Race condition in the page fault handler (fault.c) for Linux kernel 2.2.x to 2.2.7, 2.4 to 2.4.29, and 2.6 to 2.6.10, when running on multiprocessor machines, allows local users to execute arbitrary code via concurrent threads that share the same virtual memory space and simultaneously request stack expansion.20050112 Linux kernel i386 SMP page fault handler privilege escalation20050112 Linux kernel i386 SMP page fault handler privilege escalationhttp://isec.pl/vulnerabilities/isec-0022-pagefault.txtCLA-2005:930FLSA:2336MDKSA-2005:022RHSA-2005:043RHSA-2005:0922005-000120050114 [USN-60-0] Linux kernel vulnerabilitieslinux-fault-handler-gain-privileges(18849)101286213822RHSA-2005:016DSA-1070DSA-1067DSA-1069RHSA-2005:017122442016320202DSA-108220338MDKSA-2005:022poppassd_pam 1.0 and earlier, when changing a user password, does not verify that the user entered the old password correctly, which allows remote attackers to change passwords for arbitrary users.GLSA-200501-22Gentoo update for poppassd_pam 101284013865The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit architectures, does not properly check for overlapping VMA (virtual memory address) allocations, which allows local users to cause a denial of service (system crash) or execute arbitrary code via a crafted ELF or a.out file.Updated kernel packages fix security vulnerabilitiesbid 12261http://linux.bkbits.net:8080/linux-2.4/cset@41c36fb6q1Z68WUzKQFjJR-40Ev3twMDKSA-2005:022SUSE-SA:2005:0182005-0001http://linux.bkbits.net:8080/linux-2.6/cset@41a6721cce-LoPqkzKXudYby_3TUmglinux-vma-gain-privileges(18886)1012885DSA-1070DSA-1067DSA-1069RHSA-2005:0172016320202DSA-108220338MDKSA-2005:022The mysqlaccess script in MySQL 4.0.23 and earlier, 4.1.x before 4.1.10, 5.0.x before 5.0.3, and other versions including 3.x, allows local users to overwrite arbitrary files or read temporary files via a symlink attack on temporary files.mysql -- insecure temporary filesMySQL mysqlaccess Script Insecure Temporary File Creationbid 12277http://lists.mysql.com/internals/20600http://mysql.osuosl.org/doc/mysql/en/News-4.1.10.htmlCLA-2005:947MDKSA-2005:03620050118 [USN-63-1] MySQL client vulnerabilitymysql-mysqlaccess-symlink(18922)101864MDKSA-2005:036Heap-based buffer overflow in psd.c for ImageMagick 6.1.0, 6.1.7, and possibly earlier versions allows remote attackers to execute arbitrary code via a .PSD image file with a large number of layers.20050117 Multiple Vendor ImageMagick .psd Image File Decode Heap Overflow VulnerabilityDSA-646GLSA-200501-37RHSA-2005:07120050118 [USN-62-1] imagemagick vulnerability12287RHSA-2005:070The COPS dissector in Ethereal 0.10.6 through 0.10.8 allows remote attackers to cause a denial of service (infinite loop).http://www.ethereal.com/appnotes/enpa-sa-00017.htmlGLSA-200501-27MDKSA-2005:013RHSA-2005:037P-10613946ethereal-cops-dos(18999)FLSA-2006:152922RHSA-2005:01112326MDKSA-2005:013Unknown vulnerability in the DLSw dissector in Ethereal 0.10.6 through 0.10.8 allows remote attackers to cause a denial of service (application crash from assertion).http://www.ethereal.com/appnotes/enpa-sa-00017.htmlGLSA-200501-27MDKSA-2005:013RHSA-2005:037P-10613946ethereal-dlsw-dos(19000)FLSA-2006:152922RHSA-2005:01112326MDKSA-2005:013Unknown vulnerability in the DNP dissector in Ethereal 0.10.5 through 0.10.8 allows remote attackers to cause "memory corruption."http://www.ethereal.com/appnotes/enpa-sa-00017.htmlGLSA-200501-27MDKSA-2005:013RHSA-2005:037P-10613946ethereal-dnp-memory-corruption(19001)FLSA-2006:152922RHSA-2005:01112326MDKSA-2005:013Unknown vulnerability in the Gnutella dissector in Ethereal 0.10.6 through 0.10.8 allows remote attackers to cause a denial of service (application crash).http://www.ethereal.com/appnotes/enpa-sa-00017.htmlGLSA-200501-27MDKSA-2005:013RHSA-2005:037P-10613946ethereal-gnutella-dos(19002)FLSA-2006:152922RHSA-2005:01112326MDKSA-2005:013Unknown vulnerability in the MMSE dissector in Ethereal 0.10.4 through 0.10.8 allows remote attackers to cause a denial of service by triggering a free of statically allocated memory.http://www.ethereal.com/appnotes/enpa-sa-00017.htmlGLSA-200501-27MDKSA-2005:013RHSA-2005:037P-10613946ethereal-mmse-free-memory(19003)FLSA-2006:152922RHSA-2005:01112326MDKSA-2005:013Multiple vulnerabilities in fliccd, when installed setuid root as part of the kdeedu Kstars support for Instrument Neutral Distributed Interface (INDI) in KDE 3.3 to 3.3.2, allow local users and remote attackers to execute arbitrary code via stack-based buffer overflows.http://www.kde.org/info/security/advisory-20050215-1.txtFEDORA-2005-148GLSA-200502-2314306Format string vulnerability in the a_Interface_msg function in Dillo before 0.8.3-r4 allows remote attackers to execute arbitrary code via format string specifiers in a web page.GLSA-200501-111220313760dillo-capi-format-string(18807)13764nwclient.c in ncpfs before 2.2.6 does not drop root privileges before executing utilities using the NetWare client functions, which allows local users to gain privileges.ftp://platan.vc.cvut.cz/pub/linux/ncpfs/Changes-2.2.6DSA-665GLSA-200501-44MDKSA-2005:028RHSA-2005:371FLSA:15290412400132971013019MDKSA-2005:028Buffer overflow in ncplogin in ncpfs before 2.2.6 allows remote malicious NetWare servers to execute arbitrary code on the NetWare client.ftp://platan.vc.cvut.cz/pub/linux/ncpfs/Changes-2.2.6GLSA-200501-44MDKSA-2005:028FLSA:15290412400132981013019MDKSA-2005:028diatheke.pl in Sword 1.5.7a allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.DSA-650http://www.securitytracker.com/alerts/2005/Jan/1012955.html13897sword-diatheke-command-execution(18997)10129551232013941Buffer overflow in the exported_display function in xatitv in gatos before 0.0.5 allows local users to execute arbitrary code.gatos -- buffer overflowDebian GATOS xatitv "exported_display()" Buffer OverflowGATOS xatitv buffer overflowThe f2c translator in the f2c package 3.1 allows local users to read arbitrary files via a symlink attack on temporary files.DSA-661GLSA-200501-43123801013028140411405214067The f2 shell script in the f2c package 3.1 allows local users to read arbitrary files via a symlink attack on temporary files.DSA-66110130281404114052Unknown vulnerability in hztty 2.0 and earlier allows local users to execute arbitrary commands.hztty -- privilege escalationbid 12518hztty command execution101315414236Buffer overflow in playmidi before 2.4 allows local users to execute arbitrary code.playmidi -- buffer overflowplaymidiPlaymidi buffer overflow12274130491012957138281389013898MDKSA-2005:010Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.20050107 Exim host_aton() Buffer Overflow Vulnerability20050114 Exim dns_buld_reverse() Buffer Overflow Vulnerability[exim] 20050104 2 smallish security issueshttp://ftp6.us.freebsd.org/pub/mail/exim/ChangeLogs/ChangeLog-4.44DSA-635DSA-637GLSA-200501-23RHSA-2005:025VU#132992Buffer overflow in the spa_base64_to_bits function in Exim before 4.43, as originally obtained from Samba code, and as called by the auth_spa_client function, may allow attackers to execute arbitrary code during SPA authentication.20050107 Exim auth_spa_server() Buffer Overflow Vulnerability20050212 exim auth_spa_server() PoC exploit[exim] 20050104 2 smallish security issueshttp://ftp6.us.freebsd.org/pub/mail/exim/ChangeLogs/ChangeLog-4.44GLSA-200501-23RHSA-2005:02512188gnome-pty-helper in GNOME libzvt2 and libvte4 allows local users to spoof the logon hostname via a modified DISPLAY environment variable. NOTE: the severity of this issue has been disputed.15004ADV-2005-193117023libzvt-gnomeptyhelper-spoof(22496)20051007 gnome-pty-helper writes arbitrary utmp recordsBuffer overflow in the code for recursion and glue fetching in BIND 8.4.4 and 8.4.5 allows remote attackers to cause a denial of service (crash) via queries that trigger the overflow in the q_usedns array that tracks nameservers and addresses.http://www.uniras.gov.uk/niscc/docs/al-20050125-00059.htmlhttp://www.isc.org/index.pl?/sw/bind/bind-security.phphttp://www.isc.org/index.pl?/sw/bind/bind8.phpVU#327633bind-qusedns-bo(19063)12364SCOSA-2006.114009182911012996An "incorrect assumption" in the authvalidated validator function in BIND 9.3.0, when DNSSEC is enabled, allows remote attackers to cause a denial of service (named server exit) via crafted DNS packets that cause an internal consistency test (self-check) to fail.http://www.uniras.gov.uk/niscc/docs/al-20050125-00060.htmlVU#938617http://www.isc.org/index.pl?/sw/bind/bind-security.phphttp://www.isc.org/index.pl?/sw/bind/bind9.php2005-0003bind-named-dns-dos(19062)12365101299514008The Acrobat web control in Adobe Acrobat and Acrobat Reader 7.0 and earlier, when used with Internet Explorer, allows remote attackers to determine the existence of arbitrary files via the LoadFile ActiveX method.http://www.adobe.com/support/techdocs/331465.htmlhttp://www.niscc.gov.uk/niscc/docs/re-20050401-00264.pdfhttp://www.frsirt.com/english/advisories/2005/0310http://www.hyperdose.com/advisories/H2005-06.txt129891524214813The DNS implementation in DeleGate 8.10.2 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.NISCC Vulnerability Advisory 589088Id: 20050524-004331372925291The DNS implementation of DNRD before 2.10 allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.This vulnerability is addressed in the following product release: dnrd, dnrd, 2.10 Id: 20050524-004331372925291The DNS implementation of PowerDNS 2.9.16 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.Id: 20050524-004331372925291Certain configurations of IPsec, when using Encapsulating Security Payload (ESP) in tunnel mode, integrity protection at a higher layer, or Authentication Header (AH), allow remote attackers to decrypt IPSec communications by modifying the outer packet in ways that cause plaintext data from the inner packet to be returned in ICMP messages, as demonstrated using bit-flipping attacks and (1) Destination Address Rewriting, (2) a modified header length that causes portions of the packet to be interpreted as IP Options, or (3) a modified protocol field and source address.http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=enHPSBTU01217VU#30222013562ADV-2005-0507ADV-2005-280610153201793820050509 NISCC Vulnerability Advisory IPSEC - 004033Multiple cross-site scripting (XSS) vulnerabilities in DotNetNuke before 3.0.12 allow remote attackers to inject arbitrary web script or HTML via the (1) register a new user page, (2) User-Agent, or (3) Username, which is not properly quoted before sending to the error log.20050516 DotNetNuke (Multiple XSS)http://www.woany.co.uk/advisories/dotnetnukexss.txt15397136441364613647Buffer overflow in Apple iTunes 4.7 allows remote attackers to execute arbitrary code via a long URL in (1) .m3u or (2) .pls playlist files.20050113 Apple iTunes Playlist Parsing Buffer Overflow VulnerabilityAPPLE-SA-2005-01-11VU#3773681223812833101283913804itunes-m3u-pls-bo(18851)The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."MS05-012VU#927889OVAL1180OVAL2917OVAL3568OVAL4499win-ole-code-execution(19109)TA05-039Aoval:org.mitre.oval:def:1180oval:org.mitre.oval:def:2917oval:org.mitre.oval:def:3568oval:org.mitre.oval:def:4499The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.20050209 EEYE: Windows SMB Client Transaction Response Handling Vulnerability20050209 EEYE: Windows SMB Client Transaction Response Handling Vulnerability20050309 Update: