Buffer overflow in passwd for HP UX B.10.20 allows local users to execute arbitrary commands with root privileges via a long LANG environment variable. 20030203 HP UX passwd Binary Buffer Overflow Vulnerability rpc.walld (wall daemon) for Solaris 2.6 through 9 allows local users to send messages to logged on users that appear to come from arbitrary user IDs by closing stderr before executing wall, then supplying a spoofed from header. VU#944241 solaris-wall-message-spoofing(11608) 51980 20030103 Solaris 2.x /usr/sbin/wall Advisory 7825 1006682 1005882 6509 gsinterf.c in bmv 1.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. For the stable distribution this problem has been fixed in version 1.2-14.2. For the unstable distribution this problem has been fixed in version 1.2-17. bmv-symlink(18823) 12229 DSA-633 http://packages.debian.org/changelogs/pool/main/b/bmv/bmv_1.2-14.2/changelog 1012847 13796 13793 Memory leak in libmcrypt before 2.5.5 allows attackers to cause a denial of service (memory exhaustion) via a large number of requests to the application, which causes libmcrypt to dynamically load algorithms via libtool. DSA-228 20030103 Multiple libmcrypt vulnerabilities libmcrypt-libtool-memory-leak(10988) 6512 20030105 GLSA: libmcrypt CLA-2003:567 Multiple buffer overflows in libmcrypt before 2.5.5 allow attackers to cause a denial of service (crash). DSA-228 20030103 Multiple libmcrypt vulnerabilities 1006181 6510 20030105 GLSA: libmcrypt CLA-2003:567 The default .htaccess scripts for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 do not include filenames for backup copies of the localconfig file that are made from editors such as vi and Emacs, which could allow remote attackers to obtain a database password by directly accessing the backup file. DSA-230 20030102 [BUGZILLA] Security Advisory - remote database password disclosure 6501 6351 bugzilla-htaccess-database-password(10970) The data collection script for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 sets world-writable permissions for the data/mining directory when it runs, which allows local users to modify or delete the data. 20030102 [BUGZILLA] Security Advisory - remote database password disclosure bugzilla-mining-world-writable(10971) 6502 RHSA-2003:012 DSA-230 Multiple stack-based buffer overflows in the error handling routines of the minires library, as used in the NSUPDATE capability for ISC DHCPD 3.0 through 3.0.1RC10, allow remote attackers to execute arbitrary code via a DHCP message containing a long hostname. VU#284857 CA-2003-01 RHSA-2003:011 DSA-231 dhcpd-minires-multiple-bo(11073) SuSE-SA:2003:0006 1005924 6627 OpenPKG-SA-2003.002 MDKSA-2003:007 N-031 CLA-2003:562 20030122 [securityslackware.com: [slackware-security] New DHCP packages available] Multiple SQL injection vulnerabilities in IMP 2.2.8 and earlier allow remote attackers to perform unauthorized database activities and possibly gain privileges via certain database functions such as check_prefs() in db.pgsql, as demonstrated using mailbox.php3. DSA-229 20030108 IMP 2.x SQL injection vulnerabilities 1005904 6559 20030108 Re: IMP 2.x SQL injection vulnerabilities 8177 8087 Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. VU#412115 RHSA-2003:025 http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf A010603-1 20030110 More information regarding Etherleak 20030110 More information regarding Etherleak 20030117 Re: More information regarding Etherleak 20030106 Etherleak: Ethernet frame padding information leakage (A010603-1) RHSA-2003:088 9962 7996 oval:org.mitre.oval:def:2665 Unknown vulnerability in the FTP server (in.ftpd) for Solaris 2.6 through 9 allows remote attackers to cause a denial of service (temporary FTP server hang), which affects other active mode FTP clients. 50240 7968 solaris-ftpd-dos(11186) 1005996 6709 Buffer overflow in AbsoluteTelnet before 2.12 RC10 allows remote attackers to execute arbitrary code via a long window title. VU#666073 absolutetelnet-title-bar-bo(11265) 6785 20030206 AbsoluteTelnet 2.00 buffer overflow. 16024 Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure. VU#850785 http://www.entercept.com/news/uspr/01-22-03.asp solaris-kcms-directory-traversal(11129) 6665 50104 20030122 Entercept Ricochet Advisory: Sun Solaris KCMS Library Service Daemon Arbitrary File Retrieval Vulner oval:org.mitre.oval:def:2592 oval:org.mitre.oval:def:195 oval:org.mitre.oval:def:120 Apache 2.0 before 2.0.44 on Windows platforms allows remote attackers to obtain certain files via an HTTP request that ends in certain illegal characters such as ">", which causes a different filename to be processed and served. http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=104313442901017&w=2 Apache before 2.0.44, when running on unpatched Windows 9x and Me operating systems, allows remote attackers to cause a denial of service or execute arbitrary code via an HTTP request containing MS-DOS device names. VU#979793 VU#825177 [apache-httpd-announce] 20030120 [ANNOUNCE] Apache 2.0.44 Released http://www.apacheweek.com/issues/03-01-24#security apache-device-code-execution(11125) apache-device-name-dos(11124) 6659 Double-free vulnerability in CVS 1.11.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed Directory request, as demonstrated by bypassing write checks to execute Update-prog and Checkin-prog commands. VU#650937 CA-2003-02 http://security.e-matters.de/advisories/012003.html RHSA-2003:013 cvs-doublefree-memory-corruption(11108) 6650 RHSA-2003:012 MDKSA-2003:009 DSA-233 N-032 FreeBSD-SA-03:01 20030202 Exploit for CVS double free() for Linux pserver 20030124 Test program for CVS double-free. 20030122 [security@slackware.com: [slackware-security] New CVS packages available] http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51&JServSessionIdservlets=5of2iuhr14 20030120 Advisory 01/2003: CVS remote vulnerability Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information. VU#610986 CA-2003-03 MS03-001 win-locator-bo(11132) 6666 20030130 Microsoft RPC Locator Buffer Overflow Vulnerability (#NISR29012003) 20030130 Microsoft RPC Locator Buffer Overflow Vulnerability (#NISR29012003) oval:org.mitre.oval:def:103 Cross-site scripting vulnerability (XSS) in ManualLogin.asp script for Microsoft Content Management Server (MCMS) 2001 allows remote attackers to execute arbitrary script via the REASONTXT parameter. MS03-002 mcms-manuallogin-reasontxt-xss (10318) 20021007 CSS on Microsoft Content Management Server 5922 Microsoft Outlook 2002 does not properly handle requests to encrypt email messages with V1 Exchange Server Security certificates, which causes Outlook to send the email in plaintext, aka "Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure." MS03-003 outlook-v1-certificate-plaintext(11133) 6667 ISC dhcrelay (dhcp-relay) 3.0rc9 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (packet storm) via a certain BOOTP packet that is forwarded to a broadcast MAC address, causing an infinite loop that is not restricted by a hop count. VU#149953 DSA-245 20030115 DoS against DHCP infrastructure with isc dhcrelay dhcp-dhcrelay-dos(11187) 6628 RHSA-2003:034 20030219 [OpenPKG-SA-2003.012] OpenPKG Security Advisory (dhcpd) CLSA-2003:616 TLSA-2003-26 Cross-site scripting (XSS) vulnerability in options.py for Mailman 2.1 allows remote attackers to inject script or HTML into web pages via the (1) email or (2) language parameters. DSA-436 http://telia.dl.sourceforge.net/sourceforge/mailman/xss-2.1.0-patch.txt 20030124 Mailman: cross-site scripting bug mailman-email-variable-xss(11152) 1005987 6677 9205 Buffer overflows in noffle news server 1.0.1 and earlier allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code. DSA-244 noffle-multiple-bo(11181) 6695 7955 ml85p, as included in the printer-drivers package for Mandrake Linux, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable filenames of the form "mlg85p%d". http://www.idefense.com/advisory/01.21.03.txt 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package 1005959 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package MDKSA-2003:010 Buffer overflow in escputil, as included in the printer-drivers package in Mandrake Linux, allows local users to execute arbitrary code via a long printer-name command line argument. http://www.idefense.com/advisory/01.21.03.txt 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package 1005959 6658 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package MDKSA-2003:010 Buffer overflow in the mtink status monitor, as included in the printer-drivers package in Mandrake Linux, allows local users to execute arbitrary code via a long HOME environment variable. http://www.idefense.com/advisory/01.21.03.txt 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package 1005959 6656 MDKSA-2003:010 Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp. jakarta-tomcat-msdos-dos(12102) http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML. DSA-246 HPSBUX0303-249 http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/ tomcat-web-app-xss(11196) 6720 9204 9203 N-060 7972 Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file. tomcat-webxml-read-files(11195) http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/ 6722 HPSBUX0303-249 DSA-246 N-060 Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character. DSA-246 