AERAsec
Network Security
Current Security Messages


Most of the links lead to the corresponding files at CERT or other organisations, so changes made there take effect here immediately, in particular which patches should be installed or which configuration changes should be made to avoid a vulnerability. Some of the files are transferred via FTP.

By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!


Chosen month 04 / 2005

System: Mandrake Linux
Topic: Vulnerabilities in perl and xpm
Links: MDKSA-2005:079, CAN-2005-0448, MDKSA-2005:080, MDKSA-2005:081, CAN-2005-0605
ID: ae-200504-083

A vulnerability was discovered in the rmtree() function in File::Path.pm. While a process running as root (or another user) was busy deleting a directory tree, a different user could exploit a race condition to create setuid binaries in this directory tree, provided that he already had write permissions in any subdirectory of that tree.
An integer overflow flaw was found in libXPM, which is used by some applications for loading of XPM images. An attacker could create a malicious XPM file that would execute arbitrary code via a negative bitmap_unit value if opened by a victim using an application linked to the vulnerable library.
Fixed packages are available now.
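The rmtree() race described above is a time-of-check/time-of-use problem: the tree walker resolves a path name, and an attacker with write access to a subdirectory swaps a component for a symlink (or renames directories) between that lookup and the unlink or chmod, so the privileged process acts on something outside the tree. The following Python is an added example, not code from the Perl module or from Mandrake; it shows the standard mitigation for this class of bug using descriptor-relative calls: open each directory with O_NOFOLLOW, confirm by device and inode that the directory opened is the one just listed, and never operate on a full path once the walk has begun. The demo() and refuses_symlink_root() scenarios and all paths in them are constructed in fresh temporary directories.

```python
import os
import stat
import tempfile


def _remove_tree_fd(dir_fd):
    """Delete everything below an already-open directory descriptor.

    All operations are relative to dir_fd (the *at syscalls), so renaming a
    parent directory while this runs cannot redirect the deletion elsewhere.
    """
    for name in os.listdir(dir_fd):
        st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
        if stat.S_ISDIR(st.st_mode):
            # Open the child without following symlinks; if the attacker swapped
            # the directory for a symlink after our lstat, this fails with ELOOP.
            child_fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY,
                               dir_fd=dir_fd)
            try:
                # The check the vulnerable rmtree() lacked: the directory we hold
                # open must be the same inode we just listed.
                ost = os.fstat(child_fd)
                if (ost.st_dev, ost.st_ino) != (st.st_dev, st.st_ino):
                    raise OSError("directory %r changed during removal" % name)
                _remove_tree_fd(child_fd)
            finally:
                os.close(child_fd)
            os.rmdir(name, dir_fd=dir_fd)
        else:
            # A symlink is a plain entry here: unlink removes the link, never its target.
            os.unlink(name, dir_fd=dir_fd)


def safe_rmtree(path):
    """Remove a directory tree without following symlinks or trusting path names."""
    top = os.lstat(path)
    if not stat.S_ISDIR(top.st_mode):
        raise NotADirectoryError(path)
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    try:
        ost = os.fstat(fd)
        if (ost.st_dev, ost.st_ino) != (top.st_dev, top.st_ino):
            raise OSError("%r changed before it could be opened" % path)
        _remove_tree_fd(fd)
    finally:
        os.close(fd)
    os.rmdir(path)


def demo():
    """Constructed scenario: a symlink planted inside the tree points at a
    directory outside it (the attacker's target).
    Returns (tree_removed, outside_file_survived)."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim")      # the tree being deleted
    outside = os.path.join(base, "outside")    # attacker-chosen target
    os.makedirs(os.path.join(victim, "sub"))
    os.makedirs(outside)
    keep = os.path.join(outside, "keep.txt")
    with open(keep, "w") as f:
        f.write("must survive\n")
    os.symlink(outside, os.path.join(victim, "sub", "link"))
    safe_rmtree(victim)
    return (not os.path.lexists(victim), os.path.exists(keep))


def refuses_symlink_root():
    """Constructed check: a symlink handed in as the tree root is rejected and
    the directory it points at is left alone."""
    base = tempfile.mkdtemp()
    real = os.path.join(base, "real")
    os.makedirs(real)
    link = os.path.join(base, "lnk")
    os.symlink(real, link)
    try:
        safe_rmtree(link)
        return False
    except OSError:
        return os.path.isdir(real)


if __name__ == "__main__":
    print(demo())                  # (True, True)
    print(refuses_symlink_root())  # True
```

The dev/ino comparison is the part that matters: O_NOFOLLOW alone stops symlinks, but not a directory that is renamed out of the tree and replaced between the listing and the open. Modern shutil.rmtree() uses the same descriptor-relative approach on platforms that support it.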

System: Various
Topic: Vulnerability in HP OpenView Radia Management Portal/Agent
Links: HPSBMA01138 / SSRT5958, P-196, ESB-2005.0351
ID: ae-200504-082

A security vulnerability has been identified with HP OpenView Radia Management Portal (RMP) versions 2.x and 1.x running Radia Management Agent (RMA). This security vulnerability could be exploited to allow a remote unauthorized user to gain privileged access or to create a Denial of Service (DoS). Patches are available now.

System: SGI IRIX
Topic: Vulnerabilities in telnet
Links: 20050405-01-P, CAN-2005-0468, CAN-2005-0469, ESB-2005.0349
ID: ae-200504-081

Vulnerabilities were found in the functions env_opt_add() and slc_add_reply() of the telnet client. Patches are available now.

System: Red Hat Enterprise Linux
Topic: Vulnerabilities in PHP
Links: RHSA-2005-405, RHSA-2005-406, CAN-2004-1392, CAN-2005-0524, CAN-2005-0525, CAN-2005-1042, CAN-2005-1043, P-197, ESB-2005.0355
ID: ae-200504-080

A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way that it could execute arbitrary instructions when processed by PHP. A denial of service bug was found in the way PHP processes EXIF image headers. Fixed packages are available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in ethereal and prozilla
Links: DSA-718, CAN-2005-0739, ESB-2005.0352,
DSA-719, CAN-2005-0523, ESB-2005.0353
ID: ae-200504-079

A buffer overflow has been detected in the IAPP dissector of Ethereal, a commonly used network traffic analyser. A remote attacker may be able to overflow a buffer using a specially crafted packet.
Several format string problems have been discovered in prozilla, a multi-threaded download accelerator, that can be exploited by a malicious server to execute arbitrary code with the rights of the user running prozilla.
Fixed packages are available now.

System: Sun Solaris
Topic: Vulnerability in libtiff
Links: Sun Alert 57769, CAN-2004-0803, CAN-2004-0804, CAN-2004-0886, CAN-2004-1308, ESB-2005.0344
ID: ae-200504-078

Multiple security vulnerabilities have been found in libtiff(3), a library for reading and writing Tag Image File Format (TIFF) files. Patches are available now.

System: Various
Topic: Vulnerability in Squid
Links: CAN-2005-0718, SQUID-2005_4, SQUID-2005_5, SUSE 9.2, TLSA-2005-53, MDKSA-2005:078, ESB-2005.0358
ID: ae-200504-077

Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher and HTTP data objects. Squid allows remote attackers to cause a denial of service (crash) via a PUT or POST request. Fixed software is available now.

System: Red Hat Enterprise Linux
Topic: Vulnerabilities in sharutils
Links: RHSA-2005-377, CAN-2005-0396, P-194, ESB-2005.0342
ID: ae-200504-076

Several vulnerabilities have been found in the sharutils package. Buffer overflows were found in the handling of the -o option and of the output of the wc command. Exploiting them would require an attacker to coerce a victim into running a specially crafted command on their machine. Also a bug was found in the way unshar creates temporary files. Fixed packages are available now.

System: Turbolinux
Topic: Vulnerabilities in php, krb5, and sharutils
Links: TLSA-2005-50, CAN-2004-1018, CAN-2004-1063, CAN-2004-1064, CAN-2005-0524, CAN-2005-0525, CAN-2005-1042, CAN-2005-1043, TLSA-2005-52, CAN-2005-0468, CAN-2005-0469, TLSA-2005-54, CAN-2004-1772, CAN-2004-1773, CAN-2005-0990
ID: ae-200504-075

Turbolinux has published patches for the packages listed above. Some of the vulnerabilities are critical, so it's recommended to install the updates.

System: Debian GNU/Linux
Topic: Vulnerabilities in kdelibs, gaim, and lsh-utils
Links: DSA-714, CAN-2005-1046, ESB-2005.0339, P-191,
DSA-716, CAN-2005-0472, ESB-2005.0347,
DSA-717, CAN-2003-0826, CAN-2005-0814, ESB-2005.0348
ID: ae-200504-074

Several vulnerabilities were discovered in the PCX and other image file format readers in the KDE core libraries, some of them exploitable to execute arbitrary code.
It has been discovered that certain malformed SNAC packets sent by other AIM or ICQ users can trigger an infinite loop in Gaim.
Several security relevant problems have been discovered in lsh, the alternative secure shell v2 (SSH2) protocol server.
Fixed packages are available now.

System: Various
Topic: Vulnerabilities in MaxDB
Links: iDEFENSE, iDEFENSE, ESB-2005.0336
ID: ae-200504-073

MaxDB, former SAP DB, is a heavy-duty, SAP-certified open source database. Two stack overflow vulnerabilities were found in the web administration service of MaxDB. Patches are available now.

System: Various
Topic: Vulnerability in OpenView Network Node Manager
Links: HPSBMA01125, ESB-2005.0333, P-198, ESB-2005.0361
ID: ae-200504-072

A potential vulnerability has been identified with OpenView Network Node Manager (OV NNM). The vulnerability could be exploited remotely by an unauthorized user to create a Denial of Service (DoS). Patches are available now.

System: Various
Topic: Vulnerability in OpenOffice.org
Links: OpenOffice, CAN-2005-0941, SUSE-SA:2005:025, RHSA-2005-375, P-192, ESB-2005.0340, SGI-20050501-01, MDKSA-2005:082
ID: ae-200504-071

A heap based buffer overflow bug was found in the OpenOffice.org DOC file processor. An attacker could create a carefully crafted DOC file in such a way that it could cause OpenOffice.org to execute arbitrary code when the file was opened by a victim. Fixed software is available now.

System: Microsoft Windows
Topic: Problem with Trend Micro OfficeScan and PC-cilin
Links: TrendMicro #24263, TrendMicro #24264
ID: ae-200504-070

After updating the virus pattern of this anti-virus software to update #594, CPU utilization may rise to 100%. The problem is specific to pattern #594; the latest update, #596, solves it. If an update is not possible, the advisories describe a registry edit as a workaround.

System: Turbolinux
Topic: Vulnerabilities in mysql
Links: TLSA-2005-48, CAN-2005-0709, CAN-2005-0710, CAN-2005-0711
ID: ae-200504-069

Several vulnerabilities have been discovered in MySQL, a popular database. MySQL allows remote authenticated users with INSERT and DELETE privileges to execute arbitrary code. MySQL uses predictable file names when creating temporary tables, which allows local users with CREATE TEMPORARY TABLE privileges to overwrite arbitrary files via a symlink attack. Fixed packages are available now.

System: Various
Topic: Vulnerabilities in Mozilla and Firefox
Links: Mozilla, CAN-2005-0752, CAN-2005-0989, CAN-2005-1153, CAN-2005-1154, CAN-2005-1155, CAN-2005-1156, CAN-2005-1157, CAN-2005-1158, CAN-2005-1159, CAN-2005-1160, RHSA-2005-383, P-190, ESB-2005.0330, RHSA-2005-386, P-193, ESB-2005.0343, RHSA-2005-384, TLSA-2005-49, ESB-2005.0334, SUSE-SA:2005:028
ID: ae-200504-068

Several vulnerabilities were found in the Mozilla and Firefox browsers that may allow a remote attacker to execute arbitrary code and perform other attacks. Fixed software is available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in junkbuster
Links: DSA-713, CAN-2005-1108, CAN-2005-1109, ESB-2005.0331
ID: ae-200504-067

Several bugs have been found in junkbuster, an HTTP proxy and filter. An attacker can modify the referrer setting with a carefully crafted URL, which accidentally overwrites a global variable. Several heap corruptions due to inconsistent use of an internal function can crash the daemon or possibly lead to the execution of arbitrary code. Fixed packages are available now.

System: Various
Topic: Vulnerability in Sun Java System Proxy Server
Links: Sun Alert 57763, ESB-2005.0329
ID: ae-200504-066

A buffer overflow vulnerability in the Sun Java System Web Proxy Server (Formerly Sun ONE Proxy Server) may allow a remote unprivileged user to execute arbitrary code on the system running the Web Proxy Server with the privileges of the server process. Patches are available now.

System: SGI Advanced Linux Environment
Topic: Some potential vulnerabilities fixed
Links: SGI-20050404-01
ID: ae-200504-065

SGI has released Security Update #35 for SGI Advanced Linux Environment 3. These updates fix security related problems in kdegraphics and gaim. It's recommended to install this update.

System: Mandrake Linux
Topic: Vulnerabilities in gnome-vfs2, libcdaudio1, xli, and cdrecord
Links: MDKSA-2005:074, MDKSA-2005:075, CAN-2005-0706, MDKSA-2005:076, CAN-2005-0638, CAN-2005-0639, MDKSA-2005:077, CAN-2005-0866
ID: ae-200504-064

A buffer overflow bug was found in the way that grip, gnome-vfs2, and libcdaudio1 handle data returned by CDDB servers. If a user connected to a malicious CDDB server, an attacker could execute arbitrary code on the user's machine.
A flaw was discovered in the handling of compressed images by xli, where shell meta-characters are not properly escaped. It was also found that insufficient validation of image properties could potentially result in buffer management errors.
cdrecord creates temporary files in an insecure manner if DEBUG is enabled in /etc/cdrecord/rscsi.
Fixed packages are available now.

System: Debian GNU/Linux
Topic: Vulnerability in f2c
Links: DSA-661, CAN-2005-0017, CAN-2005-0018, ESB-2005.0326
ID: ae-200504-063

f2c and fc, which are both part of the f2c package, a fortran 77 to C/C++ translator, open temporary files insecurely and are hence vulnerable to a symlink attack. Fixed packages are available now.

System: Various
Topic: Vulnerability in RealPlayer and Helix Player
Links: RealNetworks, P-189, CAN-2005-0755, RHSA-2005-363, RHSA-2005-392, ESB-2005.0327, ESB-2005.0328, SUSE-SA:2005:026
ID: ae-200504-062

A vulnerability was found in RealNetworks RealPlayer, RealOne Player and Helix Player. An attacker may craft a malicious RAM file that causes a buffer overflow, allowing the attacker to execute arbitrary code on a victim's machine. Fixed software is available now.

System: Sun Solaris
Topic: Possible Network Port Theft in Solaris
Links: Sun Alert 57766, ESB-2005.0320, P-186
ID: ae-200504-061

A vulnerability was found in Solaris 8 and 9 that applies to network services which run on non-privileged ports such as NFS or NIS. Local unprivileged users may be able to start processes on non-privileged network ports. By "stealing" the port, these processes may act as modified or "trojaned" versions of the service that typically runs on that port. Patches to solve this problem are available now.

System: Turbolinux
Topic: Vulnerabilities in xloadimage, sylpheed, perl, mc, and ImageMagick
Links: TLSA-2005-43, CAN-2001-0775, CAN-2005-0638, TLSA-2005-44, CAN-2005-0667, CAN-2005-0926, TLSA-2005-45, CAN-2005-0448, TLSA-2005-46, CAN-2005-0763, TLSA-2005-47, CAN-2005-0005, CAN-2005-0379, CAN-2005-0759, CAN-2005-0760, CAN-2005-0761, CAN-2005-0762
ID: ae-200504-060

Turbolinux has published patches for the packages listed above. Some of the vulnerabilities are critical, so it's recommended to install the updates.

System: Debian GNU/Linux
Topic: Vulnerabilities in info2www and geneweb
Links: DSA-711, CAN-2005-0390, ESB-2005.0319,
DSA-712, CAN-2005-0391
ID: ae-200504-059

A cross-site scripting vulnerability was discovered in info2www, a converter for info files to HTML. A malicious person could place a harmless looking link on the web that could cause arbitrary commands to be executed in the browser of the victim user.
A problem was discovered during the upgrade of geneweb, a genealogy software with web interface. The maintainer scripts automatically converted files without checking their permissions and content, which could lead to the modification of arbitrary files.
Fixed packages are available now.

System: Red Hat Enterprise Linux
Topic: Vulnerabilities in xloadimage and kernel
Links: RHSA-2005-332, CAN-2005-0638, ESB-2005.0321,
RHSA-2005-366, RHSA-2005-293, CAN-2005-0135, CAN-2005-0207, CAN-2005-0209, CAN-2005-0384, CAN-2005-0400, CAN-2005-0449, CAN-2005-0529, CAN-2005-0530, CAN-2005-0531, CAN-2005-0736, CAN-2005-0749, CAN-2005-0750, CAN-2005-0767, CAN-2005-0815, CAN-2005-0839, CAN-2005-0867, CAN-2005-0977, CAN-2005-1041, ESB-2005.0323, ESB-2005.0337
ID: ae-200504-058

A flaw was discovered in xloadimage where filenames were not properly quoted when calling the gunzip command. An attacker could create a file with a carefully crafted filename so that it would execute arbitrary commands if opened by a victim.
Several vulnerabilities were found in the kernel versions 2.4 and 2.6.
Fixed packages are available now.

System: Various
Topic: Vulnerabilities in cvs
Links: CAN-2005-0753, VU#327037, SUSE-SA:2005:024, MDKSA-2005:073, FreeBSD-SA-05:05, ESB-2005.0332, RHSA-2005-387, ESB-2005.0341, DSA-715, P-195, ESB-2005.0346, TLSA-2005-51, OpenBSD, ESB-2005.0357
ID: ae-200504-057

Various problems within the Concurrent Versions System (CVS) were reported such as a buffer overflow and memory access problems. Fixed software is available now.

System: Debian GNU/Linux
Topic: Vulnerability in gtkhtml
Links: DSA-710, CAN-2003-0541, ESB-2005.0317
ID: ae-200504-056

A problem was discovered in gtkhtml, an HTML rendering widget used by the Evolution mail reader. Certain malformed messages could cause a crash due to a null pointer dereference. Fixed packages are available now.

System: Sun Solaris
Topic: Vulnerability in libgss
Links: Sun Alert 57734, ESB-2005.0316
ID: ae-200504-055

A local unprivileged user may be able to load their own Generic Security Service Application Program Interface (GSS-API) when a privileged GSS-API application is installed which utilizes the libgss(3LIB) library. Patches to solve this problem are available now.

System: Mac OS X
Topic: New Apple Security Update
Links: APPLE, CAN-2005-0969, CAN-2005-0970, CAN-2005-0971, CAN-2005-0972, CAN-2005-0973, CAN-2005-0974, CAN-2005-0975, CAN-2005-0976, ESB-2005.0311, P-185
ID: ae-200504-054

A new Apple Security Update solves several security related problems. The update gives improvements for the Kernel and Safari. So the installation of this update is recommended.

System: Debian GNU/Linux
Topic: Vulnerability in libexif
Links: DSA-709, CAN-2005-0664, P-184, ESB-2005.0315
ID: ae-200504-053

A buffer overflow in libexif, a library that parses EXIF files (such as JPEG files with extra tags), has been found. This bug could be exploited to crash the application and maybe to execute arbitrary code as well. An updated package is available now.

System: Some
Topic: Problems with Sun ONE and JES Directory Server
Links: VU#258905, Sun Alert 57754, P-183
ID: ae-200504-052

A local or remote unprivileged user may be able to execute arbitrary commands on a vulnerable LDAP server with the privileges of the LDAP process or terminate the LDAP process resulting in a Denial-of-Service (DoS). Patches to solve this problem are available now.

System: Many
Topic: Problems with ICMP attacks against TCP
Links: IETF Internet Draft, CAN-2004-0790, CAN-2004-0791, VU#222750,
Cisco, ESB-2005.0305, P-181, MS05-019, P-177, ESB-2005.0294, Symantec, ISS Alert#192, Sun Alert #57746, ESB-2005.0312, ESB-2005.0335, ESB-2005.0356, ESB-2005.0363
ID: ae-200504-051

An IETF Internet Draft describes the use of the Internet Control Message Protocol (ICMP) to perform a variety of attacks against the Transmission Control Protocol (TCP) and similar protocols. Countermeasures are proposed, and some vendors have started to implement them. If an update is available for your system, it should be installed.

System: Various
Topic: Oracle Critical Security Update - April 2005
Links: Oracle, P-182, AL-2005.009
ID: ae-200504-050

Oracle has released Critical Patch Updates for several products. A Critical Patch Update is a collection of patches for multiple security vulnerabilities.

System: Microsoft Windows
Topic: Vulnerability in Sun Java System Web Server
Links: Sun Alert 57760, ESB-2005.0310
ID: ae-200504-049

A vulnerability in certain releases of the Sun Java System Web Server (formerly Sun ONE Web Server and iPlanet Web Server) may allow a remote user to cause the web server to become unresponsive, causing a Denial-of-Service (DOS) condition. Patches are available now.

System: SGI Advanced Linux Environment
Topic: Some potential vulnerabilities fixed
Links: SGI-20050403-01
ID: ae-200504-048

SGI has released Security Update #34 for SGI Advanced Linux Environment 3. These updates fix security related problems in gdk-pixbuf, curl, and kdelibs. It's recommended to install this update.

System: FreeBSD
Topic: Vulnerability in ifconf
Links: FreeBSD-SA-05:04, ESB-2005.0313
ID: ae-200504-047

The SIOCGIFCONF ioctl allows a user process to ask the kernel to produce a list of the existing network interfaces. In generating the list of network interfaces, the kernel writes into a portion of a buffer without first zeroing it. As a result, the prior contents of the buffer are disclosed to the calling process. A patch is available now.

System: Various
Topic: Vulnerability in Veritas i3 Focalpoint Server
Links: Veritas, ESB-2005.0308
ID: ae-200504-046

A critical vulnerability was discovered in the Veritas i3 Focalpoint Server. This component can be found bundled with other servers such as Indepth for Oracle. Veritas has developed a patch to fix the problem.

System: Mandrake Linux
Topic: Vulnerabilities in gaim
Links: MDKSA-2005:071, CAN-2005-0965, CAN-2005-0966, CAN-2005-0967
ID: ae-200504-045

The Gaim application is a multi-protocol instant messaging client. Bugs were found in the way gaim escapes HTML, in several of gaim's IRC processing functions, and in gaim's Jabber message parser. A remote attacker could send a specially crafted message to a Gaim client, causing it to crash. Fixed packages are available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in axel and mysql
Links: DSA-706, CAN-2005-0390, ESB-2005.0306,
DSA-707, CAN-2004-0957, CAN-2005-0709, CAN-2005-0710, CAN-2005-0711, ESB-2005.0307
ID: ae-200504-044

A buffer overflow was discovered in axel, a light download accelerator. When reading remote input the program did not check whether a part of the input could overflow a buffer and possibly trigger the execution of arbitrary code.
Several vulnerabilities have been discovered in MySQL, a popular database. MySQL allows remote authenticated users with INSERT and DELETE privileges to execute arbitrary code. MySQL uses predictable file names when creating temporary tables, which allows local users with CREATE TEMPORARY TABLE privileges to overwrite arbitrary files via a symlink attack. If a user is granted privileges to a database with a name containing an underscore ("_"), the user also gains privileges to other databases with similar names.
Fixed packages are available now.

System: Microsoft Windows
Topic: Vulnerabilities in Microsoft Word 200x, Microsoft Works Suite 200x and Office Word 2003
Links: MS05-022, CAN-2004-0963, CAN-2005-0558, VU#752591, VU#442567, P-176, ESB-2005.0298
ID: ae-200504-043

No further comment due to legal reasons.

System: Microsoft Windows
Topic: Vulnerability in Microsoft MSN Messenger
Links: MS05-021, CAN-2005-0562, VU#633446, P-175, ESB-2005.0297, Symantec
ID: ae-200504-042

No further comment due to legal reasons.

System: Microsoft Windows
Topic: Vulnerability in Exchange Server 2000/2003
Links: MS05-021, CAN-2005-0560, VU#275193, P-174, ESB-2005.0296, Symantec, ISS Alert#193
ID: ae-200504-041

No further comment due to legal reasons.

System: Microsoft Windows
Topic: Vulnerabilities in Internet Explorer
Links: MS05-020, CAN-2005-0553, CAN-2005-0554, CAN-2005-0555, VU#222050, VU#756122, VU#774338, P-173, ESB-2005.0295
ID: ae-200504-040

No further comment due to legal reasons.

System: Microsoft Windows
Topic: Vulnerabilities in TCP/IP implementation
Links: MS05-019, CAN-2005-0048, CAN-2004-0790, CAN-2004-1060, CAN-2004-0230, CAN-2005-0688, VU#222750, VU#233754, P-177, ESB-2005.0294, Symantec, ISS Alert#192
ID: ae-200504-039

No further comment due to legal reasons.

System: Microsoft Windows
Topic: Vulnerabilities in Windows Kernel
Links: MS05-018, CAN-2005-0060, CAN-2005-0061, CAN-2005-0550, CAN-2005-0551, VU#943749, VU#775933, VU#650181, VU#259197, P-180, ESB-2005.0301
ID: ae-200504-038

No further comment due to legal reasons.

System: Microsoft Windows
Topic: Vulnerability in Message Queuing (MSMQ)
Links: MS05-017, CAN-2005-0059, P-178, ESB-2005.0300
ID: ae-200504-037

No further comment due to legal reasons.

System: Microsoft Windows
Topic: Vulnerability in Windows Shell
Links: MS05-016, CAN-2005-0063, VU#673051, P-179, ESB-2005.0299, Symantec
ID: ae-200504-036

No further comment due to legal reasons.

System: Mandrake Linux
Topic: Vulnerability in mysql
Links: MDKSA-2005:070, CAN-2004-0957
ID: ae-200504-035

A vulnerability in MySQL would allow a user with grant privileges to a database with a name containing an underscore character ("_") to have the ability to grant privileges to other databases with similar names. Fixed packages are available now.
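The underscore problem in ae-200504-044 and in this entry comes from how MySQL stores the Db column of its grant tables: the stored name is compared as a LIKE pattern, in which '_' matches any single character and '%' any run of characters, unless escaped with a backslash. The Python below is an added example, not MySQL code; it implements that pattern matching, shows which databases a privilege granted on my_db actually covers, and shows how escaping the name in the GRANT restricts it to the intended database. The database names are constructed.

```python
def like_match(pattern, name, escape="\\"):
    """SQL LIKE semantics as MySQL applies them to the Db column of its grant
    tables: '_' matches exactly one character, '%' any run of characters
    (including none), and the escape character makes the next one literal."""
    def rec(pi, ni):
        while pi < len(pattern):
            c = pattern[pi]
            if c == escape and pi + 1 < len(pattern):
                if ni >= len(name) or name[ni] != pattern[pi + 1]:
                    return False
                pi += 2
                ni += 1
            elif c == "_":
                if ni >= len(name):
                    return False
                pi += 1
                ni += 1
            elif c == "%":
                # '%' may absorb zero or more characters: try every split point.
                return any(rec(pi + 1, k) for k in range(ni, len(name) + 1))
            else:
                if ni >= len(name) or name[ni] != c:
                    return False
                pi += 1
                ni += 1
        return ni == len(name)
    return rec(0, 0)


def escape_db_name(db):
    """Turn a literal database name into a grant pattern that matches only itself,
    i.e. what GRANT ... ON `my\\_db`.* stores instead of my_db."""
    return db.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def databases_covered(grant_db, all_dbs):
    """Which existing databases a privilege stored for grant_db applies to."""
    return sorted(db for db in all_dbs if like_match(grant_db, db))


# Constructed server: the intended database plus look-alikes another user could create.
DATABASES = ["my_db", "myXdb", "my-db", "my_db2", "other"]

if __name__ == "__main__":
    print(databases_covered("my_db", DATABASES))                   # ['my-db', 'myXdb', 'my_db']
    print(databases_covered(escape_db_name("my_db"), DATABASES))   # ['my_db']
```

The check to run on an affected server is therefore not "does the user have a grant on the right database" but "does any row in mysql.db contain an unescaped _ or %"; such rows match every name of the same shape, including databases that did not exist when the grant was made.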

System: Cisco
Topic: Crafted ICMP Messages Can Cause Denial of Service with Cisco Devices
Links: Cisco, ESB-2005.0305, P-181
ID: ae-200504-034

Multiple Cisco products are affected by attacks with ICMP packets on TCP sessions. Successful attacks may cause connection resets or reduction of throughput in existing connections. Details on affected products, workarounds, and fixed software versions can be found in the Cisco advisory.

System: Red Hat Enterprise Linux
Topic: Vulnerabilities in gaim and kdegraphics
Links: RHSA-2005-365, CAN-2005-0965, CAN-2005-0966, CAN-2005-0967, ESB-2005.0304, RHSA-2005-021, CAN-2004-0803, CAN-2004-0804, CAN-2004-0886, ESB-2005.0302
ID: ae-200504-033

The Gaim application is a multi-protocol instant messaging client. Bugs were found in the way gaim escapes HTML, in several of gaim's IRC processing functions, and in gaim's Jabber message parser. A remote attacker could send a specially crafted message to a Gaim client, causing it to crash.
A number of integer and buffer overflow bugs that affect libtiff were discovered. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these bugs.
Fixed packages are available now.

System: Microsoft Windows
Topic: Vulnerability in Computer Associates BrightStor ARCserve
Links: iDEFENSE #232, CAN-2005-1018, ESB-2005.0293, ISS Alert #194
ID: ae-200504-032

Remote exploitation of a buffer overflow vulnerability in Computer Associates International Inc's BrightStor ARCserve Backup UniversalAgent may allow attackers to execute arbitrary code. Patches are available now.

System: Turbolinux
Topic: Vulnerabilities in ipsec-tools, libexif, and curl
Links: TLSA-2005-40, CAN-2005-0398,
TLSA-2005-41, CAN-2005-0664,
TLSA-2005-42, CAN-2005-0490
ID: ae-200504-031

The racoon IKE daemon, contained in the ipsec-tools package, can be crashed remotely by sending a specially crafted ISAKMP packet.
A buffer overflow was discovered in the way libexif parses EXIF tags. An attacker could exploit this by creating a special EXIF image file which could cause image viewers linked against libexif to crash.
cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. Multiple buffer overflow bugs were found in the way curl processes base64 encoded replies. If a victim can be tricked into visiting a URL with curl, a malicious web server could execute arbitrary code on a victim's machine.
Fixed packages are available now.

System: Many
Topic: Vulnerability in BIND
Links: ISC
ID: ae-200504-030

BIND is the Berkeley Internet Name Domain, the most widely used DNS name server. The Internet Software Consortium points out that all versions except BIND 9 are vulnerable when the "forwarders" option is used. A wide-scale Kashpureff-style DNS cache corruption attack is currently under way which depends on BIND 4 and BIND 8 being used as "forwarders" targets. It is therefore strongly recommended to upgrade all name servers used as "forwarders" to BIND 9.

System: SCO UnixWare
Topic: Vulnerabilities in dtlogin, libtiff, and cdrecord
Links: SCOSA-2005.18, SCOSA-2005.19, SCOSA-2005.20, ESB-2005.0287, ESB-2005.0288, ESB-2005.0289
ID: ae-200504-029

The Common Desktop Environment (CDE) dtlogin utility has a double-free vulnerability in the X Display Manager Control Protocol (XDMCP). By sending a specially-crafted XDMCP packet to a vulnerable system, a remote attacker could obtain sensitive information, cause a denial of service or execute arbitrary code on the system.
Multiple vulnerabilities were discovered in the libtiff library.
cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges.
Patches are available now.

System: SCO OpenServer
Topic: Vulnerabilities in cscope and termsh
Links: SCOSA-2005.15, SCOSA-2005.11, ESB-2005.0286, ESB-2005.0285
ID: ae-200504-028

cscope creates temporary files with an easily predictable file name. A local attacker could exploit this vulnerability and possibly gain elevated privileges on the system.
A very long HOME environment variable will cause a buffer overflow in auditsh, atcronsh and termsh.
Patches are available now.
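The insecure temporary files in f2c (ae-200504-063), cdrecord (ae-200504-029) and cscope (this entry) are the same bug: a scratch file whose name an attacker can predict, opened without O_EXCL, so a symlink planted at that name redirects the write to any file the victim is allowed to write. The Python below is an added example and not code from any of those packages; it reproduces the vulnerable open against a planted symlink, then shows the two hardened variants: an exclusive, non-following create on the same fixed name, and tempfile.mkstemp(), which also picks an unpredictable name and mode 0600. All file names are constructed in a fresh temporary directory.

```python
import os
import tempfile


def predictable_tmp_open(tmpdir, pid):
    """The vulnerable pattern: a name anyone can predict (program name plus
    pid), opened with O_CREAT but without O_EXCL, so an existing symlink at
    that name is silently followed and its target truncated."""
    path = os.path.join(tmpdir, "prog.%d" % pid)
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644), path


def exclusive_tmp_open(path):
    """Hardened open on a fixed name: O_EXCL fails if anything exists there,
    symlink included, and O_NOFOLLOW refuses to traverse one regardless."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)


def demo():
    """Constructed scenario in a fresh directory. Returns
    (victim_contents_after_unsafe_open, exclusive_open_blocked,
     mkstemp_name_unpredictable, mkstemp_mode)."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim.txt")     # any file the user may write
    with open(victim, "w") as f:
        f.write("original\n")

    # Attacker guesses the pid and plants the symlink before the program runs.
    os.symlink(victim, os.path.join(base, "prog.4242"))
    fd, _ = predictable_tmp_open(base, 4242)
    os.write(fd, b"clobbered\n")      # lands in victim.txt, not in a scratch file
    os.close(fd)
    with open(victim) as f:
        after_unsafe = f.read()

    # Same planted symlink, exclusive create: the open fails instead.
    planted = os.path.join(base, "prog.4243")
    os.symlink(victim, planted)
    try:
        exclusive_tmp_open(planted)
        blocked = False
    except OSError:                   # EEXIST (or ELOOP) from the kernel
        blocked = True

    # mkstemp: random suffix, O_CREAT|O_EXCL under the hood, mode 0600.
    fd, path = tempfile.mkstemp(prefix="prog.", dir=base)
    os.write(fd, b"scratch\n")
    os.close(fd)
    name = os.path.basename(path)
    return (after_unsafe, blocked,
            name.startswith("prog.") and name not in ("prog.4242", "prog.4243"),
            os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    print(demo())   # ('clobbered\n', True, True, 384)  -- 384 == 0o600
```

The exclusive open is what matters in a setuid program such as cdrecord: an unpredictable name only raises the attacker's cost, while O_EXCL turns a planted symlink into a hard failure. On an existing installation, a world-writable temp directory with the sticky bit set (the default /tmp) additionally prevents other users from removing or replacing files the program already created.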

System: Macromedia ColdFusion MX
Topic: Vulnerability in ColdFusion MX 6.1 Updater
Links: MPSB05-02, ESB-2005.0290
ID: ae-200504-027

In the ColdFusion MX for JRun4 configuration only, ColdFusion MX 6.1 Updater 1 creates a /WEB-INF/cfclasses directory under the web server root and places there the compiled Java .class files generated from .cfm and .cfc files. These .class files can be downloaded by end users. A fix is available now.

System: SGI IRIX
Topic: Vulnerabilities in gr_osview
Links: 20050402-01-P, iDEFENSE #225, iDEFENSE #226, CAN-2005-0464, CAN-2005-0465, ESB-2005.0284, P-172
ID: ae-200504-026

Two vulnerabilities were found in gr_osview: gr_osview -s can corrupt arbitrary files, and gr_osview can display the head of arbitrary files. Patches are available now.

System: Mandrake Linux
Topic: Vulnerabilities in sharutils, gtk+, and gdk-pixbuf
Links: MDKSA-2005:067, CAN-2004-1772, CAN-2004-1773, MDKSA-2005:068, MDKSA-2005:069, CAN-2004-0891
ID: ae-200504-025

Several vulnerabilities were discovered in 'sharutils'. A buffer overflow is triggered by output files (using -o) with names longer than 49 characters. 'shar' does not check the data length returned by the wc command. 'unshar' creates temporary files in an insecure manner, which could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user running 'unshar'.
A bug was discovered in the way that gtk+ and gdk-pixbuf process BMP images which could allow for a specially crafted BMP to cause a Denial of Service attack on applications linked against gtk+ or gdk-pixbuf.
Fixed packages are available now.

System: Red Hat Enterprise Linux
Topic: Vulnerability in kdelibs
Links: RHSA-2005-307, CAN-2005-0396
ID: ae-200504-024

A flaw was discovered in dcopserver, the KDE Desktop Communication Protocol (DCOP) daemon. A local user could use this flaw to stall the DCOP authentication process, affecting any local desktop users and causing a reduction in their desktop functionality. Fixed packages are available now.

System: SGI Advanced Linux Environment
Topic: Some potential vulnerabilities fixed
Links: SGI-20050401-01, P-171
ID: ae-200504-023

SGI has released Security Update #33 for SGI Advanced Linux Environment 3. These updates fix security related problems in mysql-server, gtk2, tetex, krb5, XFree86, and telnet. It's recommended to install this update.

System: Some
Topic: Vulnerability in IBM Lotus Domino Server Web Service
Links: IBM_21202446, iDEFENSE #224, ESB-2005.0283
ID: ae-200504-022

Remote exploitation of a Denial-of-Service vulnerability in IBM Corp.'s Lotus Domino Server web service allows attackers to crash the service, thereby preventing legitimate access. The problem specifically exists within the module NLSCCSTR.DLL. If a very long string of characters with Unicode decimal value 430 is sent, nHTTP.EXE crashes without this being reported to the NSERVER terminal. The crash occurs only when the long string is prefixed with /cgi-bin/. IBM has released technote #1202446 for this issue. The vendor has been unable to reproduce the issue and has therefore not released any patches.

System: Microsoft Windows
Topic: Vulnerability in Computer Associates eTrust Intrusion Detection System
Links: iDEFENSE #223, ESB-2005.0282
ID: ae-200504-021

Computer Associates International, Inc.'s (CA) eTrust Intrusion Detection 3.0 is a complete session security solution for network protection, network session monitoring and Internet web filtering. A vulnerability exists due to insufficient checking of values passed to Microsoft's Crypto API function CPImportKey. CPImportKey determines certain buffer allocation sizes from data supplied in the data blob passed to it and can be manipulated into allocating large buffers if wrapper functions do not validate the data before calling the Crypto API. In cases where CPImportKey receives a size value exceeding the mapped memory size, an exception is generated and the memory is never freed, which results in a Denial-of-Service. For eTrust Intrusion Detection 3.0 a new download is available.

System: Cisco IOS
Topic: Vulnerabilities in SSH and IKE
Links: Cisco, P-170, ESB-2005.0281,
Cisco, P-169, ESB-2005.0280
ID: ae-200504-020

Certain release trains of Cisco Internetwork Operating System (IOS), when configured to use the IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus (TACACS+) as a means to perform remote management tasks on IOS devices, may contain two vulnerabilities that can potentially cause IOS devices to exhaust resources and reload. Repeated exploitation of these vulnerabilities can result in a Denial-of-Service (DoS) condition. Use of SSH with Remote Authentication Dial In User Service (RADIUS) is not affected by these vulnerabilities.
Cisco IOS Software release trains 12.2T, 12.3 and 12.3T may contain vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to be an Easy VPN Server. Successful exploitation of these vulnerabilities may permit an unauthorized user to complete authentication and potentially access network resources.
Cisco has made free software available to address these vulnerabilities for all affected customers.

System: Turbolinux
Topic: Vulnerabilities in cpio, squid, imap, nfs-utils, krb5, perl, python, xemacs, postgresql, and gftp
Links: TLSA-2005-30, CAN-1999-1572,
TLSA-2005-31, CAN-2005-0446,
TLSA-2005-32, CAN-2005-0198,
TLSA-2005-33, CAN-2004-0946, CAN-2004-1014,
TLSA-2005-34, CAN-2004-1189,
TLSA-2005-35, CAN-2004-0452, CAN-2004-0976,
TLSA-2005-36, CAN-2005-0089,
TLSA-2005-37, CAN-2005-0100,
TLSA-2005-38, CAN-2005-0244, CAN-2005-0245, CAN-2005-0246, CAN-2005-0247,
TLSA-2005-39, CAN-2005-0372
ID: ae-200504-019

Turbolinux has published patches for the packages listed above. Some of the vulnerabilities are critical, so it's recommended to install the updates.

System: Various
Topic: Several Vulnerabilities in Sybase Adaptive Server Enterprise 12.5.3
Links: Sybase_1034520, Sybase_1034752, NGSSoftware, P-166
ID: ae-200504-018

Buffer overflow vulnerabilities occur in internal parsing components and built-in functions that are accessible to all authenticated Sybase users. They allow an attacker with no special permission to take advantage of these flaws, and no mechanism exists to prevent a user from executing the vulnerable code. An unauthenticated Sybase user could trigger a buffer overflow and gain full control of the database server. Due to a buffer overflow, at least a Denial-of-Service is possible. It's strongly recommended to install the latest patches published by Sybase.

System: Various
Topic: Vulnerability in phpMyAdmin
Links: adv20050403, PMASA-2005-3, ESB-2005.0274, Suse 9.2, Suse 9.1
ID: ae-200504-017

In phpMyAdmin 2.6.1 and prior the convcharset parameter isn't correctly set, so there is a Cross-Site Scripting vulnerability (XSS). It's recommended to upgrade to phpMyAdmin 2.6.2-rc1 or newer.

System: IBM AIX 5.3
Topic: Vulnerability in NIS
Links: ESB-2005.0270
ID: ae-200504-016

A remote attacker may gain root access to a system configured as a NIS client. Note that it's also possible for a local attacker to exploit this vulnerability. Versions of AIX prior to AIX 5.3 are not affected by this issue. An official patch is available.

System: Microsoft Windows Server 2003
Topic: Vulnerabilities in Windows Server 2003
Links: ESB-2005.0279
ID: ae-200504-015

Windows Server 2003 has two denial of service vulnerabilities by which authenticated local users, and in particular Terminal Services users, can crash the server. A Terminal Services user can cause the system to crash; this may be exploited by opening a Microsoft Word attachment in Outlook and then printing it to a network printer. When an SMB browser announcement frame is wrongly processed by the SMB redirector, it may attempt to execute code that is paged out and unavailable, resulting in a "STOP 0x000000D1" blue screen error. A local user can exploit this, for example, by retrieving large files from a network share when the system is under heavy load. These vulnerabilities are fixed in Windows Server 2003 Service Pack 1.

System: SGI Advanced Linux Environment
Topic: Some potential vulnerabilities fixed
Links: SGI-20050304-01
ID: ae-200504-014

SGI has released Security Update #32 for SGI Advanced Linux Environment 3. These updates fix security related problems in imagemagick, ipsec-tools, and mozilla. It's recommended to install this update.

System: Linux
Topic: Vulnerability in Kernel
Links: CAN-2005-0750, VU#685461, SUSE-2005:021
ID: ae-200504-013

The Linux kernel is the core component of the Linux system. A problem was found within the Bluetooth kernel stack which can be used by a local attacker to gain root access or crash the machine. Fixed kernel packages are available now.

System: FreeBSD
Topic: Vulnerabilities in sendfile and amd64
Links: FreeBSD-SA-05:02, CAN-2005-0708, ESB-2005.0273, FreeBSD-SA-05:03, ESB-2005.0278
ID: ae-200504-012

The sendfile(2) system call allows a server application to transmit the contents of a file over a network connection without first copying it to application memory. If the file being transmitted is truncated after the transfer has started but before it completes, sendfile(2) will transfer the contents of more or less random portions of kernel memory in lieu of the missing part of the file.
Unprivileged users on amd64 systems can gain direct access to some hardware, allowing for denial of service, disclosure of sensitive information, or possible privilege escalation.
Patches are available now.

System: Red Hat Enterprise Linux
Topic: Vulnerabilities in gdk-pixbuf and curl
Links: RHSA-2005-343, CAN-2005-0891, ESB-2005.0276, RHSA-2005-340, CAN-2005-0490, ESB-2005.0275, P-167
ID: ae-200504-011

A bug was found in the way gdk-pixbuf processes BMP images. It is possible that a specially crafted BMP image could cause a denial of service attack on applications linked against gdk-pixbuf.
cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. Multiple buffer overflow bugs were found in the way curl processes base64 encoded replies. If a victim can be tricked into visiting a URL with curl, a malicious web server could execute arbitrary code on a victim's machine.
Updated packages solve these problems.

System: Debian GNU/Linux
Topic: Vulnerabilities in remstats and wu-ftpd
Links: DSA-704, CAN-2005-0387, CAN-2005-0388, ESB-2005.0271, DSA-705, CAN-2005-0256, CAN-2003-0854, ESB-2005.0272
ID: ae-200504-010

Several vulnerabilities were found in remstats, the remote statistics system. When processing uptime data on the unix-server a temporary file is opened in an insecure fashion which could be used for a symlink attack to create or overwrite arbitrary files with the permissions of the remstats user. The remoteping service can be exploited to execute arbitrary commands due to missing input sanitising.
Several denial of service conditions have been discovered in wu-ftpd, the popular FTP daemon. A denial of service condition in wu-ftpd can be exploited by a remote user to slow down the server by resource exhaustion. /bin/ls may be called from within wu-ftpd in a way that results in large memory consumption and hence slows down the server.
Fixed packages are available now.

System: Microsoft Windows
Topic: Vulnerability in Adobe Reader
Links: 482323/NISCC, Adobe, CAN-2005-0035, ESB-2005.0269
ID: ae-200504-009

A vulnerability within the Adobe Reader and Acrobat web control has been identified. Under certain circumstances, if the Internet Explorer ActiveX control is directly invoked by a web page, it is possible to discover the existence of local files by monitoring the behavior of certain methods. Fixed versions are available now.

System: Mandrake Linux
Topic: Vulnerability in grip
Links: MDKSA-2005:066, CAN-2005-0706
ID: ae-200504-008

A buffer overflow bug has been found in the way that grip handles data returned by CDDB servers. If a user is connected to a malicious CDDB server, an attacker might execute arbitrary code on the user's machine. An updated package addresses this issue.

System: Red Hat Enterprise Linux
Topic: Vulnerabilities in tetex and gtk2
Links: RHSA-2005-354, CAN-2004-0803, CAN-2004-0804, CAN-2004-0886, CAN-2004-0888, CAN-2004-1125,
RHSA-2005-344, CAN-2005-0891, ESB-2005.0264, ESB-2005.0265
ID: ae-200504-007

TeTeX is an implementation of TeX for Linux or UNIX systems. A number of security flaws have been found affecting libraries used internally within teTeX. An attacker who has the ability to trick a user into processing a malicious file with teTeX could cause teTeX to crash or possibly execute arbitrary code. Additionally, a number of security related bugs concerning teTeX have been found in Xpdf and libtiff.
The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. A bug has been found in the way gtk2 processes BMP images. It's possible that a specially crafted BMP image could cause a Denial-of-Service attack on applications linked against gtk2. Additionally, a double free vulnerability has been found.
Updated packages solve these problems.

System: Linux/Unix
Topic: Vulnerabilities in ImageMagick
Links: CAN-2005-0397, CAN-2005-0759, CAN-2005-0760, CAN-2005-0762, SUSE-SA:2005:017, DSA-702, ESB-2005.0267, MDKSA-2005:065, RHSA-2005-070
ID: ae-200504-006

Several vulnerabilities have been discovered in ImageMagick, a commonly used image manipulation library. These problems can be exploited by a carefully crafted graphic image. A format string vulnerability in the filename handling code might allow attackers to cause a Denial-of-Service and possibly execute arbitrary code of the attacker's choice. A Denial-of-Service might occur due to an invalid tag in a TIFF image. Additionally, the TIFF decoder is vulnerable to accessing memory out of bounds, which will result in a segmentation fault. Finally, a buffer overflow in the SGI parser allows a remote attacker to execute arbitrary code via a specially crafted SGI image file. For most Linux distributions a fixed package is available now.

System: Various
Topic: Vulnerabilities in PHP
Links: PHP, iDEFENSE #222, CAN-2005-0524, CAN-2005-0525, ESB-2005.0261, SuSE-2005_23, DSA-708, ESB-2005.0314, MDKSA-2005:072
ID: ae-200504-005

Several vulnerabilities were found in PHP 4 and PHP 5. Two vulnerabilities in the getimagesize() PHP routine could allow unauthenticated remote attackers to consume 100% CPU resources on vulnerable systems. A vulnerability in swf_openfile() bypasses safe mode restrictions; in conjunction with application vulnerabilities this can potentially allow overwriting arbitrary files. unserialize() corrupts floating point values in non-English locales. Patches are available now.

System: Mandrake Linux
Topic: Vulnerabilities in htdig and libexif
Links: MDKSA-2005:063, CAN-2005-0085, MDKSA-2005:064, CAN-2005-0664
ID: ae-200504-004

A cross-site scripting vulnerability was discovered in ht://dig.
A buffer overflow was discovered in the way libexif parses EXIF tags. An attacker could exploit this by creating a special EXIF image file which could cause image viewers linked against libexif to crash.
Fixed packages are available now.

System: Various Linux
Topic: Vulnerability in ipsec-tools
Links: CAN-2005-0398, RHSA-2005-239, ESB-2005.0239, SUSE-SA:2005:020, MDKSA-2005:062
ID: ae-200504-003

The racoon IKE daemon, contained in the package ipsec-tools, can be crashed remotely by sending a specially crafted ISAKMP packet. Fixed packages are available now.

System: SGI Advanced Linux Environment
Topic: Some potential vulnerabilities fixed
Links: SGI-20050302-01, SGI-20050303-01
ID: ae-200504-002

SGI has released Security Updates #30 and #31 for SGI Advanced Linux Environment 3. These updates fix security related problems in xpdf, squid, kdenetwork, mailman, ethereal, and gaim. It's recommended to install these updates.

System: Debian GNU/Linux
Topic: Vulnerability in samba
Links: DSA-701, CAN-2004-1154, VU#226184, ESB-2005.0262
ID: ae-200504-001

Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Integer overflow vulnerabilities have been discovered in Samba, so remote attackers might execute arbitrary code using certain SMB requests. Fixed packages are available now.
(c) 2000-2014 AERAsec Network Services and Security GmbH