MS05-011 EEYE: Windows SMB Client Transaction Response Handling VulnerabilityMS05-011TA05-039AVU#652537OVAL1606OVAL1847OVAL1889OVAL4043win-smb-code-execution(19089)12484oval:org.mitre.oval:def:1606oval:org.mitre.oval:def:1847oval:org.mitre.oval:def:1889oval:org.mitre.oval:def:4043Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."MS05-012TA05-039AVU#597889OVAL1159OVAL2351OVAL2892OVAL901win-com-gain-privileges(19105)http://www.argeniss.com/research/SSExploit.c20050530 [Argeniss] MS05-012 Exploitoval:org.mitre.oval:def:1159oval:org.mitre.oval:def:2351oval:org.mitre.oval:def:2892oval:org.mitre.oval:def:901Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability."MS05-01920050412 Windows IP Options Remote CompromiseTA05-102AVU#233754OVAL3824OVAL1744OVAL4549oval:org.mitre.oval:def:3824oval:org.mitre.oval:def:1744oval:org.mitre.oval:def:4549Windows SharePoint Services and SharePoint Team Services for Windows Server 2003 does not properly validate an HTTP redirection query, which allows remote attackers to inject arbitrary HTML and web script via a cross-site scripting (XSS) attack, or to spoof the web cache.MS05-006TA05-039AVU#340409win-sharepoint-services-xss(19091)The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability."MS05-010TA05-039AVU#130433OVAL2568OVAL3582OVAL4786OVAL644win-license-code-execution(19101)oval:org.mitre.oval:def:2568oval:org.mitre.oval:def:3582oval:org.mitre.oval:def:4786oval:org.mitre.oval:def:644The Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous logon using a named pipe, which is not properly authenticated, aka the "Named Pipe Vulnerability."MS05-007TA05-039AVU#939074OVAL2292OVAL3055win-named-pipe-information-disclosure (19093)14189124861013112oval:org.mitre.oval:def:2292oval:org.mitre.oval:def:3055Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."MS05-014MS05-008TA05-039AVU#698835OVAL1334OVAL2046OVAL2953OVAL3006OVAL4726OVAL4864ie-dragdrop-gain-privileges(19117)11466OVAL1015oval:org.mitre.oval:def:1334oval:org.mitre.oval:def:2046oval:org.mitre.oval:def:2953oval:org.mitre.oval:def:3006oval:org.mitre.oval:def:4726oval:org.mitre.oval:def:4864oval:org.mitre.oval:def:1015Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."20050209 Internet Explorer zone spoofing with encoded URLsMS05-014TA05-039AVU#580299OVAL1308OVAL1736OVAL3060OVAL3196OVAL3586ie-file-url-encode(19214)oval:org.mitre.oval:def:1308oval:org.mitre.oval:def:1736oval:org.mitre.oval:def:3060oval:org.mitre.oval:def:3196oval:org.mitre.oval:def:3586Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."MS05-014TA05-039AVU#84377112427OVAL1005OVAL2692OVAL3137OVAL3910OVAL710ie-cdf-execute-code(19137)1013125oval:org.mitre.oval:def:1005oval:org.mitre.oval:def:2692oval:org.mitre.oval:def:3137oval:org.mitre.oval:def:3910oval:org.mitre.oval:def:710Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."MS05-014TA05-039AVU#823971OVAL2385OVAL2817OVAL3318OVAL4085OVAL4947ie-cdf-execute-code(19137)124271013126oval:org.mitre.oval:def:2385oval:org.mitre.oval:def:2817oval:org.mitre.oval:def:3318oval:org.mitre.oval:def:4085oval:org.mitre.oval:def:4947The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow.MS05-015TA05-039AVU#820427OVAL2570OVAL3203OVAL713win-hyperlink-code-execution(19110)12479101311914195oval:org.mitre.oval:def:2570oval:org.mitre.oval:def:3203oval:org.mitre.oval:def:713Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message.MS05-040TA05-221A16354OVAL100084OVAL100085OVAL100086OVAL100088OVAL1075OVAL1213OVAL1297145181014639oval:org.mitre.oval:def:100084oval:org.mitre.oval:def:100085oval:org.mitre.oval:def:100086oval:org.mitre.oval:def:100088oval:org.mitre.oval:def:1075oval:org.mitre.oval:def:1213oval:org.mitre.oval:def:1297Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.MS05-01713112OVAL4384OVAL4988oval:org.mitre.oval:def:4384oval:org.mitre.oval:def:4988Buffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.MS05-01820050413 Windows kernel overflow fixedhttp://www.ngssoftware.com/advisories/ms-01.txtOVAL2562OVAL2731OVAL3941OVAL4797oval:org.mitre.oval:def:2562oval:org.mitre.oval:def:2731oval:org.mitre.oval:def:3941oval:org.mitre.oval:def:4797The kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests.MS05-01813121OVAL1656OVAL1761OVAL3994OVAL4593oval:org.mitre.oval:def:1656oval:org.mitre.oval:def:1761oval:org.mitre.oval:def:3994oval:org.mitre.oval:def:4593The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.MS05-01620050412 Microsoft MSHTA Script Execution Vulnerabilityhttp://www.securiteam.com/exploits/5YP0T0AFFW.htmlADV-2005-0335OVAL2184OVAL3456OVAL407OVAL4710OVAL573OVAL5871313220050529 Spam exploiting MS05-016oval:org.mitre.oval:def:2184oval:org.mitre.oval:def:3456oval:org.mitre.oval:def:407oval:org.mitre.oval:def:4710oval:org.mitre.oval:def:573oval:org.mitre.oval:def:587Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc for xpdf 3.00 and earlier allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value.20050118 Multiple Unix/Linux Vendor Xpdf makeFileKey2 Stack Overflowftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patchCLA-2005:921DSA-645DSA-648FLSA:2352FLSA:2353GLSA-200502-10MDKSA-2005:016MDKSA-2005:017MDKSA-2005:018MDKSA-2005:019MDKSA-2005:020MDKSA-2005:021RHSA-2005:034RHSA-2005:053RHSA-2005:057RHSA-2005:059RHSA-2005:0662005-000320050119 [USN-64-1] xpdf, CUPS vulnerabilitiesSCOSA-2005.4217277RHSA-2005:026MDKSA-2005:016MDKSA-2005:017MDKSA-2005:018MDKSA-2005:019MDKSA-2005:020MDKSA-2005:021The original design of TCP does not check that the TCP sequence number in an ICMP error message is within the range of sequence numbers for data that has been sent but not acknowledged (aka "TCP sequence number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html13124The original design of TCP does not check that the TCP Acknowledgement number in an ICMP error message generated by an intermediate router is within the range of possible values for data that has already been acknowledged (aka "TCP acknowledgement number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html13124The original design of TCP does not require that port numbers be assigned randomly (aka "Port randomization"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html13124The original design of ICMP does not require authentication for host-generated ICMP error messages, which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html13124The (1) tcltags or (2) vimspell.sh scripts in vim 6.3 allow local users to overwrite or create arbitrary files via a symlink attack on temporary files.FLSA:2343RHSA-2005:036RHSA-2005:12220050118 [USN-61-1] vim vulnerabilities13841vim-symlink(18870)1012938Synaesthesia 2.1 and earlier, and possibly other versions, when installed setuid root, does not drop privileges before processing configuration and mixer files, which allows local users to read arbitrary files.DSA-68112546101320614300vdr before 1.2.6 does not securely create files, which allows attackers to overwrite arbitrary files.DSA-656GLSA-200501-42vdr-dvdapi-file-overwrite(19066)12356139301399514066zhcon before 0.2 does not drop privileges before reading a user configuration file, which allows local users to read arbitrary files.DSA-655MDKSA-2005:012zhcon-information-disclosure(19045)123431012977139771398213987MDKSA-2005:012Buffer overflow in queue.c in a support script for sympa 3.3.3, when running setuid, allows local users to execute arbitrary code.DSA-67710131631421714224Buffer overflow in pcdsvgaview in xpcd 2.08 allows local users to execute arbitrary code.DSA-6761252310131621424814250prefs.php in SquirrelMail before 1.4.4, with register_globals enabled, allows remote attackers to inject local code into the SquirrelMail code via custom preference handlers.20050129 SquirrelMail Security Advisoryhttp://www.squirrelmail.org/security/issue/2005-01-14APPLE-SA-2005-03-21RHSA-2005:099RHSA-2005:13513962GLSA-200501-39Multiple buffer overflows in the XView library 3.2 may allow local users to execute arbitrary code via setuid applications that use the library.DSA-672xview-xvparseone-bo(19271)The DBI library (libdbi-perl) for Perl allows local users to overwrite arbitrary files via a symlink attack on a temporary PID file.DSA-658GLSA-200501-38RHSA-2005:07220050125 [USN-70-1] Perl DBI module vulnerabilitydbi-library-file-overwrite(19068)MDKSA-2005:0301236010130071401514050 FLSA-2006:178989MDKSA-2005:030The KDE screen saver in KDE before 3.0.5 does not properly check the return value from a certain function call, which allows attackers with physical access to cause a crash and access the desktop session.DSA-660RHSA-2005:009kdebase-screensaver-security-bypass(19084)Buffer overflow in xtrlock 2.0 allows local users to cause a denial of service (application crash) and hijack the desktop session.DSA-649xtrlock-screen-lock-bypass(18991)1231613938The 55_options_traceback.dpatch patch for mailman 2.1.5 in Ubuntu 4.10 displays a different error message depending on whether the e-mail address is subscribed to a private list, which allows remote attackers to determine the list membership for a given e-mail address.20050110 [USN-59-1] mailman vulnerabilitieshttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285839http://qa.debian.org/bts-security.htmlMySQL MaxDB 7.5.0.0, and other versions before 7.5.0.21, allows remote attackers to cause a denial of service (crash) via an HTTP request with invalid headers.MySQL MaxDB Web Agent Multiple Denial of Service Vulnerabilitiesbid 1231320050119 MySQL MaxDB Web Agent Multiple Denial of Service VulnerabilitiesThe sapdbwa_GetUserData function in MySQL MaxDB 7.5.0.0, and other versions before 7.5.0.21, allows remote attackers to cause a denial of service (crash) via invalid parameters to the WebDAV handler code, which triggers a null dereference that causes the SAP DB Web Agent to crash.MySQL MaxDB Web Agent Multiple Denial of Service Vulnerabilities20050119 MySQL MaxDB Web Agent Multiple Denial of Service VulnerabilitiesMySQL MaxDB 7.5.00 for Windows, and possibly earlier versions and other platforms, allows remote attackers to cause a denial of service (application crash) via invalid parameters to the (1) DBMCli_String::ReallocString, (2) DBMCli_String::operator, (3) DBMCli_Buffer::ForceResize, (4) DBMCli_Wizard::InstallDatabase, (5) DBMCli_Devspaces::Complete, (6) DBMWeb_TemplateWizard::askForWriteCountStep5, or (7) DBMWeb_DBMWeb::wizardDB functions, which triggers a null dereference.20050314 MySQL MaxDB Web Agent Multiple Denial of Service Vulnerabilitiesmaxdb-null-pointer-dos(19687)20050314 MySQL MaxDB Web Agent Multiple Denial of Service VulnerabilitiesBuffer overflow in the X11 dissector in Ethereal 0.8.10 through 0.10.8 allows remote attackers to execute arbitrary code via a crafted packet.http://www.ethereal.com/appnotes/enpa-sa-00017.htmlDSA-653GLSA-200501-27MDKSA-2005:013RHSA-2005:037P-10613946ethereal-x11-bo(19004)FLSA-2006:15292212326MDKSA-2005:013Cross-site scripting (XSS) vulnerability in ht://dig (htdig) before 3.1.6-r7 allows remote attackers to execute arbitrary web script or HTML via the config parameter, which is not properly sanitized before it is displayed in an error message.htdig -- unsanitised inputht://dig Input Validation Hole in 'config' Parameter Permits Cross-Site Scripting Attacksbid 12442GLSA-200502-16MDKSA-2005:063RHSA-2005:0731013078htdig-config-xss(19223)SCOSA-2005.46142551741417415FLSA-2006:15290714276143031479515007RHSA-2005:090MDKSA-2005:063Heap-based buffer