20030130 Apache Jakarta Tomcat 3 URL parsing vulnerability http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/ tomcat-null-directory-listing(11194) 6721 HPSBUX0303-249 N-060 7977 7972 Unknown vulnerability in mail for Solaris 2.6 through 9 allows local users to read the email of other users. solaris-mail-unauthorized-access(11303) 50751 8058 1006084 6838 Unknown vulnerability in UDP RPC for Solaris 2.5.1 through 9 for SPARC, and 2.5.1 through 8 for x86, allows remote attackers to cause a denial of service (memory consumption) via certain arguments in RPC calls that cause large amounts of memory to be allocated. solaris-udp-rpc-dos(11368) 50626 8092 1006131 6883 PuTTY 0.53b and earlier does not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials. http://www.idefense.com/advisory/01.28.03.txt 1006014 6724 20030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords SSH2 clients for VanDyke (1) SecureCRT 4.0.2 and 3.4.7, (2) SecureFX 2.1.2 and 2.0.4, and (3) Entunnel 1.0.2 and earlier, do not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials. http://www.idefense.com/advisory/01.28.03.txt 20030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords 1006012 1006011 1006010 6728 6727 6726 AbsoluteTelnet SSH2 client does not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials. http://www.idefense.com/advisory/01.28.03.txt http://www.celestialsoftware.net/telnet/beta_software.html 20030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords 1006013 6725 7686 uml_net in the kernel-utils package for Red Hat Linux 8.0 has incorrect setuid root privileges, which allows local users to modify network interfaces, e.g. by modifying ARP entries or placing interfaces into promiscuous mode. VU#134025 RHSA-2003:056 linux-umlnet-gain-privileges(11276) 6801 N-044 Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O_DIRECT feature, which allows local attackers with write privileges to read portions of previously deleted files, or cause file system corruption. RHSA-2003:025 DSA-423 linux-odirect-information-leak(11249) 6763 MDKSA-2003:014 DSA-358 http://linux.bkbits.net:8080/linux-2.4/cset@3e2f193drGJDBg9SG6JwaDQwCBnAMQ Kerberos FTP client allows remote FTP sites to execute arbitrary code via a pipe (|) character in a filename that is retrieved by the client. RHSA-2003:020 20030128 MIT Kerberos FTP client remote shell commands execution MDKSA-2003:021 8114 7979 SQL injection vulnerability in the PostgreSQL auth module for courier 0.40 and earlier allows remote attackers to execute SQL code via the user name. 6738 DSA-247 courierimap-authmysqllib-sql-injection(11213) Buffer overflow in the Windows Redirector function in Microsoft Windows XP allows local users to execute arbitrary code via a long parameter. MS03-005 6778 winxp-windows-redirector-bo(11260) 20030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability 20030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability Buffer overflow in secure locate (slocate) before 2.7 allows local users to execute arbitrary code via a long (1) -c or (2) -r command line argument. DSA-252 20030202 GLSA: slocate http://www.usg.org.uk/advisories/2003.001.txt CLA-2003:643 MDKSA-2003:015 8749 8236 8118 8007 7982 7947 10720 RHSA-2004:041 20030125 Re: [USG- SA- 2003.001] USG Security Advisory (slocate) 20030124 [USG- SA- 2003.001] USG Security Advisory (slocate) 20040202-01-U CSSA-2003-009.0 Multiple buffer overflows in Hypermail 2 before 2.1.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code (1) via a long attachment filename that is not properly handled by the hypermail executable, or (2) by connecting to the mail CGI program from an IP address that reverse-resolves to a long hostname. 20030127 Hypermail buffer overflows hypermail-long-hostname-bo(11158) hypermail-mail-attachment-bo(11157) 6690 6689 DSA-248 8030 20030126 Hypermail buffer overflows MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference. VU#661243 6683 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt kerberos-kdc-null-pointer-dos(10099) RHSA-2003:168 RHSA-2003:052 RHSA-2003:051 MDKSA-2003:043 50142 CLSA-2003:639 oval:org.mitre.oval:def:1110 Unknown vulnerability in the chk_trans.c of the libkrb5 library for MIT Kerberos V5 before 1.2.5 allows users from one realm to impersonate users in other realms that have the same inter-realm keys. VU#684563 6714 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt kerberos-kdc-user-spoofing(11188) RHSA-2003:168 RHSA-2003:052 RHSA-2003:051 MDKSA-2003:043 CLSA-2003:639 Format string vulnerabilities in the logging routines for MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in Kerberos principal names. VU#787523 6712 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt kerberos-kdc-format-string(11189) 4879 CLSA-2003:639 Buffer overflow in Eset Software NOD32 for UNIX before 1.013 allows local users to execute arbitrary code via a long path name. http://www.idefense.com/advisory/02.10.03.txt 6803 nod32-pathname-bo(11282) 20030210 iDEFENSE Security Advisory 02.10.03: Buffer Overflow In NOD32 Antivirus Software for Unix Double-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user. DSA-303 20030129 [OpenPKG-SA-2003.008] OpenPKG Security Advisory (mysql) http://www.mysql.com/doc/en/News-3.23.55.html 6718 RHSA-2003:166 RHSA-2003:094 RHSA-2003:093 MDKSA-2003:013 ESA-20030220-004 mysql-mysqlchangeuser-doublefree-dos(11199) CLA-2003:743 oval:org.mitre.oval:def:436 Format string vulnerability in mpmain.c for plpnfsd of the plptools package allows remote attackers to execute arbitrary code via the functions (1) debuglog, (2) errorlog, and (3) infolog. 6715 plptools-plpnsfd-format-string(11193) 20030129 Re: Local root vuln in SuSE 8.0 plptools package 20030129 Local root vuln in SuSE 8.0 plptools package Integer signedness error in the myFseek function of samplein.c for Blade encoder (BladeEnc) 0.94.2 and earlier allows remote attackers to execute arbitrary code via a negative offset value following a "fmt" wave chunk. 6745 http://www.pivx.com/luigi/adv/blade942-adv.txt GLSA-200302-04 bladeenc-myfseek-code-execution(11227) 20030202 Bladeenc 0.94.2 code execution Unknown vulnerability in the directory parser for Direct Connect 4 Linux (dcgui) before 0.2.2 allows remote attackers to read files outside the sharelist. 20030204 GLSA: qt-dcgui qtdcgui-directory-download-files(11246) http://dc.ketelhot.de/pipermail/dc/2003-January/000094.html Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box." MS03-004 ie-dialog-zone-bypass(11258) 6779 N-038 oval:org.mitre.oval:def:49 oval:org.mitre.oval:def:178 oval:org.mitre.oval:def:126 Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box." MS03-004 ie-dialog-zone-bypass(11258) 6779 N-038 oval:org.mitre.oval:def:49 oval:org.mitre.oval:def:178 oval:org.mitre.oval:def:126 The FTP client for Solaris 2.6, 7, and 8 with the debug (-d) flag enabled displays the user password on the screen during login. solaris-ftp-plaintext-password(11436) 51081 8186 1006195 6989 The "screen dump" feature in Eterm 0.9.1 and earlier allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence. terminal-emulator-screen-dump(11413) 20030224 Terminal Emulator Security Issues 6936 MDKSA-2003:040 20030224 Terminal Emulator Security Issues The "screen dump" feature in rxvt 2.7.8 allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence. terminal-emulator-screen-dump(11413) 20030224 Terminal Emulator Security Issues 6938 RHSA-2003:055 RHSA-2003:054 MDKSA-2003:034 20030224 Terminal Emulator Security Issues The menuBar feature in rxvt 2.7.8 allows attackers to modify menu options and execute arbitrary commands via a certain character escape sequence that inserts the commands into the menu. terminal-emulator-menu-modification(11416) 20030224 Terminal Emulator Security Issues 6947 RHSA-2003:055 RHSA-2003:054 MDKSA-2003:034 20030224 Terminal Emulator Security Issues The menuBar feature in aterm 0.42 allows attackers to modify menu options and execute arbitrary commands via a certain character escape sequence that inserts the commands into the menu. terminal-emulator-menu-modification(11416) 20030224 Terminal Emulator Security Issues 6949 20030224 Terminal Emulator Security Issues The Eterm terminal emulator 0.9.1 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 10237 MDKSA-2003:040 DSA-496 20030224 Terminal Emulator Security Issues VTE, as used by default in gnome-terminal terminal emulator 2.2 and as an option in gnome-terminal 2.0, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues RHSA-2003:053 GLSA-200303-2 20030224 Terminal Emulator Security Issues The DEC UDK processing feature in the xterm terminal emulator in XFree86 4.2.99.4 and earlier allows attackers to cause a denial of service via a certain character escape sequence that causes the terminal to enter a tight loop. terminal-emulator-dec-udk(11415) 20030224 Terminal Emulator Security Issues 6950 RHSA-2003:067 RHSA-2003:066 RHSA-2003:065 RHSA-2003:064 DSA-380 20030224 Terminal Emulator Security Issues ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack." http://www.openssl.org/news/secadv_20030219.txt 20030219 [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl) ssl-cbc-information-leak(11369) DSA-253 2003-0005 6884 RHSA-2003:205 RHSA-2003:104 RHSA-2003:082 RHSA-2003:063 RHSA-2003:062 3945 MDKSA-2003:020 ESA-20030220-005 