Everything posted by aru

  1. Mandriva Security Advisories MDKSA-2005:128 : mozilla
     Updated mozilla packages fix multiple vulnerabilities
     August 2nd, 2005

     A number of vulnerabilities were reported and fixed in Mozilla 1.7.9. The following vulnerabilities have been backported and patched for this update:

     In several places the browser UI did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events generated by web content. The problems ranged from minor annoyances like switching tabs or entering full-screen mode, to a variant on MFSA 2005-34. Synthetic events are now prevented from reaching the browser UI entirely rather than depend on each potentially spoofed function to protect itself from untrusted events (MFSA 2005-45).

     Scripts in XBL controls from web content continued to be run even when Javascript was disabled. By itself this causes no harm, but it could be combined with most script-based exploits to attack people running vulnerable versions who thought disabling javascript would protect them. In the Thunderbird and Mozilla Suite mail clients Javascript is disabled by default for protection against denial-of-service attacks and worms; this vulnerability could be used to bypass that protection (MFSA 2005-46).

     The InstallTrigger.install() method for launching an install accepts a callback function that will be called with the final success or error status. By forcing a page navigation immediately after calling the install method this callback function can end up running in the context of the new page selected by the attacker. This is true even if the user cancels the unwanted install dialog: cancel is an error status. This callback script can steal data from the new page such as cookies or passwords, or perform actions on the user's behalf such as make a purchase if the user is already logged into the target site. In Firefox the default settings allow only http://addons.mozilla.org to bring up this install dialog. This could only be exploited if users have added questionable sites to the install whitelist, and if a malicious site can convince you to install from their site that's a much more powerful attack vector. In the Mozilla Suite the whitelist feature is turned off by default; any site can prompt the user to install software and exploit this vulnerability. The browser has been fixed to clear any pending callback function when switching to a new site (MFSA 2005-48).

     When InstallVersion.compareTo() is passed an object rather than a string it assumed the object was another InstallVersion without verifying it. When passed a different kind of object the browser would generally crash with an access violation. shutdown has demonstrated that different javascript objects can be passed on some OS versions to get control over the instruction pointer. We assume this could be developed further to run arbitrary machine code if the attacker can get exploit code loaded at a predictable address (MFSA 2005-50).

     The original frame-injection spoofing bug was fixed in the Mozilla Suite 1.7 and Firefox 0.9 releases. This protection was accidentally bypassed by one of the fixes in the Firefox 1.0.3 and Mozilla Suite 1.7.7 releases (MFSA 2005-51).

     A child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus() routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent comes from the same site. The attacker could steal cookies and passwords from the framed page, or take actions on behalf of a signed-in user. This attack would work only against sites that use frames in this manner (MFSA 2005-52).

     Alerts and prompts created by scripts in web pages are presented with the generic title [JavaScript Application] which sometimes makes it difficult to know which site created them. A malicious page could attempt to cause a prompt to appear in front of a trusted site in an attempt to extract information such as passwords from the user. In the fixed version these prompts will contain the hostname from the page which created it (MFSA 2005-54).

     Parts of the browser UI relied too much on DOM node names without taking different namespaces into account and verifying that nodes really were of the expected type. An XHTML document could be used to create fake elements, for example, with content-defined properties that the browser would access as if they were the trusted built-in properties of the expected HTML elements. The severity of the vulnerability would depend on what the attacker could convince the victim to do, but could result in executing user-supplied script with elevated "chrome" privileges. This could be used to install malicious software on the victim's machine (MFSA 2005-55).

     Improper cloning of base objects allowed web content scripts to walk up the prototype chain to get to a privileged object. This could be used to execute code with enhanced privileges (MFSA 2005-56).

     The updated packages have been patched to address these issues. This update also brings the mozilla shipped in Mandriva Linux 10.1 to version 1.7.8 to ease maintenance. As a result, new galeon and epiphany packages are also available for 10.1, and community contribs packages that are built against mozilla have been rebuilt and are also available via contribs.

     The released versions of Mandriva GNU/Linux affected are: 10.1, CS3.0

     Full information about this advisory, including the updated packages, is available at:
     www.mandriva.com/security/advisories?name=MDKSA-2005:128

     Other references:
     http://www.mozilla.org/security/announce/mfsa2005-45.html
     http://www.mozilla.org/security/announce/mfsa2005-46.html
     http://www.mozilla.org/security/announce/mfsa2005-48.html
     http://www.mozilla.org/security/announce/mfsa2005-50.html
     http://www.mozilla.org/security/announce/mfsa2005-51.html
     http://www.mozilla.org/security/announce/mfsa2005-52.html
     http://www.mozilla.org/security/announce/mfsa2005-54.html
     http://www.mozilla.org/security/announce/mfsa2005-55.html
     http://www.mozilla.org/security/announce/mfsa2005-56.html
     http://secunia.com/advisories/15489/
     http://secunia.com/advisories/15549/
     http://secunia.com/advisories/15601/

     Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  2. Mandriva Security Advisories MDKSA-2005:127 : mozilla-thunderbird
     Updated mozilla-thunderbird packages fix multiple vulnerabilities
     July 28th, 2005

     A number of vulnerabilities were reported and fixed in Thunderbird 1.0.5 and Mozilla 1.7.9. The following vulnerabilities have been backported and patched for this update:

     The native implementations of InstallTrigger and other XPInstall-related javascript objects did not properly validate that they were called on instances of the correct type. By passing other objects, even raw numbers, the javascript interpreter would jump to the wrong place in memory. Although no proof of concept has been developed we believe this could be exploited (MFSA 2005-40).

     moz_bug_r_a4 reported several exploits giving an attacker the ability to install malicious code or steal data, requiring only that the user do commonplace actions like clicking on a link or open the context menu. The common cause in each case was privileged UI code ("chrome") being overly trusting of DOM nodes from the content window. Scripts in the web page can override properties and methods of DOM nodes and shadow the native values, unless steps are taken to get the true underlying values (MFSA 2005-41).