overflow in less in Red Hat Enterprise Linux 3 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted file, as demonstrated using the UTF-8 locale.FLSA:2404RHSA-2005:068https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145527less-file-bo(19131)The alsa-lib package in Red Hat Linux 4 disables stack protection for the libasound.so library, which makes it easier for attackers to execute arbitrary code if there are other vulnerabilities in the library.alsa-lib security updatebid 12575The publisher handler for mod_python 2.7.8 and earlier allows remote attackers to obtain access to restricted objects via a crafted URL.CLA-2005:926DSA-689GLSA-200502-14RHSA-2005:100RHSA-2005:1042005-000320050211 [USN-80-1] mod_python vulnerabilityVU#356409125191013156FLSA:152896The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, and 2.4, when used by XML-RPC servers that use the register_instance method to register an object without a _dispatch method, allows remote attackers to read or modify globals of the associated module, and possibly execute arbitrary code, via dotted attributes.20050203 Python Security Advisory PSF-2005-001 - SimpleXMLRPCServer.pyhttp://www.python.org/security/PSF-2005-001/http://python.org/security/PSF-2005-001/patch-2.2.txtDSA-666MDKSA-2005:035RHSA-2005:1082005-0003python-simplexmlrpcserver-bypass(19217)12437101308314128MDKSA-2005:035A regression error in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch omits an "access check," which allows local users to cause a denial of service (crash).12599RHSA-2005:092red-hat-regression-dos(20618)Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch, when using the hugemem kernel, allows local users to read and write to arbitrary kernel memory and gain privileges via certain syscalls.12599RHSA-2005:092red-hat-patch-gain-privileges(20619)Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch, when running on x86 with the hugemem kernel, allows local users to cause a denial of service (crash).12599RHSA-2005:092red-hat-patch-dos(20620)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.Buffer overflow in the gopherToHTML function in the Gopher reply parser for Squid 2.5.STABLE7 and earlier allows remote malicious Gopher servers to cause a denial of service (crash) via crafted responses.http://www.squid-cache.org/Advisories/SQUID-2005_1.txthttp://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-gopher_html_parsing.patchCLA-2005:923DSA-651GLSA-200501-25MDKSA-2005:014RHSA-2005:060RHSA-2005:061SUSE-SA:2005:0062005-000313825FLSA-2006:15280912276MDKSA-2005:014The WCCP message parsing code in Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (crash) via malformed WCCP messages with source addresses that are spoofed to reference Squid's home router and invalid WCCP_I_SEE_YOU cache numbers.http://www.squid-cache.org/Advisories/SQUID-2005_2.txthttp://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_denial_of_service.patchCLA-2005:923DSA-651GLSA-200501-25MDKSA-2005:014RHSA-2005:060RHSA-2005:061SUSE-SA:2005:0062005-000313825128861012882FLSA-2006:15280912275MDKSA-2005:014Memory leak in the NTLM fakeauth_auth helper for Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (memory consumption).http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_authCLA-2005:923GLSA-200501-25RHSA-2005:060RHSA-2005:061SUSE-SA:2005:0062005-0003123241012818FLSA-2006:152809The NTLM component in Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (crash) via a malformed NTLM type 3 message that triggers a NULL dereference.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_authGLSA-200501-25RHSA-2005:060RHSA-2005:061SUSE-SA:2005:0062005-000313789122201012818FLSA-2006:152809Multiple buffer overflows in the SDL port of abuse (abuse-SDL) before 2.00 allow local users to execute arbitrary code via the command line.DSA-69114495The SDL port of abuse (abuse-SDL) before 2.00 does not properly drop privileges before creating certain files, which allows local users to create or overwrite arbitrary files.DSA-6911449514610Format string vulnerability in the movemail utility in (1) Emacs 20.x, 21.3, and possibly other versions, and (2) XEmacs 21.4 and earlier, allows remote malicious POP3 servers to execute arbitrary code via crafted packets.DSA-670DSA-671DSA-685MDKSA-2005:038RHSA-2005:110RHSA-2005:112RHSA-2005:13320050207 [USN-76-1] Emacs vulnerabilityxemacs-movemail-format-string(19246)12462 FLSA-2006:152898MDKSA-2005:038Buffer overflow in the socket_getline function in Newspost 2.1.1 and earlier allows remote malicious NNTP servers to execute arbitrary code via a long string without a newline character.20050202 RE: SECURITEY.NNOV.RU NewsPost buffer overflow [EXPLOIT]http://people.freebsd.org/~niels/issues/newspost-20050114.txthttp://www.vuxml.org/freebsd/7f13607b-6948-11d9-8937-00065be4b5b6.htmlGLSA-200502-0514092newspost-socketgetline-bo(19178)12418101305614098Integer overflow in camel-lock-helper in Evolution 2.0.2 and earlier allows local users or remote malicious POP3 servers to execute arbitrary code via a length value of -1, which leads to a zero byte memory allocation and a buffer overflow.20050124 [USN-69-1] Evolution vulnerabilityCLA-2005:925DSA-673GLSA-200501-35MDKSA-2005:02412354evolution-camellockhelper-bo(19031)RHSA-2005:397RHSA-2005:238USN-69-1101298113830MDKSA-2005:024PHP remote file inclusion vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to execute arbitrary PHP code by modifying a URL parameter to reference a URL on a remote web server that contains the code.20050129 SquirrelMail Security Advisoryhttp://www.squirrelmail.org/security/issue/2005-01-19?PHPSESSID=8af117822fb1ca3aa966a64248b5d223APPLE-SA-2005-03-21RHSA-2005:099RHSA-2005:13513962GLSA-200501-39squirrelmail-frame-file-include(19037)Cross-site scripting (XSS) vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to inject arbitrary web script or HTML via certain integer variables.20050129 SquirrelMail Security Advisoryhttp://www.squirrelmail.org/security/issue/2005-01-20APPLE-SA-2005-03-21DSA-662RHSA-2005:099RHSA-2005:1351396214096GLSA-200501-39squirrelmail-webmailphp-xss(19036)Unknown vulnerability in typespeed 0.4.1 and earlier allows local users to gain privileges.DSA-684SSLeay.pm in libnet-ssleay-perl before 1.25 uses the /tmp/entropy file for entropy if a source is not set in the EGD_PATH variable, which allows local users to reduce the cryptographic strength of certain operations by modifying the file.http://www.ubuntulinux.org/support/documentation/usn/usn-113-1MDKSA-2006:0231863913471MDKSA-2006:023bsmtpd 2.3 and earlier does not properly sanitize e-mail addresses, which allows remote attackers to execute arbitrary commands.DSA-690Apache mod_auth_radius 1.5.4 and libpam-radius-auth allow remote malicious RADIUS servers to cause a denial of service (crash) via a RADIUS_REPLY_MESSAGE with a RADIUS attribute length of 1, which leads to a memcpy operation with a -1 length argument.20050111 Apache mod_auth_radius remote integer overflowhttp://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-02DSA-659modauthradius-dos(18841)1221710128291377314046Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses.12724http://www.daemonology.net/papers/htt.pdfhttp://www.daemonology.net/hyperthreading-considered-harmful/SCOSA-2005.24101739VU#911878ADV-2005-05401013967ADV-2005-30021534818165RHSA-2005:476RHSA-2005:800[openbsd-misc] 20050304 Re: FreeBSD hiding security stuff[freebsd-security] 20050304 [Fwd: Re: FW:FreeBSD hiding security stuff][freebsd-hackers] 20050304 Re: FW:FreeBSD hiding security stuffInternet Explorer 6 on Windows XP SP2 allows remote attackers to bypass the file download warning dialog and possibly trick an unknowledgeable user into executing arbitrary code via a web page with a body element containing an onclick tag, as demonstrated using the createElement function.20050114 Internet Explorer (SP2) - Remote File DownloadStack-based buffer overflow in the websql CGI program in MySQL MaxDB 7.5.00 allows remote attackers to execute arbitrary code via a long password parameter.20050113 MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability20050113 MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability122651012893The web-based administrative interface for 3Com OfficeConnect Wireless 11g Access Point (AP) 1.00.08, and possibly earlier versions before 1.03.07A, allows remote attackers to bypass authentication and obtain sensitive information by directly accessing the (1) config.bin (2) profile.wlp?PN=ggg or (3) event.logs URLs.3Com OfficeConnect Wireless 11g AP Information Disclosure VulnerabilityOfficeConnect Wireless information disclosurebid 12322101295813942inpview in SGI IRIX allows local users to execute arbitrary commands via the SUN_TTSESSION_CMD environment variable, which is executed by inpview without dropping privileges.20050113 SGI IRIX inpview Design Error Vulnerability13858irix-inpview-gain-privileges(18894)10128941225912915vsdatant.sys in Zone Lab ZoneAlarm before 5.5.062.011, ZoneAlarm Wireless before 5.5.080.000, Check Point Integrity Client 4.x before 4.5.122.000 and 5.x before 5.1.556.166 do not properly verify that the ServerPortName argument to the NtConnectPort function is a valid memory address, which allows local users to cause a denial of service (system crash) when ZoneAlarm attempts to dereference an invalid pointer.20050211 ZoneAlarm 5.1 Invalid Pointer Dereference Vulnerabilityhttp://download.zonelabs.com/bin/free/securityAlert/19.html1253114256Stack-based buffer overflow in DataRescue Interactive Disassembler (IDA) Pro 4.7 allows attackers to execute arbitrary code via a PE file with an Import Address Table containing a long import library name.20050124 DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerabilityhttp://www.datarescue.com/ubb/ultimatebb.php?