N-051 GLSA-200302-10 20030219 OpenSSL 0.9.7a and 0.9.6i released CLSA-2003:570 20030501-01-I NetBSD-SA2003-001 The DEC UDK processing feature in the hanterm (hanterm-xf) terminal emulator before 2.0.5 allows attackers to cause a denial of service via a certain character escape sequence that causes the terminal to enter a tight loop. terminal-emulator-dec-udk(11415) 20030224 Terminal Emulator Security Issues 6944 RHSA-2003:071 RHSA-2003:070 4918 20030224 Terminal Emulator Security Issues The xterm terminal emulator in XFree86 4.2.0 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 6940 RHSA-2003:067 RHSA-2003:066 RHSA-2003:065 RHSA-2003:064 DSA-380 20030224 Terminal Emulator Security Issues The dtterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 6942 HPSBUX0401-309 20030224 Terminal Emulator Security Issues The uxterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 6945 20030224 Terminal Emulator Security Issues The rxvt terminal emulator 2.7.8 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 6953 200303-16 RHSA-2003:055 RHSA-2003:054 MDKSA-2003:003 20030224 Terminal Emulator Security Issues Apple File Protocol (AFP) in Mac OS X before 10.2.4 allows administrators to log in as other users by using the administrator password. http://docs.info.apple.com/article.html?artnum=61798 macos-afp-unauthorized-access(11333) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6860 1006107 The RADIUS decoder in tcpdump 3.6.2 and earlier allows remote attackers to cause a denial of service (crash) via an invalid RADIUS packet with a header length field of 0, which causes tcpdump to generate data within an infinite loop. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=81585 tcpdump-radius-decoder-dos(11324) RHSA-2003:214 RHSA-2003:033 RHSA-2003:032 MDKSA-2003:027 DSA-261 A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed. utillinux-mcookie-cookie-predictable(11318) 6855 MDKSA-2003:016 Buffer overflow in ORACLE.EXE for Oracle Database Server 9i, 8i, 8.1.7, and 8.0.6 allows remote attackers to execute arbitrary code via a long username that is provided during login, as exploitable through client applications that perform their own authentication, as demonstrated using LOADPSP. VU#953746 CA-2003-05 http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf 6849 6319 oracle-username-bo(11328) N-046 20030217 Oracle unauthenticated remote system compromise (#NISR16022003a) Multiple buffer overflows in Oracle 9i Database release 2, Release 1, 8i, 8.1.7, and 8.0.6 allow remote attackers to execute arbitrary code via (1) a long conversion string argument to the TO_TIMESTAMP_TZ function, (2) a long time zone argument to the TZ_OFFSET function, or (3) a long DIRECTORY parameter to the BFILENAME function. VU#840666 VU#743954 VU#663786 CA-2003-05 6850 6848 6847 http://www.nextgenss.com/advisories/ora-tzofstbo.txt http://www.nextgenss.com/advisories/ora-tmstmpbo.txt http://www.nextgenss.com/advisories/ora-bfilebo.txt oracle-totimestamptz-bo(11327) oracle-tzoffset-bo(11326) oracle-bfilename-directory-bo(11325) N-046 http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf 20030217 Oracle bfilename function buffer overflow vulnerability (#NISR16022003e) 20030217 Oracle TZ_OFFSET Remote System Buffer Overrun (#NISR16022003c) 20030217 Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun (#NISR16022003b) 20030217 Oracle bfilename function buffer overflow vulnerability (#NISR16022003e) 20030217 Oracle TZ_OFFSET Remote System Buffer Overrun (#NISR16022003c) 20030217 Oracle unauthenticated remote system compromise (#NISR16022003a) Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to access arbitrary files as the PHP user, and possibly execute PHP code, by bypassing the CGI force redirect settings (cgi.force_redirect or --enable-force-cgi-redirect). GLSA-200302-09 20030217 PHP Security Advisory: CGI vulnerability in PHP version 4.3.0 http://www.slackware.com/changelog/current.php?cpu=i386 php-cgi-sapi-access(11343) 6875 GLSA-200302-09.1 Unknown vulnerability in apcupsd before 3.8.6, and 3.10.x before 3.10.5, allows remote attackers to gain root privileges, possibly via format strings in a request to a slave server. DSA-277 7200 SuSE-SA:2003:022 apcupsd-logevent-format-string(11334) http://sourceforge.net/project/shownotes.php?release_id=137900 1006108 http://hsj.shadowpenguin.org/misc/apcupsd_exp.txt http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/apcupsd/apcupsd/src/apcnisd.c.diff?r1=1.5&r2=1.6 CSSA-2003-015.0 6828 MDKSA-2003:018 Multiple buffer overflows in apcupsd before 3.8.6, and 3.10.x before 3.10.5, may allow attackers to cause a denial of service or execute arbitrary code, related to usage of the vsprintf function. DSA-277 7200 apcupsd-vsprintf-multiple-bo(11491) http://sourceforge.net/project/shownotes.php?release_id=137900 http://sourceforge.net/project/shownotes.php?release_id=137892 SuSE-SA:2003:022 MDKSA-2003:018 1006108 CSSA-2003-015.0 Buffer overflow in Cisco IOS 11.2.x to 12.0.x allows remote attackers to cause a denial of service and possibly execute commands via a large number of OSPF neighbor announcements. 20030221 Re: Cisco IOS OSPF exploit cisco-ios-ospf-bo(11373) 20030220 Cisco IOS OSPF exploit 6895 miniserv.pl in (1) Webmin before 1.070 and (2) Usermin before 1.000 does not properly handle metacharacters such as line feeds and carriage returns (CRLF) in Base-64 encoded strings during Basic authentication, which allows remote attackers to spoof a session ID and gain root privileges. http://marc.theaimsgroup.com/?l=webmin-announce&m=104587858408101&w=2 20030224 [SNS Advisory No.62] Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2" 6915 http://www.lac.co.jp/security/english/snsadv_e/62_e.html webmin-usermin-root-access(11390) DSA-319 N-058 20030224 GLSA: usermin (200302-14) 20030224 Webmin 1.050 - 1.060 remote exploit ESA-20030225-006 HPSBUX0303-250 20030602-01-I 1006160 MDKSA-2003:025 http://www.linuxsecurity.com/advisories/gentoo_advisory-2886.html 8163 8115 Buffer overflow in libIM library (libIM.a) for National Language Support (NLS) on AIX 4.3 through 5.2 allows local users to gain privileges via several possible attack vectors, including a long -im argument to aixterm. http://www.idefense.com/advisory/02.12.03.txt aix-aixterm-libim-bo(11309) 6840 7996 IY40320 IY40317 IY40307 20030212 libIM.a buffer overflow vulnerability 20030212 iDEFENSE Security Advisory 02.12.03: Buffer Overflow in AIX libIM.a 20030212 iDEFENSE Security Advisory 02.12.03: Buffer Overflow in AIX libIM.a TruBlueEnvironment for MacOS 10.2.3 and earlier allows local users to overwrite or create arbitrary files and gain root privileges by setting a certain environment variable that is used to write debugging information. A021403-1 macos-trublueenvironment-gain-privileges(11332) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt http://docs.info.apple.com/article.html?artnum=61798 6859 Unknown vulnerability in UFS for Solaris 9 for SPARC, with logging enabled, allows local users to cause a denial of service (UFS file system hang). 51300 8234 solaris-ufs-logging-dos(11481) 1006233 7032 Format string vulnerability in Nokia 6210 handset allows remote attackers to cause a denial of service (crash, lockup, or restart) via a Multi-Part vCard with fields containing a large number of format string specifiers. 6952 nokia-6210-vcard-dos(11421) Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code. VU#142121 zlib-gzprintf-bo(11381) 20030222 buffer overrun in zlib 1.1.4 20030223 poc zlib sploit just for fun :) http://lists.apple.com/mhonarc/security-announce/msg00038.html 6913 RHSA-2003:081 RHSA-2003:079 6599 MDKSA-2003:033 57405 GLSA-200303-25 20030225 [sorcerer-spells] ZLIB-SORCERER2003-02-25 20030224 Re: buffer overrun in zlib 1.1.4 CLSA-2003:619 NetBSD-SA2003-004 CSSA-2003-011.0 isakmp_sub_print in tcpdump 3.6 through 3.7.1 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed ISAKMP packet to UDP port 500, which causes tcpdump to enter an infinite loop. 6974 http://www.idefense.com/advisory/02.27.03.txt DSA-255 tcpdump-isakmp-dos(11434) RHSA-2003:214 RHSA-2003:085 RHSA-2003:032 SuSE-SA:2003:0015 MDKSA-2003:027 20030304 [OpenPKG-SA-2003.014] OpenPKG Security Advisory (tcpdump) 20030227 iDEFENSE Security Advisory 02.27.03: TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsin CLA-2003:629 adb2mhc in the mhc-utils package before 0.25+20010625-7.1 allows local users to overwrite arbitrary files via a symlink attack on a default temporary directory with a predictable name. DSA-256 6978 mhc-adb2mhc-insecure-tmp(11439) parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute arbitrary code via shell metacharacters. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-command-execution(11401) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6954 parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to obtain the physical path of the server's installation path via a NULL file parameter. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-path-disclosure(11402) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6956 parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to list arbitrary directories. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-directory-disclosure(11403) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6955 Cross-site scripting (XSS) vulnerability in parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to insert arbitrary script via the filename parameter, which is inserted into an error message. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-parsexml-xss(11404) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6958 Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute certain code via a request to port 7070 with the script in an argument to the rtsp DESCRIBE method, which is inserted into a log file and executed when the log is viewed using a browser. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-describe-xss(11405) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6960 Buffer overflow in the MP3 broadcasting module of Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute arbitrary code via a long filename. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-mp3-bo(11406) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6957 Cross-site scripting (XSS) vulnerability in Help and Support Center for Microsoft Windows Me allows remote attackers to execute arbitrary script in the Local Computer security context via an hcp:// URL with the malicious script in the topic parameter. VU#489721 6966 MS03-006 20030227 MS-Windows ME IE/Outlook/HelpCenter critical vulnerability winme-hsc-hcp-bo(11425) 6074 N-047 Buffer overflow in the RPC preprocessor for Snort 1.8 and 1.9.x before 1.9.1 allows remote attackers to execute arbitrary code via fragmented RPC packets. VU#916785 CA-2003-13 6963 snort-rpc-fragment-bo(10956) 20030303 Snort RPC Preprocessing Vulnerability 4418 MDKSA-2003:029 ESA-20030307-007 DSA-297 GLSA-200304-06 GLSA-200303-6.1 20030303 Snort RPC Vulnerability (fwd) Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. 9930 apache-esc-seq-injection(11412) 20030224 Terminal Emulator Security Issues 2004-0027 2004-0017 SSA:2004-133 RHSA-2003:244 RHSA-2003:243 RHSA-2003:139 RHSA-2003:104 RHSA-2003:083 RHSA-2003:082 MDKSA-2003:050 57628 101555 GLSA-200405-22 SSRT4717 20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache) APPLE-SA-2004-05-03 MDKSA-2004:046 20030224 Terminal Emulator Security Issues oval:org.mitre.oval:def:4114 oval:org.mitre.oval:def:150 oval:org.mitre.oval:def:100109 The aterm terminal emulator 0.42 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 20030224 Terminal Emulator Security Issues Format string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers. 7049 http://www.guninski.com/etherre.html http://www.ethereal.com/appnotes/enpa-sa-00008.html DSA-258 ethereal-socks-format-string(11497) RHSA-2003:077 RHSA-2003:076 SuSE-SA:2003:019 GLSA-200303-10 20030308 Ethereal format string bug, yet still ethereal much better than windows MDKSA-2003:051 CLSA-2003:627 oval:org.mitre.oval:def:54 The PuTTY terminal emulator 0.53 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 8347 20030224 Terminal Emulator Security Issues The hanterm (hanterm-xf) terminal emulator 2.0.5 and earlier, and possibly later versions, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues RHSA-2003:071 RHSA-2003:070 4917 20030224 Terminal Emulator Security Issues Clearswift MAILsweeper 4.x allows remote attackers to bypass attachment detection via an attachment that does not specify a MIME-Version header field, which is processed by some mail clients. 7044 20030307 Corsaire Security Advisory - Clearswift MAILsweeper MIME attachment evasion issue 20030326 RE: Corsaire Security Advisory - Clearswift MAILsweeper MIME attachment evasion issue Buffer overflow in Notes server before Lotus Notes R4, R5 before 5.0.11, and early R6 allows remote attackers to execute arbitrary code via a long distinguished name (DN) during NotesRPC authentication and an outer field length that is less than that of the DN field. VU#433489 CA-2003-11 7037 http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105101 20030313 R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication http://www.rapid7.com/advisories/R7-0010.html lotus-nrpc-bo(11526) N-065 20030313 R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication Buffer overflow in Web Retriever client for Lotus Notes/Domino R4.5 through R6 allows remote malicious web servers to cause a denial of service (crash) via a long HTTP status line. VU#411489 CA-2003-11 7038 http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105060 20030313 R7-0011: Lotus Notes/Domino Web Retriever HTTP Status Buffer Overflow http://www.rapid7.com/advisories/R7-0011.html lotus-web-retriever-bo(11525) N-065 man before 1.5l allows attackers to execute arbitrary code via a malformed man file with improper quotes, which causes the my_xsprintf function to return a string with the value "unsafe," which is then executed as a program via a system call if it is in the search path of the user who runs man. 7066 20030311 Vulnerability in man < 1.5l man-myxsprintf-code-execution(11512) RHSA-2003:134 RHSA-2003:133 GLSA-200303-13 CLSA-2003:620 Buffer overflow in the web interface for SOHO Routefinder 550 before firmware 4.63 allows remote attackers to cause a denial of service (reboot) and execute arbitrary code via a long GET /OPTIONS value. http://www.krusesecurity.dk/advisories/routefind550bof.txt ftp://ftp.multitech.com/Routers/RF550VPN.TXT routefinder-vpn-options-bo(11514) 7067 The web interface for SOHO Routefinder 550 firmware 4.63 and earlier, and possibly later versions, has a default "admin" account with a blank password, which could allow attackers on the LAN side to conduct unauthorized activities. http://www.krusesecurity.dk/advisories/routefind550bof.txt Directory traversal vulnerability in PeopleTools 8.10 through 8.18, 8.40, and 8.41 allows remote attackers to overwrite arbitrary files via the SchedulerTransfer servlet. 7053 peoplesoft-schedulertransfer-create-files(10962) 20030310 PeopleSoft PeopleTools Remote Command Execution Vulnerability Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize). VU#611865 7008 http://www.idefense.com/advisory/03.04.03.txt file-afctr-read-bo(11469) RHSA-2003:087 RHSA-2003:086 SuSE-SA:2003:017 MDKSA-2003:030 DSA-260 20030304 iDEFENSE Security Advisory 03.04.03: Locally Exploitable Buffer Overflow in file(1) IMNX-2003-7+-012-01 NetBSD-SA2003-003 Buffer overflows in protegrity.dll of Protegrity Secure.Data Extension Feature (SEF) before 2.2.3.9 allow attackers with SQL access to execute arbitrary code via the extended stored procedures (1) xp_pty_checkusers, (2) xp_pty_insert, or (3) xp_pty_select. VU#247545 7085 7084 7083 20030313 Protegrity buffer overflow 8294 SNMP daemon in the DX200 based network element for Nokia Serving GPRS support node (SGSN) allows remote attackers to read SNMP options via arbitrary community strings. A031303-2 8301 The pop_msg function in qpopper 4.0.x before 4.0.5fc2 does not null terminate a message buffer after a call to Qvsnprintf, which could allow authenticated users to execute arbitrary code via a buffer overflow in a mdef command with a long macro name. 7058 DSA-259 qpopper-popmsg-macroname-bo(11516) 20030310 QPopper 4.0.x buffer overflow vulnerability SuSE-SA:2003:018 GLSA-200303-12 20030314 [OpenPKG-SA-2003.018] OpenPKG Security Advisory (qpopper) 20030312 Re: QPopper 4.0.x buffer overflow vulnerability BEA WebLogic Server and Express 7.0 and 7.0.0.1, when using "memory" session persistence for web applications, does not clear authentication information when a web application is redeployed, which could allow users of that application to gain access without having to re-authenticate. VU#691153 weblogic-app-reauthentication-bypass(11555) 7130 Cross-site scripting (XSS) vulnerability in index.php for Mambo Site Server 4.0.10 allows remote attackers to execute script on other clients via the ?option parameter. mambo-option-index-xss(11601) 7135 20030318 Some XSS vulns ldbm_back_exop_passwd in the back-ldbm backend in passwd.c for OpenLDAP 2.1.12 and earlier, when the slap_passwd_parse function does not return LDAP_SUCCESS, attempts to free an uninitialized pointer, which allows remote attackers to cause a denial of service (segmentation fault). This was fixed in OpenLDAP version 2.1.17. 7656 http://www.openldap.org/its/index.cgi?findid=2390 GLSA-200403-12 9203 11261 CLSA-2003:685 openldap-back-ldbm-dos(12520) 17000 Version 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack. VU#623217 DSA-266 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt RHSA-2003:091 RHSA-2003:052 RHSA-2003:051 DSA-273 DSA-269 7113 20030331 GLSA: krb5 & mit-krb5 (200303-28) 20030317 MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos v4 protocol oval:org.mitre.oval:def:248 Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing." VU#442569 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt 20030319 MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos v4 RHSA-2003:091 RHSA-2003:052 RHSA-2003:051 DSA-273 DSA-266 20030330 GLSA: openafs (200303-26) 20030331 GLSA: krb5 & mit-krb5 (200303-28) oval:org.mitre.oval:def:250 Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder. 7120 20030320 CORE-20030304-02: Vulnerability in Mutt Mail User Agent mutt-folder-name-bo(11583) 20030319 mutt-1.4.1 fixes a buffer overflow. RHSA-2003:109 SuSE-SA:2003:020 DSA-268 MDKSA-2003:041 GLSA-200303-19 http://www.coresecurity.com/common/showdoc.php?idx=310&idxseccion=10 20030430 GLSA: balsa (200304-10) 20030322 GLSA: mutt (200303-19) 20030320 [OpenPKG-SA-2003.025] OpenPKG Security Advisory (mutt) CLA-2003:630 CLA-2003:626 oval:org.mitre.oval:def:434 oval:org.mitre.oval:def:2 The try_uudecoding function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malicious uuencoded (UUE) header, possibly triggering a heap-based buffer overflow. 