     Additional checks were added to make sure Javascript eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privilege of the context calling them, in order to protect against an additional variant of MFSA 2005-41 (MFSA 2005-44).

     In several places the browser UI did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events generated by web content. The problems ranged from minor annoyances like switching tabs or entering full-screen mode, to a variant on MFSA 2005-34. Synthetic events are now prevented from reaching the browser UI entirely rather than depend on each potentially spoofed function to protect itself from untrusted events (MFSA 2005-45).

     Scripts in XBL controls from web content continued to be run even when Javascript was disabled. By itself this causes no harm, but it could be combined with most script-based exploits to attack people running vulnerable versions who thought disabling javascript would protect them. In the Thunderbird and Mozilla Suite mail clients Javascript is disabled by default for protection against denial-of-service attacks and worms; this vulnerability could be used to bypass that protection (MFSA 2005-46).

     When InstallVersion.compareTo() is passed an object rather than a string it assumed the object was another InstallVersion without verifying it. When passed a different kind of object the browser would generally crash with an access violation. shutdown has demonstrated that different javascript objects can be passed on some OS versions to get control over the instruction pointer. We assume this could be developed further to run arbitrary machine code if the attacker can get exploit code loaded at a predictable address (MFSA 2005-50).

     A child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus() routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent comes from the same site. The attacker could steal cookies and passwords from the framed page, or take actions on behalf of a signed-in user. This attack would work only against sites that use frames in this manner (MFSA 2005-52).

     Parts of the browser UI relied too much on DOM node names without taking different namespaces into account and verifying that nodes really were of the expected type. An XHTML document could be used to create fake elements, for example, with content-defined properties that the browser would access as if they were the trusted built-in properties of the expected HTML elements. The severity of the vulnerability would depend on what the attacker could convince the victim to do, but could result in executing user-supplied script with elevated "chrome" privileges. This could be used to install malicious software on the victim's machine (MFSA 2005-55).

     Improper cloning of base objects allowed web content scripts to walk up the prototype chain to get to a privileged object. This could be used to execute code with enhanced privileges (MFSA 2005-56).

     The updated packages have been patched to address these issues.

     The released versions of Mandriva GNU/Linux affected are: 10.2

     Full information about this advisory, including the updated packages, is available at:
     www.mandriva.com/security/advisories?name=MDKSA-2005:127

     Other references:
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2260
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2261
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2265
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2266
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2269
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2270
     http://www.mozilla.org/security/announce/mfsa2005-40.html
     http://www.mozilla.org/security/announce/mfsa2005-41.html
     http://www.mozilla.org/security/announce/mfsa2005-44.html
     http://www.mozilla.org/security/announce/mfsa2005-45.html
     http://www.mozilla.org/security/announce/mfsa2005-46.html
     http://www.mozilla.org/security/announce/mfsa2005-50.html
     http://www.mozilla.org/security/announce/mfsa2005-52.html
     http://www.mozilla.org/security/announce/mfsa2005-55.html
     http://www.mozilla.org/security/announce/mfsa2005-56.html
     http://secunia.com/advisories/15549/

     Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  3. Mandriva Security Advisories MDKSA-2005:126 : fetchmail
     Updated fetchmail packages fix vulnerability
     July 28th, 2005

     A buffer overflow was discovered in fetchmail's POP3 client which could allow a malicious server to send a carefully crafted message UID, causing fetchmail to crash or potentially execute arbitrary code as the user running fetchmail.

     The updated packages have been patched to address this problem.

     The released versions of Mandriva GNU/Linux affected are: 10.1, CS2.1, CS3.0, 10.2

     Full information about this advisory, including the updated packages, is available at:
     www.mandriva.com/security/advisories?name=MDKSA-2005:126

     Other references:
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2335

     Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  4. Mandriva Security Advisories MDKSA-2005:125 : clamav
     Updated clamav packages fix more vulnerabilities
     July 27th, 2005

     Neel Mehta and Alex Wheeler discovered integer overflow vulnerabilities in Clam AntiVirus when handling the TNEF, CHM, and FSG file formats. By sending a specially-crafted file, an attacker could execute arbitrary code with the permissions of the user running Clam AV.

     This update provides clamav 0.86.2 which is not vulnerable to these issues.

     The released versions of Mandriva GNU/Linux affected are: 10.1, CS3.0, 10.2

     Full information about this advisory, including the updated packages, is available at:
     www.mandriva.com/security/advisories?name=MDKSA-2005:125

     Other references:
     http://sourceforge.net/project/shownotes.p...lease_id=344514

     Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  5. Mandriva Security Advisories MDKA-2005:036 : hal
     Updated hal packages fix USB drive mounting
     July 27th, 2005

     A problem was discovered in the hal package when used for auto-mounting USB storage devices (such as memory sticks) that were formatted using the DOS filesystem, or which are using manufacturer formatting. The mount points were not being created and the auto-mounting was not working properly.

     Updated packages are provided to fix this issue.

     The released versions of Mandriva GNU/Linux affected are: 10.2

     Full information about this advisory, including the updated packages, is available at:
     www.mandriva.com/security/advisories?name=MDKA-2005:036

     Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  6. Mandriva Security Advisories MDKSA-2005:124 : zlib
     Updated zlib packages fix vulnerability
     July 22nd, 2005

     A previous zlib update (MDKSA-2005:112; CAN-2005-2096) fixed an overflow flaw in the zlib program. While that update did indeed fix the reported overflow issue, Markus Oberhumer discovered additional ways that a specially-crafted compressed stream could trigger an overflow. An attacker could create such a stream that would cause a linked application to crash if opened by a user.