/topic/2/146.htmldatabase-ida-portable-executable-bo(19042)12353101297513980AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the configdir parameter to aswtats.pl.20050117 AWStats Remote Command Execution Vulnerabilityhttp://awstats.sourceforge.net/docs/awstats_changelog.txtVU#272296138931300212298Buffer overflow in XShisen before 1.36 allows local users to execute arbitrary code via a long GECOS field.289784: xshisen: buffer overflow when handling GECOS fieldhttp://www.vuxml.org/freebsd/56971fa6-641c-11d9-a097-000854d03344.htmlhelvis 1.8h2_1 and earlier stores recovery files in world readable directories with world readable permissions, which allows local users to read the recovered files of other users.http://www.vuxml.org/freebsd/bb99f803-5fde-11d9-b721-00065be4b5b6.htmlhelvis 1.8h2_1 and earlier allows local users to recover and read the files of other users via the elvrec setuid program.http://www.vuxml.org/freebsd/bb99f803-5fde-11d9-b721-00065be4b5b6.htmlhelvis 1.8h2_1 and earlier allows local users to delete arbitrary files via the elvprsv setuid program.http://people.freebsd.org/~niels/ports/korean/helvis/issues.txtMultiple buffer overflows in golddig 2.0 and earlier allow local users to execute arbitrary code via (1) a long map name command line argument or (2) a long username as recorded in the USER environment variable.http://www.vuxml.org/freebsd/949c470e-528f-11d9-ac20-00065be4b5b6.htmlgolddig-long-mapname-bo(19039)golddig-long-username-bo(19040)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0975. Reason: This candidate is a duplicate of CVE-2005-0975. Notes: All CVE users should reference CVE-2005-0975 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.The coda_pioctl function in the coda functionality (pioctl.c) for Linux kernel 2.6.9 and 2.4.x before 2.4.29 may allow local users to cause a denial of service (crash) or execute arbitrary code via negative vi.in_size or vi.out_size values, which may trigger a buffer overflow.Re: Make pipe data structure be a circular list of pages, rather than[linux-kernel] 20041216 [Coverity] Untrusted user data in kernel[linux-kernel] 20050105 Re: [Coverity] Untrusted user data in kernel[linux-kernel] 20050107 [PATCH 2.6.10-mm2] fs/coda Re: [Coverity] Untrusted user data in kernel1013018RHSA-2006:019118684RHSA-2005:663FLSA:157459-1DSA-1017193741700214967DSA-1070DSA-1067DSA-10692016320202DSA-1082ADV-2005-187820338The "at" commands on Mac OS X 10.3.7 and earlier do not properly drop privileges, which allows local users to (1) delete arbitrary files via atrm, (2) execute arbitrary programs via the -f argument to batch, or (3) read arbitrary files via the -f argument to batch, which generates a job file that is readable by the local user.20050127 DMA[2005-0127a] - 'Apple OSX batch family poor use of setuid'http://www.digitalmunition.com/DMA[2005-0127a].txtAPPLE-SA-2005-01-25VU#678150macos-at-gain-privileges(18981)ColorSync on Mac OS X 10.3.7 and 10.3.8 allows attackers to execute arbitrary code via malformed ICC color profiles that modify the heap.APPLE-SA-2005-01-25VU#980078macos-icc-profile-bo(19083)123671013000Mail in Mac OS X 10.3.7, when generating a Message-ID header, generates a GUUID that includes information that identifies the Ethernet hardware being used, which allows remote attackers to link mail messages to a particular machine.APPLE-SA-2005-01-25macos-ethernet-address-disclosure(19085)VU#464662140051013001The Quick Buttons feature in Konversation 0.15 allows remote attackers to execute certain IRC commands via a channel name containing "%" variables, which are recursively expanded by the Server::parseWildcards function when the Part Button is selected.Multiple vulnerabilities in KonversationKonversation expansion execute code20050119 Multiple vulnerabilities in KonversationGLSA-200501-341231210129721391913989Certain Perl scripts in Konversation 0.15 allow remote attackers to execute arbitrary commands via shell metacharacters in (1) channel names or (2) song names that are not properly quoted when the user runs IRC sripts.Multiple vulnerabilities in KonversationKonversation Perl script may allow execution of code20050119 Multiple vulnerabilities in KonversationGLSA-200501-341231210129721391913989The Quick Connection dialog in Konversation 0.15 inadvertently uses the user-provided password as the nickname instead of the user-provided nickname when connecting to the IRC server, which could leak the password to other users.Multiple vulnerabilities in Konversation20050119 Multiple vulnerabilities in Konversationkonversation-nick-password-information-disclosure(19038)GLSA-200501-341231210129721391913989ClamAV 0.80 and earlier allows remote attackers to cause a denial of service (clamd daemon crash) via a ZIP file with malformed headers.http://sourceforge.net/project/shownotes.php?release_id=300116CLA-2005:928GLSA-200501-46MDKSA-2005:0252005-0003MDKSA-2005:025The X server in SCO UnixWare 7.1.1, 7.1.3, and 7.1.4 does not properly create socket directories in /tmp, which could allow attackers to hijack local sockets.ADV-2005-0077SCOSA-2005.8UnixWare x.org Local Socket Hijacking VulnerabilityThe unw_unwind_to_user function in unwind.c on Itanium (ia64) architectures in Linux kernel 2.6 allows local users to cause a denial of service (system crash).RHSA-2005:366https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148868http://linux.bkbits.net:8080/linux-2.6/cset@41f2beablXVnAs_6fznhhITh1j5hZg15019RHSA-2005:284RHSA-2005:293DSA-1070DSA-1067DSA-1069132662016320202DSA-108220338The Linux kernel before 2.6.11 on the Itanium IA64 platform has certain "ptrace corner cases" that allow local users to cause a denial of service (crash) via crafted syscalls, possibly related to MCA/INIT, a different vulnerability than CVE-2005-1761.RHSA-2005:420RHSA-2005:66317002[kernel-svn-changes] 20050816 r3920 - in branches/dist/sarge-security: . kernel kernel/i386 kernel/source kernel/source/kernel-source-2.6.8-2.6.8/debian[linux-ia64] 20040916 Re: [Patch] Per CPU MCA/INIT data save areasADV-2005-1878Linux kernel 2.6 on Itanium (ia64) architectures allows local users to cause a denial of service via a "missing Itanium syscall table entry."RHSA-2005:293RHSA-2005:284rpc.mountd in SGI IRIX 6.5.25, 6.5.26, and 6.5.27 does not correctly allow access to anonymous clients that connect from a system whose hostname can not be determined. NOTE: while this issue occurs in a security mechanism, there is no apparent attacker role and probably does not satisfy the CVE definition of a vulnerability.P-214ADV-2005-070215619Unknown vulnerability in rpc.mountd in SGI IRIX 6.5.25, 6.5.26, and 6.5.27 does not sufficiently restrict access rights for read-mostly exports, which allows attackers to conduct unauthorized activities.P-214ADV-2005-070215619Buffer overflow in PeID allows attackers to execute arbitrary code via a PE file with an Import Address Table containing a long import library name.20050124 DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerabilitydatabase-ida-portable-executable-bo(19042)1235513984Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to load local files via links "with a custom getter and toString method" that are middle-clicked by the user to be opened in a new tab.http://www.mozilla.org/security/announce/mfsa2005-01.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=249332RHSA-2005:323RHSA-2005:335mozilla-firefox-file-upload(19168)OVAL10005712407oval:org.mitre.oval:def:100057Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments that belong to other users, e.g. content that is managed by helper applications such as PDF.http://www.mozilla.org/security/announce/mfsa2005-02.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=251297RHSA-2005:335mozilla-world-readable(17832)OVAL100056RHSA-2005:384SUSE-SA:2006:02219823oval:org.mitre.oval:def:100056Firefox before 1.0 and Mozilla before 1.7.5 display the SSL lock icon when an insecure page loads a binary file from a trusted site, which could facilitate phishing attacks.http://www.mozilla.org/security/announce/mfsa2005-03.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=257308RHSA-2005:335mozilla-ssl-spoofing(19166)OVAL100055RHSA-2005:38412407oval:org.mitre.oval:def:100055Firefox before 1.0 and Mozilla before 1.7.5 display the secure site lock icon when a view-source: URL references a secure SSL site while an insecure page is being loaded, which could facilitate phishing attacks.http://www.mozilla.org/security/announce/mfsa2005-04.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=262689RHSA-2005:323RHSA-2005:335mozilla-ssl-view-source-spoofing(19169)OVAL10005412407oval:org.mitre.oval:def:100054Firefox before 1.0 does not properly distinguish between user-generated and synthetic click events, which allows remote attackers to use Javascript to bypass the file download prompt when the user uses the Alt-click feature.http://www.mozilla.org/security/announce/mfsa2005-07.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=265176mozilla-script-click-event-bypass(19170)OVAL10005112407oval:org.mitre.oval:def:100051Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to obtain sensitive data from the clipboard via Javascript that generates a middle-click event on systems for which a middle-click performs a paste operation.http://www.mozilla.org/security/announce/mfsa2005-08.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=265728RHSA-2005:335mozilla-middle-click-information-disclosure(19171)RHSA-2005:38412407Firefox before 1.0 and Mozilla before 1.7.5, when configured to use a proxy, respond to 407 proxy auth requests from arbitrary servers, which allows remote attackers to steal NTLM or SPNEGO credentials.http://www.mozilla.org/security/announce/mfsa2005-09.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=267263RHSA-2005:323mozilla-407-proxy-obtain-information(19174)OVAL10004912407oval:org.mitre.oval:def:100049Thunderbird before 0.9, when running on Windows systems, uses the default handler when processing javascript: links, which invokes Internet Explorer and may expose the Thunderbird user to vulnerabilities in the version of Internet Explorer that is installed on the user's system. NOTE: since the invocation between multiple products is a common practice, and the vulnerabilities inherent in multi-product interactions are not easily enumerable, this issue might be REJECTED in the future.http://www.mozilla.org/security/announce/mfsa2005-10.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=263546thunderbird-javascript-handler-launch(19173)OVAL10004812407oval:org.mitre.oval:def:100048Thunderbird 0.6 through 0.9 and Mozilla 1.7 through 1.7.3 does not obey the network.cookie.disableCookieForMailNews preference, which could allow remote attackers bypass the user's intended privacy and security policy by using cookies in e-mail messages.http://www.mozilla.org/security/announce/mfsa2005-11.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=268107RHSA-2005:094RHSA-2005:323RHSA-2005:335mozilla-cookie-policy-bypass(19172)OVAL100047SUSE-SA:2006:0221982312407oval:org.mitre.oval:def:100047Firefox before 1.0 allows the user to store a (1) javascript: or (2) data: URLs as a Livefeed bookmark, then executes it in the security context of the currently loaded page when the user later accesses the bookmark, which could allow remote attackers to execute arbitrary code.http://www.mozilla.org/security/announce/mfsa2005-12.