7117 http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10 RHSA-2003:108 20030319 CORE-2003-03-04-01: Multiple vulnerabilities in Ximian 's Evolution Mail User Agent MDKSA-2003:045 GLSA-200303-18 20030321 GLSA: evolution (200303-18) CLA-2003:648 oval:org.mitre.oval:def:107 Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (memory consumption) via a mail message that is uuencoded multiple times. 7118 http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10 20030321 GLSA: evolution (200303-18) RHSA-2003:108 20030319 CORE-2003-03-04-01: Multiple vulnerabilities in Ximian 's Evolution Mail User Agent MDKSA-2003:045 GLSA-200303-18 CLA-2003:648 oval:org.mitre.oval:def:108 The handle_image function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier does not properly escape HTML characters, which allows remote attackers inject arbitrary data and HTML via a MIME Content-ID header in a MIME-encoded image. 7119 http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10 20030321 GLSA: evolution (200303-18) RHSA-2003:108 20030319 CORE-2003-03-04-01: Multiple vulnerabilities in Ximian 's Evolution Mail User Agent MDKSA-2003:045 GLSA-200303-18 CLA-2003:648 oval:org.mitre.oval:def:111 The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack." VU#888801 7148 20030319 [OpenSSL Advisory] Klima-Pokorny-Rosa attack on PKCS #1 v1.5 padding ssl-premaster-information-leak(11586) RHSA-2003:102 RHSA-2003:101 http://www.openssl.org/news/secadv_20030319.txt SuSE-SA:2003:024 http://www.linuxsecurity.com/advisories/immunix_advisory-3066.html DSA-288 http://lists.apple.com/mhonarc/security-announce/msg00028.html http://eprint.iacr.org/2003/052/ 20030501-01-I NetBSD-SA2003-007 SuSE-SA:2003:024 20030327 Immunix Secured OS 7+ openssl update OpenPKG-SA-2003.026 MDKSA-2003:035 GLSA-200303-20 2003-0013 20030324 GLSA: openssl (200303-20) CLA-2003:625 CSSA-2003-014.0 oval:org.mitre.oval:def:461 Directory traversal vulnerability in Cross-Referencing Linux (LXR) allows remote attackers to read arbitrary files via .. (dot dot) sequences in the v parameter. 7062 DSA-264 20030311 Cross-Referencing Linux vulnerability ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0138. Reason: This candidate is a reservation duplicate of CVE-2003-0138 due to incomplete coordination. Notes: All CVE users should reference CVE-2003-0138 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0139. Reason: This candidate is a reservation duplicate of CVE-2003-0139 due to incomplete coordination. Notes: All CVE users should reference CVE-2003-0139 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. MySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INFO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart, as demonstrated by modifying my.cnf. VU#203897 7052 20030318 [OpenPKG-SA-2003.022] OpenPKG Security Advisory (mysql) mysql-datadir-root-privileges(11510) RHSA-2003:093 ESA-20030324-012 DSA-303 RHSA-2003:094 20030318 GLSA: mysql (200303-14) 20030318 [OpenPKG-SA-2003.022] OpenPKG Security Advisory (mysql) 20030310 Re: MySQL user can be changed to root 20030308 MySQL_user_can_be_changed_to_root? 20030308 MySQL_user_can_be_changed_to_root? CLA-2003:743 MDKSA-2003:057 oval:org.mitre.oval:def:442 BEA WebLogic Server and Express 6.0 through 7.0 does not properly restrict access to certain internal servlets that perform administrative functions, which allows remote attackers to read arbitrary files or execute arbitrary code. 20030317 S21SEC-011 - Multiple vulnerabilities in BEA WebLogic Server 20030317 SPI ADVISORY: Remote Administration of BEA WebLogic Server and Express http://www.s21sec.com/en/avisos/s21sec-011-en.txt http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp 7124 7122 Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. 7146 MS03-008 20030319 iDEFENSE Security Advisory 03.19.03: Heap Overflow in Windows Script Engine 20030319 Windows Scripting Engine issue 20030319 Heap Overflow in Windows Script Engine oval:org.mitre.oval:def:795 oval:org.mitre.oval:def:794 oval:org.mitre.oval:def:200 oval:org.mitre.oval:def:134 Unknown vulnerability in the DNS intrusion detection application filter for Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to cause a denial of service (blocked traffic to DNS servers) via a certain type of incoming DNS request that is not properly handled. 7145 MS03-009 Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391. CA-2003-10 VU#516825 20030522 [slackware-security] glibc XDR overflow fix (SSA:2003-141-03) RHSA-2003:091 RHSA-2003:089 RHSA-2003:052 RHSA-2003:051 SuSE-SA:2003:027 ESA-20030321-010 AD20030318 DSA-282 DSA-272 DSA-266 20030522 [slackware-security] glibc XDR overflow fix (SSA:2003-141-03) 2003-0014 20030325 GLSA: glibc (200303-22) 20030319 MITKRB5-SA-2003-003: faulty length checks in xdrmem_getbytes 20030319 EEYE: XDR Integer Overflow 20030319 EEYE: XDR Integer Overflow NetBSD-SA2003-008 20030331 GLSA: krb5 & mit-krb5 (200303-28) 20030331 GLSA: dietlibc (200303-29) 20030319 RE: EEYE: XDR Integer Overflow MDKSA-2003:037 oval:org.mitre.oval:def:230 Unknown vulnerability in newtask for Solaris 9 allows local users to gain root privileges. 8454 solaris-newtask-root-access(11657) 52111 1006411 7252 The iptables ruleset in Gnome-lokkit in Red Hat Linux 8.0 does not include any rules in the FORWARD chain, which could allow attackers to bypass intended access restrictions if packet forwarding is enabled. 7128 RHSA-2003:072 gnomelokkit-forward-bypass-firewall(11552) 4400 Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code. VU#298233 7106 DSA-262 20030317 Security Bugfix for Samba - Samba 2.2.8 Released 20030317 GLSA: samba (200303-11) RHSA-2003:095 SuSE-SA:2003:016 20030302-01-I 20030401 Immunix Secured OS 7+ samba update 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL RHSA-2003:096 MDKSA-2003:032 GLSA-200303-11 8303 8299 20030318 [OpenPKG-SA-2003.021] OpenPKG Security Advisory (samba) oval:org.mitre.oval:def:552 The code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown. 7107 DSA-262 20030317 GLSA: samba (200303-11) RHSA-2003:095 SuSE-SA:2003:016 20030302-01-I 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL RHSA-2003:096 MDKSA-2003:032 GLSA-200303-11 8303 8299 20030318 [OpenPKG-SA-2003.021] OpenPKG Security Advisory (samba) oval:org.mitre.oval:def:554 Buffer overflow in the lprm command in the lprold lpr package on SuSE 7.1 through 7.3, OpenBSD 3.2 and earlier, and possibly other operating systems, allows local users to gain root privileges via long command line arguments such as (1) request ID or (2) user name. 7025 lprm-bo(11473) SuSE-SA:2003:0014 DSA-275 DSA-267 20030406-02-P ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/010_lprm.patch MDKSA-2003:059 8293 20030308 OpenBSD lprm(1) exploit 20030305 potential buffer overflow in lprm (fwd) Unknown vulnerability in tcpdump before 3.7.2 related to an inability to "Handle unknown RADIUS attributes properly," allows remote attackers to cause a denial of service (infinite loop), a different vulnerability than CAN-2003-0093. http://www.tcpdump.org/tcpdump-changes.txt tcpdump-radius-attribute-dos(11857) RHSA-2003:214 RHSA-2003:151 RHSA-2003:032 MDKSA-2003:027 DSA-261 Multiple vulnerabilities in NetPBM 9.20 and earlier, and possibly other versions, may allow remote attackers to cause a denial of service or execute arbitrary code via "maths overflow errors" such as (1) integer signedness errors or (2) integer overflows, which lead to buffer overflows. VU#630433 DSA-263 netpbm-multiple-bo(11463) 6979 RHSA-2003:060 20030228 NetPBM, multiple vulnerabilities CLSA-2003:656 OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal). VU#997481 RHSA-2003:102 RHSA-2003:101 http://www.openssl.org/news/secadv_20030317.txt MDKSA-2003:035 DSA-288 20030317 [ADVISORY] Timing Attack on OpenSSL 20030313 Vulnerability in OpenSSL http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf 20030313 OpenSSL Private Key Disclosure 20030501-01-I 20030327 Immunix Secured OS 7+ openssl update APPLE-SA-2003-03-24 OpenPKG-SA-2003.019 GLSA-200303-23 GLSA-200303-24 GLSA-200303-15 20030320 [OpenPKG-SA-2003.026] OpenPKG Security Advisory (openssl) CLA-2003:625 CSSA-2003-014.0 oval:org.mitre.oval:def:466 The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel. VU#628849 RHSA-2003:098 RHSA-2003:145 DSA-495 DSA-423 DSA-336 DSA-332 DSA-312 DSA-311 DSA-276 DSA-270 GLSA-200303-17 RHSA-2003:088 CSSA-2003-020.0 RHSA-2003:103 MDKSA-2003:039 MDKSA-2003:038 ESA-20030515-017 20030317 Fwd: Ptrace hole / Linux 2.2.25 oval:org.mitre.oval:def:254 Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0. CA-2003-09 VU#117394 7116 MS03-007 http-webdav-long-request(11533) 20030317 Microsoft IIS WebDAV Remote Compromise Vulnerability http://www.nextgenss.com/papers/ms03-007-ntdll.pdf Q815021 http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en 20030321 New attack vectors and a vulnerability dissection of MS03-007 20030708 WDAV exploit without netcat and with pretty magic number 20030328 Fate Research Labs Presents: Analysis of the NTDLL.DLL Exploit 20030326 WebDAV exploit: using wide character decoder scheme 20030325 IIS 5.0 WebDAV -Proof of concept-. Fully documented. 