     The updated packages are provided to protect against this flaw. The Corporate Server 2.1 product is not affected by this vulnerability.

     The released versions of Mandriva GNU/Linux affected are: 10.0, 10.1, CS3.0, MNF2.0, 10.2

     Full information about this advisory, including the updated packages, is available at:
     www.mandriva.com/security/advisories?name=MDKSA-2005:124

     Other references:
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1849

     Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  7. Mandriva Security Advisories MDKSA-2005:120-1 : mozilla-firefox
     Updated mozilla-firefox packages fix multiple vulnerabilities
     July 22nd, 2005

     A number of vulnerabilities were reported and fixed in Firefox 1.0.5 and Mozilla 1.7.9. The following vulnerabilities have been backported and patched for this update:

     In several places the browser UI did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events generated by web content. The problems ranged from minor annoyances like switching tabs or entering full-screen mode, to a variant on MFSA 2005-34. Synthetic events are now prevented from reaching the browser UI entirely rather than depend on each potentially spoofed function to protect itself from untrusted events (MFSA 2005-45; CAN-2005-2260).

     Scripts in XBL controls from web content continued to be run even when Javascript was disabled. By itself this causes no harm, but it could be combined with most script-based exploits to attack people running vulnerable versions who thought disabling javascript would protect them. In the Thunderbird and Mozilla Suite mail clients Javascript is disabled by default for protection against denial-of-service attacks and worms; this vulnerability could be used to bypass that protection (MFSA 2005-46; CAN-2005-2261).

     If an attacker can convince a victim to use the "Set As Wallpaper" context menu item on a specially crafted image then they can run arbitrary code on the user's computer. The image "source" must be a javascript: url containing an eval() statement and such an image would get the "broken image" icon, but with CSS it could be made transparent and placed on top of a real image. The attacker would have to convince the user to change their desktop background to the exploit image, and to do so by using the Firefox context menu rather than first saving the image locally and using the normal mechanism provided by their operating system. This affects only Firefox 1.0.3 and 1.0.4; earlier versions are unaffected. The implementation of this feature in the Mozilla Suite is also unaffected (MFSA 2005-47; CAN-2005-2262).

     The InstallTrigger.install() method for launching an install accepts a callback function that will be called with the final success or error status. By forcing a page navigation immediately after calling the install method this callback function can end up running in the context of the new page selected by the attacker. This is true even if the user cancels the unwanted install dialog: cancel is an error status. This callback script can steal data from the new page such as cookies or passwords, or perform actions on the user's behalf such as make a purchase if the user is already logged into the target site. In Firefox the default settings allow only http://addons.mozilla.org to bring up this install dialog. This could only be exploited if users have added questionable sites to the install whitelist, and if a malicious site can convince you to install from their site that's a much more powerful attack vector. In the Mozilla Suite the whitelist feature is turned off by default; any site can prompt the user to install software and exploit this vulnerability. The browser has been fixed to clear any pending callback function when switching to a new site (MFSA 2005-48; CAN-2005-2263).

     Sites can use the _search target to open links in the Firefox sidebar. A missing security check allows the sidebar to inject data: urls containing scripts into any page open in the browser. This could be used to steal cookies, passwords or other sensitive data (MFSA 2005-49; CAN-2005-2264).

     When InstallVersion.compareTo() is passed an object rather than a string it assumed the object was another InstallVersion without verifying it. When passed a different kind of object the browser would generally crash with an access violation. shutdown has demonstrated that different javascript objects can be passed on some OS versions to get control over the instruction pointer. We assume this could be developed further to run arbitrary machine code if the attacker can get exploit code loaded at a predictable address (MFSA 2005-50; CAN-2005-2265).

     The original frame-injection spoofing bug was fixed in the Mozilla Suite 1.7 and Firefox 0.9 releases. This protection was accidentally bypassed by one of the fixes in the Firefox 1.0.3 and Mozilla Suite 1.7.7 releases (MFSA 2005-51; CAN-2005-1937).

     A child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus() routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent comes from the same site. The attacker could steal cookies and passwords from the framed page, or take actions on behalf of a signed-in user. This attack would work only against sites that use frames in this manner (MFSA 2005-52; CAN-2005-2266).

     Several media players, for example Flash and QuickTime, support scripted content with the ability to open URLs in the default browser. The default behavior for Firefox was to replace the currently open browser window's content with the externally opened content. If the external URL was a javascript: url it would run as if it came from the site that served the previous content, which could be used to steal sensitive information such as login cookies or passwords. If the media player content first caused a privileged chrome: url to load then the subsequent javascript: url could execute arbitrary code. External javascript: urls will now run in a blank context regardless of what content it's replacing, and external apps will no longer be able to load privileged chrome: urls in a browser window. The -chrome command line option to load chrome applications is still supported (MFSA 2005-53; CAN-2005-2267).

     Alerts and prompts created by scripts in web pages are presented with the generic title [JavaScript Application] which sometimes makes it difficult to know which site created them. A malicious page could attempt to cause a prompt to appear in front of a trusted site in an attempt to extract information such as passwords from the user. In the fixed version these prompts will contain the hostname from the page which created it (MFSA 2005-54; CAN-2005-2268).

     Parts of the browser UI relied too much on DOM node names without taking different namespaces into account and verifying that nodes really were of the expected type. An XHTML document could be used to create fake elements, for example, with content-defined properties that the browser would access as if they were the trusted built-in properties of the expected HTML elements. The severity of the vulnerability would depend on what the attacker could convince the victim to do, but could result in executing user-supplied script with elevated "chrome" privileges. This could be used to install malicious software on the victim's machine (MFSA 2005-55; CAN-2005-2269).