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=265668mozilla-firefox-livefeed-xss(19187)OVAL10004612407oval:org.mitre.oval:def:100046Unknown vulnerability in the installation of Adobe License Management Service, as used in Adobe Photoshop CS, Adobe Creative Suite 1.0, and Adobe Premiere Pro 1.5, allows attackers to gain administrator privileges.http://www.adobe.com/support/techdocs/331688.html101416810141691014170PHP remote file inclusion vulnerability in Squirrelmail 1.2.6 allows remote attackers to execute arbitrary code via "URL manipulation."DSA-662VU#20321414096The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files via the PERLIO_DEBUG variable.20050207 DMA[2005-0131a] - 'Setuid Perl PERLIO_DEBUG root owned file creation'http://www.digitalmunition.com/DMA[2005-0131a].txtGLSA-200502-13MDKSA-2005:031RHSA-2005:103RHSA-2005:1052005-000320050202 [USN-72-1] Perl vulnerabilities12426perl-perliodebug-file-overwrite(19207)14120FLSA-2006:152845CLSA-2006:105621646MDKSA-2005:031Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree.20050207 DMA[2005-0131b] - 'Setuid Perl PERLIO_DEBUGhttp://www.digitalmunition.com/DMA[2005-0131b].txtGLSA-200502-13MDKSA-2005:031RHSA-2005:103RHSA-2005:1052005-000320050202 [USN-72-1] Perl vulnerabilities12426perl-perliodebug-bo(19208)14120FLSA-2006:152845CLSA-2006:1056MDKSA-2005:031The confirm add-on in SmartList 3.15 and earlier allows attackers to subscribe arbitrary e-mail addresses by using a valid cookie that specifies an address other than the address for which the cookie was assigned.DSA-720SmartList ListManager Arbitrary List Addition VulnerabilityFormat string vulnerability in bidwatcher before 1.3.17 allows remote malicious web servers from eBay, or a spoofed eBay server, to cause a denial of service and possibly execute arbitrary code via certain responses.DSA-687GLSA-200503-06The tpkg-* scripts in the toolchain-source 3.0.4 package on Debian GNU/Linux 3.0 allow local users to overwrite arbitrary files via a symlink attack on temporary files.toolchain-source -- insecure temporary filesbid 12540toolchain-source-symlink(19317)14277Multiple buffer overflows in unace 1.2b allow attackers to execute arbitrary code via (1) 2 overflows in ACE archives, (2) a long command line argument, or (3) certain "Ready for next volume" messages.20050222 unace-1.2b multiple buffer overflows and directory traversal bugs14359SUSE-SR:2005:016VU#21500612630Multiple directory traversal vulnerabilities in unace 1.2b allow attackers to overwrite arbitrary files via an ACE archive containing (1) ../ sequences or (2) absolute pathnames.20050222 unace-1.2b multiple buffer overflows and directory traversal bugs14359SUSE-SR:2005:01612628Stack-based buffer overflow in the get_internal_addresses function in the pluto application for Openswan 1.x before 1.0.9, and Openswan 2.x before 2.3.0, when compiled with XAUTH and PAM enabled, allows remote authenticated attackers to execute arbitrary code.20050126 Openswan XAUTH/PAM Buffer Overflow Vulnerabilityhttp://www.openswan.org/support/vuln/IDEF0785/openswan-xauth-pam-bo(19078)FEDORA-2005-082123771319510130141403814062squid_ldap_auth in Squid 2.5 and earlier allows remote authenticated users to bypass username-based Access Control Lists (ACLs) via a username with a space at the beginning or end, which is ignored by the LDAP server.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaceshttp://www.squid-cache.org/bugs/show_bug.cgi?id=1187http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-ldap_spaces.patchCLA-2005:923DSA-667MDKSA-2005:034RHSA-2005:060RHSA-2005:061SUSE-SA:2005:006VU#92419820050207 [USN-77-1] Squid vulnerabilities12431FLSA-2006:152809MDKSA-2005:034Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache or conduct certain attacks via headers that do not follow the HTTP specification, including (1) multiple Content-Length headers, (2) carriage return (CR) characters that are not part of a CRLF pair, and (3) header names containing whitespace characters.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsingCLA-2005:931MDKSA-2005:034RHSA-2005:060RHSA-2005:061SUSE-SA:2005:00620050207 [USN-77-1] Squid vulnerabilitiesVU#768702FEDORA-2005-373FLSA-2006:15280912412MDKSA-2005:034Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache via an HTTP response splitting attack.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splittingCLA-2005:931DSA-667MDKSA-2005:034RHSA-2005:060RHSA-2005:061SUSE-SA:2005:00620050207 [USN-77-1] Squid vulnerabilitiesVU#625878http://www.squid-cache.org/Advisories/SQUID-2005_5.txtFEDORA-2005-373FLSA-2006:15280912433MDKSA-2005:034The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released.20050215 [USN-82-1] Linux kernel vulnerabilitiesCLA-2005:930RHSA-2005:092OVAL1225RHSA-2005:47212598oval:org.mitre.oval:def:1225 20060402-01-U 19607nls_ascii.c in Linux before 2.6.8.1 uses an incorrect table size, which allows attackers to cause a denial of service (kernel crash) via a buffer overflow.http://linux.bkbits.net:8080/linux-2.6/cset@41e2bfbeOiXFga62XrBhzm7Kv9QDmQCLA-2005:930RHSA-2005:09220050215 [USN-82-1] Linux kernel vulnerabilities12598Race condition in the setsid function in Linux before 2.6.8.1 allows local users to cause a denial of service (crash) and possibly access portions of kernel memory, related to TTY changes, locking, and semaphores.http://linux.bkbits.net:8080/linux-2.6/cset@41ddda70CWJb5nNL71T4MOlG2sMG8ACLA-2005:930RHSA-2005:09220050215 [USN-82-1] Linux kernel vulnerabilities12598Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of service (CPU and memory consumption) and bypass RLIM_MEMLOCK limits via the mlockall call.20050107 grsecurity 2.1.0 release / 5 Linux kernel advisoriesCLA-2005:930RHSA-2005:092RHSA-2005:66317002ADV-2005-1878Multiple integer signedness errors in the sg_scsi_ioctl function in scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel memory via negative integers in arguments to the scsi ioctl, which bypass a maximum length check before calling the copy_from_user and copy_to_user functions.20050107 grsecurity 2.1.0 release / 5 Linux kernel advisoriesCLA-2005:930RHSA-2005:092MDKSA-2005:218MDKSA-2005:219121981782620050107 grsecurity 2.1.0 release / 5 Linux kernel advisoriesMDKSA-2005:218MDKSA-2005:219The mod_dosevasive module 1.9 and earlier for Apache creates temporary files with predictable filenames, which could allow remote attackers to overwrite arbitrary files via a symlink attack.20050111 Mod_dosevasive symlink and race vulnerabilityhttp://security.lss.hr/index.php?page=details&ID=LSS-2005-01-0112181moddosevasive-symlink(18765)13725ftpfile in the Vacation plugin 0.15 and earlier for Squirrelmail allows local users to execute arbitrary commands via shell metacharacters in a command line argument.20050111 Squirrelmail vacation v0.15 local root exploithttp://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03vacation-ftpfile-command-execution(18855)12222101286613791Directory traversal vulnerability in ftpfile in the Vacation plugin 0.15 and earlier for Squirrelmail allows local users to read arbitrary files via a .. (dot dot) in a get request.20050111 Squirrelmail vacation v0.15 local root exploithttp://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03vacation-ftpfile-directory-traversal(18856)12222101286613791Stack-based buffer overflow in NodeManager Professional 2.00 allows remote attackers to execute arbitrary commands via a LinkDown-Trap packet that contains a long OCTET-STRING in the Trap variable-bindings field.20050117 [SIG^2 G-TEC] NodeManager Professional V2.00 Buffer Overflow Vulnerabilityhttp://www.security.org.sg/vuln/nodemanager200.html13881nodemanager-linkdown-bo(18937)122831012915Cisco IOS 12.1YD, 12.2T, 12.3 and 12.3T, when configured for the IOS Telephony Service (ITS), CallManager Express (CME) or Survivable Remote Site Telephony (SRST), allows remote attackers to cause a denial of service (device reboot) via a malformed packet to the SCCP port.20050119 Vulnerability in Cisco IOS Embedded Call Processing Solutionscisco-ios-sccp-dos(18956)101294513913Stack-based buffer overflow in the SetSkin function in AtHoc toolbar allows remote attackers to execute arbitrary code via a long skin name.20041006 Patch available for high risk flaws in the AtHoc Toolbar20050119 Multiple vulnerabilities in the AtHoc Toolbar (#NISR19012005c)http://www.ngssoftware.com/advisories/athoc-01full.txt11341athoc-toolbar-bo(17627)Format string vulnerability in the SetBaseURL function in AtHoc toolbar allows remote attackers to execute arbitrary code via format string specifiers in an invalid URL that is recorded in the debug log.20041006 Patch available for high risk flaws in the AtHoc Toolbar20050119 Multiple vulnerabilities in the AtHoc Toolbar (#NISR19012005c)http://www.ngssoftware.com/advisories/athoc-01full.txt11341athoc-toolbar-format-string(17628)Stack-based buffer overflow in the HandleAction function in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to execute arbitrary code via a long ShowPreferences argument.20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability (#NISR19012005e)20050119 RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability (#NISR19012005e)http://service.real.com/help/faq/security/040928_player/EN/VU#6983901231120041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability (#NISR19012005e)Directory traversal vulnerability in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to delete arbitrary files via a Real Metadata Packages (RMP) file with a FILENAME tag containing .. (dot dot) sequences in a filename that ends with a ? (question mark) and an allowed file extension (e.g. .mp3), which bypasses the check for the file extension.20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer Arbitrary File Deletion Vulnerability (#NISR19012005f)http://www.ngssoftware.com/advisories/real-02full.txthttp://service.real.com/help/faq/security/040928_player/EN/1130812672realplayer-media-file-deletion(17551)20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer Arbitrary File Deletion Vulnerability (#NISR19012005f)Off-by-one buffer overflow in the processing of tags in Real Metadata Package (RMP) files in RealPlayer 10.5 (6.0.12.1040) and earlier could allow remote attackers to execute arbitrary code via a long tag.20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g)http://www.ngssoftware.com/advisories/real-03full.txthttp://service.real.com/help/faq/security/040928_player/EN/realplayer-long-filename-offbyone-bo(18982)20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g)Directory traversal vulnerability in the parsing of Skin file names in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in an RJS filename.20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g)http://www.ngssoftware.com/advisories/real-03full.txthttp://service.real.com/help/faq/security/040928_player/EN/realplayer-rjs-filenane-directory-traversal(18984)20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g)Buffer overflow in the (1) -v and (2) -a switches in mRouter in iSync 1.5 in Mac OS X 10.3.7 and earlier allows local users to execute arbitrary code.20050122 Mac OS X 10.3 iSync Privilege EscalationAPPLE-SA-2005-04-19isync-mrouter-bo(19011)12334101297413965Squid 2.5, when processing the configuration file, parses empty Access Control Lists (ACLs), including proxy_auth ACLs without defined auth schemes, in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs if the administrator ignores the parser warnings.http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patchhttp://www.squid-cache.org/bugs/show_bug.cgi?id=1166http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_aclsCLA-2005:923DSA-66720050221 [USN-84-1] Squid vulnerabilitiesVU#260421FLSA-2006:152809Cisco IOS 12.0S through 12.3YH allows remote attackers to cause a denial of service (device restart) via a crafted IPv6 packet.20050126 Multiple Crafted IPv6 Packets Cause ReloadTA05-026AVU#472582cisco-ios-ipv6-dos(19072)Cisco IOS 12.0 through 12.3YL, with BGP enabled and running the bgp log-neighbor-changes command, allows remote attackers to cause a denial of service (device reload) via a malformed BGP packet.20050126 Cisco IOS Misformed BGP Packet Causes ReloadTA05-026AVU#689326cisco-ios-bgp-packetdos(19074)101301314034Cisco IOS 12.1T, 12.2, 12.2T, 12.3 and 12.3T, with Multi Protocol Label Switching (MPLS) installed but disabled, allows remote attackers to cause a denial of service (device reload) via a crafted packet sent to the disabled interface.20050126 Crafted Packet Causes Reload on Cisco RoutersTA05-026AVU#583638cisco-ios-mpls-dos(19071)12369101301514031A logic error in the CRAM-MD5 code for the University of Washington IMAP (UW-IMAP) server, when Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, does not properly enforce all the required conditions for successful authentication, which allows remote attackers to authenticate as arbitrary users.VU#702777http://www.kb.cert.org/vuls/id/CRDY-68QSL5GLSA-200502-02MDKSA-2005:026RHSA-2005:1281239110130371405714097MDKSA-2005:026Integer underflow in the Lists_MakeMask() function in lists.c in ngIRCd before 0.8.