20030321 New attack vectors and a vulnerability dissection of MS03-007 oval:org.mitre.oval:def:109 Stack-based buffer overflow in the bsd_queue() function for lpq on Solaris 2.6 and 7 allows local users to gain root privilege. 20030331 NSFOCUS SA2003-02: Solaris lpq Stack Buffer Overflow Vulnerability 20030331 NSFOCUS SA2003-02: Solaris lpq Stack Buffer Overflow Vulnerability 8713 http://www.nsfocus.com/english/homepage/sa2003-02.htm N-068 52443 http://packetstormsecurity.org/0304-advisories/sa2003-02.txt oval:org.mitre.oval:def:4383 Heap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable. 20030331 NSFOCUS SA2003-03: Solaris dtsession Heap Buffer Overflow Vulnerability 7240 20030331 NSFOCUS SA2003-03: Solaris dtsession Heap Buffer Overflow Vulnerability 52388 oval:org.mitre.oval:def:1905 The PNG deflate algorithm in RealOne Player 6.0.11.x and earlier, RealPlayer 8/RealPlayer Plus 8 6.0.9.584, and other versions allows remote attackers to corrupt the heap and overwrite arbitrary memory via a PNG graphic file format containing compressed data using fixed trees that contain the length values 286-287, which are treated as a very large length. VU#705761 7177 http://www.coresecurity.com/common/showdoc.php?idx=311&idxseccion=10 http://www.coresecurity.com/common/showdoc.php?idx=311&idxseccion=10 20030328 CORE-2003-0306: RealPlayer PNG deflate heap corruption vulnerability 20030328 CORE-2003-0306: RealPlayer PNG deflate heap corruption vulnerability The HTTP proxy for Symantec Enterprise Firewall (SEF) 7.0 allows proxy users to bypass pattern matching for blocked URLs via requests that are URL-encoded with escapes, Unicode, or UTF-8. http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2003032507434754 20030326 Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issue 7196 20030326 Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issue 20030326 Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issue Unknown vulnerability in bonsai Mozilla CVS query tool allows remote attackers to execute arbitrary commands as the www-data user. 7162 DSA-265 bonsai Mozilla CVS query tool leaks the absolute pathname of the tool in certain error messages generated by (1) cvslog.cgi, (2) cvsview2.cgi, or (3) multidiff.cgi. DSA-265 bonsai-path-disclosure(9921) 20020819 Advisory: Bonsai XSS and Physical Path Revealing Vulnerabilities http://bugzilla.mozilla.org/show_bug.cgi?id=187230 5517 Cross-site scripting vulnerabilities (XSS) in bonsai Mozilla CVS query tool allow remote attackers to execute arbitrary web script via (1) the file, root, or rev parameters to cvslog.cgi, (2) the file or root parameters to cvsblame.cgi, (3) various parameters to cvsquery.cgi, (4) the person parameter to showcheckins.cgi, (5) the module parameter to cvsqueryform.cgi, and (6) possibly other attack vectors as identified by Mozilla bug #146244. 5516 DSA-265 bonsai-error-message-xss(9920) 20020819 Advisory: Bonsai XSS and Physical Path Revealing Vulnerabilities http://bugzilla.mozilla.org/show_bug.cgi?id=163573 http://bugzilla.mozilla.org/show_bug.cgi?id=146244 http://bugzilla.mozilla.org/attachment.cgi?id=95985&action=view http://bugzilla.mozilla.org/attachment.cgi?id=95950&action=view bonsai Mozilla CVS query tool allows remote attackers to gain access to the parameters page without authentication. 7163 DSA-265 Format string vulnerability in Eye Of Gnome (EOG) allows attackers to execute arbitrary code via format string specifiers in a command line argument for the file to display. VU#363001 7121 RHSA-2003:128 20030328 CORE-2003-0304-03: Vulnerability in GNOME's Eye of Gnome 20030328 Vulnerability in GNOME's Eye of Gnome MDKSA-2003:048 http://www.coresecurity.com/common/showdoc.php?idx=312&idxseccion=10 oval:org.mitre.oval:def:52 Integer signedness error in emalloc() function for PHP before 4.3.2 allow remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via negative arguments to functions such as (1) socket_recv, (2) socket_recvfrom, and possibly other functions. 7198 7197 20030326 @(#)Mordred Labs advisory - Integer overflow in PHP memory allocator 20030402 Inaccurate Reports Concerning PHP Vulnerabilities 20030327 RE: FUD-ALARM: @(#)Mordred Labs advisory - Integer overflow in PHP memory allocator CLSA-2003:691 Multiple off-by-one buffer overflows in the IMAP capability for Mutt 1.3.28 and earlier, and Balsa 1.2.4 and earlier, allow a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a specially crafted mail folder, a different vulnerability than CVE-2003-0140. 7229 DSA-274 DSA-300 Buffer overflow in Apple QuickTime Player 5.x and 6.0 for Windows allows remote attackers to execute arbitrary code via a long QuickTime URL. VU#112553 http://www.idefense.com/advisory/03.31.03.txt http://lists.apple.com/mhonarc/security-announce/msg00027.html 20030331 iDEFENSE Security Advisory 03.31.03: Buffer Overflow in Windows QuickTime Player quicktime-url-bo(11671) 7247 20030401 iDEFENSE Security Advisory 03.31.03: Buffer Overflow in Windows QuickTime Player APPLE-SA-2003-03-31 10561 Heap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code. 7050 http://www.ethereal.com/appnotes/enpa-sa-00008.html SuSE-SA:2003:019 RHSA-2003:077 MDKSA-2003:051 20030309 GLSA: ethereal (200303-10) oval:org.mitre.oval:def:55 Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser. http://sourceforge.net/mailarchive/forum.php?thread_id=1641953&forum_id=1988 RHSA-2003:112 oval:org.mitre.oval:def:614 The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types, which can cause a length check to be disabled when Sendmail misinterprets an input value as a special "NOCHAR" control value, allowing attackers to cause a denial of service and possibly execute arbitrary code via a buffer overflow attack using messages, a different vulnerability than CVE-2002-1337. CA-2003-12 VU#897604 7230 RHSA-2003:120 RHSA-2003:121 DSA-290 DSA-278 20030329 Sendmail: -1 gone wild 20030329 Sendmail: -1 gone wild http://lists.apple.com/mhonarc/security-announce/msg00028.html 20030401-01-P SCOSA-2004.11 FreeBSD-SA-03:07 CSSA-2003-016.0 20030401 Immunix Secured OS 7+ openssl update 20030331 GLSA: sendmail (200303-27) 20030520 [Fwd: 127 Research and Development: 127 Day!] GLSA-200303-27 52700 52620 20030330 [OpenPKG-SA-2003.027] OpenPKG Security Advisory (sendmail) 20030329 sendmail 8.12.9 available CLA-2003:614 Ecartis 1.0.0 (formerly listar) before snapshot 20030227 allows remote attackers to reset passwords of other users and gain privileges by modifying hidden form fields in the HTML page. 6971 ecartis-password-reset(11431) DSA-271 20030303 Re: Ecardis Password Reseting Vulnerability 20030227 Ecardis Password Reseting Vulnerability The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun"). DSA-266 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt RHSA-2003:091 RHSA-2003:052 RHSA-2003:051 7185 20030331 GLSA: krb5 & mit-krb5 (200303-28) 54042 oval:org.mitre.oval:def:4430 oval:org.mitre.oval:def:2536 oval:org.mitre.oval:def:244 Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020. RHSA-2003:139 20040325 LNSA-#2004-0006: bug workaround for Apache 2.0.48 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/loggers/mod_log_config.c?only_with_tag=APACHE_2_0_BRANCH http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_log_config.c?only_with_tag=APACHE_1_3_25 8146 20040325 GLSA200403-04 Multiple security vulnerabilities in Apache 2 oval:org.mitre.oval:def:151 The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes an out-of-bounds read of an array (aka "array overrun"). DSA-266 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt RHSA-2003:052 RHSA-2003:051 7184 20030331 GLSA: krb5 & mit-krb5 (200303-28) 54042 Buffer overflow in openlog function for PHP 4.3.1 on Windows operating system, and possibly other OSes, allows remote attackers to cause a crash and possibly execute arbitrary code via a long filename argument. 7210 20030327 @(#)Mordred Labs advisory - PHP for Win32: buffer overflow in openlog() function php-openlog-stack-bo(11637) 20041222 PHP v4.3.x exploit for Windows. 