     Improper cloning of base objects allowed web content scripts to walk up the prototype chain to get to a privileged object. This could be used to execute code with enhanced privileges (MFSA 2005-56; CAN-2005-2270).

     The updated packages have been patched to address these issues.

     Update: New packages are available that fix some regression errors that appeared in the Firefox 1.0.5 release that the patches were based on.

     The released versions of Mandriva GNU/Linux affected are: 10.2

     Full information about this advisory, including the updated packages, is available at:
     www.mandriva.com/security/advisories?name=MDKSA-2005:120-1

     Other references:
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2260
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2261
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2262
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2263
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2264
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2265
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1937
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2266
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2267
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2268
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2269
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2270
     http://www.mozilla.org/security/announce/mfsa2005-45.html
     http://www.mozilla.org/security/announce/mfsa2005-46.html
     http://www.mozilla.org/security/announce/mfsa2005-47.html
     http://www.mozilla.org/security/announce/mfsa2005-48.html
     http://www.mozilla.org/security/announce/mfsa2005-49.html
     http://www.mozilla.org/security/announce/mfsa2005-50.html
     http://www.mozilla.org/security/announce/mfsa2005-51.html
     http://www.mozilla.org/security/announce/mfsa2005-52.html
     http://www.mozilla.org/security/announce/mfsa2005-53.html
     http://www.mozilla.org/security/announce/mfsa2005-54.html
     http://www.mozilla.org/security/announce/mfsa2005-55.html
     http://www.mozilla.org/security/announce/mfsa2005-56.html
     http://secunia.com/advisories/15489/
     http://secunia.com/advisories/15549/
     http://secunia.com/advisories/15601/

     Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  8. Mandriva Security Advisories MDKA-2005:035 : clamav
     Updated clamav packages provide latest version
     July 22nd, 2005

     Clamav is being updated to 0.86.1 for all supported versions in order to provide compatibility with the latest virus definitions.

     The released versions of Mandriva GNU/Linux affected are: 10.1, CS3.0, 10.2

     Full information about this advisory, including the updated packages, is available at:
     www.mandriva.com/security/advisories?name=MDKA-2005:035

     Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  9. Mandriva Security Advisories MDKSA-2005:123 : shorewall
     Updated shorewall packages fix vulnerability
     July 20th, 2005

     A vulnerability was discovered in all versions of shorewall where a client accepted by MAC address filtering is able to bypass any other rule. If MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is set to ACCEPT in shorewall.conf, and a client is positively identified through its MAC address, it bypasses all other policies and rules in place, gaining access to all open services on the firewall.

     Shorewall 2.0.17 is provided which fixes this issue.

     The released versions of Mandriva GNU/Linux affected are: 10.0, 10.1, CS3.0, MNF2.0, 10.2

     Full information about this advisory, including the updated packages, is available at:
     www.mandriva.com/security/advisories?name=MDKSA-2005:123

     Other references:
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2317
     http://shorewall.net/News.htm#20050717

     Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  10. Mandriva Security Advisories MDKSA-2005:122 : kdelibs
      Updated kdelibs packages fix vulnerability in kate and kwrite
      July 20th, 2005

      The Kate and Kwrite programs create a file backup before saving a modified file. These backup files are created with default system permissions, even if the original file had more strict permissions set.

      The updated packages have been patched to address this issue.

      The released versions of Mandriva GNU/Linux affected are: 10.1, CS3.0, 10.2

      Full information about this advisory, including the updated packages, is available at:
      www.mandriva.com/security/advisories?name=MDKSA-2005:122

      Other references:
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1920
      http://www.kde.org/info/security/advisory-20050718-1.txt

      Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  11. Mandriva Security Advisories MDKSA-2005:116-1 : cpio
      Updated cpio packages fix vulnerabilities
      July 19th, 2005

      A race condition has been found in cpio 2.6 and earlier which allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete (CAN-2005-1111).

      A vulnerability has been discovered in cpio that allows a malicious cpio file to extract to an arbitrary directory of the attacker's choice. cpio will extract to the path specified in the cpio file; this path can be absolute (CAN-2005-1229).

      Update: The previous packages had a problem upgrading due to an unresolved issue with tar and rmt. These packages correct the problem.

      The released versions of Mandriva GNU/Linux affected are: 10.0, 10.1, CS2.1, CS3.0, MNF2.0, 10.2

      Full information about this advisory, including the updated packages, is available at:
      www.mandriva.com/security/advisories?name=MDKSA-2005:116-1

      Other references:
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1111
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1229

      Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  12. Mandriva Security Advisories MDKSA-2005:121 : nss_ldap
      Updated nss_ldap/pam_ldap packages fix vulnerabilities
      July 18th, 2005

      Rob Holland, of the Gentoo Security Audit Team, discovered that pam_ldap and nss_ldap would not use TLS for referred connections if they are referred to a master after connecting to a slave, regardless of the "ssl start_tls" setting in ldap.conf.

      As well, a bug in nss_ldap in Corporate Server and Mandrake 10.0 has been fixed that caused crond, and other applications, to crash as a result of clients receiving a SIGPIPE signal when attempting to issue a new search request to a directory server that is no longer available.

      The updated packages have been patched to address this issue.

