AERAsec Network Security
Current Security Messages


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular which patches should be installed or which configuration changes should be made to avoid a given vulnerability. Some of the files are transferred by FTP.

By the way: if we're not publishing well-known risks inherent in a widely used platform or program, that doesn't mean this particular platform or program is safe to use!


Chosen month 02 / 2004

System: FreeBSD
Topic: Vulnerability in jail
Links: FreeBSD-SA-04:03, ESB-2004.0171
ID: ae-200402-075

The jail system call allows a system administrator to lock up a process and all its descendants inside a closed environment with very limited ability to affect the system outside that environment, even for processes with superuser privileges. It is an extension of, but far more stringent than, the traditional Unix chroot system call. A programming error has been found in the jail_attach system call which affects the way that system call verifies the privilege level of the calling process. Instead of failing immediately if the calling process was already jailed, the jail_attach system call would fail only after changing the calling process's root directory. A process with superuser privileges inside a jail could change its root directory to that of a different jail, and thus gain full read and write access to files and directories within the target jail. It's recommended to install a patch or an upgrade.

System: Debian GNU/Linux
Topic: Vulnerabilities in xboing
Links: DSA-451, OAR-2004:0268
ID: ae-200402-074

Xboing is a game. It contains a number of buffer overflow vulnerabilities, which could be exploited by a local attacker to gain the privileges of group "games". A patch is available now.

System: Some
Topic: Vulnerabilities in Oracle9i Database
Links: #NISR12122003d, #NISR12122003c, #NISR12122003e, #NISR12122003b, Secunia #10805, VU#819126, VU#846582, VU#240174, VU#399806, OAR-2004.0278, OAR-2004.0279, OAR-2004.0280
ID: ae-200402-073

Multiple vulnerabilities in Oracle9i Database have been found. They can be exploited by malicious database users to compromise the system and gain escalated privileges. The first two vulnerabilities are caused by boundary errors in two functions used for interval conversion ("NUMTOYMINTERVAL" and "NUMTODSINTERVAL"). These can be exploited to cause buffer overflows by supplying an overly long "char_expr" string and have been reported in versions prior to 9.2.0.4 (Patchset 3). The last two vulnerabilities are caused by boundary errors in the "FROM_TZ" function and in the "TIME_ZONE" parameter. Both vulnerabilities affect versions prior to 9.2.0.3. Successful exploitation of the vulnerabilities may allow a malicious, unprivileged database user to execute arbitrary code with either SYSTEM or ORACLE privileges. It's recommended to update to version 9.2.0.4 and apply Patch 3, which is reportedly available via the Metalink site.

System: Sun Solaris
Topic: Vulnerabilities in passwd and /usr/lib/print/conv_fix
Links: Sun Alert 57454, Sun Alert 57509, VU#412566, OAR-2004:0262, OAR-2004:0263, O-088, O-089
ID: ae-200402-072

The passwd command is used by users to change their passwords, among other things. A local unprivileged user may be able to gain unauthorized root privileges due to a security issue involving the passwd command. The "/usr/lib/print/conv_fix" command is invoked by the conv_lpd script and contains a security vulnerability. If the conv_lpd script is executed as the "root" user, it may be possible for unprivileged local users to exploit this vulnerability to overwrite or create any file on the system. This could lead to unauthorized elevated privileges or allow a Denial of Service (DoS) against the system. It's recommended to install the corresponding patches.

System: Microsoft Windows
Topic: Vulnerability in ISS Proventia, RealSecure, and BlackICE Products
Links: AD20040226, ISS Alert 165, O-085, ESB-2004.0167, VU#150326
ID: ae-200402-071

A vulnerability was discovered in the SMB (Server Message Block) protocol parsing routines of the ISS Protocol Analysis Module (PAM) component found in some ISS products. The flaw relates to incorrect parsing of the SMB protocol, which may lead to a heap overflow condition. Patches are available now.

System: SGI Advanced Linux Environment / SGI ProPack
Topic: Several vulnerabilities fixed
Links: SGI-20040202-01, SGI-20040203-01, SGI-20040204-01, OAR-2004:0259, OAR-2004:0260, OAR-2004:0261
ID: ae-200402-070

SGI has released Patch 10044: SGI Advanced Linux Environment security update #11, Patch 10051: SGI Advanced Linux Environment security update #12, and Patch 10046: SGI ProPack v2.4: Kernel update which include updated RPMs for SGI ProPack v2.4 for the SGI Altix family of systems. It's strongly recommended to install this update.

System: Debian GNU/Linux
Topic: Vulnerabilities in kernel for the mips architecture
Links: DSA-450, ESB-2004.0170
ID: ae-200402-069

Several vulnerabilities have been found in the do_brk() and mremap() system calls of the linux-kernel-2.4.19-mips. Patches are available now.

System: Mandrake Linux
Topic: Vulnerability in mtools
Links: MDKSA-2004:016, OAR-2004:0256
ID: ae-200402-068

The mformat program, when installed suid root, can create any file with 0666 permissions as root, and it also does not drop privileges when reading local configuration files. The updated packages remove the suid bit from mformat.

System: Red Hat Linux
Topic: Vulnerabilities in libxml2 and mod_python
Links: RHSA-2004-091, RHSA-2004-090, RHSA-2004-063, RHSA-2004-058, CAN-2004-0110, CAN-2003-0973, ESB-2004.0165, ESB-2004.0166, ESB-2004.0178, O-086, O-087
ID: ae-200402-067

'libxml2' is a library for manipulating XML files. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL.
'mod_python' embeds the Python language interpreter within the Apache httpd server. A bug has been found in mod_python that can lead to a denial of service vulnerability.
Fixed packages are available now.

System: SuSE Linux
Topic: Vulnerabilities in XFree86
Links: SA:2004:006, OAR-2004.0247
ID: ae-200402-066

XFree86 is an implementation of the X Window System, providing the core graphical user interface and video drivers. Two buffer overflows have been discovered in the parsing of the 'font.alias' file. A local attacker could exploit this vulnerability by creating a carefully-crafted file and gain root privileges in this way. Patches are available now.

System: HP-UX
Topic: Many newly revised patches available
Links: SSRT3670, SSRT4681, SSRT2339, SSRT3476, SSRT3492, SSRT3507, SSRT3622, SSRT3576, SSRT3596, SSRT3657, SSRT2316, SSRT3461, SSRT3556, SSRT2341, OAR-2004:0225, OAR-2004:0227, OAR-2004:0228, OAR-2004:0229, OAR-2004:0230, OAR-2004:0231, OAR-2004:0232, OAR-2004:0233, OAR-2004:0235, OAR-2004:0236, OAR-2004:0237, OAR-2004:0238, OAR-2004:0239, OAR-2004:0240
ID: ae-200402-065

Hewlett Packard has revised some advisories. They address vulnerabilities in VirtualVault OpenSSH, Apache 1.3.29 web server on VVOS, ypxfrd, SharedX, libDtSvc, dtterm, Apache web server, Mozilla, rpc.mountd, CDE libDtHelp, DNS, uucp, uusub, /usr/lbin/rwrite, and calloc. It's recommended to check whether the patches for your system have been revised.

System: SCO OpenLinux
Topic: Vulnerabilities in BIND and Perl
Links: CSSA-2004-003, CSSA-2004-007, OAR-2004:0211, OAR-2004:0218
ID: ae-200402-064

BIND is an implementation of the Domain Name System (DNS) protocols. Some versions are susceptible to cache poisoning. Successful exploitation of this vulnerability may result in a temporary Denial-of-Service. When Perl code is executed within a Safe compartment, it cannot access variables outside of the compartment unless the outside code chooses to share the variables with the code inside the compartment. If code inside a Safe compartment is executed via Safe->reval() twice, it is able to change its operation mask the second time. This could allow the code to access variables outside the Safe compartment. Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and earlier, may allow attackers to break out of safe compartments. Patches are available now.

System: Mac OS X
Topic: New Security Update available
Links: APPLE-SA-2004-02-23, VU#194238, VU#460350, VU#578886, VU#841742, atstake, ESB-2004.0159
ID: ae-200402-063

Security Update 2004-02-23 is now available. It addresses issues in the CoreFoundation, DiskArbitration, IPSec, Point-to-Point-Protocol, QuickTime Streaming Server, Safari, and tcpdump.

System: Microsoft Windows
Topic: Vulnerability in IPswitch IMail Server LDAP Daemon
Links: iDefense, SA10880, VU#972334
ID: ae-200402-062

A buffer overflow flaw exists in the way that the Lightweight Directory Access Protocol (LDAP) server included with the IPswitch IMail Server handles messages with overly long tags. This results in a vulnerability that can be exploited by a remote attacker with the ability to supply a specially-crafted message to the server. So a remote attacker may be able to execute arbitrary code in the context of Administrator on vulnerable systems running Windows 2000 or Windows XP. Furthermore, successful exploitation has been reported to cause the LDAP service to crash, resulting in a denial-of-service condition. It's strongly recommended to install the patch published now.

System: Several systems
Topic: New ISS Summary
Links: AS04-08
ID: ae-200402-061

Within the last week 56 new vulnerabilities have been reported:

- xfree86-glx-integer-dos - punkbuster-login-sql-injection - linux-ncplookup-gain-privileges
- mnogosearch-udmdoctotextbuf-bo - metamail-splitmail-subject-bo - purge-battletype-map-bo
- productcart-advsearchhasp-sql-injection - xlight-retr-dos - metamail-printheader-format-string
- onlinestorekit-more-xss - productcart-keystream-obtain-information - broker-ftp-dos
- cisco-ons-gain-access - linksys-snmp-strings-disclosure - productcart-custva-xss
- shopcartcgi-dotdot-directory-traversal - owls-file-retrieval - sami-http-get-bo
- ie-bmp-integer-overflow - onlinestorekit-more-sql-injection - allmyguests-php-file-include
- metamail-contenttype-format-string - symantec-firewallvpn-password-plaintext - solaris-sulogin-single-dos
- etrust-antivirus-scan-bypass - metamail-printheader-nonascii-bo - yabb-post-sql-injection
- yabb-invalidmessage-obtain-information - symantec-scanengine-race-condition - phpwebsite-announce-sql-injection
- signaturedb-sdbscan-bo - smallftpd-forwardslash-dos - servu-sitechmod-command-dos
- allmylinks-file-include - broker-ftp-tsftpsrv-dos - oracle9i-sql-dos
- robot-username-bo - oracle-mobile-gain-access - cisco-ons-ack-dos
- imail-ldap-tag-bo - teamfactor-packet-dos - apc-smartslot-default-password
- linux-vicam-dos - xfree86-multiple-font-improper-handling - linux-mremap-gain-privileges
- vizer-long-string-dos - vbulletin-search-xss - livejournal-url-xss
- zonelabs-multiple-products-bo - webstores-browseitems-sql-injection - xfree86-glx-array-dos
- win-kernel-gain-privileges - webstores-error-xss - cisco-ons-file-upload
- oracle-soap-dos - cesarftp-userpass-dos

System: Debian GNU/Linux
Topic: Vulnerabilities in kernel s390, lbreakout2, synaesthesia, hsftp, and pwlib
Links: DSA-442, DSA-445, DSA-446, DSA-447, DSA-448, ESB-2004.0152, ESB-2004.0156, ESB-2004.0157, ESB-2004.0158
ID: ae-200402-060

10 security related problems have been fixed in the Linux kernel 2.4.17 used for the S/390 architecture, mostly by backporting fixes from 2.4.18 and incorporating recent security fixes.
A vulnerability in lbreakout2 has been found. This is a game, where proper bounds checking isn't performed on environment variables. This bug could be exploited by a local attacker to gain the privileges of group "games".
Synaesthesia is a program which represents sounds visually. Synaesthesia creates its configuration file while holding root privileges, allowing a local user to create files owned by root and writable by the user's primary group. This type of vulnerability can usually be easily exploited to execute arbitrary code with root privileges by various means.
A format string vulnerability in hsftp has been found. This vulnerability might be exploited by an attacker able to create files on a remote server with carefully crafted names, to which a user would connect using hsftp. When the user requests a directory listing, particular bytes in memory could be overwritten, potentially allowing arbitrary code to be executed with the privileges of the user invoking hsftp.
Pwlib is a library used to aid in writing portable applications. Due to a vulnerability a remote attacker might cause a Denial-of-Service or potentially execute arbitrary code. This library is most notably used in several applications implementing the H.323 teleconferencing protocol, including the OpenH323 suite, gnomemeeting and asterisk.
Patches to solve these problems are available now.

System: HP-UX
Topic: Revised patches for vulnerabilities in sendmail, rpc.yppasswdd, xdrmem_getbytes, and XDR library available
Links: SSRT3631, SSRT2330, SSRT2439, SSRT2336, ESB-2004.0142, ESB-2004.0143, ESB-2004.0144, ESB-2004.0145
ID: ae-200402-059

Hewlett Packard has revised some advisories. They are about a vulnerability in sendmail, potentially allowing unauthorized privileged access, and a security vulnerability in rpc.yppasswdd, also allowing unauthorized privileged access or a Denial-of-Service. Additionally, a potential buffer overflow in xdrmem_getbytes and related functions might lead to a Denial-of-Service or unauthorized privileged access. A potential buffer overflow in the XDR library might have the same effect. It's recommended to check whether the patches for your system have been revised.

System: Zone Labs
Topic: Vulnerability in handling SMTP
Links: AD20040219, ZoneLabs #8, VU#619982, O-084, ESB-2004.0147
ID: ae-200402-058

A security vulnerability exists in specific versions of ZoneAlarm, ZoneAlarm Pro, ZoneAlarm Plus and the Zone Labs Integrity client. This vulnerability is caused by an unchecked buffer in Simple Mail Transfer Protocol (SMTP) processing which could lead to a buffer overflow. In order to exploit the vulnerability without user assistance, the target system must be operating as an SMTP server. Zone Labs does not recommend using its client security products to protect servers. This problem can be solved by installing an upgrade.

System: IBM AIX
Topic: Vulnerability in X server
Links: OAR-2004:0207, OAR-2004:0216
ID: ae-200402-057

A buffer overflow exists in the X server of IBM AIX 4.3, 5.1 and 5.2. This can be exploited by an attacker who has the ability to modify the fonts.alias file used by the X server and perform operations against the X server. The fonts.alias file can only be modified by root. This makes it difficult for an attacker to exploit this vulnerability. A patch should be applied.

System: Cisco
Topic: Some vulnerabilities on Cisco ONS x
Links: Cisco, ESB-2004.0140
ID: ae-200402-056

Multiple vulnerabilities exist in the Cisco ONS 15327 Edge Optical Transport Platform, the Cisco ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH Multiplexer Platform, and the Cisco ONS 15600 Multiservice Switching Platform. This hardware is managed through the XTC, TCC+/TCC2, TCCi/TCC2, and TSC control cards respectively. They have several vulnerabilities. The TFTP service is enabled by default and allows both GET and PUT commands to be executed without any authentication. Some hardware is susceptible to an ACK Denial of Service (DoS) attack on TCP port 1080. TCP port 1080 is used by network management applications to communicate with the controller card. The controller card on the optical device will reset under such an attack. Telnet access to the underlying VxWorks operating system, by default, is restricted to Superusers only. Due to a vulnerability, a superuser whose account is locked out, disabled, or suspended is still able to log in via Telnet to the VxWorks shell, using their previously configured password. Fixes are available now.

System: NetBSD
Topic: Vulnerabilities in racoon IKE daemon, IPv6 path MTU discovery, OpenSSL ASN.1 parser, and shmat
Links: NetBSD-SA2004-001, NetBSD-SA2004-002, NetBSD-SA2004-003, NetBSD-SA2004-004, ESB-2004.148, ESB-2004.149, ESB-2004.150, ESB-2004.151
ID: ae-200402-055

NetBSD ships with the racoon IKE (Internet Key Exchange) daemon. A vulnerability was found in the code for packet validation of "informational exchange" messages. By sending specifically-crafted IKE packets, a malicious party could remove an IPsec SA and/or ISAKMP SA on the victim node.
Once a specially-crafted ICMPv6 "too big" message is sent to a victim node, a routing table entry with a small path-MTU is installed. The victim system may later experience a kernel panic (due to a kernel stack overflow) if a TCP session that uses the routing table entry is later established.
The ASN.1 parser of OpenSSL 0.9.6k has a possible denial-of-service vulnerability, described in more detail in the linked advisory.
A programming error in the shmat system call can result in a shared memory segment's reference count being erroneously incremented. This system call is part of the System-V Shared Memory subsystem; although this is enabled in the default (GENERIC*) kernels, custom kernels built without "options SYSVSHM" are not affected.
Patches have been published now.

System: Several Linux
Topic: Vulnerabilities in metamail
Links: VU#513062, VU#518518, RHSA-2004-073, O-083, ESB-2004.134, MDKSA-2004:014, SSA:2004-049-02, DSA-449, ESB-2004.161
ID: ae-200402-054

Metamail is a system for handling multimedia mail. Two format string bugs and two buffer overflow bugs in versions of Metamail up to and including 2.7 have been found. An attacker might create a carefully-crafted message such that when it is opened by a victim and parsed through Metamail, it runs arbitrary code as the victim. A patch to solve this problem is available now.

System: SuSE Linux
Topic: Vulnerabilities in Kernel
Links: SUSE 8.2, SUSE 9.0
ID: ae-200402-053

The new RPM k_athlon 2.4.21-192 solves several vulnerabilities in the Kernel. These vulnerabilities include Denial-of-Service (DoS) and also the problems with mremap mentioned before.

System: Microsoft Windows
Topic: New worm W32/Netsky.B in the wild
Links: IN-2004-02, AL-2004.05
ID: ae-200402-052

A new mass-mailing virus known as W32/Netsky.B is in the wild and spreading rapidly. It propagates either as an attachment to an E-Mail message or by automatically copying itself to Windows network shares. Upon successful execution, the virus attempts to
- modify various Windows registry values so that the virus is run again upon reboot.
- install a copy of itself in the %Windir%\services.exe, where %Windir% is a variable pointing to the root of the Windows directory on the host.
- collect target email addresses from files with specific extensions on the local system.
- copy itself to particularly-named files within non-CDROM local drives or mapped network shares.
- remove registry keys that were added as a likely result of successful compromise via other recent malicious code, including W32/Novarg.A and W32/MyDoom.B.
When spreading via E-Mail, the virus arrives as an email message with a 22,016-byte attachment that has a filename selected randomly from a fixed list and a double-extension. Anti-virus vendors have developed signatures for and information about W32/Netsky.B. So please update your Anti-virus Software and be careful with E-Mail attachments.
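The two mail-borne traits the advisory names, a double-extension attachment filename and a 22,016-byte attachment body, are the kind of thing a mail gateway can check before an attachment reaches a user. The following is an added example written for this page, not code from AERAsec or from the advisory: it parses a MIME message with Python's standard email module and reports attachments matching either indicator. The sample message, the recipient addresses and the attachment name "document.txt.exe" are constructed for the test; the set of executable extensions is an assumption about what Windows runs directly, not a list from the advisory.

```python
"""Scan e-mail attachments for the W32/Netsky.B traits the advisory names:
a double-extension filename and a 22,016-byte attachment body.
Added example, not part of the original page."""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumed set of extensions Windows executes directly. A name whose last
# extension is one of these while an inner extension precedes it
# ("document.txt.exe") is the double-extension pattern described above.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
NETSKY_B_ATTACHMENT_SIZE = 22016  # byte count stated in the advisory


def has_double_extension(filename: str) -> bool:
    """True for names like 'document.txt.exe': two extensions, last one executable."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXECUTABLE_EXTS and parts[1] != ""


def scan_message(raw: bytes) -> list:
    """Return one finding per attachment that matches at least one indicator.

    Each finding is a dict with the attachment filename, its decoded size and
    the list of reasons it was flagged."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if has_double_extension(name):
            reasons.append("double extension")
        if len(payload) == NETSKY_B_ATTACHMENT_SIZE:
            reasons.append("22,016-byte body")
        if reasons:
            findings.append({"filename": name, "size": len(payload), "reasons": reasons})
    return findings


def build_sample_message(filename: str, body_size: int) -> bytes:
    """Construct a MIME message with one attachment (test input, not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "recipient@example.invalid"     # constructed address
    msg["Subject"] = "hello"
    msg.set_content("please read the attached document")
    # Zero-filled body of the requested size stands in for the attachment.
    msg.add_attachment(b"\x00" * body_size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message("document.txt.exe", NETSKY_B_ATTACHMENT_SIZE)
    for finding in scan_message(sample):
        print(finding)
```

Either indicator alone is enough to flag an attachment: a later variant could change the file size, and a legitimate file could by chance be exactly 22,016 bytes, so a gateway would normally quarantine for review rather than delete on this heuristic alone.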

System: Debian GNU/Linux
Topic: More vulnerabilities in kernel
Links: DSA-439, DSA-440, ESB-2004.0135, ESB-2004.0136
ID: ae-200402-051

More vulnerabilities have been found in kernel 2.4.16 and 2.4.17, respectively. An integer overflow in the brk system call (do_brk() function) for Linux allows a local attacker to gain root privileges. A flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) may allow a local attacker to gain root privileges. In the memory management code of Linux inside the mremap(2) system call another vulnerability has been found. Due to missing function return value check of internal functions a local attacker can gain root privileges. Patches are available now.

System: Several Linux
Topic: Another Vulnerability in kernel
Links: isec-0014, O-082, DSA-438, ESB-2004.0130, RHSA-2004-065, RHSA-2004-066, RHSA-2004-069, ESB-2004.0131, ESB-2004.0139, ESB-2004.0141, DSA-441, ESB-2004.0137, SuSE-2004_05, SSA:2004-049-01, ESB-2004.0138, CLA-2004:820, TLSA-2004-7, DSA-444, ESB-2004.0154, MDKSA-2004:015, MDKSA-2004:015-1
ID: ae-200402-050

A critical security vulnerability has been found in the Linux kernel memory management code inside the mremap system call due to missing function return value check. This bug is completely unrelated to the mremap bug disclosed on 05-01-2004 except concerning the same internal kernel function code. Since no special privileges are required to use the mremap system call any process may use its unexpected behavior to disrupt the kernel memory management subsystem. Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges. The vulnerability may also lead to a denial-of-service attack on the available system memory. If the vendor of your distribution offers a patch, please install it.

System: Several systems
Topic: New ISS Summary
Links: AS04-07
ID: ae-200402-049

Within the last week 56 new vulnerabilities have been reported:

- ezcontents-multiple-file-include - redalert-long-request-dos - bosdates-calendar-sql-injection
- samba-smbmnt-gain-privileges - mutt-index-menu-bo - samba-mksmbpasswd-gain-access
- etrust-inoculateit-insecure-permissions - monkey-getrealstring-dos - trackmania-dos
- redalert-bypass-security - resin-source-disclosure - crob-multiple-connections-dos
- dreamftp-string-format-string - linux-vserver-gain-privileges - mailman-command-handler-dos
- resin-dotdot-directory-traversal - win-asn1-library-bo - macallan-gain-unauthorized-access
- eggdrop-sharemod-gain-access - winxp-helpctr-hcp-xss - ie-error-obtain-information
- maxwebportal-personalmesssages-sql-injection - redalert-gain-access - sambar-http-post-bo
- palace-server-address-bo - mailmgr-insecure-temp-directory - maxwebportal-multiple-xss
- pwlib-message-dos - matrixftp-login-list-dos - win-wins-gsflag-dos
- realoneplayer-rmp-directory-traversal - aix-password-enumeration - phpnuke-publicmessage-sql-injection
- palmhttpd-accept-bo - etrust-inoculateit-symlink - sophos-mime-header-dos
- linux-rsync-opensocketout-bo - xfree86-copyisolatin1lLowered-bo - jshop-searchphp-xss
- nokia-obex-dos - clam-antivirus-uuencoded-dos - sophos-email-virus-undetected
- xfree86-fontalias-bo - sandsurfer-undisclosed-gain-access - phpnuke-mulitple-xss
- evolutionx-command-line-dos - sami-cd-get-dos - aim-sniff-symlink
- phpnuke-modules-sql-injection - jack-formmail-file-upload - ezcontents-login-bypass
- ie-host-null-dos - maxwebportal-register-xss - virtual-pc-gain-privileges
- phpcodecabinet-multiple-xss - ratbag-data-length-dos

System: SuSE Linux
Topic: Vulnerability in Apache
Links: SUSE 8.2, SUSE 9.0
ID: ae-200402-048

Apache-contrib is a collection of third-party modules contributed to the Apache HTTP server project. An update fixes some buffer overflows which might be exploited by remote attackers. Additionally, the insecure handling of files in the Apache module mod_gzip has been fixed, as well as a bug in mod_auth_shadow which did not handle the validity period of accounts correctly.

System: Several
Topic: Vulnerability in mutt
Links: Mutt, RHSA-2004-050, RHSA-2004-051, MDKSA-2004:010, SSA:2004-043-01, TSL-2004-0006
ID: ae-200402-047

Several Linux distributions show a remotely exploitable vulnerability in mutt, a text based mail user agent. This vulnerability is in the index menu code of mutt. A remote attacker could send a carefully crafted mail message that can cause mutt to segfault and possibly execute arbitrary code as the victim. It's recommended to install the corresponding patch.

System: Turbolinux
Topic: Vulnerabilities in XFree86 and slocate fixed
Links: TLSA-2004-5, TLSA-2004-6, OAR-2004:0199
ID: ae-200402-046

XFree86 is an implementation of the X Window System, providing the core graphical user interface and video drivers. Two buffer overflows have been discovered in the parsing of the 'font.alias' file. A local attacker could exploit this vulnerability by creating a carefully-crafted file and gain root privileges in this way.
The main program of slocate 2.6, and possibly other versions as well, has a heap-based buffer overflow. So local users might gain privileges via a modified slocate database that causes a negative "pathlen" value to be used.
Both problems can be fixed now for Turbolinux also.

System: Microsoft Windows
Topic: Malicious E-Mail titled "Police investigation"
Links: AL-2004.03
ID: ae-200402-045

AusCERT has become aware of an E-Mail with the subject "Police investigation" circulating in Australia and overseas which is used to entice the reader to visit a malicious web site. This web site contains executable Java code which, if successfully executed, will install a trojan program which in turn captures keystrokes when the user visits particular banking related web sites. This malicious web site attempts to exploit a vulnerability in the Microsoft Virtual Machine (VM), for which Microsoft has released a patch on April 9, 2003 with security bulletin MS03-011.

System: Debian GNU/Linux
Topic: Vulnerability in gnupg
Links: DSA-429, ESB-2004.0128
ID: ae-200402-044

GnuPG is software for encrypting and signing data, e.g. E-Mail. A bug in the way GnuPG creates and uses ElGamal keys for signing has been fixed now. Due to this bug, a significant security failure can lead to a compromise of almost all ElGamal keys used for signing. The update provided in DSA 429-1 disables the use of this type of key as an interim fix. This update, DSA 429-2, implements a more correct and permanent fix.

System: Some
Topic: Vulnerability in Novell iChain Telnet Service
Links: O-080, ESB-2004.0146
ID: ae-200402-043

A key component of the Novell Nsure secure identity management solution, Novell iChain controls access to application, Web and network resources across technical and organizational boundaries. iChain separates security from individual applications and Web servers. This enables single-point, policy-based management of authentication and access privileges throughout the Net. A remote attacker can connect and provide an arbitrary password to obtain unauthorized access. The telnet server is enabled by default, and cannot be disabled. So it's strongly recommended to install iChain 2.2 Field Patch 3b version 2.2.116.

System: Mandrake Linux
Topic: Vulnerabilities in XFree86 and mailman
Links: MDKSA-2004:012, MDKSA-2004:013, OAR-2004:0184, OAR-2004:0186
ID: ae-200402-042

For the known problem in XFree86 a patch is now also available for Mandrake Linux. A cross-site scripting vulnerability was discovered in mailman's administration interface in version 2.1 releases earlier than 2.1.4. In versions earlier than 2.1.3 another cross-site scripting vulnerability was found in mailman's 'create' CGI script. Certain malformed email commands could cause the mailman process to crash in version 2.0 releases earlier than 2.0.14.

System: Mandrake Linux
Topic: Vulnerabilities in mutt and netpbm
Links: MDKSA-2004:010, MDKSA-2004:011, OAR-2004:0172
ID: ae-200402-041

Mutt, a text based mail user agent, shows a remotely exploitable vulnerability. This vulnerability is in the index menu code of mutt. A remote attacker could send a carefully crafted mail message that can cause mutt to segfault and possibly execute arbitrary code as the victim.
Netpbm is a graphics conversion toolkit. It consists of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Patches to fix these vulnerabilities are available now.

System: Red Hat Linux
Topic: Vulnerabilities in PWLib and XFree86
Links: RHSA-2004-047, RHSA-2004-048, RHSA-2004-059, RHSA-2004-060, RHSA-2004-061, CAN-2004-0097, CAN-2004-0083, CAN-2004-0084, CAN-2004-0106, O-081, ESB-2004.0127, ESB-2004.0124, ESB-2004.0125, ESB-2004.0126, ESB-2004.0132
ID: ae-200402-040

PWLib is a cross-platform class library designed to support the OpenH323 project. Several bugs in PWLib were found that may lead to denial of service conditions.
XFree86 is an implementation of the X Window System, providing the core graphical user interface and video drivers. Two buffer overflows have been discovered in the parsing of the 'font.alias' file. A local attacker could exploit this vulnerability by creating a carefully-crafted file and gain root privileges this way.
Fixed packages are available now.

System: Debian GNU/Linux
Topic: cgiemail as open mail relay
Links: DSA-437, ESB-2004.0119
ID: ae-200402-039

A vulnerability has been discovered in cgiemail. This is a CGI program used to email the contents of an HTML form, whereby it could be used to send email to arbitrary addresses. This type of vulnerability is commonly exploited to send unsolicited commercial email (spam). It can be fixed by installing a patch.

System: SCO OpenLinux
Topic: Vulnerability in slocate
Links: CSSA-2004-001, OAR-2004:0170
ID: ae-200402-038

The main program of slocate 2.6, and possibly other versions as well, has a heap-based buffer overflow. So local users might gain privileges via a modified slocate database that causes a negative "pathlen" value to be used. This can be fixed now by applying a patch.

System: Conectiva Linux
Topic: Vulnerabilities in vim and gaim
Links: GG#059, CLA-2004:812, CLA-2004:813, OAR-E01-2004.0161, OAR-E01-2004.0165
ID: ae-200402-037

Vim is a highly configurable text editor. It is an improved version of the vi editor distributed with most UNIX systems. There is a vulnerability in vim that can be exploited to execute arbitrary commands when the user opens a text file specially crafted by an attacker. The vulnerability resides in the "modelines" feature, which allows one to place some VIM commands inside of a text file. A patch is available now.
As reported quite a time before (e.g. ae-200401-077), several vulnerabilities in GAIM have been found. Now, patches for Conectiva Linux are also available.

System: SGI Advanced Linux Environment
Topic: Several vulnerabilities fixed
Links: SGI-20040201-01, OAR-2004:0166
ID: ae-200402-036

SGI has released Patch 10050: SGI Advanced Linux Environment security update #10, which includes updated RPMs for SGI ProPack v2.3 for the SGI Altix family of systems. Problems fixed concern slocate, util-linux, mc, NetPBM, Gaim, and mailman. It's strongly recommended to install this update.

System: Sun Solaris
Topic: Multiple vulnerabilities in Sun Cluster (SunPlex)
Links: Sun Alert 57475, ESB-2004.0118, ESB-2004.0129, ESB-2004.160
ID: ae-200402-035

On systems running Sun Cluster 3.x with SunPlex Manager configured, a remote unprivileged user (who has obtained "root" privileges) may cause a Denial-of-Service (DoS) and arbitrary code execution due to multiple vulnerabilities in OpenSSL Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. These vulnerabilities are described in CA-2003-26. Now, Sun Microsystems has published new patches to solve these problems.

System: Various
Topic: Vulnerability in XFree86
Links: iDEFENSE #72, ESB-2004.0116, RHSA-2004-059, RHSA-2004-060, RHSA-2004-061, SSA:2004-043-02, MDKSA-2004:012, OpenBSD, TLSA-2004-5, IMNX-2004-73-002-01, CLA-2004:821, DSA-443, ESB-2004.0153, SuSE-2004_06
ID: ae-200402-034

XFree86 provides a client/server interface between display hardware (e.g. the mouse, keyboard, and video displays) and the desktop environment while also providing both the windowing infrastructure and a standardized application interface (API). XFree86 is platform independent, network-transparent and extensible. A problem exists in the parsing of the 'font.alias' file. The X server (running as root) fails to check the length of user provided input. So a malicious user may craft a malformed 'font.alias' file causing a buffer overflow upon parsing, eventually leading to the execution of arbitrary code with the privileges of root. A patch for all systems is available now.

System: Red Hat Linux
Topic: Vulnerability in mutt
Links: RHSA-2004-050, RHSA-2004-051, ESB-2004.0122, ESB-2004.0123
ID: ae-200402-033

Red Hat Linux 9 and Enterprise Linux show a remotely exploitable vulnerability in mutt, a text based mail user agent. This vulnerability is in the index menu code of mutt. A remote attacker could send a carefully crafted mail message that can cause mutt to segfault and possibly execute arbitrary code as the victim. It's recommended to install the patch, which is available now.

System: Sun Solaris 8/9
Topic: Vulnerability in Apache
Links: Sun Alert 57496, OAR-2004:0178
ID: ae-200402-032

Apache is a famous Web server and is delivered with Sun Solaris 8 and 9. A local or remote unprivileged user may be able to execute arbitrary code with the privileges of the Apache HTTP process on Solaris 8 and Solaris 9 systems when running the bundled version of Apache. This is due to a buffer overflow in the Apache modules "mod_alias" and "mod_rewrite". Sun has published patches for an upgrade to version 1.3.29 and 2.0.48, respectively.

System: Various
Topic: Vulnerability in Samba 3.0
Links: O-078, ESB-2004.0117, RHSA-2004-064, ESB-2004.0133
ID: ae-200402-031

Samba 3.0 is susceptible to a password initialization bug that could grant an attacker unauthorized access to a user account created by the mksmbpasswd.sh shell script. Samba version 3.0.2 fixes this problem.

System: Microsoft Windows
Topic: Vulnerability in ASN.1
Links: MS04-007, AD20040210, AD20040210-2, VU#583108, VU#216324, TA04-041A, ESB-2004.0113, Symantec, ISS-164, S-04-008
ID: ae-200402-030

No further comment due to Microsoft insisting on their copyright on advisories.

System: Microsoft Windows Server
Topic: Vulnerability in WINS
Links: MS04-006, VU#445214, O-077, ESB-2004.0115, Symantec
ID: ae-200402-029

No further comment due to Microsoft insisting on their copyright on advisories.

System: Mac
Topic: Vulnerability in Virtual PC for Mac
Links: @stake, MS04-005, VU#987118, O-076, ESB-2004.0114
ID: ae-200402-028

No further comment due to Microsoft insisting on their copyright on advisories.

System: HP-UX
Topic: Vulnerabilities in BIND
Links: SSRT3622, OAR-2004:0155
ID: ae-200402-027

Some (well known) vulnerabilities in BIND concerning ASN.1 encodings, malformed public keys and an error in the SSL/TLS protocol handling have now also been fixed for HP-UX B.11.11. So an updated version of BIND 9.2 is available for this system.

System: Red Hat Linux
Topic: Vulnerabilities in GAIM
Links: RHSA-2004-045, ESB-2004.0112
ID: ae-200402-026

As reported quite a time before (e.g. ae-200401-077), several vulnerabilities in GAIM have been found. Now, patches for Red Hat Enterprise Linux 2.1 are also available.

System: Sun Solaris
Topic: Revised patches for vulnerability in CDE DtHelp available
Links: Sun Alert 57414, ESB-2004.0110
ID: ae-200402-025

A possible buffer overflow in CDE DtHelp might allow local users to gain root access. Now, Sun Microsystems has published revised patches to solve this problem.

System: Several systems
Topic: New ISS Summary
Links: AS04-06
ID: ae-200402-024

Within the last week 55 new vulnerabilities have been reported:

- crawl-long-environment-bo
- linux-ixj-bo
- webcrossing-contentlength-post-dos
- phpx-main-help-xss
- oracle-multiple-function-bo
- xlight-long-string-dos
- aproxphpportal-index-directory-traversal
- xcart-perlbinary-execute-commands
- xcart-dotdot-directory-traversal
- crob-dir-directory-traversal
- aas-longhttp-request-dos
- solaris-tcsetattr-dos
- win-linux-smbmount-dos
- phpx-subject-html-injection
- surgeftp-web-interface-dos
- mambo-itemid-xss
- chaser-memory-dos
- overkill-client-multiple-bo
- radius-radprintrequest-dos
- basomail-multiple-connection-dos
- caravan-dotdot-directory-traveral
- discuzboard-image-tag-xss
- cactushoplite-backdoor
- freebsd-mksnapffs-bypass-security
- isearch-isearchincphp-file-include
- apache-httpd-bypass-restriction
- chatterbox-dos
- ichain-tcp-gain-access
- openjournal-uid-admin-access
- realoneplayer-multiple-file-bo
- photopostphp-sql-injection
- thephototool-login-sql-injection
- bsd-shmat-gain-privileges
- lescommentaires-multiple-file-include
- phpx-cookie-account-hijacking
- bugport-obtain-information
- libtool-insecure-temp-directory
- openbsd-ipv6-dos
- webblog-file-command-execution
- rxgoogle-query-xss
- cloudscape-sql-injection
- solaris-bsm-sunwscpu-weak-security
- tunez-multiple-sql-injection
- reviewpostpro-showproduct-sql-injection
- utillinux-information-leak
- gbook-message-html-injection
- apachessl-default-password
- suidperl-obtain-information
- forumwebserver-multiple-xss
- sqwebmail-login-info-disclosure
- phpmyadmin-dotdot-directory-traversal
- xcart-generalphp-obtain-information
- overkill-server-parsecommandline-bo
- cisco-malformed-frame-dos
- typsoft-empty-username-dos

System: Debian GNU/Linux
Topic: Vulnerabilities in mailman
Links: DSA-436, CAN-2003-0991, CAN-2003-0965, CAN-2003-0038, ESB-2004.0105, ESB-2004.0155
ID: ae-200402-023

Mailman is a mailing list manager. Cross-site scripting bugs were discovered in the admin interface and via certain CGI parameters. In addition certain malformed email commands could cause the mailman process to crash. Fixed packages are available now.

System: OpenBSD
Topic: Vulnerability when using IPv6
Links: OpenBSD, ESB-2004.0103
ID: ae-200402-022

An IPv6 MTU handling problem has been found. An attacker might be able to cause a Denial-of-Service attack against hosts with reachable IPv6 TCP ports. A patch fixes this problem.

System: Debian GNU/Linux
Topic: Vulnerability in mpg123
Links: DSA-435, ESB-2004.0104
ID: ae-200402-021

A vulnerability was discovered in mpg123, a command-line mp3 player, whereby a response from a remote HTTP server could overflow a buffer allocated on the heap, potentially permitting execution of arbitrary code with the privileges of the user invoking mpg123. In order for this vulnerability to be exploited, mpg321 would need to request an mp3 stream from a malicious remote server via HTTP. This problem can be fixed by a patch, which has been published now.

System: Conectiva Linux
Topic: Vulnerability in libtool
Links: CLA-2004:811, OAR-E01-2004.0150
ID: ae-200402-020

GNU libtool consists of a set of shell scripts used to build shared libraries. There is a vulnerability in the way the ltmain.sh script as part of the libtool package creates temporary directories for its use. So a local attacker might exploit this vulnerability to change or delete arbitrary files in the system on behalf of the user who is calling the script. This vulnerability has been fixed in the 1.5.2 version of libtool.

System: Various
Topic: Vulnerabilities in RealOne Player and RealPlayer 8
Links: NGSSoftware, Real, O-075, ESB-2004.0109
ID: ae-200402-019

Three vulnerabilities have been detected in the RealPlayer. It's possible to run remote JavaScript from the domain of the URL opened by a SMIL file or other file, and to craft RMP files which allow an attacker to download and execute arbitrary code on a user's machine. Additionally, buffer overruns can be triggered by crafted media files. A patch fixes these problems.

System: VMware ESX Server
Topic: Vulnerability in kernel
Links: OAR-E01-2004.0139, CAN-2003-0985, VU#301156
ID: ae-200402-018

A flaw in bounds checking in the do_brk() function in the Linux kernel can allow a local attacker to gain root privileges. This issue is known to be exploitable; an exploit has been seen in the wild that takes advantage of this vulnerability. Fixed kernels are available now.

System: OpenBSD, FreeBSD
Topic: Vulnerability in shmat
Links: OpenBSD, FreeBSD-SA-04:02, ESB-2004.0099, ESB-2004.0102
ID: ae-200402-017

The System V Shared Memory interface provides primitives for sharing memory segments between separate processes. The shmat(2) system call is used to attach a shared memory segment to the calling process's address space. It may be possible to cause a shared memory segment to reference unallocated kernel memory, but remain valid. This could allow a local attacker to gain read or write access to a portion of kernel memory, resulting in sensitive information disclosure, bypass of access control mechanisms, or privilege escalation. A patch is available now.

System: Various
Topic: Vulnerability in GNU Radius
Links: ESB-2004.0096, VU#277396
ID: ae-200402-016

Radius is a server for remote user authentication and accounting. Remote exploitation of a denial of service condition within GNU Radius can allow an attacker to crash the service. This vulnerability has been fixed in GNU Radius version 1.2.

System: Check Point VPN-1 4.1
Topic: Vulnerability in VPN-1/SecureClient ISAKMP
Links: Check Point, ISS Alert, O-073, ESB-2004.0095, VU#873334
ID: ae-200402-015

A buffer overflow vulnerability has been identified in the ISAKMP processing for both the Check Point VPN-1 Server and VPN Client (Securemote/SecureClient). A remote attacker could gain root access to the VPN-1 server, which could then allow possible compromises to other systems on the network. Check Point will not be patching this vulnerability since the software is no longer supported. Instead, they recommend upgrading to VPN-1 NG.

System: Turbolinux
Topic: Vulnerability in kdepim
Links: TLSA-2004-4, KDE, CAN-2003-098, VU#820798, OAR-2004:0144
ID: ae-200402-014

The K Desktop Environment (KDE) is a graphical desktop for the X Window System. The KDE Personal Information Management (kdepim) suite helps to organize mail, tasks, appointments, and contacts. A buffer overflow in the file information reader of VCF files has been found. So an attacker can construct a VCF file so that, when it is opened by a victim, it executes arbitrary commands. This can be prevented by installing the latest patch.

System: Red Hat Linux
Topic: Vulnerabilities in mailman
Links: RHSA-2004-019, RHSA-2004-020, CAN-2003-0965, CAN-2003-0992, O-074, ESB-2004.0100, ESB-2004.0107, ESB-2004.0111
ID: ae-200402-013

Mailman is a mailing list manager. Cross-site scripting bugs were discovered in the admin interface and the 'create' CGI script. Fixed packages are available now.

System: Mandrake Linux
Topic: Vulnerability in glibc
Links: MDKSA-2004:009, RHSA-2002-197, OAR-2004:0148
ID: ae-200402-012

A read buffer overflow vulnerability exists in the resolver code in versions of glibc. The vulnerability is triggered by DNS packets larger than 1024 bytes, which can cause an application to crash. A patch to fix this vulnerability is available now.

System: Check Point VPN-1 / Firewall-1
Topic: Vulnerability in HTTP Security Server
Links: Check Point, ISS Alert, TA04-036A, O-072, ESB-2004.0093, ESB-2004.0097, VU#790771
ID: ae-200402-011

Several format string vulnerabilities were found in Check Point Firewall-1. If the HTTP Security Server is used, a remote unauthenticated attacker may exploit one of these vulnerabilities and execute commands under the security context of the super-user, usually "SYSTEM", or "root". This attack may lead to direct compromise of the Firewall-1 server. A hotfix is available now.

System: Sun Solaris
Topic: Vulnerability in BSM
Links: Sun Alert 57483, O-070, ESB-2004.0093
ID: ae-200402-010

Solaris systems with Basic Security Module (BSM) enabled which have been security hardened may have had the SUNWscpu package removed. If this is the case, the BSM audit_warn script will not e-mail any errors or warning messages generated by the audit daemon (auditd). The SUNWCscp cluster provides source compatibility support for Solaris 1.0 (previously known as SunOS 4.X) and the SUNWscpu package contains the mail command which the BSM audit_warn relies on. A patch addressing this problem has been published now.

System: Cisco 6000/6500/7600
Topic: Vulnerabilities in Layer 2
Links: Cisco, OAR-2004:0138
ID: ae-200402-009

A layer 2 frame that is encapsulating a protocol independent layer 3 packet (IP, IPX, etc.) may cause Cisco 6000/6500/7600 series systems with an MSFC2 to freeze or reset. The actual length of the layer 2 frame needs to be inconsistent with the length of the encapsulated layer 3 packet. A layer 3 packet that is routed by the Cisco 6000/6500/7600 series systems may trigger this vulnerability if the packet is encapsulated in a specifically crafted layer 2 frame. Crafted packets must be software switched on the vulnerable systems to trigger this vulnerability. The packets that are switched in hardware will not trigger this vulnerability. Fixes are available now and should be installed.
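The condition the advisory describes, a layer 2 frame whose length does not match the length of the IPv4 packet it carries, is something a capture analyser or IDS can check for. The following is an added example, not Cisco's code or anything from the advisory: a small Python routine that parses an Ethernet II frame, reads the Total Length field of the encapsulated IPv4 header and reports whether the two lengths agree, treating only minimum-size padding as acceptable excess. The frame builder, the MAC and IP addresses and the function names are constructions for this example.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
MIN_ETH_PAYLOAD = 46   # 60-byte minimum frame (without FCS) minus the 14-byte header


def build_frame(payload_len, claimed_total_len):
    """Constructed test frame for this example: Ethernet II header plus a
    minimal IPv4 header whose Total Length field is set to claimed_total_len,
    followed by payload_len filler bytes.  Addresses are placeholders."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, claimed_total_len,   # version/IHL, TOS, total length
                     0, 0,                         # identification, flags/fragment offset
                     64, 17, 0,                    # TTL, protocol (UDP), checksum (left unset)
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + b"\x00" * payload_len


def check_l2_l3_consistency(frame):
    """Return (consistent, reason) for an Ethernet II frame carrying IPv4.

    The IPv4 Total Length must fit inside the layer 2 payload, and any extra
    layer 2 bytes are acceptable only as padding up to the minimum frame size.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return False, "frame too short for Ethernet and IPv4 headers"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return True, "not IPv4; no IPv4 length check applies"
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    l2_payload = len(frame) - ETH_HDR_LEN
    if ihl < 20:
        return False, f"IPv4 header length {ihl} below the 20-byte minimum"
    if total_len < ihl:
        return False, f"IPv4 total length {total_len} smaller than its header ({ihl})"
    if total_len > l2_payload:
        return False, f"IPv4 total length {total_len} exceeds layer 2 payload {l2_payload}"
    if l2_payload > max(total_len, MIN_ETH_PAYLOAD):
        return False, f"{l2_payload - total_len} trailing bytes beyond the IPv4 packet"
    return True, "layer 2 and layer 3 lengths agree"


if __name__ == "__main__":
    # Constructed cases: matching lengths, an L3 length larger than the frame,
    # an L3 length shorter than the frame, and legitimate minimum-size padding.
    for label, frame in (("matching", build_frame(100, 120)),
                         ("L3 longer than L2", build_frame(100, 1500)),
                         ("L3 shorter than L2", build_frame(100, 50)),
                         ("padded short frame", build_frame(26, 30))):
        ok, reason = check_l2_l3_consistency(frame)
        print(f"{label:20s} -> {'ok' if ok else 'INCONSISTENT'}: {reason}")
```

The padding allowance matters in practice: small packets are legitimately padded to the 60-byte minimum frame size, so a check that flags every surplus byte would be noisy, while one that ignores all surplus would miss the short-packet-in-long-frame case.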

System: Red Hat Enterprise Linux
Topic: Vulnerabilities in util-linux and kernel
Links: RHSA-2004-056, RHSA-2004-044, VU#801526, ESB-2004.0088, ESB-2004.0089
ID: ae-200402-008

The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. In some situations, the login program could use a pointer that had been freed and reallocated. This could cause unintentional data leakage. Note that Red Hat Enterprise Linux 3 is not vulnerable to this issue. It's recommended that all users upgrade to these updated packages, which are not vulnerable to this issue.
Additionally, updated kernel packages are now available that fix a few security issues, an NFS performance issue, and an e1000 driver loading issue introduced in Update 3.

System: Debian GNU/Linux
Topic: Vulnerability in crawl
Links: DSA-432, OAR-2004:0137
ID: ae-200402-007

A problem in crawl, another console based dungeon exploration game, has been found. The program uses several environment variables as inputs but doesn't apply a size check before copying one of them into a fixed size buffer. To prevent a buffer overflow, it's recommended to install the patched version now.

System: Several applications
Topic: Possible Denial-of-Service caused by decompression bomb
Links: AERAsec/decompression-bomb-vulnerability
ae-200401-020, BugTraq, SecurityFocus/Bugtraq VulnID 9393, FullDisclosure, Packet Storm,
HeiseNews, Heise PDA, Handelsblatt, KES, ComputerBase, KoSiB, IT-Audit,
PCWorld, TechWorld, InfoWorld.com, InfoWorld NL, ITworld, Computerworld, Business Network Communications, bmonday(dot)com, IDG SE, IDG SG, NetworkWorldFusion, ForbiddenWeb, TrimMail, YOZ, InformIT, DataCompression, The Spam Weblog,
LinuxNews PL, Kitetoa, PTnix, Radium Software Development JP,
Mozilla/Bugzilla#233262, amavisd-new
ID: ae-200402-006

Further investigations after publication of the problems with bzip2 bombs in antivirus scanner software brought interesting results. Several other applications also have no anomaly detection when opening compressed data. This mostly causes a crash or a filled-up temporary directory, which in many cases leads to an unusable system. We have investigated some applications (antivirus scanners, web browsers, image manipulation and office programs) and published the results in our Advisory.
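The missing anomaly detection referred to above is, in essence, a missing bound on how much output a decompressor is allowed to produce. As an added example that is not part of the AERAsec advisory or of any of the products it examined, the following Python function inflates a bzip2 stream in bounded chunks and stops as soon as either an absolute output cap or a compression-ratio cap is exceeded, which is the check an application should run before unpacking to memory or to a temporary directory. The sample inputs (a run of zero bytes standing in for a bomb, seeded pseudo-random bytes as benign data), the limits and the function names are constructed for this example.

```python
import bz2
import random

# Constructed sample inputs for this example (not from the advisory):
#  - BOMB: 4 MiB of zero bytes, which bzip2 squeezes into a few hundred bytes
#    at most; it stands in for the decompression bombs discussed above.
#  - BENIGN: pseudo-random bytes from a fixed seed, which hardly compress.
BOMB_PLAINTEXT = b"\x00" * (4 * 1024 * 1024)
BOMB = bz2.compress(BOMB_PLAINTEXT)
BENIGN_PLAINTEXT = random.Random(1234).randbytes(20_000)
BENIGN = bz2.compress(BENIGN_PLAINTEXT)


class DecompressionBombError(ValueError):
    """Raised when inflating the stream would exceed the configured limits."""


def bounded_bz2_decompress(data, max_output, max_ratio=100.0, chunk=64 * 1024):
    """Inflate a bzip2 stream in bounded chunks.

    Stops with DecompressionBombError as soon as the output would exceed
    max_output bytes or max_ratio times the compressed size, so neither
    memory nor the temporary directory can be filled by a tiny input.
    Raises ValueError on a truncated stream (the bz2 module itself raises
    OSError on corrupt data).  Limits and names are this example's own.
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data            # compressed bytes not yet handed to the decoder
    while not dec.eof:
        if dec.needs_input and not pending:
            raise ValueError("truncated bzip2 stream")
        # max_length bounds how much the decoder may emit per call; unconsumed
        # input stays buffered inside the decoder object until the next call.
        out += dec.decompress(pending, max_length=chunk)
        pending = b""
        if len(out) > max_output:
            raise DecompressionBombError(
                f"output would exceed {max_output} bytes")
        if len(out) > max_ratio * len(data):
            raise DecompressionBombError(
                f"compression ratio exceeds {max_ratio:.0f}:1")
    return bytes(out)


def classify(data, max_output=1024 * 1024, max_ratio=100.0):
    """Return 'ok', 'bomb' or 'corrupt' for a bzip2 stream: the verdict a
    scanner or browser would want before unpacking the data anywhere."""
    try:
        bounded_bz2_decompress(data, max_output, max_ratio)
    except DecompressionBombError:
        return "bomb"
    except (ValueError, OSError):
        return "corrupt"
    return "ok"


if __name__ == "__main__":
    for name, blob in (("bomb", BOMB), ("benign", BENIGN)):
        print(f"{name}: {len(blob)} compressed bytes -> {classify(blob)}")
```

The ratio cap catches the classic bomb early (the first 64 KiB chunk already exceeds 100 times the size of a few-hundred-byte input), while the absolute cap protects against large but moderately compressed inputs that would still exhaust the space available; a real scanner would size both limits to the resources it is willing to spend per file.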

System: Microsoft Windows
Topic: Vulnerabilities in Microsoft Internet Explorer
Links: MS04-004, TA04-033A, VU#413886, VU#784102, O-068, ESB-2004.0083, S-04-007, ESB-2004.0091
ID: ae-200402-005

No further comment due to Microsoft insisting on their copyright on advisories.

System: HP OpenVMS
Topic: Vulnerability in BIND
Links: SSRT3653, VU#734644, ESB-2004.0084
ID: ae-200402-004

A potential security vulnerability has been identified in HP TCP/IP for HP OpenVMS Bind 8 software that may result in a local or remote user creating a Denial of Service (DoS). It's recommended to install the corresponding patch, which is available now.

System: Various
Topic: Vulnerability in netpbm
Links: VU#487102, CAN-2003-0924, RHSA-2004-031, RHSA-2004-030, ESB-2004.0101, ESB-2004.0108, SUSE 9.0, SUSE 8.2, MDKSA-2004:011
ID: ae-200402-003

netpbm is a graphics conversion toolkit. It consists of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool. This can be avoided by installing the latest version.

System: Several systems
Topic: New ISS Summary
Links: AS04-05
ID: ae-200402-002

Within the last week 66 new vulnerabilities have been reported:

- gaim-urlparser-bo
- cherokee-error-xss
- proxynow-get-bo
- tinyserver-string-dos
- mbedthis-multiple-dos
- inlook-file-information-disclosure
- informix-onedcu-symlink-attack
- gaim-mime-decoder-bo
- macosx-safari-unknown
- gaim-extractinfo-bo
- servu-chmodcommand-execute-code
- mailsweeper-smtp-rar-dos
- gaim-mime-decoder-oob
- blackice-blackdexe-bo
- gaim-sscanf-oob
- phpgedview-editconfiggedcom-file-include
- dotnetnuke-get-information-disclosure
- oraclehttpserver-isqlplus-xss
- informix-ontape-binary-bo
- gaim-yahoopacketread-keyname-bo
- gaim-login-value-bo
- coldfusion-mx-request-dos
- bremsserver-xss
- dotnetnuke-multiple-sql-injection
- tinyserver-xss
- gallery-gallerybasedir-file-include
- gaim-http-proxy-bo
- intraforum-intraforumcgi-xss
- ie-clsid-file-extension-spoofing
- epolicy-contentlength-post-dos
- informix-ids-glpath-bo
- gaim-login-name-bo
- suse-multiple-symlink-attack
- bodington-uploadarea-obtain-information
- cvsup-rpath-gain-privileges
- bremsserver-dotdot-directory-traversal
- wwwform-xss
- informix-onshowaudit-information-disclosure
- weblogic-configxml-plaintext-password
- mydoom-worm
- solaris-pfexec-gain-privileges
- macosx-configd-file-manipulation
- tinyserver-dotdot-directory-traversal
- kerio-pf-gain-privileges
- coldfusion-mx-sandbox-bypass
- macosx-mail-undisclosed
- bws-directory-traversal
- gaim-yahoodecode-offbyone-bo
- gaim-directim-bo
- pjcgineoreview-dotdot-directory-traversal
- dotnetnuke-editmoduleaspxxss
- weblogic-trace-xs
- macosx-trublue-environmentvariable-bo
- surfnow-get-dos
- weblogic-operator-gain-access
- webweaver-isapiskeleton-xss
- gaim-yahoowebpending-cookie-bo
- finjan-surfingate-execute-commands
- ibm-netdata-db2wwwcomponent-xss
- weblogic-boot-password-disclosure
- win-folder-execute-code
- trr19-gain-privileges
- reptilewebserver-get-dos
- webblog-dotdot-directory-traversal
- nextplace-multiple-xss
- informix-informixdir-format-string

System: Debian GNU/Linux
Topic: Vulnerability in suidperl
Links: DSA-431, ESB-2004.0080, ESB-2004.0286
ID: ae-200402-001

Suidperl is a helper program to run Perl scripts with setuid privileges. A number of similar bugs in suidperl have been found now. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users. It's recommended to install the patch which has been published now.

(c) 2000-2014 AERAsec Network Services and Security GmbH