glsa-200603-13.xml
new file mode 100644
index 00000000..8cf1dee9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-13.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ PEAR-Auth: Potential authentication bypass
+
+ PEAR-Auth did not correctly verify data passed to the DB and LDAP
+ containers, thus allowing to inject false credentials to bypass the
+ authentication.
+
+ pear-auth
+ March 17, 2006
+ March 17, 2006: 01
+ 123832
+ remote
+
+
+ 1.2.4
+ 1.2.4
+
+
+
+

+ PEAR-Auth is a PEAR package that provides methods to create a PHP + based authentication system. +

+
+ +

+ Matt Van Gundy discovered that PEAR-Auth did not correctly + validate data passed to the DB and LDAP containers. +

+
+ +

+ A remote attacker could possibly exploit this vulnerability to + bypass the authentication mechanism by injecting specially crafted + input to the underlying storage containers. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PEAR-Auth users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/PEAR-Auth-1.2.4" +
+ + CVE-2006-0868 + + + koon + + + koon + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-14.xml b/xml/htdocs/security/en/glsa/glsa-200603-14.xml
new file mode 100644
index 00000000..ec844637
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-14.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Heimdal: rshd privilege escalation
+
+ An error in the rshd daemon of Heimdal could allow authenticated users to
+ elevate privileges.
+
+ heimdal
+ March 17, 2006
+ March 17, 2006: 01
+ 121839
+ remote
+
+
+ 0.7.2
+ 0.7.2
+
+
+
+

+ Heimdal is a free implementation of Kerberos 5. +

+
+ +

+ An unspecified privilege escalation vulnerability in the rshd + server of Heimdal has been reported. +

+
+ +

+ Authenticated users could exploit the vulnerability to escalate + privileges or to change the ownership and content of arbitrary files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Heimdal users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/heimdal-0.7.2" +
+ + CVE-2006-0582 + Heimdal Advisory 2006-02-06 + + + koon + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-15.xml b/xml/htdocs/security/en/glsa/glsa-200603-15.xml
new file mode 100644
index 00000000..787ffed2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-15.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ Crypt::CBC: Insecure initialization vector
+
+ Crypt::CBC uses an insecure initialization vector, potentially resulting in
+ a weaker encryption.
+
+ crypt-cbc
+ March 17, 2006
+ March 17, 2006: 01
+ 126048
+ remote
+
+
+ 2.17
+ 2.17
+
+
+
+

+ Crypt::CBC is a Perl module to encrypt data using cipher block + chaining (CBC). +

+
+ +

+ Lincoln Stein discovered that Crypt::CBC fails to handle 16 bytes + long initializiation vectors correctly when running in the RandomIV + mode, resulting in a weaker encryption because the second part of every + block will always be encrypted with zeros if the blocksize of the + cipher is greater than 8 bytes. +

+
+ +

+ An attacker could exploit weak ciphertext produced by Crypt::CBC + to bypass certain security restrictions or to gain access to sensitive + data. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Crypt::CBC users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-perl/crypt-cbc-2.17" +
+ + CVE-2006-0898 + + + koon + + + koon + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-16.xml b/xml/htdocs/security/en/glsa/glsa-200603-16.xml
new file mode 100644
index 00000000..fe9e3edb
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-16.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Metamail: Buffer overflow
+
+ A buffer overflow in Metamail could possibly be exploited to execute
+ arbitrary code.
+
+ metamail
+ March 17, 2006
+ March 17, 2006: 01
+ 126052
+ remote
+
+
+ 2.7.45.3-r1
+ 2.7.45.3-r1
+
+
+
+

+ Metamail is a program that decodes MIME encoded mail. +

+
+ +

+ Ulf Harnhammar discovered a buffer overflow in Metamail when + processing mime boundraries. +

+
+ +

+ By sending a specially crafted email, attackers could potentially + exploit this vulnerability to crash Metamail or to execute arbitrary + code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Metamail users should update to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/metamail-2.7.45.3-r1" +
+ + CVE-2006-0709 + + + koon + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-17.xml b/xml/htdocs/security/en/glsa/glsa-200603-17.xml
new file mode 100644
index 00000000..522c4196
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-17.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ PeerCast: Buffer overflow
+
+ PeerCast is vulnerable to a buffer overflow that may lead to the execution
+ of arbitrary code.
+
+ peercast
+ March 21, 2006
+ March 21, 2006: 01
+ 123432
+ remote
+
+
+ 0.1217
+ 0.1217
+
+
+
+

+ PeerCast is a Peer to Peer broadcasting technology for listening + to radio and watching video on the Internet. +

+
+ +

+ INFIGO discovered a problem in the URL handling code. Buffers that + are allocated on the stack can be overflowed inside of nextCGIarg() + function. +

+
+ +

+ By sending a specially crafted request to the HTTP server, a + remote attacker can cause a stack overflow, resulting in the execution + of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PeerCast users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/peercast-0.1217" +
+ + CVE-2006-1148 + + + koon + + + DerCorny + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-18.xml b/xml/htdocs/security/en/glsa/glsa-200603-18.xml
new file mode 100644
index 00000000..2ac4622e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-18.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Pngcrush: Buffer overflow
+
+ Pngcrush is vulnerable to a buffer overflow which could potentially lead to
+ the execution of arbitrary code.
+
+ pngcrush
+ March 21, 2006
+ March 21, 2006: 01
+ 123286
+ remote
+
+
+ 1.6.2
+ 1.6.2
+
+
+
+

+ Pngcrush is an optimizer for PNG files. +

+
+ +

+ Carsten Lohrke of Gentoo Linux reported that Pngcrush contains a + vulnerable version of zlib (GLSA 200507-19). +

+
+ +

+ By creating a specially crafted data stream, attackers can + overwrite data structures for applications that use Pngcrush, resulting + in a Denial of Service and potentially arbitrary code execution. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Pngcrush users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/pngcrush-1.6.2" +
+ + GLSA 200507-19 + CVE-2005-1849 + + + koon + + + koon + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-19.xml b/xml/htdocs/security/en/glsa/glsa-200603-19.xml
new file mode 100644
index 00000000..886602b4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-19.xml
@@ -0,0 +1,72 @@
+
+
+
+
+
+
+ cURL/libcurl: Buffer overflow in the handling of TFTP URLs
+
+ libcurl is affected by a buffer overflow in the handling of URLs for the
+ TFTP protocol, which could be exploited to compromise a user's system.
+
+ curl
+ March 21, 2006
+ March 21, 2006: 01
+ 125766
+ remote
+
+
+ 7.15.1-r1
+ 7.15.3
+ 7.14.1
+ 7.15.3
+
+
+
+

+ cURL is a command line tool for transferring files with URL + syntax, supporting numerous protocols. libcurl is the corresponding + client-side library. +

+
+ +

+ Ulf Harnhammar reported a possible buffer overflow in the handling + of TFTP URLs in libcurl due to the lack of boundary checks. +

+
+ +

+ An attacker could exploit this vulnerability to compromise a + user's system by enticing the user to request a malicious URL with + cURL/libcurl or to use a HTTP server redirecting to a malicious TFTP + URL. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All cURL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/curl-7.15.1-r1" +
+ + Project cURL Security Advisory, March 20th 2006 + CVE-2006-1061 + + + koon + + + koon + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-20.xml b/xml/htdocs/security/en/glsa/glsa-200603-20.xml
new file mode 100644
index 00000000..801f1fb6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-20.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Macromedia Flash Player: Arbitrary code execution
+
+ Multiple vulnerabilities have been identified that allows arbitrary code execution on
+ a user's system via the handling of malicious SWF files.
+
+ Flash
+ March 21, 2006
+ May 28, 2009: 02
+ 102777
+ remote
+
+
+ 7.0.63
+ 7.0.63
+
+
+
+

+ The Macromedia Flash Player is a renderer for the popular SWF + filetype which is commonly used to provide interactive websites, + digital experiences and mobile content. +

+
+ +

+ The Macromedia Flash Player contains multiple unspecified + vulnerabilities. +

+
+ +

+ An attacker serving a maliciously crafted SWF file could entice a + user to view the SWF file and execute arbitrary code on the user's + machine. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Macromedia Flash Player users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-7.0.63" +
+ + CVE-2006-0024 + Macromedia Announcement + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-21.xml b/xml/htdocs/security/en/glsa/glsa-200603-21.xml
new file mode 100644
index 00000000..b8631a77
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-21.xml
@@ -0,0 +1,63 @@
+
+
+
+
+
+
+ Sendmail: Race condition in the handling of asynchronous signals
+
+ Sendmail is vulnerable to a race condition which could lead to the
+ execution of arbitrary code with sendmail privileges.
+
+ sendmail
+ March 22, 2006
+ March 22, 2006: 01
+ 125623
+ remote
+
+
+ 8.13.6
+ 8.13.6
+
+
+
+

+ Sendmail is a popular mail transfer agent (MTA). +

+
+ +

+ ISS discovered that Sendmail is vulnerable to a race condition in + the handling of asynchronous signals. +

+
+ +

+ An attacker could exploit this via certain crafted timing + conditions. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Sendmail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-mta/sendmail-8.13.6" +
+ + CVE-2006-0058 + Sendmail Inc. advisory + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-22.xml b/xml/htdocs/security/en/glsa/glsa-200603-22.xml
new file mode 100644
index 00000000..47eb123b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-22.xml
@@ -0,0 +1,91 @@
+
+
+
+
+
+
+ PHP: Format string and XSS vulnerabilities
+
+ Multiple vulnerabilities in PHP allow remote attackers to inject arbitrary
+ HTTP headers, perform cross site scripting or in some cases execute
+ arbitrary code.
+
+ php
+ March 22, 2006
+ March 22, 2006: 01
+ 125878
+ remote
+
+
+ 5.1.2
+ 4.4.2
+ 5.1.1
+ 5.0.5
+ 5.0.4
+
+
+
+

+ PHP is a general-purpose scripting language widely used to develop + web-based applications. It can run on a web server with the mod_php + module or the CGI version and also stand-alone in a CLI. +

+
+ +

+ Stefan Esser of the Hardened PHP project has reported a few + vulnerabilities found in PHP: +

+
    +
  • Input passed to the session + ID in the session extension isn't properly sanitised before being + returned to the user via a "Set-Cookie" HTTP header, which can contain + arbitrary injected data.
  • +
  • A format string error while + processing error messages using the mysqli extension in version 5.1 and + above.
  • +
+
+ +

+ By sending a specially crafted request, a remote attacker can + exploit this vulnerability to inject arbitrary HTTP headers, which will + be included in the response sent to the user. The format string + vulnerability may be exploited to execute arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHP 5.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-5.1.2" +

+ All PHP 4.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-4.4.2" +
+ + CVE-2006-0207 + CVE-2006-0208 + Hardened-PHP Advisory 01/2006 + Hardened-PHP Advisory 02/2006 + + + koon + + + koon + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-23.xml b/xml/htdocs/security/en/glsa/glsa-200603-23.xml
new file mode 100644
index 00000000..34f49750
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-23.xml
@@ -0,0 +1,95 @@
+
+
+
+
+
+
+ NetHack, Slash'EM, Falcon's Eye: Local privilege escalation
+
+ NetHack, Slash'EM and Falcon's Eye are vulnerable to local privilege
+ escalation vulnerabilities that could potentially allow the execution of
+ arbitrary code as other users.
+
+ nethack slashem falconseye
+ March 23, 2006
+ March 30, 2006: 01
+ 125902
+ 122376
+ 127167
+ 127319
+ local
+
+
+ 3.4.3-r1
+
+
+ 1.9.4a
+
+
+ 0.0.760
+
+
+
+

+ NetHack is the classic single player dungeon exploration game. Slash'EM + and Falcon's Eye are NetHack variants. +

+
+ +

+ NetHack, Slash'EM and Falcon's Eye have been found to be incompatible + with the system used for managing games on Gentoo Linux. As a result, + they cannot be played securely on systems with multiple users. +

+
+ +

+ A local user who is a member of group "games" may be able to modify the + state data used by NetHack, Slash'EM or Falcon's Eye to trigger the + execution of arbitrary code with the privileges of other players. + Additionally, the games may create save game files in a manner not + suitable for use on Gentoo Linux, potentially allowing a local user to + create or overwrite files with the permissions of other players. +

+
+ +

+ Do not add untrusted users to the "games" group. +

+
+ +

+ NetHack has been masked in Portage pending the resolution of these + issues. Vulnerable NetHack users are advised to uninstall the package + until further notice. +

+ + # emerge --ask --verbose --unmerge "games-roguelike/nethack" +

+ Slash'EM has been masked in Portage pending the resolution of these + issues. Vulnerable Slash'EM users are advised to uninstall the package + until further notice. +

+ + # emerge --ask --verbose --unmerge "games-roguelike/slashem" +

+ Falcon's Eye has been masked in Portage pending the resolution of these + issues. Vulnerable Falcon's Eye users are advised to uninstall the + package until further notice. +

+ + # emerge --ask --verbose --unmerge "games-roguelike/falconseye" +
+ + CVE-2006-1390 + + + DerCorny + + + taviso + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-24.xml b/xml/htdocs/security/en/glsa/glsa-200603-24.xml
new file mode 100644
index 00000000..3fe19bce
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-24.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ RealPlayer: Buffer overflow vulnerability
+
+ RealPlayer is vulnerable to a buffer overflow that could lead to remote
+ execution of arbitrary code.
+
+ RealPlayer
+ March 26, 2006
+ March 26, 2006: 01
+ 127352
+ remote
+
+
+ 10.0.7
+ 10.0.7
+
+
+
+

+ RealPlayer is a multimedia player capable of handling multiple + multimedia file formats. +

+
+ +

+ RealPlayer is vulnerable to a buffer overflow when processing + malicious SWF files. +

+
+ +

+ By enticing a user to open a specially crafted SWF file an + attacker could execute arbitrary code with the permissions of the user + running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All RealPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/realplayer-10.0.7" +
+ + CVE-2006-0323 + RealNetworks Advisory + + + vorlon078 + + + formula7 + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-25.xml b/xml/htdocs/security/en/glsa/glsa-200603-25.xml
new file mode 100644
index 00000000..7cb7cb65
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-25.xml
@@ -0,0 +1,84 @@
+
+
+
+
+
+
+ OpenOffice.org: Heap overflow in included libcurl
+
+ OpenOffice.org contains a vulnerable version of libcurl that may cause a
+ heap overflow when parsing URLs.
+
+ openoffice openoffice-bin
+ March 27, 2006
+ March 27, 2006: 01
+ 126433
+ remote
+
+
+ 2.0.2
+ 2.0.2
+
+
+ 2.0.1-r1
+ 2.0.1-r1
+
+
+
+

+ OpenOffice.org is an office productivity suite, including word + processing, spreadsheet, presentation, data charting, formula editing + and file conversion facilities. libcurl, which is included in + OpenOffice.org, is a free and easy-to-use client-side library for + transferring files with URL syntaxes, supporting numerous protocols. +

+
+ +

+ OpenOffice.org includes libcurl code. This libcurl code is + vulnerable to a heap overflow when it tries to parse a URL that exceeds + a 256-byte limit (GLSA 200512-09). +

+
+ +

+ An attacker could entice a user to call a specially crafted URL + with OpenOffice.org, potentially resulting in the execution of + arbitrary code with the rights of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenOffice.org binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.0.2" +

+ All OpenOffice.org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-2.0.1-r1" +
+ + CVE-2005-4077 + Hardened-PHP Advisory 24/2005 + GLSA 200512-09 + + + DerCorny + + + koon + + + adir + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200603-26.xml b/xml/htdocs/security/en/glsa/glsa-200603-26.xml
new file mode 100644
index 00000000..adc9a207
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200603-26.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ bsd-games: Local privilege escalation in tetris-bsd
+
+ tetris-bsd is prone to local privilege escalation vulnerabilities.
+
+ bsd-games
+ March 29, 2006
+ May 22, 2006: 02
+ 122399
+ local
+
+
+ 2.17-r1
+ 2.17-r1
+
+
+
+

+ bsd-games is a collection of NetBSD games ported to Linux. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that + the checkscores() function in scores.c reads in the data from the + /var/games/tetris-bsd.scores file without validation, rendering it + vulnerable to buffer overflows and incompatible with the system used + for managing games on Gentoo Linux. As a result, it cannot be played + securely on systems with multiple users. Please note that this is + probably a Gentoo-specific issue. +

+
+ +

+ A local user who is a member of group "games" may be able to modify the + tetris-bsd.scores file to trigger the execution of arbitrary code with + the privileges of other players. +

+
+ +

+ Do not add untrusted users to the "games" group. +

+
+ +

+ All bsd-games users are advised to update to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-misc/bsd-games-2.17-r1" +
+ + CVE-2006-1539 + + + jaervosz + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-01.xml b/xml/htdocs/security/en/glsa/glsa-200604-01.xml
new file mode 100644
index 00000000..9fb93825
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-01.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ MediaWiki: Cross-site scripting vulnerability
+
+ MediaWiki is vulnerable to a cross-site scripting attack that could allow
+ arbitrary JavaScript code execution.
+
+ mediawiki
+ April 04, 2006
+ April 04, 2006: 01
+ 127971
+ remote
+
+
+ 1.4.15
+ 1.4.15
+
+
+
+

+ MediaWiki is a collaborative editing software, used by big + projects like Wikipedia. +

+
+ +

+ MediaWiki fails to decode certain encoded URLs correctly. +

+
+ +

+ By supplying specially crafted links, a remote attacker could + exploit this vulnerability to inject malicious HTML or JavaScript code + that will be executed in a user's browser session in the context of the + vulnerable site. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MediaWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.4.15" +
+ + CVE-2006-1498 + MediaWiki 1.4.15 Release Notes + + + koon + + + koon + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-02.xml b/xml/htdocs/security/en/glsa/glsa-200604-02.xml
new file mode 100644
index 00000000..fc534628
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-02.xml
@@ -0,0 +1,77 @@
+
+
+
+
+
+
+ Horde Application Framework: Remote code execution
+
+ The help viewer of the Horde Framework allows attackers to execute
+ arbitrary remote code.
+
+ horde
+ April 04, 2006
+ April 04, 2006: 01
+ 127889
+ 126435
+ remote
+
+
+ 3.1.1
+ 3.1.1
+
+
+
+

+ The Horde Application Framework is a general-purpose web + application framework written in PHP, providing classes for handling + preferences, compression, browser detection, connection tracking, MIME + and more. +

+
+ +

+ Jan Schneider of the Horde team discovered a vulnerability in the + help viewer of the Horde Application Framework that could allow remote + code execution (CVE-2006-1491). Paul Craig reported that + "services/go.php" fails to validate the passed URL parameter correctly + (CVE-2006-1260). +

+
+ +

+ An attacker could exploit the vulnerability in the help viewer to + execute arbitrary code with the privileges of the web server user. By + embedding a NULL character in the URL parameter, an attacker could + exploit the input validation issue in go.php to read arbitrary files. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All Horde Application Framework users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-3.1.1" +
+ + CVE-2006-1260 + CVE-2006-1491 + Horde Announcement + + + vorlon078 + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-03.xml b/xml/htdocs/security/en/glsa/glsa-200604-03.xml
new file mode 100644
index 00000000..285859cf
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-03.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ FreeRADIUS: Authentication bypass in EAP-MSCHAPv2 module
+
+ The EAP-MSCHAPv2 module of FreeRADIUS is affected by a validation issue
+ which causes some authentication checks to be bypassed.
+
+ freeradius
+ April 04, 2006
+ April 04, 2006: 01
+ 127229
+ remote
+
+
+ 1.1.1
+ 1.0.0
+ 1.1.1
+
+
+
+

+ FreeRADIUS is an open source RADIUS authentication server + implementation. +

+
+ +

+ FreeRADIUS suffers from insufficient input validation in the + EAP-MSCHAPv2 state machine. +

+
+ +

+ An attacker could cause the server to bypass authentication checks + by manipulating the EAP-MSCHAPv2 client state machine. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FreeRADIUS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dialup/freeradius-1.1.1" +
+ + CVE-2006-1354 + FreeRADIUS Vulnerability Notifications + + + koon + + + koon + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-04.xml b/xml/htdocs/security/en/glsa/glsa-200604-04.xml
new file mode 100644
index 00000000..97f3c4ad
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-04.xml
@@ -0,0 +1,68 @@
+ + + + + + + Kaffeine: Buffer overflow + + Kaffeine is vulnerable to a buffer overflow that could lead to the + execution of arbitrary code. + + kaffeine + April 05, 2006 + April 05, 2006: 01 + 127326 + remote + + + 0.7.1-r2 + 0.7.1-r2 + + + +

+ Kaffeine is a graphical front-end for the xine-lib multimedia + library. +

+
+ +

+ Kaffeine uses an unchecked buffer when fetching remote RAM + playlists via HTTP. +

+
+ +

+ A remote attacker could entice a user to play a specially-crafted + RAM playlist resulting in the execution of arbitrary code with the + permissions of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Kaffeine users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/kaffeine-0.7.1-r2" +
+ + CVE-2006-0051 + KDE Security Advisory: Kaffeine buffer overflow + + + DerCorny + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-05.xml b/xml/htdocs/security/en/glsa/glsa-200604-05.xml
new file mode 100644
index 00000000..961bee44
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-05.xml
@@ -0,0 +1,68 @@
+ + + + + + + Doomsday: Format string vulnerability + + Format string vulnerabilities in Doomsday may lead to the execution of + arbitrary code. + + doomsday + April 06, 2006 + June 15, 2006: 02 + 128690 + remote + + + 1.9.0_beta4 + 1.9.0_beta4 + + + +

+ Doomsday is a modern gaming engine for popular ID games like Doom, + Heretic and Hexen. +

+
+ +

+ Luigi Auriemma discovered that Doomsday incorrectly implements + formatted printing. +

+
+ +

+ A remote attacker could exploit these vulnerabilities to execute + arbitrary code with the rights of the user running the Doomsday server + or client by sending specially crafted strings. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Doomsday users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-fps/doomsday-1.9.0_beta4" +
+ + CVE-2006-1618 + Original advisory by Luigi Auriemma + + + jaervosz + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-06.xml b/xml/htdocs/security/en/glsa/glsa-200604-06.xml
new file mode 100644
index 00000000..892c19c8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-06.xml
@@ -0,0 +1,69 @@
+ + + + + + + ClamAV: Multiple vulnerabilities + + ClamAV contains multiple vulnerabilities that could lead to remote + execution of arbitrary code or cause an application crash. + + clamav + April 07, 2006 + April 07, 2006: 01 + 128963 + remote + + + 0.88.1 + 0.88.1 + + + +

+ ClamAV is a GPL virus scanner. +

+
+ +

+ ClamAV contains format string vulnerabilities in the logging code + (CVE-2006-1615). Furthermore Damian Put discovered an integer overflow + in ClamAV's PE header parser (CVE-2006-1614) and David Luyer discovered + that ClamAV can be tricked into performing an invalid memory access + (CVE-2006-1630). +

+
+ +

+ By sending a malicious attachment to a mail server running ClamAV, + a remote attacker could cause a Denial of Service or the execution of + arbitrary code. Note that the overflow in the PE header parser is only + exploitable when the ArchiveMaxFileSize option is disabled. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.88.1" +
+ + CVE-2006-1614 + CVE-2006-1615 + CVE-2006-1630 + + + jaervosz + + + vorlon078 + +
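Review bot: The impact section states that the PE header overflow (CVE-2006-1614) is only exploitable when the ArchiveMaxFileSize option is disabled, yet the workaround section still says `There is no known workaround at this time.`. Stating the partial mitigation there, e.g. `Keeping ArchiveMaxFileSize enabled prevents exploitation of CVE-2006-1614; there is no known workaround for the other two issues.`, gives mail administrators a configuration check they can apply before the upgrade lands. The format string issue (CVE-2006-1615) and the invalid memory access (CVE-2006-1630) remain unmitigated by configuration, so the upgrade stays the resolution.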
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-07.xml b/xml/htdocs/security/en/glsa/glsa-200604-07.xml
new file mode 100644
index 00000000..a0c0302c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-07.xml
@@ -0,0 +1,75 @@
+ + + + + + + Cacti: Multiple vulnerabilities in included ADOdb + + Multiple vulnerabilities have been discovered in the ADOdb layer included + in Cacti, potentially resulting in the execution of arbitrary code. + + Cacti + April 14, 2006 + April 14, 2006: 01 + 129284 + remote + + + 0.8.6h_p20060108-r2 + 0.8.6h_p20060108-r2 + + + +

+ Cacti is a complete web-based frontend to rrdtool. ADOdb is a + PHP-based database abstraction layer which is included in Cacti. +

+
+ +

+ Several vulnerabilities have been identified in the copy of ADOdb + included in Cacti. Andreas Sandblad discovered a dynamic code + evaluation vulnerability (CVE-2006-0147) and a potential SQL injection + vulnerability (CVE-2006-0146). Andy Staudacher reported another SQL + injection vulnerability (CVE-2006-0410), and Gulftech Security + discovered multiple cross-site-scripting issues (CVE-2006-0806). +

+
+ +

+ Remote attackers could trigger these vulnerabilities by sending + malicious queries to the Cacti web application, resulting in arbitrary + code execution, database compromise through arbitrary SQL execution, + and malicious HTML or JavaScript code injection. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cacti users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.6h_p20060108-r2" +
+ + CVE-2006-0146 + CVE-2006-0147 + CVE-2006-0410 + CVE-2006-0806 + + + jaervosz + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-08.xml b/xml/htdocs/security/en/glsa/glsa-200604-08.xml
new file mode 100644
index 00000000..03eb99bc
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-08.xml
@@ -0,0 +1,67 @@
+ + + + + + + libapreq2: Denial of Service vulnerability + + A vulnerability has been reported in libapreq2 which could lead to a Denial + of Service. + + libapreq2 + April 17, 2006 + April 17, 2006: 01 + 128610 + remote + + + 2.07 + 2.07 + + + +

+ libapreq is a shared library with associated modules for + manipulating client request data via the Apache API. +

+
+ +

+ A vulnerability has been reported in the apreq_parse_headers() and + apreq_parse_urlencoded() functions of Apache2::Request. +

+
+ +

+ A remote attacker could possibly exploit the vulnerability to + cause a Denial of Service by CPU consumption. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libapreq2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apache/libapreq2-2.07" +
+ + CVE-2006-0042 + libapreq2 Changes + + + jaervosz + + + koon + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-09.xml b/xml/htdocs/security/en/glsa/glsa-200604-09.xml
new file mode 100644
index 00000000..c08076c3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-09.xml
@@ -0,0 +1,67 @@
+ + + + + + + Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service + + Cyrus-SASL contains a vulnerability in the DIGEST-MD5 process that could + lead to a Denial of Service. + + cyrus-sasl + April 21, 2006 + April 21, 2006: 01 + 129523 + remote + + + 2.1.21-r2 + 2.1.21-r2 + + + +

+ Cyrus-SASL is an implementation of the Simple Authentication and + Security Layer. +

+
+ +

+ Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 + process that could lead to a Denial of Service. +

+
+ +

+ An attacker could possibly exploit this vulnerability by sending + specially crafted data stream to the Cyrus-SASL server, resulting in a + Denial of Service even if the attacker is not able to authenticate. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cyrus-SASL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/cyrus-sasl-2.1.21-r2" +
+ + CVE-2006-1721 + + + koon + + + koon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-10.xml b/xml/htdocs/security/en/glsa/glsa-200604-10.xml
new file mode 100644
index 00000000..3c625d19
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-10.xml
@@ -0,0 +1,82 @@
+ + + + + + + zgv, xzgv: Heap overflow + + xzgv and zgv attempt to decode JPEG images within the CMYK/YCCK colour + space incorrectly, potentially resulting in the execution of arbitrary + code. + + xzgv + April 21, 2006 + June 10, 2006: 02 + 127008 + remote + + + 0.8-r2 + 0.8-r2 + + + 5.9 + 5.9 + + + +

+ xzgv and zgv are picture viewing utilities with a thumbnail based file + selector. +

+
+ +

+ Andrea Barisani of Gentoo Linux discovered xzgv and zgv allocate + insufficient memory when rendering images with more than 3 output + components, such as images using the YCCK or CMYK colour space. When + xzgv or zgv attempt to render the image, data from the image overruns a + heap allocated buffer. +

+
+ +

+ An attacker may be able to construct a malicious image that executes + arbitrary code with the permissions of the xzgv or zgv user when + attempting to render the image. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xzgv users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/xzgv-0.8-r2" +

+ All zgv users should also upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/zgv-5.9" +
+ + CVE-2006-1060 + homepage plus Changelog + + + jaervosz + + + koon + + + taviso + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-11.xml b/xml/htdocs/security/en/glsa/glsa-200604-11.xml
new file mode 100644
index 00000000..1214df53
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-11.xml
@@ -0,0 +1,70 @@
+ + + + + + + Crossfire server: Denial of Service and potential arbitrary code execution + + The Crossfire game server is vulnerable to a Denial of Service and + potentially to the execution of arbitrary code. + + Crossfire + April 22, 2006 + April 22, 2006: 01 + 126169 + remote + + + 1.9.0 + 1.9.0 + + + +

+ Crossfire is a cooperative multiplayer graphical adventure and + role-playing game. The Crossfire game server allows various compatible + clients to connect to participate in a cooperative game. +

+
+ +

+ Luigi Auriemma discovered a vulnerability in the Crossfire game + server, in the handling of the "oldsocketmode" option when processing + overly large requests. +

+
+ +

+ An attacker can set up a malicious Crossfire client that would + send a large request in "oldsocketmode", resulting in a Denial of + Service on the Crossfire server and potentially in the execution of + arbitrary code on the server with the rights of the game server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Crossfire server users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-server/crossfire-server-1.9.0" +
+ + CVE-2006-1010 + + + DerCorny + + + DerCorny + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-12.xml b/xml/htdocs/security/en/glsa/glsa-200604-12.xml
new file mode 100644
index 00000000..de7ec528
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-12.xml
@@ -0,0 +1,100 @@
+ + + + + + + Mozilla Firefox: Multiple vulnerabilities + + Several vulnerabilities in Mozilla Firefox allow attacks ranging from + execution of script code with elevated privileges to information leaks. + + mozilla-firefox + April 23, 2006 + April 23, 2006: 01 + 129924 + remote + + + 1.0.8 + 1.0.8 + + + 1.0.8 + 1.0.8 + + + +

+ Mozilla Firefox is the next-generation web browser from the + Mozilla project. +

+
+ +

+ Several vulnerabilities were found in Mozilla Firefox. Versions + 1.0.8 and 1.5.0.2 were released to fix them. +

+
+ +

+ A remote attacker could craft malicious web pages that would + leverage these issues to inject and execute arbitrary script code with + elevated privileges, steal local files, cookies or other information + from web pages, and spoof content. Some of these vulnerabilities might + even be exploited to execute arbitrary code with the rights of the + browser user. +

+
+ +

+ There are no known workarounds for all the issues at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.8" +

+ All Mozilla Firefox binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.8" +
+ + CVE-2005-4134 + CVE-2006-0292 + CVE-2006-0296 + CVE-2006-0748 + CVE-2006-0749 + CVE-2006-1727 + CVE-2006-1728 + CVE-2006-1729 + CVE-2006-1730 + CVE-2006-1731 + CVE-2006-1732 + CVE-2006-1733 + CVE-2006-1734 + CVE-2006-1735 + CVE-2006-1736 + CVE-2006-1737 + CVE-2006-1738 + CVE-2006-1739 + CVE-2006-1740 + CVE-2006-1741 + CVE-2006-1742 + CVE-2006-1790 + Mozilla Foundation Security Advisories + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-13.xml b/xml/htdocs/security/en/glsa/glsa-200604-13.xml
new file mode 100644
index 00000000..2c152ff4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-13.xml
@@ -0,0 +1,68 @@
+ + + + + + + fbida: Insecure temporary file creation + + fbida is vulnerable to linking attacks, potentially allowing a local user + to overwrite arbitrary files. + + fbida + April 23, 2006 + April 23, 2006: 01 + 129470 + local + + + 2.03-r3 + 2.03-r3 + + + +

+ fbida is a collection of image viewers and editors for the + framebuffer console and X11. +

+
+ +

+ Jan Braun has discovered that the "fbgs" script provided by fbida + insecurely creates temporary files in the "/var/tmp" directory. +

+
+ +

+ A local attacker could create links in the temporary file + directory, pointing to a valid file somewhere on the filesystem. When + an affected script is called, this could result in the file being + overwritten with the rights of the user running the script. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All fbida users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/fbida-2.03-r3" +
+ + CVE-2006-1695 + + + DerCorny + + + koon + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-14.xml b/xml/htdocs/security/en/glsa/glsa-200604-14.xml
new file mode 100644
index 00000000..31f0099e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-14.xml
@@ -0,0 +1,66 @@
+ + + + + + + Dia: Arbitrary code execution through XFig import + + Buffer overflows in Dia's XFig import could allow remote attackers to + execute arbitrary code. + + dia + April 23, 2006 + April 23, 2006: 01 + 128107 + remote + + + 0.94-r5 + 0.94-r5 + + + +

+ Dia is a GTK+ based diagram creation program. +

+
+ +

+ infamous41md discovered multiple buffer overflows in Dia's XFig + file import plugin. +

+
+ +

+ By enticing a user to import a specially crafted XFig file into + Dia, an attacker could exploit this issue to execute arbitrary code + with the rights of the user running Dia. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Dia users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/dia-0.94-r5" +
+ + CVE-2006-1550 + + + koon + + + koon + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-15.xml b/xml/htdocs/security/en/glsa/glsa-200604-15.xml
new file mode 100644
index 00000000..a936aa35
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-15.xml
@@ -0,0 +1,68 @@
+ + + + + + + xine-ui: Format string vulnerabilities + + Format string vulnerabilities in xine-ui may lead to the execution of + arbitrary code. + + xine-ui + April 26, 2006 + April 26, 2006: 01 + 130801 + remote + + + 0.99.4-r5 + 0.99.4-r5 + + + +

+ xine-ui is a skin-based user interface for xine. xine is a free + multimedia player. It plays CDs, DVDs, and VCDs, and can also decode + other common multimedia formats. +

+
+ +

+ Ludwig Nussel discovered that xine-ui incorrectly implements + formatted printing. +

+
+ +

+ By constructing a malicious playlist file, a remote attacker could + exploit these vulnerabilities to execute arbitrary code with the rights + of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-ui users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/xine-ui-0.99.4-r5" +
+ + CVE-2006-1905 + + + koon + + + adir + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-16.xml b/xml/htdocs/security/en/glsa/glsa-200604-16.xml
new file mode 100644
index 00000000..3a539e48
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-16.xml
@@ -0,0 +1,70 @@
+ + + + + + + xine-lib: Buffer overflow vulnerability + + xine-lib contains a buffer overflow vulnerability which may lead to the + execution of arbitrary code. + + xine-lib + April 26, 2006 + April 26, 2006: 01 + 128838 + remote + + + 1.1.2_pre20060328-r1 + 1.1.2_pre20060328-r1 + + + +

+ xine-lib is the xine core engine. xine is a free multimedia + player. It plays CDs, DVDs, and VCDs, and can also decode other common + multimedia formats. +

+
+ +

+ Federico L. Bossi Bonin discovered that when handling MPEG streams + xine-lib fails to make a proper boundary check of the input data + supplied by the user before copying it to an insufficiently sized + memory buffer. +

+
+ +

+ A remote attacker could entice a user to play a specially-crafted + MPEG file, resulting in the execution of arbitrary code with the + permissions of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.2_pre20060328-r1" +
+ + CVE-2006-1664 + + + koon + + + adir + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-17.xml b/xml/htdocs/security/en/glsa/glsa-200604-17.xml
new file mode 100644
index 00000000..9d2c7ea7
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-17.xml
@@ -0,0 +1,84 @@
+ + + + + + + Ethereal: Multiple vulnerabilities in protocol dissectors + + Ethereal is vulnerable to numerous vulnerabilities, potentially resulting + in the execution of arbitrary code. + + Ethereal + April 27, 2006 + April 27, 2006: 01 + 130505 + remote + + + 0.99.0 + 0.99.0 + + + +

+ Ethereal is a feature-rich network protocol analyzer. +

+
+ +

+ Coverity discovered numerous vulnerabilities in versions of + Ethereal prior to 0.99.0, including: +

+
    +
  • + buffer overflows in the ALCAP (CVE-2006-1934), COPS (CVE-2006-1935) + and telnet (CVE-2006-1936) dissectors.
  • +
  • buffer overflows + in the NetXray/Windows Sniffer and Network Instruments file code + (CVE-2006-1934).
  • +
+

+ For further details please consult the + references below. +

+
+ +

+ An attacker might be able to exploit these vulnerabilities to crash + Ethereal or execute arbitrary code with the permissions of the user + running Ethereal, which could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ethereal users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.99.0" +
+ + CVE-2006-1932 + CVE-2006-1933 + CVE-2006-1934 + CVE-2006-1935 + CVE-2006-1936 + CVE-2006-1937 + CVE-2006-1938 + CVE-2006-1939 + CVE-2006-1940 + Ethereal enpa-sa-00023 + + + jaervosz + + + jaervosz + +
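Review bot: The second bullet of the description attributes the NetXray/Windows Sniffer and Network Instruments file-code overflows to CVE-2006-1934, the same identifier the first bullet already assigns to the ALCAP dissector, while the reference list for this advisory holds nine distinct identifiers (CVE-2006-1932 through CVE-2006-1940). That looks like a copy-and-paste slip; please check the second bullet against the referenced Ethereal advisory enpa-sa-00023 and use the identifier it gives for the file-format code. Readers correlate these identifiers with scanner output and other vendors' advisories, so a duplicated CVE in the description is a real defect even though the reference list itself is complete.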
diff --git a/xml/htdocs/security/en/glsa/glsa-200604-18.xml b/xml/htdocs/security/en/glsa/glsa-200604-18.xml
new file mode 100644
index 00000000..b5bc444b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200604-18.xml
@@ -0,0 +1,106 @@
+ + + + + + + Mozilla Suite: Multiple vulnerabilities + + Several vulnerabilities in Mozilla Suite allow attacks ranging from script + execution with elevated privileges to information leaks. + + mozilla + April 28, 2006 + April 28, 2006: 01 + 130887 + remote + + + 1.7.13 + 1.7.13 + + + 1.7.13 + 1.7.13 + + + +

+ The Mozilla Suite is a popular all-in-one web browser that + includes a mail and news reader. +

+
+ +

+ Several vulnerabilities were found in Mozilla Suite. Version + 1.7.13 was released to fix them. +

+
+ +

+ A remote attacker could craft malicious web pages or emails that + would leverage these issues to inject and execute arbitrary script code + with elevated privileges, steal local files, cookies or other + information from web pages or emails, and spoof content. Some of these + vulnerabilities might even be exploited to execute arbitrary code with + the rights of the user running the client. +

+
+ +

+ There are no known workarounds for all the issues at this time. +

+
+ +

+ All Mozilla Suite users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.13" +

+ All Mozilla Suite binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.13" +
+ + CVE-2005-4134 + CVE-2006-0292 + CVE-2006-0293 + CVE-2006-0296 + CVE-2006-0748 + CVE-2006-0749 + CVE-2006-0884 + CVE-2006-1045 + CVE-2006-1727 + CVE-2006-1728 + CVE-2006-1729 + CVE-2006-1730 + CVE-2006-1731 + CVE-2006-1732 + CVE-2006-1733 + CVE-2006-1734 + CVE-2006-1735 + CVE-2006-1736 + CVE-2006-1737 + CVE-2006-1738 + CVE-2006-1739 + CVE-2006-1740 + CVE-2006-1741 + CVE-2006-1742 + CVE-2006-1790 + Mozilla Foundation Security Advisories + + + koon + + + falco + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-01.xml b/xml/htdocs/security/en/glsa/glsa-200605-01.xml
new file mode 100644
index 00000000..a12e053a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200605-01.xml
@@ -0,0 +1,78 @@
+ + + + + + + MPlayer: Heap-based buffer overflow + + MPlayer contains multiple integer overflows that may lead to a heap-based + buffer overflow. + + mplayer mplayer-bin + May 01, 2006 + June 21, 2006: 02 + 127969 + remote + + + 1.0.20060415 + 1.0_pre8 + 1.0.20060415 + + + 1.0.20060415 + 1.0_pre8 + 1.0.20060415 + + + +

+ MPlayer is a media player that supports many multimedia file types. +

+
+ +

+ Xfocus Team discovered multiple integer overflows that may lead to a + heap-based buffer overflow. +

+
+ +

+ An attacker could entice a user to play a specially crafted multimedia + file, potentially resulting in the execution of arbitrary code with the + privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0.20060415" +

+ All MPlayer binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/mplayer-bin-1.0.20060415" +
+ + CVE-2006-1502 + + + koon + + + adir + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-02.xml b/xml/htdocs/security/en/glsa/glsa-200605-02.xml
new file mode 100644
index 00000000..6392eb79
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200605-02.xml
@@ -0,0 +1,62 @@
+ + + + + + + X.Org: Buffer overflow in XRender extension + + A buffer overflow in the XRender extension potentially allows any X.Org + user to execute arbitrary code with elevated privileges. + + X.Org + May 02, 2006 + May 02, 2006: 01 + 130979 + local + + + 6.8.2-r7 + 6.8.2-r7 + + + +

+ X.Org is X.Org Foundation's public implementation of the X Window + System. +

+
+ +

+ X.Org miscalculates the size of a buffer in the XRender extension. +

+
+ +

+ An X.Org user could exploit this issue to make the X server + execute arbitrary code with elevated privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All X.Org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-base/xorg-x11-6.8.2-r7" +
+ + CVE-2006-1526 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-03.xml b/xml/htdocs/security/en/glsa/glsa-200605-03.xml
new file mode 100644
index 00000000..79cfdb80
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200605-03.xml
@@ -0,0 +1,64 @@
+ + + + + + + ClamAV: Buffer overflow in Freshclam + + Freshclam is vulnerable to a buffer overflow that could lead to execution + of arbitrary code. + + clamav + May 02, 2006 + May 02, 2006: 01 + 131791 + remote + + + 0.88.2 + 0.88.2 + + + +

+ ClamAV is a GPL virus scanner. Freshclam is a utility to download + virus signature updates. +

+
+ +

+ Ulf Harnhammar and an anonymous German researcher discovered that + Freshclam fails to check the size of the header data returned by a + webserver. +

+
+ +

+ By enticing a user to connect to a malicious webserver an attacker + could cause the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.88.2" +
+ + CVE-2006-1989 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-04.xml b/xml/htdocs/security/en/glsa/glsa-200605-04.xml
new file mode 100644
index 00000000..97a0b0b8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200605-04.xml
@@ -0,0 +1,70 @@
+ + + + + + + phpWebSite: Local file inclusion + + Remote attackers can include local files which may lead to the execution of + arbitrary code. + + phpwebsite + May 02, 2006 + May 02, 2006: 01 + 130295 + remote + + + 0.10.2 + 0.10.2 + + + +

+ phpWebSite provides a complete web site content management system. +

+
+ +

+ rgod has reported that the "hub_dir" parameter in "index.php" + isn't properly verified. When "magic_quotes_gpc" is disabled, this can + be exploited to include arbitrary files from local ressources. +

+
+ +

+ If "magic_quotes_gpc" is disabled, which is not the default on + Gentoo Linux, a remote attacker could exploit this issue to include and + execute PHP scripts from local ressources with the rights of the user + running the web server, or to disclose sensitive information and + potentially compromise a vulnerable system. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpWebSite users should upgrade to the latest available + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/phpwebsite-0.10.2" +
+ + CVE-2006-1819 + + + falco + + + falco + + + falco + +
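Review bot: The workaround section says `There is no known workaround at this time.`, yet the description and impact both state that the file inclusion is only reachable when "magic_quotes_gpc" is disabled and that it is enabled by default on Gentoo Linux. That is a workaround worth stating explicitly, e.g. `Keep magic_quotes_gpc enabled in php.ini until the upgrade is applied.`, so administrators who cannot upgrade immediately know what configuration mitigates the issue. The description and impact also spell `ressources` twice; the English word is `resources`.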
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-05.xml b/xml/htdocs/security/en/glsa/glsa-200605-05.xml
new file mode 100644
index 00000000..da90b4f2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200605-05.xml
@@ -0,0 +1,71 @@
+ + + + + + + rsync: Potential integer overflow + + An attacker having write access to an rsync module might be able to execute + arbitrary code on an rsync server. + + rsync + May 06, 2006 + May 06, 2006: 01 + 131631 + remote + + + 2.6.8 + 2.6.8 + + + +

+ rsync is a server and client utility that provides fast + incremental file transfers. It is used to efficiently synchronize files + between hosts and is used by emerge to fetch Gentoo's Portage tree. +

+
+ +

+ An integer overflow was found in the receive_xattr function from + the extended attributes patch (xattr.c) for rsync. The vulnerable + function is only present when the "acl" USE flag is set. +

+
+ +

+ A remote attacker with write access to an rsync module could craft + malicious extended attributes which would trigger the integer overflow, + potentially resulting in the execution of arbitrary code with the + rights of the rsync daemon. +

+
+ +

+ Do not provide write access to an rsync module to untrusted + parties. +

+
+ +

+ All rsync users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/rsync-2.6.8" +
+ + CVE-2006-2083 + + + jaervosz + + + koon + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-06.xml b/xml/htdocs/security/en/glsa/glsa-200605-06.xml
new file mode 100644
index 00000000..0e6066b1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200605-06.xml
@@ -0,0 +1,86 @@
+ + + + + + + Mozilla Firefox: Potential remote code execution + + The Mozilla Firefox 1.5 line is vulnerable to a buffer overflow in the + JavaScript extension which may in theory lead to remote execution of + arbitrary code. + + mozilla-firefox + May 06, 2006 + May 06, 2006: 01 + 131138 + remote + + + 1.5.0.3 + 1.5 + 1.5.0.3 + + + 1.5.0.3 + 1.5 + 1.5.0.3 + + + +

+ Mozilla Firefox is the next-generation web browser from the + Mozilla project. +

+
+ +

+ Martijn Wargers and Nick Mott discovered a vulnerability when + rendering malformed JavaScript content. The Mozilla Firefox 1.0 line is + not affected. +

+
+ +

+ If JavaScript is enabled, by tricking a user into visiting a + malicious web page which would send a specially crafted HTML script + that contains references to deleted objects with the "designMode" + property enabled, an attacker can crash the web browser and in theory + manage to execute arbitrary code with the rights of the user running + the browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Firefox 1.5 users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.3" +

+ All Mozilla Firefox 1.5 binary users should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.3" +
+ + CVE-2006-1993 + + + koon + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-07.xml b/xml/htdocs/security/en/glsa/glsa-200605-07.xml
new file mode 100644
index 00000000..6000f193
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200605-07.xml
@@ -0,0 +1,69 @@
+ + + + + + + Nagios: Buffer overflow + + Nagios is vulnerable to a buffer overflow which may lead to remote + execution of arbitrary code. + + nagios + May 07, 2006 + May 25, 2006: 03 + 132159 + 133487 + remote + + + 1.4.1 + 1.4.1 + + + +

+ Nagios is an open source host, service and network monitoring program. +

+
+ +

+ Sebastian Krahmer of the SuSE security team discovered a buffer + overflow vulnerability in the handling of a negative HTTP + Content-Length header. +

+
+ +

+ A buffer overflow in Nagios CGI scripts under certain web servers + allows remote attackers to execute arbitrary code via a negative + content length HTTP header. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Nagios users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/nagios-core-1.4.1" +
+ + CVE-2006-2162 + CVE-2006-2489 + + + koon + + + fox2mike + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-08.xml b/xml/htdocs/security/en/glsa/glsa-200605-08.xml
new file mode 100644
index 00000000..f92c5a32
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200605-08.xml
@@ -0,0 +1,93 @@
+ + + + + + + PHP: Multiple vulnerabilities + + PHP is affected by multiple issues, including a buffer overflow in + wordwrap() which may lead to execution of arbitrary code. + + php + May 08, 2006 + May 15, 2007: 09 + 127939 + 128883 + 131135 + 133524 + remote + + + 5.1.4 + 4.4.2-r2 + 4.4.3-r1 + 4.4.4-r4 + 4.4.6 + 4.4.7 + 5.1.4 + + + 5.1.4-r4 + 4.4.2-r6 + 4.4.3-r1 + 4.4.4-r4 + 4.4.6 + 4.4.7 + 5.1.4-r4 + + + +

+ PHP is a widely-used general-purpose scripting language that is + especially suited for Web development and can be embedded into HTML. +

+
+ +

+ Several vulnerabilities were discovered on PHP4 and PHP5 by Infigo, + Tonu Samuel and Maksymilian Arciemowicz. These included a buffer + overflow in the wordwrap() function, restriction bypasses in the copy() + and tempname() functions, a cross-site scripting issue in the phpinfo() + function, a potential crash in the substr_compare() function and a + memory leak in the non-binary-safe html_entity_decode() function. +

+
+ +

+ Remote attackers might be able to exploit these issues in PHP + applications making use of the affected functions, potentially + resulting in the execution of arbitrary code, Denial of Service, + execution of scripted contents in the context of the affected site, + security bypass or information leak. +

+
+ +

+ There is no known workaround at this point. +

+
+ +

+ All PHP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-lang/php +
+ + CVE-2006-0996 + CVE-2006-1490 + CVE-2006-1990 + CVE-2006-1991 + + + koon + + + fox2mike + + + koon + +
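Review bot: The description names a `tempname()` function, which is not a PHP function; the restriction bypass is presumably in `tempnam()`, and the name should be corrected so readers auditing their code search for the right call. The description also lists five distinct issues against four CVE references, so it would help to say which issue has no identifier, or to mark the mapping in the text. Since the resolution atom `dev-lang/php` carries no version, the unaffected-version table is the only thing telling a reader which slot is fixed; a sentence pointing at it would avoid the impression that the command is incomplete.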
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-09.xml b/xml/htdocs/security/en/glsa/glsa-200605-09.xml new file mode 100644 index 00000000..3db3961b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200605-09.xml @@ -0,0 +1,106 @@ + + + + + + + Mozilla Thunderbird: Multiple vulnerabilities + + Several vulnerabilities in Mozilla Thunderbird allow attacks ranging from + script execution with elevated privileges to information leaks. + + mozilla-thunderbird + May 08, 2006 + May 08, 2006: 01 + 130888 + remote + + + 1.0.8 + 1.0.8 + + + 1.0.8 + 1.0.8 + + + +

+ Mozilla Thunderbird is the next-generation mail client from the + Mozilla project. +

+
+ +

+ Several vulnerabilities were found and fixed in Mozilla + Thunderbird. +

+
+ +

+ A remote attacker could craft malicious emails that would leverage + these issues to inject and execute arbitrary script code with elevated + privileges, steal local files or other information from emails, and + spoof content. Some of these vulnerabilities might even be exploited to + execute arbitrary code with the rights of the user running Thunderbird. +

+
+ +

+ There are no known workarounds for all the issues at this time. +

+
+ +

+ All Mozilla Thunderbird users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.0.8" +

+ All Mozilla Thunderbird binary users should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.0.8" +

+ Note: There is no stable fixed version for the ALPHA + architecture yet. Users of Mozilla Thunderbird on ALPHA should consider + unmerging it until such a version is available. +

+
+ + CVE-2006-0292 + CVE-2006-0296 + CVE-2006-0748 + CVE-2006-0749 + CVE-2006-0884 + CVE-2006-1045 + CVE-2006-1727 + CVE-2006-1728 + CVE-2006-1730 + CVE-2006-1731 + CVE-2006-1732 + CVE-2006-1733 + CVE-2006-1734 + CVE-2006-1735 + CVE-2006-1737 + CVE-2006-1738 + CVE-2006-1739 + CVE-2006-1741 + CVE-2006-1742 + CVE-2006-1790 + Mozilla Foundation Security Advisories + + + koon + + + falco + + + koon + +
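Review bot: The description "Several vulnerabilities were found and fixed in Mozilla Thunderbird" gives a reader nothing to act on; the companion Firefox advisory in this same commit adds "For details please consult the references below.", and this one should match. The workaround sentence "There are no known workarounds for all the issues" implies partial workarounds exist but lists none; either name them (for instance the ones that only apply with JavaScript enabled for mail, if that is what is meant) or use the plain "There is no known workaround at this time." used elsewhere.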
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-10.xml b/xml/htdocs/security/en/glsa/glsa-200605-10.xml new file mode 100644 index 00000000..44a9990a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200605-10.xml @@ -0,0 +1,67 @@ + + + + + + + pdnsd: Denial of Service and potential arbitrary code execution + + pdnsd is vulnerable to a buffer overflow that may result in arbitrary code + execution. + + pdnsd + May 10, 2006 + May 10, 2006: 01 + 131341 + remote + + + 1.2.4 + 1.2.4 + + + +

+ pdnsd is a proxy DNS server with permanent caching that is + designed to cope with unreachable DNS servers. +

+
+ +

+ The pdnsd team has discovered an unspecified buffer overflow + vulnerability. The PROTOS DNS Test Suite, by the Oulu University Secure + Programming Group (OUSPG), has also revealed a memory leak error within + the handling of the QTYPE and QCLASS DNS queries, leading to + consumption of large amounts of memory. +

+
+ +

+ An attacker can craft malicious DNS queries leading to a Denial of + Service, and potentially the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All pdnsd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/pdnsd-1.2.4-r1" +
+ + CVE-2006-2076 + CVE-2006-2077 + + + koon + + + falco + +
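Review bot: The unaffected version in the header (`1.2.4`) does not match the resolution atom `>=net-dns/pdnsd-1.2.4-r1`; if 1.2.4-r1 is the ebuild carrying the fix, the header should read `1.2.4-r1`, otherwise the atom should be `>=net-dns/pdnsd-1.2.4`. Automated tooling that compares installed versions against the header will give the wrong answer for systems on plain 1.2.4 as long as the two disagree.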
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-11.xml b/xml/htdocs/security/en/glsa/glsa-200605-11.xml new file mode 100644 index 00000000..aadf572e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200605-11.xml @@ -0,0 +1,63 @@ + + + + + + + Ruby: Denial of Service + + Ruby WEBrick and XMLRPC servers are vulnerable to Denial of Service. + + ruby + May 10, 2006 + May 10, 2006: 01 + 130657 + remote + + + 1.8.4-r1 + 1.8.4-r1 + + + +

+ Ruby is an interpreted scripting language for quick and easy + object-oriented programming. It comes bundled with HTTP ("WEBrick") and + XMLRPC server objects. +

+
+ +

+ Ruby uses blocking sockets for WEBrick and XMLRPC servers. +

+
+ +

+ An attacker could send large amounts of data to an affected server + to block the socket and thus deny other connections to the server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ruby users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.4-r1" +
+ + CVE-2006-1931 + Ruby release announcement + + + frilled + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-12.xml b/xml/htdocs/security/en/glsa/glsa-200605-12.xml new file mode 100644 index 00000000..415d3271 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200605-12.xml @@ -0,0 +1,87 @@ + + + + + + + Quake 3 engine based games: Buffer Overflow + + The Quake 3 engine has a vulnerability that could be exploited to execute + arbitrary code. + + quake + May 10, 2006 + May 10, 2006: 01 + 132377 + remote + + + 1.32c + 1.32c + + + 1.41b + 1.41b + + + 2.60b + 2.60b + + + +

+ Quake 3 is a multiplayer first person shooter. +

+
+ +

+ landser discovered a vulnerability within the "remapShader" + command. Due to a boundary handling error in "remapShader", there is a + possibility of a buffer overflow. +

+
+ +

+ An attacker could set up a malicious game server and entice users + to connect to it, potentially resulting in the execution of arbitrary + code with the rights of the game user. +

+
+ +

+ Do not connect to untrusted game servers. +

+
+ +

+ All Quake 3 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-fps/quake3-bin-1.32c" +

+ All RTCW users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-fps/rtcw-1.41b" +

+ All Enemy Territory users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-fps/enemy-territory-2.60b" +
+ + CVE-2006-2236 + + + koon + + + koon + + + fox2mike + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-13.xml b/xml/htdocs/security/en/glsa/glsa-200605-13.xml new file mode 100644 index 00000000..e60591d5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200605-13.xml @@ -0,0 +1,77 @@ + + + + + + + MySQL: Information leakage + + A MySQL server may leak information to unauthorized users. + + MySQL + May 11, 2006 + May 15, 2006: 04 + 132146 + remote + + + 4.1.19 + 4.0.27 + 4.1.19 + + + +

+ MySQL is a popular multi-threaded, multi-user SQL database server. +

+
+ +

+ The processing of the COM_TABLE_DUMP command by a MySQL server fails to + properly validate packets that arrive from the client via a network + socket. +

+
+ +

+ By crafting specific malicious packets an attacker could gather + confidential information from the memory of a MySQL server process, for + example results of queries by other users or applications. By using PHP + code injection or similar techniques it would be possible to exploit + this flaw through web applications that use MySQL as a database + backend. +

+

+ Note that on 5.x versions it is possible to overwrite the stack and + execute arbitrary code with this technique. Users of MySQL 5.x are + urged to upgrade to the latest available version. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MySQL users should upgrade to the latest version. +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mysql-4.0.27" +
+ + Original advisory + CVE-2006-1516 + CVE-2006-1517 + + + koon + + + frilled + + + koon + +
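Review bot: The impact section urges MySQL 5.x users to upgrade because the flaw allows code execution there, but the resolution atom `>=dev-db/mysql-4.0.27` is already satisfied by any installed 5.0.x, so a 5.x user following the command gets no change. Either state the fixed 5.x version in both the unaffected list and the resolution, or say explicitly that 5.x is not covered by this advisory's version table and point those users at the vendor release. As written, the most severe case is the one the resolution does not address.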
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-14.xml b/xml/htdocs/security/en/glsa/glsa-200605-14.xml new file mode 100644 index 00000000..fcf34742 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200605-14.xml @@ -0,0 +1,71 @@ + + + + + + + libextractor: Two heap-based buffer overflows + + libextractor is vulnerable to two heap overflow vulnerabilities which could + lead to the execution of arbitrary code. + + libextractor + May 21, 2006 + May 21, 2006: 01 + 133570 + remote + + + 0.5.14 + 0.5.14 + + + +

+ libextractor is a library used to extract metadata from arbitrary + files. +

+
+ +

+ Luigi Auriemma has found two heap-based buffer overflows in + libextractor 0.5.13 and earlier: one of them occurs in the + asf_read_header function in the ASF plugin, and the other occurs in the + parse_trak_atom function in the Qt plugin. +

+
+ +

+ By enticing a user to open a malformed file using an application + that employs libextractor and its ASF or Qt plugins, an attacker could + execute arbitrary code in the context of the application running the + affected library. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libextractor users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libextractor-0.5.14" +
+ + CVE-2006-2458 + Original advisory + + + DerCorny + + + DerCorny + + + falco + +
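Review bot: "Qt plugin" in the description is ambiguous because readers may take it as the Qt toolkit; `parse_trak_atom` handles a `trak` atom, which suggests the QuickTime container plugin, so spelling it out as "the QuickTime (qt) plugin" would remove the confusion (confirm against the upstream plugin name). Because libextractor is a shared library, the resolution should also remind users that applications already running with the old library loaded keep the vulnerable code until they are restarted.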
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-15.xml b/xml/htdocs/security/en/glsa/glsa-200605-15.xml new file mode 100644 index 00000000..1e373d9f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200605-15.xml @@ -0,0 +1,77 @@ + + + + + + + Quagga Routing Suite: Multiple vulnerabilities + + Quagga's RIP daemon allows the injection of routes and the disclosure of + routing information. The BGP daemon is vulnerable to a Denial of Service. + + quagga + May 21, 2006 + May 21, 2006: 01 + 132353 + remote + + + 0.98.6-r1 + 0.98.6-r1 + + + +

+ The Quagga Routing Suite implements three major routing protocols: + RIP (v1/v2/v3), OSPF (v2/v3) and BGP4. +

+
+ +

+ Konstantin V. Gavrilenko discovered two flaws in the Routing + Information Protocol (RIP) daemon that allow the processing of RIP v1 + packets (carrying no authentication) even when the daemon is configured + to use MD5 authentication or, in another case, even if RIP v1 is + completely disabled. Additionally, Fredrik Widell reported that the + Border Gateway Protocol (BGP) daemon contains a flaw that makes it lock + up and use all available CPU when a specific command is issued from the + telnet interface. +

+
+ +

+ By sending RIP v1 response packets, an unauthenticated attacker + can alter the routing table of a router running Quagga's RIP daemon and + disclose routing information. Additionally, it is possible to lock up + the BGP daemon from the telnet interface. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Quagga users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/quagga-0.98.6-r1" +
+ + CVE-2006-2223 + CVE-2006-2224 + CVE-2006-2276 + Official release information + + + jaervosz + + + koon + + + frilled + +
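Review bot: The workaround section says none is known, yet the BGP lock-up is triggered only "from the telnet interface", so restricting who can reach the vty (binding it locally, filtering the port and requiring the vty password) is a real mitigation for that issue and should be listed, with the caveat that it does nothing for the RIP flaws. For the RIP side it is worth stating plainly that the RIPv1 acceptance defeats the configured MD5 authentication, so operators who relied on that authentication should treat routes learned over RIP as untrusted until the upgrade is in place.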
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-16.xml b/xml/htdocs/security/en/glsa/glsa-200605-16.xml new file mode 100644 index 00000000..9c84ba1c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200605-16.xml @@ -0,0 +1,66 @@ + + + + + + + CherryPy: Directory traversal vulnerability + + CherryPy is vulnerable to a directory traversal that could allow attackers + to read arbitrary files. + + cherrypy + May 30, 2006 + May 30, 2006: 01 + 134273 + remote + + + 2.1.1 + 2.1.1 + + + +

+ CherryPy is a Python-based, object-oriented web development + framework. +

+
+ +

+ Ivo van der Wijk discovered that the "staticfilter" component of + CherryPy fails to sanitize input correctly. +

+
+ +

+ An attacker could exploit this flaw to obtain arbitrary files from + the web server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CherryPy users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/cherrypy-2.1.1" +
+ + CVE-2006-0847 + + + DerCorny + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200605-17.xml b/xml/htdocs/security/en/glsa/glsa-200605-17.xml new file mode 100644 index 00000000..234d0058 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200605-17.xml @@ -0,0 +1,66 @@ + + + + + + + libTIFF: Multiple vulnerabilities + + Multiple vulnerabilities in libTIFF could lead to the execution of + arbitrary code or a Denial of Service. + + libtiff + May 30, 2006 + May 30, 2006: 01 + 129675 + remote + + + 3.8.1 + 3.8.1 + + + +

+ libTIFF provides support for reading and manipulating TIFF images. +

+
+ +

+ Multiple vulnerabilities, ranging from integer overflows and NULL + pointer dereferences to double frees, were reported in libTIFF. +

+
+ +

+ An attacker could exploit these vulnerabilities by enticing a user + to open a specially crafted TIFF image, possibly leading to the + execution of arbitrary code or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libTIFF users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/tiff-3.8.1" +
+ + CVE-2006-0405 + CVE-2006-2024 + CVE-2006-2025 + CVE-2006-2026 + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-01.xml b/xml/htdocs/security/en/glsa/glsa-200606-01.xml new file mode 100644 index 00000000..ede050cf --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-01.xml @@ -0,0 +1,67 @@ + + + + + + + Opera: Buffer overflow + + Opera contains an integer signedness error resulting in a buffer overflow + which may allow a remote attacker to execute arbitrary code. + + opera + June 07, 2006 + June 07, 2006: 01 + 129800 + remote + + + 8.54 + 8.54 + + + +

+ Opera is a multi-platform web browser. +

+
+ +

+ SEC Consult has discovered a buffer overflow in the code + processing style sheet attributes. It is caused by an integer + signedness error in a length check followed by a call to a string + function. It seems to be hard to exploit this buffer overflow to + execute arbitrary code because of the very large amount memory that has + to be copied. +

+
+ +

+ A remote attacker can entice a user to visit a web page containing + a specially crafted style sheet attribute that will crash the user's + browser and maybe lead to the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Opera users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/opera-8.54" +
+ + CVE-2006-1834 + + + falco + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-02.xml b/xml/htdocs/security/en/glsa/glsa-200606-02.xml new file mode 100644 index 00000000..1543add1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-02.xml @@ -0,0 +1,69 @@ + + + + + + + shadow: Privilege escalation + + A security issue in shadow allows a local user to perform certain actions + with escalated privileges. + + shadow + June 07, 2006 + June 07, 2006: 01 + 133615 + local + + + 4.0.15-r2 + 4.0.15-r2 + + + +

+ shadow provides a set of utilities to deal with user accounts. +

+
+ +

+ When the mailbox is created in useradd, the "open()" function does + not receive the three arguments it expects while O_CREAT is present, + which leads to random permissions on the created file, before fchmod() + is executed. +

+
+ +

+ Depending on the random permissions given to the mailbox file + which is at this time owned by root, a local user may be able to open + this file for reading or writing, or even executing it, maybe as the + root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All shadow users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.0.15-r2" +
+ + CVE-2006-1174 + + + falco + + + falco + + + falco + +
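Review bot: The description should make the exposure window explicit: the file is created with uncontrolled mode bits and only corrected by the later `fchmod()`, so the attacker must act between the two calls, and only while `useradd` is actually creating a mailbox. That also suggests a workaround the section currently omits: if mail spool creation in `useradd` can be turned off in its configuration, doing so removes the vulnerable code path until the upgrade (confirm the option name for the shipped version). The impact sentence "maybe as the root user" would be clearer if it said the random mode bits may include the setuid bit, which is the only way execution as root follows from the flaw as described.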
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-03.xml b/xml/htdocs/security/en/glsa/glsa-200606-03.xml new file mode 100644 index 00000000..4ef79010 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-03.xml @@ -0,0 +1,68 @@ + + + + + + + Dia: Format string vulnerabilities + + Format string vulnerabilities in Dia may lead to the execution of arbitrary + code. + + dia + June 07, 2006 + June 07, 2006: 01 + 133699 + remote + + + 0.95.1 + 0.95.1 + + + +

+ Dia is a GTK+ based diagram creation program. +

+
+ +

+ KaDaL-X discovered a format string error within the handling of + filenames. Hans de Goede also discovered several other format + string errors in the processing of dia files. +

+
+ +

+ By enticing a user to open a specially crafted file, a remote + attacker could exploit these vulnerabilities to execute arbitrary code + with the rights of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Dia users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/dia-0.95.1" +
+ + CVE-2006-2453 + CVE-2006-2480 + + + DerCorny + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-04.xml b/xml/htdocs/security/en/glsa/glsa-200606-04.xml new file mode 100644 index 00000000..363852dd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-04.xml @@ -0,0 +1,72 @@ + + + + + + + Tor: Several vulnerabilities + + Tor is vulnerable to a possible buffer overflow, a Denial of Service, + information disclosure and information leak. + + tor + June 07, 2006 + September 05, 2006: 02 + 134329 + remote + + + 0.1.1.20 + 0.1.0.18 + 0.1.1.20 + + + +

+ Tor is an implementation of second generation Onion Routing, a + connection-oriented anonymizing communication service. +

+
+ +

+ Some integer overflows exist when adding elements to the smartlists. + Non-printable characters received from the network are not properly + sanitised before being logged. There are additional unspecified bugs in + the directory server and in the internal circuits. +

+
+ +

+ The possible buffer overflow may allow a remote attacker to execute + arbitrary code on the server by sending large inputs. The other + vulnerabilities can lead to a Denial of Service, a lack of logged + information, or some information disclosure. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Tor users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose net-misc/tor +
+ + CVE-2006-0414 + Tor ChangeLog + + + falco + + + falco + + + falco + +
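Review bot: Four distinct issues are described (the smartlist integer overflows, unsanitised log input, and unspecified directory-server and circuit bugs) but only CVE-2006-0414 is referenced; the text should say which issue that identifier covers, and that the others have none, so readers do not assume one CVE spans all four. The unversioned resolution atom `net-misc/tor` is presumably deliberate because two unaffected versions (0.1.0.18 and 0.1.1.20) are listed for two branches; a short sentence saying so would stop it reading as an omission.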
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-05.xml b/xml/htdocs/security/en/glsa/glsa-200606-05.xml new file mode 100644 index 00000000..04c5f30c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-05.xml @@ -0,0 +1,71 @@ + + + + + + + Pound: HTTP request smuggling + + Pound is vulnerable to HTTP request smuggling, which could be exploited to + bypass security restrictions or poison web caches. + + pound + June 07, 2006 + November 24, 2006: 03 + 118541 + remote + + + 2.0.5 + 1.10 + 1.9.4 + 2.0.5 + + + +

+ Pound is a reverse proxy, load balancer and HTTPS front-end. It allows + to distribute the load on several web servers and offers a SSL wrapper + for web servers that do not support SSL directly. +

+
+ +

+ Pound fails to handle HTTP requests with conflicting "Content-Length" + and "Transfer-Encoding" headers correctly. +

+
+ +

+ An attacker could exploit this vulnerability by sending HTTP requests + with specially crafted "Content-Length" and "Transfer-Encoding" headers + to bypass certain security restrictions or to poison the web proxy + cache. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Pound users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose www-servers/pound +
+ + CVE-2005-3751 + + + DerCorny + + + koon + + + DerCorny + +
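Review bot: The impact section speaks of poisoning "the web proxy cache", but the description presents Pound as a reverse proxy, load balancer and HTTPS front-end with no caching of its own; the cache at risk is a separate caching proxy elsewhere in the request path, and the sentence should say so to avoid implying Pound stores responses. It would also help to state that request smuggling depends on Pound and the backend disagreeing about request boundaries, so the practical impact varies with the backend servers behind it.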
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-06.xml b/xml/htdocs/security/en/glsa/glsa-200606-06.xml new file mode 100644 index 00000000..37face06 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-06.xml @@ -0,0 +1,75 @@ + + + + + + + AWStats: Remote execution of arbitrary code + + AWStats contains a bug in the sanitization of the input parameters which + can lead to the remote execution of arbitrary code. + + awstats + June 07, 2006 + May 28, 2009: 02 + 130487 + remote + + + 6.5-r1 + 6.5-r1 + + + +

+ AWStats is an advanced log file analyzer and statistics generator. +

+
+ +

+ Hendrik Weimer has found that if updating the statistics via the + web frontend is enabled, it is possible to inject arbitrary code via a + pipe character in the "migrate" parameter. Additionally, r0t has + discovered that AWStats fails to properly sanitize user-supplied input + in awstats.pl. +

+
+ +

+ A remote attacker can execute arbitrary code on the server in the + context of the application running the AWStats CGI script if updating + of the statistics via web frontend is allowed. Nonetheless, all + configurations are affected by a cross-site scripting vulnerability in + awstats.pl, allowing a remote attacker to execute arbitrary scripts + running in the context of the victim's browser. +

+
+ +

+ Disable statistics updates using the web frontend to avoid code + injection. However, there is no known workaround at this time + concerning the cross-site scripting vulnerability. +

+
+ +

+ All AWStats users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-misc/awstats-6.5-r1" +
+ + CVE-2006-1945 + CVE-2006-2237 + + + koon + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-07.xml b/xml/htdocs/security/en/glsa/glsa-200606-07.xml new file mode 100644 index 00000000..a73245ac --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-07.xml @@ -0,0 +1,67 @@ + + + + + + + Vixie Cron: Privilege Escalation + + Vixie Cron allows local users to execute programs as root. + + vixie-cron + June 09, 2006 + June 09, 2006: 01 + 134194 + local + + + 4.1-r9 + 4.1-r9 + + + +

+ Vixie Cron is a command scheduler with extended syntax over cron. +

+
+ +

+ Roman Veretelnikov discovered that Vixie Cron fails to properly + check whether it can drop privileges accordingly if setuid() in + do_command.c fails due to a user exceeding assigned resource limits. +

+
+ +

+ Local users can execute code with root privileges by deliberately + exceeding their assigned resource limits and then starting a command + through Vixie Cron. This requires resource limits to be in place on the + machine. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Vixie Cron users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-process/vixie-cron-4.1-r9" +
+ + CVE-2006-2607 + + + jaervosz + + + frilled + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-08.xml b/xml/htdocs/security/en/glsa/glsa-200606-08.xml new file mode 100644 index 00000000..d31b3c4c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-08.xml @@ -0,0 +1,64 @@ + + + + + + + WordPress: Arbitrary command execution + + WordPress fails to sufficiently check the format of cached username data. + + wordpress + June 09, 2006 + June 10, 2006: 02 + 134397 + remote + + + 2.0.3 + 2.0.3 + + + +

+ WordPress is a PHP and MySQL based content management and publishing + system. +

+
+ +

+ rgod discovered that WordPress insufficiently checks the format of + cached username data. +

+
+ +

+ An attacker could exploit this vulnerability to execute arbitrary + commands by sending a specially crafted username. As of Wordpress 2.0.2 + the user data cache is disabled by default. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All WordPress users should upgrade to the latest available version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/wordpress-2.0.3" +
+ + CVE-2006-2667 + CVE-2006-2702 + + + jaervosz + + + jaervosz + +
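Review bot: The impact section notes that the user data cache is disabled by default as of 2.0.2, which means disabling that cache is a workaround for installations that turned it on, yet the workaround section says none is known; the two should agree. Two CVE identifiers are referenced for what the text describes as one issue, so the description should either name the second issue or say which identifier is the primary one. "Execute arbitrary commands" would be more precise as "execute arbitrary PHP code", if that is what injection into cached username data yields — confirm against the referenced reports.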
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-09.xml b/xml/htdocs/security/en/glsa/glsa-200606-09.xml new file mode 100644 index 00000000..fcf802d9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-09.xml @@ -0,0 +1,69 @@ + + + + + + + SpamAssassin: Execution of arbitrary code + + SpamAssassin, when running with certain options, could allow local or even + remote attackers to execute arbitrary commands, possibly as the root user. + + Spamassassin + June 11, 2006 + June 11, 2006: 01 + 135746 + remote + + + 3.1.3 + 3.1.3 + + + +

+ SpamAssassin is an extensible email filter used to identify junk + email. spamd is the daemonized version of SpamAssassin. +

+
+ +

+ When spamd is run with both the "--vpopmail" (-v) and + "--paranoid" (-P) options, it is vulnerable to an unspecified issue. +

+
+ +

+ With certain configuration options, a local or even remote + attacker could execute arbitrary code with the rights of the user + running spamd, which is root by default, by sending a crafted message + to the spamd daemon. Furthermore, the attack can be remotely + performed if the "--allowed-ips" (-A) option is present and specifies + non-local adresses. Note that Gentoo Linux is not vulnerable in the + default configuration. +

+
+ +

+ Don't use both the "--paranoid" (-P) and the "--vpopmail" (-v) + options. +

+
+ +

+ All SpamAssassin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-filter/spamassassin-3.1.3" +
+ + CVE-2006-2447 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-10.xml b/xml/htdocs/security/en/glsa/glsa-200606-10.xml new file mode 100644 index 00000000..9f45d54d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-10.xml @@ -0,0 +1,66 @@ + + + + + + + Cscope: Many buffer overflows + + Cscope is vulnerable to multiple buffer overflows that could lead to the + execution of arbitrary code. + + Cscope + June 11, 2006 + June 11, 2006: 01 + 133829 + remote + + + 15.5-r6 + 15.5-r6 + + + +

+ Cscope is a developer's tool for browsing source code. +

+
+ +

+ Cscope does not verify the length of file names sourced in + #include statements. +

+
+ +

+ A user could be enticed to source a carefully crafted file which + will allow the attacker to execute arbitrary code with the permissions + of the user running Cscope. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cscope users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/cscope-15.5-r6" +
+ + CVE-2004-2541 + + + falco + + + falco + + + dizzutch + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-11.xml b/xml/htdocs/security/en/glsa/glsa-200606-11.xml new file mode 100644 index 00000000..a6625695 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-11.xml @@ -0,0 +1,66 @@ + + + + + + + JPEG library: Denial of Service + + The JPEG library is vulnerable to a Denial of Service. + + jpeg + June 11, 2006 + July 29, 2006: 02 + 130889 + remote + + + 6b-r7 + 6b-r7 + + + +

+ The JPEG library is able to load, handle and manipulate images in the + JPEG format. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Auditing Team discovered that the + vulnerable JPEG library ebuilds compile JPEG without the --maxmem + feature which is not recommended. +

+
+ +

+ By enticing a user to load a specially crafted JPEG image file an + attacker could cause a Denial of Service, due to memory exhaustion. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ JPEG users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/jpeg-6b-r7" +
+ + CVE-2006-3005 + + + falco + + + falco + + + daxomatic + +
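Review bot: The description should state plainly that this is a Gentoo packaging issue rather than an upstream flaw: the ebuild built the library without a memory ceiling, so a crafted image can make it request unbounded memory; "which is not recommended" does not tell the reader why the missing option matters. Because this is a shared library, the resolution should also note that applications already running keep the old build loaded until restarted, and that the denial of service affects whatever process decodes the image, not the library as such.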
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-12.xml b/xml/htdocs/security/en/glsa/glsa-200606-12.xml new file mode 100644 index 00000000..07b79414 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-12.xml @@ -0,0 +1,95 @@ + + + + + + + Mozilla Firefox: Multiple vulnerabilities + + Vulnerabilities in Mozilla Firefox allow privilege escalations for + JavaScript code, cross site scripting attacks, HTTP response smuggling and + possibly the execution of arbitrary code. + + mozilla-firefox + June 11, 2006 + June 11, 2006: 01 + 135254 + remote + + + 1.5.0.4 + 1.5.0.4 + + + 1.5.0.4 + 1.5.0.4 + + + +

+ Mozilla Firefox is the next-generation web browser from the + Mozilla project. +

+
+ +

+ A number of vulnerabilities were found and fixed in Mozilla + Firefox. For details please consult the references below. +

+
+ +

+ By enticing the user to visit a malicious website, a remote + attacker can inject arbitrary HTML and JavaScript Code into the user's + browser, execute JavaScript code with elevated privileges and possibly + execute arbitrary code with the permissions of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.4" +

+ All Mozilla Firefox binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.4" +

+ Note: There is no stable fixed version for the Alpha + architecture yet. Users of Mozilla Firefox on Alpha should consider + unmerging it until such a version is available. +

+
+ + CVE-2006-2775 + CVE-2006-2776 + CVE-2006-2777 + CVE-2006-2778 + CVE-2006-2779 + CVE-2006-2780 + CVE-2006-2782 + CVE-2006-2783 + CVE-2006-2784 + CVE-2006-2785 + CVE-2006-2786 + CVE-2006-2787 + Mozilla Foundation Security Advisories + + + frilled + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-13.xml b/xml/htdocs/security/en/glsa/glsa-200606-13.xml new file mode 100644 index 00000000..e265d122 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-13.xml @@ -0,0 +1,74 @@ + + + + + + + MySQL: SQL Injection + + MySQL is vulnerable to an SQL Injection flaw in the multi-byte encoding + process. + + MySQL + June 11, 2006 + December 13, 2006: 04 + 135076 + remote + + + 5.0.22 + 4.1.20 + 4.1.21 + 4.1.22 + 4.1 + 5.0.22 + + + +

+ MySQL is a popular multi-threaded, multi-user SQL server. +

+
+ +

+ MySQL is vulnerable to an injection flaw in mysql_real_escape() when + used with multi-byte characters. +

+
+ +

+ Due to a flaw in the multi-byte character process, an attacker is still + able to inject arbitary SQL statements into the MySQL server for + execution. +

+
+ +

+ There are a few workarounds available: NO_BACKSLASH_ESCAPES mode as a + workaround for a bug in mysql_real_escape_string(): SET + sql_mode='NO_BACKSLASH_ESCAPES'; SET GLOBAL + sql_mode='NO_BACKSLASH_ESCAPES'; and server command line options: + --sql-mode=NO_BACKSLASH_ESCAPES. +

+
+ +

+ All MySQL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mysql-4.1.20" +
+ + CVE-2006-2753 + + + falco + + + falco + + + daxomatic + +
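Review bot: The description refers to `mysql_real_escape()` while the workaround section names `mysql_real_escape_string()`; the latter is the actual API, and the description should use it so the two sections agree. "arbitary" in the impact section is a typo for "arbitrary". The NO_BACKSLASH_ESCAPES workaround changes string-literal parsing for every client of that server, so it should carry a caveat that applications which build queries with backslash escaping must be checked before it is enabled globally, otherwise the mitigation can itself alter how quotes are interpreted.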
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-14.xml b/xml/htdocs/security/en/glsa/glsa-200606-14.xml new file mode 100644 index 00000000..1b3e55cf --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200606-14.xml @@ -0,0 +1,66 @@ + + + + + + + GDM: Privilege escalation + + An authentication error in GDM could allow users to gain elevated + privileges. + + gdm + June 12, 2006 + June 19, 2006: 02 + 135027 + local + + + 2.8.0.8 + 2.8.0.8 + + + +

+ GDM is the GNOME display manager. +

+
+ +

+ GDM allows a normal user to access the configuration manager. +

+
+ +

+ When the "face browser" in GDM is enabled, a normal user can use the + "configure login manager" with his/her own password instead of the root + password, and thus gain additional privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GDM users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=gnome-base/gdm-2.8.0.8" +
+
+ Gnome Bugzilla entry
+ CVE-2006-2452
+
+
+ falco
+
+
+ daxomatic
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-15.xml b/xml/htdocs/security/en/glsa/glsa-200606-15.xml
new file mode 100644
index 00000000..da2668f8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-15.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Asterisk: IAX2 video frame buffer overflow
+
+ Asterisk contains a bug in the IAX2 channel driver making it vulnerable to
+ the remote execution of arbitrary code.
+
+ asterisk
+ June 14, 2006
+ June 14, 2006: 01
+ 135680
+ remote
+
+
+ 1.0.11_p1
+ 1.0.11_p1
+
+
+
+

+ Asterisk is an open source implementation of a telephone private branch + exchange (PBX). +

+
+ +

+ Asterisk fails to properly check the length of truncated video frames + in the IAX2 channel driver which results in a buffer overflow. +

+
+ +

+ An attacker could exploit this vulnerability by sending a specially + crafted IAX2 video stream resulting in the execution of arbitrary code + with the permissions of the user running Asterisk. +

+
+ +

+ Disable public IAX2 support. +

+
+ +

+ All Asterisk users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.0.11_p1" +
+
+ CVE-2006-2898
+ Corelabs Asterisk PBX truncated video frame vulnerability advisory
+
+
+ falco
+
+
+ jaervosz
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-16.xml b/xml/htdocs/security/en/glsa/glsa-200606-16.xml
new file mode 100644
index 00000000..bee8cf41
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-16.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ DokuWiki: PHP code injection
+
+ A flaw in DokuWiki's spell checker allows for the execution of arbitrary
+ PHP commands, even without proper authentication.
+
+ DokuWiki
+ June 14, 2006
+ June 14, 2006: 01
+ 135623
+ remote
+
+
+ 20060309-r1
+ 20060309-r1
+
+
+
+

+ DokuWiki is a simple to use wiki targeted at developer teams, + workgroups and small companies. +

+
+ +

+ Stefan Esser discovered that the DokuWiki spell checker fails to + properly sanitize PHP's "complex curly syntax". +

+
+ +

+ A unauthenticated remote attacker may execute arbitrary PHP commands - + and thus possibly arbitrary system commands - with the permissions of + the user running the webserver that serves DokuWiki pages. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All DokuWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20060309-r1" +
+
+ Hardened-PHP advisory
+ CVE-2006-2878
+
+
+ falco
+
+
+ frilled
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-17.xml b/xml/htdocs/security/en/glsa/glsa-200606-17.xml
new file mode 100644
index 00000000..02a04399
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-17.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ OpenLDAP: Buffer overflow
+
+ The OpenLDAP replication server slurpd contains a buffer overflow that
+ could result in arbitrary code execution.
+
+ net-nds/openldap
+ June 15, 2006
+ June 15, 2006: 01
+ 134010
+ local
+
+
+ 2.3.22
+ 2.3.22
+
+
+
+

+ OpenLDAP is a suite of LDAP-related applications and development tools. + It includes slapd (the standalone LDAP server), slurpd (the standalone + LDAP replication server), various LDAP libraries, utilities and example + clients. +

+
+ +

+ slurpd contains a buffer overflow when reading very long hostnames from + the status file. +

+
+ +

+ By injecting an overly long hostname in the status file, an attacker + could possibly cause the execution of arbitrary code with the + permissions of the user running slurpd. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All openLDAP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-nds/openldap-2.3.22" +
+
+ CVE-2006-2754
+
+
+ falco
+
+
+ jaervosz
+
+
+ SeJo
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-18.xml b/xml/htdocs/security/en/glsa/glsa-200606-18.xml
new file mode 100644
index 00000000..4b749fa9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-18.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ PAM-MySQL: Multiple vulnerabilities
+
+ Vulnerabilities in PAM-MySQL can lead to a Denial of Service, making it
+ impossible to log into a machine.
+
+ pam_mysql
+ June 15, 2006
+ July 29, 2006: 02
+ 120842
+ local
+
+
+ 0.7_rc1
+ 0.7_rc1
+
+
+
+

+ PAM-MySQL is a PAM module used to authenticate users against a MySQL + backend. +

+
+ +

+ A flaw in handling the result of pam_get_item() as well as further + unspecified flaws were discovered in PAM-MySQL. +

+
+ +

+ By exploiting the mentioned flaws an attacker can cause a Denial of + Service and thus prevent users that authenticate against PAM-MySQL from + logging into a machine. There is also a possible additional attack + vector with more malicious impact that has not been confirmed yet. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PAM-MySQL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-auth/pam_mysql-0.7_rc1" +
+
+ Official release information
+ CVE-2005-4713
+ CVE-2006-0056
+
+
+ falco
+
+
+ falco
+
+
+ frilled
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-19.xml b/xml/htdocs/security/en/glsa/glsa-200606-19.xml
new file mode 100644
index 00000000..fd378d39
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-19.xml
@@ -0,0 +1,75 @@
+
+
+
+
+
+
+ Sendmail: Denial of Service
+
+ Faulty multipart MIME messages can cause forked Sendmail processes to
+ crash.
+
+ sendmail
+ June 15, 2006
+ June 15, 2006: 01
+ 135141
+ remote
+
+
+ 8.13.6-r1
+ 8.13.6-r1
+
+
+
+

+ Sendmail is a popular mail transfer agent (MTA). +

+
+ +

+ Frank Sheiness discovered that the mime8to7() function can recurse + endlessly during the decoding of multipart MIME messages until the + stack of the process is filled and the process crashes. +

+
+ +

+ By sending specially crafted multipart MIME messages, a remote + attacker can cause a subprocess forked by Sendmail to crash. If + Sendmail is not set to use a randomized queue processing, the attack + will effectively halt the delivery of queued mails as well as the + malformed one, incoming mail delivered interactively is not affected. + Additionally, on systems where core dumps with an individual naming + scheme (like "core.pid") are enabled, a filesystem may fill up with + core dumps. Core dumps are disabled by default in Gentoo. +

+
+ +

+ The Sendmail 8.13.7 release information offers some workarounds, please + see the Reference below. Note that the issue has actually been fixed in + the 8.13.6-r1 ebuild. +

+
+ +

+ All Sendmail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-mta/sendmail-8.13.6-r1" +
+
+ CVE-2006-1173
+ Sendmail 8.13.7 release information
+
+
+ jaervosz
+
+
+ frilled
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-20.xml b/xml/htdocs/security/en/glsa/glsa-200606-20.xml
new file mode 100644
index 00000000..47d891a8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-20.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Typespeed: Remote execution of arbitrary code
+
+ A buffer overflow in the network code of Typespeed can lead to the
+ execution of arbitrary code.
+
+ typespeed
+ June 19, 2006
+ June 19, 2006: 01
+ 135071
+ remote
+
+
+ 0.5.0
+ 0.5.0
+
+
+
+

+ Typespeed is a game to test and practice 10-finger-typing. Network code + allows two users to compete head-to-head. +

+
+ +

+ Niko Tyni discovered a buffer overflow in the addnewword() function of + Typespeed's network code. +

+
+ +

+ By sending specially crafted network packets to a machine running + Typespeed in multiplayer mode, a remote attacker can execute arbitrary + code with the permissions of the user running the game. +

+
+ +

+ Do not run Typespeed in multiplayer mode. There is no known workaround + at this time for multiplayer mode. +

+
+ +

+ All Typespeed users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-misc/typespeed-0.5.0" +
+
+ CVE-2006-1515
+
+
+ falco
+
+
+ frilled
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-21.xml b/xml/htdocs/security/en/glsa/glsa-200606-21.xml
new file mode 100644
index 00000000..3aa69146
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-21.xml
@@ -0,0 +1,90 @@
+
+
+
+
+
+
+ Mozilla Thunderbird: Multiple vulnerabilities
+
+ Several vulnerabilities in Mozilla Thunderbird allow cross site scripting,
+ JavaScript privilege escalation and possibly execution of arbitrary code.
+
+ mozilla-thunderbird
+ June 19, 2006
+ June 19, 2006: 01
+ 135256
+ remote
+
+
+ 1.5.0.4
+ 1.5.0.4
+
+
+ 1.5.0.4
+ 1.5.0.4
+
+
+
+

+ Mozilla Thunderbird is the next-generation mail client from the Mozilla + project. +

+
+ +

+ Several vulnerabilities were found and fixed in Mozilla Thunderbird. + For details, please consult the references below. +

+
+ +

+ A remote attacker could craft malicious emails that would leverage + these issues to inject and execute arbitrary script code with elevated + privileges, spoof content, and possibly execute arbitrary code with the + rights of the user running the application. +

+
+ +

+ There are no known workarounds for all the issues at this time. +

+
+ +

+ All Mozilla Thunderbird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.5.0.4" +

+ All Mozilla Thunderbird binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.5.0.4" +

+ Note: There is no stable fixed version for the Alpha architecture yet. + Users of Mozilla Thunderbird on Alpha should consider unmerging it + until such a version is available. +

+
+
+ CVE-2006-2775
+ CVE-2006-2776
+ CVE-2006-2778
+ CVE-2006-2779
+ CVE-2006-2780
+ CVE-2006-2781
+ CVE-2006-2783
+ CVE-2006-2786
+ CVE-2006-2787
+ Mozilla Foundation Security Advisories
+
+
+ frilled
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-22.xml b/xml/htdocs/security/en/glsa/glsa-200606-22.xml
new file mode 100644
index 00000000..2d69b027
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-22.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ aRts: Privilege escalation
+
+ The artswrapper part of aRts allows local users to execute arbitrary code
+ with elevated privileges.
+
+ aRts
+ June 22, 2006
+ June 22, 2006: 01
+ 135970
+ local
+
+
+ 3.5.2-r1
+ 3.4.3-r1
+ 3.5.2-r1
+
+
+
+

+ aRts is a real time modular system for synthesizing audio used by KDE. + artswrapper is a helper application used to start the aRts daemon. +

+
+ +

+ artswrapper fails to properly check whether it can drop privileges + accordingly if setuid() fails due to a user exceeding assigned resource + limits. +

+
+ +

+ Local attackers could exploit this vulnerability to execute arbitrary + code with elevated privileges. Note that the aRts package provided by + Gentoo is only vulnerable if the artswrappersuid USE-flag is enabled. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All aRts users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose kde-base/arts +
+
+ CVE-2006-2916
+
+
+ jaervosz
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-23.xml b/xml/htdocs/security/en/glsa/glsa-200606-23.xml
new file mode 100644
index 00000000..a9f2a179
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-23.xml
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+ KDM: Symlink vulnerability
+
+ KDM is vulnerable to a symlink vulnerability that can lead to disclosure of
+ information.
+
+ kdebase, KDM
+ June 22, 2006
+ June 24, 2006: 02
+ 136201
+ local
+
+
+ 3.5.2-r2
+ 3.4.3-r2
+ 3.5.2-r2
+
+
+ 3.5.2-r1
+ 3.4.3-r2
+ 3.5.2-r1
+
+
+
+

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like Operating Systems. KDM is the KDE Display Manager and is part + of the kdebase package. +

+
+ +

+ Ludwig Nussel discovered that KDM could be tricked into allowing users + to read files that would otherwise not be readable. +

+
+ +

+ A local attacker could exploit this issue to obtain potentially + sensitive information that is usually not accessable to the local user + such as shadow files or other user's files. The default Gentoo user + running KDM is root and, as a result, the local attacker can read any + file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All kdebase users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose kde-base/kdebase +

+ All KDE split ebuild users should upgrade to the latest KDM version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose kde-base/kdm +
+
+ KDE Security Advisory: KDM symlink attack vulnerability
+ CVE-2006-2449
+
+
+ jaervosz
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-24.xml b/xml/htdocs/security/en/glsa/glsa-200606-24.xml
new file mode 100644
index 00000000..b892e1be
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-24.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ wv2: Integer overflow
+
+ An integer overflow could allow an attacker to execute arbitrary code.
+
+ wv2
+ June 23, 2006
+ June 23, 2006: 01
+ 136759
+ remote
+
+
+ 0.2.3
+ 0.2.3
+
+
+
+

+ wv2 is a filter library for Microsoft Word files, used in many Office + suites. +

+
+ +

+ A boundary checking error was found in wv2, which could lead to an + integer overflow. +

+
+ +

+ An attacker could execute arbitrary code with the rights of the user + running the program that uses the library via a maliciously crafted + Microsoft Word document. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All wv2 users should update to the latest stable version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/wv2-0.2.3" +
+
+ CVE 2006-2197
+
+
+ DerCorny
+
+
+ hlieberman
+
+
+ DerCorny
+
+
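Review bot: The reference entry `CVE 2006-2197` in this advisory is not a well-formed CVE identifier (the hyphen after `CVE` is missing), so tooling that cross-references GLSAs by CVE id will not match this advisory; it should read `CVE-2006-2197`. Every other advisory in this commit uses the `CVE-YYYY-NNNN` form, so this appears to be a typo rather than a different reference style. It is worth a one-off check over the existing GLSA tree for the same pattern.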
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-25.xml b/xml/htdocs/security/en/glsa/glsa-200606-25.xml
new file mode 100644
index 00000000..a1873a3b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-25.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ Hashcash: Possible heap overflow
+
+ A heap overflow vulnerability in the Hashcash utility could allow an
+ attacker to execute arbitrary code.
+
+ hashcash
+ June 26, 2006
+ July 29, 2006: 02
+ 134960
+ remote
+
+
+ 1.21
+ 1.21
+
+
+
+

+ Hashcash is a utility for generating Hashcash tokens, a proof-of-work + system to reduce the impact of spam. +

+
+ +

+ Andreas Seltenreich has reported a possible heap overflow in the + array_push() function in hashcash.c, as a result of an incorrect amount + of allocated memory for the "ARRAY" structure. +

+
+ +

+ By sending malicious entries to the Hashcash utility, an attacker may + be able to cause an overflow, potentially resulting in the execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Hashcash users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/hashcash-1.21" +
+
+ Hashcash ChangeLog
+ CVE-2006-3251
+
+
+ falco
+
+
+ falco
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-26.xml b/xml/htdocs/security/en/glsa/glsa-200606-26.xml
new file mode 100644
index 00000000..e1ccf629
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-26.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ EnergyMech: Denial of Service
+
+ A Denial of Service vulnerability was discovered in EnergyMech that is
+ easily exploitable via IRC.
+
+ emech
+ June 26, 2006
+ July 29, 2006: 02
+ 132749
+ remote
+
+
+ 3.0.2
+ 3.0.2
+
+
+
+

+ EnergyMech is an IRC bot programmed in C. +

+
+ +

+ A bug in EnergyMech fails to handle empty CTCP NOTICEs correctly, and + will cause a crash from a segmentation fault. +

+
+ +

+ By sending an empty CTCP NOTICE, a remote attacker could exploit this + vulnerability to cause a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All EnergyMech users should update to the latest stable version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/emech-3.0.2" +
+
+ EnergyMech Changelog
+ CVE-2006-3293
+
+
+ jaervosz
+
+
+ hlieberman
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-27.xml b/xml/htdocs/security/en/glsa/glsa-200606-27.xml
new file mode 100644
index 00000000..35a8998a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-27.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Mutt: Buffer overflow
+
+ Mutt contains a buffer overflow that could result in arbitrary code
+ execution.
+
+ mutt
+ June 28, 2006
+ June 28, 2006: 01
+ 138125
+ remote
+
+
+ 1.5.11-r2
+ 1.5.11-r2
+
+
+
+

+ Mutt is a small but very powerful text-based mail client. +

+
+ +

+ TAKAHASHI Tamotsu has discovered that Mutt contains a boundary error in + the "browse_get_namespace()" function in browse.c, which can be + triggered when receiving an overly long namespace from an IMAP server. +

+
+ +

+ A malicious IMAP server can send an overly long namespace to Mutt in + order to crash the application, and possibly execute arbitrary code + with the permissions of the user running Mutt. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mutt users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mutt-1.5.11-r2" +
+
+ CVE-2006-3242
+
+
+ falco
+
+
+ falco
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-28.xml b/xml/htdocs/security/en/glsa/glsa-200606-28.xml
new file mode 100644
index 00000000..debfe128
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-28.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ Horde Web Application Framework: XSS vulnerability
+
+ The Horde Web Application Framework is vulnerable to a cross-site scripting
+ vulnerability.
+
+ horde
+ June 29, 2006
+ June 29, 2006: 01
+ 136830
+ remote
+
+
+ 3.1.1-r1
+ 3.1.1-r1
+
+
+
+

+ The Horde Web Application Framework is a general-purpose web + application framework written in PHP, providing classes for handling + preferences, compression, browser detection, connection tracking, MIME, + and more. +

+
+ +

+ Michael Marek discovered that the Horde Web Application Framework + performs insufficient input sanitizing. +

+
+ +

+ An attacker could exploit these vulnerabilities to execute arbitrary + scripts running in the context of the victim's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All horde users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-3.1.1-r1" +
+
+ CVE-2006-2195
+
+
+ dizzutch
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-29.xml b/xml/htdocs/security/en/glsa/glsa-200606-29.xml
new file mode 100644
index 00000000..03b50f06
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-29.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Tikiwiki: SQL injection and multiple XSS vulnerabilities
+
+ An SQL injection vulnerability and multiple XSS vulnerabilities have been
+ discovered.
+
+ tikiwiki
+ June 29, 2006
+ June 29, 2006: 01
+ 136723
+ 134483
+ remote
+
+
+ 1.9.4
+ 1.9.4
+
+
+
+

+ Tikiwiki is a web-based groupware and content management system (CMS), + using PHP, ADOdb and Smarty. +

+
+ +

+ Tikiwiki fails to properly sanitize user input before processing it, + including in SQL statements. +

+
+ +

+ An attacker could execute arbitrary SQL statements on the underlying + database, or inject arbitrary scripts into the context of a user's + browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Tikiwiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.9.4" +
+
+ CVE-2006-3048
+ CVE-2006-3047
+
+
+ shellsage
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200606-30.xml b/xml/htdocs/security/en/glsa/glsa-200606-30.xml
new file mode 100644
index 00000000..6c03921c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200606-30.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ Kiax: Arbitrary code execution
+
+ A security vulnerability in the iaxclient library could lead to the
+ execution of arbitrary code by a remote attacker.
+
+ kiax
+ June 30, 2006
+ June 30, 2006: 01
+ 136099
+ remote
+
+
+ 0.8.5_p1
+ 0.8.5_p1
+
+
+
+

+ Kiax is a graphical softphone supporting the IAX protocol (Inter + Asterisk eXchange), which allows PC users to make VoIP calls to + Asterisk servers. +

+
+ +

+ The iax_net_read function in the iaxclient library fails to properly + handle IAX2 packets with truncated full frames or mini-frames. These + frames are detected in a length check but processed anyway, leading to + buffer overflows. +

+
+ +

+ By sending a specially crafted IAX2 packet, an attacker could execute + arbitrary code with the permissions of the user running Kiax. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Kiax users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/kiax-0.8.5_p1" +
+
+ CVE-2006-2923
+
+
+ falco
+
+
+ falco
+
+
+ dizzutch
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200607-01.xml b/xml/htdocs/security/en/glsa/glsa-200607-01.xml
new file mode 100644
index 00000000..65354828
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200607-01.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ mpg123: Heap overflow
+
+ A heap overflow in mpg123 was discovered, which could result in the
+ execution of arbitrary code.
+
+ mpg123
+ July 03, 2006
+ July 29, 2006: 02
+ 133988
+ remote
+
+
+ 0.59s-r11
+ 0.59s-r11
+
+
+
+

+ mpg123 is a real time audio player designed for the MPEG format. +

+
+ +

+ In httpdget.c, a variable is assigned to the heap, and is supposed to + receive a smaller allocation. As this variable was not terminated + properly, strncpy() will overwrite the data assigned next in memory. +

+
+ +

+ By enticing a user to visit a malicious URL, an attacker could possibly + execute arbitrary code with the rights of the user running mpg123. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mpg123 users should update to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/mpg123-0.59s-r11" +
+
+ CVE-2006-3355
+
+
+ jaervosz
+
+
+ hlieberman
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200607-02.xml b/xml/htdocs/security/en/glsa/glsa-200607-02.xml
new file mode 100644
index 00000000..28d6a1e9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200607-02.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ FreeType: Multiple integer overflows
+
+ Multiple remotely exploitable buffer overflows have been discovered in
+ FreeType, resulting in the execution of arbitrary code.
+
+ FreeType
+ July 09, 2006
+ September 03, 2006: 02
+ 124828
+ remote
+
+
+ 2.1.10-r2
+ 2.0
+ 2.1.10-r2
+
+
+
+

+ FreeType is a portable font engine. +

+
+ +

+ Multiple integer overflows exist in a variety of files (bdf/bdflib.c, + sfnt/ttcmap.c, cff/cffgload.c, base/ftmac.c). +

+
+ +

+ A remote attacker could exploit these buffer overflows by enticing a + user to load a specially crafted font, which could result in the + execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FreeType users should upgrade to the latest stable version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/freetype-2.1.10-r2" +
+
+ CVE-2006-1861
+
+
+ falco
+
+
+ hlieberman
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200607-03.xml b/xml/htdocs/security/en/glsa/glsa-200607-03.xml
new file mode 100644
index 00000000..b307fb45
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200607-03.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ libTIFF: Multiple buffer overflows
+
+ libTIFF contains buffer overflows that could result in arbitrary code
+ execution.
+
+ tiff
+ July 09, 2006
+ July 09, 2006: 01
+ 135881
+ remote
+
+
+ 3.8.2-r1
+ 3.8.2-r1
+
+
+
+

+ libTIFF provides support for reading and manipulating TIFF images. +

+
+ +

+ A buffer overflow has been found in the t2p_write_pdf_string function + in tiff2pdf, which can been triggered with a TIFF file containing a + DocumentName tag with UTF-8 characters. An additional buffer overflow + has been found in the handling of the parameters in tiffsplit. +

+
+ +

+ A remote attacker could entice a user to load a specially crafted TIFF + file, resulting in the possible execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libTIFF users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/tiff-3.8.2-r1" +
+
+ CVE-2006-2193
+ CVE-2006-2656
+
+
+ falco
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200607-04.xml b/xml/htdocs/security/en/glsa/glsa-200607-04.xml
new file mode 100644
index 00000000..6a48a6d7
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200607-04.xml
@@ -0,0 +1,79 @@
+
+
+
+
+
+
+ PostgreSQL: SQL injection
+
+ A flaw in the multibyte character handling allows execution of arbitrary
+ SQL statements.
+
+ postgresql
+ July 09, 2006
+ June 26, 2007: 03
+ 134168
+ remote
+
+
+ 8.0.8
+ 7.4*
+ 8.0.8
+ 7.4.13
+
+
+
+

+ PostgreSQL is an open source object-relational database management + system. +

+
+ +

+ PostgreSQL contains a flaw in the string parsing routines that allows + certain backslash-escaped characters to be bypassed with some multibyte + character encodings. This vulnerability was discovered by Akio Ishida + and Yasuo Ohgaki. +

+
+ +

+ An attacker could execute arbitrary SQL statements on the PostgreSQL + server. Be aware that web applications using PostgreSQL as a database + back-end might be used to exploit this vulnerability. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PostgreSQL users should upgrade to the latest version in the + respective branch they are using: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose dev-db/postgresql +

+ Note: While a fix exists for the 7.3 branch it doesn't currently work + on Gentoo. All 7.3.x users of PostgreSQL should consider updating their + installations to the 7.4 (or higher) branch as soon as possible! +

+
+
+ PostgreSQL technical information
+ CVE-2006-2313
+ CVE-2006-2314
+
+
+ falco
+
+
+ frilled
+
+
+ jaervosz
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200607-05.xml b/xml/htdocs/security/en/glsa/glsa-200607-05.xml
new file mode 100644
index 00000000..ca549312
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200607-05.xml
@@ -0,0 +1,75 @@
+
+
+
+
+
+
+ SHOUTcast server: Multiple vulnerabilities
+
+ The SHOUTcast server is vulnerable to a file disclosure vulnerability and
+ multiple XSS vulnerabilities.
+
+ shoutcast
+ July 09, 2006
+ July 29, 2006: 03
+ 136721
+ 136221
+ remote
+
+
+ 1.9.7
+ 1.9.7
+
+
+
+

+ SHOUTcast server is a streaming audio server. +

+
+ +

+ The SHOUTcast server is vulnerable to a file disclosure when the server + receives a specially crafted GET request. Furthermore it also fails to + sanitize the input passed to the "Description", "URL", "Genre", "AIM", + and "ICQ" fields. +

+
+ +

+ By sending a specially crafted GET request to the SHOUTcast server, the + attacker can read any file that can be read by the SHOUTcast process. + Furthermore it is possible that various request variables could also be + exploited to execute arbitrary scripts in the context of a victim's + browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SHOUTcast server users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/shoutcast-server-bin-1.9.7" +
+
+ Original advisory
+ SA20524
+ CVE-2006-3007
+ CVE-2006-3534
+ CVE-2006-3535
+
+
+ jaervosz
+
+
+ daxomatic
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200607-06.xml b/xml/htdocs/security/en/glsa/glsa-200607-06.xml
new file mode 100644
index 00000000..1916f82d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200607-06.xml
@@ -0,0 +1,82 @@
+
+
+
+
+
+
+ libpng: Buffer overflow
+
+ A buffer overflow has been found in the libpng library that could lead to
+ the execution of arbitrary code.
+
+ libpng
+ July 19, 2006
+ July 19, 2006: 01
+ 138433
+ 138672
+ remote
+
+
+ 1.2.12
+ 1.2.12
+
+
+ 2.5.1
+ 2.5.1
+
+
+
+

+ libpng is an open, extensible image format library, with lossless + compression. +

+
+ +

+ In pngrutil.c, the function png_decompress_chunk() allocates + insufficient space for an error message, potentially overwriting stack + data, leading to a buffer overflow. +

+
+ +

+ By enticing a user to load a maliciously crafted PNG image, an attacker + could execute arbitrary code with the rights of the user, or crash the + application using the libpng library, such as the + emul-linux-x86-baselibs. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libpng users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.12" +

+ All AMD64 emul-linux-x86-baselibs users should also upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-baselibs-2.5.1" +
+
+ libpng Changelog
+ CVE-2006-3334
+
+
+ falco
+
+
+ daxomatic
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200607-07.xml b/xml/htdocs/security/en/glsa/glsa-200607-07.xml
new file mode 100644
index 00000000..fffeb17b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200607-07.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ xine-lib: Buffer overflow
+
+ A buffer overflow has been found in the libmms library shipped with
+ xine-lib, potentially resulting in the execution of arbitrary code.
+
+ xine-lib
+ July 20, 2006
+ July 20, 2006: 01
+ 139319
+ remote
+
+
+ 1.1.2-r2
+ 1.1.2-r2
+
+
+
+

+ xine-lib is the core library of xine, a multimedia player. +

+
+ +

+ There is a stack based overflow in the libmms library included with + xine-lib which can be triggered by malicious use of the send_command, + string_utf16, get_data and get_media_packet functions. +

+
+ +

+ A remote attacker could design a malicious media file that would + trigger the overflow, potentially resulting in the execution of + arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.2-r2" +
+
+ CVE-2006-2200
+
+
+ jaervosz
+
+
+ daxomatic
+
+
+ koon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200607-08.xml b/xml/htdocs/security/en/glsa/glsa-200607-08.xml
new file mode 100644
index 00000000..6134e6aa
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200607-08.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ GIMP: Buffer overflow
+
+ GIMP is prone to a buffer overflow which may lead to the execution of
+ arbitrary code when loading specially crafted XCF files.
+
+ gimp
+ July 23, 2006
+ July 24, 2006: 02
+ 139524
+ remote
+
+
+ 2.2.12
+ 2.2.12
+
+
+
+

+ GIMP is the GNU Image Manipulation Program. XCF is the native image + file format used by GIMP. +

+
+ +

+ Henning Makholm discovered that the "xcf_load_vector()" function is + vulnerable to a buffer overflow when loading a XCF file with a large + "num_axes" value. +

+
+ +

+ An attacker could exploit this issue to execute arbitrary code by + enticing a user to open a specially crafted XCF file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GIMP users should update to the latest stable version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/gimp-2.2.12" +
+ + CVE-2006-3404 + + + jaervosz + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200607-09.xml b/xml/htdocs/security/en/glsa/glsa-200607-09.xml new file mode 100644 index 00000000..c80a1d05 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200607-09.xml @@ -0,0 +1,91 @@ + + + + + + + Wireshark: Multiple vulnerabilities + + Wireshark (formerly known as Ethereal) is vulnerable to several security + issues, potentially allowing the execution of arbitrary code by a remote + attacker. + + wireshark ethereal + July 25, 2006 + July 25, 2006: 01 + 140856 + remote + + + 0.99.2 + 0.99.2 + + + 0.99.0-r1 + + + +

+ Wireshark, formerly known as Ethereal, is a popular network protocol + analyzer. +

+
+ +

+ Wireshark dissectors have been found vulnerable to a large number of + exploits, including off-by-one errors, buffer overflows, format string + overflows and an infinite loop. +

+
+ +

+ Running an affected version of Wireshark or Ethereal could allow for a + remote attacker to execute arbitrary code on the user's computer by + sending specially crafted packets. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Wireshark users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-0.99.2" +

+ All Ethereal users should migrate to Wireshark: +

+ + # emerge --sync + # emerge --ask --unmerge net-analyzer/ethereal + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-0.99.2" +

+ To keep the [saved] configuration from Ethereal and reuse it with + Wireshark: +

+ + # mv ~/.ethereal ~/.wireshark +
+ + Wireshark wnpa-sec-2006-01 + CVE-2006-3627 + CVE-2006-3628 + CVE-2006-3629 + CVE-2006-3630 + CVE-2006-3631 + CVE-2006-3632 + + + koon + + + dizzutch + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200607-10.xml b/xml/htdocs/security/en/glsa/glsa-200607-10.xml new file mode 100644 index 00000000..ddb03ef8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200607-10.xml @@ -0,0 +1,69 @@ + + + + + + + Samba: Denial of Service vulnerability + + A large number of share connection requests could cause a Denial of Service + within Samba. + + samba + July 25, 2006 + July 25, 2006: 01 + 139369 + remote + + + 3.0.22-r3 + 3.0.22-r3 + + + +

+ Samba is a freely available SMB/CIFS implementation which allows + seamless interoperability of file and print services to other SMB/CIFS + clients. +

+
+ +

+ During an internal audit the Samba team discovered that a flaw in the + way Samba stores share connection requests could lead to a Denial of + Service. +

+
+ +

+ By sending a large amount of share connection requests to a vulnerable + Samba server, an attacker could cause a Denial of Service due to memory + consumption. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Samba users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-3.0.22-r3" +
+ + CVE-2006-3403 + + + koon + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200607-11.xml b/xml/htdocs/security/en/glsa/glsa-200607-11.xml new file mode 100644 index 00000000..74cd04c4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200607-11.xml @@ -0,0 +1,66 @@ + + + + + + + TunePimp: Buffer overflow + + A vulnerability in TunePimp has been reported which could lead to the + execution of arbitrary code. + + Tunepimp + July 28, 2006 + June 01, 2007: 02 + 140184 + remote + + + 0.5.0 + 0.4.2 + + + +

+ The TunePimp library (also referred to as libtunepimp) is a development + library geared towards developers who wish to create MusicBrainz + enabled tagging applications. +

+
+ +

+ Kevin Kofler has reported a vulnerability where three stack variables + are allocated with 255, 255 and 100 bytes respectively, yet 256 bytes + are read into each. This could lead to buffer overflows. +

+
+ +

+ Running an affected version of TunePimp could lead to the execution of + arbitrary code by a remote attacker. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All tunepimp users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/tunepimp-0.5." +
+ + CVE-2006-3600 + MusicBrainz bug #1764 + + + dizzutch + + + koon + +
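Review bot: The resolution atom in this hunk is truncated: `">=media-libs/tunepimp-0.5."` is not a valid Portage version and the emerge command as written will fail for users following the advisory. The unaffected version listed in the header is 0.5.0, so the line should read `# emerge --ask --oneshot --verbose ">=media-libs/tunepimp-0.5.0"`. Since the advisory text is what users paste into a shell, a malformed atom silently leaves the vulnerable 0.4.2 installed.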
diff --git a/xml/htdocs/security/en/glsa/glsa-200607-12.xml b/xml/htdocs/security/en/glsa/glsa-200607-12.xml new file mode 100644 index 00000000..931e37d6 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200607-12.xml @@ -0,0 +1,83 @@ + + + + + + + OpenOffice.org: Multiple vulnerabilities + + OpenOffice.org is affected by three security vulnerabilities which can be + exploited to allow the execution of arbitrary code by a remote attacker. + + OpenOffice.org + July 28, 2006 + July 28, 2006: 01 + 138545 + remote + + + 2.0.3 + 2.0.3 + + + 2.0.3 + 2.0.3 + + + +

+ OpenOffice.org is an open source office productivity suite, including + word processing, spreadsheet, presentation, drawing, data charting, + formula editing, and file conversion facilities. +

+
+ +

+ Internal security audits by OpenOffice.org have discovered three + security vulnerabilities related to Java applets, macros and the XML + file format parser. +

+
  • Specially crafted Java applets can + break through the "sandbox".
  • +
  • Specially crafted macros make it + possible to inject BASIC code into documents which is executed when the + document is loaded.
  • +
  • Loading a malformed XML file can cause a + buffer overflow.
  • +
+
+ +

+ An attacker might exploit these vulnerabilities to escape the Java + sandbox, execute arbitrary code or BASIC code with the permissions of + the user running OpenOffice.org. +

+
+ +

+ Disabling Java applets will protect against the vulnerability in the + handling of Java applets. There are no workarounds for the macro and + file format vulnerabilities. +

+
+ +

+ All OpenOffice.org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-2.0.3" +
+ + OpenOffice.org Security Bulletin 2006-06-29 + CVE-2006-2199 + CVE-2006-2198 + CVE-2006-3117 + + + dizzutch + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200607-13.xml b/xml/htdocs/security/en/glsa/glsa-200607-13.xml new file mode 100644 index 00000000..a2bf281f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200607-13.xml @@ -0,0 +1,69 @@ + + + + + + + Audacious: Multiple heap and buffer overflows + + The adplug library included in Audacious is vulnerable to various overflows + that could result in the execution of arbitrary code. + + audacious + July 29, 2006 + July 29, 2006: 01 + 139957 + remote + + + 1.1.0 + 1.1.0 + + + +

+ Audacious is a media player that has been forked from Beep Media + Player. +

+
+ +

+ Luigi Auriemma has found that the adplug library fails to verify the + size of the destination buffers in the unpacking instructions, + resulting in various possible heap and buffer overflows. +

+
+ +

+ An attacker can entice a user to load a specially crafted media file, + resulting in a crash or possible execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Audacious users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/audacious-1.1.0" +
+ + BugTraq Announcement + CVE-2006-3581 + CVE-2006-3582 + + + jaervosz + + + daxomatic + + + koon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-01.xml b/xml/htdocs/security/en/glsa/glsa-200608-01.xml new file mode 100644 index 00000000..640e69ee --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-01.xml @@ -0,0 +1,73 @@ + + + + + + + Apache: Off-by-one flaw in mod_rewrite + + A flaw in mod_rewrite could result in a Denial of Service or the execution + of arbitrary code. + + apache + August 01, 2006 + December 30, 2007: 02 + 141986 + remote + + + 1.3.34-r14 + 1.3.37 + 2.0.58-r2 + 2.0.58-r2 + + + +

+ The Apache HTTP server is one of the most popular web servers on the + Internet. The Apache module mod_rewrite provides a rule-based engine to + rewrite requested URLs on the fly. +

+
+ +

+ An off-by-one flaw has been found in Apache's mod_rewrite module by + Mark Dowd of McAfee Avert Labs. This flaw is exploitable depending on + the types of rewrite rules being used. +

+
+ +

+ A remote attacker could exploit the flaw to cause a Denial of Service + or execution of arbitrary code. Note that Gentoo Linux is not + vulnerable in the default configuration. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose www-servers/apache +
+ + CVE-2006-3747 + Apache HTTP Server 2.0 Announcement + Apache HTTP Server 1.3 Announcement + + + vorlon078 + + + vorlon078 + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-02.xml b/xml/htdocs/security/en/glsa/glsa-200608-02.xml new file mode 100644 index 00000000..bbabe7f2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-02.xml @@ -0,0 +1,131 @@ + + + + + + + Mozilla SeaMonkey: Multiple vulnerabilities + + The Mozilla Foundation has reported numerous security vulnerabilities + related to Mozilla SeaMonkey. + + SeaMonkey + August 03, 2006 + August 03, 2006: 01 + 141842 + remote + + + 1.0.3 + 1.0.3 + + + +

+ The Mozilla SeaMonkey project is a community effort to deliver + production-quality releases of code derived from the application + formerly known as "Mozilla Application Suite". +

+
+ +

+ The following vulnerabilities have been reported: +

+
    +
  • Benjamin Smedberg discovered that chrome URL's could be made to + reference remote files.
  • +
  • Developers in the Mozilla community + looked for and fixed several crash bugs to improve the stability of + Mozilla clients, which could lead to the execution of arbitrary code by + a remote attacker.
  • +
  • "shutdown" reports that cross-site + scripting (XSS) attacks could be performed using the construct + XPCNativeWrapper(window).Function(...), which created a function that + appeared to belong to the window in question even after it had been + navigated to the target site.
  • +
  • "shutdown" reports that scripts + granting the UniversalBrowserRead privilege can leverage that into the + equivalent of the far more powerful UniversalXPConnect since they are + allowed to "read" into a privileged context.
  • +
  • "moz_bug_r_a4" + reports that A malicious Proxy AutoConfig (PAC) server could serve a + PAC script that can execute code with elevated privileges by setting + the required FindProxyForURL function to the eval method on a + privileged object that leaked into the PAC sandbox.
  • +
  • "moz_bug_r_a4" discovered that Named JavaScript functions have a + parent object created using the standard Object() constructor + (ECMA-specified behavior) and that this constructor can be redefined by + script (also ECMA-specified behavior).
  • +
  • Igor Bukanov and + shutdown found additional places where an untimely garbage collection + could delete a temporary object that was in active use.
  • +
  • Georgi + Guninski found potential integer overflow issues with long strings in + the toSource() methods of the Object, Array and String objects as well + as string function arguments.
  • +
  • H. D. Moore reported a testcase + that was able to trigger a race condition where JavaScript garbage + collection deleted a temporary variable still being used in the + creation of a new Function object.
  • +
  • A malicious page can hijack + native DOM methods on a document object in another domain, which will + run the attacker's script when called by the victim page.
  • +
  • Secunia Research has discovered a vulnerability which is caused due + to an memory corruption error within the handling of simultaneously + happening XPCOM events. This leads to use of a deleted timer + object.
  • +
  • An anonymous researcher for TippingPoint and the Zero + Day Initiative showed that when used in a web page Java would reference + properties of the window.navigator object as it started up.
  • +
  • Thilo Girmann discovered that in certain circumstances a JavaScript + reference to a frame or window was not properly cleared when the + referenced content went away.
  • +
+
+ +

+ A user can be enticed to open specially crafted URLs, visit webpages + containing malicious JavaScript or execute a specially crafted script. + These events could lead to the execution of arbitrary code, or the + installation of malware on the user's computer. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Thunderbird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.0.3" +
+ + CVE-2006-3113 + CVE-2006-3677 + CVE-2006-3801 + CVE-2006-3802 + CVE-2006-3803 + CVE-2006-3804 + CVE-2006-3805 + CVE-2006-3806 + CVE-2006-3807 + CVE-2006-3808 + CVE-2006-3809 + CVE-2006-3810 + CVE-2006-3811 + CVE-2006-3812 + + + DerCorny + + + dizzutch + + + DerCorny + +
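Review bot: The resolution paragraph of this SeaMonkey advisory names the wrong product: "All Thunderbird users should upgrade to the latest version:" precedes an emerge command for `www-client/seamonkey-1.0.3`. The sentence should read `All Mozilla SeaMonkey users should upgrade to the latest version:` so that readers scanning only the resolution section are not misled about which package the advisory covers (the Thunderbird advisory is a separate file, glsa-200608-04.xml, later in this commit).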
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-03.xml b/xml/htdocs/security/en/glsa/glsa-200608-03.xml new file mode 100644 index 00000000..06debbd1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-03.xml @@ -0,0 +1,135 @@ + + + + + + + Mozilla Firefox: Multiple vulnerabilities + + The Mozilla Foundation has reported numerous security vulnerabilities + related to Mozilla Firefox. + + Firefox + August 03, 2006 + August 03, 2006: 01 + 141842 + remote + + + 1.5.0.5 + 1.5.0.5 + + + 1.5.0.5 + 1.5.0.5 + + + +

+ Mozilla Firefox is a redesign of the Mozilla Navigator component. The + goal is to produce a cross-platform stand-alone browser application. +

+
+ +

+ The following vulnerabilities have been reported: +

+
    +
  • Benjamin Smedberg discovered that chrome URL's could be made to + reference remote files.
  • +
  • Developers in the Mozilla community + looked for and fixed several crash bugs to improve the stability of + Mozilla clients.
  • +
  • "shutdown" reports that cross-site scripting + (XSS) attacks could be performed using the construct + XPCNativeWrapper(window).Function(...), which created a function that + appeared to belong to the window in question even after it had been + navigated to the target site.
  • +
  • "shutdown" reports that scripts + granting the UniversalBrowserRead privilege can leverage that into the + equivalent of the far more powerful UniversalXPConnect since they are + allowed to "read" into a privileged context.
  • +
  • "moz_bug_r_a4" + reports that A malicious Proxy AutoConfig (PAC) server could serve a + PAC script that can execute code with elevated privileges by setting + the required FindProxyForURL function to the eval method on a + privileged object that leaked into the PAC sandbox.
  • +
  • "moz_bug_r_a4" discovered that Named JavaScript functions have a + parent object created using the standard Object() constructor + (ECMA-specified behavior) and that this constructor can be redefined by + script (also ECMA-specified behavior).
  • +
  • Igor Bukanov and + shutdown found additional places where an untimely garbage collection + could delete a temporary object that was in active use.
  • +
  • Georgi + Guninski found potential integer overflow issues with long strings in + the toSource() methods of the Object, Array and String objects as well + as string function arguments.
  • +
  • H. D. Moore reported a testcase + that was able to trigger a race condition where JavaScript garbage + collection deleted a temporary variable still being used in the + creation of a new Function object.
  • +
  • A malicious page can hijack + native DOM methods on a document object in another domain, which will + run the attacker's script when called by the victim page.
  • +
  • Secunia Research has discovered a vulnerability which is caused due + to an memory corruption error within the handling of simultaneously + happening XPCOM events. This leads to use of a deleted timer + object.
  • +
  • An anonymous researcher for TippingPoint and the Zero + Day Initiative showed that when used in a web page Java would reference + properties of the window.navigator object as it started up.
  • +
  • Thilo Girmann discovered that in certain circumstances a JavaScript + reference to a frame or window was not properly cleared when the + referenced content went away.
  • +
+
+ +

+ A user can be enticed to open specially crafted URLs, visit webpages + containing malicious JavaScript or execute a specially crafted script. + These events could lead to the execution of arbitrary code, or the + installation of malware on the user's computer. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.5" +

+ Users of the binary package should upgrade as well: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.5" +
+ + CVE-2006-3113 + CVE-2006-3677 + CVE-2006-3801 + CVE-2006-3802 + CVE-2006-3803 + CVE-2006-3805 + CVE-2006-3806 + CVE-2006-3807 + CVE-2006-3808 + CVE-2006-3809 + CVE-2006-3810 + CVE-2006-3811 + CVE-2006-3812 + + + dizzutch + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-04.xml b/xml/htdocs/security/en/glsa/glsa-200608-04.xml new file mode 100644 index 00000000..b0100f72 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-04.xml @@ -0,0 +1,128 @@ + + + + + + + Mozilla Thunderbird: Multiple vulnerabilities + + The Mozilla Foundation has reported numerous security vulnerabilities + related to Mozilla Thunderbird. + + Thunderbird + August 03, 2006 + August 03, 2006: 01 + 141842 + remote + + + 1.5.0.5 + 1.5.0.5 + + + 1.5.0.5 + 1.5.0.5 + + + +

+ The Mozilla Thunderbird mail client is a redesign of the Mozilla Mail + component. The goal is to produce a cross-platform stand-alone mail + application using XUL (XML User Interface Language). +

+
+ +

+ The following vulnerabilities have been reported: +

+
    +
  • Benjamin Smedberg discovered that chrome URLss could be made to + reference remote files.
  • +
  • Developers in the Mozilla community + looked for and fixed several crash bugs to improve the stability of + Mozilla clients.
  • +
  • "shutdown" reports that cross-site scripting + (XSS) attacks could be performed using the construct + XPCNativeWrapper(window).Function(...), which created a function that + appeared to belong to the window in question even after it had been + navigated to the target site.
  • +
  • "shutdown" reports that scripts + granting the UniversalBrowserRead privilege can leverage that into the + equivalent of the far more powerful UniversalXPConnect since they are + allowed to "read" into a privileged context.
  • +
  • "moz_bug_r_a4" + discovered that Named JavaScript functions have a parent object created + using the standard Object() constructor (ECMA-specified behavior) and + that this constructor can be redefined by script (also ECMA-specified + behavior).
  • +
  • Igor Bukanov and shutdown found additional places + where an untimely garbage collection could delete a temporary object + that was in active use.
  • +
  • Georgi Guninski found potential + integer overflow issues with long strings in the toSource() methods of + the Object, Array and String objects as well as string function + arguments.
  • +
  • H. D. Moore reported a testcase that was able to + trigger a race condition where JavaScript garbage collection deleted a + temporary variable still being used in the creation of a new Function + object.
  • +
  • A malicious page can hijack native DOM methods on a + document object in another domain, which will run the attacker's script + when called by the victim page.
  • +
  • Secunia Research has + discovered a vulnerability which is caused due to an memory corruption + error within the handling of simultaneously happening XPCOM events. + This leads to use of a deleted timer object.
  • +
+
+ +

+ A user can be enticed to open specially crafted URLs, visit webpages + containing malicious JavaScript or execute a specially crafted script. + These events could lead to the execution of arbitrary code, or the + installation of malware on the user's computer. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Thunderbird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.5.0.5" +

+ All Mozilla Thunderbird binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.5.0.5" +
+ + CVE-2006-3113 + CVE-2006-3802 + CVE-2006-3803 + CVE-2006-3804 + CVE-2006-3805 + CVE-2006-3806 + CVE-2006-3807 + CVE-2006-3809 + CVE-2006-3810 + CVE-2006-3811 + CVE-2006-3812 + + + DerCorny + + + dizzutch + + + DerCorny + +
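Review bot: The first bullet of the Thunderbird vulnerability list contains a typo, "chrome URLss", where the sibling SeaMonkey and Firefox advisories in this commit write "chrome URL's". For consistency across the three advisories the line should read `Benjamin Smedberg discovered that chrome URLs could be made to reference remote files.`; the plural needs no apostrophe in any of them, but at minimum the doubled "s" should be dropped.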
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-05.xml b/xml/htdocs/security/en/glsa/glsa-200608-05.xml new file mode 100644 index 00000000..e96fdf2a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-05.xml @@ -0,0 +1,68 @@ + + + + + + + LibVNCServer: Authentication bypass + + VNC servers created with LibVNCServer accept insecure protocol types, even + when the server does not offer it, resulting in unauthorized access to the + server. + + libvncserver + August 04, 2006 + August 04, 2006: 01 + 136916 + remote + + + 0.8.2 + 0.8.2 + + + +

+ LibVNCServer is a GPL'ed library for creating VNC servers. +

+
+ +

+ LibVNCServer fails to properly validate protocol types effectively + letting users decide what protocol to use, such as "Type 1 - None". + LibVNCServer will accept this security type, even if it is not offered + by the server. +

+
+ +

+ An attacker could use this vulnerability to gain unauthorized access + with the privileges of the user running the VNC server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All LibVNCServer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/libvncserver-0.8.2" +
+ + CVE-2006-2450 + + + vorlon078 + + + vorlon078 + + + hlieberman + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-06.xml b/xml/htdocs/security/en/glsa/glsa-200608-06.xml new file mode 100644 index 00000000..6865b2be --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-06.xml @@ -0,0 +1,67 @@ + + + + + + + Courier MTA: Denial of Service vulnerability + + Courier MTA has fixed a DoS issue related to usernames containing a "=" + character. + + Courier + August 04, 2006 + August 04, 2006: 01 + 135005 + remote + + + 0.53.2 + 0.53.2 + + + +

+ Courier MTA is an integrated mail and groupware server based on open + protocols. +

+
+ +

+ Courier MTA has fixed a security issue relating to usernames containing + the "=" character, causing high CPU utilization. +

+
+ +

+ An attacker could exploit this vulnerability by sending a specially + crafted email to a mail gateway running a vulnerable version of Courier + MTA. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Courier MTA users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-mta/courier-0.53.2" +
+ + CVE-2006-2659 + + + koon + + + koon + + + dizzutch + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-07.xml b/xml/htdocs/security/en/glsa/glsa-200608-07.xml new file mode 100644 index 00000000..431b5b86 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-07.xml @@ -0,0 +1,71 @@ + + + + + + + libTIFF: Multiple vulnerabilities + + libTIFF contains several vulnerabilities that could result in arbitrary + code execution. + + tiff + August 04, 2006 + August 04, 2006: 01 + 142383 + remote + + + 3.8.2-r2 + 3.8.2-r2 + + + +

+ libTIFF provides support for reading and manipulating TIFF images. +

+
+ +

+ Tavis Ormandy of the Google Security Team discovered several heap and + stack buffer overflows and other flaws in libTIFF. The affected parts + include the TIFFFetchShortPair(), TIFFScanLineSize() and + EstimateStripByteCounts() functions, and the PixarLog and NeXT RLE + decoders. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted TIFF + file, resulting in the possible execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libTIFF users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/tiff-3.8.2-r2" +
+ + CVE-2006-3459 + CVE-2006-3460 + CVE-2006-3461 + CVE-2006-3462 + CVE-2006-3463 + CVE-2006-3464 + CVE-2006-3465 + + + falco + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-08.xml b/xml/htdocs/security/en/glsa/glsa-200608-08.xml new file mode 100644 index 00000000..10f5c5c4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-08.xml @@ -0,0 +1,67 @@ + + + + + + + GnuPG: Integer overflow vulnerability + + GnuPG is vulnerable to an integer overflow that could lead to the execution + of arbitrary code. + + gnupg + August 05, 2006 + August 08, 2006: 02 + 142248 + remote + + + 1.4.5 + 1.4.5 + + + +

+ The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite + of cryptographic software. +

+
+ +

+ Evgeny Legerov discovered a vulnerability in GnuPG that when certain + packets are handled an integer overflow may occur. +

+
+ +

+ By sending a specially crafted email to a user running an affected + version of GnuPG, a remote attacker could possibly execute arbitrary + code with the permissions of the user running GnuPG. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GnuPG users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "=app-crypt/gnupg-1.4*" +
+ + CVE-2006-3746 + + + koon + + + dizzutch + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-09.xml b/xml/htdocs/security/en/glsa/glsa-200608-09.xml new file mode 100644 index 00000000..17c841f7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-09.xml @@ -0,0 +1,68 @@ + + + + + + + MySQL: Denial of Service + + An authenticated user can crash MySQL through invalid parameters to the + date_format function. + + mysql + August 06, 2006 + August 07, 2006: 02 + 142429 + remote + + + 4.1.21 + 4.1.0 + 4.1.21 + + + +

+ MySQL is a popular multi-threaded, multi-user SQL server. +

+
+ +

+ Jean-David Maillefer discovered a format string vulnerability in + time.cc where MySQL fails to properly handle specially formatted user + input to the date_format function. +

+
+ +

+ By specifying a format string as the first parameter to the date_format + function, an authenticated attacker could cause MySQL to crash, + resulting in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MySQL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --verbose --oneshot ">=dev-db/mysql-4.1.21" +
+ + CVE-2006-3469 + + + koon + + + koon + + + hlieberman + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-10.xml b/xml/htdocs/security/en/glsa/glsa-200608-10.xml new file mode 100644 index 00000000..f77af97c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-10.xml @@ -0,0 +1,67 @@ + + + + + + + pike: SQL injection vulnerability + + A flaw in the input handling could lead to the execution of arbitrary SQL + statements in the underlying PostgreSQL database. + + pike + August 06, 2006 + December 13, 2006: 02 + 136065 + remote + + + 7.6.86 + 7.6.86 + + + +

+ Pike is a general purpose programming language, able to be used for + multiple tasks. +

+
+ +

+ Some input is not properly sanitised before being used in a SQL + statement in the underlying PostgreSQL database. +

+
+ +

+ A remote attacker could provide malicious input to a pike program, + which might result in the execution of arbitrary SQL statements. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All pike users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/pike-7.6.86" +
+ + Secunia Advisory SA20494 + CVE-2006-4041 + + + koon + + + koon + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-11.xml b/xml/htdocs/security/en/glsa/glsa-200608-11.xml new file mode 100644 index 00000000..4802ad5f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-11.xml @@ -0,0 +1,77 @@ + + + + + + + Webmin, Usermin: File Disclosure + + Webmin and Usermin are vulnerable to an arbitrary file disclosure through a + specially crafted URL. + + webmin/usermin + August 06, 2006 + August 06, 2006: 01 + 138552 + remote + + + 1.290 + 1.290 + + + 1.220 + 1.220 + + + +

+ Webmin is a web-based interface for Unix-like systems. Usermin is a + simplified version of Webmin designed for use by normal users rather + than system administrators. +

+
+ +

+ A vulnerability in both Webmin and Usermin has been discovered by Kenny + Chen, wherein simplify_path is called before the HTML is decoded. +

+
+ +

+ A non-authenticated user can read any file on the server using a + specially crafted URL. +

+
+ +

+ For a temporary workaround, IP Access Control can be setup on Webmin + and Usermin. +

+
+ +

+ All Webmin users should update to the latest stable version: +

+ + # emerge --sync + # emerge --ask --verbose --oneshot ">=app-admin/webmin-1.290" +

+ All Usermin users should update to the latest stable version: +

+ + # emerge --sync + # emerge --ask --verbose --oneshot ">=app-admin/usermin-1.220" +
+ + CVE-2006-3392 + + + + + koon + + + hlieberman + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-12.xml b/xml/htdocs/security/en/glsa/glsa-200608-12.xml new file mode 100644 index 00000000..14a2a871 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-12.xml @@ -0,0 +1,69 @@ + + + + + + + x11vnc: Authentication bypass in included LibVNCServer code + + VNC servers created with x11vnc accept insecure protocol types, even when + the server does not offer it, resulting in the possibility of unauthorized + access to the server. + + x11vnc + August 07, 2006 + August 07, 2006: 01 + 142559 + remote + + + 0.8.1 + 0.8.1 + + + +

+ x11vnc provides VNC servers for X displays. +

+
+ +

+ x11vnc includes vulnerable LibVNCServer code, which fails to properly + validate protocol types effectively letting users decide what protocol + to use, such as "Type 1 - None" (GLSA-200608-05). x11vnc will accept + this security type, even if it is not offered by the server. +

+
+ +

+ An attacker could exploit this vulnerability to gain unauthorized + access with the privileges of the user running the VNC server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All x11vnc users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-misc/x11vnc-0.8.1" +
+ + CVE-2006-2450 + GLSA-200608-05 + + + jaervosz + + + koon + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-13.xml b/xml/htdocs/security/en/glsa/glsa-200608-13.xml new file mode 100644 index 00000000..4a71b0db --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-13.xml @@ -0,0 +1,67 @@ + + + + + + + ClamAV: Heap buffer overflow + + ClamAV is vulnerable to a heap-based buffer overflow resulting in a Denial + of Service and potentially remote execution of arbitrary code. + + clamav + August 08, 2006 + August 08, 2006: 02 + 143093 + remote + + + 0.88.4 + 0.88.4 + + + +

+ ClamAV is a GPL virus scanner. +

+
+ +

+ Damian Put has discovered a boundary error in the pefromupx() function + used by the UPX extraction module, which unpacks PE Windows executable + files. Both the "clamscan" command-line utility and the "clamd" daemon + are affected. +

+
+ +

+ By sending a malicious attachment to a mail server running ClamAV, a + remote attacker can cause a Denial of Service and potentially the + execution of arbitrary code with the permissions of the user running + ClamAV. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.88.4" +
+ + ClamAV security advisory + CVE-2006-4018 + + + falco + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-14.xml b/xml/htdocs/security/en/glsa/glsa-200608-14.xml new file mode 100644 index 00000000..c79b35da --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-14.xml @@ -0,0 +1,69 @@ + + + + + + + DUMB: Heap buffer overflow + + A heap-based buffer overflow in DUMB could result in the execution of + arbitrary code. + + dumb + August 08, 2006 + August 08, 2006: 01 + 142387 + remote + + + 0.9.3-r1 + 0.9.3-r1 + + + +

+ DUMB (Dynamic Universal Music Bibliotheque) is an IT, XM, S3M and MOD + player library. +

+
+ +

+ Luigi Auriemma found a heap-based buffer overflow in the + it_read_envelope function which reads the envelope values for volume, + pan and pitch of the instruments referenced in a ".it" (Impulse + Tracker) file with a large number of nodes. +

+
+ +

+ By enticing a user to load a malicious ".it" (Impulse Tracker) file, an + attacker may execute arbitrary code with the rights of the user running + the application that uses a vulnerable DUMB library. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All users of DUMB should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/dumb-0.9.3-r1" +
+ + CVE-2006-3668 + + + koon + + + falco + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-15.xml b/xml/htdocs/security/en/glsa/glsa-200608-15.xml new file mode 100644 index 00000000..59705ba6 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-15.xml @@ -0,0 +1,70 @@ + + + + + + + MIT Kerberos 5: Multiple local privilege escalation vulnerabilities + + Some applications shipped with MIT Kerberos 5 are vulnerable to local + privilege escalation. + + MIT Kerberos 5 + August 10, 2006 + August 10, 2006: 01 + 143240 + local + + + 1.4.3-r3 + 1.4.3-r3 + + + +

+ MIT Kerberos 5 is a suite of applications that implement the Kerberos + network protocol. It is designed to provide strong authentication for + client/server applications by using secret-key cryptography. +

+
+ +

+ Unchecked calls to setuid() in krshd and v4rcp, as well as unchecked + calls to seteuid() in kftpd and in ksu, have been found in the MIT + Kerberos 5 program suite and may lead to a local root privilege + escalation. +

+
+ +

+ A local attacker could exploit this vulnerability to execute arbitrary + code with elevated privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MIT Kerberos 5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.4.3-r3" +
+ + CVE-2006-3083 + CVE-2006-3084 + + + jaervosz + + + daxomatic + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-16.xml b/xml/htdocs/security/en/glsa/glsa-200608-16.xml new file mode 100644 index 00000000..e84817cd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-16.xml @@ -0,0 +1,75 @@ + + + + + + + Warzone 2100 Resurrection: Multiple buffer overflows + + Warzone 2100 Resurrection server and client are vulnerable to separate + buffer overflows, potentially allowing remote code execution. + + warzone2100 + August 10, 2006 + September 04, 2006: 02 + 142389 + remote + + + 2.0.4 + 2.0.3 + + + +

+ Warzone 2100 Resurrection is a real-time strategy game, developed by + Pumpkin Studios and published by Eidos Interactive. +

+
+ +

+ Luigi Auriemma discovered two buffer overflow vulnerabilities in + Warzone 2100 Resurrection. The recvTextMessage function of the Warzone + 2100 Resurrection server and the NETrecvFile function of the client use + insufficiently sized buffers. +

+
+ +

+ A remote attacker could exploit these vulnerabilities by sending + specially crafted input to the server, or enticing a user to load a + specially crafted file from a malicious server. This may result in the + execution of arbitrary code with the permissions of the user running + Warzone 2100 Resurrection. +

+
+ +

+ There is no known workaround for this issue. +

+

+ There is no known workaround at this time. +

+
+ +

+ All Warzone 2100 Resurrection users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-strategy/warzone2100-2.0.4" +
+ + CVE-2006-3849 + + + jaervosz + + + jaervosz + + + dizzutch + +
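Review bot: The workaround section of glsa-200608-16.xml carries two near-identical paragraphs, `There is no known workaround for this issue.` immediately followed by `There is no known workaround at this time.`, which looks like a leftover from the revision 02 edit (revised September 04, 2006 against an August 10 announcement). Keep only the standard phrasing `There is no known workaround at this time.` and drop the other paragraph so the rendered advisory does not repeat itself. The XML markup is not visible in this extraction, so check that the surviving paragraph keeps its enclosing element when the duplicate is removed.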
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-17.xml b/xml/htdocs/security/en/glsa/glsa-200608-17.xml new file mode 100644 index 00000000..a29327bd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-17.xml @@ -0,0 +1,69 @@ + + + + + + + libwmf: Buffer overflow vulnerability + + libwmf is vulnerable to an integer overflow potentially resulting in the + execution of arbitrary code. + + libwmf + August 10, 2006 + August 10, 2006: 01 + 139325 + remote + + + 0.2.8.4 + 0.2.8.4 + + + +

+ libwmf is a library for reading and converting vector images in + Microsoft's native Windows Metafile Format (WMF). +

+
+ +

+ infamous41md discovered that libwmf fails to do proper bounds checking + on the MaxRecordSize variable in the WMF file header. This could lead + to an head-based buffer overflow. +

+
+ +

+ By enticing a user to open a specially crafted WMF file, a remote + attacker could cause a heap-based buffer overflow and execute arbitrary + code with the permissions of the user running the application that uses + libwmf. +

+
+ +

+ There is no known workaround for this issue. +

+
+ +

+ All libwmf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libwmf-0.2.8.4" +
+ + CVE-2006-3376 + + + falco + + + dizzutch + + + falco + +
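Review bot: The description in glsa-200608-17.xml says the missing bounds check `could lead to an head-based buffer overflow`; the impact paragraph describes a heap-based overflow, so this should read `could lead to a heap-based buffer overflow.` The title (`Buffer overflow vulnerability`) and the synopsis (`an integer overflow`) also name different bug classes. If the root cause is the unchecked MaxRecordSize value feeding an allocation size, stating that once in the description would make the three sections agree; that reading is inferred from the text, not stated by it.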
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-18.xml b/xml/htdocs/security/en/glsa/glsa-200608-18.xml new file mode 100644 index 00000000..ddc92b29 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-18.xml @@ -0,0 +1,66 @@ + + + + + + + Net::Server: Format string vulnerability + + A format string vulnerability has been reported in Net::Server which can be + exploited to cause a Denial of Service. + + net-server + August 10, 2006 + August 10, 2006: 01 + 142386 + remote + + + 0.88 + 0.88 + + + +

+ Net::Server is an extensible, generic Perl server engine. It is used by + several Perl applications like Postgrey. +

+
+ +

+ The log function of Net::Server does not handle format string + specifiers properly before they are sent to syslog. +

+
+ +

+ By sending a specially crafted datastream to an application using + Net::Server, an attacker could cause a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Net::Server should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-perl/net-server-0.88" +
+ + CVE-2005-1127 + + + falco + + + dizzutch + + + vorlon078 + +
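Review bot: The resolution text in glsa-200608-18.xml drops a word: `All Net::Server should upgrade to the latest version:` should read `All Net::Server users should upgrade to the latest version:`, matching the phrasing every other advisory in this commit uses. The description could also say that the issue is reachable through applications built on the library (the background section names Postgrey), since the impact sentence already frames it as `an application using Net::Server`.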
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-19.xml b/xml/htdocs/security/en/glsa/glsa-200608-19.xml new file mode 100644 index 00000000..91fcb383 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-19.xml @@ -0,0 +1,69 @@ + + + + + + + WordPress: Privilege escalation + + A flaw in WordPress allows registered WordPress users to elevate + privileges. + + wordpress + August 10, 2006 + December 13, 2006: 02 + 142142 + remote + + + 2.0.4 + 2.0.4 + + + +

+ WordPress is a PHP and MySQL based multiuser blogging system. +

+
+ +

+ The WordPress developers have confirmed a vulnerability in capability + checking for plugins. +

+
+ +

+ By exploiting a flaw, a user can circumvent WordPress access + restrictions when using plugins. The actual impact depends on the + configuration of WordPress and may range from trivial to critical, + possibly even the execution of arbitrary PHP code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All WordPress users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/wordpress-2.0.4" +
+ + CVE-2006-3389 + CVE-2006-3390 + CVE-2006-4028 + + + jaervosz + + + dizzutch + + + frilled + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-20.xml b/xml/htdocs/security/en/glsa/glsa-200608-20.xml new file mode 100644 index 00000000..7a22d363 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-20.xml @@ -0,0 +1,73 @@ + + + + + + + Ruby on Rails: Several vulnerabilities + + Ruby on Rails has some weaknesses potentially allowing a Denial of Service + and maybe the remote execution of arbitrary Ruby scripts. + + rails + August 14, 2006 + December 13, 2006: 02 + 143369 + remote + + + 1.1.6 + 1.1.6 + + + +

+ Ruby on Rails is an open-source web framework. +

+
+ +

+ The Ruby on Rails developers have corrected some weaknesses in + action_controller/, relative to the handling of the user input and the + LOAD_PATH variable. A remote attacker could inject arbitrary entries + into the LOAD_PATH variable and alter the main Ruby on Rails process. + The security hole has only been partly solved in version 1.1.5. Version + 1.1.6 now fully corrects it. +

+
+ +

+ A remote attacker that would exploit these weaknesses might cause a + Denial of Service of the web framework and maybe inject arbitrary Ruby + scripts. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ruby on Rails users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-ruby/rails-1.1.6" +
+ + Ruby on Rails original advisory (1.1.5) + Ruby on Rails update (1.1.6) + CVE-2006-4111 + CVE-2006-4112 + + + jaervosz + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-21.xml b/xml/htdocs/security/en/glsa/glsa-200608-21.xml new file mode 100644 index 00000000..9161435a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-21.xml @@ -0,0 +1,67 @@ + + + + + + + Heimdal: Multiple local privilege escalation vulnerabilities + + Certain Heimdal components, ftpd and rcp, are vulnerable to a local + privilege escalation. + + Heimdal + August 23, 2006 + August 23, 2006: 01 + 143371 + local + + + 0.7.2-r3 + 0.7.2-r3 + + + +

+ Heimdal is a free implementation of Kerberos 5. +

+
+ +

+ The ftpd and rcp applications provided by Heimdal fail to check the + return value of calls to seteuid(). +

+
+ +

+ A local attacker could exploit this vulnerability to execute arbitrary + code with elevated privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Heimdal users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/heimdal-0.7.2-r3" +
+ + Official advisory + CVE-2006-3083 + CVE-2006-3084 + + + koon + + + daxomatic + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-22.xml b/xml/htdocs/security/en/glsa/glsa-200608-22.xml new file mode 100644 index 00000000..697e2546 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-22.xml @@ -0,0 +1,71 @@ + + + + + + + fbida: Arbitrary command execution + + The fbgs script provided by fbida allows the execution of arbitrary code. + + fbida + August 23, 2006 + August 23, 2006: 01 + 141684 + remote + + + 2.03-r4 + 2.03-r4 + + + +

+ fbida is a collection of image viewers and editors for the framebuffer + console and X11. fbgs is a PostScript and PDF viewer for the linux + framebuffer console. +

+
+ +

+ Toth Andras has discovered a typographic mistake in the "fbgs" script, + shipped with fbida if the "fbcon" and "pdf" USE flags are both enabled. + This script runs "gs" without the -dSAFER option, thus allowing a + PostScript file to execute, delete or create any kind of file on the + system. +

+
+ +

+ A remote attacker can entice a vulnerable user to view a malicious + PostScript or PDF file with fbgs, which may result with the execution + of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All fbida users with the "fbcon" and "pdf" USE flags both enabled + should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/fbida-2.03-r4" +
+ + CVE-2006-3119 + + + jaervosz + + + falco + + + falco + +
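Review bot: The impact sentence in glsa-200608-22.xml has a preposition error: `which may result with the execution of arbitrary code` should be `which may result in the execution of arbitrary code`. The description's condition (`shipped with fbida if the "fbcon" and "pdf" USE flags are both enabled`) is worth restating in the synopsis, since the one-line summary currently implies every fbida install is affected while the resolution limits the upgrade advice to that USE flag combination.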
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-23.xml b/xml/htdocs/security/en/glsa/glsa-200608-23.xml new file mode 100644 index 00000000..fc223cd3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-23.xml @@ -0,0 +1,73 @@ + + + + + + + Heartbeat: Denial of Service + + Heartbeat is vulnerable to a Denial of Service which can be triggered by a + remote attacker without authentication. + + heartbeat + August 24, 2006 + September 22, 2006: 02 + 141894 + remote + + + 2.0.7 + 1.2.5 + 2.0.7 + + + +

+ Heartbeat is a component of the High-Availability Linux project. It is + used to perform death-of-node detection, communications and cluster + management. +

+
+ +

+ Yan Rong Ge discovered that the peel_netstring() function in + cl_netstring.c does not validate the "length" parameter of user input, + which can lead to an out-of-bounds memory access when processing + certain Heartbeat messages (CVE-2006-3121). Furthermore an unspecified + local DoS issue was fixed (CVE-2006-3815). +

+
+ +

+ By sending a malicious UDP Heartbeat message, even before + authentication, a remote attacker can crash the master control process + of the cluster. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Heartbeat users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose sys-cluster/heartbeat +
+ + CVE-2006-3121 + CVE-2006-3815 + + + jaervosz + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-24.xml b/xml/htdocs/security/en/glsa/glsa-200608-24.xml new file mode 100644 index 00000000..f5fe1192 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-24.xml @@ -0,0 +1,68 @@ + + + + + + + AlsaPlayer: Multiple buffer overflows + + AlsaPlayer is vulnerable to multiple buffer overflows which could lead to + the execution of arbitrary code. + + AlsaPlayer + August 26, 2006 + August 26, 2006: 01 + 143402 + remote + + + 0.99.76-r3 + + + +

+ AlsaPlayer is a heavily multithreaded PCM player that tries to utilize + ALSA utilities and drivers. As of June 2004, the project is inactive. +

+
+ +

+ AlsaPlayer contains three buffer overflows: in the function that + handles the HTTP connections, the GTK interface, and the CDDB querying + mechanism. +

+
+ +

+ An attacker could exploit the first vulnerability by enticing a user to + load a malicious URL resulting in the execution of arbitrary code with + the permissions of the user running AlsaPlayer. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ AlsaPlayer has been masked in Portage pending the resolution of these + issues. AlsaPlayer users are advised to uninstall the package until + further notice: +

+ + # emerge --ask --unmerge "media-sound/alsaplayer" +
+ + CVE-2006-4089 + + + falco + + + hlieberman + + + hlieberman + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-25.xml b/xml/htdocs/security/en/glsa/glsa-200608-25.xml new file mode 100644 index 00000000..f6f1715e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-25.xml @@ -0,0 +1,165 @@ + + + + + + + X.org and some X.org libraries: Local privilege escalations + + X.org, libX11, xdm, xf86dga, xinit, xload, xtrans, and xterm are vulnerable + to local privilege escalations because of unchecked setuid() calls. + + xorg-x11,xorg-server,xtrans,xload,xinit,xterm,xf86dga,xdm,libX11 + August 28, 2006 + December 13, 2006: 02 + 135974 + local + + + 1.0.4-r1 + 1.0.4-r1 + + + 1.0.2-r6 + 1.0.2-r6 + + + 1.0.1-r1 + 1.0.1-r1 + + + 1.0.1-r1 + 1.0.1-r1 + + + 6.8.2-r8 + 6.9.0-r2 + 6.9.0-r2 + + + 1.0.2-r6 + 1.1.0-r1 + 1.1.0-r1 + + + 1.0.1-r1 + 1.0.1-r1 + + + 1.0.0-r1 + 1.0.0-r1 + + + 215 + 215 + + + 7.0-r2 + 7.0-r2 + + + +

+ X.org is an implementation of the X Window System. +

+
+ +

+ Several X.org libraries and X.org itself contain system calls to + set*uid() functions, without checking their result. +

+
+ +

+ Local users could deliberately exceed their assigned resource limits + and elevate their privileges after an unsuccessful set*uid() system + call. This requires resource limits to be enabled on the machine. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All X.Org xdm users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-apps/xdm-1.0.4-r1" +

+ All X.Org xinit users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-apps/xinit-1.0.2-r6" +

+ All X.Org xload users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-apps/xload-1.0.1-r1" +

+ All X.Org xf86dga users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-apps/xf86dga-1.0.1-r1" +

+ All X.Org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-base/xorg-x11-6.9.0-r2" +

+ All X.Org X servers users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.1.0-r1" +

+ All X.Org X11 library users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/libx11-1.0.1-r1" +

+ All X.Org xtrans library users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/xtrans-1.0.1-r1" +

+ All xterm users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/xterm-215" +

+ All users of the X11R6 libraries for emulation of 32bit x86 on amd64 + should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-xlibs-7.0-r2" +

+ Please note that the fixed packages have been available for most + architectures since June 30th but the GLSA release was held up waiting + for the remaining architectures. +

+
+ + X.Org security advisory + CVE-2006-4447 + + + falco + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-26.xml b/xml/htdocs/security/en/glsa/glsa-200608-26.xml new file mode 100644 index 00000000..92af9282 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-26.xml @@ -0,0 +1,77 @@ + + + + + + + Wireshark: Multiple vulnerabilities + + Wireshark is vulnerable to several security issues that may lead to a + Denial of Service and/or the execution of arbitrary code. + + wireshark + August 29, 2006 + August 29, 2006: 01 + 144946 + remote + + + 0.99.3 + 0.99.3 + + + +

+ Wireshark is a feature-rich network protocol analyzer. +

+
+ +

+ The following vulnerabilities have been discovered in Wireshark. + Firstly, if the IPsec ESP parser is used it is susceptible to + off-by-one errors, this parser is disabled by default; secondly, the + SCSI dissector is vulnerable to an unspecified crash; and finally, the + Q.2931 dissector of the SSCOP payload may use all the available memory + if a port range is configured. By default, no port ranges are + configured. +

+
+ +

+ An attacker might be able to exploit these vulnerabilities, resulting + in a crash or the execution of arbitrary code with the permissions of + the user running Wireshark, possibly the root user. +

+
+ +

+ Disable the SCSI and Q.2931 dissectors with the "Analyse" and "Enabled + protocols" menus. Make sure the ESP decryption is disabled, with the + "Edit -> Preferences -> Protocols -> ESP" menu. +

+
+ +

+ All Wireshark users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-0.99.3" +
+ + CVE-2006-4330 + CVE-2006-4331 + CVE-2006-4332 + CVE-2006-4333 + Wireshark official advisory + + + jaervosz + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-27.xml b/xml/htdocs/security/en/glsa/glsa-200608-27.xml new file mode 100644 index 00000000..548f8b0a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-27.xml @@ -0,0 +1,76 @@ + + + + + + + Motor: Execution of arbitrary code + + Motor uses a vulnerable ktools library, which could lead to the execution + of arbitrary code. + + motor + August 29, 2006 + August 29, 2006: 01 + 135020 + remote + + + 3.3.0-r1 + 3.4.0-r1 + 3.4.0-r1 + + + +

+ Motor is a text mode based programming environment for Linux, with a + syntax highlighting feature, project manager, makefile generator, gcc + and gdb front-end, and CVS integration. +

+
+ +

+ In November 2005, Zone-H Research reported a boundary error in the + ktools library in the VGETSTRING() macro of kkstrtext.h, which may + cause a buffer overflow via an overly long input string. +

+
+ +

+ A remote attacker could entice a user to use a malicious file or input, + which could lead to the crash of Motor and possibly the execution of + arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Motor 3.3.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/motor-3.3.0-r1" +

+ All motor 3.4.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/motor-3.4.0-r1" +
+ + CVE-2005-3863 + + + jaervosz + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200608-28.xml b/xml/htdocs/security/en/glsa/glsa-200608-28.xml new file mode 100644 index 00000000..ee4b88bc --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200608-28.xml @@ -0,0 +1,80 @@ + + + + + + + PHP: Arbitary code execution + + PHP contains a function that, when used, could allow a remote attacker to + execute arbitrary code. + + php + August 29, 2006 + March 29, 2008: 05 + 143126 + remote + + + 4.4.3-r1 + 4.4.4-r4 + 4.4.6 + 4.4.7 + 4.4.8_pre20070816 + 5.1.4-r6 + 5.1.4-r6 + + + +

+ PHP is a widely-used general-purpose scripting language that is + especially suited for Web development and can be embedded into HTML. +

+
+ +

+ The sscanf() PHP function contains an array boundary error that can be + exploited to dereference a null pointer. This can possibly allow the + bypass of the safe mode protection by executing arbitrary code. +

+
+ +

+ A remote attacker might be able to exploit this vulnerability in PHP + applications making use of the sscanf() function, potentially resulting + in the execution of arbitrary code or the execution of scripted + contents in the context of the affected site. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHP 4.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-4.4.3-r1" +

+ All PHP 5.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-5.1.4-r6" +
+ + CVE-2006-4020 + + + jaervosz + + + falco + + + falco + +
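Review bot: The title of glsa-200608-28.xml is misspelled: `PHP: Arbitary code execution` should be `PHP: Arbitrary code execution`; the title is what the GLSA index and announcement mails show, so the typo propagates. The description asserts that a null pointer dereference in sscanf() allows bypassing safe mode by executing arbitrary code, which is a stronger claim than the `might be able to` wording of the impact section; consider aligning the two, or adding a reference beyond the CVE id if the original report supports the stronger statement.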
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-01.xml b/xml/htdocs/security/en/glsa/glsa-200609-01.xml new file mode 100644 index 00000000..d5021876 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-01.xml @@ -0,0 +1,69 @@ + + + + + + + Streamripper: Multiple remote buffer overflows + + Streamripper is vulnerable to multiple remote buffer overflows, leading to + the execution of arbitrary code. + + streamripper + September 06, 2006 + September 06, 2006: 01 + 144861 + remote + + + 1.61.26 + 1.61.26 + + + +

+ Streamripper extracts and records individual MP3 file tracks from + SHOUTcast streams. +

+
+ +

+ Ulf Harnhammar, from the Debian Security Audit Project, has found that + Streamripper is vulnerable to multiple stack based buffer overflows + caused by improper bounds checking when processing malformed HTTP + headers. +

+
+ +

+ By enticing a user to connect to a malicious server, an attacker could + execute arbitrary code with the permissions of the user running + Streamripper +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Streamripper users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/streamripper-1.61.26" +
+ + CVE-2006-3124 + + + jaervosz + + + daxomatic + + + jaervosz + +
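Review bot: The impact paragraph in glsa-200609-01.xml ends without a period: `the permissions of the user running Streamripper` should end `...running Streamripper.` so the rendered page does not show an unterminated sentence. The rest of the advisory follows the house phrasing and needs no change.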
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-02.xml b/xml/htdocs/security/en/glsa/glsa-200609-02.xml new file mode 100644 index 00000000..125b82d8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-02.xml @@ -0,0 +1,65 @@ + + + + + + + GTetrinet: Remote code execution + + GTetrinet is vulnerable to a remote buffer overflow, potentially leading to + arbitrary code execution. + + GTetrinet + September 06, 2006 + September 07, 2006: 02 + 144867 + remote + + + 0.7.10 + 0.7.10 + + + +

+ GTetrinet is a networked Tetris clone for GNOME 2. +

+
+ +

+ Michael Gehring has found that GTetrinet fails to properly handle array + indexes. +

+
+ +

+ An attacker can potentially execute arbitrary code by sending a + negative number of players to the server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GTetrinet users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-puzzle/gtetrinet-0.7.10" +
+ + CVE-2006-3125 + + + jaervosz + + + daxomatic + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-03.xml b/xml/htdocs/security/en/glsa/glsa-200609-03.xml new file mode 100644 index 00000000..2b192ac9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-03.xml @@ -0,0 +1,65 @@ + + + + + + + OpenTTD: Remote Denial of Service + + The OpenTTD server is vulnerable to a remote Denial of Service. + + openttd + September 06, 2006 + September 06, 2006: 01 + 131010 + remote + + + 0.4.8 + 0.4.8 + + + +

+ OpenTTD is a clone of Transport Tycoon Deluxe. +

+
+ +

+ OpenTTD is vulnerable to a Denial of Service attack due to a flaw in + the manner the game server handles errors in command packets. +

+
+ +

+ An authenticated attacker can cause a Denial of Service by sending an + invalid error number to a vulnerable OpenTTD server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenTTD users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-simulation/openttd-0.4.8" +
+ + CVE-2006-1998 + CVE-2006-1999 + + + jaervosz + + + daxomatic + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-04.xml b/xml/htdocs/security/en/glsa/glsa-200609-04.xml new file mode 100644 index 00000000..3933da40 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-04.xml @@ -0,0 +1,65 @@ + + + + + + + LibXfont: Multiple integer overflows + + A buffer overflow was discovered in the PCF font parser, potentially + resulting in the execution of arbitrary code. + + LibXfont + September 06, 2006 + September 06, 2006: 01 + 144092 + local + + + 1.2.0-r1 + 1.2.0-r1 + + + +

+ libXfont is the X.Org Xfont library, some parts are based on the + FreeType code base. +

+
+ +

+ Several integer overflows have been found in the PCF font parser. +

+
+ +

+ A local attacker could possibly execute arbitrary code or crash the + Xserver by enticing a user to load a specially crafted PCF font file. +

+
+ +

+ Do not use untrusted PCF Font files. +

+
+ +

+ All libXfont users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.2.0-r1" +
+ + CVE-2006-3467 + + + falco + + + daxomatic + + + jaervosz + +
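Review bot: In glsa-200609-04.xml the title says `Multiple integer overflows` and the description says `Several integer overflows`, but the synopsis says `A buffer overflow was discovered in the PCF font parser`. Align the synopsis with the other two sections, e.g. `Several integer overflows were discovered in the PCF font parser, potentially resulting in the execution of arbitrary code.` The same mismatch appears in glsa-200609-07.xml, whose synopsis says `Some buffer overflows` under a title of `Multiple integer overflows`.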
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-05.xml b/xml/htdocs/security/en/glsa/glsa-200609-05.xml new file mode 100644 index 00000000..02a10f79 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-05.xml @@ -0,0 +1,79 @@ + + + + + + + OpenSSL, AMD64 x86 emulation base libraries: RSA signature forgery + + OpenSSL fails to properly validate PKCS #1 v1.5 signatures. + + openssl + September 07, 2006 + September 08, 2006: 02 + 146375 + 146438 + remote + + + 0.9.7k + 0.9.7k + + + 2.5.2 + 2.5.2 + + + +

+ OpenSSL is a toolkit implementing the Secure Sockets Layer, Transport + Layer Security protocols and a general-purpose cryptography library. + The x86 emulation base libraries for AMD64 contain a vulnerable version + of OpenSSL. +

+
+ +

+ Daniel Bleichenbacher discovered that it might be possible to forge + signatures signed by RSA keys with the exponent of 3. +

+
+ +

+ Since several CAs are using an exponent of 3 it might be possible for + an attacker to create a key with a false CA signature. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSSL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.7k" +

+ All AMD64 x86 emulation base libraries users should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-baselibs-2.5.2" +
+ + CVE-2006-4339 + + + jaervosz + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-06.xml b/xml/htdocs/security/en/glsa/glsa-200609-06.xml new file mode 100644 index 00000000..8ebe8a20 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-06.xml @@ -0,0 +1,67 @@ + + + + + + + AdPlug: Multiple vulnerabilities + + Multiple heap and buffer overflows exist in AdPlug. + + adplug + September 12, 2006 + September 12, 2006: 01 + 139593 + local + + + 2.0.1 + 2.0.1 + + + +

+ AdPlug is a free, cross-platform, and hardware-independent AdLib sound + player library. +

+
+ +

+ AdPlug is vulnerable to buffer and heap overflows when processing the + following types of files: CFF, MTK, DMO, U6M, DTM, and S3M. +

+
+ +

+ By enticing a user to load a specially crafted file, an attacker could + execute arbitrary code with the privileges of the user running AdPlug. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All AdPlug users should update to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/adplug-2.0.1" +
+ + BugTraq Announcement + CVE-2006-3581 + CVE-2006-3582 + + + jaervosz + + + hlieberman + + + hlieberman + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-07.xml b/xml/htdocs/security/en/glsa/glsa-200609-07.xml new file mode 100644 index 00000000..2e12744c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-07.xml @@ -0,0 +1,77 @@ + + + + + + + LibXfont, monolithic X.org: Multiple integer overflows + + Some buffer overflows were discovered in the CID font parser, potentially + resulting in the execution of arbitrary code with elevated privileges. + + libxfont + September 13, 2006 + September 13, 2006: 01 + 145513 + local and remote + + + 1.2.1 + 1.2.1 + + + 7.0 + 7.0 + + + +

+ libXfont is the X.Org Xfont library, some parts are based on the + FreeType code base. +

+
+ +

+ Several integer overflows have been found in the CID font parser. +

+
+ +

+ A remote attacker could exploit this vulnerability by enticing a user + to load a malicious font file resulting in the execution of arbitrary + code with the permissions of the user running the X server which + typically is the root user. A local user could exploit this + vulnerability to gain elevated privileges. +

+
+ +

+ Disable CID-encoded Type 1 fonts by removing the "type1" module and + replacing it with the "freetype" module in xorg.conf. +

+
+ +

+ All libXfont users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.2.1" +

+ All monolithic X.org users are advised to migrate to modular X.org. +

+
+ + CVE-2006-3739 + CVE-2006-3740 + + + frilled + + + jaervosz + + + jaervosz + +
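Review bot: The resolution section ends after the emerge command and gives no reminder to rebuild applications linked against the updated library, whereas glsa-200610-06 (NSS) later in this commit carries such a paragraph for the same situation. If that paragraph is the site's convention for library advisories, add it after the emerge block: `Note: As usual after updating a library, you should run 'revdep-rebuild' (from the app-portage/gentoolkit package) to ensure that all applications linked to it are properly rebuilt.` The same omission appears in the other library advisories in this commit, 200609-08 (xine-lib), 200609-09 (FFmpeg), 200609-15 (GnuTLS) and 200610-09 (libmusicbrainz).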
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-08.xml b/xml/htdocs/security/en/glsa/glsa-200609-08.xml new file mode 100644 index 00000000..1ff0c297 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-08.xml @@ -0,0 +1,71 @@ + + + + + + + xine-lib: Buffer overflows + + xine-lib is vulnerable to multiple buffer overflows that could be exploited + to execute arbitrary code. + + xine-lib + September 13, 2006 + September 13, 2006: 01 + 133520 + remote + + + 1.1.2-r2 + 1.1.2-r2 + + + +

+ xine is a high performance, portable and reusable multimedia playback + engine. xine-lib is xine's core engine. +

+
+ +

+ xine-lib contains buffer overflows in the processing of AVI. + Additionally, xine-lib is vulnerable to a buffer overflow in the HTTP + plugin (xineplug_inp_http.so) via a long reply from an HTTP server. +

+
+ +

+ An attacker could trigger the buffer overflow vulnerabilities by + enticing a user to load a specially crafted AVI file in xine. This + might result in the execution of arbitrary code with the rights of the + user running xine. Additionally, a remote HTTP server serving a xine + client a specially crafted reply could crash xine and possibly execute + arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.2-r2" +
+ + CVE-2006-2802 + + + falco + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-09.xml b/xml/htdocs/security/en/glsa/glsa-200609-09.xml new file mode 100644 index 00000000..04efadcc --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-09.xml @@ -0,0 +1,64 @@ + + + + + + + FFmpeg: Buffer overflows + + FFmpeg is vulnerable to multiple buffer overflows that might be exploited + to execute arbitrary code. + + ffmpeg + September 13, 2006 + December 13, 2006: 02 + 133520 + remote + + + 0.4.9_p20060530 + 0.4.9_p20060530 + + + +

+ FFmpeg is a very fast video and audio converter. +

+
+ +

+ FFmpeg contains buffer overflows in the AVI processing code. +

+
+ +

+ An attacker could trigger the buffer overflows by enticing a user to + load a specially crafted AVI file in an application using the FFmpeg + library. This might result in the execution of arbitrary code in the + context of the running application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FFmpeg users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-0.4.9_p20060530" +
+ + CVE-2006-4799 + CVE-2006-4800 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-10.xml b/xml/htdocs/security/en/glsa/glsa-200609-10.xml new file mode 100644 index 00000000..b28353a9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-10.xml @@ -0,0 +1,71 @@ + + + + + + + DokuWiki: Arbitrary command execution + + Vulnerabilities in some accessory scripts of DokuWiki allow remote code + execution. + + dokuwiki + September 14, 2006 + September 14, 2006: 01 + 146800 + remote + + + 20060309d + 20060309d + + + +

+ DokuWiki is a wiki targeted at developer teams, workgroups and small + companies. It does not use a database backend. +

+
+ +

+ "rgod" discovered that DokuWiki doesn't sanitize the X-FORWARDED-FOR + HTTP header, allowing the injection of arbitrary contents - such as PHP + commands - into a file. Additionally, the accessory scripts installed + in the "bin" DokuWiki directory are vulnerable to directory traversal + attacks, allowing to copy and execute the previously injected code. +

+
+ +

+ A remote attacker may execute arbitrary PHP (and thus probably system) + commands with the permissions of the user running the process serving + DokuWiki pages. +

+
+ +

+ Disable remote access to the "bin" subdirectory of the DokuWiki + installation. Remove the directory if you don't use the scripts in + there. +

+
+ +

+ All DokuWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20060309d" +
+ + CVE-2006-4674 + CVE-2006-4675 + CVE-2006-4679 + + + frilled + + + frilled + +
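Review bot: The last sentence of the description, `attacks, allowing to copy and execute the previously injected code`, is missing its subject and reads awkwardly; `attacks, allowing an attacker to copy and execute the previously injected code` says the same thing grammatically. The workaround section is otherwise clear and matches the resolution.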
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-11.xml b/xml/htdocs/security/en/glsa/glsa-200609-11.xml new file mode 100644 index 00000000..df5d9fd0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-11.xml @@ -0,0 +1,81 @@ + + + + + + + BIND: Denial of Service + + ISC BIND contains two vulnerabilities allowing a Denial of Service under + certain conditions. + + bind + September 15, 2006 + September 15, 2006: 01 + 146486 + remote + + + 9.3.2-r4 + 9.2.6-r4 + 9.3.2-r4 + + + +

+ ISC BIND is the Internet Systems Consortium implementation of the + Domain Name System (DNS) protocol. +

+
+ +

+ Queries for SIG records will cause an assertion error if more than one + SIG RRset is returned. Additionally, an INSIST failure can be triggered + by sending multiple recursive queries if the response to the query + arrives after all the clients looking for the response have left the + recursion queue. +

+
+ +

+ An attacker having access to a recursive server can crash the server by + querying the SIG records where there are multiple SIG RRsets, or by + sending many recursive queries in a short time. The exposure can be + lowered by restricting the clients that can ask for recursion. An + attacker can also crash an authoritative server serving a DNSSEC zone + in which there are multiple SIG RRsets. +

+
+ +

+ There are no known workarounds at this time. +

+
+ +

+ All BIND 9.3 users should update to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/bind-9.3.2-r4" +

+ All BIND 9.2 users should update to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/bind-9.2.6-r4" +
+ + CVE-2006-4095 + CVE-2006-4096 + + + falco + + + falco + + + jaervosz + +
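Review bot: The workaround section states `There are no known workarounds at this time.` while the impact section two paragraphs earlier says `The exposure can be lowered by restricting the clients that can ask for recursion.`; the two statements should agree so that an administrator reading only the workaround section is not misled. Either move that mitigation into the workaround section, e.g. `Restricting the clients that are allowed to perform recursive queries lowers the exposure of recursive servers; authoritative servers serving DNSSEC zones with multiple SIG RRsets remain affected.`, or reword the workaround as "no complete workaround". The two emerge blocks for the 9.3 and 9.2 branches are consistent with the unaffected versions listed in the header.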
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-12.xml b/xml/htdocs/security/en/glsa/glsa-200609-12.xml new file mode 100644 index 00000000..b434ebf6 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-12.xml @@ -0,0 +1,70 @@ + + + + + + + Mailman: Multiple vulnerabilities + + Mailman has multiple vulnerable that can result in Denial of Service, log + file injection and XSS. + + mailman + September 19, 2006 + September 19, 2006: 01 + 139976 + remote + + + 2.1.9_rc1 + 2.1.9_rc1 + + + +

+ Mailman is a Python based mailing list server with an extensive web + interface. +

+
+ +

+ Mailman fails to properly handle standards-breaking RFC 2231 formatted + headers. Furthermore, Moritz Naumann discovered several XSS + vulnerabilities and a log file injection. +

+
+ +

+ An attacker could exploit these vulnerabilities to cause Mailman to + stop processing mails, to inject content into the log file or to + execute arbitrary scripts running in the context of the administrator + or mailing list user's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mailman users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/mailman-2.1.9_rc1" +
+ + CVE-2006-2941 + CVE-2006-3636 + + + jaervosz + + + jaervosz + + + jaervosz + +
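Review bot: The synopsis reads `Mailman has multiple vulnerable that can result in Denial of Service, log file injection and XSS.`, which is ungrammatical and will be shown verbatim in the advisory index. It should read `Mailman has multiple vulnerabilities that can result in Denial of Service, log file injection and XSS.` Nothing else in the hunk needs changing.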
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-13.xml b/xml/htdocs/security/en/glsa/glsa-200609-13.xml new file mode 100644 index 00000000..dba5730a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-13.xml @@ -0,0 +1,79 @@ + + + + + + + gzip: Multiple vulnerabilities + + gzip is affected by multiple vulnerabilities, including buffer overflows + and infinite loops, possibly allowing the execution of arbitrary code. + + gzip + September 23, 2006 + September 23, 2006: 01 + 145511 + remote + + + 1.3.5-r9 + 1.3.5-r9 + + + +

+ gzip, the GNU zip compression utility, is a free and patent + unencumbered replacement for the standard compress utility. +

+
+ +

+ Tavis Ormandy of the Google Security Team has reported multiple + vulnerabilities in gzip. A stack buffer modification vulnerability was + discovered in the LZH decompression code, where a pathological data + stream may result in the modification of stack data such as frame + pointer, return address or saved registers. A static buffer underflow + was discovered in the pack decompression support, allowing a specially + crafted pack archive to underflow a .bss buffer. A static buffer + overflow was uncovered in the LZH decompression code, allowing a data + stream consisting of pathological huffman codes to overflow a .bss + buffer. Multiple infinite loops were also uncovered in the LZH + decompression code. +

+
+ +

+ A remote attacker may create a specially crafted gzip archive, which + when decompressed by a user or automated system exectues arbitrary code + with the privileges of the user id invoking gzip. The infinite loops + may be abused by an attacker to disrupt any automated systems invoking + gzip to handle data decompression. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All gzip users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/gzip-1.3.5-r9" +
+ + CVE-2006-4334 + CVE-2006-4335 + CVE-2006-4336 + CVE-2006-4337 + CVE-2006-4338 + + + taviso + + + jaervosz + +
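Review bot: The impact section misspells "executes" in `when decompressed by a user or automated system exectues arbitrary code`; it should read `when decompressed by a user or automated system executes arbitrary code`. The description is otherwise a faithful summary of the five referenced CVEs, and the resolution matches the unaffected version in the header.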
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-14.xml b/xml/htdocs/security/en/glsa/glsa-200609-14.xml new file mode 100644 index 00000000..980f83b9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-14.xml @@ -0,0 +1,72 @@ + + + + + + + ImageMagick: Multiple Vulnerabilities + + Multiple buffer overflows have been discovered in ImageMagick, which could + potentially result in the execution of arbitrary code. + + Imagemagick + September 26, 2006 + September 26, 2006: 01 + 144091 + 143533 + remote + + + 6.2.9.5 + 6.2.9.5 + + + +

+ ImageMagick is a free software suite to manipulate, convert, and create + many image formats. +

+
+ +

+ Tavis Ormandy of the Google Security Team discovered a stack and heap + buffer overflow in the GIMP XCF Image decoder and multiple heap and + integer overflows in the SUN bitmap decoder. Damian Put discovered a + heap overflow in the SGI image decoder. +

+
+ +

+ An attacker may be able to create a specially crafted image that, when + processed with ImageMagick, executes arbitrary code with the privileges + of the executing user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ImageMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.2.9.5" +
+ + CVE-2006-3743 + CVE-2006-3744 + CVE-2006-4144 + + + jaervosz + + + taviso + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-15.xml b/xml/htdocs/security/en/glsa/glsa-200609-15.xml new file mode 100644 index 00000000..894b5318 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-15.xml @@ -0,0 +1,67 @@ + + + + + + + GnuTLS: RSA Signature Forgery + + GnuTLS fails to handle excess data which could allow an attacker to forge a + PKCS #1 v1.5 signature. + + gnutls + September 26, 2006 + September 26, 2006: 01 + 147682 + remote + + + 1.4.4 + 1.4.4 + + + +

+ GnuTLS is an implementation of SSL 3.0 and TLS 1.0. +

+
+ +

+ verify.c fails to properly handle excess data in + digestAlgorithm.parameters field while generating a hash when using an + RSA key with exponent 3. RSA keys that use exponent 3 are commonplace. +

+
+ +

+ Remote attackers could forge PKCS #1 v1.5 signatures that are signed + with an RSA key, preventing GnuTLS from correctly verifying X.509 and + other certificates that use PKCS. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GnuTLS users should update both packages: +

+ + # emerge --sync + # emerge --update --ask --verbose ">=net-libs/gnutls-1.4.4" +
+ + CVE-2006-4790 + + + jaervosz + + + hlieberman + + + falco + +
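Review bot: The resolution section says `All GnuTLS users should update both packages:` but lists only one emerge command, for net-libs/gnutls, so the reader cannot tell which second package is meant; either add the second package with its own command or change the sentence to `All GnuTLS users should upgrade to the latest version:`. The command itself uses `emerge --update --ask --verbose` where every other advisory in this commit uses `emerge --ask --oneshot --verbose`; without --oneshot the package is recorded in the world file, which is presumably unintended here and is worth aligning with the others.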
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-16.xml b/xml/htdocs/security/en/glsa/glsa-200609-16.xml new file mode 100644 index 00000000..4378261d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-16.xml @@ -0,0 +1,71 @@ + + + + + + + Tikiwiki: Arbitrary command execution + + Tikiwiki contains a cross-site scripting (XSS) vulnerability as well as a + second vulnerability which may allow remote execution of arbitrary code. + + tikiwiki + September 26, 2006 + September 26, 2006: 01 + 145714 + remote + + + 1.9.5 + 1.9.5 + + + +

+ Tikiwiki is a web-based groupware and content management system, + developed with PHP, ADOdb and Smarty. +

+
+ +

+ A vulnerability in jhot.php allows for an unrestricted file upload to + the img/wiki/ directory. Additionally, an XSS exists in the highlight + parameter of tiki-searchindex.php. +

+
+ +

+ An attacker could execute arbitrary code with the rights of the user + running the web server by uploading a file and executing it via a + filepath parameter. The XSS could be exploited to inject and execute + malicious script code or to steal cookie-based authentication + credentials, potentially compromising the victim's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Tikiwiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --oneshot --verbose --ask ">=www-apps/tikiwiki-1.9.5" +
+ + CVE-2006-4299 + CVE-2006-4602 + + + jaervosz + + + hlieberman + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-17.xml b/xml/htdocs/security/en/glsa/glsa-200609-17.xml new file mode 100644 index 00000000..9b10b97e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-17.xml @@ -0,0 +1,66 @@ + + + + + + + OpenSSH: Denial of Service + + A flaw in the OpenSSH daemon allows remote unauthenticated attackers to + cause a Denial of Service. + + openssh + September 27, 2006 + September 27, 2006: 02 + 148228 + remote + + + 4.3_p2-r5 + 4.3_p2-r5 + + + +

+ OpenSSH is a free suite of applications for the SSH protocol, developed + and maintained by the OpenBSD project. +

+
+ +

+ Tavis Ormandy of the Google Security Team discovered a Denial of + Service vulnerability in the SSH protocol version 1 CRC compensation + attack detector. +

+
+ +

+ A remote unauthenticated attacker may be able to trigger excessive CPU + usage by sending a pathological SSH message, denying service to other + legitimate users or processes. +

+
+ +

+ The system administrator may disable SSH protocol version 1 in + /etc/ssh/sshd_config. +

+
+ +

+ All OpenSSH users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/openssh-4.3_p2-r5" +
+ + CVE-2006-4924 + + + taviso + + + vorlon078 + +
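Review bot: The workaround section tells the administrator to disable SSH protocol version 1 in /etc/ssh/sshd_config without naming the directive, which makes the mitigation harder to act on than it needs to be. Stating it explicitly, e.g. `The system administrator may disable SSH protocol version 1 by setting 'Protocol 2' in /etc/ssh/sshd_config and restarting sshd.`, lets the reader apply it without consulting the manual. The rest of the hunk is consistent with the referenced CVE.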
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-18.xml b/xml/htdocs/security/en/glsa/glsa-200609-18.xml new file mode 100644 index 00000000..98e800c6 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-18.xml @@ -0,0 +1,67 @@ + + + + + + + Opera: RSA signature forgery + + Opera fails to correctly verify certain signatures. + + opera + September 28, 2006 + September 28, 2006: 02 + 147838 + remote + + + 9.02 + 9.02 + + + +

+ Opera is a multi-platform web browser. +

+
+ +

+ Opera makes use of OpenSSL, which fails to correctly verify PKCS #1 + v1.5 RSA signatures signed by a key with exponent 3. Some CAs in + Opera's list of trusted signers are using root certificates with + exponent 3. +

+
+ +

+ An attacker could forge certificates which will appear valid and signed + by a trusted CA. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Opera users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/opera-9.02" +
+ + Opera Advisory + GLSA 200609-05 + + + jaervosz + + + vorlon078 + + + vorlon078 + +
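Review bot: The references list only the Opera advisory and GLSA 200609-05 and carry no CVE identifier, although the description attributes the flaw to OpenSSL's handling of PKCS #1 v1.5 signatures with exponent 3. The NSS advisory glsa-200610-06 later in this commit, which describes the same exponent-3 forgery, cites CVE-2006-4339 and CVE-2006-4340; if the Opera fix is tracked under one of those identifiers it should be added here so the advisory can be found by CVE. If Opera's fix has no CVE of its own, a sentence in the description saying so would avoid the question.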
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-19.xml b/xml/htdocs/security/en/glsa/glsa-200609-19.xml new file mode 100644 index 00000000..64ada8b7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-19.xml @@ -0,0 +1,81 @@ + + + + + + + Mozilla Firefox: Multiple vulnerabilities + + The Mozilla Foundation has reported numerous vulnerabilities in Mozilla + Firefox, including one that may allow execution of arbitrary code. + + Firefox + September 28, 2006 + September 28, 2006: 01 + 147652 + remote + + + 1.5.0.7 + 1.5.0.7 + + + 1.5.0.7 + 1.5.0.7 + + + +

+ Mozilla Firefox is a redesign of the Mozilla Navigator component. The + goal is to produce a cross-platform, stand-alone browser application. +

+
+ +

+ A number of vulnerabilities were found and fixed in Mozilla Firefox. + For details please consult the references below. +

+
+ +

+ The most severe vulnerability involves enticing a user to visit a + malicious website, crashing the browser and executing arbitrary code + with the rights of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.7" +

+ Users of the binary package should upgrade as well: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.7" +
+ + CVE-2006-4253 + CVE-2006-4340 + CVE-2006-4565 + CVE-2006-4566 + CVE-2006-4567 + CVE-2006-4568 + CVE-2006-4569 + CVE-2006-4571 + + + frilled + + + frilled + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200609-20.xml b/xml/htdocs/security/en/glsa/glsa-200609-20.xml new file mode 100644 index 00000000..e33e9134 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200609-20.xml @@ -0,0 +1,69 @@ + + + + + + + DokuWiki: Shell command injection and Denial of Service + + DokuWiki is vulnerable to shell command injection and Denial of Service + attacks when using ImageMagick. + + dokuwiki + September 28, 2006 + December 13, 2006: 02 + 149266 + remote + + + 20060309e + 20060309e + + + +

+ DokuWiki is a wiki targeted at developer teams, workgroups and small + companies. It does not use a database backend. +

+
+ +

+ Input validation flaws have been discovered in the image handling of + fetch.php if ImageMagick is used, which is not the default method. +

+
+ +

+ A remote attacker could exploit the flaws to execute arbitrary shell + commands with the rights of the web server daemon or cause a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All DokuWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20060309e" +
+ + DokuWiki Announcement + CVE-2006-5098 + CVE-2006-5099 + + + vorlon078 + + + vorlon078 + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-01.xml b/xml/htdocs/security/en/glsa/glsa-200610-01.xml new file mode 100644 index 00000000..a336c0b1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-01.xml @@ -0,0 +1,85 @@ + + + + + + + Mozilla Thunderbird: Multiple vulnerabilities + + The Mozilla Foundation has reported multiple security vulnerabilities + related to Mozilla Thunderbird. + + thunderbird + October 04, 2006 + October 04, 2006: 01 + 147653 + remote + + + 1.5.0.7 + 1.5.0.7 + + + 1.5.0.7 + 1.5.0.7 + + + +

+ The Mozilla Thunderbird mail client is a redesign of the Mozilla Mail + component. +

+
+ +

+ A number of vulnerabilities have been found and fixed in Mozilla + Thunderbird. For details please consult the references below. +

+
+ +

+ The most severe vulnerabilities might lead to the execution of + arbitrary code with the rights of the user running the application. + Other vulnerabilities include program crashes and the acceptance of + forged certificates. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Thunderbird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.5.0.7" +

+ All Mozilla Thunderbird binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.5.0.7" +
+ + CVE-2006-4253 + CVE-2006-4340 + CVE-2006-4565 + CVE-2006-4566 + CVE-2006-4567 + CVE-2006-4570 + CVE-2006-4571 + + + vorlon078 + + + vorlon078 + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-02.xml b/xml/htdocs/security/en/glsa/glsa-200610-02.xml new file mode 100644 index 00000000..5e9ed685 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-02.xml @@ -0,0 +1,69 @@ + + + + + + + Adobe Flash Player: Arbitrary code execution + + Multiple input validation errors have been identified that allow arbitrary + code execution on a user's system via the handling of malicious Flash + files. + + Flash + October 04, 2006 + May 28, 2009: 02 + 147421 + remote + + + 7.0.68 + 7.0.68 + + + +

+ The Adobe Flash Player is a renderer for Flash files - commonly used to + provide interactive websites, digital experiences and mobile content. +

+
+ +

+ The Adobe Flash Player contains multiple unspecified vulnerabilities. +

+
+ +

+ An attacker could entice a user to view a malicious Flash file and + execute arbitrary code with the rights of the user running the player. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Flash Player users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-7.0.68" +
+ + Adobe Security Bulletin + CVE-2006-3311 + CVE-2006-3587 + CVE-2006-3588 + + + vorlon078 + + + plasmaroo + + + plasmaroo + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-03.xml b/xml/htdocs/security/en/glsa/glsa-200610-03.xml new file mode 100644 index 00000000..34d138b1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-03.xml @@ -0,0 +1,68 @@ + + + + + + + ncompress: Buffer Underflow + + A buffer underflow vulnerability has been reported in ncompress allowing + for the execution of arbitrary code. + + ncompress + October 06, 2006 + October 06, 2006: 01 + 141728 + remote + + + 4.2.4.1 + 4.2.4.1 + + + +

+ ncompress is a suite of utilities to create and extract + Lempel-Ziff-Welch (LZW) compressed archives. +

+
+ +

+ Tavis Ormandy of the Google Security Team discovered a static buffer + underflow in ncompress. +

+
+ +

+ An attacker could create a specially crafted LZW archive, that when + decompressed by a user or automated system would result in the + execution of arbitrary code with the permissions of the user invoking + the utility. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ncompress users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/ncompress-4.2.4.1" +
+ + CVE-2006-1168 + + + vorlon078 + + + taviso + + + falco + +
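Review bot: The description misspells the algorithm name in `Lempel-Ziff-Welch (LZW) compressed archives`; it should read `Lempel-Ziv-Welch (LZW) compressed archives`. The impact wording otherwise mirrors the gzip advisory 200609-13 in this commit, which is appropriate given the shared reporter and class of bug.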
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-04.xml b/xml/htdocs/security/en/glsa/glsa-200610-04.xml new file mode 100644 index 00000000..cd3ed395 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-04.xml @@ -0,0 +1,70 @@ + + + + + + + Seamonkey: Multiple vulnerabilities + + The Seamonkey project has reported multiple security vulnerabilities in the + application. + + seamonkey + October 16, 2006 + October 16, 2006: 01 + 147651 + remote + + + 1.0.5 + 1.0.5 + + + +

+ The SeaMonkey project is a community effort to deliver + production-quality releases of code derived from the application + formerly known as 'Mozilla Application Suite'. +

+
+ +

+ A number of vulnerabilities have been found and fixed in Seamonkey. For + details please consult the references below. +

+
+ +

+ The most severe vulnerability involves enticing a user to visit a + malicious website, crashing the application and executing arbitrary + code with the rights of the user running Seamonkey. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Seamonkey users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.0.5" +
+ + CVE-2006-4253 + CVE-2006-4565 + CVE-2006-4566 + CVE-2006-4568 + CVE-2006-4570 + CVE-2006-4571 + + + frilled + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-05.xml b/xml/htdocs/security/en/glsa/glsa-200610-05.xml new file mode 100644 index 00000000..1ddc79a3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-05.xml @@ -0,0 +1,66 @@ + + + + + + + CAPI4Hylafax fax receiver: Execution of arbitrary code + + CAPI4Hylafax allows remote attackers to execute arbitrary commands. + + capi4hylafax + October 17, 2006 + October 17, 2006: 01 + 145982 + remote + + + 01.03.00.99.300.3-r1 + 01.03.00.99.300.3-r1 + + + +

+ CAPI4Hylafax makes it possible to send and receive faxes via CAPI and + AVM Fritz!Cards. +

+
+ +

+ Lionel Elie Mamane discovered an error in c2faxrecv, which doesn't + properly sanitize TSI strings when handling incoming calls. +

+
+ +

+ A remote attacker can send null (\0) and shell metacharacters in the + TSI string from an anonymous fax number, leading to the execution of + arbitrary code with the rights of the user running c2faxrecv. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CAPI4Hylafax users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/capi4hylafax-01.03.00.99.300.3-r1" +
+ + CVE-2006-3126 + + + vorlon078 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-06.xml b/xml/htdocs/security/en/glsa/glsa-200610-06.xml new file mode 100644 index 00000000..d8bed652 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-06.xml @@ -0,0 +1,75 @@ + + + + + + + Mozilla Network Security Service (NSS): RSA signature forgery + + NSS fails to properly validate PKCS #1 v1.5 signatures. + + nss + October 17, 2006 + October 17, 2006: 01 + 148283 + remote + + + 3.11.3 + 3.11.3 + + + +

+ The Mozilla Network Security Service is a library implementing security + features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, + S/MIME and X.509 certificates. +

+
+ +

+ Daniel Bleichenbacher discovered that it might be possible to forge + signatures signed by RSA keys with the exponent of 3. This affects a + number of RSA signature implementations, including Mozilla's NSS. +

+
+ +

+ Since several Certificate Authorities (CAs) are using an exponent of 3 + it might be possible for an attacker to create a key with a false CA + signature. This impacts any software using the NSS library, like the + Mozilla products Firefox, Thunderbird and Seamonkey. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All NSS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/nss-3.11.3" +

+ Note: As usual after updating a library, you should run + 'revdep-rebuild' (from the app-portage/gentoolkit package) to ensure + that all applications linked to it are properly rebuilt. +

+
+ + CVE-2006-4339 + CVE-2006-4340 + + + frilled + + + vorlon078 + + + frilled + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-07.xml b/xml/htdocs/security/en/glsa/glsa-200610-07.xml new file mode 100644 index 00000000..940320f0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-07.xml @@ -0,0 +1,70 @@ + + + + + + + Python: Buffer Overflow + + A buffer overflow in Python's "repr()" function can be exploited to cause a + Denial of Service and potentially allows the execution of arbitrary code. + + python + October 17, 2006 + February 26, 2007: 03 + 149065 + remote + + + 2.4.3-r4 + 2.3.5-r3 + 2.3.6 + 2.4.3-r4 + + + +

+ Python is an interpreted, interactive, object-oriented, cross-platform + programming language. +

+
+ +

+ Benjamin C. Wiley Sittler discovered a buffer overflow in Python's + "repr()" function when handling UTF-32/UCS-4 encoded strings. +

+
+ +

+ If a Python application processes attacker-supplied data with the + "repr()" function, this could potentially lead to the execution of + arbitrary code with the privileges of the affected application or a + Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Python users should update to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.3-r4" +
+ + CVE-2006-4980 + + + jaervosz + + + DerCorny + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-08.xml b/xml/htdocs/security/en/glsa/glsa-200610-08.xml new file mode 100644 index 00000000..04a2f54f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-08.xml @@ -0,0 +1,63 @@ + + + + + + + Cscope: Multiple buffer overflows + + Cscope is vulnerable to multiple buffer overflows that could lead to the + execution of arbitrary code. + + cscope + October 20, 2006 + October 20, 2006: 01 + 144869 + remote + + + 15.5.20060927 + 15.5.20060927 + + + +

+ Cscope is a developer's tool for browsing source code. +

+
+ +

+ Unchecked use of strcpy() and *scanf() leads to several buffer + overflows. +

+
+ +

+ A user could be enticed to open a carefully crafted file which would + allow the attacker to execute arbitrary code with the permissions of + the user running Cscope. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cscope users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/cscope-15.5.20060927" +
+ + CVE-2006-4262 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-09.xml b/xml/htdocs/security/en/glsa/glsa-200610-09.xml new file mode 100644 index 00000000..dbc22dbe --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-09.xml @@ -0,0 +1,69 @@ + + + + + + + libmusicbrainz: Multiple buffer overflows + + Multiple buffer overflows have been found in libmusicbrainz, which could + lead to a Denial of Service or possibly the execution of arbitrary code. + + libmusicbrainz + October 22, 2006 + October 22, 2006: 01 + 144089 + remote + + + 2.1.4 + 2.1.4 + + + +

+ libmusicbrainz is a client library used to access MusicBrainz music + meta data. +

+
+ +

+ Luigi Auriemma reported a possible buffer overflow in the + MBHttp::Download function of lib/http.cpp as well as several possible + buffer overflows in lib/rdfparse.c. +

+
+ +

+ A remote attacker could be able to execute arbitrary code or cause + Denial of Service by making use of an overly long "Location" header in + an HTTP redirect message from a malicious server or a long URL in + malicious RDF feeds. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libmusicbrainz users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/musicbrainz-2.1.4" +
+ + CVE-2006-4197 + + + falco + + + vorlon078 + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-10.xml b/xml/htdocs/security/en/glsa/glsa-200610-10.xml new file mode 100644 index 00000000..6414cdb5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-10.xml @@ -0,0 +1,67 @@ + + + + + + + ClamAV: Multiple Vulnerabilities + + ClamAV is vulnerable to a heap-based buffer overflow potentially allowing + remote execution of arbitrary code and a Denial of Service. + + clamav + October 24, 2006 + October 24, 2006: 01 + 151561 + remote + + + 0.88.5 + 0.88.5 + + + +

+ ClamAV is a GPL virus scanner. +

+
+ +

+ Damian Put and an anonymous researcher reported a potential heap-based + buffer overflow vulnerability in rebuildpe.c responsible for the + rebuilding of an unpacked PE file, and a possible crash in chmunpack.c + in the CHM unpacker. +

+
+ +

+ By sending a malicious attachment to a mail server running ClamAV, or + providing a malicious file to ClamAV through any other method, a remote + attacker could cause a Denial of Service and potentially the execution + of arbitrary code with the permissions of the user running ClamAV. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.88.5" +
+ + Original commit log + CVE-2006-4182 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-11.xml b/xml/htdocs/security/en/glsa/glsa-200610-11.xml new file mode 100644 index 00000000..14cfbe97 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-11.xml @@ -0,0 +1,86 @@ + + + + + + + OpenSSL: Multiple vulnerabilities + + OpenSSL contains multiple vulnerabilities including the possible remote + execution of arbitrary code. + + openssl + October 24, 2006 + October 24, 2006: 01 + 145510 + remote + + + 0.9.8d + 0.9.7l + 0.9.8d + + + +

+ OpenSSL is a toolkit implementing the Secure Sockets Layer, Transport + Layer Security protocols and a general-purpose cryptography library. +

+
+ +

+ Tavis Ormandy and Will Drewry, both of the Google Security Team, + discovered that the SSL_get_shared_ciphers() function contains a buffer + overflow vulnerability, and that the SSLv2 client code contains a flaw + leading to a crash. Additionally Dr. Stephen N. Henson found that the + ASN.1 handler contains two Denial of Service vulnerabilities: while + parsing an invalid ASN.1 structure and while handling certain types of + public key. +

+
+ +

+ An attacker could trigger the buffer overflow vulnerability by sending + a malicious suite of ciphers to an application using the vulnerable + function, and thus execute arbitrary code with the rights of the user + running the application. An attacker could also consume CPU and/or + memory by exploiting the Denial of Service vulnerabilities. Finally a + malicious server could crash a SSLv2 client through the SSLv2 + vulnerability. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSSL 0.9.8 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8d" +

+ All OpenSSL 0.9.7 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.7l" +
+ + CVE-2006-2937 + CVE-2006-2940 + CVE-2006-3738 + CVE-2006-4343 + + + vorlon078 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-12.xml b/xml/htdocs/security/en/glsa/glsa-200610-12.xml new file mode 100644 index 00000000..df158744 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-12.xml @@ -0,0 +1,66 @@ + + + + + + + Apache mod_tcl: Format string vulnerability + + A format string vulnerabilty has been found in Apache mod_tcl, which could + lead to the remote execution of arbitrary code. + + mod_tcl + October 24, 2006 + October 24, 2006: 01 + 151359 + remote + + + 1.0.1 + 1.0.1 + + + +

+ Apache mod_tcl is a TCL interpreting module for the Apache 2.x web + server. +

+
+ +

+ Sparfell discovered format string errors in calls to the set_var + function in tcl_cmds.c and tcl_core.c. +

+
+ +

+ A remote attacker could exploit the vulnerability to execute arbitrary + code with the rights of the user running the Apache server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mod_tcl users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apache/mod_tcl-1.0.1" +
+ + CVE-2006-4154 + + + falco + + + falco + + + vorlon078 + +
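Review bot: The synopsis of the new advisory misspells "vulnerabilty"; it should read `A format string vulnerability has been found in Apache mod_tcl, which could lead to the remote execution of arbitrary code.` The synopsis is presumably the text quoted by the GLSA index and announcement mail, so the typo would be reproduced in every downstream listing. The description, impact and resolution sections otherwise read consistently with the title.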
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-13.xml b/xml/htdocs/security/en/glsa/glsa-200610-13.xml new file mode 100644 index 00000000..0d0b45d8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-13.xml @@ -0,0 +1,69 @@ + + + + + + + Cheese Tracker: Buffer Overflow + + Cheese Tracker contains a buffer overflow allowing the remote execution of + arbitrary code. + + cheesetracker + October 26, 2006 + October 26, 2006: 01 + 142391 + remote + + + 0.9.9-r1 + 0.9.9-r1 + + + +

+ Cheese Tracker is a Qt-based portable Impulse Tracker clone, a music + tracker for the CT, IT, XM and S3M file formats. +

+
+ +

+ Luigi Auriemma reported that the XM loader of Cheese Tracker contains a + buffer overflow vulnerability in the + loader_XM::load_intrument_internal() function from + loaders/loader_xm.cpp. +

+
+ +

+ An attacker could execute arbitrary code with the rights of the user + running Cheese Tracker by enticing a user to load a crafted file with + large amount of extra data. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cheese Tracker users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/cheesetracker-0.9.9-r1" +
+ + CVE-2006-3814 + + + falco + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-14.xml b/xml/htdocs/security/en/glsa/glsa-200610-14.xml new file mode 100644 index 00000000..7e37ebcd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-14.xml @@ -0,0 +1,77 @@ + + + + + + + PHP: Integer overflow + + PHP is vulnerable to an integer overflow potentially allowing the remote + execution of arbitrary code. + + php + October 30, 2006 + March 29, 2008: 04 + 150261 + remote + + + 4.4.4-r6 + 4.4.6 + 4.4.7 + 4.4.8_pre20070816 + 5.1.6-r6 + 5.1.6-r6 + + + +

+ PHP is a widely-used general-purpose scripting language that is + especially suited for Web development and can be embedded into HTML. +

+
+ +

+ A flaw in the PHP memory handling routines allows an unserialize() call + to be executed on non-allocated memory due to a previous integer + overflow. +

+
+ +

+ An attacker could execute arbitrary code with the rights of the web + server user or the user running a vulnerable PHP script. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHP 5.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-5.1.6-r6" +

+ All PHP 4.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-4.4.4-r6" +
+ + CVE-2006-4812 + + + falco + + + shellsage + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200610-15.xml b/xml/htdocs/security/en/glsa/glsa-200610-15.xml new file mode 100644 index 00000000..629b6000 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200610-15.xml @@ -0,0 +1,81 @@ + + + + + + + Asterisk: Multiple vulnerabilities + + Asterisk is vulnerable to the remote execution of arbitrary code or a + Denial of Service. + + asterisk + October 30, 2006 + January 30, 2007: 02 + 144941 + 151881 + remote + + + 1.2.13 + 1.0.12 + 1.2.13 + 1.0.12 + + + +

+ Asterisk is an open source implementation of a telephone private branch + exchange (PBX). +

+
+ +

+ Asterisk contains buffer overflows in channels/chan_mgcp.c from the + MGCP driver and in channels/chan_skinny.c from the Skinny channel + driver for Cisco SCCP phones. It also dangerously handles + client-controlled variables to determine filenames in the Record() + function. Finally, the SIP channel driver in channels/chan_sip.c could + use more resources than necessary under unspecified circumstances. +

+
+ +

+ A remote attacker could execute arbitrary code by sending a crafted + audit endpoint (AUEP) response, by sending an overly large Skinny + packet even before authentication, or by making use of format strings + specifiers through the client-controlled variables. An attacker could + also cause a Denial of Service by resource consumption through the SIP + channel driver. +

+
+ +

+ There is no known workaround for the format strings vulnerability at + this time. You can comment the lines in /etc/asterisk/mgcp.conf, + /etc/asterisk/skinny.conf and /etc/asterisk/sip.conf to deactivate the + three vulnerable channel drivers. Please note that the MGCP channel + driver is disabled by default. +

+
+ +

+ All Asterisk users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.13" +
+ + CVE-2006-4345 + CVE-2006-4346 + CVE-2006-5444 + CVE-2006-5445 + + + falco + + + falco + +
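Review bot: The resolution only gives `>=net-misc/asterisk-1.2.13`, although the package block above lists 1.0.12 as a fixed version alongside 1.2.13; a 1.0.x user following the instructions as written is moved to the 1.2 branch rather than to 1.0.12. If 1.0.12 is an intended fix target, the resolution should carry a second paragraph and code block for it, mirroring the two-branch layout used in glsa-200610-11 and glsa-200610-14 in this same commit; if not, the 1.0.12 entries should be dropped so the two sections agree. Minor wording in the impact section: `format strings specifiers` should be `format string specifiers`.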
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-01.xml b/xml/htdocs/security/en/glsa/glsa-200611-01.xml new file mode 100644 index 00000000..57f8290e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-01.xml @@ -0,0 +1,67 @@ + + + + + + + Screen: UTF-8 character handling vulnerability + + Screen contains an error in its UTF-8 character handling code that would + allow a remote Denial of Service or possibly the remote execution of + arbitrary code. + + screen + November 03, 2006 + November 03, 2006: 01 + 152770 + remote + + + 4.0.3 + 4.0.3 + + + +

+ Screen is a full-screen window manager that multiplexes a physical + terminal between several processes, typically interactive shells. +

+
+ +

+ cstone and Richard Felker discovered a flaw in Screen's UTF-8 combining + character handling. +

+
+ +

+ The vulnerability can be exploited by writing a special string of + characters to a Screen window. A remote attacker could cause a Denial + of Service or possibly execute arbitrary code with the privileges of + the user running Screen through a program being run inside a Screen + session, such as an IRC client or a mail client. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Screen users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-misc/screen-4.0.3" +
+ + CVE-2006-4573 + + + aetius + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-02.xml b/xml/htdocs/security/en/glsa/glsa-200611-02.xml new file mode 100644 index 00000000..ddad2fa7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-02.xml @@ -0,0 +1,75 @@ + + + + + + + Qt: Integer overflow + + An integer overflow flaw in the Qt pixmap handling could possibly lead to a + Denial of Service or the remote execution of arbitrary code. + + qt + November 06, 2006 + January 09, 2009: 03 + 151838 + remote + + + 4.1.4-r2 + 3.3.6-r4 + 3.3.8 + 3.3.8b + 4.1.4-r2 + + + +

+ Qt is a cross-platform GUI toolkit, which is used e.g. by KDE. +

+
+ +

+ An integer overflow flaw has been found in the pixmap handling of Qt. +

+
+ +

+ By enticing a user to open a specially crafted pixmap image in an + application using Qt, e.g. Konqueror, a remote attacker could be able + to cause an application crash or the execution of arbitrary code with + the rights of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Qt 3.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/qt-3.3.6-r4" +

+ All Qt 4.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/qt-4.1.4-r2" +
+ + CVE-2006-4811 + + + vorlon078 + + + vorlon078 + + + vorlon078 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-03.xml b/xml/htdocs/security/en/glsa/glsa-200611-03.xml new file mode 100644 index 00000000..becb4277 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-03.xml @@ -0,0 +1,76 @@ + + + + + + + NVIDIA binary graphics driver: Privilege escalation vulnerability + + The NVIDIA binary graphics driver is vulnerable to a local privilege + escalation through an X session. + + nvidia-drivers + November 07, 2006 + November 10, 2006: 02 + 151635 + remote, local + + + 1.0.8776 + 1.0.8762 + 1.0.8776 + + + +

+ The NVIDIA binary graphics driver from NVIDIA Corporation provides the + kernel module and the GL modules for graphic acceleration on the NVIDIA + based graphic cards. +

+
+ +

+ Rapid7 reported a boundary error in the NVIDIA binary graphics driver + that leads to a buffer overflow in the accelerated rendering + functionality. +

+
+ +

+ An X client could trigger the buffer overflow with a maliciously + crafted series of glyphs. A remote attacker could also entice a user to + open a specially crafted web page, document or X client that will + trigger the buffer overflow. This could result in the execution of + arbitrary code with root privileges or at least in the crash of the X + server. +

+
+ +

+ Disable the accelerated rendering functionality in the Device section + of xorg.conf : +

+ Option "RenderAccel" "false" +
+ +

+ NVIDIA binary graphics driver users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-1.0.8776" +
+ + CVE-2006-5379 + + + falco + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-04.xml b/xml/htdocs/security/en/glsa/glsa-200611-04.xml new file mode 100644 index 00000000..73c492db --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-04.xml @@ -0,0 +1,90 @@ + + + + + + + Bugzilla: Multiple Vulnerabilities + + Bugzilla is vulnerable to cross-site scripting, script injection, and + request forgery. + + bugzilla + November 09, 2006 + November 09, 2006: 01 + 151563 + remote + + + 2.18.6 + 2.18.6 + + + +

+ Bugzilla is a bug tracking system used to allow developers to more + easily track outstanding bugs in products. +

+
+ +

+ The vulnerabilities identified in Bugzilla are as follows: +

+
    +
  • Frederic Buclin and Gervase Markham discovered that input passed to + various fields throughout Bugzilla were not properly sanitized before + being sent back to users (CVE-2006-5453).
  • +
  • Frederic Buclin and Josh "timeless" Soref discovered a bug when + viewing attachments in diff mode that allows users not of the + "insidergroup" to read attachment descriptions. Additionally, it was + discovered that the "deadline" field is visible to users who do not + belong to the "timetrackinggroup" when bugs are exported to XML + (CVE-2006-5454).
  • +
  • Gavin Shelley reported that Bugzilla allows certain operations to + be performed via HTTP GET and HTTP POST requests without verifying + those requests properly (CVE-2006-5455).
  • +
  • Max Kanat-Alexander discovered that input passed to + showdependencygraph.cgi is not properly sanitized before being returned + to users (CVE-2006-5453).
  • +
+
+ +

+ An attacker could inject scripts into the content loaded by a user's + browser in order to have those scripts executed in a user's browser in + the context of the site currently being viewed. This could include + gaining access to privileged session information for the site being + viewed. Additionally, a user could forge an HTTP request in order to + create, modify, or delete bugs within a Bugzilla instance. Lastly, an + unauthorized user could view sensitive information about bugs or bug + attachments. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Bugzilla users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/bugzilla-2.18.6" +
+ + CVE-2006-5453 + CVE-2006-5454 + CVE-2006-5455 + + + vorlon078 + + + shellsage + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-05.xml b/xml/htdocs/security/en/glsa/glsa-200611-05.xml new file mode 100644 index 00000000..054d0942 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-05.xml @@ -0,0 +1,69 @@ + + + + + + + Netkit FTP Server: Privilege escalation + + An incorrect seteuid() call could allow an FTP user to access some files or + directories that would normally be inaccessible. + + ftpd + November 10, 2006 + December 30, 2007: 02 + 150292 + remote + + + 0.17-r4 + 0.17-r4 + + + +

+ net-ftp/netkit-ftpd is the Linux Netkit FTP server with optional SSL support. +

+
+ +

+ Paul Szabo reported that an incorrect seteuid() call after the chdir() + function can allow an attacker to access a normally forbidden + directory, in some very particular circumstances, for example when the + NFS-hosted targetted directory is not reachable by the client-side root + user. Additionally, some potentially exploitable unchecked setuid() + calls were also fixed. +

+
+ +

+ A local attacker might craft his home directory to gain access through + ftpd to normally forbidden directories like /root, possibly with + writing permissions if seteuid() fails and if the ftpd configuration + allows that. The unchecked setuid() calls could also lead to a root FTP + login, depending on the FTP server configuration. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Netkit FTP Server users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/netkit-ftpd-0.17-r4" +
+ + CVE-2006-5778 + + + falco + + + falco + +
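Review bot: "targetted" in the description should be `targeted`, and "writing permissions" in the impact section reads more naturally as `write permissions`. The access field says `remote` while the impact paragraph speaks of `A local attacker`; since the scenario described is an FTP user who controls his own home directory, stating that explicitly (e.g. `An attacker with an FTP account`) would remove the apparent contradiction between the two fields without changing the advisory's substance.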
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-06.xml b/xml/htdocs/security/en/glsa/glsa-200611-06.xml new file mode 100644 index 00000000..b51f2631 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-06.xml @@ -0,0 +1,73 @@ + + + + + + + OpenSSH: Multiple Denial of Service vulnerabilities + + Several Denial of Service vulnerabilities have been identified in OpenSSH. + + openssh + November 13, 2006 + November 13, 2006: 01 + 149502 + remote + + + 4.4_p1-r5 + 4.4_p1-r5 + + + +

+ OpenSSH is a complete SSH protocol version 1.3, 1.5 and 2.0 + implementation and includes sftp client and server support. +

+
+ +

+ Tavis Ormandy of the Google Security Team has discovered a + pre-authentication vulnerability, causing sshd to spin until the login + grace time has been expired. Mark Dowd found an unsafe signal handler + that was vulnerable to a race condition. It has also been discovered + that when GSSAPI authentication is enabled, GSSAPI will in certain + cases incorrectly abort. +

+
+ +

+ The pre-authentication and signal handler vulnerabilities can cause a + Denial of Service in OpenSSH. The vulnerability in the GSSAPI + authentication abort could be used to determine the validity of + usernames on some platforms. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSSH users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/openssh-4.4_p1-r5" +
+ + CVE-2006-5051 + CVE-2006-5052 + OpenSSH Security Advisory + + + vorlon078 + + + vorlon078 + + + daxomatic + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-07.xml b/xml/htdocs/security/en/glsa/glsa-200611-07.xml new file mode 100644 index 00000000..84b217f5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-07.xml @@ -0,0 +1,70 @@ + + + + + + + GraphicsMagick: PALM and DCM buffer overflows + + GraphicsMagick improperly handles PALM and DCM images, potentially + resulting in the execution of arbitrary code. + + graphicsmagick + November 13, 2006 + November 13, 2006: 01 + 152668 + remote + + + 1.1.7-r3 + 1.1.7-r3 + + + +

+ GraphicsMagick is a collection of tools and libraries which support + reading, writing, and manipulating images in many major formats. +

+
+ +

+ M. Joonas Pihlaja has reported that a boundary error exists within the + ReadDCMImage() function of coders/dcm.c, causing the improper handling + of DCM images. Pihlaja also reported that there are several boundary + errors in the ReadPALMImage() function of coders/palm.c, similarly + causing the improper handling of PALM images. +

+
+ +

+ An attacker could entice a user to open a specially crafted DCM or PALM + image with GraphicsMagick, and possibly execute arbitrary code with the + privileges of the user running GraphicsMagick. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GraphicsMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.1.7-r3" +
+ + CVE-2006-5456 + + + vorlon078 + + + shellsage + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-08.xml b/xml/htdocs/security/en/glsa/glsa-200611-08.xml new file mode 100644 index 00000000..336d84bb --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-08.xml @@ -0,0 +1,69 @@ + + + + + + + RPM: Buffer overflow + + RPM is vulnerable to a buffer overflow and possibly the execution of + arbitrary code when opening specially crafted packages. + + rpm + November 13, 2006 + November 13, 2006: 01 + 154218 + remote + + + 4.4.6-r3 + 4.4.6-r3 + + + +

+ The Red Hat Package Manager (RPM) is a command line driven package + management system capable of installing, uninstalling, verifying, + querying, and updating computer software packages. +

+
+ +

+ Vladimir Mosgalin has reported that when processing certain packages, + RPM incorrectly allocates memory for the packages, possibly causing a + heap-based buffer overflow. +

+
+ +

+ An attacker could entice a user to open a specially crafted RPM package + and execute code with the privileges of that user if certain locales + are set. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All RPM users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/rpm-4.4.6-r3" +
+ + CVE-2006-5466 + + + falco + + + shellsage + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-09.xml b/xml/htdocs/security/en/glsa/glsa-200611-09.xml new file mode 100644 index 00000000..97a02b8e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-09.xml @@ -0,0 +1,65 @@ + + + + + + + libpng: Denial of Service + + A vulnerability in libpng may allow a remote attacker to crash applications + that handle untrusted images. + + libpng + November 17, 2006 + November 17, 2006: 01 + 154380 + remote + + + 1.2.13 + 1.2.13 + + + +

+ libpng is a free ANSI C library used to process and manipulate PNG + images. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that a + vulnerability exists in the sPLT chunk handling code of libpng, a large + sPLT chunk may cause an application to attempt to read out of bounds. +

+
+ +

+ A remote attacker could craft an image that when processed or viewed by + an application using libpng causes the application to terminate + abnormally. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libpng users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.13" +
+ + CVE-2006-5793 + + + taviso + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-10.xml b/xml/htdocs/security/en/glsa/glsa-200611-10.xml new file mode 100644 index 00000000..1b22af57 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-10.xml @@ -0,0 +1,71 @@ + + + + + + + WordPress: Multiple vulnerabilities + + Flaws in WordPress allow a Denial of Service, the disclosure of user + metadata and the overwriting of restricted files. + + wordpress + November 17, 2006 + November 17, 2006: 01 + 153303 + remote + + + 2.0.5 + 2.0.5 + + + +

+ WordPress is a PHP and MySQL based multiuser blogging system. +

+
+ +

+ "random" discovered that users can enter serialized objects as strings + in their profiles that will be harmful when unserialized. "adapter" + found out that user-edit.php fails to effectively deny non-permitted + users access to other user's metadata. Additionally, a directory + traversal vulnerability in the wp-db-backup module was discovered. +

+
+ +

+ By entering specially crafted strings in his profile, an attacker can + crash PHP or even the web server running WordPress. Additionally, by + crafting a simple URL, an attacker can read metadata of any other user, + regardless of their own permissions. A user with the permission to use + the database backup plugin can possibly overwrite files he otherwise + has no access to. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All WordPress users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/wordpress-2.0.5" +
+ + CVE-2006-5705 + WordPress Ticket 3142 + WordPress Ticket 2591 + + + frilled + + + frilled + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-11.xml b/xml/htdocs/security/en/glsa/glsa-200611-11.xml new file mode 100644 index 00000000..883af676 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-11.xml @@ -0,0 +1,72 @@ + + + + + + + TikiWiki: Multiple vulnerabilities + + TikiWiki allows for the disclosure of MySQL database authentication + credentials and for cross-site scripting attacks. + + tikiwiki + November 20, 2006 + November 20, 2006: 01 + 153820 + remote + + + 1.9.6 + 1.9.6 + + + +

+ TikiWiki is an open source content management system written in PHP. +

+
+ +

+ In numerous files TikiWiki provides an empty sort_mode parameter, + causing TikiWiki to display additional information, including database + authentication credentials, in certain error messages. TikiWiki also + improperly sanitizes the "url" request variable sent to + tiki-featured_link.php. +

+
+ +

+ An attacker could cause a database error in various pages of a TikiWiki + instance by providing an empty sort_mode request variable, and gain + unauthorized access to credentials of the MySQL databases used by + TikiWiki. An attacker could also entice a user to browse to a specially + crafted URL that could run scripts in the scope of the user's browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TikiWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.9.6" +
+ + CVE-2006-5702 + CVE-2006-5703 + + + jaervosz + + + shellsage + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-12.xml b/xml/htdocs/security/en/glsa/glsa-200611-12.xml new file mode 100644 index 00000000..d6cc4d80 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-12.xml @@ -0,0 +1,66 @@ + + + + + + + Ruby: Denial of Service vulnerability + + The Ruby cgi.rb CGI library is vulnerable to a Denial of Service attack. + + ruby + November 20, 2006 + June 11, 2009: 02 + 153497 + remote + + + 1.8.5-r3 + 1.8.5-r3 + + + +

+ Ruby is a dynamic, open source programming language with a focus on + simplicity and productivity. +

+
+ +

+ Zed Shaw, Jeremy Kemper, and Jamis Buck of the Mongrel project reported + that the CGI library shipped with Ruby is vulnerable to a remote Denial + of Service by an unauthenticated user. +

+
+ +

+ The vulnerability can be exploited by sending the cgi.rb library an + HTTP request with multipart MIME encoding that contains a malformed + MIME boundary specifier beginning with "-" instead of "--". Successful + exploitation of the vulnerability causes the library to go into an + infinite loop waiting for additional nonexistent input. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ruby users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.5-r3" +
+ + CVE-2006-5467 + + + aetius + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-13.xml b/xml/htdocs/security/en/glsa/glsa-200611-13.xml new file mode 100644 index 00000000..53744b12 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-13.xml @@ -0,0 +1,67 @@ + + + + + + + Avahi: "netlink" message vulnerability + + Avahi fails to verify the origin of netlink messages, which could allow + local users to spoof network changes. + + avahi + November 20, 2006 + November 20, 2006: 01 + 154322 + local + + + 0.6.15 + 0.6.15 + + + +

+ Avahi is a system that facilitates service discovery on a local + network. +

+
+ +

+ Avahi does not check that the netlink messages come from the kernel + instead of a user-space process. +

+
+ +

+ A local attacker could exploit this vulnerability by crafting malicious + netlink messages and trick Avahi to react to fake network changes. This + could lead users to connect to untrusted services without knowing. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Avahi users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/avahi-0.6.15" +
+ + CVE-2006-5461 + + + vorlon + + + vorlon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-14.xml b/xml/htdocs/security/en/glsa/glsa-200611-14.xml new file mode 100644 index 00000000..b24e0720 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-14.xml @@ -0,0 +1,70 @@ + + + + + + + TORQUE: Insecure temporary file creation + + TORQUE creates temporary files in an insecure manner which could lead to + the execution of arbitrary code with elevated privileges. + + torque + November 20, 2006 + November 24, 2006: 03 + 152104 + local + + + 2.1.6 + 2.1.6 + + + +

+ TORQUE is a resource manager providing control over batch jobs and + distributed compute nodes. +

+
+ +

+ TORQUE creates temporary files with predictable names. Please note that + the TORQUE package shipped in Gentoo Portage is not vulnerable in the + default configuration. Only systems with more permissive access rights + to the spool directory are vulnerable. +

+
+ +

+ A local attacker could create links in the temporary file directory, + pointing to a valid file somewhere on the filesystem. This could lead + to the execution of arbitrary code with elevated privileges. +

+
+ +

+ Ensure that untrusted users don't have write access to the spool + directory. +

+
+ +

+ All TORQUE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-cluster/torque-2.1.6" +
+ + CVE-2006-5677 + + + vorlon + + + vorlon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-15.xml b/xml/htdocs/security/en/glsa/glsa-200611-15.xml new file mode 100644 index 00000000..28a2e294 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-15.xml @@ -0,0 +1,68 @@ + + + + + + + qmailAdmin: Buffer overflow + + qmailAdmin is vulnerable to a buffer overflow that could lead to the remote + execution of arbitrary code. + + qmailadmin + November 21, 2006 + November 21, 2006: 01 + 153896 + remote + + + 1.2.10 + 1.2.10 + + + +

+ qmailAdmin is a free software package that provides a web interface for + managing a qmail system with virtual domains. +

+
+ +

+ qmailAdmin fails to properly handle the "PATH_INFO" variable in + qmailadmin.c. The PATH_INFO is a standard CGI environment variable + filled with user supplied data. +

+
+ +

+ A remote attacker could exploit this vulnerability by sending + qmailAdmin a maliciously crafted URL that could lead to the execution + of arbitrary code with the permissions of the user running qmailAdmin. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All qmailAdmin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/qmailadmin-1.2.10" +
+ + CVE-2006-1141 + + + vorlon + + + vorlon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-16.xml b/xml/htdocs/security/en/glsa/glsa-200611-16.xml new file mode 100644 index 00000000..f95d9939 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-16.xml @@ -0,0 +1,67 @@ + + + + + + + Texinfo: Buffer overflow + + Texinfo is vulnerable to a buffer overflow that could lead to the execution + of arbitrary code. + + texinfo + November 21, 2006 + November 21, 2006: 01 + 154316 + remote + + + 4.8-r5 + 4.8-r5 + + + +

+ Texinfo is the official documentation system of the GNU project. +

+
+ +

+ Miloslav Trmac from Red Hat discovered a buffer overflow in the + "readline()" function of texindex.c. The "readline()" function is + called by the texi2dvi and texindex commands. +

+
+ +

+ By enticing a user to open a specially crafted Texinfo file, an + attacker could execute arbitrary code with the rights of the user + running Texinfo. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Texinfo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/texinfo-4.8-r5" +
+ + CVE-2006-4810 + + + vorlon + + + vorlon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-17.xml b/xml/htdocs/security/en/glsa/glsa-200611-17.xml new file mode 100644 index 00000000..13d5b080 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-17.xml @@ -0,0 +1,70 @@ + + + + + + + fvwm: fvwm-menu-directory fvwm command injection + + A flaw in fvwm-menu-directory may permit a local attacker to execute + arbitrary commands with the privileges of another user. + + fvwm + November 23, 2006 + November 23, 2006: 01 + 155078 + local + + + 2.5.18-r1 + 2.5.18-r1 + + + +

+ fvwm is a highly configurable virtual window manager for X11 desktops. + fvwm-menu-directory allows fvwm users to browse directories from within + fvwm. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that + fvwm-menu-directory does not sufficiently sanitise directory names + prior to generating menus. +

+
+ +

+ A local attacker who can convince an fvwm-menu-directory user to browse + a directory they control could cause fvwm commands to be executed with + the privileges of the fvwm user. Fvwm commands can be used to execute + arbitrary shell commands. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All fvwm users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-wm/fvwm-2.5.18-r1" +
+ + CVE-2006-5969 + + + jaervosz + + + jaervosz + + + taviso + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-18.xml b/xml/htdocs/security/en/glsa/glsa-200611-18.xml new file mode 100644 index 00000000..f9479719 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-18.xml @@ -0,0 +1,69 @@ + + + + + + + TIN: Multiple buffer overflows + + Multiple buffer overflows have been reported in TIN, possibly leading to + the execution of arbitrary code. + + tin + November 24, 2006 + November 24, 2006: 01 + 150229 + remote + + + 1.8.2 + 1.8.2 + + + +

+ TIN is a threaded NNTP and spool based UseNet newsreader for a variety + of platforms. +

+
+ +

+ Urs Janssen and Aleksey Salow have reported multiple buffer overflows + in TIN. Additionally, the OpenPKG project has reported an allocation + off-by-one flaw which can lead to a buffer overflow. +

+
+ +

+ An attacker could entice a TIN user to read a specially crafted news + article, and execute arbitrary code with the rights of the user running + TIN. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TIN users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-nntp/tin-1.8.2" +
+ + OpenPKG Advisory + CVE-2006-0804 + + + jaervosz + + + jaervosz + + + shellsage + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-19.xml b/xml/htdocs/security/en/glsa/glsa-200611-19.xml new file mode 100644 index 00000000..d4145afe --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-19.xml @@ -0,0 +1,71 @@ + + + + + + + ImageMagick: PALM and DCM buffer overflows + + ImageMagick improperly handles PALM and DCM images, potentially resulting + in the execution of arbitrary code. + + imagemagick + November 24, 2006 + November 24, 2006: 01 + 152672 + remote + + + 6.3.0.5 + 6.3.0.5 + + + +

+ ImageMagick is a software suite to create, edit, and compose bitmap + images, that can also read, write, and convert images in many other + formats. +

+
+ +

+ M. Joonas Pihlaja has reported that a boundary error exists within the + ReadDCMImage() function of coders/dcm.c, causing the improper handling + of DCM images. Pihlaja also reported that there are several boundary + errors in the ReadPALMImage() function of coders/palm.c, similarly + causing the improper handling of PALM images. +

+
+ +

+ An attacker could entice a user to open a specially crafted DCM or PALM + image with ImageMagick, and possibly execute arbitrary code with the + privileges of the user running ImageMagick. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ImageMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.3.0.5" +
+ + CVE-2006-5456 + + + jaervosz + + + shellsage + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-20.xml b/xml/htdocs/security/en/glsa/glsa-200611-20.xml new file mode 100644 index 00000000..ce58680e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-20.xml @@ -0,0 +1,66 @@ + + + + + + + GNU gv: Stack overflow + + GNU gv improperly handles user-supplied data possibly allowing for the + execution of arbitrary code. + + gv + November 24, 2006 + November 24, 2006: 01 + 154573 + remote + + + 3.6.2-r1 + 3.6.2-r1 + + + +

+ GNU gv is a viewer for PostScript and PDF documents. +

+
+ +

+ GNU gv does not properly boundary check user-supplied data before + copying it into process buffers. +

+
+ +

+ An attacker could entice a user to open a specially crafted document + with GNU gv and execute arbitrary code with the rights of the user on + the system. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All gv users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/gv-3.6.2-r1" +
+ + CVE-2006-5864 + + + jaervosz + + + shellsage + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-21.xml b/xml/htdocs/security/en/glsa/glsa-200611-21.xml new file mode 100644 index 00000000..374b30d9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-21.xml @@ -0,0 +1,61 @@ + + + + + + + Kile: Incorrect backup file permission + + Kile uses default permissions for backup files, potentially leading to + information disclosure. + + kile + November 27, 2006 + November 27, 2006: 01 + 155613 + local + + + 1.9.2-r1 + 1.9.2-r1 + + + +

+ Kile is a TeX/LaTeX editor for KDE. +

+
+ +

+ Kile fails to set the same permissions on backup files as on the + original file. This is similar to CVE-2005-1920. +

+
+ +

+ A kile user may inadvertently grant access to sensitive information. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Kile users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/kile-1.9.2-r1" +
+ + CVE-2005-1920 + + + jaervosz + + + jaervosz + +
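Review bot: The description says the flaw is "similar to CVE-2005-1920", yet CVE-2005-1920 is the only identifier in the references block, so the advisory ends up citing the earlier KDE issue as if it were this Kile one. If a separate identifier was assigned to the Kile backup-file issue it should be the primary reference, with CVE-2005-1920 kept as the related entry; if none was, the description should say so explicitly, e.g. `This is the same class of issue as CVE-2005-1920, which is listed for reference.` As written, a reader cannot tell which of the two situations applies.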
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-22.xml b/xml/htdocs/security/en/glsa/glsa-200611-22.xml new file mode 100644 index 00000000..68ba056d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-22.xml @@ -0,0 +1,66 @@ + + + + + + + Ingo H3: Folder name shell command injection + + Ingo H3 is vulnerable to arbitrary shell command execution when handling + procmail rules. + + horde-ingo + November 27, 2006 + November 27, 2006: 01 + 153927 + remote + + + 1.1.2 + 1.1.2 + + + +

+ Ingo H3 is a generic frontend for editing Sieve, procmail, maildrop and + IMAP filter rules. +

+
+ +

+ Ingo H3 fails to properly escape shell metacharacters in procmail + rules. +

+
+ +

+ A remote authenticated attacker could craft a malicious rule which + could lead to the execution of arbitrary shell commands on the server. +

+
+ +

+ Don't use procmail with Ingo H3. +

+
+ +

+ All Ingo H3 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-ingo-1.1.2" +
+ + CVE-2006-5449 + + + jaervosz + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-23.xml b/xml/htdocs/security/en/glsa/glsa-200611-23.xml new file mode 100644 index 00000000..c6a1b0be --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-23.xml @@ -0,0 +1,69 @@ + + + + + + + Mono: Insecure temporary file creation + + Mono is vulnerable to linking attacks, potentially allowing a local user to + overwrite arbitrary files. + + mono + November 28, 2006 + November 28, 2006: 01 + 150264 + local + + + 1.1.13.8.1 + 1.1.13.8.1 + + + +

+ Mono provides the necessary software to develop and run .NET client and + server applications. +

+
+ +

+ Sebastian Krahmer of the SuSE Security Team discovered that the + System.CodeDom.Compiler classes of Mono create temporary files with + insecure permissions. +

+
+ +

+ A local attacker could create links in the temporary file directory, + pointing to a valid file somewhere on the filesystem. When an affected + class is called, this could result in the file being overwritten with + the rights of the user running the script. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mono users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/mono-1.1.13.8.1" +
+ + CVE-2006-5072 + + + jaervosz + + + falco + + + falco + +
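Review bot: The description attributes the issue to temporary files created "with insecure permissions", while the title and the impact paragraph describe a linking attack in the temporary directory, which is an unsafe-creation problem rather than a permissions one, so the three sections do not agree. If unsafe creation is the underlying bug, `create temporary files in an insecure manner` in the description would reconcile them; if permissions really are the cause, the impact should explain how that enables the link attack. Separately, `the rights of the user running the script` reads oddly for the System.CodeDom.Compiler classes; `the user running the application` matches the wording used by the other advisories in this commit.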
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-24.xml b/xml/htdocs/security/en/glsa/glsa-200611-24.xml new file mode 100644 index 00000000..ef9845c3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-24.xml @@ -0,0 +1,74 @@ + + + + + + + LHa: Multiple vulnerabilities + + LHa is affected by several vulnerabilities including the remote execution + of arbitrary code. + + lha + November 28, 2006 + November 28, 2006: 01 + 151252 + remote + + + 114i-r6 + 114i-r6 + + + +

+ LHa is a console-based program for packing and unpacking LHarc + archives. +

+
+ +

+ Tavis Ormandy of the Google Security Team discovered several + vulnerabilities in the LZH decompression component used by LHa. The + make_table function of unlzh.c contains an array index error and a + buffer overflow vulnerability. The build_tree function of unpack.c + contains a buffer underflow vulnerability. Additionally, unlzh.c + contains a code that could run in an infinite loop. +

+
+ +

+ By enticing a user to uncompress a specially crafted archive, a remote + attacker could cause a Denial of Service by CPU consumption or execute + arbitrary code with the rights of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All LHa users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/lha-114i-r6" +
+ + CVE-2006-4335 + CVE-2006-4336 + CVE-2006-4337 + CVE-2006-4338 + + + falco + + + falco + + + falco + +
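Review bot: `contains a code that could run in an infinite loop` in the description has a stray article; `contains code that could run in an infinite loop` is the intended sentence. The impact paragraph already ties that loop to the CPU-consumption Denial of Service, so no other wording change is needed.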
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-25.xml b/xml/htdocs/security/en/glsa/glsa-200611-25.xml new file mode 100644 index 00000000..d232a14b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-25.xml @@ -0,0 +1,69 @@ + + + + + + + OpenLDAP: Denial of Service vulnerability + + A flaw in OpenLDAP allows remote unauthenticated attackers to cause a + Denial of Service. + + openldap + November 28, 2006 + November 28, 2006: 01 + 154349 + remote + + + 2.3.27-r3 + 2.2.28-r5 + 2.1.30-r8 + 2.3.27-r3 + + + +

+ OpenLDAP is a suite of LDAP-related applications and development tools. +

+
+ +

+ Evgeny Legerov has discovered that the truncation of an incoming + authcid longer than 255 characters and ending with a space as the 255th + character will lead to an improperly computed name length. This will + trigger an assert in the libldap code. +

+
+ +

+ By sending a BIND request with a specially crafted authcid parameter to + an OpenLDAP service, a remote attacker can cause the service to crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenLDAP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "net-nds/openldap" +
+ + CVE-2006-5779 + + + jaervosz + + + falco + + + falco + +
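Review bot: The resolution's emerge atom `"net-nds/openldap"` carries no version bound, unlike every other advisory in this commit, while the unaffected list names three fixed branches (2.3.27-r3, 2.2.28-r5 and 2.1.30-r8). Presumably this is deliberate so that users on any of the three branches receive the fixed revision of their own branch, but a reader comparing against the neighbouring advisories cannot tell whether the bound was simply forgotten. A one-line note before the code block, such as `Users of the 2.1 and 2.2 branches will be updated to the fixed revision of their branch.`, would make the intent explicit.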
diff --git a/xml/htdocs/security/en/glsa/glsa-200611-26.xml b/xml/htdocs/security/en/glsa/glsa-200611-26.xml new file mode 100644 index 00000000..345d3ef8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200611-26.xml @@ -0,0 +1,78 @@ + + + + + + + ProFTPD: Remote execution of arbitrary code + + ProFTPD is affected by mutiple vulnerabilities allowing for the remote + execution of arbitrary code. + + proftpd + November 30, 2006 + November 30, 2006: 01 + 154650 + remote + + + 1.3.0a + 1.3.0a + + + +

+ ProFTPD is a highly-configurable FTP server. +

+
+ +

+ Evgeny Legerov discovered a stack-based buffer overflow in the + s_replace() function in support.c, as well as a buffer overflow in in + the mod_tls module. Additionally, an off-by-two error related to the + CommandBufferSize configuration directive was reported. +

+
+ +

+ An authenticated attacker could exploit the s_replace() vulnerability + by uploading a crafted .message file or sending specially crafted + commands to the server, possibly resulting in the execution of + arbitrary code with the rights of the user running ProFTPD. An + unauthenticated attacker could send specially crafted data to the + server with mod_tls enabled which could result in the execution of + arbitrary code with the rights of the user running ProFTPD. Finally, + the off-by-two error related to the CommandBufferSize configuration + directive was fixed - exploitability of this error is disputed. Note + that the default configuration on Gentoo is to run ProFTPD as an + unprivileged user, and has mod_tls disabled. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ProFTPD users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.0a" +
+ + CVE-2006-5815 + CVE-2006-6170 + CVE-2006-6171 (disputed) + + + falco + + + aetius + + + falco + +
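Review bot: Two typos in the new text: `mutiple` in the synopsis should be `multiple`, and `a buffer overflow in in the mod_tls module` in the description doubles the preposition. The closing remark in the impact section that Gentoo's default configuration runs ProFTPD as an unprivileged user with mod_tls disabled is the advisory's effective mitigation; it would be easier to find under the workaround section, which currently states that none is known.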
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-01.xml b/xml/htdocs/security/en/glsa/glsa-200612-01.xml new file mode 100644 index 00000000..70533c46 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200612-01.xml @@ -0,0 +1,63 @@ + + + + + + + wv library: Multiple integer overflows + + The wv library is vulnerable to multiple integer overflows which could lead + to the execution of arbitrary code. + + wv library + December 07, 2006 + December 07, 2006: 01 + 153800 + remote + + + 1.2.3-r1 + 1.2.3-r1 + + + +

+ wv is a library for conversion of MS Word DOC and RTF files. +

+
+ +

+ The wv library fails to do proper arithmetic checks in multiple places, + possibly leading to integer overflows. +

+
+ +

+ An attacker could craft a malicious file that, when handled with the wv + library, could lead to the execution of arbitrary code with the + permissions of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All wv library users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/wv-1.2.3-r1" +
+ + CVE-2006-4513 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-02.xml b/xml/htdocs/security/en/glsa/glsa-200612-02.xml new file mode 100644 index 00000000..593f5d6a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200612-02.xml @@ -0,0 +1,69 @@ + + + + + + + xine-lib: Buffer overflow + + xine-lib is vulnerable to a buffer overflow in the Real Media input plugin, + which could lead to the execution of arbitrary code. + + xine-lib + December 09, 2006 + December 09, 2006: 01 + 156645 + remote + + + 1.1.2-r3 + 1.1.2-r3 + + + +

+ xine is a portable and reusable multimedia playback engine. xine-lib is + xine's core engine. +

+
+ +

+ A possible buffer overflow has been reported in the Real Media input + plugin. +

+
+ +

+ An attacker could exploit this vulnerability by enticing a user into + loading a specially crafted stream with xine or an application using + xine-lib. This can lead to a Denial of Service and possibly the + execution of arbitrary code with the rights of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.2-r3" +
+ + CVE-2006-6172 + + + DerCorny + + + vorlon + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-03.xml b/xml/htdocs/security/en/glsa/glsa-200612-03.xml new file mode 100644 index 00000000..9c6ed7d4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200612-03.xml @@ -0,0 +1,78 @@ + + + + + + + GnuPG: Multiple vulnerabilities + + GnuPG is vulnerable to a buffer overflow and an erroneous function pointer + dereference that can result in the execution of arbitrary code. + + gnupg + December 10, 2006 + December 10, 2006: 02 + 156476 + 156947 + remote + + + 1.4.6 + 1.4.6 + + + +

+ The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite + of cryptographic software. +

+
+ +

+ Hugh Warrington has reported a boundary error in GnuPG, in the + "ask_outfile_name()" function from openfile.c: the + make_printable_string() function could return a string longer than + expected. Additionally, Tavis Ormandy of the Gentoo Security Team + reported a design error in which a function pointer can be incorrectly + dereferenced. +

+
+ +

+ A remote attacker could entice a user to interactively use GnuPG on a + crafted file and trigger the boundary error, which will result in a + buffer overflow. They could also entice a user to process a signed or + encrypted file with gpg or gpgv, possibly called through another + application like a mail client, to trigger the dereference error. Both + of these vulnerabilities would result in the execution of arbitrary + code with the permissions of the user running GnuPG. gpg-agent, gpgsm + and other tools are not affected. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GnuPG users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "=app-crypt/gnupg-1.4*" +
+ + CVE-2006-6169 + CVE-2006-6235 + + + jaervosz + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-04.xml b/xml/htdocs/security/en/glsa/glsa-200612-04.xml new file mode 100644 index 00000000..f2024ff5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200612-04.xml @@ -0,0 +1,68 @@ + + + + + + + ModPlug: Multiple buffer overflows + + ModPlug contains several boundary errors that could lead to buffer + overflows resulting in the possible execution of arbitrary code. + + libmodplug + December 10, 2006 + December 10, 2006: 01 + 143404 + remote + + + 0.8-r1 + 0.8-r1 + + + +

+ ModPlug is a library for playing MOD-like music. +

+
+ +

+ Luigi Auriemma has reported various boundary errors in load_it.cpp and + a boundary error in the "CSoundFile::ReadSample()" function in + sndfile.cpp. +

+
+ +

+ A remote attacker can entice a user to read crafted modules or ITP + files, which may trigger a buffer overflow resulting in the execution + of arbitrary code with the privileges of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ModPlug users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libmodplug-0.8-r1" +
+ + CVE-2006-4192 + + + vorlon + + + vorlon + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-05.xml b/xml/htdocs/security/en/glsa/glsa-200612-05.xml new file mode 100644 index 00000000..8b84ec4b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200612-05.xml @@ -0,0 +1,70 @@ + + + + + + + KOffice shared libraries: Heap corruption + + An integer overflow in koffice-libs allows for a Denial of Service and + possibly the execution of arbitrary code when viewing malicious PowerPoint + files. + + koffice-libs + December 10, 2006 + December 10, 2006: 01 + 155914 + remote + + + 1.5.0 + 1.5.0 + + + +

+ KOffice is an integrated office suite for KDE. koffice-libs is a + package containing shared librares used by KOffice programs. +

+
+ +

+ Kees Cook of Ubuntu discovered that 'KLaola::readBigBlockDepot()' in + klaola.cc fills 'num_of_bbd_blocks' while reading a .ppt (PowerPoint) + file without proper sanitizing, resulting in an integer overflow + subsequently overwriting the heap with parts of the file being read. +

+
+ +

+ By enticing a user to open a specially crafted PowerPoint file, an + attacker could crash the application and possibly execute arbitrary + code with the rights of the user running KOffice. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All koffice-libs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/koffice-libs-1.5.0" +
+ + CVE-2006-6120 + + + DerCorny + + + frilled + + + jaervosz + +
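Review bot: `shared librares` in the description should be `shared libraries`. The rest of the description and the impact paragraph are consistent with each other and with the single referenced identifier.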
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-06.xml b/xml/htdocs/security/en/glsa/glsa-200612-06.xml new file mode 100644 index 00000000..bfb73e47 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200612-06.xml @@ -0,0 +1,102 @@ + + + + + + + Mozilla Thunderbird: Multiple vulnerabilities + + Multiple vulnerabilities have been identified in Mozilla Thunderbird. + + mozilla-thunderbird + December 10, 2006 + December 10, 2006: 01 + 154448 + remote + + + 1.5.0.8 + 1.5.0.8 + + + 1.5.0.8 + 1.5.0.8 + + + +

+ Mozilla Thunderbird is a popular open-source email client from the + Mozilla Project. +

+
+ +

+ It has been identified that Mozilla Thunderbird improperly handles + Script objects while they are being executed, allowing them to be + modified during execution. JavaScript is disabled in Mozilla + Thunderbird by default. Mozilla Thunderbird has also been found to be + vulnerable to various potential buffer overflows. Lastly, the binary + release of Mozilla Thunderbird is vulnerable to a low exponent RSA + signature forgery issue because it is bundled with a vulnerable version + of NSS. +

+
+ +

+ An attacker could entice a user to view a specially crafted email that + causes a buffer overflow and again executes arbitrary code or causes a + Denial of Service. An attacker could also entice a user to view an + email containing specially crafted JavaScript and execute arbitrary + code with the rights of the user running Mozilla Thunderbird. It is + important to note that JavaScript is off by default in Mozilla + Thunderbird, and enabling it is strongly discouraged. It is also + possible for an attacker to create SSL/TLS or email certificates that + would not be detected as invalid by the binary release of Mozilla + Thunderbird, raising the possibility for Man-in-the-Middle attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Users upgrading to the following releases of Mozilla Thunderbird should + note that this version of Mozilla Thunderbird has been found to not + display certain messages in some cases. +

+

+

+

All Mozilla Thunderbird users should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.5.0.8" +

+ All Mozilla Thunderbird binary release users should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.5.0.8" +
+ + CVE-2006-5462 + CVE-2006-5463 + CVE-2006-5464 + CVE-2006-5747 + CVE-2006-5748 + Mozilla Thunderbird Email Loss Bug + + + jaervosz + + + jaervosz + + + shellsage + +
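Review bot: In the impact section, `causes a buffer overflow and again executes arbitrary code` uses "again" before any earlier mention of code execution, because this advisory puts the buffer-overflow sentence first (the Firefox advisory in the same commit has the opposite order, where the word makes sense). Drop it: `causes a buffer overflow and executes arbitrary code or causes a Denial of Service`. The email-loss caveat placed between the workaround and the upgrade instructions is useful and should stay where it is.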
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-07.xml b/xml/htdocs/security/en/glsa/glsa-200612-07.xml new file mode 100644 index 00000000..23e531e2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200612-07.xml @@ -0,0 +1,89 @@ + + + + + + + Mozilla Firefox: Multiple vulnerabilities + + Multiple vulnerabilities have been reported in Mozilla Firefox. + + mozilla-firefox + December 10, 2006 + December 10, 2006: 01 + 154434 + remote + + + 1.5.0.8 + 1.5.0.8 + + + 1.5.0.8 + 1.5.0.8 + + + +

+ Mozilla Firefox is a popular open-source web browser from the Mozilla + Project. +

+
+ +

+ Mozilla Firefox improperly handles Script objects while they are being + executed. Mozilla Firefox has also been found to be vulnerable to + various possible buffer overflows. Lastly, the binary release of + Mozilla Firefox is vulnerable to a low exponent RSA signature forgery + issue because it is bundled with a vulnerable version of NSS. +

+
+ +

+ An attacker could entice a user to view specially crafted JavaScript + and execute arbitrary code with the rights of the user running Mozilla + Firefox. An attacker could also entice a user to view a specially + crafted web page that causes a buffer overflow and again executes + arbitrary code. It is also possible for an attacker to make up SSL/TLS + certificates that would not be detected as invalid by the binary + release of Mozilla Firefox, raising the possibility for + Man-in-the-Middle attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.8" +

+ All Mozilla Firefox binary release users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.8" +
+ + CVE-2006-5462 + CVE-2006-5463 + CVE-2006-5464 + CVE-2006-5747 + CVE-2006-5748 + + + jaervosz + + + jaervosz + + + shellsage + +
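Review bot: `make up SSL/TLS certificates` in the impact section is informal for what the description calls a signature forgery issue; `forge SSL/TLS certificates` matches the description and the Thunderbird advisory's wording in this commit. Otherwise the description, impact and two resolution blocks are consistent.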
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-08.xml b/xml/htdocs/security/en/glsa/glsa-200612-08.xml new file mode 100644 index 00000000..7087856f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200612-08.xml @@ -0,0 +1,73 @@ + + + + + + + SeaMonkey: Multiple vulnerabilities + + Multiple vulnerabilities have been identified in the SeaMonkey project. + + seamonkey + December 10, 2006 + December 10, 2006: 01 + 154449 + remote + + + 1.0.6 + 1.0.6 + + + +

+ The SeaMonkey project is a community effort to deliver + production-quality releases of code derived from the application + formerly known as 'Mozilla Application Suite'. +

+
+ +

+ The SeaMonkey project is vulnerable to arbitrary JavaScript bytecode + execution and arbitrary code execution. +

+
+ +

+ An attacker could entice a user to load malicious JavaScript or a + malicious web page with a SeaMonkey application and execute arbitrary + code with the rights of the user running those products. It is + important to note that in the SeaMonkey email client, JavaScript is + disabled by default. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SeaMonkey users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.0.6" +
+ + CVE-2006-5462 + CVE-2006-5463 + CVE-2006-5464 + CVE-2006-5747 + CVE-2006-5748 + + + jaervosz + + + shellsage + + + falco + +
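Review bot: The description and impact cover only the JavaScript and arbitrary code execution issues, yet the reference list is the same five identifiers as the Thunderbird and Firefox advisories in this commit, both of which also describe a low exponent RSA signature forgery issue in the bundled NSS for their binary releases. Either SeaMonkey is not affected by that issue, in which case the reference list is wider than the text, or it is and the description is missing it; please confirm against the upstream advisory and align the two. If it applies, a sentence such as `SeaMonkey is also affected by a low exponent RSA signature forgery issue in the bundled NSS.` in the description would close the gap.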
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-09.xml b/xml/htdocs/security/en/glsa/glsa-200612-09.xml new file mode 100644 index 00000000..3821daf9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200612-09.xml @@ -0,0 +1,69 @@ + + + + + + + MadWifi: Kernel driver buffer overflow + + MadWifi is vulnerable to a buffer overflow that could potentially lead to + the remote execution of arbitrary code with root privileges. + + madwifi-ng + December 10, 2006 + December 10, 2006: 01 + 157449 + remote + + + 0.9.2.1 + 0.9.2.1 + + + +

+ MadWifi (Multiband Atheros Driver for Wireless Fidelity) provides a + Linux kernel device driver for Atheros-based Wireless LAN devices. +

+
+ +

+ Laurent Butti, Jerome Raznieski and Julien Tinnes reported a buffer + overflow in the encode_ie() and the giwscan_cb() functions from + ieee80211_wireless.c. +

+
+ +

+ A remote attacker could send specially crafted wireless WPA packets + containing malicious RSN Information Headers (IE) that could + potentially lead to the remote execution of arbitrary code as the root + user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MadWifi users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/madwifi-ng-0.9.2.1" +
+ + CVE-2006-6332 + + + jaervosz + + + falco + + + vorlon + +
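Review bot: `malicious RSN Information Headers (IE)` in the impact section mislabels the structure: in 802.11 the abbreviation IE stands for Information Element, so `malicious RSN Information Elements (IEs)` is the accurate term. The description already names the two affected functions in ieee80211_wireless.c, so only the impact wording needs the fix.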
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-10.xml b/xml/htdocs/security/en/glsa/glsa-200612-10.xml new file mode 100644 index 00000000..fcb66ed5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200612-10.xml @@ -0,0 +1,69 @@ + + + + + + + Tar: Directory traversal vulnerability + + Tar is vulnerable to directory traversal possibly allowing for the + overwriting of arbitrary files. + + tar + December 11, 2006 + December 11, 2006: 01 + 155901 + remote + + + 1.16-r2 + 1.16-r2 + + + +

+ The Tar program provides the ability to create and manipulate tar + archives. +

+
+ +

+ Tar does not properly extract archive elements using the GNUTYPE_NAMES + record name, allowing files to be created at arbitrary locations using + symlinks. Once a symlink is extracted, files after the symlink in the + archive will be extracted to the destination of the symlink. +

+
+ +

+ An attacker could entice a user to extract a specially crafted tar + archive, possibly allowing for the overwriting of arbitrary files on + the system extracting the archive. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Tar users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/tar-1.16-r2" +
+ + CVE-2006-6097 + + + vorlon + + + vorlon + + + shellsage + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-11.xml b/xml/htdocs/security/en/glsa/glsa-200612-11.xml new file mode 100644 index 00000000..b40ac2a3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200612-11.xml @@ -0,0 +1,78 @@ + + + + + + + AMD64 x86 emulation base libraries: OpenSSL multiple vulnerabilities + + OpenSSL contains multiple vulnerabilities including the possible execution + of remote arbitrary code. + + emul-linux-x86-baselibs + December 11, 2006 + December 11, 2006: 01 + 152640 + remote + + + 2.5.5 + 2.5.5 + + + +

+ OpenSSL is a toolkit implementing the Secure Sockets Layer, Transport + Layer Security protocols and a general-purpose cryptography library. + The x86 emulation base libraries for AMD64 contain a vulnerable version + of OpenSSL. +

+
+ +

+ Tavis Ormandy and Will Drewry, both of the Google Security Team, + discovered that the SSL_get_shared_ciphers() function contains a buffer + overflow vulnerability, and that the SSLv2 client code contains a flaw + leading to a crash. Additionally, Dr. Stephen N. Henson found that the + ASN.1 handler contains two Denial of Service vulnerabilities: while + parsing an invalid ASN.1 structure and while handling certain types of + public key. +

+
+ +

+ An attacker could trigger the buffer overflow by sending a malicious + suite of ciphers to an application using the vulnerable function, and + thus execute arbitrary code with the rights of the user running the + application. An attacker could also consume CPU and/or memory by + exploiting the Denial of Service vulnerabilities. Finally, a malicious + server could crash a SSLv2 client through the SSLv2 vulnerability. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All AMD64 x86 emulation base libraries users should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-baselibs-2.5.5" +
+ + CVE-2006-2937 + CVE-2006-2940 + CVE-2006-3738 + CVE-2006-4343 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-12.xml b/xml/htdocs/security/en/glsa/glsa-200612-12.xml new file mode 100644 index 00000000..684c6b20 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200612-12.xml @@ -0,0 +1,70 @@ + + + + + + + F-PROT Antivirus: Multiple vulnerabilities + + F-Prot Antivirus contains a buffer overflow and other unspecified + vulnerabilities, possibly allowing the remote execution of arbitrary code. + + f-prot + December 12, 2006 + December 12, 2006: 01 + 157612 + remote + + + 4.6.7 + 4.6.7 + + + +

+ F-Prot Antivirus is a FRISK Software antivirus program that can used + with procmail. +

+
+ +

+ F-Prot Antivirus version 4.6.7 fixes a heap-based buffer overflow, an + infinite loop, and other unspecified vulnerabilities. +

+
+ +

+ Among other weaker impacts, a remote attacker could send an e-mail + containing a malicious file that would trigger the buffer overflow + vulnerability and execute arbitrary code with the privileges of the + user running F-Prot, which may be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All F-Prot users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/f-prot-4.6.7" +
+ + CVE-2006-6293 + CVE-2006-6294 + CVE-2006-6352 + + + jaervosz + + + jaervosz + + + falco + +
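Review bot: The background paragraph of this advisory drops a verb: `F-Prot Antivirus is a FRISK Software antivirus program that can used with procmail.` Since this text is rendered verbatim on the public GLSA page, it should read `F-Prot Antivirus is a FRISK Software antivirus program that can be used with procmail.` The rest of the advisory (affected range, resolution atom, CVE list) is consistent as far as the hunk shows.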
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-13.xml b/xml/htdocs/security/en/glsa/glsa-200612-13.xml
new file mode 100644
index 00000000..d8b98e1c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200612-13.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ libgsf: Buffer overflow
+
+ libgsf improperly allocates memory allowing for a heap overflow and
+ possibly the execution of arbitrary code.
+
+ libgsf
+ December 12, 2006
+ December 12, 2006: 01
+ 156693
+ remote
+
+
+ 1.14.2
+ 1.14.2
+
+
+
+

+ The GNOME Structured File Library is an I/O library that can read and + write common file types and handle structured formats that provide + file-system-in-a-file semantics. +

+
+ +

+ "infamous41md" has discovered that the "ole_init_info" function may + allocate too little memory for storing the contents of an OLE document, + resulting in a heap buffer overflow. +

+
+ +

+ An attacker could entice a user to open a specially crafted OLE + document, and possibly execute arbitrary code with the rights of the + user opening the document. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libgsf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=gnome-extra/libgsf-1.14.2" +
+ + CVE-2006-4514 + + + jaervosz + + + vorlon + + + shellsage + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-14.xml b/xml/htdocs/security/en/glsa/glsa-200612-14.xml
new file mode 100644
index 00000000..98466e99
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200612-14.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Trac: Cross-site request forgery
+
+ Trac allows remote attackers to execute unauthorized actions as other
+ users.
+
+ trac
+ December 12, 2006
+ December 12, 2006: 01
+ 154574
+ remote
+
+
+ 0.10.1
+ 0.10.1
+
+
+
+

+ Trac is a wiki and issue tracking system for software development + projects. +

+
+ +

+ Trac allows users to perform certain tasks via HTTP requests without + performing correct validation on those requests. +

+
+ +

+ An attacker could entice an authenticated user to browse to a specially + crafted URL, allowing the attacker to execute actions in the Trac + instance as if they were the user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Trac users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/trac-0.10.1" +
+ + CVE-2006-5848 + CVE-2006-5878 + + + jaervosz + + + vorlon + + + shellsage + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-15.xml b/xml/htdocs/security/en/glsa/glsa-200612-15.xml
new file mode 100644
index 00000000..e6d0ef63
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200612-15.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ McAfee VirusScan: Insecure DT_RPATH
+
+ McAfee VirusScan for Linux is distributed with an insecure DT_RPATH,
+ potentially allowing a remote attacker to execute arbitrary code.
+
+ vlnx
+ December 14, 2006
+ December 14, 2006: 01
+ 156989
+ remote
+
+
+ 4510e
+
+
+
+

+ McAfee VirusScan for Linux is a commercial antivirus solution for + Linux. +

+
+ +

+ Jakub Moc of Gentoo Linux discovered that McAfee VirusScan was + distributed with an insecure DT_RPATH which included the current + working directory, rather than $ORIGIN which was probably intended. +

+
+ +

+ An attacker could entice a VirusScan user to scan an arbitrary file and + execute arbitrary code with the privileges of the VirusScan user by + tricking the dynamic loader into loading an untrusted ELF DSO. An + automated system, such as a mail scanner, may be subverted to execute + arbitrary code with the privileges of the process invoking VirusScan. +

+
+ +

+ Do not scan files or execute VirusScan from an untrusted working + directory. +

+
+ +

+ As VirusScan verifies that it has not been modified before executing, + it is not possible to correct the DT_RPATH. Furthermore, this would + violate the license that VirusScan is distributed under. For this + reason, the package has been masked in Portage pending the resolution + of this issue. +

+ + # emerge --ask --verbose --unmerge "app-antivirus/vlnx" +
+ + CVE-2006-6474 + + + taviso + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-16.xml b/xml/htdocs/security/en/glsa/glsa-200612-16.xml
new file mode 100644
index 00000000..06bdd0fd
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200612-16.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ Links: Arbitrary Samba command execution
+
+ Links does not properly validate "smb://" URLs, making it vulnerable to the
+ execution of arbitrary Samba commands.
+
+ links
+ December 14, 2006
+ December 14, 2006: 01
+ 157028
+ remote
+
+
+ 2.1_pre26
+ 2.1_pre26
+
+
+
+

+ Links is a web browser running in both graphics and text modes. +

+
+ +

+ Teemu Salmela discovered that Links does not properly validate "smb://" + URLs when it runs smbclient commands. +

+
+ +

+ A remote attacker could entice a user to browse to a specially crafted + "smb://" URL and execute arbitrary Samba commands, which would allow + the overwriting of arbitrary local files or the upload or the download + of arbitrary files. This vulnerability can be exploited only if + "smbclient" is installed on the victim's computer, which is provided by + the "samba" Gentoo package. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Links users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/links-2.1_pre26" +
+ + CVE-2006-5925 + + + vorlon + + + falco + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-17.xml b/xml/htdocs/security/en/glsa/glsa-200612-17.xml
new file mode 100644
index 00000000..0bb36115
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200612-17.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ GNU Radius: Format string vulnerability
+
+ A format string vulnerabilty has been found in GNU Radius, which could lead
+ to the remote execution of arbitrary code.
+
+ gnuradius
+ December 14, 2006
+ December 14, 2006: 01
+ 156376
+ remote
+
+
+ 1.4
+ 1.4
+
+
+
+

+ GNU Radius is a GNU version of Radius, a server for remote user + authentication and accounting. +

+
+ +

+ A format string vulnerability was found in the sqllog function from the + SQL accounting code for radiusd. That function is only used if one or + more of the "postgresql", "mysql" or "odbc" USE flags are enabled, + which is not the default, except for the "server" 2006.1 and 2007.0 + profiles which enable the "mysql" USE flag. +

+
+ +

+ An unauthenticated remote attacker could execute arbitrary code with + the privileges of the user running radiusd, which may be the root user. + It is important to note that there is no default GNU Radius user for + Gentoo systems because no init script is provided with the package. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GNU Radius users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dialup/gnuradius-1.4" +
+ + CVE-2006-4181 + + + jaervosz + + + jaervosz + + + falco + +
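Review bot: The synopsis of this advisory misspells the key term: `A format string vulnerabilty has been found in GNU Radius, which could lead`. The synopsis is what aggregators and the advisory index show, so it should be corrected to `A format string vulnerability has been found in GNU Radius, which could lead`. The title line above it already uses the correct spelling, so only the synopsis line needs the change.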
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-18.xml b/xml/htdocs/security/en/glsa/glsa-200612-18.xml
new file mode 100644
index 00000000..75500e4d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200612-18.xml
@@ -0,0 +1,61 @@
+
+
+
+
+
+
+ ClamAV: Denial of Service
+
+ ClamAV is vulnerable to Denial of Service.
+
+ clamav
+ December 18, 2006
+ December 18, 2006: 01
+ 157698
+ remote
+
+
+ 0.88.7
+ 0.88.7
+
+
+
+

+ ClamAV is a GPL virus scanner. +

+
+ +

+ Hendrik Weimer discovered that ClamAV fails to properly handle deeply + nested MIME multipart/mixed content. +

+
+ +

+ By sending a specially crafted email with deeply nested MIME + multipart/mixed content an attacker could cause ClamAV to crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.88.7" +
+ + CVE-2006-6481 + + + jaervosz + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-19.xml b/xml/htdocs/security/en/glsa/glsa-200612-19.xml
new file mode 100644
index 00000000..de5a3eef
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200612-19.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ pam_ldap: Authentication bypass vulnerability
+
+ pam_ldap contains a vulnerability that may allow a remote user with a
+ locked account to gain unauthorized system access.
+
+ pam_ldap
+ December 20, 2006
+ December 20, 2006: 01
+ 153916
+ remote
+
+
+ 183
+ 183
+
+
+
+

+ pam_ldap is a Pluggable Authentication Module which allows + authentication against LDAP directories. +

+
+ +

+ Steve Rigler discovered that pam_ldap does not correctly handle + "PasswordPolicyResponse" control responses from an LDAP directory. This + causes the pam_authenticate() function to always succeed, even if the + previous authentication failed. +

+
+ +

+ A locked user may exploit this vulnerability to bypass the LDAP + authentication mechanism, possibly gaining unauthorized access to the + system. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All pam_ldap users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-auth/pam_ldap-183" +
+ + CVE-2006-5170 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-20.xml b/xml/htdocs/security/en/glsa/glsa-200612-20.xml
new file mode 100644
index 00000000..a3153d5b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200612-20.xml
@@ -0,0 +1,74 @@
+
+
+
+
+
+
+ imlib2: Multiple vulnerabilities
+
+ imlib2 contains several vulnerabilities that could lead to the remote
+ execution of arbitrary code or a Denial of Service.
+
+ imlib2
+ December 20, 2006
+ December 20, 2006: 01
+ 154216
+ remote
+
+
+ 1.3.0
+ 1.3.0
+
+
+
+

+ imlib2 is an advanced replacement for image manipulation libraries such + as libXpm. It is utilized by numerous programs, including gkrellm and + several window managers, to display images. +

+
+ +

+ M. Joonas Pihlaja discovered several buffer overflows in loader_argb.c, + loader_png.c, loader_lbm.c, loader_jpeg.c, loader_tiff.c, loader_tga.c, + loader_pnm.c and an out-of-bounds memory read access in loader_tga.c. +

+
+ +

+ An attacker can entice a user to process a specially crafted JPG, ARGB, + PNG, LBM, PNM, TIFF, or TGA image with an "imlib2*" binary or another + application using the imlib2 libraries. Successful exploitation of the + buffer overflows causes the execution of arbitrary code with the + permissions of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All imlib2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/imlib2-1.3.0" +
+ + CVE-2006-4806 + CVE-2006-4807 + CVE-2006-4808 + CVE-2006-4809 + + + jaervosz + + + vorlon + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200612-21.xml b/xml/htdocs/security/en/glsa/glsa-200612-21.xml
new file mode 100644
index 00000000..b9f8fc38
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200612-21.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ Ruby: Denial of Service vulnerability
+
+ The Ruby cgi.rb CGI library is vulnerable to a Denial of Service attack.
+
+ ruby
+ December 20, 2006
+ December 20, 2006: 01
+ 157048
+ remote
+
+
+ 1.8.5_p2
+ 1.8.5_p2
+
+
+
+

+ Ruby is a dynamic, open source programming language with a focus on + simplicity and productivity. +

+
+ +

+ The read_multipart function of the CGI library shipped with Ruby + (cgi.rb) does not properly check boundaries in MIME multipart content. + This is a different issue than GLSA 200611-12. +

+
+ +

+ The vulnerability can be exploited by sending the cgi.rb library a + crafted HTTP request with multipart MIME encoding that contains a + malformed MIME boundary specifier. Successful exploitation of the + vulnerability causes the library to go into an infinite loop. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ruby users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.5_p2" +
+ + CVE-2006-6303 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-01.xml b/xml/htdocs/security/en/glsa/glsa-200701-01.xml
new file mode 100644
index 00000000..d49d2a45
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-01.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ DenyHosts: Denial of Service
+
+ DenyHosts does not correctly parse log entries, potentially causing a
+ remote Denial of Service.
+
+ denyhosts
+ January 03, 2007
+ January 03, 2007: 01
+ 157163
+ remote
+
+
+ 2.6
+ 2.6
+
+
+
+

+ DenyHosts is designed to monitor SSH servers for repeated failed login + attempts. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that + DenyHosts used an incomplete regular expression to parse failed login + attempts. +

+
+ +

+ A remote unauthenticated attacker can add arbitrary hosts to the + blacklist by attempting to login with a specially crafted username. An + attacker may use this to prevent legitimate users from accessing a host + remotely. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All DenyHosts users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/denyhosts-2.6" +
+ + CVE-2006-6301 + + + taviso + + + taviso + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-02.xml b/xml/htdocs/security/en/glsa/glsa-200701-02.xml
new file mode 100644
index 00000000..ac181ec9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-02.xml
@@ -0,0 +1,90 @@
+
+
+
+
+
+
+ Mozilla Firefox: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been reported in Mozilla Firefox, some of
+ which may allow the remote execution of arbitrary code.
+
+ mozilla-firefox
+ January 04, 2007
+ January 04, 2007: 01
+ 156023
+ remote
+
+
+ 1.5.0.9
+ 1.5.0.9
+
+
+ 1.5.0.9
+ 1.5.0.9
+
+
+
+

+ Mozilla Firefox is a popular open-source web browser from the Mozilla + Project. +

+
+ +

+ An anonymous researcher found evidence of memory corruption in the way + Mozilla Firefox handles certain types of SVG comment DOM nodes. + Additionally, Frederik Reiss discovered a heap-based buffer overflow in + the conversion of a CSS cursor. Other issues with memory corruption + were also fixed. Mozilla Firefox also contains less severe + vulnerabilities involving JavaScript and Java. +

+
+ +

+ An attacker could entice a user to view a specially crafted web page + that will trigger one of the vulnerabilities, possibly leading to the + execution of arbitrary code. It is also possible for an attacker to + perform cross-site scripting attacks, leading to the exposure of + sensitive information, like user credentials. +

+
+ +

+ There are no known workarounds for all the issues at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.9" +

+ All Mozilla Firefox binary release users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.9" +
+ + CVE-2006-6497 + CVE-2006-6498 + CVE-2006-6499 + CVE-2006-6500 + CVE-2006-6501 + CVE-2006-6502 + CVE-2006-6503 + CVE-2006-6504 + CVE-2006-6506 + CVE-2006-6507 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-03.xml b/xml/htdocs/security/en/glsa/glsa-200701-03.xml
new file mode 100644
index 00000000..7ca05a20
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-03.xml
@@ -0,0 +1,88 @@
+
+
+
+
+
+
+ Mozilla Thunderbird: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been reported in Mozilla Thunderbird, some of
+ which may allow the remote execution of arbitrary code.
+
+ mozilla-thunderbird
+ January 04, 2007
+ January 04, 2007: 01
+ 158571
+ remote
+
+
+ 1.5.0.9
+ 1.5.0.9
+
+
+ 1.5.0.9
+ 1.5.0.9
+
+
+
+

+ Mozilla Thunderbird is a popular open-source email client from the + Mozilla Project. +

+
+ +

+ Georgi Guninski and David Bienvenu discovered buffer overflows in the + processing of long "Content-Type:" and long non-ASCII MIME headers. + Additionally, Frederik Reiss discovered a heap-based buffer overflow in + the conversion of a CSS cursor. Different vulnerabilities involving + memory corruption in the browser engine were also fixed. Mozilla + Thunderbird also contains less severe vulnerabilities involving + JavaScript and Java. +

+
+ +

+ An attacker could entice a user to view a specially crafted email that + will trigger one of these vulnerabilities, possibly leading to the + execution of arbitrary code. An attacker could also perform cross-site + scripting attacks, leading to the exposure of sensitive information, + like user credentials. Note that the execution of JavaScript or Java + applets is disabled by default and enabling it is strongly discouraged. +

+
+ +

+ There are no known workarounds for all the issues at this time. +

+
+ +

+ All Mozilla Thunderbird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.5.0.9" +

+ All Mozilla Thunderbird binary release users should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.5.0.9" +
+ + CVE-2006-6497 + CVE-2006-6500 + CVE-2006-6501 + CVE-2006-6502 + CVE-2006-6503 + CVE-2006-6505 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-04.xml b/xml/htdocs/security/en/glsa/glsa-200701-04.xml
new file mode 100644
index 00000000..16a03ad5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-04.xml
@@ -0,0 +1,84 @@
+
+
+
+
+
+
+ SeaMonkey: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been reported in the SeaMonkey project, some
+ of which may allow the remote execution of arbitrary code.
+
+ seamonkey
+ January 10, 2007
+ January 10, 2007: 01
+ 158576
+ remote
+
+
+ 1.0.7
+ 1.0.7
+
+
+
+

+ The SeaMonkey project is a community effort to deliver + production-quality releases of code derived from the application + formerly known as the 'Mozilla Application Suite'. +

+
+ +

+ An anonymous researcher found evidence of memory corruption in the way + SeaMonkey handles certain types of SVG comment DOM nodes. Georgi + Guninski and David Bienvenu discovered buffer overflows in the + processing of long "Content-Type:" and long non-ASCII MIME email + headers. Additionally, Frederik Reiss discovered a heap-based buffer + overflow in the conversion of a CSS cursor. Several other issues with + memory corruption were also fixed. SeaMonkey also contains less severe + vulnerabilities involving JavaScript and Java. +

+
+ +

+ An attacker could entice a user to load malicious JavaScript or a + malicious web page with a SeaMonkey application, possibly leading to + the execution of arbitrary code with the rights of the user running + those products. An attacker could also perform cross-site scripting + attacks, leading to the exposure of sensitive information, like user + credentials. Note that the execution of JavaScript or Java applets is + disabled by default in the SeaMonkey email client, and enabling it is + strongly discouraged. +

+
+ +

+ There are no known workarounds for all the issues at this time. +

+
+ +

+ All SeaMonkey users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.0.7" +
+ + CVE-2006-6497 + CVE-2006-6498 + CVE-2006-6499 + CVE-2006-6500 + CVE-2006-6501 + CVE-2006-6502 + CVE-2006-6503 + CVE-2006-6504 + CVE-2006-6505 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-05.xml b/xml/htdocs/security/en/glsa/glsa-200701-05.xml
new file mode 100644
index 00000000..55e9b1de
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-05.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ KDE kfile JPEG info plugin: Denial of Service
+
+ The KDE kfile JPEG info plugin of kdegraphics could enter an endless loop
+ leading to a Denial of Service.
+
+ kdegraphics-kfile-plugins
+ January 12, 2007
+ January 12, 2007: 01
+ 155949
+ remote
+
+
+ 3.5.5-r1
+ 3.5.5-r1
+
+
+
+

+ The KDE kfile-info JPEG plugin provides meta-information about JPEG + files. +

+
+ +

+ Marcus Meissner of the SUSE security team discovered a stack overflow + vulnerability in the code processing EXIF information in the kfile JPEG + info plugin. +

+
+ +

+ A remote attacker could entice a user to view a specially crafted JPEG + image with a KDE application like Konqueror or digiKam, leading to a + Denial of Service by an infinite recursion. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All KDE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-kfile-plugins-3.5.5-r1" +
+ + CVE-2006-6297 + + + jaervosz + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-06.xml b/xml/htdocs/security/en/glsa/glsa-200701-06.xml
new file mode 100644
index 00000000..a90195db
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-06.xml
@@ -0,0 +1,64 @@
+
+
+
+
+
+
+ w3m: Format string vulnerability
+
+ w3m does not correctly handle format string specifiers in SSL certificates.
+
+ w3m
+ January 12, 2007
+ January 12, 2007: 01
+ 159145
+ remote
+
+
+ 0.5.1-r4
+ 0.5.1-r4
+
+
+
+

+ w3m is a multi-platform text-based web browser. +

+
+ +

+ w3m in -dump or -backend mode does not correctly handle printf() format + string specifiers in the Common Name (CN) field of an X.509 SSL + certificate. +

+
+ +

+ An attacker could entice a user to visit a malicious website that would + load a specially crafted X.509 SSL certificate containing "%n" or other + format string specifiers, possibly resulting in the execution of + arbitrary code with the rights of the user running w3m. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All w3m users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/w3m-0.5.1-r4" +
+ + CVE-2006-6772 + + + aetius + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-07.xml b/xml/htdocs/security/en/glsa/glsa-200701-07.xml
new file mode 100644
index 00000000..49997936
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-07.xml
@@ -0,0 +1,81 @@
+
+
+
+
+
+
+ OpenOffice.org: EMF/WMF file handling vulnerabilities
+
+ A truncation error and integer overflows in the EMF/WMF file handling of
+ OpenOffice.org could be exploited to execute arbitrary code.
+
+ openoffice
+ January 12, 2007
+ January 12, 2007: 01
+ 159951
+ remote
+
+
+ 2.1.0
+ 2.1.0
+
+
+ 2.0.4
+ 2.0.4
+
+
+
+

+ OpenOffice.org is an open source office productivity suite, including + word processing, spreadsheet, presentation, drawing, data charting, + formula editing, and file conversion facilities. +

+
+ +

+ John Heasman of NGSSoftware has discovered integer overflows in the + EMR_POLYPOLYGON and EMR_POLYPOLYGON16 processing and an error within + the handling of META_ESCAPE records. +

+
+ +

+ An attacker could exploit these vulnerabilities to cause heap overflows + and potentially execute arbitrary code with the privileges of the user + running OpenOffice.org by enticing the user to open a document + containing a malicious WMF/EMF file. +

+
+ +

+ There is no known workaround known at this time. +

+
+ +

+ All OpenOffice.org binary users should update to version 2.1.0 or + later: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.1.0" +

+ All OpenOffice.org users should update to version 2.0.4 or later: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-2.0.4" +
+ + CVE-2006-5870 + + + DerCorny + + + DerCorny + + + falco + +
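Review bot: The workaround paragraph of this advisory doubles a word: `There is no known workaround known at this time.` Every other advisory in this commit uses the standard phrasing, so this one should match: `There is no known workaround at this time.` The two resolution blocks (2.1.0 for the binary package, 2.0.4 for the source package) agree with the affected-version list in the header, so no other change is needed in this hunk.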
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-08.xml b/xml/htdocs/security/en/glsa/glsa-200701-08.xml
new file mode 100644
index 00000000..5f4c82a9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-08.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ Opera: Two remote code execution vulnerabilities
+
+ Two vulnerabilities may allow the execution of arbitrary code.
+
+ opera
+ January 12, 2007
+ January 12, 2007: 01
+ 160369
+ remote
+
+
+ 9.10
+ 9.10
+
+
+
+

+ Opera is a multi-platform web browser. +

+
+ +

+ Christoph Deal discovered that JPEG files with a specially crafted DHT + marker can be exploited to cause a heap overflow. Furthermore, an + anonymous person discovered that Opera does not correctly handle + objects passed to the "createSVGTransformFromMatrix()" function. +

+
+ +

+ An attacker could potentially exploit the vulnerabilities to execute + arbitrary code with the privileges of the user running Opera by + enticing a victim to open a specially crafted JPEG file or a website + containing malicious JavaScript code. +

+
+ +

+ The vendor recommends disabling JavaScript to avoid the + "createSVGTransformFromMatrix" vulnerability. There is no known + workaround for the other vulnerability. +

+
+ +

+ All Opera users should update to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/opera-9.10" +
+ + Opera Advisory (createSVGTransformFromMatrix) + Opera Advisory (JPEG) + CVE-2007-0126 + CVE-2007-0127 + + + DerCorny + + + DerCorny + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-09.xml b/xml/htdocs/security/en/glsa/glsa-200701-09.xml
new file mode 100644
index 00000000..d74811e8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-09.xml
@@ -0,0 +1,61 @@
+
+
+
+
+
+
+ oftpd: Denial of Service
+
+ An assertion in oftpd could lead to a denial of service vulnerability.
+
+ oftpd
+ January 15, 2007
+ January 15, 2007: 01
+ 159178
+ remote
+
+
+ 0.3.7-r3
+ 0.3.7-r3
+
+
+
+

+ oftpd is a small, anonymous only ftp daemon. +

+
+ +

+ By specifying an unsupported address family in the arguments to a LPRT + or LPASV command, an assertion in oftpd will cause the daemon to abort. +

+
+ +

+ Remote, unauthenticated attackers may be able to terminate any oftpd + process, denying service to legitimate users. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All oftpd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/oftpd-0.3.7-r3" +
+ + CVE-2006-6767 + + + taviso + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-10.xml b/xml/htdocs/security/en/glsa/glsa-200701-10.xml
new file mode 100644
index 00000000..f2b8e829
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-10.xml
@@ -0,0 +1,78 @@
+
+
+
+
+
+
+ WordPress: Multiple vulnerabilities
+
+ WordPress is vulnerable to SQL injection, information disclosure, and
+ cross-site scripting attacks.
+
+ wordpress
+ January 15, 2007
+ January 15, 2007: 01
+ 159229
+ remote
+
+
+ 2.0.6
+ 2.0.6
+
+
+
+

+ WordPress is a popular personal publishing platform with a web + interface. +

+
+ +

+ When decoding trackbacks with alternate character sets, WordPress does + not correctly sanitize the entries before further modifying a SQL + query. WordPress also displays different error messages in wp-login.php + based upon whether or not a user exists. David Kierznowski has + discovered that WordPress fails to properly sanitize recent file + information in /wp-admin/templates.php before sending that information + to a browser. +

+
+ +

+ An attacker could inject arbitrary SQL into WordPress database queries. + An attacker could also determine if a WordPress user existed by trying + to login as that user, better facilitating brute force attacks. Lastly, + an attacker authenticated to view the administrative section of a + WordPress instance could try to edit a file with a malicious filename; + this may cause arbitrary HTML or JavaScript to be executed in users' + browsers viewing /wp-admin/templates.php. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All WordPress users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/wordpress-2.0.6" +
+ + CVE-2006-6808 + CVE-2007-0107 + CVE-2007-0109 + + + vorlon + + + shellsage + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-11.xml b/xml/htdocs/security/en/glsa/glsa-200701-11.xml
new file mode 100644
index 00000000..f09c2b64
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-11.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ Kronolith: Local file inclusion
+
+ Kronolith contains a flaw that could allow the execution of arbitrary
+ files.
+
+ horde-kronolith
+ January 16, 2007
+ January 16, 2007: 01
+ 156627
+ remote
+
+
+ 2.1.4
+ 2.1.4
+
+
+
+

+ Kronolith is a web-based calendar which relies on the Horde Framework + for integration with other applications. +

+
+ +

+ Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered + string is used instead of a sanitized string to view local files. +

+
+ +

+ An authenticated attacker could craft an HTTP GET request that uses + directory traversal techniques to execute any file on the web server as + PHP code, which could allow information disclosure or arbitrary code + execution with the rights of the user running the PHP application + (usually the webserver user). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All horde-kronolith users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-kronolith-2.1.4" +
+ + CVE-2006-6175 + + + falco + + + falco + + + aetius + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-12.xml b/xml/htdocs/security/en/glsa/glsa-200701-12.xml
new file mode 100644
index 00000000..5f896df3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-12.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ Mono: Information disclosure
+
+ Mono does not properly sanitize pathnames allowing unauthorized information
+ disclosure.
+
+ mono
+ January 16, 2007
+ January 17, 2007: 02
+ 159886
+ remote
+
+
+ 1.2.2.1
+ 1.2.2.1
+
+
+
+

+ Mono provides the necessary software to develop and run .NET client and + server applications on various platforms. +

+
+ +

+ Jose Ramon Palanco has discovered that the System.Web class in the XSP + for the ASP.NET server 1.1 through 2.0 in Mono does not properly + validate or sanitize local pathnames which could allow server-side file + content disclosure. +

+
+ +

+ An attacker could append a space character to a URI and obtain + unauthorized access to the source code of server-side files. An + attacker could also read credentials by requesting Web.Config%20 from a + Mono server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mono users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/mono-1.2.2.1" +
+ + CVE-2006-6104 + + + jaervosz + + + falco + + + shellsage + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-13.xml b/xml/htdocs/security/en/glsa/glsa-200701-13.xml
new file mode 100644
index 00000000..18a28efd
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-13.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ Fetchmail: Denial of Service and password disclosure
+
+ Fetchmail has been found to have numerous vulnerabilities allowing for
+ Denial of Service and password disclosure.
+
+ fetchmail
+ January 22, 2007
+ January 22, 2007: 01
+ 160463
+ remote
+
+
+ 6.3.6
+ 6.3.6
+
+
+
+

+ Fetchmail is a remote mail retrieval and forwarding utility. +

+
+ +

+ Neil Hoggarth has discovered that when delivering messages to a message + delivery agent by means of the "mda" option, Fetchmail passes a NULL + pointer to the ferror() and fflush() functions when refusing a message. + Isaac Wilcox has discovered numerous means of plain-text password + disclosure due to errors in secure connection establishment. +

+
+ +

+ An attacker could deliver a message via Fetchmail to a message delivery + agent configured to refuse the message, and crash the Fetchmail + process. SMTP and LMTP delivery modes are not affected by this + vulnerability. An attacker could also perform a Man-in-the-Middle + attack, and obtain plain-text authentication credentials of users + connecting to a Fetchmail process. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All fetchmail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.3.6" +
+ + CVE-2006-5867 + CVE-2006-5974 + + + falco + + + falco + + + shellsage + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-14.xml b/xml/htdocs/security/en/glsa/glsa-200701-14.xml
new file mode 100644
index 00000000..78234654
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-14.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Mod_auth_kerb: Denial of Service
+
+ Mod_auth_kerb is vulnerable to a buffer overflow possibly allowing a Denial
+ of Service.
+
+ mod_auth_kerb
+ January 22, 2007
+ December 30, 2007: 02
+ 155782
+ remote
+
+
+ 5.0_rc7-r1
+ 5.0_rc7-r1
+
+
+
+

+ Mod_auth_kerb is an Apache authentication module using Kerberos.
+

+
+
+

+ Mod_auth_kerb improperly handles component byte encoding in the
+ der_get_oid() function, allowing for a buffer overflow to occur if
+ there are no components which require more than one byte for encoding.
+

+
+
+

+ An attacker could try to access a Kerberos protected resource on an
+ Apache server with an incorrectly configured service principal and
+ crash the server process. It is important to note that this buffer
+ overflow is not known to allow for the execution of code.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All mod_auth_kerb users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apache/mod_auth_kerb-5.0_rc7-r1"
+
+
+ CVE-2006-5989
+
+
+ falco
+
+
+ falco
+
+
+ shellsage
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-15.xml b/xml/htdocs/security/en/glsa/glsa-200701-15.xml
new file mode 100644
index 00000000..ad2822cb
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-15.xml
@@ -0,0 +1,99 @@
+
+
+
+
+
+
+ Sun JDK/JRE: Multiple vulnerabilities
+
+ Multiple unspecified vulnerabilities have been identified in Sun Java
+ Development Kit (JDK) and Java Runtime Environment (JRE).
+
+ java
+ January 22, 2007
+ July 16, 2008: 04
+ 158659
+ remote
+
+
+ 1.5.0.09
+ 1.4.2.18
+ 1.4.2.17
+ 1.4.2.15
+ 1.4.2.14
+ 1.4.2.13
+ 1.5.0.09
+
+
+ 1.5.0.09
+ 1.4.2.18
+ 1.4.2.17
+ 1.4.2.15
+ 1.4.2.14
+ 1.4.2.13
+ 1.5.0.09
+
+
+
+

+ The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment
+ (JRE) provide the Sun Java platform.
+

+
+
+

+ Chris Evans has discovered multiple buffer overflows in Sun JDK and Sun
+ JRE possibly related to various AWT or font layout functions. Tom
+ Hawtin has discovered an unspecified vulnerability in Sun JDK and Sun
+ JRE relating to unintended applet data access. He has also discovered
+ multiple other unspecified vulnerabilities in Sun JDK and Sun JRE
+ allowing unintended Java applet or application resource acquisition.
+

+
+
+

+ An attacker could entice a user to run a specially crafted Java applet
+ or application that could read, write, or execute local files with the
+ privileges of the user running the JVM; access data maintained in other
+ Java applets; or escalate the privileges of the currently running Java
+ applet or application allowing for unauthorized access to system
+ resources.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All Sun Java Development Kit users should upgrade to the latest
+ version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "dev-java/sun-jdk"
+

+ All Sun Java Runtime Environment users should upgrade to the latest
+ version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "dev-java/sun-jre-bin"
+
+
+ CVE-2006-6731
+ CVE-2006-6736
+ CVE-2006-6737
+ CVE-2006-6745
+
+
+ falco
+
+
+ falco
+
+
+ shellsage
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-16.xml b/xml/htdocs/security/en/glsa/glsa-200701-16.xml
new file mode 100644
index 00000000..c464b483
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-16.xml
@@ -0,0 +1,86 @@
+
+
+
+
+
+
+ Adobe Acrobat Reader: Multiple vulnerabilities
+
+ Adobe Acrobat Reader is vulnerable to remote code execution, Denial of
+ Service, and cross-site scripting attacks.
+
+ acroread
+ January 22, 2007
+ January 22, 2007: 01
+ 159874
+ remote
+
+
+ 7.0.9
+ 7.0.9
+
+
+
+

+ Adobe Acrobat Reader is a PDF reader released by Adobe.
+

+
+
+

+ Adobe Acrobat Reader in stand-alone mode is vulnerable to remote code
+ execution via heap corruption when loading a specially crafted PDF
+ file.
+

+

+ The browser plugin released with Adobe Acrobat Reader (nppdf.so) does
+ not properly handle URLs, and crashes if given a URL that is too long.
+ The plugin does not correctly handle JavaScript, and executes
+ JavaScript that is given as a GET variable to the URL of a PDF file.
+ Lastly, the plugin does not properly handle the FDF, xml, xfdf AJAX
+ request parameters following the # character in a URL, allowing for
+ multiple cross-site scripting vulnerabilities.
+

+
+
+

+ An attacker could entice a user to open a specially crafted PDF file
+ and execute arbitrary code with the rights of the user running Adobe
+ Acrobat Reader. An attacker could also entice a user to browse to a
+ specially crafted URL and either crash the Adobe Acrobat Reader browser
+ plugin, execute arbitrary JavaScript in the context of the user's
+ browser, or inject arbitrary HTML or JavaScript into the document being
+ viewed by the user. Note that users who have emerged Adobe Acrobat
+ Reader with the "nsplugin" USE flag disabled are not vulnerable to
+ issues with the Adobe Acrobat Reader browser plugin.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All Adobe Acrobat Reader users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/acroread-7.0.9"
+
+
+ CVE-2006-5857
+ CVE-2007-0044
+ CVE-2007-0045
+ CVE-2007-0046
+ CVE-2007-0048
+
+
+ falco
+
+
+ shellsage
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-17.xml b/xml/htdocs/security/en/glsa/glsa-200701-17.xml
new file mode 100644
index 00000000..9f18d646
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-17.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ libgtop: Privilege escalation
+
+ libgtop improperly handles filenames, possibly allowing for the execution
+ of arbitrary code.
+
+ libgtop
+ January 23, 2007
+ January 23, 2007: 01
+ 162169
+ local
+
+
+ 2.14.6
+ 2.14.6
+
+
+
+

+ libgtop facilitates the libgtop_daemon, which is used by GNOME to
+ obtain information about remote systems.
+

+
+
+

+ Liu Qishuai discovered that glibtop_get_proc_map_s() in
+ sysdeps/linux/procmap.c does not properly allocate memory for storing a
+ filename, allowing certain filenames to cause the buffer to overflow on
+ the stack.
+

+
+
+

+ By tricking a victim into executing an application that uses the
+ libgtop library (e.g. libgtop_daemon or gnome-system-monitor), a local
+ attacker could specify a specially crafted filename to be used by
+ libgtop causing a buffer overflow and possibly execute arbitrary code
+ with the rights of the user running the application.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All libgtop users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=gnome-base/libgtop-2.14.6"
+
+
+ CVE-2007-0235
+
+
+ falco
+
+
+ shellsage
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-18.xml b/xml/htdocs/security/en/glsa/glsa-200701-18.xml
new file mode 100644
index 00000000..03cd64b1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-18.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ xine-ui: Format string vulnerabilities
+
+ xine-ui improperly handles format strings, possibly allowing for the
+ execution of arbitrary code.
+
+ xine-ui
+ January 23, 2007
+ January 23, 2007: 01
+ 161558
+ remote
+
+
+ 0.99.5_pre20060716
+ 0.99.5_pre20060716
+
+
+
+

+ xine-ui is a skin-based user interface for xine. xine is a free
+ multimedia player. It plays CDs, DVDs, and VCDs, and can also decode
+ other common multimedia formats.
+

+
+
+

+ Due to the improper handling and use of format strings, the
+ errors_create_window() function in errors.c does not safely write data
+ to memory.
+

+
+
+

+ An attacker could entice a user to open a specially crafted media file
+ with xine-ui, and possibly execute arbitrary code.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All xine-ui users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-video/xine-ui-0.99.5_pre20060716"
+
+
+ CVE-2007-0254
+
+
+ falco
+
+
+ falco
+
+
+ shellsage
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-19.xml b/xml/htdocs/security/en/glsa/glsa-200701-19.xml
new file mode 100644
index 00000000..e47c4fce
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-19.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+ OpenLDAP: Insecure usage of /tmp during installation
+
+ A shell script commonly released with OpenLDAP makes insecure usage of
+ files in /tmp during the emerge process.
+
+ openldap
+ January 23, 2007
+ March 11, 2007: 02
+ 159508
+ local
+
+
+ 2.1.30-r10
+ 2.2.28-r7
+ 2.3.30-r2
+ 2.1.30-r10
+ 2.2.28-r7
+ 2.3.30-r2
+
+
+
+

+ OpenLDAP Software is an open source implementation of the Lightweight
+ Directory Access Protocol.
+

+
+
+

+ Tavis Ormandy of the Gentoo Linux Security Team has discovered that the
+ file gencert.sh distributed with the Gentoo ebuild for OpenLDAP does
+ not exit upon the existence of a directory in /tmp during installation
+ allowing for directory traversal.
+

+
+
+

+ A local attacker could create a symbolic link in /tmp and potentially
+ overwrite arbitrary system files upon a privileged user emerging
+ OpenLDAP.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All OpenLDAP users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "net-nds/openldap"
+
+
+ CVE-2007-0476
+
+
+ falco
+
+
+ falco
+
+
+ shellsage
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-20.xml b/xml/htdocs/security/en/glsa/glsa-200701-20.xml
new file mode 100644
index 00000000..28c18231
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-20.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Centericq: Remote buffer overflow in LiveJournal handling
+
+ Centericq does not properly handle communications with the LiveJournal
+ service, allowing for the remote execution of arbitrary code.
+
+ centericq
+ January 24, 2007
+ January 24, 2007: 01
+ 160793
+ remote
+
+
+ 4.21.0-r2
+
+
+
+

+ Centericq is a text mode menu-driven and window-driven instant
+ messaging interface.
+

+
+
+

+ When interfacing with the LiveJournal service, Centericq does not
+ appropriately allocate memory for incoming data, in some cases creating
+ a buffer overflow.
+

+
+
+

+ An attacker could entice a user to connect to an unofficial LiveJournal
+ server causing Centericq to read specially crafted data from the
+ server, which could lead to the execution of arbitrary code with the
+ rights of the user running Centericq.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ Currently, Centericq is unmaintained. As such, Centericq has been
+ masked in Portage until it is again maintained.
+

+
+ # emerge --ask --verbose --unmerge "net-im/centericq"
+
+
+ CVE-2007-0160
+
+
+ falco
+
+
+ falco
+
+
+ shellsage
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-21.xml b/xml/htdocs/security/en/glsa/glsa-200701-21.xml
new file mode 100644
index 00000000..c7f4e564
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-21.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ MIT Kerberos 5: Arbitrary Remote Code Execution
+
+ Multiple vulnerabilities in MIT Kerberos 5 could potentially result in the
+ execution of arbitrary code.
+
+ mit-krb5
+ January 24, 2007
+ January 24, 2007: 01
+ 158810
+ remote
+
+
+ 1.5.2
+ 1.5.2
+
+
+
+

+ MIT Kerberos 5 is a suite of applications that implement the Kerberos
+ network protocol.
+

+
+
+

+ The Kerberos administration daemon, and possibly other applications
+ using the GSS-API or RPC libraries, could potentially call a function
+ pointer in a freed heap buffer, or attempt to free an uninitialized
+ pointer.
+

+
+
+

+ A remote attacker may be able to crash an affected application, or
+ potentially execute arbitrary code with root privileges.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All MIT Kerberos 5 users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.5.2"
+
+
+ CVE-2006-6143
+ CVE-2006-6144
+
+
+ falco
+
+
+ taviso
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-22.xml b/xml/htdocs/security/en/glsa/glsa-200701-22.xml
new file mode 100644
index 00000000..1a2e577e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-22.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Squid: Multiple Denial of Service vulnerabilities
+
+ Two vulnerabilities have been found in Squid which make it susceptible to
+ Denial of Service attacks.
+
+ squid
+ January 25, 2007
+ January 25, 2007: 01
+ 162364
+ remote
+
+
+ 2.6.7
+ 2.6.7
+
+
+
+

+ Squid is a multi-protocol proxy server.
+

+
+
+

+ Squid fails to correctly handle ftp:// URI's. There is also an error in
+ the external_acl queue which can cause an infinite looping condition.
+

+
+
+

+ An attacker could attempt to retrieve a specially crafted URI via a
+ Squid server causing the service to crash. If an attacker could
+ generate a sufficiently high load on the Squid services, they could
+ cause a Denial of Service by forcing Squid into an infinite loop.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All Squid users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-proxy/squid-2.6.7"
+
+
+ CVE-2007-0247
+ CVE-2007-0248
+
+
+ vorlon
+
+
+ hyakuhei
+
+
+ hyakuhei
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-23.xml b/xml/htdocs/security/en/glsa/glsa-200701-23.xml
new file mode 100644
index 00000000..5a4af2f6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-23.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ Cacti: Command execution and SQL injection
+
+ Cacti has three vulnerabilities that could allow shell command execution or
+ SQL injection.
+
+ cacti
+ January 26, 2007
+ January 26, 2007: 01
+ 159278
+ remote
+
+
+ 0.8.6i-r1
+ 0.8.6i-r1
+
+
+
+

+ Cacti is a web-based network graphing and reporting tool.
+

+
+
+

+ rgod discovered that the Cacti cmd.php and copy_cacti_user.php scripts
+ do not properly control access to the command shell, and are remotely
+ accessible by unauthenticated users. This allows SQL injection via
+ cmd.php and copy_cacti_user.php URLs. Further, the results from the
+ injected SQL query are not properly sanitized before being passed to a
+ command shell. The vulnerabilities require that the
+ "register_argc_argv" option is enabled, which is the Gentoo default.
+ Also, a number of similar problems in other scripts were reported.
+

+
+
+

+ These vulnerabilties can result in the execution of arbitrary shell
+ commands or information disclosure via crafted SQL queries.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All Cacti users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.6i-r1"
+
+
+ CVE-2006-6799
+
+
+ falco
+
+
+ aetius
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-24.xml b/xml/htdocs/security/en/glsa/glsa-200701-24.xml
new file mode 100644
index 00000000..e61e0c93
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-24.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ VLC media player: Format string vulnerability
+
+ VLC media player improperly handles format strings, allowing for the
+ execution of arbitrary code.
+
+ vlc
+ January 26, 2007
+ January 26, 2007: 01
+ 159845
+ remote
+
+
+ 0.8.6-r1
+ 0.8.6-r1
+
+
+
+

+ VLC media player is a multimedia player for various audio and video
+ formats.
+

+
+
+

+ Kevin Finisterre has discovered that when handling media locations,
+ various functions throughout VLC media player make improper use of
+ format strings.
+

+
+
+

+ An attacker could entice a user to open a specially crafted media
+ location or M3U file with VLC media player, and execute arbitrary code
+ on the system with the rights of the user running VLC media player.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All VLC media player users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-video/vlc-0.8.6-r1"
+
+
+ CVE-2007-0017
+
+
+ falco
+
+
+ falco
+
+
+ shellsage
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-25.xml b/xml/htdocs/security/en/glsa/glsa-200701-25.xml
new file mode 100644
index 00000000..35b38102
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-25.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ X.Org X server: Multiple vulnerabilities
+
+ Sean Larsson from iDefense Labs has found multiple vulnerabilities in the
+ DBE and Render extensions.
+
+ X.Org
+ January 27, 2007
+ February 26, 2007: 02
+ 157421
+ local
+
+
+ 1.1.1-r4
+ 1.1.1-r4
+
+
+
+

+ The X Window System is a graphical windowing system based on a
+ client/server model.
+

+
+
+

+ Multiple memory corruption vulnerabilities have been found in the
+ ProcDbeGetVisualInfo() and the ProcDbeSwapBuffers() of the DBE
+ extension, and ProcRenderAddGlyphs() in the Render extension.
+

+
+
+

+ A local attacker could execute arbitrary code with the privileges of
+ the user running the X server, typically root.
+

+
+
+

+ Disable the DBE extension by removing the "Load dbe" directive in the
+ Module section of xorg.conf, and explicitly disable the Render
+ extension with ' Option "RENDER" "disable" ' in the Extensions section.
+

+

+ Note: This could affect the functionality of some applications.
+

+
+
+

+ All X.Org X server users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.1.1-r4"
+
+
+ CVE-2006-6101
+ CVE-2006-6102
+ CVE-2006-6103
+
+
+ daxomatic
+
+
+ vorlon
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-26.xml b/xml/htdocs/security/en/glsa/glsa-200701-26.xml
new file mode 100644
index 00000000..7e7fe5a5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-26.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ KSirc: Denial of Service vulnerability
+
+ KSirc is vulnerable to a Denial of Service attack.
+
+ ksirc
+ January 29, 2007
+ January 30, 2007: 01
+ 159658
+ remote
+
+
+ 3.5.5-r1
+ 3.5.5-r1
+
+
+
+

+ KSirc is the default KDE IRC client.
+

+
+
+

+ KSirc fails to check the size of an incoming PRIVMSG string sent from
+ an IRC server during the connection process.
+

+
+
+

+ A malicious IRC server could send a long PRIVMSG string to the KSirc
+ client causing an assertion failure and the dereferencing of a null
+ pointer, resulting in a crash.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All KSirc users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=kde-base/ksirc-3.5.5-r1"
+
+
+ CVE-2006-6811
+
+
+ vorlon
+
+
+ vorlon
+
+
+ hyakuhei
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-27.xml b/xml/htdocs/security/en/glsa/glsa-200701-27.xml
new file mode 100644
index 00000000..54f4328a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-27.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ ELinks: Arbitrary Samba command execution
+
+ ELinks does not properly validate "smb://" URLs, making it vulnerable to
+ the execution of arbitrary Samba commands.
+
+ elinks
+ January 30, 2007
+ January 30, 2007: 01
+ 155358
+ remote
+
+
+ 0.11.2
+ 0.11.2
+
+
+
+

+ ELinks is a text mode web browser.
+

+
+
+

+ Teemu Salmela discovered an error in the validation code of "smb://"
+ URLs used by ELinks, the same issue as reported in GLSA 200612-16
+ concerning Links.
+

+
+
+

+ A remote attacker could entice a user to browse to a specially crafted
+ "smb://" URL and execute arbitrary Samba commands, which would allow
+ the overwriting of arbitrary local files or the upload or download of
+ arbitrary files. This vulnerability can be exploited only if
+ "smbclient" is installed on the victim's computer, which is provided by
+ the "samba" Gentoo package.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All ELinks users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/elinks-0.11.2"
+
+
+ CVE-2006-5925
+
+
+ hyakuhei
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200701-28.xml b/xml/htdocs/security/en/glsa/glsa-200701-28.xml
new file mode 100644
index 00000000..f81fd6e9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200701-28.xml
@@ -0,0 +1,75 @@
+
+
+
+
+
+
+ thttpd: Unauthenticated remote file access
+
+ The default configuration of the Gentoo thttpd package potentially allows
+ unauthenticated access to system files when used with newer versions of
+ baselayout.
+
+ thttpd
+ January 31, 2007
+ March 11, 2007: 02
+ 142047
+ remote
+
+
+ 2.25b-r6
+ 2.25b-r6
+
+
+
+

+ thttpd is a webserver designed to be simple, small, and fast.
+

+
+
+

+ thttpd is vulnerable to an underlying change made to the
+ start-stop-daemon command in the current stable Gentoo baselayout
+ package (version 1.12.6). In the new version, the start-stop-daemon
+ command performs a "chdir /" command just before starting the thttpd
+ process. In the Gentoo default configuration, this causes thttpd to
+ start with the document root set to "/", the sytem root directory.
+

+
+
+

+ When thttpd starts with the document root set to the system root
+ directory, all files on the system that are readable by the thttpd
+ process can be remotely accessed by unauthenticated users.
+

+
+
+

+ Alter the THTTPD_OPTS variable in /etc/conf.d/thttpd to include the
+ "-d" option to specify the document root. Alternatively, modify the
+ THTTPD_OPTS variable in /etc/conf.d/thttpd to specify a thttpd.conf
+ file using the "-C" option, and then configure the "dir=" directive in
+ that thttpd.conf file.
+

+
+
+

+ All thttpd users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-servers/thttpd-2.25b-r5"
+
+
+ CVE-2007-0664
+
+
+ shellsage
+
+
+ aetius
+
+
+ falco
+
+
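Review bot: The resolution command in this advisory pulls `>=www-servers/thttpd-2.25b-r5`, while the version block earlier in the same file lists 2.25b-r6 (which, given the usual GLSA layout, appears to be the unaffected/fixed version), so a user who follows the printed command may stop at -r5 and still be reported as affected by glsa-check. The command should match the fixed version, `# emerge --ask --oneshot --verbose ">=www-servers/thttpd-2.25b-r6"`; if -r5 really is sufficient, the version block should say so instead. The description paragraph also has "sytem root directory" where "system root directory" is meant.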
diff --git a/xml/htdocs/security/en/glsa/glsa-200702-01.xml b/xml/htdocs/security/en/glsa/glsa-200702-01.xml
new file mode 100644
index 00000000..0cdbf211
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200702-01.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ Samba: Multiple vulnerabilities
+
+ Multiple flaws exist in the Samba suite of programs, the most serious of
+ which could result in the execution of arbitrary code.
+
+ samba
+ February 13, 2007
+ February 13, 2007: 01
+ 165549
+ remote
+
+
+ 3.0.24
+ 3.0.24
+
+
+
+

+ Samba is a suite of SMB and CIFS client/server programs for UNIX.
+

+
+
+

+ A format string vulnerability exists in the VFS module when handling
+ AFS file systems and an infinite loop has been discovered when handling
+ file rename operations.
+

+
+
+

+ A user with permission to write to a shared AFS file system may be able
+ to compromise the smbd process and execute arbitrary code with the
+ permissions of the daemon. The infinite loop could be abused to consume
+ excessive resources on the smbd host, denying service to legitimate
+ users.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All Samba users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-fs/samba-3.0.24"
+
+
+ CVE-2007-0452
+ CVE-2007-0454
+
+
+ falco
+
+
+ falco
+
+
+ taviso
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200702-02.xml b/xml/htdocs/security/en/glsa/glsa-200702-02.xml
new file mode 100644
index 00000000..6c40f999
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200702-02.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ ProFTPD: Local privilege escalation
+
+ A flaw in ProFTPD may allow a local attacker to obtain root privileges.
+
+ proftpd
+ February 13, 2007
+ February 13, 2007: 01
+ 158122
+ local
+
+
+ 1.3.1_rc1
+ 1.3.1_rc1
+
+
+
+

+ ProFTPD is a powerful, configurable, and free FTP daemon.
+

+
+
+

+ A flaw exists in the mod_ctrls module of ProFTPD, normally used to
+ allow FTP server administrators to configure the daemon at runtime.
+

+
+
+

+ An FTP server administrator permitted to interact with mod_ctrls could
+ potentially compromise the ProFTPD process and execute arbitrary code
+ with the privileges of the FTP Daemon, which is normally the root user.
+

+
+
+

+ Disable mod_ctrls, or ensure only trusted users can access this
+ feature.
+

+
+
+

+ All ProFTPD users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.1_rc1"
+
+
+ CVE-2006-6563
+
+
+ falco
+
+
+ falco
+
+
+ taviso
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200702-03.xml b/xml/htdocs/security/en/glsa/glsa-200702-03.xml
new file mode 100644
index 00000000..54706b97
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200702-03.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Snort: Denial of Service
+
+ Snort contains a vulnerability in the rule matching algorithm that could
+ result in a Denial of Service.
+
+ snort
+ February 13, 2007
+ February 13, 2007: 01
+ 161632
+ remote
+
+
+ 2.6.1.2
+ 2.6.1.2
+
+
+
+

+ Snort is a widely deployed intrusion detection program.
+

+
+
+

+ Randy Smith, Christian Estan and Somesh Jha discovered that the rule
+ matching algorithm of Snort can be exploited in a way known as a
+ "backtracking attack" to perform numerous time-consuming operations.
+

+
+
+

+ A remote attacker could send specially crafted network packets, which
+ would result in the cessation of the detections and the consumption of
+ the CPU resources.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All Snort users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/snort-2.6.1.2"
+
+
+ CVE-2006-6931
+
+
+ falco
+
+
+ falco
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200702-04.xml b/xml/htdocs/security/en/glsa/glsa-200702-04.xml
new file mode 100644
index 00000000..b144d9e9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200702-04.xml
@@ -0,0 +1,78 @@
+
+
+
+
+
+
+ RAR, UnRAR: Buffer overflow
+
+ RAR and UnRAR contain a buffer overflow allowing the execution of arbitrary
+ code.
+
+ rar, unrar
+ February 13, 2007
+ February 14, 2007: 02
+ 166440
+ remote
+
+
+ 3.7.0_beta1
+ 3.7.0_beta1
+
+
+ 3.7.3
+ 3.7.3
+
+
+
+

+ RAR and UnRAR provide command line interfaces for compressing and
+ decompressing RAR files.
+

+
+
+

+ RAR and UnRAR contain a boundary error when processing
+ password-protected archives that could result in a stack-based buffer
+ overflow.
+

+
+
+

+ A remote attacker could entice a user to process a specially crafted
+ password-protected archive and execute arbitrary code with the rights
+ of the user uncompressing the archive.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All UnRAR users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/unrar-3.7.3"
+

+ All RAR users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/rar-3.7.0_beta1"
+
+
+ CVE-2007-0855
+
+
+ falco
+
+
+ falco
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200702-05.xml b/xml/htdocs/security/en/glsa/glsa-200702-05.xml
new file mode 100644
index 00000000..8f600601
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200702-05.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Fail2ban: Denial of Service
+
+ A flaw in Fail2ban may allow remote attackers to deny access to arbitrary
+ hosts.
+
+ fail2ban
+ February 16, 2007
+ February 16, 2007: 01
+ 157166
+ remote
+
+
+ 0.6.2
+ 0.6.2
+
+
+
+

+ Fail2ban monitors log files for failed authentication attempts and can
+ block hosts responsible for repeated attacks.
+

+
+
+

+ A flaw in the method used to parse log entries allows remote,
+ unauthenticated attackers to forge authentication attempts from other
+ hosts.
+

+
+
+

+ A remote attacker can add arbitrary hosts to the block list, denying
+ legitimate users access to a resource.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All Fail2ban users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/fail2ban-0.6.2"
+
+
+ CVE-2006-6302
+
+
+ falco
+
+
+ falco
+
+
+ taviso
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200702-06.xml b/xml/htdocs/security/en/glsa/glsa-200702-06.xml
new file mode 100644
index 00000000..401e6090
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200702-06.xml
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+ BIND: Denial of Service
+
+ ISC BIND contains two vulnerabilities allowing a Denial of Service under
+ certain conditions.
+
+ bind
+ February 17, 2007
+ February 17, 2007: 01
+ 163692
+ remote
+
+
+ 9.3.4
+ 9.2.8
+ 9.3.4
+
+
+
+

+ ISC BIND is the Internet Systems Consortium implementation of the
+ Domain Name System (DNS) protocol.
+

+
+
+

+ An unspecified improper usage of an already freed context has been
+ reported. Additionally, an assertion error could be triggered in the
+ DNSSEC validation of some responses to type ANY queries with multiple
+ RRsets.
+

+
+
+

+ A remote attacker could crash the server through unspecified vectors
+ or, if DNSSEC validation is enabled, by sending certain crafted ANY
+ queries.
+

+
+
+

+ There is no known workaround at this time for the first issue. The
+ DNSSEC validation Denial of Service can be prevented by disabling
+ DNSSEC validation until the upgrade to a fixed version. Note that
+ DNSSEC validation is disabled on a default configuration.
+

+
+
+

+ All ISC BIND 9.3 users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-dns/bind-9.3.4"
+

+ All ISC BIND 9.2 users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-dns/bind-9.2.8"
+
+
+ CVE-2007-0493
+ CVE-2007-0494
+
+
+ falco
+
+
+ falco
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200702-07.xml b/xml/htdocs/security/en/glsa/glsa-200702-07.xml
new file mode 100644
index 00000000..83ad751f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200702-07.xml
@@ -0,0 +1,108 @@
+
+
+
+
+
+
+ Sun JDK/JRE: Execution of arbitrary code
+
+ Sun Java Development Kit (JDK) and Java Runtime Environment (JRE) contain a
+ memory corruption flaw that allows the applets to gain elevated privileges
+ potentially leading to the execute of arbitrary code.
+
+ java
+ February 17, 2007
+ July 16, 2008: 05
+ 162511
+ remote
+
+
+ 1.5.0.10
+ 1.4.2.18
+ 1.4.2.17
+ 1.4.2.15
+ 1.4.2.14
+ 1.4.2.13
+ 1.5.0.10
+ 1.4.2.13
+
+
+ 1.5.0.10
+ 1.4.2.18
+ 1.4.2.17
+ 1.4.2.15
+ 1.4.2.14
+ 1.4.2.13
+ 1.5.0.10
+ 1.4.2.13
+
+
+
+

+ The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment
+ (JRE) provide the Sun Java platform.
+

+
+
+

+ A anonymous researcher discovered that an error in the handling of a
+ GIF image with a zero width field block leads to a memory corruption
+ flaw.
+

+
+
+

+ An attacker could entice a user to run a specially crafted Java applet
+ or application that would load a crafted GIF image, which could result
+ in escalation of privileges and unauthorized access to system
+ resources.
+

+
+
+

+ There is no known workaround at this time.
+

+
+
+

+ All Sun Java Development Kit 1.5 users should upgrade to the latest
+ version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.5.0.10"
+

+ All Sun Java Development Kit 1.4 users should upgrade to the latest
+ version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "=dev-java/sun-jdk-1.4.2*"
+

+ All Sun Java Runtime Environment 1.5 users should upgrade to the latest
+ version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.5.0.10"
+

+ All Sun Java Runtime Environment 1.4 users should upgrade to the latest
+ version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "=dev-java/sun-jre-bin-1.4.2*"
+
+
+ CVE-2007-0243
+
+
+ falco
+
+
+ falco
+
+
+ falco
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200702-08.xml b/xml/htdocs/security/en/glsa/glsa-200702-08.xml new file mode 100644 index 00000000..fc5859d8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200702-08.xml @@ -0,0 +1,83 @@ + + + + + + + AMD64 x86 emulation Sun's J2SE Development Kit: Multiple vulnerabilities + + Multiple unspecified vulnerabilities have been identified in Sun Java + Development Kit (JDK) and Sun Java Runtime Environment (JRE). + + java + February 17, 2007 + May 28, 2009: 02 + 159547 + remote + + + 1.5.0.10 + 1.4.2.19 + 1.5.0.10 + + + +

+ The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment + (JRE) provide the Sun Java platform. The x86 emulation Sun's J2SE + Development Kit for AMD64 contains a vulnerable version of Sun's JDK. +

+
+ +

+ Chris Evans has discovered multiple buffer overflows in Sun JDK and Sun + JRE possibly related to various AWT or font layout functions. Tom + Hawtin has discovered an unspecified vulnerability in Sun JDK and Sun + JRE relating to unintended applet data access. He has also discovered + multiple other unspecified vulnerabilities in Sun JDK and Sun JRE + allowing unintended Java applet or application resource acquisition. + Additionally, a memory corruption error has been found in the handling + of GIF images with zero width field blocks. +

+
+ +

+ An attacker could entice a user to run a specially crafted Java applet + or application that could read, write, or execute local files with the + privileges of the user running the JVM, access data maintained in other + Java applets, or escalate the privileges of the currently running Java + applet or application allowing for unauthorized access to system + resources. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All AMD64 x86 emulation Sun's J2SE Development Kit users should upgrade + to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.5.0.10" +
+ + CVE-2006-6731 + CVE-2006-6736 + CVE-2006-6737 + CVE-2006-6745 + CVE-2007-0243 + + + falco + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200702-09.xml b/xml/htdocs/security/en/glsa/glsa-200702-09.xml new file mode 100644 index 00000000..e29d5ab0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200702-09.xml @@ -0,0 +1,72 @@ + + + + + + + Nexuiz: Multiple vulnerabilities + + Two separate vulnerabilities have been found in Nexuiz allowing the remote + execution of arbitrary code and a Denial of Service. + + nexuiz + February 25, 2007 + February 25, 2007: 01 + 166044 + remote + + + 2.2.1 + 2.2.1 + + + +

+ Nexuiz is a multi-player FPS game which uses a modified version of the + Quake 1 engine. +

+
+ +

+ Nexuiz fails to correctly validate input within "clientcommands". There + is also a failure to correctly handle connection attempts from remote + hosts. +

+
+ +

+ Using a specially crafted "clientcommand" a remote attacker can cause a + buffer overflow in Nexuiz which could result in the execution of + arbitrary code. Additionally, there is a Denial of Service + vulnerability in Nexuiz allowing an attacker to cause Nexuiz to crash + or to run out of resources by overloading it with specially crafted + connection requests. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Nexuiz users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-fps/nexuiz-2.2.1" +
+ + CVE-2006-6609 + CVE-2006-6610 + + + falco + + + falco + + + hyakuhei + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200702-10.xml b/xml/htdocs/security/en/glsa/glsa-200702-10.xml new file mode 100644 index 00000000..fa52ac06 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200702-10.xml @@ -0,0 +1,79 @@ + + + + + + + UFO2000: Multiple vulnerabilities + + Multiple vulnerabilities have been found in the network components of + UFO2000 that could result in the remote execution of arbitrary code. + + ufo2000 + February 25, 2007 + February 25, 2007: 01 + 142392 + remote + + + 0.7.1062 + 0.7.1062 + + + +

+ UFO2000 is a multi-player, turn-based tactical simulation. +

+
+ +

+ Five vulnerabilities were found: a buffer overflow in recv_add_unit(); + a problem with improperly trusting user-supplied string information in + decode_stringmap(); several issues with array manipulation via various + commands during play; an SQL injection in server_protocol.cpp; and + finally, a second buffer overflow in recv_map_data(). +

+
+ +

+ An attacker could send crafted network traffic as part of a + multi-player game that could result in remote code execution on the + remote opponent or the server. A remote attacker could also run + arbitrary SQL queries against the server account database, and perform + a Denial of Service on a remote opponent by causing the game to crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ UFO2000 currently depends on the dumb-0.9.2 library, which has been + removed from portage due to security problems (GLSA 200608-14) . + Because of this, UFO2000 has been masked, and we recommend unmerging + the package until the next beta release can remove the dependency on + dumb. +

+ + # emerge --ask --verbose --unmerge ufo2000 +
+ + CVE-2006-3788 + CVE-2006-3789 + CVE-2006-3790 + CVE-2006-3791 + CVE-2006-3792 + GLSA 200608-14 + + + falco + + + aetius + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200702-11.xml b/xml/htdocs/security/en/glsa/glsa-200702-11.xml new file mode 100644 index 00000000..d6ea4e34 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200702-11.xml @@ -0,0 +1,68 @@ + + + + + + + MPlayer: Buffer overflow + + A buffer overflow was found in MPlayer's RTSP plugin that could lead to a + Denial of Service or arbitrary code execution. + + MPlayer + February 27, 2007 + February 27, 2007: 01 + 159727 + remote + + + 1.0_rc1-r2 + 1.0_rc1-r2 + + + +

+ MPlayer is a media player capable of playing multiple media formats. +

+
+ +

+ When checking for matching asm rules in the asmrp.c code, the results + are stored in a fixed-size array without boundary checks which may + allow a buffer overflow. +

+
+ +

+ An attacker can entice a user to connect to a manipulated RTSP server + resulting in a Denial of Service and possibly execution of arbitrary + code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_rc1-r2" +
+ + Original Advisory + CVE-2006-6172 + + + falco + + + daxomatic + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200702-12.xml b/xml/htdocs/security/en/glsa/glsa-200702-12.xml new file mode 100644 index 00000000..604aa882 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200702-12.xml @@ -0,0 +1,70 @@ + + + + + + + CHMlib: User-assisted remote execution of arbitrary code + + A memory corruption vulnerability in CHMlib could lead to the remote + execution of arbitrary code. + + CHMlib + February 27, 2007 + May 20, 2008: 02 + 163989 + remote + + + 0.39 + 0.39 + + + +

+ CHMlib is a library for the MS CHM (Compressed HTML) file format plus + extracting and HTTP server utils. +

+
+ +

+ When certain CHM files that contain tables and objects stored in pages + are parsed by CHMlib, an unsanitized value is passed to the alloca() + function resulting in a shift of the stack pointer to arbitrary memory + locations. +

+
+ +

+ An attacker could entice a user to open a specially crafted CHM file, + resulting in the execution of arbitrary code with the permissions of + the user viewing the file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CHMlib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/chmlib-0.39" +
+ + Original Advisory + CVE-2007-0619 + + + falco + + + falco + + + daxomatic + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-01.xml b/xml/htdocs/security/en/glsa/glsa-200703-01.xml new file mode 100644 index 00000000..14def5e7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-01.xml @@ -0,0 +1,66 @@ + + + + + + + Snort: Remote execution of arbitrary code + + The Snort DCE/RPC preprocessor contains a buffer overflow that could result + in the remote execution of arbitrary code. + + snort + February 23, 2007 + March 02, 2007: 02 + 167730 + remote + + + 2.6.1.3 + 2.6.1.3 + + + +

+ Snort is a widely deployed intrusion detection program. +

+
+ +

+ The Snort DCE/RPC preprocessor does not properly reassemble certain + types of fragmented SMB and DCE/RPC packets. +

+
+ +

+ A remote attacker could send specially crafted fragmented SMB or + DCE/RPC packets, without the need to finish the TCP handshake, that + would trigger a stack-based buffer overflow while being reassembled. + This could lead to the execution of arbitrary code with the permissions + of the user running the Snort preprocessor. +

+
+ +

+ Disable the DCE/RPC processor by commenting the 'preprocessor dcerpc' + section in /etc/snort/snort.conf . +

+
+ +

+ All Snort users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/snort-2.6.1.3" +
+ + CVE-2006-5276 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-02.xml b/xml/htdocs/security/en/glsa/glsa-200703-02.xml new file mode 100644 index 00000000..3d2f1665 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-02.xml @@ -0,0 +1,65 @@ + + + + + + + SpamAssassin: Long URI Denial of Service + + SpamAssassin is vulnerable to a Denial of Service attack. + + spamassassin + March 02, 2007 + March 02, 2007: 01 + 166969 + remote + + + 3.1.8 + 3.1.8 + + + +

+ SpamAssassin is an extensible email filter used to identify junk email. +

+
+ +

+ SpamAssassin does not correctly handle very long URIs when scanning + emails. +

+
+ +

+ An attacker could cause SpamAssassin to consume large amounts of CPU + and memory resources by sending one or more emails containing very long + URIs. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SpamAssassin users should upgrade to the latest version. +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-filter/spamassassin-3.1.8" +
+ + CVE-2007-0451 + + + vorlon + + + vorlon + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-03.xml b/xml/htdocs/security/en/glsa/glsa-200703-03.xml new file mode 100644 index 00000000..4366fd02 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-03.xml @@ -0,0 +1,72 @@ + + + + + + + ClamAV: Denial of Service + + ClamAV contains two vulnerabilities allowing a Denial of Service. + + clamav + March 02, 2007 + March 02, 2007: 01 + 167201 + remote + + + 0.90 + 0.90 + + + +

+ ClamAV is a GPL virus scanner. +

+
+ +

+ An anonymous researcher discovered a file descriptor leak error in the + processing of CAB archives and a lack of validation of the "id" + parameter string used to create local files when parsing MIME headers. +

+
+ +

+ A remote attacker can send several crafted CAB archives with a + zero-length record header that will fill the available file descriptors + until no other is available, which will prevent ClamAV from scanning + most archives. An attacker can also send an email with specially + crafted MIME headers to overwrite local files with the permissions of + the user running ClamAV, such as the virus database file, which could + prevent ClamAV from detecting any virus. +

+
+ +

+ The first vulnerability can be prevented by refusing any file of type + CAB, but there is no known workaround for the second issue. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.90" +
+ + CVE-2007-0897 + CVE-2007-0898 + + + falco + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-04.xml b/xml/htdocs/security/en/glsa/glsa-200703-04.xml new file mode 100644 index 00000000..42e3be6e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-04.xml @@ -0,0 +1,120 @@ + + + + + + + Mozilla Firefox: Multiple vulnerabilities + + Multiple vulnerabilities have been reported in Mozilla Firefox, some of + which may allow user-assisted arbitrary remote code execution. + + mozilla-firefox + March 02, 2007 + March 02, 2007: 01 + 165555 + remote + + + 1.5.0.10 + 2.0.0.2 + 2.0.0.2 + + + 1.5.0.10 + 2.0.0.2 + 2.0.0.2 + + + +

+ Mozilla Firefox is a popular open-source web browser from the Mozilla + Project. +

+
+ +

+ Tom Ferris reported a heap-based buffer overflow involving wide SVG + stroke widths that affects Mozilla Firefox 2 only. Various researchers + reported some errors in the JavaScript engine potentially leading to + memory corruption. Mozilla Firefox also contains minor vulnerabilities + involving cache collision and unsafe pop-up restrictions, filtering or + CSS rendering under certain conditions. +

+
+ +

+ An attacker could entice a user to view a specially crafted web page + that will trigger one of the vulnerabilities, possibly leading to the + execution of arbitrary code. It is also possible for an attacker to + spoof the address bar, steal information through cache collision, + bypass the local files protection mechanism with pop-ups, or perform + cross-site scripting attacks, leading to the exposure of sensitive + information, like user credentials. +

+
+ +

+ There is no known workaround at this time for all of these issues, but + most of them can be avoided by disabling JavaScript. +

+
+ +

+ Users upgrading to the following releases of Mozilla Firefox should + note that this upgrade has been found to lose the saved passwords file + in some cases. The saved passwords are encrypted and stored in the + 'signons.txt' file of ~/.mozilla/ and we advise our users to save that + file before performing the upgrade. +

+

+ All Mozilla Firefox 1.5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.10" +

+ All Mozilla Firefox 1.5 binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.10" +

+ All Mozilla Firefox 2.0 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.2" +

+ All Mozilla Firefox 2.0 binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.2" +
+ + CVE-2006-6077 + CVE-2007-0775 + CVE-2007-0776 + CVE-2007-0777 + CVE-2007-0778 + CVE-2007-0779 + CVE-2007-0780 + CVE-2007-0800 + CVE-2007-0801 + CVE-2007-0981 + CVE-2007-0995 + Mozilla password loss bug + + + falco + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-05.xml b/xml/htdocs/security/en/glsa/glsa-200703-05.xml new file mode 100644 index 00000000..f3b1d5d8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-05.xml @@ -0,0 +1,79 @@ + + + + + + + Mozilla Suite: Multiple vulnerabilities + + Several vulnerabilities exist in the Mozilla Suite, which is no longer + supported by the Mozilla project. + + mozilla + March 03, 2007 + March 03, 2007: 01 + 135257 + remote + + + 1.7.13 + + + 1.7.13 + + + +

+ The Mozilla Suite is a popular all-in-one web browser that includes a + mail and news reader. +

+
+ +

+ Several vulnerabilities ranging from code execution with elevated + privileges to information leaks affect the Mozilla Suite. +

+
+ +

+ A remote attacker could entice a user to browse to a specially crafted + website or open a specially crafted mail that could trigger some of the + vulnerabilities, potentially allowing execution of arbitrary code, + denials of service, information leaks, or cross-site scripting attacks + leading to the robbery of cookies of authentication credentials. +

+
+ +

+ Most of the issues, but not all of them, can be prevented by disabling + the HTML rendering in the mail client and JavaScript on every + application. +

+
+ +

+ The Mozilla Suite is no longer supported and has been masked after some + necessary changes on all the other ebuilds which used to depend on it. + Mozilla Suite users should unmerge www-client/mozilla or + www-client/mozilla-bin, and switch to a supported product, like + SeaMonkey, Thunderbird or Firefox. +

+ + + # emerge --unmerge "www-client/mozilla" + + # emerge --unmerge "www-client/mozilla-bin" +
+ + Official Advisory + + + falco + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-06.xml b/xml/htdocs/security/en/glsa/glsa-200703-06.xml new file mode 100644 index 00000000..84fe3d0e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-06.xml @@ -0,0 +1,71 @@ + + + + + + + AMD64 x86 emulation Qt library: Integer overflow + + The AMD64 x86 emulation Qt library makes use of an insecure version of the + Qt library, potentially allowing for the remote execution of arbitrary + code. + + emul-linux-x86-qtlibs + March 04, 2007 + March 04, 2007: 01 + 153704 + remote + + + 10.0 + 10.0 + + + +

+ The AMD64 x86 emulation Qt library for AMD64 emulates the x86 (32-bit) + Qt library on the AMD64 (64-bit) architecture. +

+
+ +

+ An integer overflow flaw has been found in the pixmap handling of Qt, + making the AMD64 x86 emulation Qt library vulnerable as well. +

+
+ +

+ By enticing a user to open a specially crafted pixmap image in an + application using the AMD64 x86 emulation Qt library, a remote attacker + could cause an application crash or the remote execution of arbitrary + code with the rights of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All AMD64 x86 emulation Qt library users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-qtlibs-10.0" +
+ + GLSA 200611-02 + CVE-2006-4811 + + + falco + + + falco + + + shellsage + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-07.xml b/xml/htdocs/security/en/glsa/glsa-200703-07.xml new file mode 100644 index 00000000..13c09401 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-07.xml @@ -0,0 +1,67 @@ + + + + + + + STLport: Possible remote execution of arbitrary code + + Two buffer overflows have been discovered in STLport possibly leading to + the remote execution of arbitrary code. + + STLport + March 06, 2007 + March 06, 2007: 01 + 165837 + remote + + + 5.0.3 + 5.0.3 + + + +

+ STLport is a multi-platform C++ Standard Library implementation. +

+
+ +

+ Two buffer overflows have been discovered, one in "print floats" and + one in the rope constructor. +

+
+ +

+ Both of the buffer overflows could result in the remote execution of + arbitrary code. Please note that the exploitability of the + vulnerabilities depends on how the library is used by other software + programs. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All STLport users should upgrade to the latest version. +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/STLport-5.0.3" +
+ + CVE-2007-0803 + + + falco + + + falco + + + aetius + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-08.xml b/xml/htdocs/security/en/glsa/glsa-200703-08.xml new file mode 100644 index 00000000..e85c39d3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-08.xml @@ -0,0 +1,106 @@ + + + + + + + SeaMonkey: Multiple vulnerabilities + + Multiple vulnerabilities have been reported in SeaMonkey, some of which may + allow user-assisted arbitrary remote code execution. + + seamonkey + March 09, 2007 + March 09, 2007: 01 + 165555 + remote + + + 1.1.1 + 1.1.1 + + + 1.1.1 + 1.1.1 + + + +

+ The SeaMonkey project is a community effort to deliver + production-quality releases of code derived from the application + formerly known as the 'Mozilla Application Suite'. +

+
+ +

+ Tom Ferris reported a heap-based buffer overflow involving wide SVG + stroke widths that affects SeaMonkey. Various researchers reported some + errors in the JavaScript engine potentially leading to memory + corruption. SeaMonkey also contains minor vulnerabilities involving + cache collision and unsafe pop-up restrictions, filtering or CSS + rendering under certain conditions. All those vulnerabilities are the + same as in GLSA 200703-04 affecting Mozilla Firefox. +

+
+ +

+ An attacker could entice a user to view a specially crafted web page or + to read a specially crafted email that will trigger one of the + vulnerabilities, possibly leading to the execution of arbitrary code. + It is also possible for an attacker to spoof the address bar, steal + information through cache collision, bypass the local file protection + mechanism with pop-ups, or perform cross-site scripting attacks, + leading to the exposure of sensitive information, such as user + credentials. +

+
+ +

+ There is no known workaround at this time for all of these issues, but + most of them can be avoided by disabling JavaScript. Note that the + execution of JavaScript is disabled by default in the SeaMonkey email + client, and enabling it is strongly discouraged. +

+
+ +

+ Users upgrading to the following release of SeaMonkey should note that + the corresponding Mozilla Firefox upgrade has been found to lose the + saved passwords file in some cases. The saved passwords are encrypted + and stored in the 'signons.txt' file of ~/.mozilla/ and we advise our + users to save that file before performing the upgrade. +

+

+ All SeaMonkey users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.1" +

+ All SeaMonkey binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.1" +
+ + CVE-2006-6077 + CVE-2007-0775 + CVE-2007-0776 + CVE-2007-0777 + CVE-2007-0778 + CVE-2007-0779 + CVE-2007-0780 + CVE-2007-0800 + CVE-2007-0801 + CVE-2007-0981 + CVE-2007-0995 + Mozilla Password Loss Bug + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-09.xml b/xml/htdocs/security/en/glsa/glsa-200703-09.xml new file mode 100644 index 00000000..405643b7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-09.xml @@ -0,0 +1,84 @@ + + + + + + + Smb4K: Multiple vulnerabilities + + Multiple vulnerabilities have been identified in Smb4K. + + smb4k + March 09, 2007 + March 09, 2007: 01 + 156152 + local + + + 0.6.10a + 0.6.10a + + + +

+ Smb4K is a SMB/CIFS (Windows) share browser for KDE. +

+
+ +

+ Kees Cook of the Ubuntu Security Team has identified multiple + vulnerabilities in Smb4K. +

+
  • The writeFile() function of + smb4k/core/smb4kfileio.cpp makes insecure usage of temporary + files.
  • +
  • The writeFile() function also stores the contents of + the sudoers file with incorrect permissions, allowing for the file's + contents to be world-readable.
  • +
  • The createLockFile() and + removeLockFile() functions improperly handle lock files, possibly + allowing for a race condition in file handling.
  • +
  • The smb4k_kill + utility distributed with Smb4K allows any user in the sudoers group to + kill any process on the system.
  • +
  • Lastly, there is the potential + for multiple stack overflows when any Smb4K utility is used with the + sudo command.
  • +
+
+ +

+ A local attacker could gain unauthorized access to arbitrary files via + numerous attack vectors. In some cases to obtain this unauthorized + access, an attacker would have to be a member of the sudoers list. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Smb4K users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/smb4k-0.6.10a" +
+ + CVE-2007-0472 + CVE-2007-0473 + CVE-2007-0474 + CVE-2007-0475 + + + falco + + + falco + + + shellsage + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-10.xml b/xml/htdocs/security/en/glsa/glsa-200703-10.xml new file mode 100644 index 00000000..24fc38bd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-10.xml @@ -0,0 +1,68 @@ + + + + + + + KHTML: Cross-site scripting (XSS) vulnerability + + The KHTML component shipped with the KDE libraries is prone to a cross-site + scripting (XSS) vulnerability. + + kdelibs + March 10, 2007 + March 10, 2007: 01 + 165606 + remote + + + 3.5.5-r8 + 3.5.5-r8 + + + +

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like Operating Systems. KHTML is the HTML interpreter used in + Konqueror and other parts of KDE. +

+
+ +

+ The KHTML code allows for the execution of JavaScript code located + inside the "Title" HTML element, a related issue to the Safari error + found by Jose Avila. +

+
+ +

+ When viewing a HTML page that renders unsanitized attacker-supplied + input in the page title, Konqueror and other parts of KDE will execute + arbitrary JavaScript code contained in the page title, allowing for the + theft of browser session data or cookies. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All KDElibs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdelibs-3.5.5-r8" +
+ + CVE-2007-0537 + CVE-2007-0478 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-11.xml b/xml/htdocs/security/en/glsa/glsa-200703-11.xml new file mode 100644 index 00000000..243fcf0b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-11.xml @@ -0,0 +1,66 @@ + + + + + + + Amarok: User-assisted remote execution of arbitrary code + + The Magnatune component shipped with Amarok is vulnerable to the injection + of arbitrary shell code from a malicious Magnatune server. + + amarok + March 13, 2007 + March 13, 2007: 01 + 166901 + remote + + + 1.4.5-r1 + 1.4.5-r1 + + + +

+ Amarok is an advanced music player. +

+
+ +

+ The Magnatune downloader doesn't quote the "m_currentAlbumFileName" + parameter while calling the "unzip" shell command. +

+
+ +

+ A compromised or malicious Magnatune server can remotely execute + arbitrary shell code with the rights of the user running Amarok on a + client that have previously registered for buying music. +

+
+ +

+ Do not use the Magnatune component of Amarok. +

+
+ +

+ All Amarok users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/amarok-1.4.5-r1" +
+ + SA24159 + + + falco + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-12.xml b/xml/htdocs/security/en/glsa/glsa-200703-12.xml new file mode 100644 index 00000000..e4fda3a7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-12.xml @@ -0,0 +1,64 @@ + + + + + + + SILC Server: Denial of Service + + SILC Server is affected by a Denial of Service vulnerability. + + silc-server + March 14, 2007 + March 14, 2007: 01 + 169599 + remote + + + 1.0.2-r1 + 1.0.2-r1 + + + +

+ SILC Server is a server for the Secure Internet Live Conferencing + (SILC) protocol. +

+
+ +

+ Frank Benkstein discovered a possible NULL pointer dereference in + apps/silcd/command.c if a new channel is created without specifying a + valid hmac or cipher algorithm name. +

+
+ +

+ A remote attacker could cause the server to crash, resulting in a + Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SILC Server users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/silc-server-1.0.2-r1" +
+ + + DerCorny + + + vorlon + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-13.xml b/xml/htdocs/security/en/glsa/glsa-200703-13.xml new file mode 100644 index 00000000..1255db92 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-13.xml @@ -0,0 +1,71 @@ + + + + + + + SSH Communications Security's Secure Shell Server: SFTP privilege escalation + + The SSH Secure Shell Server SFTP function is vulnerable to privilege + escalation. + + net-misc/ssh + March 14, 2007 + March 14, 2007: 01 + 168584 + remote + + + 4.3.7 + + + +

+ The SSH Secure Shell Server from SSH Communications Security + (www.ssh.com) is a commercial SSH implementation available free for + non-commercial use. +

+
+ +

+ The SSH Secure Shell Server contains a format string vulnerability in + the SFTP code that handles file transfers (scp2 and sftp2). In some + situations, this code passes the accessed filename to the system log. + During this operation, an unspecified error could allow uncontrolled + stack access. +

+
+ +

+ An authenticated system user may be able to exploit this vulnerability + to bypass command restrictions, or run commands as another user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ This package is currently masked, there is no upgrade path for the + 3.2.x version, and a license must be purchased in order to update to a + non-vulnerable version. Because of this, we recommend unmerging this + package: +

+ + # emerge --ask --verbose --unmerge net-misc/ssh +
+ + CVE-2006-0705 + + + vorlon + + + vorlon + + + aetius + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-14.xml b/xml/htdocs/security/en/glsa/glsa-200703-14.xml new file mode 100644 index 00000000..42b31306 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-14.xml @@ -0,0 +1,69 @@ + + + + + + + Asterisk: SIP Denial of Service + + Asterisk is vulnerable to Denial of Service in the SIP channel. + + asterisk + March 16, 2007 + March 16, 2007: 01 + 169616 + remote + + + 1.2.14-r1 + 1.0.12-r1 + 1.2.14-r1 + + + +

+ Asterisk is an open source implementation of a telephone private branch + exchange (PBX). +

+
+ +

+ The MU Security Research Team discovered that Asterisk contains a + NULL-pointer dereferencing error in the SIP channel when handling + request messages. +

+
+ +

+ A remote attacker could cause an Asterisk server listening for SIP + messages to crash by sending a specially crafted SIP request message. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Asterisk users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose net-misc/asterisk +

+ Note: Asterisk 1.0.x is no longer supported upstream so users should + consider upgrading to Asterisk 1.2.x. +

+
+ + CVE-2007-1306 + MU-200703-01 + + + jaervosz + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-15.xml b/xml/htdocs/security/en/glsa/glsa-200703-15.xml new file mode 100644 index 00000000..c911a480 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-15.xml @@ -0,0 +1,75 @@ + + + + + + + PostgreSQL: Multiple vulnerabilities + + PostgreSQL contains two vulnerabilities that could result in a Denial of + Service or unauthorized access to certain information. + + postgresql + March 16, 2007 + May 28, 2009: 04 + 165482 + remote + + + 8.0.11 + 7.4.17 + 7.4.16 + 7.3.19 + 7.3.13 + 7.3.21 + 7.4.19 + 8.0.11 + + + +

+ PostgreSQL is an open source object-relational database management + system. +

+
+ +

+ PostgreSQL does not correctly check the data types of the SQL function + arguments under unspecified circumstances nor the format of the + provided tables in the query planner. +

+
+ +

+ A remote authenticated attacker could send specially crafted queries to + the server that could result in a server crash and possibly the + unauthorized reading of some database content or arbitrary memory. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PostgreSQL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "dev-db/postgresql" +
+ + CVE-2007-0555 + CVE-2007-0556 + + + falco + + + vorlon + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-16.xml b/xml/htdocs/security/en/glsa/glsa-200703-16.xml new file mode 100644 index 00000000..44b92e73 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-16.xml @@ -0,0 +1,70 @@ + + + + + + + Apache JK Tomcat Connector: Remote execution of arbitrary code + + The Apache Tomcat Connector (mod_jk) contains a buffer overflow + vulnerability that could result in the remote execution of arbitrary code. + + mod_jk + March 16, 2007 + March 16, 2007: 01 + 169433 + remote + + + 1.2.21-r1 + 1.2.21-r1 + + + +

+ The Apache HTTP server is a very widely used web server. mod_jk + provides the JK module for connecting Tomcat and Apache using the ajp13 + protocol. +

+
+ +

+ ZDI reported an unsafe memory copy in mod_jk that was discovered by an + anonymous researcher in the map_uri_to_worker function of + native/common/jk_uri_worker_map.c . +

+
+ +

+ A remote attacker can send a long URL request to an Apache server using + Tomcat. That can trigger the vulnerability and lead to a stack-based + buffer overflow, which could result in the execution of arbitrary code + with the permissions of the Apache user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache Tomcat users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apache/mod_jk-1.2.21-r1" +
+ + CVE-2007-0774 + + + DerCorny + + + falco + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-17.xml b/xml/htdocs/security/en/glsa/glsa-200703-17.xml new file mode 100644 index 00000000..65d25d4f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-17.xml @@ -0,0 +1,67 @@ + + + + + + + ulogd: Remote execution of arbitrary code + + ulogd contains a possible buffer overflow potentially allowing for the + remote execution of arbitrary code. + + ulogd + March 18, 2007 + March 18, 2007: 01 + 161882 + remote + + + 1.23-r1 + 1.23-r1 + + + +

+ ulogd is a userspace daemon for netfilter related logging. +

+
+ +

+ SUSE reported unspecified buffer overflows in ulogd involving the + calculation of string lengths. +

+
+ +

+ A remote attacker could trigger a possible buffer overflow through + unspecified vectors, potentially leading to the remote execution of + arbitrary code with the rights of the user running the ulogd daemon, or + more probably leading to the crash of the daemon. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ulogd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/ulogd-1.23-r1" +
+ + CVE-2007-0460 + + + jaervosz + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-18.xml b/xml/htdocs/security/en/glsa/glsa-200703-18.xml new file mode 100644 index 00000000..db6519a9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-18.xml @@ -0,0 +1,88 @@ + + + + + + + Mozilla Thunderbird: Multiple vulnerabilities + + Multiple vulnerabilities have been reported in Mozilla Thunderbird, some of + which may allow user-assisted arbitrary remote code execution. + + mozilla-thunderbird + March 18, 2007 + March 18, 2007: 01 + 165555 + remote + + + 1.5.0.10 + 1.5.0.10 + + + 1.5.0.10 + 1.5.0.10 + + + +

+ Mozilla Thunderbird is a popular open-source email client from the + Mozilla Project. +

+
+ +

+ Georgi Guninski reported a possible integer overflow in the code + handling text/enhanced or text/richtext MIME emails. Additionally, + various researchers reported errors in the JavaScript engine + potentially leading to memory corruption. Additionally, the binary + version of Mozilla Thunderbird includes a vulnerable NSS library which + contains two possible buffer overflows involving the SSLv2 protocol. +

+
+ +

+ An attacker could entice a user to read a specially crafted email that + could trigger one of the vulnerabilities, some of them being related to + Mozilla Thunderbird's handling of JavaScript, possibly leading to the + execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time for all of these issues, but + some of them can be avoided by disabling JavaScript. Note that the + execution of JavaScript is disabled by default and enabling it is + strongly discouraged. +

+
+ +

+ All Mozilla Thunderbird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.5.0.10" +

+ All Mozilla Thunderbird binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.5.0.10" +
+ + CVE-2007-0008 + CVE-2007-0009 + CVE-2007-0775 + CVE-2007-0776 + CVE-2007-0777 + CVE-2007-1282 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-19.xml b/xml/htdocs/security/en/glsa/glsa-200703-19.xml new file mode 100644 index 00000000..ab2a3f34 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-19.xml @@ -0,0 +1,70 @@ + + + + + + + LTSP: Authentication bypass in included LibVNCServer code + + LTSP includes a version of libVNCServer that is vulnerable to an + authentication bypass. + + ltsp + March 18, 2007 + March 18, 2007: 01 + 142661 + remote + + + 4.2-r1 + 4.2-r1 + + + +

+ The Linux Terminal Server Project adds thin-client support to Linux + servers. +

+
+ +

+ The LTSP server includes vulnerable LibVNCServer code, which fails to + properly validate protocol types effectively letting users decide what + protocol to use, such as "Type 1 - None" (GLSA-200608-05). The LTSP VNC + server will accept this security type, even if it is not offered by the + server. +

+
+ +

+ An attacker could exploit this vulnerability to gain unauthorized + access with the privileges of the user running the VNC server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All LTSP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/ltsp-4.2-r1" +
+ + CVE-2006-2450 + GLSA 200608-05 + + + falco + + + falco + + + aetius + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-20.xml b/xml/htdocs/security/en/glsa/glsa-200703-20.xml new file mode 100644 index 00000000..3bae4852 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-20.xml @@ -0,0 +1,70 @@ + + + + + + + LSAT: Insecure temporary file creation + + LSAT insecurely creates temporary files which can lead to symlink attacks + allowing a local user to overwrite arbitrary files. + + lsat + March 18, 2007 + May 11, 2007: 02 + 159542 + local + + + 0.9.5 + 0.9.5 + + + +

+ The Linux Security Auditing Tool (LSAT) is a post install security + auditor which checks many system configurations and local network + settings on the system for common security or configuration errors and + for packages that are not needed. +

+
+ +

+ LSAT insecurely writes in /tmp with a predictable filename. +

+
+ +

+ A local attacker could create symbolic links in the temporary files + directory, pointing to a valid file somewhere on the filesystem. When + the LSAT script is executed, this would result in the file being + overwritten with the rights of the user running the software, which + could be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All lsat users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/lsat-0.9.5" +
+ + CVE-2007-1500 + + + falco + + + falco + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-21.xml b/xml/htdocs/security/en/glsa/glsa-200703-21.xml new file mode 100644 index 00000000..5f953be5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-21.xml @@ -0,0 +1,93 @@ + + + + + + + PHP: Multiple vulnerabilities + + PHP contains several vulnerabilities including a heap buffer overflow, + potentially leading to the remote execution of arbitrary code under certain + conditions. + + php + March 20, 2007 + March 29, 2008: 03 + 153911 + remote + + + 5.2.1-r3 + 5.1.6-r11 + 4.4.6 + 4.4.7 + 4.4.8_pre20070816 + 5.2.1-r3 + + + +

+ PHP is a widely-used general-purpose scripting language that is + especially suited for Web development and can be embedded into HTML. +

+
+ +

+ Several vulnerabilities were found in PHP by the Hardened-PHP Project + and other researchers. These vulnerabilities include a heap-based + buffer overflow in htmlentities() and htmlspecialchars() if called with + UTF-8 parameters, and an off-by-one error in str_ireplace(). Other + vulnerabilities were also found in the PHP4 branch, including possible + overflows, stack corruptions and a format string vulnerability in the + *print() functions on 64 bit systems. +

+
+ +

+ Remote attackers might be able to exploit these issues in PHP + applications making use of the affected functions, potentially + resulting in the execution of arbitrary code, Denial of Service, + execution of scripted contents in the context of the affected site, + security bypass or information leak. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "dev-lang/php" +
+ + CVE-2006-5465 + CVE-2007-0906 + CVE-2007-0907 + CVE-2007-0908 + CVE-2007-0909 + CVE-2007-0910 + CVE-2007-0911 + CVE-2007-0988 + CVE-2007-1286 + CVE-2007-1375 + CVE-2007-1376 + CVE-2007-1380 + CVE-2007-1383 + PHP 4.4.5 Release Announcement + PHP 5.2.1 Release Announcement + + + falco + + + falco + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-22.xml b/xml/htdocs/security/en/glsa/glsa-200703-22.xml new file mode 100644 index 00000000..29cb55e7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-22.xml @@ -0,0 +1,71 @@ + + + + + + + Mozilla Network Security Service: Remote execution of arbitrary code + + The Mozilla Network Security Services libraries are vulnerable to two + buffer overflows that could result in the remote execution of arbitrary + code. + + nss + March 20, 2007 + March 20, 2007: 01 + 165555 + remote + + + 3.11.5 + 3.11.5 + + + +

+ The Mozilla Network Security Service is a library implementing security + features like SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, + S/MIME and X.509 certificates. +

+
+ +

+ iDefense has reported two potential buffer overflow vulnerabilities + found by researcher "regenrecht" in the code implementing the SSLv2 + protocol. +

+
+ +

+ A remote attacker could send a specially crafted SSL master key to a + server using NSS for the SSLv2 protocol, or entice a user to connect to + a malicious server with a client-side application using NSS like one of + the Mozilla products. This could trigger the vulnerabilities and result + in the possible execution of arbitrary code with the rights of the + vulnerable application. +

+
+ +

+ Disable the SSLv2 protocol in the applications using NSS. +

+
+ +

+ All NSS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/nss-3.11.5" +
+ + CVE-2007-0008 + CVE-2007-0009 + + + falco + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-23.xml b/xml/htdocs/security/en/glsa/glsa-200703-23.xml new file mode 100644 index 00000000..6023907b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-23.xml @@ -0,0 +1,92 @@ + + + + + + + WordPress: Multiple vulnerabilities + + Wordpress contains several cross-site scripting, cross-site request forgery + and information leak vulnerabilities. + + wordpress + March 20, 2007 + March 20, 2007: 01 + 168529 + remote + + + 2.1.2 + + + +

+ WordPress is a popular personal publishing platform with a web + interface. +

+
+ +

+ WordPress contains cross-site scripting or cross-site scripting forgery + vulnerabilities reported by: +

+
  • g30rg3_x in the "year" + parameter of the wp_title() function
  • +
  • Alexander Concha in the + "demo" parameter of wp-admin/admin.php
  • +
  • Samenspender and Stefan + Friedli in the "post" parameter of wp-admin/post.php and + wp-admin/page.php, in the "cat_ID" parameter of wp-admin/categories.php + and in the "c" parameter of wp-admin/comment.php
  • +
  • PsychoGun in + the "file" parameter of wp-admin/templates.php
  • +

+

+

+ Additionally, WordPress prints the full PHP script paths in some error + messages. +

+
+ +

+ The cross-site scripting vulnerabilities can be triggered to steal + browser session data or cookies. A remote attacker can entice a user to + browse to a specially crafted web page that can trigger the cross-site + request forgery vulnerability and perform arbitrary WordPress actions + with the permissions of the user. Additionally, the path disclosure + vulnerability could help an attacker to perform other attacks. +

+
+ +

+ There is no known workaround at this time for all these + vulnerabilities. +

+
+ +

+ Due to the numerous recently discovered vulnerabilities in WordPress, + this package has been masked in the portage tree. All WordPress users + are advised to unmerge it. +

+ + + # emerge --unmerge "www-apps/wordpress" +
+ + CVE-2007-1049 + CVE-2007-1230 + CVE-2007-1244 + CVE-2007-1409 + SA 24430 + + + falco + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-24.xml b/xml/htdocs/security/en/glsa/glsa-200703-24.xml new file mode 100644 index 00000000..305d3982 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-24.xml @@ -0,0 +1,69 @@ + + + + + + + mgv: Stack overflow in included gv code + + mgv improperly handles user-supplied data possibly allowing for the + execution of arbitrary code. + + mgv + March 26, 2007 + March 26, 2007: 01 + 154645 + remote + + + 3.1.5 + + + +

+ mgv is a Postscript viewer with a Motif interface, based on Ghostview + and GNU gv. +

+
+ +

+ mgv includes code from gv that does not properly boundary check + user-supplied data before copying it into process buffers. +

+
+ +

+ An attacker could entice a user to open a specially crafted Postscript + document with mgv and possibly execute arbitrary code with the rights + of the user running mgv. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ mgv is currently unmaintained, and the mgv website no longer exists. As + such, the mgv package has been masked in Portage. We recommend that + users select an alternate Postscript viewer such as ghostview or + GSview, and unmerge mgv: +

+ + # emerge --unmerge "app-text/mgv" +
+ + CVE-2006-5864 + GLSA 200611-20 + + + jaervosz + + + aetius + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-25.xml b/xml/htdocs/security/en/glsa/glsa-200703-25.xml new file mode 100644 index 00000000..1f974e6c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-25.xml @@ -0,0 +1,66 @@ + + + + + + + Ekiga: Format string vulnerability + + A format string vulnerability in Ekiga may allow the remote execution of + arbitrary code. + + ekiga + March 29, 2007 + May 28, 2009: 02 + 167643 + remote + + + 2.0.7 + 2.0.7 + + + +

+ Ekiga is an open source VoIP and video conferencing application. +

+
+ +

+ Mu Security has discovered that Ekiga fails to implement formatted + printing correctly. +

+
+ +

+ An attacker could exploit this vulnerability to crash Ekiga and + potentially execute arbitrary code by sending a specially crafted Q.931 + SETUP packet to a victim. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ekiga users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-voip/ekiga-2.0.7" +
+ + CVE-2007-1006 + + + DerCorny + + + DerCorny + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-26.xml b/xml/htdocs/security/en/glsa/glsa-200703-26.xml new file mode 100644 index 00000000..2a5dc2fe --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-26.xml @@ -0,0 +1,70 @@ + + + + + + + file: Integer underflow + + A buffer underflow vulnerability has been reported in file allowing for the + user-assisted execution of arbitrary code. + + file + March 30, 2007 + March 30, 2007: 01 + 171452 + remote + + + 4.20 + 4.20 + + + +

+ file is a utility that guesses a file format by scanning binary data + for patterns. +

+
+ +

+ Jean-Sebastien Guay-Leroux reported an integer underflow in + file_printf function. +

+
+ +

+ A remote attacker could entice a user to run the "file" program on a + specially crafted file that would trigger a heap-based buffer overflow + possibly leading to the execution of arbitrary code with the rights of + the user running "file". Note that this vulnerability could be also + triggered through an automatic file scanner like amavisd-new. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Since file is a system package, all Gentoo users should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/file-4.20" +
+ + CVE-2007-1536 + + + jaervosz + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-27.xml b/xml/htdocs/security/en/glsa/glsa-200703-27.xml new file mode 100644 index 00000000..fbad2ac9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-27.xml @@ -0,0 +1,65 @@ + + + + + + + Squid: Denial of Service + + Squid is affected by a Denial of Service vulnerability. + + squid + March 31, 2007 + March 31, 2007: 01 + 171681 + remote + + + 2.6.12 + 2.6.12 + + + +

+ Squid is a multi-protocol proxy server. +

+
+ +

+ Squid incorrectly handles TRACE requests that contain a "Max-Forwards" + header field with value "0" in the clientProcessRequest() function. +

+
+ +

+ A remote attacker can send specially crafted TRACE HTTP requests that + will terminate the child process. A quickly repeated attack will lead + to a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Squid users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/squid-2.6.12" +
+ + CVE-2007-1560 + + + aetius + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200703-28.xml b/xml/htdocs/security/en/glsa/glsa-200703-28.xml new file mode 100644 index 00000000..bf2e218e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200703-28.xml @@ -0,0 +1,69 @@ + + + + + + + CUPS: Denial of Service + + CUPS incorrectly handles partially-negotiated SSL connections allowing for + a Denial of Service. + + cups + March 31, 2007 + March 31, 2007: 01 + 170881 + remote + + + 1.2.9 + 1.2.9 + + + +

+ CUPS provides a portable printing layer for UNIX-based operating + systems. +

+
+ +

+ CUPS does not properly handle partially-negotiated SSL connections. + Upon receiving a partially-negotiated SSL connection, CUPS no longer + accepts further incoming connections, as the initial connection never + times out. +

+
+ +

+ An attacker could partially negotiate an SSL connection with a CUPS + server, and cause future connections to that server to fail, resulting + in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CUPS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/cups-1.2.9" +
+ + CVE-2007-0720 + + + jaervosz + + + shellsage + + + shellsage + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-01.xml b/xml/htdocs/security/en/glsa/glsa-200704-01.xml new file mode 100644 index 00000000..b60b8b35 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200704-01.xml @@ -0,0 +1,72 @@ + + + + + + + Asterisk: Two SIP Denial of Service vulnerabilities + + Asterisk is vulnerable to two Denial of Service issues in the SIP channel. + + asterisk + April 02, 2007 + April 02, 2007: 01 + 171467 + remote + + + 1.2.14-r2 + 1.0.12-r2 + 1.2.14-r2 + + + +

+ Asterisk is an open source implementation of a telephone private branch + exchange (PBX). +

+
+ +

+ The Madynes research team at INRIA has discovered that Asterisk + contains a null pointer dereferencing error in the SIP channel when + handling INVITE messages. Furthermore qwerty1979 discovered that + Asterisk 1.2.x fails to properly handle SIP responses with return code + 0. +

+
+ +

+ A remote attacker could cause an Asterisk server listening for SIP + messages to crash by sending a specially crafted SIP message or + answering with a 0 return code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Asterisk users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose net-misc/asterisk +

+ Note: Asterisk 1.0.x is no longer supported upstream so users should + consider upgrading to Asterisk 1.2.x. +

+
+ + CVE-2007-1561 + CVE-2007-1594 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-02.xml b/xml/htdocs/security/en/glsa/glsa-200704-02.xml new file mode 100644 index 00000000..8c897336 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200704-02.xml @@ -0,0 +1,72 @@ + + + + + + + MIT Kerberos 5: Arbitrary remote code execution + + Multiple vulnerabilities in MIT Kerberos 5 could potentially result in + unauthenticated remote root code execution. + + mit-krb5 + April 03, 2007 + April 03, 2007: 01 + 171889 + remote + + + 1.5.2-r1 + 1.5.2-r1 + + + +

+ MIT Kerberos 5 is a suite of applications that implement the Kerberos + network protocol. +

+
+ +

+ The Kerberos telnet daemon fails to properly handle usernames allowing + unauthorized access to any account (CVE-2007-0956). The Kerberos + administration daemon, the KDC and possibly other applications using + the MIT Kerberos libraries are vulnerable to the following issues. The + krb5_klog_syslog function from the kadm5 library fails to properly + validate input leading to a stack overflow (CVE-2007-0957). The GSS-API + library is vulnerable to a double-free attack (CVE-2007-1216). +

+
+ +

+ By exploiting the telnet vulnerability a remote attacker may obtain + access with root privileges. The remaining vulnerabilities may allow an + authenticated remote attacker to execute arbitrary code with root + privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MIT Kerberos 5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.5.2-r1" +
+ + CVE-2007-0956 + CVE-2007-0957 + CVE-2007-1216 + + + jaervosz + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-03.xml b/xml/htdocs/security/en/glsa/glsa-200704-03.xml new file mode 100644 index 00000000..777d72df --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200704-03.xml @@ -0,0 +1,71 @@ + + + + + + + OpenAFS: Privilege escalation + + OpenAFS is subject to a design flaw that could allow privilege escalation + on the client. + + openafs + April 03, 2007 + April 03, 2007: 01 + 171662 + remote + + + 1.4.4 + 1.4.4 + + + +

+ OpenAFS is a distributed network filesystem. +

+
+ +

+ Benjamin Bennett discovered that the OpenAFS client contains a design + flaw where cache managers do not use authenticated server connections + when performing actions not requested by a user. +

+
+ +

+ If setuid is enabled on the client cells, an attacker can supply a fake + FetchStatus reply that sets setuid and root ownership of a file being + executed. This could provide root access on the client. Remote attacks + may be possible if an attacker can entice a user to execute a known + file. Note that setuid is enabled by default in versions of OpenAFS + prior to 1.4.4. +

+
+ +

+ Disable the setuid functionality on all client cells. This is now the + default configuration in OpenAFS. +

+
+ +

+ All OpenAFS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/openafs-1.4.4" +
+ + CVE-2007-1507 + + + jaervosz + + + aetius + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-04.xml b/xml/htdocs/security/en/glsa/glsa-200704-04.xml new file mode 100644 index 00000000..34b8121a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200704-04.xml @@ -0,0 +1,69 @@ + + + + + + + OpenPBS: Multiple vulnerabilities + + OpenPBS contains unspecified vulnerabilities which may allow for the remote + execution of arbitrary code or a Denial of Service. + + openpbs + April 03, 2007 + April 03, 2007: 01 + 153495 + remote, local + + + 2.3.16-r4 + + + +

+ OpenPBS is the original version of the Portable Batch System. It is a + flexible batch queueing system developed for NASA in the early to + mid-1990s. +

+
+ +

+ SUSE reported vulnerabilities due to unspecified errors in OpenPBS. +

+
+ +

+ By unspecified attack vectors an attacker might be able execute + arbitrary code with the privileges of the user running openpbs, which + might be the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ OpenPBS has been masked in the Portage tree for replacement by Torque. + All OpenPBS users should unmerge OpenPBS and switch to Torque. +

+ + + # emerge --ask --unmerge sys-cluster/openpbs + # emerge --sync + # emerge --ask --verbose sys-cluster/torque +
+ + CVE-2006-5616 + + + falco + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-05.xml b/xml/htdocs/security/en/glsa/glsa-200704-05.xml new file mode 100644 index 00000000..13cca9e8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200704-05.xml @@ -0,0 +1,67 @@ + + + + + + + zziplib: Buffer Overflow + + The zziplib library contains a buffer overflow vulnerability that could + lead to user-assisted remote execution of arbitrary code. + + zziplib + April 03, 2007 + April 03, 2007: 01 + 171441 + remote + + + 0.13.49 + 0.13.49 + + + +

+ The zziplib library is a lightweight library for extracting data from + files archived in a single zip file. +

+
+ +

+ dmcox dmcox discovered a boundary error in the zzip_open_shared_io() + function from zzip/file.c . +

+
+ +

+ A remote attacker could entice a user to run a zziplib function with an + overly long string as an argument which would trigger the buffer + overflow and may lead to the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All zziplib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/zziplib-0.13.49" +
+ + CVE-2007-1614 + + + aetius + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-06.xml b/xml/htdocs/security/en/glsa/glsa-200704-06.xml new file mode 100644 index 00000000..ca61e1ff --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200704-06.xml @@ -0,0 +1,68 @@ + + + + + + + Evince: Stack overflow in included gv code + + Evince improperly handles user-supplied data possibly allowing for the + execution of arbitrary code. + + evince + April 06, 2007 + April 06, 2007: 01 + 156573 + remote + + + 0.6.1-r3 + 0.6.1-r3 + + + +

+ Evince is a document viewer for multiple document formats, including + PostScript. +

+
+ +

+ Evince includes code from GNU gv that does not properly boundary check + user-supplied data before copying it into process buffers. +

+
+ +

+ An attacker could entice a user to open a specially crafted PostScript + document with Evince and possibly execute arbitrary code with the + rights of the user running Evince. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Evince users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/evince-0.6.1-r3" +
+ + CVE-2006-5864 + GLSA-200611-20 + + + jaervosz + + + aetius + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-07.xml b/xml/htdocs/security/en/glsa/glsa-200704-07.xml new file mode 100644 index 00000000..5d799980 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200704-07.xml @@ -0,0 +1,68 @@ + + + + + + + libwpd: Multiple vulnerabilities + + libwpd is vulnerable to several heap overflows and an integer overflow. + + libwpd + April 06, 2007 + April 06, 2007: 01 + 169675 + remote + + + 0.8.9 + 0.8.9 + + + +

+ libwpd is a library used to convert Wordperfect documents into other + formats. +

+
+ +

+ libwpd contains heap-based overflows in two functions that convert + WordPerfect document tables. In addition, it contains an integer + overflow in a text-conversion function. +

+
+ +

+ An attacker could entice a user to convert a specially crafted + WordPerfect file, resulting in a crash or possibly the execution of + arbitrary code with the rights of the user running libwpd. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libwpd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/libwpd-0.8.9" +
+ + CVE-2007-0002 + CVE-2007-1466 + + + falco + + + aetius + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-08.xml b/xml/htdocs/security/en/glsa/glsa-200704-08.xml new file mode 100644 index 00000000..9a808784 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200704-08.xml @@ -0,0 +1,72 @@ + + + + + + + DokuWiki: Cross-site scripting vulnerability + + DokuWiki is vulnerable to a cross-site scripting attack. + + dokuwiki + April 12, 2007 + April 12, 2007: 01 + 163781 + remote + + + 20061106 + 20061106 + + + +

+ DokuWiki is a simple to use wiki aimed at creating documentation. +

+
+ +

+ DokuWiki does not sanitize user input to the GET variable 'media' in + the fetch.php file. +

+
+ +

+ An attacker could entice a user to click a specially crafted link and + inject CRLF characters into the variable. This would allow the creation + of new lines or fields in the returned HTTP Response header, which + would permit the attacker to execute arbitrary scripts in the context + of the user's browser. +

+
+ +

+ Replace the following line in lib/exe/fetch.php: +

+ $MEDIA = getID('media',false); // no cleaning - maybe external +

+ with +

+ $MEDIA = preg_replace('/[\x00-\x1F]+/s','',getID('media',false)); +
+ +

+ All DokuWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20061106" +
+ + CVE-2006-6965 + + + falco + + + aetius + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-09.xml b/xml/htdocs/security/en/glsa/glsa-200704-09.xml new file mode 100644 index 00000000..55c923d8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200704-09.xml @@ -0,0 +1,68 @@ + + + + + + + xine-lib: Heap-based buffer overflow + + xine-lib is vulnerable to a heap-based buffer overflow. + + xine-lib + April 14, 2007 + April 14, 2007: 01 + 170208 + remote + + + 1.1.4-r2 + 1.1.4-r2 + + + +

+ xine-lib is the core library package for the xine media player. +

+
+ +

+ xine-lib does not check boundaries on data being read into buffers from + DMO video files in code that is shared with MPlayer + (DMO_VideoDecoder.c). +

+
+ +

+ An attacker could entice a user to play a specially crafted DMO video + file with a player using xine-lib, potentially resulting in the + execution of arbitrary code with the privileges of the user running the + player. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users on the x86 platform should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.4-r2" +
+ + CVE-2007-1246 + + + jaervosz + + + aetius + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-10.xml b/xml/htdocs/security/en/glsa/glsa-200704-10.xml
new file mode 100644
index 00000000..efc692eb
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-10.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Inkscape: Two format string vulnerabilities
+
+ Two format string vulnerabilities have been discovered in Inkscape,
+ allowing for user-assisted execution of arbitrary code.
+
+ Inkscape
+ April 16, 2007
+ April 16, 2007: 01
+ 171799
+ remote
+
+
+ 0.45.1
+ 0.45.1
+
+
+
+

+ Inkscape is a vector graphics editor, using Scalable Vector Graphics + (SVG) Format. +

+
+ +

+ Kees Cook has discovered two vulnerabilities in Inkscape. The + application does not properly handle format string specifiers in some + dialog boxes. Inkscape is also vulnerable to another format string + error in its Jabber whiteboard protocol. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted URI, + possibly leading to execution of arbitrary code with the privileges of + the user running Inkscape. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Inkscape users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/inkscape-0.45.1" +
+ + CVE-2007-1463 + CVE-2007-1464 + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-11.xml b/xml/htdocs/security/en/glsa/glsa-200704-11.xml
new file mode 100644
index 00000000..116e7a6a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-11.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ Vixie Cron: Denial of Service
+
+ The Gentoo implementation of Vixie Cron is vulnerable to a local Denial of
+ Service.
+
+ vixie-cron
+ April 16, 2007
+ April 16, 2007: 01
+ 164466
+ local
+
+
+ 4.1-r10
+ 4.1-r10
+
+
+
+

+ Vixie Cron is a command scheduler with extended syntax over cron. +

+
+ +

+ During an internal audit, Raphael Marichez of the Gentoo Linux Security + Team found that Vixie Cron has weak permissions set on Gentoo, allowing + for a local user to create hard links to system and users cron files, + while a st_nlink check in database.c will generate a superfluous error. +

+
+ +

+ Depending on the partitioning scheme and the "cron" group membership, a + malicious local user can create hard links to system or users cron + files that will trigger the st_link safety check and prevent the + targeted cron file from being run from the next restart or database + reload. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Vixie Cron users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-process/vixie-cron-4.1-r10" +
+ + CVE-2007-1856 + + + jaervosz + + + falco + + + vorlon + +
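Review bot: The impact paragraph calls it the `st_link` safety check while the description calls it the `st_nlink` check in database.c; the two names should agree, and `st_nlink` is the struct stat field that holds the hard-link count. Suggested wording for the impact paragraph: `files that will trigger the st_nlink safety check and prevent the targeted cron file from being run`.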
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-12.xml b/xml/htdocs/security/en/glsa/glsa-200704-12.xml
new file mode 100644
index 00000000..4d6a5170
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-12.xml
@@ -0,0 +1,84 @@
+
+
+
+
+
+
+ OpenOffice.org: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been discovered in OpenOffice.org, allowing
+ for remote execution of arbitrary code.
+
+ OpenOffice.org
+ April 16, 2007
+ April 16, 2007: 01
+ 170828
+ remote
+
+
+ 2.1.0-r1
+ 2.1.0-r1
+
+
+ 2.2.0
+ 2.2.0
+
+
+
+

+ OpenOffice.org is an open source office productivity suite, including + word processing, spreadsheet, presentation, drawing, data charting, + formula editing, and file conversion facilities. +

+
+ +

+ John Heasman of NGSSoftware has discovered a stack-based buffer + overflow in the StarCalc parser and an input validation error when + processing metacharacters in a link. Also OpenOffice.Org includes code + from libwpd making it vulnerable to heap-based overflows when + converting WordPerfect document tables (GLSA 200704-07). +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + document, possibly leading to execution of arbitrary code with the + rights of the user running OpenOffice.org. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenOffice.org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-2.1.0-r1" +

+ All OpenOffice.org binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.2.0" +
+ + CVE-2007-0002 + CVE-2007-0238 + CVE-2007-0239 + GLSA-200704-07 + + + jaervosz + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-13.xml b/xml/htdocs/security/en/glsa/glsa-200704-13.xml
new file mode 100644
index 00000000..24762ce6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-13.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ File: Denial of Service
+
+ A vulnerability has been discovered in file allowing for a denial of
+ service.
+
+ file
+ April 17, 2007
+ September 17, 2007: 02
+ 174217
+ remote
+
+
+ 4.21-r1
+ 4.21
+
+
+
+

+ file is a utility that identifies a file format by scanning binary data + for patterns. +

+
+ +

+ Conor Edberg discovered an error in the way file processes a specific + regular expression. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted file, + using excessive CPU ressources and possibly leading to a Denial of + Service. Note that this vulnerability could be also triggered through + an automatic file scanner like amavisd-new. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All file users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/file-4.20-r1" +
+ + CVE-2007-2026 + + + aetius + + + vorlon + + + p-y + +
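Review bot: The resolution command installs `>=sys-apps/file-4.20-r1`, but the package block at the top of the file lists 4.21-r1 as the unaffected version for revision 02 (September 17, 2007), so a user following the printed command can stop short of the version the advisory itself declares fixed. If the revision raised the fixed version, the command should read `# emerge --ask --oneshot --verbose ">=sys-apps/file-4.21-r1"`; if not, the package block should be corrected instead. The impact paragraph also misspells 'resources' as 'ressources'.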
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-14.xml b/xml/htdocs/security/en/glsa/glsa-200704-14.xml
new file mode 100644
index 00000000..fce94652
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-14.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ FreeRADIUS: Denial of Service
+
+ A memory leak has been discovered in FreeRADIUS, possibly allowing for a
+ Denial of Service.
+
+ FreeRADIUS
+ April 17, 2007
+ April 17, 2007: 01
+ 174292
+ remote
+
+
+ 1.1.6
+ 1.1.6
+
+
+
+

+ FreeRADIUS is an open source RADIUS authentication server + implementation. +

+
+ +

+ The Coverity Scan project has discovered a memory leak within the + handling of certain malformed Diameter format values inside an EAP-TTLS + tunnel. +

+
+ +

+ A remote attacker could send a large amount of specially crafted + packets to a FreeRADIUS server using EAP-TTLS authentication and + exhaust all memory, possibly resulting in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FreeRADIUS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dialup/freeradius-1.1.6" +
+ + CVE-2007-2028 + + + jaervosz + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-15.xml b/xml/htdocs/security/en/glsa/glsa-200704-15.xml
new file mode 100644
index 00000000..e1708ab9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-15.xml
@@ -0,0 +1,72 @@
+
+
+
+
+
+
+ MadWifi: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been discovered in the MadWifi driver,
+ possibly leading to a Denial of Service and information disclosure.
+
+ Madwifi-ng
+ April 17, 2007
+ April 21, 2007: 02
+ 173434
+ remote
+
+
+ 0.9.3
+ 0.9.3
+
+
+
+

+ The MadWifi driver provides support for Atheros based IEEE 802.11 + Wireless Lan cards. +

+
+ +

+ The driver does not properly process Channel Switch Announcement + Information Elements, allowing for an abnormal channel change. The + ieee80211_input() function does not properly handle AUTH frames and the + driver sends unencrypted packets before WPA authentication succeeds. +

+
+ +

+ A remote attacker could send specially crafted AUTH frames to the + vulnerable host, resulting in a Denial of Service by crashing the + kernel. A remote attacker could gain access to sensitive information + about network architecture by sniffing unencrypted packets. A remote + attacker could also send a Channel Switch Count less than or equal to + one to trigger a channel change, resulting in a communication loss and + a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MadWifi users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/madwifi-ng-0.9.3" +
+ + CVE-2006-7178 + CVE-2006-7179 + CVE-2006-7180 + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-16.xml b/xml/htdocs/security/en/glsa/glsa-200704-16.xml
new file mode 100644
index 00000000..54ccf318
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-16.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ Aircrack-ng: Remote execution of arbitrary code
+
+ Aircrack-ng contains a buffer overflow that could lead to the remote
+ execution of arbitrary code with root privileges.
+
+ aircrack-ng
+ April 22, 2007
+ April 22, 2007: 01
+ 174340
+ remote
+
+
+ 0.7-r2
+ 0.7-r2
+
+
+
+

+ Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can + recover keys once enough data packets have been captured. +

+
+ +

+ Jonathan So reported that the airodump-ng module does not correctly + check the size of 802.11 authentication packets before copying them + into a buffer. +

+
+ +

+ A remote attacker could trigger a stack-based buffer overflow by + sending a specially crafted 802.11 authentication packet to a user + running airodump-ng with the -w (--write) option. This could lead to + the remote execution of arbitrary code with the permissions of the user + running airodump-ng, which is typically the root user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Aircrack-ng users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/aircrack-ng-0.7-r2" +
+ + CVE-2007-2057 + + + shellsage + + + shellsage + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-17.xml b/xml/htdocs/security/en/glsa/glsa-200704-17.xml
new file mode 100644
index 00000000..dd3b28aa
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-17.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ 3proxy: Buffer overflow
+
+ A vulnerability has been discovered in 3proxy allowing for the remote
+ execution of arbitrary code.
+
+ 3proxy
+ April 22, 2007
+ April 22, 2007: 01
+ 174429
+ remote
+
+
+ 0.5.3h
+ 0.5.3h
+
+
+
+

+ 3proxy is a multi-protocol proxy, including HTTP/HTTPS/FTP and SOCKS + support. +

+
+ +

+ The 3proxy development team reported a buffer overflow in the logurl() + function when processing overly long requests. +

+
+ +

+ A remote attacker could send a specially crafted transparent request to + the proxy, resulting in the execution of arbitrary code with privileges + of the user running 3proxy. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All 3proxy users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/3proxy-0.5.3h" +
+ + CVE-2007-2031 + + + jaervosz + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-18.xml b/xml/htdocs/security/en/glsa/glsa-200704-18.xml
new file mode 100644
index 00000000..b58cbfa6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-18.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Courier-IMAP: Remote execution of arbitrary code
+
+ A vulnerability has been discovered in Courier-IMAP allowing for remote
+ code execution with root privileges.
+
+ courier-imap
+ April 22, 2007
+ April 23, 2007: 02
+ 168196
+ remote
+
+
+ 4.0.6-r2
+ 4.0.0
+ 4.0.6-r2
+
+
+
+

+ Courier-IMAP is an IMAP server which is part of the Courier mail + system. It provides access only to maildirs. +

+
+ +

+ CJ Kucera has discovered that some Courier-IMAP scripts don't properly + handle the XMAILDIR variable, allowing for shell command injection. +

+
+ +

+ A remote attacker could send specially crafted login credentials to a + Courier-IMAP server instance, possibly leading to remote code execution + with root privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Courier-IMAP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/courier-imap-4.0.6-r2" +
+ + + jaervosz + + + jaervosz + + + p-y + +
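Review bot: The references block of this advisory appears to be empty, while every other advisory in this batch cites at least a CVE identifier for the issue it describes, so readers cannot correlate the XMAILDIR shell command injection with other vulnerability databases. If an identifier was assigned, add it as a `<uri>` entry in the references element; I cannot tell from the diff which identifier applies, so `CVE-YYYY-NNNN` stands here for whichever one the editor confirms.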
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-19.xml b/xml/htdocs/security/en/glsa/glsa-200704-19.xml
new file mode 100644
index 00000000..2cd47532
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-19.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Blender: User-assisted remote execution of arbitrary code
+
+ A vulnerability has been discovered in Blender allowing for user-assisted
+ arbitrary code execution.
+
+ Blender
+ April 23, 2007
+ April 23, 2007: 01
+ 168907
+ remote
+
+
+ 2.43
+ 2.43
+
+
+
+

+ Blender is a 3D creation, animation and publishing program. +

+
+ +

+ Stefan Cornelius of Secunia Research discovered an insecure use of the + "eval()" function in kmz_ImportWithMesh.py. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + Blender file (.kmz or .kml), resulting in the execution of arbitrary + Python code with the privileges of the user running Blender. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Blender users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/blender-2.43" +
+ + CVE-2007-1253 + + + jaervosz + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-20.xml b/xml/htdocs/security/en/glsa/glsa-200704-20.xml
new file mode 100644
index 00000000..87472532
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-20.xml
@@ -0,0 +1,74 @@
+
+
+
+
+
+
+ NAS: Multiple vulnerabilities
+
+ The Network Audio System is vulnerable to a buffer overflow that could
+ result in the execution of arbitrary code with root privileges.
+
+ NAS
+ April 23, 2007
+ April 23, 2007: 01
+ 171428
+ remote
+
+
+ 1.8b
+ 1.8b
+
+
+
+

+ NAS is a network transparent, client/server audio transport system. +

+
+ +

+ Luigi Auriemma has discovered multiple vulnerabilities in NAS, some of + which include a buffer overflow in the function accept_att_local(), an + integer overflow in the function ProcAuWriteElement(), and a null + pointer error in the function ReadRequestFromClient(). +

+
+ +

+ An attacker having access to the NAS daemon could send an overly long + slave name to the server, leading to the execution of arbitrary code + with root privileges. A remote attacker could also send a specially + crafted packet containing an invalid client ID, which would crash the + server and result in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All NAS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/nas-1.8b" +
+ + CVE-2007-1543 + CVE-2007-1544 + CVE-2007-1545 + CVE-2007-1546 + CVE-2007-1547 + + + p-y + + + p-y + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-21.xml b/xml/htdocs/security/en/glsa/glsa-200704-21.xml
new file mode 100644
index 00000000..accb406a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-21.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ ClamAV: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been discovered in ClamAV allowing for the
+ remote execution of arbitrary code.
+
+ ClamAV
+ April 24, 2007
+ April 24, 2007: 01
+ 174375
+ remote
+
+
+ 0.90.2
+ 0.90.2
+
+
+
+

+ ClamAV is a GPL virus scanner. +

+
+ +

+ iDefense Labs have reported a stack-based buffer overflow in the + cab_unstore() function when processing negative values in .cab files. + Multiple file descriptor leaks have also been reported in chmunpack.c, + pdf.c and dblock.c when processing .chm files. +

+
+ +

+ A remote attacker could send a specially crafted CHM file to the + scanner, possibly resulting in the remote execution of arbitrary code + with the privileges of the user running ClamAV. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.90.2" +
+ + CVE-2007-1745 + CVE-2007-1997 + + + falco + + + p-y + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-22.xml b/xml/htdocs/security/en/glsa/glsa-200704-22.xml
new file mode 100644
index 00000000..b751315d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-22.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ BEAST: Denial of Service
+
+ A vulnerability has been discovered in BEAST allowing for a Denial of
+ Service.
+
+ BEAST
+ April 27, 2007
+ April 27, 2007: 01
+ 163146
+ local
+
+
+ 0.7.1
+ 0.7.1
+
+
+
+

+ BEdevilled Audio SysTem is an audio compositor, supporting a wide range + of audio formats. +

+
+ +

+ BEAST, which is installed as setuid root, fails to properly check + whether it can drop privileges accordingly if seteuid() fails due to a + user exceeding assigned resource limits. +

+
+ +

+ A local user could exceed his resource limit in order to prevent the + seteuid() call from succeeding. This may lead BEAST to keep running + with root privileges. Then, the local user could use the "save as" + dialog box to overwrite any file on the vulnerable system, potentially + leading to a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All BEAST users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/beast-0.7.1" +
+ + CVE-2006-2916 + CVE-2006-4447 + + + jaervosz + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200704-23.xml b/xml/htdocs/security/en/glsa/glsa-200704-23.xml
new file mode 100644
index 00000000..677ae69d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200704-23.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ capi4k-utils: Buffer overflow
+
+ capi4k-utils is vulnerable to a buffer overflow in the bufprint() function.
+
+ capi4k-utils
+ April 27, 2007
+ April 27, 2007: 01
+ 170870
+ local
+
+
+ 20050718-r3
+ 20050718-r3
+
+
+
+

+ capi4k-utils is a set of utilities for accessing COMMON-ISDN-API + software interfaces for ISDN devices. +

+
+ +

+ The bufprint() function in capi4k-utils fails to properly check + boundaries of data coming from CAPI packets. +

+
+ +

+ A local attacker could possibly escalate privileges or cause a Denial + of Service by sending a crafted CAPI packet. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All capi4k-utils users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dialup/capi4k-utils-20050718-r3" +
+ + CVE-2007-1217 + + + jaervosz + + + aetius + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-01.xml b/xml/htdocs/security/en/glsa/glsa-200705-01.xml
new file mode 100644
index 00000000..eb0a68fc
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200705-01.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ Ktorrent: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been discovered in Ktorrent allowing for the
+ remote execution of arbitrary code and a Denial of Service.
+
+ ktorrent
+ May 01, 2007
+ May 01, 2007: 01
+ 170303
+ remote
+
+
+ 2.1.3
+ 2.1.3
+
+
+
+

+ Ktorrent is a Bittorrent client for KDE. +

+
+ +

+ Bryan Burns of Juniper Networks discovered a vulnerability in + chunkcounter.cpp when processing large or negative idx values, and a + directory traversal vulnerability in torrent.cpp. +

+
+ +

+ A remote attacker could entice a user to download a specially crafted + torrent file, possibly resulting in the remote execution of arbitrary + code with the privileges of the user running Ktorrent. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ktorrent users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/ktorrent-2.1.3" +
+ + CVE-2007-1384 + CVE-2007-1385 + CVE-2007-1799 + + + aetius + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-02.xml b/xml/htdocs/security/en/glsa/glsa-200705-02.xml
new file mode 100644
index 00000000..2b5c77d2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200705-02.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ FreeType: User-assisted execution of arbitrary code
+
+ A vulnerability has been discovered in FreeType allowing for user-assisted
+ remote execution of arbitrary code.
+
+ freetype
+ May 01, 2007
+ May 27, 2007: 02
+ 172577
+ remote
+
+
+ 2.1.10-r3
+ 2.0
+ 2.1.10-r3
+
+
+
+

+ FreeType is a True Type Font rendering library. +

+
+ +

+ Greg MacManus of iDefense Labs has discovered an integer overflow in + the function bdfReadCharacters() when parsing BDF fonts. +

+
+ +

+ A remote attacker could entice a user to use a specially crafted BDF + font, possibly resulting in a heap-based buffer overflow and the remote + execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FreeType users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/freetype-2.1.10-r3" +
+ + CVE-2007-1351 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-03.xml b/xml/htdocs/security/en/glsa/glsa-200705-03.xml
new file mode 100644
index 00000000..e8bddb67
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200705-03.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ Tomcat: Information disclosure
+
+ A vulnerability has been discovered in Tomcat that allows for the
+ disclosure of sensitive information.
+
+ tomcat
+ May 01, 2007
+ May 01, 2007: 01
+ 173122
+ remote
+
+
+ 5.5.22
+ 5.5.22
+
+
+
+

+ Tomcat is the Apache Jakarta Project's official implementation of Java + Servlets and Java Server Pages. +

+
+ +

+ Tomcat allows special characters like slash, backslash or URL-encoded + backslash as a separator, while Apache does not. +

+
+ +

+ A remote attacker could send a specially crafted URL to the vulnerable + Tomcat server, possibly resulting in a directory traversal and read + access to arbitrary files with the privileges of the user running + Tomcat. Note that this vulnerability can only be exploited when using + apache proxy modules like mod_proxy, mod_rewrite or mod_jk. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Tomcat users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/tomcat-5.5.22" +
+ + CVE-2007-0450 + + + aetius + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-04.xml b/xml/htdocs/security/en/glsa/glsa-200705-04.xml
new file mode 100644
index 00000000..d213fd3e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200705-04.xml
@@ -0,0 +1,74 @@
+
+
+
+
+
+
+ Apache mod_perl: Denial of Service
+
+ The mod_perl Apache module is vulnerable to a Denial of Service when
+ processing regular expressions.
+
+ mod_perl
+ May 02, 2007
+ May 02, 2007: 02
+ 172676
+ remote
+
+
+ 2.0.3-r1
+ 1.30
+ 2.0.3-r1
+
+
+
+

+ Mod_perl is an Apache module that embeds the Perl interpreter within + the server, allowing Perl-based web-applications to be created. +

+
+ +

+ Alex Solvey discovered that the "path_info" variable used in file + RegistryCooker.pm (mod_perl 2.x) or file PerlRun.pm (mod_perl 1.x), is + not properly escaped before being processed. +

+
+ +

+ A remote attacker could send a specially crafted URL to the vulnerable + server, possibly resulting in a massive resource consumption. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mod_perl 1.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apache/mod_perl-1.30" +

+ All mod_perl 2.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apache/mod_perl-2.0.3-r1" +
+ + CVE-2007-1349 + + + falco + + + vorlon + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-05.xml b/xml/htdocs/security/en/glsa/glsa-200705-05.xml
new file mode 100644
index 00000000..62c68543
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200705-05.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Quagga: Denial of Service
+
+ A vulnerability has been discovered in Quagga allowing for a Denial of
+ Service.
+
+ quagga
+ May 02, 2007
+ May 02, 2007: 01
+ 174206
+ remote
+
+
+ 0.98.6-r2
+ 0.98.6-r2
+
+
+
+

+ Quagga is a free routing daemon, supporting RIP, OSPF and BGP + protocols. +

+
+ +

+ The Quagga development team reported a vulnerability in the BGP routing + deamon when processing NLRI attributes inside UPDATE messages. +

+
+ +

+ A malicious peer inside a BGP area could send a specially crafted + packet to a Quagga instance, possibly resulting in a crash of the + Quagga daemon. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Quagga users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/quagga-0.98.6-r2" +
+ + CVE-2007-1995 + + + falco + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-06.xml b/xml/htdocs/security/en/glsa/glsa-200705-06.xml
new file mode 100644
index 00000000..8929a242
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200705-06.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ X.Org X11 library: Multiple integer overflows
+
+ The X.Org X11 library contains multiple integer overflows, which could lead
+ to the execution of arbitrary code.
+
+ libx11
+ May 05, 2007
+ May 05, 2007: 01
+ 172752
+ remote
+
+
+ 1.0.3-r2
+ 1.0.3-r2
+
+
+
+

+ X.Org is an implementation of the X Window System. The X.Org X11 + library provides the X11 protocol library files. +

+
+ +

+ Multiple integer overflows have been reported in the XGetPixel() + function of the X.Org X11 library. +

+
+ +

+ By enticing a user to open a specially crafted image, an attacker could + cause a Denial of Service or an integer overflow, potentially resulting + in the execution of arbitrary code with root privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All X.Org X11 library users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/libX11-1.0.3-r2" +
+ + CVE-2007-1667 + + + jaervosz + + + dizzutch + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-07.xml b/xml/htdocs/security/en/glsa/glsa-200705-07.xml
new file mode 100644
index 00000000..b18fb45b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200705-07.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ Lighttpd: Two Denials of Service
+
+ Two vulnerabilities have been discovered in Lighttpd, each allowing for a
+ Denial of Service.
+
+ lighttpd
+ May 07, 2007
+ May 07, 2007: 01
+ 174043
+ remote
+
+
+ 1.4.14
+ 1.4.14
+
+
+
+

+ Lighttpd is a lightweight HTTP web server. +

+
+ +

+ Robert Jakabosky discovered an infinite loop triggered by a connection + abort when Lighttpd processes carriage return and line feed sequences. + Marcus Rueckert discovered a NULL pointer dereference when a server + running Lighttpd tries to access a file with a mtime of 0. +

+
+ +

+ A remote attacker could upload a specially crafted file to the server + or send a specially crafted request and then abort the connection, + possibly resulting in a crash or a Denial of Service by CPU + consumption. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Lighttpd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.14" +
+ + CVE-2007-1869 + CVE-2007-1870 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-08.xml b/xml/htdocs/security/en/glsa/glsa-200705-08.xml
new file mode 100644
index 00000000..76bc55ab
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200705-08.xml
@@ -0,0 +1,63 @@
+
+
+
+
+
+
+ GIMP: Buffer overflow
+
+ GIMP is vulnerable to a buffer overflow which may lead to the execution of
+ arbitrary code.
+
+ gimp
+ May 07, 2007
+ May 07, 2007: 01
+ 176226
+ remote
+
+
+ 2.2.14
+ 2.2.14
+
+
+
+

+ GIMP is the GNU Image Manipulation Program. +

+
+ +

+ Marsu discovered that the "set_color_table()" function in the SUNRAS + plugin is vulnerable to a stack-based buffer overflow. +

+
+ +

+ An attacker could entice a user to open a specially crafted .RAS file, + possibly leading to the execution of arbitrary code with the privileges + of the user running GIMP. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GIMP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/gimp-2.2.14" +
+ + CVE-2007-2356 + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-09.xml b/xml/htdocs/security/en/glsa/glsa-200705-09.xml
new file mode 100644
index 00000000..c803ff73
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200705-09.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ IPsec-Tools: Denial of Service
+
+ IPsec-Tools contains a vulnerability that allows a remote attacker to crash
+ the IPsec tunnel.
+
+ ipsec-tools
+ May 08, 2007
+ May 08, 2007: 01
+ 173219
+ remote
+
+
+ 0.6.7
+ 0.6.7
+
+
+
+

+ IPsec-Tools is a port of KAME's implementation of the IPsec utilities. + It contains a collection of network monitoring tools, including racoon, + ping, and ping6. +

+
+ +

+ The isakmp_info_recv() function in src/racoon/isakmp_inf.c does not + always check that DELETE (ISAKMP_NPTYPE_D) and NOTIFY (ISAKMP_NPTYPE_N) + packets are encrypted. +

+
+ +

+ A remote attacker could send a specially crafted IPsec message to one + of the two peers during the beginning of phase 1, resulting in the + termination of the IPsec exchange. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All IPsec-Tools users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-firewall/ipsec-tools-0.6.7" +
+ + CVE-2007-1841 + + + jaervosz + + + falco + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-10.xml b/xml/htdocs/security/en/glsa/glsa-200705-10.xml
new file mode 100644
index 00000000..6094732d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200705-10.xml
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+ LibXfont, TightVNC: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been reported in libXfont and TightVNC,
+ allowing for the execution of arbitrary code with root privileges.
+
+ tightvnc, libxfont
+ May 08, 2007
+ May 08, 2007: 01
+ 172575
+ 174200
+ local
+
+
+ 1.2.9-r4
+ 1.2.9-r4
+
+
+ 1.2.7-r1
+ 1.2.7-r1
+
+
+
+

+ LibXfont is the X.Org font library. TightVNC is a VNC client/server for + X displays. +

+
+ +

+ The libXfont code is prone to several integer overflows, in functions + ProcXCMiscGetXIDList(), bdfReadCharacters() and FontFileInitTable(). + TightVNC contains a local copy of this code and is also affected. +

+
+ +

+ A local attacker could use a specially crafted BDF Font to gain root + privileges on the vulnerable host. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libXfont users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.2.7-r1" +

+ All TightVNC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/tightvnc-1.2.9-r4" +
+ + CVE-2007-1003 + CVE-2007-1351 + CVE-2007-1352 + + + jaervosz + + + vorlon + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-11.xml b/xml/htdocs/security/en/glsa/glsa-200705-11.xml
new file mode 100644
index 00000000..9d2e8e04
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200705-11.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ MySQL: Two Denial of Service vulnerabilities
+
+ Two Denial of Service vulnerabilities have been discovered in MySQL.
+
+ MySQL
+ May 08, 2007
+ May 08, 2007: 01
+ 170126
+ 171934
+ remote
+
+
+ 5.0.38
+ 5.0
+ 5.0.38
+
+
+
+

+ MySQL is a popular multi-threaded, multi-user SQL server. +

+
+ +

+ mu-b discovered a NULL pointer dereference in item_cmpfunc.cc when + processing certain types of SQL requests. Sec Consult also discovered + another NULL pointer dereference when sorting certain types of queries + on the database metadata. +

+
+ +

+ In both cases, a remote attacker could send a specially crafted SQL + request to the server, possibly resulting in a server crash. Note that + the attacker needs the ability to execute SELECT queries. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MySQL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.0.38" +
+ + Original Report + CVE-2007-1420 + + + aetius + + + p-y + + + p-y + +
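Review bot: The impact section calls the attacker "remote" while also requiring the ability to execute SELECT queries, so these are crashes triggerable by an authenticated database user, not by anyone who can reach the listening port; say so explicitly, e.g. `A remote attacker with valid database credentials (the ability to execute SELECT queries) could send a specially crafted SQL request ...`, so operators prioritise correctly. The description also covers two distinct NULL pointer dereferences (mu-b's in item_cmpfunc.cc and Sec Consult's in metadata sorting) but the references carry only CVE-2007-1420; check whether the second issue has its own identifier and add it if so.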
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-12.xml b/xml/htdocs/security/en/glsa/glsa-200705-12.xml new file mode 100644 index 00000000..eb93181b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-12.xml @@ -0,0 +1,77 @@ + + + + + + + PostgreSQL: Privilege escalation + + PostgreSQL contains a vulnerability that could result in SQL privilege + escalation. + + postgresql + May 10, 2007 + May 28, 2009: 02 + 175791 + remote + + + 8.0.13 + 7.4.17 + 7.3.19 + 7.3.21 + 7.4.19 + 8.0.13 + + + +

+ PostgreSQL is an open source object-relational database management + system. +

+
+ +

+ An error involving insecure search_path settings in the SECURITY + DEFINER functions has been reported in PostgreSQL. +

+
+ +

+ If allowed to call a SECURITY DEFINER function, an attacker could gain + the SQL privileges of the owner of the called function. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PostgreSQL users should upgrade to the latest version and fix their + SECURITY DEFINER functions: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "dev-db/postgresql" +

+ In order to fix the SECURITY DEFINER functions, PostgreSQL users are + advised to refer to the PostgreSQL documentation: http://www.postgresql + .org/docs/techdocs.77 +

+
+ + CVE-2007-2138 + + + aetius + + + falco + + + jaervosz + +
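Review bot: The resolution atom `emerge --ask --oneshot --verbose "dev-db/postgresql"` carries no version bound, unlike every other advisory in this batch, so a user whose installed slot is already present sees no indication that it is still vulnerable; give the minimum fixed version per slot (the unaffected section lists 7.3.19, 7.4.17 and 8.0.13) in the atom or in the text. The documentation URL is also broken across lines as `http://www.postgresql .org/docs/techdocs.77` with an embedded space, which will not render as a working link; keep it on one line. Finally, "There is no known workaround" is arguably wrong for this issue, since the very fix the advisory points to — setting an explicit search_path inside each SECURITY DEFINER function, or revoking EXECUTE on them from untrusted roles — can be applied without upgrading; consider stating that in the workaround section.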
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-13.xml b/xml/htdocs/security/en/glsa/glsa-200705-13.xml new file mode 100644 index 00000000..9d0cbff7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-13.xml @@ -0,0 +1,73 @@ + + + + + + + ImageMagick: Multiple buffer overflows + + Multiple integer overflows have been discovered in ImageMagick allowing for + the execution of arbitrary code. + + imagemagick + May 10, 2007 + June 07, 2007: 02 + 152672 + 159567 + 173186 + remote + + + 6.3.3 + 6.3.3 + + + +

+ ImageMagick is a collection of tools allowing various manipulations on + image files. +

+
+ +

+ iDefense Labs has discovered multiple integer overflows in ImageMagick + in the functions ReadDCMImage() and ReadXWDImage(), that are used to + process DCM and XWD files. +

+
+ +

+ An attacker could entice a user to open specially crafted XWD or DCM + file, resulting in heap-based buffer overflows and possibly the + execution of arbitrary code with the privileges of the user running + ImageMagick. Note that this user may be httpd or any other account used + by applications relying on the ImageMagick tools to automatically + process images. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ImageMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.3.3" +
+ + CVE-2007-1797 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-14.xml b/xml/htdocs/security/en/glsa/glsa-200705-14.xml new file mode 100644 index 00000000..dcc64d2e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-14.xml @@ -0,0 +1,67 @@ + + + + + + + XScreenSaver: Privilege escalation + + XScreenSaver allows local users to bypass authentication under certain + configurations. + + xscreensaver + May 13, 2007 + May 13, 2007: 01 + 176584 + local + + + 5.02 + 5.02 + + + +

+ XScreenSaver is a widely used screen saver collection shipped on + systems running the X11 Window System. +

+
+ +

+ XScreenSaver incorrectly handles the results of the getpwuid() function + in drivers/lock.c when using directory servers during a network outage. +

+
+ +

+ A local user can crash XScreenSaver by preventing network connectivity + if the system uses a remote directory service for credentials such as + NIS or LDAP, which will unlock the screen. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All XScreenSaver users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-misc/xscreensaver-5.02" +
+ + CVE-2007-1859 + + + jaervosz + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-15.xml b/xml/htdocs/security/en/glsa/glsa-200705-15.xml new file mode 100644 index 00000000..a2b2e7a1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-15.xml @@ -0,0 +1,67 @@ + + + + + + + Samba: Multiple vulnerabilities + + Samba contains multiple vulnerabilities potentially resulting in the + execution of arbitrary code with root privileges. + + samba + May 15, 2007 + May 15, 2007: 01 + 177029 + remote + + + 3.0.24-r2 + 3.0.24-r2 + + + +

+ Samba is a suite of SMB and CIFS client/server programs for UNIX. +

+
+ +

+ Samba contains a logical error in the smbd daemon when translating + local SID to user names (CVE-2007-2444). Furthermore, Samba contains + several bugs when parsing NDR encoded RPC parameters (CVE-2007-2446). + Lastly, Samba fails to properly sanitize remote procedure input + provided via Microsoft Remote Procedure Calls (CVE-2007-2447). +

+
+ +

+ A remote attacker could exploit these vulnerabilities to gain root + privileges via various vectors. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Samba users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-3.0.24-r2" +
+ + CVE-2007-2444 + CVE-2007-2446 + CVE-2007-2447 + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-16.xml b/xml/htdocs/security/en/glsa/glsa-200705-16.xml new file mode 100644 index 00000000..ef91d43d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-16.xml @@ -0,0 +1,67 @@ + + + + + + + PhpWiki: Remote execution of arbitrary code + + A vulnerability has been discovered in PhpWiki allowing for the remote + execution of arbitrary code. + + phpwiki + May 17, 2007 + May 17, 2007: 01 + 174451 + remote + + + 1.3.10-r3 + 1.3.10-r3 + + + +

+ PhpWiki is an open source content management system written in PHP. +

+
+ +

+ Harold Hallikainen has reported that the Upload page fails to properly + check the extension of a file. +

+
+ +

+ A remote attacker could upload a specially crafted PHP file to the + vulnerable server, resulting in the execution of arbitrary PHP code + with the privileges of the user running PhpWiki. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PhpWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/phpwiki-1.3.10-r3" +
+ + CVE-2007-2024 + CVE-2007-2025 + + + p-y + + + p-y + + + p-y + +
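Review bot: The impact says code runs with the privileges of "the user running PhpWiki", but PhpWiki is PHP executed by the web server, so the relevant account is the web server or PHP process user; the ImageMagick advisory in this same batch already uses that framing and the wording should match, e.g. `... with the privileges of the user running the web server (typically httpd).` The references list two identifiers, CVE-2007-2024 and CVE-2007-2025, while the description covers only the missing extension check on the Upload page, so either the second issue needs a sentence in the description or the extra reference needs to be justified.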
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-17.xml b/xml/htdocs/security/en/glsa/glsa-200705-17.xml new file mode 100644 index 00000000..de5b0ef9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-17.xml @@ -0,0 +1,70 @@ + + + + + + + Apache mod_security: Rule bypass + + A vulnerability has been discovered in mod_security, allowing a remote + attacker to bypass rules. + + mod_security + May 17, 2007 + December 30, 2007: 02 + 169778 + remote + + + 2.1.1 + 2.1.1 + + + +

+ mod_security is an Apache module designed for enhancing the security of + the Apache web server. +

+
+ +

+ Stefan Esser discovered that mod_security processes NULL characters as + terminators in POST requests using the + application/x-www-form-urlencoded encoding type, while other parsers + used in web applications do not. +

+
+ +

+ A remote attacker could send a specially crafted POST request, possibly + bypassing the module ruleset and leading to the execution of arbitrary + code in the scope of the web server with the rights of the user running + the web server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mod_security users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apache/mod_security-2.1.1" +
+ + CVE-2007-1359 + + + shellsage + + + shellsage + + + p-y + +
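Review bot: The impact overstates the consequence of a rule bypass: a filter bypass in mod_security does not itself execute code, it lets an attack the rules were meant to block reach the backend application, so the outcome depends entirely on what vulnerability the bypassed rule was covering. Suggest `... possibly bypassing the module ruleset, so that attacks against the protected web application (including ones leading to code execution with the rights of the web server user) are no longer filtered.` It is also worth naming the root cause as a parser differential — mod_security treats a NUL byte as terminating an application/x-www-form-urlencoded value while the protected application's parser keeps reading — because the same class of bug recurs in other inspection layers and readers evaluating similar products benefit from the pattern being explicit.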
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-18.xml b/xml/htdocs/security/en/glsa/glsa-200705-18.xml new file mode 100644 index 00000000..88550686 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-18.xml @@ -0,0 +1,65 @@ + + + + + + + PPTPD: Denial of Service attack + + A vulnerability has been reported in PPTPD which could lead to a Denial of + Service. + + pptpd + May 20, 2007 + May 20, 2007: 01 + 176936 + remote + + + 1.3.4 + 1.3.4 + + + +

+ PPTPD is a Point-to-Point Tunnelling Protocol Daemon for Linux. +

+
+ +

+ James Cameron from HP has reported a vulnerability in PPTPD caused by + malformed GRE packets. +

+
+ +

+ A remote attacker could exploit this vulnerability to cause a Denial of + Service on the PPTPD connection. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PPTPD users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dialup/pptpd-1.3.4" +
+ + CVE-2007-0244 + + + jaervosz + + + jaervosz + + + dizzutch + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-19.xml b/xml/htdocs/security/en/glsa/glsa-200705-19.xml new file mode 100644 index 00000000..0d1918eb --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-19.xml @@ -0,0 +1,104 @@ + + + + + + + PHP: Multiple vulnerabilities + + PHP contains several vulnerabilities including buffer and integer overflows + which could under certain conditions lead to the remote execution of + arbitrary code. + + php + May 26, 2007 + March 29, 2008: 02 + 169372 + remote + + + 4.4.7 + 4.4.8_pre20070816 + 5.2.2 + 5.2.2 + + + +

+ PHP is a widely-used general-purpose scripting language that is + especially suited for Web development and can be embedded into HTML. +

+
+ +

+ Several vulnerabilities were found in PHP, most of them during the + Month Of PHP Bugs (MOPB) by Stefan Esser. The most severe of these + vulnerabilities are integer overflows in wbmp.c from the GD library + (CVE-2007-1001) and in the substr_compare() PHP 5 function + (CVE-2007-1375). Ilia Alshanetsky also reported a buffer overflow in + the make_http_soap_request() and in the user_filter_factory_create() + functions (CVE-2007-2510, CVE-2007-2511), and Stanislav Malyshev + discovered another buffer overflow in the bundled XMLRPC library + (CVE-2007-1864). Additionally, the session_regenerate_id() and the + array_user_key_compare() functions contain a double-free vulnerability + (CVE-2007-1484, CVE-2007-1521). Finally, there exist implementation + errors in the Zend engine, in the mb_parse_str(), the unserialize() and + the mail() functions and other elements. +

+
+ +

+ Remote attackers might be able to exploit these issues in PHP + applications making use of the affected functions, potentially + resulting in the execution of arbitrary code, Denial of Service, + execution of scripted contents in the context of the affected site, + security bypass or information leak. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHP 5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.2" +

+ All PHP 4 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-4.4.7" +
+ + CVE-2007-1001 + CVE-2007-1285 + CVE-2007-1286 + CVE-2007-1484 + CVE-2007-1521 + CVE-2007-1583 + CVE-2007-1700 + CVE-2007-1701 + CVE-2007-1711 + CVE-2007-1717 + CVE-2007-1718 + CVE-2007-1864 + CVE-2007-1900 + CVE-2007-2509 + CVE-2007-2510 + CVE-2007-2511 + + + jaervosz + + + jaervosz + + + falco + +
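Review bot: CVE-2007-1375, cited in the description for the substr_compare() integer overflow, is missing from the references list at the end of the advisory, while several identifiers in the references (CVE-2007-1285, 1286, 1583, 1700, 1701, 1711, 1717, 1718, 1900, 2509) are never mentioned in the description; at minimum add `CVE-2007-1375` to the references so every issue the text names is cross-referenced. The description's "double-free vulnerability" sentence pairs session_regenerate_id() and array_user_key_compare() with (CVE-2007-1484, CVE-2007-1521) in that order — confirm the mapping, since readers will assume positional correspondence.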
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-20.xml b/xml/htdocs/security/en/glsa/glsa-200705-20.xml new file mode 100644 index 00000000..f8436581 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-20.xml @@ -0,0 +1,90 @@ + + + + + + + Blackdown Java: Applet privilege escalation + + The Blackdown JDK and the Blackdown JRE suffer from the multiple + unspecified vulnerabilities that already affected the Sun JDK and JRE. + + blackdown-jdk,blackdown-jre + May 26, 2007 + May 26, 2007: 01 + 161835 + remote + + + 1.4.2.03-r14 + 1.4.2.03-r14 + + + 1.4.2.03-r14 + 1.4.2.03-r14 + + + +

+ Blackdown provides implementations of the Java Development Kit (JDK) + and the Java Runtime Environment (JRE). +

+
+ +

+ Chris Evans has discovered multiple buffer overflows in the Sun JDK and + the Sun JRE possibly related to various AWT and font layout functions. + Tom Hawtin has discovered an unspecified vulnerability in the Sun JDK + and the Sun JRE relating to unintended applet data access. He has also + discovered multiple other unspecified vulnerabilities in the Sun JDK + and the Sun JRE allowing unintended Java applet or application resource + acquisition. Additionally, a memory corruption error has been found in + the handling of GIF images with zero width field blocks. +

+
+ +

+ An attacker could entice a user to run a specially crafted Java applet + or application that could read, write, or execute local files with the + privileges of the user running the JVM, access data maintained in other + Java applets, or escalate the privileges of the currently running Java + applet or application allowing for unauthorized access to system + resources. +

+
+ +

+ Disable the "nsplugin" USE flag in order to prevent web applets from + being run. +

+
+ +

+ Since there is no fixed update from Blackdown and since the flaw only + occurs in the applets, the "nsplugin" USE flag has been masked in the + portage tree. Emerge the ebuild again in order to fix the + vulnerability. Another solution is to switch to another Java + implementation such as the Sun implementation (dev-java/sun-jdk and + dev-java/sun-jre-bin). +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "dev-java/blackdown-jdk" + # emerge --ask --oneshot --verbose "dev-java/blackdown-jre" +
+ + CVE-2006-6731 + CVE-2006-6736 + CVE-2006-6737 + CVE-2006-6745 + + + jaervosz + + + falco + + + falco + +
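Review bot: The resolution's claim that "the flaw only occurs in the applets" contradicts both the impact section, which says a crafted Java applet *or application* can read, write or execute local files, and the description, whose AWT/font buffer overflows and GIF memory corruption are reachable by any Java program that processes hostile data, not only by browser applets. Masking the nsplugin USE flag therefore removes the browser exposure but leaves applications run on the Blackdown JVM vulnerable, and since no fixed Blackdown release exists the re-emerge should be presented as a partial mitigation rather than a fix. Wording such as `Re-emerging with nsplugin masked removes web applet exposure only; applications executed with the Blackdown JVM remain vulnerable, so migrating to a maintained implementation such as dev-java/sun-jdk or dev-java/sun-jre-bin is recommended` would be accurate and consistent with the rest of the text.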
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-21.xml b/xml/htdocs/security/en/glsa/glsa-200705-21.xml new file mode 100644 index 00000000..c6ec3438 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-21.xml @@ -0,0 +1,72 @@ + + + + + + + MPlayer: Two buffer overflows + + Two vulnerabilities have been discovered in MPlayer, each one could lead to + the execution of arbitrary code. + + mplayer + May 30, 2007 + October 12, 2007: 02 + 168917 + remote + + + 1.0.20070321 + 1.0 + 1.0.20070321 + + + +

+ MPlayer is a media player incuding support for a wide range of audio + and video formats. +

+
+ +

+ A buffer overflow has been reported in the DMO_VideoDecoder_Open() + function in file loader/dmo/DMO_VideoDecoder.c. Another buffer overflow + has been reported in the DS_VideoDecoder_Open() function in file + loader/dshow/DS_VideoDecoder.c. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted video + file, potentially resulting in the execution of arbitrary code with the + privileges of the user running MPlayer. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0.20070321" +
+ + CVE-2007-1246 + CVE-2007-1387 + GLSA 200704-09 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-22.xml b/xml/htdocs/security/en/glsa/glsa-200705-22.xml new file mode 100644 index 00000000..9b8ea179 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-22.xml @@ -0,0 +1,68 @@ + + + + + + + FreeType: Buffer overflow + + A vulnerability has been discovered in FreeType allowing for the execution + of arbitrary code. + + freetype + May 30, 2007 + May 30, 2007: 01 + 179161 + remote + + + 2.3.4-r2 + 2.0 + 2.3.4-r2 + + + +

+ FreeType is a True Type Font rendering library. +

+
+ +

+ Victor Stinner discovered a heap-based buffer overflow in the function + Get_VMetrics() in src/truetype/ttgload.c when processing TTF files with + a negative n_points attribute. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted TTF + file, possibly resulting in the execution of arbitrary code with the + privileges of the user running FreeType. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FreeType users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/freetype-2.3.4-r2" +
+ + CVE-2007-2754 + + + jaervosz + + + p-y + + + p-y + +
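Review bot: "the privileges of the user running FreeType" is imprecise because FreeType is a library: the overflow executes in whatever process parsed the font, which matters here since TTF files reach browsers, document viewers and, where the server loads fonts itself, the X server. Suggest `... with the privileges of the application linked against FreeType that processes the file.` As with the libexif advisory in this batch, a note that dependent applications may need to be rebuilt or restarted to pick up the new library would help, since a running process keeps the vulnerable copy mapped after the upgrade.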
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-23.xml b/xml/htdocs/security/en/glsa/glsa-200705-23.xml new file mode 100644 index 00000000..2afaad39 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-23.xml @@ -0,0 +1,102 @@ + + + + + + + Sun JDK/JRE: Multiple vulnerabilities + + Multiple vulnerabilities have been identified in Sun Java Development Kit + (JDK) and Java Runtime Environment (JRE). + + sun-jdk,sun-jre-bin + May 31, 2007 + May 28, 2009: 05 + 176675 + 178851 + remote + + + 1.5.0.11 + 1.4.2.14 + 1.4.2.15 + 1.4.2.19 + 1.5.0.11 + + + 1.6.0.01 + 1.5.0.16 + 1.5.0.15 + 1.5.0.12 + 1.5.0.11 + 1.4.2.18 + 1.4.2.17 + 1.4.2.15 + 1.4.2.14 + 1.4.2.19 + 1.5.0.17 + 1.5.0.18 + 1.6.0.01 + + + +

+ The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment + (JRE) provide the Sun Java platform. +

+
+ +

+ An unspecified vulnerability involving an "incorrect use of system + classes" was reported by the Fujitsu security team. Additionally, Chris + Evans from the Google Security Team reported an integer overflow + resulting in a buffer overflow in the ICC parser used with JPG or BMP + files, and an incorrect open() call to /dev/tty when processing certain + BMP files. +

+
+ +

+ A remote attacker could entice a user to run a specially crafted Java + class or applet that will trigger one of the vulnerabilities. This + could lead to the execution of arbitrary code outside of the Java + sandbox and of the Java security restrictions, or crash the Java + application or the browser. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Sun Java Development Kit users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "dev-java/sun-jdk" +

+ All Sun Java Runtime Environment users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "dev-java/sun-jre-bin" +
+ + CVE-2007-2435 + CVE-2007-2788 + CVE-2007-2789 + + + jaervosz + + + falco + + + p-y + +
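Review bot: Both resolution atoms, `dev-java/sun-jdk` and `dev-java/sun-jre-bin`, carry no version bound, so a user whose installed slot is already present gets no upgrade requirement from the command; state the minimum fixed version per slot from the unaffected list (1.4.2.14, 1.5.0.11 and 1.6.0.01 at original publication, later bumped). The impact section folds the "incorrect open() call to /dev/tty when processing certain BMP files" in with the code-execution issues; that one appears to be a hang/denial-of-service condition rather than arbitrary code execution (confirm against the upstream advisory), and listing it separately would help triage.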
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-24.xml b/xml/htdocs/security/en/glsa/glsa-200705-24.xml new file mode 100644 index 00000000..6f822d88 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-24.xml @@ -0,0 +1,70 @@ + + + + + + + libpng: Denial of Service + + A vulnerability in libpng may allow a remote attacker to crash applications + that handle untrusted images. + + libpng + May 31, 2007 + May 31, 2007: 01 + 178004 + remote + + + 1.2.17 + 1.2.17 + + + +

+ libpng is a free ANSI C library used to process and manipulate PNG + images. +

+
+ +

+ Mats Palmgren fixed an error in file pngrutil.c in which the trans[] + array might be not allocated because of images with a bad tRNS chunk + CRC value. +

+
+ +

+ A remote attacker could craft an image that when processed or viewed by + an application using libpng causes the application to terminate + abnormally. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Please note that due to separate bugs in libpng 1.2.17, Gentoo does not + provide libpng-1.2.17 but libpng-1.2.18. All libpng users should + upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.18" +
+ + CVE-2007-2445 + + + jaervosz + + + falco + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200705-25.xml b/xml/htdocs/security/en/glsa/glsa-200705-25.xml new file mode 100644 index 00000000..94699600 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200705-25.xml @@ -0,0 +1,66 @@ + + + + + + + file: Integer overflow + + An integer overflow vulnerability has been reported in file allowing for + the user-assisted execution of arbitrary code. + + file + May 31, 2007 + June 01, 2007: 02 + 179583 + remote + + + 4.21 + 4.21 + + + +

+ file is a utility that guesses a file format by scanning binary data + for patterns. +

+
+ +

+ Colin Percival from FreeBSD reported that the previous fix for the + file_printf() buffer overflow introduced a new integer overflow. +

+
+ +

+ A remote attacker could entice a user to run the file program on an + overly large file (more than 1Gb) that would trigger an integer + overflow on 32-bit systems, possibly leading to the execution of + arbitrary code with the rights of the user running file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Since file is a system package, all Gentoo users should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/file-4.21" +
+ + CVE-2007-2799 + + + falco + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200706-01.xml b/xml/htdocs/security/en/glsa/glsa-200706-01.xml new file mode 100644 index 00000000..d7bf5d43 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200706-01.xml @@ -0,0 +1,68 @@ + + + + + + + libexif: Integer overflow vulnerability + + libexif fails to handle Exif (EXchangeable Image File) data inputs, making + it vulnerable to an integer overflow. + + libexif + June 05, 2007 + June 05, 2007: 01 + 178081 + remote + + + 0.6.15 + 0.6.15 + + + +

+ libexif is a library for parsing, editing and saving Exif data. +

+
+ +

+ Victor Stinner reported an integer overflow in the + exif_data_load_data_entry() function from file exif-data.c while + handling Exif data. +

+
+ +

+ An attacker could entice a user to process a file with specially + crafted Exif extensions with an application making use of libexif, + which will trigger the integer overflow and potentially execute + arbitrary code or crash the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libexif users should upgrade to the latest version. Please note + that users upgrading from "<=media-libs/libexif-0.6.13" should also run + revdep-rebuild after their upgrade. +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libexif-0.6.15" + # revdep-rebuild --library=/usr/lib/libexif.so +
+ + CVE-2007-2645 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200706-02.xml b/xml/htdocs/security/en/glsa/glsa-200706-02.xml new file mode 100644 index 00000000..5f8ee0a4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200706-02.xml @@ -0,0 +1,67 @@ + + + + + + + Evolution: User-assisted execution of arbitrary code + + A vulnerability has been discovered in Evolution allowing for the execution + of arbitrary code. + + evolution + June 06, 2007 + June 06, 2007: 01 + 170879 + remote + + + 2.8.3-r2 + 2.8.3-r2 + + + +

+ Evolution is the mail client of the GNOME desktop environment. +

+
+ +

+ Ulf Harnhammar from Secunia Research has discovered a format string + error in the write_html() function in the file + calendar/gui/e-cal-component-memo-preview.c. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + shared memo, possibly resulting in the execution of arbitrary code with + the privileges of the user running Evolution. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Evolution users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/evolution-2.8.3-r2" +
+ + CVE-2007-1002 + + + jaervosz + + + p-y + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200706-03.xml b/xml/htdocs/security/en/glsa/glsa-200706-03.xml new file mode 100644 index 00000000..adc00ab2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200706-03.xml @@ -0,0 +1,68 @@ + + + + + + + ELinks: User-assisted execution of arbitrary code + + A vulnerability has been discovered in ELinks allowing for the + user-assisted execution of arbitrary code. + + elinks + June 06, 2007 + June 06, 2007: 01 + 177512 + local + + + 0.11.2-r1 + 0.11.2-r1 + + + +

+ ELinks is a text-mode web browser. +

+
+ +

+ Arnaud Giersch discovered that the "add_filename_to_string()" function + in file intl/gettext/loadmsgcat.c uses an untrusted relative path, + allowing for a format string attack with a malicious .po file. +

+
+ +

+ A local attacker could entice a user to run ELinks in a specially + crafted directory environment containing a malicious ".po" file, + possibly resulting in the execution of arbitrary code with the + privileges of the user running ELinks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ELinks users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/elinks-0.11.2-r1" +
+ + CVE-2007-2027 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200706-04.xml b/xml/htdocs/security/en/glsa/glsa-200706-04.xml new file mode 100644 index 00000000..d9306c44 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200706-04.xml @@ -0,0 +1,74 @@ + + + + + + + MadWifi: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in MadWifi, possibly allowing + for the execution of arbitrary code or a Denial of Service. + + madwifi-ng + June 11, 2007 + June 11, 2007: 01 + 179532 + remote + + + 0.9.3.1 + 0.9.3.1 + + + +

+ The MadWifi driver provides support for Atheros based IEEE 802.11 + Wireless Lan cards. +

+
+ +

+ Md Sohail Ahmad from AirTight Networks has discovered a divison by zero + in the ath_beacon_config() function (CVE-2007-2830). The vendor has + corrected an input validation error in the + ieee80211_ioctl_getwmmparams() and ieee80211_ioctl_getwmmparams() + functions(CVE-207-2831), and an input sanitization error when parsing + nested 802.3 Ethernet frame lengths (CVE-2007-2829). +

+
+ +

+ An attacker could send specially crafted packets to a vulnerable host + to exploit one of these vulnerabilities, possibly resulting in the + execution of arbitrary code with root privileges, or a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MadWifi users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/madwifi-ng-0.9.3.1" +
+ + CVE-2007-2829 + CVE-2007-2830 + CVE-2007-2831 + + + jaervosz + + + p-y + + + p-y + +
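Review bot: The identifier `CVE-207-2831` in the description is missing a digit — the references give `CVE-2007-2831` — and the same sentence names `ieee80211_ioctl_getwmmparams()` twice, so one of the two function names is wrong (the CVE covers a pair of WMM parameter ioctl handlers; take the second name from the upstream report rather than guessing). Also correct `divison` to `division` and add the missing space in `functions(CVE-...`. The impact sentence treats all three issues as remote, but the ioctl handlers are presumably reached only by a local process with access to the interface, while the beacon-config and nested-802.3 issues are triggered by over-the-air frames; distinguishing the two vectors would make the "remote" classification accurate.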
diff --git a/xml/htdocs/security/en/glsa/glsa-200706-05.xml b/xml/htdocs/security/en/glsa/glsa-200706-05.xml new file mode 100644 index 00000000..64d7a37f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200706-05.xml @@ -0,0 +1,85 @@ + + + + + + + ClamAV: Multiple Denials of Service + + ClamAV contains several vulnerabilities leading to a Denial of Service. + + clamav + June 15, 2007 + June 15, 2007: 01 + 178082 + remote, local + + + 0.90.3 + 0.90.3 + + + +

+ ClamAV is a GPL virus scanner. +

+
+ +

+ Several vulnerabilities were discovered in ClamAV by various + researchers: +

+
  • Victor Stinner (INL) discovered that the OLE2 + parser may enter in an infinite loop (CVE-2007-2650).
  • +
  • A + boundary error was also reported by an anonymous researcher in the file + unsp.c, which might lead to a buffer overflow (CVE-2007-3023).
  • +
  • The file unrar.c contains a heap-based buffer overflow via a + modified vm_codesize value from a RAR file (CVE-2007-3123).
  • +
  • The RAR parsing engine can be bypassed via a RAR file with a header + flag value of 10 (CVE-2007-3122).
  • +
  • The cli_gentempstream() + function from clamdscan creates temporary files with insecure + permissions (CVE-2007-3024).
  • +
+
+ +

+ A remote attacker could send a specially crafted file to the scanner, + possibly triggering one of the vulnerabilities. The two buffer + overflows are reported to only cause Denial of Service. This would lead + to a Denial of Service by CPU consumption or a crash of the scanner. + The insecure temporary file creation vulnerability could be used by a + local user to access sensitive data. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.90.3" +
+ + CVE-2007-2650 + CVE-2007-3023 + CVE-2007-3024 + CVE-2007-3122 + CVE-2007-3123 + + + jaervosz + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200706-06.xml b/xml/htdocs/security/en/glsa/glsa-200706-06.xml new file mode 100644 index 00000000..adb269ec --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200706-06.xml @@ -0,0 +1,149 @@ + + + + + + + Mozilla products: Multiple vulnerabilities + + Multiple vulnerabilities have been reported in Mozilla Firefox, + Thunderbird, SeaMonkey and XULRunner, some of which may allow user-assisted + arbitrary remote code execution. + + mozilla-firefox,mozilla-thunderbird,mozilla-firefox-bin,mozilla-thunderbird-bin,seamonkey,seamonkey-bin,xulrunner + June 19, 2007 + June 19, 2007: 01 + 180436 + remote + + + 2.0.0.4 + 2.0.0.4 + + + 2.0.0.4 + 2.0.0.4 + + + 2.0.0.4 + 1.5.0.12 + 2.0.0.4 + + + 2.0.0.4 + 1.5.0.12 + 2.0.0.4 + + + 1.1.2 + 1.1.2 + + + 1.1.2 + 1.1.2 + + + 1.8.1.4 + 1.8.1.4 + + + +

+ Mozilla Firefox is an open-source web browser from the Mozilla Project, + and Mozilla Thunderbird an email client. The SeaMonkey project is a + community effort to deliver production-quality releases of code derived + from the application formerly known as the 'Mozilla Application Suite'. + XULRunner is a Mozilla runtime package that can be used to bootstrap + XUL+XPCOM applications like Firefox and Thunderbird. +

+
+ +

+ Mozilla developers fixed several bugs involving memory corruption + through various vectors (CVE-2007-2867, CVE-2007-2868). Additionally, + several errors leading to crash, memory exhaustion or CPU consumption + were fixed (CVE-2007-1362, CVE-2007-2869). Finally, errors related to + the APOP protocol (CVE-2007-1558), XSS prevention (CVE-2007-2870) and + spoofing prevention (CVE-2007-2871) were fixed. +

+
+ +

+ A remote attacker could entice a user to view a specially crafted web + page that will trigger one of the vulnerabilities, possibly leading to + the execution of arbitrary code or a Denial of Service. It is also + possible for an attacker to spoof the address bar or other browser + elements, obtain sensitive APOP information, or perform cross-site + scripting attacks, leading to the exposure of sensitive information, + like user credentials. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.4" +

+ All Mozilla Firefox binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.4" +

+ All Mozilla Thunderbird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-2.0.0.4" +

+ All Mozilla Thunderbird binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-2.0.0.4" +

+ All SeaMonkey users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.2" +

+ All SeaMonkey binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.2" +

+ All XULRunner users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.4" +
+ + CVE-2007-1362 + CVE-2007-1558 + CVE-2007-2867 + CVE-2007-2868 + CVE-2007-2869 + CVE-2007-2870 + CVE-2007-2871 + + + falco + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200706-07.xml b/xml/htdocs/security/en/glsa/glsa-200706-07.xml new file mode 100644 index 00000000..14595836 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200706-07.xml @@ -0,0 +1,75 @@ + + + + + + + PHProjekt: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in PHProjekt, allowing for + the execution of arbitrary PHP and SQL code, and cross-site scripting + attacks. + + phprojekt + June 19, 2007 + June 19, 2007: 01 + 170905 + remote + + + 5.2.1 + 5.2.1 + + + +

+ PHProjekt is a project management and coordination tool written in PHP. +

+
+ +

+ Alexios Fakos from n.runs AG has discovered multiple vulnerabilities in + PHProjekt, including the execution of arbitrary SQL commands using + unknown vectors (CVE-2007-1575), the execution of arbitrary PHP code + using an unrestricted file upload (CVE-2007-1639), cross-site request + forgeries using different modules (CVE-2007-1638), and a cross-site + scripting attack using unkown vectors (CVE-2007-1576). +

+
+ +

+ An authenticated user could elevate their privileges by exploiting the + vulnerabilities described above. Note that the magic_quotes_gpc PHP + configuration setting must be set to "off" to exploit these + vulnerabilities. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHProjekt users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/phprojekt-5.2.1" +
+ + CVE-2007-1575 + CVE-2007-1576 + CVE-2007-1638 + CVE-2007-1639 + + + falco + + + p-y + + + p-y + +
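Review bot: The impact paragraph's note that magic_quotes_gpc must be "off" to exploit these vulnerabilities is broader than the description supports: quoting plausibly gates the SQL injection and XSS (CVE-2007-1575, CVE-2007-1576), but the unrestricted file upload (CVE-2007-1639) and the CSRF (CVE-2007-1638) named in the description do not depend on how input strings are escaped. Scope the note, e.g. `Note that the magic_quotes_gpc PHP configuration setting must be set to "off" to exploit the SQL injection and cross-site scripting vulnerabilities.` The impact is also understated — an upload of arbitrary PHP code presumably runs with the web server's privileges, not merely elevated PHProjekt privileges, and CSRF lets an attacker act through a logged-in user — so consider `An authenticated user could execute arbitrary PHP code with the privileges of the web server or elevate their privileges within PHProjekt; a remote attacker could entice an authenticated user into performing unintended actions via cross-site request forgery.` If magic_quotes_gpc really does block the injection issues, it also belongs in the workaround section instead of "no known workaround".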
diff --git a/xml/htdocs/security/en/glsa/glsa-200706-08.xml b/xml/htdocs/security/en/glsa/glsa-200706-08.xml new file mode 100644 index 00000000..22cf7e65 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200706-08.xml @@ -0,0 +1,78 @@ + + + + + + + emul-linux-x86-java: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in emul-linux-x86-java, + possibly resulting in the execution of arbitrary code or a Denial of + Service. + + emul-linux-x86-java + June 26, 2007 + May 28, 2009: 03 + 178962 + remote + + + 1.5.0.11 + 1.4.2.16 + 1.4.2.17 + 1.4.2.19 + 1.5.0.11 + + + +

+ emul-linux-x86-java is the 32 bit version of the Sun's J2SE Development + Kit. +

+
+ +

+ Chris Evans of the Google Security Team has discovered an integer + overflow in the ICC parser, and another vulnerability in the BMP + parser. An unspecified vulnerability involving an "incorrect use of + system classes" was reported by the Fujitsu security team. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + image, possibly resulting in the execution of arbitrary code with the + privileges of the user running Emul-linux-x86-java. They also could + entice a user to open a specially crafted BMP image, resulting in a + Denial of Service. Note that these vulnerabilities may also be + triggered by a tool processing image files automatically. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Emul-linux-x86-java users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.5.0.11" +
+ + CVE-2007-2435 + CVE-2007-2788 + CVE-2007-2789 + + + falco + + + p-y + + + p-y + +
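Review bot: The resolution gives only the `">=app-emulation/emul-linux-x86-java-1.5.0.11"` target, while the version table at the top of the hunk also lists 1.4.2.16, 1.4.2.17 and 1.4.2.19 — presumably unaffected revisions of the 1.4.2 series (the range attributes are not visible in this stripped rendering). If those are unaffected revisions, users who stay on the 1.4.2 slot are not moved to a fixed build by that command and need a second step such as `# emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.4.2.16"`, or the text should state that the 1.4.2 series must be upgraded to 1.5. The description also names three issues but does not map them to the three CVEs in the references; pairing each with its CVE, as the Mozilla advisory in this commit does, would help readers triage.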
diff --git a/xml/htdocs/security/en/glsa/glsa-200706-09.xml b/xml/htdocs/security/en/glsa/glsa-200706-09.xml new file mode 100644 index 00000000..af5a4068 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200706-09.xml @@ -0,0 +1,70 @@ + + + + + + + libexif: Buffer overflow + + libexif does not properly handle image EXIF information, possibly allowing + for the execution of arbitrary code. + + libexif + June 26, 2007 + June 26, 2007: 01 + 181922 + remote + + + 0.6.16 + 0.6.16 + + + +

+ libexif is a library for parsing, editing and saving EXIF metadata from + images. +

+
+ +

+ iDefense Labs have discovered that the exif_data_load_data_entry() + function in libexif/exif-data.c improperly handles integer data while + working with an image with many EXIF components, allowing an integer + overflow possibly leading to a heap-based buffer overflow. +

+
+ +

+ An attacker could entice a user of an application making use of a + vulnerable version of libexif to load a specially crafted image file, + possibly resulting in a crash of the application or the execution of + arbitrary code with the rights of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libexif users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libexif-0.6.16" +
+ + CVE-2006-4168 + + + jaervosz + + + jaervosz + + + shellsage + +
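Review bot: The resolution upgrades the library but does not tell readers that processes already running with the old libexif mapped remain vulnerable until restarted, a caveat that matters more here than for an application package because the impact section explicitly targets "an application making use of a vulnerable version of libexif". Add after the emerge block a line such as `Applications that have the old library loaded must be restarted to pick up the fixed version.` The description's chain (integer overflow in exif_data_load_data_entry() leading to a heap-based overflow) and the impact wording are otherwise consistent.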
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-01.xml b/xml/htdocs/security/en/glsa/glsa-200707-01.xml new file mode 100644 index 00000000..328e2259 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-01.xml @@ -0,0 +1,65 @@ + + + + + + + Firebird: Buffer overflow + + A vulnerability has been discovered in Firebird, allowing for the execution + of arbitrary code. + + firebird + July 01, 2007 + July 01, 2007: 01 + 181811 + remote + + + 2.0.1 + 2.0.1 + + + +

+ Firebird is an open source relational database that runs on Linux, + Windows, and various UNIX systems. +

+
+ +

+ Cody Pierce from TippingPoint DVLabs has discovered a buffer overflow + when processing "connect" requests with an overly large "p_cnct_count" + value. +

+
+ +

+ An unauthenticated remote attacker could send a specially crafted + request to a vulnerable server, possibly resulting in the execution of + arbitrary code with the privileges of the user running Firebird. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Firebird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/firebird-2.0.1" +
+ + CVE-2007-3181 + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-02.xml b/xml/htdocs/security/en/glsa/glsa-200707-02.xml new file mode 100644 index 00000000..35d3cf10 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-02.xml @@ -0,0 +1,82 @@ + + + + + + + OpenOffice.org: Two buffer overflows + + Multiple vulnerabilities have been discovered in OpenOffice.org, allowing + for the remote execution of arbitrary code. + + openoffice + July 02, 2007 + July 02, 2007: 01 + 181773 + remote + + + 2.2.1 + 2.2.1 + + + 2.2.1 + 2.2.1 + + + +

+ OpenOffice.org is an open source office productivity suite, including + word processing, spreadsheet, presentation, drawing, data charting, + formula editing, and file conversion facilities. +

+
+ +

+ John Heasman of NGSSoftware has discovered a heap-based buffer overflow + when parsing the "prdata" tag in RTF files where the first token is + smaller than the second one (CVE-2007-0245). Additionally, the + OpenOffice binary program is shipped with a version of FreeType that + contains an integer signedness error in the n_points variable in file + truetype/ttgload.c, which was covered by GLSA 200705-22 + (CVE-2007-2754). +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + document, possibly leading to execution of arbitrary code with the + rights of the user running OpenOffice.org. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenOffice.org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-2.2.1" +

+ All OpenOffice.org binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.2.1" +
+ + CVE-2007-0245 + CVE-2007-2754 + GLSA 200705-22 + + + falco + + + falco + +
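Review bot: The second issue in the description is a bundled-dependency case — OpenOffice.org ships its own FreeType, so the fix in GLSA 200705-22 for the system library did not cover it (CVE-2007-2754) — and the text should say that plainly rather than leaving readers to assume the earlier GLSA was sufficient. Consider `OpenOffice.org ships a private copy of FreeType; the fix for CVE-2007-2754 in GLSA 200705-22 applies to the system library only and does not cover this copy.` It is also ambiguous whether "the OpenOffice binary program" means only app-office/openoffice-bin or both packages; both targets appear in the resolution, so stating which package(s) carry the bundled copy would remove the doubt.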
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-03.xml b/xml/htdocs/security/en/glsa/glsa-200707-03.xml new file mode 100644 index 00000000..b88057ae --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-03.xml @@ -0,0 +1,70 @@ + + + + + + + Evolution: User-assisted remote execution of arbitrary code + + The IMAP client of Evolution contains a vulnerability potentially leading + to the execution of arbitrary code. + + evolution-data-server + July 02, 2007 + July 02, 2007: 01 + 182011 + remote + + + 1.8.3-r5 + 1.6.2-r1 + 1.8.3-r5 + + + +

+ Evolution is the mail client of the GNOME desktop environment. Camel is + the Evolution Data Server module that handles mail functions. +

+
+ +

+ The imap_rescan() function of the file camel-imap-folder.c does not + properly sanitize the "SEQUENCE" response sent by an IMAP server before + being used to index arrays. +

+
+ +

+ A malicious or compromised IMAP server could trigger the vulnerability + and execute arbitrary code with the permissions of the user running + Evolution. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Evolution users should upgrade evolution-data-server to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "gnome-extra/evolution-data-server" +
+ + CVE-2007-3257 + + + falco + + + falco + + + falco + +
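Review bot: The resolution's emerge atom `"gnome-extra/evolution-data-server"` carries no version bound, unlike every other resolution in this commit, so it merges whatever version Portage currently selects and cannot guarantee that users land on the fixed 1.8.3-r5 or 1.6.2-r1 named in the version table. Presumably the bound was dropped because two slots are fixed; if so, give a bounded atom per slot, e.g. `">=gnome-extra/evolution-data-server-1.8.3-r5"`, or state explicitly that every version Portage now offers contains the fix. A sentence noting that Evolution must be restarted after the upgrade to load the fixed Camel code would also help, since the vulnerable code runs inside the long-lived mail client.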
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-04.xml b/xml/htdocs/security/en/glsa/glsa-200707-04.xml new file mode 100644 index 00000000..11230aba --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-04.xml @@ -0,0 +1,71 @@ + + + + + + + GNU C Library: Integer overflow + + An integer overflow in the dynamic loader, ld.so, could result in the + execution of arbitrary code with escalated privileges. + + glibc + July 03, 2007 + July 03, 2007: 01 + 183844 + local + + + 2.5-r4 + 2.5-r4 + + + +

+ The GNU C library is the standard C library used by Gentoo Linux + systems. It provides programs with basic facilities and interfaces to + system calls. ld.so is the dynamic linker which prepares dynamically + linked programs for execution by resolving runtime dependencies and + related functions. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Team discovered a flaw in + the handling of the hardware capabilities mask by the dynamic loader. + If a mask is specified with a high population count, an integer + overflow could occur when allocating memory. +

+
+ +

+ As the hardware capabilities mask is honored by the dynamic loader + during the execution of suid and sgid programs, in theory this + vulnerability could result in the execution of arbitrary code with root + privileges. This update is provided as a precaution against currently + unknown attack vectors. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.5-r4" +
+ + CVE-2007-3508 + + + taviso + + + taviso + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-05.xml b/xml/htdocs/security/en/glsa/glsa-200707-05.xml new file mode 100644 index 00000000..2a711c3b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-05.xml @@ -0,0 +1,77 @@ + + + + + + + Webmin, Usermin: Cross-site scripting vulnerabilities + + Webmin and Usermin are vulnerable to cross-site scripting vulnerabilities + (XSS). + + webmin/usermin + July 05, 2007 + July 05, 2007: 01 + 181385 + remote + + + 1.350 + 1.350 + + + 1.280 + 1.280 + + + +

+ Webmin is a web-based administrative interface for Unix-like systems. + Usermin is a simplified version of Webmin designed for use by normal + users rather than system administrators. +

+
+ +

+ The pam_login.cgi file does not properly sanitize user input before + sending it back as output to the user. +

+
+ +

+ An unauthenticated attacker could entice a user to browse a specially + crafted URL, allowing for the execution of script code in the context + of the user's browser and for the theft of browser credentials. This + may permit the attacker to login to Webmin or Usermin with the user's + permissions. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Webmin users should update to the latest stable version: +

+ + # emerge --sync + # emerge --ask --verbose --oneshot ">=app-admin/webmin-1.350" +

+ All Usermin users should update to the latest stable version: +

+ + # emerge --sync + # emerge --ask --verbose --oneshot ">=app-admin/usermin-1.280" +
+ + CVE-2007-3156 + + + falco + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-06.xml b/xml/htdocs/security/en/glsa/glsa-200707-06.xml new file mode 100644 index 00000000..4c233d9d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-06.xml @@ -0,0 +1,69 @@ + + + + + + + XnView: Stack-based buffer overflow + + XnView is vulnerable to a stack-based buffer overflow and possible remote + code execution when handling XPM image files. + + xnview + July 11, 2007 + July 11, 2007: 01 + 175670 + remote + + + 1.70 + + + +

+ XnView is software to view and convert graphics files. XPixMap (XPM) is + a simple ascii-based graphics format. +

+
+ +

+ XnView is vulnerable to a stack-based buffer overflow while processing + an XPM file with an overly long section string (greater than 1024 + bytes). +

+
+ +

+ An attacker could entice a user to view a specially crafted XPM file + with XnView that could trigger the vulnerability and possibly execute + arbitrary code with the rights of the user running XnView. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ No update appears to be forthcoming from the XnView developer and + XnView is proprietary, so the XnView package has been masked in + Portage. We recommend that users select an alternate graphics viewer + and conversion utility, and unmerge XnView: +

+ + # emerge --unmerge xnview +
+ + CVE-2007-2194 + + + jaervosz + + + aetius + + + DerCorny + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-07.xml b/xml/htdocs/security/en/glsa/glsa-200707-07.xml new file mode 100644 index 00000000..7d4c1e4f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-07.xml @@ -0,0 +1,70 @@ + + + + + + + MPlayer: Multiple buffer overflows + + Multiple vulnerabilities have been discovered in MPlayer, possibly allowing + for the remote execution of arbitrary code. + + mplayer + July 24, 2007 + October 12, 2007: 03 + 181097 + remote + + + 1.0.20070622 + 1.0 + 1.0.20070622 + + + +

+ MPlayer is a media player incuding support for a wide range of audio + and video formats. +

+
+ +

+ Stefan Cornelius and Reimar Doffinger of Secunia Research discovered + several boundary errors in the functions cddb_query_parse(), + cddb_parse_matches_list() and cddb_read_parse(), each allowing for a + stack-based buffer overflow. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted file + with malicious CDDB entries, possibly resulting in the execution of + arbitrary code with the privileges of the user running MPlayer. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0.20070622" +
+ + CVE-2007-2948 + + + jaervosz + + + p-y + + + p-y + +
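Review bot: The impact text says a user must open "a specially crafted file with malicious CDDB entries", but the functions named in the description — cddb_query_parse(), cddb_parse_matches_list() and cddb_read_parse() — are by their names parsers of CDDB server responses, which suggests the realistic vector is a malicious or spoofed CDDB server answering an audio-CD lookup rather than a local file; confirm against the Secunia advisory. If so, the impact should read along the lines of `A remote attacker controlling or spoofing the CDDB server MPlayer queries when playing an audio CD could send specially crafted responses, possibly resulting in the execution of arbitrary code...`. In that case disabling CDDB lookups is a plausible workaround and the "no known workaround" statement should be revisited.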
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-08.xml b/xml/htdocs/security/en/glsa/glsa-200707-08.xml new file mode 100644 index 00000000..09d8e562 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-08.xml @@ -0,0 +1,67 @@ + + + + + + + NVClock: Insecure file usage + + A vulnerability has been discovered in NVClock, allowing for the execution + of arbitrary code. + + nvclock + July 24, 2007 + July 24, 2007: 01 + 184071 + local + + + 0.7-r2 + 0.7-r2 + + + +

+ NVClock is an utility for changing NVidia graphic chipsets internal + frequency. +

+
+ +

+ Tavis Ormandy of the Gentoo Linux Security Team discovered that NVClock + makes usage of an insecure temporary file in the /tmp directory. +

+
+ +

+ A local attacker could create a specially crafted temporary file in + /tmp to execute arbitrary code with the privileges of the user running + NVCLock. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All NVClock users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/nvclock-0.7-r2" +
+ + CVE-2007-3531 + + + jaervosz + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-09.xml b/xml/htdocs/security/en/glsa/glsa-200707-09.xml new file mode 100644 index 00000000..a67f7145 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-09.xml @@ -0,0 +1,70 @@ + + + + + + + GIMP: Multiple integer overflows + + Multiple vulnerabilities have been discovered in GIMP, allowing for the + remote execution of arbitrary code. + + gimp + July 25, 2007 + July 25, 2007: 01 + 182047 + remote + + + 2.2.16 + 2.2.16 + + + +

+ GIMP is the GNU Image Manipulation Program. +

+
+ +

+ Sean Larsson from iDefense Labs discovered multiple integer overflows + in various GIMP plugins (CVE-2006-4519). Stefan Cornelius from Secunia + Research discovered an integer overflow in the + seek_to_and_unpack_pixeldata() function when processing PSD files + (CVE-2007-2949). +

+
+ +

+ A remote attacker could entice a user to open a specially crafted image + file, possibly resulting in the execution of arbitrary code with the + privileges of the user running GIMP. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GIMP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/gimp-2.2.16" +
+ + CVE-2006-4519 + CVE-2007-2949 + + + DerCorny + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-10.xml b/xml/htdocs/security/en/glsa/glsa-200707-10.xml new file mode 100644 index 00000000..4a2b1e41 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-10.xml @@ -0,0 +1,62 @@ + + + + + + + Festival: Privilege elevation + + A vulnerability has been discovered in Festival, allowing for a local + privilege escalation. + + festival + July 25, 2007 + July 25, 2007: 01 + 170477 + local + + + 1.95_beta-r4 + 1.95_beta-r4 + + + +

+ Festival is a text-to-speech accessibility program. +

+
+ +

+ Konstantine Shirow reported a vulnerability in default Gentoo + configurations of Festival. The daemon is configured to run with root + privileges and to listen on localhost, without requiring a password. +

+
+ +

+ A local attacker could gain root privileges by connecting to the daemon + and execute arbitrary commands. +

+
+ +

+ Set a password in the configuration file /etc/festival/server.scm by + adding the line: (set! server_passwd password) +

+
+ +

+ All Festival users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-accessibility/festival-1.95_beta-r4" +
+ + + p-y + + + falco + +
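Review bot: The workaround adds `(set! server_passwd password)` to /etc/festival/server.scm, but because the daemon runs as root the password only helps if that file is not readable by the same unprivileged local users the advisory is protecting against; add `and ensure the file is readable only by root`. The password is also presumably exchanged in cleartext over the localhost socket, so it raises the bar for local users but still leaves a root daemon accepting commands from any local process — confirm and state that limitation. The references block lists no CVE for this issue; if one was assigned it should be added so the advisory can be cross-referenced.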
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-11.xml b/xml/htdocs/security/en/glsa/glsa-200707-11.xml new file mode 100644 index 00000000..c794c6c2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-11.xml @@ -0,0 +1,71 @@ + + + + + + + MIT Kerberos 5: Arbitrary remote code execution + + Multiple vulnerabilities in MIT Kerberos 5 could potentially result in + remote code execution with root privileges by unauthenticated users. + + mit-krb5 + July 25, 2007 + July 25, 2007: 01 + 183338 + remote + + + 1.5.2-r3 + 1.5.2-r3 + + + +

+ MIT Kerberos 5 is a suite of applications that implement the Kerberos + network protocol. +

+
+ +

+ kadmind is affected by multiple vulnerabilities in the RPC library + shipped with MIT Kerberos 5. It fails to properly handle zero-length + RPC credentials (CVE-2007-2442) and the RPC library can write past the + end of the stack buffer (CVE-2007-2443). Furthermore kadmind fails to + do proper bounds checking (CVE-2007-2798). +

+
+ +

+ A remote unauthenticated attacker could exploit these vulnerabilities + to execute arbitrary code with root privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MIT Kerberos 5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.5.2-r3" +
+ + CVE-2007-2442 + CVE-2007-2443 + CVE-2007-2798 + + + jaervosz + + + jaervosz + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-12.xml b/xml/htdocs/security/en/glsa/glsa-200707-12.xml new file mode 100644 index 00000000..d6f03f58 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-12.xml @@ -0,0 +1,68 @@ + + + + + + + VLC media player: Format string vulnerabilities + + A vulnerability has been discovered in VLC media player, allowing for the + remote execution of arbitrary code. + + vlc + July 28, 2007 + July 28, 2007: 01 + 182389 + remote + + + 0.8.6c + 0.8.6c + + + +

+ VLC media player is a multimedia player for various audio and video + formats. +

+
+ +

+ David Thiel from iSEC Partners Inc. discovered format string errors in + various plugins when parsing data. The affected plugins include Vorbis, + Theora, CDDA and SAP. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted media + file, possibly resulting in the execution of arbitrary code with the + privileges of the user running VLC media player. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All VLC media player users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/vlc-0.8.6c" +
+ + CVE-2007-3316 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-13.xml b/xml/htdocs/security/en/glsa/glsa-200707-13.xml new file mode 100644 index 00000000..c3df6f5d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-13.xml @@ -0,0 +1,66 @@ + + + + + + + Fail2ban: Denial of Service + + Fail2ban is vulnerable to a Denial of Service attack. + + fail2ban + July 28, 2007 + January 09, 2008: 02 + 181214 + remote + + + 0.8.0-r1 + 0.8.0-r1 + + + +

+ Fail2ban is a tool for parsing log files and banning IP addresses which + make too many password failures. +

+
+ +

+ A vulnerability has been discovered in Fail2ban when parsing log files. +

+
+ +

+ A remote attacker could send specially crafted SSH login banners to the + vulnerable host, which would prevent any ssh connection to the host and + result in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Fail2ban users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/fail2ban-0.8.0-r1" +
+ + CVE-2007-4321 + Original advisory + + + aetius + + + p-y + + + p-y + +
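Review bot: The description "A vulnerability has been discovered in Fail2ban when parsing log files" names no mechanism, and the impact section is the only hint at it. From the impact text the flaw appears to be that attacker-controlled text in an SSH login banner is logged by sshd and then parsed by Fail2ban as a failed login from an address of the attacker's choosing; if the original advisory confirms this, say so in the description, e.g. `Fail2ban does not reliably distinguish attacker-supplied data logged by sshd from genuine failure records, allowing a remote attacker to have arbitrary addresses banned.` The impact wording "prevent any ssh connection to the host" is also an over-generalisation — a ban affects the addresses the attacker chose to have blocked, not every client — and should be narrowed to `block SSH access from arbitrary addresses chosen by the attacker, including legitimate administrators`.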
diff --git a/xml/htdocs/security/en/glsa/glsa-200707-14.xml b/xml/htdocs/security/en/glsa/glsa-200707-14.xml new file mode 100644 index 00000000..dec9c075 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200707-14.xml @@ -0,0 +1,68 @@ + + + + + + + tcpdump: Integer overflow + + A vulnerability has been discovered in tcpdump, allowing for the execution + of arbitrary code, possibly with root privileges. + + tcpdump + July 28, 2007 + July 28, 2007: 01 + 184815 + remote + + + 3.9.5-r3 + 3.9.5-r3 + + + +

+ tcpdump is a tool for capturing and inspecting network traffic. +

+
+ +

+ mu-b from Digital Labs discovered that the return value of a snprintf() + call is not properly checked before being used. This could lead to an + integer overflow. +

+
+ +

+ A remote attacker could send specially crafted BGP packets on a network + being monitored with tcpdump, possibly resulting in the execution of + arbitrary code with the privileges of the user running tcpdump, which + is usually root. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All tcpdump users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/tcpdump-3.9.5-r3" +
+ + CVE-2007-3798 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-01.xml b/xml/htdocs/security/en/glsa/glsa-200708-01.xml new file mode 100644 index 00000000..17f72bcc --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-01.xml @@ -0,0 +1,74 @@ + + + + + + + Macromedia Flash Player: Remote arbitrary code execution + + Multiple vulnerabilities have been discovered in Macromedia Flash Player, + allowing for the remote execution of arbitrary code. + + adobe-flash + August 08, 2007 + May 28, 2009: 02 + 185141 + remote + + + 9.0.48.0 + 9.0.48.0 + + + +

+ The Macromedia Flash Player is a renderer for the popular SWF file type + which is commonly used to provide interactive websites, digital + experiences and mobile content. +

+
+ +

+ Mark Hills discovered some errors when interacting with a browser for + keystrokes handling (CVE-2007-2022). Stefano Di Paola and Giorgio Fedon + from Minded Security discovered a boundary error when processing FLV + files (CVE-2007-3456). An input validation error when processing HTTP + referrers has also been reported (CVE-2007-3457). +

+
+ +

+ A remote attacker could entice a user to open a specially crafted file, + possibly leading to the execution of arbitrary code with the privileges + of the user running the Macromedia Flash Player, or sensitive data + access. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Macromedia Flash Player users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-9.0.48.0" +
+ + CVE-2007-2022 + CVE-2007-3456 + CVE-2007-3457 + + + jaervosz + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-02.xml b/xml/htdocs/security/en/glsa/glsa-200708-02.xml new file mode 100644 index 00000000..54659680 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-02.xml @@ -0,0 +1,68 @@ + + + + + + + Xvid: Array indexing vulnerabilities + + Several array indexing vulnerabilities were discovered in Xvid, possibly + allowing for the remote execution of arbitrary code. + + xvid + August 08, 2007 + August 08, 2007: 01 + 183145 + remote + + + 1.1.3 + 1.1.3 + + + +

+ Xvid is a popular open source video codec licensed under the GPL. +

+
+ +

+ Trixter Jack discovered an array indexing error in the + get_intra_block() function in the file src/bitstream/mbcoding.c. The + get_inter_block_h263() and get_inter_block_mpeg() functions in the same + file were also reported as vulnerable. +

+
+ +

+ An attacker could exploit these vulnerabilities to execute arbitrary + code by tricking a user or automated system into processing a malicious + video file with an application that makes use of the Xvid library. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Xvid users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/xvid-1.1.3" +
+ + CVE-2007-3329 + + + p-y + + + DerCorny + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-03.xml b/xml/htdocs/security/en/glsa/glsa-200708-03.xml new file mode 100644 index 00000000..16d8a6d1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-03.xml @@ -0,0 +1,74 @@ + + + + + + + libarchive (formerly named as bsdtar): Multiple PaX Extension Header Vulnerabilities + + Multiple vulnerabilities were found in libarchive (formerly named as + app-archive/bsdtar), possibly allowing for the execution of arbitrary code + or a Denial of Service. + + libarchive + August 08, 2007 + August 08, 2007: 02 + 184984 + remote + + + 2.2.4 + 2.2.4 + + + +

+ libarchive is a library for manipulating different streaming archive + formats, including certain tar variants, several cpio formats, and both + BSD and GNU ar variants. +

+
+ +

+ CPNI, CERT-FI, Tim Kientzle, and Colin Percival reported a buffer + overflow (CVE-2007-3641), an infinite loop (CVE-2007-3644), and a NULL + pointer dereference (CVE-2007-3645) within the processing of archives + having corrupted PaX extension headers. +

+
+ +

+ An attacker can trick a user or automated system to process an archive + with malformed PaX extension headers into execute arbitrary code, crash + an application using the library, or cause a high CPU load. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libarchive or bsdtar users should upgrade to the latest libarchive + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/libarchive-2.2.4" +
+ + CVE-2007-3641 + CVE-2007-3644 + CVE-2007-3645 + + + jaervosz + + + DerCorny + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-04.xml b/xml/htdocs/security/en/glsa/glsa-200708-04.xml new file mode 100644 index 00000000..a66f2d49 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-04.xml @@ -0,0 +1,65 @@ + + + + + + + ClamAV: Denial of Service + + A vulnerability has been discovered in ClamAV, allowing for a Denial of + Service. + + clamav + August 09, 2007 + August 09, 2007: 01 + 185013 + remote + + + 0.91 + 0.91 + + + +

+ ClamAV is a GPL virus scanner. +

+
+ +

+ Metaeye Security Group reported a NULL pointer dereference in ClamAV + when processing RAR archives. +

+
+ +

+ A remote attacker could send a specially crafted RAR archive to the + clamd daemon, resulting in a crash and a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.91" +
+ + CVE-2007-3725 + + + falco + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-05.xml b/xml/htdocs/security/en/glsa/glsa-200708-05.xml new file mode 100644 index 00000000..3db531df --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-05.xml @@ -0,0 +1,84 @@ + + + + + + + GD: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in GD, allowing for the + execution of arbitrary code. + + gd + August 09, 2007 + August 09, 2007: 01 + 179154 + remote + + + 2.0.35 + 2.0.35 + + + +

+ GD is a graphic library for fast image creation. +

+
+ +

+ Xavier Roche discovered an infinite loop in the gdPngReadData() + function when processing a truncated PNG file (CVE-2007-2756). An + integer overflow has been discovered in the gdImageCreateTrueColor() + function (CVE-2007-3472). An error has been discovered in the function + gdImageCreateXbm() function (CVE-2007-3473). Unspecified + vulnerabilities have been discovered in the GIF reader (CVE-2007-3474). + An error has been discovered when processing a GIF image that has no + global color map (CVE-2007-3475). An array index error has been + discovered in the file gd_gif_in.c when processing images with an + invalid color index (CVE-2007-3476). An error has been discovered in + the imagearc() and imagefilledarc() functions when processing overly + large angle values (CVE-2007-3477). A race condition has been + discovered in the gdImageStringFTEx() function (CVE-2007-3478). +

+
+ +

+ A remote attacker could exploit one of these vulnerabilities to cause a + Denial of Service or possibly execute arbitrary code with the + privileges of the user running GD. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GD users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/gd-2.0.35" +
+ + CVE-2007-2756 + CVE-2007-3472 + CVE-2007-3473 + CVE-2007-3474 + CVE-2007-3475 + CVE-2007-3476 + CVE-2007-3477 + CVE-2007-3478 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-06.xml b/xml/htdocs/security/en/glsa/glsa-200708-06.xml new file mode 100644 index 00000000..e3f71c46 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-06.xml @@ -0,0 +1,68 @@ + + + + + + + Net::DNS: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in the Net::DNS Perl module, + allowing for a Denial of Service and a cache poisoning attack. + + net-dns + August 11, 2007 + August 11, 2007: 01 + 184029 + remote + + + 0.60 + 0.60 + + + +

+ Net::DNS is a Perl implementation of a DNS resolver.
+

+
+ +

+ hjp discovered an error when handling DNS query IDs which make them
+ partially predictable. Steffen Ullrich discovered an error in the
+ dn_expand() function which could lead to an endless loop.
+

+
+ +

+ A remote attacker could send a specially crafted DNS request to the
+ server which could result in a Denial of Service with an infinite
+ recursion, or perform a cache poisoning attack.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All Net::DNS users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-perl/Net-DNS-0.60"
+
+ + CVE-2007-3377 + CVE-2007-3409 + + + aetius + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-07.xml b/xml/htdocs/security/en/glsa/glsa-200708-07.xml new file mode 100644 index 00000000..d3fe6ab7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-07.xml @@ -0,0 +1,68 @@ + + + + + + + Xfce Terminal: Remote arbitrary code execution + + A vulnerability has been discovered in the Xfce Terminal program, allowing + for the remote execution of arbitrary code. + + terminal + August 11, 2007 + July 12, 2008: 02 + 184886 + remote + + + 0.2.6_p25931 + 0.2.6_p25931 + + + +

+ Xfce Terminal is a console tool for the Xfce desktop environment.
+

+
+ +

+ Lasse Karkkainen discovered that the function terminal_helper_execute()
+ in file terminal-helper.c does not properly escape the URIs before
+ processing.
+

+
+ +

+ A remote attacker could entice a user to open a specially crafted link,
+ possibly leading to the remote execution of arbitrary code with the
+ privileges of the user running Xfce Terminal. Note that the exploit
+ code depends on the browser used to open the crafted link.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All Xfce Terminal users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=x11-terms/terminal-0.2.6_p25931"
+
+ + CVE-2007-3770 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-08.xml b/xml/htdocs/security/en/glsa/glsa-200708-08.xml new file mode 100644 index 00000000..bdd5615f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-08.xml @@ -0,0 +1,75 @@ + + + + + + + SquirrelMail G/PGP plugin: Arbitrary code execution + + Multiple vulnerabilities have been discovered in SquirrelMail, allowing for + the remote execution of arbitrary code. + + squirrelmail + August 11, 2007 + August 11, 2007: 01 + 185010 + remote + + + 1.4.10a-r2 + 1.4.10a-r2 + + + +

+ SquirrelMail is a webmail package written in PHP. It supports IMAP and
+ SMTP protocols.
+

+
+ +

+ The functions deletekey(), gpg_check_sign_pgp_mime() and gpg_recv_key()
+ used in the SquirrelMail G/PGP encryption plugin do not properly escape
+ user-supplied data.
+

+
+ +

+ An authenticated user could use the plugin to execute arbitrary code on
+ the server, or a remote attacker could send a specially crafted e-mail
+ to a SquirrelMail user, possibly leading to the execution of arbitrary
+ code with the privileges of the user running the underlying web server.
+ Note that the G/PGP plugin is disabled by default.
+

+
+ +

+ Enter the SquirrelMail configuration directory
+ (/usr/share/webapps/squirrelmail/version/htdocs/config), then execute
+ the conf.pl script. Select the plugins menu, then select the gpg plugin
+ item number in the "Installed Plugins" list to disable it. Press S to
+ save your changes, then Q to quit.
+

+
+ +

+ All SquirrelMail users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.10a-r2"
+
+ + CVE-2005-1924 + CVE-2006-4169 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-09.xml b/xml/htdocs/security/en/glsa/glsa-200708-09.xml new file mode 100644 index 00000000..3c00063a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-09.xml @@ -0,0 +1,153 @@ + + + + + + + Mozilla products: Multiple vulnerabilities + + Multiple vulnerabilities have been reported in Mozilla Firefox, + Thunderbird, SeaMonkey and XULRunner, some of which may allow user-assisted + arbitrary remote code execution. + + mozilla-firefox,mozilla-firefox-bin,seamonkey,seamonkey-bin,mozilla-thunderbird,mozilla-thunderbird-bin,xulrunner + August 14, 2007 + August 14, 2007: 01 + 185737 + 187205 + remote + + + 2.0.0.6 + 2.0.0.6 + + + 2.0.0.6 + 2.0.0.6 + + + 2.0.0.6 + 2.0.0.6 + + + 2.0.0.6 + 2.0.0.6 + + + 1.1.4 + 1.1.4 + + + 1.1.4 + 1.1.4 + + + 1.8.1.6 + 1.8.1.6 + + + +

+ Mozilla Firefox is an open-source web browser from the Mozilla Project,
+ and Mozilla Thunderbird an email client. The SeaMonkey project is a
+ community effort to deliver production-quality releases of code derived
+ from the application formerly known as the 'Mozilla Application Suite'.
+ XULRunner is a Mozilla runtime package that can be used to bootstrap
+ XUL+XPCOM applications like Firefox and Thunderbird.
+

+
+ +

+ Mozilla developers fixed several bugs, including an issue with
+ modifying XPCNativeWrappers (CVE-2007-3738), a problem with event
+ handlers executing elements outside of the document (CVE-2007-3737),
+ and a cross-site scripting (XSS) vulnerability (CVE-2007-3736). They
+ also fixed a problem with promiscuous IFRAME access (CVE-2007-3089) and
+ an XULRunner URL spoofing issue with the wyciwyg:// URI and HTTP 302
+ redirects (CVE-2007-3656). Denials of Service involving corrupted
+ memory were fixed in the browser engine (CVE-2007-3734) and the
+ JavaScript engine (CVE-2007-3735). Finally, another XSS vulnerability
+ caused by a regression in the CVE-2007-3089 patch was fixed
+ (CVE-2007-3844).
+

+
+ +

+ A remote attacker could entice a user to view a specially crafted web
+ page that will trigger one of the vulnerabilities, possibly leading to
+ the execution of arbitrary code or a Denial of Service. It is also
+ possible for an attacker to perform cross-site scripting attacks, which
+ could result in the exposure of sensitive information such as login
+ credentials.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.6"
+

+ All Mozilla Firefox binary users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.6"
+

+ All Mozilla Thunderbird users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-2.0.0.6"
+

+ All Mozilla Thunderbird binary users should upgrade to the latest
+ version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-2.0.0.6"
+

+ All SeaMonkey users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.4"
+

+ All SeaMonkey binary users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.4"
+

+ All XULRunner users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.6"
+
+ + CVE-2007-3089 + CVE-2007-3656 + CVE-2007-3734 + CVE-2007-3735 + CVE-2007-3736 + CVE-2007-3737 + CVE-2007-3738 + CVE-2007-3844 + + + aetius + + + aetius + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-10.xml b/xml/htdocs/security/en/glsa/glsa-200708-10.xml new file mode 100644 index 00000000..a871ecd5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-10.xml @@ -0,0 +1,70 @@ + + + + + + + MySQL: Denial of Service and information leakage + + A Denial of Service vulnerability and a table structure information leakage + vulnerability were found in MySQL. + + mysql + August 16, 2007 + August 16, 2007: 01 + 185333 + remote + + + 5.0.44 + 5.0.44 + + + +

+ MySQL is a popular multi-threaded, multi-user SQL server.
+

+
+ +

+ Dormando reported a vulnerability within the handling of password
+ packets in the connection protocol (CVE-2007-3780). Andrei Elkin also
+ found that the "CREATE TABLE LIKE" command didn't require SELECT
+ privileges on the source table (CVE-2007-3781).
+

+
+ +

+ A remote unauthenticated attacker could use the first vulnerability to
+ make the server crash. The second vulnerability can be used by
+ authenticated users to obtain information on tables they are not
+ normally able to access.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All MySQL users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.0.44"
+
+ + CVE-2007-3780 + CVE-2007-3781 + + + falco + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-11.xml b/xml/htdocs/security/en/glsa/glsa-200708-11.xml new file mode 100644 index 00000000..35826347 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-11.xml @@ -0,0 +1,74 @@ + + + + + + + Lighttpd: Multiple vulnerabilities + + Several vulnerabilities were reported in Lighttpd, most of them allowing a + Denial of Service and potentially the remote execution of arbitrary code. + + lighttpd + August 16, 2007 + August 16, 2007: 01 + 185442 + remote + + + 1.4.16 + 1.4.16 + + + +

+ Lighttpd is a lightweight HTTP web server.
+

+
+ +

+ Stefan Esser discovered errors with evidence of memory corruption in
+ the code parsing the headers. Several independent researchers also
+ reported errors involving the handling of HTTP headers, the mod_auth
+ and mod_scgi modules, and the limitation of active connections.
+

+
+ +

+ A remote attacker can trigger any of these vulnerabilities by sending
+ malicious data to the server, which may lead to a crash or memory
+ exhaustion, and potentially the execution of arbitrary code.
+ Additionally, access-deny settings can be evaded by appending a final /
+ to a URL.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All Lighttpd users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.16"
+
+ + CVE-2007-3946 + CVE-2007-3947 + CVE-2007-3948 + CVE-2007-3949 + CVE-2007-3950 + + + jaervosz + + + falco + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-12.xml b/xml/htdocs/security/en/glsa/glsa-200708-12.xml new file mode 100644 index 00000000..6bbd1f5a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-12.xml @@ -0,0 +1,76 @@ + + + + + + + Wireshark: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Wireshark, allowing for + the remote execution of arbitrary code and a Denial of Service. + + wireshark + August 16, 2007 + August 16, 2007: 01 + 183520 + remote + + + 0.99.6 + 0.99.6 + + + +

+ Wireshark is a network protocol analyzer with a graphical front-end.
+

+
+ +

+ Wireshark doesn't properly handle chunked encoding in HTTP responses
+ (CVE-2007-3389), iSeries capture files (CVE-2007-3390), certain types
+ of DCP ETSI packets (CVE-2007-3391), and SSL or MMS packets
+ (CVE-2007-3392). An off-by-one error has been discovered in the
+ DHCP/BOOTP dissector when handling DHCP-over-DOCSIS packets
+ (CVE-2007-3393).
+

+
+ +

+ A remote attacker could send specially crafted packets on a network
+ being monitored with Wireshark, possibly resulting in the execution of
+ arbitrary code with the privileges of the user running Wireshark which
+ might be the root user, or a Denial of Service.
+

+
+ +

+ In order to prevent root compromise, take network captures with tcpdump
+ and analyze them running Wireshark as a least privileged user.
+

+
+ +

+ All Wireshark users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-0.99.6"
+
+ + CVE-2007-3389 + CVE-2007-3390 + CVE-2007-3391 + CVE-2007-3392 + CVE-2007-3393 + + + aetius + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-13.xml b/xml/htdocs/security/en/glsa/glsa-200708-13.xml new file mode 100644 index 00000000..1d36d1ef --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-13.xml @@ -0,0 +1,81 @@ + + + + + + + BIND: Weak random number generation + + The ISC BIND random number generator uses a weak algorithm, making it + easier to guess the next query ID and perform a DNS cache poisoning attack. + + bind + August 18, 2007 + August 18, 2007: 01 + 186556 + remote + + + 9.4.1_p1 + 9.4.1_p1 + + + +

+ ISC BIND is the Internet Systems Consortium implementation of the
+ Domain Name System (DNS) protocol.
+

+
+ +

+ Amit Klein from Trusteer reported that the random number generator of
+ ISC BIND leads, half the time, to predictable (1 chance to 8) query IDs
+ in the resolver routine or in zone transfer queries (CVE-2007-2926).
+ Additionally, the default configuration file has been strengthen with
+ respect to the allow-recursion{} and the allow-query{} options
+ (CVE-2007-2925).
+

+
+ +

+ A remote attacker can use this weakness by sending queries for a domain
+ he handles to a resolver (directly to a recursive server, or through
+ another process like an email processing) and then observing the
+ resulting IDs of the iterative queries. The attacker will half the time
+ be able to guess the next query ID, then perform cache poisoning by
+ answering with those guessed IDs, while spoofing the UDP source address
+ of the reply. Furthermore, with empty allow-recursion{} and
+ allow-query{} options, the default configuration allowed anybody to
+ make recursive queries and query the cache.
+

+
+ +

+ There is no known workaround at this time for the random generator
+ weakness. The allow-recursion{} and allow-query{} options should be set
+ to trusted hosts only in /etc/bind/named.conf, thus preventing several
+ security risks.
+

+
+ +

+ All ISC BIND users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.1_p1"
+
+ + CVE-2007-2925 + CVE-2007-2926 + + + aetius + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-14.xml b/xml/htdocs/security/en/glsa/glsa-200708-14.xml new file mode 100644 index 00000000..be60801a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-14.xml @@ -0,0 +1,68 @@ + + + + + + + NVIDIA drivers: Denial of Service + + A vulnerability has been discovered in the NVIDIA graphic drivers, allowing + for a Denial of Service. + + nvidia-drivers + August 19, 2007 + October 11, 2007: 03 + 183567 + local + + + 71.86.01 + 1.0.7185 + 1.0.9639 + 100.14.06 + + + +

+ The NVIDIA drivers provide support for NVIDIA graphic boards.
+

+
+ +

+ Gregory Shikhman discovered that the default Gentoo setup of NVIDIA
+ drivers creates the /dev/nvidia* with insecure file permissions.
+

+
+ +

+ A local attacker could send arbitrary values into the devices, possibly
+ resulting in hardware damage on the graphic board or a Denial of
+ Service.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All NVIDIA drivers users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "x11-drivers/nvidia-drivers"
+
+ + CVE-2007-3532 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-15.xml b/xml/htdocs/security/en/glsa/glsa-200708-15.xml new file mode 100644 index 00000000..d7fad8e1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-15.xml @@ -0,0 +1,64 @@ + + + + + + + Apache mod_jk: Directory traversal + + A directory traversal vulnerability has been discovered in Apache mod_jk. + + mod_jk + August 19, 2007 + August 19, 2007: 01 + 186218 + remote + + + 1.2.23 + 1.2.23 + + + +

+ Apache mod_jk is a connector for the Tomcat web server.
+

+
+ +

+ Apache mod_jk decodes the URL within Apache before passing them to
+ Tomcat, which decodes them a second time.
+

+
+ +

+ A remote attacker could browse a specially crafted URL on an Apache
+ server running mod_jk, possibly gaining access to restricted resources.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All Apache mod_jk users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apache/mod_jk-1.2.23"
+
+ + CVE-2007-1860 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-16.xml b/xml/htdocs/security/en/glsa/glsa-200708-16.xml new file mode 100644 index 00000000..cf79ae3c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-16.xml @@ -0,0 +1,68 @@ + + + + + + + Qt: Multiple format string vulnerabilities + + Format string vulnerabilities in Qt 3 may lead to the remote execution of + arbitrary code in some Qt applications. + + qt + August 22, 2007 + August 22, 2007: 01 + 185446 + remote, local + + + 3.3.8-r3 + 3.3.8-r3 + + + +

+ Qt is a cross-platform GUI framework, which is used e.g. by KDE.
+

+
+ +

+ Tim Brown of Portcullis Computer Security Ltd and Dirk Mueller of KDE
+ reported multiple format string errors in qWarning() calls in files
+ qtextedit.cpp, qdatatable.cpp, qsqldatabase.cpp, qsqlindex.cpp,
+ qsqlrecord.cpp, qglobal.cpp, and qsvgdevice.cpp.
+

+
+ +

+ An attacker could trigger one of the vulnerabilities by causing a Qt
+ application to parse specially crafted text, which may lead to the
+ execution of arbitrary code.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All Qt 3 users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "=x11-libs/qt-3*"
+
+ + CVE-2007-3388 + + + jaervosz + + + jaervosz + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200708-17.xml b/xml/htdocs/security/en/glsa/glsa-200708-17.xml new file mode 100644 index 00000000..1ddd1b56 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200708-17.xml @@ -0,0 +1,82 @@ + + + + + + + Opera: Multiple vulnerabilities + + Opera contain several vulnerabilities, some of which may allow the + execution of arbitrary code. + + opera + August 22, 2007 + August 22, 2007: 01 + 185497 + 188987 + remote + + + 9.23 + 9.23 + + + +

+ Opera is a multi-platform web browser.
+

+
+ +

+ An error known as "a virtual function call on an invalid pointer" has
+ been discovered in the JavaScript engine (CVE-2007-4367). Furthermore,
+ iDefense Labs reported that an already-freed pointer may be still used
+ under unspecified circumstances in the BitTorrent support
+ (CVE-2007-3929). At last, minor other errors have been discovered,
+ relative to memory read protection (Opera Advisory 861) and URI
+ displays (CVE-2007-3142, CVE-2007-3819).
+

+
+ +

+ A remote attacker could trigger the BitTorrent vulnerability by
+ enticing a user into starting a malicious BitTorrent download, and
+ execute arbitrary code through unspecified vectors. Additionally, a
+ specially crafted JavaScript may trigger the "virtual function"
+ vulnerability. The JavaScript engine can also access previously freed
+ but uncleaned memory. Finally, a user can be fooled with a too long
+ HTTP server name that does not fit the dialog box, or a URI containing
+ whitespaces.
+

+
+ +

+ There is no known workaround at this time for all these
+ vulnerabilities.
+

+
+ +

+ All Opera users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/opera-9.23"
+
+ + CVE-2007-3142 + CVE-2007-3819 + CVE-2007-3929 + CVE-2007-4367 + Opera Advisory 861 + + + jaervosz + + + jaervosz + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-01.xml b/xml/htdocs/security/en/glsa/glsa-200709-01.xml new file mode 100644 index 00000000..a667068b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200709-01.xml @@ -0,0 +1,74 @@ + + + + + + + MIT Kerberos 5: Multiple vulnerabilities + + Two vulnerabilites have been found in MIT Kerberos 5, which could allow a + remote unauthenticated user to execute arbitrary code with root privileges. + + mit-krb5 + September 11, 2007 + September 11, 2007: 01 + 191301 + remote + + + 1.5.3-r1 + 1.5.3-r1 + + + +

+ MIT Kerberos 5 is a suite of applications that implement the Kerberos
+ network protocol. kadmind is the MIT Kerberos 5 administration daemon.
+

+
+ +

+ A stack buffer overflow (CVE-2007-3999) has been reported in
+ svcauth_gss_validate() of the RPC library of kadmind. Another
+ vulnerability (CVE-2007-4000) has been found in
+ kadm5_modify_policy_internal(), which does not check the return values
+ of krb5_db_get_policy() correctly.
+

+
+ +

+ The RPC related vulnerability can be exploited by a remote
+ unauthenticated attacker to execute arbitrary code with root privileges
+ on the host running kadmind. The second vulnerability requires the
+ remote attacker to be authenticated and to have "modify policy"
+ privileges. It could then also allow for the remote execution of
+ arbitrary code.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All MIT Kerberos 5 users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.5.3-r1"
+
+ + CVE-2007-3999 + CVE-2007-4000 + + + p-y + + + jaervosz + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-02.xml b/xml/htdocs/security/en/glsa/glsa-200709-02.xml new file mode 100644 index 00000000..40824244 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200709-02.xml @@ -0,0 +1,70 @@ + + + + + + + KVIrc: Remote arbitrary code execution + + A vulnerability has been discovered in KVIrc, allowing for the remote + execution of arbitrary code. + + kvirc + September 13, 2007 + September 13, 2007: 01 + 183174 + remote + + + 3.2.6_pre20070714 + 3.2.6_pre20070714 + + + +

+ KVIrc is a free portable IRC client based on Qt.
+

+
+ +

+ Stefan Cornelius from Secunia Research discovered that the
+ "parseIrcUrl()" function in file src/kvirc/kernel/kvi_ircurl.cpp does
+ not properly sanitise parts of the URI when building the command for
+ KVIrc's internal script system.
+

+
+ +

+ A remote attacker could entice a user to open a specially crafted
+ irc:// URI, possibly leading to the remote execution of arbitrary code
+ with the privileges of the user running KVIrc. Successful exploitation
+ requires that KVIrc is registered as the default handler for irc:// or
+ similar URIs.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All KVIrc users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-irc/kvirc-3.2.6_pre20070714"
+
+ + CVE-2007-2951 + + + p-y + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-03.xml b/xml/htdocs/security/en/glsa/glsa-200709-03.xml new file mode 100644 index 00000000..5fe88724 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200709-03.xml @@ -0,0 +1,67 @@ + + + + + + + Streamripper: Buffer overflow + + A buffer overflow vulnerability has been discovered in Streamripper, + allowing for user-assisted execution of arbitrary code. + + streamripper + September 13, 2007 + September 13, 2007: 01 + 188698 + remote + + + 1.62.2 + 1.62.2 + + + +

+ Streamripper is a tool for extracting and recording mp3 files from a
+ Shoutcast stream.
+

+
+ +

+ Chris Rohlf discovered several boundary errors in the
+ httplib_parse_sc_header() function when processing HTTP headers.
+

+
+ +

+ A remote attacker could entice a user to connect to a malicious
+ streaming server, resulting in the execution of arbitrary code with the
+ privileges of the user running Streamripper.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All Streamripper users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-sound/streamripper-1.62.2"
+
+ + CVE-2007-4337 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-04.xml b/xml/htdocs/security/en/glsa/glsa-200709-04.xml new file mode 100644 index 00000000..50ba1454 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200709-04.xml @@ -0,0 +1,65 @@ + + + + + + + po4a: Insecure temporary file creation + + A vulnerability has been discovered in po4a, allowing for a symlink attack. + + po4a + September 13, 2007 + September 13, 2007: 01 + 189440 + local + + + 0.32-r1 + 0.32-r1 + + + +

+ po4a is a set of tools for helping with the translation of
+ documentation.
+

+
+ +

+ The po4a development team reported a race condition in the gettextize()
+ function when creating the file "/tmp/gettextization.failed.po".
+

+
+ +

+ A local attacker could perform a symlink attack, possibly overwriting
+ files with the permissions of the user running po4a.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All po4a users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/po4a-0.32-r1"
+
+ + CVE-2007-4462 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-05.xml b/xml/htdocs/security/en/glsa/glsa-200709-05.xml new file mode 100644 index 00000000..0d719601 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200709-05.xml @@ -0,0 +1,69 @@ + + + + + + + RealPlayer: Buffer overflow + + RealPlayer is vulnerable to a buffer overflow allowing for execution of + arbitrary code. + + realplayer + September 14, 2007 + September 14, 2007: 01 + 183421 + remote + + + 10.0.9 + 10.0.9 + + + +

+ RealPlayer is a multimedia player capable of handling multiple
+ multimedia file formats.
+

+
+ +

+ A stack-based buffer overflow vulnerability has been reported in the
+ SmilTimeValue::parseWallClockValue() function in smlprstime.cpp when
+ handling HH:mm:ss.f type time formats.
+

+
+ +

+ By enticing a user to open a specially crafted SMIL (Synchronized
+ Multimedia Integration Language) file, an attacker could be able to
+ execute arbitrary code with the privileges of the user running the
+ application.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All RealPlayer users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-video/realplayer-10.0.9"
+
+ + CVE-2007-3410 + + + p-y + + + p-y + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-06.xml b/xml/htdocs/security/en/glsa/glsa-200709-06.xml new file mode 100644 index 00000000..a34702bf --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200709-06.xml @@ -0,0 +1,66 @@ + + + + + + + flac123: Buffer overflow + + flac123 is affected by a buffer overflow vulnerability, which could allow + for the execution of arbitrary code. + + flac123 + September 14, 2007 + September 14, 2007: 01 + 186220 + remote + + + 0.0.11 + 0.0.11 + + + +

+ flac123 is a command-line application for playing FLAC audio files.
+

+
+ +

+ A possible buffer overflow vulnerability has been reported in the
+ local__vcentry_parse_value() function in vorbiscomment.c.
+

+
+ +

+ An attacker could entice a user to play a specially crafted audio file,
+ which could lead to the execution of arbitrary code with the privileges
+ of the user running the application.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All flac123 users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-sound/flac123-0.0.11"
+
+ + CVE-2007-3507 + + + p-y + + + p-y + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-07.xml b/xml/htdocs/security/en/glsa/glsa-200709-07.xml new file mode 100644 index 00000000..301eae1f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200709-07.xml @@ -0,0 +1,66 @@ + + + + + + + Eggdrop: Buffer overflow + + A remote stack-based buffer overflow has been discovered in Eggdrop. + + eggdrop + September 15, 2007 + September 26, 2007: 02 + 179354 + remote + + + 1.6.18-r3 + 1.6.18-r3 + + + +

+ Eggdrop is an IRC bot extensible with C or Tcl.
+

+
+ +

+ Bow Sineath discovered a boundary error in the file
+ mod/server.mod/servrmsg.c when processing overly long private messages
+ sent by an IRC server.
+

+
+ +

+ A remote attacker could entice an Eggdrop user to connect the bot to a
+ malicious server, possibly resulting in the execution of arbitrary code
+ on the host running Eggdrop.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All Eggdrop users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-irc/eggdrop-1.6.18-r3"
+
+ + CVE-2007-2807 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-08.xml b/xml/htdocs/security/en/glsa/glsa-200709-08.xml new file mode 100644 index 00000000..3e5d7b09 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200709-08.xml @@ -0,0 +1,63 @@ + + + + + + + id3lib: Insecure temporary file creation + + A vulnerability has been discovered in id3lib allowing local users to + overwrite arbitrary files via a symlink attack. + + id3lib + September 15, 2007 + September 15, 2007: 01 + 189610 + local + + + 3.8.3-r6 + 3.8.3-r6 + + + +

+ id3lib is an open-source, cross-platform software development library
+ for reading, writing, and manipulating ID3v1 and ID3v2 tags.
+

+
+ +

+ Nikolaus Schulz discovered that the function RenderV2ToFile() in file
+ src/tag_file.cpp creates temporary files in an insecure manner.
+

+
+ +

+ A local attacker could exploit this vulnerability via a symlink attack
+ to overwrite arbitrary files.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All id3lib users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/id3lib-3.8.3-r6"
+
+ + CVE-2007-4460 + + + mfleming + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-09.xml b/xml/htdocs/security/en/glsa/glsa-200709-09.xml new file mode 100644 index 00000000..bc026cb8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200709-09.xml @@ -0,0 +1,63 @@ + + + + + + + GNU Tar: Directory traversal vulnerability + + A directory traversal vulnerability has been discovered in GNU Tar. + + tar + September 15, 2007 + September 15, 2007: 01 + 189682 + remote + + + 1.18-r2 + 1.18-r2 + + + +

+ The GNU Tar program provides the ability to create tar archives, as
+ well as various other kinds of manipulation.
+

+
+ +

+ Dmitry V. Levin discovered a directory traversal vulnerability in the
+ contains_dot_dot() function in file src/names.c.
+

+
+ +

+ By enticing a user to extract a specially crafted tar archive, a remote
+ attacker could extract files to arbitrary locations outside of the
+ specified directory with the permissions of the user running GNU Tar.
+

+
+ +

+ There is no known workaround at this time.
+

+
+ +

+ All GNU Tar users should upgrade to the latest version:
+

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/tar-1.18-r2"
+
+ + CVE-2007-4131 + + + mfleming + + + mfleming + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-10.xml b/xml/htdocs/security/en/glsa/glsa-200709-10.xml new file mode 100644 index 00000000..a9467534 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200709-10.xml @@ -0,0 +1,68 @@ + + + + + + + PhpWiki: Authentication bypass + + A vulnerability has been discovered in PhpWiki authentication mechanism. + + phpwiki + September 18, 2007 + September 18, 2007: 01 + 181692 + remote + + + 1.3.14 + 1.3.14 + + + +

+ PhpWiki is an application that creates a web site where anyone can edit + the pages through HTML forms. +

+
+ +

+ The PhpWiki development team reported an authentication error within + the file lib/WikiUser/LDAP.php when binding to an LDAP server with an + empty password. +

+
+ +

+ A remote attacker could provide an empty password when authenticating. + Depending on the LDAP implementation used, this could bypass the + PhpWiki authentication mechanism and grant the attacker access to the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PhpWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/phpwiki-1.3.14" +
+ + CVE-2007-3193 + + + aetius + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-11.xml b/xml/htdocs/security/en/glsa/glsa-200709-11.xml
new file mode 100644
index 00000000..ddf01472
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200709-11.xml
@@ -0,0 +1,69 @@
+ + + + + + + GDM: Local Denial of Service + + GDM can be crashed by a local user, preventing it from managing future + displays. + + gdm + September 18, 2007 + September 18, 2007: 01 + 187919 + local + + + 2.18.4 + 2.16.7 + 2.18.4 + + + +

+ GDM is the GNOME display manager. +

+
+ +

+ The result of a g_strsplit() call is incorrectly parsed in the files + daemon/gdm.c, daemon/gdmconfig.c, gui/gdmconfig.c and + gui/gdmflexiserver.c, allowing for a null pointer dereference. +

+
+ +

+ A local user could send a crafted message to /tmp/.gdm_socket that + would trigger the null pointer dereference and crash GDM, thus + preventing it from managing future displays. +

+
+ +

+ Restrict the write permissions on /tmp/.gdm_socket to trusted users + only after each GDM restart. +

+
+ +

+ All GDM users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "gnome-base/gdm" +
+ + CVE-2007-3381 + + + jaervosz + + + jaervosz + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-12.xml b/xml/htdocs/security/en/glsa/glsa-200709-12.xml
new file mode 100644
index 00000000..ecba5e21
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200709-12.xml
@@ -0,0 +1,72 @@
+ + + + + + + Poppler: Two buffer overflow vulnerabilities + + Poppler is vulnerable to an integer overflow and a stack overflow. + + poppler + September 19, 2007 + September 19, 2007: 01 + 188863 + remote + + + 0.5.4-r2 + 0.5.4-r2 + + + +

+ Poppler is a cross-platform PDF rendering library originally based on + Xpdf. +

+
+ +

+ Poppler and Xpdf are vulnerable to an integer overflow in the + StreamPredictor::StreamPredictor function, and a stack overflow in the + StreamPredictor::getNextLine function. The original vulnerability was + discovered by Maurycy Prodeus. Note: Gentoo's version of Xpdf is + patched to use the Poppler library, so the update to Poppler will also + fix Xpdf. +

+
+ +

+ By enticing a user to view a specially crafted program with a + Poppler-based PDF viewer such as Gentoo's Xpdf, Epdfview, or Evince, a + remote attacker could cause an overflow, potentially resulting in the + execution of arbitrary code with the privileges of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Poppler users should upgrade to the latest version of Poppler: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/poppler-0.5.4-r2" +
+ + CVE-2007-3387 + + + p-y + + + p-y + + + aetius + +
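Review bot: The impact paragraph of this advisory says a user is enticed to view "a specially crafted program", but the description, title and affected-package list all concern a malformed PDF document processed by Poppler-based viewers; the sentence should read `By enticing a user to view a specially crafted PDF file with a Poppler-based PDF viewer such as Gentoo's Xpdf, Epdfview, or Evince, …`. This is a wording correction only; the rest of the advisory is consistent.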
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-13.xml b/xml/htdocs/security/en/glsa/glsa-200709-13.xml
new file mode 100644
index 00000000..93c764a5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200709-13.xml
@@ -0,0 +1,68 @@
+ + + + + + + rsync: Two buffer overflows + + Two user-assisted buffer overflow vulnerabilities have been discovered in + rsync. + + rsync + September 20, 2007 + September 20, 2007: 01 + 189132 + remote + + + 2.6.9-r3 + 2.6.9-r3 + + + +

+ rsync is a file transfer program to keep remote directories + synchronized. +

+
+ +

+ Sebastian Krahmer from the SUSE Security Team discovered two off-by-one + errors in the function "f_name()" in file sender.c when processing + overly long directory names. +

+
+ +

+ A remote attacker could entice a user to synchronize a repository + containing specially crafted directories, leading to the execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All rsync users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/rsync-2.6.9-r3" +
+ + CVE-2007-4091 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-14.xml b/xml/htdocs/security/en/glsa/glsa-200709-14.xml
new file mode 100644
index 00000000..458ee4b9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200709-14.xml
@@ -0,0 +1,75 @@
+ + + + + + + ClamAV: Multiple vulnerabilities + + Vulnerabilities have been discovered in ClamAV allowing remote execution of + arbitrary code and Denial of Service attacks. + + clamav + September 20, 2007 + September 20, 2007: 01 + 189912 + remote + + + 0.91.2 + 0.91.2 + + + +

+ Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, + designed especially for e-mail scanning on mail gateways. +

+
+ +

+ Nikolaos Rangos discovered a vulnerability in ClamAV which exists + because the recipient address extracted from email messages is not + properly sanitized before being used in a call to "popen()" when + executing sendmail (CVE-2007-4560). Also, NULL-pointer dereference + errors exist within the "cli_scanrtf()" function in libclamav/rtf.c and + Stefanos Stamatis discovered a NULL-pointer dereference vulnerability + within the "cli_html_normalise()" function in libclamav/htmlnorm.c + (CVE-2007-4510). +

+
+ +

+ The unsanitized recipient address can be exploited to execute arbitrary + code with the privileges of the clamav-milter process by sending an + email with a specially crafted recipient address to the affected + system. Also, the NULL-pointer dereference errors can be exploited to + crash ClamAV. Successful exploitation of the latter vulnerability + requires that clamav-milter is started with the "black hole" mode + activated, which is not enabled by default. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.91.2" +
+ + CVE-2007-4510 + CVE-2007-4560 + + + mfleming + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-15.xml b/xml/htdocs/security/en/glsa/glsa-200709-15.xml
new file mode 100644
index 00000000..313eaa5e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200709-15.xml
@@ -0,0 +1,82 @@
+ + + + + + + BEA JRockit: Multiple vulnerabilities + + BEA JRockit contains several vulnerabilities, some of which may allow the + execution of arbitrary code. + + jrockit-jdk-bin + September 23, 2007 + September 23, 2007: 01 + 190686 + remote + + + 1.5.0.11_p1 + 1.5.0.11_p1 + + + +

+ BEA JRockit provides tools, utilities, and a complete runtime + environment for developing and running applications using the Java + programming language. +

+
+ +

+ An integer overflow vulnerability exists in the embedded ICC profile + image parser (CVE-2007-2788), an unspecified vulnerability exists in + the font parsing implementation (CVE-2007-4381), and an error exists + when processing XSLT stylesheets contained in XSLT Transforms in XML + signatures (CVE-2007-3716), among other vulnerabilities. +

+
+ +

+ A remote attacker could trigger the integer overflow to execute + arbitrary code or crash the JVM through a specially crafted file. Also, + an attacker could perform unauthorized actions via an applet that + grants certain privileges to itself because of the font parsing + vulnerability. The error when processing XSLT stylesheets can be + exploited to execute arbitrary code. Other vulnerabilities could lead + to establishing restricted network connections to certain services, + Cross Site Scripting and Denial of Service attacks. +

+
+ +

+ There is no known workaround at this time for all these + vulnerabilities. +

+
+ +

+ All BEA JRockit users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/jrockit-jdk-bin-1.5.0.11_p1" +
+ + CVE-2007-2788 + CVE-2007-2789 + CVE-2007-3004 + CVE-2007-3005 + CVE-2007-3503 + CVE-2007-3698 + CVE-2007-3716 + CVE-2007-3922 + CVE-2007-4381 + + + mfleming + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-16.xml b/xml/htdocs/security/en/glsa/glsa-200709-16.xml
new file mode 100644
index 00000000..39a99ac5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200709-16.xml
@@ -0,0 +1,68 @@
+ + + + + + + Lighttpd: Buffer overflow + + Lighttpd is vulnerable to the remote execution of arbitrary code. + + lighttpd + September 27, 2007 + September 27, 2007: 01 + 191912 + remote + + + 1.4.18 + 1.4.18 + + + +

+ Lighttpd is a lightweight HTTP web server. +

+
+ +

+ Mattias Bengtsson and Philip Olausson have discovered a buffer overflow + vulnerability in the function fcgi_env_add() in the file mod_fastcgi.c + when processing overly long HTTP headers. +

+
+ +

+ A remote attacker could send a specially crafted request to the + vulnerable Lighttpd server, resulting in the remote execution of + arbitrary code with privileges of the user running the web server. Note + that mod_fastcgi is disabled in Gentoo's default configuration. +

+
+ +

+ Edit the file /etc/lighttpd/lighttpd.conf and comment the following + line: "include mod_fastcgi.conf" +

+
+ +

+ All Lighttpd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.18" +
+ + CVE-2007-4727 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-17.xml b/xml/htdocs/security/en/glsa/glsa-200709-17.xml
new file mode 100644
index 00000000..c83b79b5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200709-17.xml
@@ -0,0 +1,74 @@
+ + + + + + + teTeX: Multiple buffer overflows + + Multiple vulnerabilities have been discovered in teTeX, allowing for + user-assisted execution of arbitrary code. + + tetex + September 27, 2007 + September 27, 2007: 01 + 170861 + 182055 + 188172 + remote + + + 3.0_p1-r4 + 3.0_p1-r4 + + + +

+ teTeX is a complete TeX distribution for editing documents. +

+
+ +

+ Mark Richters discovered a buffer overflow in the open_sty() function + in file mkind.c. Other vulnerabilities have also been discovered in the + same file but might not be exploitable (CVE-2007-0650). Tetex also + includes vulnerable code from GD library (GLSA 200708-05), and from + Xpdf (CVE-2007-3387). +

+
+ +

+ A remote attacker could entice a user to process a specially crafted + PNG, GIF or PDF file, or to execute "makeindex" on an overly long + filename. In both cases, this could lead to the remote execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All teTeX users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/tetex-3.0_p1-r4" +
+ + CVE-2007-0650 + CVE-2007-3387 + GLSA-200708-05 + + + jaervosz + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200709-18.xml b/xml/htdocs/security/en/glsa/glsa-200709-18.xml
new file mode 100644
index 00000000..47cae56d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200709-18.xml
@@ -0,0 +1,85 @@
+ + + + + + + Bugzilla: Multiple vulnerabilities + + Bugzilla contains several vulnerabilities, some of them possibly leading to + the remote execution of arbitrary code. + + bugzilla + September 30, 2007 + May 28, 2009: 03 + 190112 + remote + + + 2.20.5 + 2.22.3 + 3.0.1 + 2.22.5 + 2.20.6 + 3.0.1 + + + +

+ Bugzilla is a web application designed to help with managing software + development. +

+
+ +

+ Masahiro Yamada found that from the 2.17.1 version, Bugzilla does not + properly sanitize the content of the "buildid" parameter when filing + bugs (CVE-2007-4543). The next two vulnerabilities only affect Bugzilla + 2.23.3 or later, hence the stable Gentoo Portage tree does not contain + these two vulnerabilities: Loic Minier reported that the + "Email::Send::Sendmail()" function does not properly sanitise "from" + email information before sending it to the "-f" parameter of + /usr/sbin/sendmail (CVE-2007-4538), and Frederic Buclin discovered that + the XML-RPC interface does not correctly check permissions in the + time-tracking fields (CVE-2007-4539). +

+
+ +

+ A remote attacker could trigger the "buildid" vulnerability by sending + a specially crafted form to Bugzilla, leading to a persistent XSS, thus + allowing for theft of credentials. With Bugzilla 2.23.3 or later, an + attacker could also execute arbitrary code with the permissions of the + web server by injecting a specially crafted "from" email address and + gain access to normally restricted time-tracking information through + the XML-RPC service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Bugzilla users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose www-apps/bugzilla +
+ + CVE-2007-4538 + CVE-2007-4539 + CVE-2007-4543 + + + p-y + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-01.xml b/xml/htdocs/security/en/glsa/glsa-200710-01.xml
new file mode 100644
index 00000000..6c346395
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-01.xml
@@ -0,0 +1,69 @@
+ + + + + + + RPCSEC_GSS library: Buffer overflow + + A buffer overflow vulnerability has been discovered in librpcsecgss. + + librcpsecgss + October 04, 2007 + October 04, 2007: 01 + 191479 + remote + + + 0.16 + 0.16 + + + +

+ librpcsecgss is an implementation of RPCSEC_GSS for secure RPC + communications. +

+
+ +

+ A stack based buffer overflow has been discovered in the + svcauth_gss_validate() function in file lib/rpc/svc_auth_gss.c when + processing an overly long string in a RPC message. +

+
+ +

+ A remote attacker could send a specially crafted RPC request to an + application relying on this library, e.g NFSv4 or Kerberos + (GLSA-200709-01), resulting in the execution of arbitrary code with the + privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All librpcsecgss users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/librpcsecgss-0.16" +
+ + CVE-2007-3999 + GLSA-200709-01 + + + jaervosz + + + jaervosz + + + p-y + +
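Review bot: The product field in the header of this advisory reads `librcpsecgss`, while the title, synopsis, description and the emerge atom `net-libs/librpcsecgss-0.16` all spell the package `librpcsecgss`; the product value looks like a transposition and should be `librpcsecgss` so the advisory is matched to the package it actually covers. In the impact paragraph, `e.g NFSv4` is also missing the period in `e.g.`. The CVE and GLSA cross-references themselves agree with the description.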
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-02.xml b/xml/htdocs/security/en/glsa/glsa-200710-02.xml
new file mode 100644
index 00000000..89df8630
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-02.xml
@@ -0,0 +1,154 @@
+ + + + + + + PHP: Multiple vulnerabilities + + PHP contains several vulnerabilities including buffer and integer overflows + which could lead to the remote execution of arbitrary code. + + php + October 07, 2007 + October 07, 2007: 01 + 179158 + 180556 + 191034 + remote + + + 5.2.4_p20070914-r2 + 5.2.4_p20070914-r2 + + + +

+ PHP is a widely-used general-purpose scripting language that is + especially suited for Web development and can be embedded into HTML. +

+
+ +

+ Several vulnerabilities were found in PHP. Mattias Bengtsson and Philip + Olausson reported integer overflows in the gdImageCreate() and + gdImageCreateTrueColor() functions of the GD library which can cause + heap-based buffer overflows (CVE-2007-3996). Gerhard Wagner discovered + an integer overflow in the chunk_split() function that can lead to a + heap-based buffer overflow (CVE-2007-2872). Its incomplete fix caused + incorrect buffer size calculation due to precision loss, also resulting + in a possible heap-based buffer overflow (CVE-2007-4661 and + CVE-2007-4660). A buffer overflow in the sqlite_decode_binary() of the + SQLite extension found by Stefan Esser that was addressed in PHP 5.2.1 + was not fixed correctly (CVE-2007-1887). +

+

+ Stefan Esser discovered an error in the zend_alter_ini_entry() function + handling a memory_limit violation (CVE-2007-4659). Stefan Esser also + discovered a flaw when handling interruptions with userspace error + handlers that can be exploited to read arbitrary heap memory + (CVE-2007-1883). Disclosure of sensitive memory can also be triggered + due to insufficient boundary checks in the strspn() and strcspn() + functions, an issue discovered by Mattias Bengtsson and Philip Olausson + (CVE-2007-4657) +

+

+ Stefan Esser reported incorrect validation in the FILTER_VALIDATE_EMAIL + filter of the Filter extension allowing arbitrary email header + injection (CVE-2007-1900). NOTE: This CVE was referenced, but not fixed + in GLSA 200705-19. +

+

+ Stanislav Malyshev found an error with unknown impact in the + money_format() function when processing "%i" and "%n" tokens + (CVE-2007-4658). zatanzlatan reported a buffer overflow in the + php_openssl_make_REQ() function with unknown impact when providing a + manipulated SSL configuration file (CVE-2007-4662). Possible memory + corruption when trying to read EXIF data in exif_read_data() and + exif_thumbnail() occurred with unknown impact. +

+

+ Several vulnerabilities that allow bypassing of open_basedir and other + restrictions were reported, including the glob() function + (CVE-2007-4663), the session_save_path(), ini_set(), and error_log() + functions which can allow local command execution (CVE-2007-3378), + involving the readfile() function (CVE-2007-3007), via the Session + extension (CVE-2007-4652), via the MySQL extension (CVE-2007-3997) and + in the dl() function which allows loading extensions outside of the + specified directory (CVE-2007-4825). +

+

+ Multiple Denial of Service vulnerabilities were discovered, including a + long "library" parameter in the dl() function (CVE-2007-4887), in + several iconv and xmlrpc functions (CVE-2007-4840 and CVE-2007-4783), + in the setlocale() function (CVE-2007-4784), in the glob() and + fnmatch() function (CVE-2007-4782 and CVE-2007-3806), a floating point + exception in the wordwrap() function (CVE-2007-3998), a stack + exhaustion via deeply nested arrays (CVE-2007-4670), an infinite loop + caused by a specially crafted PNG image in the png_read_info() function + of libpng (CVE-2007-2756) and several issues related to array + conversion. +

+
+ +

+ Remote attackers might be able to exploit these issues in PHP + applications making use of the affected functions, potentially + resulting in the execution of arbitrary code, Denial of Service, + execution of scripted contents in the context of the affected site, + security bypass or information leak. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.4_p20070914-r2" +
+ + CVE-2007-1883 + CVE-2007-1887 + CVE-2007-1900 + CVE-2007-2756 + CVE-2007-2872 + CVE-2007-3007 + CVE-2007-3378 + CVE-2007-3806 + CVE-2007-3996 + CVE-2007-3997 + CVE-2007-3998 + CVE-2007-4652 + CVE-2007-4657 + CVE-2007-4658 + CVE-2007-4659 + CVE-2007-4660 + CVE-2007-4661 + CVE-2007-4662 + CVE-2007-4663 + CVE-2007-4670 + CVE-2007-4727 + CVE-2007-4782 + CVE-2007-4783 + CVE-2007-4784 + CVE-2007-4825 + CVE-2007-4840 + CVE-2007-4887 + GLSA 200705-19 + + + jaervosz + + + jaervosz + + + rbu + +
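Review bot: The reference list of this advisory includes CVE-2007-4727, which is not mentioned anywhere in the description, and GLSA 200709-16 earlier in this commit attributes that identifier to the Lighttpd mod_fastcgi overflow; it is worth confirming whether the reference is intentional or was carried over in error. The second description paragraph also ends without a closing period after `(CVE-2007-4657)`. Finally, the reference `GLSA 200705-19` uses a space while other advisories in this commit use the hyphenated form `GLSA-200708-05`; one consistent identifier form makes the cross-references easier to resolve mechanically.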
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-03.xml b/xml/htdocs/security/en/glsa/glsa-200710-03.xml
new file mode 100644
index 00000000..f0365179
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-03.xml
@@ -0,0 +1,77 @@
+ + + + + + + libvorbis: Multiple vulnerabilities + + A buffer overflow vulnerability and several memory corruptions have been + discovered in libvorbis. + + libvorbis + October 07, 2007 + October 07, 2007: 01 + 186716 + remote + + + 1.2.0 + 1.2.0 + + + +

+ libvorbis is the reference implementation of the Xiph.org Ogg Vorbis + audio file format. It is used by many applications for playback of Ogg + Vorbis files. +

+
+ +

+ David Thiel of iSEC Partners discovered a heap-based buffer overflow in + the _01inverse() function in res0.c and a boundary checking error in + the vorbis_info_clear() function in info.c (CVE-2007-3106 and + CVE-2007-4029). libvorbis is also prone to several Denial of Service + vulnerabilities in form of infinite loops and invalid memory access + with unknown impact (CVE-2007-4065 and CVE-2007-4066). +

+
+ +

+ A remote attacker could exploit these vulnerabilities by enticing a + user to open a specially crafted Ogg Vorbis file or network stream with + an application using libvorbis. This might lead to the execution of + arbitrary code with privileges of the user playing the file or a Denial + of Service by a crash or CPU consumption. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libvorbis users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libvorbis-1.2.0" +
+ + CVE-2007-3106 + CVE-2007-4029 + CVE-2007-4065 + CVE-2007-4066 + + + aetius + + + p-y + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-04.xml b/xml/htdocs/security/en/glsa/glsa-200710-04.xml
new file mode 100644
index 00000000..40cfe310
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-04.xml
@@ -0,0 +1,69 @@
+ + + + + + + libsndfile: Buffer overflow + + A buffer overflow vulnerability has been discovered in libsndfile. + + libsndfile + October 07, 2007 + October 07, 2007: 01 + 192834 + remote + + + 1.0.17-r1 + 1.0.17-r1 + + + +

+ libsndfile is a library for reading and writing various formats of + audio files including WAV and FLAC. +

+
+ +

+ Robert Buchholz of the Gentoo Security team discovered that the + flac_buffer_copy() function does not correctly handle FLAC streams with + variable block sizes which leads to a heap-based buffer overflow + (CVE-2007-4974). +

+
+ +

+ A remote attacker could exploit this vulnerability by enticing a user + to open a specially crafted FLAC file or network stream with an + application using libsndfile. This might lead to the execution of + arbitrary code with privileges of the user playing the file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libsndfile users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libsndfile-1.0.17-r1" +
+ + CVE-2007-4974 + + + p-y + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-05.xml b/xml/htdocs/security/en/glsa/glsa-200710-05.xml
new file mode 100644
index 00000000..0bc2898f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-05.xml
@@ -0,0 +1,68 @@
+ + + + + + + QGit: Insecure temporary file creation + + A vulnerability has been discovered in QGit allowing local users to + overwrite arbitrary files and execute arbitrary code with another user's + rights. + + qgit + October 07, 2007 + October 07, 2007: 01 + 190697 + local + + + 1.5.7 + 1.5.7 + + + +

+ QGit is a graphical interface to git repositories that allows you to + browse revisions history, view patch content and changed files. +

+
+ +

+ Raphael Marichez discovered that the DataLoader::doStart() method + creates temporary files in an insecure manner and executes them. +

+
+ +

+ A local attacker could perform a symlink attack, possibly overwriting + files or executing arbitrary code with the rights of the user running + QGit. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All QGit users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/qgit-1.5.7" +
+ + CVE-2007-4631 + + + p-y + + + p-y + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-06.xml b/xml/htdocs/security/en/glsa/glsa-200710-06.xml
new file mode 100644
index 00000000..29712a88
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-06.xml
@@ -0,0 +1,74 @@
+ + + + + + + OpenSSL: Multiple vulnerabilities + + A buffer underflow vulnerability and an information disclosure + vulnerability have been discovered in OpenSSL. + + openssl + October 07, 2007 + October 07, 2007: 01 + 188799 + 194039 + local, remote + + + 0.9.8e-r3 + 0.9.8e-r3 + + + +

+ OpenSSL is an implementation of the Secure Socket Layer and Transport + Layer Security protocols. +

+
+ +

+ Moritz Jodeit reported an off-by-one error in the + SSL_get_shared_ciphers() function, resulting from an incomplete fix of + CVE-2006-3738. A flaw has also been reported in the + BN_from_montgomery() function in crypto/bn/bn_mont.c when performing + Montgomery multiplication. +

+
+ +

+ A remote attacker sending a specially crafted packet to an application + relying on OpenSSL could possibly execute arbitrary code with the + privileges of the user running the application. A local attacker could + perform a side channel attack to retrieve the RSA private keys. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSSL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8e-r3" +
+ + CVE-2006-3738 + CVE-2007-3108 + CVE-2007-5135 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-07.xml b/xml/htdocs/security/en/glsa/glsa-200710-07.xml
new file mode 100644
index 00000000..fb72ee82
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-07.xml
@@ -0,0 +1,66 @@
+ + + + + + + Tk: Buffer overflow + + A buffer overflow vulnerability has been discovered in Tk. + + tk + October 07, 2007 + October 07, 2007: 01 + 192539 + remote + + + 8.4.15-r1 + 8.4.15-r1 + + + +

+ Tk is a toolkit for creating graphical user interfaces. +

+
+ +

+ Reinhard Max discovered a boundary error in Tk when processing an + interlaced GIF with two frames where the second is smaller than the + first one. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted GIF + image with a Tk-based software, possibly resulting in the execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Tk users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/tk-8.4.15-r1" +
+ + CVE-2007-4851 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-08.xml b/xml/htdocs/security/en/glsa/glsa-200710-08.xml
new file mode 100644
index 00000000..439245b0
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-08.xml
@@ -0,0 +1,100 @@
+ + + + + + + KOffice, KWord, KPDF, KDE Graphics Libraries: Stack-based buffer overflow + + KPDF includes code from xpdf that is vulnerable to a stack-based buffer + overflow. + + koffice, kword, kdegraphics, kpdf + October 09, 2007 + October 09, 2007: 01 + 187139 + remote + + + 1.6.3-r1 + 1.6.3-r1 + + + 1.6.3-r1 + 1.6.3-r1 + + + 3.5.7-r1 + 3.5.7-r1 + + + 3.5.7-r1 + 3.5.7-r1 + + + +

+ KOffice is an integrated office suite for KDE. KWord is the KOffice + word processor. KPDF is a KDE-based PDF viewer included in the + kdegraphics package. +

+
+ +

+ KPDF includes code from xpdf that is vulnerable to an integer overflow + in the StreamPredictor::StreamPredictor() function. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted PDF + file in KWord or KPDF that would exploit the integer overflow to cause + a stack-based buffer overflow in the StreamPredictor::getNextLine() + function, possibly resulting in the execution of arbitrary code with + the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All KOffice users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/koffice-1.6.3-r1" +

+ All KWord users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/kword-1.6.3-r1" +

+ All KDE Graphics Libraries users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.5.7-r1" +

+ All KPDF users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kpdf-3.5.7-r1" +
+ + CVE-2007-3387 + + + p-y + + + p-y + + + aetius + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-09.xml b/xml/htdocs/security/en/glsa/glsa-200710-09.xml
new file mode 100644
index 00000000..572f8d64
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-09.xml
@@ -0,0 +1,82 @@
+ + + + + + + NX 2.1: User-assisted execution of arbitrary code + + NX in the 2.1 series uses XFree86 4.3 code which is prone to an integer + overflow vulnerability. + + nx, nxnode + October 09, 2007 + October 09, 2007: 01 + 192712 + remote + + + 3.0.0 + 3.0.0 + + + 3.0.0-r3 + 3.0.0-r3 + + + +

+ NoMachine's NX establishes remote connections to X11 desktops over + small bandwidth links. NX and NX Node are the compression core + libraries, whereas NX is used by FreeNX and NX Node by the binary-only + NX servers. +

+
+ +

+ Chris Evans reported an integer overflow within the FreeType PCF font + file parser (CVE-2006-1861). NX and NX Node are vulnerable to this due + to shipping XFree86 4.3.0, which includes the vulnerable FreeType code. +

+
+ +

+ A remote attacker could exploit these integer overflows by enticing a + user to load a specially crafted PCF font file which might lead to the + execution of arbitrary code with the privileges of the user on the + machine running the NX server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All NX users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/nx-3.0.0" +

+ All NX Node users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/nxnode-3.0.0-r3" +
+ + CVE-2006-1861 + GLSA 200607-02 + + + p-y + + + p-y + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-10.xml b/xml/htdocs/security/en/glsa/glsa-200710-10.xml
new file mode 100644
index 00000000..baaa4206
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-10.xml
@@ -0,0 +1,67 @@
+ + + + + + + SKK Tools: Insecure temporary file creation + + SKK insecurely creates temporary files. + + skktools + October 12, 2007 + October 12, 2007: 01 + 193121 + local + + + 1.2-r1 + 1.2-r1 + + + +

+ SKK is a Japanese input method for Emacs. +

+
+ +

+ skkdic-expr.c insecurely writes temporary files to a location in the + form $TMPDIR/skkdic$PID.{pag,dir,db}, where $PID is the process ID. +

+
+ +

+ A local attacker could create symbolic links in the directory where the + temporary files are written, pointing to a valid file somewhere on the + filesystem that is writable by the user running the SKK software. When + SKK writes the temporary file, the target valid file would then be + overwritten with the contents of the SKK temporary file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SKK Tools users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-i18n/skktools-1.2-r1" +
+ + CVE-2007-3916 + + + p-y + + + p-y + + + aetius + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-11.xml b/xml/htdocs/security/en/glsa/glsa-200710-11.xml
new file mode 100644
index 00000000..05d5cea7
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-11.xml
@@ -0,0 +1,79 @@
+ + + + + + + X Font Server: Multiple Vulnerabilities + + Three vulnerabilities have been discovered in the X Font Server possibly + allowing local attackers to gain elevated privileges. + + xfs + October 12, 2007 + October 12, 2007: 01 + 185660 + 194606 + local + + + 1.0.5 + 1.0.5 + + + +

+ The X.Org X11 X Font Server provides a standard mechanism for an X + server to communicate with a font renderer. +

+
+ +

+ iDefense reported that the xfs init script does not correctly handle a + race condition when setting permissions of a temporary file + (CVE-2007-3103). Sean Larsson discovered an integer overflow + vulnerability in the build_range() function possibly leading to a + heap-based buffer overflow when handling "QueryXBitmaps" and + "QueryXExtents" protocol requests (CVE-2007-4568). Sean Larsson also + discovered an error in the swap_char2b() function possibly leading to a + heap corruption when handling the same protocol requests + (CVE-2007-4990). +

+
+ +

+ The first issue would allow a local attacker to change permissions of + arbitrary files to be world-writable by performing a symlink attack. + The second and third issues would allow a local attacker to execute + arbitrary code with privileges of the user running the X Font Server, + usually xfs. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All X Font Server users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-apps/xfs-1.0.5" +
+ + CVE-2007-3103 + CVE-2007-4568 + CVE-2007-4990 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-12.xml b/xml/htdocs/security/en/glsa/glsa-200710-12.xml
new file mode 100644
index 00000000..54532bd4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-12.xml
@@ -0,0 +1,68 @@
+ + + + + + + T1Lib: Buffer overflow + + T1Lib is vulnerable to a buffer overflow allowing for the user-assisted + execution of arbitrary code. + + t1lib + October 12, 2007 + October 12, 2007: 01 + 193437 + remote + + + 5.0.2-r1 + 5.0.2-r1 + + + +

+ T1Lib is a library for rasterizing bitmaps from Adobe Type 1 fonts. +

+
+ +

+ Hamid Ebadi discovered a boundary error in the + intT1_EnvGetCompletePath() function which can lead to a buffer overflow + when processing an overly long filename. +

+
+ +

+ A remote attacker could entice a user to open a font file with a + specially crafted filename, possibly leading to the execution of + arbitrary code with the privileges of the user running the application + using T1Lib. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All T1Lib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/t1lib-5.0.2-r1" +
+ + CVE-2007-4033 + + + p-y + + + p-y + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-13.xml b/xml/htdocs/security/en/glsa/glsa-200710-13.xml
new file mode 100644
index 00000000..242999a6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-13.xml
@@ -0,0 +1,70 @@
+ + + + + + + Ampache: Multiple vulnerabilities + + An SQL injection vulnerability and a possible identity theft have been + discovered in Ampache. + + ampache + October 13, 2007 + October 13, 2007: 01 + 189607 + remote + + + 3.3.3.5 + 3.3.3.5 + + + +

+ Ampache is a PHP-based tool for managing, updating and playing audio + files via a web interface. +

+
+ +

+ LT discovered that the "match" parameter in albums.php is not properly + sanitized before being processed. The Ampache development team also + reported an error when handling user sessions. +

+
+ +

+ A remote attacker could provide malicious input to the application, + possibly resulting in the execution of arbitrary SQL code. He could + also entice a user to open a specially crafted link to steal the user's + session. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ampache users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/ampache-3.3.3.5" +
+ + CVE-2007-4437 + CVE-2007-4438 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-14.xml b/xml/htdocs/security/en/glsa/glsa-200710-14.xml
new file mode 100644
index 00000000..c9b1008c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-14.xml
@@ -0,0 +1,70 @@
+ + + + + + + DenyHosts: Denial of Service + + DenyHosts does not correctly parse log entries, potentially causing a + remote Denial of Service. + + denyhosts + October 13, 2007 + October 13, 2007: 01 + 181213 + remote + + + 2.6-r1 + 2.6-r1 + + + +

+ DenyHosts is designed to monitor SSH servers for repeated failed login + attempts. +

+
+ +

+ Daniel B. Cid discovered that DenyHosts used an incomplete regular + expression to parse failed login attempts, a different issue than GLSA + 200701-01. +

+
+ +

+ A remote unauthenticated attacker can add arbitrary hosts into the + blacklist, including the "all" keyword, by submitting specially crafted + version identification strings to the SSH server banner. An attacker + may use this to prevent legitimate users from accessing a host + remotely. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All DenyHosts users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/denyhosts-2.6-r1" +
+ + CVE-2007-4323 + + + p-y + + + p-y + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-15.xml b/xml/htdocs/security/en/glsa/glsa-200710-15.xml
new file mode 100644
index 00000000..80b10d28
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-15.xml
@@ -0,0 +1,78 @@
+ + + + + + + KDM: Local privilege escalation + + KDM allows logins without password under certain circumstances allowing a + local user to gain elevated privileges. + + KDM + October 14, 2007 + October 14, 2007: 01 + 192373 + local + + + 3.5.7-r2 + 3.5.7-r2 + + + 3.5.7-r4 + 3.5.7-r4 + + + +

+ KDM is the Display Manager for the graphical desktop environment KDE. + It is part of the kdebase package. +

+
+ +

+ Kees Huijgen discovered an error when checking the credentials which + can lead to a login without specifying a password. This only occurs + when auto login is configured for at least one user and a password is + required to shut down the machine. +

+
+ +

+ A local attacker could gain root privileges and execute arbitrary + commands by logging in as root without specifying root's password. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All KDM users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdm-3.5.7-r2" +

+ All kdebase users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdebase-3.5.7-r4" +
+ + CVE-2007-4569 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-16.xml b/xml/htdocs/security/en/glsa/glsa-200710-16.xml
new file mode 100644
index 00000000..0b128228
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-16.xml
@@ -0,0 +1,71 @@
+ + + + + + + X.Org X server: Composite local privilege escalation + + A vulnerability has been discovered in the Composite extension of the X.Org + X server, allowing for a local privilege escalation. + + X.Org + October 14, 2007 + October 14, 2007: 01 + 191964 + local + + + 1.3.0.0-r1 + 1.3.0.0-r1 + + + +

+ The X Window System is a graphical windowing system based on a + client/server model. +

+
+ +

+ Aaron Plattner discovered a buffer overflow in the compNewPixmap() + function when copying data from a large pixel depth pixmap into a + smaller pixel depth pixmap. +

+
+ +

+ A local attacker could execute arbitrary code with the privileges of + the user running the X server, typically root. +

+
+ +

+ Disable the Composite extension by setting ' Option "Composite" + "disable" ' in the Extensions section of xorg.conf. +

+

+ Note: This could affect the functionality of some applications. +

+
+ +

+ All X.Org X server users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.3.0.0-r1" +
+ + CVE-2007-4730 + + + p-y + + + p-y + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-17.xml b/xml/htdocs/security/en/glsa/glsa-200710-17.xml
new file mode 100644
index 00000000..ffad8eb9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-17.xml
@@ -0,0 +1,67 @@
+ + + + + + + Balsa: Buffer overflow + + Balsa is vulnerable to a buffer overflow allowing for the user-assisted + execution of arbitrary code. + + balsa + October 16, 2007 + October 16, 2007: 01 + 193179 + remote + + + 2.3.20 + 2.3.20 + + + +

+ Balsa is a highly configurable email client for GNOME. +

+
+ +

+ Evil Ninja Squirrel discovered a stack-based buffer overflow in the + ir_fetch_seq() function when receiving a long response to a FETCH + command (CVE-2007-5007). +

+
+ +

+ A remote attacker could entice a user to connect to a malicious or + compromised IMAP server, possibly leading to the execution of arbitrary + code with the rights of the user running Balsa. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Balsa users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/balsa-2.3.20" +
+ + CVE-2007-5007 + + + p-y + + + p-y + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-18.xml b/xml/htdocs/security/en/glsa/glsa-200710-18.xml
new file mode 100644
index 00000000..9c381527
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-18.xml
@@ -0,0 +1,69 @@
+ + + + + + + util-linux: Local privilege escalation + + The mount and umount programs might allow local attackers to gain root + privileges. + + util-linux + October 18, 2007 + October 18, 2007: 01 + 195390 + local + + + 2.12r-r8 + 2.12r-r8 + + + +

+ util-linux is a suite of Linux programs including mount and umount, + programs used to mount and unmount filesystems. +

+
+ +

+ Ludwig Nussel discovered that the check_special_mountprog() and + check_special_umountprog() functions call setuid() and setgid() in the + wrong order and do not check the return values, which can lead to + privileges being dropped improperly. +

+
+ +

+ A local attacker may be able to exploit this vulnerability by using + mount helpers such as the mount.nfs program to gain root privileges and + run arbitrary commands. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All util-linux users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/util-linux-2.12r-r8" +
+ + CVE-2007-5191 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-19.xml b/xml/htdocs/security/en/glsa/glsa-200710-19.xml
new file mode 100644
index 00000000..c2ab1f70
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-19.xml
@@ -0,0 +1,75 @@
+ + + + + + + The Sleuth Kit: Integer underflow + + An integer underflow vulnerability has been reported in The Sleuth Kit + allowing for the user-assisted execution of arbitrary code. + + sleuthkit + October 18, 2007 + October 18, 2007: 01 + 181977 + remote + + + 2.0.9 + 2.0.9 + + + +

+ The Sleuth Kit is a collection of file system and media management + forensic analysis tools. +

+
+ +

+ Jean-Sebastien Guay-Leroux reported an integer underflow in the + file_printf() function of the "file" utility which is bundled with The + Sleuth Kit (CVE-2007-1536, GLSA 200703-26). Note that Gentoo is not + affected by the improper fix for this vulnerability (identified as + CVE-2007-2799, see GLSA 200705-25) since version 4.20 of "file" was + never shipped with The Sleuth Kit ebuilds. +

+
+ +

+ A remote attacker could entice a user to run The Sleuth Kit on a file + system containing a specially crafted file that would trigger a + heap-based buffer overflow possibly leading to the execution of + arbitrary code with the rights of the user running The Sleuth Kit. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All The Sleuth Kit users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-forensics/sleuthkit-2.0.9" +
+ + CVE-2007-1536 + CVE-2007-2799 + GLSA 200703-26 + GLSA 200705-25 + + + p-y + + + p-y + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-20.xml b/xml/htdocs/security/en/glsa/glsa-200710-20.xml
new file mode 100644
index 00000000..8788be87
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-20.xml
@@ -0,0 +1,80 @@
+ + + + + + + PDFKit, ImageKits: Buffer overflow + + PDFKit and ImageKits are vulnerable to an integer overflow and a stack + overflow allowing for the user-assisted execution of arbitrary code. + + pdfkit imagekits + October 18, 2007 + October 18, 2007: 01 + 188185 + remote + + + 0.9_pre062906 + + + 0.6 + + + +

+ PDFKit is a framework for rendering of PDF content in GNUstep + applications. ImageKits is a collection of frameworks to support + imaging in GNUstep applications. +

+
+ +

+ Maurycy Prodeus discovered an integer overflow vulnerability possibly + leading to a stack-based buffer overflow in the XPDF code which PDFKit + is based on. ImageKits also contains a copy of PDFKit. +

+
+ +

+ By enticing a user to view a specially crafted PDF file with a viewer + based on ImageKits or PDFKit such as Gentoo's ViewPDF, a remote + attacker could cause an overflow, potentially resulting in the + execution of arbitrary code with the privileges of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ PDFKit and ImageKits are not maintained upstream, so the packages were + masked in Portage. We recommend that users unmerge PDFKit and + ImageKits: +

+ + # emerge --unmerge gnustep-libs/pdfkit + # emerge --unmerge gnustep-libs/imagekits +

+ As an alternative, users should upgrade their systems to use PopplerKit + instead of PDFKit and Vindaloo instead of ViewPDF. +

+
+ + CVE-2007-3387 + GLSA 200709-12 + + + falco + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-21.xml b/xml/htdocs/security/en/glsa/glsa-200710-21.xml
new file mode 100644
index 00000000..ce4b1be3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-21.xml
@@ -0,0 +1,67 @@
+ + + + + + + TikiWiki: Arbitrary command execution + + Tikiwiki contains a command injection vulnerability which may allow remote + execution of arbitrary code. + + tikiwiki + October 20, 2007 + October 20, 2007: 01 + 195503 + remote + + + 1.9.8.1 + 1.9.8.1 + + + +

+ TikiWiki is an open source content management system written in PHP. +

+
+ +

+ ShAnKaR reported that input passed to the "f" array parameter in + tiki-graph_formula.php is not properly verified before being used to + execute PHP functions. +

+
+ +

+ An attacker could execute arbitrary code with the rights of the user + running the web server by passing a specially crafted parameter string + to the tiki-graph_formula.php file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TikiWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.9.8.1" +
+ + CVE-2007-5423 + + + p-y + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-22.xml b/xml/htdocs/security/en/glsa/glsa-200710-22.xml
new file mode 100644
index 00000000..257b1c04
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-22.xml
@@ -0,0 +1,69 @@
+ + + + + + + TRAMP: Insecure temporary file creation + + The TRAMP package for GNU Emacs insecurely creates temporary files. + + tramp + October 20, 2007 + December 30, 2007: 02 + 194713 + local + + + 2.1.10-r2 + 2.1 + 2.1.10-r2 + + + +

+ TRAMP is a remote file editing package for GNU Emacs, a highly + extensible and customizable text editor. +

+
+ +

+ Stefan Monnier discovered that the tramp-make-tramp-temp-file() + function creates temporary files in an insecure manner. +

+
+ +

+ A local attacker could create symbolic links in the directory where the + temporary files are written, pointing to a valid file somewhere on the + filesystem that is writable by the user running TRAMP. When TRAMP + writes the temporary file, the target valid file would then be + overwritten with the contents of the TRAMP temporary file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TRAMP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emacs/tramp-2.1.10-r2" +
+ + CVE-2007-5377 + + + p-y + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-23.xml b/xml/htdocs/security/en/glsa/glsa-200710-23.xml
new file mode 100644
index 00000000..ae009159
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-23.xml
@@ -0,0 +1,68 @@
+ + + + + + + Star: Directory traversal vulnerability + + A directory traversal vulnerability has been discovered in Star. + + star + October 22, 2007 + October 22, 2007: 01 + 189690 + remote + + + 1.5_alpha84 + 1.5_alpha84 + + + +

+ The Star program provides the ability to create and extract tar + archives. +

+
+ +

+ Robert Buchholz of the Gentoo Security team discovered a directory + traversal vulnerability in the has_dotdot() function which does not + identify //.. (slash slash dot dot) sequences in file names inside tar + files. +

+
+ +

+ By enticing a user to extract a specially crafted tar archive, a remote + attacker could extract files to arbitrary locations outside of the + specified directory with the permissions of the user running Star. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Star users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/star-1.5_alpha84" +
+ + CVE-2007-4134 + + + aetius + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-24.xml b/xml/htdocs/security/en/glsa/glsa-200710-24.xml
new file mode 100644
index 00000000..ea05af3a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-24.xml
@@ -0,0 +1,79 @@
+ + + + + + + OpenOffice.org: Heap-based buffer overflow + + A heap-based buffer overflow vulnerability has been discovered in + OpenOffice.org, allowing for the remote execution of arbitrary code. + + openoffice + October 23, 2007 + October 23, 2007: 01 + 192818 + remote + + + 2.3.0 + 2.3.0 + + + 2.3.0 + 2.3.0 + + + +

+ OpenOffice.org is an open source office productivity suite, including + word processing, spreadsheet, presentation, drawing, data charting, + formula editing, and file conversion facilities. +

+
+ +

+ iDefense Labs reported that the TIFF parsing code uses untrusted values + to calculate buffer sizes, which can lead to an integer overflow + resulting in heap-based buffer overflow. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + document, possibly leading to execution of arbitrary code with the + privileges of the user running OpenOffice.org. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenOffice.org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-2.3.0" +

+ All OpenOffice.org binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.3.0" +
+ + CVE-2007-2834 + + + p-y + + + p-y + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-25.xml b/xml/htdocs/security/en/glsa/glsa-200710-25.xml
new file mode 100644
index 00000000..c27f6b87
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-25.xml
@@ -0,0 +1,75 @@
+ + + + + + + MLDonkey: Privilege escalation + + The Gentoo MLDonkey ebuild adds a user to the system with a valid login + shell and no password. + + mldonkey + October 24, 2007 + November 07, 2007: 02 + 189412 + remote + + + 2.9.0-r3 + 2.9.0-r3 + + + +

+ MLDonkey is a peer-to-peer filesharing client that connects to several + different peer-to-peer networks, including Overnet and BitTorrent. +

+
+ +

+ The Gentoo MLDonkey ebuild adds a user to the system named "p2p" so + that the MLDonkey service can run under a user with low privileges. + With older Portage versions this user is created with a valid login + shell and no password. +

+
+ +

+ A remote attacker could log into a vulnerable system as the p2p user. + This would require an installed login service that permitted empty + passwords, such as SSH configured with the "PermitEmptyPasswords yes" + option, a local login console, or a telnet server. +

+
+ +

+ See Resolution. +

+
+ +

+ Change the p2p user's shell to disallow login. For example, as root run + the following command: +

+ + # usermod -s /bin/false p2p +

+ NOTE: updating to the current MLDonkey ebuild will not remove this + vulnerability, it must be fixed manually. The updated ebuild is to + prevent this problem from occurring in the future. +

+
+ + CVE-2007-5714 + + + jaervosz + + + aetius + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-26.xml b/xml/htdocs/security/en/glsa/glsa-200710-26.xml
new file mode 100644
index 00000000..8176b46b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-26.xml
@@ -0,0 +1,71 @@
+ + + + + + + HPLIP: Privilege escalation + + The hpssd daemon might allow local attackers to execute arbitrary commands + with root privileges. + + hplip + October 24, 2007 + October 24, 2007: 01 + 195565 + local + + + 1.7.4a-r2 + 2.7.9-r1 + 2.7.9-r1 + + + +

+ The Hewlett-Packard Linux Imaging and Printing system (HPLIP) provides + drivers for HP's inkjet and laser printers, scanners and fax machines. + It integrates with the Common UNIX Printing System (CUPS) and Scanner + Access Now Easy (SANE). +

+
+ +

+ Kees Cook from the Ubuntu Security team discovered that the hpssd + daemon does not correctly validate user supplied data before passing it + to a "popen3()" call. +

+
+ +

+ A local attacker may be able to exploit this vulnerability by sending a + specially crafted request to the hpssd daemon to execute arbitrary + commands with the privileges of the user running hpssd, usually root. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All HPLIP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "net-print/hplip" +
+ + CVE-2007-5208 + + + rbu + + + rbu + + + rbu + +
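Review bot: The resolution command for HPLIP on the line before the references, `# emerge --ask --oneshot --verbose "net-print/hplip"`, carries no version bound, while every other advisory in this batch pins the fixed version and this advisory's own header lists two unaffected versions (1.7.4a-r2 and 2.7.9-r1). Without a bound the command does not by itself tell a reader whether an installed 1.7.x package is already fixed. If the omission is deliberate because two branches are fixed, the resolution paragraph should say so, e.g. `All HPLIP users should upgrade to the latest version of their branch (1.7.4a-r2 or 2.7.9-r1):`; otherwise the atom should read `">=net-print/hplip-2.7.9-r1"` like the sibling advisories.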
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-27.xml b/xml/htdocs/security/en/glsa/glsa-200710-27.xml
new file mode 100644
index 00000000..00198b2d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-27.xml
@@ -0,0 +1,74 @@
+ + + + + + + ImageMagick: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in ImageMagick, possibly + resulting in arbitrary code execution or a Denial of Service. + + imagemagick + October 24, 2007 + October 24, 2007: 01 + 186030 + remote + + + 6.3.5.10 + 6.3.5.10 + + + +

+ ImageMagick is a collection of tools and libraries for manipulating + various image formats. +

+
+ +

+ regenrecht reported multiple infinite loops in functions ReadDCMImage() + and ReadXCFImage() (CVE-2007-4985), multiple integer overflows when + handling certain types of images (CVE-2007-4986, CVE-2007-4988), and an + off-by-one error in the ReadBlobString() function (CVE-2007-4987). +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + image, possibly resulting in the remote execution of arbitrary code + with the privileges of the user running the application, or an + excessive CPU consumption. Note that applications relying on + ImageMagick to process images can also trigger the vulnerability. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ImageMagick users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.3.5.10" +
+ + CVE-2007-4985 + CVE-2007-4986 + CVE-2007-4987 + CVE-2007-4988 + + + rbu + + + p-y + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-28.xml b/xml/htdocs/security/en/glsa/glsa-200710-28.xml
new file mode 100644
index 00000000..0177a39f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-28.xml
@@ -0,0 +1,68 @@
+ + + + + + + Qt: Buffer overflow + + An off-by-one vulnerability has been discovered in Qt, possibly resulting + in the execution of arbitrary code. + + qt + October 25, 2007 + October 25, 2007: 01 + 192472 + remote + + + 3.3.8-r4 + 3.3.8-r4 + + + +

+ Qt is a cross-platform GUI framework, which is used e.g. by KDE. +

+
+ +

+ Dirk Mueller from the KDE development team discovered a boundary error + in file qutfcodec.cpp when processing Unicode strings. +

+
+ +

+ A remote attacker could send a specially crafted Unicode string to a + vulnerable Qt application, possibly resulting in the remote execution + of arbitrary code with the privileges of the user running the + application. Note that the boundary error is present but reported to be + not exploitable in 4.x series. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Qt 3.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/qt-3.3.8-r4" +
+ + CVE-2007-4137 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-29.xml b/xml/htdocs/security/en/glsa/glsa-200710-29.xml
new file mode 100644
index 00000000..7be5d5a8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-29.xml
@@ -0,0 +1,77 @@
+ + + + + + + Sylpheed, Claws Mail: User-assisted remote execution of arbitrary code + + A format string error has been discovered in Sylpheed and Claws Mail, + potentially leading to the remote execution of arbitrary code. + + sylpheed claws-mail + October 25, 2007 + October 25, 2007: 01 + 190104 + remote + + + 2.4.5 + 2.4.5 + + + 3.0.0 + 3.0.0 + + + +

+ Sylpheed and Claws Mail are two GTK based e-mail clients. +

+
+ +

+ Ulf Harnhammar from Secunia Research discovered a format string error + in the inc_put_error() function in file src/inc.c. +

+
+ +

+ A remote attacker could entice a user to connect to a malicious POP + server sending specially crafted replies, possibly resulting in the + execution of arbitrary code with the privileges of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Sylpheed users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/sylpheed-2.4.5" +

+ All Claws Mail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/claws-mail-3.0.0" +
+ + CVE-2007-2958 + + + rbu + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-30.xml b/xml/htdocs/security/en/glsa/glsa-200710-30.xml
new file mode 100644
index 00000000..88b49f8b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-30.xml
@@ -0,0 +1,69 @@
+ + + + + + + OpenSSL: Remote execution of arbitrary code + + OpenSSL contains a vulnerability allowing execution of arbitrary code or a + Denial of Service. + + openssl + October 27, 2007 + October 30, 2007: 03 + 195634 + remote + + + 0.9.8f + 0.9.8f + + + +

+ OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer + (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general + purpose cryptography library. +

+
+ +

+ Andy Polyakov reported a vulnerability in the OpenSSL toolkit, that is + caused due to an unspecified off-by-one error within the DTLS + implementation. +

+
+ +

+ A remote attacker could exploit this issue to execute arbitrary code or + cause a Denial of Service. Only clients and servers explicitly using + DTLS are affected, systems using SSL and TLS are not. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSSL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8f" +
+ + CVE-2007-4995 + + + rbu + + + rbu + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200710-31.xml b/xml/htdocs/security/en/glsa/glsa-200710-31.xml
new file mode 100644
index 00000000..44f2e528
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200710-31.xml
@@ -0,0 +1,71 @@
+ + + + + + + Opera: Multiple vulnerabilities + + Opera contains multiple vulnerabilities, which may allow the execution of + arbitrary code. + + opera + October 30, 2007 + October 30, 2007: 01 + 196164 + remote + + + 9.24 + 9.24 + + + +

+ Opera is a multi-platform web browser. +

+
+ +

+ Michael A. Puls II discovered an unspecified flaw when launching + external email or newsgroup clients (CVE-2007-5541). David Bloom + discovered that when displaying frames from different websites, the + same-origin policy is not correctly enforced (CVE-2007-5540). +

+
+ +

+ An attacker could potentially exploit the first vulnerability to + execute arbitrary code with the privileges of the user running Opera by + enticing a user to visit a specially crafted URL. Note that this + vulnerability requires an external e-mail or newsgroup client + configured in Opera to be exploitable. The second vulnerability allows + an attacker to execute arbitrary script code in a user's browser + session in context of other sites or the theft of browser credentials. +

+
+ +

+ There is no known workaround at this time for all these + vulnerabilities. +

+
+ +

+ All Opera users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/opera-9.24" +
+ + CVE-2007-5540 + CVE-2007-5541 + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-01.xml b/xml/htdocs/security/en/glsa/glsa-200711-01.xml
new file mode 100644
index 00000000..ddf38fac
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-01.xml
@@ -0,0 +1,68 @@
+ + + + + + + gFTP: Multiple vulnerabilities + + Two buffer overflow vulnerabilities have been discovered in fsplib code + used in gFTP. + + gftp + November 01, 2007 + November 01, 2007: 01 + 188252 + remote + + + 2.0.18-r6 + 2.0.18-r6 + + + +

+ gFTP is an FTP client for the GNOME desktop environment. +

+
+ +

+ Kalle Olavi Niemitalo discovered two boundary errors in fsplib code + included in gFTP when processing overly long directory or file names. +

+
+ +

+ A remote attacker could trigger these vulnerabilities by enticing a + user to download a file with a specially crafted directory or file + name, possibly resulting in the execution of arbitrary code + (CVE-2007-3962) or a Denial of Service (CVE-2007-3961). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All gFTP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/gftp-2.0.18-r6" +
+ + CVE-2007-3961 + CVE-2007-3962 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-02.xml b/xml/htdocs/security/en/glsa/glsa-200711-02.xml
new file mode 100644
index 00000000..42c49602
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-02.xml
@@ -0,0 +1,66 @@
+ + + + + + + OpenSSH: Security bypass + + A flaw has been discovered in OpenSSH which could allow a local attacker to + bypass security restrictions. + + openssh + November 01, 2007 + November 01, 2007: 01 + 191321 + remote + + + 4.7 + 4.7 + + + +

+ OpenSSH is a complete SSH protocol implementation that includes an SFTP + client and server support. +

+
+ +

+ Jan Pechanec discovered that OpenSSH uses a trusted X11 cookie when it + cannot create an untrusted one. +

+
+ +

+ An attacker could bypass the SSH client security policy and gain + privileges by causing an X client to be treated as trusted. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSSH users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/openssh-4.7" +
+ + CVE-2007-4752 + + + jaervosz + + + jaervosz + + + p-y + +
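Review bot: The access field in the header of this advisory reads `remote`, but the synopsis on the same header line says the flaw "could allow a local attacker to bypass security restrictions", and the impact paragraph does not say from where the X client is controlled. A reader triaging by the access field and by the synopsis will get different answers. If "remote" is the intended classification (the untrusted X client runs on the remote host the user connects to), the synopsis should say so, e.g. `could allow an attacker on the remote host to bypass security restrictions`; otherwise the access field should be changed to match the synopsis.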
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-03.xml b/xml/htdocs/security/en/glsa/glsa-200711-03.xml
new file mode 100644
index 00000000..5df61cbc
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-03.xml
@@ -0,0 +1,67 @@
+ + + + + + + Gallery: Multiple vulnerabilities + + The WebDAV and Reupload modules of Gallery contain multiple unspecified + vulnerabilities. + + gallery + November 01, 2007 + November 11, 2007: 02 + 191587 + remote + + + 2.2.3 + 2.0 + 2.2.3 + + + +

+ Gallery is a PHP based photo album manager. +

+
+ +

+ Merrick Manalastas and Nicklous Roberts have discovered multiple + vulnerabilities in the WebDAV and Reupload modules. +

+
+ +

+ A remote attacker could exploit these vulnerabilities to bypass + security restrictions and rename, replace and change properties of + items, or edit item data using WebDAV. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Gallery users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/gallery-2.2.3" +
+ + CVE-2007-4650 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-04.xml b/xml/htdocs/security/en/glsa/glsa-200711-04.xml
new file mode 100644
index 00000000..db1c5cc8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-04.xml
@@ -0,0 +1,73 @@
+ + + + + + + Evolution: User-assisted remote execution of arbitrary code + + The IMAP client of Evolution contains a vulnerability potentially leading + to the execution of arbitrary code. + + evolution-data-server + November 06, 2007 + November 06, 2007: 01 + 190861 + remote + + + 1.10.3.1 + 1.10.3.1 + + + +

+ Evolution is the mail client of the GNOME desktop environment. Camel is + the Evolution Data Server module that handles mail functions. +

+
+ +

+ The imap_rescan() function of the file camel-imap-folder.c does not + properly sanitize the "SEQUENCE" response sent by an IMAP server before + being used to index arrays. +

+
+ +

+ A malicious or compromised IMAP server could trigger the vulnerability + and execute arbitrary code with the permissions of the user running + Evolution. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Note that this GLSA addresses the same issue as GLSA 200707-03, but for + the 1.10 branch of Evolution Data Server. +

+

+ All Evolution users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=gnome-extra/evolution-data-server-1.10.3.1" +
+ + GLSA 200707-03 + CVE-2007-3257 + + + p-y + + + p-y + + + aetius + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-05.xml b/xml/htdocs/security/en/glsa/glsa-200711-05.xml
new file mode 100644
index 00000000..997aebfa
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-05.xml
@@ -0,0 +1,80 @@
+ + + + + + + SiteBar: Multiple issues + + Multiple issues have been identified in SiteBar that might allow execution + of arbitrary code and arbitrary file disclosure. + + sitebar + November 06, 2007 + November 06, 2007: 01 + 195810 + remote + + + 3.3.9 + 3.3.9 + + + +

+ SiteBar is a PHP application that allows users to store their bookmarks + on a web server. +

+
+ +

+ Tim Brown discovered these multiple issues: the translation module does + not properly sanitize the value to the "dir" parameter (CVE-2007-5491, + CVE-2007-5694); the translation module also does not sanitize the + values of the "edit" and "value" parameters which it passes to eval() + and include() (CVE-2007-5492, CVE-2007-5693); the log-in command does + not validate the URL to redirect users to after logging in + (CVE-2007-5695); SiteBar also contains several cross-site scripting + vulnerabilities (CVE-2007-5692). +

+
+ +

+ An authenticated attacker in the "Translators" or "Admins" group could + execute arbitrary code, read arbitrary files and possibly change their + permissions with the privileges of the user running the web server by + passing a specially crafted parameter string to the "translator.php" + file. An unauthenticated attacker could entice a user to browse a + specially crafted URL, allowing for the execution of script code in the + context of the user's browser, for the theft of browser credentials or + for a redirection to an arbitrary web site after login. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SiteBar users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/sitebar-3.3.9" +
+ + CVE-2007-5491 + CVE-2007-5492 + CVE-2007-5692 + CVE-2007-5693 + CVE-2007-5694 + CVE-2007-5695 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-06.xml b/xml/htdocs/security/en/glsa/glsa-200711-06.xml
new file mode 100644
index 00000000..bd05737e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-06.xml
@@ -0,0 +1,79 @@
+ + + + + + + Apache: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Apache, possibly resulting + in a Denial of Service or the disclosure of sensitive information. + + apache + November 07, 2007 + November 07, 2007: 01 + 186219 + remote + + + 2.0.59-r5 + 2.2.6 + 2.2.6 + + + +

+ The Apache HTTP server is one of the most popular web servers on the + Internet. +

+
+ +

+ Multiple cross-site scripting vulnerabilities have been discovered in + mod_status and mod_autoindex (CVE-2006-5752, CVE-2007-4465). An error + has been discovered in the recall_headers() function in mod_mem_cache + (CVE-2007-1862). The mod_cache module does not properly sanitize + requests before processing them (CVE-2007-1863). The Prefork module + does not properly check PID values before sending signals + (CVE-2007-3304). The mod_proxy module does not correctly check headers + before processing them (CVE-2007-3847). +

+
+ +

+ A remote attacker could exploit one of these vulnerabilities to inject + arbitrary script or HTML content, obtain sensitive information or cause + a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/apache-2.0.59-r5" +
+ + CVE-2006-5752 + CVE-2007-1862 + CVE-2007-1863 + CVE-2007-3304 + CVE-2007-3847 + CVE-2007-4465 + + + p-y + + + p-y + + + p-y + +
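Review bot: The package block of glsa-200711-06.xml lists unaffected versions 2.0.59-r5 and 2.2.6 with the vulnerable entry below 2.2.6; unless the 2.0.59-r5 entry carries a revision-bounded range (`rge`) rather than a plain `ge`, a 2.2.0 to 2.2.5 install would be classified as unaffected by the GLSA tooling, and the resolution only names `>=www-servers/apache-2.0.59-r5`. The range attributes are stripped in this view, so please confirm them, and consider a second resolution step for 2.2.x users naming `>=www-servers/apache-2.2.6`. The same two-branch pattern appears in glsa-200711-07.xml (2.3.6-r3 / 2.4.4-r6, which at least gives both emerge lines) and in the kpdf and kdegraphics entries of glsa-200711-22.xml (3.5.7-r3 / 3.5.8-r1).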
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-07.xml b/xml/htdocs/security/en/glsa/glsa-200711-07.xml
new file mode 100644
index 00000000..830e35a6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-07.xml
@@ -0,0 +1,79 @@
+ + + + + + + Python: User-assisted execution of arbitrary code + + Multiple integer overflow vulnerabilities have been discovered in Python, + possibly resulting in the execution of arbitrary code or a Denial of + Service. + + python + November 07, 2007 + November 07, 2007: 01 + 192876 + remote + + + 2.3.6-r3 + 2.4.4-r6 + 2.4.4-r6 + + + +

+ Python is an interpreted, interactive, object-oriented programming + language. +

+
+ +

+ Slythers Bro discovered multiple integer overflows in the imageop + module, one of them in the tovideo() method, in various locations in + files imageop.c, rbgimgmodule.c, and also in other files. +

+
+ +

+ A remote attacker could entice a user to process specially crafted + images with an application using the Python imageop module, resulting + in the execution of arbitrary code with the privileges of the user + running the application, or a Denial of Service. Note that this + vulnerability may or may not be exploitable, depending on the + application using the module. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Python 2.3.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.3.6-r3" +

+ All Python 2.4.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r6" +
+ + CVE-2007-4965 + + + rbu + + + p-y + + + p-y + +
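Review bot: The description of glsa-200711-07.xml names `rbgimgmodule.c`; the Python 2.x source file is `rgbimgmodule.c` (the rgbimg module), so this looks like a transposition and the line should read `files imageop.c, rgbimgmodule.c, and also in other files.` The phrase "in various locations in files ... and also in other files" is also vague for an advisory; if the affected files are known from the bug, listing them is more useful than "other files".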
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-08.xml b/xml/htdocs/security/en/glsa/glsa-200711-08.xml
new file mode 100644
index 00000000..5c5bd170
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-08.xml
@@ -0,0 +1,73 @@
+ + + + + + + libpng: Multiple Denials of Service + + Several vulnerabilities in libpng may allow a remote attacker to crash + applications that handle untrusted images. + + libpng + November 07, 2007 + November 07, 2007: 01 + 195261 + remote + + + 1.2.21-r3 + 1.2.21-r3 + + + +

+ libpng is a free ANSI C library used to process and manipulate PNG + images. +

+
+ +

+ An off-by-one error when handling ICC profile chunks in the + png_set_iCCP() function was discovered (CVE-2007-5266). George Cook and + Jeff Phillips reported several errors in pngrtran.c, the use of logical + instead of a bitwise functions and incorrect comparisons + (CVE-2007-5268). Tavis Ormandy reported out-of-bounds read errors in + several PNG chunk handling functions (CVE-2007-5269). +

+
+ +

+ A remote attacker could craft an image that when processed or viewed by + an application using libpng would cause the application to terminate + abnormally. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libpng users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.21-r3" +
+ + CVE-2007-5266 + CVE-2007-5268 + CVE-2007-5269 + + + p-y + + + p-y + + + rbu + +
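Review bot: In the description of glsa-200711-08.xml the clause `the use of logical instead of a bitwise functions and incorrect comparisons` does not parse. Suggest `the use of logical instead of bitwise operations, and incorrect comparisons`, which keeps the two separate defects the sentence attributes to CVE-2007-5268 distinct.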
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-09.xml b/xml/htdocs/security/en/glsa/glsa-200711-09.xml
new file mode 100644
index 00000000..c0d76c85
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-09.xml
@@ -0,0 +1,68 @@
+ + + + + + + MadWifi: Denial of Service + + MadWifi does not correctly process beacon frames which can lead to a + remotely triggered Denial of Service. + + madwifi-ng + November 07, 2007 + November 07, 2007: 01 + 195705 + remote + + + 0.9.3.3 + 0.9.3.3 + + + +

+ The MadWifi driver provides support for Atheros based IEEE 802.11 + Wireless Lan cards. +

+
+ +

+ Clemens Kolbitsch and Sylvester Keil reported an error when processing + beacon frames with an overly large "length" value in the "xrates" + element. +

+
+ +

+ A remote attacker could act as an access point and send a specially + crafted packet to an Atheros based wireless client, possibly resulting + in a Denial of Service (kernel panic). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MadWifi users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/madwifi-ng-0.9.3.3" +
+ + CVE-2007-5448 + + + p-y + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-10.xml b/xml/htdocs/security/en/glsa/glsa-200711-10.xml
new file mode 100644
index 00000000..a244cc6f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-10.xml
@@ -0,0 +1,67 @@
+ + + + + + + Mono: Buffer overflow + + Mono's BigInteger implementation contains a buffer overflow vulnerability + that might lead to the execution of arbitrary code. + + mono + November 07, 2007 + November 07, 2007: 01 + 197067 + remote + + + 1.2.5.1-r1 + 1.2.5.1-r1 + + + +

+ Mono provides the necessary software to develop and run .NET client and + server applications on various platforms. +

+
+ +

+ IOActive discovered an error in the Mono.Math.BigInteger class, in the + reduction step of the Montgomery-based Pow methods, that could lead to + a buffer overflow. +

+
+ +

+ A remote attacker could exploit this vulnerability by sending specially + crafted data to Mono applications using the BigInteger class, which + might lead to the execution of arbitrary code with the privileges of + the user running the application (possibly root) or a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mono users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/mono-1.2.5.1-r1" +
+ + CVE-2007-5197 + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-11.xml b/xml/htdocs/security/en/glsa/glsa-200711-11.xml
new file mode 100644
index 00000000..0aaf4e0d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-11.xml
@@ -0,0 +1,77 @@
+ + + + + + + Nagios Plugins: Two buffer overflows + + Two buffer overflow vulnerabilities in the Nagios Plugins might allow for + remote execution of arbitrary code. + + nagios-plugins + November 08, 2007 + November 08, 2007: 01 + 196308 + 194178 + remote + + + 1.4.10-r1 + 1.4.10-r1 + + + +

+ The Nagios Plugins are an official set of plugins for Nagios, an open + source host, service and network monitoring program. +

+
+ +

+ fabiodds reported a boundary checking error in the "check_snmp" plugin + when processing SNMP "GET" replies that could lead to a stack-based + buffer overflow (CVE-2007-5623). Nobuhiro Ban reported a boundary + checking error in the redir() function of the "check_http" plugin when + processing HTTP "Location:" header information which might lead to a + buffer overflow (CVE-2007-5198). +

+
+ +

+ A remote attacker could exploit these vulnerabilities to execute + arbitrary code with the privileges of the user running Nagios or cause + a Denial of Service by (1) sending a specially crafted SNMP "GET" reply + to the Nagios daemon or (2) sending an overly long string in the + "Location:" header of an HTTP reply. Note that to exploit (2), the + malicious or compromised web server has to be configured in Nagios and + the "-f" (follow) option has to be enabled. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All users of the Nagios Plugins should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/nagios-plugins-1.4.10-r1" +
+ + CVE-2007-5198 + CVE-2007-5623 + + + rbu + + + rbu + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-12.xml b/xml/htdocs/security/en/glsa/glsa-200711-12.xml
new file mode 100644
index 00000000..97e12d2b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-12.xml
@@ -0,0 +1,69 @@
+ + + + + + + Tomboy: User-assisted execution of arbitrary code + + Tomboy doesn't properly handle environment variables, potentially allowing + a local attacker to execute arbitrary code. + + tomboy + November 08, 2007 + November 08, 2007: 01 + 189249 + local + + + 0.8.1-r1 + 0.8.1-r1 + + + +

+ Tomboy is a GTK-based desktop note-taking application written in C# and + the Mono C#. +

+
+ +

+ Jan Oravec reported that the "/usr/bin/tomboy" script sets the + "LD_LIBRARY_PATH" environment variable incorrectly, which might result + in the current working directory (.) to be included when searching for + dynamically linked libraries of the Mono Runtime application. +

+
+ +

+ A local attacker could entice a user into running Tomboy in a directory + containing a specially crafted library file to execute arbitrary code + with the privileges of the user running Tomboy. +

+
+ +

+ Do not run Tomboy from an untrusted working directory. +

+
+ +

+ All Tomboy users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-misc/tomboy-0.8.1-r1" +
+ + CVE-2005-4790 + + + rbu + + + rbu + + + rbu + +
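Review bot: The background of glsa-200711-12.xml ends with `written in C# and the Mono C#.`, which is garbled. The description later refers to "the Mono Runtime application", so `written in C# for the Mono runtime.` reads as what was intended. The rest of the file is consistent: the access value `local`, the working-directory workaround and the LD_LIBRARY_PATH description all line up.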
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-13.xml b/xml/htdocs/security/en/glsa/glsa-200711-13.xml
new file mode 100644
index 00000000..eeba4eac
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-13.xml
@@ -0,0 +1,68 @@
+ + + + + + + 3proxy: Denial of Service + + A vulnerability has been discovered in 3proxy, possibly resulting in a + Denial of Service. + + 3proxy + November 08, 2007 + November 08, 2007: 01 + 196772 + remote + + + 0.5.3j + 0.5.3j + + + +

+ 3proxy is a really tiny cross-platform proxy servers set, including + HTTP, HTTPS, FTP, SOCKS and POP3 support. +

+
+ +

+ 3proxy contains a double free vulnerability in the ftpprchild() + function, which frees param->hostname and calls the parsehostname() + function, which in turn attempts to free param->hostname again. +

+
+ +

+ A remote attacker could send a specially crafted request to the proxy, + possibly resulting in a Denial of Service. Under typical configuration, + the scope of this vulnerability is limited to the local network. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All 3proxy users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/3proxy-0.5.3j" +
+ + CVE-2007-5622 + + + p-y + + + keytoaster + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-14.xml b/xml/htdocs/security/en/glsa/glsa-200711-14.xml
new file mode 100644
index 00000000..87364c36
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-14.xml
@@ -0,0 +1,127 @@
+ + + + + + + Mozilla Firefox, SeaMonkey, XULRunner: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Mozilla Firefox, SeaMonkey + and XULRunner, potentially allowing to compromise a user's system. + + firefox seamonkey xulrunner + November 12, 2007 + November 12, 2007: 01 + 196480 + remote + + + 2.0.0.9 + 2.0.0.9 + + + 2.0.0.9 + 2.0.0.9 + + + 1.1.6 + 1.1.6 + + + 1.1.6 + 1.1.6 + + + 1.8.1.9 + 1.8.1.9 + + + +

+ Mozilla Firefox is a cross-platform web browser from Mozilla. SeaMonkey + is a free, cross-platform Internet suite. +

+
+ +

+ Multiple vulnerabilities have been reported in Mozilla Firefox and + SeaMonkey. Various errors in the browser engine and the Javascript + engine can be exploited to cause a memory corruption (CVE-2007-5339 and + CVE-2007-5340). Before being used in a request, input passed to the + user ID when making an HTTP request with digest authentication is not + properly sanitised (CVE-2007-2292). The titlebar can be hidden by a XUL + markup language document (CVE-2007-5334). Additionally, an error exists + in the handling of "smb:" and "sftp:" URI schemes on systems with + gnome-vfs support (CVE-2007-5337). An unspecified error in the handling + of "XPCNativeWrappers" and not properly implementing JavaScript + onUnload() handlers may allow the execution of arbitrary Javascript + code (CVE-2007-5338 and CVE-2007-1095). Another error is triggered by + using the addMicrosummaryGenerator sidebar method to access file: URIs + (CVE-2007-5335). +

+
+ +

+ A remote attacker could exploit these issues to execute arbitrary code, + gain the privileges of the user running the application, disclose + sensitive information, conduct phishing attacks, and read and + manipulate certain data. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.9" +

+ All Mozilla Firefox binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.9" +

+ All SeaMonkey users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.6" +

+ All SeaMonkey binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.6" +

+ All XULRunner users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.9" +
+ + CVE-2007-1095 + CVE-2007-2292 + CVE-2007-5334 + CVE-2007-5335 + CVE-2007-5337 + CVE-2007-5338 + CVE-2007-5339 + CVE-2007-5340 + + + rbu + + + keytoaster + + + p-y + +
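Review bot: The background of glsa-200711-14.xml names only Firefox and SeaMonkey, although the title, the product list and the fifth resolution step all cover XULRunner. A sentence such as `XULRunner is the runtime environment shared by Mozilla applications.` would close the gap, and the description's opening "reported in Mozilla Firefox and SeaMonkey" should mention XULRunner for the same reason. The synopsis wording "potentially allowing to compromise a user's system" also reads better as "potentially allowing an attacker to compromise a user's system".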
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-15.xml b/xml/htdocs/security/en/glsa/glsa-200711-15.xml
new file mode 100644
index 00000000..68c8ee6d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-15.xml
@@ -0,0 +1,76 @@
+ + + + + + + FLAC: Buffer overflow + + Multiple integer overflow vulnerabilities were found in FLAC possibly + allowing for the execution of arbitrary code. + + flac + November 12, 2007 + November 12, 2007: 01 + 195700 + remote + + + 1.2.1-r1 + 1.2.1-r1 + + + +

+ The Xiph.org Free Lossless Audio Codec (FLAC) library is the reference + implementation of the FLAC audio file format. It contains encoders and + decoders in library and executable form. +

+
+ +

+ Sean de Regge reported multiple integer overflows when processing FLAC + media files that could lead to improper memory allocations resulting in + heap-based buffer overflows. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted FLAC + file or network stream with an application using FLAC. This might lead + to the execution of arbitrary code with privileges of the user playing + the file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FLAC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/flac-1.2.1-r1" +

+ You should also run revdep-rebuild to rebuild any packages that depend + on older versions of FLAC: +

+ + # revdep-rebuild --library=libFLAC.* +
+ + CVE-2007-4619 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-16.xml b/xml/htdocs/security/en/glsa/glsa-200711-16.xml
new file mode 100644
index 00000000..ad33c61e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-16.xml
@@ -0,0 +1,71 @@
+ + + + + + + CUPS: Memory corruption + + CUPS contains a boundary checking error that might lead to the execution of + arbitrary code. + + cups + November 12, 2007 + November 12, 2007: 01 + 196736 + remote + + + 1.2.12-r2 + 1.2.12-r2 + + + +

+ CUPS provides a portable printing layer for UNIX-based operating + systems. +

+
+ +

+ Alin Rad Pop (Secunia Research) discovered an off-by-one error in the + ippReadIO() function when handling Internet Printing Protocol (IPP) + tags that might allow to overwrite one byte on the stack. +

+
+ +

+ A local attacker could send a specially crafted IPP request containing + "textWithLanguage" or "nameWithLanguage" tags, leading to a Denial of + Service or the execution of arbitrary code with the privileges of the + "lp" user. If CUPS is configured to allow network printing, this + vulnerability might be remotely exploitable. +

+
+ +

+ To avoid remote exploitation, network access to CUPS servers on port + 631/udp should be restricted. In order to do this, update the "Listen" + setting in cupsd.conf to "Listen localhost:631" or add a rule to + the system's firewall. However, this will not avoid local users from + exploiting this vulnerability. +

+
+ +

+ All CUPS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/cups-1.2.12-r2" +
+ + CVE-2007-4351 + + + rbu + + + jaervosz + +
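Review bot: The workaround in glsa-200711-16.xml tells administrators to restrict port `631/udp`, but IPP requests, which is the path through ippReadIO() that the description attributes the flaw to, are served on TCP port 631; UDP 631 carries CUPS browsing announcements. Suggest `network access to CUPS servers on port 631/tcp should be restricted`. The `Listen localhost:631` advice is consistent with that, since the Listen directive controls the IPP/HTTP listener rather than the browsing socket.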
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-17.xml b/xml/htdocs/security/en/glsa/glsa-200711-17.xml
new file mode 100644
index 00000000..c9ad00df
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-17.xml
@@ -0,0 +1,77 @@
+ + + + + + + Ruby on Rails: Multiple vulnerabilities + + Several vulnerabilities were found in Ruby on Rails allowing for file + disclosure and theft of user credentials. + + rails + November 14, 2007 + November 14, 2007: 01 + 195315 + 182223 + remote + + + 1.2.5 + 1.2.5 + + + +

+ Ruby on Rails is a free web framework used to develop database-driven + web applications. +

+
+ +

+ candlerb found that ActiveResource, when processing responses using the + Hash.from_xml() function, does not properly sanitize filenames + (CVE-2007-5380). The session management functionality allowed the + "session_id" to be set in the URL (CVE-2007-5380). BCC discovered that + the to_json() function does not properly sanitize input before + returning it to the user (CVE-2007-3227). +

+
+ +

+ Unauthenticated remote attackers could exploit these vulnerabilities to + determine the existence of files or to read the contents of arbitrary + XML files; conduct session fixation attacks and gain unauthorized + access; and to execute arbitrary HTML and script code in a user's + browser session in context of an affected site by enticing a user to + browse a specially crafted URL. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ruby on Rails users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-ruby/rails-1.2.5" +
+ + CVE-2007-3227 + CVE-2007-5379 + CVE-2007-5380 + + + p-y + + + p-y + + + rbu + +
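Review bot: The description of glsa-200711-17.xml cites CVE-2007-5380 twice, once for the Hash.from_xml() filename handling and once for the session_id-in-URL issue, while the reference list contains CVE-2007-5379, which the description never mentions. One of the two citations should be CVE-2007-5379; as far as I recall NVD assigns 5379 to the ActiveResource/from_xml issue and 5380 to the session fixation, which would make the first citation the one to change to `(CVE-2007-5379)`, but verify against the CVE entries before editing.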
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-18.xml b/xml/htdocs/security/en/glsa/glsa-200711-18.xml
new file mode 100644
index 00000000..97d8d95d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-18.xml
@@ -0,0 +1,67 @@
+ + + + + + + Cpio: Buffer overflow + + GNU cpio contains a buffer overflow vulnerability, possibly resulting in a + Denial of Service. + + cpio + November 14, 2007 + November 14, 2007: 01 + 196978 + remote + + + 2.9-r1 + 2.9-r1 + + + +

+ GNU cpio copies files into or out of a cpio or tar archive. +

+
+ +

+ A buffer overflow vulnerability in the safer_name_suffix() function in + GNU cpio has been discovered. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + archive file resulting in a stack-based buffer overflow, possibly + crashing the application. It is disputed whether the execution of + arbitrary code is possible. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GNU cpio users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/cpio-2.9-r1" +
+ + CVE-2007-4476 + + + p-y + + + p-y + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-19.xml b/xml/htdocs/security/en/glsa/glsa-200711-19.xml
new file mode 100644
index 00000000..fc935eb5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-19.xml
@@ -0,0 +1,69 @@
+ + + + + + + TikiWiki: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in TikiWiki, possibly + resulting in the remote execution of arbitrary code. + + tikiwiki + November 14, 2007 + November 14, 2007: 01 + 195503 + remote + + + 1.9.8.3 + 1.9.8.3 + + + +

+ TikiWiki is an open source content management system written in PHP. +

+
+ +

+ Stefan Esser reported that a previous vulnerability (CVE-2007-5423, + GLSA 200710-21) was not properly fixed in TikiWiki 1.9.8.1 + (CVE-2007-5682). The TikiWiki development team also added several + checks to avoid file inclusion. +

+
+ +

+ A remote attacker could exploit these vulnerabilities to inject + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TikiWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.9.8.3" +
+ + GLSA 200710-21 + CVE-2007-5423 + CVE-2007-5682 + + + rbu + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-20.xml b/xml/htdocs/security/en/glsa/glsa-200711-20.xml
new file mode 100644
index 00000000..ee7710d1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-20.xml
@@ -0,0 +1,69 @@
+ + + + + + + Pioneers: Multiple Denials of Service + + Two Denial of Service vulnerabilities were discovered in Pioneers. + + pioneers + November 14, 2007 + November 29, 2007: 04 + 198807 + remote + + + 0.11.3-r1 + 0.11.3-r1 + + + +

+ Pioneers (formerly gnocatan) is a clone of the popular board game "The + Settlers of Catan". +

+
+ +

+ Roland Clobus discovered that the Pioneers server may free sessions + objects while they are still in use, resulting in access to invalid + memory zones (CVE-2007-5933). Bas Wijnen discovered an error when + closing connections which can lead to a failed assertion + (CVE-2007-6010). +

+
+ +

+ A remote attacker could send specially crafted data to the vulnerable + server, resulting in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Pioneers users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-board/pioneers-0.11.3-r1" +
+ + CVE-2007-5933 + CVE-2007-6010 + + + rbu + + + p-y + + + p-y + +
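Review bot: In the description of glsa-200711-20.xml, `may free sessions objects` should be `may free session objects`, and "access to invalid memory zones" is unidiomatic for what the sentence describes (an object freed while still referenced); `resulting in access to freed memory` says the same thing plainly. The rest of the file is internally consistent.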
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-21.xml b/xml/htdocs/security/en/glsa/glsa-200711-21.xml
new file mode 100644
index 00000000..4d11264c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-21.xml
@@ -0,0 +1,69 @@
+ + + + + + + Bochs: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Bochs, possibly allowing + for the execution of arbitrary code or a Denial of Service. + + bochs + November 17, 2007 + November 17, 2007: 01 + 188148 + local + + + 2.3 + 2.3 + + + +

+ Bochs is a IA-32 (x86) PC emulator written in C++. +

+
+ +

+ Tavis Ormandy of the Google Security Team discovered a heap-based + overflow vulnerability in the NE2000 driver (CVE-2007-2893). He also + discovered a divide-by-zero error in the emulated floppy disk + controller (CVE-2007-2894). +

+
+ +

+ A local attacker in the guest operating system could exploit these + issues to execute code outside of the virtual machine, or cause Bochs + to crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Bochs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/bochs-2.3" +
+ + CVE-2007-2893 + CVE-2007-2894 + + + p-y + + + p-y + + + p-y + +
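Review bot: The background of glsa-200711-21.xml reads `Bochs is a IA-32 (x86) PC emulator`; it should be `Bochs is an IA-32 (x86) PC emulator`. The access value `local` matches the impact text, which places the attacker inside the guest; no further change needed there.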
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-22.xml b/xml/htdocs/security/en/glsa/glsa-200711-22.xml
new file mode 100644
index 00000000..db2d60ba
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-22.xml
@@ -0,0 +1,120 @@
+ + + + + + + Poppler, KDE: User-assisted execution of arbitrary code + + Poppler and various KDE components are vulnerable to multiple memory + management issues possibly resulting in the execution of arbitrary code. + + poppler koffice kword kdegraphics kpdf + November 18, 2007 + November 18, 2007: 01 + 196735 + 198409 + remote + + + 0.6.1-r1 + 0.6.1-r1 + + + 3.5.7-r3 + 3.5.8-r1 + 3.5.8-r1 + + + 3.5.7-r3 + 3.5.8-r1 + 3.5.8-r1 + + + 1.6.3-r2 + 1.6.3-r2 + + + 1.6.3-r2 + 1.6.3-r2 + + + +

+ Poppler is a cross-platform PDF rendering library originally based on + Xpdf. KOffice is an integrated office suite for KDE. KWord is the + KOffice word processor. KPDF is a KDE-based PDF viewer included in the + kdegraphics package. +

+
+ +

+ Alin Rad Pop (Secunia Research) discovered several vulnerabilities in + the "Stream.cc" file of Xpdf: An integer overflow in the + DCTStream::reset() method and a boundary error in the + CCITTFaxStream::lookChar() method, both leading to heap-based buffer + overflows (CVE-2007-5392, CVE-2007-5393). He also discovered a boundary + checking error in the DCTStream::readProgressiveDataUnit() method + causing memory corruption (CVE-2007-4352). Note: Gentoo's version of + Xpdf is patched to use the Poppler library, so the update to Poppler + will also fix Xpdf. +

+
+ +

+ By enticing a user to view or process a specially crafted PDF file with + KWord or KPDF or a Poppler-based program such as Gentoo's viewers Xpdf, + ePDFView, and Evince or the CUPS printing system, a remote attacker + could cause an overflow, potentially resulting in the execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Poppler users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/poppler-0.6.1-r1" +

+ All KPDF users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kpdf-3.5.7-r3" +

+ All KDE Graphics Libraries users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.5.7-r3" +

+ All KWord users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/kword-1.6.3-r2" +

+ All KOffice users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/koffice-1.6.3-r2" +
+ + CVE-2007-4352 + CVE-2007-5392 + CVE-2007-5393 + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-23.xml b/xml/htdocs/security/en/glsa/glsa-200711-23.xml
new file mode 100644
index 00000000..2cf06dff
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-23.xml
@@ -0,0 +1,112 @@
+ + + + + + + VMware Workstation and Player: Multiple vulnerabilities + + VMware guest operating systems might be able to execute arbitrary code with + elevated privileges on the host operating system through multiple flaws. + + vmware-workstation vmware-player + November 18, 2007 + April 16, 2008: 03 + 193196 + remote + + + 5.5.5.56455 + 5.5.5.56455 + 6.0.0.45731 + + + 1.0.5.56455 + 1.0.5.56455 + 2.0.0.45731 + + + +

+ VMware Workstation is a virtual machine for developers and system + administrators. VMware Player is a freeware virtualization software + that can run guests produced by other VMware products. +

+
+ +

+ Multiple vulnerabilities have been discovered in several VMware + products. Neel Mehta and Ryan Smith (IBM ISS X-Force) discovered that + the DHCP server contains an integer overflow vulnerability + (CVE-2007-0062), an integer underflow vulnerability (CVE-2007-0063) and + another error when handling malformed packets (CVE-2007-0061), leading + to stack-based buffer overflows or stack corruption. Rafal Wojtczvk + (McAfee) discovered two unspecified errors that allow authenticated + users with administrative or login privileges on a guest operating + system to corrupt memory or cause a Denial of Service (CVE-2007-4496, + CVE-2007-4497). Another unspecified vulnerability related to untrusted + virtual machine images was discovered (CVE-2007-5617). +

+

+ VMware products also shipped code copies of software with several + vulnerabilities: Samba (GLSA-200705-15), BIND (GLSA-200702-06), MIT + Kerberos 5 (GLSA-200707-11), Vixie Cron (GLSA-200704-11), shadow + (GLSA-200606-02), OpenLDAP (CVE-2006-4600), PAM (CVE-2004-0813, + CVE-2007-1716), GCC (CVE-2006-3619) and GDB (CVE-2006-4146). +

+
+ +

+ Remote attackers within a guest system could possibly exploit these + vulnerabilities to execute code on the host system with elevated + privileges or to cause a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All VMware Workstation users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/vmware-workstation-5.5.5.56455" +

+ All VMware Player users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/vmware-player-1.0.5.56455" +
+ + CVE-2004-0813 + CVE-2006-3619 + CVE-2006-4146 + CVE-2006-4600 + CVE-2007-0061 + CVE-2007-0062 + CVE-2007-0063 + CVE-2007-1716 + CVE-2007-4496 + CVE-2007-4497 + CVE-2007-5617 + GLSA-200606-02 + GLSA-200702-06 + GLSA-200704-11 + GLSA-200705-15 + GLSA-200707-11 + VMSA-2007-0006 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-24.xml b/xml/htdocs/security/en/glsa/glsa-200711-24.xml
new file mode 100644
index 00000000..2dc240e5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-24.xml
@@ -0,0 +1,82 @@
+ + + + + + + Mozilla Thunderbird: Multiple vulnerabilities + + Multiple vulnerabilities have been reported in Mozilla Thunderbird, which + may allow user-assisted arbitrary remote code execution. + + mozilla-thunderbird mozilla-thunderbird-bin + November 18, 2007 + November 18, 2007: 01 + 196481 + remote + + + 2.0.0.9 + 2.0.0.9 + + + 2.0.0.9 + 2.0.0.9 + + + +

+ Mozilla Thunderbird is a popular open-source email client from the + Mozilla project. +

+
+ +

+ Multiple vulnerabilities have been reported in Mozilla Thunderbird's + HTML browser engine (CVE-2007-5339) and JavaScript engine + (CVE-2007-5340) that can be exploited to cause a memory corruption. +

+
+ +

+ A remote attacker could entice a user to read a specially crafted email + that could trigger one of the vulnerabilities, possibly leading to the + execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time for all of these issues, but + some of them can be avoided by disabling JavaScript. +

+
+ +

+ All Mozilla Thunderbird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-2.0.0.9" +

+ All Mozilla Thunderbird binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-2.0.0.9" +
+ + CVE-2007-5339 + CVE-2007-5340 + GLSA 200711-14 + + + p-y + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-25.xml b/xml/htdocs/security/en/glsa/glsa-200711-25.xml
new file mode 100644
index 00000000..f26a8558
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-25.xml
@@ -0,0 +1,67 @@
+ + + + + + + MySQL: Denial of Service + + A Denial of Service vulnerability was found in MySQL. + + mysql + November 18, 2007 + November 18, 2007: 01 + 198988 + remote + + + 5.0.44-r2 + 5.0.44-r2 + + + +

+ MySQL is a popular multi-threaded, multi-user SQL server. +

+
+ +

+ Joe Gallo and Artem Russakovskii reported an error in the + convert_search_mode_to_innobase() function in ha_innodb.cc in the + InnoDB engine that is leading to a failed assertion when handling + CONTAINS operations. +

+
+ +

+ A remote authenticated attacker with ALTER privileges could send a + specially crafted request to a vulnerable database server possibly + leading to a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MySQL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.0.44-r2" +
+ + CVE-2007-5925 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-26.xml b/xml/htdocs/security/en/glsa/glsa-200711-26.xml
new file mode 100644
index 00000000..e8dd045f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-26.xml
@@ -0,0 +1,77 @@
+ + + + + + + teTeX: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in teTeX, possibly allowing + to execute arbitrary code or overwrite arbitrary files. + + tetex + November 18, 2007 + November 18, 2007: 01 + 198238 + remote + + + 3.0_p1-r6 + 3.0_p1-r6 + + + +

+ teTeX is a complete TeX distribution for editing documents. +

+
+ +

+ Joachim Schrod discovered several buffer overflow vulnerabilities and + an insecure temporary file creation in the "dvilj" application that is + used by dvips to convert DVI files to printer formats (CVE-2007-5937, + CVE-2007-5936). Bastien Roucaries reported that the "dvips" application + is vulnerable to two stack-based buffer overflows when processing DVI + documents with long \href{} URIs (CVE-2007-5935). teTeX also includes + code from Xpdf that is vulnerable to a memory corruption and two + heap-based buffer overflows (GLSA 200711-22); and it contains code from + T1Lib that is vulnerable to a buffer overflow when processing an overly + long font filename (GLSA 200710-12). +

+
+ +

+ A remote attacker could entice a user to process a specially crafted + DVI or PDF file which could lead to the execution of arbitrary code + with the privileges of the user running the application. A local + attacker could exploit the "dvilj" vulnerability to conduct a symlink + attack to overwrite arbitrary files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All teTeX users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/tetex-3.0_p1-r6" +
+ + CVE-2007-5935 + CVE-2007-5936 + CVE-2007-5937 + GLSA 200710-12 + GLSA 200711-22 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-27.xml b/xml/htdocs/security/en/glsa/glsa-200711-27.xml
new file mode 100644
index 00000000..d359d625
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-27.xml
@@ -0,0 +1,69 @@
+ + + + + + + Link Grammar: User-assisted execution of arbitrary code + + A buffer overflow vulnerability has been discovered in Link Grammar. + + link-grammar + November 18, 2007 + November 18, 2007: 01 + 196803 + remote + + + 4.2.4-r1 + 4.2.4-r1 + + + +

+ The Link Grammar parser is a syntactic parser of English, based on link + grammar, an original theory of English syntax. +

+
+ +

+ Alin Rad Pop from Secunia Research discovered a boundary error in the + function separate_sentence() in file tokenize.c when processing an + overly long word which might lead to a stack-based buffer overflow. +

+
+ +

+ A remote attacker could entice a user to parse a specially crafted + sentence, resulting in the remote execution of arbitrary code with the + privileges of the user running the application. Note that this + vulnerability may be triggered by an application using Link Grammar to + parse sentences (e.g. AbiWord). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Link Grammar users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/link-grammar-4.2.4-r1" +
+ + CVE-2007-5395 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-28.xml b/xml/htdocs/security/en/glsa/glsa-200711-28.xml
new file mode 100644
index 00000000..0e511c72
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-28.xml
@@ -0,0 +1,71 @@
+ + + + + + + Perl: Buffer overflow + + A buffer overflow in the Regular Expression engine in Perl possibly allows + for the execution of arbitrary code. + + perl + November 19, 2007 + November 19, 2007: 01 + 198196 + remote + + + 5.8.8-r4 + 5.8.8-r4 + + + +

+ Perl is a stable, cross-platform programming language created by Larry + Wall. +

+
+ +

+ Tavis Ormandy and Will Drewry (Google Security Team) discovered a + heap-based buffer overflow in the Regular Expression engine (regcomp.c) + that occurs when switching from byte to Unicode (UTF-8) characters in a + regular expression. +

+
+ +

+ A remote attacker could either entice a user to compile a specially + crafted regular expression or actively compile it in case the script + accepts remote input of regular expressions, possibly leading to the + execution of arbitrary code with the privileges of the user running + Perl. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Perl users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/perl-5.8.8-r4" +
+ + CVE-2007-5116 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-29.xml b/xml/htdocs/security/en/glsa/glsa-200711-29.xml
new file mode 100644
index 00000000..aef528d6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-29.xml
@@ -0,0 +1,80 @@
+ + + + + + + Samba: Execution of arbitrary code + + Samba contains two buffer overflow vulnerabilities potentially resulting in + the execution of arbitrary code. + + samba + November 20, 2007 + December 05, 2007: 03 + 197519 + remote + + + 3.0.27a + 3.0.27a + + + +

+ Samba is a suite of SMB and CIFS client/server programs for UNIX. +

+
+ +

+ Two vulnerabilities have been reported in nmbd. Alin Rad Pop (Secunia + Research) discovered a boundary checking error in the + reply_netbios_packet() function which could lead to a stack-based + buffer overflow (CVE-2007-5398). The Samba developers discovered a + boundary error when processing GETDC logon requests also leading to a + buffer overflow (CVE-2007-4572). +

+
+ +

+ To exploit the first vulnerability, a remote unauthenticated attacker + could send specially crafted WINS "Name Registration" requests followed + by a WINS "Name Query" request. This might lead to execution of + arbitrary code with elevated privileges. Note that this vulnerability + is exploitable only when WINS server support is enabled in Samba. The + second vulnerability could be exploited by sending specially crafted + "GETDC" mailslot requests, but requires Samba to be configured as a + Primary or Backup Domain Controller. It is not believed the be + exploitable to execute arbitrary code. +

+
+ +

+ To work around the first vulnerability, disable WINS support in Samba + by setting "wins support = no" in the "global" section of your + smb.conf and restart Samba. +

+
+ +

+ All Samba users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-3.0.27a" +

+ The first vulnerability (CVE-2007-5398) was already fixed in Samba + 3.0.26a-r2. +

+
+ + CVE-2007-4572 + CVE-2007-5398 + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-30.xml b/xml/htdocs/security/en/glsa/glsa-200711-30.xml
new file mode 100644
index 00000000..85dfbdbc
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-30.xml
@@ -0,0 +1,102 @@
+ + + + + + + PCRE: Multiple vulnerabilities + + PCRE is vulnerable to multiple buffer overflow and memory corruption + vulnerabilities, possibly leading to the execution of arbitrary code. + + libpcre + November 20, 2007 + November 20, 2007: 01 + 198198 + remote + + + 7.3-r1 + 7.3-r1 + + + +

+ PCRE is a library providing functions for Perl-compatible regular + expressions. +

+
+ +

+ Tavis Ormandy (Google Security) discovered multiple vulnerabilities in + PCRE. He reported an error when processing "\Q\E" sequences with + unmatched "\E" codes that can lead to the compiled bytecode being + corrupted (CVE-2007-1659). PCRE does not properly calculate sizes for + unspecified "multiple forms of character class", which triggers a + buffer overflow (CVE-2007-1660). Further improper calculations of + memory boundaries were reported when matching certain input bytes + against regex patterns in non UTF-8 mode (CVE-2007-1661) and when + searching for unmatched brackets or parentheses (CVE-2007-1662). + Multiple integer overflows when processing escape sequences may lead to + invalid memory read operations or potentially cause heap-based buffer + overflows (CVE-2007-4766). PCRE does not properly handle "\P" and + "\P{x}" sequences which can lead to heap-based buffer overflows or + trigger the execution of infinite loops (CVE-2007-4767), PCRE is also + prone to an error when optimizing character classes containing a + singleton UTF-8 sequence which might lead to a heap-based buffer + overflow (CVE-2007-4768). +

+

+ Chris Evans also reported multiple integer overflow vulnerabilities in + PCRE when processing a large number of named subpatterns ("name_count") + or long subpattern names ("max_name_size") (CVE-2006-7227), and via + large "min", "max", or "duplength" values (CVE-2006-7228) both possibly + leading to buffer overflows. Another vulnerability was reported when + compiling patterns where the "-x" or "-i" UTF-8 options change within + the pattern, which might lead to improper memory calculations + (CVE-2006-7230). +

+
+ +

+ An attacker could exploit these vulnerabilities by sending specially + crafted regular expressions to applications making use of the PCRE + library, which could possibly lead to the execution of arbitrary code, + a Denial of Service or the disclosure of sensitive information. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PCRE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libpcre-7.3-r1" +
+ + CVE-2006-7227 + CVE-2006-7228 + CVE-2006-7230 + CVE-2007-1659 + CVE-2007-1660 + CVE-2007-1661 + CVE-2007-1662 + CVE-2007-4766 + CVE-2007-4767 + CVE-2007-4768 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-31.xml b/xml/htdocs/security/en/glsa/glsa-200711-31.xml
new file mode 100644
index 00000000..17c69e95
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-31.xml
@@ -0,0 +1,67 @@
+ + + + + + + Net-SNMP: Denial of Service + + A Denial of Service vulnerability has been discovered in Net-SNMP when + processing GETBULK requests. + + net-snmp + November 20, 2007 + November 20, 2007: 01 + 198346 + remote + + + 5.4.1-r1 + 5.4.1-r1 + + + +

+ Net-SNMP is a collection of tools for generating and retrieving SNMP + data. +

+
+ +

+ The SNMP agent (snmpd) does not properly handle GETBULK requests with + an overly large "max-repetitions" field. +

+
+ +

+ A remote unauthenticated attacker could send a specially crafted SNMP + request to the vulnerable application, possibly resulting in a high CPU + and memory consumption. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Net-SNMP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.4.1-r1" +
+ + CVE-2007-5846 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-32.xml b/xml/htdocs/security/en/glsa/glsa-200711-32.xml
new file mode 100644
index 00000000..979bd22b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-32.xml
@@ -0,0 +1,70 @@
+ + + + + + + Feynmf: Insecure temporary file creation + + A vulnerability has been discovered in Feynmf allowing local users to + overwrite arbitrary files via a symlink attack. + + feynmf + November 20, 2007 + November 20, 2007: 01 + 198231 + local + + + 1.08-r2 + 1.08-r2 + + + +

+ Feynmf is a combined LaTeX and Metafont package for easy drawing of + professional quality Feynman (and maybe other) diagrams. +

+
+ +

+ Kevin B. McCarty discovered that the feynmf.pl script creates a + temporary "properly list" file at the location "$TMPDIR/feynmf$PID.pl", + where $PID is the process ID. +

+
+ +

+ A local attacker could create symbolic links in the directory where the + temporary files are written, pointing to a valid file somewhere on the + filesystem that is writable by the user running Feynmf. When Feynmf + writes the temporary file, the target valid file would then be + overwritten with the contents of the Feynmf temporary file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Feynmf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-tex/feynmf-1.08-r2" +
+ + CVE-2007-5940 + + + p-y + + + p-y + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-33.xml b/xml/htdocs/security/en/glsa/glsa-200711-33.xml
new file mode 100644
index 00000000..77b08915
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-33.xml
@@ -0,0 +1,70 @@
+ + + + + + + nss_ldap: Information disclosure + + A race condition might lead to theft of user credentials or information + disclosure in services using nss_ldap. + + nss_ldap + November 25, 2007 + November 25, 2007: 01 + 198390 + remote + + + 258 + 258 + + + +

+ nss_ldap is a Name Service Switch module which allows 'passwd', 'group' + and 'host' database information to be pulled from LDAP. +

+
+ +

+ Josh Burley reported that nss_ldap does not properly handle the LDAP + connections due to a race condition that can be triggered by + multi-threaded applications using nss_ldap, which might lead to + requested data being returned to a wrong process. +

+
+ +

+ Remote attackers could exploit this race condition by sending queries + to a vulnerable server using nss_ldap, possibly leading to theft of + user credentials or information disclosure (e.g. Dovecot returning + wrong mailbox contents). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All nss_ldap users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-auth/nss_ldap-258" +
+ + CVE-2007-5794 + + + p-y + + + p-y + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200711-34.xml b/xml/htdocs/security/en/glsa/glsa-200711-34.xml
new file mode 100644
index 00000000..12e07f77
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200711-34.xml
@@ -0,0 +1,74 @@
+ + + + + + + CSTeX: Multiple vulnerabilities + + Multiple vulnerabilities were discovered in CSTeX, possibly allowing to + execute arbitrary code or overwrite arbitrary files. + + cstetex + November 25, 2007 + November 25, 2007: 01 + 196673 + remote + + + 2.0.2-r2 + + + +

+ CSTeX is a TeX distribution with Czech and Slovak support. It is used + for creating and manipulating LaTeX documents. +

+
+ +

+ Multiple issues were found in the teTeX 2 codebase that CSTeX builds + upon (GLSA 200709-17, GLSA 200711-26). CSTeX also includes vulnerable + code from the GD library (GLSA 200708-05), from Xpdf (GLSA 200709-12, + GLSA 200711-22) and from T1Lib (GLSA 200710-12). +

+
+ +

+ Remote attackers could possibly execute arbitrary code and local + attackers could possibly overwrite arbitrary files with the privileges + of the user running CSTeX via multiple vectors. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ CSTeX is not maintained upstream, so the package was masked in Portage. + We recommend that users unmerge CSTeX: +

+ + # emerge --unmerge app-text/cstetex +

+ As an alternative, users should upgrade their systems to use teTeX or + TeX Live with its Babel packages. +

+
+ + GLSA 200708-05 + GLSA 200709-12 + GLSA 200709-17 + GLSA 200710-12 + GLSA 200711-22 + GLSA 200711-26 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-01.xml b/xml/htdocs/security/en/glsa/glsa-200712-01.xml
new file mode 100644
index 00000000..fa61c6c4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200712-01.xml
@@ -0,0 +1,64 @@
+ + + + + + + Hugin: Insecure temporary file creation + + A vulnerability has been discovered in Hugin, potentially allowing for a + Denial of Service. + + hugin + December 05, 2007 + December 05, 2007: 01 + 195996 + local + + + 0.6.1-r1 + 0.7_beta4-r1 + 0.7_beta4-r1 + + + +

+ Hugin is a GUI for creating and processing panoramic images. +

+
+ +

+ Suse Linux reported that Hugin creates the + "hugin_debug_optim_results.txt" temporary file in an insecure manner. +

+
+ +

+ A local attacker could exploit this vulnerability with a symlink + attack, potentially overwriting an arbitrary file with the privileges + of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Hugin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/hugin-0.6.1-r1" +
+ + CVE-2007-5200 + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-02.xml b/xml/htdocs/security/en/glsa/glsa-200712-02.xml
new file mode 100644
index 00000000..72043280
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200712-02.xml
@@ -0,0 +1,67 @@
+ + + + + + + Cacti: SQL injection + + An SQL injection vulnerability has been discovered in Cacti. + + cacti + December 05, 2007 + December 05, 2007: 02 + 199509 + remote + + + 0.8.6j-r7 + 0.8.7a + 0.8.7a + + + +

+ Cacti is a complete web-based frontend to rrdtool. +

+
+ +

+ It has been reported that the "local_graph_id" variable used in the + file graph.php is not properly sanitized before being processed in an + SQL statement. +

+
+ +

+ A remote attacker could send a specially crafted request to the + vulnerable host, possibly resulting in the execution of arbitrary SQL + code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cacti users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.6j-r7" +
+ + CVE-2007-6035 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-03.xml b/xml/htdocs/security/en/glsa/glsa-200712-03.xml
new file mode 100644
index 00000000..5d53a3a3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200712-03.xml
@@ -0,0 +1,79 @@
+ + + + + + + GNU Emacs: Multiple vulnerabilities + + Two vulnerabilities were found in GNU Emacs possibly leading to the + execution of arbitrary code. + + emacs + December 09, 2007 + December 09, 2007: 01 + 197958 + 200297 + remote + + + 22.1-r3 + 21.4-r14 + 19 + 22.1-r3 + + + +

+ GNU Emacs is a highly extensible and customizable text editor. +

+
+ +

+ Drake Wilson reported that the hack-local-variables() function in GNU + Emacs 22 does not properly match assignments of local variables in a + file against a list of unsafe or risky variables, allowing to override + them (CVE-2007-5795). Andreas Schwab (SUSE) discovered a stack-based + buffer overflow in the format function when handling values with high + precision (CVE-2007-6109). +

+
+ +

+ Remote attackers could entice a user to open a specially crafted file + in GNU Emacs, possibly leading to the execution of arbitrary Emacs Lisp + code (via CVE-2007-5795) or arbitrary code (via CVE-2007-6109) with the + privileges of the user running GNU Emacs. +

+
+ +

+ The first vulnerability can be worked around by setting the + "enable-local-variables" option to "nil", disabling the processing of + local variable lists. GNU Emacs prior to version 22 is not affected by + this vulnerability. There is no known workaround for the second + vulnerability at this time. +

+
+ +

+ All GNU Emacs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/emacs-22.1-r3" +
+ + CVE-2007-5795 + CVE-2007-6109 + + + p-y + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-04.xml b/xml/htdocs/security/en/glsa/glsa-200712-04.xml
new file mode 100644
index 00000000..33246e00
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200712-04.xml
@@ -0,0 +1,69 @@
+ + + + + + + Cairo: User-assisted execution of arbitrary code + + Multiple integer overflows were discovered in Cairo, possibly leading to + the execution of arbitrary code. + + cairo + December 09, 2007 + December 09, 2007: 01 + 200350 + remote + + + 1.4.12 + 1.4.12 + + + +

+ Cairo is a 2D vector graphics library with cross-device output support. +

+
+ +

+ Multiple integer overflows were reported, one of which Peter Valchev + (Google Security) found to be leading to a heap-based buffer overflow + in the cairo_image_surface_create_from_png() function that processes + PNG images. +

+
+ +

+ A remote attacker could entice a user to view or process a specially + crafted PNG image file in an application linked against Cairo, possibly + leading to the execution of arbitrary code with the privileges of the + user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cairo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/cairo-1.4.12" +
+ + CVE-2007-5503 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-05.xml b/xml/htdocs/security/en/glsa/glsa-200712-05.xml
new file mode 100644
index 00000000..7db39df6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200712-05.xml
@@ -0,0 +1,70 @@
+ + + + + + + PEAR::MDB2: Information disclosure + + A vulnerability when handling database input in PEAR::MDB2 allows remote + attackers to obtain sensitive information. + + PEAR-MDB2 + December 09, 2007 + December 09, 2007: 01 + 198446 + remote + + + 2.5.0_alpha1 + 2.5.0_alpha1 + + + +

+ PEAR::MDB2 is a database abstraction layer for PHP aimed to provide a + common API for all supported relational database management systems. A + LOB ("large object") is a database field holding binary data. +

+
+ +

+ priyadi discovered that the request to store a URL string as a LOB is + treated as a request to retrieve and store the contents of the URL. +

+
+ +

+ If an application using PEAR::MDB2 allows input of LOB values via a web + form, remote attackers could use the application as an indirect proxy + or obtain sensitive information, including "file://" URLs local to the + web server. +

+
+ +

+ As a workaround, manually filter input before storing it as a LOB in + PEAR::MDB2. +

+
+ +

+ All PEAR::MDB2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/PEAR-MDB2-2.5.0_alpha1" +
+ + CVE-2007-5934 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-06.xml b/xml/htdocs/security/en/glsa/glsa-200712-06.xml
new file mode 100644
index 00000000..14b9ec49
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200712-06.xml
@@ -0,0 +1,68 @@
+ + + + + + + Firebird: Multiple buffer overflows + + Multiple stack-based buffer overflows were discovered in Firebird. + + firebird + December 09, 2007 + December 09, 2007: 01 + 195569 + remote + + + 2.0.3.12981.0-r2 + 2.0.3.12981.0-r2 + + + +

+ Firebird is a multi-platfrom, open source relational database. +

+
+ +

+ Adriano Lima and Ramon de Carvalho Valle reported that functions + isc_attach_database() and isc_create_database() do not perform proper + boundary checking when processing their input. +

+
+ +

+ A remote attacker could send specially crafted requests to the Firebird + server on TCP port 3050, possibly resulting in the execution of + arbitrary code with the privileges of the user running Firebird + (usually firebird). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Firebird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/firebird-2.0.3.12981.0-r2" +
+ + CVE-2007-4992 + CVE-2007-5246 + + + rbu + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-07.xml b/xml/htdocs/security/en/glsa/glsa-200712-07.xml
new file mode 100644
index 00000000..e54ef4b8
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200712-07.xml
@@ -0,0 +1,65 @@
+ + + + + + + Lookup: Insecure temporary file creation + + Lookup uses temporary files in an insecure manner, allowing for a symlink + attack. + + lookup + December 09, 2007 + December 09, 2007: 01 + 197306 + local + + + 1.4.1 + 1.4.1 + + + +

+ Lookup is a search interface to books and dictionnaries for Emacs. +

+
+ +

+ Tatsuya Kinoshita reported that the ndeb-binary function does not + handle temporay files correctly. +

+
+ +

+ A local attacker could use a symlink attack to overwrite files with the + privileges of the user running Lookup. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Lookup users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emacs/lookup-1.4.1" +
+ + CVE-2007-0237 + + + p-y + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-08.xml b/xml/htdocs/security/en/glsa/glsa-200712-08.xml
new file mode 100644
index 00000000..439da382
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200712-08.xml
@@ -0,0 +1,71 @@
+ + + + + + + AMD64 x86 emulation Qt library: Multiple vulnerabilities + + Multiple vulnerabilities in the AMD64 x86 emulation Qt library may lead to + the remote execution of arbitrary code in Qt applications. + + emul-linux-x86-qtlibs + December 09, 2007 + December 09, 2007: 01 + 189536 + remote + + + 20071114-r2 + 20071114-r2 + + + +

+ Qt is a cross-platform GUI framework, which is used e.g. by KDE. The + AMD64 x86 emulation Qt library packages Qt libraries for 32bit x86 + emulation on AMD64. +

+
+ +

+ The Qt versions used by the AMD64 x86 emulation Qt libraries were + vulnerable to several flaws (GLSA 200708-16, GLSA 200710-28) +

+
+ +

+ An attacker could trigger one of the vulnerabilities by causing a Qt + application to parse specially crafted text or Unicode strings, which + may lead to the execution of arbitrary code with the privileges of the + user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All AMD64 x86 emulation Qt library users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-qtlibs-20071114-r2" +
+ + GLSA 200708-16 + GLSA 200710-28 + + + rbu + + + welp + + + welp + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-09.xml b/xml/htdocs/security/en/glsa/glsa-200712-09.xml
new file mode 100644
index 00000000..50c67694
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200712-09.xml
@@ -0,0 +1,69 @@
+ + + + + + + Ruby-GNOME2: Format string error + + A format string error has been discovered in Ruby-GNOME2, possibly leading + to the execution of arbitrary code. + + ruby-gtk2 + December 09, 2007 + December 09, 2007: 01 + 200623 + remote + + + 0.16.0-r2 + 0.16.0-r2 + + + +

+ Ruby-GNOME2 is a set of bindings for using GTK+ within the Ruby + programming language. +

+
+ +

+ Chris Rohlf discovered that the "Gtk::MessageDialog.new()" method in + the file gtk/src/rbgtkmessagedialog.c does not properly sanitize the + "message" parameter before passing it to the gtk_message_dialog_new() + function. +

+
+ +

+ A remote attacker could send a specially crafted string to an + application using Ruby-GNOME2, possibly leading to the execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ruby-GNOME2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-ruby/ruby-gtk2-0.16.0-r2" +
+ + CVE-2007-6183 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-10.xml b/xml/htdocs/security/en/glsa/glsa-200712-10.xml new file mode 100644 index 00000000..afb02377 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-10.xml @@ -0,0 +1,67 @@ + + + + + + + Samba: Execution of arbitrary code + + Samba contains a buffer overflow vulnerability potentially resulting in the + execution of arbitrary code. + + samba + December 10, 2007 + December 10, 2007: 01 + 200773 + remote + + + 3.0.28 + 3.0.28 + + + +

+ Samba is a suite of SMB and CIFS client/server programs for UNIX. +

+
+ +

+ Alin Rad Pop (Secunia Research) discovered a boundary checking error in + the send_mailslot() function which could lead to a stack-based buffer + overflow. +

+
+ +

+ A remote attacker could send a specially crafted "SAMLOGON" domain + logon packet, possibly leading to the execution of arbitrary code with + elevated privileges. Note that this vulnerability is exploitable only + when domain logon support is enabled in Samba, which is not the case in + Gentoo's default configuration. +

+
+ +

+ Disable domain logon in Samba by setting "domain logons = no" in + the "global" section of your smb.conf and restart Samba. +

+
+ +

+ All Samba users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-3.0.28" +
+ + CVE-2007-6015 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-11.xml b/xml/htdocs/security/en/glsa/glsa-200712-11.xml new file mode 100644 index 00000000..80f40753 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-11.xml @@ -0,0 +1,66 @@ + + + + + + + Portage: Information disclosure + + Portage may disclose sensitive information when updating configuration + files. + + portage + December 13, 2007 + December 13, 2007: 01 + 193589 + local + + + 2.1.3.11 + 2.1.3.11 + + + +

+ Portage is the default Gentoo package management system. +

+
+ +

+ Mike Frysinger reported that the "etc-update" utility uses temporary + files with the standard umask, which results in the files being + world-readable when merging configuration files in a default setup. +

+
+ +

+ A local attacker could access sensitive information when configuration + files are being merged. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Portage users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/portage-2.1.3.11" +
+ + CVE-2007-6249 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-12.xml b/xml/htdocs/security/en/glsa/glsa-200712-12.xml new file mode 100644 index 00000000..7d0a761d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-12.xml @@ -0,0 +1,65 @@ + + + + + + + IRC Services: Denial of Service + + A Denial of Service vulnerability has been reported in IRC Services. + + ircservices + December 13, 2007 + December 13, 2007: 01 + 199897 + remote + + + 5.0.63 + 5.0.63 + + + +

+ IRC Services is a system of services to be used with Internet Relay + Chat networks. +

+
+ +

+ loverboy reported that the "default_encrypt()" function in file + encrypt.c does not properly handle overly long passwords. +

+
+ +

+ A remote attacker could provide an overly long password to the + vulnerable server, resulting in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All IRC Services users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/ircservices-5.0.63" +
+ + CVE-2007-6122 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-13.xml b/xml/htdocs/security/en/glsa/glsa-200712-13.xml new file mode 100644 index 00000000..702aead1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-13.xml @@ -0,0 +1,71 @@ + + + + + + + E2fsprogs: Multiple buffer overflows + + Multiple heap-based buffer overflows in E2fsprogs could result in the + execution of arbitrary code. + + e2fsprogs + December 18, 2007 + December 18, 2007: 01 + 201546 + remote + + + 1.40.3 + 1.40.3 + + + +

+ E2fsprogs provides utilities for use with the ext2 and ext3 file + systems including the libext2fs library that allows user-level programs + to manipulate an ext2 or ext3 file system. +

+
+ +

+ Rafal Wojtczuk (McAfee AVERT Research) discovered multiple integer + overflows in libext2fs, that are triggered when processing information + from within the file system, resulting in heap-based buffer overflows. +

+
+ +

+ An attacker could entice a user to process a specially-crafted ext2 or + ext3 file system image (with tools linking against libext2fs, e.g. + fsck, forensic tools or Xen's pygrub), possibly resulting in the + execution of arbitrary code with the privileges of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All E2fsprogs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-fs/e2fsprogs-1.40.3" +
+ + CVE-2007-5497 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-14.xml b/xml/htdocs/security/en/glsa/glsa-200712-14.xml new file mode 100644 index 00000000..798daebe --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-14.xml @@ -0,0 +1,92 @@ + + + + + + + CUPS: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in CUPS, allowing for the + remote execution of arbitrary code and a Denial of Service. + + cups + December 18, 2007 + December 18, 2007: 01 + 199195 + 201042 + 201570 + remote + + + 1.2.12-r4 + 1.3.5 + 1.3.5 + + + +

+ CUPS provides a portable printing layer for UNIX-based operating + systems. The alternate pdftops filter is a CUPS filter used to convert + PDF files to the Postscript format via Poppler; the filter is installed + by default in Gentoo Linux. +

+
+ +

+ Wei Wang (McAfee AVERT Research) discovered an integer underflow in the + asn1_get_string() function of the SNMP backend, leading to a + stack-based buffer overflow when handling SNMP responses + (CVE-2007-5849). Elias Pipping (Gentoo) discovered that the alternate + pdftops filter creates temporary files with predictable file names when + reading from standard input (CVE-2007-6358). Furthermore, the + resolution of a Denial of Service vulnerability covered in GLSA + 200703-28 introduced another Denial of Service vulnerability within SSL + handling (CVE-2007-4045). +

+
+ +

+ A remote attacker on the local network could exploit the first + vulnerability to execute arbitrary code with elevated privileges by + sending specially crafted SNMP messages as a response to an SNMP + broadcast request. A local attacker could exploit the second + vulnerability to overwrite arbitrary files with the privileges of the + user running the CUPS spooler (usually lp) by using symlink attacks. A + remote attacker could cause a Denial of Service condition via the third + vulnerability when SSL is enabled in CUPS. +

+
+ +

+ To disable SNMP support in CUPS, you have have to manually delete the + file "/usr/libexec/cups/backend/snmp". Please note that the file is + reinstalled if you merge CUPS again later. To disable the pdftops + filter, delete all lines referencing "pdftops" in CUPS' "mime.convs" + configuration file. To work around the third vulnerability, disable SSL + support via the corresponding USE flag. +

+
+ +

+ All CUPS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/cups-1.2.12-r4" +
+ + CVE-2007-4045 + CVE-2007-5849 + CVE-2007-6358 + GLSA 200703-28 + + + p-y + + + p-y + + + rbu + +
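Review bot: The workaround paragraph of glsa-200712-14.xml reads `you have have to manually delete`; the doubled word should be dropped. The same class of spelling slip appears in glsa-200712-22.xml (`vulnerabilites` in the impact paragraph) and glsa-200712-23.xml (`IPv6 amd USB` in the description), and since these advisories are published as-is, the text should be corrected before the files are served.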
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-15.xml b/xml/htdocs/security/en/glsa/glsa-200712-15.xml new file mode 100644 index 00000000..8552b155 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-15.xml @@ -0,0 +1,72 @@ + + + + + + + libexif: Multiple vulnerabilities + + Two vulnerabilities in libexif possibly allow for the execution of + arbitrary code or a Denial of Service. + + libexif + December 29, 2007 + December 29, 2007: 01 + 202350 + remote + + + 0.6.16-r1 + 0.6.16-r1 + + + +

+ libexif is a library for parsing, editing and saving Exif metadata from + images. Exif, the Exchangeable image file format, specifies the + addition of metadata tags to JPEG, TIFF and RIFF files. +

+
+ +

+ Meder Kydyraliev (Google Security) discovered an integer overflow + vulnerability in the exif_data_load_data_thumbnail() function leading + to a memory corruption (CVE-2007-6352) and an infinite recursion in the + exif_loader_write() function (CVE-2007-6351). +

+
+ +

+ An attacker could entice the user of an application making use of + libexif to load an image file with specially crafted Exif tags, + possibly resulting in the execution of arbitrary code with the + privileges of the user running the application or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libexif users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libexif-0.6.16-r1" +
+ + CVE-2007-6351 + CVE-2007-6352 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-16.xml b/xml/htdocs/security/en/glsa/glsa-200712-16.xml new file mode 100644 index 00000000..b5191f61 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-16.xml @@ -0,0 +1,71 @@ + + + + + + + Exiv2: Integer overflow + + An integer overflow vulnerability in Exiv2 possibly allows for the + execution of arbitrary code. + + exiv2 + December 29, 2007 + December 29, 2007: 01 + 202351 + remote + + + 0.13-r1 + 0.13-r1 + + + +

+ Exiv2 is a C++ library and set of tools for parsing, editing and saving + Exif and IPTC metadata from images. Exif, the Exchangeable image file + format, specifies the addition of metadata tags to JPEG, TIFF and RIFF + files. +

+
+ +

+ Meder Kydyraliev (Google Security) discovered an integer overflow + vulnerability in the JpegThumbnail::setDataArea() method leading to a + heap-based buffer overflow. +

+
+ +

+ An attacker could entice the user of an application making use of Exiv2 + or an application included in Exiv2 to load an image file with + specially crafted Exif tags, possibly resulting in the execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Exiv2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/exiv2-0.13-r1" +
+ + CVE-2007-6353 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-17.xml b/xml/htdocs/security/en/glsa/glsa-200712-17.xml new file mode 100644 index 00000000..43e5157f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-17.xml @@ -0,0 +1,76 @@ + + + + + + + exiftags: Multiple vulnerabilities + + Multiple vulnerabilities in exiftags possibly allow for the execution of + arbitrary code or a Denial of Service. + + exiftags + December 29, 2007 + December 29, 2007: 01 + 202354 + remote + + + 1.01 + 1.01 + + + +

+ exiftags is a library and set of tools for parsing, editing and saving + Exif metadata from images. Exif, the Exchangeable image file format, + specifies the addition of metadata tags to JPEG, TIFF and RIFF files. +

+
+ +

+ Meder Kydyraliev (Google Security) discovered that Exif metadata is not + properly sanitized before being processed, resulting in illegal memory + access in the postprop() and other functions (CVE-2007-6354). He also + discovered integer overflow vulnerabilities in the parsetag() and other + functions (CVE-2007-6355) and an infinite recursion in the readifds() + function caused by recursive IFD references (CVE-2007-6356). +

+
+ +

+ An attacker could entice the user of an application making use of + exiftags or an application included in exiftags to load an image file + with specially crafted Exif tags, possibly resulting in the execution + of arbitrary code with the privileges of the user running the + application or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All exiftags users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/exiftags-1.01" +
+ + CVE-2007-6354 + CVE-2007-6355 + CVE-2007-6356 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-18.xml b/xml/htdocs/security/en/glsa/glsa-200712-18.xml new file mode 100644 index 00000000..13f6756d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-18.xml @@ -0,0 +1,76 @@ + + + + + + + Multi-Threaded DAAP Daemon: Multiple vulnerabilities + + Multiple vulnerabilities in the web server in the Multi-Threaded DAAP + Daemon may lead to the remote execution of arbitrary code. + + mt-daapd + December 29, 2007 + December 29, 2007: 01 + 200110 + remote + + + 0.2.4.1 + 0.2.4.1 + + + +

+ Multi-Threaded DAAP Daemon (mt-daapd), also known as the Firefly Media + Server, is a software to serve digital music to the Roku Soundbridge + and Apple's iTunes. +

+
+ +

+ nnp discovered multiple vulnerabilities in the XML-RPC handler in the + file webserver.c. The ws_addarg() function contains a format string + vulnerability, as it does not properly sanitize username and password + data from the "Authorization: Basic" HTTP header line (CVE-2007-5825). + The ws_decodepassword() and ws_getheaders() functions do not correctly + handle empty Authorization header lines, or header lines without a ':' + character, leading to NULL pointer dereferences (CVE-2007-5824). +

+
+ +

+ A remote attacker could send specially crafted HTTP requests to the web + server in the Multi-Threaded DAAP Daemon, possibly leading to the + execution of arbitrary code with the privileges of the user running the + web server or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Multi-Threaded DAAP Daemon users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/mt-daapd-0.2.4.1" +
+ + CVE-2007-5824 + CVE-2007-5825 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-19.xml b/xml/htdocs/security/en/glsa/glsa-200712-19.xml new file mode 100644 index 00000000..cc78f7c8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-19.xml @@ -0,0 +1,65 @@ + + + + + + + Syslog-ng: Denial of Service + + A Denial of Service vulnerability has been discovered in Syslog-ng. + + syslog-ng + December 29, 2007 + December 29, 2007: 01 + 202718 + remote + + + 2.0.6 + 2.0.6 + + + +

+ Syslog-ng is a flexible and scalable system logger. +

+
+ +

+ Oriol Carreras reported a NULL pointer dereference in the + log_msg_parse() function when processing timestamps without a + terminating whitespace character. +

+
+ +

+ A remote attacker could send a specially crafted event to a vulnerable + Syslog-ng server, resulting in a crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Syslog-ng users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-2.0.6" +
+ + CVE-2007-6437 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-20.xml b/xml/htdocs/security/en/glsa/glsa-200712-20.xml new file mode 100644 index 00000000..901937d7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-20.xml @@ -0,0 +1,72 @@ + + + + + + + ClamAV: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in ClamAV allowing remote + execution of arbitrary code and Denial of Service attacks. + + clamav + December 29, 2007 + December 29, 2007: 01 + 202762 + remote + + + 0.91.2-r1 + 0.91.2-r1 + + + +

+ Clam AntiVirus is a free anti-virus toolkit for UNIX, designed + especially for e-mail scanning on mail gateways. +

+
+ +

+ iDefense reported an integer overflow vulnerability in the cli_scanpe() + function when parsing Portable Executable (PE) files packed in the MEW + format, that could be exploited to cause a heap-based buffer overflow + (CVE-2007-6335). Toeroek Edwin reported an off-by-one error when + decompressing MS-ZIP compressed CAB files (CVE-2007-6336). An + unspecified vulnerability related to the bzip2 decompression algorithm + has also been discovered (CVE-2007-6337). +

+
+ +

+ A remote attacker could entice a user or automated system to scan a + specially crafted file, possibly leading to the execution of arbitrary + code with the privileges of the user running ClamAV (either a system + user or the "clamav" user if clamd is compromised). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.91.2-r1" +
+ + CVE-2007-6335 + CVE-2007-6336 + CVE-2007-6337 + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-21.xml b/xml/htdocs/security/en/glsa/glsa-200712-21.xml new file mode 100644 index 00000000..49fc327c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-21.xml @@ -0,0 +1,104 @@ + + + + + + + Mozilla Firefox, SeaMonkey: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Mozilla Firefox and + Mozilla Seamonkey. + + firefox seamonkey + December 29, 2007 + December 29, 2007: 01 + 198965 + 200909 + remote + + + 2.0.0.11 + 2.0.0.11 + + + 2.0.0.11 + 2.0.0.11 + + + 1.1.7 + 1.1.7 + + + 1.1.7 + 1.1.7 + + + +

+ Mozilla Firefox is a cross-platform web browser from Mozilla. SeaMonkey + is a free, cross-platform Internet suite. +

+
+ +

+ Jesse Ruderman and Petko D. Petkov reported that the jar protocol + handler in Mozilla Firefox and Seamonkey does not properly check MIME + types (CVE-2007-5947). Gregory Fleischer reported that the + window.location property can be used to generate a fake HTTP Referer + (CVE-2007-5960). Multiple memory errors have also been reported + (CVE-2007-5959). +

+
+ +

+ A remote attacker could possibly exploit these vulnerabilities to + execute arbitrary code in the context of the browser and conduct + Cross-Site-Scripting or Cross-Site Request Forgery attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.11" +

+ All Mozilla Firefox binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.11" +

+ All SeaMonkey users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.7" +

+ All SeaMonkey binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.7" +
+ + CVE-2007-5947 + CVE-2007-5959 + CVE-2007-5960 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-22.xml b/xml/htdocs/security/en/glsa/glsa-200712-22.xml new file mode 100644 index 00000000..24880087 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-22.xml @@ -0,0 +1,71 @@ + + + + + + + Opera: Multiple vulnerabilities + + Multiple vulnerabilities were discovered in Opera, allowing for the + execution of arbitrary code and cross domain scripting. + + opera + December 30, 2007 + December 30, 2007: 01 + 202770 + remote + + + 9.25 + 9.25 + + + +

+ Opera is a fast Web browser that is available free of charge. +

+
+ +

+ David Bloom reported two vulnerabilities where plug-ins (CVE-2007-6520) + and Rich text editing (CVE-2007-6522) could be used to allow cross + domain scripting. Alexander Klink (Cynops GmbH) discovered an issue + with TLS certificates (CVE-2007-6521). Gynvael Coldwind reported that + bitmaps might reveal random data from memory (CVE-2007-6524). +

+
+ +

+ A remote attacker could exploit these vulnerabilites, possibly leading + to the execution of arbitrary code and cross domain scripting. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Opera users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/opera-9.25" +
+ + CVE-2007-6520 + CVE-2007-6521 + CVE-2007-6522 + CVE-2007-6524 + + + keytoaster + + + keytoaster + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-23.xml b/xml/htdocs/security/en/glsa/glsa-200712-23.xml new file mode 100644 index 00000000..522e96bd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-23.xml @@ -0,0 +1,92 @@ + + + + + + + Wireshark: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Wireshark, allowing for + the remote execution of arbitrary code and a Denial of Service. + + wireshark + December 30, 2007 + December 30, 2007: 01 + 199958 + remote + + + 0.99.7 + 0.99.7 + + + +

+ Wireshark is a network protocol analyzer with a graphical front-end. +

+
+ +

+ Multiple buffer overflows and infinite loops were discovered in + multiple dissector and parser components, including those for MP3 and + NCP (CVE-2007-6111), PPP (CVE-2007-6112), DNP (CVE-2007-6113), SSL and + iSeries (OS/400) Communication traces (CVE-2007-6114), ANSI MAP + (CVE-2007-6115), Firebird/Interbase (CVE-2007-6116), HTTP + (CVE-2007-6117), MEGACO (CVE-2007-6118), DCP ETSI (CVE-2007-6119), + Bluetooth SDP (CVE-2007-6120), RPC Portmap (CVE-2007-6121), SMB + (CVE-2007-6438), IPv6 amd USB (CVE-2007-6439), WiMAX (CVE-2007-6441), + RPL (CVE-2007-6450), CIP (CVE-2007-6451). The vulnerabilities were + discovered by Stefan Esser, Beyond Security, Fabiodds, Peter Leeming, + Steve and ainsley. +

+
+ +

+ A remote attacker could send specially crafted packets on a network + being monitored with Wireshark or entice a user to open a specially + crafted file, possibly resulting in the execution of arbitrary code + with the privileges of the user running Wireshark (which might be the + root user), or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Wireshark users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-0.99.7" +
+ + CVE-2007-6111 + CVE-2007-6112 + CVE-2007-6113 + CVE-2007-6114 + CVE-2007-6115 + CVE-2007-6116 + CVE-2007-6117 + CVE-2007-6118 + CVE-2007-6119 + CVE-2007-6120 + CVE-2007-6121 + CVE-2007-6438 + CVE-2007-6439 + CVE-2007-6441 + CVE-2007-6450 + CVE-2007-6451 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-24.xml b/xml/htdocs/security/en/glsa/glsa-200712-24.xml new file mode 100644 index 00000000..511749eb --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-24.xml @@ -0,0 +1,71 @@ + + + + + + + AMD64 x86 emulation GTK+ library: User-assisted execution of arbitrary code + + Multiple integer overflow vulnerabilities in the AMD64 x86 emulation GTK+ + libraries may result in the execution of arbitrary code in applications + using Cairo. + + emul-linux-x86-gtklibs + December 30, 2007 + December 30, 2007: 01 + 201860 + remote + + + 20071214 + 20071214 + + + +

+ Cairo is a 2D vector graphics library with cross-device output support. + The AMD64 x86 emulation GTK+ library packages Cairo libraries for 32bit + x86 emulation on AMD64. +

+
+ +

+ The Cairo versions used by the AMD64 x86 emulation GTK+ libraries were + vulnerable to integer overflow vulnerabilities (GLSA 200712-04). +

+
+ +

+ A remote attacker could entice a user to view or process a specially + crafted PNG image file in an application linked against Cairo, possibly + leading to the execution of arbitrary code with the privileges of the + user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All AMD64 x86 emulation GTK+ library users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-gtklibs-20071214" +
+ + GLSA 200712-04 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200712-25.xml b/xml/htdocs/security/en/glsa/glsa-200712-25.xml new file mode 100644 index 00000000..7425aa45 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200712-25.xml @@ -0,0 +1,89 @@ + + + + + + + OpenOffice.org: User-assisted arbitrary code execution + + An unspecified vulnerability has been reported in OpenOffice.org, possibly + allowing for the execution of arbitrary code. + + openoffice openoffice-bin hsqldb + December 30, 2007 + December 30, 2007: 01 + 200771 + 201799 + remote + + + 2.3.1 + 2.3.1 + + + 2.3.1 + 2.3.1 + + + 1.8.0.9 + 1.8.0.9 + + + +

+ OpenOffice.org is an open source office productivity suite, including + word processing, spreadsheet, presentation, drawing, data charting, + formula editing, and file conversion facilities. +

+
+ +

+ The HSQLDB engine, as used in Openoffice.org, does not properly enforce + restrictions to SQL statements. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + document, possibly resulting in the remote execution of arbitrary Java + code with the privileges of the user running OpenOffice.org. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenOffice.org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-2.3.1" +

+ All OpenOffice.org binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.3.1" +

+ All HSQLDB users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/hsqldb-1.8.0.9" +
+ + CVE-2007-4575 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-01.xml b/xml/htdocs/security/en/glsa/glsa-200801-01.xml new file mode 100644 index 00000000..3993a32c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200801-01.xml @@ -0,0 +1,66 @@ + + + + + + + unp: Arbitrary command execution + + unp allows execution of arbitrary code via malicious file names. + + remote + January 09, 2008 + January 09, 2008: 01 + 203106 + remote + + + 1.0.14 + 1.0.14 + + + +

+ unp is a script for unpacking various file formats. +

+
+ +

+ Erich Schubert from Debian discovered that unp does not escape file + names properly before passing them to calls of the shell. +

+
+ +

+ A remote attacker could entice a user or automated system to unpack a + compressed archive with a specially crafted file name, leading to the + execution of shell commands from within the filename. That code will be + executed with the privileges of the user running unp. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All unp users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/unp-1.0.14" +
+ + CVE-2007-6610 + + + rbu + + + rbu + + + p-y + +
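Review bot: The product field of glsa-200801-01.xml appears to hold `remote` instead of the package name; every other advisory in this commit names the package there (`samba`, `portage`, `ruby-gtk2`), and `remote` is already the value of the access field two lines further down. Judging by the resolution's `>=app-arch/unp-1.0.14`, the intended value is `unp`, and anything that indexes advisories by product would otherwise fail to associate this advisory with the package. The element tags are not visible in this view, so the field assignment is inferred from the position of the value in the header.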
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-02.xml b/xml/htdocs/security/en/glsa/glsa-200801-02.xml new file mode 100644 index 00000000..fe528803 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200801-02.xml @@ -0,0 +1,69 @@ + + + + + + + R: Multiple vulnerabilities + + Multiple vulnerabilities in R could result in the execution of arbitrary + code. + + R + January 09, 2008 + January 09, 2008: 02 + 198976 + remote + + + 2.2.1-r1 + 2.2.1-r1 + + + +

+ R is a GPL licensed implementation of S, a language and environment for + statistical computing and graphics. PCRE is a library providing + functions for Perl-compatible regular expressions. +

+
+ +

+ R includes a copy of PCRE which is vulnerable to multiple buffer + overflows and memory corruptions vulnerabilities (GLSA 200711-30). +

+
+ +

+ An attacker could entice a user to process specially crafted regular + expressions with R, which could possibly lead to the execution of + arbitrary code, a Denial of Service or the disclosure of sensitive + information. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All R users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/R-2.2.1-r1" +
+ + GLSA 200711-30 + + + rbu + + + rbu + + + py2 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-03.xml b/xml/htdocs/security/en/glsa/glsa-200801-03.xml new file mode 100644 index 00000000..f6cb19ef --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200801-03.xml @@ -0,0 +1,67 @@ + + + + + + + Claws Mail: Insecure temporary file creation + + Claws Mail uses temporary files in an insecure manner, allowing for a + symlink attack. + + claws-mail + January 09, 2008 + January 09, 2008: 01 + 201244 + local + + + 3.0.2-r1 + 3.0.2-r1 + + + +

+ Claws Mail is a GTK based e-mail client. +

+
+ +

+ Nico Golde from Debian reported that the sylprint.pl script that is + part of the Claws Mail tools creates temporary files in an insecure + manner. +

+
+ +

+ A local attacker could exploit this vulnerability to conduct symlink + attacks to overwrite files with the privileges of the user running + Claws Mail. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Claws Mail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/claws-mail-3.0.2-r1" +
+ + CVE-2007-6208 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-04.xml b/xml/htdocs/security/en/glsa/glsa-200801-04.xml new file mode 100644 index 00000000..b09b8e20 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200801-04.xml @@ -0,0 +1,65 @@ + + + + + + + OpenAFS: Denial of Service + + A Denial of Service vulnerability has been discovered in OpenAFS. + + openafs + January 09, 2008 + January 09, 2008: 01 + 203573 + remote + + + 1.4.6 + 1.4.6 + + + +

+ OpenAFS is a distributed network filesystem. +

+
+ +

+ Russ Allbery, Jeffrey Altman, Dan Hyde and Thomas Mueller discovered a + race condition due to an improper handling of the clients callbacks + lists. +

+
+ +

+ A remote attacker could construct cases which trigger the race + condition, resulting in a server crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenAFS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/openafs-1.4.6" +
+ + CVE-2007-6599 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-05.xml b/xml/htdocs/security/en/glsa/glsa-200801-05.xml new file mode 100644 index 00000000..9025ee1c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200801-05.xml @@ -0,0 +1,64 @@ + + + + + + + Squid: Denial of Service + + A Denial of Service vulnerability has been reported in Squid. + + squid + January 09, 2008 + January 09, 2008: 01 + 201209 + remote + + + 2.6.17 + 2.6.17 + + + +

+ Squid is a multi-protocol proxy server. +

+
+ +

+ The Wikimedia Foundation reported a memory leak vulnerability when + performing cache updates. +

+
+ +

+ A remote attacker could perform numerous specially crafted requests to + the vulnerable server, resulting in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Squid users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/squid-2.6.17" +
+ + CVE-2007-6239 + + + p-y + + + p-y + + + py2 + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-06.xml b/xml/htdocs/security/en/glsa/glsa-200801-06.xml new file mode 100644 index 00000000..68e8c5cf --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200801-06.xml @@ -0,0 +1,84 @@ + + + + + + + Xfce: Multiple vulnerabilities + + Multiple vulnerabilities in Xfce might allow user-assisted attackers to + execute arbitrary code. + + xfce4-panel libxfcegui4 + January 09, 2008 + January 10, 2008: 03 + 201292 + 201293 + remote + + + 4.4.2 + 4.4.2 + + + 4.4.2 + 4.4.2 + + + +

+ Xfce is a GTK+ 2 based desktop environment that allows to run a modern + desktop environment on modest hardware. +

+
+ +

+ Gregory Andersen reported that the Xfce4 panel does not correctly + calculate memory boundaries, leading to a stack-based buffer overflow + in the launcher_update_panel_entry() function (CVE-2007-6531). Daichi + Kawahata reported libxfcegui4 did not copy provided values when + creating "SessionClient" structs, possibly leading to access of freed + memory areas (CVE-2007-6532). +

+
+ +

+ A remote attacker could entice a user to install a specially crafted + "rc" file to execute arbitrary code via long strings in the "Name" and + "Comment" fields or via unspecified vectors involving the second + vulnerability. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Xfce4 panel users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=xfce-base/xfce4-panel-4.4.2" +

+ All libxfcegui4 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=xfce-base/libxfcegui4-4.4.2" +
+ + CVE-2007-6531 + CVE-2007-6532 + + + p-y + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-07.xml b/xml/htdocs/security/en/glsa/glsa-200801-07.xml
new file mode 100644
index 00000000..cc4622a2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-07.xml
@@ -0,0 +1,102 @@
+ + + + + + + Adobe Flash Player: Multiple vulnerabilities + + Multiple vulnerabilities have been identified, the worst of which allow + arbitrary code execution on a user's system via a malicious Flash file. + + adobe-flash + January 20, 2008 + May 28, 2009: 03 + 193519 + remote + + + 9.0.115.0 + 9.0.115.0 + + + +

+ The Adobe Flash Player is a renderer for the popular SWF file format, + which is commonly used to provide interactive websites, digital + experiences and mobile content. +

+
+ +
    +
  • Flash contains a copy of PCRE which is vulnerable to a heap-based + buffer overflow (GLSA 200711-30, CVE-2007-4768).
  • +
  • Aaron Portnoy reported an unspecified vulnerability related to + input validation (CVE-2007-6242).
  • +
  • Jesse Michael and Thomas Biege reported that Flash does not + correctly set memory permissions (CVE-2007-6246).
  • +
  • Dan Boneh, Adam Barth, Andrew Bortz, Collin Jackson, and Weidong + Shao reported that Flash does not pin DNS hostnames to a single IP + addresses, allowing for DNS rebinding attacks (CVE-2007-5275).
  • +
  • David Neu reported an error withing the implementation of the + Socket and XMLSocket ActionScript 3 classes (CVE-2007-4324).
  • +
  • Toshiharu Sugiyama reported that Flash does not sufficiently + restrict the interpretation and usage of cross-domain policy files, + allowing for easier cross-site scripting attacks (CVE-2007-6243).
  • +
  • Rich Cannings reported a cross-site scripting vulnerability in the + way the "asfunction:" protocol was handled (CVE-2007-6244).
  • +
  • Toshiharu Sugiyama discovered that Flash allows remote attackers to + modify HTTP headers for client requests and conduct HTTP Request + Splitting attacks (CVE-2007-6245).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted file + (usually in a web browser), possibly leading to the execution of + arbitrary code with the privileges of the user running the Adobe Flash + Player. The attacker could also cause a user's machine to establish TCP + sessions with arbitrary hosts, bypass the Security Sandbox Model, + obtain sensitive information, port scan arbitrary hosts, or conduct + cross-site-scripting attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Flash Player users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-9.0.115.0" +

+ Please be advised that unaffected packages of the Adobe Flash Player + have known problems when used from within the Konqueror and Opera + browsers. +

+
+ + CVE-2007-4324 + CVE-2007-4768 + CVE-2007-5275 + CVE-2007-6242 + CVE-2007-6243 + CVE-2007-6244 + CVE-2007-6245 + CVE-2007-6246 + GLSA 200711-30 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-08.xml b/xml/htdocs/security/en/glsa/glsa-200801-08.xml
new file mode 100644
index 00000000..7128b211
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-08.xml
@@ -0,0 +1,68 @@
+ + + + + + + libcdio: User-assisted execution of arbitrary code + + A buffer overflow vulnerability has been discovered in libcdio. + + libcdio + January 20, 2008 + January 20, 2008: 01 + 203777 + remote + + + 0.78.2-r4 + 0.78.2-r4 + + + +

+ libcdio is a library for accessing CD-ROM and CD images. +

+
+ +

+ Devon Miller reported a boundary error in the "print_iso9660_recurse()" + function in files cd-info.c and iso-info.c when processing long + filenames within Joliet images. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted ISO + image in the cd-info and iso-info applications, resulting in the + execution of arbitrary code with the privileges of the user running the + application. Applications linking against shared libraries of libcdio + are not affected. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libcdio users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libcdio-0.78.2-r4" +
+ + CVE-2007-6613 + + + rbu + + + p-y + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-09.xml b/xml/htdocs/security/en/glsa/glsa-200801-09.xml
new file mode 100644
index 00000000..0a8d1a71
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-09.xml
@@ -0,0 +1,106 @@
+ + + + + + + X.Org X server and Xfont library: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in the X.Org X server and + Xfont library, allowing for a local privilege escalation and arbitrary code + execution. + + xorg-server libXfont + January 20, 2008 + March 05, 2008: 03 + 204362 + 208343 + remote, local + + + 1.3.0.0-r5 + 1.3.0.0-r5 + + + 1.3.1-r1 + 1.3.1-r1 + + + +

+ The X Window System is a graphical windowing system based on a + client/server model. +

+
+ +

+ regenrecht reported multiple vulnerabilities in various X server + extension via iDefense: +

+
    +
  • The XFree86-Misc extension does not properly sanitize a parameter + within a PassMessage request, allowing the modification of a function + pointer (CVE-2007-5760).
  • +
  • Multiple functions in the XInput extension do not properly sanitize + client requests for swapping bytes, leading to corruption of heap + memory (CVE-2007-6427).
  • +
  • Integer overflow vulnerabilities in the EVI extension and in the + MIT-SHM extension can lead to buffer overflows (CVE-2007-6429).
  • +
  • The TOG-CUP extension does not sanitize an index value in the + ProcGetReservedColormapEntries() function, leading to arbitrary memory + access (CVE-2007-6428).
  • +
  • A buffer overflow was discovered in the Xfont library when + processing PCF font files (CVE-2008-0006).
  • +
  • The X server does not enforce restrictions when a user specifies a + security policy file and attempts to open it (CVE-2007-5958).
  • +
+
+ +

+ Remote attackers could exploit the vulnerability in the Xfont library + by enticing a user to load a specially crafted PCF font file resulting + in the execution of arbitrary code with the privileges of the user + running the X server, typically root. Local attackers could exploit + this and the vulnerabilities in the X.org extensions to gain elevated + privileges. If the X server allows connections from the network, these + vulnerabilities could be exploited remotely. A local attacker could + determine the existence of arbitrary files by exploiting the last + vulnerability or possibly cause a Denial of Service. +

+
+ +

+ Workarounds for some of the vulnerabilities can be found in the X.Org + security advisory as listed under References. +

+
+ +

+ All X.Org X server users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.3.0.0-r5" +

+ All X.Org Xfont library users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.3.1-r1" +
+ + CVE-2007-5760 + CVE-2007-5958 + CVE-2007-6427 + CVE-2007-6428 + CVE-2007-6429 + CVE-2008-0006 + X.Org security advisory + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-10.xml b/xml/htdocs/security/en/glsa/glsa-200801-10.xml
new file mode 100644
index 00000000..5bc8066b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-10.xml
@@ -0,0 +1,81 @@
+ + + + + + + TikiWiki: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in TikiWiki, some of them + having unknown impact. + + tikiwiki + January 23, 2008 + January 23, 2008: 01 + 203265 + remote + + + 1.9.9 + 1.9.9 + + + +

+ TikiWiki is an open source content management system written in PHP. +

+
+ +
  • Jesus Olmos Gonzalez from isecauditors reported insufficient + sanitization of the "movies" parameter in file tiki-listmovies.php + (CVE-2007-6528).
  • +
  • Mesut Timur from H-Labs discovered that the + input passed to the "area_name" parameter in file + tiki-special_chars.php is not properly sanitised before being returned + to the user (CVE-2007-6526).
  • +
  • redflo reported multiple + unspecified vulnerabilities in files tiki-edit_css.php, + tiki-list_games.php, and tiki-g-admin_shared_source.php + (CVE-2007-6529).
  • +
+
+ +

+ A remote attacker can craft the "movies" parameter to run a directory + traversal attack through a ".." sequence and read the first 1000 bytes + of any arbitrary file, or conduct a cross-site scripting (XSS) attack + through the "area_name" parameter. This attack can be exploited to + execute arbitrary HTML and script code in a user's browser session, + allowing for the theft of browser session data or cookies in the + context of the affected web site. The impacts of the unspecified + vulnerabilities are still unknown. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TikiWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.9.9" +
+ + CVE-2007-6526 + CVE-2007-6528 + CVE-2007-6529 + + + jaervosz + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-11.xml b/xml/htdocs/security/en/glsa/glsa-200801-11.xml
new file mode 100644
index 00000000..abfd4361
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-11.xml
@@ -0,0 +1,76 @@
+ + + + + + + CherryPy: Directory traversal vulnerability + + CherryPy is vulnerable to a directory traversal that could allow attackers + to read and write arbitrary files. + + cherrypy + January 27, 2008 + January 27, 2008: 01 + 204829 + remote + + + 2.2.1-r2 + 3.0.2-r1 + 3.0.2-r1 + + + +

+ CherryPy is a Python-based, object-oriented web development framework. +

+
+ +

+ CherryPy does not sanitize the session id, provided as a cookie value, + in the FileSession._get_file_path() function before using it as part of + the file name. +

+
+ +

+ A remote attacker could exploit this vulnerability to read and possibly + write arbitrary files on the web server, or to hijack valid sessions, + by providing a specially crafted session id. This only affects + applications using file-based sessions. +

+
+ +

+ Disable the "FileSession" functionality by using "PostgresqlSession" or + "RamSession" session management in your CherryPy application. +

+
+ +

+ All CherryPy 2.2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/cherrypy-2.2.1-r2" +

+ All CherryPy 3.0 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/cherrypy-3.0.2-r1" +
+ + CVE-2008-0252 + + + rbu + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-12.xml b/xml/htdocs/security/en/glsa/glsa-200801-12.xml
new file mode 100644
index 00000000..d98124e9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-12.xml
@@ -0,0 +1,69 @@
+ + + + + + + xine-lib: User-assisted execution of arbitrary code + + xine-lib is vulnerable to multiple heap-based buffer overflows when + processing RTSP streams. + + xine-lib + January 27, 2008 + January 27, 2008: 01 + 205197 + remote + + + 1.1.9.1 + 1.1.9.1 + + + +

+ xine-lib is the core library package for the xine media player. +

+
+ +

+ Luigi Auriemma reported that xine-lib does not properly check + boundaries when processing SDP attributes of RTSP streams, leading to + heap-based buffer overflows. +

+
+ +

+ An attacker could entice a user to play specially crafted RTSP video + streams with a player using xine-lib, potentially resulting in the + execution of arbitrary code with the privileges of the user running the + player. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.9.1" +
+ + CVE-2008-0225 + CVE-2008-0238 + + + jaervosz + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-13.xml b/xml/htdocs/security/en/glsa/glsa-200801-13.xml
new file mode 100644
index 00000000..7e28d3a9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-13.xml
@@ -0,0 +1,66 @@
+ + + + + + + ngIRCd: Denial of Service + + ngIRCd does not properly sanitize commands sent by users, allowing for a + Denial of Service. + + ngircd + January 27, 2008 + January 27, 2008: 02 + 204834 + remote + + + 0.10.4 + 0.10.4 + + + +

+ ngIRCd is a free open source daemon for Internet Relay Chat (IRC). +

+
+ +

+ The IRC_PART() function in the file irc-channel.c does not properly + check the number of parameters, referencing an invalid pointer if no + channel is supplied. +

+
+ +

+ A remote attacker can exploit this vulnerability to crash the ngIRCd + daemon. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ngIRCd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/ngircd-0.10.4" +
+ + CVE-2008-0285 + + + jaervosz + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-14.xml b/xml/htdocs/security/en/glsa/glsa-200801-14.xml
new file mode 100644
index 00000000..9fd470f2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-14.xml
@@ -0,0 +1,66 @@
+ + + + + + + Blam: User-assisted execution of arbitrary code + + Blam doesn't properly handle environment variables, potentially allowing a + local attacker to execute arbitrary code. + + blam + January 27, 2008 + January 27, 2008: 01 + 199841 + local + + + 1.8.4 + 1.8.4 + + + +

+ Blam is an RSS and Atom feed reader for GNOME written in C#. +

+
+ +

+ The "/usr/bin/blam" script sets the "LD_LIBRARY_PATH" environment + variable incorrectly, which might result in the current working + directory (.) being included when searching for dynamically linked + libraries of the Mono Runtime application. +

+
+ +

+ A local attacker could entice a user to run Blam in a directory + containing a specially crafted library file which could result in the + execution of arbitrary code with the privileges of the user running + Blam. +

+
+ +

+ Do not run Blam from an untrusted working directory. +

+
+ +

+ All Blam users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-news/blam-1.8.4" +
+ + CVE-2005-4790 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-15.xml b/xml/htdocs/security/en/glsa/glsa-200801-15.xml
new file mode 100644
index 00000000..bc74daa7
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-15.xml
@@ -0,0 +1,84 @@
+ + + + + + + PostgreSQL: Multiple vulnerabilities + + PostgreSQL contains multiple vulnerabilities that could result in privilege + escalation or a Denial of Service. + + postgresql + January 29, 2008 + January 29, 2008: 01 + 204760 + remote + + + 8.0.15 + 7.4.19 + 7.3.21 + 8.0.15 + + + +

+ PostgreSQL is an open source object-relational database management + system. +

+
+ +

+ If using the "expression indexes" feature, PostgreSQL executes index + functions as the superuser during VACUUM and ANALYZE instead of the + table owner, and allows SET ROLE and SET SESSION AUTHORIZATION in the + index functions (CVE-2007-6600). Additionally, several errors involving + regular expressions were found (CVE-2007-4769, CVE-2007-4772, + CVE-2007-6067). Eventually, a privilege escalation vulnerability via + unspecified vectors in the DBLink module was reported (CVE-2007-6601). + This vulnerability is exploitable when local trust or ident + authentication is used, and is due to an incomplete fix of + CVE-2007-3278. +

+
+ +

+ A remote authenticated attacker could send specially crafted queries + containing complex regular expressions to the server that could result + in a Denial of Service by a server crash (CVE-2007-4769), an infinite + loop (CVE-2007-4772) or a memory exhaustion (CVE-2007-6067). The two + other vulnerabilities can be exploited to gain additional privileges. +

+
+ +

+ There is no known workaround for all these issues at this time. +

+
+ +

+ All PostgreSQL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "dev-db/postgresql" +
+ + CVE-2007-3278 + CVE-2007-4769 + CVE-2007-4772 + CVE-2007-6067 + CVE-2007-6600 + CVE-2007-6601 + + + rbu + + + rbu + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-16.xml b/xml/htdocs/security/en/glsa/glsa-200801-16.xml
new file mode 100644
index 00000000..a985dc9a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-16.xml
@@ -0,0 +1,67 @@
+ + + + + + + MaraDNS: CNAME Denial of Service + + MaraDNS is prone to a Denial of Service vulnerability impacting CNAME + resolution. + + maradns + January 29, 2008 + January 29, 2008: 01 + 204351 + remote + + + 1.2.12.08 + 1.2.12.08 + + + +

+ MaraDNS is a package that implements the Domain Name Service (DNS) with + resolver and caching ability. +

+
+ +

+ Michael Krieger reported that a specially crafted DNS could prevent an + authoritative canonical name (CNAME) record from being resolved because + of an "improper rotation of resource records". +

+
+ +

+ A remote attacker could send specially crafted DNS packets to a + vulnerable server, making it unable to resolve CNAME records. +

+
+ +

+ Add "max_ar_chain = 2" to the "marac" configuration file. +

+
+ +

+ All MaraDNS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/maradns-1.2.12.09" +
+ + CVE-2008-0061 + + + rbu + + + falco + + + falco + +
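Review bot: The unaffected version in this advisory's header is given as 1.2.12.08, while the resolution block tells users to install `>=net-dns/maradns-1.2.12.09`; the two bounds disagree, so a system at exactly 1.2.12.08 is reported as fixed by the header but told to upgrade by the command, and any tooling that reads the version fields would presumably disagree with the printed instruction. If 1.2.12.08 is the fixed release, the command should read `# emerge --ask --oneshot --verbose ">=net-dns/maradns-1.2.12.08"`; otherwise the header's version fields should be raised to 1.2.12.09 so the advisory is internally consistent.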
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-17.xml b/xml/htdocs/security/en/glsa/glsa-200801-17.xml
new file mode 100644
index 00000000..aac19bd2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-17.xml
@@ -0,0 +1,66 @@
+ + + + + + + Netkit FTP Server: Denial of Service + + Netkit FTP Server contains a Denial of Service vulnerability. + + netkit-ftpd + January 29, 2008 + January 29, 2008: 01 + 199206 + remote + + + 0.17-r7 + 0.17-r7 + + + +

+ net-ftp/netkit-ftpd is the Linux Netkit FTP server with optional SSL + support. +

+
+ +

+ Venustech AD-LAB discovered that an FTP client connected to a + vulnerable server with passive mode and SSL support can trigger an + fclose() function call on an uninitialized stream in ftpd.c. +

+
+ +

+ A remote attacker can send specially crafted FTP data to a server with + passive mode and SSL support, causing the ftpd daemon to crash. +

+
+ +

+ Disable passive mode or SSL. +

+
+ +

+ All Netkit FTP Server users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/netkit-ftpd-0.17-r7" +
+ + CVE-2007-6263 + + + rbu + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-18.xml b/xml/htdocs/security/en/glsa/glsa-200801-18.xml
new file mode 100644
index 00000000..024cbc22
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-18.xml
@@ -0,0 +1,68 @@
+ + + + + + + Kazehakase: Multiple vulnerabilities + + Multiple vulnerabilities in Kazehakase could result in the execution of + arbitrary code. + + kazehakase + January 30, 2008 + January 30, 2008: 01 + 198983 + remote + + + 0.5.0 + 0.5.0 + + + +

+ Kazehakase is a web browser based on the Gecko engine. +

+
+ +

+ Kazehakase includes a copy of PCRE which is vulnerable to multiple + buffer overflows and memory corruptions vulnerabilities (GLSA + 200711-30). +

+
+ +

+ A remote attacker could entice a user to open specially crafted input + (e.g bookmarks) with Kazehakase, which could possibly lead to the + execution of arbitrary code, a Denial of Service or the disclosure of + sensitive information. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Kazehakase users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/kazehakase-0.5.0" +
+ + GLSA-200711-30 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-19.xml b/xml/htdocs/security/en/glsa/glsa-200801-19.xml
new file mode 100644
index 00000000..75ff7075
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-19.xml
@@ -0,0 +1,74 @@
+ + + + + + + GOffice: Multiple vulnerabilities + + Multiple vulnerabilities in GOffice could result in the execution of + arbitrary code. + + goffice + January 30, 2008 + January 30, 2008: 01 + 198385 + remote + + + 0.6.1 + 0.4.3 + 0.6.1 + + + +

+ GOffice is a library of document-centric objects and utilities based on + GTK. +

+
+ +

+ GOffice includes a copy of PCRE which is vulnerable to multiple buffer + overflows and memory corruptions vulnerabilities (GLSA 200711-30). +

+
+ +

+ An attacker could entice a user to open specially crafted documents + with GOffice, which could possibly lead to the execution of arbitrary + code, a Denial of Service or the disclosure of sensitive information. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GOffice 0.4.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/goffice-0.4.3" +

+ All GOffice 0.6.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/goffice-0.6.1" +
+ + GLSA-200711-30 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-20.xml b/xml/htdocs/security/en/glsa/glsa-200801-20.xml
new file mode 100644
index 00000000..7923a4aa
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-20.xml
@@ -0,0 +1,68 @@
+ + + + + + + libxml2: Denial of Service + + A Denial of Service vulnerability has been reported in libxml2. + + libxml2 + January 30, 2008 + January 30, 2008: 01 + 202628 + remote + + + 2.6.30-r1 + 2.6.30-r1 + + + +

+ libxml2 is the XML (eXtended Markup Language) C parser and toolkit + initially developed for the Gnome project. +

+
+ +

+ Brad Fitzpatrick reported that the xmlCurrentChar() function does not + properly handle some UTF-8 multibyte encodings. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted XML + document with an application using libxml2, possibly resulting in a + high CPU consumption. Note that this vulnerability could also be + triggered without user interaction by an automated system processing + XML content. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libxml2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.6.30-r1" +
+ + CVE-2007-6284 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-21.xml b/xml/htdocs/security/en/glsa/glsa-200801-21.xml
new file mode 100644
index 00000000..83be6af1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-21.xml
@@ -0,0 +1,68 @@
+ + + + + + + Xdg-Utils: Arbitrary command execution + + A vulnerability has been discovered in Xdg-Utils, allowing for the remote + execution of arbitrary commands. + + xdg-utils + January 30, 2008 + January 30, 2008: 01 + 207331 + remote + + + 1.0.2-r1 + 1.0.2-r1 + + + +

+ Xdg-Utils is a set of tools allowing all applications to easily + integrate with the Free Desktop configuration. +

+
+ +

+ Miroslav Lichvar discovered that the "xdg-open" and "xdg-email" shell + scripts do not properly sanitize their input before processing it. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted link + with a vulnerable application using Xdg-Utils (e.g. an email client), + resulting in the execution of arbitrary code with the privileges of the + user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Xdg-Utils users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-misc/xdg-utils-1.0.2-r1" +
+ + CVE-2008-0386 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200801-22.xml b/xml/htdocs/security/en/glsa/glsa-200801-22.xml
new file mode 100644
index 00000000..99db828e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200801-22.xml
@@ -0,0 +1,66 @@
+ + + + + + + PeerCast: Buffer overflow + + A buffer overflow vulnerability has been discovered in PeerCast. + + peercast + January 30, 2008 + January 30, 2008: 02 + 202747 + remote + + + 0.1218 + 0.1218 + + + +

+ PeerCast is a client and server for P2P-radio network +

+
+ +

+ Luigi Auriemma reported a heap-based buffer overflow within the + "handshakeHTTP()" function when processing HTTP requests. +

+
+ +

+ A remote attacker could send a specially crafted request to the + vulnerable server, possibly resulting in the remote execution of + arbitrary code with the privileges of the user running the PeerCast + server, usually "nobody". +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PeerCast users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/peercast-0.1218" +
+ + CVE-2007-6454 + + + p-y + + + p-y + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200802-01.xml b/xml/htdocs/security/en/glsa/glsa-200802-01.xml
new file mode 100644
index 00000000..83811479
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200802-01.xml
@@ -0,0 +1,72 @@
+ + + + + + + SDL_image: Two buffer overflow vulnerabilities + + Two boundary errors have been identified in SDL_image allowing for the + remote execution of arbitrary code or the crash of the application using + the library. + + sdl-image + February 06, 2008 + February 06, 2008: 01 + 207933 + remote + + + 1.2.6-r1 + 1.2.6-r1 + + + +

+ SDL_image is an image file library that loads images as SDL surfaces, + and supports various formats like BMP, GIF, JPEG, LBM, PCX, PNG, PNM, + TGA, TIFF, XCF, XPM, and XV. +

+
+ +

+ The LWZReadByte() function in file IMG_gif.c and the IMG_LoadLBM_RW() + function in file IMG_lbm.c each contain a boundary error that can be + triggered to cause a static buffer overflow and a heap-based buffer + overflow. The first boundary error comes from some old vulnerable GD + PHP code (CVE-2006-4484). +

+
+ +

+ A remote attacker can make an application using the SDL_image library + to process a specially crafted GIF file or IFF ILBM file that will + trigger a buffer overflow, resulting in the execution of arbitrary code + with the permissions of the application or the application crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SDL_image users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/sdl-image-1.2.6-r1" +
+ + SA28640 + CVE-2007-6697 + CVE-2008-0544 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200802-02.xml b/xml/htdocs/security/en/glsa/glsa-200802-02.xml
new file mode 100644
index 00000000..42e3df4d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200802-02.xml
@@ -0,0 +1,77 @@
+ + + + + + + Doomsday: Multiple vulnerabilities + + Multiple vulnerabilities in Doomsday might allow remote execution of + arbitrary code or a Denial of Service. + + doomsday + February 06, 2008 + February 10, 2008: 02 + 190835 + remote + + + 1.9.0_beta52 + + + +

+ The Doomsday Engine (deng) is a modern gaming engine for popular ID + games like Doom, Heretic and Hexen. +

+
+ +

+ Luigi Auriemma discovered multiple buffer overflows in the + D_NetPlayerEvent() function, the Msg_Write() function and the + NetSv_ReadCommands() function. He also discovered errors when handling + chat messages that are not NULL-terminated (CVE-2007-4642) or contain a + short data length, triggering an integer underflow (CVE-2007-4643). + Furthermore a format string vulnerability was discovered in the + Cl_GetPackets() function when processing PSV_CONSOLE_TEXT messages + (CVE-2007-4644). +

+
+ +

+ A remote attacker could exploit these vulnerabilities to execute + arbitrary code with the rights of the user running the Doomsday server + or cause a Denial of Service by sending specially crafted messages to + the server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ While some of these issues could be resolved in + "games-fps/doomsday-1.9.0-beta5.2", the format string vulnerability + (CVE-2007-4644) remains unfixed. We recommend that users unmerge + Doomsday: +

+ + # emerge --unmerge games-fps/doomsday +
+ + CVE-2007-4642 + CVE-2007-4643 + CVE-2007-4644 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200802-03.xml b/xml/htdocs/security/en/glsa/glsa-200802-03.xml
new file mode 100644
index 00000000..455041ff
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200802-03.xml
@@ -0,0 +1,64 @@
+ + + + + + + Horde IMP: Security bypass + + Insufficient checks in Horde may allow a remote attacker to bypass security + restrictions. + + horde-imp + February 11, 2008 + February 11, 2008: 01 + 205377 + remote + + + 4.1.6 + 4.1.6 + + + +

+ Horde IMP provides a web-based access to IMAP and POP3 mailboxes. +

+
+ +

+ Ulf Harnhammar, Secunia Research discovered that the "frame" and + "frameset" HTML tags are not properly filtered out. He also reported + that certain HTTP requests are executed without being checked. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted HTML + e-mail, possibly resulting in the deletion of arbitrary e-mail + messages. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Horde IMP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-imp-4.1.6" +
+ + CVE-2007-6018 + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200802-04.xml b/xml/htdocs/security/en/glsa/glsa-200802-04.xml
new file mode 100644
index 00000000..7d943ffc
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200802-04.xml
@@ -0,0 +1,77 @@
+ + + + + + + Gallery: Multiple vulnerabilities + + Multiple vulnerabilities were discovered in Gallery. + + gallery + February 11, 2008 + February 11, 2008: 01 + 203217 + remote + + + 2.2.4 + 2.0 + 2.2.4 + + + +

+ Gallery is a web-based application for creating and viewing photo + albums. +

+
+ +

+ The Gallery developement team reported and fixed critical + vulnerabilities during an internal audit (CVE-2007-6685, CVE-2007-6686, + CVE-2007-6687, CVE-2007-6688, CVE-2007-6689, CVE-2007-6690, + CVE-2007-6691, CVE-2007-6692, CVE-2007-6693). +

+
+ +

+ A remote attacker could exploit these vulnerabilities to execute + arbitrary code, conduct Cross-Site Scripting and Cross-Site Request + Forgery attacks, or disclose sensitive informations. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Gallery users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/gallery-2.2.4" +
+ + CVE-2007-6685 + CVE-2007-6686 + CVE-2007-6687 + CVE-2007-6688 + CVE-2007-6689 + CVE-2007-6690 + CVE-2007-6691 + CVE-2007-6692 + CVE-2007-6693 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200802-05.xml b/xml/htdocs/security/en/glsa/glsa-200802-05.xml new file mode 100644 index 00000000..67f9c4aa --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200802-05.xml @@ -0,0 +1,68 @@ + + + + + + + Gnumeric: User-assisted execution of arbitrary code + + Several integer overflow vulnerabilities have been reported in Gnumeric, + possibly resulting in user-assisted execution of arbitrary code. + + gnumeric + February 12, 2008 + February 12, 2008: 01 + 208356 + remote + + + 1.8.1 + 1.8.1 + + + +

+ The Gnumeric spreadsheet is a versatile application developed as part + of the GNOME Office project. +

+
+ +

+ Multiple integer overflow and signedness errors have been reported in + the excel_read_HLINK() function in file plugins/excel/ms-excel-read.c + when processing XLS HLINK opcodes. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted XLS + file, possibly resulting in the remote execution of arbitrary code with + the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Gnumeric users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/gnumeric-1.8.1" +
+ + CVE-2008-0668 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200802-06.xml b/xml/htdocs/security/en/glsa/glsa-200802-06.xml new file mode 100644 index 00000000..8c36bdb8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200802-06.xml @@ -0,0 +1,75 @@ + + + + + + + scponly: Multiple vulnerabilities + + Multiple vulnerabilities in scponly allow authenticated users to bypass + security restrictions. + + scponly + February 12, 2008 + February 13, 2008: 02 + 201726 + 203099 + local + + + 4.8 + 4.8 + + + +

+ scponly is a shell for restricting user access to file transfer only + using sftp and scp. +

+
+ +

+ Joachim Breitner reported that Subversion and rsync support invokes + subcommands in an insecure manner (CVE-2007-6350). It has also been + discovered that scponly does not filter the -o and -F options to the + scp executable (CVE-2007-6415). +

+
+ +

+ A local attacker could exploit these vulnerabilities to elevate + privileges and execute arbitrary commands on the vulnerable host. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All scponly users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/scponly-4.8" +

+ Due to the design of scponly's Subversion support, security + restrictions can still be circumvented. Please read carefully the + SECURITY file included in the package. +

+
+ + CVE-2007-6350 + CVE-2007-6415 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200802-07.xml b/xml/htdocs/security/en/glsa/glsa-200802-07.xml new file mode 100644 index 00000000..b0c4e2f5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200802-07.xml @@ -0,0 +1,67 @@ + + + + + + + Pulseaudio: Privilege escalation + + A vulnerability in pulseaudio may allow a local user to execute actions + with escalated privileges. + + pulseaudio + February 13, 2008 + February 13, 2008: 01 + 207214 + local + + + 0.9.9 + 0.9.9 + + + +

+ Pulseaudio is a networked sound server with an advanced plugin system. +

+
+ +

+ Marcus Meissner from SUSE reported that the pa_drop_root() function + does not properly check the return value of the system calls setuid(), + seteuid(), setresuid() and setreuid() when dropping its privileges. +

+
+ +

+ A local attacker could cause a resource exhaustion to make the system + calls fail, which would cause Pulseaudio to run as root. The attacker + could then perform actions with root privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Pulseaudio users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/pulseaudio-0.9.9" +
+ + CVE-2008-0008 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200802-08.xml b/xml/htdocs/security/en/glsa/glsa-200802-08.xml new file mode 100644 index 00000000..0f7a2882 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200802-08.xml @@ -0,0 +1,70 @@ + + + + + + + Boost: Denial of Service + + Two vulnerabilities have been reported in Boost, each one possibly + resulting in a Denial of Service. + + boost + February 14, 2008 + February 14, 2008: 01 + 205955 + remote + + + 1.34.1-r2 + 1.34.1-r2 + + + +

+ Boost is a set of C++ libraries, including the Boost.Regex library to + process regular expressions. +

+
+ +

+ Tavis Ormandy and Will Drewry from the Google Security Team reported a + failed assertion in file regex/v4/perl_matcher_non_recursive.hpp + (CVE-2008-0171) and a NULL pointer dereference in function + get_repeat_type() file basic_regex_creator.hpp (CVE-2008-0172) when + processing regular expressions. +

+
+ +

+ A remote attacker could provide specially crafted regular expressions + to an application using Boost, resulting in a crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Boost users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/boost-1.34.1-r2" +
+ + CVE-2008-0171 + CVE-2008-0172 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200802-09.xml b/xml/htdocs/security/en/glsa/glsa-200802-09.xml new file mode 100644 index 00000000..cc1556a7 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200802-09.xml @@ -0,0 +1,70 @@ + + + + + + + ClamAV: Multiple vulnerabilities + + Multiple vulnerabilities in ClamAV may result in the remote execution of + arbitrary code. + + clamav + February 21, 2008 + February 21, 2008: 01 + 209915 + remote + + + 0.92.1 + 0.92.1 + + + +

+ Clam AntiVirus is a free anti-virus toolkit for UNIX, designed + especially for e-mail scanning on mail gateways. +

+
+ +

+ An integer overflow has been reported in the "cli_scanpe()" function in + file libclamav/pe.c (CVE-2008-0318). Another unspecified vulnerability + has been reported in file libclamav/mew.c (CVE-2008-0728). +

+
+ +

+ A remote attacker could entice a user or automated system to scan a + specially crafted file, possibly leading to the execution of arbitrary + code with the privileges of the user running ClamAV (either a system + user or the "clamav" user if clamd is compromised). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.92.1" +
+ + CVE-2008-0318 + CVE-2008-0728 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200802-10.xml b/xml/htdocs/security/en/glsa/glsa-200802-10.xml new file mode 100644 index 00000000..ac0c4123 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200802-10.xml @@ -0,0 +1,69 @@ + + + + + + + Python: PCRE Integer overflow + + A vulnerability within Python's copy of PCRE might lead to the execution of + arbitrary code. + + python + February 23, 2008 + February 23, 2008: 01 + 198373 + remote + + + 2.3.6-r4 + 2.3.6-r4 + + + +

+ Python is an interpreted, interactive, object-oriented programming + language. +

+
+ +

+ Python 2.3 includes a copy of PCRE which is vulnerable to an integer + overflow vulnerability, leading to a buffer overflow. +

+
+ +

+ An attacker could exploit the vulnerability by tricking a vulnerable + Python application to compile a regular expressions, which could + possibly lead to the execution of arbitrary code, a Denial of Service + or the disclosure of sensitive information. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Python 2.3 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.3.6-r4" +
+ + CVE-2006-7228 + GLSA 200711-30 + + + rbu + + + jaervosz + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200802-11.xml b/xml/htdocs/security/en/glsa/glsa-200802-11.xml new file mode 100644 index 00000000..a337aa14 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200802-11.xml @@ -0,0 +1,87 @@ + + + + + + + Asterisk: Multiple vulnerabilities + + Multiple vulnerabilities have been found in Asterisk. + + asterisk + February 26, 2008 + February 26, 2008: 01 + 185713 + remote + + + 1.2.17-r1 + 1.2.21.1-r1 + 1.2.21.1-r1 + + + +

+ Asterisk is an open source telephony engine and tool kit. +

+
+ +

+ Multiple vulnerabilities have been found in Asterisk: +

+
    +
  • Russel Bryant reported a stack buffer overflow in the IAX2 channel + driver (chan_iax2) when bridging calls between chan_iax2 and any + channel driver that uses RTP for media (CVE-2007-3762).
  • +
  • Chris + Clark and Zane Lackey (iSEC Partners) reported a NULL pointer + dereference in the IAX2 channel driver (chan_iax2) + (CVE-2007-3763).
  • +
  • Will Drewry (Google Security) reported a + vulnerability in the Skinny channel driver (chan_skinny), resulting in + an overly large memcpy (CVE-2007-3764).
  • +
  • Will Drewry (Google + Security) reported a vulnerability in the IAX2 channel driver + (chan_iax2), that does not correctly handle unauthenticated + transactions using a 3-way handshake (CVE-2007-4103).
  • +
+
+ +

+ By sending a long voice or video RTP frame, a remote attacker could + possibly execute arbitrary code on the target machine. Sending + specially crafted LAGRQ or LAGRP frames containing information elements + of IAX frames, or a certain data length value in a crafted packet, or + performing a flood of calls not completing a 3-way handshake, could + result in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Asterisk users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.17-r1" +
+ + CVE-2007-3762 + CVE-2007-3763 + CVE-2007-3764 + CVE-2007-4103 + + + jaervosz + + + keytoaster + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200802-12.xml b/xml/htdocs/security/en/glsa/glsa-200802-12.xml new file mode 100644 index 00000000..94174169 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200802-12.xml @@ -0,0 +1,73 @@ + + + + + + + xine-lib: User-assisted execution of arbitrary code + + xine-lib is vulnerable to multiple buffer overflows when processing FLAC + and ASF streams. + + xine-lib + February 26, 2008 + March 03, 2008: 02 + 209106 + 208100 + remote + + + 1.1.10.1 + 1.1.10.1 + + + +

+ xine-lib is the core library package for the xine media player. +

+
+ +

+ Damian Frizza and Alfredo Ortega (Core Security Technologies) + discovered a stack-based buffer overflow within the open_flac_file() + function in the file demux_flac.c when parsing tags within a FLAC file + (CVE-2008-0486). A buffer overflow when parsing ASF headers, which is + similar to CVE-2006-1664, has also been discovered (CVE-2008-1110). +

+
+ +

+ A remote attacker could entice a user to play specially crafted FLAC or + ASF video streams with a player using xine-lib, potentially resulting + in the execution of arbitrary code with the privileges of the user + running the player. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.10.1" +
+ + CVE-2006-1664 + CVE-2008-0486 + CVE-2008-1110 + + + jaervosz + + + jaervosz + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-01.xml b/xml/htdocs/security/en/glsa/glsa-200803-01.xml new file mode 100644 index 00000000..75eb3d69 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-01.xml @@ -0,0 +1,89 @@ + + + + + + + Adobe Acrobat Reader: Multiple vulnerabilities + + Adobe Acrobat Reader is vulnerable to remote code execution, Denial of + Service, and cross-site request forgery attacks. + + acroread + March 02, 2008 + March 05, 2008: 05 + 170177 + remote + + + 8.1.2 + 8.1.2 + + + +

+ Adobe Acrobat Reader is a PDF reader released by Adobe. +

+
+ +

+ Multiple vulnerabilities have been discovered in Adobe Acrobat Reader, + including: +

+
  • A file disclosure when using file:// in PDF documents + (CVE-2007-1199)
  • +
  • Multiple buffer overflows in unspecified Javascript methods + (CVE-2007-5659)
  • +
  • An unspecified vulnerability in the Escript.api plugin + (CVE-2007-5663)
  • +
  • An untrusted search path (CVE-2007-5666)
  • +
  • Incorrect handling of printers (CVE-2008-0667)
  • +
  • An integer overflow when passing incorrect arguments to + "printSepsWithParams" (CVE-2008-0726)
  • +
+

+ Other unspecified vulnerabilities have also been reported + (CVE-2008-0655). +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + document, possibly resulting in the remote execution of arbitrary code + with the privileges of the user running the application. A remote + attacker could also perform cross-site request forgery attacks, or + cause a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Acrobat Reader users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/acroread-8.1.2" +
+ + CVE-2007-1199 + CVE-2007-5659 + CVE-2007-5663 + CVE-2007-5666 + CVE-2008-0655 + CVE-2008-0667 + CVE-2008-0726 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-02.xml b/xml/htdocs/security/en/glsa/glsa-200803-02.xml new file mode 100644 index 00000000..0881ddab --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-02.xml @@ -0,0 +1,70 @@ + + + + + + + Firebird: Multiple vulnerabilities + + Multiple vulnerabilities in Firebird may allow the remote execution of + arbitrary code. + + firebird + March 02, 2008 + March 02, 2008: 01 + 208034 + remote + + + 2.0.3.12981.0-r5 + 2.0.3.12981.0-r5 + + + +

+ Firebird is a multi-platform, open source relational database. +

+
+ +

+ Firebird does not properly handle certain types of XDR requests, + resulting in an integer overflow (CVE-2008-0387). Furthermore, it is + vulnerable to a buffer overflow when processing usernames + (CVE-2008-0467). +

+
+ +

+ A remote attacker could send specially crafted XDR requests or an + overly long username to the vulnerable server, possibly resulting in + the remote execution of arbitrary code with the privileges of the user + running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Firebird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/firebird-2.0.3.12981.0-r5" +
+ + CVE-2008-0387 + CVE-2008-0467 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-03.xml b/xml/htdocs/security/en/glsa/glsa-200803-03.xml new file mode 100644 index 00000000..0ec40067 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-03.xml @@ -0,0 +1,66 @@ + + + + + + + Audacity: Insecure temporary file creation + + Audacity uses temporary files in an insecure manner, allowing for a symlink + attack. + + audacity + March 02, 2008 + March 02, 2008: 01 + 199751 + local + + + 1.3.4-r1 + 1.3.4-r1 + + + +

+ Audacity is a free cross-platform audio editor. +

+
+ +

+ Viktor Griph reported that the "AudacityApp::OnInit()" method in file + src/AudacityApp.cpp does not handle temporary files properly. +

+
+ +

+ A local attacker could exploit this vulnerability to conduct symlink + attacks to delete arbitrary files and directories with the privileges + of the user running Audacity. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Audacity users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/audacity-1.3.4-r1" +
+ + CVE-2007-6061 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-04.xml b/xml/htdocs/security/en/glsa/glsa-200803-04.xml new file mode 100644 index 00000000..ee019459 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-04.xml @@ -0,0 +1,67 @@ + + + + + + + Mantis: Cross-Site Scripting + + A persistent Cross-Site Scripting vulnerability has been discovered in + Mantis. + + mantis + March 03, 2008 + March 03, 2008: 01 + 203791 + remote + + + 1.0.8-r1 + 1.0.8-r1 + + + +

+ Mantis is a web-based bug tracking system. +

+
+ +

+ seiji reported that the filename for the uploaded file in + bug_report.php is not properly sanitised before being stored. +

+
+ +

+ A remote attacker could upload a file with a specially crafted to a bug + report, resulting in the execution of arbitrary HTML and script code + within the context of the users's browser. Note that this vulnerability + is only exploitable by authenticated users. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mantis users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/mantisbt-1.0.8-r1" +
+ + CVE-2007-6611 + + + p-y + + + p-y + + + p-y + +
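Review bot: The impact paragraph of glsa-200803-04 drops the noun the description depends on: `A remote attacker could upload a file with a specially crafted to a bug report` should read `A remote attacker could upload a file with a specially crafted filename to a bug report`, since the description states that it is the uploaded file's name that is not sanitised before being stored. In the same paragraph `users's` should be `user's`. Both are wording fixes to the advisory text only; the package atom, version and CVE reference are unaffected.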
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-05.xml b/xml/htdocs/security/en/glsa/glsa-200803-05.xml new file mode 100644 index 00000000..0b77a3e5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-05.xml @@ -0,0 +1,65 @@ + + + + + + + SplitVT: Privilege escalation + + A vulnerability in SplitVT may allow local users to gain escalated + privileges. + + splitvt + March 03, 2008 + March 03, 2008: 01 + 211240 + local + + + 1.6.6-r1 + 1.6.6-r1 + + + +

+ SplitVT is a program for splitting terminals into two shells. +

+
+ +

+ Mike Ashton reported that SplitVT does not drop group privileges before + executing the xprop utility. +

+
+ +

+ A local attacker could exploit this vulnerability to gain the "utmp" + group privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SplitVT users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-misc/splitvt-1.6.6-r1" +
+ + CVE-2008-0162 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-06.xml b/xml/htdocs/security/en/glsa/glsa-200803-06.xml new file mode 100644 index 00000000..e7e14a84 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-06.xml @@ -0,0 +1,67 @@ + + + + + + + SWORD: Shell command injection + + Insufficient input checking in SWORD may allow shell command injection. + + sword + March 03, 2008 + March 03, 2008: 01 + 210754 + remote + + + 1.5.8-r2 + 1.5.8-r2 + + + +

+ SWORD is a library for Bible study software. +

+
+ +

+ Dan Dennison reported that the diatheke.pl script used in SWORD does + not properly sanitize shell meta-characters in the "range" parameter + before processing it. +

+
+ +

+ A remote attacker could provide specially crafted input to a vulnerable + application, possibly resulting in the remote execution of arbitrary + shell commands with the privileges of the user running SWORD (generally + the web server account). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SWORD users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/sword-1.5.8-r2" +
+ + CVE-2008-0932 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-07.xml b/xml/htdocs/security/en/glsa/glsa-200803-07.xml new file mode 100644 index 00000000..a14ee8ac --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-07.xml @@ -0,0 +1,66 @@ + + + + + + + Paramiko: Information disclosure + + Unsafe randomness usage in Paramiko may allow access to sensitive + information. + + paramiko + March 03, 2008 + March 03, 2008: 01 + 205777 + remote + + + 1.7.2 + 1.7.2 + + + +

+ Paramiko is a Secure Shell Server implementation written in Python. +

+
+ +

+ Dwayne C. Litzenberger reported that the file "common.py" does not + properly use RandomPool when using threads or forked processes. +

+
+ +

+ A remote attacker could predict the values generated by applications + using Paramiko for encryption purposes, potentially gaining access to + sensitive information. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Paramiko users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/paramiko-1.7.2" +
+ + CVE-2008-0299 + + + jaervosz + + + jaervosz + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-08.xml b/xml/htdocs/security/en/glsa/glsa-200803-08.xml new file mode 100644 index 00000000..58fa06bd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-08.xml @@ -0,0 +1,80 @@ + + + + + + + Win32 binary codecs: Multiple vulnerabilities + + Multiple vulnerabilities in the Win32 codecs for Linux may result in the + remote execution of arbitrary code. + + win32codecs + March 04, 2008 + March 04, 2008: 01 + 150288 + remote + + + 20071007-r2 + 20071007-r2 + + + +

+ Win32 binary codecs provide support for video and audio playback. +

+
+ +

+ Multiple buffer overflow, heap overflow, and integer overflow + vulnerabilities were discovered in the Quicktime plugin when processing + MOV, FLC, SGI, H.264 and FPX files. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted video + file, possibly resulting in the remote execution of arbitrary code with + the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Win32 binary codecs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/win32codecs-20071007-r2" +

+ Note: Since no updated binary versions have been released, the + Quicktime libraries have been removed from the package. Please use the + free alternative Quicktime implementations within VLC, MPlayer or Xine + for playback. +

+
+ + CVE-2006-4382 + CVE-2006-4384 + CVE-2006-4385 + CVE-2006-4386 + CVE-2006-4388 + CVE-2006-4389 + CVE-2007-4674 + CVE-2007-6166 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-09.xml b/xml/htdocs/security/en/glsa/glsa-200803-09.xml new file mode 100644 index 00000000..748fc653 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-09.xml @@ -0,0 +1,74 @@ + + + + + + + Opera: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Opera, allowing for file + disclosure, privilege escalation and Cross-Site scripting. + + opera + March 04, 2008 + March 04, 2008: 01 + 210260 + remote + + + 9.26 + 9.26 + + + +

+ Opera is a fast web browser that is available free of charge. +

+
+ +

+ Mozilla discovered that Opera does not handle input to file form fields + properly, allowing scripts to manipulate the file path (CVE-2008-1080). + Max Leonov found out that image comments might be treated as scripts, + and run within the wrong security context (CVE-2008-1081). Arnaud + reported that a wrong representation of DOM attribute values of + imported XML documents allows them to bypass sanitization filters + (CVE-2008-1082). +

+
+ +

+ A remote attacker could entice a user to upload a file with a known + path by entering text into a specially crafted form, to execute scripts + outside intended security boundaries and conduct Cross-Site Scripting + attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Opera users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/opera-9.26" +
+ + CVE-2008-1080 + CVE-2008-1081 + CVE-2008-1082 + + + jaervosz + + + jaervosz + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-10.xml b/xml/htdocs/security/en/glsa/glsa-200803-10.xml new file mode 100644 index 00000000..5ef0c99e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-10.xml @@ -0,0 +1,68 @@ + + + + + + + lighttpd: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in lighttpd. + + lighttpd + March 05, 2008 + March 05, 2008: 01 + 211230 + 211956 + remote + + + 1.4.18-r2 + 1.4.18-r2 + + + +

+ lighttpd is a lightweight high-performance web server. +

+
+ +

+ lighttpd contains a calculation error when allocating the global file + descriptor array (CVE-2008-0983). Furthermore, it sends the source of a + CGI script instead of returning a 500 error (Internal Server Error) + when the fork() system call fails (CVE-2008-1111). +

+
+ +

+ A remote attacker could exploit these vulnerabilities to cause a Denial + of Service or gain the source of a CGI script. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All lighttpd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.18-r2" +
+ + CVE-2008-0983 + CVE-2008-1111 + + + rbu + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-11.xml b/xml/htdocs/security/en/glsa/glsa-200803-11.xml new file mode 100644 index 00000000..fd2b65a5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-11.xml @@ -0,0 +1,67 @@ + + + + + + + Vobcopy: Insecure temporary file creation + + Vobcopy uses temporary files in an insecure manner, allowing for a symlink + attack. + + vobcopy + March 05, 2008 + March 05, 2008: 01 + 197578 + local + + + 1.1.0 + 1.1.0 + + + +

+ Vobcopy is a tool for decrypting and copying DVD .vob files to a hard + disk. +

+
+ +

+ Joey Hess reported that vobcopy appends data to the file + "/tmp/vobcopy.bla" in an insecure manner. +

+
+ +

+ A local attacker could exploit this vulnerability to conduct symlink + attacks and append data to arbitrary files with the privileges of the + user running Vobcopy. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Vobcopy users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/vobcopy-1.1.0" +
+ + CVE-2007-5718 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-12.xml b/xml/htdocs/security/en/glsa/glsa-200803-12.xml new file mode 100644 index 00000000..5b5ad44a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-12.xml @@ -0,0 +1,68 @@ + + + + + + + Evolution: Format string vulnerability + + A format string error has been discovered in Evolution, possibly resulting + in the execution of arbitrary code. + + evolution + March 05, 2008 + March 05, 2008: 01 + 212272 + remote + + + 2.12.3-r1 + 2.12.3-r1 + + + +

+ Evolution is a GNOME groupware application. +

+
+ +

+ Ulf Harnhammar from Secunia Research discovered a format string error + in the emf_multipart_encrypted() function in the file mail/em-format.c + when reading certain data (e.g. the "Version:" field) from an encrypted + e-mail. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + encrypted e-mail, potentially resulting in the execution of arbitrary + code with the privileges of the user running Evolution. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Evolution users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/evolution-2.12.3-r1" +
+ + CVE-2008-0072 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-13.xml b/xml/htdocs/security/en/glsa/glsa-200803-13.xml new file mode 100644 index 00000000..fc2d50b9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-13.xml @@ -0,0 +1,100 @@ + + + + + + + VLC: Multiple vulnerabilities + + Multiple vulnerabilities were found in VLC, allowing for the execution of + arbitrary code and Denial of Service. + + vlc + March 07, 2008 + March 07, 2008: 01 + 203345 + 211575 + 205299 + remote + + + 0.8.6e + 0.8.6e + + + +

+ VLC is a cross-platform media player and streaming server. +

+
+ +

+ Multiple vulnerabilities were found in VLC: +

+
    +
  • Michal Luczaj + and Luigi Auriemma reported that VLC contains boundary errors when + handling subtitles in the ParseMicroDvd(), ParseSSA(), and + ParseVplayer() functions in the modules/demux/subtitle.c file, allowing + for a stack-based buffer overflow (CVE-2007-6681).
  • +
  • The web + interface listening on port 8080/tcp contains a format string error in + the httpd_FileCallBack() function in the network/httpd.c file + (CVE-2007-6682).
  • +
  • The browser plugin possibly contains an + argument injection vulnerability (CVE-2007-6683).
  • +
  • The RSTP + module triggers a NULL pointer dereference when processing a request + without a "Transport" parameter (CVE-2007-6684).
  • +
  • Luigi + Auriemma and Remi Denis-Courmont found a boundary error in the + modules/access/rtsp/real_sdpplin.c file when processing SDP data for + RTSP sessions (CVE-2008-0295) and a vulnerability in the + libaccess_realrtsp plugin (CVE-2008-0296), possibly resulting in a + heap-based buffer overflow.
  • +
  • Felipe Manzano and Anibal Sacco + (Core Security Technologies) discovered an arbitrary memory overwrite + vulnerability in VLC's MPEG-4 file format parser (CVE-2008-0984).
  • +
+
+ +

+ A remote attacker could send a long subtitle in a file that a user is + enticed to open, a specially crafted MP4 input file, long SDP data, or + a specially crafted HTTP request with a "Connection" header value + containing format specifiers, possibly resulting in the remote + execution of arbitrary code. Also, a Denial of Service could be caused + and arbitrary files could be overwritten via the "demuxdump-file" + option in a filename in a playlist or via an EXTVLCOPT statement in an + MP3 file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All VLC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/vlc-0.8.6e" +
+ + CVE-2007-6681 + CVE-2007-6682 + CVE-2007-6683 + CVE-2007-6684 + CVE-2008-0295 + CVE-2008-0296 + CVE-2008-0984 + + + keytoaster + + + p-y + +
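Review bot: The fourth bullet of glsa-200803-13 names `The RSTP module`, while the fifth bullet in the same list and the impact paragraph refer to RTSP and the libaccess_realrtsp plugin; this looks like a transposition and should read `The RTSP module triggers a NULL pointer dereference`. It is a one-word change to the advisory text and does not affect the CVE list or the package version.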
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-14.xml b/xml/htdocs/security/en/glsa/glsa-200803-14.xml new file mode 100644 index 00000000..fc3ede17 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200803-14.xml @@ -0,0 +1,89 @@ + + + + + + + Ghostscript: Buffer overflow + + A stack-based buffer overflow has been discovered in Ghostscript, allowing + arbitrary code execution. + + ghostscript + March 08, 2008 + March 08, 2008: 01 + 208999 + remote + + + 8.15.4-r1 + 8.15.4-r1 + + + 8.61-r3 + 8.61-r3 + + + 8.60.0-r2 + 8.60.0-r2 + + + +

+ Ghostscript is a suite of software based on an interpreter for + PostScript and PDF. +

+
+ +

+ Chris Evans (Google Security) discovered a stack-based buffer overflow + within the zseticcspace() function in the file zicc.c when processing a + PostScript file containing a long "Range" array in a .seticcscpate + operator. +

+
+ +

+ A remote attacker could exploit this vulnerability by enticing a user + to open a specially crafted PostScript file, which could possibly lead + to the execution of arbitrary code or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ghostscript ESP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/ghostscript-esp-8.15.4-r1" +

+ All Ghostscript GPL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-8.61-r3" +

+ All Ghostscript GNU users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gnu-8.60.0-r2"
+
+
+ CVE-2008-0411
+
+
+ jaervosz
+
+
+ jaervosz
+
+
+ psychoschlumpf
+
+
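Review bot: The operator name `.seticcscpate` in the description looks mistyped; since the vulnerable function is named zseticcspace(), the operator is presumably `.seticcspace`, and the advisory should spell it the way it appears in the Ghostscript sources so that anyone grepping for it finds the right code. That is an inference from the function name, so check the upstream report before correcting it. The rest of the hunk is consistent: three package variants in the affected table and three matching emerge targets in the resolution.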
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-15.xml b/xml/htdocs/security/en/glsa/glsa-200803-15.xml
new file mode 100644
index 00000000..8a6e3c5f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-15.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ phpMyAdmin: SQL injection vulnerability
+
+ A SQL injection vulnerability has been discovered in phpMyAdmin.
+
+ phpmyadmin
+ March 09, 2008
+ March 09, 2008: 01
+ 212000
+ local
+
+
+ 2.11.5
+ 2.11.5
+
+
+
+

+ phpMyAdmin is a free web-based database administration tool. +

+
+ +

+ Richard Cunningham reported that phpMyAdmin uses the $_REQUEST variable + of $_GET and $_POST as a source for its parameters. +

+
+ +

+ An attacker could entice a user to visit a malicious web application + that sets an "sql_query" cookie and is hosted on the same domain as + phpMyAdmin, and thereby conduct SQL injection attacks with the + privileges of the user authenticating in phpMyAdmin afterwards. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpMyAdmin users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.11.5"
+
+
+ CVE-2008-1149
+
+
+ rbu
+
+
+ psychoschlumpf
+
+
+ p-y
+
+
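Review bot: The description sentence `phpMyAdmin uses the $_REQUEST variable of $_GET and $_POST as a source for its parameters` reads as garbled; the point is that parameters are read from `$_REQUEST` instead of `$_GET`/`$_POST`, and `$_REQUEST` also merges cookie values, which is precisely why the same-domain `sql_query` cookie described in the impact section reaches the query. Suggest `phpMyAdmin reads its parameters from the $_REQUEST superglobal instead of $_GET and $_POST; $_REQUEST also contains cookie values.` The access field says `local` while the vector is a web application on the same domain; if that classification reflects the attacker needing content hosted on the same host, one sentence saying so would stop readers from dismissing it as a local-user-only issue.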
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-16.xml b/xml/htdocs/security/en/glsa/glsa-200803-16.xml
new file mode 100644
index 00000000..b66893c1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-16.xml
@@ -0,0 +1,83 @@
+
+
+
+
+
+
+ MPlayer: Multiple buffer overflows
+
+ Multiple vulnerabilities have been discovered in MPlayer, possibly allowing
+ for the remote execution of arbitrary code.
+
+ mplayer
+ March 10, 2008
+ March 10, 2008: 01
+ 208566
+ remote
+
+
+ 1.0_rc2_p25993
+ 1.0_rc2_p25993
+
+
+
+

+ MPlayer is a media player incuding support for a wide range of audio + and video formats. +

+
+ +

+ The following errors have been discovered in MPlayer: +

+
    +
  • Felipe Manzano and Anibal Sacco (Core Security Technologies) + reported an array indexing error in the file libmpdemux/demux_mov.c + when parsing MOV file headers (CVE-2008-0485).
  • +
  • Damian Frizza + and Alfredo Ortega (Core Security Technologies) reported a boundary + error in the file libmpdemux/demux_audio.c when parsing FLAC comments + (CVE-2008-0486).
  • +
  • Adam Bozanich (Mu Security) reported boundary + errors in the cddb_parse_matches_list() and cddb_query_parse() + functions in the file stream_cddb.c when parsing CDDB album titles + (CVE-2008-0629) and in the url_scape_string() function in the file + stream/url.c when parsing URLS (CVE-2008-0630).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted file, + possibly resulting in the execution of arbitrary code with the + privileges of the user running MPlayer. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MPlayer users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_rc2_p25993"
+
+
+ CVE-2008-0485
+ CVE-2008-0486
+ CVE-2008-0629
+ CVE-2008-0630
+
+
+ p-y
+
+
+ p-y
+
+
+ p-y
+
+
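Review bot: Two identifiers in the description look mistyped: `url_scape_string()` is presumably `url_escape_string()` (the function in stream/url.c that the same sentence names), and `URLS` should be `URLs`; the package description also has `incuding` for `including`. The function-name typo is the one worth fixing, because advisories are routinely searched by function name when mapping a CVE to a patch. Please confirm the spelling against the MPlayer source before changing it.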
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-17.xml b/xml/htdocs/security/en/glsa/glsa-200803-17.xml
new file mode 100644
index 00000000..5366f3ff
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-17.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ PDFlib: Multiple buffer overflows
+
+ Multiple stack-based buffer overflows have been reported in PDFlib.
+
+ pdflib
+ March 10, 2008
+ March 10, 2008: 01
+ 203287
+ remote
+
+
+ 7.0.2_p8
+ 7.0.2_p8
+
+
+
+

+ PDFlib is a library for generating PDF on the fly. +

+
+ +

+ poplix reported multiple boundary errors in the pdc_fsearch_fopen() + function when processing overly long filenames. +

+
+ +

+ A remote attacker could send specially crafted content to a vulnerable + application using PDFlib, possibly resulting in the remote execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PDFlib users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/pdflib-7.0.2_p8"
+
+
+ CVE-2007-6561
+
+
+ rbu
+
+
+ p-y
+
+
+ p-y
+
+
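Review bot: The impact sentence says a remote attacker could `send specially crafted content to a vulnerable application using PDFlib`, but the description ties the overflows to `pdc_fsearch_fopen()` handling overly long filenames, so the precondition a reader needs is that the application passes attacker-influenced filenames into PDFlib. Suggest qualifying it: `A remote attacker could supply an overly long filename to an application that hands untrusted filenames to PDFlib, possibly resulting in ...`. I am inferring the precondition from the function named in the description; confirm against the upstream report before changing the text.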
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-18.xml b/xml/htdocs/security/en/glsa/glsa-200803-18.xml
new file mode 100644
index 00000000..40e13b5a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-18.xml
@@ -0,0 +1,81 @@
+
+
+
+
+
+
+ Cacti: Multiple vulnerabilities
+
+ Multiple vulnerabilities were discovered in Cacti.
+
+ cacti
+ March 10, 2008
+ May 28, 2009: 02
+ 209918
+ remote
+
+
+ 0.8.7b
+ 0.8.6j-r8
+ 0.8.7b
+
+
+
+

+ Cacti is a web-based network graphing and reporting tool. +

+
+ +

+ The following inputs are not properly sanitized before being processed: +

+
  • "view_type" parameter in the file graph.php, "filter" parameter + in the file graph_view.php, "action" and "login_username" parameters in + the file index.php (CVE-2008-0783).
  • +
  • "local_graph_id" parameter in the file graph.php + (CVE-2008-0784).
  • +
  • "graph_list" parameter in the file graph_view.php, "leaf_id" and + "id" parameters in the file tree.php, "local_graph_id" in the file + graph_xport.php (CVE-2008-0785).
  • +
+

+ Furthermore, CRLF injection attack are possible via unspecified vectors + (CVE-2008-0786). +

+
+ +

+ A remote attacker could exploit these vulnerabilities, leading to path + disclosure, Cross-Site Scripting attacks, SQL injection, and HTTP + response splitting. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cacti users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.7b"
+
+
+ CVE-2008-0783
+ CVE-2008-0784
+ CVE-2008-0785
+ CVE-2008-0786
+
+
+ rbu
+
+
+ p-y
+
+
+ p-y
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-19.xml b/xml/htdocs/security/en/glsa/glsa-200803-19.xml
new file mode 100644
index 00000000..4433cc97
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-19.xml
@@ -0,0 +1,80 @@
+
+
+
+
+
+
+ Apache: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been discovered in Apache.
+
+ apache
+ March 11, 2008
+ March 12, 2008: 02
+ 201163
+ 204410
+ 205195
+ 209899
+ remote
+
+
+ 2.2.8
+ 2.2.8
+
+
+
+

+ The Apache HTTP server is one of the most popular web servers on the + Internet. +

+
+ +

+ Adrian Pastor and Amir Azam (ProCheckUp) reported that the HTTP Method + specifier header is not properly sanitized when the HTTP return code is + "413 Request Entity too large" (CVE-2007-6203). The mod_proxy_balancer + module does not properly check the balancer name before using it + (CVE-2007-6422). The mod_proxy_ftp does not define a charset in its + answers (CVE-2008-0005). Stefano Di Paola (Minded Security) reported + that filenames are not properly sanitized within the mod_negotiation + module (CVE-2008-0455, CVE-2008-0456). +

+
+ +

+ A remote attacker could entice a user to visit a malicious URL or send + specially crafted HTTP requests (i.e using Adobe Flash) to perform + Cross-Site Scripting and HTTP response splitting attacks, or conduct a + Denial of Service attack on the vulnerable web server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.8"
+
+
+ CVE-2007-6203
+ CVE-2007-6422
+ CVE-2008-0005
+ CVE-2008-0455
+ CVE-2008-0456
+
+
+ jaervosz
+
+
+ p-y
+
+
+ p-y
+
+
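Review bot: `(i.e using Adobe Flash)` in the impact paragraph should be `(e.g., using Adobe Flash)`: Flash is one example of a client that can emit the crafted requests, not the definition of them, and `i.e` is missing its period. The five CVEs in the description match the reference list, so no other change is needed in this hunk.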
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-20.xml b/xml/htdocs/security/en/glsa/glsa-200803-20.xml
new file mode 100644
index 00000000..2166c286
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-20.xml
@@ -0,0 +1,76 @@
+
+
+
+
+
+
+ International Components for Unicode: Multiple vulnerabilities
+
+ Two vulnerabilities have been discovered in the International Components
+ for Unicode, possibly resulting in the remote execution of arbitrary code
+ or a Denial of Service.
+
+ icu
+ March 11, 2008
+ May 28, 2009: 03
+ 208001
+ remote
+
+
+ 3.8.1-r1
+ 3.6-r2
+ 3.8.1-r1
+
+
+
+

+ International Components for Unicode is a set of C/C++ and Java + libraries providing Unicode and Globalization support for software + applications. +

+
+ +

+ Will Drewry (Google Security) reported a vulnerability in the regular + expression engine when using back references to capture \0 characters + (CVE-2007-4770). He also found that the backtracking stack size is not + limited, possibly allowing for a heap-based buffer overflow + (CVE-2007-4771). +

+
+ +

+ A remote attacker could submit specially crafted regular expressions to + an application using the library, possibly resulting in the remote + execution of arbitrary code with the privileges of the user running the + application or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All International Components for Unicode users should upgrade to the + latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/icu-3.8.1-r1"
+
+
+ CVE-2007-4770
+ CVE-2007-4771
+
+
+ jaervosz
+
+
+ jaervosz
+
+
+ p-y
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-21.xml b/xml/htdocs/security/en/glsa/glsa-200803-21.xml
new file mode 100644
index 00000000..4234474b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-21.xml
@@ -0,0 +1,72 @@
+
+
+
+
+
+
+ Sarg: Remote execution of arbitrary code
+
+ Sarg is vulnerable to the execution of arbitrary code when processed with
+ untrusted input files.
+
+ sarg
+ March 12, 2008
+ March 12, 2008: 01
+ 212208
+ 212731
+ remote
+
+
+ 2.2.5
+ 2.2.5
+
+
+
+

+ Sarg (Squid Analysis Report Generator) is a tool that provides many + informations about the Squid web proxy server users activities: time, + sites, traffic, etc. +

+
+ +

+ Sarg doesn't properly check its input for abnormal content when + processing Squid log files. +

+
+ +

+ A remote attacker using a vulnerable Squid as a proxy server or a + reverse-proxy server can inject arbitrary content into the "User-Agent" + HTTP client header, that will be processed by sarg, which will lead to + the execution of arbitrary code, or JavaScript injection, allowing + Cross-Site Scripting attacks and the theft of credentials. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All sarg users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/sarg-2.2.5"
+
+
+ CVE-2008-1167
+ CVE-2008-1168
+
+
+ rbu
+
+
+ falco
+
+
+ p-y
+
+
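Review bot: The impact wording `A remote attacker using a vulnerable Squid as a proxy server or a reverse-proxy server` misplaces the vulnerability: Squid is not vulnerable here, sarg is, and all the attacker needs is for Squid to log a request whose `User-Agent` header they control. Suggest `A remote attacker whose requests are logged by a Squid proxy or reverse proxy can inject arbitrary content into the "User-Agent" HTTP header, which sarg will later process, ...`. The description also does not say which of CVE-2008-1167 and CVE-2008-1168 is the code-execution bug and which the script injection; a one-clause mapping would help anyone triaging by CVE.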
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-22.xml b/xml/htdocs/security/en/glsa/glsa-200803-22.xml
new file mode 100644
index 00000000..864dfb57
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-22.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ LIVE555 Media Server: Denial of Service
+
+ A Denial of Service vulnerability has been reported in LIVE555 Media
+ Server.
+
+ live
+ March 13, 2008
+ March 13, 2008: 01
+ 204065
+ remote
+
+
+ 2008.02.08
+ 2008.02.08
+
+
+
+

+ LIVE555 Media Server is a set of libraries for multimedia streaming. +

+
+ +

+ Luigi Auriemma reported a signedness error in the + parseRTSPRequestString() function when processing short RTSP queries. +

+
+ +

+ A remote attacker could send a specially crafted RTSP query to the + vulnerable server, resulting in a crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All LIVE555 Media Server users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-plugins/live-2008.02.08"
+

+ Note: Due to ABI changes, applications built against LIVE555 Media + Server such as VLC or MPlayer should also be rebuilt. +

+
+
+ CVE-2007-6036
+
+
+ rbu
+
+
+ p-y
+
+
+ p-y
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-23.xml b/xml/htdocs/security/en/glsa/glsa-200803-23.xml
new file mode 100644
index 00000000..d7bef873
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-23.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ Website META Language: Insecure temporary file usage
+
+ Multiple insecure temporary file vulnerabilities have been discovered in
+ the Website META Language.
+
+ wml
+ March 15, 2008
+ March 15, 2008: 01
+ 209927
+ local
+
+
+ 2.0.11-r3
+ 2.0.11-r3
+
+
+
+

+ Website META Language is a free and extensible Webdesigner's off-line + HTML generation toolkit for Unix. +

+
+ +

+ Temporary files are handled insecurely in the files + wml_backend/p1_ipp/ipp.src, wml_contrib/wmg.cgi, and + wml_backend/p3_eperl/eperl_sys.c, allowing users to overwrite or delete + arbitrary files with the privileges of the user running the program. +

+
+ +

+ Local users can exploit the insecure temporary file vulnerabilities via + symlink attacks to perform certain actions with escalated privileges. +

+
+ +

+ Restrict access to the temporary directory to trusted users only. +

+
+ +

+ All Website META Language users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/wml-2.0.11-r3"
+
+
+ CVE-2008-0665
+ CVE-2008-0666
+
+
+ p-y
+
+
+ p-y
+
+
+ mfleming
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-24.xml b/xml/htdocs/security/en/glsa/glsa-200803-24.xml
new file mode 100644
index 00000000..293c4414
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-24.xml
@@ -0,0 +1,81 @@
+
+
+
+
+
+
+ PCRE: Buffer overflow
+
+ A buffer overflow vulnerability has been discovered in PCRE, allowing for
+ the execution of arbitrary code and Denial of Service.
+
+ libpcre glib
+ March 17, 2008
+ March 17, 2008: 02
+ 209067
+ 209293
+ remote
+
+
+ 7.6-r1
+ 7.6-r1
+
+
+ 2.14.6
+ 2.14.0
+ 2.14.6
+
+
+
+

+ PCRE is a Perl-compatible regular expression library. GLib includes a + copy of PCRE. +

+
+ +

+ PCRE contains a buffer overflow vulnerability when processing a + character class containing a very large number of characters with + codepoints greater than 255. +

+
+ +

+ A remote attacker could exploit this vulnerability by sending a + specially crafted regular expression to an application making use of + the PCRE library, which could possibly lead to the execution of + arbitrary code or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PCRE users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/libpcre-7.6-r1"
+

+ All GLib users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/glib-2.14.6"
+
+
+ CVE-2008-0674
+
+
+ jaervosz
+
+
+ jaervosz
+
+
+ keytoaster
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-25.xml b/xml/htdocs/security/en/glsa/glsa-200803-25.xml
new file mode 100644
index 00000000..70954c1c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-25.xml
@@ -0,0 +1,84 @@
+
+
+
+
+
+
+ Dovecot: Multiple vulnerabilities
+
+ Two vulnerabilities in Dovecot allow for information disclosure and
+ argument injection.
+
+ dovecot
+ March 18, 2008
+ March 18, 2008: 01
+ 212336
+ 213030
+ remote
+
+
+ 1.0.13-r1
+ 1.0.13-r1
+
+
+
+

+ Dovecot is a lightweight, fast and easy to configure IMAP and POP3 mail + server. +

+
+ +

+ Dovecot uses the group configured via the "mail_extra_groups" setting, + which should be used to create lockfiles in the /var/mail directory, + when accessing arbitrary files (CVE-2008-1199). Dovecot does not escape + TAB characters in passwords when saving them, which might allow for + argument injection in blocking passdbs such as MySQL, PAM or shadow + (CVE-2008-1218). +

+
+ +

+ Remote attackers can exploit the first vulnerability to disclose + sensitive data, such as the mail of other users, or modify files or + directories that are writable by group via a symlink attack. Please + note that the "mail_extra_groups" setting is set to the "mail" group by + default when the "mbox" USE flag is enabled. +

+

+ The second vulnerability can be abused to inject arguments for internal + fields. No exploitation vectors are known for this vulnerability that + affect previously stable versions of Dovecot in Gentoo. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Dovecot users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.0.13-r1"
+

+ This version removes the "mail_extra_groups" option and introduces a + "mail_privileged_group" setting which is handled safely. +

+
+
+ CVE-2008-1199
+ CVE-2008-1218
+
+
+ keytoaster
+
+
+ rbu
+
+
+ rbu
+
+
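Review bot: The impact says `Remote attackers can exploit the first vulnerability`, yet the vector described is a symlink attack on files reached through the `mail_extra_groups` group, which presumably requires an account able to create symlinks somewhere Dovecot reads (an authenticated mail user), not an arbitrary remote party. Suggest `Authenticated users can exploit the first vulnerability ...`, or a clause stating the foothold required; confirm against the upstream advisory. The closing note that the upgrade removes `mail_extra_groups` in favour of `mail_privileged_group` is useful, and it would help operators to say whether a leftover `mail_extra_groups` line in dovecot.conf is ignored or stops the daemon from starting after the upgrade.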
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-26.xml b/xml/htdocs/security/en/glsa/glsa-200803-26.xml
new file mode 100644
index 00000000..cb5b587d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-26.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Adobe Acrobat Reader: Insecure temporary file creation
+
+ An insecure temporary file creation vulnerability has been discovered in
+ Adobe Acrobat Reader.
+
+ acroread
+ March 18, 2008
+ March 18, 2008: 01
+ 212367
+ local
+
+
+ 8.1.2-r1
+ 8.1.2-r1
+
+
+
+

+ Acrobat Reader is a PDF reader released by Adobe. +

+
+ +

+ SUSE reported that the "acroread" wrapper script does not create + temporary files in a secure manner when handling SSL certificates + (CVE-2008-0883). +

+
+ +

+ A local attacker could exploit this vulnerability to overwrite + arbitrary files via a symlink attack on temporary files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Acrobat Reader users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/acroread-8.1.2-r1"
+
+
+ CVE-2008-0883
+
+
+ mfleming
+
+
+ mfleming
+
+
+ rbu
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-27.xml b/xml/htdocs/security/en/glsa/glsa-200803-27.xml
new file mode 100644
index 00000000..14ef5075
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-27.xml
@@ -0,0 +1,90 @@
+
+
+
+
+
+
+ MoinMoin: Multiple vulnerabilities
+
+ Several vulnerabilities have been reported in MoinMoin Wiki Engine.
+
+ moinmoin
+ March 18, 2008
+ March 18, 2008: 01
+ 209133
+ remote
+
+
+ 1.6.1
+ 1.6.1
+
+
+
+

+ MoinMoin is an advanced, easy to use and extensible Wiki Engine. +

+
+ +

+ Multiple vulnerabilities have been discovered: +

+
    +
  • + A vulnerability exists in the file wikimacro.py because the + _macro_Getval function does not properly enforce ACLs + (CVE-2008-1099).
  • +
  • + A directory traversal vulnerability exists in the userform action + (CVE-2008-0782).
  • +
  • + A Cross-Site Scripting vulnerability exists in the login action + (CVE-2008-0780).
  • +
  • + Multiple Cross-Site Scripting vulnerabilities exist in the file + action/AttachFile.py when using the message, pagename, and target + filenames (CVE-2008-0781).
  • +
  • + Multiple Cross-Site Scripting vulnerabilities exist in + formatter/text_gedit.py (aka the gui editor formatter) which can be + exploited via a page name or destination page name, which trigger an + injection in the file PageEditor.py (CVE-2008-1098). +
  • +
+
+ +

+ These vulnerabilities can be exploited to allow remote attackers to + inject arbitrary web script or HTML, overwrite arbitrary files, or read + protected pages. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MoinMoin users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apps/moinmoin-1.6.1"
+
+
+ CVE-2008-0780
+ CVE-2008-0781
+ CVE-2008-0782
+ CVE-2008-1098
+ CVE-2008-1099
+
+
+ p-y
+
+
+ p-y
+
+
+ mfleming
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-28.xml b/xml/htdocs/security/en/glsa/glsa-200803-28.xml
new file mode 100644
index 00000000..3a99b192
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-28.xml
@@ -0,0 +1,79 @@
+
+
+
+
+
+
+ OpenLDAP: Denial of Service vulnerabilities
+
+ Multiple Denial of Service vulnerabilities have been reported in OpenLDAP.
+
+ openldap
+ March 19, 2008
+ March 19, 2008: 01
+ 197446
+ 209677
+ remote
+
+
+ 2.3.41
+ 2.3.41
+
+
+
+

+ OpenLDAP Software is an open source implementation of the Lightweight + Directory Access Protocol. +

+
+ +

+ The following errors have been discovered in OpenLDAP: +

+
    +
  • + Tony Blake discovered an error which exists within the normalisation of + "objectClasses" (CVE-2007-5707).
  • +
  • + Thomas Sesselmann reported that, when running as a proxy-caching server + the "add_filter_attrs()" function in servers/slapd/overlay/pcache.c + does not correctly NULL terminate "new_attrs" (CVE-2007-5708).
  • +
  • + A double-free bug exists in attrs_free() in the file + servers/slapd/back-bdb/modrdn.c, which was discovered by Jonathan + Clarke (CVE-2008-0658).
  • +
+
+ +

+ A remote attacker can cause a Denial of Serivce by sending a malformed + "objectClasses" attribute, and via unknown vectors that prevent the + "new_attrs" array from being NULL terminated, and via a modrdn + operation with a NOOP (LDAP_X_NO_OPERATION) control. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenLDAP users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-nds/openldap-2.3.41"
+
+
+ CVE-2007-5707
+ CVE-2007-5708
+ CVE-2008-0658
+
+
+ mfleming
+
+
+ rbu
+
+
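Review bot: `Denial of Serivce` in the impact paragraph is a typo for `Denial of Service`. The same paragraph folds all three triggers into one sentence without the qualifier the description gives for CVE-2007-5708 (slapd running as a proxy-caching server); repeating `when slapd is configured as a proxy cache` next to the `new_attrs` clause would stop readers who only skim the impact from over-scoping that bug to every OpenLDAP deployment.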
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-29.xml b/xml/htdocs/security/en/glsa/glsa-200803-29.xml
new file mode 100644
index 00000000..d63ca774
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-29.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ ViewVC: Multiple vulnerabilities
+
+ Multiple security issues have been reported in ViewVC, which can be
+ exploited by malicious people to bypass certain security restrictions.
+
+ viewvc
+ March 19, 2008
+ April 01, 2009: 02
+ 212288
+ remote
+
+
+ 1.0.5
+ 1.0.5
+
+
+
+

+ ViewVC is a browser interface for CVS and Subversion version control + repositories. +

+
+ +

+ Multiple unspecified errors were reportedly fixed by the ViewVC + development team. +

+
+ +

+ A remote attacker could send a specially crafted URL to the server to + list CVS or SVN commits on "all-forbidden" files, access hidden CVSROOT + folders, and view restricted content via the revision view, the log + history, or the diff view. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ViewVC users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apps/viewvc-1.0.5"
+
+
+ CVE-2008-1290
+ CVE-2008-1291
+ CVE-2008-1292
+
+
+ p-y
+
+
+ p-y
+
+
+ mfleming
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-30.xml b/xml/htdocs/security/en/glsa/glsa-200803-30.xml
new file mode 100644
index 00000000..68d20184
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-30.xml
@@ -0,0 +1,170 @@
+
+
+
+
+
+
+ ssl-cert eclass: Certificate disclosure
+
+ An error in the usage of the ssl-cert eclass within multiple ebuilds might
+ allow for disclosure of generated SSL private keys.
+
+ ssl-cert.eclass
+ March 20, 2008
+ March 20, 2008: 01
+ 174759
+ remote
+
+
+ 8.1.16
+ 8.1.16
+
+
+ 2.4.6-r2
+ 2.3.8-r1
+ 2.2.11-r1
+ 2.4.6-r2
+
+
+ 0.17-r7
+ 0.17-r7
+
+
+ 1.1.3
+ 1.1.3
+
+
+ 3.2.7-r2
+ 3.2.7-r2
+
+
+ 2.3.9-r1
+ 2.3.9-r1
+
+
+ 1.0.10
+ 1.0.10
+
+
+ 4.21-r1
+ 4.0
+ 4.21-r1
+
+
+ 2.4.3-r1
+ 2.4.3-r1
+
+
+
+

+ The ssl-cert eclass is a code module used by Gentoo ebuilds to generate + SSL certificates. +

+
+ +

+ Robin Johnson reported that the docert() function provided by + ssl-cert.eclass can be called by source building stages of an ebuild, + such as src_compile() or src_install(), which will result in the + generated SSL keys being included inside binary packages (binpkgs). +

+
+ +

+ A local attacker could recover the SSL keys from publicly readable + binary packages when "emerge" is called with the "--buildpkg + (-b)" or "--buildpkgonly (-B)" option. Remote attackers can + recover these keys if the packages are served to a network. Binary + packages built using "quickpkg" are not affected. +

+
+ +

+ Do not use pre-generated SSL keys, but use keys that were generated + using a different Certificate Authority. +

+
+ +

+ Upgrading to newer versions of the above packages will neither remove + possibly compromised SSL certificates, nor old binary packages. Please + remove the certificates installed by Portage, and then emerge an + upgrade to the package. +

+

+ All Conserver users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-admin/conserver-8.1.16"
+

+ All Postfix 2.4 users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.4.6-r2"
+

+ All Postfix 2.3 users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.3.8-r1"
+

+ All Postfix 2.2 users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.2.11-r1"
+

+ All Netkit FTP Server users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-ftp/netkit-ftpd-0.17-r7"
+

+ All ejabberd users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-im/ejabberd-1.1.3"
+

+ All UnrealIRCd users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-irc/unrealircd-3.2.7-r2"
+

+ All Cyrus IMAP Server users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.3.9-r1"
+

+ All Dovecot users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.0.10"
+

+ All stunnel 4 users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/stunnel-4.21"
+

+ All InterNetNews users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-nntp/inn-2.4.3-r1"
+
+
+ CVE-2008-1383
+
+
+ rbu
+
+
+ rbu
+
+
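Review bot: The stunnel resolution does not match the affected table: the table appears to list `4.21-r1` as the fixed revision (every other package in the table uses the same pattern of fixed revision first, vulnerable bound last), but the command reads `# emerge --ask --oneshot --verbose ">=net-misc/stunnel-4.21"`, which is already satisfied by 4.21 itself, a version the table marks as vulnerable; it should read `">=net-misc/stunnel-4.21-r1"`. The workaround `use keys that were generated using a different Certificate Authority` is also hard to act on, since the issue is build-time key generation being captured into binpkgs; something like `Replace the certificate and key installed by the ebuild with ones generated on the target host` would be a concrete instruction. The reminder in the resolution to delete old binary packages is the important part: removing the installed certificates alone leaves the private keys recoverable from any binpkg still on disk or on a binhost.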
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-31.xml b/xml/htdocs/security/en/glsa/glsa-200803-31.xml
new file mode 100644
index 00000000..fa6b3ba5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-31.xml
@@ -0,0 +1,102 @@
+
+
+
+
+
+
+ MIT Kerberos 5: Multiple vulnerabilities
+
+ Multiple vulnerabilites have been found in MIT Kerberos 5, which could
+ allow a remote unauthenticated user to execute arbitrary code with root
+ privileges.
+
+ mit-krb5
+ March 24, 2008
+ March 24, 2008: 01
+ 199205
+ 212363
+ remote
+
+
+ 1.6.3-r1
+ 1.6.3-r1
+
+
+
+

+ MIT Kerberos 5 is a suite of applications that implement the Kerberos + network protocol. kadmind is the MIT Kerberos 5 administration daemon, + KDC is the Key Distribution Center. +

+
+ +
  • Two vulnerabilities were found in the Kerberos 4 support in + KDC: A global variable is not set for some incoming message types, + leading to a NULL pointer dereference or a double free() + (CVE-2008-0062) and unused portions of a buffer are not properly + cleared when generating an error message, which results in stack + content being contained in a reply (CVE-2008-0063).
  • +
  • Jeff + Altman (Secure Endpoints) discovered a buffer overflow in the RPC + library server code, used in the kadmin server, caused when too many + file descriptors are opened (CVE-2008-0947).
  • +
  • Venustech AD-LAB + discovered multiple vulnerabilities in the GSSAPI library: usage of a + freed variable in the gss_indicate_mechs() function (CVE-2007-5901) and + a double free() vulnerability in the gss_krb5int_make_seal_token_v3() + function (CVE-2007-5971).
  • +
+
+ +

+ The first two vulnerabilities can be exploited by a remote + unauthenticated attacker to execute arbitrary code on the host running + krb5kdc, compromise the Kerberos key database or cause a Denial of + Service. These bugs can only be triggered when Kerberos 4 support is + enabled. +

+

+ The RPC related vulnerability can be exploited by a remote + unauthenticated attacker to crash kadmind, and theoretically execute + arbitrary code with root privileges or cause database corruption. This + bug can only be triggered in configurations that allow large numbers of + open file descriptors in a process. +

+

+ The GSSAPI vulnerabilities could be exploited by a remote attacker to + cause Denial of Service conditions or possibly execute arbitrary code. +

+
+ +

+ Kerberos 4 support can be disabled via disabling the "krb4" USE flag + and recompiling the ebuild, or setting "v4_mode=none" in the + [kdcdefaults] section of /etc/krb5/kdc.conf. This will only work around + the KDC related vulnerabilities. +

+
+ +

+ All MIT Kerberos 5 users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.6.3-r1"
+
+
+ CVE-2007-5901
+ CVE-2007-5971
+ CVE-2008-0062
+ CVE-2008-0063
+ CVE-2008-0947
+
+
+ p-y
+
+
+ rbu
+
+
+ rbu
+
+
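Review bot: The workaround section covers only the KDC (krb4) issues and says so, but the impact text itself states the RPC overflow `can only be triggered in configurations that allow large numbers of open file descriptors in a process`, which points at a second interim measure for kadmind: lowering the file-descriptor limit for the kadmind process. I am inferring that from the trigger condition as the hunk describes it, so it should be checked against the upstream advisory before being offered as a workaround. `vulnerabilites` in the synopsis is also a typo for `vulnerabilities`.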
diff --git a/xml/htdocs/security/en/glsa/glsa-200803-32.xml b/xml/htdocs/security/en/glsa/glsa-200803-32.xml
new file mode 100644
index 00000000..fadee2f3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200803-32.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Wireshark: Denial of Service
+
+ Multiple Denial of Service vulnerabilities have been discovered in
+ Wireshark.
+
+ wireshark
+ March 24, 2008
+ March 24, 2008: 01
+ 212149
+ remote
+
+
+ 0.99.8
+ 0.99.8
+
+
+
+

+ Wireshark is a network protocol analyzer with a graphical front-end. +

+
+ +

+ Multiple unspecified errors exist in the SCTP, SNMP, and TFTP + dissectors. +

+
+ +

+ A remote attacker could cause a Denial of Service by sending a + malformed packet. +

+
+ +

+ Disable the SCTP, SNMP, and TFTP dissectors. +

+
+ +

+ All Wireshark users should upgrade to the latest version: +

+
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-0.99.8"
+
+
+ CVE-2008-1070
+ CVE-2008-1071
+ CVE-2008-1072
+
+
+ rbu
+
+
+ mfleming
+
+
+ p-y
+
+
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-01.xml b/xml/htdocs/security/en/glsa/glsa-200804-01.xml
new file mode 100644
index 00000000..8e620e4c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-01.xml
@@ -0,0 +1,89 @@
+
+
+
+
+
+
+ CUPS: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been discovered in CUPS, allowing for the
+ remote execution of arbitrary code and a Denial of Service.
+
+ cups
+ April 01, 2008
+ April 01, 2008: 01
+ 211449
+ 212364
+ 214068
+ remote
+
+
+ 1.2.12-r7
+ 1.2.12-r7
+
+
+
+

+ CUPS provides a portable printing layer for UNIX-based operating + systems. +

+
+ +

+ Multiple vulnerabilities have been reported in CUPS: +

+
    +
  • regenrecht (VeriSign iDefense) discovered that the + cgiCompileSearch() function used in several CGI scripts in CUPS' + administration interface does not correctly calculate boundaries when + processing a user-provided regular expression, leading to a heap-based + buffer overflow (CVE-2008-0047).
  • +
  • Helge Blischke reported a + double free() vulnerability in the process_browse_data() function when + adding or removing remote shared printers (CVE-2008-0882).
  • +
  • Tomas Hoger (Red Hat) reported that the gif_read_lzw() function + uses the code_size value from GIF images without properly checking it, + leading to a buffer overflow (CVE-2008-1373).
  • +
  • An unspecified + input validation error was discovered in the HP-GL/2 filter + (CVE-2008-0053).
  • +
+
+ +

+ A local attacker could send specially crafted network packets or print + jobs and possibly execute arbitrary code with the privileges of the + user running CUPS (usually lp), or cause a Denial of Service. The + vulnerabilities are exploitable via the network when CUPS is sharing + printers remotely. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CUPS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/cups-1.2.12-r7" +
+ + CVE-2008-0047 + CVE-2008-0053 + CVE-2008-0882 + CVE-2008-1373 + + + rbu + + + rbu + + + rbu + +
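Review bot: The impact paragraph opens with `A local attacker could send specially crafted network packets or print jobs`, but the advisory's access field is `remote` and the same paragraph closes by saying the vulnerabilities are exploitable via the network when printers are shared. If the network vector is the intended one, the opening should read `A remote attacker could send specially crafted network packets or print jobs`; if both vectors are meant, the access field should say `local, remote` as the Tomcat advisory in this same commit does. Either way the two statements should not contradict each other, since the access field is what readers filter advisories on.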
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-02.xml b/xml/htdocs/security/en/glsa/glsa-200804-02.xml
new file mode 100644
index 00000000..49d2a4df
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-02.xml
@@ -0,0 +1,66 @@
+ + + + + + + bzip2: Denial of Service + + A buffer overread vulnerability has been discovered in Bzip2. + + bzip2 + April 02, 2008 + April 02, 2008: 01 + 213820 + remote + + + 1.0.5 + 1.0.5 + + + +

+ bzip2 is a free and open source lossless data compression program. +

+
+ +

+ The Oulu University discovered that bzip2 does not properly check + offsets provided by the bzip2 file, leading to a buffer overread. +

+
+ +

+ Remote attackers can entice a user or automated system to open a + specially crafted file that triggers a buffer overread, causing a + Denial of Service. libbz2 and programs linking against it are also + affected. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All bzip2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/bzip2-1.0.5" +
+ + CVE-2008-1372 + + + rbu + + + mfleming + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-03.xml b/xml/htdocs/security/en/glsa/glsa-200804-03.xml
new file mode 100644
index 00000000..791430c0
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-03.xml
@@ -0,0 +1,81 @@
+ + + + + + + OpenSSH: Privilege escalation + + Two flaws have been discovered in OpenSSH which could allow local attackers + to escalate their privileges. + + openssh + April 05, 2008 + April 05, 2008: 01 + 214985 + 215702 + local + + + 4.7_p1-r6 + 4.7_p1-r6 + + + +

+ OpenSSH is a complete SSH protocol implementation that includes an SFTP + client and server support. +

+
+ +

+ Two issues have been discovered in OpenSSH: +

+
    +
  • Timo Juhani + Lindfors discovered that OpenSSH sets the DISPLAY variable in SSH + sessions using X11 forwarding even when it cannot bind the X11 server + to a local port in all address families (CVE-2008-1483).
  • +
  • OpenSSH will execute the contents of the ".ssh/rc" file even when + the "ForceCommand" directive is enabled in the global sshd_config + (CVE-2008-1657).
  • +
+
+ +

+ A local attacker could exploit the first vulnerability to hijack + forwarded X11 sessions of other users and possibly execute code with + their privileges, disclose sensitive data or cause a Denial of Service, + by binding a local X11 server to a port using only one address family. + The second vulnerability might allow local attackers to bypass intended + security restrictions and execute commands other than those specified + by "ForceCommand" if they are able to write to their home directory. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSSH users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/openssh-4.7_p1-r6" +
+ + CVE-2008-1483 + CVE-2008-1657 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-04.xml b/xml/htdocs/security/en/glsa/glsa-200804-04.xml
new file mode 100644
index 00000000..2648d6b3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-04.xml
@@ -0,0 +1,81 @@
+ + + + + + + MySQL: Multiple vulnerabilities + + Multiple vulnerabilities in MySQL might lead to privilege escalation and + Denial of Service. + + mysql + April 06, 2008 + April 06, 2008: 01 + 201669 + remote + + + 5.0.54 + 5.0.54 + + + +

+ MySQL is a popular multi-threaded, multi-user SQL server. +

+
+ +

+ Multiple vulnerabilities have been reported in MySQL: +

+
    +
  • Mattias Jonsson reported that a "RENAME TABLE" command against a + table with explicit "DATA DIRECTORY" and "INDEX DIRECTORY" options + would overwrite the file to which the symlink points + (CVE-2007-5969).
  • +
  • Martin Friebe discovered that MySQL does not + update the DEFINER value of a view when the view is altered + (CVE-2007-6303).
  • +
  • Philip Stoev discovered that the federated + engine expects the response of a remote MySQL server to contain a + minimum number of columns in query replies (CVE-2007-6304).
  • +
+
+ +

+ An authenticated remote attacker could exploit the first vulnerability + to overwrite MySQL system tables and escalate privileges, or use the + second vulnerability to gain privileges via an "ALTER VIEW" statement. + Remote federated MySQL servers could cause a Denial of Service in the + local MySQL server by exploiting the third vulnerability. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MySQL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.0.54" +
+ + CVE-2007-5969 + CVE-2007-6303 + CVE-2007-6304 + + + jaervosz + + + jaervosz + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-05.xml b/xml/htdocs/security/en/glsa/glsa-200804-05.xml
new file mode 100644
index 00000000..224cc460
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-05.xml
@@ -0,0 +1,80 @@
+ + + + + + + NX: User-assisted execution of arbitrary code + + NX uses code from the X.org X11 server which is prone to multiple + vulnerabilities. + + nx, nxnode + April 06, 2008 + April 06, 2008: 02 + 210317 + remote + + + 3.1.0-r2 + 3.1.0-r2 + + + 3.1.0-r1 + 3.1.0-r1 + + + +

+ NoMachine's NX establishes remote connections to X11 desktops over + small bandwidth links. NX and NX Node are the compression core + libraries, whereas NX is used by FreeNX and NX Node by the binary-only + NX servers. +

+
+ +

+ Multiple integer overflow and buffer overflow vulnerabilities have been + discovered in the X.Org X server as shipped by NX and NX Node + (vulnerabilities 1-4 in GLSA 200801-09). +

+
+ +

+ A remote attacker could exploit these vulnerabilities via unspecified + vectors, leading to the execution of arbitrary code with the privileges + of the user on the machine running the NX server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All NX Node users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/nxnode-3.1.0-r2" +

+ All NX users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/nx-3.1.0-r1" +
+ + GLSA 200801-09 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-06.xml b/xml/htdocs/security/en/glsa/glsa-200804-06.xml
new file mode 100644
index 00000000..f34ab2a3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-06.xml
@@ -0,0 +1,68 @@
+ + + + + + + UnZip: User-assisted execution of arbitrary code + + A double free vulnerability discovered in UnZip might lead to the execution + of arbitrary code. + + unzip + April 06, 2008 + April 06, 2008: 01 + 213761 + remote + + + 5.52-r2 + 5.52-r2 + + + +

+ Info-ZIP's UnZip is a tool to list and extract files inside PKZIP + compressed files. +

+
+ +

+ Tavis Ormandy of the Google Security Team discovered that the NEEDBITS + macro in the inflate_dynamic() function in the file inflate.c can be + invoked using invalid buffers, which can lead to a double free. +

+
+ +

+ Remote attackers could entice a user or automated system to open a + specially crafted ZIP file that might lead to the execution of + arbitrary code or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All UnZip users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/unzip-5.52-r2" +
+ + CVE-2008-0888 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-07.xml b/xml/htdocs/security/en/glsa/glsa-200804-07.xml
new file mode 100644
index 00000000..5c3616d0
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-07.xml
@@ -0,0 +1,68 @@
+ + + + + + + PECL APC: Buffer Overflow + + A buffer overflow vulnerability in PECL APC might allow for the remote + execution of arbitrary code. + + pecl-apc + April 09, 2008 + April 09, 2008: 01 + 214576 + remote + + + 3.0.16-r1 + 3.0.16-r1 + + + +

+ PECL Alternative PHP Cache (PECL APC) is a free, open, and robust + framework for caching and optimizing PHP intermediate code. +

+
+ +

+ Daniel Papasian discovered a stack-based buffer overflow in the + apc_search_paths() function in the file apc.c when processing long + filenames. +

+
+ +

+ A remote attacker could exploit this vulnerability to execute arbitrary + code in PHP applications that pass user-controlled input to the + include() function. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PECL APC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php5/pecl-apc-3.0.16-r1" +
+ + CVE-2008-1488 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-08.xml b/xml/htdocs/security/en/glsa/glsa-200804-08.xml
new file mode 100644
index 00000000..32b3157b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-08.xml
@@ -0,0 +1,74 @@
+ + + + + + + lighttpd: Multiple vulnerabilities + + Multiple vulnerabilities in lighttpd may lead to information disclosure or + a Denial of Service. + + lighttpd + April 10, 2008 + April 10, 2008: 01 + 212930 + 214892 + remote + + + 1.4.19-r2 + 1.4.19-r2 + + + +

+ lighttpd is a lightweight high-performance web server. +

+
+ +

+ Julien Cayzax discovered that an insecure default setting exists in + mod_userdir in lighttpd. When userdir.path is not set the default value + used is $HOME. It should be noted that the "nobody" user's $HOME is "/" + (CVE-2008-1270). An error also exists in the SSL connection code which + can be triggered when a user prematurely terminates his connection + (CVE-2008-1531). +

+
+ +

+ A remote attacker could exploit the first vulnerability to read + arbitrary files. The second vulnerability can be exploited by a remote + attacker to cause a Denial of Service by terminating a victim's SSL + connection. +

+
+ +

+ As a workaround for CVE-2008-1270 you can set userdir.path to a + sensible value, e.g. "public_html". +

+
+ +

+ All lighttpd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.19-r2" +
+ + CVE-2008-1270 + CVE-2008-1531 + + + keytoaster + + + rbu + + + mfleming + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-09.xml b/xml/htdocs/security/en/glsa/glsa-200804-09.xml
new file mode 100644
index 00000000..bb7534fc
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-09.xml
@@ -0,0 +1,66 @@
+ + + + + + + am-utils: Insecure temporary file creation + + am-utils creates temporary files insecurely allowing local users to + overwrite arbitrary files via a symlink attack. + + am-utils + April 10, 2008 + April 10, 2008: 01 + 210158 + local + + + 6.1.5 + 6.1.5 + + + +

+ am-utils is a collection of utilities for use with the Berkeley + Automounter. +

+
+ +

+ Tavis Ormandy discovered that, when creating temporary files, the + 'expn' utility does not check whether the file already exists. +

+
+ +

+ A local attacker could exploit the vulnerability via a symlink attack + to overwrite arbitrary files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All am-utils users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/am-utils-6.1.5" +
+ + CVE-2008-1078 + + + p-y + + + mfleming + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-10.xml b/xml/htdocs/security/en/glsa/glsa-200804-10.xml
new file mode 100644
index 00000000..d2d2bb19
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-10.xml
@@ -0,0 +1,110 @@
+ + + + + + + Tomcat: Multiple vulnerabilities + + Multiple vulnerabilities in Tomcat may lead to local file overwriting, + session hijacking or information disclosure. + + tomcat + April 10, 2008 + May 28, 2009: 02 + 196066 + 203169 + local, remote + + + 5.5.26 + 6.0.16 + 5.5.27 + 6.0.16 + + + +

+ Tomcat is the Apache Jakarta Project's official implementation of Java + Servlets and Java Server Pages. +

+
+ +

+ The following vulnerabilities were reported: +

+
    +
  • Delian Krustev discovered that the JULI logging component does not + properly enforce access restrictions, allowing web application to add + or overwrite files (CVE-2007-5342).
  • +
  • + When the native APR connector is used, Tomcat does not properly handle + an empty request to the SSL port, which allows remote attackers to + trigger handling of a duplicate copy of one of the recent requests + (CVE-2007-6286).
  • +
  • + If the processing or parameters is interrupted, i.e. by an exception, + then it is possible for the parameters to be processed as part of later + request (CVE-2008-0002).
  • +
  • + An absolute path traversal vulnerability exists due to the way that + WebDAV write requests are handled (CVE-2007-5461).
  • +
  • + Tomcat does not properly handle double quote (") characters or %5C + (encoded backslash) sequences in a cookie value, which might cause + sensitive information such as session IDs to be leaked to remote + attackers and enable session hijacking attacks + (CVE-2007-5333).
  • +
+
+ +

+ These vulnerabilities can be exploited by: +

+
    +
  • + a malicious web application to add or overwrite files with the + permissions of the user running Tomcat. +
  • +
  • + a remote attacker to conduct session hijacking or disclose sensitive + data. +
  • +
+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Tomcat 5.5.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/tomcat-5.5.26" +

+ All Tomcat 6.0.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/tomcat-6.0.16" +
+ + CVE-2007-5333 + CVE-2007-5342 + CVE-2007-5461 + CVE-2007-6286 + CVE-2008-0002 + + + rbu + + + mfleming + + + p-y + +
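Review bot: The header's version lines for the 5.5 branch read `5.5.26` in one list and `5.5.27` in the other, while the resolution tells 5.5.x users to upgrade to `>=www-servers/tomcat-5.5.26`; with the element tags lost in this view I cannot tell which value is the unaffected bound and which the vulnerable one, but if they are such a pair they overlap at 5.5.26 and the resolution's atom should match the unaffected bound. Two wording slips in the bug list are also worth fixing while the file is being imported: `allowing web application to add` should read `allowing web applications to add`, and `If the processing or parameters is interrupted` should read `If the processing of parameters is interrupted`.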
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-11.xml b/xml/htdocs/security/en/glsa/glsa-200804-11.xml
new file mode 100644
index 00000000..9d15689d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-11.xml
@@ -0,0 +1,73 @@
+ + + + + + + policyd-weight: Insecure temporary file creation + + policyd-weight uses temporary files in an insecure manner, allowing for a + symlink attack. + + policyd-weight + April 11, 2008 + April 11, 2008: 01 + 214403 + local + + + 0.1.14.17 + 0.1.14.17 + + + +

+ policyd-weight is a Perl policy daemon for the Postfix MTA intended to + eliminate forged envelope senders and HELOs. +

+
+ +

+ Chris Howells reported that policyd-weight creates and uses the + "/tmp/.policyd-weight/" directory in an insecure manner. +

+
+ +

+ A local attacker could exploit this vulnerability to delete arbitrary + files or change the ownership to the "polw" user via symlink attacks. +

+
+ +

+ Set "$LOCKPATH = '/var/run/policyd-weight/'" manually in + "/etc/policyd-weight.conf". +

+
+ +

+ All policyd-weight users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-filter/policyd-weight-0.1.14.17" +

+ This version changes the default path for sockets to + "/var/run/policyd-weight", which is only writable by a privileged user. + Users need to restart policyd-weight immediately after the upgrade due + to this change. +

+
+ + CVE-2008-1569 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-12.xml b/xml/htdocs/security/en/glsa/glsa-200804-12.xml
new file mode 100644
index 00000000..e886411e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-12.xml
@@ -0,0 +1,66 @@
+ + + + + + + gnome-screensaver: Privilege escalation + + gnome-screensaver allows local users to bypass authentication under certain + configurations. + + gnome-screensaver + April 11, 2008 + April 11, 2008: 01 + 213940 + local + + + 2.20.0-r3 + 2.20.0-r3 + + + +

+ gnome-screensaver is a screensaver, designed to integrate with the + Gnome desktop, that can replace xscreensaver. +

+
+ +

+ gnome-screensaver incorrectly handles the results of the getpwuid() + function in the file src/setuid.c when using directory servers (like + NIS) during a network outage, a similar issue to GLSA 200705-14. +

+
+ +

+ A local user can crash gnome-xscreensaver by preventing network + connectivity if the system uses a remote directory service for + credentials such as NIS or LDAP, which will unlock the screen. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All gnome-screensaver users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=gnome-extra/gnome-screensaver-2.20.0-r3" +
+ + CVE-2008-0887 + GLSA 200705-14 + + + falco + + + vorlon + +
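Review bot: The impact paragraph names the affected program as `gnome-xscreensaver`, which matches neither the package this advisory is about nor the rest of the file (`gnome-screensaver` in the title, synopsis and the resolution's `>=gnome-extra/gnome-screensaver-2.20.0-r3`); it should read `A local user can crash gnome-screensaver by preventing network connectivity`. The actual security consequence, `which will unlock the screen`, is also tucked onto the end of that sentence; stating it first would make the impact clearer to readers skimming the advisory.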
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-13.xml b/xml/htdocs/security/en/glsa/glsa-200804-13.xml
new file mode 100644
index 00000000..13f86f04
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-13.xml
@@ -0,0 +1,83 @@
+ + + + + + + Asterisk: Multiple vulnerabilities + + Multiple vulnerabilities have been found in Asterisk allowing for SQL + injection, session hijacking and unauthorized usage. + + asterisk + April 14, 2008 + April 14, 2008: 01 + 200792 + 202733 + 213883 + remote + + + 1.2.27 + 1.2.27 + + + +

+ Asterisk is an open source telephony engine and tool kit. +

+
+ +

+ Asterisk upstream developers reported multiple vulnerabilities: +

+
    +
  • The Call Detail Record Postgres logging engine (cdr_pgsql) + does not correctly escape the ANI and DNIS arguments before using them + in SQL statements (CVE-2007-6170).
  • +
  • When using database-based + registrations ("realtime") and host-based authentication, Asterisk does + not check the IP address when the username is correct and there is no + password provided (CVE-2007-6430).
  • +
  • The SIP channel driver does + not correctly determine if authentication is required + (CVE-2008-1332).
  • +
+
+ +

+ Remote authenticated attackers could send specially crafted data to + Asterisk to execute arbitrary SQL commands and compromise the + administrative database. Remote unauthenticated attackers could bypass + authentication using a valid username to hijack other user's sessions, + and establish sessions on the SIP channel without authentication. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Asterisk users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.27" +
+ + CVE-2007-6170 + CVE-2007-6430 + CVE-2008-1332 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-14.xml b/xml/htdocs/security/en/glsa/glsa-200804-14.xml
new file mode 100644
index 00000000..6714025f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-14.xml
@@ -0,0 +1,68 @@
+ + + + + + + Opera: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Opera, allowing for + execution of arbitrary code. + + opera + April 14, 2008 + April 14, 2008: 01 + 216022 + remote + + + 9.27 + 9.27 + + + +

+ Opera is a fast web browser that is available free of charge. +

+
+ +

+ Michal Zalewski reported two vulnerabilities, memory corruption when + adding news feed sources from a website (CVE-2008-1761) as well as when + processing HTML CANVAS elements to use scaled images (CVE-2008-1762). + Additionally, an unspecified weakness related to keyboard handling of + password inputs has been reported (CVE-2008-1764). +

+
+ +

+ A remote attacker could entice a user to visit a specially crafted web + site or news feed and possibly execute arbitrary code with the + privileges of the user running Opera. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Opera users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/opera-9.27" +
+ + CVE-2008-1761 + CVE-2008-1762 + CVE-2008-1764 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-15.xml b/xml/htdocs/security/en/glsa/glsa-200804-15.xml
new file mode 100644
index 00000000..0fdf9808
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-15.xml
@@ -0,0 +1,72 @@
+ + + + + + + libpng: Execution of arbitrary code + + A vulnerability in libpng may allow for execution of arbitrary code in + certain applications that handle untrusted images. + + libpng + April 15, 2008 + April 15, 2008: 01 + 217047 + remote + + + 1.2.26-r1 + 1.2.26-r1 + + + +

+ libpng is a free ANSI C library used to process and manipulate PNG + images. +

+
+ +

+ Tavis Ormandy of the Google Security Team discovered that libpng does + not handle zero-length unknown chunks in PNG files correctly, which + might lead to memory corruption in applications that call + png_set_read_user_chunk_fn() or png_set_keep_unknown_chunks(). +

+
+ +

+ A remote attacker could entice a user or automated system to process a + specially crafted PNG image in an application using libpng and possibly + execute arbitrary code with the privileges of the user running the + application. Note that processing of unknown chunks is disabled by + default in most PNG applications, but some such as ImageMagick are + affected. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libpng users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.26-r1" +
+ + CVE-2008-1382 + + + rbu + + + rbu + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-16.xml b/xml/htdocs/security/en/glsa/glsa-200804-16.xml
new file mode 100644
index 00000000..a2910746
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-16.xml
@@ -0,0 +1,78 @@
+ + + + + + + rsync: Execution of arbitrary code + + A buffer overflow in rsync might lead to the remote execution of arbitrary + code when extended attributes are being used. + + rsync + April 17, 2008 + April 17, 2008: 01 + 216887 + remote + + + 2.6.9-r6 + 2.6.9-r6 + + + +

+ rsync is a file transfer program to keep remote directories + synchronized. +

+
+ +

+ Sebastian Krahmer of SUSE reported an integer overflow in the + expand_item_list() function in the file util.c which might lead to a + heap-based buffer overflow when extended attribute (xattr) support is + enabled. +

+
+ +

+ A remote attacker could send a file containing specially crafted + extended attributes to an rsync deamon, or entice a user to sync from + an rsync server containing specially crafted files, possibly leading to + the execution of arbitrary code. +

+

+ Please note that extended attributes are only enabled when USE="acl" is + enabled, which is the default setting. +

+
+ +

+ Disable extended attributes in the rsync daemon by setting "refuse + options = xattrs" in the file "/etc/rsyncd.conf" (or append + "xattrs" to an existing "refuse" statement). When synchronizing to a + server, do not provide the "-X" parameter to rsync. You can also + disable the "acl" USE flag for rsync and recompile the package. +

+
+ +

+ All rsync users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/rsync-2.6.9-r6" +
+ + CVE-2008-1720 + + + rbu + + + rbu + + + rbu + +
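Review bot: `to an rsync deamon` in the impact paragraph is a typo for `to an rsync daemon`, and it is the one place in the file where the daemon is named, so it is worth fixing before import. The workaround paragraph is otherwise in good shape: it separates the server-side `refuse options = xattrs` setting from the client-side `-X` flag and the `acl` USE flag, which is the distinction an administrator needs to know which side to harden.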
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-17.xml b/xml/htdocs/security/en/glsa/glsa-200804-17.xml
new file mode 100644
index 00000000..cb9fd3c9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-17.xml
@@ -0,0 +1,72 @@
+ + + + + + + Speex: User-assisted execution of arbitrary code + + Improper input validation in Speex might lead to array indexing + vulnerabilities in multiple player applications. + + speex + April 17, 2008 + April 17, 2008: 01 + 217715 + remote + + + 1.2_beta3_p2 + 1.2_beta3_p2 + + + +

+ Speex is an audio compression format designed for speech that is free + of patent restrictions. +

+
+ +

+ oCERT reported that the Speex library does not properly validate the + "mode" value it derives from Speex streams, allowing for array indexing + vulnerabilities inside multiple player applications. Within Gentoo, + xine-lib, VLC, gst-plugins-speex from the GStreamer Good Plug-ins, + vorbis-tools, libfishsound, Sweep, SDL_sound, and speexdec were found + to be vulnerable. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted Speex + file or network stream with an application listed above. This might + lead to the execution of arbitrary code with privileges of the user + playing the file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Speex users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/speex-1.2_beta3_p2" +
+ + CVE-2008-1686 + + + vorlon + + + vorlon + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-18.xml b/xml/htdocs/security/en/glsa/glsa-200804-18.xml
new file mode 100644
index 00000000..c8f21a6e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-18.xml
@@ -0,0 +1,67 @@
+ + + + + + + Poppler: User-assisted execution of arbitrary code + + Poppler does not handle fonts inside PDF files safely, allowing for + execution of arbitrary code. + + poppler + April 17, 2008 + April 17, 2008: 02 + 216850 + remote + + + 0.6.3 + 0.6.3 + + + +

+ Poppler is a cross-platform PDF rendering library originally based on + Xpdf. +

+
+ +

+ Kees Cook from the Ubuntu Security Team reported that the + CairoFont::create() function in the file CairoFontEngine.cc does not + verify the type of an embedded font object inside a PDF file before + dereferencing a function pointer from it. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted PDF + file with a Poppler-based PDF viewer such as Gentoo's Xpdf, Epdfview, + or Evince, potentially resulting in the execution of arbitrary code + with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Poppler users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/poppler-0.6.3" +
+ + CVE-2008-1693 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-19.xml b/xml/htdocs/security/en/glsa/glsa-200804-19.xml
new file mode 100644
index 00000000..216af3f9
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-19.xml
@@ -0,0 +1,72 @@
+ + + + + + + PHP Toolkit: Data disclosure and Denial of Service + + PHP Toolkit does not quote parameters, allowing for PHP source code + disclosure on Apache, and a Denial of Service. + + php-toolkit + April 17, 2008 + April 17, 2008: 01 + 209535 + local + + + 1.0.1 + 1.0.1 + + + +

+ PHP Toolkit is a utility to manage parallel installations of PHP within + Gentoo. It is executed by the PHP ebuilds at setup. +

+
+ +

+ Toni Arnold, David Sveningsson, Michal Bartoszkiewicz, and Joseph + reported that php-select does not quote parameters passed to the "tr" + command, which could convert the "-D PHP5" argument in the + "APACHE2_OPTS" setting in the file /etc/conf.d/apache2 to lower case. +

+
+ +

+ An attacker could entice a system administrator to run "emerge + php" or call "php-select -t apache2 php5" directly in a + directory containing a lower case single-character named file, which + would prevent Apache from loading mod_php and thereby disclose PHP + source code and cause a Denial of Service. +

+
+ +

+ Do not run "emerge" or "php-select" from a working directory which + contains a lower case single-character named file. +

+
+ +

+ All PHP Toolkit users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/php-toolkit-1.0.1" +
+ + CVE-2008-1734 + + + rbu + + + vorlon + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-20.xml b/xml/htdocs/security/en/glsa/glsa-200804-20.xml
new file mode 100644
index 00000000..e0b23be1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200804-20.xml
@@ -0,0 +1,234 @@
+ + + + + + + Sun JDK/JRE: Multiple vulnerabilities + + Multiple vulnerabilities have been identified in Sun Java Development Kit + (JDK) and Java Runtime Environment (JRE). + + sun-jdk, sun-jre-bin, emul-linux-x86-java + April 17, 2008 + March 05, 2010: 06 + 178851 + 178962 + 183580 + 185256 + 194711 + 212425 + remote + + + 1.6.0.05 + 1.5.0.21 + 1.5.0.20 + 1.5.0.19 + 1.5.0.18 + 1.5.0.17 + 1.5.0.16 + 1.5.0.15 + 1.4.2.17 + 1.5.0.22 + 1.6.0.05 + + + 1.6.0.05 + 1.5.0.21 + 1.5.0.20 + 1.5.0.19 + 1.5.0.18 + 1.5.0.17 + 1.5.0.16 + 1.5.0.15 + 1.4.2.17 + 1.5.0.22 + 1.6.0.05 + + + 1.6.0.05 + 1.5.0.21 + 1.5.0.20 + 1.5.0.19 + 1.5.0.18 + 1.5.0.17 + 1.5.0.16 + 1.5.0.15 + 1.4.2.17 + 1.5.0.22 + 1.6.0.05 + + + +

+ The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment + (JRE) provide the Sun Java platform. +

+
+ +

+ Multiple vulnerabilities have been discovered in Sun Java: +

+
    +
  • Daniel Soeder discovered that a long codebase attribute string in a + JNLP file will overflow a stack variable when launched by Java WebStart + (CVE-2007-3655).
  • +
  • Multiple vulnerabilities (CVE-2007-2435, CVE-2007-2788, + CVE-2007-2789) that were previously reported as GLSA 200705-23 and GLSA + 200706-08 also affect 1.4 and 1.6 SLOTs, which was not mentioned in the + initial revision of said GLSAs.
  • +
  • The Zero Day Initiative, TippingPoint and John Heasman reported + multiple buffer overflows and unspecified vulnerabilities in Java Web + Start (CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, + CVE-2008-1191).
  • +
  • Hisashi Kojima of Fujitsu and JPCERT/CC reported a security issue + when performing XSLT transformations (CVE-2008-1187).
  • +
  • CERT/CC reported a Stack-based buffer overflow in Java Web Start + when using JNLP files (CVE-2008-1196).
  • +
  • Azul Systems reported an unspecified vulnerability that allows + applets to escalate their privileges (CVE-2007-5689).
  • +
  • Billy Rios, Dan Boneh, Collin Jackson, Adam Barth, Andrew Bortz, + Weidong Shao, and David Byrne discovered multiple instances where Java + applets or JavaScript programs run within browsers do not pin DNS + hostnames to a single IP address, allowing for DNS rebinding attacks + (CVE-2007-5232, CVE-2007-5273, CVE-2007-5274).
  • +
  • Peter Csepely reported that Java Web Start does not properly + enforce access restrictions for untrusted applications (CVE-2007-5237, + CVE-2007-5238).
  • +
  • Java Web Start does not properly enforce access restrictions for + untrusted Java applications and applets, when handling drag-and-drop + operations (CVE-2007-5239).
  • +
  • Giorgio Maone discovered that warnings for untrusted code can be + hidden under applications' windows (CVE-2007-5240).
  • +
  • Fujitsu reported two security issues where security restrictions of + web applets and applications were not properly enforced (CVE-2008-1185, + CVE-2008-1186).
  • +
  • John Heasman of NGSSoftware discovered that the Java Plug-in does + not properly enforce the same origin policy (CVE-2008-1192).
  • +
  • Chris Evans of the Google Security Team discovered multiple + unspecified vulnerabilities within the Java Runtime Environment Image + Parsing Library (CVE-2008-1193, CVE-2008-1194).
  • +
  • Gregory Fleischer reported that web content fetched via the "jar:" + protocol was not subject to network access restrictions + (CVE-2008-1195).
  • +
  • Chris Evans and Johannes Henkel of the Google Security Team + reported that the XML parsing code retrieves external entities even + when that feature is disabled (CVE-2008-0628).
  • +
  • Multiple unspecified vulnerabilities might allow for escalation of + privileges (CVE-2008-0657).
  • +
+
+ +

+ A remote attacker could entice a user to run a specially crafted applet + on a website or start an application in Java Web Start to execute + arbitrary code outside of the Java sandbox and of the Java security + restrictions with the privileges of the user running Java. The attacker + could also obtain sensitive information, create, modify, rename and + read local files, execute local applications, establish connections in + the local network, bypass the same origin policy, and cause a Denial of + Service via multiple vectors. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Sun JRE 1.6 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.05" +

+ All Sun JRE 1.5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.5.0.15" +

+ All Sun JRE 1.4 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.4.2.17" +

+ All Sun JDK 1.6 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.05" +

+ All Sun JDK 1.5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.5.0.15" +

+ All Sun JDK 1.4 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.4.2.17" +

+ All emul-linux-x86-java 1.6 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.6.0.05" +

+ All emul-linux-x86-java 1.5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.5.0.15" +

+ All emul-linux-x86-java 1.4 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.4.2.17" +
+ + CVE-2007-2435 + CVE-2007-2788 + CVE-2007-2789 + CVE-2007-3655 + CVE-2007-5232 + CVE-2007-5237 + CVE-2007-5238 + CVE-2007-5239 + CVE-2007-5240 + CVE-2007-5273 + CVE-2007-5274 + CVE-2007-5689 + CVE-2008-0628 + CVE-2008-0657 + CVE-2008-1185 + CVE-2008-1186 + CVE-2008-1187 + CVE-2008-1188 + CVE-2008-1189 + CVE-2008-1190 + CVE-2008-1191 + CVE-2008-1192 + CVE-2008-1193 + CVE-2008-1194 + CVE-2008-1195 + CVE-2008-1196 + GLSA 200705-23 + GLSA 200706-08 + + + jaervosz + + + jaervosz + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-21.xml b/xml/htdocs/security/en/glsa/glsa-200804-21.xml new file mode 100644 index 00000000..271e3435 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200804-21.xml @@ -0,0 +1,106 @@ + + + + + + + Adobe Flash Player: Multiple vulnerabilities + + Multiple vulnerabilities have been identified, the worst of which allow + arbitrary code execution on a user's system via a malicious Flash file. + + adobe-flash + April 18, 2008 + May 28, 2009: 02 + 204344 + remote + + + 9.0.124.0 + 9.0.124.0 + + + +

+ The Adobe Flash Player is a renderer for the popular SWF file format, + which is commonly used to provide interactive websites, digital + experiences and mobile content. +

+
+ +

+ Multiple vulnerabilities have been discovered in Adobe Flash: +

+
    +
  • + Secunia Research and Zero Day Initiative reported a boundary error + related to DeclareFunction2 Actionscript tags in SWF files + (CVE-2007-6019). +
  • +
  • + The ISS X-Force and the Zero Day Initiative reported an unspecified + input validation error that might lead to a buffer overflow + (CVE-2007-0071). +
  • +
  • + Microsoft, UBsecure and JPCERT/CC reported that cross-domain policy + files are not checked before sending HTTP headers to another domain + (CVE-2008-1654) and that it does not sufficiently restrict the + interpretation and usage of cross-domain policy files (CVE-2007-6243). +
  • +
  • + The Stanford University and Ernst and Young's Advanced Security Center + reported that Flash does not pin DNS hostnames to a single IP + addresses, allowing for DNS rebinding attacks (CVE-2007-5275, + CVE-2008-1655). +
  • +
  • + The Google Security Team and Minded Security Multiple reported multiple + cross-site scripting vulnerabilities when passing input to Flash + functions (CVE-2007-6637). +
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted file + (usually in a web browser), possibly leading to the execution of + arbitrary code with the privileges of the user running the Adobe Flash + Player. The attacker could also cause a user's machine to send HTTP + requests to other hosts, establish TCP sessions with arbitrary hosts, + bypass the security sandbox model, or conduct Cross-Site Scripting and + Cross-Site Request Forgery attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Flash Player users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-9.0.124.0" +
+ + CVE-2007-0071 + CVE-2007-5275 + CVE-2007-6019 + CVE-2007-6243 + CVE-2007-6637 + CVE-2008-1654 + CVE-2008-1655 + + + vorlon + + + rbu + + + rbu + +
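Review bot: The fifth description bullet reads "The Google Security Team and Minded Security Multiple reported multiple cross-site scripting vulnerabilities", which is a garbled reporter credit; it should be `The Google Security Team and Minded Security reported multiple cross-site scripting vulnerabilities when passing input to Flash functions (CVE-2007-6637).` The rest of the bullet list matches the references section, so only that wording needs changing.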
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-22.xml b/xml/htdocs/security/en/glsa/glsa-200804-22.xml new file mode 100644 index 00000000..36457fd2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200804-22.xml @@ -0,0 +1,72 @@ + + + + + + + PowerDNS Recursor: DNS Cache Poisoning + + Use of insufficient randomness in PowerDNS Recursor might lead to DNS cache + poisoning. + + pdns-recursor + April 18, 2008 + August 21, 2008: 03 + 215567 + 231335 + remote + + + 3.1.6 + 3.1.6 + + + +

+ The PowerDNS Recursor is an advanced recursing nameserver. +

+
+ +

+ Amit Klein of Trusteer reported that insufficient randomness is used to + calculate the TRXID values and the UDP source port numbers + (CVE-2008-1637). Thomas Biege of SUSE pointed out that a prior fix to + resolve this issue was incomplete, as it did not always enable the + stronger random number generator for source port selection + (CVE-2008-3217). +

+
+ +

+ A remote attacker could send malicious answers to insert arbitrary DNS + data into the cache. These attacks would in turn help an attacker to + perform man-in-the-middle and site impersonation attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PowerDNS Recursor users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/pdns-recursor-3.1.6" +
+ + CVE-2008-1637 + CVE-2008-3217 + + + keytoaster + + + rbu + + + rbu + +
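Review bot: The resolution gives no way to confirm the fix took effect, even though the description states that the earlier fix (CVE-2008-3217) silently failed to enable the stronger generator for source-port selection, so a second silent failure is exactly what an administrator would want to rule out. Suggest adding to the resolution `After upgrading, verify that outgoing queries leave the recursor with randomized UDP source ports.` It is also worth a caveat, hedged since the advisory itself does not establish it, that a NAT device or stateful firewall in front of the recursor which rewrites source ports sequentially can undo the randomization this upgrade provides.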
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-23.xml b/xml/htdocs/security/en/glsa/glsa-200804-23.xml new file mode 100644 index 00000000..948fae73 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200804-23.xml @@ -0,0 +1,69 @@ + + + + + + + CUPS: Integer overflow vulnerability + + A vulnerability in CUPS might allow for the execution of arbitrary code or + a Denial of Service. + + cups + April 18, 2008 + April 18, 2008: 01 + 217232 + remote, local + + + 1.2.12-r8 + 1.2.12-r8 + + + +

+ CUPS provides a portable printing layer for UNIX-based operating + systems. +

+
+ +

+ Thomas Pollet reported a possible integer overflow vulnerability in the + PNG image handling in the file filter/image-png.c. +

+
+ +

+ A malicious user might be able to execute arbitrary code with the + privileges of the user running CUPS (usually lp), or cause a Denial of + Service by sending a specially crafted PNG image to the print server. + The vulnerability is exploitable via the network if CUPS is sharing + printers remotely. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CUPS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/cups-1.2.12-r8" +
+ + CVE-2008-1722 + + + vorlon + + + vorlon + + + vorlon + +
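Review bot: The workaround section states that none is known, but the impact paragraph itself says the issue is only reachable over the network when CUPS shares printers remotely, which is a partial mitigation the advisory should state. Suggest `Do not share printers over the network (for example, keep CUPS listening on localhost only); this removes the remote vector, but local users can still submit a crafted PNG image.` The access field correctly lists both remote and local, so the caveat about local users needs to stay in the workaround text.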
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-24.xml b/xml/htdocs/security/en/glsa/glsa-200804-24.xml new file mode 100644 index 00000000..4f779e5f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200804-24.xml @@ -0,0 +1,71 @@ + + + + + + + DBmail: Data disclosure + + A vulnerability in DBMail could allow for passwordless login to any account + under certain configurations. + + dbmail + April 18, 2008 + April 18, 2008: 01 + 218154 + remote + + + 2.2.9 + 2.2.9 + + + +

+ DBMail is a mail storage and retrieval daemon that uses SQL databases + as its data store. IMAP and POP3 can be used to retrieve mails from the + database. +

+
+ +

+ A vulnerability in DBMail's authldap module when used in conjunction + with an Active Directory server has been reported by vugluskr. When + passing a zero length password to the module, it tries to bind + anonymously to the LDAP server. If the LDAP server allows anonymous + binds, this bind succeeds and results in a successful authentication to + DBMail. +

+
+ +

+ By passing an empty password string to the server, an attacker could be + able to log in to any account. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All DBMail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/dbmail-2.2.9" +
+ + CVE-2007-6714 + + + vorlon + + + vorlon + + + rbu + +
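Review bot: The workaround section says none is known, yet the description establishes that the empty-password bypass only succeeds when the LDAP (Active Directory) server accepts anonymous binds, which gives a supported interim measure. Suggest `Configure the LDAP / Active Directory server to reject anonymous binds until DBMail is upgraded.` The impact sentence would also be clearer with its precondition stated, e.g. `By passing an empty password string, an attacker could log in to any account when DBMail uses the authldap module against a server that permits anonymous binds.`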
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-25.xml b/xml/htdocs/security/en/glsa/glsa-200804-25.xml new file mode 100644 index 00000000..092e29c3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200804-25.xml @@ -0,0 +1,95 @@ + + + + + + + VLC: User-assisted execution of arbitrary code + + Multiple vulnerabilities were found in VLC, allowing for the execution of + arbitrary code. + + vlc + April 23, 2008 + April 23, 2008: 01 + 214277 + 214627 + remote + + + 0.8.6f + 0.8.6f + + + +

+ VLC is a cross-platform media player and streaming server. +

+
+ +

+ Multiple vulnerabilities were found in VLC: +

+
    +
  • + Luigi Auriemma discovered that the stack-based buffer overflow when + reading subtitles, which has been reported as CVE-2007-6681 in GLSA + 200803-13, was not properly fixed (CVE-2008-1881). +
  • +
  • + Alin Rad Pop of Secunia reported an array indexing vulnerability in the + sdpplin_parse() function when processing streams from RTSP servers in + Xine code, which is also used in VLC (CVE-2008-0073). +
  • +
  • + Drew Yao and Nico Golde reported an integer overflow in the + MP4_ReadBox_rdrf() function in the file libmp4.c leading to a + heap-based buffer overflow when reading MP4 files (CVE-2008-1489). +
  • +
  • Drew Yao also reported integer overflows in the MP4 demuxer, + the Real demuxer and in the Cinepak codec, which might lead to buffer + overflows (CVE-2008-1768).
  • +
  • Drew Yao finally discovered and a + boundary error in Cinepak, which might lead to memory corruption + (CVE-2008-1769).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted media + file or stream, possibly resulting in the remote execution of arbitrary + code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All VLC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/vlc-0.8.6f" +
+ + CVE-2007-6681 + CVE-2008-0073 + CVE-2008-1489 + CVE-2008-1768 + CVE-2008-1769 + CVE-2008-1881 + GLSA 200803-13 + + + rbu + + + rbu + + + rbu + +
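Review bot: The fifth description bullet reads "Drew Yao finally discovered and a boundary error in Cinepak", which is ungrammatical; suggest `Drew Yao also discovered a boundary error in Cinepak, which might lead to memory corruption (CVE-2008-1769).` Since the first bullet states that the CVE-2007-6681 fix from GLSA 200803-13 was incomplete, users who already acted on that advisory will assume they are covered, so the resolution should say explicitly that 0.8.6f supersedes the earlier fix and that the 200803-13 upgrade alone is not sufficient.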
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-26.xml b/xml/htdocs/security/en/glsa/glsa-200804-26.xml new file mode 100644 index 00000000..74251072 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200804-26.xml @@ -0,0 +1,66 @@ + + + + + + + Openfire: Denial of Service + + A design error in Openfire might lead to a Denial of Service. + + openfire + April 23, 2008 + April 23, 2008: 01 + 217234 + remote + + + 3.5.0 + 3.5.0 + + + +

+ Openfire (formerly Wildfire) is a Java implementation of a complete + Jabber server. +

+
+ +

+ Openfire's connection manager in the file ConnectionManagerImpl.java + cannot handle clients that fail to read messages, and has no limit on + their session's send buffer. +

+
+ +

+ Remote authenticated attackers could trigger large outgoing queues + without reading messages, causing a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Openfire users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/openfire-3.5.0" +
+ + CVE-2008-1728 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-27.xml b/xml/htdocs/security/en/glsa/glsa-200804-27.xml new file mode 100644 index 00000000..18e4736f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200804-27.xml @@ -0,0 +1,104 @@ + + + + + + + SILC: Multiple vulnerabilities + + Multiple vulnerabilities were found in SILC Client, Server, and Toolkit, + allowing for Denial of Service and execution of arbitrary code. + + silc-toolkit silc-client silc-server + April 24, 2008 + April 24, 2008: 01 + 212362 + 214116 + 214812 + remote + + + 1.1.7 + 1.1.7 + + + 1.1.4 + 1.1.4 + + + 1.1.2 + 1.1.2 + + + +

+ SILC (Secure Internet Live Conferencing protocol) Toolkit is a software + development kit for use in clients, SILC Server is a communication + server, and SILC Client is an IRSSI-based text client. +

+
+ +
    +
  • Nathan G. Grennan reported a boundary error in SILC Toolkit + within the silc_fingerprint() function in the file + lib/silcutil/silcutil.c when passing overly long data, resulting in a + stack-based buffer overflow (CVE-2008-1227).
  • +
  • A vulnerability + has been reported in SILC Server which is caused due to an error in the + handling of "NEW_CLIENT" packets that do not contain a nickname + (CVE-2008-1429).
  • +
  • Ariel Waissbein, Pedro Varangot, Martin + Mizrahi, Oren Isacson, Carlos Garcia, and Ivan Arce of Core Security + Technologies reported that SILC Client, Server, and Toolkit contain a + vulnerability in the silc_pkcs1_decode() function in the silccrypt + library (silcpkcs1.c), resulting in an integer underflow, signedness + error, and a buffer overflow (CVE-2008-1552).
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities to cause a Denial + of Service or execute arbitrary code with the privileges of the user + running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SILC Toolkit users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/silc-toolkit-1.1.7" +

+ All SILC Client users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/silc-client-1.1.4" +

+ All SILC Server users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/silc-server-1.1.2" +
+ + CVE-2008-1227 + CVE-2008-1429 + CVE-2008-1552 + + + rbu + + + rbu + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-28.xml b/xml/htdocs/security/en/glsa/glsa-200804-28.xml new file mode 100644 index 00000000..3a206dd3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200804-28.xml @@ -0,0 +1,77 @@ + + + + + + + JRockit: Multiple vulnerabilities + + Multiple vulnerabilities have been identified in BEA JRockit. + + jrockit-jdk-bin + April 24, 2008 + April 24, 2008: 01 + 218226 + remote + + + 1.4.2.16 + 1.5.0.14 + 1.5.0.14 + + + +

+ JRockit is BEA WebLogic's J2SE Development Kit. +

+
+ +

+ Because of sharing the same codebase, JRockit is affected by the + vulnerabilities mentioned in GLSA 200804-20. +

+
+ +

+ A remote attacker could entice a user to run a specially crafted applet + on a website or start an application in Java Web Start to execute + arbitrary code outside of the Java sandbox and of the Java security + restrictions with the privileges of the user running Java. The attacker + could also obtain sensitive information, create, modify, rename and + read local files, execute local applications, establish connections in + the local network, bypass the same origin policy, and cause a Denial of + Service via multiple vectors. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All JRockit 1.4 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/jrockit-jdk-bin-1.4.2.16" +

+ All JRockit 1.5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/jrockit-jdk-bin-1.5.0.14" +
+ + GLSA 200804-20 + + + rbu + + + keytoaster + + + keytoaster + +
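Review bot: The references section lists only GLSA 200804-20, so none of the CVE identifiers JRockit inherits appear in this advisory, which prevents CVE-keyed trackers and scanners from matching it. Since the description says JRockit shares the Sun codebase, the CVE identifiers from the 200804-20 references should be copied into this references section, or the description should state which of them apply, because `affected by the vulnerabilities mentioned in GLSA 200804-20` does not say whether all of them do. If only a subset is confirmed for JRockit, list that subset and say so.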
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-29.xml b/xml/htdocs/security/en/glsa/glsa-200804-29.xml new file mode 100644 index 00000000..626ef294 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200804-29.xml @@ -0,0 +1,72 @@ + + + + + + + Comix: Multiple vulnerabilities + + Multiple vulnerabilities in Comix may lead to execution of arbitrary + commands and a Denial of Service. + + comix + April 25, 2008 + April 25, 2008: 01 + 215694 + local, remote + + + 3.6.4-r1 + 3.6.4-r1 + + + +

+ Comix is a GTK comic book viewer. +

+
+ +

+ Comix does not properly sanitize filenames containing shell + metacharacters when they are passed to the rar, unrar, or jpegtran + programs (CVE-2008-1568). Comix also creates directories with + predictable names (CVE-2008-1796). +

+
+ +

+ A remote attacker could exploit the first vulnerability by enticing a + user to use Comix to open a file with a specially crafted filename, + resulting in the execution of arbitrary commands. The second + vulnerability could be exploited by a local attacker to cause a Denial + of Service by creating a file or directory with the same filename as + the predictable filename used by Comix. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Comix users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/comix-3.6.4-r1" +
+ + CVE-2008-1568 + CVE-2008-1796 + + + keytoaster + + + mfleming + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200804-30.xml b/xml/htdocs/security/en/glsa/glsa-200804-30.xml new file mode 100644 index 00000000..9c616729 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200804-30.xml @@ -0,0 +1,68 @@ + + + + + + + KDE start_kdeinit: Multiple vulnerabilities + + Multiple vulnerabilities in start_kdeinit could possibly allow a local + attacker to execute arbitrary code with root privileges. + + kdelibs + April 29, 2008 + April 08, 2009: 02 + 218933 + local + + + 3.5.8-r4 + 3.5.9-r3 + 4.0 + 3.5.5 + 3.5.10-r2 + 4.0 + + + +

+ KDE is a feature-rich graphical desktop environment for Linux and + Unix-like operating systems. start_kdeinit is a wrapper for kdeinit. +

+
+ +

+ Vulnerabilities have been reported in the processing of user-controlled + data by start_kdeinit, which is setuid root by default. +

+
+ +

+ A local attacker could possibly execute arbitrary code with root + privileges, cause a Denial of Service or send Unix signals to other + processes, when start_kdeinit is setuid root. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All kdelibs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-base/kdelibs-3.5.8-r4" +
+ + CVE-2008-1671 + + + vorlon + + + vorlon + +
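Review bot: The workaround section says none is known, but both the description and the impact paragraph condition the problem on start_kdeinit being setuid root, so clearing that bit is a supported interim mitigation. Suggest `As an interim measure, remove the setuid bit from the installed start_kdeinit binary (chmod u-s); this disables whatever privileged function the wrapper provides, so upgrade as soon as possible.` The resolution gives only `>=kde-base/kdelibs-3.5.8-r4`, while the unaffected list appears to also name 3.5.9-r3, 3.5.10-r2 and 4.0; users on those versions would benefit from matching per-version resolution lines, as the other advisories in this series provide.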
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-01.xml b/xml/htdocs/security/en/glsa/glsa-200805-01.xml new file mode 100644 index 00000000..48a6ddc6 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200805-01.xml @@ -0,0 +1,131 @@ + + + + + + + Horde Application Framework: Multiple vulnerabilities + + Multiple vulnerabilities in the Horde Application Framework may lead to the + execution of arbitrary files, information disclosure, and allow a remote + attacker to bypass security restrictions. + + horde + May 05, 2008 + May 05, 2008: 01 + 212635 + 213493 + remote + + + 3.1.7 + 3.1.7 + + + 1.0.5 + 1.0.5 + + + 2.1.7 + 2.1.7 + + + 2.1.2 + 2.1.2 + + + 2.1.4 + 2.1.4 + + + 1.0.6 + 1.0.6 + + + +

+ The Horde Application Framework is a general-purpose web application + framework written in PHP, providing classes for handling preferences, + compression, browser detection, connection tracking, MIME and more. +

+
+ +

+ Multiple vulnerabilities have been reported in the Horde Application + Framework: +

+
    +
  • David Collins, Patrick Pelanne and the + HostGator.com LLC support team discovered that the theme preference + page does not sanitize POST variables for several options, allowing the + insertion of NULL bytes and ".." sequences (CVE-2008-1284).
  • +
  • An + error exists in the Horde API allowing users to bypass security + restrictions.
  • +
+
+ +

+ The first vulnerability can be exploited by a remote attacker to read + arbitrary files and by remote authenticated attackers to execute + arbitrary files. The second vulnerability can be exploited by + authenticated remote attackers to perform restricted operations. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Horde Application Framework users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-3.1.7" +

+ All horde-groupware users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-groupware-1.0.5" +

+ All horde-kronolith users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-kronolith-2.1.7" +

+ All horde-mnemo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-mnemo-2.1.2" +

+ All horde-nag users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-nag-2.1.4" +

+ All horde-webmail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-webmail-1.0.6" +
+ + CVE-2008-1284 + + + keytoaster + + + rbu + + + mfleming + +
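Review bot: The second description bullet, `An error exists in the Horde API allowing users to bypass security restrictions`, carries no identifier and the references list only CVE-2008-1284, so readers cannot trace or verify the second issue. Add the upstream bug or advisory reference for it and, if known, say which API call and which restriction is bypassed; if no identifier exists, state that explicitly (`no CVE assigned`). The first bullet's NULL-byte and ".." issue appears to be a path traversal, and naming it as such in the impact section would help readers who search by vulnerability class.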
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-02.xml b/xml/htdocs/security/en/glsa/glsa-200805-02.xml new file mode 100644 index 00000000..9f21a487 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200805-02.xml @@ -0,0 +1,66 @@ + + + + + + + phpMyAdmin: Information disclosure + + A vulnerability in phpMyAdmin may lead to information disclosure. + + phpmyadmin + May 05, 2008 + May 05, 2008: 01 + 219005 + remote + + + 2.11.5.2 + 2.11.5.2 + + + +

+ phpMyAdmin is a tool written in PHP intended to handle the + administration of MySQL databases from a web-browser. +

+
+ +

+ Cezary Tomczak reported that an undefined UploadDir variable exposes an + information disclosure vulnerability when running on shared hosts. +

+
+ +

+ A remote attacker with CREATE TABLE permissions can exploit this + vulnerability via a specially crafted HTTP POST request in order to + read arbitrary files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpMyAdmin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.11.5.2" +
+ + CVE-2008-1924 + + + vorlon + + + vorlon + + + mfleming + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-03.xml b/xml/htdocs/security/en/glsa/glsa-200805-03.xml new file mode 100644 index 00000000..f165288b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200805-03.xml @@ -0,0 +1,136 @@ + + + + + + + Multiple X11 terminals: Local privilege escalation + + A vulnerability was found in aterm, Eterm, Mrxvt, multi-aterm, RXVT, + rxvt-unicode, and wterm, allowing for local privilege escalation. + + aterm eterm rxvt mrxvt multi-aterm wterm rxvt-unicode + May 07, 2008 + May 10, 2008: 02 + 216833 + 217819 + 219746 + 219750 + 219754 + 219760 + 219762 + local + + + 1.0.1-r1 + 1.0.1-r1 + + + 0.9.4-r1 + 0.9.4-r1 + + + 0.5.3-r2 + 0.5.3-r2 + + + 0.2.1-r1 + 0.2.1-r1 + + + 2.7.10-r4 + 2.7.10-r4 + + + 9.02-r1 + 9.02-r1 + + + 6.2.9-r3 + 6.2.9-r3 + + + +

+ Aterm, Eterm, Mrxvt, multi-aterm, RXVT, rxvt-unicode, and wterm are X11 + terminal emulators. +

+
+ +

+ Bernhard R. Link discovered that RXVT opens a terminal on :0 if the + "-display" option is not specified and the DISPLAY environment variable + is not set. Further research by the Gentoo Security Team has shown that + aterm, Eterm, Mrxvt, multi-aterm, rxvt-unicode, and wterm are also + affected. +

+
+ +

+ A local attacker could exploit this vulnerability to hijack X11 + terminals of other users. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All aterm users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/aterm-1.0.1-r1" +

+ All Eterm users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/eterm-0.9.4-r1" +

+ All Mrxvt users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/mrxvt-0.5.3-r2" +

+ All multi-aterm users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/multi-aterm-0.2.1-r1" +

+ All RXVT users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/rxvt-2.7.10-r4" +

+ All rxvt-unicode users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/rxvt-unicode-9.02-r1" +

+ All wterm users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/wterm-6.2.9-r3" +
+ + CVE-2008-1142 + CVE-2008-1692 + + + keytoaster + + + keytoaster + + + keytoaster + +
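Review bot: The workaround section says none is known, but the description states the fallback to `:0` only happens when neither `-display` nor the `DISPLAY` variable is set, so the advisory can offer a partial mitigation. Suggest `Always start the terminal with an explicit -display argument or with DISPLAY set in the environment; this prevents your own terminal from falling back to :0 but is only a per-user measure.` The impact line `hijack X11 terminals of other users` would benefit from one sentence explaining how the fallback leads to another user's display, since the mechanism is not obvious from the description alone.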
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-04.xml b/xml/htdocs/security/en/glsa/glsa-200805-04.xml new file mode 100644 index 00000000..820a3e7e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200805-04.xml @@ -0,0 +1,77 @@ + + + + + + + eGroupWare: Multiple vulnerabilities + + Multiple vulnerabilities in eGroupWare may lead to execution of arbitrary + PHP code, the ability to upload malicious files and cross-site scripting + attacks. + + egroupware + May 07, 2008 + May 07, 2008: 01 + 214212 + 218625 + remote + + + 1.4.004 + 1.4.004 + + + +

+ eGroupWare is a suite of web-based group applications including + calendar, address book, messenger and email. +

+
+ +

+ A vulnerability has been reported in FCKEditor due to the way that file + uploads are handled in the file + editor/filemanager/upload/php/upload.php when a filename has multiple + file extensions (CVE-2008-2041). Another vulnerability exists in the + _bad_protocol_once() function in the file + phpgwapi/inc/class.kses.inc.php, which allows remote attackers to + bypass HTML filtering (CVE-2008-1502). +

+
+ +

+ The first vulnerability can be exploited to upload malicious files and + execute arbitrary PHP code provided that a directory is writable by the + webserver. The second vulnerability can be exploited by remote + attackers via a specially crafted URL in order to conduct cross-site + scripting attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All eGroupWare users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/egroupware-1.4.004" +
+ + CVE-2008-1502 + CVE-2008-2041 + + + keytoaster + + + mfleming + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-05.xml b/xml/htdocs/security/en/glsa/glsa-200805-05.xml new file mode 100644 index 00000000..3bce4343 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200805-05.xml @@ -0,0 +1,79 @@ + + + + + + + Wireshark: Denial of Service + + Multiple Denial of Service vulnerabilities have been discovered in + Wireshark. + + wireshark + May 07, 2008 + May 07, 2008: 01 + 215276 + remote + + + 1.0.0 + 1.0.0 + + + +

+ Wireshark is a network protocol analyzer with a graphical front-end. +

+
+ +

+ Errors exist in: +

+
    +
  • + the X.509sat dissector because of an uninitialized variable and the + Roofnet dissector because a NULL pointer may be passed to the + g_vsnprintf() function (CVE-2008-1561).
  • +
  • + the LDAP dissector because a NULL pointer may be passed to the + ep_strdup_printf() function (CVE-2008-1562).
  • +
  • + the SCCP dissector because it does not reset a pointer once the packet + has been processed (CVE-2008-1563).
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities by sending a + malformed packet or enticing a user to read a malformed packet trace + file, causing a Denial of Service. +

+
+ +

+ Disable the X.509sat, Roofnet, LDAP, and SCCP dissectors. +

+
+ +

+ All Wireshark users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.0.0" +
+ + CVE-2008-1561 + CVE-2008-1562 + CVE-2008-1563 + + + vorlon + + + vorlon + + + mfleming + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-06.xml b/xml/htdocs/security/en/glsa/glsa-200805-06.xml new file mode 100644 index 00000000..8f982a93 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200805-06.xml @@ -0,0 +1,70 @@ + + + + + + + Firebird: Data disclosure + + Firebird allows remote connections to the administrative account without + verifying credentials. + + firebird + May 09, 2008 + May 09, 2008: 01 + 216158 + remote + + + 2.0.3.12981.0-r6 + 2.0.3.12981.0-r6 + + + +

+ Firebird is a multi-platform, open source relational database. +

+
+ +

+ Viesturs reported that the default configuration for Gentoo's init + script ("/etc/conf.d/firebird") sets the "ISC_PASSWORD" environment + variable when starting Firebird. It will be used when no password is + supplied by a client connecting as the "SYSDBA" user. +

+
+ +

+ A remote attacker can authenticate as the "SYSDBA" user without + providing the credentials, resulting in complete disclosure of all + databases except for the user and password database (security2.fdb). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Firebird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/firebird-2.0.3.12981.0-r6" +

+ Note: /etc/conf.d is protected by Portage as a configuration directory. + Do not forget to use "etc-update" or "dispatch-conf" to + overwrite the "firebird" configuration file, and then restart Firebird. +

+
+ + CVE-2008-1880 + + + rbu + + + vorlon + +
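Review bot: The workaround section says none is known, but the description pins the problem to the `ISC_PASSWORD` setting in `/etc/conf.d/firebird`, so removing that setting and restarting the service is a supported interim measure. Suggest `Remove or comment out the ISC_PASSWORD line in /etc/conf.d/firebird and restart Firebird.` The resolution's etc-update note is the critical step here, since an unapplied config merge leaves the server exposed despite the package upgrade; add a verification line such as `Afterwards, confirm that the environment of the running Firebird process no longer contains ISC_PASSWORD.`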
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-07.xml b/xml/htdocs/security/en/glsa/glsa-200805-07.xml new file mode 100644 index 00000000..9ec5abda --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200805-07.xml @@ -0,0 +1,88 @@ + + + + + + + Linux Terminal Server Project: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in components shipped with + LTSP which allow remote attackers to compromise terminal clients. + + ltsp + May 09, 2008 + May 09, 2008: 01 + 215699 + remote + + + 5.0 + + + +

+ The Linux Terminal Server Project adds thin-client support to Linux + servers. +

+
+ +

+ LTSP version 4.2, ships prebuilt copies of programs such as the Linux + Kernel, the X.org X11 server (GLSA 200705-06, GLSA 200710-16, GLSA + 200801-09), libpng (GLSA 200705-24, GLSA 200711-08), Freetype (GLSA + 200705-02, GLSA 200705-22) and OpenSSL (GLSA 200710-06, GLSA 200710-30) + which were subject to multiple security vulnerabilities since 2006. + Please note that the given list of vulnerabilities might not be + exhaustive. +

+
+ +

+ A remote attacker could possibly exploit vulnerabilities in the + aforementioned programs and execute arbitrary code, disclose sensitive + data or cause a Denial of Service within LTSP 4.2 clients. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ LTSP 4.2 is not maintained upstream in favor of version 5. Since + version 5 is not yet available in Gentoo, the package has been masked. + We recommend that users unmerge LTSP: +

+ + # emerge --unmerge net-misc/ltsp +

+ If you have a requirement for Linux Terminal Servers, please either set + up a terminal server by hand or use one of the distributions that + already migrated to LTSP 5. If you want to contribute to the + integration of LTSP 5 in Gentoo, or want to follow its development, + find details in bug 177580. +

+
+ + GLSA 200705-02 + GLSA 200705-06 + GLSA 200705-22 + GLSA 200705-24 + GLSA 200710-06 + GLSA 200710-16 + GLSA 200710-30 + GLSA 200711-08 + GLSA 200801-09 + Gentoo bug 177580: Port LTSP 5 to Gentoo + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-08.xml b/xml/htdocs/security/en/glsa/glsa-200805-08.xml
new file mode 100644
index 00000000..74921afe
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-08.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ InspIRCd: Denial of Service
+
+ A buffer overflow in InspIRCd allows remote attackers to cause a Denial of
+ Service.
+
+ inspircd
+ May 09, 2008
+ May 09, 2008: 01
+ 215704
+ remote
+
+
+ 1.1.19
+ 1.1.19
+
+
+
+

+ InspIRCd (Inspire IRCd) is a modular C++ IRC daemon. +

+
+ +

+ The "namesx" and "uhnames" modules do not properly validate network + input, leading to a buffer overflow. +

+
+ +

+ A remote attacker can send specially crafted IRC commands to the + server, causing a Denial of Service. +

+
+ +

+ Unload the "uhnames" module in the InspIRCd configuration. +

+
+ +

+ All InspIRCd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/inspircd-1.1.19" +
+ + CVE-2008-1925 + + + rbu + + + rbu + + + rbu + +
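Review bot: The workaround names only the "uhnames" module, while the description attributes the missing input validation to both the "namesx" and "uhnames" modules, so a reader who follows the workaround may leave the namesx code path exposed. Either the workaround should cover both, e.g. `Unload the "namesx" and "uhnames" modules in the InspIRCd configuration.`, or the description should state which of the two modules actually carries the overflow. With a single CVE reference the advisory text is the only place this distinction is recorded, so the two sections should agree.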
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-09.xml b/xml/htdocs/security/en/glsa/glsa-200805-09.xml
new file mode 100644
index 00000000..47a22db1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-09.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ MoinMoin: Privilege escalation
+
+ A vulnerability in MoinMoin may allow a remote attacker to elevate his
+ privileges.
+
+ moinmoin
+ May 11, 2008
+ May 11, 2008: 01
+ 218752
+ remote
+
+
+ 1.6.3
+ 1.6.3
+
+
+
+

+ MoinMoin is an advanced and extensible Wiki Engine. +

+
+ +

+ It has been reported that the user form processing in the file + userform.py does not properly manage users when using Access Control + Lists or a non-empty superusers list. +

+
+ +

+ A remote attacker could exploit this vulnerability to gain superuser + privileges on the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MoinMoin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/moinmoin-1.6.3" +
+ + CVE-2008-1937 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-10.xml b/xml/htdocs/security/en/glsa/glsa-200805-10.xml
new file mode 100644
index 00000000..688b1009
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-10.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ Pngcrush: User-assisted execution of arbitrary code
+
+ A vulnerability in Pngcrush might result in user-assisted execution of
+ arbitrary code.
+
+ pngcrush
+ May 11, 2008
+ May 11, 2008: 01
+ 219033
+ remote
+
+
+ 1.6.4-r1
+ 1.6.4-r1
+
+
+
+

+ Pngcrush is a multi platform optimizer for PNG (Portable Network + Graphics) files. +

+
+ +

+ It has been reported that Pngcrush includes a copy of libpng that is + vulnerable to a memory corruption (GLSA 200804-15). +

+
+ +

+ A remote attacker could entice a user to process a specially crafted + PNG image, possibly resulting in the execution of arbitrary code with + the privileges of the user running the application, or a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Pngcrush users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/pngcrush-1.6.4-r1" +
+ + CVE-2008-1382 + GLSA 200804-15 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-11.xml b/xml/htdocs/security/en/glsa/glsa-200805-11.xml
new file mode 100644
index 00000000..00d338ca
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-11.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Chicken: Multiple vulnerabilities
+
+ Multiple vulnerabilities in Chicken could result in the execution of
+ arbitrary code.
+
+ chicken
+ May 12, 2008
+ May 12, 2008: 01
+ 198979
+ remote
+
+
+ 3.1.0
+ 3.1.0
+
+
+
+

+ Chicken is a Scheme interpreter and native Scheme to C compiler. +

+
+ +

+ Chicken includes a copy of PCRE which is vulnerable to multiple buffer + overflows and memory corruption vulnerabilities (GLSA 200711-30). +

+
+ +

+ An attacker could entice a user to process specially crafted regular + expressions with Chicken, which could possibly lead to the execution of + arbitrary code, a Denial of Service or the disclosure of sensitive + information. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Chicken users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-scheme/chicken-3.1.0" +
+ + GLSA 200711-30 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-12.xml b/xml/htdocs/security/en/glsa/glsa-200805-12.xml
new file mode 100644
index 00000000..7f058376
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-12.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ Blender: Multiple vulnerabilities
+
+ Multiple vulnerabilities in Blender might result in the remote execution of
+ arbitrary code.
+
+ blender
+ May 12, 2008
+ May 12, 2008: 01
+ 219008
+ remote
+
+
+ 2.43-r2
+ 2.43-r2
+
+
+
+

+ Blender is a 3D creation, animation and publishing program. +

+
+ +

+ Stefan Cornelius (Secunia Research) reported a boundary error within + the imb_loadhdr() function in in the file + source/blender/imbuf/intern/radiance_hdr.c when processing RGBE images + (CVE-2008-1102). Multiple vulnerabilities involving insecure usage of + temporary files have also been reported (CVE-2008-1103). +

+
+ +

+ A remote attacker could entice a user to open a specially crafted file + (.hdr or .blend), possibly resulting in the remote execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Blender users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/blender-2.43-r2" +
+ + CVE-2008-1102 + CVE-2008-1103 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-13.xml b/xml/htdocs/security/en/glsa/glsa-200805-13.xml
new file mode 100644
index 00000000..a05e78df
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-13.xml
@@ -0,0 +1,75 @@
+
+
+
+
+
+
+ PTeX: Multiple vulnerabilities
+
+ Multiple vulnerabilities were discovered in PTeX, possibly allowing the
+ execution of arbitrary code or overwriting arbitrary files.
+
+ ptex
+ May 12, 2008
+ May 12, 2008: 01
+ 196673
+ remote
+
+
+ 3.1.10_p20071203
+ 3.1.10_p20071203
+
+
+
+

+ PTeX is a TeX distribution with Japanese support. It is used for + creating and manipulating LaTeX documents. +

+
+ +

+ Multiple issues were found in the teTeX 2 codebase that PTeX builds + upon (GLSA 200709-17, GLSA 200711-26). PTeX also includes vulnerable + code from the GD library (GLSA 200708-05), from Xpdf (GLSA 200709-12, + GLSA 200711-22) and from T1Lib (GLSA 200710-12). +

+
+ +

+ Remote attackers could possibly execute arbitrary code and local + attackers could possibly overwrite arbitrary files with the privileges + of the user running PTeX via multiple vectors, e.g. enticing users to + open specially crafted files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PTeX users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/ptex-3.1.10_p20071203" +
+ + GLSA 200708-05 + GLSA 200709-12 + GLSA 200709-17 + GLSA 200710-12 + GLSA 200711-22 + GLSA 200711-26 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-14.xml b/xml/htdocs/security/en/glsa/glsa-200805-14.xml
new file mode 100644
index 00000000..82d58748
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-14.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ Common Data Format library: User-assisted execution of arbitrary code
+
+ A buffer overflow vulnerability has been discovered in the Common Data
+ Format library.
+
+ cdf
+ May 13, 2008
+ May 13, 2008: 01
+ 220391
+ remote
+
+
+ 3.2.1
+ 3.2.1
+
+
+
+

+ The Common Data Format library is a scientific data management package + which allows programmers and application developers to manage and + manipulate scalar, vector, and multi-dimensional data arrays in a + platform independent fashion. +

+
+ +

+ Alfredo Ortega (Core Security Technologies) reported a boundary error + within the Read32s_64() function when processing CDF files. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted CDF + file, possibly resulting in the remote execution of arbitrary code with + the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Common Data Format library users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-libs/cdf-3.2.1" +
+ + CVE-2008-2080 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-15.xml b/xml/htdocs/security/en/glsa/glsa-200805-15.xml
new file mode 100644
index 00000000..2b27bfc4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-15.xml
@@ -0,0 +1,64 @@
+
+
+
+
+
+
+ libid3tag: Denial of Service
+
+ A Denial of Service vulnerability was found in libid3tag.
+
+ libid3tag
+ May 14, 2008
+ May 14, 2008: 01
+ 210564
+ remote
+
+
+ 0.15.1b-r2
+ 0.15.1b-r2
+
+
+
+

+ libid3tag is an ID3 tag manipulation library. +

+
+ +

+ Kentaro Oda reported an infinite loop in the file field.c when parsing + an MP3 file with an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0'. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted MP3 + file, possibly resulting in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libid3tag users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libid3tag-0.15.1b-r2" +
+ + CVE-2008-2109 + + + p-y + + + p-y + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-16.xml b/xml/htdocs/security/en/glsa/glsa-200805-16.xml
new file mode 100644
index 00000000..65823df0
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-16.xml
@@ -0,0 +1,110 @@
+
+
+
+
+
+
+ OpenOffice.org: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been reported in OpenOffice.org, possibly
+ allowing for user-assisted execution of arbitrary code.
+
+ openoffice openoffice-bin
+ May 14, 2008
+ May 14, 2008: 02
+ 218080
+ remote
+
+
+ 2.4.0
+ 2.4.0
+
+
+ 2.4.0
+ 2.4.0
+
+
+
+

+ OpenOffice.org is an open source office productivity suite, including + word processing, spreadsheet, presentation, drawing, data charting, + formula editing, and file conversion facilities. +

+
+ +

+ iDefense Labs reported multiple vulnerabilities in OpenOffice.org: +

+
    +
  • + multiple heap-based buffer overflows when parsing the "Attribute" and + "Font" Description records of Quattro Pro (QPRO) files + (CVE-2007-5745), +
  • +
  • + an integer overflow when parsing the EMR_STRETCHBLT record of an EMF + file, resulting in a heap-based buffer overflow (CVE-2007-5746), +
  • +
  • + an integer underflow when parsing Quattro Pro (QPRO) files, resulting + in an excessive loop and a stack-based buffer overflow + (CVE-2007-5747), +
  • +
  • + and a heap-based buffer overflow when parsing the + "DocumentSummaryInformation" stream in an OLE file (CVE-2008-0320). +
  • +
+

+ Furthermore, Will Drewry (Google Security) reported vulnerabilities in + the memory management of the International Components for Unicode + (CVE-2007-4770, CVE-2007-4771), which was resolved with GLSA 200803-20. + However, the binary version of OpenOffice.org uses an internal copy of + said library. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + document, possibly resulting in the remote execution of arbitrary code + with the privileges of the user running OpenOffice.org. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenOffice.org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-2.4.0" +

+ All OpenOffice.org binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.4.0" +
+ + CVE-2007-4770 + CVE-2007-4771 + CVE-2007-5745 + CVE-2007-5746 + CVE-2007-5747 + CVE-2008-0320 + GLSA 200803-20 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-17.xml b/xml/htdocs/security/en/glsa/glsa-200805-17.xml
new file mode 100644
index 00000000..d99ba9a4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-17.xml
@@ -0,0 +1,76 @@
+
+
+
+
+
+
+ Perl: Execution of arbitrary code
+
+ A double free vulnerability was discovered in Perl, possibly resulting in
+ the execution of arbitrary code and a Denial of Service.
+
+ perl libperl
+ May 20, 2008
+ May 20, 2008: 01
+ 219203
+ remote
+
+
+ 5.8.8-r5
+ 5.8.8-r5
+
+
+ 5.8.8-r2
+ 5.8.8-r2
+
+
+
+

+ Perl is a stable, cross platform programming language. +

+
+ +

+ Tavis Ormandy and Will Drewry of the Google Security Team have reported + a double free vulnerability when processing a crafted regular + expression containing UTF-8 characters. +

+
+ +

+ A remote attacker could possibly exploit this vulnerability to execute + arbitrary code or cause a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Perl users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/perl-5.8.8-r5" +

+ All libperl users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-devel/libperl-5.8.8-r2" +
+ + CVE-2008-1927 + + + p-y + + + p-y + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-18.xml b/xml/htdocs/security/en/glsa/glsa-200805-18.xml
new file mode 100644
index 00000000..e5794355
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-18.xml
@@ -0,0 +1,282 @@
+
+
+
+
+
+
+ Mozilla products: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been reported in Mozilla Firefox,
+ Thunderbird, SeaMonkey and XULRunner, some of which may allow user-assisted
+ execution of arbitrary code.
+
+ mozilla-firefox mozilla-firefox-bin seamonkey seamonkey-bin mozilla-thunderbird mozilla-thunderbird-bin xulrunner
+ May 20, 2008
+ May 20, 2008: 01
+ 208128
+ 214816
+ 218065
+ remote
+
+
+ 2.0.0.14
+ 2.0.0.14
+
+
+ 2.0.0.14
+ 2.0.0.14
+
+
+ 2.0.0.14
+ 2.0.0.14
+
+
+ 2.0.0.14
+ 2.0.0.14
+
+
+ 1.1.9-r1
+ 1.1.9-r1
+
+
+ 1.1.9
+ 1.1.9
+
+
+ 1.8.1.14
+ 1.8.1.14
+
+
+
+

+ Mozilla Firefox is an open-source web browser and Mozilla Thunderbird + an open-source email client, both from the Mozilla Project. The + SeaMonkey project is a community effort to deliver production-quality + releases of code derived from the application formerly known as the + 'Mozilla Application Suite'. XULRunner is a Mozilla runtime package + that can be used to bootstrap XUL+XPCOM applications like Firefox and + Thunderbird. +

+
+ +

+ The following vulnerabilities were reported in all mentioned Mozilla + products: +

+
    +
  • + Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren, and Paul + Nickerson reported browser crashes related to JavaScript methods, + possibly triggering memory corruption (CVE-2008-0412). +
  • +
  • + Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown, + Philip Taylor, and tgirmann reported crashes in the JavaScript engine, + possibly triggering memory corruption (CVE-2008-0413). +
  • +
  • + David Bloom discovered a vulnerability in the way images are treated by + the browser when a user leaves a page, possibly triggering memory + corruption (CVE-2008-0419). +
  • +
  • + moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback reported a series of + privilege escalation vulnerabilities related to JavaScript + (CVE-2008-1233, CVE-2008-1234, CVE-2008-1235). +
  • +
  • + Mozilla developers identified browser crashes caused by the layout and + JavaScript engines, possibly triggering memory corruption + (CVE-2008-1236, CVE-2008-1237). +
  • +
  • + moz_bug_r_a4 and Boris Zbarsky discovered that pages could escape from + its sandboxed context and run with chrome privileges, and inject script + content into another site, violating the browser's same origin policy + (CVE-2008-0415). +
  • +
  • + Gerry Eisenhaur discovered a directory traversal vulnerability when + using "flat" addons (CVE-2008-0418). +
  • +
  • + Alexey Proskuryakov, Yosuke Hasegawa and Simon Montagu reported + multiple character handling flaws related to the backspace character, + the "0x80" character, involving zero-length non-ASCII sequences in + multiple character sets, that could facilitate Cross-Site Scripting + attacks (CVE-2008-0416). +
  • +

+ The following vulnerability was reported in Thunderbird and SeaMonkey: +

+
    +
  • + regenrecht (via iDefense) reported a heap-based buffer overflow when + rendering an email message with an external MIME body (CVE-2008-0304). +
  • +

+ The following vulnerabilities were reported in Firefox, SeaMonkey and + XULRunner: +

+
    +
  • The fix for CVE-2008-1237 in Firefox 2.0.0.13 + and SeaMonkey 1.1.9 introduced a new crash vulnerability + (CVE-2008-1380).
  • +
  • hong and Gregory Fleischer each reported a + variant on earlier reported bugs regarding focus shifting in file input + controls (CVE-2008-0414). +
  • +
  • + Gynvael Coldwind (Vexillium) discovered that BMP images could be used + to reveal uninitialized memory, and that this data could be extracted + using a "canvas" feature (CVE-2008-0420). +
  • +
  • + Chris Thomas reported that background tabs could create a borderless + XUL pop-up in front of pages in other tabs (CVE-2008-1241). +
  • +
  • + oo.rio.oo discovered that a plain text file with a + "Content-Disposition: attachment" prevents Firefox from rendering + future plain text files within the browser (CVE-2008-0592). +
  • +
  • + Martin Straka reported that the ".href" property of stylesheet DOM + nodes is modified to the final URI of a 302 redirect, bypassing the + same origin policy (CVE-2008-0593). +
  • +
  • + Gregory Fleischer discovered that under certain circumstances, leading + characters from the hostname part of the "Referer:" HTTP header are + removed (CVE-2008-1238). +
  • +
  • + Peter Brodersen and Alexander Klink reported that the browser + automatically selected and sent a client certificate when SSL Client + Authentication is requested by a server (CVE-2007-4879). +
  • +
  • + Gregory Fleischer reported that web content fetched via the "jar:" + protocol was not subject to network access restrictions + (CVE-2008-1240). +
  • +

+ The following vulnerabilities were reported in Firefox: +

+
    +
  • + Justin Dolske discovered a CRLF injection vulnerability when storing + passwords (CVE-2008-0417). +
  • +
  • + Michal Zalewski discovered that Firefox does not properly manage a + delay timer used in confirmation dialogs (CVE-2008-0591). +
  • +
  • + Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery + warning dialog is not displayed if the entire contents of a web page + are in a DIV tag that uses absolute positioning (CVE-2008-0594). +
  • +
+
+ +

+ A remote attacker could entice a user to view a specially crafted web + page or email that will trigger one of the vulnerabilities, possibly + leading to the execution of arbitrary code or a Denial of Service. It + is also possible for an attacker to trick a user to upload arbitrary + files when submitting a form, to corrupt saved passwords for other + sites, to steal login credentials, or to conduct Cross-Site Scripting + and Cross-Site Request Forgery attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.14" +

+ All Mozilla Firefox binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.14" +

+ All Mozilla Thunderbird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-2.0.0.14" +

+ All Mozilla Thunderbird binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-2.0.0.14" +

+ All SeaMonkey users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.9-r1" +

+ All SeaMonkey binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.9" +

+ All XULRunner users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.14" +

+ NOTE: The crash vulnerability (CVE-2008-1380) is currently unfixed in + the SeaMonkey binary ebuild, as no precompiled packages have been + released. Until an update is available, we recommend all SeaMonkey + users to disable JavaScript, use Firefox for JavaScript-enabled + browsing, or switch to the SeaMonkey source ebuild. +

+
+ + CVE-2007-4879 + CVE-2008-0304 + CVE-2008-0412 + CVE-2008-0413 + CVE-2008-0414 + CVE-2008-0415 + CVE-2008-0416 + CVE-2008-0417 + CVE-2008-0418 + CVE-2008-0419 + CVE-2008-0420 + CVE-2008-0591 + CVE-2008-0592 + CVE-2008-0593 + CVE-2008-0594 + CVE-2008-1233 + CVE-2008-1234 + CVE-2008-1235 + CVE-2008-1236 + CVE-2008-1237 + CVE-2008-1238 + CVE-2008-1240 + CVE-2008-1241 + CVE-2008-1380 + + + rbu + + + rbu + +
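Review bot: The version entries in the header give the SeaMonkey binary package a fixed version of 1.1.9 (the same version the resolution's emerge command installs), while the NOTE at the end of the resolution says CVE-2008-1380 is still unfixed in the SeaMonkey binary ebuild, so the machine-readable ranges and the prose disagree. Any consumer that evaluates only the version ranges will report a seamonkey-bin 1.1.9 system as fixed although the advisory itself says it is not. Either the seamonkey-bin entry should be withheld until a fixed binary package exists, or the package entry should carry an explanatory comment, e.g. `<!-- CVE-2008-1380 is still open in the binary package; see the NOTE in the resolution -->`, so the next editor sees the exception. The advised mitigation (disable JavaScript or switch to the source ebuild) is presumably the reason the range was kept; if so, that should be said next to the range rather than only in the NOTE.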
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-19.xml b/xml/htdocs/security/en/glsa/glsa-200805-19.xml
new file mode 100644
index 00000000..cedfc0d0
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-19.xml
@@ -0,0 +1,102 @@
+
+
+
+
+
+
+ ClamAV: Multiple vulnerabilities
+
+ Multiple vulnerabilities in ClamAV may result in the remote execution of
+ arbitrary code.
+
+ clamav
+ May 20, 2008
+ May 20, 2008: 01
+ 213762
+ remote
+
+
+ 0.93
+ 0.93
+
+
+
+

+ Clam AntiVirus is a free anti-virus toolkit for UNIX, designed + especially for e-mail scanning on mail gateways. +

+
+ +

+ Multiple vulnerabilities have been reported: +

+
    +
  • + Damian Put reported a heap-based buffer overflow when processing PeSpin + packed PE binaries (CVE-2008-0314). +
  • +
  • + Alin Rad Pop of Secunia Research reported a buffer overflow in the + cli_scanpe() function when processing Upack PE binaries + (CVE-2008-1100). +
  • +
  • + Hanno Boeck reported an infinite loop when processing ARJ archives + (CVE-2008-1387). +
  • +
  • + Damian Put and Thomas Pollet reported a heap-based buffer overflow when + processing WWPack compressed PE binaries (CVE-2008-1833). +
  • +
  • + A buffer over-read was discovered in the rfc2231() function when + producing a string that is not NULL terminated (CVE-2008-1836). +
  • +
  • + An unspecified vulnerability leading to "memory problems" when scanning + RAR files was reported (CVE-2008-1837). +
  • +
  • + Thierry Zoller reported that scanning of RAR files could be + circumvented (CVE-2008-1835). +
  • +
+
+ +

+ A remote attacker could entice a user or automated system to scan a + specially crafted file, possibly leading to the execution of arbitrary + code with the privileges of the user running ClamAV (either a system + user or the "clamav" user if clamd is compromised), or a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.93" +
+ + CVE-2008-0314 + CVE-2008-1100 + CVE-2008-1387 + CVE-2008-1833 + CVE-2008-1835 + CVE-2008-1836 + CVE-2008-1837 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-20.xml b/xml/htdocs/security/en/glsa/glsa-200805-20.xml
new file mode 100644
index 00000000..c19c4d00
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-20.xml
@@ -0,0 +1,82 @@
+
+
+
+
+
+
+ GnuTLS: Execution of arbitrary code
+
+ Multiple vulnerabilities might allow for the execution of arbitrary code in
+ daemons using GnuTLS.
+
+ gnutls
+ May 21, 2008
+ May 21, 2008: 01
+ 222823
+ remote
+
+
+ 2.2.5
+ 2.2.5
+
+
+
+

+ GnuTLS is an implementation of Secure Sockets Layer (SSL) 3.0 and + Transport Layer Security (TLS) 1.0, 1.1 and 1.2. +

+
+ +

+ Ossi Herrala and Jukka Taimisto of Codenomicon reported three + vulnerabilities in libgnutls of GnuTLS: +

+
    +
  • + "Client Hello" messages containing an invalid server name can lead to a + buffer overflow when evaluating "Security Parameters" (CVE-2008-1948). +
  • +
  • + Multiple "Client Hello" messages can lead to a NULL pointer dereference + (CVE-2008-1949). +
  • +
  • + A TLS handshake including an encrypted "Client Hello" message and an + invalid record length could lead to a buffer overread (CVE-2008-1950). +
  • +
+
+ +

+ Unauthenticated remote attackers could exploit these vulnerabilities to + cause Denial of Service conditions in daemons using GnuTLS. The first + vulnerability (CVE-2008-1948) might allow for the execution of + arbitrary code with the privileges of the daemon handling incoming TLS + connections. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GnuTLS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.2.5" +
+ + CVE-2008-1948 + CVE-2008-1949 + CVE-2008-1950 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-21.xml b/xml/htdocs/security/en/glsa/glsa-200805-21.xml
new file mode 100644
index 00000000..b87517c0
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-21.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ Roundup: Permission bypass
+
+ A vulnerability in Roundup allows for bypassing permission restrictions.
+
+ roundup
+ May 27, 2008
+ May 27, 2008: 01
+ 212488
+ 214666
+ remote
+
+
+ 1.4.4-r1
+ 1.4.4-r1
+
+
+
+

+ Roundup is an issue-tracking system with command-line, web and e-mail + interfaces. +

+
+ +

+ Philipp Gortan reported that the xml-rpc server in Roundup does not + check property permissions (CVE-2008-1475). Furthermore, Roland Meister + discovered multiple vulnerabilities caused by unspecified errors, some + of which may be related to cross-site scripting (CVE-2008-1474). +

+
+ +

+ A remote attacker could possibly exploit the first vulnerability to + edit or view restricted properties via the list(), display(), and set() + methods. The impact and attack vectors of the second vulnerability are + unknown. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Roundup users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/roundup-1.4.4-r1" +
+ + CVE-2008-1474 + CVE-2008-1475 + + + keytoaster + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-22.xml b/xml/htdocs/security/en/glsa/glsa-200805-22.xml
new file mode 100644
index 00000000..ae0a085a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-22.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ MPlayer: User-assisted execution of arbitrary code
+
+ An integer overflow vulnerability in MPlayer may allow for the execution of
+ arbitrary code.
+
+ mplayer
+ May 29, 2008
+ May 29, 2008: 01
+ 215006
+ remote
+
+
+ 1.0_rc2_p26753
+ 1.0_rc2_p26753
+
+
+
+

+ MPlayer is a media player including support for a wide range of audio + and video formats. +

+
+ +

+ k`sOSe reported an integer overflow vulnerability in the + sdpplin_parse() function in the file stream/realrtsp/sdpplin.c, which + can be exploited to overwrite arbitrary memory regions via an overly + large "StreamCount" SDP parameter. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted media + file, possibly resulting in the execution of arbitrary code with the + privileges of the user running MPlayer. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_rc2_p26753" +
+ + CVE-2008-1558 + + + keytoaster + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200805-23.xml b/xml/htdocs/security/en/glsa/glsa-200805-23.xml
new file mode 100644
index 00000000..3ad6123b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200805-23.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ Samba: Heap-based buffer overflow
+
+ A heap-based buffer overflow vulnerability was found in Samba, allowing for
+ the execution of arbitrary code.
+
+ samba
+ May 29, 2008
+ May 29, 2008: 01
+ 222299
+ remote
+
+
+ 3.0.28a-r1
+ 3.0.28a-r1
+
+
+
+

+ Samba is a suite of SMB and CIFS client/server programs. +

+
+ +

+ Alin Rad Pop (Secunia Research) reported a vulnerability in Samba + within the receive_smb_raw() function in the file lib/util_sock.c when + parsing SMB packets, possibly leading to a heap-based buffer overflow + via an overly large SMB packet. +

+
+ +

+ A remote attacker could possibly exploit this vulnerability by enticing + a user to connect to a malicious server or by sending specially crafted + packets to an nmbd server configured as a local or domain master + browser, resulting in the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Samba users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-3.0.28a-r1" +
+ + CVE-2008-1105 + + + vorlon + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200806-01.xml b/xml/htdocs/security/en/glsa/glsa-200806-01.xml
new file mode 100644
index 00000000..5cd1da3a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200806-01.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ mtr: Stack-based buffer overflow
+
+ A stack-based buffer overflow was found in mtr, possibly resulting in the
+ execution of arbitrary code.
+
+ mtr
+ June 03, 2008
+ June 03, 2008: 01
+ 223017
+ remote
+
+
+ 0.73-r1
+ 0.73-r1
+
+
+
+

+ mtr combines the functionality of the 'traceroute' and 'ping' programs + in a single network diagnostic tool. +

+
+ +

+ Adam Zabrocki reported a boundary error within the split_redraw() + function in the file split.c, possibly leading to a stack-based buffer + overflow. +

+
+ +

+ A remote attacker could use a specially crafted resolved hostname to + execute arbitrary code with root privileges. However, it is required + that the attacker controls the DNS server used by the victim, and that + the "-p" (or "--split") command line option is used. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mtr users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/mtr-0.73-r1" +
+ + CVE-2008-2357 + + + keytoaster + + + keytoaster + + + p-y + +
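Review bot: The workaround section states there is no known workaround, yet the impact section says exploitation requires both attacker control of the DNS server used by the victim and use of the `-p` (or `--split`) command line option. Refraining from the split-mode option until the update is installed is a workaround that follows directly from the advisory's own text, so the section could read `Do not use the "-p" (or "--split") command line option until the update has been applied.` The impact also claims code execution with root privileges without saying why a hostname-display bug reaches root; if this is because the binary is installed setuid root, stating that would make the severity understandable to readers.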
diff --git a/xml/htdocs/security/en/glsa/glsa-200806-02.xml b/xml/htdocs/security/en/glsa/glsa-200806-02.xml
new file mode 100644
index 00000000..0e949b89
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200806-02.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ libxslt: Execution of arbitrary code
+
+ A vulnerability was found in libxslt, possibly resulting in the execution
+ of arbitrary code and Denial of Service.
+
+ libxslt
+ June 03, 2008
+ June 03, 2008: 01
+ 222499
+ remote
+
+
+ 1.1.24
+ 1.1.24
+
+
+
+

+ Libxslt is the XSLT C library developed for the GNOME project. XSLT + itself is an XML language to define transformations for XML. +

+
+ +

+ Anthony de Almeida Lopes reported a vulnerability in libxslt when + handling XSL style-sheet files, which could be exploited to trigger the + use of uninitialized memory, e.g. in a call to "free()". +

+
+ +

+ A remote attacker could entice a user or automated system to process an + XML file using a specially crafted XSL transformation file, possibly + resulting in the execution of arbitrary code or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libxslt users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libxslt-1.1.24" +
+ + CVE-2008-1767 + + + keytoaster + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200806-03.xml b/xml/htdocs/security/en/glsa/glsa-200806-03.xml new file mode 100644 index 00000000..965b7f5c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200806-03.xml @@ -0,0 +1,74 @@ + + + + + + + Imlib 2: User-assisted execution of arbitrary code + + Two vulnerabilities in Imlib 2 may allow for the execution of arbitrary + code. + + imlib2 + June 08, 2008 + June 08, 2008: 01 + 223965 + remote + + + 1.4.0-r1 + 1.4.0-r1 + + + +

+ Imlib 2 is an advanced replacement library for libraries like libXpm. +

+
+ +

+ Stefan Cornelius (Secunia Research) reported two boundary errors in + Imlib2: +

+
    +
  • One of them within the load() function in the + file src/modules/loaders/loader_pnm.c when processing the header of a + PNM image file, possibly leading to a stack-based buffer overflow.
  • +
  • The second one within the load() function in the file + src/modules/loader_xpm.c when processing an XPM image file, possibly + leading to a stack-based buffer overflow.
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted PNM + or XPM image, possibly resulting in the execution of arbitrary code + with the rights of the user running the application using Imlib 2. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Imlib 2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/imlib2-1.4.0-r1" +
+ + CVE-2008-2426 + + + rbu + + + keytoaster + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200806-04.xml b/xml/htdocs/security/en/glsa/glsa-200806-04.xml new file mode 100644 index 00000000..2541f1aa --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200806-04.xml @@ -0,0 +1,82 @@ + + + + + + + rdesktop: Multiple vulnerabilities + + Multiple vulnerabilities in rdesktop may lead to the execution of arbitrary + code or a Denial of Service. + + rdesktop + June 14, 2008 + June 14, 2008: 01 + 220911 + remote + + + 1.6.0 + 1.6.0 + + + +

+ rdesktop is an open source Remote Desktop Protocol (RDP) client. +

+
+ +

+ An anonymous researcher reported multiple vulnerabilities in rdesktop + via iDefense Labs: +

+
    +
  • An integer underflow error exists in + the function iso_recv_msg() in the file iso.c which can be triggered + via a specially crafted RDP request, causing a heap-based buffer + overflow (CVE-2008-1801).
  • +
  • An input validation error exists in + the function process_redirect_pdu() in the file rdp.c which can be + triggered via a specially crafted RDP redirect request, causing a + BSS-based buffer overflow (CVE-2008-1802).
  • +
  • + An integer signedness error exists in the function xrealloc() in the + file rdesktop.c which can be be exploited to cause a heap-based buffer + overflow (CVE-2008-1803).
  • +
+
+ +

+ An attacker could exploit these vulnerabilities by enticing a user to + connect to a malicious RDP server thereby allowing the attacker to + execute arbitrary code or cause a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All rdesktop users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/rdesktop-1.6.0" +
+ + CVE-2008-1801 + CVE-2008-1802 + CVE-2008-1803 + + + keytoaster + + + vorlon + + + mfleming + +
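Review bot: The third item in the description list of glsa-200806-04.xml reads "which can be be exploited to cause a heap-based buffer overflow (CVE-2008-1803)", a doubled word that the commit adds as-is. Since this is user-facing advisory text rendered on the site, the line should be `which can be exploited to cause a heap-based buffer overflow (CVE-2008-1803).`. The element markup is not preserved in this view, so the exact tag the sentence sits in is inferred from the file's layout relative to its sibling advisories.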
diff --git a/xml/htdocs/security/en/glsa/glsa-200806-05.xml b/xml/htdocs/security/en/glsa/glsa-200806-05.xml new file mode 100644 index 00000000..9073d92a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200806-05.xml @@ -0,0 +1,67 @@ + + + + + + + cbrPager: User-assisted execution of arbitrary code + + Insecure filename usage in cbrPager may allow for the remote execution of + arbitrary code. + + cbrpager + June 16, 2008 + June 16, 2008: 01 + 223657 + remote + + + 0.9.17 + 0.9.17 + + + +

+ cbrPager is a comic book pager. +

+
+ +

+ Mamoru Tasaka discovered that filenames of the image archives are not + properly sanitized before being passed to decompression utilities like + unrar and unzip, which use the system() libc library call. +

+
+ +

+ A remote attacker could entice a user to open an archive with a + specially crafted filename, resulting in arbitrary code execution with + the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All cbrPager users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-misc/cbrpager-0.9.17" +
+ + CVE-2008-2575 + + + keytoaster + + + vorlon + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200806-06.xml b/xml/htdocs/security/en/glsa/glsa-200806-06.xml new file mode 100644 index 00000000..ac26ccbd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200806-06.xml @@ -0,0 +1,77 @@ + + + + + + + Evolution: User-assisted execution of arbitrary code + + Multiple vulnerabilities in Evolution may allow for user-assisted execution + of arbitrary code. + + evolution + June 16, 2008 + June 16, 2008: 01 + 223963 + remote + + + 2.12.3-r2 + 2.12.3-r2 + + + +

+ Evolution is the mail client of the GNOME desktop environment. +

+
+ +

+ Alin Rad Pop (Secunia Research) reported two vulnerabilities in + Evolution: +

+
  • + A boundary error exists when parsing overly long timezone strings + contained within iCalendar attachments and when the ITip formatter is + disabled (CVE-2008-1108).
  • +
  • + A boundary error exists when replying to an iCalendar request with an + overly long "DESCRIPTION" property while in calendar view + (CVE-2008-1109). +
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted + iCalendar attachment, resulting in the execution of arbitrary code with + the privileges of the user running Evolution. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Evolution users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/evolution-2.12.3-r2" +
+ + CVE-2008-1108 + CVE-2008-1109 + + + vorlon + + + vorlon + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200806-07.xml b/xml/htdocs/security/en/glsa/glsa-200806-07.xml new file mode 100644 index 00000000..90136c83 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200806-07.xml @@ -0,0 +1,99 @@ + + + + + + + X.Org X server: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in the X.Org X server, + possibly allowing for the remote execution of arbitrary code with root + privileges. + + xorg-server + June 19, 2008 + June 19, 2008: 01 + 225419 + remote, local + + + 1.3.0.0-r6 + 1.3.0.0-r6 + + + +

+ The X Window System is a graphical windowing system based on a + client/server model. +

+
+ +

+ Regenrecht reported multiple vulnerabilities in various X server + extensions via iDefense: +

+
    +
  • The + SProcSecurityGenerateAuthorization() and SProcRecordCreateContext() + functions of the RECORD and Security extensions are lacking proper + parameter validation (CVE-2008-1377).
  • +
  • An integer overflow is + possible in the function ShmPutImage() of the MIT-SHM extension + (CVE-2008-1379).
  • +
  • The RENDER extension contains several + possible integer overflows in the AllocateGlyph() function + (CVE-2008-2360) which could possibly lead to a heap-based buffer + overflow. Further possible integer overflows have been found in the + ProcRenderCreateCursor() function (CVE-2008-2361) as well as in the + SProcRenderCreateLinearGradient(), SProcRenderCreateRadialGradient() + and SProcRenderCreateConicalGradient() functions (CVE-2008-2362).
  • +
+
+ +

+ Exploitation of these vulnerabilities could possibly lead to the remote + execution of arbitrary code with root privileges, if the server is + running as root, which is the default. It is also possible to crash the + server by making use of these vulnerabilities. +

+
+ +

+ It is possible to avoid these vulnerabilities by disabling the affected + server extensions. Therefore edit the configuration file + (/etc/X11/xorg.conf) to contain the following in the appropriate + places: +

+ + Section "Extensions" + Option "MIT-SHM" "disable" + Option "RENDER" "disable" + Option "SECURITY" "disable" + EndSection + + Section "Module" + Disable "record" + EndSection +
+ +

+ All X.org X Server users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.3.0.0-r6" +
+ + CVE-2008-1377 + CVE-2008-1379 + CVE-2008-2360 + CVE-2008-2361 + CVE-2008-2362 + + + vorlon + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200806-08.xml b/xml/htdocs/security/en/glsa/glsa-200806-08.xml new file mode 100644 index 00000000..9b54bc79 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200806-08.xml @@ -0,0 +1,79 @@ + + + + + + + OpenSSL: Denial of Service + + Two vulnerabilities might allow for a Denial of Service of daemons using + OpenSSL. + + openssl + June 23, 2008 + June 23, 2008: 01 + 223429 + remote + + + 0.9.8g-r2 + 0.9.8f + 0.9.8g-r2 + + + +

+ OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer + (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general + purpose cryptography library. +

+
+ +

+ Ossi Herrala and Jukka Taimisto of Codenomicon discovered two + vulnerabilities: +

+
    +
  • + A double free() call in the TLS server name extension (CVE-2008-0891). +
  • +
  • + The OpenSSL client code does not properly handle servers that omit the + Server Key Exchange message in the TLS handshake (CVE-2008-1672). +
  • +
+
+ +

+ A remote attacker could connect to a vulnerable server, or entice a + daemon to connect to a malicious server, causing a Denial of Service of + the daemon in both cases. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSSL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8g-r2" +
+ + CVE-2008-0891 + CVE-2008-1672 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200806-09.xml b/xml/htdocs/security/en/glsa/glsa-200806-09.xml new file mode 100644 index 00000000..c9b040a4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200806-09.xml @@ -0,0 +1,88 @@ + + + + + + + libvorbis: Multiple vulnerabilities + + Multiple vulnerabilities in libvorbis might lead to the execution of + arbitrary code. + + libvorbis + June 23, 2008 + June 23, 2008: 02 + 222085 + remote + + + 1.2.1_rc1 + 1.2.1_rc1 + + + +

+ libvorbis is the reference implementation of the Xiph.org Ogg Vorbis + audio file format. It is used by many applications for playback of Ogg + Vorbis files. +

+
+ +

+ Will Drewry of the Google Security Team reported multiple + vulnerabilities in libvorbis: +

+
    +
  • + A zero value for "codebook.dim" is not properly handled, leading to a + crash, infinite loop or triggering an integer overflow + (CVE-2008-1419). +
  • +
  • + An integer overflow in "residue partition value" evaluation might lead + to a heap-based buffer overflow (CVE-2008-1420). +
  • +
  • + An integer overflow in a certain "quantvals" and "quantlist" + calculation might lead to a heap-based buffer overflow + (CVE-2008-1423). +
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities by enticing a + user to open a specially crafted Ogg Vorbis file or network stream with + an application using libvorbis. This might lead to the execution of + arbitrary code with the privileges of the user playing the file or a + Denial of Service by a crash or CPU consumption. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libvorbis users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libvorbis-1.2.1_rc1" +
+ + CVE-2008-1419 + CVE-2008-1420 + CVE-2008-1423 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200806-10.xml b/xml/htdocs/security/en/glsa/glsa-200806-10.xml new file mode 100644 index 00000000..e015fb59 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200806-10.xml @@ -0,0 +1,85 @@ + + + + + + + FreeType: User-assisted execution of arbitrary code + + Font parsing vulnerabilities in FreeType might lead to user-assisted + execution of arbitrary code. + + freetype + June 23, 2008 + May 28, 2009: 03 + 225851 + remote + + + 2.3.6 + 1.4_pre20080316-r1 + 2.3.6 + + + +

+ FreeType is a font rendering library for TrueType Font (TTF) and + Printer Font Binary (PFB). +

+
+ +

+ Regenrecht reported multiple vulnerabilities in FreeType via iDefense: +

+
    +
  • + An integer overflow when parsing values in the Private dictionary table + in a PFB file, leading to a heap-based buffer overflow + (CVE-2008-1806). +
  • +
  • + An invalid free() call related to parsing an invalid "number of axes" + field in a PFB file (CVE-2008-1807). +
  • +
  • + Multiple off-by-one errors when parsing PBF and TTF files, leading to + heap-based buffer overflows (CVE-2008-1808). +
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted TTF + or PBF file, possibly resulting in the execution of arbitrary code with + the privileges of the user running an application linked against + FreeType (such as the X.org X server, running as root). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FreeType users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/freetype-2.3.6" +
+ + CVE-2008-1806 + CVE-2008-1807 + CVE-2008-1808 + + + vorlon + + + rbu + + + rbu + +
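Review bot: The third description item and the impact paragraph of glsa-200806-10.xml write "PBF" ("parsing PBF and TTF files", "a specially crafted TTF or PBF file"), which contradicts the background section's own definition "Printer Font Binary (PFB)" and the first two items that correctly say "PFB file". The inconsistency is inferred from the visible text only, but the two occurrences should read `Multiple off-by-one errors when parsing PFB and TTF files, leading to` and `A remote attacker could entice a user to open a specially crafted TTF or PFB file, possibly resulting in the execution of arbitrary code with`. Readers searching the advisory for the affected format will otherwise miss one of the vulnerable parsers.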
diff --git a/xml/htdocs/security/en/glsa/glsa-200806-11.xml b/xml/htdocs/security/en/glsa/glsa-200806-11.xml new file mode 100644 index 00000000..2cb49462 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200806-11.xml @@ -0,0 +1,99 @@ + + + + + + + IBM JDK/JRE: Multiple vulnerabilities + + Multiple vulnerabilities have been found in IBM Java Development Kit (JDK) + and Java Runtime Environment (JRE), resulting in the execution of arbitrary + code. + + ibm-jdk-bin ibm-jre-bin + June 25, 2008 + June 25, 2008: 01 + 186277 + 198644 + 216112 + remote + + + 1.5.0.7 + 1.4.2.11 + 1.5.0.7 + + + 1.5.0.7 + 1.4.2.11 + 1.5.0.7 + + + +

+ The IBM Java Development Kit (JDK) and the IBM Java Runtime Environment + (JRE) provide the IBM Java platform. +

+
+ +

+ Because of sharing the same codebase, IBM JDK and JRE are affected by + the vulnerabilities mentioned in GLSA 200804-20. +

+
+ +

+ A remote attacker could entice a user to run a specially crafted applet + on a website or start an application in Java Web Start to execute + arbitrary code outside of the Java sandbox and of the Java security + restrictions with the privileges of the user running Java. The attacker + could also obtain sensitive information, create, modify, rename and + read local files, execute local applications, establish connections in + the local network, bypass the same origin policy, and cause a Denial of + Service via multiple vectors. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All IBM JDK 1.5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/ibm-jdk-bin-1.5.0.7" +

+ All IBM JDK 1.4 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/ibm-jdk-bin-1.4.2.11" +

+ All IBM JRE 1.5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/ibm-jre-bin-1.5.0.7" +

+ All IBM JRE 1.4 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/ibm-jre-bin-1.4.2.11" +
+ + GLSA 200804-20 + + + rbu + + + keytoaster + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-01.xml b/xml/htdocs/security/en/glsa/glsa-200807-01.xml new file mode 100644 index 00000000..b25a6312 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-01.xml @@ -0,0 +1,89 @@ + + + + + + + Python: Multiple integer overflows + + Multiple integer overflows may allow for Denial of Service. + + python + July 01, 2008 + July 01, 2008: 01 + 216673 + 217221 + remote + + + 2.3.6-r6 + 2.4.4-r13 + 2.4.4-r13 + + + +

+ Python is an interpreted, interactive, object-oriented programming + language. +

+
+ +

+ Multiple vulnerabilities were discovered in Python: +

+
    +
  • David + Remahl reported multiple integer overflows in the file imageop.c, + leading to a heap-based buffer overflow (CVE-2008-1679). This issue is + due to an incomplete fix for CVE-2007-4965.
  • +
  • Justin Ferguson + discovered that an integer signedness error in the zlib extension + module might trigger insufficient memory allocation and a buffer + overflow via a negative signed integer (CVE-2008-1721).
  • +
  • Justin + Ferguson discovered that insufficient input validation in the + PyString_FromStringAndSize() function might lead to a buffer overflow + (CVE-2008-1887).
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities to cause a Denial + of Service or possibly the remote execution of arbitrary code with the + privileges of the user running Python. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ The imageop module is no longer built in the unaffected versions. +

+

+ All Python 2.3 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.3.6-r6" +

+ All Python 2.4 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r13" +
+ + CVE-2008-1679 + CVE-2008-1721 + CVE-2008-1887 + + + keytoaster + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-02.xml b/xml/htdocs/security/en/glsa/glsa-200807-02.xml new file mode 100644 index 00000000..0c9a224e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-02.xml @@ -0,0 +1,72 @@ + + + + + + + Motion: Execution of arbitrary code + + Multiple vulnerabilities in Motion might result in the execution of + arbitrary code. + + motion + July 01, 2008 + July 01, 2008: 01 + 227053 + remote + + + 3.2.10.1 + 3.2.10.1 + + + +

+ Motion is a program that monitors the video signal from one or more + cameras and is able to detect motions. +

+
+ +

+ Nico Golde reported an off-by-one error within the read_client() + function in the webhttpd.c file, leading to a stack-based buffer + overflow. Stefan Cornelius (Secunia Research) reported a boundary error + within the same function, also leading to a stack-based buffer + overflow. Both vulnerabilities require that the HTTP Control interface + is enabled. +

+
+ +

+ A remote attacker could exploit these vulnerabilities by sending an + overly long or specially crafted request to a vulnerable Motion HTTP + control interface, possibly resulting in the execution of arbitrary + code with the privileges of the motion user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Motion users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/motion-3.2.10.1" +
+ + CVE-2008-2654 + + + rbu + + + keytoaster + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-03.xml b/xml/htdocs/security/en/glsa/glsa-200807-03.xml new file mode 100644 index 00000000..32da5857 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-03.xml @@ -0,0 +1,78 @@ + + + + + + + PCRE: Buffer overflow + + A buffer overflow vulnerability has been discovered in PCRE, allowing for + the execution of arbitrary code and a Denial of Service. + + libpcre glib + July 07, 2008 + July 07, 2008: 01 + 228091 + 230039 + remote + + + 7.7-r1 + 7.7-r1 + + + 2.16.3-r1 + 2.14.0 + 2.16.3-r1 + + + +

+ PCRE is a Perl-compatible regular expression library. GLib includes a + copy of PCRE. +

+
+ +

+ Tavis Ormandy of the Google Security team reported a heap-based buffer + overflow when compiling regular expression patterns containing + "Internal Option Settings" such as "(?i)". +

+
+ +

+ A remote attacker could exploit this vulnerability by sending a + specially crafted regular expression to an application making use of + the PCRE library, which could possibly lead to the execution of + arbitrary code or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PCRE users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libpcre-7.7-r1" +

+ All GLib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/glib-2.16.3-r1" +
+ + CVE-2008-2371 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-04.xml b/xml/htdocs/security/en/glsa/glsa-200807-04.xml new file mode 100644 index 00000000..92ef61a2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-04.xml @@ -0,0 +1,65 @@ + + + + + + + Poppler: User-assisted execution of arbitrary code + + Poppler is affected by a memory management issue, which could lead to the + execution of arbitrary code. + + poppler + July 08, 2008 + July 08, 2008: 01 + 229931 + remote + + + 0.6.3-r1 + 0.6.3-r1 + + + +

+ Poppler is a cross-platform PDF rendering library originally based on + Xpdf. +

+
+ +

+ Felipe Andres Manzano reported a memory management issue in the Page + class constructor/destructor. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted PDF + file with a Poppler-based PDF viewer such as Gentoo's Xpdf, Epdfview, + or Evince, potentially resulting in the execution of arbitrary code + with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All poppler users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/poppler-0.6.3-r1" +
+ + CVE-2008-2950 + + + vorlon + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-05.xml b/xml/htdocs/security/en/glsa/glsa-200807-05.xml new file mode 100644 index 00000000..3f93b327 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-05.xml @@ -0,0 +1,78 @@ + + + + + + + OpenOffice.org: User-assisted execution of arbitrary code + + An integer overflow vulnerability has been reported in OpenOffice.org. + + openoffice openoffice-bin + July 09, 2008 + July 09, 2008: 01 + 225723 + remote + + + 2.4.1 + 2.4.1 + + + 2.4.1 + 2.4.1 + + + +

+ OpenOffice.org is an open source office productivity suite, including + word processing, spreadsheet, presentation, drawing, data charting, + formula editing, and file conversion facilities. +

+
+ +

+ Sean Larsson (iDefense Labs) reported an integer overflow in the + function rtl_allocateMemory() in the file + sal/rtl/source/alloc_global.c. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + document, possibly resulting in the remote execution of arbitrary code + with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenOffice.org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-2.4.1" +

+ All OpenOffice.org binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.4.1" +
+ + CVE-2008-2152 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-06.xml b/xml/htdocs/security/en/glsa/glsa-200807-06.xml new file mode 100644 index 00000000..7b8a9ccd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-06.xml @@ -0,0 +1,86 @@ + + + + + + + Apache: Denial of Service + + Multiple vulnerabilities in Apache might lead to a Denial of Service. + + apache + July 09, 2008 + July 09, 2008: 01 + 222643 + 227111 + remote + + + 2.2.9 + 2.2.9 + + + +

+ The Apache HTTP server is one of the most popular web servers on the + Internet. +

+
+ +

+ Multiple vulnerabilities have been discovered in Apache: +

+
    +
  • + Dustin Kirkland reported that the mod_ssl module can leak memory when + the client reports support for a compression algorithm (CVE-2008-1678). +
  • +
  • + Ryujiro Shibuya reported that the ap_proxy_http_process_response() + function in the mod_proxy module does not limit the number of forwarded + interim responses (CVE-2008-2364). +
  • +
  • + sp3x of SecurityReason reported a Cross-Site Request Forgery + vulnerability in the balancer-manager in the mod_proxy_balancer module + (CVE-2007-6420). +
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities by connecting to + an Apache httpd, by causing an Apache proxy server to connect to a + malicious server, or by enticing a balancer administrator to connect to + a specially-crafted URL, resulting in a Denial of Service of the Apache + daemon. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.9" +
+ + CVE-2007-6420 + CVE-2008-1678 + CVE-2008-2364 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-07.xml b/xml/htdocs/security/en/glsa/glsa-200807-07.xml new file mode 100644 index 00000000..bea41c45 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-07.xml @@ -0,0 +1,77 @@ + + + + + + + NX: User-assisted execution of arbitrary code + + NX uses code from the X.org X11 server which is prone to multiple + vulnerabilities. + + nx, nxnode + July 09, 2008 + July 09, 2008: 01 + 230147 + remote + + + 3.2.0-r3 + 3.2.0-r3 + + + 3.2.0-r2 + 3.2.0-r2 + + + +

+ NoMachine's NX establishes remote connections to X11 desktops over + small bandwidth links. NX and NX Node are the compression core + libraries, whereas NX is used by FreeNX and NX Node by the binary-only + NX servers. +

+
+ +

+ Multiple integer overflow and buffer overflow vulnerabilities have been + discovered in the X.Org X server as shipped by NX and NX Node (GLSA + 200806-07). +

+
+ +

+ A remote attacker could exploit these vulnerabilities via unspecified + vectors, leading to the execution of arbitrary code with the privileges + of the user on the machine running the NX server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All NX Node users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/nxnode-3.2.0-r3" +

+ All NX users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/nx-3.2.0-r2" +
+ + GLSA 200806-07 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-08.xml b/xml/htdocs/security/en/glsa/glsa-200807-08.xml new file mode 100644 index 00000000..45e805f4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-08.xml @@ -0,0 +1,75 @@ + + + + + + + BIND: Cache poisoning + + A weakness in the DNS protocol has been reported, which could lead to cache + poisoning on recursive resolvers. + + bind + July 11, 2008 + July 11, 2008: 01 + 231201 + remote + + + 9.4.2_p1 + 9.4.2_p1 + + + +

+ ISC BIND is the Internet Systems Consortium implementation of the + Domain Name System (DNS) protocol. +

+
+ +

+ Dan Kaminsky of IOActive has reported a weakness in the DNS protocol + related to insufficient randomness of DNS transaction IDs and query + source ports. +

+
+ +

+ An attacker could exploit this weakness to poison the cache of a + recursive resolver and thus spoof DNS traffic, which could e.g. lead to + the redirection of web or mail traffic to malicious sites. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All BIND users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.2_p1" +

+ Note: In order to utilize the query port randomization to mitigate the + weakness, you need to make sure that your network setup allows the DNS + server to use random source ports for query and that you have not set a + fixed query port via the "query-source port" directive in the BIND + configuration. +

+
+ + CVE-2008-1447 + + + vorlon + + + vorlon + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-09.xml b/xml/htdocs/security/en/glsa/glsa-200807-09.xml new file mode 100644 index 00000000..b53a7d43 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-09.xml @@ -0,0 +1,66 @@ + + + + + + + Mercurial: Directory traversal + + A directory traversal vulnerability in Mercurial allows for the renaming of + arbitrary files. + + mercurial + July 15, 2008 + July 15, 2008: 01 + 230193 + remote + + + 1.0.1-r2 + 1.0.1-r2 + + + +

+ Mercurial is a distributed Source Control Management system. +

+
+ +

+ Jakub Wilk discovered a directory traversal vulnerabilty in the + applydiff() function in the mercurial/patch.py file. +

+
+ +

+ A remote attacker could entice a user to import a specially crafted + patch, possibly resulting in the renaming of arbitrary files, even + outside the repository. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mercurial users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/mercurial-1.0.1-r2" +
+ + CVE-2008-2942 + + + keytoaster + + + keytoaster + + + p-y + +
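Review bot: The description of glsa-200807-09.xml misspells "vulnerabilty" in "Jakub Wilk discovered a directory traversal vulnerabilty in the applydiff() function in the mercurial/patch.py file." The line should read `Jakub Wilk discovered a directory traversal vulnerability in the applydiff() function in the mercurial/patch.py file.`. The surrounding tag structure is not visible in this view, so the element containing the sentence is inferred from the file's layout.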
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-10.xml b/xml/htdocs/security/en/glsa/glsa-200807-10.xml new file mode 100644 index 00000000..37b07d2e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-10.xml @@ -0,0 +1,68 @@ + + + + + + + Bacula: Information disclosure + + A vulnerability in Bacula may allow local attackers to obtain sensitive + information. + + bacula + July 21, 2008 + July 21, 2008: 01 + 196834 + local + + + 2.4.1 + 2.4.1 + + + +

+ Bacula is a network based backup suite. +

+
+ +

+ Matthijs Kooijman reported that the "make_catalog_backup" script uses + the MySQL password as a command line argument when invoking other + programs. +

+
+ +

+ A local attacker could list the processes on the local machine when the + script is running to obtain the MySQL password. Note: The password + could also be disclosed via network sniffing attacks when the script + fails, in which case it would be sent via cleartext e-mail. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ A warning about this issue has been added in version 2.4.1, but the + issue is still unfixed. We advise not to use the make_catalog_backup + script, but to put all MySQL parameters into a dedicated file readable + only by the user running Bacula. +

+
+ + CVE-2007-5626 + + + keytoaster + + + p-y + + + p-y + +
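Review bot: glsa-200807-10.xml lists 2.4.1 in the position its sibling advisories use for the unaffected version, yet its own resolution states that 2.4.1 only adds a warning and "the issue is still unfixed", so anyone relying on the version range alone will conclude they are no longer exposed when the password is still passed on the command line. The tag markup is lost in this view, so which element 2.4.1 sits in is inferred from the layout of the neighbouring files, but if it is the unaffected range the advisory should either drop it or state in the resolution that upgrading does not remove the exposure, e.g. `Note: upgrading to 2.4.1 only adds a warning; the make_catalog_backup script still exposes the password until it is replaced by a credentials file.`. The recommendation to move the MySQL parameters into a file readable only by the Bacula user is the part that actually mitigates the disclosure and deserves to be the headline of the resolution rather than a trailing sentence.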
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-11.xml b/xml/htdocs/security/en/glsa/glsa-200807-11.xml new file mode 100644 index 00000000..a63ac6c1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-11.xml @@ -0,0 +1,67 @@ + + + + + + + PeerCast: Buffer overflow + + A buffer overflow vulnerability in PeerCast may allow for the remote + execution of arbitrary code. + + peercast + July 21, 2008 + July 21, 2008: 01 + 220281 + remote + + + 0.1218-r1 + 0.1218-r1 + + + +

+ PeerCast is a client and server for P2P-radio networks. +

+
+ +

+ Nico Golde reported a boundary error in the HTTP::getAuthUserPass() + function when processing overly long HTTP Basic authentication + requests. +

+
+ +

+ A remote attacker could send a specially crafted HTTP request to the + vulnerable server, possibly resulting in the remote execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PeerCast users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/peercast-0.1218-r1" +
+ + CVE-2008-2040 + + + rbu + + + vorlon + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-12.xml b/xml/htdocs/security/en/glsa/glsa-200807-12.xml new file mode 100644 index 00000000..84ea28b9 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-12.xml @@ -0,0 +1,69 @@ + + + + + + + BitchX: Multiple vulnerabilities + + Multiple vulnerabilities in BitchX may allow for the remote execution of + arbitrary code or symlink attacks. + + bitchx + July 21, 2008 + July 21, 2008: 01 + 190667 + remote + + + 1.1-r4 + + + +

+ BitchX is an IRC client. +

+
+ +

+ bannedit reported a boundary error when handling overly long IRC MODE + messages (CVE-2007-4584). Nico Golde reported an insecure creation of a + temporary file within the e_hostname() function (CVE-2007-5839). +

+
+ +

+ A remote attacker could entice a user to connect to a malicious IRC + server, resulting in the remote execution of arbitrary code with the + privileges of the user running the application. A local attacker could + perform symlink attacks to overwrite arbitrary files on the local + machine. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Since BitchX is no longer maintained, we recommend that users unmerge + the vulnerable package and switch to another IRC client: +

+ + # emerge --unmerge "net-irc/bitchx" +
+ + CVE-2007-4584 + CVE-2007-5839 + + + vorlon + + + vorlon + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-13.xml b/xml/htdocs/security/en/glsa/glsa-200807-13.xml new file mode 100644 index 00000000..a0bdc306 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-13.xml @@ -0,0 +1,72 @@ + + + + + + + VLC: Multiple vulnerabilities + + Multiple vulnerabilities in VLC may allow for the execution of arbitrary + code. + + vlc + July 31, 2008 + July 31, 2008: 01 + 221959 + 230692 + local, remote + + + 0.8.6i + 0.8.6i + + + +

+ VLC is a cross-platform media player and streaming server. +

+
+ +
  • Remi Denis-Courmont reported that VLC loads plugins from the + current working directory in an unsafe manner (CVE-2008-2147).
  • +
  • Alin Rad Pop (Secunia Research) reported an integer overflow error + in the Open() function in the file modules/demux/wav.c + (CVE-2008-2430).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted .wav + file, and a local attacker could entice a user to run VLC from a + directory containing specially crafted modules, possibly resulting in + the execution of arbitrary code with the privileges of the user running + the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All VLC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/vlc-0.8.6i" +
+ + CVE-2008-2147 + CVE-2008-2430 + + + keytoaster + + + vorlon + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-14.xml b/xml/htdocs/security/en/glsa/glsa-200807-14.xml new file mode 100644 index 00000000..55375b1a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-14.xml @@ -0,0 +1,65 @@ + + + + + + + Linux Audit: Buffer overflow + + A buffer overflow vulnerability in Linux Audit may allow local attackers to + execute arbitrary code. + + audit + July 31, 2008 + July 31, 2008: 01 + 215705 + local + + + 1.7.3 + 1.7.3 + + + +

+ Linux Audit is a set of userspace utilities for storing and processing + auditing records. +

+
+ +

+ A stack-based buffer overflow has been reported in the + audit_log_user_command() function in the file lib/audit_logging.c when + processing overly long arguments. +

+
+ +

+ A local attacker could execute a specially crafted command on the host + running Linux Audit, possibly resulting in the execution of arbitrary + code with the privileges of the user running Linux Audit. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Linux Audit users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-process/audit-1.7.3" +
+ + CVE-2008-1628 + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-15.xml b/xml/htdocs/security/en/glsa/glsa-200807-15.xml new file mode 100644 index 00000000..074edab8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-15.xml @@ -0,0 +1,68 @@ + + + + + + + Pan: User-assisted execution of arbitrary code + + A buffer overflow vulnerability in Pan may allow remote attacker to execute + arbitrary code. + + pan + July 31, 2008 + July 31, 2008: 01 + 224051 + remote + + + 0.132-r3 + 0.14.2.91-r2 + 0.14.2 + 0.132-r3 + + + +

+ Pan is a newsreader for the GNOME desktop. +

+
+ +

+ Pavel Polischouk reported a boundary error in the PartsBatch class when + processing .nzb files. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted .nzb + file, possibly resulting in the remote execution of arbitrary code with + the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Pan users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-nntp/pan-0.132-r3" +
+ + CVE-2008-2363 + + + rbu + + + vorlon + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200807-16.xml b/xml/htdocs/security/en/glsa/glsa-200807-16.xml new file mode 100644 index 00000000..c1b2dfa1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200807-16.xml @@ -0,0 +1,109 @@ + + + + + + + Python: Multiple vulnerabilities + + Multiple vulnerabilities in Python may allow for the execution of arbitrary + code. + + python + July 31, 2008 + July 19, 2009: 02 + 230640 + 232137 + remote + + + 2.4.4-r14 + 2.5.2-r6 + 2.4.6 + 2.5.2-r6 + + + +

+ Python is an interpreted, interactive, object-oriented programming + language. +

+
+ +

+ Multiple vulnerabilities were discovered in Python: +

+
    +
  • + David Remahl of Apple Product Security reported several integer + overflows in core modules such as stringobject, unicodeobject, + bufferobject, longobject, tupleobject, stropmodule, gcmodule, + mmapmodule (CVE-2008-2315). +
  • +
  • + David Remahl of Apple Product Security also reported an integer + overflow in the hashlib module, leading to unreliable cryptographic + digest results (CVE-2008-2316). +
  • +
  • + Justin Ferguson reported multiple buffer overflows in unicode string + processing that only affect 32bit systems (CVE-2008-3142). +
  • +
  • + The Google Security Team reported multiple integer overflows + (CVE-2008-3143). +
  • +
  • + Justin Ferguson reported multiple integer underflows and overflows in + the PyOS_vsnprintf() function, and an off-by-one error when passing + zero-length strings, leading to memory corruption (CVE-2008-3144). +
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities in Python + applications or daemons that pass user-controlled input to vulnerable + functions. Exploitation might lead to the execution of arbitrary code + or a Denial of Service. Vulnerabilities within the hashlib might lead + to weakened cryptographic protection of data integrity or authenticity. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Python 2.4 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r14" +

+ All Python 2.5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.5.2-r6" +

+ Please note that Python 2.3 is masked since June 24, and we will not be + releasing updates to it. It will be removed from the tree in the near + future. +

+
+ + CVE-2008-2315 + CVE-2008-2316 + CVE-2008-3142 + CVE-2008-3143 + CVE-2008-3144 + + + rbu + + + rbu + +
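Review bot: The closing notice `Python 2.3 is masked since June 24, and we will not be releasing updates to it.` gives a date without a year; since the file carries a revision date of July 19, 2009 on top of the July 31, 2008 publication, readers of the revised advisory cannot tell which June is meant. Suggest `Python 2.3 has been masked since June 24, 2008, and no updates will be released for it.` if that is the intended year. The same paragraph could state plainly that Python 2.3 installations remain affected by all five CVEs listed, so that users of the masked branch do not read the two emerge commands as covering them.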
diff --git a/xml/htdocs/security/en/glsa/glsa-200808-01.xml b/xml/htdocs/security/en/glsa/glsa-200808-01.xml new file mode 100644 index 00000000..3fdb8c4e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200808-01.xml @@ -0,0 +1,89 @@ + + + + + + + xine-lib: User-assisted execution of arbitrary code + + xine-lib is vulnerable to multiple buffer overflows when processing media + streams. + + xine-lib + August 06, 2008 + August 06, 2008: 01 + 213039 + 214270 + 218059 + remote + + + 1.1.13 + 1.1.13 + + + +

+ xine-lib is the core library package for the xine media player, and + other players such as Amarok, Codeine/Dragon Player and Kaffeine. +

+
+ +

+ Multiple vulnerabilities have been discovered in xine-lib: +

+
    +
  • + Alin Rad Pop of Secunia reported an array indexing vulnerability in the + sdpplin_parse() function in the file input/libreal/sdpplin.c when + processing streams from RTSP servers that contain a large "streamid" + SDP parameter (CVE-2008-0073). +
  • +
  • + Luigi Auriemma reported multiple integer overflows that result in + heap-based buffer overflows when processing ".FLV", ".MOV" ".RM", + ".MVE", ".MKV", and ".CAK" files (CVE-2008-1482). +
  • +
  • + Guido Landi reported a stack-based buffer overflow in the + demux_nsf_send_chunk() function when handling titles within NES Music + (.NSF) files (CVE-2008-1878). +
  • +
+
+ +

+ A remote attacker could entice a user to play a specially crafted video + file or stream with a player using xine-lib, potentially resulting in + the execution of arbitrary code with the privileges of the user running + the player. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.13" +
+ + CVE-2008-0073 + CVE-2008-1482 + CVE-2008-1878 + + + rbu + + + vorlon + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200808-02.xml b/xml/htdocs/security/en/glsa/glsa-200808-02.xml new file mode 100644 index 00000000..7f44d3e8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200808-02.xml @@ -0,0 +1,76 @@ + + + + + + + Net-SNMP: Multiple vulnerabilities + + Multiple vulnerabilities in Net-SNMP allow for authentication bypass in + snmpd and execution of arbitrary code in Perl applications using Net-SMNP. + + net-snmp + August 06, 2008 + August 06, 2008: 01 + 222265 + 225105 + remote + + + 5.4.1.1 + 5.4.1.1 + + + +

+ Net-SNMP is a collection of tools for generating and retrieving SNMP + data. The SNMPv3 protocol uses a keyed-Hash Message Authentication Code + (HMAC) to verify data integrity and authenticity of SNMP messages. +

+
+ +

+ Wes Hardaker reported that the SNMPv3 HMAC verification relies on the + client to specify the HMAC length (CVE-2008-0960). John Kortink + reported a buffer overflow in the Perl bindings of Net-SNMP when + processing the OCTETSTRING in an attribute value pair (AVP) received by + an SNMP agent (CVE-2008-2292). +

+
+ +

+ An attacker could send SNMPv3 packets to an instance of snmpd providing + a valid user name and an HMAC length value of 1, and easily conduct + brute-force attacks to bypass SNMP authentication. An attacker could + further entice a user to connect to a malicious SNMP agent with an SNMP + client using the Perl bindings, possibly resulting in the execution of + arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Net-SNMP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.4.1.1" +
+ + CVE-2008-0960 + CVE-2008-2292 + + + keytoaster + + + vorlon + + + rbu + +
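Review bot: The synopsis misspells the product name: `execution of arbitrary code in Perl applications using Net-SMNP` should read `... Perl applications using Net-SNMP.`, matching the title, the description and the package atom `net-analyzer/net-snmp`. The synopsis is the line rendered in the advisory index and mailing-list subject, so it is the most visible text in the file. Minor, but the impact paragraph could also name the SNMPv3 authentication bypass before the Perl-bindings issue in the same order the CVEs are listed in the description, which currently reads in the opposite order to the references block.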
diff --git a/xml/htdocs/security/en/glsa/glsa-200808-03.xml b/xml/htdocs/security/en/glsa/glsa-200808-03.xml new file mode 100644 index 00000000..94249543 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200808-03.xml @@ -0,0 +1,249 @@ + + + + + + + Mozilla products: Multiple vulnerabilities + + Multiple vulnerabilities have been reported in Mozilla Firefox, + Thunderbird, SeaMonkey and XULRunner, some of which may allow user-assisted + execution of arbitrary code. + + mozilla-firefox mozilla-firefox-bin mozilla-thunderbird mozilla-thunderbird-bin seamonkey seamonkey-bin xulrunner xulrunner-bin + August 06, 2008 + August 06, 2008: 01 + 204337 + 218065 + 230567 + 231975 + remote + + + 2.0.0.16 + 2.0.0.16 + + + 2.0.0.16 + 2.0.0.16 + + + 2.0.0.16 + 2.0.0.16 + + + 2.0.0.16 + 2.0.0.16 + + + 1.1.11 + 1.1.11 + + + 1.1.11 + 1.1.11 + + + 1.8.1.16 + 1.8.1.16 + + + 1.8.1.16 + 1.8.1.16 + + + +

+ Mozilla Firefox is an open-source web browser and Mozilla Thunderbird + an open-source email client, both from the Mozilla Project. The + SeaMonkey project is a community effort to deliver production-quality + releases of code derived from the application formerly known as the + 'Mozilla Application Suite'. XULRunner is a Mozilla runtime package + that can be used to bootstrap XUL+XPCOM applications like Firefox and + Thunderbird. +

+
+ +

+ The following vulnerabilities were reported in all mentioned Mozilla + products: +

+
    +
  • + TippingPoint's Zero Day Initiative reported that an incorrect integer + data type is used as a CSS object reference counter, leading to a + counter overflow and a free() of in-use memory (CVE-2008-2785). +
  • +
  • + Igor Bukanov, Jesse Ruderman and Gary Kwong reported crashes in the + JavaScript engine, possibly triggering memory corruption + (CVE-2008-2799). +
  • +
  • + Devon Hubbard, Jesse Ruderman, and Martijn Wargers reported crashes in + the layout engine, possibly triggering memory corruption + (CVE-2008-2798). +
  • +
  • + moz_bug_r_a4 reported that XUL documents that include a script from a + chrome: URI that points to a fastload file would be executed with the + privileges specified in the file (CVE-2008-2802). +
  • +
  • + moz_bug_r_a4 reported that the mozIJSSubScriptLoader.LoadScript() + function only apply XPCNativeWrappers to scripts loaded from standard + "chrome:" URIs, which could be the case in third-party add-ons + (CVE-2008-2803). +
  • +
  • + Astabis reported a crash in the block reflow implementation related to + large images (CVE-2008-2811). +
  • +
  • + John G. Myers, Frank Benkstein and Nils Toedtmann reported a weakness + in the trust model used by Mozilla, that when a user accepts an SSL + server certificate on the basis of the CN domain name in the DN field, + the certificate is also regarded as accepted for all domain names in + subjectAltName:dNSName fields (CVE-2008-2809). +
  • +

+ The following vulnerabilities were reported in Firefox, SeaMonkey and + XULRunner: +

+
    +
  • + moz_bug_r_a4 reported that the Same Origin Policy is not properly + enforced on JavaScript (CVE-2008-2800). +
  • +
  • + Collin Jackson and Adam Barth reported that JAR signing is not properly + implemented, allowing injection of JavaScript into documents within a + JAR archive (CVE-2008-2801). +
  • +
  • + Opera Software reported an error allowing for arbitrary local file + upload (CVE-2008-2805). +
  • +
  • + Daniel Glazman reported that an invalid .properties file for an add-on + might lead to the usage of uninitialized memory (CVE-2008-2807). +
  • +
  • + Masahiro Yamada reported that HTML in "file://" URLs in directory + listings is not properly escaped (CVE-2008-2808). +
  • +
  • + Geoff reported that the context of Windows Internet shortcut files is + not correctly identified (CVE-2008-2810). +
  • +
  • + The crash vulnerability (CVE-2008-1380) that was previously announced + in GLSA 200805-18 is now also also resolved in Seamonkey binary + ebuilds. +
  • +

+ The following vulnerability was reported in Firefox only: +

+
    +
  • + Billy Rios reported that the Pipe character in a command-line URI is + identified as a request to open multiple tabs, allowing to open + "chrome" and "file" URIs (CVE-2008-2933). +
  • +
+
+ +

+ A remote attacker could entice a user to view a specially crafted web + page or email that will trigger one of the vulnerabilities, possibly + leading to the execution of arbitrary code or a Denial of Service. It + is also possible for an attacker to trick a user to upload arbitrary + files or to accept an invalid certificate for a spoofed web site, to + read uninitialized memory, to violate Same Origin Policy, or to conduct + Cross-Site Scripting attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mozilla Firefox users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.16" +

+ All Mozilla Firefox binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.16" +

+ All Mozilla Thunderbird users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-2.0.0.16" +

+ All Mozilla Thunderbird binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-2.0.0.16" +

+ All Seamonkey users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.11" +

+ All Seamonkey binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.11" +

+ All XULRunner users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.16" +

+ All XULRunner binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/xulrunner-bin-1.8.1.16" +
+ + CVE-2008-1380 + CVE-2008-2785 + CVE-2008-2798 + CVE-2008-2799 + CVE-2008-2800 + CVE-2008-2801 + CVE-2008-2802 + CVE-2008-2803 + CVE-2008-2805 + CVE-2008-2807 + CVE-2008-2808 + CVE-2008-2809 + CVE-2008-2810 + CVE-2008-2811 + CVE-2008-2933 + GLSA 200805-18 + + + p-y + + + rbu + + + rbu + +
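Review bot: The last bullet of the Firefox/SeaMonkey/XULRunner list has a duplicated word: `is now also also resolved in Seamonkey binary ebuilds` should read `is now also resolved in SeaMonkey binary ebuilds`. That bullet and the two resolution headings write `Seamonkey` while the title, synopsis and description use `SeaMonkey`, which is the project's own spelling; the headings would then be `All SeaMonkey users should upgrade to the latest version:` and `All SeaMonkey binary users should upgrade to the latest version:`. The CVE-2008-2803 bullet also has an agreement slip, `function only apply XPCNativeWrappers` → `function only applies XPCNativeWrappers`.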
diff --git a/xml/htdocs/security/en/glsa/glsa-200808-04.xml b/xml/htdocs/security/en/glsa/glsa-200808-04.xml new file mode 100644 index 00000000..6707e707 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200808-04.xml @@ -0,0 +1,76 @@ + + + + + + + Wireshark: Denial of Service + + Multiple Denial of Service vulnerabilities have been discovered in + Wireshark. + + wireshark + August 06, 2008 + August 06, 2008: 01 + 230411 + 231587 + remote + + + 1.0.2 + 1.0.2 + + + +

+ Wireshark is a network protocol analyzer with a graphical front-end. +

+
+ +

+ Multiple vulnerabilities related to memory management were discovered + in the GSM SMS dissector (CVE-2008-3137), the PANA and KISMET + dissectors (CVE-2008-3138), the RTMPT dissector (CVE-2008-3139), the + syslog dissector (CVE-2008-3140) and the RMI dissector (CVE-2008-3141) + and when reassembling fragmented packets (CVE-2008-3145). +

+
+ +

+ A remote attacker could exploit these vulnerabilities by sending a + specially crafted packet on a network being monitored by Wireshark or + enticing a user to read a malformed packet trace file, causing a Denial + of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Wireshark users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.0.2" +
+ + CVE-2008-3137 + CVE-2008-3138 + CVE-2008-3139 + CVE-2008-3140 + CVE-2008-3141 + CVE-2008-3145 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200808-05.xml b/xml/htdocs/security/en/glsa/glsa-200808-05.xml new file mode 100644 index 00000000..b9a82601 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200808-05.xml @@ -0,0 +1,66 @@ + + + + + + + ISC DHCP: Denial of Service + + A Denial of Service vulnerability was discovered in ISC DHCP. + + dhcp + August 06, 2008 + August 06, 2008: 01 + 227135 + remote + + + 3.1.1 + 3.1.1 + + + +

+ ISC DHCP is ISC's reference implementation of all aspects of the + Dynamic Host Configuration Protocol. +

+
+ +

+ A buffer overflow error was found in ISC DHCP server, that can only be + exploited under unusual server configurations where the DHCP server is + configured to provide clients with a large set of DHCP options. +

+
+ +

+ A remote attacker could exploit this vulnerability to cause a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ISC DHCP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/dhcp-3.1.1" +
+ + CVE-2007-0062 + + + rbu + + + vorlon + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200808-06.xml b/xml/htdocs/security/en/glsa/glsa-200808-06.xml new file mode 100644 index 00000000..6e21c89f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200808-06.xml @@ -0,0 +1,70 @@ + + + + + + + libxslt: Execution of arbitrary code + + libxslt is affected by a heap-based buffer overflow, possibly leading to + the execution of arbitrary code. + + libxslt + August 06, 2008 + August 06, 2008: 01 + 232172 + remote + + + 1.1.24-r1 + 1.1.8 + 1.1.24-r1 + + + +

+ libxslt is the XSLT C library developed for the GNOME project. XSLT is + an XML language to define transformations for XML. +

+
+ +

+ Chris Evans (Google Security) reported that the libexslt library that + is part of libxslt is affected by a heap-based buffer overflow in the + RC4 encryption/decryption functions. +

+
+ +

+ A remote attacker could entice a user to process an XML file using a + specially crafted XSLT stylesheet in an application linked against + libxslt, possibly leading to the execution of arbitrary code with the + privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libxslt users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libxslt-1.1.24-r1" +
+ + CVE-2008-2935 + + + rbu + + + keytoaster + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200808-07.xml b/xml/htdocs/security/en/glsa/glsa-200808-07.xml new file mode 100644 index 00000000..fef05c97 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200808-07.xml @@ -0,0 +1,74 @@ + + + + + + + ClamAV: Multiple Denials of Service + + Multiple vulnerabilities in ClamAV may result in a Denial of Service. + + clamav + August 08, 2008 + August 08, 2008: 01 + 204340 + 227351 + remote + + + 0.93.3 + 0.93.3 + + + +

+ Clam AntiVirus is a free anti-virus toolkit for UNIX, designed + especially for e-mail scanning on mail gateways. +

+
+ +

+ Damian Put has discovered an out-of-bounds memory access while + processing Petite files (CVE-2008-2713, CVE-2008-3215). Also, please + note that the 0.93 ClamAV branch fixes the first of the two attack + vectors of CVE-2007-6595 concerning an insecure creation of temporary + files vulnerability. The sigtool attack vector seems still unfixed. +

+
+ +

+ A remote attacker could entice a user or automated system to scan a + specially crafted Petite file, possibly resulting in a Denial of + Service (daemon crash). Also, the insecure creation of temporary files + vulnerability can be triggered by a local user to perform a symlink + attack. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.93.3" +
+ + CVE-2007-6595 + CVE-2008-2713 + CVE-2008-3215 + + + rbu + + + falco + + + falco + +
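Review bot: The title and synopsis describe only Denials of Service (`ClamAV: Multiple Denials of Service`), yet the impact section states that the CVE-2007-6595 insecure temporary file creation `can be triggered by a local user to perform a symlink attack`, and the description says its sigtool vector `seems still unfixed` in 0.93.3. As written, the advisory lists CVE-2007-6595 among the references resolved by upgrading to 0.93.3 while acknowledging that it is not fully fixed, and the access field says `remote` although one of the described impacts is local. Suggest either leaving the unfixed sigtool vector to a follow-up advisory or stating it in the resolution, e.g. `The sigtool temporary-file vector of CVE-2007-6595 is not addressed by this update.`, and widening the title and access field to reflect the local symlink impact.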
diff --git a/xml/htdocs/security/en/glsa/glsa-200808-08.xml b/xml/htdocs/security/en/glsa/glsa-200808-08.xml new file mode 100644 index 00000000..f7a589db --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200808-08.xml @@ -0,0 +1,71 @@ + + + + + + + stunnel: Security bypass + + stunnel does not properly prevent the authentication of a revoked + certificate which would be published by OCSP. + + stunnel + August 08, 2008 + August 09, 2009: 02 + 222805 + remote + + + 4.24 + 4 + 4.24 + + + +

+ The stunnel program is designed to work as an SSL encryption wrapper + between a remote client and a local or remote server. OCSP (Online + Certificate Status Protocol), as described in RFC 2560, is an internet + protocol used for obtaining the revocation status of an X.509 digital + certificate. +

+
+ +

+ An unspecified bug in the OCSP search functionality of stunnel has been + discovered. +

+
+ +

+ A remote attacker can use a revoked certificate that would be + successfully authenticated by stunnel. This issue only concerns the + users who have enabled the OCSP validation in stunnel. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All stunnel users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/stunnel-4.24" +
+ + CVE-2008-2420 + + + rbu + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200808-09.xml b/xml/htdocs/security/en/glsa/glsa-200808-09.xml new file mode 100644 index 00000000..60d8c59e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200808-09.xml @@ -0,0 +1,65 @@ + + + + + + + OpenLDAP: Denial of Service vulnerability + + A flaw in OpenLDAP allows remote unauthenticated attackers to cause a + Denial of Service. + + openldap + August 08, 2008 + August 08, 2008: 01 + 230269 + remote + + + 2.3.43 + 2.3.43 + + + +

+ OpenLDAP Software is an open source implementation of the Lightweight + Directory Access Protocol. +

+
+ +

+ Cameron Hotchkies discovered an error within the parsing of ASN.1 BER + encoded packets in the "ber_get_next()" function in + libraries/liblber/io.c. +

+
+ +

+ A remote unauthenticated attacker can send a specially crafted ASN.1 + BER encoded packet which will trigger the error and cause an + "assert()", terminating the "slapd" daemon. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenLDAP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-nds/openldap-2.3.43" +
+ + CVE-2008-2952 + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200808-10.xml b/xml/htdocs/security/en/glsa/glsa-200808-10.xml new file mode 100644 index 00000000..38013f19 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200808-10.xml @@ -0,0 +1,64 @@ + + + + + + + Adobe Reader: User-assisted execution of arbitrary code + + Adobe Reader is vulnerable to execution of arbitrary code via a crafted + PDF. + + acroread + August 09, 2008 + August 09, 2008: 01 + 233383 + remote + + + 8.1.2-r3 + 8.1.2-r3 + + + +

+ Adobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF + reader. +

+
+ +

+ The Johns Hopkins University Applied Physics Laboratory reported that + input to an unspecified JavaScript method is not properly validated. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted PDF + document, possibly resulting in the remote execution of arbitrary code + with the privileges of the user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Reader users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/acroread-8.1.2-r3" +
+ + CVE-2008-2641 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200808-11.xml b/xml/htdocs/security/en/glsa/glsa-200808-11.xml new file mode 100644 index 00000000..8c848a43 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200808-11.xml @@ -0,0 +1,78 @@ + + + + + + + UUDeview: Insecure temporary file creation + + A vulnerability in UUDeview may allow local attackers to conduct symlink + attacks. + + nzbget uudeview + August 11, 2008 + August 11, 2008: 01 + 222275 + 224193 + local + + + 0.5.20-r1 + 0.5.20-r1 + + + 0.4.0 + 0.4.0 + + + +

+ UUdeview is encoder and decoder supporting various binary formats. + NZBGet is a command-line based binary newsgrabber supporting .nzb + files. +

+
+ +

+ UUdeview makes insecure usage of the tempnam() function when creating + temporary files. NZBGet includes a copy of the vulnerable code. +

+
+ +

+ A local attacker could exploit this vulnerability to overwrite + arbitrary files on the system. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All UUDview users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/uudeview-0.5.20-r1" +

+ All NZBget users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=news-nntp/nzbget-0.4.0" +
+ + CVE-2008-2266 + + + p-y + + + p-y + + + p-y + +
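Review bot: The product names are spelled inconsistently within the file: the title and package atom use `UUDeview`/`uudeview`, the description uses `UUdeview`, and the resolution heading reads `All UUDview users should upgrade to the latest version:` with the `e` dropped; NZBGet likewise appears as both `NZBGet` and `NZBget`. Suggest `All UUDeview users should upgrade to the latest version:` and `All NZBGet users should upgrade to the latest version:`. The description sentence `UUdeview is encoder and decoder supporting various binary formats.` is also missing its article: `UUDeview is an encoder and decoder supporting various binary formats.`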
diff --git a/xml/htdocs/security/en/glsa/glsa-200808-12.xml b/xml/htdocs/security/en/glsa/glsa-200808-12.xml new file mode 100644 index 00000000..7f564f49 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200808-12.xml @@ -0,0 +1,126 @@ + + + + + + + Postfix: Local privilege escalation vulnerability + + Postfix incorrectly checks the ownership of a mailbox, allowing, in certain + circumstances, to append data to arbitrary files on a local system with + root privileges. + + postfix + August 14, 2008 + October 23, 2008: 02 + 232642 + local + + + 2.4.7-r1 + 2.5.3-r1 + 2.4.8 + 2.4.9 + 2.5.3-r1 + + + +

+ Postfix is Wietse Venema's mailer that attempts to be fast, easy to + administer, and secure, as an alternative to the widely-used Sendmail + program. +

+
+ +

+ Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail + to root-owned symlinks in an insecure manner under certain conditions. + Normally, Postfix does not deliver mail to symlinks, except to + root-owned symlinks, for compatibility with the systems using symlinks + in /dev like Solaris. Furthermore, some systems like Linux allow to + hardlink a symlink, while the POSIX.1-2001 standard requires that the + symlink is followed. Depending on the write permissions and the + delivery agent being used, this can lead to an arbitrary local file + overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix + delivery agent does not properly verify the ownership of a mailbox + before delivering mail (CVE-2008-2937). +

+
+ +

+ The combination of these features allows a local attacker to hardlink a + root-owned symlink such that the newly created symlink would be + root-owned and would point to a regular file (or another symlink) that + would be written by the Postfix built-in local(8) or virtual(8) + delivery agents, regardless the ownership of the final destination + regular file. Depending on the write permissions of the spool mail + directory, the delivery style, and the existence of a root mailbox, + this could allow a local attacker to append a mail to an arbitrary file + like /etc/passwd in order to gain root privileges. +

+

+ The default configuration of Gentoo Linux does not permit any kind of + user privilege escalation. +

+

+ The second vulnerability (CVE-2008-2937) allows a local attacker, + already having write permissions to the mail spool directory which is + not the case on Gentoo by default, to create a previously nonexistent + mailbox before Postfix creates it, allowing to read the mail of another + user on the system. +

+
+ +

+ The following conditions should be met in order to be vulnerable to + local privilege escalation. +

+
    +
  • The mail delivery style is mailbox, with the Postfix built-in + local(8) or virtual(8) delivery agents.
  • +
  • The mail spool directory (/var/spool/mail) is user-writeable.
  • +
  • The user can create hardlinks pointing to root-owned symlinks + located in other directories.
  • +
+

+ Consequently, each one of the following workarounds is efficient. +

+
    +
  • Verify that your /var/spool/mail directory is not writeable by a + user. Normally on Gentoo, only the mail group has write access, and no + end-user should be granted the mail group ownership.
  • +
  • Prevent the local users from being able to create hardlinks + pointing outside of the /var/spool/mail directory, e.g. with a + dedicated partition.
  • +
  • Use a non-builtin Postfix delivery agent, like procmail or + maildrop.
  • +
  • Use the maildir delivery style of Postfix ("home_mailbox=Maildir/" + for example).
  • +
+

+ Concerning the second vulnerability, check the write permissions of + /var/spool/mail, or check that every Unix account already has a + mailbox, by using Wietse Venema's Perl script available in the official + advisory. +

+
+ +

+ All Postfix users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.3-r1" +
+ + CVE-2008-2936 + CVE-2008-2937 + Official Advisory + + + falco + + + falco + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-01.xml b/xml/htdocs/security/en/glsa/glsa-200809-01.xml
new file mode 100644
index 00000000..816ecfd6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-01.xml
@@ -0,0 +1,73 @@
+ + + + + + + yelp: User-assisted execution of arbitrary code + + A vulnerability in yelp can lead to the execution of arbitrary code when + opening a URI, for example through Firefox. + + yelp + September 04, 2008 + September 04, 2008: 01 + 234079 + remote + + + 2.22.1-r2 + 2.20.0-r1 + 2.22.1-r2 + + + +

+ yelp is the default help browser for GNOME. +

+
+ +

+ Aaron Grattafiori reported a format string vulnerability in the + window_error() function in yelp-window.c. +

+
+ +

+ A remote attacker can entice a user to open specially crafted "man:" or + "ghelp:" URIs in yelp, or an application using yelp such as Firefox or + Evolution, and execute arbitrary code with the privileges of that user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All yelp users running GNOME 2.22 should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=gnome-extra/yelp-2.22.1-r2" +

+ All yelp users running GNOME 2.20 should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=gnome-extra/yelp-2.20.0-r1" +
+ + CVE-2008-3533 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-02.xml b/xml/htdocs/security/en/glsa/glsa-200809-02.xml
new file mode 100644
index 00000000..e5f2418f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-02.xml
@@ -0,0 +1,79 @@
+ + + + + + + dnsmasq: Denial of Service and DNS spoofing + + Two vulnerabilities in dnsmasq might allow for a Denial of Service or + spoofing of DNS replies. + + dnsmasq + September 04, 2008 + September 04, 2008: 01 + 231282 + 232523 + remote + + + 2.45 + 2.45 + + + +

+ Dnsmasq is a lightweight and easily-configurable DNS forwarder and DHCP + server. +

+
+ +
    +
  • + Dan Kaminsky of IOActive reported that dnsmasq does not randomize UDP + source ports when forwarding DNS queries to a recursing DNS server + (CVE-2008-1447). +
  • +
  • + Carlos Carvalho reported that dnsmasq in the 2.43 version does not + properly handle clients sending inform or renewal queries for unknown + DHCP leases, leading to a crash (CVE-2008-3350). +
  • +
+
+ +

+ A remote attacker could send spoofed DNS response traffic to dnsmasq, + possibly involving generating queries via multiple vectors, and spoof + DNS replies, which could e.g. lead to the redirection of web or mail + traffic to malicious sites. Furthermore, an attacker could generate + invalid DHCP traffic and cause a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All dnsmasq users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/dnsmasq-2.45" +
+ + CVE-2008-3350 + CVE-2008-1447 + + + p-y + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-03.xml b/xml/htdocs/security/en/glsa/glsa-200809-03.xml
new file mode 100644
index 00000000..757ea9cb
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-03.xml
@@ -0,0 +1,64 @@
+ + + + + + + RealPlayer: Buffer overflow + + RealPlayer is vulnerable to a buffer overflow allowing for the execution of + arbitrary code. + + realplayer + September 04, 2008 + September 04, 2008: 01 + 232997 + remote + + + 11.0.0.4028-r1 + 11.0.0.4028-r1 + + + +

+ RealPlayer is a multimedia player capable of handling multiple + multimedia file formats. +

+
+ +

+ Dyon Balding of Secunia Research reported an unspecified heap-based + buffer overflow in the Shockwave Flash (SWF) frame handling. +

+
+ +

+ By enticing a user to open a specially crafted SWF (Shockwave Flash) + file, a remote attacker could be able to execute arbitrary code with + the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All RealPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/realplayer-11.0.0.4028-r1" +
+ + CVE-2007-5400 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-04.xml b/xml/htdocs/security/en/glsa/glsa-200809-04.xml
new file mode 100644
index 00000000..298a69e1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-04.xml
@@ -0,0 +1,65 @@
+ + + + + + + MySQL: Privilege bypass + + A vulnerability in MySQL might allow users to bypass privileges and gain + access to other databases. + + mysql + September 04, 2008 + September 04, 2008: 01 + 220399 + remote + + + 5.0.60-r1 + 5.0.60-r1 + + + +

+ MySQL is a popular multi-threaded, multi-user SQL server. +

+
+ +

+ Sergei Golubchik reported that MySQL imposes no restrictions on the + specification of "DATA DIRECTORY" or "INDEX DIRECTORY" in SQL "CREATE + TABLE" statements. +

+
+ +

+ An authenticated remote attacker could create MyISAM tables, specifying + DATA or INDEX directories that contain future table files by other + database users, or existing table files in the MySQL data directory, + gaining access to those tables. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MySQL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.0.60-r1" +
+ + CVE-2008-2079 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-05.xml b/xml/htdocs/security/en/glsa/glsa-200809-05.xml
new file mode 100644
index 00000000..a6ae8425
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-05.xml
@@ -0,0 +1,71 @@
+ + + + + + + Courier Authentication Library: SQL injection vulnerability + + An SQL injection vulnerability has been discovered in the Courier + Authentication Library. + + courier-authlib + September 05, 2008 + September 05, 2008: 01 + 225407 + remote + + + 0.60.6 + 0.60.6 + + + +

+ The Courier Authentication Library is a generic authentication API that + encapsulates the process of validating account passwords. +

+
+ +

+ It has been discovered that some input (e.g. the username) passed to + the library are not properly sanitised before being used in SQL + queries. +

+
+ +

+ A remote attacker could provide specially crafted input to the library, + possibly resulting in the remote execution of arbitrary SQL commands. + NOTE: Exploitation of this vulnerability requires that a MySQL database + is used for authentication and that a Non-Latin character set is + selected. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Courier Authentication Library users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/courier-authlib-0.60.6" +
+ + CVE-2008-2667 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-06.xml b/xml/htdocs/security/en/glsa/glsa-200809-06.xml
new file mode 100644
index 00000000..1a749eb0
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-06.xml
@@ -0,0 +1,74 @@
+ + + + + + + VLC: Multiple vulnerabilities + + Two vulnerabilities in VLC may lead to the remote execution of arbitrary + code. + + vlc + September 07, 2008 + September 07, 2008: 01 + 235238 + 235589 + remote + + + 0.8.6i-r2 + 0.8.6i-r2 + + + +

+ VLC is a cross-platform media player and streaming server. +

+
+ +

+ g_ reported the following vulnerabilities: +

+
  • An integer + overflow leading to a heap-based buffer overflow in the Open() function + in modules/demux/tta.c (CVE-2008-3732).
  • +
  • A signedness error + leading to a stack-based buffer overflow in the mms_ReceiveCommand() + function in modules/access/mms/mmstu.c (CVE-2008-3794).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted file, + possibly resulting in the remote execution of arbitrary code with the + privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All VLC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/vlc-0.8.6i-r2" +
+ + CVE-2008-3732 + CVE-2008-3794 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-07.xml b/xml/htdocs/security/en/glsa/glsa-200809-07.xml
new file mode 100644
index 00000000..8dc82871
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-07.xml
@@ -0,0 +1,69 @@
+ + + + + + + libTIFF: User-assisted execution of arbitrary code + + Multiple buffer underflow vulnerabilities in libTIFF may allow for the + remote execution of arbitrary code. + + tiff + September 08, 2008 + September 08, 2008: 01 + 234080 + remote + + + 3.8.2-r4 + 3.8.2-r4 + + + +

+ libTIFF provides support for reading and manipulating TIFF (Tagged + Image File Format) images. +

+
+ +

+ Drew Yao (Apple Product Security) and Clay Wood reported multiple + buffer underflows in the LZWDecode() and LZWDecodeCompat() functions in + tif_lzw.c when processing TIFF files. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted TIFF + file with an application making use of libTIFF, possibly resulting in + the remote execution of arbitrary code with the privileges of the user + running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libTIFF users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/tiff-3.8.2-r4" +
+ + CVE-2008-2327 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-08.xml b/xml/htdocs/security/en/glsa/glsa-200809-08.xml
new file mode 100644
index 00000000..e211c067
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-08.xml
@@ -0,0 +1,68 @@
+ + + + + + + Amarok: Insecure temporary file creation + + Amarok uses temporary files in an insecure manner, allowing for a symlink + attack. + + amarok + September 08, 2008 + September 08, 2008: 01 + 234689 + local + + + 1.4.10 + 1.4.10 + + + +

+ Amarok is an advanced music player. +

+
+ +

+ Dwayne Litzenberger reported that the + MagnatuneBrowser::listDownloadComplete() function in + magnatunebrowser/magnatunebrowser.cpp uses the album_info.xml temporary + file in an insecure manner. +

+
+ +

+ A local attacker could perform a symlink attack to overwrite arbitrary + files on the system with the privileges of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Amarok users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/amarok-1.4.10" +
+ + CVE-2008-3699 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-09.xml b/xml/htdocs/security/en/glsa/glsa-200809-09.xml
new file mode 100644
index 00000000..e8a9d29d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-09.xml
@@ -0,0 +1,78 @@
+ + + + + + + Postfix: Denial of Service + + A memory leak in Postfix might allow local users to cause a Denial of + Service. + + postfix + September 19, 2008 + September 19, 2008: 01 + 236453 + local + + + 2.4.9 + 2.5.5 + 2.4.9 + 2.5.5 + + + +

+ Postfix is Wietse Venema's mailer that attempts to be fast, easy to + administer, and secure, as an alternative to the widely-used Sendmail + program. +

+
+ +

+ It has been discovered than Postfix leaks an epoll file descriptor when + executing external commands, e.g. user-controlled $HOME/.forward or + $HOME/.procmailrc files. NOTE: This vulnerability only concerns Postfix + instances running on Linux 2.6 kernels. +

+
+ +

+ A local attacker could exploit this vulnerability to reduce the + performance of Postfix, and possibly trigger an assertion, resulting in + a Denial of Service. +

+
+ +

+ Allow only trusted users to control delivery to non-Postfix commands. +

+
+ +

+ All Postfix 2.4 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.4.9" +

+ All Postfix 2.5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.5" +
+ + CVE-2008-3889 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-10.xml b/xml/htdocs/security/en/glsa/glsa-200809-10.xml
new file mode 100644
index 00000000..3d9152e1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-10.xml
@@ -0,0 +1,74 @@
+ + + + + + + Mantis: Multiple vulnerabilities + + Multiple vulnerabilities have been reported in Mantis. + + mantisbt + September 21, 2008 + November 26, 2008: 02 + 222649 + 233336 + remote + + + 1.1.2 + 1.1.2 + + + +

+ Mantis is a PHP/MySQL/Web based bugtracking system. +

+
+ +

+ Antonio Parata and Francesco Ongaro reported a Cross-Site Request + Forgery vulnerability in manage_user_create.php (CVE-2008-2276), a + Cross-Site Scripting vulnerability in return_dynamic_filters.php + (CVE-2008-3331), and an insufficient input validation in + adm_config_set.php (CVE-2008-3332). A directory traversal vulnerability + in core/lang_api.php (CVE-2008-3333) has also been reported. +

+
+ +

+ A remote attacker could exploit these vulnerabilities to execute + arbitrary HTML and script code, create arbitrary users with + administrative privileges, execute arbitrary PHP commands, and include + arbitrary files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mantis users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/mantisbt-1.1.2" +
+ + CVE-2008-2276 + CVE-2008-3331 + CVE-2008-3332 + CVE-2008-3333 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-11.xml b/xml/htdocs/security/en/glsa/glsa-200809-11.xml
new file mode 100644
index 00000000..3c8db002
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-11.xml
@@ -0,0 +1,64 @@
+ + + + + + + HAVP: Denial of Service + + A Denial of Service vulnerability has been reported in HAVP. + + havp + September 21, 2008 + September 21, 2008: 01 + 234715 + remote + + + 0.89 + 0.89 + + + +

+ HAVP is a HTTP AntiVirus Proxy. +

+
+ +

+ Peter Warasin reported an infinite loop in sockethandler.cpp when + connecting to a non-responsive HTTP server. +

+
+ +

+ A remote attacker could send requests to unavailable servers, resulting + in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All HAVP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/havp-0.89" +
+ + CVE-2008-3688 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-12.xml b/xml/htdocs/security/en/glsa/glsa-200809-12.xml
new file mode 100644
index 00000000..18292024
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-12.xml
@@ -0,0 +1,67 @@
+ + + + + + + Newsbeuter: User-assisted execution of arbitrary code + + Insufficient input validation in newsbeuter may allow remote attackers to + execute arbitrary shell commands. + + newsbeuter + September 22, 2008 + September 22, 2008: 01 + 236506 + remote + + + 1.2 + 1.2 + + + +

+ Newsbeuter is a RSS/Atom feed reader for the text console. +

+
+ +

+ J.H.M. Dassen reported that the open-in-browser command does not + properly escape shell metacharacters in the URL before passing it to + system(). +

+
+ +

+ A remote attacker could entice a user to open a feed with specially + crafted URLs, possibly resulting in the remote execution of arbitrary + shell commands with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Newsbeuter users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-news/newsbeuter-1.2" +
+ + CVE-2008-3907 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-13.xml b/xml/htdocs/security/en/glsa/glsa-200809-13.xml
new file mode 100644
index 00000000..8dfb858d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-13.xml
@@ -0,0 +1,67 @@
+ + + + + + + R: Insecure temporary file creation + + R is vulnerable to symlink attacks due to an insecure usage of temporary + files. + + R + September 22, 2008 + September 22, 2008: 01 + 235822 + local + + + 2.7.1 + 2.7.1 + + + +

+ R is a GPL licensed implementation of S, a language and environment for + statistical computing and graphics. +

+
+ +

+ Dmitry E. Oboukhov reported that the "javareconf" script uses temporary + files in an insecure manner. +

+
+ +

+ A local attacker could exploit this vulnerability to overwrite + arbitrary files with the privileges of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All R users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/R-2.7.1" +
+ + CVE-2008-3931 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-14.xml b/xml/htdocs/security/en/glsa/glsa-200809-14.xml
new file mode 100644
index 00000000..ebde6ddf
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-14.xml
@@ -0,0 +1,66 @@
+ + + + + + + BitlBee: Security bypass + + Multiple vulnerabilities in Bitlbee may allow to bypass security + restrictions and hijack accounts. + + bitlbee + September 23, 2008 + September 23, 2008: 01 + 236160 + remote + + + 1.2.3 + 1.2.3 + + + +

+ BitlBee is an IRC to IM gateway that support multiple IM protocols. +

+
+ +

+ Multiple unspecified vulnerabilities were reported, including a NULL + pointer dereference. +

+
+ +

+ A remote attacker could exploit these vulnerabilities to overwrite + existing IM accounts. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All BitlBee users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/bitlbee-1.2.3" +
+ + CVE-2008-3920 + CVE-2008-3969 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-15.xml b/xml/htdocs/security/en/glsa/glsa-200809-15.xml
new file mode 100644
index 00000000..71c1ff46
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-15.xml
@@ -0,0 +1,68 @@
+ + + + + + + GNU ed: User-assisted execution of arbitrary code + + A buffer overflow vulnerability in ed may allow for the remote execution of + arbitrary code. + + ed + September 23, 2008 + September 23, 2008: 01 + 236521 + remote + + + 1.0 + 1.0 + + + +

+ GNU ed is a basic line editor. red is a restricted version of ed that + does not allow shell command execution. +

+
+ +

+ Alfredo Ortega from Core Security Technologies reported a heap-based + buffer overflow in the strip_escapes() function when processing overly + long filenames. +

+
+ +

+ A remote attacker could entice a user to process specially crafted + commands with ed or red, possibly resulting in the execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GNU ed users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/ed-1.0" +
+ + CVE-2008-3916 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-16.xml b/xml/htdocs/security/en/glsa/glsa-200809-16.xml
new file mode 100644
index 00000000..5cf03066
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-16.xml
@@ -0,0 +1,67 @@
+ + + + + + + Git: User-assisted execution of arbitrary code + + Multiple buffer overflow vulnerabilities have been discovered in Git. + + git + September 25, 2008 + September 25, 2008: 01 + 234075 + remote + + + 1.5.6.4 + 1.5.6.4 + + + +

+ Git is a distributed version control system. +

+
+ +

+ Multiple boundary errors in the functions diff_addremove() and + diff_change() when processing overly long repository path names were + reported. +

+
+ +

+ A remote attacker could entice a user to run commands like "git-diff" + or "git-grep" on a specially crafted repository, possibly resulting in + the remote execution of arbitrary code with the privileges of the user + running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Git users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/git-1.5.6.4" +
+ + CVE-2008-3546 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-17.xml b/xml/htdocs/security/en/glsa/glsa-200809-17.xml
new file mode 100644
index 00000000..d6b15c02
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-17.xml
@@ -0,0 +1,84 @@
+ + + + + + + Wireshark: Multiple Denials of Service + + Multiple Denial of Service vulnerabilities have been discovered in + Wireshark. + + wireshark + September 25, 2008 + September 25, 2008: 01 + 236515 + remote + + + 1.0.3 + 1.0.3 + + + +

+ Wireshark is a network protocol analyzer with a graphical front-end. +

+
+ +

+ The following vulnerabilities were reported: +

+
    +
  • + Multiple buffer overflows in the NCP dissector (CVE-2008-3146). +
  • +
  • + Infinite loop in the NCP dissector (CVE-2008-3932). +
  • +
  • + Invalid read in the tvb_uncompress() function when processing zlib + compressed data (CVE-2008-3933). +
  • +
  • + Unspecified error when processing Textronix .rf5 files + (CVE-2008-3934).
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities by sending + specially crafted packets on a network being monitored by Wireshark or + by enticing a user to read a malformed packet trace file, causing a + Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Wireshark users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.0.3" +
+ + CVE-2008-3146 + CVE-2008-3932 + CVE-2008-3933 + CVE-2008-3934 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200809-18.xml b/xml/htdocs/security/en/glsa/glsa-200809-18.xml
new file mode 100644
index 00000000..c412926e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200809-18.xml
@@ -0,0 +1,74 @@
+ + + + + + + ClamAV: Multiple Denials of Service + + Multiple vulnerabilities in ClamAV may result in a Denial of Service. + + clamav + September 25, 2008 + September 25, 2008: 01 + 236665 + remote + + + 0.94 + 0.94 + + + +

+ Clam AntiVirus is a free anti-virus toolkit for UNIX, designed + especially for e-mail scanning on mail gateways. +

+
+ +

+ Hanno boeck reported an error in libclamav/chmunpack.c when processing + CHM files (CVE-2008-1389). Other unspecified vulnerabilites were also + reported, including a NULL pointer dereference in libclamav + (CVE-2008-3912), memory leaks in freshclam/manager.c (CVE-2008-3913), + and file descriptor leaks in libclamav/others.c and libclamav/sis.c + (CVE-2008-3914). +

+
+ +

+ A remote attacker could entice a user or automated system to scan a + specially crafted CHM, possibly resulting in a Denial of Service + (daemon crash). The other attack vectors mentioned above could also + result in a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.94" +
+ + CVE-2008-1389 + CVE-2008-3912 + CVE-2008-3913 + CVE-2008-3914 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200810-01.xml b/xml/htdocs/security/en/glsa/glsa-200810-01.xml
new file mode 100644
index 00000000..587686c2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200810-01.xml
@@ -0,0 +1,94 @@
+ + + + + + + WordNet: Execution of arbitrary code + + Multiple vulnerabilities were found in WordNet, possibly allowing for the + execution of arbitrary code. + + wordnet + October 07, 2008 + October 07, 2008: 01 + 211491 + local, remote + + + 3.0-r2 + 3.0-r2 + + + +

+ WordNet is a large lexical database of English. +

+
+ +

+ Jukka Ruohonen initially reported a boundary error within the + searchwn() function in src/wn.c. A thorough investigation by the oCERT + team revealed several other vulnerabilities in WordNet: +

+
    +
  • Jukka Ruohonen and Rob Holland (oCERT) reported multiple boundary + errors within the searchwn() function in src/wn.c, the wngrep() + function in lib/search.c, the morphstr() and morphword() functions in + lib/morph.c, and the getindex() in lib/search.c, which lead to + stack-based buffer overflows.
  • +
  • Rob Holland (oCERT) reported two + boundary errors within the do_init() function in lib/morph.c, which + lead to stack-based buffer overflows via specially crafted + "WNSEARCHDIR" or "WNHOME" environment variables.
  • +
  • Rob Holland + (oCERT) reported multiple boundary errors in the bin_search() and + bin_search_key() functions in binsrch.c, which lead to stack-based + buffer overflows via specially crafted data files.
  • +
  • Rob Holland + (oCERT) reported a boundary error within the parse_index() function in + lib/search.c, which leads to a heap-based buffer overflow via specially + crafted data files.
  • +
+
+ +
    +
  • In case the application is accessible e.g. via a web server, + a remote attacker could pass overly long strings as arguments to the + "wm" binary, possibly leading to the execution of arbitrary code.
  • +
  • A local attacker could exploit the second vulnerability via + specially crafted "WNSEARCHDIR" or "WNHOME" environment variables, + possibly leading to the execution of arbitrary code with escalated + privileges.
  • +
  • A local attacker could exploit the third and + fourth vulnerability by making the application use specially crafted + data files, possibly leading to the execution of arbitrary code.
  • +
+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All WordNet users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-dicts/wordnet-3.0-r2" +
+ + CVE-2008-2149 + CVE-2008-3908 + + + p-y + + + p-y + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200810-02.xml b/xml/htdocs/security/en/glsa/glsa-200810-02.xml
new file mode 100644
index 00000000..d729542a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200810-02.xml
@@ -0,0 +1,75 @@
+ + + + + + + Portage: Untrusted search path local root vulnerability + + A search path vulnerability in Portage allows local attackers to execute + commands with root privileges if emerge is called from untrusted + directories. + + portage + October 09, 2008 + October 09, 2008: 01 + 239560 + local + + + 2.1.4.5 + 2.1.4.5 + + + +

+ Portage is Gentoo's package manager which is responsible for + installing, compiling and updating all packages on the system through + the Gentoo rsync tree. +

+
+ +

+ The Gentoo Security Team discovered that several ebuilds, such as + sys-apps/portage, net-mail/fetchmail or app-editors/leo execute Python + code using "python -c", which includes the current working directory in + Python's module search path. For several ebuild functions, Portage did + not change the working directory from emerge's working directory. +

+
+ +

+ A local attacker could place a specially crafted Python module in a + directory (such as /tmp) and entice the root user to run commands such + as "emerge sys-apps/portage" from that directory, resulting in the + execution of arbitrary Python code with root privileges. +

+
+ +

+ Do not run "emerge" from untrusted working directories. +

+
+ +

+ All Portage users should upgrade to the latest version: +

+ + # cd /root + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/portage-2.1.4.5" +

+ NOTE: To upgrade to Portage 2.1.4.5 using 2.1.4.4 or prior, you must + run emerge from a trusted working directory, such as "/root". +

+
+ + CVE-2008-4394 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200810-03.xml b/xml/htdocs/security/en/glsa/glsa-200810-03.xml
new file mode 100644
index 00000000..5f1653b5
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200810-03.xml
@@ -0,0 +1,71 @@
+ + + + + + + libspf2: DNS response buffer overflow + + A memory management error in libspf2 might allow for remote execution of + arbitrary code. + + libspf2 + October 30, 2008 + October 30, 2008: 01 + 242254 + remote + + + 1.2.8 + 1.2.8 + + + +

+ libspf2 is a library that implements the Sender Policy Framework, + allowing mail transfer agents to make sure that an email is authorized + by the domain name that it is coming from. Currently, only the exim MTA + uses libspf2 in Gentoo. +

+
+ +

+ libspf2 uses a fixed-length buffer to receive DNS responses and does + not properly check the length of TXT records, leading to buffer + overflows. +

+
+ +

+ A remote attacker could store a specially crafted DNS entry and entice + a user or automated system using libspf2 to lookup that SPF entry (e.g. + by sending an email to the MTA), possibly allowing for the execution of + arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libspf2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-filter/libspf2-1.2.8" +
+ + CVE-2008-2469 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200811-01.xml b/xml/htdocs/security/en/glsa/glsa-200811-01.xml
new file mode 100644
index 00000000..97f4e319
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200811-01.xml
@@ -0,0 +1,129 @@
+ + + + + + + Opera: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Opera, allowing for the + execution of arbitrary code. + + opera + November 03, 2008 + November 03, 2008: 01 + 235298 + 240500 + 243060 + 244980 + remote + + + 9.62 + 9.62 + + + +

+ Opera is a fast web browser that is available free of charge. +

+
+ +

+ Multiple vulnerabilities have been discovered in Opera: +

+
    +
  • Opera does not restrict the ability of a framed web page to change + the address associated with a different frame (CVE-2008-4195).
  • +
  • Chris Weber (Casaba Security) discovered a Cross-site scripting + vulnerability (CVE-2008-4196).
  • +
  • Michael A. Puls II discovered + that Opera can produce argument strings that contain uninitialized + memory, when processing custom shortcut and menu commands + (CVE-2008-4197).
  • +
  • Lars Kleinschmidt discovered that Opera, when + rendering an HTTP page that has loaded an HTTPS page into a frame, + displays a padlock icon and offers a security information dialog + reporting a secure connection (CVE-2008-4198).
  • +
  • Opera does not + prevent use of links from web pages to feed source files on the local + disk (CVE-2008-4199).
  • +
  • Opera does not ensure that the address + field of a news feed represents the feed's actual URL + (CVE-2008-4200).
  • +
  • Opera does not check the CRL override upon + encountering a certificate that lacks a CRL (CVE-2008-4292).
  • +
  • Chris (Matasano Security) reported that Opera may crash if it is + redirected by a malicious page to a specially crafted address + (CVE-2008-4694).
  • +
  • Nate McFeters reported that Opera runs Java + applets in the context of the local machine, if that applet has been + cached and a page can predict the cache path for that applet and load + it from the cache (CVE-2008-4695).
  • +
  • Roberto Suggi Liverani + (Security-Assessment.com) reported that Opera's History Search results + does not escape certain constructs correctly, allowing for the + injection of scripts into the page (CVE-2008-4696).
  • +
  • David + Bloom reported that Opera's Fast Forward feature incorrectly executes + scripts from a page held in a frame in the outermost page instead of + the page the JavaScript URL was located (CVE-2008-4697).
  • +
  • David + Bloom reported that Opera does not block some scripts when previewing a + news feed (CVE-2008-4698).
  • +
  • Opera does not correctly sanitize + content when certain parameters are passed to Opera's History Search, + allowing scripts to be injected into the History Search results page + (CVE-2008-4794).
  • +
  • Opera's links panel incorrectly causes + scripts from a page held in a frame to be executed in the outermost + page instead of the page where the URL was located + (CVE-2008-4795).
  • +
+
+ +

+ These vulnerabilties allow remote attackers to execute arbitrary code, + to run scripts injected into Opera's History Search with elevated + privileges, to inject arbitrary web script or HTML into web pages, to + manipulate the address bar, to change Opera's preferences, to determine + the validity of local filenames, to read cache files, browsing history, + and subscribed feeds or to conduct other attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Opera users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/opera-9.62" +
+ + CVE-2008-4195 + CVE-2008-4196 + CVE-2008-4197 + CVE-2008-4198 + CVE-2008-4199 + CVE-2008-4200 + CVE-2008-4292 + CVE-2008-4694 + CVE-2008-4695 + CVE-2008-4696 + CVE-2008-4697 + CVE-2008-4698 + CVE-2008-4794 + CVE-2008-4795 + + + keytoaster + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200811-02.xml b/xml/htdocs/security/en/glsa/glsa-200811-02.xml new file mode 100644 index 00000000..ff6c7828 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200811-02.xml @@ -0,0 +1,98 @@ + + + + + + + Gallery: Multiple vulnerabilities + + Multiple vulnerabilities in Gallery may lead to execution of arbitrary + code, disclosure of local files or theft of user's credentials. + + gallery + November 09, 2008 + May 28, 2009: 02 + 234137 + 238113 + remote + + + 2.2.6 + 1.5.9 + 1.5.10 + 2.2.6 + + + +

+ Gallery is an open source web based photo album organizer. +

+
+ +

+ Multiple vulnerabilities have been discovered in Gallery 1 and 2: +

+
    +
  • + Digital Security Research Group reported a directory traversal + vulnerability in contrib/phpBB2/modules.php in Gallery 1, when + register_globals is enabled (CVE-2008-3600). +
  • +
  • + Hanno Boeck reported that Gallery 1 and 2 did not set the secure flag + for the session cookie in an HTTPS session (CVE-2008-3662). +
  • +
  • + Alex Ustinov reported that Gallery 1 and 2 does not properly handle ZIP + archives containing symbolic links (CVE-2008-4129). +
  • +
  • + The vendor reported a Cross-Site Scripting vulnerability in Gallery 2 + (CVE-2008-4130). +
  • +
+
+ +

+ Remote attackers could send specially crafted requests to a server + running Gallery, allowing for the execution of arbitrary code when + register_globals is enabled, or read arbitrary files via directory + traversals otherwise. Attackers could also entice users to visit + crafted links allowing for theft of login credentials. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Gallery 2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/gallery-2.2.6" +

+ All Gallery 1 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/gallery-1.5.9" +
+ + CVE-2008-3600 + CVE-2008-3662 + CVE-2008-4129 + CVE-2008-4130 + + + keytoaster + + + keytoaster + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200811-03.xml b/xml/htdocs/security/en/glsa/glsa-200811-03.xml new file mode 100644 index 00000000..ec1117e6 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200811-03.xml @@ -0,0 +1,66 @@ + + + + + + + FAAD2: User-assisted execution of arbitrary code + + A buffer overflow in FAAD2 might lead to user-assisted execution of + arbitrary code via an MP4 file. + + faad2 + November 09, 2008 + November 09, 2008: 01 + 238445 + remote + + + 2.6.1-r2 + 2.6.1-r2 + + + +

+ FAAD2 is an open source MPEG-4 and MPEG-2 AAC decoder. +

+
+ +

+ The ICST-ERCIS (Peking University) reported a heap-based buffer + overflow in the decodeMP4file() function in frontend/main.c. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + MPEG-4 (MP4) file in an application using FAAD2, possibly leading to + the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FAAD2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/faad2-2.6.1-r2" +
+ + CVE-2008-4201 + + + keytoaster + + + keytoaster + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200811-04.xml b/xml/htdocs/security/en/glsa/glsa-200811-04.xml new file mode 100644 index 00000000..7e424ef2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200811-04.xml @@ -0,0 +1,67 @@ + + + + + + + Graphviz: User-assisted execution of arbitrary code + + A buffer overflow in Graphviz might lead to user-assisted execution of + arbitrary code via a DOT file. + + graphviz + November 09, 2008 + November 09, 2008: 01 + 240636 + remote + + + 2.20.3 + 2.20.3 + + + +

+ Graphviz is an open source graph visualization software. +

+
+ +

+ Roee Hay reported a stack-based buffer overflow in the push_subg() + function in parser.y when processing a DOT file with a large number of + Agraph_t elements. +

+
+ +

+ A remote attacker could entice a user or automated system to open a + specially crafted DOT file in an application using Graphviz, possibly + leading to the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Graphviz users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/graphviz-2.20.3" +
+ + CVE-2008-4555 + + + keytoaster + + + keytoaster + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200811-05.xml b/xml/htdocs/security/en/glsa/glsa-200811-05.xml new file mode 100644 index 00000000..a90a91ea --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200811-05.xml @@ -0,0 +1,134 @@ + + + + + + + PHP: Multiple vulnerabilities + + PHP contains several vulnerabilities including buffer and integer overflows + which could lead to the remote execution of arbitrary code. + + php + November 16, 2008 + November 16, 2008: 01 + 209148 + 212211 + 215266 + 228369 + 230575 + 234102 + remote + + + 5.2.6-r6 + 5.2.6-r6 + + + +

+ PHP is a widely-used general-purpose scripting language that is + especially suited for Web development and can be embedded into HTML. +

+
+ +

+ Several vulnerabilitites were found in PHP: +

+
    +
  • PHP ships a + vulnerable version of the PCRE library which allows for the + circumvention of security restrictions or even for remote code + execution in case of an application which accepts user-supplied regular + expressions (CVE-2008-0674).
  • +
  • Multiple crash issues in several + PHP functions have been discovered.
  • +
  • Ryan Permeh reported that + the init_request_info() function in sapi/cgi/cgi_main.c does not + properly consider operator precedence when calculating the length of + PATH_TRANSLATED (CVE-2008-0599).
  • +
  • An off-by-one error in the + metaphone() function may lead to memory corruption.
  • +
  • Maksymilian Arciemowicz of SecurityReason Research reported an + integer overflow, which is triggerable using printf() and related + functions (CVE-2008-1384).
  • +
  • Andrei Nigmatulin reported a + stack-based buffer overflow in the FastCGI SAPI, which has unknown + attack vectors (CVE-2008-2050).
  • +
  • Stefan Esser reported that PHP + does not correctly handle multibyte characters inside the + escapeshellcmd() function, which is used to sanitize user input before + its usage in shell commands (CVE-2008-2051).
  • +
  • Stefan Esser + reported that a short-coming in PHP's algorithm of seeding the random + number generator might allow for predictible random numbers + (CVE-2008-2107, CVE-2008-2108).
  • +
  • The IMAP extension in PHP uses + obsolete c-client API calls making it vulnerable to buffer overflows as + no bounds checking can be done (CVE-2008-2829).
  • +
  • Tavis Ormandy + reported a heap-based buffer overflow in pcre_compile.c in the PCRE + version shipped by PHP when processing user-supplied regular + expressions (CVE-2008-2371).
  • +
  • CzechSec reported that specially + crafted font files can lead to an overflow in the imageloadfont() + function in ext/gd/gd.c, which is part of the GD extension + (CVE-2008-3658).
  • +
  • Maksymilian Arciemowicz of SecurityReason + Research reported that a design error in PHP's stream wrappers allows + to circumvent safe_mode checks in several filesystem-related PHP + functions (CVE-2008-2665, CVE-2008-2666).
  • +
  • Laurent Gaffie + discovered a buffer overflow in the internal memnstr() function, which + is used by the PHP function explode() (CVE-2008-3659).
  • +
  • An + error in the FastCGI SAPI when processing a request with multiple dots + preceding the extension (CVE-2008-3660).
  • +
+
+ +

+ These vulnerabilities might allow a remote attacker to execute + arbitrary code, to cause a Denial of Service, to circumvent security + restrictions, to disclose information, and to manipulate files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.6-r6" +
+ + CVE-2008-0599 + CVE-2008-0674 + CVE-2008-1384 + CVE-2008-2050 + CVE-2008-2051 + CVE-2008-2107 + CVE-2008-2108 + CVE-2008-2371 + CVE-2008-2665 + CVE-2008-2666 + CVE-2008-2829 + CVE-2008-3658 + CVE-2008-3659 + CVE-2008-3660 + + + rbu + + + keytoaster + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-01.xml b/xml/htdocs/security/en/glsa/glsa-200812-01.xml new file mode 100644 index 00000000..b233c772 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-01.xml @@ -0,0 +1,67 @@ + + + + + + + OptiPNG: User-assisted execution of arbitrary code + + A vulnerability in OptiPNG might result in user-assisted execution of + arbitrary code. + + optipng + December 02, 2008 + December 02, 2008: 01 + 246522 + remote + + + 0.6.2 + 0.6.2 + + + +

+ OptiPNG is a PNG optimizer that recompresses image files to a smaller + size, without losing any information. +

+
+ +

+ A buffer overflow in the BMP reader in OptiPNG has been reported. +

+
+ +

+ A remote attacker could entice a user to process a specially crafted + BMP image, possibly resulting in the execution of arbitrary code with + the privileges of the user running the application, or a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OptiPNG users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/optipng-0.6.2" +
+ + CVE-2008-5101 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-02.xml b/xml/htdocs/security/en/glsa/glsa-200812-02.xml new file mode 100644 index 00000000..467cca5d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-02.xml @@ -0,0 +1,71 @@ + + + + + + + enscript: User-assisted execution of arbitrary code + + Two buffer overflows in enscript might lead to the execution of arbitrary + code. + + enscript + December 02, 2008 + December 02, 2008: 02 + 243228 + remote + + + 1.6.4-r4 + 1.6.4-r4 + + + +

+ enscript is a powerful ASCII to PostScript file converter. +

+
+ +

+ Two stack-based buffer overflows in the read_special_escape() function + in src/psgen.c have been reported. Ulf Harnhammar of Secunia Research + discovered a vulnerability related to the "setfilename" command + (CVE-2008-3863), and Kees Cook of Ubuntu discovered a vulnerability + related to the "font" escape sequence (CVE-2008-4306). +

+
+ +

+ An attacker could entice a user or automated system to process + specially crafted input with the special escapes processing enabled + using the "-e" option, possibly resulting in the execution of arbitrary + code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All enscript users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/enscript-1.6.4-r4" +
+ + CVE-2008-3863 + CVE-2008-4306 + + + rbu + + + rbu + + + rbu + +
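Review bot: The workaround section says there is no known workaround, yet the impact section in this same hunk states the overflows are only reachable when special-escape processing is enabled via the "-e" option; if that is accurate, not passing `-e`/`--escapes` when converting untrusted input is a workaround and the advisory should say so. A more useful workaround line would be `Do not enable special escape processing (the -e or --escapes option) when processing untrusted input.` Worth confirming against the upstream report that no other code path reaches read_special_escape() before publishing that claim.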
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-03.xml b/xml/htdocs/security/en/glsa/glsa-200812-03.xml new file mode 100644 index 00000000..8918975e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-03.xml @@ -0,0 +1,78 @@ + + + + + + + IPsec-Tools: racoon Denial of Service + + IPsec-Tools' racoon is affected by a remote Denial of Service + vulnerability. + + ipsec-tools + December 02, 2008 + December 02, 2008: 01 + 232831 + remote + + + 0.7.1 + 0.7.1 + + + +

+ IPsec-Tools is a port of KAME's implementation of the IPsec utilities. + It contains a collection of network monitoring tools, including racoon, + ping, and ping6. +

+
+ +

+ Two Denial of Service vulnerabilities have been reported in racoon: +

+
    +
  • + The vendor reported a memory leak in racoon/proposal.c that can be + triggered via invalid proposals (CVE-2008-3651). +
  • +
  • + Krzysztof Piotr Oledzk reported that src/racoon/handler.c does not + remove an "orphaned ph1" (phase 1) handle when it has been initiated + remotely (CVE-2008-3652). +
  • +
+
+ +

+ An attacker could exploit these vulnerabilities to cause a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All IPsec-Tools users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-firewall/ipsec-tools-0.7.1" +
+ + CVE-2008-3651 + CVE-2008-3652 + + + rbu + + + rbu + + + rbu + +
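Review bot: The background text in this hunk describes IPsec-Tools as "a collection of network monitoring tools, including racoon, ping, and ping6", which misdescribes the package: racoon is the IKE key-management daemon, and ping/ping6 are not shipped by ipsec-tools. A more accurate background line would be `IPsec-Tools is a port of KAME's IPsec utilities to Linux, containing the IKE daemon racoon and the SPD/SAD management tool setkey.` The reporter's name in the second description item also appears truncated ("Oledzk"); check the credit against the upstream advisory before publishing.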
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-04.xml b/xml/htdocs/security/en/glsa/glsa-200812-04.xml new file mode 100644 index 00000000..2eb97a2f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-04.xml @@ -0,0 +1,82 @@ + + + + + + + lighttpd: Multiple vulnerabilities + + Multiple vulnerabilities in lighttpd may lead to information disclosure or + a Denial of Service. + + lighttpd + December 02, 2008 + December 02, 2008: 01 + 238180 + remote + + + 1.4.20 + 1.4.20 + + + +

+ lighttpd is a lightweight high-performance web server. +

+
+ +

+ Multiple vulnerabilities have been reported in lighttpd: +

+
    +
  • + Qhy reported a memory leak in the http_request_parse() function in + request.c (CVE-2008-4298). +
  • +
  • + Gaetan Bisson reported that URIs are not decoded before applying + url.redirect and url.rewrite rules (CVE-2008-4359). +
  • +
  • + Anders1 reported that mod_userdir performs case-sensitive comparisons + on filename components in configuration options, which is insufficient + when case-insensitive filesystems are used (CVE-2008-4360). +
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities to cause a Denial + of Service, to bypass intended access restrictions, to obtain sensitive + information, or to possibly modify data. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All lighttpd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.20" +
+ + CVE-2008-4298 + CVE-2008-4359 + CVE-2008-4360 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-05.xml b/xml/htdocs/security/en/glsa/glsa-200812-05.xml new file mode 100644 index 00000000..a7c7e26b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-05.xml @@ -0,0 +1,67 @@ + + + + + + + libsamplerate: User-assisted execution of arbitrary code + + A buffer overflow vulnerability in libsamplerate might lead to the + execution of arbitrary code. + + libsamplerate + December 02, 2008 + December 02, 2008: 01 + 237037 + remote + + + 0.1.4 + 0.1.4 + + + +

+ Secret Rabbit Code (aka libsamplerate) is a Sample Rate Converter for + audio. +

+
+ +

+ Russell O'Connor reported a buffer overflow in src/src_sinc.c related + to low conversion ratios. +

+
+ +

+ A remote attacker could entice a user or automated system to process a + specially crafted audio file possibly leading to the execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libsamplerate users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libsamplerate-0.1.4" +
+ + CVE-2008-5008 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-06.xml b/xml/htdocs/security/en/glsa/glsa-200812-06.xml new file mode 100644 index 00000000..4073884f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-06.xml @@ -0,0 +1,99 @@ + + + + + + + libxml2: Multiple vulnerabilities + + Multiple vulnerabilities in libxml2 might lead to execution of arbitrary + code or Denial of Service. + + libxml2 + December 02, 2008 + December 02, 2008: 01 + 234099 + 237806 + 239346 + 245960 + remote + + + 2.7.2-r1 + 2.7.2-r1 + + + +

+ libxml2 is the XML (eXtended Markup Language) C parser and toolkit + initially developed for the Gnome project. +

+
+ +

+ Multiple vulnerabilities were reported in libxml2: +

+
    +
  • + Andreas Solberg reported that libxml2 does not properly detect + recursion during entity expansion in an attribute value + (CVE-2008-3281). +
  • +
  • + A heap-based buffer overflow has been reported in the + xmlParseAttValueComplex() function in parser.c (CVE-2008-3529). +
  • +
  • + Christian Weiske reported that predefined entity definitions in + entities are not properly handled (CVE-2008-4409). +
  • +
  • + Drew Yao of Apple Product Security reported an integer overflow in the + xmlBufferResize() function that can lead to an infinite loop + (CVE-2008-4225). +
  • +
  • + Drew Yao of Apple Product Security reported an integer overflow in the + xmlSAX2Characters() function leading to a memory corruption + (CVE-2008-4226). +
  • +
+
+ +

+ A remote attacker could entice a user or automated system to open a + specially crafted XML document with an application using libxml2, + possibly resulting in the exeution of arbitrary code or a high CPU and + memory consumption. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libxml2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.7.2-r1" +
+ + CVE-2008-3281 + CVE-2008-3529 + CVE-2008-4409 + CVE-2008-4225 + CVE-2008-4226 + + + keytoaster + + + rbu + + + rbu + +
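Review bot: The background section in this hunk expands XML as "eXtended Markup Language"; the correct expansion is "eXtensible Markup Language", and the impact section misspells "execution" as "exeution". These are public advisory texts, so the wording should be fixed before they are served: `libxml2 is the XML (eXtensible Markup Language) C parser and toolkit initially developed for the Gnome project.` and `possibly resulting in the execution of arbitrary code or a high CPU and memory consumption.`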
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-07.xml b/xml/htdocs/security/en/glsa/glsa-200812-07.xml new file mode 100644 index 00000000..2fc8dbd3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-07.xml @@ -0,0 +1,88 @@ + + + + + + + Mantis: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Mantis, the most severe of + which leading to the remote execution of arbitrary code. + + mantisbt + December 02, 2008 + December 02, 2008: 01 + 238570 + 241940 + 242722 + remote + + + 1.1.4-r1 + 1.1.4-r1 + + + +

+ Mantis is a PHP/MySQL/Web based bugtracking system. +

+
+ +

+ Multiple issues have been reported in Mantis: +

+
    +
  • + EgiX reported that manage_proj_page.php does not correctly sanitize the + sort parameter before passing it to create_function() in + core/utility_api.php (CVE-2008-4687). +
  • +
  • + Privileges of viewers are not sufficiently checked before composing a + link with issue data in the source anchor (CVE-2008-4688). +
  • +
  • + Mantis does not unset the session cookie during logout (CVE-2008-4689). +
  • +
  • + Mantis does not set the secure flag for the session cookie in an HTTPS + session (CVE-2008-3102). +
  • +
+
+ +

+ Remote unauthenticated attackers could exploit these vulnerabilities to + execute arbitrary PHP commands, disclose sensitive issue data, or + hijack a user's sessions. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mantis users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/mantisbt-1.1.4-r1" +
+ + CVE-2008-3102 + CVE-2008-4687 + CVE-2008-4688 + CVE-2008-4689 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-08.xml b/xml/htdocs/security/en/glsa/glsa-200812-08.xml new file mode 100644 index 00000000..3f7fdd3f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-08.xml @@ -0,0 +1,66 @@ + + + + + + + Mgetty: Insecure temporary file usage + + Mgetty uses temporary files in an insecure manner, allowing for symlink + attacks. + + mgetty + December 06, 2008 + December 23, 2008: 02 + 235806 + local + + + 1.1.36-r3 + 1.1.36-r3 + + + +

+ Mgetty is a set of fax and voice modem programs. +

+
+ +

+ Dmitry E. Oboukhov reported that the "spooldir" directory in + fax/faxspool.in is created in an insecure manner. +

+
+ +

+ A local attacker could exploit this vulnerability to overwrite + arbitrary files with the privileges of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Mgetty users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dialup/mgetty-1.1.36-r3" +
+ + CVE-2008-4936 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-09.xml b/xml/htdocs/security/en/glsa/glsa-200812-09.xml new file mode 100644 index 00000000..09f10f26 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-09.xml @@ -0,0 +1,71 @@ + + + + + + + OpenSC: Insufficient protection of smart card PIN + + Smart cards formatted using OpenSC do not sufficiently protect the PIN, + allowing attackers to reset it. + + opensc + December 10, 2008 + December 10, 2008: 01 + 233543 + local + + + 0.11.6 + 0.11.6 + + + +

+ OpenSC is a smart card application that allows reading and writing via + PKCS#11. +

+
+ +

+ Chaskiel M Grundman reported that OpenSC uses weak permissions (ADMIN + file control information of 00) for the 5015 directory on smart cards + and USB crypto tokens running Siemens CardOS M4. +

+
+ +

+ A physically proximate attacker can exploit this vulnerability to + change the PIN on a smart card and use it for authentication, leading + to privilege escalation. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSC users should upgrade to the latest version, and then check + and update their smart cards: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/opensc-0.11.6" + # pkcs15-tool --test-update + # pkcs15-tool --test-update --update +
+ + CVE-2008-2235 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-10.xml b/xml/htdocs/security/en/glsa/glsa-200812-10.xml new file mode 100644 index 00000000..1d4daac8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-10.xml @@ -0,0 +1,66 @@ + + + + + + + Archive::Tar: Directory traversal vulnerability + + A directory traversal vulnerability has been discovered in Archive::Tar. + + Archive-Tar + December 10, 2008 + December 10, 2008: 01 + 192989 + remote + + + 1.40 + 1.40 + + + +

+ Archive::Tar is a Perl module for creation and manipulation of tar + files. +

+
+ +

+ Jonathan Smith of rPath reported that Archive::Tar does not check for + ".." in file names. +

+
+ +

+ A remote attacker could entice a user or automated system to extract a + specially crafted tar archive, overwriting files at arbitrary locations + outside of the specified directory. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Archive::Tar users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=perl-core/Archive-Tar-1.40" +
+ + CVE-2007-4829 + + + rbu + + + rbu + + + rbu + +
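Review bot: The description in this hunk mentions only ".." components, but tar path traversal has a second classic vector, archive members with absolute names (a leading "/"), and an extraction routine that only rejects ".." still overwrites arbitrary files through those. If the fixed Archive::Tar version handles both, the description should say so, e.g. `Archive::Tar does not check for ".." components or absolute paths in member file names.`; if it does not, the advisory's resolution is incomplete and that should be verified against upstream before publishing.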
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-11.xml b/xml/htdocs/security/en/glsa/glsa-200812-11.xml new file mode 100644 index 00000000..29ed121f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-11.xml @@ -0,0 +1,83 @@ + + + + + + + CUPS: Multiple vulnerabilities + + Several remotely exploitable bugs have been found in CUPS, which allow + remote execution of arbitrary code. + + cups + December 10, 2008 + December 10, 2008: 01 + 238976 + 249727 + remote + + + 1.3.9-r1 + 1.3.9-r1 + + + +

+ CUPS is the Common Unix Printing System. +

+
+ +

+ Several buffer overflows were found in: +

+
    +
  • + The read_rle16 function in imagetops (CVE-2008-3639, found by + regenrecht, reported via ZDI) +
  • +
  • + The WriteProlog function in texttops (CVE-2008-3640, found by + regenrecht, reported via ZDI) +
  • +
  • + The Hewlett-Packard Graphics Language (HPGL) filter (CVE-2008-3641, + found by regenrecht, reported via iDefense) +
  • +
  • + The _cupsImageReadPNG function (CVE-2008-5286, reported by iljavs) +
  • +
+
+ +

+ A remote attacker could send specially crafted input to a vulnerable + server, resulting in the remote execution of arbitrary code with the + privileges of the user running the server. +

+
+ +

+ None this time. +

+
+ +

+ All CUPS users should upgrade to the latest version. +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/cups-1.3.9-r1" +
+ + CVE-2008-3639 + CVE-2008-3640 + CVE-2008-3641 + CVE-2008-5286 + + + craig + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-12.xml b/xml/htdocs/security/en/glsa/glsa-200812-12.xml new file mode 100644 index 00000000..66789b7f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-12.xml @@ -0,0 +1,65 @@ + + + + + + + Honeyd: Insecure temporary file creation + + An insecure temporary file usage has been reported in Honeyd, possibly + leading to symlink attacks. + + honeyd + December 12, 2008 + December 12, 2008: 01 + 237481 + local + + + 1.5c-r1 + 1.5c-r1 + + + +

+ Honeyd is a small daemon that creates virtual hosts on a network. +

+
+ +

+ Dmitry E. Oboukhov reported an insecure temporary file usage within the + "test.sh" script. +

+
+ +

+ A local attacker could perform symlink attacks and overwrite arbitrary + files with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Honeyd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/honeyd-1.5c-r1" +
+ + CVE-2008-3928 + + + keytoaster + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-13.xml b/xml/htdocs/security/en/glsa/glsa-200812-13.xml new file mode 100644 index 00000000..5de43c50 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-13.xml @@ -0,0 +1,85 @@ + + + + + + + OpenOffice.org: Multiple vulnerabilities + + Multiple vulnerabilities in OpenOffice.org might allow for user-assisted + execution of arbitrary code or symlink attacks. + + openoffice openoffice-bin + December 12, 2008 + December 12, 2008: 01 + 235824 + 244995 + local, remote + + + 3.0.0 + 3.0.0 + + + 3.0.0 + 3.0.0 + + + +

+ OpenOffice.org is an open source office productivity suite, including + word processing, spreadsheet, presentation, drawing, data charting, + formula editing, and file conversion facilities. +

+
+ +

+ Two heap-based buffer overflows when processing WMF files + (CVE-2008-2237) and EMF files (CVE-2008-2238) were discovered. Dmitry + E. Oboukhov also reported an insecure temporary file usage within the + senddoc script (CVE-2008-4937). +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + document, resulting in the remote execution of arbitrary code. A local + attacker could perform symlink attacks to overwrite arbitrary files on + the system. Both cases happen with the privileges of the user running + the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenOffice.org users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-3.0.0" +

+ All OpenOffice.org binary users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-3.0.0" +
+ + CVE-2008-2237 + CVE-2008-2238 + CVE-2008-4937 + + + keytoaster + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-14.xml b/xml/htdocs/security/en/glsa/glsa-200812-14.xml new file mode 100644 index 00000000..ea92aa68 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-14.xml @@ -0,0 +1,66 @@ + + + + + + + aview: Insecure temporary file usage + + An insecure temporary file usage has been reported in aview, leading to + symlink attacks. + + aview + December 14, 2008 + December 14, 2008: 01 + 235808 + local + + + 1.3.0_rc1-r1 + 1.3.0_rc1-r1 + + + +

+ aview is an ASCII image viewer and animation player. +

+
+ +

+ Dmitry E. Oboukhov reported that aview uses the "/tmp/aview$$.pgm" file + in an insecure manner when processing files. +

+
+ +

+ A local attacker could perform symlink attacks to overwrite arbitrary + files on the system with the privileges of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All aview users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/aview-1.3.0_rc1-r1" +
+ + CVE-2008-4935 + + + keytoaster + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-15.xml b/xml/htdocs/security/en/glsa/glsa-200812-15.xml new file mode 100644 index 00000000..b1239c9c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-15.xml @@ -0,0 +1,73 @@ + + + + + + + POV-Ray: User-assisted execution of arbitrary code + + POV-Ray includes a version of libpng that might allow for the execution of + arbitrary code when reading a specially crafted PNG file + + povray + December 14, 2008 + December 14, 2008: 01 + 153538 + local + + + 3.6.1-r4 + 3.6.1-r4 + + + +

+ POV-Ray is a well known open-source ray tracer. +

+
+ +

+ POV-Ray uses a statically linked copy of libpng to view and output PNG + files. The version shipped with POV-Ray is vulnerable to CVE-2008-3964, + CVE-2008-1382, CVE-2006-3334, CVE-2006-0481, CVE-2004-0768. A bug in + POV-Ray's build system caused it to load the old version when your + installed copy of libpng was >=media-libs/libpng-1.2.10. +

+
+ +

+ An attacker could entice a user to load a specially crafted PNG file as + a texture, resulting in the execution of arbitrary code with the + permissions of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All POV-Ray users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/povray-3.6.1-r4" +
+ + CVE-2004-0768 + CVE-2006-0481 + CVE-2006-3334 + CVE-2008-1382 + CVE-2008-3964 + + + mabi + + + mabi + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-16.xml b/xml/htdocs/security/en/glsa/glsa-200812-16.xml new file mode 100644 index 00000000..36f381b5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-16.xml @@ -0,0 +1,83 @@ + + + + + + + Dovecot: Multiple vulnerabilities + + Multiple vulnerabilities were found in the Dovecot mailserver. + + dovecot + December 14, 2008 + December 14, 2008: 01 + 240409 + 244962 + 245316 + remote + + + 1.1.7-r1 + 1.1.7-r1 + + + +

+ Dovecot is an IMAP and POP3 server written with security primarily in + mind. +

+
+ +

+ Several vulnerabilities were found in Dovecot: +

+
    +
  • The "k" + right in the acl_plugin does not work as expected (CVE-2008-4577, + CVE-2008-4578)
  • +
  • The dovecot.conf is world-readable, providing + improper protection for the ssl_key_password setting + (CVE-2008-4870)
  • +
  • A permanent Denial of Service with broken mail + headers is possible (CVE-2008-4907)
  • +
+
+ +

+ These vulnerabilities might allow a remote attacker to cause a Denial + of Service, to circumvent security restrictions or allow local + attackers to disclose the passphrase of the SSL private key. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Dovecot users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.1.7-r1" +

+ Users should be aware that dovecot.conf will still be world-readable + after the update. If employing ssl_key_password, it should not be used + in dovecot.conf but in a separate file which should be included with + "include_try". +

+
+ + CVE-2008-4577 + CVE-2008-4578 + CVE-2008-4870 + CVE-2008-4907 + + + craig + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-17.xml b/xml/htdocs/security/en/glsa/glsa-200812-17.xml new file mode 100644 index 00000000..d7c769ce --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-17.xml @@ -0,0 +1,122 @@ + + + + + + + Ruby: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Ruby that allow for + attacks including arbitrary code execution and Denial of Service. + + ruby + December 16, 2008 + December 16, 2008: 01 + 225465 + 236060 + remote + + + 1.8.6_p287-r1 + 1.8.6_p287-r1 + + + +

+ Ruby is an interpreted object-oriented programming language. The + elaborate standard library includes an HTTP server ("WEBRick") and a + class for XML parsing ("REXML"). +

+
+ +

+ Multiple vulnerabilities have been discovered in the Ruby interpreter + and its standard libraries. Drew Yao of Apple Product Security + discovered the following flaws: +

+
    +
  • Arbitrary code execution + or Denial of Service (memory corruption) in the rb_str_buf_append() + function (CVE-2008-2662).
  • +
  • Arbitrary code execution or Denial + of Service (memory corruption) in the rb_ary_stor() function + (CVE-2008-2663).
  • +
  • Memory corruption via alloca in the + rb_str_format() function (CVE-2008-2664).
  • +
  • Memory corruption + ("REALLOC_N") in the rb_ary_splice() and rb_ary_replace() functions + (CVE-2008-2725).
  • +
  • Memory corruption ("beg + rlen") in the + rb_ary_splice() and rb_ary_replace() functions (CVE-2008-2726).
  • +

+ Furthermore, several other vulnerabilities have been reported: +

+
    +
  • Tanaka Akira reported an issue with resolv.rb that enables + attackers to spoof DNS responses (CVE-2008-1447).
  • +
  • Akira Tagoh + of RedHat discovered a Denial of Service (crash) issue in the + rb_ary_fill() function in array.c (CVE-2008-2376).
  • +
  • Several + safe level bypass vulnerabilities were discovered and reported by Keita + Yamaguchi (CVE-2008-3655).
  • +
  • Christian Neukirchen is credited + for discovering a Denial of Service (CPU consumption) attack in the + WEBRick HTTP server (CVE-2008-3656).
  • +
  • A fault in the dl module + allowed the circumvention of taintness checks which could possibly lead + to insecure code execution was reported by "sheepman" + (CVE-2008-3657).
  • +
  • Tanaka Akira again found a DNS spoofing + vulnerability caused by the resolv.rb implementation using poor + randomness (CVE-2008-3905).
  • +
  • Luka Treiber and Mitja Kolsek + (ACROS Security) disclosed a Denial of Service (CPU consumption) + vulnerability in the REXML module when dealing with recursive entity + expansion (CVE-2008-3790).
  • +
+
+ +

+ These vulnerabilities allow remote attackers to execute arbitrary code, + spoof DNS responses, bypass Ruby's built-in security and taintness + checks, and cause a Denial of Service via crash or CPU exhaustion. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ruby users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.6_p287-r1" +
+ + CVE-2008-1447 + CVE-2008-2376 + CVE-2008-2662 + CVE-2008-2663 + CVE-2008-2664 + CVE-2008-2725 + CVE-2008-2726 + CVE-2008-3655 + CVE-2008-3656 + CVE-2008-3657 + CVE-2008-3790 + CVE-2008-3905 + + + keytoaster + + + hoffie + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-18.xml b/xml/htdocs/security/en/glsa/glsa-200812-18.xml new file mode 100644 index 00000000..f8a50316 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-18.xml @@ -0,0 +1,80 @@ + + + + + + + JasPer: User-assisted execution of arbitrary code + + Multiple memory management errors in JasPer might lead to execution of + arbitrary code via jpeg2k files. + + jasper + December 16, 2008 + December 16, 2008: 01 + 222819 + remote + + + 1.900.1-r3 + 1.900.1-r3 + + + +

+ The JasPer Project is an open-source initiative to provide a free + software-based reference implementation of the codec specified in the + JPEG-2000 Part-1 (jpeg2k) standard. +

+
+ +

+ Marc Espie and Christian Weisgerber have discovered multiple + vulnerabilities in JasPer: +

+
    +
  • + Multiple integer overflows might allow for insufficient memory + allocation, leading to heap-based buffer overflows (CVE-2008-3520). +
  • +
  • + The jas_stream_printf() function in libjasper/base/jas_stream.c uses + vsprintf() to write user-provided data to a static to a buffer, leading + to an overflow (CVE-2008-3522). +
  • +
+
+ +

+ Remote attackers could entice a user or automated system to process + specially crafted jpeg2k files with an application using JasPer, + possibly leading to the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All JasPer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/jasper-1.900.1-r3" +
+ + CVE-2008-3520 + CVE-2008-3522 + + + keytoaster + + + keytoaster + + + p-y + +
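Review bot: The second bullet of the description reads "to write user-provided data to a static to a buffer", which garbles the sentence describing CVE-2008-3522; it should read `uses vsprintf() to write user-provided data to a static buffer, leading to an overflow`. Since the description is what readers use to judge the severity of the jas_stream_printf() issue, the wording should be fixed before the advisory is published.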
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-19.xml b/xml/htdocs/security/en/glsa/glsa-200812-19.xml new file mode 100644 index 00000000..c01543ac --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-19.xml @@ -0,0 +1,75 @@ + + + + + + + PowerDNS: Multiple vulnerabilities + + Two vulnerabilities have been discovered in PowerDNS, possibly leading to a + Denial of Service and easing cache poisoning attacks. + + pdns + December 19, 2008 + December 19, 2008: 01 + 234032 + 247079 + remote + + + 2.9.21.2 + 2.9.21.2 + + + +

+ The PowerDNS Nameserver is an authoritative-only nameserver which uses + a flexible backend architecture. +

+
+ +

+ Daniel Drown reported an error when receiving a HINFO CH query + (CVE-2008-5277). Brian J. Dowling of Simplicity Communications + discovered a previously unknown security implication of the PowerDNS + behavior to not respond to certain queries it considers malformed + (CVE-2008-3337). +

+
+ +

+ A remote attacker could send specially crafted queries to cause a + Denial of Service. The second vulnerability in itself does not pose a + security risk to PowerDNS Nameserver. However, not answering a query + for an invalid DNS record within a valid domain allows for a larger + spoofing window on third-party nameservers for domains being hosted by + PowerDNS Nameserver itself. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PowerDNS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/pdns-2.9.21.2" +
+ + CVE-2008-3337 + CVE-2008-5277 + + + p-y + + + p-y + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-20.xml b/xml/htdocs/security/en/glsa/glsa-200812-20.xml new file mode 100644 index 00000000..7e174a8f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-20.xml @@ -0,0 +1,88 @@ + + + + + + + phpCollab: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in phpCollab allowing for + remote injection of shell commands, PHP code and SQL statements. + + phpcollab + December 21, 2008 + December 21, 2008: 01 + 235052 + remote + + + 2.5_rc3 + + + +

+ phpCollab is a web-enabled groupware and project management software + written in PHP. It uses SQL-based database backends. +

+
+ +

+ Multiple vulnerabilities have been found in phpCollab: +

+
    +
  • rgod reported that data sent to general/sendpassword.php via the + loginForm parameter is not properly sanitized before being used in an + SQL statement (CVE-2006-1495).
  • +
  • Christian Hoffmann of Gentoo + Security discovered multiple vulnerabilites where input is + insufficiently sanitized before being used in an SQL statement, for + instance in general/login.php via the loginForm parameter. + (CVE-2008-4303).
  • +
  • Christian Hoffmann also found out that the + variable $SSL_CLIENT_CERT in general/login.php is not properly + sanitized before being used in a shell command. (CVE-2008-4304).
  • +
  • User-supplied data to installation/setup.php is not checked before + being written to include/settings.php which is executed later. This + issue was reported by Christian Hoffmann as well (CVE-2008-4305).
  • +
+
+ +

+ These vulnerabilities enable remote attackers to execute arbitrary SQL + statements and PHP code. NOTE: Some of the SQL injection + vulnerabilities require the php.ini option "magic_quotes_gpc" to be + disabled. Furthermore, an attacker might be able to execute arbitrary + shell commands if "register_globals" is enabled, "magic_quotes_gpc" is + disabled, the PHP OpenSSL extension is not installed or loaded and the + file "installation/setup.php" has not been deleted after installation. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ phpCollab has been removed from the Portage tree. We recommend that + users unmerge phpCollab: +

+ + # emerge --unmerge "www-apps/phpcollab" +
+ + CVE-2006-1495 + CVE-2008-4303 + CVE-2008-4304 + CVE-2008-4305 + + + rbu + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-21.xml b/xml/htdocs/security/en/glsa/glsa-200812-21.xml new file mode 100644 index 00000000..1506ce51 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-21.xml @@ -0,0 +1,73 @@ + + + + + + + ClamAV: Multiple vulnerabilities + + Two vulnerabilities in ClamAV may allow for the remote execution of + arbitrary code or a Denial of Service. + + clamav + December 23, 2008 + December 23, 2008: 01 + 245450 + 249833 + remote + + + 0.94.2 + 0.94.2 + + + +

+ Clam AntiVirus is a free anti-virus toolkit for UNIX, designed + especially for e-mail scanning on mail gateways. +

+
+ +

+ Moritz Jodeit reported an off-by-one error within the + get_unicode_name() function in libclamav/vba_extract.c when processing + VBA project files (CVE-2008-5050). Ilja van Sprundel reported an + infinite recursion error within the cli_check_jpeg_exploit() function + in libclamav/special.c when processing JPEG files (CVE-2008-5314). +

+
+ +

+ A remote attacker could send a specially crafted VBA or JPEG file to + the clamd daemon, possibly resulting in the remote execution of + arbitrary code with the privileges of the user running the application + or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ClamAV users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.94.2" +
+ + CVE-2008-5050 + CVE-2008-5314 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-22.xml b/xml/htdocs/security/en/glsa/glsa-200812-22.xml new file mode 100644 index 00000000..bfd8f88d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-22.xml @@ -0,0 +1,66 @@ + + + + + + + Ampache: Insecure temporary file usage + + An insecure temporary file usage has been reported in Ampache, allowing for + symlink attacks. + + ampache + December 23, 2008 + December 23, 2008: 01 + 237483 + local + + + 3.4.3 + 3.4.3 + + + +

+ Ampache is a PHP based tool for managing, updating and playing audio + files via a web interface. +

+
+ +

+ Dmitry E. Oboukhov reported an insecure temporary file usage within the + gather-messages.sh script. +

+
+ +

+ A local attacker could perform symlink attacks to overwrite arbitrary + files with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ampache users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/ampache-3.4.3" +
+ + CVE-2008-3929 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-23.xml b/xml/htdocs/security/en/glsa/glsa-200812-23.xml new file mode 100644 index 00000000..133d969c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-23.xml @@ -0,0 +1,67 @@ + + + + + + + Imlib2: User-assisted execution of arbitrary code + + A buffer overflow vulnerability has been discovered in Imlib2. + + imlib2 + December 23, 2008 + December 23, 2008: 01 + 248057 + remote + + + 1.4.2-r1 + 1.4.2-r1 + + + +

+ Imlib2 is replacement library from the Enlightenment project for + libraries like libXpm. +

+
+ +

+ Julien Danjou reported a pointer arithmetic error and a heap-based + buffer overflow within the load() function of the XPM image loader. +

+
+ +

+ A remote attacker could entice a user to process a specially crafted + XPM image, possibly resulting in the remote execution of arbitrary code + with the privileges of the user running the application, or a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Imlib2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/imlib2-1.4.2-r1" +
+ + CVE-2008-5187 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200812-24.xml b/xml/htdocs/security/en/glsa/glsa-200812-24.xml new file mode 100644 index 00000000..793a1734 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200812-24.xml @@ -0,0 +1,82 @@ + + + + + + + VLC: Multiple vulnerabilities + + Multiple vulnerabilities in VLC may lead to the remote execution of + arbitrary code. + + vlc + December 24, 2008 + December 24, 2008: 01 + 245774 + 249391 + remote + + + 0.9.8a + 0.9.8a + + + +

+ VLC is a cross-platform media player and streaming server. +

+
+ +

+ Tobias Klein reported the following vulnerabilities: +

+
    +
  • A + stack-based buffer overflow when processing CUE image files in + modules/access/vcd/cdrom.c (CVE-2008-5032).
  • +
  • A stack-based + buffer overflow when processing RealText (.rt) subtitle files in the + ParseRealText() function in modules/demux/subtitle.c + (CVE-2008-5036).
  • +
  • An integer overflow when processing RealMedia + (.rm) files in the ReadRealIndex() function in real.c in the Real + demuxer plugin, leading to a heap-based buffer overflow + (CVE-2008-5276).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted CUE + image file, RealMedia file or RealText subtitle file, possibly + resulting in the execution of arbitrary code with the privileges of the + user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All VLC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/vlc-0.9.8a" +
+ + CVE-2008-5032 + CVE-2008-5036 + CVE-2008-5276 + + + keytoaster + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-01.xml b/xml/htdocs/security/en/glsa/glsa-200901-01.xml new file mode 100644 index 00000000..b0c27606 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200901-01.xml @@ -0,0 +1,67 @@ + + + + + + + NDISwrapper: Arbitrary remote code execution + + Multiple buffer overflows might lead to remote execution of arbitrary code + with root privileges. + + ndiswrapper + January 11, 2009 + January 11, 2009: 01 + 239371 + remote + + + 1.53-r1 + 1.53-r1 + + + +

+ NDISwrapper is a Linux kernel module that enables the use of Microsoft + Windows drivers for wireless network devices. +

+
+ +

+ Anders Kaseorg reported multiple buffer overflows related to long + ESSIDs. +

+
+ +

+ A physically proximate attacker could send packets over a wireless + network that might lead to the execution of arbitrary code with root + privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All NDISwrapper users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/ndiswrapper-1.53-r1" +
+ + CVE-2008-4395 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-02.xml b/xml/htdocs/security/en/glsa/glsa-200901-02.xml new file mode 100644 index 00000000..26540205 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200901-02.xml @@ -0,0 +1,85 @@ + + + + + + + JHead: Multiple vulnerabilities + + Multiple vulnerabilities in JHead might lead to the execution of arbitrary + code or data loss. + + jhead + January 11, 2009 + January 11, 2009: 01 + 242702 + 243238 + remote + + + 2.84-r1 + 2.84-r1 + + + +

+ JHead is an exif jpeg header manipulation tool. +

+
+ +

+ Marc Merlin and John Dong reported multiple vulnerabilities in JHead: +

+
    +
  • + A buffer overflow in the DoCommand() function when processing the cmd + argument and related to potential string overflows (CVE-2008-4575). +
  • +
  • + An insecure creation of a temporary file (CVE-2008-4639). +
  • +
  • + A error when unlinking a file (CVE-2008-4640). +
  • +
  • + Insufficient escaping of shell metacharacters (CVE-2008-4641). +
  • +
+
+ +

+ A remote attacker could possibly execute arbitrary code by enticing a + user or automated system to open a file with a long filename or via + unspecified vectors. It is also possible to trick a user into deleting + or overwriting files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All JHead users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/jhead-2.84-r1" +
+ + CVE-2008-4575 + CVE-2008-4639 + CVE-2008-4640 + CVE-2008-4641 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-03.xml b/xml/htdocs/security/en/glsa/glsa-200901-03.xml new file mode 100644 index 00000000..e50daca0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200901-03.xml @@ -0,0 +1,81 @@ + + + + + + + pdnsd: Denial of Service and cache poisoning + + Two errors in pdnsd allow for Denial of Service and cache poisoning. + + pdnsd + January 11, 2009 + January 11, 2009: 01 + 231285 + remote + + + 1.2.7 + 1.2.7 + + + +

+ pdnsd is a proxy DNS server with permanent caching that is designed to + cope with unreachable DNS servers. +

+
+ +

+ Two issues have been reported in pdnsd: +

+
    +
  • + The p_exec_query() function in src/dns_query.c does not properly handle + many entries in the answer section of a DNS reply, related to a + "dangling pointer bug" (CVE-2008-4194). +
  • +
  • + The default value for query_port_start was set to 0, disabling UDP + source port randomization for outgoing queries (CVE-2008-1447). +
  • +
+
+ +

+ An attacker could exploit the second weakness to poison the cache of + pdnsd and thus spoof DNS traffic, which could e.g. lead to the + redirection of web or mail traffic to malicious sites. The first issue + can be exploited by enticing pdnsd to send a query to a malicious DNS + server, or using the port randomization weakness, and might lead to a + Denial of Service. +

+
+ +

+ Port randomization can be enabled by setting the "query_port_start" + option to 1024 which would resolve the CVE-2008-1447 issue. +

+
+ +

+ All pdnsd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/pdnsd-1.2.7" +
+ + CVE-2008-1447 + CVE-2008-4194 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-04.xml b/xml/htdocs/security/en/glsa/glsa-200901-04.xml new file mode 100644 index 00000000..b7a5f160 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200901-04.xml @@ -0,0 +1,66 @@ + + + + + + + D-Bus: Denial of Service + + An error condition can cause D-Bus to crash. + + dbus + January 11, 2009 + January 11, 2009: 01 + 240308 + local + + + 1.2.3-r1 + 1.2.3-r1 + + + +

+ D-Bus is a daemon providing a framework for applications to communicate + with one another. +

+
+ +

+ schelte reported that the dbus_signature_validate() function can + trigger a failed assertion when processing a message containing a + malformed signature. +

+
+ +

+ A local user could send a specially crafted message to the D-Bus + daemon, leading to a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All D-Bus users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.2.3-r1" +
+ + CVE-2008-3834 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-05.xml b/xml/htdocs/security/en/glsa/glsa-200901-05.xml new file mode 100644 index 00000000..1dcd3213 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200901-05.xml @@ -0,0 +1,69 @@ + + + + + + + Streamripper: Multiple vulnerabilities + + Multiple buffer overflows have been discovered in Streamripper, allowing + for user-assisted execution of arbitrary code. + + streamripper + January 11, 2009 + January 11, 2009: 01 + 249039 + remote + + + 1.64.0 + 1.64.0 + + + +

+ Streamripper is a tool for extracting and recording mp3 files from a + Shoutcast stream. +

+
+ +

+ Stefan Cornelius from Secunia Research reported multiple buffer + overflows in the http_parse_sc_header(), http_get_pls() and + http_get_m3u() functions in lib/http.c when parsing overly long HTTP + headers, or pls and m3u playlists with overly long entries. +

+
+ +

+ A remote attacker could entice a user to connect to a malicious server, + possibly resulting in the remote execution of arbitrary code with the + privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Streamripper users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/streamripper-1.64.0" +
+ + CVE-2008-4829 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-06.xml b/xml/htdocs/security/en/glsa/glsa-200901-06.xml new file mode 100644 index 00000000..b347ddb1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200901-06.xml @@ -0,0 +1,73 @@ + + + + + + + Tremulous: User-assisted execution of arbitrary code + + A buffer overflow vulnerability has been discovered in Tremulous. + + tremulous tremulous-bin + January 11, 2009 + January 11, 2009: 01 + 222119 + remote + + + 1.1.0-r2 + 1.1.0-r2 + + + 1.1.0 + + + +

+ Tremulous is a team-based First Person Shooter game. +

+
+ +

+ It has been reported that Tremulous includes a vulnerable version of + the ioQuake3 engine (GLSA 200605-12, CVE-2006-2236). +

+
+ +

+ A remote attacker could entice a user to connect to a malicious games + server, possibly resulting in the execution of arbitrary code with the + privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Tremulous users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-fps/tremulous-1.1.0-r2" +

+ Note: The binary version of Tremulous has been removed from the Portage + tree. +

+
+ + CVE-2006-2236 + GLSA 200605-12 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-07.xml b/xml/htdocs/security/en/glsa/glsa-200901-07.xml new file mode 100644 index 00000000..e83dcc2c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200901-07.xml @@ -0,0 +1,85 @@ + + + + + + + MPlayer: Multiple vulnerabilities + + Multiple vulnerabilities in MPlayer may lead to the execution of arbitrary + code or a Denial of Service. + + mplayer + January 12, 2009 + January 12, 2009: 01 + 231836 + 239130 + 251017 + remote + + + 1.0_rc2_p28058-r1 + 1.0_rc2_p28058-r1 + + + +

+ MPlayer is a media player including support for a wide range of audio + and video formats. +

+
+ +

+ Multiple vulnerabilities have been reported in MPlayer: +

+
    +
  • A + stack-based buffer overflow was found in the str_read_packet() function + in libavformat/psxstr.c when processing crafted STR files that + interleave audio and video sectors (CVE-2008-3162).
  • +
  • Felipe + Andres Manzano reported multiple integer underflows in the + demux_real_fill_buffer() function in demux_real.c when processing + crafted Real Media files that cause the stream_read() function to read + or write arbitrary memory (CVE-2008-3827).
  • +
  • Tobias Klein + reported a stack-based buffer overflow in the demux_open_vqf() function + in libmpdemux/demux_vqf.c when processing malformed TwinVQ files + (CVE-2008-5616).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted STR, + Real Media, or TwinVQ file to execute arbitrary code or cause a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MPlayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_rc2_p28058-r1 " +
+ + CVE-2008-3162 + CVE-2008-3827 + CVE-2008-5616 + + + rbu + + + keytoaster + + + p-y + +
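Review bot: The emerge command in the resolution section carries a trailing space inside the quoted atom, `">=media-video/mplayer-1.0_rc2_p28058-r1 "`, so a user pasting the command as written passes an atom that ends in whitespace rather than the intended version. The other advisories in this commit quote their atoms without the stray space; this one should read `# emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_rc2_p28058-r1"`.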
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-08.xml b/xml/htdocs/security/en/glsa/glsa-200901-08.xml new file mode 100644 index 00000000..955d3fde --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200901-08.xml @@ -0,0 +1,74 @@ + + + + + + + Online-Bookmarks: Multiple vulnerabilities + + Multiple vulnerabilities have been reported in Online-Bookmarks. + + online-bookmarks + January 12, 2009 + January 12, 2009: 01 + 235053 + remote + + + 0.6.28 + 0.6.28 + + + +

+ Online-Bookmarks is a web-based bookmark management system to store + your bookmarks, favorites and links. +

+
+ +

+ The following vulnerabilities were reported: +

+
  • Authentication bypass when directly requesting certain pages + (CVE-2004-2155).
  • +
  • Insufficient input validation in the login + function in auth.inc (CVE-2006-6358).
  • +
  • Unspecified cross-site + scripting vulnerability (CVE-2006-6359).
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities to bypass + authentication mechanisms, execute arbitrary SQL statements or inject + arbitrary web scripts. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Online-Bookmarks users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/online-bookmarks-0.6.28" +
+ + CVE-2004-2155 + CVE-2006-6358 + CVE-2006-6359 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-09.xml b/xml/htdocs/security/en/glsa/glsa-200901-09.xml new file mode 100644 index 00000000..849447f2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200901-09.xml @@ -0,0 +1,106 @@ + + + + + + + Adobe Reader: User-assisted execution of arbitrary code + + Adobe Reader is vulnerable to execution of arbitrary code. + + acroread + January 13, 2009 + January 13, 2009: 01 + 225483 + remote + + + 8.1.3 + 8.1.3 + + + +

+ Adobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF + reader. +

+
+ +
    +
  • + An unspecified vulnerability can be triggered by a malformed PDF + document, as demonstrated by 2008-HI2.pdf (CVE-2008-2549). +
  • +
  • + Peter Vreugdenhil, Dyon Balding, Will Dormann, Damian Frizza, and Greg + MacManus reported a stack-based buffer overflow in the util.printf + JavaScript function that incorrectly handles the format string argument + (CVE-2008-2992). +
  • +
  • + Greg MacManus of iDefense Labs reported an array index error that can + be leveraged for an out-of-bounds write, related to parsing of Type 1 + fonts (CVE-2008-4812). +
  • +
  • + Javier Vicente Vallejo and Peter Vregdenhil, via Zero Day Initiative, + reported multiple unspecified memory corruption vulnerabilities + (CVE-2008-4813). +
  • +
  • + Thomas Garnier of SkyRecon Systems reported an unspecified + vulnerability in a JavaScript method, related to an "input validation + issue" (CVE-2008-4814). +
  • +
  • + Josh Bressers of Red Hat reported an untrusted search path + vulnerability (CVE-2008-4815). +
  • +
  • + Peter Vreugdenhil reported through iDefense that the Download Manager + can trigger a heap corruption via calls to the AcroJS function + (CVE-2008-4817). +
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted PDF + document, and local attackers could entice a user to run acroread from + an untrusted working directory. Both might result in the execution of + arbitrary code with the privileges of the user running the application, + or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Reader users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/acroread-8.1.3" +
+ + CVE-2008-2549 + CVE-2008-2992 + CVE-2008-4812 + CVE-2008-4813 + CVE-2008-4814 + CVE-2008-4815 + CVE-2008-4817 + + + rbu + + + rbu + + + rbu + +
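Review bot: The reporter credited for CVE-2008-4813 is spelled "Peter Vregdenhil", while the bullets for CVE-2008-2992 and CVE-2008-4817 in the same description spell the name "Peter Vreugdenhil"; one of the two is a typo and the credit should use a single spelling throughout. Since the advisory lists the name three times, the line for CVE-2008-4813 is presumably the one to change to `Javier Vicente Vallejo and Peter Vreugdenhil, via Zero Day Initiative,`.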
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-10.xml b/xml/htdocs/security/en/glsa/glsa-200901-10.xml new file mode 100644 index 00000000..7d55910a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200901-10.xml @@ -0,0 +1,66 @@ + + + + + + + GnuTLS: Certificate validation error + + A certificate validation error in GnuTLS might allow for spoofing attacks. + + gnutls + January 14, 2009 + January 14, 2009: 01 + 245850 + remote + + + 2.4.1-r2 + 2.4.1-r2 + + + +

+ GnuTLS is an open-source implementation of TLS 1.0 and SSL 3.0. +

+
+ +

+ Martin von Gagern reported that the _gnutls_x509_verify_certificate() + function in lib/x509/verify.c trusts certificate chains in which the + last certificate is an arbitrary trusted, self-signed certificate. +

+
+ +

+ A remote attacker could exploit this vulnerability and spoof arbitrary + names to conduct Man-In-The-Middle attacks and intercept sensitive + information. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GnuTLS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.4.1-r2" +
+ + CVE-2008-4989 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-11.xml b/xml/htdocs/security/en/glsa/glsa-200901-11.xml new file mode 100644 index 00000000..ff9bcbcf --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200901-11.xml @@ -0,0 +1,67 @@ + + + + + + + Avahi: Denial of Service + + A Denial of Service vulnerability has been discovered in Avahi. + + avahi + January 14, 2009 + January 14, 2009: 01 + 250913 + remote + + + 0.6.24 + 0.6.24 + + + +

+ Avahi is a system that facilitates service discovery on a local + network. +

+
+ +

+ Hugo Dias reported a failed assertion in the + originates_from_local_legacy_unicast_socket() function in + avahi-core/server.c when processing mDNS packets with a source port of + 0. +

+
+ +

+ A remote attacker could send specially crafted packets to the daemon, + leading to its crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Avahi users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/avahi-0.6.24" +
+ + CVE-2008-5081 + + + craig + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-12.xml b/xml/htdocs/security/en/glsa/glsa-200901-12.xml
new file mode 100644
index 00000000..ab87f86d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200901-12.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ noip-updater: Execution of arbitrary code
+
+ A buffer overflow in noip-updater can lead to arbitrary code execution.
+
+ noip-updater
+ January 18, 2009
+ January 18, 2009: 01
+ 248709
+ remote
+
+
+ 2.1.9
+ 2.1.9
+
+
+
+

+ noip-updater is a tool used for updating IP addresses of dynamic DNS + records at no-ip.com. +

+
+ +

+ xenomuta found out that the GetNextLine() function in noip2.c misses a + length check, leading to a stack-based buffer overflow. +

+
+ +

+ A remote attacker could exploit this vulnerability to execute arbitrary + code by sending a specially crafted HTTP message to the client. NOTE: + Successful exploitation requires a man in the middle attack, a DNS + spoofing attack or a compromise of no-ip.com servers. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All noip-updater users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/noip-updater-2.1.9" +
+ + CVE-2008-5297 + + + keytoaster + + + a3li + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-13.xml b/xml/htdocs/security/en/glsa/glsa-200901-13.xml
new file mode 100644
index 00000000..0debc868
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200901-13.xml
@@ -0,0 +1,95 @@
+
+
+
+
+
+
+ Pidgin: Multiple vulnerabilities
+
+ Multiple vulnerabilities have been discovered in Pidgin, allowing for
+ remote arbitrary code execution, Denial of Service and service spoofing.
+
+ pidgin
+ January 20, 2009
+ January 20, 2009: 01
+ 230045
+ 234135
+ remote
+
+
+ 2.5.1
+ 2.5.1
+
+
+
+

+ Pidgin (formerly Gaim) is an instant messaging client for a variety of + instant messaging protocols. It is based on the libpurple instant + messaging library. +

+
+ +

+ Multiple vulnerabilities have been discovered in Pidgin and the + libpurple library: +

+
  • + A participant to the TippingPoint ZDI reported multiple integer + overflows in the msn_slplink_process_msg() function in the MSN protocol + implementation (CVE-2008-2927). +
  • +
  • + Juan Pablo Lopez Yacubian is credited for reporting a use-after-free + flaw in msn_slplink_process_msg() in the MSN protocol implementation + (CVE-2008-2955). +
  • +
  • + The included UPnP server does not limit the size of data to be + downloaded for UPnP service discovery, according to a report by Andrew + Hunt and Christian Grothoff (CVE-2008-2957). +
  • +
  • + Josh Triplett discovered that the NSS plugin for libpurple does not + properly verify SSL certificates (CVE-2008-3532). +
  • +
+
+ +

+ A remote attacker could send specially crafted messages or files using + the MSN protocol which could result in the execution of arbitrary code + or crash Pidgin. NOTE: Successful exploitation might require the + victim's interaction. Furthermore, an attacker could conduct + man-in-the-middle attacks to obtain sensitive information using bad + certificates and cause memory and disk resources to exhaust. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Pidgin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/pidgin-2.5.1" +
+ + CVE-2008-2927 + CVE-2008-2955 + CVE-2008-2957 + CVE-2008-3532 + + + p-y + + + a3li + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-14.xml b/xml/htdocs/security/en/glsa/glsa-200901-14.xml
new file mode 100644
index 00000000..9660443d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200901-14.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ Scilab: Insecure temporary file usage
+
+ An insecure temporary file usage has been reported in Scilab, allowing for
+ symlink attacks.
+
+ scilab
+ January 21, 2009
+ January 21, 2009: 01
+ 245922
+ local
+
+
+ 4.1.2-r1
+ 4.1.2-r1
+
+
+
+

+ Scilab is a scientific software package for numerical computations. +

+
+ +

+ Dmitry E. Oboukhov reported an insecure temporary file usage within the + scilink, scidoc and scidem scripts. +

+
+ +

+ A local attacker could perform symlink attacks to overwrite arbitrary + files with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Scilab users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-mathematics/scilab-4.1.2-r1" +
+ + CVE-2008-4983 + + + rbu + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200901-15.xml b/xml/htdocs/security/en/glsa/glsa-200901-15.xml
new file mode 100644
index 00000000..394a657f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200901-15.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Net-SNMP: Denial of Service
+
+ A vulnerability in Net-SNMP could lead to a Denial of Service.
+
+ net-snmp
+ January 21, 2009
+ January 21, 2009: 01
+ 245306
+ remote
+
+
+ 5.4.2.1
+ 5.4.2.1
+
+
+
+

+ Net-SNMP is a collection of tools for generating and retrieving SNMP + data. +

+
+ +

+ Oscar Mira-Sanchez reported an integer overflow in the + netsnmp_create_subtree_cache() function in agent/snmp_agent.c when + processing GETBULK requests. +

+
+ +

+ A remote attacker could send a specially crafted request to crash the + SNMP server. NOTE: The attacker needs to know the community string to + exploit this vulnerability. +

+
+ +

+ Restrict access to trusted entities only. +

+
+ +

+ All Net-SNMP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.4.2.1" +
+ + CVE-2008-4309 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200902-01.xml b/xml/htdocs/security/en/glsa/glsa-200902-01.xml
new file mode 100644
index 00000000..19c3d56f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200902-01.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ sudo: Privilege escalation
+
+ A vulnerability in sudo may allow for privilege escalation.
+
+ sudo
+ February 06, 2009
+ February 06, 2009: 01
+ 256633
+ local
+
+
+ 1.7.0
+ 1.7.0
+
+
+
+

+ sudo allows a system administrator to give users the ability to run + commands as other users. +

+
+ +

+ Harald Koenig discovered that sudo incorrectly handles group + specifications in Runas_Alias (and related) entries when a group is + specified in the list (using %group syntax, to allow a user to run + commands as any member of that group) and the user is already a member + of that group. +

+
+ +

+ A local attacker could possibly run commands as an arbitrary system + user (including root). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All sudo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.7.0" +
+ + CVE-2009-0034 + + + keytoaster + + + keytoaster + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200902-02.xml b/xml/htdocs/security/en/glsa/glsa-200902-02.xml
new file mode 100644
index 00000000..9b51c8ef
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200902-02.xml
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+ OpenSSL: Certificate validation error
+
+ An error in the OpenSSL certificate chain validation might allow for
+ spoofing attacks.
+
+ openssl
+ February 12, 2009
+ February 12, 2009: 01
+ 251346
+ remote
+
+
+ 0.9.8j
+ 0.9.8j
+
+
+
+

+ OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer + (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general + purpose cryptography library. +

+
+ +

+ The Google Security Team reported that several functions incorrectly + check the result after calling the EVP_VerifyFinal() function, allowing + a malformed signature to be treated as a good signature rather than as + an error. This issue affects the signature checks on DSA and ECDSA keys + used with SSL/TLS. +

+
+ +

+ A remote attacker could exploit this vulnerability and spoof arbitrary + names to conduct Man-In-The-Middle attacks and intercept sensitive + information. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSSL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8j" +
+ + CVE-2008-5077 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200902-03.xml b/xml/htdocs/security/en/glsa/glsa-200902-03.xml
new file mode 100644
index 00000000..4567cfcd
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200902-03.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ Valgrind: Untrusted search path
+
+ An untrusted search path vulnerability in Valgrind might result in the
+ execution of arbitrary code.
+
+ valgrind
+ February 12, 2009
+ February 12, 2009: 01
+ 245317
+ local
+
+
+ 3.4.0
+ 3.4.0
+
+
+
+

+ Valgrind is an open-source memory debugger. +

+
+ +

+ Tavis Ormandy reported that Valgrind loads a .valgrindrc file in the + current working directory, executing commands specified there. +

+
+ +

+ A local attacker could prepare a specially crafted .valgrindrc file and + entice a user to run Valgrind from the directory containing that file, + resulting in the execution of arbitrary code with the privileges of the + user running Valgrind. +

+
+ +

+ Do not run "valgrind" from untrusted working directories. +

+
+ +

+ All Valgrind users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/valgrind-3.4.0" +
+ + CVE-2008-4865 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200902-04.xml b/xml/htdocs/security/en/glsa/glsa-200902-04.xml
new file mode 100644
index 00000000..4b2a2f13
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200902-04.xml
@@ -0,0 +1,67 @@
+
+
+
+
+
+
+ xterm: User-assisted arbitrary commands execution
+
+ An error in the processing of special sequences in xterm may lead to
+ arbitrary commands execution.
+
+ xterm
+ February 12, 2009
+ February 12, 2009: 01
+ 253155
+ remote
+
+
+ 239
+ 239
+
+
+
+

+ xterm is a terminal emulator for the X Window system. +

+
+ +

+ Paul Szabo reported an insufficient input sanitization when processing + Device Control Request Status String (DECRQSS) sequences. +

+
+ +

+ A remote attacker could entice a user to display a file containing + specially crafted DECRQSS sequences, possibly resulting in the remote + execution of arbitrary commands with the privileges of the user viewing + the file. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xterm users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/xterm-239" +
+ + CVE-2008-2383 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200902-05.xml b/xml/htdocs/security/en/glsa/glsa-200902-05.xml
new file mode 100644
index 00000000..5b6218ce
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200902-05.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ KTorrent: Multiple vulnerabilitites
+
+ Two vulnerabilities in the web interface plugin in KTorrent allow for
+ remote execution of code and arbitrary torrent uploads.
+
+ ktorrent
+ February 23, 2009
+ February 23, 2009: 01
+ 244741
+ remote
+
+
+ 2.2.8
+ 2.2.8
+
+
+
+

+ KTorrent is a BitTorrent program for KDE. +

+
+ +

+ The web interface plugin does not restrict access to the torrent upload + functionality (CVE-2008-5905) and does not sanitize request parameters + properly (CVE-2008-5906) . +

+
+ +

+ A remote attacker could send specially crafted parameters to the web + interface that would allow for arbitrary torrent uploads and remote + code execution with the privileges of the KTorrent process. +

+
+ +

+ Disabling the web interface plugin will prevent exploitation of both + issues. Click "Plugins" in the configuration menu and uncheck the + checkbox left of "WebInterface", then apply the changes. +

+
+ +

+ All KTorrent users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/ktorrent-2.2.8" +
+ + CVE-2008-5905 + CVE-2008-5906 + + + keytoaster + + + craig + + + p-y + +
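Review bot: The title on the `@@` line of this hunk reads `KTorrent: Multiple vulnerabilitites`, a misspelling that becomes the published advisory headline; it should be `KTorrent: Multiple vulnerabilities`. The description also carries a stray space before the full stop in `properly (CVE-2008-5906) .`, which should read `properly (CVE-2008-5906).`.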
diff --git a/xml/htdocs/security/en/glsa/glsa-200902-06.xml b/xml/htdocs/security/en/glsa/glsa-200902-06.xml
new file mode 100644
index 00000000..e0b35a64
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200902-06.xml
@@ -0,0 +1,93 @@
+
+
+
+
+
+
+ GNU Emacs, XEmacs: Multiple vulnerabilities
+
+ Two vulnerabilities were found in GNU Emacs, possibly leading to
+ user-assisted execution of arbitrary code. One also affects edit-utils in
+ XEmacs.
+
+ emacs edit-utils
+ February 23, 2009
+ February 23, 2009: 01
+ 221197
+ 236498
+ remote
+
+
+ 22.2-r3
+ 21.4-r17
+ 19
+ 22.2-r3
+
+
+ 2.39
+ 2.39
+
+
+
+

+ GNU Emacs and XEmacs are highly extensible and customizable text + editors. edit-utils are miscellaneous extensions to XEmacs. +

+
+ +

+ Morten Welinder reports about GNU Emacs and edit-utils in XEmacs: By + shipping a .flc accompanying a source file (.c for example) and setting + font-lock-support-mode to fast-lock-mode in the source file through + local variables, any Lisp code in the .flc file is executed without + warning (CVE-2008-2142). +

+

+ Romain Francoise reported a security risk in a feature of GNU Emacs + related to interacting with Python. The vulnerability arises because + Python, by default, prepends the current directory to the module search + path, allowing for arbitrary code execution when launched from a + specially crafted directory (CVE-2008-3949). +

+
+ +

+ Remote attackers could entice a user to open a specially crafted file + in GNU Emacs, possibly leading to the execution of arbitrary Emacs Lisp + code or arbitrary Python code with the privileges of the user running + GNU Emacs or XEmacs. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GNU Emacs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/emacs-22.2-r3" +

+ All edit-utils users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-xemacs/edit-utils-2.39" +
+ + CVE-2008-2142 + CVE-2008-3949 + + + rbu + + + vorlon + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-01.xml b/xml/htdocs/security/en/glsa/glsa-200903-01.xml
new file mode 100644
index 00000000..140a7489
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-01.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Vinagre: User-assisted execution of arbitrary code
+
+ A format string error in Vinagre may allow for the execution of arbitrary
+ code.
+
+ vinagre
+ March 06, 2009
+ March 06, 2009: 01
+ 250314
+ remote
+
+
+ 0.5.2
+ 0.5.2
+
+
+
+

+ Vinagre is a VNC Client for the GNOME Desktop. +

+
+ +

+ Alfredo Ortega (Core Security Technologies) reported a format string + error in the vinagre_utils_show_error() function in + src/vinagre-utils.c. +

+
+ +

+ A remote attacker could entice a user into opening a specially crafted + .vnc file or connecting to a malicious server, possibly resulting in + the remote execution of arbitrary code with the privileges of the user + running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Vinagre users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/vinagre-0.5.2" +
+ + CVE-2008-5660 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-02.xml b/xml/htdocs/security/en/glsa/glsa-200903-02.xml
new file mode 100644
index 00000000..346cea31
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-02.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ ZNC: Privilege escalation
+
+ A vulnerability in ZNC allows for privilege escalation.
+
+ znc
+ March 06, 2009
+ March 06, 2009: 01
+ 260148
+ remote
+
+
+ 0.066
+ 0.066
+
+
+
+

+ ZNC is an advanced IRC bouncer. +

+
+ +

+ cnu discovered multiple CRLF injection vulnerabilities in ZNC's + webadmin module. +

+
+ +

+ A remote authenticated attacker could modify the znc.conf configuration + file and gain privileges via newline characters in e.g. the QuitMessage + field, and possibly execute arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ZNC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/znc-0.066" +
+ + CVE-2009-0759 + + + keytoaster + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-03.xml b/xml/htdocs/security/en/glsa/glsa-200903-03.xml
new file mode 100644
index 00000000..62372569
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-03.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Audacity: User-assisted execution of arbitrary code
+
+ A boundary error in Audacity allows for the execution of arbitrary code.
+
+ audacity
+ March 06, 2009
+ March 06, 2009: 01
+ 253493
+ remote
+
+
+ 1.3.6
+ 1.3.6
+
+
+
+

+ Audacity is a free cross-platform audio editor. +

+
+ +

+ Houssamix discovered a boundary error in the + String_parse::get_nonspace_quoted() function in + lib-src/allegro/strparse.cpp. +

+
+ +

+ A remote attacker could entice a user into importing a specially + crafted *.gro file, resulting in the execution of arbitrary code or a + Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Audacity users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/audacity-1.3.6" +
+ + CVE-2009-0490 + + + keytoaster + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-04.xml b/xml/htdocs/security/en/glsa/glsa-200903-04.xml
new file mode 100644
index 00000000..f1b07992
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-04.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ DevIL: User-assisted execution of arbitrary code
+
+ Multiple boundary errors in DevIL may allow for the execution of arbitrary
+ code.
+
+ devil
+ March 06, 2009
+ March 06, 2009: 01
+ 255217
+ remote
+
+
+ 1.7.7
+ 1.7.7
+
+
+
+

+ Developer's Image Library (DevIL) is a cross-platform image library. +

+
+ +

+ Stefan Cornelius (Secunia Research) discovered two boundary errors + within the iGetHdrHeader() function in src-IL/src/il_hdr.c. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + Radiance RGBE file, possibly resulting in the execution of arbitrary + code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All DevIL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/devil-1.7.7" +
+ + CVE-2008-5262 + + + keytoaster + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-05.xml b/xml/htdocs/security/en/glsa/glsa-200903-05.xml
new file mode 100644
index 00000000..d2e3a210
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-05.xml
@@ -0,0 +1,77 @@
+
+
+
+
+
+
+ PDFjam: Multiple vulnerabilities
+
+ Multiple vulnerabilities in the PDFjam scripts allow for local privilege
+ escalation.
+
+ pdfjam
+ March 07, 2009
+ March 07, 2009: 01
+ 252734
+ local
+
+
+ 1.20-r1
+ 1.20-r1
+
+
+
+

+ PDFjam is a small collection of shell scripts to edit PDF documents, + including pdfnup, pdfjoin and pdf90. +

+
+ +
    +
  • + Martin Vaeth reported multiple untrusted search path vulnerabilities + (CVE-2008-5843). +
  • +
  • Marcus Meissner of the SUSE Security Team reported that + temporary files are created with a predictable name (CVE-2008-5743). +
  • +

+

+
+ +

+ A local attacker could place a specially crafted Python module in the + current working directory or the /var/tmp directory, and entice a user + to run the PDFjam scripts, leading to the execution of arbitrary code + with the privileges of the user running the application. A local + attacker could also leverage symlink attacks to overwrite arbitrary + files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PDFjam users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/pdfjam-1.20-r1" +
+ + CVE-2008-5843 + CVE-2008-5743 + + + p-y + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-06.xml b/xml/htdocs/security/en/glsa/glsa-200903-06.xml
new file mode 100644
index 00000000..9d172377
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-06.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ nfs-utils: Access restriction bypass
+
+ An error in nfs-utils allows for bypass of the netgroups restriction.
+
+ nfs-utils
+ March 07, 2009
+ March 07, 2009: 01
+ 242696
+ remote
+
+
+ 1.1.3
+ 1.1.3
+
+
+
+

+ nfs-utils contains the client and daemon implementations for the NFS + protocol. +

+
+ +

+ Michele Marcionelli reported that nfs-utils invokes the hosts_ctl() + function with the wrong order of arguments, which causes TCP Wrappers + to ignore netgroups. +

+
+ +

+ A remote attacker could bypass intended access restrictions, i.e. NFS + netgroups, and gain access to restricted services. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All nfs-utils users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/nfs-utils-1.1.3" +
+ + CVE-2008-4552 + + + craig + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-07.xml b/xml/htdocs/security/en/glsa/glsa-200903-07.xml
new file mode 100644
index 00000000..e65a0408
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-07.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ Samba: Data disclosure
+
+ A missing boundary check in Samba might lead to the disclosure of memory
+ contents.
+
+ samba
+ March 07, 2009
+ March 07, 2009: 01
+ 247620
+ remote
+
+
+ 3.0.33
+ 3.0.33
+
+
+
+

+ Samba is a suite of SMB and CIFS client/server programs. +

+
+ +

+ Samba does not properly check memory boundaries when handling trans, + rans2, and nttrans requests. +

+
+ +

+ A remote attacker could send specially crafted requests to a Samba + daemon, leading to the disclosure of arbitrary memory or to a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Samba users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-3.0.33" +
+ + CVE-2008-4314 + + + craig + + + rbu + + + rbu + +
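Review bot: The description in this hunk names the affected request types as `trans, rans2, and nttrans`; `rans2` is not an SMB request and is almost certainly a typo for `trans2`, so the line should read `Samba does not properly check memory boundaries when handling trans, trans2, and nttrans requests.` Unlike the neighbouring advisories, this description also credits no reporter and names no function; if the upstream advisory identifies either, adding it would let readers map the CVE to the affected code path.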
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-08.xml b/xml/htdocs/security/en/glsa/glsa-200903-08.xml
new file mode 100644
index 00000000..da5ee81f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-08.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ gEDA: Insecure temporary file creation
+
+ An insecure temporary file usage has been reported in gEDA, allowing for
+ symlink attacks.
+
+ geda
+ March 07, 2009
+ March 07, 2009: 01
+ 247538
+ local
+
+
+ 1.4.0-r1
+ 1.4.0-r1
+
+
+
+

+ gEDA is an Electronic Design Automation tool used for electrical + circuit design. +

+
+ +

+ Dmitry E. Oboukhov reported an insecure temporary file usage within the + sch2eaglepos.sh script. +

+
+ +

+ A local attacker could perform symlink attacks to overwrite arbitrary + files with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All gEDA users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-electronics/geda-1.4.0-r1" +
+ + CVE-2008-5148 + + + p-y + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-09.xml b/xml/htdocs/security/en/glsa/glsa-200903-09.xml
new file mode 100644
index 00000000..5e656e07
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-09.xml
@@ -0,0 +1,70 @@
+
+
+
+
+
+
+ OpenTTD: Execution of arbitrary code
+
+ Multiple buffer overflows in OpenTTD might allow for the execution of
+ arbitrary code in the server.
+
+ openttd
+ March 07, 2009
+ March 07, 2009: 01
+ 233929
+ remote
+
+
+ 0.6.3
+ 0.6.3
+
+
+
+

+ OpenTTD is a clone of Transport Tycoon Deluxe. +

+
+ +

+ Multiple buffer overflows have been reported in OpenTTD, when storing + long for client names (CVE-2008-3547), in the TruncateString function + in src/gfx.cpp (CVE-2008-3576) and in src/openttd.cpp when processing a + large filename supplied to the "-g" parameter in the ttd_main function + (CVE-2008-3577). +

+
+ +

+ An authenticated attacker could exploit these vulnerabilities to + execute arbitrary code with the privileges of the OpenTTD server. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenTTD users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=games-simulation/openttd-0.6.3" +
+ + CVE-2008-3547 + CVE-2008-3576 + CVE-2008-3577 + + + rbu + + + rbu + + + rbu + +
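Review bot: The first item of the description, `when storing long for client names (CVE-2008-3547)`, drops a word and leaves it unclear what overflows; from the rest of the sentence it appears to mean overly long client names, so `when storing long client names (CVE-2008-3547)` reads correctly. The impact section then says an authenticated attacker can exploit all three issues remotely, but the third one is described as a large filename passed to the `-g` command-line parameter in `ttd_main`, which a network client cannot supply; as written, CVE-2008-3577 looks local-only, and the impact wording should distinguish it from the two network-reachable overflows rather than fold it into the `remote` access claim.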
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-10.xml b/xml/htdocs/security/en/glsa/glsa-200903-10.xml
new file mode 100644
index 00000000..e3d32fab
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-10.xml
@@ -0,0 +1,68 @@
+
+
+
+
+
+
+ Irrlicht: User-assisted execution of arbitrary code
+
+ A buffer overflow might lead to the execution of arbitrary code or a Denial
+ of Service.
+
+ irrlicht
+ March 07, 2009
+ March 07, 2009: 01
+ 252203
+ remote
+
+
+ 1.5
+ 1.5
+
+
+
+

+ The Irrlicht Engine is an open source cross-platform high performance + realtime 3D engine written in C++. +

+
+ +

+ An unspecified component of the B3D loader is vulnerable to a buffer + overflow due to missing boundary checks. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted .irr + file, possibly resulting in the execution of arbitrary code with the + privileges of the user running the application, or a Denial of Service + (crash). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All irrlicht users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-games/irrlicht-1.5" +
+ + CVE-2008-5876 + + + rbu + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-11.xml b/xml/htdocs/security/en/glsa/glsa-200903-11.xml
new file mode 100644
index 00000000..d8c71d98
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-11.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ PyCrypto: Execution of arbitrary code
+
+ A buffer overflow in PyCrypto might lead to the execution of arbitrary code
+ when decrypting using ARC2.
+
+ pycrypto
+ March 09, 2009
+ March 09, 2009: 01
+ 258049
+ remote
+
+
+ 2.0.1-r8
+ 2.0.1-r8
+
+
+
+

+ PyCrypto is the Python Cryptography Toolkit. +

+
+ +

+ Mike Wiacek of the Google Security Team reported a buffer overflow in + the ARC2 module when processing a large ARC2 key length. +

+
+ +

+ A remote attacker could entice a user or automated system to decrypt an + ARC2 stream in an application using PyCrypto, possibly resulting in the + execution of arbitrary code or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PyCrypto users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/pycrypto-2.0.1-r8" +
+ + CVE-2009-0544 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-12.xml b/xml/htdocs/security/en/glsa/glsa-200903-12.xml
new file mode 100644
index 00000000..f7301ea3
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-12.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ OptiPNG: User-assisted execution of arbitrary code
+
+ A vulnerability in OptiPNG might result in user-assisted execution of
+ arbitrary code.
+
+ optipng
+ March 09, 2009
+ March 09, 2009: 01
+ 260265
+ remote
+
+
+ 0.6.2-r1
+ 0.6.2-r1
+
+
+
+

+ OptiPNG is a PNG optimizer that recompresses image files to a smaller + size, without losing any information. +

+
+ +

+ Roy Tam reported a use-after-free vulnerability in the + GIFReadNextExtension() function in lib/pngxtern/gif/gifread.c leading + to a memory corruption when reading a GIF image. +

+
+ +

+ A remote attacker could entice a user to process a specially crafted + GIF image, possibly resulting in the execution of arbitrary code with + the privileges of the user running the application, or a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OptiPNG users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/optipng-0.6.2-r1" +
+ + CVE-2009-0749 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-13.xml b/xml/htdocs/security/en/glsa/glsa-200903-13.xml
new file mode 100644
index 00000000..a424a5ca
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-13.xml
@@ -0,0 +1,65 @@
+
+
+
+
+
+
+ MPFR: Denial of Service
+
+ Multiple buffer overflows in MPFR might lead to a Denial of Service.
+
+ mpfr
+ March 09, 2009
+ March 09, 2009: 01
+ 260968
+ remote
+
+
+ 2.4.1
+ 2.4.1
+
+
+
+

+ MPFR is a library for multiple-precision floating-point computations + with exact rounding. +

+
+ +

+ Multiple buffer overflows have been reported in the mpfr_snprintf() and + mpfr_vsnprintf() functions. +

+
+ +

+ A remote user could exploit the vulnerability to cause a Denial of + Service in an application using MPFR via unknown vectors. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MPRF users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/mpfr-2.4.1" +
+ + CVE-2009-0757 + + + rbu + + + rbu + + + rbu + +
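Review bot: The resolution line `All MPRF users should upgrade to the latest version:` misspells the package name; it should be `All MPFR users should upgrade to the latest version:` to match the title and the `dev-libs/mpfr` atom in the emerge command below it. The impact also says the flaw is reachable "via unknown vectors" while the description already names `mpfr_snprintf()` and `mpfr_vsnprintf()`; presumably an application is exposed only if it feeds attacker-influenced data to those formatting functions, and stating that (if upstream confirms it) would make the exposure easier to assess than "unknown vectors".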
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-14.xml b/xml/htdocs/security/en/glsa/glsa-200903-14.xml
new file mode 100644
index 00000000..5b6a14de
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-14.xml
@@ -0,0 +1,69 @@
+
+
+
+
+
+
+ BIND: Incorrect signature verification
+
+ Incomplete verification of RSA and DSA certificates might lead to spoofed
+ records authenticated using DNSSEC.
+
+ bind
+ March 09, 2009
+ March 09, 2009: 01
+ 254134
+ 257949
+ remote
+
+
+ 9.4.3_p1
+ 9.4.3_p1
+
+
+
+

+ ISC BIND is the Internet Systems Consortium implementation of the + Domain Name System (DNS) protocol. +

+
+ +

+ BIND does not properly check the return value from the OpenSSL + functions to verify DSA (CVE-2009-0025) and RSA (CVE-2009-0265) + certificates. +

+
+ +

+ A remote attacker could bypass validation of the certificate chain to + spoof DNSSEC-authenticated records. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All BIND users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.3_p1" +
+ + CVE-2009-0025 + CVE-2009-0265 + + + p-y + + + rbu + + + rbu + +
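Review bot: The synopsis, description and impact of this hunk talk about RSA and DSA "certificates" and a "certificate chain", but DNSSEC validation in BIND verifies RRSIG signatures against DNSKEY records and involves no certificates; the description's own wording ("check the return value from the OpenSSL functions to verify DSA ... and RSA") and the title "Incorrect signature verification" already say it is about signature checks. Suggested description: `BIND does not properly check the return value from the OpenSSL functions used to verify DSA (CVE-2009-0025) and RSA (CVE-2009-0265) signatures.`, and for the impact `A remote attacker could bypass DNSSEC signature validation to spoof DNSSEC-authenticated records.` The synopsis should likewise read "Incomplete verification of RSA and DSA signatures".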
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-15.xml b/xml/htdocs/security/en/glsa/glsa-200903-15.xml
new file mode 100644
index 00000000..bc95d87a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200903-15.xml
@@ -0,0 +1,86 @@
+
+
+
+
+
+
+ git: Multiple vulnerabilties
+
+ Multiple vulnerabilities in gitweb allow for remote execution of arbitrary
+ commands.
+
+ git
+ March 09, 2009
+ March 09, 2009: 01
+ 251343
+ remote
+
+
+ 1.6.0.6
+ 1.6.0.6
+
+
+
+

+ GIT - the stupid content tracker, the revision control system used by + the Linux kernel team. +

+
+ +

+ Multiple vulnerabilities have been reported in gitweb that is part of + the git package: +

+
    +
  • + Shell metacharacters related to git_search are not properly sanitized + (CVE-2008-5516). +
  • +
  • + Shell metacharacters related to git_snapshot and git_object are not + properly sanitized (CVE-2008-5517). +
  • +
  • + The diff.external configuration variable as set in a repository can be + executed by gitweb (CVE-2008-5916). +
  • +
+
+ +

+ A remote unauthenticated attacker can execute arbitrary commands via + shell metacharacters in a query, remote attackers with write access to + a git repository configuration can execute arbitrary commands with the + privileges of the user running gitweb by modifying the diff.external + configuration variable in the repository and sending a crafted query to + gitweb. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All git users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/git-1.6.0.6" +
+ + CVE-2008-5516 + CVE-2008-5517 + CVE-2008-5916 + + + p-y + + + rbu + + + rbu + +
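Review bot: The title line `git: Multiple vulnerabilties` misspells the word; advisory titles are reproduced in mail subjects and indexes, so it should read `git: Multiple vulnerabilities`. The impact paragraph also joins two independent clauses with a comma; ending the first sentence after `shell metacharacters in a query.` and starting a new one with `Remote attackers with write access to a git repository configuration ...` reads more clearly.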
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-16.xml b/xml/htdocs/security/en/glsa/glsa-200903-16.xml new file mode 100644 index 00000000..b5613d25 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-16.xml @@ -0,0 +1,68 @@ + + + + + + + Epiphany: Untrusted search path + + An untrusted search path vulnerability in Epiphany might result in the + execution of arbitrary code. + + epiphany + March 09, 2009 + March 09, 2009: 01 + 257000 + local + + + 2.22.3-r2 + 2.22.3-r2 + + + +

+ Epiphany is a GNOME webbrowser based on the Mozilla rendering engine + Gecko. +

+
+ +

+ James Vega reported an untrusted search path vulnerability in the + Python interface. +

+
+ +

+ A local attacker could entice a user to run Epiphany from a directory + containing a specially crafted python module, resulting in the + execution of arbitrary code with the privileges of the user running + Epiphany. +

+
+ +

+ Do not run "epiphany" from untrusted working directories. +

+
+ +

+ All Epiphany users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/epiphany-2.22.3-r2" +
+ + CVE-2008-5985 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-17.xml b/xml/htdocs/security/en/glsa/glsa-200903-17.xml new file mode 100644 index 00000000..5386b2ca --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-17.xml @@ -0,0 +1,68 @@ + + + + + + + Real VNC: User-assisted execution of arbitrary code + + The Real VNC client is vulnerable to execution of arbitrary code when + connecting to a malicious server. + + vnc + March 09, 2009 + March 09, 2009: 01 + 255225 + remote + + + 4.1.3 + 4.1.3 + + + +

+ Real VNC is a remote desktop viewer display system. +

+
+ +

+ An unspecified vulnerability has been discovered int the + CMsgReader::readRect() function in the VNC Viewer component, related to + the encoding type of RFB protocol data. +

+
+ +

+ A remote attacker could entice a user to connect to a malicious VNC + server, or leverage Man-in-the-Middle attacks, to cause the execution + of arbitrary code with the privileges of the user running the VNC + viewer. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Real VNC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/vnc-4.1.3" +
+ + CVE-2008-4770 + + + keytoaster + + + rbu + + + rbu + +
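Review bot: The description paragraph has a typo, `discovered int the CMsgReader::readRect() function`, which should read `discovered in the CMsgReader::readRect() function`. The rest of the hunk is consistent with the single CVE reference and the 4.1.3 version range.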
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-18.xml b/xml/htdocs/security/en/glsa/glsa-200903-18.xml new file mode 100644 index 00000000..3e26da6e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-18.xml @@ -0,0 +1,67 @@ + + + + + + + Openswan: Insecure temporary file creation + + An insecure temporary file usage has been reported in Openswan, allowing + for symlink attacks. + + openswan + March 09, 2009 + March 09, 2009: 01 + 238574 + local + + + 2.4.13-r2 + 2.4.13-r2 + + + +

+ Openswan is an implementation of IPsec for Linux. +

+
+ +

+ Dmitry E. Oboukhov reported that the IPSEC livetest tool does not + handle the ipseclive.conn and ipsec.olts.remote.log temporary files + securely. +

+
+ +

+ A local attacker could perform symlink attacks to execute arbitrary + code and overwrite arbitrary files with the privileges of the user + running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Openswan users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/openswan-2.4.13-r2" +
+ + CVE-2008-4190 + + + p-y + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-19.xml b/xml/htdocs/security/en/glsa/glsa-200903-19.xml new file mode 100644 index 00000000..810ea67d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-19.xml @@ -0,0 +1,69 @@ + + + + + + + Xerces-C++: Denial of Service + + An error in Xerces-C++ allows for a Denial of Service via malicious XML + schema files. + + xerces-c + March 09, 2009 + March 09, 2009: 01 + 240496 + remote + + + 3.0.0-r1 + 3.0.0-r1 + + + +

+ Xerces-C++ is a validating XML parser written in a portable subset of + C++. +

+
+ +

+ Frank Rast reported that the XML parser in Xerces-C++ does not + correctly handle an XML schema definition with a large maxOccurs value, + which triggers excessive memory consumption during the validation of an + XML file. +

+
+ +

+ A remote attacker could entice a user or automated system to validate + an XML file using a specially crafted XML schema file, leading to a + Denial of Service (stack consumption and crash). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Xerces-C++ users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/xerces-c-3.0.0-r1" +
+ + CVE-2008-4482 + + + falco + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-20.xml b/xml/htdocs/security/en/glsa/glsa-200903-20.xml new file mode 100644 index 00000000..86836237 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-20.xml @@ -0,0 +1,79 @@ + + + + + + + WebSVN: Multiple vulnerabilities + + Multiple vulnerabilities in WebSVN allow for file overwrite and information + disclosure. + + websvn + March 09, 2009 + March 09, 2009: 01 + 243852 + remote + + + 2.1.0 + 2.1.0 + + + +

+ WebSVN is a web-based browsing tool for Subversion repositories written + in PHP. +

+
+ +
    +
  • + James Bercegay of GulfTech Security reported a Cross-site scripting + (XSS) vulnerability in the getParameterisedSelfUrl() function in + index.php (CVE-2008-5918) and a directory traversal vulnerability in + rss.php when magic_quotes_gpc is disabled (CVE-2008-5919). +
  • +
  • + Bas van Schaik reported that listing.php does not properly enforce + access restrictions when using an SVN authz file to authenticate users + (CVE-2009-0240). +
  • +

+

+
+ +

+ A remote attacker can exploit these vulnerabilities to overwrite + arbitrary files, to read changelogs or diffs for restricted projects + and to hijack a user's session. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All WebSVN users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/websvn-2.1.0" +
+ + CVE-2008-5918 + CVE-2008-5919 + CVE-2009-0240 + + + rbu + + + rbu + + + rbu + +
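Review bot: The impact paragraph (and the synopsis) state that an attacker can "overwrite arbitrary files", but none of the two description bullets describes a write primitive: they list an XSS in index.php, a directory traversal in rss.php and an access-restriction bypass in listing.php. If the rss.php traversal (CVE-2008-5919) is indeed what allows file overwrite, the bullet should say so; otherwise the impact should say `read arbitrary files` rather than `overwrite arbitrary files`. The run of empty `+` lines between the bullet list and the impact section also looks like an empty element left behind by editing, though the tags are not visible in this rendering.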
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-21.xml b/xml/htdocs/security/en/glsa/glsa-200903-21.xml new file mode 100644 index 00000000..21536e76 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-21.xml @@ -0,0 +1,68 @@ + + + + + + + cURL: Arbitrary file access + + A vulnerability in cURL may allow for arbitrary file access. + + curl + March 09, 2009 + March 09, 2009: 01 + 260361 + remote + + + 7.19.4 + 7.19.4 + + + +

+ cURL is a command line tool for transferring files with URL syntax, + supporting numerous protocols. +

+
+ +

+ David Kierznowski reported that the redirect implementation accepts + arbitrary Location values when CURLOPT_FOLLOWLOCATION is enabled. +

+
+ +

+ A remote attacker could possibly exploit this vulnerability to make + remote HTTP servers trigger arbitrary requests to intranet servers and + read or overwrite arbitrary files via a redirect to a file: URL, or, if + the libssh2 USE flag is enabled, execute arbitrary commands via a + redirect to an scp: URL. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All cURL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/curl-7.19.4" +
+ + CVE-2009-0037 + + + keytoaster + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-22.xml b/xml/htdocs/security/en/glsa/glsa-200903-22.xml new file mode 100644 index 00000000..5a69554d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-22.xml @@ -0,0 +1,68 @@ + + + + + + + Ganglia: Execution of arbitrary code + + A buffer-overflow in Ganglia's gmetad might lead to the execution of + arbitrary code. + + ganglia + March 10, 2009 + March 10, 2009: 01 + 255366 + remote + + + 3.1.1-r2 + 3.1.1-r2 + + + +

+ Ganglia is a scalable distributed monitoring system for clusters and + grids. +

+
+ +

+ Spike Spiegel reported a stack-based buffer overflow in the + process_path() function when processing overly long pathnames in + gmetad/server.c. +

+
+ +

+ A remote attacker could send a specially crafted request to the gmetad + service leading to the execution of arbitrary code or a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ganglia users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-cluster/ganglia-3.1.1-r2" +
+ + CVE-2009-0241 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-23.xml b/xml/htdocs/security/en/glsa/glsa-200903-23.xml new file mode 100644 index 00000000..a6d4f48f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-23.xml @@ -0,0 +1,139 @@ + + + + + + + Adobe Flash Player: Multiple vulnerabilities + + Multiple vulnerabilities have been identified, the worst of which allow + arbitrary code execution on a user's system via a malicious Flash file. + + adobe-flash + March 10, 2009 + May 28, 2009: 04 + 239543 + 251496 + 260264 + remote + + + 10.0.22.87 + 10.0.22.87 + + + +

+ The Adobe Flash Player is a renderer for the popular SWF file format, + which is commonly used to provide interactive websites, digital + experiences and mobile content. +

+
+ +

+ Multiple vulnerabilities have been discovered in Adobe Flash Player: +

+
    +
  • The access scope of SystemsetClipboard() allows ActionScript + programs to execute the method without user interaction + (CVE-2008-3873).
  • +
  • The access scope of FileReference.browse() and + FileReference.download() allows ActionScript programs to execute the + methods without user interaction (CVE-2008-4401).
  • +
  • The Settings Manager controls can be disguised as normal graphical + elements. This so-called "clickjacking" vulnerability was disclosed by + Robert Hansen of SecTheory, Jeremiah Grossman of WhiteHat Security, + Eduardo Vela, Matthew Mastracci of DotSpots, and Liu Die Yu of + TopsecTianRongXin (CVE-2008-4503).
  • +
  • Adan Barth (UC Berkely) and Collin Jackson (Stanford University) + discovered a flaw occurring when interpreting HTTP response headers + (CVE-2008-4818).
  • +
  • Nathan McFeters and Rob Carter of Ernst and Young's Advanced + Security Center are credited for finding an unspecified vulnerability + facilitating DNS rebinding attacks (CVE-2008-4819).
  • +
  • When used in a Mozilla browser, Adobe Flash Player does not + properly interpret jar: URLs, according to a report by Gregory + Fleischer of pseudo-flaw.net (CVE-2008-4821).
  • +
  • Alex "kuza55" K. reported that Adobe Flash Player does not properly + interpret policy files (CVE-2008-4822).
  • +
  • The vendor credits Stefano Di Paola of Minded Security for + reporting that an ActionScript attribute is not interpreted properly + (CVE-2008-4823).
  • +
  • Riley Hassell and Josh Zelonis of iSEC Partners reported multiple + input validation errors (CVE-2008-4824).
  • +
  • The aforementioned researchers also reported that ActionScript 2 + does not verify a member element's size when performing several known + and other unspecified actions, that DefineConstantPool accepts an + untrusted input value for a "constant count" and that character + elements are not validated when retrieved from a data structure, + possibly resulting in a null-pointer dereference (CVE-2008-5361, + CVE-2008-5362, CVE-2008-5363).
  • +
  • The vendor reported an unspecified arbitrary code execution + vulnerability (CVE-2008-5499).
  • +
  • Liu Die Yu of TopsecTianRongXin reported an unspecified flaw in the + Settings Manager related to "clickjacking" (CVE-2009-0114).
  • +
  • The vendor credits Roee Hay from IBM Rational Application Security + for reporting an input validation error when processing SWF files + (CVE-2009-0519).
  • +
  • Javier Vicente Vallejo reported via the iDefense VCP that Adobe + Flash does not remove object references properly, leading to a freed + memory dereference (CVE-2009-0520).
  • +
  • Josh Bressers of Red Hat and Tavis Ormandy of the Google Security + Team reported an untrusted search path vulnerability + (CVE-2009-0521).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted SWF + file, possibly resulting in the execution of arbitrary code with the + privileges of the user or a Denial of Service (crash). Furthermore a + remote attacker could gain access to sensitive information, disclose + memory contents by enticing a user to open a specially crafted PDF file + inside a Flash application, modify the victim's clipboard or render it + temporarily unusable, persuade a user into uploading or downloading + files, bypass security restrictions with the assistance of the user to + gain access to camera and microphone, conduct Cross-Site Scripting and + HTTP Header Splitting attacks, bypass the "non-root domain policy" of + Flash, and gain escalated privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Flash Player users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-10.0.22.87" +
+ + CVE-2008-3873 + CVE-2008-4401 + CVE-2008-4503 + CVE-2008-4818 + CVE-2008-4819 + CVE-2008-4821 + CVE-2008-4822 + CVE-2008-4823 + CVE-2008-4824 + CVE-2008-5361 + CVE-2008-5362 + CVE-2008-5363 + CVE-2008-5499 + CVE-2009-0114 + CVE-2009-0519 + CVE-2009-0520 + CVE-2009-0521 + + + a3li + + + p-y + +
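Review bot: Two names in the description list look garbled: `SystemsetClipboard()` in the first bullet is presumably the ActionScript method `System.setClipboard()` (missing dot), and `Adan Barth (UC Berkely)` in the fourth bullet is likely `Adam Barth (UC Berkeley)`; both should be verified against the vendor bulletin before changing. The seventeen bullets otherwise match the seventeen CVE references at the end of the hunk.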
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-24.xml b/xml/htdocs/security/en/glsa/glsa-200903-24.xml new file mode 100644 index 00000000..be0e7fc0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-24.xml @@ -0,0 +1,65 @@ + + + + + + + Shadow: Privilege escalation + + An insecure temporary file usage in Shadow may allow local users to gain + root privileges. + + shadow + March 10, 2009 + March 10, 2009: 01 + 251320 + local + + + 4.1.2.2 + 4.1.2.2 + + + +

+ Shadow is a set of tools to deal with user accounts. +

+
+ +

+ Paul Szabo reported a race condition in the "login" executable when + setting up tty permissions. +

+
+ +

+ A local attacker belonging to the "utmp" group could use symlink + attacks to overwrite arbitrary files and possibly gain root privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Shadow users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.2.2" +
+ + CVE-2008-5394 + + + craig + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-25.xml b/xml/htdocs/security/en/glsa/glsa-200903-25.xml new file mode 100644 index 00000000..71339ac5 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-25.xml @@ -0,0 +1,69 @@ + + + + + + + Courier Authentication Library: SQL Injection vulnerability + + An SQL injection vulnerability has been discovered in the Courier + Authentication Library. + + courier-authlib + March 11, 2009 + March 11, 2009: 01 + 252576 + remote + + + 0.62.2 + 0.62.2 + + + +

+ The Courier Authentication Library is a generic authentication API that + encapsulates the process of validating account passwords. +

+
+ +

+ It has been reported that some parameters used in SQL queries are not + properly sanitized before being processed when using a non-Latin locale + Postgres database. +

+
+ +

+ A remote attacker could send specially crafted input to an application + using the library, possibly resulting in the execution of arbitrary SQL + commands. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Courier Authentication Library users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/courier-authlib-0.62.2" +
+ + CVE-2008-2380 + + + craig + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-26.xml b/xml/htdocs/security/en/glsa/glsa-200903-26.xml new file mode 100644 index 00000000..79d56957 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-26.xml @@ -0,0 +1,65 @@ + + + + + + + TMSNC: Execution of arbitrary code + + A buffer overflow in TMSNC might lead to the execution of arbitrary code + when processing an instant message. + + tmsnc + March 12, 2009 + March 12, 2009: 01 + 229157 + remote + + + 0.3.2-r1 + + + +

+ TMSNC is a Textbased client for the MSN instant messaging protocol. +

+
+ +

+ Nico Golde reported a stack-based buffer overflow when processing a MSN + packet with a UBX command containing a large UBX payload length field. +

+
+ +

+ A remote attacker could send a specially crafted message, possibly + resulting in the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ Since TMSNC is no longer maintained, we recommend that users unmerge + the vulnerable package and switch to another console-based MSN client + such as CenterIM or Pebrot: +

+ + # emerge --unmerge "net-im/tmsnc" +
+ + CVE-2008-2828 + + + p-y + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-27.xml b/xml/htdocs/security/en/glsa/glsa-200903-27.xml new file mode 100644 index 00000000..b462eb40 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-27.xml @@ -0,0 +1,75 @@ + + + + + + + ProFTPD: Multiple vulnerabilities + + Two vulnerabilities in ProFTPD might allow for SQL injection attacks. + + proftpd + March 12, 2009 + March 12, 2009: 01 + 258450 + remote + + + 1.3.2 + 1.3.2 + + + +

+ ProFTPD is an advanced and very configurable FTP server. +

+
+ +

+ The following vulnerabilities were reported: +

+
  • + Percent characters in the username are not properly handled, which + introduces a single quote character during variable substitution by + mod_sql (CVE-2009-0542). +
  • +
  • + Some invalid, encoded multibyte characters are not properly handled in + mod_sql_mysql and mod_sql_postgres when NLS support is enabled + (CVE-2009-0543). +
  • +
+
+ +

+ A remote attacker could send specially crafted requests to the server, + possibly resulting in the execution of arbitrary SQL statements. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ProFTPD users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.2" +
+ + CVE-2009-0542 + CVE-2009-0543 + + + craig + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-28.xml b/xml/htdocs/security/en/glsa/glsa-200903-28.xml new file mode 100644 index 00000000..a325ec6d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-28.xml @@ -0,0 +1,89 @@ + + + + + + + libpng: Multiple vulnerabilities + + Multiple vulnerabilities were found in libpng, which might result in the + execution of arbitrary code + + libpng + March 15, 2009 + March 15, 2009: 01 + 244808 + 255231 + 259578 + remote + + + 1.2.35 + 1.2.35 + + + +

+ libpng is the official PNG reference library used to read, write and + manipulate PNG images. +

+
+ +

+ Multiple vulnerabilities were discovered in libpng: +

+
    +
  • A + memory leak bug was reported in png_handle_tEXt(), a function that is + used while reading PNG images (CVE-2008-6218).
  • +
  • A memory + overwrite bug was reported by Jon Foster in png_check_keyword(), caused + by writing overlong keywords to a PNG file (CVE-2008-5907).
  • +
  • A + memory corruption issue, caused by an incorrect handling of an out of + memory condition has been reported by Tavis Ormandy of the Google + Security Team. That vulnerability affects direct uses of + png_read_png(), pCAL chunk and 16-bit gamma table handling + (CVE-2009-0040).
  • +
+
+ +

+ A remote attacker may execute arbitrary code with the privileges of the + user opening a specially crafted PNG file by exploiting the erroneous + out-of-memory handling. An attacker may also exploit the + png_check_keyword() error to set arbitrary memory locations to 0, if + the application allows overlong, user-controlled keywords when writing + PNG files. The png_handle_tEXT() vulnerability may be exploited by an + attacker to potentially consume all memory on a users system when a + specially crafted PNG file is opened. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libpng users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.35" +
+ + CVE-2008-5907 + CVE-2008-6218 + CVE-2009-0040 + + + craig + + + mabi + + + p-y + +
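Review bot: The impact paragraph refers to `png_handle_tEXT()` while the description bullet uses `png_handle_tEXt()`; the PNG chunk type is case-sensitive and the function is what readers will search for, so the impact should use `png_handle_tEXt()` as well. The same paragraph has `on a users system`, which should be `on a user's system`, and the synopsis line ends without a period.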
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-29.xml b/xml/htdocs/security/en/glsa/glsa-200903-29.xml new file mode 100644 index 00000000..f20a5047 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-29.xml @@ -0,0 +1,78 @@ + + + + + + + BlueZ: Arbitrary code execution + + Insufficient input validation in BlueZ may lead to arbitrary code execution + or a Denial of Service. + + bluez-utils bluez-libs + March 16, 2009 + March 16, 2009: 01 + 230591 + local, remote + + + 3.36 + 3.36 + + + 3.36 + 3.36 + + + +

+ BlueZ is a set of Bluetooth tools and system daemons for Linux. +

+
+ +

+ It has been reported that the Bluetooth packet parser does not validate + string length fields in SDP packets. +

+
+ +

+ A physically proximate attacker using a Bluetooth device with an + already established trust relationship could send specially crafted + requests, possibly leading to arbitrary code execution or a crash. + Exploitation may also be triggered by a local attacker registering a + service record via a UNIX socket or D-Bus interface. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All bluez-utils users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/bluez-utils-3.36" +

+ All bluez-libs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/bluez-libs-3.36" +
+ + CVE-2008-2374 + + + p-y + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-30.xml b/xml/htdocs/security/en/glsa/glsa-200903-30.xml new file mode 100644 index 00000000..c30604c4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-30.xml @@ -0,0 +1,93 @@ + + + + + + + Opera: Multiple vulnerabilities + + Multiple vulnerabilities were found in Opera, the worst of which allow for + the execution of arbitrary code. + + opera + March 16, 2009 + March 17, 2009: 02 + 247229 + 261032 + remote + + + 9.64 + 9.64 + + + +

+ Opera is a fast web browser that is available free of charge. +

+
+ +

+ Multiple vulnerabilities were discovered in Opera: +

+
    +
  • Vitaly McLain reported a heap-based buffer overflow when processing + host names in file:// URLs (CVE-2008-5178).
  • +
  • Alexios Fakos reported a vulnerability in the HTML parsing engine + when processing web pages that trigger an invalid pointer calculation + and heap corruption (CVE-2008-5679).
  • +
  • Red XIII reported that certain text-area contents can be + manipulated to cause a buffer overlow (CVE-2008-5680).
  • +
  • David Bloom discovered that unspecified "scripted URLs" are not + blocked during the feed preview (CVE-2008-5681).
  • +
  • Robert Swiecki of the Google Security Team reported a Cross-site + scripting vulnerability (CVE-2008-5682).
  • +
  • An unspecified vulnerability reveals random data + (CVE-2008-5683).
  • +
  • Tavis Ormandy of the Google Security Team reported a vulnerability + when processing JPEG images that may corrupt memory + (CVE-2009-0914).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted JPEG + image to cause a Denial of Service or execute arbitrary code, to + process an overly long file:// URL or to open a specially crafted web + page to execute arbitrary code. He could also read existing + subscriptions and force subscriptions to arbitrary feed URLs, as well + as inject arbitrary web script or HTML via built-in XSLT templates. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Opera users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/opera-9.64" +
+ + CVE-2008-5178 + CVE-2008-5679 + CVE-2008-5680 + CVE-2008-5681 + CVE-2008-5682 + CVE-2008-5683 + CVE-2009-0914 + + + a3li + + + keytoaster + + + p-y + +
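Review bot: The third description bullet has a typo, `cause a buffer overlow`, which should read `cause a buffer overflow`. In the impact paragraph, `He could also read existing subscriptions` could be reworded as `The attacker could also read existing subscriptions` to match the impersonal style used elsewhere in the hunk.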
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-31.xml b/xml/htdocs/security/en/glsa/glsa-200903-31.xml new file mode 100644 index 00000000..38e8333d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-31.xml @@ -0,0 +1,64 @@ + + + + + + + libcdaudio: User-assisted execution of arbitrary code + + A vulnerability in libcdaudio might allow for the remote execution of + arbitrary code. + + libcdaudio + March 17, 2009 + March 17, 2009: 01 + 245649 + remote + + + 0.99.12-r1 + 0.99.12-r1 + + + +

+ libcdaudio is a library of CD audio related routines. +

+
+ +

+ A heap-based buffer overflow has been reported in the + cddb_read_disc_data() function in cddb.c when processing overly long + CDDB data. +

+
+ +

+ A remote attacker could entice a user to connect to a malicious CDDB + server, possibly resulting in the remote execution of arbitrary code + with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libcdaudio users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libcdaudio-0.99.12-r1" +
+ + CVE-2008-5030 + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-32.xml b/xml/htdocs/security/en/glsa/glsa-200903-32.xml new file mode 100644 index 00000000..6ebea927 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-32.xml @@ -0,0 +1,100 @@ + + + + + + + phpMyAdmin: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in phpMyAdmin, the worst of + which may allow for remote code execution. + + phpmyadmin + March 18, 2009 + March 18, 2009: 01 + 237781 + 244914 + 246831 + 250752 + remote + + + 2.11.9.4 + 2.11.9.4 + + + +

+ phpMyAdmin is a web-based management tool for MySQL databases. +

+
+ +

+ Multiple vulnerabilities have been reported in phpMyAdmin: +

+
    +
  • + libraries/database_interface.lib.php in phpMyAdmin allows remote + authenticated users to execute arbitrary code via a request to + server_databases.php with a sort_by parameter containing PHP sequences, + which are processed by create_function (CVE-2008-4096). +
  • +
  • + Cross-site scripting (XSS) vulnerability in pmd_pdf.php allows remote + attackers to inject arbitrary web script or HTML via the db parameter, + a different vector than CVE-2006-6942 and CVE-2007-5977 + (CVE-2008-4775). +
  • +
  • + Cross-site request forgery (CSRF) vulnerability in phpMyAdmin allows + remote authenticated attackers to perform unauthorized actions as the + administrator via a link or IMG tag to tbl_structure.php with a + modified table parameter. NOTE: this can be leveraged to conduct SQL + injection attacks and execute arbitrary code (CVE-2008-5621). +
  • +
  • + Multiple cross-site request forgery (CSRF) vulnerabilities in + phpMyAdmin allow remote attackers to conduct SQL injection attacks via + unknown vectors related to the table parameter, a different vector than + CVE-2008-5621 (CVE-2008-5622). +
  • +
+
+ +

+ A remote attacker may execute arbitrary code with the rights of the + webserver, inject and execute SQL with the rights of phpMyAdmin or + conduct XSS attacks against other users. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All phpMyAdmin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.11.9.4" +
+ + CVE-2006-6942 + CVE-2007-5977 + CVE-2008-4096 + CVE-2008-4775 + CVE-2008-5621 + CVE-2008-5622 + + + keytoaster + + + mabi + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-33.xml b/xml/htdocs/security/en/glsa/glsa-200903-33.xml new file mode 100644 index 00000000..ba1f37dd --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-33.xml @@ -0,0 +1,112 @@ + + + + + + + FFmpeg: Multiple vulnerabilities + + Multiple vulnerabilities in FFmpeg may lead to the remote execution of + arbitrary code or a Denial of Service. + + ffmpeg gst-plugins-ffmpeg mplayer + March 19, 2009 + March 19, 2009: 01 + 231831 + 231834 + 245313 + 257217 + 257381 + remote + + + 0.4.9_p20090201 + 0.4.9_p20090201 + + + 0.10.5 + 0.10.5 + + + 1.0_rc2_p28450 + 1.0_rc2_p28450 + + + +

+ FFmpeg is a complete solution to record, convert and stream audio and + video. gst-plugins-ffmpeg is a FFmpeg based gstreamer plugin which + includes a vulnerable copy of FFmpeg code. Mplayer is a multimedia + player which also includes a vulnerable copy of the code. +

+
+ +

+ Multiple vulnerabilities were found in FFmpeg: +

+
  • astrange + reported a stack-based buffer overflow in the str_read_packet() in + libavformat/psxstr.c when processing .str files (CVE-2008-3162).
  • +
  • Multiple buffer overflows in libavformat/utils.c + (CVE-2008-4866).
  • +
  • A buffer overflow in libavcodec/dca.c + (CVE-2008-4867).
  • +
  • An unspecified vulnerability in the + avcodec_close() function in libavcodec/utils.c (CVE-2008-4868).
  • +
  • Unspecified memory leaks (CVE-2008-4869).
  • +
  • Tobias Klein + repoerted a NULL pointer dereference due to an integer signedness error + in the fourxm_read_header() function in libavformat/4xm.c + (CVE-2009-0385).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted media + file, possibly leading to the execution of arbitrary code with the + privileges of the user running the application, or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FFmpeg users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-0.4.9_p20090201" +

+ All gst-plugins-ffmpeg users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-plugins/gst-plugins-ffmpeg-0.10.5" +

+ All Mplayer users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_rc2_p28450" +
+ + CVE-2008-3162 + CVE-2008-4866 + CVE-2008-4867 + CVE-2008-4868 + CVE-2008-4869 + CVE-2009-0385 + + + keytoaster + + + p-y + + + p-y + +
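Review bot: The last description bullet has a typo, `Tobias Klein repoerted a NULL pointer dereference`, which should read `Tobias Klein reported a NULL pointer dereference`. The first bullet is also missing a noun after the function name; `in the str_read_packet() function in libavformat/psxstr.c` matches the wording of the other bullets in the hunk.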
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-34.xml b/xml/htdocs/security/en/glsa/glsa-200903-34.xml new file mode 100644 index 00000000..a8997940 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-34.xml @@ -0,0 +1,76 @@ + + + + + + + Amarok: User-assisted execution of arbitrary code + + Multiple vulnerabilities in Amarok might allow for user-assisted execution + of arbitrary code. + + amarok + March 20, 2009 + March 20, 2009: 01 + 254896 + remote + + + 1.4.10-r2 + 1.4.10-r2 + + + +

+ Amarok is an advanced music player. +

+
+ +

+ Tobias Klein has discovered multiple vulnerabilities in Amarok: +

+
    +
  • Multiple integer overflows in the Audible::Tag::readTag() + function in metadata/audible/audibletag.cpp trigger heap-based buffer + overflows (CVE-2009-0135).
  • +
  • Multiple array index errors in the + Audible::Tag::readTag() function in metadata/audible/audibletag.cpp can + lead to invalid pointer dereferences, or the writing of a 0x00 byte to + an arbitrary memory location after an allocation failure + (CVE-2009-0136).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted + Audible Audio (.aa) file with a large "nlen" or "vlen" tag value to + execute arbitrary code or cause a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Amarok users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/amarok-1.4.10-r2" +
+ + CVE-2009-0135 + CVE-2009-0136 + + + a3li + + + keytoaster + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-35.xml b/xml/htdocs/security/en/glsa/glsa-200903-35.xml new file mode 100644 index 00000000..30c2d012 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-35.xml @@ -0,0 +1,65 @@ + + + + + + + Muttprint: Insecure temporary file usage + + An insecure temporary file usage in Muttprint allows for symlink attacks. + + muttprint + March 23, 2009 + March 23, 2009: 01 + 250554 + local + + + 0.72d-r1 + 0.72d-r1 + + + +

+ Muttprint formats the output of mail clients to a good-looking printing + using LaTeX. +

+
+ +

+ Dmitry E. Oboukhov reported an insecure usage of the temporary file + "/tmp/muttprint.log" in the muttprint script. +

+
+ +

+ A local attacker could perform symlink attacks to overwrite arbitrary + files with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Muttprint users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-misc/muttprint-0.72d-r1" +
+ + CVE-2008-5368 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-36.xml b/xml/htdocs/security/en/glsa/glsa-200903-36.xml new file mode 100644 index 00000000..c2739062 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-36.xml @@ -0,0 +1,67 @@ + + + + + + + MLDonkey: Information disclosure + + A vulnerability in the MLDonkey web interface allows remote attackers to + disclose arbitrary files. + + mldonkey + March 23, 2009 + March 23, 2009: 01 + 260072 + remote + + + 3.0.0 + 3.0.0 + + + +

+ MLDonkey is a multi-network P2P application written in Ocaml, coming + with its own Gtk GUI, web and telnet interface. +

+
+ +

+ Michael Peselnik reported that src/utils/lib/url.ml in the web + interface of MLDonkey does not handle file names with leading double + slashes properly. +

+
+ +

+ A remote attacker could gain access to arbitrary files readable by the + user running the application. +

+
+ +

+ Disable the web interface or restrict access to it. +

+
+ +

+ All MLDonkey users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/mldonkey-3.0.0" +
+ + CVE-2009-0753 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-37.xml b/xml/htdocs/security/en/glsa/glsa-200903-37.xml new file mode 100644 index 00000000..2a6bd645 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-37.xml @@ -0,0 +1,97 @@ + + + + + + + Ghostscript: User-assisted execution of arbitrary code + + Multiple integer overflows in the Ghostscript ICC library might allow for + user-assisted execution of arbitrary code. + + ghostscript-gpl ghostscript-esp ghostscript-gnu + March 23, 2009 + March 23, 2009: 01 + 261087 + remote + + + 8.64-r2 + 8.64-r2 + + + 8.62.0 + 8.62.0 + + + 8.15.4-r1 + + + +

+ Ghostscript is an interpreter for the PostScript language and the + Portable Document Format (PDF). +

+
+ +

+ Jan Lieskovsky from the Red Hat Security Response Team discovered the + following vulnerabilities in Ghostscript's ICC Library: +

+
    +
  • Multiple integer overflows (CVE-2009-0583).
  • +
  • Multiple + insufficient bounds checks on certain variable sizes + (CVE-2009-0584).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted + PostScript file containing images and a malicious ICC profile, possibly + resulting in the execution of arbitrary code with the privileges of the + user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GPL Ghostscript users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-8.64-r2" +

+ All GNU Ghostscript users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gnu-8.62.0" +

+ We recommend that users unmerge ESP Ghostscript and use GPL or GNU + Ghostscript instead: +

+ + # emerge --unmerge "app-text/ghostscript-esp" +

+ For installation instructions, see above. +

+
+ + CVE-2009-0583 + CVE-2009-0584 + + + keytoaster + + + a3li + + + a3li + +
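Review bot: The package block lists app-text/ghostscript-esp with only a vulnerable version (8.15.4-r1) and no unaffected one, but the resolution text never states outright that no fixed ESP Ghostscript exists, so "We recommend that users unmerge ESP Ghostscript" can be read as optional advice rather than the only remedy. Suggest a sentence ahead of the unmerge command: `No fixed version of ESP Ghostscript is available; ESP Ghostscript users remain vulnerable until they switch to GPL or GNU Ghostscript.` This keeps the prose consistent with the package list, which is what automated tooling reads.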
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-38.xml b/xml/htdocs/security/en/glsa/glsa-200903-38.xml new file mode 100644 index 00000000..4ef1e781 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-38.xml @@ -0,0 +1,73 @@ + + + + + + + Squid: Multiple Denial of Service vulnerabilities + + Multiple vulnerabilities have been found in Squid which allow for remote + Denial of Service attacks. + + Squid + March 24, 2009 + March 24, 2009: 01 + 216319 + 257585 + remote + + + 2.7.6 + 2.7.6 + + + +

+ Squid is a full-featured web proxy cache. +

+
+ +
    +
  • The arrayShrink function in lib/Array.c can cause an array to + shrink to 0 entries, which triggers an assert error. NOTE: this issue + is due to an incorrect fix for CVE-2007-6239 (CVE-2008-1612).
  • +
  • An invalid version number in a HTTP request may trigger an + assertion in HttpMsg.c and HttpStatusLine.c (CVE-2009-0478).
  • +
+
+ +

+ The issues allows for Denial of Service attacks against the service via + an HTTP request with an invalid version number and other specially + crafted requests. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Squid users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/squid-2.7.6" +
+ + CVE-2007-6239 + CVE-2008-1612 + CVE-2009-0478 + GLSA-200801-05 + + + rbu + + + craig + + + p-y + +
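Review bot: The impact paragraph has a number agreement slip, "The issues allows for Denial of Service attacks"; it should read `These issues allow for Denial of Service attacks`. More importantly, the first bullet says CVE-2008-1612 exists because the fix for CVE-2007-6239 was incorrect, and the references point at GLSA-200801-05, but nothing in the impact tells readers that systems which already applied that earlier advisory are still affected. A sentence such as `Note that the fix shipped for GLSA 200801-05 was incomplete; systems updated for that advisory are still affected by CVE-2008-1612.` would make that explicit.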
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-39.xml b/xml/htdocs/security/en/glsa/glsa-200903-39.xml new file mode 100644 index 00000000..b7e4da5e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-39.xml @@ -0,0 +1,74 @@ + + + + + + + pam_krb5: Privilege escalation + + Two vulnerabilities in pam_krb5 might allow local users to elevate their + privileges or overwrite arbitrary files. + + pam_krb5 + March 25, 2009 + March 25, 2009: 01 + 257075 + local + + + 3.12 + 3.12 + + + +

+ pam_krb5 is a a Kerberos v5 PAM module. +

+
+ +

+ The following vulnerabilities were discovered: +

+
  • pam_krb5 + does not properly initialize the Kerberos libraries for setuid use + (CVE-2009-0360).
  • +
  • Derek Chan reported that calls to + pam_setcred() are not properly handled when running setuid + (CVE-2009-0361).
  • +
+
+ +

+ A local attacker could set an environment variable to point to a + specially crafted Kerberos configuration file and launch a PAM-based + setuid application to elevate privileges, or change ownership and + overwrite arbitrary files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All pam_krb5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-auth/pam_krb5-3.12" +
+ + CVE-2009-0360 + CVE-2009-0361 + + + keytoaster + + + p-y + + + p-y + +
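Review bot: The background line reads "pam_krb5 is a a Kerberos v5 PAM module" and should be `pam_krb5 is a Kerberos v5 PAM module`. The impact paragraph says a local attacker "could set an environment variable to point to a specially crafted Kerberos configuration file" without naming the variable; if the upstream report identifies which variable the Kerberos libraries honour for an alternate configuration path, naming it here would let administrators check their setuid programs, but confirm that against the upstream advisory rather than guessing. The workaround section says none is known; if restricting which setuid applications use this PAM module is a viable interim measure, it belongs there.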
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-40.xml b/xml/htdocs/security/en/glsa/glsa-200903-40.xml new file mode 100644 index 00000000..d30e4c1f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-40.xml @@ -0,0 +1,70 @@ + + + + + + + Analog: Denial of Service + + A Denial of Service vulnerability was discovered in Analog. + + analog + March 29, 2009 + March 29, 2009: 01 + 249140 + local + + + 6.0-r2 + 6.0-r2 + + + +

+ Analog is a a webserver log analyzer. +

+
+ +

+ Diego E. Petteno reported that the Analog package in Gentoo is built + with its own copy of bzip2, making it vulnerable to CVE-2008-1372 (GLSA + 200804-02). +

+
+ +

+ A local attacker could place specially crafted log files into a log + directory being analyzed by analog, e.g. /var/log/apache, resulting in + a crash when being processed by the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Analog users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/analog-6.0-r2" +

+ NOTE: Analog is now linked against the system bzip2 library. +

+
+ + CVE-2008-1372 + GLSA 200804-02 + + + keytoaster + + + p-y + + + p-y + +
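Review bot: The background line "Analog is a a webserver log analyzer" has a doubled article and should be `Analog is a webserver log analyzer`. The synopsis says the Denial of Service "was discovered in Analog", but the description makes clear the defect is in the bundled copy of bzip2 (CVE-2008-1372, GLSA 200804-02), so `A Denial of Service vulnerability in the copy of bzip2 bundled with Analog` would describe it more accurately. The NOTE in the resolution that Analog is now linked against the system bzip2 is the right supply-chain point to make; consider adding that future bzip2 advisories therefore apply to Analog directly.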
diff --git a/xml/htdocs/security/en/glsa/glsa-200903-41.xml b/xml/htdocs/security/en/glsa/glsa-200903-41.xml new file mode 100644 index 00000000..266cd8be --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200903-41.xml @@ -0,0 +1,74 @@ + + + + + + + gedit: Untrusted search path + + A vulnerability in gedit might allow local attackers to execute arbitrary + code. + + gedit + March 30, 2009 + March 30, 2009: 01 + 257004 + local + + + 2.22.3-r1 + 2.24.3 + 2.24.3 + + + +

+ gedit is a text editor for the GNOME desktop. +

+
+ +

+ James Vega reported that gedit uses the current working directory when + searching for python modules, a vulnerability related to CVE-2008-5983. +

+
+ +

+ A local attacker could entice a user to open gedit from a specially + crafted environment, possibly resulting in the execution of arbitrary + code with the privileges of the user running the application. +

+
+ +

+ Do not run gedit from untrusted working directories. +

+
+ +

+ All gedit 2.22.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/gedit-2.22.3-r1" +

+ All gedit 2.24.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/gedit-2.24.3" +
+ + CVE-2008-5983 + CVE-2009-0314 + + + a3li + + + p-y + + + p-y + +
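Review bot: The references list both CVE-2008-5983 and CVE-2009-0314, but the description cites only CVE-2008-5983 and calls the gedit issue merely "related" to it, so a reader cannot tell which identifier belongs to the gedit bug itself. Assuming CVE-2009-0314 is the gedit-specific identifier, as the reference list suggests, the description should say so: `James Vega reported that gedit uses the current working directory when searching for python modules (CVE-2009-0314), a vulnerability related to CVE-2008-5983.` The same pattern is used in the later Eye of GNOME advisory in this commit, so fixing the wording in both keeps the CVE mapping consistent.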
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-01.xml b/xml/htdocs/security/en/glsa/glsa-200904-01.xml new file mode 100644 index 00000000..aea890dc --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-01.xml @@ -0,0 +1,98 @@ + + + + + + + Openfire: Multiple vulnerabilities + + Multiple vulnerabilities were discovered in Openfire, the worst of which + may allow remote execution of arbitrary code. + + openfire + April 02, 2009 + April 02, 2009: 01 + 246008 + 254309 + remote + + + 3.6.3 + 3.6.3 + + + +

+ Ignite Realtime Openfire is a fast real-time collaboration server. +

+
+ +

+ Two vulnerabilities have been reported by Federico Muttis, from CORE + IMPACT's Exploit Writing Team: +

+
    +
  • + Multiple missing or incomplete input validations in several .jsps + (CVE-2009-0496). +
  • +
  • + Incorrect input validation of the "log" parameter in log.jsp + (CVE-2009-0497). +
  • +

+ Multiple vulnerabilities have been reported by Andreas Kurtz: +

+
    +
  • + Erroneous built-in exceptions to input validation in login.jsp + (CVE-2008-6508). +
  • +
  • + Unsanitized user input to the "type" parameter in + sipark-log-summary.jsp used in SQL statement. (CVE-2008-6509) +
  • +
  • + A Cross-Site-Scripting vulnerability due to unsanitized input to the + "url" parameter. (CVE-2008-6510, CVE-2008-6511) +
  • +
+
+ +

+ A remote attacker could execute arbitrary code on clients' systems by + uploading a specially crafted plugin, bypassing authentication. + Additionally, an attacker could read arbitrary files on the server or + execute arbitrary SQL statements. Depending on the server's + configuration the attacker might also execute code on the server via an + SQL injection. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Openfire users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/openfire-3.6.3" +
+ + CVE-2008-6508 + CVE-2008-6509 + CVE-2008-6510 + CVE-2008-6511 + CVE-2009-0496 + CVE-2009-0497 + + + mabi + + + p-y + +
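Review bot: The impact paragraph says an attacker "could execute arbitrary code on clients' systems by uploading a specially crafted plugin", but a plugin uploaded to Openfire would presumably run inside the server process, so "clients' systems" looks like it should be the server; confirm against the upstream report and correct if so. The paragraph also asserts authentication bypass, arbitrary file read and SQL injection, yet the description bullets only give a CVE for the SQL statement in sipark-log-summary.jsp and the "log" parameter in log.jsp, so the reader has to guess which CVE covers the plugin upload and bypass. Attaching the CVE identifier to each impact claim, e.g. `bypassing authentication (CVE-2009-0496)`, would make the mapping checkable.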
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-02.xml b/xml/htdocs/security/en/glsa/glsa-200904-02.xml new file mode 100644 index 00000000..f4528125 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-02.xml @@ -0,0 +1,75 @@ + + + + + + + GLib: Execution of arbitrary code + + Multiple integer overflows might allow for the execution of arbitrary code + when performing base64 conversion. + + glib + April 03, 2009 + April 05, 2009: 02 + 249214 + remote + + + 2.18.4-r1 + 2.16.6-r1 + 2 + 2.18.4-r1 + + + +

+ The GLib is a library of C routines that is used by a multitude of + programs. +

+
+ +

+ Diego E. Petteno` reported multiple integer overflows in glib/gbase64.c + when converting a long string from or to a base64 representation. +

+
+ +

+ A remote attacker could entice a user or automated system to perform a + base64 conversion via an application using GLib, possibly resulting in + the execution of arbitrary code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GLib 2.18 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/glib-2.18.4-r1" +

+ All GLib 2.16 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/glib-2.16.6-r1" +
+ + CVE-2008-4316 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-03.xml b/xml/htdocs/security/en/glsa/glsa-200904-03.xml new file mode 100644 index 00000000..ab8c2de0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-03.xml @@ -0,0 +1,65 @@ + + + + + + + Gnumeric: Untrusted search path + + An untrusted search path vulnerability in Gnumeric might result in the + execution of arbitrary code. + + gnumeric + April 03, 2009 + April 03, 2009: 01 + 257012 + local + + + 1.8.4-r1 + 1.8.4-r1 + + + +

+ The Gnumeric spreadsheet is a versatile application developed as part + of the GNOME Office project. +

+
+ +

+ James Vega reported an untrusted search path vulnerability in the + GObject Python interpreter wrapper in Gnumeric. +

+
+ +

+ A local attacker could entice a user to run Gnumeric from a directory + containing a specially crafted python module, resulting in the + execution of arbitrary code with the privileges of the user running + Gnumeric. +

+
+ +

+ Do not run "gnumeric" from untrusted working directories. +

+
+ +

+ All Gnumeric users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/gnumeric-1.8.4-r1" +
+ + CVE-2009-0318 + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-04.xml b/xml/htdocs/security/en/glsa/glsa-200904-04.xml new file mode 100644 index 00000000..71eeea22 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-04.xml @@ -0,0 +1,65 @@ + + + + + + + WeeChat: Denial of Service + + A processing error in WeeChat might lead to a Denial of Service. + + weechat + April 04, 2009 + April 04, 2009: 01 + 262997 + remote + + + 0.2.6.1 + 0.2.6.1 + + + +

+ Wee Enhanced Environment for Chat (WeeChat) is a light and extensible + console IRC client. +

+
+ +

+ Sebastien Helleu reported an array out-of-bounds error in the colored + message handling. +

+
+ +

+ A remote attacker could send a specially crafted PRIVMSG command, + possibly leading to a Denial of Service (application crash). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All WeeChat users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/weechat-0.2.6.1" +
+ + CVE-2009-0661 + + + a3li + + + a3li + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-05.xml b/xml/htdocs/security/en/glsa/glsa-200904-05.xml new file mode 100644 index 00000000..cfe50f7a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-05.xml @@ -0,0 +1,67 @@ + + + + + + + ntp: Certificate validation error + + An error in the OpenSSL certificate chain validation in ntp might allow for + spoofing attacks. + + ntp + April 05, 2009 + April 05, 2009: 01 + 254098 + remote + + + 4.2.4_p6 + 4.2.4_p6 + + + +

+ ntp contains the client and daemon implementations for the Network Time + Protocol. +

+
+ +

+ It has been reported that ntp incorrectly checks the return value of + the EVP_VerifyFinal(), a vulnerability related to CVE-2008-5077 (GLSA + 200902-02). +

+
+ +

+ A remote attacker could exploit this vulnerability to spoof arbitrary + names to conduct Man-In-The-Middle attacks and intercept sensitive + information. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ntp users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.4_p6" +
+ + CVE-2008-5077 + CVE-2009-0021 + GLSA 200902-02 + + + p-y + + + p-y + +
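Review bot: The description locates the bug in the handling of the EVP_VerifyFinal() return value, which is an OpenSSL call, but the advisory does not say whether an ntp build without OpenSSL support is affected, and that is the first thing a Gentoo admin will want to know given the ssl USE flag. If only builds that use OpenSSL are affected, state it, e.g. `Only ntp built with OpenSSL support is affected.`; if that cannot be confirmed, say the scope is unverified rather than leaving it implicit. The phrase "incorrectly checks the return value of the EVP_VerifyFinal()" also has a stray article and reads better as `the return value of EVP_VerifyFinal()`.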
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-06.xml b/xml/htdocs/security/en/glsa/glsa-200904-06.xml new file mode 100644 index 00000000..0b9a568a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-06.xml @@ -0,0 +1,67 @@ + + + + + + + Eye of GNOME: Untrusted search path + + An untrusted search path vulnerability in the Eye of GNOME might result in + the execution of arbitrary code. + + eog + April 06, 2009 + April 06, 2009: 01 + 257002 + local + + + 2.22.3-r3 + 2.22.3-r3 + + + +

+ The Eye of GNOME is the official image viewer for the GNOME Desktop + environment. +

+
+ +

+ James Vega reported an untrusted search path vulnerability in the + GObject Python interpreter wrapper in the Eye of GNOME, a vulnerabiliy + related to CVE-2008-5983. +

+
+ +

+ A local attacker could entice a user to run the Eye of GNOME from a + directory containing a specially crafted python module, resulting in + the execution of arbitrary code with the privileges of the user running + the application. +

+
+ +

+ Do not run "eog" from untrusted working directories. +

+
+ +

+ All Eye of GNOME users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/eog-2.22.3-r3" +
+ + CVE-2008-5983 + CVE-2008-5987 + + + p-y + + + p-y + +
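Review bot: The references list CVE-2008-5987 but the description never mentions it, naming only CVE-2008-5983 as "related", so it is unclear which identifier is assigned to the Eye of GNOME issue itself. Assuming CVE-2008-5987 is the eog-specific identifier, the sentence should read `... in the Eye of GNOME (CVE-2008-5987), a vulnerability related to CVE-2008-5983.` The same sentence also misspells "vulnerabiliy"; it should be `vulnerability`.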
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-07.xml b/xml/htdocs/security/en/glsa/glsa-200904-07.xml new file mode 100644 index 00000000..9150bf93 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-07.xml @@ -0,0 +1,69 @@ + + + + + + + Xpdf: Untrusted search path + + A vulnerability in Xpdf might allow local attackers to execute arbitrary + code. + + xpdf + April 07, 2009 + April 07, 2009: 01 + 242930 + local + + + 3.02-r2 + 3.02-r2 + + + +

+ Xpdf is a PDF file viewer that runs under the X Window System. +

+
+ +

+ Erik Wallin reported that Gentoo's Xpdf attempts to read the "xpdfrc" + file from the current working directory if it cannot find a ".xpdfrc" + file in the user's home directory. This is caused by a missing + definition of the SYSTEM_XPDFRC macro when compiling a repackaged + version of Xpdf. +

+
+ +

+ A local attacker could entice a user to run "xpdf" from a directory + containing a specially crafted "xpdfrc" file, resulting in the + execution of arbitrary code when attempting to, e.g., print a file. +

+
+ +

+ Do not run Xpdf from untrusted working directories. +

+
+ +

+ All Xpdf users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/xpdf-3.02-r2" +
+ + CVE-2009-1144 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-08.xml b/xml/htdocs/security/en/glsa/glsa-200904-08.xml new file mode 100644 index 00000000..5ee7a6de --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-08.xml @@ -0,0 +1,68 @@ + + + + + + + OpenSSL: Denial of Service + + An error in OpenSSL might allow for a Denial of Service when printing + certificate details. + + openssl + April 07, 2009 + April 07, 2009: 01 + 263751 + remote + + + 0.9.8k + 0.9.8k + + + +

+ OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer + (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general + purpose cryptography library. +

+
+ +

+ The ASN1_STRING_print_ex() function does not properly check the + provided length of a BMPString or UniversalString, leading to an + invalid memory access. +

+
+ +

+ A remote attacker could entice a user or automated system to print a + specially crafted certificate, possibly leading to a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSSL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8k" +
+ + CVE-2009-0590 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-09.xml b/xml/htdocs/security/en/glsa/glsa-200904-09.xml new file mode 100644 index 00000000..51e82265 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-09.xml @@ -0,0 +1,84 @@ + + + + + + + MIT Kerberos 5: Multiple vulnerabilities + + Multiple vulnerabilites in MIT Kerberos 5 might allow remote + unauthenticated users to execute arbitrary code with root privileges. + + mit-krb5 + April 08, 2009 + April 08, 2009: 01 + 262736 + 263398 + remote + + + 1.6.3-r6 + 1.6.3-r6 + + + +

+ MIT Kerberos 5 is a suite of applications that implement the Kerberos + network protocol. kadmind is the MIT Kerberos 5 administration daemon, + KDC is the Key Distribution Center. +

+
+ +

+ Multiple vulnerabilities have been reported in MIT Kerberos 5: +

+
    +
  • A free() call on an uninitialized pointer in the ASN.1 decoder + when decoding an invalid encoding (CVE-2009-0846).
  • +
  • A buffer + overread in the SPNEGO GSS-API application, reported by Apple Product + Security (CVE-2009-0844).
  • +
  • A NULL pointer dereference in the + SPNEGO GSS-API application, reported by Richard Evans + (CVE-2009-0845).
  • +
  • An incorrect length check inside an ASN.1 + decoder leading to spurious malloc() failures (CVE-2009-0847).
  • +
+
+ +

+ A remote unauthenticated attacker could exploit the first vulnerability + to cause a Denial of Service or, in unlikely circumstances, execute + arbitrary code on the host running krb5kdc or kadmind with root + privileges and compromise the Kerberos key database. Exploitation of + the other vulnerabilities might lead to a Denial of Service in kadmind, + krb5kdc, or other daemons performing authorization against Kerberos + that utilize GSS-API or an information disclosure. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All MIT Kerberos 5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.6.3-r6" +
+ + CVE-2009-0844 + CVE-2009-0845 + CVE-2009-0846 + CVE-2009-0847 + + + rbu + + + p-y + +
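Review bot: The synopsis misspells "vulnerabilites"; it should read `Multiple vulnerabilities in MIT Kerberos 5 might allow remote unauthenticated users to execute arbitrary code with root privileges.` Otherwise the impact paragraph is well scoped: it correctly ties code execution to CVE-2009-0846 only and qualifies it with "in unlikely circumstances", and it names krb5kdc, kadmind and other GSS-API consumers as the affected processes, which is the detail an operator needs to decide what to restart.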
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-10.xml b/xml/htdocs/security/en/glsa/glsa-200904-10.xml new file mode 100644 index 00000000..8cc5e073 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-10.xml @@ -0,0 +1,70 @@ + + + + + + + Avahi: Denial of Service + + An error in Avahi might lead to a Denial of Service via network and CPU + consumption. + + avahi + April 08, 2009 + April 08, 2009: 01 + 260971 + remote + + + 0.6.24-r2 + 0.6.24-r2 + + + +

+ Avahi is a system that facilitates service discovery on a local + network. +

+
+ +

+ Rob Leslie reported that the + originates_from_local_legacy_unicast_socket() function in + avahi-core/server.c does not account for the network byte order of a + port number when processing incoming multicast packets, leading to a + multicast packet storm. +

+
+ +

+ A remote attacker could send specially crafted legacy unicast mDNS + query packets to the Avahi daemon, resulting in a Denial of Service due + to network bandwidth and CPU consumption. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Avahi users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/avahi-0.6.24-r2" +
+ + CVE-2009-0758 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-11.xml b/xml/htdocs/security/en/glsa/glsa-200904-11.xml new file mode 100644 index 00000000..9a28ec0c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-11.xml @@ -0,0 +1,97 @@ + + + + + + + Tor: Multiple vulnerabilities + + Multiple vulnerabilities in Tor might allow for heap corruption, Denial of + Service, escalation of privileges and information disclosure. + + tor + April 08, 2009 + April 08, 2009: 01 + 250018 + 256078 + 258833 + remote + + + 0.2.0.34 + 0.2.0.34 + + + +

+ Tor is an implementation of second generation Onion Routing, a + connection-oriented anonymizing communication service. +

+
+ +
    +
  • + Theo de Raadt reported that the application does not properly drop + privileges to the primary groups of the user specified via the "User" + configuration option (CVE-2008-5397). +
  • +
  • + rovv reported that the "ClientDNSRejectInternalAddresses" configuration + option is not always enforced (CVE-2008-5398). +
  • +
  • + Ilja van Sprundel reported a heap-corruption vulnerability that might + be remotely triggerable on some platforms (CVE-2009-0414). +
  • +
  • + It has been reported that incomplete IPv4 addresses are treated as + valid, violating the specification (CVE-2009-0939). +
  • +
  • + Three unspecified vulnerabilities have also been reported + (CVE-2009-0936, CVE-2009-0937, CVE-2009-0938). +
  • +
+
+ +

+ A local attacker could escalate privileges by leveraging unintended + supplementary group memberships of the Tor process. A remote attacker + could exploit these vulnerabilities to cause a heap corruption with + unknown impact and attack vectors, to cause a Denial of Service via CPU + consuption or daemon crash, and to weaken anonymity provided by the + service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Tor users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.0.34" +
+ + CVE-2008-5397 + CVE-2008-5398 + CVE-2009-0414 + CVE-2009-0936 + CVE-2009-0937 + CVE-2009-0938 + CVE-2009-0939 + + + craig + + + rbu + + + rbu + +
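Review bot: The description of CVE-2008-5397 says Tor "does not properly drop privileges to the primary groups of the user specified via the User option", while the impact paragraph speaks of "unintended supplementary group memberships"; the two phrasings describe the same flaw from different sides, but a reader may take them as two issues. Aligning them, e.g. `does not drop supplementary group memberships when switching to the user specified via the "User" option`, would be clearer, assuming that is the upstream finding. The impact paragraph also misspells "consuption"; it should be `consumption`.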
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-12.xml b/xml/htdocs/security/en/glsa/glsa-200904-12.xml new file mode 100644 index 00000000..bd1ef845 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-12.xml @@ -0,0 +1,65 @@ + + + + + + + Wicd: Information disclosure + + A vulnerability in Wicd may allow for disclosure of sensitive information. + + wicd + April 10, 2009 + April 10, 2009: 01 + 258596 + local + + + 1.5.9 + 1.5.9 + + + +

+ Wicd is an open source wired and wireless network manager for Linux. +

+
+ +

+ Tiziano Mueller of Gentoo discovered that the DBus configuration file + for Wicd allows arbitrary users to own the org.wicd.daemon object. +

+
+ +

+ A local attacker could exploit this vulnerability to receive messages + that were intended for the Wicd daemon, possibly including credentials + e.g. for wireless networks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Wicd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/wicd-1.5.9" +
+ + CVE-2009-0489 + + + rbu + + + keytoaster + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-13.xml b/xml/htdocs/security/en/glsa/glsa-200904-13.xml new file mode 100644 index 00000000..7d0955d2 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-13.xml @@ -0,0 +1,63 @@ + + + + + + + Ventrilo: Denial of Service + + A vulnerability has been discovered in Ventrilo, allowing for a Denial of + Service. + + ventrilo-server-bin + April 14, 2009 + April 14, 2009: 01 + 234819 + remote + + + 3.0.3 + 3.0.3 + + + +

+ Ventrilo is a Voice over IP group communication server. +

+
+ +

+ Luigi Auriemma reported a NULL pointer dereference in Ventrilo when + processing packets with an invalid version number followed by another + packet. +

+
+ +

+ A remote attacker could send specially crafted packets to the server, + resulting in a crash. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ventrilo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/ventrilo-server-bin-3.0.3" +
+ + CVE-2008-3680 + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-14.xml b/xml/htdocs/security/en/glsa/glsa-200904-14.xml new file mode 100644 index 00000000..3281dca6 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-14.xml @@ -0,0 +1,78 @@ + + + + + + + F-PROT Antivirus: Multiple Denial of Service vulnerabilities + + Multiple errors in F-PROT Antivirus may lead to a Denial of Service. + + f-prot + April 14, 2009 + April 17, 2009: 04 + 232665 + 253497 + remote + + + 6.0.2 + 6.0.2 + + + +

+ F-PROT Antivirus is a multi-platform virus scanner for workstations and + mail servers. +

+
+ +

+ The following vulnerabilities were found: +

+
    +
  • Multiple errors when processing UPX, ASPack or Microsoft Office + files (CVE-2008-3243).
  • +
  • Infinite Sergio Alvarez of n.runs AG reported an invalid memory + access when processing a CHM file with a large nb_dir value + (CVE-2008-3244).
  • +
  • Jonathan Brossard from iViZ Techno Solutions reported that F-PROT + Antivirus does not correctly process ELF binaries with corrupted + headers (CVE-2008-5747). +
  • +
+
+ +

+ A remote attacker could entice a user or automated system to scan a + specially crafted file, leading to a crash or infinite loop. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All F-PROT Antivirus users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/f-prot-6.0.2" +
+ + CVE-2008-3243 + CVE-2008-3244 + CVE-2008-5747 + + + craig + + + p-y + + + p-y + +
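Review bot: The second description bullet begins "Infinite Sergio Alvarez of n.runs AG reported an invalid memory access", where "Infinite" is clearly a stray word, most likely left over from an "infinite loop" phrase that was edited away. The bullet should read `Sergio Alvarez of n.runs AG reported an invalid memory access when processing a CHM file with a large nb_dir value (CVE-2008-3244).`; if an infinite-loop condition was also meant, it should be stated as its own clause with the CVE it belongs to, since the impact paragraph does promise "a crash or infinite loop" without saying which issue causes the loop.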
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-15.xml b/xml/htdocs/security/en/glsa/glsa-200904-15.xml new file mode 100644 index 00000000..9dcf58ec --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-15.xml @@ -0,0 +1,67 @@ + + + + + + + mpg123: User-assisted execution of arbitrary code + + An error in mpg123 might allow for the execution of arbitrary code. + + mpg123 + April 16, 2009 + April 16, 2009: 01 + 265342 + remote + + + 1.7.2 + 1.7.2 + + + +

+ mpg123 is a realtime MPEG 1.0/2.0/2.5 audio player for layers 1, 2 and + 3. +

+
+ +

+ The vendor reported a signedness error in the store_id3_text() function + in id3.c, allowing for out-of-bounds memory access. +

+
+ +

+ A remote attacker could entice a user to open an MPEG-1 Audio Layer 3 + (MP3) file containing a specially crafted ID3 tag, possibly resulting + in the execution of arbitrary code with the privileges of the user + running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All mpg123 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/mpg123-1.7.2" +
+ + CVE-2009-1301 + + + keytoaster + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-16.xml b/xml/htdocs/security/en/glsa/glsa-200904-16.xml new file mode 100644 index 00000000..26917c5f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200904-16.xml @@ -0,0 +1,68 @@ + + + + + + + libsndfile: User-assisted execution of arbitrary code + + A buffer overflow vulnerability in libsndfile might allow remote attackers + to execute arbitrary code. + + libsndfile + April 17, 2009 + April 17, 2009: 01 + 261173 + remote + + + 1.0.19 + 1.0.19 + + + +

+ libsndfile is a C library for reading and writing files containing + sampled sound. +

+
+ +

+ Alin Rad Pop from Secunia Research reported an integer overflow when + processing CAF description chunks, leading to a heap-based buffer + overflow. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted CAF + file, resulting in the remote execution of arbitrary code with the + privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libsndfile users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libsndfile-1.0.19" +
+ + CVE-2009-0186 + + + a3li + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-17.xml b/xml/htdocs/security/en/glsa/glsa-200904-17.xml
new file mode 100644
index 00000000..dd49db41
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200904-17.xml
@@ -0,0 +1,102 @@
+ + + + + + + Adobe Reader: User-assisted execution of arbitrary code + + Adobe Reader is vulnerable to execution of arbitrary code. + + acroread + April 18, 2009 + April 18, 2009: 01 + 259992 + remote + + + 8.1.4 + 8.1.4 + + + +

+ Adobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF + reader. +

+
+ +

+ Multiple vulnerabilities have been discovered in Adobe Reader: +

+
    +
  • + Alin Rad Pop of Secunia Research reported a heap-based buffer overflow + when processing PDF files containing a malformed JBIG2 symbol + dictionary segment (CVE-2009-0193). +
  • +
  • + A buffer overflow related to a non-JavaScript function call and + possibly an embedded JBIG2 image stream has been reported + (CVE-2009-0658). +
  • +
  • + Tenable Network Security reported a stack-based buffer overflow that + can be triggered via a crafted argument to the getIcon() method of a + Collab object (CVE-2009-0927). +
  • +
  • + Sean Larsson of iDefense Labs reported a heap-based buffer overflow + when processing a PDF file containing a JBIG2 stream with a size + inconsistency related to an unspecified table (CVE-2009-0928). +
  • +
  • + Jonathan Brossard of the iViZ Security Research Team reported an + unspecified vulnerability related to JBIG2 and input validation + (CVE-2009-1061). +
  • +
  • + Will Dormann of CERT/CC reported a vulnerability lading to memory + corruption related to JBIG2 (CVE-2009-1062). +
  • +

+

+
+ +

+ A remote attacker could entice a user to open a specially crafted PDF + document, possibly leading to the execution of arbitrary code with the + privileges of the user running the application, or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Reader users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/acroread-8.1.4" +
+ + CVE-2009-0193 + CVE-2009-0658 + CVE-2009-0927 + CVE-2009-0928 + CVE-2009-1061 + CVE-2009-1062 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-18.xml b/xml/htdocs/security/en/glsa/glsa-200904-18.xml
new file mode 100644
index 00000000..57290405
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200904-18.xml
@@ -0,0 +1,71 @@
+ + + + + + + udev: Multiple vulnerabilities + + Two errors in udev allow for a local root compromise and a Denial of + Service. + + udev + April 18, 2009 + April 18, 2009: 01 + 266290 + local + + + 124-r2 + 124-r2 + + + +

+ udev is the device manager used in the Linux 2.6 kernel series. +

+
+ +

+ Sebastian Krahmer of SUSE discovered the following two vulnerabilities: +

+
    +
  • udev does not verify the origin of NETLINK messages + properly (CVE-2009-1185).
  • +
  • A buffer overflow exists in the + util_path_encode() function in lib/libudev-util.c (CVE-2009-1186).
  • +
+
+ +

+ A local attacker could gain root privileges by sending specially + crafted NETLINK messages to udev or cause a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All udev users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-fs/udev-124-r2" +
+ + CVE-2009-1185 + CVE-2009-1186 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-19.xml b/xml/htdocs/security/en/glsa/glsa-200904-19.xml
new file mode 100644
index 00000000..076d6a4c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200904-19.xml
@@ -0,0 +1,86 @@
+ + + + + + + LittleCMS: Multiple vulnerabilities + + Multiple errors in LittleCMS allow for attacks including the remote + execution of arbitrary code. + + littlecms + April 19, 2009 + April 19, 2009: 01 + 260269 + 264604 + remote + + + 1.18-r1 + 1.18-r1 + + + +

+ LittleCMS, or short lcms, is a color management system for working with + ICC profiles. It is used by many applications including GIMP and + Firefox. +

+
+ +

+ RedHat reported a null-pointer dereference flaw while processing + monochrome ICC profiles (CVE-2009-0793). +

+

+ Chris Evans of Google discovered the following vulnerabilities: +

+
    +
  • LittleCMS contains severe memory leaks (CVE-2009-0581).
  • +
  • LittleCMS is prone to multiple integer overflows, leading to a + heap-based buffer overflow (CVE-2009-0723).
  • +
  • The + ReadSetOfCurves() function is vulnerable to stack-based buffer + overflows when called from code paths without a bounds check on channel + counts (CVE-2009-0733).
  • +
+
+ +

+ A remote attacker could entice a user or automated system to open a + specially crafted file containing a malicious ICC profile, possibly + resulting in the execution of arbitrary code with the privileges of the + user running the application or memory exhaustion, leading to a Denial + of Service condition. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All LittleCMS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/lcms-1.18-r1" +
+ + CVE-2009-0581 + CVE-2009-0723 + CVE-2009-0733 + CVE-2009-0793 + + + rbu + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200904-20.xml b/xml/htdocs/security/en/glsa/glsa-200904-20.xml
new file mode 100644
index 00000000..52fec8a4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200904-20.xml
@@ -0,0 +1,84 @@
+ + + + + + + CUPS: Multiple vulnerabilities + + Multiple errors in CUPS might allow for the remote execution of arbitrary + code or DNS rebinding attacks. + + cups + April 23, 2009 + April 23, 2009: 01 + 263070 + remote + + + 1.3.10 + 1.3.10 + + + +

+ CUPS, the Common Unix Printing System, is a full-featured print server. +

+
+ +

+ The following issues were reported in CUPS: +

+
    +
  • iDefense + reported an integer overflow in the _cupsImageReadTIFF() function in + the "imagetops" filter, leading to a heap-based buffer overflow + (CVE-2009-0163).
  • +
  • Aaron Siegel of Apple Product Security + reported that the CUPS web interface does not verify the content of the + "Host" HTTP header properly (CVE-2009-0164).
  • +
  • Braden Thomas and + Drew Yao of Apple Product Security reported that CUPS is vulnerable to + CVE-2009-0146, CVE-2009-0147 and CVE-2009-0166, found earlier in xpdf + and poppler.
  • +
+
+ +

+ A remote attacker might send or entice a user to send a specially + crafted print job to CUPS, possibly resulting in the execution of + arbitrary code with the privileges of the configured CUPS user -- by + default this is "lp", or a Denial of Service. Furthermore, the web + interface could be used to conduct DNS rebinding attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CUPS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/cups-1.3.10" +
+ + CVE-2009-0146 + CVE-2009-0147 + CVE-2009-0163 + CVE-2009-0164 + CVE-2009-0166 + + + a3li + + + a3li + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200905-01.xml b/xml/htdocs/security/en/glsa/glsa-200905-01.xml
new file mode 100644
index 00000000..b27f1fae
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200905-01.xml
@@ -0,0 +1,87 @@
+ + + + + + + Asterisk: Multiple vulnerabilities + + Multiple vulnerabilities have been found in Asterisk allowing for Denial of + Service and username disclosure. + + asterisk + May 02, 2009 + May 02, 2009: 01 + 218966 + 224835 + 232696 + 232698 + 237476 + 250748 + 254304 + remote + + + 1.2.32 + 1.2.32 + + + +

+ Asterisk is an open source telephony engine and toolkit. +

+
+ +

+ Multiple vulnerabilities have been discovered in the IAX2 channel + driver when performing the 3-way handshake (CVE-2008-1897), when + handling a large number of POKE requests (CVE-2008-3263), when handling + authentication attempts (CVE-2008-5558) and when handling firmware + download (FWDOWNL) requests (CVE-2008-3264). Asterisk does also not + correctly handle SIP INVITE messages that lack a "From" header + (CVE-2008-2119), and responds differently to a failed login attempt + depending on whether the user account exists (CVE-2008-3903, + CVE-2009-0041). +

+
+ +

+ Remote unauthenticated attackers could send specially crafted data to + Asterisk, possibly resulting in a Denial of Service via a daemon crash, + call-number exhaustion, CPU or traffic consumption. Remote + unauthenticated attackers could furthermore enumerate valid usernames + to facilitate brute force login attempts. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Asterisk users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.32" +
+ + CVE-2008-1897 + CVE-2008-2119 + CVE-2008-3263 + CVE-2008-3264 + CVE-2008-3903 + CVE-2008-5558 + CVE-2009-0041 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200905-02.xml b/xml/htdocs/security/en/glsa/glsa-200905-02.xml
new file mode 100644
index 00000000..9942a7dc
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200905-02.xml
@@ -0,0 +1,70 @@
+ + + + + + + Cscope: User-assisted execution of arbitrary code + + Multiple vulnerabilities in Cscope might allow for the remote execution of + arbitrary code. + + cscope + May 24, 2009 + May 24, 2009: 01 + 263023 + remote + + + 15.7a + 15.7a + + + +

+ Cscope is a developer's tool for browsing source code. +

+
+ +

+ James Peach of Apple discovered a stack-based buffer overflow in + cscope's handling of long file system paths (CVE-2009-0148). Multiple + stack-based buffer overflows were reported in the putstring function + when processing an overly long function name or symbol in a source code + file (CVE-2009-1577). +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + source file, possibly resulting in the remote execution of arbitrary + code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cscope users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/cscope-15.7a" +
+ + CVE-2009-0148 + CVE-2009-1577 + + + keytoaster + + + p-y + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200905-03.xml b/xml/htdocs/security/en/glsa/glsa-200905-03.xml
new file mode 100644
index 00000000..c07b5fa0
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200905-03.xml
@@ -0,0 +1,78 @@
+ + + + + + + IPSec Tools: Denial of Service + + Multiple errors in the IPSec Tools racoon daemon might allow remote + attackers to cause a Denial of Service. + + ipsec-tools + May 24, 2009 + May 24, 2009: 01 + 267135 + remote + + + 0.7.2 + 0.7.2 + + + +

+ The IPSec Tools are a port of KAME's IPsec utilities to the Linux-2.6 + IPsec implementation. They include racoon, an Internet Key Exchange + daemon for automatically keying IPsec connections. +

+
+ +

+ The following vulnerabilities have been found in the racoon daemon as + shipped with IPSec Tools: +

+
    +
  • Neil Kettle reported that + racoon/isakmp_frag.c is prone to a null-pointer dereference + (CVE-2009-1574).
  • +
  • Multiple memory leaks exist in (1) the + eay_check_x509sign() function in racoon/crypto_openssl.c and (2) + racoon/nattraversal.c (CVE-2009-1632).
  • +
+
+ +

+ A remote attacker could send specially crafted fragmented ISAKMP + packets without a payload or exploit vectors related to X.509 + certificate authentication and NAT traversal, possibly resulting in a + crash of the racoon daemon. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All IPSec Tools users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-firewall/ipsec-tools-0.7.2" +
+ + CVE-2009-1574 + CVE-2009-1632 + + + craig + + + a3li + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200905-04.xml b/xml/htdocs/security/en/glsa/glsa-200905-04.xml
new file mode 100644
index 00000000..6ece3329
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200905-04.xml
@@ -0,0 +1,84 @@
+ + + + + + + GnuTLS: Multiple vulnerabilities + + Multiple vulnerabilities in GnuTLS might result in a Denial of Service, + spoofing or the generation of invalid keys. + + gnutls + May 24, 2009 + May 24, 2009: 01 + 267774 + remote + + + 2.6.6 + 2.6.6 + + + +

+ GnuTLS is an Open Source implementation of the TLS 1.0 and SSL 3.0 + protocols. +

+
+ +

+ The following vulnerabilities were found in GnuTLS: +

+
    +
  • Miroslav Kratochvil reported that lib/pk-libgcrypt.c does not + properly handle corrupt DSA signatures, possibly leading to a + double-free vulnerability (CVE-2009-1415).
  • +
  • Simon Josefsson + reported that GnuTLS generates RSA keys stored in DSA structures when + creating a DSA key (CVE-2009-1416).
  • +
  • Romain Francoise reported + that the _gnutls_x509_verify_certificate() function in + lib/x509/verify.c does not perform time checks, resulting in the + "gnutls-cli" program accepting X.509 certificates with validity times + in the past or future (CVE-2009-1417).
  • +
+
+ +

+ A remote attacker could entice a user or automated system to process a + specially crafted DSA certificate, possibly resulting in a Denial of + Service condition. NOTE: This issue might have other unspecified impact + including the execution of arbitrary code. Furthermore, a remote + attacker could spoof signatures on certificates and the "gnutls-cli" + application can be tricked into accepting an invalid certificate. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GnuTLS users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.6.6" +
+ + CVE-2009-1415 + CVE-2009-1416 + CVE-2009-1417 + + + a3li + + + a3li + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200905-05.xml b/xml/htdocs/security/en/glsa/glsa-200905-05.xml
new file mode 100644
index 00000000..db47fa83
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200905-05.xml
@@ -0,0 +1,70 @@
+ + + + + + + FreeType: Multiple vulnerabilities + + Multiple integer overflows in FreeType might allow for the remote execution + of arbitrary code or a Denial of Service. + + freetype + May 24, 2009 + May 25, 2009: 02 + 263032 + remote + + + 2.3.9-r1 + 2.0 + 2.3.9-r1 + + + +

+ FreeType is a high-quality and portable font engine. +

+
+ +

+ Tavis Ormandy reported multiple integer overflows in the + cff_charset_compute_cids() function in cff/cffload.c, sfnt/tccmap.c and + the ft_smooth_render_generic() function in smooth/ftsmooth.c, possibly + leading to heap or stack-based buffer overflows. +

+
+ +

+ A remote attacker could entice a user or automated system to open a + specially crafted font file, possibly resulting in the execution of + arbitrary code with the privileges of the user running the application, + or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FreeType users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/freetype-2.3.9-r1" +
+ + CVE-2009-0946 + + + a3li + + + a3li + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200905-06.xml b/xml/htdocs/security/en/glsa/glsa-200905-06.xml
new file mode 100644
index 00000000..8ba48999
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200905-06.xml
@@ -0,0 +1,66 @@
+ + + + + + + acpid: Denial of Service + + An error in acpid might allow remote attackers to cause a Denial of + Service. + + acpid + May 24, 2009 + May 24, 2009: 01 + 268079 + remote + + + 1.0.10 + 1.0.10 + + + +

+ acpid is a daemon for the Advanced Configuration and Power Interface + (ACPI). +

+
+ +

+ The acpid daemon allows opening a large number of UNIX sockets without + closing them, triggering an infinite loop. +

+
+ +

+ Remote attackers can cause a Denial of Service (CPU consumption and + connectivity loss). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All acpid users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-power/acpid-1.0.10" +
+ + CVE-2009-0798 + + + craig + + + craig + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200905-07.xml b/xml/htdocs/security/en/glsa/glsa-200905-07.xml
new file mode 100644
index 00000000..f9df3614
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200905-07.xml
@@ -0,0 +1,81 @@
+ + + + + + + Pidgin: Multiple vulnerabilities + + Multiple vulnerabilities in Pidgin might allow for the remote execution of + arbitrary code or a Denial of Service. + + pidgin + May 25, 2009 + May 25, 2009: 01 + 270811 + remote + + + 2.5.6 + 2.5.6 + + + +

+ Pidgin (formerly Gaim) is an instant messaging client for a variety of + instant messaging protocols. +

+
+ +

+ Multiple vulnerabilities have been discovered in Pidgin: +

+
    +
  • Veracode reported a boundary error in the "XMPP SOCKS5 bytestream + server" when initiating an outgoing file transfer (CVE-2009-1373).
  • +
  • Ka-Hing Cheung reported a heap corruption flaw in the QQ protocol + handler (CVE-2009-1374).
  • +
  • A memory corruption flaw in + "PurpleCircBuffer" was disclosed by Josef Andrysek + (CVE-2009-1375).
  • +
  • The previous fix for CVE-2008-2927 contains a + cast from uint64 to size_t, possibly leading to an integer overflow + (CVE-2009-1376, GLSA 200901-13).
  • +
+
+ +

+ A remote attacker could send specially crafted messages or files using + the MSN, XMPP or QQ protocols, possibly resulting in the execution of + arbitrary code with the privileges of the user running the application, + or a Denial of Service. NOTE: Successful exploitation might require the + victim's interaction. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Pidgin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/pidgin-2.5.6" +
+ + CVE-2009-1373 + CVE-2009-1374 + CVE-2009-1375 + CVE-2009-1376 + GLSA 200901-13 + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200905-08.xml b/xml/htdocs/security/en/glsa/glsa-200905-08.xml
new file mode 100644
index 00000000..83a563e1
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200905-08.xml
@@ -0,0 +1,84 @@
+ + + + + + + NTP: Remote execution of arbitrary code + + Multiple errors in the NTP client and server programs might allow for the + remote execution of arbitrary code. + + ntp + May 26, 2009 + May 26, 2009: 01 + 263033 + 268962 + remote + + + 4.2.4_p7 + 4.2.4_p7 + + + +

+ NTP contains the client and daemon implementations for the Network Time + Protocol. +

+
+ +

+ Multiple vulnerabilities have been found in the programs included in + the NTP package: +

+
    +
  • Apple Product Security reported a + boundary error in the cookedprint() function in ntpq/ntpq.c, possibly + leading to a stack-based buffer overflow (CVE-2009-0159).
  • +
  • Chris Ries of CMU reported a boundary error within the + crypto_recv() function in ntpd/ntp_crypto.c, possibly leading to a + stack-based buffer overflow (CVE-2009-1252).
  • +
+
+ +

+ A remote attacker might send a specially crafted package to a machine + running ntpd, possibly resulting in the remote execution of arbitrary + code with the privileges of the user running the daemon, or a Denial of + Service. NOTE: Successful exploitation requires the "autokey" feature + to be enabled. This feature is only available if NTP was built with the + 'ssl' USE flag. +

+

+ Furthermore, a remote attacker could entice a user into connecting to a + malicious server using ntpq, possibly resulting in the remote execution + of arbitrary code with the privileges of the user running the + application, or a Denial of Service. +

+
+ +

+ You can protect against CVE-2009-1252 by disabling the 'ssl' USE flag + and recompiling NTP. +

+
+ +

+ All NTP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.4_p7" +
+ + CVE-2009-0159 + CVE-2009-1252 + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200905-09.xml b/xml/htdocs/security/en/glsa/glsa-200905-09.xml
new file mode 100644
index 00000000..8a5e3a0e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200905-09.xml
@@ -0,0 +1,77 @@
+ + + + + + + libsndfile: User-assisted execution of arbitrary code + + Multiple heap-based buffer overflow vulnerabilities in libsndfile might + allow remote attackers to execute arbitrary code. + + libsndfile + May 27, 2009 + May 27, 2009: 01 + 269863 + remote + + + 1.0.20 + 1.0.20 + + + +

+ libsndfile is a C library for reading and writing files containing + sampled sound. +

+
+ +

+ The following vulnerabilities have been found in libsndfile: +

+
    +
  • Tobias Klein reported that the header_read() function in + src/common.c uses user input for calculating a buffer size, possibly + leading to a heap-based buffer overflow (CVE-2009-1788).
  • +
  • The + vendor reported a boundary error in the aiff_read_header() function in + src/aiff.c, possibly leading to a heap-based buffer overflow + (CVE-2009-1791).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted AIFF + or VOC file in a program using libsndfile, possibly resulting in the + execution of arbitrary code with the privileges of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libsndfile users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libsndfile-1.0.20" +
+ + CVE-2009-1788 + CVE-2009-1791 + + + keytoaster + + + a3li + + + p-y + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200906-01.xml b/xml/htdocs/security/en/glsa/glsa-200906-01.xml
new file mode 100644
index 00000000..6b961601
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200906-01.xml
@@ -0,0 +1,69 @@
+ + + + + + + libpng: Information disclosure + + A vulnerability has been discovered in libpng that allows for information + disclosure. + + libpng + June 27, 2009 + June 27, 2009: 01 + 272970 + remote + + + 1.2.37 + 1.2.37 + + + +

+ libpng is the official PNG reference library used to read, write and + manipulate PNG images. +

+
+ +

+ Jeff Phillips discovered that libpng does not properly parse 1-bit + interlaced images with width values that are not divisible by 8, which + causes libpng to include uninitialized bits in certain rows of a PNG + file. +

+
+ +

+ A remote attacker might entice a user to open a specially crafted PNG + file, possibly resulting in the disclosure of sensitive memory + portions. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libpng users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.37" +
+ + CVE-2009-2042 + + + keytoaster + + + keytoaster + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200906-02.xml b/xml/htdocs/security/en/glsa/glsa-200906-02.xml
new file mode 100644
index 00000000..d9cfc64d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200906-02.xml
@@ -0,0 +1,64 @@
+ + + + + + + Ruby: Denial of Service + + A flaw in the Ruby standard library might allow remote attackers to cause a + Denial of Service attack. + + ruby + June 28, 2009 + June 28, 2009: 01 + 273213 + remote + + + 1.8.6_p369 + 1.8.6_p369 + + + +

+ Ruby is an interpreted object-oriented programming language. The + elaborate standard library includes the "BigDecimal" class. +

+
+ +

+ Tadayoshi Funaba reported that BigDecimal in + ext/bigdecimal/bigdecimal.c does not properly handle string arguments + containing overly long numbers. +

+
+ +

+ A remote attacker could exploit this issue to remotely cause a Denial + of Service attack. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ruby users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.6_p369" +
+ + CVE-2009-1904 + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200906-03.xml b/xml/htdocs/security/en/glsa/glsa-200906-03.xml
new file mode 100644
index 00000000..4cb6b327
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200906-03.xml
@@ -0,0 +1,72 @@
+ + + + + + + phpMyAdmin: Multiple vulnerabilities + + Multiple errors in phpMyAdmin might allow the remote execution of arbitrary + code or a Cross-Site Scripting attack. + + phpmyadmin + June 29, 2009 + June 29, 2009: 01 + 263711 + remote + + + 2.11.9.5 + 2.11.9.5 + + + +

+ phpMyAdmin is a web-based management tool for MySQL databases. +

+
+ +

+ Multiple vulnerabilities have been reported in phpMyAdmin: +

+
    +
  • Greg Ose discovered that the setup script does not sanitize input + properly, leading to the injection of arbitrary PHP code into the + configuration file (CVE-2009-1151).
  • +
  • Manuel Lopez Gallego and + Santiago Rodriguez Collazo reported that data from cookies used in the + "Export" page is not properly sanitized (CVE-2009-1150).
  • +
+
+ +

+ A remote unauthorized attacker could exploit the first vulnerability to + execute arbitrary code with the privileges of the user running + phpMyAdmin and conduct Cross-Site Scripting attacks using the second + vulnerability. +

+
+ +

+ Removing the "scripts/setup.php" file protects you from CVE-2009-1151. +

+
+ +

+ All phpMyAdmin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.11.9.5" +
+ + CVE-2009-1150 + CVE-2009-1151 + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200906-04.xml b/xml/htdocs/security/en/glsa/glsa-200906-04.xml
new file mode 100644
index 00000000..34440d4f
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200906-04.xml
@@ -0,0 +1,70 @@
+ + + + + + + Apache Tomcat JK Connector: Information disclosure + + An error in the Apache Tomcat JK Connector might allow for an information + disclosure flaw. + + mod_jk + June 29, 2009 + June 29, 2009: 01 + 265455 + remote + + + 1.2.27 + 1.2.27 + + + +

+ The Apache Tomcat JK Connector (aka mod_jk) connects the Tomcat + application server with the Apache HTTP Server. +

+
+ +

+ The Red Hat Security Response Team discovered that mod_jk does not + properly handle (1) requests setting the "Content-Length" header while + not providing data and (2) clients sending repeated requests very + quickly. +

+
+ +

+ A remote attacker could send specially crafted requests or a large + number of requests at a time, possibly resulting in the disclosure of a + response intended for another client. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache Tomcat JK Connector users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apache/mod_jk-1.2.27" +
+ + CVE-2008-5519 + + + keytoaster + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200906-05.xml b/xml/htdocs/security/en/glsa/glsa-200906-05.xml
new file mode 100644
index 00000000..cc9eee55
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200906-05.xml
@@ -0,0 +1,154 @@
+ + + + + + + Wireshark: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Wireshark which allow for + Denial of Service or remote code execution. + + wireshark + June 30, 2009 + June 30, 2009: 02 + 242996 + 248425 + 258013 + 264571 + 271062 + remote + + + 1.0.8 + 1.0.8 + + + +

+ Wireshark is a versatile network protocol analyzer. +

+
+ +

+ Multiple vulnerabilities have been discovered in Wireshark: +

+
    +
  • + David Maciejak discovered a vulnerability in packet-usb.c in the USB + dissector via a malformed USB Request Block (URB) (CVE-2008-4680). +
  • +
  • + Florent Drouin and David Maciejak reported an unspecified vulnerability + in the Bluetooth RFCOMM dissector (CVE-2008-4681). +
  • +
  • + A malformed Tamos CommView capture file (aka .ncf file) with an + "unknown/unexpected packet type" triggers a failed assertion in wtap.c + (CVE-2008-4682). +
  • +
  • + An unchecked packet length parameter in the dissect_btacl() function in + packet-bthci_acl.c in the Bluetooth ACL dissector causes an erroneous + tvb_memcpy() call (CVE-2008-4683). +
  • +
  • + A vulnerability where packet-frame does not properly handle exceptions + thrown by post dissectors caused by a certain series of packets + (CVE-2008-4684). +
  • +
  • + Mike Davies reported a use-after-free vulnerability in the + dissect_q931_cause_ie() function in packet-q931.c in the Q.931 + dissector via certain packets that trigger an exception + (CVE-2008-4685). +
  • +
  • + The Security Vulnerability Research Team of Bkis reported that the SMTP + dissector could consume excessive amounts of CPU and memory + (CVE-2008-5285). +
  • +
  • + The vendor reported that the WLCCP dissector could go into an infinite + loop (CVE-2008-6472). +
  • +
  • + babi discovered a buffer overflow in wiretap/netscreen.c via a + malformed NetScreen snoop file (CVE-2009-0599). +
  • +
  • + A specially crafted Tektronix K12 text capture file can cause an + application crash (CVE-2009-0600). +
  • +
  • + A format string vulnerability via format string specifiers in the HOME + environment variable (CVE-2009-0601). +
  • +
  • THCX Labs reported a format string vulnerability in the + PROFINET/DCP (PN-DCP) dissector via a PN-DCP packet with format string + specifiers in the station name (CVE-2009-1210). +
  • +
  • An unspecified vulnerability with unknown impact and attack vectors + (CVE-2009-1266). +
  • +
  • + Marty Adkins and Chris Maynard discovered a parsing error in the + dissector for the Check Point High-Availability Protocol (CPHAP) + (CVE-2009-1268). +
  • +
  • + Magnus Homann discovered a parsing error when loading a Tektronix .rf5 + file (CVE-2009-1269). +
  • +
  • The vendor reported that the PCNFSD dissector could crash + (CVE-2009-1829).
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities by sending + specially crafted packets on a network being monitored by Wireshark or + by enticing a user to read a malformed packet trace file which can + trigger a Denial of Service (application crash or excessive CPU and + memory usage) and possibly allow for the execution of arbitrary code + with the privileges of the user running Wireshark. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Wireshark users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.0.8" +
+ + CVE-2008-4680 + CVE-2008-4681 + CVE-2008-4682 + CVE-2008-4683 + CVE-2008-4684 + CVE-2008-4685 + CVE-2008-5285 + CVE-2008-6472 + CVE-2009-0599 + CVE-2009-0600 + CVE-2009-0601 + CVE-2009-1210 + CVE-2009-1266 + CVE-2009-1268 + CVE-2009-1269 + CVE-2009-1829 + + + craig + + + craig + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-01.xml b/xml/htdocs/security/en/glsa/glsa-200907-01.xml
new file mode 100644
index 00000000..0523645a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-01.xml
@@ -0,0 +1,67 @@
+ + + + + + + libwmf: User-assisted execution of arbitrary code + + libwmf bundles an old GD version which contains a "use-after-free" + vulnerability. + + libwmf + July 02, 2009 + July 02, 2009: 01 + 268161 + remote + + + 0.2.8.4-r3 + 0.2.8.4-r3 + + + +

+ libwmf is a library for converting WMF files. +

+
+ +

+ The embedded fork of the GD library introduced a "use-after-free" + vulnerability in a modification which is specific to libwmf. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted WMF + file, possibly resulting in the execution of arbitrary code with the + privileges of the user running the application, or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libwmf users should upgrade to the latest version which no longer + builds the GD library: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libwmf-0.2.8.4-r3" +
+ + CVE-2009-1364 + + + keytoaster + + + craig + + + craig + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-02.xml b/xml/htdocs/security/en/glsa/glsa-200907-02.xml
new file mode 100644
index 00000000..72aad7b6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-02.xml
@@ -0,0 +1,75 @@
+ + + + + + + ModSecurity: Denial of Service + + Two vulnerabilities in ModSecurity might lead to a Denial of Service. + + mod_security + July 02, 2009 + July 02, 2009: 01 + 262302 + remote + + + 2.5.9 + 2.5.9 + + + +

+ ModSecurity is a popular web application firewall for the Apache HTTP + server. +

+
+ +

+ Multiple vulnerabilities were discovered in ModSecurity: +

+
    +
  • Juan Galiana Lara of ISecAuditors discovered a NULL pointer + dereference when processing multipart requests without a part header + name (CVE-2009-1902).
  • +
  • Steve Grubb of Red Hat reported that the + "PDF XSS protection" feature does not properly handle HTTP requests to + a PDF file that do not use the GET method (CVE-2009-1903).
  • +
+
+ +

+ A remote attacker might send requests containing specially crafted + multipart data or send certain requests to access a PDF file, possibly + resulting in a Denial of Service (crash) of the Apache HTTP daemon. + NOTE: The PDF XSS protection is not enabled by default. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ModSecurity users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apache/mod_security-2.5.9" +
+ + CVE-2009-1902 + CVE-2009-1903 + + + craig + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-03.xml b/xml/htdocs/security/en/glsa/glsa-200907-03.xml
new file mode 100644
index 00000000..84868968
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-03.xml
@@ -0,0 +1,90 @@
+ + + + + + + APR Utility Library: Multiple vulnerabilities + + Multiple vulnerabilities in the Apache Portable Runtime Utility Library + might enable remote attackers to cause a Denial of Service or disclose + sensitive information. + + apr-util + July 04, 2009 + July 04, 2009: 01 + 268643 + 272260 + 274193 + remote + + + 1.3.7 + 1.3.7 + + + +

+ The Apache Portable Runtime Utility Library (aka apr-util) provides an + interface to functionality such as XML parsing, string matching and + databases connections. +

+
+ +

+ Multiple vulnerabilities have been discovered in the APR Utility + Library: +

+
    +
  • Matthew Palmer reported a heap-based buffer + underflow while compiling search patterns in the + apr_strmatch_precompile() function in strmatch/apr_strmatch.c + (CVE-2009-0023).
  • +
  • kcope reported that the expat XML parser in + xml/apr_xml.c does not limit the amount of XML entities expanded + recursively (CVE-2009-1955).
  • +
  • C. Michael Pilato reported an + off-by-one error in the apr_brigade_vprintf() function in + buckets/apr_brigade.c (CVE-2009-1956).
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities to cause a Denial + of Service (crash or memory exhaustion) via an Apache HTTP server + running mod_dav or mod_dav_svn, or using several configuration files. + Additionally, a remote attacker could disclose sensitive information or + cause a Denial of Service by sending a specially crafted input. NOTE: + Only big-endian architectures such as PPC and HPPA are affected by the + latter flaw. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache Portable Runtime Utility Library users should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/apr-util-1.3.7" +
+ + CVE-2009-0023 + CVE-2009-1955 + CVE-2009-1956 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-04.xml b/xml/htdocs/security/en/glsa/glsa-200907-04.xml
new file mode 100644
index 00000000..cf09ec7e
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-04.xml
@@ -0,0 +1,96 @@
+ + + + + + + Apache: Multiple vulnerabilities + + Multiple vulnerabilities in the Apache HTTP daemon allow for local + privilege escalation, information disclosure or Denial of Service attacks. + + apache + July 12, 2009 + July 12, 2009: 01 + 268154 + 271470 + 276426 + 276792 + local, remote + + + 2.2.11-r2 + 2.2.11-r2 + + + +

+ The Apache HTTP server is one of the most popular web servers on the + Internet. +

+
+ +

+ Multiple vulnerabilities have been discovered in the Apache HTTP + server: +

+
    +
  • Jonathan Peatfield reported that the + "Options=IncludesNoEXEC" argument to the "AllowOverride" directive is + not processed properly (CVE-2009-1195).
  • +
  • Sander de Boer + discovered that the AJP proxy module (mod_proxy_ajp) does not correctly + handle POST requests that do not contain a request body + (CVE-2009-1191).
  • +
  • The vendor reported that the HTTP proxy + module (mod_proxy_http), when being used as a reverse proxy, does not + properly handle requests containing more data as stated in the + "Content-Length" header (CVE-2009-1890).
  • +
  • Francois Guerraz + discovered that mod_deflate does not abort the compression of large + files even when the requesting connection is closed prematurely + (CVE-2009-1891).
  • +
+
+ +

+ A local attacker could circumvent restrictions put up by the server + administrator and execute arbitrary commands with the privileges of the + user running the Apache server. A remote attacker could send multiple + requests to a server with the AJP proxy module, possibly resulting in + the disclosure of a request intended for another client, or cause a + Denial of Service by sending specially crafted requests to servers + running mod_proxy_http or mod_deflate. +

+
+ +

+ Remove "include", "proxy_ajp", "proxy_http" and "deflate" from + APACHE2_MODULES in make.conf and rebuild Apache, or disable the + aforementioned modules in the Apache configuration. +

+
+ +

+ All Apache users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.11-r2" +
+ + CVE-2009-1195 + CVE-2009-1191 + CVE-2009-1890 + CVE-2009-1891 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-05.xml b/xml/htdocs/security/en/glsa/glsa-200907-05.xml
new file mode 100644
index 00000000..8facbd6b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-05.xml
@@ -0,0 +1,67 @@
+ + + + + + + git: git-daemon Denial of Service + + An error in git-daemon might lead to a Denial of Service via resource + consumption. + + git + July 12, 2009 + July 12, 2009: 01 + 273905 + remote + + + 1.6.3.3 + 1.6.3.3 + + + +

+ git - the stupid content tracker, the revision control system used by + the Linux kernel team. +

+
+ +

+ Shawn O. Pearce reported that git-daemon runs into an infinite loop + when handling requests that contain unrecognized arguments. +

+
+ +

+ A remote unauthenticated attacker could send a specially crafted + request to git-daemon, possibly leading to a Denial of Service (CPU + consumption). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All git users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/git-1.6.3.3" +
+ + CVE-2009-2108 + + + craig + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-06.xml b/xml/htdocs/security/en/glsa/glsa-200907-06.xml
new file mode 100644
index 00000000..67e59973
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-06.xml
@@ -0,0 +1,125 @@
+ + + + + + + Adobe Reader: User-assisted execution of arbitrary code + + Adobe Reader is vulnerable to remote code execution via crafted PDF files. + + acroread + July 12, 2009 + July 12, 2009: 01 + 267846 + 273908 + remote + + + 8.1.6 + 8.1.6 + + + +

+ Adobe Reader is a PDF reader released by Adobe. +

+
+ +

+ Multiple vulnerabilities have been reported in Adobe Reader: +

+
    +
  • Alin Rad Pop of Secunia Research reported a heap-based buffer + overflow in the JBIG2 filter (CVE-2009-0198). +
  • +
  • Mark Dowd of the IBM Internet Security Systems X-Force and + Nicolas Joly of VUPEN Security reported multiple heap-based buffer + overflows in the JBIG2 filter (CVE-2009-0509, CVE-2009-0510, + CVE-2009-0511, CVE-2009-0512, CVE-2009-0888, CVE-2009-0889) +
  • +
  • Arr1val reported that multiple methods in the JavaScript API + might lead to memory corruption when called with crafted arguments + (CVE-2009-1492, CVE-2009-1493). +
  • +
  • + An anonymous researcher reported a stack-based buffer overflow related + to U3D model files with a crafted extension block (CVE-2009-1855). +
  • +
  • + Jun Mao and Ryan Smith of iDefense Labs reported an integer overflow + related to the FlateDecode filter, which triggers a heap-based buffer + overflow (CVE-2009-1856). +
  • +
  • + Haifei Li of Fortinet's FortiGuard Global Security Research Team + reported a memory corruption vulnerability related to TrueType fonts + (CVE-2009-1857). +
  • +
  • + The Apple Product Security Team reported a memory corruption + vulnerability in the JBIG2 filter (CVE-2009-1858). +
  • +
  • + Matthew Watchinski of Sourcefire VRT reported an unspecified memory + corruption (CVE-2009-1859). +
  • +
  • + Will Dormann of CERT reported multiple heap-based buffer overflows when + processing JPX (aka JPEG2000) stream that trigger heap memory + corruption (CVE-2009-1861). +
  • +
  • + Multiple unspecified vulnerabilities have been discovered + (CVE-2009-2028). +
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted + document, possibly resulting in the execution of arbitrary code with + the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Reader users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/acroread-8.1.6" +
+ + CVE-2009-0198 + CVE-2009-0509 + CVE-2009-0510 + CVE-2009-0511 + CVE-2009-0512 + CVE-2009-0888 + CVE-2009-0889 + CVE-2009-1492 + CVE-2009-1493 + CVE-2009-1855 + CVE-2009-1856 + CVE-2009-1857 + CVE-2009-1858 + CVE-2009-1859 + CVE-2009-1861 + CVE-2009-2028 + + + keytoaster + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-07.xml b/xml/htdocs/security/en/glsa/glsa-200907-07.xml
new file mode 100644
index 00000000..e746b2ae
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-07.xml
@@ -0,0 +1,95 @@
+ + + + + + + ModPlug: User-assisted execution of arbitrary code + + ModPlug contains several buffer overflows that could lead to the execution + of arbitrary code. + + libmodplug gst-plugins-bad + July 12, 2009 + July 12, 2009: 01 + 266913 + remote + + + 0.8.7 + 0.8.7 + + + 0.10.11 + 0.10.11 + + + +

+ ModPlug is a library for playing MOD-like music. +

+
+ +

+ Two vulnerabilities have been reported in ModPlug: +

+
    +
  • + dummy reported an integer overflow in the CSoundFile::ReadMed() + function when processing a MED file with a crafted song comment or song + name, which triggers a heap-based buffer overflow (CVE-2009-1438). +
  • +
  • + Manfred Tremmel and Stanislav Brabec reported a buffer overflow in the + PATinst() function when processing a long instrument name + (CVE-2009-1513). +
  • +

+ The GStreamer Bad plug-ins (gst-plugins-bad) before 0.10.11 built a + vulnerable copy of ModPlug. +

+
+ +

+ A remote attacker could entice a user to read specially crafted files, + possibly resulting in the execution of arbitrary code with the + privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ModPlug users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libmodplug-0.8.7" +

+ gst-plugins-bad 0.10.11 and later versions do not include the ModPlug + plug-in (it has been moved to media-plugins/gst-plugins-modplug). All + gst-plugins-bad users should upgrade to the latest version and install + media-plugins/gst-plugins-modplug: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-bad-0.10.11" + # emerge --ask --verbose "media-plugins/gst-plugins-modplug" +
+ + CVE-2009-1438 + CVE-2009-1513 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-08.xml b/xml/htdocs/security/en/glsa/glsa-200907-08.xml
new file mode 100644
index 00000000..f2bfa883
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-08.xml
@@ -0,0 +1,86 @@
+ + + + + + + Multiple Ralink wireless drivers: Execution of arbitrary code + + An integer overflow in multiple Ralink wireless drivers might lead to the + execution of arbitrary code with elevated privileges. + + rt2400 rt2500 rt2570 rt61 ralink-rt61 + July 12, 2009 + July 12, 2009: 01 + 257023 + remote + + + 1.2.2_beta3 + + + 1.1.0_pre2007071515 + + + 20070209 + + + 1.1.0_beta2 + + + 1.1.1.0 + + + +

+ All listed packages are external kernel modules that provide drivers + for multiple Ralink devices. ralink-rt61 is released by ralinktech.com, + the other packages by the rt2x00.serialmonkey.com project. +

+
+ +

+ Aviv reported an integer overflow in multiple Ralink wireless card + drivers when processing a probe request packet with a long SSID, + possibly related to an integer signedness error. +

+
+ +

+ A physically proximate attacker could send specially crafted packets to + a user who has wireless networking enabled, possibly resulting in the + execution of arbitrary code with root privileges. +

+
+ +

+ Unload the kernel modules. +

+
+ +

+ All external kernel modules have been masked and we recommend that + users unmerge those drivers. The Linux mainline kernel has equivalent + support for these devices and the vulnerability has been resolved in + stable versions of sys-kernel/gentoo-sources. +

+ + # emerge --unmerge "net-wireless/rt2400" + # emerge --unmerge "net-wireless/rt2500" + # emerge --unmerge "net-wireless/rt2570" + # emerge --unmerge "net-wireless/rt61" + # emerge --unmerge "net-wireless/ralink-rt61" +
+ + CVE-2009-0282 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-09.xml b/xml/htdocs/security/en/glsa/glsa-200907-09.xml
new file mode 100644
index 00000000..995d4e4a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-09.xml
@@ -0,0 +1,69 @@
+ + + + + + + Cyrus-SASL: Execution of arbitrary code + + A buffer overflow in Cyrus-SASL might allow for the execution of arbitrary + code in applications or daemons that authenticate using SASL. + + cyrus-sasl + July 12, 2009 + July 12, 2009: 01 + 270261 + remote + + + 2.1.23 + 2.1.23 + + + +

+ Cyrus-SASL is an implementation of the Simple Authentication and + Security Layer. +

+
+ +

+ James Ralston reported that in certain situations, Cyrus-SASL does not + properly terminate strings which can result in buffer overflows when + performing Base64 encoding. +

+
+ +

+ A remote unauthenticated user might send specially crafted packets to a + daemon using Cyrus-SASL, possibly resulting in the execution of + arbitrary code with the privileges of the user running the daemon or a + Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Cyrus-SASL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/cyrus-sasl-2.1.23" +
+ + CVE-2009-0688 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-10.xml b/xml/htdocs/security/en/glsa/glsa-200907-10.xml
new file mode 100644
index 00000000..0dd56011
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-10.xml
@@ -0,0 +1,73 @@
+ + + + + + + Syslog-ng: Chroot escape + + Syslog-ng does not properly initialize its chroot jail allowing for an + escape if a separate vulnerability in Syslog-ng is exploited. + + syslog-ng + July 12, 2009 + July 12, 2009: 01 + 247278 + local + + + 2.0.10 + 2.1.3 + 2.1.3 + + + +

+ Syslog-ng is a flexible and scalable system logger. +

+
+ +

+ Florian Grandel reported that Syslog-ng does not call chdir() before + chroot() which leads to an inherited file descriptor to the current + working directory. +

+
+ +

+ A local attacker might exploit a separate vulnerability in Syslog-ng + and use this vulnerability to escape the chroot jail. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Syslog-ng 2.0 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-2.0.10" +

+ All Syslog-ng 2.1 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-2.1.3" +
+ + CVE-2008-5110 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-11.xml b/xml/htdocs/security/en/glsa/glsa-200907-11.xml
new file mode 100644
index 00000000..2dce701c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-11.xml
@@ -0,0 +1,112 @@
+ + + + + + + GStreamer plug-ins: User-assisted execution of arbitrary code + + Multiple vulnerabilities in multiple GStreamer plug-ins might allow for the + execution of arbitrary code. + + gst-plugins-good gst-plugins-base gst-plugins-libpng + July 12, 2009 + July 12, 2009: 01 + 256096 + 261594 + 272972 + remote + + + 0.10.14 + 0.10.14 + + + 0.10.22 + 0.10.22 + + + 0.10.14-r1 + 0.10.14-r1 + + + +

+ The GStreamer plug-ins provide decoders to the GStreamer open source + media framework. +

+
+ +

+ Multiple vulnerabilities have been reported in several GStreamer + plug-ins: +

+
    +
  • + Tobias Klein reported two heap-based buffer overflows and an array + index error in the qtdemux_parse_samples() function in gst-plugins-good + when processing a QuickTime media .mov file (CVE-2009-0386, + CVE-2009-0387, CVE-2009-0397). +
  • +
  • + Thomas Hoger of the Red Hat Security Response Team reported an integer + overflow that can lead to a heap-based buffer overflow in the + gst_vorbis_tag_add_coverart() function in gst-plugins-base when + processing COVERART tags (CVE-2009-0586). +
  • +
  • + Tielei Wang of ICST-ERCIS, Peking University reported multiple integer + overflows leading to buffer overflows in gst-plugins-libpng when + processing a PNG file (CVE-2009-1932). +
  • +
+
+ +

+ A remote attacker could entice a user or automated system using a + GStreamer plug-in to process a specially crafted file, resulting in the + execution of arbitrary code or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All gst-plugins-good users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-good-0.10.14" +

+ All gst-plugins-base users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-base-0.10.22" +

+ All gst-plugins-libpng users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-plugins/gst-plugins-libpng-0.10.14-r1" +
+ + CVE-2009-0386 + CVE-2009-0387 + CVE-2009-0397 + CVE-2009-0586 + CVE-2009-1932 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-12.xml b/xml/htdocs/security/en/glsa/glsa-200907-12.xml
new file mode 100644
index 00000000..d429c31c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-12.xml
@@ -0,0 +1,67 @@
+ + + + + + + ISC DHCP: dhcpclient Remote execution of arbitrary code + + A buffer overflow in dhclient as included in the ISC DHCP implementation + allows for the remote execution of arbitrary code with root privileges. + + dhcp + July 14, 2009 + July 14, 2009: 01 + 277729 + remote + + + 3.1.1-r1 + 3.1.1-r1 + + + +

+ ISC DHCP is the reference implementation of the Dynamic Host + Configuration Protocol as specified in RFC 2131. +

+
+ +

+ The Mandriva Linux Engineering Team has reported a stack-based buffer + overflow in the subnet-mask handling of dhclient. +

+
+ +

+ A remote attacker might set up a rogue DHCP server in a victim's local + network, possibly leading to the execution of arbitrary code with root + privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ISC DHCP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/dhcp-3.1.1-r1" +
+ + CVE-2009-0692 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-13.xml b/xml/htdocs/security/en/glsa/glsa-200907-13.xml
new file mode 100644
index 00000000..db9d0b1c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-13.xml
@@ -0,0 +1,70 @@
+ + + + + + + PulseAudio: Local privilege escalation + + A vulnerability in PulseAudio may allow a local user to execute code with + escalated privileges. + + pulseaudio + July 16, 2009 + July 16, 2009: 01 + 276986 + local + + + 0.9.9-r54 + 0.9.9-r54 + + + +

+ PulseAudio is a network-enabled sound server with an advanced plug-in + system. +

+
+ +

+ Tavis Ormandy and Julien Tinnes of the Google Security Team discovered + that the pulseaudio binary is installed setuid root, and does not drop + privileges before re-executing itself. The vulnerability has + independently been reported to oCERT by Yorick Koster. +

+
+ +

+ A local user who has write access to any directory on the file system + containing /usr/bin can exploit this vulnerability using a race + condition to execute arbitrary code with root privileges. +

+
+ +

+ Ensure that the file system holding /usr/bin does not contain + directories that are writable for unprivileged users. +

+
+ +

+ All PulseAudio users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/pulseaudio-0.9.9-r54" +
+ + CVE-2009-1894 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-14.xml b/xml/htdocs/security/en/glsa/glsa-200907-14.xml
new file mode 100644
index 00000000..c28ca2de
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-14.xml
@@ -0,0 +1,80 @@
+ + + + + + + Rasterbar libtorrent: Directory traversal + + A directory traversal vulnerability in Rasterbar libtorrent might allow a + remote attacker to overwrite arbitrary files. + + rb_libtorrent deluge + July 17, 2009 + July 17, 2009: 01 + 273156 + 273961 + remote + + + 0.13-r1 + 0.13-r1 + + + 1.1.9 + 1.1.9 + + + +

+ Rasterbar libtorrent is a C++ BitTorrent implementation focusing on + efficiency and scalability. Deluge is a BitTorrent client that ships a + copy of libtorrent. +

+
+ +

+ census reported a directory traversal vulnerability in + src/torrent_info.cpp that can be triggered via .torrent files. +

+
+ +

+ A remote attacker could entice a user or automated system using + Rasterbar libtorrent to load a specially crafted BitTorrent file to + create or overwrite arbitrary files using dot dot sequences in + filenames. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Rasterbar libtorrent users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/rb_libtorrent-0.13-r1" +

+ All Deluge users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/deluge-1.1.9" +
+ + CVE-2009-1760 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-15.xml b/xml/htdocs/security/en/glsa/glsa-200907-15.xml
new file mode 100644
index 00000000..b928bdf2
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-15.xml
@@ -0,0 +1,96 @@
+ + + + + + + Nagios: Execution of arbitrary code + + Multiple vulnerabilities in Nagios may lead to the execution of arbitrary + code. + + nagios-core + July 19, 2009 + July 19, 2009: 01 + 245887 + 249876 + 275288 + remote + + + 3.0.6-r2 + 3.0.6-r2 + + + +

+ Nagios is an open source host, service and network monitoring program. +

+
+ +

+ Multiple vulnerabilities have been reported in Nagios: +

+
    +
  • + Paul reported that statuswml.cgi does not properly sanitize shell + metacharacters in the (1) ping and (2) traceroute parameters + (CVE-2009-2288). +
  • +
  • + Nagios does not properly verify whether an authenticated user is + authorized to run certain commands (CVE-2008-5027). +
  • +
  • + Andreas Ericsson reported that Nagios does not perform validity checks + to verify HTTP requests, leading to Cross-Site Request Forgery + (CVE-2008-5028). +
  • +
  • + An unspecified vulnerability in Nagios related to CGI programs, + "adaptive external commands," and "writing newlines and submitting + service comments" has been reported (CVE-2008-6373). +
  • +
+
+ +

+ A remote authenticated or unauthenticated attacker may exploit these + vulnerabilities to execute arbitrary commands or elevate privileges. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Nagios users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/nagios-core-3.0.6-r2" +

+ NOTE: Users of the Nagios 2 branch can update to version 2.12-r1 which + contains a patch to fix CVE-2009-2288. However, that branch is not + supported upstream or in Gentoo and we are unaware whether the other + vulnerabilities affect 2.x installations. +

+
+ + CVE-2008-5027 + CVE-2008-5028 + CVE-2008-6373 + CVE-2009-2288 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200907-16.xml b/xml/htdocs/security/en/glsa/glsa-200907-16.xml
new file mode 100644
index 00000000..42588aa4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200907-16.xml
@@ -0,0 +1,76 @@
+ + + + + + + Python: Integer overflows + + Multiple integer overflows in Python have an unspecified impact. + + python + July 19, 2009 + July 19, 2009: 01 + 246991 + remote + + + 2.5.4-r2 + 2.4.6 + 2.5.4-r2 + + + +

+ Python is an interpreted, interactive, object-oriented programming + language. +

+
+ +

+ Chris Evans reported multiple integer overflows in the expandtabs + method, as implemented by (1) the string_expandtabs function in + Objects/stringobject.c and (2) the unicode_expandtabs function in + Objects/unicodeobject.c. +

+
+ +

+ A remote attacker could exploit these vulnerabilities in Python + applications or daemons that pass user-controlled input to vulnerable + functions. The security impact is currently unknown but may include the + execution of arbitrary code or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Python 2.5 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.5.4-r2" +

+ All Python 2.4 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.6" +
+ + CVE-2008-5031 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200908-01.xml b/xml/htdocs/security/en/glsa/glsa-200908-01.xml
new file mode 100644
index 00000000..5617dd17
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200908-01.xml
@@ -0,0 +1,81 @@
+ + + + + + + OpenSC: Multiple vulnerabilities + + Multiple vulnerabilities were found in OpenSC. + + opensc + August 01, 2009 + August 01, 2009: 01 + 260514 + 269920 + local + + + 0.11.8 + 0.11.8 + + + +

+ OpenSC provides a set of libraries and utilities to access smart cards. +

+
+ +

+ Multiple vulnerabilities were found in OpenSC: +

+
    +
  • b.badrignans discovered that OpenSC incorrectly initialises private + data objects (CVE-2009-0368).
  • +
  • Miquel Comas Marti discovered + that src/tools/pkcs11-tool.c in pkcs11-tool in OpenSC 0.11.7, when used + with unspecified third-party PKCS#11 modules, generates RSA keys with + incorrect public exponents (CVE-2009-1603).
  • +
+
+ +

+ The first vulnerabilty allows physically proximate attackers to bypass + intended PIN requirements and read private data objects. The second + vulnerability allows attackers to read the cleartext form of messages + that were intended to be encrypted. +

+

+ NOTE: Smart cards which were initialised using an affected version of + OpenSC need to be modified or re-initialised. See the vendor's advisory + for details. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/opensc-0.11.8" +
+ + CVE-2009-0368 + CVE-2009-1603 + OpenSC Security Advisory + + + keytoaster + + + keytoaster + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200908-02.xml b/xml/htdocs/security/en/glsa/glsa-200908-02.xml
new file mode 100644
index 00000000..2cb6ab71
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200908-02.xml
@@ -0,0 +1,70 @@
+ + + + + + + BIND: Denial of Service + + Dynamic Update packets can cause a Denial of Service in the BIND daemon. + + bind + August 01, 2009 + August 01, 2009: 01 + 279508 + remote + + + 9.4.3_p3 + 9.4.3_p3 + + + +

+ ISC BIND is the Internet Systems Consortium implementation of the + Domain Name System (DNS) protocol. +

+
+ +

+ Matthias Urlichs reported that the dns_db_findrdataset() function fails + when the prerequisite section of the dynamic update message contains a + record of type "ANY" and where at least one RRset for this FQDN exists + on the server. +

+
+ +

+ A remote unauthenticated attacker could send a specially crafted + dynamic update message to the BIND daemon (named), leading to a Denial + of Service (daemon crash). This vulnerability affects all primary + (master) servers -- it is not limited to those that are configured to + allow dynamic updates. +

+
+ +

+ Configure a firewall that performs Deep Packet Inspection to prevent + nsupdate messages from reaching named. Alternatively, expose only + secondary (slave) servers to untrusted networks. +

+
+ +

+ All BIND users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.3_p3" +
+ + CVE-2009-0696 + ISC advisory + + + rbu + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200908-03.xml b/xml/htdocs/security/en/glsa/glsa-200908-03.xml
new file mode 100644
index 00000000..60dbda51
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-200908-03.xml
@@ -0,0 +1,80 @@
+ + + + + + + libTIFF: User-assisted execution of arbitrary code + + Multiple boundary checking vulnerabilities in libTIFF may allow for the + remote execution of arbitrary code. + + tiff + August 07, 2009 + August 07, 2009: 01 + 276339 + 276988 + remote + + + 3.8.2-r8 + 3.8.2-r8 + + + +

+ libTIFF provides support for reading and manipulating TIFF (Tagged + Image File Format) images. +

+
+ +

+ Two vulnerabilities have been reported in libTIFF: +

+
    +
  • + wololo reported a buffer underflow in the LZWDecodeCompat() function + (CVE-2009-2285). +
  • +
  • + Tielei Wang of ICST-ERCIS, Peking University reported two integer + overflows leading to heap-based buffer overflows in the tiff2rgba and + rgb2ycbcr tools (CVE-2009-2347). +
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted TIFF + file with an application making use of libTIFF or the tiff2rgba and + rgb2ycbcr tools, possibly resulting in the execution of arbitrary code + with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libTIFF users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/tiff-3.8.2-r8" +
+ + CVE-2009-2285 + CVE-2009-2347 + + + rbu + + + rbu + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200908-04.xml b/xml/htdocs/security/en/glsa/glsa-200908-04.xml new file mode 100644 index 00000000..c4872d37 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200908-04.xml @@ -0,0 +1,115 @@ + + + + + + + Adobe products: Multiple vulnerabilities + + Multiple vulnerabilities in Adobe Reader and Adobe Flash Player allow for + attacks including the remote execution of arbitrary code. + + adobe-flash acroread + August 07, 2009 + August 07, 2009: 01 + 278813 + 278819 + remote + + + 10.0.32.18 + 10.0.32.18 + + + 9.1.3 + 9.1.3 + + + +

+ Adobe Flash Player is a closed-source playback software for Flash SWF + files. Adobe Reader is a closed-source PDF reader that plays Flash + content as well. +

+
+ +

+ Multiple vulnerabilities have been reported in Adobe Flash Player: +

+
    +
  • lakehu of Tencent Security Center reported an unspecified + memory corruption vulnerability (CVE-2009-1862).
  • +
  • Mike Wroe + reported an unspecified vulnerability, related to "privilege + escalation" (CVE-2009-1863).
  • +
  • An anonymous researcher through + iDefense reported an unspecified heap-based buffer overflow + (CVE-2009-1864).
  • +
  • Chen Chen of Venustech reported an + unspecified "null pointer vulnerability" (CVE-2009-1865).
  • +
  • Chen + Chen of Venustech reported an unspecified stack-based buffer overflow + (CVE-2009-1866).
  • +
  • Joran Benker reported that Adobe Flash Player + facilitates "clickjacking" attacks (CVE-2009-1867).
  • +
  • Jun Mao of + iDefense reported a heap-based buffer overflow, related to URL parsing + (CVE-2009-1868).
  • +
  • Roee Hay of IBM Rational Application Security + reported an unspecified integer overflow (CVE-2009-1869).
  • +
  • Gareth Heyes and Microsoft Vulnerability Research reported that the + sandbox in Adobe Flash Player allows for information disclosure, when + "SWFs are saved to the hard drive" (CVE-2009-1870).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted PDF + file or web site containing Adobe Flash (SWF) contents, possibly + resulting in the execution of arbitrary code with the privileges of the + user running the application, or a Denial of Service (application + crash). Furthermore, a remote attacker could trick a user into clicking + a button on a dialog by supplying a specially crafted SWF file and + disclose sensitive information by exploiting a sandbox issue. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Flash Player users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-10.0.32.18" +

+ All Adobe Reader users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/acroread-9.1.3" +
+ + CVE-2009-1862 + CVE-2009-1863 + CVE-2009-1864 + CVE-2009-1865 + CVE-2009-1866 + CVE-2009-1867 + CVE-2009-1868 + CVE-2009-1869 + CVE-2009-1870 + + + a3li + + + a3li + + + a3li + +
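Review bot: The description introduces the bullet list with `Multiple vulnerabilities have been reported in Adobe Flash Player:` and every bullet is a Flash Player finding, yet the advisory also sets a fixed version for acroread (9.1.3) and the impact section talks about crafted PDF files; nothing in the description says why Adobe Reader is in scope or which of the nine CVEs apply to it. The background already notes that Reader `plays Flash content as well`, so the description should state that link explicitly, e.g. `Adobe Reader embeds the Flash Player and is affected by the same issues.`, or, if only a subset of the CVEs reach Reader, list which ones. Without that, an administrator who has Reader installed but no Flash plugin cannot tell from the text whether the acroread upgrade is urgent for them.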
diff --git a/xml/htdocs/security/en/glsa/glsa-200908-05.xml b/xml/htdocs/security/en/glsa/glsa-200908-05.xml new file mode 100644 index 00000000..f8313393 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200908-05.xml @@ -0,0 +1,70 @@ + + + + + + + Subversion: Remote execution of arbitrary code + + Multiple integer overflows, leading to heap-based buffer overflows in the + Subversion client and server might allow remote attackers to execute + arbitrary code. + + subversion + August 18, 2009 + August 18, 2009: 01 + 280494 + remote + + + 1.6.4 + 1.6.4 + + + +

+ Subversion is a versioning system designed to be a replacement for CVS. +

+
+ +

+ Matt Lewis of Google reported multiple integer overflows in the + libsvn_delta library, possibly leading to heap-based buffer overflows. +

+
+ +

+ A remote attacker with commit access could exploit this vulnerability + by sending a specially crafted commit to a Subversion server, or a + remote attacker could entice a user to check out or update a repository + from a malicious Subversion server, possibly resulting in the execution + of arbitrary code with the privileges of the user running the server or + client. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Subversion users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/subversion-1.6.4" +
+ + CVE-2009-2411 + + + keytoaster + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200908-06.xml b/xml/htdocs/security/en/glsa/glsa-200908-06.xml new file mode 100644 index 00000000..0d162b0f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200908-06.xml @@ -0,0 +1,69 @@ + + + + + + + CDF: User-assisted execution of arbitrary code + + Multiple heap-based buffer overflows in CDF might result in the execution + of arbitrary code. + + cdf + August 18, 2009 + August 18, 2009: 01 + 278679 + remote + + + 3.3.0 + 3.3.0 + + + +

+ CDF is a library for the Common Data Format which is a self-describing + data format for the storage and manipulation of scalar and + multidimensional data. It is developed by the NASA. +

+
+ +

+ Leon Juranic reported multiple heap-based buffer overflows for instance + in the ReadAEDRList64(), SearchForRecord_r_64(), LastRecord64(), and + CDFsel64() functions. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted CDF + file, possibly resulting in the execution of arbitrary code with the + privileges of the user running the application, or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CDF users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-libs/cdf-3.3.0" +
+ + CVE-2009-2850 + + + rbu + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200908-07.xml b/xml/htdocs/security/en/glsa/glsa-200908-07.xml new file mode 100644 index 00000000..60dfa23f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200908-07.xml @@ -0,0 +1,84 @@ + + + + + + + Perl Compress::Raw modules: Denial of Service + + An off-by-one error in Compress::Raw::Zlib and Compress::Raw::Bzip2 might + lead to a Denial of Service. + + Compress-Raw-Zlib Compress-Raw-Bzip2 + August 18, 2009 + August 18, 2009: 01 + 273141 + 281955 + remote + + + 2.020 + 2.020 + + + 2.020 + 2.020 + + + +

+ Compress::Raw::Zlib and Compress::Raw::Bzip2 are Perl low-level + interfaces to the zlib and bzip2 compression libraries. +

+
+ +

+ Leo Bergolth reported an off-by-one error in the inflate() function in + Zlib.xs of Compress::Raw::Zlib, possibly leading to a heap-based buffer + overflow (CVE-2009-1391). +

+

+ Paul Marquess discovered a similar vulnerability in the bzinflate() + function in Bzip2.xs of Compress::Raw::Bzip2 (CVE-2009-1884). +

+
+ +

+ A remote attacker might entice a user or automated system (for instance + running SpamAssassin or AMaViS) to process specially crafted files, + possibly resulting in a Denial of Service condition. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Compress::Raw::Zlib users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=perl-core/Compress-Raw-Zlib-2.020" +

+ All Compress::Raw::Bzip2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=perl-core/Compress-Raw-Bzip2-2.020" +
+ + CVE-2009-1391 + CVE-2009-1884 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200908-08.xml b/xml/htdocs/security/en/glsa/glsa-200908-08.xml new file mode 100644 index 00000000..e1419628 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200908-08.xml @@ -0,0 +1,67 @@ + + + + + + + ISC DHCP: dhcpd Denial of Service + + dhcpd as included in the ISC DHCP implementation does not properly handle + special conditions, leading to a Denial of Service. + + dhcp + August 18, 2009 + August 18, 2009: 01 + 275231 + remote + + + 3.1.2_p1 + 3.1.2_p1 + + + +

+ ISC DHCP is the reference implementation of the Dynamic Host + Configuration Protocol as specified in RFC 2131. +

+
+ +

+ Christoph Biedl discovered that dhcpd does not properly handle certain + DHCP requests when configured both using "dhcp-client-identifier" and + "hardware ethernet". +

+
+ +

+ A remote attacker might send a specially crafted request to dhcpd, + possibly resulting in a Denial of Service (daemon crash). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ISC DHCP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/dhcp-3.1.2_p1" +
+ + CVE-2009-1892 + + + rbu + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200908-09.xml b/xml/htdocs/security/en/glsa/glsa-200908-09.xml new file mode 100644 index 00000000..29c1c620 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200908-09.xml @@ -0,0 +1,68 @@ + + + + + + + DokuWiki: Local file inclusion + + An input sanitation error in DokuWiki might lead to the dislosure of local + files or even the remote execution of arbitrary code. + + dokuwiki + August 18, 2009 + August 19, 2009: 02 + 272431 + remote + + + 20090214b + 20090214b + + + +

+ DokuWiki is a standards compliant Wiki system written in PHP. +

+
+ +

+ girex reported that data from the "config_cascade" parameter in + inc/init.php is not properly sanitized before being used. +

+
+ +

+ A remote attacker could exploit this vulnerability to execute PHP code + from arbitrary local, or, when the used PHP version supports ftp:// + URLs, also from remote files via FTP. Furthermore, it is possible to + disclose the contents of local files. NOTE: Successful exploitation + requires the PHP option "register_globals" to be enabled. +

+
+ +

+ Disable "register_globals" in php.ini. +

+
+ +

+ All DokuWiki users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-2009-02-14b" +
+ + CVE-2009-1960 + + + a3li + + + a3li + + + a3li + +
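Review bot: The emerge atom on the resolution line, `">=www-apps/dokuwiki-2009-02-14b"`, disagrees with the version the unaffected/vulnerable range fields give for the same package, `20090214b`, and a hyphenated version cannot be right for Portage, whose version strings permit only an `-rN` revision after the numeric part, so the command as written will not select the fixed ebuild. Whichever spelling the ebuild actually carries, the range fields and the atom must agree; if it is `20090214b` as the range fields say, the line should read `# emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20090214b"`. The header already shows this advisory at revision 02, so this second correction is worth getting right before release. The workaround is sound as written: disabling register_globals is exactly the precondition the impact section names.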
diff --git a/xml/htdocs/security/en/glsa/glsa-200908-10.xml b/xml/htdocs/security/en/glsa/glsa-200908-10.xml new file mode 100644 index 00000000..53664442 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200908-10.xml @@ -0,0 +1,68 @@ + + + + + + + Dillo: User-assisted execution of arbitrary code + + An integer overflow in the PNG handling of Dillo might result in the remote + execution of arbitrary code. + + dillo + August 18, 2009 + August 18, 2009: 01 + 276432 + remote + + + 2.1.1 + 2.1.1 + + + +

+ Dillo is a graphical web browser known for its speed and small + footprint. +

+
+ +

+ Tilei Wang reported an integer overflow in the Png_datainfo_callback() + function, possibly leading to a heap-based buffer overflow. +

+
+ +

+ A remote attacker could entice a user to open an HTML document + containing a specially crafted, large PNG image, possibly resulting in + the execution of arbitrary code with the privileges of the user running + the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Dillo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/dillo-2.1.1" +
+ + CVE-2009-2294 + + + rbu + + + a3li + + + a3li + +
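Review bot: The reporter credit in the description, `Tilei Wang`, looks like a misspelling: glsa-200908-03.xml in this same commit credits `Tielei Wang of ICST-ERCIS, Peking University` for a closely related integer-overflow finding (CVE-2009-2347), and the two reports appear to refer to the same researcher. If so, the line should read `Tielei Wang reported an integer overflow in the Png_datainfo_callback()`. Credits are hard to correct once an advisory is published, so this is worth checking against the upstream Dillo report before release.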
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-01.xml b/xml/htdocs/security/en/glsa/glsa-200909-01.xml new file mode 100644 index 00000000..59738f2a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-01.xml @@ -0,0 +1,71 @@ + + + + + + + Linux-PAM: Privilege escalation + + An error in the handling of user names of Linux-PAM might allow remote + attackers to cause a Denial of Service or escalate privileges. + + pam + September 07, 2009 + September 07, 2009: 01 + 261512 + remote + + + 1.0.4 + 1.0.4 + + + +

+ Linux-PAM (Pluggable Authentication Modules) is an architecture + allowing the separation of the development of privilege granting + software from the development of secure and appropriate authentication + schemes. +

+
+ +

+ Marcus Granado repoted that Linux-PAM does not properly handle user + names that contain Unicode characters. This is related to integer + signedness errors in the pam_StrTok() function in libpam/pam_misc.c. +

+
+ +

+ A remote attacker could exploit this vulnerability to cause a Denial of + Service. A remote authenticated attacker could exploit this + vulnerability to log in to a system with the account of a user that has + a similar user name, but with non-ASCII characters. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Linux-PAM users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-libs/pam-1.0.4" +
+ + CVE-2009-0887 + + + craig + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-02.xml b/xml/htdocs/security/en/glsa/glsa-200909-02.xml new file mode 100644 index 00000000..5c59b8b0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-02.xml @@ -0,0 +1,69 @@ + + + + + + + libvorbis: User-assisted execution of arbitrary code + + A processing error in libvorbis might result in the execution of arbitrary + code or a Denial of Service. + + libvorbis + September 07, 2009 + September 07, 2009: 01 + 280590 + remote + + + 1.2.3 + 1.2.3 + + + +

+ libvorbis is the reference implementation of the Xiph.org Ogg Vorbis + audio file format. It is used by many applications for playback of Ogg + Vorbis files. +

+
+ +

+ Lucas Adamski reported that libvorbis does not correctly process file + headers, related to static mode headers and encoding books. +

+
+ +

+ A remote attacker could entice a user to play a specially crafted OGG + Vorbis file using an application that uses libvorbis, possibly + resulting in the execution of arbitrary code with the privileges of the + user running the application, or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All libvorbis users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libvorbis-1.2.3" +
+ + CVE-2009-2663 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-03.xml b/xml/htdocs/security/en/glsa/glsa-200909-03.xml new file mode 100644 index 00000000..13f56901 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-03.xml @@ -0,0 +1,83 @@ + + + + + + + Apache Portable Runtime, APR Utility Library: Execution of arbitrary code + + Multiple integer overflows in the Apache Portable Runtime and its Utility + Library might allow for the remote execution of arbitrary code. + + apr apr-util + September 09, 2009 + September 09, 2009: 01 + 280514 + remote + + + 1.3.8 + 1.3.8 + + + 1.3.9 + 1.3.9 + + + +

+ The Apache Portable Runtime (aka APR) provides a set of APIs for + creating platform-independent applications. The Apache Portable Runtime + Utility Library (aka APR-Util) provides an interface to functionality + such as XML parsing, string matching and databases connections. +

+
+ +

+ Matt Lewis reported multiple Integer overflows in the apr_rmm_malloc(), + apr_rmm_calloc(), and apr_rmm_realloc() functions in misc/apr_rmm.c of + APR-Util and in memory/unix/apr_pools.c of APR, both occurring when + aligning memory blocks. +

+
+ +

+ A remote attacker could entice a user to connect to a malicious server + with software that uses the APR or act as a malicious client to a + server that uses the APR (such as Subversion or Apache servers), + possibly resulting in the execution of arbitrary code with the + privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Apache Portable Runtime users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/apr-1.3.8" +

+ All APR Utility Library users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/apr-util-1.3.9" +
+ + CVE-2009-2412 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-04.xml b/xml/htdocs/security/en/glsa/glsa-200909-04.xml new file mode 100644 index 00000000..186ccdfc --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-04.xml @@ -0,0 +1,89 @@ + + + + + + + Clam AntiVirus: Multiple vulnerabilities + + Multiple vulnerabilities in ClamAV allow for the remote execution of + arbitrary code or Denial of Service. + + clamav + September 09, 2009 + September 09, 2009: 01 + 264834 + 265545 + remote + + + 0.95.2 + 0.95.2 + + + +

+ Clam AntiVirus (short: ClamAV) is an anti-virus toolkit for UNIX, + designed especially for e-mail scanning on mail gateways. +

+
+ +

+ Multiple vulnerabilities have been found in ClamAV: +

+
    +
  • The + vendor reported a Divide-by-zero error in the PE ("Portable + Executable"; Windows .exe) file handling of ClamAV + (CVE-2008-6680).
  • +
  • Jeffrey Thomas Peckham found a flaw in + libclamav/untar.c, possibly resulting in an infinite loop when + processing TAR archives in clamd and clamscan (CVE-2009-1270).
  • +
  • Martin Olsen reported a vulnerability in the CLI_ISCONTAINED macro + in libclamav/others.h, when processing UPack archives + (CVE-2009-1371).
  • +
  • Nigel disclosed a stack-based buffer overflow + in the "cli_url_canon()" function in libclamav/phishcheck.c when + processing URLs (CVE-2009-1372).
  • +
+
+ +

+ A remote attacker could entice a user or automated system to process a + specially crafted UPack archive or a file containing a specially + crafted URL, possibly resulting in the remote execution of arbitrary + code with the privileges of the user running the application, or a + Denial of Service. Furthermore, a remote attacker could cause a Denial + of Service by supplying a specially crafted TAR archive or PE + executable to a Clam AntiVirus instance. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Clam AntiVirus users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.95.2" +
+ + CVE-2008-6680 + CVE-2009-1270 + CVE-2009-1371 + CVE-2009-1372 + + + keytoaster + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-05.xml b/xml/htdocs/security/en/glsa/glsa-200909-05.xml new file mode 100644 index 00000000..4c87a875 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-05.xml @@ -0,0 +1,77 @@ + + + + + + + Openswan: Denial of Service + + Multiple vulnerabilities in the pluto IKE daemon of Openswan might allow + remote attackers to cause a Denial of Service. + + openswan + September 09, 2009 + September 09, 2009: 01 + 264346 + 275233 + remote + + + 2.4.15 + 2.4.15 + + + +

+ Openswan is an implementation of IPsec for Linux. +

+
+ +

+ Multiple vulnerabilities have been discovered in Openswan: +

+
    +
  • Gerd v. Egidy reported a NULL pointer dereference in the Dead Peer + Detection of the pluto IKE daemon as included in Openswan + (CVE-2009-0790).
  • +
  • The Orange Labs vulnerability research team + discovered multiple vulnerabilities in the ASN.1 parser + (CVE-2009-2185).
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities by sending + specially crafted R_U_THERE or R_U_THERE_ACK packets, or a specially + crafted X.509 certificate containing a malicious Relative Distinguished + Name (RDN), UTCTIME string or GENERALIZEDTIME string to cause a Denial + of Service of the pluto IKE daemon. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Openswan users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/openswan-2.4.15" +
+ + CVE-2009-0790 + CVE-2009-2185 + + + craig + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-06.xml b/xml/htdocs/security/en/glsa/glsa-200909-06.xml new file mode 100644 index 00000000..56d7b652 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-06.xml @@ -0,0 +1,67 @@ + + + + + + + aMule: Parameter injection + + An input validation error in aMule enables remote attackers to pass + arbitrary parameters to a victim's media player. + + amule + September 09, 2009 + September 09, 2009: 01 + 268163 + remote + + + 2.2.5 + 2.2.5 + + + +

+ aMule is an eMule-like client for the eD2k and Kademlia networks, + supporting multiple platforms. +

+
+ +

+ Sam Hocevar discovered that the aMule preview function does not + properly sanitize file names. +

+
+ +

+ A remote attacker could entice a user to download a file with a + specially crafted file name to inject arbitrary arguments to the + victim's video player. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All aMule users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/amule-2.2.5" +
+ + CVE-2009-1440 + + + rbu + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-07.xml b/xml/htdocs/security/en/glsa/glsa-200909-07.xml new file mode 100644 index 00000000..96d6baa0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-07.xml @@ -0,0 +1,66 @@ + + + + + + + TkMan: Insecure temporary file usage + + An insecure temporary file usage has been reported in TkMan, allowing for + symlink attacks. + + tkman + September 09, 2009 + September 09, 2009: 01 + 247540 + local + + + 2.2-r1 + 2.2-r1 + + + +

+ TkMan is a graphical, hypertext manual page and Texinfo browser for + UNIX. +

+
+ +

+ Dmitry E. Oboukhov reported that TkMan does not handle the + "/tmp/tkman#####" and "/tmp/ll" temporary files securely. +

+
+ +

+ A local attacker could perform symlink attacks to overwrite arbitrary + files with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All TkMan users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/tkman-2.2-r1" +
+ + CVE-2008-5137 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-08.xml b/xml/htdocs/security/en/glsa/glsa-200909-08.xml new file mode 100644 index 00000000..b6469a76 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-08.xml @@ -0,0 +1,66 @@ + + + + + + + C* music player: Insecure temporary file usage + + An insecure temporary file usage has been reported in the C* music player, + allowing for symlink attacks. + + cmus + September 09, 2009 + September 09, 2009: 01 + 250474 + local + + + 2.2.0-r1 + 2.2.0-r1 + + + +

+ The C* Music Player (cmus) is a modular and very configurable + ncurses-based audio player. +

+
+ +

+ Dmitry E. Oboukhov reported that cmus-status-display does not handle + the "/tmp/cmus-status" temporary file securely. +

+
+ +

+ A local attacker could perform symlink attacks to overwrite arbitrary + files with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All C* music player users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/cmus-2.2.0-r1" +
+ + CVE-2008-5375 + + + craig + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-09.xml b/xml/htdocs/security/en/glsa/glsa-200909-09.xml new file mode 100644 index 00000000..f901c03a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-09.xml @@ -0,0 +1,66 @@ + + + + + + + Screenie: Insecure temporary file usage + + An insecure temporary file usage has been reported in Screenie, allowing + for symlink attacks. + + screenie + September 09, 2009 + September 09, 2009: 01 + 250476 + local + + + 1.30.0-r1 + 1.30.0-r1 + + + +

+ Screenie is a small screen frontend that is designed to be a session + handler. +

+
+ +

+ Dmitry E. Oboukhov reported that Screenie does not handle + "/tmp/.screenie.#####" temporary files securely. +

+
+ +

+ A local attacker could perform symlink attacks to overwrite arbitrary + files with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Screenie users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-misc/screenie-1.30.0-r1" +
+ + CVE-2008-5371 + + + craig + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-10.xml b/xml/htdocs/security/en/glsa/glsa-200909-10.xml new file mode 100644 index 00000000..e6c011a3 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-10.xml @@ -0,0 +1,65 @@ + + + + + + + LMBench: Insecure temporary file usage + + Multiple insecure temporary file usage issues have been reported in + LMBench, allowing for symlink attacks. + + lmbench + September 09, 2009 + September 09, 2009: 01 + 246015 + local + + + 3 + + + +

+ LMBench is a suite of simple, portable benchmarks for UNIX platforms. +

+
+ +

+ Dmitry E. Oboukhov reported that the rccs and STUFF scripts do not + handle "/tmp/sdiff.#####" temporary files securely. NOTE: There might + be further occurances of insecure temporary file usage. +

+
+ +

+ A local attacker could perform symlink attacks to overwrite arbitrary + files with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ LMBench has been removed from Portage. We recommend that users unmerge + LMBench: +

+ + # emerge --unmerge app-benchmarks/lmbench +
+ + CVE-2008-4968 + + + rbu + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-11.xml b/xml/htdocs/security/en/glsa/glsa-200909-11.xml new file mode 100644 index 00000000..26e36b1d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-11.xml @@ -0,0 +1,65 @@ + + + + + + + GCC-XML: Insecure temporary file usage + + An insecure temporary file usage has been reported in GCC-XML allowing for + symlink attacks. + + gccxml + September 09, 2009 + September 09, 2009: 01 + 245765 + local + + + 0.9.0_pre20090516 + 0.9.0_pre20090516 + + + +

+ GCC-XML is an XML output extension to the C++ front-end of GCC. +

+
+ +

+ Dmitry E. Oboukhov reported that find_flags in GCC-XML does not handle + "/tmp/*.cxx" temporary files securely. +

+
+ +

+ A local attacker could perform symlink attacks to overwrite arbitrary + files with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GCC-XML users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-cpp/gccxml-0.9.0_pre20090516" +
+ + CVE-2008-4957 + + + rbu + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-12.xml b/xml/htdocs/security/en/glsa/glsa-200909-12.xml new file mode 100644 index 00000000..d0575495 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-12.xml @@ -0,0 +1,72 @@ + + + + + + + HTMLDOC: User-assisted execution of arbitrary code + + Multiple insecure calls to the sscanf() function in HTMLDOC might result in + the execution of arbitrary code. + + htmldoc + September 12, 2009 + September 12, 2009: 01 + 278186 + remote + + + 1.8.27-r1 + 1.8.27-r1 + + + +

+ HTMLDOC is a HTML indexer and HTML to PS and PDF converter. +

+
+ +

+ ANTHRAX666 reported an insecure call to the sscanf() function in the + set_page_size() function in htmldoc/util.cxx. Nico Golde of the Debian + Security Team found two more insecure calls in the write_type1() + function in htmldoc/ps-pdf.cxx and the htmlLoadFontWidths() function in + htmldoc/htmllib.cxx. +

+
+ +

+ A remote attacker could entice a user to process a specially crafted + HTML file using htmldoc, possibly resulting in the execution of + arbitrary code with the privileges of the user running the application. + NOTE: Additional vectors via specially crafted AFM font metric files do + not cross trust boundaries, as the files can only be modified by + privileged users. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All HTMLDOC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/htmldoc-1.8.27-r1" +
+ + CVE-2009-3050 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-13.xml b/xml/htdocs/security/en/glsa/glsa-200909-13.xml new file mode 100644 index 00000000..36414faf --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-13.xml @@ -0,0 +1,68 @@ + + + + + + + irssi: Execution of arbitrary code + + A remotely exploitable off-by-one error leading to a heap overflow was + found in irssi which might result in the execution of arbitrary code. + + irssi + September 12, 2009 + September 12, 2009: 01 + 271875 + remote + + + 0.8.13-r1 + 0.8.13-r1 + + + +

+ irssi is a modular textUI IRC client with IPv6 support. +

+
+ +

+ Nemo discovered an off-by-one error leading to a heap overflow in + irssi's event_wallops() parsing function. +

+
+ +

+ A remote attacker might entice a user to connect to a malicious IRC + server, use a man-in-the-middle attack to redirect a user to such a + server or use ircop rights to send a specially crafted WALLOPS message, + which might result in the execution of arbitrary code with the + privileges of the user running irssi. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All irssi users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/irssi-0.8.13-r1" +
+ + CVE-2009-1959 + + + a3li + + + craig + + + craig + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-14.xml b/xml/htdocs/security/en/glsa/glsa-200909-14.xml new file mode 100644 index 00000000..4025274f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-14.xml @@ -0,0 +1,115 @@ + + + + + + + Horde: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Horde and two modules, + allowing for the execution of arbitrary code, information disclosure, or + Cross-Site Scripting. + + horde horde-imp horde-passwd + September 12, 2009 + September 12, 2009: 01 + 256125 + 262976 + 262978 + 277294 + remote + + + 3.3.4 + 3.3.4 + + + 4.3.4 + 4.3.4 + + + 3.1.1 + 3.1.1 + + + +

+ Horde is a web application framework written in PHP. Horde IMP, the + "Internet Messaging Program", is a Webmail module and Horde Passwd is a + password changing module for Horde. +

+
+ +

+ Multiple vulnerabilities have been discovered in Horde: +

+
    +
  • Gunnar Wrobel reported an input sanitation and directory traversal + flaw in framework/Image/Image.php, related to the "Horde_Image driver + name" (CVE-2009-0932).
  • +
  • Gunnar Wrobel reported that data sent + to horde/services/portal/cloud_search.php is not properly sanitized + before used in the output (CVE-2009-0931).
  • +
  • It was reported + that data sent to framework/Text_Filter/Filter/xss.php is not properly + sanitized before used in the output (CVE-2008-5917).
  • +

+ Horde Passwd: David Wharton reported that data sent via the "backend" + parameter to passwd/main.php is not properly sanitized before used in + the output (CVE-2009-2360). +

+

+ Horde IMP: Gunnar Wrobel reported that data sent to smime.php, pgp.php, + and message.php is not properly sanitized before used in the output + (CVE-2009-0930). +

+
+ +

+ A remote authenticated attacker could exploit these vulnerabilities to + execute arbitrary PHP files on the server, or disclose the content of + arbitrary files, both only if the file is readable to the web server. A + remote authenticated attacker could conduct Cross-Site Scripting + attacks. NOTE: Some Cross-Site Scripting vectors are limited to the + usage of Microsoft Internet Explorer. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Horde users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-3.3.4" +

+ All Horde IMP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-imp-4.3.4" +

+ All Horde Passwd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-passwd-3.1.1" +
+ + CVE-2008-5917 + CVE-2009-0930 + CVE-2009-0931 + CVE-2009-0932 + CVE-2009-2360 + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-15.xml b/xml/htdocs/security/en/glsa/glsa-200909-15.xml new file mode 100644 index 00000000..80ad0184 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-15.xml @@ -0,0 +1,72 @@ + + + + + + + Lynx: Arbitrary command execution + + An incomplete fix for an issue related to the Lynx URL handler might allow + for the remote execution of arbitrary commands. + + lynx + September 12, 2009 + September 12, 2009: 01 + 243058 + remote + + + 2.8.6-r4 + 2.8.6-r4 + + + +

+ Lynx is a fully-featured WWW client for users running + cursor-addressable, character-cell display devices such as vt100 + terminals and terminal emulators. +

+
+ +

+ Clint Ruoho reported that the fix for CVE-2005-2929 (GLSA 200511-09) + only disabled the lynxcgi:// handler when not using the advanced mode. +

+
+ +

+ A remote attacker can entice a user to access a malicious HTTP server, + causing Lynx to execute arbitrary commands. NOTE: The advanced mode is + not enabled by default. Successful exploitation requires the + "lynxcgi://" protocol to be registered with lynx on the victim's + system. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Lynx users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/lynx-2.8.6-r4" +
+ + CVE-2005-2929 + CVE-2008-4690 + GLSA 200511-09 + + + rbu + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-16.xml b/xml/htdocs/security/en/glsa/glsa-200909-16.xml new file mode 100644 index 00000000..c50c13ad --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-16.xml @@ -0,0 +1,84 @@ + + + + + + + Wireshark: Denial of Service + + Multiple vulnerabilities have been discovered in Wireshark which allow for + Denial of Service. + + wireshark + September 13, 2009 + September 13, 2009: 01 + 278564 + remote + + + 1.2.1 + 1.2.1 + + + +

+ Wireshark is a versatile network protocol analyzer. +

+
+ +

+ Multiple vulnerabilities were discovered in Wireshark: +

+
    +
  • A + buffer overflow in the IPMI dissector related to an array index error + (CVE-2009-2559).
  • +
  • Multiple unspecified vulnerabilities in the + Bluetooth L2CAP, RADIUS, and MIOP dissectors (CVE-2009-2560).
  • +
  • An unspecified vulnerability in the sFlow dissector + (CVE-2009-2561).
  • +
  • An unspecified vulnerability in the AFS + dissector (CVE-2009-2562).
  • +
  • An unspecified vulnerability in the + Infiniband dissector when running on unspecified platforms + (CVE-2009-2563).
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities by sending + specially crafted packets on a network being monitored by Wireshark or + by enticing a user to read a malformed packet trace file to cause a + Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Wireshark users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.2.1" +
+ + CVE-2009-2559 + CVE-2009-2560 + CVE-2009-2561 + CVE-2009-2562 + CVE-2009-2563 + + + keytoaster + + + keytoaster + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-17.xml b/xml/htdocs/security/en/glsa/glsa-200909-17.xml new file mode 100644 index 00000000..400d7d8b --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-17.xml @@ -0,0 +1,67 @@ + + + + + + + ZNC: Directory traversal + + A directory traversal was found in ZNC, allowing for overwriting of + arbitrary files. + + znc + September 13, 2009 + September 13, 2009: 01 + 278684 + remote + + + 0.074 + 0.074 + + + +

+ ZNC is an advanced IRC bouncer. +

+
+ +

+ The vendor reported a directory traversal vulnerability when processing + DCC SEND requests. +

+
+ +

+ A remote, authenticated user could send a specially crafted DCC SEND + request to overwrite arbitrary files with the privileges of the user + running ZNC, and possibly cause the execution of arbitrary code e.g. by + uploading a malicious ZNC module. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ZNC users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/znc-0.074" +
+ + CVE-2009-2658 + + + keytoaster + + + keytoaster + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-18.xml b/xml/htdocs/security/en/glsa/glsa-200909-18.xml new file mode 100644 index 00000000..5ecfc534 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-18.xml @@ -0,0 +1,84 @@ + + + + + + + nginx: Remote execution of arbitrary code + + A buffer underflow vulnerability in the request URI processing of nginx + might enable remote attackers to execute arbitrary code or cause a Denial + of Service. + + nginx + September 18, 2009 + September 18, 2009: 01 + 285162 + remote + + + 0.5.38 + 0.6.39 + 0.7.62 + 0.7.62 + + + +

+ nginx is a robust, small and high performance HTTP and reverse proxy + server. +

+
+ +

+ Chris Ries reported a heap-based buffer underflow in the + ngx_http_parse_complex_uri() function in http/ngx_http_parse.c when + parsing the request URI. +

+
+ +

+ A remote attacker might send a specially crafted request URI to a nginx + server, possibly resulting in the remote execution of arbitrary code + with the privileges of the user running the server, or a Denial of + Service. NOTE: By default, nginx runs as the "nginx" user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All nginx 0.5.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/nginx-0.5.38" +

+ All nginx 0.6.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/nginx-0.6.39" +

+ All nginx 0.7.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/nginx-0.7.62" +
+ + CVE-2009-2629 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-19.xml b/xml/htdocs/security/en/glsa/glsa-200909-19.xml new file mode 100644 index 00000000..96207670 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-19.xml @@ -0,0 +1,78 @@ + + + + + + + Dnsmasq: Multiple vulnerabilities + + Multiple vulnerabilities in Dnsmasq might result in the remote execution of + arbitrary code, or a Denial of Service. + + dnsmasq + September 20, 2009 + September 20, 2009: 01 + 282653 + remote + + + 2.5.0 + 2.5.0 + + + +

+ Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP + server. It includes support for Trivial FTP (TFTP). +

+
+ +

+ Multiple vulnerabilities have been reported in the TFTP functionality + included in Dnsmasq: +

+
    +
  • Pablo Jorge and Alberto Solino + discovered a heap-based buffer overflow (CVE-2009-2957).
  • +
  • An + anonymous researcher reported a NULL pointer reference + (CVE-2009-2958).
  • +
+
+ +

+ A remote attacker in the local network could exploit these + vulnerabilities by sending specially crafted TFTP requests to a machine + running Dnsmasq, possibly resulting in the remote execution of + arbitrary code with the privileges of the user running the daemon, or a + Denial of Service. NOTE: The TFTP server is not enabled by default. +

+
+ +

+ You can disable the TFTP server either at buildtime by not enabling the + "tftp" USE flag, or at runtime. Make sure "--enable-tftp" is not set in + the DNSMASQ_OPTS variable in the /etc/conf.d/dnsmasq file and + "enable-tftp" is not set in /etc/dnsmasq.conf, either of which would + enable TFTP support if it is compiled in. +

+
+ +

+ All Dnsmasq users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/dnsmasq-2.5.0" +
+ + CVE-2009-2957 + CVE-2009-2958 + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200909-20.xml b/xml/htdocs/security/en/glsa/glsa-200909-20.xml new file mode 100644 index 00000000..01bdfe91 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200909-20.xml @@ -0,0 +1,70 @@ + + + + + + + cURL: Certificate validation error + + An error in the X.509 certificate handling of cURL might enable remote + attackers to conduct man-in-the-middle attacks. + + curl + September 25, 2009 + September 25, 2009: 01 + 281515 + remote + + + 7.19.6 + 7.19.6 + + + +

+ cURL is a command line tool for transferring files with URL syntax, + supporting numerous protocols. +

+
+ +

+ Scott Cantor reported that cURL does not properly handle fields in + X.509 certificates that contain an ASCII NUL (\0) character. + Specifically, the processing of such fields is stopped at the first + occurence of a NUL character. This type of vulnerability was recently + discovered by Dan Kaminsky and Moxie Marlinspike. +

+
+ +

+ A remote attacker might employ a specially crafted X.509 certificate + (that for instance contains a NUL character in the Common Name field) + to conduct man-in-the-middle attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All cURL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/curl-7.19.6" +
+ + CVE-2009-2417 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200910-01.xml b/xml/htdocs/security/en/glsa/glsa-200910-01.xml new file mode 100644 index 00000000..d3f4428e --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200910-01.xml @@ -0,0 +1,70 @@ + + + + + + + Wget: Certificate validation error + + An error in the X.509 certificate handling of Wget might enable remote + attackers to conduct man-in-the-middle attacks. + + wget + October 20, 2009 + October 20, 2009: 01 + 286058 + remote + + + 1.12 + 1.12 + + + +

+ GNU Wget is a free software package for retrieving files using HTTP, + HTTPS and FTP, the most widely-used Internet protocols. +

+
+ +

+ The vendor reported that Wget does not properly handle Common Name (CN) + fields in X.509 certificates that contain an ASCII NUL (\0) character. + Specifically, the processing of such fields is stopped at the first + occurrence of a NUL character. This type of vulnerability was recently + discovered by Dan Kaminsky and Moxie Marlinspike. +

+
+ +

+ A remote attacker might employ a specially crafted X.509 certificate, + containing a NUL character in the Common Name field to conduct + man-in-the-middle attacks on SSL connections made using Wget. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Wget users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/wget-1.12" +
+ + CVE-2009-3490 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200910-02.xml b/xml/htdocs/security/en/glsa/glsa-200910-02.xml new file mode 100644 index 00000000..730e83c8 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200910-02.xml @@ -0,0 +1,92 @@ + + + + + + + Pidgin: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Pidgin, leading to the + remote execution of arbitrary code, unauthorized information disclosure, or + Denial of Service. + + pidgin + October 22, 2009 + October 22, 2009: 01 + 276000 + 281545 + 283324 + remote + + + 2.5.9-r1 + 2.5.9-r1 + + + +

+ Pidgin is a client for a variety of instant messaging protocols. +

+
+ +

+ Multiple vulnerabilities were found in Pidgin: +

+
    +
  • Yuriy + Kaminskiy reported that the OSCAR protocol implementation in Pidgin + misinterprets the ICQWebMessage message type as the ICQSMS message + type, triggering an allocation of a large amount of memory + (CVE-2009-1889).
  • +
  • Federico Muttis of Core Security Technologies + reported that the msn_slplink_process_msg() function in + libpurple/protocols/msn/slplink.c in libpurple as used in Pidgin + doesn't properly process incoming SLP messages, triggering an overwrite + of an arbitrary memory location (CVE-2009-2694). NOTE: This issue + reportedly exists because of an incomplete fix for CVE-2009-1376 (GLSA + 200905-07).
  • +
  • bugdave reported that protocols/jabber/auth.c in + libpurple as used in Pidgin does not follow the "require TSL/SSL" + preference when connecting to older Jabber servers that do not follow + the XMPP specification, resulting in a connection to the server without + the expected encryption (CVE-2009-3026).
  • +
+
+ +

+ A remote attacker could send specially crafted SLP (via MSN) or ICQ web + messages, possibly leading to execution of arbitrary code with the + privileges of the user running Pidgin, unauthorized information + disclosure, or a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Pidgin users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/pidgin-2.5.9-r1" +
+ + CVE-2009-1376 + CVE-2009-1889 + CVE-2009-2694 + CVE-2009-3026 + GLSA 200905-07 + + + a3li + + + keytoaster + + + keytoaster + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200910-03.xml b/xml/htdocs/security/en/glsa/glsa-200910-03.xml new file mode 100644 index 00000000..e97184cb --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200910-03.xml @@ -0,0 +1,91 @@ + + + + + + + Adobe Reader: Multiple vulnerabilities + + Multiple vulnerabilities in Adobe Reader might result in the execution of + arbitrary code, or other attacks. + + acroread + October 25, 2009 + October 25, 2009: 01 + 289016 + remote + + + 9.2 + 9.2 + + + +

+ Adobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF + reader. +

+
+ +

+ Multiple vulnerabilities were discovered in Adobe Reader. For further + information please consult the CVE entries and the Adobe Security + Bulletin referenced below. +

+
+ +

+ A remote attacker might entice a user to open a specially crafted PDF + file, possibly resulting in the execution of arbitrary code with the + privileges of the user running the application, Denial of Service, the + creation of arbitrary files on the victim's system, "Trust Manager" + bypass, or social engineering attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Reader users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/acroread-9.2" +
+ + APSB09-15 + CVE-2007-0045 + CVE-2007-0048 + CVE-2009-2979 + CVE-2009-2980 + CVE-2009-2981 + CVE-2009-2982 + CVE-2009-2983 + CVE-2009-2985 + CVE-2009-2986 + CVE-2009-2988 + CVE-2009-2990 + CVE-2009-2991 + CVE-2009-2993 + CVE-2009-2994 + CVE-2009-2996 + CVE-2009-2997 + CVE-2009-2998 + CVE-2009-3431 + CVE-2009-3458 + CVE-2009-3459 + CVE-2009-3462 + + + keytoaster + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200911-01.xml b/xml/htdocs/security/en/glsa/glsa-200911-01.xml new file mode 100644 index 00000000..869fe1c0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200911-01.xml @@ -0,0 +1,96 @@ + + + + + + + Horde: Multiple vulnerabilities + + Multiple vulnerabilities in the Horde Application Framework can allow for + arbitrary files to be overwritten and cross-site scripting attacks. + + horde horde-webmail horde-groupware + November 06, 2009 + November 06, 2009: 01 + 285052 + remote + + + 3.3.5 + 3.3.5 + + + 1.2.4 + 1.2.4 + + + 1.2.4 + 1.2.4 + + + +

+ Horde is a web application framework written in PHP. +

+
+ +

+ Multiple vulnerabilities have been discovered in Horde: +

+
    +
  • Stefan Esser of Sektion1 reported an error within the form library + when handling image form fields (CVE-2009-3236).
  • +
  • Martin + Geisler and David Wharton reported that an error exists in the MIME + viewer library when viewing unknown text parts and the preferences + system in services/prefs.php when handling number preferences + (CVE-2009-3237).
  • +
+
+ +

+ A remote authenticated attacker could exploit these vulnerabilities to + overwrite arbitrary files on the server, provided that the user has + write permissions. A remote authenticated attacker could conduct + Cross-Site Scripting attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Horde users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-3.3.5" +

+ All Horde webmail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-webmail-1.2.4" +

+ All Horde groupware users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/horde-groupware-1.2.4" +
+ + CVE-2009-3236 + CVE-2009-3237 + + + keytoaster + + + chainsaw + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200911-02.xml b/xml/htdocs/security/en/glsa/glsa-200911-02.xml new file mode 100644 index 00000000..e7ed9d7a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200911-02.xml @@ -0,0 +1,240 @@ + + + + + + + Sun JDK/JRE: Multiple vulnerabilites + + Multiple vulnerabilites in the Sun JDK and JRE allow for several attacks, + including the remote execution of arbitrary code. + + sun-jre-bin sun-jdk emul-linux-x86-java blackdown-jre blackdown-jdk + November 17, 2009 + November 17, 2009: 01 + 182824 + 231337 + 250012 + 263810 + 280409 + 291817 + remote + + + 1.5.0.22 + 1.6.0.17 + 1.6.0.17 + + + 1.5.0.22 + 1.6.0.17 + 1.6.0.17 + + + 1.4.2.03-r14 + + + 1.4.2.03-r16 + + + 1.5.0.22 + 1.6.0.17 + 1.6.0.17 + + + +

+ The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment + (JRE) provide the Sun Java platform. +

+
+ +

+ Multiple vulnerabilites have been reported in the Sun Java + implementation. Please review the CVE identifiers referenced below and + the associated Sun Alerts for details. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted JAR + archive, applet, or Java Web Start application, possibly resulting in + the execution of arbitrary code with the privileges of the user running + the application. Furthermore, a remote attacker could cause a Denial of + Service affecting multiple services via several vectors, disclose + information and memory contents, write or execute local files, conduct + session hijacking attacks via GIFAR files, steal cookies, bypass the + same-origin policy, load untrusted JAR files, establish network + connections to arbitrary hosts and posts via several vectors, modify + the list of supported graphics configurations, bypass HMAC-based + authentication systems, escalate privileges via several vectors and + cause applet code to be executed with older, possibly vulnerable + versions of the JRE. +

+

+ NOTE: Some vulnerabilities require a trusted environment, user + interaction, a DNS Man-in-the-Middle or Cross-Site-Scripting attack. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Sun JRE 1.5.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.5.0.22" +

+ All Sun JRE 1.6.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.17" +

+ All Sun JDK 1.5.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.5.0.22" +

+ All Sun JDK 1.6.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.17" +

+ All users of the precompiled 32bit Sun JRE 1.5.x should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.5.0.22" +

+ All users of the precompiled 32bit Sun JRE 1.6.x should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.6.0.17" +

+ All Sun JRE 1.4.x, Sun JDK 1.4.x, Blackdown JRE, Blackdown JDK and + precompiled 32bit Sun JRE 1.4.x users are strongly advised to unmerge + Java 1.4: +

+ + # emerge --unmerge =app-emulation/emul-linux-x86-java-1.4* + # emerge --unmerge =dev-java/sun-jre-bin-1.4* + # emerge --unmerge =dev-java/sun-jdk-1.4* + # emerge --unmerge dev-java/blackdown-jdk + # emerge --unmerge dev-java/blackdown-jre +

+ Gentoo is ceasing support for the 1.4 generation of the Sun Java + Platform in accordance with upstream. All 1.4 JRE and JDK versions are + masked and will be removed shortly. +

+
+ + CVE-2008-2086 + CVE-2008-3103 + CVE-2008-3104 + CVE-2008-3105 + CVE-2008-3106 + CVE-2008-3107 + CVE-2008-3108 + CVE-2008-3109 + CVE-2008-3110 + CVE-2008-3111 + CVE-2008-3112 + CVE-2008-3113 + CVE-2008-3114 + CVE-2008-3115 + CVE-2008-5339 + CVE-2008-5340 + CVE-2008-5341 + CVE-2008-5342 + CVE-2008-5343 + CVE-2008-5344 + CVE-2008-5345 + CVE-2008-5346 + CVE-2008-5347 + CVE-2008-5348 + CVE-2008-5349 + CVE-2008-5350 + CVE-2008-5351 + CVE-2008-5352 + CVE-2008-5353 + CVE-2008-5354 + CVE-2008-5355 + CVE-2008-5356 + CVE-2008-5357 + CVE-2008-5358 + CVE-2008-5359 + CVE-2008-5360 + CVE-2009-1093 + CVE-2009-1094 + CVE-2009-1095 + CVE-2009-1096 + CVE-2009-1097 + CVE-2009-1098 + CVE-2009-1099 + CVE-2009-1100 + CVE-2009-1101 + CVE-2009-1102 + CVE-2009-1103 + CVE-2009-1104 + CVE-2009-1105 + CVE-2009-1106 + CVE-2009-1107 + CVE-2009-2409 + CVE-2009-2475 + CVE-2009-2476 + CVE-2009-2670 + CVE-2009-2671 + CVE-2009-2672 + CVE-2009-2673 + CVE-2009-2674 + CVE-2009-2675 + CVE-2009-2676 + CVE-2009-2689 + CVE-2009-2690 + CVE-2009-2716 + CVE-2009-2718 + CVE-2009-2719 + CVE-2009-2720 + CVE-2009-2721 + CVE-2009-2722 + CVE-2009-2723 + CVE-2009-2724 + CVE-2009-3728 + CVE-2009-3729 + CVE-2009-3865 + CVE-2009-3866 + CVE-2009-3867 + CVE-2009-3868 + CVE-2009-3869 + CVE-2009-3871 + CVE-2009-3872 + CVE-2009-3873 + CVE-2009-3874 + CVE-2009-3875 + CVE-2009-3876 + CVE-2009-3877 + CVE-2009-3879 + CVE-2009-3880 + CVE-2009-3881 + CVE-2009-3882 + CVE-2009-3883 + CVE-2009-3884 + CVE-2009-3886 + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200911-03.xml b/xml/htdocs/security/en/glsa/glsa-200911-03.xml new file mode 100644 index 00000000..06c25cff --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200911-03.xml @@ -0,0 +1,99 @@ + + + + + + + UW IMAP toolkit: Multiple vulnerabilities + + Multiple vulnerabilities have been found in the UW IMAP toolkit and the + c-client library, the worst of which leading to the execution of arbitrary + code. + + c-client uw-imap + November 25, 2009 + November 25, 2009: 01 + 245425 + 252567 + remote + + + 2007e + 2007e + + + 2007e + 2007e + + + +

+ The UW IMAP toolkit is a daemon for the IMAP and POP3 network mail + protocols. The c-client library provides an API for IMAP, POP3 and + other protocols. +

+
+ +

+ Multiple vulnerabilities were found in the UW IMAP toolkit: +

+
    +
  • Aron Andersson and Jan Sahlin of Bitsec reported boundary errors in + the "tmail" and "dmail" utilities when processing overly long mailbox + names, leading to stack-based buffer overflows (CVE-2008-5005).
  • +
  • An error in smtp.c in the c-client library was found, leading to a + NULL pointer dereference vulnerability (CVE-2008-5006).
  • +
  • Ludwig + Nussel reported an off-by-one error in the rfc822_output_char() + function in the RFC822BUFFER routines in the c-client library, as used + by the UW IMAP toolkit (CVE-2008-5514).
  • +
+
+ +

+ A remote attacker could send an e-mail to a destination mailbox name + composed of a username and '+' character followed by a long string, + possibly leading to the execution of arbitrary code. A local attacker + could gain privileges by specifying a long folder extension argument to + the tmail or dmail program. Furthermore, a remote attacker could send a + specially crafted mail message to the UW IMAP toolkit or another daemon + using the c-client library, leading to a Denial of Service. A remote + SMTP server could respond to the QUIT command with a close of the TCP + connection instead of the expected 221 response code, possibly leading + to a Denial of Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All c-client library users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/c-client-2007e" +

+ All UW IMAP toolkit users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/uw-imap-2007e" +
+ + CVE-2008-5005 + CVE-2008-5006 + CVE-2008-5514 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200911-04.xml b/xml/htdocs/security/en/glsa/glsa-200911-04.xml new file mode 100644 index 00000000..46bdc39c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200911-04.xml @@ -0,0 +1,68 @@ + + + + + + + dstat: Untrusted search path + + An untrusted search path vulnerability in the dstat might result in the + execution of arbitrary code. + + dstat + November 25, 2009 + November 25, 2009: 01 + 293497 + local + + + 0.6.9-r1 + 0.6.9-r1 + + + +

+ dstat is a versatile system resource monitor written in Python. +

+
+ +

+ Robert Buchholz of the Gentoo Security Team reported that dstat + includes the current working directory and subdirectories in the Python + module search path (sys.path) before calling "import". +

+
+ +

+ A local attacker could entice a user to run "dstat" from a directory + containing a specially crafted Python module, resulting in the + execution of arbitrary code with the privileges of the user running the + application. +

+
+ +

+ Do not run "dstat" from untrusted working directories. +

+
+ +

+ All dstat users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/dstat-0.6.9-r1" +
+ + CVE-2009-3894 + + + rbu + + + rbu + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200911-05.xml b/xml/htdocs/security/en/glsa/glsa-200911-05.xml new file mode 100644 index 00000000..b594167c --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200911-05.xml @@ -0,0 +1,88 @@ + + + + + + + Wireshark: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Wireshark, allowing for + the remote execution of arbitrary code, or Denial of Service. + + wireshark + November 25, 2009 + November 25, 2009: 01 + 285280 + 290710 + remote + + + 1.2.3 + 1.2.3 + + + +

+ Wireshark is a versatile network protocol analyzer. +

+
+ +

+ Multiple vulnerabilities have been discovered in Wireshark: +

+
  • Ryan Giobbi reported an integer overflow in wiretap/erf.c + (CVE-2009-3829).
  • +
  • The vendor reported multiple unspecified + vulnerabilities in the Bluetooth L2CAP, RADIUS, and MIOP dissectors + (CVE-2009-2560), in the OpcUa dissector (CVE-2009-3241), in packet.c in + the GSM A RR dissector (CVE-2009-3242), in the TLS dissector + (CVE-2009-3243), in the Paltalk dissector (CVE-2009-3549), in the + DCERPC/NT dissector (CVE-2009-3550), and in the + dissect_negprot_response() function in packet-smb.c in the SMB + dissector (CVE-2009-3551).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted "erf" + file using Wireshark, possibly resulting in the execution of arbitrary + code with the privileges of the user running the application. A remote + attacker could furthermore send specially crafted packets on a network + being monitored by Wireshark or entice a user to open a malformed + packet trace file using Wireshark, possibly resulting in a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Wireshark users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.2.3" +
+ + CVE-2009-2560 + CVE-2009-3241 + CVE-2009-3242 + CVE-2009-3243 + CVE-2009-3549 + CVE-2009-3550 + CVE-2009-3551 + CVE-2009-3829 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200911-06.xml b/xml/htdocs/security/en/glsa/glsa-200911-06.xml new file mode 100644 index 00000000..5ab8b37d --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200911-06.xml @@ -0,0 +1,71 @@ + + + + + + + PEAR Net_Traceroute: Command injection + + An input sanitation error in PEAR Net_Traceroute might allow remote + attackers to execute arbitrary commands. + + PEAR-Net_Traceroute + November 26, 2009 + November 26, 2009: 01 + 294264 + remote + + + 0.21.2 + 0.21.2 + + + +

+ PEAR Net_Traceroute is an OS independent wrapper class for executing + traceroute calls from PHP. +

+
+ +

+ Pasquale Imperato reported that the $host parameter to the traceroute() + function in Traceroute.php is not properly sanitized before being + passed to exec(). +

+
+ +

+ A remote attacker could exploit this vulnerability when user input is + passed directly to PEAR Net_Traceroute in a PHP script, possibly + resulting in the remote execution of arbitrary shell commands with the + privileges of the user running the affected PHP script. +

+
+ +

+ Ensure that all data that is passed to the traceroute() function is + properly shell escaped (for instance using the escapeshellcmd() + function). +

+
+ +

+ All PEAR Net_Traceroute users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/PEAR-Net_Traceroute-0.21.2" +
+ + CVE-2009-4025 + + + a3li + + + a3li + + + a3li + +
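Review bot: The workaround paragraph recommends escapeshellcmd() for the $host value handed to traceroute(), but escapeshellcmd() only neutralises shell metacharacters and leaves whitespace alone, so a caller that applies it can still have extra traceroute options injected into the exec() call; escapeshellarg(), which quotes the whole value as one argument, is the appropriate function for a single parameter. I would reword the workaround as `properly shell escaped as a single argument (for instance using the escapeshellarg() function), and preferably validated as a hostname or IP address before being passed`. It is also worth stating that this is caller-side mitigation only and the upgrade remains the actual fix, since the missing escaping lives inside the library.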
diff --git a/xml/htdocs/security/en/glsa/glsa-200912-01.xml b/xml/htdocs/security/en/glsa/glsa-200912-01.xml new file mode 100644 index 00000000..b8efbb45 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200912-01.xml @@ -0,0 +1,97 @@ + + + + + + + OpenSSL: Multiple vulnerabilities + + Multiple vulnerabilities in OpenSSL might allow remote attackers to conduct + multiple attacks, including the injection of arbitrary data into encrypted + byte streams. + + openssl + December 01, 2009 + December 02, 2009: 02 + 270305 + 280591 + 292022 + remote + + + 0.9.8l-r2 + 0.9.8l-r2 + + + +

+ OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer + (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general + purpose cryptography library. +

+
+ +

+ Multiple vulnerabilities have been reported in OpenSSL: +

+
    +
  • Marsh Ray of PhoneFactor and Martin Rex of SAP independently + reported that the TLS protocol does not properly handle session + renegotiation requests (CVE-2009-3555).
  • +
  • The MD2 hash algorithm is no longer considered to be + cryptographically strong, as demonstrated by Dan Kaminsky. Certificates + using this algorithm are no longer accepted (CVE-2009-2409).
  • +
  • Daniel Mentz and Robin Seggelmann reported the following + vulnerabilities related to DTLS: A use-after-free flaw (CVE-2009-1379) + and a NULL pointer dereference (CVE-2009-1387) in the + dtls1_retrieve_buffered_fragment() function in src/d1_both.c, multiple + memory leaks in the dtls1_process_out_of_seq_message() function in + src/d1_both.c (CVE-2009-1378), and a processing error related to a + large amount of DTLS records with a future epoch in the + dtls1_buffer_record() function in ssl/d1_pkt.c + (CVE-2009-1377).
  • +
+
+ +

+ A remote unauthenticated attacker, acting as a Man in the Middle, could + inject arbitrary plain text into a TLS session, possibly leading to the + ability to send requests as if authenticated as the victim. A remote + attacker could furthermore send specially crafted DTLS packages to a + service using OpenSSL for DTLS support, possibly resulting in a Denial + of Service. Also, a remote attacker might be able to create rogue + certificates, facilitated by a MD2 collision. NOTE: The amount of + computation needed for this attack is still very large. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All OpenSSL users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8l-r2" +
+ + CVE-2009-1377 + CVE-2009-1378 + CVE-2009-1379 + CVE-2009-1387 + CVE-2009-2409 + CVE-2009-3555 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-200912-02.xml b/xml/htdocs/security/en/glsa/glsa-200912-02.xml new file mode 100644 index 00000000..f09e90a1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-200912-02.xml @@ -0,0 +1,118 @@ + + + + + + + Ruby on Rails: Multiple vulnerabilities + + Multiple vulnerabilities have been discovered in Rails, the worst of which + leading to the execution of arbitrary SQL statements. + + rails + December 20, 2009 + December 20, 2009: 01 + 200159 + 237385 + 247549 + 276279 + 283396 + 294797 + remote + + + 2.3.5 + 2.2.3-r1 + 2.2.2 + + + +

+ Ruby on Rails is a web-application and persistence framework. +

+
+ +

+ The following vulnerabilities were discovered: +

+
    +
  • sameer + reported that lib/action_controller/cgi_process.rb removes the + :cookie_only attribute from the default session options + (CVE-2007-6077), due to an incomplete fix for CVE-2007-5380 (GLSA + 200711-17).
  • +
  • Tobias Schlottke reported that the :limit and + :offset parameters of ActiveRecord::Base.find() are not properly + sanitized before being processed (CVE-2008-4094).
  • +
  • Steve from + Coderrr reported that the CRSF protection in protect_from_forgery() + does not parse the text/plain MIME format (CVE-2008-7248).
  • +
  • Nate reported a documentation error that leads to the assumption + that a block returning nil passed to + authenticate_or_request_with_http_digest() would deny access to the + requested resource (CVE-2009-2422).
  • +
  • Brian Mastenbrook reported + an input sanitation flaw, related to multibyte characters + (CVE-2009-3009).
  • +
  • Gabe da Silveira reported an input sanitation + flaw in the strip_tags() function (CVE-2009-4214).
  • +
  • Coda Hale + reported an information disclosure vulnerability related to HMAC + digests (CVE-2009-3086).
  • +
+
+ +

+ A remote attacker could send specially crafted requests to a vulnerable + application, possibly leading to the execution of arbitrary SQL + statements or a circumvention of access control. A remote attacker + could also conduct session fixation attacks to hijack a user's session + or bypass the CSRF protection mechanism, or furthermore conduct + Cross-Site Scripting attacks or forge a digest via multiple attempts. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ruby on Rails 2.3.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-ruby/rails-2.3.5" +

+ All Ruby on Rails 2.2.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "=dev-ruby/rails-2.2.3-r1" +

+ NOTE: All applications using Ruby on Rails should also be configured to + use the latest version available by running "rake rails:update" inside + the application directory. +

+
+ + CVE-2007-5380 + CVE-2007-6077 + CVE-2008-4094 + CVE-2008-7248 + CVE-2009-2422 + CVE-2009-3009 + CVE-2009-3086 + CVE-2009-4214 + GLSA 200711-17 + + + keytoaster + + + p-y + + + p-y + +
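Review bot: The third bullet of the description spells the mechanism as "CRSF protection" where the impact paragraph later uses "CSRF"; the acronym should be consistent, `reported that the CSRF protection in protect_from_forgery()`. The text is what readers search on, so a misspelled term makes the advisory harder to find and reads as a different mechanism.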
diff --git a/xml/htdocs/security/en/glsa/glsa-201001-01.xml b/xml/htdocs/security/en/glsa/glsa-201001-01.xml new file mode 100644 index 00000000..9063161f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201001-01.xml @@ -0,0 +1,68 @@ + + + + + + + NTP: Denial of Service + + A Denial of Service condition in ntpd can cause excessive CPU or bandwidth + consumption. + + ntp + January 03, 2010 + January 03, 2010: 01 + 290881 + remote + + + 4.2.4_p7-r1 + 4.2.4_p7-r1 + + + +

+ NTP is a set of the Network Time Protocol programs. +

+
+ +

+ Robin Park and Dmitri Vinokurov discovered that ntp_request.c in ntpd + does not handle MODE_PRIVATE packets correctly, causing a continuous + exchange of MODE_PRIVATE error responses between two NTP daemons or + causing high CPU load on a single host. +

+
+ +

+ A remote, unauthenticated attacker could send a specially crafted + MODE_PRIVATE packet, allowing for a Denial of Service condition (CPU + and bandwidth consumption). +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All NTP users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.4_p7-r1" +
+ + CVE-2009-3563 + + + craig + + + craig + + + craig + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201001-02.xml b/xml/htdocs/security/en/glsa/glsa-201001-02.xml new file mode 100644 index 00000000..4d68d073 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201001-02.xml @@ -0,0 +1,85 @@ + + + + + + + Adobe Flash Player: Multiple vulnerabilities + + Multiple vulnerabilities in Adobe Flash Player might allow remote attackers + to execute arbitrary code or cause a Denial of Service. + + adobe-flash + January 03, 2010 + January 03, 2010: 01 + 296407 + remote + + + 10.0.42.34 + 10.0.42.34 + + + +

+ The Adobe Flash Player is a renderer for the SWF file format, which is + commonly used to provide interactive websites. +

+
+ +

+ Multiple vulnerabilities have been discovered in Adobe Flash Player: +

+
  • An anonymous researcher working with the Zero Day + Initiative reported that Adobe Flash Player does not properly process + JPEG files (CVE-2009-3794).
  • +
  • Jim Cheng of EffectiveUI reported + an unspecified data injection vulnerability (CVE-2009-3796).
  • +
  • Bing Liu of Fortinet's FortiGuard Labs reported multiple + unspecified memory corruption vulnerabilities (CVE-2009-3797, + CVE-2009-3798).
  • +
  • Damian Put reported an integer overflow in the + Verifier::parseExceptionHandlers() function (CVE-2009-3799).
  • +
  • Will Dormann of CERT reported multiple unspecified Denial of + Service vulnerabilities (CVE-2009-3800).
  • +
+
+ +

+ A remote attacker could entice a user to open a specially crafted SWF + file, possibly resulting in the remote execution of arbitrary code with + the privileges of the user running the application, or a Denial of + Service via unknown vectors. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Adobe Flash Player users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-10.0.42.34" +
+ + CVE-2009-3794 + CVE-2009-3796 + CVE-2009-3797 + CVE-2009-3798 + CVE-2009-3799 + CVE-2009-3800 + + + craig + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201001-03.xml b/xml/htdocs/security/en/glsa/glsa-201001-03.xml new file mode 100644 index 00000000..09e9ee24 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201001-03.xml @@ -0,0 +1,118 @@ + + + + + + + PHP: Multiple vulnerabilities + + Multiple vulnerabilities were found in PHP, the worst of which leading to + the remote execution of arbitrary code. + + php + January 05, 2010 + January 05, 2010: 01 + 249875 + 255121 + 260576 + 261192 + 266125 + 274670 + 280602 + 285434 + 292132 + 293888 + 297369 + 297370 + local remote + + + 5.2.12 + 5.2.12 + + + +

+ PHP is a widely-used general-purpose scripting language that is + especially suited for Web development and can be embedded into HTML. +

+
+ +

+ Multiple vulnerabilities have been discovered in PHP. Please review the + CVE identifiers referenced below and the associated PHP release notes + for details. +

+
+ +

+ A context-dependent attacker could execute arbitrary code via a + specially crafted string containing an HTML entity when the mbstring + extension is enabled. Furthermore a remote attacker could execute + arbitrary code via a specially crafted GD graphics file. +

+

+ A remote attacker could also cause a Denial of Service via a malformed + string passed to the json_decode() function, via a specially crafted + ZIP file passed to the php_zip_make_relative_path() function, via a + malformed JPEG image passed to the exif_read_data() function, or via + temporary file exhaustion. It is also possible for an attacker to spoof + certificates, bypass various safe_mode and open_basedir restrictions + when certain criteria are met, perform Cross-site scripting attacks, + more easily perform SQL injection attacks, manipulate settings of other + virtual hosts on the same server via a malicious .htaccess entry when + running on Apache, disclose memory portions, and write arbitrary files + via a specially crafted ZIP archive. Some vulnerabilities with unknown + impact and attack vectors have been reported as well. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All PHP users should upgrade to the latest version. As PHP is + statically linked against a vulnerable version of the c-client library + when the imap or kolab USE flag is enabled (GLSA 200911-03), users + should upgrade net-libs/c-client beforehand: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/c-client-2007e" + # emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.12" +
+ + CVE-2008-5498 + CVE-2008-5514 + CVE-2008-5557 + CVE-2008-5624 + CVE-2008-5625 + CVE-2008-5658 + CVE-2008-5814 + CVE-2008-5844 + CVE-2008-7002 + CVE-2009-0754 + CVE-2009-1271 + CVE-2009-1272 + CVE-2009-2626 + CVE-2009-2687 + CVE-2009-3291 + CVE-2009-3292 + CVE-2009-3293 + CVE-2009-3546 + CVE-2009-3557 + CVE-2009-3558 + CVE-2009-4017 + CVE-2009-4142 + CVE-2009-4143 + GLSA 200911-03 + + + keytoaster + + + rbu + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201001-04.xml b/xml/htdocs/security/en/glsa/glsa-201001-04.xml new file mode 100644 index 00000000..4a2f22b1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201001-04.xml @@ -0,0 +1,107 @@ + + + + + + + VirtualBox: Multiple vulnerabilities + + Multiple vulnerabilities in VirtualBox were found, the worst of which + allowing for privilege escalation. + + virtualbox-bin virtualbox-ose virtualbox-guest-additions virtualbox-ose-additions + January 13, 2010 + January 13, 2010: 01 + 288836 + 294678 + local + + + 3.0.12 + 3.0.12 + + + 3.0.12 + 3.0.12 + + + 3.0.12 + 3.0.12 + + + 3.0.12 + 3.0.12 + + + +

+ The VirtualBox family provides powerful x86 virtualization products. +

+
+ +

+ Thomas Biege of SUSE discovered multiple vulnerabilities: +

+
  • A shell metacharacter injection in popen() (CVE-2009-3692) and + a possible buffer overflow in strncpy() in the VBoxNetAdpCtl + configuration tool.
  • +
  • An unspecified vulnerability in VirtualBox + Guest Additions (CVE-2009-3940).
  • +
+
+ +

+ A local, unprivileged attacker with the permission to run VirtualBox + could gain root privileges. A guest OS local user could cause a Denial + of Service (memory consumption) on the guest OS via unknown vectors. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All users of the binary version of VirtualBox should upgrade to the + latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-bin-3.0.12" +

+ All users of the Open Source version of VirtualBox should upgrade to + the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-ose-3.0.12" +

+ All users of the binary VirtualBox Guest Additions should upgrade to + the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-guest-additions-3.0.12" +

+ All users of the Open Source VirtualBox Guest Additions should upgrade + to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-ose-additions-3.0.12" +
+ + CVE-2009-3692 + CVE-2009-3940 + + + craig + + + craig + + + craig + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201001-05.xml b/xml/htdocs/security/en/glsa/glsa-201001-05.xml new file mode 100644 index 00000000..51bfb5f0 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201001-05.xml @@ -0,0 +1,69 @@ + + + + + + + net-snmp: Authorization bypass + + A remote attacker can bypass the tcp-wrappers client authorization in + net-snmp. + + net-snmp + January 13, 2010 + January 13, 2010: 01 + 250429 + remote + + + 5.4.2.1-r1 + 5.4.2.1-r1 + + + +

+ net-snmp bundles software for generating and retrieving SNMP data. +

+
+ +

+ The netsnmp_udp_fmtaddr() function (snmplib/snmpUDPDomain.c), when + using TCP wrappers for client authorization, does not properly parse + hosts.allow rules. +

+
+ +

+ A remote, unauthenticated attacker could bypass the ACL filtering, + possibly resulting in the execution of arbitrary SNMP queries. +

+
+ +

+ If possible, protect net-snmp with custom iptables rules: +

+ + iptables -s [client] -d [host] -p udp --dport 161 -j ACCEPT + iptables -s 0.0.0.0/0 -d [host] -p udp --dport 161 -j DROP +
+ +

+ All net-snmp users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.4.2.1-r1" +
+ + CVE-2008-6123 + + + craig + + + craig + + + craig + +
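Review bot: The two iptables lines in the workaround carry no command verb, so copied as written they fail with a usage error rather than installing a rule; each needs a chain operation such as `iptables -A INPUT -s [client] -d [host] -p udp --dport 161 -j ACCEPT` and `iptables -A INPUT -s 0.0.0.0/0 -d [host] -p udp --dport 161 -j DROP`. The rules should also state that the ACCEPT line is repeated per trusted client and must precede the DROP line, since the workaround replaces the bypassed hosts.allow check entirely. The same layout appears only in this advisory; the other hunks carry no firewall snippets.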
diff --git a/xml/htdocs/security/en/glsa/glsa-201001-06.xml b/xml/htdocs/security/en/glsa/glsa-201001-06.xml new file mode 100644 index 00000000..fc4830e4 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201001-06.xml @@ -0,0 +1,70 @@ + + + + + + + aria2: Multiple vulnerabilities + + A buffer overflow and a format string vulnerability in aria2 allow remote + attackers to execute arbitrary code. + + aria2 + January 13, 2010 + January 13, 2010: 01 + 288291 + remote + + + 1.6.3 + 1.6.3 + + + +

+ aria2 is a download utility with resuming and segmented downloading + with HTTP/HTTPS/FTP/BitTorrent support. +

+
+ +

+ Tatsuhiro Tsujikawa reported a buffer overflow in + DHTRoutingTableDeserializer.cc (CVE-2009-3575) and a format string + vulnerability in the AbstractCommand::onAbort() function in + src/AbstractCommand.cc (CVE-2009-3617). +

+
+ +

+ A remote, unauthenticated attacker could possibly execute arbitrary + code with the privileges of the user running the application or cause a + Denial of Service (application crash). +

+
+ +

+ Do not use DHT (CVE-2009-3575) and disable logging (CVE-2009-3617). +

+
+ +

+ All aria2 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/aria2-1.6.3" +
+ + CVE-2009-3575 + CVE-2009-3617 + + + keytoaster + + + craig + + + craig + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201001-07.xml b/xml/htdocs/security/en/glsa/glsa-201001-07.xml new file mode 100644 index 00000000..071aa2c1 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201001-07.xml @@ -0,0 +1,68 @@ + + + + + + + Blender: Untrusted search path + + An untrusted search path vulnerability in Blender might result in the + execution of arbitrary code. + + blender + January 13, 2010 + January 13, 2010: 01 + 245310 + local + + + 2.48a-r3 + 2.48a-r3 + + + +

+ Blender is a 3D Creation/Animation/Publishing System. +

+
+ +

+ Steffen Joeris reported that Blender's BPY_interface calls + PySys_SetArgv() in such a way that Python prepends sys.path with an + empty string. +

+
+ +

+ A local attacker could entice a user to run "blender" from a directory + containing a specially crafted Python module, resulting in the + execution of arbitrary code with the privileges of the user running the + application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Blender users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/blender-2.48a-r3" +
+ + CVE-2008-4863 + + + keytoaster + + + craig + + + craig + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201001-08.xml b/xml/htdocs/security/en/glsa/glsa-201001-08.xml new file mode 100644 index 00000000..babfc096 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201001-08.xml @@ -0,0 +1,87 @@ + + + + + + + SquirrelMail: Multiple vulnerabilities + + Multiple vulnerabilities were found in SquirrelMail of which the worst + results in remote code execution. + + squirrelmail + January 13, 2010 + January 13, 2010: 01 + 269567 + 270671 + remote + + + 1.4.19 + 1.4.19 + + + +

+ SquirrelMail is a standards-based webmail package written in PHP. +

+
+ +

+ Multiple vulnerabilities were found in SquirrelMail: +

+
  • Niels + Teusink reported multiple input sanitation flaws in certain encrypted + strings in e-mail headers, related to contrib/decrypt_headers.php, + PHP_SELF and the query string (aka QUERY_STRING) (CVE-2009-1578). +
  • +
  • Niels Teusink also reported that the map_yp_alias() function + in functions/imap_general.php does not filter shell metacharacters in a + username and that the original patch was incomplete (CVE-2009-1381, + CVE-2009-1579). +
  • +
  • Tomas Hoger discovered an unspecified session fixation + vulnerability (CVE-2009-1580). +
  • +
  • Luc Beurton reported that functions/mime.php does not protect + the application's content from Cascading Style Sheets (CSS) positioning + in HTML e-mail messages (CVE-2009-1581). +
  • +
+
+ +

+ The vulnerabilities allow remote attackers to execute arbitrary code + with the privileges of the user running the web server, to hijack web + sessions via a crafted cookie, to spoof the user interface and to + conduct Cross-Site Scripting and phishing attacks, via a specially + crafted message. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SquirrelMail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.19" +
+ + CVE-2009-1381 + CVE-2009-1578 + CVE-2009-1579 + CVE-2009-1580 + CVE-2009-1581 + + + craig + + + craig + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201001-09.xml b/xml/htdocs/security/en/glsa/glsa-201001-09.xml new file mode 100644 index 00000000..db1255a6 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201001-09.xml @@ -0,0 +1,79 @@ + + + + + + + Ruby: Terminal Control Character Injection + + An input sanitation flaw in the WEBrick HTTP server included in Ruby might + allow remote attackers to inject arbitrary control characters into terminal + sessions. + + ruby + January 14, 2010 + January 14, 2010: 01 + 300468 + remote + + + 1.8.7_p249 + 1.8.6_p388 + 1.8.7_p249 + + + +

+ Ruby is an interpreted scripting language for quick and easy + object-oriented programming. It comes bundled with a HTTP server + ("WEBrick"). +

+
+ +

+ Giovanni Pellerano, Alessandro Tanasi and Francesco Ongaro reported + that WEBrick does not filter terminal control characters, for instance + when handling HTTP logs. +

+
+ +

+ A remote attacker could send a specially crafted HTTP request to a + WEBrick server to inject arbitrary terminal control characters, + possibly resulting in the execution of arbitrary commands, data loss, + or other unspecified impact. This could also be used to facilitate + other attacks. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Ruby 1.8.7 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.7_p249" +

+ All Ruby 1.8.6 users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.6_p388" +
+ + CVE-2009-4492 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201003-01.xml b/xml/htdocs/security/en/glsa/glsa-201003-01.xml new file mode 100644 index 00000000..8cdf7b8a --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201003-01.xml @@ -0,0 +1,78 @@ + + + + + + + sudo: Privilege escalation + + Two vulnerabilities in sudo might allow local users to escalate privileges + and execute arbitrary code with root privileges. + + sudo + March 03, 2010 + March 03, 2010: 01 + 306865 + local + + + 1.7.2_p4 + 1.7.2_p4 + + + +

+ sudo allows a system administrator to give users the ability to run + commands as other users. +

+
+ +

+ Multiple vulnerabilities have been discovered in sudo: +

+
    +
  • Glenn Waller and neonsignal reported that sudo does not properly + handle access control of the "sudoedit" pseudo-command + (CVE-2010-0426).
  • +
  • Harald Koenig reported that sudo does not + properly set supplementary groups when using the "runas_default" option + (CVE-2010-0427).
  • +
+
+ +

+ A local attacker with privileges to use "sudoedit" or the privilege to + execute commands with the "runas_default" setting enabled could + leverage these vulnerabilities to execute arbitrary code with elevated + privileges. +

+
+ +

+ CVE-2010-0426: Revoke all "sudoedit" privileges, or use the full path + to sudoedit. CVE-2010-0427: Remove all occurrences of the + "runas_default" setting. +

+
+ +

+ All sudo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.7.2_p4" +
+ + CVE-2010-0426 + CVE-2010-0427 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-01.xml b/xml/htdocs/security/en/glsa/glsa-201006-01.xml new file mode 100644 index 00000000..da2a6fbc --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201006-01.xml @@ -0,0 +1,75 @@ + + + + + + + FreeType 1: User-assisted execution of arbitrary code + + Multiple vulnerabilities in FreeType might result in the remote execution + of arbitrary code. + + freetype + June 01, 2010 + June 01, 2010: 01 + 271234 + remote + + + 1.4_pre20080316-r2 + 1.4_pre20080316-r2 + + + +

+ FreeType is a True Type Font rendering library. +

+
+ +

+ Multiple issues found in FreeType 2 were also discovered in FreeType 1. + For details on these issues, please review the Gentoo Linux Security + Advisories and CVE identifiers referenced below. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted TTF + file, possibly resulting in the execution of arbitrary code with the + privileges of the user running FreeType. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All FreeType 1 users should upgrade to an unaffected version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/freetype-1.4_pre20080316-r2" +

+ NOTE: This is a legacy GLSA. Updates for all affected architectures are + available since May 27, 2009. It is likely that your system is already + no longer affected by this issue. +

+
+ + CVE-2006-1861 + CVE-2007-2754 + GLSA 200607-02 + GLSA 200705-22 + + + keytoaster + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-02.xml b/xml/htdocs/security/en/glsa/glsa-201006-02.xml new file mode 100644 index 00000000..9ddb3e23 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201006-02.xml @@ -0,0 +1,76 @@ + + + + + + + CamlImages: User-assisted execution of arbitrary code + + Multiple integer overflows in CamlImages might result in the remote + execution of arbitrary code. + + camlimages + June 01, 2010 + June 01, 2010: 01 + 276235 + 290222 + remote + + + 3.0.2 + 3.0.2 + + + +

+ CamlImages is an image processing library for Objective Caml. +

+
+ +

+ Tielei Wang reported multiple integer overflows, possibly leading to + heap-based buffer overflows in the (1) read_png_file() and + read_png_file_as_rgb24() functions, when processing a PNG image + (CVE-2009-2295) and (2) gifread.c and jpegread.c files when processing + GIF or JPEG images (CVE-2009-2660). +

+

+ Other integer overflows were also found in tiffread.c (CVE-2009-3296). +

+
+ +

+ A remote attacker could entice a user to open a specially crafted, + overly large PNG, GIF, TIFF, or JPEG image using an application that + uses the CamlImages library, possibly resulting in the execution of + arbitrary code with the privileges of the user running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All CamlImages users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose =dev-ml/camlimages-3.0.2 +
+ + CVE-2009-2295 + CVE-2009-2660 + CVE-2009-3296 + + + rbu + + + a3li + + + a3li + +
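Review bot: The resolution's emerge atom is pinned with a bare `=dev-ml/camlimages-3.0.2`, while every other advisory in this series uses a quoted lower bound, and the unaffected entry above is given as 3.0.2 with no upper limit; an exact pin stops matching as soon as a newer ebuild is added and would then pull in an obsolete version. Bringing it in line with the rest, `# emerge --ask --oneshot --verbose ">=dev-ml/camlimages-3.0.2"`, also keeps the quoting consistent so the snippet is safe to paste into a shell.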
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-03.xml b/xml/htdocs/security/en/glsa/glsa-201006-03.xml new file mode 100644 index 00000000..ca09ecec --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201006-03.xml @@ -0,0 +1,74 @@ + + + + + + + ImageMagick: User-assisted execution of arbitrary code + + An integer overflow in ImageMagick might allow remote attackers to cause + the remote execution of arbitrary code. + + imagemagick + June 01, 2010 + June 01, 2010: 01 + 271502 + remote + + + 6.5.2.9 + 6.5.2.9 + + + +

+ ImageMagick is a collection of tools and libraries for manipulating + various image formats. +

+
+ +

+ Tielei Wang has discovered that the XMakeImage() function in + magick/xwindow.c is prone to an integer overflow, possibly leading to a + buffer overflow. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted + image, possibly resulting in the remote execution of arbitrary code + with the privileges of the user running the application, or a Denial of + Service. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All ImageMagick users should upgrade to an unaffected version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.5.2.9" +

+ NOTE: This is a legacy GLSA. Updates for all affected architectures are + available since June 4, 2009. It is likely that your system is already + no longer affected by this issue. +

+
+ + CVE-2009-1882 + + + keytoaster + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-04.xml b/xml/htdocs/security/en/glsa/glsa-201006-04.xml new file mode 100644 index 00000000..9c80a091 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201006-04.xml @@ -0,0 +1,94 @@ + + + + + + + xine-lib: User-assisted execution of arbitrary code + + Multiple vulnerabilities in xine-lib might result in the remote execution + of arbitrary code. + + xine-lib + June 01, 2010 + June 01, 2010: 01 + 234777 + 249041 + 260069 + 265250 + remote + + + 1.1.16.3 + 1.1.16.3 + + + +

+ xine-lib is the core library package for the xine media player, and + other players such as Amarok, Codeine/Dragon Player and Kaffeine. +

+
+ +

+ Multiple vulnerabilites have been reported in xine-lib. Please review + the CVE identifiers referenced below for details. +

+
+ +

+ A remote attacker could entice a user to play a specially crafted video + file or stream with a player using xine-lib, potentially resulting in + the execution of arbitrary code with the privileges of the user running + the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All xine-lib users should upgrade to an unaffected version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.16.3" +

+ NOTE: This is a legacy GLSA. Updates for all affected architectures are + available since April 10, 2009. It is likely that your system is + already no longer affected by this issue. +

+
+ + CVE-2008-3231 + CVE-2008-5233 + CVE-2008-5234 + CVE-2008-5235 + CVE-2008-5236 + CVE-2008-5237 + CVE-2008-5238 + CVE-2008-5239 + CVE-2008-5240 + CVE-2008-5241 + CVE-2008-5242 + CVE-2008-5243 + CVE-2008-5244 + CVE-2008-5245 + CVE-2008-5246 + CVE-2008-5247 + CVE-2008-5248 + CVE-2009-0698 + CVE-2009-1274 + + + keytoaster + + + a3li + + + a3li + +
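Review bot: The description opens with the misspelling "vulnerabilites"; the line should read `Multiple vulnerabilities have been reported in xine-lib. Please review`. Advisory text is indexed verbatim, so the misspelled word will not match searches for the correct term.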
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-05.xml b/xml/htdocs/security/en/glsa/glsa-201006-05.xml new file mode 100644 index 00000000..872a66fe --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201006-05.xml @@ -0,0 +1,69 @@ + + + + + + + Wireshark: Multiple vulnerabilities + + Multiple vulnerabilities were found in Wireshark. + + wireshark + June 01, 2010 + June 01, 2010: 01 + 297388 + 318935 + remote + + + 1.2.8-r1 + 1.2.8-r1 + + + +

+ Wireshark is a versatile network protocol analyzer. +

+
+ +

+ Multiple vulnerabilities were found in the Daintree SNA file parser, + the SMB, SMB2, IPMI, and DOCSIS dissectors. For further information + please consult the CVE entries referenced below. +

+
+ +

+ A remote attacker could cause a Denial of Service and possibly execute + arbitrary code via crafted packets or malformed packet trace files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Wireshark users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.2.8-r1" +
+ + CVE-2009-4376 + CVE-2009-4377 + CVE-2009-4378 + CVE-2010-1455 + + + a3li + + + keytoaster + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-06.xml b/xml/htdocs/security/en/glsa/glsa-201006-06.xml new file mode 100644 index 00000000..fc48d80f --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201006-06.xml @@ -0,0 +1,66 @@ + + + + + + + Transmission: Multiple vulnerabilities + + Stack-based buffer overflows in Transmission may allow for remote execution + of arbitrary code. + + transmission + June 01, 2010 + June 01, 2010: 01 + 309831 + remote + + + 1.92 + 1.92 + + + +

+ Transmission is a cross-platform BitTorrent client. +

+
+ +

+ Multiple stack-based buffer overflows in the tr_magnetParse() function + in libtransmission/magnet.c have been discovered. +

+
+ +

+ A remote attacker could cause a Denial of Service or possibly execute + arbitrary code via a crafted magnet URL with a large number of tr or ws + links. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Transmission users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/transmission-1.92" +
+ + CVE-2010-1853 + + + craig + + + keytoaster + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-07.xml b/xml/htdocs/security/en/glsa/glsa-201006-07.xml new file mode 100644 index 00000000..02ee9716 --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201006-07.xml @@ -0,0 +1,82 @@ + + + + + + + SILC: Multiple vulnerabilities + + Multiple vulnerabilities were discovered in SILC Toolkit and SILC Client, + the worst of which allowing for execution of arbitrary code. + + silc-toolkit silc-client + June 01, 2010 + June 01, 2010: 01 + 284561 + remote + + + 1.1.10 + 1.1.10 + + + 1.1.8 + 1.1.8 + + + +

+ SILC (Secure Internet Live Conferencing protocol) Toolkit is a software + development kit for use in clients, and SILC Client is an IRSSI-based + text client. +

+
+ +

+ Multiple vulnerabilities were discovered in SILC Toolkit and SILC + Client. For further information please consult the CVE entries + referenced below. +

+
+ +

+ A remote attacker could overwrite stack locations and possibly execute + arbitrary code via a crafted OID value, Content-Length header or format + string specifiers in a nickname field or channel name. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SILC Toolkit users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/silc-toolkit-1.1.10" +

+ All SILC Client users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/silc-client-1.1.8" +
+ + CVE-2008-7159 + CVE-2008-7160 + CVE-2009-3051 + CVE-2009-3163 + + + craig + + + keytoaster + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-08.xml b/xml/htdocs/security/en/glsa/glsa-201006-08.xml new file mode 100644 index 00000000..186578fa --- /dev/null +++ b/xml/htdocs/security/en/glsa/glsa-201006-08.xml @@ -0,0 +1,69 @@ + + + + + + + nano: Multiple vulnerabilities + + Race conditions when editing files could lead to symlink attacks or changes + of ownerships of important files. + + nano + June 01, 2010 + June 01, 2010: 01 + 315355 + local + + + 2.2.4 + 2.2.4 + + + +

+ nano is a GNU GPL'd Pico clone with more functionality. +

+
+ +

+ Multiple race condition vulnerabilities have been discovered in nano. + For further information please consult the CVE entries referenced + below. +

+
+ +

+ Under certain conditions, a local, user-assisted attacker could + possibly overwrite arbitrary files via a symlink attack on an + attacker-owned file that is being edited by the victim, or change the + ownership of arbitrary files. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All nano users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/nano-2.2.4" +
+ + CVE-2010-1160 + CVE-2010-1161 + + + chiiph + + + keytoaster + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-09.xml b/xml/htdocs/security/en/glsa/glsa-201006-09.xml
new file mode 100644
index 00000000..a9a7fe2c
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-201006-09.xml
@@ -0,0 +1,68 @@
+ + + + + + + sudo: Privilege escalation + + A flaw in sudo's -e option may allow local attackers to execute arbitrary + commands. + + sudo + June 01, 2010 + June 01, 2010: 01 + 321697 + local + + + 1.7.2_p6 + 1.7.2_p6 + + + +

+ sudo allows a system administrator to give users the ability to run + commands as other users. +

+
+ +

+ The command matching functionality does not properly handle when a file + in the current working directory has the same name as a pseudo-command + in the sudoers file and the PATH contains an entry for ".". +

+
+ +

+ A local attacker with the permission to run sudoedit could, under + certain circumstances, execute arbitrary commands as whichever user he + has permission to run sudoedit as, typically root. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All sudo users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.7.2_p6" +
+ + CVE-2010-1163 + + + keytoaster + + + keytoaster + + + vorlon + +
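Review bot: The workaround paragraph says "There is no known workaround at this time", yet the description gives the two preconditions the attack needs — a sudoedit pseudo-command entry in sudoers and an invoking PATH that contains "." — so a temporary mitigation follows directly from it: remove the sudoedit entries from sudoers, or restrict them to trusted users, until sudo 1.7.2_p6 is installed. If that reading is correct, the workaround text should state it, e.g. `Until the upgrade is applied, remove or restrict sudoedit pseudo-command entries in /etc/sudoers.`; if upstream considered that insufficient, the advisory should say why rather than claim no workaround exists. The impact wording `typically root` would also be clearer as `i.e. the target user of the sudoedit entry, typically root`, since the privilege gained is bounded by the sudoers rule, not by sudo itself.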
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-10.xml b/xml/htdocs/security/en/glsa/glsa-201006-10.xml
new file mode 100644
index 00000000..b88a4d0d
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-201006-10.xml
@@ -0,0 +1,72 @@
+ + + + + + + multipath-tools: World-writeable socket + + multipath-tools does not set correct permissions on the socket file, making + it possible to send arbitrary commands to the multipath daemon for local + users. + + multipath-tools + June 01, 2010 + June 01, 2010: 01 + 264564 + local + + + 0.4.8-r1 + 0.4.8-r1 + + + +

+ multipath-tools are used to drive the Device Mapper multipathing + driver. +

+
+ +

+ multipath-tools uses world-writable permissions for the socket file + (/var/run/multipathd.sock). +

+
+ +

+ Local users could send arbitrary commands to the multipath daemon, + causing cluster failures and data loss. +

+
+ +

+ chmod o-rwx /var/run/multipath.sock +

+
+ +

+ All multipath-tools users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-fs/multipath-tools-0.4.8-r1" +

+ NOTE: This is a legacy GLSA. Updates for all affected architectures are + available since November 13, 2009. It is likely that your system is + already no longer affected by this issue. +

+
+ + CVE-2009-0115 + + + craig + + + craig + + + keytoaster + +
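Review bot: The workaround `chmod o-rwx /var/run/multipath.sock` names a different file than the description, which gives the socket as /var/run/multipathd.sock; as written the command would fail on a missing path and leave the world-writable socket untouched, so it should read `chmod o-rwx /var/run/multipathd.sock`. The workaround is also only a point-in-time fix: the socket is presumably recreated with the daemon's default permissions each time multipathd restarts, so the advisory should say it must be reapplied after every restart (or from an init hook) until the package is upgraded. Finally, `o-rwx` leaves whatever access the socket's group has in place, and the advisory does not state the group ownership, so the residual exposure after the workaround is unclear to the reader.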
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-11.xml b/xml/htdocs/security/en/glsa/glsa-201006-11.xml
new file mode 100644
index 00000000..2658ba91
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-201006-11.xml
@@ -0,0 +1,76 @@
+ + + + + + + BIND: Multiple vulnerabilities + + Several cache poisoning vulnerabilities have been found in BIND. + + BIND + June 01, 2010 + June 01, 2010: 01 + 301548 + 308035 + remote + + + 9.4.3_p5 + 9.4.3_p5 + + + +

+ ISC BIND is the Internet Systems Consortium implementation of the + Domain Name System (DNS) protocol. +

+
+ +

+ Multiple cache poisoning vulnerabilities were discovered in BIND. For + further information please consult the CVE entries and the ISC Security + Bulletin referenced below. +

+

+ Note: CVE-2010-0290 and CVE-2010-0382 exist because of an incomplete + fix and a regression for CVE-2009-4022. +

+
+ +

+ An attacker could exploit this weakness to poison the cache of a + recursive resolver and thus spoof DNS traffic, which could e.g. lead to + the redirection of web or mail traffic to malicious sites. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All BIND users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.3_p5" +
+ + ISC Advisory + CVE-2009-4022 + CVE-2010-0097 + CVE-2010-0290 + CVE-2010-0382 + + + craig + + + craig + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-12.xml b/xml/htdocs/security/en/glsa/glsa-201006-12.xml
new file mode 100644
index 00000000..064ea87a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-201006-12.xml
@@ -0,0 +1,87 @@
+ + + + + + + Fetchmail: Multiple vulnerabilities + + Multiple vulnerabilities have been reported in Fetchmail, allowing remote + attackers to execute arbitrary code or to conduct Man-in-the-Middle + attacks. + + fetchmail + June 01, 2010 + June 01, 2010: 01 + 280537 + 307761 + remote + + + 6.3.14 + 6.3.14 + + + +

+ Fetchmail is a remote mail retrieval and forwarding utility. +

+
+ +

+ Multiple vulnerabilities have been reported in Fetchmail: +

+
    +
  • The sdump() function might trigger a heap-based buffer overflow + during the escaping of non-printable characters with the high bit set + from an X.509 certificate (CVE-2010-0562).
  • +
  • The vendor reported + that Fetchmail does not properly handle Common Name (CN) fields in + X.509 certificates that contain an ASCII NUL character. Specifically, + the processing of such fields is stopped at the first occurrence of a + NUL character. This type of vulnerability was recently discovered by + Dan Kaminsky and Moxie Marlinspike (CVE-2009-2666).
  • +
+
+ +

+ A remote attacker could entice a user to connect with Fetchmail to a + specially crafted SSL-enabled server in verbose mode, possibly + resulting in the execution of arbitrary code with the privileges of the + user running the application. NOTE: The issue is only existent on + platforms on which char is signed. +

+

+ Furthermore, a remote attacker might employ a specially crafted X.509 + certificate, containing a NUL character in the Common Name field to + conduct man-in-the-middle attacks on SSL connections made using + Fetchmail. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Fetchmail users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.3.14" +
+ + CVE-2010-0562 + CVE-2009-2666 + + + craig + + + craig + + + vorlon + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-13.xml b/xml/htdocs/security/en/glsa/glsa-201006-13.xml
new file mode 100644
index 00000000..ce2367e4
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-201006-13.xml
@@ -0,0 +1,86 @@
+ + + + + + + Smarty: Multiple vulnerabilities + + Multiple vulnerabilities in the Smarty template engine might allow remote + attackers to execute arbitrary PHP code. + + smarty + June 02, 2010 + June 02, 2010: 01 + 212147 + 243856 + 270494 + remote + + + 2.6.23 + 2.6.23 + + + +

+ Smarty is a template engine for PHP. +

+
+ +

+ Multiple vulnerabilities have been discovered in Smarty: +

+
    +
  • The vendor reported that the modifier.regex_replace.php plug-in + contains an input sanitation flaw related to the ASCII NUL character + (CVE-2008-1066).
  • +
  • The vendor reported that the + _expand_quoted_text() function in libs/Smarty_Compiler.class.php + contains an input sanitation flaw via multiple vectors (CVE-2008-4810, + CVE-2008-4811).
  • +
  • Nine:Situations:Group::bookoo reported that + the smarty_function_math() function in libs/plugins/function.math.php + contains input sanitation flaw (CVE-2009-1669).
  • +
+
+ +

+ These issues might allow a remote attacker to execute arbitrary PHP + code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Smarty users should upgrade to an unaffected version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/smarty-2.6.23" +

+ NOTE: This is a legacy GLSA. Updates for all affected architectures are + available since June 2, 2009. It is likely that your system is already + no longer affected by this issue. +

+
+ + CVE-2008-1066 + CVE-2008-4810 + CVE-2008-4811 + CVE-2009-1669 + + + p-y + + + p-y + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-14.xml b/xml/htdocs/security/en/glsa/glsa-201006-14.xml
new file mode 100644
index 00000000..4e89a94b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-201006-14.xml
@@ -0,0 +1,72 @@
+ + + + + + + Newt: User-assisted execution of arbitrary code + + A heap-based buffer overflow in the Newt library might allow remote, + user-assisted attackers to execute arbitrary code. + + newt + June 02, 2010 + June 02, 2010: 01 + 285854 + remote + + + 0.52.10-r1 + 0.52.10-r1 + + + +

+ Newt is a library for displaying text mode user interfaces. +

+
+ +

+ Miroslav Lichvar reported that Newt is prone to a heap-based buffer + overflow in textbox.c. +

+
+ +

+ A remote attacker could entice a user to enter a specially crafted + string into a text dialog box rendered by Newt, possibly resulting in + the remote execution of arbitrary code with the privileges of the user + running the application, or a Denial of Service condition. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Newt users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/newt-0.52.10-r1" +

+ NOTE: This is a legacy GLSA. Updates for all affected architectures are + available since October 26, 2009. It is likely that your system is + already no longer affected by this issue. +

+
+ + CVE-2009-2905 + + + keytoaster + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-15.xml b/xml/htdocs/security/en/glsa/glsa-201006-15.xml
new file mode 100644
index 00000000..7559c614
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-201006-15.xml
@@ -0,0 +1,74 @@
+ + + + + + + XEmacs: User-assisted execution of arbitrary code + + Multiple integer overflow errors in XEmacs might allow remote, + user-assisted attackers to execute arbitrary code. + + xemacs + June 03, 2010 + June 03, 2010: 01 + 275397 + remote + + + 21.4.22-r1 + 21.4.22-r1 + + + +

+ XEmacs is a highly extensible and customizable text editor. +

+
+ +

+ Tielei Wang reported multiple integer overflow vulnerabilities in the + tiff_instantiate(), png_instantiate() and jpeg_instantiate() functions + in glyphs-eimage.c, all possibly leading to heap-based buffer + overflows. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted TIFF, + JPEG or PNG file using XEmacs, possibly resulting in the remote + execution of arbitrary code with the privileges of the user running the + application, or a Denial of Service condition. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All XEmacs users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/xemacs-21.4.22-r1" +

+ NOTE: This is a legacy GLSA. Updates for all affected architectures are + available since July 26, 2009. It is likely that your system is already + no longer affected by this issue. +

+
+ + CVE-2009-2688 + + + keytoaster + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-16.xml b/xml/htdocs/security/en/glsa/glsa-201006-16.xml
new file mode 100644
index 00000000..4e5b9584
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-201006-16.xml
@@ -0,0 +1,72 @@
+ + + + + + + GD: User-assisted execution of arbitrary code + + The GD library is prone to a buffer overflow vulnerability. + + gd + June 03, 2010 + June 03, 2010: 01 + 292130 + remote + + + 2.0.35-r1 + 2.0.35-r1 + + + +

+ GD is a graphic library for fast image creation. +

+
+ +

+ Tomas Hoger reported that the _gdGetColors() function in gd_gd.c does + not properly verify the colorsTotal struct member, possibly leading to + a buffer overflow. +

+
+ +

+ A remote attacker could entice a user to open a specially crafted image + file with a program using the GD library, possibly resulting in the + remote execution of arbitrary code with the privileges of the user + running the application, or a Denial of Service condition. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All GD users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/gd-2.0.35-r1" +

+ NOTE: This is a legacy GLSA. Updates for all affected architectures are + available since November 21, 2009. It is likely that your system is + already no longer affected by this issue. +

+
+ + CVE-2009-3546 + + + craig + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-17.xml b/xml/htdocs/security/en/glsa/glsa-201006-17.xml
new file mode 100644
index 00000000..bee58a6b
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-201006-17.xml
@@ -0,0 +1,66 @@
+ + + + + + + lighttpd: Denial of Service + + A processing error in lighttpd might result in a Denial of Service + condition. + + lighttpd + June 03, 2010 + June 03, 2010: 01 + 303213 + remote + + + 1.4.25-r1 + 1.4.25-r1 + + + +

+ lighttpd is a lightweight high-performance web server. +

+
+ +

+ Li Ming reported that lighttpd does not properly process packets that + are sent overly slow. +

+
+ +

+ A remote attacker might send specially crafted packets to a server + running lighttpd, possibly resulting in a Denial of Service condition + via host memory exhaustion. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All lighttpd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.25-r1" +
+ + CVE-2010-0295 + + + keytoaster + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-18.xml b/xml/htdocs/security/en/glsa/glsa-201006-18.xml
new file mode 100644
index 00000000..5f37aa8a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-201006-18.xml
@@ -0,0 +1,143 @@
+ + + + + + + Oracle JRE/JDK: Multiple vulnerabilities + + The Oracle JDK and JRE are vulnerable to multiple unspecified + vulnerabilities. + + sun-jre-bin sun-jdk emul-linux-x86-java + June 04, 2010 + June 04, 2010: 01 + 306579 + 314531 + remote + + + 1.6.0.20 + 1.6.0.20 + + + 1.6.0.20 + 1.6.0.20 + + + 1.6.0.20 + 1.6.0.20 + + + +

+ The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and + the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) + provide the Oracle Java platform (formerly known as Sun Java Platform). +

+
+ +

+ Multiple vulnerabilities have been reported in the Oracle Java + implementation. Please review the CVE identifiers referenced below and + the associated Oracle Critical Patch Update Advisory for details. +

+
+ +

+ A remote attacker could exploit these vulnerabilities to cause + unspecified impact, possibly including remote execution of arbitrary + code. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Oracle JRE 1.6.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.20" +

+ All Oracle JDK 1.6.x users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.20" +

+ All users of the precompiled 32bit Oracle JRE 1.6.x should upgrade to + the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.6.0.20" +

+ All Oracle JRE 1.5.x, Oracle JDK 1.5.x, and precompiled 32bit Oracle + JRE 1.5.x users are strongly advised to unmerge Java 1.5: +

+ + # emerge --unmerge =app-emulation/emul-linux-x86-java-1.5* + # emerge --unmerge =dev-java/sun-jre-bin-1.5* + # emerge --unmerge =dev-java/sun-jdk-1.5* +

+ Gentoo is ceasing support for the 1.5 generation of the Oracle Java + Platform in accordance with upstream. All 1.5 JRE versions are masked + and will be removed shortly. All 1.5 JDK versions are marked as + "build-only" and will be masked for removal shortly. Users are advised + to change their default user and system Java implementation to an + unaffected version. For example: +

+ + # java-config --set-system-vm sun-jdk-1.6 +

+ For more information, please consult the Gentoo Linux Java + documentation. +

+
+ + CVE-2009-3555 + CVE-2010-0082 + CVE-2010-0084 + CVE-2010-0085 + CVE-2010-0087 + CVE-2010-0088 + CVE-2010-0089 + CVE-2010-0090 + CVE-2010-0091 + CVE-2010-0092 + CVE-2010-0093 + CVE-2010-0094 + CVE-2010-0095 + CVE-2010-0837 + CVE-2010-0838 + CVE-2010-0839 + CVE-2010-0840 + CVE-2010-0841 + CVE-2010-0842 + CVE-2010-0843 + CVE-2010-0844 + CVE-2010-0845 + CVE-2010-0846 + CVE-2010-0847 + CVE-2010-0848 + CVE-2010-0849 + CVE-2010-0850 + CVE-2010-0886 + CVE-2010-0887 + Gentoo Linux Java documentation + Oracle Java SE and Java for Business Critical Patch Update Advisory - March 2010 + + + a3li + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-19.xml b/xml/htdocs/security/en/glsa/glsa-201006-19.xml
new file mode 100644
index 00000000..875da00a
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-201006-19.xml
@@ -0,0 +1,87 @@
+ + + + + + + Bugzilla: Multiple vulnerabilities + + Bugzilla is prone to multiple medium severity vulnerabilities. + + bugzilla + June 04, 2010 + June 04, 2010: 02 + 239564 + 258592 + 264572 + 284824 + 303437 + 303725 + remote + + + 3.2.6 + 3.2.6 + + + +

+ Bugzilla is a bug tracking system from the Mozilla project. +

+
+ +

+ Multiple vulnerabilities have been reported in Bugzilla. Please review + the CVE identifiers referenced below for details. +

+
+ +

+ A remote attacker might be able to disclose local files, bug + information, passwords, and other data under certain circumstances. + Furthermore, a remote attacker could conduct SQL injection, Cross-Site + Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks via + various vectors. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Bugzilla users should upgrade to an unaffected version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/bugzilla-3.2.6" +

+ Bugzilla 2.x and 3.0 have reached their end of life. There will be no + more security updates. All Bugzilla 2.x and 3.0 users should update to + a supported Bugzilla 3.x version. +

+
+ + CVE-2008-4437 + CVE-2008-6098 + CVE-2009-0481 + CVE-2009-0482 + CVE-2009-0483 + CVE-2009-0484 + CVE-2009-0485 + CVE-2009-0486 + CVE-2009-1213 + CVE-2009-3125 + CVE-2009-3165 + CVE-2009-3166 + CVE-2009-3387 + CVE-2009-3989 + + + a3li + + + jaervosz + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-20.xml b/xml/htdocs/security/en/glsa/glsa-201006-20.xml
new file mode 100644
index 00000000..5d593140
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-201006-20.xml
@@ -0,0 +1,90 @@
+ + + + + + + Asterisk: Multiple vulnerabilities + + Multiple vulnerabilities in Asterisk might allow remote attackers to cause + a Denial of Service condition, or conduct other attacks. + + asterisk + June 04, 2010 + June 04, 2010: 01 + 281107 + 283624 + 284892 + 295270 + remote + + + 1.2.37 + 1.2.37 + + + +

+ Asterisk is an open source telephony engine and toolkit. +

+
+ +

+ Multiple vulnerabilities have been reported in Asterisk: +

+
    +
  • Nick Baggott reported that Asterisk does not properly process + overly long ASCII strings in various packets (CVE-2009-2726).
  • +
  • Noam Rathaus and Blake Cornell reported a flaw in the IAX2 protocol + implementation (CVE-2009-2346).
  • +
  • amorsen reported an input + processing error in the RTP protocol implementation + (CVE-2009-4055).
  • +
  • Patrik Karlsson reported an information + disclosure flaw related to the REGISTER message (CVE-2009-3727).
  • +
  • A vulnerability was found in the bundled Prototype JavaScript + library, related to AJAX calls (CVE-2008-7220).
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities by sending a + specially crafted package, possibly causing a Denial of Service + condition, or resulting in information disclosure. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All Asterisk users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.37" +

+ NOTE: This is a legacy GLSA. Updates for all affected architectures are + available since January 5, 2010. It is likely that your system is + already no longer affected by this issue. +

+
+ + CVE-2009-2726 + CVE-2009-2346 + CVE-2009-4055 + CVE-2009-3727 + CVE-2008-7220 + + + craig + + + a3li + + + a3li + +
diff --git a/xml/htdocs/security/en/glsa/glsa-201006-21.xml b/xml/htdocs/security/en/glsa/glsa-201006-21.xml
new file mode 100644
index 00000000..034229db
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/glsa-201006-21.xml
@@ -0,0 +1,78 @@
+ + + + + + + UnrealIRCd: Multiple vulnerabilities + + Multiple vulnerabilities in UnrealIRCd might allow remote attackers to + compromise the "unrealircd" account, or cause a Denial of Service. + + unrealircd + June 14, 2010 + June 14, 2010: 02 + 260806 + 323691 + remote + + + 3.2.8.1-r1 + 3.2.8.1-r1 + + + +

+ UnrealIRCd is an Internet Relay Chat (IRC) daemon. +

+
+ +

+ Multiple vulnerabilities have been reported in UnrealIRCd: +

+
    +
  • The vendor reported a buffer overflow in the user authorization + code (CVE-2009-4893).
  • +
  • The vendor reported that the distributed source code of UnrealIRCd + was compromised and altered to include a system() call that could be + called with arbitrary user input (CVE-2010-2075).
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities to cause the + execution of arbitrary commands with the privileges of the user running + UnrealIRCd, or a Denial of Service condition. NOTE: By default + UnrealIRCd on Gentoo is run with the privileges of the "unrealircd" + user. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All UnrealIRCd users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/unrealircd-3.2.8.1-r1" +
+ + UnrealIRCd Security Advisory 20090413 + UnrealIRCd Security Advisory 20100612 + CVE-2009-4893 + CVE-2010-2075 + + + a3li + + + a3li + + + vorlon + +
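Review bot: The resolution section only tells users to upgrade, but the description of CVE-2010-2075 says the distributed source itself was altered to embed a system() call reachable with attacker-controlled input — a compromised upstream distribution rather than an ordinary coding bug — and upgrading removes the backdoor without saying anything about whether it was already used. The advisory should tell administrators of affected installs to treat the host as potentially compromised and look for signs of prior exploitation (unexpected processes, files or cron entries owned by the "unrealircd" user, outbound connections from the daemon) instead of relying on the upgrade alone; a sentence such as `Users who ran an affected build should additionally audit the system for evidence of compromise, as the backdoor may already have been exploited.` in the resolution would cover it. The NOTE in the impact section about the daemon running as "unrealircd" bounds the damage only to the extent that no local privilege escalation exists from that account, which is worth stating explicitly since the attacker gets an interactive-quality foothold rather than a crash.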
diff --git a/xml/htdocs/security/en/glsa/index.xml b/xml/htdocs/security/en/glsa/index.xml
new file mode 100644
index 00000000..008373e6
--- /dev/null
+++ b/xml/htdocs/security/en/glsa/index.xml
@@ -0,0 +1,31 @@
+ + + + + +Gentoo Linux Security Advisories + + + Security Team + + + +This index is automatically generated from XML source. Please contact the +Gentoo Linux Security Team (security@gentoo.org) for related inquiries. + + + +0.7 +every 60 minutes + + +GLSA Chronological Index
+ + + + + +
+
+
-- cgit v1.2.3-65-gdbad