      The released versions of Mandriva GNU/Linux affected are: 10.0, 10.1, CS2.1, CS3.0, MNF2.0, 10.2

      Full information about this advisory, including the updated packages, is available at:
      www.mandriva.com/security/advisories?name=MDKSA-2005:121

      Other references:
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069

      Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  13. Mandriva Security Advisories MDKSA-2005:120 : mozilla-firefox
      Updated mozilla-firefox packages fix multiple vulnerabilities
      July 13th, 2005

      A number of vulnerabilities were reported and fixed in Firefox 1.0.5 and Mozilla 1.7.9. The following vulnerabilities have been backported and patched for this update:

      In several places the browser UI did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events generated by web content. The problems ranged from minor annoyances like switching tabs or entering full-screen mode, to a variant on MFSA 2005-34. Synthetic events are now prevented from reaching the browser UI entirely rather than depend on each potentially spoofed function to protect itself from untrusted events (MFSA 2005-45).

      Scripts in XBL controls from web content continued to be run even when Javascript was disabled. By itself this causes no harm, but it could be combined with most script-based exploits to attack people running vulnerable versions who thought disabling javascript would protect them. In the Thunderbird and Mozilla Suite mail clients Javascript is disabled by default for protection against denial-of-service attacks and worms; this vulnerability could be used to bypass that protection (MFSA 2005-46).

      If an attacker can convince a victim to use the "Set As Wallpaper" context menu item on a specially crafted image then they can run arbitrary code on the user's computer. The image "source" must be a javascript: url containing an eval() statement and such an image would get the "broken image" icon, but with CSS it could be made transparent and placed on top of a real image. The attacker would have to convince the user to change their desktop background to the exploit image, and to do so by using the Firefox context menu rather than first saving the image locally and using the normal mechanism provided by their operating system. This affects only Firefox 1.0.3 and 1.0.4; earlier versions are unaffected. The implementation of this feature in the Mozilla Suite is also unaffected (MFSA 2005-47).

      The InstallTrigger.install() method for launching an install accepts a callback function that will be called with the final success or error status. By forcing a page navigation immediately after calling the install method this callback function can end up running in the context of the new page selected by the attacker. This is true even if the user cancels the unwanted install dialog: cancel is an error status. This callback script can steal data from the new page such as cookies or passwords, or perform actions on the user's behalf such as make a purchase if the user is already logged into the target site. In Firefox the default settings allow only http://addons.mozilla.org to bring up this install dialog. This could only be exploited if users have added questionable sites to the install whitelist, and if a malicious site can convince you to install from their site that's a much more powerful attack vector. In the Mozilla Suite the whitelist feature is turned off by default; any site can prompt the user to install software and exploit this vulnerability. The browser has been fixed to clear any pending callback function when switching to a new site (MFSA 2005-48).

      Sites can use the _search target to open links in the Firefox sidebar. A missing security check allows the sidebar to inject data: urls containing scripts into any page open in the browser. This could be used to steal cookies, passwords or other sensitive data (MFSA 2005-49).

      When InstallVersion.compareTo() is passed an object rather than a string it assumed the object was another InstallVersion without verifying it. When passed a different kind of object the browser would generally crash with an access violation. shutdown has demonstrated that different javascript objects can be passed on some OS versions to get control over the instruction pointer. We assume this could be developed further to run arbitrary machine code if the attacker can get exploit code loaded at a predictable address (MFSA 2005-50).

      The original frame-injection spoofing bug was fixed in the Mozilla Suite 1.7 and Firefox 0.9 releases. This protection was accidentally bypassed by one of the fixes in the Firefox 1.0.3 and Mozilla Suite 1.7.7 releases (MFSA 2005-51).

      A child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus() routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent comes from the same site. The attacker could steal cookies and passwords from the framed page, or take actions on behalf of a signed-in user. This attack would work only against sites that use frames in this manner (MFSA 2005-52).

      Several media players, for example Flash and QuickTime, support scripted content with the ability to open URLs in the default browser. The default behavior for Firefox was to replace the currently open browser window's content with the externally opened content. If the external URL was a javascript: url it would run as if it came from the site that served the previous content, which could be used to steal sensitive information such as login cookies or passwords. If the media player content first caused a privileged chrome: url to load then the subsequent javascript: url could execute arbitrary code. External javascript: urls will now run in a blank context regardless of what content it's replacing, and external apps will no longer be able to load privileged chrome: urls in a browser window. The -chrome command line option to load chrome applications is still supported (MFSA 2005-53).

      Alerts and prompts created by scripts in web pages are presented with the generic title [JavaScript Application] which sometimes makes it difficult to know which site created them. A malicious page could attempt to cause a prompt to appear in front of a trusted site in an attempt to extract information such as passwords from the user. In the fixed version these prompts will contain the hostname from the page which created it (MFSA 2005-54).

      Parts of the browser UI relied too much on DOM node names without taking different namespaces into account and verifying that nodes really were of the expected type. An XHTML document could be used to create fake elements, for example, with content-defined properties that the browser would access as if they were the trusted built-in properties of the expected HTML elements. The severity of the vulnerability would depend on what the attacker could convince the victim to do, but could result in executing user-supplied script with elevated "chrome" privileges. This could be used to install malicious software on the victim's machine (MFSA 2005-55).

      Improper cloning of base objects allowed web content scripts to walk up the prototype chain to get to a privileged object. This could be used to execute code with enhanced privileges (MFSA 2005-56).