20030327 Re: @(#)Mordred Labs advisory - PHP for Win32: buffer overflow in openlog() function 2113 20030402 Inaccurate Reports Concerning PHP Vulnerabilities Multiple buffer overflows in Lotus Domino Web Server before 6.0.1 allow remote attackers to cause a denial of service or execute arbitrary code via (1) the s_ViewName option in the PresetFields parameter for iNotes, (2) the Foldername option in the PresetFields parameter for iNotes, or (3) a long Host header, which is inserted into a long Location header and used during a redirect operation. VU#772817 VU#542873 VU#206361 CA-2003-11 6871 20030217 Lotus Domino Web Server iNotes Overflow (#NISR17022003b) lotus-domino-hostname-bo(11337) lotus-domino-inotes-bo(11336) 6870 http://www.nextgenss.com/advisories/lotus-inotesoflow.txt http://www.nextgenss.com/advisories/lotus-hostlocbo.txt N-065 20030217 Domino Advisories UPDATE 20030217 Lotus Domino Web Server iNotes Overflow (#NISR17022003b) 20030217 Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a) 20030217 Domino Advisories UPDATE 20030217 Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a) 20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c) 20030217 Lotus Domino Web Server iNotes Overflow (#NISR17022003b) 20030217 Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a) Buffer overflow in the COM Object Control Handler for Lotus Domino 6.0.1 and earlier allows remote attackers to execute arbitrary code via multiple attack vectors, as demonstrated using the InitializeUsingNotesUserName method in the iNotes ActiveX control. VU#571297 CA-2003-11 6872 20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c) lotus-notes-activex-bo(11339) http://www.nextgenss.com/advisories/lotus-inotesclientaxbo.txt N-065 http://www-1.ibm.com/support/docview.wss?uid=swg21104543 20030217 Domino Advisories UPDATE 20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c) 20030217 Domino Advisories UPDATE 20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c) Lotus Domino Web Server (nhttp.exe) before 6.0.1 allows remote attackers to cause a denial of service via an incomplete POST request, as demonstrated using the h_PageUI form. VU#355169 CA-2003-11 http://www.nextgenss.com/advisories/lotus-60dos.txt lotus-incomplete-post-dos(11360) 6951 http://www.nextgenss.com/advisories/lotus-60dos.txt N-065 http://www-1.ibm.com/support/docview.wss?uid=swg21104528 20030218 More Lotus Domino Advisories Lotus Domino Web Server (nhttp.exe) before 6.0.1 allows remote attackers to cause a denial of service via a "Fictionary Value Field POST request" as demonstrated using the s_Validation form with a long, unknown parameter name. CA-2003-11 http://www.nextgenss.com/advisories/lotus-60dos.txt lotus-invalid-field-dos(11361) 6951 http://www-1.ibm.com/support/docview.wss?uid=swg21104528 20030218 More Lotus Domino Advisories Buffer overflow gds_lock_mgr of Interbase Database 6.x allows local users to gain privileges via a long ISC_LOCK_ENV environment variable (INTERBASE_LOCK). http://www.secnetops.com/research/advisories/SRT2003-04-03-1300.txt 20030403 SRT2003-04-03-1300 - Interbase ISC_LOCK_ENV overflow 20030403 SRT2003-04-03-1300 - Interbase ISC_LOCK_ENV overflow Buffer overflow in moxftp 2.2 and earlier allows remote malicious FTP servers to execute arbitrary code via a long FTP banner. 6921 moxftp-welcome-banner-bo(11399) DSA-281 20030223 moxftp arbitrary code execution poc/advisory 1006156 20030223 moxftp arbitrary code execution poc/advisory 8136 20030223 moxftp arbitrary code execution poc/advisory hpnst.exe in the GoAhead-Webs webserver for HP Instant TopTools before 5.55 allows remote attackers to cause a denial of service (CPU consumption) via a request to hpnst.exe that calls itself, which causes an infinite loop. 7246 20030331 [DDI-1012] Malformed request causes denial of service in HP Instant TopTools 20030331 [DDI-1012] Malformed request causes denial of service in HP Instant TopTools Unknown vulnerability in filestat.c for Apache running on OS2, versions 2.0 through 2.0.45, allows unknown attackers to cause a denial of service via requests related to device names. 20030402 [ANNOUNCE] Apache 2.0.45 Released http://cvs.apache.org/viewcvs/apr/file_io/os2/filestat.c.diff?r1=1.34&r2=1.35 20030528 [SECURITY] [ANNOUNCE] Apache 2.0.46 released vsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrappers (tcp_wrappers) but is installed as a standalone service, which inadvertently prevents vsftpd from restricting access as intended. 7253 RHSA-2003:084 oval:org.mitre.oval:def:634 A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed. VU#206537 20030402 [ANNOUNCE] Apache 2.0.45 Released ADV-2009-1233 RHSA-2003:139 http://www.idefense.com/advisory/04.08.03.txt http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=205147 8499 34920 http://lists.apple.com/mhonarc/security-announce/msg00028.html 20030411 PATCH: [CAN-2003-0132] Apache 2.0.44 Denial of Service 20030410 working apache <= 2.0.44 DoS exploit for linux. 20030408 Exploit Code Released for Apache 2.x Memory Leak 20030409 GLSA: apache (200304-01) 20030408 iDEFENSE Security Advisory 04.08.03: Denial of Service in Apache HTTP Server 2.x oval:org.mitre.oval:def:156 mod_access_referer 1.0.2 allows remote attackers to cause a denial of service (crash) via a malformed Referer header that is missing a hostname, as parsed by the ap_parse_uri_components function in Apache, which triggers a null dereference. 7375 http://sourceforge.net/project/shownotes.php?release_id=151905 20030416 [VulnWatch] Apache mod_access_referer denial of service issue http://www.vuxml.org/freebsd/af747389-42ba-11d9-bd37-00065be4b5b6.html 8612 Unknown vulnerability in rpcbind for Solaris 2.6 through 9 allows remote attackers to cause a denial of service (rpcbind crash). sun-rpcbind-dos(11906) 7455 50922 8685 Memory leak in lofiadm in Solaris 8 allows local users to cause a denial of service (kernel memory consumption). 8686 sun-lofiadm-dos(11895) 54100 7454 GtkHTML, as included in Evolution before 1.2.4, allows remote attackers to cause a denial of service (crash) via certain malformed messages. RHSA-2003:126 MDKSA-2003:046 CLA-2003:737 oval:org.mitre.oval:def:138 psbanner in the LPRng package allows local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file. RHSA-2003:142 DSA-285 http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=188366 oval:org.mitre.oval:def:423 decrypt_msg for the Gaim-Encryption GAIM plugin 1.15 and earlier does not properly validate a message length parameter, which allows remote attackers to cause a denial of service (crash) via a negative length, which overwrites arbitrary heap memory with a zero byte. 7182 http://www.rapid7.com/advisories/R7-0013.html 20030412 R7-0013: Heap Corruption in Gaim-Encryption Plugin The Winsock Proxy service in Microsoft Proxy Server 2.0 and the Microsoft Firewall service in Internet Security and Acceleration (ISA) Server 2000 allow remote attackers to cause a denial of service (CPU consumption or packet storm) via a spoofed, malformed packet to UDP port 1745. MS03-012 http://www.idefense.com/advisory/04.09.03.txt 20030409 iDEFENSE Security Advisory 04.09.03: Denial of Service in Microsoft Proxy Server and Internet Security and Acceleration Server 2000 oval:org.mitre.oval:def:406 The ByteCode Verifier component of Microsoft Virtual Machine (VM) build 5.0.3809 and earlier, as used in Windows and Internet Explorer, allows remote attackers to bypass security checks and execute arbitrary code via a malicious Java applet, aka "Flaw in Microsoft VM Could Enable System Compromise." VU#447569 MS03-011 msvm-bytecode-improper-validation(11751) oval:org.mitre.oval:def:136 KDE 2 and KDE 3.1.1 and earlier 3.x versions allows attackers to execute arbitrary commands via (1) PostScript (PS) or (2) PDF files, related to missing -dPARANOIDSAFER and -dSAFER arguments when using the kghostview Ghostscript viewer. http://www.kde.org/info/security/advisory-20030409-1.txt DSA-284 RHSA-2003:002 DSA-296 DSA-293 http://bugs.kde.org/show_bug.cgi?id=56808 http://bugs.kde.org/show_bug.cgi?id=53343 MDKSA-2003:049 20030414 GLSA: kde-2.x (200304-05.1) 20030412 [Sorcerer-spells] KDE-SORCERER2003-04-12 20030411 GLSA: kde-2.x (200304-05) 20030410 GLSA: kde-3.x (200304-04) CLA-2003:747 CLA-2003:668 Mac OS X before 10.2.5 allows guest users to modify the permissions of the DropBox folder and read unauthorized files. http://lists.apple.com/mhonarc/security-announce/msg00028.html Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code. VU#267873 7294 DSA-280 20030407 [DDI-1013] Buffer Overflow in Samba allows remote root compromise RHSA-2003:137 SuSE-SA:2003:025 http://www.digitaldefense.net/labs/advisories/DDI-1013.txt 20030403-01-P MDKSA-2003:044 20030409 GLSA: samba (200304-02) 20030408 [Sorcerer-spells] SAMBA--SORCERER2003-04-08 20030407 Immunix Secured OS 7+ samba update CLA-2003:624 oval:org.mitre.oval:def:567 oval:org.mitre.oval:def:2163 ps2epsi creates insecure temporary files when calling ghostscript, which allows local attackers to overwrite arbitrary files. DSA-286 Cross-site scripting (XSS) vulnerability in Macromedia Flash ad user tracking capability allows remote attackers to insert arbitrary Javascript via the clickTAG field. http://www.securiteam.com/securitynews/5XP0B0U9PE.html http://www.macromedia.com/support/flash/ts/documents/clicktag_security.htm 20030413 Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach 20030413 Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach Integer overflow in the TCP stream reassembly module (stream4) for Snort 2.0 and earlier allows remote attackers to execute arbitrary code via large sequence numbers in packets, which enable a heap-based buffer overflow. VU#139129 CA-2003-13 7178 DSA-297 http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10 ESA-20030430-013 20030428 GLSA: snort (200304-06) 20030423 Snort <=1.9.1 exploit 20030422 GLSA: snort (200304-05) 20030415 CORE-2003-0307: Snort TCP Stream Reassembly Integer Overflow Vulnerability MDKSA-2003:052 Memory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections. 