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long MODE line that causes an incorrect length calculation, which leads to a buffer overflow.[ngIRCd-ML] 20050126 ngIRCd 0.8.2http://bugs.gentoo.org/show_bug.cgi?id=79705GLSA-200501-4012397ngircd-listmakemask-bo(19143)10130471405614059TikiWiki before 1.8.5 does not properly validate files that have been uploaded to the temp directory, which could allow remote attackers to upload and execute arbitrary PHP scripts, a different vulnerability than CVE-2004-1386.GLSA-200501-41http://tikiwiki.org/art102http://www.lovebug.org/imd_advisory.txt13948D-BUS (dbus) before 0.22 does not properly restrict access to a socket, if the socket address is known, which allows local users to listen or send arbitrary messages on another user's per-user session bus via that socket.MDKSA-2005:105RHSA-2005:102ESB-2005.0435USN-144-112435101307514119156381583315844Directory traversal vulnerability in the true_path function in private.py for Mailman 2.1.5 and earlier allows remote attackers to read arbitrary files via ".../....///" sequences, which are not properly cleansed by regular expressions that are intended to remove "../" and "./" sequences.20050209 Administrivia: List Compromised due to Mailman VulnerabilityAPPLE-SA-2005-03-21DSA-674GLSA-200502-11MDKSA-2005:037RHSA-2005:136RHSA-2005:13720050209 [USN-78-1] Mailman vulnerability101314514211MDKSA-2005:037SUSE-SA:2005:007** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate has been revoked by its Candidate Numbering Authority (CNA) because it was initially assigned to a problem that was not a security issue. Notes: none.Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T architectures, allows local users to write to privileged IO ports via the OUTS instruction.RHSA-2005:092RHSA-2005:2932006-00061878412598KPPP 2.1.2 in KDE 3.1.5 and earlier, when setuid root without certain wrappers, does not properly close a privileged file descriptor for a domain socket, which allows local users to read and write to /etc/hosts and /etc/resolv.conf and gain control over DNS name resolution by opening a number of file descriptors before executing kppp.20050228 KPPP Privileged File Descriptor Leak Vulnerabilityhttp://www.kde.org/info/security/advisory-20050228-1.txtCLA-2005:934DSA-692RHSA-2005:175The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0 (CVE-2004-0888) is incomplete for 64-bit architectures on certain Linux distributions such as Red Hat, which could leave Xpdf users exposed to the original vulnerabilities.xpdf security updatebid 11501MDKSA-2005:041MDKSA-2005:042MDKSA-2005:043MDKSA-2005:044MDKSA-2005:052MDKSA-2005:056RHSA-2005:034RHSA-2005:053RHSA-2005:057RHSA-2005:132xpdf-pdf-bo(17818)MDKSA-2005:041MDKSA-2005:042MDKSA-2005:043MDKSA-2005:044MDKSA-2005:052MDKSA-2005:056Unknown vulnerability in Linux kernel 2.4.x, 2.5.x, and 2.6.x allows NFS clients to cause a denial of service via O_DIRECT.CLA-2005:930SUSE-SA:2005:00312330RHSA-2005:366The HTML parsing functions in Gaim before 1.1.4 allow remote attackers to cause a denial of service (application crash) via malformed HTML that causes "an invalid memory access," a different vulnerability than CVE-2005-0473.http://gaim.sourceforge.net/security/?id=12CLA-2005:933GLSA-200503-03MDKSA-2005:049RHSA-2005:21520050225 [USN-85-1] Gaim vulnerabilitiesVU#79581214386FLSA:15854312660SUSE-SA:2005:036MDKSA-2005:049Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via crafted IP packet fragments.20050315 [USN-95-1] Linux kernel vulnerabilitiesCLA-2005:945SUSE-SA:2005:018RHSA-2005:36612598RHSA-2005:420Netfilter in the Linux kernel 2.6.8.1 allows local users to cause a denial of service (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice.20050315 [USN-95-1] Linux kernel vulnerabilitiesCLA-2005:945SUSE-SA:2005:018MDKSA-2005:218MDKSA-2005:219RHSA-2005:366RHSA-2005:6631281614966142951782617002ADV-2005-1878MDKSA-2005:218MDKSA-2005:219Buffer overflow in wccp.c in Squid 2.5 before 2.5.STABLE7 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long WCCP packet, which is processed by a recvfrom function call that uses an incorrect length parameter.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_buffer_overflowhttp://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_buffer_overflow.patchDSA-667MDKSA-2005:034RHSA-2005:060RHSA-2005:061SUSE-SA:2005:00620050207 [USN-77-1] Squid vulnerabilitiesVU#8860061243213319101304514076FLSA-2006:152809MDKSA-2005:034The Amp II engine as used by Gore: Ultimate Soldier 1.50 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero byte UDP packet.http://aluigi.altervista.org/adv/amp2zero-adv.txt12192amp-3d-socket-dos(18789)1375420050106 Socket unreacheable in Amp II engineDirectory traversal vulnerability in WinHKI 1.4d allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a zip file.20050106 WinAc AND WinHKI ZIP File Directory Transversal 12176winhki-zip-directory-traversal(18798)101279813738Directory traversal vulnerability in Simple PHP Blog (SPHPBlog) 0.3.7c allows remote attackers to read or create arbitrary files via a .. (dot dot) in the entry parameter.20050107 Simple PHP Blog directory traversal vulnerability 20050107 Simple PHP Blog directory traversal vulnerability 12193sphp-dotdot-directory-traversal(18802)Mozilla 1.6 and possibly other versions allows remote attackers to cause a denial of service (application crash) via a XBM (X BitMap) file with a large (1) height or (2) width value.20050107 Mozilla XBM Image Vulnerabilitymozilla-xbm-dos(18803)Cross-site scripting (XSS) vulnerability in formmail.php in Woltlab Burning Board Lite 1.0.0, 1.0.1e, and possibly other versions, allows remote attackers to inject arbitrary web sript and HTML via the userid parameter.20050108 Security Advisory: Woltlab Burning Board Lite formmail.php XSS 12199wbb-formmail-userid-xss(18814)13782SQL injection vulnerability in index.php in Invision Community Blog allows remote attackers to execute arbitrary SQL commands via the eid parameter.20050109 SQL Injection Vulnerability in Invision Community Blog12205icb-sql-injection(18815)12817101283113783ClamAV 0.80 and earlier allows remote attackers to bypass virus scanning via a base64 encoded image in a data: (RFC 2397) URL.http://sourceforge.net/project/shownotes.php?release_id=300116GLSA-200501-46MDKSA-2005:02513900MDKSA-2005:025Multiple cross-site scripting (XSS) vulnerabilities in Gallery 1.3.4-pl1 allow remote attackers to inject arbitrary web script or HTML via (1) the index field in add_comment.php, (2) set_albumName, (3) slide_index, (4) slide_full, (5) slide_loop, (6) slide_pause, (7) slide_dir fields in slideshow_low.php, or (8) username field in search.php.20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerabilityhttp://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147gallery-multiple-xss(18938)gallery-multiple-scripts-xss(43473)Cross-site scripting vulnerability in login.php in Gallery 1.4.4-pl2 allows remote attackers to inject arbitrary web script or HTML via the username field.20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting VulnerabilityGLSA-200501-45http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=14713887gallery-multiple-xss(18938)Cross-site scripting (XSS) vulnerability in login.php in Gallery 2.0 Alpha allows remote attackers to inject arbitrary web script or HTML via the g2_form[subject] field.20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability20050117 [VulnWatch] Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerabilityhttp://theinsider.deep-ice.com/texts/advisory69.txthttp://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147gallery-multiple-xss(18938)gallery-g2formsubject-xss(43472)main.php in Gallery 2.0 Alpha allows remote attackers to gain sensitive information by changing the value of g2_subView parameter, which reveals the path in an error message.20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability20050117 [VulnWatch] Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerabilityhttp://theinsider.deep-ice.com/texts/advisory69.txthttp://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147gallery-mainphp-obtain-information(18940)The Software Development Kit (SDK) and Run Time Environment (RTE) 1.4.1 and 1.4.2 for Tru64 UNIX allows remote attackers to cause a denial of service (Java Virtual Machine hang) via object deserialization.SSRT4875Unknown vulnerability in HP-UX B.11.04 running Virtualvault 4.5 through 4.7, when running the TGA daemon, allows remote attackers to cause a denial of service via certain network traffic.SSRT590014082firehol.sh in FireHOL before 1.224 creates temporary files with predictable file names, which could allow local users to overwrite arbitrary files via a symlink attack.GLSA-200502-01http://cvs.sourceforge.net/viewcvs.py/firehol/firehol/firehol.sh123361313710129691397014102firehol-symlink(19032)Format string vulnerability in the Log_Resolver function in log.c for ngIRCd 0.8.2 and earlier, when compiled with IDENT, logging to SYSLOG, and with DEBUG enabled, allows remote attackers to execute arbitrary code.20050203 ngIRCd <= v0.8.2 Format String Vulnerabilityhttp://www.nosystem.com.ar/advisories/advisory-11.txt1411412434PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local users to load arbitrary shared libraries and execute code via the LOAD extension.[pgsql-bugs] 20050121 Privilege escalation via LOAD[pgsql-announce] 20050201 PostgreSQL Security ReleaseDSA-668200502-08MDKSA-2005:040RHSA-2005:138RHSA-2005:1502005-000320050201 [USN-71-1] PostgreSQL vulnerability12948SUSE-SA:2005:036 12411MDKSA-2005:040** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1388. Reason: This candidate is a duplicate of CVE-2004-1388. Notes: All CVE users should reference CVE-2004-1388 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.CitrusDB 0.3.5 and earlier stores the newfile.txt temporary data file under the web root, which allows remote attackers to steal credit card information via a direct request to newfile.txt.bid 1240220050212 Credit Card data disclosure in CitrusDBhttp://www.citrusdb.org/forums/viewtopic.php?t=49citrus-information-disclosure(19145)1013040Firefox 1.0 does not prevent the user from dragging an executable file to the desktop when it has an image/gif content type but has a dangerous extension such as .bat or .exe, which allows remote attackers to bypass the intended restriction and execute arbitrary commands via malformed GIF files that can still be parsed by the Windows batch file parser, aka "firedragging."GLSA-200503-30OVAL100033SUSE-SA:2006:02219823oval:org.mitre.oval:def:10003320050207 Firedragging [Firefox 1.0]http://www.mikx.de/firedragging/https://bugzilla.mozilla.org/show_bug.cgi?id=279945http://www.mozilla.org/security/announce/mfsa2005-25.htmlGLSA-200503-10Firefox 1.0 does not invoke the Javascript Security Manager when a user drags a javascript: or data: URL to a tab, which allows remote attackers to bypass the security model, aka "firetabbing."20050207 Firetabbing [Firefox 1.0]http://www.mikx.de/firetabbing/https://bugzilla.mozilla.org/show_bug.cgi?id=280056http://www.mozilla.org/security/announce/mfsa2005-26.htmlGLSA-200503-10GLSA-200503-30SUSE-SA:2005:016mozilla-firefox-tab-gain-access(19264)OVAL100032RHSA-2005:176RHSA-2005:384oval:org.mitre.oval:def:100032Firefox 