      The updated packages have been patched to address these issues.
The released versions of Mandriva GNU/Linux affected are: 10.2 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:120 Other references: http://www.mozilla.org/security/announce/mfsa2005-45.html http://www.mozilla.org/security/announce/mfsa2005-46.html http://www.mozilla.org/security/announce/mfsa2005-47.html http://www.mozilla.org/security/announce/mfsa2005-48.html http://www.mozilla.org/security/announce/mfsa2005-49.html http://www.mozilla.org/security/announce/mfsa2005-50.html http://www.mozilla.org/security/announce/mfsa2005-51.html http://www.mozilla.org/security/announce/mfsa2005-52.html http://www.mozilla.org/security/announce/mfsa2005-53.html http://www.mozilla.org/security/announce/mfsa2005-54.html http://www.mozilla.org/security/announce/mfsa2005-55.html http://www.mozilla.org/security/announce/mfsa2005-56.html http://secunia.com/advisories/15489/ http://secunia.com/advisories/15549/ http://secunia.com/advisories/15601/ Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  14. Mandriva Security Advisories MDKSA-2005:119 : krb5
Updated krb5 packages fix multiple vulnerabilities
July 13th, 2005

A number of vulnerabilities have been corrected in this Kerberos update:

The rcp protocol would allow a server to instruct a client to write to arbitrary files outside of the current directory. The Kerberos-aware rcp could be abused to copy files from a malicious server (CAN-2004-0175).

Gael Delalleau discovered an information disclosure vulnerability in the way some telnet clients handled messages from a server. This could be abused by a malicious telnet server to collect information from the environment of any victim connecting to the server using the Kerberos-aware telnet client (CAN-2005-0488).

Daniel Wachdorf discovered that in error conditions that could occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory, which could cause the KDC to crash resulting in a Denial of Service (CAN-2005-1174).

Daniel Wachdorf also discovered a single-byte heap overflow in the krb5_unparse_name() function that could, if successfully exploited, lead to a crash, resulting in a DoS. To trigger this flaw, an attacker would need to have control of a Kerberos realm that shares a cross-realm key with the target (CAN-2005-1175).

Finally, a double-free flaw was discovered in the krb5_recvauth() routine which could be triggered by a remote unauthenticated attacker. This issue could potentially be exploited to allow for the execution of arbitrary code on a KDC. No exploit is currently known to exist (CAN-2005-1689).

The updated packages have been patched to address these issues and Mandriva urges all users to upgrade to these packages as quickly as possible.

The released versions of Mandriva GNU/Linux affected are: 10.0 10.1 CS2.1 CS3.0 MNF2.0 10.2

Full information about this advisory, including the updated packages, is available at:
www.mandriva.com/security/advisories?name=MDKSA-2005:119

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689
http://www.kb.cert.org/vuls/id/623332
http://www.kb.cert.org/vuls/id/259798
http://www.kb.cert.org/vuls/id/885830
http://web.mit.edu/kerberos/advisories/MIT...005-002-kdc.txt
http://web.mit.edu/kerberos/advisories/MIT...03-recvauth.txt

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  15. Mandriva Security Advisories MDKSA-2005:118 : ruby
Updated ruby packages fix vulnerabilities
July 12th, 2005

A vulnerability was discovered in ruby version 1.8 that could allow for the execution of arbitrary commands on a server running the ruby xmlrpc server.

The updated packages have been patched to address this issue.

The released versions of Mandriva GNU/Linux affected are: 10.1 CS3.0 10.2

Full information about this advisory, including the updated packages, is available at:
www.mandriva.com/security/advisories?name=MDKSA-2005:118

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1992

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  16. Mandriva Security Advisories MDKSA-2005:117 : dhcpcd
Updated dhcpcd packages fix vulnerabilities
July 12th, 2005

"infamous42md" discovered that the dhcpcd DHCP client could be tricked into reading past the end of the supplied DHCP buffer, which could lead to the daemon crashing.

The updated packages have been patched to address this issue.

The released versions of Mandriva GNU/Linux affected are: 10.1 CS3.0 10.2

Full information about this advisory, including the updated packages, is available at:
www.mandriva.com/security/advisories?name=MDKSA-2005:117

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1848

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  17. Mandriva Security Advisories MDKSA-2005:116 : cpio
Updated cpio packages fix vulnerabilities
July 11th, 2005

A race condition has been found in cpio 2.6 and earlier which allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete. (CAN-2005-1111)

A vulnerability has been discovered in cpio that allows a malicious cpio file to extract to an arbitrary directory of the attacker's choice. Cpio will extract to the path specified in the cpio file, and this path can be absolute. (CAN-2005-1229)

The updated packages have been patched to address both of these issues.

The released versions of Mandriva GNU/Linux affected are: 10.0 10.1 CS2.1 CS3.0 10.2

Full information about this advisory, including the updated packages, is available at:
www.mandriva.com/security/advisories?name=MDKSA-2005:116

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1111
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1229

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  18. Mandriva Security Advisories MDKSA-2005:115 : mplayer
Updated mplayer packages fix vulnerabilities
July 11th, 2005

Two heap overflows were discovered in mplayer's code handling the RealMedia RTSP and Microsoft Media Services streams over TCP (MMST). These vulnerabilities could allow for a malicious server to execute arbitrary code on the client computer with the permissions of the user running MPlayer.

The updated packages have been patched to correct this problem.

The released versions of Mandriva GNU/Linux affected are: 10.1 CS3.0 10.2

Full information about this advisory, including the updated packages, is available at:
www.mandriva.com/security/advisories?name=MDKSA-2005:115

Other references:
http://www.mplayerhq.hu/homepage/design7/news.html#vuln10
http://www.mplayerhq.hu/homepage/design7/news.html#vuln11

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  19. Mandriva Security Advisories MDKSA-2005:114 : leafnode
Updated leafnode packages fix multiple vulnerabilities
July 11th, 2005

A number of vulnerabilities in the leafnode NNTP server package have been found:

A vulnerability in the fetchnews program that could under some circumstances cause a wait for input that never arrives, which in turn would cause fetchnews to hang (CAN-2004-2068).

Two vulnerabilities in the fetchnews program can cause fetchnews to crash when the upstream server closes the connection and leafnode is receiving an article header or an article body, which prevents leafnode from querying other servers that are listed after that particular server in the configuration file (CAN-2005-1453).

