Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test : 1
Number of security holes found : 145
Number of security warnings found : 4


Host List
Host(s) Possible Issue
127.0.0.1 Security hole(s) found


Analysis of Host
Address of Host Port/Service Issue regarding Port
127.0.0.1 ssh (22/tcp) Security warning(s) found
127.0.0.1 sunrpc (111/tcp) Security notes found
127.0.0.1 ipp (631/tcp) Security warning(s) found
127.0.0.1 nessus (1241/tcp) Security warning(s) found
127.0.0.1 x11 (6000/tcp) Security notes found
127.0.0.1 unknown (32768/tcp) Security notes found
127.0.0.1 sunrpc (111/udp) Security notes found
127.0.0.1 unknown (32789/udp) Security hole found
127.0.0.1 general/tcp Security hole found


Security Issues and Fixes: 127.0.0.1
Type Port Issue and Fix
Warning ssh (22/tcp)
The remote SSH daemon supports connections made
using versions 1.33 and/or 1.5 of the SSH protocol.

These protocols are not completely cryptographically
safe so they should not be used.

Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's server, set the option 'Ssh1Compatibility' to 'no'

Risk factor : Low
Nessus ID : 10882
Informational ssh (22/tcp) An ssh server is running on this port
Nessus ID : 10330
Informational ssh (22/tcp) Remote SSH version : SSH-1.99-OpenSSH_3.6.1p2

Remote SSH supported authentication : publickey,password,keyboard-interactive


Nessus ID : 10267
Informational ssh (22/tcp) The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.33
. 1.5
. 1.99
. 2.0


SSHv1 host key fingerprint : d5:4b:32:6d:4c:27:21:87:b8:56:fa:09:53:d1:44:90
SSHv2 host key fingerprint : 35:57:8a:35:d9:31:75:a9:0d:43:84:7b:18:eb:b7:df

Nessus ID : 10881
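The SSH-1 warning from plugin 10882 and the version list above both come from one observation: the identification string the daemon sends on connect, which for this host is SSH-1.99-OpenSSH_3.6.1p2. The following Python is an added example, not code from the Nessus report or from OpenSSH, that parses that string and decides whether SSH-1 is still negotiable; once 'Protocol 2' is in sshd_config and sshd restarted, a fresh banner from the same daemon should read SSH-2.0-..., which is the quickest way to confirm the fix. The sample banners, host and port are constructed for the example.

```python
# Added example, not from the Nessus report or OpenSSH: decide from the
# identification string whether a server still negotiates SSH-1.
# RFC 4253 s.4.2: "SSH-protoversion-softwareversion [SP comments] CR LF".
# "1.99" is the compatibility value a server announces when it accepts
# both protocol 1 and protocol 2 clients; "2.0" means protocol 2 only.
import re
import socket

BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<sw>\S+)(?: (?P<comment>.*))?$")

# Constructed sample banners (the first is the one this report shows).
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.6.1p2\r\n",
    "SSH-2.0-OpenSSH_3.6.1p2\r\n",      # the same daemon after 'Protocol 2'
    "SSH-1.5-SomeOldServer\r\n",        # protocol 1 only
]


def parse_banner(line: str) -> dict:
    """Split one identification line into protocol, software and comment."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {"proto": m["proto"], "software": m["sw"], "comment": m["comment"]}


def supports_sshv1(line: str) -> bool:
    """True when the server will still speak the legacy SSH-1 protocol.

    Any 1.x value counts: 1.3 and 1.5 are SSH-1 proper, and 1.99 is the
    "both protocols" announcement that 'Protocol 2,1' produces, which is
    what this host's SSH-1.99 banner reflects.
    """
    return parse_banner(line)["proto"].startswith("1.")


def sshv1_finding(line: str) -> str:
    """One-line verdict in the style of the report entries above."""
    info = parse_banner(line)
    if supports_sshv1(line):
        return (f"{info['software']}: SSH-1 accepted (announces {info['proto']}); "
                "set 'Protocol 2' in sshd_config and restart sshd")
    return f"{info['software']}: SSH-2 only (announces {info['proto']})"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line from a live server (network; not run offline).

    RFC 4253 allows the server to send other text lines before the SSH- line,
    so anything that does not start with "SSH-" is discarded.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        buf = b""
        while b"\n" not in buf or not buf.startswith(b"SSH-"):
            chunk = s.recv(256)
            if not chunk:
                raise ConnectionError("closed before sending an identification string")
            buf += chunk
            while b"\n" in buf and not buf.startswith(b"SSH-"):
                buf = buf.split(b"\n", 1)[1]
        return buf.split(b"\n", 1)[0].decode("ascii", "replace")


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(sshv1_finding(banner))
```

Run it against a live host with grab_banner(host) in place of the sample list; the banner is sent before any key exchange, so the check needs no credentials and completes in one round trip.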
Informational sunrpc (111/tcp)
The RPC portmapper is running on this port.

An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.

Risk factor : Low
CVE : CAN-1999-0632, CVE-1999-0189
BID : 205
Nessus ID : 10223
Informational sunrpc (111/tcp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

Nessus ID : 11111
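The 'RPC program #100000 ... is running' lines that plugin 11111 produces here, and for 111/udp and 32768/tcp further down, are the result of asking the portmapper to dump its registration table, which is exactly the enumeration the warning above refers to. The following Python is an added example, not code from the Nessus report, that builds the PMAPPROC_DUMP call, decodes the reply and prints it in rpcinfo -p form. The sample table is constructed from the entries this report lists (portmapper on 111/tcp and 111/udp, sgi_fam on 32768/tcp); the transaction id is arbitrary.

```python
# Added example, not code from the Nessus report: enumerate RPC services the
# way plugin 11111 does, by calling PMAPPROC_DUMP (program 100000, version 2,
# procedure 4; RFC 1833) over ONC RPC v2 (RFC 5531) and decoding the
# XDR-encoded mapping list in the reply.
import socket
import struct
import sys

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
PROTO_NAME = {6: "tcp", 17: "udp"}
XID = 0x1234ABCD                    # arbitrary transaction id; the reply must echo it

# Constructed sample table matching the entries this report lists.
SAMPLE_MAPPINGS = [
    (100000, 2, 6, 111),            # portmapper over tcp
    (100000, 2, 17, 111),           # portmapper over udp
    (391002, 2, 6, 32768),          # sgi_fam over tcp
]


def _pad4(n: int) -> int:
    """XDR pads opaque bodies to a multiple of four bytes."""
    return (n + 3) & ~3


def build_dump_call(xid: int = XID) -> bytes:
    """CALL message for PMAPPROC_DUMP with AUTH_NULL credentials and verifier."""
    return struct.pack(
        ">10I",
        xid,
        0,                          # msg_type = CALL
        2,                          # RPC protocol version
        PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP,
        0, 0,                       # cred: flavor AUTH_NULL, empty body
        0, 0,                       # verf: flavor AUTH_NULL, empty body
    )


def parse_dump_reply(data: bytes, xid: int = XID) -> list:
    """Decode a REPLY into [(program, version, ip_proto, port), ...]."""
    rxid, msg_type, reply_stat = struct.unpack_from(">3I", data, 0)
    if rxid != xid or msg_type != 1:
        raise ValueError("not a REPLY to our call")
    if reply_stat != 0:             # MSG_DENIED: RPC version mismatch or auth error
        raise ValueError("call denied by the portmapper")
    _flavor, verf_len = struct.unpack_from(">2I", data, 12)
    off = 20 + _pad4(verf_len)      # skip the verifier body
    (accept_stat,) = struct.unpack_from(">I", data, off)
    off += 4
    if accept_stat != 0:            # e.g. PROG_UNAVAIL, PROC_UNAVAIL, GARBAGE_ARGS
        raise ValueError(f"call accepted but failed, accept_stat={accept_stat}")
    mappings = []
    while True:                     # XDR optional list: 1 = entry follows, 0 = end
        (more,) = struct.unpack_from(">I", data, off)
        off += 4
        if more == 0:
            return mappings
        mappings.append(struct.unpack_from(">4I", data, off))
        off += 16


def build_dump_reply(mappings, xid: int = XID) -> bytes:
    """Encode a successful REPLY; used here to construct offline sample traffic."""
    out = struct.pack(">6I", xid, 1, 0, 0, 0, 0)   # REPLY, ACCEPTED, null verf, SUCCESS
    for prog, vers, proto, port in mappings:
        out += struct.pack(">5I", 1, prog, vers, proto, port)
    return out + struct.pack(">I", 0)


def format_mappings(mappings) -> list:
    """Render entries the way 'rpcinfo -p' prints them: '100000 2 tcp 111'."""
    return [f"{p} {v} {PROTO_NAME.get(ip, ip)} {port}" for p, v, ip, port in mappings]


def dump_over_udp(host: str, port: int = 111, timeout: float = 3.0) -> list:
    """Query a live portmapper (network; not run offline). UDP is used because
    TCP replies carry a 4-byte record-marking header this decoder does not strip."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_call(), (host, port))
        data, _ = s.recvfrom(65535)
    return parse_dump_reply(data)


if __name__ == "__main__":
    table = (dump_over_udp(sys.argv[1]) if len(sys.argv) > 1
             else parse_dump_reply(build_dump_reply(SAMPLE_MAPPINGS)))
    print("\n".join(format_mappings(table)))
```

The call carries no credentials at all (AUTH_NULL), which is why filtering port 111 is the only thing that stops an outsider from reading the table; note that the registered services themselves (here sgi_fam on 32768) stay reachable on their own ports whether or not the portmapper is filtered.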
Warning ipp (631/tcp)
It seems that your web server tries to hide its version
or name, which is a good thing.
However, using a specially crafted request, Nessus was able
to determine that it is running :
CUPS/1.1

Risk factor : None
Solution : Fix your configuration.
Nessus ID : 11239
Warning ipp (631/tcp) It seems that the PUT method is enabled on your web server
Although we could not exploit this, you'd better disable it
Solution : disable this method
Risk factor : High
BID : 12141
Other references : OWASP:OWASP-CM-001
Nessus ID : 10498
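Plugin 10498's PUT finding is worth confirming by hand before it is filed as High, since the plugin itself says it could not exploit it. The Python below is an added example, not code from the Nessus report or from CUPS: it first asks the server which methods it advertises (OPTIONS and the Allow header) and then attempts a PUT of a small file, classifying the status line the way a scanner would. The probe path, body and the sample responses are constructed for the example.

```python
# Added example, not from the Nessus report or CUPS: confirm whether PUT is
# really accepted, in two steps (OPTIONS/Allow, then an actual PUT).
import socket

PROBE_PATH = "/nessus_put_probe.txt"   # assumed; pick a name that cannot collide


def build_request(method: str, host: str, path: str, body: bytes = b"") -> bytes:
    """Minimal HTTP/1.1 request with a Host header and Connection: close."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if body:
        lines += ["Content-Type: text/plain", f"Content-Length: {len(body)}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def split_response(raw: bytes):
    """Return (status_code, {header-name-lowercased: value}) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {status_line!r}")
    headers = {}
    for h in header_lines:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return int(parts[1]), headers


def advertised_methods(raw_options_response: bytes) -> set:
    """Methods listed in the Allow header of an OPTIONS response (empty if absent)."""
    _, headers = split_response(raw_options_response)
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def classify_put(raw_put_response: bytes) -> str:
    """Verdict for a PUT attempt: 'enabled' means the server stored the body."""
    code, _ = split_response(raw_put_response)
    if code in (200, 201, 204):
        return "enabled"
    if code in (401, 403):
        return "auth-required"          # method exists but is gated
    if code in (405, 501):
        return "disabled"
    return f"inconclusive ({code})"


def exchange(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Send one request and read the whole response (network; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            c = s.recv(4096)
            if not c:
                return b"".join(chunks)
            chunks.append(c)


def probe_put(host: str, port: int = 631) -> str:
    """Both steps against a live server; DELETE the probe file if the PUT succeeded."""
    methods = advertised_methods(exchange(host, port, build_request("OPTIONS", host, "*")))
    if methods and "PUT" not in methods:
        return "disabled (not in Allow)"
    return classify_put(exchange(host, port, build_request("PUT", host, PROBE_PATH, b"probe")))
```

A 201 or 204 means the file was actually stored and must be removed afterwards; 401 or 403 means the method exists but is behind authentication; 405 or 501 is the state the plugin's "disable this method" advice aims for. An Allow header without PUT is a good sign but not proof, which is why the second step still runs when the header is present and lists PUT or is missing.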
Informational ipp (631/tcp) A web server is running on this port
Nessus ID : 10330
Informational ipp (631/tcp) The following CGI have been discovered :

Syntax : cginame (arguments [default value])

/admin/ (op [add-class] )
/jobs (which_jobs [completed] )

Nessus ID : 10662
Informational ipp (631/tcp) The remote web server type is :

CUPS/1.1

Nessus ID : 10107
Informational ipp (631/tcp) The following Acrobat files (.pdf) are available on the remote server :
/translation.pdf
/ssr.pdf
/svd.pdf
/sps.pdf
/sdd.pdf
/idd.pdf
/ipp.pdf
/cmp.pdf
/spm.pdf
/sam.pdf
/sum.pdf
/overview.pdf


You should make sure that none of these files contain confidential or
otherwise sensitive information.

An attacker may use these files to gain a more intimate knowledge of
your organization and eventually use them to perform social engineering
attacks (abusing the trust of the personnel of your company).

Solution : sensitive files should not be accessible by everyone, but only
by authenticated users.
Nessus ID : 11419
Warning nessus (1241/tcp) A Nessus Daemon is listening on this port.
Nessus ID : 10147
Informational nessus (1241/tcp) A TLSv1 server answered on this port

Nessus ID : 10330
Informational nessus (1241/tcp) Here is the TLSv1 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=PA, L=Norristown, O=me, OU=Certification Authority for PhantomX, CN=PhantomX/emailAddress=ca@PhantomX
Validity
Not Before: Aug 24 00:15:36 2005 GMT
Not After : Aug 24 00:15:36 2006 GMT
Subject: C=US, ST=PA, L=Norristown, O=me, OU=Server certificate for PhantomX, CN=PhantomX/emailAddress=nessusd@PhantomX
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b4:30:e4:22:2e:6e:3b:79:6d:5e:a7:4e:8d:1c:
7c:5b:8b:6f:c6:4a:b3:2a:90:23:d5:06:74:41:1a:
73:38:47:a1:03:24:8a:fc:0a:1b:74:8b:bf:c4:af:
13:15:be:e2:00:08:ce:a5:a4:55:d9:07:c8:6d:dc:
56:b6:68:83:14:e1:d1:0c:bb:46:b1:ee:91:1b:27:
67:97:88:99:d4:56:2a:85:31:b8:50:1d:78:d8:12:
b9:21:83:ad:75:46:8a:8a:17:4a:18:23:fd:d3:04:
f5:e0:40:9b:2a:09:49:f6:2a:a2:0c:73:83:c9:2f:
05:a5:d5:ca:db:2a:ee:78:69
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E2:E5:6E:79:E7:C0:6C:C7:82:12:50:88:D4:10:52:64:E0:AE:C9:F5
X509v3 Authority Key Identifier:
keyid:5E:70:7D:D9:80:9D:20:EE:0A:F0:0D:E6:7B:47:FE:DE:97:26:43:FB
DirName:/C=US/ST=PA/L=Norristown/O=me/OU=Certification Authority for PhantomX/CN=PhantomX/emailAddress=ca@PhantomX
serial:00

X509v3 Subject Alternative Name:
email:nessusd@PhantomX
X509v3 Issuer Alternative Name:
<EMPTY>

Signature Algorithm: md5WithRSAEncryption
0e:7d:5a:8a:3f:13:2e:95:8e:6d:02:46:85:47:57:b4:a5:e7:
cc:78:19:6a:37:7c:43:74:da:cd:87:48:4a:c4:9d:21:aa:53:
db:a6:d2:25:a3:78:7b:a6:9b:f5:0b:93:dd:d8:ce:97:52:d8:
f1:d8:44:d1:a5:d9:36:17:7d:15:b6:de:38:a7:80:90:1c:67:
2c:a8:bd:94:a6:1c:14:ba:94:94:2f:7c:5c:16:e4:77:35:59:
30:08:a4:69:f1:58:4d:33:e3:fc:41:7c:3f:aa:2f:f5:77:15:
1d:54:1f:96:be:27:82:2c:7a:fc:61:c4:2d:ce:67:10:ef:82:
c4:44
This TLSv1 server does not accept SSLv2 connections.
This TLSv1 server does not accept SSLv3 connections.

Nessus ID : 10863
Informational x11 (6000/tcp) This X server does *not* allow any client to connect to it;
however, it is recommended that you filter incoming connections
to this port, as an attacker may send garbage data and slow down
your X session or even kill the server.

Here is the server version : 11.0
Here is the message we received : No protocol specified


Solution : filter incoming connections to ports 6000-6009
Risk factor : Low
Nessus ID : 10407
Informational unknown (32768/tcp) RPC program #391002 version 2 'sgi_fam' (fam) is running on this port

Nessus ID : 11111
Informational sunrpc (111/udp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

Nessus ID : 11111
Vulnerability unknown (32789/udp)
SNMP Agent responded as expected with community name: private
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986
Other references : IAVA:2001-B-0001
Nessus ID : 10264
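What plugin 10264 did to produce the line above is send an SNMPv1 GetRequest with a guessed community name and wait: an SNMPv1 agent silently drops a request whose community it does not know, so any GetResponse at all proves the name was accepted, and note that this agent answered on 32789/udp rather than the usual 161. The following Python is an added example, not code from the Nessus report, that encodes that request by hand (RFC 1157 over BER, no SNMP library), decodes the response, and, against a live host, reports which of a list of names the agent answers to. The sample response and its sysDescr value are constructed for the example.

```python
# Added example, not from the Nessus report: SNMPv1 community-name probe,
# i.e. a GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) and a GetResponse
# decoder. Encoding follows RFC 1157 with BER (X.690); no SNMP library used.
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, the usual probe object


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += chunk
    return tlv(0x06, bytes(body))


def decode_oid(body: bytes) -> str:
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, value, offset_after) for the TLV that starts at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def snmp_message(community: str, pdu_tag: int, request_id: int, varbind: bytes) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (0 = v1), community OCTET STRING, PDU }."""
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode("latin-1")) + pdu)


def snmp_get_request(community: str, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    return snmp_message(community, 0xA0, request_id, tlv(0x30, ber_oid(oid) + b"\x05\x00"))


def snmp_get_response(community: str, oid: str, value: bytes, request_id: int = 1) -> bytes:
    """GetResponse with one OCTET STRING varbind; used here to construct offline sample data."""
    return snmp_message(community, 0xA2, request_id, tlv(0x30, ber_oid(oid) + tlv(0x04, value)))


def parse_get_response(data: bytes) -> dict:
    """Decode a GetResponse into community, request id, error status and {oid: raw value}."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _ver, off = read_tlv(msg)
    _, comm, off = read_tlv(msg, off)
    tag, pdu, _ = read_tlv(msg, off)
    if tag != 0xA2:
        raise ValueError(f"expected GetResponse-PDU (0xA2), got 0x{tag:02x}")
    _, rid, off = read_tlv(pdu)
    _, err, off = read_tlv(pdu, off)
    _, _idx, off = read_tlv(pdu, off)
    _, vbl, _ = read_tlv(pdu, off)
    varbinds, off = {}, 0
    while off < len(vbl):
        _, vb, off = read_tlv(vbl, off)
        _, oid_body, inner = read_tlv(vb)
        _, value, _ = read_tlv(vb, inner)
        varbinds[decode_oid(oid_body)] = value
    return {"community": comm.decode("latin-1"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "varbinds": varbinds}


def probe_communities(host: str, names=("public", "private"), port: int = 161, timeout: float = 2.0):
    """Names a live agent answers to (network; not run offline). Silence = rejected."""
    accepted = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for i, name in enumerate(names, start=1):
            s.sendto(snmp_get_request(name, request_id=i), (host, port))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue
            if parse_get_response(data)["request_id"] == i:
                accepted.append(name)
    return accepted
```

For this host the call would be probe_communities(host, port=32789). A name that answers a Get is only proven to be readable; whether 'private' also grants write access would take a SetRequest, which this example deliberately does not send. Since SNMPv1 carries the community in clear text in every packet, the fix is to change the name and restrict the agent to known managers, not just to rename 'private'.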
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:031 (perl).



Jeroen van Wolffelaar discovered that the rmtree() function in the perl
File::Path module would remove directories in an insecure manner which could
lead to the removal of arbitrary files and directories via a symlink attack
(CAN-2004-0452).

Trustix developers discovered several insecure uses of temporary files in many
modules which could allow a local attacker to overwrite files via symlink
attacks (CAN-2004-0976).

'KF' discovered two vulnerabilities involving setuid-enabled perl scripts. By
setting the PERLIO_DEBUG environment variable and calling an arbitrary
setuid-root perl script, an attacker could overwrite arbitrary files with perl
debug messages (CAN-2005-0155). As well, calling a setuid-root perl script with
a very long path would cause a buffer overflow if PERLIO_DEBUG was set, which
could be exploited to execute arbitrary code with root privileges
(CAN-2005-0156).

The provided packages have been patched to resolve these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:031
Risk factor : High
CVE : CAN-2004-0452, CAN-2004-0976, CAN-2005-0155, CAN-2005-0156
Nessus ID : 16360
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:082 (mozilla).


A number of security vulnerabilities in mozilla are addressed by this update for
Mandrakelinux 10.0 users, including a fix for frame spoofing, a fixed popup
XPInstall/security dialog bug, a fix for untrusted chrome calls, a fix for SSL
certificate spoofing, a fix for stealing secure HTTP Auth passwords via DNS
spoofing, a fix for insecure matching of cert names for non-FQDNs, a fix for
focus redefinition from another domain, a fix for a SOAP parameter overflow, a
fix for text drag on file entry, a fix for certificate DoS, and a fix for lock
icon and cert spoofing.
Additionally, mozilla for both Mandrakelinux 9.2 and 10.0 have been rebuilt to
use the system libjpeg and libpng which addresses vulnerabilities discovered in
libpng (ref: MDKSA-2004:079).


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:082
Risk factor : High
CVE : CAN-2004-0597, CAN-2004-0598, CAN-2004-0599
Nessus ID : 14331
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:001 (libtiff).



Several vulnerabilities have been discovered in the libtiff package:

iDefense reported the possibility of remote exploitation of an integer overflow
in libtiff that may allow for the execution of arbitrary code.

The overflow occurs in the parsing of TIFF files set with the STRIPOFFSETS
flag.

iDefense also reported a heap-based buffer overflow vulnerability within the
LibTIFF package could allow attackers to execute arbitrary code.
(CAN-2004-1308)

The vulnerability specifically exists due to insufficient validation of
user-supplied data when calculating the size of a directory entry.

The updated packages are patched to protect against these vulnerabilities.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:001
Risk factor : High
CVE : CAN-2004-1183, CAN-2004-1308
Nessus ID : 16114
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:116-1 (cpio).



A race condition has been found in cpio 2.6 and earlier which allows local
users to modify permissions of arbitrary files via a hard link attack on a file
while it is being decompressed, whose permissions are changed by cpio after the
decompression is complete (CAN-2005-1111).

A vulnerability has been discovered in cpio that allows a malicious cpio file
to extract to an arbitrary directory of the attacker's choice. cpio will extract
to the path specified in the cpio file, and this path can be absolute
(CAN-2005-1229).

Update:

The previous packages had a problem upgrading due to an unresolved issue with
tar and rmt. These packages correct the problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:116-1
Risk factor : High
CVE : CAN-2005-1111, CAN-2005-1229
Nessus ID : 18678
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:156 (krb5).



Michael Tautschnig discovered a heap buffer overflow in the history handling
code of libkadm5srv which could be exploited by an authenticated user to
execute arbitrary code on a Key Distribution Center (KDC) server.

The updated packages have been patched to prevent this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:156
Risk factor : High
CVE : CAN-2004-1189
Nessus ID : 16037
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:045 (passwd).


Steve Grubb found some problems in the passwd program. Passwords given to passwd
via stdin are one character shorter than they are supposed to be. He also
discovered that pam may not have been sufficiently initialized to ensure safe
and proper operation. A few small memory leaks have been fixed as well.
The updated packages are patched to correct these problems.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:045
Risk factor : High
Nessus ID : 14144
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:148 (iproute2).



Herbert Xu discovered that iproute can accept spoofed messages sent via the
kernel netlink interface by other users on the local machine. This could lead
to a local Denial of Service attack.

The updated packages have been patched to prevent this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:148
Risk factor : High
CVE : CAN-2003-0856
Nessus ID : 15956
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:151 (php).



A number of vulnerabilities in PHP versions prior to 4.3.10 were discovered by
Stefan Esser. Some of these vulnerabilities were not deemed to be severe enough
to warrant CVE names, however the packages provided, with the exception of the
Corporate Server 2.1 packages, include fixes for all of the vulnerabilities,
thanks to the efforts of the OpenPKG team who extracted and backported the
fixes.

The vulnerabilities fixed in all provided packages include a fix for a possible
information disclosure, double free, and negative reference index array
underflow in deserialization code (CAN-2004-1019). As well, the exif_read_data()
function suffers from an overflow on a long sectionname; this vulnerability
was discovered by Ilia Alshanetsky (CAN-2004-1065).

The other fixes that appear in Mandrakelinux 9.2 and newer packages include a
fix for out of bounds memory write access in shmop_write() and integer overflow
/underflows in the pack() and unpack() functions. The addslashes() function did
not properly escape '



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:151
Risk factor : High
CVE : CAN-2004-1019, CAN-2004-1065
Nessus ID : 15998
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:146 (nfs-utils).



SGI developers discovered a remote DoS (Denial of Service) condition in the NFS
statd server. rpc.statd did not ignore the 'SIGPIPE' signal which would cause
it to shutdown if a misconfigured or malicious peer terminated the TCP
connection prematurely.

The updated packages have been patched to prevent this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:146
Risk factor : High
CVE : CAN-2004-1014
Nessus ID : 15919
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:054 (cyrus-sasl).



A buffer overflow was discovered in cyrus-sasl's digestmd5 code. This could
lead to a remote attacker executing code in the context of the service using
SASL authentication. This vulnerability was fixed upstream in version 2.1.19.

The updated packages are patched to deal with this issue.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:054
Risk factor : High
CVE : CAN-2005-0373
Nessus ID : 17332
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:126 (shadow-utils).



A vulnerability in the shadow suite was discovered by Martin Schulze that can
be exploited by local users to bypass certain security restrictions due to an
input validation error in the passwd_check() function. This function is used by
the chfn and chsh tools.

The updated packages have been patched to prevent this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:126
Risk factor : High
CVE : CAN-2004-1001
Nessus ID : 15637
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:123 (perl-MIME-tools).



There's a bug in MIME-tools, where it mis-parses things like boundary=''. Some
viruses use an empty boundary, which may allow unapproved parts through
MIMEDefang.

The updated packages are patched to fix this problem.

As well, the Updated perl-MIME-tools requires MIME::Base64 version 3.03. Since
MIME::Base64 is integrated in the perl package on Mandrakelinux, these updates
now provide the newer version.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:123
Risk factor : High
Nessus ID : 15603
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:048 (cvs).


Stefan Esser discovered that malformed 'Entry' lines in combination with
Is-modified and Unchanged can be used to overflow malloc()ed memory in a way
that can be remotely exploited.
The updated packages contain a patch to correct the problem.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:048
Risk factor : High
CVE : CAN-2004-0396
Nessus ID : 14147
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:020 (kdegraphics).



A buffer overflow vulnerability was discovered in the xpdf PDF code, which
could allow for arbitrary code execution as the user viewing a PDF file. The
vulnerability exists due to insufficient bounds checking while processing a PDF
file that provides malicious values in the /Encrypt /Length tag. Kdegraphics
uses xpdf code and is susceptible to the same vulnerability.

10.1 packages also include a fix for ksvg kde bug #74457.

The updated packages have been patched to prevent these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:020
Risk factor : High
CVE : CAN-2005-0064
Nessus ID : 16257
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:055 (openslp).



An audit by the SUSE Security Team of critical parts of the OpenSLP package
revealed various buffer overflow and out of bounds memory access issues. These
problems can be triggered by remote attackers by sending malformed SLP packets.

The packages have been patched to prevent these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:055
Risk factor : High
Nessus ID : 17333
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:149 (postgresql).



The Trustix development team found insecure temporary file creation problems in
a script included in the postgresql package. This could allow an attacker to
trick a user into overwriting arbitrary files he has access to.

The updated packages have been patched to prevent this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:149
Risk factor : High
CVE : CAN-2004-0977
Nessus ID : 15957
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:065 (ImageMagick).



A format string vulnerability was discovered in ImageMagick, in the way it
handles filenames. An attacker could execute arbitrary code on a victim's
machine provided they could trick them into opening a file with a special name
(CAN-2005-0397).

As well, Andrei Nigmatulin discovered a heap-based buffer overflow in
ImageMagick's image handler. An attacker could create a special PhotoShop
Document (PSD) image file in such a way that it would cause ImageMagick to
execute arbitrary code when processing the image (CAN-2005-0005).

Other vulnerabilities were discovered in ImageMagick versions prior to 6.0:

A bug in the way that ImageMagick handles TIFF tags was discovered. It was
possible that a TIFF image with an invalid tag could cause ImageMagick to crash
(CAN-2005-0759).

A bug in ImageMagick's TIFF decoder was discovered where a specially-crafted
TIFF image could cause ImageMagick to crash (CAN-2005-0760).

A bug in ImageMagick's PSD parsing was discovered where a specially-crafted
PSD file could cause ImageMagick to crash (CAN-2005-0761).

Finally, a heap overflow bug was discovered in ImageMagick's SGI parser. If an
attacker could trick a user into opening a specially-crafted SGI image file,
ImageMagick would execute arbitrary code (CAN-2005-0762).

The updated packages have been patched to correct these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:065
Risk factor : High
CVE : CAN-2005-0005, CAN-2005-0397, CAN-2005-0759, CAN-2005-0760, CAN-2005-0761, CAN-2005-0762
Nessus ID : 17677
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:109 (libtiff).


Several vulnerabilities have been discovered in the libtiff package:
Chris Evans discovered several problems in the RLE (run length encoding)
decoders that could lead to arbitrary code execution. (CAN-2004-0803) Matthias
Clasen discovered a division by zero through an integer overflow.
(CAN-2004-0804)
Dmitry V. Levin discovered several integer overflows that caused malloc issues
which can result in either a plain crash or memory corruption. (CAN-2004-0886)


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:109
Risk factor : High
CVE : CAN-2004-0803, CAN-2004-0804, CAN-2004-0886
Nessus ID : 15523
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:101 (webmin).


A vulnerability in webmin was discovered by Ludwig Nussel. A temporary directory
was used in webmin, however it did not check for the previous owner of the
directory. This could allow an attacker to create the directory and place
dangerous symbolic links inside.
The updated packages are patched to prevent this problem.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:101
Risk factor : High
CVE : CAN-2003-0559
Nessus ID : 14795
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:030 (tcpdump).


A number of vulnerabilities were discovered in tcpdump versions prior to 3.8.1
that, if fed a maliciously crafted packet, could be exploited to crash tcpdump.
These vulnerabilities include:
Remote attackers can cause a denial of service (crash) via ISAKMP packets
containing a Delete payload with a large number of SPI's, which causes an
out-of-bounds read. (CAN-2004-1083)
Integer underflow in the isakmp_id_print allows remote attackers to cause a
denial of service (crash) via an ISAKMP packet with an Identification payload
with a length that becomes less than 8 during byte order conversion, which
causes an out-of-bounds read. (CAN-2004-0184)
The updated packages are patched to correct these problems.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:030
Risk factor : High
CVE : CAN-2004-0183, CAN-2004-0184, CAN-2004-1083
Nessus ID : 14129
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:116 (cups).


Chris Evans discovered numerous vulnerabilities in the xpdf package, which also
affect software using embedded xpdf code:
Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0. Also programs
like cups which have embedded versions of xpdf. These can result in writing an
arbitrary byte to an attacker controlled location which probably could lead to
arbitrary code execution. (CAN-2004-0888)
Also, when CUPS debugging is enabled, device URIs containing username and
password end up in error_log. This information is also visible via 'ps'.
(CAN-2004-0923)
The updated packages are patched to protect against these vulnerabilities.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:116
Risk factor : High
CVE : CAN-2004-0888, CAN-2004-0923
Nessus ID : 15551
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:098 (wget).



Two vulnerabilities were found in wget. The first is that an HTTP redirect
statement could be used to do a directory traversal and write to files outside
of the current directory. The second is that HTTP redirect statements could be
used to overwrite dot ('.') files, potentially overwriting the user's
configuration files (such as .bashrc, etc.).

The updated packages have been patched to help address these problems by
replacing dangerous directories and filenames containing the dot ('.')
character with an underscore ('_') character.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:098
Risk factor : High
CVE : CAN-2004-1487, CAN-2004-1488
Nessus ID : 18440
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:108 (cvs).


iDEFENSE discovered a flaw in CVS versions prior to 1.11.17 in an undocumented
switch implemented in CVS' history command. The -X switch specifies the name of
the history file, which allows an attacker to determine whether arbitrary system
files and directories exist and whether or not the CVS process has access to
them.
This flaw has been fixed in CVS version 1.11.17.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:108
Risk factor : High
CVE : CAN-2004-0778
Nessus ID : 15522
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:103 (OpenOffice.org).


A vulnerability in OpenOffice.org was reported by pmladek where a local user may
be able to obtain and read documents that belong to another user. The way that
OpenOffice.org created temporary files, which used the user's umask to create
the file, could potentially allow for other users to have read access to the
document (again, dependent upon the user's umask).
The updated packages have been patched to prevent this problem.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:103
Risk factor : High
CVE : CAN-2004-0752
Nessus ID : 14840
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:066 (kernel).


A number of vulnerabilities were discovered in the Linux kernel that are
corrected with this update:
Multiple vulnerabilities were found by the Sparse source checker that could
allow local users to elevate privileges or gain access to kernel memory
(CAN-2004-0495).
Missing Discretionary Access Controls (DAC) checks in the chown(2) system call
could allow an attacker with a local account to change the group ownership of
arbitrary files, which could lead to root privileges on affected systems
(CAN-2004-0497).
An information leak vulnerability that affects only ia64 systems was fixed
(CAN-2004-0565).
Insecure permissions on /proc/scsi/qla2300/HbaApiNode could allow a local user
to cause a DoS on the system; this only affects Mandrakelinux 9.2 and below
(CAN-2004-0587).
A vulnerability that could crash the kernel has also been fixed. This crash,
however, can only be exploited via root (in br_if.c).
The provided packages are patched to fix these vulnerabilities. All users are
encouraged to upgrade to these updated kernels.
To update your kernel, please follow the directions located at:
http://www.mandrakesoft.com/security/kernelupdate


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:066
Risk factor : High
CVE : CAN-2004-0495, CAN-2004-0497, CAN-2004-0565, CAN-2004-0587
BID : 10279, 10687
Nessus ID : 14165
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:102 (ImageMagick).


Several buffer overflow vulnerabilities in ImageMagick were discovered by Marcus
Meissner from SUSE. These vulnerabilities would allow an attacker to create a
malicious image or video file in AVI, BMP, or DIB formats which could crash the
reading process. It may be possible to create malicious images that could also
allow for the execution of arbitrary code with the privileges of the invoking
user or process.
The updated packages provided are patched to correct these problems.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:102
Risk factor : High
CVE : CAN-2004-0827
Nessus ID : 14796
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:092 (samba).


Two vulnerabilities were discovered in samba 3.0.x; the first is a defect in
smbd's ASN.1 parsing that allows an attacker to send a specially crafted packet
during the authentication request which will send the newly spawned smbd process
into an infinite loop. As a result, it is possible to use up all available
memory on the server.
The second vulnerability is in nmbd's processing of mailslot packets which could
allow an attacker to anonymously crash nmbd.
The provided packages are patched to protect against these two vulnerabilities.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:092
Risk factor : High
CVE : CAN-2004-0807, CAN-2004-0808
Nessus ID : 14723
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:125 (iptables).



Faheem Mitha discovered that the iptables tool would not always load the
required modules on its own as it should have, which could in turn lead to
firewall rules not being loaded on system startup in some cases.

The updated packages are patched to prevent this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:125
Risk factor : High
CVE : CAN-2004-0986
Nessus ID : 15636
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:112 (zlib).



Tavis Ormandy of the Gentoo Security Project discovered a vulnerability in zlib
where a certain data stream would cause zlib to corrupt a data structure,
causing the linked application to dump core.

The updated packages have been patched to correct this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:112
Risk factor : High
CVE : CAN-2005-2096
Nessus ID : 18649
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:087 (tcpdump).



A number of Denial of Service vulnerabilities were discovered in the way that
tcpdump processes certain network packets. If abused, these flaws can allow a
remote attacker to inject a carefully crafted packet onto the network, crashing
tcpdump.

The provided packages have been patched to correct these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:087
Risk factor : High
CVE : CAN-2005-1278, CAN-2005-1279, CAN-2005-1280
Nessus ID : 18276
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:067 (sharutils).



Shaun Colley discovered a buffer overflow in shar that was triggered by output
files (using -o) with names longer than 49 characters which could be exploited
to run arbitrary attacker-specified code.

Ulf Harnhammar discovered that shar does not check the data length returned by
the wc command.

Joey Hess discovered that unshar would create temporary files in an insecure
manner which could allow a symbolic link attack to create or overwrite
arbitrary files with the privileges of the user using unshar.

The updated packages have been patched to correct these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:067
Risk factor : High
CVE : CAN-2004-1772, CAN-2004-1773
Nessus ID : 18002
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:135 (apache2).



A vulnerability in apache 2.0.35-2.0.52 was discovered by Chintan Trivedi; he
found that by sending a large amount of specially-crafted HTTP GET requests, a
remote attacker could cause a Denial of Service on the httpd server. This
vulnerability is due to improper enforcement of the field length limit in the
header-parsing code.

The updated packages have been patched to prevent this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:135
Risk factor : High
CVE : CAN-2004-0942
Nessus ID : 15740
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:090 (zlib).


Due to a Debian bug report, a Denial of Service vulnerability was discovered in
the zlib compression library versions 1.2.x, in the inflate() and inflateBack()
functions. Older versions of zlib are not affected.
Once the updated packages have been installed, all programs linked against zlib
must be restarted for the new packages to take effect.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:090
Risk factor : High
CVE : CAN-2004-0797
Nessus ID : 14679
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:160 (kdelibs).



A vulnerability in the Konqueror web browser was discovered that would allow a
malicious web site to take advantage of a flaw in kio_ftp to send email
messages without user interaction.

The updated packages are patched to correct the problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:160
Risk factor : High
Nessus ID : 16077
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:022 (kernel).


A number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with this
advisory.


To update your kernel, please follow the directions located at:

http://www.mandrakesoft.com/security/kernelupdate

PLEASE NOTE: Mandrakelinux 10.0 users will need to upgrade to the latest
module-init-tools package prior to upgrading their kernel. Likewise, MNF8.2
users will need to upgrade to the latest modutils package prior to upgrading
their kernel.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
Risk factor : High
CVE : CAN-2004-0814, CAN-2004-0816, CAN-2004-0883, CAN-2004-0949, CAN-2004-1016, CAN-2004-1058, CAN-2004-1068, CAN-2004-1069, CAN-2004-1070, CAN-2004-1071, CAN-2004-1072, CAN-2004-1073, CAN-2004-1074, CAN-2004-1137, CAN-2004-1151, CAN-2004-1235, CAN-2005-0001, CAN-2005-0003
Nessus ID : 16259
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:021 (tetex).



A buffer overflow vulnerability was discovered in the xpdf PDF code, which
could allow for arbitrary code execution as the user viewing a PDF file. The
vulnerability exists due to insufficient bounds checking while processing a PDF
file that provides malicious values in the /Encrypt /Length tag. Tetex uses
xpdf code and is susceptible to the same vulnerability.

The updated packages have been patched to prevent these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:021
Risk factor : High
CVE : CAN-2005-0064
Nessus ID : 16258
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:154 (kdelibs).



A vulnerability in the Konqueror webbrowser was discovered where an untrusted
java applet could escalate privileges (through JavaScript calling into Java
code). This includes the reading and writing of files with the privileges of
the user running the applet.

The provided packages have been patched to correct this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:154
Risk factor : High
CVE : CAN-2004-1145
Nessus ID : 16035
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:150 (kdelibs).



Daniel Fabian discovered a potential privacy issue in KDE. When creating a link
to a remote file from various applications, including Konqueror, the resulting
URL may contain the authentication credentials used to access that remote
resource. This includes, but is not limited to, browsing SMB (Samba) shares.
Upon further investigation, it was found that the SMB protocol handler also
unnecessarily exposed authentication credentials (CAN-2004-1171).

Another vulnerability was discovered where a malicious website could abuse
Konqueror to load its own content into a window or tab that was opened by a
trusted website, or it could trick a trusted website into loading content into
an existing window or tab. This could lead to the user being confused as to the
origin of a particular webpage and could have the user unknowingly send
confidential information intended for a trusted site to the malicious site
(CAN-2004-1158).

The updated packages contain a patch from the KDE team to solve this issue.

Additionally, the kdelibs and kdebase packages for Mandrakelinux 10.1 contain
numerous bugfixes. New qt3 packages are being provided for Mandrakelinux 10.0
that are required to build the kdebase package.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:150
Risk factor : High
CVE : CAN-2004-1158, CAN-2004-1171
Nessus ID : 15981
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:080 (xpm).



The XPM library which is part of the XFree86/XOrg project is used by several
GUI applications to process XPM image files.

An integer overflow flaw was found in libXPM, which is used by some
applications for loading of XPM images. An attacker could create a malicious
XPM file that would execute arbitrary code via a negative bitmap_unit value if
opened by a victim using an application linked to the vulnerable library.

Updated packages are patched to correct all these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:080
Risk factor : High
CVE : CAN-2005-0605
Nessus ID : 18173
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:044 (libuser).


Steve Grubb discovered a number of problems in the libuser library that can lead
to a crash in applications linked to it, or possibly write 4GB of garbage to the
disk.
The updated packages provide a patched libuser to correct these problems.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:044
Risk factor : High
Nessus ID : 14143
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:115 (kdegraphics).


Chris Evans discovered numerous vulnerabilities in the xpdf package, which also
affect software using embedded xpdf code, such as kpdf:
Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0. Also programs
like kpdf which have embedded versions of xpdf. These can result in writing an
arbitrary byte to an attacker controlled location which probably could lead to
arbitrary code execution.
The updated packages are patched to protect against these vulnerabilities.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:115
Risk factor : High
CVE : CAN-2004-0888
Nessus ID : 15550
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:029 (vim).



Javier Fernandez-Sanguino Pena discovered two vulnerabilities in scripts
included with the vim editor. The two scripts, 'tcltags' and 'vimspell.sh'
created temporary files in an insecure manner which could allow a malicious
user to execute a symbolic link attack or to create, or overwrite, arbitrary
files with the privileges of the user invoking the scripts.

The updated packages are patched to prevent this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:029
Risk factor : High
CVE : CAN-2005-0069
Nessus ID : 16302
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:091 (bzip2).



A race condition in the file permission restore code of bunzip2 was discovered
by Imran Ghory. While a user was decompressing a file, a local attacker with
write permissions to the directory containing the compressed file could replace
the target file with a hard link which would cause bunzip2 to restore the file
permissions of the original file to the hard link target. This could be
exploited to gain read or write access to files of other users (CAN-2005-0953).

A vulnerability was found where specially crafted bzip2 archives would cause an
infinite loop in the decompressor, resulting in an indefinitely large output
file (also known as a 'decompression bomb'). This could be exploited to cause a
Denial of Service attack on the host computer due to disk space exhaustion
(CAN-2005-1260).

The provided packages have been patched to correct these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:091
Risk factor : High
CVE : CAN-2005-0953, CAN-2005-1260
Nessus ID : 18307
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:011 (xine-lib).



iDefense discovered that the PNA_TAG handling code in pnm_get_chunk() does not
check if the input size is larger than the buffer size (CAN-2004-1187). As
well, they discovered that in this same function, a negative value could be
given to an unsigned variable that specifies the read length of input data
(CAN-2004-1188).

Ariel Berkman discovered that xine-lib reads specific input data into an array
without checking the input size making it vulnerable to a buffer overflow
problem (CAN-2004-1300).

The updated packages have been patched to prevent these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:011
Risk factor : High
CVE : CAN-2004-1187, CAN-2004-1188, CAN-2004-1300
Nessus ID : 16220
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:143 (ImageMagick).



A vulnerability was discovered in ImageMagick where, due to a boundary error
within the EXIF parsing routine, a specially crafted graphic image could
potentially lead to the execution of arbitrary code.

The updated packages have been patched to prevent this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:143
Risk factor : High
CVE : CAN-2004-0981
Nessus ID : 15916
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:058 (cvs).


Another vulnerability was discovered related to 'Entry' lines in cvs, by the
development team (CAN-2004-0414).
As well, Stefan Esser and Sebastian Krahmer performed an audit on the cvs source
code and discovered a number of other problems, including:
A double-free condition in the server code is exploitable (CAN-2004-0416).
By sending a large number of arguments to the CVS server, it is possible to
cause it to allocate a huge amount of memory which does not fit into the address
space, causing an error (CAN-2004-0417).
It was found that the serve_notify() function would write data out of bounds
(CAN-2004-0418).
The provided packages update cvs to 1.11.16 and include patches to correct all
of these problems.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:058
Risk factor : High
CVE : CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418
Nessus ID : 14157
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:138 (XFree86).



The XPM library which is part of the XFree86/XOrg project is used by several
GUI applications to process XPM image files.

A source code review of the XPM library, done by Thomas Biege of the SuSE
Security-Team revealed several different kinds of bugs. These bugs include
integer overflows, out-of-bounds memory access, shell command execution, path
traversal, and endless loops.

These bugs can be exploited by remote and/or local attackers to gain access to
the system or to escalate their local privileges, by using a specially crafted
xpm image.

Updated packages are patched to correct all these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:138
Risk factor : High
CVE : CAN-2004-0914
Nessus ID : 15794
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:037 (kernel).


A vulnerability was found in the framebuffer driver of the 2.6 kernel. This is
due to incorrect use of the fb_copy_cmap function. (CAN-2004-0229)
A vulnerability has been found in the Linux kernel in the ip_setsockopt()
function code. There is an exploitable integer overflow inside the code handling
the MCAST_MSFILTER socket option in the IP_MSFILTER_SIZE macro calculation. This
issue is present in both 2.4 (2.4.25) and 2.6 kernels. (CAN-2004-0424)
There is a minor issue with the static buffer in 2.4 kernel's panic() function.
Although it is possibly a buffer overflow, it is most likely not exploitable due
to the nature of panic(). (CAN-2004-0394)
In do_fork(), if an error occurs after the mm_struct for the child has been
allocated, it is never freed. The exit_mm() meant to free it increments the
mm_count and this count is never decremented. (For a running process that is
exiting, schedule() takes care of this; however, the child process being cleaned
up is not running.) In the CLONE_VM case, the parent's mm_struct will get an
extra mm_count and so it will never be freed. This issue is present in both 2.4
and 2.6 kernels. (CAN-2004-0427)
The provided packages are patched to fix these vulnerabilities. All users are
encouraged to upgrade to these updated kernels.
To update your kernel, please follow the directions located at:
http://www.mandrakesecure.net/en/kernelupdate.php


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:037
Risk factor : High
CVE : CAN-2004-0229, CAN-2004-0394, CAN-2004-0424, CAN-2004-0427
BID : 10211, 10221, 10233
Nessus ID : 14136
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:105 (xine-lib).


A number of string overflows were discovered in the xine-lib program, some of
which can be used for remote buffer overflow exploits that lead to the execution
of arbitrary code with the permissions of the user running a xine-lib-based
media application. xine-lib versions 1-rc2 through, and including, 1-rc5 are
vulnerable to these problems.
As well, a heap overflow was found in the DVD subpicture decoder of xine-lib;
this vulnerability is also remotely exploitable. All versions of xine-lib prior
to and including 0.5.2 through, and including, 1-rc5 are vulnerable to this
problem.
Patches from the xine-lib team have been backported and applied to the program
to solve these problems.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:105
Risk factor : High
Nessus ID : 15434
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:077 (cdrecord).



Javier Fernandez-Sanguino Pena discovered that cdrecord created temporary files
in an insecure manner if DEBUG was enabled in /etc/cdrecord/rscsi. If the
default value was used (which stored the debug output file in /tmp), a symbolic
link attack could be used to create or overwrite arbitrary files with the
privileges of the user invoking cdrecord. Please note that by default this
configuration file does not exist in Mandriva Linux so unless you create it and
enable DEBUG, this does not affect you.

The updated packages have been patched to correct these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:077
Risk factor : High
CVE : CAN-2005-0866
Nessus ID : 18107
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:166 (tetex).



Chris Evans discovered numerous vulnerabilities in the xpdf package, which also
affect software using embedded xpdf code, such as tetex (CAN-2004-0888).

Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0. Also programs
like tetex which have embedded versions of xpdf. These can result in writing an
arbitrary byte to an attacker controlled location which probably could lead to
arbitrary code execution.

iDefense also reported a buffer overflow vulnerability, which affects versions
of xpdf <= xpdf-3.0 and several programs, like tetex, which use embedded xpdf
code. An attacker could construct a malicious payload file which could enable
arbitrary code execution on the target system (CAN-2004-1125).

The updated packages are patched to protect against these vulnerabilities.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:166
Risk factor : High
CVE : CAN-2004-0888, CAN-2004-1125
Nessus ID : 16083
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:159 (glibc).



The Trustix developers discovered that the catchsegv and glibcbug utilities,
part of the glibc package, created temporary files in an insecure manner. This
could allow for a symlink attack to create or overwrite arbitrary files with
the privileges of the user invoking the program.

The updated packages have been patched to correct this issue.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:159
Risk factor : High
CVE : CAN-2004-0968
Nessus ID : 16076
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:142 (gzip).



The Trustix developers found some insecure temporary file creation problems in
the zdiff, znew, and gzexe supplemental scripts in the gzip package. These
flaws could allow local users to overwrite files via a symlink attack.

A similar problem was fixed last year (CAN-2003-0367) in which this same
problem was found in znew. At that time, Mandrakesoft also used mktemp to
correct the problems in gzexe. This update uses mktemp to handle temporary
files in the zdiff script.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:142
Risk factor : High
CVE : CAN-2003-0367, CAN-2004-0970
Nessus ID : 15915
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:057 (gnupg).



The OpenPGP protocol is vulnerable to a timing-attack in order to gain plain
text from cipher text. The timing difference appears as a side effect of the
so-called 'quick scan' and is only exploitable on systems that accept an
arbitrary amount of cipher text for automatic decryption.

The updated packages have been patched to disable the quick check for all
public key-encrypted messages and files.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:057
Risk factor : High
CVE : CAN-2005-0366
Nessus ID : 17334
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:011-1 (netpbm).


A number of temporary file bugs have been found in versions of NetPBM. These
could allow a local user the ability to overwrite or create files as a different
user who happens to run one of the vulnerable utilities.
Update:
The patch applied made some calls to the mktemp utility with an incorrect
parameter which prevented mktemp from creating temporary files in some scripts.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:011-1
Risk factor : High
CVE : CAN-2003-0924
BID : 9442
Nessus ID : 14111
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:052 (kdegraphics).



Previous updates to correct integer overflow issues affecting xpdf overlooked
certain conditions when built for a 64 bit platform (formerly CAN-2004-0888).
This also affects applications like kdegraphics, that use embedded versions of
xpdf. (CAN-2005-0206)

In addition, previous libtiff updates overlooked kdegraphics, which contains
an embedded libtiff used for kfax. This update includes patches to address:
CAN-2004-0803, CAN-2004-0804, CAN-2004-0886, CAN-2004-1183, CAN-2004-1308.

The updated packages are patched to deal with these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:052
Risk factor : High
CVE : CAN-2004-0803, CAN-2004-0804, CAN-2004-0886, CAN-2004-0888, CAN-2004-1183, CAN-2004-1308, CAN-2005-0206
Nessus ID : 17281
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:096 (openssl).



Colin Percival reported a cache timing attack that could be used to allow a
malicious local user to gain portions of cryptographic keys (CAN-2005-0109).
The OpenSSL library has been patched to add a new fixed-window mod_exp
implementation as default for RSA, DSA, and DH private key operations. The
patch was designed to mitigate cache timing and possibly related attacks.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:096
Risk factor : High
CVE : CAN-2005-0109
Nessus ID : 18434
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:050 (kernel).


Brad Spender discovered an exploitable bug in the cpufreq code in the Linux 2.6
kernel (CAN-2004-0228).
As well, a permissions problem existed on some SCSI drivers; a fix from Olaf
Kirch is provided that changes the mode from 0777 to 0600.
This update also provides a 10.0/amd64 kernel with fixes for the previous
MDKSA-2004:037 advisory as well as the above-noted fixes.
The provided packages are patched to fix these vulnerabilities. All users are
encouraged to upgrade to these updated kernels.
To update your kernel, please follow the directions located at:
http://www.mandrakesoft.com/security/kernelupdate


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:050
Risk factor : High
CVE : CAN-2004-0228
BID : 10201
Nessus ID : 14149
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:120 (mpg123).



Carlos Barros discovered two buffer overflow vulnerabilities in mpg123; the
first in the getauthfromURL() function and the second in the http_open()
function. These vulnerabilities could be exploited to possibly execute
arbitrary code with the privileges of the user running mpg123.

The provided packages are patched to fix these issues; additional boundary
checks that were lacking have also been included (thanks to the Gentoo Linux
Sound Team for these additional fixes).



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:120
Risk factor : High
CVE : CAN-2004-0982
Nessus ID : 15600
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:064 (apache2).


A Denial of Service (DoS) condition was discovered in Apache 2.x by George
Guninski. Exploiting this can lead to httpd consuming an arbitrary amount of
memory. On 64bit systems with more than 4GB of virtual memory, this may also
lead to a heap-based overflow.
The updated packages contain a patch from the ASF to correct the problem.
It is recommended that you stop Apache prior to updating and then restart it
again once the update is complete ('service httpd stop' and 'service httpd
start' respectively).


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:064
Risk factor : High
CVE : CAN-2004-0493
Nessus ID : 14163
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:136 (samba).



Stefan Esser discovered that invalid bounds checking in reply to certain
trans2 requests could result in a buffer overrun in smbd. This can only be
exploited by a malicious user able to create files with very specific Unicode
filenames on a samba share.

The updated packages have been patched to prevent this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:136
Risk factor : High
CVE : CAN-2004-0882
Nessus ID : 15769
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:031-1 (utempter).


Steve Grubb discovered two potential issues in the utempter program:
1) If the path to the device contained /../ or /./ or //, the program was not
exiting as it should. It would be possible to use something like
/dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked to another
important file, programs that have root privileges that do no further validation
can then overwrite whatever the symlink pointed to.
2) Several calls to strncpy without a manual termination of the string. This
would most likely crash utempter.
The updated packages are patched to correct these problems.
Update:
The second portion of the patch to address the manual termination of the string
has been determined to be unnecessary, as well as reducing the length of utmp
strings by one character. As such, it has been removed.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:031-1
Risk factor : High
CVE : CAN-2004-0233
Nessus ID : 14130
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:029 (kernel).


A vulnerability was found in the R128 DRI driver by Alan Cox. This could allow
local privilege escalation. The previous fix, in MDKSA-2004:015 only partially
corrected the problem; the full fix is included (CAN-2004-0003).
A local root vulnerability was discovered in the isofs component of the Linux
kernel by iDefense. This vulnerability can be triggered by performing a
directory listing on a maliciously constructed ISO filesystem, or attempting to
access a file via a malformed symlink on such a filesystem (CAN-2004-0109).
An information leak was discovered in the ext3 filesystem code by Solar
Designer. It was discovered that when creating or writing to an ext3 filesystem,
some amount of other in-memory data gets written to the device. The data is not
the file's contents, not something on the same filesystem, or even anything that
was previously in a file at all. To obtain this data, a user needs to read the
raw device (CAN-2004-0177).
The same vulnerability was also found in the XFS filesystem code (CAN-2004-0133)
and the JFS filesystem code (CAN-2004-0181).
Finally, a vulnerability in the OSS code for SoundBlaster 16 devices was
discovered by Andreas Kies. It is possible for local users with access to the
sound system to crash the machine (CAN-2004-0178).
The provided packages are patched to fix these vulnerabilities. All users are
encouraged to upgrade to these updated kernels.
To update your kernel, please follow the directions located at:
http://www.mandrakesecure.net/en/kernelupdate.php


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:029
Risk factor : High
CVE : CAN-2004-0003, CAN-2004-0109, CAN-2004-0133, CAN-2004-0177, CAN-2004-0178, CAN-2004-0181
BID : 10152, 9570
Nessus ID : 14128
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:107 (mozilla).


A number of vulnerabilities were fixed in mozilla 1.7.3, the following of which
have been backported to mozilla packages for Mandrakelinux 10.0:
- 'Send page' heap overrun
- javascript clipboard access
- buffer overflow when displaying VCard
- BMP integer overflow
- javascript: link dragging
- Malicious POP3 server III
The details of all of these vulnerabilities are available from the Mozilla
website.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:107
Risk factor : High
CVE : CAN-2004-0902, CAN-2004-0903, CAN-2004-0904, CAN-2004-0905, CAN-2004-0908
Nessus ID : 15521
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:164 (cups).



iDefense reported a buffer overflow vulnerability, which affects versions of
xpdf <= xpdf-3.0 and several programs, like cups, which use embedded xpdf code.
An attacker could construct a malicious payload file which could enable
arbitrary code execution on the target system.

The updated packages are patched to protect against these vulnerabilities.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:164
Risk factor : High
CVE : CAN-2004-1125
Nessus ID : 16081
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:133 (sudo).



Liam Helmer discovered a flaw in sudo's environment sanitizing. This flaw could
allow malicious users with permission to run a shell script that uses the
bash shell to run arbitrary commands.

The problem is fixed in sudo 1.6.8p2; the provided packages have been patched
to correct the issue.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:133
Risk factor : High
Nessus ID : 15738
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:099 (XFree86).


Chris Evans found several stack and integer overflows in the libXpm code of
X.Org/XFree86:
Stack overflows (CAN-2004-0687):
Careless use of strcat() in both the XPMv1 and XPMv2/3 xpmParseColors code leads
to a stack based overflow (parse.c).
Stack overflow reading pixel values in ParseAndPutPixels (create.c) as well as
ParsePixels (parse.c).
Integer Overflows (CAN-2004-0688):
Integer overflow allocating colorTable in xpmParseColors (parse.c) - probably a
crashable but not exploitable offence.
The updated packages have patches from Chris Evans and Matthieu Herrb to address
these vulnerabilities.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:099
Risk factor : High
CVE : CAN-2004-0687, CAN-2004-0688
BID : 11196
Nessus ID : 14755
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:038 (emacs).



Max Vozeler discovered several format string vulnerabilities in the movemail
utility in Emacs. If a user connects to a malicious POP server, an attacker can
execute arbitrary code as the user running emacs.

The updated packages have been patched to correct the problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:038
Risk factor : High
CVE : CAN-2005-0100
Nessus ID : 16473
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:083 (rsync).


An advisory was sent out by the rsync team regarding a security vulnerability in
all versions of rsync prior to and including 2.6.2. If rsync is running in
daemon mode, and not in a chrooted environment, it is possible for a remote
attacker to trick rsyncd into creating an absolute pathname while sanitizing it.
This vulnerability allows a remote attacker to possibly read/write to/from files
outside of the rsync directory.
The updated packages are patched to prevent this problem.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:083
Risk factor : High
CVE : CAN-2004-0792
Nessus ID : 14332
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:163 (kdegraphics).



iDefense reported a buffer overflow vulnerability, which affects versions of
xpdf <= xpdf-3.0 and several programs, like kdegraphics, which use embedded
xpdf code. An attacker could construct a malicious payload file which could
enable arbitrary code execution on the target system.

The updated packages are patched to protect against these vulnerabilities.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:163
Risk factor : High
CVE : CAN-2004-1125
Nessus ID : 16080
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:071 (samba).


A vulnerability was discovered in SWAT, the Samba Web Administration Tool. The
routine used to decode the base64 data during HTTP basic authentication is
subject to a buffer overrun caused by an invalid base64 character. This same
code is also used to internally decode the sambaMungedDial attribute value when
using the ldapsam passdb backend, and to decode input given to the ntlm_auth
tool.
This vulnerability only exists in Samba versions 3.0.2 or later; the 3.0.5
release fixes the vulnerability. Systems using SWAT, the ldapsam passdb backend,
and those running winbindd and allowing third-party applications to issue
authentication requests via the ntlm_auth tool should upgrade immediately.
(CAN-2004-0600)
A buffer overrun has been located in the code used to support the 'mangling
method = hash' smb.conf option. Please be aware that the default setting for
this parameter is 'mangling method = hash2' and therefore not vulnerable. This
bug is present in Samba 3.0.0 and later, as well as Samba 2.2.X (CAN-2004-0686)
This update also fixes a bug where attempting to print in some cases would cause
smbd to exit with a signal 11.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:071
Risk factor : High
CVE : CAN-2004-0600, CAN-2004-0686
Nessus ID : 14170
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:074 (webmin).


Unknown vulnerability in Webmin 1.140 allows remote attackers to bypass access
control rules and gain read access to configuration information for a module.
(CAN-2004-0582)
The account lockout functionality in Webmin 1.140 does not parse certain
character strings, which allows remote attackers to conduct a brute force attack
to guess user IDs and passwords. (CAN-2004-0583)
The updated packages are patched to correct the problem.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:074
Risk factor : High
CVE : CAN-2004-0582, CAN-2004-0583
BID : 10474, 10522, 10523
Nessus ID : 14172
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:043 (apache2).


A memory leak in mod_ssl in the Apache HTTP Server prior to version 2.0.49
allows a remote denial of service attack against an SSL-enabled server.
The updated packages provide a patched mod_ssl to correct these problems.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:043
Risk factor : High
CVE : CAN-2004-0113
BID : 9826
Nessus ID : 14142
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:027 (chbg).



A vulnerability in chbg was discovered by Danny Lungstrom. A
maliciously-crafted configuration/scenario file could overflow a buffer leading
to the potential execution of arbitrary code.

The updated packages are patched to prevent the problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:027
Risk factor : High
CVE : CAN-2004-1264
Nessus ID : 16293
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:038 (sysklogd).


Steve Grubb discovered a bug in sysklogd where it allocates an insufficient
amount of memory which causes sysklogd to write to unallocated memory. This
could allow for a malicious user to crash sysklogd.
The updated packages provide a patched sysklogd using patches from Openwall to
correct the problem and also correct the use of an uninitialized variable (a
previous use of 'count').


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:038
Risk factor : High
Nessus ID : 14137
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:079 (libpng).


Chris Evans discovered numerous vulnerabilities in the libpng graphics library,
including a remotely exploitable stack-based buffer overrun in the
png_handle_tRNS function, dangerous code in png_handle_sBIT, a possible
NULL-pointer crash in png_handle_iCCP (which is also duplicated in multiple
other locations), a theoretical integer overflow in png_read_png, and integer
overflows during progressive reading.
All users are encouraged to upgrade immediately.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:079
Risk factor : High
CVE : CAN-2004-0597, CAN-2004-0598, CAN-2004-0599
Nessus ID : 14328
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:018 (cups).



A buffer overflow vulnerability was discovered in the xpdf PDF code, which
could allow for arbitrary code execution as the user viewing a PDF file. The
vulnerability exists due to insufficient bounds checking while processing a PDF
file that provides malicious values in the /Encrypt /Length tag. Cups uses xpdf
code and is susceptible to the same vulnerability.

The updated packages have been patched to prevent these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:018
Risk factor : High
CVE : CAN-2005-0064
Nessus ID : 16255
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:089 (imlib2).


Marcus Meissner discovered that the imlib and imlib2 libraries are also affected
with a similar BMP-related vulnerability as the recent QT updates. The updated
imlib and imlib2 packages are patched to protect against this problem.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:089
Risk factor : High
CVE : CAN-2004-0802, CAN-2004-0817
Nessus ID : 14678
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:091 (cdrecord).


Max Vozeler found that the cdrecord program, which is suid root, fails to drop
euid=0 when it exec()s a program specified by the user through the $RSH
environment variable. This can be abused by a local attacker to obtain root
privileges.
The updated packages are patched to fix the vulnerability.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:091
Risk factor : High
CVE : CAN-2004-0806
BID : 11075
Nessus ID : 14680
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:076 (sox).


Ulf Harnhammar discovered two buffer overflows in SoX. They occur when the sox
or play commands handle malicious .WAV files.
Versions 12.17.4, 12.17.3 and 12.17.2 are vulnerable to these overflows.
12.17.1, 12.17 and 12.16 are some versions that are not.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:076
Risk factor : High
CVE : CAN-2004-0557
BID : 10819
Nessus ID : 14174
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:064 (libexif).



A buffer overflow was discovered in the way libexif parses EXIF tags. An
attacker could exploit this by creating a special EXIF image file which could
cause image viewers linked against libexif to crash.

The updated packages have been patched to correct these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:064
Risk factor : High
CVE : CAN-2005-0664
Nessus ID : 17670
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:100 (mpg123).


A vulnerability in mpg123 was discovered by Davide Del Vecchio where certain
malicious mpg3/2 files would cause mpg123 to fail header checks, which could in
turn allow arbitrary code to be executed with the privileges of the user running
mpg123 (CAN-2004-0805).
As well, an older vulnerability in mpg123, where a response from a remote HTTP
server could overflow a buffer allocated on the heap, is also fixed in these
packages. This vulnerability could also potentially permit the execution of
arbitrary code with the privileges of the user running mpg123 (CAN-2003-0865).


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:100
Risk factor : High
CVE : CAN-2003-0865, CAN-2004-0805
Nessus ID : 14794
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:008 (cups).



A buffer overflow was discovered in the ParseCommand function in the hpgltops
utility. An attacker with the ability to send malicious HPGL files to a printer
could possibly execute arbitrary code as the 'lp' user (CAN-2004-1267).

Vulnerabilities in the lppasswd utility were also discovered. The program
ignores write errors when modifying the CUPS passwd file. A local user who is
able to fill the associated file system could corrupt the CUPS passwd file or
prevent future use of lppasswd (CAN-2004-1268 and CAN-2004-1269). As well,
lppasswd does not verify that the passwd.new file is different from STDERR,
which could allow a local user to control output to passwd.new via certain user
input that could trigger an error message (CAN-2004-1270).

The updated packages have been patched to prevent these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:008
Risk factor : High
CVE : CAN-2004-1267, CAN-2004-1268, CAN-2004-1269, CAN-2004-1270
Nessus ID : 16184
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:097 (cups).


Alvaro Martinez Echevarria discovered a vulnerability in the CUPS print server
where an empty UDP datagram sent to port 631 (the default port that cupsd
listens to) would disable browsing. This would prevent cupsd from seeing any
remote printers or any future remote printer changes.
The updated packages are patched to protect against this vulnerability.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:097
Risk factor : High
CVE : CAN-2004-0558
Nessus ID : 14753
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:158 (samba).



Remote exploitation of an integer overflow vulnerability in the smbd daemon
included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to and including
3.0.9 could allow an attacker to cause controllable heap corruption, leading to
execution of arbitrary commands with root privileges. In order to exploit this
vulnerability an attacker must possess credentials that allow access to a share
on the Samba server. Unsuccessful exploitation attempts will cause the process
serving the request to crash with signal 11, and may leave evidence of an
attack in logs. The updated packages have been patched to correct this issue.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:158
Risk factor : High
CVE : CAN-2004-1154
Nessus ID : 16065
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:078 (OpenOffice.org).


The OpenOffice.org office suite contains an internal libneon library which
allows it to connect to WebDAV servers. This internal library is subject to the
same vulnerabilities that were fixed in libneon recently. These updated packages
contain fixes to libneon to correct the several format string vulnerabilities in
it, as well as a heap-based buffer overflow vulnerability.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:078
Risk factor : High
CVE : CAN-2004-0179, CAN-2004-0398
BID : 10136
Nessus ID : 14176
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:137-1 (libxpm4).



The XPM library which is part of the XFree86/XOrg project is used by several
GUI applications to process XPM image files.

A source code review of the XPM library, done by Thomas Biege of the SuSE
Security-Team revealed several different kinds of bugs. These bugs include
integer overflows, out-of-bounds memory access, shell command execution, path
traversal, and endless loops.

These bugs can be exploited by remote and/or local attackers to gain access to
the system or to escalate their local privileges, by using a specially crafted
xpm image.

Update:

The previous libxpm4 update had a linking error that resulted in a missing
s_popen symbol error running applications dependent on the library. In
addition, the file path checking in the security updates prevented some
applications, like gimp-2.0, from being able to save xpm format images.

Updated packages are patched to correct all these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:137-1
Risk factor : High
Nessus ID : 15793
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:024 (evolution).



Max Vozeler discovered an integer overflow in the camel-lock-helper
application. This application is installed setgid mail by default. A local
attacker could exploit this to execute malicious code with the privileges of
the 'mail' group; likewise a remote attacker could set up a malicious POP server
to execute arbitrary code when an Evolution user connects to it.

The updated packages have been patched to prevent this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:024
Risk factor : High
CVE : CAN-2005-0102
Nessus ID : 16290
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:036 (xchat).


A remotely exploitable vulnerability was discovered in the Socks-5 proxy code in
XChat. By default, socks5 traversal is disabled, and one would also need to
connect to an attacker's own custom proxy server in order for this to be
exploited. Successful exploitation could lead to arbitrary code execution as the
user running XChat.
The provided packages are patched to prevent this problem.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:036
Risk factor : High
CVE : CAN-2004-0409
BID : 10168
Nessus ID : 14135
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:068 (gtk+2.0).



A bug was discovered in the way that gtk+2.0 processes BMP images which could
allow for a specially crafted BMP to cause a Denial of Service attack on
applications linked against gtk+2.0.

The updated packages have been patched to correct these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:068
Risk factor : High
CVE : CAN-2004-0891
Nessus ID : 18003
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:141 (zip).



A vulnerability in zip was discovered where zip would not check the resulting
path length when doing recursive folder compression, which could allow a
malicious person to convince a user to create an archive containing a
specially-crafted path name. By doing so, arbitrary code could be executed with
the permissions of the user running zip.

The updated packages are patched to prevent this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:141
Risk factor : High
CVE : CAN-2004-1010
Nessus ID : 15839
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:081 (XFree86).



The XPM library which is part of the XFree86/XOrg project is used by several
GUI applications to process XPM image files.

An integer overflow flaw was found in libXPM, which is used by some
applications for loading of XPM images. An attacker could create a malicious
XPM file that would execute arbitrary code via a negative bitmap_unit value if
opened by a victim using an application linked to the vulnerable library.

Updated packages are patched to correct all these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:081
Risk factor : High
CVE : CAN-2005-0605
Nessus ID : 18235
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:055 (apache2).


A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in
ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a
remote attacker may be able to execute arbitrary code via a client certificate
with a long subject DN.
The provided packages are patched to prevent this problem.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:055
Risk factor : High
CVE : CAN-2004-0488
Nessus ID : 14154
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:093 (postgresql).



A number of vulnerabilities were found and corrected in the PostgreSQL DBMS:

Two serious security errors have been found in PostgreSQL 7.3 and newer
releases. These errors at least allow an unprivileged database user to crash
the backend process, and may make it possible for an unprivileged user to gain
the privileges of a database superuser.

Functions that support client-to-server character set conversion can be called
from SQL commands by unprivileged users, but these functions are not designed
to be safe against malicious choices of argument values. (CAN-2005-1409)

The contrib/tsearch2 module misdeclares several functions as returning type
'internal' when they do not have any 'internal' argument. This breaks the type
safety of 'internal' by allowing users to construct SQL commands that invoke
other functions accepting 'internal' arguments. (CAN-2005-1410)

These vulnerabilities must also be fixed in all existing databases when
upgrading. The post-installation script of the updated postgresql-server
package attempts to do this automatically.

The updated packages have been patched to correct these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:093
Risk factor : High
CVE : CAN-2005-1409, CAN-2005-1410
Nessus ID : 18411
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:005 (nfs-utils).



Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer overflow.
An attacker with access to an NFS share could send a specially crafted request
which could then lead to the execution of arbitrary code.

The updated packages are provided to prevent this issue.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:005
Risk factor : High
CVE : CAN-2004-0946
Nessus ID : 16135
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:049 (gaim).



Gaim versions prior to version 1.1.4 suffer from a few security issues such as
the HTML parser not sufficiently validating its input. This allowed a remote
attacker to crash the Gaim client by sending certain malformed HTML messages
(CAN-2005-0208 and CAN-2005-0473).

As well, insufficient input validation was also discovered in the 'Oscar'
protocol handler, used for ICQ and AIM. By sending specially crafted packets,
remote users could trigger an infinite loop in Gaim causing it to become
unresponsive and hang (CAN-2005-0472).

Gaim 1.1.4 is provided and fixes these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:049
Risk factor : High
CVE : CAN-2005-0208, CAN-2005-0472, CAN-2005-0473
Nessus ID : 17278
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:007 (imlib).



Pavel Kankovsky discovered several heap overflow flaws in the imlib image
handler. An attacker could create a carefully crafted image file in such a way
that it could cause an application linked with imlib to execute arbitrary code
when the file was opened by a user (CAN-2004-1025).

As well, Pavel also discovered several integer overflows in imlib. These could
allow an attacker, creating a carefully crafted image file, to cause an
application linked with imlib to execute arbitrary code or crash
(CAN-2004-1026).

The updated packages have been patched to prevent these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:007
Risk factor : High
CVE : CAN-2004-1025, CAN-2004-1026
Nessus ID : 16158
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:088 (krb5).


A double-free vulnerability exists in the MIT Kerberos 5's KDC program that
could potentially allow a remote attacker to execute arbitrary code on the KDC
host. As well, multiple double-free vulnerabilities exist in the krb5 library
code, which makes client programs and application servers vulnerable. The MIT
Kerberos 5 development team believes that exploitation of these bugs would be
difficult and no known vulnerabilities are believed to exist. The vulnerability
in krb524d was discovered by Marc Horowitz; the other double-free
vulnerabilities were discovered by Will Fiveash and Nico Williams at Sun.
Will Fiveash and Nico Williams also found another vulnerability in the ASN.1
decoder library. This makes krb5 vulnerable to a DoS (Denial of Service) attack
causing an infinite loop in the decoder. The KDC is vulnerable to this attack.
The MIT Kerberos 5 team has provided patches which have been applied to the
updated software to fix these issues. Mandrakesoft encourages all users to
upgrade immediately.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:088
Risk factor : High
CVE : CAN-2004-0642, CAN-2004-0643, CAN-2004-0644, CAN-2004-0772
Nessus ID : 14673
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:110 (gaim).


More vulnerabilities have been discovered in the gaim instant messenger client.
The vulnerabilities pertinent to version 0.75, which is the version shipped with
Mandrakelinux 10.0, are: installing smiley themes could allow remote attackers
to execute arbitrary commands via shell metacharacters in the filename of the
tar file that is dragged to the smiley selector. There is also a buffer overflow
in the way gaim handles receiving very long URLs.
The provided packages have been patched to fix these problems. These issues,
amongst others, have been fixed upstream in version 0.82.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:110
Risk factor : High
CVE : CAN-2004-0784, CAN-2004-0785
Nessus ID : 15546
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:003 (vim).



Several 'modeline'-related vulnerabilities were discovered in Vim by Ciaran
McCreesh. The updated packages have been patched with Bram Moolenaar's vim
6.3.045 patch which fixes the reported vulnerabilities and adds more
conservative 'modeline' rights.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:003
Risk factor : High
CVE : CAN-2004-1138
Nessus ID : 16116
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:079 (perl).



Paul Szabo discovered another vulnerability in the rmtree() function in
File::Path.pm. While a process running as root (or another user) was busy
deleting a directory tree, a different user could exploit a race condition to
create setuid binaries in this directory tree, provided that he already had
write permissions in any subdirectory of that tree.

The provided packages have been patched to resolve this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:079
Risk factor : High
CVE : CAN-2005-0448
Nessus ID : 18172
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:045 (kdelibs).



A bug in the way kioslave handles URL-encoded newline (%0a) characters before
the FTP command was discovered. Because of this, it is possible that a
specially crafted URL could be used to execute any ftp command on a remote
server, or even send unsolicited email.

As well, Davide Madrisan discovered that dcopidlng created temporary files in
an insecure manner.

The updated packages are patched to deal with these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:045
Risk factor : High
CVE : CAN-2004-1165
Nessus ID : 17140
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:073 (XFree86).


Steve Rumble discovered XDM in XFree86 opens a chooserFd TCP socket even when
DisplayManager.requestPort is 0, which could allow remote attackers to connect
to the port, in violation of the intended restrictions.
The updated packages are patched to correct the problem.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:073
Risk factor : High
CVE : CAN-2004-0419
BID : 10423
Nessus ID : 14171
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:092 (gzip).



Several vulnerabilities have been discovered in the gzip package:

Zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows
local users to execute arbitrary commands via filenames that are injected into
a sed script. (CAN-2005-0758)

A race condition in gzip 1.2.4, 1.3.3, and earlier when decompressing a gzip
file allows local users to modify permissions of arbitrary files via a hard
link attack on a file while it is being decompressed, whose permissions are
changed by gzip after the decompression is complete. (CAN-2005-0988)

A directory traversal vulnerability via 'gunzip -N' in gzip 1.2.4 through 1.3.5
allows remote attackers to write to arbitrary directories via a .. (dot dot) in
the original filename within a compressed file. (CAN-2005-1228)

Updated packages are patched to address these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:092
Risk factor : High
CVE : CAN-2005-0758, CAN-2005-0988, CAN-2005-1228
Nessus ID : 18308
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:147 (openssl).



The Trustix developers found that the der_chop script, included in the openssl
package, created temporary files insecurely. This could allow local users to
overwrite files using a symlink attack.

The updated packages have been patched to prevent this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:147
Risk factor : High
CVE : CAN-2004-0975
Nessus ID : 15920
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:098 (libxpm4).


Chris Evans found several stack and integer overflows in the libXpm code of
X.Org/XFree86 (from which the libxpm code is derived):
Stack overflows (CAN-2004-0687):
Careless use of strcat() in both the XPMv1 and XPMv2/3 xpmParseColors code leads
to a stack based overflow (parse.c).
Stack overflow reading pixel values in ParseAndPutPixels (create.c) as well as
ParsePixels (parse.c).
Integer Overflows (CAN-2004-0688):
Integer overflow allocating colorTable in xpmParseColors (parse.c) - probably a
crashable but not exploitable offence.
The updated packages have patches from Chris Evans and Matthieu Herrb to address
these vulnerabilities.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:098
Risk factor : High
CVE : CAN-2004-0687, CAN-2004-0688
BID : 11196
Nessus ID : 14754
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:033 (enscript).



A vulnerability in the enscript program's handling of the epsf command used to
insert inline EPS file into a document was found. An attacker could create a
carefully crafted ASCII file which would make use of the epsf pipe command in
such a way that it could execute arbitrary commands if the file was opened with
enscript (CAN-2004-1184).

Additionally, flaws were found in enscript that could be abused by executing
enscript with carefully crafted command-line arguments. These flaws only have a
security impact if enscript is executed by other programs and passed untrusted
data from remote users (CAN-2004-1185 and CAN-2004-1186).

The updated packages have been patched to prevent these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:033
Risk factor : High
CVE : CAN-2004-1184, CAN-2004-1185, CAN-2004-1186
Nessus ID : 16376
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:062 (kernel).


A vulnerability in the e1000 driver for the Linux kernel 2.4.26 and earlier was
discovered by Chris Wright. The e1000 driver does not properly reset memory or
restrict the maximum length of a data structure, which can allow a local user to
read portions of kernel memory (CAN-2004-0535).
A vulnerability was also discovered in the kernel where a certain C program would
trigger a floating point exception that would crash the kernel. This
vulnerability can only be triggered locally by users with shell access
(CAN-2004-0554).


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:062
Risk factor : High
CVE : CAN-2004-0535, CAN-2004-0554
BID : 10352
Nessus ID : 14161
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:081 (gaim).


Sebastian Krahmer discovered two remotely exploitable buffer overflow
vulnerabilities in the gaim instant messenger. The updated packages are patched
to correct the problems.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:081
Risk factor : High
CVE : CAN-2004-0500
BID : 10865
Nessus ID : 14330
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:127 (libxml/libxml2).



Multiple buffer overflows were reported in the libxml XML parsing library.
These vulnerabilities may allow remote attackers to execute arbitrary code via a
long FTP URL that is not properly handled by the xmlNanoFTPScanURL() function,
a long proxy URL containing FTP data that is not properly handled by the
xmlNanoFTPScanProxy() function, and other overflows in the code that resolves
names via DNS.

The updated packages have been patched to prevent these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:127
Risk factor : High
CVE : CAN-2004-0989
Nessus ID : 15638
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:063 (libpng).


A buffer overflow vulnerability was discovered in libpng due to a wrong
calculation of some loop offset values. This buffer overflow can lead to Denial
of Service or even remote compromise.
This vulnerability was initially patched in January of 2003, but it has since
been noted that fixes were required in two additional places that had not been
corrected with the earlier patch. This update uses an updated patch to fix all
known issues.
After the upgrade, all applications that use libpng should be restarted. Many
applications are linked to libpng, so if you are unsure of what applications to
restart, you may wish to reboot the system. Mandrakesoft encourages all users to
upgrade immediately.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:063
Risk factor : High
CVE : CAN-2002-1363
Nessus ID : 14162
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:103 (sudo).



A race condition was discovered in sudo by Charles Morris. This could lead to
the escalation of privileges if /etc/sudoers allowed a user to execute selected
programs that were then followed by another line containing the pseudo-command
'ALL'. By creating symbolic links at a certain time, that user could execute
arbitrary commands.

The updated packages have been patched to correct this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:103
Risk factor : High
CVE : CAN-2005-1993
Nessus ID : 18550
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:096 (apache2).


Two Denial of Service conditions were discovered in the input filter of mod_ssl,
the module that enables apache to handle HTTPS requests.
Another vulnerability was discovered by the ASF security team using the
Codenomicon HTTP Test Tool. This vulnerability, in the apr-util library, can
possibly lead to arbitrary code execution if certain non-default conditions are
met (enabling the AP_ENABLE_EXCEPTION_HOOK define).
As well, the SITIC have discovered a buffer overflow when Apache expands
environment variables in configuration files such as .htaccess and httpd.conf,
which can lead to possible privilege escalation. This can only be done, however,
if an attacker is able to place malicious configuration files on the server.
Finally, a crash condition was discovered in the mod_dav module by Julian
Reschke, where sending a LOCK refresh request to an indirectly locked resource
could crash the server.
The updated packages have been patched to protect against these vulnerabilities.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:096
Risk factor : High
CVE : CAN-2004-0747, CAN-2004-0748, CAN-2004-0751, CAN-2004-0786
Nessus ID : 14752
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:028 (cvs).


Sebastian Krahmer from the SUSE security team discovered a remotely exploitable
vulnerability in the CVS client. When doing a cvs checkout or update over a
network, the client accepts absolute pathnames in the RCS diff files. A
maliciously configured server could then create any file with content on the
local user's disk. This problem affects all versions of CVS prior to 1.11.15
which has fixed the problem.
The updated packages provide 1.11.14 with the pertinent fix for the problem.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:028
Risk factor : High
CVE : CAN-2004-0180
Nessus ID : 14127
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:035 (python).



A flaw in the python language was found by the development team. The
SimpleXMLRPCServer library module could permit remote attackers unintended
access to internals of the registered object or its module, or possibly even
other modules. This only affects python XML-RPC servers that use the
register_instance() method to register an object without a _dispatch() method.
Servers that only use the register_function() method are not affected.

The updated packages have been patched to prevent these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:035
Risk factor : High
CVE : CAN-2005-0089
Nessus ID : 16378
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:085 (qt3).


Chris Evans discovered a heap-based overflow in the QT library when handling
8-bit RLE encoded BMP files. This vulnerability could allow for the compromise
of the account used to view or browse malicious BMP files. On subsequent
investigation, it was also found that the handlers for XPM, GIF, and JPEG image
types were also faulty.
These problems affect all applications that use QT to handle image files, such
as QT-based image viewers, the Konqueror web browser, and others.
The updated packages have been patched to correct these problems.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:085
Risk factor : High
CVE : CAN-2004-0691, CAN-2004-0692, CAN-2004-0693
Nessus ID : 14334
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:030 (perl-DBI).



Javier Fernandez-Sanguino Pena discovered the perl5 DBI library created a
temporary PID file in an insecure manner, which could be exploited by a
malicious user to overwrite arbitrary files owned by the user executing the
parts of the library.

The updated packages have been patched to prevent these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:030
Risk factor : High
CVE : CAN-2005-0077
Nessus ID : 16359
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:056-1 (krb5).


Multiple buffer overflows exist in the krb5_aname_to_localname() library
function that if exploited could lead to unauthorized root privileges. In order
to exploit this flaw, an attacker must first successfully authenticate to a
vulnerable service, which must be configured to enable the explicit mapping or
rules-based mapping functionality of krb5_aname_to_localname, which is not a
default configuration.
Mandrakesoft encourages all users to upgrade to these patched krb5 packages.
Update:
The original patch provided contained a bug where rule-based entries on systems
without HAVE_REGCOMP would not work. These updated packages provide the second
patch provided by Kerberos development team which fixes that behaviour.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:056-1
Risk factor : High
CVE : CAN-2004-0523
BID : 10448
Nessus ID : 14155
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:119 (krb5).



A number of vulnerabilities have been corrected in this Kerberos update:

The rcp protocol would allow a server to instruct a client to write to
arbitrary files outside of the current directory. The Kerberos-aware rcp could
be abused to copy files from a malicious server (CAN-2004-0175).

Gael Delalleau discovered an information disclosure vulnerability in the way
some telnet clients handled messages from a server. This could be abused by a
malicious telnet server to collect information from the environment of any
victim connecting to the server using the Kerberos-aware telnet client
(CAN-2005-0488).

Daniel Wachdorf discovered that in error conditions that could occur in response
to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free
uninitialized memory, which could cause the KDC to crash resulting in a Denial
of Service (CAN-2005-1174).

Daniel Wachdorf also discovered a single-byte heap overflow in the
krb5_unparse_name() function that could, if successfully exploited, lead to a
crash, resulting in a DoS. To trigger this flaw, an attacker would need to have
control of a Kerberos realm that shares a cross-realm key with the target
(CAN-2005-1175).

Finally, a double-free flaw was discovered in the krb5_recvauth() routine which
could be triggered by a remote unauthenticated attacker. This issue could
potentially be exploited to allow for the execution of arbitrary code on a KDC.
No exploit is currently known to exist (CAN-2005-1689).

The updated packages have been patched to address this issue and Mandriva urges
all users to upgrade to these packages as quickly as possible.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:119
Risk factor : High
CVE : CAN-2004-0175, CAN-2005-0488, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689
Nessus ID : 19201
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:069 (gdk-pixbuf).



A bug was discovered in the way that gdk-pixbuf processes BMP images which
could allow for a specially crafted BMP to cause a Denial of Service attack on
applications linked against gdk-pixbuf.

The updated packages have been patched to correct these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:069
Risk factor : High
CVE : CAN-2005-0891
Nessus ID : 18004
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:122 (mod_ssl/apache2-mod_ssl).



A vulnerability in mod_ssl was discovered by Hartmut Keil. After a
renegotiation, mod_ssl would fail to ensure that the requested cipher suite is
actually negotiated. The provided packages have been patched to prevent this
problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:122
Risk factor : High
CVE : CAN-2004-0885
Nessus ID : 15602
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:073 (cvs).



A buffer overflow and memory access problem in CVS have been discovered by the
CVS maintainer. The updated packages have been patched to correct the problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:073
Risk factor : High
CVE : CAN-2005-0753
Nessus ID : 18103
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:095 (gdb).



Tavis Ormandy of the Gentoo Linux Security Audit Team discovered two
vulnerabilities in the GNU debugger. The first allows an attacker to execute
arbitrary code with the privileges of the user running gdb if they can trick
the user into loading a specially crafted executable (CAN-2005-1704).

He also discovered that gdb loads and executes the file .gdbinit in the current
directory even if the file belongs to a different user. If a user can be
tricked into running gdb in a directory with a malicious .gdbinit file, a local
attacker can exploit this to run arbitrary commands with the privileges of the
user running gdb (CAN-2005-1705).

The updated packages have been patched to correct these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:095
Risk factor : High
CVE : CAN-2005-1704, CAN-2005-1705
Nessus ID : 18404
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:087 (kernel).


A race condition was discovered in the 64bit file offset handling by Paul
Starzetz from iSEC. The file offset pointer (f_pos) is changed during reading,
writing, and seeking through a file in order to point to the current position of
a file. The value conversion between both the 32bit and 64bit API in the kernel,
as well as access to the f_pos pointer, is defective. As a result, a local
attacker can abuse this vulnerability to gain access to uninitialized kernel
memory, mostly via entries in the /proc filesystem. This kernel memory can
possibly contain information like the root password, and other sensitive data.
The updated kernel packages provided are patched to protect against this
vulnerability, and all users are encouraged to upgrade immediately.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:087
Risk factor : High
CVE : CAN-2004-0415
BID : 10852
Nessus ID : 14387
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:089 (cdrdao).



The cdrdao package contains two vulnerabilities; the first allows local users
to read arbitrary files via the show-data command and the second allows local
users to overwrite arbitrary files via a symlink attack on the ~/.cdrdao
configuration file. This can also lead to elevated privileges (a root shell)
due to cdrdao being installed suid root.

The provided packages have been patched to correct these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:089
Risk factor : High
CVE : CAN-2002-0137, CAN-2002-0138
Nessus ID : 18305
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:106 (cyrus-sasl).


A vulnerability was discovered in the libsasl library of cyrus-sasl. libsasl
honors the SASL_PATH environment variable blindly, which could allow a local
user to create a malicious 'library' that would get executed with the effective
ID of SASL when anything calls libsasl.
The provided packages are patched to protect against this vulnerability.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:106
Risk factor : High
CVE : CAN-2004-0884
Nessus ID : 15435
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:042 (rsync).


Rsync before 2.6.1 does not properly sanitize paths when running a read/write
daemon without using chroot, which allows remote attackers to write files outside
of the module's path.
The updated packages provide a patched rsync to correct this problem.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:042
Risk factor : High
CVE : CAN-2004-0426
BID : 10247
Nessus ID : 14141
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:086 (kdelibs/kdebase).


A number of vulnerabilities were discovered in KDE that are corrected with these
update packages.
The integrity of symlinks used by KDE are not ensured and as a result can be
abused by local attackers to create or truncate arbitrary files or to prevent
KDE applications from functioning correctly (CAN-2004-0689).
The DCOPServer creates temporary files in an insecure manner. These temporary
files are used for authentication-related purposes, so this could potentially
allow a local attacker to compromise the account of any user running a KDE
application (CAN-2004-0690). Note that only KDE 3.2.x is affected by this
vulnerability.
The Konqueror web browser allows websites to load web pages into a frame of any
other frame-based web page that the user may have open. This could potentially
allow a malicious website to make Konqueror insert its own frames into the page
of an otherwise trusted website (CAN-2004-0721).
The Konqueror web browser also allows websites to set cookies for certain
country-specific top-level domains. This can be done to make Konqueror send the
cookies to all other web sites operating under the same domain, which can be
abused to become part of a session fixation attack. All country-specific
secondary top-level domains that use more than 2 characters in the secondary
part of the domain name, and that use a secondary part other than com, net, mil,
org, gov, edu, or int are affected (CAN-2004-0746).


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:086
Risk factor : High
CVE : CAN-2004-0689, CAN-2004-0690, CAN-2004-0721, CAN-2004-0746
BID : 10991, 11186, 11552
Nessus ID : 14335
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:058 (kdelibs).



A vulnerability in dcopserver was discovered by Sebastian Krahmer of the SUSE
security team. A local user can lock up the dcopserver of other users on the
same machine by stalling the DCOP authentication process, causing a local
Denial of Service. dcopserver is the KDE Desktop Communication Protocol daemon
(CAN-2005-0396).

As well, the IDN (International Domain Names) support in Konqueror is
vulnerable to a phishing technique known as a Homograph attack. This attack is
made possible due to IDN allowing a website to use a wide range of
international characters that have a strong resemblance to other characters.
This can be used to trick users into thinking they are on a different trusted
site when they are in fact on a site mocked up to look legitimate using these
other characters, known as homographs. This can be used to trick users into
providing personal information to a site they think is trusted (CAN-2005-0237).

Finally, it was found that the dcopidlng script was vulnerable to symlink
attacks, potentially allowing a local user to overwrite arbitrary files of a
user when the script is run on behalf of that user. However, this script is
only used as part of the build process of KDE itself and may also be used by
the build processes of third-party KDE applications (CAN-2005-0365).

The updated packages are patched to deal with these issues and Mandrakesoft
encourages all users to upgrade immediately.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:058
Risk factor : High
CVE : CAN-2005-0237, CAN-2005-0365, CAN-2005-0396
Nessus ID : 17346
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:040 (postgresql).



A number of vulnerabilities were found and corrected in the PostgreSQL DBMS:

A flaw in the LOAD command could be abused by a local user to load arbitrary
shared libraries and as a result execute arbitrary code with the privileges of
the user running the postgresql server (CAN-2005-0227).

A permission checking flaw was found where a local user could bypass the
EXECUTE permission check for functions using the CREATE AGGREGATE command
(CAN-2005-0244).

Multiple buffer overflows were discovered in PL/PgSQL. A database user with
permission to create plpgsql functions could trigger these flaws which could
then lead to arbitrary code execution with the privileges of the user running
the postgresql server (CAN-2005-0245 and CAN-2005-0247).

Finally, a flaw in the integer aggregator (intagg) contrib module was found. A
user could create carefully crafted arrays and crash the server, causing a
Denial of Service (CAN-2005-0246).

The updated packages have been patched to correct these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:040
Risk factor : High
CVE : CAN-2005-0227, CAN-2005-0244, CAN-2005-0245, CAN-2005-0246, CAN-2005-0247
Nessus ID : 17139
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:080 (shorewall).


The shorewall package has a vulnerability when creating temporary files and
directories, which could allow non-root users to overwrite arbitrary files on
the system. The updated packages are patched to fix the problem.
As well, for Mandrakelinux 10.0, the updated packages have been fixed to start
shorewall after the network, rather than before.
After updating the package, if shorewall was previously running, you may need to
issue a 'service shorewall restart'.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:080
Risk factor : High
Nessus ID : 14329
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:050 (gftp).



A vulnerability in gftp could allow a malicious FTP server to overwrite files
on the local system as the user running gftp due to improper handling of
filenames containing slashes.

The updated packages are patched to deal with these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:050
Risk factor : High
CVE : CAN-2005-0372
Nessus ID : 17279
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:131 (samba).



Karol Wiesek discovered a bug in the input validation routines in Samba 3.x
used to match filename strings containing wildcard characters. This bug may
allow a user to consume more than normal amounts of CPU cycles which would
impact the performance and response of the server. In some cases it could also
cause the server to become entirely unresponsive.

The updated packages are patched to prevent this problem with patches from the
Samba team. This vulnerability is fixed in samba 3.0.8.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:131
Risk factor : High
CVE : CAN-2004-0930
Nessus ID : 15699
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:110 (kernel).

Multiple vulnerabilities in the Linux kernel have been discovered and fixed in
this update.

Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:110
Risk factor : High
Nessus ID : 18598
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:153 (aspell).



A vulnerability was discovered in the aspell word-list-compress utility that
can allow an attacker to execute arbitrary code.

The updated packages have been patched to correct this problem.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:153
Risk factor : High
CVE : CAN-2004-0548
Nessus ID : 16015
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:040 (libpng).


Steve Grubb discovered that libpng would access memory that is out of bounds
when creating an error message. The impact of this bug is not clear, but it
could lead to a core dump in a program using libpng, or could result in a DoS
(Denial of Service) condition in a daemon that uses libpng to process PNG
images.
The updated packages are patched to correct the vulnerability.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:040
Risk factor : High
CVE : CAN-2004-0421
BID : 10244
Nessus ID : 14139
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:072 (php).



A number of vulnerabilities are addressed in this PHP update:

Stefano Di Paolo discovered integer overflows in PHP's pack(), unpack(), and
shmop_write() functions which could allow a malicious script to break out of
safe mode and execute arbitrary code with privileges of the PHP interpreter
(CAN-2004-1018; this was previously fixed in Mandrakelinux >= 10.0 in
MDKSA-2004:151).

Stefan Esser discovered two safe mode bypasses which would allow malicious
scripts to circumvent path restrictions by using virtual_popen() with a current
directory containing shell meta-characters (CAN-2004-1063) or by creating a
specially crafted directory whose length exceeded the capacity of realpath()
(CAN-2004-1064; both of these were previously fixed in Mandrakelinux >= 10.0 in
MDKSA-2004:151).

Two Denial of Service vulnerabilities were found in the getimagesize() function
which uses the format-specific internal functions php_handle_iff() and
php_handle_jpeg() which would get stuck in infinite loops when certain
(invalid) size parameters are read from the image (CAN-2005-0524 and
CAN-2005-0525).

An integer overflow was discovered in the exif_process_IFD_TAG() function in
PHP's EXIF module. EXIF tags with a specially crafted 'Image File Directory'
(IFD) tag would cause a buffer overflow which could be exploited to execute
arbitrary code with the privileges of the PHP server (CAN-2005-1042).

Another vulnerability in the EXIF module was also discovered where headers with
a large IFD nesting level would cause an unbound recursion which would
eventually overflow the stack and cause the executed program to crash
(CAN-2004-1043).

All of these issues are addressed in the Corporate Server 2.1 packages and the
last three issues for all other platforms, which had previously included the
first two issues but had not been mentioned in MDKSA-2004:151.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:072
Risk factor : High
CVE : CAN-2004-1018, CAN-2004-1043, CAN-2004-1063, CAN-2004-1064, CAN-2005-0524, CAN-2005-0525, CAN-2005-1042, CAN-2005-1043
Nessus ID : 18091
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:047 (kdelibs).


A vulnerability in the Opera web browser was identified by iDEFENSE; the same
type of vulnerability exists in KDE. The telnet, rlogin, ssh, and mailto URI
handlers do not check for '-' at the beginning of the hostname passed, which
makes it possible to pass an option to the programs started by the handlers.
This can allow remote attackers to create or truncate arbitrary files.
The updated packages contain patches provided by the KDE team to fix this
problem.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:047
Risk factor : High
CVE : CAN-2004-0411
Nessus ID : 14146
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:068 (php).


Stefan Esser discovered a remotely exploitable vulnerability in PHP where a
remote attacker could trigger a memory_limit request termination in places where
an interruption is unsafe. This could be used to execute arbitrary code.
As well, Stefan Esser also found a vulnerability in the handling of allowed tags
within PHP's strip_tags() function. This could lead to a number of XSS issues on
sites that rely on strip_tags(); however, this only seems to affect the Internet
Explorer and Safari browsers.
The updated packages have been patched to correct the problem and all users are
encouraged to upgrade immediately.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:068
Risk factor : High
CVE : CAN-2004-0594, CAN-2004-0595
Nessus ID : 14167
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:048 (curl).



'infamous41md' discovered a buffer overflow vulnerability in libcurl's NTLM
authorization base64 decoding. This could allow a remote attacker using a
prepared remote server to execute arbitrary code as the user running curl.

The updated packages are patched to deal with these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:048
Risk factor : High
CVE : CAN-2005-0490
Nessus ID : 17277
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:095-1 (gdk-pixbuf/gtk+2).


A vulnerability was found in the gdk-pixbuf bmp loader where a bad BMP image
could send the bmp loader into an infinite loop (CAN-2004-0753).
Chris Evans found a heap-based overflow and a stack-based overflow in the xpm
loader of gdk-pixbuf (CAN-2004-0782 and CAN-2004-0783).
Chris Evans also discovered an integer overflow in the ico loader of gdk-pixbuf
(CAN-2004-0788).
All four problems have been corrected in these updated packages.
Update:
The previous package had an incorrect patch applied that would cause some
problems with other programs. The updated packages have the correct patch
applied.
As well, patched gtk+2 packages, which also contain gdk-pixbuf, are now
provided.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:095-1
Risk factor : High
CVE : CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788
Nessus ID : 14751
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2004:094 (printer-drivers).


The foomatic-rip filter, which is part of foomatic-filters package, contains a
vulnerability that allows anyone with access to CUPS, local or remote, to
execute arbitrary commands on the server. The updated packages provide a fixed
foomatic-rip filter that prevents this kind of abuse.


Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:094
Risk factor : High
CVE : CAN-2004-0801
BID : 11184
Nessus ID : 14750
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:009 (mpg123).



A vulnerability in mpg123's ability to parse frame headers in input streams
could allow a malicious file to exploit a buffer overflow and execute arbitrary
code with the permissions of the user running mpg123.

The updated packages have been patched to prevent these problems.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:009
Risk factor : High
CVE : CAN-2004-0991
Nessus ID : 16218
Vulnerability general/tcp
The remote host is missing the patch for the advisory MDKSA-2005:061 (krb5).



Two buffer overflow issues were discovered in the way telnet clients handle
messages from a server. Because of these issues, an attacker may be able to
execute arbitrary code on the victim's machine if the victim can be tricked into
connecting to a malicious telnet server. The Kerberos package contains a telnet
client and is patched to deal with these issues.



Solution : http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:061
Risk factor : High
CVE : CAN-2005-0468, CAN-2005-0469
Nessus ID : 17658
Informational general/tcp 127.0.0.1 resolves as localhost.
Nessus ID : 12053
Informational general/tcp
The output of "uname -a" is :
Linux PhantomX 2.6.8.1 #3 Wed Oct 13 23:18:32 EDT 2004 i686 unknown unknown GNU/Linux

The remote Mandrake system is :
Mandrake Linux release 10.0 (Official) for i586

Local security checks have been enabled for this host.
Nessus ID : 12634

This file was generated by Nessus, the open-sourced security scanner.