1.0 allows remote attackers to modify Boolean configuration parameters for the about:config site by using a plugin such as Flash, and the -moz-opacity filter, to display the about:config site then cause the user to double-click at a certain screen position, aka "Fireflashing."http://www.mikx.de/fireflashing/https://bugzilla.mozilla.org/show_bug.cgi?id=280664http://www.mozilla.org/security/announce/mfsa2005-27.htmlGLSA-200503-10GLSA-200503-30RHSA-2005:323SUSE-SA:2005:016mozilla-firefox-aboutconfig-modify(19266)20050207 Fireflashing [Firefox 1.0]RHSA-2005:176RHSA-2005:384The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.20050206 state of homograph attacks20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.http://www.shmoo.com/idnhttp://www.shmoo.com/idn/homograph.txthttp://www.mozilla.org/security/announce/mfsa2005-29.htmlGLSA-200503-10GLSA-200503-30SUSE-SA:2005:016multiple-browsers-idn-spoof(19236)OVAL100029RHSA-2005:176RHSA-2005:38412461oval:org.mitre.oval:def:100029The International Domain Name (IDN) support in Safari 1.2.5 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.20050206 state of homograph attacks20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.http://www.shmoo.com/idnhttp://www.shmoo.com/idn/homograph.txtAPPLE-SA-2005-03-21multiple-browsers-idn-spoof(19236)12461The International Domain Name (IDN) support in Opera 7.54 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.20050206 state of homograph attacks20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.http://www.shmoo.com/idnhttp://www.shmoo.com/idn/homograph.txtmultiple-browsers-idn-spoof(19236)12461SUSE-SA:2005:031The International Domain Name (IDN) support in Omniweb 5 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.20050206 state of homograph attacks20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.http://www.shmoo.com/idnhttp://www.shmoo.com/idn/homograph.txtmultiple-browsers-idn-spoof(19236)12461The International Domain Name (IDN) support in Konqueror 3.2.1 on KDE 3.2.1 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.20050206 state of homograph attacks20050206 Re: state of homograph attackshttp://www.shmoo.com/idnhttp://www.shmoo.com/idn/homograph.txthttp://www.kde.org/info/security/advisory-20050316-2.txtMDKSA-2005:05814162multiple-browsers-idn-spoof(19236)RHSA-2005:325FLSA:17860612461MDKSA-2005:058The International Domain Name (IDN) support in Epiphany allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.20050206 state of homograph attackshttp://www.shmoo.com/idnhttp://www.shmoo.com/idn/homograph.txthttps://bugzilla.redhat.com/beta/show_bug.cgi?id=147399multiple-browsers-idn-spoof(19236)12461viewcert.php in the S/MIME plugin 0.4 and 0.5 for Squirrelmail allows remote attackers to execute arbitrary commands via shell metacharacters in the cert parameter.20050207 SquirrelMail S/MIME Plugin Command Injection Vulnerabilityhttp://www.squirrelmail.org/plugin_view.php?id=54VU#502328squirrelmail-smime-command-execution(19242)Format string vulnerability in chdev on IBM AIX 5.2 allows local users to execute arbitrary code via format string specifiers in a command line argument, which is not properly handled when printing an error message.20050207 IBM AIX chdev Local Format String VulnerabilityIY67455IY67654aix-chdev-format-string(19244)The httpProcessReplyHeader function in http.c for Squid 2.5-STABLE7 and earlier does not properly set the debug context when it is handling "oversized" HTTP reply headers, which might allow remote attackers to poison the cache or bypass access controls based on header size.http://www.squid-cache.org/bugs/show_bug.cgi?id=1216http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-oversize_reply_headershttp://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-oversize_reply_headers.patchCLA-2005:931RHSA-2005:060RHSA-2005:061SUSE-SA:2005:006VU#823350squid-http-cache-poisoning(19060)14091FLSA-2006:15280912412The Audio Setup Wizard (asw.dll) in Yahoo! Messenger 6.0.0.1750, and possibly other versions, allows attackers to arbitrary code by placing a malicious ping.exe program into the Messenger program directory, which is installed with weak default permissions.http://secunia.com/secunia_research/2004-6/advisory/11815Yahoo! Messenger 6.0.0.1750, and possibly other versions before 6.0.0.1921, does not properly display long filenames in file dialog boxes, which could allow remote attackers to trick users into downloading and executing programs via file names containing a large number of spaces and multiple file extensions.http://secunia.com/secunia_research/2005-2/advisory/13712PostgreSQL 8.0.0 and earlier allows local users to bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command.[pgsql-hackers] 20050127 Permissions on aggregate component functionsMDKSA-2005:040RHSA-2005:13820050210 [USN-79-1] PostgreSQL vulnerabilities12948postgresql-security-bypass(19184)SUSE-SA:2005:036 12417MDKSA-2005:040Buffer overflow in gram.y for PostgreSQL 8.0.0 and earlier may allow attackers to execute arbitrary code via a large number of arguments to a refcursor function (gram.y), which leads to a heap-based buffer overflow, a different vulnerability than CVE-2005-0247.[pgsql-patches] 20050120 Re: WIP: pl/pgsql cleanup[pgsql-committers] 20050121 pgsql: Prevent overrunning a heap-allocated buffer is more than 1024[pgsql-committers] 20050207 pgsql: Prevent 4 more buffer overruns in the PL/PgSQL parser.DSA-683MDKSA-2005:040RHSA-2005:138RHSA-2005:15020050210 [USN-79-1] PostgreSQL vulnerabilities12948postgresql-cursor-bo(19188)SUSE-SA:2005:036 12417MDKSA-2005:040The intagg contrib module for PostgreSQL 8.0.0 and earlier allows attackers to cause a denial of service (crash) via crafted arrays.[pgsql-committers] 20050127 pgsql: Fix security and 64-bit issues in contrib/intagg.MDKSA-2005:040RHSA-2005:13820050210 [USN-79-1] PostgreSQL vulnerabilities12948postgresql-contribintagg-dos(19185)SUSE-SA:2005:036 12417MDKSA-2005:040Multiple buffer overflows in gram.y for PostgreSQL 8.0.1 and earlier may allow attackers to execute arbitrary code via (1) a large number of variables in a SQL statement being handled by the read_sql_construct function, (2) a large number of INTO variables in a SELECT statement being handled by the make_select_stmt function, (3) a large number of arbitrary variables in a SELECT statement being handled by the make_select_stmt function, and (4) a large number of INTO variables in a FETCH statement being handled by the make_fetch_stmt function, a different set of vulnerabilities than CVE-2005-0245.[pgsql-committers] 20050207 pgsql: Prevent 4 more buffer overruns in the PL/PgSQL parser.DSA-683GLSA-200502-19MDKSA-2005:040RHSA-2005:138RHSA-2005:150SUSE-SA:2005:02720050210 [USN-79-1] PostgreSQL vulnerabilitiespostgresql-fetch-makefetchstmt-bo(19378)postgresql-makeselectstmt-arbitrary-bo(19377)postgresql-makeselectstmt-input-bo(19376)postgresql-readsqlconstruct-bo(19375)SUSE-SA:2005:036 12417MDKSA-2005:040The Solaris Management Console (SMC) GUI for Solaris 8 and 9, when creating user accounts that are configured for password aging, creates the accounts with a blank password, which allows remote or local attackers to break into those accounts.57717P-0961226013803solaris-smc-blank-password(18868)122601012860Heap-based buffer overflow in the DEC2EXE module for Symantec AntiVirus Library allows remote attackers to execute arbitrary code via a UPX compressed file containing a negative virtual offset to a crafted PE header.20050208 Symantec AntiVirus Library Heap Overflowhttp://www.symantec.com/avcenter/security/Content/2005.02.08.htmlVU#107822upx-engine-gain-control(18869)1013133Format string vulnerability in auditselect on IBM AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via format string specifiers in a command line argument.20050208 IBM AIX auditselect Local Format String VulnerabilityIY67519IY67472IY67802VU#8967291249614198aix-auditselect-format-string(19255)1013103Cross-site scripting (XSS) vulnerability in bibindex.php for BibORB 1.3.2, and possibly earlier versions, allows remote attackers to inject arbitrary HTML and web script via the search parameter.20050217 Advisory: Multiple Vulnerabilities in BibORB20050217 Advisory: Multiple Vulnerabilities in BibORB12583SQL injection vulnerability in BibORB 1.3.2, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the (1) Username or (2) Password.20050217 Advisory: Multiple Vulnerabilities in BibORB20050217 Advisory: Multiple Vulnerabilities in BibORB12583Directory traversal vulnerability in index.php for BibORB 1.3.2, and possibly earlier versions, allows remote attackers to delete arbitrary files via a Delete action and .. (dot dot) sequences in the database_name parameter.20050217 Advisory: Multiple Vulnerabilities in BibORB20050217 Advisory: Multiple Vulnerabilities in BibORB12583BibORB 1.3.2, and possibly earlier versions, does not properly enforce a restriction for uploading only PDF and PS files, which allows remote attackers to upload arbitrary files that are presented to other users with PDF or PS icons, which may trick some users into downloading and executing those files.20050217 Advisory: Multiple Vulnerabilities in BibORB20050217 Advisory: Multiple Vulnerabilities in BibORB12583String handling functions in Mozilla 1.7.3, Firefox 1.0, and Thunderbird before 1.0.2, such as the nsTSubstring_CharT::Replace function, do not properly check the return values of other functions that resize the string, which allows remote attackers to cause a denial of service and possibly execute arbitrary code by forcing an out-of-memory state that causes a reallocation to fail and return a pointer to a fixed address, which leads to heap corruption.20050228 Mozilla Firefox and Mozilla Browser Out Of Memory Heap Corruption Design Errorhttp://www.mozilla.org/security/announce/mfsa2005-18.htmlGLSA-200503-10GLSA-200503-30RHSA-2005:277RHSA-2005:337SUSE-SA:2005:016OVAL100040RHSA-2005:176SUSE-SA:2006:0221982312659oval:org.mitre.oval:def:100040The wu_fnmatch function in wu_fnmatch.c in wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command.20050225 WU-FTPD File Globbing Denial of Service VulnerabilityDSA-70557795SCOSA-2005.6318210HPSBUX02110ADV-2005-0588ADV-2006-12711441119561101699oval:org.mitre.oval:def:1265oval:org.mitre.oval:def:1333oval:org.mitre.oval:def:176214203Directory traversal vulnerability in (1) usercp_register.php and (2) usercp_avatar.php for phpBB 2.0.11, and possibly other versions, with gallery avatars enabled, allows remote attackers to delete (unlink) arbitrary files via "/../" sequences in the avatarselect parameter.phpBB Group phpBB2 Arbitrary File Unlink VulnerabilityPhPBB CHANGELOGbid 12623GLSA-200503-02phpBB 2.0.11, and possibly other versions, with remote avatars and avatar uploading enabled, allows local users to read arbitrary files by providing both a local and remote location for an avatar, then modifying the "Upload Avatar from a URL:" field to reference the target file.phpBB Group phpBB Arbitrary File Disclosure VulnerabilityPhPBB CHANGELOGbid 12621GLSA-200503-02VU#77468614362Stack-based buffer overflow in the Discovery Service for BrightStor ARCserve Backup 11.1 and earlier allows remote attackers to execute arbitrary code via a long packet to UDP port 41524, which is not properly handled in a recvfrom call.20050209 Computer Associates BrightStor ARCserve Backup v11 