Finally, another vulnerability in the fetchnews program could also cause a wait for input that never arrives, causing fetchnews to hang (CAN-2005-1911).

The updated packages have been patched to correct these problems.

The released versions of Mandriva GNU/Linux affected are: 10.1 CS3.0 10.2

Full information about this advisory, including the updated packages, is available at:
www.mandriva.com/security/advisories?name=MDKSA-2005:114

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2068
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1453
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1911

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  20. Mandriva Security Advisories MDKSA-2005:113 : clamav
Updated clamav packages fix vulnerability
July 11th, 2005

Andrew Toller and Stefan Kanthak discovered that a flaw in libmspack's Quantum archive decompressor renders Clam AntiVirus vulnerable to a Denial of Service attack.

The updated packages have been patched to correct the problem.

The released versions of Mandriva GNU/Linux affected are: 10.1 CS3.0 10.2

Full information about this advisory, including the updated packages, is available at:
www.mandriva.com/security/advisories?name=MDKSA-2005:113

Other references:
http://sourceforge.net/project/shownotes.p...lease_id=337279

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  21. Mandriva Security Advisories MDKA-2005:034 : drakxtools
Updated drakxtools packages fix various bugs
July 11th, 2005

Three bugs have been corrected in the drakxtools package:

drakfirewall: The port range syntax has been corrected for samba. (#16604)

drakfont: Uninstalling fonts has been fixed. (#9324)

drakbackup: The application has been patched to correctly deal with directory names that contain spaces, as well as add more restrictive permissions on the backup tarballs. (#12861)

The updated packages correct these issues.

The released versions of Mandriva GNU/Linux affected are: 10.0 CS3.0

Full information about this advisory, including the updated packages, is available at:
www.mandriva.com/security/advisories?name=MDKA-2005:034

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  22. Mandriva Security Advisories MDKSA-2005:112 : zlib
Updated zlib packages fix vulnerability
July 6th, 2005

Tavis Ormandy of the Gentoo Security Project discovered a vulnerability in zlib where a certain data stream would cause zlib to corrupt a data structure, resulting in the linked application dumping core.

The updated packages have been patched to correct this problem.

The released versions of Mandriva GNU/Linux affected are: 10.0 10.1 CS3.0 10.2

Full information about this advisory, including the updated packages, is available at:
www.mandriva.com/security/advisories?name=MDKSA-2005:112

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  23. Mandriva Security Advisories MDKSA-2005:111 : kernel-2.4
Updated 2.4 kernel packages fix multiple vulnerabilities
June 30th, 2005

Multiple vulnerabilities in the Linux kernel have been discovered and fixed in this update. The following have been fixed in the 2.4 kernels:

Colin Percival discovered a vulnerability in Intel's Hyper-Threading technology that could allow a local user to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys via a timing attack on memory cache misses. This has been corrected by disabling HT support in all kernels (CAN-2005-0109).

When forwarding fragmented packets, a hardware assisted checksum could only be used once which could lead to a Denial of Service attack or crash by remote users (CAN-2005-0209).

A flaw in the Linux PPP driver was found where on systems allowing remote users to connect to a server via PPP, a remote client could cause a crash, resulting in a Denial of Service (CAN-2005-0384).

An information leak in the ext2 filesystem code was found where when a new directory is created, the ext2 block written to disk is not initialized (CAN-2005-0400).

A signedness error in the copy_from_read_buf function in n_tty.c allows local users to read kernel memory via a negative argument (CAN-2005-0530).

George Guninski discovered a buffer overflow in the ATM driver where the atm_get_addr() function does not validate its arguments sufficiently which could allow a local attacker to overwrite large portions of kernel memory by supplying a negative length argument. This could potentially lead to the execution of arbitrary code (CAN-2005-0531).

A flaw when freeing a pointer in load_elf_library was found that could be abused by a local user to potentially crash the machine causing a Denial of Service (CAN-2005-0749).

A problem with the Bluetooth kernel stack in kernels 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 could be used by a local attacker to gain root access or crash the machine (CAN-2005-0750).

A race condition in the Radeon DRI driver allows a local user with DRI privileges to execute arbitrary code as root (CAN-2005-0767).

Paul Starzetz found an integer overflow in the ELF binary format loader's code dump function in kernels prior to and including 2.4.31-pre1 and 2.6.12-rc4. By creating and executing a specially crafted ELF executable, a local attacker could exploit this to execute arbitrary code with root and kernel privileges (CAN-2005-1263).

The released versions of Mandriva GNU/Linux affected are: 10.0 10.1 MNF8.2 CS2.1 CS3.0

Full information about this advisory, including the updated packages, is available at:
www.mandriva.com/security/advisories?name=MDKSA-2005:111

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0749
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1263

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  24. Mandriva Security Advisories MDKSA-2005:110 : kernel
Updated 2.6 kernel packages fix multiple vulnerabilities
June 30th, 2005

Multiple vulnerabilities in the Linux kernel have been discovered and fixed in this update. The following CVE names have been fixed in the LE2005 kernel:

Colin Percival discovered a vulnerability in Intel's Hyper-Threading technology that could allow a local user to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys via a timing attack on memory cache misses. This has been corrected by disabling HT support in all kernels (CAN-2005-0109).

An information leak in the ext2 filesystem code in kernels prior to 2.6.11.6 was found where when a new directory is created, the ext2 block written to disk is not initialized (CAN-2005-0400).

A flaw when freeing a pointer in load_elf_library was found in kernels prior to 2.6.11.6 that could be abused by a local user to potentially crash the machine causing a Denial of Service (CAN-2005-0749).