20030418 Xinetd 2.3.10 Memory Leaks RHSA-2003:160 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=88537 MDKSA-2003:056 CLA-2003:782 oval:org.mitre.oval:def:657 xfsdq in xfsdump does not create quota information files securely, which allows local users to gain root privileges. VU#111673 DSA-283 20030404-01-P MDKSA-2003:047 DirectoryServices in MacOS X trusts the PATH environment variable to locate and execute the touch command, which allows local users to execute arbitrary commands by modifying the PATH to point to a directory containing a malicious touch program. A041003-1 http://lists.apple.com/mhonarc/security-announce/msg00028.html Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201. RHSA-2003:137 DSA-280 20030407 [OpenPKG-SA-2003.028] OpenPKG Security Advisory (samba) MDKSA-2003:044 20030407 Immunix Secured OS 7+ samba update oval:org.mitre.oval:def:564 BitchX IRC client 1.0c20cvs and earlier allows attackers to cause a denial of service (core dump) via certain channel mode changes that are not properly handled in names.c. 20030510 BitchX: Crash when channel modes change CLA-2003:655 bitchx-mode-change-dos(12008) 7551 MDKSA-2003:069 Cross-site scripting (XSS) vulnerability in John Beatty Easy PHP Photo Album 1.0 allows remote attackers to inject arbitrary web script or HTML via the dir parameter. 8977 http://security.nnov.ru/docs5347.html Buffer overflow in PostMethod() function for Monkey HTTP Daemon (monkeyd) 0.6.1 and earlier allows remote attackers to execute arbitrary code via a POST request with a large body. 7202 20030428 GLSA: monkeyd (200304-07.1) 20030420 Monkey HTTPd Remote Buffer Overflow http://monkeyd.sourceforge.net/Changelog.txt 20030420 Monkey HTTPd Remote Buffer Overflow Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute administrator commands by sniffing packets from a valid session and replaying them against the remote administration server. VU#641012 http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10 7179 20030428 CORE-2003-0305-02: Vulnerabilities in Kerio Personal Firewall Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet. VU#454716 http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10 7180 20030428 CORE-2003-0305-02: Vulnerabilities in Kerio Personal Firewall The (1) dupatch and (2) setld utilities in HP Tru64 UNIX 5.1B PK1 and earlier allows local users to overwrite files and possibly gain root privileges via a symlink attack. tru64-dupatch-setld-symlink(11892) 7452 SSRT3471 Stack-based buffer overflow in Oracle Net Services for Oracle Database Server 9i release 2 and earlier allows attackers to execute arbitrary code via a "CREATE DATABASE LINK" query containing a connect string with a long USING parameter. 7453 http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf oracle-database-link-bo(11885) N-085 20030429 Oracle Database Server Buffer Overflow Vulnerability (#NISR29042003) 20030429 Oracle Database Server Buffer Overflow Vulnerability (#NISR29042003) Heap-based buffer overflow in plugin.ocx for Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via the Load() method, a different vulnerability than CVE-2003-0115. MS03-015 20030424 Internet Explorer Plugin.ocx heap overflow (#NISR24042003) ie-plugin-load-bo(11854) oval:org.mitre.oval:def:1094 The LDAP name service (nsd) in IRIX 6.5.19 and earlier does not properly verify if the USERPASSWORD attribute has been provided by an LDAP server, which could allow attackers to log in without a password. 7442 20030407-01-P irix-ldap-authentication-bypass(11860) N-084 OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. 7467 20030430 OpenSSH/PAM timing attack allows remote users identification TLSA-2003-31 RHSA-2003:224 RHSA-2003:222 20030806 [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh) 20030430 OpenSSH/PAM timing attack allows remote users identification 20030430 OpenSSH/PAM timing attack allows remote users identification http://lab.mediaservice.net/advisory/2003-01-openssh.txt oval:org.mitre.oval:def:445 handleAccept in rinetd before 0.62 does not properly resize the connection list when it becomes full and sets an array index incorrectly, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large number of connections. DSA-289 20030417 Vulnerability in rinetd ctrlpacket.c in PoPToP PPTP server before 1.1.4-b3 allows remote attackers to cause a denial of service via a length field of 0 or 1, which causes a negative value to be fed into a read operation, leading to a buffer overflow. VU#673993 7316 20030409 PoPToP PPTP server remotely exploitable buffer overflow DSA-295 SuSE-SA:2003:029 20030418 Exploit for PoPToP PPTP server 20030422 Re: Exploit for PoPToP PPTP server - Linux version http://sourceforge.net/project/shownotes.php?release_id=138437 20030428 GLSA: pptpd (200304-08) run-mailcap in mime-support 3.22 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. DSA-292 SQL injection vulnerability in bttlxeForum 2.0 beta 3 and earlier allows remote attackers to bypass authentication via the (1) username and (2) password fields, and possibly other fields. http://www.battleaxesoftware.com/forums/forum.asp?forumid=36&select=1812 20030424 SQL injection in BttlxeForum 1006632 Unknown vulnerability in Cisco Catalyst 7.5(1) allows local users to bypass authentication and gain access to the enable mode without a password. VU#443257 20030424 Cisco Security Advisory: Cisco Catalyst Enable Password Bypass Vulnerability Buffer overflow in the administration service (CSAdmin) for Cisco Secure ACS before 3.1.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long user parameter to port 2002. VU#697049 20030423 Cisco Secure Access Control Server for Windows Admin Buffer Overflow Vulnerability 20030424 NSFOCUS SA2003-04 : Remote Buffer Overflow Vulnerability in Web Management Interface of Cisco Secure ACS 20030424 NSFOCUS SA2003-04 : Remote Buffer Overflow Vulnerability in Web Management Interface of Cisco Secure ACS gkrellm-newsticker gkrellm plugin before 0.3-3.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the ticker title of a URI. DSA-294 20030423 Security problems in gkrellm-newsticker gkrellm-newsticker gkrellm plugin before 0.3-3.1 allows remote attackers to cause a denial of service (crash) via (1) link or (2) title elements that contain multiple lines. DSA-294 20030423 Security problems in gkrellm-newsticker Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. VU#446338 7370 MS03-013 win-kernel-lpcrequestwaitreplyport-bo(11803) oval:org.mitre.oval:def:779 oval:org.mitre.oval:def:3145 oval:org.mitre.oval:def:262 oval:org.mitre.oval:def:2265 oval:org.mitre.oval:def:2022 oval:org.mitre.oval:def:142 oval:org.mitre.oval:def:1264 Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via an HTTP response containing long values in (1) Content-type and (2) Content-encoding fields. VU#169753 MS03-015 20030426 Buffer overflow in Internet Explorer's HTTP parsing code 20030701 URLMON.DLL buffer overflow - technical details oval:org.mitre.oval:def:926 The file upload control in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to automatically upload files from the local system via a web page containing a script to upload the files. MS03-015 20030203 internet explorer local file reading oval:org.mitre.oval:def:963 Microsoft Internet Explorer 5.01, 5.5 and 6.0 does not properly check parameters that are passed during third party rendering, which could allow remote attackers to execute arbitrary web script, aka the "Third Party Plugin Rendering" vulnerability, a different vulnerability than CVE-2003-0233. MS03-015 ie-improper-thirdparty-rendering(11848) Microsoft Internet Explorer 5.01, 5.5 and 6.0 does not properly check the Cascading Style Sheet input parameter for Modal dialogs, which allows remote attackers to read files on the local system via a web page containing script that creates a dialog and then accesses the target files, aka "Modal Dialog script execution." VU#244729 6306 MS03-015 20021203 Poisonous Style for Dialog window turns the zone off. Buffer overflow in the HTTP receiver function (BizTalkHTTPReceive.dll ISAPI) of Microsoft BizTalk Server 2002 allows attackers to execute arbitrary code via a certain request to the HTTP receiver. MS03-016 20030505 Microsoft Biztalk Server ISAPI HTTP Receive function buffer overflow SQL injection vulnerability in the Document Tracking and Administration (DTA) website of Microsoft BizTalk Server 2000 and 2002 allows remote attackers to execute operating system commands via a request to (1) rawdocdata.asp or (2) RawCustomSearchField.asp containing an embedded SQL statement. MS03-016 20030505 Microsoft Biztalk Server DTA vulnerable to SQL injection mod_auth_any package in Red Hat Enterprise Linux 2.1 and other operating systems does not properly escape arguments when calling other programs, which allows attackers to execute arbitrary commands via shell metacharacters. 7448 RHSA-2003:114 modauthany-command-execution(11893) RHSA-2003:113 http://www.itlab.musc.edu/webNIS/mod_auth_any.html N-090 The Sendmail 8.12.3 package in Debian GNU/Linux 3.0 does not securely create temporary files, which could allow local users to gain additional privileges via (1) expn, (2) checksendmail, or (3) doublebounce.pl. DSA-305 https://bugs.gentoo.org/show_bug.cgi?id=235770 [oss-security] 20081030 CVE requests: tempfile issues for aview, mgetty, openoffice, crossfire http://dev.gentoo.org/~rbu/security/debiantemp/sendmail-base http://bugs.debian.org/496408 Multiple buffer overflows in kermit in HP-UX 10.20 and 11.00 (C-Kermit 6.0.192 and possibly other versions before 8.0) allow local users to gain privileges via long arguments to (1) ask, (2) askq, (3) define, (4) assign, and (5) getc, some of which may share the same underlying function "doask," a different vulnerability than CVE-2001-0085.