Discovery Service Remote Buffer Overflow Vulnerabilityhttp://supportconnectw.ca.com/public/enews/BrightStor/brigcurrent.asp#news1brightstor-discovery-bo(19251)101313814183lspath in AIX 5.2, 5.3, and possibly earlier versions, does not drop privileges before processing the -f option, which allows local users to read one line of arbitrary files.20050210 IBM AIX lspath Local File Access VulnerabilityIY67457IY67655ibm-aix-ispath-information-disclosure(19281)1251314232Buffer overflow in ipl_varyon on AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via a long -d argument.20050210 IBM AIX ipl_varyon Local Buffer Overflow VulnerabilityIY67812IY67750IY66933ibm-aix-iplvaryon-bo(19282)1251614231Buffer overflow in netpmon on AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via a long -O argument.20050210 IBM AIX netpmon Local Buffer Overflow VulnerabilityIY67807IY67136IY67124ibm-aix-netpmon-bo(19278)1251714237Multiple cross-site scripting (XSS) vulnerabilities in browse.php in OWL 0.7 and 0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) expand or (2) order parameter.20050101 Various Vulnerabilities in OWL Intranet Engine12114owl-intranet-engine-xss(18705)13695Multiple SQL injection vulnerabilities in browse.php in OWL 0.7 and 0.8 allow remote attackers to execute arbitrary SQL commands via the (1) parent or (2) sortposted parameter.20050101 Various Vulnerabilities in OWL Intranet Engine12114owl-intranet-engine-sql-injection(18704)13695Cross-site scripting (XSS) vulnerability in index.php in SugarCRM 1.X allows remote attackers to inject arbitrary web script or HTML via the (1) return_module, (2) return_action, (3) name, (4) module, or (5) record parameter.20050101 Cross Site Scripting Vulnerabilities and Possible Code Execution12113sugar-sales-index-xss(18719)index.php in FlatNuke 2.5.1 allows remote attackers to create an andministrator account via carriage returns and #10 in the url_avatar field, which is interpreted as a sensitive directive.20050102 Multiple Vulnerabilities in FlatNuke12150flatnuke-indexphp-gain-access(18741)Direct code injection vulnerability in FlatNuke 2.5.1 allows remote attackers to execute arbitrary PHP code by placing the code into the url_avatar field.20050102 Multiple Vulnerabilities in FlatNuke12150flatnuke-indexphp-xss(18746)The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters.20050103 STG Security Advisory: [SSA-20041224-21] File extensionsgnuboard-gbupdate-file-upload(18729)1214913711Multiple cross-site scripting (XSS) vulnerabilities in ReviewPost PHP Pro before 2.84 allow remote attackers to inject arbitrary web script or HTML via the (1) si parameter to showcat.php, (2) cat or (3) page parameter to showproduct.php, or (4) report parameter to reportproduct.php.20050103 Serious Vulnerabilities In PhotoPost ReviewPosthttp://www.gulftech.org/?node=research&article_id=00062-0102200513697reviewpost-php-xss(18731)Multiple SQL injection vulnerabilities in ReviewPost PHP Pro before 2.84 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to showcat.php or (2) product parameter to addfav.php.20050103 Serious Vulnerabilities In PhotoPost ReviewPosthttp://www.gulftech.org/?node=research&article_id=00062-0102200513697reviewpost-php-sql-injection(18732)ReviewPost PHP Pro before 2.84 allows remote attackers to upload and execute arbitrary PHP files by posting a review file with multiple extensions, which bypasses the intended restrictions.20050103 Serious Vulnerabilities In PhotoPost ReviewPost13697reviewpost-php-file-upload(18735)Multiple SQL injection vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to execute arbitrary SQL commands via the (1) cat or (2) ppuser parameter.20050103 Multiple PhotoPost Pro Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00063-010320051215613680photopost-php-showgallery-xss(18744)Multiple cross-site scripting (XSS) vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) si, (3) page, or (4) ppuser parameters.20050103 Multiple PhotoPost Pro Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00063-010320051215613680photopost-php-showgallery-xss(18744)TFTP in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to cause a denial of service (application crash) via a GET request containing an MS-DOS device name.20050104 3Com 3CDaemon Multiple Vulnerabilities3cdaemon-reserved-name-dos(18750)Multiple format string vulnerabilities in the FTP service in 3Com 3CDaemon 2.0 revision 10 allow remote attackers to cause a denial of service (application crash) via format string specifiers in (1) the username, (2) cd, (3) delete, (4) rename, (5) rmdir, (6) literal, (7) stat, or (8) CWD commands.20050104 3Com 3CDaemon Multiple Vulnerabilities121553cdaemon-login-dos(18751)Buffer overflow in the FTP service in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via (1) a long username in the USER command or (2) an FTP command that contains a long argument, such as cd, send, or ls.20050104 3Com 3CDaemon Multiple Vulnerabilities20050218 3com 3CDaemon FTP Unauthorized 121553cdaemon-long-command-dos(18754)The FTP service in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to gain sensitive information via a cd command that contains an MS-DOS device name, which reveals the installation path in an error message.20050104 3Com 3CDaemon Multiple Vulnerabilities121553cdaemon-command-obtain-information(18756)Soldner Secret Wars 30830 and earlier does not properly handle the "message too long" socket error, which allows remote attackers to cause a denial of service (socket termination) via a long UDP packet.20050104 Socket termination, format string and XSS in Soldner Secret Wars12162soldner-secret-wars-dos(18749)13716Format string vulnerability in Soldner Secret Wars 30830 and earlier allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via format string specifiers in a message.20050104 Socket termination, format string and XSS in Soldner Secret Wars12162soldner-secret-wars-format-string(18752)13716Cross-site scripting (XSS) vulnerability in the web interface in Soldner Secret Wars 30830 allows remote attackers to inject arbitrary web script or HTML via a user message, which is not filtered or quoted when the administrator views the server logs.20050104 Socket termination, format string and XSS in Soldner Secret Wars12162soldner-secret-wars-xss(18753)13716SQL injection vulnerability in member.php in MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the uid parameter.20050104 MyBB SQL Injection12161mybb-member-sql-injection(18755)Directory traversal vulnerability in index.php in QwikiWiki allows remote attackers to read arbitrary files via a .. (dot dot) and a %00 at the end of the filename in the page parameter.20050104 QWikiwiki directory traversal vulnerability12163qwikiwiki-directory-traversal(18748)12044SQL injection vulnerability in addentry.php in Woltlab Burning Book 1.0 Gold, 1.1.1e, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the user-agent parameter.20050110 Woltlab Burning Book addentry.php SQL Injectionwoltlab-book-addentry-sql-injection(18859)Webseries Payment Application does not properly restrict privileged operations, which allows remote authenticated users to gain privileges by directly accessing certain URLs.20050110 Portcullis Security Advisory 05-00112216webseries-pa-url-security-bypass(18848)101285413821eMotion MediaPartner Web Server 5.0 and 5.1 allows remote attackers to obtain sensitive information via an HTTP request for a .bhtml file that contains a (1) . (dot) or (2) + (plus sign) at the end, which returns the source code for that file.20050110 Portcullis Security Advisory 05-00412236mediapartner-bhtml-source-disclosure(18861)101285513820Bottomline Webseries Payment Application allows remote attackers to read arbitrary files on the network via a report template with modified ReportPath or ReportName values.20050110 Portcullis Security Advisory 05-009webseries-report-execution(18862)101285413821The change password functionality in Bottomline Webseries Payment Application does not require the old password when users enter a new password, which could allow remote authenticated users to change other users' passwords.20050110 Portcullis Security Advisory 05-00812231webseries-pa-password-gain-access(18860)101285413821Apple AirPort Express prior to 6.1.1 and Extreme prior to 5.5.1, configured as a Wireless Data Service (WDS), allows remote attackers to cause a denial of service (device freeze) by connecting to UDP port 161 and before link-state change occurs.20050115 Apple Airport WDS DoSapple-airport-dos(18865)1215213753NETGEAR FVS318 running firmware 2.4, and possibly other versions, allows remote attackers to bypass the filters using hex encoded URLs, as demonstrated using a hex encoded file extension.20050117 Multiple Vulnerabilities in Netgear FVS318 Router20050117 Multiple Vulnerabilities in Netgear FVS318 Router12278netgear-fvs318-filter-bypass(18920)101291313787Cross-site scripting (XSS) vulnerability in the log viewer in NETGEAR FVS318 running firmware 2.4, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via a blocked URL phrase.20050117 Multiple Vulnerabilities in Netgear FVS318 Router20050117 Multiple Vulnerabilities in Netgear FVS318 Router12278netgear-fvs318-log-xss(18921)13012101291313787Multiple SQL injection vulnerabilities in index.php in PHP Gift Registry (phpGiftReg) 1.4.0, and possibly other versions before 1.5.0b1, allow remote attackers to execute arbitrary SQL commands via the (1) messageid, (2) shopper, (3) shopfor, or (4) itemid parameters.20050116 phpGiftReq SQL Injection20050116 phpGiftReq SQL Injection20050307 Re: phpGiftReq SQL Injection1228913873phpgiftregistry-sql-injection(18925)1012910Directory traversal vulnerability in minis.php in Minis 0.2.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the month parameter.20050116 Minis directory traversal vulnerability12279minis-month-directory-traversal(18928)101291113866minis.php in Minis 0.2.1 allows remote attackers to cause a denial of service (infinite loop) via an HTTP request for a file that the web server does not have permission to read, as demonstrated using the month parameter.20050116 Minis directory traversal vulnerability20050116 Minis directory traversal vulnerabilityminis-month-dos(18929)101291113866npptnt2.sys in nProtect Gameguard provides unrestricted I/O to any process that calls it, which allows local users to gain privileges.20050116 Unrestricted I/O access vulnerability in INCA Gameguard12280nprotect-npptnt2-gain-access(18952)13928** DISPUTED ** NOTE: this issue has been disputed by the vendor. The error module in Novell GroupWise WebAccess allows remote attackers who have not authenticated to read potentially sensitive information, such as the version, via an incorrect login and a modified (1) error or (2) modify parameter that returns template files or the "about" information page. NOTE: the vendor has disputed this issue.20050117 Novell GroupWise WebAccess error modules loading20050121 NOVL-2005-10096251 GroupWise WebAccess error handling modules (report)20050127 NOVL-2005-10096251 GroupWise WebAccess error handling modules (report)http://support.novell.com/servlet/tidfinder/1009625112285groupwise-error-auth-bypass(18954)13135SQL injection vulnerability in Oracle Database 9i and 10g allows remote attackers to execute arbitrary SQL commands and gain privileges.20050118 Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i