A problem with the Bluetooth kernel stack in kernels 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 could be used by a local attacker to gain root access or crash the machine (CAN-2005-0750).

Paul Starzetz found an integer overflow in the ELF binary format loader's code dump function in kernels prior to and including 2.4.31-pre1 and 2.6.12-rc4. By creating and executing a specially crafted ELF executable, a local attacker could exploit this to execute arbitrary code with root and kernel privileges (CAN-2005-1263).

The drivers for raw devices used the wrong function to pass arguments to the underlying block device in 2.6.x kernels. This made the kernel address space accessible to user-space applications allowing any local user with at least read access to a device in /dev/raw/* (usually only root) to execute arbitrary code with kernel privileges (CAN-2005-1264).

The it87 and via686a hardware monitor drivers in kernels prior to 2.6.11.8 and 2.6.12 prior to 2.6.12-rc2 created a sysfs file named 'alarms' with write permissions although they are not designed to be writable. This allowed a local user to crash the kernel by attempting to write to these files (CAN-2005-1369).

In addition to the above-noted CAN-2005-0109, CAN-2005-0400, CAN-2005-0749, CAN-2005-0750, and CAN-2005-1369 fixes, the following CVE names have been fixed in the 10.1 kernel:

The POSIX Capability Linux Security Module (LSM) for 2.6 kernels up to and including 2.6.8.1 did not properly handle the credentials of a process that is launched before the module is loaded, which could be used by local attackers to gain elevated privileges (CAN-2004-1337).

A flaw in the Linux PPP driver in kernel 2.6.8.1 was found where on systems allowing remote users to connect to a server via PPP, a remote client could cause a crash, resulting in a Denial of Service (CAN-2005-0384).

George Guninski discovered a buffer overflow in the ATM driver in kernels 2.6.10 and 2.6.11 before 2.6.11-rc4 where the atm_get_addr() function does not validate its arguments sufficiently which could allow a local attacker to overwrite large portions of kernel memory by supplying a negative length argument. This could potentially lead to the execution of arbitrary code (CAN-2005-0531).

The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c before kernel 2.6.11, when running on 64-bit architectures, could allow local users to trigger a buffer overflow as a result of casting discrepancies between size_t and int data types. This could allow an attacker to overwrite kernel memory, crash the machine, or potentially obtain root access (CAN-2005-0532).

A race condition in the Radeon DRI driver in kernel 2.6.8.1 allows a local user with DRI privileges to execute arbitrary code as root (CAN-2005-0767).

Access was not restricted to the N_MOUSE discipline for a TTY in kernels prior to 2.6.11. This could allow local attackers to obtain elevated privileges by injecting mouse or keyboard events into other users' sessions (CAN-2005-0839).

Some futex functions in futex.c in 2.6 kernels performed get_user calls while holding the mmap_sem semaphore, which could allow a local attacker to cause a deadlock condition in do_page_fault by triggering get_user faults while another thread is executing mmap or other functions (CAN-2005-0937).

In addition to the above-noted CAN-2004-1337, CAN-2005-0109, CAN-2005-0384, CAN-2005-0400, CAN-2005-0531, CAN-2005-0532, CAN-2005-0749, CAN-2005-0750, CAN-2005-0767, CAN-2005-0839, CAN-2005-0937, CAN-2005-1263, CAN-2005-1264, and CAN-2005-1369 fixes, the following CVE names have been fixed in the 10.0/Corporate 3.0 kernels:

A race condition in the setsid function in kernels before 2.6.8.1 could allow a local attacker to cause a Denial of Service and possibly access portions of kernel memory related to TTY changes, locking, and semaphores (CAN-2005-0178).

When forwarding fragmented packets in kernel 2.6.8.1, a hardware assisted checksum could only be used once which could lead to a Denial of Service attack or crash by remote users (CAN-2005-0209).

A signedness error in the copy_from_read_buf function in n_tty.c before kernel 2.6.11 allows local users to read kernel memory via a negative argument (CAN-2005-0530).

A vulnerability in the fib_seq_start() function allowed a local user to crash the system by reading /proc/net/route in a certain way, causing a Denial of Service (CAN-2005-1041).

A vulnerability in the Direct Rendering Manager (DRM) driver in the 2.6 kernel does not properly check the DMA lock, which could allow remote attackers or local users to cause a Denial of Service (X Server crash) and possibly modify the video output (CAN-2004-1056).

The released versions of Mandriva GNU/Linux affected are: 10.0 10.1 CS3.0 10.2

Full information about this advisory, including the updated packages, is available at:
www.mandriva.com/security/advisories?name=MDKSA-2005:110

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0532
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0749
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1041
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1264
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1369

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  25. Mandriva Security Advisories MDKSA-2005:109 : php-pear
Updated php-pear packages fix remotely exploitable vulnerability
June 30th, 2005

A vulnerability was discovered by GulfTech Security in the PHP XML RPC project. This vulnerability is considered critical and can lead to remote code execution. The vulnerability also exists in the PEAR XMLRPC implementation.

Mandriva ships with the PEAR XMLRPC implementation and it has been patched to correct this problem. It is advised that users examine the PHP applications they have installed on their servers for any applications that may come bundled with their own copies of the PEAR system and either patch RPC.php or use the system PEAR (found in /usr/share/pear).

Updates have been released for some popular PHP applications such as WordPress and Serendipity and users are urged to take all precautions to protect their systems from attack and/or defacement by upgrading their applications from the authors of the respective applications.

The released versions of Mandriva GNU/Linux affected are: 10.0 10.1 CS3.0 10.2

Full information about this advisory, including the updated packages, is available at:
www.mandriva.com/security/advisories?name=MDKSA-2005:109

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1921
http://www.hardened-php.net/advisory-022005.php

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)